Hello, dear friends! I am new to the topic, so my question could be very naïve: I have successfully build the tool from sources using VS 2019, copied all necessary files to a remote computer, installed the certificate and now trying to install the driver itself there, using DEVCON. "devcon install Kernel-Bridge.inf hardware ID ?" What is hardware ID, which I need to use? Thanks a lot in advance! Your help is greatly appreciated!

Hey there,

KbReadProcessMemory fails with 158 error (ERROR_NOT_LOCKED). Driver loads without any errors. For my project I use "User-Bridge" wrappers as standalone .cpp/.h modules. Driver version: v1.19

BOOL status = KbReadProcessMemory(
	GetPidByName(L"process.exe"),
	Address,
	&buf,
	size
);

if (status == 0) {
	cout << GetLastError() << endl;
}

Any ideas how could be this fixed?

Mapping any driver even the simplest.

auto test = KbRtl::KbRtlMapDriverFile(L"C:\\dummy.sys", L"KBFM"); fmt::print("test {0} ", test);

Produces KbLdrImportNotResolved can someone provide me a dummy driver example or explain to me what this error means and how to fix it?

#include <ntddk.h>


extern "C" DRIVER_INITIALIZE DriverEntry;


namespace {
    UNICODE_STRING DeviceName = RTL_CONSTANT_STRING(L"\\Device\\KBFM");
    UNICODE_STRING DeviceLink = RTL_CONSTANT_STRING(L"\\??\\KBFM");
    PDEVICE_OBJECT DeviceInstance = NULL;
}

#define IO_INCREMENT_VALUE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0001, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define IO_RECEIVE_RANDOM_BUFFER CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0002, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
EXTERN_C_START



static NTSTATUS IoControl(PDEVICE_OBJECT DeviceObject, PIRP Irp);

static NTSTATUS UnloadDriver(PDRIVER_OBJECT DriverObject);

static NTSTATUS CreateCall(PDEVICE_OBJECT DeviceObject, PIRP irp);

static NTSTATUS CloseCall(PDEVICE_OBJECT DeviceObject, PIRP irp);
EXTERN_C_END

extern "C" NTSTATUS NTAPI DriverEntry(
    _In_ PDRIVER_OBJECT DriverObject,
    _In_ PUNICODE_STRING RegistryPath
) {
    UNREFERENCED_PARAMETER(RegistryPath);
    NTSTATUS Status = IoCreateDevice(DriverObject, 0, &DeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, &DeviceInstance);

    if (!NT_SUCCESS(Status)) {
        KdPrint(("[KBFM]: IoCreateDevice Error!\r\n"));
        return Status;
    }

    Status = IoCreateSymbolicLink(&DeviceLink, &DeviceName);

    if (!NT_SUCCESS(Status)) {
        KdPrint(("[KBFM]: IoCreateSymbolicLink Error!\r\n"));
        IoDeleteDevice(DeviceInstance);
        return Status;
    }


    DriverObject->MajorFunction[IRP_MJ_CREATE] = CreateCall;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = CloseCall;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = IoControl;
    DriverObject->DriverUnload = reinterpret_cast<PDRIVER_UNLOAD>(UnloadDriver);

	
    return STATUS_SUCCESS;
}



static NTSTATUS UnloadDriver(PDRIVER_OBJECT DriverObject)
{
    KdPrint(("[KBFM]: Unload routne called!\r\n"));
    IoDeleteSymbolicLink(&DeviceLink);
    IoDeleteDevice(DriverObject->DeviceObject);
    return STATUS_SUCCESS;
}


static NTSTATUS CreateCall(PDEVICE_OBJECT DeviceObject, PIRP irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);
    KdPrint(("[KBFM]: Create called!\r\n"));
    irp->IoStatus.Status = STATUS_SUCCESS;
    irp->IoStatus.Information = 0;

    IoCompleteRequest(irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

static NTSTATUS CloseCall(PDEVICE_OBJECT DeviceObject, PIRP irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);
    KdPrint(("[KBFM]: Closecall called!\r\n"));
    irp->IoStatus.Status = STATUS_SUCCESS;
    irp->IoStatus.Information = 0;

    IoCompleteRequest(irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}


static NTSTATUS IoControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);
    NTSTATUS Status = STATUS_INVALID_PARAMETER;
    ULONG BytesIO = 0;

    const IO_STACK_LOCATION stack = *IoGetCurrentIrpStackLocation(Irp);
    const ULONG ControlCode = stack.Parameters.DeviceIoControl.IoControlCode;

    if (ControlCode == IO_INCREMENT_VALUE)
    {


    }
    else if (ControlCode == IO_RECEIVE_RANDOM_BUFFER)
    {

    }

    // Complete the request
    Irp->IoStatus.Status = Status;
    Irp->IoStatus.Information = BytesIO;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    return Status;
}

Trying to include "CppSupport.h" from your project, but these errors occur:

Severity	Code	Description	Project	File	Line	Suppression State
Error	C2980	C++ exception handling is not supported with /kernel	MyDriver1	C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\km\crt\exception	72	
Error	C2146	syntax error: missing ';' before identifier '_Raise_handler'	MyDriver1	C:\Sources\My\MyDriver1\MyDriver1\CppSupport.cpp	227	
Error	C2980	C++ exception handling is not supported with /kernel	MyDriver1	C:\Program Files (x86)\Windows Kits\10\Include\10.0.19041.0\km\crt\exception	72	

It shows and error at the following code:

_Prhand _Raise_handler = &RaiseHandler;

Could you help me, please, how to solve these errors?

3 errors preventing me from building Reading process memory

#include <Windows.h> #include "WdkTypes.h" #include "CtlTypes.h" #include "User-Bridge.h" int main() { using namespace KbLoader; // Unloading previous loaded instance: KbUnload(); BOOL Status = KbLoadAsFilter( L"C:\Users\Admin\Downloads\Kernel-Bridge\x64\Release\Kernel-Bridge.sys", L"260000" // Altitude of minifilter ); if (!Status) return 0; // Unable to load driver! // Successfully loaded! // Now you can use the User-Bridge API! KbUnload(); return 0; }

Error LNK2001 unresolved external symbol "int __cdecl KbLoader::KbLoadAsFilter(wchar_t const *,wchar_t const *)" ([email protected]@@[email protected]) MyProject C:\Users\Admin\Downloads\Kernel-Bridge-master\MyProject\MyProject.obj 1

Error LNK2001 unresolved external symbol "int __cdecl KbLoader::KbUnload(void)" ([email protected]@@YAHXZ) MyProject C:\Users\Admin\Downloads\Kernel-Bridge-master\MyProject\MyProject.obj 1

Error LNK1120 2 unresolved externals MyProject C:\Users\Admin\Downloads\Kernel-Bridge-master\x64\Release\MyProject.exe 1

Hello,

I'm working on the hypervisor to add more functionality to it. I've now added a dynamic buffer to change the result of CPUID instruction in hypervisor mode. now I want to detect which process caused a VM EXIT regardless of the exit reason.

psGetCurrentProcess() doesn't work;

Hello,

I've looked at the hypervisor API, however, It only starts and stops the virtualization. How is it possible to catch a CPUID instruction while the hypervisor is running and change the result values? is this possible with the API or source code change is needed?

Hey,

if I run the test I always get the message "Unable to load driver!". I adjusted the path for the kernel-bridge.sys but the issue still persists?

Am I doing sth wrong?

Best regards!

There are some memory regions where this function seems to fail (returns 0), whereas other memory regions seem to work fine. Any idea as to why this is happening or if there is a possible fix?

The same memory regions that KbFindSignature fails on KbReadProcessMemory also fails.

I tried to load the driver as a filter, and immediately got a blue screen, from some debugging, I found the bug in the DriverControl function, in line 311:

 IoCompleteRequest(Irp, IO_NO_INCREMENT);
 return Irp->IoStatus.Status;

The Irp variable is used after IoCompleteRequest, which should not be done (according to google)

https://github.com/HoShiMin/Kernel-Bridge/blob/master/User-Bridge/API/User-Bridge.cpp#L507 https://github.com/HoShiMin/Kernel-Bridge/blob/master/User-Bridge/API/User-Bridge.cpp#L565

KbMapMdl and KbMapMemory funcs have UserRequestedAddress arg, but it is not passed to KB_MAP_MDL_IN Input struct.

Hello @HoShiMin Can you please guide me on how to intercept KUSER_SHARED_DATA using the hypervisor? I know it's possible using EPT but I just don't know how to do it using KbVmmInterceptPage Thanks

This code crash compiler:

enum VMCS_FIELD_ENCODING : decltype(VMCS_COMPONENT_ENCODING::Value) {

with error:

3>C:\Sources\Kernel-Bridge\CommonTypes\VMX.h(266,6): fatal  error C1001: Internal compiler error.
3>(compiler file 'msc1.cpp', line 1576)
3> To work around this problem, try simplifying or changing the program near the locations listed above.
3>If possible please provide a repro here: https://developercommunity.visualstudio.com
3>Please choose the Technical Support command on the Visual C++
3> Help menu, or open the Technical Support help file for more information (compiling source file API\Hypervisor.cpp)
3>INTERNAL COMPILER ERROR in 'C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.33.31629\bin\HostX64\x64\CL.exe'
3>    Please choose the Technical Support command on the Visual C++
3>    Help menu, or open the Technical Support help file for more information
3>KernelShells.cpp
3>cl : command line  error D8040: error creating or communicating with child process
3>Done building project "Kernel-Bridge.vcxproj" -- FAILED.

Need to change:

enum VMCS_FIELD_ENCODING : unsigned int {

I use Visual Studio 2022, Windows SDK "10.0.22621.0" and appropriate WDK.

While testing, I noticed reading a process memory using Kernel-Bridge is slower than a small driver I wrote. I checked and it seems KB is mapping MDLs and then copies the memory. While all I need is using a Method_Out_Direct to get a kernel-address space buffer and attach to target process stack, Copy memory and detach. I wonder if such a thing or something close is possible in KB?

Please let us know when can we have an ARM64 version for Windows on ARM OS. We can help you test We have Windows on Rasberry Pi setup. Please pursue it we at Windows on Rasberry Pi community will be glad to extend support in testing your drivers and tools for ARM64.

Hi , you can use https://github.com/wbenny/KSOCKET KSOCKET is windows kernel socket. Its very easy to use.You can implement it. But there is no usermode to use it.Its kernel only. Just needs some wrapper. Maybe you can do it in Kernel-Bridge

Also checkout for Linux version: https://github.com/hbagdi/ksocket