Closed: wthueb closed this issue 1 year ago
tdl is an option, haven't checked the driver entry code but it will need to be compatible with tdl. I use 1s timeouts between all the dse disabling (1s), load driver (1s), re-enable (1s).
1s is perfect; I don't BSOD on loads with that.
How would one go about making this "driverless," which is what is required for tdl according to the readme?
What does "driverless" even mean in that regard?
Late ass reply but:
A driverless driver is a driver that does not have an actual entry point, but the entry point references an initialization function which is your real driver entry point.
This is what a fake driver entry looks like:
```c
#include <ntddk.h>

// IoCreateDriver is exported by ntoskrnl but not declared in the WDK headers,
// so it has to be declared manually before it can be called.
NTKERNELAPI NTSTATUS IoCreateDriver(_In_opt_ PUNICODE_STRING DriverName,
                                    _In_ PDRIVER_INITIALIZE InitializationFunction);

// The real entry point: the original DriverEntry of the source, renamed.
DRIVER_INITIALIZE DriverInitialize;

NTSTATUS DriverEntry(_In_ struct _DRIVER_OBJECT *DriverObject,
                     _In_ PUNICODE_STRING RegistryPath)
{
    NTSTATUS status;
    UNICODE_STRING drv_name;
    DbgPrintEx(0, 0, "False entry loading\n");
    // Let the kernel create a proper driver object and call DriverInitialize as its entry.
    RtlInitUnicodeString(&drv_name, L"\\Driver\\NAMEOFYOURDRIVER");
    status = IoCreateDriver(&drv_name, &DriverInitialize);
    return status;
}
```
Your real entry point should be the normal one that is included in this source (renamed to DriverInitialize). Just look at the Turla Loader driver example source code and try to implement it into your source code, then test it on a virtual machine with windbg attached.
I know the BSOD is caused by PatchGuard, and not re-enabling the DSE in time. I was wondering if the timings to do this properly were well known, or if the source (with a 5 second timeout) is the best option.
Also, tdl is apparently an option which doesn't invoke a BSOD. Would that work?