Why Process Monitor Loads Its Driver Without a Registry Entry

I’m new to kernel mode driver.

I’m having a look at Sysinternals’ Process Monitor. From what I know, it generates a kernel driver called PROCEXP??? on the fly when executed. WinObj.exe shows that the driver object, device object and symlink for it are really created. But regedit shows no entry added to HKLM\System\CCS\Services.

How does it load a driver without leaving any trace in the registry?

Typing mistake. I’m talking about “Process Explorer”, not Monitor.

xxxxx@hotmail.com wrote:

I’m having a look at Sysinternals’ Process Monitor. From what I know, it generates a kernel driver called PROCEXP??? on the fly when executed. WinObj.exe shows that the driver object, device object and symlink for it are really created. But regedit shows no entry added to HKLM\System\CCS\Services.

How does it load a driver without leaving any trace in the registry?

DbgView does the same thing. You can run procmon when you start dbgview
to check it.

Hint: you can remove the Services registry entries for a kernel driver
that is still loaded.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

> Hint: you can remove the Services registry entries for a kernel driver that is still loaded.
Exactly how?

I used an API monitoring tool (http://www.rohitab.com/apimonitor) to hook the APIs called by Process Explorer. It does manually create a registry key HKLM\System\CCS\Services\PROCEXPxxx.SYS and delete it sometime later. But it doesn’t call CreateService()/OpenService(). So, how does it load the PROCEXPxxx.SYS? My understanding is that if we manually create the registry key, we have to reboot once for the key to take effect (except if CreateService() is used to create the key)

xxxxx@hotmail.com wrote:

Exactly how?

I used an API monitoring tool (http://www.rohitab.com/apimonitor) to hook the APIs called by Process Explorer. It does manually create a registry key HKLM\System\CCS\Services\PROCEXPxxx.SYS and delete it sometime later. But it doesn’t call CreateService()/OpenService().

Are you sure ApiMonitor snaggles those APIs? If you do “dumpbin
/imports” on dbgview.exe, it clearly imports CreateService and friends.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Process Explorer is using NtLoadDriver, no SCM APIs

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@hotmail.com
Sent: Thursday, February 26, 2015 7:50 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Why Process Monitor Loads it Driver Withou Registry
Entry

Hint: you can remove the Services registry entries for a kernel driver
that is still loaded.
Exactly how?

I used an API monitoring tool (http://www.rohitab.com/apimonitor) to hook
the APIs called by Process Explorer. It does manually create a registry key
HKLM\System\CCS\Services\PROCEXPxxx.SYS and delete it sometime later. But it
doesn’t call CreateService()/OpenService(). So, how does it load the
PROCEXPxxx.SYS? My understanding is that if we manually create the registry
key, we have to reboot once for the key to take effect (except if
CreateService() is used to create the key)

NtLoadDriver IIRC requires the SC key.

ZwSetSystemInformation can IIRC load the .sys without the SC key.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

“Petr Kurtin” wrote in message news:xxxxx@ntdev…
> Process Explorer is using NtLoadDriver, no SCM APIs
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of
> xxxxx@hotmail.com
> Sent: Thursday, February 26, 2015 7:50 PM
> To: Windows System Software Devs Interest List
> Subject: RE:[ntdev] Why Process Monitor Loads it Driver Withou Registry
> Entry
>
>> Hint: you can remove the Services registry entries for a kernel driver
> that is still loaded.
> Exactly how?
>
> I used an API monitoring tool (http://www.rohitab.com/apimonitor) to hook
> the APIs called by Process Explorer. It does manually create a registry key
> HKLM\System\CCS\Services\PROCEXPxxx.SYS and delete it sometime later. But it
> doesn’t call CreateService()/OpenService(). So, how does it load the
> PROCEXPxxx.SYS? My understanding is that if we manually create the registry
> key, we have to reboot once for the key to take effect (except if
> CreateService() is used to create the key)
>
>
>
>

Max,

The “documentation” (i.e. the internet clones of the Gary Nebbett data)
for ZwSetSystemInformation about loading a driver has been wrong since
Windows XP. Most documentation forgets to mention it loads it in a session,
and it does not call DriverEntry. So trying to use that from user space
would have a lot of challenges, and as has already been pointed out, the SC
key is created, the driver loaded, then the key deleted.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Maxim S. Shatskih
Sent: Thursday, February 26, 2015 5:57 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Why Process Monitor Loads it Driver Withou Registry
Entry

NtLoadDriver IIRC requires the SC key.

ZwSetSystemInformation can IIRC load the .sys without the SC key.


Maxim S. Shatskih
Microsoft MVP on File System And Storage xxxxx@storagecraft.com
http://www.storagecraft.com

“Petr Kurtin” wrote in message news:xxxxx@ntdev…
> Process Explorer is using NtLoadDriver, no SCM APIs
>
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of
> xxxxx@hotmail.com
> Sent: Thursday, February 26, 2015 7:50 PM
> To: Windows System Software Devs Interest List
> Subject: RE:[ntdev] Why Process Monitor Loads it Driver Withou
> Registry Entry
>
>> Hint: you can remove the Services registry entries for a kernel
>> driver
> that is still loaded.
> Exactly how?
>
> I used an API monitoring tool (http://www.rohitab.com/apimonitor) to
> hook the APIs called by Process Explorer. It does manually create a
> registry key HKLM\System\CCS\Services\PROCEXPxxx.SYS and delete it
> sometime later. But it doesn’t call CreateService()/OpenService(). So,
> how does it load the PROCEXPxxx.SYS? My understanding is that if we
> manually create the registry key, we have to reboot once for the key
> to take effect (except if
> CreateService() is used to create the key)
>
>
>
>


NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
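The two observable facts in this thread (Tim's hint that a loaded driver can have its Services key removed, and Don's description of the create key / load / delete key sequence) are what a defender would want to alert on. The following Python script is an added example, not code from the thread, from OSR or from Sysinternals: it correlates constructed registry create/delete and driver-load events into a create-load-delete finding, and separately compares a snapshot of loaded driver images against the Services keys that name them. The log line format and the event kind names are assumptions made up for this example, not any product's real schema.

```python
r"""Flag kernel drivers loaded through a short-lived Services key.

Added example (not from the ntdev thread). Event format is constructed:
    <ISO timestamp> <RegCreate|RegDelete|DriverLoad> <target>
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass
from datetime import datetime, timedelta

# Prefix of the per-driver service keys (HKLM\System\CCS\Services in the thread).
SERVICES_PREFIX = r"HKLM\System\CurrentControlSet\Services"


@dataclass
class Event:
    ts: datetime
    kind: str    # "RegCreate", "RegDelete" or "DriverLoad"
    target: str  # registry key path or driver image path


def parse_line(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    ts, kind, target = line.strip().split(" ", 2)
    return Event(datetime.fromisoformat(ts), kind, target)


def service_name(key_path: str) -> str | None:
    """Return <name> if key_path is exactly Services\<name>, else None."""
    head, _, name = key_path.rpartition("\\")
    if head.lower() != SERVICES_PREFIX.lower() or not name:
        return None
    return name


def image_stem(path_or_name: str) -> str:
    """Lower-case file name without a .sys suffix; pairs loads with keys."""
    base = ntpath.basename(path_or_name).lower()
    return base[:-4] if base.endswith(".sys") else base


def find_transient_driver_loads(lines, window=timedelta(minutes=5)):
    """Findings for RegCreate -> DriverLoad -> RegDelete within `window`."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    created = {}   # lower-case service name -> key creation time
    loaded = {}    # lower-case service name -> (load time, image path)
    findings = []
    for ev in events:
        if ev.kind == "RegCreate":
            name = service_name(ev.target)
            if name:
                created[name.lower()] = ev.ts
        elif ev.kind == "DriverLoad":
            stem = image_stem(ev.target)
            # Pair the load with any still-open key whose name matches the image.
            for name in created:
                if image_stem(name) == stem:
                    loaded[name] = (ev.ts, ev.target)
        elif ev.kind == "RegDelete":
            name = service_name(ev.target)
            key = name.lower() if name else None
            if key in loaded and ev.ts - created[key] <= window:
                load_ts, image = loaded[key]
                findings.append({"service": name, "image": image,
                                 "created": created[key],
                                 "loaded": load_ts, "deleted": ev.ts})
            created.pop(key, None)
            loaded.pop(key, None)
    return findings


def orphaned_loaded_drivers(loaded_images, service_image_paths):
    """Loaded driver images that no Services key accounts for (Tim's hint).

    service_image_paths maps service name -> ImagePath value, or None when
    the key has no ImagePath (then the image defaults to <name>.sys).
    """
    known = {image_stem(p) if p else image_stem(n)
             for n, p in service_image_paths.items()}
    return sorted(p for p in loaded_images if image_stem(p) not in known)


# Constructed sample telemetry: one tool creates a key, loads its driver and
# deletes the key a second later; one normal install keeps its key; one old
# key is removed hours after its load, outside the correlation window.
SAMPLE_LINES = r"""
2015-02-26T19:49:58 RegCreate HKLM\System\CurrentControlSet\Services\TRANSIENTDRV
2015-02-26T19:49:58 DriverLoad C:\Windows\Temp\TRANSIENTDRV.SYS
2015-02-26T19:49:59 RegDelete HKLM\System\CurrentControlSet\Services\TRANSIENTDRV
2015-02-26T19:50:10 RegCreate HKLM\System\CurrentControlSet\Services\KeptDrv
2015-02-26T19:50:11 DriverLoad C:\Windows\System32\drivers\keptdrv.sys
2015-02-26T09:00:00 RegCreate HKLM\System\CurrentControlSet\Services\StaleDrv
2015-02-26T09:00:01 DriverLoad C:\Windows\System32\drivers\staledrv.sys
2015-02-26T13:30:00 RegDelete HKLM\System\CurrentControlSet\Services\StaleDrv
""".strip().splitlines()

# Constructed snapshot: loaded images versus the Services keys present now.
SAMPLE_LOADED = [r"C:\Windows\Temp\TRANSIENTDRV.SYS",
                 r"C:\Windows\System32\drivers\keptdrv.sys",
                 r"C:\Windows\System32\drivers\tcpip.sys"]
SAMPLE_SERVICES = {"KeptDrv": r"\SystemRoot\System32\drivers\keptdrv.sys",
                   "Tcpip": None}

if __name__ == "__main__":
    for f in find_transient_driver_loads(SAMPLE_LINES):
        lifetime = (f["deleted"] - f["created"]).total_seconds()
        print(f"{f['service']}: key lived {lifetime:.0f}s, image {f['image']}")
    for image in orphaned_loaded_drivers(SAMPLE_LOADED, SAMPLE_SERVICES):
        print("loaded without a Services key:", image)
```

The pairing of a load with a key relies on the image stem matching the key name, which holds for the case in the thread but not for every driver; when you have the ImagePath value written into the key, match on that instead. The snapshot check is the same idea Tim's hint implies: enumerate what is loaded (driverquery or a WinObj-style walk of \Driver) and ask which images no current Services key explains.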

Thanks Don!

and it does not call DriverEntry.

Well, this is logical, since DriverEntry requires RegistryPath which is absent if there is no SC key, and passing NULL there is a bad idea since this is reserved for a crash dump/hiber path IIRC (or was it DriverObject == NULL for dump/hiber path?).


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

>Are you sure ApiMonitor snaggles those APIs? If you do “dumpbin /imports” on dbgview.exe, it clearly imports CreateService and friends.

Tim,

I just did it on procexp.exe. And, no, it does NOT import CreateService.

So, how does a user mode program load a driver without rebooting/calling CreateService?

xxxxx@hotmail.com wrote:

> Are you sure ApiMonitor snaggles those APIs? If you do “dumpbin /imports” on dbgview.exe, it clearly imports CreateService and friends.
I just did it on procexp.exe. And, no, it does NOT import CreateService.

So, how does a user mode program load a driver without rebooting/calling CreateService?

My colleagues are saying NtLoadDriver/ZwLoadDriver can do that. I’ve
never used either one.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

@alec lee: ntdll!NtLoadDriver is being used. However, using API Monitor I was unable to nail the native call down (hook technique used = “Static Import”).
By leveraging the local kernel debugger in order to write garbage at nt!NtLoadDriver I was able to provoke a telltale BSoD:

STACK_TEXT:
ffffd001930c3c38 fffff801351b2f63 : 0000000000000000 0000000000000000 0000000000000000 ffffe000f181a800 : nt!NtLoadDriver
ffffd001930c3c40 00007ff95d94e92a : 00007ff74b4c3779 00000000007ced30 00000000007cf170 00007ff74b5b14b8 : nt!KiSystemServiceCopyEnd+0x13
00000000007ceac8 00007ff74b4c3779 : 00000000007ced30 00000000007cf170 00007ff74b5b14b8 0000000000000000 : ntdll!NtLoadDriver+0xa
00000000007cead0 00007ff74b508a1a : 00007ff74b5b14b8 00000000007cf600 00007ff74b5d96e8 00007ff74b5b1498 : procexp64+0x13779
00000000007cf5d0 00007ff74b50e07c : 00007ff74b5b2bf0 00007ff74a69a000 0000000000000000 00007ff74a69a000 : procexp64+0x58a1a
00000000007cfa40 00007ff74b4c975e : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : procexp64+0x5e07c
00000000007cfb20 00007ff74b54c4a8 : 00007ff74b4b0000 0000000000000001 00000000007cfc50 00007ff74a69a000 : procexp64+0x1975e
00000000007cfc10 00007ff74b5804c6 : 00007ff74b4b0000 0000000000000000 0000000000971b1c 00007ff700000001 : procexp64+0x9c4a8
00000000007cfdc0 00007ff95c555f72 : 0000000000000000 00007ff74b580514 0000000000000000 0000000000000000 : procexp64+0xd04c6
00000000007cfe70 00007ff95d919b54 : 00007ff95c555f50 0000000000000000 0000000000000000 0000000000000000 : KERNEL32!BaseThreadInitThunk+0x22
00000000007cfea0 0000000000000000 : 0000000000000000 0000000000000000 0000000000000000 0000000000000000 : ntdll!RtlUserThreadStart+0x34

==> ntdll!NtLoadDriver is being used.

Tim Roberts wrote: “Hint: you can remove the Services registry entries for a kernel driver that is still loaded.”

You can do that even from the driver itself and also remove its image file. By the way, this is where the funny part begins. Removing all evidence of your driver after it has been loaded. Heck, you can even create some system threads in your driver entry and immediately unload your driver. :wink: (You will need to duplicate your driver into nonpaged pool before doing so)

Best Regards

Microwave89

Micel Whave wrote:

You can do that even from the driver itself and also remove
its image file. By the way, this is where the funny part begins.
Removing all evidence of your driver after it has been loaded.
Heck, you can even create some system threads in your driver
entry and immediately unload your driver. :wink: (You will need to
duplicate your driver into nonpaged pool before doing so)

I feel like this is the type of thing which would be discussed on the aforementioned “Chinese and Russian language” driver forums.

Yes, that might be.
Hence, I won’t discuss this issue(s) further.

Best Regards

Microwave89