Merge pull request #101 from hfiref0x/dev143

v1.4.3

README.md

@@ -162,6 +162,7 @@ Note: Provider with Id 0 assumed as default if no -prv command is specified.
 | 50     | ASRock         | AsrDrv107n  | ASRock Motherboard Utility    | 3.0.498 and below       |                      |
 | 51     | ASRock         | AsrDrv107  | ASRock Motherboard Utility    | 3.0.498 and below       |                      |
 | 52     | Intel          | PmxDrv  | Intel(R) Management Engine Tools Driver    | 1.0.0.1003 and below       |                      |
+| 53     | Jun Liu        | HwRwDrv  | Hardware read & write driver    | 1.0.0.6 and below       |                      |
 
 MSFT blacklist types:
 * Cert - by certificate used to sign the driver which makes it possible to ban huge number of files at one time.
@@ -224,6 +225,7 @@ MSFT blacklist types:
 |50|RWEverything||**File(SHA1):** 11D7E0D29AB17292FD43BDD5CCB7DA0403E50E52<br>**Authenticode(SHA1):** CA06D9FD91F7B681204B35975D5C069D0DABE276<br>**Page(SHA1):** B7693E1170B01F24A824892607C2258CA653805A<br>**Page(SHA256):** B8776F6889CF3D8252F0912DD9745F8EFF4513292DF2B2B1D484CDBC68FBAE4C|
 |51|RWEverything||**File(SHA1):** B1FAD5DA173C6A603FFFE20E0CB5F0BDCA823BD5<br>**Authenticode(SHA1):** 268073AD0B17E2161C1A2A6C5B1BDEBB7B3011B4<br>**Page(SHA1):** 0B48F35DAF8B8BC9BA4E413EF222415EAB791AE0<br>**Page(SHA256):** B073907634013A8EB65E4C8AA42535BAD08101E58B7B1489AEE395B7BE9C69E2|
 |52|Original||**File(SHA1):** 9E5FCAEA33C9A181C56F7D0E4D9C42F8EDEAD252<br>**Authenticode(SHA1):** 7919108CB1278503EC4A78DD25694C6770EAA989<br>**Page(SHA1):** E1CE5A5E2CEB0AAD9CB588A900BF471462FAC42B<br>**Page(SHA256):** 6991344C8771FC717F878F9A6B0C258BC81FB3BF1F7F3CBED3EF8F86541B253F|
+|53|WINRING0||**File(SHA1):** DB8BCB8693DDF715552F85B8E2628F060070F920<br>**Authenticode(SHA1):** 8C40A82DF3D606A87DF243C787283C26CE9B0458<br>**Page(SHA1):** F7362528C0118F895D4D51588102C51A09B1691C<br>**Page(SHA256):** 2A8B9C786DEA17F00E105BFEF82B723E2578150E814DD9A94ED007275C96AC25|
 
 ###### *At commit time, data maybe inaccurate.
 

Source/Hamakaze/KDU.vcxproj.user

@@ -1,11 +1,11 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
-    <LocalDebuggerCommandArguments>-dse 0</LocalDebuggerCommandArguments>
+    <LocalDebuggerCommandArguments>-test</LocalDebuggerCommandArguments>
     <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
-    <LocalDebuggerCommandArguments>-prv 52 -map c:\install\dummy2.sys</LocalDebuggerCommandArguments>
+    <LocalDebuggerCommandArguments>-prv 53 -map c:\install\dummy2.sys</LocalDebuggerCommandArguments>
     <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
   </PropertyGroup>
 </Project>

Source/Hamakaze/idrv/asrdrv.cpp

@@ -4,9 +4,9 @@
 *
 *  TITLE:       ASRDRV.CPP
 *
-*  VERSION:     1.41
+*  VERSION:     1.43
 *
-*  DATE:        10 Dec 2023
+*  DATE:        10 Nov 2023
 *
 *  ASRock driver routines.
 *
@@ -271,9 +271,6 @@ BOOL WINAPI AsrWritePhysicalMemory(
         &args);
 }
 
-
-
-
 /*
 * RweReadPhysicalMemory
 *

Source/Hamakaze/idrv/winring0.h

@@ -1,12 +1,12 @@
 /*******************************************************************************
 *
-*  (C) COPYRIGHT AUTHORS, 2020 - 2021
+*  (C) COPYRIGHT AUTHORS, 2020 - 2024
 *
 *  TITLE:       WINRING0.H
 *
-*  VERSION:     1.10
+*  VERSION:     1.43
 *
-*  DATE:        15 Apr 2021
+*  DATE:        10 Nov 2024
 *
 *  WinRing0 based drivers interface header.
 *
@@ -53,6 +53,25 @@ typedef struct _OLS_WRITE_MEMORY_INPUT {
 
 #pragma pack(pop)
 
+//
+// Faintsnow Hardware read & write driver interface.
+// Essentially it's a slightly tweaked WinRing0 copy-paste.
+//
+// Related CVE's: 
+//    CVE-2021-29337, CVE-2023-1679, CVE-2021-29337, CVE-2020-13517 etc, all the same and all makes zero sense.
+//
+
+#define HWRWDRV_TYPE        (DWORD)0x9C40
+
+#define HWRW_READ_MEMORY     (DWORD)0x841
+#define HWRW_WRITE_MEMORY    (DWORD)0x842
+
+#define IOCTL_HWRW_READ_MEMORY        \
+    CTL_CODE(HWRWDRV_TYPE, HWRW_READ_MEMORY, METHOD_BUFFERED, FILE_READ_ACCESS) //0x9C406104
+
+#define IOCTL_HWRW_WRITE_MEMORY       \
+    CTL_CODE(HWRWDRV_TYPE, HWRW_WRITE_MEMORY, METHOD_BUFFERED, FILE_WRITE_ACCESS) //0x9C40A108
+
 BOOL WINAPI WRZeroReadPhysicalMemory(
     _In_ HANDLE DeviceHandle,
     _In_ ULONG_PTR PhysicalAddress,

Source/Hamakaze/kduplist.h

@@ -4,9 +4,9 @@
 *
 *  TITLE:       KDUPLIST.H
 *
-*  VERSION:     1.42
+*  VERSION:     1.43
 *
-*  DATE:        01 Apr 2024
+*  DATE:        10 Nov 2024
 *
 *  Providers global list.
 *
@@ -1469,6 +1469,32 @@ static KDU_PROVIDER g_KDUProviders[] =
         (provValidatePrerequisites)NULL,
 
         (provOpenProcess)NULL
-    }
+    },
+
+    {
+        NULL,
+
+        (provStartVulnerableDriver)KDUProvStartVulnerableDriver,
+        (provStopVulnerableDriver)KDUProvStopVulnerableDriver,
+
+        (provRegisterDriver)NULL,
+        (provUnregisterDriver)NULL,
+        (provPreOpenDriver)NULL,
+        (provPostOpenDriver)KDUProviderPostOpen,
+        (provMapDriver)KDUMapDriver,
+        (provControlDSE)KDUControlDSE2,
+
+        (provReadKernelVM)NULL,
+        (provWriteKernelVM)NULL,
+
+        (provVirtualToPhysical)NULL,
+        (provQueryPML4)NULL,
+        (provReadPhysicalMemory)WRZeroReadPhysicalMemory,
+        (provWritePhysicalMemory)WRZeroWritePhysicalMemory,
+
+        (provValidatePrerequisites)NULL,
+
+        (provOpenProcess)NULL
+     }
 
 };

Source/Hamakaze/main.cpp

@@ -1,12 +1,12 @@
 /*******************************************************************************
 *
-*  (C) COPYRIGHT AUTHORS, 2020 - 2023
+*  (C) COPYRIGHT AUTHORS, 2020 - 2024
 *
 *  TITLE:       MAIN.CPP
 *
-*  VERSION:     1.40
+*  VERSION:     1.43
 *
-*  DATE:        20 Oct 2023
+*  DATE:        10 Nov 2024
 *
 *  Hamakaze main logic and entrypoint.
 *

Source/Hamakaze/resource.rc

@@ -51,8 +51,8 @@ END
 //
 
 VS_VERSION_INFO VERSIONINFO
- FILEVERSION 1,4,2,2409
- PRODUCTVERSION 1,4,2,2409
+ FILEVERSION 1,4,3,2411
+ PRODUCTVERSION 1,4,3,2411
  FILEFLAGSMASK 0x3fL
 #ifdef _DEBUG
  FILEFLAGS 0x1L
@@ -69,12 +69,12 @@ BEGIN
         BEGIN
             VALUE "CompanyName", "UG North"
             VALUE "FileDescription", "Kernel Driver Utility"
-            VALUE "FileVersion", "1.4.2.2409"
+            VALUE "FileVersion", "1.4.3.2411"
             VALUE "InternalName", "Hamakaze.exe"
             VALUE "LegalCopyright", "Copyright (C) 2020 - 2024 KDU Project"
             VALUE "OriginalFilename", "Hamakaze.exe"
             VALUE "ProductName", "KDU"
-            VALUE "ProductVersion", "1.4.2.2409"
+            VALUE "ProductVersion", "1.4.3.2411"
         END
     END
     BLOCK "VarFileInfo"

Source/Hamakaze/tests.cpp

@@ -4,9 +4,9 @@
 *
 *  TITLE:       TESTS.CPP
 *
-*  VERSION:     1.42
+*  VERSION:     1.43
 *
-*  DATE:        01 Apr 2024
+*  DATE:        10 Nov 2024
 *
 *  KDU tests.
 *
@@ -57,7 +57,7 @@ VOID KDUTestLoad()
 
 VOID KDUTestDSE(PKDU_CONTEXT Context)
 {
-    ULONG_PTR g_CiOptions = 0xfffff80031e3a478;//need update
+    ULONG_PTR g_CiOptions = 0xfffff8021bc3a308;//need update
     ULONG_PTR oldValue = 0, newValue = 0x0, testValue = 0;
     KDU_PROVIDER* prov = Context->Provider;
 
@@ -188,16 +188,16 @@ VOID KDUTest()
    // KDUTestLoad();
 
    // TestSymbols();
-    Context = KDUProviderCreate(KDU_PROVIDER_INTEL_PMXDRV, 
+    Context = KDUProviderCreate(KDU_PROVIDER_HWRWDRVX64, 
         FALSE, 
         NT_WIN10_20H1, 
         KDU_SHELLCODE_V1, 
         ActionTypeMapDriver);
 
     if (Context) {
 
-        //TestBrute(Context);
-        KDUTestDSE(Context);
+        TestBrute(Context);
+        //KDUTestDSE(Context);
 
         KDUProviderRelease(Context);
     }

Source/Shared/consts.h

@@ -4,9 +4,9 @@
 *
 *  TITLE:       CONSTS.H
 *
-*  VERSION:     1.42
+*  VERSION:     1.43
 *
-*  DATE:        23 Sep 2024
+*  DATE:        10 Nov 2024
 *
 *  Global consts.
 *
@@ -21,16 +21,16 @@
 
 #define KDU_VERSION_MAJOR       1
 #define KDU_VERSION_MINOR       4
-#define KDU_VERSION_REVISION    2
-#define KDU_VERSION_BUILD       2409
+#define KDU_VERSION_REVISION    3
+#define KDU_VERSION_BUILD       2411
 #define KDU_COPYRIGHT_YEAR      2024
 
 #define KDU_MIN_NTBUILDNUMBER   0x1DB1      //Windows 7 SP1
 #define KDU_MAX_NTBUILDNUMBER   0xFFFFFFFF  //Undefined
 
 #define IPC_GET_HANDLE          0x1337
 
-#define KDU_SYNC_MUTANT         0x2409
+#define KDU_SYNC_MUTANT         0x2411
 
 #define NT_REG_PREP             L"\\Registry\\Machine"
 #define DRIVER_REGKEY           L"%wS\\System\\CurrentControlSet\\Services\\%wS"
@@ -155,6 +155,7 @@
 #define IDR_ASROCKDRV3                  152
 #define IDR_ASROCKDRV4                  153
 #define IDR_PMXDRV64                    154
+#define IDR_HWRWDRVX64                  155
 
 //
 // Vulnerable drivers providers id
@@ -212,6 +213,7 @@
 #define KDU_PROVIDER_ASROCK4            50
 #define KDU_PROVIDER_ASROCK5            51
 #define KDU_PROVIDER_INTEL_PMXDRV       52
+#define KDU_PROVIDER_HWRWDRVX64         53
 
 #define KDU_PROVIDER_DEFAULT KDU_PROVIDER_INTEL_NAL
 

Source/Shared/ntos/ntbuilds.h

@@ -6,7 +6,7 @@
 *
 *  VERSION:     1.26
 *
-*  DATE:        15 Sep 2024
+*  DATE:        11 Oct 2024
 *
 *  Windows NT builds definition file.
 *
@@ -88,6 +88,8 @@
 // Windows 11 23H2
 #define NT_WIN11_23H2           22631
 
+// Windows 11 24H2
+#define NT_WIN11_24H2           26100
+
 // Windows 11 Active Development Branch
-#define NT_WIN11_24H2           26100 //canary (24H2)
-#define NT_WIN11_25H2           27695 //canary (25H2)
+#define NT_WIN11_25H2           27723 //canary (25H2)

Source/Shared/ntos/ntos.h

@@ -5,9 +5,9 @@
 *
 *  TITLE:       NTOS.H
 *
-*  VERSION:     1.226
+*  VERSION:     1.227
 *
-*  DATE:        07 Jun 2024
+*  DATE:        07 Oct 2024
 *
 *  Common header file for the ntos API functions and definitions.
 *
@@ -7405,6 +7405,29 @@ typedef struct _FLT_OBJECT_V2 {
     GUID UniqueIdentifier;
 } FLT_OBJECT_V2, *PFLT_OBJECT_V2; /* size: 0x0030 */
 
+// Since w11 25h2
+typedef struct _FLT_OBJECT_V3 {
+    ULONG Flags;
+    ULONG PointerCount;
+    EX_RUNDOWN_REF RundownRef;
+    LIST_ENTRY PrimaryLink;
+    PVOID RundownLog;
+    GUID UniqueIdentifier;
+} FLT_OBJECT_V3, * PFLT_OBJECT_V3; /* size: 0x0038 */
+
+typedef struct _FLT_OBJECT_LOG_ENTRY {
+    ULONG Action;
+    LONG Padding_25;
+    EX_RUNDOWN_REF RundownRef;
+    PVOID Stack[14];
+} FLT_OBJECT_LOG_ENTRY, * PFLT_OBJECT_LOG_ENTRY; /* size: 0x0080 */
+
+typedef struct _FLT_OBJECT_LOG {
+    LONG Index;
+    ULONG Reserved;
+    FLT_OBJECT_LOG_ENTRY Log[1024];
+} FLT_OBJECT_LOG, * PFLT_OBJECT_LOG; /* size: 0x20008 */
+
 typedef struct _FLT_SERVER_PORT_OBJECT {
     LIST_ENTRY FilterLink;
     PVOID ConnectNotify;
@@ -7576,8 +7599,43 @@ typedef struct _FLT_FILTER_V4 {
     /* 0x02a8 */ EX_PUSH_LOCK_AUTO_EXPAND PortLock;
 } FLT_FILTER_V4, * PFLT_FILTER_V4; /* size: 0x02b8 */
 
-typedef FLT_FILTER_V4 FLT_FILTER_COMPATIBLE;
-typedef PFLT_FILTER_V4 PFLT_FILTER_COMPATIBLE;
+// Windows 11+ (27XXX)
+typedef struct _FLT_FILTER_V5 {
+    /* 0x0000 */ FLT_OBJECT_V3 Base;
+    /* 0x0038 */ struct _FLTP_FRAME* Frame;
+    /* 0x0040 */ UNICODE_STRING Name;
+    /* 0x0050 */ UNICODE_STRING DefaultAltitude;
+    /* 0x0060 */ FLT_FILTER_FLAGS Flags;
+    /* 0x0064 */ LONG Padding;
+    /* 0x0068 */ DRIVER_OBJECT* DriverObject;
+    /* 0x0070 */ FLT_RESOURCE_LIST_HEAD InstanceList;
+    /* 0x00f0 */ struct _FLT_VERIFIER_EXTENSION* VerifierExtension;
+    /* 0x00f8 */ LIST_ENTRY VerifiedFiltersLink;
+    /* 0x0108 */ PVOID FilterUnload /* function */;
+    /* 0x0110 */ PVOID InstanceSetup /* function */;
+    /* 0x0118 */ PVOID InstanceQueryTeardown /* function */;
+    /* 0x0120 */ PVOID InstanceTeardownStart /* function */;
+    /* 0x0128 */ PVOID InstanceTeardownComplete /* function */;
+    /* 0x0130 */ struct _ALLOCATE_CONTEXT_HEADER* SupportedContextsListHead;
+    /* 0x0138 */ struct _ALLOCATE_CONTEXT_HEADER* SupportedContexts[7];
+    /* 0x0170 */ PVOID PreVolumeMount /* function */;
+    /* 0x0178 */ PVOID PostVolumeMount /* function */;
+    /* 0x0180 */ PVOID GenerateFileName /* function */;
+    /* 0x0188 */ PVOID NormalizeNameComponent /* function */;
+    /* 0x0190 */ PVOID NormalizeNameComponentEx /* function */;
+    /* 0x0198 */ PVOID NormalizeContextCleanup /* function */;
+    /* 0x01a0 */ PVOID KtmNotification /* function */;
+    /* 0x01a8 */ PVOID SectionNotification /* function */;
+    /* 0x01b0 */ struct _FLT_OPERATION_REGISTRATION* Operations;
+    /* 0x01b8 */ PVOID OldDriverUnload /* function */;
+    /* 0x01c0 */ FLT_MUTEX_LIST_HEAD ActiveOpens;
+    /* 0x0210 */ FLT_MUTEX_LIST_HEAD ConnectionList;
+    /* 0x0260 */ FLT_MUTEX_LIST_HEAD PortList;
+    /* 0x02b0 */ EX_PUSH_LOCK_AUTO_EXPAND PortLock;
+} FLT_FILTER_V5, * PFLT_FILTER_V5; /* size: 0x02c0 */
+
+typedef FLT_FILTER_V5 FLT_FILTER_COMPATIBLE;
+typedef PFLT_FILTER_V5 PFLT_FILTER_COMPATIBLE;
 
 /*
 ** FLT MANAGER END

Source/Tanikaze/Tanikaze.vcxproj

@@ -213,6 +213,7 @@
     <None Include="drv\gmerdrv.bin" />
     <None Include="drv\heavenluo.bin" />
     <None Include="drv\HW64.bin" />
+    <None Include="drv\HwRwDrv.x64.bin" />
     <None Include="drv\inpoutx64.bin" />
     <None Include="drv\iQVM64.bin" />
     <None Include="drv\irec.bin" />

Source/Tanikaze/Tanikaze.vcxproj.filters

@@ -220,6 +220,9 @@
     <None Include="drv\pmxdrv64.bin">
       <Filter>Resource Files</Filter>
     </None>
+    <None Include="drv\HwRwDrv.x64.bin">
+      <Filter>Resource Files</Filter>
+    </None>
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="main.cpp">