flat assembler
Message board for the users of flat assembler.

Index > Windows > Drivers for 98/2000

386



Joined: 11 Nov 2023
Posts: 28
Location: Ukraine (Ruthenia)
386 14 Nov 2023, 22:23
Quote:
A driver is allowed to call only ntoskrnl.exe / hal.dll - OS kernel searches these 2 kernel components, if a driver wants to call anything not present in these 2 components, then the driver is not loaded at all.

I am afraid, this information is not correct.

At least for Windows XP SP3.

Building kernel-mode driver with correct Imports
Post 14 Nov 2023, 22:23
Feryno



Joined: 23 Mar 2005
Posts: 508
Location: Czech republic, Slovak republic
Feryno 16 Nov 2023, 15:05
And did you try a kernel debugger to check whether you call ntoskrnl or bootvid.dll?
Post 16 Nov 2023, 15:05
386 16 Nov 2023, 17:00
Dear Feryno!

I definitely call bootvid.dll and not ntoskrnl.exe because I use bootvid.dll and not ntoskrnl.exe in my import :)

Feryno wrote:
I looked into these 2 binaries in XP RTM and VidDisplayString + VidResetDisplay are present in ntoskrnl.exe.

It is very good that you looked into these 2 binaries, but you should look deeper :)

VidDisplayString + VidResetDisplay are not exported, they are imported by ntoskrnl.exe from bootvid.dll.
Post 16 Nov 2023, 17:00
Feryno 17 Nov 2023, 08:02
Interesting finding! 10 years ago I wanted to make some exports in my driver but a colleague told me that it won't work and that I should implement _IRP for communicating between his and my driver... But apparently using exports is possible since at least win2000 https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/creating-export-drivers
Sorry for misleading you and congrats that you are a man who tries hard to achieve things which look impossible!
Post 17 Nov 2023, 08:02
386 17 Nov 2023, 18:37
Thank you for the kind words and for the link, Feryno!

Now I understand that scsiport.sys is not an ordinary kernel-mode driver!

I've never used it, but when I read about it before, I thought: what a strange driver...

Now I see that this driver is almost like an "ordinary" kernel-mode DLL! :)
Post 17 Nov 2023, 18:37
Feryno 18 Nov 2023, 08:20
I also remembered why I made that mistake with ntoskrnl and hal. When you need to check whether some procedure is present, you call ntoskrnl MmGetSystemRoutineAddress and it checks only ntoskrnl and hal. I use it for checking whether MmGetPhysicalMemoryRanges, MmGetVirtualForPhysical are present. If they are not present, my driver loads and reports they are missing. If I compiled my driver with these 2 procedures in imports and tried to load such a driver on a system where either of the 2 procedures is missing, the loading itself fails, which is very annoying (you wait a few dozen seconds and only then SC manager reports an error with some strange number, and you have to look up what the number means). A driver compiled with some other driver name in imports also fails to load if the other driver is not present.

Here is how to check from user mode whether some driver is loaded. It is an undocumented system call (its analogue in kernel mode exists if you need to perform such a check from a driver instead of from user mode). It is command-line based and you can redirect its console output into a text file like
a00 > drivers_list.txt
It is only for x64 versions of ms win, but you can very likely convert it to 32 bits, although I do not know whether the undocumented syscall exists in 32 bits. It may also disappear in a future version of ms win (it is still present in w10 ver. 10.0.19045.3693 but I did not check whether it is present in w11).

Code:
format PE64 console at (1 shl 32) on 'nul'

include 'macros.inc'
include 'winnt.h.inc'
include 'kmd64.inc'


section '.code' code readable executable writeable


align 10h
entry $

a=1                                     ; return address from procedure

        push    rbx rsi rdi rbp
b=4                                     ; pushed qwords

virtual at rsp
stack_frame_begin:
red_area        rq      4
input_params    rq      2               ; WriteFile needs 2 qwords in stack for input params
stack_frame_size = $ - stack_frame_begin
end virtual
d=(stack_frame_size+7)/8                ; stack frame in qwords

c=(a+b+d) and 1                         ; align stack at 10h

        sub     rsp,8*(c+d)

        lea     r9,[rsp+8*(4+0)]                ; _Out_opt_     PULONG                          ReturnLength
        mov     dword [r9],sizeof_buffer
        mov     r8d,[r9]                        ; _In_          ULONG                           SystemInformationLength
        lea     rdx,[buffer]                    ; _Inout_       PVOID                           SystemInformation
        mov     ecx,SystemModuleInformation     ; _In_          SYSTEM_INFORMATION_CLASS        SystemInformationClass
        call    [NtQuerySystemInformation]
        test    eax,eax
        jnz     exit

struct  RTL_PROCESS_MODULE_INFORMATION
struct  RTL_PROCESS_MODULES

        lea     rbx,[buffer+RTL_PROCESS_MODULES.Modules]
        lea     rdi,[rbx]
        cld
        movdqa  xmm3,dqword [Sum1]
        movdqa  xmm4,dqword [Comp1]
        movdqa  xmm2,dqword [Mask1]
        movdqa  xmm5,dqword [Num1]

align 10h
L0:     mov     rax,[rbx+RTL_PROCESS_MODULE_INFORMATION.ImageBase]
        bswap   rax
        movq    xmm0,rax
        movdqa  xmm1,xmm0
        psrlq   xmm0,4
        pand    xmm0,xmm2
        pand    xmm1,xmm2
        punpcklbw       xmm0,xmm1
        movdqa  xmm1,xmm0
        pcmpgtb xmm0,xmm4
        pand    xmm0,xmm5
        paddb   xmm1,xmm3
        paddb   xmm1,xmm0
; we must use movdqu instead of movdqa because we don't know if rdi is aligned 10h
        movdqu  dqword [rdi],xmm1
        add     rdi,16
        mov     al,'h'
        stosb
        mov     al,' '
        stosb

;       mov     eax,[rbx+RTL_PROCESS_MODULE_INFORMATION.ImageSize]
        lea     rsi,[rbx+RTL_PROCESS_MODULE_INFORMATION.FullPathName]
        mov     ecx,RTL_PROCESS_MODULE_INFORMATION_max_full_path_name
        lodsb

align 10h
L1:     stosb
        lodsb
        or      al,al
        loopnz  L1

        mov     al,0Dh
        stosb
        mov     al,0Ah
        stosb

        add     rbx,sizeof.RTL_PROCESS_MODULE_INFORMATION
        dec     dword [buffer+RTL_PROCESS_MODULES.NumberOfModules]
        jnz     L0

STD_OUTPUT_HANDLE               = -11
INVALID_HANDLE_VALUE            = -1
;       mov     rcx,STD_OUTPUT_HANDLE
        push    STD_OUTPUT_HANDLE
        pop     rcx
        call    [GetStdHandle]
        push    rax
        pop     rcx
if INVALID_HANDLE_VALUE = -1
        inc     rax
else
        cmp     rax,INVALID_HANDLE_VALUE
end if
        jz      exit

        and     qword [rsp + 8*(4+0)],0
        lea     r9,[rsp + 8*(4+1)]
        mov     r8,rdi
        lea     rdx,[buffer+RTL_PROCESS_MODULES.Modules]
        sub     r8,rdx
;       lea     rcx,[rcx]
        call    [WriteFile]

exit:   xor     ecx,ecx
        call    [ExitProcess]

; in case the above failed
        xor     eax,eax
        add     rsp,8*(c+d)
        pop     rbp rdi rsi rbx
        ret


align 10h
Sum1                    dq      3030303030303030h, 3030303030303030h
Mask1                   dq      0f0f0f0f0f0f0f0fh, 0f0f0f0f0f0f0f0fh
Comp1                   dq      0909090909090909h, 0909090909090909h
Num1                    dq      0707070707070707h, 0707070707070707h


section '.idata' import data readable writeable

                        dd      0,0,0,  RVA ntdll_name, RVA ntdll_table
                        dd      0,0,0,  RVA krnl_name,  RVA krnl_table
                        dd      0,0,0,  0,              0

ntdll_table:
NtQuerySystemInformation        dq      RVA _NtQuerySystemInformation
                        dq      0

krnl_table:
ExitProcess             dq      RVA _ExitProcess
GetStdHandle            dq      RVA _GetStdHandle
WriteFile               dq      RVA _WriteFile
                        dq      0


ntdll_name              db      'NTDLL.DLL',0
krnl_name               db      'KERNEL32.DLL',0

; ntdll.dll:
_NtQuerySystemInformation       db      0,0,'NtQuerySystemInformation',0

; kernel32.dll:
_CloseHandle            db      0,0,'CloseHandle',0
_ExitProcess            db      0,0,'ExitProcess',0
_GetStdHandle           db      0,0,'GetStdHandle',0
_WriteFile              db      0,0,'WriteFile',0


section '.data' data readable writeable
sizeof_buffer           =       16*1024*1024
buffer                  rb      sizeof_buffer    


Description: list drivers from usermode x64 version only
Filename: list_drivers_from_usermode.zip
Filesize: 12.2 KB

Post 18 Nov 2023, 08:20
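Added example, not part of Feryno's post or attachment: a bounds-checked parser for the buffer that NtQuerySystemInformation(SystemModuleInformation) fills, answering the "is this driver loaded?" question the post raises. The x64 field layout is the commonly published one for these undocumented structures (an assumption, not taken from the poster's include files); the function names and the sample buffer are constructed for illustration.

```python
import struct

# Assumed x64 layout of the undocumented structures (as commonly published,
# not taken from the poster's include files). Entry size is 296 bytes.
ENTRY = struct.Struct("<QQQIIHHHH256s")   # RTL_PROCESS_MODULE_INFORMATION
MODULES_OFFSET = 8                         # ULONG NumberOfModules + 4 pad bytes


def parse_modules(buf):
    """Return [(image_base, image_size, full_path, file_name)] with bounds checks."""
    if len(buf) < MODULES_OFFSET:
        raise ValueError("buffer shorter than the RTL_PROCESS_MODULES header")
    (count,) = struct.unpack_from("<I", buf, 0)
    if MODULES_OFFSET + count * ENTRY.size > len(buf):
        raise ValueError("NumberOfModules exceeds the bytes returned")
    out = []
    for i in range(count):
        f = ENTRY.unpack_from(buf, MODULES_OFFSET + i * ENTRY.size)
        base, size, name_off, raw = f[2], f[3], f[8], f[9]
        path = raw.split(b"\0", 1)[0]      # FullPathName ends at the first NUL
        if name_off > len(path):           # bad OffsetToFileName: use whole path
            name_off = 0
        out.append((base, size, path.decode("ascii", "replace"),
                    path[name_off:].decode("ascii", "replace")))
    return out


def is_loaded(buf, driver):
    """Case-insensitive match on the file-name part, e.g. 'bootvid.dll'."""
    return any(m[3].lower() == driver.lower() for m in parse_modules(buf))


def make_sample():
    """Constructed buffer standing in for NtQuerySystemInformation output."""
    def entry(base, size, path):
        off = path.rfind(b"\\") + 1        # OffsetToFileName
        return ENTRY.pack(0, 0, base, size, 0, 0, 0, 1, off, path)
    mods = [entry(0xFFFFF80012340000, 0x1046000,
                  b"\\SystemRoot\\system32\\ntoskrnl.exe"),
            entry(0xFFFFF80011220000, 0xB000,
                  b"\\SystemRoot\\system32\\BOOTVID.dll")]
    return struct.pack("<I4x", len(mods)) + b"".join(mods)


if __name__ == "__main__":
    for base, size, path, name in parse_modules(make_sample()):
        print(f"{base:016X}h {path}")
```

Unlike the assembly listing, which trusts NumberOfModules, the parser rejects a count that does not fit in the bytes actually returned.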
386 18 Nov 2023, 15:15
Wow! Very nice tool, Feryno! Thank you!

I think it would be very useful for me!

Let's fight MS for our freedom! :)
Post 18 Nov 2023, 15:15
386 18 Nov 2023, 15:34
Feryno wrote:
I do not know whether the undocumented syscall exists in 32 bits.

Well, 32-bit Windows XP SP3 does have the NtQuerySystemInformation function in its ntdll.dll.

Let's use Native API and make the Word better! :)
Post 18 Nov 2023, 15:34
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.