Disabling DSE with the drivers DBUtil v2.3 and v2.5 shows BSOD #41

Closed
schtrom opened this issue Nov 7, 2022 · 3 comments
Labels: bug (Something isn't working)

Comments


schtrom commented Nov 7, 2022

Hi hfiref0x,

First, many thanks and much respect for your hard work. It is always nice to see someone skilled releasing sources for others to learn from. This is much appreciated. I myself have used your DSEFix extensively for years to load unsigned drivers. Lately I switched to KDU and got a BSOD on the DBUtil providers. The details and a potential fix follow below.

With DBUtil v2.3 driver we get a BSOD on Windows 10 and an instant reboot on Windows 7. The problem is related to the function "DbUtilWriteVirtualMemory" in the source code file "KDU-master\Source\Hamakaze\idrv\dbutil.cpp". The size of the structure which DBUtil accepts for input is increased by the following code line:

size = ALIGN_UP_BY(value, PAGE_SIZE);

Because DBUtil v2.3 uses the buffer size specified in DeviceIoControl as the size to transfer, it writes 4096 bytes to the virtual kernel address where the g_CiOptions (Windows 10) or g_CiEnable (Windows 7) variable is located. Because this write occurs on read-only memory, we see a BSOD. We corrected this by setting the "size" variable equal to "value" in the source code as follows:

value = FIELD_OFFSET(DBUTIL_READWRITE_REQUEST, Data) + NumberOfBytes;
//size = ALIGN_UP_BY(value, PAGE_SIZE);
size = value;

[screenshot: KDU_DBUtil_Patch2]

The same should be implemented for the function "DbUtilReadVirtualMemory", but this does not cause a BSOD, because the memory is only read and not written for 4096 bytes.

In addition, we tested the DBUtil v2.5 driver, which does not even install correctly. This is related to the function "DbUtilManageFiles" in the same source code file. This function first unpacks the driver to the program directory and afterwards extracts the INF and CAT files to the TEMP directory. Therefore the INF cannot find the driver and the installation does not work. We also patched this with the following code change:

//cch = supExpandEnvironmentStrings(L"%temp%\\", szFileName, MAX_PATH);
lstrcpy(szFileName, Context->DriverFileName);
lpEnd = wcsrchr(szFileName, '\\');
*(lpEnd + 1) = 0;
//if (cch == 0 || cch > MAX_PATH) {
//    SetLastError(ERROR_NOT_ENOUGH_MEMORY);
//}
//else {

[screenshot: KDU_DBUtil_Patch1]

This patch should be applied twice, for the install and the uninstall parts of this function. If we only apply the 2nd (unpacking) patch, we can see that the DBUtil v2.5 driver also causes a BSOD, for the same reason as the DBUtil v2.3 driver. Therefore the 1st patch also solves the problem with DBUtil v2.5. After all patches are applied, we can change DSE successfully with both providers.

[screenshot: KDU_DBUtil_v2 3]

[screenshot: KDU_DBUtil_v2 5]

I have attached a fixed and already patched source code file with comments. I hope that helps in fixing the little DBUtil bug.

[attachment: KDU_dbutil_patched.zip]

Keep the amazing stuff coming!
Greets Kai Schtrom

hfiref0x (Owner)

hfiref0x commented Nov 7, 2022

Thanks, this will be fixed in the next version.

@hfiref0x hfiref0x added the bug Something isn't working label Nov 7, 2022
hfiref0x added a commit that referenced this issue Nov 8, 2022
Added Zemana FakeAV as provider 25 (multiple CVE, e.g. CVE-2018-6606, CVE-2021-31728, CVE-2022-42045)
Address issue #41
Beta 1
schtrom (Author)

schtrom commented Nov 9, 2022

Compiled v1.2.7 with Visual Studio 2022 this morning and ran the following tests.

Successful tests:

  • Provider 16 (DBUtil v2.3) on Windows 7 x64 SP1 DSE disable and enable working
  • Provider 16 (DBUtil v2.3) on Windows 10 x64 Build 21H2 DSE disable and enable working
  • Provider 20 (DBUtil v2.5) on Windows 10 x64 Build 21H2 DSE disable and enable working
  • Provider 16 (DBUtil v2.3) on Windows 10 x64 Build 22H2 DSE disable and enable working
  • Provider 20 (DBUtil v2.5) on Windows 10 x64 Build 22H2 DSE disable and enable working
  • Provider 20 (DBUtil v2.5) on Windows 11 x64 Build 22H2 DSE disable and enable working

Unsuccessful tests:

  • Provider 20 (DBUtil v2.5) on Windows 7 x64 SP1 DSE disable and enable not working
    This is normal, because v2.5 will only work on Windows 10 version 1507 (Threshold 1) and later.
  • Provider 16 (DBUtil v2.3) on Windows 11 x64 Build 22H2 DSE disable and enable not working
    This is also normal, because the driver is blocked on this version.

Verdict:
All working fine for me, but I only tested DSE. Thanks for the quick fix and have a nice day!

hfiref0x (Owner)

hfiref0x commented Nov 9, 2022

Thanks for testing and reporting this bug.

@hfiref0x hfiref0x mentioned this issue Nov 17, 2022