Get file attribute information in driver

Hey, how can I get file information such as the version in a Windows driver? There are some methods in user mode such as VerQueryValueA etc., but there is no information in MSDN about getting it in a driver.

Try reading the Device Properties; there is a version key:
https://docs.microsoft.com/en-us/windows-hardware/drivers/install/devpkey-device-driverversion

@Baget said:
Try reading the Device Properties; there is a version key:
DEVPKEY_Device_DriverVersion - Windows drivers | Microsoft Learn

Hey, What I mean is

You really don’t want to do this from your driver. Why not have a “helper” service in user-mode retrieve and interpret this information, and then pass whatever is necessary to your driver?

Peter

weilin_jiang wrote:

Hey, how can I get file information such as the version in a Windows driver? There are some methods in user mode such as VerQueryValueA etc., but there is no information in MSDN about getting it in a driver.

There are no APIs to do so.  You would have to do it by hand, by
locating the PE section directory, finding the .rsrc section, and
parsing the version resources yourself.  You don’t really want to do
that.  Listen to Peter.
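
The last step of the hand-parse Tim describes, as an added example that is not part of the thread: portable C that pulls the file version out of raw version-resource (VS_VERSIONINFO) bytes, checking every offset against the buffer length. It assumes the bytes were already read from the file on disk (for instance by the user-mode helper Peter suggests) and skips the PE section and resource-directory walk; `parse_version_resource`, `build_sample` and the 10.0.17763.1 sample are names and values constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VS_FFI_SIGNATURE 0xFEEF04BDu  /* VS_FIXEDFILEINFO.dwSignature */
#define FFI_SIZE 52u                  /* VS_FIXEDFILEINFO is 13 DWORDs */
typedef struct { uint16_t major, minor, build, revision; } file_version;
static const char KEY[] = "VS_VERSION_INFO"; /* stored as UTF-16LE, NUL included */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Hypothetical helper: returns 0 on success, -1 on truncated or malformed input. */
int parse_version_resource(const uint8_t *buf, size_t len, file_version *out)
{
    if (len < 6) return -1;                        /* wLength, wValueLength, wType */
    size_t total = rd16(buf), value_len = rd16(buf + 2), off = 6;
    if (total > len || total < off + 2 * sizeof KEY) return -1;
    if (value_len < FFI_SIZE) return -1;
    for (size_t i = 0; i < sizeof KEY; i++)        /* szKey must match exactly */
        if (rd16(buf + off + 2 * i) != (uint16_t)KEY[i]) return -1;
    off = (off + 2 * sizeof KEY + 3) & ~(size_t)3; /* Padding1: 32-bit alignment */
    if (off + FFI_SIZE > total) return -1;         /* fixed info must fit */
    if (rd32(buf + off) != VS_FFI_SIGNATURE) return -1;
    uint32_t ms = rd32(buf + off + 8), ls = rd32(buf + off + 12);
    out->major = (uint16_t)(ms >> 16); out->minor = (uint16_t)ms;
    out->build = (uint16_t)(ls >> 16); out->revision = (uint16_t)ls;
    return 0;
}

/* Constructed sample: a minimal 92-byte blob carrying version 10.0.17763.1. */
size_t build_sample(uint8_t buf[92])
{
    memset(buf, 0, 92);
    buf[0] = 92; buf[2] = (uint8_t)FFI_SIZE;       /* wLength, wValueLength */
    for (size_t i = 0; i < sizeof KEY - 1; i++) buf[6 + 2 * i] = (uint8_t)KEY[i];
    wr32(buf + 40, VS_FFI_SIGNATURE);
    wr32(buf + 48, (10u << 16) | 0u);              /* dwFileVersionMS */
    wr32(buf + 52, (17763u << 16) | 1u);           /* dwFileVersionLS */
    return 92;
}

int main(void)
{
    uint8_t blob[92]; file_version v;
    if (parse_version_resource(blob, build_sample(blob), &v) != 0) return 1;
    printf("%d.%d.%d.%d\n", v.major, v.minor, v.build, v.revision);
    return 0;
}
```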

Peter and Tim are right, too many levels up for you to have any
involvement. #hackorama

On Fri, Dec 14, 2018 at 4:24 PM Tim_Roberts
wrote:

> weilin_jiang wrote:
> > Hey, how can I get file information such as the version in a Windows driver?
> There are some methods in user mode such as VerQueryValueA etc., but there is no
> information in MSDN about getting it in a driver.
>
> There are no APIs to do so. You would have to do it by hand, by
> locating the PE section directory, finding the .rsrc section, and
> parsing the version resources yourself. You don’t really want to do
> that. Listen to Peter.

What you can do, if you have an install script for your driver, is put some information into the registry under your driver's service path. You can easily read this information in the driver.
You mention “copyright…”. It sounds as though you want to prohibit anyone from changing your driver. You know that if the user changes a signed driver, the certificate is broken. I looked at the function “WinVerifyTrust”, but this function is not supported in kernel mode.

You would have to do it by hand, by locating the PE section directory, finding the .rsrc section, and
parsing the version resources yourself. You don’t really want to do that. Listen to Peter.

Please note that parsing PE headers from the driver may be unsafe, because the system may discard some stuff that it knows is not going to be needed after the driver has already been loaded. For example, this is what it does with the .INIT section, and, IIRC, some PE-related sections of the driver’s loaded image may follow the same pattern. As a result, some pointers that you get by adding the RVA offsets to the module’s base address may be, in actuality, pointing to the middle of nowhere. Unfortunately, I cannot immediately recall all the details because I encountered this “caveat” around 15 years ago or so, but I do recall seeing BSOD a few times before actually realising what was going on and why I was seeing it.

The moral of the story - don’t try messing around with PE headers from the driver

Anton Bassov

@“Peter_Viscarola_(OSR)” said:
You really don’t want to do this from your driver. Why not have a “helper” service in user-mode retrieve and interpret this information, and then pass whatever is necessary to your driver?

Peter

Thanks, Peter.
I think this way is too complicated, so I want to know if there is an easier way to approach it.

@Tim_Roberts said:
weilin_jiang wrote:

Hey, how can I get file information such as the version in a Windows driver? There are some methods in user mode such as VerQueryValueA etc., but there is no information in MSDN about getting it in a driver.

There are no APIs to do so. You would have to do it by hand, by
locating the PE section directory, finding the .rsrc section, and
parsing the version resources yourself. You don’t really want to do
that. Listen to Peter.

@anton_bassov said:

You would have to do it by hand, by locating the PE section directory, finding the .rsrc section, and
parsing the version resources yourself. You don’t really want to do that. Listen to Peter.

Please note that parsing PE headers from the driver may be unsafe, because the system may discard some stuff that it knows is not going to be needed after the driver has already been loaded. For example, this is what it does with the .INIT section, and, IIRC, some PE-related sections of the driver’s loaded image may follow the same pattern. As a result, some pointers that you get by adding the RVA offsets to the module’s base address may be, in actuality, pointing to the middle of nowhere. Unfortunately, I cannot immediately recall all the details because I encountered this “caveat” around 15 years ago or so, but I do recall seeing BSOD a few times before actually realising what was going on and why I was seeing it.

The moral of the story - don’t try messing around with PE headers from the driver

Anton Bassov

It seems that this is not a standard way and it is too dangerous to do in driver mode.

Maybe I really should do it in user mode and then send it to the driver.

Maybe I really should do it in user mode and then send it to the driver.

That’s the way people do it. It’s faaaar easier to do this in user mode and send it to the driver, than it is to do this in kernel mode.

Peter