
Windows 24H2 CI.DLL!g_CiOptions search pattern is broken

Whothatmofo opened this issue · 10 comments

Can't seem to get it to work properly with Windows 24H2 and can't load drivers.

Very informative. Show kdu -diag.

It cannot find internal CI.DLL variable. Attach your CI.DLL somewhere and post a link to it.

ci.dll from system32, correct

Your link gives "Access denied".

try it now, sorry hfire

Open dsefix.cpp and replace KDUpCheckInstructionBlock with

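//
// KDUpCheckInstructionBlock
//
// Purpose:
//
//     Verify that the bytes at Code[Offset] decode to the expected
//     sequence of register moves and return the offset of the first
//     byte after that sequence.
//
// Parameters:
//
//     Code    - byte buffer holding the code to inspect.
//     Offset  - start offset into Code.
//
// Return Value:
//
//     Offset just past the matched sequence, or 0 when any instruction
//     fails to decode (F_ERROR), has an unexpected length, or has
//     unexpected opcode bytes.
//
// Note:
//
//     No bounds checking is performed here; the caller must guarantee
//     that Code is readable for the whole sequence starting at Offset.
//     Every hde64_disasm result is checked for F_ERROR before hs.len
//     is used to advance.
//
ULONG KDUpCheckInstructionBlock(
    _In_ PBYTE Code,
    _In_ ULONG Offset
)
{
    ULONG offset = Offset;
    hde64s hs;

    RtlSecureZeroMemory(&hs, sizeof(hs));

    //
    // mov     r9, rbx
    //
    hde64_disasm(&Code[offset], &hs);
    if ((hs.flags & F_ERROR) || (hs.len != 3)) {
        return 0;
    }

    if (Code[offset] != 0x4C ||
        Code[offset + 1] != 0x8B)
    {
        return 0;
    }

    offset += hs.len;

    //
    // mov     r8, rdi
    //
    // or
    //
    // mov     r8d, edi
    //
    // Either prefix byte (0x4C or 0x44) is accepted, but the opcode
    // byte must be 0x8B in both cases. The previous version chained all
    // three comparisons with && and therefore only rejected when every
    // byte mismatched, letting e.g. 0x4C 0x89 through.
    //
    hde64_disasm(&Code[offset], &hs);
    if ((hs.flags & F_ERROR) || (hs.len != 3)) {
        return 0;
    }

    if ((Code[offset] != 0x4C && Code[offset] != 0x44) ||
        Code[offset + 1] != 0x8B)
    {
        return 0;
    }

    offset += hs.len;

    //
    // Third instruction is either the 3-byte "mov rdx, rsi" directly,
    // or a 5-byte "mov [rsp + 38h + 28h], rax" spill followed by
    // "mov rdx, rsi".
    //
    hde64_disasm(&Code[offset], &hs);
    if (hs.flags & F_ERROR) {
        return 0;
    }

    if (hs.len == 3) {

        //
        // mov     rdx, rsi
        //
        if (Code[offset] != 0x48 ||
            Code[offset + 1] != 0x8B)
        {
            return 0;
        }
    }
    else if (hs.len == 5) {

        //
        // mov     [rsp + 38h + 28h], rax
        //
        if (Code[offset] != 0x48 ||
            Code[offset + 1] != 0x89)
        {
            return 0;
        }

        offset += hs.len;

        hde64_disasm(&Code[offset], &hs);
        if ((hs.flags & F_ERROR) || (hs.len != 3)) {
            return 0;
        }

        //
        // mov     rdx, rsi
        //
        if (Code[offset] != 0x48 ||
            Code[offset + 1] != 0x8B)
        {
            return 0;
        }
    }
    else {
        return 0;
    }

    offset += hs.len;

    //
    // mov     ecx, ebp
    //
    hde64_disasm(&Code[offset], &hs);
    if ((hs.flags & F_ERROR) || (hs.len != 2)) {
        return 0;
    }

    if (Code[offset] != 0x8B ||
        Code[offset + 1] != 0xCD)
    {
        return 0;
    }

    //
    // Return the offset of the first byte after the matched sequence.
    //
    return offset + hs.len;
}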

Tell me if it works.
edit: fixed code tags

Will update you as soon as I can.

working perfect hfire. ty!