
Discovering footprints of loaded and unloaded kernel mode drivers

JordanPietka Member Posts: 5

Background: There are vulnerable kernel mode drivers for Windows systems, which can be loaded into the system for various purposes. Loaded kernel mode drivers leave traces in the system. Anti-cheat software for video games, for example, looks for vulnerable driver traces in various parts of the system because they are used for cheating. The logic used by anti-cheat software could perhaps be (or was already) used by anti-rootkit tools or rootkits themselves.

I am wondering where traces are left after drivers are loaded and then unloaded. From my research, I found these two places in the Windows NT kernel where unloaded drivers leave traces:

  1. PiDDBCacheTable
  2. MmUnloadedDrivers

(Just to let you know, those are undocumented data structures) Where else could they leave traces? Is it possible for me to learn it without reverse-engineering the Windows kernel by myself?
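As an added, defender-side example that is not part of the original thread: the kernel debugger's `lm` command prints the MmUnloadedDrivers list under the heading "Unloaded modules:", and the Python below parses a constructed sample of that listing and flags entries that match a watchlist of driver file names. The sample output, its addresses, and the watchlist entry `example_vuln.sys` are all constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample of the "Unloaded modules:" section that the kernel
# debugger's `lm` command prints from MmUnloadedDrivers; names and
# addresses are made up for this example.
SAMPLE_LM_OUTPUT = """\
Unloaded modules:
fffff806`6a1c0000 fffff806`6a1d0000   dump_storport.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
    ImageSize:  00010000
fffff806`71200000 fffff806`71245000   example_vuln.sys
    Timestamp: unavailable (00000000)
    Checksum:  00000000
    ImageSize:  00045000
"""

# Constructed watchlist (placeholder name); a real one would come from a
# curated catalog of known-vulnerable driver file names.
WATCHLIST = {"example_vuln.sys"}

# One entry line: start address, end address, module file name.
_ENTRY_RE = re.compile(
    r"^(?P<start>[0-9a-f]{8}`[0-9a-f]{8})\s+(?P<end>[0-9a-f]{8}`[0-9a-f]{8})\s+(?P<name>\S+)\s*$",
    re.IGNORECASE,
)

@dataclass(frozen=True)
class UnloadedModule:
    name: str
    start: int
    end: int

def parse_unloaded_modules(lm_output: str) -> list:
    """Return entries under 'Unloaded modules:'; lines before that heading are ignored."""
    modules, in_section = [], False
    for line in lm_output.splitlines():
        if line.strip() == "Unloaded modules:":
            in_section = True
        elif in_section and (m := _ENTRY_RE.match(line)):
            start, end = (int(m[g].replace("`", ""), 16) for g in ("start", "end"))
            modules.append(UnloadedModule(m["name"], start, end))
    return modules

def flag_watchlisted(modules, watchlist=WATCHLIST):
    """Case-insensitive match of unloaded driver names against the watchlist."""
    wanted = {w.lower() for w in watchlist}
    return [mod for mod in modules if mod.name.lower() in wanted]
```

The same parse works on a saved `lm` transcript from a crash dump, which is where a responder would usually meet this list rather than on a live machine.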

Comments

  • Peter_Viscarola_(OSR) Administrator Posts: 7,476

    Well, there’s this.

    Not sure what else you’re asking.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • JordanPietka Member Posts: 5

    @Peter_Viscarola_(OSR) said:
    Well, there’s this.

    Not sure what else you’re asking.

    Peter

    This information is incomplete. Windows Events and PiDDBCacheTable also contain information regarding unloaded kernel modules. You are supposed to be the guru of kernel mode development. It is sad that you don't know much.

  • Tim_Roberts Member - All Emails Posts: 13,133

    Bye bye.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • JordanPietka Member Posts: 5

    @Tim_Roberts said:
    Bye bye.

    ?

  • Martin_Burnicki Member - All Emails Posts: 26

    @JordanPietka said:

    @Tim_Roberts said:
    Bye bye.

    ?

    Hm, you offend the folks who try to help you, and then wonder why they stop replying to you? Really?

  • Tim_Roberts Member - All Emails Posts: 13,133

    @JordanPietka said:

    ?

    Peter owns the company that provides the equipment for this mailing list. It's his yard. I'm guessing you won't be here for long.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • JordanPietka Member Posts: 5

    Look guys, for the Windows kernel, a lot of information is missing. It is so incredibly frustrating that there is no information available publicly. So, people come to these forums and they cannot find information here either.

    Also, I didn't say anything bad about Peter. I just said that it is sad that even Peter doesn't know a lot of stuff well. This doesn't mean Peter is an unknowledgeable person.

  • Tim_Roberts Member - All Emails Posts: 13,133

    Also, I didn't say anything bad about Peter. ... This doesn't mean Peter is an unknowledgeable person.

    Maybe you weren't paying attention, but what you literally typed was "It is sad that you don't know much." It is extremely difficult to spin that comment in a positive way.

    Besides which, of course, you are being extremely unfair. There are vast amounts of information about the Windows kernel available publicly. The implementation details are still proprietary, and what you are asking for are very narrow implementation details that are unimportant to the vast majority of kernel drivers. I doubt there are more than 2 kernel developers within Microsoft who could address your question. They're too busy making the system run. Security researchers and professional hackers probably have a clue, but they don't publish their results in peer-reviewed journals.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • JordanPietka Member Posts: 5

    @Tim_Roberts said:

    Also, I didn't say anything bad about Peter. ... This doesn't mean Peter is an unknowledgeable person.

    Maybe you weren't paying attention, but what you literally typed was "It is sad that you don't know much." It is extremely difficult to spin that comment in a positive way.

    It's called "banter".

  • anton_bassov Member Posts: 5,054

    I have to remind everyone that we were all inexperienced once. Strangely enough, it has not yet been pointed out in this thread so far....

    Anton Bassov
