Tuts 4 You

SYS Driver (Dev-C++)


JMC31337


Posted (edited)

With Dev-C++, create a hello world .sys driver:

driver.cpp

--------------

#include "ddk/ntddk.h"

// extern "C" stops the C++ compiler from mangling the name, so the linker can
// resolve the --entry symbol given on the command line below.
extern "C" NTSTATUS __stdcall DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
    // Returning a failure status from DriverEntry makes the load fail, so the
    // image is unloaded again right after these two messages.
    NTSTATUS status = STATUS_DEVICE_CONFIGURATION_ERROR;
    // "/n" is a literal slash-n rather than a newline, which is why it shows
    // up verbatim in DebugView.
    DbgPrint("enter DriverEntry,I'm Hopy!/n");
    DbgPrint("Leave DriverEntry,byb :-) !/n");
    return status;
}

C:\Documents and Settings\Owner\Desktop\Dev-Cpp>bin\gcc -o drv.sys -s -shared -Wl,--entry,_DriverEntry driver.cpp -nostartfiles -nostdlib -lntoskrnl

using instdrv: E:\drv.sys (install, start)

DebugView shows:

enter DriverEntry,I'm Hopy!/n

Leave DriverEntry,byb :-) !/n

Now, maybe with some C# using the SCManager install API, we can avoid instdrv.

Found that in China too... Much time as I spend over there, I may as well get a passport and visa.

INSTDRV.rar

Edited by JMC31337
Posted

There are a few more parts you need, like the registration of the DOS device (its name), and various other things; you've barely scratched the surface there (which gets even messier when you do it in x64).

Posted (edited)

There are a few more parts you need, like the registration of the DOS device (its name), and various other things; you've barely scratched the surface there (which gets even messier when you do it in x64).

Exactly... the last time I did a rootkit sys driver I used the MCSFT DDK tools... it was just neat doing this with Dev-C++ on the fly...

OSRLoader to properly place the driver into the registry and start its service...

0xB709A000 drv.sys kernel space ...

I'm getting into doing this without touching the registry...

NTSTATUS status = STATUS_SUCCESS would have been better.

Edited by JMC31337
Posted (edited)

And loading a Windows driver into the KERNEL without using the registry:


http://genesisdatabase.wordpress.com/2011/01/27/creating-your-own-driver-loader-in-c-driver-loader-source-code-rootkit/



#include <windows.h>
#include <stdio.h>
#include <iostream>
using namespace std;

// NTSTATUS is a signed 32-bit LONG on Windows. The original typedef'd it as
// unsigned long, which makes the ">= 0" test in NT_SUCCESS always true, so
// every failure returned by ZwSetSystemInformation was reported as success.
typedef LONG NTSTATUS;
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
#define SystemLoadAndCallImage 38   // undocumented SYSTEM_INFORMATION_CLASS value

typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE
{
    UNICODE_STRING ModuleName;
} SYSTEM_LOAD_AND_CALL_IMAGE, *PSYSTEM_LOAD_AND_CALL_IMAGE;

// Native API entry points, resolved from ntdll.dll at run time.
typedef NTSTATUS (CALLBACK* ZWSETSYSTEMINFORMATION)(DWORD, PVOID, ULONG);
ZWSETSYSTEMINFORMATION ZwSetSystemInformation;
typedef VOID (CALLBACK* RTLINITUNICODESTRING)(PUNICODE_STRING, PCWSTR);
RTLINITUNICODESTRING RtlInitUnicodeString;
typedef NTSTATUS (CALLBACK* RTLANSISTRINGTOUNICODESTRING)(PVOID, PVOID, DWORD);
RTLANSISTRINGTOUNICODESTRING RtlAnsiStringToUnicodeString;   // not used below

int main(int argc, char *argv[])
{
    SYSTEM_LOAD_AND_CALL_IMAGE GregsImage;
    WCHAR daPath[] = L"\\??\\C:\\drv.sys"; // SYS DRIVER NAME, as an NT object path
    NTSTATUS status;

    //////////////////////////////////////////////////////////////
    // get DLL entry points
    //////////////////////////////////////////////////////////////
    HMODULE ntdll = GetModuleHandle("ntdll.dll");
    if (!(RtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress(ntdll, "RtlInitUnicodeString")))
    {
        cout << "\n!! RtlInitUnicodeString not found"; getchar();
        return 1;
    }
    if (!(ZwSetSystemInformation = (ZWSETSYSTEMINFORMATION)GetProcAddress(ntdll, "ZwSetSystemInformation")))
    {
        cout << "\n!! ZwSetSystemInformation not found"; getchar();
        return 1;
    }

    RtlInitUnicodeString(&(GregsImage.ModuleName), daPath);
    status = ZwSetSystemInformation(SystemLoadAndCallImage, &(GregsImage.ModuleName), sizeof(SYSTEM_LOAD_AND_CALL_IMAGE));
    if (!NT_SUCCESS(status))
    {
        // With the signed typedef this branch is really taken on failure,
        // e.g. when the caller lacks the privilege needed to load a driver.
        cout << "\n!! ZwSetSystemInformation failed, status 0x" << hex << (unsigned long)status; getchar(); //ERROR
        return 1;
    }
    cout << "\n123";
    getchar();
    return 0;
}

MIGBOT rootkit style


0xBF479000 drv.sys

Can that driver be removed without needing a reboot?


Edited by JMC31337
Posted (edited)

@JMC31337 your post really is just a very tiny tip of THAT iceberg. Thanks nonetheless.

There are some good tuts about Windows driver programming and also about kernel drivers:


Edited by cypher
Posted (edited)

As always, the information you posted is appreciated...

But what gets me is:

If I change

if (NT_SUCCESS(ZwSetSystemInformation(SystemLoadAndCallImage, &GregsImage.ModuleName, sizeof(SYSTEM_LOAD_AND_CALL_IMAGE))))
{
    cout << "works";
}


it always works for SP3 with STATUS_SUCCESS... but it doesn't load in a locked-down user account, though it will say "works".


Edited by JMC31337
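The "it always says works" symptom described above has a concrete cause in the loader code quoted earlier in the thread: with typedef unsigned long NTSTATUS, the NT_SUCCESS macro compares an unsigned value against zero and can never be false. The following is an added example, not code from this thread or from the linked article; it uses fixed-width types so it behaves the same on Windows and Linux, and a constructed list of standard NTSTATUS values to show which failures the posted macro would pass through as successes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed-width types so the demo runs the same on Linux and Windows. Windows'
 * real NTSTATUS is a signed 32-bit LONG; the loader typedef'd it as unsigned,
 * so its NT_SUCCESS() compared an unsigned value against 0 and never failed. */
typedef uint32_t NTSTATUS_AS_POSTED;   /* unsigned: the bug */
typedef int32_t  NTSTATUS_SDK;         /* signed: what the SDK means */

#define NT_SUCCESS_AS_POSTED(s) ((NTSTATUS_AS_POSTED)(s) >= 0)   /* always true */
#define NT_SUCCESS_SDK(s)       ((NTSTATUS_SDK)(s) >= 0)

int check_as_posted(uint32_t status) { return NT_SUCCESS_AS_POSTED(status) ? 1 : 0; }
int check_sdk(uint32_t status)       { return NT_SUCCESS_SDK(status) ? 1 : 0; }

/* Bits 31:30 of an NTSTATUS are its severity. Bit 31 is also the sign bit,
 * which is the only thing the SDK's NT_SUCCESS() looks at: success and
 * informational codes pass, warnings and errors do not. */
const char *severity_name(uint32_t status) {
    static const char *names[] = { "success", "informational", "warning", "error" };
    return names[(status >> 30) & 3u];
}

/* Constructed sample of standard NTSTATUS values a driver loader can get back. */
static const uint32_t SAMPLE_CODES[] = {
    0x00000000u, /* STATUS_SUCCESS */
    0x00000103u, /* STATUS_PENDING */
    0x40000000u, /* STATUS_OBJECT_NAME_EXISTS: informational, still a success */
    0x80000005u, /* STATUS_BUFFER_OVERFLOW: warning, counts as failure */
    0xC0000022u, /* STATUS_ACCESS_DENIED */
    0xC0000061u, /* STATUS_PRIVILEGE_NOT_HELD: e.g. an unprivileged caller */
    0xC000007Bu, /* STATUS_INVALID_IMAGE_FORMAT */
};
#define SAMPLE_COUNT (sizeof SAMPLE_CODES / sizeof SAMPLE_CODES[0])

/* How many of the codes the posted macro would have reported as "works". */
size_t count_false_successes(const uint32_t *codes, size_t n) {
    size_t wrong = 0;
    for (size_t i = 0; i < n; i++)
        if (check_as_posted(codes[i]) && !check_sdk(codes[i])) wrong++;
    return wrong;
}

int main(void) {
    printf("%-10s %-13s %-8s %s\n", "status", "severity", "posted", "sdk");
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        printf("0x%08X %-13s %-8s %s\n", SAMPLE_CODES[i], severity_name(SAMPLE_CODES[i]),
               check_as_posted(SAMPLE_CODES[i]) ? "ok" : "fail", check_sdk(SAMPLE_CODES[i]) ? "ok" : "fail");
    printf("false successes with the posted typedef: %zu of %zu\n",
           count_false_successes(SAMPLE_CODES, SAMPLE_COUNT), (size_t)SAMPLE_COUNT);
    return 0;
}
```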
Posted

Also check out the "ADHD - Another Debugger Hiding Driver" source for a full implementation. The source can be found on the webs.

