Closed 0xGabriella closed 2 years ago
Thanks, I'll look into it when I'm back home next week.
What are the other problematic functions?
Also, are you using memprocfs on linux or windows?
I'm using it on Windows. Both attacking PC and DMA host PC.
Other problematic functions could be related to my previous issues, from the time when I was trying to use memprocfs functions to get specific drivers or DLL imports, dump pools, etc.
By the way, just wondering, is there any API to read physical memory directly? In case the same problem happens I could try manually walking all the necessary stuff I need. Thank you!
Yes, please supply -1 as the pid to read physical memory
https://github.com/ufrisk/MemProcFS/blob/697e1156d8cce775a091798d41c962dcfb0d75b3/vmm/vmmdll.h#L698
Hello, You can use the Normal VMM Read functions with pid -1 to read physical memory.
Oh damn, sorry I missed that on the wiki. Have a great holiday Ulf! I will manually walk until the new update comes out.
same problem here
I solved it by removing the update. @0xGabriella maybe this is easier than implementing manual walking.
Many thanks for looking into this. I'll look at it next week. Currently I'm at the DEF CON conference and I'm not able to. Hopefully I'll have a fix at the end of next week.
I wonder what it was in the update that broke things.
One last question, which windows version are you running?
Windows Pro 21H2. Just removing the update KB5016616, all works again.
Thanks for your involvement.
Based on some sources, the update contains patches for most public privilege escalation exploits.
Is this working again now with the most recent update I pushed to releases section? Please let me know.
Thank you Ulf for the fast response, looks like it's already fixed by the latest patch. Thank you so much! Anyway, can you tell us what problem caused it to break with the KB5016616 update?
Issue is that the pool parsing relies on some symbol offsets that pretty much get updated with every new Windows update (kernel update).
For every release I add these offsets to the info.db database.
There is also a fallback using the Microsoft symbol server. This does not seem to be working for you. Most likely version is that you don't have the files dbghelp.dll and symsrv.dll from the MemProcFS binary release next to the vmm.dll file, or no internet connection.
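An added preflight check for the symbol-server fallback described above (example code, not part of the thread or the MemProcFS project): it reports which of the DLLs needed next to vmm.dll are missing and whether the Microsoft symbol server is reachable, which are the two failure causes named in the reply. The install path, the symbol-server host name and the port are assumptions.

```python
import os
import socket

# DLLs the symbol-server fallback needs in the same directory as vmm.dll
# (named in the thread: dbghelp.dll and symsrv.dll from the binary release).
REQUIRED_DLLS = ("vmm.dll", "dbghelp.dll", "symsrv.dll")
# Microsoft public symbol server; host/port are assumptions, not from the thread.
SYMBOL_SERVER_HOST = "msdl.microsoft.com"
SYMBOL_SERVER_PORT = 443


def missing_fallback_dlls(filenames):
    """Return the required DLLs absent from an iterable of file names (case-insensitive)."""
    present = {name.lower() for name in filenames}
    return [dll for dll in REQUIRED_DLLS if dll not in present]


def symbol_server_reachable(host=SYMBOL_SERVER_HOST, port=SYMBOL_SERVER_PORT, timeout=3.0):
    """Return True if a TCP connection to the symbol server succeeds (no download is attempted)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(filenames, online):
    """Explain why pool parsing may fail when info.db lacks offsets for a new kernel build.

    `filenames` are the names found next to vmm.dll, `online` is the reachability result.
    """
    missing = missing_fallback_dlls(filenames)
    if missing:
        return "symbol fallback disabled: missing " + ", ".join(missing)
    if not online:
        return "symbol fallback disabled: cannot reach " + SYMBOL_SERVER_HOST
    return "symbol fallback available: offsets can be fetched if info.db lacks them"


def diagnose_directory(directory, check_network=True):
    """Run the check against a real MemProcFS directory (path is an assumption)."""
    online = symbol_server_reachable() if check_network else True
    return diagnose(os.listdir(directory), online)


if __name__ == "__main__":
    print(diagnose_directory(r"C:\Tools\MemProcFS"))
```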
Hello Ulf! Always wishing you good luck. As the title says, the update is causing a few functions to return false, like VMMDLL_Map_GetPool, etc. Discovered this after I reinstalled Windows and the same problem happened again. Thank you!