BlackINT3 / OpenArk

The Next Generation of Anti-Rootkit (ARK) tool for Windows.
https://openark.blackint3.com
GNU Lesser General Public License v2.1

1.3.4 fails to enter kernel mode #164

Open xxhhlk opened 5 months ago

xxhhlk commented 5 months ago

OpenArk Console Copyright (C) 2019 BlackINT3 https://github.com/BlackINT3/OpenArk
[UNONE::FsReadFileDataW] [WARN] C:\Users\im\AppData\Roaming\OpenArk\console\history.txt is empty file
[UNONE::PsGetProcessInfo64W] [ERR] VirtualOpenProcess pid:4 err:5
[Kernel::InitKernelEntryView::::operator ()] [INFO] OS : Windows 10
[Kernel::InitKernelEntryView::::operator ()] [INFO] Major version : 10
[Kernel::InitKernelEntryView::::operator ()] [INFO] Minor version : 0
[Kernel::InitKernelEntryView::::operator ()] [INFO] Release : 22H2
[Kernel::InitKernelEntryView::::operator ()] [INFO] Build : 19045
[Kernel::InitKernelEntryView::::operator ()] [INFO] Service pack major : 0
[Kernel::InitKernelEntryView::::operator ()] [INFO] Service pack minor : 0
[Kernel::InitKernelEntryView::::operator ()] [INFO] R3 address space : 0x10000 - 0x7FFFFFFEFFFF
[Kernel::InitKernelEntryView::::operator ()] [INFO] R0 address space : 0xFFFF080000000000 - 0xFFFFFFFFFFFFFFFF
[Kernel::InitKernelEntryView::::operator ()] [INFO] Page size : 4 KB
[Kernel::InitKernelEntryView::::operator ()] [INFO] Physical memory : 32 GB
[Kernel::InitKernelEntryView::::operator ()] [INFO] CPU cores : 20
[Kernel::InitKernelEntryView::::operator ()] [INFO] System root : C:\WINDOWS
[Kernel::InitKernelEntryView::::operator ()] [INFO] Boot time : 2024-01-19 19:48:37 (0Day/17Hour/44Min)
[Kernel::InitKernelEntryView::::operator ()] [INFO] BootInfo : UEFI
[Kernel::InitKernelEntryView::::operator ()] [INFO] HVM : VT Enabled
[OpenArk::onActionCheckUpdate] [INFO] requset server:http://file.blackint3.com:88/openark/version.txt
[OpenArk::onActionCheckUpdate::::operator ()] [INFO] local appver:1.3.4, build:202312202152
[OpenArk::onActionCheckUpdate::::operator ()] [INFO] server responsed:{ "err": 0, "appver": "1.3.4", "appbd": "202312202152", "appcl": "…", "appurl": "https://github.com/BlackINT3/OpenArk/releases" }
[OpenArk::onActionCheckUpdate::::operator ()] [INFO] OpenArk is latest.
[Kernel::ParseKernelSymbol] [INFO] PDB: C:\Users\im\AppData\Roaming\OpenArk\symbols\ci.pdb\F978A72B5A84D8D5262BA9654FE1F57D1\ci.pdb
[Kernel::ParseKernelSymbol] [INFO] Download: http://msdl.blackint3.com:88/download/symbols/ci.pdb/F978A72B5A84D8D5262BA9654FE1F57D1/ci.pdb
[Kernel::ParseKernelSymbol] [INFO] PDB: C:\Users\im\AppData\Roaming\OpenArk\symbols\fltMgr.pdb\C6B7358770920641714F8F39943309AC1\fltMgr.pdb
[Kernel::ParseKernelSymbol] [INFO] Download: http://msdl.blackint3.com:88/download/symbols/fltMgr.pdb/C6B7358770920641714F8F39943309AC1/fltMgr.pdb
[Kernel::ParseKernelSymbol] [INFO] PDB: C:\Users\im\AppData\Roaming\OpenArk\symbols\netio.pdb\A6FB7302AF03576B8E72B1E88E1987F31\netio.pdb
[Kernel::ParseKernelSymbol] [INFO] Download: http://msdl.blackint3.com:88/download/symbols/netio.pdb/A6FB7302AF03576B8E72B1E88E1987F31/netio.pdb
[Kernel::ParseKernelSymbol] [INFO] PDB: C:\Users\im\AppData\Roaming\OpenArk\symbols\ntkrnlmp.pdb\D7ABE9B23BAD553213DE9BB10F1677B81\ntkrnlmp.pdb
[Kernel::ParseKernelSymbol] [INFO] Download: http://msdl.blackint3.com:88/download/symbols/ntkrnlmp.pdb/D7ABE9B23BAD553213DE9BB10F1677B81/ntkrnlmp.pdb
[Kernel::ParseKernelSymbol] [INFO] PDB: C:\Users\im\AppData\Roaming\OpenArk\symbols\win32k.pdb\4861D9D8CC375CC7E28E23C9A6E302D71\win32k.pdb
[Kernel::ParseKernelSymbol] [INFO] Download: http://msdl.blackint3.com:88/download/symbols/win32k.pdb/4861D9D8CC375CC7E28E23C9A6E302D71/win32k.pdb
[Kernel::ParseKernelSymbol] [INFO] PDB: C:\Users\im\AppData\Roaming\OpenArk\symbols\win32kbase.pdb\0949450FAC20B4137303F4C4BF4DD3E81\win32kbase.pdb
[Kernel::ParseKernelSymbol] [INFO] Download: http://msdl.blackint3.com:88/download/symbols/win32kbase.pdb/0949450FAC20B4137303F4C4BF4DD3E81/win32kbase.pdb
[Kernel::ParseKernelSymbol] [INFO] PDB: C:\Users\im\AppData\Roaming\OpenArk\symbols\win32kfull.pdb\BC20C80D10E7BC4AEB33A16598296E8F1\win32kfull.pdb
[Kernel::ParseKernelSymbol] [INFO] Download: http://msdl.blackint3.com:88/download/symbols/win32kfull.pdb/BC20C80D10E7BC4AEB33A16598296E8F1/win32kfull.pdb
[UNONE::ObLoadDriverW] [ERR] NtLoadDriver service:\Registry\Machine\System\CurrentControlSet\Services\MicrosoftDoSvc err:c000010e
[UNONE::ObLoadDriverW] [ERR] NtLoadDriver service:\Registry\Machine\System\CurrentControlSet\Services\OpenArkDrv64 err:c0000428
[Kernel::onEnterKernelMode] [INFO] InstallDriver 1.
[Kernel::onEnterKernelMode] [INFO] InstallDriver 2.
[Kernel::onEnterKernelMode] [ERR] InstallDriver C:\Users\im\AppData\Roaming\OpenArk\kernel\OpenArkDrv64.sys err

Windows 10 Pro 22H2 19045.3930

BH2WFR commented 5 months ago

I get roughly the same error messages as you.

BH2WFR commented 5 months ago
[two screenshots attached]
BH2WFR commented 5 months ago


Do you have Kaspersky or similar software installed on your machine? I used to be able to enter kernel mode; after installing Kaspersky it stopped working.

xxhhlk commented 5 months ago

> Do you have Kaspersky or similar software installed on your machine? I used to be able to enter kernel mode; after installing Kaspersky it stopped working.

@BH2WFR I do indeed have Kaspersky installed.

xxhhlk commented 5 months ago

That really is it. With Kaspersky uninstalled I can enter kernel mode; with it installed I can't. Once I leave kernel mode I can't get back in. Exiting Kaspersky has no effect.

lidawei97688 commented 4 months ago

Same problem here, and I then found this in Event Viewer:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2024/3/6 23:25:20
Event ID: 5038
Task Category: System Integrity
Level: Information
Keywords: Audit Failure
User: N/A
Computer: PANGWEI
Description: Code Integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

文件名: \Device\HarddiskVolume3\Users\lidaw\AppData\Roaming\OpenArk\kernel\OpenArkDrv64.sys
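For anyone triaging the `err:c0000428` / `err:c000010e` results in the console output and the Event ID 5038 entry above, the following PowerShell is an added example: it is not OpenArk code and was not posted by anyone in this thread. It decodes the two NTSTATUS values (standard constants from ntstatus.h), checks whether the on-disk driver's Authenticode signature still matches the file's hash, pulls the 5038 audit events that name the driver, and lists driver services pointing at the binary. It assumes the driver path reported in the logs (%APPDATA%\OpenArk\kernel\OpenArkDrv64.sys) and an elevated prompt, since the Security log is not readable by standard users.

```powershell
# Added triage example for a third-party driver that NtLoadDriver refuses to load.
# Not part of OpenArk or of this issue thread. Assumes the driver sits at the path
# the logs above report (%APPDATA%\OpenArk\kernel\OpenArkDrv64.sys); adjust as needed.
# Run from an elevated PowerShell: the Security log is not readable by standard users.

$drv = Join-Path $env:APPDATA 'OpenArk\kernel\OpenArkDrv64.sys'

# 1. Decode the NTSTATUS values seen in the OpenArk console output.
#    Both are documented Windows constants (ntstatus.h).
$ntstatus = @{
    0xC0000428 = 'STATUS_INVALID_IMAGE_HASH - Code Integrity rejected the image (the condition that also raises Event ID 5038)'
    0xC000010E = 'STATUS_IMAGE_ALREADY_LOADED - a driver is already loaded under that service name'
}
foreach ($code in 0xC0000428, 0xC000010E) {
    '0x{0:X8}  {1}' -f $code, $ntstatus[$code]
}

# 2. Is the on-disk file signed, and does its current hash still match the signature?
#    HashMismatch or NotSigned means the file itself is the problem; Valid means the
#    file is intact and the block came from somewhere other than the file.
if (Test-Path -LiteralPath $drv) {
    $sig = Get-AuthenticodeSignature -FilePath $drv
    [pscustomobject]@{
        File   = $drv
        Status = $sig.Status
        Signer = $sig.SignerCertificate.Subject
        SHA256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $drv).Hash
    } | Format-List
} else {
    Write-Warning "Driver not found at $drv"
}

# 3. Code Integrity audit failures (Event ID 5038) that name this driver, newest first.
#    The first event-data parameter of a 5038 event is the rejected file's NT device path.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5038 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -like '*OpenArkDrv64.sys' } |
    Select-Object TimeCreated, @{ n = 'File'; e = { $_.Properties[0].Value } } |
    Format-Table -AutoSize

# 4. Driver services that point at this binary. A stale entry left by an earlier
#    attempt shows up here together with its State and StartMode.
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -like '*OpenArkDrv64*' } |
    Select-Object Name, State, StartMode, PathName |
    Format-Table -AutoSize
```

Step 2 is the one that separates the two cases a user in this thread could be in: a HashMismatch status points at the file on disk, while a Valid status with a 5038 event still logged means the image was rejected at load time despite being intact, which is what the reports here describe.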

elicec commented 3 months ago

OpenArk Console Copyright (C) 2019 BlackINT3 https://github.com/BlackINT3/OpenArk
[UNONE::FsReadFileDataW] [WARN] C:\Users\admin\AppData\Roaming\OpenArk\console\history.txt is empty file
[UNONE::PsGetProcessInfo64W] [ERR] VirtualOpenProcess pid:4 err:5
[Kernel::InitKernelEntryView::::operator ()] [INFO] OS : Windows 10
[Kernel::InitKernelEntryView::::operator ()] [INFO] Major version : 10
[Kernel::InitKernelEntryView::::operator ()] [INFO] Minor version : 0
[Kernel::InitKernelEntryView::::operator ()] [INFO] Release : 22H2
[Kernel::InitKernelEntryView::::operator ()] [INFO] Build : 19045
[Kernel::InitKernelEntryView::::operator ()] [INFO] Service pack major : 0
[Kernel::InitKernelEntryView::::operator ()] [INFO] Service pack minor : 0
[Kernel::InitKernelEntryView::::operator ()] [INFO] R3 address space : 0x10000 - 0x7FFFFFFEFFFF
[Kernel::InitKernelEntryView::::operator ()] [INFO] R0 address space : 0xFFFF080000000000 - 0xFFFFFFFFFFFFFFFF
[Kernel::InitKernelEntryView::::operator ()] [INFO] Page size : 4 KB
[Kernel::InitKernelEntryView::::operator ()] [INFO] Physical memory : 64 GB
[Kernel::InitKernelEntryView::::operator ()] [INFO] CPU cores : 16
[Kernel::InitKernelEntryView::::operator ()] [INFO] System root : C:\WINDOWS
[Kernel::InitKernelEntryView::::operator ()] [INFO] Boot time : 2024-03-13 07:40:26 (0Day/0Hour/15Min)
[Kernel::InitKernelEntryView::::operator ()] [INFO] BootInfo : UEFI & VBS
[Kernel::InitKernelEntryView::::operator ()] [INFO] HVM : VT Disabled
[OpenArk::onActionCheckUpdate] [INFO] requset server:http://file.blackint3.com:88/openark/version.txt
[OpenArk::onActionCheckUpdate::::operator ()] [INFO] local appver:1.3.4, build:202312202152
[OpenArk::onActionCheckUpdate::::operator ()] [INFO] server responsed:{ "err": 0, "appver": "1.3.4", "appbd": "202312202152", "appcl": "…", "appurl": "https://github.com/BlackINT3/OpenArk/releases" }
[OpenArk::onActionCheckUpdate::::operator ()] [INFO] OpenArk is latest.
[Kernel::ParseKernelSymbol] [INFO] PDB: C:\Users\admin\AppData\Roaming\OpenArk\symbols\ci.pdb\4FE9D9AAE4F745C4E7E7999F3A7524991\ci.pdb
[Kernel::ParseKernelSymbol] [INFO] PDB: C:\Users\admin\AppData\Roaming\OpenArk\symbols\fltMgr.pdb\C6B7358770920641714F8F39943309AC1\fltMgr.pdb
[Kernel::ParseKernelSymbol] [INFO] PDB: C:\Users\admin\AppData\Roaming\OpenArk\symbols\netio.pdb\C1979904E69E1CA74129F38FC5A5134F1\netio.pdb
[Kernel::ParseKernelSymbol] [INFO] PDB: C:\Users\admin\AppData\Roaming\OpenArk\symbols\ntkrnlmp.pdb\0D650DB61AD990C66CAEFCFC069200731\ntkrnlmp.pdb
[Kernel::ParseKernelSymbol] [INFO] Download: http://msdl.blackint3.com:88/download/symbols/ntkrnlmp.pdb/0D650DB61AD990C66CAEFCFC069200731/ntkrnlmp.pdb
[HttpDownload::::operator ()] [INFO] Download failed, err:203, msg:Error transferring http://msdl.blackint3.com:88/download/symbols/ntkrnlmp.pdb/0D650DB61AD990C66CAEFCFC069200731/ntkrnlmp.pdb - server replied: Not Found
[Kernel::ParseKernelSymbol] [ERR] LoadSymbol: C:\Users\admin\AppData\Roaming\OpenArk\symbols\ntkrnlmp.pdb\0D650DB61AD990C66CAEFCFC069200731\ntkrnlmp.pdb err
[Kernel::ParseKernelSymbol] [INFO] PDB: C:\Users\admin\AppData\Roaming\OpenArk\symbols\win32k.pdb\4FD4A8EF18FF219CA67DD2910BA963F01\win32k.pdb
[Kernel::ParseKernelSymbol] [INFO] PDB: C:\Users\admin\AppData\Roaming\OpenArk\symbols\win32kbase.pdb\AA876FFB9C0F08A7C0116E9CF2C49ED51\win32kbase.pdb
[Kernel::ParseKernelSymbol] [INFO] PDB: C:\Users\admin\AppData\Roaming\OpenArk\symbols\win32kfull.pdb\0903C592CC2F9033339565053E43450A1\win32kfull.pdb
[Kernel::ParseKernelSymbol] [INFO] Download: http://msdl.blackint3.com:88/download/symbols/win32kfull.pdb/0903C592CC2F9033339565053E43450A1/win32kfull.pdb
[UNONE::ObLoadDriverW] [ERR] NtLoadDriver service:\Registry\Machine\System\CurrentControlSet\Services\OpenArkDrv64 err:c0000428
[HttpDownload::::operator ()] [INFO] Download failed, err:203, msg:Error transferring http://msdl.blackint3.com:88/download/symbols/win32kfull.pdb/0903C592CC2F9033339565053E43450A1/win32kfull.pdb - server replied: Not Found
[Kernel::ParseKernelSymbol] [ERR] LoadSymbol: C:\Users\admin\AppData\Roaming\OpenArk\symbols\win32kfull.pdb\0903C592CC2F9033339565053E43450A1\win32kfull.pdb err
[Kernel::onEnterKernelMode] [INFO] InstallDriver 1.
[Kernel::onEnterKernelMode] [INFO] InstallDriver 2.
[Kernel::onEnterKernelMode] [ERR] InstallDriver C:\Users\admin\AppData\Roaming\OpenArk\kernel\OpenArkDrv64.sys err
[Kernel::ParseKernelSymbol] [INFO] PDB: C:\Users\admin\AppData\Roaming\OpenArk\symbols\ci.pdb\4FE9D9AAE4F745C4E7E7999F3A7524991\ci.pdb
[Kernel::ParseKernelSymbol] [INFO] PDB: C:\Users\admin\AppData\Roaming\OpenArk\symbols\fltMgr.pdb\C6B7358770920641714F8F39943309AC1\fltMgr.pdb
[Kernel::ParseKernelSymbol] [INFO] PDB: C:\Users\admin\AppData\Roaming\OpenArk\symbols\netio.pdb\C1979904E69E1CA74129F38FC5A5134F1\netio.pdb
[Kernel::ParseKernelSymbol] [INFO] PDB: C:\Users\admin\AppData\Roaming\OpenArk\symbols\ntkrnlmp.pdb\0D650DB61AD990C66CAEFCFC069200731\ntkrnlmp.pdb
[Kernel::ParseKernelSymbol] [INFO] Download: http://msdl.blackint3.com:88/download/symbols/ntkrnlmp.pdb/0D650DB61AD990C66CAEFCFC069200731/ntkrnlmp.pdb
[HttpDownload::::operator ()] [INFO] Download failed, err:203, msg:Error transferring http://msdl.blackint3.com:88/download/symbols/ntkrnlmp.pdb/0D650DB61AD990C66CAEFCFC069200731/ntkrnlmp.pdb - server replied: Not Found
[Kernel::ParseKernelSymbol] [ERR] LoadSymbol: C:\Users\admin\AppData\Roaming\OpenArk\symbols\ntkrnlmp.pdb\0D650DB61AD990C66CAEFCFC069200731\ntkrnlmp.pdb err
[Kernel::ParseKernelSymbol] [INFO] PDB: C:\Users\admin\AppData\Roaming\OpenArk\symbols\win32k.pdb\4FD4A8EF18FF219CA67DD2910BA963F01\win32k.pdb
[Kernel::ParseKernelSymbol] [INFO] PDB: C:\Users\admin\AppData\Roaming\OpenArk\symbols\win32kbase.pdb\AA876FFB9C0F08A7C0116E9CF2C49ED51\win32kbase.pdb
[Kernel::ParseKernelSymbol] [INFO] PDB: C:\Users\admin\AppData\Roaming\OpenArk\symbols\win32kfull.pdb\0903C592CC2F9033339565053E43450A1\win32kfull.pdb
[Kernel::ParseKernelSymbol] [INFO] Download: http://msdl.blackint3.com:88/download/symbols/win32kfull.pdb/0903C592CC2F9033339565053E43450A1/win32kfull.pdb
[UNONE::ObLoadDriverW] [ERR] NtLoadDriver service:\Registry\Machine\System\CurrentControlSet\Services\OpenArkDrv64 err:c0000428
[HttpDownload::::operator ()] [INFO] Download failed, err:203, msg:Error transferring http://msdl.blackint3.com:88/download/symbols/win32kfull.pdb/0903C592CC2F9033339565053E43450A1/win32kfull.pdb - server replied: Not Found
[Kernel::ParseKernelSymbol] [ERR] LoadSymbol: C:\Users\admin\AppData\Roaming\OpenArk\symbols\win32kfull.pdb\0903C592CC2F9033339565053E43450A1\win32kfull.pdb err
[Kernel::onEnterKernelMode] [INFO] InstallDriver 1.
[Kernel::onEnterKernelMode] [INFO] InstallDriver 2.
[Kernel::onEnterKernelMode] [ERR] InstallDriver C:\Users\admin\AppData\Roaming\OpenArk\kernel\OpenArkDrv64.sys err

q751654992 commented 2 months ago

I have Kaspersky installed and hit the same problem. I tried pausing Kaspersky's protection, but still can't enter kernel mode.

Gy4n commented 3 weeks ago

InstallDriver 2 is a high-risk operation; Kaspersky's proactive defense intercepts it at the kernel level.

xxhhlk commented 3 weeks ago

> InstallDriver 2 is a high-risk operation; Kaspersky's proactive defense intercepts it at the kernel level.

Understood, thanks. Apart from uninstalling Kaspersky, is there any other way to fix this?

ChinaGeeker commented 2 weeks ago

Ran into the same problem. Is there a fix?

xxhhlk commented 1 week ago

> Ran into the same problem. Is there a fix?

After uninstalling Kaspersky, if any of its drivers are left behind you still can't enter kernel mode; they have to be deleted. So most likely there is no fix. That is just my own opinion; the developer may have a better idea. For now I've chosen to uninstall Kaspersky.