Hello everybody. I have a problem concerning the driver installation INF file. I want the ImagePath for a Windows driver (the ServiceBinary entry in the driver's INF file) to be in a custom directory (on USB flash). I have written it like this:
[DestinationDirs]
DefaultDestDir=-1; E:\path
NdisCopyfilessys=-1; E:\path
[... copyfiles.sys]
myDriver,,,2
[..._Service_Inst]
...........
ServiceBinary=%-1%\myDriver.sys
What is wrong? Thank you.
Comments
Right. Think about what that would mean. What if the drive is not present on boot? What if the drive enumerates as F:? What if you yank the drive during operation? You can't put a driver on removable media.
Tim Roberts, [email protected]
Providenza & Boekelheide, Inc.
Thank you for your reply. First, it says "Could not add the requested feature. The error is: A service installation section in this inf is invalid". Second, I tried to write StartType=3 (SERVICE_DEMAND_START). It also doesn't work. Third: well, Windows doesn't allow me to have a driver image on a removable disk. But Windows also doesn't allow me to have a driver image in any random directory on the hard disk, for example in my own directory "C:\MyDir", except some predefined system catalogs. Thank you.
Drivers belong in C:\Windows\System32\Drivers. If this is a non-PnP driver, then you don't need an INF at all. You can put the driver where you want (on a non-removable disk) and use the Service Manager APIs to create the Services entry to point wherever you want. This is how most of the SysInternals tools work. They have their drivers stored in the application's resources, and they install on the fly.
Tim Roberts, [email protected]
Providenza & Boekelheide, Inc.
Thank you, dear Tim_Roberts. I will try to do what you say.
Sorry, I did as you said, but nothing happened.
I only want to have my driver's image in another directory, not in Windows\System32\drivers.
Try %24%\mydir\ to use a directory on the system disk and see if that works. Absolute drive letters are a problem, as Mr Roberts mentioned.
Peter Viscarola
OSR
@OSRDrivers
Thank you, Mr. Peter_Viscarola. But that also does not work. I looked at the Windows policy rules, but found nothing there. My goal is to hide my net filter driver on the flash drive so that it is impossible to copy it.
Now I am trying to pass outgoing traffic to user mode and to do some modifications there in the user mode context. But it is not optimal, because a very large amount of data will circulate from the driver to the user mode application and then from user mode to the NIC.
If %24% doesn’t work for the serviceBinary key, you’re doing something wrong.
Post the exact syntax you’re using, please.
Peter
Peter Viscarola
OSR
@OSRDrivers
No, I am not running any verification tool. Well. Thank you very much.
;-------------------------------------------------------------------------
; NdisEncrypt.INF -- NDIS LightWeight Filter Driver
;
; TODO: Search for comments marked "TODO:", and follow their instructions to
; customize this INF for your driver. Then delete the "TODO:" comments.
;-------------------------------------------------------------------------
[version]
; Do not change these values
Signature = "$Windows NT$"
Class = NetService
ClassGUID = {4D36E974-E325-11CE-BFC1-08002BE10318}
; TODO: Customize this string for your company name
Provider = %Msft%
DriverVer =
CatalogFile = NdisEncrypt.cat
PnpLockdown = 1
;Include each architecture for which your driver package contains a compiled binary.
;If you do not supply a driver compiled for ia64, delete the NTia64 section.
[Manufacturer]
%Msft%=MSFT,NTx86,NTia64,NTamd64,NTarm,NTarm64
; MS_NdisEncrypt can be used with netcfg.exe to install/uninstall the driver.
[MSFT.NTx86]
%NdisEncrypt_Desc%=Install, MS_NdisEncrypt
[MSFT.NTia64]
%NdisEncrypt_Desc%=Install, MS_NdisEncrypt
[MSFT.NTamd64]
%NdisEncrypt_Desc%=Install, MS_NdisEncrypt
[MSFT.NTarm]
%NdisEncrypt_Desc%=Install, MS_NdisEncrypt
[MSFT.NTarm64]
%NdisEncrypt_Desc%=Install, MS_NdisEncrypt
;-------------------------------------------------------------------------
; Installation Section
;-------------------------------------------------------------------------
[Install]
AddReg=Inst_Ndi
Characteristics=0x40000 ;All LWFs must include the 0x40000 bit (NCF_LW_FILTER). Unlike miniports, you don't usually need to customize this value.
NetCfgInstanceId="{c0ba22b4-bb4a-4996-b2c9-e4399062c7f1}" ; This must be a random, unique value.FILTER_UNIQUE_NAME in filter.h must match this GUID identically.
Copyfiles = NdisEncrypt.copyfiles.sys
[SourceDisksNames]
1=%NdisEncrypt_Desc%,"",,
[SourceDisksFiles]
NdisEncrypt.sys=1
[DestinationDirs]
DefaultDestDir = -1, f:\mdir
NdisEncrypt.copyfiles.sys = -1, f:\mdir
[NdisEncrypt.copyfiles.sys]
NdisEncrypt.sys,,,2
;-------------------------------------------------------------------------
; Ndi installation support
;-------------------------------------------------------------------------
[Inst_Ndi]
HKR, Ndi,Service,,"NdisEncrypt"
HKR, Ndi,CoServices,0x00010000,"NdisEncrypt"
HKR, Ndi,HelpText,,%NdisEncrypt_HelpText%
;Set the FilterClass here. The FilterClass controls the order in which filters are bound to the underlying miniport.
;Possible options include: Custom, Diagnostic, Failover, Loadbalance, Vpn, Compression, Encryption, Scheduler
HKR, Ndi,FilterClass,, Encryption
;Specify whether you have a Modifying or Monitoring filter.
; For a Monitoring filter, use this: HKR, Ndi,FilterType,0x00010001, 1 ; Monitoring filter
; For a Modifying filter, use this: HKR, Ndi,FilterType,0x00010001, 2 ; Modifying filter
HKR, Ndi,FilterType,0x00010001,2
; Do not change these values
HKR, Ndi\Interfaces,UpperRange,,"noupper"
HKR, Ndi\Interfaces,LowerRange,,"nolower"
;Ensure that the list of media types below is correct. Typically, filters include "ethernet".
;Filters may also include "ppip" to include native WWAN stacks, but you must be prepared to handle the packet framing.
;Possible values are listed on MSDN, but common values include: ethernet, wan, ppip, ;wlan
HKR, Ndi\Interfaces, FilterMediaTypes,,"ethernet, wan, ppip"
HKR, Ndi,FilterRunType,0x00010001, 1 ; Mandatory filter
;-------------------------------------------------------------------------
; Service installation support
;-------------------------------------------------------------------------
[Install.Services]
; TODO: You may want to add the SPSVCINST_STARTSERVICE flag, like this:
; AddService=NdisEncrypt,0x800,NdisEncrypt_Service_Inst ; SPSVCINST_STARTSERVICE
AddService=NdisEncrypt,,NdisEncrypt_Service_Inst
[NdisEncrypt_Service_Inst]
DisplayName = %NdisEncrypt_Desc%
ServiceType = 1 ; 2
StartType = 1 ;SERVICE_SYSTEM_START
ErrorControl = 1 ;SERVICE_ERROR_NORMAL
ServiceBinary = %-1\NdisEncrypt.sys
;ServiceBinary = c:\Windows\System32\drivers\NdisEncrypt.sys
LoadOrderGroup = NDIS
Description = %NdisEncrypt_Desc%
AddReg = Common.Params.reg, NdisImPlatformBindingOptions.reg
DelService=NdisEncrypt,0x200 ; SPSVCINST_STOPSERVICE
[Install.Remove.Services]
; The SPSVCINST_STOPSERVICE flag instructs SCM to stop the NT service
; before uninstalling the driver.
DelService=NdisEncrypt,0x200 ; SPSVCINST_STOPSERVICE
[Common.Params.reg]
;You can add any sort of NDIS parameters here. Filter drivers don't always need NDIS parameters, so it's okay to have nothing here.
; Sample 1: "DriverParam" is a per-driver parameter.
HKR, FilterDriverParams\DriverParam, ParamDesc, , "Driverparam for lwf"
HKR, FilterDriverParams\DriverParam, default, , "5"
HKR, FilterDriverParams\DriverParam, type, , "int"
; Sample 2: "AdapterParam" is a per-module parameter.
HKR, FilterAdapterParams\AdapterParam, ParamDesc, , "Adapterparam for lwf"
HKR, FilterAdapterParams\AdapterParam, default, , "10"
HKR, FilterAdapterParams\AdapterParam, type, , "int"
[NdisImPlatformBindingOptions.reg]
; By default, when an LBFO team or Bridge is created, all filters will be
; unbound from the underlying members and bound to the TNic(s). This keyword
; allows a component to opt out of the default behavior
; To prevent binding this filter to the TNic(s):
; HKR, Parameters, NdisImPlatformBindingOptions,0x00010001,1 ; Do not bind to TNic
; To prevent unbinding this filter from underlying members:
; HKR, Parameters, NdisImPlatformBindingOptions,0x00010001,2 ; Do not unbind from Members
; To prevent both binding to TNic and unbinding from members:
; HKR, Parameters, NdisImPlatformBindingOptions,0x00010001,3 ; Do not bind to TNic or ;unbind from Members
HKR, Parameters, NdisImPlatformBindingOptions,0x00010001,0 ; Subscribe to default behavior
[Strings]
; TODO: Customize these strings.
Msft = "" ;TODO: Replace with your manufacturer name
NdisEncrypt_Desc = "NdisEncrypt NDIS LightWeight Filter"
NdisEncrypt_HelpText = "NdisEncrypt NDIS LightWeight Filter"
I'm not sure that you have thought through the reason why you want the driver file to reside in some custom location. There really is no argument for wanting to use a different location.
FYI driver image files, like other PE images, use the .SYS file to satisfy page faults. So the .SYS file must be available all the time or the OS can crash. This behavior is different on different versions of Windows.
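An added example, not part of the thread or of anyone's post: a small Python check that reads the [DestinationDirs] and ServiceBinary lines of an INF like the one posted above and flags driver-image locations that depend on a drive letter or carry a malformed %dirid% token. The function names and finding codes are hypothetical, and the sample input is constructed from the path-related lines of the posted INF.

```python
import re

# Constructed sample: only the path-related lines of the INF posted in the thread.
SAMPLE_INF = r"""
[DestinationDirs]
DefaultDestDir = -1, f:\mdir
NdisEncrypt.copyfiles.sys = -1, f:\mdir
[NdisEncrypt_Service_Inst]
StartType = 1 ;SERVICE_SYSTEM_START
ServiceBinary = %-1\NdisEncrypt.sys
"""

DIRID_TOKEN = re.compile(r"%(-?\d+)%")   # well-formed %dirid% token
DRIVE_PATH = re.compile(r"[A-Za-z]:\\")  # hard-coded drive letter at the start of a path

def parse_inf(text):
    """Map lower-cased section name -> [(key, value)]. Simplification: ';' always starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.append((key.strip(), value.strip()))
    return sections

def lint_driver_paths(text):
    """Return (code, section, key) findings for driver-image locations that are not system-relative."""
    findings = []
    for section, entries in parse_inf(text).items():
        for key, value in entries:
            if section == "destinationdirs":
                dirid, _, subdir = (p.strip() for p in value.partition(","))
                if dirid == "-1" or DRIVE_PATH.match(subdir):
                    findings.append(("ABSOLUTE_DEST", section, key))
            elif key.lower() == "servicebinary":
                if value.count("%") % 2:  # e.g. "%-1\..." has no closing '%'
                    findings.append(("UNBALANCED_TOKEN", section, key))
                if "-1" in DIRID_TOKEN.findall(value) or DRIVE_PATH.match(value):
                    findings.append(("ABSOLUTE_BINARY", section, key))
    return findings

if __name__ == "__main__":
    for finding in lint_driver_paths(SAMPLE_INF):
        print(finding)
```

An INF that uses dirid 12 (the drivers directory) or %24%\mydir, as suggested in the replies, produces no findings from this check.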
Thank you. I'm already going the other way. The reason for hiding my driver was because it contains a secret encryption algorithm. Okay. I now solve this problem by putting this algorithm in a user mode program and connecting it to my driver. Thanks to everyone who is trying to help me.
I want to ask another question. I want to send outgoing packets from an NDIS filter driver to a user mode program for modifying. I cannot understand which mechanism is more compatible here. Can I do it with IRP packets or in another way? If the best way is to use IRPs, then how can I respond to an IRP coming from user mode from some driver function (FilterSendNetBufferList, FilterReceiveNetBufferList ...), not from StartIo or DeviceIoControl?
I want to ask one more question. I want to send outgoing packets from an NDIS filter driver to a user mode program for modification. I can't figure out which mechanism is more compatible here. Can I do it with IRPs or some other way? If it's best to use an IRP, then how can I respond to an IRP coming from user mode from some driver function (FilterSendNetBufferList, FilterReceiveNetBufferList...) but not from StartIo or DeviceIoControl? (This second variant was translated by Google.)
How to send outgoing packets from an NDIS filter driver to a user mode application for doing some modifications in user mode, and afterwards get those packets back, already prepared.
Thank You.
Look up inverted call.
But you should also understand that you can't hide your code. If the CPU can execute it, then someone can find it. And while there is some value to using obscure algorithms, obscurity itself is not a form of security.
Thank you for the response.