I wanted to write an article on kernel mode development but nothing seemed like an interesting idea. That’s when I remembered rootkits exist.

Now, we won’t really write anything malicious, but I think it makes for a fun introduction to driver development.

Not every “rootkit” is malicious, many security protection programs function in a similar manner. Even many anti-cheating systems in games now implement a kernel component.

I am not and do not claim to be an expert on kernel mode development so if you see anything I did that is wrong, do let me know :)

The “rootkit” will communicate with a kernel driver and prevent some process from being started. For this case it will be notepad.

Requirements

C++
Some Windows knowledge

Even if you only know C, you should be able to follow along.

Setup

Host machine

We will write a kernel driver so we need several things installed.

Virtual machine running Windows 10 x64
Visual Studio
Windows Driver Kit

The virtual machine is required since a crash on your driver is a crash of Windows, which would not be very nice. You also can’t use a kernel debugger on your own machine because setting a breakpoint would freeze the entire machine (I will not cover WinDbg usage here).

Virtual machine

Now, on your virtual machine we will need enable “test signing”. This is due to the fact all kernel drivers need to be signed on x64 Windows which is not very convenient for development.

On a command prompt running with elevated privileges: bcdedit /set testsigning on.

Next, we will need to download DebugView which lets us see output from the driver (kernel mode “printf” equivalent). For DebugView to work for kernel mode, we need to create a registry key.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\Debug Print Filter

Under the new registry key, create a value “DEFAULT” of DWORD type and set it to 0xFFFFFFFF.

Restart the virtual machine to apply the changes.

Development

On your host machine, if you installed WDK correctly, you should see a project type “Empty WDM Driver”. Name it what name you prefer and create it.

We have created a blank driver, but we will also need a user mode component that will communicate with the driver. Add a new project to the solution of type “Console App (C++)”.

RootkitClient
- RootkitClient.cpp
Rootkit
- Rootkit.cpp
- RootkitCommon.h

Rootkit.cpp - driver code
RootkitCommon.h - shared code between kernel mode and client
RootkitClient.cpp - user mode component

Let’s turn our attention to Rootkit.cpp

I will explain everything in the boilerplate so don’t worry if it makes no sense right now.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42


#include <ntddk.h>

#include <ntddk.h>
#include "RootkitCommon.h"

#define DEVICE_NAME L"\\Device\\SimpleRootkit"
#define SYMLINK L"\\??\\SimpleRootkit"

void RootkitUnload(PDRIVER_OBJECT DriverObject)
{

}

NTSTATUS RootkitCreateClose(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
	UNREFERENCED_PARAMETER(DeviceObject);
	Irp->IoStatus.Status = STATUS_SUCCESS;
	Irp->IoStatus.Information = 0;
	IoCompleteRequest(Irp, 0);
	return STATUS_SUCCESS;
}

NTSTATUS RootkitDeviceControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
	UNREFERENCED_PARAMETER(DeviceObject);
	Irp->IoStatus.Status = STATUS_SUCCESS;
	Irp->IoStatus.Information = 0;
	IoCompleteRequest(Irp, 0);
	return STATUS_SUCCESS;
}

extern "C"
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
	UNREFERENCED_PARAMETER(RegistryPath);
	DriverObject->DriverUnload = RootkitUnload;
	DriverObject->MajorFunction[IRP_MJ_CREATE] = RootkitCreateClose;
	DriverObject->MajorFunction[IRP_MJ_CLOSE] = RootkitCreateClose;
	DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = RootkitDeviceControl;
	
	return STATUS_SUCCESS;
}

Let’s start with DriverEntry.

This can be considered the “main” function of the kernel driver.

extern “C” is required as this function is exported and requires C linkage.

Now, by default all warnings are treated as errors, including unused variables. What “UNREFERENCED_PARAMETER” does is it “references” RegistryPath so we do not receive an error. We could have left the parameter name out but I wanted to present the complete function signature here.

We set “RootkitUnload” as the function that is called when the driver is unloaded. If we don’t free resources we are using, we will have a resource leak until the next reboot, unlike in user code where Windows will clean up resources left by the process.

A driver can choose to handle several “I/O request packets” (IRP) from user mode or kernel mode and for those we provide dispatch routines.

Code can interact with drivers in much the same way it interacts with files, it does not mean our driver deals with file or network I/O. This will become clearer in a moment.

We register three functions:

IRP_MJ_CREATE - When we create an handle to our driver using CreateFile.
IRP_MJ_CLOSE - When the last handle is closed
IRP_MJ_DEVICE_CONTROL - When DeviceIoControlis used from client mode

IRP_MJ_CREATE and IRP_MJ_CLOSE are set to the same function. All the function does is set everything to “ok” on the IRP and returns success.

IRP_MJ_DEVICE_CONTROL currently is not doing anything, but it will receive a “control code” from user mode and an input and output buffer. This is what we will use to communicate between user mode and kernel mode.

Device Object

So user mode can communicate with our driver, we need to set up a Device Object so it can receive IRPs, and then create a symbolic link to it so that an handle can be opened to it using CreateFile.

After this we will turn to writing the start of RootkitClient which hopefully will make everything clearer.

DriverEntry

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29


UNICODE_STRING devName = RTL_CONSTANT_STRING(DEVICE_NAME);
PDEVICE_OBJECT DeviceObject;

NTSTATUS status = IoCreateDevice(
    DriverObject,
    0,
    &devName,
    FILE_DEVICE_UNKNOWN,
    0,
    FALSE,
    &DeviceObject
);

if (CHECK_ERRORS(status))
{
    return status;
}

UNICODE_STRING symLink = RTL_CONSTANT_STRING(SYMLINK);

status = IoCreateSymbolicLink(&symLink, &devName);

if (CHECK_ERRORS(status))
{
    IoDeleteDevice(DeviceObject);
    return status;
}

return STATUS_SUCCESS;

We create a device object, and then create a symlink to it so it can be accessed from our RootkitClient using CreateFile.

CHECK_ERRORS is a helper I wrote to print errors and return true/false if one exists.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11


#define CHECK_ERRORS( status ) CheckErrors(status, __FILE__, __LINE__)

bool CheckErrors(NTSTATUS status, const char* file, int line)
{
	if (!NT_SUCCESS(status))
	{
		KdPrint((DRIVER_NAME "encountered an error (0x%08X) on %s %d\n", status, file, line));
		return true;
	}
	return false;
}

Before moving onto the client code, we need to define a control code for IRP_MJ_DEVICE_CONTROL.

RootkitCommon.h

1
2


#define ROOTKIT_DEVICE 0x8000
#define IOCTL_ROOTKIT_PREVENT_START CTL_CODE(ROOTKIT_DEVICE, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)

IOCTL_ROOTKIT_PREVENT_START will be our control code to monitor an executable and prevent it from starting.

It is created using the CTL_CODE macro. ROOTKIT_DEVICE is the device type for hardware drivers, but since we won’t be dealing with them we should use 0x8000 as recommended by Microsoft.

After is the operation number, it does not matter but should start with 0x800.

RootkitClient.cpp

On our client code, we will place the following:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34


#include <cstdio>
#include <Windows.h>
#include "../SimpleRootkit/RootkitCommon.h";
#include <wchar.h>

int main()
{
	HANDLE device = CreateFile(L"\\\\.\\SimpleRootkit", GENERIC_WRITE, FILE_SHARE_WRITE, nullptr, OPEN_EXISTING, 0, nullptr);

	if (device == INVALID_HANDLE_VALUE) {
		printf("Couldn't open device.\n");
		return 0;
	}

	DWORD bytesReturned;

	WCHAR executableName[] = L"\\Windows\\System32\\notepad.exe";
	size_t len = (wcslen(executableName) + 1) * sizeof(WCHAR);

	DWORD result = DeviceIoControl(device, IOCTL_ROOTKIT_PREVENT_START, executableName, len, nullptr, 0, &bytesReturned, nullptr);

	CloseHandle(device);

	if (result)
	{
		printf("%s", "Try starting notepad.exe!\n");
	}

	else
	{
		printf("%s", "An error occurred, check DebugView\n");
	}

}

There is not a lot there, and if we ignore the error checking, we only have have a few small relevant things.

We open an handle to the device object using the symlink created and prepare the data to be sent.

The most important function here is DeviceIoControl which will be handled by IRP_MJ_DEVICE_CONTROL. We send a WCHAR buffer and the length in bytes.

Now, we need to actually implement the functionality to monitor the process starting. Let’s implement RootkitDeviceControl first.

Rootkit.cpp

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38



NTSTATUS RootkitDeviceControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
	PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);
	NTSTATUS status = STATUS_SUCCESS;
	do
	{
		if (stack->Parameters.DeviceIoControl.IoControlCode != IOCTL_ROOTKIT_PREVENT_START)
		{
			status = STATUS_INVALID_DEVICE_REQUEST;
			CHECK_ERRORS(status);
			break;
		}

		WCHAR* executableName = (WCHAR*)Irp->AssociatedIrp.SystemBuffer;

		if (executableName == nullptr)
		{
			status = STATUS_INVALID_PARAMETER;
			CHECK_ERRORS(status);
			break;
		}

		RtlInitUnicodeString(&CURRENT_EXECUTABLE, executableName);

		KdPrint(("Prevent %wZ from being started.\n", CURRENT_EXECUTABLE));

	} while (false);


	UNREFERENCED_PARAMETER(DeviceObject);

	Irp->IoStatus.Status = status;
	Irp->IoStatus.Information = 0;

	IoCompleteRequest(Irp, 0);
	return status;
}

If we ignore the error checking (which you should never do in kernel mode), we have the following:

1
2
3


PIO_STACK_LOCATION stack = IoGetCurrentIrpStackLocation(Irp);
WCHAR* executableName = (WCHAR*)Irp->AssociatedIrp.SystemBuffer;
RtlInitUnicodeString(&CURRENT_EXECUTABLE, executableName);

We need to retrieve our current stack location, this is due to the fact that drivers can operate in “layers”.

After some error checking, we retrieve the executable path from the client and initialize CURRENT_EXECUTABLE with it.

Next we need to monitor for the process start. We can use callbacks for that. On DriverEntry we setup a callback for process creation so that we are notified each time a process is created or terminated.

1
2
3
4
5
6
7


status = PsSetCreateProcessNotifyRoutineEx(OnProcessNotify, FALSE);

if (CHECK_ERRORS(status))
{
    IoDeleteDevice(DeviceObject);
    return status;
}

We can remove the callback on Unload by setting the second argument to TRUE.

1
2
3
4
5
6
7


void RootkitUnload(PDRIVER_OBJECT DriverObject)
{
	UNICODE_STRING symLink = RTL_CONSTANT_STRING(SYMLINK);
	IoDeleteSymbolicLink(&symLink);
	PsSetCreateProcessNotifyRoutineEx(OnProcessNotify, TRUE);
	IoDeleteDevice(DriverObject->DeviceObject);
}

Next up, the last part: preventing the process from starting.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15


void OnProcessNotify(PEPROCESS Process, HANDLE ProcessId, PPS_CREATE_NOTIFY_INFO CreateInfo)
{
	UNREFERENCED_PARAMETER(Process);
	UNREFERENCED_PARAMETER(ProcessId);
	if (CreateInfo && CreateInfo->FileObject != nullptr 
		&& CURRENT_EXECUTABLE.Buffer != nullptr 
		&& CreateInfo->FileObject->FileName.Buffer != nullptr)
	{
		if (RtlCompareUnicodeString(&CreateInfo->FileObject->FileName, &CURRENT_EXECUTABLE, TRUE) == 0)
		{
			KdPrint(("Preventing %wZ from being started!\n", CreateInfo->FileObject->FileName));
			CreateInfo->CreationStatus = STATUS_ACCESS_DENIED;
		}
	}
}

We are only interested in process creation, and we can known that by the fact that CreateInfo is not NULL.

After some error checking, we use RtlCompareUnicodeString to make sure it’s our intended executable, and then set its CreationStatus to STATUS_ACCESS_DENIED. Doing this makes the process creation fail.

Deployment

Let’s move both SimpleRootkit.sys and RootkitClient.exe to the VM.

On a command prompt with elevated privileges:

sc create simplerootkit type= kernel binPath= c:\dev\simplerootkit.sys sc start simplerootkit

Make sure to have DbgView open and that you have selected Capture -> Capture Kernel.

Now run RootkitClient.exe and try to start notepad. You will not be able to.

Introducing Windows Drivers By Writing a Rootkit