with dev-c++ create a hello world .sys driver

driver.cpp

--------------

#include <stdio.h>#include "ddk/ntddk.h"__stdcall NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath){ NTSTATUS status = STATUS_DEVICE_CONFIGURATION_ERROR; DbgPrint("enter DriverEntry,I'm Hopy!/n"); DbgPrint("Leave DriverEntry,byb :-) !/n"); return status;}

C:\Documents and Settings\Owner\Desktop\Dev-Cpp>bin\gcc -o drv.sys -s -shared -Wl,--entry,_DriverEntry driver.cpp -nostartfiles -nostdlib -lntoskrnl

using instdrv: E:\drv.sys (install , start)

debug view shows:

enter DriverEntry,I'm Hopy!/n

Leave DriverEntry,byb :-) !/n

now maybe with some C# using SCManager install API we can avoid that instdrv

Found that in China too... Much time as I spend over there I may as well get a passport and visa

INSTDRV.rar

Edited December 27, 201311 yr by JMC31337

theres a few more parts you need, like the registration of the dos device (its name), and various other things, you've barely scratched the surface there (which gets even messier when you do it in x64)

theres a few more parts you need, like the registration of the dos device (its name), and various other things, you've barely scratched the surface there (which gets even messier when you do it in x64)

Exactly... the last time i did a rootkit sys driver i used the MCSFT ddk tools... it was just neat doing this with dev-c++ on the fly...

OSRLoader to properly place the driver into registry and start its service... 

0xB709A000 drv.sys kernel space ...

 

im getting into doing this without touching the registry...

 

NTSTATUS status = STATUS_SUCCESS   would have been better

Edited December 28, 201311 yr by JMC31337

and loading windows driver into KERNEL without using registry:

http://genesisdatabase.wordpress.com/2011/01/27/creating-your-own-driver-loader-in-c-driver-loader-source-code-rootkit/

#include <windows.h> 

#include <stdio.h>

#include <iostream>

using namespace std; 

#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0) 

#define SystemLoadAndCallImage 38 

typedef struct _UNICODE_STRING { 

  USHORT Length; 

  USHORT MaximumLength; 

  PVOID Buffer;

} UNICODE_STRING, *PUNICODE_STRING; 

typedef unsigned long NTSTATUS; 

typedef struct _SYSTEM_LOAD_AND_CALL_IMAGE 

{ 

  UNICODE_STRING ModuleName; 

} SYSTEM_LOAD_AND_CALL_IMAGE, *PSYSTEM_LOAD_AND_CALL_IMAGE; 

typedef DWORD (CALLBACK* ZWSETSYSTEMINFORMATION)(DWORD, PVOID, ULONG);

ZWSETSYSTEMINFORMATION ZwSetSystemInformation;

typedef DWORD (CALLBACK* RTLINITUNICODESTRING)(PUNICODE_STRING,PCWSTR );

RTLINITUNICODESTRING RtlInitUnicodeString;

typedef DWORD (CALLBACK* RTLANSISTRINGTOUNICODESTRING)(PVOID, PVOID,DWORD);

RTLANSISTRINGTOUNICODESTRING RtlAnsiStringToUnicodeString;

int main(int argc, char *argv[])

{ 

   SYSTEM_LOAD_AND_CALL_IMAGE GregsImage;

   WCHAR daPath[] = L"\\??\\C:\\drv.sys";   //SYS DRIVER NAME

   //////////////////////////////////////////////////////////////

   // get DLL entry points

   //////////////////////////////////////////////////////////////

   if(!(RtlInitUnicodeString=(RTLINITUNICODESTRING)GetProcAddress( GetModuleHandle("ntdll.dll"),"RtlInitUnicodeString")))

   {

      cout<<"\n!!";getchar();

      return false;

   }

   if(!(ZwSetSystemInformation=(ZWSETSYSTEMINFORMATION)GetProcAddress(GetModuleHandle("ntdll.dll"),"ZwSetSystemInformation" )))

   {

cout<<"\n!!";getchar();

      return false;

   }

   RtlInitUnicodeString(&(GregsImage.ModuleName),daPath);

   if(!NT_SUCCESS(ZwSetSystemInformation(SystemLoadAndCallImage,&(GregsImage.ModuleName),sizeof(SYSTEM_LOAD_AND_CALL_IMAGE))))

   {

cout<<"\n!!";getchar();  //ERROR

      return false;

   }

   cout<<"\n123";

  getchar();

  return 0;

}

 

MIGBOT rootkit style

0xBF479000 drv.sys

 

Can that driver be removed without needing a reboot?

Edited December 28, 201311 yr by JMC31337

@JMC31337 your post really is just a very tiny tip of THAT iceberg. thx nonetheless..

 

 

there are some good tuts about windows driver programming and also about kernel drivers:

• http://www.codeproject.com/Articles/9504/Driver-Development-Part-1-Introduction-to-Drivers 6parts in total. General driver development
  
• http://www.codeproject.com/Articles/13677/Hooking-the-kernel-directly kernel driver, "messing/manipulating" around with kernel functions
  
• http://msdn.microsoft.com/en-us/library/windows/hardware/jj200334%28v=vs.85%29.aspx get your IDE setup for driver development
  

Edited December 29, 201311 yr by cypher

as always the information you posted is appreciated...

 

but what gets me is: 

If i change 

if(NT_SUCCESS(ZwSetSystemInformation(SystemLoadAndCallImage,&GregsImage.ModuleName),sizeof(SYSTEM_LOAD_AND_CALL_IMAGE))))

{

cout<<"works";

}

it always works for SP 3 with STATUS_SUCCESS .. but it doesnt load in a locked down user account.. though it will say "works"

Edited December 29, 201311 yr by JMC31337

also check out "ADHD - Another Debugger Hiding Driver" source for a full implementation. Source can be found on the webs