flat assembler
Message board for the users of flat assembler.

ERROR_BAD_DRIVER? (Windows forum)

Igor1024 (Joined: 12 Dec 2010, Posts: 19)
Hi.
The matter is... I'm new to writing drivers, so I've chosen fasm for this purpose, but I've got a problem. Actually, any driver I write (even if it has only
Code:
format PE DLL native 4.0 at 0x10000
entry DriverEntry
include '%fasminc%\win32ax.inc'
include '%fasminc%\DDK\INCLUDE\DDK\ntstatus.inc'

proc DriverEntry
     mov eax,STATUS_DEVICE_CONFIGURATION_ERROR
     ret
endp
    
)
can't be started with StartService - I get ERROR_BAD_DRIVER. I've tried to find out the reason: I've got r0pc.sys (I've found it on this board), a driver that could be started successfully. I changed 1 byte in r0pc.sys and got the same error - hm, the checksum is incorrect. The same result if I manually change the checksum in the PE header...
But what's wrong with code, or with linker itself?

_________________
The God is real, unless he is declared as integer.
Post 19 May 2012, 02:18
revolution (When all else fails, read the source; Joined: 24 Aug 2004, Posts: 17714, Location: In your JS exploiting you and your system)
Where is your reloc section?
Post 19 May 2012, 02:27
Igor1024 (Joined: 12 Dec 2010, Posts: 19)
Ohh... Exactly... I've absolutely forgotten that this base address can be busy; thanks for the fast reply.
Post 19 May 2012, 04:15
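revolution's one-line question is the whole diagnosis: the first post's image is linked `at 0x10000` with no `fixups` section, so if that base is already in use the loader cannot rebase it and the service fails to start. The following check is an added example (not from the thread, not fasm project code) that reads the COFF and optional headers of a PE file and reports whether it carries a base relocation directory and whether the IMAGE_FILE_RELOCS_STRIPPED flag is set. The `build_minimal_pe32` helper constructs a headers-only sample so the check runs offline; the offsets used (e_lfanew at 0x3C, ImageBase at optional-header offset 28 for PE32 / 24 for PE32+, data directories at 96 / 112, base relocation entry index 5) are the standard PE layout, not values from the page.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001          # COFF Characteristics flag
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5          # index into the data directory table
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def check_relocations(pe: bytes) -> dict:
    """Report whether a PE image can be rebased: it needs a base relocation
    directory and must not carry IMAGE_FILE_RELOCS_STRIPPED."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    ndirs = struct.unpack_from("<I", pe, ndirs_off)[0]
    reloc_rva = reloc_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_BASERELOC:
        reloc_rva, reloc_size = struct.unpack_from(
            "<II", pe, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    has_relocs = reloc_rva != 0 and reloc_size != 0
    return {
        "image_base": image_base,
        "relocs_stripped": stripped,
        "has_reloc_directory": has_relocs,
        "relocatable": has_relocs and not stripped,
    }


def build_minimal_pe32(image_base, reloc_rva=0, reloc_size=0, characteristics=0):
    """Constructed sample: only the headers of a PE32 image (no sections),
    enough for check_relocations() to parse. Not a loadable driver."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, characteristics)
    opt = bytearray(0xE0)                       # PE32 optional header is 224 bytes
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 92, 16)         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC,
                     reloc_rva, reloc_size)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    # Like the first post: preferred base 0x10000 and no fixups at all.
    print(check_relocations(build_minimal_pe32(0x10000)))
    # Like the corrected version: a '.reloc' fixups section is present.
    print(check_relocations(build_minimal_pe32(0x10000, reloc_rva=0x2000, reloc_size=0x10)))
    if len(sys.argv) > 1:                       # or point it at a real .sys file
        with open(sys.argv[1], "rb") as f:
            print(check_relocations(f.read()))
```

Run it against the built .sys before registering the service: `relocatable` must be true for a driver linked at an arbitrary base such as 0x10000, since the kernel will almost never be able to honour that address.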
Igor1024 (Joined: 12 Dec 2010, Posts: 19)
Sorry that I continue this topic, but I've got one problem - the code is executed not at DriverEntry, but at DriverEntry+1, so it fails.
Let's take the simplest code:

Code:
format PE DLL native 4.0 at 0x10000
entry DriverEntry
include '%fasminc%\win32ax.inc'
include '%fasminc%\DDK\INCLUDE\DDK\ntstatus.inc'

section '.text' code readable executable notpageable
proc DriverEntry
     int 3;db 0xcc
     mov eax,STATUS_DEVICE_CONFIGURATION_ERROR
     ret
endp

section '.reloc' fixups data readable discardable
    


Register and run the driver in a VM with WinDbg connected and get management not at the int 3 instruction, but at 'add edi,dword ptr [eax-3FFFFE7Eh]' located at DriverEntry+1 (just disasm it at this offset).
I looked at PE header->EntryPoint - it points to DriverEntry, so I have no more ideas about this trouble.

If I put db 0xcc instead of int 3 it works perfectly, but what's wrong with int 3?
Post 26 May 2012, 11:13
mindcooler (Joined: 01 Dec 2009, Posts: 423, Location: Västerås, Sweden)
$cc is int3, it's not the same as int 3.
Post 26 May 2012, 13:55
typedef (Joined: 25 Jul 2010, Posts: 2913, Location: 0x77760000)
Also, what is the calling convention used in these drivers? I have made drivers in C but never knew if they used __stdcall or __cdecl, since I never made one using FASM.

Can you upload the DDK Assembly includes please. Thanks.
Post 26 May 2012, 14:35
revolution (When all else fails, read the source; Joined: 24 Aug 2004, Posts: 17714, Location: In your JS exploiting you and your system)
typedef: There is already lots of driver code uploaded to this board. Do a search.
Post 26 May 2012, 14:48
Igor1024 (Joined: 12 Dec 2010, Posts: 19)
mindcooler, yep, I've compared opcodes and they are different...
But what's the difference between their functionality?
Post 26 May 2012, 22:58
mindcooler (Joined: 01 Dec 2009, Posts: 423, Location: Västerås, Sweden)
int3 is the special one-byte implicit software debugging interrupt; I don't know what int imm 3 does in any operating system.
Post 27 May 2012, 12:54
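The `DriverEntry+1` symptom from the earlier post follows directly from mindcooler's point about the two encodings. `int3` is the single byte CC; `int 3` is the general `CD ib` form, two bytes. A breakpoint exception is a trap, so the pushed EIP is the address after the instruction; Windows and its kernel debugger assume the one-byte form and back EIP up by one, which lands exactly in the middle of the two-byte form. The script below is an added example (not from the thread, not fasm project code) that hand-assembles the post's DriverEntry body both ways and shows where the reported EIP lands and what a disassembler decodes there. STATUS_DEVICE_CONFIGURATION_ERROR is 0xC0000182 from ntstatus.h, which is what makes the `mov eax,imm32` operand decode as the `-3FFFFE7Eh` displacement the post saw; the `disasm_one` decoder is a toy that handles only the opcodes this example can meet.

```python
import struct

# NTSTATUS value from ntstatus.h (ntstatus.inc in the DDK includes)
STATUS_DEVICE_CONFIGURATION_ERROR = 0xC0000182

INT3 = b"\xcc"           # one-byte breakpoint: int3
INT_IMM3 = b"\xcd\x03"   # two-byte general interrupt: int 3  (CD ib, ib = 3)

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def assemble_driver_entry(breakpoint: bytes) -> bytes:
    """Hand-assembled body of the post's DriverEntry:
         <breakpoint> ; mov eax,STATUS_DEVICE_CONFIGURATION_ERROR ; ret"""
    return (breakpoint + b"\xb8"
            + struct.pack("<I", STATUS_DEVICE_CONFIGURATION_ERROR) + b"\xc3")


def disasm_one(code: bytes) -> str:
    """Toy x86-32 decoder covering only the opcodes this example can meet."""
    op = code[0]
    if op == 0xCC:
        return "int3"
    if op == 0xCD:
        return "int %d" % code[1]
    if op == 0xC3:
        return "ret"
    if op == 0xB8:
        return "mov eax,%08Xh" % struct.unpack_from("<I", code, 1)[0]
    if op == 0x03:                                  # ADD r32, r/m32 with ModRM
        modrm = code[1]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if mod == 2 and rm != 4:                    # [base + disp32], no SIB
            disp = struct.unpack_from("<i", code, 2)[0]
            sign = "-" if disp < 0 else "+"
            return "add %s,dword ptr [%s%s%Xh]" % (REGS[reg], REGS[rm], sign, abs(disp))
    raise NotImplementedError("opcode %02X not handled by this toy decoder" % op)


def where_debugger_stops(breakpoint: bytes):
    """#BP is a trap: the pushed EIP is the address after the breakpoint
    instruction.  The trap handler / debugger assumes the breakpoint was the
    one-byte CC and backs EIP up by one (modelled here as that assumption).
    Returns (offset of the reported EIP from DriverEntry, instruction there)."""
    code = assemble_driver_entry(breakpoint)
    trap_eip = len(breakpoint)          # offset from DriverEntry after the trap
    reported = trap_eip - 1             # the one-byte adjustment
    return reported, disasm_one(code[reported:])


if __name__ == "__main__":
    for name, bp in (("int3", INT3), ("int 3", INT_IMM3)):
        off, text = where_debugger_stops(bp)
        print("%-6s -> reported EIP = DriverEntry+%d : %s" % (name, off, text))
```

With `int 3` the reported EIP is DriverEntry+1, and the bytes there (`03 B8 82 01 00 C0`) decode as `add edi,dword ptr [eax-3FFFFE7Eh]`: the B8 of `mov eax,imm32` becomes the ModRM byte and the NTSTATUS constant becomes the displacement. With `int3` (or `db 0xCC`) the reported EIP is DriverEntry itself.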


Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.

Website powered by rwasa.