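├── README.md
├── driver.cpp
└── driver.h

/README.md:
--------------------------------------------------------------------------------
Driver Loader / Injection / Rootkit in C++ for Windows
==============

Intro
--------------
I wrote this project back in 2011 when I was playing a bit with injections.
The class is used to load drivers / rootkits into the Windows kernel.

CDriver_Loader has methods to load into and eject from the Windows kernel.


Usage
---------------
    CDriver_Loader* driver;
    try
    {
        driver = new CDriver_Loader();
        driver->InitSvc(L"c://rootkit.sys", L"driver", L"driver", SERVICE_DEMAND_START);
        cout << "Driver Loaded!" << endl;

        driver->CreateSvc();
        cout << "Driver Created!" << endl;
        driver->StartSvc();
        cout << "Driver Started!" << endl;

        cout << "Press any key to unload driver...";
        cin.get();
        driver->UnloadSvc();
        cout << "Driver unloaded!" << endl;
    }
    catch (std::exception &e)
    {
        cout << "Error:" << e.what() << endl;
    }

    delete driver;
--------------------------------------------------------------------------------
/driver.cpp:
--------------------------------------------------------------------------------
/* =========================================================
 * Driver.cpp
 * *********************************************************
 *
 * Class: CDriver_Loader
 *
 * Author: Dan Revah
 *
 * Date: 03/12/2011 (DD/MM/YYYY)
 * Version: 1.00
 *
 * (-!-) Kernel-mode driver loader
 * - Injecting into windows kernel
 * ======================================================== */

#include "driver.h"

#include <sstream>
#include <stdexcept>
#include <string>

namespace {

/* ===========================================================
 * formatError(prefix, code)
 *
 * - Builds "<prefix><win32 error code>" for exception messages.
 *
 * The original wrote `"literal" + GetLastError()`, which is pointer
 * arithmetic on the string literal (an out-of-bounds read for any
 * error code larger than the literal's length), not concatenation.
 */
std::string formatError(const char* prefix, DWORD code)
{
    std::ostringstream msg;
    msg << prefix << code;
    return msg.str();
}

/* ===========================================================
 * closeHandle(handle)
 *
 * - Releases an SCM / service handle if it is open and resets it to
 *   NULL, so the same handle is never closed twice.
 */
void closeHandle(SC_HANDLE& handle)
{
    if (handle != NULL)
    {
        CloseServiceHandle(handle);
        handle = NULL;
    }
}

} // namespace

/* ===========================================================
 * CDriver_Loader::CDriver_Loader()
 *
 * (*) Default Constructor - no service parameters yet; call InitSvc().
 */
CDriver_Loader::CDriver_Loader():
    mFilePath(NULL), mServiceName(NULL), mDisplayName(NULL),
    mStartType(0), mService(NULL),
    init(false), loaded(false), started(false)
{
}

/* ==========================================================================================================
 * CDriver_Loader::CDriver_Loader(LPTSTR filePath, LPTSTR serviceName, LPTSTR displayName, DWORD startType)
 *
 * (*) Initializing constructor
 *
 * Parameters:
 *   filePath    - The fully-qualified path to the driver binary
 *   serviceName - The service name
 *   displayName - The display name shown by the service manager
 *   startType   - The service start option (e.g. SERVICE_DEMAND_START)
 *
 * The strings are stored by pointer, not copied: they must stay valid
 * for the lifetime of this object.
 */
CDriver_Loader::CDriver_Loader(LPTSTR filePath, LPTSTR serviceName, LPTSTR displayName, DWORD startType):
    mFilePath(filePath), mServiceName(serviceName), mDisplayName(displayName),
    mStartType(startType), mService(NULL),
    init(true), loaded(false), started(false)
{
}

/* ====================================
 * CDriver_Loader::~CDriver_Loader()
 *
 * (*) Destructor - stops and removes the service if this object
 *     created it. Unloading is best effort here: a destructor must
 *     not let an exception escape.
 */
CDriver_Loader::~CDriver_Loader()
{
    try
    {
        UnloadSvc();
    }
    catch (const std::exception&)
    {
        // Nothing sensible to do in a destructor; the handle is still released below.
    }

    closeHandle(mService);

    mFilePath = NULL;
    mServiceName = NULL;
    mDisplayName = NULL;

    mStartType = 0;

    init = false;
    loaded = false;
    started = false;
}

/* ===========================================================
 * DWORD CDriver_Loader::CreateSvc()
 *
 * - Creating the driver service (or attaching to an existing one of
 *   the same name). Requires administrative rights; the Service
 *   Control Manager records every service installation in the System
 *   event log, so this step is auditable.
 *
 * Return Value
 *   If the function succeeds, the return value is SVC_OK
 *   If the function failed it will throw std::runtime_error
 */
DWORD CDriver_Loader::CreateSvc()
{
    if (!isInit())
        throw std::runtime_error("Service parameters are not initialized; call InitSvc() first");

    SC_HANDLE hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE);

    if (hSCManager == NULL)
        throw std::runtime_error(formatError("OpenSCManager Failed with error code: ", GetLastError()));

    closeHandle(mService); // a handle left from an earlier call would otherwise leak

    // dwDesiredAccess takes a SERVICE_* right; the original passed an
    // SC_MANAGER_* value, which is the wrong constant family.
    mService = CreateService(hSCManager, mServiceName, mDisplayName, SERVICE_ALL_ACCESS,
                             SERVICE_KERNEL_DRIVER, mStartType, SERVICE_ERROR_NORMAL,
                             mFilePath, NULL, NULL, NULL, NULL, NULL);

    if (mService == NULL)
    {
        // Typically ERROR_SERVICE_EXISTS: attach to the existing entry instead.
        mService = OpenService(hSCManager, mServiceName, SERVICE_ALL_ACCESS);

        if (mService == NULL)
        {
            // Capture the code before cleanup; CloseServiceHandle may overwrite it.
            const DWORD openError = GetLastError();
            closeHandle(hSCManager);
            throw std::runtime_error(formatError("CreateService Failed with error code: ", openError));
        }
    }

    closeHandle(hSCManager);
    loaded = true;

    return SVC_OK;
}

/* ============================================================================================================
 * DWORD CDriver_Loader::InitSvc(LPTSTR filePath, LPTSTR serviceName, LPTSTR displayName, DWORD startType)
 *
 * - Initializing the service parameters
 *
 * Parameters:
 *   filePath    - The fully-qualified path to the service binary file (required)
 *   serviceName - The service name (required)
 *   displayName - The display name (may be NULL)
 *   startType   - The service start options
 *
 * The strings are stored by pointer, not copied: they must outlive
 * this object.
 *
 * Return Value
 *   If the function succeeds or is already initialized, the return value is SVC_OK
 *   Throws std::invalid_argument if filePath or serviceName is NULL
 */
DWORD CDriver_Loader::InitSvc(LPTSTR filePath, LPTSTR serviceName, LPTSTR displayName, DWORD startType)
{
    if (isInit())
        return SVC_OK;

    if (filePath == NULL || serviceName == NULL)
        throw std::invalid_argument("InitSvc: filePath and serviceName must not be NULL");

    mFilePath = filePath;
    mServiceName = serviceName;
    mDisplayName = displayName;
    mStartType = startType;

    closeHandle(mService);

    init = true;
    loaded = false;
    started = false;

    return SVC_OK;
}

/* ==============================================================
 * DWORD CDriver_Loader::StartSvc()
 *
 * - Starting the driver service
 *
 * Each step opens the SCM and the service with only the right it
 * needs (connect + SERVICE_START) and closes both handles before
 * returning, so nothing is leaked between calls.
 *
 * Return Value
 *   If the function succeeds (or the driver is already running), the return value is SVC_OK
 *   If the function failed it will throw std::runtime_error
 *   A StartService failure on 64-bit Windows may reflect driver
 *   signature enforcement rather than a bad path; the error code
 *   in the message tells them apart.
 */
DWORD CDriver_Loader::StartSvc()
{
    if (!isLoaded())
        throw std::runtime_error("Service is not loaded");

    if (isStarted())
        return SVC_OK;

    SC_HANDLE hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CONNECT);

    if (hSCManager == NULL)
        throw std::runtime_error(formatError("OpenSCManager Failed with error code: ", GetLastError()));

    closeHandle(mService);
    mService = OpenService(hSCManager, mServiceName, SERVICE_START);

    if (mService == NULL)
    {
        const DWORD openError = GetLastError();
        closeHandle(hSCManager);
        throw std::runtime_error(formatError("OpenService Failed with error code: ", openError));
    }

    if (!StartService(mService, 0, NULL))
    {
        const DWORD startError = GetLastError();

        // Already running is the state we wanted; anything else is a failure.
        if (startError != ERROR_SERVICE_ALREADY_RUNNING)
        {
            closeHandle(mService);
            closeHandle(hSCManager);
            throw std::runtime_error(formatError("StartService Failed with error code: ", startError));
        }
    }

    closeHandle(mService);
    closeHandle(hSCManager);
    started = true;

    return SVC_OK;
}

/* ==============================================================
 * DWORD CDriver_Loader::StopSvc()
 *
 * - Stopping the driver service
 *
 * Return Value
 *   If the function succeeds (or the service was not started), the return value is SVC_OK
 *   If the function failed it will throw std::runtime_error
 */
DWORD CDriver_Loader::StopSvc()
{
    SERVICE_STATUS ss;

    if (!isStarted())
        return SVC_OK;

    SC_HANDLE hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CONNECT);

    if (hSCManager == NULL)
        throw std::runtime_error(formatError("OpenSCManager Failed with error code: ", GetLastError()));

    closeHandle(mService);
    mService = OpenService(hSCManager, mServiceName, SERVICE_STOP);

    if (mService == NULL)
    {
        const DWORD openError = GetLastError();
        closeHandle(hSCManager);
        throw std::runtime_error(formatError("OpenService Failed with error code: ", openError));
    }

    if (!ControlService(mService, SERVICE_CONTROL_STOP, &ss))
    {
        const DWORD controlError = GetLastError();
        closeHandle(mService);
        closeHandle(hSCManager);
        throw std::runtime_error(formatError("ControlService Failed with error code: ", controlError));
    }

    closeHandle(mService);
    closeHandle(hSCManager);
    started = false;

    return SVC_OK;
}

/* ==============================================================
 * DWORD CDriver_Loader::UnloadSvc()
 *
 * - Unloading the service: stops it if running, then marks it for
 *   deletion. Requires DELETE access on the service.
 *
 * Return Value
 *   If the function succeeds (or nothing is loaded), the return value is SVC_OK
 *   If the function failed it will throw std::runtime_error
 */
DWORD CDriver_Loader::UnloadSvc()
{
    if (!isLoaded())
        return SVC_OK;

    // StopSvc() throws on failure, so a plain call is sufficient here.
    if (isStarted())
        StopSvc();

    SC_HANDLE hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CONNECT);

    if (hSCManager == NULL)
        throw std::runtime_error(formatError("OpenSCManager Failed with error code: ", GetLastError()));

    closeHandle(mService);
    mService = OpenService(hSCManager, mServiceName, DELETE);

    if (mService == NULL)
    {
        const DWORD openError = GetLastError();
        closeHandle(hSCManager);
        throw std::runtime_error(formatError("OpenService Failed with error code: ", openError));
    }

    // The original ignored this result and reported success regardless.
    if (!DeleteService(mService))
    {
        const DWORD deleteError = GetLastError();
        closeHandle(mService);
        closeHandle(hSCManager);
        throw std::runtime_error(formatError("DeleteService Failed with error code: ", deleteError));
    }

    closeHandle(mService);
    closeHandle(hSCManager);

    loaded = false;

    return SVC_OK;
}
--------------------------------------------------------------------------------
/driver.h:
--------------------------------------------------------------------------------
/* =========================================================
 * Driver.h
 * *********************************************************
 *
 * Class: CDriver_Loader
 *
 * Author: Dan Revah
 *
 * Date: 03/12/2011 (DD/MM/YYYY)
 * Version: 1.00
 *
 * (-!-) Kernel-mode driver loader
 * - Injecting into windows kernel
 * ======================================================== */
#ifndef _DRIVER_H_
#define _DRIVER_H_

#include <windows.h>
#include <stdexcept>

/* Return value of every *Svc() method on success; failures throw. */
#define SVC_OK 0x01

/* ================================================
 * Begin CDriver_Loader Class Definition
 *
 * Wraps the Service Control Manager calls needed to install, start,
 * stop and remove a kernel-mode driver service. All operations need
 * administrative rights, and service installation is recorded by the
 * SCM in the System event log (event 7045).
 *
 * The object stores the parameter strings by pointer and may own one
 * SC_HANDLE; it is deliberately non-copyable so the handle is never
 * closed twice.
 * ================================================= */
class CDriver_Loader {

public:
    // Constructors
    CDriver_Loader();                                   // Default constructor
    CDriver_Loader(LPTSTR, LPTSTR, LPTSTR, DWORD);      // Initializing: file path, service name, display name, start type

    // Destructor - best-effort UnloadSvc(), never throws
    ~CDriver_Loader();

    // Status functions
    inline bool isInit() const { return init; }        // parameters set (InitSvc or initializing ctor)
    inline bool isLoaded() const { return loaded; }    // service entry exists (CreateSvc succeeded)
    inline bool isStarted() const { return started; }  // driver started (StartSvc succeeded)

    // Driver service functions - each returns SVC_OK or throws std::runtime_error
    DWORD InitSvc(LPTSTR filePath, LPTSTR serviceName, LPTSTR displayName, DWORD startType); // initializing the driver service
    DWORD CreateSvc();   // Creating the driver service
    DWORD StartSvc();    // Starting the driver service
    DWORD StopSvc();     // Stopping the driver service
    DWORD UnloadSvc();   // Unload (stop + delete) the driver service

private:
    // Non-copyable: copying would share and double-close mService.
    CDriver_Loader(const CDriver_Loader&);
    CDriver_Loader& operator=(const CDriver_Loader&);

    LPTSTR mFilePath;     // driver file path (not owned)
    LPTSTR mServiceName;  // service name (not owned)
    LPTSTR mDisplayName;  // display name (not owned, may be NULL)

    DWORD mStartType;     // start type

    SC_HANDLE mService;   // service's handle, NULL whenever no call is in progress

    // Status variables
    bool init;
    bool loaded;
    bool started;
};

#endif
--------------------------------------------------------------------------------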