2

The only method I know to break on the DriverEntry of a rootkit driver when it's loaded is to disassemble nt!IopLoadDriver, find an indirect call in it and break on that. Setting a breakpoint on rootkitDriverName!DriverEntry doesn't work either for some reason.

Is there any easier way to break on the rootkit driver entry? Why does rootkitDriverName!DriverEntry not work?

0xC0000022L
Notoriouss
  • Here is more info about this, with a few different methods nicely explained: https://blogg.pwc.no/styringogkontroll/starting-dynamic-analysis-on-a-windows-x64-rootkit – DoomedRaven Oct 25 '23 at 09:31

1 Answer

3

Try enabling break on module load:

sxe ld rootkitDriverName

See also https://reverseengineering.stackexchange.com/a/2638/60

Igor Skochinsky
  • Thanks, but the problem is that this still doesn't break on the DriverEntry of the rootkit driver; instead it's in a kernel function related to debugging, and using bu rootkitDriver!DriverEntry doesn't work, it gives this error: "Couldn't resolve error". (I am loading the driver using OSRloader) – Notoriouss Jan 05 '21 at 05:53
  • With sxe ld you also need !gflag +ksl and a valid pdb and/or .reload /f ("couldn't resolve" is because you do not have a symbol file). – blabb Jan 05 '21 at 13:39
  • @Notoriouss: I think !drvobj should display the entry address so you can set a breakpoint there. – Igor Skochinsky Jan 05 '21 at 14:50
  • @IgorSkochinsky but !drvobj gives the symbol error as well. I do not have the pdb file for the driver though; should the symbol get resolved considering I don't have the pdb? I use !drvobj rootkitdrivername, the same name that I registered with OSRloader, and the same one that lm shows. – Notoriouss Jan 06 '21 at 05:17
  • @Notoriouss are you sure the error is about the driver and not kernel symbols which are necessary for the command to work? – Igor Skochinsky Jan 07 '21 at 00:56
  • @IgorSkochinsky yes, it's for the driver, and I also did the .reload /f to make sure all the symbols are loaded; still I cannot use the rootkit's driver name to break. – Notoriouss Jan 09 '21 at 11:43
  • @IgorSkochinsky Are you sure this works when we don't have the symbols for the driver? Considering OP is asking about rootkits, I doubt there is any symbol available. – OneAndOnly Jan 17 '21 at 07:36
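The following kernel-debugger session ties the answer and the comments together as an added example (it is not from the answer, the comments, or the linked post). It stops at the driver's entry point without a PDB, which is the situation the asker describes: `sxe ld` plus `!gflag +ksl` gives the break at load time, and the entry address is then taken from the image header or the driver object instead of from symbols. `rootkitDriverName` (module file name) and `rootkitSvc` (service name the driver was registered under) are placeholders; both must be replaced with the actual names, which can differ from each other.

```windbg
$$ Added example, not code from the question or answer.
$$ Placeholders: rootkitDriverName = module (image) name as shown by lm,
$$               rootkitSvc        = service name used when registering the driver.

$$ 1. Make the kernel notify the debugger on module load (blabb's comment) and
$$    ask for a first-chance break on the load event for this module.
!gflag +ksl
sxe ld:rootkitDriverName

$$ 2. Resume the target and load the driver. The debugger stops in the kernel's
$$    load-notification path: the image is mapped, DriverEntry has not run yet.
g

$$ 3. Confirm the module is present and where it is mapped.
lm m rootkitDriverName

$$ 4. Without a PDB, "bu rootkitDriverName!DriverEntry" cannot be resolved, but
$$    the PE header still records the entry point. $iment(base) evaluates to the
$$    entry point of the module loaded at that base, so no symbols are needed.
bp $iment(rootkitDriverName)

$$    Alternative via the driver object: flag 2 prints the DriverEntry,
$$    DriverUnload, AddDevice and dispatch routine addresses (raw addresses when
$$    no symbols are available). The DriverEntry value is the same PE entry point.
!drvobj \Driver\rootkitSvc 2

$$ 5. Continue; the next stop is the first instruction of the driver's entry point.
g
```

Two caveats worth knowing before single-stepping from there. `!gflag` and `!drvobj` need kernel (nt) symbols to work at all, so a "symbol" error at this stage can be about the kernel rather than the driver (Igor Skochinsky's point); `.reload /f` with a working symbol path fixes that case. And for a driver built with buffer-security checks, the PE entry point is the compiler's `GsDriverEntry` stub, which initialises the security cookie and then calls the real `DriverEntry`, so the stop lands one small function before the code the author wrote.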