
Windows 10 20H2 (October Update) Offsets

Open Narumiiii opened this issue 3 years ago • 11 comments

Can anyone share the offsets for 20H2 (October Update) or explain how to find them? Thanks. These are the offsets that need updating:

```cpp
pData->KExecOpt = 0x283;
pData->Protection = 0x87A;
pData->EProcessFlags2 = 0x9D4;
pData->ObjTable = 0x570;
pData->VadRoot = 0x7D8;
pData->PrevMode = 0x232;
pData->ExitStatus = 0x548;
pData->NtCreateThdExIndex = 0xC1;
pData->NtTermThdIndex = 0x53;
pData->MiAllocPage = 0;
```

Narumiiii avatar Oct 25 '20 01:10 Narumiiii

NtCreateThdExIndex and PrevMode are still the same (creating a thread works fine). ObjTable wasn't changed either, as far as I know. If you really want to know how to find the offsets: attach WinDbg to your VM with the newest Windows and type `dt nt!_EPROCESS`, replacing `_EPROCESS` with your struct name.

anarh1st47 avatar Oct 29 '20 18:10 anarh1st47
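The `dt nt!_EPROCESS` step above produces a long field listing that has to be turned into the `pData->...` assignments from the first post by hand. The script below is an added example (not BlackBone's own code) that parses WinDbg `dt` output and emits those assignments; the sample `dt` text is constructed for the example, using the field offsets quoted in this thread, and the `EPROCESS_MAP` field-to-member mapping is an assumption based on the member names in the first post.

```python
"""Turn WinDbg `dt nt!_EPROCESS` output into BlackBone-style pData offsets."""
import re

# Constructed sample of `dt nt!_EPROCESS` output (not a real kernel dump);
# the offsets are the ones quoted in this thread for 20H2.
SAMPLE_DT_OUTPUT = """\
nt!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x440 UniqueProcessId  : Ptr64 Void
   +0x548 ExitStatus       : Int4B
   +0x570 ObjectTable      : Ptr64 _HANDLE_TABLE
   +0x7d8 VadRoot          : Ptr64 Void
   +0x87a Protection       : _PS_PROTECTION
   +0x9d4 Flags2           : Uint4B
   +0x9d4 JobNotReallyActive : Pos 0, 1 Bit
"""

# One dt field line looks like "   +0x<hex> <Name> : <type>"
_FIELD_RE = re.compile(r"^\s*\+0x([0-9a-fA-F]+)\s+(\w+)\s*:\s*(.*)$")

def parse_dt(text):
    """Return {field_name: offset}. Bitfield members repeat the offset of the
    integer that holds them, so the first occurrence of a name wins."""
    offsets = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            offsets.setdefault(m.group(2), int(m.group(1), 16))
    return offsets

# Assumed mapping: dt field name -> pData member name used in the first post.
EPROCESS_MAP = {
    "Protection": "Protection",
    "Flags2": "EProcessFlags2",
    "ObjectTable": "ObjTable",
    "VadRoot": "VadRoot",
    "ExitStatus": "ExitStatus",
}

def blackbone_offsets(dt_text, field_map=EPROCESS_MAP):
    """Map parsed offsets onto pData members. A field missing from the dump
    raises instead of silently producing a zero offset for a new build."""
    parsed = parse_dt(dt_text)
    missing = [f for f in field_map if f not in parsed]
    if missing:
        raise KeyError(f"fields not found in dt output: {missing}")
    return {member: parsed[field] for field, member in field_map.items()}

def render(offsets):
    """Emit assignment lines in the form pasted in this thread."""
    return "\n".join(f"pData->{k} = 0x{v:X};" for k, v in offsets.items())

if __name__ == "__main__":
    print(render(blackbone_offsets(SAMPLE_DT_OUTPUT)))
```

Run it against the real `dt` output saved from WinDbg to diff a new build's offsets against the ones already in the driver.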

Does anyone have the offsets?

AzeDonLees avatar Nov 11 '20 12:11 AzeDonLees

Dumped. All the same 👍🏻

- LOG-KPROCESS: https://textuploader.com/1enl8/raw
- LOG-EPROCESS: https://textuploader.com/1enqa/raw
- LOG-KTHREAD: https://textuploader.com/1enq5/raw
- LOG-ETHREAD: https://textuploader.com/1enqd/raw

ghost avatar Dec 02 '20 16:12 ghost

@anarh1st47 Yes, thank you. So I figured out how to use WinDbg to dump the ntoskrnl structures, thank you for the hint. @inc-Majdev Do you know why VAD hiding results in a BSOD?

Narumiii avatar Dec 15 '20 06:12 Narumiii

> @inc-Majdev Do you know why VAD hiding results in a BSOD?

A struct should be added to the NativeStructs10.h header.

NativeStructs10.h

```c
typedef struct _MMVAD_SHORT_20H2
{
	union
	{
		struct
		{
			/* 0x0000 */ struct _MMVAD_SHORT_20H2* NextVad;
			/* 0x0008 */ void* ExtraCreateInfo;
		}; /* size: 0x0010 */
		/* 0x0000 */ _RTL_BALANCED_NODE VadNode;
	}; /* size: 0x0018 */
	/* 0x0018 */ unsigned long StartingVpn;
	/* 0x001c */ unsigned long EndingVpn;
	/* 0x0020 */ unsigned char StartingVpnHigh;
	/* 0x0021 */ unsigned char EndingVpnHigh;
	/* 0x0022 */ unsigned char CommitChargeHigh;
	/* 0x0023 */ unsigned char SpareNT64VadUChar;
	/* 0x0024 */ long ReferenceCount;
	/* 0x0028 */ _EX_PUSH_LOCK PushLock;
	union
	{
		union
		{
			/* 0x0030 */ unsigned long LongFlags;
			/* 0x0030 */ _MMVAD_FLAGS_20H2 VadFlags;
			/* 0x0030 */ _MM_PRIVATE_VAD_FLAGS PrivateVadFlags;
			/* 0x0030 */ _MM_GRAPHICS_VAD_FLAGS GraphicsVadFlags;
			/* 0x0030 */ _MM_SHARED_VAD_FLAGS SharedVadFlags;
			/* 0x0030 */ volatile unsigned long VolatileVadLong;
		}; /* size: 0x0004 */
	} /* size: 0x0004 */ u;
	union
	{
		union
		{
			/* 0x0034 */ unsigned long LongFlags1;
			/* 0x0034 */ struct _MMVAD_FLAGS1 VadFlags1;
		}; /* size: 0x0004 */
	} /* size: 0x0004 */ u1;
	/* 0x0038 */ struct _MI_VAD_EVENT_BLOCK* EventList;
} MMVAD_SHORT_20H2, *PMMVAD_SHORT_20H2; /* size: 0x0040 */
```

ghost avatar Dec 23 '20 18:12 ghost

> > @inc-Majdev Do you know why VAD hiding results in a BSOD?
>
> A struct should be added to the NativeStructs10.h header.
>
> NativeStructs10.h
>
> ```c
> typedef struct _MMVAD_SHORT_20H2
> {
> 	union
> 	{
> 		struct
> 		{
> 			/* 0x0000 */ struct _MMVAD_SHORT_20H2* NextVad;
> 			/* 0x0008 */ void* ExtraCreateInfo;
> 		}; /* size: 0x0010 */
> 		/* 0x0000 */ _RTL_BALANCED_NODE VadNode;
> 	}; /* size: 0x0018 */
> 	/* 0x0018 */ unsigned long StartingVpn;
> 	/* 0x001c */ unsigned long EndingVpn;
> 	/* 0x0020 */ unsigned char StartingVpnHigh;
> 	/* 0x0021 */ unsigned char EndingVpnHigh;
> 	/* 0x0022 */ unsigned char CommitChargeHigh;
> 	/* 0x0023 */ unsigned char SpareNT64VadUChar;
> 	/* 0x0024 */ long ReferenceCount;
> 	/* 0x0028 */ _EX_PUSH_LOCK PushLock;
> 	union
> 	{
> 		union
> 		{
> 			/* 0x0030 */ unsigned long LongFlags;
> 			/* 0x0030 */ _MMVAD_FLAGS_20H2 VadFlags;
> 			/* 0x0030 */ _MM_PRIVATE_VAD_FLAGS PrivateVadFlags;
> 			/* 0x0030 */ _MM_GRAPHICS_VAD_FLAGS GraphicsVadFlags;
> 			/* 0x0030 */ _MM_SHARED_VAD_FLAGS SharedVadFlags;
> 			/* 0x0030 */ volatile unsigned long VolatileVadLong;
> 		}; /* size: 0x0004 */
> 	} /* size: 0x0004 */ u;
> 	union
> 	{
> 		union
> 		{
> 			/* 0x0034 */ unsigned long LongFlags1;
> 			/* 0x0034 */ struct _MMVAD_FLAGS1 VadFlags1;
> 		}; /* size: 0x0004 */
> 	} /* size: 0x0004 */ u1;
> 	/* 0x0038 */ struct _MI_VAD_EVENT_BLOCK* EventList;
> } MMVAD_SHORT_20H2, *PMMVAD_SHORT_20H2; /* size: 0x0040 */
> ```

Many thanks!

Narumiii avatar Dec 24 '20 11:12 Narumiii

@inc-Majdev Even after I've done all of the above, `Driver().EnsureLoaded()` still fails: "BlackBone: Failed to load driver D:\Connor\build\Debug\BlackBoneDrv10.sys. Status 0xC0000428". Any advice? Also, your GitHub repository is missing.

oiramario avatar Mar 30 '21 02:03 oiramario

> @inc-Majdev Even after I've done all of the above, `Driver().EnsureLoaded()` still fails: "BlackBone: Failed to load driver D:\Connor\build\Debug\BlackBoneDrv10.sys. Status 0xC0000428". Any advice? Also, your GitHub repository is missing.

Maybe Google it? 0xC0000428 is STATUS_INVALID_IMAGE_HASH: your driver is not signed.

boris768 avatar Apr 01 '21 06:04 boris768

@boris768 Thanks, I solved the problem.

oiramario avatar Apr 01 '21 19:04 oiramario

@Narumiii Do you have NativeStructs10 for 21H1?

aCoDenz avatar Aug 21 '21 09:08 aCoDenz

> @Narumiii Do you have NativeStructs10 for 21H1?

NativeStructs10_21H1.h

ghost avatar Aug 21 '21 09:08 ghost