KDU seems completely unable to map drivers
ahabx64 opened this issue · 2 comments
ahabx64 commented
Hello, when trying to map drivers using KDU (latest Release / latest Commit - doesn't make a difference), not a single provider seems to work despite having HVCI and the Vulnerable Driver Blocklist disabled.
All of them give me an output that is very similar to this:
KDU:
[#] Kernel Driver Utility v1.4.2 (build 2404) started, (c)2020 - 2024 KDU Project
[#] Built at Tue Apr 2 06:50:29 2024, header checksum 0x90776
[#] Supported x64 OS : Windows 7 and above
[*] Debug Mode Run, several features (like a shellcode proper generation) will be unavailable
[*] CPU vendor string: GenuineIntel
[*] Windows version: 10.0 build 22631
[*] SecureBoot is disabled on this machine
[*] Debug Mode ENABLED
[+] MSFT Driver block list is disabled
[+] Selected provider: 34
[*] Driver mapping using shellcode version: 1
[+] Input driver file "C:\Users\geeze\OneDrive\Desktop\nuts\HelloWorld.sys" loaded at 0x00007FF68F2D0000
[+] The "VMwareVMware" hypervisor present
[+] Drivers database "drv64.dll" loaded at 0x00007FF91B3B0000
[+] Drivers database version is OK
[+] Firmware type (FirmwareTypeUefi)
[+] Provider: "MSI Foundation Service", Name "WinIo"
[!] Vulnerable driver is already loaded
[+] Driver device "WinIo" has been opened successfully
[+] Executing post-open callback for given provider
[+] Driver device security descriptor set successfully
[+] Processing victim "Process Explorer v17" driver
[+] Mapped victim image at 000001A55DD10000 with size 0xC000 bytes
[+] Extracting victim driver "PROCEXP152" as "C:\Windows\system32\drivers\PROCEXP152.sys"
[+] Successfully loaded victim driver
[+] Query victim image information
[+] Query victim loaded driver layout
[+] Victim target address 0xFFFFF80748CB1D60
[+] Loaded ntoskrnl base 0xFFFFF8074CC00000
[+] Ntoskrnl.exe mapped at 0x7FF7A6790000
[+] Resolving kernel import for input driver
[+] Resolving payload import
[!] Bootstrap code size 0x1BC0 exceeds limit 0x794, abort (Value of Bootstrap code size differs between different scv but still never works)
[!] Unexpected shellcode procedure size, abort
[!] Error while building shellcode, abort
[+] Victim released
[!] Unable to unload vulnerable driver, NTSTATUS (0xC0000034): Object Name not found.
[+] Return value: 0. Bye-bye!
WinDbg from prv 34 (since machine startup, KDU ran almost immediately):
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 22621 MP (1 procs) Free x64
Edition build lab: 22621.1.amd64fre.ni_release.220506-1250
Kernel base = 0xfffff804`1c200000 PsLoadedModuleList = 0xfffff804`1ce134f0
System Uptime: 0 days 0:00:00.000
minio\security\base\lsa\security\driver\asyncsspi.cxx - SspiInitAsyncInterface
IOINIT: Built-in driver \Driver\hwpolicy failed to initialize with status - 0xC000025E
KDTARGET: Refreshing KD connection
DispBroker.Desktop.dll: 10/06/24 20:21:05 Pacific Daylight Time: SessionHandlerBase::EvaluateTargets found new target
Concerning target: Id=0x0, Adapter=b209 connected to {NOEDID_15AD_0405_00000000_000F0000_0}
DfsDs RPC server started.
StartDocked.LauncherFrame
Inside IoGetCurrentIrpStackLocationTest
Inside ObReferenceObjectByHandleTest
Inside ExAllocatePoolWithTagTest
Inside PsCreateSystemThreadTest
Inside ZwCloseTest
Inside ObfDereferenceObjectTest
Inside ObReferenceObjectByHandleTest
Inside KeSetEventTest
Inside ObfDereferenceObjectTest
Inside IofCompleteRequestTest
(-- KDU EXITED HERE --)
With some other providers, something similar to this gets output to WinDbg as well:
[>] DriverEntryTest
\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\DrvObj
DriverObject->DriverName: \Driver\DrvObj
[<] DriverEntryTest
Inside ObfDereferenceObjectTest
Inside ObReferenceObjectByHandleTest
Inside KeSetEventTest
Inside ObfDereferenceObjectTest
Inside IofCompleteRequestTest
Entering WinIoDispatchIRP_MJ_CLOSELeaving WinIoDispatchEntering WinIoUnloadLeaving WinIoUnload
************************************************************************************
* \Device\HarddiskVolume3\Users\geeze\OneDrive\Desktop\nuts\EneTechIo64.sys violated CI base policy DriverSiPolicy.p7b with error code 0xc0000603 for scenario 0.
* It is now allowed to load because debugger is attached.
************************************************************************************
The driver I'm trying to load is the simple driverless HelloWorld.sys from KDMapper.
One thing that I'd also like to note is that KDMapper also doesn't work anymore for me all of a sudden; maybe knowing this could also contribute here.
Thanks in advance for any help.
hfiref0x commented
Hello,
of course it won't work.
[*] Debug Mode Run, several features (like a shellcode proper generation) will be unavailable
Build in Release.
ahabx64 commented
Damn I'm stupid, thanks man.