How to start driver, which has imports from my own kernel dll?

Library files (.lib) are a thing

Are you asking how to build the driver? Or how to load the driver? For loading the driver, you need to make sure that the export driver is also deployed to the system (typically in the same INF as the consuming driver). When the memory manager loads your driver image, it will also load and initialize your export driver based on the import table in your driver. When your driver’s entry point runs, the export driver will be up and running.

Are you asking how to build the driver? Or how to load the driver?

Check the following thread, so that you get some idea of the OP’s objectives.

https://community.osr.com/discussion/292747/sync-memory-patch-execution

Anton Bassov

@Doron_Holan said:
Are you asking how to build the driver? Or how to load the driver? For loading the driver, you need to make sure that the export driver is also deployed to the system (typically in the same INF as the consuming driver). When the memory manager loads your driver image, it will also load and initialize your export driver based on the import table in your driver. When your driver’s entry point runs, the export driver will be up and running.

Yeah, thanks for the help. An export driver is what I need; it works like I expected.

P.S. I am trying to move some of the logic into a DLL so that I can compile this DLL in two versions, for user space and for the kernel, and integrate some basic tests into CI/CD without launching a second VM.
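As an added example (not code from this thread or from the OP’s project) of the arrangement Doron describes and the dual user-mode/kernel-mode build the OP mentions, the single C file below builds as a kernel-mode export driver under the WDK and, without `_KERNEL_MODE`, as a plain user-mode program that a CI job can run. The record format, the `SH_*` names, the pool tag and the `_KERNEL_MODE` gate are assumptions; the export-driver entry points (a `DriverEntry` link stub plus `DllInitialize`/`DllUnload`, which the loader calls when a consumer’s import table pulls the image in) follow my reading of the WDK’s export-driver documentation and should be checked against your WDK version.

```c
/* sh_logic.c: added example, not code from the thread or the OP's project.
 * One source file built twice: as a kernel-mode export driver (the "kernel DLL"
 * the question is about) and as a user-mode program, so the same logic runs in
 * the consuming driver and in a user-mode unit test in CI without a second VM.
 *
 * Assumptions (verify against your WDK):
 *  - the kernel build defines _KERNEL_MODE for driver targets;
 *  - the kernel project is configured as an export driver, so linking produces
 *    sh_logic.sys plus sh_logic.lib for the consuming driver to link against,
 *    and the consumer's INF deploys sh_logic.sys next to its own .sys;
 *  - the loader calls DllInitialize/DllUnload on an export driver that is loaded
 *    through a consumer's import table; DriverEntry is only a link stub here.
 * All SH_* names and the record format are hypothetical (constructed for this example).
 */
#include <string.h>                         /* memcpy is available in the kernel CRT too */
#ifdef _KERNEL_MODE
#include <ntddk.h>
#define SH_EXPORT __declspec(dllexport)     /* or list the names in a .def file */
#define SH_POOL_TAG 'goLS'
static void *ShAlloc(size_t n) { return ExAllocatePool2(POOL_FLAG_NON_PAGED, n, SH_POOL_TAG); }
static void  ShFree(void *p)   { ExFreePoolWithTag(p, SH_POOL_TAG); }
#else
#include <stdio.h>
#include <stdlib.h>
#define SH_EXPORT
static void *ShAlloc(size_t n) { return malloc(n); }
static void  ShFree(void *p)   { free(p); }
#endif

typedef enum { SH_OK = 0, SH_ERR_TRUNCATED, SH_ERR_BAD_MAGIC, SH_ERR_OVERLONG, SH_ERR_NO_MEMORY } SH_STATUS;

/* Constructed wire format: 'S' 'H', u16 little-endian payload length, payload bytes. */
typedef struct { unsigned char *payload; size_t payload_len; } SH_RECORD;

#define SH_HDR_LEN     4
#define SH_MAX_PAYLOAD 64   /* hard cap so a hostile length field cannot drive a large allocation */

/* Parse an untrusted buffer (e.g. an IOCTL input buffer) into a freshly allocated copy.
 * Every length is checked against buf_len before it is used, and the copy means the
 * caller never keeps a pointer into memory it does not own. */
SH_EXPORT SH_STATUS ShParseRecord(const unsigned char *buf, size_t buf_len, SH_RECORD *out)
{
    size_t plen;
    out->payload = NULL;
    out->payload_len = 0;
    if (buf == NULL || buf_len < SH_HDR_LEN) return SH_ERR_TRUNCATED;
    if (buf[0] != 'S' || buf[1] != 'H')      return SH_ERR_BAD_MAGIC;
    plen = (size_t)buf[2] | ((size_t)buf[3] << 8);
    if (plen > SH_MAX_PAYLOAD)          return SH_ERR_OVERLONG;
    if (plen > buf_len - SH_HDR_LEN)    return SH_ERR_TRUNCATED;   /* no underflow: buf_len >= 4 here */
    if (plen == 0)                      return SH_OK;
    out->payload = (unsigned char *)ShAlloc(plen);
    if (out->payload == NULL)           return SH_ERR_NO_MEMORY;
    memcpy(out->payload, buf + SH_HDR_LEN, plen);
    out->payload_len = plen;
    return SH_OK;
}

SH_EXPORT void ShFreeRecord(SH_RECORD *r)
{
    if (r->payload) ShFree(r->payload);
    r->payload = NULL;
    r->payload_len = 0;
}

/* Parse-and-release helper returning only the status; handy for negative tests. */
SH_EXPORT SH_STATUS ShCheckRecord(const unsigned char *buf, size_t buf_len)
{
    SH_RECORD r;
    SH_STATUS s = ShParseRecord(buf, buf_len, &r);
    ShFreeRecord(&r);   /* safe on error: ShParseRecord leaves payload NULL */
    return s;
}

#ifdef _KERNEL_MODE
/* Export-driver entry points (see assumptions above). */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(DriverObject);
    UNREFERENCED_PARAMETER(RegistryPath);
    return STATUS_SUCCESS;
}
NTSTATUS DllInitialize(PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);
    return STATUS_SUCCESS;
}
NTSTATUS DllUnload(VOID) { return STATUS_SUCCESS; }
#else
/* User-mode self-test: the CI step compiles this file without _KERNEL_MODE and runs it.
 * Returns the number of failing checks (0 on success). Inputs are constructed. */
int ShSelfTest(void)
{
    static const unsigned char good[] = { 'S', 'H', 3, 0, 'a', 'b', 'c' };
    static const unsigned char big[]  = { 'S', 'H', 200, 0, 'x' };   /* length field > cap */
    static const unsigned char cut[]  = { 'S', 'H', 5, 0, 'a' };     /* claims 5 bytes, has 1 */
    static const unsigned char bad[]  = { 'X', 'Y', 0, 0 };
    SH_RECORD r;
    int failures = 0;
    if (ShParseRecord(good, sizeof good, &r) != SH_OK || r.payload_len != 3 ||
        memcmp(r.payload, "abc", 3) != 0) failures++;
    ShFreeRecord(&r);
    if (ShCheckRecord(good, 2) != SH_ERR_TRUNCATED)           failures++;
    if (ShCheckRecord(big, sizeof big) != SH_ERR_OVERLONG)    failures++;
    if (ShCheckRecord(cut, sizeof cut) != SH_ERR_TRUNCATED)   failures++;
    if (ShCheckRecord(bad, sizeof bad) != SH_ERR_BAD_MAGIC)   failures++;
    return failures;
}
int main(void)
{
    int f = ShSelfTest();
    printf("%s (%d failing checks)\n", f ? "FAIL" : "PASS", f);
    return f ? 1 : 0;
}
#endif
```

Build the user-mode variant with any C compiler (for example `cc sh_logic.c` on the CI runner) and let its exit code gate the pipeline; build the kernel variant as an export-driver project, link the consuming driver against the generated .lib, and list both .sys files in the consumer’s INF, as Doron notes above.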

@anton_bassov said:

Are you asking how to build the driver? Or how to load the driver?

Check the following thread, so that you get some idea of the OP’s objectives.

https://community.osr.com/discussion/292747/sync-memory-patch-execution

Anton Bassov

I think researching Windows internals, and how it works, is not a bad objective. It gives you knowledge about vulnerabilities on your system and helps you protect yourself.

I think researching Windows internals, and how it works, is not a bad objective.

Sure. The most efficient way of doing it these days is simply downloading a copy of the WRK and checking how the functions of your interest are actually implemented. This option was unavailable back in the days when I was programming Windows, so we had to rely upon disassembly. Assuming that one had a copy of the IDA Pro disassembler and the SoftICE debugger, this was great fun indeed.

However, assuming that your objective is, indeed, just learning Windows internals, I just cannot see how hooking the SSDT may possibly help you with this task.

It gives you knowledge about vulnerabilities on your system and helps you protect yourself.

“Protecting yourself” by means of disabling the PatchGuard and hooking the system calls? Come on, give me a break…

Anton Bassov

@anton_bassov said:

I think researching Windows internals, and how it works, is not a bad objective.

Sure. The most efficient way of doing it these days is simply downloading a copy of the WRK and checking how the functions of your interest are actually implemented. This option was unavailable back in the days when I was programming Windows, so we had to rely upon disassembly. Assuming that one had a copy of the IDA Pro disassembler and the SoftICE debugger, this was great fun indeed.

However, assuming that your objective is, indeed, just learning Windows internals, I just cannot see how hooking the SSDT may possibly help you with this task.

It gives you knowledge about vulnerabilities on your system and helps you protect yourself.

“Protecting yourself” by means of disabling the PatchGuard and hooking the system calls? Come on, give me a break…

Anton Bassov

No, no)) I don’t think launching malware on your host machine is a good idea) But on a VM, with your driver which hooks syscalls and logs events, it can give you some information.

Are we seeing an increase in these strange, inexperienced, malware-type queries lately? Or is it just me?

I wonder why I just don’t delete these…

Peter


But on a VM, with your driver which hooks syscalls and logs events, it can give you some information.

At this point the whole nonsense becomes suspiciously reminiscent of the following thread (particularly of its “stealth hooking” part), which seems to confirm my suspicions further.

https://community.osr.com/discussion/comment/300538

As long as you happen to be an attacker, hooking the system calls while trying to stay invisible to the OS is, indeed, one of the best possible strategies one can possibly imagine; this is simply out of the question. However, when it comes to actually protecting your system (i.e. doing something that you claim to be trying to do), this is the very last thing that may be of help.

Anton Bassov

Are we seeing an increase in these strange, inexperienced, malware-type queries lately?

Yes, indeed. Since Microsoft has now made it essentially impossible for me to answer questions on their forums, I’ve moved to StackOverflow. There are quite a few posts there from novices trying to mount dictionary password attacks, or trying to finagle logins on other websites.

What I’m most shocked about is the huge number of posts from absolute newbies trying to create a website by scraping information from other websites. It’s like someone trying to publish a magazine consisting of ads and articles clipped from other magazines. It truly seems that there is a lack of simple ethics education in many parts of the world.


@anton_bassov said:

But on a VM, with your driver which hooks syscalls and logs events, it can give you some information.

At this point the whole nonsense becomes suspiciously reminiscent of the following thread (particularly of its “stealth hooking” part), which seems to confirm my suspicions further.

https://community.osr.com/discussion/comment/300538

As long as you happen to be an attacker, hooking the system calls while trying to stay invisible to the OS is, indeed, one of the best possible strategies one can possibly imagine; this is simply out of the question. However, when it comes to actually protecting your system (i.e. doing something that you claim to be trying to do), this is the very last thing that may be of help.

Anton Bassov

Hooking syscalls on a real modern Windows system… it’s unreal… You can do it only in a known environment which has some security settings disabled, so hooking syscalls on a real PC… No malware does it in the real world.
But it is used in virtual labs, for research.

Hooking syscalls on a real modern Windows system… it’s unreal… You can do it only in a known environment which has some security settings disabled, so hooking syscalls on a real PC… No malware does it in the real world.

Hooking the SSDT directly from the target system is, indeed, a sort of infeasible task these days. This is where VM extensions may come in handy.

But it is used in virtual labs, for research.

Well, in order to do the security research one needs the level of knowledge SIGNIFICANTLY above the one suggested by your questions…

Anton Bassov
