JMC31337 Posted December 27, 2013 (edited)

with dev-c++ create a hello world .sys driver

driver.cpp
--------------
#include <stdio.h>
#include "ddk/ntddk.h"

// extern "C" stops g++ from C++-mangling the entry point's name (otherwise ld cannot resolve
// the --entry symbol given on the command line and falls back to a default entry address)
extern "C" NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
    // Returning an error status makes the kernel unload the driver right after DriverEntry;
    // STATUS_SUCCESS would keep it loaded
    NTSTATUS status = STATUS_DEVICE_CONFIGURATION_ERROR;
    // The post as written had "/n" instead of "\n", which is why the DebugView output below shows a literal /n
    DbgPrint("enter DriverEntry,I'm Hopy!\n");
    DbgPrint("Leave DriverEntry,byb :-) !\n");
    return status;
}

C:\Documents and Settings\Owner\Desktop\Dev-Cpp>bin\gcc -o drv.sys -s -shared -Wl,--entry,_DriverEntry driver.cpp -nostartfiles -nostdlib -lntoskrnl

using instdrv: E:\drv.sys (install, start)

debug view shows:
enter DriverEntry,I'm Hopy!/n
Leave DriverEntry,byb :-) !/n

now maybe with some C# using the SCManager install API we can avoid that instdrv

Found that in China too... Much time as I spend over there I may as well get a passport and visa

INSTDRV.rar
Edited December 27, 2013 by JMC31337
evlncrn8 Posted December 27, 2013

There are a few more parts you need, like the registration of the DOS device (its name), and various other things; you've barely scratched the surface there (which gets even messier when you do it in x64).
JMC31337 (Author) Posted December 28, 2013 (edited)

> There are a few more parts you need, like the registration of the DOS device (its name), and various other things; you've barely scratched the surface there (which gets even messier when you do it in x64).

Exactly... the last time I did a rootkit sys driver I used the MSFT DDK tools... it was just neat doing this with dev-c++ on the fly...

OSRLoader to properly place the driver into the registry and start its service...

0xB709A000 drv.sys kernel space ...

I'm getting into doing this without touching the registry...

NTSTATUS status = STATUS_SUCCESS would have been better
Edited December 28, 2013 by JMC31337
JMC31337 (Author) Posted December 28, 2013 (edited)

and loading a windows driver into the KERNEL without using the registry:
http://genesisdatabase.wordpress.com/2011/01/27/creating-your-own-driver-loader-in-c-driver-loader-source-code-rootkit/

#include <windows.h>
#include <stdio.h>
#include <iostream>
using namespace std;

// NTSTATUS must be signed: with the original "unsigned long" typedef NT_SUCCESS() is always true,
// so the loader reports success even when ZwSetSystemInformation fails
typedef LONG NTSTATUS;
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define SystemLoadAndCallImage 38   // undocumented SYSTEM_INFORMATION_CLASS value used by the XP-era loader

typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PVOID  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE {
    UNICODE_STRING ModuleName;
} SYSTEM_LOAD_AND_CALL_IMAGE, *PSYSTEM_LOAD_AND_CALL_IMAGE;

typedef NTSTATUS (CALLBACK* ZWSETSYSTEMINFORMATION)(DWORD, PVOID, ULONG);
ZWSETSYSTEMINFORMATION ZwSetSystemInformation;
typedef VOID (CALLBACK* RTLINITUNICODESTRING)(PUNICODE_STRING, PCWSTR);
RTLINITUNICODESTRING RtlInitUnicodeString;

int main(int argc, char *argv[])
{
    SYSTEM_LOAD_AND_CALL_IMAGE GregsImage;
    WCHAR daPath[] = L"\\??\\C:\\drv.sys"; // SYS DRIVER NAME (NT object-manager path, not a plain Win32 path)

    //////////////////////////////////////////////////////////////
    // get DLL entry points
    //////////////////////////////////////////////////////////////
    if (!(RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress(GetModuleHandleA("ntdll.dll"), "RtlInitUnicodeString"))) {
        cout << "\n!!"; getchar();
        return 1;
    }
    if (!(ZwSetSystemInformation = (ZWSETSYSTEMINFORMATION)GetProcAddress(GetModuleHandleA("ntdll.dll"), "ZwSetSystemInformation"))) {
        cout << "\n!!"; getchar();
        return 1;
    }

    RtlInitUnicodeString(&(GregsImage.ModuleName), daPath);
    // This call needs SeLoadDriverPrivilege; keep the real status so a failure is visible
    NTSTATUS st = ZwSetSystemInformation(SystemLoadAndCallImage, &GregsImage, sizeof(SYSTEM_LOAD_AND_CALL_IMAGE));
    if (!NT_SUCCESS(st)) {
        cout << "\n!! ZwSetSystemInformation returned 0x" << hex << (ULONG)st; getchar(); // ERROR
        return 1;
    }
    cout << "\n123";
    getchar();
    return 0;
}

MIGBOT rootkit style
0xBF479000 drv.sys

Can that driver be removed without needing a reboot?
Edited December 28, 2013 by JMC31337
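Two questions in the posts above (replacing instdrv/OSRLoader with the SCManager API, and unloading without a reboot) can both be answered with the documented service-control calls; the C# loader below is an added example written for this thread, not code from the posts or the linked article, and the service name drv and path C:\drv.sys are assumptions.

```csharp
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;
// Hypothetical SCM loader for the drv.sys hello-world; written for this thread, not the poster's code.
static class DrvService
{
    const uint SC_MANAGER_ALL_ACCESS = 0xF003F, SERVICE_ALL_ACCESS = 0xF01FF, SERVICE_CONTROL_STOP = 1;
    const uint SERVICE_KERNEL_DRIVER = 1, SERVICE_DEMAND_START = 3, SERVICE_ERROR_NORMAL = 1;
    [StructLayout(LayoutKind.Sequential)]
    struct SERVICE_STATUS { public uint dwServiceType, dwCurrentState, dwControlsAccepted,
        dwWin32ExitCode, dwServiceSpecificExitCode, dwCheckPoint, dwWaitHint; }
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern IntPtr OpenSCManager(string machine, string database, uint access);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern IntPtr CreateService(IntPtr scm, string name, string display, uint access,
        uint type, uint start, uint errCtl, string binPath, string group, IntPtr tag,
        string deps, string account, string password);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern IntPtr OpenService(IntPtr scm, string name, uint access);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool StartService(IntPtr svc, uint argc, string[] argv);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool ControlService(IntPtr svc, uint control, ref SERVICE_STATUS status);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool DeleteService(IntPtr svc);
    [DllImport("advapi32.dll", SetLastError = true)] static extern bool CloseServiceHandle(IntPtr h);

    // Usage (elevated prompt): DrvService.exe install|start|stop|remove   -- service name and path are assumptions
    static void Main(string[] args)
    {
        string name = "drv", binPath = @"C:\drv.sys", cmd = args.Length > 0 ? args[0] : "";
        IntPtr scm = OpenSCManager(null, null, SC_MANAGER_ALL_ACCESS);
        if (scm == IntPtr.Zero) throw new Win32Exception();
        // install: CreateService writes HKLM\SYSTEM\CurrentControlSet\Services\drv (Type=1, kernel driver)
        IntPtr svc = cmd == "install"
            ? CreateService(scm, name, name, SERVICE_ALL_ACCESS, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START,
                            SERVICE_ERROR_NORMAL, binPath, null, IntPtr.Zero, null, null, null)
            : OpenService(scm, name, SERVICE_ALL_ACCESS);
        if (svc == IntPtr.Zero) { CloseServiceHandle(scm); throw new Win32Exception(); }
        bool ok = true; var st = new SERVICE_STATUS();
        if (cmd == "start") ok = StartService(svc, 0, null);                           // runs DriverEntry; watch DebugView
        else if (cmd == "stop") ok = ControlService(svc, SERVICE_CONTROL_STOP, ref st); // needs a DriverUnload routine
        else if (cmd == "remove") ok = DeleteService(svc);                             // stopped driver is gone, no reboot
        int err = ok ? 0 : Marshal.GetLastWin32Error();   // capture before CloseServiceHandle overwrites it
        CloseServiceHandle(svc); CloseServiceHandle(scm);
        if (err != 0) throw new Win32Exception(err);
        Console.WriteLine(cmd + ": ok");
    }
}
```

Stop only succeeds when DriverEntry set pDriverObject->DriverUnload, which the hello-world above does not (and since it returns an error status the kernel discards it right after DriverEntry anyway). Unlike the ZwSetSystemInformation route, this path leaves a Services registry entry that an administrator can audit.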
cypher Posted December 29, 2013 (edited)

@JMC31337 your post really is just a very tiny tip of THAT iceberg. Thanks nonetheless..

There are some good tuts about windows driver programming and also about kernel drivers:

http://www.codeproject.com/Articles/9504/Driver-Development-Part-1-Introduction-to-Drivers (6 parts in total) - general driver development

http://www.codeproject.com/Articles/13677/Hooking-the-kernel-directly - kernel driver, "messing/manipulating" around with kernel functions

http://msdn.microsoft.com/en-us/library/windows/hardware/jj200334%28v=vs.85%29.aspx - get your IDE set up for driver development
Edited December 29, 2013 by cypher
JMC31337 (Author) Posted December 29, 2013 (edited)

As always the information you posted is appreciated... but what gets me is: if I change it to

if (NT_SUCCESS(ZwSetSystemInformation(SystemLoadAndCallImage, &GregsImage.ModuleName, sizeof(SYSTEM_LOAD_AND_CALL_IMAGE)))) { cout << "works"; }

it always works for SP3 with STATUS_SUCCESS.. but it doesn't load in a locked down user account.. though it will say "works"
Edited December 29, 2013 by JMC31337
cypher Posted December 29, 2013

Also check out "ADHD - Another Debugger Hiding Driver" source for a full implementation. Source can be found on the webs.