kuhi

Reputation: 699

Why can't my user-mode loader communicate with my unsigned kernel-mode driver?

Description:

I'm developing a proof-of-concept where a user-mode loader (DriverLoader.exe) communicates with a kernel-mode driver (DriverHelper.sys). The driver is unsigned, so I'm using EfiGuard to load it.

💡 Goal:

The driver (DriverHelper.sys) should expose a device (\Device\DriverHelper) and allow communication via DeviceIoControl().

The loader (DriverLoader.exe) should send an IOCTL request (IOCTL_MAP_DRIVER) to the driver to manually map another driver into kernel memory.

🔍 Current Status:

The driver loads successfully (confirmed via sc query DriverHelper).

I can see DbgPrint() messages in DbgView.exe, which confirms the driver is running.

However, CreateFileA("\\.\DriverHelper", ...) in the loader fails with error code 1 (ERROR_INVALID_FUNCTION), meaning it can't open the device.

🛠 What I've Tried:

📌 Question:

Why does CreateFileA("\\.\DriverHelper", ...) fail with ERROR_INVALID_FUNCTION, even though the driver is running and exposing the device? How can I properly expose the device to user-mode so the loader can communicate with it?

Code Summary (Essential Parts)

Kernel-Mode Driver (DriverHelper.sys)

NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath) {
    UNICODE_STRING devName = RTL_CONSTANT_STRING(L"\\Device\\DriverHelper");
    UNICODE_STRING symLink = RTL_CONSTANT_STRING(L"\\DosDevices\\DriverHelper");

    PDEVICE_OBJECT DeviceObject = NULL;
    NTSTATUS status = IoCreateDevice(DriverObject, 0, &devName, 
                                     FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, 
                                     FALSE, &DeviceObject);
    if (!NT_SUCCESS(status)) {
        DbgPrint("[DriverHelper] Error en IoCreateDevice: %X\n", status);
        return status;
    }

    status = IoCreateSymbolicLink(&symLink, &devName);
    if (!NT_SUCCESS(status)) {
        IoDeleteDevice(DeviceObject);
        return status;
    }

    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DriverDispatch;
    DbgPrint("[DriverHelper] Driver Loaded\n");
    return STATUS_SUCCESS;
}

User-Mode Loader (DriverLoader.exe)

HANDLE hDevice = CreateFileA("\\\\.\\DriverHelper", GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
if (hDevice == INVALID_HANDLE_VALUE) {
    std::cerr << "[ERROR] Unable to open the driver device. Error code: " << GetLastError() << "\n";
    return false;
}

Upvotes: -1

Views: 82

Answers (0)
