[flauteABC]

Are there any other techniques than NtLoadDriver / NtSetSystemInformation(SYSTEM_LOAD_AND_CALL_IMAGE) to load a kernel driver?

[Vrtule]

Hello,

well, there are also AddPrinterDriver and FilterLoad functions but they AFAIK lead to a call to the ZwLoadDriver (from kernelmode but I know of no security hole there). The same situation is with the StartService API (NtLoadDriver by services.exe).

THe NtSetSystemInformation method IMHO does not work since Windows Server 2003 (WXP x64). It is used to load win32k.sys only and there are specific checks to ensure that you no other driver gets loaded.

EDIT: BBCodes

[Microwave89]

FilterLoad sends an undocumented IOCTL (forgot the number) to FltMgrMsg device which in turn leads to a call of fltmgr!FltLoadFilter.
It does not use ZwLoadDriver...at least not in usermode.

Best Regards - Microwave89

[Vrtule]

FilterLoad sends an undocumented IOCTL (forgot the number) to FltMgrMsg device which in turn leads to a call of fltmgr!FltLoadFilter.
It does not use ZwLoadDriver...at least not in usermode.

AFAIK fltmgr!FltLoadFilter is the place where ZwLoadDriver is called. So, the call does not occur in usermode, howerver, fltmgr checks the access mode and takes appropriate actions (privilege check) when it is UserMode.

You can also load your driver by another trick but again, ZwLoadDriver is IMHO used. You can install your driver as a service and then register it as an upper or lower filter for certain device setup class. When a device of that class is discovered, your driver gets loaded by PnP. But this might be quite dangerous when registering as a filter for device setup classes that a re required on boot. In that case, the system will be unbootable if any of the filters do not exist.

[EP_X0FF]

Are there any other techniques than NtLoadDriver / NtSetSystemInformation(SYSTEM_LOAD_AND_CALL_IMAGE) to load a kernel driver?

Use vulnerable signed driver that allows write access to the kernel mode and can execute arbitrary kernel mode code.