Merge pull request #44 from pathtofile/RunCommandPPL

Added -pse mode to run a program as ProtectedProcessLight-AntiMalware
removed bad fixes
2022-12-01 05:49:20 +07:00 · 2022-12-01 08:10:26 +11:00 · 2022-11-30 10:42:46 +11:00 · 2022-11-30 10:42:07 +11:00 · 2022-11-30 10:19:11 +11:00 · 2022-11-30 10:17:43 +11:00
5 changed files with 153 additions and 10 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,3 @@
+Source/**/output
+.vs
+Source/Hamakaze/shellstager.lst
--- a/README.md
+++ b/README.md
@ -23,12 +23,14 @@ It features:
 ###### KDU -diag
 ###### KDU -prv ProviderID
 ###### KDU -ps ProcessID
+###### KDU -pse Commandline
 ###### KDU -dse value
 ###### KDU -map filename
 * -list - list currently available providers;
 * -diag - run system diagnostic for troubleshooting;
 * -prv  - optional, select vulnerability driver provider;
-* -ps 	- modify process object of given ProcessID;
+* -ps   - modify process object of given ProcessID, downgrading any protections;
+* -pse  - launch program as ProtectedProcessLight-AntiMalware (PPL);
 * -dse  - write user defined value to the system DSE state flags;
 * -map  - map driver to the kernel and execute it entry point, this command have dependencies listed below;
  * -scv version - optional, select shellcode version, default 1;
@ -44,6 +46,7 @@ Example:
 + kdu -prv 6 -scv 3 -drvn edrv -drvr e3600bl -map c:\install\e3600bl.sys
 + kdu -dse 0
 + kdu -dse 6
+ kdu -pse "C:\Windows\System32\notepad.exe C:\TEMP\words.txt"

 Run on Windows 10 20H2*

--- a/Source/Hamakaze/main.cpp
+++ b/Source/Hamakaze/main.cpp
@ -23,6 +23,7 @@
 #define CMD_MAP         L"-map"
 #define CMD_SCV         L"-scv"
 #define CMD_PS          L"-ps"
+#define CMD_PSE         L"-pse"
 #define CMD_DSE         L"-dse"
 #define CMD_LIST        L"-list"
 #define CMD_SI          L"-diag"
@ -37,6 +38,7 @@
                     "kdu -list         - list available providers\r\n"\
                     "kdu -diag         - run system diagnostic for troubleshooting\r\n"\
                     "kdu -prv id       - optional, sets provider id to be used with rest of commands, default 0\r\n"\
+                     "kdu -pse cmdline  - Launch program as PPL\r\n"\
                     "kdu -ps pid       - disable ProtectedProcess for given pid\r\n"\
                     "kdu -dse value    - write user defined value to the system DSE state flags\r\n"\
                     "kdu -map filename - map driver to the kernel and execute it entry point, this command have dependencies listed below\r\n"\
@ -46,6 +48,38 @@

 #define T_PRNTDEFAULT   "%s\r\n"

+/*
+* KDUProcessPSEObjectSwitch
+*
+* Purpose:
+*
+* Handle -pse switch.
+*
+*/
+INT KDUProcessPSEObjectSwitch(
+    _In_ ULONG HvciEnabled,
+    _In_ ULONG NtBuildNumber,
+    _In_ ULONG ProviderId,
+    _In_ LPWSTR CommandLine
+)
+{
+    INT retVal = 0;
+    KDU_CONTEXT* provContext;
+
+    provContext = KDUProviderCreate(ProviderId,
+        HvciEnabled,
+        NtBuildNumber,
+        KDU_SHELLCODE_NONE,
+        ActionTypeDKOM);
+
+    if (provContext) {
+        retVal = KDURunCommandPPL(provContext, CommandLine);
+        KDUProviderRelease(provContext);
+    }
+
+    return retVal;
+}
+
 /*
 * KDUProcessPSObjectSwitch
 *
@ -71,7 +105,7 @@ INT KDUProcessPSObjectSwitch(
        ActionTypeDKOM);

    if (provContext) {
-        retVal = KDUControlProcess(provContext, ProcessId);
+        retVal = KDUUnprotectProcess(provContext, ProcessId);
        KDUProviderRelease(provContext);
    }

@ -429,9 +463,19 @@ INT KDUProcessCommandLine(

                }
            }
+            else if (supGetCommandLineOption(CMD_PSE,
+                        TRUE,
+                        szParameter,
+                        sizeof(szParameter) / sizeof(WCHAR),
+                        NULL))
+            {
+                retVal = KDUProcessPSEObjectSwitch(HvciEnabled,
+                    NtBuildNumber,
+                    providerId,
+                    szParameter);
+            }

-            else
-
+            else {
                //
                // Check if -ps specified.
                //
@ -455,6 +499,7 @@ INT KDUProcessCommandLine(
                    //
                    printf_s(T_PRNTDEFAULT, T_KDUUSAGE);
                }
+            }

    } while (FALSE);

--- a/Source/Hamakaze/ps.cpp
+++ b/Source/Hamakaze/ps.cpp
@ -86,6 +86,85 @@ LPSTR KDUGetProtectionSignerAsString(
    return pStr;
 }

+/*
+* KDUControlProcess
+*
+* Purpose:
+*
+* Start a Process as PPL-Antimalware
+*
+*/
+BOOL KDURunCommandPPL(
+    _In_ PKDU_CONTEXT Context,
+    _In_ LPWSTR CommandLine)
+{
+    BOOL       bResult = FALSE;
+    DWORD      dwThreadResumeCount = 0;
+
+    STARTUPINFO si;
+    PROCESS_INFORMATION pi;
+
+    ZeroMemory(&si, sizeof(si));
+    si.cb = sizeof(si);
+    ZeroMemory(&pi, sizeof(pi));
+
+    wprintf_s(L"[+] Creating Process '%s'\r\n", CommandLine);
+
+    bResult = CreateProcess(
+        NULL,               // No module name (use command line)
+        CommandLine,        // Command line
+        NULL,               // Process handle not inheritable
+        NULL,               // Thread handle not inheritable
+        FALSE,              // Set handle inheritance to FALSE
+        CREATE_SUSPENDED,   // Create Process suspended so we can edit
+                            // its protection level prior to starting
+        NULL,               // Use parent's environment block
+        NULL,               // Use parent's starting directory 
+        &si,                // Pointer to STARTUPINFO structure
+        &pi);               // Pointer to PROCESS_INFORMATION structure
+    if (!bResult) {
+        printf("[!] Failed to create process: 0x%x\n", GetLastError());
+        return bResult;
+    }
+    printf_s("[+] Created Process with PID %d\r\n", pi.dwProcessId);
+
+    bResult = KDUControlProcess(Context, pi.dwProcessId, PsProtectedSignerAntimalware, PsProtectedTypeProtectedLight);
+    if (!bResult) {
+        printf("[!] Failed to set process as PPL: 0x%x\n", GetLastError());
+        return bResult;
+    }
+
+    dwThreadResumeCount = ResumeThread(pi.hThread);
+    if (dwThreadResumeCount != 1) {
+        printf("[!] Failed to resume process: %d | 0x%x\n", dwThreadResumeCount, GetLastError());
+        return bResult;
+    }
+
+    // Wait until child process exits.
+    WaitForSingleObject(pi.hProcess, INFINITE);
+
+    // Close process and thread handles.
+    CloseHandle(pi.hProcess);
+    CloseHandle(pi.hThread);
+
+    return bResult;
+}
+
+/*
+* KDUControlProcess
+*
+* Purpose:
+*
+* Modify process object to remove PsProtectedProcess access restrictions.
+*
+*/
+BOOL KDUUnprotectProcess(
+    _In_ PKDU_CONTEXT Context,
+    _In_ ULONG_PTR ProcessId)
+{
+    return KDUControlProcess(Context, ProcessId, PsProtectedSignerNone, PsProtectedTypeNone);
+}
+
 /*
 * KDUControlProcess
 *
@ -96,7 +175,9 @@ LPSTR KDUGetProtectionSignerAsString(
 */
 BOOL KDUControlProcess(
    _In_ PKDU_CONTEXT Context,
-    _In_ ULONG_PTR ProcessId)
+    _In_ ULONG_PTR ProcessId,
+    _In_ PS_PROTECTED_SIGNER PsProtectionSigner,
+    _In_ PS_PROTECTED_TYPE PsProtectionType)
 {
    BOOL       bResult = FALSE;
    ULONG      Buffer;
@ -194,15 +275,15 @@ BOOL KDUControlProcess(
                        PsProtection->Type,
                        pStr);

-                    printf_s("\tPsProtection->Audit: %lu\r\n", PsProtection->Audit);
-
                    pStr = KDUGetProtectionSignerAsString(PsProtection->Signer);
                    printf_s("\tPsProtection->Signer: %lu (%s)\r\n",
                        PsProtection->Signer,
                        pStr);

-                    PsProtection->Signer = PsProtectedSignerNone;
-                    PsProtection->Type = PsProtectedTypeNone;
+                    printf_s("\tPsProtection->Audit: %lu\r\n", PsProtection->Audit);
+
+                    PsProtection->Signer = PsProtectionSigner;
+                    PsProtection->Type = PsProtectionType;
                    PsProtection->Audit = 0;

                    bResult = Context->Provider->Callbacks.WriteKernelVM(Context->DeviceHandle, 
--- a/Source/Hamakaze/ps.h
+++ b/Source/Hamakaze/ps.h
@ -30,6 +30,17 @@

 #define EPROCESS_TO_PROTECTION(Object, PsProtectionOffset) ((ULONG_PTR)Object + (ULONG_PTR)PsProtectionOffset)

-BOOL KDUControlProcess(
+BOOL KDUUnprotectProcess(
    _In_ PKDU_CONTEXT Context,
    _In_ ULONG_PTR ProcessId);
+
+BOOL KDURunCommandPPL(
+    _In_ PKDU_CONTEXT Context,
+    _In_ LPWSTR CommandLine);
+
+BOOL KDUControlProcess(
+    _In_ PKDU_CONTEXT Context,
+    _In_ ULONG_PTR ProcessId,
+    _In_ PS_PROTECTED_SIGNER PsProtectionSigner,
+    _In_ PS_PROTECTED_TYPE PsProtectionType);
+
Author	SHA1	Message	Date
hfiref0x	154faf74e3	Merge pull request #44 from pathtofile/RunCommandPPL Added -pse mode to run a program as ProtectedProcessLight-AntiMalware	2022-12-01 05:49:20 +07:00
pathtofile	31af91a2f5	removed bad fixes	2022-12-01 08:10:26 +11:00
pathtofile	f2412b8482	Updated README	2022-11-30 10:42:46 +11:00
pathtofile	8f48ca6b49	Updated README	2022-11-30 10:42:07 +11:00
pathtofile	d3d59dd51b	added .gitignore to keep source tree clean	2022-11-30 10:19:11 +11:00
pathtofile	f905cf4bca	Renamed functions for clarity	2022-11-30 10:17:43 +11:00
pathtofile	60d5606cd7	Added -pse mode to run a program as ProtectedProcessLight-AntiMalware (PPL-AM)	2022-11-29 23:45:45 +11:00