Update

Sync with Zekamashi

KDU.sha256

@@ -1,6 +1,6 @@
 6ce17d185826dc452c50b1908315ff151cd57319f11ab6eb337dbe180f111fd4 *Bin\dummy.sys
 eefc8b804938fa0976416ae18efa0e30e67b537e7ce50d94dba7022971d17f19 *Bin\dummy2.sys
-d324787b986c66454293a5455bb9995257794bdb47264da2c02bce259656db78 *Bin\kdu.exe
+a119ec2873f0cf96c8156a5c8a7c98f5f6200a337756e4cad04eb1c63e035257 *Bin\kdu.exe
 06cf7aeac5256e35f45da73594faa704083f94809772c218e9cbf0c86c076438 *Bin\license.txt
 323d910f93683453d45239a0528d3c3cda7f2608fca864fd2a687184ffe129fe *Help\kdu1.png
 a1d7a51549914833a3414a93646952c25deabe072d8a271b54e10727f923b479 *Help\kdu2.png
@@ -43,9 +43,9 @@ badf02eed10b341e47c7f3d3592159fd66ac0433d8c0a48b44640ee021b5143f *Source\Hamakaz
 d413c012b1157c4f42b7b7bc8558c9a6efcaacae87855e90b3c187b179694625 *Source\Hamakaze\ps.h
 74284ca64f7d0accca20e5b924053e788abfd98be6727e1cfa802c3fcd07f49d *Source\Hamakaze\resource.h
 b92b0af5ae1222c0c109fdfbff4428ddb5e55d193204ffae984b90d963468604 *Source\Hamakaze\resource.rc
-2ed1fa6b4f8c30399da93b73e66f29c4bb05fe667855ef09c4bdc1600967f25d *Source\Hamakaze\sup.cpp
-265c6e79a495b24a691f65883e68d016f654e1ce4229a68d6d6e9390b25449b4 *Source\Hamakaze\sup.h
-eebd9f369bc645430dac91d5a848b079bb3334a7f8f9ccc2f9e67f79ee1ccf67 *Source\Hamakaze\victim.cpp
+e387fcdb1744f215650a21350799a22541b08add11e39ab232dc5700ed64bd25 *Source\Hamakaze\sup.cpp
+3f08f05e5b9660fa7cf358ebe8b41ef2684d11613e025c2fead8454676f2f2fd *Source\Hamakaze\sup.h
+e779b895304d6c623ac55db37b5616144dcbcf56f7a47da7660f12e36201ade0 *Source\Hamakaze\victim.cpp
 f26fc0e6c1267c30701d8d2cf137bd7a191ddbbd4bcff691cef98fd060cbebcb *Source\Hamakaze\victim.h
 fe0048a958e0300b56b511cc0499984fc396d8dfa07c3f320a40a68ee3ee5298 *Source\Hamakaze\drv\iQVM64.bin
 0d9fd42f0f48dccc82f3034ab31b418218885ddfbc70d413bd4f585282af7d59 *Source\Hamakaze\drv\procexp.bin
@@ -74,5 +74,5 @@ ef1b18997ea473ac8d516ef60efc64b9175418b8f078e088d783fdaef2544969 *Source\Hamakaz
 27159b8ff67d3f8e6c7fdb4b57b9f57f899bdfedf92cf10276269245c6f4e066 *Source\Hamakaze\minirtl\_strend.c
 60f19c6b805801e13824c4d9d44748da8245cd936971411d3d36b873121888eb *Source\Hamakaze\minirtl\_strlen.c
 0434d69daa20fbf87d829ffc17e43dcc2db3386aff434af888011fdec2f645a4 *Source\Hamakaze\minirtl\_strncpy.c
-d831e0b0ca64447180f8d9e699c57e85ba7ffeb8dd20e8c893460c1a0ff76f15 *Source\Hamakaze\ntdll\ntos.h
+0e1535a719ececda767b7e0e049170a4eb375329a730973f87a681dc8bd9392a *Source\Hamakaze\ntdll\ntos.h
 de7bdf0bd4acec31c963b916331399bce23c155e3002f0a8152a4a36af13faf8 *Source\Hamakaze\res\274.ico

Source/Hamakaze/ntdll/ntos.h

@@ -5,9 +5,9 @@
 *
 *  TITLE:       NTOS.H
 *
-*  VERSION:     1.126
+*  VERSION:     1.127
 *
-*  DATE:        22 Jan 2020
+*  DATE:        04 Feb 2020
 *
 *  Common header file for the ntos API functions and definitions.
 *
@@ -7341,7 +7341,10 @@ RtlCopySecurityDescriptor(
     _In_ PSECURITY_DESCRIPTOR InputSecurityDescriptor,
     _Out_ PSECURITY_DESCRIPTOR *OutputSecurityDescriptor);
 
-FORCEINLINE LUID NTAPI RtlConvertLongToLuid(
+FORCEINLINE 
+LUID 
+NTAPI 
+RtlConvertLongToLuid(
     _In_ LONG Long
 )
 {
@@ -7354,6 +7357,20 @@ FORCEINLINE LUID NTAPI RtlConvertLongToLuid(
     return(TempLuid);
 }
 
+FORCEINLINE 
+LUID 
+RtlConvertUlongToLuid(
+    _In_ ULONG Ulong
+)
+{
+    LUID tempLuid;
+
+    tempLuid.LowPart = Ulong;
+    tempLuid.HighPart = 0;
+
+    return tempLuid;
+}
+
 NTSYSAPI
 ULONG
 NTAPI

Source/Hamakaze/sup.cpp

@@ -227,92 +227,82 @@ BOOL supRegDeleteKeyRecursive(
 *
 */
 NTSTATUS supEnablePrivilege(
-    _In_ DWORD PrivilegeName,
-    _In_ BOOL fEnable
+    _In_ DWORD Privilege,
+    _In_ BOOL Enable
 )
 {
-    NTSTATUS         status;
-    ULONG            dummy;
-    HANDLE           hToken;
-    TOKEN_PRIVILEGES TokenPrivileges;
+    ULONG Length;
+    NTSTATUS Status;
+    HANDLE TokenHandle;
+    LUID LuidPrivilege;
+
+    PTOKEN_PRIVILEGES NewState;
+    UCHAR Buffer[sizeof(TOKEN_PRIVILEGES) + sizeof(LUID_AND_ATTRIBUTES)];
 
-    status = NtOpenProcessToken(
+    Status = NtOpenProcessToken(
         NtCurrentProcess(),
         TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
-        &hToken);
+        &TokenHandle);
 
-    if (!NT_SUCCESS(status)) {
-        return status;
+    if (!NT_SUCCESS(Status)) {
+        return Status;
     }
 
-    TokenPrivileges.PrivilegeCount = 1;
-    TokenPrivileges.Privileges[0].Luid.LowPart = PrivilegeName;
-    TokenPrivileges.Privileges[0].Luid.HighPart = 0;
-    TokenPrivileges.Privileges[0].Attributes = (fEnable) ? SE_PRIVILEGE_ENABLED : 0;
-    status = NtAdjustPrivilegesToken(hToken, FALSE, &TokenPrivileges,
-        sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PULONG)&dummy);
-    if (status == STATUS_NOT_ALL_ASSIGNED) {
-        status = STATUS_PRIVILEGE_NOT_HELD;
+    NewState = (PTOKEN_PRIVILEGES)Buffer;
+
+    LuidPrivilege = RtlConvertUlongToLuid(Privilege);
+
+    NewState->PrivilegeCount = 1;
+    NewState->Privileges[0].Luid = LuidPrivilege;
+    NewState->Privileges[0].Attributes = Enable ? SE_PRIVILEGE_ENABLED : 0;
+
+    Status = NtAdjustPrivilegesToken(TokenHandle,
+        FALSE,
+        NewState,
+        sizeof(Buffer),
+        NULL,
+        &Length);
+
+    if (Status == STATUS_NOT_ALL_ASSIGNED) {
+        Status = STATUS_PRIVILEGE_NOT_HELD;
     }
 
-    NtClose(hToken);
-    return status;
+    NtClose(TokenHandle);
+    return Status;
 }
 
 /*
-* supLoadDriver
+* supxCreateDriverEntry
 *
 * Purpose:
 *
-* Install driver and load it.
-*
-* N.B.
-* SE_LOAD_DRIVER_PRIVILEGE is required to be assigned and enabled.
+* Creating registry entry for driver.
 *
 */
-NTSTATUS supLoadDriver(
-    _In_ LPCWSTR DriverName,
-    _In_ LPCWSTR DriverPath,
-    _In_ BOOLEAN UnloadPreviousInstance
+NTSTATUS supxCreateDriverEntry(
+    _In_opt_ LPCWSTR DriverPath,
+    _In_ LPCWSTR KeyName
 )
 {
     NTSTATUS status = STATUS_UNSUCCESSFUL;
     DWORD dwData, dwResult;
     HKEY keyHandle = NULL;
-    SIZE_T keyOffset;
-    UNICODE_STRING driverServiceName, driverImagePath;
-
-    WCHAR szBuffer[MAX_PATH + 1];
-
-    if (DriverName == NULL)
-        return STATUS_INVALID_PARAMETER_1;
-    if (DriverPath == NULL)
-        return STATUS_INVALID_PARAMETER_2;
+    UNICODE_STRING driverImagePath;
 
     RtlInitEmptyUnicodeString(&driverImagePath, NULL, 0);
-    if (!RtlDosPathNameToNtPathName_U(DriverPath,
-        &driverImagePath,
-        NULL,
-        NULL))
-    {
-        return STATUS_INVALID_PARAMETER_2;
-    }
 
-    RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
-
-    keyOffset = RTL_NUMBER_OF(NT_REG_PREP);
-
-    if (FAILED(StringCchPrintf(szBuffer, MAX_PATH,
-        DRIVER_REGKEY,
-        NT_REG_PREP,
-        DriverName)))
-    {
-        status = STATUS_INVALID_PARAMETER_1;
-        goto Cleanup;
+    if (DriverPath) {
+        if (!RtlDosPathNameToNtPathName_U(DriverPath,
+            &driverImagePath,
+            NULL,
+            NULL))
+        {
+            return STATUS_INVALID_PARAMETER_2;
+        }
     }
 
     if (ERROR_SUCCESS != RegCreateKeyEx(HKEY_LOCAL_MACHINE,
-        &szBuffer[keyOffset],
+        KeyName,
         0,
         NULL,
         REG_OPTION_NON_VOLATILE,
@@ -360,29 +350,89 @@ NTSTATUS supLoadDriver(
         if (dwResult != ERROR_SUCCESS)
             break;
 
-        dwResult = RegSetValueEx(keyHandle,
-            TEXT("ImagePath"),
-            0,
-            REG_EXPAND_SZ,
-            (BYTE*)driverImagePath.Buffer,
-            (DWORD)driverImagePath.Length + sizeof(UNICODE_NULL));
+        if (DriverPath) {
+            dwResult = RegSetValueEx(keyHandle,
+                TEXT("ImagePath"),
+                0,
+                REG_EXPAND_SZ,
+                (BYTE*)driverImagePath.Buffer,
+                (DWORD)driverImagePath.Length + sizeof(UNICODE_NULL));
+        }
 
     } while (FALSE);
 
     RegCloseKey(keyHandle);
 
     if (dwResult != ERROR_SUCCESS) {
         status = STATUS_ACCESS_DENIED;
-        goto Cleanup;
+    }
+    else
+    {
+        status = STATUS_SUCCESS;
     }
 
+Cleanup:
+    if (DriverPath) {
+        if (driverImagePath.Buffer) {
+            RtlFreeUnicodeString(&driverImagePath);
+        }
+    }
+    return status;
+}
+
+/*
+* supLoadDriver
+*
+* Purpose:
+*
+* Install driver and load it.
+*
+* N.B.
+* SE_LOAD_DRIVER_PRIVILEGE is required to be assigned and enabled.
+*
+*/
+NTSTATUS supLoadDriver(
+    _In_ LPCWSTR DriverName,
+    _In_ LPCWSTR DriverPath,
+    _In_ BOOLEAN UnloadPreviousInstance
+)
+{
+    SIZE_T keyOffset;
+    NTSTATUS status = STATUS_UNSUCCESSFUL;
+    UNICODE_STRING driverServiceName;
+
+    WCHAR szBuffer[MAX_PATH + 1];
+
+    if (DriverName == NULL)
+        return STATUS_INVALID_PARAMETER_1;
+    if (DriverPath == NULL)
+        return STATUS_INVALID_PARAMETER_2;
+
+    RtlSecureZeroMemory(szBuffer, sizeof(szBuffer));
+
+    keyOffset = RTL_NUMBER_OF(NT_REG_PREP);
+
+    if (FAILED(StringCchPrintf(szBuffer, MAX_PATH,
+        DRIVER_REGKEY,
+        NT_REG_PREP,
+        DriverName)))
+    {
+        return STATUS_INVALID_PARAMETER_1;
+    }
+
+    status = supxCreateDriverEntry(DriverPath,
+        &szBuffer[keyOffset]);
+
+    if (!NT_SUCCESS(status))
+        return status;
+
     RtlInitUnicodeString(&driverServiceName, szBuffer);
     status = NtLoadDriver(&driverServiceName);
 
     if (UnloadPreviousInstance) {
         if ((status == STATUS_IMAGE_ALREADY_LOADED) ||
-            (status == STATUS_OBJECT_NAME_COLLISION) || 
-            (status == STATUS_OBJECT_NAME_EXISTS)) 
+            (status == STATUS_OBJECT_NAME_COLLISION) ||
+            (status == STATUS_OBJECT_NAME_EXISTS))
         {
             status = NtUnloadDriver(&driverServiceName);
             if (NT_SUCCESS(status)) {
@@ -395,8 +445,6 @@ NTSTATUS supLoadDriver(
             status = STATUS_SUCCESS;
     }
 
-Cleanup:
-    RtlFreeUnicodeString(&driverImagePath);
     return status;
 }
 
@@ -434,6 +482,12 @@ NTSTATUS supUnloadDriver(
 
     keyOffset = RTL_NUMBER_OF(NT_REG_PREP);
 
+    status = supxCreateDriverEntry(NULL,
+        &szBuffer[keyOffset]);
+
+    if (!NT_SUCCESS(status))
+        return status;
+
     RtlInitUnicodeString(&driverServiceName, szBuffer);
     status = NtUnloadDriver(&driverServiceName);
 

Source/Hamakaze/sup.h

@@ -34,8 +34,8 @@ BOOL FORCEINLINE supHeapFree(
     _In_ PVOID Memory);
 
 NTSTATUS supEnablePrivilege(
-    _In_ DWORD PrivilegeName,
-    _In_ BOOL fEnable);
+    _In_ DWORD Privilege,
+    _In_ BOOL Enable);
 
 NTSTATUS supLoadDriver(
     _In_ LPCWSTR DriverName,

Source/Hamakaze/victim.cpp

@@ -123,6 +123,9 @@ BOOL VictimCreate(
                     printf_s("[!] Could not force unload victim, NTSTATUS(0x%lX) abort\r\n", ntStatus);
                     break;
                 }
+                else {
+                    printf_s("[+] Previous instance of victim driver unloaded\r\n");
+                }
             }
 
             drvBuffer = supQueryResourceData(ResourceId, ModuleBase, &resourceSize);