
Explanation of the Flowchart
- A. User-Mode Application (CreateFile): The process starts with a user-mode application (e.g., a C2 agent) calling CreateFile to open a handle to the driver's device through its symbolic link (e.g., \\.\VulnerableDevice). This is the entry point from user mode.
- B. Win32 API: The CreateFile call is processed by the Win32 API, which translates it into a kernel-mode request. With the handle open, the application calls DeviceIoControl to send an IOCTL (I/O Control code) together with optional input and output buffers.
- C. I/O Manager (Creates IRP): The Windows I/O Manager receives the request and creates an I/O Request Packet (IRP), which encapsulates the operation and carries a major function code identifying it (IRP_MJ_DEVICE_CONTROL for IOCTLs).
- D. Driver (DriverEntry Initialized): The symbolic link resolves to the driver's Device Object (created during DriverEntry via IoCreateDevice), so the I/O Manager knows which driver owns the request. DriverEntry also populated the MajorFunction table, which maps each IRP major function code to a dispatch routine.
- E. Dispatch Routine (IRP_MJ_DEVICE_CONTROL): The IRP is routed to the driver's dispatch routine for IRP_MJ_DEVICE_CONTROL, which reads the IOCTL code passed by DeviceIoControl from the IRP and selects the matching handler.
- F. Execute Operation: The dispatch routine processes the IOCTL, performing operations like reading/writing memory or executing driver-specific logic (e.g., shellcode in a C2 context). This step is the driver's trust boundary: the IOCTL code and the caller-supplied buffers and lengths come straight from user mode, so this is where validation either happens or is missing.
- G. I/O Manager (Completes IRP): The driver completes the IRP, passing results (e.g., output data and an NTSTATUS code) back to the I/O Manager.
- H. User-Mode Application (Receives Response): The I/O Manager returns the results to the user-mode application via the Win32 API, completing the request.
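Steps E and F above, as an added example that is not from the original page or from any real driver: a plain-C model of the IRP_MJ_DEVICE_CONTROL dispatch routine, with the WDK CTL_CODE bit layout reproduced so the IOCTL codes can be decoded. The device type, the two IOCTLs and the fake_irp structure are constructed for this example; the length checks before each copy are the ones a reviewer would look for in a real driver.

```c
/* Added example, not from the page or any real driver: a plain-C model of the
 * IRP_MJ_DEVICE_CONTROL path that reproduces the WDK CTL_CODE bit layout. */
#include <stdint.h>
#include <string.h>
#define METHOD_BUFFERED     0
#define FILE_ANY_ACCESS     0
#define FILE_DEVICE_UNKNOWN 0x22
/* Same layout as the WDK macro: DeviceType<<16 | Access<<14 | Function<<2 | Method */
#define CTL_CODE(DeviceType, Function, Method, Access) \
    (((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method))
/* Hypothetical IOCTLs for the flowchart's driver (constructed for this example) */
#define IOCTL_DEMO_READ_CONFIG CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_DEMO_SET_CONFIG  CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS)
/* NTSTATUS values as defined in ntstatus.h */
#define STATUS_SUCCESS                0x00000000u
#define STATUS_INVALID_DEVICE_REQUEST 0xC0000010u
#define STATUS_BUFFER_TOO_SMALL       0xC0000023u

struct demo_config { uint32_t flags; uint32_t interval_ms; };
static struct demo_config g_config = { 0x1, 1000 };   /* driver-side state */
/* Stand-in for the IRP fields a METHOD_BUFFERED dispatch routine reads */
struct fake_irp {
    uint32_t io_control_code;
    void    *system_buffer;   /* one buffer serves as both input and output */
    uint32_t input_length, output_length;
    uint32_t information;     /* bytes handed back to the caller on completion */
};
/* Decode an IOCTL code's fields, e.g. when reading codes out of telemetry */
uint32_t ioctl_function(uint32_t code)    { return (code >> 2) & 0xFFF; }
uint32_t ioctl_method(uint32_t code)      { return code & 0x3; }
uint32_t ioctl_device_type(uint32_t code) { return (code >> 16) & 0xFFFF; }
/* Dispatch routine: route on the code, check lengths before any copy, reject unknown codes */
uint32_t dispatch_device_control(struct fake_irp *irp)
{
    irp->information = 0;
    switch (irp->io_control_code) {
    case IOCTL_DEMO_READ_CONFIG:
        if (irp->output_length < sizeof g_config) return STATUS_BUFFER_TOO_SMALL;
        memcpy(irp->system_buffer, &g_config, sizeof g_config);
        irp->information = sizeof g_config;
        return STATUS_SUCCESS;
    case IOCTL_DEMO_SET_CONFIG:
        if (irp->input_length < sizeof g_config) return STATUS_BUFFER_TOO_SMALL;
        memcpy(&g_config, irp->system_buffer, sizeof g_config);
        return STATUS_SUCCESS;
    default:
        return STATUS_INVALID_DEVICE_REQUEST;   /* unknown IOCTL: refuse, never guess */
    }
}
```

A real driver reads the same three fields from the IRP's current stack location (IoControlCode, InputBufferLength, OutputBufferLength) and completes the IRP with IoCompleteRequest; the model keeps them in fake_irp so the checks can be exercised without the WDK.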