Why Process Monitor Loads it Driver Withou Registry Entry

alec_lee

I'm new to kernel mode driver.

I'm having a look at Sysinternals' Processor Monitor. From what I know, it generates a kernel driver called PROCEXP??? on the fly when executed. WinObj.exe shows the driver object, device object, symlink of the same is really created. But the regedit shows no entry added to HKLM\System\CCS\Services

How does it load a driver without leaving any trace in the registry?

alec_lee

Typing mistake. I'm talking about "Process Explorer" not monitor

Tim_Roberts

[email protected] wrote:
> I'm having a look at Sysinternals' Processor Monitor. From what I know, it generates a kernel driver called PROCEXP??? on the fly when executed. WinObj.exe shows the driver object, device object, symlink of the same is really created. But the regedit shows no entry added to HKLM\System\CCS\Services
>
> How does it load a driver without leaving any trace in the registry?

DbgView does the same thing. You can run procmon when you start dbgview
to check it.

Hint: you can remove the Services registry entries for a kernel driver
that is still loaded.

--
Tim Roberts, [email protected]
Providenza & Boekelheide, Inc.

alec_lee

> Hint: you can remove the Services registry entries for a kernel driver that is still loaded.
Exactly how?

I used an API monitoring tool (http://www.rohitab.com/apimonitor) to hook the APIs called by Process Explorer. It does manually create a registry key HKLM\System\CCS\Services\PROCEXPxxx.SYS and delete it sometime later. But it doesn't call CreateService()/OpenService(). So, how does it load the PROCEXPxxx.SYS? My understanding is that if we manually create the registry key, we have to reboot once for the key to take effect (except if CreateService() is used to create the key)

Tim_Roberts

[email protected] wrote:
> Exactly how?
>
> I used an API monitoring tool (http://www.rohitab.com/apimonitor) to hook the APIs called by Process Explorer. It does manually create a registry key HKLM\System\CCS\Services\PROCEXPxxx.SYS and delete it sometime later. But it doesn't call CreateService()/OpenService().

Are you sure ApiMonitor snaggles those APIs? If you do "dumpbin
/imports" on dbgview.exe, it clearly imports CreateService and friends.

--
Tim Roberts, [email protected]
Providenza & Boekelheide, Inc.

Petr_Kurtin

Process Explorer is using NtLoadDriver, no SCM APIs


-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of
[email protected]
Sent: Thursday, February 26, 2015 7:50 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Why Process Monitor Loads it Driver Withou Registry
Entry

> Hint: you can remove the Services registry entries for a kernel driver
that is still loaded.
Exactly how?

I used an API monitoring tool (http://www.rohitab.com/apimonitor) to hook
the APIs called by Process Explorer. It does manually create a registry key
HKLM\System\CCS\Services\PROCEXPxxx.SYS and delete it sometime later. But it
doesn't call CreateService()/OpenService(). So, how does it load the
PROCEXPxxx.SYS? My understanding is that if we manually create the registry
key, we have to reboot once for the key to take effect (except if
CreateService() is used to create the key)

Maxim_S._Shatskih

NtLoadDriver IIRC requires the SC key.

ZwSetSystemInformation can IIRC load the .sys without the SC key.

--
Maxim S. Shatskih
Microsoft MVP on File System And Storage
[email protected]
http://www.storagecraft.com

"Petr Kurtin" <[email protected]> wrote in message news:[email protected]
> Process Explorer is using NtLoadDriver, no SCM APIs
>
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of
> [email protected]
> Sent: Thursday, February 26, 2015 7:50 PM
> To: Windows System Software Devs Interest List
> Subject: RE:[ntdev] Why Process Monitor Loads it Driver Withou Registry
> Entry
>
>> Hint: you can remove the Services registry entries for a kernel driver
> that is still loaded.
> Exactly how?
>
> I used an API monitoring tool (http://www.rohitab.com/apimonitor) to hook
> the APIs called by Process Explorer. It does manually create a registry key
> HKLM\System\CCS\Services\PROCEXPxxx.SYS and delete it sometime later. But it
> doesn't call CreateService()/OpenService(). So, how does it load the
> PROCEXPxxx.SYS? My understanding is that if we manually create the registry
> key, we have to reboot once for the key to take effect (except if
> CreateService() is used to create the key)
>
>
>
>

Don_Burn

Max,

The "documentation" (i.e. the internet clones of the Gary Nebbett data)
for ZwSetSystemInformation about loading a driver has been wrong since
Windows XP. Most documentation forgets to mention it loads it in a session,
and it does not call DriverEntry. So trying to use that from user space
would have a lot of challenges, and as has already been pointed out, the SC
key is created, the driver loaded, then the key deleted.


Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com





-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Maxim S. Shatskih
Sent: Thursday, February 26, 2015 5:57 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Why Process Monitor Loads it Driver Withou Registry
Entry

NtLoadDriver IIRC requires the SC key.

ZwSetSystemInformation can IIRC load the .sys without the SC key.

--
Maxim S. Shatskih
Microsoft MVP on File System And Storage [email protected]
http://www.storagecraft.com

"Petr Kurtin" <[email protected]> wrote in message news:[email protected]
> Process Explorer is using NtLoadDriver, no SCM APIs
>
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of
> [email protected]
> Sent: Thursday, February 26, 2015 7:50 PM
> To: Windows System Software Devs Interest List
> Subject: RE:[ntdev] Why Process Monitor Loads it Driver Withou
> Registry Entry
>
>> Hint: you can remove the Services registry entries for a kernel
>> driver
> that is still loaded.
> Exactly how?
>
> I used an API monitoring tool (http://www.rohitab.com/apimonitor) to
> hook the APIs called by Process Explorer. It does manually create a
> registry key HKLM\System\CCS\Services\PROCEXPxxx.SYS and delete it
> sometime later. But it doesn't call CreateService()/OpenService(). So,
> how does it load the PROCEXPxxx.SYS? My understanding is that if we
> manually create the registry key, we have to reboot once for the key
> to take effect (except if
> CreateService() is used to create the key)
>
>
>
>

---
NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Maxim_S._Shatskih

Thanks Don!

> and it does not call DriverEntry.

Well, this is logical, since DriverEntry requires RegistryPath which is absent if there is no SC key, and passing NULL there is a bad idea since this is reserved for a crash dump/hiber path IIRC (or was it DriverObject == NULL for dump/hiber path?).

--
Maxim S. Shatskih
Microsoft MVP on File System And Storage
[email protected]
http://www.storagecraft.com

alec_lee

>Are you sure ApiMonitor snaggles those APIs? If you do "dumpbin /imports" on dbgview.exe, it clearly imports CreateService and friends.

Tim,

I just did it on procexp.exe. And, no, it does NOT import CreateService.

So, how does a user mode program load a driver without rebooting/calling CreateService?

Tim_Roberts

[email protected] wrote:
>> Are you sure ApiMonitor snaggles those APIs? If you do "dumpbin /imports" on dbgview.exe, it clearly imports CreateService and friends.
> I just did it on procexp.exe. And, no, it does NOT import CreateService.
>
> So, how does a user mode program load a driver without rebooting/calling CreateService?

My colleagues are saying NtLoadDriver/ZwLoadDriver can do that. I've
never used either one.

--
Tim Roberts, [email protected]
Providenza & Boekelheide, Inc.

Micel_Whave

@alec lee: ntdll!NtLoadDriver is being used. However, Using API Monitor I was unable to nail the native call down (hook technique used = "Static Import").
By leveraging the local kernel debugger in order to write garbage at nt!NtLoadDriver I was able to provoke a telltale BSoD:

STACK_TEXT:
ffffd001`930c3c38 fffff801`351b2f63 : 00000000`00000000 00000000`00000000 00000000`00000000 ffffe000`f181a800 : nt!NtLoadDriver
ffffd001`930c3c40 00007ff9`5d94e92a : 00007ff7`4b4c3779 00000000`007ced30 00000000`007cf170 00007ff7`4b5b14b8 : nt!KiSystemServiceCopyEnd+0x13
00000000`007ceac8 00007ff7`4b4c3779 : 00000000`007ced30 00000000`007cf170 00007ff7`4b5b14b8 00000000`00000000 : ntdll!NtLoadDriver+0xa
00000000`007cead0 00007ff7`4b508a1a : 00007ff7`4b5b14b8 00000000`007cf600 00007ff7`4b5d96e8 00007ff7`4b5b1498 : procexp64+0x13779
00000000`007cf5d0 00007ff7`4b50e07c : 00007ff7`4b5b2bf0 00007ff7`4a69a000 00000000`00000000 00007ff7`4a69a000 : procexp64+0x58a1a
00000000`007cfa40 00007ff7`4b4c975e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : procexp64+0x5e07c
00000000`007cfb20 00007ff7`4b54c4a8 : 00007ff7`4b4b0000 00000000`00000001 00000000`007cfc50 00007ff7`4a69a000 : procexp64+0x1975e
00000000`007cfc10 00007ff7`4b5804c6 : 00007ff7`4b4b0000 00000000`00000000 00000000`00971b1c 00007ff7`00000001 : procexp64+0x9c4a8
00000000`007cfdc0 00007ff9`5c555f72 : 00000000`00000000 00007ff7`4b580514 00000000`00000000 00000000`00000000 : procexp64+0xd04c6
00000000`007cfe70 00007ff9`5d919b54 : 00007ff9`5c555f50 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x22
00000000`007cfea0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x34

==> ntdll!NtLoadDriver is being used.

Tim Roberts wrote: "Hint: you can remove the Services registry entries for a kernel driver
that is still loaded."

You can do that even from the driver itself and also remove its image file. By the way, this is where the funny part begins. Removing all evidence of your driver after it has been loaded. Heck, you can even create some system threads in your driver entry and immediately unload your driver. (You will need to duplicate your driver into nonpaged pool before doing so)


Best Regards

Microwave89

Chris_Aseltine

Micel Whave wrote:

> You can do that even from the driver itself and also remove
> its image file. By the way, this is where the funny part begins.
> Removing all evidence of your driver after it has been loaded.
> Heck, you can even create some system threads in your driver
> entry and immediately unload your driver. (You will need to
> duplicate your driver into nonpaged pool before doing so)

I feel like this is the type of thing which would be discussed on the aforementioned "Chinese and Russian language" driver forums.

Micel_Whave

Yes, that might be.
Hence, I won't discuss this issue(s) further.

Best Regards

Microwave89