by stefan_ 2640 days ago
What is not malicious about a driver whose pure function (this thing literally has no other value or purpose) is maintaining an invincible NT_AUTHORITY process of their pre-installed management software? And achieving that by allocating a RWX page in services.exe? What are we even doing W^X for?

Maybe we have different expectations of what a driver is. Take a look for yourself, even the updated PC Manager Software on their website still has the driver with the goofy shellcode in its installer (no idea if it's just not loaded now):

https://consumer.huawei.com/us/support/pc/matebook-x-pro/


> What is not malicious

> malicious - adj. - having or showing a desire to cause harm to someone

It's goofy, and wouldn't pass a design review that I was a part of, but it isn't "showing a desire to cause harm". It just looks like a rushed design.

> about a driver whose pure function (this thing literally has no other value or purpose)

I see nothing about how this driver doesn't have any other functions.

> is maintaining an invincible NT_AUTHORITY process of their pre-installed management software

Because you want the hardware management process to be resurrected if it fails. They're not gaining anything from an attack perspective by deferring to user mode, the process isn't hidden, and they're already running as a kernel driver so they have full control of the system as it is. In Raymond Chen's parlance, they're already on the other side of the airtight hatch.

> Maybe we have different expectations of what a driver is.

I mean, Minix ascribes its uptime and reliability to a resurrection server. Is this a much crappier design? Yes. Is it such a bad design that it's malicious? No, that's absurd.

> Maybe we have different expectations of what a driver is.

I expect drivers to defer everything they can to user mode so they don't crash the kernel. That's one of the reasons why APCs exist in the first place.

> Take a look for yourself, even the updated PC Manager Software on their website still has the driver with the goofy shellcode in its installer (no idea if it's just not loaded now):

Oh no, they didn't take that out of their package, but even Microsoft says that they fixed the vulnerability, and quicker than responsible disclosure asks for.

> I see nothing about how this driver doesn't have any other functions.

Obviously, you didn't look at it.

This is the irony of it all. There is nothing simple about writing a device driver to do what literally three lines of code in userland registering a service could have achieved. It is the furthest thing from a rushed design you could possibly do; it is taking the wrong turn 10 times and incurring exponential costs each time. That is why it's called a backdoor or malicious; it demonstrates unique niche knowledge in things that are the furthest imaginable distance from the shitty .NET amalgamation that their actual PC manager software is.

Quote the piece of the article that says that the driver has no other functions.

Particularly given that they describe how there's multiple ioctls.

And I can tell you from experience that relying on the service manager for a full watchdog solution is fraught with peril. It'll catch hard crashes, but not, for instance, deadlocks.
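For readers who want to see what the two sides of this exchange are pointing at, here is an added example (my own, not code from the thread or from the vendor's software): the user-mode service-recovery configuration that the "three lines in userland" remark alludes to, and a heartbeat watchdog that covers the deadlock case the reply raises. The service name `ExampleMgmtSvc`, the heartbeat file path, and the assumption that the service touches that file from its main loop are all made up for the illustration.

```powershell
# Added example, not from the original page. Assumes a user-mode service named
# 'ExampleMgmtSvc' that touches $heartbeat from its main loop every ~10 seconds.
$svc = 'ExampleMgmtSvc'

# (1) Restart-on-failure without any kernel code: ask the Service Control
# Manager to restart the service 5 s after each of its first three failures,
# and reset the failure counter after a day without failures.
sc.exe failure $svc reset= 86400 actions= restart/5000/restart/5000/restart/5000
# Also count non-crash stops with a non-zero exit code as failures.
sc.exe failureflag $svc 1

# (2) The caveat: SCM recovery only fires when the process goes away. A
# deadlocked service is still 'Running', so it needs a liveness signal.
$heartbeat  = 'C:\ProgramData\ExampleMgmt\heartbeat'   # assumed path
$staleAfter = [TimeSpan]::FromSeconds(60)

function Test-ServiceHung {
    param([string]$Name, [string]$HeartbeatPath, [TimeSpan]$MaxAge)
    $s = Get-Service -Name $Name -ErrorAction SilentlyContinue
    # Dead or stopped services are the SCM's job (see sc.exe failure above).
    if (-not $s -or $s.Status -ne 'Running') { return $false }
    # Running but never heartbeated, or heartbeat older than $MaxAge: hung.
    if (-not (Test-Path $HeartbeatPath)) { return $true }
    $age = (Get-Date) - (Get-Item $HeartbeatPath).LastWriteTime
    return ($age -gt $MaxAge)
}

function Restart-HungService {
    param([string]$Name)
    # Stop-Service can itself block on a service that no longer answers
    # control requests, so run it in a job and kill the process on timeout.
    $svcPid = (Get-CimInstance Win32_Service -Filter "Name='$Name'").ProcessId
    $job = Start-Job -ScriptBlock { param($n) Stop-Service -Name $n -Force } -ArgumentList $Name
    if (-not (Wait-Job -Job $job -Timeout 30)) {
        Remove-Job -Job $job -Force
        if ($svcPid) { Stop-Process -Id $svcPid -Force -ErrorAction SilentlyContinue }
    }
    Start-Service -Name $Name
}

# Watchdog loop; would normally run as its own (unprivileged-as-possible) service.
while ($true) {
    if (Test-ServiceHung -Name $svc -HeartbeatPath $heartbeat -MaxAge $staleAfter) {
        Write-Warning "$svc is running but has not heartbeated for $staleAfter; restarting"
        Restart-HungService -Name $svc
    }
    Start-Sleep -Seconds 30
}
```

Both halves run entirely in user mode with no RWX pages and no code injected into services.exe; the watchdog needs only the rights to query and restart the one service it guards, which is the least-privilege shape a resurrection mechanism should have. Note that the `sc.exe` arguments require the space after `reset=` and `actions=`.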

Writing "drivers" that do questionable things for even more questionable reasons seems to be par for the course in the Windows ecosystem. If I understand the whole situation correctly, Fortnite installs a WHQL-certified kernel driver whose sole purpose is to cause a BSOD when LSASS.EXE maps pages from the Fortnite process...
Is that an anti-cheat feature?
As if the same OEMs would constrain themselves when targeting other platforms.