Fixed Some Stuff

raax7 · raax7 · commit 27e0054aafb6 · 2024-05-10T20:03:22.000+01:00
diff --git a/KDMapper Dumper/Callbacks.cpp b/KDMapper Dumper/Callbacks.cpp
@@ -4,12 +4,12 @@
 #include "NT.h"
 #include "Utils.h"
 
-typedef NTSTATUS(*PFN_ORIGINAL_IO_CONTROL)(
+typedef NTSTATUS(*_IO_CONTROL)(
     _In_ PDEVICE_OBJECT DeviceObject,
     _In_ PIRP Irp
     );
 
-PFN_ORIGINAL_IO_CONTROL  OriginalIOControl = NULL;
+_IO_CONTROL OriginalIOControl = NULL;
 
 NTSTATUS hk_ControlIO(
     _In_ PDEVICE_OBJECT DeviceObject,
@@ -38,7 +38,7 @@ NTSTATUS hk_ControlIO(
 
     DBG("Dumping Memory! Source: 0x%p Destination: 0x%p Size: %d", Buffer->Source, Buffer->Destination, Buffer->Length);
 
-    NTSTATUS Status = DumpMemoryToDisk(L"KDMapperDumper", (PVOID)((UINT64)Buffer->Source - 0x400), Buffer->Length + 0x400);
+    NTSTATUS Status = DumpMemoryToDisk(L"KDMapperDumper", Buffer->Source, Buffer->Length);
     if (NT_SUCCESS(Status) == false)
     {
         DBG("Failed to dump memory - 0x%X", Status);
@@ -59,6 +59,10 @@ NTSTATUS hk_ControlIO(
     //
     // Attempt to dump the original driver with the PE header by attaching to the source process
     // and then going back 0x1000 bytes from the mapped driver.
+    // 
+    // This abuses the fact that when KDMapper sends the IOCTL request, it just adjusts
+    // the base address of the data it sends to the driver to skip the PE header.
+    // This means we can just go back 0x1000 bytes from the base address to get the PE header.
     //
     PVOID Pool = ExAllocatePool2(POOL_FLAG_NON_PAGED, Buffer->Length + 0x1000, POOL_TAG2);
     if (Pool == NULL)
@@ -184,7 +188,8 @@ VOID ImageLoadCallback(
         return;
 
     //
-    // Copy the first 0x1000 bytes of the image to an allocated pool buffer.
+    // Copy the first 0x1000 bytes of the image (the PE header) to a pool buffer.
+    // If the image size is less than 0x1000 bytes, we will just copy the entire image.
     //
     PVOID ImageBase = ImageInfo->ImageBase;
     SIZE_T PoolSize = min(ImageInfo->ImageSize, 0x1000);
@@ -199,7 +204,8 @@ VOID ImageLoadCallback(
     RtlCopyMemory(ImageBuffer, ImageBase, PoolSize);
 
     //
-    // Check the file header timestamp to see if it matches the timestamp of the KDMapper driver.
+    // Check the file header timestamp to see if it matches the timestamp of the
+    // vulnerable Intel LAN driver that KDMapper uses.
     //
     PIMAGE_DOS_HEADER DosHeader = (PIMAGE_DOS_HEADER)ImageBuffer;
     if (DosHeader->e_magic != IMAGE_DOS_SIGNATURE)
@@ -217,11 +223,15 @@ VOID ImageLoadCallback(
 
     DBG("Found Intel LAN driver at: 0x%p", ImageBase);
 
+    //
+    // Hook IoCreateDevice() so we can redirect all IOCTL requests to
+    // our own handler that will dump the memory.
+    //
     NTSTATUS Status = HookIATEntry(ImageBase, "ntoskrnl.exe", "IoCreateDevice", hk_IoCreateDevice);
     if (NT_SUCCESS(Status) == false)
     {
         DBG("Failed to hook IoCreateDevice() in Intel LAN Driver! - 0x%X", Status);
     }
 
-    return;
+    ExFreePoolWithTag(ImageBuffer, POOL_TAG);
 }
diff --git a/KDMapper Dumper/Entry.cpp b/KDMapper Dumper/Entry.cpp
@@ -25,6 +25,12 @@ extern "C" NTSTATUS DriverEntry(
     NTSTATUS Status;
     DriverObject->DriverUnload = Unload;
 
+    //
+    // This driver is not intended to be manually mapped.
+    // If you do use something like KDMapper to load this driver
+    // you will get a bugcheck on setting DriverObject->DriverUnload
+    // and on recieving a callback on ImageLoadCallback.
+    //
     Status = PsSetLoadImageNotifyRoutine(ImageLoadCallback);
     if (NT_SUCCESS(Status) == false)
     {
diff --git a/KDMapper Dumper/Globals.h b/KDMapper Dumper/Globals.h
@@ -35,6 +35,7 @@ typedef union _virt_addr_t
 } virt_addr_t, * pvirt_addr_t;
 
 #define POOL_TAG 'KDM '
-#define POOL_TAG2 'KDM2'
+#define POOL_TAG2 'KDM1'
+#define POOL_TAG3 'KDM2'
 
 #define DBG(Message, ...) DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL, "[KDMapper Dumper] " __FUNCTION__ "() - " Message "\n", __VA_ARGS__)
diff --git a/KDMapper Dumper/KDMapper Dumper.vcxproj b/KDMapper Dumper/KDMapper Dumper.vcxproj
@@ -72,9 +72,11 @@
   <PropertyGroup />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+    <Inf2CatUseLocalTime>true</Inf2CatUseLocalTime>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
+    <Inf2CatUseLocalTime>true</Inf2CatUseLocalTime>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'">
     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
diff --git a/KDMapper Dumper/Utils.cpp b/KDMapper Dumper/Utils.cpp
@@ -5,6 +5,7 @@
 
 #pragma warning(disable: 4244)
 
+// credit: https://github.com/uefibootkit/kdmapper-dumper
 NTSTATUS DumpMemoryToDisk(
     _In_ const WCHAR* FileNamePrefix,
     _In_ PVOID BaseAddress,
@@ -16,38 +17,35 @@ NTSTATUS DumpMemoryToDisk(
         return STATUS_INVALID_PARAMETER;
     }
 
-    HANDLE             h_file;
-    UNICODE_STRING     name;
-    OBJECT_ATTRIBUTES  attr;
-    IO_STATUS_BLOCK    status_block;
-    LARGE_INTEGER      offset{ NULL };
+    HANDLE File;
+    UNICODE_STRING FileNameUnicode;
+    OBJECT_ATTRIBUTES Attributes;
+    IO_STATUS_BLOCK StatusBlock;
+    LARGE_INTEGER Offset{ NULL };
 
     //
-    // Get the current kernel time and use that as the filen name.
+    // Get the current system time and use that in the file name.
     //
     LARGE_INTEGER CurrentTime;
     KeQuerySystemTime(&CurrentTime);
 
-    //
-    // Create the file name using the current time.
-    //
     WCHAR FileName[260];
     swprintf(FileName, L"\\??\\C:\\%s_%lld.bin", FileNamePrefix, CurrentTime.QuadPart);
 
     //
     // Initialize the unicode string.
     //
-    RtlInitUnicodeString(&name, FileName);
-    InitializeObjectAttributes(&attr, &name,
+    RtlInitUnicodeString(&FileNameUnicode, FileName);
+    InitializeObjectAttributes(&Attributes, &FileNameUnicode,
         OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
         NULL, NULL
     );
 
     NTSTATUS Status = ZwCreateFile(
-        &h_file,
+        &File,
         GENERIC_WRITE,
-        &attr,
-        &status_block,
+        &Attributes,
+        &StatusBlock,
         NULL,
         FILE_ATTRIBUTE_NORMAL,
         NULL,
@@ -63,21 +61,21 @@ NTSTATUS DumpMemoryToDisk(
     }
 
     Status = ZwWriteFile(
-        h_file,
+        File,
         NULL,
         NULL,
         NULL,
-        &status_block,
+        &StatusBlock,
         BaseAddress,
         Size,
-        &offset,
+        &Offset,
         NULL
     );
     if (NT_SUCCESS(Status) == false)
     {
         DBG("Failed to write to file - 0x%X", Status);
     }
 
-    ZwClose(h_file);
+    ZwClose(File);
     return Status;
 }
