Merge pull request hfiref0x#45 from hfiref0x/dev128

Added -pse mode to run a program as ProtectedProcessLight-AntiMalware (PPL-AM) hfiref0x#44 Added asrdrv106 as provider 28 (CVE-2020-15368) Added ALSysIO64 as provider 29 Internal rearrange Readme updated Beta 1
Qy486 · Dec 3, 2022 · 4332d1a · 4332d1a
2 parents 4990763 + d90e709
commit 4332d1a
Show file tree

Hide file tree

Showing 76 changed files with 1,849 additions and 385 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,3 @@
+Source/**/output
+.vs
+Source/Hamakaze/shellstager.lst
diff --git a/KDU.sha256 b/KDU.sha256
diff --git a/README.md b/README.md
@@ -23,12 +23,14 @@ It features:
 ###### KDU -diag
 ###### KDU -prv ProviderID
 ###### KDU -ps ProcessID
+###### KDU -pse Commandline
 ###### KDU -dse value
 ###### KDU -map filename
 * -list - list currently available providers;
 * -diag - run system diagnostic for troubleshooting;
 * -prv  - optional, select vulnerability driver provider;
-* -ps 	- modify process object of given ProcessID;
+* -ps   - modify process object of given ProcessID, downgrading any protections;
+* -pse  - launch program as ProtectedProcessLight-AntiMalware (PPL);
 * -dse  - write user defined value to the system DSE state flags;
 * -map  - map driver to the kernel and execute it entry point, this command have dependencies listed below;
   * -scv version - optional, select shellcode version, default 1;
@@ -44,6 +46,7 @@ Example:
 + kdu -prv 6 -scv 3 -drvn edrv -drvr e3600bl -map c:\install\e3600bl.sys
 + kdu -dse 0
 + kdu -dse 6
++ kdu -pse "C:\Windows\System32\notepad.exe C:\TEMP\words.txt"
 
 Run on Windows 10 20H2*
 
@@ -129,6 +132,8 @@ You use it at your own risk. Some lazy AV may flag this tool as hacktool/malware
 | 25          | Zemana         | amsdk       | WatchDog/MalwareFox/Zemana AM      | Original          | 3.0.0 and below             |                      |
 | 26          | HiRes Ent.     | inpoutx64   | Various                            | WINIO             | 1.2.0 and below             |                      |
 | 27          | PassMark       | DirectIo64  | PassMark OSForensics               | Original          | Any                         |                      |
+| 28          | ASRock         | AsrDrv106   | Phantom Gaming Tuning              | RwEverything      | 1.0.6 and below             |                      |
+| 29          | Arthur Liberman| ALSysIO64   | Core Temp                          | Original          | 2.0.11 and below            |                      |
 
 ###### *At commit time, data maybe inaccurate.
 
@@ -190,6 +195,7 @@ Using this program might crash your computer with BSOD. Compiled binary and sour
 * KDU v1.1 release and bonus (AsIO3.sys unlock), https://swapcontext.blogspot.com/2021/04/kdu-v11-release-and-bonus-asio3sys.html
 * GhostEmperor: From ProxyLogon to kernel mode, https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/
 * KDU v1.2 release and the wonderful world of Microsoft incoherency, https://swapcontext.blogspot.com/2022/02/kdu-v12-release-and-wonderful-world-of.html
+* How to exploit a vulnerable windows driver, https://github.com/stong/CVE-2020-15368
 
 # Wormhole drivers code
 

diff --git a/Source/Hamakaze/KDU.vcxproj b/Source/Hamakaze/KDU.vcxproj
@@ -134,6 +134,8 @@
     <ClCompile Include="drvmap.cpp" />
     <ClCompile Include="dsefix.cpp" />
     <ClCompile Include="hde\hde64.c" />
+    <ClCompile Include="idrv\alcpu.cpp" />
+    <ClCompile Include="idrv\asrdrv.cpp" />
     <ClCompile Include="idrv\atszio.cpp" />
     <ClCompile Include="idrv\dbk.cpp" />
     <ClCompile Include="idrv\dbutil.cpp" />
@@ -181,6 +183,8 @@
     <ClInclude Include="dsefix.h" />
     <ClInclude Include="global.h" />
     <ClInclude Include="hde\hde64.h" />
+    <ClInclude Include="idrv\alcpu.h" />
+    <ClInclude Include="idrv\asrdrv.h" />
     <ClInclude Include="idrv\atszio.h" />
     <ClInclude Include="idrv\dbk.h" />
     <ClInclude Include="idrv\ldrsc.h" />
@@ -202,6 +206,7 @@
     <ClInclude Include="ipcsvc.h" />
     <ClInclude Include="shellcode.h" />
     <ClInclude Include="diag.h" />
+    <ClInclude Include="sig.h" />
     <ClInclude Include="wdksup.h" />
     <ClInclude Include="kduplist.h" />
     <ClInclude Include="kduprov.h" />

diff --git a/Source/Hamakaze/KDU.vcxproj.filters b/Source/Hamakaze/KDU.vcxproj.filters
@@ -174,6 +174,12 @@
     <ClCompile Include="idrv\zemana.cpp">
       <Filter>Source Files\idrv</Filter>
     </ClCompile>
+    <ClCompile Include="idrv\asrdrv.cpp">
+      <Filter>Source Files\idrv</Filter>
+    </ClCompile>
+    <ClCompile Include="idrv\alcpu.cpp">
+      <Filter>Source Files\idrv</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="global.h">
@@ -320,6 +326,15 @@
     <ClInclude Include="..\Shared\kdubase.h">
       <Filter>Header Files</Filter>
     </ClInclude>
+    <ClInclude Include="idrv\asrdrv.h">
+      <Filter>Source Files\idrv</Filter>
+    </ClInclude>
+    <ClInclude Include="sig.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="idrv\alcpu.h">
+      <Filter>Source Files\idrv</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <ResourceCompile Include="resource.rc">

diff --git a/Source/Hamakaze/KDU.vcxproj.user b/Source/Hamakaze/KDU.vcxproj.user
@@ -1,11 +1,11 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
-    <LocalDebuggerCommandArguments>-test</LocalDebuggerCommandArguments>
+    <LocalDebuggerCommandArguments>-prv 29 -dse 6</LocalDebuggerCommandArguments>
     <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
-    <LocalDebuggerCommandArguments>-prv 27 -map c:\install\dummy.sys</LocalDebuggerCommandArguments>
+    <LocalDebuggerCommandArguments>-prv 29 -dse 6</LocalDebuggerCommandArguments>
     <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
   </PropertyGroup>
 </Project>
diff --git a/Source/Hamakaze/diag.cpp b/Source/Hamakaze/diag.cpp
@@ -4,9 +4,9 @@
 *
 *  TITLE:       DIAG.CPP
 *
-*  VERSION:     1.25
+*  VERSION:     1.28
 *
-*  DATE:        17 Aug 2022
+*  DATE:        01 Dec 2022
 *
 *  Hamakaze system diagnostics component.
 *
@@ -437,7 +437,6 @@ VOID TracePsHandle(
     CLIENT_ID clientId;
     OBJECT_ATTRIBUTES obja;
 
-
     if (ClientId->UniqueProcess == NtCurrentTeb()->ClientId.UniqueProcess) {
         printf_s("> Process (self) handle trace\r\n");
     }
@@ -766,6 +765,62 @@ VOID KDUListDrivers(
 
 }
 
+VOID KDUListMemoryLayout()
+{
+    PCM_FULL_RESOURCE_DESCRIPTOR pDesc;
+    PCM_RESOURCE_LIST pList = supQueryPhysicalMemoryLayout();
+    PCM_PARTIAL_RESOURCE_DESCRIPTOR pPartialDesc;
+    if (pList == NULL)
+        return;
+
+    printf_s("ResourceList Count %lx\r\n", pList->Count);
+    for (ULONG i = 0; i < pList->Count; i++) {
+        pDesc = &pList->List[i];
+
+        printf_s("pDesc[%lu].PartialResourceList.Count %lu\r\n",
+            i,
+            pDesc->PartialResourceList.Count);
+
+        for (ULONG j = 0; j < pDesc->PartialResourceList.Count; j++) {
+
+            pPartialDesc = &pDesc->PartialResourceList.PartialDescriptors[j];
+
+            if (pPartialDesc->Type == CmResourceTypeMemory ||
+                pPartialDesc->Type == CmResourceTypeMemoryLarge)
+            {
+                ULONGLONG length = pPartialDesc->u.Memory.Length;
+
+                switch (pPartialDesc->Flags & CM_RESOURCE_MEMORY_LARGE)
+                {
+                case CM_RESOURCE_MEMORY_LARGE_40:
+                    length <<= 8;
+                    break;
+                case CM_RESOURCE_MEMORY_LARGE_48:
+                    length <<= 16;
+                    break;
+                case CM_RESOURCE_MEMORY_LARGE_64:
+                    length <<= 32;
+                    break;
+                }
+
+                printf_s("#%lu Flags 0x%04lX 0x%016llX::0x%016llX (length 0x%016llX, %llu Mb)\r\n",
+                    j,
+                    pPartialDesc->Flags,
+                    pPartialDesc->u.Memory.Start.QuadPart,
+                    pPartialDesc->u.Memory.Start.QuadPart + length,
+                    length,
+                    length / 1024 / 1024);
+
+            }
+            else {
+                printf_s("#%lu Type 0x%04lX, Flags 0x%04lX\r\n", j, pPartialDesc->Type, pPartialDesc->Flags);
+            }
+        }
+
+    }
+    supHeapFree(pList);
+}
+
 VOID KDUDiagStart()
 {
     PRTL_PROCESS_MODULES pvModules;
@@ -811,6 +866,9 @@ VOID KDUDiagStart()
 
         printf_s("> List of registered minifilters\r\n");
         KDUListFilters();
+
+        printf_s("> Physical memory layout\r\n");
+        KDUListMemoryLayout();
     }
     __except (EXCEPTION_EXECUTE_HANDLER) {
         supPrintfEvent(kduEventError, "Exception (0x%lX) during diagnostics\r\n", GetExceptionCode());