injection icon indicating copy to clipboard operation
injection copied to clipboard

Published 20 hours ago verified publisher icon odzhan

Adapt WNF injector to Windows 10

Open yardenshafir opened this issue 1 year ago • 2 comments

In Windows 10/11 the NamesTableEntry of the WNF_SUBSCRIPTION_TABLE isn't a list anymore, instead it's a tree. Handling should be adjusted based on the system build (not sure exactly what build that changed in, will check and update here).

yardenshafir avatar May 09 '23 12:05 yardenshafir

Hello Yarden :)

I intend to update all the injection PoCs soon because I realise some of them may not work anymore as a result of changes in structures such as those you mentioned with WNF. I'm sure there are others too, so I'll need to test them all again and fix the ones that no longer work. If you have any details of new structures for WNF, i'd be grateful for any help.

Thank you.

odzhan avatar May 09 '23 23:05 odzhan

Absolutely! The main relevant difference is that the names _LIST_ENTRY became _RTL_BALANCED_NODE, and there are a couple more ULONG fields before the RetryDescriptor (though I'm not sure that matters much in this case since it's not used for injection). If I have some time next week I'll open a PR updating the structure and changing the list search to a tree search, I'll also update which build this changed in :)

yardenshafir avatar May 10 '23 11:05 yardenshafir