
Shouldn't memory manager bring back paged out memory in PASSIVE_LEVEL IRQL?

kernelboi Member Posts: 21

I am directly calling some functions in other drivers (calling the DriverEntry of that driver).

The problem is that the page that contains that function seems to be paged out, because MmIsAddressValid returns false and also WinDbg says this when I try to go to that address:

Memory access error in 'u 0xF72BA57F'

But the address is correct (the symbol gets resolved and I can see that this is in fact the DriverEntry for that driver).

So my question is: how can I bring the paged-out code back to memory so I can call it? I don't mess with IRQL in my code and it's running at the default IRQL. I thought that when I am running at the default IRQL the memory manager would take care of the paged-out stuff and bring it back to memory when I try to jump to it, but it seems not to do so, since I get a BSOD.

By default IRQL I mean PASSIVE_LEVEL; based on my understanding, that is the default in drivers if we don't mess with it.

I think using MmProbeAndLock might help, but I'm not sure how I can convert the address of the driver's entry point to an MDL, because it seems to need an IRP to construct an MDL, but I am not sending an IRP, I am just jumping there.

I also heard that this might be because of the target driver using

#pragma alloc_text(INIT, DriverEntry)

Is this true? If so, how do I bring it back to memory?

Comments

  • Peter_Viscarola_(OSR) Administrator Posts: 8,399

    Hmmmm... it's hard to know where to start.

    Why in the world would you call the DriverEntry entry point of another driver? Just don't do that. Don't. Do. It.

    And, yes... if the target driver has placed DriverEntry into the INIT segment, the memory is discarded. So, it can't be brought back into memory.

    And, finally... why are you guessing at what IRQL you're running at? What does KeGetCurrentIrql tell you? Note that many driver entry points are called (or can be called) at IRQL DISPATCH_LEVEL.

    Bottom line: What you want to do (call DriverEntry of another driver) is unsupported, dangerous, and very silly.

    What is it that you are trying to accomplish? What's the big picture here that you think you're solving by calling another driver's DriverEntry?

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • ThatsBerkan Member Posts: 56
    edited January 20

    If you have access to the source code of the target driver:

    /SECTION:INIT,!D

    Otherwise, you simply can't. (I mean you sort of can if you read the file on disk and re-allocate the INIT section's memory, but I won't give you any example or code because you're stupid for trying to do this.)
    Looking at OP's post history, 'kernelboi' is most likely writing some bad-bad Russian/Chinese anti-cheat and tries to manually map and execute some of their kernel components/drivers. Please don't.

  • Peter_Viscarola_(OSR) Administrator Posts: 8,399

    most likely writing some bad-bad Russian/Chinese anti-cheat

    As long as we believe he’s not writing malware, per se, I’ll let him keep his account here (all things being equal).

    If the general consensus becomes that he’s writing malware, I’ll ban him.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Mark_Roddy Member - All Emails Posts: 4,426
    via Email
    At the moment it just appears to be idiot-ware. But as we have learned, beware the idiots on the march.

    Mark Roddy
  • MBond2 Member Posts: 304

    Now why in the world MmProbeAndLock would help to 'bring back' a function in a discarded section I cannot comprehend, but it has made me laugh.

  • Tim_Roberts Member - All Emails Posts: 13,909

    I thought that when I am running at the default IRQL the memory manager would take care of the paged-out stuff and bring it back to memory when I try to jump to it,

    Yes, it will. You don't have "paged out stuff". You have discarded stuff. That isn't backed by the page file, and will never come back. Fortunately, you don't need it to. If the driver has been loaded, so that DriverEntry is discarded, then DriverEntry has already been called.

    Is this a device driver or an import driver?

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.
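    Tim's distinction between paged-out code (backed by the image file and faulted back in on demand at IRQL below DISPATCH_LEVEL) and discarded code, and ThatsBerkan's /SECTION:INIT,!D, both come down to the Characteristics bits the linker writes into each section header of the driver image. The script below is an added example for this thread, not code from any poster here: it parses the PE section table of an image constructed in memory (a constructed sample, no real driver is read) and reports how the loader treats each section, then shows the same RVA after INIT's discardable bit is cleared. The three-section .text/PAGE/INIT layout, the RVA chosen for DriverEntry, and the rule that only PAGE*-named sections are pageable are assumptions of the example, not facts from the thread.

```python
"""Classify a Windows driver image's sections as resident, pageable or discarded.

Added example for this thread; not code from any poster here. The PE image
is constructed in memory below (constructed sample, not a real driver).
Section flag values are the ones defined in winnt.h.
"""
import struct

# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000   # freed by the loader after DriverEntry returns
IMAGE_SCN_MEM_NOT_PAGED = 0x08000000     # locked in nonpaged memory
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000

CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
COFF_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes


def parse_sections(image: bytes):
    """Return [(name, rva, virtual_size, characteristics)] for every section."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, num_sections, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, image, coff)
    first = coff + struct.calcsize(COFF_FMT) + opt_size   # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, rva, _, _, _, _, _, _, chars = struct.unpack_from(SECTION_FMT, image, first + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii"), rva, vsize, chars))
    return sections


def classify(name: str, chars: int) -> str:
    """How the kernel loader treats a driver section once DriverEntry has returned."""
    if chars & IMAGE_SCN_MEM_DISCARDABLE:
        return "discarded"     # nothing backs it any more; MmIsAddressValid stays false
    if name.startswith("PAGE"):
        return "pageable"      # faulted back in from the image file, only at IRQL < DISPATCH_LEVEL
    return "resident"          # stays in nonpaged memory


def locate(sections, rva: int):
    """Find which section an RVA (e.g. DriverEntry's) falls in and how it is treated."""
    for name, start, size, chars in sections:
        if start <= rva < start + size:
            return name, classify(name, chars)
    return None


def build_image(sections) -> bytes:
    """Construct a minimal PE32+ header: DOS stub, signature, COFF header, zeroed optional header, section table."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)     # 64 bytes, e_lfanew at 0x3C
    opt_size = 0xF0   # sizeof(IMAGE_OPTIONAL_HEADER64); its contents are not needed for section parsing
    coff = struct.pack(COFF_FMT, 0x8664, len(sections), 0, 0, 0, opt_size, 0x0022)
    table = b"".join(
        struct.pack(SECTION_FMT, name.encode("ascii").ljust(8, b"\0"), size, rva, size, 0, 0, 0, 0, 0, chars)
        for name, rva, size, chars in sections)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table


def keep_init(image: bytes) -> bytes:
    """Model /SECTION:INIT,!D: clear INIT's discardable bit so the loader keeps it after DriverEntry."""
    return build_image([(n, r, s, (c & ~IMAGE_SCN_MEM_DISCARDABLE) if n == "INIT" else c)
                        for n, r, s, c in parse_sections(image)])


# Constructed sample: the conventional .text / PAGE / INIT layout of a /DRIVER build (assumption).
SAMPLE_DRIVER = build_image([
    (".text", 0x1000, 0x3000, CODE | IMAGE_SCN_MEM_NOT_PAGED),
    ("PAGE",  0x4000, 0x2000, CODE),
    ("INIT",  0x6000, 0x1000, CODE | IMAGE_SCN_MEM_DISCARDABLE),
])
DRIVER_ENTRY_RVA = 0x6010   # where #pragma alloc_text(INIT, DriverEntry) would place it (constructed value)

if __name__ == "__main__":
    for name, rva, size, chars in parse_sections(SAMPLE_DRIVER):
        print(f"{name:8s} rva={rva:#07x} size={size:#06x} chars={chars:#010x} -> {classify(name, chars)}")
    print("DriverEntry as linked:            ", locate(parse_sections(SAMPLE_DRIVER), DRIVER_ENTRY_RVA))
    print("DriverEntry with /SECTION:INIT,!D:", locate(parse_sections(keep_init(SAMPLE_DRIVER)), DRIVER_ENTRY_RVA))
```

    Run against the constructed image, DriverEntry's RVA lands in a section reported as discarded, which is exactly why MmIsAddressValid and WinDbg's `u` fail on it after load: there is no page to fault in. After keep_init the same RVA sits in a resident section. On a real driver, `dumpbin /headers` prints the same Characteristics values the parser reads here.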

  • kernelboi Member Posts: 21

    It's funny how y'all are comparing writing cheats to writing malware and acting like it's some disgraceful thing to do...

    Guess what, me writing some cheat so some kid can bypass an anti-cheat and cheat in his favorite video game DOESN'T HURT ANYONE, and it's not illegal to do. Matter of fact, we are doing anti-cheat companies favors too, because without us they are out of a job... but go ahead and ban me for doing honest work to earn money for myself.

  • Peter_Viscarola_(OSR) Administrator Posts: 8,399

    It's funny how y'all are comparing writing cheats to writing malware

    Well.... We question the motives of anyone who clearly doesn’t know how to write Windows kernel mode software, and wants to do exceptionally unusual and unsupported things in kernel mode that do not “fit” with the things one does when writing ordinary Windows drivers. We have learned, over the many years we’ve been here, that this is often the pattern of semi-amateur malware developers. And we try not to help malware developers here.

    That’s all. I don’t care if you want to build a game cheat or game anti-cheat. But knowing what you’re doing helps me decide how hard I’m willing to work to answer your questions... and if I want to help at all.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Dejan_Maksimovic Member - All Emails Posts: 430
    via Email
    On a side note, I am of the opinion that no one should be banned for asking for help in writing exploits, or discussing exploits.

    As ridiculous as it may seem to some, public discussion, and even helping, will open a lot more developers to the type of thinking, and make them think about securing their code.

    Of course, it should not be allowed to overflow all other discussions, but just a thread or so around.
  • Sooncheol_Won Member Posts: 44

    we are doing anti-cheat companies favors too, because without us they are out of a job

    yeah~ criminal sounds~

    Sounds of idiots who don't know what's more important and more valuable.

  • Tim_Roberts Member - All Emails Posts: 13,909

    Guess what, me writing some cheat so some kid can bypass an anti-cheat and cheat in his favorite video game DOESN'T HURT ANYONE, and it's not illegal to do.

    Of course it hurts someone. It hurts the other competitors who do not have the advantage of your "cheat". Many of these games have monetary or non-monetary prizes, which brings you into conspiracy to commit fraud. And, of course, you are violating the license agreement, and that certainly has the force of law.

    Morals are important.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • MBond2 Member Posts: 304

    I second the idea that security by obscurity is no security at all, and that open and frank discussion of security holes that exist should be actively encouraged. This may not be the proper forum, but I'll leave that up to the discretion of he who runs it (sometimes known as the hanging judge).

    In my mind that extends into the detailed discussion of technical flaws, especially from the point of view of why mistakes get made in general, and by extension what mistakes I am likely to make and how to be aware of them and avoid them; but not into the realm of helping people to exploit flaws that exist.

    I have not really cared about computer games since the decision not to port the NTVDM to x64. Since then, I haven't been able to play any of the 16-bit games I knew so well.

  • anton_bassov Member MODERATED Posts: 5,245

    ..... which brings you into conspiracy to commit fraud. And, of course, you are violating the license agreement, and that certainly has the force of law.

    As a general rule, whenever someone who does not happen to be a lawyer starts speaking about legal issues, they normally have a pretty good chance of starting to sound like a dimwit who perpetuates the various "suburban myths" that, despite all their apparent popularity with the not-so-bright "average Joe" (as well as with his wife Jane), may sound really funny to anyone "in the know".

    For not-so-obvious (at least to me) reasons, I've got a weird feeling that this may very well be the case in this particular situation. Whenever I recall that the laws may (and actually do) vary across jurisdictions, this feeling intensifies greatly....

    Morals are important.

    When it comes to morals, this is, indeed, the area of the above-mentioned couple's expertise. Therefore, I would rather recommend you stick to this particular domain. After all, you seem to be really good at moralizing.....

    Anton Bassov

  • ThatsBerkan Member Posts: 56
    edited January 22

    Blablabla, he is writing a cheat (which is similar to malware or a rootkit nowadays), so no one is going to help him.
    It's unethical, immoral, and usually against the game's ToS. I don't know what's hard to understand.

    There are enough other obscure forums full of children for that kind of stuff.

  • anton_bassov Member MODERATED Posts: 5,245

    we are doing anti-cheat companies favors too, because without us they are out of a job

    Sounds of idiots who don't know what's more important and more valuable.

    Actually, the OP presents quite an interesting argument. After all, if you stretch your imagination a bit, you can extend this logic not only to the malware writers who can be claimed "to do a favour to the AV companies", but to burglars as well. Imagine a lawyer claiming that his client, who stands trial on burglary charges, had actually "tried to do a favour to the security firm, because it would be out of business otherwise". I just wonder what the judge's reaction would be like.......

    Anton Bassov
