Following my previous post on the topic, I came up with a few more tricks:
- since packed drivers typically use ExAllocatePool*, you need a user-mode equivalent to extract the packed driver. So I just made my fake ntoskrnl call VirtualAlloc* for the trick
- they often use RtlImageNtHeader, so I added a redirection for it in the fake ntoskrnl.
- some drivers import HAL.DLL and CLASSPNP.SYS, I made fake ones for them too.
- some drivers load ntoskrnl.exe manually. in this case, i'd use (under OllyDbg) multimate-assembler, with a standard snippet.
- it's important to recognize when the driver is trying to locate ntoskrnl, to be able to correct execution. Here are the various ways that I can recall:
- calling SIDT will give you the IDT, which is present in ntoskrnl.
- calling RDMSR with ECX=176 gives you Sysenter address, you can then locate ntoskrnl header.
- standard range checking:
mov eax, 0ffdff12chmov eax, [eax]loop:and ax, f001dec eaxcmp [eax], 5a4djnz loop
As usual, I included the (minimal) sources - happy unpacking!
Sources and binaries