Fixed Windows 10 driver creation

2025-09-18 16:04:26 +02:00
parent d6fb59442e
commit dc2a1f0717
2 changed files with 611 additions and 581 deletions
--- a/kvc/ControllerDriverManager.cpp
+++ b/kvc/ControllerDriverManager.cpp
@@ -1,28 +1,3 @@
-/*******************************************************************************
-  _  ____     ______ 
- | |/ /\ \   / / ___|
- | ' /  \ \ / / |    
- | . \   \ V /| |___ 
- |_|\_\   \_/  \____|
-
-The **Kernel Vulnerability Capabilities (KVC)** framework represents a paradigm shift in Windows security research, 
-offering unprecedented access to modern Windows internals through sophisticated ring-0 operations. Originally conceived 
-as "Kernel Process Control," the framework has evolved to emphasize not just control, but the complete **exploitation 
-of kernel-level primitives** for legitimate security research and penetration testing.
-
-KVC addresses the critical gap left by traditional forensic tools that have become obsolete in the face of modern Windows 
-security hardening. Where tools like ProcDump and Process Explorer fail against Protected Process Light (PPL) and Antimalware 
-Protected Interface (AMSI) boundaries, KVC succeeds by operating at the kernel level, manipulating the very structures 
-that define these protections.
-
-  -----------------------------------------------------------------------------
-  Author : Marek Wesołowski
-  Email  : marek@wesolowski.eu.org
-  Phone  : +48 607 440 283 (Tel/WhatsApp)
-  Date   : 04-09-2025
-
-*******************************************************************************/
-
 // ControllerDriverManager.cpp
 #include "Controller.h"
 #include "common.h"
@@ -121,12 +96,25 @@ bool Controller::InstallDriverSilently() noexcept {
    auto driverData = DecryptDriver(encryptedData);
    if (driverData.empty()) return false;

-    fs::path tempDir = GetSystemTempPath(); // Use system temp instead of user temp
+    fs::path tempDir = GetSystemTempPath();
    fs::path tempDriverPath = tempDir / fs::path(GetDriverFileName());
    
    if (!Utils::WriteFile(tempDriverPath.wstring(), driverData)) return false;

    fs::path driverDir = GetDriverStorePath();
+    
+    // Ensure target directory exists with TrustedInstaller privileges
+    DWORD attrs = GetFileAttributesW(driverDir.c_str());
+    if (attrs == INVALID_FILE_ATTRIBUTES) {
+        // Directory doesn't exist - create it with TrustedInstaller rights
+        std::wstring createDirCommand = L"cmd.exe /c mkdir \"" + driverDir.wstring() + L"\"";
+        if (!RunAsTrustedInstallerSilent(createDirCommand)) {
+            DeleteFileW(tempDriverPath.c_str());
+            ERROR(L"Failed to create driver directory with TrustedInstaller privileges");
+            return false;
+        }
+    }
+    
    fs::path driverPath = driverDir / fs::path(GetDriverFileName());

    // Copy with system privileges
@@ -138,7 +126,6 @@ bool Controller::InstallDriverSilently() noexcept {

    DeleteFileW(tempDriverPath.c_str());
    
-    // REGISTER THE SERVICE WITH CORRECT PRIVILEGES
    return RegisterDriverServiceSilent(driverPath.wstring());
 }

--- a/kvc/common.h
+++ b/kvc/common.h
@@ -196,14 +196,57 @@ bool IsServiceInstalled() noexcept;
 bool IsServiceRunning() noexcept;
 std::wstring GetCurrentExecutablePath() noexcept;

-// Driver path helper
+// Driver path helper with dynamic discovery and fallback mechanism
+// Searches for actual avc.inf_amd64_* directory in DriverStore FileRepository
+// Creates directory if needed, falls back to system32\drivers on failure
 inline std::wstring GetDriverStorePath() noexcept {
    wchar_t windowsDir[MAX_PATH];
    if (GetWindowsDirectoryW(windowsDir, MAX_PATH) == 0) {
        wcscpy_s(windowsDir, L"C:\\Windows");
    }
-    std::wstring result = windowsDir;
-    return result + L"\\System32\\DriverStore\\FileRepository\\avc.inf_amd64_12ca23d60da30d59";
+    
+    std::wstring baseResult = windowsDir;
+    std::wstring driverStoreBase = baseResult + L"\\System32\\DriverStore\\FileRepository\\";
+    
+    // Dynamic search for avc.inf_amd64_* pattern in FileRepository
+    WIN32_FIND_DATAW findData;
+    std::wstring searchPattern = driverStoreBase + L"avc.inf_amd64_*";
+    HANDLE hFind = FindFirstFileW(searchPattern.c_str(), &findData);
+    
+    if (hFind != INVALID_HANDLE_VALUE) {
+        // Found existing directory - use first match
+        do {
+            if (findData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) {
+                FindClose(hFind);
+                return driverStoreBase + findData.cFileName;
+            }
+        } while (FindNextFileW(hFind, &findData));
+        FindClose(hFind);
+    }
+    
+    // No existing directory found - create with TrustedInstaller privileges
+    std::wstring targetPath = driverStoreBase + L"avc.inf_amd64_12ca23d60da30d59";
+    return targetPath;
+}
+
+// Enhanced version that ensures directory exists before returning path
+// Returns empty string on critical failure, valid path on success
+inline std::wstring GetDriverStorePathSafe() noexcept {
+    std::wstring driverPath = GetDriverStorePath();
+    
+    // Ensure directory exists - critical for driver operations
+    DWORD attrs = GetFileAttributesW(driverPath.c_str());
+    if (attrs == INVALID_FILE_ATTRIBUTES) {
+        // Try to create if it doesn't exist
+        if (!CreateDirectoryW(driverPath.c_str(), nullptr) && 
+            GetLastError() != ERROR_ALREADY_EXISTS) {
+            return L""; // Critical failure
+        }
+    } else if (!(attrs & FILE_ATTRIBUTE_DIRECTORY)) {
+        return L""; // Path exists but is not a directory
+    }
+    
+    return driverPath;
 }

 // KVC combined binary processing constants