ufrisk / pcileech

Direct Memory Access (DMA) Attack Software
GNU Affero General Public License v3.0

KMD for ntfs.sys v10.0.16299.15 #34

Closed philipcs closed 6 years ago

philipcs commented 6 years ago

Hi

I have acquired a pciescreamer card, and after having managed to flash and probe it, I was left with trying to inject a kernel module. Unfortunately pcileech.exe kmdload -kmd win10_x64 only works intermittently (1 out of 5 attempts - but I am not sure if it was truly successful, since pcileech.exe mount -device c:\temp\memdump_win10.raw failed afterwards), and using ntfs.sys is being stopped by my version of ntfs.sys being without a signature.

C:\pcileech-master\pcileech_files>pcileech_gensig.exe c:\Windows\System32\drivers\ntfs.sys
pcileech_gensig: failed! no signature matches file: c:\Windows\System32\drivers\ntfs.sys
PS C:\WINDOWS\system32\drivers> Get-Command .\ntfs.sys | format-list

Name            : ntfs.sys
CommandType     : Application
Definition      : C:\WINDOWS\system32\drivers\ntfs.sys
Extension       : .sys
Path            : C:\WINDOWS\system32\drivers\ntfs.sys
FileVersionInfo : File:             C:\WINDOWS\system32\drivers\ntfs.sys
                  InternalName:     ntfs.sys
                  OriginalFilename: ntfs.sys.mui
                  FileVersion:      10.0.16299.15 (WinBuild.160101.0800)
                  FileDescription:  NT File System Driver
                  Product:          Microsoft® Windows® Operating System
                  ProductVersion:   10.0.16299.15
                  Debug:            False
                  Patched:          False
                  PreRelease:       False
                  PrivateBuild:     False
                  SpecialBuild:     False
                  Language:         English (United States)

PS C:\WINDOWS\system32\drivers>  Get-FileHash .\ntfs.sys|format-list

Algorithm : SHA256
Hash      : EFC68FD339850013F11FC68D6C7D28EDC298C552C4A244E83E0CFCFDA92C19B9
Path      : C:\WINDOWS\system32\drivers\ntfs.sys

Is there a way for me to provide you with enough information to make this signature as well? Alternatively, is there a guide for how I can make the signatures myself?

ufrisk commented 6 years ago

I haven't updated the ntfs-style signatures for a while. Also, as-is they are a bit flimsy if they are working with more recent Windows builds. I might look into this again in the not too distant future though, and possibly generate a few new signatures. To look into your exact version I probably would need a copy of it, since the more recent Windows build seems to have a more recent one. I also plan to look into some other methods of kernel injects in the not too distant future if I have time. If you can provide a link to your ntfs.sys I can possibly look into it.

About the kernel module, the generic approach win10_x64 sometimes works a little bit better if you wait 30 seconds or so after the computer is booted to the logon screen. Once loaded you can try to pop a system shell using: pcileech.exe wx64_pscmd -kmd 0x<address_of_kernel_module>. I have noticed that the mount command (to mount the filesystem) is sometimes a bit unstable and may bluescreen the computer. I'm currently trying to pinpoint the error.

pcileech.exe mount -device c:\temp\memdump_win10.raw tries to mount the memory process file system from a memory dump file from c:\temp... It has nothing to do with loading any kernel modules. If the memdump_win10.raw does not exist it will fail.

To dump all memory, take note of the max physical address in the probe. Then run: pcileech.exe dump -v -force -out yourdumpfile.raw -max 0x<your_max_probe_address>

Alternatively if you wish to mount the memory process file system from a computer (and not the file system mount which requires a kernel module) just run: pcileech.exe mount -max 0x<your_max_probe_address>

ufrisk commented 6 years ago

Can you please send me your ntfs.sys file and I'll look into it.

philipcs commented 6 years ago

Sorry about the dump command being without the use of a kmd, I was remembering wrong. Of course it won't matter if the command is being run without using the kmd.

Where would you like for me to upload ntfs.sys? Not sure if you want me "polluting" your project with copyrighted material (by uploading it attached to this issue). Should I just upload to megaupload/dropbox and drop you a link via twitter?

ufrisk commented 6 years ago

Yeah, mega or dropbox is fine.

ufrisk commented 6 years ago

Strange, the file you sent me, which is the most recent Windows 10 one, shows Product version 10.0.16299.248 if you right click on it. It's the same SHA256 hash though. Anyway, the update should be on GitHub now. Hope this one works better.

It's probably best just to go for a regular memory scan insert - pcileech.exe kmdload -kmd win10x64_ntfs_20180210_16299. The current PCILeech has a bug that makes it very slow when encountering unreadable memory with the PCIeScreamer, such as the memory area between 3-4GB. You may wish to try: pcileech.exe kmdload -kmd win10x64_ntfs_20180210_16299 -min 0x100000000 to speed things up.
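The version mismatch noted above (Get-Command reports 10.0.16299.15, the Details tab shows 10.0.16299.248, same SHA256) comes from two different version resources: .NET's FileVersion string is read from the StringFileInfo table, which for language-neutral drivers lives in the ntfs.sys.mui file, while Explorer shows the binary VS_FIXEDFILEINFO version embedded in the .sys itself. The script below is an added example, not part of the thread, and assumes PowerShell 5.1 or later, where the FileVersionRaw and ProductVersionRaw properties expose the fixed-file-info values; the driver path and hash are the ones quoted in the issue.

```powershell
# Compare the string-table version with the binary (fixed) version of a driver
# and report the SHA256, so a "which build is this really?" question can be
# answered before generating or matching a signature.
function Get-DriverVersionReport {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Optional expected hash; the value below is the one posted in the issue.
        [string]$ExpectedSha256 = 'EFC68FD339850013F11FC68D6C7D28EDC298C552C4A244E83E0CFCFDA92C19B9'
    )

    $item = Get-Item -LiteralPath $Path
    $vi   = $item.VersionInfo

    # FileVersion comes from the StringFileInfo block (often the .mui resource);
    # FileVersionRaw is built from VS_FIXEDFILEINFO in the binary itself.
    $stringVersion = ($vi.FileVersion -split ' ')[0]
    $binaryVersion = $vi.FileVersionRaw.ToString()

    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    [pscustomobject]@{
        Path            = $item.FullName
        StringVersion   = $stringVersion          # what Get-Command / format-list showed
        BinaryVersion   = $binaryVersion          # what the Explorer Details tab shows
        VersionMismatch = ($stringVersion -ne $binaryVersion)
        Sha256          = $hash
        HashMatches     = ($hash -ieq $ExpectedSha256)
    }
}

# Assumed path from the issue; any driver path works.
Get-DriverVersionReport -Path 'C:\Windows\System32\drivers\ntfs.sys' | Format-List
```

When VersionMismatch is True, the BinaryVersion is the build a signature should be keyed to, since it changes with servicing updates while the .mui string table frequently does not.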

philipcs commented 6 years ago

Thanks, I will test this more when I get home. The pciescreamer card was not really that stable yesterday (would not show up in device manager etc), so I couldn't test it when you released it. I'll try moving the card to a different pcie slot and see if it's more willing to cooperate.

I'll close this issue, since it's likely that you have fixed the problem.