Tserith / Parasite

Compact MBR Bootkit for Windows

What is the function of opening the C:\Windows\System32\drivers\filecrypt.sys? #5

Closed badboycxcc closed 2 months ago

badboycxcc commented 2 months ago

What is the function of opening the C:\Windows\System32\drivers\filecrypt.sys file? How do I load my own sys file?

Tserith commented 2 months ago

The bootkit does not open filecrypt.sys. It adds an entry to BootDriverListHead so that the Windows bootloader will attempt to load it as a core driver. When it does that, the bootkit intercepts the disk read interrupt and provides the bootkit's custom driver instead. Once the custom driver is executed it removes the extra entry so filecrypt.sys will be properly loaded after kernel initialization.

badboycxcc commented 2 months ago

Is this how it works?

  1. Windows bootloader loads the system filecrypt.sys normally
  2. Bootkit intercepts and replaces Driver.sys (malicious sys)
  3. Windows reloads filecrypt.sys and runs normally

Tserith commented 2 months ago

  1. Bootkit tells bootloader to load filecrypt.sys earlier than normal (before initialization)
  2. Windows tries to read filecrypt.sys and the bootkit replaces it with Driver.sys
  3. Windows loads filecrypt.sys normally (after initialization)

badboycxcc commented 2 months ago

ok