
strange issue with getting driver base address

Qwert664 Member Posts: 7

Hello, I am trying to get a kernel image base address by walking through PsLoadedModuleList. I have a strange access violation bugcheck in RtlDowncaseUnicodeString + 0x4D. Strangely, my code works perfectly on someone else's machine.

```c
PVOID GetDriverBaseAddress(OUT PULONG pSize, UNICODE_STRING DriverName)
{
    DbgPrint("requested module name %wZ \n", &DriverName);

    PLIST_ENTRY moduleList = (PLIST_ENTRY)PsLoadedModuleList;

    UNICODE_STRING DrvName;

    for (PLIST_ENTRY link = moduleList;
        link != moduleList->Blink;
        link = link->Flink)
    {
        PLDR_DATA_TABLE_ENTRY entry = CONTAINING_RECORD(link, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);

        RtlDowncaseUnicodeString(&DrvName, &entry->BaseDllName, TRUE);

        DbgPrint("module name %wZ \n", &entry->BaseDllName);

        if (RtlCompareUnicodeString(&DriverName, &DrvName, FALSE) == 0)
        {
            DbgPrint("module found, size %i  base address %p \n", entry->SizeOfImage, entry->DllBase);

            if (pSize && MmIsAddressValid(pSize))
            {
                *pSize = entry->SizeOfImage;
            }

            return entry->DllBase;
        }

        RtlFreeUnicodeString(&DrvName);
    }

    return 0;
}
```

Comments

  • Peter_Viscarola_(OSR) Administrator Posts: 8,411

    I am trying to get a kernel image base address by walking through PsLoadedModuleList.

    Why?

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Qwert664 Member Posts: 7

    @Peter_Viscarola_(OSR) said:

    I am trying to get a kernel image base address by walking through PsLoadedModuleList.

    Why?

    Peter

    I'm working on a hypervisor for dynamically analyzing driver images, so I need to find image base address for stealth hooking.

  • Tim_Roberts Member - All Emails Posts: 13,916

    Is it possible this is running at a raised IRQL? It's well known that the Unicode translation tables all live in paged memory and require PASSIVE_LEVEL. If you have driver verifier running, it aggressively pages out paged memory to force these kinds of errors.

    Tim Roberts
    Providenza & Boekelheide, Inc.

  • anton_bassov Member MODERATED Posts: 5,245

    I'm working on a hypervisor for dynamically analyzing driver images, so I need to find image base address for stealth hooking

    Something tells me that you are not going to last long in this NG with the projects like that. After all, it sounds like just a classical description of Blue Pill-style rootkit......

    Anton Bassov

  • ThatsBerkan Member Posts: 56
    edited March 6

    You don't check the return status of RtlDowncaseUnicodeString, you most likely don't run at < DISPATCH_LEVEL, you don't disable the APCs and lock the _RESOURCE* object (PsLoadedModuleResource) used to synchronize access to the PsLoadedModuleList, etc...

    If you're going to mess with undocumented lists and functions, you should at least understand how it works... instead of pasting everything together from some rootkit code you've found on github.

  • Peter_Viscarola_(OSR) Administrator Posts: 8,411

    Something tells me that you are not going to last long in this NG

    Something tells me Mr. Bassov has seen the future.

    Just sayin,

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Qwert664 Member Posts: 7

    So I decided to check IRQL as suggested by some people in this thread, and IRQL is PASSIVE_LEVEL

  • Sergey_Pisarev Member - All Emails Posts: 275

    @anton_bassov said:

    I'm working on a hypervisor for dynamically analyzing driver images, so I need to find image base address for stealth hooking

    Something tells me that you are not going to last long in this NG with the projects like that. After all, it sounds like just a classical description of Blue Pill-style rootkit......

    Anton Bassov

    Virtualization-based Security in Windows is based on the ideas devised by Blue Pill.
    Not everything that is based on a rootkit in general or Blue Pill in particular is necessarily bad.

    Problem is the use of undocumented structures.
    Using HW virtualization to intercept certain events is totally ok if you are able to implement it correctly.

  • Sergey_Pisarev Member - All Emails Posts: 275

    @Qwert664 said:
    So I decided to check IRQL as suggested by some people in this thread, and IRQL is PASSIVE_LEVEL

    If you do that in a vmexit callback, IRQL doesn't matter - interrupts are disabled completely.

  • Qwert664 Member Posts: 7
    edited March 6

    @Sergey_Pisarev said:

    @Qwert664 said:
    So I decided to check IRQL as suggested by some people in this thread, and IRQL is PASSIVE_LEVEL

    If you do that in a vmexit callback, IRQL doesn't matter - interrupts are disabled completely.

    I'm not doing this in the vmexit handler; in fact I'm actually testing this piece of code completely separately from the main project. My suspicion was that the offsets for the structs had changed, however I checked in windbg and this was not the case.

    EDIT: The problem was caused by #include <pshpack1>, which messed up some struct alignment. I removed this header include and everything works perfectly now. Thanks for all the replies.
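The two things this thread turns on, walking a LIST_ENTRY list correctly (the head of PsLoadedModuleList is a bare LIST_ENTRY, not a module entry, so the walk must start at head->Flink) and what a stray pshpack1.h include does to structure offsets, shown in a user-mode C illustration added here; it is not code from the original thread. LIST_ENTRY, UNICODE_STRING and a trimmed LDR_DATA_TABLE_ENTRY stand-in are constructed for the example (the real structure is undocumented and has more fields), the pshpack1.h effect is simulated with #pragma pack, and the three-module list is sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <wchar.h>
#include <wctype.h>
/* Constructed stand-ins for LIST_ENTRY, UNICODE_STRING and the leading fields of LDR_DATA_TABLE_ENTRY. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct { uint16_t Length, MaximumLength; wchar_t *Buffer; } UNICODE_STRING;
#define CONTAINING_RECORD(p, type, field) ((type *)((char *)(p) - offsetof(type, field)))
#define ENTRY_FIELDS LIST_ENTRY InLoadOrderLinks; void *DllBase; uint32_t SizeOfImage; UNICODE_STRING BaseDllName;
typedef struct { ENTRY_FIELDS } ENTRY;          /* natural alignment: how the kernel built it */
#pragma pack(push, 1)
typedef struct { ENTRY_FIELDS } ENTRY_PACKED;   /* what a stray #include <pshpack1.h> produces */
#pragma pack(pop)
/* Bytes by which the packed view mis-locates BaseDllName: 4 on x64, 0 on x86. */
size_t name_offset_mismatch(void) { return offsetof(ENTRY, BaseDllName) - offsetof(ENTRY_PACKED, BaseDllName); }
/* Read Buffer where the packed layout says it lives: on x64 that is a bogus pointer, the one
 * RtlDowncaseUnicodeString would then dereference and fault on. */
int packed_view_misreads_buffer(const ENTRY *e) {
    wchar_t *seen;
    memcpy(&seen, (const char *)e + offsetof(ENTRY_PACKED, BaseDllName) + offsetof(UNICODE_STRING, Buffer), sizeof seen);
    return seen != e->BaseDllName.Buffer;
}
static int equal_nocase(const UNICODE_STRING *a, const wchar_t *b) {
    size_t n = a->Length / sizeof(wchar_t);     /* Length counts bytes, not characters */
    for (size_t i = 0; i < n; i++)
        if (b[i] == 0 || towlower(a->Buffer[i]) != towlower(b[i])) return 0;
    return b[n] == 0;
}
/* Walk from head->Flink until back at head: the head is a bare LIST_ENTRY, not an entry. */
void *find_module(LIST_ENTRY *head, const wchar_t *name, uint32_t *size) {
    for (LIST_ENTRY *link = head->Flink; link != head; link = link->Flink) {
        ENTRY *e = CONTAINING_RECORD(link, ENTRY, InLoadOrderLinks);
        if (!equal_nocase(&e->BaseDllName, name)) continue;
        if (size) *size = e->SizeOfImage;
        return e->DllBase;
    }
    return NULL;
}
/* Constructed three-entry list whose head, like PsLoadedModuleList, is a bare LIST_ENTRY. */
static LIST_ENTRY g_head; static ENTRY g_mods[3];
static wchar_t *g_names[] = { L"ntoskrnl.exe", L"hal.dll", L"MyDriver.sys" };
LIST_ENTRY *build_sample_list(void) {
    g_head.Flink = g_head.Blink = &g_head;
    for (int i = 0; i < 3; i++) {
        ENTRY *e = &g_mods[i]; LIST_ENTRY *l = &e->InLoadOrderLinks;
        e->DllBase = (void *)(uintptr_t)(0x10000u * (i + 1)); e->SizeOfImage = 0x1000u * (i + 1);
        e->BaseDllName.Buffer = g_names[i]; e->BaseDllName.Length = (uint16_t)(wcslen(g_names[i]) * sizeof(wchar_t));
        l->Flink = &g_head; l->Blink = g_head.Blink; g_head.Blink->Flink = l; g_head.Blink = l;  /* InsertTailList */
    }
    return &g_head;
}
```

On x64 the packed view places BaseDllName four bytes early, so its Buffer field is read from the real Length/MaximumLength/padding bytes; in a driver, the documented AuxKlibQueryModuleInformation avoids depending on this layout at all.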

  • anton_bassov Member MODERATED Posts: 5,245

    Problem is the use of undocumented structures.

    Actually, I am more "impressed" by "stealth hooking" part. The use of undocumented structures in itself is not necessarily a sign of malicious intentions (although it is most definitely not a sign of good engineering habits either, especially if some "supported" alternatives are available). However, the willingness to become transparent to the OS is "rather suspicious".....

    Anton Bassov

  • Daniel_Terhell Member Posts: 1,357

    Hello, I am trying to get a kernel image base address by walking through PsLoadedModuleList

    Why don't you use AuxKlibQueryModuleInformation, which is documented for this purpose?
    //Daniel

  • anton_bassov Member MODERATED Posts: 5,245

    Why don't you use AuxKlibQueryModuleInformation, which is documented for this purpose?

    The most likely scenario is that, in his pursuit of "stealth hooking", the OP simply wants to unlink his module from PsLoadedModuleList, i.e. to do the trick that had been described by Mr. Hoglund and Mr. Butler in "Subverting the Windows Kernel" more than 15 years ago.

    Anton Bassov
