Releases: hfiref0x/KDU
Kernel Driver Utility v1.2.5
v 1.2.5 from Aug 30, 2022 (1.2.5.2208)
- Marvin HW64 added as provider 23 (from the recent APT)
- New -diag command added for troubleshooting
- Rtls updated
- Project ported to MSVC 2022
Kernel Driver Utility v1.2.0
KDU - Kernel Driver Utility
The purpose of this tool is to give a simple way to explore Windows kernel/components without doing a lot of additional work or setting up a local debugger. It features:
- Protected Processes Hijacking via Process object modification;
- Driver Signature Enforcement Overrider (similar to DSEFix);
- Driver loader for bypassing Driver Signature Enforcement (similar to TDL/Stryker);
- Support for using various vulnerable drivers as functionality "providers".
System Requirements
- x64 Windows 7/8/8.1/10/11;
- Administrative privilege is required.
Currently Supported Providers
Provider Id | Product Vendor | Driver | Software package | Code base | Version |
---|---|---|---|---|---|
0 | Intel | IQVM64/Nal | Network Adapter Diagnostic Driver | Original | 1.03.0.7 |
1 | MSI | RTCore64 | MSI Afterburner | Semi-original | 4.6.2 build 15658 and below |
2 | Gigabyte | Gdrv | Gigabyte TOOLS | MAPMEM NTDDK 3.51 | Undefined |
3 | ASUSTeK | ATSZIO64 | ASUSTeK WinFlash utility | Semi-original | Undefined |
4 | Patriot | MsIo64 | Patriot Viper RGB utility | WINIO | 1.0 |
5 | ASRock | GLCKIO2 | ASRock Polychrome RGB | WINIO | 1.0.4 |
6 | G.SKILL | EneIo64 | G.SKILL Trident Z Lighting Control | WINIO | 1.00.08 |
7 | EVGA | WinRing0x64 | EVGA Precision X1 | WINRING0 | 1.0.2.0 |
8 | Thermaltake | EneTechIo64 | Thermaltake TOUGHRAM software | WINIO | 1.0.3 |
9 | Huawei | PhyMemx64 | Huawei MateBook Manager software | WINIO | Undefined |
10 | Realtek | RtkIo64 | Realtek Dash Client Utility | PHYMEM | Various |
11 | MSI | EneTechIo64 | MSI Dragon Center | WINIO | Various |
12 | LG | LHA | LG Device Manager | Semi-original | 1.6.0.2 |
13 | ASUSTeK | AsIO2 | ASUS GPU Tweak | WINIO | 2.1.7.1 and below |
14 | PassMark | DirectIo64 | PassMark Performance Test | Original | 10.1 and below |
15 | GMER | GmerDrv | Gmer "Antirootkit" | Original | 2.2 and below |
16 | Dell | DBUtil_2_3 | Dell BIOS Utility | Original | 2.3 and below |
17 | Benjamin Delpy | Mimidrv | Mimikatz | Original | 2.2 and below |
18 | Wen Jia Liu | KProcessHacker2 | Process Hacker | Original | 2.38 and below |
19 | Microsoft | ProcExp152 | Process Explorer | Original | 1.5.2 and below |
20 | Dell | DBUtilDrv2 | Dell BIOS Utility | Original | 2.7 and below |
21 | DarkByte | Dbk64 | Cheat Engine | Original | 7.4 and below |
22 | ASUSTeK | AsIO3 | ASUS GPU Tweak II/III | WINIO | 2.3.0.3 |
Mitigation
Modern hardware with the latest Windows 10 version installed and [HVCI](https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) (Hypervisor-Protected Code Integrity) enabled.
Changelog
v 1.2.0 from Feb 18, 2022 (1.2.0.2202)
- Mimikatz mimidrv wormhole driver added as provider 17
- Process Hacker KProcessHacker2 wormhole driver added as provider 18
- Process Explorer ProcExp152 wormhole driver added as provider 19
- Dell DbUtilDrv2 (CVE-2021-36276) driver added as provider 20
- Cheat Engine wormhole driver dbk64 added as provider 21
- ASUSTeK GpuTweakII AsIO3 (EneTech wormhole next-gen) driver added as provider 22
- Custom DSE patch callbacks
- Internal rearrange to accompany several new providers
- Readme updated
Kernel Driver Utility v1.1.2
KDU - Kernel Driver Utility
The purpose of this tool is to give a simple way to explore Windows kernel/components without doing a lot of additional work or setting up a local debugger. It features:
- Protected Processes Hijacking via Process object modification;
- Driver Signature Enforcement Overrider (similar to DSEFix);
- Driver loader for bypassing Driver Signature Enforcement (similar to TDL/Stryker);
- Support for using various vulnerable drivers as functionality "providers".
System Requirements
- x64 Windows 7/8/8.1/10/11;
- Administrative privilege is required.
Currently Supported Providers
Provider Id | Product Vendor | Driver | Software package | Code base | Version |
---|---|---|---|---|---|
0 | Intel | IQVM64/Nal | Network Adapter Diagnostic Driver | Original | 1.03.0.7 |
1 | MSI | RTCore64 | MSI Afterburner | Semi-original | 4.6.2 build 15658 and below |
2 | Gigabyte | Gdrv | Gigabyte TOOLS | MAPMEM NTDDK 3.51 | Undefined |
3 | ASUSTeK | ATSZIO64 | ASUSTeK WinFlash utility | Semi-original | Undefined |
4 | Patriot | MsIo64 | Patriot Viper RGB utility | WINIO | 1.0 |
5 | ASRock | GLCKIO2 | ASRock Polychrome RGB | WINIO | 1.0.4 |
6 | G.SKILL | EneIo64 | G.SKILL Trident Z Lighting Control | WINIO | 1.00.08 |
7 | EVGA | WinRing0x64 | EVGA Precision X1 | WINRING0 | 1.0.2.0 |
8 | Thermaltake | EneTechIo64 | Thermaltake TOUGHRAM software | WINIO | 1.0.3 |
9 | Huawei | PhyMemx64 | Huawei MateBook Manager software | WINIO | Undefined |
10 | Realtek | RtkIo64 | Realtek Dash Client Utility | PHYMEM | Various |
11 | MSI | EneTechIo64 | MSI Dragon Center | WINIO | Various |
12 | LG | LHA | LG Device Manager | Semi-original | 1.6.0.2 |
13 | ASUSTeK | AsIO2 | ASUS GPU Tweak | WINIO | 2.1.7.1 and below |
14 | PassMark | DirectIo64 | PassMark Performance Test | Original | 10.1 and below |
15 | GMER | GmerDrv | Gmer "Antirootkit" | Original | 2.2 and below |
16 | Dell | DBUtil_2_3 | Dell BIOS Utility | Original | 2.3 and below |
Mitigation
Modern hardware with the latest Windows 10 version installed and [HVCI](https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) (Hypervisor-Protected Code Integrity) enabled.
Changelog
v 1.1.2 from Jan 28, 2022 (1.1.2.2201)
- Dell dbutil_2_3 (CVE-2021-21551) provider added
- GMER "Antirootkit" provider added
- Fix for invalid Tanikaze compilation result
Kernel Driver Utility v1.1.1
KDU - Kernel Driver Utility
The purpose of this tool is to give a simple way to explore Windows kernel/components without doing a lot of additional work or setting up a local debugger. It features:
- Protected Processes Hijacking via Process object modification;
- Driver Signature Enforcement Overrider (similar to DSEFix);
- Driver loader for bypassing Driver Signature Enforcement (similar to TDL/Stryker);
- Support for using various vulnerable drivers as functionality "providers".
System Requirements
- x64 Windows 7/8/8.1/10;
- Administrative privilege is required.
Currently Supported Providers
Provider Id | Product Vendor | Driver | Software package | Code base | Version |
---|---|---|---|---|---|
0 | Intel | IQVM64/Nal | Network Adapter Diagnostic Driver | Original | 1.03.0.7 |
1 | MSI | RTCore64 | MSI Afterburner | Semi-original | 4.6.2 build 15658 and below |
2 | Gigabyte | Gdrv | Gigabyte TOOLS | MAPMEM NTDDK 3.51 | Undefined |
3 | ASUSTeK | ATSZIO64 | ASUSTeK WinFlash utility | Semi-original | Undefined |
4 | Patriot | MsIo64 | Patriot Viper RGB utility | WINIO | 1.0 |
5 | ASRock | GLCKIO2 | ASRock Polychrome RGB | WINIO | 1.0.4 |
6 | G.SKILL | EneIo64 | G.SKILL Trident Z Lighting Control | WINIO | 1.00.08 |
7 | EVGA | WinRing0x64 | EVGA Precision X1 | WINRING0 | 1.0.2.0 |
8 | Thermaltake | EneTechIo64 | Thermaltake TOUGHRAM software | WINIO | 1.0.3 |
9 | Huawei | PhyMemx64 | Huawei MateBook Manager software | WINIO | Undefined |
10 | Realtek | RtkIo64 | Realtek Dash Client Utility | PHYMEM | Various |
11 | MSI | EneTechIo64 | MSI Dragon Center | WINIO | Various |
12 | LG | LHA | LG Device Manager | Semi-original | 1.6.0.2 |
13 | ASUSTeK | AsIO2 | ASUS GPU Tweak | WINIO | 2.1.7.1 and below |
14 | PassMark | DirectIo64 | PassMark Performance Test | Original | 10.1 and below |
Mitigation
Modern hardware with the latest Windows 10 version installed and [HVCI](https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) (Hypervisor-Protected Code Integrity) enabled.
Changelog
v 1.1.1 from May 16, 2021 (1.1.1.2105)
- PassMark provider added
- DSEFix rewrite for newest Win10 versions support
Kernel Driver Utility v1.1.0
KDU - Kernel Driver Utility
The purpose of this tool is to give a simple way to explore Windows kernel/components without doing a lot of additional work or setting up a local debugger. It features:
- Protected Processes Hijacking via Process object modification;
- Driver Signature Enforcement Overrider (similar to DSEFix);
- Driver loader for bypassing Driver Signature Enforcement (similar to TDL/Stryker);
- Support for using various vulnerable drivers as functionality "providers".
System Requirements
- x64 Windows 7/8/8.1/10;
- Administrative privilege is required.
Currently Supported Providers
Provider Id | Product Vendor | Driver | Software package | Code base | Version |
---|---|---|---|---|---|
0 | Intel | IQVM64/Nal | Network Adapter Diagnostic Driver | Original | 1.03.0.7 |
1 | MSI | RTCore64 | MSI Afterburner | Semi-original | 4.6.2 build 15658 and below |
2 | Gigabyte | Gdrv | Gigabyte TOOLS | MAPMEM NTDDK 3.51 | Undefined |
3 | ASUSTeK | ATSZIO64 | ASUSTeK WinFlash utility | Semi-original | Undefined |
4 | Patriot | MsIo64 | Patriot Viper RGB utility | WINIO | 1.0 |
5 | ASRock | GLCKIO2 | ASRock Polychrome RGB | WINIO | 1.0.4 |
6 | G.SKILL | EneIo64 | G.SKILL Trident Z Lighting Control | WINIO | 1.00.08 |
7 | EVGA | WinRing0x64 | EVGA Precision X1 | WINRING0 | 1.0.2.0 |
8 | Thermaltake | EneTechIo64 | Thermaltake TOUGHRAM software | WINIO | 1.0.3 |
9 | Huawei | PhyMemx64 | Huawei MateBook Manager software | WINIO | Undefined |
10 | Realtek | RtkIo64 | Realtek Dash Client Utility | PHYMEM | Various |
11 | MSI | EneTechIo64 | MSI Dragon Center | WINIO | Various |
12 | LG | LHA | LG Device Manager | Semi-original | 1.6.0.2 |
13 | ASUSTeK | AsIO2 | ASUS GPU Tweak | WINIO | 2.1.7.1 and below |
Mitigation
Modern hardware with the latest Windows 10 version installed and [HVCI](https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) (Hypervisor-Protected Code Integrity) enabled.
Changelog
v 1.1.0 from Apr 22, 2021 (1.1.0.2104)
- New shellcode in 3 variants
- New parameters added
- Five additional providers added
- Providers moved into separate dll
- Internal rearrange
Kernel Driver Utility v1.0.0
KDU - Kernel Driver Utility
The purpose of this tool is to give a simple way to explore Windows kernel/components without doing a lot of additional work or setting up a local debugger. It features:
- Protected Processes Hijacking via Process object modification;
- Driver loader for bypassing Driver Signature Enforcement (similar to TDL/Stryker);
- Support for using various vulnerable drivers as functionality "providers".
System Requirements
- x64 Windows 7/8/8.1/10;
- Administrative privilege is required.
Currently Supported Providers
- Intel Network Adapter Diagnostic Driver of version 1.03.0.7;
- RTCore64 driver from MSI Afterburner of version 4.6.2 build 15658 and below;
- Gdrv driver from various Gigabyte TOOLS of undefined version;
- ATSZIO64 driver from ASUSTeK WinFlash utility of various versions;
- MICSYS MsIo driver from Patriot Viper RGB utility of version 1.0.
Mitigation
Modern hardware with the latest Windows 10 version installed and [HVCI](https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) (Hypervisor-Protected Code Integrity) enabled.
Changelog
v 1.0.0 from Feb 09, 2020
- Initial release