A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #24897  by kerpow
 Sat Jan 10, 2015 9:25 am
Hi,

I am trying to get my driver working; however, although everything appears to be OK and everything initiates in WinDbg, the target driver does not unload. The target driver is loaded/spawned when a target program is run: the program exports the driver to temp and uses sc to load it, and it has a certificate.

I test-sign my driver and install it to system32 via the below INF, and then load it with "net start protect". My driver is loaded before the target driver loads and therefore should block loading, but this doesn't happen: when I "sc query target" it is still running. The target driver doesn't seem to have an unload function, as it is NON_STOPPABLE, NON_PAUSABLE; however, I don't think this should cause problems.

Please can you review the code and provide any feedback. Test machine Win 7 x64 SP1.

Thanks.
Attachment: src (3.39 KiB)
 #24898  by EP_X0FF
 Sat Jan 10, 2015 9:57 am
If the target driver has no defined Unload procedure, it can't be unloaded by a simple NtUnloadDriver. You need to patch its driver object, or patch the target driver's entry point to return, inside the ImageLoad notify callback.
 #24902  by EP_X0FF
 Sat Jan 10, 2015 4:40 pm
kerpow wrote: Thing is though, it works sometimes; regardless of NtUnloadDriver, this also blocks the load procedure, so it should still work.
What is that target driver?

Set an image notify callback; on the load event, get and patch the driver entry point (from ImageInfo->ImageBase) with an unsuccessful return value. This will 100% block any driver loading, even without using the filtering API.
 #25069  by kerpow
 Tue Jan 27, 2015 7:44 am
The code was solved with a direct call to the filename so that Name was no longer empty; a simple code mistake. This code is not aimed at AV or anti-rootkits; it is aimed at a target that loads a driver from user mode via the Service Control Manager. The user-mode target does not do any tricks to detect the loading of a filter driver or callback registration, and does not check itself whether its driver is unloaded, so this trick to unload the driver will work perfectly for the target in question.