flat assembler
Message board for the users of flat assembler.

MS COFF - Driver
Joined: 24 Dec 2008
Posts: 1081
Location: Belgium
ouadji 02 Jan 2010, 00:59

Hi,

With format MS COFF (not PE Native), I use the directive "extrn":

Code:
format MS COFF

extrn '_IoCreateDevice@28' as IoCreateDevice:dword

extrn '_ExFreePoolWithTag@8' as ExFreePoolWithTag:dword
extrn '_KeSetSystemAffinityThread@4' as KeSetSystemAffinityThread:dword
extrn '_KeRevertToUserAffinityThread@0' as KeRevertToUserAffinityThread:dword

.....
DriverEntry equ _DriverEntry@8

section '.main' code readable writeable executable notpageable
public DriverEntry
proc DriverEntry pDriverObject, usRegistryPath
.....

I create the ".obj" file with FASM and then I link this ".obj" file with an external DLL
(with an external linker - PellesC).
Topic about this: click here.
This is to build a driver (/SUBSYSTEM:NATIVE /DRIVER).
And there I have a problem! E.g. the function "IoCompleteRequest" (but also others).
If I call this function in the function "DriverEntry", no problem.
The address mapping table is present in memory, all is OK.
But if I use "IoCompleteRequest" in the function DispatchCreate (IRP_MJ_CREATE),
the address table is gone and I have a nice BSOD. (I checked this with Syser.)
However, in my "code" and "data" sections, I used the directive "notpageable".
I also use the function "MmLockPagableCode/DataSection", but no results.
Inside the function "DriverEntry", there is no problem. But when I am inside the other functions of the driver, the table of addresses is gone and I can't access any of my declared functions.

It seems that this table is in paged memory!

What should I do to make this table stay locked permanently in memory?

Thank you.

Sorry for my English, I do my best.

Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 02 Jan 2010, 02:20
Sure it isn't something else? If the error is always reproduced then I don't think that the pageable section has much to do with this, as Windows won't be reading from disk each time the section is touched (and even if it does, you would need to be at an IRQL higher than PASSIVE_LEVEL to get the BSOD).

Quote:
However, in my sections "code" and "data", I used the directive "notpageable".
But this is not enough, the IAT also needs to be not pageable, but it's the linker's job to do that.

ouadji 02 Jan 2010, 10:14

No, nothing else.
In "DriverEntry", all is OK, but in the other functions, the IAT is gone.
About IRQL ... I'm at "Passive_Level".
Quote:
but it's the linker's job doing that
I think that this is the right idea.
I've never had this trouble using the format "PE Native"
(and without an external linker).

LocoDelAssembly 02 Jan 2010, 18:03
Could you upload the binary so I can give a look at it? If you have the minidump please upload it too.

ouadji 02 Jan 2010, 19:01

For the minidump, it's OK.
But "the binary"...? The ".sys"?

LocoDelAssembly 02 Jan 2010, 19:20
Yep, I think IDApro will provide me with enough help to see what happens.

ouadji 02 Jan 2010, 19:51

Thank you LocoDelAssembly.

It's not a very "conventional" driver.
But here ... all the calls are inactive, but the code is there.
Having said that, the structure of this driver is quite classical!

LocoDelAssembly 02 Jan 2010, 20:17
Yes, the imports are made without a separate section for the IAT. This is not a problem, NULL.SYS also does this, BUT it doesn't put the import table in the INIT section and it doesn't have the section marked as discardable either (here is the problem: it is lost because Windows is allowed to remove it from memory AND NOT read it back from disk later).

Beatrix's example has the very same problem (both the official MASM example and the one posted here for fasm). Maybe the linker is not doing a very good job after all (or BeaEngine.lib itself has something wrong).

IDApro gives this message when I open Beatrix examples and your binary:
Quote:
The imports segments seems to be destroyed. This MAY mean that the file was packed or otherwise modified in order to make it more difficult to analyze. If you want to see the imports segment in the original form, please reload it with the 'make imports section' checkbox cleared.


With r0pc.SYS and NULL.SYS it doesn't complain. Check the documentation of PellesC to see if some setting is missing here, and please forward the comments to Beatrix as the MASM binary should be fixed too for extra reliability.

ouadji 02 Jan 2010, 20:29

The import table in the INIT section ... my god! I understand now!

In my driver, BeaEngine is not present, I have removed it.
My driver is quite conventional.
Thank you very much for your help LocoDelAssembly.


ouadji 03 Jan 2010, 00:48

In the options of the PellesC linker, there is the option "/Section",
which allows assigning some attributes to a section:
E (executable), R (readable) ... and P (not pageable), e.g. /Section:init,REP.
I haven't managed to get a positive result,
however it seems to me I have tried everything.
Outside the function "DriverEntry", the IAT is always gone!
Perhaps the format "MS COFF" is not a pertinent format to build a driver,
I don't know! If someone has an idea, it's welcome!


LocoDelAssembly 03 Jan 2010, 02:55
Well, I can't find the PoLink manual anywhere so I'll guess. What about /Section:.idata,REP? That section doesn't really exist in the driver, but perhaps the linker will acknowledge it as you want to set those attributes on the imports.

I don't think MS COFF is the problem, drivers in MASM do exist and work (but those I saw are built with Microsoft's linker).

ouadji 03 Jan 2010, 08:54

PellesC manual

inside: command line options for the linker

click here LocoDelAssembly
(max 700 KB on the forum; the PellesC manual is 1.13 MB)

Then maybe also try with Microsoft's linker?


LocoDelAssembly 03 Jan 2010, 18:23
It says that it is temporarily disabled.

I've tried with the linker of the WDK to compile just a very simple driver:
Code:
format MS COFF

include 'macro/proc32.inc'
STATUS_DEVICE_CONFIGURATION_ERROR = 00C0000182h

; export DriverEntry under its stdcall-decorated name so the linker can find the entry point
public DriverEntry as '_DriverEntry@8'

section '.text' code readable executable notpageable

proc DriverEntry lpDriverObject, lpusRegistryPath

    ; fail the load immediately: this driver only exists to test the linking step
    mov eax, STATUS_DEVICE_CONFIGURATION_ERROR
    ret
endp

But the linker insists that _NtProcessStartup cannot be resolved. I don't know why it completely ignores my "/driver" setting; using "/subsystem:native" is enough to start with that requirement (and if I remove it then it says I must provide an entry point).

This reminded me how grateful I am that I don't need a linker in fasm to get executables...
LocoDelAssembly 03 Jan 2010, 19:39
Well, since today I have a little more patience I've tried again:
Code:
>link r0pc.obj %lib%\wxp\i386\ntoskrnl.lib /DRIVER /SUBSYSTEM:NATIVE /ENTRY:DriverEntry /BASE:0x10000 /ALIGN:32
Microsoft (R) Incremental Linker Version 9.00.30729.207
Copyright (C) Microsoft Corporation.  All rights reserved.

ntoskrnl.lib(ntoskrnl.exe) : warning LNK4078: multiple '.text' sections found with different attributes (60201020)

This is under the "Windows XP x86 Free Build Environment" (selectable from the start menu once the WDK is installed).
The results of the linking are not so good as you can see (and I don't know how I could avoid having to specify every lib instead of letting the linker find it out). It ends up with two ".text" sections with the same attributes according to LordPE, so I don't know what the linker warning is about and why it didn't merge them all together.

Here the listing:
Code:
.text:000102A0 ;
.text:000102A0 ; +-------------------------------------------------------------------------+
.text:000102A0 ; │     This file is generated by The Interactive Disassembler (IDA)        │
.text:000102A0 ; │     Copyright (c) 2006 by DataRescue sa/nv, <ida@datarescue.com>        │
.text:000102A0 ; │                      Licensed to: Freeware version                      │
.text:000102A0 ; +-------------------------------------------------------------------------+
.text:000102A0 ;
.text:000102A0 ; File Name   : C:\Documents and Settings\Hernan\Escritorio\r0pc010107\MSCOFF\r0pc.sys
.text:000102A0 ; Format      : Portable executable for 80386 (PE)
.text:000102A0 ; Imagebase   : 10000
.text:000102A0 ; Section 1. (virtual address 000002A0)
.text:000102A0 ; Virtual size                  : 00000028 (     40.)
.text:000102A0 ; Section size in file          : 00000040 (     64.)
.text:000102A0 ; Offset to raw data for section: 000002A0
.text:000102A0 ; Flags 68000020: Text Not pageable Executable Readable
.text:000102A0 ; Alignment     : default
.text:000102A0
.text:000102A0                 Ideal
.text:000102A0                 p686
.text:000102A0                 pmmx
.text:000102A0                 model flat
.text:000102A0
.text:000102A0 ; ---------------------------------------------------------------------------
.text:000102A0
.text:000102A0 ; Segment type: Pure code
.text:000102A0 ; Segment permissions: Read/Execute
.text:000102A0 segment         _text para public 'CODE' use32
.text:000102A0                 assume cs:_text
.text:000102A0                 ;org 102A0h
.text:000102A0                 assume es:nothing, ss:nothing, ds:_text, fs:nothing, gs:nothing
.text:000102A0
.text:000102A0 ; ═══════════════ S U B R O U T I N E ═══════════════════════════════════════
.text:000102A0
.text:000102A0 ; Attributes: bp-based frame
.text:000102A0
.text:000102A0                 public start
.text:000102A0 proc            start near
.text:000102A0                 push    ebp
.text:000102A1                 mov     ebp, esp
.text:000102A3                 call    loc_102BA
.text:000102A3 ; ---------------------------------------------------------------------------
.text:000102A8 aHelloWorldD    db 'Hello World Very Happy!',0Dh,0Ah,0
.text:000102BA ; ---------------------------------------------------------------------------
.text:000102BA
.text:000102BA loc_102BA:                              ; CODE XREF: start+3p
.text:000102BA                 call    DbgPrint
.text:000102BF                 mov     eax, 0C0000182h
.text:000102C4                 leave
.text:000102C5                 retn    8
.text:000102C5 endp            start
.text:000102C5
.text:000102C5 ; ---------------------------------------------------------------------------
.text:000102C8                 db    0
.text:000102C9                 db    0
.text:000102CA                 db    0
.text:000102CB                 db    0
.text:000102CC                 db    0
.text:000102CD                 db    0
.text:000102CE                 db    0
.text:000102CF                 db    0
.text:000102D0                 db    0
.text:000102D1                 db    0
.text:000102D2                 db    0
.text:000102D3                 db    0
.text:000102D4                 db    0
.text:000102D5                 db    0
.text:000102D6                 db    0
.text:000102D7                 db    0
.text:000102D8                 db    0
.text:000102D9                 db    0
.text:000102DA                 db    0
.text:000102DB                 db    0
.text:000102DC                 db    0
.text:000102DD                 db    0
.text:000102DE                 db    0
.text:000102DF                 db    0
.text:000102DF ends            _text
.text:000102DF
.text:000102E0 ; Section 2. (virtual address 000002E0)
.text:000102E0 ; Virtual size                  : 00000006 (      6.)
.text:000102E0 ; Section size in file          : 00000020 (     32.)
.text:000102E0 ; Offset to raw data for section: 000002E0
.text:000102E0 ; Flags 68000020: Text Not pageable Executable Readable
.text:000102E0 ; Alignment     : default
.text:000102E0 ; ---------------------------------------------------------------------------
.text:000102E0
.text:000102E0 ; Segment type: Pure code
.text:000102E0 ; Segment permissions: Read/Execute
.text:000102E0 segment         _text para public 'CODE' use32
.text:000102E0                 assume cs:_text
.text:000102E0                 ;org 102E0h
.text:000102E0                 assume es:nothing, ss:nothing, ds:_text, fs:nothing, gs:nothing
.text:000102E0
.text:000102E0 ; ═══════════════ S U B R O U T I N E ═══════════════════════════════════════
.text:000102E0
.text:000102E0 ; Attributes: thunk
.text:000102E0
.text:000102E0 proc            DbgPrint near           ; CODE XREF: start:loc_102BAp
.text:000102E0                 jmp     [ds:__imp_DbgPrint]
.text:000102E0 endp            DbgPrint
.text:000102E0
.text:000102E0 ; ---------------------------------------------------------------------------
.text:000102E6                 align 20h
.text:000102E6 ends            _text
.text:000102E6
.idata:00010300 ; Section 3. (virtual address 00000300)
.idata:00010300 ; Virtual size                  : 00000008 (      8.)
.idata:00010300 ; Section size in file          : 00000020 (     32.)
.idata:00010300 ; Offset to raw data for section: 00000300
.idata:00010300 ; Flags 48000040: Data Not pageable Readable
.idata:00010300 ; Alignment     : default
.idata:00010300 ;
.idata:00010300 ; Imports from ntoskrnl.exe
.idata:00010300 ;
.idata:00010300 ; ---------------------------------------------------------------------------
.idata:00010300
.idata:00010300 ; Segment type: Externs
.idata:00010300 ; _idata
.idata:00010300                 extrn __imp_DbgPrint:dword ; DATA XREF: DbgPrintr
.idata:00010304
.idata:00010304
.rdata:00010308 ; ---------------------------------------------------------------------------
.rdata:00010308
.rdata:00010308 ; Segment type: Pure data
.rdata:00010308 ; Segment permissions: Read
.rdata:00010308 segment         _rdata para public 'DATA' use32
.rdata:00010308                 assume cs:_rdata
.rdata:00010308                 ;org 10308h
.rdata:00010308                 db    0
.rdata:00010309                 db    0
.rdata:0001030A                 db    0
.rdata:0001030B                 db    0
.rdata:0001030C                 db    0
.rdata:0001030D                 db    0
.rdata:0001030E                 db    0
.rdata:0001030F                 db    0
.rdata:00010310                 db    0
.rdata:00010311                 db    0
.rdata:00010312                 db    0
.rdata:00010313                 db    0
.rdata:00010314                 db    0
.rdata:00010315                 db    0
.rdata:00010316                 db    0
.rdata:00010317                 db    0
.rdata:00010318                 db    0
.rdata:00010319                 db    0
.rdata:0001031A                 db    0
.rdata:0001031B                 db    0
.rdata:0001031C                 db    0
.rdata:0001031D                 db    0
.rdata:0001031E                 db    0
.rdata:0001031F                 db    0
.rdata:0001031F ends            _rdata
.rdata:0001031F
INIT:00010320 ; Section 4. (virtual address 00000320)
INIT:00010320 ; Virtual size                  : 0000004A (     74.)
INIT:00010320 ; Section size in file          : 00000060 (     96.)
INIT:00010320 ; Offset to raw data for section: 00000320
INIT:00010320 ; Flags E2000020: Text Discardable Executable Readable Writable
INIT:00010320 ; Alignment     : default
INIT:00010320 ; ---------------------------------------------------------------------------
INIT:00010320
INIT:00010320 ; Segment type: Pure code
INIT:00010320 ; Segment permissions: Read/Write/Execute
INIT:00010320 segment         INIT para public 'CODE' use32
INIT:00010320                 assume cs:INIT
INIT:00010320                 ;org 10320h
INIT:00010320                 assume es:nothing, ss:nothing, ds:_text, fs:nothing, gs:nothing
INIT:00010320                 dd 348h, 2 dup(0)
INIT:0001032C                 dd 35Ch, 300h, 5 dup(0)
INIT:00010348                 dd 350h, 0
INIT:00010350                 dd 62440030h, 69725067h, 746Eh, 736F746Eh, 6C6E726Bh, 6578652Eh
INIT:00010350                 dd 6 dup(0)
INIT:00010350 ends            INIT
INIT:00010350
INIT:00010350
INIT:00010350                 end start


At least on my virtualized XP it worked and showed "Hello World!! Very Happy" in DbgView, but this double '.text' should still be fixed. The important part is that I got my imports in a non-discardable section (and also not pageable, which allows calling functions at IRQLs higher than PASSIVE_LEVEL).

For reference, this is the listing of your uploaded driver (only the imports part because the listing is too large):
Code:
.text:00401000 ;
.text:00401000 ; +-------------------------------------------------------------------------+
.text:00401000 ; │     This file is generated by The Interactive Disassembler (IDA)        │
.text:00401000 ; │     Copyright (c) 2006 by DataRescue sa/nv, <ida@datarescue.com>        │
.text:00401000 ; │                      Licensed to: Freeware version                      │
.text:00401000 ; +-------------------------------------------------------------------------+
.text:00401000 ;
.text:00401000 ; File Name   : C:\Documents and Settings\Hernan\Escritorio\Minidump - sys\Minidump - sys\toto.sys
.text:00401000 ; Format      : Portable executable for 80386 (PE)
.text:00401000 ; Imagebase   : 400000
.text:00401000 ; Section 1. (virtual address 00001000)
.text:00401000 ; Virtual size                  : 0000008A (    138.)
.text:00401000 ; Section size in file          : 00000200 (    512.)
.text:00401000 ; Offset to raw data for section: 00000400
.text:00401000 ; Flags 68000020: Text Not pageable Executable Readable
.text:00401000 ; Alignment     : default
.text:00401000
.text:00401000                 Ideal
.text:00401000                 p686
.text:00401000                 pmmx
.text:00401000                 model flat
.text:00401000
.text:00401000 ; ---------------------------------------------------------------------------
.text:00401000
.text:00401000 ; Segment type: Pure code
.text:00401000 ; Segment permissions: Read/Execute
.text:00401000 segment         _text para public 'CODE' use32
.text:00401000                 assume cs:_text
.text:00401000                 ;org 401000h
.text:00401000                 assume es:nothing, ss:nothing, ds:_text, fs:nothing, gs:nothing
.text:00401000
.text:00401000 ; ═══════════════ S U B R O U T I N E ═══════════════════════════════════════
.text:00401000
.text:00401000 ; Attributes: thunk
.text:00401000
.text:00401000 proc            IoCreateDevice near     ; CODE XREF: start+25p
.text:00401000                 jmp     [ds:__imp_IoCreateDevice]
.text:00401000 endp            IoCreateDevice
.text:00401000
.text:00401006 ; [00000006 BYTES: COLLAPSED FUNCTION IoCompleteRequest. PRESS KEYPAD "+" TO EXPAND]
.text:0040100C ; [00000006 BYTES: COLLAPSED FUNCTION IoCreateSymbolicLink. PRESS KEYPAD "+" TO EXPAND]
.text:00401012 ; [00000006 BYTES: COLLAPSED FUNCTION MmLockPagableDataSection. PRESS KEYPAD "+" TO EXPAND]
.text:00401018 ; [00000006 BYTES: COLLAPSED FUNCTION IoDeleteDevice. PRESS KEYPAD "+" TO EXPAND]
.text:0040101E ; [00000006 BYTES: COLLAPSED FUNCTION MmMapIoSpace. PRESS KEYPAD "+" TO EXPAND]
.text:00401024 ; [00000006 BYTES: COLLAPSED FUNCTION MmUnmapIoSpace. PRESS KEYPAD "+" TO EXPAND]
.text:0040102A ; [00000006 BYTES: COLLAPSED FUNCTION ExFreePoolWithTag. PRESS KEYPAD "+" TO EXPAND]
.text:00401030 ; [00000006 BYTES: COLLAPSED FUNCTION KeSetSystemAffinityThread. PRESS KEYPAD "+" TO EXPAND]
.text:00401036 ; [00000006 BYTES: COLLAPSED FUNCTION KeRevertToUserAffinityThread. PRESS KEYPAD "+" TO EXPAND]
.text:0040103C ; [00000006 BYTES: COLLAPSED FUNCTION IoDeleteSymbolicLink. PRESS KEYPAD "+" TO EXPAND]
.text:00401042 ; [00000006 BYTES: COLLAPSED FUNCTION MmUnlockPagableImageSection. PRESS KEYPAD "+" TO EXPAND]
.text:00401048 ; [00000006 BYTES: COLLAPSED FUNCTION MmMapLockedPagesSpecifyCache. PRESS KEYPAD "+" TO EXPAND]
.text:0040104E ; [00000006 BYTES: COLLAPSED FUNCTION KeI386ReleaseGdtSelectors. PRESS KEYPAD "+" TO EXPAND]
.text:00401054 ; [00000006 BYTES: COLLAPSED FUNCTION KeI386AllocateGdtSelectors. PRESS KEYPAD "+" TO EXPAND]
.text:0040105A ; [00000006 BYTES: COLLAPSED FUNCTION KeI386SetGdtSelector. PRESS KEYPAD "+" TO EXPAND]
.text:00401060 ; [00000006 BYTES: COLLAPSED FUNCTION ExAllocatePoolWithTag. PRESS KEYPAD "+" TO EXPAND]
.text:00401066                 db 0FFh
.text:00401067                 db  25h ; %
.text:00401068                 db 0E4h ; õ OFF32 SEGDEF [INIT,40A0E4]
.text:00401069                 db 0A0h ; á
.text:0040106A                 db  40h ; @
.text:0040106B                 db    0
.text:0040106C                 db 0FFh
.text:0040106D                 db  25h ; %
.text:0040106E                 db 0E8h ; Þ OFF32 SEGDEF [INIT,40A0E8]
.text:0040106F                 db 0A0h ; á
.text:00401070                 db  40h ; @
.text:00401071                 db    0
.text:00401072 ; ---------------------------------------------------------------------------
.text:00401072                 jmp     [ds:DbgPrint]
.text:00401078 ; ---------------------------------------------------------------------------
.text:00401078                 jmp     [ds:MmGetPhysicalAddress]
.text:0040107E ; [00000006 BYTES: COLLAPSED FUNCTION KeGetCurrentIrql. PRESS KEYPAD "+" TO EXPAND]
.text:00401084 ; ---------------------------------------------------------------------------
.text:00401084                 jmp     [ds:HalGetInterruptVector]
.text:00401084 ; ---------------------------------------------------------------------------
.text:0040108A                 align 200h
.text:0040108A ends            _text
.text:0040108A
INIT:0040A000 ; Section 5. (virtual address 0000A000)
INIT:0040A000 ; Virtual size                  : 00000338 (    824.)
INIT:0040A000 ; Section size in file          : 00000400 (   1024.)
INIT:0040A000 ; Offset to raw data for section: 00006C00
INIT:0040A000 ; Flags E2000020: Text Discardable Executable Readable Writable
INIT:0040A000 ; Alignment     : default
INIT:0040A000 ; ---------------------------------------------------------------------------
INIT:0040A000
INIT:0040A000 ; Segment type: Pure code
INIT:0040A000 ; Segment permissions: Read/Write/Execute
INIT:0040A000 segment         INIT para public 'CODE' use32
INIT:0040A000                 assume cs:INIT
INIT:0040A000                 ;org 40A000h
INIT:0040A000                 assume es:nothing, ss:nothing, ds:_text, fs:nothing, gs:nothing
INIT:0040A000                 dd 0A03Ch, 2 dup(0)
INIT:0040A00C                 dd 0A2F6h, 0A0A0h, 0A094h, 2 dup(0)
INIT:0040A020                 dd 0A330h, 0A0F8h, 5 dup(0)
INIT:0040A03C                 dd 0A104h, 0A116h, 0A12Ah, 0A142h, 0A15Eh, 0A170h, 0A180h
INIT:0040A03C                 dd 0A192h, 0A1A6h, 0A1C2h, 0A1E2h, 0A1FAh, 0A218h, 0A238h
INIT:0040A03C                 dd 0A254h, 0A272h, 0A28Ah, 0A2A2h, 0A2B8h, 0A2D2h, 0A2DEh
INIT:0040A03C                 dd 0
INIT:0040A094                 dd 0A304h, 0A318h, 0
INIT:0040A094 ends            INIT
INIT:0040A094
.idata:0040A0A0 ;
.idata:0040A0A0 ; Imports from ntoskrnl.exe
.idata:0040A0A0 ;
.idata:0040A0A0 ; ---------------------------------------------------------------------------
.idata:0040A0A0
.idata:0040A0A0 ; Segment type: Externs
.idata:0040A0A0 ; _idata
.idata:0040A0A0                 extrn __imp_IoCreateDevice:dword
.idata:0040A0A0                                         ; DATA XREF: IoCreateDevicer
.idata:0040A0A0                                         ; Comment Added by Loco: This is inside INIT section
.idata:0040A0A4                 extrn __imp_IoCompleteRequest:dword
.idata:0040A0A4                                         ; DATA XREF: IoCompleteRequestr
.idata:0040A0A8                 extrn __imp_IoCreateSymbolicLink:dword
.idata:0040A0A8                                         ; DATA XREF: IoCreateSymbolicLinkr
.idata:0040A0AC                 extrn __imp_MmLockPagableDataSection:dword
.idata:0040A0AC                                         ; DATA XREF: MmLockPagableDataSectionr
.idata:0040A0B0                 extrn __imp_IoDeleteDevice:dword
.idata:0040A0B0                                         ; DATA XREF: IoDeleteDevicer
.idata:0040A0B4                 extrn __imp_MmMapIoSpace:dword ; DATA XREF: MmMapIoSpacer
.idata:0040A0B8                 extrn __imp_MmUnmapIoSpace:dword
.idata:0040A0B8                                         ; DATA XREF: MmUnmapIoSpacer
.idata:0040A0BC                 extrn __imp_ExFreePoolWithTag:dword
.idata:0040A0BC                                         ; DATA XREF: ExFreePoolWithTagr
.idata:0040A0C0                 extrn __imp_KeSetSystemAffinityThread:dword
.idata:0040A0C0                                         ; DATA XREF: KeSetSystemAffinityThreadr
.idata:0040A0C4                 extrn __imp_KeRevertToUserAffinityThread:dword
.idata:0040A0C4                                         ; DATA XREF: KeRevertToUserAffinityThreadr
.idata:0040A0C8                 extrn __imp_IoDeleteSymbolicLink:dword
.idata:0040A0C8                                         ; DATA XREF: IoDeleteSymbolicLinkr
.idata:0040A0CC                 extrn __imp_MmUnlockPagableImageSection:dword
.idata:0040A0CC                                         ; DATA XREF: MmUnlockPagableImageSectionr
.idata:0040A0D0                 extrn __imp_MmMapLockedPagesSpecifyCache:dword
.idata:0040A0D0                                         ; DATA XREF: MmMapLockedPagesSpecifyCacher
.idata:0040A0D4                 extrn __imp_KeI386ReleaseGdtSelectors:dword
.idata:0040A0D4                                         ; DATA XREF: KeI386ReleaseGdtSelectorsr
.idata:0040A0D8                 extrn __imp_KeI386AllocateGdtSelectors:dword
.idata:0040A0D8                                         ; DATA XREF: KeI386AllocateGdtSelectorsr
.idata:0040A0DC                 extrn __imp_KeI386SetGdtSelector:dword
.idata:0040A0DC                                         ; DATA XREF: KeI386SetGdtSelectorr
.idata:0040A0E0                 extrn __imp_ExAllocatePoolWithTag:dword
.idata:0040A0E0                                         ; DATA XREF: ExAllocatePoolWithTagr
.idata:0040A0E4                 extrn KeGetCurrentThread:dword
.idata:0040A0E8                 extrn KeQueryActiveProcessors:dword
.idata:0040A0EC                 extrn DbgPrint:dword    ; DATA XREF: .text:00401072r
.idata:0040A0F0                 extrn MmGetPhysicalAddress:dword
.idata:0040A0F0                                         ; DATA XREF: .text:00401078r
.idata:0040A0F4
.idata:0040A0F8 ;
.idata:0040A0F8 ; Imports from HAL.dll
.idata:0040A0F8 ;
.idata:0040A0F8                 extrn __imp_KeGetCurrentIrql:dword
.idata:0040A0F8                                         ; DATA XREF: KeGetCurrentIrqlr
.idata:0040A0FC                 extrn HalGetInterruptVector:dword
.idata:0040A0FC                                         ; DATA XREF: .text:00401084r
.idata:0040A100
.idata:0040A100
INIT:0040A104 ; ---------------------------------------------------------------------------
INIT:0040A104
INIT:0040A104 ; Segment type: Pure code
INIT:0040A104 ; Segment permissions: Read/Write/Execute
INIT:0040A104 segment         INIT para public 'CODE' use32
INIT:0040A104                 assume cs:INIT
INIT:0040A104                 ;org 40A104h
INIT:0040A104                 assume es:nothing, ss:nothing, ds:_text, fs:nothing, gs:nothing
INIT:0040A104                 dd 6F49013Dh, 61657243h, 65446574h, 65636976h, 13A0000h
INIT:0040A118 aIocompleterequ db 'IoCompleteRequest',0
INIT:0040A12A                 dw 146h
INIT:0040A12C aIocreatesymbol db 'IoCreateSymbolicLink',0
INIT:0040A141                 align 2
INIT:0040A142                 dw 2A8h
INIT:0040A144 aMmlockpagabled db 'MmLockPagableDataSection',0
INIT:0040A15D                 align 2
INIT:0040A15E                 dw 14Eh
INIT:0040A160 aIodeletedevice db 'IoDeleteDevice',0
INIT:0040A16F                 align 10h
INIT:0040A170                 dd 6D4D02ABh, 4970614Dh, 6170536Fh, 6563h, 6D4D02C9h, 616D6E55h
INIT:0040A170                 dd 536F4970h, 65636170h, 4E0000h
INIT:0040A194 aExfreepoolwith db 'ExFreePoolWithTag',0
INIT:0040A1A6                 dw 25Ah
INIT:0040A1A8 aKesetsystemaff db 'KeSetSystemAffinityThread',0
INIT:0040A1C2                 dw 24Bh
INIT:0040A1C4 aKereverttouser db 'KeRevertToUserAffinityThread',0
INIT:0040A1E1                 align 2
INIT:0040A1E2                 dw 150h
INIT:0040A1E4 aIodeletesymbol db 'IoDeleteSymbolicLink',0
INIT:0040A1F9                 align 2
INIT:0040A1FA                 dw 2C7h
INIT:0040A1FC aMmunlockpagabl db 'MmUnlockPagableImageSection',0
INIT:0040A218                 db 0ADh ; ¡
INIT:0040A219                 db 2, 4Dh, 6Dh
INIT:0040A21C aMaplockedpages db 'MapLockedPagesSpecifyCache',0
INIT:0040A237                 align 4
INIT:0040A238                 db  0Eh
INIT:0040A239                 db 2, 4Bh, 65h
INIT:0040A23C aI386releasegdt db 'I386ReleaseGdtSelectors',0
INIT:0040A254                 db    8
INIT:0040A255                 db 2, 4Bh, 65h
INIT:0040A258 aI386allocategd db 'I386AllocateGdtSelectors',0
INIT:0040A271                 align 2
INIT:0040A272                 dw 210h
INIT:0040A274 aKei386setgdtse db 'KeI386SetGdtSelector',0
INIT:0040A289                 align 2
INIT:0040A28A aA              db 'A',0
INIT:0040A28C aExallocatepool db 'ExAllocatePoolWithTag',0
INIT:0040A2A2                 dw 204h
INIT:0040A2A4 aKegetcurrentth db 'KeGetCurrentThread',0
INIT:0040A2B7                 align 4
INIT:0040A2B8                 db  2Ch ; ,
INIT:0040A2B9                 db 2, 4Bh, 65h
INIT:0040A2BC aQueryactivepro db 'QueryActiveProcessors',0
INIT:0040A2D2 a0              db '0',0
INIT:0040A2D4 aDbgprint       db 'DbgPrint',0
INIT:0040A2DD                 align 2
INIT:0040A2DE                 dw 29Ch
INIT:0040A2E0 aMmgetphysicala db 'MmGetPhysicalAddress',0
INIT:0040A2F5                 align 2
INIT:0040A2F6 aNtoskrnl_exe   db 'ntoskrnl.exe',0
INIT:0040A303                 align 4
INIT:0040A304 a@              db '@',0
INIT:0040A306 aKegetcurrentir db 'KeGetCurrentIrql',0
INIT:0040A317                 align 4
INIT:0040A318                 db  17h
INIT:0040A319                 align 2
INIT:0040A31A aHalgetinterrup db 'HalGetInterruptVector',0
INIT:0040A330 aHal_dll        db 'HAL.dll',0
INIT:0040A338                 align 100h
INIT:0040A338 ends            INIT
INIT:0040A338
INIT:0040A338
INIT:0040A338                 end start
Post 03 Jan 2010, 19:39
ouadji



Joined: 24 Dec 2008
Posts: 1081
Location: Belgium
ouadji 03 Jan 2010, 20:09

try here

CLIC
Here too

I also tried with the Linker of WDK,
and I had the same problem with "_NtProcessStartup"
Quote:
I don't know what the linker warning is about and why it didn't merge all together

With the linker of PellesC, I think there is a command "/Merge "




Last edited by ouadji on 03 Jan 2010, 21:13; edited 1 time in total
Post 03 Jan 2010, 20:09
f0dder



Joined: 19 Feb 2004
Posts: 3175
Location: Denmark
f0dder 03 Jan 2010, 20:39
LocoDelAssembly wrote:
(and I don't know how I could avoid having to specify every lib instead of letting the linker find it out)
With normal linkers, you can't really avoid this... which is why you use an IDE or some build system instead of manually invoking your tools Smile

It's possible to automatically include libraries, though: for Visual C++, you can use
Code:
#pragma comment(lib, "myfile.lib")
- which iirc just generates a specially named & formatted COFF section. Wouldn't recommend using this in general though, it's cleaner to have a proper build setup.

_________________
Image - carpe noctem
Post 03 Jan 2010, 20:39
ouadji



Joined: 24 Dec 2008
Posts: 1081
Location: Belgium
ouadji 03 Jan 2010, 22:33

For fun ... Razz

in the function "DriverEntry", I copy the table "IAT",
and then I copy it out into an array in my section "data".
Inside the other functions of the driver, I refer to my array. It works.
This demonstrates that the problem is there.

When using the format "PE Native" and no external linker (only with FASM) ... it works!
Where is the difference in the structure of the ".sys" file ... there must be a difference!


Post 03 Jan 2010, 22:33
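The disassembly quoted earlier in this thread shows the import name strings sitting in the INIT section, which the kernel discards once DriverEntry returns; that matches the symptom described here, where imported calls work inside DriverEntry and fault from the dispatch routines. The following Python script is an added example, not code from this thread or from fasm: it reads a driver's section table and data directories and reports which section holds the import directory and the IAT, and whether that section is flagged discardable or non-paged. The two-section image it builds (`.text` and `INIT`) is constructed here to mimic the layout in the listing and carries no code; on a real `.sys` you would call `check_import_placement(open(path, 'rb').read())`.

```python
import struct

# Section characteristic bits and data-directory indices from the PE/COFF specification.
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_NOT_PAGED = 0x08000000
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_DIRECTORY_ENTRY_IAT = 12


def parse_pe(data):
    """Return (sections, data_directories) read from the headers of a PE image."""
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('not a PE image')
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from('<HHIIIHH', data, coff)
    opt = coff + 20
    magic = struct.unpack_from('<H', data, opt)[0]
    if magic == 0x10B:      # PE32 (32-bit driver, as in this thread)
        ndirs_off, dirs_off = 92, 96
    elif magic == 0x20B:    # PE32+
        ndirs_off, dirs_off = 108, 112
    else:
        raise ValueError('unknown optional header magic %#x' % magic)
    ndirs = struct.unpack_from('<I', data, opt + ndirs_off)[0]
    dirs = [struct.unpack_from('<II', data, opt + dirs_off + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, _, _, _, _, _, chars = struct.unpack_from(
            '<8sIIIIIIHHI', data, opt + opt_size + 40 * i)
        sections.append({'name': name.rstrip(b'\0').decode('ascii', 'replace'),
                         'va': va, 'size': max(vsize, rawsize), 'chars': chars})
    return sections, dirs


def section_for_rva(sections, rva):
    """Find the section whose virtual range covers rva, or None."""
    for s in sections:
        if s['va'] <= rva < s['va'] + s['size']:
            return s
    return None


def check_import_placement(data):
    """Report the section holding the import directory and the IAT, with its paging flags."""
    sections, dirs = parse_pe(data)
    report = {}
    for label, idx in (('import', IMAGE_DIRECTORY_ENTRY_IMPORT), ('iat', IMAGE_DIRECTORY_ENTRY_IAT)):
        rva, _ = dirs[idx] if idx < len(dirs) else (0, 0)
        sec = section_for_rva(sections, rva) if rva else None
        report[label] = None if sec is None else {
            'section': sec['name'],
            'discardable': bool(sec['chars'] & IMAGE_SCN_MEM_DISCARDABLE),
            'nonpaged': bool(sec['chars'] & IMAGE_SCN_MEM_NOT_PAGED),
        }
    return report


def discardable_imports(data):
    """Names of the import structures that live in a discardable section (an empty list is good)."""
    return [k for k, v in check_import_placement(data).items() if v and v['discardable']]


def build_sample_sys(imports_in_init):
    """Constructed minimal PE32 image (headers only, no code) mimicking the two layouts:
    imports placed in a discardable INIT section, or in the non-paged .text section."""
    text = (b'.text', 0x1000, 0x60000020 | IMAGE_SCN_MEM_NOT_PAGED)    # code|exec|read, non-paged
    init = (b'INIT', 0x2000, 0xE0000020 | IMAGE_SCN_MEM_DISCARDABLE)   # code|exec|read|write, discardable
    target_va = 0x2000 if imports_in_init else 0x1000
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_IAT] = (target_va, 0x10)
    dirs[IMAGE_DIRECTORY_ENTRY_IMPORT] = (target_va + 0x100, 0x28)
    opt_size = 96 + 8 * len(dirs)
    dos = bytearray(64)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 64)                                # e_lfanew
    coff = struct.pack('<HHIIIHH', 0x14C, 2, 0, 0, 0, opt_size, 0x0102)  # i386, two sections
    opt = bytearray(opt_size)
    struct.pack_into('<H', opt, 0, 0x10B)                                # PE32 magic
    struct.pack_into('<I', opt, 92, len(dirs))                           # NumberOfRvaAndSizes
    for i, (rva, size) in enumerate(dirs):
        struct.pack_into('<II', opt, 96 + 8 * i, rva, size)
    hdrs = b''.join(struct.pack('<8sIIIIIIHHI', name, 0x1000, va, 0x1000, 0, 0, 0, 0, 0, chars)
                    for name, va, chars in (text, init))
    return bytes(dos) + b'PE\0\0' + coff + bytes(opt) + hdrs


if __name__ == '__main__':
    for layout in (True, False):
        print('imports in INIT:' if layout else 'imports in .text:',
              check_import_placement(build_sample_sys(layout)))
```

A driver whose `discardable_imports` result is non-empty will show exactly the behaviour in this thread: the names and thunks resolve fine while DriverEntry runs, and the pages are freed afterwards, so nothing the driver does at run time (`notpageable` sections, `MmLockPagableCodeSection`) can bring them back; the fix is in the link step, not in the driver code.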
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 03 Jan 2010, 23:24
ouadji, but do note that I successfully linked with the MS linker and it also worked (the imports are stored where they should be).

I'm still unable to download the manual (all your links so far don't want to provide the service because either the "download slots" are all busy or the file is temporarily disabled). I'll try out the last link you added from easy-share.
Post 03 Jan 2010, 23:24
ouadji



Joined: 24 Dec 2008
Posts: 1081
Location: Belgium
ouadji 03 Jan 2010, 23:35

how did you do with the MS linker ?
What are your directives for compilation with MS Linker?
and about "_NtProcessStartup ... ?

(and with "easy-share", is it ok now?)


_________________
I am not young enough to know everything (Oscar Wilde)- Image


Last edited by ouadji on 06 Jan 2010, 18:12; edited 1 time in total
Post 03 Jan 2010, 23:35
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 03 Jan 2010, 23:42
Quote:


how did you do with the MS linker ??

>link r0pc.obj %lib%\wxp\i386\ntoskrnl.lib /DRIVER /SUBSYSTEM:NATIVE /ENTRY:DriverEntry /BASE:0x10000 /ALIGN:32 (Look here)

The last settings (BASE and ALIGN) were added because I got a BAD_DRIVER error without them (I haven't checked whether only one of them is enough). I see I forgot to add the code I compiled; it was this:
Code:
format MS COFF

include 'macro/proc32.inc'
STATUS_DEVICE_CONFIGURATION_ERROR = 00C0000182h   ; returned on purpose so the driver is unloaded again

public DriverEntry as '_DriverEntry@8'
extrn '_DbgPrint' as DbgPrint

section '.text' code readable executable notpageable

proc DriverEntry lpDriverObject, lpusRegistryPath
    call @f                            ; pushes the address of the string below as the format argument
    db "Hello World :D!", 13, 10, 0
@@: call DbgPrint                      ; DbgPrint is cdecl and variadic: the caller removes the argument
    add esp, 4

    mov eax, STATUS_DEVICE_CONFIGURATION_ERROR
    ret
endp


With easy-share, after waiting for the 500 seconds it shown a button with Arabic (?) chars not very well placed, I pressed it and all it did was to start the counting again.
Post 03 Jan 2010, 23:42
Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.