PCILeech Gensig

Open aaronssu opened this issue 5 years ago • 10 comments

Was able to get GenSig to compile by updating the vcxproj file to include the below in the Globals propertygroup tag:

{C55314C6-71A0-4AE2-A4F0-E5E531A5E065} pcileech_gensig 10.0 x64

After compiling, I was not able to signature match my ntfs.sys

aaronssu avatar Jul 07 '20 01:07 aaronssu

The signatures are unfortunately very out of date and are more for historical reasons now.

You may try the built-in -kmd WIN10_X64 or -kmd WIN10_X64_2 signatures if you wish to do kernel injects. I'm not sure it will work on Win10 2004 though, but I plan to look into this.

ufrisk avatar Jul 08 '20 00:07 ufrisk

Hi, I would like to add some sigs for Windows and add unlock support for x86 versions. Windows 10 verifies auth in ntlmshare.dll, and others using msv1_0.dll. I can find some sigs in the x86 version, but how can I know the CHEATING VALUE? Is there any INFO that I can do some research on? Thanks. PS, EMAIL: [email protected] TWITTER: 0bing0

0bing0 avatar Jul 12 '21 15:07 0bing0

Hi and thanks :) Yes this method is used to patch the 64-bit versions of the binaries. I haven't added support for 32-bit due to the relatively small market share (and this being a hobby project without that many being interested). I'm away on vacation now but I hope to drop you a note at the end of the week.

ufrisk avatar Jul 12 '21 16:07 ufrisk

Awesome. Finding and patching sigs in memory is somehow interesting. I tried some of your X64 sigs and it did UNLOCK the Windows login screen successfully, but I just don't know how it works, which is kind of awkward. Waiting for your notes, thanks.

0bing0 avatar Jul 19 '21 01:07 0bing0

Hi, I added the info file describing the format. It seems to have gone missing when I rearranged the project a while back.

https://github.com/ufrisk/pcileech/blob/master/files/signature_info.txt https://github.com/ufrisk/pcileech/blob/master/files/unlock_win10x64.sig

Basically PCILeech will scan each page for byte sequences at known offsets (from page base) and, if found, it will apply a patch from a 3rd byte sequence. In some older .sig files I NOP an instruction; in the more recent ones I invert the password check by changing a JZ to a JNZ after the actual password check. Please let me know if this would be enough info to get started.

ufrisk avatar Jul 19 '21 10:07 ufrisk

Thank you. I studied the "signature format" and "patches for ntlmshared.dll" docs. As you said, cheating with NOP or JZ<->JNZ can work well. But I am still confused about the particular SIG for NtlmShared.dll (2019-03-19)/10.0.18362.1:

signature for Windows 10 x64 [NtlmShared.dll (2019-03-19)/10.0.18362.1]
741,32C0E904FBFFFF,741,32C0E904FBFFFF,741,B001E904FBFFFF

What do the values (0xB0 0x01) mean? Or just more INFO about NtlmShared.dll?

0bing0 avatar Jul 19 '21 11:07 0bing0

This means that in the located page that matches bytes 32C0E904FBFFFF at offset 0x741 and 32C0E904FBFFFF at offset 0x741, it's going to change the bytes at offset 0x741 to B001E904FBFFFF.

The 0xB001 ... is in this case machine code bytes from the dll (ntlmshared.dll 64-bit version).

ufrisk avatar Jul 19 '21 12:07 ufrisk
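An added Python example, not PCILeech's own code, of the per-page rule ufrisk describes above, written from the defender's side: it parses the signature line quoted in this thread, then classifies 4 KiB pages as holding the original bytes or the patch bytes, so an integrity scan over a memory dump can flag a page that has been tampered with. Assumptions: offsets in the line are hex (the thread reads 741 as 0x741), pages are 4 KiB, and the demo dump is constructed filler rather than a real ntlmshared.dll image; the real signature_info.txt format may carry header or version lines this parser does not handle.

```python
"""Classify memory pages against a PCILeech-style signature line.

Added example (not PCILeech's own code). The rule, per the thread: a page is a
candidate when the two "match" byte sequences sit at their offsets from the page
base; the third sequence is what the patch writes at its offset. Used here as a
detector: a page carrying the patch bytes instead of the originals is evidence
of in-memory tampering.
"""
from dataclasses import dataclass

PAGE_SIZE = 0x1000  # 4 KiB pages; PCILeech scans page by page (assumption)

# Signature line quoted in the thread (NtlmShared.dll 10.0.18362.1, x64).
# As x86-64 machine code: 32 C0 = xor al,al; B0 01 = mov al,1; E9 .. = jmp rel32.
SIG_LINE = "741,32C0E904FBFFFF,741,32C0E904FBFFFF,741,B001E904FBFFFF"


@dataclass(frozen=True)
class UnlockSig:
    match1_off: int
    match1: bytes
    match2_off: int
    match2: bytes
    patch_off: int
    patch: bytes


def parse_sig_line(line: str) -> UnlockSig:
    """Parse 'off,hex,off,hex,off,hex'; offsets are hex (741 == 0x741)."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != 6:
        raise ValueError(f"expected 6 comma-separated fields, got {len(fields)}")
    o1, h1, o2, h2, o3, h3 = fields
    sig = UnlockSig(int(o1, 16), bytes.fromhex(h1),
                    int(o2, 16), bytes.fromhex(h2),
                    int(o3, 16), bytes.fromhex(h3))
    for off, seq in ((sig.match1_off, sig.match1),
                     (sig.match2_off, sig.match2),
                     (sig.patch_off, sig.patch)):
        if off + len(seq) > PAGE_SIZE:
            raise ValueError("byte sequence runs past the end of a page")
    return sig


def classify_page(page: bytes, sig: UnlockSig) -> str:
    """Return 'original', 'patched' or 'no_match' for one page."""
    if len(page) != PAGE_SIZE:
        raise ValueError("page must be exactly PAGE_SIZE bytes")

    def at(off: int, n: int) -> bytes:
        return page[off:off + n]

    if (at(sig.match1_off, len(sig.match1)) == sig.match1
            and at(sig.match2_off, len(sig.match2)) == sig.match2):
        return "original"          # pristine code, as the signature expects it
    if at(sig.patch_off, len(sig.patch)) == sig.patch:
        return "patched"           # patch bytes present: tampering indicator
    return "no_match"


def scan_dump(dump: bytes, sig: UnlockSig) -> dict:
    """Classify every full page of a raw dump; returns {page_index: status} for hits."""
    hits = {}
    for i in range(len(dump) // PAGE_SIZE):
        status = classify_page(dump[i * PAGE_SIZE:(i + 1) * PAGE_SIZE], sig)
        if status != "no_match":
            hits[i] = status
    return hits


def build_demo_dump(sig: UnlockSig) -> bytes:
    """Constructed three-page dump: zero filler, pristine page, tampered page."""
    filler = bytes(PAGE_SIZE)
    clean = bytearray(b"\x90" * PAGE_SIZE)  # constructed filler, not a real DLL image
    clean[sig.match1_off:sig.match1_off + len(sig.match1)] = sig.match1
    tampered = bytearray(clean)
    tampered[sig.patch_off:sig.patch_off + len(sig.patch)] = sig.patch
    return filler + bytes(clean) + bytes(tampered)


if __name__ == "__main__":
    s = parse_sig_line(SIG_LINE)
    for idx, status in scan_dump(build_demo_dump(s), s).items():
        print(f"page {idx}: {status}")
```

The match is byte-exact at a fixed page offset, which is why a signature is tied to one build of the DLL (the thread's line names 10.0.18362.1); a different build needs its own line, and the same detector would miss a patch applied at any other offset.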

Thank you for your patience. Maybe I didn't make it clear. What I was trying to say is: why does cheating with just the 0xb0 0x01 value work? And this works well even on Windows 11, which I am still testing. I don't know why, but it does work...

0bing0 avatar Jul 19 '21 12:07 0bing0

no particular reason; I just haven't optimized the signatures; I just added them when they were working.

ufrisk avatar Jul 19 '21 13:07 ufrisk

Ah ah, OK, maybe I can just do as you do. Anyway, it works, and that's what matters.

0bing0 avatar Jul 19 '21 14:07 0bing0

I'm closing this issue due to old age.

ufrisk avatar Jun 01 '24 15:06 ufrisk