
 #800  by __Genius__
 Tue Apr 20, 2010 6:52 pm
Author : Sav1or [ Russian Federation ]
#include<stdio.h>
#include<windows.h>

/*
 * Request buffer that main() passes as the input of DeviceIoControl().
 *
 * Len         - byte length of ServiceName, not its character count:
 *               main() fills it with wcslen()*sizeof(WCHAR).
 * ServiceName - service (registry key) name. main() writes it with an
 *               unbounded wcscpy(), so it only stays in bounds while the
 *               copied literal fits in 512 WCHARs.
 */
typedef struct _tagLOAD
{
	WORD Len;
	WCHAR ServiceName[512];
} LOAD , *PLOAD;

/* Control code handed to DeviceIoControl() on the FltMgr handle opened in
 * main(). Written as a bare literal rather than built with CTL_CODE(), so
 * the device type / function / method it encodes are not visible here. */
#define MAGIC_IOCTL 0x00088004 


/*
 * Creates (or opens) HKLM\SYSTEM\CurrentControlSet\Services\<szDriverName>
 * and writes the DisplayName, ImagePath, Type and Start values of a
 * kernel-driver service entry.
 *
 * szDriverName - service key name; also stored verbatim as DisplayName.
 * szDriverPath - Win32 path of the driver image; stored as "\??\" + path
 *                in ImagePath (REG_EXPAND_SZ).
 *
 * Returns nothing: a failing RegCreateKeyW() (e.g. insufficient rights on
 * HKLM) is silently skipped and the caller cannot tell.
 *
 * Review notes:
 *  - Neither wsprintfW() call is bounded; szMain and szImgPath are 512
 *    WCHARs each, so an over-long szDriverName or szDriverPath overflows
 *    the stack buffers.
 *  - No RegSetValueExW() result is checked, and hKey is never released
 *    with RegCloseKey(), so the key handle leaks on every call.
 *  - The byte counts for DisplayName/ImagePath are lstrlenW()*2, which
 *    excludes the terminating NUL that RegSetValueEx expects to be
 *    included for string-typed values.
 *  - szRegPath is declared but never used.
 */
VOID WINAPI make_reg( LPWSTR szDriverName, LPWSTR szDriverPath )
{
	
	DWORD dwType = SERVICE_KERNEL_DRIVER;  
	DWORD dwStart = SERVICE_DEMAND_START;  /* manual start: loaded on request, not at boot */
	HKEY hKey;
	WCHAR szMain[512] = {0};
	WCHAR szImgPath[512] = {0};
	wchar_t szRegPath[512]={0};	/* unused */
	
	/* Services\<name> relative to HKLM; no length check on szDriverName. */
	wsprintfW( szMain, 
		L"%s%s",
		L"SYSTEM\\CurrentControlSet\\Services\\",
		szDriverName );
	
	/* NT object-manager form of the image path; no length check on szDriverPath. */
	wsprintfW( szImgPath,
		L"%s%s",
		L"\\??\\", 
		szDriverPath);
	  
	if( RegCreateKeyW( HKEY_LOCAL_MACHINE, szMain, &hKey ) == ERROR_SUCCESS ) 
	{
		/* Length passed is characters*2, i.e. without the terminating NUL. */
		RegSetValueExW( hKey, 
			L"DisplayName", 
			0, 
			REG_SZ, 
			(LPBYTE)szDriverName, 
			(DWORD)lstrlenW(szDriverName)*2);
		
		RegSetValueExW( hKey, 
			L"ImagePath", 
			0, 
			REG_EXPAND_SZ,
			(LPBYTE)szImgPath, 
			(DWORD)lstrlenW(szImgPath)*2);
		
		RegSetValueExW( hKey, 
			L"Type",
			0,
			REG_DWORD,
			(LPBYTE)&dwType,
			(DWORD)sizeof(dwType) );
		
		RegSetValueExW( hKey, 
			L"Start",
			0,
			REG_DWORD,
			(LPBYTE)&dwStart,
			(DWORD)sizeof(dwStart) );
		
		/* hKey is not closed here: RegCloseKey() is missing. */
	} 	
}


/*
 * Registers a service named "load" whose image is <current dir>\load.sys,
 * opens the FltMgr device and sends it MAGIC_IOCTL with the service name.
 *
 * argc/argv are unused; the service name and image path are fixed.
 * Always returns 0, even when CreateFile() or DeviceIoControl() fail —
 * the failure is only printed.
 *
 * Review notes:
 *  - memset(drvPath, 0, 512) clears 512 bytes, i.e. only half of the
 *    512-WCHAR array; this is masked only when GetCurrentDirectoryW()
 *    succeeds and writes its own terminator.
 *  - GetCurrentDirectoryW() is given MAX_PATH although drvPath holds 512
 *    WCHARs, its return value is not checked, and lstrcatW() then appends
 *    with no bound.
 *  - CreateFile() is called with a narrow literal, so the translation unit
 *    must be built without UNICODE (or use CreateFileA) to compile.
 *  - On the CreateFile() failure path, __end calls CloseHandle() on
 *    INVALID_HANDLE_VALUE.
 *  - As the thread notes, the caller still needs SeLoadDriverPrivilege,
 *    and the Services key write plus the driver load are visible to
 *    registry/driver-load monitoring.
 */
int main( int argc , char *argv[] )
{
	HANDLE hDevice;
	LOAD service_to_load;
	BOOL err;
	DWORD dwRet=0;
	WCHAR drvPath[512];

	memset( drvPath , 0 , 512 );	/* 512 bytes == 256 WCHARs: only half the buffer */
	GetCurrentDirectoryW( MAX_PATH , drvPath );	/* return value (needed length / failure) ignored */
	lstrcatW( drvPath , L"\\load.sys" );	/* unbounded append */
	make_reg( L"load" , drvPath );
	/* Narrow-string CreateFile: requires a non-UNICODE build. */
	hDevice = CreateFile ("\\\\.\\FltMgr" , GENERIC_READ | GENERIC_WRITE , FILE_SHARE_READ | FILE_SHARE_WRITE , NULL , OPEN_EXISTING , FILE_ATTRIBUTE_NORMAL , NULL );
	if( hDevice == INVALID_HANDLE_VALUE )
	{
		/* GetLastError() is a DWORD; %d should be %lu. */
		printf("CreateFile failed with status : %d\n" , GetLastError() );
		goto __end;	/* jumps to CloseHandle() with an invalid handle */
	}

	wcscpy( service_to_load.ServiceName , L"load");
	/* Len is a byte count (characters * sizeof(WCHAR)), excluding the NUL. */
	service_to_load.Len = wcslen( service_to_load.ServiceName )*sizeof(WCHAR);
	/* No output buffer; only the success/failure of the request is observed. */
	err = DeviceIoControl( hDevice , MAGIC_IOCTL , &service_to_load , sizeof(service_to_load) , NULL , 0 , &dwRet , NULL );
	if( !err )
	{
		printf("sorry\n");
		goto __end;
	}
	printf(":)\n");

__end:

	CloseHandle( hDevice );
	return 0;
}
This will load the driver with the help of the FltMgr driver.
original post
 #802  by Alex
 Tue Apr 20, 2010 7:36 pm
Source code like this shouldn't be published because it only helps malware writers, but if someone has decided to disclose this method there is no way back. Does anyone know of malware which uses this funny method? This method, like the NtLoadDriver service case, requires the SE_LOAD_DRIVER_PRIVILEGE privilege, so it isn't anything special.

Alex
 #809  by EP_X0FF
 Wed Apr 21, 2010 3:19 am
I believe any sophisticated HIPS will catch this because of notify routines and file system filters. This IOCTL, by the way, does not work on Vista/7.
Personally, I haven't seen this technique in the malware samples I've analyzed.
Currently they are actively copy-pasting the TDL3 loading scheme, because it was posted in a rootkit.com article as a ready-to-copy example :)
 #811  by sww
 Wed Apr 21, 2010 8:40 am
I've analyzed XP SP3, Windows 7 and Vista x64. They all contain that code.
 #814  by EP_X0FF
 Wed Apr 21, 2010 9:32 am
Damn it you are right :D
It is working on Vista SP2 in my test application. Just takes some time.
 #817  by sww
 Wed Apr 21, 2010 9:54 am
You still need the SeLoadDriver privilege set :)