Reflective-Driver-Loader
Problem loading driver
I have a problem with the driver. In Win 10, if I add a DbgPrint to the driver example I get a BSOD. Also, I want to load the driver from a user address, but I'm not sure if I'm doing it right.
I've tried:
```c
// Open the driver's device from user mode; the NT path \\.\bsideshide has to be
// escaped as "\\\\.\\bsideshide" in a C string literal.
h = CreateFile(TEXT("\\\\.\\bsideshide"), GENERIC_READ | GENERIC_WRITE,
               FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
```
But it is not working.
What is the blue screen you are getting? Do you have a minidump? It's hard to say why you're having those issues. Where did you put the DbgPrint? Was it in the driver entry or in the reflective loader? There are certain points during the loading that cannot be interrupted or need to complete very quickly otherwise patch guard will throw an error.
As for the call to createfile I don't understand what you are trying to do. Can you give me a little more description?
I put the DbgPrint on both, so maybe that was the problem, I will check again.
About the second problem, I'm trying to call the driver from user mode to use it. I added a call handle function to the reflective kernel driver and created a user mode application to send the driver IOCTLs through DeviceIoControl, but I'm not sure how to do this because I cannot find the driver once it is installed.
The createfile is something like this: https://stackoverflow.com/questions/8263380/send-ioctl-to-windows-device-driver-createfile-fails
I'm not sure what parameters the CreateFile call should have to access the driver.
Thanks!
Ah, I understand now. In order to address your driver from userland, you need to register a device object and then create a symbolic link. This article should get you started: https://docs.microsoft.com/en-us/windows-hardware/drivers/ifs/creating-the-control-device-object. Driver Objects and Device Objects are very different objects but often get confused. This article may also help: http://ericasselin.com/userlandkernel-communication-deviceiocontrol-method
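The two halves of that answer, the user-visible path a symbolic link under `\DosDevices\` produces and the `IRP_MJ_DEVICE_CONTROL` handler the user-mode `DeviceIoControl` call ends up in, are modelled below as an added example. This is not code from the Reflective-Driver-Loader project or from either participant; it uses constructed stand-ins for the WDK types so it builds with any C compiler (the real driver includes `<ntddk.h>` and reads these values from the IRP stack location), and the device name `testdrv1` and the IOCTL `IOCTL_TESTDRV_INCREMENT` are assumptions for illustration. The part worth keeping is the length checking: every buffer size in an IOCTL is chosen by user mode, so the handler must validate both lengths before it touches the shared buffer and must reject codes it does not know.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for WDK definitions so this builds anywhere;
 * a real driver gets NTSTATUS and the status codes from <ntddk.h>. */
typedef int32_t NTSTATUS;
#define STATUS_SUCCESS                ((NTSTATUS)0x00000000L)
#define STATUS_INVALID_DEVICE_REQUEST ((NTSTATUS)0xC0000010L)
#define STATUS_BUFFER_TOO_SMALL       ((NTSTATUS)0xC0000023L)

/* CTL_CODE with the same layout the WDK uses: type | access | function | method. */
#define METHOD_BUFFERED      0
#define FILE_ANY_ACCESS      0
#define FILE_DEVICE_UNKNOWN  0x22
#define CTL_CODE(DeviceType, Function, Method, Access) \
    (((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method))

/* Hypothetical IOCTL for the testdrv1 device: the caller sends a 32-bit value
 * and gets it back incremented. Function numbers 0x800 and up are vendor-defined. */
#define IOCTL_TESTDRV_INCREMENT \
    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)

/* Derive the string user mode passes to CreateFile from the kernel symbolic
 * link: "\DosDevices\testdrv1" (equivalently "\??\testdrv1") is opened as
 * "\\.\testdrv1". Returns 0 on success, -1 if the link is not in either prefix. */
int user_path_for_symlink(const char *symlink, char *out, size_t outLen)
{
    const char *prefixes[] = { "\\DosDevices\\", "\\??\\" };
    for (size_t i = 0; i < sizeof prefixes / sizeof prefixes[0]; i++) {
        size_t plen = strlen(prefixes[i]);
        if (strncmp(symlink, prefixes[i], plen) == 0) {
            int n = snprintf(out, outLen, "\\\\.\\%s", symlink + plen);
            return (n < 0 || (size_t)n >= outLen) ? -1 : 0;
        }
    }
    return -1;
}

/* Models the IRP_MJ_DEVICE_CONTROL dispatch for METHOD_BUFFERED. In the real
 * driver, ioctl/inLen/outLen come from
 * IoGetCurrentIrpStackLocation(Irp)->Parameters.DeviceIoControl and the one
 * shared buffer is Irp->AssociatedIrp.SystemBuffer. */
NTSTATUS dispatch_device_control(uint32_t ioctl, void *systemBuffer,
                                 uint32_t inLen, uint32_t outLen,
                                 uint32_t *bytesReturned)
{
    *bytesReturned = 0;
    switch (ioctl) {
    case IOCTL_TESTDRV_INCREMENT: {
        /* Both lengths are attacker-controlled: check them before any access. */
        if (inLen < sizeof(uint32_t) || outLen < sizeof(uint32_t))
            return STATUS_BUFFER_TOO_SMALL;
        uint32_t v;
        memcpy(&v, systemBuffer, sizeof v);   /* input and output share SystemBuffer */
        v += 1;
        memcpy(systemBuffer, &v, sizeof v);
        *bytesReturned = sizeof v;             /* becomes Irp->IoStatus.Information */
        return STATUS_SUCCESS;
    }
    default:
        /* Unknown control codes are refused, never treated as a no-op success. */
        return STATUS_INVALID_DEVICE_REQUEST;
    }
}

int main(void)
{
    char path[64];
    if (user_path_for_symlink("\\DosDevices\\testdrv1", path, sizeof path) == 0)
        printf("CreateFile path: %s\n", path);

    uint32_t value = 41, returned = 0;
    NTSTATUS st = dispatch_device_control(IOCTL_TESTDRV_INCREMENT, &value,
                                          sizeof value, sizeof value, &returned);
    printf("status=0x%08X value=%u bytes=%u\n", (unsigned)st, value, returned);

    /* A too-short output buffer is rejected before the buffer is read. */
    st = dispatch_device_control(IOCTL_TESTDRV_INCREMENT, &value, sizeof value, 1, &returned);
    printf("short buffer: status=0x%08X\n", (unsigned)st);
    return 0;
}
```

On the user-mode side the matching call is `CreateFile(TEXT("\\\\.\\testdrv1"), ...)` followed by `DeviceIoControl(h, IOCTL_TESTDRV_INCREMENT, &in, sizeof in, &out, sizeof out, &returned, NULL)`; the control code value must be built with the same `CTL_CODE` arguments on both sides or the dispatch falls into the default case.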
Hi! Thank you for the help:
I've tried adding this
```c
const WCHAR deviceNameBuffer[]    = L"\\Device\\testdrv1";
const WCHAR deviceSymLinkBuffer[] = L"\\DosDevices\\testdrv1";
PDEVICE_OBJECT g_MyDevice; // Global pointer to our device object

UNICODE_STRING deviceNameUnicodeString, deviceSymLinkUnicodeString;
NTSTATUS status;

// Normalize name and symbolic link.
RtlInitUnicodeString(&deviceNameUnicodeString, deviceNameBuffer);
RtlInitUnicodeString(&deviceSymLinkUnicodeString, deviceSymLinkBuffer);

// Create the device.
status = IoCreateDevice(DriverObject,
                        0,                  // For driver extension
                        &deviceNameUnicodeString,
                        FILE_DEVICE_UNKNOWN,
                        FILE_DEVICE_UNKNOWN,
                        FALSE,
                        &g_MyDevice);
if (!NT_SUCCESS(status))
    return status;          // g_MyDevice is not valid if this failed

// Create the symbolic link so user mode can open \\.\testdrv1.
status = IoCreateSymbolicLink(&deviceSymLinkUnicodeString, &deviceNameUnicodeString);
if (!NT_SUCCESS(status)) {
    IoDeleteDevice(g_MyDevice);
    return status;
}
```
to the code in DriverEntry where you have the line "//TODO: Enter Rootkit code here", and it gives me a BSOD on Win10 with all updates until today.
Not sure if I'm doing it ok.
Everything you are doing looks right. It could be that something has changed in Windows 10 which is breaking it. I'm a bit swamped at the moment, but if I find some free time I'll try to reproduce the problem on the latest build of Windows 10.