Windows 24H2 CI.DLL!g_CiOptions search pattern is broken #98

Closed
Whothatmofo opened this issue Sep 19, 2024 · 10 comments
Labels
bug Something isn't working

Comments

@Whothatmofo

Can't seem to get it to work properly with Windows 24H2 and can't load drivers.

@hfiref0x
Owner

Very informative. Show kdu -diag.

@Whothatmofo
Author

wefewr

@hfiref0x
Owner

It cannot find internal CI.DLL variable. Attach your CI.DLL somewhere and post a link to it.

@Whothatmofo
Author

ci.dll from system32, correct

@Whothatmofo
Author

@hfiref0x
Owner

Your link gives "Access denied".

@Whothatmofo
Author

try it now, sorry hfire

@hfiref0x
Owner

hfiref0x commented Sep 23, 2024

Open dsefix.cpp and replace KDUpCheckInstructionBlock with

//
// Returns the offset just past the matched instruction block,
// or 0 if the bytes at Offset do not match the expected sequence.
//
ULONG KDUpCheckInstructionBlock(
    _In_ PBYTE Code,
    _In_ ULONG Offset
)
{
    ULONG offset = Offset;
    hde64s hs;

    RtlSecureZeroMemory(&hs, sizeof(hs));

    hde64_disasm(&Code[offset], &hs);
    if ((hs.flags & F_ERROR) || (hs.len != 3)) {
        return 0;
    }

    //
    // mov     r9, rbx
    //
    if (Code[offset] != 0x4C ||
        Code[offset + 1] != 0x8B)
    {
        return 0;
    }

    offset += hs.len;

    hde64_disasm(&Code[offset], &hs);
    if ((hs.flags & F_ERROR) || (hs.len != 3)) {
        return 0;
    }

    //
    // mov     r8, rdi 
    // 
    // or 
    //
    // mov     r8d, edi
    //
    if ((Code[offset] != 0x4C &&
         Code[offset] != 0x44) ||
        Code[offset + 1] != 0x8B)
    {
        return 0;
    }

    offset += hs.len;

    hde64_disasm(&Code[offset], &hs);
    if (hs.flags & F_ERROR)
        return 0;

    if (hs.len == 3) {

        //
        // mov     rdx, rsi
        //
        if (Code[offset] != 0x48 ||
            Code[offset + 1] != 0x8B)
        {
            return 0;
        }
    }
    else if (hs.len == 5)
    {
        //
        // mov     [rsp + 38h + 28h], rax   (5-byte form, then mov rdx, rsi follows)
        //
        if (Code[offset] != 0x48 ||
            Code[offset + 1] != 0x89)
        {
            return 0;
        }

        offset += hs.len;
        hde64_disasm(&Code[offset], &hs);
        if ((hs.flags & F_ERROR) || (hs.len != 3)) {
            return 0;
        }
        //
        // mov     rdx, rsi
        //
        if (Code[offset] != 0x48 ||
            Code[offset + 1] != 0x8B)
        {
            return 0;
        }
    }
    else {
        return 0;
    }

    offset += hs.len;

    hde64_disasm(&Code[offset], &hs);
    if ((hs.flags & F_ERROR) || (hs.len != 2)) {
        return 0;
    }

    //
    // mov     ecx, ebp
    //
    if (Code[offset] != 0x8B ||
        Code[offset + 1] != 0xCD)
    {
        return 0;
    }

    return offset + hs.len;
}

Tell me if it works.
edit: fixed code tags
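A self-contained C port of the check above, added here for this note and not taken from KDU, so the five-instruction sequence can be exercised offline: `mini_len` is an assumed stand-in for `hde64_disasm` that decodes only the `mov` encodings the pattern uses, `check_block` mirrors the function with its second test written as "(4C or 44) and 8B", and the three byte strings are constructed, not taken from any CI.DLL.

```c
#include <stddef.h>
#include <stdint.h>
/* Stand-in for hde64_disasm (added example, not KDU code): decodes only the
 * mov 89/8B forms this pattern uses, with optional REX, register-direct or
 * [base+disp8]+SIB. Returns the length, or 0 for anything else / overrun. */
static size_t mini_len(const uint8_t *p, size_t avail)
{
    size_t i = 0, len;
    if (avail >= 1 && (p[0] & 0xF0) == 0x40) i = 1;     /* REX prefix present */
    if (avail < i + 2 || (p[i] != 0x8B && p[i] != 0x89)) return 0;
    uint8_t mod = p[i + 1] >> 6, rm = p[i + 1] & 7;
    if (mod == 3) len = i + 2;                           /* mov reg, reg */
    else if (mod == 1 && rm == 4) len = i + 4;           /* mov [rsp+disp8], reg */
    else return 0;
    return len <= avail ? len : 0;
}
/* Same five-step check as KDUpCheckInstructionBlock above, with the second
 * test written as "(4C or 44) and 8B". Returns the offset just past the
 * block, or 0 when the bytes at offset do not match. */
static size_t check_block(const uint8_t *code, size_t size, size_t offset)
{
    size_t len;
    if (offset >= size) return 0;
    len = mini_len(code + offset, size - offset);            /* mov r9, rbx */
    if (len != 3 || code[offset] != 0x4C || code[offset + 1] != 0x8B) return 0;
    offset += len;
    len = mini_len(code + offset, size - offset);            /* mov r8, rdi or mov r8d, edi */
    if (len != 3 || (code[offset] != 0x4C && code[offset] != 0x44) ||
        code[offset + 1] != 0x8B) return 0;
    offset += len;
    len = mini_len(code + offset, size - offset);
    if (len == 5) {                             /* 5-byte mov [rsp+38h+28h], rax comes first */
        if (code[offset] != 0x48 || code[offset + 1] != 0x89) return 0;
        offset += len;
        len = mini_len(code + offset, size - offset);
    }
    if (len != 3 || code[offset] != 0x48 || code[offset + 1] != 0x8B) return 0; /* mov rdx, rsi */
    offset += len;
    len = mini_len(code + offset, size - offset);            /* mov ecx, ebp */
    if (len != 2 || code[offset] != 0x8B || code[offset + 1] != 0xCD) return 0;
    return offset + len;
}
/* Constructed byte strings for testing; not taken from any real CI.DLL. */
static const uint8_t kOld[]  = { 0x4C,0x8B,0xCB, 0x4C,0x8B,0xC7, 0x48,0x8B,0xD6, 0x8B,0xCD };
static const uint8_t k24H2[] = { 0x4C,0x8B,0xCB, 0x44,0x8B,0xC7, 0x48,0x89,0x44,0x24,0x60,
                                 0x48,0x8B,0xD6, 0x8B,0xCD };
/* Slot two is mov rax, rdi (48 8B C7): REX.W alone, so the second test must
 * reject it even though the opcode byte is 8B. */
static const uint8_t kBad[]  = { 0x4C,0x8B,0xCB, 0x48,0x8B,0xC7, 0x48,0x8B,0xD6, 0x8B,0xCD };
```

`check_block` returns 11 for `kOld`, 16 for `k24H2` (the 5-byte spill variant) and 0 for `kBad`, a wrong start offset, or a buffer too short to hold the whole sequence.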

@hfiref0x hfiref0x added the bug Something isn't working label Sep 23, 2024
@Whothatmofo
Author

Will update you as soon as I can.

hfiref0x added a commit that referenced this issue Sep 23, 2024
Address #98 issue
@Whothatmofo
Author

working perfect hfire. ty!

@hfiref0x hfiref0x changed the title windows 24h2 Windows 24H2 CI.DLL!g_CiOptions search pattern is broken Sep 23, 2024
@hfiref0x hfiref0x mentioned this issue Sep 23, 2024