Red Teaming Experiments
linkedintwitterpatreongithub
Search…
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
Exfiltration
reversing, forensics & misc
Internals
Configuring Kernel Debugging Environment with kdnet and WinDBG Preview
Compiling a Simple Kernel Driver, DbgPrint, DbgView
Loading Windows Kernel Driver for Debugging
Subscribing to Process Creation, Thread Creation and Image Load Notifications from a Kernel Driver
Listing Open Handles and Finding Kernel Object Addresses
Sending Commands From Your Userland Program to Your Kernel Driver using IOCTL
Windows Kernel Drivers 101
Windows x64 Calling Convention: Stack Frame
Linux x64 Calling Convention: Stack Frame
System Service Descriptor Table - SSDT
Interrupt Descriptor Table - IDT
Token Abuse for Privilege Escalation in Kernel
Manipulating ActiveProcessLinks to Hide Processes in Userland
ETW: Event Tracing for Windows 101
Exploring Injected Threads
Parsing PE File Headers with C++
Instrumenting Windows APIs with Frida
Exploring Process Environment Block
Writing a Custom Bootloader
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered By GitBook
Loading Windows Kernel Driver for Debugging

On the system where you want to load your driver (debugee), from an elevated command prompt, disable the driver integrity checks so that we can load our unsigned drivers onto Windows 10:
bcdedit /set nointegritychecks on; bcdedit /set testsigning on
Once you have rebooted the system, open up the OSR Loader and load the driver as shown below:
Note that my driver name was kmdfHelloDriver. We can now confirm the driver loaded successfully by debugging the kernel:
0: kd> db kmdfHelloDriver
Additionally, we can check it this way by showing some basic details about the loaded module:
0: kd> ln kmdfHelloDriver
If we check it via the service configuration manager, we also see that our driver is now loaded and running:
sc.exe query kmdfHelloDriver

The benefit of loading a kernel driver this way is that it does not rely on OSR Driver Loader or any other 3rd party tools and also is much more efficient.
Important In order for this technique to work, the WinDBG debugger needs to be attached to the debugee.

On the debuggee, launch an elevated powershell console and do the following:
notepad $PROFILE.AllUsersAllHosts
in the powershell profile, add the following powershell function:
function Install-Driver($name)
{
$cleanName = $name -replace ".sys|.\\", ""
​
sc.exe stop $cleanName
sc.exe delete $cleanName
​
cp $name c:\windows\system32\drivers\ -verbose -force
sc.exe create $cleanName type= kernel start= demand error= normal binPath= c:\windows\System32\Drivers\$cleanName.sys DisplayName= $cleanName
​
sc.exe start $cleanName
}
The above function Install-Driver takes one parameter $name, which signifies a driver name that we want to install.
The function Install-Driver will:
  • Attempt to stop the service (unload the driver) if it's already running (no error checking)
  • Attempt to delete the service (no error checking)
  • Copy the driver from the current directory to c:\windows\system32\drivers
  • Create a service for the driver
  • Start the service (load the driver)
Below screenshot shows the two steps explained above:
Once the powershell profile is saved, close the powershell console and open it again for the function Install-Driver to become usable.

Navigate to the folder that contains the .sys file of the driver you want to install, which in my case is wdm-helloworld.sys in Z:\wdm-helloworld\x64\Debug:
Now, we can install the driver by simply invoking:
Install-Driver wdm-helloworld.sys

If we have source code for the driver we want to debug, we can load its source code and step through it in WinDBG. Load the source code via the Source > Open Source File and re-load the driver again using Install-Driver function:
Stepping through driver's C code
Previous
Compiling a Simple Kernel Driver, DbgPrint, DbgView
Next
Subscribing to Process Creation, Thread Creation and Image Load Notifications from a Kernel Driver
Last modified 2yr ago
Copy link
On this page
Loading a Driver with OSR Driver Loader
Loading a Driver via Command Prompt + WinDBG
Preparing Powershell Profile
Loading the Driver
Stepping through Source Code