ufrisk / MemProcFS

GNU Affero General Public License v3.0

KB5016616 update is causing problems on few functions. #119

Closed 0xGabriella closed 2 years ago

0xGabriella commented 2 years ago

Hello Ulf! Always wishing you good luck. As the title says, the update is causing a few functions to return false, like VMMDLL_Map_GetPool, etc. I discovered this after I reinstalled Windows and the same problem happened again. Thank you!

ufrisk commented 2 years ago

Thanks, I'll look into it when back home next week.

What are the other problematic functions?

Also, are you using MemProcFS on Linux or Windows?

0xGabriella commented 2 years ago

I'm using it on Windows, both the attacking PC and the DMA host PC.

0xGabriella commented 2 years ago

Other problematic functions could be related to my previous issues, from the time when I was trying to use MemProcFS functions to get specific drivers or DLL imports, dumping pools, etc.

0xGabriella commented 2 years ago

By the way, just wondering: is there any API to read physical memory directly? In case the same problem happens again, I could try manually walking all the necessary stuff I need. Thank you!

ufrisk commented 2 years ago

Yes, please supply -1 as the pid to read physical memory.

https://github.com/ufrisk/MemProcFS/blob/697e1156d8cce775a091798d41c962dcfb0d75b3/vmm/vmmdll.h#L698

cycript commented 2 years ago

Hello, you can use the normal VMM read functions with pid -1 to read physical memory.

0xGabriella commented 2 years ago

Oh damn, sorry, I missed that on the wiki. Have a great holiday Ulf! I will manually walk until the new update comes out.

pineda89 commented 2 years ago

Same problem here.

I solved it by removing the update. @0xGabriella maybe this is easier than implementing manual walking.

ufrisk commented 2 years ago

Many thanks for looking into this. I'll look at it next week. Currently I'm at the DEF CON conference and I'm not able to. Hopefully I'll have a fix at the end of next week.

I wonder what it was in the update that broke things.

One last question: which Windows version are you running?

pineda89 commented 2 years ago

Windows Pro 21H2. Just removing the update KB5016616, all works again.

Thanks for your involvement.

0xGabriella commented 2 years ago

Based on some sources, the update contains patches for most public privilege escalation exploits.

ufrisk commented 2 years ago

Is this working again now with the most recent update I pushed to releases section? Please let me know.

0xGabriella commented 2 years ago

Thank you Ulf for the fast response; it looks like it's already fixed by the latest patch. Thank you so much! Anyway, can you tell us what problem caused it to break with the KB5016616 update?

ufrisk commented 2 years ago

The issue is that the pool parsing relies on some symbol offsets that pretty much get updated with every new Windows update (kernel update).

For every release I add these offsets to the info.db database.

There is also a fallback using the Microsoft symbol server. This does not seem to be working for you. The most likely reason is that you don't have the files dbghelp.dll and symsrv.dll from the MemProcFS binary release next to the vmm.dll file, or no internet connection.
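An added diagnostic (not part of this issue or of MemProcFS itself) that checks the two preconditions for the symbol-server fallback described above, and shows the pid -1 style physical read as a stopgap when the pool map is unavailable. It assumes the `memprocfs` Python package API (`vmm.maps.pool()`, `vmm.memory.read()`) and a `MEMPROCFS_DIR` environment variable pointing at the folder holding vmm.dll; both are assumptions, not taken from the thread.

```python
"""Diagnose the pool-map failure mode discussed in this issue: pool parsing
needs per-build symbol offsets (from info.db or the symbol-server fallback),
and raw physical reads are the workaround while offsets are missing."""
import os
import urllib.error
import urllib.request

# Helper DLLs that must sit next to vmm.dll for the symbol-server fallback.
SYMBOL_HELPERS = ("dbghelp.dll", "symsrv.dll")
# Microsoft public symbol server; reachable only with internet access.
SYMBOL_SERVER = "https://msdl.microsoft.com/download/symbols/"


def find_missing_symbol_helpers(vmm_dir):
    """Return the helper DLLs absent from the directory holding vmm.dll."""
    return [name for name in SYMBOL_HELPERS
            if not os.path.isfile(os.path.join(vmm_dir, name))]


def symbol_server_reachable(url=SYMBOL_SERVER, timeout=5):
    """True if the symbol server answers at all (any HTTP status counts)."""
    request = urllib.request.Request(url, method="HEAD")
    try:
        urllib.request.urlopen(request, timeout=timeout)
        return True
    except urllib.error.HTTPError:
        return True  # server replied (e.g. 404): the network path works
    except (urllib.error.URLError, OSError):
        return False


def pool_map_or_physical(vmm, physical_address=0x1000, length=0x100):
    """Try the pool map (VMMDLL_Map_GetPool equivalent); if it fails, fall
    back to a raw physical read, the pid -1 read from the thread.

    `vmm` is a memprocfs.Vmm handle supplied by the caller (assumed API).
    Returns ("pool", entries) or ("physical", bytes)."""
    try:
        entries = vmm.maps.pool()
        if entries:
            return ("pool", entries)
    except Exception:
        pass  # offsets for this kernel build not known: map unavailable
    return ("physical", vmm.memory.read(physical_address, length))


if __name__ == "__main__":
    vmm_dir = os.environ.get("MEMPROCFS_DIR", ".")  # assumed env var
    print("missing helper DLLs:", find_missing_symbol_helpers(vmm_dir))
    print("symbol server reachable:", symbol_server_reachable())
```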