Debug running .sys driver.

Hi,

Working on Windows XP,

I have a driver (.sys only, no sources/inf) and want to debug it,
below are some of its important attributes I got using DeviceTree

+++++++++
PDO \Device\0000000023 -[root\LEGACY_XYZCTL]
Driver Name: \Driver\PnpManager
Major Function Codes Supported:
IRP_MJ_CREATE
IRP_MJ_CLOSE
IRP_MJ_DEVICE_CONTROL
+++++++++

I do not have the source code or INF file for it. Also, it is not a
class driver.

(A) Is it possible to debug it in assembly? Is it possible
to place an UPPER DEVICE FILTER DRIVER on this driver and go
inside this driver through our filter driver's IoCallDriver method?

(B) IF yes, what are the registry settings that need to be made
in order to place our upper device filter driver on this driver? Please
detail.

(B) IF NOT, please detail any alternative way to debug it.

My main objective is to debug the running driver in order to find out
some valuable information.

Thanks,
RB.

Rodney Brooks wrote:

> Hi,
>
> Working on Windows XP,
>
> I have a driver (.sys only, no sources/inf) and want to debug it,
> below are some of its important attributes I got using DeviceTree

You do have an INF for this. It’s one of the files in
\Windows\INF\oem*.inf.

> (A) Is it possible to debug it in assembly?

Of course. In fact, if you don’t have the source, that’s the only choice.

> Is it possible
> to place an UPPER DEVICE FILTER DRIVER on this driver and go
> inside this driver through our filter driver's IoCallDriver method?

Yes, but if all you want to do is single-step through it, you can just
set a breakpoint at the appropriate entry points, which you can
determine by looking at the DriverEntry for the driver.

> (B) IF yes, what are the registry settings that need to be made
> in order to place our upper device filter driver on this driver? Please
> detail.

Just like with any filter driver, you need to create a
CurrentControlSet\System\Services entry for your filter, then add the
service name in the UpperFilters registry entry in the
CurrentControlSet\System\Enum key for that driver. You can use
SetupDiSetDeviceRegistryProperty to do this.

> (B) IF NOT, please detail any alternative way to debug it.

> My main objective is to debug the running driver in order to find out
> some valuable information.

Note that reverse engineering may be prohibited by law in some
jurisdictions.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
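The registry steps Tim describes (a Services entry for the filter, then the service name appended to the device's UpperFilters value under Enum) are easy to get subtly wrong, since UpperFilters is a REG_MULTI_SZ and a dangling reference to a filter with no Services key leaves the device unable to start. The script below is an added example, not code from the thread or from either poster: it inspects the current UpperFilters list for a root-enumerated legacy device, checks that the filter's Services key exists, and only writes the new list when run with -Apply. The instance path ROOT\LEGACY_XYZCTL\0000 (the 0000 instance suffix is assumed; DeviceTree shows only root\LEGACY_XYZCTL) and the filter name MyFilter are placeholders. It needs an elevated PowerShell session, and on XP that means a separately installed PowerShell 2.0.

```powershell
# Added example (not from the thread). Audits and, on request, edits the
# UpperFilters list of one device instance. Values below are placeholders.
param(
    [string]$InstanceId    = 'ROOT\LEGACY_XYZCTL\0000',  # assumed instance path under Enum
    [string]$FilterService = 'MyFilter',                 # assumed name of the filter's Services key
    [switch]$Apply                                       # without this the script only reports
)

$enumKey = "HKLM:\SYSTEM\CurrentControlSet\Enum\$InstanceId"
$svcKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$FilterService"

if (-not (Test-Path $enumKey)) {
    throw "Device instance key not found: $enumKey (check the path in DeviceTree or Device Manager)"
}

# UpperFilters is REG_MULTI_SZ; the value is absent when no filter is attached,
# so wrap the result in @() to always get an array.
$current = @((Get-ItemProperty -Path $enumKey -Name UpperFilters -ErrorAction SilentlyContinue).UpperFilters)
"Current UpperFilters for ${InstanceId}: " + $(if ($current) { $current -join ', ' } else { '<none>' })

# Every name listed in UpperFilters must resolve to a Services key (ImagePath,
# Type=1 for a kernel driver, Start); otherwise PnP cannot build the device
# stack and the device fails to start. Report any stale entries already present.
foreach ($name in $current) {
    if (-not (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name")) {
        Write-Warning "UpperFilters references '$name' but no Services key exists for it."
    }
}

if (-not (Test-Path $svcKey)) {
    Write-Warning "No Services entry for '$FilterService'; create it (ImagePath, Type, Start) before adding the filter."
}

if ($current -contains $FilterService) {
    "'$FilterService' is already in UpperFilters; nothing to do."
}
elseif ($Apply) {
    # Append rather than overwrite so existing filters on the stack are kept.
    $updated = $current + $FilterService
    Set-ItemProperty -Path $enumKey -Name UpperFilters -Value $updated -Type MultiString
    "Added '$FilterService'. Disable/enable the device or reboot for the filter to load."
}
else {
    "Would add '$FilterService' to UpperFilters (re-run with -Apply to write it)."
}
```

Reading the list before writing it is the part that matters: an UpperFilters value written with Set-ItemProperty as a plain string instead of MultiString, or one that drops the filters already present, breaks the device stack for every driver on it, not just the one being debugged. The same read-only pass (no -Apply) is also a quick way to see which filter drivers are attached to a device when auditing a machine.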