Skip to content

Windows 10 DLL Injector via Driver utilizing VAD and hiding the loaded driver

Notifications You must be signed in to change notification settings

KameronHawk/Kernel-VAD-Injector

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
 
 
 
 
 
 

Repository files navigation

Driver DLL Injector

Driver DLL Injector Description

Driver DLL Injector is a powerful tool that allows users to load drivers of their choice using their preferred mapper. By leveraging the capabilities of an unsigned driver loader, such as KDmapper, this injector was built and tested on Windows 10 2004 x64 processes

Driver Portion:

The driver hooks a patch guard safe function known as xKdEnumerateDebuggingDevices for communication with our usermode process. This method is highly detected on popular anti-cheats, so we go a step further and trap a usermode thread in kernel to communicate restoring the original functions address therefore bypassing function integrity checks.

The driver does the following for hiding traces left behind:

  • VAD Manipulation: The driver strategically allocates memory behind the "thread stack" by leveraging undocumented Virtual Address Descriptor (VAD) functions like MiInsertChange and MiAllocVad, which are not widely known. Once the VAD is allocated and DLL is sucessfully loaded the driver will remove the VAD from the VAD tree.

  • PTE Manipulation: To bypass checks from NtQueryVirtualMemory, the driver manipulates Page Table Entries (PTEs) to make the pages allocated by VAD executable. By modifying the PTEs, the driver ensures that the VAD does not update with the executable (X) bit enabled, circumventing potential restrictions.

  • Clearing PiDDBCacheTable, MmUnloadedDrivers (Hash Bucket List).

  • Depending on what manual mapper you use for the driver, you will have to also take into account big pools.

Usermode Portion:

The usermode process utilizes Discord's overlay to call our DLL main's function.

The usermode process does the following:

  • "Links" with the hooked kernel function, supplying all of our address's and message codes.
  • Scans the process for Discord overlay, if found setup shellcode, and allocate VAD.
  • Setup shellcode for calling DLL main, and then
  • Once the DLL is injected the usermode process will send a message to the driver saying "We're done!" and the driver will clean up all of the traces that are left behind.

To use the Driver DLL Injector, follow these steps:

1. Choose and install a compatible mapper, such as KDmapper.
2. Compile or build the Driver DLL Injector project.
3. Load the driver using the selected mapper
4. Launch test application (with discord overlay enabled)
5. Launch usermode application and wait for Hello World message box.

Detection Vectors

  • Page Table walks, Stack Walks, etc.
  • WDF will list the driver loaded because it is not cleared like MmUnLoadedDrivers
  • The usermode thread will have an insane amount of CPU cycle time spent in kernel land, check task manager for "Kernel time"

Issues Encountered

When making this project, there were several blocks along the way. Some of the following were:

  • DLL crashing because the DLL properties were setup wrongly. Setting /sdl-, /GS-, and runtime library to /MT fixed my issues with crashing.
  • Mapping the driver using a mapper would cause a KMODE_EXCEPTION BSOD, fixing this by setting the driver property /GS-.
  • Discords overlay takes time to initalize, if you try to inject before the overlay is initalized you will crash because of NULL pointers.

Credits

ModMap - for showing VAD manipulation

SkCrypt - for the encrpytion

Stealthy Kernel Mode Injector - for the driver base

Poseidon - for trapping um thread in kernel land

FACE INJECTOR - for the shellcode

About

Windows 10 DLL Injector via Driver utilizing VAD and hiding the loaded driver

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published