flat assembler
Message board for the users of flat assembler.

Index > Windows > ERROR_BAD_DRIVER?

Igor1024 19 May 2012, 02:18
Hi.
The matter is... I'm new at writing drivers, so I've chosen fasm for this purpose, but I've got a problem. Actually, any driver I write (even if it has only
Code:
format PE DLL native 4.0 at 0x10000
entry DriverEntry
include '%fasminc%\win32ax.inc'
include '%fasminc%\DDK\INCLUDE\DDK\ntstatus.inc'

proc DriverEntry
     mov eax,STATUS_DEVICE_CONFIGURATION_ERROR
     ret
endp
    
)
can't be started with StartService - I get ERROR_BAD_DRIVER. I've tried to find out the reason: I've got the r0pc.sys driver (I've found it on this board) that could be started successfully. I changed 1 byte in r0pc.sys and got the same error - hm, the checksum is incorrect. The same result if I manually change the checksum in the PE header...
But what's wrong with the code, or with the linker itself?

_________________
The God is real, unless he is declared as integer.
revolution 19 May 2012, 02:27
Where is your reloc section?
Igor1024 19 May 2012, 04:15
Ohh... Exactly... I've completely forgotten that this base address can be busy, thanks for the fast reply.
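The two load failures this part of the thread turns up (no relocation section, so the loader cannot move the image off `0x10000`; and a stale PE checksum after a byte is patched) can both be caught on the build machine before StartService is ever called. The following checker is an added example and is not code from the thread or from fasm: it parses only the PE fields it needs, recomputes the checksum with the imagehlp MapFileAndCheckSum algorithm, and flags a missing base-relocation directory or a non-native subsystem. Because no real .sys is available offline, `build_native_image` constructs a stand-in for what `format PE DLL native 4.0 at 0x10000` produces, with and without a `.reloc` section; it is a synthetic image, not fasm output, and the section layout and alignments are assumptions.

```python
"""Pre-flight checks for a freshly built .sys before StartService (added
example, not code from the thread). Parses only the PE fields it needs."""
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_SUBSYSTEM_NATIVE = 1
BASERELOC_DIR = 5          # index of the base relocation data directory


def optional_header(data):
    """Return (offset of IMAGE_OPTIONAL_HEADER, is_pe32, COFF Characteristics)."""
    pe_off = struct.unpack_from('<I', data, 0x3C)[0]
    if data[:2] != b'MZ' or data[pe_off:pe_off + 4] != b'PE\0\0':
        raise ValueError('not a PE image')
    chars = struct.unpack_from('<H', data, pe_off + 22)[0]
    opt = pe_off + 24
    return opt, struct.unpack_from('<H', data, opt)[0] == 0x10B, chars


def pe_checksum(data):
    """The imagehlp MapFileAndCheckSum algorithm: ones'-complement sum of the
    file as 32-bit words (CheckSum field excluded), folded to 16 bits, plus the
    file length."""
    checksum_off = optional_header(data)[0] + 64
    padded = data + b'\0' * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_off:
            continue
        total += struct.unpack_from('<I', padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def driver_image_problems(data):
    """Reasons the image would be rejected at load: the two the thread hit
    (no relocations, stale checksum) plus a non-native subsystem."""
    opt, is_pe32, chars = optional_header(data)
    problems = []
    if struct.unpack_from('<I', data, opt + 64)[0] != pe_checksum(data):
        problems.append('checksum mismatch')
    if struct.unpack_from('<H', data, opt + 68)[0] != IMAGE_SUBSYSTEM_NATIVE:
        problems.append('subsystem is not native')
    ndirs = struct.unpack_from('<I', data, opt + (92 if is_pe32 else 108))[0]
    dirs = opt + (96 if is_pe32 else 112)
    reloc_size = 0
    if ndirs > BASERELOC_DIR:
        reloc_size = struct.unpack_from('<II', data, dirs + 8 * BASERELOC_DIR)[1]
    if chars & IMAGE_FILE_RELOCS_STRIPPED or reloc_size == 0:
        problems.append('no base relocations: image cannot be rebased')
    return problems


# The posted DriverEntry as fasm encodes it:
#   mov eax,STATUS_DEVICE_CONFIGURATION_ERROR ; ret
DRIVER_ENTRY = bytes.fromhex('B8 82 01 00 C0 C3')


def build_native_image(with_relocs, code=DRIVER_ENTRY):
    """Constructed stand-in for `format PE DLL native 4.0 at 0x10000` output
    (assumed layout, not real fasm output): a PE32 image with a .text section
    and, optionally, a .reloc section holding one empty relocation block."""
    file_align, sect_align, base = 0x200, 0x1000, 0x10000
    text = code.ljust(file_align, b'\0')
    reloc = struct.pack('<II', 0x1000, 8).ljust(file_align, b'\0')
    sections = [(b'.text', 0x1000, text, 0x60000020)]            # code, exec, read
    if with_relocs:
        sections.append((b'.reloc', 0x2000, reloc, 0x42000040))  # data, discardable, read
    nsect = len(sections)
    dos = b'MZ' + b'\0' * 58 + struct.pack('<I', 0x40)            # e_lfanew = 0x40
    coff = struct.pack('<HHIIIHH', 0x14C, nsect, 0, 0, 0, 224, 0x2102)  # i386, DLL, exe
    opt = struct.pack('<HBB' + 'I' * 9 + 'H' * 6 + 'I' * 4 + 'HH' + 'I' * 6,
                      0x10B, 0, 0, len(text), len(reloc) if with_relocs else 0, 0,
                      0x1000, 0x1000, 0x2000, base, sect_align, file_align,
                      4, 0, 0, 0, 4, 0,                            # OS/image/subsystem 4.0
                      0, sect_align * (1 + nsect), file_align,     # SizeOfImage, SizeOfHeaders
                      0, IMAGE_SUBSYSTEM_NATIVE, 0,                # CheckSum (patched below)
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    if with_relocs:
        dirs[BASERELOC_DIR] = (0x2000, 8)
    hdrs = dos + b'PE\0\0' + coff + opt + b''.join(struct.pack('<II', *d) for d in dirs)
    raw, body = file_align, b''
    for name, rva, content, flags in sections:
        hdrs += struct.pack('<8sIIIIIIHHI', name, len(content), rva, len(content),
                            raw, 0, 0, 0, 0, flags)
        raw += len(content)
        body += content
    image = bytearray(hdrs.ljust(file_align, b'\0') + body)
    struct.pack_into('<I', image, 0x40 + 24 + 64, pe_checksum(bytes(image)))
    return bytes(image)
```

Run `driver_image_problems(open('driver.sys', 'rb').read())` on the real build output; an empty list means the image is relocatable, native and has a checksum that matches its bytes. Patching a single byte of the image, as in the r0pc.sys experiment above, makes the function report `checksum mismatch` until the header checksum is recomputed.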
Igor1024 26 May 2012, 11:13
Sorry that I continue this topic, but I've got one problem - the code is executed not at DriverEntry, but at DriverEntry+1, so it fails.
Let's take the simplest code:

Code:
format PE DLL native 4.0 at 0x10000
entry DriverEntry
include '%fasminc%\win32ax.inc'
include '%fasminc%\DDK\INCLUDE\DDK\ntstatus.inc'

section '.text' code readable executable notpageable
proc DriverEntry
     int 3;db 0xcc
     mov eax,STATUS_DEVICE_CONFIGURATION_ERROR
     ret
endp

section '.reloc' fixups data readable discardable
    


Register and run the driver in a VM with WinDbg connected, and control lands not at the int 3 instruction, but at 'add edi,dword ptr [eax-3FFFFE7Eh]' located at DriverEntry+1 (just disassemble at this offset).
I looked at PE header->EntryPoint - it points to DriverEntry, so I have no more ideas about this problem.

If I put db 0xcc instead of int 3 it works perfectly, but what's wrong with int 3?
mindcooler 26 May 2012, 13:55
$cc is int3, it's not the same as int 3.
typedef 26 May 2012, 14:35
Also, what calling convention is used in these drivers? I have made drivers in C but never knew whether they used __stdcall or __cdecl, since I never made one using FASM.

Can you upload the DDK Assembly includes please. Thanks.
revolution 26 May 2012, 14:48
typedef: There is already lots of driver code uploaded to this board. Do a search.
Igor1024 26 May 2012, 22:58
mindcooler, yep, I've compared the opcodes and they are different...
But what's the difference in their functionality?
mindcooler 27 May 2012, 12:54
int3 is the special one-byte implicit software debugging interrupt; I don't know what int imm 3 does in any operating system.
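mindcooler's point, worked through as an added example (this is not code from the thread or from fasm): fasm assembles `int 3` to the generic two-byte form CD 03, while `int3` and `db 0xcc` give the dedicated one-byte opcode CC. Both raise vector 3, which is a trap, so the return address pushed on the stack is the byte after the instruction; the Windows breakpoint handler then backs EIP up by one byte on the assumption that the instruction was the one-byte CC form, and that adjusted address is what WinDbg shows. With CD 03 it lands on the 03 byte, one byte into the instruction, and decoding from there yields exactly the `add edi,dword ptr [eax-3FFFFE7Eh]` seen in the post (03 B8 followed by the NTSTATUS immediate as a disp32). The tiny decoder below handles only the encodings present in the posted DriverEntry; the x86 encoding rules and the EIP-1 adjustment are the stated assumptions.

```python
"""Why the debugger stopped at DriverEntry+1 (added example, not code from
the thread): `int 3` assembles to CD 03, `int3` and `db 0xcc` to CC."""

STATUS_DEVICE_CONFIGURATION_ERROR = 0xC0000182
REG32 = ['eax', 'ecx', 'edx', 'ebx', 'esp', 'ebp', 'esi', 'edi']

INT_3 = b'\xCD\x03'   # fasm: int 3   (generic INT with an immediate vector)
INT3 = b'\xCC'        # fasm: int3    (dedicated one-byte breakpoint opcode)


def assemble_entry(breakpoint):
    """Bytes of the posted DriverEntry with the given first instruction:
    <breakpoint> ; mov eax,STATUS_DEVICE_CONFIGURATION_ERROR ; ret"""
    mov_eax = b'\xB8' + STATUS_DEVICE_CONFIGURATION_ERROR.to_bytes(4, 'little')
    return breakpoint + mov_eax + b'\xC3'


def decode_one(code, off):
    """Decode one instruction at offset off. Only the handful of x86-32
    encodings present in this code are implemented; returns (text, length)."""
    op = code[off]
    if op == 0xCC:
        return 'int3', 1
    if op == 0xCD:
        return f'int {code[off + 1]}', 2
    if op == 0xC3:
        return 'ret', 1
    if 0xB8 <= op <= 0xBF:                                   # mov r32, imm32
        imm = int.from_bytes(code[off + 1:off + 5], 'little')
        return f'mov {REG32[op - 0xB8]},{imm:X}h', 5
    if op == 0x03:                                           # add r32, r/m32
        modrm = code[off + 1]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if mod == 2 and rm != 4:                             # [reg + disp32], no SIB
            disp = int.from_bytes(code[off + 2:off + 6], 'little', signed=True)
            sign = '-' if disp < 0 else '+'
            return f'add {REG32[reg]},dword ptr [{REG32[rm]}{sign}{abs(disp):X}h]', 6
    raise NotImplementedError(f'opcode {op:02X} at offset {off}')


def disassemble(code, start=0):
    """Linear sweep from start; returns [(offset, text), ...]."""
    out, off = [], start
    while off < len(code):
        text, size = decode_one(code, off)
        out.append((off, text))
        off += size
    return out


def reported_break(breakpoint):
    """#BP is a trap: the pushed return address is the byte after the
    instruction. The kernel's breakpoint handler backs EIP up by one byte
    (assumed here: it expects the one-byte CC form), and that is the address
    the debugger shows. Returns (offset from DriverEntry, instruction there)."""
    code = assemble_entry(breakpoint)
    eip = len(breakpoint) - 1
    return eip, decode_one(code, eip)[0]
```

`reported_break(INT3)` gives offset 0 and `int3`, so resuming continues with the `mov`; `reported_break(INT_3)` gives offset 1 and the bogus `add edi,dword ptr [eax-3FFFFE7Eh]`, after which the stream resynchronises on `ret` with eax never loaded, which is why the driver fails after the break. Use `int3` for kernel breakpoints.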
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.