A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #26862  by flauteABC
 Thu Oct 01, 2015 6:21 pm
Are there any other techniques than NtLoadDriver / NtSetSystemInformation(SYSTEM_LOAD_AND_CALL_IMAGE) to load a kernel driver?
 #26869  by Vrtule
 Fri Oct 02, 2015 11:53 am
Hello,

well, there are also the AddPrinterDriver and FilterLoad functions, but AFAIK they lead to a call to ZwLoadDriver (from kernel mode, but I know of no security hole there). The same situation applies to the StartService API (NtLoadDriver by services.exe).

The NtSetSystemInformation method IMHO has not worked since Windows Server 2003 (WXP x64). It is used to load win32k.sys only, and there are specific checks to ensure that no other driver gets loaded.

EDIT: BBCodes
 #26873  by Microwave89
 Fri Oct 02, 2015 8:28 pm
FilterLoad sends an undocumented IOCTL (forgot the number) to FltMgrMsg device which in turn leads to a call of fltmgr!FltLoadFilter.
It does not use ZwLoadDriver...at least not in usermode.

Best Regards - Microwave89
 #26874  by Vrtule
 Fri Oct 02, 2015 10:58 pm
Microwave89 wrote:FilterLoad sends an undocumented IOCTL (forgot the number) to FltMgrMsg device which in turn leads to a call of fltmgr!FltLoadFilter.
It does not use ZwLoadDriver...at least not in usermode.
AFAIK fltmgr!FltLoadFilter is the place where ZwLoadDriver is called. So, the call does not occur in user mode; however, fltmgr checks the access mode and takes appropriate actions (privilege check) when it is UserMode.

You can also load your driver by another trick, but again, ZwLoadDriver is IMHO used. You can install your driver as a service and then register it as an upper or lower filter for a certain device setup class. When a device of that class is discovered, your driver gets loaded by PnP. But this might be quite dangerous when registering as a filter for device setup classes that are required on boot. In that case, the system will be unbootable if any of the filters do not exist.
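As an added example (not code from anyone in this thread), the following PowerShell script walks through the two registry-driven paths Vrtule describes above: creating a kernel service and starting it (StartService in services.exe, which ends in NtLoadDriver), and registering that same service as an UpperFilters entry of a device setup class so that PnP loads it when a device of that class starts. The service name `myfilter`, the binary path `C:\Drivers\myfilter.sys` and the choice of the Keyboard setup class GUID as the filter target are assumptions for illustration. It must be run from an elevated prompt.

```powershell
# Added example, not from the original thread.
# Path A: register a kernel driver as a service and start it (StartService -> NtLoadDriver).
# Path B (-AsUpperFilter): additionally register the service as an upper filter of a
#         device setup class so PnP loads it when a device of that class starts.
# Assumed values: service name 'myfilter', binary C:\Drivers\myfilter.sys, and the
# well-known Keyboard setup class GUID {4D36E96B-E325-11CE-BFC1-08002BE10318}.
param(
    [string]$Name       = 'myfilter',
    [string]$BinaryPath = 'C:\Drivers\myfilter.sys',
    [string]$ClassGuid  = '{4D36E96B-E325-11CE-BFC1-08002BE10318}',
    [switch]$AsUpperFilter
)

$ErrorActionPreference = 'Stop'

# Vrtule's caveat: a filter entry whose driver is missing can leave the system
# unbootable, so refuse to register anything whose binary is not on disk.
if (-not (Test-Path -LiteralPath $BinaryPath)) {
    throw "Driver binary '$BinaryPath' does not exist; refusing to register it."
}

# 1. Create the kernel-mode service. sc.exe writes
#    HKLM\SYSTEM\CurrentControlSet\Services\<Name> with Type=1 (kernel driver),
#    Start=3 (demand) and ImagePath; this key is what NtLoadDriver takes as input.
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
if (-not (Test-Path $svcKey)) {
    & sc.exe create $Name type= kernel start= demand binPath= $BinaryPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc create failed with exit code $LASTEXITCODE" }
}

if (-not $AsUpperFilter) {
    # 2a. Direct path: StartService -> services.exe calls NtLoadDriver with the
    #     registry path of the service. The privilege check happens in the kernel.
    & sc.exe start $Name | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc start failed with exit code $LASTEXITCODE" }
    Write-Host "Loaded $Name via StartService / NtLoadDriver"
    return
}

# 2b. PnP path: append the service name to the UpperFilters REG_MULTI_SZ of the
#     setup class. PnP loads the filter when a device of that class is started.
$classKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Class\$ClassGuid"
if (-not (Test-Path $classKey)) { throw "Setup class $ClassGuid is not present on this machine" }

$existing = (Get-ItemProperty -Path $classKey -Name UpperFilters -ErrorAction SilentlyContinue).UpperFilters
if ($null -eq $existing) { $existing = @() }
$existing = @($existing)   # force an array even for a single entry

# Keep a copy of the previous filter list so it can be restored from the
# recovery environment if the machine stops booting.
$backup = Join-Path $env:TEMP "UpperFilters-$($ClassGuid.Trim('{}')).txt"
$existing | Set-Content -LiteralPath $backup

if ($existing -contains $Name) {
    Write-Host "$Name is already an upper filter of $ClassGuid"
} else {
    Set-ItemProperty -Path $classKey -Name UpperFilters -Value ($existing + $Name) -Type MultiString
    Write-Host "Registered $Name as upper filter of $ClassGuid (previous list saved to $backup)"
}
```

Both paths end in the same kernel routine, which is the point of the thread: the service key is the unit of loading, and the filter registration only changes who asks for the load (PnP instead of services.exe) and when (device start instead of an explicit StartService).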
 #26878  by EP_X0FF
 Sat Oct 03, 2015 4:33 pm
flauteABC wrote: Are there any other techniques than NtLoadDriver / NtSetSystemInformation(SYSTEM_LOAD_AND_CALL_IMAGE) to load a kernel driver?
Use a vulnerable signed driver that allows write access to kernel mode and can execute arbitrary kernel-mode code.