Loading a Kernel mode library at Volume filter load time

Hello everyone,

Is it possible to load a kernel mode library in the DriverEntry or AddDevice
routine of a volume filter? ZwLoadDriver fails; our assumption is that this is
because Zw* uses FS APIs, and since the FS is not up yet this is the issue. Is
there a way to bypass this?

  • amitr0

The answer is yes, and has been answered here too many times to enumerate. Use
“TARGETTYPE=DYNLINK” to create a DLL, like SCSIPORT and STORPORT, with an
import library header file that you use to build your normally loaded
driver. Have an entry point like StorportInitialize that you call in the
DLL. The call to that function will load the DLL, if it is not already present,
and your function will then set it up.

Gary G. Little

H (952) 223-1349

C (952) 454-4629

xxxxx@comcast.net


— NTDEV is sponsored by OSR For our schedule of WDF, WDM, debugging and
other seminars visit: http://www.osr.com/seminars To unsubscribe, visit the
List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

__________ Information from ESET Smart Security, version of virus signature
database 4982 (20100329) __________

The message was checked by ESET Smart Security.

http://www.eset.com
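The build side of Gary's answer, as an added example that is not part of the thread: a SOURCES file for the kernel-mode DLL, its .def export list, and the client driver's SOURCES that links the import library. All names (mylib, myvolflt, MyLibInitialize, MyLibUninitialize, the inc directory) are assumed. The post says TARGETTYPE=DYNLINK; the WDK build environment also documents TARGETTYPE=EXPORT_DRIVER specifically for a kernel-mode DLL that keeps the .sys extension, and that is what this fragment uses.

```makefile
# --- mylib\SOURCES : the kernel-mode DLL (export driver); names assumed ---
TARGETNAME=mylib
# The post uses TARGETTYPE=DYNLINK; EXPORT_DRIVER is the WDK's documented
# target type for a kernel-mode DLL and is what is assumed here.
TARGETTYPE=EXPORT_DRIVER
TARGETPATH=obj
DLLDEF=mylib.def
INCLUDES=inc
SOURCES=mylib.c

# --- mylib\mylib.def : export list the import library (mylib.lib) is built from ---
#   EXPORTS
#       DllInitialize       ; called by the loader when the DLL is brought in
#       DllUnload           ; called when the last client has gone
#       MyLibInitialize     ; the StorportInitialize-style entry point
#       MyLibUninitialize   ; releases the client's hold on the DLL

# --- myvolflt\SOURCES : the volume filter that imports the DLL ---
TARGETNAME=myvolflt
TARGETTYPE=DRIVER
TARGETPATH=obj
INCLUDES=..\mylib\inc
# mylib.lib from the sibling build; list mylib before myvolflt in the parent DIRS file
TARGETLIBS=..\mylib\obj$(BUILD_ALT_DIR)\$(TARGET_DIRECTORY)\mylib.lib
SOURCES=filter.c

# Runtime: mylib.sys sits in %SystemRoot%\system32\drivers beside myvolflt.sys.
# When myvolflt is boot start, the loader resolves the import there before any
# file system is up, so no ZwLoadDriver call is involved on that path.
```

The import of MyLibInitialize in myvolflt.sys is what pulls mylib.sys in; the filter's DriverEntry then calls it once, and everything after that goes through whatever that call hands back.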

This works at boot time before the FS or storage stacks are started because the loader resolves all imports for boot start drivers. If you are planning on dynamically loading the DLL driver by calling ZwLoadDriver yourself, this will not work at boot unless the DLL driver is also marked as a boot driver.

d

tiny phone keyboard + fat thumbs = you do the math



Hi Gary,

in this approach, can the base driver load multiple DLLs on the fly? For
example, Machine A has two such DLLs and Machine B has only one. We need a
way to dynamically load and unload the DLLs on the fly.

thanks

aB

- amitr0

Doron,

So, if I understand correctly, we make this loadable module a boot start
driver, but independent of any stack? Just as a kernel module?

Also, why do we explicitly need to call ZwLoadDriver when the kernel
autoloads boot start modules? Is it to make it load right at the time we
need it instead of waiting for the Windows kernel’s sequence?

thanks

ab

- amitr0

Making it boot start is a double-edged sword. Unload now becomes problematic and order of start becomes extremely. In the non-boot-driver case, ZwLoadDriver is needed; if all you are doing is boot start, then loading it via the API is not needed. Of course, loading the driver is just the first step: you have to find the driver and somehow exchange function pointers and, if you don’t use ZwLoadDriver, make sure that the DLL sticks around as long as your driver can call it.

d

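The function-pointer exchange Doron refers to, as an added example that is not from the thread and not Microsoft's code: the DLL's StorportInitialize-style entry point fills a versioned table of function pointers for the caller, and a client count lets DllUnload refuse while a filter still holds the table, which is the "make sure the DLL sticks around" point. All names (mylib, MyLibInitialize, MYLIB_OPS, FilterDriverEntry) are assumed. NTSTATUS and the status codes are defined inline so the file builds with an ordinary C compiler; a real export driver takes them from ntddk.h and would use the Interlocked* routines for the counters.

```c
/* Added example, not from the thread: the versioned function-table exchange
 * between an export driver (mylib.sys) and the volume filter importing it.
 * Kernel types are defined inline so it builds with any C compiler; a real
 * driver takes them from ntddk.h and uses InterlockedIncrement/Decrement. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS              ((NTSTATUS)0x00000000L)
#define STATUS_INVALID_PARAMETER    ((NTSTATUS)0xC000000DL)
#define STATUS_BUFFER_TOO_SMALL     ((NTSTATUS)0xC0000023L)
#define STATUS_REVISION_MISMATCH    ((NTSTATUS)0xC0000059L)
#define STATUS_INVALID_DEVICE_STATE ((NTSTATUS)0xC0000184L)
#define STATUS_NOT_FOUND            ((NTSTATUS)0xC0000225L)
#define NT_SUCCESS(s)               (((NTSTATUS)(s)) >= 0)

/* ---- mylib.h: the import-library header the filter compiles against ---- */
#define MYLIB_INTERFACE_VERSION 2
typedef struct _MYLIB_OPS {
    uint32_t Size;     /* caller: sizeof(MYLIB_OPS) it was compiled with */
    uint32_t Version;  /* caller: version wanted; on return: version provided */
    NTSTATUS (*AttachVolume)(void *VolumeContext);
    NTSTATUS (*DetachVolume)(void *VolumeContext);
} MYLIB_OPS;

/* ---- mylib.c: the export driver ---- */
#define MYLIB_MAX_VOLUMES 8
static void *g_Volumes[MYLIB_MAX_VOLUMES];
static int   g_VolumeCount;
static long  g_ClientCount;  /* filters currently holding a filled-in table */

static NTSTATUS LibAttachVolume(void *VolumeContext)
{
    if (VolumeContext == NULL || g_VolumeCount == MYLIB_MAX_VOLUMES)
        return STATUS_INVALID_PARAMETER;
    g_Volumes[g_VolumeCount++] = VolumeContext;
    return STATUS_SUCCESS;
}

static NTSTATUS LibDetachVolume(void *VolumeContext)
{
    for (int i = 0; i < g_VolumeCount; i++)
        if (g_Volumes[i] == VolumeContext) {
            g_Volumes[i] = g_Volumes[--g_VolumeCount];  /* swap-remove */
            return STATUS_SUCCESS;
        }
    return STATUS_NOT_FOUND;
}

/* The StorportInitialize-style entry point, the filter's first call into the
 * DLL: check the caller's view of the interface before handing out pointers. */
NTSTATUS MyLibInitialize(MYLIB_OPS *Ops)
{
    if (Ops == NULL)                            return STATUS_INVALID_PARAMETER;
    if (Ops->Size < sizeof(MYLIB_OPS))          return STATUS_BUFFER_TOO_SMALL;
    if (Ops->Version > MYLIB_INTERFACE_VERSION) return STATUS_REVISION_MISMATCH;
    Ops->Version      = MYLIB_INTERFACE_VERSION;
    Ops->AttachVolume = LibAttachVolume;
    Ops->DetachVolume = LibDetachVolume;
    g_ClientCount++;
    return STATUS_SUCCESS;
}

NTSTATUS MyLibUninitialize(void)
{
    if (g_ClientCount == 0) return STATUS_INVALID_DEVICE_STATE;
    g_ClientCount--;
    return STATUS_SUCCESS;
}

/* Exported by name in mylib.def; refusing while a filter still holds the table
 * is how the DLL "sticks around" (that the loader honours a failing DllUnload
 * is assumed here, not stated in the thread). */
NTSTATUS DllUnload(void)
{
    return g_ClientCount == 0 ? STATUS_SUCCESS : STATUS_INVALID_DEVICE_STATE;
}
long MyLibClientCount(void) { return g_ClientCount; }

/* ---- filter.c: the volume filter; DriverEntry/AddDevice stand-ins ---- */
typedef struct _FILTER_GLOBALS { MYLIB_OPS Ops; int Bound; } FILTER_GLOBALS;

NTSTATUS FilterDriverEntry(FILTER_GLOBALS *G)
{
    memset(G, 0, sizeof *G);
    G->Ops.Size    = sizeof G->Ops;
    G->Ops.Version = MYLIB_INTERFACE_VERSION;
    NTSTATUS st = MyLibInitialize(&G->Ops);  /* import already bound by the loader */
    G->Bound = NT_SUCCESS(st);
    return st;
}
NTSTATUS FilterAddDevice(FILTER_GLOBALS *G, void *Volume)
{
    return G->Bound ? G->Ops.AttachVolume(Volume) : STATUS_INVALID_DEVICE_STATE;
}
NTSTATUS FilterUnload(FILTER_GLOBALS *G)  /* drop our hold so DllUnload can succeed */
{
    if (!G->Bound) return STATUS_INVALID_DEVICE_STATE;
    G->Bound = 0;
    return MyLibUninitialize();
}
```

The Size/Version pair is what lets a filter and a DLL built at different times coexist: a filter compiled against a larger, newer table is refused with STATUS_REVISION_MISMATCH rather than calling through a pointer the DLL never filled in, and a second filter on the same machine simply increments the client count, so the DLL stays until the last one has called MyLibUninitialize.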

To my knowledge you can link to as many DLLs as you want, and they will be
loaded in turn as your driver makes its initial call into them. However, if
you need to control unloading then you may need to consider more of a
bus/child driver architecture. With that you can create interfaces for
function calls or simply dynamically link the bus driver with common
functionality to the kids. The real point is that you have a more stable
platform with which to work, since the bus driver will not be unceremoniously
ripped out from under you.

Gary G. Little

H (952) 223-1349

C (952) 454-4629

xxxxx@comcast.net
