Hygieia, a vulnerable-driver trace scanner written in C++ as an x64 Windows kernel driver.

Overview

Hygieia

The Greek goddess of health, her name is the source for the word "hygiene".

Hygieia is a Windows driver that works similarly to pagewalkr (https://github.com/Deputation/pagewalkr), except that it is written in a much more elegant manner.

Most of Hygieia has been ripped out of a bigger private project of mine made to investigate how Windows stores data regarding the drivers that have been unloaded in the system.

PRs are welcome.

How does it work?

Hygieia walks the system's page tables and scans the mapped memory for a known vulnerable driver's timestamp and name (in this case, we're looking for kdmapper's driver).

You can find kdmapper here, to see what I'm talking about: https://github.com/z175/kdmapper

What does it support?

Hygieia has been tested as a test-signed driver on Windows 10 21H1, and is capable of scanning 1 GB large pages, 2 MB large pages, and regular 4 KB pages.
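As an added example (not Hygieia's own code), here is a user-mode C++ model of the walk described above, covering the three page sizes listed: it follows PML4, PDPT, PD and PT entries using the real x64 bit layout (bit 0 present, bit 7 PS/large page, bits 12..51 frame address) and scans each mapped page for a byte pattern. The physical layout, the frame addresses and the name "example.sys" are constructed for the example.

```cpp
// Added example (not Hygieia's code): a user-mode model of the 4-level x64 page-table walk a
// scanner of this kind performs. "Physical memory" is a constructed sparse map of 4 KB frames.
#include <cstdint>
#include <cstring>
#include <map>
#include <string>
#include <vector>
using Frame = std::vector<uint8_t>; using PhysMem = std::map<uint64_t, Frame>;  // frame pa -> bytes
constexpr uint64_t PRESENT = 1ull, LARGE = 1ull << 7, ADDR_MASK = 0x000FFFFFFFFFF000ull;  // P, PS, bits 12..51
constexpr int SHIFT[4] = {39, 30, 21, 12};                // PML4, PDPT, PD, PT index shifts
// Search every backed frame of one mapped page [pa, pa+size) for the byte pattern.
void scan_range(const PhysMem& pm, uint64_t pa, uint64_t va, uint64_t size,
                const std::string& pat, std::vector<uint64_t>& hits) {
    pa &= ~(size - 1);                                    // large pages: drop PAT/reserved bits
    if (va & (1ull << 47)) va |= 0xFFFF000000000000ull;   // canonical kernel-half address
    for (auto it = pm.lower_bound(pa); it != pm.end() && it->first < pa + size; ++it)
        for (size_t off = 0; off + pat.size() <= 4096; ++off)
            if (std::memcmp(it->second.data() + off, pat.data(), pat.size()) == 0)
                hits.push_back(va + (it->first - pa) + off);  // matches spanning frames ignored
}
// Recursive walk: PS set at the PDPT or PD level means a 1 GB or 2 MB page, respectively.
void walk(const PhysMem& pm, uint64_t table, uint64_t va_base, int level,
          const std::string& pat, std::vector<uint64_t>& hits) {
    auto t = pm.find(table);                              // the table frame itself must be backed
    if (t == pm.end()) return;
    for (uint64_t i = 0; i < 512; ++i) {
        uint64_t e; std::memcpy(&e, t->second.data() + i * 8, 8);   // one 8-byte entry
        if (!(e & PRESENT)) continue;
        uint64_t va = va_base | (i << SHIFT[level]);
        if (level == 3 || (level > 0 && (e & LARGE)))
            scan_range(pm, e & ADDR_MASK, va, 1ull << SHIFT[level], pat, hits);
        else walk(pm, e & ADDR_MASK, va, level + 1, pat, hits);
    }
}
std::vector<uint64_t> find_traces(const PhysMem& pm, uint64_t pml4_pa, const std::string& pat) {
    std::vector<uint64_t> hits; walk(pm, pml4_pa, 0, 0, pat, hits); return hits; }
PhysMem build_sample() {   // constructed layout: one 4 KB, one 2 MB and one 1 GB mapping
    PhysMem pm;
    auto poke = [&](uint64_t pa, const void* p, size_t n) {   // write bytes into a frame
        std::memcpy(pm.emplace(pa & ~0xFFFull, Frame(4096, 0)).first->second.data() + (pa & 0xFFF), p, n); };
    auto ent = [&](uint64_t table, int i, uint64_t v) { poke(table + i * 8, &v, 8); };
    ent(0x1000, 0, 0x2000 | PRESENT);                     // PML4[0] -> PDPT at 0x2000
    ent(0x2000, 0, 0x3000 | PRESENT);                     // PDPT[0] -> PD at 0x3000
    ent(0x2000, 1, 0x40000000 | PRESENT | LARGE);         // PDPT[1]: 1 GB page at VA 0x40000000
    ent(0x3000, 0, 0x4000 | PRESENT);                     // PD[0] -> PT at 0x4000
    ent(0x3000, 1, 0x200000 | PRESENT | LARGE);           // PD[1]: 2 MB page at VA 0x200000
    ent(0x4000, 5, 0x9000 | PRESENT);                     // PT[5]: 4 KB page at VA 0x5000
    for (uint64_t pa : {0x9010ull, 0x201020ull, 0x40003040ull}) poke(pa, "example.sys", 11);
    return pm;
}
```

`find_traces(build_sample(), 0x1000, "example.sys")` returns the virtual addresses 0x5010, 0x201020 and 0x40003040, one hit per page size, which is the kind of list Hygieia prints from the debugger.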

What is it for?

Investigating the traces left by vulnerable drivers, in order to better understand how the system stores and processes data relating to unloaded drivers, so that more effective detection methods can be built to find out whether or not such a driver was loaded prior to loading a specific driver, for anti-cheat purposes.

Of course, you can also use it to erase your vulnerable driver's traces to hide yourself, although I do not condone using Hygieia for anything that's not strictly educational.

How to compile it?

Install the Windows SDK and the Windows WDK, then simply build the solution.

How to use it?

In an administrative command prompt (preferably in a VM), simply create a service and start it like so:

sc create hygieia type= kernel binPath= "C:\Path\To\Hygieia.sys"
sc start hygieia

and watch the magic happen in the debugger. Results will be printed there.

Output sample

This is what Hygieia's output looks like after a driver has been mapped using kdmapper.

[Hygieia] Driver started @FFFFF8025EF50000 - 0000000000008000
[Hygieia] Thread started!
[Hygieia] Physical address of page directory: 00000000001AD000
[Hygieia] Virtual address of page directory: FFFF86432190C000 
[Hygieia] Found vulnerable driver timestamp outside Hygieia @FFFFE609A360D9B0
[Hygieia] Found vulnerable driver name outside Hygieia @FFFFF603F64D90C0
[Hygieia] Found vulnerable driver timestamp outside Hygieia @FFFFF603F64D90CC
[Hygieia] Found vulnerable driver name **inside** Hygieia @FFFFF8025EF530C0
[Hygieia] Found vulnerable driver timestamp **inside** Hygieia @FFFFF8025EF530CC
[Hygieia] Total scanned memory: 1795510272.
[Hygieia] Scan completed in 27827 ms.

As you can see, Hygieia is capable of finding several hits inside kernel memory. Investigating those and correctly clearing them (and others that don't show up due to other information being stored other than the timestamp and the driver's name) is up to the reader.

Owner: Deputation. Student with an interest in virtualization (Intel/AMD), reverse engineering, the Windows kernel and its internals. Anti-Cheat Developer @scpslofficial.