How can I install a WDF driver WITHOUT using .INF files and WITHOUT using CoInstallers?
I just want to install it the simple, old way (an app that calls CreateService, StartService, ...). But if I do that, I get a "File not found" error message, and it doesn't even say which file isn't to be found.
I think Microsoft did a very good thing releasing WDF/KMDF, but the installation procedure is just too complicated (INF files and WDF coinstallers aren't fun!). Also, using Add Hardware every time I compile the driver is time consuming.
Thanks.
PS: Please excuse my English as it's not my first language.
Can anybody please inform me:
How to read data (digitized sound samples) from a soundcard, with or without using DirectX, and then save them to a file and display them?
Desperately waiting, ASAP, because I am stuck with this problem...
Hi!
A user mode application uses ShellExecute() to open an exe file, so what is the corresponding kernel API a driver uses to open an exe file?
Thanks!
All the blessings we enjoy are the fruits of labor, toil, study, and self-denial.
ZwCreateFile() is the kernel call to open any file.
Nunc est bibendum
How to open a *.exe file in a WDM driver program?
Hi!
I had copied a *.exe file to a pen disk, and I wish that every time I attach this pen disk to the PC the *.exe file can auto run.
I know that the system can auto run this *.exe file if I create an autorun.inf on the pen disk.
But now I want my pen disk driver program to run this *.exe file instead of the system.
So my question is:
Is it possible to create a user mode process in a WDM driver program, that's to say, can the WDM driver invoke a user mode API?
Thanks!
momer
All the blessings we enjoy are the fruits of labor, toil, study and self-denial.
I am going to advise that this can't be done.
The correct way to do this is to have a service running on the PC that has registered for WM_DEVICECHANGE messages. When a device it is interested in is plugged in, it then runs the exe.
It might be possible to run the exe from a driver, but I don't know how. It might require using undocumented kernel API functions, which give portability problems.
Nunc est bibendum
Hi, fat_boy ^_^
Yes, I agree with you that it's the correct way to run a service on the PC.
But now I want to have a try at realizing it from the driver.
Maybe the kernel API ZwCreateFile() can open an exe file, but, in the driver program, how to get the drive letter of the pen disk where the exe file is stored? Because the system may assign a different drive letter to the pen disk each time the pen disk is plugged into the PC.
Can you give me some advice, fat_boy?
Thanks!
momer
It is not just a case of opening an exe.
You have to create a process, map the exe into it and call its main function.
At least that is what I am guessing at; God knows how you will do it in reality, but you would be mimicking part of the OS's functionality.
If you want to get something working that is reliable, go the service route that waits for device arrival, via WM_DEVICECHANGE messages, and starts the app.
We had to do exactly this for one of our products and, as a driver writer, I was deflecting all kinds of comment by application writers about how easy it is for a driver to do this, with me replying, 'go on then, you do it, and get it through WHQL, and have it run on today's OS and tomorrow's'.
We went the service route and so should you.
Nunc est bibendum
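The user-mode "service route" recommended above, as an added example that is not part of this thread: a PowerShell watcher that subscribes to WMI volume-arrival events and records the drive letter Windows actually assigned, which is the piece the driver-side approach has no clean way to learn. It uses the documented Win32_VolumeChangeEvent class rather than WM_DEVICECHANGE, so it needs no window message loop. The log path and the allow-list of volume labels are assumptions for the example; the script deliberately only logs and flags candidates, it does not launch anything from the inserted media.

```powershell
# Added example (not from this thread): log removable-volume arrivals and the
# drive letter the system assigned. Runs under Windows PowerShell 5.1 or PowerShell 7.
# Assumed: the log path below. Constructed: the allow-list of volume labels.

$LogPath       = 'C:\ProgramData\VolumeWatch\arrivals.log'   # assumed location
$AllowedLabels = @('TOOLKIT')                                 # constructed allow-list

New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null

# Win32_VolumeChangeEvent.EventType: 2 = device arrival, 3 = device removal.
$query = 'SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2'

# -MessageData carries our settings into the action block via $Event.MessageData.
Register-CimIndicationEvent -Query $query -SourceIdentifier 'VolumeArrival' `
    -MessageData @{ LogPath = $LogPath; Allowed = $AllowedLabels } -Action {
    $cfg   = $Event.MessageData
    $drive = $Event.SourceEventArgs.NewEvent.DriveName          # e.g. "E:"
    $vol   = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$drive'"

    # DriveType 2 = removable disk; VolumeName is the label on the volume.
    $line = '{0:u} arrival drive={1} label="{2}" fs={3} type={4}' -f `
            (Get-Date), $drive, $vol.VolumeName, $vol.FileSystem, $vol.DriveType
    Add-Content -Path $cfg.LogPath -Value $line

    # Flag only removable volumes whose label is on the allow-list; anything
    # else is recorded as an ordinary arrival. Launching is left to the operator.
    if ($vol.DriveType -eq 2 -and $cfg.Allowed -contains $vol.VolumeName) {
        Add-Content -Path $cfg.LogPath -Value "  candidate: $drive\ matches allow-list"
    }
}

# Keep the session alive so the subscription keeps delivering events.
try {
    while ($true) { Wait-Event -SourceIdentifier 'VolumeArrival' -Timeout 5 | Out-Null }
}
finally {
    Unregister-Event -SourceIdentifier 'VolumeArrival'
}
```

Run it from a scheduled task or wrap it in a service host if it has to survive logoff. Keying the decision on a volume label (or, better, a file hash checked after arrival) rather than on the drive letter is what makes the approach robust to the letter changing between insertions, which is exactly the problem raised in this thread.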
"You have to create a process, map the exe into it and call its main function. At least that is what I am guessing at; God knows how you will do it in reality, but you would be mimicking part of the OS's functionality."
Where should we create the process, in our driver program? Is it possible to create a process, which may be a user mode app, in our kernel mode driver program?
fat_boy, you know that we can create or open a data file stored on the hard disk by using the kernel API ZwCreateFile, so, if we can open an exe file, such as C:\Program Files\Internet Explorer\IEXPLORE.EXE, by using ZwCreateFile (maybe some other kernel API) in our driver program, then the only problem is how to get the drive letter of the pen disk where the actual exe file is stored.
So, what is your opinion?
Thank you very much!
All the blessings we enjoy are the fruits of labor, toil, study and self-denial.
Oh yes, running a process from kernel mode CAN be done, though it is complicated. Here it is:
By: valerino
I don't think this code needs any comment.
Say welcome to usermode calls in kernel land... with this technique you can even call MessageBox from inside your driver.
No more ugly non-working Phrack samples, this is the real stuff.
1) The APC injector
//************************************************************************
// NTSTATUS UtilInstallUserModeApcForCreateProcess(char* CommandLine, PKTHREAD pTargetThread, PKPROCESS pTargetProcess)
//
// Setup usermode APC to execute a process
//************************************************************************/
NTSTATUS UtilInstallUserModeApcForCreateProcess(char* CommandLine, PKTHREAD pTargetThread, PEPROCESS pTargetProcess)
{
PRKAPC pApc = NULL;
PMDL pMdl = NULL;
PVOID MappedAddress = NULL;
ULONG size;
KAPC_STATE ApcState;
PKEVENT pEvent = NULL;
// check params
if (!pTargetThread || !pTargetProcess)
return STATUS_UNSUCCESSFUL;
// allocate memory for apc and event
pApc = ExAllocatePool (NonPagedPool,sizeof (KAPC));
if (!pApc)
return STATUS_INSUFFICIENT_RESOURCES;
pEvent = ExAllocatePool (NonPagedPool,sizeof (KEVENT));
if (!pEvent)
{
ExFreePool (pApc);
return STATUS_INSUFFICIENT_RESOURCES;
}
// allocate mdl big enough to map the code to be executed
size = (unsigned char*)UtilUserApcCreateProcessEnd - (unsigned char*)UtilUserApcCreateProcess;
pMdl = IoAllocateMdl (UtilUserApcCreateProcess, size, FALSE,FALSE,NULL);
if (!pMdl)
{
ExFreePool (pEvent);
ExFreePool (pApc);
return STATUS_INSUFFICIENT_RESOURCES;
}
// lock the pages in memory
__try
{
MmProbeAndLockPages (pMdl,KernelMode,IoWriteAccess);
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
IoFreeMdl (pMdl);
ExFreePool (pEvent);
ExFreePool (pApc);
return STATUS_UNSUCCESSFUL;
}
// map the pages into the specified process
KeStackAttachProcess (pTargetProcess,&ApcState);
MappedAddress = MmMapLockedPagesSpecifyCache (pMdl,UserMode,MmCached,NULL,FALSE,NormalPagePriority);
if (!MappedAddress)
{
// cannot map address
KeUnstackDetachProcess (&ApcState);
IoFreeMdl (pMdl);
ExFreePool (pEvent);
ExFreePool (pApc);
return STATUS_UNSUCCESSFUL;
}
// copy commandline
memset ((unsigned char*)MappedAddress + 160, 0, 260);
memcpy ((unsigned char*)MappedAddress + 160, CommandLine,strlen (CommandLine));
KeUnstackDetachProcess (&ApcState);
// initialize apc
KeInitializeEvent(pEvent,NotificationEvent,FALSE);
KeInitializeApc(pApc,pTargetThread, OriginalApcEnvironment,&UtilUserApcCreateProcessKernelRoutine,
NULL, MappedAddress, UserMode, (PVOID) NULL);
// schedule apc
if (!KeInsertQueueApc(pApc,pEvent,NULL,0))
{
// failed apc delivery
MmUnlockPages(pMdl);
IoFreeMdl (pMdl);
ExFreePool (pEvent);
ExFreePool (pApc);
return STATUS_UNSUCCESSFUL;
}
// and fire it by manually alerting the thread (for reference, this set the KTHREAD.ApcState.KernelApcInProgress)
// beware, this could be not compatible with everything ..... it works on 2k/XP anyway, tested on SP2 too.....
*((unsigned char *)pTargetThread+0x4a)=1;
// apc is fired, wait event to signal completion
KeWaitForSingleObject (pEvent,Executive,KernelMode,FALSE,NULL);
// free event
ExFreePool (pEvent);
// unmap and unlock pages / mdl . Note that there's no need to call MmUnmapLockedPages on paged locked with MmProbeAndLockPages,
// since MmUnlockPages does this for us automatically.
MmUnlockPages(pMdl);
IoFreeMdl (pMdl);
return STATUS_SUCCESS;
}
2) This routine just frees the APC's allocated memory as soon as it's fired
//************************************************************************
// VOID UtilUserApcCreateProcessKernelRoutine( IN struct _KAPC *Apc, IN OUT PKNORMAL_ROUTINE *NormalRoutine,
// IN OUT PVOID *NormalContext, IN OUT PVOID *SystemArgument1, IN OUT PVOID *SystemArgument2 )
//
// This routine just frees the APC
//************************************************************************/
VOID UtilUserApcCreateProcessKernelRoutine( IN struct _KAPC *Apc, IN OUT PKNORMAL_ROUTINE *NormalRoutine,
IN OUT PVOID *NormalContext, IN OUT PVOID *SystemArgument1, IN OUT PVOID *SystemArgument2 )
{
PKEVENT pEvent;
KDebugPrint (1,("%s APC KernelRoutine called, freeing APC.\n", MODULE));
// free apc
ExFreePool(Apc);
// set event to signal apc execution
pEvent = (PKEVENT)*SystemArgument1;
KeSetEvent (pEvent,IO_NO_INCREMENT,FALSE);
}
3) This is the usermode routine launched by the APC. It gets the Kernel32 base and finds imports by a hash, then calls WinExec (simpler than calling CreateProcess, but anyway this is just an example...).
Use this NASM macro to calculate the needed hashes for whatever usermode functions you may need to call:
;
; HASH - NASM macro for calculating win32 symbol hashes
; Usage: HASH instruction, 'SymbolName'
;
%macro HASH 2
%assign i 1 ; i = 1
%assign h 0 ; h = 0
%strlen len %2 ; len = strlen(%2)
%rep len
%substr char %2 i ; fetch next character
%assign h \
(h<<0x13) + \
(h>>0x0d) + \
char ; rotate and add
%assign i i+1 ; increment i
%endrep
%1 h ; return instruction with hash
%endmacro
I can't remember where I got this shellcode; it was lying already modified on my HD for a long time. Anyway it's not mine...
I just rearranged it to my needs. Whoever recognizes it as his code, email me at valeryno@hotmail.com and I'll put the proper credits.
//************************************************************************
// void UtilUserApcCreateProcess(PVOID NormalContext, PVOID SystemArgument1, PVOID SystemArgument2)
//
// This is where we call createprocess. We're in usermode here
//************************************************************************/
__declspec(naked) void UtilUserApcCreateProcess(PVOID NormalContext, PVOID SystemArgument1, PVOID SystemArgument2)
{
__asm
{
push ebp
mov ebp,esp
push ebx
push esi
push edi
jmp __startup; ; these are just functions.... skip
__find_kernel32:
push esi ; Save esi
push 0x30
pop ecx
mov eax, fs:[ecx] ; Extract the PEB
mov eax, [eax + 0x0c] ; Extract the PROCESS_MODULE_INFO pointer from the PEB
mov esi, [eax + 0x1c] ; Get the address of flink in the init module list
lodsd ; Load the address of blink into eax
mov eax, [eax + 0x8] ; Grab the module base address from the list entry
pop esi ; Restore esi
ret ; Return
__find_function:
pushad ; Save all registers
mov ebp, [esp + 0x24] ; Store the base address in eax
mov eax, [ebp + 0x3c] ; PE header VMA
mov edx, [ebp + eax + 0x78] ; Export table relative offset
add edx, ebp ; Export table VMA
mov ecx, [edx + 0x18] ; Number of names
mov ebx, [edx + 0x20] ; Names table relative offset
add ebx, ebp ; Names table VMA
__find_function_loop:
jecxz __find_function_finished ; Jump to the end if ecx is 0
dec ecx ; Decrement our names counter
mov esi, [ebx + ecx * 4] ; Store the relative offset of the name
add esi, ebp ; Set esi to the VMA of the current name
xor edi, edi ; Zero edi
xor eax, eax ; Zero eax
cld ; Clear direction
__compute_hash_again:
lodsb ; Load the next byte from esi into al
test al, al ; Test ourselves.
jz __compute_hash_finished ; If the ZF is set, we've hit the null term.
ror edi, 0xd ; Rotate edi 13 bits to the right
add edi, eax ; Add the new byte to the accumulator
jmp __compute_hash_again ; Next iteration
__compute_hash_finished:
cmp edi, [esp + 0x28] ; Compare the computed hash with the requested hash
jnz __find_function_loop ; No match, try the next one.
mov ebx, [edx + 0x24] ; Ordinals table relative offset
add ebx, ebp ; Ordinals table VMA
mov cx, [ebx + 2 * ecx] ; Extrapolate the function's ordinal
mov ebx, [edx + 0x1c] ; Address table relative offset
add ebx, ebp ; Address table VMA
mov eax, [ebx + 4 * ecx] ; Extract the relative function offset from its ordinal
add eax, ebp ; Function VMA
mov [esp + 0x1c], eax ; Overwrite stack version of eax from pushad
__find_function_finished:
popad ; Restore all registers
ret 8
__begin:
nop
pop edi ; Pop address
mov ebx, __execute
sub ebx, __command_line
sub edi, ebx ; filename offset
mov esi,edi ; filename to edi
call __find_kernel32 ; Find kernel32 address
mov ebx, eax ; Save address in ebx
jmp short __execute ; Skip data
__startup:
call __begin ; Fetch our data address
__execute:
push 0x0e8afe98 ; WinExec hash
push ebx ; kernel32 base address
call __find_function ; find address
xor ecx,ecx
inc ecx ; ecx = 1
push ecx ; uCmdShow
push esi ; lpCmdLine. We already have the exe path in esi
call eax ; call WinExec
jmp __end
__command_line: ; Space (~300 bytes) for commandline
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
__end:
pop edi ; restore registers
pop esi
pop ebx
pop ebp
ret 0x0c
}
}
//************************************************************************
// void UtilUserApcCreateProcessEnd()
//
// This is just a reference to calculate size of the above usermode apc routine
//************************************************************************/
void UtilUserApcCreateProcessEnd()
{
}
The end.
Cowabunga,
Valerio
I don't know what the hell has happened to my PC. After WinXP is loaded, a few minutes later (varies from two minutes to 20 min) it gets rebooted as if you "unplug-n-plug" the power cable. Before restarting, the monitor flickers, the small light in the mouse dims and brightens... then... f*cking restart.
I changed the SMPS.
I gave the motherboard for service.
I removed the mouse.
I removed the NIC.
I removed USB.
I removed everything.
It works well in the DOS command prompt (and in the BIOS screen at least).
What could be the problem? Someone please help me get a clue.
VuNic
Can a virus go down to that level?? If it's in DOS I'd believe it.
VuNic
Okay, I have another backup HDD, I'll try with that.
VuNic
Bad memory chip. I had that exact behavior happen to me once.
Marc
Pensieve
OHHHHHHHH, you are my lord!! Thanks a lot Marc...
VuNic
VuNic wrote: you are my lord!!.
Eeek!
BTW, I could be wrong! I mean, there are lots of failure points. But let me know how it turns out.
Marc
Pensieve
Marc Clifton wrote: BTW, I could be wrong!
No problem Marc!! At least I get some hope to repair it, and moreover I'm happy for this moment.
VuNic
The only thing I didn't replace was the RAM. Damn... see what I do today. I'll surely burn it on fire. Grrrrrrrr... That took me almost a month to identify, almost damaging my HDD and putting the blame on my innocent SMPS, motherboard and even mouse ( ). I even thought the problem was with the PS2 connector on the board (I have an old 810 board)... Hmm, I hope this would be the judgement day. Thanks again Marc.
VuNic
This could also be a temperature problem. Check the fans and heat sinks in your machine.
Software Zen: delete this;
Yup, all fans are running. And moreover, in 2 minutes how does it get that hot??
VuNic