User Controls

Best way to install a Kernel Module/Firmware component on Windows?

  1. #1
    Sophie Pedophile Tech Support
    Preferably in a sneaky fashion. I guess on Windows we might refer to Kernel Modules as Drivers. Although i could be wrong. I am far more acquainted with such matters including proper nomenclature on Linux based systems. So for the purpose of this thread i will be using the term kernel module.

    In any case, i have a couple Windows environments running in VM,for general Windows development, including low level stuff. I got kernel debugging tools of various kinds, both from Microsoft and some that have been developed by security experts, that do low level security and exploit dev targeting Windows for a living.

    Now i have the driver development kit, which allows me to install kernel modules in my Windows VM, and i have the ADK, which means i can create what would on Linux be considered a bootstrapping script, but the ADK is more than that, it allows me to create images that are fully customized from the button up. It is generally used in enterprise setting where the IT team has to deploy multiple instances of Windows that are completely customized to fit the needs of the organization. Don't want Cortana? N problem simply remove it from the install script, need certain registry entries changed? Go ahead. It would in fact be perfect to set up a Windows install that has no telemetry, no built in protections for messing with the kernel and security/system critical components and i eventually plan on releasing a special deploy geared towards exploit, rootkit and bootkit development.

    However, even with such a deploy and more generally the Driver Development Kit i am still stuck to installing any kernel module or driver to the box i developed it on, or the deploys i made with the ADK. I'd like to be able to develop a firmware and other stuff targeting the kernel, and distribute it so that everyone may enjoy Soph's Firmware Solutions.





    Now there's tools like the one below, and it's pretty handy for testing.

    https://www.osronline.com/article.cfm%5earticle=157.htm

    However that driver loader wouldn't be very handy to do stuff like:



    That with, remotely through a reverse shell or as part of a malware. Obviously this thread is purely for educational purposes. But i wanted to ask any of you that might have experience with this sort of stuff what the best way to go about something like this would be. Even if you don't have any personal experience with this kind of thing i'd be down to hear your thoughts and discuss the possibilities.
  2. #2
    ⠀⠀⠀⠀⠀⠀ African Astronaut
    The best way is to run it as a shell of the .exe filetype (shell spawning).

    So...

    HKEY_CLASSES_ROOT\exefile\shell\open\command
    LIBRARY.VXD "%1" %*

    As soon as any .exe file is run at bootup, the device driver also loads.
  3. #3
    Sophie Pedophile Tech Support
    Originally posted by ⠀⠀⠀⠀⠀⠀ The best way is to run it as a shell of the .exe filetype (shell spawning).

    So…

    HKEY_CLASSES_ROOT\exefile\shell\open\command
    LIBRARY.VXD "%1" %*

    As soon as any .exe file is run at bootup, the device driver also loads.

    The thing is i am writing the 'driver' itself. It'll be a .sys or .bin file. The purpose of writing a firmware component and using that as the basis for say a rootkit is that it'll live in kernel world by default. User mode drivers are a different story, but i think i can only legitimately install a kernel mode driver with a special certificate, that will be checked against a database that Microsoft keeps for legitimacy.

    Now i don't need to write a driver to get NT Authority\System privileges, there are exploits for that too. But i'd like to be able to.
  4. #4
    ⠀⠀⠀⠀⠀⠀ African Astronaut
    RING 0 on the hard drive.



    https://en.wikipedia.org/wiki/Protection_ring
  5. #5
    Sophie Pedophile Tech Support
    Originally posted by ⠀⠀⠀⠀⠀⠀ RING 0 on the hard drive.



    https://en.wikipedia.org/wiki/Protection_ring

    Yes Spectral i am familiar. You're not being helpful.
  6. #6
    ⠀⠀⠀⠀⠀⠀ African Astronaut
    Originally posted by Sophie Yes Spectral i am familiar. You're not being helpful.

    Have you checked your RING0 lately?
  7. #7
    Sophie Pedophile Tech Support
    Bump. Come on fellow techies. I know you love to solve problems, this is the main takeaway here.

    Originally posted by Sophie The thing is i am writing the 'driver' itself. It'll be a .sys or .bin file. The purpose of writing a firmware component and using that as the basis for say a rootkit is that it'll live in kernel world by default. User mode drivers are a different story, but i think i can only legitimately install a kernel mode driver with a special certificate, that will be checked against a database that Microsoft keeps for legitimacy.

    Now i don't need to write a driver to get NT Authority\System privileges, there are exploits for that too. But i'd like to be able to.
  8. #8
    aldra JIDF Controlled Opposition
    I rgink I lost way too much blood
  9. #9
    Sophie Pedophile Tech Support
    Originally posted by aldra I rgink I lost way too much blood

    You need to get that sorted bro. I'll be mad if you die.
  10. #10
    aldra JIDF Controlled Opposition
    Originally posted by Sophie You need to get that sorted bro. I'll be mad if you die.

    check out element lol
Jump to Top