DriverJack is a tool designed to load a vulnerable driver by abusing lesser-known NTFS techniques.
These method bypass the registration of a Driver Service on the system by hijacking an existing service, and also spoof the image path presented in the Driver Load event.
To further masquerade the presence of a vulnerable driver, the attack also abuses an Emulated Filesystem Read-Only bypass to swap the content of a driver file on a mounted ISO before loading it.
DriverJack abuses the possibility of remapping files mounted on emulated filesystems to RW pages to overwrite their contents. This RO bypass is implemented in IoCdfsLib.
Once the ISO is mounted, the attack proceeds by selecting a service driver that can be started or stopped, or one that can be triggered, requiring administrative privileges unless misconfigured.
This technique exploits the ability of an installer to access the C:\Windows\System32\drivers
directory directly, allowing a malicious symbolic link to be placed there.
The symbolic link is processed by the OS with precedence, leading to the malicious driver being loaded when the service is restarted.
Key Steps:
NtLoadDriver
function normalizes the NT Path of the symbolic link.Developed in collaboration with jonasLyk of the Secret Club hacker collective, this method involves redirecting the \Device\BootDevice
NT symbolic link, part of the path from which a driver binary is loaded.
This allows for the hiding of a rootkit within the system.
Steps:
BootDevice
symlink target.BootDevice
symlink to point to the mounted ISO.BootDevice
symlink target.This method was inspired by techniques used in the unDefender project to disable the Windows Defender service and driver.
The Load Driver event will still show the real path of the driver being loaded, pointing to the ISO mountpoint.
Although widely known, this technique is rarely used due to the potential for system instability.
It involves temporarily changing the drive letter assigned to the BootPartition
, tricking the driver load process to access a different drive.
When combined with NT Symlink Abuse, explained before, this technique can completely masquerade the path of the driver being loaded, bypassing detection by SysMon and other monitoring tools.
DriverJack demonstrates another, non-conventional way for vulnerable driver-loading that leverages CDFS emulated filesystems and lesser-known NTFS symbolic link properties.
This Python script for Linux can analyze Microsoft Windows *.msi Installer files and point out…
Bear C2 is a compilation of C2 scripts, payloads, and stagers used in simulated attacks…
Discover your application security risks and vulnerabilities in only a few minutes. In this guide…
The idea behind waymore is to find even more links from the Wayback Machine than…
The Pycript extension for Burp Suite is a valuable tool for penetration testing and security…
For official releases, refer to Dependency Track Docs >> Changelogs for information about improvements and…