ufrisk / pcileech

Direct Memory Access (DMA) Attack Software
GNU Affero General Public License v3.0

wx64_unlock command is BSODing my Windows 10 (NTLMShared version 10.0.19041.1) #229

Closed dummys closed 1 year ago

dummys commented 1 year ago

Hi, the kmdload is working and the command to get a shell too. I'm trying to unlock the Windows logon.

KMD: Code inserted into the kernel - Waiting to receive execution.
KMD: Execution received - continuing ...
KMD: Successfully loaded at address: 0x7ffff000

pcileech.exe wx64_unlock -kmd 0x7ffff000 -0 1

EXEC: Failed sending execute command to KMD.

Then BSOD. If I check the version of NTLMShared, it is version 10.0.19041.1, which, when I check inside wx64_unlock.c, is supported. How can I debug it?

I also tried to run the patch with unlock:

pcileech.exe patch -sig unlock_win10x64 -all

 Current Action: Patching
 Access Mode:    Normal
 Progress:       9440 / 9440 (100%)
 Speed:          124 MB/s
 Address:        0x000000024E000000
 Pages read:     2049215 / 2416640 (84%)
 Pages failed:   367425 (15%)
Patch: Successful. Location: 0x11e6b6435

Not working either.

dummys commented 1 year ago

I checked inside the ntlmshared.dll and the signature you have in wx64_unlock.c is matching. I will try to break on the function when I inject the shellcode to see.

dummys commented 1 year ago

Oh, and I can't find shellcode64.exe; where does this file come from? EDIT: Never mind, found it in your repo: https://github.com/ufrisk/shellcode64 You should put the URL in the documentation.

ufrisk commented 1 year ago

Apologies for the late answer. I believe this signature may not be fully up to date with the most recent security patches.

I'll look into it and hopefully update it in the weekend.

It shouldn't bluescreen though, so I don't know what's going on there.

dummys commented 1 year ago

@ufrisk, are you on Discord/IRC or something? Then we can try to debug together. I have kernel debugging in place.

ufrisk commented 1 year ago

I've updated the signatures now. I couldn't find the ntlmshared.dll version you had though, so it may not work.

Please let me know how it goes. And my Discord is UlfFrisk#5780; it may be easier than doing the Twitter messages...

dummys commented 1 year ago

Thanks a lot for your help. The issue was because of VT-d I/O being enabled in the BIOS.
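A defender-side follow-up to the resolution above, as an added example that is not code from the pcileech project or from either participant in the thread: the unlock failed because Intel VT-d (the IOMMU) was enabled, and that is the same platform feature Windows surfaces as Kernel DMA Protection. The snippet reads the Win32_DeviceGuard CIM class and reports whether the platform advertises DMA protection (code 3 in AvailableSecurityProperties), Secure Boot and hypervisor support, plus the VBS state. It assumes a Windows 10/11 host and an elevated PowerShell session; the function name Get-DmaProtectionStatus is my own.

```powershell
# Added example: report whether this Windows host advertises DMA protection.
# Reads the Win32_DeviceGuard CIM class (root\Microsoft\Windows\DeviceGuard).
# Codes in AvailableSecurityProperties:
#   1 = Hypervisor support, 2 = Secure Boot, 3 = DMA protection,
#   4 = Secure Memory Overwrite, 5 = NX protections, 6 = SMM mitigations,
#   7 = Mode Based Execution Control
function Get-DmaProtectionStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    $props = @($dg.AvailableSecurityProperties)

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = configured, 2 = running
    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Off' }
        1       { 'Configured, not running' }
        2       { 'Running' }
        default { "Unknown ($_)" }
    }

    [pscustomobject]@{
        HypervisorSupport = ($props -contains 1)
        SecureBoot        = ($props -contains 2)
        DmaProtection     = ($props -contains 3)
        VbsStatus         = $vbs
    }
}

$status = Get-DmaProtectionStatus
$status | Format-List

if (-not $status.DmaProtection) {
    Write-Warning 'Platform does not report DMA protection: enable VT-d / IOMMU in firmware and confirm "Kernel DMA Protection" reads On in msinfo32.'
}
```

The CIM property tells you the platform is capable of DMA protection; the authoritative on/off state is the "Kernel DMA Protection" line in msinfo32, so an endpoint inventory should check both. A host where either reads off is one where a PCIe device can read and write physical memory in exactly the way the commands earlier in this thread rely on.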