
How can I find the driver_object address of a driver without symbols?

henrik_meida Member Posts: 118

I want to find the address of a driver_object of a specific driver in a crash dump that I don't have symbols for.

Usually when I type !drvobj drivername, WinDbg finds the driver object, but I assume it can't find it now because I don't have the symbols for this driver loaded.

So how can I find the driver_object of this driver, in order to use !drvobj drivername 2?

Comments

  • Peter_Viscarola_(OSR) Administrator Posts: 8,846
    edited January 1

    I clearly don’t understand your question…. You know the name of the driver? So… Does !drvobj name (where name is the name of the driver) not work? You shouldn’t need the driver symbols for that.

    The “lm” command shows the driver IS loaded?

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • henrik_meida Member Posts: 118

    @Peter_Viscarola_(OSR) said:
    I clearly don’t understand your question…. You know the name of the driver? So… Does !drvobj name (where name is the name of the driver) not work? You shouldn’t need the driver symbols for that.

    The “lm” command shows the driver IS loaded?

    Peter

    Turns out the reason for this was that it was a malicious driver and it was doing some stuff to its DRIVER_OBJECT that was causing !drvobj to fail.

    So let's assume that for whatever reason !drvobj doesn't work, but I know the name of the driver and its start and end address based on the lm command, what is the easiest way that I can find its corresponding DRIVER_OBJECT address in this situation? (using WinDbg commands)
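The thread ends on that question. The WinDbg command sequence below is an added example of how an analyst can locate a DRIVER_OBJECT from a crash dump when !drvobj by name fails; it was not posted by anyone in the thread and is not OSR's material. It assumes a 64-bit kernel dump with the kernel (nt) symbols loaded (the driver itself needs no symbols), uses "badguy" as a placeholder driver name, placeholder addresses and pool ranges that must be replaced with values from your own dump, and relies on the x64 _DRIVER_OBJECT layout (DriverStart at offset 0x18, MajorFunction at offset 0x70, Type 4, Size 0x150).

```windbg
$$ Added example, not from the thread. Placeholders: "badguy", all addresses,
$$ <obj>, <pool_start>, <pool_len>. Assumes x64 dump with nt symbols loaded.

$$ 1. Record the module base and size that lm reports for the driver.
lm m badguy
$$    e.g.  start fffff803`4a000000  end fffff803`4a010000  badguy  (no symbols)
r $t1 = fffff803`4a000000
$$    $t1 = module base (placeholder); $t2 = module size (placeholder: end - start)
r $t2 = 0x10000

$$ 2. Ask the object manager by name instead of using !drvobj. The address
$$    printed is the DRIVER_OBJECT. File-system and filter drivers register
$$    under \FileSystem rather than \Driver.
!object \Driver\badguy
!object \FileSystem\badguy

$$ 3. If the name lookup fails (renamed object), list every driver object in
$$    both directories and compare each candidate's DriverStart with $t1.
!object \Driver
!object \FileSystem
dt nt!_DRIVER_OBJECT <obj> Type Size DriverStart DriverSize DriverName

$$ 4. If the object is in neither directory, scan nonpaged pool for a qword
$$    equal to the module base. DriverStart is at offset 0x18 of a 64-bit
$$    _DRIVER_OBJECT, so each hit minus 0x18 is a candidate object.
$$    <pool_start>/<pool_len> are placeholders for the dump's nonpaged pool range.
.foreach (hit { s -[1]q <pool_start> L?<pool_len> @$t1 }) { r $t0 = hit; r $t0 = @$t0 - 0x18; dt nt!_DRIVER_OBJECT @$t0 Type Size DriverStart DriverSize DriverName }
$$    A genuine object has Type 4, Size 0x150, DriverSize equal to @$t2 and a
$$    DriverName that names the driver; !pool on it reports the "Driv" pool tag.
!pool <obj>

$$ 5. With the address in hand, !drvobj works on the address rather than the name.
!drvobj <obj> 2
$$    For a tampered object, dump the 28 MajorFunction slots directly and check
$$    that every pointer lies inside [@$t1, @$t1 + @$t2) or inside another
$$    module listed by lm; a pointer into unbacked memory is the finding.
dps <obj>+0x70 L1c
```

Steps 2 and 3 are usually enough; step 4 is the fallback for an object that has been unlinked from the object manager directories, and step 5 is the check that matters once the object is found, because a driver that tampers with its own DRIVER_OBJECT typically does so in the dispatch table.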
