Merge pull request #43 from hfiref0x/dev127

v 1.2.7

README.md

@@ -126,6 +126,9 @@ You use it at your own risk. Some lazy AV may flag this tool as hacktool/malware
 | 22          | ASUSTeK        | AsIO3       | ASUS GPU TweakII                   | WINIO             | 2.3.0.3                     |                      |
 | 23          | Marvin         | Hw          | Marvin Hardware Access Driver      | Original          | 4.9 and below               | Name                 |
 | 24          | CODESYS        | SysDrv3S    | CODESYS SysDrv3S                   | MAPMEM            | 3.5.6 and below             |                      |
+| 25          | Zemana         | amsdk       | WatchDog/MalwareFox/Zemana AM      | Original          | 3.0.0 and below             |                      |
+| 26          | HiRes Ent.     | inpoutx64   | Various                            | WINIO             | 1.2.0 and below             |                      |
+| 27          | PassMark       | DirectIo64  | PassMark OSForensics               | Original          | Any                         |                      |
 
 ###### *At commit time, data maybe inaccurate.
 
@@ -143,15 +146,24 @@ When in -map mode KDU for most available providers will by default use 3rd party
 
 KDU uses shellcode to map input drivers and execute their DriverEntry. There are few shellcode variants embedded into KDU. Shellcode V1, V2 and V3 used together with 3rd party victim driver (Process Explorer, by default). They are implemented as fake driver dispatch entry and their differences are: V1 uses newly created system thread to execute code, V2 uses system work items, V3 manually builds driver object and runs DriverEntry as if this driver was loaded normally. Shellcode V4 is simplified version of previous variants intended to be run not like an driver dispatch entry. While theoretically all "providers" can support all variants this implementation is limited per provider. You can view it by typing -list command and looking for shellcode support mask. Currently all providers except N21 support V1, V2 and V3 variants.
 
-# Build 
+# Build and Notes
 
 KDU comes with full source code.
 In order to build from source you need Microsoft Visual Studio 2019 and later versions. For driver builds you need Microsoft Windows Driver Kit 10 and/or above.
 
+Complete working binaries include: kdu.exe (main executable) and drv64.dll (drivers database). They must reside in the same directory that must have R/W access enabled for kdu.exe. All binaries MUST BE compiled in "Release" configuration.
+
 # Utils and Notes
 
 GenAsIo2Unlock is a special utility used to generate "unlocking" resource which is required for working with AsIO2 driver. Full source of this utility included in Source\Utils\GenAsIo2Unlock. Compiled version located in Sources\Hamakaze\Utils\GenAsIo2Unlock.exe. **Warning this utility is set on execution at post-build-event for both Debug/Release configurations.** If you don't want to run precompiled version replace it with newly compiled from sources. If you remove this post-build-event newly compiled KDU will NOT BE ABLE to use AsIO2 driver (provider #13).
 
+# Reporting bugs and incompatibilities
+
+If you expirienced bug or incompatibility while using KDU with 3rd party software or OS feel free to fill the issue. However if this incompatibility is caused by your own actions such reports will be ignored. Any BSOD reports should include minidump attached or your own dump analysis (windbg !analyze -v), issues without these information will be ignored.
+
+Anticheat, antimalware incompatibilities will be ignored, that's your own fault.
+
+
 # Disclaimer
 
 Using this program might crash your computer with BSOD. Compiled binary and source code provided AS-IS in hope it will be useful BUT WITHOUT WARRANTY OF ANY KIND. Since KDU rely on completely bugged and vulnerable drivers security of computer where it executed maybe put at risk. Make sure you understand what you do.

Source/Hamakaze/KDU.vcxproj

@@ -35,6 +35,7 @@
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
   <ImportGroup Label="ExtensionSettings">
+    <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
   </ImportGroup>
   <ImportGroup Label="Shared">
   </ImportGroup>
@@ -65,7 +66,7 @@
       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
       <ConformanceMode>true</ConformanceMode>
       <BufferSecurityCheck>false</BufferSecurityCheck>
-      <AdditionalIncludeDirectories>$(SolutionDir)\Shared;$(ProjectDir);%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>$(ProjectDir);$(SolutionDir);$(SolutionDir)\Shared;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
@@ -74,6 +75,9 @@
     <PostBuildEvent>
       <Command>$(ProjectDir)Utils\GenAsIo2Unlock .\output\$(Platform)\$(Configuration)\$(TargetName)$(TargetExt)</Command>
     </PostBuildEvent>
+    <MASM>
+      <AssembledCodeListingFile>shellstager.lst</AssembledCodeListingFile>
+    </MASM>
   </ItemDefinitionGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
     <ClCompile>
@@ -89,15 +93,14 @@
       <BufferSecurityCheck>false</BufferSecurityCheck>
       <ControlFlowGuard>false</ControlFlowGuard>
       <MultiProcessorCompilation>true</MultiProcessorCompilation>
-      <AdditionalIncludeDirectories>$(SolutionDir)\Shared;$(ProjectDir);%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
-      <DebugInformationFormat>None</DebugInformationFormat>
+      <AdditionalIncludeDirectories>$(ProjectDir);$(SolutionDir);$(SolutionDir)\Shared;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
       <EnablePREfast>true</EnablePREfast>
     </ClCompile>
     <Link>
       <SubSystem>Console</SubSystem>
       <EnableCOMDATFolding>true</EnableCOMDATFolding>
       <OptimizeReferences>true</OptimizeReferences>
-      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
       <SetChecksum>true</SetChecksum>
       <UACExecutionLevel>RequireAdministrator</UACExecutionLevel>
       <AdditionalOptions>/NOCOFFGRPINFO %(AdditionalOptions)</AdditionalOptions>
@@ -106,6 +109,9 @@
     <PostBuildEvent>
       <Command>$(ProjectDir)Utils\GenAsIo2Unlock .\output\$(Platform)\$(Configuration)\$(TargetName)$(TargetExt)</Command>
     </PostBuildEvent>
+    <MASM>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+    </MASM>
   </ItemDefinitionGroup>
   <ItemGroup>
     <ClCompile Include="..\Shared\ldr\ldr.cpp" />
@@ -144,6 +150,7 @@
     <ClCompile Include="idrv\nal.cpp" />
     <ClCompile Include="idrv\rtcore.cpp" />
     <ClCompile Include="idrv\winring0.cpp" />
+    <ClCompile Include="idrv\zemana.cpp" />
     <ClCompile Include="ipcsvc.cpp" />
     <ClCompile Include="main.cpp" />
     <ClCompile Include="kduprov.cpp" />
@@ -156,6 +163,8 @@
     <ClCompile Include="victim.cpp" />
   </ItemGroup>
   <ItemGroup>
+    <ClInclude Include="..\Shared\consts.h" />
+    <ClInclude Include="..\Shared\kdubase.h" />
     <ClInclude Include="..\Shared\ldr\ldr.h" />
     <ClInclude Include="..\Shared\minirtl\cmdline.h" />
     <ClInclude Include="..\Shared\minirtl\minirtl.h" />
@@ -168,7 +177,6 @@
     <ClInclude Include="..\Shared\ntos\ntsup.h" />
     <ClInclude Include="..\Shared\tinyaes\aes.h" />
     <ClInclude Include="compress.h" />
-    <ClInclude Include="consts.h" />
     <ClInclude Include="drvmap.h" />
     <ClInclude Include="dsefix.h" />
     <ClInclude Include="global.h" />
@@ -190,6 +198,7 @@
     <ClInclude Include="idrv\nal.h" />
     <ClInclude Include="idrv\rtcore.h" />
     <ClInclude Include="idrv\winring0.h" />
+    <ClInclude Include="idrv\zemana.h" />
     <ClInclude Include="ipcsvc.h" />
     <ClInclude Include="shellcode.h" />
     <ClInclude Include="diag.h" />
@@ -213,7 +222,11 @@
     <None Include="res\SB_SMBUS_SDK.bin" />
     <None Include="res\Taigei32.bin" />
   </ItemGroup>
+  <ItemGroup>
+    <MASM Include="shellmasm.asm" />
+  </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">
+    <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
   </ImportGroup>
 </Project>

Source/Hamakaze/KDU.vcxproj.filters

@@ -171,6 +171,9 @@
     <ClCompile Include="idrv\marvinhw.cpp">
       <Filter>Source Files\idrv</Filter>
     </ClCompile>
+    <ClCompile Include="idrv\zemana.cpp">
+      <Filter>Source Files\idrv</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="global.h">
@@ -197,9 +200,6 @@
     <ClInclude Include="victim.h">
       <Filter>Header Files</Filter>
     </ClInclude>
-    <ClInclude Include="consts.h">
-      <Filter>Header Files</Filter>
-    </ClInclude>
     <ClInclude Include="idrv\nal.h">
       <Filter>Source Files\idrv</Filter>
     </ClInclude>
@@ -311,6 +311,15 @@
     <ClInclude Include="idrv\marvinhw.h">
       <Filter>Source Files\idrv</Filter>
     </ClInclude>
+    <ClInclude Include="idrv\zemana.h">
+      <Filter>Source Files\idrv</Filter>
+    </ClInclude>
+    <ClInclude Include="..\Shared\consts.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="..\Shared\kdubase.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <ResourceCompile Include="resource.rc">
@@ -330,4 +339,9 @@
       <Filter>Resource Files</Filter>
     </None>
   </ItemGroup>
+  <ItemGroup>
+    <MASM Include="shellmasm.asm">
+      <Filter>Source Files</Filter>
+    </MASM>
+  </ItemGroup>
 </Project>

Source/Hamakaze/KDU.vcxproj.user

@@ -1,11 +1,11 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
-    <LocalDebuggerCommandArguments>-prv 24 -map c:\OpA22\dummy.sys</LocalDebuggerCommandArguments>
+    <LocalDebuggerCommandArguments>-test</LocalDebuggerCommandArguments>
     <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
-    <LocalDebuggerCommandArguments>-prv 24 -map c:\OpA22\dummy.sys</LocalDebuggerCommandArguments>
+    <LocalDebuggerCommandArguments>-prv 27 -map c:\install\dummy.sys</LocalDebuggerCommandArguments>
     <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
   </PropertyGroup>
 </Project>

Source/Hamakaze/consts.h

@@ -4,9 +4,9 @@
 *
 *  TITLE:       CONSTS.H
 *
-*  VERSION:     1.26
+*  VERSION:     1.27
 *
-*  DATE:        16 Oct 2022
+*  DATE:        08 Nov 2022
 *
 *  Global consts.
 *
@@ -21,8 +21,8 @@
 
 #define KDU_VERSION_MAJOR       1
 #define KDU_VERSION_MINOR       2
-#define KDU_VERSION_REVISION    6
-#define KDU_VERSION_BUILD       2210
+#define KDU_VERSION_REVISION    7
+#define KDU_VERSION_BUILD       2211
 
 #define KDU_BASE_ID             0xff123456
 #define KDU_SYNC_MUTANT         0xabcd
@@ -48,7 +48,9 @@
 
 #define PROVIDER_RES_KEY        ' owo' // Giving you enough uwu's.
 
-#define SYSTEM_PID_MAGIC             4
+#define SYSTEM_PID_MAGIC           4
+
+#define PROCEXP152_DISPATCH_OFFSET 0x2220 // Valid only for 1.5.2
 
 //
 // Data id table
@@ -87,3 +89,6 @@
 #define IDR_ASUSIO3                     125
 #define IDR_HW64                        126
 #define IDR_SYSDRV3S                    127
+#define IDR_ZEMANA                      128
+#define IDR_RESERVED1                   129
+#define IDR_RESERVED2                   130

Source/Hamakaze/dsefix.cpp

@@ -4,9 +4,9 @@
 *
 *  TITLE:       DSEFIX.CPP
 *
-*  VERSION:     1.20
+*  VERSION:     1.27
 *
-*  DATE:        14 Feb 2022
+*  DATE:        25 Oct 2022
 *
 *  CI DSE corruption related routines.
 *  Based on DSEFix v1.3

Source/Hamakaze/global.h

@@ -4,9 +4,9 @@
 *
 *  TITLE:       GLOBAL.H
 *
-*  VERSION:     1.25
+*  VERSION:     1.27
 *
-*  DATE:        17 Aug 2022
+*  DATE:        10 Nov 2022
 *
 *  Common include header file.
 *
@@ -36,7 +36,8 @@
 #define KDU_SHELLCODE_V2    (2)
 #define KDU_SHELLCODE_V3    (3)
 #define KDU_SHELLCODE_V4    (4)
-#define KDU_SHELLCODE_VMAX  KDU_SHELLCODE_V4
+#define KDU_SHELLCODE_V5    (5)
+#define KDU_SHELLCODE_VMAX  KDU_SHELLCODE_V5
 
 #include <Windows.h>
 #include <strsafe.h>
@@ -72,7 +73,8 @@ extern "C" {
 #pragma comment(lib, "Setupapi.lib")
 #pragma comment(lib, "Newdev.lib")
 
-#include "consts.h"
+#include "shared/consts.h"
+#include "shared/kdubase.h"
 #include "sup.h"
 #include "compress.h"
 #include "victim.h"

Source/Hamakaze/idrv/dbk.cpp

@@ -4,9 +4,9 @@
 *
 *  TITLE:       DBK.CPP
 *
-*  VERSION:     1.20
+*  VERSION:     1.27
 *
-*  DATE:        16 Feb 2022
+*  DATE:        10 Nov 2022
 *
 *  Cheat Engine's DBK driver routines.
 *
@@ -343,9 +343,10 @@ BOOL DbkStartVulnerableDriver(
 {
     BOOL bLoaded = FALSE;
     NTSTATUS ntStatus;
-    LPWSTR lpDeviceName = Context->Provider->DeviceName;
+    KDU_DB_ENTRY* provLoadData = Context->Provider->LoadData;
+    LPWSTR lpDeviceName = provLoadData->DeviceName;
+    LPWSTR lpDriverName = provLoadData->DriverName;
     LPWSTR lpFullFileName = Context->DriverFileName;
-    LPWSTR lpDriverName = Context->Provider->DriverName;
 
     //
     // Check if driver already loaded.
@@ -391,13 +392,13 @@ BOOL DbkStartVulnerableDriver(
     if (bLoaded) {
 
         printf_s("[+] Acquiring handle for driver device \"%ws\" -> please wait, this can take a few seconds\r\n",
-            Context->Provider->DeviceName);
+            provLoadData->DeviceName);
 
         if (DbkOpenCheatEngineDriver(Context)) {
 
             supPrintfEvent(kduEventInformation,
                 "[+] Successfully acquired handle for driver device \"%ws\"\r\n",
-                Context->Provider->DeviceName);
+                provLoadData->DeviceName);
 
         }
     }
@@ -707,16 +708,13 @@ BOOL DbkMapDriver(
 {
     BOOL bSuccess = FALSE;
     PVOID pvShellCode;
-    KDU_PROVIDER* prov;
     HANDLE deviceHandle;
+    HANDLE sectionHandle = NULL;
 
     FUNCTION_ENTER_MSG(__FUNCTION__);
 
-    prov = Context->Provider;
     deviceHandle = Context->DeviceHandle;
 
-    HANDLE sectionHandle = NULL;
-
     pvShellCode = KDUSetupShellCode(Context, ImageBase, &sectionHandle);
     if (pvShellCode) {