[rkhunter]

Ok. So I have no way to simulate a new DRIVER_OBJECT fill in.

Dispatch handlers you retrieves with code analyze (DriverEntry, for example), others data for structure copy from original object.

[EP_X0FF]

Ok. So I have no way to simulate a new DRIVER_OBJECT fill in.

Probably some drivers can be loaded few times (if their internal logic accept this, some PNP I belive). For your task peloader+ldasm is the best option.

[Tigzy]

Ok, so I'll do.
Thank you both. ;)

In IDA, I got this:
Do you think this part looks like an Major function definition?

Code: Select all

INIT:00024D47 loc_24D47:                              ; CODE XREF: start-CBCj
INIT:00024D47                 mov     [eax], bx
INIT:00024D4A                 mov     ax, [edi]
INIT:00024D4D                 mov     ecx, [ebp+arg_0]
INIT:00024D50                 push    edi
INIT:00024D51                 mov     [ecx+2], ax
INIT:00024D55                 push    [ebp+arg_0]
INIT:00024D58                 call    ds:RtlCopyUnicodeString
INIT:00024D5E                 mov     eax, [esi+18h]
INIT:00024D61                 mov     dword ptr [eax+4], offset loc_1F47C
INIT:00024D68                 mov     dword ptr [esi+30h], offset sub_17864
INIT:00024D6F                 mov     dword ptr [esi+34h], offset loc_213D6
INIT:00024D76                 mov     dword ptr [esi+74h], offset sub_16852
INIT:00024D7D                 mov     dword ptr [esi+70h], offset loc_1A712
INIT:00024D84                 mov     dword ptr [esi+90h], offset loc_1A73C
INIT:00024D8E                 mov     dword ptr [esi+0A4h], offset loc_21302
INIT:00024D98                 mov     dword ptr [esi+94h], offset loc_21336
INIT:00024DA2                 push    19h
INIT:00024DA4                 mov     edx, offset loc_1A6F2
INIT:00024DA9                 mov     [esi+38h], edx
INIT:00024DAC                 mov     [esi+40h], edx
INIT:00024DAF                 pop     ecx
INIT:00024DB0                 mov     ebx, offset sub_21294
INIT:00024DB5                 mov     eax, ebx
INIT:00024DB7                 mov     edi, offset dword_1CBC0
INIT:00024DBC                 rep stosd
INIT:00024DBE                 mov     eax, offset loc_212E4
INIT:00024DC3                 mov     dword_1CBC4, eax
INIT:00024DC8                 mov     dword_1CBCC, eax
INIT:00024DCD                 mov     dword_1CBD4, eax
INIT:00024DD2                 mov     dword_1CBD8, eax
INIT:00024DD7                 push    19h
INIT:00024DD9                 pop     ecx
INIT:00024DDA                 mov     eax, offset loc_21260
INIT:00024DDF                 mov     edi, offset dword_1C000
INIT:00024DE4                 rep stosd
INIT:00024DE6                 mov     eax, offset loc_1400E
INIT:00024DEB                 mov     dword_1C008, eax
INIT:00024DF0                 mov     dword_1C05C, eax
INIT:00024DF5                 mov     eax, ebx
INIT:00024DF7                 mov     edi, offset unk_1CC80
INIT:00024DFC                 stosd
INIT:00024DFD                 stosd
INIT:00024DFE                 stosd
INIT:00024DFF                 stosd
INIT:00024E00                 mov     eax, offset loc_21260
INIT:00024E05                 mov     edi, offset unk_1CC70
INIT:00024E0A                 stosd
INIT:00024E0B                 stosd
INIT:00024E0C                 stosd
INIT:00024E0D                 mov     ecx, offset loc_1FED2
INIT:00024E12                 stosd
INIT:00024E13                 mov     dword_1C004, ecx
INIT:00024E19                 mov     dword_1C014, ecx
INIT:00024E1F                 push    0Ch
INIT:00024E21                 pop     ecx
INIT:00024E22                 mov     eax, ebx
INIT:00024E24                 mov     edi, offset unk_1CC40
INIT:00024E29                 mov     dword_1CBC0, offset loc_1FBC4
INIT:00024E33                 mov     dword_1CBC8, offset loc_1F7B2
INIT:00024E3D                 mov     dword_1CBD0, offset loc_1F872
INIT:00024E47                 mov     dword_1CBDC, offset loc_1FE52
INIT:00024E51                 mov     dword_1CC0C, offset loc_1F920
INIT:00024E5B                 mov     dword_1CC18, offset loc_1FA2C
INIT:00024E65                 mov     dword_1CBF4, offset loc_1F120
INIT:00024E6F                 mov     dword_1CC10, offset loc_1F448
INIT:00024E79                 mov     dword_1CC1C, offset loc_1F75C
INIT:00024E83                 mov     dword_1C000, offset loc_151F8
INIT:00024E8D                 mov     dword_1C01C, offset loc_207FA
INIT:00024E97                 mov     dword_1C00C, edx
INIT:00024E9D                 mov     dword_1C010, offset loc_20F88
INIT:00024EA7                 mov     dword_1C018, edx
INIT:00024EAD                 mov     dword_1C04C, offset loc_20FD6
INIT:00024EB7                 mov     dword_1C024, offset loc_203C2
INIT:00024EC1                 mov     dword_1C030, offset loc_20492
INIT:00024ECB                 mov     dword_1C058, offset loc_20A4E
INIT:00024ED5                 mov     dword_1C050, offset loc_20A04
INIT:00024EDF                 mov     dword_1CC88, offset loc_19270
INIT:00024EE9                 mov     dword_1CC8C, offset loc_18EA6
INIT:00024EF3                 mov     dword_1CC78, offset loc_18D66
INIT:00024EFD                 mov     dword_1CC7C, offset loc_18728
INIT:00024F07                 rep stosd
INIT:00024F09                 push    0Ch
INIT:00024F0B                 pop     ecx
INIT:00024F0C                 mov     eax, offset loc_23C68
INIT:00024F11                 mov     edi, offset unk_1C080
INIT:00024F16                 rep stosd
INIT:00024F18                 call    sub_199B0
INIT:00024F1D                 call    sub_2110A
INIT:00024F22                 push    [ebp+arg_4]
INIT:00024F25                 push    esi
INIT:00024F26                 call    sub_2466C
INIT:00024F2B                 xor     eax, eax
INIT:00024F2D
INIT:00024F2D loc_24F2D:                              ; CODE XREF: start-CB5j
INIT:00024F2D                 pop     edi
INIT:00024F2E
INIT:00024F2E loc_24F2E:                              ; CODE XREF: start-D07j
INIT:00024F2E                                         ; start-CEEj
INIT:00024F2E                 pop     esi
INIT:00024F2F                 pop     ebx
INIT:00024F30                 pop     ebp
INIT:00024F31                 retn    8

[rkhunter]

Part of your code

Code: Select all

INIT:00024D68                 mov     dword ptr [esi+30h], offset sub_17864
INIT:00024D6F                 mov     dword ptr [esi+34h], offset loc_213D6
INIT:00024D76                 mov     dword ptr [esi+74h], offset sub_16852
INIT:00024D7D                 mov     dword ptr [esi+70h], offset loc_1A712
INIT:00024D84                 mov     dword ptr [esi+90h], offset loc_1A73C
INIT:00024D8E                 mov     dword ptr [esi+0A4h], offset loc_21302
INIT:00024D98                 mov     dword ptr [esi+94h], offset loc_21336

looks like driver_object's dispatch table initialization. FYI: you can make this code more readable if maps structure _DRIVER_OBJECT in IDA by selecting all this area and press 't' key.

[Tigzy]

I'm not familiar with all the functionalities of IDA....
What I'm I supposed to do to cast this part as DRIVER_OBJECT?

Capture.PNG (49.35 KiB) Viewed 279 times

[Tigzy]

I compared with one of my drivers, this is the good part indeed.

Code: Select all

for(uiIndex = 0; uiIndex < IRP_MJ_MAXIMUM_FUNCTION; uiIndex++)
             pDriverObject->MajorFunction[uiIndex] = Drv_UnSupportedFunction;
    
        pDriverObject->MajorFunction[IRP_MJ_CLOSE]             = Drv_Close;
        pDriverObject->MajorFunction[IRP_MJ_CREATE]            = Drv_Create;
        pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]    = Drv_IoControl;
        pDriverObject->MajorFunction[IRP_MJ_READ]              = Drv_Read;
        pDriverObject->MajorFunction[IRP_MJ_WRITE]             = USE_WRITE_FUNCTION;    
       
        pDriverObject->DriverUnload =  Drv_Unload; 
        pDeviceObject->Flags |= IO_TYPE; 
        pDeviceObject->Flags &= (~DO_DEVICE_INITIALIZING);

Code: Select all

push    1Bh
lea     edx, [esi+38h]
pop     ecx
mov     eax, offset Drv_UnSupportedFunction
mov     edi, edx
rep stosd
mov     eax, [ebp+var_4]
mov     dword ptr [esi+40h], offset Drv_Close
mov     dword ptr [edx], offset Drv_Create
mov     dword ptr [esi+70h], offset Drv_IoControl
mov     dword ptr [esi+44h], offset Drv_Read
mov     dword ptr [esi+48h], offset Drv_WriteNeither
mov     dword ptr [esi+34h], offset Drv_Unload
and     dword ptr [eax+1Ch], 0FFFFFF7Fh

[rkhunter]

I'm not familiar with all the functionalities of IDA....
What I'm I supposed to do to cast this part as DRIVER_OBJECT?

1. Look all available structures "View"->"Open Subviews"->"Structures", press "Insert"->"Add standart structure".
2. If it not presents in the list, type library not loaded.
3. Go to "View"->"Open Subviews"->"Type libraries", press "Insert" and load ntddk and ntapi.
4. Add DRIVER_OBJECT in structure's list by using 1.
5. Select area, press 't' and click to DRIVER_OBJECT.

[Tigzy]

Ok, understood.
But I only got mssdk lib in the list, not ntddk. Do you know how to add them to the loadable lib list?

---

In the mean time I understood how it worked

My Driver.sys PE got an image base of 0x10000
My offset for the DRIVER_OBJECT at offset 0x70 is 0x2B2CA in absolute offset => 0x1B2CA in RVA
According to the DRIVER_OBJECT struct, 0x38 is the first index of the major functions table (MJ_CREATE)
0x70 is the index 14 = MJ_DEVICE_CONTROL, and I find the good offset relative to my driver

Capture.PNG (89.57 KiB) Viewed 272 times

[rkhunter]

And what you plan to do next?

[Tigzy]

I've found a cute lib for disassembly.
The tricky part is to explore every part including jumps of the entrypoint to find a pattern matching the Major function fill in.
Then I get the indexes + offsets back to an array for later usage