KMD for ntfs.sys v10.0.16299.15 (pcileech issue, closed)

ufrisk commented on August 25, 2024
KMD for ntfs.sys v10.0.16299.15

from pcileech.

Comments (6)

ufrisk commented on August 25, 2024

I haven't updated the ntfs-style signatures for a while. Also, as-is they are a bit flimsy if they are working with more recent Windows builds. I might look into this again in the not too distant future though, and possibly generate a few new signatures. To look into your exact version I probably would need a copy of it, since the more recent Windows build seems to have a more recent one. I also plan to look into some other methods of kernel injects in the not too distant future if I have time. If you can provide a link to your ntfs.sys I can possibly look into it.

About the kernel module, the generic approach win10_x64 sometimes works a little bit better if you wait 30 seconds or so after the computer is booted to the logon screen. Once loaded you can try to pop a system shell using:
pcileech.exe wx64_pscmd -kmd 0x<address_of_kernel_module>
I have noticed that the mount command (to mount the filesystem) is sometimes a bit unstable and may bluescreen the computer. I'm currently trying to pinpoint the error.

pcileech.exe mount -device c:\temp\memdump_win10.raw tries to mount the memory process file system from a memory dump file from c:\temp... It has nothing to do with loading any kernel modules. If the memdump_win10.raw does not exist it will fail.

To dump all memory, take note of the max physical address in the probe. Then run:
pcileech.exe dump -v -force -out yourdumpfile.raw -max 0x<your_max_probe_address>

Alternatively, if you wish to mount the memory process file system from a computer (and not the file system mount, which requires a kernel module), just run:
pcileech.exe mount -max 0x<your_max_probe_address>


ufrisk commented on August 25, 2024

Can you please send me your ntfs.sys file and I'll look into it.


philipcs commented on August 25, 2024

Sorry about the dump command being without the use of a kmd, I was remembering wrong. Of course it won't matter if the command is being run without using the kmd.

Where would you like for me to upload ntfs.sys? Not sure if you want me "polluting" your project with copyrighted material (by uploading it attached to this issue). Should I just upload to megaupload/dropbox and drop you a link via twitter?


ufrisk commented on August 25, 2024

Yeah, Mega or Dropbox is fine.


ufrisk commented on August 25, 2024

Strange, the file you sent me, which is the most recent Windows 10 one, shows product version 10.0.16299.248 if you right-click on it. It's the same SHA256 hash though. Anyway, the update should be on GitHub now. Hope this one works better.

It's probably best just to go for a regular memory scan insert:
pcileech.exe kmdload -kmd win10x64_ntfs_20180210_16299
The current PCILeech has a bug that makes it very slow when encountering unreadable memory with the PCIeScreamer, such as the memory area between 3-4GB. You may wish to try:
pcileech.exe kmdload -kmd win10x64_ntfs_20180210_16299 -min 0x100000000
to speed things up.

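What the two command sequences in this thread boil down to, as an added example that is not from the thread and not pcileech's own code: the dump/mount commands earlier take the highest readable physical address from a probe as -max, and the kmdload command above is a wildcard byte-signature scan over DMA-readable pages that -min starts above the unreadable window. The '??' signature syntax, the page-reader abstraction, the definition of "max probe address", and the scaled-down memory layout (128 MB with a 16 MB unreadable window standing in for the 3-4 GB hole, and a planted x64 instruction sequence) are all assumptions constructed for the example; it talks to no device.

```python
"""Wildcard signature scan over a DMA-readable physical address space.

Added example for this thread: not pcileech's code. The '??' signature
syntax, the page-reader abstraction and the constructed memory layout
are assumptions made for illustration.
"""
import re
from typing import Callable, List, Optional, Tuple

PAGE = 0x1000
ZERO_PAGE = bytes(PAGE)

# A reader returns PAGE bytes for a readable physical page and None when the
# DMA read fails (nothing mapped there, as in the 3-4 GB window in the thread).
PageReader = Callable[[int], Optional[bytes]]


def compile_signature(sig: str) -> Tuple[re.Pattern, int]:
    """'48 8B 05 ?? ?? ?? ?? C3' -> (bytes regex, byte length); '??' = any byte."""
    tokens = sig.split()
    pattern = b"".join(
        b"." if t == "??" else re.escape(bytes([int(t, 16)])) for t in tokens
    )
    return re.compile(pattern, re.DOTALL), len(tokens)


def scan_physical(read_page: PageReader, sig: str,
                  min_addr: int, max_addr: int) -> Tuple[List[int], int]:
    """Return (match addresses, failed page reads) for [min_addr, max_addr).

    Each page is searched together with the last len(sig)-1 bytes of the
    previous readable page, so a signature straddling a page boundary is
    still found. An unreadable page is counted (each failed read costs a
    device timeout, which is the slowness that -min sidesteps) and resets
    the carry, since nothing can straddle it.
    """
    regex, sig_len = compile_signature(sig)
    hits: List[int] = []
    failed = 0
    carry = b""
    for pa in range(min_addr & ~(PAGE - 1), max_addr, PAGE):
        page = read_page(pa)
        if page is None:
            failed += 1
            carry = b""
            continue
        window = carry + page
        base = pa - len(carry)          # physical address of window[0]
        for m in regex.finditer(window):
            addr = base + m.start()
            if min_addr <= addr < max_addr:
                hits.append(addr)
        carry = page[PAGE - (sig_len - 1):] if sig_len > 1 else b""
    return hits, failed


def probe_max_address(read_page: PageReader, limit: int) -> int:
    """End of the highest readable page below limit: the 'max physical
    address' to hand to dump/mount as -max (assumed definition)."""
    for pa in range(limit - PAGE, -PAGE, -PAGE):
        if read_page(pa) is not None:
            return pa + PAGE
    return 0


# Constructed layout, scaled down so the scan runs in well under a second:
# 128 MB of RAM, a 16 MB unreadable window at 48-64 MB standing in for the
# 3-4 GB hole, and one 8-byte sequence planted twice, once below the hole and
# once straddling the page boundary at 0x5001000 above it.
RAM_END = 0x8000000
HOLE = (0x3000000, 0x4000000)
PLANT = bytes.fromhex("488b0511223344c3")     # mov rax,[rip+disp]; ret
PLANT_ADDRS = (0x200800, 0x5000FFC)
SIGNATURE = "48 8B 05 ?? ?? ?? ?? C3"          # displacement wildcarded


def constructed_reader() -> PageReader:
    def read_page(pa: int) -> Optional[bytes]:
        if pa >= RAM_END or HOLE[0] <= pa < HOLE[1]:
            return None
        page = None
        for plant in PLANT_ADDRS:
            lo, hi = max(plant, pa), min(plant + len(PLANT), pa + PAGE)
            if lo < hi:                        # plant overlaps this page
                page = page or bytearray(ZERO_PAGE)
                page[lo - pa:hi - pa] = PLANT[lo - plant:hi - plant]
        return bytes(page) if page else ZERO_PAGE
    return read_page


if __name__ == "__main__":
    rd = constructed_reader()
    top = probe_max_address(rd, RAM_END + 0x1000000)
    full, failed = scan_physical(rd, SIGNATURE, 0, top)
    fast, _ = scan_physical(rd, SIGNATURE, HOLE[1], top)
    print(f"max physical address: 0x{top:x}")
    print(f"scan from 0: {[hex(a) for a in full]}, {failed} failed page reads")
    print(f"scan from 0x{HOLE[1]:x}: {[hex(a) for a in fast]}")
    print(f"pcileech.exe dump -v -force -out memdump.raw -max 0x{top:x}")
```

Run as a script it shows the two scans side by side: starting at 0 finds both planted copies but pays for 4096 failed page reads in the hole, while starting just above the hole (the -min idea) finds only the copy above it and fails no reads. The copy at 0x5000FFC is found even though it crosses into the next page, because the last seven bytes of each readable page are carried into the next window.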

philipcs commented on August 25, 2024

Thanks, I will test this more when I get home. The PCIeScreamer card was not really that stable yesterday (would not show up in Device Manager etc.), so I couldn't test it when you released it. I'll try moving the card to a different PCIe slot and see if it's more willing to cooperate.

I'll close this issue, since it's likely that you have fixed the problem.
