KDU

Kernel Driver Utility

System Requirements

Purpose and Features

The purpose of this tool is to give a simple way to explore the Windows kernel and its components without doing a lot of additional work or setting up a local debugger. It features:

Usage

KDU -list
KDU -diag
KDU -prv ProviderID
KDU -ps ProcessID
KDU -pse Commandline
KDU -dmp ProcessID
KDU -dse value
KDU -map filename

Example:

Run on Windows 10 20H2*

<img src="https://raw.githubusercontent.com/hfiref0x/kdu/master/Help/kdu1.png" width="600" />

Compiled and run on Windows 8.1*

<img src="https://raw.githubusercontent.com/hfiref0x/kdu/master/Help/kdu2.png" width="600" />

Run on Windows 7 SP1 fully patched (precompiled version)*

<img src="https://raw.githubusercontent.com/hfiref0x/kdu/master/Help/kdu3.png" width="600" />

Run on Windows 10 19H2 (precompiled version, SecureBoot enabled)*

<img src="https://raw.githubusercontent.com/hfiref0x/kdu/master/Help/kdu4.png" width="600" />
All screenshots are from version 1.0X.

Limitations of -map command

Because drivers are loaded in an unusual way that does not involve the standard kernel loader, but instead overwrites already loaded modules with shellcode, there are some limitations:

This means you cannot use the parameters passed to your DriverEntry, as they won't be valid. It also means you cannot load arbitrary drivers, only specially designed ones, unless you alter the shellcode responsible for driver mapping.

There is no SEH code in x64. Instead, there is a table of try/except/finally regions, which must be in the executable image and is described by a pointer in the PE header. If an exception occurs, the system handler first looks up the module in which it happened. Mapped drivers are not in the Windows-controlled list of drivers (PsLoadedModuleList, PatchGuard protected), so nothing will be found and the system will simply crash.

Mapped code can't unload itself; however, you can still release all resources allocated by your mapped code. DRIVER_OBJECT->DriverUnload should be set to NULL.

If your project needs another module dependency, you have to rewrite this part of the loader.

Because of the unusual way of loading, a mapped driver won't be in PsLoadedModuleList. This means any callback registered by such code will have its handler located in memory outside this list. PatchGuard is able to check whether registered callbacks point to valid loaded modules, and will BSOD with "Kernel notification callout modification" if such dynamic code is detected.

In general, if you want to know what you should not do in the kernel, look at https://github.com/hfiref0x/KDU/tree/master/Source/Examples/BadRkDemo, which contains a few examples of forbidden things.

Kernel traces note

This tool does not change (and this won't change in future) internal Windows structures of MmUnloadedDrivers and/or PiDDBCacheTable. That's because:

You use it at your own risk. Some lazy AV may flag this tool as hacktool/malware.

Supported Providers

Note: The provider with Id 0 is assumed as the default if no -prv command is specified.

| Id | Vendor | Driver | Software package | Version | MSFT blacklist* |
|----|--------|--------|------------------|---------|-----------------|
| 0 | Intel | IQVM64/Nal | Network Adapter Diagnostic Driver | 1.03.0.7 | Cert |
| 1 | MSI | RTCore64 | MSI Afterburner | 4.6.2 build 15658 and below | Page hash |
| 2 | Gigabyte | Gdrv | Gigabyte TOOLS | Undefined | Name |
| 3 | ASUSTeK | ATSZIO64 | ASUSTeK WinFlash utility | Undefined | Name |
| 4 | Patriot | MsIo64 | Patriot Viper RGB utility | 1.0 | Page hash |
| 5 | ASRock | GLCKIO2 | ASRock Polychrome RGB | 1.0.4 | Page hash |
| 6 | G.SKILL | EneIo64 | G.SKILL Trident Z Lighting Control | 1.00.08 | Cert |
| 7 | EVGA | WinRing0x64 | EVGA Precision X1 | 1.0.2.0 | Name |
| 8 | Thermaltake | EneTechIo64 | Thermaltake TOUGHRAM software | 1.0.3 | Page hash |
| 9 | Huawei | PhyMemx64 | Huawei MateBook Manager software | Undefined | Name, Page hash |
| 10 | Realtek | RtkIo64 | Realtek Dash Client Utility | Various | Name |
| 11 | MSI | EneTechIo64 | MSI Dragon Center | Various | |
| 12 | LG | LHA | LG Device Manager | 1.6.0.2 | Name |
| 13 | ASUSTeK | AsIO2 | ASUS GPU Tweak | 2.1.7.1 and below | |
| 14 | PassMark | DirectIo64 | PassMark Performance Test | 10.1 and below | Page hash |
| 15 | GMER | GmerDrv | Gmer "Antirootkit" | 2.2 and below | Name, Page hash, Cert |
| 16 | Dell | DBUtil_2_3 | Dell BIOS Utility | 2.3 and below | Page hash |
| 17 | Benjamin Delpy | Mimidrv | Mimikatz | 2.2 and below | Cert |
| 18 | Wen Jia Liu | KProcessHacker2 | Process Hacker | 2.38 and below | Name |
| 19 | Microsoft | ProcExp152 | Process Explorer | 1.5.2 and below | Name, Cert |
| 20 | Dell | DBUtilDrv2 | Dell BIOS Utility | 2.7 and below | |
| 21 | DarkByte | Dbk64 | Cheat Engine | 7.4 and below | Cert, Name |
| 22 | ASUSTeK | AsIO3 | ASUS GPU TweakII | 2.3.0.3 | |
| 23 | Marvin | Hw | Marvin Hardware Access Driver | 4.9 and below | Name |
| 24 | CODESYS | SysDrv3S | CODESYS SysDrv3S | 3.5.6 and below | Cert |
| 25 | Zemana | amsdk | WatchDog/MalwareFox/Zemana AM | 3.0.0 and below | |
| 26 | HiRes Ent. | inpoutx64 | Various | 1.2.0 and below | |
| 27 | PassMark | DirectIo64 | PassMark OSForensics | Any | |
| 28 | ASRock | AsrDrv106 | Phantom Gaming Tuning | 1.0.6 and below | |
| 29 | Arthur Liberman | ALSysIO64 | Core Temp | 2.0.11 and below | |
| 30 | AMD | AMDRyzenMasterDriver | Multiple software packages | 2.0.0.0 and below | |
| 31 | Hilscher | physmem | Physical Memory Viewer for Windows | 1.0.0.0 | Cert, Name |
| 32 | Lenovo | LDD | Lenovo Diagnostics Driver for Windows 10 and later | 1.0.4.0 and below | Cert, Name |
| 33 | Dell | pcdsrvc_x64 | Dell PC Doctor | 6.2.2.0 | |
| 34 | MSI | winio | MSI Foundation Service | Undefined | |
| 35 | HP | EtdSupport | ETDi Support Driver | 18.0 and below | Cert |
| 36 | Pavel Yosifovich | KExplore | Kernel Explorer | Undefined | |
| 37 | Pavel Yosifovich | KObjExp | Kernel Object Explorer | Undefined | |
| 38 | Pavel Yosifovich | KRegExp | Kernel Registry Explorer | Undefined | |
| 39 | Inspect Element LTD | EchoDrv | Echo AntiCheat (spyware) | Undefined | Hash |
| 40 | NVidia | nvoclock | NVidia System Utility Driver | 7.0.0.32 | |
| 41 | Binalyze | IREC | Binalyze DFIR | 3.11.0 | |
| 42 | DavidXXW | PhyDMACC | SLIC ToolKit | 1.2.0 | Page hash |
| 43 | Razer | rzpnk | Razer Synapse | 2.20.15.1104 | |
| 44 | AMD | PdFwKrnl | AMD Radeon™ Software (Adrenalin Edition and PRO Edition) | 23.9.1 and below | |
| 45 | AMD | AODDriver | AMD OverDrive Driver | 2.1.5 and below | |
| 46 | Wincor Nixdorf | wnBios64 | WinBios Driver | 1.2.0 and below | |
| 47 | EVGA | EleetX1 | EVGA ELEET X1 | 1.0.16.0 and below | |
| 48 | ASRock | AxtuDrv | AsRock Extreme Tuner | Undefined | |
| 49 | ASRock | AppShopDrv103 | ASRock APP Shop | 1.0.58 and below | |
| 50 | ASRock | AsrDrv107n | ASRock Motherboard Utility | 3.0.498 and below | |
| 51 | ASRock | AsrDrv107 | ASRock Motherboard Utility | 3.0.498 and below | |
| 52 | Intel | PmxDrv | Intel(R) Management Engine Tools Driver | 1.0.0.1003 and below | |
| 53 | Jun Liu | HwRwDrv | Hardware read & write driver | 1.0.0.6 and below | |

MSFT blacklist types:

KDU provider details, alternatives are available

| Id | Codebase | Assigned CVEs |
|----|----------|---------------|
| 0 | Original | CVE-2015-2291 |
| 1 | Semi-original | CVE-2019-16098 |
| 2 | MAPMEM | CVE-2018-19320 |
| 3 | Semi-original | CVE-2023-41444 |
| 4 | WINIO | CVE-2019-18845 |
| 5 | WINIO | CVE-2018-18535, CVE-2018-18536, CVE-2018-18537 |
| 6 | WINIO | CVE-2020-12446 |
| 7 | WINRING0 | CVE-2020-14979 |
| 8 | WINIO | |
| 9 | WINIO | |
| 10 | PHYMEM | |
| 11 | WINIO | |
| 12 | Semi-original | CVE-2019-8372 |
| 13 | WINIO | CVE-2021-28685 |
| 14 | Original | CVE-2020-15481 |
| 15 | Original | |
| 16 | Original | CVE-2021-21551 |
| 17 | Original | |
| 18 | Original | |
| 19 | Original | |
| 20 | Original | CVE-2021-36276 |
| 21 | Original | |
| 22 | WINIO | |
| 23 | Original | |
| 24 | MAPMEM | CVE-2022-22516 |
| 25 | Original | CVE-2021-31728, CVE-2022-42045 |
| 26 | WINIO | |
| 27 | Original | |
| 28 | RWEverything | CVE-2020-15368 |
| 29 | Original | |
| 30 | Original | CVE-2020-12928 |
| 31 | Original | |
| 32 | Original | CVE-2022-3699 |
| 33 | Original | CVE-2019-12280 |
| 34 | WINIO | |
| 35 | Original | |
| 36 | Original | |
| 37 | Original | |
| 38 | Original | |
| 39 | Original | CVE-2023-38817 |
| 40 | Original | |
| 41 | Original | CVE-2023-41444 |
| 42 | WINRING0 | |
| 43 | Original | CVE-2017-9769 |
| 44 | Original | CVE-2023-20598 |
| 45 | Original | CVE-2020-12928 |
| 46 | WINIO | |
| 47 | Original | |
| 48 | RWEverything | |
| 49 | RWEverything | |
| 50 | RWEverything | |
| 51 | RWEverything | |
| 52 | Original | |
| 53 | WINRING0 | |

*At commit time, data may be inaccurate.

More providers may be added in the future.

How it works

It uses a driver from legitimate software that is known to be vulnerable (or is a wormhole by design) to access arbitrary kernel memory with read/write primitives.

Depending on the command, KDU will either work as TDL/DSEFix or modify kernel-mode process objects (EPROCESS).

In -map mode, KDU will by default, for most available providers, use the 3rd party signed driver from SysInternals Process Explorer and hijack it by placing a small loader shellcode inside its IRP_MJ_DEVICE_CONTROL/IRP_MJ_CREATE/IRP_MJ_CLOSE handler. This is done by overwriting the physical memory where the Process Explorer dispatch handler is located and triggering it by calling the driver's IRP_MJ_CREATE handler (CreateFile call). Next, the shellcode maps the input driver as a code buffer into kernel mode and runs it with the current IRQL at PASSIVE_LEVEL. After that, the hijacked Process Explorer driver is unloaded together with the vulnerable provider driver. This entire idea comes from the malicious software of the mid-2000s known as rootkits.
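For defenders, the -map behaviour described above leaves a recognisable pair of driver loads: a provider driver and the Process Explorer driver on the same host, close together in time. The following is an added detection example, not part of KDU or its documentation; it assumes driver-load events shaped like Sysmon Event ID 6 (the `UtcTime`, `Computer` and `ImageLoaded` fields), and the host names, paths and the 60-second window are constructed for illustration.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Subset of driver names from the "Supported Providers" table on this page,
# lower-cased. Matching on file name is an assumption of this example:
# files can be renamed, so production rules should also match the signer
# or file hash reported with the driver-load event.
PROVIDER_DRIVERS = {
    "rtcore64", "gdrv", "atszio64", "msio64", "glckio2", "eneio64",
    "winring0x64", "enetechio64", "phymemx64", "rtkio64", "dbutil_2_3",
    "dbutildrv2", "dbk64", "asio2", "asio3", "directio64", "hwrwdrv",
}
VICTIM_DRIVER = "procexp152"  # default victim driver named on this page
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"UtcTime": "2024-03-01 10:15:02.120", "Computer": "WS-0142",
     "ImageLoaded": r"C:\Users\dev\Downloads\tools\RTCore64.sys"},
    {"UtcTime": "2024-03-01 10:15:03.480", "Computer": "WS-0142",
     "ImageLoaded": r"C:\Users\dev\Downloads\tools\PROCEXP152.SYS"},
    {"UtcTime": "2024-03-01 11:40:10.000", "Computer": "WS-0207",
     "ImageLoaded": r"C:\Program Files (x86)\MSI Afterburner\RTCore64.sys"},
    {"UtcTime": "2024-03-01 12:00:00.000", "Computer": "WS-0311",
     "ImageLoaded": r"C:\Windows\System32\drivers\PROCEXP152.SYS"},
]


def driver_key(image_path):
    """Lower-cased file name without extension, e.g. 'rtcore64'."""
    return PureWindowsPath(image_path).stem.lower()


def find_provider_loads(events, window_seconds=60):
    """Flag every provider driver load; escalate to 'high' when the
    Process Explorer driver loads on the same host within the window."""
    window = timedelta(seconds=window_seconds)
    parsed = sorted(
        (datetime.strptime(e["UtcTime"], TS_FORMAT), e["Computer"],
         driver_key(e["ImageLoaded"]))
        for e in events
    )
    findings = []
    for ts, host, name in parsed:
        if name not in PROVIDER_DRIVERS:
            continue
        # The page does not state the load order, so look both ways.
        paired = any(
            h == host and n == VICTIM_DRIVER and abs(t - ts) <= window
            for t, h, n in parsed
        )
        findings.append({
            "host": host,
            "provider": name,
            "time": ts.isoformat(),
            "severity": "high" if paired else "review",
        })
    return findings


if __name__ == "__main__":
    for finding in find_provider_loads(SAMPLE_EVENTS):
        print(finding)
```

A provider load on its own stays at "review" because the same drivers ship with the legitimate packages listed in the providers table.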

Shellcode versions

KDU uses shellcode to map input drivers and execute their DriverEntry. There are a few shellcode variants embedded into KDU. Shellcode V1, V2 and V3 are used together with a 3rd party victim driver (Process Explorer, by default). They are implemented as a fake driver dispatch entry, and their differences are: V1 uses a newly created system thread to execute code, V2 uses system work items, V3 manually builds a driver object and runs DriverEntry as if the driver was loaded normally. Shellcode V4 is a simplified version of the previous variants, intended to be run not as a driver dispatch entry. While theoretically all "providers" can support all variants, this implementation is limited per provider. You can view it by running the -list command and looking at the shellcode support mask. Currently all providers except N21 support the V1, V2 and V3 variants.

Build and Notes

KDU comes with full source code. In order to build from source you need Microsoft Visual Studio 2019 or a later version. For driver builds you need Microsoft Windows Driver Kit 10 and/or above.

Complete working binaries include: kdu.exe (main executable) and drv64.dll (drivers database). They must reside in the same directory that must have R/W access enabled for kdu.exe. All binaries MUST BE compiled in "Release" configuration. In order to use providers that require Microsoft Symbols usage you need to put dbghelp.dll and symsrv.dll from the Debugging Tools For Windows into KDU directory.

Utils and Notes

GenAsIo2Unlock is a special utility used to generate the "unlocking" resource which is required for working with the AsIO2 driver. The full source of this utility is included in Source\Utils\GenAsIo2Unlock. The compiled version is located in Sources\Hamakaze\Utils\GenAsIo2Unlock.exe. Warning: this utility is set to execute as a post-build event for both Debug/Release configurations. If you don't want to run the precompiled version, replace it with one newly compiled from sources. If you remove this post-build event, a newly compiled KDU will NOT BE ABLE to use the AsIO2 driver (provider #13).

Reporting bugs and incompatibilities

If you experience a bug or incompatibility while using KDU with 3rd party software or OS, feel free to file an issue. However, if the incompatibility is caused by your own actions, such reports will be ignored. Any BSOD reports should include an attached minidump or your own dump analysis (windbg !analyze -v); issues without this information will be ignored.

Anticheat, antimalware incompatibilities will be ignored, that's your own fault.

Disclaimer

Using this program might crash your computer with a BSOD. Compiled binary and source code are provided AS-IS in the hope they will be useful BUT WITHOUT WARRANTY OF ANY KIND. Since KDU relies on completely bugged and vulnerable drivers, the security of the computer where it is executed may be put at risk. Make sure you understand what you do.

Third party code usage

References

Wormhole drivers code

They are used in multiple products from hardware vendors, mostly in unmodified state. They all break the OS security model and are additionally bugged. Links are for educational purposes, showing how not to write your drivers. Note that the following GitHub account has nothing to do with this code; the code is in unmodified state and provided only for educational purposes.

Authors

(c) 2020 - 2024 KDU Project