Wednesday, June 5, 2013

Rootkits Part 3 - The setup & your first device driver

Rootkits Part 3 - The setup & your first rootkit

Sorry for taking so long to get this post out, it has been a busy month.

Ok so if you missed the last post take a look at it, it discusses some basic windows functionality and internals that we will need to know.  

DISCLAIMER: The following material is for information and educational use only.

now that the disclaimer has been said, lets start.


There are many ways to start writing rootkits, some people use Microsofts Visual Studio 2010 (2012 sucks), which is a great option, you just need to install some tools like WinDDK which make rootkit developement easier.  To start we will just create our own files and not use a IDE to help us, that will be saved for a later post.

What you need:
  1. Windbg (for kernel debugging)
  2. Virtualization software (VMWare, KVM, Virtualbox, etc..)
  3. Windows XP (test/dev box)
  4. Windows 7 or another XP machine (remote debugging box)

Be sure to take snapshots before you start anything or run the rootkit, if you mess up you will get Blue screened real quick.

We will switch to all Windows 7 boxes after a basic understanding of development and debugging is covered.  

I decided to keep this post small so everyone can get a basic environment up and running.

Ok so once you have your environment up and running we will write a simple device driver.

We will be developing a device driver that will just print the classic "hello world", keep in mind real rootkits DO NOT print anything, this is just a basic driver, and by basic I mean basic.


Yes remember to take a snapshot of your clean box, you dont want to redo everything everytime, and it's not advised to just keep putting rootkits on a box, that can fuck shit up!

This code may be a little dated but it still works. (may need tweaking)
#include "ntddk.h" 
NTSTATUS DriverEntry( in PDRIVER_OBJECT theDriverObject, IN PUNICODE_STRING theRegistryPath ) '
     DbgPrint("hello world");
    return STATUS_SUCCESS;
This code was taken from Rootkits - Subverting the Windows kernel

Alright that was simple right.

Load this into the kernel and you will see the dbg message.

Now your wondering how the fuck do I load this into the Kernel, right?

We will use OSR Driver Loader, it can be found here:

Yes it hasnt been updated in a while, but it still works and beats writing your own driver loader, which we will eventually do in a later post.

Once OCR Driver Loader is installed run it and select the path to your driver then start it, you can check the task manager processes or use Process Explorer to check that the driver is running.  You should also see "hello world"  debug message.

We created this basic driver to check that our environment is working and that we can run a basic driver, this is a good step in any development environment to make sure everything is functioning and running properly.

I will add screenshots from my tests so there is visual reference and you can actually see it in action......  I wrote this post on a separate box from my development/test environment.

In the next post we will cover remote debugging, so make sure you have two windows boxes and have WinDBG installed.

No comments:

Post a Comment