Exetools

Exetools forum > Source Code > TS-Fucker (https://forum.exetools.com/showthread.php?t=20504)

vitriol 04-01-2023 06:14

TS-Fucker
What's up folks,

This is a known technique, but still I'm sure you'll find some useful code in my project.
TS-Fucker will force your machine into TestSigning Mode without having to restart the machine. There's a nice symbol available in CI.dll - kernel module that makes this possible. It's just one nibble that needs to be changed.

The code will download the symbol file for CI.dll and with that get the offset.
So it will work on all versions that haven't yet blocked the dbutil.sys vulnerable driver. (Except Win11 with or without VBS??? I've been told so, but for whoever is interested I can share an article that shows how to get around it for Win11.)

https://github.com/Flerov/TS-Fucker

Stingered 04-01-2023 21:49

How is this different from using PowerShell?

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock" /t REG_DWORD /f /v "AllowDevelopmentWithoutDevLicense" /d "1"

I don't have access to the attached file, which is the reason I am asking.

vitriol 04-01-2023 22:55

I added a link to my GitHub so you can try it out. I have no idea how to make the attachment open for registered users.

But to come to your question, you are talking about something different. As far as I know the reg entry you posted is to enable app development without needing a Developer License.

My code will put your machine into TestSigning Mode (take a read here: )

Usually you do this by issuing this command in an elevated CMD: bcdedit /debug on
Thus enabling TestSigning-Mode and making the machine open for remote kernel debugger connections such as through WinDbg. Enabling this mode requires you to restart your system. Then you will be able to load driver (.sys) files without a Microsoft-issued license.

My patch will put your machine into TestSigning-Mode at runtime, so you will be able to load unsigned kernel drivers without a license and without having to reboot the machine...

Stingered 04-02-2023 04:50

Quote:

Originally Posted by vitriol (Post 127443)
I added a link to my GitHub so you can try it out. I have no idea how to make the attachment open for registered users.

But to come to your question, you are talking about something different. As far as I know the reg entry you posted is to enable app development without needing a Developer License.

My code will put your machine into TestSigning Mode (take a read here: )

Usually you do this by issuing this command in an elevated CMD: bcdedit /debug on
Thus enabling TestSigning-Mode and making the machine open for remote kernel debugger connections such as through WinDbg. Enabling this mode requires you to restart your system. Then you will be able to load driver (.sys) files without a Microsoft-issued license.

My patch will put your machine into TestSigning-Mode at runtime, so you will be able to load unsigned kernel drivers without a license and without having to reboot the machine...

Ahhh... I see now how this could be very useful! Would be interested in the work-around you discuss for Win11, if possible.

DavidXanatos 04-02-2023 05:01

I would be also interested in the win 11 version, please.

PS: I see the hack changed g_CiOptions. I was under the impression that in recent Windows versions this value is guarded by PatchGuard, so changing it and leaving it changed will result in a BSOD sooner or later. Was this hack tested for its long-term stability?

vitriol 04-02-2023 17:51

Here folks, check this out:
https://blog.xpnsec.com/gcioptions-in-a-virtualized-world/

When I have some time again I will also add it to my projects code.

And yes, it can definitely trigger PG, though I tested it on my machine for days and it didn't crash.
I am also trying to find a way to disable PatchGuard. I'm currently resetting KTIMERs and next I'm trying to patch some bugcheck functions, though I'm completely stuck there; I have some problems with patching, i.e. KiRaiseSecurityCheckFailure, from my exploit code, so dunno if that would be sufficient to handle PG.
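As an added example (not part of the thread or the TS-Fucker project): the posts above describe test-signing mode, the in-memory g_CiOptions change via the dbutil driver, and the HVCI caveat from the xpnsec link. The PowerShell below, run elevated on a host you defend, reports what a blue team would want to confirm: the BCD test-signing flag (which an in-memory patch does not touch), whether VBS/HVCI is running, any loaded driver with "dbutil" in its image path, and recent Code Integrity events. The Win32_DeviceGuard status codes follow Microsoft's documentation of that class; "dbutil" is the only value taken from the thread.

```powershell
# Added defensive posture check, not code from the thread. Run from an elevated PowerShell.
function Get-CodeIntegrityPosture {
    # 1. BCD test-signing flag. This reflects boot configuration only: a runtime
    #    g_CiOptions patch like the one discussed above does NOT change it.
    $bcd  = bcdedit /enum '{current}' 2>$null
    $line = $bcd | Where-Object { $_ -match '^\s*testsigning\s+' } | Select-Object -First 1
    $testSigning = [bool]($line -and ($line -match 'Yes\s*$'))

    # 2. VBS / HVCI state from the DeviceGuard WMI class. With HVCI running, kernel code
    #    integrity is enforced by the hypervisor, which is why the xpnsec article matters.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsRunning  = [bool]($dg -and $dg.VirtualizationBasedSecurityStatus -eq 2)  # 2 = running
    $hvciRunning = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))    # 2 = HVCI

    # 3. Loaded drivers whose image path contains 'dbutil' (the vulnerable driver named in
    #    the thread). Substring match is deliberate: the file may be renamed or versioned.
    $suspectDrivers = Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName -match 'dbutil' } |
        Select-Object Name, PathName

    # 4. Recent Code Integrity events (blocked unsigned loads land here while CI is intact;
    #    a sudden silence after a blocked-load burst is itself worth a look).
    $ciEvents = Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' `
                             -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message

    [pscustomobject]@{
        TestSigningInBcd = $testSigning
        VbsRunning       = $vbsRunning
        HvciRunning      = $hvciRunning
        SuspectDrivers   = @($suspectDrivers)
        RecentCiEvents   = @($ciEvents)
    }
}

$posture = Get-CodeIntegrityPosture
$posture | Format-List
if ($posture.SuspectDrivers.Count -gt 0) {
    Write-Warning "Vulnerable-driver candidate loaded: $($posture.SuspectDrivers.PathName -join ', ')"
}
```

A host with HvciRunning false, no recent CI events and a dbutil driver running is the combination the thread's technique relies on, so that is the row to alert on.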
