v 1.2.7

Readme update
Bin removed

Bin/license.txt

@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) 2020 - 2022 KDU Project
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.

KDU.sha256

@@ -1,6 +1,3 @@
-293cb9a86a3f89e377ef5c6716d70bbdfd9c57ff0a07d484bd8abc1f521e70cc *Bin\dummy.sys
-82370b38b940f98013a6506a82c35913ec810f312d93b93b5406f3caf07bda9f *Bin\dummy2.sys
-751d35646474f1854972d6cc45c5b7419933e36fabe013eba785f276ec566d25 *Bin\license.txt
 323d910f93683453d45239a0528d3c3cda7f2608fca864fd2a687184ffe129fe *Help\kdu1.png
 a1d7a51549914833a3414a93646952c25deabe072d8a271b54e10727f923b479 *Help\kdu2.png
 d2c38793dc0a55da29fd8336f397b9a9374690747d0d210d453f32c42cad9d84 *Help\kdu3.png
@@ -59,7 +56,7 @@ f0beb5db4e2771b9b212bff58a77dd34687e028963a7fb40e7c944a7fd872614 *Source\Hamakaz
 ad77ae168188a9748713ab5f7532447ca50a539fa8ebbec5ac86b273696b028e *Source\Hamakaze\tests.h
 2f9bba7bf761a8e6908132ae93d81aaaa38cbdebd38e2557505ea6309bbd2391 *Source\Hamakaze\victim.cpp
 b4165a29658b4770627aaac15bc36add0a47892d738920de1fc6ec73bb1c3cce *Source\Hamakaze\victim.h
-88b52fa7591526b119ac218956a7e19379f6383d6277cdc0bf00007ec3c0d37e *Source\Hamakaze\wdksup.h
+583eff47116a9b49ea04b93f627d4fe62913f64ec70ab826202d8e23b1b3889a *Source\Hamakaze\wdksup.h
 31860c95db21761086e2979753e981d6435f27435dead3ed7e4687e99bb878d4 *Source\Hamakaze\hde\hde64.c
 fd5b39e2865e12b9525ebda8fd9e9658b341ead5932d1bcb412a189f81ca42ca *Source\Hamakaze\hde\hde64.h
 9d37519623d404987300d3f3258148ba9adddfe1bed5f89a0e9e47646819c9c7 *Source\Hamakaze\hde\pstdint.h
@@ -68,7 +65,7 @@ b1350783a851e6345b880c8a5313e871d2249aa5524f41406c52fa62483f2229 *Source\Hamakaz
 015a6aff991174a881650c61fe1b28c5bfe3116a02a32abe5295ff389c5b7099 *Source\Hamakaze\idrv\atszio.h
 8e22d2a218561bd13ab8fbb9a6ef0949ab1e3b8cd70bfc9ccf2cd8ae3507927d *Source\Hamakaze\idrv\dbk.cpp
 24f81b4fdc1b924a36c981fb175b2dccebd7d029d6caed85fb731b74b22c7386 *Source\Hamakaze\idrv\dbk.h
-f438f20675618fe9babe9c10bf27b97987822d28fd4bbc300ef6119b3f1e906f *Source\Hamakaze\idrv\dbutil.cpp
+e7a1432ad47fb4d73d9300a6fdc2ae4fa2906821db327c028fdff15c660e4690 *Source\Hamakaze\idrv\dbutil.cpp
 ad955406989b80564e7e4cc400721e62d6d5c193e22037b075e07dd616f3c845 *Source\Hamakaze\idrv\dbutil.h
 791a4d40f3f5076d0e6ed47e7db972f448ccc78ca578c35f11db637962c868a5 *Source\Hamakaze\idrv\directio64.cpp
 73a97fa34df9c0733981536f2079d1eab89bfaf36b4c5d0003cb87d504764ec3 *Source\Hamakaze\idrv\directio64.h

README.md

@@ -146,15 +146,24 @@ When in -map mode KDU for most available providers will by default use 3rd party
 
 KDU uses shellcode to map input drivers and execute their DriverEntry. There are few shellcode variants embedded into KDU. Shellcode V1, V2 and V3 used together with 3rd party victim driver (Process Explorer, by default). They are implemented as fake driver dispatch entry and their differences are: V1 uses newly created system thread to execute code, V2 uses system work items, V3 manually builds driver object and runs DriverEntry as if this driver was loaded normally. Shellcode V4 is simplified version of previous variants intended to be run not like an driver dispatch entry. While theoretically all "providers" can support all variants this implementation is limited per provider. You can view it by typing -list command and looking for shellcode support mask. Currently all providers except N21 support V1, V2 and V3 variants.
 
-# Build 
+# Build and Notes
 
 KDU comes with full source code.
 In order to build from source you need Microsoft Visual Studio 2019 and later versions. For driver builds you need Microsoft Windows Driver Kit 10 and/or above.
 
+Complete working binaries include: kdu.exe (main executable) and drv64.dll (drivers database). They must reside in the same directory that must have R/W access enabled for kdu.exe. All binaries MUST BE compiled in "Release" configuration.
+
 # Utils and Notes
 
 GenAsIo2Unlock is a special utility used to generate "unlocking" resource which is required for working with AsIO2 driver. Full source of this utility included in Source\Utils\GenAsIo2Unlock. Compiled version located in Sources\Hamakaze\Utils\GenAsIo2Unlock.exe. **Warning this utility is set on execution at post-build-event for both Debug/Release configurations.** If you don't want to run precompiled version replace it with newly compiled from sources. If you remove this post-build-event newly compiled KDU will NOT BE ABLE to use AsIO2 driver (provider #13).
 
+# Reporting bugs and incompatibilities
+
+If you expirienced bug or incompatibility while using KDU with 3rd party software or OS feel free to fill the issue. However if this incompatibility is caused by your own actions such reports will be ignored. Any BSOD reports should include minidump attached or your own dump analysis (windbg !analyze -v), issues without these information will be ignored.
+
+Anticheat, antimalware incompatibilities will be ignored, that's your own fault.
+
+
 # Disclaimer
 
 Using this program might crash your computer with BSOD. Compiled binary and source code provided AS-IS in hope it will be useful BUT WITHOUT WARRANTY OF ANY KIND. Since KDU rely on completely bugged and vulnerable drivers security of computer where it executed maybe put at risk. Make sure you understand what you do.

Source/Hamakaze/idrv/dbutil.cpp

@@ -6,7 +6,7 @@
 *
 *  VERSION:     1.27
 *
-*  DATE:        10 Nov 2022
+*  DATE:        14 Nov 2022
 *
 *  Dell BIOS Utility driver routines.
 *
@@ -57,7 +57,7 @@ BOOL DbUtilManageFiles(
         // Drop DbUtilDrv2.
         //
         if (!KDUProvExtractVulnerableDriver(Context)) {
-            lastError = ERROR_INTERNAL_ERROR;
+            SetLastError(ERROR_INTERNAL_ERROR);
             return FALSE;
         }
 

Source/Hamakaze/wdksup.h

@@ -6,7 +6,7 @@
 *
 *  VERSION:     1.27
 *
-*  DATE:        01 Nov 2022
+*  DATE:        11 Nov 2022
 *
 *  Header file for NT WDK definitions.
 *
@@ -54,6 +54,197 @@ typedef _Enum_is_bitflag_ enum _WORK_QUEUE_TYPE {
     CustomPriorityWorkQueue = 32
 } WORK_QUEUE_TYPE;
 
+#include "pshpack4.h"
+typedef struct _CM_PARTIAL_RESOURCE_DESCRIPTOR {
+    UCHAR Type;
+    UCHAR ShareDisposition;
+    USHORT Flags;
+    union {
+
+        //
+        // Range of resources, inclusive.  These are physical, bus relative.
+        // It is known that Port and Memory below have the exact same layout
+        // as Generic.
+        //
+
+        struct {
+            PHYSICAL_ADDRESS Start;
+            ULONG Length;
+        } Generic;
+
+        //
+        //
+
+        struct {
+            PHYSICAL_ADDRESS Start;
+            ULONG Length;
+        } Port;
+
+        //
+        //
+
+        struct {
+#if defined(NT_PROCESSOR_GROUPS)
+            USHORT Level;
+            USHORT Group;
+#else
+            ULONG Level;
+#endif
+            ULONG Vector;
+            KAFFINITY Affinity;
+        } Interrupt;
+
+        //
+        // Values for message signaled interrupts are distinct in the
+        // raw and translated cases.
+        //
+
+        struct {
+            union {
+                struct {
+#if defined(NT_PROCESSOR_GROUPS)
+                    USHORT Group;
+#else
+                    USHORT Reserved;
+#endif
+                    USHORT MessageCount;
+                    ULONG Vector;
+                    KAFFINITY Affinity;
+                } Raw;
+
+                struct {
+#if defined(NT_PROCESSOR_GROUPS)
+                    USHORT Level;
+                    USHORT Group;
+#else
+                    ULONG Level;
+#endif
+                    ULONG Vector;
+                    KAFFINITY Affinity;
+                } Translated;
+            } DUMMYUNIONNAME;
+        } MessageInterrupt;
+
+        //
+        // Range of memory addresses, inclusive. These are physical, bus
+        // relative. The value should be the same as the one passed to
+        // HalTranslateBusAddress().
+        //
+
+        struct {
+            PHYSICAL_ADDRESS Start;    // 64 bit physical addresses.
+            ULONG Length;
+        } Memory;
+
+        //
+        // Physical DMA channel.
+        //
+
+        struct {
+            ULONG Channel;
+            ULONG Port;
+            ULONG Reserved1;
+        } Dma;
+
+        //
+        // Device driver private data, usually used to help it figure
+        // what the resource assignments decisions that were made.
+        //
+
+        struct {
+            ULONG Data[3];
+        } DevicePrivate;
+
+        //
+        // Bus Number information.
+        //
+
+        struct {
+            ULONG Start;
+            ULONG Length;
+            ULONG Reserved;
+        } BusNumber;
+
+        //
+        // Device Specific information defined by the driver.
+        // The DataSize field indicates the size of the data in bytes. The
+        // data is located immediately after the DeviceSpecificData field in
+        // the structure.
+        //
+
+        struct {
+            ULONG DataSize;
+            ULONG Reserved1;
+            ULONG Reserved2;
+        } DeviceSpecificData;
+
+        // The following structures provide support for memory-mapped
+        // IO resources greater than MAXULONG
+        struct {
+            PHYSICAL_ADDRESS Start;
+            ULONG Length40;
+        } Memory40;
+
+        struct {
+            PHYSICAL_ADDRESS Start;
+            ULONG Length48;
+        } Memory48;
+
+        struct {
+            PHYSICAL_ADDRESS Start;
+            ULONG Length64;
+        } Memory64;
+
+
+    } u;
+} CM_PARTIAL_RESOURCE_DESCRIPTOR, * PCM_PARTIAL_RESOURCE_DESCRIPTOR;
+#include "poppack.h"
+
+//
+// A Partial Resource List is what can be found in the ARC firmware
+// or will be generated by ntdetect.com.
+// The configuration manager will transform this structure into a Full
+// resource descriptor when it is about to store it in the regsitry.
+//
+// Note: There must a be a convention to the order of fields of same type,
+// (defined on a device by device basis) so that the fields can make sense
+// to a driver (i.e. when multiple memory ranges are necessary).
+//
+
+typedef struct _CM_PARTIAL_RESOURCE_LIST {
+    USHORT Version;
+    USHORT Revision;
+    ULONG Count;
+    CM_PARTIAL_RESOURCE_DESCRIPTOR PartialDescriptors[1];
+} CM_PARTIAL_RESOURCE_LIST, * PCM_PARTIAL_RESOURCE_LIST;
+
+//
+// A Full Resource Descriptor is what can be found in the registry.
+// This is what will be returned to a driver when it queries the registry
+// to get device information; it will be stored under a key in the hardware
+// description tree.
+//
+// Note: There must a be a convention to the order of fields of same type,
+// (defined on a device by device basis) so that the fields can make sense
+// to a driver (i.e. when multiple memory ranges are necessary).
+//
+
+typedef struct _CM_FULL_RESOURCE_DESCRIPTOR {
+    INTERFACE_TYPE InterfaceType; // unused for WDM
+    ULONG BusNumber; // unused for WDM
+    CM_PARTIAL_RESOURCE_LIST PartialResourceList;
+} CM_FULL_RESOURCE_DESCRIPTOR, * PCM_FULL_RESOURCE_DESCRIPTOR;
+
+//
+// The Resource list is what will be stored by the drivers into the
+// resource map via the IO API.
+//
+
+typedef struct _CM_RESOURCE_LIST {
+    ULONG Count;
+    CM_FULL_RESOURCE_DESCRIPTOR List[1];
+} CM_RESOURCE_LIST, * PCM_RESOURCE_LIST;
+
 typedef
 VOID
 WORKER_THREAD_ROUTINE(