DriverJack Turning NTFS and Emulated ROFs into an Infection
Alessandro Magnosi
DEF CON 32 · Day 1 · Main Stage
Alessandro Magnosi's talk, "DriverJack Turning NTFS and Emulated ROFs into an Infection," introduces a novel and stealthy technique for loading malicious kernel drivers on Windows 11. The research, developed by Magnosi together with Jonas Leak, leverages specific **NTFS features** and a **CDFS bug** to subvert the conventional driver-loading path and, critically, to avoid producing the Windows event-log entries that normally alert defenders to a driver installation. The technique, dubbed **DriverJack**, is a significant step forward in kernel-level persistence and evasion, and is particularly relevant to sophisticated adversaries targeting high-value environments.
AI review
Alessandro Magnosi's "DriverJack" research unveils a highly sophisticated and stealthy method for loading unsigned kernel drivers on Windows 11 by exploiting specific NTFS features and an undisclosed CDFS bug. Critically, the technique avoids generating the standard Windows driver-load events (Event IDs 11 and 6), so it stays invisible to EDR and SIEM detections that key on those events. The work, motivated by a real-world OT engagement in which the team had to backdoor Siemens Step 7 installation media protected by two-layer integrity checks, represents a significant leap in kernel-level persistence and evasion, forcing a…