From d952b74f9cc2b12da0b622d292923f34d00d4feb Mon Sep 17 00:00:00 2001 From: Fyyre Date: Tue, 9 May 2017 06:10:06 -0400 Subject: [PATCH] Removal of KeInitAmd64SpecificState. Addition of patch for primary Pg initialize function KiFilterFiberContext. Compatible 7601 - 16170 --- bin/patch.exe | Bin 1733632 -> 1733120 bytes src/main.c | 64 +++++++++++++++++++------------------------------ src/patterns.h | 10 ++------ 3 files changed, 27 insertions(+), 47 deletions(-) 
diff --git a/bin/patch.exe b/bin/patch.exe index d2240d1c2a4f5f389433dc099d70241ab900fa99..b5f088f53d814f473638746fa556824eb3599838 100644 GIT binary patch delta 10340 zcmeHMdt6mj_TTr&MNr`aa^NDb3mo1)kcUc$Ui5+o0s|ypsiCQu1&HJbVTF@OF3n)~@I)^o4D z&faUUwa=l}y}b7G<-1KW`?dwnVaBhQ#j>G-KV#((q>Rv{X*|X>Mu;fo<)(4TdpKi@ zN!-C$(r00e?Pbj7rP=9!_KsjSP?h{eQ?zL}KWiF4w6zR^06;n0-t%c_q<_LFFx7z3 zfSG)fkSH{;?UO$X4fEH0!6)+uY~-7TMAIgI0Dr67E(sr*gxja`SG=Az1@q@9cw}9FZ9K44*UyrGBkKCICjbZ6^}lx=@UXi6 z6wGL8+<_2_6~C%h#!4EyEDiS)-x4`-9%F?{o=6Dds9jOTYgevyT#p9$NJ8ph-8)JjuQ*Jglfs|X!o0>JQ zj=08)vNBJaVEKKAtT-jRTz}MdbLXj3r{v};$u=`@W}f!6#ftds1B_*SU83|CE8jYX zDespwb~|SjxA;AA6JIxMlj&PN*e`Bq_kE1@43=ARo11u+-@ViGkrIUz#D%Sl33?E( zgG3OqO4&5Q_59_G{S3+DAaSOm5+{g!8Bq47jA7zOM zI7j0WNH+|++>LyWWlz$NGila0kDF6AU7K|{NX+VhJ=WF_T+id&FF0!K!Ujk(j>^pq zQYn(!a!~w6A=6^Xo}Ydt%=_}WF2urimYJP;p z`B{8lz(`j$ylBIhHm509u}TwEaqEqYDelG&OT#NzSXI2gf-#5kX1fm}N8+mD?GWhs zY-!j5lVas9%?FG!x>a#5#v`keixJjDSvgtU;*iqh7IE%;@-~vZ_d)L~D-M^GW;s~x zuZoFqS*&zsbZZkl1g=rFG)#hXxut?e;|bldIF_=~hm^H61d)n@sewNkCyFd&#qC}x z(d?Fn(HJgIkeQ82r9xaF%u8;FEp&;7_$BjQo(chX%i_t)w|Z z9~?QG|06Jjrp`M0?SQG9`t{MZ`sn*Sqi@wmKaCv4)VE(7?W)FTJYg5kj5bY@X84|5 z-=(VOpm@-uu#m!#YU;cLCRIE<0|~btJNEP}#t!%3i1%cJ`w5w^su~`@4 z&b^U5wTRK!dG`l@rzFG?Dp5}BN62l*DX<)HH+0lc04qHC;V#tzF!neVlh7XLcs%d$ z>~Z0Z{D+X0aYgGf36-(N%E4L{>&Ihi8%G69LV0rY#?V~Tr@S+?P_Q>}e`~0a*uWF5 zHwr$be1mm`=!Jz^+B{Znc1SiV5%^<1!~bcu`mfQ-zgBY0N)wL@n;voUdTp25waYah(uf#KXeJ3G)ki zS$N3Me59{dc8Ux6>hRoDb0HS*f+{WnmX)`aUR4w{@*P#|mq}J7RV$}e(W{Vu5S}A! 
zU&})yVp61gNd=ohhzyZCah+-RqRN8jNy3KT4FTlC?&XUjt`C_EuDJOLsl%J_e(647 zcRTNlh!bX(b9Y3MP~_&BkvE(E!M8Axy^N|(8(K4PAl_f-e!52mq3;$EbUx=y~ z(#v>*ZL&`txsT*^{O;%s(`o)f^f}WIo)JA+D5~X0Z7IU$&v~z{+w>Ffj7b$Xf5v-b zy7?P1v0jdB^PAiq8*loC`^QZd-jVqYabrwZxhw9RUw1K%t@5s%+HZ-rb2Tc%|J$i} ztlOw+rS>mvDa6E|Gj(&GkV@ooRek${5onzAMF+`N}k` z(4h}h)qP8^sy24iSXHqQmm{qzF>H)G#~*h?Q%?}mxRiM11O8n~jo?_$SENeAH{_rg zpto`moWU4rY{3w3)khS9oKym?Bxa_PA5Y$M}EC)di)RA{cpan#0wjtE0 z*O%8s9b2Ve03fk4zoD5>71#E2P=*R)?)q#ZDeODn5KAXe}PO<@YpL70-<)iFugJ z7mZryV)VH4Ta~wzK2`h-lTdH&8HcA=E%&9Ns<%v4>-$WWrV!A|yY)W{mThk|iw~`Y zMYnUL-rz3|WvrpYX|+$F`wCT;&Rxd&;?afuE4Ux$alE#@J=-#sI@ z_|3+^yhC&pRq>ZBZSxwgg3IWD*Fmd)9r5Gs#)vxyj5uM8cm*SHzA~`x7^wWLO#}bR zN$r%Q#b&WYJV>rU8%BlT6Rak}FUQ6GH-%t}%-4^J5Pp}%A089#NW^&Z4c zZR?*{0>u9aDV~Oc){N+#WYnasr={V9ZX_2$QLh_S5xs_tVlV5ri*35mP*f!M0^MjD z(dA_H(Pw1jaxQ}ZPf40f(!Rfv)R_Ze2@bzI2|}f0k9&8ICZ`R2j^qK5e|ZZ2Rq@G8 zE#9RNf7zxBX^!)Q2836$2?x?va)q4n~;Td7)kRD_lWV71A=c@YTP{HVDknfT2o3UVY9iY zO4ki`r{U(PT%a34R0dBk~ZsTwVX}t%iP!t`G6( zBX#|wy53oX=LquXOuBCCt!#$&kaM8)_9*|7rcJ!j7?=y4;L&yIy48j*2D&Rq6fNNA zbltdHd28lPLu@d?`bLJ`%74hr4=#t&bLn%mObJlM32A(KR!Bw?6vYECgcb-2n+trf z;8_2f5LGloQlfYp?=EZ7`1Y(_t~(dNz5b?FiSmV4+hV0Z^H4qsXKtP!)%a;=vPAg_Q+7 zZ$d))%3Jj76_uv5aFb8dY?DfoZ%?>c zsJ)4g&YmcgkK|R^(V=G-8`gU2&nql%BFXg)NDEi;o;(QhRGGA401+Q^mSe9-p&h zc@DFtuQE&KRh{85EJ>?$I{Ti%rfY2eaeKp+nh+`^fwFQ&e??o9z#p*B8gUE>qdjtC zEedOX#@88L`O05Zak{iMuVDOb@sv1gZL(4!;TuY^R7$I8m+7usr0E=%LMNozizU0I zVKWj3x9u~0eV)~HkpCfXjc`1NTc(rYQYGbJrIuGF=&8g06?udYS(U2z9=t(?uVGrL zP{mgvD25B<=xizmC>v94{GuZ+`cY_fK`0<}V67 z5PdBUa$t$(mV(5H(~!b}pDKQcuSuGN9-ITLt}~jK7vyI)Lag+aG+uGy9nK8~k>TT_ z_5p@G)?ZcW6AK0m0!!z3coaWbFjaW8ga=HUKRg;kP;5L!PZhnRc0)FSE2sUN(=^ggb(tM~IPKe1B2C>m0_r zaS=r@cvr;q?TDNLO)>&4B3?27kx;Wa80N>#Kf#S2-1ngL;I0~!XF3Y*3S>BLX>xP0 z32Z1<%{}ERZXfkWlRC9;sqwa1SYJEVR~5TP&`dA)Q7}}yae&b%RPj$E_#@Y6<*d-u z^Q2`MZP&j2+GouCb@WY|x{XF>s9J;3jvg{Ldj$6@&Ir>u*;F?T1-fuhm-t5xd&9-WX+aef1FR@H=ndqXxceU|q{t6y0?3yUxHx z23~Anr-54y{J4P+8Thn;FB`a5$19lEgSz8j11A_b)4)>y5Ha*HSm4| 
zA2sk91AofT&JJ}27>|`;;7kJ-7`Vc~l?GmI;0*@eZQ$NN=uvkY_?Uq=7_&WX@W1TT z?c6$cu@i>ic?0h-aIJx>3|wyDi3UzE@Gt}GZW+7quui>d;J+EzqhDw6vo-8uY_}nB z7+5m!{RUoS;9&;t-J!d>WZ<_9{Jep;8hD+7R~UGvfn@_{5-tG58UpJho)~q!cNVi# z(pE0iaat~z(medJN>JO0jU1r=h69Zi3#PkckE0k zEyF+UoJ-a^CHi22=Ud2_4cH@-($ZM(;GXyog>9 z?rUL8@`ik^ZnuZO?i`-{3&(#B$mw#DN*N$oz&4Z?)CNPANwTN;Kb_-EHl9_JGs!&< z!9W&c7MOXlzxMyef&hJn7%~R!;lmQWnRT%rvsMga*44q)?s@$AnvlRF2!>40z;tLJ zV@LR(Yf=OI3~5>rV_m};>*IlUhMM|#@|}r+#hdjJyAkaq5v`byT@&o`_h$YTLz#d2 zkY1n5-j!NJ&LM1fC}ZJP#hw~TSW4tI>!c83#BkG zSQ{Hwn#kC<0H0QU4X^RMZf&&d8V7Ayf|-enJD6xX!n{lMxXzf3Xq>OH-Q&=4#xr&g zdD0?$RpSR`W3dhIq#wu+9Aokpn0LC67A6g5L5md@lzBgozRQ=ME9I_9E_(P%tYBF9 zAm(e@%!D*Ogi6nXIJdHD2V-vl>|6AQ`3-OJVwS}L*h>p5%|{jkDDPt!_73vj%CO`E zY{HU#`4@MI+7jOtMJQ@rtd{Gwp4l`1zyfd+`7_{qWA@+jlpzCc_=a^OT#M)Hx0JP5 z&&L2bo2(mW`*z^4NG~?j6wSOY3u*N5NCg&yZ-4>LDCV;`o|TrP`vV%b8tYvlY5XO~ z9wZs;Nk5PuI0kASdiP_luZ$Qzs>JDBh~fw!Z0tv=35FAJ>^;8&=v_(Guo)l=reX{k zGx`AF zW7^h@!}0#lc*w?dpRrx^D(Pn1F9%p62DL)EYGdKxjE+vGUL`t?f3PuS&|Xs~AKVnr zGn>x4sFF}$+Xr|MG~qV^dq7`nWT2^`#RQ=`gC-mcaD%?q)<9Exn~qjC44sDXEPw=> z@OA(yKfBiIK%?ck*go{VN-%^QLeRxPw*o(c_SQfH2DCY9e=5XIEsa{; zWx$7!6aF613!3m4bTx+dk_Jp&tYI@Qgag|dwY(|eh#E$O*8}XJYk@1!wB~`n*1SMd z6Kje^kf2+E??%tsPxb?P7xgp=jp}pA3FiU&Kx-|^1%^5pb+WtBhax}|-Ue`hCcFbs z0eWE18Q71gFFiC7*BRIl_QA#R2x!7dfK#C9GI=-PL(m<-VRi%r+GPV#l!s;6f{1{B z2e5*!240SiWFvY&ccLye3LT~ba>50GWi)m`*P#xj0@gxK_~8Pq4rsy$0Z)LYFZ{n0 zV*mGpVR)Nm1G~q- z&T^?7``b+kAGC@-h{NiT1Ib!lkBp6^B=rmv%Pz|~ixD4O~T?xDpuomr&M58v{`vj&`)B!l9-iy_ zyw7`kp7%Yl;>`RN-uasiDYa>)JDL8|#ZpnL%0kn}%e=3jT>9KiE1Ef-pcOd%CkDCNZ>X0GL|9 zK)_U9Ec6vtv8P9ziirzVeZeR52Ry;o2z?D}_}lossOc-=OM{SN54vl`%icZ&GeyBM>}ZSo=04r^3}XIiYiM|+8B$4GxTOfV%|S;@*_<>SgL z>-+XBR^FJ_kFh2Fokc5ebfq!o9J2Dpige%sD{rt2 z;B>qE-<=~$WY_O|mB?cQ%6r`GY+ZSyumGxHs8-%MaR*~{$>s9R68UgN!v&MO9m9W* z=D_YLI?#wY_S6JP4T{PAK4cC1P3|4Q6(rb7f-5HX%fL4IiX?w6U#e)h;*`pVU0F1$ zJnM=nnU$E{jmIFjAitCvzA!!6 z(kTHu(S_YI&nE9F&HAuh{!|giPh+e+Yj3M@_d3Q52%|jfL#fgD3OLwH9^<9QK{Xnm 
zUx$rFZiJi`yNr2z`n!8W<1?kk1r~EvNma=dss6m#E{iwTFqV6vLcV5~FWcmk6%9w7 zlkA?5z0>%C;MInid`hph;M6A=>+C6cicYTL4ZR*4_vBRSc3-PeTF;n(7|`Efkm$X5 zmC9v->wNj3)HvM|CN(-OvA*u^^PoFLk}p$7lHHT|;GKMO$YRU!DQHJ7d%~cH=CW(G z>hjYD)#Z1q`T39${R_eEOol<{G6ZxNaf!q&0QVemNyN>p%$UBfj<(O5SB)| zKBVgfT|)zZHFS%mtcrU5u+_LszSZkJATbcht@b)Y<`0|V3u9L_+gzD1}h%&z+x7C%;T zA*{b^1^M-$c}-)s{3|A^KoP$|I*`2$EhhJF%&j7RK8g0)hr0q0JkFXTegJ`X1WoSe zVPcm*QhmTE_oyPihW6N3{p|2-r5)(8S+XUM_=oA_Z8>?r3Vom?+gz4x(~jCuMO*@x zc6m?kQMH3};Appxf^*4J2`?0)Hx-#glCR?Eo7^#^qF_FRKM6^IEF{_MU1*`+P3~jZ zn|9e|vD)QB(94It_xz|RZfIVIMv@bcV~#|Gr-)6e3u7gAB6i*zRlFoTy4ax{qpls^ zcP=Z+Eg!BcnvZhL#|oNfaxqJD(Sgka7uQr5BX7Bwr@H7KOY~LE&o}CvCieCD@z?wi z4?k9J4UZ|h<;K)KlE+bfZyOZR57N#@u$0HJZ<{-DOgam}iMO~caQ9C3=@P;1 z$AA`UrY1%Frvrduu{tLH$2eo)Q^G@`+MhjekCeX*x=x)V*j|U zz6J82DH6i{$ST+CcB=xs3_LA44vVaweNh(;B8AK)5Mc*LRi}Zwdw6ef5oRr zCWX4_R`-QEduNm)o~h6mEEsF-T}7Te;&`Gn(HEVs>9lH;-7LsmQ~9US zMTQ6-8B;E-t>-giVuU62d`Zk?A!9s09CM#oiCL;?94s~3EM_{y_+>QnirCoDvub%z z^O5mSZoW8nTtfUl#dIkSDDc6w1m84_B9pj-IVQ}#% zbEfdsX>K(ipJPJra(*UVRrK8>Oq2NWz5@*LT*w%U4##D-owAQzzNYxxvKLkpN)LFCv|bYwLDKFen4$MgDUMZOECrX7`*sqps6 zLTVAo7xhn%e;2eGkK}oh8Y^NNJmJU=FXP+$FLOC)xHHzuAIVo0F_#!*xM4#vdd2ia zHd4H2lv01yV0t_nwES894Z*ZwccXZ20W6L>`>R>N`$aHg?iOdPwZLhyIw{p$!{C}{ z`ZIR!2Btw4n_-WPH%FcMcPWtEmS&vn4EDoo4M%ZwO0bp~(?~+{$C9ZO;UrQxrCV^m z#+LD819A*8+<#z->qGcz4uV_sLw$_Rtibum6xjCJXr z5k4s6hXy7H|H$K=1LIv)$SvORPqD4HAZ{vNH!%f>{}3sz9#=QSHKNah_CBu8r^$Ul zGg?{>#WBrj6Va_?l-i+PH#TTS!;qT1TQ#F4M88NzU!Eo-mvavKia=WRdPsWpTar45 zLHGy>mqI94Z1HaHROPgQUy^(_E~4W5sRjdJZ)XsfYC6&-jxqXsU=`k&Q=8Cda98 zEXnU!xG=c5;5;Tr5nm=X?jLEexeSR~ogOA(qjBT!G+j?`Hm;I#J6#R#&*4i4&k&Z} z%})$Y3%fiI8xwDe{mwzy)@SDNpqv`vOgUeaGeCG`Fn=Lun6S2-f0dK%3LUKaGPys| z=Dh|hq24v#$X5G$>Rw&{rlzm*={=ghk59i&(~tJ)7i#*8HEMfj9mX-zr<2~Y76zKZ+bTfFQm*$m5 zy$Gf6>Syze3{%7>2Jt`VMdvPs0#9zA4(|a7${R-qV8Su~bts1R=@sins_WyWFZfIzxsHU(}sK zn&_$~>myR*ki(!9kzt(8aLbevYGT?6X>+VPBD|@v<+yRE7;}AqmLqy2SCs6Wq^gTP z9nA+1y&-r@`M~_lUN7}0le%!c3;Ofw{4C+QQob&~PtLn@w0jn%rW6EHO5JR*I4E1n 
zhm;f8d2Hre>)g7jXKvmjDmWj7A+w8Ej8Kj34QI)QlWO7gXRHcJ5p{#+&<8Qk)AWzcY_ z$OQ5F!tsf_sXabuWXtV4@5X1Xl{fs6gH5(}MVykwzb{Pa^Ck{168v=_MO*+sig>Y~ z>O*ztsmf5q8CiVr9r+>sea;l|lT2QB$K1$8Q(>tsr!@cxV94FG_=P(h!r760#ISk7 zlOy@7!v@7g&7xUDB3W(8_5+E^hPSfu=1hKR*aO0bOg?9Lp>V1%e{Oi1u&IRa9zIT3 zFn~uC6&cdGqiDDxjC+cTgzbI!!J-L*)$p3vFHRJOF$ z>b_DJO_?NIlH1fbg4mkQzaBBAcQkg4I_8EIJ!l79$lYHm|FHP|}1c$@hlYpkIs|JJ%h`1uY#tE57B zC6#Y2=@Y6wW{%k84n=gQ@^4CPi32erbb$l%?_C7(Q6t9)Ul;N}j&ulhDg4w(bLd}E zXv80@E~cb#(Tjqi051ZY!EcQo2nmbh^zlqp-(YrFbOQ3xU8`1W&(NKVlmU`=_#8-=WD7W9#<7u@A?C{ z9&hz=dhp!ey@4P9_u9f0x97e z@qR^oKc0qx3iuufMeM@IaLm)LKtI+()^|xt`i6L(Q$ENQY)7d*pe_-T4Ln|kK*F9b zz~{99@Q)EM8^0ig2fUs$bR%^j8-F0w zXspJ>v>M0Yw-%fYlos4Lo$_@@!HtFt$1PiGj52_|7qjLa`77=p^?Nh+sGnWa%~LSH zR?M#=#;Mc!kE;|6Wp5M%lnO<>7RN7)88U1a{<0w9=*&ZF>#RKo4<58ms=D3!byeL& zt#cK%#HdFPJGL>7&lo!-W(*9J)_O%){-)|-=3RRZD(O*8uZ}G-2rpFd^Y$^5qF+{& zQS$1QKcirj_t>wTvf?}TEIzG=&VwSdilZ2$?-0q6qM0@z)QeFPi^oDG;et*NnM zqCq%W+VthP4|=5iR0bPo5+>t3C~q>B4W}V=7tNuBVkmxE#y^-iTsRTYq)c3F5axt) zXXOH6!JnJHsZ28LuqMSg46cNYu*Q#{j(>bs;|J=z#xXXIZoK%pPshu2yg|n=>9|G5 zM|JGg@vk}#dq(qP*077^=>nUMt8`qg<3&1NrQ?k{F4i6H()q(WKBMCwbIf5=Q^* z`X){Am5vYSc$G&}nFVJz7j)&`5^TJqw&R_hKCh7ez`qy;%6Ts9zYtscz9arjj zmyXx#c({(uIu6zGRei5~rQ_W?eoe<4b-YT)OLbhmkx6QZ6Lo>4PmLBgW3#6+EA8g6 zIU4RLBF#uZ7rr%;nlba;_!TyX@0t2YQ|+D8g#mL}IlG_DXHHha7UGYILs=fK>$Pky zy9d%5z&+rd>~6qZe(A2{|67ZuA=3wm>ApW|hM@CGgc!9N-~@vopDuJ=N(|rp;HExo zBK{QVoV(O%p${JTnS-!_d@@URHZ#xRa~6#mVvB=#QT5$UjEa1cZ;iJsTehrv4qh#6 zo(IPsm+XN{HM@WEQ;Q<|^~XDz9(M!hlhlG&A+|PT&mb-6vOJQt^TfsZ1{ zGZ=F~mSPl`u{u=!E9&Slt%npc2JPeH`uelj>JS!N*^9+4imH8P20y$wI(!p?A=5UP z28T1YiT|`XE4*EoW=Al#Kax5f?2IwA^KxfjSN}Cyi_M6(SY(WNLwpd6hvWFXU>2Vf z(0PC)c+aAoe=dES2PL4TVk2zk)Vhw9pcn8)GYc!ibQWqbmt`@HEDFFft z$Xmn0%#1}~?zizb>*57kkGiDH?7k>60Kc``EO+PQ()?J2;TY>tD>z^t{ZMKg{rUJs zK!I+4i{}#_N_O4ippENeWMXv-6AkY$e}@)Vn^BL(`95>xqj~|hkS8_5_f)>A5UZnm zCw+ImdmDql!2ENB>^MtL7Evv;h`c}W?;i@Jab16?*riSbW-uV1 zU0jl?9v=FWkT%$-SPL#Y4Hb-8)@!~0mZvS!-G+}_+S?U1Q@inGOkivRz<_=qL$Y`f 
zI4;qT1sjr?Ux$!QgYSSW1z!}yoJlO88jmErf=U2?r|xLJD=jL&2C|Rz5J=yh@7@OP z_}Qf|xHjoAc<#pQ6kwjCVSPOu6w^H95#P_Z&*DEbYPHRGG6$M)K0dy*fwlr? zq0*fpd#ZXaz3fr>I}V6itKmzaGeCE*W>oXC@-b@23EKcp(1gbT+@QNxr|y-DDp)yg zqV2FDyc2L9w2O##z%O9vs+v{ISg&;$5%7L10s`Fze7yt_gQlBoJU{|%2987RauD6E zj!`}P65xiM@D;!_)V5oFqFVM}qp|+7WVsbTGC6G~s9f$q6UuaLe|;ijE1>9JXu206Dn^Bs zm>t*Of~4)z)#Mg{}R-$6K{d0<=6=vj>RFzF$WFxp{pMcU2OmefF1xpfDzyi=m`h_1OkEp!GKy(EfVY>sMcATd3a-!~XyQ!}CD^ diff --git a/src/main.c b/src/main.c index 283eda0..36ef847 100644 --- a/src/main.c +++ b/src/main.c @@ -32,9 +32,9 @@ WCHAR g_szDeviceParition[MAX_PATH + 1]; //ntos PATCH_CONTEXT CcInitializeBcbProfiler; -PATCH_CONTEXT KeInitAmd64SpecificState; PATCH_CONTEXT SeValidateImageData; PATCH_CONTEXT SepInitializeCodeIntegrity; +PATCH_CONTEXT KiFilterFiberContext; //winload PATCH_CONTEXT ImgpValidateImageHash; 
@@ -213,72 +213,58 @@ BOOLEAN QueryCcInitializeBcbProfilerOffsetSymbols( return (Address != 0); } -BOOLEAN QueryKeInitAmd64SpecificStateOffsetSymbols( +/* +* QueryKiFilterFiberContextOffset +* +* Purpose: +* +* Search for KiFilterFiberContext pattern address inside ntoskrnl.exe. +* Function main Patch Guard Initialization. +* +*/ +BOOLEAN QueryKiFilterFiberContextOffset( _In_ ULONG BuildNumber, _In_ PBYTE DllBase, _In_ SIZE_T DllVirtualSize, _In_ IMAGE_NT_HEADERS *NtHeaders ) { - ULONG ScanSize = 0, PatternSize = 0, SkipBytes = 0; ULONG_PTR Address = 0; - PVOID Ptr, Pattern = NULL; - PVOID ScanPtr = NULL; + PVOID Ptr; - ScanPtr = supLookupImageSectionByNameULONG('TINI', DllBase, &ScanSize); + UNREFERENCED_PARAMETER(DllVirtualSize); switch (BuildNumber) { + case 7601: case 9200: case 9600: case 10240: case 10586: case 14393: case 15063: + case 16170: - ScanPtr = DllBase; - ScanSize = (ULONG)DllVirtualSize; - if (ScanPtr) { - Pattern = ptKeInitAmd64SpecificState_15063; - PatternSize = sizeof(ptKeInitAmd64SpecificState_15063); - SkipBytes = ptSubBytesKeInitAmd64SpecificState_15063; - } + Address = (ULONG_PTR)SymbolAddressFromName(TEXT("KiFilterFiberContext")); break; default: break; } - if ((ScanPtr == NULL) || (ScanSize == 0)) - return FALSE; - - if ((Pattern == NULL) || (PatternSize == 0)) - return FALSE; - - Address = (ULONG_PTR)FindPattern( - ScanPtr, - ScanSize, - Pattern, - PatternSize); - if (Address != 0) { // // Convert to physical offset in file. // Ptr = RtlAddressInSectionTable(NtHeaders, DllBase, (ULONG)(Address - (ULONG_PTR)DllBase)); - KeInitAmd64SpecificState.AddressOfPatch = (ULONG_PTR)Ptr - (ULONG_PTR)DllBase; - - // - // Skip 'mov' instruction - // - KeInitAmd64SpecificState.AddressOfPatch -= SkipBytes; + KiFilterFiberContext.AddressOfPatch = (ULONG_PTR)Ptr - (ULONG_PTR)DllBase; // // Assign patch data block to be written in patch routine. 
// - KeInitAmd64SpecificState.PatchData = pdKeInitAmd64SpecificState; - KeInitAmd64SpecificState.SizeOfPatch = sizeof(pdKeInitAmd64SpecificState); + KiFilterFiberContext.PatchData = pdKiFilterFiberContext; + KiFilterFiberContext.SizeOfPatch = sizeof(pdKiFilterFiberContext); } @@ -560,15 +546,15 @@ BOOLEAN ScanNtos() cuiPrintText(g_ConOut, szBuffer, g_ConsoleOutput, TRUE); // - // Scan for KeInitAmd64SpecificState + // Scan for KiFilterFiberContext // - if (!QueryKeInitAmd64SpecificStateOffsetSymbols(BuildNumber, DllBase, DllVirtualSize, NtHeaders)) { - supShowError(ERROR_CAN_NOT_COMPLETE, TEXT("Cannot query KeInitAmd64SpecificState offset")); + if (!QueryKiFilterFiberContextOffset(BuildNumber, DllBase, DllVirtualSize, NtHeaders)) { + supShowError(ERROR_CAN_NOT_COMPLETE, TEXT("Cannot query KiFilterFiberContext offset")); break; } - _snwprintf_s(szBuffer, MAX_PATH * 2, MAX_PATH, TEXT("-> KeInitAmd64SpecificState\t%08X"), - KeInitAmd64SpecificState.AddressOfPatch); + _snwprintf_s(szBuffer, MAX_PATH * 2, MAX_PATH, TEXT("-> KiFilterFiberContext\t%08X"), + KiFilterFiberContext.AddressOfPatch); cuiPrintText(g_ConOut, szBuffer, g_ConsoleOutput, TRUE); // @@ -716,7 +702,7 @@ BOOLEAN ModifyFilesAndMove( PatchContext[0] = (ULONG_PTR)&SeValidateImageData; PatchContext[1] = (ULONG_PTR)&CcInitializeBcbProfiler; PatchContext[2] = (ULONG_PTR)&SepInitializeCodeIntegrity; - PatchContext[3] = (ULONG_PTR)&KeInitAmd64SpecificState; + PatchContext[3] = (ULONG_PTR)&KiFilterFiberContext; if (!supPatchFile(szBuffer, (ULONG_PTR*)&PatchContext, 4)) return FALSE; diff --git a/src/patterns.h b/src/patterns.h index 66c1daf..fc81ff8 100644 --- a/src/patterns.h +++ b/src/patterns.h 
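Review bot: The new header comment on QueryKiFilterFiberContextOffset still says "Search for KiFilterFiberContext pattern address inside ntoskrnl.exe", but the rewritten body does no pattern search — for every listed build the address comes from `SymbolAddressFromName(TEXT("KiFilterFiberContext"))`, and `DllVirtualSize` is now only consumed by `UNREFERENCED_PARAMETER`. The comment should describe what the function now does, e.g. `* Resolve the KiFilterFiberContext address from symbols and convert it to a file offset for the patch context.`, and a short line noting that `DllVirtualSize` is kept only for signature compatibility with the caller in ScanNtos would save the next reader from looking for a scan that no longer exists. The hunk ends at the closing brace of the `if (Address != 0)` block; the function's return statement lies outside it.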
@@ -47,14 +47,8 @@ unsigned char ptCcInitializeBcbProfiler_7601[] = { 0x10, 0x89, 0x4C, 0x24, 0x08, 0x53, 0x55, 0x56 }; -// always in INIT -//Patch data for KeInitAmd64SpecificState (return TRUE; ) -unsigned char pdKeInitAmd64SpecificState[] = { 0xEB }; - -//search pattern for Windows 10 10.0.10563.0 -unsigned char ptKeInitAmd64SpecificState_15063[] = { 0x0B, 0xD0, 0x8B, 0xCA, 0xF7, 0xD9 }; - -#define ptSubBytesKeInitAmd64SpecificState_15063 16 +//Patch data for KiFilterFiberContext ( return TRUE; ) +unsigned char pdKiFilterFiberContext[] = { 0xB0, 0x01, 0xC3 }; //Always in PAGE