
Comments (11)

hfiref0x commented on July 24, 2024

The drv64.dll (tanikaze) file is corrupted or built with incorrect/corrupted data.

from kdu.

bditt commented on July 24, 2024

The drv64.dll (tanikaze) file is corrupted or built with incorrect/corrupted data.

Hm.... I was using the released version, but I'll try building it myself.

bditt commented on July 24, 2024

Hm.... I was using the released version, but I'll try building it myself.

When building, I get 2 errors:
error MSB3073: The command "F:\Source Codes\KDU-1.1.1\Source\Hamakaze\Utils\GenAsIo2Unlock .\output\x64\Release\kdu.exe
error MSB3073: :VCEnd" exited with code 9009.

Is this what is causing the issues?

bditt commented on July 24, 2024

Hm.... I was using the released version, but I'll try building it myself.

When building, I get 2 errors: error MSB3073: The command "F:\Source Codes\KDU-1.1.1\Source\Hamakaze\Utils\GenAsIo2Unlock .\output\x64\Release\kdu.exe error MSB3073: :VCEnd" exited with code 9009.

Is this what is causing the issues?

Fixed this issue, but still getting error 2 aka 0xC000005 "Could not load drivers database"

hadevn commented on July 24, 2024

Yeah, same for me! Could not load drivers database

hfiref0x commented on July 24, 2024

The 3rd party software on your machine may cause it.

bditt commented on July 24, 2024

The 3rd party software on your machine may cause it.

I have tried on a fresh install on my other PC, along with multiple other PCs with friends, and it hasn't worked on any of them.

Any other suggestions?

Why would the prebuilt version have issues now when it never did before?

hfiref0x commented on July 24, 2024

Windows update, WD update, moon phase.
Run procmon, dependency walker - any tracer and post a log.

hfiref0x commented on July 24, 2024

Windows 11 21H2 - all crapware features disabled except TPM, no 3rd party software installed.

C:\>ver

Microsoft Windows [Version 10.0.22000.318]

C:\>git clone https://github.com/hfiref0x/kdu rep
Cloning into 'rep'...
remote: Enumerating objects: 692, done.
remote: Counting objects: 100% (692/692), done.
remote: Compressing objects: 100% (402/402), done.
remote: Total 692 (delta 446), reused 522 (delta 284), pack-reused 0
Receiving objects: 100% (692/692), 2.46 MiB | 2.29 MiB/s, done.

Resolving deltas: 100% (446/446), done.

C:\>cd rep\bin

C:\rep\Bin>kdu -prv 14 -map c:\rep\bin\dummy.sys
[#] Kernel Driver Utility v1.1.1 started, (c)2020 - 2021 KDU Project
[#] Build at Fri May 14 22:25:32 2021, header checksum 0x3E810
[#] Supported x64 OS : Windows 7 and above
[*] Windows version: 10.0 build 22000
[*] SecureBoot is disabled on this machine
[+] Selected provider: 14
[*] Driver mapping using shellcode version: 1
[+] Input driver file loaded at 0x00007FF615F10000
[+] Provider: PassMark DirectIO, Name "DirectIo64"
[+] Drivers database "drv64.dll" loaded at 0x0000017CCDF80002
[+] Extracting vulnerable driver as "C:\rep\Bin\DirectIo64.sys"
[+] Vulnerable driver "DirectIo64" loaded
[+] Vulnerable driver opened
[+] Executing post-open callback for given provider
[+] Driver device security descriptor set successfully
[+] Victim driver map attempt 1 of 3
[+] Extracting victim driver "PROCEXP152" as "C:\Users\admin\AppData\Local\Temp\PROCEXP152.sys"
[+] Victim driver loaded, handle 0x00000000000000B0
[+] Reading FILE_OBJECT at 0xFFFF80075C692600
[+] Reading DEVICE_OBJECT at 0xFFFF800758A9DE00
[+] Reading DRIVER_OBJECT at 0xFFFF800758334E00
[+] Victim IRP_MJ_DEVICE_CONTROL 0xFFFFF80445E82220
[+] Victim DriverUnload 0xFFFFF80445E83280
[+] Loaded ntoskrnl base 0xFFFFF80437E00000
[+] Ntoskrnl.exe mapped at 0x7FF79B1A0000
[+] Resolving kernel import for input driver
[+] Resolving payload import
[*] ZwClose 0xFFFFF80438211B20
[*] PsCreateSystemThread 0xFFFFF804384C8C00
[+] Resolving base shellcode import
[*] MmSectionObjectType 0xFFFFF80438B069A0
[*] ExAllocatePoolWithTag 0xFFFFF8043886B900
[*] ExFreePoolWithTag 0xFFFFF8043886B010
[*] IofCompleteRequest 0xFFFFF80438134910
[*] ZwMapViewOfSection 0xFFFFF80438211E40
[*] ZwUnmapViewOfSection 0xFFFFF80438211E80
[*] ObReferenceObjectByHandle 0xFFFFF8043856D690
[*] ObfDereferenceObject 0xFFFFF80438105630
[*] KeSetEvent 0xFFFFF8043812ECA0
[+] Bootstrap code size = 0x2D5
[+] Driver IRP_MJ_DEVICE_CONTROL handler code modified
[+] Run shellcode
[~] Shellcode result: NTSTATUS (0x0)
[+] Victim driver unloaded
[+] Vulnerable driver unloaded
[+] Vulnerable driver file removed
[+] Return value: 1. Bye-bye!

123

I've no confirmation of any of your claims and so far I haven't seen anything except "something does not work here" - this doesn't work this way if you want help or this is a bug that needs to be fixed.

I want you to post exact steps to reproduce your problem, logs of KDU execution, your software configuration, your loaded drivers list at the moment of the issue. If it is detected by WD for some reason I need to know the signature name.

However, if this behaviour is a result of some crappy anti-cheat filter driver work then I won't help you because this project is not intended for bypassing anti-cheat crapware.

Update on W11 after installing latest cumulative patch.

C:\>ver

Microsoft Windows [Version 10.0.22000.348]

C:\>cd rep\bin

C:\rep\Bin>kdu -prv 14 -map c:\rep\bin\dummy.sys
[#] Kernel Driver Utility v1.1.1 started, (c)2020 - 2021 KDU Project
[#] Build at Fri May 14 22:25:32 2021, header checksum 0x3E810
[#] Supported x64 OS : Windows 7 and above
[*] Windows version: 10.0 build 22000
[*] SecureBoot is disabled on this machine
[+] Selected provider: 14
[*] Driver mapping using shellcode version: 1
[+] Input driver file loaded at 0x00007FF753650000
[+] Provider: PassMark DirectIO, Name "DirectIo64"
[+] Drivers database "drv64.dll" loaded at 0x00000192459D0002
[+] Extracting vulnerable driver as "C:\rep\Bin\DirectIo64.sys"
[+] Vulnerable driver "DirectIo64" loaded
[+] Vulnerable driver opened
[+] Executing post-open callback for given provider
[+] Driver device security descriptor set successfully
[+] Victim driver map attempt 1 of 3
[+] Extracting victim driver "PROCEXP152" as "C:\Users\admin\AppData\Local\Temp\PROCEXP152.sys"
[+] Victim driver loaded, handle 0x00000000000000C0
[+] Reading FILE_OBJECT at 0xFFFFE40AACAA31C0
[+] Reading DEVICE_OBJECT at 0xFFFFE40AAC7F19F0
[+] Reading DRIVER_OBJECT at 0xFFFFE40AA6148B50
[+] Victim IRP_MJ_DEVICE_CONTROL 0xFFFFF80078DA2220
[+] Victim DriverUnload 0xFFFFF80078DA3280
[+] Loaded ntoskrnl base 0xFFFFF8006FC00000
[+] Ntoskrnl.exe mapped at 0x7FF60AEB0000
[+] Resolving kernel import for input driver
[+] Resolving payload import
[*] ZwClose 0xFFFFF80070011F70
[*] PsCreateSystemThread 0xFFFFF800702C8CD0
[+] Resolving base shellcode import
[*] MmSectionObjectType 0xFFFFF800709069A0
[*] ExAllocatePoolWithTag 0xFFFFF8007066B900
[*] ExFreePoolWithTag 0xFFFFF8007066B010
[*] IofCompleteRequest 0xFFFFF8006FF349D0
[*] ZwMapViewOfSection 0xFFFFF80070012290
[*] ZwUnmapViewOfSection 0xFFFFF800700122D0
[*] ObReferenceObjectByHandle 0xFFFFF8007036D9E0
[*] ObfDereferenceObject 0xFFFFF8006FF056F0
[*] KeSetEvent 0xFFFFF8006FF2ED60
[+] Bootstrap code size = 0x2D5
[+] Driver IRP_MJ_DEVICE_CONTROL handler code modified
[+] Run shellcode
[~] Shellcode result: NTSTATUS (0x0)
[+] Victim driver unloaded
[+] Vulnerable driver unloaded
[+] Vulnerable driver file removed
[+] Return value: 1. Bye-bye!

Nothing.

from kdu.
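
For defenders reading the two runs above: each one writes a `.sys` file next to the tool and another under `%TEMP%`, loads both, and removes the first afterwards. The following is an added example, not part of the thread or the KDU project, that correlates Sysmon-style FileCreate (11), DriverLoad (6) and FileDelete (23) records to flag that pattern; the record layout, timestamps, trusted-directory list and 30-second window are assumptions.

```python
from datetime import datetime, timedelta
from ntpath import normcase  # Windows path rules, usable on any OS

# Constructed records, not real telemetry. "id" follows Sysmon event IDs:
# 11 = FileCreate, 6 = DriverLoad, 23 = FileDelete. Paths mirror the ones
# printed in the log above; timestamps are invented for the example.
EVENTS = [
    {"id": 11, "time": "2000-01-01 10:00:01", "path": r"C:\rep\Bin\DirectIo64.sys"},
    {"id": 6,  "time": "2000-01-01 10:00:02", "path": r"C:\rep\Bin\DirectIo64.sys"},
    {"id": 11, "time": "2000-01-01 10:00:03",
     "path": r"C:\Users\admin\AppData\Local\Temp\PROCEXP152.sys"},
    {"id": 6,  "time": "2000-01-01 10:00:03",
     "path": r"C:\Users\admin\AppData\Local\Temp\PROCEXP152.sys"},
    {"id": 23, "time": "2000-01-01 10:00:05", "path": r"C:\rep\Bin\DirectIo64.sys"},
    {"id": 6,  "time": "2000-01-01 09:00:00",
     "path": r"C:\Windows\System32\drivers\tcpip.sys"},
]

# Assumption: drivers normally load from these directories.
TRUSTED_DIRS = ("c:\\windows\\system32\\drivers\\",
                "c:\\windows\\system32\\driverstore\\")
WINDOW = timedelta(seconds=30)  # assumed correlation window


def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")


def suspicious_driver_loads(events):
    """Return (path, reasons) for driver loads outside trusted directories."""
    created, deleted = {}, {}
    for e in events:
        bucket = {11: created, 23: deleted}.get(e["id"])
        if bucket is not None:
            bucket.setdefault(normcase(e["path"]), []).append(_ts(e))
    findings = []
    for e in events:
        path, loaded = normcase(e["path"]), _ts(e)
        if e["id"] != 6 or path.startswith(TRUSTED_DIRS):
            continue
        reasons = ["loaded from outside system driver directories"]
        if any(timedelta(0) <= loaded - c <= WINDOW for c in created.get(path, [])):
            reasons.append("file written shortly before load")
        if any(timedelta(0) <= d - loaded <= WINDOW for d in deleted.get(path, [])):
            reasons.append("file deleted shortly after load")
        findings.append((e["path"], reasons))
    return findings
```
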

bditt commented on July 24, 2024

Okay, I was an idiot, seems you need the drv64.dll dll.
I wasn't packaging it before, but I guess I need to package it now.
Sorry for wasting your time.

dmnlocco commented on July 24, 2024

Hm.... I was using the released version, but I'll try building it myself.

When building, I get 2 errors: error MSB3073: The command "F:\Source Codes\KDU-1.1.1\Source\Hamakaze\Utils\GenAsIo2Unlock .\output\x64\Release\kdu.exe error MSB3073: :VCEnd" exited with code 9009.

Is this what is causing the issues?

How to fix this?
