Is this possible from Kernel Mode?

I have a DLL I want to save in Resource, and I want to use the following: FindResource(), LoadResource(), LockResource(), SizeOfResource() to load a DLL from the driver and then use SetWindowsHookEx() to do a global DLL injection. I have done this via a normal .exe file; now I want to ask if this is even possible when doing something like this with drivers. Please let me know, as I am quite new to driver development, although I have done a couple of things in Windows earlier.

Kate
  • Technically yes, you don't even need to do it in kernel mode? You just need a userspace component to your driver that loads it. – Mgetz Jun 03 '19 at 15:22
  • By userspace component, can you elaborate more? Do I need to have an embedded .exe file that can actually handle such? – Kate Jun 03 '19 at 15:24
  • You can inject a dll from the kernel but not the way you described. You don't have functions like FindResource, LoadResource, LockResource in kernel mode. You would need to learn how to manually map the driver into processes in usermode. As @Mgetz said, you can have your driver communicate to usermode using DeviceIoControl. – Irelia Jun 03 '19 at 15:27
  • "By userspace component", I'd add a new .c file and add the #include in the driver, correct? – Kate Jun 03 '19 at 15:27
  • No. Userspace components and drivers are two completely different things. The usermode SDK is not the same as the driver development kit. They would need to be two separate modules. One driver, one userspace executable. – Irelia Jun 03 '19 at 15:29
  • @Nina .. Oh that? Guess I have to have a look at that then – Kate Jun 03 '19 at 15:29
  • @Nina, by Manual Mapping? Do you imply shellcode and codecave injection? Extracting the shellcode and using the shellcode to inject into the process? – Kate Jun 03 '19 at 15:39
  • By manual mapping I mean allocating memory in the remote process, writing the dll's PE headers and each section of the dll, then fixing the relative virtual addresses in the injected module so they use their new injected base address. – Irelia Jun 03 '19 at 15:42
  • @Kate: You should state what your end goal is. Using a kernel driver is not an end goal and sounds like it's probably the wrong approach here (unnecessarily complicated). – 500 - Internal Server Error Jun 03 '19 at 15:44
  • Injecting a simple messageBox dll into a process. @500-InternalServerError – Kate Jun 03 '19 at 15:49
  • Well, you can do it from a driver as I explained. It's just a lot of unnecessary work and if you're new to driver development, you'll hit a lot of pitfalls. – Irelia Jun 03 '19 at 15:56
  • @Kate if your driver has a usermode driver framework component, that component can load the DLL as it's in regular old usermode. – Mgetz Jun 03 '19 at 19:05
  • Possible duplicate of [How to display a pop-up message box from a driver (kernel mode)?](https://stackoverflow.com/questions/9897693/how-to-display-a-pop-up-message-box-from-a-driver-kernel-mode) – paulsm4 Jun 07 '19 at 16:18