A forum for reverse engineering, OS internals and malware analysis 

 #25335  by aleckernel
 Sat Feb 28, 2015 9:31 am
I know Sysinternals' Process Explorer silently loads a Device Driver called PROCEXPxxx.SYS. I'm wondering how it does this. To me, it looks like a good example of silently bundling a kernel mode component in our application without leaving any trace in the Registry.

First off, the driver is created dynamically from the exe (perhaps as a resource).

By using Process Monitor to check the registry, I can tell PE is using RegCreateKey to create the keys under HKLM\System\CurrentControlSet\Services\PROCEXPxxx manually (and immediately deletes them afterward so that nothing is left behind once the driver is running).

By using "dumpbin /imports procexp.exe", I found that PE doesn't import CreateService at all. And by using the API Monitor (http://www.rohitab.com/apimonitor), I did confirm that CreateService won't be called when we run it.

So, how does Process Explorer elegantly load a driver silently without rebooting and calling CreateService?
 #25341  by aleckernel
 Sat Feb 28, 2015 4:50 pm
Is there any doc that talks about NtLoadDriver? What Process Explorer does is that it deletes the registry keys and the PROCEXPxxx.SYS driver image in windows\system32\drivers after calling NtLoadDriver to load the driver into kernel memory. This seems to be a simple trick to eliminate any trace of loading a driver (at least to user mode code).

I'm wondering if there are any limitations in deleting the registry keys and driver file image after loading the driver. This technique is a good way to cover the driver's tracks.
 #25342  by EP_X0FF
 Sat Feb 28, 2015 5:14 pm
https://msdn.microsoft.com/en-us/librar ... 85%29.aspx

The registry record and the file on disk are only required if you want, and have configured, your driver to be loaded after reboot (see the dwStartType description for CreateService). Since Mark's tools load drivers on demand, he doesn't need to keep the files/registry entries.
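The load-then-delete sequence discussed in this thread leaves a distinctive state on a running system: a kernel image that is mapped in memory but has no backing file on disk and no Services key to explain it. The PowerShell below is an added example written for this thread, not code from Sysinternals or from either poster. It enumerates loaded kernel images through the documented psapi.dll functions EnumDeviceDrivers and GetDeviceDriverFileNameW, then checks each one against the file system and HKLM\SYSTEM\CurrentControlSet\Services. It assumes an elevated PowerShell session on Windows; the function names (Get-LoadedKernelImages, ConvertTo-Win32Path, Test-DriverFootprint) are my own.

```powershell
# Added example, not part of the original thread.
# Enumerates kernel images currently loaded and flags any whose backing file or
# Services key is missing, the state left behind by NtLoadDriver followed by
# deleting the key and the .sys file. Run elevated on Windows.

if (-not ('Psapi' -as [type])) {
    Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class Psapi {
    // BOOL EnumDeviceDrivers(LPVOID *lpImageBase, DWORD cb, LPDWORD lpcbNeeded)
    [DllImport("psapi.dll", SetLastError = true)]
    public static extern bool EnumDeviceDrivers(IntPtr[] lpImageBase, uint cb, out uint lpcbNeeded);
    // DWORD GetDeviceDriverFileNameW(LPVOID ImageBase, LPWSTR lpFilename, DWORD nSize)
    [DllImport("psapi.dll", CharSet = CharSet.Unicode)]
    public static extern uint GetDeviceDriverFileNameW(IntPtr ImageBase, StringBuilder lpFilename, uint nSize);
}
"@
}

function Get-LoadedKernelImages {
    # Start with room for 2048 image bases and grow if the kernel reports more.
    $bases  = New-Object IntPtr[] 2048
    $cb     = [uint32]($bases.Length * [IntPtr]::Size)
    $needed = [uint32]0
    if (-not [Psapi]::EnumDeviceDrivers($bases, $cb, [ref]$needed)) {
        throw "EnumDeviceDrivers failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    if ($needed -gt $cb) {
        $bases = New-Object IntPtr[] ([int]($needed / [IntPtr]::Size))
        [void][Psapi]::EnumDeviceDrivers($bases, $needed, [ref]$needed)
    }
    $count = [int]($needed / [IntPtr]::Size)
    for ($i = 0; $i -lt $count; $i++) {
        $sb = New-Object System.Text.StringBuilder 1024
        if ([Psapi]::GetDeviceDriverFileNameW($bases[$i], $sb, $sb.Capacity) -gt 0) {
            [pscustomobject]@{ ImageBase = $bases[$i]; RawPath = $sb.ToString() }
        }
    }
}

function ConvertTo-Win32Path([string]$ntPath) {
    # The kernel reports paths as \SystemRoot\... or \??\C:\...; map them to Win32 form.
    switch -Regex ($ntPath) {
        '^\\SystemRoot\\' { return ($ntPath -replace '^\\SystemRoot', $env:SystemRoot) }
        '^\\\?\?\\'       { return $ntPath.Substring(4) }
        default           { return $ntPath }
    }
}

function Test-DriverFootprint {
    # Index every ImagePath registered under Services by file name so a loaded
    # image can be matched back to the service record that should describe it.
    $registered = @{}
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
        $img = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        if ($img) {
            $leaf = (Split-Path (ConvertTo-Win32Path $img) -Leaf).ToLowerInvariant()
            $registered[$leaf] = $_.PSChildName
        }
    }
    foreach ($drv in Get-LoadedKernelImages) {
        $path = ConvertTo-Win32Path $drv.RawPath
        $leaf = (Split-Path $path -Leaf).ToLowerInvariant()
        [pscustomobject]@{
            Image      = $leaf
            ImageBase  = ('0x{0:X}' -f $drv.ImageBase.ToInt64())
            FileOnDisk = Test-Path -LiteralPath $path
            ServiceKey = $registered[$leaf]
        }
    }
}

# Loaded images with no file on disk or no Services entry deserve a closer look.
Test-DriverFootprint |
    Where-Object { -not $_.FileOnDisk -or -not $_.ServiceKey } |
    Format-Table -AutoSize
```

Expect a handful of benign hits to baseline first: boot-time images that are not services (ntoskrnl.exe, hal.dll, kdcom.dll and friends) and the crash-dump port drivers (dump_*.sys) are mapped without a Services key. A driver such as the PROCEXPxxx.SYS from the thread shows up with both FileOnDisk false and ServiceKey empty while Process Explorer is running. This is a point-in-time check; to catch drivers that were loaded and later unloaded, pair it with load-time telemetry (for example Sysmon's driver-loaded event, ID 6).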