Update INI
- Added support for build 10.0.10240.16384 - Added HOW TO hints to KB
This commit is contained in:
parent
9a7c501ca9
commit
5062ff6c75
@ -54,6 +54,11 @@ CDefPolicy_Query_eax_ecx=B80001000089812003000090
|
|||
CDefPolicy_Query_eax_rcx=B80001000089813806000090
|
||||
|
||||
[6.0.6000.16386]
|
||||
; HOW TO search CSessionArbitrationHelper::IsSingleSessionPerUserEnabled function in IDA Pro:
|
||||
; 1. Search text: CSessionArbitrationHelper::IsSingleSessionPerUserEnabled
|
||||
; 2. All xrefs will point to this function (in x64 version xref points to subroutine, so you need to go one level up)
|
||||
; 3. Go to first graph block and find memset, VersionInformation, call GetVersionExW, and so on
|
||||
|
||||
; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled
|
||||
; Imagebase: 6F320000
|
||||
; .text:6F3360B9 lea eax, [ebp+VersionInformation]
|
||||
|
@ -74,6 +79,11 @@ SingleUserCode.x86=nop
|
|||
SingleUserPatch.x64=1
|
||||
SingleUserOffset.x64=65E3E
|
||||
SingleUserCode.x64=Zero
|
||||
; HOW TO search CDefPolicy::Query function in IDA Pro:
|
||||
; 1. Search text: CDefPolicy::Query
|
||||
; 2. All xrefs will point to this function (in x64 version xref sometimes points to subroutine, so you need to go one level up)
|
||||
; 3. Go to first graph block and find cmp/jz instructions on the bottom of block
|
||||
|
||||
; Patch CDefPolicy::Query
|
||||
; Original
|
||||
; .text:6F335CD8 cmp edx, [ecx+320h]
|
||||
|
@ -835,6 +845,12 @@ SLPolicyOffset.x64=21FD0
|
|||
SLPolicyFunc.x64=New_Win8SL
|
||||
|
||||
[6.3.9431.0]
|
||||
; HOW TO search CEnforcementCore::GetInstanceOfTSLicense function in IDA Pro:
|
||||
; 1. Search text: CSLQuery::IsLicenseTypeLocalOnly
|
||||
; 2. All xrefs will point to this function
|
||||
; 3. Go to function beginning and check ; CODE XREF string, it will point to GetInstanceOfTSLicense function
|
||||
; 4. Follow CODE XREF, switch to graph view, the next block below is to patch
|
||||
|
||||
; Patch CEnforcementCore::GetInstanceOfTSLicense
|
||||
; .text:1008A604 call ?IsLicenseTypeLocalOnly@CSLQuery@@SGJAAU_GUID@@PAH@Z ; CSLQuery::IsLicenseTypeLocalOnly(_GUID &,int *)
|
||||
; .text:1008A609 test eax, eax
|
||||
|
@ -890,6 +906,10 @@ DefPolicyCode.x86=CDefPolicy_Query_eax_ecx
|
|||
DefPolicyPatch.x64=1
|
||||
DefPolicyOffset.x64=350FD
|
||||
DefPolicyCode.x64=CDefPolicy_Query_eax_rcx
|
||||
; HOW TO search CSLQuery::Initialize function in IDA Pro:
|
||||
; 1. Search text: CSLQuery::Initialize - SLGetWindowsInformationDWORD failed
|
||||
; 2. All xrefs will point to this function
|
||||
|
||||
; Hook CSLQuery::Initialize
|
||||
SLInitHook.x86=1
|
||||
SLInitOffset.x86=196B0
|
||||
|
@ -1386,6 +1406,36 @@ SLInitHook.x64=1
|
|||
SLInitOffset.x64=22E40
|
||||
SLInitFunc.x64=New_CSLQuery_Initialize
|
||||
|
||||
[10.0.10240.16384]
|
||||
; Patch CEnforcementCore::GetInstanceOfTSLicense
|
||||
LocalOnlyPatch.x86=1
|
||||
LocalOnlyOffset.x86=A7D96
|
||||
LocalOnlyCode.x86=jmpshort
|
||||
LocalOnlyPatch.x64=1
|
||||
LocalOnlyOffset.x64=96901
|
||||
LocalOnlyCode.x64=jmpshort
|
||||
; Patch CSessionArbitrationHelper::IsSingleSessionPerUserEnabled
|
||||
SingleUserPatch.x86=1
|
||||
SingleUserOffset.x86=32A95
|
||||
SingleUserCode.x86=nop
|
||||
SingleUserPatch.x64=1
|
||||
SingleUserOffset.x64=18F74
|
||||
SingleUserCode.x64=Zero
|
||||
; Patch CDefPolicy::Query
|
||||
DefPolicyPatch.x86=1
|
||||
DefPolicyOffset.x86=2F5B9
|
||||
DefPolicyCode.x86=CDefPolicy_Query_eax_ecx
|
||||
DefPolicyPatch.x64=1
|
||||
DefPolicyOffset.x64=22865
|
||||
DefPolicyCode.x64=CDefPolicy_Query_eax_rcx
|
||||
; Hook CSLQuery::Initialize
|
||||
SLInitHook.x86=1
|
||||
SLInitOffset.x86=46581
|
||||
SLInitFunc.x86=New_CSLQuery_Initialize
|
||||
SLInitHook.x64=1
|
||||
SLInitOffset.x64=250F0
|
||||
SLInitFunc.x64=New_CSLQuery_Initialize
|
||||
|
||||
[SLInit]
|
||||
; Is server
|
||||
bServerSku=1
|
||||
|
@ -1405,6 +1455,13 @@ ulMaxDebugSessions=0
|
|||
bInitialized=1
|
||||
|
||||
[6.3.9431.0-SLInit]
|
||||
; HOW TO search SLInit global variables in IDA Pro:
|
||||
; 1. Search text: The SL policy for ',27h,'Allow Multiple Sessions',27h,' is not defined
|
||||
; 2. Xref will point to CSLQuery::Initialize function
|
||||
; 3. Follow xref, look for cmp instruction nearby
|
||||
; 4. It will be comparsion with CSLQuery::bServerSku constant
|
||||
; 5. Now it's easy to find other constants
|
||||
|
||||
bFUSEnabled.x86 =A22A8
|
||||
lMaxUserSessions.x86 =A22AC
|
||||
bAppServerAllowed.x86 =A22B0
|
||||
|
@ -1574,3 +1631,22 @@ bMultimonAllowed.x64 =F3458
|
|||
bServerSku.x64 =F345C
|
||||
ulMaxDebugSessions.x64=F3460
|
||||
bRemoteConnAllowed.x64=F3464
|
||||
|
||||
[10.0.10240.16384-SLInit]
|
||||
bFUSEnabled.x86 =C3F60
|
||||
lMaxUserSessions.x86 =C3F64
|
||||
bAppServerAllowed.x86 =C3F68
|
||||
bInitialized.x86 =C3F6C
|
||||
bMultimonAllowed.x86 =C3F70
|
||||
bServerSku.x86 =C3F74
|
||||
ulMaxDebugSessions.x86=C3F78
|
||||
bRemoteConnAllowed.x86=C3F7C
|
||||
|
||||
lMaxUserSessions.x64 =F23B0
|
||||
bAppServerAllowed.x64 =F23B4
|
||||
bServerSku.x64 =F23B8
|
||||
bFUSEnabled.x64 =F3460
|
||||
bInitialized.x64 =F3464
|
||||
bMultimonAllowed.x64 =F3468
|
||||
ulMaxDebugSessions.x64=F346C
|
||||
bRemoteConnAllowed.x64=F3470
|
||||
|
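Review bot: The x64 addresses in the new `[10.0.10240.16384-SLInit]` section are split across two ranges (`F23B0`–`F23B8` for lMaxUserSessions/bAppServerAllowed/bServerSku, then `F3460`–`F3470` for the remaining five), while the x86 half of the same section and every other `-SLInit` section visible here is contiguous; `F3460` and `F3464` also coincide with the preceding section's ulMaxDebugSessions.x64 and bRemoteConnAllowed.x64 values, so this looks like it may be a partial copy-over rather than a verified layout. If the split is genuine, a comment such as `; x64 globals are not contiguous in this build (verified in disassembly)` above `lMaxUserSessions.x64` would stop the next maintainer from "fixing" it; the identical block is repeated in the second file's hunk at `@ -722,3 +749,22 @@`, which should get the same treatment. Separately, the HOW TO step `; 4. It will be comparsion with CSLQuery::bServerSku constant` should read `comparison`.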
@ -543,6 +543,32 @@ SLInitHook.x64=1
|
|||
SLInitOffset.x64=22E40
|
||||
SLInitFunc.x64=New_CSLQuery_Initialize
|
||||
|
||||
[10.0.10240.16384]
|
||||
LocalOnlyPatch.x86=1
|
||||
LocalOnlyOffset.x86=A7D96
|
||||
LocalOnlyCode.x86=jmpshort
|
||||
LocalOnlyPatch.x64=1
|
||||
LocalOnlyOffset.x64=96901
|
||||
LocalOnlyCode.x64=jmpshort
|
||||
SingleUserPatch.x86=1
|
||||
SingleUserOffset.x86=32A95
|
||||
SingleUserCode.x86=nop
|
||||
SingleUserPatch.x64=1
|
||||
SingleUserOffset.x64=18F74
|
||||
SingleUserCode.x64=Zero
|
||||
DefPolicyPatch.x86=1
|
||||
DefPolicyOffset.x86=2F5B9
|
||||
DefPolicyCode.x86=CDefPolicy_Query_eax_ecx
|
||||
DefPolicyPatch.x64=1
|
||||
DefPolicyOffset.x64=22865
|
||||
DefPolicyCode.x64=CDefPolicy_Query_eax_rcx
|
||||
SLInitHook.x86=1
|
||||
SLInitOffset.x86=46581
|
||||
SLInitFunc.x86=New_CSLQuery_Initialize
|
||||
SLInitHook.x64=1
|
||||
SLInitOffset.x64=250F0
|
||||
SLInitFunc.x64=New_CSLQuery_Initialize
|
||||
|
||||
[SLInit]
|
||||
bServerSku=1
|
||||
bRemoteConnAllowed=1
|
||||
|
@ -695,6 +721,7 @@ bMultimonAllowed.x86 =C17E8
|
|||
bServerSku.x86 =C17EC
|
||||
ulMaxDebugSessions.x86=C17F0
|
||||
bRemoteConnAllowed.x86=C17F4
|
||||
|
||||
bFUSEnabled.x64 =EEBF0
|
||||
lMaxUserSessions.x64 =EEBF4
|
||||
bAppServerAllowed.x64 =EEBF8
|
||||
|
@ -722,3 +749,22 @@ bMultimonAllowed.x64 =F3458
|
|||
bServerSku.x64 =F345C
|
||||
ulMaxDebugSessions.x64=F3460
|
||||
bRemoteConnAllowed.x64=F3464
|
||||
|
||||
[10.0.10240.16384-SLInit]
|
||||
bFUSEnabled.x86 =C3F60
|
||||
lMaxUserSessions.x86 =C3F64
|
||||
bAppServerAllowed.x86 =C3F68
|
||||
bInitialized.x86 =C3F6C
|
||||
bMultimonAllowed.x86 =C3F70
|
||||
bServerSku.x86 =C3F74
|
||||
ulMaxDebugSessions.x86=C3F78
|
||||
bRemoteConnAllowed.x86=C3F7C
|
||||
|
||||
lMaxUserSessions.x64 =F23B0
|
||||
bAppServerAllowed.x64 =F23B4
|
||||
bServerSku.x64 =F23B8
|
||||
bFUSEnabled.x64 =F3460
|
||||
bInitialized.x64 =F3464
|
||||
bMultimonAllowed.x64 =F3468
|
||||
ulMaxDebugSessions.x64=F346C
|
||||
bRemoteConnAllowed.x64=F3470
|
||||
|
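Review bot: The `[10.0.10240.16384]` section added to this second copy carries none of the `; Patch …` / `; Hook …` comments that the same section has in the first file, and its `[10.0.10240.16384-SLInit]` block has no HOW TO hints either, so the two copies now diverge in documentation as well as having to be kept in sync by hand. If this copy is intentionally the stripped variant, a one-line note at the top of the section, e.g. `; stripped copy — see the annotated INI for patch descriptions`, would make that visible; otherwise mirror the comments from the first file. I cannot tell from these hunks which copy is the canonical one.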