是否可以从内存加载系统驱动程序而不直接接触文件系统?
[英]Is it posible to load a system driver from memory without it touching the filesystem directly?
问题描述
Is it possible to load a signed windows driver from memory without the file ever touching the disk?
是否可以从内存中加载已签名的 Windows 驱动程序而文件从未接触过磁盘? If it is possible, is it trivial to achieve or are there any obstacles to overcome.如果可能的话,实现起来是否微不足道,或者是否有任何障碍需要克服。 To clarify, the driver may exist on the disk at some point but in an encoded state.澄清一下,驱动程序可能在某个时刻存在于磁盘上,但处于编码状态。
For example, I know that it's possible to decode a payload from memory and inject it into another running process, but since that's technically a Windows "Feature" I'm not sure whether things are as easy when you're loading things into the kernel.例如,我知道可以从内存中解码有效负载并将其注入另一个正在运行的进程,但由于这在技术上是 Windows 的“功能”,我不确定当你将东西加载到内核时事情是否那么容易.
If it is possible, bonus points for sources.如果可能,请为来源加分。 All my search has turned up is people calling each other idiots and malware authors without actually getting into whether it's technically possible/feasable.我所有的搜索结果都是人们互相称白痴和恶意软件作者,而没有真正了解这在技术上是否可行/可行。
My use case is md5sum detection since to load drivers onto a 64 bit windows system they must be signed, and so the hash would be immutable.我的用例是 md5sum 检测,因为要将驱动程序加载到 64 位 Windows 系统上,它们必须经过签名,因此哈希值是不可变的。 If you can load drivers from memory then monitoring the file system wouldn't be sufficient for my needs.如果您可以从内存中加载驱动程序,那么监控文件系统将不足以满足我的需求。
1 个解决方案
解决方案1
1 已采纳 2020-01-23 18:23:35
No, Drivers have to have an entry in the service manager to point to some bin file.不,驱动程序必须在服务管理器中有一个条目指向某个 bin 文件。 this is part of the Service registry这是服务注册表的一部分
I know that windbg is able to replace the image of a driver, but it is from a kernel debugger using a map files我知道 windbg 能够替换驱动程序的映像,但它来自使用映射文件的内核调试器
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.