changeofpace / MouClassInputInjection

MouClassInputInjection implements a kernel interface for injecting mouse input data packets into the input data stream of HID USB mouse devices.
MIT License

Manual mapping with kdmapper #11

Closed kpolicar closed 3 years ago

kpolicar commented 3 years ago

Hello!

Firstly, this question maybe doesn't fit on your Issues board, so I'll understand if I don't get any feedback. Still, it may also be useful for others interested in using your driver.

I was wondering if you could give me some insight as to why I can't seem to access the driver from MouiiCL. I'm loading the driver using kdmapper; you can check out my MouClassInputInjection fork for the necessary changes that had to be made to load the driver through kdmapper.

KDMapper output (successfully loaded, DriverEntry returned success code):

[<] Loading vulnerable driver
[+] NtLoadDriver Status 0x0
[+] PiDDBLock Ptr fffff8060ab0a17d
[+] PiDDBCacheTable Ptr fffff8060ab0d92b
[+] PiDDBLock Locked
[+] PiDDBCacheTable result -> TimeStamp: 5284eac3
[+] Found Table Entry = FFFFC78E1B44C750
[+] PiDDBCacheTable Cleaned
[+] Image base has been allocated at 0xFFFFE38171BCF000
[+] Skipped 0x1000 bytes of PE Header
[<] Calling DriverEntry 0xFFFFE38171BD6000
[+] DriverEntry returned 0x00000000
[<] Unloading vulnerable driver
[+] MmUnloadedDrivers Cleaned
[+] NtUnloadDriver Status 0x0
[+] Vul driver data destroyed before unlink
[+] success

Before loading the driver, running MouiiCL.exe:

MouiiIoInitialization failed: 2

Error code 2 signals ERROR_FILE_NOT_FOUND.

After loading the driver, running MouiiCL.exe:

MouiiIoInitialization failed: 433

Error code 433 appears to be an undocumented error code (error codes), but from looking around it appears to signal "A device which does not exist was specified." (source)

Any insight would be greatly appreciated.

changeofpace commented 3 years ago

Does KDMapper require the mapped module to be "driverless" (like in TDL)?

If it does then you will need to write an alternate user <-> kernel comms mechanism that does not use ioctls.

If that doesn't apply then verify that the MouClassInputInjection device exists using WinObj.