Anyone currently digging into kernel-level exploits knows the headache of dealing with Plug and Play (PnP) drivers. Trying to weaponize a vulnerable PnP driver usually requires the PnP manager to call AddDevice in a very specific state, and doing it through the standard Setup API is bloated, noisy, and generally disgusting.
If you are trying to load a vulnerable driver to get kernel execution without leaving the usual footprints (INF files, registry artifacts, etc.), you have to bypass the high-level garbage. The goal here is to manually trigger the PnP manager's loading logic by reversing the underlying IOCTLs and registry keys that the Setup API normally handles behind the scenes.
For those looking for the entry point to interface with the Configuration Manager and bypass the INF installer:
Code:
L"\\Device\\DeviceApi\\CMApi"
Technical Implementation Notes:
- Interaction with CMApi allows for more direct control over how the PnP manager perceives a "new" device.
- Bypassing the Setup API means you need to manually handle the device node creation and property settings in the registry.
- This is the path forward for anyone trying to build a clean loader for vulnerable drivers that require PnP initialization to function or expose their vulnerability.
- Registry Keys: You'll still need to mirror certain property keys that the PnP manager expects, or the service start will fail with a generic "device not found" or "parameter incorrect" error.
- Permissions: Accessing CMApi directly often requires SYSTEM or at least high-integrity with specific privileges depending on the OS build.
It is a much cleaner way to operate if you're trying to keep the telemetry low. Has anyone else mapped out the specific IOCTLs for CMApi to force a re-enumeration without a hardware ID match?
Drop your research or reversing notes below.
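From the defender's side, the thread's central claim is that a driver can be started as a service without the Driver Store and INF footprint a normal Setup API install leaves behind. That absence is itself a detectable signal. The script below is an added example and is not code from the post or from any of the tooling it mentions; it assumes an elevated PowerShell session on Windows 10 or later, and the function name Get-DriverFootprint and the variable $suspicious are names chosen here, not system objects. It enumerates running kernel-mode driver services via Win32_SystemDriver, records whether each binary sits in the Driver Store or the standard drivers directory, and checks its Authenticode status.

```powershell
# Added example (not from the post): triage running kernel-mode driver services for the
# pattern described in the thread, a driver started as a service without the Driver
# Store / INF footprint that a Setup API install leaves behind.
# Assumptions: elevated PowerShell on Windows 10 or later; Get-DriverFootprint and
# $suspicious are names chosen for this example.

$driverStore = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'
$driversDir  = Join-Path $env:SystemRoot 'System32\drivers'

function Get-DriverFootprint {
    # One record per running kernel driver service, annotated with where its
    # binary lives and whether the file carries a valid Authenticode signature.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName may be quoted or carry the \??\ prefix; normalise before testing
            $path = ($_.PathName -replace '^\\\?\?\\', '').Trim('"')
            $inDriverStore = $path.StartsWith($driverStore, 'OrdinalIgnoreCase')
            $inDriversDir  = $path.StartsWith($driversDir,  'OrdinalIgnoreCase')
            $sig = if (Test-Path -LiteralPath $path) {
                       (Get-AuthenticodeSignature -LiteralPath $path).Status
                   } else {
                       'FileMissing'   # binary deleted after load is itself suspicious
                   }
            [pscustomobject]@{
                Service       = $_.Name
                Path          = $path
                StartMode     = $_.StartMode
                InDriverStore = $inDriverStore
                InDriversDir  = $inDriversDir
                Signature     = $sig
            }
        }
}

# Drivers running from outside the two standard locations, or whose file is
# unsigned or missing, are the ones to reconcile against the Driver Store
# (pnputil /enum-drivers) and against an allowlist of known driver hashes.
$suspicious = Get-DriverFootprint | Where-Object {
    -not ($_.InDriverStore -or $_.InDriversDir) -or $_.Signature -ne 'Valid'
}
$suspicious | Format-Table -AutoSize
```

Expect some noise on the first run: third-party security products and virtualization tools legitimately ship drivers from their own directories, so the useful output is the delta against a known-good baseline of the same host, not the raw list. A driver that is signed but lives outside the Driver Store is exactly the case the thread is describing, and signature validity alone does not clear it, because a known-vulnerable driver is by definition validly signed.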