Workshop Windows Internals / winkern

Why use drivers

drivers capabilites

How to write Drivers

Forget NtApi

Language

C/ C++

RUST

Simple entry

extern "C"
NTSTATUS
DriverEntry(
	_In_ PDRIVER_OBJECT DriverObject,
	_In_ PUNICODE_STRING RegistryPath)
{
	UNREFERENCED_PARAMETER(RegistryPath);

	DriverObject->DriverUnload = DriverCleanup;

	DriverObject->MajorFunction[IRP_MJ_CREATE] = CreateClose;
	DriverObject->MajorFunction[IRP_MJ_CLOSE] = CreateClose;
	DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DeviceControl;
	
	PDEVICE_OBJECT deviceObject;
	NTSTATUS status = IoCreateDevice(
		DriverObject,
		0,
		&deviceName,
		FILE_DEVICE_UNKNOWN,
		0,
		FALSE,
		&deviceObject
	);
	
	status = IoCreateSymbolicLink(&symlink, &deviceName);

Major Function

IRQ level

Talking between driver and Userland

IOCTL

BOOL success = DeviceIoControl(
    hDriver,
    FIRST_DRIVER_IOCTL_TEST,
    &data,              // pointer to the data
    sizeof(data),       // the size of the data
    &answer,            // pointer to "answer"
    sizeof(answer),     // size of "answer"
    &bytesReturned,
    nullptr);

switch (stack->Parameters.DeviceIoControl.IoControlCode)
{
case FIRST_DRIVER_IOCTL_TEST:
{
	DbgPrint("[+] FIRST_DRIVER_IOCTL_TEST called\n");

	if (stack->Parameters.DeviceIoControl.InputBufferLength < sizeof(TheQuestion))
	{
		status = STATUS_BUFFER_TOO_SMALL;
		DbgPrint("[+] STATUS_BUFFER_TOO_SMALL\n");
		break;
	}

USERLAND

KERNELLAND

Shared memory

DriverCallback

Useful struct

Eprocess

IRP

Driver object

How to load it

sc create [service name] binPath= [path to your .sys file] type= kernel
sc start [service name]

Security around driver

DSE

PatchGuard

Usage of vulnerable driver

How to use the debugger

Some fun with IDT(R) and SSDT

Now code

A simple Lssas dumper helper

WHY ?

The ppl problem

How ?

Exemple usecase

Little project

Some ideas

- A simple anti-anti debugger

- An offensive driver (Use your imagination)

- A Simple EDR (patch ntdll, ETW / ETW-TI ...)