Comments (3)
PsSetCreateProcessNotifyRoutine now is just a wrapper for PspSetCreateProcessNotifyRoutine, the same as PsSetCreateProcessNotifyRoutineEx; previously, in Vista/XP times, AFAIR it wasn't implemented that way. Inside it calls MmVerifyCallbackFunctionCheckFlags, which checks if the driver is loaded and the code is compiled with the /INTEGRITYCHECK linker setting. The first check is accomplished by walking the loaded modules list (KLDR_DATA_TABLE_ENTRY) and looking for the address of the supplied notify routine to be in the range of one of the loaded modules. If it is found, then KLDR_DATA_TABLE_ENTRY->Flags is checked against the 0x20 value. In case of any error STATUS_ACCESS_DENIED will be returned.

You need to manually set this flag for your DriverObject->DriverSection->Flags. To bypass the loaded module list check just search in Google for various solutions. Most of them advise using a trampoline jump set somewhere in an innocent legit driver, so MmVerifyCallbackFunctionCheckFlags will validate the legit driver instead of your mapped one. For example you can load the Process Explorer driver, overwrite its driver dispatch with your small trampoline which will just jump to your real notify handler, and install the notify routine by supplying the address of the Process Explorer overwritten code.
from kdu.
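As an added illustration (not code from the KDU project or from the comment's author), the following user-mode Python model reproduces the two-step check the comment describes: resolve the callback address to a loaded module, then test that module's Flags for the 0x20 value the comment quotes. The module names, base addresses, sizes and callback targets are constructed sample data, and the function names are this example's own. The same logic is useful on the defensive side: an analyst holding a loaded-module list and a set of registered callback targets (for example from a memory snapshot) can re-run it to list targets that resolve to no module at all or to a module without the flag.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Flag value the comment names: KLDR_DATA_TABLE_ENTRY->Flags must have 0x20 set
# for the callback to be accepted (the /INTEGRITYCHECK-linked marker).
INTEGRITY_CHECK_FLAG = 0x20


@dataclass
class LoadedModule:
    """Minimal stand-in for one KLDR_DATA_TABLE_ENTRY (constructed, not real layout)."""
    name: str
    base: int
    size: int
    flags: int

    def contains(self, address: int) -> bool:
        return self.base <= address < self.base + self.size


def find_owning_module(modules: List[LoadedModule], address: int) -> Optional[LoadedModule]:
    """Step 1: walk the loaded-module list and find the entry whose range holds the address."""
    for module in modules:
        if module.contains(address):
            return module
    return None


def verify_callback(modules: List[LoadedModule], address: int) -> Tuple[bool, str]:
    """Model of MmVerifyCallbackFunctionCheckFlags as described in the comment.

    Returns (accepted, reason). Any failure maps to STATUS_ACCESS_DENIED.
    """
    module = find_owning_module(modules, address)
    if module is None:
        return False, "STATUS_ACCESS_DENIED: address is not inside any loaded module"
    # Step 2: the owning module must carry the 0x20 flag.
    if not module.flags & INTEGRITY_CHECK_FLAG:
        return False, f"STATUS_ACCESS_DENIED: {module.name} lacks the 0x20 flag"
    return True, f"accepted: {module.name}"


def audit_callbacks(modules: List[LoadedModule], targets: List[int]) -> List[Tuple[int, bool, str]]:
    """Re-run the check over a list of registered callback targets and report each verdict."""
    return [(t, *verify_callback(modules, t)) for t in targets]


# Constructed module snapshot: one driver with the flag, one without.
MODULES = [
    LoadedModule("legit.sys", base=0xFFFFF80010000000, size=0x20000, flags=0x20),
    LoadedModule("noint.sys", base=0xFFFFF80020000000, size=0x10000, flags=0x00),
]

# Constructed callback targets: inside legit.sys, inside noint.sys, and unbacked memory.
CALLBACK_TARGETS = [0xFFFFF80010001000, 0xFFFFF80020001000, 0xFFFFF80030001000]


if __name__ == "__main__":
    for addr, ok, reason in audit_callbacks(MODULES, CALLBACK_TARGETS):
        print(f"{addr:#018x}  {'OK ' if ok else 'BAD'}  {reason}")
```

Only the first target passes; the second resolves to a module without the flag and the third resolves to no module, which is exactly the pair of failure cases the comment lists.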
Thank you for answering, there is another question: why does using WskRegister() in ksocket cause a BSOD? Thanks~
from kdu.
I've no idea since I don't know how you call it and what your environment is. And this is not a KDU issue.
from kdu.