Add Legacy Windows Support using WDK 7.1.0
Closes Issue: https://github.com/NSG650/NoMoreBugCheck/issues/4
Hey! Thank you for taking interest in the project and creating a PR! I have 2 concerns with this atm.
Are you sure the shell code will work on x86? Did you try compiling the project as C?
Microsoft (R) Program Maintenance Utility Version 9.00.30729.207
Copyright (C) Microsoft Corporation. All rights reserved.
path contains nonexistant c:\windows\system32\openssh\, removing
path contains nonexistant c:\windows\system32\config\systemprofile\.dnx\bin, removing
path contains nonexistant c:\program files (x86)\windows kits\8.0\windows performance toolkit\, removing
path contains nonexistant c:\users\ce1cecl\.dotnet\tools, removing
BUILD: Compile and Link for x86
BUILDMSG: _NT_TARGET_VERSION SET TO WINXP
C:\WinDDK\7600.16385.1\Bin\x86\oacr\oacrcl @c:\users\ce1cecl\downloads\nomorebugcheck\nomorebugcheck\objfre_wxp_x86\i386\cl.rsp
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.207 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.
cl /Fo"c:\users\ce1cecl\downloads\nomorebugcheck\nomorebugcheck\objfre_wxp_x86\i386/"
/FC
/Ii386
/I.
/Ic:\users\ce1cecl\downloads\nomorebugcheck\nomorebugcheck\objfre_wxp_x86\i386
/IC:\WinDDK\7600.16385.1\inc\api
/IC:\WinDDK\7600.16385.1\inc\api
/IC:\WinDDK\7600.16385.1\inc\ddk
/IC:\WinDDK\7600.16385.1\inc\ddk
/IC:\WinDDK\7600.16385.1\inc\crt
/D_X86_=1
/Di386=1
/DSTD_CALL
/DCONDITION_HANDLING=1
/DNT_UP=1
/DNT_INST=0
/DWIN32=100
/D_NT1X_=100
/DWINNT=1
/D_WIN32_WINNT=0x0501
/DWINVER=0x0501
/D_WIN32_IE=0x0603
/DWIN32_LEAN_AND_MEAN=1
/DDEVL=1
/D__BUILDMACHINE__=WinDDK
/DFPO=0
/DNDEBUG
/D_DLL=1
/DNDEBUG
/DNTDDI_VERSION=0x05010200
/c
/Zc:wchar_t-
/Zl
/Zp8
/Gy
/Gm-
-cbstring
/W0
/WX
/Gz
/hotpatch
/EHs-c-
/GR-
/GF
/GS
/Zi
/Oxs
/Oy-
/Zi
/Fdc:\users\ce1cecl\downloads\nomorebugcheck\nomorebugcheck\objfre_wxp_x86\i386\
/DKMDF_MAJOR_VERSION_STRING=01
/DKMDF_MINOR_VERSION_STRING=009
/wd4603
/wd4627
/typedil-
/FIC:\WinDDK\7600.16385.1\inc\api\warning.h
.\driver.c
driver.c
c:\users\ce1cecl\downloads\nomorebugcheck\nomorebugcheck\driver.c(6) : error C2059: syntax error : 'string'
NMAKE : fatal error U1077: 'C:\WinDDK\7600.16385.1\Bin\x86\oacr\oacrcl.EXE' : return code '0x2'
Stop.
That happens when I renamed driver.cpp to driver.c without any further mods from me (didn't remove the extern C). To compare, here is the one for my current PR commit:
Microsoft (R) Program Maintenance Utility Version 9.00.30729.207
Copyright (C) Microsoft Corporation. All rights reserved.
path contains nonexistant c:\windows\system32\openssh\, removing
path contains nonexistant c:\windows\system32\config\systemprofile\.dnx\bin, removing
path contains nonexistant c:\program files (x86)\windows kits\8.0\windows performance toolkit\, removing
path contains nonexistant c:\users\ce1cecl\.dotnet\tools, removing
BUILD: Compile and Link for x86
BUILDMSG: _NT_TARGET_VERSION SET TO WINXP
C:\WinDDK\7600.16385.1\Bin\x86\oacr\oacrcl @c:\users\ce1cecl\downloads\nomorebugcheck\nomorebugcheck\objfre_wxp_x86\i386\cl.rsp
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.207 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.
cl /Fo"c:\users\ce1cecl\downloads\nomorebugcheck\nomorebugcheck\objfre_wxp_x86\i386/"
/FC
/Ii386
/I.
/Ic:\users\ce1cecl\downloads\nomorebugcheck\nomorebugcheck\objfre_wxp_x86\i386
/IC:\WinDDK\7600.16385.1\inc\api
/IC:\WinDDK\7600.16385.1\inc\api
/IC:\WinDDK\7600.16385.1\inc\ddk
/IC:\WinDDK\7600.16385.1\inc\ddk
/IC:\WinDDK\7600.16385.1\inc\crt
/D_X86_=1
/Di386=1
/DSTD_CALL
/DCONDITION_HANDLING=1
/DNT_UP=1
/DNT_INST=0
/DWIN32=100
/D_NT1X_=100
/DWINNT=1
/D_WIN32_WINNT=0x0501
/DWINVER=0x0501
/D_WIN32_IE=0x0603
/DWIN32_LEAN_AND_MEAN=1
/DDEVL=1
/D__BUILDMACHINE__=WinDDK
/DFPO=0
/DNDEBUG
/D_DLL=1
/DNDEBUG
/DNTDDI_VERSION=0x05010200
/c
/Zc:wchar_t-
/Zl
/Zp8
/Gy
/Gm-
-cbstring
/W0
/WX
/Gz
/hotpatch
/EHs-c-
/GR-
/GF
/GS
/Zi
/Oxs
/Oy-
/Zi
/Fdc:\users\ce1cecl\downloads\nomorebugcheck\nomorebugcheck\objfre_wxp_x86\i386\
/DKMDF_MAJOR_VERSION_STRING=01
/DKMDF_MINOR_VERSION_STRING=009
/wd4603
/wd4627
/typedil-
/FIC:\WinDDK\7600.16385.1\inc\api\warning.h
.\driver.cpp
driver.cpp
C:\WinDDK\7600.16385.1\Bin\x86\oacr\oacrlink /out:c:\users\ce1cecl\downloads\nomorebugcheck\nomorebugcheck\objfre_wxp_x86\i386\nomorebugcheck.sys /machine:ix86 @c:\users\ce1cecl\downloads\nomorebugcheck\nomorebugcheck\objfre_wxp_x86\i386\lnk.rsp
Microsoft (R) Incremental Linker Version 9.00.30729.207
Copyright (C) Microsoft Corporation. All rights reserved.
/MERGE:_PAGE=PAGE
/MERGE:_TEXT=.text
/SECTION:INIT,d
/OPT:REF
/OPT:ICF
/IGNORE:4198,4010,4037,4039,4065,4070,4078,4087,4089,4221
/INCREMENTAL:NO
/release
/NODEFAULTLIB
/WX
/debug
/debugtype:cv,fixup,pdata
/version:6.1
/osversion:6.1
/functionpadmin:5
/safeseh
/pdbcompress
/STACK:0x40000,0x1000
/driver
/base:0x10000
/align:0x80 /stub:c:\winddk\7600.16385.1\lib\wxp\stub512.com
/subsystem:native,5.01
/entry:GsDriverEntry@8
/out:c:\users\ce1cecl\downloads\nomorebugcheck\nomorebugcheck\objfre_wxp_x86\i386\nomorebugcheck.sys
c:\users\ce1cecl\downloads\nomorebugcheck\nomorebugcheck\objfre_wxp_x86\i386\driver.obj
c:\winddk\7600.16385.1\lib\wxp\i386\BufferOverflowK.lib
c:\winddk\7600.16385.1\lib\wxp\i386\ntoskrnl.lib
c:\winddk\7600.16385.1\lib\wxp\i386\hal.lib
c:\winddk\7600.16385.1\lib\wxp\i386\wmilib.lib
c:\winddk\7600.16385.1\lib\wxp\i386\sehupd.lib
As for the shell code working on x86, I haven't tested it myself yet, but I hope to reinstall an XP 32-bit VM later today and test it out. Edit: This happens when you do driver.c WITHOUT the extern:
Microsoft (R) Program Maintenance Utility Version 9.00.30729.207
Copyright (C) Microsoft Corporation. All rights reserved.
path contains nonexistant c:\windows\system32\openssh\, removing
path contains nonexistant c:\windows\system32\config\systemprofile\.dnx\bin, removing
path contains nonexistant c:\program files (x86)\windows kits\8.0\windows performance toolkit\, removing
path contains nonexistant c:\users\ce1cecl\.dotnet\tools, removing
BUILD: Compile and Link for x86
BUILDMSG: _NT_TARGET_VERSION SET TO WINXP
C:\WinDDK\7600.16385.1\Bin\x86\oacr\oacrcl @c:\users\ce1cecl\downloads\nomorebugcheck\nomorebugcheck\objfre_wxp_x86\i386\cl.rsp
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.30729.207 for 80x86
Copyright (C) Microsoft Corporation. All rights reserved.
cl /Fo"c:\users\ce1cecl\downloads\nomorebugcheck\nomorebugcheck\objfre_wxp_x86\i386/"
/FC
/Ii386
/I.
/Ic:\users\ce1cecl\downloads\nomorebugcheck\nomorebugcheck\objfre_wxp_x86\i386
/IC:\WinDDK\7600.16385.1\inc\api
/IC:\WinDDK\7600.16385.1\inc\api
/IC:\WinDDK\7600.16385.1\inc\ddk
/IC:\WinDDK\7600.16385.1\inc\ddk
/IC:\WinDDK\7600.16385.1\inc\crt
/D_X86_=1
/Di386=1
/DSTD_CALL
/DCONDITION_HANDLING=1
/DNT_UP=1
/DNT_INST=0
/DWIN32=100
/D_NT1X_=100
/DWINNT=1
/D_WIN32_WINNT=0x0501
/DWINVER=0x0501
/D_WIN32_IE=0x0603
/DWIN32_LEAN_AND_MEAN=1
/DDEVL=1
/D__BUILDMACHINE__=WinDDK
/DFPO=0
/DNDEBUG
/D_DLL=1
/DNDEBUG
/DNTDDI_VERSION=0x05010200
/c
/Zc:wchar_t-
/Zl
/Zp8
/Gy
/Gm-
-cbstring
/W0
/WX
/Gz
/hotpatch
/EHs-c-
/GR-
/GF
/GS
/Zi
/Oxs
/Oy-
/Zi
/Fdc:\users\ce1cecl\downloads\nomorebugcheck\nomorebugcheck\objfre_wxp_x86\i386\
/DKMDF_MAJOR_VERSION_STRING=01
/DKMDF_MINOR_VERSION_STRING=009
/wd4603
/wd4627
/typedil-
/FIC:\WinDDK\7600.16385.1\inc\api\warning.h
.\driver.c
driver.c
c:\users\ce1cecl\downloads\nomorebugcheck\nomorebugcheck\driver.c(24) : error C2275: 'LARGE_INTEGER' : illegal use of this type as an expression
c:\winddk\7600.16385.1\inc\api\ntdef.h(944) : see declaration of 'LARGE_INTEGER'
c:\users\ce1cecl\downloads\nomorebugcheck\nomorebugcheck\driver.c(24) : error C2146: syntax error : missing ';' before identifier 'Delay'
c:\users\ce1cecl\downloads\nomorebugcheck\nomorebugcheck\driver.c(24) : error C2065: 'Delay' : undeclared identifier
c:\users\ce1cecl\downloads\nomorebugcheck\nomorebugcheck\driver.c(26) : error C2065: 'Delay' : undeclared identifier
c:\users\ce1cecl\downloads\nomorebugcheck\nomorebugcheck\driver.c(26) : error C2224: left of '.LowPart' must have struct/union type
c:\users\ce1cecl\downloads\nomorebugcheck\nomorebugcheck\driver.c(27) : error C2065: 'Delay' : undeclared identifier
c:\users\ce1cecl\downloads\nomorebugcheck\nomorebugcheck\driver.c(27) : error C2224: left of '.HighPart' must have struct/union type
c:\users\ce1cecl\downloads\nomorebugcheck\nomorebugcheck\driver.c(29) : error C2065: 'Delay' : undeclared identifier
c:\users\ce1cecl\downloads\nomorebugcheck\nomorebugcheck\driver.c(35) : error C2143: syntax error : missing ';' before 'type'
c:\users\ce1cecl\downloads\nomorebugcheck\nomorebugcheck\driver.c(37) : error C2065: 'Status' : undeclared identifier
c:\users\ce1cecl\downloads\nomorebugcheck\nomorebugcheck\driver.c(45) : error C2061: syntax error : identifier 'DriverEntry'
c:\users\ce1cecl\downloads\nomorebugcheck\nomorebugcheck\driver.c(45) : error C2059: syntax error : ';'
c:\users\ce1cecl\downloads\nomorebugcheck\nomorebugcheck\driver.c(45) : error C2059: syntax error : 'type'
NMAKE : fatal error U1077: 'C:\WinDDK\7600.16385.1\Bin\x86\oacr\oacrcl.EXE' : return code '0x2'
Stop.
Hm, what a coincidence. I did the same thing two months ago, although the code seems to be nicely formatted. What's changed except adding /W3?
https://github.com/Zero5k/NoMoreBugCheck-legacy
I've noticed you seem to have left shellcode the same as well. Does it work?
50/50. On WinXP, both x86 and x64, it either does not give the BSOD and freezes (on rare occasions it won't BSOD) or the shellcode simply does not take effect.
On Win Vista and greater there's no issue, the bypass works perfectly. A friend of mine tried on Win2000 after somehow patching the XP driver to work on W2000 and it didn't BSOD.
I got a question. What's the purpose of having a CHAR array with hex code in it?
Isn't it the same thing as
#if defined(_M_IX86) || defined(_M_X64)
CHAR Patch() = {
    __asm {
        mov r10,
        jmp r10
    }
};
You can't do inline assembly in x64 MSVC. Also it would make a lot more sense like that since it's copying raw shellcode bytes like that. For x86 I think you should probably do some similar shellcode like jmp 0x00000000.
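An added example (not part of this PR or of the NoMoreBugCheck project): a hosted C routine that inspects the first bytes of a kernel routine for the absolute-jump trampoline forms brought up in this thread (x64 `mov r10, imm64; jmp r10`, plus the x86 variants an x86 port would need) and recovers the jump target, the kind of prologue check an integrity monitor performs. The byte encodings are standard x86/x64 machine code assumed here; the project's actual shellcode bytes are not on this page, and the sample buffers are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Result of inspecting a function's first bytes for an absolute-jump
 * trampoline of the forms discussed in the thread. */
typedef struct {
    int found;         /* 1 if a known trampoline pattern matched */
    const char *form;  /* which pattern matched */
    uint64_t target;   /* decoded jump destination when found */
} TrampolineInfo;

static uint64_t read_le(const uint8_t *p, size_t n) {
    uint64_t v = 0;
    size_t i;
    for (i = 0; i < n; i++) v |= (uint64_t)p[i] << (8 * i);
    return v;
}

/* 'code' holds 'len' bytes copied from virtual address 'va'. Encodings are
 * standard x86/x64 machine code (assumed here, not the project's bytes):
 *   x64: 49 BA <imm64> 41 FF E2   mov r10, imm64 ; jmp r10
 *   x86: B8 <imm32> FF E0         mov eax, imm32 ; jmp eax
 *   x86: 68 <imm32> C3            push imm32 ; ret
 *   any: E9 <rel32>               jmp rel32 (relative to the next instruction)
 * A real function may legitimately begin with mov eax, imm32, so a match is
 * a signal to compare against known-good bytes, not proof of tampering. */
TrampolineInfo inspect_prologue(const uint8_t *code, size_t len, uint64_t va) {
    TrampolineInfo r = { 0, "clean", 0 };
    if (len >= 13 && code[0] == 0x49 && code[1] == 0xBA &&
        code[10] == 0x41 && code[11] == 0xFF && code[12] == 0xE2) {
        r.found = 1; r.form = "x64 mov r10,imm64; jmp r10"; r.target = read_le(code + 2, 8);
    } else if (len >= 7 && code[0] == 0xB8 && code[5] == 0xFF && code[6] == 0xE0) {
        r.found = 1; r.form = "x86 mov eax,imm32; jmp eax"; r.target = read_le(code + 1, 4);
    } else if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        r.found = 1; r.form = "x86 push imm32; ret"; r.target = read_le(code + 1, 4);
    } else if (len >= 5 && code[0] == 0xE9) {
        int32_t rel = (int32_t)(uint32_t)read_le(code + 1, 4);
        r.found = 1; r.form = "jmp rel32"; r.target = va + 5 + (int64_t)rel;
    }
    return r;
}

int main(void) {
    /* Constructed sample: an x64 prologue overwritten with mov r10,imm64; jmp r10. */
    const uint8_t patched[] = { 0x49, 0xBA, 0x67, 0x45, 0x23, 0x01, 0x00, 0xF8, 0xFF, 0xFF,
                                0x41, 0xFF, 0xE2 };
    TrampolineInfo r = inspect_prologue(patched, sizeof patched, 0xFFFFF80001000000ULL);
    printf("%s -> %#llx\n", r.form, (unsigned long long)r.target);
    return 0;
}
```

Compare the recovered target against the image's own address range: a prologue jump landing in a loaded driver or non-image memory is the indicator worth alerting on.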
Any updates on that PR?