No output after mapping dummy driver
nrmu9 opened this issue · 2 comments
nrmu9 commented
Hello, I've compiled the projects in Release x64 with VS2022. I compiled the dummy driver as well and tried to map it using KDU, with the following command: kdu.exe -map dummy.sys. However, when I do, there's no output in DbgView64. Yes, I have the "Capture Kernel" option enabled.
C:\KDU-1.4.1>kdu.exe -map dummy.sys -prv 1
[#] Kernel Driver Utility v1.4.1 (build 2312) started, (c)2020 - 2023 KDU Project
[#] Built at Sat Dec 23 18:05:01 2023, header checksum 0x66A47
[#] Supported x64 OS : Windows 7 and above
[*] CPU vendor string: GenuineIntel
[*] Windows version: 10.0 build 19045
[*] SecureBoot is disabled on this machine
[+] MSFT Driver block list is enabled
[+] Selected provider: 1
[*] Driver mapping using shellcode version: 1
[+] Input driver file "dummy.sys" loaded at 0x00007FF62F2E0000
[+] MSFT hypervisor present
[+] Drivers database "drv64.dll" loaded at 0x00007FF9E2DC0000
[+] Firmware type (FirmwareTypeUefi)
[+] Provider: "CVE-2019-16098", Name "RTCore64"
[+] Extracting vulnerable driver as "C:\KDU-1.4.1\RTCore64.sys"
[+] Vulnerable driver "RTCore64" loaded
[+] Driver device "RTCore64" has been opened successfully
[+] Executing post-open callback for given provider
[+] Driver device security descriptor set successfully
[+] Processing victim "Process Explorer v17" driver
[+] Mapped victim image at 0000020D44940000 with size 0xC000 bytes
[+] Extracting victim driver "PROCEXP152" as "C:\Windows\system32\drivers\PROCEXP152.sys"
[+] Successfully loaded victim driver
[+] Query victim image information
[+] Query victim loaded driver layout
[+] Victim target address 0xFFFFF802A4CC1D60
[+] Loaded ntoskrnl base 0xFFFFF80221800000
[+] Ntoskrnl.exe mapped at 0x7FF64ECA0000
[+] Resolving kernel import for input driver
[+] Resolving payload import
[*] ZwClose 0xFFFFF80221BF9C40
[*] PsCreateSystemThread 0xFFFFF80221EA9200
[+] Resolving base shellcode import
[*] MmSectionObjectType 0xFFFFF802224FC520
[*] ExAllocatePoolWithTag 0xFFFFF802221B7010
[*] IofCompleteRequest 0xFFFFF80221A5D0D0
[*] ZwMapViewOfSection 0xFFFFF80221BF9F60
[*] ZwUnmapViewOfSection 0xFFFFF80221BF9FA0
[*] ObReferenceObjectByHandle 0xFFFFF80221E45F80
[*] ObfDereferenceObject 0xFFFFF80221A45B20
[*] KeSetEvent 0xFFFFF80221A3DBF0
[+] Bootstrap code size = 0x2D5
[+] Driver handler code modified
[+] Executing shellcode
[~] Shellcode result: NTSTATUS (0x0)
[+] Victim released
[+] Vulnerable driver "RTCore64" unloaded
[+] Vulnerable driver file removed
[+] Return value: 1. Bye-bye!
hfiref0x commented
Enable verbose kernel output and try again. DbgView doesn't work sometimes at all.
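For reference, what "verbose kernel output" amounts to on Windows Vista and later is the documented Debug Print Filter mask, which decides which DbgPrint/KdPrint levels are forwarded to listeners such as DbgView at all. The following PowerShell script is an added example, not code from the KDU project or from anyone in this thread; it reads the DEFAULT component mask and sets it to 0xF (ERROR, WARNING, TRACE and INFO), assuming an elevated shell, and the new value only takes effect after a reboot.

```powershell
# Added example (not KDU project code): inspect and enable the Debug Print Filter
# so DbgPrint/KdPrint output at every level reaches listeners such as DbgView.
# Documented key: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter
# Run elevated; the registry mask is read at boot, so reboot afterwards.

$FilterKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Debug Print Filter'

# DPFLTR_* level bits (wdm.h): bit 0 ERROR, bit 1 WARNING, bit 2 TRACE, bit 3 INFO
$LevelNames = @{ 0 = 'ERROR'; 1 = 'WARNING'; 2 = 'TRACE'; 3 = 'INFO' }

function Get-DebugPrintMask {
    param([string]$Component = 'DEFAULT')
    $prop = Get-ItemProperty -Path $FilterKey -Name $Component -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return [uint32]0 }   # key or value absent: only the built-in default (ERROR) applies
    # REG_DWORD comes back as Int32; mask to avoid a negative value for 0xFFFFFFFF
    return [uint32]([int64]$prop.$Component -band 0xFFFFFFFF)
}

function Format-DebugPrintMask {
    param([uint32]$Mask)
    $on = foreach ($bit in 0..3) { if ($Mask -band (1 -shl $bit)) { $LevelNames[$bit] } }
    if (-not $on) { return 'none of ERROR/WARNING/TRACE/INFO' }
    return ($on -join ', ')
}

function Set-DebugPrintMask {
    param([string]$Component = 'DEFAULT', [uint32]$Mask = 0xF)
    if (-not (Test-Path $FilterKey)) { New-Item -Path $FilterKey -Force | Out-Null }
    New-ItemProperty -Path $FilterKey -Name $Component -PropertyType DWord -Value $Mask -Force | Out-Null
}

$before = Get-DebugPrintMask
Write-Host ("DEFAULT mask before: 0x{0:X} ({1})" -f $before, (Format-DebugPrintMask $before))
Set-DebugPrintMask -Mask 0xF
$after = Get-DebugPrintMask
Write-Host ("DEFAULT mask after:  0x{0:X} ({1}); reboot for the change to take effect" -f $after, (Format-DebugPrintMask $after))
```

Only the DEFAULT component is touched here; a per-component value (for example IHVDRIVER) can be set the same way if the driver uses DbgPrintEx with that component id.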
nrmu9 commented
Enable verbose kernel output and try again. DbgView doesn't work sometimes at all.
Thank you! It works. You're amazing :)