Workshop Windows Internals / winkern


Why use drivers





Driver capabilities

How to write Drivers

Forget NtApi

Language
C/ C++
RUST


Simple entry
extern "C"
NTSTATUS
DriverEntry(
    _In_ PDRIVER_OBJECT DriverObject,
    _In_ PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);

    // Names the driver exposes: the device under \Device and the link userland opens
    // through \\.\<name>. The name "FirstDriver" is assumed here, not given by the deck.
    UNICODE_STRING deviceName = RTL_CONSTANT_STRING(L"\\Device\\FirstDriver");
    UNICODE_STRING symlink    = RTL_CONSTANT_STRING(L"\\??\\FirstDriver");

    // Dispatch table: the routine the I/O manager calls for each major function
    // (DriverCleanup, CreateClose and DeviceControl are defined elsewhere in the driver)
    DriverObject->DriverUnload = DriverCleanup;
    DriverObject->MajorFunction[IRP_MJ_CREATE] = CreateClose;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = CreateClose;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DeviceControl;

    PDEVICE_OBJECT deviceObject;
    NTSTATUS status = IoCreateDevice(
        DriverObject,
        0,                   // no device extension
        &deviceName,
        FILE_DEVICE_UNKNOWN,
        0,                   // no device characteristics
        FALSE,               // not exclusive
        &deviceObject
    );
    if (!NT_SUCCESS(status))
        return status;

    status = IoCreateSymbolicLink(&symlink, &deviceName);
    if (!NT_SUCCESS(status))
        IoDeleteDevice(deviceObject); // do not leave a half-initialised device behind

    return status;
}
Major Function

IRQ level

Talking between driver and Userland

IOCTL

USERLAND
BOOL success = DeviceIoControl(
    hDriver,
    FIRST_DRIVER_IOCTL_TEST,
    &data,          // pointer to the data
    sizeof(data),   // the size of the data
    &answer,        // pointer to "answer"
    sizeof(answer), // size of "answer"
    &bytesReturned,
    nullptr);

KERNELLAND
switch (stack->Parameters.DeviceIoControl.IoControlCode)
{
case FIRST_DRIVER_IOCTL_TEST:
{
    DbgPrint("[+] FIRST_DRIVER_IOCTL_TEST called\n");
    // Validate the caller-supplied length before reading the input buffer
    if (stack->Parameters.DeviceIoControl.InputBufferLength < sizeof(TheQuestion))
    {
        status = STATUS_BUFFER_TOO_SMALL;
        DbgPrint("[+] STATUS_BUFFER_TOO_SMALL\n");
        break;
    }
    // ... handle the request ...
    break;
}
default:
    // Unknown control code: reject it rather than falling through
    status = STATUS_INVALID_DEVICE_REQUEST;
    break;
}
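An added, stand-alone C example (not code from the workshop deck) showing how the control code both sides agree on is built with CTL_CODE, how to decode one back into its fields when it shows up in a debugger or trace, and the METHOD_BUFFERED length checks the dispatch routine above performs before touching the buffer. The function number 0x800 for FIRST_DRIVER_IOCTL_TEST and the TheQuestion/TheAnswer layouts are assumptions; the SDK macros are reproduced by hand so the file compiles without the WDK.

```c
#include <stddef.h>
#include <stdint.h>

typedef int32_t NTSTATUS;

/* Macros and constants reproduced from winioctl.h / ntstatus.h so this builds without the WDK. */
#define FILE_DEVICE_UNKNOWN            0x00000022u
#define METHOD_BUFFERED                0u
#define FILE_ANY_ACCESS                0u
#define CTL_CODE(DeviceType, Function, Method, Access) \
    (((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method))

#define STATUS_SUCCESS                 ((NTSTATUS)0x00000000L)
#define STATUS_INVALID_DEVICE_REQUEST  ((NTSTATUS)0xC0000010L)
#define STATUS_BUFFER_TOO_SMALL        ((NTSTATUS)0xC0000023L)

/* Assumption: the workshop IOCTL uses function 0x800, the first vendor-defined number. */
#define FIRST_DRIVER_IOCTL_TEST CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800u, METHOD_BUFFERED, FILE_ANY_ACCESS)

/* Constructed stand-ins for the structures the two sides exchange (layout assumed). */
typedef struct { uint32_t id; char text[32]; } TheQuestion;
typedef struct { uint32_t value; } TheAnswer;

typedef struct { uint32_t device_type, access, function, method; } IoctlFields;

/* Split a control code into its fields, e.g. one seen in WinDbg or an ETW trace. */
IoctlFields decode_ioctl(uint32_t code)
{
    IoctlFields f;
    f.device_type = (code >> 16) & 0xFFFFu;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2)  & 0xFFFu;
    f.method      = code & 0x3u;
    return f;
}

/* Mirrors the METHOD_BUFFERED dispatch logic: check both lengths the caller supplied
 * before reading or writing SystemBuffer, and reject unknown codes explicitly. */
NTSTATUS handle_device_control(uint32_t code, size_t in_len, size_t out_len)
{
    switch (code) {
    case FIRST_DRIVER_IOCTL_TEST:
        if (in_len < sizeof(TheQuestion)) return STATUS_BUFFER_TOO_SMALL;
        if (out_len < sizeof(TheAnswer))  return STATUS_BUFFER_TOO_SMALL;
        return STATUS_SUCCESS;
    default:
        return STATUS_INVALID_DEVICE_REQUEST;
    }
}
```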

Shared memory

DriverCallback

Useful struct
Eprocess


IRP

Driver object

How to load it
sc create [service name] binPath= [path to your .sys file] type= kernel
sc start [service name]
Security around drivers


DSE
PatchGuard
Usage of vulnerable driver

How to use the debugger


Some fun with IDT(R) and SSDT



Now code
A simple Lsass dumper helper
Why?

The PPL problem
How?

Example use case


Little project
Some ideas
- A simple anti-anti debugger
- An offensive driver (Use your imagination)
- A Simple EDR (patch ntdll, ETW / ETW-TI ...)
By 0xkylm