drvmap – driver manual mapper using capcom
How it works
It uses the vulnerable Capcom driver (here is a writeup on it by @MarkHC) to manually map an (unsigned) driver into kernel space, similar to Blackbone and Turla Driver Loader. Most of the fixing up of the driver image (relocations, imports) happens in user mode, so a bug there is far less likely to BSOD you than one in kernel code.
It uses ExAllocatePool (I know it's deprecated, but it tags the allocation with the default pool tag, so the allocation doesn't stand out) to allocate the memory for the driver. The PE headers are wiped afterwards so the mapped image doesn't carry an MZ/PE beacon in pool memory. This is in no way perfect, and I'm not quite happy with the error handling just yet.
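To make the user-mode "fixing up" concrete, here is an added example (not drvmap's own code) of the two steps a mapper of this kind performs on the image buffer before copying it into the pool allocation: walking the .reloc table and patching every DIR64 pointer by the delta between the linked ImageBase and the allocation address, then zeroing the headers. The structure layout and relocation type values follow the PE/COFF specification; the mini-image, the base addresses and the header size are constructed for the demonstration rather than parsed from a real PE, and only x64 (DIR64) relocations are handled.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* IMAGE_BASE_RELOCATION as laid out in the PE/COFF spec; WORD entries follow it. */
typedef struct {
    uint32_t VirtualAddress;   /* RVA of the page this block covers */
    uint32_t SizeOfBlock;      /* header plus entries, in bytes */
} IMAGE_BASE_RELOCATION;

#define IMAGE_REL_BASED_ABSOLUTE 0   /* alignment padding, nothing to patch */
#define IMAGE_REL_BASED_DIR64   10   /* 64-bit absolute address: add the delta */

/*
 * Patch every DIR64 relocation so an image linked for linked_base runs at
 * target_base. image is the user-mode copy, reloc_rva/reloc_size come from the
 * .reloc data directory. Returns the number of pointers patched, or -1 if the
 * table runs outside the image or uses a type this x64-only example ignores.
 */
long apply_relocations(uint8_t *image, size_t image_size,
                       uint64_t linked_base, uint64_t target_base,
                       uint32_t reloc_rva, uint32_t reloc_size)
{
    uint64_t delta = target_base - linked_base;   /* unsigned wrap is intended */
    long applied = 0;

    if ((size_t)reloc_rva + reloc_size > image_size)
        return -1;
    if (delta == 0)                /* linked where it will run: nothing to do */
        return 0;

    uint32_t pos = 0;
    while (pos + sizeof(IMAGE_BASE_RELOCATION) <= reloc_size) {
        IMAGE_BASE_RELOCATION blk;
        memcpy(&blk, image + reloc_rva + pos, sizeof blk);
        if (blk.SizeOfBlock < sizeof blk || (size_t)pos + blk.SizeOfBlock > reloc_size)
            return -1;             /* malformed block: refuse rather than scribble */

        uint32_t count = (blk.SizeOfBlock - sizeof blk) / sizeof(uint16_t);
        const uint8_t *entries = image + reloc_rva + pos + sizeof blk;
        for (uint32_t i = 0; i < count; i++) {
            uint16_t entry;
            memcpy(&entry, entries + i * sizeof entry, sizeof entry);
            uint16_t type = entry >> 12;
            size_t rva = (size_t)blk.VirtualAddress + (entry & 0xFFF);

            if (type == IMAGE_REL_BASED_ABSOLUTE)
                continue;
            if (type != IMAGE_REL_BASED_DIR64 || rva + sizeof(uint64_t) > image_size)
                return -1;

            uint64_t value;
            memcpy(&value, image + rva, sizeof value);
            value += delta;
            memcpy(image + rva, &value, sizeof value);
            applied++;
        }
        pos += blk.SizeOfBlock;
    }
    return applied;
}

/* Zero the PE headers so the mapped image does not start with "MZ"/"PE". */
void wipe_headers(uint8_t *image, size_t size_of_headers)
{
    memset(image, 0, size_of_headers);
}

/* ---- constructed demo image: only the bytes the code above touches ---- */
#define LINKED_BASE 0x140000000ULL          /* assumed ImageBase from the optional header */
#define TARGET_BASE 0xFFFFF80012340000ULL   /* assumed pool allocation address */
#define RELOC_RVA   0x2000
#define RELOC_SIZE  16

uint8_t g_image[0x3000];

/* Three absolute pointers in the "code" page at RVA 0x1000, one .reloc block covering it. */
void build_demo_image(void)
{
    uint64_t ptrs[3] = { LINKED_BASE + 0x1100, LINKED_BASE + 0x2000, LINKED_BASE + 0x1040 };
    IMAGE_BASE_RELOCATION blk = { 0x1000, RELOC_SIZE };
    uint16_t entries[4] = {
        (IMAGE_REL_BASED_DIR64 << 12) | 0x000,
        (IMAGE_REL_BASED_DIR64 << 12) | 0x010,
        (IMAGE_REL_BASED_DIR64 << 12) | 0x020,
        IMAGE_REL_BASED_ABSOLUTE,             /* pads the block to a 4-byte boundary */
    };
    memset(g_image, 0, sizeof g_image);
    memcpy(g_image, "MZ", 2);                 /* stand-in header bytes for wipe_headers */
    memcpy(g_image + 0x1000, &ptrs[0], 8);
    memcpy(g_image + 0x1010, &ptrs[1], 8);
    memcpy(g_image + 0x1020, &ptrs[2], 8);
    memcpy(g_image + RELOC_RVA, &blk, sizeof blk);
    memcpy(g_image + RELOC_RVA + sizeof blk, entries, sizeof entries);
}

uint64_t pointer_at(size_t rva)
{
    uint64_t v;
    memcpy(&v, g_image + rva, sizeof v);
    return v;
}

/* Full user-mode fix-up pass on the demo image; returns the relocation count. */
long fixup_demo(void)
{
    build_demo_image();
    long n = apply_relocations(g_image, sizeof g_image, LINKED_BASE, TARGET_BASE,
                               RELOC_RVA, RELOC_SIZE);
    if (n < 0)
        return n;
    wipe_headers(g_image, 0x400);   /* real code takes SizeOfHeaders from the optional header */
    return n;
}

int main(void)
{
    long n = fixup_demo();
    printf("patched %ld pointers; first now 0x%llx\n", n, (unsigned long long)pointer_at(0x1000));
    return n < 0;
}
```

Two design points carry over to the real thing: the relocation walk validates every block and entry against the buffer before writing, because a hostile or truncated image must fail in user mode rather than corrupt the pool copy, and `wipe_headers` is only safe after everything that needs the headers (relocation directory, import directory, entry point RVA) has already been read out of them.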
Your driver needs a custom entry point. For one, the mapper strips Microsoft's "CRT" for drivers, and the driver is called without a DRIVER_OBJECT having been created for it first. In theory you can hijack another driver's DRIVER_OBJECT if you want to be extra stealthy.
If you want your own DRIVER_OBJECT, I suggest using IoCreateDriver, which is undocumented but exported from ntoskrnl.
(The DRIVER_INITIALIZE callback you pass to it, DriverInitialize, is the "real" entry point here: it receives the freshly created DRIVER_OBJECT.)
Keep in mind that you should not use the parameters of your entry point for what they're intended: in drvmap I pass the base of the allocation and its size to the driver in their place.
Turla Driver Loader's dummy drivers should work just fine.
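As an added example (not drvmap's code and not Turla Driver Loader's dummy driver), this is what a driver written against these rules can look like: an entry point that treats its two arguments as the allocation base and size rather than as DriverObject and RegistryPath, then asks IoCreateDriver for a DRIVER_OBJECT and does the usual initialisation in the DRIVER_INITIALIZE callback. It builds against the WDK and only makes sense when loaded by a mapper. The driver name, the DbgPrintEx output and the IoCreateDriver prototype (undocumented, declared here as it appears in ReactOS) are assumptions.

```c
#include <ntddk.h>

/* Undocumented but exported by ntoskrnl; prototype assumed as declared in ReactOS. */
NTSTATUS IoCreateDriver(PUNICODE_STRING DriverName, PDRIVER_INITIALIZE InitializationFunction);

static PVOID  g_ImageBase;   /* pool allocation the mapper placed this image in */
static SIZE_T g_ImageSize;

static NTSTATUS DispatchCreateClose(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);
    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

/* The "real" entry point: runs with the DRIVER_OBJECT IoCreateDriver just created. */
static NTSTATUS DriverInitialize(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);   /* a mapped driver has no service key */

    DriverObject->MajorFunction[IRP_MJ_CREATE] = DispatchCreateClose;
    DriverObject->MajorFunction[IRP_MJ_CLOSE]  = DispatchCreateClose;
    /* No DriverUnload: the image sits in pool memory and is not unloaded by the I/O manager. */

    DbgPrintEx(DPFLTR_IHVDRIVER_ID, DPFLTR_ERROR_LEVEL,
               "mapped driver at %p, %llu bytes\n", g_ImageBase, (ULONGLONG)g_ImageSize);
    return STATUS_SUCCESS;
}

/*
 * Mapper entry point (the image's entry point). The slots that would normally
 * hold DriverObject and RegistryPath carry the allocation base and size, so
 * they must never be dereferenced as such.
 */
NTSTATUS MappedEntry(PVOID ImageBase, SIZE_T ImageSize)
{
    UNICODE_STRING name = RTL_CONSTANT_STRING(L"\\Driver\\MappedExample");   /* assumed name */

    if (ImageBase == NULL || ImageSize == 0)
        return STATUS_INVALID_PARAMETER;
    g_ImageBase = ImageBase;
    g_ImageSize = ImageSize;

    return IoCreateDriver(&name, DriverInitialize);
}
```

Because no service registry key exists for a mapped image, anything that would normally read configuration from RegistryPath has to get it another way (for example from the mapper, as drvmap does with base and size), and the IoCreateDriver call is where the "system thread" caveat listed below would bite if it applies on your build.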
Known issues
- There is no simple way of unloading your driver (besides the restart button).
- Imports by ordinal are currently not resolved (too lazy, and there's RtlFindExportedRoutineByName for named exports).
- It has only been tested on Win 10 and probably only supports Win 10.
- You need to unload / clean up the Capcom driver manually, e.g. remove its trace from MmUnloadedDrivers.
- You're bound to the timing issues of the Capcom driver (they haven't impacted me once).
- I've been hearing that IoCreateDriver may bluescreen if not run in a system thread. I've not experienced that myself, neither on my VM nor on my main machine.
- SEH is not fixed up (the exception directory is not registered with the kernel), so don't rely on __try/__except in the mapped driver.
What you need to do
- Start the Capcom driver (sc start capcom; it has to be registered as a kernel service with sc create first)
- drvmap.exe <driver image>
- Unload / remove the Capcom driver from inside your driver
- Clear the MmUnloadedDrivers entry or make it look more legitimate