From: http://www.debugman.com/read.php?tid=614
Method 1: replace win32k.sys
On Windows Server 2003, ZwSetSystemInformation no longer loads drivers from user mode; the one exception is that smss.exe is still allowed to load win32k.sys. So we can take advantage of that behaviour:
1. Inject into smss.exe.
2. Enable the SeLoadDriverPrivilege privilege.
3. Rename the original win32k.sys.
4. Copy our driver into \SystemRoot\System32.
5. Load \SystemRoot\System32\win32k.sys from inside smss.exe.
6. Rename \SystemRoot\System32\win32k.sys away again.
7. Rename the original win32k.sys back.
Method 2: exploit a vulnerability in a third-party driver
There should be plenty of such drivers; pick one with a large installed base. For example, a well-known anti-virus product has a local privilege escalation vulnerability... Once you have ring0, load the driver with ZwSetSystemInformation and everything works.
Method 3: infect a driver that starts with the system
This works like a virus infection, but it takes some PE knowledge to regain control after the next reboot. I will not say much about it.
By the way, a driver loaded with ZwSetSystemInformation can also create a Device. The DriverObject pointer passed to DriverEntry when loading through ZwSetSystemInformation is not valid, so it cannot be used to create a Device; however, we can allocate a DriverObject of our own and create the device with that, as shown below:
#include <ntddk.h>

// NT_DEVICE_NAME, CreateClose and DeviceControl are not shown in the post; the
// device name below is assumed, and the two dispatch routines are declared here
// and expected to be defined elsewhere in the driver.
#define NT_DEVICE_NAME L"\\Device\\RkrTest"

DRIVER_DISPATCH CreateClose;
DRIVER_DISPATCH DeviceControl;

NTSTATUS
DriverEntry(
    IN PDRIVER_OBJECT DriverObject,
    IN PUNICODE_STRING RegistryPath
    )
{
    NTSTATUS ntStatus = STATUS_SUCCESS;
    UNICODE_STRING ntUnicodeString;
    UNICODE_STRING ntWin32NameString;
    PDEVICE_OBJECT deviceObject = NULL;

    UNREFERENCED_PARAMETER(RegistryPath);

    // The DriverObject passed in by ZwSetSystemInformation is not usable, so
    // allocate a DRIVER_OBJECT of our own and use that instead
    DriverObject = ExAllocatePoolWithTag(NonPagedPool, sizeof(DRIVER_OBJECT), 'clAS');
    if (DriverObject == NULL)
    {
        return STATUS_INSUFFICIENT_RESOURCES;
    }
    RtlZeroMemory(DriverObject, sizeof(DRIVER_OBJECT));

    RtlInitUnicodeString(&ntUnicodeString, NT_DEVICE_NAME);
    ntStatus = IoCreateDevice(
        DriverObject,
        0,
        &ntUnicodeString,
        0x8800,                  // The device type must be a custom one
        FILE_DEVICE_SECURE_OPEN,
        TRUE,
        &deviceObject);
    if (!NT_SUCCESS(ntStatus))
    {
        DbgPrint("Couldn't create the device object\n");
        return ntStatus;
    }

    // Note: the INITIALIZING flag has to be cleared by hand here, otherwise the
    // device can never be opened.
    ClearFlag(deviceObject->Flags, DO_DEVICE_INITIALIZING);

    DriverObject->MajorFunction[IRP_MJ_CREATE] = CreateClose;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = CreateClose;
    // Note: IRP_MJ_CLEANUP must also get a dispatch routine, otherwise closing
    // the device hangs.
    DriverObject->MajorFunction[IRP_MJ_CLEANUP] = CreateClose;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DeviceControl;

    // Note: the symbolic link must be a Global one, otherwise it disappears
    // when the program exits.
    RtlInitUnicodeString(&ntWin32NameString, L"\\DosDevices\\Global\\RkrTest");
    ntStatus = IoCreateSymbolicLink(&ntWin32NameString, &ntUnicodeString);
    if (!NT_SUCCESS(ntStatus))
    {
        DbgPrint("Couldn't create symbolic link\n");
        IoDeleteDevice(deviceObject);
    }

    return ntStatus;
}
If you like, allocate some extra space and fake the OBJECT_HEADER as well; that stops some software from failing when it scans the DriverObject's object header.
When opening it with CreateFile, give the name as "\\.\Global\SymbolLink".
Any other shameless methods? Let's discuss.