v 1.0.0

Release
msgpo · Feb 9, 2020 · efd90a3 · efd90a3
1 parent 75e101e
commit efd90a3
Show file tree

Hide file tree

Showing 8 changed files with 114 additions and 55 deletions.
diff --git a/Bin/kdu.exe b/Bin/kdu.exe
diff --git a/KDU.sha256 b/KDU.sha256
@@ -1,6 +1,6 @@
 6ce17d185826dc452c50b1908315ff151cd57319f11ab6eb337dbe180f111fd4 *Bin\dummy.sys
 eefc8b804938fa0976416ae18efa0e30e67b537e7ce50d94dba7022971d17f19 *Bin\dummy2.sys
-03aefd40698cafbd48138784f362fb9a36f726fb50f262ca40695729f7b553ca *Bin\kdu.exe
+74f4998278e617d3470c3371d712fd9218a6e6f6f007963b66b01b13d69e5934 *Bin\kdu.exe
 06cf7aeac5256e35f45da73594faa704083f94809772c218e9cbf0c86c076438 *Bin\license.txt
 323d910f93683453d45239a0528d3c3cda7f2608fca864fd2a687184ffe129fe *Help\kdu1.png
 a1d7a51549914833a3414a93646952c25deabe072d8a271b54e10727f923b479 *Help\kdu2.png
@@ -35,12 +35,12 @@ d45cf40c855a135898e4b35d0b5b2d00e3ad251a97d3f47990248116f22ff45e *Source\Example
 5a24f52c5c86d7d7da91bf5c06f151f9bb20ec715ca6c117b8f3e82f05a7fa80 *Source\Hamakaze\irp.h
 975cef84c77c8be845a7431f90a1d91564fdbf2eca29de12e971d96df852bc57 *Source\Hamakaze\KDU.vcxproj
 266599840dbb029c64bdc94cb5fc4c92726f03120d547a02e1ef949abe8d251f *Source\Hamakaze\KDU.vcxproj.filters
-548b2ca3c772769a4ed8dc4c49f59e1dfd4e1f6f8b9180e838abc1d1b2e1b43f *Source\Hamakaze\KDU.vcxproj.user
-e1ef23a4baa6476ae1e256c4e763170f8a65fe86e958931bef6ce48c07578067 *Source\Hamakaze\kduprov.cpp
-58dd14a987725517ff306706770bb4f73f6c57b45f5407d41b594909b73d7386 *Source\Hamakaze\kduprov.h
+0232e1301d7f921de4505a73d7b6df3ac1cbef8bfcdb9e53433be3a63bad25f5 *Source\Hamakaze\KDU.vcxproj.user
+66955360a66413e8527d3dfb6fd069a628f56097beeeb40f1cddebed3b613733 *Source\Hamakaze\kduprov.cpp
+1db73d6a14a13c7c3b3fdef415797ebb7c3fe2228b28048c2ae73985f73e4858 *Source\Hamakaze\kduprov.h
 b597aeae6865312703d103987f29d81b41741f6eb1b65193f8546d9e10a41d3c *Source\Hamakaze\main.cpp
-49a93f1646df71a48bd8a17558691ea420bb86bf8a1b1129f627ab29298a3bd5 *Source\Hamakaze\pagewalk.cpp
-536f0abe8580072dd58d524ceeee33ae5bfb1c919739daf9d541cd05f1bbca5d *Source\Hamakaze\pagewalk.h
+bba53e5adc6f885de5d49ebf194851d733fa6ed0dbe822dcdbb83ce66432cb98 *Source\Hamakaze\pagewalk.cpp
+545ecf7e669b6b28753a02e33fae6f503750d26cf0bf9089701f401fd24e0dd1 *Source\Hamakaze\pagewalk.h
 4f48c6b97e236d05eb0f0f3704e461ed9c41dd9ff8bc777ba8d2e332cf27f9c0 *Source\Hamakaze\ps.cpp
 d413c012b1157c4f42b7b7bc8558c9a6efcaacae87855e90b3c187b179694625 *Source\Hamakaze\ps.h
 86be07d82809b9550cf9770128897c832619644f9411eb53eb015d3c91b1db1d *Source\Hamakaze\resource.h

diff --git a/README.md b/README.md
@@ -120,6 +120,7 @@ Using this program might render your computer into BSOD. Compiled binary and sou
 * ATSZIO64 headers and libs, https://github.com/DOGSHITD/SciDetectorApp/tree/master/DetectSciApp
 * ATSZIO64 ASUS Drivers Privilege Escalation, https://github.com/LimiQS/AsusDriversPrivEscala
 * CVE-2019-18845, https://www.activecyber.us/activelabs/viper-rgb-driver-local-privilege-escalation-cve-2019-18845
+* DEFCON27: Get off the kernel if you cant drive, https://eclypsium.com/wp-content/uploads/2019/08/EXTERNAL-Get-off-the-kernel-if-you-cant-drive-DEFCON27.pdf
 
 # Authors
 

diff --git a/Source/Hamakaze/KDU.vcxproj.user b/Source/Hamakaze/KDU.vcxproj.user
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
-    <LocalDebuggerCommandArguments>-test</LocalDebuggerCommandArguments>
+    <LocalDebuggerCommandArguments>-list</LocalDebuggerCommandArguments>
     <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
   </PropertyGroup>
 </Project>
diff --git a/Source/Hamakaze/kduprov.cpp b/Source/Hamakaze/kduprov.cpp
@@ -6,7 +6,7 @@
 *
 *  VERSION:     1.00
 *
-*  DATE:        07 Feb 2020
+*  DATE:        09 Feb 2020
 *
 *  Vulnerable driver providers routines.
 *
@@ -37,15 +37,18 @@ KDU_PROVIDER g_KDUProviders[KDU_PROVIDERS_MAX] =
         (LPWSTR)L"CVE-2015-2291",
         (LPWSTR)L"NalDrv",
         (LPWSTR)L"Nal",
+        (LPWSTR)L"Intel Corporation",
+        (provRegisterDriver)KDUProviderStub,
+        (provUnregisterDriver)KDUProviderStub,
+        (provAllocateKernelVM)KDUProviderStub,
+        (provFreeKernelVM)KDUProviderStub,
         NalReadVirtualMemoryEx,
         NalWriteVirtualMemoryEx,
         NalVirtualToPhysical,
         (provReadControlRegister)KDUProviderStub,
         (provQueryPML4)KDUProviderStub,
         (provReadPhysicalMemory)KDUProviderStub,
-        (provWritePhysicalMemory)KDUProviderStub,
-        (provRegisterDriver)KDUProviderStub,
-        (provUnregisterDriver)KDUProviderStub
+        (provWritePhysicalMemory)KDUProviderStub
     },
 
     {
@@ -55,15 +58,18 @@ KDU_PROVIDER g_KDUProviders[KDU_PROVIDERS_MAX] =
         (LPWSTR)L"CVE-2019-16098",
         (LPWSTR)L"RTCore64",
         (LPWSTR)L"RTCore64",
+        (LPWSTR)L"MICRO-STAR INTERNATIONAL CO., LTD.",
+        (provRegisterDriver)KDUProviderStub,
+        (provUnregisterDriver)KDUProviderStub,
+        (provAllocateKernelVM)KDUProviderStub,
+        (provFreeKernelVM)KDUProviderStub,
         RTCoreReadVirtualMemory,
         RTCoreWriteVirtualMemory,
         (provVirtualToPhysical)KDUProviderStub,
         (provReadControlRegister)KDUProviderStub,
         (provQueryPML4)KDUProviderStub,
         (provReadPhysicalMemory)KDUProviderStub,
-        (provWritePhysicalMemory)KDUProviderStub,
-        (provRegisterDriver)KDUProviderStub,
-        (provUnregisterDriver)KDUProviderStub
+        (provWritePhysicalMemory)KDUProviderStub
     },
 
     {
@@ -73,15 +79,18 @@ KDU_PROVIDER g_KDUProviders[KDU_PROVIDERS_MAX] =
         (LPWSTR)L"CVE-2018-19320",
         (LPWSTR)L"Gdrv",
         (LPWSTR)L"GIO",
-        (provReadKernelVM)GioReadKernelVirtualMemory,
-        (provWriteKernelVM)GioWriteKernelVirtualMemory,
-        (provVirtualToPhysical)GioVirtualToPhysical,
-        (provReadControlRegister)KDUProviderStub,
-        (provQueryPML4)GioQueryPML4Value,
-        (provReadPhysicalMemory)GioReadPhysicalMemory,
-        (provWritePhysicalMemory)GioWritePhysicalMemory,
+        (LPWSTR)L"Giga-Byte Technology",
         (provRegisterDriver)KDUProviderStub,
-        (provUnregisterDriver)KDUProviderStub
+        (provUnregisterDriver)KDUProviderStub,
+        (provAllocateKernelVM)KDUProviderStub,
+        (provFreeKernelVM)KDUProviderStub,
+        GioReadKernelVirtualMemory,
+        GioWriteKernelVirtualMemory,
+        GioVirtualToPhysical,
+        (provReadControlRegister)KDUProviderStub,
+        GioQueryPML4Value,
+        GioReadPhysicalMemory,
+        GioWritePhysicalMemory
     },
 
     {
@@ -91,15 +100,18 @@ KDU_PROVIDER g_KDUProviders[KDU_PROVIDERS_MAX] =
         (LPWSTR)L"ASUSTeK WinFlash",
         (LPWSTR)L"ATSZIO",
         (LPWSTR)L"ATSZIO",
-        (provReadKernelVM)AtszioReadKernelVirtualMemory,
-        (provWriteKernelVM)AtszioWriteKernelVirtualMemory,
-        (provVirtualToPhysical)AtszioVirtualToPhysical,
-        (provReadControlRegister)KDUProviderStub,
-        (provQueryPML4)AtszioQueryPML4Value,
-        (provReadPhysicalMemory)AtszioReadPhysicalMemory,
-        (provWritePhysicalMemory)AtszioWritePhysicalMemory,
+        (LPWSTR)L"ASUSTeK Computer Inc.",
         (provRegisterDriver)KDUProviderStub,
-        (provUnregisterDriver)KDUProviderStub
+        (provUnregisterDriver)KDUProviderStub,
+        (provAllocateKernelVM)KDUProviderStub,
+        (provFreeKernelVM)KDUProviderStub,
+        AtszioReadKernelVirtualMemory,
+        AtszioWriteKernelVirtualMemory,
+        AtszioVirtualToPhysical,
+        (provReadControlRegister)KDUProviderStub,
+        AtszioQueryPML4Value,
+        AtszioReadPhysicalMemory,
+        AtszioWritePhysicalMemory
     },
 
     {
@@ -109,15 +121,18 @@ KDU_PROVIDER g_KDUProviders[KDU_PROVIDERS_MAX] =
         (LPWSTR)L"CVE-2019-18845",
         (LPWSTR)L"MsIo64",
         (LPWSTR)L"MsIo",
-        (provReadKernelVM)MsioReadKernelVirtualMemory,
-        (provWriteKernelVM)MsioWriteKernelVirtualMemory,
-        (provVirtualToPhysical)MsioVirtualToPhysical,
-        (provReadControlRegister)KDUProviderStub,
-        (provQueryPML4)MsioQueryPML4Value,
-        (provReadPhysicalMemory)MsioReadPhysicalMemory,
-        (provWritePhysicalMemory)MsioWritePhysicalMemory,
+        (LPWSTR)L"MICSYS Technology Co., Ltd.",
         (provRegisterDriver)KDUProviderStub,
-        (provUnregisterDriver)KDUProviderStub
+        (provUnregisterDriver)KDUProviderStub,
+        (provAllocateKernelVM)KDUProviderStub,
+        (provFreeKernelVM)KDUProviderStub,
+        MsioReadKernelVirtualMemory,
+        MsioWriteKernelVirtualMemory,
+        MsioVirtualToPhysical,
+        (provReadControlRegister)KDUProviderStub,
+        MsioQueryPML4Value,
+        MsioReadPhysicalMemory,
+        MsioWritePhysicalMemory
     }
 
 };
@@ -145,11 +160,17 @@ VOID KDUProvList()
             prov->DriverName,
             prov->DeviceName);
 
+        //
+        // Show signer.
+        //
+        printf_s("\tSigned by: \"%ws\"\r\n",
+            prov->SignerName);
+
         //
         // List provider flags.
         //
         printf_s("\tHVCI support: %s\r\n"\
-            "\tWHQL signature: %s\r\n",
+            "\tWHQL signature present: %s\r\n",
             (prov->SupportHVCI == 0) ? "No" : "Yes",
             (prov->SignatureWHQL == 0) ? "No" : "Yes");
 
@@ -474,11 +495,28 @@ PKDU_CONTEXT WINAPI KDUProviderCreate(
             (PVOID)prov->Callbacks.WriteKernelVM == (PVOID)KDUProviderStub)
         {
             printf_s("[!] Abort: selected provider does not support arbitrary kernel read/write or\r\n"\
-                "\tKDU interface is not implemented for these methods\r\n");
+                "\tKDU interface is not implemented for these methods.\r\n");
 
 #ifndef _DEBUG
             return NULL;
 #endif
+        }
+        break;
+
+    case ActionTypeDSECorruption:
+
+        //
+        // Check if we can write.
+        //
+        if ((PVOID)prov->Callbacks.WriteKernelVM == (PVOID)KDUProviderStub) {
+
+            printf_s("[!] Abort: selected provider does not support arbitrary kernel write.\r\n");
+
+
+#ifndef _DEBUG
+            return NULL;
+#endif
+
     }
         break;
 

diff --git a/Source/Hamakaze/kduprov.h b/Source/Hamakaze/kduprov.h
@@ -6,7 +6,7 @@
 *
 *  VERSION:     1.00
 *
-*  DATE:        07 Feb 2020
+*  DATE:        09 Feb 2020
 *
 *  Provider support routines.
 *
@@ -53,6 +53,21 @@ typedef BOOL(WINAPI* provWriteKernelVM)(
     _Out_writes_bytes_(NumberOfBytes) PVOID Buffer,
     _In_ ULONG NumberOfBytes);
 
+//
+// Prototype for allocating kernel memory function.
+//
+typedef BOOL(WINAPI* provAllocateKernelVM)(
+    _In_ HANDLE DeviceHandle,
+    _In_ ULONG NumberOfBytes,
+    _Out_ PVOID* Address);
+
+//
+// Prototype for freeing kernel memory function.
+//
+typedef BOOL(WINAPI* provFreeKernelVM)(
+    _In_ HANDLE DeviceHandle,
+    _Out_ PVOID Address);
+
 //
 // Prototype for virtual to physical address translation function.
 //
@@ -109,7 +124,8 @@ typedef BOOL(WINAPI* provUnregisterDriver)(
 typedef enum _KDU_ACTION_TYPE {
     ActionTypeMapDriver = 0,
     ActionTypeDKOM = 1,
-    ActionTypeUnspecified = 2,
+    ActionTypeDSECorruption = 2,
+    ActionTypeUnspecified = 3,
     ActionTypeMax
 } KDU_ACTION_TYPE;
 
@@ -127,16 +143,23 @@ typedef struct _KDU_PROVIDER {
     LPWSTR Desciption;
     LPWSTR DriverName; //only file name, e.g. PROCEXP152
     LPWSTR DeviceName; //device name, e.g. PROCEXP152
+    LPWSTR SignerName;
     struct {
+        provRegisterDriver RegisterDriver; //optional
+        provUnregisterDriver UnregisterDriver; //optional
+
+        provAllocateKernelVM AllocateKernelVM; //optional
+        provFreeKernelVM FreeKernelVM; //optional
+
         provReadKernelVM ReadKernelVM;
         provWriteKernelVM WriteKernelVM;
+
         provVirtualToPhysical VirtualToPhysical; //optional
         provReadControlRegister ReadControlRegister; //optional
+
         provQueryPML4 QueryPML4Value; //optional
         provReadPhysicalMemory ReadPhysicalMemory; //optional
         provWritePhysicalMemory WritePhysicalMemory; //optional
-        provRegisterDriver RegisterDriver; //optional
-        provUnregisterDriver UnregisterDriver; //optional
     } Callbacks;
 } KDU_PROVIDER, * PKDU_PROVIDER;
 

diff --git a/Source/Hamakaze/pagewalk.cpp b/Source/Hamakaze/pagewalk.cpp
@@ -2,11 +2,11 @@
 *
 *  (C) COPYRIGHT AUTHORS, 2018 - 2020
 *
-*  TITLE:       PAGEWALK.C
+*  TITLE:       PAGEWALK.CPP
 *
 *  VERSION:     1.00
 *
-*  DATE:        02 Feb 2020
+*  DATE:        07 Feb 2020
 *
 *  Function to translate virtual to physical addresses, x86-64.
 *
@@ -38,19 +38,16 @@ int PwEntryToPhyAddr(ULONG_PTR entry, ULONG_PTR* phyaddr)
 
 BOOL PwVirtualToPhysical(
     _In_ HANDLE DeviceHandle,
-    _In_ provQueryPML4 QueryPML4,
+    _In_ provQueryPML4 QueryPML4Routine,
     _In_ provReadPhysicalMemory ReadPhysicalMemoryRoutine,
     _In_ ULONG_PTR VirtualAddress,
     _Out_ ULONG_PTR* PhysicalAddress)
 {
-    ULONG_PTR	pml4_cr3, selector, table, entry = 0;
-    INT			r, shift;
+    ULONG_PTR   pml4_cr3, selector, table, entry = 0;
+    INT         r, shift;
 
-    if (QueryPML4(DeviceHandle,
-        &pml4_cr3) == 0)
-    {
+    if (QueryPML4Routine(DeviceHandle, &pml4_cr3) == 0)
         return 0;
-    }
 
     table = pml4_cr3 & PHY_ADDRESS_MASK;
 

diff --git a/Source/Hamakaze/pagewalk.h b/Source/Hamakaze/pagewalk.h
@@ -6,7 +6,7 @@
 *
 *  VERSION:     1.00
 *
-*  DATE:        02 Feb 2020
+*  DATE:        07 Feb 2020
 *
 *  Page table translation prototypes.
 *
@@ -21,7 +21,7 @@
 
 BOOL PwVirtualToPhysical(
     _In_ HANDLE DeviceHandle,
-    _In_ provQueryPML4 QueryPML4,
+    _In_ provQueryPML4 QueryPML4Routine,
     _In_ provReadPhysicalMemory ReadPhysicalMemoryRoutine,
     _In_ ULONG_PTR VirtualAddress,
     _Out_ ULONG_PTR* PhysicalAddress);