Pull request overview
This PR adds a --url parameter to kdmapper, enabling users to map a kernel driver directly from a URL without writing a .sys file to disk. It introduces ReadUrlToMemory() using WinHTTP APIs and integrates the URL-based workflow into the command-line argument parsing in main.cpp.
Changes:
- Added `ReadUrlToMemory()` function in `utils.cpp` using WinHTTP to download the driver binary from a URL into memory
- Updated `main.cpp` to parse a `--url` parameter and branch between file-based and URL-based driver loading
- Updated `README.MD` and help text to document the new `--url` parameter
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| kdmapper/utils.cpp | Added ReadUrlToMemory() using WinHTTP APIs with URL parsing, HTTP/HTTPS support, status code validation, and chunked download |
| kdmapper/main.cpp | Added --url parameter parsing, URL validation, and branching logic for URL vs file-based driver loading |
| kdmapper/include/utils.hpp | Declared ReadUrlToMemory() in the kdmUtils namespace |
| README.MD | Documented the new --url parameter |
| return -1; | ||
| } | ||
|
|
||
| driver_url = argv[urlParamIdx + 1]; |
When --url is specified but the URL value is empty (e.g., kdmapper.exe --url ""), driver_url.empty() will be true and driver_path will also be empty (never set in the urlParamIdx > 0 branch). This causes the code to fall through to the file existence check, producing a confusing error message ("File doesn't exist") instead of indicating the URL is invalid. Consider adding a validation for an empty URL value immediately after line 165, similar to how the missing value is checked at line 159.
| driver_url = argv[urlParamIdx + 1]; | |
| driver_url = argv[urlParamIdx + 1]; | |
| if (driver_url.empty()) { | |
| kdmLog(L"[-] Empty value for --url" << std::endl); | |
| help(); | |
| return -1; | |
| } |
| cleanup: | ||
| WinHttpCloseHandle(hRequest); | ||
| WinHttpCloseHandle(hConnect); | ||
| WinHttpCloseHandle(hSession); |
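Review bot: the cleanup label closes hRequest, hConnect and hSession unconditionally, so if control reaches cleanup before one of them was opened (a failure in WinHttpOpen, WinHttpConnect or WinHttpOpenRequest), a NULL handle is passed to WinHttpCloseHandle and the call fails with ERROR_INVALID_HANDLE, which can also clobber the GetLastError() value of the real failure. Initialise the three handles to NULL and guard each close, e.g. `if (hRequest) WinHttpCloseHandle(hRequest);`, keeping the request, connect, session order already used here.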
When the download loop encounters a failure (e.g., WinHttpQueryDataAvailable or WinHttpReadData fails), the function returns false but out_buffer may still contain partial data. While the caller currently checks the return value and doesn't use the buffer on failure, it would be safer to clear out_buffer in the cleanup path when success is false, to avoid accidentally using partial/corrupt data if the calling code changes in the future.
| WinHttpCloseHandle(hSession); | |
| WinHttpCloseHandle(hSession); | |
| if (!success && out_buffer) { | |
| out_buffer->clear(); | |
| } |
| return false; | ||
| } | ||
|
|
||
| const bool useHttps = urlComponents.nScheme == INTERNET_SCHEME_HTTPS; |
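Review bot: deriving useHttps solely from `urlComponents.nScheme == INTERNET_SCHEME_HTTPS` treats every non-HTTPS scheme as plain HTTP, including values WinHttpCrackUrl can return that are neither (for example INTERNET_SCHEME_FTP). Reject anything other than INTERNET_SCHEME_HTTP and INTERNET_SCHEME_HTTPS explicitly before this line, e.g. `if (urlComponents.nScheme != INTERNET_SCHEME_HTTP && urlComponents.nScheme != INTERNET_SCHEME_HTTPS) return false;`, so the scheme check fails closed rather than silently falling back to an unencrypted request.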
This function allows downloading kernel drivers over plaintext HTTP, which is vulnerable to man-in-the-middle attacks where a malicious driver binary could be substituted in transit. Since this tool maps drivers into kernel space with full system privileges, consider either restricting to HTTPS only, or at minimum logging a warning when HTTP (non-HTTPS) is used so the user is aware of the risk.
| const bool useHttps = urlComponents.nScheme == INTERNET_SCHEME_HTTPS; | |
| const bool useHttps = urlComponents.nScheme == INTERNET_SCHEME_HTTPS; | |
| if (!useHttps) { | |
| kdmLog(L"[!] Warning: Downloading driver over insecure HTTP; this is vulnerable to man-in-the-middle attacks." << std::endl); | |
| } |
| --free to automatically unmap the allocated memory | ||
| --indPages to map in allocated independent pages | ||
| --PassAllocationPtr to pass allocation ptr as first param | ||
| --url "<http(s)://...>" to map a driver from URL directly from memory (no .sys file written to disk) |
The new --url "<http(s)://...>" documentation implies that mapping a driver from an http:// URL is supported, but the implementation (kdmUtils::ReadUrlToMemory) actually allows plain HTTP for downloading the kernel driver image. Fetching kernel-mode code over unencrypted HTTP lets a network or DNS attacker tamper with the driver binary in transit and gain arbitrary kernel code execution on systems using --url with http:// endpoints. This feature should be documented and implemented as HTTPS-only (rejecting or strongly warning against http://), so all driver downloads are integrity-protected in transit.
| --url "<http(s)://...>" to map a driver from URL directly from memory (no .sys file written to disk) | |
| --url "<https://...>" to map a driver from an HTTPS URL directly from memory (no .sys file written to disk; plain http:// URLs are not supported for security reasons) |
Reopening a feature from almost a year ago!
This fork brings a new parameter, --url, to map a driver directly from a URL without it being downloaded.