In windows NT kernel (Vista, 7 etc.), running process’s as SYSTEM is not permitted, the reason behind this is due to end-user have too powerful access to Windows, as much as this may be useful – for the Microsoft TM, it is not as the end-user can remove all security restrictions, Microsoft TM incorporated into Windows.
A End-User can remove Raw Socket(s) restriction, which can then allow them to spoof IP addresses when DDOSing or accessing Web. This as you know is not too safe nor legal, therefore in Windows it is impossible to run as SYSTEM.
This however can be evaded, as you know Windows & all OS contain Ring’s mechanism – Ring3, Ring2, Ring1, Ring0
In Ring0 mode\level, all CPU operations and all command executions taking place among ring0 memory space will automatically be having SYSTEM privileges and have complete access to Windows OS itself. Using Ring0 we can completely remove all Restrictions placed.
How to run in Ring0 Mode:
In Ring0 mode (aka Kernel Mode), you cannot run the usual applications\executable (.EXE) which are run normally (on Ring3 Mode). To run in Ring0 Kernel Mode, you need to develop and launch a Driver (.SYS).
I have created a simple Driver for your sake (Windows 7 Tested):
NTSTATUS DriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)
KdPrintEx(( DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "KmdfSmall: DriverEntry\n" ));
status = WdfDriverCreate(DriverObject, RegistryPath, WDF_NO_OBJECT_ATTRIBUTES, &config, WDF_NO_HANDLE);
DbgPrint("Hello World! By OrionMaster");
NTSTATUS KmdfSmallEvtDeviceAdd(_In_ WDFDRIVER Driver, _Inout_ PWDFDEVICE_INIT DeviceInit)
KdPrintEx(( DPFLTR_IHVDRIVER_ID, DPFLTR_INFO_LEVEL, "KmdfSmall: KmdfSmallEvtDeviceAdd\n" ));
status = WdfDeviceCreate(&DeviceInit, WDF_NO_OBJECT_ATTRIBUTES, &hDevice);
Before trying to run this montage, you need to download Windows 7\8 WDK (Windows Driver Development Kit):
NOTE: You must have Visual Studio 2012 Premium OR Ultimate in order to develop.
soon after download & installation finished and came to a halt, open you VS2012:
Open Microsoft Visual Studio. On the File menu, choose New > Project. The New Project dialog box opens,
In the New Project dialog box, in the left pane, locate and select WDF.
In the middle pane, select Kernel Mode Driver, Empty (KMDF).
In the Name field, enter any name you wish for the project name.
In the Location field, enter the directory where you want to create the new project.
Check Create directory for solution. Click OK.
Wait for few seconds, allow VS2012 to initialize all settings and such,
VS2012 will create 2 projects – [ProjectName] Package, [ProjectName]
In the Solution Explorer window, right-click the top project and choose Add > New Item.
In the Add New Item dialog box, select C++ File. For Name, enter “Driver.c”. C FILE NOT .CPP FILE
In the Solution Explorer window, right-click Solution ‘[PROJECT NAME]’ (2 projects) and choose Configuration Manager. Choose a configuration and platform for both the driver project and the package project. For this exercise, we choose Win7 Debug and x64.
In the Solution Explorer window, right-click the topmost project and choose Properties. In Wpp Tracing > All Options, set Run Wpp tracing to No. Click OK.
As you may see after the build completed, the output is a .SYS file, it is the driver. All we programmed is a simple Hello World Kernel Mode Driver, few weeks of learning you will be able to program fluently such as hooks and such.
To test this, you driver need to be signed digitally by a Certificate, or you can change the configuration build type to Win7 Debug and Win32.
The reason you need digitally signed certificate on ALL x64 machines is solely because of Patch Guard on the Kernel to protect it from “rogue” Kernel Drivers. Therefore it is important to sign else Patch Guard denies the Driver access to the Kernel. On other hand on x86 machines you can launch and register “rogue” Driver softwares.
If you want to try bypass Patch-guard, obviously which should be more or less “sketchy” as Legitimate Software should\would not behave in that manner. Take a look at CodeProject:
This trick\technique can be easily adapted to newer versions of the PatchGuard, just to make you aware using these tricks may not be a good trial to use as Microsoft is notorious to fix Kernel Bugs as soon as possible, thus once your technique is patched on all machines with the exploitable PatchGuard – your Software will become useless and unable to run. That is why I advise to digitally sign it.
If you cannot afford to sign this, some legitimate developers steal signatures just to test if the driver works – but do again be aware Malware Developers also use this method. To understand how to steal digital signatures just for TEST (I am not promoting Signature Stealing) read Symantec’s blog regarding stealing signatures and technical details:
There are 2 ways to run a driver – One being Registry and one other being CreateService. I find CreateService being the easiest to do:
// Thanks CodeProject
int _cdecl main(void)
hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE);
hService = CreateService(hSCManager, "Example",
SERVICE_START | DELETE | SERVICE_STOP,
NULL, NULL, NULL, NULL, NULL);
hService = OpenService(hSCManager, "Example",
SERVICE_START | DELETE | SERVICE_STOP);
StartService(hService, 0, NULL);
printf("Press Enter to close service\r\n");
ControlService(hService, SERVICE_CONTROL_STOP, &ss);
Now, I will answer how to run a usual – Ring3 Application as SYSTEM. In Kernel Mode as said before you have complete control over System, this means we can elevate applications\process to any privilege level we wish. To do this we need to do a simple token trick.
To read about how to implement it I recommend you read: Subverting Windows Kernel, although it is very old it can easily be run in the Newer OS.
More Driver Development:
Until Next Time,