Open ByteWhite1x1 opened 1 year ago
Please provide an executable image that causes this behavior to occur. Be sure to include the original and transformed executable images.
Hi,
unfortunately I wasn't able to replicate this issue.
Test setup: Win 10 VM (22H2) with Test Signing Enabled.
Driver got compiled as unsigned and protected with Alcatraz. I was able to load it with the Windows Service Manager.
Thanks for taking the time to try to reproduce the issue.
If I load the obfuscated driver from managed C# code as shown below, the result is 0xC000007B STATUS_INVALID_IMAGE_FORMAT.
The code below works for every driver that is not obfuscated with Alcatraz.
```csharp
using System.Runtime.InteropServices;
using Microsoft.Win32;

// Assumed to live inside the Native class, which also declares NTSTATUS, UNICODE_STRING,
// RtlInitUnicodeString, RtlAdjustPrivilege, ADJUST_PRIVILEGE_TYPE and SeLoadDriverPrivilege.
[DllImport("ntdll.dll", SetLastError = true)]
public static extern NTSTATUS NtLoadDriver(ref UNICODE_STRING driverServiceName);

public static Native.NTSTATUS LoadDriver(string svcName, string drvPath)
{
    mySvcName = svcName; // class field set elsewhere (not shown)
    string regPath = "CurrentControlSet\\Services\\" + svcName;

    // NtLoadDriver reads the service key itself; ImagePath and Type are the values it needs.
    RegistryKey svcKey = Registry.LocalMachine.CreateSubKey("SYSTEM\\" + regPath);
    svcKey.SetValue("ImagePath", "\\??\\" + drvPath);
    svcKey.SetValue("Type", 1); // A kernel-mode device driver (SERVICE_KERNEL_DRIVER)
    // Possible "Start" values:
    // "0" Boot: Loaded by kernel loader. Components of the driver stack for the boot (startup) volume must be loaded by the kernel loader
    // "1" System: Loaded by I/O subsystem. Specifies that the driver is loaded at kernel initialization
    // "2" Automatic: Loaded by Service Control Manager. Specifies that the service is loaded or started automatically
    // "3" Manual: The service does not start until the user starts it manually, such as by using Services or Devices in Control Panel
    // "4" Disabled: Specifies that the service should not be started
    // svcKey.SetValue("Start", 2);
    svcKey.Close();

    // NtLoadDriver requires SeLoadDriverPrivilege to be enabled in the calling process;
    // return early if enabling it failed instead of silently overwriting the status below.
    bool privEnabled;
    var status = Native.RtlAdjustPrivilege(Native.SeLoadDriverPrivilege, true,
                                           Native.ADJUST_PRIVILEGE_TYPE.AdjustCurrentProcess, out privEnabled);
    if (status != 0) return status;

    // The name passed to NtLoadDriver is the registry path of the service key in native (\Registry\Machine) form.
    Native.UNICODE_STRING uRegPath = new Native.UNICODE_STRING();
    Native.RtlInitUnicodeString(ref uRegPath, "\\Registry\\Machine\\SYSTEM\\" + regPath);
    status = Native.NtLoadDriver(ref uRegPath);
    return status;
}
```
If I load the obfuscated driver with ZwLoadDriver from a manually mapped driver, the driver loads just fine.
Once again, please provide the executable image before and after obfuscation. You have provided code that loads a driver. This is not what was requested previously.
Please provide an executable image that causes this behavior to occur. Be sure to include the original and transformed executable images.
Hi.
I tried to obfuscate my C++ kernel driver with "DRV_OBJECT". I added one random function to be obfuscated to the list (Release build), and the result is always 0xC000007B STATUS_INVALID_IMAGE_FORMAT when I try to load the driver normally.
I got this working for a "C" driver (Debug build) when I did not obfuscate the entry point, and if I remember correctly, only "Mutate" was working. I ended up wasting several hours of my time while I tried to figure out the cause.
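As an added illustration of the before/after comparison requested in this thread (this is example code, not code from the Alcatraz project or from any participant here): a Python script that parses the PE32+ headers of an original and a transformed driver image, lists the header fields that changed, and flags the alignment and range rules the Windows image loader checks before it will map a driver. The sample images are constructed inline by `build_image()`; the rule set is a subset of what the loader validates, and only PE32+ (64-bit) images are handled.

```python
"""Compare the PE headers of an original and a transformed 64-bit driver image.
Added example, not Alcatraz code: parses IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER64
and the section table, diffs the two images, and flags known-bad layout values."""
import struct

FILE_HDR = "<HHIIIHH"                           # IMAGE_FILE_HEADER
OPT_HDR64 = "<HBBIIIIIQIIHHHHHHIIIIHHQQQQII"    # IMAGE_OPTIONAL_HEADER64 (no data directories)
SECTION_HDR = "<8sIIIIIIHHI"                    # IMAGE_SECTION_HEADER
OPT_FIELDS = (
    "Magic", "MajorLinkerVersion", "MinorLinkerVersion", "SizeOfCode",
    "SizeOfInitializedData", "SizeOfUninitializedData", "AddressOfEntryPoint",
    "BaseOfCode", "ImageBase", "SectionAlignment", "FileAlignment",
    "MajorOperatingSystemVersion", "MinorOperatingSystemVersion", "MajorImageVersion",
    "MinorImageVersion", "MajorSubsystemVersion", "MinorSubsystemVersion",
    "Win32VersionValue", "SizeOfImage", "SizeOfHeaders", "CheckSum", "Subsystem",
    "DllCharacteristics", "SizeOfStackReserve", "SizeOfStackCommit",
    "SizeOfHeapReserve", "SizeOfHeapCommit", "LoaderFlags", "NumberOfRvaAndSizes")

def parse_pe(image: bytes) -> dict:
    """Return the header fields and section table of a PE32+ image as a dict."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from(FILE_HDR, image, e_lfanew + 4)
    opt_off = e_lfanew + 4 + struct.calcsize(FILE_HDR)
    opt = dict(zip(OPT_FIELDS, struct.unpack_from(OPT_HDR64, image, opt_off)))
    if opt["Magic"] != 0x20B:
        raise ValueError("only PE32+ images are handled here")
    sections = []
    for i in range(nsec):  # section table follows the optional header
        name, vsize, va, rawsize, rawptr, *_ = struct.unpack_from(
            SECTION_HDR, image, opt_off + opt_size + 40 * i)
        sections.append({"Name": name.rstrip(b"\0").decode(), "VirtualSize": vsize,
                         "VirtualAddress": va, "SizeOfRawData": rawsize,
                         "PointerToRawData": rawptr})
    return {"Machine": machine, "Characteristics": chars, **opt, "Sections": sections}

def check_layout(pe: dict) -> list:
    """Flag header/section values that break the loader's alignment and range rules."""
    sa, fa = pe["SectionAlignment"], pe["FileAlignment"]
    if sa == 0 or fa == 0:
        return ["zero SectionAlignment or FileAlignment"]
    problems = []
    if pe["Machine"] != 0x8664:
        problems.append("Machine is not AMD64")
    if fa & (fa - 1) or not 0x200 <= fa <= 0x10000:
        problems.append("FileAlignment not a power of two in [512, 64K]")
    if sa < fa:
        problems.append("SectionAlignment smaller than FileAlignment")
    if pe["SizeOfImage"] % sa:
        problems.append("SizeOfImage not a multiple of SectionAlignment")
    if pe["SizeOfHeaders"] % fa:
        problems.append("SizeOfHeaders not a multiple of FileAlignment")
    ep = pe["AddressOfEntryPoint"]
    if not any(s["VirtualAddress"] <= ep < s["VirtualAddress"] + max(s["VirtualSize"], s["SizeOfRawData"])
               for s in pe["Sections"]):
        problems.append("AddressOfEntryPoint outside every section")
    for s in pe["Sections"]:
        if s["VirtualAddress"] % sa:
            problems.append(f"{s['Name']}: VirtualAddress not SectionAlignment-aligned")
        if s["PointerToRawData"] % fa:
            problems.append(f"{s['Name']}: PointerToRawData not FileAlignment-aligned")
    return problems

def diff_headers(orig: dict, new: dict) -> dict:
    """Scalar header fields whose value changed between the two images."""
    return {k: (orig[k], new[k]) for k in orig if k != "Sections" and orig[k] != new[k]}

def build_image(section_alignment=0x1000, file_alignment=0x200, entry=0x1000) -> bytes:
    """Constructed one-section PE32+ native image (sample data for this example)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_hdr = struct.pack(FILE_HDR, 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = struct.pack(OPT_HDR64, 0x20B, 14, 0, 0x200, 0, 0, entry, 0x1000, 0x140000000,
                      section_alignment, file_alignment, 10, 0, 0, 0, 10, 0, 0,
                      0x2000, 0x200, 0, 1, 0x160, 0x40000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * 128                                           # 16 empty data directories
    sect = struct.pack(SECTION_HDR, b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + file_hdr + opt + sect).ljust(0x200, b"\0")
    return headers + b"\xCC" * 0x200                             # .text raw data

def compare_images(original: bytes, transformed: bytes) -> dict:
    """Header fields changed by the transformation plus any layout problems it introduced."""
    a, b = parse_pe(original), parse_pe(transformed)
    return {"changed": diff_headers(a, b), "problems": check_layout(b)}

if __name__ == "__main__":  # demo: constructed sample against a variant with a bad alignment
    report = compare_images(build_image(), build_image(section_alignment=0x100))
    for field, (old, new) in report["changed"].items():
        print(f"{field}: {old:#x} -> {new:#x}")
    for problem in report["problems"]:
        print("PROBLEM:", problem)
```

To use it on real files, read the original and the transformed `.sys` into bytes and pass them to `compare_images()`; any entry in `problems` is a candidate explanation for an image-format rejection, and `changed` shows which header fields the transformation touched even when no rule fires.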