
.sys injection

Posted: Thu Aug 13, 2009 5:57 pm
by aiwnjoo
Hi, I have a custom driver that manipulates drawing in a target process, hl2.exe, and I need some help on injection methods. I could just load it via a batch app, but are there other ways, like what you do for DLL injection?

Posted: Fri Aug 14, 2009 6:12 am
by madshi
Not sure what you're asking. You have your own driver and want to inject a DLL into a target process from within that driver? Is that what you're asking? If so, I'm sorry to say, but that is one of the "secret" power functionalities of madCodeHook. I'd hurt my own business if I explained how that works.

Or are you asking something else?

Posted: Fri Aug 14, 2009 2:33 pm
by aiwnjoo
lol, I understand, madshi mate, thanks for the response.

What I'm asking is: I have developed my own custom driver which modifies GUI stuff in CS and CSS, nothing special or "hackish", but I'm not too clued up on ways to load my driver into memory.

Standard DLL injection uses an exe (injector) to inject the DLL into the target process.

I want to do something similar, but with my driver .sys.

I can use batch to load the driver, but I would prefer a better approach.

Posted: Fri Aug 14, 2009 3:09 pm
by madshi
CreateService/StartService is one possibility. Another is NtLoadDriver. Of course you need enough privileges to do that.
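
Both routes madshi names, as an added example (not madshi's or madCodeHook's code, and not from the thread). The service name `hl2draw` and the path `C:\tools\hl2draw.sys` are made up. The loading functions are Windows-only and guarded with `#ifdef _WIN32`; the two path helpers build the strings the NtLoadDriver route needs and compile anywhere:

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#endif

/* NtLoadDriver takes the driver's *service key* as an NT registry path, not a
 * file name.  The key and ImagePath helpers are plain C so the format can be
 * checked on any host; the loading itself is Windows-only further down. */
int nt_service_key(const char *svc, char *out, size_t cap)
{
    int n = snprintf(out, cap, "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\%s", svc);
    return n > 0 && (size_t)n < cap;
}

/* ImagePath in NT object-namespace form ("\??\C:\dir\drv.sys"), which is how
 * the SCM itself records a kernel driver's binary path.  Rejects anything
 * that is not an absolute drive path. */
int nt_image_path(const char *win32_path, char *out, size_t cap)
{
    if (strlen(win32_path) < 3 || win32_path[1] != ':' || win32_path[2] != '\\') return 0;
    int n = snprintf(out, cap, "\\??\\%s", win32_path);
    return n > 0 && (size_t)n < cap;
}

/* Constructed names used below (assumptions, not anything from the thread). */
const char *demo_service_key(void) { static char b[256]; return nt_service_key("hl2draw", b, sizeof b) ? b : ""; }
const char *demo_image_path(void)  { static char b[512]; return nt_image_path("C:\\tools\\hl2draw.sys", b, sizeof b) ? b : ""; }

#ifdef _WIN32
/* Route 1: the Service Control Manager.  Needs SC_MANAGER_CREATE_SERVICE,
 * i.e. an elevated administrator token. */
int load_via_scm(const char *svc, const char *sys_path)
{
    SC_HANDLE scm = OpenSCManagerA(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (!scm) return 0;
    SC_HANDLE s = CreateServiceA(scm, svc, svc, SERVICE_ALL_ACCESS, SERVICE_KERNEL_DRIVER,
                                 SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, sys_path,
                                 NULL, NULL, NULL, NULL, NULL);
    if (!s && GetLastError() == ERROR_SERVICE_EXISTS) s = OpenServiceA(scm, svc, SERVICE_ALL_ACCESS);
    int ok = s && (StartServiceA(s, 0, NULL) || GetLastError() == ERROR_SERVICE_ALREADY_RUNNING);
    if (s) CloseServiceHandle(s);
    CloseServiceHandle(scm);
    return ok;
}

/* Route 2: NtLoadDriver.  The service key must already exist (it is what the
 * SCM would have written), and SeLoadDriverPrivilege must be *enabled* in the
 * token: administrators hold it, but disabled by default. */
typedef LONG (NTAPI *NtLoadDriver_t)(PUNICODE_STRING);

int load_via_ntloaddriver(const char *svc, const char *sys_path)
{
    char key[256], img[512], sub[256];
    if (!nt_service_key(svc, key, sizeof key) || !nt_image_path(sys_path, img, sizeof img)) return 0;
    snprintf(sub, sizeof sub, "System\\CurrentControlSet\\Services\\%s", svc);
    HKEY h; DWORD type = SERVICE_KERNEL_DRIVER, start = SERVICE_DEMAND_START, errc = SERVICE_ERROR_NORMAL;
    if (RegCreateKeyExA(HKEY_LOCAL_MACHINE, sub, 0, NULL, 0, KEY_SET_VALUE, NULL, &h, NULL)) return 0;
    RegSetValueExA(h, "ImagePath", 0, REG_EXPAND_SZ, (const BYTE *)img, (DWORD)strlen(img) + 1);
    RegSetValueExA(h, "Type", 0, REG_DWORD, (const BYTE *)&type, sizeof type);
    RegSetValueExA(h, "Start", 0, REG_DWORD, (const BYTE *)&start, sizeof start);
    RegSetValueExA(h, "ErrorControl", 0, REG_DWORD, (const BYTE *)&errc, sizeof errc);
    RegCloseKey(h);

    HANDLE tok; TOKEN_PRIVILEGES tp = { 1 };
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &tok)) return 0;
    if (!LookupPrivilegeValueA(NULL, "SeLoadDriverPrivilege", &tp.Privileges[0].Luid)) { CloseHandle(tok); return 0; }
    AdjustTokenPrivileges(tok, FALSE, &tp, 0, NULL, NULL);
    BOOL have = GetLastError() == ERROR_SUCCESS;   /* ERROR_NOT_ALL_ASSIGNED: token lacks the privilege */
    CloseHandle(tok);
    if (!have) return 0;

    NtLoadDriver_t fn = (NtLoadDriver_t)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtLoadDriver");
    WCHAR wkey[256]; UNICODE_STRING us;
    int len = MultiByteToWideChar(CP_ACP, 0, key, -1, wkey, 256);   /* count includes the NUL */
    if (!fn || len <= 0) return 0;
    us.Buffer = wkey;
    us.Length = (USHORT)((len - 1) * sizeof(WCHAR));
    us.MaximumLength = (USHORT)(len * sizeof(WCHAR));
    return fn(&us) >= 0;                                             /* NT_SUCCESS */
}
#endif

int main(void)
{
    printf("service key : %s\nImagePath   : %s\n", demo_service_key(), demo_image_path());
#ifdef _WIN32
    printf("SCM load: %d\n", load_via_scm("hl2draw", "C:\\tools\\hl2draw.sys"));
#endif
    return 0;
}
```

Either route reads the .sys from the ImagePath on disk, and DriverEntry then receives that service key as its RegistryPath. The privilege point in the post is the usual failure: CreateService needs an elevated administrator token, and NtLoadDriver returns STATUS_PRIVILEGE_NOT_HELD until SeLoadDriverPrivilege is enabled, which the AdjustTokenPrivileges call above does (ERROR_NOT_ALL_ASSIGNED afterwards means the token does not hold it at all). On 64-bit Windows from Vista onward the kernel also refuses an unsigned driver on both routes unless test-signing mode is on.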

Posted: Sat Aug 15, 2009 5:49 am
by iconic
Without giving away too much information... you can receive alerts of process creation events from kernel callback functions such as PsSetCreateProcessNotifyRoutine() or PsSetCreateThreadNotifyRoutine(). Inside, you will get notification of whether the process is being created or terminated, along with the process ID and parent process ID. Basically, with this you will always get notified of a process creation at a convenient time, since the process hasn't executed any code yet; as a matter of fact, to prove this you can sleep in the callback and witness the process not even being created yet. My recommendation in ring0 is to queue an asynchronous procedure call from within your driver.

All you need is the virtual address of LoadLibrary() in ring3 and the full path of your injected DLL. Lucky for you, system DLLs such as ntdll and kernel32 are always mapped at the same virtual address in each process by default (unless a relocation occurs, which shouldn't really happen with ntdll or kernel32)... Just remember, however, not all processes have to link with certain DLLs; you might read into 100% native processes, which only need ntdll (e.g. SMSS).

Good luck young warrior!

--Iconic
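
The step iconic leaves implicit, resolving LoadLibrary's address from ring0, as an added example (not iconic's or madCodeHook's code, and not from the thread). Because kernel32 sits at one base in every process (with ASLR on Vista and later that base changes per boot but is shared by all processes in that boot), a driver can find LoadLibraryW's RVA by walking the export table of the mapped image, for instance at the ImageBase that a PsSetLoadImageNotifyRoutine callback reports for kernel32.dll in the new process, and add it to that base for the APC. The parser below is plain C; it runs against a constructed PE32+ image with a made-up export table, since no real kernel32 is available here. It bounds-checks every offset and rejects forwarded exports, the two things that go wrong when the headers come from memory you do not control:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian field reads/writes.  PE is little-endian, and the sample
 * below is written with the same helpers, so the code is host-independent. */
static uint16_t rd16(const uint8_t *p, size_t o) { uint16_t v; memcpy(&v, p + o, 2); return v; }
static uint32_t rd32(const uint8_t *p, size_t o) { uint32_t v; memcpy(&v, p + o, 4); return v; }
static void wr16(uint8_t *p, size_t o, uint16_t v) { memcpy(p + o, &v, 2); }
static void wr32(uint8_t *p, size_t o, uint32_t v) { memcpy(p + o, &v, 4); }
static int in_range(size_t size, uint64_t off, uint64_t len) { return off <= size && len <= size - off; }

/* Look up an export by name in a PE image mapped the way the loader maps it
 * (so RVA == offset from the image base; this is NOT true of the file on disk).
 * Returns the export's RVA, or 0 if the name is absent, the export is a
 * forwarder, or the headers are malformed.  Every offset is bounds-checked:
 * a driver applying this to user memory must not trust what it reads. */
uint32_t find_export_rva(const uint8_t *img, size_t size, const char *name)
{
    if (!in_range(size, 0, 64) || rd16(img, 0) != 0x5A4D) return 0;           /* "MZ" */
    uint32_t nt = rd32(img, 60);                                               /* e_lfanew */
    if (!in_range(size, nt, 26) || rd32(img, nt) != 0x00004550) return 0;     /* "PE\0\0" */
    size_t opt = nt + 24;                                                      /* optional header */
    uint16_t magic = rd16(img, opt);
    size_t dir = magic == 0x20B ? opt + 112 : magic == 0x10B ? opt + 96 : 0;  /* PE32+ / PE32 */
    if (!dir || !in_range(size, dir, 8)) return 0;
    uint32_t exp = rd32(img, dir), exp_size = rd32(img, dir + 4);             /* DataDirectory[0] */
    if (!exp || !in_range(size, exp, 40)) return 0;                            /* IMAGE_EXPORT_DIRECTORY */
    uint32_t nfunc = rd32(img, exp + 20), nnames = rd32(img, exp + 24);
    uint32_t aof = rd32(img, exp + 28), aon = rd32(img, exp + 32), aoo = rd32(img, exp + 36);
    if (!in_range(size, aof, 4ull * nfunc) || !in_range(size, aon, 4ull * nnames) ||
        !in_range(size, aoo, 2ull * nnames)) return 0;
    size_t want = strlen(name) + 1;                                            /* compare the NUL too */
    for (uint32_t i = 0; i < nnames; i++) {
        uint32_t nrva = rd32(img, aon + 4u * i);
        if (!in_range(size, nrva, want) || memcmp(img + nrva, name, want) != 0) continue;
        uint16_t ord = rd16(img, aoo + 2u * i);
        if (ord >= nfunc) return 0;
        uint32_t frva = rd32(img, aof + 4u * ord);
        /* An RVA that points back into the export directory is a forwarder
         * string ("OTHERDLL.Name"), not code: it must be resolved elsewhere. */
        if (frva >= exp && frva < exp + exp_size) return 0;
        return frva;
    }
    return 0;
}

/* Constructed stand-in for a mapped kernel32: a PE32+ header plus an export
 * directory with three sorted names, one of them a forwarder.  Not a real
 * module; every RVA is made up. */
#define SAMPLE_SIZE 0x400
static uint8_t sample[SAMPLE_SIZE];

const uint8_t *build_sample_image(void)
{
    static const char *names[3] = { "Forwarded", "LoadLibraryA", "LoadLibraryW" };
    static const uint32_t name_off[3] = { 0x360, 0x370, 0x380 };
    static const uint32_t func_rva[3] = { 0x390, 0x1000, 0x2000 };   /* 0x390 = forwarder text */
    memset(sample, 0, sizeof sample);
    wr16(sample, 0, 0x5A4D);                 /* e_magic "MZ" */
    wr32(sample, 60, 64);                    /* e_lfanew */
    wr32(sample, 64, 0x00004550);            /* "PE\0\0" */
    wr16(sample, 64 + 24, 0x20B);            /* optional header magic: PE32+ */
    wr32(sample, 64 + 24 + 112, 0x300);      /* export directory RVA */
    wr32(sample, 64 + 24 + 116, 0x100);      /* export directory size */
    wr32(sample, 0x300 + 20, 3);             /* NumberOfFunctions */
    wr32(sample, 0x300 + 24, 3);             /* NumberOfNames */
    wr32(sample, 0x300 + 28, 0x330);         /* AddressOfFunctions */
    wr32(sample, 0x300 + 32, 0x340);         /* AddressOfNames */
    wr32(sample, 0x300 + 36, 0x350);         /* AddressOfNameOrdinals */
    for (uint32_t i = 0; i < 3; i++) {
        wr32(sample, 0x330 + 4 * i, func_rva[i]);
        wr32(sample, 0x340 + 4 * i, name_off[i]);
        wr16(sample, 0x350 + 2 * i, (uint16_t)i);
        memcpy(sample + name_off[i], names[i], strlen(names[i]) + 1);
    }
    memcpy(sample + 0x390, "KERNELBASE.Forwarded", sizeof "KERNELBASE.Forwarded");
    return sample;
}

/* Lookup against the sample.  `truncated` passes a size that cuts the export
 * tables off, the way a partially mapped or hostile image would look. */
uint32_t sample_lookup(const char *name, int truncated)
{
    return find_export_rva(build_sample_image(), truncated ? 0x310 : SAMPLE_SIZE, name);
}

int main(void)
{
    /* A driver adds this RVA to the kernel32 base reported for the target
     * process to get the LoadLibraryW address the APC will call. */
    printf("LoadLibraryW RVA: 0x%x\n", sample_lookup("LoadLibraryW", 0));
    printf("Forwarded export resolves to: 0x%x\n", sample_lookup("Forwarded", 0));
    return 0;
}
```

Two caveats that follow from the post: the process-creation callback fires before the new process has mapped kernel32, so the image-load notification for kernel32.dll (or the first thread-creation notification) is where this lookup and the APC make sense; and a native process that never loads kernel32, such as SMSS, has nothing to resolve, so the driver should skip a process in which the export is not found rather than queue an APC to a bogus address.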

Posted: Sat Aug 15, 2009 4:41 pm
by aiwnjoo
Without all the required instructions you provided, I managed to create a simple injector to load the driver into memory, pretty much the same way as I inject DLLs, but by using services extracted from Device Manager.

Now I can host my driver and spawn it at the user's request without storing it on the local drive.

Thanks a lot, dudes.