-
Notifications
You must be signed in to change notification settings - Fork 418
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
KsDumper Driver unloadable? Maybe any mapped driver? #79
Comments
In general: Regarding exact readme: General purpose of this KDU "map" feature is about giving your code r0 access, what you will do with it is totally on your own. Target driver maybe using threads, setting hooks, allocating additional memory - whatever, everything must be tracked and terminated/freed upon "unmap", including own driver code memory. How you will do that (shellcode, another vulnerable driver/workitem) is out of this topic scope. There are some caveats also. Don't forget also that driver unloaded with API will be moved later to internal list of unloaded drivers which I assume many users of this project doesn't want. Have no idea if this is already Microsoft concern or maybe added in the future, but unloading with API what wasn't loaded with API is a perfect < insert PatchGuard bsod > moment. |
This makes sense as to why it works for KsDumper, it's a very basic kernel driver that's being loaded. So there's really nothing to track. So should I be wary of giving the ability to unload the driver via API since Microsoft could patch to check for that and bsod? It's already an option to unload the driver on program exit, but if it becomes a situation as mentioned above, should I get ahead of that and not unload the driver but instead keep it running as in the original program? |
If it works then why not. Its not some mass production critical infrastructure software isn't it? It's impossible to predict future OS changes, some code in NT wasn't changed since 4.0 so... |
Good points, if it works it works lol. |
I have been using KDU for about a year now to support KsDumper 11, the revival of KsDumper with win11 support.
https://github.com/mastercodeon314/KsDumper-11
I was able to add functionality to the KsDumper driver to be unloadable. This is interesting since the readme for KDU says that i cannot have mapped code unload itself, however, i am able to setup an IO CTRL code and when getting that IOCTRL code, the driver calls the Unload function.
NTSTATUS Unload(IN PDRIVER_OBJECT DriverObject) { IoDeleteSymbolicLink(&symLink); IoDeleteSymbolicLink(&deviceName); IoDeleteDevice(deviceObject); return ZwUnloadDriver(&deviceName); }
This seems to contradict what it says in the readme, but i am not sure if i am releasing all resources allocated by my mapped code.
Any explanation on this?
Usage of the ZwUnloadDriver made this possible,
The text was updated successfully, but these errors were encountered: