hfiref0x / KDU

Kernel Driver Utility
MIT License

[!] Bootstrap code size 0x1875 exceeds limit 0x794, abort #57

Closed caiocinel closed 1 year ago

caiocinel commented 1 year ago
C:\Users\caioc\Desktop>kdu -map driver.sys
[#] Kernel Driver Utility v1.2.8 (build 2212) started, (c)2020 - 2022 KDU Project
[#] Build at Fri Dec  9 01:44:47 2022, header checksum 0x7C8AA
[#] Supported x64 OS : Windows 7 and above
[*] Debug Mode Run
[*] CPU vendor string: AuthenticAMD
[*] Windows version: 10.0 build 22000
[*] SecureBoot is enabled on this machine
[*] WHQL enforcement ENABLED
[+] MSFT Driver block list is disabled
[*] Driver mapping using shellcode version: 1
[+] Input driver file "driver.sys" loaded at 0x00007FF6C77D0000
[+] Drivers database "drv64.dll" loaded at 0x00007FFCEAD50000
[+] Firmware type (FirmwareTypeUefi)
[+] Provider: "CVE-2015-2291", Name "NalDrv"
[+] Extracting vulnerable driver as "C:\Users\caioc\Desktop\NalDrv.sys"
[+] Vulnerable driver "NalDrv" loaded
[+] Driver device "NalDrv" has successfully opened
[+] Executing post-open callback for given provider
[+] Driver device security descriptor set successfully
[+] Victim "PROCEXP152" 1 acquire attempt of 3 (max)
[+] Processing victim "Process Explorer" driver
[+] Extracting victim driver "PROCEXP152" as "C:\Windows\system32\drivers\PROCEXP152.sys"
[+] Victim is accepted, handle 0x00000000000000D4
[+] Reading FILE_OBJECT at 0xFFFFC70BB8C872D0
[+] Reading DEVICE_OBJECT at 0xFFFFC70BB2CBCAF0
[+] Reading DRIVER_OBJECT at 0xFFFFC70BB3DB9BF0
[+] Victim IRP_MJ_DEVICE_CONTROL 0xFFFFF803448E2220
[+] Victim DriverUnload 0xFFFFF803448E3280
[+] Loaded ntoskrnl base 0xFFFFF80111C00000
[+] Ntoskrnl.exe mapped at 0x7FF612180000
[+] Resolving kernel import for input driver
[+] Resolving payload import
[!] Bootstrap code size 0x1875 exceeds limit 0x794, abort
[!] Unexpected shellcode procedure size, abort
[!] Error while building shellcode, abort
[+] Victim released
[+] Vulnerable driver "NalDrv" unloaded
[+] Vulnerable driver file removed
[+] Return value: 0. Bye-bye!

Do you have any idea what could be causing this problem?

hfiref0x commented 1 year ago

The working binary must be built in Release configuration. Yours is debug.