Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTFSD

Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


What's done in a minifilter GsDriverEntry routine?

fafalonefafalone Member Posts: 4

I noticed that's where the entry point actually is. For KMDF drivers, it's clear what happens there, if unfortunately too poorly documented to understand much beyond a surface level. For minifilters, all the fltmgr.sys APIs show up in the IAT as direct imports and I don't see any imports not accounted for by user code that might be communicating with kernel components. Is there anything essential being done there? What happens if you set DriverEntry as the entry point?

Comments

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 9,025

    Is there anything essential being done there

    Yes.

    What happens if you set DriverEntry as the entry point?

    Things don't work properly.

    I mean... disassemble and walk into the code if you need more than that, right?

    Peter Viscarola
    OSR
    @OSRDrivers

  • fafalonefafalone Member Posts: 4

    Well I have very, very little knowledge of assembly. I did dump the disassembly and it sure looks like it's not doing anything besides a buffer-overrun protection related __security_init_cookie routine. Can you share your expertise as to why this assessment is incorrect, and why, assuming I could do without buffer overrun protection (old-style WDM drivers obviously run without it), it would not work to skip it, or possibly call it myself?

    GsDriverEntry:
      00000001400060A0: 48 89 5C 24 08     mov         qword ptr [rsp+8],rbx
      00000001400060A5: 57                 push        rdi
      00000001400060A6: 48 83 EC 20        sub         rsp,20h
      00000001400060AA: 48 8B DA           mov         rbx,rdx
      00000001400060AD: 48 8B F9           mov         rdi,rcx
      00000001400060B0: E8 17 00 00 00     call        __security_init_cookie
      00000001400060B5: 48 8B D3           mov         rdx,rbx
      00000001400060B8: 48 8B CF           mov         rcx,rdi
      00000001400060BB: E8 40 FF FF FF     call        DriverEntry
      00000001400060C0: 48 8B 5C 24 30     mov         rbx,qword ptr [rsp+30h]
      00000001400060C5: 48 83 C4 20        add         rsp,20h
      00000001400060C9: 5F                 pop         rdi
      00000001400060CA: C3                 ret
      00000001400060CB: CC                 int         3
    __security_init_cookie:
      00000001400060CC: 48 8B 05 2D CF FF  mov         rax,qword ptr [__security_cookie]
                        FF
      00000001400060D3: 48 85 C0           test        rax,rax
      00000001400060D6: 74 1B              je          00000001400060F3
      00000001400060D8: 48 B9 32 A2 DF 2D  mov         rcx,2B992DDFA232h
                        99 2B 00 00
      00000001400060E2: 48 3B C1           cmp         rax,rcx
      00000001400060E5: 74 0C              je          00000001400060F3
      00000001400060E7: 48 F7 D0           not         rax
      00000001400060EA: 48 89 05 17 CF FF  mov         qword ptr [__security_cookie_complement],rax
                        FF
      00000001400060F1: C3                 ret
      00000001400060F2: CC                 int         3
      00000001400060F3: B9 06 00 00 00     mov         ecx,6
      00000001400060F8: CD 29              int         29h
      00000001400060FA: CC CC
    

    Does the filter manager enforce the presence of this protection somehow?

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 9,025

    it sure looks like it's not doing anything besides a buffer-overrun protection related __security_init_cookie routine

    Your analysis is correct.

    it would not work to skip it, or possibly call it myself

    Why on EARTH would you want to do that?

    Peter Viscarola
    OSR
    @OSRDrivers

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. Sign in or register to get started.

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Writing WDF Drivers 12 September 2022 Live, Online
Internals & Software Drivers 23 October 2022 Live, Online
Kernel Debugging 14 November 2022 Live, Online
Developing Minifilters 5 December 2022 Live, Online