Prerequisite
Do you know how to code in C? Download the WDK and install it, and get your hands on
any text editor you like.
I will introduce you later to a more advanced way to develop kernel
drivers using Visual Studio, but if you’re a beginner you must learn the hard
way first, to better understand the rules, then break them ;)
Build Your First Driver
Create a new folder on your ‘C:\’
drive and call it ‘my_driver’. Inside this folder create a new file
named ‘HelloDriver.c’, then copy and paste the following code:
/*
 *+++++++++++++++++++++++++++++++++++++++++++++++++++
 * Author : Dr_Hun74
 * Module : HelloDriver.c
 *
 * implement a very basic driver, to describe
 * how to use wdk to build the driver, load it
 * and debug it, using WinDBG(kd.exe) debugger.
 *+++++++++++++++++++++++++++++++++++++++++++++++++++
 */
#include <ntddk.h>

//
// NOTE: You don't have to use these macros, you can simply use
// DbgPrint () as printf (). FUNCTION is defined before each routine
// and undefined after it, so every trace carries the routine's name
// (redefining it without #undef would be a macro-redefinition warning,
// which the WDK build treats as an error).
//
#define TRACE(msg_Trace) DbgPrint("fnct__%s: %s\n", FUNCTION, msg_Trace)

DRIVER_INITIALIZE DriverEntry;
DRIVER_UNLOAD DriverUnload;

/*++
Routine Description:
    This routine is the driver unload routine.
Arguments:
    pDriverObject - Pointer to the driver object created by the system.
Return Value:
    None.
--*/
#define FUNCTION "DriverUnload"
VOID DriverUnload(PDRIVER_OBJECT pDriverObject)
{
    UNREFERENCED_PARAMETER(pDriverObject);
    TRACE("Unloading the driver");
    return;
}
#undef FUNCTION

/*++
Routine Description:
    This is the EntryPoint of the driver.
Arguments:
    pDriverObject - Pointer to the driver object created by the system.
    pus_RegPath   - Pointer to the Unicode name of the registry path
                    for this driver.
Return Value:
    The function value is the final status from the initialization operation.
--*/
#define FUNCTION "DriverEntry"
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pus_RegPath)
{
    UNREFERENCED_PARAMETER(pus_RegPath);
    TRACE("Loading the driver");
    //
    // This tells the I/O manager where our Unload routine is;
    // don't worry about it for now, I'll get to it in another
    // tutorial.
    //
    pDriverObject->DriverUnload = DriverUnload;
    return STATUS_SUCCESS;
}
#undef FUNCTION
Now create another file, ‘SOURCES’, then
copy the following into it:
TARGETNAME = HelloDriver
TARGETPATH = obj
TARGETTYPE = DRIVER
INCLUDES   = %BUILD%\inc
LIBS       = %BUILD%\lib
SOURCES    = HelloDriver.c
One more file, ‘makefile.def’, I promise
this is the last one:
!INCLUDE $(NTMAKEENV)\makefile.def
Your ‘C:\my_driver’ should look
like this:
After you’ve done that, go to your Start
menu and select the build environment you want to target; for me I’ll choose Windows
7.
Another thing I want to tell you:
Checked : debug
Free : release
Now execute the following commands, and don’t
forget to navigate to where you put the source files first:
cd \my_driver
build
If the build was successful you should see
a new '.sys' driver created inside your folder, meaning that you’re ready
to go to the next step.
Load/UnLoad the Driver
To load our driver we use the SCM, the Service Control
Manager provided by Microsoft; we’ll also use a tool from Sysinternals,
DbgView.exe, to catch the messages from our driver.
From an elevated command prompt, execute
the following commands:
Load/Run the Driver
sc create Hello binpath= C:\my_driver\objchk_win7_x86\i386\HelloDriver.sys type= kernel
sc start Hello
UnLoad/Stop the Driver
sc stop Hello
Now let’s take a look at DbgView and see
what it caught for us, but before that:
And here we go:
Debug Driver
I will assume that you already know the
basics of using the WinDBG debugger; if you don’t, there are some really good resources
that give you a quick start.
Look at the folder ‘UsefulRessources’
provided with this document, or follow the link below if you’re reading this from
my blog ‘hun7r.blogspot.com’.
Run your target machine and set it to be
debugged in kernel mode, then attach WinDBG to it; if you don’t know how to do this, refer to the files I mentioned
before.
After you do that, set an unresolved
breakpoint (bu) on the DriverEntry() function. An unresolved breakpoint is kept by the debugger and resolved once the module containing the symbol is loaded, which is exactly what we need, since our driver is not loaded yet (see http://msdn.microsoft.com/enus/library/windows/hardware/ff560012(v=vs.85).aspx).
By default, DbgPrint messages
do not appear in WinDbg when the driver is running on Windows Vista/7, because
they are filtered. You can clear this filtering with this simple command:
kd> ed nt!kd_DEFAULT_MASK 0x8
Now start the driver as we saw before (sc start HelloDriver bin …), and don’t forget
to run DbgView.exe on the target machine.
Take a look at your WinDBG; you’ll notice
that it magically loads the source code and breaks on the
DriverEntry() routine.
Hit F10 twice to step over the DbgPrint()
call, and keep watching the debug window in WinDBG:
Now hit the Go button, or just type g.
Set another unresolved breakpoint on
Hello!DriverUnload, hit the Go button, then stop the driver from the target
machine; get back to WinDBG and repeat the same experiment.
Now stop the driver from an elevated command
prompt as we saw before.
Did it show the unload driver trace message?
Debug Driver at Boot Time
This is just another experiment, nothing
special, except for two things:
- You need to copy your driver to ‘%SYSTEMROOT%\System32\Drivers\’
- Update some registry keys
And that’s it.
For step 2, use the following C code;
compile it, and pass it the name of the driver you want to run at boot time as
the first argument:
/*
 * Author : Dr_Hun74
 * Building straight forward .reg file, to start driver at boot time
 *
 * You are free to develop this .c program as you wish ;)
 *
 */
#include <stdio.h>

int main (int argc, char *argv [])
{
    const char *pDriverName;
    FILE *fptr;

    if (argc != 2) {
        printf ("\n> Dr_Hun74:\n");
        printf ("Usage: %s <DriverName>\n", argv [0]);
        getchar ();
        return 0;
    }
    pDriverName = argv [1];

    printf ("\n> Dr_Hun74!_GenRegBootDriver:\n");
    printf (" >>> Generating registry values, to start driver at boot time ...\n");
    printf (" >>> Happy Coding, zirek %c\n\n", 0x2);

    fptr = fopen ("BootRegDriver.reg", "w");
    if (fptr == NULL) {
        printf ("Cannot create BootRegDriver.reg\n");
        return 1;
    }
    fprintf (fptr, "Windows Registry Editor Version 5.00\n\n");
    // Service key of the driver: Type 1 = kernel driver, Start 0 = boot start
    fprintf (fptr, "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\%s]\n", pDriverName);
    fprintf (fptr, "\"Type\"=dword:00000001\n");
    fprintf (fptr, "\"Start\"=dword:00000000\n");
    fprintf (fptr, "\"ErrorControl\"=dword:00000001\n");
    fprintf (fptr, "\"Group\"=\"Base\"\n");
    // Backslashes inside a quoted .reg string value must be doubled
    fprintf (fptr, "\"ImagePath\"=\"\\\\SystemRoot\\\\System32\\\\Drivers\\\\%s.sys\"\n", pDriverName);
    fprintf (fptr, "\"Description\"=\"Dr_Hun7r - Rootkit Driver, be careful\"\n");
    fprintf (fptr, "\"DisplayName\"=\"%s\"\n", pDriverName);
    fclose (fptr);
    printf (".done\n");
    return 0;
}
Assuming that you compiled the code with
the name ‘GenRegBootDriver.exe’, open your elevated command prompt and
execute it as follows:
GenRegBootDriver HelloDriver
(without ‘.sys’), and
also make sure you copy the driver to the location I mentioned in the 1st
step.
After you generate the .reg file, run it
and restart your system; if the machine is attached to WinDBG, it’ll break before
Windows starts any driver. Repeat the same experiment we’ve used before to
debug the driver.
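The registry entry above can also be looked at from the other side: which Services entries describe a driver that the boot loader starts before anything else. The following C program is an added example, not the tutorial's own code. It builds the same boot-start entry into a buffer after validating the driver name (rejecting a ‘.sys’ suffix or path characters, since the tutorial passes the bare name), then parses such .reg text back and reports whether it describes a boot-start kernel driver (Type=1, Start=0). The function names (valid_driver_name, build_boot_reg, parse_service_reg, classify_reg_text, generated_reg_is_boot_start) and the demand-start sample entry are this example's own constructions; it compiles on any host and needs no WDK.

```c
/* Added example, not the tutorial's code: build the boot-start Services entry
 * into a buffer after validating the name, then parse .reg text back and
 * classify it. All names below are this example's own. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define SVC_TYPE_KERNEL_DRIVER 1   /* "Type"=dword:00000001 */
#define SVC_START_BOOT         0   /* "Start"=dword:00000000 */

/* Constructed sample: same layout, but a demand-start (Start=3) driver. */
static const char DEMAND_START_SAMPLE[] =
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\OtherDrv]\r\n"
    "\"Type\"=dword:00000001\r\n"
    "\"Start\"=dword:00000003\r\n"
    "\"ImagePath\"=\"\\\\SystemRoot\\\\System32\\\\Drivers\\\\OtherDrv.sys\"\r\n";

/* Bare service name: 1..64 chars of [A-Za-z0-9_-]. This rejects
 * "HelloDriver.sys" (the tutorial wants the name without ".sys") and
 * any path separator that would escape the Services key. */
int valid_driver_name(const char *name)
{
    size_t i, n = name ? strlen(name) : 0;
    if (n == 0 || n > 64) return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Write the boot-start .reg text for NAME into OUT. Backslashes inside
 * quoted values are doubled, as .reg syntax requires. Returns length or -1. */
int build_boot_reg(const char *name, char *out, size_t cap)
{
    int n;
    if (!valid_driver_name(name)) return -1;
    n = snprintf(out, cap,
        "Windows Registry Editor Version 5.00\r\n\r\n"
        "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\%s]\r\n"
        "\"Type\"=dword:%08x\r\n"
        "\"Start\"=dword:%08x\r\n"
        "\"ErrorControl\"=dword:00000001\r\n"
        "\"Group\"=\"Base\"\r\n"
        "\"ImagePath\"=\"\\\\SystemRoot\\\\System32\\\\Drivers\\\\%s.sys\"\r\n"
        "\"DisplayName\"=\"%s\"\r\n",
        name, (unsigned)SVC_TYPE_KERNEL_DRIVER, (unsigned)SVC_START_BOOT, name, name);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Pull the service name, Type and Start out of one Services entry in TEXT.
 * Returns 0 when all three were found, -1 otherwise. */
int parse_service_reg(const char *text, char *name, size_t name_cap,
                      long *type, long *start)
{
    static const char key[] = "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\";
    static const char tkey[] = "\"Type\"=dword:", skey[] = "\"Start\"=dword:";
    const size_t kl = sizeof key - 1;
    const char *p = text;

    name[0] = '\0';
    *type = *start = -1;
    while (*p) {
        const char *eol = strpbrk(p, "\r\n");
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len > kl + 1 && strncmp(p, key, kl) == 0 && p[len - 1] == ']') {
            size_t nl = len - kl - 1;               /* drop prefix and ']' */
            if (nl >= name_cap) return -1;
            memcpy(name, p + kl, nl);
            name[nl] = '\0';
        } else if (strncmp(p, tkey, sizeof tkey - 1) == 0) {
            *type = strtol(p + sizeof tkey - 1, NULL, 16);
        } else if (strncmp(p, skey, sizeof skey - 1) == 0) {
            *start = strtol(p + sizeof skey - 1, NULL, 16);
        }
        if (!eol) break;
        for (p = eol; *p == '\r' || *p == '\n'; p++) {}  /* skip line end */
    }
    return (name[0] && *type >= 0 && *start >= 0) ? 0 : -1;
}

/* 1 = boot-start kernel driver (Type 1, Start 0); 0 = starts some other way;
 * -1 = not a parsable Services entry. */
int classify_reg_text(const char *text)
{
    char name[65];
    long type, start;
    if (parse_service_reg(text, name, sizeof name, &type, &start) != 0) return -1;
    return (type == SVC_TYPE_KERNEL_DRIVER && start == SVC_START_BOOT) ? 1 : 0;
}

/* Round trip: generate the entry for NAME, then classify what was generated. */
int generated_reg_is_boot_start(const char *name)
{
    char buf[1024];
    return build_boot_reg(name, buf, sizeof buf) < 0 ? -1 : classify_reg_text(buf);
}

int main(void)
{
    char buf[1024];
    if (build_boot_reg("HelloDriver", buf, sizeof buf) < 0) return 1;
    fputs(buf, stdout);   /* the entry GenRegBootDriver would write for HelloDriver */
    printf("HelloDriver boot-start? %d\n", classify_reg_text(buf));
    printf("OtherDrv boot-start?    %d\n", classify_reg_text(DEMAND_START_SAMPLE));
    return 0;
}
```

The classifier only looks at Type and Start, which is what decides whether a driver is loaded by the boot loader; an audit over exported Services keys would run classify_reg_text on each entry and list the ones returning 1. Note that the example doubles the backslashes in the quoted ImagePath value: in .reg syntax a backslash inside a quoted string is an escape character.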
Feel Home
and be my guest,
Best
Dr_Hun74