Loading Kernel Driver
Objectives
The purpose of this lab is to explore an alternative and stealthy option of loading/unloading a kernel device driver via undocumented
NTAPIs namely NtLoadDriver and NtUnloadDriver.Loading a Kernel Driver
Till now, we have covered building exploit primitives but we still rely on
3rd party driver loaders like OSR Driver Loader to load our vulnerable and signed driver. Now, this is a luxury that we might not have in our exploitation scenarios ergo we have to learn how to load a device driver ourselves.There are predominantly two ways by which we can load a device driver:
1
1. Service Control Driver Loading
2
2. Nt/ZwLoadDriver Driver Loading
Copied!
Although we will discuss both of them, we will only implement the latter technique due to the reasons mentioned below.
There is also a third undocumented option to load kernel drivers using
NtSetSystemInformation with SYSTEM_LOAD_AND_CALL_IMAGE. However, this method actually limits the capabilities of the driver and is impractical for our purposes ergo we shall not take this into consideration.Service Control Driver Loading
We can load a kernel driver using
Service Control Manager(SCM) either via a built-in tool called sc.exe or using Service Control API.The advantages of using this method are that it is the officially supported/documented mechanism for loading kernel device drivers and it is quite easy to realize in code.
The disadvantages of this method are that it is a very noisy technique that leaves behind large forensic artefacts in the form of service creation, service start/stop, service deletion logs etc.
We can load/unload/query drivers by executing the following commands from an elevated command prompt:
1
sc create <service name> type= kernel bin= <full path to driver>
2
sc start <service name>
3
sc query <service name>
4
sc stop <service name>
Copied!
Note that this method is also utilized by
OSR Driver Loader.NtLoadDriver Driver Loading
There is however a second option to load kernel drivers using an
NTAPI function known as NtLoadDriver.The advantages of using this method are that it is a stealthy alternative to load drivers without leaving behind glaring logs or alerts.
Stealth usually comes at the cost of increased complexity in terms of development and this is no different. When opting for this method, we have to take care of a couple of things manually which wasn't previously required.
The steps required to load a driver using this method are:
- 1.Ensure that the driver
PE/SYSfile is available locally on disk. - 2.Next step is enabling a privilege in the access token that is required to load drivers known as
SeLoadDriverPrivilege/SE_LOAD_DRIVER_NAME. It should be worth noting that this privilege is only available in aHigh-ILprocess token to be enabled in the first place implying non-admin processes shouldn't normally be able to load drivers(which of course makes sense right?) - 3.Our next step is creating a service registry key for the driver which is required for loading drivers via this technique. First, we create a service key at
HKLM\SYSTEM\CurrentControlSet\Services\<driver name>and four subkeys calledImagePath,Type,StartandErrorControlunder it. Then the values of the subkeys are set toDriver Unicode path,1(this is a kernel device driver),3(we want a manual load) and finally0(since we do not load the driver at startup) respectively. - 4.Now, we need to convert the service key path of the driver to
Unicode. This can be achieved usingRtlInitUnicodeStringand is necessary sinceNtLoadDriveris required to be fed theUnicodepath only. - 5.Finally, we can call
NtLoadDriverwith theService Key Unicode pathas the single argument to load the driver. - 6.To unload the driver, the steps remain the same through
1-4but this time we make the call toNtUnloadDriverwith theService Key Unicode pathas the single argument to unload the driver. Cleanup taskings can be performed afterwards as and when necessary.
Service registry key of driver
It should be noted that loading a driver via this technique will trigger
PsSetLoadImageNotifyRoutine callback routines that might be registered by PSP and logging software such as Sysmon etc. Also, remember that the usual CI rules are also applicable while loading a driver using this technique.Code
Now that we are done with the theory, let's implement the functions necessary for loading a kernel driver:
The below piece of code assumes that we already have
SE_LOAD_DRIVER_NAME privilege available and enabled in the process token.Utils.h
1
#define DRIVER_NAME L"MsIo64"
2
​
3
#define DRIVER_PATH L"\\??\\C:\\Windows\\System32\\drivers\\MsIo64.sys"
4
​
5
// Create registry entry for driver
6
// ------------------------------------------------------------------------
7
​
8
BOOL create_driver_reg_entry(LPCWSTR driverName, LPCWSTR driverPath) {
9
// Init some important stuff
10
BOOL ok = FALSE;
11
wchar_t keyPath[MAX_PATH];
12
UNICODE_STRING keyPathU;
13
NTSTATUS status;
14
HANDLE keyHandle = NULL;
15
OBJECT_ATTRIBUTES objectAttributes = { 0 };
16
UNICODE_STRING errorControlU;
17
DWORD errorControlValue = 0; // Do not show warning
18
UNICODE_STRING startU;
19
DWORD startValue = 3; // Load on demand
20
UNICODE_STRING typeU;
21
DWORD typeValue = 1; // Kernel device driver
22
UNICODE_STRING imagePathU;
23
LPCWSTR imagePathValue = driverPath;
24
SIZE_T imagePathSize = ((((DWORD)lstrlenW(imagePathValue) + 1)) * 2);
25
​
26
// Convert driver registry service key to unicode
27
swprintf(keyPath, MAX_PATH, L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\%ls", driverName);
28
RtlInitUnicodeString(&keyPathU, keyPath);
29
​
30
// Create driver registry service key
31
objectAttributes.Length = sizeof(OBJECT_ATTRIBUTES);
32
objectAttributes.ObjectName = &keyPathU;
33
status = NtCreateKey(&keyHandle, KEY_ALL_ACCESS, &objectAttributes, 0, NULL, REG_OPTION_NON_VOLATILE, NULL);
34
if (status != STATUS_SUCCESS) {
35
printf("[-] NtCreateKey error: 0x%X\n", status); // [DBG]
36
goto cleanup;
37
}
38
​
39
// Convert ErrorControl subkey to unicode
40
RtlInitUnicodeString(&errorControlU, L"ErrorControl");
41
​
42
// Set up ErrorControl subkey
43
status = NtSetValueKey(keyHandle, &errorControlU, 0, REG_DWORD, &errorControlValue, sizeof(errorControlValue));
44
if (status != STATUS_SUCCESS) {
45
printf("[-] NtSetValueKey1 error: 0x%X\n", status); // [DBG]
46
goto cleanup;
47
}
48
​
49
// Convert Start subkey to unicode
50
RtlInitUnicodeString(&startU, L"Start");
51
​
52
// Set up Start subkey
53
status = NtSetValueKey(keyHandle, &startU, 0, REG_DWORD, &startValue, sizeof(startValue));
54
if (status != STATUS_SUCCESS) {
55
printf("[-] NtSetValueKey2 error: 0x%X\n", status); // [DBG]
56
goto cleanup;
57
}
58
​
59
// Convert Type subkey to unicode
60
RtlInitUnicodeString(&typeU, L"Type");
61
​
62
// Set up Type subkey
63
status = NtSetValueKey(keyHandle, &typeU, 0, REG_DWORD, &typeValue, sizeof(typeValue));
64
if (status != STATUS_SUCCESS) {
65
printf("[-] NtSetValueKey3 error: 0x%X\n", status); // [DBG]
66
goto cleanup;
67
}
68
​
69
// Convert ImagePath subkey to unicode
70
RtlInitUnicodeString(&imagePathU, L"ImagePath");
71
​
72
// Set up ImagePath subkey
73
status = NtSetValueKey(keyHandle, &imagePathU, 0, REG_EXPAND_SZ, (LPVOID)imagePathValue, imagePathSize);
74
if (status != STATUS_SUCCESS) {
75
printf("[-] NtSetValueKey4 error: 0x%X\n", status); // [DBG]
76
goto cleanup;
77
}
78
​
79
ok = TRUE;
80
​
81
// Cleanup
82
cleanup:
83
if (keyHandle)
84
NtClose(keyHandle);
85
​
86
return ok;
87
}
88
​
89
// To load a driver from disk
90
// Needs SE_LOAD_DRIVER_NAME privilege enabled in process token
91
// Needs driver registry service key to be set
92
// ------------------------------------------------------------------------
93
​
94
BOOL load_driver(LPCWSTR driverName) {
95
// Init some important stuff
96
wchar_t keyPath[MAX_PATH];
97
UNICODE_STRING keyPathU;
98
NTSTATUS status;
99
​
100
// Convert driver registry service key to unicode
101
swprintf(keyPath, MAX_PATH, L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\%ls", driverName);
102
RtlInitUnicodeString(&keyPathU, keyPath);
103
​
104
// Load driver
105
status = NtLoadDriver(&keyPathU);
106
if (status == STATUS_IMAGE_ALREADY_LOADED || status == STATUS_OBJECT_NAME_COLLISION || status != STATUS_SUCCESS) {
107
printf("[-] Driver may already be loaded, please unload it to continue!\n"); // [DBG]
108
printf("[-] NtLoadDriver error: 0x%X\n", status); // [DBG]
109
return FALSE;
110
}
111
​
112
return TRUE;
113
}
114
​
115
// To unload a loaded driver
116
// Needs SE_LOAD_DRIVER_NAME privilege enabled in process token
117
// Needs driver registry service key to be set
118
// ------------------------------------------------------------------------
119
​
120
BOOL unload_driver(LPCWSTR driverName) {
121
// Init some important stuff
122
wchar_t keyPath[MAX_PATH];
123
UNICODE_STRING keyPathU;
124
NTSTATUS status;
125
​
126
// Convert driver registry service key to unicode
127
swprintf(keyPath, MAX_PATH, L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\%ls", driverName);
128
RtlInitUnicodeString(&keyPathU, keyPath);
129
​
130
// Unload driver
131
status = NtUnloadDriver(&keyPathU);
132
if (status != STATUS_SUCCESS) {
133
printf("[-] NtUnloadDriver error: 0x%X\n", status); // [DBG]
134
return FALSE;
135
}
136
​
137
return TRUE;
138
}
Copied!
There's not much to explain in this short code snippet since I have taken the effort to comment on every line so as to prevent any confusions.
And here is the output(+ some
DebugViewfu to verify our code)
Loading kernel driver
Note that this test was conducted with a different test driver that uses
DbgPrint to print debug messages on load/unload which are captured via DebugView. This is of course done for easier verification and demonstration.Links
Credits
- 4.
- 5.
- 6.
Last modified 1yr ago