thecruz / kdmapper
KDMapper is a simple tool that exploits iqvw64e.sys Intel driver to manually map non-signed drivers in memory
License: MIT License
I am just confused why it fails to load my driver every time. I am on 21h1 and am running a UserMode driver for an injection method, and it does not want to work. If anyone might have an explanation that would be great!
Edit: I have secure boot off, virtualization off and the BSOD message is KERNEL_SECURITY_CHECK_FAILURE
Have you noticed in some instances it states the Intel driver is already running and bails? Can you apply a fix for this, because it means whatever Intel driver is running needs to be unloaded for kdmapper to then work.
Also it would be good to have a check in place that kdmapper will only work once to avoid it potentially mapping a driver multiple times.
Have you thought of adding cleaning into this kdmapper?
Keep getting a crash when launching
[<] Loading vulnerable driver, Name: vplfLaemxNtg
[+] NtLoadDriver Status 0x0
[+] PiDDBLock Ptr 0xfffff8064012323c
[+] PiDDBCacheTable Ptr 0xfffff80640123378
[+] PiDDBLock Locked
[+] PiDDBCacheTable result -> TimeStamp: 5284eac3
[+] Found Table Entry = 0xFFFF8A026C2AA4D0
[+] PiDDBCacheTable Cleaned
[+] g_KernelHashBucketList Found 0xFFFFF80640EBC080
[+] g_HashCacheLock Locked
[+] Found In g_KernelHashBucketList: vplfLaemxNtg
[+] g_KernelHashBucketList Cleaned
[+] MmUnloadedDrivers Cleaned: vplfLaemxNtg
[+] Image base has been allocated at 0xFFFFD08FD7FE0000
[+] Skipped 0x1000 bytes of PE Header
[!!] Crash at addr 0x00007FF6DBA0C9A5 by 0xc0000005
[<] Unloading vulnerable driver
[+] NtUnloadDriver Status 0x0
[+] Vul driver data destroyed before unlink
OS: Windows 20H2
Using TygoL's build with --mdl flag and same driver works as expected.
I have all the runtimes installed, DirectX runtime as well, no clue why I'm getting this error. Got runtime dll errors and msvcp errors before installing runtimes, now I just get "the application was unable to start correctly 0xc00007b"
Any clue why?
Hi, I compiled the BlackBoneDrv10 project with security check turned off (/GS-) and with an entry point (DriverEntry).
When I load the blackbone driver using kdmapper I have a BSOD 0x0000003B (SYSTEM_SERVICE_EXCEPTION)
win10 19043
please help :)
If I use --mdl and I interact in any way with the mdlptr I get a SYSTEM_SERVICE_EXCEPTION BSOD. I have no idea why though. Here is my DriverEntry. If you know why tf it's happening please help.
NTSTATUS DriverEntry(ULONG64* useless1, ULONG64* useless2, ULONG64 allocationPtr, ULONG64 allocationSize, ULONG64 mdlptr)
{
    UNREFERENCED_PARAMETER(useless1);
    UNREFERENCED_PARAMETER(useless2);
    UNREFERENCED_PARAMETER(allocationPtr);
    UNREFERENCED_PARAMETER(allocationSize);
    PMDL mdl = (PMDL)mdlptr;
    return true;
}
How do I unmap a driver?
[<] Loading vulnerable driver, Name: QvxVqegYVXXFT
[+] NtLoadDriver Status 0x0
[-] Can't find pattern
[-] Warning no PiDDBCacheTable Found
[-] Failed to ClearPiDDBCacheTable
[<] Unloading vulnerable driver
[+] NtUnloadDriver Status 0x0
[+] Vul driver data destroyed before unlink
This may be due to my Windows version being Windows 11 22449.1000. Can I get a confirmation?
gonna remove this in 2days
Hey do you know why I am getting a STATUS_INSUFFICIENT_RESOURCES when calling NtLoadDriver?
I saw in the closed tickets that someone had the same issue but he didn't post any solution.
Hey,
As you know, setting a custom entry point removes the "crtstartup" < at least in usermode
But here are two things that should work:
1- driver export (would work fine)
2- trace crt startup to get the real main and so skip the check and so the BSOD
This is just theory but I would like to know what you guys think,
I'll maybe write a small test to skip crt startup and make a PR once I get it to work
Thanks :)
Processor: 12th Gen Intel(R) Core(TM) i9-12900K
OS Build: Windows 11 22000.376
Crashing on first step in kdmapper using HelloWorld driver
[<] Loading vulnerable driver, Name: 123456
.. Then BSOD/Crash
Hello
Cannot seem to get this to work at all, no anti-virus running, Windows Defender completely disabled.
[<] Loading vulnerable driver, Name: tZhrseVFgBikCWt
[+] NtLoadDriver Status 0xc000009a
[-] Failed to register and start service for the vulnerable driver
as NTLoadDriver is displaying - STATUS_INSUFFICIENT_RESOURCES
Compiled for Release Mode, x64 - Winver 21H1 19043.110
(Fixed)
Sorry for all the questions but I keep getting weird errors, any clue how to fix "The selected service cannot be started because it is not enabled or no enabled device is associated with it."
If I try to use PsSetCreateProcessNotifyRoutine, it will return 0xc0000022. If I use KsInitialize, it will directly blue screen. Is there any solution? thanks!
When calling
HANDLE iqvw64e_device_handle, unsigned char* data, ULONG64 param1, ULONG64 param2, bool PassAllocationAddressAsFirstParam, NTSTATUS* exitCode
kdmapper::MapDriver(iqvw64e_device_handle, base, 0, 0, true, &exitCode)
How am I able to parse the arguments, aka the base address, correctly inside the driver?
I tried like that:
NTSTATUS DriverEntry(PVOID a1, PVOID KBase)
{
    DbgPrintEx(0, 0, "a1: %p / KBase: %p \n", a1, KBase);
    return STATUS_SUCCESS;
}
although both addresses were 0.
Thanks very much
Hello, I would like to know if it is possible to disable driver enforcement instead of mapping a driver?
Hi, I found that you can map a driver with kdmapper multiple times. How can I check if the driver is already loaded?
Hi, I was planning to use the kdmapper tool, but I'm currently on the Windows 11 Pro official release (Windows 11 21h2 22000.51). Is there any plan to add support for this Windows version any time soon? Thanks.
kdmapper/kdmapper/kdmapper.cpp
Line 146 in 2574777
I think this line is wrong, as I just BSOD all the time until I looked at the code. I think it should be the following:
if (!intel_driver::CallKernelFunction(iqvw64e_device_handle, &status, address_of_entry_point, (mdlMode ? mdlptr : (PassAllocationAddressAsFirstParam ? realBase : param1)), param2)) {
Otherwise mdl mode will BSOD
#include <ntifs.h>
#include <ntddk.h>
extern "C" NTSTATUS DriverEntry(unsigned __int64 a1, unsigned __int64 a2)
{
    DbgPrintEx(0, 0, "yes\n");
    return STATUS_SUCCESS;
}
This is my code
Everything is set by default. What did I do wrong?
in the header
Hello!
Firstly, this is not an issue. I was hoping you might be able to help me / give me some insight as to why I can't load this driver with kdmapper? I'm new to driver programming, so the issue may be obvious.
The driver loads just fine if loaded normally, with test signing enabled through sc.exe
The rest of the details I've mentioned here:
changeofpace/MouClassInputInjection#11
Hello, after my last Windows 11 update kdmapper is not working (no console output). The problem is only on my PC. My friend has tested it.
I have tried my own driver & the helloworld driver.
My system: I7-7700k, Windows 11 21H2 22000.469
Loading helloworld.sys causes a BSOD
Any clue how to fix \device\nal already in use?
Hey,
So everything is working fine but if I try to make a DriverUnload function and register it and then run kdmapper, my PC crashes!
Can someone help me please?
X Patch
KdMapper performs exactly as intended when bcdedit -debug on has been used before rebooting. However, if debug is set to off it doesn't run.
My driver entry starts a thread, which is doing init. The thread routine is like:
void driver_initialize(PVOID pcontext)
{
    PInit_Context p = (PInit_Context)pcontext;
    auto status = STATUS_SUCCESS;
    PDRIVER_OBJECT driver_obj = p->driver_obj;
    PUNICODE_STRING registery_path = p->registery_path;
    DbgPrint("call driver_initialize");
    UNICODE_STRING sym_link, dev_name;
    PDEVICE_OBJECT dev_obj;
    RtlInitUnicodeString(&dev_name, NT_DEVICE_NAME);
    DbgPrint("%08x!!", driver_obj);
    DbgPrint("%08x!!", registery_path);
    status = IoCreateDevice(driver_obj, 0, &dev_name, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &dev_obj);
}
But IoCreateDevice always crashes. When loaded with sc start, it does not crash.
And without IoCreateDevice, it can also be loaded by kdmapper.
So my question is, does kdmapper support drivers with an IoCreateDevice call?
A workable sample driver for kdmapper would be appreciated.
Is there a way to solve the error returned by ObRegisterCallbacks?
Hello, how do I change the kdmapper driver name?
I've been looking throughout several forums and couldn't find any help regarding this issue. I'm new to using this method and I'm pretty much a newb in the scene as well. This was pretty much an already put together set of skills for Apex which I followed the instructions of to get it to run, AV off, ran as Admin but it puts out the following:
C:\Users\Blank\Desktop\Skills>kdmapper driver.sys
[<] Loading vulnerable driver
[-] Failed to get export win32kfull.NtGdiGetCOPPCompatibleOPMInformation
[-] Failed to allocate remote image in kernel
[-] Failed to map driver.sys
[<] Unloading vulnerable driver
I have no clue and spent a day now trying to find a post or anything related to it that could help
When using --mdl with virtualization (in BIOS) + Hyper-V (in Windows) enabled, the system starts to lag
Windows 10 20H2 19042.1052 (not VM)
I am trying to implement this in my project but kdmapper.exe is always being detected as a false malware positive. I know it isn't but that's not what others think, as on VirusTotal it's full of malware.
If someone could link me a driver that would be helpful. (2004)
How do I fix this? I tried everything and the answer Google gave me caused more errors
Use latest kdmapper and load test driver, then get BSOD.
test driver and dump here: https://www.xloli.fun:929/down/xqsFs5dteMp8
password: wxAE4T
The application was unable to start correctly (0xc000007b).
Does anyone know what's wrong?
Every time I try to open the program, I get this error. I have all Visual Basic installed on my computer
Can you tell me what could be going on?
I'm trying to use this injector https://github.com/Rhydon1337/windows-kernel-dll-injector with kdmapper and I got a BSOD:
page fault in nonpaged area. I tried disabling Security checks -GS + setting DriverEntry without luck. What could it be?
If the execution of the driver takes too long (more than a few seconds), the mapper keeps mapping a new image until the first one returns its status!
Calling KeDelayExecutionThread with Interval about -10000000 (1sec) can sometimes replicate the bug.
Note: It does not always happen, i.e. even if the driver is the exact same, it still doesn't always occur.