flat assembler
Message board for the users of flat assembler.

Index > Windows > device driver

Ali.Z
Joined: 08 Jan 2018
Posts: 716
Ali.Z 13 Jul 2018, 18:58
Am I doing something wrong?
User thread can't execute kernel code?
What should I do?
Code:
; .exe file (32-bit user-mode program)
format PE console 4.0
entry main

include 'win32a.inc'

section '.text' code readable executable

main:
        ; If I use these 2 lines my program crashes, otherwise it runs smoothly:
        ;call   [getcr3]                 ; getcr3 is in my .sys
        ;mov    [valueofcr3],eax         ; move CR3 value to this variable to be written to my file

        push    [OFRW]                   ; open file for read and write operations
        push    OFStructure
        push    lwmmFile                 ; file name
        call    [OpenFile]
        cmp     eax,-1                   ; OpenFile returns HFILE_ERROR (-1); compare the whole register, not just AL
        je      return
        mov     [FileHandle],eax
        push    0                        ; lpOverlapped
        push    NumOfBytesWritten
        push    4                        ; nNumberOfBytesToWrite
        push    valueofcr3
        push    [FileHandle]
        call    [WriteFile]              ; write contents of CR3 register to file, for test purposes
        push    [FileHandle]
        call    [CloseHandle]
  return:
        ret

section '.data' data readable writeable

  ; data definitions the post did not show; labels kept, values assumed
  lwmmFile          db 'cr3.bin',0      ; file name (assumed)
  OFRW              dd 2                ; OF_READWRITE
  OFStructure       rb 136              ; OFSTRUCT is 136 bytes
  FileHandle        dd ?
  NumOfBytesWritten dd ?
  valueofcr3        dd ?

section '.idata' import data readable writeable

  library kernel32,'KERNEL32.DLL',\
          native,'NATIVE.SYS'           ; user-mode import from the driver image (the approach asked about)

  import kernel32,\
         OpenFile,'OpenFile',\
         WriteFile,'WriteFile',\
         CloseHandle,'CloseHandle'

  import native,\
         getcr3,'getcr3'


Code:
format PE native 4.0
entry main

include 'win32a.inc'

section '.text' code readable executable

; driver entry point: DriverEntry(DriverObject, RegistryPath), stdcall, must return an NTSTATUS
main:
        xor     eax,eax                  ; STATUS_SUCCESS, so the load completes
        ret     8                        ; remove the two arguments

getcr3:
        mov     eax,cr3                  ; privileged instruction, legal only at CPL=0
        ret

section '.edata' export data readable

  export 'NATIVE.SYS',\
         getcr3,'getcr3'

section '.reloc' fixups data readable discardable   ; drivers are relocated when loaded

_________________
Asm For Wise Humans
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 20303
Location: In your JS exploiting you and your system
revolution 13 Jul 2018, 19:29
User code can't execute privileged instructions.

If you want to write a kernel mode driver then there are two ways to get it running:
1) Set your boot mode to allow for unsigned drivers and install it, or
2) Set up an account with MS and have your driver signed, then you can run it in normal boot mode. This option costs money, and is not something you can do quickly, it takes time.
Ali.Z 13 Jul 2018, 20:03
What if I used "PsCreateSystemThread", will it work?

Option 1: I need to disable it from the boot manager, by pressing F8 while booting?
revolution 13 Jul 2018, 20:10
The security of the system won't allow you to get a system thread from user code. You will need to have code already running in kernel mode (CPL=0), and this means a driver will be required.

I'm not sure about how to enable the unsigned driver mode, maybe F8 will have the option. But once you are in that mode you will still need to install the driver so that it runs at boot time.
Ali.Z 13 Jul 2018, 20:16
Okay, thanks. One last thing:

What do you mean by driver installation? (I never heard about this.)
revolution 13 Jul 2018, 20:32
Ali.Z wrote:
Okay, thanks. One last thing:

What do you mean by driver installation? (I never heard about this.)
You will have to tell the system to run your driver. There are registry settings somewhere (I'm not sure where they are actually) where you add your driver to the list, and then the driver is checked and installed at boot time.
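The registration step described above, as an added example that is not code from the post or from the fasm project: a 32-bit user-mode program that registers the driver as a kernel service through the advapi32 service API, starts it, reads from its device, then stops and removes it. The service name GetCr3, the path C:\drivers\getcr3.sys and the link name \\.\GetCr3 are assumptions, as is a driver that answers ReadFile with 4 bytes containing CR3. Creating the service is what writes the registry entry: HKLM\SYSTEM\CurrentControlSet\Services\GetCr3 with Type=1 (kernel driver), Start=3 (demand start) and ImagePath, which is the same thing `sc create GetCr3 type= kernel binPath= C:\drivers\getcr3.sys` does from an elevated prompt.

```asm
format PE console 4.0
entry start
include 'win32a.inc'

; winsvc.h / winerror.h values (win32a.inc does not carry the service-control equates)
SC_MANAGER_ALL_ACCESS         = 0F003Fh
SERVICE_ALL_ACCESS            = 0F01FFh
SERVICE_KERNEL_DRIVER         = 1          ; Type=1 under HKLM\SYSTEM\CurrentControlSet\Services\<name>
SERVICE_DEMAND_START          = 3          ; Start=3: loaded when started, not at boot
SERVICE_ERROR_NORMAL          = 1
SERVICE_CONTROL_STOP          = 1
ERROR_SERVICE_EXISTS          = 1073
ERROR_SERVICE_ALREADY_RUNNING = 1056
STD_OUTPUT_HANDLE             = -11

section '.text' code readable executable
start:
        ; 1. register the driver as a kernel service (this process must run elevated)
        invoke  OpenSCManager, 0, 0, SC_MANAGER_ALL_ACCESS
        test    eax,eax
        jz      done
        mov     [hSCM],eax
        invoke  CreateService, [hSCM], svcName, svcName, SERVICE_ALL_ACCESS,\
                SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL,\
                driverPath, 0, 0, 0, 0, 0
        test    eax,eax
        jnz     registered
        invoke  GetLastError
        cmp     eax,ERROR_SERVICE_EXISTS     ; left over from an earlier run: reopen it instead
        jne     close_scm
        invoke  OpenService, [hSCM], svcName, SERVICE_ALL_ACCESS
        test    eax,eax
        jz      close_scm
  registered:
        mov     [hSvc],eax
        ; 2. start it: this is the moment the driver's entry point runs at CPL=0
        invoke  StartService, [hSvc], 0, 0
        test    eax,eax
        jnz     started
        invoke  GetLastError
        cmp     eax,ERROR_SERVICE_ALREADY_RUNNING
        jne     unregister
  started:
        ; 3. open the driver's symbolic link; ReadFile arrives in the driver as IRP_MJ_READ
        invoke  CreateFile, devPath, GENERIC_READ, 0, 0, OPEN_EXISTING, 0, 0
        cmp     eax,INVALID_HANDLE_VALUE
        je      stop
        mov     [hDev],eax
        invoke  ReadFile, [hDev], cr3value, 4, bytesDone, 0
        invoke  CloseHandle, [hDev]
        cmp     [bytesDone],4
        jne     stop
        ; 4. print the value the kernel handed back
        cinvoke wsprintf, outBuf, fmt, [cr3value]     ; wsprintf is cdecl, hence cinvoke
        mov     ebx,eax                               ; length of the formatted text
        invoke  GetStdHandle, STD_OUTPUT_HANDLE
        invoke  WriteFile, eax, outBuf, ebx, bytesDone, 0
        mov     [exitCode],0
  stop:
        ; 5. stop (runs the driver's unload routine) and unregister, so the test repeats without a reboot
        invoke  ControlService, [hSvc], SERVICE_CONTROL_STOP, svcStatus
  unregister:
        invoke  DeleteService, [hSvc]
        invoke  CloseServiceHandle, [hSvc]
  close_scm:
        invoke  CloseServiceHandle, [hSCM]
  done:
        invoke  ExitProcess, [exitCode]

section '.data' data readable writeable
  svcName    db 'GetCr3',0                 ; service name (assumed); also the registry key name
  driverPath db 'C:\drivers\getcr3.sys',0  ; where the .sys was copied (assumed)
  devPath    db '\\.\GetCr3',0             ; symbolic link the driver is assumed to create
  fmt        db 'CR3 = %08X',13,10,0
  exitCode   dd 1                          ; 0 only if a value was actually read
  hSCM       dd ?
  hSvc       dd ?
  hDev       dd ?
  cr3value   dd ?
  bytesDone  dd ?
  svcStatus  rd 7                          ; SERVICE_STATUS is 7 DWORDs
  outBuf     rb 64

section '.idata' import data readable writeable
  library kernel32,'KERNEL32.DLL',\
          advapi32,'ADVAPI32.DLL',\
          user32,'USER32.DLL'
  import kernel32, CreateFile,'CreateFileA', ReadFile,'ReadFile', WriteFile,'WriteFile',\
         CloseHandle,'CloseHandle', GetStdHandle,'GetStdHandle', GetLastError,'GetLastError',\
         ExitProcess,'ExitProcess'
  import advapi32, OpenSCManager,'OpenSCManagerA', CreateService,'CreateServiceA',\
         OpenService,'OpenServiceA', StartService,'StartServiceA', ControlService,'ControlService',\
         DeleteService,'DeleteService', CloseServiceHandle,'CloseServiceHandle'
  import user32, wsprintf,'wsprintfA'
```

Assemble with `fasm loadcr3.asm loadcr3.exe` and run it from an elevated prompt; without administrator rights OpenSCManager fails and nothing is loaded. The stop step only succeeds if the driver registered an unload routine; otherwise ControlService fails and the service stays until reboot. Anyone allowed to do this can load arbitrary code into the kernel, so treat the program as a lab loader, not something to leave installed. The same 32-bit loader also works against a 64-bit driver on x64 Windows, but there the driver image must be a PE64 and, unless the machine is in test-signing mode, signed.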
Ali.Z 13 Jul 2018, 20:39
Alright, I'll dig into regedit later.
Ali.Z 20 Jul 2018, 02:16
Note: I'm on Win7 x86_64.
Okay, where Windows searches for drivers:

Code:
HKEY_LOCAL_MACHINE
   Software
      Microsoft
         Windows
            CurrentVersion    

Under CurrentVersion there is:

- Device Installer
- DriverSearching -> Plugin

Can you take a look at this?

Anyhow, I've been researching for a couple of days, and found it's not possible for an executable to DIRECTLY communicate with drivers.
There is something called a "callback" function.
But I failed to understand what callback means, and how to do something similar.
Feryno
Joined: 23 Mar 2005
Posts: 509
Location: Czech republic, Slovak republic
Feryno 20 Jul 2018, 08:18
You must install and start your driver in some way:

- manually using commands
sc ...
net start ...

- or using your own program which calls the ring3 API (Sc...)


You are trying WriteFile to your driver, so it must handle IRP_MJ_WRITE, which is missing; your driver executes only the main routine on starting it.
Your driver lacks registering its name, so you cannot even open it (OpenFile).
Your driver lacks an unload proc, so you can start it only once and then you need to reboot the OS to start it again.
Because you have x64 Win, you must compile your driver as x64 (you can't run a 32-bit driver in x64 Win, but you can use 32-bit ring3 programs to register/start/open/write etc. to your 64-bit driver).


Plenty of things, so download a sample from the fasm examples page...
http://flatassembler.net/examples.php
(the last one - on the bottom of page)
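The three things the reply above lists as missing (a registered device name, dispatch routines for the I/O requests, an unload routine), as an added example in a minimal 32-bit fasm driver. This is not code from the post or from the fasm examples page. It handles IRP_MJ_READ rather than IRP_MJ_WRITE because the data flows from kernel to user: a ReadFile of 4 bytes on \\.\GetCr3 returns CR3. The names GetCr3, \Device\GetCr3 and \DosDevices\GetCr3 are assumptions, the numeric constants are copied from the WDK headers, and the structure offsets are the x86 (32-bit) layouts of DRIVER_OBJECT, DEVICE_OBJECT, IRP and IO_STACK_LOCATION, which is why the image is only valid for a 32-bit kernel; on x64 the offsets, the calling convention and the image format (`format PE64 native`) all change, which is the point the reply makes.

```asm
format PE native 4.0
entry DriverEntry
include 'win32a.inc'

; WDK header values (win32a.inc has no kernel-mode equates)
STATUS_BUFFER_TOO_SMALL = 0C0000023h
FILE_DEVICE_UNKNOWN     = 22h
FILE_DEVICE_SECURE_OPEN = 100h
DO_BUFFERED_IO          = 4
; x86 (32-bit) field offsets; every one of these differs on x64
DRVOBJ_DriverUnload  = 34h   ; DRIVER_OBJECT.DriverUnload
DRVOBJ_MajorFunction = 38h   ; DRIVER_OBJECT.MajorFunction[], 4 bytes per IRP_MJ_* code
DEVOBJ_Flags         = 1Ch   ; DEVICE_OBJECT.Flags
IRP_SystemBuffer     = 0Ch   ; IRP.AssociatedIrp.SystemBuffer
IRP_Status           = 18h   ; IRP.IoStatus.Status
IRP_Information      = 1Ch   ; IRP.IoStatus.Information
IRP_CurrentStack     = 60h   ; IRP.Tail.Overlay.CurrentStackLocation
IOSTACK_ReadLength   = 4     ; IO_STACK_LOCATION.Parameters.Read.Length

section '.text' code readable executable

proc DriverEntry uses ebx esi, DriverObject, RegistryPath   ; runs once, at CPL=0, when the service starts
        invoke  IoCreateDevice, [DriverObject], 0, devName, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, 0, DeviceObject
        test    eax,eax
        jnz     .done                                   ; return the NTSTATUS; the load fails cleanly
        mov     ebx,[DeviceObject]
        or      dword [ebx+DEVOBJ_Flags], DO_BUFFERED_IO ; the I/O manager copies the user buffer for us
        invoke  IoCreateSymbolicLink, linkName, devName  ; lets ring 3 CreateFile("\\.\GetCr3")
        test    eax,eax
        jz      .hook
        mov     esi,eax                                 ; keep the failure status across the cleanup call
        invoke  IoDeleteDevice, [DeviceObject]
        mov     eax,esi
        jmp     .done
  .hook:
        mov     esi,[DriverObject]
        mov     dword [esi+DRVOBJ_DriverUnload], DriverUnload
        mov     dword [esi+DRVOBJ_MajorFunction+0*4], CompleteOk   ; IRP_MJ_CREATE
        mov     dword [esi+DRVOBJ_MajorFunction+2*4], CompleteOk   ; IRP_MJ_CLOSE
        mov     dword [esi+DRVOBJ_MajorFunction+3*4], ReadCr3      ; IRP_MJ_READ
        xor     eax,eax                                 ; STATUS_SUCCESS
  .done:
        ret
endp

proc CompleteOk uses ebx, DeviceObject, Irp             ; CREATE/CLOSE: nothing to set up, just complete
        mov     ebx,[Irp]
        mov     dword [ebx+IRP_Status], 0               ; STATUS_SUCCESS
        mov     dword [ebx+IRP_Information], 0
        mov     ecx,ebx                                 ; IofCompleteRequest is fastcall: ecx = Irp,
        xor     edx,edx                                 ; dl = priority boost (IO_NO_INCREMENT)
        call    [IofCompleteRequest]
        xor     eax,eax
        ret
endp

proc ReadCr3 uses ebx, DeviceObject, Irp                ; runs in the caller's thread context
        mov     ebx,[Irp]
        mov     ecx,[ebx+IRP_CurrentStack]
        cmp     dword [ecx+IOSTACK_ReadLength], 4       ; never trust the caller's length
        jb      .too_small
        mov     eax,cr3                                 ; the privileged read that faulted in ring 3
        mov     ecx,[ebx+IRP_SystemBuffer]              ; buffered I/O: kernel copy of the user buffer
        mov     [ecx],eax
        mov     dword [ebx+IRP_Status], 0               ; STATUS_SUCCESS
        mov     dword [ebx+IRP_Information], 4          ; byte count ReadFile will report
        jmp     .complete
  .too_small:
        mov     dword [ebx+IRP_Status], STATUS_BUFFER_TOO_SMALL
        mov     dword [ebx+IRP_Information], 0
  .complete:
        push    dword [ebx+IRP_Status]                  ; the dispatch routine returns the same status
        mov     ecx,ebx
        xor     edx,edx
        call    [IofCompleteRequest]
        pop     eax
        ret
endp

proc DriverUnload DriverObject                          ; without this the service can only be removed by reboot
        invoke  IoDeleteSymbolicLink, linkName
        invoke  IoDeleteDevice, [DeviceObject]
        ret
endp

section '.data' data readable writeable
  DeviceObject dd ?
  devBuf       du '\Device\GetCr3'
  devBufEnd:
  linkBuf      du '\DosDevices\GetCr3'
  linkBufEnd:
  ; UNICODE_STRING = Length, MaximumLength (both in bytes), Buffer; no terminator needed
  devName      dw devBufEnd-devBuf, devBufEnd-devBuf
               dd devBuf
  linkName     dw linkBufEnd-linkBuf, linkBufEnd-linkBuf
               dd linkBuf

section '.idata' import data readable writeable
  library ntoskrnl,'ntoskrnl.exe'
  import ntoskrnl, IoCreateDevice,'IoCreateDevice', IoCreateSymbolicLink,'IoCreateSymbolicLink',\
         IoDeleteDevice,'IoDeleteDevice', IoDeleteSymbolicLink,'IoDeleteSymbolicLink',\
         IofCompleteRequest,'IofCompleteRequest'

section '.reloc' fixups data readable discardable   ; the kernel never loads a driver at its preferred base
```

Assemble with `fasm getcr3.asm getcr3.sys`; the `.reloc` section is mandatory, since a driver without fixups cannot be relocated and will not load. Because the read dispatch runs in the requesting thread's context, the value returned is the page-directory base of the calling process, and on a PAE kernel the register holds the PDPT base. Two caveats before using this outside a lab: a device created with IoCreateDevice gets the default DACL, which lets unprivileged users open it, so anything more than a test should create it with IoCreateDeviceSecure and an SDDL that limits access to SYSTEM and Administrators; and 32-bit Windows does not enforce kernel-mode code signing, so the unsigned-driver boot option discussed earlier in the thread matters on x64, where this image would not load anyway.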
Ali.Z 20 Jul 2018, 08:57
Feryno wrote:
Because you have x64 Win, you must compile your driver as x64 (you can't run a 32-bit driver in x64 Win, but you can use 32-bit ring3 programs to register/start/open/write etc. to your 64-bit driver).

What? I really didn't know this at all!
I don't want to learn x86_64 programming, I guess I have to switch to an x86 OS.

Thanks anyway.

Copyright © 1999-2024, Tomasz Grysztar.

Website powered by rwasa.