KDU

Kernel Driver Utility

System Requirements

  • x64 Windows 7/8/8.1/10/11;
  • Administrative privilege is required.

Purpose and Features

The purpose of this tool is to provide a simple way to explore the Windows kernel/components without requiring extensive setup or a local debugger. It features:

  • Protected Process Hijacking via Process object modification;
  • Driver Signature Enforcement Overrider (similar to DSEFix);
  • Driver loader for bypassing Driver Signature Enforcement (similar to TDL/Stryker);
  • Support for various vulnerable drivers used as functionality "providers".

Usage

KDU -list
KDU -diag
KDU -prv ProviderID
KDU -ps ProcessID
KDU -pse Commandline
KDU -psw Commandline
KDU -dmp ProcessID
KDU -dse value
KDU -map filename

  • -list - list the currently available providers;
  • -diag - run system diagnostics for troubleshooting;
  • -prv - optional, select the vulnerable driver provider by Id (see Supported Providers below; Id 0 is the default);
  • -ps - modify the process object of the given ProcessID, downgrading any protection it has;
  • -pse - launch a program as ProtectedProcessLight-AntiMalware (PPL);
  • -psw - launch a program as ProtectedProcessLight-WinTcb (PPL);
  • -dmp - dump the virtual memory of the given process;
  • -dse - write a user-defined value to the system DSE state flags (0 disables enforcement; write the original value, normally 6 on Windows 8 and later, back when you are done);
  • -map - map a driver into the kernel and execute its entry point; the following options apply only to -map:
    • -scv version - optional, select the shellcode version, default 1;
    • -drvn name - driver object name (only valid for shellcode version 3);
    • -drvr name - optional, driver registry key name (only valid for shellcode version 3).

Example:

  • kdu -ps 1234
  • kdu -map c:\driverless\mysuperhack.sys
  • kdu -dmp 666
  • kdu -prv 1 -ps 1234
  • kdu -prv 1 -map c:\driverless\mysuperhack.sys
  • kdu -prv 6 -scv 3 -drvn DrvObj -map c:\install\e3600bm.sys
  • kdu -prv 6 -scv 3 -drvn edrv -drvr e3600bl -map c:\install\e3600bl.sys
  • kdu -dse 0
  • kdu -dse 6
  • kdu -pse "C:\Windows\System32\notepad.exe C:\TEMP\words.txt"
  • kdu -psw "C:\Windows\System32\cmd.exe"

Run on Windows 11 24H2*

<img width="1181" height="563" alt="image" src="https://github.com/user-attachments/assets/bbdf6d18-bc74-41e2-a7cf-297e439ec9df" />

Run on Windows 10 20H2*

<img src="https://raw.githubusercontent.com/hfiref0x/kdu/master/Help/kdu1.png" width="600" />

Compiled and run on Windows 8.1*

<img src="https://raw.githubusercontent.com/hfiref0x/kdu/master/Help/kdu2.png" width="600" />

Run on Windows 7 SP1 fully patched (precompiled version)*

<img src="https://raw.githubusercontent.com/hfiref0x/kdu/master/Help/kdu3.png" width="600" />

Run on Windows 10 19H2 (precompiled version, SecureBoot enabled)*

<img src="https://raw.githubusercontent.com/hfiref0x/kdu/master/Help/kdu4.png" width="600" />

All screenshots are from version 1.0X.

Limitations of -map command

The -map command does not go through the standard kernel loader: it overwrites memory belonging to an already loaded module with shellcode and runs the payload from there. That imposes several limitations:

  • Loaded drivers MUST BE specially designed to run as "driverless";

The DriverObject and RegistryPath arguments passed to DriverEntry are not valid and must not be used. Only drivers written for this loader will work; anything else requires changing the shellcode routines.

  • No SEH support for target drivers;

x64 has no frame-based SEH. Exception handling is table-driven: the try/except/finally regions are described by unwind and scope tables that the exception directory in the PE header points to, and the kernel locates those tables by looking the faulting address up in its loaded-module list. A mapped image is not in that list, so an exception raised in it cannot be dispatched and ends in a bugcheck (BSOD).

  • No driver unloading;

Mapped code cannot unload itself. Release every resource your mapped code allocates before it returns, and leave DRIVER_OBJECT->DriverUnload set to NULL.

  • Only ntoskrnl imports are resolved; everything else is up to you;

If your project depends on any other module, you must rewrite that part of the loader.

  • Several Windows primitives are banned by PatchGuard from use by dynamic code.

Because of the unusual loading method, the mapped driver is not in PsLoadedModuleList. Any callback registered by such code therefore has its handler in memory outside every listed module; PatchGuard may detect this and crash the system.

In general, if you want to know what you should not do in kernel, look at https://github.com/hfiref0x/KDU/tree/master/Source/Examples/BadRkDemo which contains a few examples of forbidden things.
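The import limitation above, together with the x64-only requirement, can be checked from the payload file before running -map. The program below is an added example and is not part of KDU: it parses the PE32+ headers of a candidate payload, walks its import descriptor table and reports every module other than ntoskrnl.exe, rejecting images that are not x64 PE32+. The PE structures are declared locally (with the fields the check does not read collapsed into padding) so it builds on any host without the Windows SDK. The image it inspects is a constructed minimal PE assembled in memory by build_sample, not a real driver; count_foreign_imports and build_sample are this example's own names, not KDU routines.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal PE32+ structures (unused fields collapsed into padding), declared locally so this builds without the SDK. */
#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t pad[58]; uint32_t e_lfanew; } dos_hdr_t;                  /* 64 bytes */
typedef struct { uint32_t Signature; uint16_t Machine, NumberOfSections; uint8_t pad[12];
                 uint16_t SizeOfOptionalHeader, Characteristics; } nt_file_hdr_t;                    /* 24 bytes */
typedef struct { uint32_t VirtualAddress, Size; } data_dir_t;
typedef struct { uint16_t Magic; uint8_t pad[106]; uint32_t NumberOfRvaAndSizes; data_dir_t DataDirectory[16]; } opt_hdr64_t;
typedef struct { uint8_t Name[8]; uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData;
                 uint8_t pad[16]; } sect_hdr_t;                                                      /* 40 bytes */
typedef struct { uint32_t OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk; } import_desc_t;
#pragma pack(pop)

#define MACHINE_AMD64 0x8664
#define MAGIC_PE32PLUS 0x20b
#define DIR_IMPORT 1

static int ieq(const char *a, const char *b) {               /* case-insensitive string equality */
    while (*a && tolower((unsigned char)*a) == tolower((unsigned char)*b)) a++, b++;
    return *a == *b;
}

/* RVA -> file offset through the section table; -1 if no section backs the RVA. */
static long rva_to_off(const uint8_t *img, size_t len, uint32_t rva) {
    const dos_hdr_t *dos = (const dos_hdr_t *)img;
    const nt_file_hdr_t *fh = (const nt_file_hdr_t *)(img + dos->e_lfanew);
    size_t sh_off = dos->e_lfanew + sizeof(*fh) + fh->SizeOfOptionalHeader;
    const sect_hdr_t *sh = (const sect_hdr_t *)(img + sh_off);
    for (int i = 0; i < fh->NumberOfSections; i++) {
        if (sh_off + (i + 1) * sizeof(*sh) > len) return -1;
        if (rva < sh[i].VirtualAddress || rva >= sh[i].VirtualAddress + sh[i].SizeOfRawData) continue;
        size_t off = rva - sh[i].VirtualAddress + sh[i].PointerToRawData;
        return off < len ? (long)off : -1;
    }
    return -1;
}

/* Pre-flight check for a driverless payload: returns how many import modules are not ntoskrnl.exe (0 = nothing
 * beyond what the loader resolves), or -1 if the image is not a well-formed PE32+ x64 image. Names go to `bad`. */
int count_foreign_imports(const uint8_t *img, size_t len, char bad[][64], int max_bad) {
    const dos_hdr_t *dos = (const dos_hdr_t *)img;
    if (len < sizeof(*dos) || dos->e_magic != 0x5a4d || (size_t)dos->e_lfanew + 24 + sizeof(opt_hdr64_t) > len) return -1;
    const nt_file_hdr_t *fh = (const nt_file_hdr_t *)(img + dos->e_lfanew);
    const opt_hdr64_t *oh = (const opt_hdr64_t *)(fh + 1);
    if (fh->Signature != 0x4550 || fh->Machine != MACHINE_AMD64 || oh->Magic != MAGIC_PE32PLUS) return -1;
    if (oh->NumberOfRvaAndSizes <= DIR_IMPORT || oh->DataDirectory[DIR_IMPORT].VirtualAddress == 0) return 0;
    int nbad = 0;
    for (long off = rva_to_off(img, len, oh->DataDirectory[DIR_IMPORT].VirtualAddress); off >= 0; off += 20) {
        if ((size_t)off + sizeof(import_desc_t) > len) return -1;
        const import_desc_t *d = (const import_desc_t *)(img + off);
        if (d->Name == 0) return nbad;                          /* all-zero descriptor ends the table */
        long noff = rva_to_off(img, len, d->Name);
        if (noff < 0 || !memchr(img + noff, 0, len - (size_t)noff)) return -1; /* unmapped or unterminated name */
        const char *name = (const char *)(img + noff);
        if (ieq(name, "ntoskrnl.exe")) continue;
        if (nbad < max_bad) { strncpy(bad[nbad], name, 63); bad[nbad][63] = '\0'; }
        nbad++;
    }
    return -1;                                                  /* import directory RVA not backed by a section */
}

/* Constructed sample (not a real driver): a minimal PE32+ image with one section holding an import descriptor
 * table naming `dlls`; only the module-name field is filled in. Returns the image size, or 0 if `buf` is too small. */
size_t build_sample(uint8_t *buf, size_t cap, const char **dlls, int ndlls) {
    const uint32_t nt_off = 0x40, raw_off = 0x200, raw_size = 0x200, sec_rva = 0x1000;
    if (cap < raw_off + raw_size) return 0;
    memset(buf, 0, raw_off + raw_size);
    dos_hdr_t *dos = (dos_hdr_t *)buf;                  nt_file_hdr_t *fh = (nt_file_hdr_t *)(buf + nt_off);
    opt_hdr64_t *oh = (opt_hdr64_t *)(fh + 1);          sect_hdr_t *sh = (sect_hdr_t *)(oh + 1);
    dos->e_magic = 0x5a4d; dos->e_lfanew = nt_off;
    fh->Signature = 0x4550; fh->Machine = MACHINE_AMD64; fh->NumberOfSections = 1; fh->SizeOfOptionalHeader = sizeof(*oh);
    oh->Magic = MAGIC_PE32PLUS; oh->NumberOfRvaAndSizes = 16;
    memcpy(sh->Name, ".idata", 6);
    sh->VirtualAddress = sec_rva; sh->VirtualSize = sh->SizeOfRawData = raw_size; sh->PointerToRawData = raw_off;
    import_desc_t *desc = (import_desc_t *)(buf + raw_off);     /* descriptors first, name strings after them */
    uint32_t cur = (uint32_t)((ndlls + 1) * sizeof(*desc));     /* the extra zeroed descriptor terminates */
    for (int i = 0; i < ndlls; i++) {
        size_t n = strlen(dlls[i]) + 1;
        if (cur + n > raw_size) return 0;
        memcpy(buf + raw_off + cur, dlls[i], n);
        desc[i].Name = sec_rva + cur;
        cur += (uint32_t)n;
    }
    oh->DataDirectory[DIR_IMPORT].VirtualAddress = sec_rva; oh->DataDirectory[DIR_IMPORT].Size = cur;
    return raw_off + raw_size;
}

int main(void) {
    static uint8_t img[0x400]; char names[8][64];
    const char *dlls[] = { "ntoskrnl.exe", "HAL.dll", "FLTMGR.SYS" };   /* constructed import list */
    int k = count_foreign_imports(img, build_sample(img, sizeof img, dlls, 3), names, 8);
    printf("%d foreign import(s)", k);
    for (int i = 0; i < k && i < 8; i++) printf("%s %s", i ? "," : ":", names[i]);
    putchar('\n'); return 0;
}
```

To run it against a real .sys, read the file into a buffer and pass it to count_foreign_imports. A non-zero result means the loader will leave those imports unresolved and the driver will crash the first time it calls one. A zero result is necessary but not sufficient: the other limitations (invalid DriverEntry arguments, no exception dispatch, PatchGuard-monitored callbacks) cannot be checked from the file.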

Kernel traces note

This tool does not change (and will not change in the future) the internal Windows structures MmUnloadedDrivers and PiDDBCacheTable, because:

  • KDU is not designed to circumvent third-party security software or various dubious software (e.g. anti-cheats);
  • these structures may become PatchGuard-protected in the next major Windows 10 update.

You use it at your own risk. Some lazy AV may flag this tool as hacktool/malware.

Supported Providers

Note: provider Id 0 is used by default when -prv is not specified.

| Id | Vendor | Driver | Software package | Version | MSFT blacklist* |
|----|--------|--------|------------------|---------|-----------------|
| 0 | Intel | IQVM64/Nal | Network Adapter Diagnostic Driver | 1.03.0.7 | Cert |
| 1 | MSI | RTCore64 | MSI Afterburner | 4.6.2 build 15658 and below | Page hash |
| 2 | Gigabyte | Gdrv | Gigabyte TOOLS | Undefined | Name |
| 3 | ASUSTeK | ATSZIO64 | ASUSTeK WinFlash utility | Undefined | Name |
| 4 | Patriot | MsIo64 | Patriot Viper RGB utility | 1.0 | Page hash |
| 5 | ASRock | GLCKIO2 | ASRock Polychrome RGB | 1.0.4 | Page hash |
| 6 | G.SKILL | EneIo64 | G.SKILL Trident Z Lighting Control | 1.00.08 | Cert |
| 7 | EVGA | WinRing0x64 | EVGA Precision X1 | 1.0.2.0 | Name |
| 8 | Thermaltake | EneTechIo64 | Thermaltake TOUGHRAM software | 1.0.3 | Page hash |
| 9 | Huawei | PhyMemx64 | Huawei MateBook Manager software | Undefined | Name, Page hash |
| 10 | Realtek | RtkIo64 | Realtek Dash Client Utility | Various | Name |
| 11 | MSI | EneTechIo64 | MSI Dragon Center | Various | |
| 12 | LG | LHA | LG Device Manager | 1.6.0.2 | Name |
| 13 | ASUSTeK | AsIO2 | ASUS GPU Tweak | 2.1.7.1 and below | |
| 14 | PassMark | DirectIo64 | PassMark Performance Test | 10.1 and below | Page hash |
| 15 | GMER | GmerDrv | Gmer "Antirootkit" | 2.2 and below | Name, Page hash, Cert |
| 16 | Dell | DBUtil_2_3 | Dell BIOS Utility | 2.3 and below | Page hash |
| 17 | Benjamin Delpy | Mimidrv | Mimikatz | 2.2 and below | Cert |
| 18 | Wen Jia Liu | KProcessHacker2 | Process Hacker | 2.38 and below | Name |
| 19 | Microsoft | ProcExp152 | Process Explorer | 1.5.2 and below | Name, Cert |
| 20 | Dell | DBUtilDrv2 | Dell BIOS Utility | 2.7 and below | |
| 21 | DarkByte | Dbk64 | Cheat Engine | 7.4 and below | Cert, Name |
| 22 | ASUSTeK | AsIO3 | ASUS GPU TweakII | 2.3.0.3 | |
| 23 | Marvin | Hw | Marvin Hardware Access Driver | 4.9 and below | Name |
| 24 | CODESYS | SysDrv3S | CODESYS SysDrv3S | 3.5.6 and below | Cert |
| 25 | Zemana | amsdk | WatchDog/MalwareFox/Zemana AM | 3.0.0 and below | |
| 26 | HiRes Ent. | inpoutx64 | Various | 1.2.0 and below | |
| 27 | PassMark | DirectIo64 | PassMark OSForensics | Any | |
| 28 | ASRock | AsrDrv106 | Phantom Gaming Tuning | 1.0.6 and below | |
| 29 | Arthur Liberman | ALSysIO64 | Core Temp | 2.0.11 and below | |
| 30 | AMD | AMDRyzenMasterDriver | Multiple software packages | 2.0.0.0 and below | |
| 31 | Hilscher | physmem | Physical Memory Viewer for Windows | 1.0.0.0 | Cert, Name |
| 32 | Lenovo | LDD | Lenovo Diagnostics Driver for Windows 10 and later | 1.0.4.0 and below | Cert, Name |
| 33 | Dell | pcdsrvc_x64 | Dell PC Doctor | | |
