v 1.4.1

Block loading of unsupported db files #92

Source/Hamakaze/KDU.vcxproj.user

@@ -1,11 +1,11 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
-    <LocalDebuggerCommandArguments>-test</LocalDebuggerCommandArguments>
+    <LocalDebuggerCommandArguments>-prv 14 -map c:\install\dummy.sys</LocalDebuggerCommandArguments>
     <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
-    <LocalDebuggerCommandArguments>-prv 48 -map c:\install\dummy.sys</LocalDebuggerCommandArguments>
+    <LocalDebuggerCommandArguments>-prv 14 -map c:\install\dummy.sys</LocalDebuggerCommandArguments>
     <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
   </PropertyGroup>
 </Project>

Source/Hamakaze/kduprov.cpp

@@ -1,12 +1,12 @@
 /*******************************************************************************
 *
-*  (C) COPYRIGHT AUTHORS, 2020 - 2023
+*  (C) COPYRIGHT AUTHORS, 2020 - 2024
 *
 *  TITLE:       KDUPROV.CPP
 *
-*  VERSION:     1.40
+*  VERSION:     1.41
 *
-*  DATE:        21 Oct 2023
+*  DATE:        30 Mar 2024
 *
 *  Vulnerable drivers provider abstraction layer.
 *
@@ -778,6 +778,8 @@ HINSTANCE KDUProviderLoadDB(
 )
 {
     HINSTANCE hInstance;
+    KDU_DB_VERSION *pVersionInfo;
+    BOOL bFailed = TRUE;
 
     FUNCTION_ENTER_MSG(__FUNCTION__);
 
@@ -786,12 +788,50 @@ HINSTANCE KDUProviderLoadDB(
     if (hInstance) {
         printf_s("[+] Drivers database \"%ws\" loaded at 0x%p\r\n", DRV64DLL, hInstance);
 
-        gProvTable = (PKDU_DB)GetProcAddress(hInstance, "gProvTable");
-        if (gProvTable == NULL) {
-            supPrintfEvent(kduEventError, "[!] Providers table not found\r\n");
+        do {
+
+            pVersionInfo = (PKDU_DB_VERSION)GetProcAddress(hInstance, "gVersion");
+            if (pVersionInfo == NULL) {
+                supPrintfEvent(kduEventError, "[!] Providers version data not found\r\n");
+                break;
+            }
+
+            if (pVersionInfo->MajorVersion != KDU_VERSION_MAJOR ||
+                pVersionInfo->MinorVersion != KDU_VERSION_MINOR ||
+                pVersionInfo->Revision != KDU_VERSION_REVISION ||
+                pVersionInfo->Build != KDU_VERSION_BUILD)
+            {
+                supPrintfEvent(kduEventError, "[!] Providers database has wrong version, expected %lu.%lu.%lu.%lu, got %lu.%lu.%lu.%lu\r\n",
+                    KDU_VERSION_MAJOR,
+                    KDU_VERSION_MINOR,
+                    KDU_VERSION_REVISION,
+                    KDU_VERSION_BUILD,
+                    pVersionInfo->MajorVersion,
+                    pVersionInfo->MinorVersion,
+                    pVersionInfo->Revision,
+                    pVersionInfo->Build);
+
+                break;
+            }
+            else {
+                printf_s("[+] Drivers database version is OK\r\n");
+            }
+
+            gProvTable = (PKDU_DB)GetProcAddress(hInstance, "gProvTable");
+            if (gProvTable == NULL) {
+                supPrintfEvent(kduEventError, "[!] Providers table not found\r\n");
+                break;
+            }
+
+            bFailed = FALSE;
+
+        } while (FALSE);
+
+        if (bFailed) {
             FreeLibrary(hInstance);
             hInstance = NULL;
         }
+
     }
     else {
         supShowWin32Error("[!] Cannot load drivers database", GetLastError());

Source/Hamakaze/resource.rc

@@ -51,8 +51,8 @@ END
 //
 
 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 1,4,1,2312
- PRODUCTVERSION 1,4,1,2312
+ FILEVERSION 1,4,1,2403
+ PRODUCTVERSION 1,4,1,2403
  FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
  FILEFLAGS 0x1L
@@ -69,12 +69,12 @@ BEGIN
         BEGIN
             VALUE "CompanyName", "UG North"
             VALUE "FileDescription", "Kernel Driver Utility"
-            VALUE "FileVersion", "1.4.1.2312"
+            VALUE "FileVersion", "1.4.1.2403"
             VALUE "InternalName", "Hamakaze.exe"
             VALUE "LegalCopyright", "Copyright (C) 2020 - 2024 KDU Project"
             VALUE "OriginalFilename", "Hamakaze.exe"
             VALUE "ProductName", "KDU"
-            VALUE "ProductVersion", "1.4.1.2312"
+            VALUE "ProductVersion", "1.4.1.2403"
         END
     END
     BLOCK "VarFileInfo"

Source/Shared/consts.h

@@ -1,12 +1,12 @@
 /*******************************************************************************
 *
-*  (C) COPYRIGHT AUTHORS, 2020 - 2023
+*  (C) COPYRIGHT AUTHORS, 2020 - 2024
 *
 *  TITLE:       CONSTS.H
 *
 *  VERSION:     1.41
 *
-*  DATE:        11 Dec 2023
+*  DATE:        30 Mar 2024
 *
 *  Global consts.
 *
@@ -22,15 +22,15 @@
 #define KDU_VERSION_MAJOR       1
 #define KDU_VERSION_MINOR       4
 #define KDU_VERSION_REVISION    1
-#define KDU_VERSION_BUILD       2312
-#define KDU_COPYRIGHT_YEAR      2023
+#define KDU_VERSION_BUILD       2403
+#define KDU_COPYRIGHT_YEAR      2024
 
 #define KDU_MIN_NTBUILDNUMBER   0x1DB1      //Windows 7 SP1
 #define KDU_MAX_NTBUILDNUMBER   0xFFFFFFFF  //Undefined
 
 #define IPC_GET_HANDLE          0x1337
 
-#define KDU_SYNC_MUTANT         0x2312
+#define KDU_SYNC_MUTANT         0x2403
 
 #define NT_REG_PREP             L"\\Registry\\Machine"
 #define DRIVER_REGKEY           L"%wS\\System\\CurrentControlSet\\Services\\%wS"

Source/Shared/kdubase.h

@@ -1,12 +1,12 @@
 /*******************************************************************************
 *
-*  (C) COPYRIGHT AUTHORS, 2022 - 2023
+*  (C) COPYRIGHT AUTHORS, 2022 - 2024
 *
 *  TITLE:       KDUBASE.H
 *
-*  VERSION:     1.31
+*  VERSION:     1.41
 *
-*  DATE:        08 Apr 2023
+*  DATE:        30 Mar 2024
 *
 *  Base KDU definitions.
 *
@@ -68,3 +68,10 @@ typedef struct _KDU_DB {
     ULONG NumberOfEntries;
     KDU_DB_ENTRY* Entries;
 } KDU_DB, * PKDU_DB;
+
+typedef struct _KDU_DB_VERSION {
+    WORD MajorVersion;
+    WORD MinorVersion;
+    WORD Revision;
+    WORD Build;
+} KDU_DB_VERSION, * PKDU_DB_VERSION;

Source/Shared/ntos/ntos.h

@@ -1,13 +1,13 @@
 /************************************************************************************
 *
-*  (C) COPYRIGHT AUTHORS, 2015 - 2023 
+*  (C) COPYRIGHT AUTHORS, 2015 - 2024 
 *  Translated from Microsoft sources/debugger or mentioned elsewhere.
 *
 *  TITLE:       NTOS.H
 *
-*  VERSION:     1.219
+*  VERSION:     1.223
 *
-*  DATE:        21 Jul 2023
+*  DATE:        12 Mar 2024
 *
 *  Common header file for the ntos API functions and definitions.
 *
@@ -101,6 +101,7 @@ typedef ULONGLONG REGHANDLE, *PREGHANDLE;
 typedef PVOID *PDEVICE_MAP;
 typedef PVOID PHEAD;
 typedef PVOID PEJOB;
+typedef PVOID PKTHREAD;
 typedef struct _IO_TIMER* PIO_TIMER;
 typedef LARGE_INTEGER PHYSICAL_ADDRESS;
 typedef struct _EJOB* PESILO;
@@ -5516,6 +5517,61 @@ typedef struct _EMP_CALLBACK_LIST_ENTRY {
     SINGLE_LIST_ENTRY CallbackListEntry;
 } EMP_CALLBACK_LIST_ENTRY, * PEMP_CALLBACK_LIST_ENTRY;
 
+typedef enum _IO_NOTIFICATION_EVENT_CATEGORY {
+    EventCategoryReserved,
+    EventCategoryHardwareProfileChange,
+    EventCategoryDeviceInterfaceChange,
+    EventCategoryTargetDeviceChange
+} IO_NOTIFICATION_EVENT_CATEGORY;
+
+typedef
+NTSTATUS
+(*PDRIVER_NOTIFICATION_CALLBACK_ROUTINE) (
+    IN PVOID NotificationStructure,
+    IN PVOID Context
+    );
+
+typedef struct _KGUARDED_MUTEX {
+    LONG Count;
+    PKTHREAD Owner;
+    ULONG Contention;
+    KEVENT Event;
+    union {
+        struct {
+            SHORT KernelApcDisable;
+            SHORT SpecialApcDisable;
+        };
+
+        ULONG CombinedApcDisable;
+    };
+
+} KGUARDED_MUTEX, * PKGUARDED_MUTEX;
+
+typedef struct _DEVICE_CLASS_NOTIFY_ENTRY {
+
+    // 
+    // Header entries 
+    // 
+
+    LIST_ENTRY ListEntry;
+    IO_NOTIFICATION_EVENT_CATEGORY EventCategory;
+    ULONG SessionId;
+    HANDLE SessionHandle;
+    PDRIVER_NOTIFICATION_CALLBACK_ROUTINE CallbackRoutine;
+    PVOID Context;
+    PDRIVER_OBJECT DriverObject;
+    USHORT RefCount;
+    BOOLEAN Unregistered;
+    PKGUARDED_MUTEX Lock;
+    PERESOURCE EntryLock;
+    // 
+    // ClassGuid - the guid of the device class we are interested in 
+    // 
+
+    GUID ClassGuid;
+
+} DEVICE_CLASS_NOTIFY_ENTRY, * PDEVICE_CLASS_NOTIFY_ENTRY;
+
 /*
 ** Callbacks END
 */
@@ -6920,10 +6976,15 @@ typedef struct _PROCESS_MITIGATION_POLICY_INFORMATION {
 /*
 ** KUSER_SHARED_DATA START
 */
-#define NX_SUPPORT_POLICY_ALWAYSOFF 0
-#define NX_SUPPORT_POLICY_ALWAYSON  1
-#define NX_SUPPORT_POLICY_OPTIN     2
-#define NX_SUPPORT_POLICY_OPTOUT    3
+#define NX_SUPPORT_POLICY_ALWAYSOFF     0
+#define NX_SUPPORT_POLICY_ALWAYSON      1
+#define NX_SUPPORT_POLICY_OPTIN         2
+#define NX_SUPPORT_POLICY_OPTOUT        3
+
+#define SEH_VALIDATION_POLICY_ON        0
+#define SEH_VALIDATION_POLICY_OFF       1
+#define SEH_VALIDATION_POLICY_TELEMETRY 2
+#define SEH_VALIDATION_POLICY_DEFER     3
 
 #include <pshpack4.h>
 typedef struct _KSYSTEM_TIME {
@@ -7004,7 +7065,7 @@ typedef struct _KUSER_SHARED_DATA {
     ULONG Reserved3;
     volatile ULONG TimeSlip;
     ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture;
-    ULONG AltArchitecturePad;
+    ULONG BootId; //previously AltArchitecturePad
     LARGE_INTEGER SystemExpirationDate;
     ULONG SuiteMask;
     BOOLEAN KdDebuggerEnabled;
@@ -7114,6 +7175,8 @@ typedef struct _KUSER_SHARED_DATA {
     KSYSTEM_TIME FeatureConfigurationChangeStamp;
     ULONG Spare;
 
+    ULONG64 UserPointerAuthMask;
+
 } KUSER_SHARED_DATA, *PKUSER_SHARED_DATA;
 #include <poppack.h>
 
@@ -9726,7 +9789,18 @@ NTSYSAPI
 NTSTATUS
 NTAPI
 RtlDefaultNpAcl(
-    _Out_ PACL *Acl);
+    _Out_ PACL* Acl);
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+RtlAddProcessTrustLabelAce(
+    _Inout_ PACL Acl,
+    _In_ ULONG AceRevision,
+    _In_ ULONG AceFlags,
+    _In_ PSID ProcessTrustLabelSid,
+    _In_ UCHAR AceType,
+    _In_ ACCESS_MASK AccessMask);
 
 NTSYSAPI
 BOOLEAN
@@ -12147,6 +12221,21 @@ NtNotifyChangeDirectoryFile(
     _In_ ULONG CompletionFilter,
     _In_ BOOLEAN WatchTree);
 
+NTSYSAPI
+NTSTATUS
+NTAPI
+NtCopyFileChunk(
+    _In_ HANDLE SourceHandle,
+    _In_ HANDLE DestinationHandle,
+    _In_opt_ HANDLE EventHandle,
+    _Out_ PIO_STATUS_BLOCK IoStatusBlock,
+    _In_ ULONG Length,
+    _In_ PLARGE_INTEGER SourceOffset,
+    _In_ PLARGE_INTEGER DestOffset,
+    _In_opt_ PULONG SourceKey,
+    _In_opt_ PULONG DestKey,
+    _In_ ULONG Flags);
+
 NTSYSAPI
 NTSTATUS
 NTAPI
@@ -13463,6 +13552,15 @@ NtQueryPerformanceCounter(
     _Out_ PLARGE_INTEGER PerformanceCounter,
     _Out_opt_ PLARGE_INTEGER PerformanceFrequency);
 
+NTSYSAPI
+NTSTATUS
+NTAPI
+NtConvertBetweenAuxiliaryCounterAndPerformanceCounter(
+    _In_ BOOLEAN ConvertAuxiliaryToPerformanceCounter,
+    _In_ PLARGE_INTEGER PerformanceOrAuxiliaryCounterValue,
+    _Out_ PLARGE_INTEGER ConvertedValue,
+    _Out_opt_ PLARGE_INTEGER ConversionError);
+
 /************************************************************************************
 *
 * Process and Thread API.
@@ -14955,6 +15053,22 @@ NtRaiseHardError(
     _In_ ULONG ValidResponseOptions,
     _Out_ PULONG Response);
 
+/************************************************************************************
+*
+* IoRing API.
+*
+************************************************************************************/
+
+NTSYSAPI
+NTSTATUS
+NTAPI
+NtCreateIoRing(
+    _Out_ PHANDLE IoRingHandle,
+    _In_ ULONG CreateParametersLength,
+    _In_ PVOID CreateParameters,
+    _In_ ULONG OutputParametersLength,
+    _Out_ PVOID OutputParameters);
+
 /************************************************************************************
 *
 * Thread Pooling API and definitions.

Source/Tanikaze/export.def

@@ -1,2 +1,3 @@
 EXPORTS
 gProvTable
+gVersion