
Corrupts C++ kernel drivers

Open ByteWhite1x1 opened this issue 2 years ago • 6 comments

Hi.

I tried to obfuscate my C++ kernel driver with "DRV_OBJECT". Added one random function to be obfuscated to the list (Release build) and the result is always 0xC000007B STATUS_INVALID_IMAGE_FORMAT when I try to load the driver normally.

I got this working for a "C" driver (Debug build) when I did not obfuscate the entry point. And if I remember correctly, only "Mutate" was working. I ended up wasting several hours of my time while I tried to figure out the cause.

ByteWhite1x1 avatar Mar 06 '23 01:03 ByteWhite1x1

Please provide an executable image that causes this behavior to occur. Be sure to include the original and transformed executable images.

Iizerd avatar Mar 07 '23 04:03 Iizerd

Hi,

unfortunately I wasn't able to replicate this issue.

Test setup: Win 10 VM (22H2) with Test Signing Enabled.

Driver got compiled as unsigned and protected with Alcatraz. I was able to load it with the Windows service manager.

weak1337 avatar Mar 08 '23 19:03 weak1337

Thanks for taking the time to try to reproduce the issue.

If I load the obfuscated driver from managed C# code as shown below, the result is 0xC000007B STATUS_INVALID_IMAGE_FORMAT.

The code below works for every driver that is not obfuscated with Alcatraz.

```csharp
using Microsoft.Win32;
using System.Runtime.InteropServices;

// Declared inside the Native class next to the other ntdll wrappers
// (RtlAdjustPrivilege, RtlInitUnicodeString, UNICODE_STRING, NTSTATUS).
[DllImport("ntdll.dll", SetLastError = true)]
public static extern NTSTATUS NtLoadDriver(ref UNICODE_STRING driverServiceName);

private static string mySvcName;

public static Native.NTSTATUS LoadDriver(string svcName, string drvPath)
{
    mySvcName = svcName;

    string regPath = "CurrentControlSet\\Services\\" + svcName;

    // Create the service key the kernel reads: HKLM\SYSTEM\CurrentControlSet\Services\<svcName>
    RegistryKey svcKey = Registry.LocalMachine.CreateSubKey("SYSTEM\\" + regPath);

    svcKey.SetValue("ImagePath", "\\??\\" + drvPath); // NT object path to the driver image
    svcKey.SetValue("Type", 1);                        // SERVICE_KERNEL_DRIVER: a kernel-mode device driver

    // "0" Boot: Loaded by kernel loader. Components of the driver stack for the boot (startup) volume must be loaded by the kernel loader
    // "1" System: Loaded by I/O subsystem. Specifies that the driver is loaded at kernel initialization
    // "2" Automatic: Loaded by Service Control Manager. Specifies that the service is loaded or started automatically
    // "3" Manual: The service does not start until the user starts it manually, such as by using Services or Devices in Control Panel
    // "4" Disabled: Specifies that the service should not be started

    // svcKey.SetValue("Start", 2);

    svcKey.Close();

    Native.UNICODE_STRING uRegPath = new Native.UNICODE_STRING();

    // NtLoadDriver requires SeLoadDriverPrivilege; enable it for the current process.
    // Note that this status is overwritten by the NtLoadDriver result below and is never checked.
    bool privEnabled;
    var status = Native.RtlAdjustPrivilege(Native.SeLoadDriverPrivilege, true, Native.ADJUST_PRIVILEGE_TYPE.AdjustCurrentProcess, out privEnabled);

    // NtLoadDriver takes the service key as a native registry path (\Registry\Machine\...).
    Native.RtlInitUnicodeString(ref uRegPath, "\\Registry\\Machine\\SYSTEM\\" + regPath);

    status = Native.NtLoadDriver(ref uRegPath);
    return status;
}
```

If I load the obfuscated driver with ZwLoadDriver from a manually mapped driver, the driver loads just fine.

ByteWhite1x1 avatar Mar 10 '23 06:03 ByteWhite1x1

Once again, please provide the executable image before and after obfuscation. You have provided code that loads a driver. This is not what was requested previously.

Iizerd avatar Mar 10 '23 17:03 Iizerd
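The maintainers ask for both the original and the transformed image. As an added diagnostic, not code from the Alcatraz project or from any commenter, the Python below parses a handful of PE32+ header fields from two images, reports which ones the transform changed, and recomputes the PE checksum of each; the sample image builder is a constructed minimal header for demonstration, not a loadable driver, and the script does not by itself establish why the loader returns STATUS_INVALID_IMAGE_FORMAT.

```python
import struct
# PE32+ header fields to compare; offsets are relative to the "PE\0\0" signature.
FIELDS = {
    "Machine": (4, "<H"), "NumberOfSections": (6, "<H"), "Magic": (24, "<H"),
    "AddressOfEntryPoint": (40, "<I"), "ImageBase": (48, "<Q"),
    "SectionAlignment": (56, "<I"), "FileAlignment": (60, "<I"),
    "SizeOfImage": (80, "<I"), "CheckSum": (88, "<I"), "Subsystem": (92, "<H"),
}

def pe_checksum(data: bytes, checksum_off: int) -> int:
    """Recompute the PE CheckSum (imagehlp CheckSumMappedFile algorithm)."""
    total = 0
    for i in range(0, len(data), 4):
        if i == checksum_off:  # the CheckSum field itself is excluded from the sum
            continue
        total += struct.unpack("<I", data[i:i + 4].ljust(4, b"\0"))[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + len(data)

def pe_header(data: bytes) -> dict:
    """Parse the selected PE32+ fields and whether the stored CheckSum matches the image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    hdr = {n: struct.unpack_from(f, data, pe + off)[0] for n, (off, f) in FIELDS.items()}
    if hdr["Magic"] != 0x20B:
        raise ValueError("not a PE32+ image")
    hdr["ChecksumValid"] = hdr["CheckSum"] == pe_checksum(data, pe + 88)  # dword-aligned
    return hdr

def compare_images(original: bytes, transformed: bytes) -> dict:
    """Header fields (and CheckSum validity) that differ between the two images."""
    a, b = pe_header(original), pe_header(transformed)
    return {n: (a[n], b[n]) for n in a if a[n] != b[n]}

def build_sample_image(section_alignment=0x1000, fix_checksum=True) -> bytes:
    """Constructed minimal PE32+ header for demonstration only; not a loadable driver."""
    img = bytearray(0x200)
    img[:2], img[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x40)  # e_lfanew
    values = {"Machine": 0x8664, "NumberOfSections": 1, "Magic": 0x20B, "ImageBase": 0x140000000,
              "AddressOfEntryPoint": 0x1000, "SectionAlignment": section_alignment,
              "FileAlignment": 0x200, "SizeOfImage": 0x3000, "Subsystem": 1}  # 1 = NATIVE
    for n, v in values.items():
        struct.pack_into(FIELDS[n][1], img, 0x40 + FIELDS[n][0], v)
    if fix_checksum:  # a rewritten image whose CheckSum was not updated fails this check
        struct.pack_into("<I", img, 0x40 + 88, pe_checksum(bytes(img), 0x40 + 88))
    return bytes(img)
```

Run `compare_images(open("orig.sys", "rb").read(), open("obf.sys", "rb").read())` on the real pair to see which fields the transform touched and whether the stored checksum is stale.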

just

2540508978 avatar Mar 11 '23 01:03 2540508978

Please provide an executable image that causes this behavior to occur. Be sure to include the original and transformed executable images.

Alcatraz.zip

ByteWhite1x1 avatar Mar 14 '23 04:03 ByteWhite1x1