Is it possible to encrypt a .sys file?

[deroko]

yes, you may append your code to .sys but make sure to update checksum in PE header and to make code section writable. Any exception in r0 will cause bsod

The PE-checksum will be your smallest problem if you plan to encrypt *.SYS files.

You must take care of what sections are loaded at which time, you must take care of the init callbacks, you will run into some big problems when trying to allocate memory and some other nasty problems. Just to name one, how do you plan to call LoadLibrary or GetProcAddres from Ring-0? KERNEL32 is not present and you can't use SEH to find the imports by trial and error.

[OHPen]

He have to use native api, but thats obvious...

[deroko]

Quote:

Originally Posted by MarkusO

Just to name one, how do you plan to call LoadLibrary or GetProcAddres from Ring-0? KERNEL32 is not present and you can't use SEH to find the imports by trial and error.

Simple, find ptr to ntoskrnl.exe from IDT and then cycle backward till you find ntoskrnl.exe base then locate ZwQuerySystemInformation to receive addresses of needed drivers and write GetProcAddress by yourself walking trough exports of needed .sys files At least that's how I would do it.

Quote:

Originally Posted by MarkusO

The PE-checksum will be your smallest problem if you plan to encrypt *.SYS files.

You must take care of what sections are loaded at which time, you must take care of the init callbacks, you will run into some big problems when trying to allocate memory and some other nasty problems. Just to name one, how do you plan to call LoadLibrary or GetProcAddres from Ring-0? KERNEL32 is not present and you can't use SEH to find the imports by trial and error.

I do not think make a PE checksum will encrypt the .sys file.
It only prevent some modifications.
Encrypt file can not be analyzed by static disassemble tool such as IDA pro.

And as we know, VMProtect can make protection on .sys file but not encrypt, even compress.