.sys injection

aiwnjoo
Posts: 52
Joined: Tue Mar 06, 2007 1:06 pm

.sys injection

Post by aiwnjoo »

Hi, I have a custom driver that manipulates drawing in a target process (hl2.exe) and I need some help on injection methods. I could just load it via a batch app, but are there other ways, like what you do for DLL injection?
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Not sure what you're asking. You have your own driver and want to inject a DLL into a target process from within that driver? Is that what you're asking? If so, I'm sorry to say, but that is one of the "secret" power functionalities of madCodeHook. I'd hurt my own business if I explained how that works.

Or are you asking something else?
aiwnjoo
Posts: 52
Joined: Tue Mar 06, 2007 1:06 pm

Post by aiwnjoo »

lol, I understand, madshi mate, thanks for the response.

What I'm asking is: I have developed my own custom driver which modifies GUI stuff in CS and CSS, nothing special or "hackish", but I'm not too clued up on ways to load my driver into memory.

Standard DLL injection uses an exe (injector) to inject the DLL into the target process.

I want to do similar but with my driver (.sys).

I can use a batch file to load the driver, but I would prefer a better approach.
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

CreateService/StartService is one possibility. Another is NtLoadDriver. Of course you need enough privileges to do that.
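The defender's view of the two loading paths madshi names: CreateService goes through the Service Control Manager, which writes System event 7045 ("A service was installed in the system") with the service type and image path, while NtLoadDriver bypasses the SCM, so the more robust signal is the driver-load event itself (Sysmon event 6, "Driver loaded", which carries the image path and signature status). The script below is an added example, not code from this thread or from madshi; it scans constructed event records shaped like those two event types and flags kernel drivers installed or loaded from outside the usual driver directories, or without a valid signature. The field names follow the real EventData of those events, but every record, path and service name here is a constructed sample.

```python
"""Flag suspicious kernel driver installs/loads from Windows event records.

Added example (not from the forum thread). Records are constructed to look
like System event 7045 (service installed, produced by CreateService) and
Sysmon event 6 (driver loaded). Field names match those events' EventData;
all values are constructed samples.
"""
from dataclasses import dataclass

# Directories from which legitimately installed drivers are normally loaded.
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


@dataclass
class Finding:
    event_id: int
    image: str
    reason: str


def _normalize_path(p: str) -> str:
    """Map the NT-style paths seen in 7045 ImagePath onto a lower-case Win32 path."""
    p = p.strip().strip('"')
    low = p.lower()
    if low.startswith("\\??\\"):                 # \??\C:\... -> C:\...
        p = p[4:]
    elif low.startswith("\\systemroot\\"):       # \SystemRoot\... -> C:\Windows\...
        p = "C:\\Windows\\" + p[len("\\systemroot\\"):]
    elif low.startswith("system32\\"):           # system32\... -> C:\Windows\system32\...
        p = "C:\\Windows\\" + p
    return p.lower()


def flag_driver_loads(events):
    """Return a Finding for each event that looks like an unusual driver install/load."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        data = ev.get("EventData", {})
        if eid == 7045 and "kernel" in data.get("ServiceType", "").lower():
            # SCM logged a new kernel-mode service: check where its binary lives.
            path = _normalize_path(data.get("ImagePath", ""))
            if not path.startswith(EXPECTED_DRIVER_DIRS):
                findings.append(Finding(7045, path,
                                        "kernel service installed outside driver directories"))
        elif eid == 6:
            # Driver actually loaded (also fires for NtLoadDriver, which skips the SCM).
            path = _normalize_path(data.get("ImageLoaded", ""))
            signed = data.get("Signed", "").lower() == "true"
            status = data.get("SignatureStatus", "").lower()
            if not signed or status != "valid":
                findings.append(Finding(6, path, "driver image unsigned or signature not valid"))
            elif not path.startswith(EXPECTED_DRIVER_DIRS):
                findings.append(Finding(6, path, "signed driver loaded from unusual location"))
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 7045, "EventData": {
        "ServiceName": "ExampleDrv",
        "ImagePath": r"\??\C:\Users\alice\AppData\Local\Temp\exampledrv.sys",
        "ServiceType": "kernel mode driver", "StartType": "demand start"}},
    {"EventID": 7045, "EventData": {
        "ServiceName": "usbhub",
        "ImagePath": r"\SystemRoot\System32\drivers\usbhub.sys",
        "ServiceType": "kernel mode driver", "StartType": "demand start"}},
    {"EventID": 7045, "EventData": {
        "ServiceName": "ExampleSvc",
        "ImagePath": r"C:\Program Files\Example\svc.exe",
        "ServiceType": "user mode service", "StartType": "auto start"}},
    {"EventID": 6, "EventData": {
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\exampledrv.sys",
        "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}},
    {"EventID": 6, "EventData": {
        "ImageLoaded": r"C:\Windows\System32\drivers\usbhub.sys",
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}},
]


if __name__ == "__main__":
    for f in flag_driver_loads(SAMPLE_EVENTS):
        print(f"event {f.event_id}: {f.image} - {f.reason}")
```

Run against the samples, the temp-directory driver is flagged twice (once at install by the SCM, once at load by Sysmon), the in-box usbhub.sys is not, and the user-mode service is ignored. In practice the event 6 branch is the one to rely on, since a loader that uses NtLoadDriver directly never produces a 7045.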
iconic
Site Admin
Posts: 1064
Joined: Wed Jun 08, 2005 5:08 am

Post by iconic »

Without giving away too much information... you can receive alerts of process creation events from kernel callback functions such as PsSetCreateProcessNotifyRoutine() or PsSetCreateThreadNotifyRoutine(). Inside, you will get notification of whether the process is being created or terminated, along with the process ID and parent process ID. Basically, with this you will always get notified of a process creation at a convenient time, since the process hasn't executed any code yet; as a matter of fact, to prove this you can put a sleep in the callback and witness the process not even being created yet. My recommendation in ring0 is to queue an asynchronous procedure call from within your driver.

All you need is the virtual address of LoadLibrary() in ring3 and the full path of your injected DLL. Lucky for you, system DLLs such as ntdll and kernel32 are always mapped at the same virtual address in each process by default (unless a relocation occurs, which shouldn't really happen with ntdll or kernel32)... Just remember, however, not all processes have to link with certain DLLs; you might run into 100% native processes, which only need ntdll (i.e. SMSS).

Good luck young warrior!

--Iconic
aiwnjoo
Posts: 52
Joined: Tue Mar 06, 2007 1:06 pm

Post by aiwnjoo »

Without all the required instructions you provided, I managed to create a simple injector to load the driver into memory pretty much the same way as I inject DLLs, but by using services extracted from Device Manager.

Now I can host my driver and spawn it at the user's request without storing it on the local drive.

Thanks a lot, dudes.