[Closed] wbaby closed this 3 years ago
I'm working on your project now. Great project.
According to my tests, in most cases I can't find any running worker.
Sometimes there is a no-image running worker; most of the time I can't find any declassified fields in this pool region or system PTE.
From what I've seen while debugging, it is basically always in SystemPtes; you can set a breakpoint on MmAllocateIndependentPages and it will hit.
I downloaded your release shark.7z, re-signed the shark.sys driver, and used your Sea.exe to load shark.sys. This is my test result:
Env: 1903 18362.113 Pro N, UEFI mode, Secure Boot is disabled
Very few times I can find a worker, but most of the time there is no worker thread.
And on 18362, searching for the HeaderEx signature gives many results, and the first result is wrong (it lands in the .text section). That causes a wrong SizeINITKDBG result.
Try removing the checks on those bits and keep only:
BitNumber = PointerPte - BasePte;
RtlSetBit(BitMap, BitNumber);
I hadn't noticed that. Use this one, bro: 55 41 54 41 55 41 56 41 57 48 8D 68 A1 48 81 EC B0 00 00 00 8B 82
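The signature-search problem raised above (many hits, the first one in .text, hence a wrong SizeINITKDBG) comes down to taking the first match instead of all of them. The following is an added example, not code from the Shark project: a plain byte-pattern scanner that returns every offset at which the HeaderEx bytes quoted in this thread occur, plus a helper that skips hits inside a caller-supplied range. The buffer, the two planted offsets (0x40 and 0x200) and the fake 0x000-0x100 ".text" range are constructed for the example; a real caller would take the range from the image's section headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* HeaderEx prologue bytes exactly as quoted in the thread. */
static const uint8_t kHeaderExSig[] = {
    0x55, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57, /* push rbp; push r12..r15 */
    0x48, 0x8D, 0x68, 0xA1,                               /* lea rbp, [rax-0x5F]     */
    0x48, 0x81, 0xEC, 0xB0, 0x00, 0x00, 0x00,             /* sub rsp, 0xB0           */
    0x8B, 0x82                                            /* mov eax, [rdx+disp32]   */
};

/* Find every occurrence of `sig` in `buf`.  `mask` is optional: when given,
 * a '?' at position i means "don't compare byte i".  Up to `max_hits`
 * offsets are stored in `hits`; the return value is the total number of
 * matches, which may exceed `max_hits`. */
size_t find_all_sig(const uint8_t *buf, size_t buf_len,
                    const uint8_t *sig, const char *mask, size_t sig_len,
                    size_t *hits, size_t max_hits)
{
    size_t n = 0;
    if (sig_len == 0 || buf_len < sig_len)
        return 0;
    for (size_t off = 0; off + sig_len <= buf_len; off++) {
        size_t i;
        for (i = 0; i < sig_len; i++) {
            if (mask && mask[i] == '?')
                continue;
            if (buf[off + i] != sig[i])
                break;
        }
        if (i == sig_len) {
            if (n < max_hits)
                hits[n] = off;
            n++;
        }
    }
    return n;
}

/* Return the first hit that is NOT inside [skip_start, skip_end), or
 * SIZE_MAX if all hits fall inside it.  The caller passes the .text range
 * here so a false positive in .text is not taken as the real HeaderEx. */
size_t first_hit_outside(const size_t *hits, size_t n,
                         size_t skip_start, size_t skip_end)
{
    for (size_t i = 0; i < n; i++)
        if (hits[i] < skip_start || hits[i] >= skip_end)
            return hits[i];
    return SIZE_MAX;
}

/* Constructed sample image: int3 filler (never matches, the signature starts
 * with 0x55) with the signature planted twice, once in the fake .text range
 * and once past it.  Returns the buffer length for convenience. */
size_t build_sample(uint8_t *buf, size_t len)
{
    memset(buf, 0xCC, len);
    memcpy(buf + 0x40,  kHeaderExSig, sizeof kHeaderExSig);
    memcpy(buf + 0x200, kHeaderExSig, sizeof kHeaderExSig);
    return len;
}

int main(void)
{
    uint8_t image[0x400];
    size_t hits[16];

    build_sample(image, sizeof image);
    size_t n = find_all_sig(image, sizeof image, kHeaderExSig, NULL,
                            sizeof kHeaderExSig, hits, 16);
    printf("%zu hit(s)\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  image+0x%zx\n", hits[i]);

    /* Fake .text range for the example: [0x000, 0x100). */
    size_t chosen = first_hit_outside(hits, n, 0x000, 0x100);
    printf("chosen: image+0x%zx\n", chosen);
    return 0;
}
```

The point is that `find_all_sig` never stops at the first hit; whatever policy is used to pick the right one (section range, surrounding bytes, distance from the expected INITKDBG start) is applied afterwards over the full list.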
Still the same different result from yours:
[Shark] load
[Shark] < FFFFC4086ADC2C88 > PgBlock
[Shark] < 00000000000000C0 > SizeCmpAppendDllSection
[Shark] < 0000000000000001 > BtcEnable
[Shark] < 00000000000007E8 > OffsetEntryPoint
[Shark] < 0000000000019000 > SizeINITKDBG
[Shark] < FFFFF8023836A0A0 > ntoskrnl.exe!ExFreePool
[Shark] < FFFFF8023865E010 > ntoskrnl.exe!ObCloseHandle + 140
[Shark] < FFFFF802380C6080 > ntoskrnl.exe!ExQueueWorkItem
[Shark] < FFFFF802380361C0 > ntoskrnl.exe!ExReleaseResourceLite
[Shark] < FFFFF80238116730 > MmFreeIndependentPages
[Shark] < FFFFF80238586010 > PsInvertedFunctionTable
[Shark] < FFFFF802381C3DDE > KiStartSystemThread
[Shark] < FFFFF8023812F6D0 > PspSystemThreadStartup
[Shark] < FFFFF80238041CF0 > MmDeterminePoolType
[Shark] < FFFFC40864BD0000 > PoolBigPageTable
[Shark] < 0000000000008000 > PoolBigPageTableSize
[Shark] < FFFFF8023842EC70 > ExpLargePoolTableLock
[Shark] < 00000000008C4000 > NumberOfPtes
[Shark] < FFFFFBCB00000000 > BasePte
[Shark] < 0000000000000000 > SystemPtes < FFFFFBCB00000000 <=> FFFFFBCB04620000 >
[Shark] < 0000000000000000 > BigPool < FFFFC40864BD0000 | 0000000000008000 >
[Shark] < FFFFC4086386C3AE > found declassified context
[Shark] unload
[Shark] < FFFFC4086386C3AE > found declassified context // useless declassified context pool
Thanks for your reply and help ;D I will continue to debug.
Sometimes my test shows the PG worker, but if you search for the compare fields from your project in this context, you will get nothing.
You must hijack the return point. Inside the PG code, the CONTEXT and the data on the stack may be encrypted.
Yes, I get your point. But for now I'm working on why, most of the time, I can't find any PG worker thread on all my Windows 1903 machines.
MS has already fixed and encrypted the compare fields; PgCompareFields can't find any encrypted PG context on 18362.x. Already tested on 18362.30, 18362.116 and 18362.145.
I can confirm what I said before. I also inserted an APC into every system thread, not only worker threads, and still did not find the PG worker.
In some conditions I print the SystemPtes output, which gives a page, and a breakpoint at MmAllocateIndependentPages also gives a page. I can confirm this is a PG context, but it cannot be decrypted by your fields collision. The PG page size is random as usual: 0x5C000, 0x5D000, 0x76000, 0x77000, etc. Very few times a PG worker will execute from this SystemPtes page, but most of the time there is no worker thread running, just this SystemPtes page.
Hmm... I'll fix it, wait a few days.
Hello, I got CRITICAL_STRUCTURE_CORRUPTION when I tried to hook something on Windows 10 18362. It's still OK on 17763. Is it the same issue? How do I fix it?
Only supported up to 10.0.18362.30; for anything above that, wait for an update.
The whole memory block has been double-encrypted, and the encryption key is random. There is no solution at present.
So, 1903+ versions are not possible anymore?
Updated to 18362.175, it's working again.
Update: sorry, sometimes working and sometimes not, maybe because of random encryption.
decrypted in worker
Nice, will you update?
18362.10005 PatchGuard has been disarmed by some new memory trick. To avoid being fucked by Micro$oft, the code will not be available here.
Yes, the code will not be available here.