Novirusthanks kernel mode driver loader

The driver, runPTEditorLoader.exe --unloadAlternatively, you can also use any other driver-loading tool, e.g., OSRLoader or NoVirusThanks Kernel-Mode Driver Loader.Install Kernel Part From SourceLinuxBuilding the kernel module requires the kernel headers of the kernel. On Ubuntu, they can be installed by runningsudo apt install linux-headers-$(uname -r)Both the library and the the kernel module can be build by runningThe resulting kernel module can be loaded usingsudo insmod module/pteditor.koWindowsThe kernel driver for Windows requires Visual Studio with Visual C++, the Windows SDK, and the Windows Driver Kit (WDK) to build.Using the Visual Studio project, the driver can then simply be built from Visual Studio.RequirementsThe library requires a recent Linux kernel (continuously tested on the current kernel for Ubuntu 16.04 (kernel 4.15), 18.04 (kernel 5.3), and 20.04 (kernel 5.8)) or Windows 10.It supports both x86_64 and ARMv8.The library does not rely on any other library. It uses only standard C functionality.On Linux, the library does not require root privileges, whereas on Windows it requires administrator privileges.TestTo test whether the kernel part and the library works, the repository contains unit tests.The tests are found in the folder test and can be compiled with make (Linux) or Visual Studio (Windows).ExampleThe basic functionality (ptedit_init and ptedit_cleanup) is always required.After the initialization, all functions provided by the library can be used.For examples see example.c or the examples in the demo folder.The demo folder contains multiple examples:memmap: Starting from the root of paging, the demo iterates through all page tables of all levels and dumps the contents of the entries.map_pt: A Rowhamer exploit simulation, which maps the page table to a user-accessible address for manipulation.uncachable: This demos manipulates the memory type of a mapping to uncachable and back to cachable.nx: After setting a function to non-executable, it uses the page tables to make the function executable again.virt2phys: Converts a

Driver inside itself. One thing worth to mention: the author employed a small trick in an attempt for anti-static analysis during this unpacking process. He first hooks an imported API in the IAT of current driver with the unpacking routine, then call that API, and because that API address in the IAT has been modified already, the execution is transferred to the real decompressing procedure. When an analyst uses static analysis (e.g IDA disassembly) he could miss the unpacking routine. In the sample I analyze, the hooked API is RtlAppendAsciizToString. Figure 3. TDL3 kernel mode dropper anti-static analysis: IAT self hooking At the end of this stage, the loader performs the PE mapping against the unpacked driver over an NonpagedPool and finally jumps to that new zone, begins its second stage of kernel mode infection. II.4 The second kernel mode dropper stage: Infecting & storing rootkit’s code The real deal lies in the “freshly baked” codes. It does various things to survive the rootkit reboot, but the most important and interesting parts are: o Infecting miniport driver o Survive-reboot strategy o Direct read/write to hard disk using SCSI class request II.4. 1 Infecting driver The infector first queries the device object responsible with partition0 on the hard disk device which the “\systemroot” is linked/installed on. It’s convinient for the rootkit to retrieve the last miniport driver object and the name of the driver’s binary file via that device object. For example, in my analysis, name of the driver is “atapi” while “\systemroot\system32\drivers\atapi.sys” is going to be infected. The infecting algorithm isn’t complicated, it overwrites the data of “.rsrc” section of victim driver with 824 bytes instead of kidnapping the whole driver like others did (e.g Rustock.C), so that size of the infected file isn’t changed before and after the infection

A small library to modify all page-table levels of all processes from user space for x86_64 (Linux and Windows 10) and ARMv8 (Linux).It also allows to read and program memory types (i.e., PATs on x86 and MAIRs on ARM).InstallationThe library relies on the pteditor kernel module (Linux) or kernel driver (Windows). The kernel part is provided as source code for compilation (Linux and Windows), PPA (Linux), and as pre-built binary (Windows).The library can be used by linking it to the application (see example.c) or as a single header (ptedit_header.h) which can be directly included (see the demos).Install from PPA (Linux, recommended)First, add the public key of the PPA and the PPA URL to the package manager, and update the package managercurl -s " | sudo apt-key add -sudo curl -s -o /etc/apt/sources.list.d/misc0110.list " apt updateThen, simply install the kernel modulesudo apt install pteditor-dkmsPre-Built Driver (Windows, recommended)The repository also contains a pre-built driver for Windows 10 in the driver folder.To load the driver, you have to first disable secure boot and driver signature enforcement.Temporarily Disable Driver Signature EnforcementHold the shift key while clicking on "Restart" in the start menu. This brings up a restart menu, where you can disable driver signature enforcement in "Troubleshoot > Advanced Options > Startup Settings". Press "Restart", and the in the startup settings press "7" or "F7" to disable driver signature enforcement.After the PC is started, the driver can be loaded. Keep in mind that the driver signature enforcement is enabled when the PC is rebooted.Permanently Disable Driver Signature EnforcementTo permanently disable driver signature enforcement, enable Windows test mode by enteringbcdedit /set testsigning onin an administrator command prompt. To disable test mode, runbcdedit /set testsigning offLoading the DriverTo load and active the driver, the repository contains a loader in driver/PTEditorLoader. Simply runas an administrator. To unload