
NtLoadDriver
To further prove that SeLoadDriverPrivilege is dangerous, let's exploit it to elevate privileges. First the privilege has to be enabled in the process token:

    HANDLE hToken;
    TOKEN_PRIVILEGES tp;
    LUID luid;

    OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);
    if (!LookupPrivilegeValue(NULL,                     // lookup privilege on local system
                              L"SeLoadDriverPrivilege", // privilege to lookup
                              &luid))
        printf("LookupPrivilegeValue error: %u\n", GetLastError());

    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = luid;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    // Enable the privilege or disable all privileges.
    // Note: AdjustTokenPrivileges returns TRUE even when the token does not hold
    // the privilege; in that case GetLastError() reports ERROR_NOT_ALL_ASSIGNED.
    if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL))
        printf("AdjustTokenPrivileges error: %x\n", GetLastError());

We compile the above, execute it, and the privilege SeLoadDriverPrivilege is now enabled.

You can load a new driver using NtLoadDriver. By default the driver service name should be under \Registry\Machine\System\CurrentControlSet\Services\. But, according to the documentation, you can also use paths under HKEY_CURRENT_USER, so you could create a service key there to load arbitrary drivers on the system.

The relevant parameters that must be defined in the new registry key are:

  • ImagePath: REG_EXPAND_SZ type value which specifies the driver path. In this context, the path should be a directory with modification permissions by the non-privileged user.
  • Type: Value of type REG_DWORD in which the type of the service is indicated. For our purpose, the value should be defined as SERVICE_KERNEL_DRIVER (0x00000001).

For reference, the relevant part of the kernel's driver-unload routine (lines missing from the capture are marked with ...):

    // Check to see whether the driver has already been marked for an unload
    // operation by anyone in the past.
    ...
    ExAcquireSpinLock( &IopDatabaseLock, &irql );
    ...
    if ((driverObject->DeviceObject == NULL &&
         (driverObject->Flags & DRVO_UNLOAD_INVOKED)) ||
        ...
        driverObject->DeviceObject->DeviceObjectExtension->ExtensionFlags
        ...
        // The driver has already been marked for unload or is being
        // unloaded.  Simply return a successful completion status since
        // the driver is on its way out and therefore has been "marked for
        ...
        ExReleaseSpinLock( &IopDatabaseLock, irql );
        ...
        ObDereferenceObject( driverObject );
        ...
    // The driver exists, and it implements unload, and it has not, so far,
    // been marked for an unload operation.  Simply mark all of the devices
    // that the driver owns as being marked for unload.  While this is going
    // on, count the references for each of the devices.