From 4f8efe128a5ed81d243595457152c314939659c9 Mon Sep 17 00:00:00 2001 From: blindtiger Date: Mon, 30 Aug 2021 20:29:02 +0800 Subject: [PATCH] Monday 08/30/2021 20:29:02:197 --- Projects/Shark/AMD64/PatchGuardAMD64.c | 29 +++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/Projects/Shark/AMD64/PatchGuardAMD64.c b/Projects/Shark/AMD64/PatchGuardAMD64.c index a500693..c130675 100644 --- a/Projects/Shark/AMD64/PatchGuardAMD64.c +++ b/Projects/Shark/AMD64/PatchGuardAMD64.c @@ -489,8 +489,35 @@ InitializePgBlock( u64 Ror64[] = { 0xC3C8D348CA869148 }; u64 Rol64[] = { 0xC3C0D348CA869148 }; u64 RorWithBtc64[] = { 0x48C8D348CA869148, 0xCCCCCCCCC3C0BB0F }; + + // 4892 xchg rax, rdx + // 4801c8 add rax, rcx + // c3 ret + + // 4892 xchg rax, rdx + // 480fafc1 imul rax, rcx + // c3 ret + u64 PostCache[] = { 0xCCCCC3C801489248, 0xCCC3C1AF0F489248 }; + // 48c7c0c8000000 mov rax, 0C8h + // 482bc1 sub rax, rcx + // 4833c1 xor rax, rcx + // 4887ca xchg rcx, rdx + // 48f7d1 not rcx + // 80e13f and cl, 3Fh + // 48d3c8 ror rax, cl + // c3 ret + + // 48c7c0c8000000 mov rax, 0C8h + // 482bc1 sub rax, rcx + // 480fafc1 imul rax, rcx + // 4887ca xchg rcx, rdx + // 48f7d1 not rcx + // 80e13f and cl, 3Fh + // 48d3c8 ror rax, cl + // c3 ret + u64 PostKey[] = { 0x48000000C8C0C748, 0xCA8748C13348C12B, 0xD3483FE180D1F748, 0xCCCCCCCCCCCCC3C8, 0x48000000C8C0C748, 0x8748C1AF0F48C12B, 0x483FE180D1F748CA, 0xCCCCCCCCCCC3C8D3 @@ -1175,7 +1202,7 @@ InitializePgBlock( } } - if (GetGpBlock(PgBlock)->BuildNumber < 20000) { + if (GetGpBlock(PgBlock)->BuildNumber < 21000) { RtlInitUnicodeString(&RoutineString, L"MmAllocateMappingAddressEx"); RoutineAddress = MmGetSystemRoutineAddress(&RoutineString);
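Review bot: The listings added above `PostCache` and `PostKey` do not say which array element each one describes, and they print bytes in instruction order while the constants are packed little-endian with `0xCC` padding, so checking them means byte-swapping by hand. I would label each listing, e.g. `// PostCache[0]: bytes stored little-endian in the u64, 0xCC is padding`, and `// PostKey[0..3]` / `// PostKey[4..7]` for the two longer ones. Decoded that way the listings do match the constants, but the immediate `0C8h` is left unexplained, and `Ror64`, `Rol64` and `RorWithBtc64` directly above still have no listing, so the block is documented unevenly. The `PostKey` initializer and the body of `InitializePgBlock` continue outside the hunk.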
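Review bot: The bare literal in `if (GetGpBlock(PgBlock)->BuildNumber < 21000)` replaces another bare literal with no record of which builds the new bound was checked against, so the next bump will again be a guess. A named constant, or a one-line comment such as `// MmAllocateMappingAddressEx path checked up to build <BUILD>`, would record that. The hunk also ends right after `MmGetSystemRoutineAddress`, which returns NULL when the name is not exported. If the code below does not already test `RoutineAddress` before use, widening the range makes that check necessary, because a build-number gate does not guarantee the export exists. The enclosing `if` block continues outside the hunk.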