I’m debugging a Windows 7 x86 kernel with a SCSI disk in VMware.
The lowest layer driver in my disk stack was \Driver\LSI_SAS; I wanted to see if the IRP_MJ_INTERNAL_DEVICE_CONTROL in the lowest layer driver is hooked or not.
The IRP_MJ_INTERNAL_DEVICE_CONTROL of this LSI_SAS driver (which is for VMware) points to storport!RaDriverScsiIrp, and it didn’t look to have an inline hook there either.
But I cannot check the storport driver object using !drvobj:
!drvobj storport
Driver object (86a08000) is for:
86a08000: is not a driver object
Why is this happening?
And also, which driver/function does this storport!RaDriverScsiIrp eventually call that I need to check for hooks? Is there any lower layer than this that I need to check? It didn’t look to have any inline hook in it either.
Storport is a library, not a driver. The miniports using Storport, in this case LSI_SAS, have the driver object.
From your questions it is time for you to back up and read Windows Internals to get a high-level overview of how the system works.
1 Like
What do you mean by “hook” here? If the driver object has a handler for that IRP, then the driver is handling those IRPs. Just that simple.
Storport drivers use the port/miniport model. The user’s miniport driver and the storport DLL together are a single driver with one driver object. The port driver (storport, in this case) handles the dispatching and calls entry points in the miniport.
1 Like
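An added check, not from any poster in this thread, that automates the comparison Tim describes: paste in the text of `!drvobj \Driver\LSI_SAS 2` and `lm`, and it resolves each dispatch entry to the module that owns it, so entries owned by storport are expected for a Storport miniport and only an entry that lands in no loaded module, or in a module other than the port driver or the miniport, deserves a closer look. The WinDbg output below is constructed sample text, with one entry deliberately pointed outside every module.

```python
import re

# Constructed to resemble WinDbg "lm" output on x86 (start, end, module name).
LM_OUTPUT = """\
start    end        module name
8c3a0000 8c3e0000   storport   (deferred)
8c3e0000 8c3f2000   LSI_SAS    (deferred)
82a00000 82e10000   nt         (pdb symbols)
"""

# Constructed to resemble "!drvobj \\Driver\\LSI_SAS 2" output.
# Entry [0f] is deliberately set to an address inside no loaded module.
DRVOBJ_OUTPUT = """\
Dispatch routines:
[00] IRP_MJ_CREATE                      8c3a1230	storport!RaDriverCreateIrp
[02] IRP_MJ_CLOSE                       8c3a1400	storport!RaDriverCloseIrp
[0e] IRP_MJ_DEVICE_CONTROL              8c3a2a00	storport!RaDriverDeviceControlIrp
[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL     8a1f0c00	+0x8a1f0c00
[16] IRP_MJ_POWER                       8c3a3000	storport!RaDriverPowerIrp
[1b] IRP_MJ_PNP                         8c3a3200	storport!RaDriverPnpIrp
"""

MODULE_RE = re.compile(r"^([0-9a-f]+)\s+([0-9a-f]+)\s+(\S+)", re.M)
DISPATCH_RE = re.compile(r"^\[([0-9a-f]{2})\]\s+(IRP_MJ_\w+)\s+([0-9a-f]+)", re.M)

def parse_modules(lm_text):
    """Return [(start, end, name)] for every module line in lm-style output."""
    return [(int(s, 16), int(e, 16), n) for s, e, n in MODULE_RE.findall(lm_text)]

def module_for(addr, modules):
    """Name of the module whose image range contains addr, or None."""
    for start, end, name in modules:
        if start <= addr < end:
            return name
    return None

def audit_dispatch(drvobj_text, lm_text, expected):
    """Resolve each major function pointer to its owning module.

    expected: module names allowed to own dispatch entries (port driver + miniport).
    Returns (table, suspicious): table maps IRP name -> module or None, and
    suspicious lists (irp, address, module) for entries outside the expected set.
    """
    modules = parse_modules(lm_text)
    table, suspicious = {}, []
    for _, irp, addr in DISPATCH_RE.findall(drvobj_text):
        owner = module_for(int(addr, 16), modules)
        table[irp] = owner
        if owner not in expected:
            suspicious.append((irp, addr, owner))
    return table, suspicious

if __name__ == "__main__":
    _, flagged = audit_dispatch(DRVOBJ_OUTPUT, LM_OUTPUT, {"storport", "LSI_SAS"})
    for irp, addr, owner in flagged:
        print(f"{irp} -> {addr} owned by {owner or 'no loaded module'}")
```

Real `lm` output on x64 prints addresses with a backtick separator, so strip the backtick before feeding it in.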
@Don_Burn said:
Storport is a library, not a driver. The miniports using Storport, in this case LSI_SAS, have the driver object.
From your questions it is time for you to back up and read Windows Internals to get a high-level overview of how the system works.
Seems like you need to take a look at Windows Internals yourself, mate:
Chapter 4, page 242, Windows Internals 7th edition, part 1:
“because the Storport.sys driver fills in the right value when calling the kernel”
How about giving help instead of cheeky responses?
I also tried checking for inline hooks inside that storport function and comparing it to disk but didn’t find anything.
@Tim_Roberts said:
What do you mean by “hook” here? If the driver object has a handler for that IRP, then the driver is handling those IRPs. Just that simple.
Storport drivers use the port/miniport model. The user’s miniport driver and the storport DLL together are a single driver with one driver object. The port driver (storport, in this case) handles the dispatching and calls entry points in the miniport.
I’m analyzing a bootkit, and I know for a fact that it has hooked something in the lowest layer. I thought I would follow the device stack and check the lowest driver and devices in there for any hook but could not find any; checking the major functions of LSI_SAS seems to show no problem, and IRP_MJ_INTERNAL_DEVICE_CONTROL points to this function in ataport. I disassembled this function as well but couldn’t see anything suspicious. Is there anything lower than this that I need to check? Any function or driver that might be hooked and is lower than this?
Not every driver (module loaded in kernel) is a driver (code that “drives” something itself).
Don’s advice is 100% valid.
1 Like
Mr. @kernelboi: Show Mr. Burn the respect he deserves, or you’ll be gone from here as fast as I can click a button.
If something you’ve read appears to you to disagree with something Mr. Burn wrote, the proper, respectful, response would be “But Mr. Burn, such-and-such says this. I don’t understand how this squares with what you said. Would you be kind and patient enough to explain it to me, a noob, please?”
You ask a lot of questions here, Mr @kernelboi … Show proper respect to your betters who are trying to help you.
Peter
1 Like
@“Peter_Viscarola_(OSR)” said:
Mr. @kernelboi: Show Mr. Burn the respect he deserves, or you’ll be gone from here as fast as I can click a button.
If something you’ve read appears to you to disagree with something Mr. Burn wrote, the proper, respectful, response would be “But Mr. Burn, such-and-such says this. I don’t understand how this squares with what you said. Would you be kind and patient enough to explain it to me, a noob, please?”
You ask a lot of questions here, Mr @kernelboi … Show proper respect to your betters who are trying to help you.
Peter
I apologize if I offended anyone, because it was definitely not my intention to do so. I definitely know for a fact that I myself am the king of noobs on this website; I’m just here to learn from experts, and I am open to new book suggestions for me to read.
@Don_Burn said:
Storport is a library, not a driver. The miniports using Storport, in this case LSI_SAS, have the driver object.
From your questions it is time for you to back up and read Windows Internals to get a high-level overview of how the system works.
Thank you for your suggestion, and sorry if my previous comment came out as rude, because it was definitely not my intention, so I apologize.
Nicely handled, Mr. @kernelboi … Well done.
Peter
1 Like
Someday soon kernelboi will be kernelman.
Mark Roddy
1 Like