Hi Gents,
In my spare time, I took a look at unsecured drivers in the wild.
There is a long list of vulnerable drivers (especially from motherboard manufacturers).
What is a vulnerable driver? A driver that accepts IOCTLs from any user-mode caller (rather than only from one specific, trusted application).
What can you achieve? Modify memory in kernel land.
Therefore I gave it a go with the rtcore driver (from MSI) and decided to play with the EPROCESS structure.
Quoting MS: "The EPROCESS structure is an opaque structure that serves as the process object for a process."
And there are a lot of goodies in this "opaque" structure - starting with the PPL flag ("protected process light").
Quoting Kaspersky: "Protected Process Light (PPL) technology is used for controlling and protecting running processes and protecting them from infection by malicious code and the potentially harmful effects of other processes."
So there are times when you would like to shut down a process or access its virtual memory ... and you just can't.
Changing that flag in the process's EPROCESS structure makes it possible.
The source code and binaries are there.
Be (really and very) careful as you are playing with the kernel here (and you should not): BSODs are right around the corner.
Syntax:
memRW.exe load "%cd%\rtcore64.sys"
memRW.exe list
memRW.exe removeppl PID
memRW.exe makesystem PID
memRW.exe stealtoken from_pid to_pid
memRW.exe unload "%cd%\rtcore64.sys"
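From the defender's side, the two things the post makes observable are a host loading the MSI rtcore64.sys driver and a process running memRW.exe with one of the sub-commands listed above. The following is an added example, not part of the original post or of the memRW tool: a small detection pass over constructed, simplified key=value log lines (my own format, loosely modelled on "driver loaded" and "process create" telemetry). Only the driver name and the memRW.exe sub-commands come from the post; the paths, PIDs and the `signed=` field are constructed. Note that the driver is legitimately signed, so a "signed or not" check does nothing here; the detection has to be by driver identity (name here, hash or a published block list in practice).

```python
"""
Added example: flag vulnerable-driver loads and memRW.exe usage in simplified
log lines. Not code from the original post; log format is constructed.
"""
import re
from dataclasses import dataclass

# Driver image names to alert on. rtcore64.sys is the one the post uses; a
# real deployment would load a maintained block list instead of hardcoding.
BLOCKED_DRIVERS = {"rtcore64.sys"}

# Sub-commands from the post's syntax section.
MEMRW_SUBCOMMANDS = {"load", "list", "removeppl", "makesystem", "stealtoken", "unload"}

# Constructed sample telemetry: one event per line, key=value fields,
# values containing spaces are double-quoted.
SAMPLE_LOG = """\
event=DriverLoad image=C:\\Windows\\System32\\drivers\\disk.sys signed=true
event=DriverLoad image=C:\\Users\\erwan\\tools\\RTCore64.sys signed=true
event=ProcessCreate image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c dir"
event=ProcessCreate image=C:\\Users\\erwan\\tools\\memRW.exe cmdline="memRW.exe removeppl 1234"
event=ProcessCreate image=C:\\Users\\erwan\\tools\\memRW.exe cmdline="memRW.exe stealtoken 4 1234"
event=ProcessCreate image=C:\\Tools\\memRW.exe cmdline="memRW.exe --help"
"""

# key=value where value is either a double-quoted string or a run of non-spaces
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class Finding:
    line_no: int
    kind: str      # "driver_load" or "tool_usage"
    detail: str


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, val in FIELD_RE.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields


def basename(path):
    """Last path component, lower-cased, for both \\ and / separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan(log_text):
    """Return a Finding for every blocked driver load or memRW.exe sub-command."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        f = parse_line(line)
        image = basename(f.get("image", ""))
        if f.get("event") == "DriverLoad" and image in BLOCKED_DRIVERS:
            findings.append(Finding(n, "driver_load",
                                    f"known-vulnerable driver loaded: {f['image']}"))
        elif f.get("event") == "ProcessCreate" and image == "memrw.exe":
            argv = f.get("cmdline", "").split()
            # argv[0] is the program name; the sub-command is the first argument
            if len(argv) >= 2 and argv[1].lower() in MEMRW_SUBCOMMANDS:
                findings.append(Finding(n, "tool_usage",
                                        f"memRW.exe {argv[1].lower()}: {f['cmdline']}"))
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.kind}: {hit.detail}")
```

Run as a script it reports the RTCore64.sys load (line 2) and the two memRW.exe invocations with real sub-commands (lines 4 and 5); the `--help` invocation on line 6 is not a sub-command and is left alone. Because the tool's `load` sub-command is what brings the driver in, the driver-load event will normally precede the `removeppl`/`makesystem`/`stealtoken` events, which is a useful sequence to correlate on.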
In the future, I aim to read/dump memory directly from physical memory rather than from virtual memory.
Comments, feedback, etc. welcome.
Regards,
Erwan