hfiref0x/KDU

KDU seems completely unable to map drivers

ahabx64 opened this issue · 2 comments

Hello, when trying to map drivers using KDU (latest Release / latest Commit - doesn't make a difference) not a single provider seems to work despite having HVCI and the Vulnerable Driver Blocklist disabled.
All of them give me an output that is very similar to this:

	KDU:
	[#] Kernel Driver Utility v1.4.2 (build 2404) started, (c)2020 - 2024 KDU Project
	[#] Built at Tue Apr  2 06:50:29 2024, header checksum 0x90776
	[#] Supported x64 OS : Windows 7 and above
	[*] Debug Mode Run, several features (like a shellcode proper generation) will be unavailable
	[*] CPU vendor string: GenuineIntel
	[*] Windows version: 10.0 build 22631
	[*] SecureBoot is disabled on this machine
	[*] Debug Mode ENABLED
	[+] MSFT Driver block list is disabled
	[+] Selected provider: 34
	[*] Driver mapping using shellcode version: 1
	[+] Input driver file "C:\Users\geeze\OneDrive\Desktop\nuts\HelloWorld.sys" loaded at 0x00007FF68F2D0000
	[+] The "VMwareVMware" hypervisor present
	[+] Drivers database "drv64.dll" loaded at 0x00007FF91B3B0000
	[+] Drivers database version is OK
	[+] Firmware type (FirmwareTypeUefi)
	[+] Provider: "MSI Foundation Service", Name "WinIo"
	[!] Vulnerable driver is already loaded
	[+] Driver device "WinIo" has been opened successfully
	[+] Executing post-open callback for given provider
	[+] Driver device security descriptor set successfully
	[+] Processing victim "Process Explorer v17" driver
	[+] Mapped victim image at 000001A55DD10000 with size 0xC000 bytes
	[+] Extracting victim driver "PROCEXP152" as "C:\Windows\system32\drivers\PROCEXP152.sys"
	[+] Successfully loaded victim driver
	[+] Query victim image information
	[+] Query victim loaded driver layout
	[+] Victim target address 0xFFFFF80748CB1D60
	[+] Loaded ntoskrnl base 0xFFFFF8074CC00000
	[+] Ntoskrnl.exe mapped at 0x7FF7A6790000
	[+] Resolving kernel import for input driver
	[+] Resolving payload import
	[!] Bootstrap code size 0x1BC0 exceeds limit 0x794, abort (Value of Bootstrap code size differs between different scv but still never works)
	[!] Unexpected shellcode procedure size, abort
	[!] Error while building shellcode, abort
	[+] Victim released
	[!] Unable to unload vulnerable driver, NTSTATUS (0xC0000034): Object Name not found.
	[+] Return value: 0. Bye-bye!
WinDbg from prv 34 (since machine startup, KDU ran almost immediately):
	************* Path validation summary **************
	Response                         Time (ms)     Location
	Deferred                                       srv*
	Symbol search path is: srv*
	Executable search path is: 
	Windows 10 Kernel Version 22621 MP (1 procs) Free x64
	Edition build lab: 22621.1.amd64fre.ni_release.220506-1250
	Kernel base = 0xfffff804`1c200000 PsLoadedModuleList = 0xfffff804`1ce134f0
	System Uptime: 0 days 0:00:00.000
	minio\security\base\lsa\security\driver\asyncsspi.cxx - SspiInitAsyncInterface
	IOINIT: Built-in driver \Driver\hwpolicy failed to initialize with status - 0xC000025E
	KDTARGET: Refreshing KD connection
	DispBroker.Desktop.dll: 10/06/24 20:21:05 Pacific Daylight Time: SessionHandlerBase::EvaluateTargets found new target
	   Concerning target: Id=0x0, Adapter=b209 connected to {NOEDID_15AD_0405_00000000_000F0000_0}
	DfsDs RPC server started.
	StartDocked.LauncherFrame
	Inside IoGetCurrentIrpStackLocationTest
	Inside ObReferenceObjectByHandleTest
	Inside ExAllocatePoolWithTagTest
	Inside PsCreateSystemThreadTest
	Inside ZwCloseTest
	Inside ObfDereferenceObjectTest
	Inside ObReferenceObjectByHandleTest
	Inside KeSetEventTest
	Inside ObfDereferenceObjectTest
	Inside IofCompleteRequestTest
	(-- KDU EXITED HERE --)
With some other providers, something similar to this gets output to WinDbg as well:
	[>] DriverEntryTest
	\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\DrvObj
	DriverObject->DriverName: \Driver\DrvObj
	[<] DriverEntryTest
	Inside ObfDereferenceObjectTest
	Inside ObReferenceObjectByHandleTest
	Inside KeSetEventTest
	Inside ObfDereferenceObjectTest
	Inside IofCompleteRequestTest
	Entering WinIoDispatchIRP_MJ_CLOSELeaving WinIoDispatchEntering WinIoUnloadLeaving WinIoUnload

	************************************************************************************
	*  \Device\HarddiskVolume3\Users\geeze\OneDrive\Desktop\nuts\EneTechIo64.sys violated CI base policy DriverSiPolicy.p7b with error code 0xc0000603 for scenario 0.
	*  It is now allowed to load because debugger is attached.
	************************************************************************************

My Windows Version (VM): (screenshot)

The Driver I'm trying to load is the simple driverless HelloWorld.sys from KDMapper

One thing that I'd also like to note is that KDMapper also doesn't work anymore for me all of a sudden, maybe knowing this could also contribute here.

Thanks in advance for any help.

Hello,
of course it won't work.

[*] Debug Mode Run, several features (like a shellcode proper generation) will be unavailable

Build in Release.

Damn I'm stupid, thanks man.
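The root cause in this thread is visible in the tool's own output: the `[*] Debug Mode Run` line announces that shellcode generation is disabled, and the later `[!] Bootstrap code size ... exceeds limit ...` and `[!] Error while building shellcode` lines are the downstream symptoms. The following is an added example, not code from the KDU project, that parses KDU-style output (a constructed sample shaped like the log quoted in the issue), extracts the provider, shellcode version and the bootstrap size/limit values, and reports the most likely cause in the order a triage would check it: debug build first, then a bootstrap overshoot, then any remaining `[!]` lines. The line-prefix convention (`[#]`, `[*]`, `[+]`, `[!]`) is taken from the quoted output; the field names and the `likely_cause` heuristic are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a subset of lines in the shape of the KDU output quoted in the issue.
SAMPLE_KDU_LOG = """\
[#] Kernel Driver Utility v1.4.2 (build 2404) started, (c)2020 - 2024 KDU Project
[*] Debug Mode Run, several features (like a shellcode proper generation) will be unavailable
[*] Windows version: 10.0 build 22631
[+] MSFT Driver block list is disabled
[+] Selected provider: 34
[*] Driver mapping using shellcode version: 1
[!] Vulnerable driver is already loaded
[+] Resolving payload import
[!] Bootstrap code size 0x1BC0 exceeds limit 0x794, abort
[!] Unexpected shellcode procedure size, abort
[!] Error while building shellcode, abort
[+] Return value: 0. Bye-bye!
"""

# KDU prefixes every line with a one-character tag in square brackets.
LINE_RE = re.compile(r"^\[(?P<tag>[#*+!])\]\s+(?P<msg>.*)$")
BOOTSTRAP_RE = re.compile(
    r"Bootstrap code size 0x(?P<size>[0-9A-Fa-f]+) exceeds limit 0x(?P<limit>[0-9A-Fa-f]+)"
)


@dataclass
class KduDiagnosis:
    """Facts extracted from one KDU run (field names are this example's own)."""
    debug_build: bool = False
    provider: Optional[int] = None
    shellcode_version: Optional[int] = None
    bootstrap_size: Optional[int] = None
    bootstrap_limit: Optional[int] = None
    errors: List[str] = field(default_factory=list)

    @property
    def bootstrap_overshoot(self) -> Optional[int]:
        """How many bytes the bootstrap exceeded the provider's limit by, if reported."""
        if self.bootstrap_size is None or self.bootstrap_limit is None:
            return None
        return self.bootstrap_size - self.bootstrap_limit

    def likely_cause(self) -> str:
        # Order matters: a debug build explains the shellcode failures on its own,
        # which is exactly the maintainer's answer in the thread ("Build in Release").
        if self.debug_build:
            return "debug build: shellcode generation is unavailable, rebuild in Release"
        overshoot = self.bootstrap_overshoot
        if overshoot is not None and overshoot > 0:
            return f"bootstrap code exceeds the provider's limit by {overshoot} bytes"
        if self.errors:
            return "see [!] lines: " + "; ".join(self.errors)
        return "no error detected"


def parse_kdu_log(text: str) -> KduDiagnosis:
    """Walk the log once, collecting [!] lines and the handful of values worth comparing."""
    diag = KduDiagnosis()
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # WinDbg noise, blank lines, or the user's own annotations
        tag, msg = match.group("tag"), match.group("msg")
        if tag == "!":
            diag.errors.append(msg)
        if msg.startswith("Debug Mode Run"):
            diag.debug_build = True
        elif msg.startswith("Selected provider:"):
            diag.provider = int(msg.split(":", 1)[1])
        elif msg.startswith("Driver mapping using shellcode version:"):
            diag.shellcode_version = int(msg.split(":", 1)[1])
        size_match = BOOTSTRAP_RE.search(msg)
        if size_match:
            diag.bootstrap_size = int(size_match.group("size"), 16)
            diag.bootstrap_limit = int(size_match.group("limit"), 16)
    return diag


if __name__ == "__main__":
    result = parse_kdu_log(SAMPLE_KDU_LOG)
    print(f"provider={result.provider} scv={result.shellcode_version} "
          f"debug={result.debug_build} overshoot={result.bootstrap_overshoot}")
    print("likely cause:", result.likely_cause())
```

Running it over the sample reports the debug build before anything else, which is the check worth doing first when a mapping run fails with shellcode-size errors; the same parser run over a Release-build log (no `Debug Mode Run` line) falls through to the bootstrap overshoot or the raw `[!]` lines instead.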