TheCruZ / kdmapper

KDMapper is a simple tool that exploits the iqvw64e.sys Intel driver to manually map non-signed drivers in memory
MIT License

recent wdfilter update #139

Closed rohybnol closed 3 months ago

rohybnol commented 5 months ago

Anyone found a new pattern for the latest WdFilter driver update? I tried the commit from the master branch already, but it seems outdated.

Jueshh commented 4 months ago
        MpFreeDriverInfoExRef = FindPatternInSectionAtKernel( device_handle, "PAGE", WdFilter, (PUCHAR)"\x49\x8B\xC9\x4C\x89\x42\x08\xE8\x00\x00\x00\x00\x4C\x8B\x05\x00\x00\x00\x00\xE9\x00\x00\x00\x00", "xxxxxxxx????xxx????x????" );

We had the same problem with the latest version of Win 10 22H2, so this might be the solution to your problem.

AuroraInHeaven commented 3 months ago

Same issue, Win 10 22H2. And this is not working for me.

      MpFreeDriverInfoExRef = FindPatternInSectionAtKernel( device_handle, "PAGE", WdFilter, (PUCHAR)"\x49\x8B\xC9\x4C\x89\x42\x08\xE8\x00\x00\x00\x00\x4C\x8B\x05\x00\x00\x00\x00\xE9\x00\x00\x00\x00", "xxxxxxxx????xxx????x????" );

We had the same problem with the latest version of Win 10 22H2, so this might be the solution to your problem.

AuroraInHeaven commented 3 months ago

solved

/*
    48 89 4A 08                   mov     [rdx+8], rcx
    49 8B C8                      mov     rcx, r8         ; P
    E8 C3 58 FE FF                call    sub_1C0065308
    48 8B 0D 44 41 FA FF          mov     rcx, cs:qword_1C0023B90
    E9 39 FF FF FF                jmp     loc_1C007F98A
*/
MpFreeDriverInfoExRef = FindPatternInSectionAtKernel(device_handle, "PAGE", WdFilter, (PUCHAR)"\x48\x89\x4A\x00\x49\x8b\x00\xE8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xE9", "xxx?xx?x???????????x");
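
Added example, not code from kdmapper: a user-mode search using the same "x"/"?" mask convention as the calls above, run over the 24 instruction bytes quoted in the disassembly in this comment (embedded as a constructed buffer, not read from kernel memory). It shows why the earlier pattern stopped matching after the update (different register allocation, so fixed bytes changed) while the later one, which wildcards the register-dependent bytes, still does. Function and variable names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Wildcard byte search: mask 'x' = byte must equal pattern[j], '?' = any byte.
 * The pattern may contain 0x00 bytes, so its length is taken from the mask,
 * never from strlen(pattern). Returns the first match offset or -1. */
long find_pattern(const uint8_t *buf, size_t buf_len,
                  const uint8_t *pattern, const char *mask)
{
    size_t pat_len = strlen(mask);
    if (pat_len == 0 || pat_len > buf_len)
        return -1;
    for (size_t i = 0; i + pat_len <= buf_len; i++) {
        size_t j;
        for (j = 0; j < pat_len; j++) {
            if (mask[j] == 'x' && buf[i + j] != pattern[j])
                break;
        }
        if (j == pat_len)
            return (long)i;
    }
    return -1;
}
/* Constructed sample: the instruction bytes from the disassembly quoted above,
 * preceded by a few filler bytes so that a hit is not simply at offset 0. */
static const uint8_t sample_code[] = {
    0xCC, 0xCC, 0x90, 0x90,                    /* filler (constructed) */
    0x48, 0x89, 0x4A, 0x08,                    /* mov [rdx+8], rcx */
    0x49, 0x8B, 0xC8,                          /* mov rcx, r8 */
    0xE8, 0xC3, 0x58, 0xFE, 0xFF,              /* call rel32 */
    0x48, 0x8B, 0x0D, 0x44, 0x41, 0xFA, 0xFF,  /* mov rcx, cs:[rip+disp32] */
    0xE9, 0x39, 0xFF, 0xFF, 0xFF               /* jmp rel32 */
};
/* Earlier pattern from the thread: expects mov rcx,r9 / mov [rdx+8],r8 / mov r8,... */
static const uint8_t old_pattern[] =
    "\x49\x8B\xC9\x4C\x89\x42\x08\xE8\x00\x00\x00\x00\x4C\x8B\x05\x00\x00\x00\x00\xE9\x00\x00\x00\x00";
static const char old_mask[] = "xxxxxxxx????xxx????x????";
/* Later pattern from the thread: opcodes fixed, register/displacement bytes wildcarded. */
static const uint8_t new_pattern[] =
    "\x48\x89\x4A\x00\x49\x8B\x00\xE8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xE9";
static const char new_mask[] = "xxx?xx?x???????????x";
long old_pattern_offset(void) { return find_pattern(sample_code, sizeof sample_code, old_pattern, old_mask); }
long new_pattern_offset(void) { return find_pattern(sample_code, sizeof sample_code, new_pattern, new_mask); }
int main(void)
{
    /* Expected: old pattern -1 (no match), new pattern 4 (just after the filler). */
    printf("old pattern: %ld\nnew pattern: %ld\n", old_pattern_offset(), new_pattern_offset());
    return 0;
}
```

The same brittleness applies to any byte-level signature over compiled code, which is why detection rules built on such patterns also need revalidation after each binary update.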

TheCruZ commented 3 months ago

This has been fixed some time ago.