Getting DRIVER_OBJECT structure without drivername?

Hello…

First of all: I’m not very good at writing in this language, so I really hope you are able to understand me. At the moment I’m trying my hand at writing some kind of anti-virus software, which should be able to terminate a malware driver on demand and list information about loaded drivers (an experiment for personal use only, nothing I want to sell). In order to do so, I learned a little bit of driver writing - so don’t wonder about anything, I’m really a beginner who is trying to get into this stuff.

In the Native API there is a function called ZwSetSystemInformation (class -> SystemUnloadImage), which is able to unload a driver without calling its DriverUnload routine. To use this function, I need a pointer to the DriverSection member of the DRIVER_OBJECT structure of the driver I want to terminate. When I’m using ObReferenceObjectByName with \driver\ + “drivername”, I’m able to get the pointer I want. But especially from one kind of malware driver I can’t get the drivername - I only have the loading address in virtual memory, path and filename.

Is there any way to get the DRIVER_OBJECT structure of a “driver” without having an object name?

regards

Andreas

Forget this, it is not worth the effort. First, you cannot unload a driver
with references to the DRIVER_OBJECT, so all the driver has to do to
defeat you is call ObReferenceObject on its DRIVER_OBJECT or DEVICE_OBJECT.
Second, most MALWARE uses hooking, so if you unload the driver the hook
will still be there and the result is a crash.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
http://www.windrvr.com
Remove StopSpam from the email to reply


To be clear, a reference on the driver object (or device object) will
not prevent DriverUnload being called (assuming ZwUnloadDriver was
called on it); it will prevent the image from being removed from memory.
This means you can have a driver which has had DriverUnload called on it
and still remains in memory as long as that remaining reference (let’s say
from a file handle) is there.

I also don’t know if you can use
ZwSetSystemInformation(SystemUnloadImage) on a driver that was loaded by
ZwLoadDriver (vs. ZwSetSystemInformation(SystemLoadImage)).

d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Sunday, November 19, 2006 6:15 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Getting DRIVER_OBJECT structure without drivername?

Forget this it is not worth the effort. First you cannot unload a
driver
with with references to the DRIVER_OBJECT so all the driver has to do to

defeat you is call ObReferenceObject on its DRIVER_OBJECT or
DEVICE_OBJECT.
Second, most MALWARE uses hooking, so if you unload the driver the hook
will still be there and result is a crash.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
http://www.windrvr.com
Remove StopSpam from the email to reply

wrote in message news:xxxxx@ntdev…
> Hello…
>
> First of all: I’m not very good in writing something in this language,
so
> I realy hope, you are able to understand me. At the moment I’m trying
me
> out at writing some kind of anti-virus-software, which should be able
to
> terminate a malware-driver on demand and list informations about
loaded
> drivers (an experiment for personal use only, nothing I wan’t to
sell).
> In order to do so, I learned a little bit of driver-writing - so don’t

> wonder about anything, I’m realy a beginner who tries to get into this

> stuff.
>
> In Native API there is a function called ZwSetSystemInformation (class
->
> SystemUnloadImage), which is able to unload a driver whithout calling
> it’s DriverUnload routine. To use this function, I need a pointer to
the
> DriverSection member of the DRIVER_OBJECT structure of the driver, I
> wan’t to terminate. When I’m useing ObReferenceObjectByName with
\driver\
> + “drivername”, I 'm able to get the pointer I want. But especially
from
> one kind of malware-drivers I can’t get the drivername - I only have
the
> loading address in virtual memory, path and filename.
>
> Is there any way to get the DRIVER_OBJECT structure from a “driver”
> without having an object-name?
>
> regards
>
> Andreas
>
>
>
>
>
>
>


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Hello, thanks for answering…

…but unloading is not the question - that seems to work even if the reference count isn’t 0, too.
Getting the DRIVER_OBJECT structure without a drivername, that’s the problem. Is there any way to get it without scanning memory? When a driver is loaded by a special function which is very well known by malware writers, I don’t get the drivername. Can I get the DRIVER_OBJECT structure through the filename or the loading address?

Crashes may be possible, but it’s an experiment and I will see this later on my own.

Ah, yes - ZwSetSystemInformation(SystemUnloadImage) works for drivers loaded with ZwLoadDriver, too. It’s documented this way and I’ve already tested it.

regards

Andreas
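As an added example (not code from the thread or from any of the posters), here is a user-mode PowerShell inventory that approaches the same problem from the listing side rather than the kernel side: it enumerates every kernel module currently in memory through psapi's EnumDeviceDrivers, so it sees a module that has an image base, file name and path but no \Driver\ name, and reports the ones that have no matching driver service. The function names, the boot-time exclusion list and the assumption that the machine runs a current Windows with psapi.dll available are this example's own; it does not touch the DRIVER_OBJECT and does not unload anything.

```powershell
# Added example, not code from the thread: list every kernel module in memory
# (image base, file name, path) and flag the ones with no matching driver
# service. A module brought in through a non-standard load path has an image
# base, path and file name but no service entry, which is the situation the
# thread describes. Assumes Windows, psapi.dll and an elevated prompt; the
# function names and the exclusion list are this example's own choices.

if (-not ('Win32.Psapi' -as [type])) {
    Add-Type -Namespace Win32 -Name Psapi -MemberDefinition @"
[DllImport("psapi.dll", SetLastError = true)]
public static extern bool EnumDeviceDrivers(
    [Out] IntPtr[] lpImageBase, uint cb, out uint lpcbNeeded);

[DllImport("psapi.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint GetDeviceDriverBaseNameW(
    IntPtr ImageBase, System.Text.StringBuilder lpBaseName, uint nSize);

[DllImport("psapi.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint GetDeviceDriverFileNameW(
    IntPtr ImageBase, System.Text.StringBuilder lpFilename, uint nSize);
"@
}

function Get-LoadedKernelModule {
    # The first call only reports how large the buffer must be; the second fills it.
    [uint32]$needed = 0
    [void][Win32.Psapi]::EnumDeviceDrivers($null, 0, [ref]$needed)
    $count = [int]($needed / [IntPtr]::Size)
    $bases = New-Object IntPtr[] $count
    if (-not [Win32.Psapi]::EnumDeviceDrivers($bases, $needed, [ref]$needed)) {
        throw ('EnumDeviceDrivers failed, Win32 error {0}' -f [Runtime.InteropServices.Marshal]::GetLastWin32Error())
    }
    foreach ($base in $bases) {
        $name = New-Object System.Text.StringBuilder 260
        $path = New-Object System.Text.StringBuilder 1024
        [void][Win32.Psapi]::GetDeviceDriverBaseNameW($base, $name, $name.Capacity)
        [void][Win32.Psapi]::GetDeviceDriverFileNameW($base, $path, $path.Capacity)
        [pscustomobject]@{
            ImageBase = '0x{0:X}' -f $base.ToInt64()
            BaseName  = $name.ToString()
            FilePath  = $path.ToString()
        }
    }
}

function Find-UnregisteredKernelModule {
    # Image file names of every registered kernel and file-system driver service.
    $registered = @{}
    foreach ($svc in Get-CimInstance -ClassName Win32_SystemDriver) {
        if ($svc.PathName) {
            $leaf = [IO.Path]::GetFileName($svc.PathName).ToLowerInvariant()
            $registered[$leaf] = $svc.Name
        }
    }
    # Core components loaded by the boot loader rather than the service manager;
    # they have no service entry by design (assumed list, extend per baseline).
    $bootTime = @('ntoskrnl.exe', 'hal.dll', 'kdcom.dll', 'pshed.dll', 'bootvid.dll',
                  'ci.dll', 'clfs.sys', 'mcupdate_genuineintel.dll', 'mcupdate_authenticamd.dll')
    foreach ($module in Get-LoadedKernelModule) {
        $leaf = $module.BaseName.ToLowerInvariant()
        if ($bootTime -contains $leaf) { continue }
        if (-not $registered.ContainsKey($leaf)) { $module }
    }
}

# Usage: run from an elevated prompt and review the output against a known-good baseline.
Find-UnregisteredKernelModule | Format-Table -AutoSize
```

The report is an inventory, not a verdict: a module with no service entry is merely something to explain, and a clean machine has a handful of legitimate ones beyond the exclusion list, so the practical workflow is to record the output of a known-good system once and diff later runs against it.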

If you have detected that a system has been compromised, especially by a kernel-mode virus, then the only real option is to shut down the system and repair by booting from a different OS image. As long as the hostile code is running, you have no way to guarantee that the hostile code has been isolated and removed. Every solution that you can think of has a work-around.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@web.de
Sent: Monday, November 20, 2006 1:47 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Getting DRIVER_OBJECT structure without drivername?

Hello, thanks for answering…

…but unloading is not the question - that seams to work even if the reference count isn’t 0, too.
Getting DRIVER_OBJECT structure without a drivername, that’s the problem. Is there any way to get it without scanning memory? When driver ist loaded by a special function which is very well known by malware writers, I don’t get the drivername. Can I get DRIVER_OBJECT structure through filename ore loading address???

Crashes may be possible, but’s an experiment and I will see this later by my own.

Ah, yes - ZwSetSystemInformation(SystemUnloadImage) works for drivers loaded with ZwLoadDriver, too. It’s documented this way and I’ve already tested it.

regards

Andreas

