hfiref0x / KDU

Kernel Driver Utility

Repository Overview (README excerpt)

System Requirements

• x64 Windows 7/8/8.1/10/11;
• Administrative privilege is required.

Purpose and Features

The purpose of this tool is to provide a simple way to explore the Windows kernel/components without requiring extensive setup or a local debugger. It features:

• Protected Process Hijacking via Process object modification;
• Driver Signature Enforcement Overrider (similar to DSEFix);
• Driver loader for bypassing Driver Signature Enforcement (similar to TDL/Stryker);
• Support for various vulnerable drivers used as functionality "providers".

Usage

KDU -list
KDU -diag
KDU -prv ProviderID
KDU -ps ProcessID
KDU -pse Commandline
KDU -dmp ProcessID
KDU -dse value
KDU -map filename

• -list - list currently available providers;
• -diag - run system diagnostics for troubleshooting;
• -prv - optional, select vulnerable driver provider;
• -ps - modify process object of given ProcessID, downgrading any protections;
• -pse - launch program as ProtectedProcessLight-AntiMalware (PPL);
• -psw - launch program as ProtectedProcessLight-WinTcb (PPL);
• -dmp - dump virtual memory of the given process;
• -dse - write user-defined value to the system DSE state flags;
• -map - map driver to the kernel and execute its entry point; this command has dependencies listed below;
• -scv version - optional, select shellcode version, default 1;
• -drvn name - driver object name (only valid for shellcode version 3);
• -drvr name - optional, driver registry key name (only valid for shellcode version 3).

Example:

• kdu -ps 1234
• kdu -map c:\driverless\mysuperhack.sys
• kdu -dmp 666
• kdu -prv 1 -ps 1234
• kdu -prv 1 -map c:\driverless\mysuperhack.sys
• kdu -prv 6 -scv 3 -drvn DrvObj -map c:\install\e3600bm.sys
• kdu -prv 6 -scv 3 -drvn edrv -drvr e3600bl -map c:\install\e3600bl.sys
• kdu -dse 0
• kdu -dse 6
• kdu -pse "C:\Windows\System32\notepad.exe C:\TEMP\words.txt"
• kdu -psw "C:\Windows\System32\cmd.exe"

Screenshots (all screenshots are from version 1.0X):

• Run on Windows 11 24H2*
• Run on Windows 10 20H2*
• Compiled and run on Windows 8.1*
• Run on Windows 7 SP1 fully patched (precompiled version)*
• Run on Windows 10 19H2 (precompiled version, SecureBoot enabled)*

Limitations of -map command

Because loading does not go through the standard kernel loader but instead overwrites an already loaded module with shellcode, there are some limitations:

• Loaded drivers MUST BE specially designed to run as "driverless". The parameters passed to your DriverEntry will not be valid, so you cannot load *any* driver, only specially designed ones, unless you alter the shellcode routines.
• No SEH support for target drivers. There is no SEH code in x64; instead, try/except/finally regions are described by a table pointed to from the PE header. If an exception occurs, it may result in a BSOD.
• No driver unloading. Mapped code can't unload itself; however, you can release all resources allocated by your mapped code. DRIVER_OBJECT->DriverUnload should be set to NULL.
• Only ntoskrnl imports are resolved; everything else is up to you. If your project needs another module dependency, you must rewrite this loader part.
• Several Windows primitives are banned by PatchGuard from usage by dynamic code. Because of the unusual way of loading, the mapped driver won't be inside PsLoadedModulesList, so any callback registered by such code will have its handler located in memory outside this list. PatchGuard may detect this and crash the system.

In general, if you want to know what you *should not do* in kernel, look at https://github.com/hfiref0x/KDU/tree/master/Source/Examples/BadRkDemo, which contains a few examples of forbidden things.

Kernel traces note

This tool does not change (and will not change in future) the internal Windows structures MmUnloadedDrivers and/or PiDDBCacheTable. That's because:

• KDU is not designed to circumvent third-party security software or various dubious software (e.g. anti-cheats);
• These data can be a target for PatchGuard protection in the next major Windows 10 update.

You use it at your own risk. Some lazy AV may flag this tool as hacktool/malware.

Supported Providers

Note: Provider with Id 0 is assumed as default if no -prv command is specified.

| Id | Vendor | Driver | Software package | Version | MSFT blacklist* |
|----|--------|--------|------------------|---------|-----------------|
| 0 | Intel | IQVM64/Nal | Network Adapter Diagnostic Driver | 1.03.0.7 | Cert |
| 1 | MSI | RTCore64 | MSI Afterburner | 4.6.2 build 15658 and below | Page hash |
| 2 | Gigabyte | Gdrv | Gigabyte TOOLS | Undefined | Name |
| 3 | ASUSTeK | ATSZIO64 | ASUSTeK WinFlash utility | Undefined | Name |
| 4 | Patriot | MsIo64 | Patriot Viper RGB utility | 1.0 | Page hash |
| 5 | ASRock | GLCKIO2 | ASRock Polychrome RGB | 1.0.4 | Page hash |
| 6 | G.SKILL | EneIo64 | G.SKILL Trident Z Lighting Control | 1.00.08 | Cert |
| 7 | EVGA | WinRing0x64 | EVGA Precision X1 | 1.0.2.0 | Name |
| 8 | Thermaltake | EneTechIo64 | Thermaltake TOUGHRAM software | 1.0.3 | Page hash |
| 9 | Huawei | PhyMemx64 | Huawei MateBook Manager software | Undefined | Name, Page hash |
| 10 | Realtek | RtkIo64 | Realtek Dash Client Utility | Various | Name |
| 11 | MSI | EneTechIo64 | MSI Dragon Center | Various | |
| 12 | LG | LHA | LG Device Manager | 1.6.0.2 | Name |
| 13 | ASUSTeK | AsIO2 | ASUS GPU Tweak | 2.1.7.1 and below | |
| 14 | PassMark | DirectIo64 | PassMark Performance Test | 10.1 and below | Page hash |
| 15 | GMER | GmerDrv | Gmer "Antirootkit" | 2.2 and below | Name, Page hash, Cert |
| 16 | Dell | DBUtil_2_3 | Dell BIOS Utility | 2.3 and below | Page hash |
| 17 | Benjamin Delpy | Mimidrv | Mimikatz | 2.2 and below | Cert |
| 18 | Wen Jia Liu | KProcessHacker2 | Process Hacker | 2.38 and below | Name |
| 19 | Microsoft | ProcExp152 | Process Explorer | 1.5.2 and below | Name, Cer…
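As an added defender-side example (not part of the KDU README or the project's code), the script below parses a subset of the provider table above and flags loaded driver images whose base name matches a listed provider. The PROVIDER_TABLE rows are copied from the table, SAMPLE_LOADED is constructed input standing in for a driver inventory, and parse_providers/check_loaded_drivers are names of my own.

```python
"""Flag loaded kernel drivers whose image name matches a KDU provider (detection aid)."""
import re

# Subset of the provider table from the KDU README: Id | Vendor | Driver | Package | Version | MSFT blacklist.
PROVIDER_TABLE = """\
| 0 | Intel | IQVM64/Nal | Network Adapter Diagnostic Driver | 1.03.0.7 | Cert |
| 1 | MSI | RTCore64 | MSI Afterburner | 4.6.2 build 15658 and below | Page hash |
| 2 | Gigabyte | Gdrv | Gigabyte TOOLS | Undefined | Name |
| 7 | EVGA | WinRing0x64 | EVGA Precision X1 | 1.0.2.0 | Name |
| 16 | Dell | DBUtil_2_3 | Dell BIOS Utility | 2.3 and below | Page hash |
"""


def parse_providers(table):
    """Parse markdown table rows into a dict keyed by lowercase driver name.
    A cell such as 'IQVM64/Nal' lists two driver names and yields two entries."""
    providers = {}
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 6 or not cells[0].isdigit():
            continue  # skip header/separator rows or anything malformed
        pid, vendor, drivers, package, version, blacklist = cells
        for name in drivers.split("/"):
            providers[name.lower()] = {"id": int(pid), "vendor": vendor, "package": package,
                                       "version": version, "blacklist": blacklist}
    return providers


def check_loaded_drivers(loaded_images, providers):
    """Return one finding per loaded image whose base name (minus .sys) matches a known provider.
    Paths may use either separator; matching is case-insensitive as on NTFS."""
    findings = []
    for image in loaded_images:
        base = image.replace("\\", "/").rsplit("/", 1)[-1]
        stem = re.sub(r"\.sys$", "", base, flags=re.IGNORECASE).lower()
        if stem in providers:
            findings.append({"image": image, **providers[stem]})
    return findings


# Constructed sample inventory (not real host data): two entries match providers 1 and 2.
SAMPLE_LOADED = ["ntoskrnl.exe", "hal.dll", "tcpip.sys",
                 "C:\\Windows\\System32\\drivers\\RTCore64.sys", "gdrv.sys"]

if __name__ == "__main__":
    for f in check_loaded_drivers(SAMPLE_LOADED, parse_providers(PROVIDER_TABLE)):
        print(f"{f['image']}: KDU provider {f['id']} ({f['vendor']} {f['package']}, "
              f"MSFT blacklist: {f['blacklist']})")
```

Name matching is only a first pass: a renamed copy of the same driver will not match, which is why the table's MSFT blacklist column also records page-hash and certificate based blocking for many entries.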