EoPLoadDriver

Not working on Windows 10 and Windows Server 2008 R2

Open ghost opened this issue 7 years ago • 1 comments

The payload is not working in my test environments on both Windows 10 and Server 2008 R2. Trying to load Capcom.sys (c1d5cf8c43e7679b782630e93f5e6420ca1749a7).

Running under Windows 10 (Version 10.0.17134.345) as a local user that belongs to the Administrator group

RegCreateKeyEx failed: 0x0
[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-3294158787-947196347-1753039676-1001\System\CurrentControlSet\MyService
NTSTATUS: c00000e5, WinError: 0

Running under Windows Server 2008 R2 as user nt authority\system

RegCreateKeyEx failed: 0x0
[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-18\System\CurrentControlSet\MyService
NTSTATUS: c0000428, WinError: 0

Running under Windows Server 2008 R2 as user Administrator

[+] Enabling SeLoadDriverPrivilege
[+] SeLoadDriverPrivilege Enabled
[+] Loading Driver: \Registry\User\S-1-5-21-953262931-566350628-63446256-500\System\CurrentControlSet\MyService
NTSTATUS: c0000428, WinError: 0

ghost, Oct 22 '18 08:10

Hi, as of Windows 10 Version 1803, NtLoadDriver seems to forbid references to registry keys under HKEY_CURRENT_USER.

MarleyHaXs, Nov 09 '18 09:11
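
A defender-side check for the pattern visible in the logs above, as an added example that is not part of the original issue or the EoPLoadDriver project: it flags registry value writes that assemble a driver service key (ImagePath plus Type) under a per-user hive instead of HKLM. The event dict shape (`target`, `data`), the function names and the sample events are constructed assumptions, not a real log schema.

```python
import re

# Driver service keys normally live under HKLM\SYSTEM\CurrentControlSet\Services.
# A key rooted in a per-user hive, like the paths in the logs above, is the anomaly.
USER_HIVE = re.compile(
    r"^(?:\\Registry\\User|HKU|HKEY_USERS)\\(?P<sid>S-1-[0-9-]+)\\(?P<subkey>.+)$",
    re.IGNORECASE,
)
DRIVER_VALUES = {"imagepath", "type"}  # values NtLoadDriver reads from the key

def parse_user_hive_path(path):
    """Return (sid, subkey) if path is rooted in a per-user hive, else None."""
    m = USER_HIVE.match(path.strip())
    return (m.group("sid"), m.group("subkey")) if m else None

def find_user_hive_driver_keys(events):
    """Report user-hive keys that received both ImagePath and Type writes."""
    seen = {}
    for ev in events:
        # Split "key\value" into the key path and the value name.
        key, _, value = ev["target"].rpartition("\\")
        if parse_user_hive_path(key) and value.lower() in DRIVER_VALUES:
            seen.setdefault(key, {})[value.lower()] = ev["data"]
    return [
        {"key": k, "sid": parse_user_hive_path(k)[0], "image": v["imagepath"]}
        for k, v in seen.items()
        if DRIVER_VALUES <= set(v)
    ]

# Constructed sample events (hypothetical SID and file path).
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    {"target": "HKU\\" + SID + r"\System\CurrentControlSet\MyService\ImagePath",
     "data": r"\??\C:\Users\Public\example.sys"},
    {"target": "HKU\\" + SID + r"\System\CurrentControlSet\MyService\Type",
     "data": "DWORD (0x00000001)"},
    # Legitimate machine-wide driver key: not in a user hive, ignored.
    {"target": r"HKLM\System\CurrentControlSet\Services\disk\ImagePath",
     "data": r"System32\drivers\disk.sys"},
    # User-hive key with only a Type value: not shaped like a driver key.
    {"target": "HKU\\" + SID + r"\Software\Example\Type", "data": "1"},
]

if __name__ == "__main__":
    for hit in find_user_hive_driver_keys(SAMPLE_EVENTS):
        print("driver-style key in user hive:", hit["key"], "->", hit["image"])
```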