Map and projects (the most frequently updated page of this blog)


Mais je me lâche la main, je m’éloigne de moi...

unpacking drivers in user-mode (2)

Following my previous post on the topic, I came up with a few more tricks:
  • since packed drivers typically use ExAllocatePool*, you need a user-mode equivalent to extract the packed driver. So I just made my fake ntoskrnl call VirtualAlloc* for the trick
  • they often use RtlImageNtHeader, so I added a redirection for it in the fake ntoskrnl.
  • some drivers import HAL.DLL and CLASSPNP.SYS, I made fake ones for them too.
  • some drivers load ntoskrnl.exe manually. in this case, i'd use (under OllyDbg) multimate-assembler, with a standard snippet.
  • it's important to recognize when the driver is trying to locate ntoskrnl, to be able to correct execution. Here are the various ways that I can recall:
  1. calling SIDT will give you the IDT, which is present in ntoskrnl.
  2. calling RDMSR with ECX=176 gives you Sysenter address, you can then locate ntoskrnl header.
  3. standard range checking:
mov eax, 0ffdff12ch
mov eax, [eax]
and ax, f001
dec eax
cmp [eax], 5a4d
jnz loop

As usual, I included the (minimal) sources - happy unpacking!
Sources and binaries

No comments:

Post a Comment