hoshimin / kernel-bridge
Windows kernel hacking framework, driver template, hypervisor and API written in C++
License: GNU General Public License v3.0
Hello @HoShiMin
Can you please guide me on how to intercept KUSER_SHARED_DATA using the hypervisor?
I know it's possible using EPT but I just don't know how to do it using KbVmmInterceptPage
Thanks
Please let us know when we can have an ARM64 version for Windows on ARM OS. We can help you test; we have a Windows on Raspberry Pi setup. Please pursue it; we at the Windows on Raspberry Pi community will be glad to extend support in testing your drivers and tools for ARM64.
I'm trying to hexdump another process and I don't really know how to find the mapped regions of the target process. Do you have any idea if there's already a relatively simple method to do that?
Best regards!
I tried with NtSuspendThread before, but it returned 0xC00000022.
Waiting for your Intel VT production ^_^
Hey there,
KbReadProcessMemory fails with error 158 (ERROR_NOT_LOCKED). The driver loads without any errors.
For my project I use "User-Bridge" wrappers as standalone .cpp/.h modules.
Driver version: v1.19
BOOL status = KbReadProcessMemory(
    GetPidByName(L"process.exe"),
    Address,
    &buf,
    size
);
if (status == 0) {
    cout << GetLastError() << endl;
}
Any ideas how this could be fixed?
#include <stdexcept>
After the target process has terminated, there will still be a PFN left on the system,
and it BSODs when the memory manager's procedure tries to scan all PFNs and finds a stale PFN.
Hello,
I tried loading the signed binaries but I get the message "a certificate was explicitly revoked by its issuer".
I used the api incorrectly
CommPortListener events are never called; it gets stuck in the Subscribe function.
I tried to debug the problem; it's something in this line
"Status = Self->Port.Recv(reinterpret_cast<CommPortPacket*>(&Message));"
in the ListenerThread function.
Any ideas what could be the problem?
P.S.: the same problem is happening for TestObCallbacks; the event listener is never called.
Hello,
I've looked at the hypervisor API; however, it only starts and stops the virtualization. How is it possible to catch a CPUID instruction while the hypervisor is running and change the result values?
Is this possible with the API, or is a source code change needed?
While testing, I noticed that reading process memory using Kernel-Bridge is slower than a small driver I wrote.
I checked, and it seems KB is mapping MDLs and then copies the memory, while all I need is using METHOD_OUT_DIRECT to get a kernel-address-space buffer, attach to the target process, copy memory and detach.
I wonder if such a thing, or something close, is possible in KB?
CppSupport
struct MyStruct1 {
    int a;
    int b;
};
struct MyStruct2 {
    int a;
    int b;
    MyStruct1* s1;
};
auto s2 = new MyStruct2();
s2->s1 = new MyStruct1();
...
delete s2->s1; // BSOD
auto s1 = new MyStruct1();
delete s1; // Not BSOD
Is there any example of how to load unsigned drivers with that library?
https://github.com/HoShiMin/Kernel-Bridge/blob/master/User-Bridge/API/User-Bridge.cpp#L507
https://github.com/HoShiMin/Kernel-Bridge/blob/master/User-Bridge/API/User-Bridge.cpp#L565
The KbMapMdl and KbMapMemory functions have a UserRequestedAddress argument, but it is not passed to the KB_MAP_MDL_IN input struct.
Hello,
I am trying to use your framework to learn kernel exploit development. The first thing I am trying to do is to get the base address of notepad++.exe but I can't seem to get it working. Do you mind showing me how to achieve this?
So far my code is:
typedef NTSTATUS(NTAPI *_NtQueryInformationProcess)(
    IN HANDLE ProcessHandle,
    ULONG ProcessInformationClass,
    OUT PVOID ProcessInformation,
    IN ULONG ProcessInformationLength,
    OUT PULONG ReturnLength OPTIONAL
);
typedef NTSTATUS(NTAPI *_NtReadVirtualMemory)(
    IN HANDLE ProcessHandle,
    IN PVOID BaseAddress,
    OUT PVOID Buffer,
    IN SIZE_T Size,
    OUT PSIZE_T NumberOfBytesRead);
typedef NTSTATUS(NTAPI *_NtWow64ReadVirtualMemory64)(
    IN HANDLE ProcessHandle,
    IN PVOID64 BaseAddress,
    OUT PVOID Buffer,
    IN ULONG64 Size,
    OUT PULONG64 NumberOfBytesRead);
typedef struct _PROCESS_BASIC_INFORMATION_WOW64 {
    PVOID Reserved1[2];
    PVOID64 PebBaseAddress;
    PVOID Reserved2[4];
    ULONG_PTR UniqueProcessId[2];
    PVOID Reserved3[2];
} PROCESS_BASIC_INFORMATION_WOW64;
typedef struct _UNICODE_STRING_WOW64 {
    USHORT Length;
    USHORT MaximumLength;
    PVOID64 Buffer;
} UNICODE_STRING_WOW64;
... main method ...
bool driver_status = KbLoader::KbLoadAsDriver(L"C:\\Development\\Kernel-Bridge.sys");
if (driver_status)
{
    const wchar_t* ProcessName = L"notepad++.exe";
    ULONG pid = 1234;
    WdkTypes::HANDLE hProcess = NULL;
    KbOpenProcess(pid, &hProcess);
    BOOL wow = FALSE;
    // Pass the handle value itself, not the address of the variable:
    IsWow64Process(reinterpret_cast<HANDLE>(hProcess), &wow);
    if (wow)
    {
        // IsWow64Process reports TRUE for a 32-bit process running under WOW64
        std::cout << "Process is a 32-bit WOW64 process" << std::endl;
        PROCESS_BASIC_INFORMATION_WOW64 pbi;
        ZeroMemory(&pbi, sizeof(pbi));
        // get process information from the 64-bit world;
        // NtWow64QueryInformationProcess64 is exported by ntdll.dll, not by the target executable
        _NtQueryInformationProcess query = (_NtQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtWow64QueryInformationProcess64");
        NTSTATUS q = (NTSTATUS)0xC0000001L; // STATUS_UNSUCCESSFUL until the call succeeds
        if (query)
            q = query(reinterpret_cast<HANDLE>(hProcess), 0 /* ProcessBasicInformation */, &pbi, sizeof(pbi), NULL);
        if (q != 0)
        {
            printf("NtWow64QueryInformationProcess64 failed\n");
        }
        else
        {
            std::cout << "B: " << pbi.PebBaseAddress << std::endl;
        }
    }
    KbCloseHandle(hProcess);
}
KbWriteProcessMemory writes to a static address; reopening the process will not restore the previous data.
Hi, you can use
https://github.com/wbenny/KSOCKET
KSOCKET is a Windows kernel socket library.
It's very easy to use; you can implement it.
But there is no user-mode way to use it; it's kernel only.
It just needs some wrapper.
Maybe you can do it in Kernel-Bridge.
Also check out the Linux version:
https://github.com/hbagdi/ksocket
How to use the EPT hook?
Mapping any driver, even the simplest:
auto test = KbRtl::KbRtlMapDriverFile(L"C:\\dummy.sys", L"KBFM");
fmt::print("test {0} ", test);
produces KbLdrImportNotResolved. Can someone provide me a dummy driver example, or explain to me what this error means and how to fix it?
#include <ntddk.h>
extern "C" DRIVER_INITIALIZE DriverEntry;
namespace {
    UNICODE_STRING DeviceName = RTL_CONSTANT_STRING(L"\\Device\\KBFM");
    UNICODE_STRING DeviceLink = RTL_CONSTANT_STRING(L"\\??\\KBFM");
    PDEVICE_OBJECT DeviceInstance = NULL;
}
#define IO_INCREMENT_VALUE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0001, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define IO_RECEIVE_RANDOM_BUFFER CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0002, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
EXTERN_C_START
static NTSTATUS IoControl(PDEVICE_OBJECT DeviceObject, PIRP Irp);
// DriverUnload routines return VOID, so no cast to PDRIVER_UNLOAD is needed
static VOID UnloadDriver(PDRIVER_OBJECT DriverObject);
static NTSTATUS CreateCall(PDEVICE_OBJECT DeviceObject, PIRP irp);
static NTSTATUS CloseCall(PDEVICE_OBJECT DeviceObject, PIRP irp);
EXTERN_C_END
extern "C" NTSTATUS NTAPI DriverEntry(
    _In_ PDRIVER_OBJECT DriverObject,
    _In_ PUNICODE_STRING RegistryPath
) {
    UNREFERENCED_PARAMETER(RegistryPath);
    NTSTATUS Status = IoCreateDevice(DriverObject, 0, &DeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, &DeviceInstance);
    if (!NT_SUCCESS(Status)) {
        KdPrint(("[KBFM]: IoCreateDevice Error!\r\n"));
        return Status;
    }
    Status = IoCreateSymbolicLink(&DeviceLink, &DeviceName);
    if (!NT_SUCCESS(Status)) {
        KdPrint(("[KBFM]: IoCreateSymbolicLink Error!\r\n"));
        IoDeleteDevice(DeviceInstance);
        return Status;
    }
    DriverObject->MajorFunction[IRP_MJ_CREATE] = CreateCall;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = CloseCall;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = IoControl;
    DriverObject->DriverUnload = UnloadDriver;
    return STATUS_SUCCESS;
}
static VOID UnloadDriver(PDRIVER_OBJECT DriverObject)
{
    KdPrint(("[KBFM]: Unload routine called!\r\n"));
    IoDeleteSymbolicLink(&DeviceLink);
    IoDeleteDevice(DriverObject->DeviceObject);
}
static NTSTATUS CreateCall(PDEVICE_OBJECT DeviceObject, PIRP irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);
    KdPrint(("[KBFM]: Create called!\r\n"));
    irp->IoStatus.Status = STATUS_SUCCESS;
    irp->IoStatus.Information = 0;
    IoCompleteRequest(irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}
static NTSTATUS CloseCall(PDEVICE_OBJECT DeviceObject, PIRP irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);
    KdPrint(("[KBFM]: Close called!\r\n"));
    irp->IoStatus.Status = STATUS_SUCCESS;
    irp->IoStatus.Information = 0;
    IoCompleteRequest(irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}
static NTSTATUS IoControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);
    NTSTATUS Status = STATUS_INVALID_PARAMETER;
    ULONG BytesIO = 0;
    const IO_STACK_LOCATION stack = *IoGetCurrentIrpStackLocation(Irp);
    const ULONG ControlCode = stack.Parameters.DeviceIoControl.IoControlCode;
    if (ControlCode == IO_INCREMENT_VALUE)
    {
        // handler not implemented yet
    }
    else if (ControlCode == IO_RECEIVE_RANDOM_BUFFER)
    {
        // handler not implemented yet
    }
    // Complete the request; Status is a local, so it stays valid after completion
    Irp->IoStatus.Status = Status;
    Irp->IoStatus.Information = BytesIO;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return Status;
}
The APC executes the remote process code. After one execution, the process crashes. Please help me.
Hi,
I want to add some APIs; not sure if this is planned?
Like:
NtWaitForSingleObject (to wait for a created thread)
NtQueryVirtualMemory
Hello, dear friends!
I am new to the topic, so my question could be very naive:
I have successfully built the tool from sources using VS 2019, copied all necessary files to a remote computer, installed the certificate and am now trying to install the driver itself there, using DEVCON.
"devcon install Kernel-Bridge.inf hardware ID ?"
What is the hardware ID which I need to use?
Thanks a lot in advance! Your help is greatly appreciated!
Kernel-Bridge/Kernel-Bridge/API/StringsAPI.h, line 195 in a5c0cdb,
leaks memory when SummaryLength < SSO_SIZE.
Would it be possible to edit the DMI information that resides in the ROM (0x000F0000-0x000FFFFF)? I've tried editing the SMBIOS that resides at the physical address and it works on some chipsets, but on some it doesn't; any workaround?
By the way, DMI != SMBIOS.
I'd like to keep using the wrappers included in the project; pretty neat project.
debug_me.exe is a simple application which calls MessageBoxA when a button is clicked.
Now we use KbWriteProcessMemory with TriggerCoW on user32.MessageBoxA, like this:
VOID BSOD_Test() {
    WdkTypes::PEPROCESS Process;
    DWORD ProcessId = GetProcessIdByName(TEXT("debug_me.exe")); // A wow64 process
    PVOID Address = (PVOID)0x76311F70; // user32.MessageBoxA
    Processes::Descriptors::KbGetEprocess(ProcessId, &Process);
    printf("MessageBoxA: VA:%p, PA:0x%I64X\n", Address, GetPhysAddr(Process, Address));
    {
        BYTE Buffer[1] = { 0 };
        BOOL Status = Processes::MemoryManagement::KbReadProcessMemory(ProcessId, (WdkTypes::PVOID)Address, Buffer, 1);
        printf("MessageBoxA: KbReadProcessMemory: 0x%02X\n", Buffer[0]);
    }
    {
        BYTE* NewBuffer = new BYTE[1];
        NewBuffer[0] = 0xC3;
        BOOL Status = Processes::MemoryManagement::KbWriteProcessMemory(ProcessId, (WdkTypes::PVOID)Address, NewBuffer, 1, TRUE);
        delete[] NewBuffer;
        printf("MessageBoxA: KbWriteProcessMemory: %d\n", Status);
        printf("MessageBoxA: PA:0x%I64X\n", GetPhysAddr(Process, Address));
    }
    Processes::Descriptors::KbDereferenceObject(Process);
}
The debug_me.exe will obviously crash, because user32.MessageBoxA is changed to 0xC3 and this causes some stack error.
Then it will immediately cause a BSOD.
QUOTA_UNDERFLOW (21)
This bugcheck occurs if a kernel component mishandles quota charges and
returns more quota than was previously charged to a particular quota block.
Arguments:
Arg1: ffffc9872b1ee080, The process (if any) that was initially charged.
Arg2: 0000000000000002, The quota type in question (paged pool, nonpaged pool, etc.)
Arg3: ffffffffffffffff, The initial charge amount to return.
Arg4: fffffffffffae8bd, The remaining (unreturned) charge.
------------------
os:
Windows 10 1809
stack:
[0x4] nt!PspReturnQuota + 0x180085
[0x5] nt!PsReturnProcessPageFileQuota + 0x25
[0x6] nt!MiReturnFullProcessCharges + 0x4b
[0x7] nt!MiRemoveVadCharges + 0xab
[0x8] nt!MiFinishVadDeletion + 0xf1
[0x9] nt!MiDeleteVad + 0x15f2
[0xa] nt!MiUnmapVad + 0x49
[0xb] nt!MiCleanVad + 0x30
[0xc] nt!MmCleanProcessAddressSpace + 0x113
[0xd] nt!PspRundownSingleProcess + 0x129
[0xe] nt!PspProcessRundownWorkerSingle + 0x32
[0xf] nt!ExpWorkerThread + 0x16a
[0x10] nt!PspSystemThreadStartup + 0x55
[0x11] nt!KiStartSystemThread + 0x1c
Since KbTriggerCopyOnWrite will still take some minutes/hours to cause a BSOD, which makes it difficult to debug,
this may be helpful to find the problem.
Hello,
I'm working on the hypervisor to add more functionality to it. I've now added a dynamic buffer to change the result of the CPUID instruction in hypervisor mode. Now I want to detect which process caused a VM exit, regardless of the exit reason.
PsGetCurrentProcess() doesn't work.
Might I be able to force all Windows network traffic through WSL2 to use the iptables mangle table instead of, or in addition to, the Windows Firewall?
Perhaps by "bridging" from Windows to WSL2 and letting WSL2 communicate to and from the wire using iptables, with the ability to use iptables as the firewall?
Of course they work independently, albeit with NAT addresses... I'd like to use one IP for all bidirectional communications, enabling the iptables firewall instead of the Windows one... too many limitations in Windows Firewall.
I appreciate any hints or thoughts, tested or theoretical/hypothetical.
After the last update, KbWriteProcessMemory gets a BSOD some time later: "Process Locked ..."
Previously, everything worked.
Hello, How can I build Kernel-Bridge for x86?
alpaca::serialize can be executed successfully,
but alpaca::deserialize fails to execute.
Could you take a look?
https://github.com/p-ranav/alpaca
3 errors preventing me from building: reading process memory
#include <Windows.h>
#include "WdkTypes.h"
#include "CtlTypes.h"
#include "User-Bridge.h"
int main()
{
    using namespace KbLoader;
    // Unloading previously loaded instance:
    KbUnload();
    // Backslashes must be escaped in a C++ string literal
    BOOL Status = KbLoadAsFilter(
        L"C:\\Users\\Admin\\Downloads\\Kernel-Bridge\\x64\\Release\\Kernel-Bridge.sys",
        L"260000" // Altitude of minifilter
    );
    if (!Status)
        return 0; // Unable to load driver!
    // Successfully loaded!
    // Now you can use the User-Bridge API!
    KbUnload();
    return 0;
}
Error LNK2001 unresolved external symbol "int __cdecl KbLoader::KbLoadAsFilter(wchar_t const *,wchar_t const *)" (?KbLoadAsFilter@KbLoader@@YAHPEB_W0@Z) MyProject C:\Users\Admin\Downloads\Kernel-Bridge-master\MyProject\MyProject.obj 1
Error LNK2001 unresolved external symbol "int __cdecl KbLoader::KbUnload(void)" (?KbUnload@KbLoader@@yahxz) MyProject C:\Users\Admin\Downloads\Kernel-Bridge-master\MyProject\MyProject.obj 1
Error LNK1120 2 unresolved externals MyProject C:\Users\Admin\Downloads\Kernel-Bridge-master\x64\Release\MyProject.exe 1
In my previous question #25 I described how I have access to kernel functions and the system (kernel) address space.
Is it possible to map all physical memory into the system address space? I'm trying not to leave traces in the user-mode program, such as a very big mapped region.
My UC thread with code: https://www.unknowncheats.me/forum/general-programming-and-reversing/409449-mapping-physical-memory-system-address-space.html
As you can see, my code in the post on UC is not working as it should.
Is that even possible to do?
I tried to load the driver as a filter and immediately got a blue screen. From some debugging, I found the bug in the DriverControl function, in line 311:
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return Irp->IoStatus.Status;
The Irp variable is used after IoCompleteRequest, which should not be done (according to Google).
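An added illustration of the ordering rule in that report (not Kernel-Bridge code): the kernel types below are minimal stand-ins so the buggy and fixed dispatch shapes can be compiled and run in user mode, and the mock IoCompleteRequest poisons the IRP to model the I/O manager reclaiming it.

```c
/* Added example: why a dispatch routine must not touch the IRP after
 * IoCompleteRequest. All kernel types here are constructed stand-ins. */
#include <stdint.h>
#include <string.h>

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS           ((NTSTATUS)0x00000000L)
#define STATUS_INVALID_PARAMETER ((NTSTATUS)0xC000000DL)
/* Constructed sentinel: what the mock I/O manager leaves in a recycled IRP. */
#define POISON_STATUS            ((NTSTATUS)0xBAADF00DL)

typedef struct _IO_STATUS_BLOCK { NTSTATUS Status; uintptr_t Information; } IO_STATUS_BLOCK;
typedef struct _IRP { IO_STATUS_BLOCK IoStatus; int Completed; } IRP, *PIRP;

/* Mock of IoCompleteRequest: once completed, the IRP belongs to the I/O
 * manager again and may be freed or reused at once. Modelled by poisoning. */
static void IoCompleteRequest(PIRP Irp, int PriorityBoost) {
    (void)PriorityBoost;
    Irp->Completed = 1;
    Irp->IoStatus.Status = POISON_STATUS;   /* memory is no longer ours */
    Irp->IoStatus.Information = 0;
}

/* Buggy shape from the report: the return value is read back from an IRP
 * that has already been handed to the I/O manager (use after completion). */
NTSTATUS DriverControl_Buggy(PIRP Irp, NTSTATUS Result) {
    Irp->IoStatus.Status = Result;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, 0);
    return Irp->IoStatus.Status;            /* reads reclaimed memory */
}

/* Fixed shape: keep the status in a local, complete, never touch Irp again. */
NTSTATUS DriverControl_Fixed(PIRP Irp, NTSTATUS Result) {
    NTSTATUS Status = Result;
    Irp->IoStatus.Status = Status;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, 0);
    return Status;
}

/* Runs one dispatch routine on a fresh IRP and returns what it reported. */
NTSTATUS RunDispatch(NTSTATUS (*Dispatch)(PIRP, NTSTATUS), NTSTATUS Result) {
    IRP Irp;
    memset(&Irp, 0, sizeof(Irp));
    return Dispatch(&Irp, Result);
}
```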
Hello HoShiMin,
While trying to modprobe kvm_amd I got the following error:
kvm_amd: SVM disabled (by BIOS) in MSR_VM_CR
Apparently my AMD Ryzen 7 PRO 4750G with Radeon Graphics disables these processor extensions by default.
I couldn't find much information regarding this, but I stumbled upon your project.
Any chance you could guide me as to what SVM and MSR_VM_CR stand for? Any documentation one could get to?
Is there a way that it can be done?
Do you know how to make the processor chew a single instruction? What function would I look at?
Hey,
if I run the test I always get the message "Unable to load driver!". I adjusted the path for the Kernel-Bridge.sys, but the issue still persists.
Am I doing something wrong?
Best regards!
This code crashes the compiler:
enum VMCS_FIELD_ENCODING : decltype(VMCS_COMPONENT_ENCODING::Value) {
with error:
3>C:\Sources\Kernel-Bridge\CommonTypes\VMX.h(266,6): fatal error C1001: Internal compiler error.
3>(compiler file 'msc1.cpp', line 1576)
3> To work around this problem, try simplifying or changing the program near the locations listed above.
3>If possible please provide a repro here: https://developercommunity.visualstudio.com
3>Please choose the Technical Support command on the Visual C++
3> Help menu, or open the Technical Support help file for more information (compiling source file API\Hypervisor.cpp)
3>INTERNAL COMPILER ERROR in 'C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.33.31629\bin\HostX64\x64\CL.exe'
3> Please choose the Technical Support command on the Visual C++
3> Help menu, or open the Technical Support help file for more information
3>KernelShells.cpp
3>cl : command line error D8040: error creating or communicating with child process
3>Done building project "Kernel-Bridge.vcxproj" -- FAILED.
Need to change:
enum VMCS_FIELD_ENCODING : unsigned int {
I use Visual Studio 2022, Windows SDK "10.0.22621.0" and appropriate WDK.
There are some memory regions where this function seems to fail (returns 0), whereas other memory regions seem to work fine. Any idea as to why this is happening, or if there is a possible fix?
On the same memory regions where KbFindSignature fails, KbReadProcessMemory also fails.
Trying to include "CppSupport.h" from your project, but these errors occur:
Severity Code Description Project File Line Suppression State
Error C2980 C++ exception handling is not supported with /kernel MyDriver1 C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\km\crt\exception 72
Error C2146 syntax error: missing ';' before identifier '_Raise_handler' MyDriver1 C:\Sources\My\MyDriver1\MyDriver1\CppSupport.cpp 227
Error C2980 C++ exception handling is not supported with /kernel MyDriver1 C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\km\crt\exception 72
It shows an error at the following code:
_Prhand _Raise_handler = &RaiseHandler;
Could you help me, please, with how to solve these errors?
How does one implement a system where one can read register values between each instruction?
Hypervisor? Callbacks?
Thank you!
Hello.
I get this error:
[+] Ensuring previous driver instance is removed...
[+] Installing Kernel-Bridge driver...
[-] Failed to install Kernel-Bridge driver!
Last error: -2146762484
How can I fix this?
Hello,
Any chance for a Delphi API to access this beautiful library?
Thank you
Hello, can you make a binding for vlang?