A while ago I wrote a kind of driver for Windows that had to intercept the interaction between the native display driver and the OS. The native display driver consists of a miniport driver and a DLL loaded by win32k.sys into session space. My goal was to get between win32k.sys and this DLL. Moreover, the system may have several display drivers, and I had to hook them all.
I created a standard WDM driver configured to load at system boot (that is, before win32k). During initialization it hooked ZwSetSystemInformation by patching the SSDT. The OS calls this function whenever it loads/unloads a DLL into session space, which is exactly what I need.
When ZwSetSystemInformation is called with the SystemLoadImage parameter, one of its arguments is a pointer to a SYSTEM_LOAD_IMAGE structure, and its ModuleBase is the address at which the module is mapped. I then parse the mapped image, patch its entry point with my function, and the rest is simple.
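The "parse the mapped image" step above depends on reading the PE headers of the module at ModuleBase and locating AddressOfEntryPoint. The following is an added example written for this page, not the asker's driver code: it walks the DOS, NT and section headers of an in-memory image, reports whether the image is PE32 or PE32+ (the magic values 0x10B and 0x20B), and refuses to return an entry point that does not lie inside an executable section, which is the sanity check a practitioner wants before touching it. It defines the PE structures itself so it compiles without the SDK/WDK, and the image it operates on is a constructed minimal header, not a real display DLL.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Minimal PE/COFF layouts, declared here so the example builds without Windows headers.
 * Field order and sizes follow the PE specification (IMAGE_DOS_HEADER, IMAGE_FILE_HEADER,
 * the common prefix of IMAGE_OPTIONAL_HEADER32/64, and IMAGE_SECTION_HEADER). */
#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t pad[58]; uint32_t e_lfanew; } DosHdr;      /* 64 bytes */
typedef struct { uint16_t Machine, NumberOfSections; uint32_t TimeDateStamp,
                 PointerToSymbolTable, NumberOfSymbols; uint16_t SizeOfOptionalHeader,
                 Characteristics; } FileHdr;                                            /* 20 bytes */
typedef struct { uint16_t Magic; uint8_t MajorLinkerVersion, MinorLinkerVersion;
                 uint32_t SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData,
                 AddressOfEntryPoint, BaseOfCode; } OptHdrCommon;      /* first 24 bytes, both formats */
typedef struct { uint8_t Name[8]; uint32_t VirtualSize, VirtualAddress, SizeOfRawData,
                 PointerToRawData, PointerToRelocations, PointerToLinenumbers;
                 uint16_t NumberOfRelocations, NumberOfLinenumbers;
                 uint32_t Characteristics; } SectionHdr;                                /* 40 bytes */
#pragma pack(pop)

#define PE32_MAGIC      0x10B
#define PE32PLUS_MAGIC  0x20B
#define SCN_MEM_EXECUTE 0x20000000u   /* IMAGE_SCN_MEM_EXECUTE */

typedef struct { uint32_t entry_rva; int is_pe64; const SectionHdr *sec; } EntryInfo;

/* Locate AddressOfEntryPoint in a mapped image and the section containing it.
 * Returns 0 on success; -1 malformed headers; -2 unknown optional-header magic;
 * -3 entry point in a non-executable section; -4 entry point outside every section. */
int locate_entry_point(const uint8_t *base, size_t size, EntryInfo *out)
{
    if (size < sizeof(DosHdr)) return -1;
    const DosHdr *dos = (const DosHdr *)base;
    if (dos->e_magic != 0x5A4D) return -1;                                 /* "MZ" */
    uint32_t nt_off = dos->e_lfanew;
    if (nt_off > size || size - nt_off < 4 + sizeof(FileHdr) + sizeof(OptHdrCommon)) return -1;
    if (memcmp(base + nt_off, "PE\0\0", 4) != 0) return -1;
    const FileHdr *fh = (const FileHdr *)(base + nt_off + 4);
    const OptHdrCommon *oh = (const OptHdrCommon *)(base + nt_off + 4 + sizeof(FileHdr));
    int is64;
    if (oh->Magic == PE32PLUS_MAGIC) is64 = 1;
    else if (oh->Magic == PE32_MAGIC) is64 = 0;
    else return -2;
    /* Section table starts right after the optional header, whose size the file header gives. */
    size_t sec_off = nt_off + 4 + sizeof(FileHdr) + fh->SizeOfOptionalHeader;
    if (sec_off > size || (size - sec_off) / sizeof(SectionHdr) < fh->NumberOfSections) return -1;
    const SectionHdr *sec = (const SectionHdr *)(base + sec_off);
    for (uint16_t i = 0; i < fh->NumberOfSections; i++) {
        uint32_t start = sec[i].VirtualAddress;
        uint32_t len = sec[i].VirtualSize ? sec[i].VirtualSize : sec[i].SizeOfRawData;
        if (oh->AddressOfEntryPoint >= start && oh->AddressOfEntryPoint - start < len) {
            if (!(sec[i].Characteristics & SCN_MEM_EXECUTE)) return -3;
            out->entry_rva = oh->AddressOfEntryPoint;
            out->is_pe64 = is64;
            out->sec = &sec[i];
            return 0;
        }
    }
    return -4;
}

/* Build a constructed, minimal PE32+ header image (two sections, no real code) into buf.
 * This is sample input for the demonstration, not a real module. Returns bytes written. */
size_t build_sample_image(uint8_t *buf, size_t cap, uint32_t entry_rva, uint32_t text_chars)
{
    if (cap < 512) return 0;
    memset(buf, 0, cap);
    DosHdr *dos = (DosHdr *)buf; dos->e_magic = 0x5A4D; dos->e_lfanew = 0x80;
    memcpy(buf + 0x80, "PE\0\0", 4);
    FileHdr *fh = (FileHdr *)(buf + 0x84);
    fh->Machine = 0x8664; fh->NumberOfSections = 2;
    fh->SizeOfOptionalHeader = 240;                        /* size of IMAGE_OPTIONAL_HEADER64 */
    OptHdrCommon *oh = (OptHdrCommon *)(buf + 0x98);
    oh->Magic = PE32PLUS_MAGIC; oh->AddressOfEntryPoint = entry_rva; oh->BaseOfCode = 0x1000;
    SectionHdr *sec = (SectionHdr *)(buf + 0x98 + 240);
    memcpy(sec[0].Name, ".text", 5); sec[0].VirtualAddress = 0x1000; sec[0].VirtualSize = 0x800;
    sec[0].Characteristics = text_chars;
    memcpy(sec[1].Name, ".data", 5); sec[1].VirtualAddress = 0x2000; sec[1].VirtualSize = 0x200;
    sec[1].Characteristics = 0xC0000040u;                  /* initialized data, read/write, no execute */
    return 0x98 + 240 + 2 * sizeof(SectionHdr);
}

int main(void)
{
    uint8_t img[512];
    size_t n = build_sample_image(img, sizeof img, 0x1040, 0x60000020u); /* code, execute, read */
    EntryInfo ei;
    int rc = locate_entry_point(img, n, &ei);
    if (rc == 0)
        printf("PE%s entry RVA 0x%x in section %.8s\n", ei.is_pe64 ? "32+" : "32",
               ei.entry_rva, (const char *)ei.sec->Name);
    else
        printf("rejected: %d\n", rc);
    return rc;
}
```

The return codes matter more than the success path: on a 64-bit port the first thing to check is the optional-header magic, since the PE32+ optional header is a different size and the section table moves accordingly, and an entry point that resolves into a non-executable section or into no section at all should be treated as a malformed or unexpected image rather than patched.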
Now I need to port this driver to 64-bit Windows. Needless to say, this is not a trivial task. So far I have found the following obstacles:
- All drivers must be signed.
- Patchguard
- SSDT is not directly exported.
If I understand correctly, PatchGuard and driver signature checking can be disabled; the driver has to be installed on a dedicated machine, and we can torture it however we want.
There are also tricks to find the SSDT, according to online sources.
, PsSetLoadImageNotifyRoutine. .
:
PsSetLoadImageNotifyRoutine, DLL, ? " ", " " ?- PatchGuard, DLL , ?
- - , ?
- ?
.