hfiref0x / kdu Goto Github PK
View Code? Open in Web Editor NEWKernel Driver Utility
License: MIT License
kdu's People
Stargazers
Watchers
Forkers
thiagoalexsander crackercat fake-cheater developer191 bb33bb blueskeye fcccode fengjixuchui runonceex kmsecurityresearch taxi2za 2217936322 gavz ek0 ackroute a10ncoder ivanpos2015 topotam pegasusx kernullist waterman178 hobbit19 qiutao1204 morelli690 frankurcrazy akpotter jack51706 hypn4 marcosd4h gigabait oesis songbei6 stacklikemind zh4x zanzo420 eaglesquads gattacker poiuytr92 cualquiercosa327 kennyzeng y11en yangfan6888 ohpe owen0225 freeide renecn dull1337 sheisback cydiakk n3mes1s humble-desser gdraperi longjohncoder heruix blaquee certifiedpaster startagain2016 hymeca ericyoong mmg1 5l1v3r1 rocker9527 zcg19 ltwell lokuo useful-stuff jonlv scx1125 huoji120 matrixkung qazwar v0idi arckicriss ykankaya v4nyl ibrahim-elsakka vineetkia ulubey4242 besimbicer89 bfuzzy1 msgpo mitbad-d raystyle xelentra1 pokevas scp-66 askyeye oborges dumpsterfirevip fhgzs onecool9009 dnangle bon3less okandok jiweihong zhuhuibeishadiao ziger2019 shhoya hackflame iamhatlingkdu's Issues
cl critical structure corruption BSOD
when using DSE 0 i got cl critical structure corruption bsod 20h2 OS Build 19042.804
Worth adding old ProcessHacker driver as provider?
Hi hfiref0x!
Ever considered adding support for an old ProcessHacker driver and repurposing it as a provider?
https://github.com/RedSection/OffensivePH
Or its way to long shot?
Regards,
M.
ready to use binary availability
Hello.
I cant seem to be able to compile this. Is there a ready-made binary somewhere?
Error (0xC0000428) on x64
I'm getting this error when trying to load my driver, is this any known?
[!] Bootstrap code size 0x1875 exceeds limit 0x794, abort
C:\Users\caioc\Desktop>kdu -map driver.sys
[#] Kernel Driver Utility v1.2.8 (build 2212) started, (c)2020 - 2022 KDU Project
[#] Build at Fri Dec 9 01:44:47 2022, header checksum 0x7C8AA
[#] Supported x64 OS : Windows 7 and above
[*] Debug Mode Run
[*] CPU vendor string: AuthenticAMD
[*] Windows version: 10.0 build 22000
[*] SecureBoot is enabled on this machine
[*] WHQL enforcement ENABLED
[+] MSFT Driver block list is disabled
[*] Driver mapping using shellcode version: 1
[+] Input driver file "driver.sys" loaded at 0x00007FF6C77D0000
[+] Drivers database "drv64.dll" loaded at 0x00007FFCEAD50000
[+] Firmware type (FirmwareTypeUefi)
[+] Provider: "CVE-2015-2291", Name "NalDrv"
[+] Extracting vulnerable driver as "C:\Users\caioc\Desktop\NalDrv.sys"
[+] Vulnerable driver "NalDrv" loaded
[+] Driver device "NalDrv" has successfully opened
[+] Executing post-open callback for given provider
[+] Driver device security descriptor set successfully
[+] Victim "PROCEXP152" 1 acquire attempt of 3 (max)
[+] Processing victim "Process Explorer" driver
[+] Extracting victim driver "PROCEXP152" as "C:\Windows\system32\drivers\PROCEXP152.sys"
[+] Victim is accepted, handle 0x00000000000000D4
[+] Reading FILE_OBJECT at 0xFFFFC70BB8C872D0
[+] Reading DEVICE_OBJECT at 0xFFFFC70BB2CBCAF0
[+] Reading DRIVER_OBJECT at 0xFFFFC70BB3DB9BF0
[+] Victim IRP_MJ_DEVICE_CONTROL 0xFFFFF803448E2220
[+] Victim DriverUnload 0xFFFFF803448E3280
[+] Loaded ntoskrnl base 0xFFFFF80111C00000
[+] Ntoskrnl.exe mapped at 0x7FF612180000
[+] Resolving kernel import for input driver
[+] Resolving payload import
[!] Bootstrap code size 0x1875 exceeds limit 0x794, abort
[!] Unexpected shellcode procedure size, abort
[!] Error while building shellcode, abort
[+] Victim released
[+] Vulnerable driver "NalDrv" unloaded
[+] Vulnerable driver file removed
[+] Return value: 0. Bye-bye!
Do you have any idea what could be causing this problem?
Does not work with installed Hyper-V
So, i had bsod after add Hyper-V component of windows. And kdu works after uninstall Hyper-V. Is this normal behavior? Or fixable?
used: Win 11 22000.318, -dse command
Use WskRegister will definitely BSOD
WSK_REGISTRATION WskRegistration;
WSK_CLIENT_DISPATCH WskDispatch = { MAKE_WSK_VERSION(1,0), 0, NULL };
WSK_CLIENT_NPI WskClient;
WskClient.ClientContext = NULL;
WskClient.Dispatch = &WskDispatch;
WskRegister(&WskClient, &WskRegistration);
I do not know why。。。
[Information] Microsoft banned Microsoft SysInternals Process Explorer driver
It took them 10+ years and about 4 different APT usages (which I can count/remember) to figure out that something is wrong with it.
Recent update of WDAC blocklist now include block of all Process Explorer drivers with version <=16.x. Since this driver is used in KDU as well (as victim shellcode placeholder/target) this change will also affect KDU.
New 17.x Process Explorer driver bring the following "security" improvements:
First, in IOCTL callable routine responsible for openning handle for given process it now checks whatever this process you want to open is "protected" (PsIsProtectedProcess) and if it is - then sets access flags to PROCESS_QUERY_LIMITED_INFORMATION.
Second, the routine involving ZwDuplicateObject also got similar update not allowing you to duplicate handles of protected processes or PsInitialSystemProcess.
Crashes on reading FILE_OBJECT
Hi (me again),
I'm trying to map a driver with the drvmap function. However, my PC blue screens on reading FILE_OBJECT (I assume where it calls ReadKernelVM?). This only happens for one of the drivers I am using, both of them I have compiled and made driverless.
(The other one works perfectly). The driver entry point does not appear to be called before the crash. When I debugged the kernel crash dump in WinDbg with my driver source, it did not reference it in the slightest. Instead it gave the NTSTATUS error "reached breakpoint"?
I read that there is an issue when having vgc installed, so I uninstalled it yet I get the same result.
If you want I can attach a copy of the driver I am trying to map. I have tried providers 1 and 2 and concluded after it crashing on both of them that it was independent of that.
Thanks
I will have a blue screen when loading this driver
filesrc:https://anonfiles.com/pek9A8K7x3/src_zip
Please revise it for me.
Unable to load vulnerable driver, NTSTATUS (0xC0000603)
Simply, can't disable dse or can't map anything.
BSOD
After using -dse 6 and -map Driver.sys my pc would BSOD after a while (sometimes very soon sometimes takes a bit) with the error CRITICAL_STRUCTURE_CORRUPTION on CI.dll
any idea for a fix? i see that Ci dll is loaded by kdu so im guessing thats where the issue originated from
minidump file below
Windows 11 issues.
I'm use modified KDU for load unsigned kernel driver for my project.
Recently, i got complaints from W11 users - driver loading fail, followed by BSOD with KMODE_EXCEPTION_NOT_HANDLED - seems like provided by system antivirus.
Can you, please, check what do they change?
BSOD while kdu.exe -map mydrv.sys
hello, hfire0x. First of all, thank you for your project. It was great.
this is my dump ,I used windbg and found that some functions had wrong addresses, such as "MmGetSystemRoutineAddress" or "DbgPrintEx",I think this is probably because the ntoskrnl import is wrong(Of course, my guess may not be right 😁)
102022-9578-01.zip
this is the entry of my driver:
extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
UNREFERENCED_PARAMETER(DriverObject);
UNREFERENCED_PARAMETER(RegistryPath);
__debugbreak();
// Direct use of ”DbgPrintEx“ Also will go wrong
UNICODE_STRING str;
RtlInitUnicodeString(&str, L"DbgPrintEx");
sys_DbgPrintEx = (P_DbgPrintEx)MmGetSystemRoutineAddress(&str);
sys_DbgPrintEx(0, 0, "[LysdDrv] LysdDrv DriverEntry start \n");
return STATUS_UNSUCCESSFUL;
}
But the strange thing is that the other driver just works and their driverentry is exactly the same,So I compared their project attributes and changed them to the same(I swear I checked every attribute very carefully),But helplessly, they still only have a blue screen, the other one is normal.
I hope you can help me. Thank you!
BSOD with hyper-v turned on in Windows 11 22H2
If I have hyper-v turned on:
bcdedit.exe /set hypervisorlaunchtype auto
provider 0 will BSOD on win11
If I turn hyper-v off it will work without problems:
bcdedit.exe /set hypervisorlaunchtype off
Is it possible to make it work with hyper-v launch?
[!] Could not load drivers database, GetLastError 2
Get this error when trying to load a dummy driver. I looked it up and it says that im missing 1 or more dll files. I imagine it has something to do with building the dlls in the main source file but i dont know where to put the dll files.
Unable to load vulnerable driver (22H2)
[!] Unable to load vulnerable driver, NTSTATUS (0xC0000603)
Windows 11, build 22621.521 (22H2)
Heavy system load at target driver call
Thanks for tool, it can help me to avoid stupid and non-free fingerprinting, but i need you help.
I write a tool to control fans/temps/power distribution for some specific hardware (specific manufacturer).
It uses kernel driver, so now it can only work in test mode.
I try to use your tool, and the current stage is:
- I can successfully load driver, initialization is OK.
- I can access driver trough IO, operation chain works as well.
The issue are - some IO operations provide heavy system load (interrupts catch 50-80% CPU).
They work, but took minutes to hour at so unresponsive system.
I'm out of ideas why it happened, direct loading didn't provide this issue.
PS: I access ACPI driver from mine, is this the source of the issue? How can I fix it?
Cannot load drivers database, GetLastError 126:
[+] The "" hypervisor present
[!] Cannot load drivers database, GetLastError 126: [+] Return value: 0. Bye-bye!
Insufficient system resources
Hi! I'm trying to run the utility with .\kdu.exe -map .\mydriver.sys in powershell admin, receive this log:
[#] Kernel Driver Utility v1.3.3 (build 2307) started, (c)2020 - 2023 KDU Project
[#] Built at Fri Sep 1 10:17:29 2023, header checksum 0x55823
[#] Supported x64 OS : Windows 7 and above
[*] CPU vendor string: AuthenticAMD
[*] Windows version: 10.0 build 22621
[*] SecureBoot is enabled on this machine
[*] WHQL enforcement ENABLED
[+] MSFT Driver block list is enabled
[*] Driver mapping using shellcode version: 1
[+] Input driver file ".\mydriver.sys" loaded at 0x00007FF99A420000
[+] MSFT hypervisor present
[+] Drivers database "drv64.dll" loaded at 0x00007FF96C700000
[+] Firmware type (FirmwareTypeUefi)
[+] Provider: "CVE-2015-2291", Name "NalDrv"
[+] Extracting vulnerable driver as "path\NalDrv.sys"
[!] Unable to load vulnerable driver, NTSTATUS (0xC000009A): Insufficient system resources exist to complete the API.
[+] Return value: 0. Bye-bye!
I've noticed other closed issues for the block list and enforcement, but I'm unsure this issue relates to them, since the error is about system resources. I have 16 Gb RAM in total, 8 Gb unused, so I doubt it's RAM. Is there any other troubleshooting I can do?
I tried running the system without driver signature checking using this tutorial using Disable driver signature enforcement but it didn't help.
Could not query DSE state, GetLastError 5
I am using Windows 10 with the latest version 21H1 build 19044.1826
I have tried disabling Secure Boot, disabling Memory Integrity from windows defender, but when i do the command kdu -dse ANYTHING, I get this output:
[#] Kernel Driver Utility v1.2.0 (build 2202) started, (c)2020 - 2022 KDU Project
[#] Build at Thu Feb 17 01:33:48 2022, header checksum 0x4D588
[#] Supported x64 OS : Windows 7 and above
[*] Windows version: 10.0 build 19044
[*] SecureBoot is disabled on this machine
[+] Provider: "CVE-2015-2291", Name "NalDrv"
[+] Drivers database "drv64.dll" loaded at 0x0000019058F80002
[+] Extracting vulnerable driver as "C:\Users\user\Desktop\NalDrv.sys"
[+] Vulnerable driver "NalDrv" loaded
[+] Vulnerable driver "NalDrv" opened
[+] Executing post-open callback for given provider
[+] Driver device security descriptor set successfully
[+] Module "CI.dll" loaded for pattern search
[!] Could not query DSE state, GetLastError 5
[!] Unable to unload vulnerable driver, NTSTATUS (0xC0000010)
[+] Return value: 0. Bye-bye!
Unable to load the driver
- Unable to load vulnerable driver, NTSTATUS (0xC0000603)
Which stands for STATUS_IMAGE_CERT_REVOKED
Is there any fix to it? I've been searching for a while but can't find any.
OS: win11 newest
Unable to re-enable DSE
I have typed the following cmd in the my console "kdu.exe" -prv 1 -dse 6".
After reentering the same command again (6 replaced with 0)
I was not able to restart my computer without dse dsiabled... I have no clue how to reenable dse because all the methods i've used (bcdedit.exe /set nointegritychecks off & troubleshoot restart and enable dse) don't work. Any ideas?
Thanks
Hi.
Unless you're not already aware of https://github.com/ByteWhite1x1/EDR-bypass-disable-PspNotifyEnableMask
I also have DSE bypass at runtime for Windows 10/11 22H2. If you need. That's my thank you to for the KDU project. It's been really useful with testing.
You just PM me or something if you want a private DSE bypass. As of 09/2023. MS has patched this in the latest Windows 10 Pro 22H2. You need to do the PTE trick to bypass DSE without a BSDO. I don't want to post this information publicly. It's only for those who work hard like you.
error
DSE bypass not working on 20H2 after KB5003173 update
The latest Windows update for 20H2 that is KB5003173, breaks the functionality of the DSE bypass.
Steps to reproduce:
- Upgrade your OS to the newest version available
- Run KDU as follows:
kdu.exe -dse 0 - Observe the unchanged code integrity options value
KDU will report success in despite of the code integrity options value hasn't been altered. Hence, NtLoadDriver will report STATUS_INVALID_IMAGE_HASH.
I have also checked it using NtQuerySystemInformation(SystemCodeIntegrityInformation... and here's the output of that:
CODEINTEGRITY_OPTION_TESTSIGN=FALSE
CODEINTEGRITY_OPTION_UMCI_ENABLED=FALSE
CODEINTEGRITY_OPTION_UMCI_AUDITMODE_ENABLED=FALSE
CODEINTEGRITY_OPTION_UMCI_EXCLUSIONPATHS_ENABLED=FALSE
CODEINTEGRITY_OPTION_TEST_BUILD=FALSE
CODEINTEGRITY_OPTION_PREPRODUCTION_BUILD=FALSE
CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED=FALSE
CODEINTEGRITY_OPTION_FLIGHT_BUILD=FALSE
CODEINTEGRITY_OPTION_FLIGHTING_ENABLED=FALSE
CODEINTEGRITY_OPTION_HVCI_KMCI_ENABLED=FALSE
CODEINTEGRITY_OPTION_HVCI_KMCI_AUDITMODE_ENABLED=FALSE
CODEINTEGRITY_OPTION_HVCI_KMCI_STRICTMODE_ENABLED=FALSE
CODEINTEGRITY_OPTION_HVCI_IUM_ENABLED=TRUE
CodeIntegrityOptions=0x2001
I suspect the memory location of the target variable has changed.
Windows 11 22H2 last version
Hello. I tried enable DSE on Windows 11 22H2 last version, but i got error "unable to load vulnerable driver, ntstatus 0xc0000603".
Is not supported? I disabled windows defender.
Could not load drivers database, GetLastError 126
DSE
What happens I don't set dse 0 and dse 6 after mapping the driver?
WinRing0x64 cause bluescreen Win10&Win11
I always crash if i try to use prov 7(WinRing0x64)...
Tested on Win10 21h2 & Win11 22H2 /In WMWARE
TYPO README.md
Hello,
In this issue, I have identified two minor typos that need correction.
occured -> occurred README.md L79
expirienced -> experienced README.md L177
Thank you for your time and consideration in addressing these errors.
Best regards,
Melody
Windows crashes after minutes after re-enable DSE
Hi,
I use kdu -dse 0 to disable DSE and then I load my driver. (at first attempt it says current value is 16 and set to 0)
I use kdu -dse 6 to re-enable DSE just in less than 30 sec. (i tried -dse 16 but it set it to 10)
Everything works perfectly until after minutes system crashes with bluescreen.
Event Log says :
The mrxsmb10 service failed to start due to the following error: Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
mrxsmb10 is a unsigned driver from Microsoft itself. How can i avoid this?
_Also out of curiosity how those unsigned drivers are loaded by Microsoft at first place it's like 100+ drivers with not certificate in system32/drivers ?
NalDrv seems to bug out
When trying to leverage KDU's 0 provider (NalDrv) I get the following error:
[#] Kernel Driver Utility v1.1.1 started, (c)2020 - 2021 KDU Project
[#] Build at Fri May 14 22:25:32 2021, header checksum 0x3E810
[#] Supported x64 OS : Windows 7 and above
[*] Windows version: 10.0 build 19043
[*] SecureBoot is disabled on this machine
[+] Selected provider: 0
[*] Driver mapping using shellcode version: 1
[+] Input driver file loaded at 0x00007FF605B60000
[+] Provider: CVE-2015-2291, Name "NalDrv"
[+] Drivers database "drv64.dll" loaded at 0x000001EB374E0002
[!] Vulnerable driver is already loaded
[+] Vulnerable driver opened
[+] Executing post-open callback for given provider
[+] Driver device security descriptor set successfully
[+] Victim driver map attempt 1 of 3
[+] Extracting victim driver "PROCEXP152" as "C:\Users\Jean\AppData\Local\Temp\PROCEXP152.sys"
[+] Victim driver loaded, handle 0x00000000000000EC
[+] Reading FILE_OBJECT at 0xFFFFC30ADBAA7260
[!] Could not read FILE_OBJECT at 0xFFFFC30ADBAA7260
[!] Error preloading victim driver, abort
[+] Victim driver unloaded
[!] Unable to unload vulnerable driver, NTSTATUS (0xC0000034)
[+] Return value: 0. Bye-bye!
When checking sysmon, I do not see any new event ID 6 loads for the NalDrv
I do see a reg entry for NalDrv being created by KDU, but the regentry does not specify a driver location.
lastely, in the readme.md, provider 0 is labeled as IQVM64, I think this is a mistake?
win 11
i cant load map driver or use dse in window 11
i got this
Abort: selected provider does not support HVCI
how to fix it ?
Unable to unload vulnerable driver, NTSTATUS (0xC0000010)
I get this error when I try kdu.exe -dse 6
[#] Kernel Driver Utility v1.2.8 (build 2212) started, (c)2020 - 2022 KDU Project
[#] Build at Fri Dec 9 07:44:47 2022, header checksum 0x4FDEE
[#] Supported x64 OS : Windows 7 and above
[*] CPU vendor string: AuthenticAMD
[*] Windows version: 10.0 build 22621
[*] SecureBoot is disabled on this machine
[+] MSFT Driver block list is disabled
[+] Drivers database "drv64.dll" loaded at 0x00007FF8A1280000
[+] Firmware type (FirmwareTypeUefi)
[+] Provider: "CVE-2015-2291", Name "NalDrv"
[!] Vulnerable driver is already loaded
[+] Driver device "NalDrv" has successfully opened
[+] Executing post-open callback for given provider
[+] Driver device security descriptor set successfully
[+] Module "CI.dll" loaded for pattern search
[!] Could not query DSE state, GetLastError 5
[!] Unable to unload vulnerable driver, NTSTATUS (0xC0000010)
[+] Return value: 0. Bye-bye!
I already tried kdu.exe -prv 0 1 2 3 and others I changed provider but still same. Here is -diag result
> [#] Kernel Driver Utility v1.2.8 (build 2212) started, (c)2020 - 2022 KDU Project
> [#] Build at Fri Dec 9 07:44:47 2022, header checksum 0x4FDEE
> [#] Supported x64 OS : Windows 7 and above
> [*] CPU vendor string: AuthenticAMD
> [*] Windows version: 10.0 build 22621
> [*] SecureBoot is disabled on this machine
> [+] MSFT Driver block list is disabled
> [+] Running system diagnostics
> > System range start FFFF800000000000
> > Speculation mitigation state flags
> >> SystemKernelVaShadowInformation
> KvaShadowEnabled ←[37mFALSE
> ←[37m KvaShadowUserGlobal ←[37mFALSE
> ←[37m KvaShadowPcid ←[37mFALSE
> ←[37m KvaShadowInvpcid ←[37mFALSE
> ←[37m KvaShadowRequired ←[37mFALSE
> ←[37m KvaShadowRequiredAvailable ←[32mTRUE
> ←[37m InvalidPteBit 0
> L1DataCacheFlushSupported ←[37mFALSE
> ←[37m L1TerminalFaultMitigationPresent ←[32mTRUE
> ←[37m >> SystemSpeculationControlInformation
> BpbEnabled ←[32mTRUE
> ←[37m BpbDisabledSystemPolicy ←[37mFALSE
> ←[37m BpbDisabledNoHardwareSupport ←[37mFALSE
> ←[37m SpecCtrlEnumerated ←[32mTRUE
> ←[37m SpecCmdEnumerated ←[32mTRUE
> ←[37m IbrsPresent ←[32mTRUE
> ←[37m StibpPresent ←[32mTRUE
> ←[37m SmepPresent ←[32mTRUE
> ←[37m SpeculativeStoreBypassDisableAvailable ←[32mTRUE
> ←[37m SpeculativeStoreBypassDisableSupported ←[32mTRUE
> ←[37m SpeculativeStoreBypassDisabledSystemWide ←[37mFALSE
> ←[37m SpeculativeStoreBypassDisabledKernel ←[37mFALSE
> ←[37m SpeculativeStoreBypassDisableRequired ←[32mTRUE
> ←[37m BpbDisabledKernelToUser ←[37mFALSE
> ←[37m SpecCtrlRetpolineEnabled ←[32mTRUE
> ←[37m SpecCtrlImportOptimizationEnabled ←[32mTRUE
> ←[37m EnhancedIbrs ←[37mFALSE
> ←[37m HvL1tfStatusAvailable ←[37mFALSE
> ←[37m HvL1tfProcessorNotAffected ←[37mFALSE
> ←[37m HvL1tfMigitationEnabled ←[37mFALSE
> ←[37m HvL1tfMigitationNotEnabled_Hardware ←[37mFALSE
> ←[37m HvL1tfMigitationNotEnabled_LoadOption ←[37mFALSE
> ←[37m HvL1tfMigitationNotEnabled_CoreScheduler ←[37mFALSE
> ←[37m EnhancedIbrsReported ←[32mTRUE
> ←[37m MdsHardwareProtected ←[37mFALSE
> ←[37m MbClearEnabled ←[37mFALSE
> ←[37m MbClearReported ←[32mTRUE
> ←[37m TsxCtrlStatus 3
> TsxCtrlReported ←[32mTRUE
> ←[37m TaaHardwareImmune ←[32mTRUE
> ←[37m >> SystemSpeculationControlInformation v2
> SbdrSsdpHardwareProtected ←[37mFALSE
> ←[37m FbsdpHardwareProtected ←[37mFALSE
> ←[37m PsdpHardwareProtected ←[37mFALSE
> ←[37m FbClearEnabled ←[37mFALSE
> ←[37m FbClearReported ←[32mTRUE
> ←[37m> List of loaded drivers
> [#] [ImageBase] [ImageSize] [FileName]
> 0 FFFFF80114400000 17068032 \SystemRoot\system32\ntoskrnl.exe
> 1 FFFFF801115C0000 24576 \SystemRoot\system32\hal.dll
> 2 FFFFF801115D0000 45056 \SystemRoot\system32\kd.dll
> 3 FFFFF80111580000 217088 \SystemRoot\system32\mcupdate_AuthenticAMD.dll
> 4 FFFFF80116A30000 450560 \SystemRoot\System32\drivers\CLFS.SYS
> 5 FFFFF80116A00000 167936 \SystemRoot\System32\drivers\tm.sys
> 6 FFFFF801115E0000 110592 \SystemRoot\system32\PSHED.dll
> 7 FFFFF80116AA0000 53248 \SystemRoot\system32\BOOTVID.dll
> 8 FFFFF80116BD0000 483328 \SystemRoot\System32\drivers\FLTMGR.SYS
> 9 FFFFF80116C80000 397312 \SystemRoot\System32\drivers\msrpc.sys
> 10 FFFFF80116C50000 180224 \SystemRoot\System32\drivers\ksecdd.sys
> 11 FFFFF80116AB0000 1130496 \SystemRoot\System32\drivers\clipsp.sys
> 12 FFFFF80116CF0000 61440 \SystemRoot\System32\drivers\cmimcext.sys
> 13 FFFFF80116D00000 90112 \SystemRoot\System32\drivers\werkernel.sys
> 14 FFFFF80116D20000 49152 \SystemRoot\System32\drivers\ntosext.sys
> 15 FFFFF80116D30000 991232 \SystemRoot\system32\CI.dll
> 16 FFFFF80116E30000 774144 \SystemRoot\System32\drivers\cng.sys
> 17 FFFFF80116EF0000 815104 \SystemRoot\system32\drivers\Wdf01000.sys
> 18 FFFFF80116FE0000 77824 \SystemRoot\system32\drivers\WppRecorder.sys
> 19 FFFFF80116FC0000 94208 \SystemRoot\system32\drivers\WDFLDR.SYS
> 20 FFFFF80117000000 57344 \SystemRoot\System32\DriverStore\FileRepository\prm.inf_amd64_de435dc5c75d64a5\PRM.sys
> 21 FFFFF80117010000 159744 \SystemRoot\System32\Drivers\acpiex.sys
> 22 FFFFF80117040000 114688 \SystemRoot\system32\drivers\SgrmAgent.sys
> 23 FFFFF80117060000 753664 \SystemRoot\System32\drivers\ACPI.sys
> 24 FFFFF80117120000 49152 \SystemRoot\System32\drivers\WMILIB.SYS
> 25 FFFFF80117130000 45056 \SystemRoot\System32\drivers\msisadrv.sys
> 26 FFFFF80117140000 565248 \SystemRoot\System32\drivers\pci.sys
> 27 FFFFF801171D0000 356352 \SystemRoot\System32\drivers\tpm.sys
> 28 FFFFF80117260000 483328 \SystemRoot\System32\drivers\intelpep.sys
> 29 FFFFF801172E0000 98304 \SystemRoot\system32\drivers\WindowsTrustedRT.sys
> 30 FFFFF80117300000 77824 \SystemRoot\System32\drivers\IntelPMT.sys
> 31 FFFFF80117320000 45056 \SystemRoot\System32\drivers\WindowsTrustedRTProxy.sys
> 32 FFFFF80117330000 90112 \SystemRoot\System32\drivers\pcw.sys
> 33 FFFFF80117350000 372736 \SystemRoot\System32\Drivers\klupd_klif_arkmon.sys
> 34 FFFFF801173B0000 114688 \SystemRoot\System32\drivers\vdrvroot.sys
> 35 FFFFF801173D0000 245760 \SystemRoot\system32\DRIVERS\cm_km.sys
> 36 FFFFF80117410000 200704 \SystemRoot\system32\drivers\pdc.sys
> 37 FFFFF80117450000 98304 \SystemRoot\system32\drivers\CEA.sys
> 38 FFFFF80117470000 208896 \SystemRoot\System32\drivers\partmgr.sys
> 39 FFFFF801174B0000 921600 \SystemRoot\System32\drivers\spaceport.sys
> 40 FFFFF801175A0000 114688 \SystemRoot\System32\drivers\volmgr.sys
> 41 FFFFF801175C0000 409600 \SystemRoot\System32\drivers\volmgrx.sys
> 42 FFFFF80117630000 126976 \SystemRoot\System32\drivers\mountmgr.sys
> 43 FFFFF80117650000 204800 \SystemRoot\System32\drivers\storahci.sys
> 44 FFFFF80117690000 1159168 \SystemRoot\System32\drivers\storport.sys
> 45 FFFFF801177B0000 241664 \SystemRoot\System32\drivers\stornvme.sys
> 46 FFFFF801177F0000 147456 \SystemRoot\System32\drivers\EhStorClass.sys
> 47 FFFFF80117820000 114688 \SystemRoot\System32\drivers\fileinfo.sys
> 48 FFFFF80117840000 290816 \SystemRoot\System32\Drivers\Wof.sys
> 49 FFFFF80117890000 487424 \SystemRoot\system32\drivers\wd\WdFilter.sys
> 50 FFFFF80117910000 3366912 \SystemRoot\System32\Drivers\Ntfs.sys
> 51 FFFFF80117C50000 61440 \SystemRoot\System32\Drivers\Fs_Rec.sys
> 52 FFFFF80117C60000 1630208 \SystemRoot\system32\drivers\ndis.sys
> 53 FFFFF80117DF0000 647168 \SystemRoot\system32\drivers\NETIO.SYS
> 54 FFFFF80117E90000 217088 \SystemRoot\System32\Drivers\ksecpkg.sys
> 55 FFFFF80117ED0000 53248 \SystemRoot\System32\drivers\amdpsp.sys
> 56 FFFFF80117EE0000 3338240 \SystemRoot\System32\drivers\tcpip.sys
> 57 FFFFF80118210000 536576 \SystemRoot\System32\drivers\fwpkclnt.sys
> 58 FFFFF801182A0000 200704 \SystemRoot\System32\drivers\wfplwfs.sys
> 59 FFFFF801182E0000 868352 \SystemRoot\System32\DRIVERS\fvevol.sys
> 60 FFFFF801183C0000 45056 \SystemRoot\System32\drivers\volume.sys
> 61 FFFFF801183D0000 458752 \SystemRoot\System32\drivers\volsnap.sys
> 62 FFFFF80118450000 331776 \SystemRoot\System32\drivers\rdyboost.sys
> 63 FFFFF801184B0000 159744 \SystemRoot\System32\Drivers\mup.sys
> 64 FFFFF801184E0000 172032 \SystemRoot\System32\Drivers\klupd_klif_klbg.sys
> 65 FFFFF80118510000 77824 \SystemRoot\system32\drivers\iorate.sys
> 66 FFFFF80118550000 131072 \SystemRoot\System32\drivers\disk.sys
> 67 FFFFF80118580000 479232 \SystemRoot\System32\drivers\CLASSPNP.SYS
> 68 FFFFF801232D0000 163840 \SystemRoot\System32\Drivers\crashdmp.sys
> 69 FFFFF80123000000 102400 \SystemRoot\system32\DRIVERS\klbackupdisk.sys
> 70 FFFFF80123020000 204800 \SystemRoot\System32\drivers\cdrom.sys
> 71 FFFFF80123060000 581632 \SystemRoot\system32\DRIVERS\klflt.sys
> 72 FFFFF801230F0000 204800 \SystemRoot\system32\DRIVERS\klbackupflt.sys
> 73 FFFFF80123130000 90112 \SystemRoot\system32\drivers\filecrypt.sys
> 74 FFFFF80123150000 65536 \SystemRoot\system32\drivers\tbs.sys
> 75 FFFFF80123170000 1064960 \SystemRoot\system32\DRIVERS\klif.sys
> 76 FFFFF80124BE0000 544768 \SystemRoot\system32\DRIVERS\ks.sys
> 77 FFFFF80124200000 1871872 \SystemRoot\system32\DRIVERS\klhk.sys
> 78 FFFFF801243D0000 720896 \SystemRoot\system32\DRIVERS\klgse.sys
> 79 FFFFF80124490000 77824 \SystemRoot\system32\DRIVERS\klpd.sys
> 80 FFFFF801244B0000 118784 \SystemRoot\system32\DRIVERS\kldisk.sys
> 81 FFFFF801244D0000 45056 \SystemRoot\System32\Drivers\Null.SYS
> 82 FFFFF801244E0000 40960 \SystemRoot\System32\Drivers\Beep.SYS
> 83 FFFFF801244F0000 4689920 \SystemRoot\System32\drivers\dxgkrnl.sys
> 84 FFFFF80124970000 139264 \SystemRoot\System32\drivers\watchdog.sys
> 85 FFFFF801249A0000 94208 \SystemRoot\System32\DriverStore\FileRepository\basicdisplay.inf_amd64_02da009b3d736cc1\BasicDisplay.sys
> 86 FFFFF801249C0000 73728 \SystemRoot\System32\DriverStore\FileRepository\basicrender.inf_amd64_f7df692e0f5ee07f\BasicRender.sys
> 87 FFFFF801249E0000 114688 \SystemRoot\System32\Drivers\Npfs.SYS
> 88 FFFFF80124A00000 73728 \SystemRoot\System32\Drivers\Msfs.SYS
> 89 FFFFF80124A20000 163840 \SystemRoot\System32\Drivers\CimFS.SYS
> 90 FFFFF80124A50000 147456 \SystemRoot\system32\DRIVERS\klwfp.sys
> 91 FFFFF80124A80000 147456 \SystemRoot\system32\DRIVERS\tdx.sys
> 92 FFFFF80124AB0000 69632 \SystemRoot\system32\DRIVERS\TDI.SYS
> 93 FFFFF80124AD0000 331776 \SystemRoot\System32\DRIVERS\netbt.sys
> 94 FFFFF80124B30000 81920 \SystemRoot\system32\drivers\afunix.sys
> 95 FFFFF80124C70000 688128 \SystemRoot\system32\drivers\afd.sys
> 96 FFFFF80124D20000 315392 \SystemRoot\system32\DRIVERS\klwtp.sys
> 97 FFFFF80124D70000 90112 \SystemRoot\system32\DRIVERS\klim6.sys
> 98 FFFFF80124D90000 110592 \SystemRoot\System32\drivers\vwififlt.sys
> 99 FFFFF80124DB0000 176128 \SystemRoot\System32\drivers\pacer.sys
> 100 FFFFF80124DE0000 86016 \SystemRoot\System32\drivers\ndiscap.sys
> 101 FFFFF80124B50000 86016 \SystemRoot\system32\drivers\netbios.sys
> 102 FFFFF80126480000 819200 \SystemRoot\System32\drivers\Vid.sys
> 103 FFFFF80126550000 163840 \SystemRoot\System32\drivers\winhvr.sys
> 104 FFFFF80126580000 86016 \SystemRoot\system32\DRIVERS\klpnpflt.sys
> 105 FFFFF80126000000 512000 \SystemRoot\system32\DRIVERS\rdbss.sys
> 106 FFFFF80126080000 262144 \SystemRoot\System32\drivers\ViGEmBus.sys
> 107 FFFFF801260D0000 77824 \SystemRoot\system32\drivers\nsiproxy.sys
> 108 FFFFF801260F0000 65536 \SystemRoot\System32\drivers\npsvctrig.sys
> 109 FFFFF80126110000 69632 \SystemRoot\System32\drivers\mssmbios.sys
> 110 FFFFF80126130000 299008 \SystemRoot\system32\DRIVERS\kneps.sys
> 111 FFFFF80126180000 229376 \??\C:\ProgramData\Kaspersky Lab\AVP21.3\Bases\klids.sys
> 112 FFFFF801261C0000 184320 \SystemRoot\System32\Drivers\dfsc.sys
> 113 FFFFF80126230000 450560 \SystemRoot\System32\Drivers\fastfat.SYS
> 114 FFFFF801262A0000 106496 \SystemRoot\system32\drivers\bam.sys
> 115 FFFFF801262C0000 376832 \SystemRoot\system32\DRIVERS\ahcache.sys
> 116 FFFFF80126320000 61440 \SystemRoot\System32\drivers\amdxe.sys
> 117 FFFFF80126330000 176128 \SystemRoot\System32\drivers\amdfendr.sys
> 118 FFFFF80126360000 81920 \SystemRoot\System32\DriverStore\FileRepository\compositebus.inf_amd64_2e50c98177d80a40\CompositeBus.sys
> 119 FFFFF80126380000 61440 \SystemRoot\System32\drivers\kdnic.sys
> 120 FFFFF80126390000 114688 \SystemRoot\System32\DriverStore\FileRepository\amdsafd.inf_amd64_1a1a381a2c0e293c\amdsafd.sys
> 121 FFFFF801263B0000 471040 \SystemRoot\System32\drivers\portcls.sys
> 122 FFFFF80126430000 143360 \SystemRoot\System32\drivers\drmk.sys
> 123 FFFFF80126460000 65536 \SystemRoot\system32\drivers\ksthunk.sys
> 124 FFFFF801265A0000 94208 \SystemRoot\System32\DriverStore\FileRepository\umbus.inf_amd64_8ee833e5ca48d1de\umbus.sys
> 125 FFFFF801270D0000 667648 \SystemRoot\System32\drivers\USBXHCI.SYS
> 126 FFFFF80127180000 286720 \SystemRoot\system32\drivers\ucx01000.sys
> 127 FFFFF80126600000 712704 \SystemRoot\System32\DriverStore\FileRepository\rt25cx21x64.inf_amd64_affac63db0770a78\rt25cx21x64.sys
> 128 FFFFF801266B0000 389120 \SystemRoot\system32\drivers\NetAdapterCx.sys
> 129 FFFFF801388D0000 94785536 \SystemRoot\System32\DriverStore\FileRepository\u0386458.inf_amd64_e0283e9e7966f704\B386218\amdkmdag.sys
> 130 FFFFF8013E340000 192512 \SystemRoot\System32\drivers\HDAudBus.sys
> 131 FFFFF8013E370000 45056 \SystemRoot\System32\drivers\AMDPCIDev.sys
> 132 FFFFF8013E380000 53248 \SystemRoot\System32\drivers\amdgpio2.sys
> 133 FFFFF8013E390000 208896 \SystemRoot\System32\Drivers\msgpioclx.sys
> 134 FFFFF8013E3D0000 53248 \SystemRoot\System32\drivers\wmiacpi.sys
> 135 FFFFF80138600000 282624 \SystemRoot\System32\drivers\amdppm.sys
> 136 FFFFF80138650000 45056 \SystemRoot\System32\drivers\amdgpio3.sys
> 137 FFFFF80138660000 69632 \SystemRoot\System32\DriverStore\FileRepository\uefi.inf_amd64_3abb917fc03c6fa8\UEFI.sys
> 138 FFFFF801386E0000 40960 \SystemRoot\System32\drivers\amdfendrmgr.sys
> 139 FFFFF801386F0000 61440 \SystemRoot\System32\drivers\dtliteusbbus.sys
> 140 FFFFF80138700000 57344 \SystemRoot\System32\drivers\NdisVirtualBus.sys
> 141 FFFFF80138710000 49152 \SystemRoot\System32\DriverStore\FileRepository\swenum.inf_amd64_d84a235075a8ff73\swenum.sys
> 142 FFFFF80138720000 45056 \SystemRoot\System32\drivers\AWCCDriver.sys
> 143 FFFFF80138730000 69632 \SystemRoot\System32\drivers\HidHide.sys
> 144 FFFFF80138750000 45056 \SystemRoot\System32\drivers\dtlitescsibus.sys
> 145 FFFFF80138760000 65536 \SystemRoot\System32\drivers\rdpbus.sys
> 146 FFFFF80138780000 712704 \SystemRoot\System32\drivers\UsbHub3.sys
> 147 FFFFF80138830000 61440 \SystemRoot\System32\drivers\USBD.SYS
> 148 FFFFF80138840000 253952 \SystemRoot\system32\drivers\AtihdWT6.sys
> 149 FFFFF80126710000 528384 \SystemRoot\System32\drivers\HdAudio.sys
> 150 FFFFF80138880000 77824 \SystemRoot\System32\drivers\hidusb.sys
> 151 FFFFF80138680000 278528 \SystemRoot\System32\drivers\HIDCLASS.SYS
> 152 FFFFF801388A0000 90112 \SystemRoot\System32\drivers\HIDPARSE.SYS
> 153 FFFFF8013E3E0000 69632 \SystemRoot\System32\drivers\mouhid.sys
> 154 FFFFF801267A0000 106496 \SystemRoot\system32\DRIVERS\klmouflt.sys
> 155 FFFFF801267C0000 86016 \SystemRoot\System32\drivers\mouclass.sys
> 156 FFFFF801267E0000 73728 \SystemRoot\System32\drivers\kbdhid.sys
> 157 FFFFF80126800000 102400 \SystemRoot\system32\DRIVERS\klkbdflt.sys
> 158 FFFFF80126820000 86016 \SystemRoot\System32\drivers\kbdclass.sys
> 159 FFFFF80126840000 163840 \SystemRoot\System32\drivers\USBSTOR.SYS
> 160 FFFFF80126870000 221184 \SystemRoot\System32\drivers\usbccgp.sys
> 161 FFFFFD379FB50000 696320 \SystemRoot\System32\win32k.sys
> 162 FFFFF801386D0000 49152 \SystemRoot\System32\WIN32KSGD.SYS
> 163 FFFFFD379F600000 3604480 \SystemRoot\System32\win32kbase.sys
> 164 FFFFFD37A06A0000 3837952 \SystemRoot\System32\win32kfull.sys
> 165 FFFFF801268D0000 69632 \SystemRoot\System32\Drivers\dump_dumpstorport.sys
> 166 FFFFF80126930000 241664 \SystemRoot\System32\drivers\dump_stornvme.sys
> 167 FFFFF80126990000 122880 \SystemRoot\System32\Drivers\dump_dumpfve.sys
> 168 FFFFF801269B0000 1138688 \SystemRoot\System32\drivers\dxgmms2.sys
> 169 FFFFF80126AD0000 122880 \SystemRoot\System32\drivers\monitor.sys
> 170 FFFFFD37A0A50000 286720 \SystemRoot\System32\cdd.dll
> 171 FFFFF80126AF0000 356352 \SystemRoot\System32\drivers\WUDFRd.sys
> 172 FFFFF80126B50000 81920 \SystemRoot\system32\drivers\bfs.sys
> 173 FFFFF80126B70000 172032 \SystemRoot\system32\drivers\luafv.sys
> 174 FFFFF80126BA0000 241664 \SystemRoot\system32\drivers\wcifs.sys
> 175 FFFFF80126BE0000 196608 \SystemRoot\System32\drivers\rdpdr.sys
> 176 FFFFF801388C0000 61440 \SystemRoot\System32\drivers\WpdUpFltr.sys
> 177 FFFFF80126C20000 573440 \SystemRoot\system32\drivers\cldflt.sys
> 178 FFFFF80126CB0000 110592 \SystemRoot\system32\drivers\storqosflt.sys
> 179 FFFFF80126CD0000 163840 \SystemRoot\system32\drivers\bindflt.sys
> 180 FFFFF80126D00000 155648 \SystemRoot\system32\DRIVERS\bowser.sys
> 181 FFFFF80126D30000 434176 \SystemRoot\system32\drivers\msquic.sys
> 182 FFFFF80126DA0000 655360 \SystemRoot\system32\DRIVERS\mrxsmb.sys
> 183 FFFFF80126E50000 323584 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
> 184 FFFFF80126EA0000 102400 \SystemRoot\system32\drivers\lltdio.sys
> 185 FFFFF80126EC0000 102400 \SystemRoot\system32\drivers\mslldp.sys
> 186 FFFFF80126EE0000 118784 \SystemRoot\system32\drivers\rspndr.sys
> 187 FFFFF80126F00000 126976 \SystemRoot\System32\DRIVERS\wanarp.sys
> 188 FFFFF80126F20000 757760 \SystemRoot\system32\DRIVERS\nwifi.sys
> 189 FFFFF80126FE0000 102400 \SystemRoot\system32\drivers\ndisuio.sys
> 190 FFFFF80127000000 110592 \SystemRoot\System32\drivers\mpsdrv.sys
> 191 FFFFF80127020000 90112 \SystemRoot\system32\drivers\mmcss.sys
> 192 FFFFF80127040000 53248 \??\C:\Windows\system32\AMDRyzenMasterDriver.sys
> 193 FFFFF80127050000 372736 \SystemRoot\System32\DRIVERS\srvnet.sys
> 194 FFFFF80123300000 856064 \SystemRoot\system32\drivers\peauth.sys
> 195 FFFFF801574B0000 872448 \SystemRoot\System32\DRIVERS\srv2.sys
> 196 FFFFF80157590000 77824 \SystemRoot\System32\drivers\condrv.sys
> 197 FFFFF801575B0000 266240 \SystemRoot\System32\Drivers\klupd_klif_mark.sys
> 198 FFFFF80156600000 6111232 \??\C:\Users\hiper\OneDrive\Masa³st³\KDmapper\NalDrv.sys
> 199 FFFFF80156BE0000 1777664 \SystemRoot\system32\drivers\HTTP.sys
> 200 FFFFF80156DA0000 352256 \SystemRoot\System32\Drivers\klupd_klif_klark.sys
> > List of device and driver objects in the common locations
> \ -> clfs
> \ -> FatCdrom
> \ -> Fat
> \ -> Ntfs
> \Device -> 0000006a
> \Device -> 00000058
> \Device -> GPIO_1
> \Device -> 00000044
> \Device -> NTPNP_PCI0030
> \Device -> NTPNP_PCI0002
> \Device -> 00000030
> \Device -> Nal
> \Device -> 00000068
> \Device -> USBPDO-9
> \Device -> 00000054
> \Device -> GPIO_2
> \Device -> AmdLog
> \Device -> KLIM6_DUMMYklim6
> \Device -> NTPNP_PCI0031
> \Device -> NTPNP_PCI0003
> \Device -> 00000064
> \Device -> USBPDO-5
> \Device -> 00000050
> \Device -> MSGpioClassExt0
> \Device -> NTPNP_PCI0032
> \Device -> NTPNP_PCI0004
> \Device -> MSSGRMAGENTSYS
> \Device -> 0000000f
> \Device -> MMCSS
> \Device -> lltdio
> \Device -> 00000074
> \Device -> 00000060
> \Device -> USBPDO-1
> \Device -> Bam
> \Device -> Psched
> \Device -> Tcp6
> \Device -> NTPNP_PCI0033
> \Device -> NTPNP_PCI0005
> \Device -> 0000001f
> \Device -> 0000000b
> \Device -> Ndisuio
> \Device -> 00000070
> \Device -> FakeVid10
> \Device -> RaidPort0
> \Device -> NTPNP_PCI0034
> \Device -> NTPNP_PCI0006
> \Device -> 0000002f
> \Device -> 0000001b
> \Device -> 00000009
> \Device -> SrvAdmin
> \Device -> FakeVid11
> \Device -> FakeVid8
> \Device -> KlDiskCtl
> \Device -> RaidPort1
> \Device -> 0000003f
> \Device -> NTPNP_PCI0035
> \Device -> NTPNP_PCI0007
> \Device -> 0000002b
> \Device -> 00000019
> \Device -> 00000005
> \Device -> FakeVid12
> \Device -> FakeVid4
> \Device -> 0000004f
> \Device -> ahcache
> \Device -> NTPNP_PCI0036
> \Device -> 0000003b
> \Device -> NTPNP_PCI0008
> \Device -> 00000029
> \Device -> 00000015
> \Device -> 00000001
> \Device -> FakeVid13
> \Device -> FakeVid0
> \Device -> 0000005f
> \Device -> _HID00000001
> \Device -> 0000004b
> \Device -> IPSECDOSP
> \Device -> NTPNP_PCI0037
> \Device -> 00000039
> \Device -> NTPNP_PCI0009
> \Device -> 00000025
> \Device -> 00000011
> \Device -> klnkd_061303_KLIF
> \Device -> PEAuth
> \Device -> FakeVid14
> \Device -> 0000005b
> \Device -> 00000049
> \Device -> NTPNP_PCI0038
> \Device -> 00000035
> \Device -> 00000021
> \Device -> WMIDataDevice
> \Device -> MPS
> \Device -> FakeVid15
> \Device -> 0000006b
> \Device -> 00000059
> \Device -> 00000045
> \Device -> Spaceport
> \Device -> NTPNP_PCI0039
> \Device -> 00000031
> \Device -> LanmanDatagramReceiver
> \Device -> 00000069
> \Device -> 00000055
> \Device -> vwififlt
> \Device -> WFPL2DPConfig
> \Device -> ConDrv
> \Device -> RdpDrPort
> \Device -> UMDFCtrlDev-38762bd4-7e0f-11ed-8c4e-806e6f6e6963
> \Device -> 00000065
> \Device -> USBPDO-6
> \Device -> 00000051
> \Device -> Tcp
> \Device -> DxgKrnl
> \Device -> NTPNP_PCI0010
> \Device -> 00000075
> \Device -> 00000061
> \Device -> RealTekCard{C71C7B73-2EA3-4E74-A704-ECD4A71B8E26}
> \Device -> USBPDO-2
> \Device -> USBFDO-0
> \Device -> Null
> \Device -> NTPNP_PCI0011
> \Device -> 0000000c
> \Device -> WANARP
> \Device -> 00000071
> \Device -> Udp6
> \Device -> NamedPipe
> \Device -> NTPNP_PCI0012
> \Device -> 0000001c
> \Device -> LLDPCTRL
> \Device -> RdpDrDvMgr
> \Device -> FakeVid9
> \Device -> Video0
> \Device -> Kneps
> \Device -> NTPNP_PCI0013
> \Device -> 0000002c
> \Device -> 00000006
> \Device -> FakeVid5
> \Device -> Video1
> \Device -> NXTIPSEC
> \Device -> KsecDD
> \Device -> 0000003c
> \Device -> NTPNP_PCI0014
> \Device -> 00000016
> \Device -> 00000002
> \Device -> DeviceApi
> \Device -> FakeVid1
> \Device -> Video2
> \Device -> _HID00000002
> \Device -> 0000004c
> \Device -> WFPL2
> \Device -> MountPointManager
> \Device -> NTPNP_PCI0015
> \Device -> 00000026
> \Device -> CNG
> \Device -> 00000012
> \Device -> SrvNet
> \Device -> Video3
> \Device -> 0000005c
> \Device -> lwm
> \Device -> 00000036
> \Device -> NTPNP_PCI0016
> \Device -> 00000022
> \Device -> KMDF0
> \Device -> 0000006c
> \Device -> Video4
> \Device -> HidHide
> \Device -> 00000046
> \Device -> NTPNP_PCI0017
> \Device -> 00000032
> \Device -> Video5
> \Device -> 00000056
> \Device -> KLWTP_DUMMY
> \Device -> 00000042
> \Device -> NTPNP_PCI0018
> \Device -> UMDFCtrlDev-38762bd0-7e0f-11ed-8c4e-806e6f6e6963
> \Device -> Video6
> \Device -> 00000066
> \Device -> USBPDO-7
> \Device -> 00000052
> \Device -> netadaptercx0
> \Device -> WFP
> \Device -> NTPNP_PCI0019
> \Device -> 00000076
> \Device -> Video7
> \Device -> 00000062
> \Device -> USBPDO-3
> \Device -> USBFDO-1
> \Device -> amdpsp
> \Device -> 0000000d
> \Device -> WwanProt
> \Device -> 00000072
> \Device -> DrDynVc
> \Device -> Mailslot
> \Device -> HarddiskVolume1
> \Device -> RawCdRom
> \Device -> 0000001d
> \Device -> WANARPV6
> \Device -> kneps_DUMMY
> \Device -> RawIp6
> \Device -> RawIp
> \Device -> Tdx
> \Device -> HarddiskVolumeShadowCopy1
> \Device -> HarddiskVolume2
> \Device -> VolMgrControl
> \Device -> 0000002d
> \Device -> 00000007
> \Device -> FakeVid6
> \Device -> PointerClass0
> \Device -> Nsi
> \Device -> FsWrap
> \Device -> HarddiskVolume3
> \Device -> Mup
> \Device -> kl_cm.{EE198DD8-F4ED-4799-A748-5A130DE3050E}
> \Device -> 0000003d
> \Device -> NTPNP_PCI0020
> \Device -> WindowsTrustedRT
> \Device -> 00000017
> \Device -> 00000003
> \Device -> FakeVid2
> \Device -> PointerClass1
> \Device -> _HID00000003
> \Device -> 0000004d
> \Device -> Udp
> \Device -> HarddiskVolume4
> \Device -> RawTape
> \Device -> NTPNP_PCI0021
> \Device -> 00000027
> \Device -> 00000013
> \Device -> klark_041403_KLIF
> \Device -> Bfs
> \Device -> 0000005d
> \Device -> RdpBus
> \Device -> KLWTP
> \Device -> HarddiskVolume5
> \Device -> 00000037
> \Device -> NTPNP_PCI0022
> \Device -> 00000023
> \Device -> 0000006d
> \Device -> 00000047
> \Device -> HarddiskVolume6
> \Device -> NTPNP_PCI0023
> \Device -> 00000033
> \Device -> rspndr
> \Device -> UMDFCtrlDev-38762bfc-7e0f-11ed-8c4e-c5ba839355fb
> \Device -> UMDFCtrlDev-38762bf3-7e0f-11ed-8c4e-c5ba839355fb
> \Device -> 00000057
> \Device -> NetBt_Wins_Export
> \Device -> 00000043
> \Device -> HarddiskVolume7
> \Device -> FileInfo
> \Device -> NTPNP_PCI0024
> \Device -> 00000067
> \Device -> HarddiskVolume8
> \Device -> USBPDO-8
> \Device -> 00000053
> \Device -> klbg_111403_KLIF
> \Device -> arkmon_021304_KLIF
> \Device -> NTPNP_PCI0025
> \Device -> RESOURCE_HUB
> \Device -> 00000063
> \Device -> HarddiskVolume9
> \Device -> KeyboardClass0
> \Device -> USBPDO-4
> \Device -> KLIM6klim6
> \Device -> WfpAle
> \Device -> Ndis
> \Device -> NTPNP_PCI0026
> \Device -> 0000000e
> \Device -> 00000073
> \Device -> KeyboardClass1
> \Device -> USBPDO-0
> \Device -> DfsClient
> \Device -> PartmgrControl
> \Device -> PcwDrv
> \Device -> NTPNP_PCI0027
> \Device -> 0000001e
> \Device -> 0000000a
> \Device -> KeyboardClass2
> \Device -> UCX0
> \Device -> KLWFP_DUMMY
> \Device -> RdyBoost
> \Device -> NTPNP_PCI0028
> \Device -> PciControl
> \Device -> 0000002e
> \Device -> 0000001a
> \Device -> 00000008
> \Device -> Srv2
> \Device -> AMDRyzenMasterDriverV19
> \Device -> FakeVid7
> \Device -> KeyboardClass3
> \Device -> Netbios
> \Device -> Beep
> \Device -> eQoS
> \Device -> 0000003e
> \Device -> RawDisk
> \Device -> NTPNP_PCI0029
> \Device -> 0000002a
> \Device -> 00000018
> \Device -> 00000004
> \Device -> FakeVid3
> \Device -> KeyboardClass4
> \Device -> _HID00000004
> \Device -> 0000004e
> \Device -> NetBT_Tcpip_{C71C7B73-2EA3-4E74-A704-ECD4A71B8E26}
> \Device -> VRegDriver
> \Device -> Afd
> \Device -> 0000003a
> \Device -> 00000028
> \Device -> 00000014
> \Device -> KeyboardClass5
> \Device -> 0000005e
> \Device -> _HID00000000
> \Device -> AWCCDevice
> \Device -> 0000004a
> \Device -> NameResTrk
> \Device -> BitLocker
> \Device -> 00000038
> \Device -> NTPNP_PCI0000
> \Device -> 00000024
> \Device -> 00000010
> \Device -> 0000006e
> \Device -> 0000005a
> \Device -> 00000048
> \Device -> 00000034
> \Device -> NTPNP_PCI0001
> \Device -> 00000020
> \Driver -> klkbdflt
> \Driver -> amdgpio2
> \Driver -> fvevol
> \Driver -> vdrvroot
> \Driver -> NetBT
> \Driver -> acpiex
> \Driver -> Wdf01000
> \Driver -> mpsdrv
> \Driver -> storahci
> \Driver -> MMCSS
> \Driver -> lltdio
> \Driver -> bam
> \Driver -> Psched
> \Driver -> BasicRender
> \Driver -> disk
> \Driver -> HTTP
> \Driver -> NalDrv
> \Driver -> Ndisuio
> \Driver -> stornvme
> \Driver -> klupd_klif_arkmon
> \Driver -> WscVReg
> \Driver -> monitor
> \Driver -> ahcache
> \Driver -> iorate
> \Driver -> pcw
> \Driver -> klupd_klif_klark
> \Driver -> AmdPPM
> \Driver -> rt25cx21
> \Driver -> Ucx01000
> \Driver -> USBXHCI
> \Driver -> partmgr
> \Driver -> PEAUTH
> \Driver -> MsLldp
> \Driver -> klmouflt
> \Driver -> AWCCDriver
> \Driver -> Vid
> \Driver -> klim6
> \Driver -> ACPI_HAL
> \Driver -> amdgpio3
> \Driver -> spaceport
> \Driver -> USBSTOR
> \Driver -> HidUsb
> \Driver -> vwififlt
> \Driver -> condrv
> \Driver -> DXGKrnl
> \Driver -> PnpManager
> \Driver -> RDPDR
> \Driver -> Null
> \Driver -> intelpep
> \Driver -> PRM
> \Driver -> wanarp
> \Driver -> SoftwareDevice
> \Driver -> kneps
> \Driver -> klflt
> \Driver -> CLFS
> \Driver -> WindowsTrustedRTProxy
> \Driver -> AMDXE
> \Driver -> NdisCap
> \Driver -> KSecDD
> \Driver -> volmgr
> \Driver -> DeviceApi
> \Driver -> umbus
> \Driver -> klpnpflt
> \Driver -> klbackupdisk
> \Driver -> CNG
> \Driver -> Win32k
> \Driver -> amdfendrmgr
> \Driver -> npsvctrig
> \Driver -> volume
> \Driver -> KSecPkg
> \Driver -> TPM
> \Driver -> mouclass
> \Driver -> HidHide
> \Driver -> NativeWifiP
> \Driver -> msisadrv
> \Driver -> IntelPMT
> \Driver -> kbdclass
> \Driver -> dtliteusbbus
> \Driver -> AMDPCIDev
> \Driver -> mouhid
> \Driver -> dtlitescsibus
> \Driver -> AMDSAFD
> \Driver -> volsnap
> \Driver -> amdpsp
> \Driver -> GPIOClx0101
> \Driver -> nsiproxy
> \Driver -> WMIxWDM
> \Driver -> MsQuic
> \Driver -> tdx
> \Driver -> WindowsTrustedRT
> \Driver -> HDAudBus
> \Driver -> BasicDisplay
> \Driver -> rdpbus
> \Driver -> klwtp
> \Driver -> klhk
> \Driver -> kbdhid
> \Driver -> AtiHDAudioService
> \Driver -> UEFI
> \Driver -> pdc
> \Driver -> rspndr
> \Driver -> WpdUpFltr
> \Driver -> WmiAcpi
> \Driver -> klupd_klif_klbg
> \Driver -> HdAudAddService
> \Driver -> NetAdapterCx
> \Driver -> mssmbios
> \Driver -> klwfp
> \Driver -> volmgrx
> \Driver -> pci
> \Driver -> NdisVirtualBus
> \Driver -> kdnic
> \Driver -> cdrom
> \Driver -> NDIS
> \Driver -> cm_km
> \Driver -> swenum
> \Driver -> amdfendr
> \Driver -> klids
> \Driver -> rdyboost
> \Driver -> WFPLWFS
> \Driver -> Tcpip
> \Driver -> SgrmAgent
> \Driver -> klupd_klif_mark
> \Driver -> AMDRyzenMasterDriverV19
> \Driver -> USBHUB3
> \Driver -> Beep
> \Driver -> kldisk
> \Driver -> usbccgp
> \Driver -> amdwddmg
> \Driver -> AFD
> \Driver -> mountmgr
> \Driver -> ksthunk
> \Driver -> ViGEmBus
> \Driver -> afunix
> \Driver -> WudfRd
> \Driver -> CompositeBus
> \Driver -> EhStorClass
> \Driver -> ACPI
> > Process (self) handle trace
> >> 0xFFFFF80114ACCFD7, \SystemRoot\system32\ntoskrnl.exe, base 0xFFFFF80114400000
> >> 0xFFFFF80114ACD423, \SystemRoot\system32\ntoskrnl.exe, base 0xFFFFF80114400000
> >> 0xFFFFF8011483D4E8, \SystemRoot\system32\ntoskrnl.exe, base 0xFFFFF80114400000
> >> 0x00007FF8B60EF2C4, ntdll.dll, base 0x00007FF8B6050000
> >> 0x00007FF63FC0F928, kdu.exe, base 0x00007FF63FC00000
> >> 0x00007FF63FC0FD5C, kdu.exe, base 0x00007FF63FC00000
> >> 0x00007FF63FC0FFEB, kdu.exe, base 0x00007FF63FC00000
> >> 0x00007FF63FC09F3D, kdu.exe, base 0x00007FF63FC00000
> >> 0x00007FF63FC0A829, kdu.exe, base 0x00007FF63FC00000
> >> 0x00007FF63FC0AA0E, kdu.exe, base 0x00007FF63FC00000
> >> 0x00007FF63FC10820, kdu.exe, base 0x00007FF63FC00000
> >> 0x00007FF8B44C26BD, KERNEL32.DLL, base 0x00007FF8B44B0000
> >> 0x00007FF8B60ADFB8, ntdll.dll, base 0x00007FF8B6050000
> > Thread handle trace
> >> 0xFFFFF80114BB1522, \SystemRoot\system32\ntoskrnl.exe, base 0xFFFFF80114400000
> >> 0xFFFFF80114BB1303, \SystemRoot\system32\ntoskrnl.exe, base 0xFFFFF80114400000
> >> 0xFFFFF8011483D4E8, \SystemRoot\system32\ntoskrnl.exe, base 0xFFFFF80114400000
> >> 0x00007FF8B60F14D4, ntdll.dll, base 0x00007FF8B6050000
> >> 0x00007FF63FC0F997, kdu.exe, base 0x00007FF63FC00000
> >> 0x00007FF63FC0FD5C, kdu.exe, base 0x00007FF63FC00000
> >> 0x00007FF63FC0FFEB, kdu.exe, base 0x00007FF63FC00000
> >> 0x00007FF63FC09F3D, kdu.exe, base 0x00007FF63FC00000
> >> 0x00007FF63FC0A829, kdu.exe, base 0x00007FF63FC00000
> >> 0x00007FF63FC0AA0E, kdu.exe, base 0x00007FF63FC00000
> >> 0x00007FF63FC10820, kdu.exe, base 0x00007FF63FC00000
> >> 0x00007FF8B44C26BD, KERNEL32.DLL, base 0x00007FF8B44B0000
> >> 0x00007FF8B60ADFB8, ntdll.dll, base 0x00007FF8B6050000
> > Process (1188) handle trace
> Cannot open process, NTSTATUS (0xC0000022)
> > Section handle trace
> >> 0xFFFFF80114ACF260, \SystemRoot\system32\ntoskrnl.exe, base 0xFFFFF80114400000
> >> 0xFFFFF80114ACF3CC, \SystemRoot\system32\ntoskrnl.exe, base 0xFFFFF80114400000
> >> 0xFFFFF8011483D4E8, \SystemRoot\system32\ntoskrnl.exe, base 0xFFFFF80114400000
> >> 0x00007FF8B60EF744, ntdll.dll, base 0x00007FF8B6050000
> >> 0x00007FF63FC0FABB, kdu.exe, base 0x00007FF63FC00000
> >> 0x00007FF63FC0FE06, kdu.exe, base 0x00007FF63FC00000
> >> 0x00007FF63FC0FFEB, kdu.exe, base 0x00007FF63FC00000
> >> 0x00007FF63FC09F3D, kdu.exe, base 0x00007FF63FC00000
> >> 0x00007FF63FC0A829, kdu.exe, base 0x00007FF63FC00000
> >> 0x00007FF63FC0AA0E, kdu.exe, base 0x00007FF63FC00000
> >> 0x00007FF63FC10820, kdu.exe, base 0x00007FF63FC00000
> >> 0x00007FF8B44C26BD, KERNEL32.DLL, base 0x00007FF8B44B0000
> >> 0x00007FF8B60ADFB8, ntdll.dll, base 0x00007FF8B6050000
> > Analyzing process working set
> >> ThreadId [10820] Pc 00007FF8B60EF184 (ntdll.dll) : Va 00007FF8B60EF185 (ntdll.dll)
> >> ThreadId [10820] Pc 00007FF8B60EF184 (ntdll.dll) : Va 000000000014CE09 (Unknown)
> >> ThreadId [10820] Pc 00007FF63FC0F4AF (kdu.exe) : Va 00007FF63FC0F4AF (kdu.exe)
> >> ThreadId [10820] Pc 00007FF63FC0F4C2 (kdu.exe) : Va 000000000014CE31 (Unknown)
> >> ThreadId [10820] Pc 00007FF63FC0F4D3 (kdu.exe) : Va 00007FF63FC2A609 (kdu.exe)
> >> ThreadId [10820] Pc 00007FF8B60EF118 (ntdll.dll) : Va 000000007FFE0309 (Unknown)
> > List of registered minifilters
> >> bindflt
> >> WdFilter
> >> KLIF
> >> storqosflt
> >> wcifs
> >> CldFlt
> >> bfs
> >> FileCrypt
> >> luafv
> >> klbackupflt
> >> npsvctrig
> >> Wof
> >> FileInfo
> > Physical memory layout
> ResourceList Count 1
> pDesc[0].PartialResourceList.Count 7
> #0 Flags 0x0000 0x0000000000001000::0x00000000000A0000 (length 0x000000000009F000, 0 Mb)
> #1 Flags 0x0000 0x0000000000100000::0x0000000009E02000 (length 0x0000000009D02000, 157 Mb)
> #2 Flags 0x0000 0x000000000A000000::0x000000000A200000 (length 0x0000000000200000, 2 Mb)
> #3 Flags 0x0000 0x000000000A20E000::0x000000000B000000 (length 0x0000000000DF2000, 13 Mb)
> #4 Flags 0x0000 0x000000000B020000::0x00000000CB147000 (length 0x00000000C0127000, 3073 Mb)
> #5 Flags 0x0000 0x00000000CDBFF000::0x00000000CF000000 (length 0x0000000001401000, 20 Mb)
> #6 Flags 0x0200 0x0000000100000000::0x000000042F380000 (length 0x000000032F380000, 13043 Mb)
> [+] Return value: 1. Bye-bye!
a question please
hello friends
and thank you for your hard works
i have a questions please
i compiled a driver using examples from this repo
i want to use ZwProtectVirtualMemory
but as described only ntoskrnl symbols was resolved
so i tried to find its address and direct use it
using MmGetSystemRoutineAddress
but i will get BSOD KMOD_UNHANDLED_ECECPTION
isnt this code should work ? as i only used ntoskrnl symbols to locate function in kernel and use it
and if not
is there any better way to solve ?
i want to change protection of user mod process
and __try __except those are not usefull in maped driver ?
error
[#] Kernel Driver Utility v1.3.3 (build 2307) started, (c)2020 - 2023 KDU Project
[#] Built at Fri Sep 1 14:29:34 2023, header checksum 0x81FE7
[#] Supported x64 OS : Windows 7 and above
[] Debug Mode Run, several features (like a shellcode proper generation) will be unavailable
[] CPU vendor string: AuthenticAMD
[] Windows version: 10.0 build 22621
[] SecureBoot is enabled on this machine
[] WHQL enforcement ENABLED
[+] MSFT Driver block list is disabled
[] Driver mapping using shellcode version: 1
[+] Input driver file "KernelCheatYT.sys" loaded at 0x00007FF6FE660000
[+] MSFT hypervisor present
[!] Cannot load drivers database, GetLastError 126: The specified module could not be found.
[+] Return value: 0. Bye-bye!
Could not load drivers database.
I have been using KDU for a while now and all of a sudden I'm getting this error?
I can't seem to find any more about this issue besides it's 0xC000005? Doesn't matter what provider I use.
suggestion: add "patchguard dance" from wind
would it be possible to add the "patchguard dance" from https://github.com/katlogic/WindowsD to prevent bsod after touching dse state?
[Enhancement] Add PassMark LPE-ready driver
Demo for references, https://gist.github.com/hfiref0x/33985b7694c06bc8ee6d8385efadb85e
Driver details:
SHA256, EV certificate, full of bugs and vulnerabilities.
Dedicated previous CVE id: CVE-2020-15481, CVE-2020-15480
CVE vendor response:
CVE-2020-15480, Ban LSTAR and SYSENTER_EIP_MSR from readmsr IOCTL.
CVE-2020-15481, disputable CVE, when loaded with PassMark software DirectIO driver device despite having default SD will be created with DO_EXCLUSIVE object flags, thus it won't allow multiple handles and potential PoC won't work unless they somehow got into PassMark program address space which require elevation or another exploit. PassMark addressed this with regenerating IOCTL's values and leaving everything as is.
PassMark DirectIO mapping routines for reference https://gist.github.com/hfiref0x/fb822ab89c9f10c46deb172c961ce7bf
unable to load venerable driver
Unable to load vulnerable driver, NTSTATUS (0xC000009A)
Return value: 0
I get this error when I use "kdu -dse 6"
any way to fix?
List of checked providers
Below is the list of drivers checked during KDU development which are for some reason(s) did not get the opportunity to get into it.
-
AMI amifldrv64.sys - from BIOS flashing tool, based on MAPMEM. Disadvantage: driver is very old.
-
ASUS AsIO3.sys - from infamous EneTech dev who loves to copy-paste from Google.
Driver locked, unlocking rep for reference https://github.com/hfiref0x/AsIo3Unlock. Disadvantage is requirement to use AsusCertService application as zombie proxy for registering AsIO3 "trusted" application. Besides it is still the same WINIO just WHQL signed in Dec 2020. -
ATI atillk64.sys - respective CVE ids: CVE-2019-7246, CVE-2020-12138. Disadvantages are: driver is very old and provides access to physical memory through MmMapIoSpace which limits it use.
-
DELL PC Doctror pcdsrvc_x64.sys - Driver locked, unlocking requires sending IOCTL with specific value as "key" 0xA1B2C3D4. Disadvantage is MmMapIoSpace. -
GPU-Z gpu-z.sys driver - respective CVE id: CVE-2019-7245. Disadvantage is MmMapIoSpace.
-
miHoYo mhyprot2.sys driver - anti-cheat driver from Chinese game company. Itself a wormhole with functionality to read/write to the virtual memory of arbitrary processes and read arbitrary kernel memory. Driver is locked, unlocking code is available. Disadvantages: does not provide write access to kernel/physical memory, extensive size (>1 Mb).
-
Razer Synapse rzpnk.sys driver - respective CVE id: CVE-2017-14398. Despite having amazing features on board this driver doesn't allow physical memory access beyond 4Gb as it truncates addresses above. In general it is unusable for main KDU tasks. -
Supermicro superbmc.sys driver - based on MAPMEM. Disadvantage: this driver has initialization bug which result in BSOD on it load at certain conditions.
-
VirtualBox vboxdrv.sys from Chinese APT which is different to original Turla group driver. While they utilize the same unpatched exploit of VBox 1.6-2.x it uses different driver and original exploit code need a little tweak to work with it. Disadvantages: driver is old, since 1.6 experience it is known that vboxdrv is exclusively bugged, implementing this will require a lot of additional code as it need different approach for code execution.
-
Some AMI BIOS flashing drivers based on WINIO, unfortunately they expect bus address to be 32 bit long.
-
Lalla NVME Pin driver - device driver from NVMECraft bundle. Contains MmMapIoSpace arbitrary read/write primitive, however due to driver bug it abuse is way too complicated.
-
Getac gtckmdfbs driver. Contain full set of wormhole features, however memory physical address is limited to ULONG limit.
and dozens I/O drivers based on WINIO and WinRing0 from various HW vendors.
[Support] Bad image format when trying to map a driver
Hi,
Whenever I try to map a driver, I get a bad image format exception. I've tried with two I've compiled on my home system now. I have sign task off and when I register them as a service using your DSE disable function they load normally. Do I need to enable some other compile-time switch to fit the "driverless" protocol?
Thanks
Critical Structure Corruption BSOD
I have some question,
- Do I need to run '-dse 0' after using '-dse 6'?
- Does CRITICAL_STRUCTURE_CORRUPTION BSOD have todo with KDU?
- Do I have to do anything after using KDU, like revert back something?
I dont know how or why my pc just got BSOD sometime even after I restarted my pc, happens after i use '-dse 6' and '-map driver.sys' on kdu.
Randomly BSOD
Hello hfiref0x i am testing with a weird issue let me explain. I have 2 computers both uses the same Windows 10 edition (Professional) and build (the latest) 19041.1023, on the first computer i don't get BSOD never but on the second i get BSOD after some minutes after modifiying CI.DLL value (i always restore the original value) the BSOD error code is CRITICAL_STRUCTURE_CORRUPTION - CI.DLL. This happened to me before i fixed it by reinstalling Windows with a the latest version via USB, its there any alternative to the reinstall? Thanks.
vulnerable driver is already loaded
friend of mine cant load the driver but for me its work we use same windows version 22621.1413 windows 11
me
friend
what is the issue here?
BSOD KMODE_EXEPTION_NOT_HANDLED
Hello
i got BSOD KMODE_EXEPTION_NOT_HANDLED
when i -map my driver
driver dont have any params and unload driver set to NULL
what is issue
thank you
please teach me
If I try to use PsSetCreateProcessNotifyRoutine, it will return 0xc0000022. If I use WskRegister, it will directly blue screen. Is there any solution? thanks!
The following is part of the dump information:
KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common BugCheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: 000000000000a13e, The address that the exception occurred at
Arg3: 0000000000000008, Parameter 0 of the exception
Arg4: 000000000000a13e, Parameter 1 of the exception
Debugging Details:
*** WARNING: Unable to verify checksum for win32k.sys
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 4624
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 10453
Key : Analysis.Init.CPU.mSec
Value: 562
Key : Analysis.Init.Elapsed.mSec
Value: 11240
Key : Analysis.Memory.CommitPeak.Mb
Value: 80
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
BUGCHECK_CODE: 1e
BUGCHECK_P1: ffffffffc0000005
BUGCHECK_P2: a13e
BUGCHECK_P3: 8
BUGCHECK_P4: a13e
WRITE_ADDRESS: fffff8067eafa390: Unable to get MiVisibleState
Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
unable to get nt!MmSpecialPagesInUse
000000000000a13e
EXCEPTION_PARAMETER1: 0000000000000008
EXCEPTION_PARAMETER2: 000000000000a13e
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
CUSTOMER_CRASH_COUNT: 1
PROCESS_NAME: System
TRAP_FRAME: ffff800000000000 -- (.trap 0xffff800000000000)
Unable to read trap frame at ffff8000`00000000
STACK_TEXT:
fffffd8cb9171bf8 fffff8067e259ecb : 000000000000001e ffffffffc0000005 000000000000a13e 0000000000000008 : nt!KeBugCheckEx
fffffd8cb9171c00 fffff8067e2092ac : 0000000000001000 fffffd8cb91724a0 ffff800000000000 0000000000000000 : nt!KiDispatchException+0x17467b
fffffd8cb91722c0 fffff8067e205443 : 0000000000000c10 ffffe91085f6ac10 0000000000000000 000000000a2af350 : nt!KiExceptionDispatch+0x12c
fffffd8cb91724a0 000000000000a13e : ffff9c84f39be413 0000000000000000 0000000000000000 0000000000000000 : nt!KiPageFault+0x443
fffffd8cb9172638 ffff9c84f39be413 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0xa13e
fffffd8cb9172640 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0xffff9c84`f39be413
SYMBOL_NAME: nt!KiDispatchException+17467b
MODULE_NAME: nt
IMAGE_NAME: ntkrnlmp.exe
IMAGE_VERSION: 10.0.19041.1237
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 17467b
FAILURE_BUCKET_ID: 0x1E_c0000005_nt!KiDispatchException
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {1f8f9473-8a73-d8e8-6f8e-f77ccc1647ea}
Followup: MachineOwner
Disabling DSE with the drivers DBUtil v2.3 and v2.5 shows BSOD
Hi hfiref0x,
first many thanks and much respect to your hard work. It is always nice to see someone skilled releasing sources for others to learn. This is much appreciated. I myself have used your DSEFix extensively to load unsigned drivers since years. Lately I switched to KDU and got a BSOD on the DBUtil providers. The details and a potential fix follow below.
With DBUtil v2.3 driver we get a BSOD on Windows 10 and an instant reboot on Windows 7. The problem is related to the function "DbUtilWriteVirtualMemory" in the source code file "KDU-master\Source\Hamakaze\idrv\dbutil.cpp". The size of the structure which DBUtil accepts for input is increased by the following code line:
size = ALIGN_UP_BY(value, PAGE_SIZE);
Because DBUtil v2.3 uses the buffer size specified in DeviceIoControl as the size to transfer, it writes 4096 bytes to the virtual kernel address where g_CiOptions on Windows 10 and g_CiEnable on Windows 7 variable is located. Because this write occurs on read only memory we see a BSOD. We corrected this by setting the "size" variable equal to "value" in the source code like follows:
value = FIELD_OFFSET(DBUTIL_READWRITE_REQUEST, Data) + NumberOfBytes;
//size = ALIGN_UP_BY(value, PAGE_SIZE);
size = value;
The same should be implemented for the function "DbUtilReadVirtualMemory", but this does not cause a BSOD, because the memory is only read and not written for 4096 bytes.
In addition we tested the DBUtil v2.5 driver, which does not even install correctly. This is related to the function "DbUtilManageFiles" in the same source code file. This function first unpacks the driver to the program directory and afterwards extracts the INF and CAT files to the TEMP directory. Therefore the INF can not find the driver and the installation does not work. We also patched this with the following code change:
//cch = supExpandEnvironmentStrings(L"%temp%\\", szFileName, MAX_PATH);
lstrcpy(szFileName, Context->DriverFileName);
lpEnd = wcsrchr(szFileName, '\\');
*(lpEnd + 1) = 0;
//if (cch == 0 || cch > MAX_PATH) {
// SetLastError(ERROR_NOT_ENOUGH_MEMORY);
//}
//else {
We should implement this patch two times for the install and the uninstall part of this function. If we would only apply the 2nd unpacking patch, we can see that the driver DBUtil v2.5 does also cause a BSOD for the same reason as DBUtil v2.3 driver. Therefore the 1st patch does also solve the problem with DBUtil v2.5. After all patches are applied we can change DSE successfully with both providers.
I have attached a fixed and already patched source code file with comments. I hope that helps in fixing the little DBUtil bug.
Keep the amazing stuff coming!
Greets Kai Schtrom
Error
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.