ufrisk / pcileech

Direct Memory Access (DMA) Attack Software
GNU Affero General Public License v3.0

Signatures for loading KMDs outdated WIN10. #44

Closed KimCalvin closed 4 years ago

KimCalvin commented 6 years ago

I was just trying some stuff out for a bit with my USB3380 and found out that I wasn't able to load a KMD. After checking the ntfs.sys it seems like it got updated to version 10.0.17134.112 last month.

I'm not in a hurry, but it would be appreciated if anyone could take a look at the new signatures.

ufrisk commented 6 years ago

Thanks, I'll take a look at this, hopefully some time next week.

Meanwhile I hope the other more generic injection method - win10_x64 is working.

KimCalvin commented 6 years ago

It didn't work for me, I'll try to check what the error message was once my exams are done next week.

ufrisk commented 6 years ago

update,

Unfortunately updating the signature still won't work if the target has more than ~3GB RAM with the USB3380 due to changes in Windows. Your best shot here is the win10_x64 signature unfortunately.

I'll try to update the signature anyway since it may still be useful to FPGA users.

minkjaco commented 6 years ago

Hi, I'm using FPGA (605/601) on Windows 10 1803 and have pulled the most recent version of the repository, but am still unable to load a KMD using win10_x64. I see changes made for the unlock signature, but I am wondering about any changes for signatures in other places, like kmd.c when looking for the page table. It looks like pcileech_gensig.cfg needs to be updated to generate signatures for the new ntfs.sys file. Is there any update on this?

Thanks

ufrisk commented 6 years ago

@minkjaco unfortunately not. I still have to look into this. It was a bit more complicated than I initially thought since my old automated method of generating the signature didn't work.

I may possibly find the time to do this after DEF CON, which will be mid to end of August. But no promises.

The win10_x64 signature is working for me in 1803 (unless I have kernel code integrity enabled) though.

minkjaco commented 6 years ago

@ufrisk thanks for the quick response. Interesting that you see that working on 1803. Any things I can try to get it working, since I've already disabled VT and VT-d in the BIOS Setup?

ufrisk commented 6 years ago

If you disabled VT-d and VT-x in BIOS it should work with the generic win10_x64 as far as I've seen in my test systems. It was 1-2 months since I looked though so I need to look into this again.

I probably have to design a new method of doing things - with the FPGA it should be possible to pretty easily come up with something. But that is for later in August when I'm back from the US.

ufrisk commented 4 years ago

I'm closing this very old issue.

Signatures for Windows 10 should now have been updated to better support all Windows 10 versions - including the latest Win10 2004 release with the WIN10_X64_3 KMD inject.