NtLoadDriver

Prototype

NTSTATUS NtLoadDriver(
  PUNICODE_STRING DriverServiceName
);

Arguments

Syscall IDs by Windows version

Syscall stub

4C 8B D1            mov r10, rcx
B8 0E 01 00 00      mov eax, 0x10E
F6 04 25 08 03 FE 7F 01   test byte ptr [0x7FFE0308], 1
75 03               jne short +3
0F 05               syscall
C3                  ret
CD 2E               int 2Eh
C3                  ret

Undocumented notes

Single-argument syscall that takes the **NT registry path** to the driver's service key — *not* a filesystem path to the .sys file. The kernel reads `ImagePath`, `Type`, `Start`, `Group` and other entries from that key, loads the image with `MmLoadSystemImage`, calls `DriverEntry`, then inserts the driver into `PsLoadedModuleList`. The caller must hold `SeLoadDriverPrivilege` (default: Administrators, Print Operators) and the privilege must be **enabled** in the thread token — this is the single hard prerequisite. SSN drifts heavily across builds (0xF5 → 0x10E), making dynamic resolution mandatory. Drivers loaded this way are loaded *demand-start* (Type=3), which appears in PnP telemetry differently than `Start=2` (auto) services that the SCM brings up at boot.

Common malware usage

The **BYOVD (Bring Your Own Vulnerable Driver)** entry point — the syscall every kernel-level attack on a modern Windows host eventually funnels through. The full chain: (1) drop the vulnerable but Microsoft-signed driver (RTCore64.sys, gdrv.sys, mhyprot2.sys, dbutil_2_3.sys, procexp152.sys, kprocesshacker.sys, etc.) to disk; (2) create the service registry key under `\Registry\Machine\System\CurrentControlSet\Services\<RandomName>` with `ImagePath=\??\C:\path\drv.sys`, `Type=1`, `Start=3` (either by NtSetValueKey directly or by `OpenSCManager`+`CreateServiceW` which is noisier); (3) enable `SeLoadDriverPrivilege` via `NtAdjustPrivilegesToken`; (4) call NtLoadDriver with the service-key path; (5) open `\\.\<DeviceName>` and send IOCTLs via `NtDeviceIoControlFile`. The same syscall is also abused for **rootkit installation (T1014)** — Necurs, FU, TDL3/4, and the Equation Group's GrayFish all loaded their kernel components via this path. Legitimate service-driver persistence (T1543.003) uses the same call but goes through the SCM.

Detection opportunities

**Highest-fidelity driver-load telemetry on Windows**, and the most-watched syscall by EDRs. Detection sources: (a) **Microsoft-Windows-Kernel-PnP** ETW (`{9C205A39-1250-487D-ABD7-E831C6290539}`) emits a load event with the image path, signing details, and the loading process; (b) **Sysmon Event ID 6 (DriverLoad)** — image, hash, signed/unsigned status, signer; (c) **Security Event 4673/4674** when `SeLoadDriverPrivilege` is exercised; (d) **PsSetLoadImageNotifyRoutine** fires for *every* image load including drivers and feeds every modern EDR. Microsoft's Vulnerable Driver Blocklist (`HVCI` + Code Integrity policy `SiPolicy.p7b`, default-on Windows 11 22H2+ and Server 2022+) hash-blocks the publicly known BYOVD families pre-load; the LOLDrivers.io project maintains the community hash list. High-value hunts: any NtLoadDriver call by a process that has been alive < 60 s; any driver loaded from outside `%SystemRoot%\System32\drivers`; any driver whose signer is on the LOLDrivers list; any driver whose service key was created < 5 minutes before NtLoadDriver. Microsoft Defender's `Block abuse of exploited vulnerable signed drivers` ASR rule (D1E49AAC-8F56-4280-B9BA-993A6D77406C) actively blocks the catalog.

Direct syscall examples

// 1) Caller has already enabled SeLoadDriverPrivilege in its token.
// 2) Service registry entry has been written under HKLM\SYSTEM\CurrentControlSet\Services\Evil:
//      ImagePath = \??\C:\Users\Public\rtcore64.sys
//      Type      = 1            (kernel driver)
//      Start     = 3            (demand)
//      ErrorCtrl = 1

UNICODE_STRING svc;
RtlInitUnicodeString(&svc,
    L"\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Evil");

NTSTATUS s = NtLoadDriver(&svc);
// On success the driver's DriverEntry has run and \\.\RTCore64 is now openable.

; SSN heavily build-dependent. Always resolve dynamically for portable code.
NtLoadDriver PROC
    mov  r10, rcx
    mov  eax, 10Eh         ; Win11 24H2
    syscall
    ret
NtLoadDriver ENDP

// Cargo: ntapi = "0.4", winapi = { version = "0.3", features = ["ntdef","ntsecapi"] }
use ntapi::ntpsapi::NtCurrentProcess;
use ntapi::ntrtl::RtlInitUnicodeString;
use winapi::shared::ntdef::{HANDLE, UNICODE_STRING};

extern "system" {
    fn NtLoadDriver(name: *mut UNICODE_STRING) -> i32;
    fn NtOpenProcessToken(p: HANDLE, da: u32, t: *mut HANDLE) -> i32;
    fn NtAdjustPrivilegesToken(
        t: HANDLE, dis: u8, n: *mut u8, len: u32,
        prev: *mut u8, ret: *mut u32) -> i32;
}

pub unsafe fn byovd_load(service_key_nt_path: *const u16) -> i32 {
    // 1) enable SeLoadDriverPrivilege in our own token (token plumbing omitted)
    // 2) issue the load
    let mut us: UNICODE_STRING = core::mem::zeroed();
    RtlInitUnicodeString(&mut us, service_key_nt_path);
    NtLoadDriver(&mut us)
}

MITRE ATT&CK mappings

• T1068Exploitation for Privilege Escalationmitre ↗
• T1543.003Create or Modify System Process: Windows Servicemitre ↗
• T1014Rootkitmitre ↗
• T1562.001Impair Defenses: Disable or Modify Toolsmitre ↗