flat assembler - MS COFF

Index > Windows > MS COFF - Driver

Goto page Previous 1, 2

Author

Thread

ouadji

Joined: 24 Dec 2008
Posts: 1081
Location: Belgium

ouadji 04 Jan 2010, 00:06

and the table "IAT" is available outside the function DriverEntry ? Shocked

and about "_NtProcessStartup" ... how did you solve this problem ?
and about "multiple '.text' sections" ... ?
how did you do to eliminate these errors Question

PS : I sent you a "mp".

_________________
I am not young enough to know everything (Oscar Wilde)-

04 Jan 2010, 00:06

ouadji

Joined: 24 Dec 2008
Posts: 1081
Location: Belgium

ouadji 04 Jan 2010, 01:00

Yeah ! it works now ! i'm happy !

and with the Linker of PellesC

but there is some difference

a) /ENTRY
b) /BASE
c) /ALIGN

d) and particularly this :

Code:

public DriverEntry as '_DriverEntry@8'

and not :

DriverEntry equ _DriverEntry@8
Public DriverEntry

I wonder if the solution doesn't come from there !!

Here is the beginnig of my driver and my file "Make"

Code:

format MS COFF

;NTOSKRNL.EXE
;============

;extrn '_Disasm@4' as Disasm:dword
extrn '_DbgPrint' as DbgPrint:dword
extrn '_IoCreateDevice@28' as IoCreateDevice:dword
extrn '_IoCreateSymbolicLink@8' as IoCreateSymbolicLink:dword
extrn '_MmLockPagableDataSection@4' as MmLockPagableDataSection:dword
extrn '_IoDeleteDevice@4' as IoDeleteDevice:dword
extrn '_IoCompleteRequest@8' as IoCompleteRequest:dword
extrn '_MmMapIoSpace@16' as MmMapIoSpace:dword
extrn '_MmUnmapIoSpace@8'as MmUnmapIoSpace:dword
extrn '_ExFreePoolWithTag@8' as ExFreePoolWithTag:dword
extrn '_KeSetSystemAffinityThread@4' as KeSetSystemAffinityThread:dword
extrn '_KeRevertToUserAffinityThread@0' as KeRevertToUserAffinityThread:dword
extrn '_IoDeleteSymbolicLink@4' as IoDeleteSymbolicLink:dword
extrn '_MmUnlockPagableImageSection@4' as MmUnlockPagableImageSection:dword
extrn '_MmMapLockedPagesSpecifyCache@24' as MmMapLockedPagesSpecifyCache:dword
extrn '_KeI386ReleaseGdtSelectors@8' as KeI386ReleaseGdtSelectors:dword
extrn '_KeI386AllocateGdtSelectors@8' as KeI386AllocateGdtSelectors:dword
extrn '_KeI386SetGdtSelector@8' as KeI386SetGdtSelector:dword
extrn '_ExAllocatePoolWithTag@12' as ExAllocatePoolWithTag:dword
extrn '_KeGetCurrentThread@0' as KeGetCurrentThread:dword
extrn '_KeQueryActiveProcessors@0' as KeQueryActiveProcessors:dword
extrn '_MmGetPhysicalAddress@4' as MmGetPhysicalAddress:dword

;HAL.DLL
;=======

extrn '_KeGetCurrentIrql@0' as KeGetCurrentIrql:dword
extrn '_HalGetInterruptVector@24' as HalGetInterruptVector:dword

include   'c:\TEST\perso_driver.inc'

public DriverEntry as '_DriverEntry@8'

;==============================================================================
section 'main' code readable writeable executable notpageable ;
;============ +++++ ===========================================================
DebutMonCode:
;============ +++++ ===========================================================

proc   DriverEntry             pDriverObject, usRegistryPath           ;

Code:

@echo off

set PATH=c:\PellesC\bin;

set LIB=C:\WinDDK\6001.18002\lib\wxp\i386;
set name=complet_driver

echo ____________________________________
echo *
echo *  COMPILATION WITH FASM.EXE (FASM 1.69.11)
echo *
echo ____________________________________

c:\fasm\fasm %name%.asm

echo ____________________________________
echo *
echo *   LINK WITH POLINK (PellesC)
echo *
echo ____________________________________

C:\PellesC\bin\PoLink /DRIVER /SUBSYSTEM:NATIVE /ENTRY:_DriverEntry@8 
/BASE:0x10000 /ALIGN:32 %name%.obj ntoskrnl.lib hal.lib /OUT:toto.sys

rem if exist %name%.obj del %name%.obj
pause

PS : difference with the Linker of MS
PellesC -> /ENTRY:_DriverEntry@8
MS -> /Entry:DriverEntry
(if I saw correctly in your example)

Thank you LocoDelAssembly, you really helped me !

_________________
I am not young enough to know everything (Oscar Wilde)-

04 Jan 2010, 01:00

ouadji

Joined: 24 Dec 2008
Posts: 1081
Location: Belgium

ouadji 04 Jan 2010, 09:13

after a good night's sleep, i tried a little more Wink

Code:

public DriverEntry as '_DriverEntry@8'
section 'main' code readable writeable executable notpageable
proc DriverEntry pDriverObject, usRegistryPath

OR

DriverEntry equ _DriverEntry@8
section 'main' code readable writeable executable notpageable
public DriverEntry
proc DriverEntry pDriverObject, usRegistryPath

above, all is ok, it works in both cases ! (The problem is not there)

BUT

in the file "make", if I delete this

Code:

/BASE:0x10000 /ALIGN:32

while there, it does not work !!!
in this case, IAT is gone outside "DriverEntry"

_________________
I am not young enough to know everything (Oscar Wilde)-

04 Jan 2010, 09:13

f0dder

Joined: 19 Feb 2004
Posts: 3175
Location: Denmark

f0dder 04 Jan 2010, 09:58

Does /driver imply /fixed:no ?

04 Jan 2010, 09:58

ouadji

Joined: 24 Dec 2008
Posts: 1081
Location: Belgium

ouadji 04 Jan 2010, 10:52

With the Linker of PellesC, "/FIXED:NO" is the default when linking a dynamic library (.dll)
but with "/DRIVER", i don't know. (but I think yes)

_________________
I am not young enough to know everything (Oscar Wilde)-

04 Jan 2010, 10:52

ouadji

Joined: 24 Dec 2008
Posts: 1081
Location: Belgium

ouadji 04 Jan 2010, 11:32

Code:

/BASE:0x10000 /ALIGN: ----

With :

/ALIGN:8, 16, 32 .... 0x100, 0x200, 0x400

it's ok, it works ! no problem with the IAT.

but,

/ALIGN:0x800
and
/ALIGN:0x1000 (i would like align on a page)

this doesn't work any more !
(IAT is gone outside the function "DriverEntry")
it's incredible ! no ? Shocked

_________________
I am not young enough to know everything (Oscar Wilde)-

04 Jan 2010, 11:32

ouadji

Joined: 24 Dec 2008
Posts: 1081
Location: Belgium

ouadji 04 Jan 2010, 16:49

after many trials Wink

Code:

/Align:4096

works with the Linker of MS (Linker of WDK Build 18002)

but,

don't works with the Linker of PellesC

i think there is a small bug in the Linker of PellesC.

_________________
I am not young enough to know everything (Oscar Wilde)-

04 Jan 2010, 16:49

LocoDelAssembly
Your code has a bug

Joined: 06 May 2005
Posts: 4624
Location: Argentina

LocoDelAssembly 04 Jan 2010, 18:41

So, finally works? Razz

Upload your working SYS if you want so I can check the IAT is in a non discardable section and it is not just working by coincidence.

04 Jan 2010, 18:41

ouadji

Joined: 24 Dec 2008
Posts: 1081
Location: Belgium

ouadji 04 Jan 2010, 18:58

Yes, it works fine now Very Happy

... but you have a share in it ! thanks !

_________________
I am not young enough to know everything (Oscar Wilde)-

Last edited by ouadji on 21 Sep 2010, 20:28; edited 1 time in total

04 Jan 2010, 18:58

LocoDelAssembly
Your code has a bug

Joined: 06 May 2005
Posts: 4624
Location: Argentina

LocoDelAssembly 04 Jan 2010, 19:10

Yes, it did its job correctly this time:

Code:

.idata:00017000 ; Section 4. (virtual address 00007000)
.idata:00017000 ; Virtual size                  : 0000005C (     92.)
.idata:00017000 ; Section size in file          : 00000200 (    512.)
.idata:00017000 ; Offset to raw data for section: 00005200
.idata:00017000 ; Flags 48000040: Data Not pageable Readable
.idata:00017000 ; Alignment     : default
.idata:00017000 ;
.idata:00017000 ; Imports from HAL.dll
.idata:00017000 ;
.idata:00017000 ; ---------------------------------------------------------------------------
.idata:00017000
.idata:00017000 ; Segment type: Externs
.idata:00017000 ; _idata
.idata:00017000                 extrn __imp_KeGetCurrentIrql:dword
.idata:00017000                                         ; DATA XREF: KeGetCurrentIrqlr
.idata:00017004                 extrn HalGetInterruptVector:dword
.idata:00017004                                         ; DATA XREF: .text:00016078r
.idata:00017008
.idata:0001700C ;
.idata:0001700C ; Imports from ntoskrnl.exe
.idata:0001700C ;
.idata:0001700C                 extrn __imp_MmLockPagableDataSection:dword
.idata:0001700C                                         ; DATA XREF: MmLockPagableDataSectionr
.idata:00017010                 extrn __imp_IoDeleteDevice:dword
.idata:00017010                                         ; DATA XREF: IoDeleteDevicer
.idata:00017014                 extrn __imp_IoCompleteRequest:dword
.idata:00017014                                         ; DATA XREF: IoCompleteRequestr
.idata:00017018                 extrn __imp_MmMapIoSpace:dword ; DATA XREF: MmMapIoSpacer
.idata:0001701C                 extrn __imp_MmUnmapIoSpace:dword
.idata:0001701C                                         ; DATA XREF: MmUnmapIoSpacer
.idata:00017020                 extrn __imp_ExFreePoolWithTag:dword
.idata:00017020                                         ; DATA XREF: ExFreePoolWithTagr
.idata:00017024                 extrn __imp_KeSetSystemAffinityThread:dword
.idata:00017024                                         ; DATA XREF: KeSetSystemAffinityThreadr
.idata:00017028                 extrn __imp_KeRevertToUserAffinityThread:dword
.idata:00017028                                         ; DATA XREF: KeRevertToUserAffinityThreadr
.idata:0001702C                 extrn __imp_IoDeleteSymbolicLink:dword
.idata:0001702C                                         ; DATA XREF: IoDeleteSymbolicLinkr
.idata:00017030                 extrn __imp_IoCreateSymbolicLink:dword
.idata:00017030                                         ; DATA XREF: IoCreateSymbolicLinkr
.idata:00017034                 extrn __imp_MmMapLockedPagesSpecifyCache:dword
.idata:00017034                                         ; DATA XREF: MmMapLockedPagesSpecifyCacher
.idata:00017038                 extrn __imp_KeI386ReleaseGdtSelectors:dword
.idata:00017038                                         ; DATA XREF: KeI386ReleaseGdtSelectorsr
.idata:0001703C                 extrn __imp_KeI386AllocateGdtSelectors:dword
.idata:0001703C                                         ; DATA XREF: KeI386AllocateGdtSelectorsr
.idata:00017040                 extrn __imp_KeI386SetGdtSelector:dword
.idata:00017040                                         ; DATA XREF: KeI386SetGdtSelectorr
.idata:00017044                 extrn __imp_ExAllocatePoolWithTag:dword
.idata:00017044                                         ; DATA XREF: ExAllocatePoolWithTagr
.idata:00017048                 extrn KeGetCurrentThread:dword ; DATA XREF: .text:00016066r
.idata:0001704C                 extrn KeQueryActiveProcessors:dword
.idata:0001704C                                         ; DATA XREF: .text:0001606Cr
.idata:00017050                 extrn __imp_IoCreateDevice:dword
.idata:00017050                                         ; DATA XREF: IoCreateDevicer
.idata:00017054                 extrn __imp_MmUnlockPagableImageSection:dword
.idata:00017054                                         ; DATA XREF: MmUnlockPagableImageSectionr
.idata:00017058
.idata:00017058

And as you can see, it stored the IAT only, the strings of the libraries and APIs are stored in the INIT section which is really good as are not needed once the run-time dynamic linking is done.

Remember to forward all of this to Beatrix as the MASM example binary driver has the IAT in the INIT section.

04 Jan 2010, 19:10

ouadji

Joined: 24 Dec 2008
Posts: 1081
Location: Belgium

ouadji 04 Jan 2010, 19:16

Code:

Flags 48000040: Data Not pageable Readable

Yeah !

Quote:

Remember to forward all of this to Beatrix as the MASM example binary driver has the IAT in the INIT section.

yes, but I don't know exactly what has given the solution ! Rolling Eyes

/ENTRY ? .. /BASE ? .. "public DriverEntry as '_DriverEntry@8'" ? ...
what do you think about it ?

_________________
I am not young enough to know everything (Oscar Wilde)-

04 Jan 2010, 19:16

LocoDelAssembly
Your code has a bug

Joined: 06 May 2005
Posts: 4624
Location: Argentina

LocoDelAssembly 04 Jan 2010, 19:52

I think DriverEntry equ _DriverEntry@8 is also ok, perhaps it was /BASE.

Since the .bat contains this:

Code:

\PellesC\bin\PoLink /SUBSYSTEM:NATIVE /DRIVER  %drv%.obj  BeaEngine.lib ntoskrnl.lib /OUT:%drv%.sys

rem \masm32\bin\link /nologo /driver /base:0x10000 /align:32 /out:%drv%.sys /subsystem:native %drv%.obj

I would use as much options from MS link on PoLink as possible to be completely sure it will work.

04 Jan 2010, 19:52

ouadji

Joined: 24 Dec 2008
Posts: 1081
Location: Belgium

ouadji 04 Jan 2010, 20:06

For the future, I will use the MS linker.
Same source program, same makefile ... only difference "/ALIGN",
with /ALIGN 0x1000, it works with the MS linker and doesn't work with linker of PellesC.
I think in this case, the linker of "PellesC" has a problem.
With the Linker of PellesC, if i use "/ALIGN:8, 16 or 0x100 it's ok !
But with /ALIGN:0x1000 (or 0x800), I checked several times, IAT is gone !
With the MS Linker, there is no problem ! strange, no !

-----------------------------------------------------------------------------------------------------

Set the base address and the alignment is not absolutely essential for a driver.
The default alignment is 4Ko, the default location for an ".exe" file is 0x400000,
for a "dll" is 0x10000000 ... (MSDN)
These parameters are used if you wish to change the default values.

A) MS Linker (linker of WDK build 18002)

Code:

c:\WinDDK\6001.18002\bin\x86\x86\link
/DRIVER /SUBSYSTEM:NATIVE,4.00 /ENTRY:DriverEntry
toto.obj BeaEngine.lib ntoskrnl.lib hal.lib /OUT:toto.sys

it works fine, no proglem with IAT.

B) PoLink (linker of PellesC)

Code:

C:\PellesC\bin\PoLink
/DRIVER /SUBSYSTEM:NATIVE,4.00 /ENTRY:_DriverEntry@8
toto.obj BeaEngine.lib ntoskrnl.lib hal.lib /OUT:toto.sys

it doesn't work, IAT is unavailable outside "DriverEntry".

After such results, sorry, but there, "Polink" has a problem.

_________________
I am not young enough to know everything (Oscar Wilde)-

04 Jan 2010, 20:06

Goto page Previous 1, 2

< Last Thread | Next Thread >

Forum Rules:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum