> What is not malicious

> malicious - adj. - having or showing a desire to cause harm to someone

It's goofy, and wouldn't pass a design review that I was a part of, but it isn't "showing a desire to cause harm". It just looks like a rushed design.

> about a driver whose pure function (this thing literally has no other value or purpose)

I see nothing about how this driver doesn't have any other functions.

> is maintaining an invincible NT_AUTHORITY process of their pre-installed management software

Because you want the hardware management process to be resurrected if it fails. They're not gaining anything from an attack perspective by deferring to user mode, the process isn't hidden, and they're already running as a kernel driver so they have full control of the system as it is. In Raymond Chen's parlance, they're already on the other side of the airtight hatch.

> Maybe we have different expectations of what a driver is.

I mean, Minix ascribes its uptime and reliability to a resurrection server. Is this a much crappier design? Yes. Is it such a bad design that it's malicious? No, that's absurd.

> Maybe we have different expectations of what a driver is.

I expect drivers to defer everything they can to user mode so they don't crash the kernel. That's one of the reasons why APCs exist in the first place.

> Take a look for yourself, even the updated PC Manager Software on their website still has the driver with the goofy shellcode in its installer (no idea if it's just not loaded now):

Oh no, they didn't take that out of their package, but even Microsoft says that they fixed the vulnerability, and quicker than responsible disclosure asks for.
Obviously, you didn't look at it.
This is the irony of it all. There is nothing simple about writing a device driver to do what literally three lines of code in userland registering a service could have achieved. It is the furthest thing from a rushed design you could possibly do; it is taking the wrong turn 10 times and incurring exponential costs each time. That is why it's called a backdoor or malicious; it demonstrates unique niche knowledge in things that are the furthest imaginable distance from the shitty .NET amalgamation that their actual PC manager software is.
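For comparison, this is what the userland alternative mentioned above looks like: letting the Service Control Manager restart a management service on failure instead of resurrecting it from a kernel driver. Added example, not code from either commenter or from the vendor; the service name `ExampleMgmtSvc` is a placeholder.

```powershell
# Configure SCM recovery for a (placeholder) management service:
# restart 5 seconds after each of the first three failures, and
# reset the failure counter after one day (86400 s).
function Set-ExampleServiceRecovery {
    param([string]$Name = 'ExampleMgmtSvc')

    # sc.exe expects a space after each '=' in its argument syntax.
    sc.exe failure $Name reset= 86400 actions= restart/5000/restart/5000/restart/5000
    # Also treat a stop with a non-zero exit code as a failure,
    # so recovery runs even when the process exits "cleanly" with an error.
    sc.exe failureflag $Name 1
}

# Review what recovery actions are currently configured. Useful when
# auditing a vendor package: a service that really needs resurrection
# should show it here, not in a kernel driver.
function Get-ExampleServiceRecovery {
    param([string]$Name = 'ExampleMgmtSvc')
    sc.exe qfailure $Name
}

Set-ExampleServiceRecovery
Get-ExampleServiceRecovery
```

Both commands need an elevated prompt, and `sc.exe qfailure` on an unknown service name simply reports that the service does not exist.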