A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #27577  by aleckernel
 Thu Jan 07, 2016 1:30 pm
I know the FullDllName/BaseDllName of KLDR_DATA_TABLE_ENTRY contains the UNICODE_STRING of the driver name. I am wondering what would happen if someone just modifies the name pointed to by the UNICODE_STRING.Buffer. This sounds like a way for rootkits to blend into the normal system drivers. If the driver is non-pageable, I suppose the name is no longer meaningful. (For a pageable driver, the system may need to look up the driver name in the filesystem to reload discarded pages.)
lkd> dt KLDR_DATA_TABLE_ENTRY 85bd7400
ole32!KLDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x82f68e30 - 0x87c3d0d0 ]
   +0x008 ExceptionTable   : 0xa49f9910 Void
   +0x00c ExceptionTableSize : 2
   +0x010 GpValue          : 0xa4e22728 Void
   +0x014 NonPagedDebugInfo : (null)
   +0x018 DllBase          : 0xa49f9000 Void
   +0x01c EntryPoint       : 0xa49f9e00 Void
   +0x020 SizeOfImage      : 0x2000
   +0x024 FullDllName      : _UNICODE_STRING "\??\C:\Windows\system32\evildrv.sys"
   +0x02c BaseDllName      : _UNICODE_STRING "evildrv.sys"
   +0x034 Flags            : 0x49104000
   +0x038 LoadCount        : 1
   +0x03a __Unused5        : 0xd
   +0x03c SectionPointer   : (null)
   +0x040 CheckSum         : 0x9b1d
   +0x044 CoverageSectionSize : 0x28639
   +0x048 CoverageSection  : (null)
   +0x04c LoadedImports    : 0x85857c99 Void
   +0x050 PatchInformation : (null)
   +0x054 SizeOfImageNotRounded : 0x1680
   +0x058 TimeDateStamp    : 0x43593517
Changed to
lkd> dt KLDR_DATA_TABLE_ENTRY 85bd7400
ole32!KLDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x82f68e30 - 0x87c3d0d0 ]
   +0x008 ExceptionTable   : 0xa49f9910 Void
   +0x00c ExceptionTableSize : 2
   +0x010 GpValue          : 0xa4e22728 Void
   +0x014 NonPagedDebugInfo : (null)
   +0x018 DllBase          : 0xa49f9000 Void
   +0x01c EntryPoint       : 0xa49f9e00 Void
   +0x020 SizeOfImage      : 0x2000
   +0x024 FullDllName      : _UNICODE_STRING "\??\C:\Windows\system32\atapi.sys"
   +0x02c BaseDllName      : _UNICODE_STRING "atapi.sys"
   +0x034 Flags            : 0x49104000
   +0x038 LoadCount        : 1
   +0x03a __Unused5        : 0xd
   +0x03c SectionPointer   : (null)
   +0x040 CheckSum         : 0x9b1d
   +0x044 CoverageSectionSize : 0x28639
   +0x048 CoverageSection  : (null)
   +0x04c LoadedImports    : 0x85857c99 Void
   +0x050 PatchInformation : (null)
   +0x054 SizeOfImageNotRounded : 0x1680
   +0x058 TimeDateStamp    : 0x43593517
system crash or not?
 #27588  by aleckernel
 Fri Jan 08, 2016 6:56 am
EP_X0FF wrote: Do you think it is something new? It is 11 years old and now absolutely useless.
I'm not looking for useful techniques to write something (rootkits/malware or whatever). I'm more interested in LEARNING how to prevent kernel exploitation and the way the kernel uses the internal structures.

Perhaps, to rephrase my question a bit: does the kernel use the UNICODE_STRING members to connect the in-memory image of the driver to the disk image? If yes, would it be possible that this is tampered with by malware (without causing a system crash)? And how do we detect this?
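As an added example (not code from the thread), here is a Python sketch of the cross-check the question asks about: the loader fills CheckSum and TimeDateStamp of a KLDR_DATA_TABLE_ENTRY from the image's PE headers, so an entry whose name strings were edited in memory keeps header values that no longer match the file it now claims to be. The dump is the thread's second `dt` output trimmed to the fields used; the on-disk table is constructed and the atapi.sys numbers are placeholders.

```python
import re

# Constructed sample: the thread's second `dt KLDR_DATA_TABLE_ENTRY` dump, trimmed to
# the fields this check uses. Only the names were edited; CheckSum/TimeDateStamp were not.
SPOOFED_DUMP = r"""
   +0x018 DllBase          : 0xa49f9000 Void
   +0x020 SizeOfImage      : 0x2000
   +0x024 FullDllName      : _UNICODE_STRING "\??\C:\Windows\system32\atapi.sys"
   +0x02c BaseDllName      : _UNICODE_STRING "atapi.sys"
   +0x040 CheckSum         : 0x9b1d
   +0x058 TimeDateStamp    : 0x43593517
"""

# Constructed reference table standing in for values read from each file's
# IMAGE_NT_HEADERS on disk (OptionalHeader.CheckSum, FileHeader.TimeDateStamp).
# The atapi.sys numbers are placeholders, not real values.
ON_DISK = {
    "evildrv.sys": (0x9b1d, 0x43593517),
    "atapi.sys": (0x2a7c1, 0x4a5bc007),
}

FIELD_RE = re.compile(r"^\s*\+0x[0-9a-f]+\s+(\w+)\s*:\s*(.*?)\s*$")

def parse_dt(dump):
    """Map field name -> raw value text for each `+0xNNN Name : value` line."""
    return {m.group(1): m.group(2) for m in map(FIELD_RE.match, dump.splitlines()) if m}

def unicode_string(raw):
    """Extract the quoted text windbg prints for a _UNICODE_STRING."""
    m = re.search(r'"(.*)"', raw)
    return m.group(1) if m else ""

def check_entry(fields, on_disk):
    """Return inconsistencies between the entry's names and the header fields
    the loader copied from the image (those survive an in-memory name edit)."""
    findings = []
    full = unicode_string(fields["FullDllName"]).lower()
    base = unicode_string(fields["BaseDllName"]).lower()
    if not full.endswith("\\" + base):
        findings.append("BaseDllName is not the last component of FullDllName")
    ref = on_disk.get(base)
    if ref is None:
        return findings + [f"no on-disk image found for {base}"]
    for name, want in zip(("CheckSum", "TimeDateStamp"), ref):
        got = int(fields[name], 16)
        if got != want:
            findings.append(f"{name} 0x{got:x} in entry != 0x{want:x} in {base} on disk")
    return findings

if __name__ == "__main__":
    for finding in check_entry(parse_dt(SPOOFED_DUMP), ON_DISK):
        print("suspicious:", finding)
```

In a real scan the on-disk values would be parsed from the PE headers of the file named by FullDllName rather than taken from a table.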
 #27593  by EP_X0FF
 Fri Jan 08, 2016 10:06 am
aleckernel wrote: Does the kernel use the UNICODE_STRING members to connect the in-memory image of the driver to the disk image?
No. Before Windows 10, after loading a driver you can simply delete its file from disk. I don't remember exactly, but perhaps newer versions of PatchGuard also protect PsLoadedModulesList from changes. In any way it is useless.
 #27595  by aleckernel
 Fri Jan 08, 2016 10:53 am
EP_X0FF wrote:
aleckernel wrote: Does the kernel use the UNICODE_STRING members to connect the in-memory image of the driver to the disk image?
No. Before Windows 10, after loading a driver you can simply delete its file from disk. I don't remember exactly, but perhaps newer versions of PatchGuard also protect PsLoadedModulesList from changes. In any way it is useless.

But if the deleted driver file consists of pageable code and has been paged out, would the deleted file cause a BSOD when the system needs to page in the code?
 #27605  by EP_X0FF
 Sun Jan 10, 2016 12:43 pm
Lol, and why should it? Pagefile anyone? And when there is no pagefile, nothing can be unloaded and DisablePagingExecutive is forced to 1.