Home NTDEV
Discovering footprints of loaded and unloaded kernel mode drivers

JordanPietka Member Posts: 5

Background: There are vulnerable kernel mode drivers for Windows systems, which can be loaded into the system for various purposes. Loaded kernel mode drivers leave traces in the system. Anti-cheat software for video games, for example, looks for vulnerable driver traces in various parts of the system because they are used for cheating. The logic used by anti-cheat software could perhaps be (or already is) used by anti-rootkit tools or rootkits themselves.

I am wondering where traces are left after drivers are loaded and then unloaded. From my research, I found these two places in the Windows NT kernel where unloaded drivers leave traces:

  1. PiDDBCacheTable
  2. MmUnloadedDrivers

(Just to let you know, those are undocumented data structures.) Where else could they leave traces? Is it possible for me to learn this without reverse-engineering the Windows kernel myself?

Comments

  • Peter_Viscarola_(OSR) Administrator Posts: 7,802

    Well, there’s this.

    Not sure what else you’re asking.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • JordanPietka Member Posts: 5

    @Peter_Viscarola_(OSR) said:
    Well, there’s this.

    Not sure what else you’re asking.

    Peter

    This information is incomplete. Windows Events and PiDDBCacheTable also contain information regarding unloaded kernel modules. You are supposed to be the guru of kernel mode development. It is sad that you don't know much.

  • Tim_Roberts Member - All Emails Posts: 13,401

    Bye bye.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • JordanPietka Member Posts: 5

    @Tim_Roberts said:
    Bye bye.

    ?

  • Martin_Burnicki Member - All Emails Posts: 27

    @JordanPietka said:

    @Tim_Roberts said:
    Bye bye.

    ?

    Hm, you offend the folks who try to help you, and then wonder why they stop replying to you? Really?

  • Tim_Roberts Member - All Emails Posts: 13,401

    @JordanPietka said:

    ?

    Peter owns the company that provides the equipment for this mailing list. It's his yard. I'm guessing you won't be here for long.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • JordanPietka Member Posts: 5

    Look guys, for the Windows kernel, a lot of information is missing. It is so incredibly frustrating that there is no information available publicly. So people come to these forums, and they cannot find information here either.

    Also, I didn't say anything bad about Peter. I just said that it is sad that even Peter doesn't know a lot of stuff well. This doesn't mean Peter is an unknowledgeable person.

  • Tim_Roberts Member - All Emails Posts: 13,401

    Also, I didn't say anything bad about Peter. ... This doesn't mean Peter is unknowledgeable Person.

    Maybe you weren't paying attention, but what you literally typed was "It is sad that you don't know much." It is extremely difficult to spin that comment in a positive way.

    Besides which, of course, you are being extremely unfair. There are vast amounts of information about the Windows kernel available publicly. The implementation details are still proprietary, and what you are asking for are very narrow implementation details that are unimportant to the vast majority of kernel drivers. I doubt there are more than 2 kernel developers within Microsoft who could address your question. They're too busy making the system run. Security researchers and professional hackers probably have a clue, but they don't publish their results in peer-reviewed journals.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • JordanPietka Member Posts: 5

    @Tim_Roberts said:

    Also, I didn't say anything bad about Peter. ... This doesn't mean Peter is unknowledgeable Person.

    Maybe you weren't paying attention, but what you literally typed was "It is sad that you don't know much." It is extremely difficult to spin that comment in a positive way.

    It's called "banter".

  • anton_bassov Member Posts: 5,158

    I have to remind everyone that we were all inexperienced once. Strangely enough, it has not yet been pointed out on this thread so far....

    Anton Bassov
