Unable to find gafAsyncKeyState signature (Windows 11 22H2) #5

Open
jameslulz01 opened this issue Feb 26, 2023 · 3 comments

Hello,

Microsoft recently forced the 22H2 update (22621.1265) and since then the following information comes up when using 0.2.0-beta9:

22:38:27 [INFO] oslayer: export not found (unable to find gafAsyncKeyState)
22:38:27 [INFO] oslayer: not found (unable to find gafAsyncKeyState signature)
22:38:27 [INFO] oslayer: export not found (unable to find any proxy process that contains gafAsyncKeyState)

I'm using this repository in combination with memflow (0.2.0-beta9) and memflow-qemu (0.2.0-beta7), full log:

scanning "/home/james/.local/lib/memflow" for libraries
scanning "/home/james/Projects/kvm_manip/build" for libraries
adding plugin 'Connector/qemu': "/home/james/Projects/kvm_manip/build/libmemflow_qemu.so"
adding plugin 'OS/win32': "/home/james/Projects/kvm_manip/build/libmemflow_win32.so"
attempting to load `Connector` type plugin `qemu` from `/home/james/Projects/kvm_manip/build/libmemflow_qemu.so`
qemu process with name qemu-system-x86_64 found with pid 41460
qemu memory map found CTup2(7fe433e00000, 17179869184)
qemu process started with machine: pc-q35-7.0
qemu memory map size: 400000000
using fallback memory mappings for q35 with more than 2816mb of ram
qemu machine mem_map: MemoryMapping: base=0 size=80000000 real_base=7fe433e00000
MemoryMapping: base=100000000 size=380000000 real_base=7fe4b3e00000
attempting to load `OS` type plugin `win32` from `/home/james/Projects/kvm_manip/build/libmemflow_win32.so`
Building kernel of type memflow_win32::win32::kernel_builder::Win32KernelBuilder<memflow::plugins::connector::cglue_connectorinstance::cglue_internal::ConnectorInstance<cglue::boxed::CBox<cglue::trait_group::c_void>, cglue::arc::CArc<cglue::trait_group::c_void>>, memflow::plugins::connector::cglue_connectorinstance::cglue_internal::ConnectorInstance<cglue::boxed::CBox<cglue::trait_group::c_void>, cglue::arc::CArc<cglue::trait_group::c_void>>, memflow::mem::virt_translate::cache::CachedVirtualTranslate<memflow::mem::virt_translate::direct_translate::DirectTranslate, memflow::types::cache::timed_validator::TimedCacheValidator>>
arch=X86(64, false) kernel_hint=fffff80446c248e0 dtb=1ae000
base=fffff80446800000 size=17068032
kernel_guid=Some(Win32Guid { file_name: "ntkrnlmp.pdb", guid: "152D2E35E673E842C282B1EDB82FD0601" })
trying to find NtBuildNumber export
NtBuildNumber found at 0xc0cae0
trying to find RtlGetVersion export
RtlGetVersion found at 0x76e5d0
nt_build_number: 4026554461
kernel version: 10.0.22621
kernel_winver=Win32Version { nt_major_version: 10, nt_minor_version: 0, nt_build_number: 4026554461 }
PsInitialSystemProcess found at 0xfffff8044751da20
eprocess_base=ffff9d816cee8040
start_block.dtb=1ae000
reading pdb from local cache: /home/james/.cache/memflow/ntkrnlmp.pdb/152D2E35E673E842C282B1EDB82FD0601
updating connector mem_map=MemoryMapping: base=1000 size=2f000 real_base=1000
MemoryMapping: base=50000 size=4f000 real_base=50000
MemoryMapping: base=100000 size=7e5ec000 real_base=100000
MemoryMapping: base=7e9fe000 size=602000 real_base=7e9fe000
MemoryMapping: base=100000000 size=380000000 real_base=100000000
updating sysproc_dtb=1ae000
oslayer: export not found (unable to find gafAsyncKeyState)
oslayer: not found (unable to find gafAsyncKeyState signature)
oslayer: export not found (unable to find gafAsyncKeyState)
oslayer: not found (unable to find gafAsyncKeyState signature)
oslayer: export not found (unable to find gafAsyncKeyState)
oslayer: not found (unable to find gafAsyncKeyState signature)
oslayer: export not found (unable to find gafAsyncKeyState)
oslayer: not found (unable to find gafAsyncKeyState signature)
oslayer: export not found (unable to find gafAsyncKeyState)
oslayer: not found (unable to find gafAsyncKeyState signature)
oslayer: export not found (unable to find any proxy process that contains gafAsyncKeyState)

ko1N commented Mar 1, 2023

Ye, gafAsyncKeyState does not work on newer Windows versions anymore. The implementation differs quite a bit. I rigged up some test code but didn't finish it yet. We are also always happy to accept contributions :)


mkfyi commented May 24, 2024

@ko1N for Windows 11 (tested on 22621.3593 and 22631.2861):

  • Get the base address of win32ksgd.sys found in csrss.exe
  • System session state is located at base + 0x3110
  • Dereference base + offset three times to get the current user session state
  • gafAsyncKeyState is user session state + 0x3690

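The lookup chain from the comment above as an added example, not code from memflow-win32: it walks base + 0x3110 through three pointer reads, adds 0x3690, and refuses the result if any hop is unreadable or lands outside kernel space, which is what a build with different offsets looks like in practice. The `MemRead` trait, the `FakeMem` stand-in for the guest memory view, the constructed addresses, and the reading of "dereference three times" as three consecutive pointer reads are assumptions.

```rust
use std::collections::HashMap;
// Offsets from the comment above (Windows 11, builds 22621.3593 / 22631.2861).
const SESSION_STATE_OFFSET: u64 = 0x3110;
const GAF_ASYNC_KEY_STATE_OFFSET: u64 = 0x3690;
// Lowest canonical x64 kernel-mode address; a hop below it means the chain is broken.
const KERNEL_SPACE_START: u64 = 0xFFFF_8000_0000_0000;

/// Hypothetical minimal read interface (memflow's MemoryView plays this role for a real guest).
pub trait MemRead {
    fn read_u64(&self, addr: u64) -> Option<u64>;
}

/// Constructed stand-in for guest memory: a sparse map of address -> qword.
pub struct FakeMem(pub HashMap<u64, u64>);
impl MemRead for FakeMem {
    fn read_u64(&self, addr: u64) -> Option<u64> {
        self.0.get(&addr).copied()
    }
}

/// Resolve gafAsyncKeyState from the win32ksgd.sys base found in csrss.exe: read the
/// pointer at base+0x3110, follow it twice more (three reads in total), then add 0x3690.
/// None if a read fails or a hop yields a null/user-mode value (offsets do not fit this build).
pub fn find_gaf_async_key_state(mem: &impl MemRead, win32ksgd_base: u64) -> Option<u64> {
    let mut p = win32ksgd_base.checked_add(SESSION_STATE_OFFSET)?;
    for _ in 0..3 {
        p = mem.read_u64(p)?;
        if p < KERNEL_SPACE_START {
            return None;
        }
    }
    p.checked_add(GAF_ASYNC_KEY_STATE_OFFSET)
}

/// Constructed three-hop chain used by main() and the tests.
pub fn sample_memory(base: u64) -> FakeMem {
    let mut m = HashMap::new();
    m.insert(base + SESSION_STATE_OFFSET, 0xFFFF_C001_0000_0000); // -> session state pointer
    m.insert(0xFFFF_C001_0000_0000, 0xFFFF_C001_0001_0000); // -> second hop
    m.insert(0xFFFF_C001_0001_0000, 0xFFFF_C001_0002_0000); // -> current user session state
    FakeMem(m)
}

fn main() {
    let base: u64 = 0xFFFF_F800_1234_0000;
    match find_gaf_async_key_state(&sample_memory(base), base) {
        Some(addr) => println!("gafAsyncKeyState @ {:#x}", addr),
        None => println!("pointer chain broken: offsets do not match this build"),
    }
}
```
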

ko1N commented Jun 9, 2024

Thanks for all the effort! 💯
