flat assembler
Message board for the users of flat assembler.
Windows > Drivers for 98/2000

386 14 Nov 2023, 22:23
Quote: A driver is allowed to call only ntoskrnl.exe / hal.dll. The OS kernel searches these 2 kernel components; if a driver wants to call anything not present in these 2 components, then the driver is not loaded at all. At least for Windows XP SP3.
(Building kernel-mode driver with correct Imports)
Feryno 16 Nov 2023, 15:05
And did you try a kernel debugger to check whether you call ntoskrnl or bootvid.dll?
386 16 Nov 2023, 17:00
Dear Feryno!
I definitely call bootvid.dll and not ntoskrnl.exe because I use bootvid.dll and not ntoskrnl.exe in my imports.

Feryno wrote: I looked into these 2 binaries in XP RTM and VidDisplayString + VidResetDisplay are present in ntoskrnl.exe.

VidDisplayString + VidResetDisplay are not exported, they are imported by ntoskrnl.exe from bootvid.dll.
Feryno 17 Nov 2023, 08:02
Interesting finding! 10 years ago I wanted to make some exports in my driver but a colleague told me that it won't work and that I should implement _IRP for communicating between his and my driver... But apparently using exports is possible since at least win2000: https://learn.microsoft.com/en-us/windows-hardware/drivers/kernel/creating-export-drivers
Sorry for misleading you and congrats that you are a man who tries hard to achieve things which look impossible!
Feryno 18 Nov 2023, 08:20
I also remembered why I made that mistake with ntoskrnl and hal. When you need to check whether some procedure is present, you call ntoskrnl MmGetSystemRoutineAddress and it checks only ntoskrnl and hal. I use it for checking whether MmGetPhysicalMemoryRanges and MmGetVirtualForPhysical are present. If they are not present, my driver loads and reports they are missing. If I compiled my driver with these 2 procedures in imports and such a driver is tried to load on a system where any of the 2 procs is missing, the loading itself fails, which is very annoying (you wait a few dozen seconds and only then SC manager reports an error with some strange number which you have to look up to find out what the number means). A driver compiled with some other driver name in imports also fails to load if the other driver is not present.

Here is a how-to for checking from usermode whether some driver is loaded; it is an undocumented system call (its analogy in kernel mode exists if you need to perform such a check from a driver instead of from usermode). It is command line based and you can redirect its console output into a text file like:

a00 > drivers_list.txt

It is only for x64 versions of MS Windows, but you can very likely convert it into 32 bits, although I do not know whether the undocumented syscall exists in 32 bits. It may also disappear in a future version of MS Windows (it is still present in w10 ver. 10.0.19045.3693 but I did not check whether it is present in w11).

Code:
format PE64 console at (1 shl 32) on 'nul'
include 'macros.inc'
include 'winnt.h.inc'
include 'kmd64.inc'

section '.code' code readable executable writeable

align 10h
entry $
a=1                     ; return address from procedure
push rbx rsi rdi rbp
b=4                     ; pushed qwords
virtual at rsp
stack_frame_begin:
red_area rq 4
input_params rq 2       ; WriteFile needs 2 qwords in stack for input params
stack_frame_size = $ - stack_frame_begin
end virtual
d=(stack_frame_size+7)/8 ; stack frame in qwords
c=(a+b+d) and 1         ; align stack at 10h
sub rsp,8*(c+d)

; NtQuerySystemInformation(SystemModuleInformation, buffer, sizeof_buffer, &ReturnLength)
lea r9,[rsp+8*(4+0)]    ; _Out_opt_ PULONG ReturnLength
mov dword [r9],sizeof_buffer
mov r8d,[r9]            ; _In_ ULONG SystemInformationLength
lea rdx,[buffer]        ; _Inout_ PVOID SystemInformation
mov ecx,SystemModuleInformation ; _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass
call [NtQuerySystemInformation]
test eax,eax
jnz exit                ; NTSTATUS not 0: nothing to print

; struct RTL_PROCESS_MODULE_INFORMATION, struct RTL_PROCESS_MODULES: their layouts are taken from the includes above
lea rbx,[buffer+RTL_PROCESS_MODULES.Modules] ; rbx = current module entry
lea rdi,[rbx]           ; rdi = output text, built in place over the already-read part of the buffer
cld
movdqa xmm3,dqword [Sum1]
movdqa xmm4,dqword [Comp1]
movdqa xmm2,dqword [Mask1]
movdqa xmm5,dqword [Num1]
align 10h
L0:
; 16 hex digits of ImageBase in one SSE pass: split nibbles, add '0', add 7 more for A-F
mov rax,[rbx+RTL_PROCESS_MODULE_INFORMATION.ImageBase]
bswap rax
movq xmm0,rax
movdqa xmm1,xmm0
psrlq xmm0,4
pand xmm0,xmm2
pand xmm1,xmm2
punpcklbw xmm0,xmm1
movdqa xmm1,xmm0
pcmpgtb xmm0,xmm4
pand xmm0,xmm5
paddb xmm1,xmm3
paddb xmm1,xmm0
; we must use movdqu instead of movdqa because we don't know if rdi is aligned 10h
movdqu dqword [rdi],xmm1
add rdi,16
mov al,'h'
stosb
mov al,' '
stosb
; mov eax,[rbx+RTL_PROCESS_MODULE_INFORMATION.ImageSize]
; copy FullPathName up to its terminating zero
lea rsi,[rbx+RTL_PROCESS_MODULE_INFORMATION.FullPathName]
mov ecx,RTL_PROCESS_MODULE_INFORMATION_max_full_path_name
lodsb
align 10h
L1:
stosb
lodsb
or al,al
loopnz L1
mov al,0Dh              ; CR LF
stosb
mov al,0Ah
stosb
add rbx,sizeof.RTL_PROCESS_MODULE_INFORMATION
dec dword [buffer+RTL_PROCESS_MODULES.NumberOfModules]
jnz L0

STD_OUTPUT_HANDLE = -11
INVALID_HANDLE_VALUE = -1
; mov rcx,STD_OUTPUT_HANDLE
push STD_OUTPUT_HANDLE
pop rcx
call [GetStdHandle]
push rax
pop rcx
if INVALID_HANDLE_VALUE = -1
inc rax
else
cmp rax,INVALID_HANDLE_VALUE
end if
jz exit
; WriteFile(hStdOut, start of text, rdi - start, &NumberOfBytesWritten, NULL)
and qword [rsp + 8*(4+0)],0
lea r9,[rsp + 8*(4+1)]
mov r8,rdi
lea rdx,[buffer+RTL_PROCESS_MODULES.Modules]
sub r8,rdx
; lea rcx,[rcx]
call [WriteFile]
exit:
xor ecx,ecx
call [ExitProcess]
; in case the above failed
xor eax,eax
add rsp,8*(c+d)
pop rbp rdi rsi rbx
ret

align 10h
Sum1 dq 3030303030303030h, 3030303030303030h
Mask1 dq 0f0f0f0f0f0f0f0fh, 0f0f0f0f0f0f0f0fh
Comp1 dq 0909090909090909h, 0909090909090909h
Num1 dq 0707070707070707h, 0707070707070707h

section '.idata' import data readable writeable
dd 0,0,0, RVA ntdll_name, RVA ntdll_table
dd 0,0,0, RVA krnl_name, RVA krnl_table
dd 0,0,0, 0, 0
ntdll_table:
NtQuerySystemInformation dq RVA _NtQuerySystemInformation
dq 0
krnl_table:
ExitProcess dq RVA _ExitProcess
GetStdHandle dq RVA _GetStdHandle
WriteFile dq RVA _WriteFile
dq 0
ntdll_name db 'NTDLL.DLL',0
krnl_name db 'KERNEL32.DLL',0
; ntdll.dll:
_NtQuerySystemInformation db 0,0,'NtQuerySystemInformation',0
; kernel32.dll:
_CloseHandle db 0,0,'CloseHandle',0
_ExitProcess db 0,0,'ExitProcess',0
_GetStdHandle db 0,0,'GetStdHandle',0
_WriteFile db 0,0,'WriteFile',0

section '.data' data readable writeable
sizeof_buffer = 16*1024*1024
buffer rb sizeof_buffer
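The usermode check Feryno describes, as an added example that is not his tool and not the forum's code: a C program that walks a SystemModuleInformation buffer using the x64 layouts of the undocumented RTL_PROCESS_MODULE_INFORMATION and RTL_PROCESS_MODULES (spelled with fixed-width types so the parser builds on any host), prints each entry in the same "ImageBase'h' path" shape as the fasm listing, and answers "is bootvid.dll loaded?" by file name. On Windows it resolves NtQuerySystemInformation from ntdll at run time with GetProcAddress instead of importing it, so the program still starts and can report the missing call on a system that lacks it, which is the usermode counterpart of the MmGetSystemRoutineAddress-versus-static-import point made above; on other hosts it parses a constructed sample buffer (three made-up entries, labelled as such in the code). The information class number 11, the STATUS_INFO_LENGTH_MISMATCH value and the sample addresses are my assumptions, not from the post.

```c
/* Added example, not Feryno's tool: list loaded kernel modules from
 * NtQuerySystemInformation(SystemModuleInformation) and check one driver by name.
 * Structs are the x64 layouts of the undocumented RTL_PROCESS_* types, host-neutral. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint64_t Section, MappedBase, ImageBase;   /* HANDLE, PVOID, PVOID */
    uint32_t ImageSize, Flags;
    uint16_t LoadOrderIndex, InitOrderIndex, LoadCount;
    uint16_t OffsetToFileName;                 /* offset of the file name inside FullPathName */
    uint8_t  FullPathName[256];                /* NUL-terminated, e.g. \SystemRoot\system32\hal.dll */
} RTL_PROCESS_MODULE_INFORMATION;              /* 296 bytes */
typedef struct {
    uint32_t NumberOfModules, Reserved;        /* Reserved = padding, Modules starts at offset 8 */
    RTL_PROCESS_MODULE_INFORMATION Modules[1]; /* NumberOfModules entries follow */
} RTL_PROCESS_MODULES;

/* Entries actually present in `len` bytes: the header count is capped by the
 * buffer size, so a truncated buffer is never over-read. */
size_t module_count(const void *buf, size_t len)
{
    const size_t hdr = offsetof(RTL_PROCESS_MODULES, Modules);
    if (buf == NULL || len < hdr) return 0;
    size_t avail = (len - hdr) / sizeof(RTL_PROCESS_MODULE_INFORMATION);
    size_t n = ((const RTL_PROCESS_MODULES *)buf)->NumberOfModules;
    return n < avail ? n : avail;
}
static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}
/* The entry whose file name matches `name` (case-insensitive), or NULL if not loaded. */
const RTL_PROCESS_MODULE_INFORMATION *find_module(const void *buf, size_t len, const char *name)
{
    const RTL_PROCESS_MODULES *pm = (const RTL_PROCESS_MODULES *)buf;
    for (size_t i = 0, n = module_count(buf, len); i < n; i++) {
        const RTL_PROCESS_MODULE_INFORMATION *m = &pm->Modules[i];
        size_t off = m->OffsetToFileName;
        if (off >= sizeof m->FullPathName) continue;                                   /* corrupt entry */
        if (!memchr(m->FullPathName + off, 0, sizeof m->FullPathName - off)) continue; /* unterminated */
        if (eq_nocase((const char *)m->FullPathName + off, name)) return m;
    }
    return NULL;
}
/* Same line shape as the fasm tool: 16 hex digits, 'h', space, full path. */
void print_modules(const void *buf, size_t len, FILE *out)
{
    const RTL_PROCESS_MODULES *pm = (const RTL_PROCESS_MODULES *)buf;
    for (size_t i = 0, n = module_count(buf, len); i < n; i++)
        fprintf(out, "%016llXh %.256s\n", (unsigned long long)pm->Modules[i].ImageBase,
                (const char *)pm->Modules[i].FullPathName);
}

/* Constructed sample (made-up addresses, not a capture) so the parser runs off Windows. */
static uint64_t g_sample[512];                 /* 4 KiB, 8-byte aligned */
static size_t   g_sample_len;
size_t sample_len(void)
{
    static const struct { uint64_t base; uint32_t size; const char *path; } rows[] = {
        { 0xFFFFF80000400000ULL, 0x7FF000, "\\SystemRoot\\system32\\ntoskrnl.exe" },
        { 0xFFFFF80000C00000ULL, 0x010000, "\\SystemRoot\\system32\\hal.dll" },
        { 0xFFFFF80000C10000ULL, 0x008000, "\\SystemRoot\\system32\\bootvid.dll" },
    };
    const size_t n = sizeof rows / sizeof rows[0];
    RTL_PROCESS_MODULES *pm = (RTL_PROCESS_MODULES *)g_sample;
    if (g_sample_len) return g_sample_len;
    pm->NumberOfModules = (uint32_t)n;
    for (size_t i = 0; i < n; i++) {
        RTL_PROCESS_MODULE_INFORMATION *m = &pm->Modules[i];
        memset(m, 0, sizeof *m);
        m->MappedBase = m->ImageBase = rows[i].base;
        m->ImageSize = rows[i].size;
        m->LoadOrderIndex = (uint16_t)i;
        strncpy((char *)m->FullPathName, rows[i].path, sizeof m->FullPathName - 1);
        const char *slash = strrchr(rows[i].path, '\\');
        m->OffsetToFileName = (uint16_t)(slash ? (slash - rows[i].path) + 1 : 0);
    }
    g_sample_len = offsetof(RTL_PROCESS_MODULES, Modules) + n * sizeof *pm->Modules;
    return g_sample_len;
}
const void *sample_ptr(void) { sample_len(); return g_sample; }

#ifdef _WIN32
#include <windows.h>
#define SYSTEM_MODULE_INFORMATION_CLASS 11u            /* assumed: undocumented class number */
#define NT_INFO_LENGTH_MISMATCH ((LONG)0xC0000004L)    /* STATUS_INFO_LENGTH_MISMATCH */
typedef LONG (WINAPI *NtQuerySystemInformation_t)(ULONG, PVOID, ULONG, PULONG);
/* Resolve at run time instead of importing, so a system lacking the call still starts
 * this program; grow the buffer until the kernel accepts its size. 0 = failure. */
size_t query_live_modules(void **out)
{
    NtQuerySystemInformation_t fn = (NtQuerySystemInformation_t)
        GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtQuerySystemInformation");
    if (!fn) { fputs("NtQuerySystemInformation not available\n", stderr); return 0; }
    ULONG cap = 1u << 20, len = 0; void *buf = NULL;
    for (;;) {
        void *p = realloc(buf, cap);
        if (!p) { free(buf); return 0; }
        buf = p;
        LONG st = fn(SYSTEM_MODULE_INFORMATION_CLASS, buf, cap, &len);
        if (st == 0) { *out = buf; return len; }
        if (st != NT_INFO_LENGTH_MISMATCH) { free(buf); return 0; }
        cap = len > cap ? len + 4096 : cap * 2;
    }
}
#endif

int main(void)
{
    void *buf; size_t len;
#ifdef _WIN32
    if (!(len = query_live_modules(&buf))) return 1;
#else
    buf = (void *)sample_ptr(); len = sample_len();   /* no live query off Windows */
#endif
    print_modules(buf, len, stdout);
    puts(find_module(buf, len, "bootvid.dll") ? "bootvid.dll is loaded" : "bootvid.dll is not loaded");
#ifdef _WIN32
    free(buf);
#endif
    return 0;
}
```

module_count trusts the byte length returned by the kernel rather than the NumberOfModules header, so a buffer that was cut short (or a hostile one) cannot make the walk read past its end; the fasm tool decrements NumberOfModules directly, which is fine for the real syscall output but worth knowing if the buffer ever comes from somewhere else.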
386 18 Nov 2023, 15:15
Wow! Very nice tool, Feryno! Thank you!
I think it would be very useful for me! Let's fight MS for our freedom!
386 18 Nov 2023, 15:34
Feryno wrote: I do not know whether the undocumented syscall exists in 32 bits.

Let's use the Native API and make the world better!
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.