KDU

Kernel Driver Utility

System Requirements

  • x64 Windows 7/8/8.1/10/11;
  • Administrative privilege is required.

Purpose and Features

The purpose of this tool is to give a simple way to explore Windows kernel/components without doing a lot of additional work or setting up a local debugger. It features:

  • Protected Processes Hijacking via Process object modification;
  • Driver Signature Enforcement Overrider (similar to DSEFix);
  • Driver loader for bypassing Driver Signature Enforcement (similar to TDL/Stryker);
  • Support for various vulnerable drivers used as functionality "providers".

Usage

KDU -list
KDU -diag
KDU -prv ProviderID
KDU -ps ProcessID
KDU -pse Commandline
KDU -dse value
KDU -map filename
  • -list - list currently available providers;
  • -diag - run system diagnostic for troubleshooting;
  • -prv - optional, select vulnerable driver provider;
  • -ps - modify the process object of the given ProcessID, downgrading any protections;
  • -pse - launch a program as ProtectedProcessLight-AntiMalware (PPL);
  • -dse - write a user-defined value to the system DSE state flags;
  • -map - map a driver into the kernel and execute its entry point; this command has the dependencies listed below;
    • -scv version - optional, select shellcode version, default 1;
    • -drvn name - driver object name (only valid for shellcode version 3);
    • -drvr name - optional, driver registry key name (only valid for shellcode version 3).

Example:

  • kdu -ps 1234
  • kdu -map c:\driverless\mysuperhack.sys
  • kdu -prv 1 -ps 1234
  • kdu -prv 1 -map c:\driverless\mysuperhack.sys
  • kdu -prv 6 -scv 3 -drvn DrvObj -map c:\install\e3600bm.sys
  • kdu -prv 6 -scv 3 -drvn edrv -drvr e3600bl -map c:\install\e3600bl.sys
  • kdu -dse 0
  • kdu -dse 6
  • kdu -pse "C:\Windows\System32\notepad.exe C:\TEMP\words.txt"

Screenshots (all from version 1.0X): run on Windows 10 20H2; compiled and run on Windows 8.1; run on Windows 7 SP1 fully patched (precompiled version); run on Windows 10 19H2 (precompiled version, SecureBoot enabled).

Limitations of -map command

Due to the unusual way of loading, which does not involve the standard kernel loader but instead overwrites already loaded modules with shellcode, there are some limitations:

  • Loaded drivers MUST BE specially designed to run as "driverless";

That means you cannot use the parameters passed to your DriverEntry, as they won't be valid. That also means you cannot load arbitrary drivers, only specially designed ones, unless you alter the shellcode responsible for driver mapping.

  • No SEH support for target drivers;

There is no SEH code in x64. Instead there is a table of try/except/finally regions which must be in the executable image, described by a pointer in the PE header. If an exception occurs, the system handler will first look up which module it happened in. Mapped drivers are not in the Windows-controlled list of drivers (PsLoadedModulesList, PatchGuard protected), so nothing will be found and the system will simply crash.

  • No driver unloading;

Mapped code can't unload itself; however, you can still release all resources allocated by your mapped code. DRIVER_OBJECT->DriverUnload should be set to NULL.

  • Only ntoskrnl imports are resolved, everything else is up to you;

If your project needs another module dependency, you have to rewrite this loader part.

  • Several Windows primitives are banned by PatchGuard from use by dynamic code.

Because of the unusual way of loading, a mapped driver won't be in PsLoadedModulesList. That means any callback registered by such code will have its handler located in memory outside this list. PatchGuard can check whether registered callbacks point into valid loaded modules and will BSOD with "Kernel notification callout modification" if such dynamic code is detected.

In general, if you want to know what you should not do in the kernel, look at https://github.com/hfiref0x/KDU/tree/master/Source/Examples/BadRkDemo which contains a few examples of forbidden things.

Kernel traces note

This tool does not change (and won't in the future) the internal Windows structures MmUnloadedDrivers and/or PiDDBCacheTable. That's because:

  • KDU is not designed to circumvent third-party security software or various dubious crapware (e.g. anti-cheats);
  • This data can become a target for PatchGuard protection in the next major Windows 10 update.

You use it at your own risk. Some lazy AV may flag this tool as hacktool/malware.

Currently Supported Providers

Provider Id | Product Vendor | Driver | Software package | Code base | Version | MSFT blacklisted by*
0 | Intel | IQVM64/Nal | Network Adapter Diagnostic Driver | Original | 1.03.0.7 | Cert
1 | MSI | RTCore64 | MSI Afterburner | Semi-original | 4.6.2 build 15658 and below | Page hash
2 | Gigabyte | Gdrv | Gigabyte TOOLS | MAPMEM | Undefined | Name
3 | ASUSTeK | ATSZIO64 | ASUSTeK WinFlash utility | Semi-original | Undefined | Name
4 | Patriot | MsIo64 | Patriot Viper RGB utility | WINIO | 1.0 | Page hash
5 | ASRock | GLCKIO2 | ASRock Polychrome RGB | WINIO | 1.0.4 | Page hash
6 | G.SKILL | EneIo64 | G.SKILL Trident Z Lighting Control | WINIO | 1.00.08 | Cert
7 | EVGA | WinRing0x64 | EVGA Precision X1 | WINRING0 | 1.0.2.0 | Name
8 | Thermaltake | EneTechIo64 | Thermaltake TOUGHRAM software | WINIO | 1.0.3 | Page hash
9 | Huawei | PhyMemx64 | Huawei MateBook Manager software | WINIO | Undefined | Name, Page hash
10 | Realtek | RtkIo64 | Realtek Dash Client Utility | PHYMEM | Various | Name
11 | MSI | EneTechIo64 | MSI Dragon Center | WINIO | Various |
12 | LG | LHA | LG Device Manager | Semi-original | 1.6.0.2 | Name
13 | ASUSTeK | AsIO2 | ASUS GPU Tweak | WINIO | 2.1.7.1 and below |
14 | PassMark | DirectIo64 | PassMark Performance Test | Original | 10.1 and below | Page hash
15 | GMER | GmerDrv | Gmer "Antirootkit" | Original | 2.2 and below | Name, Page hash, Cert
16 | Dell | DBUtil_2_3 | Dell BIOS Utility | Original | 2.3 and below | Page hash
17 | Benjamin Delpy | Mimidrv | Mimikatz | Original | 2.2 and below | Cert
18 | Wen Jia Liu | KProcessHacker2 | Process Hacker | Original | 2.38 and below | Name
19 | Microsoft | ProcExp152 | Process Explorer | Original | 1.5.2 and below | Name, Cert
20 | Dell | DBUtilDrv2 | Dell BIOS Utility | Original | 2.7 and below |
21 | DarkByte | Dbk64 | Cheat Engine | Original | 7.4 and below | Cert, Name
22 | ASUSTeK | AsIO3 | ASUS GPU TweakII | WINIO | 2.3.0.3 |
23 | Marvin | Hw | Marvin Hardware Access Driver | Original | 4.9 and below | Name
24 | CODESYS | SysDrv3S | CODESYS SysDrv3S | MAPMEM | 3.5.6 and below |
25 | Zemana | amsdk | WatchDog/MalwareFox/Zemana AM | Original | 3.0.0 and below |
26 | HiRes Ent. | inpoutx64 | Various | WINIO | 1.2.0 and below |
27 | PassMark | DirectIo64 | PassMark OSForensics | Original | Any |
28 | ASRock | AsrDrv106 | Phantom Gaming Tuning | RWEverything | 1.0.6 and below |
29 | Arthur Liberman | ALSysIO64 | Core Temp | Original | 2.0.11 and below |
30 | AMD | AMDRyzenMasterDriver | Multiple software packages | Original | 2.0.0.0 and below |
31 | Hilscher | physmem | Physical Memory Viewer for Windows | Original | 1.0.0.0 | Cert, Name
32 | Lenovo | LDD | Lenovo Diagnostics Driver for Windows 10 and later | Original | 1.0.4.0 and below | Cert, Name
33 | Dell | pcdsrvc_x64 | Dell PC Doctor | Original | 6.2.2.0 |
34 | MSI | winio | MSI Foundation Service | WINIO | Undefined |
35 | HP | EtdSupport | ETDi Support Driver | Original | 18.0 and below |
36 | Pavel Yosifovich | KExplore | Kernel Explorer | Original | Undefined |
37 | Pavel Yosifovich | KObjExp | Kernel Object Explorer | Original | Undefined |
38 | Pavel Yosifovich | KRegExp | Kernel Registry Explorer | Original | Undefined |
39 | Inspect Element LTD | EchoDrv | Echo AntiCheat (spyware) | Original | Undefined |

*At commit time; data may be inaccurate.

More providers may be added in the future.

How it works

It uses drivers known to be vulnerable (or wormholes by design) from legitimate software to access arbitrary kernel memory with read/write primitives.

Depending on the command, KDU will either work as TDL/DSEFix or modify kernel-mode process objects (EPROCESS).

When in -map mode, for most available providers KDU will by default use a 3rd party signed driver from Sysinternals Process Explorer and hijack it by placing a small loader shellcode inside its IRP_MJ_DEVICE_CONTROL/IRP_MJ_CREATE/IRP_MJ_CLOSE handler. This is done by overwriting the physical memory where the Process Explorer dispatch handler is located and triggering it by calling the driver's IRP_MJ_CREATE handler (a CreateFile call). Next, the shellcode maps the input driver as a code buffer into kernel mode and runs it with the current IRQL at PASSIVE_LEVEL. After that, the hijacked Process Explorer driver is unloaded together with the vulnerable provider driver. This entire idea comes from malicious software of the mid-2000s known as rootkits.
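As an added example from the defender's side (not part of the KDU project), the following check scans Sysmon Event ID 6 (driver loaded) records for the provider drivers from the table above and for the Process Explorer driver that -map mode hijacks, flagging a provider load followed shortly by the victim driver. File names are assumed to be the table's driver names plus .sys (real packages may differ, so a production rule should key on hashes), and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Driver names copied from the provider table above (a subset); file names are
# assumed to be the driver name plus ".sys", which is not verified here.
KDU_PROVIDERS = {
    "iqvm64.sys": (0, "Intel Nal"), "rtcore64.sys": (1, "MSI RTCore64"),
    "gdrv.sys": (2, "Gigabyte Gdrv"), "atszio64.sys": (3, "ASUSTeK ATSZIO64"),
    "msio64.sys": (4, "Patriot MsIo64"), "glckio2.sys": (5, "ASRock GLCKIO2"),
    "eneio64.sys": (6, "G.SKILL EneIo64"), "winring0x64.sys": (7, "EVGA WinRing0x64"),
    "dbutil_2_3.sys": (16, "Dell DBUtil_2_3"), "mimidrv.sys": (17, "Mimikatz Mimidrv"),
    "dbk64.sys": (21, "Cheat Engine Dbk64"), "asrdrv106.sys": (28, "ASRock AsrDrv106"),
}
VICTIM_DRIVER = "procexp152.sys"  # signed Sysinternals driver hijacked in -map mode
TS = "%Y-%m-%d %H:%M:%S.%f"       # Sysmon UtcTime format


def analyze_driver_loads(events, window=timedelta(minutes=5)):
    """Scan Sysmon Event ID 6 records (dicts with UtcTime and ImageLoaded) and
    return findings: every provider load, plus a victim-driver load that follows
    a provider load within `window` (the -map sequence described above)."""
    findings, recent_provider = [], None
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        when = datetime.strptime(ev["UtcTime"], TS)
        name = ev["ImageLoaded"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in KDU_PROVIDERS:
            pid, label = KDU_PROVIDERS[name]
            findings.append(("provider-load", name, f"KDU provider #{pid} ({label})"))
            recent_provider = (name, when)
        elif name == VICTIM_DRIVER and recent_provider:
            pname, pwhen = recent_provider
            if when - pwhen <= window:
                secs = int((when - pwhen).total_seconds())
                findings.append(("map-sequence", name, f"{pname} loaded {secs}s earlier"))
    return findings


# Constructed sample events (not real telemetry): a benign load, a provider
# load from a user directory, then the victim driver a couple of seconds later.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-01-10 09:14:02.117", "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"UtcTime": "2024-01-10 09:15:31.440", "ImageLoaded": r"C:\Users\lab\Desktop\RTCore64.sys"},
    {"UtcTime": "2024-01-10 09:15:34.002", "ImageLoaded": r"C:\Users\lab\AppData\Local\Temp\PROCEXP152.SYS"},
]

if __name__ == "__main__":
    for kind, image, detail in analyze_driver_loads(SAMPLE_EVENTS):
        print(f"[{kind}] {image}: {detail}")
```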

Shellcode versions

KDU uses shellcode to map input drivers and execute their DriverEntry. There are a few shellcode variants embedded in KDU. Shellcode V1, V2 and V3 are used together with a 3rd party victim driver (Process Explorer by default). They are implemented as a fake driver dispatch entry and differ as follows: V1 uses a newly created system thread to execute code, V2 uses system work items, V3 manually builds a driver object and runs DriverEntry as if the driver had been loaded normally. Shellcode V4 is a simplified version of the previous variants intended to run not as a driver dispatch entry. While theoretically all "providers" could support all variants, this implementation is limited per provider. You can view this by typing the -list command and looking at the shellcode support mask. Currently all providers except N21 support the V1, V2 and V3 variants.

Build and Notes

KDU comes with full source code. In order to build from source you need Microsoft Visual Studio 2019 or later. For driver builds you need Microsoft Windows Driver Kit 10 or above.

Complete working binaries include kdu.exe (main executable) and drv64.dll (drivers database). They must reside in the same directory, which must have R/W access enabled for kdu.exe. All binaries MUST BE compiled in the "Release" configuration. In order to use providers that require Microsoft Symbols, you need to put dbghelp.dll and symsrv.dll from the Debugging Tools for Windows into the KDU directory.

Utils and Notes

GenAsIo2Unlock is a special utility used to generate the "unlocking" resource required for working with the AsIO2 driver. The full source of this utility is included in Source\Utils\GenAsIo2Unlock. The compiled version is located in Sources\Hamakaze\Utils\GenAsIo2Unlock.exe. Warning: this utility is set to execute at the post-build event for both Debug and Release configurations. If you don't want to run the precompiled version, replace it with one newly compiled from sources. If you remove this post-build event, newly compiled KDU will NOT BE ABLE to use the AsIO2 driver (provider #13).

Reporting bugs and incompatibilities

If you experienced a bug or incompatibility while using KDU with 3rd party software or an OS, feel free to file an issue. However, if the incompatibility is caused by your own actions, such reports will be ignored. Any BSOD report should include the minidump attached or your own dump analysis (windbg !analyze -v); issues without this information will be ignored.

Anticheat, antimalware incompatibilities will be ignored, that's your own fault.

Disclaimer

Using this program might crash your computer with a BSOD. The compiled binary and source code are provided AS-IS in the hope that they will be useful BUT WITHOUT WARRANTY OF ANY KIND. Since KDU relies on completely bugged and vulnerable drivers, the security of the computer where it is executed may be put at risk. Make sure you understand what you do.

Wormhole drivers code

They are used in multiple products from hardware vendors, mostly in unmodified state. They all break the OS security model and are additionally bugged. Links are for educational purposes, showing how not to write your drivers. Note that the following GitHub account has nothing to do with this code; the code is in unmodified state and provided only for educational purposes.

Authors

(c) 2020 - 2023 KDU Project
