
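/*
 * KDSubmarine v 1.0 is a PoC on KdSystemDebugControl based on ivanlef0u PoC
 *
 * Author:  Giuseppe 'Evilcry' Bonfa'
 * E-Mail:  evilcry @ gmail . com
 * Website: http://www.evilcodecave.blogspot.com
 *          http://www.evilcry.netsons.org
 *
 * Flow (see main): enable SeDebugPrivilege, verify the machine was booted
 * with the DEBUG start option, start the local kernel debugger service,
 * open its device and hand it to KernelSubmarine(). KLDBG, SYSDBG_VIRTUAL,
 * SysDbgReadVirtual, IOCTL, DBGSERVICE and DGBDEV are not defined in this
 * file; they are expected to come from kdsupport.h (not shown here).
 */
#define WIN32_LEAN_AND_MEAN
#define _WIN32_WINNT 0x600
#include <windows.h>
#include <winioctl.h>
#include <shlwapi.h>
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include "kdsupport.h"

#pragma comment(lib,"advapi32.lib")
#pragma comment(lib,"shlwapi.lib")

/*
 * Print `amount` bytes of `data` to stdout as a classic hex dump:
 * 16 bytes per row, an extra blank after the 8th byte, then "| " and the
 * printable ASCII rendering of the row (non-printable bytes shown as '.').
 * A short final row is padded so the ASCII column stays aligned.
 *
 * data:   bytes to display (read only)
 * amount: number of bytes; 0 prints nothing
 */
void hexdump(const unsigned char *data, unsigned int amount)
{
    for (unsigned int row = 0; row < amount; row += 16) {
        unsigned int remaining = amount - row;
        unsigned int n = remaining < 16 ? remaining : 16;

        for (unsigned int i = 0; i < 16; i++) {
            if (i < n)
                printf("%02x ", data[row + i]);
            else
                fputs("   ", stdout);   /* pad a short last row */
            if (i == 7)
                putchar(' ');           /* visual gap between the two halves */
        }
        fputs("| ", stdout);
        for (unsigned int i = 0; i < n; i++) {
            unsigned char c = data[row + i];
            /* isprint() on an unsigned char is well defined; in the C locale
             * it accepts exactly 0x20..0x7E, matching the old lookup table */
            putchar(isprint(c) ? c : '.');
        }
        putchar('\n');
    }
}

/*
 * Write `Len` bytes from `pBuff` to kdump.bin in the current directory,
 * replacing any existing file. Outcome is reported on stdout only; the
 * function has no return value.
 *
 * pBuff: bytes to write (caller keeps ownership)
 * Len:   number of bytes
 */
void KDumper(PUCHAR pBuff, ULONG Len)
{
    DWORD numberOfBytesWritten = 0;
    BOOL ok;
    HANDLE hFile = CreateFileA("kdump.bin", GENERIC_WRITE, 0, NULL,
                               CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);

    if (hFile == INVALID_HANDLE_VALUE) {
        printf("Unable to create kdump.bin\n");
        return;
    }

    /* WriteFile returns non-zero on success; the previous version tested
     * the inverse, so it reported failure on success and vice versa. A
     * short write also counts as failure. */
    ok = WriteFile(hFile, pBuff, Len, &numberOfBytesWritten, NULL)
         && numberOfBytesWritten == Len;

    /* CloseHandle flushes the file; a failure here means the data on disk
     * may be incomplete, so it is folded into the result. */
    if (!CloseHandle(hFile))
        ok = FALSE;

    if (ok)
        printf("kdump.bin correctly written\n");
    else
        printf("Unable to Write kdump.bin\n");
}

/*
 * Interactively read one range of kernel virtual memory through the
 * SysDbgReadVirtual command of the debug device, then either hex-dump it
 * to stdout or save it to kdump.bin via KDumper().
 *
 * hDevice: open handle to the local kernel debugger device.
 *
 * Input is taken from stdin with scanf_s; a value that does not parse, or a
 * zero length, aborts the operation instead of continuing with garbage.
 */
void KernelDumper(HANDLE hDevice) //Kernel Dump
{
    KLDBG kldbg;
    SYSDBG_VIRTUAL Virtual;
    int userInput = 0;
    ULONG address = 0;   /* 32-bit: a wider address typed by the user is truncated */
    ULONG Len = 0;
    PUCHAR pBuff;
    DWORD BytesReturned = 0;

    printf("Insert Address that you want to Dump: ");
    if (scanf_s("%x", &address) != 1) {
        printf("\nInvalid address\n");
        return;
    }

    printf("\nInsert length: ");
    if (scanf_s("%x", &Len) != 1 || Len == 0) {
        printf("\nInvalid length\n");
        return;
    }

    pBuff = (PUCHAR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, Len);
    if (pBuff == NULL) {
        /* previously dereferenced unchecked */
        printf("Unable to allocate %lu bytes\n", (unsigned long)Len);
        return;
    }

    kldbg.DbgCommand = &Virtual;
    kldbg.DbgCommandClass = SysDbgReadVirtual;
    kldbg.DbgCommandLen = sizeof(Virtual);

    Virtual.Address = (PVOID)(ULONG_PTR)address;   /* zero-extend explicitly */
    Virtual.Buffer = pBuff;
    Virtual.Request = Len;

    if (DeviceIoControl(hDevice, IOCTL, &kldbg, sizeof(kldbg), &Virtual,
                        sizeof(Virtual), &BytesReturned, NULL) == 0) {
        printf("Unable to communicate with the driver\n");
        HeapFree(GetProcessHeap(), 0, pBuff);   /* was leaked on this path */
        return;
    }

    printf("Do you want to Dump Kernel Memory? (1)Yes - (0)No: ");
    if (scanf_s("%d", &userInput) != 1)
        userInput = 0;   /* unparsable answer: fall back to the on-screen dump */

    if (userInput == 0)
        hexdump(pBuff, Len);
    else
        KDumper(pBuff, Len);

    /* flags 0: the process heap is shared, so serialisation must stay on */
    HeapFree(GetProcessHeap(), 0, pBuff);
}

/*
 * Enable SeDebugPrivilege on the current process token.
 *
 * Returns TRUE only when the privilege is actually enabled. Note that
 * AdjustTokenPrivileges returns success even when the token does not hold
 * the privilege at all; that case is reported solely through
 * GetLastError() == ERROR_NOT_ALL_ASSIGNED and is treated as failure here.
 */
BOOL GainPrivileges(void)
{
    HANDLE hToken = NULL;
    LUID luid;
    TOKEN_PRIVILEGES tokenPrivileges;
    BOOL privGain;

    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return FALSE;   /* hToken is untouched on failure; do not close it */

    privGain = LookupPrivilegeValueA(NULL, "SeDebugPrivilege", &luid);
    if (privGain) {
        tokenPrivileges.PrivilegeCount = 1;
        tokenPrivileges.Privileges[0].Luid = luid;
        tokenPrivileges.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

        privGain = AdjustTokenPrivileges(hToken, FALSE, &tokenPrivileges,
                                         sizeof(tokenPrivileges), NULL, NULL);
        if (privGain && GetLastError() == ERROR_NOT_ALL_ASSIGNED)
            privGain = FALSE;
    }

    CloseHandle(hToken);
    return privGain;
}

/*
 * Check whether the running system was booted with the DEBUG start option
 * by inspecting HKLM\System\CurrentControlSet\Control\SystemStartOptions.
 *
 * Returns 1 when "DEBUG" (case-insensitive) appears in the start options,
 * 0 otherwise or when the value cannot be read (a message is printed in
 * that case).
 */
DWORD CheckDebugBoot(void)
{
    HKEY hKey;
    CHAR BootOptions[1024] = {0};
    DWORD Len = sizeof(BootOptions) - sizeof(CHAR);
    DWORD result = 0;
    LSTATUS status;

    status = RegOpenKeyExA(HKEY_LOCAL_MACHINE,
                           "System\\CurrentControlSet\\Control",
                           0, KEY_QUERY_VALUE, &hKey);
    if (status != ERROR_SUCCESS) {
        printf(" Can't Verify if System is in Debug Mode\n");
        return 0;
    }

    /* RRF_RT_REG_SZ makes RegGetValue NUL-terminate the result */
    status = RegGetValueA(hKey, NULL, "SystemStartOptions", RRF_RT_REG_SZ,
                          NULL, BootOptions, &Len);
    if (status != ERROR_SUCCESS)
        printf(" Can't Verify if System is in Debug Mode\n");
    else if (StrStrIA(BootOptions, "DEBUG") != NULL)
        result = 1;

    RegCloseKey(hKey);   /* was leaked when RegGetValue failed */
    return result;
}

/*
 * Start the named service, tolerating the "already running" case.
 *
 * Service: service name as accepted by OpenService.
 *
 * Returns 1 when the service is running after the call, 0 on any failure
 * (a message naming the failed step is printed). The SCM is opened with
 * SC_MANAGER_CONNECT only, which is all OpenService needs.
 */
DWORD StartSCService(LPCTSTR Service)
{
    SC_HANDLE hSCManager;
    SC_HANDLE hSCService;
    DWORD result = 0;

    hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CONNECT);
    if (hSCManager == NULL) {
        printf("Unable to open Service Control Manager\n");
        return 0;
    }

    hSCService = OpenService(hSCManager, Service, SERVICE_START);
    if (hSCService == NULL) {
        printf("Unable to open service\n");
        CloseServiceHandle(hSCManager);
        return 0;
    }

    /* A failed StartService is fine when the service is already up; any
     * other error is a real failure (the old message said the opposite). */
    if (StartService(hSCService, 0, NULL)
        || GetLastError() == ERROR_SERVICE_ALREADY_RUNNING)
        result = 1;
    else
        printf("Unable to start service\n");

    CloseServiceHandle(hSCService);
    CloseServiceHandle(hSCManager);
    return result;
}

/*
 * Dispatcher for the operations available on the debug device; currently
 * only the interactive memory dump.
 *
 * hDevice: open handle to the local kernel debugger device.
 */
void KernelSubmarine(HANDLE hDevice) // Will be used to collect various other functions in future
{
    KernelDumper(hDevice);
}

/*
 * Entry point: print the banner, satisfy the three preconditions
 * (privilege, debug boot, debugger service), open the device, run
 * KernelSubmarine() and wait for a key before exiting.
 *
 * Returns EXIT_SUCCESS on completion and EXIT_FAILURE when a precondition
 * is not met, so a caller can tell the two apart (the old code exited 0
 * in every case).
 */
int main(void)
{
    HANDLE hDevice;

    printf("+------------------------------------------------------+\n");
    printf("+---KDSubmarine by Giuseppe 'Evilcry' Bonfa 2010-------+\n");
    printf("+------------------------------------------------------+\n");

    if (!GainPrivileges()) {
        printf("Can't Enable Privileges\n");
        return EXIT_FAILURE;
    }

    if (CheckDebugBoot() == 0) {
        printf(" System need to be Booted in Debug Mode\n");
        return EXIT_FAILURE;
    }

    if (StartSCService(DBGSERVICE) == 0) {
        /* StartSCService already named the failed step */
        printf("Unable to start the Kernel Local Debugger service\n");
        return EXIT_FAILURE;
    }

    hDevice = CreateFileA(DGBDEV, GENERIC_READ | GENERIC_WRITE,
                          FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                          OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("Unable to open Kernel Local Drive Debugger\n");
        return EXIT_FAILURE;
    }

    printf("Kernel Local Drive Debugger correctly loaded!\n");
    KernelSubmarine(hDevice);
    CloseHandle(hDevice);

    getchar();
    return EXIT_SUCCESS;
}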