This project demonstrates a method to inject a crafted image into a legitimate kernel driver.
- Infector (User-mode app): Injects the payload into a given driver.
- Payload (Kernel driver): Executes the infection logic in the kernel.
- The infector creates a new RWX section in the target driver.
- Payload image data is injected as shellcode into this section.
- The driver’s entry point is updated to point to the injected image.
- The original entry point is saved in OptionalHeader.LoaderFlags and called at runtime to preserve normal driver behavior.
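The three header changes listed above (a new section that is readable, writable and executable; an entry point moved into that section; a non-zero OptionalHeader.LoaderFlags, a field Microsoft documents as reserved and required to be zero) are all visible in the on-disk PE headers, so they can be checked without loading the driver. The following Python is an added detection example written for this page; it is not part of the project and not the infector's code. It parses the DOS, NT and section headers itself (no third-party PE library), reports those indicators, and builds two header-only synthetic images to exercise the check. The section name ".newsec", the RVAs and the sample LoaderFlags value are constructed for the example, not values taken from the project.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (entry_rva, loader_flags, sections) from a PE image's headers.
    sections is a list of (name, virtual_address, virtual_size, characteristics)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, file_hdr + 2)[0]
    size_opt = struct.unpack_from("<H", data, file_hdr + 16)[0]
    opt = file_hdr + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    # LoaderFlags sits at +88 in a PE32 optional header and at +104 in PE32+
    loader_off = 104 if magic == 0x20B else 88
    loader_flags = struct.unpack_from("<I", data, opt + loader_off)[0]
    sect_tbl = opt + size_opt
    sections = []
    for i in range(num_sections):
        off = sect_tbl + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, vaddr, vsize, chars))
    return entry_rva, loader_flags, sections


def scan_driver(data):
    """Return indicator strings for the header changes described on this page."""
    entry_rva, loader_flags, sections = parse_pe(data)
    findings = []
    for name, _vaddr, _vsize, chars in sections:
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"rwx_section:{name}")
    entry_sec = next((s for s in sections if s[1] <= entry_rva < s[1] + s[2]), None)
    if entry_sec is None:
        findings.append("entry_outside_sections")
    elif entry_sec[3] & IMAGE_SCN_MEM_WRITE:
        # DriverEntry living in INIT or .text is normal; a writable section is not
        findings.append(f"entry_in_writable_section:{entry_sec[0]}")
    if loader_flags != 0:
        findings.append(f"nonzero_loaderflags:0x{loader_flags:08x}")
    return findings


def build_pe(sections, entry_rva, loader_flags=0):
    """Constructed test input: a header-only PE32+ image (no code, no real driver)
    with the given section table; sections = [(name, vaddr, vsize, chars), ...]."""
    size_opt = 240  # PE32+ optional header with 16 data directories
    nt_off = 0x40
    dos = bytearray(b"MZ" + b"\0" * (nt_off - 2))
    struct.pack_into("<I", dos, 0x3C, nt_off)
    file_hdr = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, size_opt, 0x22)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x20B)          # PE32+ magic
    struct.pack_into("<I", opt, 16, entry_rva)     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 104, loader_flags) # LoaderFlags (reserved, must be zero)
    struct.pack_into("<I", opt, 108, 16)           # NumberOfRvaAndSizes
    tbl = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    vsize, vaddr, 0, 0, 0, 0, 0, 0, chars)
        for name, vaddr, vsize, chars in sections)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + tbl


R, X, W, C = IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE
# Constructed: a driver-shaped layout with DriverEntry in INIT, nothing unusual
CLEAN = build_pe([(".text", 0x1000, 0x4000, C | R | X),
                  (".data", 0x5000, 0x1000, R | W),
                  ("INIT", 0x6000, 0x800, C | R | X)], entry_rva=0x6010)
# Constructed: the same layout plus an appended RWX section holding the new
# entry point, with the old entry RVA stashed in LoaderFlags
SUSPECT = build_pe([(".text", 0x1000, 0x4000, C | R | X),
                    (".data", 0x5000, 0x1000, R | W),
                    ("INIT", 0x6000, 0x800, C | R | X),
                    (".newsec", 0x7000, 0x3000, C | R | W | X)],
                   entry_rva=0x7000, loader_flags=0x6010)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, scan_driver(fh.read()) or "no indicators")
```

Run it as `python scan.py C:\Windows\System32\drivers\*.sys` style batches (the script takes file paths) and triage anything that reports an RWX section or a non-zero LoaderFlags; a legitimate signed driver also fails Authenticode verification once its headers have been edited, so pairing this header check with signature validation gives a cheap second signal.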
Infector.exe <target_driver.sys> <payload.sys> <output_driver.sys>
- <target_driver.sys> – Legitimate driver to infect.
- <payload.sys> – Kernel payload to inject.
- <output_driver.sys> – Output infected driver.
Infector.exe tcpip.sys payload.sys tcpip_infected.sys