New offsets for msv1_0.dll for Windows 7 Entreprise

[Fist0urs]

Hi there,

first of all, thank you for your awesome tool 👍

Lately I had to proceed to a DMA attack on a workstation using Windows 7 Entreprise and the offset was not existing in the unlock.py. So here is a new one that was working.

In order to be able to retrieve automatically some offsets, I coded a little script (available at https://github.com/Synacktiv/stuffz/blob/master/search_offsets_DMA.py if you want to take a look) to do so.
I asked a good friend of mine if he could extract for me all the msv1_0.dll and NtlmShared.dll from VirusTotal with legitimate Microsoft signatures in order to do a list of possible found offsets and add the missing ones to your tool.

Here was the result:

$ ./search_offsets_DMA.py -h
usage: search_offsets_DMA.py [-h]
                             [--os {WindowsXP,WindowsVista,Windows7,Windows8,Windows8.1}]
                             [--archi {x86,x64}] (-f FILE | -d DIRECTORY)

Script to extract all offsets needed by 'inception' tool in order to proceed
to a DMA attack through FireWire connection, by jean-christophe.delaunay <at>
synacktiv.com

optional arguments:
  -h, --help            show this help message and exit
  --os {WindowsXP,WindowsVista,Windows7,Windows8,Windows8.1}
                        Specify Windows version which DLL is from
  --archi {x86,x64}     Specify architecture of Windows version
  -f FILE, --file FILE  Dll to search offsets in (msv1_0.dll or
                        NtlmShared.dll). Cannot be used with '-d'
  -d DIRECTORY, --directory DIRECTORY
                        Directory containing Dlls to search offsets in
                        (msv1_0.dll or NtlmShared.dll). Cannot be used with
                        '-f'

$ ./search_offsets_DMA.py -d ./msv1_0s/
dll name: ./msv1_0s/599380a5229e3ab1097f6c4f84f61d82df7002664d616e312a657da4c2ce89e7
  file version:    6.3.9600.18468
  product version: 6.3.9600.18468

  MD5:    2ce3233b09ec1af8b71a035559b25511
  SHA1:   e4453c5ae599297177d31acded3ccaa7e295dd1d
  SHA256: 599380a5229e3ab1097f6c4f84f61d82df7002664d616e312a657da4c2ce89e7

    OS version:      Windows8.1
    architecture:    x86
    service_pack(s): 
    offset(s):       0x12572

    OS version:      Windows8
    architecture:    x86
    service_pack(s): 
    offset(s):       0x12572

dll name: ./msv1_0s/9e12eafaf5c120931d6be0cabc7b04cc6c5ae8c0cd2c34ea4a729c3573335136
  file version:    6.3.9600.18192
  product version: 6.3.9600.18192

  MD5:    c3ae667f60e043515838ab868c9b0e5b
  SHA1:   fdebbdf0920eb235b9406be8e764941e3e737dbb
  SHA256: 9e12eafaf5c120931d6be0cabc7b04cc6c5ae8c0cd2c34ea4a729c3573335136

    OS version:      Windows8.1
    architecture:    x86
    service_pack(s): 
    offset(s):       0x12533

    OS version:      Windows8
    architecture:    x86
    service_pack(s): 
    offset(s):       0x12533

dll name: ./msv1_0s/3b2c000c098ee3738c6b98c9c62221f5080e509e8542a6f0e24e7a2f8731ed8f
  file version:    6.3.9600.18405
  product version: 6.3.9600.18405

  MD5:    14571a53a8d68ce72aebae110d63d3ef
  SHA1:   8549723d203b3182d83a3374678806ebecaf1056
  SHA256: 3b2c000c098ee3738c6b98c9c62221f5080e509e8542a6f0e24e7a2f8731ed8f

    OS version:      Windows8.1
    architecture:    x86
    service_pack(s): 
    offset(s):       0x12513

    OS version:      Windows8
    architecture:    x86
    service_pack(s): 
    offset(s):       0x12513

dll name: ./msv1_0s/adef9f5d2b0c2a30cb1b395c774e7fe75437135a09d3d4e6f97ee8656ce139b4
  file version:    6.1.7601.17514
  product version: 6.1.7601.17514

  MD5:    ef12b8385aa2849999008a977918f96b
  SHA1:   a88c8332a0b39d272c4da7cdea99755084509d69
  SHA256: adef9f5d2b0c2a30cb1b395c774e7fe75437135a09d3d4e6f97ee8656ce139b4

    OS version:      WindowsVista
    architecture:    x64
    service_pack(s): SP2
    offset(s):       0xf321

    OS version:      Windows7
    architecture:    x64
    service_pack(s): SP0, SP1
    offset(s):       0xf321

dll name: ./msv1_0s/f982abb2353e45e3e09b30ea99efdc2a905ad75b43cdb0a34db33d91aaddab17
  file version:    6.1.7601.17514
  product version: 6.1.7601.17514

  MD5:    4c1e16b9a53102c8d6fba587cbcb95de
  SHA1:   9fc022a5b12d879a1ace860e2c42c31fcdfeb769
  SHA256: f982abb2353e45e3e09b30ea99efdc2a905ad75b43cdb0a34db33d91aaddab17

    OS version:      Windows7
    architecture:    x86
    service_pack(s): SP1
    offset(s):       0xd312

dll name: ./msv1_0s/507c7802fdcc10ce699b84fde070f2363bf1a288394977c15d9faca8188d566a
  file version:    6.3.9600.18264
  product version: 6.3.9600.18264

  MD5:    4b86791ba7d8c6bd1cefa0ddb65396f5
  SHA1:   ccadd401fb8e862d9dc043fe928a6a02a9232c8e
  SHA256: 507c7802fdcc10ce699b84fde070f2363bf1a288394977c15d9faca8188d566a

    OS version:      Windows8.1
    architecture:    x86
    service_pack(s): 
    offset(s):       0x12513

    OS version:      Windows8
    architecture:    x86
    service_pack(s): 
    offset(s):       0x12513

dll name: ./msv1_0s/dcbeee43972509842ff52afbb7d04bec7960c18a655406322fb25e0007f682b0
  file version:    6.1.7600.16385
  product version: 6.1.7600.16385

  MD5:    f40388a19f3be3cec25656ce07392877
  SHA1:   442f07f6961b3c484aa0c83d3b213db9ec08313c
  SHA256: dcbeee43972509842ff52afbb7d04bec7960c18a655406322fb25e0007f682b0

    OS version:      WindowsVista
    architecture:    x86
    service_pack(s): SP0, SP1, SP2
    offset(s):       0xd926

    OS version:      Windows7
    architecture:    x86
    service_pack(s): SP0
    offset(s):       0xd926

dll name: ./msv1_0s/85f164213f28ae01d944f8522692095bb6cad4f1042944350faa4ea940dbefc4
  file version:    6.1.7601.23714
  product version: 6.1.7601.23714

  MD5:    02af6e3d34312f16343c122ba4e277c7
  SHA1:   54fad1646659c7e8d0526a8dab01b44f48a38d28
  SHA256: 85f164213f28ae01d944f8522692095bb6cad4f1042944350faa4ea940dbefc4

    OS version:      Windows7
    architecture:    x86
    service_pack(s): SP1
    offset(s):       0xb642

dll name: ./msv1_0s/aed7b850b5fd8756c7f1b5aa84676bc0d39acb7f274fef7582748c6bf3619732
  file version:    6.3.9600.18512
  product version: 6.3.9600.18512

  MD5:    3f5b34126f767b7faa6cb5bee2c615a8
  SHA1:   a715bb4b24f1bcf4100cb7c847219edaf935456a
  SHA256: aed7b850b5fd8756c7f1b5aa84676bc0d39acb7f274fef7582748c6bf3619732

    OS version:      Windows8.1
    architecture:    x86
    service_pack(s): 
    offset(s):       0x122d2

    OS version:      Windows8
    architecture:    x86
    service_pack(s): 
    offset(s):       0x122d2

dll name: ./msv1_0s/06a28d229540f728c60dea5e9baba90cace94aa8190a6a12d71783b7fe226243.dll
  file version:    6.3.9600.16384
  product version: 6.3.9600.16384

  MD5:    f931d28f625beb9fc7e8c6909b8dbc45
  SHA1:   1666ae0c313275bb6a1a8db8c79f00583cfd32dc
  SHA256: 06a28d229540f728c60dea5e9baba90cace94aa8190a6a12d71783b7fe226243

    OS version:      Windows8.1
    architecture:    x86
    service_pack(s): 
    offset(s):       0x11ca0

    OS version:      Windows8
    architecture:    x86
    service_pack(s): 
    offset(s):       0x11ca0

dll name: ./msv1_0s/7128ac37b5dcc307c00806caeca3d7c92fde6a8fd89fad46736dd574184b55cc
  file version:    6.3.9600.18512
  product version: 6.3.9600.18512

  MD5:    a1009197814718e106df268e0e15fb78
  SHA1:   3d421d03fc446fa76bc969fa3a8f74b25efaa519
  SHA256: 7128ac37b5dcc307c00806caeca3d7c92fde6a8fd89fad46736dd574184b55cc

    OS version:      Windows8.1
    architecture:    x64
    service_pack(s): 
    offset(s):       0x16704

    OS version:      Windows8
    architecture:    x64
    service_pack(s): 
    offset(s):       0x16704

dll name: ./msv1_0s/f72ab21b18715aa7b1f235fc9e02c9b02c20f36ce28faee831f57b39784bfbea
  file version:    6.3.9600.17415
  product version: 6.3.9600.17415

  MD5:    c997df628b7258b4ae62b8eccfbd09e9
  SHA1:   ba619f0aed7820e7548d6653fd67892fd975d9b9
  SHA256: f72ab21b18715aa7b1f235fc9e02c9b02c20f36ce28faee831f57b39784bfbea

    OS version:      Windows8.1
    architecture:    x86
    service_pack(s): 
    offset(s):       0x14cb3

    OS version:      Windows8
    architecture:    x86
    service_pack(s): 
    offset(s):       0x14cb3

dll name: ./msv1_0s/93cc37b8df1cf0db3c6e1d3230f5bd343cc9e3e7bc374d931b5edc6e1e0708b9
  file version:    6.1.7601.23796
  product version: 6.1.7601.23796

  MD5:    57b6d231b55cbbf1f9d507fbb951c0db
  SHA1:   c9288c01ae7f202c4f02516c2d6dc171c650f84a
  SHA256: 93cc37b8df1cf0db3c6e1d3230f5bd343cc9e3e7bc374d931b5edc6e1e0708b9

    OS version:      WindowsVista
    architecture:    x64
    service_pack(s): SP2
    offset(s):       0x4e05

    OS version:      Windows7
    architecture:    x64
    service_pack(s): SP0, SP1
    offset(s):       0x4e05

I couldn't tests the new offsets as I only have the DLL, so feel free to decide what to do with them ;)

Cheers!

[carmaa]

This looks awesome, thanks. Mind if I include your script in inception (with proper attribution, of course)?

Haven’t tested the offsets yet, but will do and merge if everything’s ok.

[Fist0urs]

You can include it, ofc 👍

I also plan to add 2 related features when I have time:

• command line option to inception to be able to specify offset + OS + archi + SP, so that it will apply patch without needing to bruteforce
• Dump the 4GB, reconstruct .text section of msv1_0.dll/NtlmShared.dll from memory pages and apply the script (so that we could extract the offset and launch inception again specifying this offset. This would give a 100% reliability of the tool)

What do you think about these ideas?

Cheers!

EDIT: just let me add the most important in the script before adding it: the BeerWare license 😉
EDIT2: done 👍

[cbaker730]

Yes! Please accept this. We just added offset 0xe05 for Win7 Pro SP1 msv1_0.dll v6.1.7601.24094 and it worked beautifully. Wish we'd seen this first. Also nice work by Fist0urs on search_offsets_DMA.py.