Unable to unload vulnerable driver, NTSTATUS (0xC0000010)
hern0s-dev opened this issue · 1 comment
hern0s-dev commented
I get this error when I try kdu.exe -dse 6
[#] Kernel Driver Utility v1.2.8 (build 2212) started, (c)2020 - 2022 KDU Project
[#] Build at Fri Dec 9 07:44:47 2022, header checksum 0x4FDEE
[#] Supported x64 OS : Windows 7 and above
[*] CPU vendor string: AuthenticAMD
[*] Windows version: 10.0 build 22621
[*] SecureBoot is disabled on this machine
[+] MSFT Driver block list is disabled
[+] Drivers database "drv64.dll" loaded at 0x00007FF8A1280000
[+] Firmware type (FirmwareTypeUefi)
[+] Provider: "CVE-2015-2291", Name "NalDrv"
[!] Vulnerable driver is already loaded
[+] Driver device "NalDrv" has successfully opened
[+] Executing post-open callback for given provider
[+] Driver device security descriptor set successfully
[+] Module "CI.dll" loaded for pattern search
[!] Could not query DSE state, GetLastError 5
[!] Unable to unload vulnerable driver, NTSTATUS (0xC0000010)
[+] Return value: 0. Bye-bye!
I already tried kdu.exe -prv 0 1 2 3 and others; I changed the provider, but it is still the same. Here is the -diag result:
> [#] Kernel Driver Utility v1.2.8 (build 2212) started, (c)2020 - 2022 KDU Project
> [#] Build at Fri Dec 9 07:44:47 2022, header checksum 0x4FDEE
> [#] Supported x64 OS : Windows 7 and above
> [*] CPU vendor string: AuthenticAMD
> [*] Windows version: 10.0 build 22621
> [*] SecureBoot is disabled on this machine
> [+] MSFT Driver block list is disabled
> [+] Running system diagnostics
> > System range start FFFF800000000000
> > Speculation mitigation state flags
> >> SystemKernelVaShadowInformation
> KvaShadowEnabled FALSE
> KvaShadowUserGlobal FALSE
> KvaShadowPcid FALSE
> KvaShadowInvpcid FALSE
> KvaShadowRequired FALSE
> KvaShadowRequiredAvailable TRUE
> InvalidPteBit 0
> L1DataCacheFlushSupported FALSE
> L1TerminalFaultMitigationPresent TRUE
> >> SystemSpeculationControlInformation
> BpbEnabled TRUE
> BpbDisabledSystemPolicy FALSE
> BpbDisabledNoHardwareSupport FALSE
> SpecCtrlEnumerated TRUE
> SpecCmdEnumerated TRUE
> IbrsPresent TRUE
> StibpPresent TRUE
> SmepPresent TRUE
> SpeculativeStoreBypassDisableAvailable TRUE
> SpeculativeStoreBypassDisableSupported TRUE
> SpeculativeStoreBypassDisabledSystemWide FALSE
> SpeculativeStoreBypassDisabledKernel FALSE
> SpeculativeStoreBypassDisableRequired TRUE
> BpbDisabledKernelToUser FALSE
> SpecCtrlRetpolineEnabled TRUE
> SpecCtrlImportOptimizationEnabled TRUE
> EnhancedIbrs FALSE
> HvL1tfStatusAvailable FALSE
> HvL1tfProcessorNotAffected FALSE
> HvL1tfMigitationEnabled FALSE
> HvL1tfMigitationNotEnabled_Hardware FALSE
> HvL1tfMigitationNotEnabled_LoadOption FALSE
> HvL1tfMigitationNotEnabled_CoreScheduler FALSE
> EnhancedIbrsReported TRUE
> MdsHardwareProtected FALSE
> MbClearEnabled FALSE
> MbClearReported TRUE
> TsxCtrlStatus 3
> TsxCtrlReported TRUE
> TaaHardwareImmune TRUE
> >> SystemSpeculationControlInformation v2
> SbdrSsdpHardwareProtected FALSE
> FbsdpHardwareProtected FALSE
> PsdpHardwareProtected FALSE
> FbClearEnabled FALSE
> FbClearReported TRUE
> > List of loaded drivers
> [#] [ImageBase] [ImageSize] [FileName]
> 0 FFFFF80114400000 17068032 \SystemRoot\system32\ntoskrnl.exe
> 1 FFFFF801115C0000 24576 \SystemRoot\system32\hal.dll
> 2 FFFFF801115D0000 45056 \SystemRoot\system32\kd.dll
> 3 FFFFF80111580000 217088 \SystemRoot\system32\mcupdate_AuthenticAMD.dll
> 4 FFFFF80116A30000 450560 \SystemRoot\System32\drivers\CLFS.SYS
> 5 FFFFF80116A00000 167936 \SystemRoot\System32\drivers\tm.sys
> 6 FFFFF801115E0000 110592 \SystemRoot\system32\PSHED.dll
> 7 FFFFF80116AA0000 53248 \SystemRoot\system32\BOOTVID.dll
> 8 FFFFF80116BD0000 483328 \SystemRoot\System32\drivers\FLTMGR.SYS
> 9 FFFFF80116C80000 397312 \SystemRoot\System32\drivers\msrpc.sys
> 10 FFFFF80116C50000 180224 \SystemRoot\System32\drivers\ksecdd.sys
> 11 FFFFF80116AB0000 1130496 \SystemRoot\System32\drivers\clipsp.sys
> 12 FFFFF80116CF0000 61440 \SystemRoot\System32\drivers\cmimcext.sys
> 13 FFFFF80116D00000 90112 \SystemRoot\System32\drivers\werkernel.sys
> 14 FFFFF80116D20000 49152 \SystemRoot\System32\drivers\ntosext.sys
> 15 FFFFF80116D30000 991232 \SystemRoot\system32\CI.dll
> 16 FFFFF80116E30000 774144 \SystemRoot\System32\drivers\cng.sys
> 17 FFFFF80116EF0000 815104 \SystemRoot\system32\drivers\Wdf01000.sys
> 18 FFFFF80116FE0000 77824 \SystemRoot\system32\drivers\WppRecorder.sys
> 19 FFFFF80116FC0000 94208 \SystemRoot\system32\drivers\WDFLDR.SYS
> 20 FFFFF80117000000 57344 \SystemRoot\System32\DriverStore\FileRepository\prm.inf_amd64_de435dc5c75d64a5\PRM.sys
> 21 FFFFF80117010000 159744 \SystemRoot\System32\Drivers\acpiex.sys
> 22 FFFFF80117040000 114688 \SystemRoot\system32\drivers\SgrmAgent.sys
> 23 FFFFF80117060000 753664 \SystemRoot\System32\drivers\ACPI.sys
> 24 FFFFF80117120000 49152 \SystemRoot\System32\drivers\WMILIB.SYS
> 25 FFFFF80117130000 45056 \SystemRoot\System32\drivers\msisadrv.sys
> 26 FFFFF80117140000 565248 \SystemRoot\System32\drivers\pci.sys
> 27 FFFFF801171D0000 356352 \SystemRoot\System32\drivers\tpm.sys
> 28 FFFFF80117260000 483328 \SystemRoot\System32\drivers\intelpep.sys
> 29 FFFFF801172E0000 98304 \SystemRoot\system32\drivers\WindowsTrustedRT.sys
> 30 FFFFF80117300000 77824 \SystemRoot\System32\drivers\IntelPMT.sys
> 31 FFFFF80117320000 45056 \SystemRoot\System32\drivers\WindowsTrustedRTProxy.sys
> 32 FFFFF80117330000 90112 \SystemRoot\System32\drivers\pcw.sys
> 33 FFFFF80117350000 372736 \SystemRoot\System32\Drivers\klupd_klif_arkmon.sys
> 34 FFFFF801173B0000 114688 \SystemRoot\System32\drivers\vdrvroot.sys
> 35 FFFFF801173D0000 245760 \SystemRoot\system32\DRIVERS\cm_km.sys
> 36 FFFFF80117410000 200704 \SystemRoot\system32\drivers\pdc.sys
> 37 FFFFF80117450000 98304 \SystemRoot\system32\drivers\CEA.sys
> 38 FFFFF80117470000 208896 \SystemRoot\System32\drivers\partmgr.sys
> 39 FFFFF801174B0000 921600 \SystemRoot\System32\drivers\spaceport.sys
> 40 FFFFF801175A0000 114688 \SystemRoot\System32\drivers\volmgr.sys
> 41 FFFFF801175C0000 409600 \SystemRoot\System32\drivers\volmgrx.sys
> 42 FFFFF80117630000 126976 \SystemRoot\System32\drivers\mountmgr.sys
> 43 FFFFF80117650000 204800 \SystemRoot\System32\drivers\storahci.sys
> 44 FFFFF80117690000 1159168 \SystemRoot\System32\drivers\storport.sys
> 45 FFFFF801177B0000 241664 \SystemRoot\System32\drivers\stornvme.sys
> 46 FFFFF801177F0000 147456 \SystemRoot\System32\drivers\EhStorClass.sys
> 47 FFFFF80117820000 114688 \SystemRoot\System32\drivers\fileinfo.sys
> 48 FFFFF80117840000 290816 \SystemRoot\System32\Drivers\Wof.sys
> 49 FFFFF80117890000 487424 \SystemRoot\system32\drivers\wd\WdFilter.sys
> 50 FFFFF80117910000 3366912 \SystemRoot\System32\Drivers\Ntfs.sys
> 51 FFFFF80117C50000 61440 \SystemRoot\System32\Drivers\Fs_Rec.sys
> 52 FFFFF80117C60000 1630208 \SystemRoot\system32\drivers\ndis.sys
> 53 FFFFF80117DF0000 647168 \SystemRoot\system32\drivers\NETIO.SYS
> 54 FFFFF80117E90000 217088 \SystemRoot\System32\Drivers\ksecpkg.sys
> 55 FFFFF80117ED0000 53248 \SystemRoot\System32\drivers\amdpsp.sys
> 56 FFFFF80117EE0000 3338240 \SystemRoot\System32\drivers\tcpip.sys
> 57 FFFFF80118210000 536576 \SystemRoot\System32\drivers\fwpkclnt.sys
> 58 FFFFF801182A0000 200704 \SystemRoot\System32\drivers\wfplwfs.sys
> 59 FFFFF801182E0000 868352 \SystemRoot\System32\DRIVERS\fvevol.sys
> 60 FFFFF801183C0000 45056 \SystemRoot\System32\drivers\volume.sys
> 61 FFFFF801183D0000 458752 \SystemRoot\System32\drivers\volsnap.sys
> 62 FFFFF80118450000 331776 \SystemRoot\System32\drivers\rdyboost.sys
> 63 FFFFF801184B0000 159744 \SystemRoot\System32\Drivers\mup.sys
> 64 FFFFF801184E0000 172032 \SystemRoot\System32\Drivers\klupd_klif_klbg.sys
> 65 FFFFF80118510000 77824 \SystemRoot\system32\drivers\iorate.sys
> 66 FFFFF80118550000 131072 \SystemRoot\System32\drivers\disk.sys
> 67 FFFFF80118580000 479232 \SystemRoot\System32\drivers\CLASSPNP.SYS
> 68 FFFFF801232D0000 163840 \SystemRoot\System32\Drivers\crashdmp.sys
> 69 FFFFF80123000000 102400 \SystemRoot\system32\DRIVERS\klbackupdisk.sys
> 70 FFFFF80123020000 204800 \SystemRoot\System32\drivers\cdrom.sys
> 71 FFFFF80123060000 581632 \SystemRoot\system32\DRIVERS\klflt.sys
> 72 FFFFF801230F0000 204800 \SystemRoot\system32\DRIVERS\klbackupflt.sys
> 73 FFFFF80123130000 90112 \SystemRoot\system32\drivers\filecrypt.sys
> 74 FFFFF80123150000 65536 \SystemRoot\system32\drivers\tbs.sys
> 75 FFFFF80123170000 1064960 \SystemRoot\system32\DRIVERS\klif.sys
> 76 FFFFF80124BE0000 544768 \SystemRoot\system32\DRIVERS\ks.sys
> 77 FFFFF80124200000 1871872 \SystemRoot\system32\DRIVERS\klhk.sys
> 78 FFFFF801243D0000 720896 \SystemRoot\system32\DRIVERS\klgse.sys
> 79 FFFFF80124490000 77824 \SystemRoot\system32\DRIVERS\klpd.sys
> 80 FFFFF801244B0000 118784 \SystemRoot\system32\DRIVERS\kldisk.sys
> 81 FFFFF801244D0000 45056 \SystemRoot\System32\Drivers\Null.SYS
> 82 FFFFF801244E0000 40960 \SystemRoot\System32\Drivers\Beep.SYS
> 83 FFFFF801244F0000 4689920 \SystemRoot\System32\drivers\dxgkrnl.sys
> 84 FFFFF80124970000 139264 \SystemRoot\System32\drivers\watchdog.sys
> 85 FFFFF801249A0000 94208 \SystemRoot\System32\DriverStore\FileRepository\basicdisplay.inf_amd64_02da009b3d736cc1\BasicDisplay.sys
> 86 FFFFF801249C0000 73728 \SystemRoot\System32\DriverStore\FileRepository\basicrender.inf_amd64_f7df692e0f5ee07f\BasicRender.sys
> 87 FFFFF801249E0000 114688 \SystemRoot\System32\Drivers\Npfs.SYS
> 88 FFFFF80124A00000 73728 \SystemRoot\System32\Drivers\Msfs.SYS
> 89 FFFFF80124A20000 163840 \SystemRoot\System32\Drivers\CimFS.SYS
> 90 FFFFF80124A50000 147456 \SystemRoot\system32\DRIVERS\klwfp.sys
> 91 FFFFF80124A80000 147456 \SystemRoot\system32\DRIVERS\tdx.sys
> 92 FFFFF80124AB0000 69632 \SystemRoot\system32\DRIVERS\TDI.SYS
> 93 FFFFF80124AD0000 331776 \SystemRoot\System32\DRIVERS\netbt.sys
> 94 FFFFF80124B30000 81920 \SystemRoot\system32\drivers\afunix.sys
> 95 FFFFF80124C70000 688128 \SystemRoot\system32\drivers\afd.sys
> 96 FFFFF80124D20000 315392 \SystemRoot\system32\DRIVERS\klwtp.sys
> 97 FFFFF80124D70000 90112 \SystemRoot\system32\DRIVERS\klim6.sys
> 98 FFFFF80124D90000 110592 \SystemRoot\System32\drivers\vwififlt.sys
> 99 FFFFF80124DB0000 176128 \SystemRoot\System32\drivers\pacer.sys
> 100 FFFFF80124DE0000 86016 \SystemRoot\System32\drivers\ndiscap.sys
> 101 FFFFF80124B50000 86016 \SystemRoot\system32\drivers\netbios.sys
> 102 FFFFF80126480000 819200 \SystemRoot\System32\drivers\Vid.sys
> 103 FFFFF80126550000 163840 \SystemRoot\System32\drivers\winhvr.sys
> 104 FFFFF80126580000 86016 \SystemRoot\system32\DRIVERS\klpnpflt.sys
> 105 FFFFF80126000000 512000 \SystemRoot\system32\DRIVERS\rdbss.sys
> 106 FFFFF80126080000 262144 \SystemRoot\System32\drivers\ViGEmBus.sys
> 107 FFFFF801260D0000 77824 \SystemRoot\system32\drivers\nsiproxy.sys
> 108 FFFFF801260F0000 65536 \SystemRoot\System32\drivers\npsvctrig.sys
> 109 FFFFF80126110000 69632 \SystemRoot\System32\drivers\mssmbios.sys
> 110 FFFFF80126130000 299008 \SystemRoot\system32\DRIVERS\kneps.sys
> 111 FFFFF80126180000 229376 \??\C:\ProgramData\Kaspersky Lab\AVP21.3\Bases\klids.sys
> 112 FFFFF801261C0000 184320 \SystemRoot\System32\Drivers\dfsc.sys
> 113 FFFFF80126230000 450560 \SystemRoot\System32\Drivers\fastfat.SYS
> 114 FFFFF801262A0000 106496 \SystemRoot\system32\drivers\bam.sys
> 115 FFFFF801262C0000 376832 \SystemRoot\system32\DRIVERS\ahcache.sys
> 116 FFFFF80126320000 61440 \SystemRoot\System32\drivers\amdxe.sys
> 117 FFFFF80126330000 176128 \SystemRoot\System32\drivers\amdfendr.sys
> 118 FFFFF80126360000 81920 \SystemRoot\System32\DriverStore\FileRepository\compositebus.inf_amd64_2e50c98177d80a40\CompositeBus.sys
> 119 FFFFF80126380000 61440 \SystemRoot\System32\drivers\kdnic.sys
> 120 FFFFF80126390000 114688 \SystemRoot\System32\DriverStore\FileRepository\amdsafd.inf_amd64_1a1a381a2c0e293c\amdsafd.sys
> 121 FFFFF801263B0000 471040 \SystemRoot\System32\drivers\portcls.sys
> 122 FFFFF80126430000 143360 \SystemRoot\System32\drivers\drmk.sys
> 123 FFFFF80126460000 65536 \SystemRoot\system32\drivers\ksthunk.sys
> 124 FFFFF801265A0000 94208 \SystemRoot\System32\DriverStore\FileRepository\umbus.inf_amd64_8ee833e5ca48d1de\umbus.sys
> 125 FFFFF801270D0000 667648 \SystemRoot\System32\drivers\USBXHCI.SYS
> 126 FFFFF80127180000 286720 \SystemRoot\system32\drivers\ucx01000.sys
> 127 FFFFF80126600000 712704 \SystemRoot\System32\DriverStore\FileRepository\rt25cx21x64.inf_amd64_affac63db0770a78\rt25cx21x64.sys
> 128 FFFFF801266B0000 389120 \SystemRoot\system32\drivers\NetAdapterCx.sys
> 129 FFFFF801388D0000 94785536 \SystemRoot\System32\DriverStore\FileRepository\u0386458.inf_amd64_e0283e9e7966f704\B386218\amdkmdag.sys
> 130 FFFFF8013E340000 192512 \SystemRoot\System32\drivers\HDAudBus.sys
> 131 FFFFF8013E370000 45056 \SystemRoot\System32\drivers\AMDPCIDev.sys
> 132 FFFFF8013E380000 53248 \SystemRoot\System32\drivers\amdgpio2.sys
> 133 FFFFF8013E390000 208896 \SystemRoot\System32\Drivers\msgpioclx.sys
> 134 FFFFF8013E3D0000 53248 \SystemRoot\System32\drivers\wmiacpi.sys
> 135 FFFFF80138600000 282624 \SystemRoot\System32\drivers\amdppm.sys
> 136 FFFFF80138650000 45056 \SystemRoot\System32\drivers\amdgpio3.sys
> 137 FFFFF80138660000 69632 \SystemRoot\System32\DriverStore\FileRepository\uefi.inf_amd64_3abb917fc03c6fa8\UEFI.sys
> 138 FFFFF801386E0000 40960 \SystemRoot\System32\drivers\amdfendrmgr.sys
> 139 FFFFF801386F0000 61440 \SystemRoot\System32\drivers\dtliteusbbus.sys
> 140 FFFFF80138700000 57344 \SystemRoot\System32\drivers\NdisVirtualBus.sys
> 141 FFFFF80138710000 49152 \SystemRoot\System32\DriverStore\FileRepository\swenum.inf_amd64_d84a235075a8ff73\swenum.sys
> 142 FFFFF80138720000 45056 \SystemRoot\System32\drivers\AWCCDriver.sys
> 143 FFFFF80138730000 69632 \SystemRoot\System32\drivers\HidHide.sys
> 144 FFFFF80138750000 45056 \SystemRoot\System32\drivers\dtlitescsibus.sys
> 145 FFFFF80138760000 65536 \SystemRoot\System32\drivers\rdpbus.sys
> 146 FFFFF80138780000 712704 \SystemRoot\System32\drivers\UsbHub3.sys
> 147 FFFFF80138830000 61440 \SystemRoot\System32\drivers\USBD.SYS
> 148 FFFFF80138840000 253952 \SystemRoot\system32\drivers\AtihdWT6.sys
> 149 FFFFF80126710000 528384 \SystemRoot\System32\drivers\HdAudio.sys
> 150 FFFFF80138880000 77824 \SystemRoot\System32\drivers\hidusb.sys
> 151 FFFFF80138680000 278528 \SystemRoot\System32\drivers\HIDCLASS.SYS
> 152 FFFFF801388A0000 90112 \SystemRoot\System32\drivers\HIDPARSE.SYS
> 153 FFFFF8013E3E0000 69632 \SystemRoot\System32\drivers\mouhid.sys
> 154 FFFFF801267A0000 106496 \SystemRoot\system32\DRIVERS\klmouflt.sys
> 155 FFFFF801267C0000 86016 \SystemRoot\System32\drivers\mouclass.sys
> 156 FFFFF801267E0000 73728 \SystemRoot\System32\drivers\kbdhid.sys
> 157 FFFFF80126800000 102400 \SystemRoot\system32\DRIVERS\klkbdflt.sys
> 158 FFFFF80126820000 86016 \SystemRoot\System32\drivers\kbdclass.sys
> 159 FFFFF80126840000 163840 \SystemRoot\System32\drivers\USBSTOR.SYS
> 160 FFFFF80126870000 221184 \SystemRoot\System32\drivers\usbccgp.sys
> 161 FFFFFD379FB50000 696320 \SystemRoot\System32\win32k.sys
> 162 FFFFF801386D0000 49152 \SystemRoot\System32\WIN32KSGD.SYS
> 163 FFFFFD379F600000 3604480 \SystemRoot\System32\win32kbase.sys
> 164 FFFFFD37A06A0000 3837952 \SystemRoot\System32\win32kfull.sys
> 165 FFFFF801268D0000 69632 \SystemRoot\System32\Drivers\dump_dumpstorport.sys
> 166 FFFFF80126930000 241664 \SystemRoot\System32\drivers\dump_stornvme.sys
> 167 FFFFF80126990000 122880 \SystemRoot\System32\Drivers\dump_dumpfve.sys
> 168 FFFFF801269B0000 1138688 \SystemRoot\System32\drivers\dxgmms2.sys
> 169 FFFFF80126AD0000 122880 \SystemRoot\System32\drivers\monitor.sys
> 170 FFFFFD37A0A50000 286720 \SystemRoot\System32\cdd.dll
> 171 FFFFF80126AF0000 356352 \SystemRoot\System32\drivers\WUDFRd.sys
> 172 FFFFF80126B50000 81920 \SystemRoot\system32\drivers\bfs.sys
> 173 FFFFF80126B70000 172032 \SystemRoot\system32\drivers\luafv.sys
> 174 FFFFF80126BA0000 241664 \SystemRoot\system32\drivers\wcifs.sys
> 175 FFFFF80126BE0000 196608 \SystemRoot\System32\drivers\rdpdr.sys
> 176 FFFFF801388C0000 61440 \SystemRoot\System32\drivers\WpdUpFltr.sys
> 177 FFFFF80126C20000 573440 \SystemRoot\system32\drivers\cldflt.sys
> 178 FFFFF80126CB0000 110592 \SystemRoot\system32\drivers\storqosflt.sys
> 179 FFFFF80126CD0000 163840 \SystemRoot\system32\drivers\bindflt.sys
> 180 FFFFF80126D00000 155648 \SystemRoot\system32\DRIVERS\bowser.sys
> 181 FFFFF80126D30000 434176 \SystemRoot\system32\drivers\msquic.sys
> 182 FFFFF80126DA0000 655360 \SystemRoot\system32\DRIVERS\mrxsmb.sys
> 183 FFFFF80126E50000 323584 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
> 184 FFFFF80126EA0000 102400 \SystemRoot\system32\drivers\lltdio.sys
> 185 FFFFF80126EC0000 102400 \SystemRoot\system32\drivers\mslldp.sys
> 186 FFFFF80126EE0000 118784 \SystemRoot\system32\drivers\rspndr.sys
> 187 FFFFF80126F00000 126976 \SystemRoot\System32\DRIVERS\wanarp.sys
> 188 FFFFF80126F20000 757760 \SystemRoot\system32\DRIVERS\nwifi.sys
> 189 FFFFF80126FE0000 102400 \SystemRoot\system32\drivers\ndisuio.sys
> 190 FFFFF80127000000 110592 \SystemRoot\System32\drivers\mpsdrv.sys
> 191 FFFFF80127020000 90112 \SystemRoot\system32\drivers\mmcss.sys
> 192 FFFFF80127040000 53248 \??\C:\Windows\system32\AMDRyzenMasterDriver.sys
> 193 FFFFF80127050000 372736 \SystemRoot\System32\DRIVERS\srvnet.sys
> 194 FFFFF80123300000 856064 \SystemRoot\system32\drivers\peauth.sys
> 195 FFFFF801574B0000 872448 \SystemRoot\System32\DRIVERS\srv2.sys
> 196 FFFFF80157590000 77824 \SystemRoot\System32\drivers\condrv.sys
> 197 FFFFF801575B0000 266240 \SystemRoot\System32\Drivers\klupd_klif_mark.sys
> 198 FFFFF80156600000 6111232 \??\C:\Users\hiper\OneDrive\Masaüstü\KDmapper\NalDrv.sys
> 199 FFFFF80156BE0000 1777664 \SystemRoot\system32\drivers\HTTP.sys
> 200 FFFFF80156DA0000 352256 \SystemRoot\System32\Drivers\klupd_klif_klark.sys
> > List of device and driver objects in the common locations
> > Process (self) handle trace
> > Thread handle trace
> > Process (1188) handle trace
> Cannot open process, NTSTATUS (0xC0000022)
> > Section handle trace
> > Analyzing process working set
> > List of registered minifilters
> >> bindflt
> >> WdFilter
> >> KLIF
> >> storqosflt
> >> wcifs
> >> CldFlt
> >> bfs
> >> FileCrypt
> >> luafv
> >> klbackupflt
> >> npsvctrig
> >> Wof
> >> FileInfo
> > Physical memory layout
> ResourceList Count 1
> pDesc[0].PartialResourceList.Count 7
> #0 Flags 0x0000 0x0000000000001000::0x00000000000A0000 (length 0x000000000009F000, 0 Mb)
> #1 Flags 0x0000 0x0000000000100000::0x0000000009E02000 (length 0x0000000009D02000, 157 Mb)
> #2 Flags 0x0000 0x000000000A000000::0x000000000A200000 (length 0x0000000000200000, 2 Mb)
> #3 Flags 0x0000 0x000000000A20E000::0x000000000B000000 (length 0x0000000000DF2000, 13 Mb)
> #4 Flags 0x0000 0x000000000B020000::0x00000000CB147000 (length 0x00000000C0127000, 3073 Mb)
> #5 Flags 0x0000 0x00000000CDBFF000::0x00000000CF000000 (length 0x0000000001401000, 20 Mb)
> #6 Flags 0x0200 0x0000000100000000::0x000000042F380000 (length 0x000000032F380000, 13043 Mb)
> [+] Return value: 1. Bye-bye!
hfiref0x commented
[!] Vulnerable driver is already loaded
198 FFFFF80156600000 6111232 \??\C:\Users\hiper\OneDrive\Masaüstü\KDmapper\NalDrv.sys
c0000010 - STATUS_INVALID_DEVICE_REQUEST: you have a different version of NalDrv loaded; get rid of it.
[!] Could not query DSE state, GetLastError 5 (ERROR_ACCESS_DENIED).
The loaded NalDrv is a different version from the one KDU uses; get rid of it.
Run kdu -prv 1 -dse 0 and post the result.
Additionally, you are running a bunch of Kaspersky drivers that may interfere; get rid of them.
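As an added triage example (not KDU's code and not from this thread), the script below parses the "List of loaded drivers" section of a -diag dump and flags what the maintainer spotted by eye: a provider driver such as NalDrv already resident, a kernel image loaded from a user profile directory (entry 198 above), and third-party security drivers that may interfere. The provider-name set and the "kl" vendor prefix heuristic are assumptions drawn only from this report.

```python
"""Triage the 'List of loaded drivers' section of a KDU -diag dump.

Added example, not part of KDU. The parser follows the column layout the
tool prints: <index> <ImageBase> <ImageSize> <FileName>.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Provider driver file names KDU loads itself. Only NalDrv appears in this
# report ('Provider: "CVE-2015-2291", Name "NalDrv"'); extend as needed.
PROVIDER_DRIVERS = {"naldrv.sys"}

# Heuristic (assumption): the Kaspersky kernel components in this report all
# carry the 'kl' file-name prefix (klif.sys, klupd_klif_*.sys, klids.sys ...).
INTERFERING_PREFIXES = ("kl",)

DRIVER_LINE = re.compile(r"^(\d+)\s+([0-9A-Fa-f]{16})\s+(\d+)\s+(.+?)\s*$")

# Constructed excerpt; entries are copied from the report above.
SAMPLE_DIAG = r"""
[+] Running system diagnostics
> System range start FFFF800000000000
> List of loaded drivers
[#] [ImageBase] [ImageSize] [FileName]
0 FFFFF80114400000 17068032 \SystemRoot\system32\ntoskrnl.exe
75 FFFFF80123170000 1064960 \SystemRoot\system32\DRIVERS\klif.sys
111 FFFFF80126180000 229376 \??\C:\ProgramData\Kaspersky Lab\AVP21.3\Bases\klids.sys
192 FFFFF80127040000 53248 \??\C:\Windows\system32\AMDRyzenMasterDriver.sys
198 FFFFF80156600000 6111232 \??\C:\Users\hiper\OneDrive\Masaüstü\KDmapper\NalDrv.sys
199 FFFFF80156BE0000 1777664 \SystemRoot\system32\drivers\HTTP.sys
> List of device and driver objects in the common locations
\Device -> Nal
"""


@dataclass(frozen=True)
class LoadedDriver:
    index: int
    image_base: int
    image_size: int
    path: str

    @property
    def file_name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def from_system_root(self) -> bool:
        return self.path.lower().startswith("\\systemroot\\")

    @property
    def from_user_profile(self) -> bool:
        return "\\users\\" in self.path.lower()


@dataclass(frozen=True)
class Finding:
    index: int
    file_name: str
    severity: str  # "high", "low" or "info"
    reason: str


def parse_loaded_drivers(diag_text: str) -> list[LoadedDriver]:
    """Return the entries printed under '> List of loaded drivers'."""
    drivers: list[LoadedDriver] = []
    in_section = False
    for raw in diag_text.splitlines():
        line = raw.strip()
        if line.startswith(">") and "List of loaded drivers" in line:
            in_section = True
            continue
        if not in_section or line.startswith("[#]"):
            continue  # not in the section yet, or the column header
        m = DRIVER_LINE.match(line)
        if m is None:
            break  # the next diag section starts here
        drivers.append(LoadedDriver(int(m[1]), int(m[2], 16), int(m[3]), m[4]))
    return drivers


def triage(drivers: list[LoadedDriver]) -> list[Finding]:
    """Flag resident provider drivers, user-profile images and vendor drivers."""
    findings: list[Finding] = []
    for d in drivers:
        name = d.file_name
        if name in PROVIDER_DRIVERS:
            findings.append(Finding(d.index, name, "high", "provider driver already loaded"))
        if d.from_user_profile:
            findings.append(Finding(d.index, name, "high", "kernel image loaded from a user profile directory"))
        elif not d.from_system_root:
            findings.append(Finding(d.index, name, "low", "kernel image loaded via a DOS path rather than \\SystemRoot"))
        if name.startswith(INTERFERING_PREFIXES):
            findings.append(Finding(d.index, name, "info", "third-party security driver that may interfere"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_loaded_drivers(SAMPLE_DIAG)):
        print(f"[{f.severity}] #{f.index} {f.file_name}: {f.reason}")
```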