CFP - Poor pop-up alerts compared with other HIPS?

That explains. Thank you.
Strange thing: another application called Punto Switcher “tries to obtain LoadDriver privilege”, too… but it never loaded or accessed any drivers.

This one:

?
If so, yes, I read it and understood.

You do know what privileges are, right? Just because a program enables a privilege for itself doesn’t mean it’s going to use it.

My level is “average”: I see the word “driver”, I know something serious is about to happen :slight_smile:

Interesting. And full paths are displayed in this case…

I had no clue why alerts for installing driver (one technique) displayed correct paths (e.g. HKLM\System\ControlSet003\Services\driver_name), but other alerts for installing driver (another technique) displayed wildcarded path (HKLM\System\ControlSet???\Services\driver_name).

Are those displayed by guard32? It’s possible that whoever coded guard32 put “ControlSet???” on purpose…

The “ControlSet???” access alert is displayed for an executable which attempts to install and load a driver using the services controller (attached pics).

update: these are displayed when guard32 is enabled.

[attachment deleted by admin]

SS26. Would you be so kind as to post screenshots using the English interface? That makes things easier to understand.

EricJH. All right. Screenshots made in future will be in English. But those from my archive remain as they are now (including those already attached).

Yes, that makes sense. Whoever coded guard32 decided to hook CreateService or a similar function in order to improve alerts (see my previous explanation), and put in the “ControlSet???” message. Why didn’t they use a better message such as “trying to create a service”? Who knows…

When TestDrivers.exe uses NtLoadDriver, it writes to the registry itself, guard32 doesn’t intervene, and the CIS driver catches it and displays an alert with “ControlSet003”.

Now that we know, thanks to you, how Defense+ behaves in these 2 cases,
would it be interesting to see Defense+ in action if neither the services controller nor NtLoadDriver is used to load a driver?

[bolded by me; does “main” imply there are other, additional ways?]

I used “main” because every sensible method of driver loading fits into one of those two categories. These are the methods I know of for executing code in kernel mode:

  1. (XP only) NtSetSystemInformation with SystemLoadGdiDriverInformation. CIS already catches this.
  2. (XP only) NtSystemDebugControl to write to kernel-mode memory. CIS hooks NtSystemDebugControl, so it should be detected.
  3. (XP only) \Device\PhysicalMemory, same outcome as above. Should be detected.
  4. NtLoadDriver. This can be used through the services controller or can be called directly.
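As an added example (not code from the thread or from Comodo), this shows how a defender correlating HIPS alerts can treat the two alert styles discussed above, the concrete “ControlSet003” path from the CIS driver and the “ControlSet???” wildcard from the guard32 hook, as the same service registration. The alert line format, the process names and the service name `mydrv` are constructed assumptions for the sample.

```python
import re
from typing import Optional

# Constructed sample HIPS alert lines (not taken from the original thread).
SAMPLE_ALERTS = [
    r"TestDrivers.exe: Modify key HKLM\System\ControlSet003\Services\mydrv",
    r"installer.exe: Modify key HKLM\System\ControlSet???\Services\mydrv",
    r"app.exe: Modify key HKLM\System\CurrentControlSet\Services\mydrv\Parameters",
    r"app.exe: Modify key HKLM\Software\Vendor\Settings",
]

# Assumed alert shape: "<process>: Modify key <registry path>".
_ALERT_RE = re.compile(r"^(?P<process>\S+): Modify key (?P<path>.+)$")

# Accepts ControlSetNNN, the guard32-style ControlSet??? wildcard, and CurrentControlSet.
_SERVICES_RE = re.compile(
    r"^HKLM\\System\\(?P<cs>ControlSet(?:\d{3}|\?\?\?)|CurrentControlSet)"
    r"\\Services\\(?P<svc>[^\\]+)(?:\\(?P<sub>.*))?$",
    re.IGNORECASE,
)

def parse_alert(line: str) -> Optional[dict]:
    """Split an alert into process, service name, control set and sub-key.
    Returns None for alerts that do not touch a Services key."""
    m = _ALERT_RE.match(line.strip())
    if not m:
        return None
    k = _SERVICES_RE.match(m.group("path"))
    if not k:
        return None
    cs = k.group("cs")
    if cs.lower() == "currentcontrolset":
        control_set = "current"
    elif cs.endswith("???"):
        control_set = "any"        # wildcard: hook did not resolve the numbered set
    else:
        control_set = cs[-3:]      # e.g. "003"
    return {
        "process": m.group("process"),
        "service": k.group("svc"),
        "control_set": control_set,
        "subkey": k.group("sub") or "",
        # Canonical key so both alert styles correlate as one service registration.
        "canonical": "HKLM\\System\\CurrentControlSet\\Services\\" + k.group("svc"),
    }

def service_registrations(lines) -> dict:
    """Map canonical service key -> processes that wrote the service root key
    (sub-key writes such as \\Parameters are reported separately by parse_alert)."""
    seen: dict = {}
    for line in lines:
        a = parse_alert(line)
        if a and a["subkey"] == "":
            seen.setdefault(a["canonical"], []).append(a["process"])
    return seen
```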

Many thanks for this information.

Thanks also from me, wj32.