This repository has been archived by the owner on Mar 29, 2019. It is now read-only.

Removal of KeInitAmd64SpecificState. Addition of patch for primary Pg…
… initialize function KiFilterFiberContext. Compatible 7601 - 16170
Fyyre committed May 9, 2017
1 parent 9b3fbaa commit d952b74
Showing 3 changed files with 27 additions and 47 deletions.
Binary file modified bin/patch.exe
Binary file not shown.
64 changes: 25 additions & 39 deletions src/main.c
Expand Up @@ -32,9 +32,9 @@ WCHAR g_szDeviceParition[MAX_PATH + 1];
//ntos

PATCH_CONTEXT CcInitializeBcbProfiler;
PATCH_CONTEXT KeInitAmd64SpecificState;
PATCH_CONTEXT SeValidateImageData;
PATCH_CONTEXT SepInitializeCodeIntegrity;
PATCH_CONTEXT KiFilterFiberContext;

//winload
PATCH_CONTEXT ImgpValidateImageHash;
Expand Down Expand Up @@ -213,72 +213,58 @@ BOOLEAN QueryCcInitializeBcbProfilerOffsetSymbols(
return (Address != 0);
}

BOOLEAN QueryKeInitAmd64SpecificStateOffsetSymbols(
/*
* QueryKiFilterFiberContextOffset
*
* Purpose:
*
* Search for KiFilterFiberContext pattern address inside ntoskrnl.exe.
* Function main Patch Guard Initialization.
*
*/
BOOLEAN QueryKiFilterFiberContextOffset(
_In_ ULONG BuildNumber,
_In_ PBYTE DllBase,
_In_ SIZE_T DllVirtualSize,
_In_ IMAGE_NT_HEADERS *NtHeaders
)
{
ULONG ScanSize = 0, PatternSize = 0, SkipBytes = 0;
ULONG_PTR Address = 0;
PVOID Ptr, Pattern = NULL;
PVOID ScanPtr = NULL;
PVOID Ptr;

ScanPtr = supLookupImageSectionByNameULONG('TINI', DllBase, &ScanSize);
UNREFERENCED_PARAMETER(DllVirtualSize);

switch (BuildNumber) {

case 7601:
case 9200:
case 9600:
case 10240:
case 10586:
case 14393:
case 15063:
case 16170:

ScanPtr = DllBase;
ScanSize = (ULONG)DllVirtualSize;
if (ScanPtr) {
Pattern = ptKeInitAmd64SpecificState_15063;
PatternSize = sizeof(ptKeInitAmd64SpecificState_15063);
SkipBytes = ptSubBytesKeInitAmd64SpecificState_15063;
}
Address = (ULONG_PTR)SymbolAddressFromName(TEXT("KiFilterFiberContext"));
break;

default:
break;
}

if ((ScanPtr == NULL) || (ScanSize == 0))
return FALSE;

if ((Pattern == NULL) || (PatternSize == 0))
return FALSE;

Address = (ULONG_PTR)FindPattern(
ScanPtr,
ScanSize,
Pattern,
PatternSize);

if (Address != 0) {

//
// Convert to physical offset in file.
//
Ptr = RtlAddressInSectionTable(NtHeaders, DllBase, (ULONG)(Address - (ULONG_PTR)DllBase));
KeInitAmd64SpecificState.AddressOfPatch = (ULONG_PTR)Ptr - (ULONG_PTR)DllBase;

//
// Skip 'mov' instruction
//
KeInitAmd64SpecificState.AddressOfPatch -= SkipBytes;
KiFilterFiberContext.AddressOfPatch = (ULONG_PTR)Ptr - (ULONG_PTR)DllBase;

//
// Assign patch data block to be written in patch routine.
//
KeInitAmd64SpecificState.PatchData = pdKeInitAmd64SpecificState;
KeInitAmd64SpecificState.SizeOfPatch = sizeof(pdKeInitAmd64SpecificState);
KiFilterFiberContext.PatchData = pdKiFilterFiberContext;
KiFilterFiberContext.SizeOfPatch = sizeof(pdKiFilterFiberContext);

}

Expand Down Expand Up @@ -560,15 +546,15 @@ BOOLEAN ScanNtos()
cuiPrintText(g_ConOut, szBuffer, g_ConsoleOutput, TRUE);

//
// Scan for KeInitAmd64SpecificState
// Scan for KiFilterFiberContext
//
if (!QueryKeInitAmd64SpecificStateOffsetSymbols(BuildNumber, DllBase, DllVirtualSize, NtHeaders)) {
supShowError(ERROR_CAN_NOT_COMPLETE, TEXT("Cannot query KeInitAmd64SpecificState offset"));
if (!QueryKiFilterFiberContextOffset(BuildNumber, DllBase, DllVirtualSize, NtHeaders)) {
supShowError(ERROR_CAN_NOT_COMPLETE, TEXT("Cannot query KiFilterFiberContext offset"));
break;
}

_snwprintf_s(szBuffer, MAX_PATH * 2, MAX_PATH, TEXT("-> KeInitAmd64SpecificState\t%08X"),
KeInitAmd64SpecificState.AddressOfPatch);
_snwprintf_s(szBuffer, MAX_PATH * 2, MAX_PATH, TEXT("-> KiFilterFiberContext\t%08X"),
KiFilterFiberContext.AddressOfPatch);
cuiPrintText(g_ConOut, szBuffer, g_ConsoleOutput, TRUE);

//
Expand Down Expand Up @@ -716,7 +702,7 @@ BOOLEAN ModifyFilesAndMove(
PatchContext[0] = (ULONG_PTR)&SeValidateImageData;
PatchContext[1] = (ULONG_PTR)&CcInitializeBcbProfiler;
PatchContext[2] = (ULONG_PTR)&SepInitializeCodeIntegrity;
PatchContext[3] = (ULONG_PTR)&KeInitAmd64SpecificState;
PatchContext[3] = (ULONG_PTR)&KiFilterFiberContext;

if (!supPatchFile(szBuffer, (ULONG_PTR*)&PatchContext, 4))
return FALSE;
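Review bot: `Ptr` returned by `RtlAddressInSectionTable` is used unchecked in `KiFilterFiberContext.AddressOfPatch = (ULONG_PTR)Ptr - (ULONG_PTR)DllBase;` — that routine returns NULL when the RVA does not fall inside any section of the image, and the subtraction then wraps to a huge bogus offset while `Address` is still non-zero, so the routine presumably still reports success (its `return` lies past the end of the hunk; the sibling routine above ends with `return (Address != 0);`). Because this offset is later handed to `supPatchFile` against ntoskrnl.exe, a bad offset means writing three bytes at a random position in a boot-critical binary rather than a clean failure; add `if (Ptr == NULL) return FALSE;` immediately after the lookup. It is also worth a one-line comment on the `SymbolAddressFromName` call stating whether it yields a virtual address relative to `DllBase` (which the `Address - (ULONG_PTR)DllBase` conversion assumes) or an RVA — that contract is not visible here. Finally, a build number outside the 7601–16170 list now leaves `Address` at 0 and surfaces as the same "Cannot query KiFilterFiberContext offset" error as a symbol-resolution miss; a distinct "unsupported build" message in the `default:` arm would make failures easier to triage. The enclosing function continues outside this hunk.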
10 changes: 2 additions & 8 deletions src/patterns.h
Expand Up @@ -47,14 +47,8 @@ unsigned char ptCcInitializeBcbProfiler_7601[] = {
0x10, 0x89, 0x4C, 0x24, 0x08, 0x53, 0x55, 0x56
};

// always in INIT
//Patch data for KeInitAmd64SpecificState (return TRUE; )
unsigned char pdKeInitAmd64SpecificState[] = { 0xEB };

//search pattern for Windows 10 10.0.10563.0
unsigned char ptKeInitAmd64SpecificState_15063[] = { 0x0B, 0xD0, 0x8B, 0xCA, 0xF7, 0xD9 };

#define ptSubBytesKeInitAmd64SpecificState_15063 16
//Patch data for KiFilterFiberContext ( return TRUE; )
unsigned char pdKiFilterFiberContext[] = { 0xB0, 0x01, 0xC3 };

//Always in PAGE

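Review bot: The comment above `pdKiFilterFiberContext` only says `( return TRUE; )`; since these three bytes overwrite the entry of a kernel function, spell out the encoding so a reader can verify it without a disassembler: `//Patch data for KiFilterFiberContext: B0 01 = mov al, 1 ; C3 = ret (BOOLEAN result returned in AL)`. The hunk also appears to drop the `// always in INIT` section note that preceded the old KeInitAmd64SpecificState data, so the header no longer records which image section the new patch target resides in, and the `//Always in PAGE` line that follows seems to belong to the next pattern rather than this one (its subject is outside the hunk); a short note on the section, or a statement that the location is now taken from symbols, would keep the header consistent with the other entries.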
