Comments
> I'm having a look at Sysinternals' Processor Monitor. From what I know, it generates a kernel driver called PROCEXP??? on the fly when executed. WinObj.exe shows the driver object, device object, symlink of the same is really created. But the regedit shows no entry added to HKLM\System\CCS\Services
>
> How does it load a driver without leaving any trace in the registry?
DbgView does the same thing. You can run procmon when you start dbgview to check it.
Hint: you can remove the Services registry entries for a kernel driver that is still loaded.
--
Tim Roberts, [email protected]
Providenza & Boekelheide, Inc.
Exactly how?
I used an API monitoring tool (http://www.rohitab.com/apimonitor) to hook the APIs called by Process Explorer. It does manually create a registry key HKLM\System\CCS\Services\PROCEXPxxx.SYS and delete it sometime later. But it doesn't call CreateService()/OpenService(). So, how does it load the PROCEXPxxx.SYS? My understanding is that if we manually create the registry key, we have to reboot once for the key to take effect (except if CreateService() is used to create the key)
> Exactly how?
>
> I used an API monitoring tool (http://www.rohitab.com/apimonitor) to hook the APIs called by Process Explorer. It does manually create a registry key HKLM\System\CCS\Services\PROCEXPxxx.SYS and delete it sometime later. But it doesn't call CreateService()/OpenService().
Are you sure ApiMonitor snaggles those APIs? If you do "dumpbin /imports" on dbgview.exe, it clearly imports CreateService and friends.
--
Tim Roberts, [email protected]
Providenza & Boekelheide, Inc.
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of
[email protected]
Sent: Thursday, February 26, 2015 7:50 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Why Process Monitor Loads it Driver Withou Registry
Entry
> Hint: you can remove the Services registry entries for a kernel driver
that is still loaded.
Exactly how?
I used an API monitoring tool (http://www.rohitab.com/apimonitor) to hook
the APIs called by Process Explorer. It does manually create a registry key
HKLM\System\CCS\Services\PROCEXPxxx.SYS and delete it sometime later. But it
doesn't call CreateService()/OpenService(). So, how does it load the
PROCEXPxxx.SYS? My understanding is that if we manually create the registry
key, we have to reboot once for the key to take effect (except if
CreateService() is used to create the key)
ZwSetSystemInformation can IIRC load the .sys without the SC key.
--
Maxim S. Shatskih
Microsoft MVP on File System And Storage
[email protected]
http://www.storagecraft.com
"Petr Kurtin" <[email protected]> wrote in message news:[email protected]
> Process Explorer is using NtLoadDriver, no SCM APIs
>
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of
> [email protected]
> Sent: Thursday, February 26, 2015 7:50 PM
> To: Windows System Software Devs Interest List
> Subject: RE:[ntdev] Why Process Monitor Loads it Driver Withou Registry
> Entry
>
>> Hint: you can remove the Services registry entries for a kernel driver
> that is still loaded.
> Exactly how?
>
> I used an API monitoring tool (http://www.rohitab.com/apimonitor) to hook
> the APIs called by Process Explorer. It does manually create a registry key
> HKLM\System\CCS\Services\PROCEXPxxx.SYS and delete it sometime later. But it
> doesn't call CreateService()/OpenService(). So, how does it load the
> PROCEXPxxx.SYS? My understanding is that if we manually create the registry
> key, we have to reboot once for the key to take effect (except if
> CreateService() is used to create the key)
The "documentation" (i.e. the internet clones of the Gary Nebbett data) for ZwSetSystemInformation about loading a driver has been wrong since Windows XP. Most documentation forgets to mention it loads it in a session, and it does not call DriverEntry. So trying to use that from user space would have a lot of challenges, and as has already been pointed out, the SC key is created, the driver loaded, then the key deleted.
Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Maxim S. Shatskih
Sent: Thursday, February 26, 2015 5:57 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Why Process Monitor Loads it Driver Withou Registry
Entry
NtLoadDriver IIRC requires the SC key.
ZwSetSystemInformation can IIRC load the .sys without the SC key.
--
Maxim S. Shatskih
Microsoft MVP on File System And Storage [email protected]
http://www.storagecraft.com
> and it does not call DriverEntry.
Well, this is logical, since DriverEntry requires RegistryPath which is absent if there is no SC key, and passing NULL there is a bad idea since this is reserved for a crash dump/hiber path IIRC (or was it DriverObject == NULL for dump/hiber path?).
--
Maxim S. Shatskih
Microsoft MVP on File System And Storage
[email protected]
http://www.storagecraft.com
Tim,
I just did it on procexp.exe. And, no, it does NOT import CreateService.
So, how does a user mode program load a driver without rebooting/calling CreateService?
>> Are you sure ApiMonitor snaggles those APIs? If you do "dumpbin /imports" on dbgview.exe, it clearly imports CreateService and friends.
> I just did it on procexp.exe. And, no, it does NOT import CreateService.
>
> So, how does a user mode program load a driver without rebooting/calling CreateService?
My colleagues are saying NtLoadDriver/ZwLoadDriver can do that. I've never used either one.
--
Tim Roberts, [email protected]
Providenza & Boekelheide, Inc.
By leveraging the local kernel debugger in order to write garbage at nt!NtLoadDriver I was able to provoke a telltale BSoD:
STACK_TEXT:
ffffd001`930c3c38 fffff801`351b2f63 : 00000000`00000000 00000000`00000000 00000000`00000000 ffffe000`f181a800 : nt!NtLoadDriver
ffffd001`930c3c40 00007ff9`5d94e92a : 00007ff7`4b4c3779 00000000`007ced30 00000000`007cf170 00007ff7`4b5b14b8 : nt!KiSystemServiceCopyEnd+0x13
00000000`007ceac8 00007ff7`4b4c3779 : 00000000`007ced30 00000000`007cf170 00007ff7`4b5b14b8 00000000`00000000 : ntdll!NtLoadDriver+0xa
00000000`007cead0 00007ff7`4b508a1a : 00007ff7`4b5b14b8 00000000`007cf600 00007ff7`4b5d96e8 00007ff7`4b5b1498 : procexp64+0x13779
00000000`007cf5d0 00007ff7`4b50e07c : 00007ff7`4b5b2bf0 00007ff7`4a69a000 00000000`00000000 00007ff7`4a69a000 : procexp64+0x58a1a
00000000`007cfa40 00007ff7`4b4c975e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : procexp64+0x5e07c
00000000`007cfb20 00007ff7`4b54c4a8 : 00007ff7`4b4b0000 00000000`00000001 00000000`007cfc50 00007ff7`4a69a000 : procexp64+0x1975e
00000000`007cfc10 00007ff7`4b5804c6 : 00007ff7`4b4b0000 00000000`00000000 00000000`00971b1c 00007ff7`00000001 : procexp64+0x9c4a8
00000000`007cfdc0 00007ff9`5c555f72 : 00000000`00000000 00007ff7`4b580514 00000000`00000000 00000000`00000000 : procexp64+0xd04c6
00000000`007cfe70 00007ff9`5d919b54 : 00007ff9`5c555f50 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x22
00000000`007cfea0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x34
==> ntdll!NtLoadDriver is being used.
Tim Roberts wrote: "Hint: you can remove the Services registry entries for a kernel driver that is still loaded."
You can do that even from the driver itself and also remove its image file. By the way, this is where the funny part begins. Removing all evidence of your driver after it has been loaded. Heck, you can even create some system threads in your driver entry and immediately unload your driver.
Best Regards
Microwave89
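A defender-side check for the loading pattern the thread settles on (Services key written by hand, ntdll!NtLoadDriver, key and possibly image file removed afterwards), as an added example that is not code from the thread or from Sysinternals: it lists every image EnumDeviceDrivers reports as loaded and flags those with no kernel-mode Services key or no file on disk. The Win32.Psapi wrapper type and both function names are my own assumptions; it needs an elevated Windows PowerShell 5.1 or later session.

```powershell
# Added example, not code from the thread or from Sysinternals. Run as Administrator.
# Win32.Psapi and the two function names below are assumed names, not Windows APIs.
Add-Type -Namespace Win32 -Name Psapi -MemberDefinition @'
[DllImport("psapi.dll", SetLastError=true)]
public static extern bool EnumDeviceDrivers(IntPtr[] lpImageBase, int cb, out int lpcbNeeded);
[DllImport("psapi.dll", CharSet=CharSet.Unicode, SetLastError=true)]
public static extern int GetDeviceDriverFileNameW(IntPtr ImageBase, System.Text.StringBuilder lpFilename, int nSize);
'@

# Turn NT-style driver paths (\SystemRoot\..., \??\C:\..., relative System32\drivers\x.sys)
# into one comparable Win32 path so registry ImagePath values and loaded-image names match.
function ConvertTo-Win32DriverPath([string]$Path) {
    $p = $Path.Trim('"').ToLowerInvariant()
    $root = $env:SystemRoot.ToLowerInvariant()
    if ($p.StartsWith('\??\')) { $p = $p.Substring(4) }
    if ($p.StartsWith('\systemroot\')) { $p = $root + $p.Substring(11) }
    elseif ($p -notmatch '^[a-z]:\\') { $p = $root + '\' + $p.TrimStart('\') }
    return $p
}

function Get-UnregisteredKernelDrivers {
    # 1. Every kernel-mode service still in the registry (Type 1 = driver, 2 = file system driver).
    #    A missing ImagePath means the default location System32\drivers\<servicename>.sys.
    $registered = @{}
    foreach ($k in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $v = Get-ItemProperty -LiteralPath $k.PSPath -ErrorAction SilentlyContinue
        if ($v.Type -in 1, 2) {
            $img = if ($v.ImagePath) { $v.ImagePath } else { "System32\drivers\$($k.PSChildName).sys" }
            $registered[(ConvertTo-Win32DriverPath $img)] = $k.PSChildName
        }
    }
    # 2. Every driver image currently mapped in the kernel, straight from EnumDeviceDrivers.
    $needed = 0
    [void][Win32.Psapi]::EnumDeviceDrivers($null, 0, [ref]$needed)
    $bases = New-Object IntPtr[] ([int]($needed / [IntPtr]::Size))
    [void][Win32.Psapi]::EnumDeviceDrivers($bases, $needed, [ref]$needed)
    # 3. Report what the thread describes: loaded, but the Services key (and maybe the file) is gone.
    $bases | ForEach-Object {
        $sb = New-Object System.Text.StringBuilder 1024
        [void][Win32.Psapi]::GetDeviceDriverFileNameW($_, $sb, $sb.Capacity)
        $path = ConvertTo-Win32DriverPath $sb.ToString()
        [pscustomobject]@{
            ImageBase = ('0x{0:X}' -f $_.ToInt64())
            Path      = $path
            Service   = $registered[$path]
            OnDisk    = Test-Path -LiteralPath $path
        }
    } | Where-Object { -not $_.Service -or -not $_.OnDisk }
}

Get-UnregisteredKernelDrivers | Format-Table -AutoSize
```

Expect a small baseline of hits on any healthy host (ntoskrnl.exe, hal.dll and other boot-time images that never have a service key), so compare the output against a known-good machine rather than treating every row as hostile.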
> You can do that even from the driver itself and also remove
> its image file. By the way, this is where the funny part begins.
> Removing all evidence of your driver after it has been loaded.
> Heck, you can even create some system threads in your driver
> entry and immediately unload your driver.
> duplicate your driver into nonpaged pool before doing so)
I feel like this is the type of thing which would be discussed on the aforementioned "Chinese and Russian language" driver forums.
Hence, I won't discuss this issue(s) further.
Best Regards
Microwave89