Driver Manipulation – SY0-601 CompTIA Security+ : 1.3

If they can’t infect your application, an attacker might try infecting your drivers. In this video, you’ll learn about driver manipulation and how shimming and refactoring can be used to exploit your operating system.

<< Previous Video: Request Forgeries Next: SSL Stripping >>



The anti-virus and anti-malware software that we run on our workstations is very good at stopping known vulnerabilities. There are a set of signatures that are downloaded that integrate with the software. And if anything enters your system that matches one of those signatures, it is blocked by the antivirus software. But of course, our systems continue to get infected. So the attackers must be finding other ways to get into our systems.

The attackers would love to find things like a zero day attack, which is a type of attack that is unknown. There are no signatures for a zero day attack, which would be perfect for an attacker to use against any one system. Attackers are also looking for new attack types, different ways that they could use to infect your computer, that are different than anything you may have seen before.

An unusual kind of attack, would be to attack with the drivers that are used on your system. These are the hardware drivers that are effectively the conduit between the hardware of your computer and the software of your operating system. These drivers are trusted by your operating system, making them a perfect conduit for a malware attack.

A good example of the vulnerability that a driver can bring to a system occurred in May of 2016, with audio drivers on Hewlett-Packard systems. These drivers manage the audio chips that were embedded on these HP systems, and they included some audio controls software that interacted with the driver. This audio control software included a debugging feature. And that debugging feature included a key logger.

This key logger meant that the attacker, or anyone using or taking advantage of this driver, would be able to gather information on what keystrokes were typed on this computer. This really speaks to the scope of the vulnerabilities that can occur with our drivers. Since we have video drivers, and keyboard drivers, and mouse drivers, be very easy for an attacker to gather information and be able to use the information that’s going into or out of our computers.

A shim is something you would use to fit into the gap that’s created between two different objects. If you’re installing a door, you may need some wood to use as a shim that would go between the doorjamb and the wall itself. Or if you’re in a restaurant and the table is uneven, you can use a sugar packet as a schism between the bottom of the table and the floor that’s underneath.

There are also shims built into your operating system. Windows has one called the Windows compatibility mode. You can run an application, but have Windows run that application as if it is running in a different operating system. This allows older applications to run in newer versions of Windows. You just have to tell the newest version of Windows, what version of Windows should this application run as.

This also uses an application compatibility shim cache, to be able to cache this information that’s being transferred between the existing operating system, and the one that is being used as the previous operating system. Malware authors have found that they can take advantage of this shimmed area to be able to put malware onto a computer, and could get around some of the security features like the user account control that exists inside of Windows.

A good example of a malware author taking advantage of this was in January of 2015. Microsoft released a vulnerability statement that said that someone can take advantage of this compatibility mode, to elevate the privilege of the current user on that system. Another way that malware authors get around the existing antivirus or anti-malware software, is to use refactoring.

You might see this also referenced as metamorphic malware. This means that when your system is downloading this malware, it’s downloading a unique version of that malware that will not match any of the signatures that are in your antivirus or anti-malware software. The malware author will add additional code to the malware, such as a no op instruction, that’s a no operation instruction that effectively doesn’t do anything, but it makes the malware look different.

Or they might add loops or pointless code strings, to make it so that a signature can’t match for this particular executable. This executable uses refactoring to reorder functions, modify the flow of the application itself, or to reorder the code so that it looks different than any other signature that might already be in the antivirus software. This means that if you’re trying to stop this particular kind of malware, you’re going to need other types of layered approaches to try to identify and stop anything that might have been refactored.