A forum for reverse engineering, OS internals and malware analysis 

Boot time driver

Forum for discussion about kernel-mode development.

Re: Boot time driver

 #23187  by EP_X0FF
 Sun Jun 22, 2014 8:45 am
kmd wrote:so how does windows itself then loads boot drivers?
This does ntldr/winload using the BIOS disk I/O driver.

Boot Sequence:

BIOS->MBR->VBR->BootLoader (ntldr->ntdetect/bootmgr->winload)->ntoskrnl->wininit(System process)->others drivers etc->winlogon->all other windows crap start here.
BootLoader contain code to be able to read (only) the Windows-supported file systems (FAT16, FAT32, NTFS). It also parses BCD since Vista (instead of boot.ini parsed by ntldr in earlier versions).

You can find BkLoader source code (inside carberp pack) for investigating how it compromises windows boot process and inserts its malicious driver code to the boot sequence by hijacking KeLoaderBlock->BootDriverListHead.

Re: Boot time driver

 #23194  by RoxinAz
 Tue Jun 24, 2014 1:13 pm
kmd wrote:so how does windows itself then loads boot drivers?
It's also mentioned in 'Rootkit Arsenal' , sequence of boot loading by winload.exe .
Although, there's just some places (path) which kernel parse them , and devices or drivers (like Ntfs.sys) can't help us till loading.
Boot Sequence:

BIOS->MBR->VBR->BootLoader (ntldr->ntdetect/bootmgr->winload)->ntoskrnl->wininit(System process)->others drivers etc->winlogon->all other windows crap start here.
BootLoader contain code to be able to read (only) the Windows-supported file systems (FAT16, FAT32, NTFS). It also parses BCD since Vista (instead of boot.ini parsed by ntldr in earlier versions).
In addition, after loading drivers(image) in memory, pnp manager should calls DriverEntry of BootStart drivers to execute ... I found there's a different between loading drivers image and calling driverentry to execute.

In boot load driver(like system reserved and boot bus extender group), setting callbacks like 'pssetloadimagenotifyroutine' just can grab loading drivers image into memory ,but not executing...! Is there anyway to found executing of a driver as the time it's EntryPoint is calling? Or any callback that can set when a DriverEntry called?

Re: Boot time driver

 #23197  by EP_X0FF
 Tue Jun 24, 2014 4:18 pm
In your notification routine patch driver entry to your handler.

Re: Boot time driver

 #23200  by RoxinAz
 Wed Jun 25, 2014 4:43 am
EP_X0FF wrote:In your notification routine patch driver entry to your handler.
hmm... that's right 8-)
But, event though my boot driver loads before others in bootstart group,my EP doesn't call yet ,and other bootstart drivers have been loaded into memory as mine,so my callback such 'pssetloadimagenotifyroutine' couldn't work properly. It can just set for images which load after bootstart driver e.g,crashdmp.sys not for 'vdvroot' / 'partmgr' / 'Ntfs' , ...

So how can I prevent calling bootstart drivers EntryPoint? I didn't find APIs that can set callback function before EP calls ...
 Return to “Kernel-Mode Development”