Exetools  

Go Back   Exetools > General > Source Code

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 04-01-2023, 06:14
vitriol vitriol is offline
Friend
 
Join Date: Jan 2023
Posts: 5
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 0
Thanks Rcvd at 18 Times in 5 Posts
vitriol Reputation: 1
Talking TS-Fucker

Whats up folks,

this a known technique, still I'm sure you'll find some usefull code in my project.
TS-Fucker will force your machine into TestSigning Mode without having to restart the machine. Theres a nice Symbol available in CI.dll - kernel module that makes this possible. Its just one nibble that needs to be changed.

Code will download symbol file for CI.dll and with that get the Offset.
So it will work on all versions that havent yet blocked dbutil.sys vulnerable driver. (except Win11 with or without vbs??? I've got told, but for whom is interested I can share an article that shows how to get around it for win11)

https://github.com/Flerov/TS-Fucker
Attached Files
File Type: rar TS-Fucker.rar (141.5 KB, 29 views)

Last edited by vitriol; 04-01-2023 at 22:47.
Reply With Quote
The Following User Gave Reputation+1 to vitriol For This Useful Post:
sh3dow (04-03-2023)
The Following 8 Users Say Thank You to vitriol For This Useful Post:
DavidXanatos (04-02-2023), Mendax47 (04-01-2023), MrScotc (04-01-2023), niculaita (04-02-2023), RAMPage (04-02-2023), sh3dow (04-03-2023), Stingered (04-02-2023), tonyweb (04-01-2023)
  #2  
Old 04-01-2023, 21:49
Stingered Stingered is offline
Friend
 
Join Date: Dec 2017
Posts: 217
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 283
Thanks Rcvd at 156 Times in 76 Posts
Stingered Reputation: 2
How is this different from using Poweshell?

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock" /t REG_DWORD /f /v "AllowDevelopmentWithoutDevLicense" /d "1"

I don't have access to the attached file, and the reason I am asking.
Reply With Quote
The Following User Says Thank You to Stingered For This Useful Post:
niculaita (04-02-2023)
  #3  
Old 04-01-2023, 22:55
vitriol vitriol is offline
Friend
 
Join Date: Jan 2023
Posts: 5
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 0
Thanks Rcvd at 18 Times in 5 Posts
vitriol Reputation: 1
I added link to my GitHub so you can try it out. I have no Idea how to make the Attachment open for registered users.

But to come to your question, you are talking about something different. As far as I know the Reg-Entry you posted is to enable App Development without needing a Developer License.

My code will put your Machine into TestSigning Mode (take a read here: )

usually you do this by issuing this command in an elevated CMD: bcdedit /debug on
Thus enabling TestSigning-Mode and making the Machine open for Remote Kernel Debugger Connections such as through WinDbg. Enabling this mode requires you to restart your System. Then you will be able to load Drivers (.sys) files without a by microsoft issued license.

My Patch will put your Machine into TestSigning-Mode at runtime, so you will be able to load unsigned kernel drivers without a license and without having to reboot the machine...
Reply With Quote
The Following 3 Users Say Thank You to vitriol For This Useful Post:
niculaita (04-02-2023), sh3dow (04-03-2023), Stingered (04-02-2023)
  #4  
Old 04-02-2023, 04:50
Stingered Stingered is offline
Friend
 
Join Date: Dec 2017
Posts: 217
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 283
Thanks Rcvd at 156 Times in 76 Posts
Stingered Reputation: 2
Quote:
Originally Posted by vitriol View Post
I added link to my GitHub so you can try it out. I have no Idea how to make the Attachment open for registered users.

But to come to your question, you are talking about something different. As far as I know the Reg-Entry you posted is to enable App Development without needing a Developer License.

My code will put your Machine into TestSigning Mode (take a read here: )

usually you do this by issuing this command in an elevated CMD: bcdedit /debug on
Thus enabling TestSigning-Mode and making the Machine open for Remote Kernel Debugger Connections such as through WinDbg. Enabling this mode requires you to restart your System. Then you will be able to load Drivers (.sys) files without a by microsoft issued license.

My Patch will put your Machine into TestSigning-Mode at runtime, so you will be able to load unsigned kernel drivers without a license and without having to reboot the machine...
Ahhh... I see now how this could be very useful! Would be interested in the work-around you discuss for Win11, if possible.
Reply With Quote
  #5  
Old 04-02-2023, 05:01
DavidXanatos DavidXanatos is offline
Family
 
Join Date: Jun 2018
Posts: 180
Rept. Given: 2
Rept. Rcvd 45 Times in 31 Posts
Thanks Given: 57
Thanks Rcvd at 344 Times in 116 Posts
DavidXanatos Reputation: 45
I would be also interested in the win 11 version, please.

PS: I see the hack changed the g_CiOptions I was under the impression that in recent windows versions this value is guarded by the patch guard, so changing it and leaving it changed will result in a BSOD sooner or later. Was this hack testes for its long therm stability?

Last edited by DavidXanatos; 04-02-2023 at 05:06.
Reply With Quote
The Following 4 Users Say Thank You to DavidXanatos For This Useful Post:
deepzero (04-02-2023), niculaita (04-02-2023), Stingered (04-02-2023), tonyweb (04-02-2023)
  #6  
Old 04-02-2023, 17:51
vitriol vitriol is offline
Friend
 
Join Date: Jan 2023
Posts: 5
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 0
Thanks Rcvd at 18 Times in 5 Posts
vitriol Reputation: 1
Here folks check this out
https://blog.xpnsec.com/gcioptions-in-a-virtualized-world/

When I have some time again I will also add it to my projects code.

And yes it can definitly trigger PG though I tested it on my Machine for days and didnt crash.
I am also trying to find a way to disable PatchGuard, I'm currently resetting KTIMERs and next I'm trying to patch some bugcheck-functions though I'm completly stuck on there have some problems with patching ie KiRaiseSeucurityCheckFailure from my exploit code so dunno if that would be suffienct to handle PG
Reply With Quote
The Following 4 Users Say Thank You to vitriol For This Useful Post:
niculaita (04-02-2023), sh3dow (04-03-2023), Stingered (04-02-2023), tonyweb (04-02-2023)
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is On



All times are GMT +8. The time now is 00:32.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2023 )