diff --git a/Bin/kdu.exe b/Bin/kdu.exe
index ec3670f..526a97e 100644
Binary files a/Bin/kdu.exe and b/Bin/kdu.exe differ
diff --git a/KDU.sha256 b/KDU.sha256
index cdf1c8e..078987d 100644
--- a/KDU.sha256
+++ b/KDU.sha256
@@ -1,6 +1,6 @@
 6ce17d185826dc452c50b1908315ff151cd57319f11ab6eb337dbe180f111fd4 *Bin\dummy.sys
 eefc8b804938fa0976416ae18efa0e30e67b537e7ce50d94dba7022971d17f19 *Bin\dummy2.sys
-d324787b986c66454293a5455bb9995257794bdb47264da2c02bce259656db78 *Bin\kdu.exe
+a119ec2873f0cf96c8156a5c8a7c98f5f6200a337756e4cad04eb1c63e035257 *Bin\kdu.exe
 06cf7aeac5256e35f45da73594faa704083f94809772c218e9cbf0c86c076438 *Bin\license.txt
 323d910f93683453d45239a0528d3c3cda7f2608fca864fd2a687184ffe129fe *Help\kdu1.png
 a1d7a51549914833a3414a93646952c25deabe072d8a271b54e10727f923b479 *Help\kdu2.png
@@ -43,9 +43,9 @@ badf02eed10b341e47c7f3d3592159fd66ac0433d8c0a48b44640ee021b5143f *Source\Hamakaz
 d413c012b1157c4f42b7b7bc8558c9a6efcaacae87855e90b3c187b179694625 *Source\Hamakaze\ps.h
 74284ca64f7d0accca20e5b924053e788abfd98be6727e1cfa802c3fcd07f49d *Source\Hamakaze\resource.h
 b92b0af5ae1222c0c109fdfbff4428ddb5e55d193204ffae984b90d963468604 *Source\Hamakaze\resource.rc
-2ed1fa6b4f8c30399da93b73e66f29c4bb05fe667855ef09c4bdc1600967f25d *Source\Hamakaze\sup.cpp
-265c6e79a495b24a691f65883e68d016f654e1ce4229a68d6d6e9390b25449b4 *Source\Hamakaze\sup.h
-eebd9f369bc645430dac91d5a848b079bb3334a7f8f9ccc2f9e67f79ee1ccf67 *Source\Hamakaze\victim.cpp
+e387fcdb1744f215650a21350799a22541b08add11e39ab232dc5700ed64bd25 *Source\Hamakaze\sup.cpp
+3f08f05e5b9660fa7cf358ebe8b41ef2684d11613e025c2fead8454676f2f2fd *Source\Hamakaze\sup.h
+e779b895304d6c623ac55db37b5616144dcbcf56f7a47da7660f12e36201ade0 *Source\Hamakaze\victim.cpp
 f26fc0e6c1267c30701d8d2cf137bd7a191ddbbd4bcff691cef98fd060cbebcb *Source\Hamakaze\victim.h
 fe0048a958e0300b56b511cc0499984fc396d8dfa07c3f320a40a68ee3ee5298 *Source\Hamakaze\drv\iQVM64.bin
 0d9fd42f0f48dccc82f3034ab31b418218885ddfbc70d413bd4f585282af7d59 *Source\Hamakaze\drv\procexp.bin
@@ -74,5 +74,5 @@ ef1b18997ea473ac8d516ef60efc64b9175418b8f078e088d783fdaef2544969 *Source\Hamakaz
 27159b8ff67d3f8e6c7fdb4b57b9f57f899bdfedf92cf10276269245c6f4e066 *Source\Hamakaze\minirtl\_strend.c
 60f19c6b805801e13824c4d9d44748da8245cd936971411d3d36b873121888eb *Source\Hamakaze\minirtl\_strlen.c
 0434d69daa20fbf87d829ffc17e43dcc2db3386aff434af888011fdec2f645a4 *Source\Hamakaze\minirtl\_strncpy.c
-d831e0b0ca64447180f8d9e699c57e85ba7ffeb8dd20e8c893460c1a0ff76f15 *Source\Hamakaze\ntdll\ntos.h
+0e1535a719ececda767b7e0e049170a4eb375329a730973f87a681dc8bd9392a *Source\Hamakaze\ntdll\ntos.h
 de7bdf0bd4acec31c963b916331399bce23c155e3002f0a8152a4a36af13faf8 *Source\Hamakaze\res\274.ico
diff --git a/Source/Hamakaze/ntdll/ntos.h b/Source/Hamakaze/ntdll/ntos.h
index 59ea638..acada23 100644
--- a/Source/Hamakaze/ntdll/ntos.h +++ b/Source/Hamakaze/ntdll/ntos.h @@ -5,9 +5,9 @@ * * TITLE: NTOS.H * -* VERSION: 1.126 +* VERSION: 1.127 * -* DATE: 22 Jan 2020 +* DATE: 04 Feb 2020 * * Common header file for the ntos API functions and definitions. * @@ -7341,7 +7341,10 @@ RtlCopySecurityDescriptor( _In_ PSECURITY_DESCRIPTOR InputSecurityDescriptor, _Out_ PSECURITY_DESCRIPTOR *OutputSecurityDescriptor); -FORCEINLINE LUID NTAPI RtlConvertLongToLuid( +FORCEINLINE +LUID +NTAPI +RtlConvertLongToLuid( _In_ LONG Long ) { @@ -7354,6 +7357,20 @@ FORCEINLINE LUID NTAPI RtlConvertLongToLuid( return(TempLuid); } +FORCEINLINE +LUID +RtlConvertUlongToLuid( + _In_ ULONG Ulong +) +{ + LUID tempLuid; + + tempLuid.LowPart = Ulong; + tempLuid.HighPart = 0; + + return tempLuid; +} + NTSYSAPI ULONG NTAPI diff --git a/Source/Hamakaze/sup.cpp b/Source/Hamakaze/sup.cpp index 9bf29a7..c80a3ac 100644 --- a/Source/Hamakaze/sup.cpp +++ b/Source/Hamakaze/sup.cpp 
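Review bot: The new RtlConvertUlongToLuid inline omits the NTAPI calling-convention macro that its sibling RtlConvertLongToLuid, reformatted just above in the same file, carries (`FORCEINLINE LUID NTAPI RtlConvertLongToLuid(`), so the two helpers are declared inconsistently. On x64 the macro expands to nothing, but on an x86 build it changes the calling convention, and the rest of this header applies it uniformly. Suggest `FORCEINLINE LUID NTAPI RtlConvertUlongToLuid(` so the pair match. A one-line comment such as `// Build a LUID with LowPart = Ulong and HighPart = 0 (used for privilege constants)` would also state the contract that the privilege-adjustment code in sup.cpp relies on.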
@@ -227,92 +227,82 @@ BOOL supRegDeleteKeyRecursive( * */ NTSTATUS supEnablePrivilege( - _In_ DWORD PrivilegeName, - _In_ BOOL fEnable + _In_ DWORD Privilege, + _In_ BOOL Enable ) { - NTSTATUS status; - ULONG dummy; - HANDLE hToken; - TOKEN_PRIVILEGES TokenPrivileges; + ULONG Length; + NTSTATUS Status; + HANDLE TokenHandle; + LUID LuidPrivilege; - status = NtOpenProcessToken( + PTOKEN_PRIVILEGES NewState; + UCHAR Buffer[sizeof(TOKEN_PRIVILEGES) + sizeof(LUID_AND_ATTRIBUTES)]; + + Status = NtOpenProcessToken( NtCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, - &hToken); + &TokenHandle); - if (!NT_SUCCESS(status)) { - return status; + if (!NT_SUCCESS(Status)) { + return Status; } - TokenPrivileges.PrivilegeCount = 1; - TokenPrivileges.Privileges[0].Luid.LowPart = PrivilegeName; - TokenPrivileges.Privileges[0].Luid.HighPart = 0; - TokenPrivileges.Privileges[0].Attributes = (fEnable) ? SE_PRIVILEGE_ENABLED : 0; - status = NtAdjustPrivilegesToken(hToken, FALSE, &TokenPrivileges, - sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PULONG)&dummy); - if (status == STATUS_NOT_ALL_ASSIGNED) { - status = STATUS_PRIVILEGE_NOT_HELD; + NewState = (PTOKEN_PRIVILEGES)Buffer; + + LuidPrivilege = RtlConvertUlongToLuid(Privilege); + + NewState->PrivilegeCount = 1; + NewState->Privileges[0].Luid = LuidPrivilege; + NewState->Privileges[0].Attributes = Enable ? SE_PRIVILEGE_ENABLED : 0; + + Status = NtAdjustPrivilegesToken(TokenHandle, + FALSE, + NewState, + sizeof(Buffer), + NULL, + &Length); + + if (Status == STATUS_NOT_ALL_ASSIGNED) { + Status = STATUS_PRIVILEGE_NOT_HELD; } - NtClose(hToken); - return status; + NtClose(TokenHandle); + return Status; } /* -* supLoadDriver +* supxCreateDriverEntry * * Purpose: * -* Install driver and load it. -* -* N.B. -* SE_LOAD_DRIVER_PRIVILEGE is required to be assigned and enabled. +* Creating registry entry for driver. 
* */ -NTSTATUS supLoadDriver( - _In_ LPCWSTR DriverName, - _In_ LPCWSTR DriverPath, - _In_ BOOLEAN UnloadPreviousInstance +NTSTATUS supxCreateDriverEntry( + _In_opt_ LPCWSTR DriverPath, + _In_ LPCWSTR KeyName ) { NTSTATUS status = STATUS_UNSUCCESSFUL; DWORD dwData, dwResult; HKEY keyHandle = NULL; - SIZE_T keyOffset; - UNICODE_STRING driverServiceName, driverImagePath; - - WCHAR szBuffer[MAX_PATH + 1]; - - if (DriverName == NULL) - return STATUS_INVALID_PARAMETER_1; - if (DriverPath == NULL) - return STATUS_INVALID_PARAMETER_2; + UNICODE_STRING driverImagePath; RtlInitEmptyUnicodeString(&driverImagePath, NULL, 0); - if (!RtlDosPathNameToNtPathName_U(DriverPath, - &driverImagePath, - NULL, - NULL)) - { - return STATUS_INVALID_PARAMETER_2; - } - RtlSecureZeroMemory(szBuffer, sizeof(szBuffer)); - - keyOffset = RTL_NUMBER_OF(NT_REG_PREP); - - if (FAILED(StringCchPrintf(szBuffer, MAX_PATH, - DRIVER_REGKEY, - NT_REG_PREP, - DriverName))) - { - status = STATUS_INVALID_PARAMETER_1; - goto Cleanup; + if (DriverPath) { + if (!RtlDosPathNameToNtPathName_U(DriverPath, + &driverImagePath, + NULL, + NULL)) + { + return STATUS_INVALID_PARAMETER_2; + } } if (ERROR_SUCCESS != RegCreateKeyEx(HKEY_LOCAL_MACHINE, - &szBuffer[keyOffset], + KeyName, 0, NULL, REG_OPTION_NON_VOLATILE, @@ -360,12 +350,14 @@ NTSTATUS supLoadDriver( if (dwResult != ERROR_SUCCESS) break; - dwResult = RegSetValueEx(keyHandle, - TEXT("ImagePath"), - 0, - REG_EXPAND_SZ, - (BYTE*)driverImagePath.Buffer, - (DWORD)driverImagePath.Length + sizeof(UNICODE_NULL)); + if (DriverPath) { + dwResult = RegSetValueEx(keyHandle, + TEXT("ImagePath"), + 0, + REG_EXPAND_SZ, + (BYTE*)driverImagePath.Buffer, + (DWORD)driverImagePath.Length + sizeof(UNICODE_NULL)); + } } while (FALSE); 
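Review bot: In supxCreateDriverEntry the failed RtlDosPathNameToNtPathName_U conversion still returns STATUS_INVALID_PARAMETER_2, but DriverPath is now the helper's first parameter (KeyName is the second), so the status carries over the numbering of the old supLoadDriver signature. If the code is meant to name the helper's own argument it should be `return STATUS_INVALID_PARAMETER_1;`; if it is deliberately kept meaningful for supLoadDriver's callers, where DriverPath is parameter 2, say so with `// reported relative to supLoadDriver's parameter order`. KeyName is also handed straight to RegCreateKeyEx with no NULL check, unlike the DriverName/DriverPath guards the old function had; both visible callers pass a stack buffer, so this is a robustness note rather than a defect. The rewritten supEnablePrivilege declares `UCHAR Buffer[sizeof(TOKEN_PRIVILEGES) + sizeof(LUID_AND_ATTRIBUTES)]` and casts it to PTOKEN_PRIVILEGES although PrivilegeCount is always 1; a plain `TOKEN_PRIVILEGES NewState;` gives the same capacity with guaranteed alignment and no cast. supxCreateDriverEntry's body continues past the end of this hunk.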
@@ -373,16 +365,74 @@ NTSTATUS supLoadDriver( if (dwResult != ERROR_SUCCESS) { status = STATUS_ACCESS_DENIED; - goto Cleanup; } + else + { + status = STATUS_SUCCESS; + } + +Cleanup: + if (DriverPath) { + if (driverImagePath.Buffer) { + RtlFreeUnicodeString(&driverImagePath); + } + } + return status; +} + +/* +* supLoadDriver +* +* Purpose: +* +* Install driver and load it. +* +* N.B. +* SE_LOAD_DRIVER_PRIVILEGE is required to be assigned and enabled. +* +*/ +NTSTATUS supLoadDriver( + _In_ LPCWSTR DriverName, + _In_ LPCWSTR DriverPath, + _In_ BOOLEAN UnloadPreviousInstance +) +{ + SIZE_T keyOffset; + NTSTATUS status = STATUS_UNSUCCESSFUL; + UNICODE_STRING driverServiceName; + + WCHAR szBuffer[MAX_PATH + 1]; + + if (DriverName == NULL) + return STATUS_INVALID_PARAMETER_1; + if (DriverPath == NULL) + return STATUS_INVALID_PARAMETER_2; + + RtlSecureZeroMemory(szBuffer, sizeof(szBuffer)); + + keyOffset = RTL_NUMBER_OF(NT_REG_PREP); + + if (FAILED(StringCchPrintf(szBuffer, MAX_PATH, + DRIVER_REGKEY, + NT_REG_PREP, + DriverName))) + { + return STATUS_INVALID_PARAMETER_1; + } + + status = supxCreateDriverEntry(DriverPath, + &szBuffer[keyOffset]); + + if (!NT_SUCCESS(status)) + return status; RtlInitUnicodeString(&driverServiceName, szBuffer); status = NtLoadDriver(&driverServiceName); if (UnloadPreviousInstance) { if ((status == STATUS_IMAGE_ALREADY_LOADED) || - (status == STATUS_OBJECT_NAME_COLLISION) || - (status == STATUS_OBJECT_NAME_EXISTS)) + (status == STATUS_OBJECT_NAME_COLLISION) || + (status == STATUS_OBJECT_NAME_EXISTS)) { status = NtUnloadDriver(&driverServiceName); if (NT_SUCCESS(status)) { @@ -395,8 +445,6 @@ NTSTATUS supLoadDriver( status = STATUS_SUCCESS; } -Cleanup: - RtlFreeUnicodeString(&driverImagePath); return status; } 
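Review bot: After the rewrite the `Cleanup:` label in supxCreateDriverEntry is only reached by fall-through in this hunk — the `goto Cleanup` after the STATUS_ACCESS_DENIED assignment was removed and the one after StringCchPrintf moved into supLoadDriver — so unless a `goto` survives in the part of the function between the hunks, MSVC will warn (C4102) about an unreferenced label, and the label plus the nested guard can be collapsed to `if (driverImagePath.Buffer) RtlFreeUnicodeString(&driverImagePath);` (the buffer is only ever populated when DriverPath is non-NULL). In supLoadDriver, nothing visible removes the non-volatile Services key that supxCreateDriverEntry just created when NtLoadDriver fails for a reason other than an already-loaded image, so a failed load leaves a service entry pointing at DriverPath on the machine; the N.B. in the header comment should at least state that the caller must delete the key (supRegDeleteKeyRecursive exists in this file) on failure, or the function should do it itself. supxCreateDriverEntry starts outside this hunk.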
@@ -434,6 +482,12 @@ NTSTATUS supUnloadDriver( keyOffset = RTL_NUMBER_OF(NT_REG_PREP); + status = supxCreateDriverEntry(NULL, + &szBuffer[keyOffset]); + + if (!NT_SUCCESS(status)) + return status; + RtlInitUnicodeString(&driverServiceName, szBuffer); status = NtUnloadDriver(&driverServiceName); diff --git a/Source/Hamakaze/sup.h b/Source/Hamakaze/sup.h index 259b029..ee1f71f 100644 --- a/Source/Hamakaze/sup.h +++ b/Source/Hamakaze/sup.h @@ -34,8 +34,8 @@ BOOL FORCEINLINE supHeapFree( _In_ PVOID Memory); NTSTATUS supEnablePrivilege( - _In_ DWORD PrivilegeName, - _In_ BOOL fEnable); + _In_ DWORD Privilege, + _In_ BOOL Enable); NTSTATUS supLoadDriver( _In_ LPCWSTR DriverName, diff --git a/Source/Hamakaze/victim.cpp b/Source/Hamakaze/victim.cpp index d0811eb..853a6ce 100644 --- a/Source/Hamakaze/victim.cpp +++ b/Source/Hamakaze/victim.cpp @@ -123,6 +123,9 @@ BOOL VictimCreate( printf_s("[!] Could not force unload victim, NTSTATUS(0x%lX) abort\r\n", ntStatus); break; } + else { + printf_s("[+] Previous instance of victim driver unloaded\r\n"); + } } drvBuffer = supQueryResourceData(ResourceId, ModuleBase, &resourceSize);
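Review bot: supUnloadDriver now creates (or re-opens) the driver's Services key via supxCreateDriverEntry(NULL, ...) before NtUnloadDriver, so an unload attempt for a driver whose key no longer exists leaves a new non-volatile Services entry with no ImagePath behind; nothing in this hunk deletes it, and the rest of the function is outside the hunk. If the purpose is to let NtUnloadDriver resolve the service name after a partial or crashed install, that intent deserves a comment, e.g. `// NtUnloadDriver needs the service key to exist; (re)create it without ImagePath and remove it afterwards`, and the key should be deleted on every exit path, including when NtUnloadDriver fails. The early return also means the function can now fail with STATUS_ACCESS_DENIED from the registry path before the unload is attempted, which callers that previously only saw NtUnloadDriver statuses may not distinguish.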