Slide 1

Slide 1 text

NotSurprised @ Becks.io [email protected]

Slide 2

Slide 2 text

https://speakerdeck.com/notsurprised/becks-dot-io-number-5-get-start-to-old-driver-in-windows-kernel

Slide 3

Slide 3 text

Intro
• UCCU Hacker
• AIS3 2016 trainee
• SITCON 2019 speaker
• MOPCON 2019 speaker
• ITRI Engineer (serving my country)
• 5-year Bachelor & Master at NSYSU
Email: [email protected]
NotSurprised

Slide 4

Slide 4 text

• Windows Driver Background
• Driver Compiling & Dev. & Dbg
• Vul-Driver & PoE

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

• Some malware uses device drivers to escalate privileges
  – VirtualBox CVE-2014-2477
• Device drivers are already present in some Red Team toolkits
  – Mimikatz uses a driver (mimidrv.sys) to facilitate injection

Slide 7

Slide 7 text

• Windows Driver Model (WDM)
• Windows OS driver categories:
  – bus driver (e.g. USB, PCI)
  – function driver (e.g. USB adaptor)
  – filter driver (e.g. anti-virus)

Slide 8

Slide 8 text

• After Windows 7, filter compilation was migrated into Visual Studio, and WDF and the Minifilter model were refactored out of WDM.
• A Minifilter is much easier to compile than a traditional (legacy) filter; dynamic install/attach/unload is also a new feature of Minifilters.

Slide 9

Slide 9 text

• VXD (Virtual X Driver) – Windows 95, Windows 98
• KDM (Kernel Driver Model) – Windows NT
• WDM (Windows Driver Model) – Windows 2000 ~ Windows 8.1 – DDK (Driver Developer Kit)
• WDF (Windows Driver Frameworks) – Windows 7 ~ Windows 10 – WDK (Windows Driver Kit)

Slide 10

Slide 10 text

• WDM
• KMDF
• WDDM
• NDIS (miniport, filter, protocol)
• WFP
• Native 802.11
• WDI
• FileSystem (MiniFilter)
• PortCls
• KS

Slide 11

Slide 11 text

Windows ~= Microkernel + LibOS ~= Monolithic-like (source: Wikipedia)

Slide 12

Slide 12 text

[Diagram: Windows I/O system architecture. User mode: application, Windows service, user-mode PnP manager, Setupapi.dll, WMI service. Kernel mode: WDM WMI routines, PnP manager, power manager, I/O manager, function and filter drivers, HAL. Installation artifacts: .inf, .cat, registry.]

Slide 13

Slide 13 text

• Example: CreateFileA()
ProcessXXX.exe.CreateFileA()
-> Kernel32.dll.CreateFileA()
-> KERNELBASE.dll.CreateFileA()
-> KERNELBASE.dll.CreateFileW()
-> KERNELBASE.dll.CreateFileInternal()
-> Ntdll.dll.NtCreateFile()
-> Ntoskrnl.exe.KiFastSystemCall.NtCreateFile()
-> Ntoskrnl.exe.KiSystemService.NtCreateFile()
-> DriverXXX.sys.PreOperationCallback()

Slide 14

Slide 14 text

• Windows kernel mode has a stack-like architecture; this layered driver architecture is also called the driver stack. (source: MSDN)

Slide 15

Slide 15 text

[Diagram: I/O system. User mode: environment subsystem / DLLs. Kernel mode: I/O manager builds an IRP (IRP header plus IRP stack locations) and routes it through the file object, device object and driver object to the driver's routines: DriverEntry and dispatch routines (Create, Read, Write, ...), Start I/O routine, ISR, DPC routine, Unload routine.]

Slide 16

Slide 16 text

[Diagram: IRP path from the environment subsystem / DLLs (user mode) through the I/O manager to the file system manager and on to the volume manager (kernel mode). Source: The Windows 2000 Device Driver Book.]

Slide 17

Slide 17 text

[Diagram: KMDF. The I/O manager hands requests to the KMDF framework (KMDF0 / wdf01000.sys), which delivers them to KMDF drivers A, B and C through I/O targets.]

Slide 18

Slide 18 text

[Diagram: UMDF. Applications call the Win32 API; in kernel mode the Windows kernel driver manager and a reflector (filter) kernel-mode driver forward requests to UMDF host processes, each containing a UMDF driver, the UMDF framework (WUDFx02000.dll) and the UMDF runtime with its own local device stack; UMDFCtrlDev.]

Slide 19

Slide 19 text

[Diagram: device stack. An IRP travels down through upper filter drivers C, B, A (FiDOs), the function driver (FDO), lower filter drivers B, A (FiDOs) and finally the bus driver (PDO). Source: Windows Internals.]

Slide 20

Slide 20 text

• IRP (I/O Request Packet) workflow in Windows (source: MSDN): the I/O manager determines the number of drivers in the stack, allocates an IRP with that many stack locations, and then dispatches it to
  • WDF
  • the function driver

Slide 21

Slide 21 text

[Diagram: minifilter pre-operation path, steps 1 to 7. An IRP from the environment subsystem / DLLs (user mode) reaches the I/O manager, which passes it to the filter manager; the filter manager calls MiniFilterDriverA, MiniFilterDriverB and MiniFilterDriverC in turn before the IRP reaches the file system manager.]

Slide 22

Slide 22 text

• Extension Register
• Kernel Dispatcher
• Communication (user <-> kernel)
• Degree (Altitude)
• Events
• Handlers

Slide 23

Slide 23 text

[Diagram: the same minifilter picture with the steps numbered in reverse, 7 to 1: the completion path back from the file system manager through the filter manager and MiniFilterDriverC, B, A to the I/O manager and up to the environment subsystem / DLLs.]

Slide 24

Slide 24 text

• IRP (I/O Request Packet) is a data structure in the Windows kernel designed to carry input/output data.
• The IRP is a complicated data structure; its two major attributes are MajorFunction and MinorFunction, which denote the IRP's major type and the detail of that type.
• The same MajorFunction exhibits different behaviours with different MinorFunctions.

Slide 25

Slide 25 text

• IRP_MJ_DIRECTORY_CONTROL
• IRP_MJ_READ
• IRP_MJ_WRITE
• IRP_MJ_QUERY_INFORMATION
• IRP_MJ_SET_INFORMATION
• IRP_MJ_CREATE
• IRP_MJ_CLEANUP
• IRP_MJ_CLOSE
• IRP_MJ_DEVICE_CONTROL
• IRP_MJ_LOCK_CONTROL
• IRP_MJ_SET_VOLUME_INFORMATION
• IRP_MJ_QUERY_SECURITY
• IRP_MJ_SET_EA
• ……

Slide 26

Slide 26 text

Major functions:
• IRP_MJ_DIRECTORY_CONTROL
• IRP_MJ_READ
• IRP_MJ_WRITE
• IRP_MJ_QUERY_INFORMATION
• IRP_MJ_SET_INFORMATION
• IRP_MJ_CREATE
• IRP_MJ_CLEANUP
• IRP_MJ_CLOSE
• IRP_MJ_DEVICE_CONTROL
• IRP_MJ_LOCK_CONTROL
• IRP_MJ_SET_VOLUME_INFORMATION
• IRP_MJ_QUERY_SECURITY
• IRP_MJ_SET_EA
• ……

IRP_MJ_CREATE completion results:
FILE_CREATED, FILE_DOES_NOT_EXIST, FILE_EXISTS, FILE_OPENED, FILE_OVERWRITTEN (overwrite), FILE_SUPERSEDED (replace)

IRP_MJ_SET_INFORMATION information classes:
FILE_ALLOCATION_INFORMATION, FILE_BASIC_INFORMATION (insert, time, privilege), FILE_DISPOSITION_INFORMATION (delete), FILE_END_OF_FILE_INFORMATION, FILE_LINK_INFORMATION, FILE_POSITION_INFORMATION, FILE_RENAME_INFORMATION (rename), FILE_VALID_DATA_LENGTH_INFORMATION

Slide 27

Slide 27 text

[Diagram: original IRP versus the filter framework's view of the IRP. Source: MSDN.]

Slide 28

Slide 28 text

Write buffer: to prevent ransomware, we can use this information to compare entropy and sdhash.

Slide 29

Slide 29 text

Use this information to decide whether a file should be backed up or not (size, position, format). (source: MSDN)
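An added example, not the deck's or the minispy sample's own code, of the user-mode side of the entropy idea from the last two slides. It assumes a minispy-style minifilter has already pushed write buffers and set-information events to user mode; the event stream, the (pid, path) keying and the 7.0-bit threshold are constructed for illustration.

```python
import math
from collections import defaultdict

# WDK values (wdm.h / ntifs.h) for the IRP kinds this heuristic looks at
IRP_MJ_WRITE = 0x04
IRP_MJ_SET_INFORMATION = 0x06
FileRenameInformation = 10        # FILE_RENAME_INFORMATION (rename)
FileDispositionInformation = 13   # FILE_DISPOSITION_INFORMATION (delete)
HIGH_ENTROPY_BITS = 7.0           # assumed threshold; tune on real workloads

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly random bytes."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

class RansomwareHeuristic:
    """Flags a (pid, path) that receives a high-entropy write and is then renamed/deleted.
    Each event is a constructed stand-in for one record a minispy-style minifilter
    would push to user mode over its communication port."""
    def __init__(self, threshold: float = HIGH_ENTROPY_BITS) -> None:
        self.threshold = threshold
        self.hot = defaultdict(int)   # (pid, path) -> number of high-entropy writes
        self.alerts = []

    def feed(self, pid: int, major: int, path: str, info_class: int = 0, data: bytes = b"") -> None:
        key = (pid, path)
        if major == IRP_MJ_WRITE:
            if shannon_entropy(data) >= self.threshold:
                self.hot[key] += 1
        elif (major == IRP_MJ_SET_INFORMATION
              and info_class in (FileRenameInformation, FileDispositionInformation)
              and self.hot[key]):
            self.alerts.append(f"pid {pid}: high-entropy overwrite then rename/delete of {path}")

def demo() -> list:
    """Constructed stream: a benign text save, then an encrypt-and-rename on the same file."""
    h = RansomwareHeuristic()
    doc = r"C:\Users\alice\report.docx"
    h.feed(100, IRP_MJ_WRITE, doc, data=b"hello world " * 50)      # low entropy
    h.feed(100, IRP_MJ_SET_INFORMATION, doc, FileRenameInformation)
    h.feed(4242, IRP_MJ_WRITE, doc, data=bytes(range(256)) * 4)    # looks like ciphertext
    h.feed(4242, IRP_MJ_SET_INFORMATION, doc, FileRenameInformation)
    return h.alerts
```

Only the second process trips the heuristic; a real deployment would also need per-process rate limits and an allow-list for compressors and encryption tools that legitimately write high-entropy data.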

Slide 30

Slide 30 text

No content

Slide 31

Slide 31 text

• After Microsoft published the minifilter framework, WDM also moved on to WDF and Windows 7 to Windows 10; Microsoft migrated these development frameworks into Visual Studio. Note that there are still a lot of version-conflict problems.
• The WDK installer can be downloaded from the official website; the SDK must be selected during the Visual Studio installation process.
• Visual Studio 2017 & 2019 do not install the SDK by default; you need to tick the checkbox.
• ARM/ARM64

Slide 32

Slide 32 text

The SDK version must match the WDK; install Visual Studio and the SDK first, then the WDK.

Slide 33

Slide 33 text

>

Slide 34

Slide 34 text


Slide 35

Slide 35 text

• Dev. Env. Consistency

Slide 36

Slide 36 text

> • Change target platform from [build setting] to [project -> driver settings]

Slide 37

Slide 37 text

> • Change target platform from [build setting] to [project -> driver settings]

Slide 38

Slide 38 text

> https://code.msdn.microsoft.com/windowsapps/Windows-Driver-Kit-WDK-81-cf35e953#content

Slide 39

Slide 39 text

> There’s no printf() in kernel >.0

Slide 40

Slide 40 text

>

Slide 41

Slide 41 text

>

Slide 42

Slide 42 text

Enable by command: cmd.exe (run as administrator) > bcdedit /set TESTSIGNING ON

Slide 43

Slide 43 text

>

Slide 44

Slide 44 text

• Finally, the file is installed into System32\drivers

Slide 45

Slide 45 text

• The driver's registry entries after the driver.inf installation completes

Slide 46

Slide 46 text

• You can also use WinObj to check the installation result.

Slide 47

Slide 47 text

> Sample code problem.

Slide 48

Slide 48 text

> In Virtual Machine

Slide 49

Slide 49 text

SERVICE_BOOT_START (0)
SERVICE_SYSTEM_START (1)
SERVICE_AUTO_START (2)
SERVICE_DEMAND_START (3)
SERVICE_DISABLED (4)

Slide 50

Slide 50 text

• SERVICE_BOOT_START (0) (device drivers only)
• SERVICE_SYSTEM_START (1) (device drivers only)
• SERVICE_AUTO_START (2)
• SERVICE_DEMAND_START (3)
• SERVICE_DISABLED (4)

Slide 51

Slide 51 text

> Do not test driver on your host.

Slide 52

Slide 52 text

No content

Slide 53

Slide 53 text

• UTF-16 encoding: 魯 a = 9B 6F 00 61
• ASCII encoding: 9B 6F 00 61 = › o a

String                                          Type / Description
char *str = {"kd string"}                       ANSI string
wchar_t *wstr = {L"kd string"}                  Unicode string
size_t len = strlen(str)                        ANSI string length
size_t wlen                                     Unicode string length
printf("%s %ws %d %d", str, wstr, len, wlen)    print format
OutputDebugString("%s", wstr)                   print format

Slide 54

Slide 54 text

C                 WDK
unsigned long     ULONG
unsigned char     UCHAR
unsigned int      UINT
void              VOID
unsigned long *   PULONG
unsigned char *   PUCHAR
unsigned int *    PUINT
void *            PVOID

Slide 55

Slide 55 text

32-bit layout:
HANDLE Event                 4 bytes
UNICODE_STRING ObjectName:
  Length                     2 bytes
  MaximumLength              2 bytes
  Buffer                     4 bytes

64-bit layout:
HANDLE Event                 8 bytes
UNICODE_STRING ObjectName:
  Length                     2 bytes
  MaximumLength              2 bytes
  Padding                    4 bytes
  Buffer                     8 bytes

Slide 56

Slide 56 text

• On Microsoft Windows 2000 and later versions of the operating system, "\??" is equivalent to "\DosDevices".
• For example, the object name of the "C:\WINDOWS\example.txt" file is "\DosDevices\C:\WINDOWS\example.txt".

Path                  Type / Description
\\abc\xyz             MSDN
C:\abc\xyz            MSDN
\\.\C:\abc\xyz        MSDN
\\?\C:\abc\xyz        MSDN
\\?\UNC\abc\xyz       MSDN
\??\UNC\abc\xyz       MSDN
?\UNC\abc\xyz         Undocumented in Windows Server 2012 / 2016
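An added example (not from the deck) that maps each documented path form in the table above to its object name under \??\. It goes one step beyond the table: forms that Win32 normalizes get the "..", "." and trailing-dot/space handling applied, while the \\?\ verbatim prefix is passed through untouched, which is why the two forms can name different objects; the normalization rules are stated here from the Win32 path documentation, not from the slides.

```python
import re

NT_PREFIX = "\\??\\"   # "\??" is equivalent to "\DosDevices" on Windows 2000 and later

def _normalize(segs: list, fixed: int) -> list:
    """Win32-style normalization: drop empty and '.' parts, resolve '..', strip
    trailing spaces/dots. The first `fixed` parts (drive or server\\share) stay."""
    out = segs[:fixed]
    for seg in segs[fixed:]:
        if seg in ("", "."):
            continue
        if seg == "..":
            if len(out) > fixed:
                out.pop()
            continue
        seg = seg.rstrip(" .")
        if seg:
            out.append(seg)
    return out

def win32_to_nt_path(path: str) -> str:
    """Return the NT object name (\\??\\...) the kernel sees for a Win32 path string."""
    path = path.replace("/", "\\")
    if path.startswith(NT_PREFIX):                 # already an NT name
        return path
    if path.startswith("\\\\?\\"):                 # verbatim prefix: no normalization at all
        return NT_PREFIX + path[4:]
    if path.startswith("\\\\.\\"):                 # Win32 device namespace
        root, rest, fixed = "", path[4:], 1
    elif path.startswith("\\\\"):                  # \\server\share -> UNC\server\share
        root, rest, fixed = "UNC\\", path[2:], 2
    elif re.match(r"^[A-Za-z]:\\", path):          # drive-letter path
        root, rest, fixed = "", path, 1
    else:
        raise ValueError(f"unsupported path form: {path!r}")
    return NT_PREFIX + root + "\\".join(_normalize(rest.split("\\"), fixed))
```

The last two assertions in the test below are the security-relevant pair: the same characters with and without \\?\ resolve to different object names.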

Slide 57

Slide 57 text

>

Slide 58

Slide 58 text

WDK sample: minispy.sys. DriverEntry creates the communication port; log blocks are pushed into the port.

Slide 59

Slide 59 text

> Add data into Block Buffer

Slide 60

Slide 60 text

Call the function so that the kernel adds the IRP data into the buffer.

Slide 61

Slide 61 text

• User module: user mode extracts data from the communication port and splits the data buffer according to the data structure defined in UK.h.

Slide 62

Slide 62 text

[Diagram: minispy. Minispy(User) in user mode exchanges data with Minispy(Kernel) through the structures in MinispyUK.h; Minispy(Kernel) sits on the filter manager. Read / Write / Rename / Delete requests go from the I/O manager through the filter manager to the file system driver, down the storage driver stack to the physical device.]

Slide 63

Slide 63 text

Fake I/O
• Use the driver to change the IRP content.
• If an error message is needed, deny the request.

Slide 64

Slide 64 text

WDK sample: ObCallback.sys. Registers to sniff process-creation events and sniffs the command of the launched process.

Slide 65

Slide 65 text

WDK sample: usbview.sys. Enumerates USB devices.

Slide 66

Slide 66 text

• csrss.exe -> NtCreateFile -> IRP_MJ_READ (Kbdclass)
• WDK sample: kbfiltr.sys

Slide 67

Slide 67 text

No content

Slide 68

Slide 68 text

>

Slide 69

Slide 69 text

>

Slide 70

Slide 70 text

>

Slide 71

Slide 71 text

>

Slide 72

Slide 72 text

>

Slide 73

Slide 73 text

• Copy the .pdb and add srv*c:\MyServerSymbols*https://msdl.microsoft.com/download/symbols to the WinDbg symbol path.

Slide 74

Slide 74 text

> • !analyze -v

Slide 75

Slide 75 text

> • Windbg (Host) + VM (OS & Driver) + serial port

Slide 76

Slide 76 text

• bcdedit /debug on
• bcdedit /dbgsettings serial debugport:{PortNumber} baudrate:{Number}
• bcdedit /dbgsettings

Slide 77

Slide 77 text

> • .sympath srv*c:\Symbols*http://msdl.microsoft.com/download/symbols;

Slide 78

Slide 78 text

>

Slide 79

Slide 79 text

>

Slide 80

Slide 80 text

>

Slide 81

Slide 81 text

>

Slide 82

Slide 82 text

No content

Slide 83

Slide 83 text

• Windows drivers
  – Signed
  – WHQL signed
  – EV signing cert (a must for the Win10 signing process)
source: この勇者が俺TUEEEくせに慎重すぎる

Slide 84

Slide 84 text

• LoJax
• Slingshot
• MSI + ASUS + GIGABYTE + ASROCK

Slide 85

Slide 85 text

LoJax
• First UEFI malware found in the wild
• The implant tool includes the RwDrv.sys driver from RWEverything
• Loads the driver to gain direct access to the SPI controller in the PCH
• Uses direct SPI controller access to rewrite the UEFI firmware

Slide 86

Slide 86 text

Slingshot
• APT campaign that brought along its own malicious driver
• Active from 2012 through at least 2018
• Exploited other drivers with read/write MSR access to bypass Driver Signature Enforcement and install a kernel rootkit

Slide 87

Slide 87 text

• ASRock drivers – CVE names:
  • CVE-2018-10709, CVE-2018-10710, CVE-2018-10711, CVE-2018-10712
• ASUS drivers – CVE names:
  • CVE-2018-18537, CVE-2018-18536, CVE-2018-18535
• GIGABYTE drivers – CVE names:
  • CVE-2018-19320, CVE-2018-19322, CVE-2018-19323, CVE-2018-19321
• ......

Slide 88

Slide 88 text

ASROCK + ASUS + GIGABYTE
• Arbitrary ring0 virtual memory read/write
• Port-mapped I/O access
• MSR register access
• Arbitrary physical memory read/write
• CR register access
• ......

Slide 89

Slide 89 text

> • Most drivers specify only the FILE_DEVICE_SECURE_OPEN characteristic. This ensures that the same security settings are applied to any open request into the device's namespace.

Slide 90

Slide 90 text

source: apple daily

Slide 91

Slide 91 text

>

Slide 92

Slide 92 text

> Maybe FILE_DEVICE_SECURE_OPEN has been defined as 0?

Slide 93

Slide 93 text

> source: 焼きたて!! ジャぱん

Slide 94

Slide 94 text

>

Slide 95

Slide 95 text

>

Slide 96

Slide 96 text

Windows Internals 7th edition; Windows 7 Device Driver (source: Tom and Jerry)

Slide 97

Slide 97 text

> • MinimumRequiredLength – The minimum buffer size, in bytes, that the driver needs to process the I/O request.

Slide 98

Slide 98 text

• Model-specific registers (MSRs) exist in CPUs. Contrary to the name, some MSRs are actually part of the official x86 or x64 architecture and not "model specific".
• The transition to kernel mode is done via an MSR
  – syscall -> read MSR -> call MSR pointer (Ring-0) -> kernel function handles the syscall logic
• By default on modern systems we only care about MSR_LSTAR (0xc0000082)
• It can be inspected via the rdmsr command in WinDbg

Slide 99

Slide 99 text

• You can probably see where this is going
• Exposed wrmsr (__writemsr) instruction gives us a pointer-overwrite primitive
  – Function pointer is called when any syscall is issued
  – Called from Ring-0
source: Fireeye

Slide 100

Slide 100 text

> source: Fireeye

Slide 101

Slide 101 text

> source: Fireeye

Slide 102

Slide 102 text

• Win8+: Supervisor Mode Execution Prevention (SMEP) - BSODs if the CPU detects execution of a user-mode VA while in Ring-0
• As a response to Spectre and Meltdown, Microsoft added Kernel Page Table Isolation (KPTI); KPTI maintains a separate set of page tables for user and kernel mode
Timeline: EZ MODE (before Win8) -> SMEP (Win8+) -> KPTI (after Spectre + Meltdown)
source: Fireeye

Slide 103

Slide 103 text

No content

Slide 104

Slide 104 text

• Hyper-V & PatchGuard catch MSR and CR3/CR4 modifications
• Adding some sort of cookie check after CR3 restoration could raise the bar
  – Would require attackers to also have arbitrary kernel reads
• More driver install notifications
  – Hardware drivers have confirmation prompts on install – but not software drivers?
• Windows driver samples should incorporate the security advice given on MSDN

Slide 105

Slide 105 text

• Device Driver Debauchery and MSR Madness – Ryan Warns & Tim Harrison, FireEye
• Get off the kernel if you can't drive – Jesse Michael, DEF CON 27
• Reverse Engineering and Bug Hunting on KMDF Drivers – Enrique Nissim, IOActive
• Windows Drivers Attack Surface – Ilja van Sprundel
• Windows Internals 6, 7; MSDN – Microsoft
• Practical Malware Analysis – Michael Sikorski & Andrew Honig

Slide 106

Slide 106 text

No content

Slide 107

Slide 107 text

No content

Slide 108

Slide 108 text

• On Win64, PatchGuard x64 blue-screens at the slightest provocation.
[Diagram: Process / 3rd-party API (wxWidgets.lib) -> Windows API -> ntdll.dll (user mode) -> System Service Dispatcher (KiSystemService) -> SSDT -> NtCreateFile / NtClose (kernel mode)]
P.S. There is a whole thread of discussion and implementations on how to defeat PatchGuard~

Slide 109

Slide 109 text

Because the driver is loaded dynamically, the memory location that the table points to for a called kernel API is not fixed. Therefore, taking the address of a kernel function directly by name does not give the location the table points to at run time. When hooking a function, MmGetSystemRoutineAddress() must be used to obtain the exact run-time memory location.
• In Win32
[Diagram: ntdll.dll (user mode) -> System Service Dispatcher (KiSystemService) -> SSDT -> NtCreateFile entry replaced by NewCreateFile (kernel mode)]

Slide 110

Slide 110 text

• Find the SSDT address from the function name
• cli to disable interrupts
• Disable processor write protection (replace the CR0 protection with 0fffefffh)
• Overwrite the function pointer
• Restore processor write protection
• sti to enable interrupts

Slide 111

Slide 111 text

No content

Slide 112

Slide 112 text

• Hold Shift while clicking the reboot button. (SHIFT) One-time solution. source: Netflix

Slide 113

Slide 113 text

One-time solution

Slide 114

Slide 114 text

Enable by command: cmd.exe (run as administrator) > bcdedit /set TESTSIGNING ON
Inndy (the guru): you can also find the exact verification address in the kernel and turn it off there.

Slide 115

Slide 115 text

• I assume you have already built your own driver; if you try to use the sign function within the VS project, that's another issue.
• You should already have the .cat, .sys & .inf (with the sign function in VS, you will get your own usable .cer if you set it up right.)

Slide 116

Slide 116 text

• MakeCert -r -pe -ss TEST -n "CN=TEST.org" test.cer
• CertMgr /add minispy.cer /s /r localMachine root
• CertMgr /add minispy.cer /s /r localMachine trustedpublisher

Slide 117

Slide 117 text

> • SignTool sign /v /s TestCertStoreName /n TestCertName /t http://timestamp.verisign.com/scripts/timstamp.dll DriverFileName.sys