I have created a driver for SSDT shadow hooking. The driver was built successfully in a Windows 7 environment using the WDK. Whenever I try to start the driver's service using OSRLoader I get an error like "parameter incorrect" or "system cannot find the file specified". I am able to register the service but I am unable to start it. I have verified that the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\XXXX image name and path are correct. How do I resolve this error?
xxxxx@gmail.com wrote:
Why don’t you show us the contents of the Services key? Maybe we can
spot something. Do you get the same error if you use “net start”? Did
you build a driver with the correct bittedness (32-bit or 64-bit)? How
did you copy the file into place?
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
A driver or system service must reside on the local disk. I do all my work
on my multi-terabyte server which runs an automated offsite backup, and the
number of times I've tried to run one of these from the network drive has
been fairly high (although I know better now, it took a couple of failures
each time)
joe
WINDBG is sponsored by OSR
OSR is hiring!! Info at http://www.osr.com/careers
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
The code I used to register my service and start it.
Windows Registry Editor Version 5.00

; backslashes inside .reg string values must be doubled
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\raji]
"Type"=dword:00000001
"Start"=dword:00000000
"ErrorControl"=dword:00000001
"Group"="Base"
"ImagePath"="\\SystemRoot\\System32\\Drivers\\raji.sys"
"Description"="HookShadowSSDT - Sample Driver"
"DisplayName"="HookShadowSSDT"
I have built the driver in the correct environment (windows 7 x84 checked build) for Windows 7 32-bit OS.
I just copy and paste the file into the system32\drivers directory.
I think you said it is a WDF driver, but this Registry technique I thought
only applied to non-PnP drivers.
joe
I have used just OSRLoader to register and start the service of my driver. When I try that, the driver can be registered, but when I try to start the service I get an error: parameter incorrect or system cannot find the path specified.
If I want to start the service of a WDF driver, how can I start the service?
error message: cannot find the path specified
…
At 2013-04-09 09:03:39,xxxxx@gmail.com wrote:
Seems like you're just trying to manually configure what an INF install does; that's fine, but your ImagePath does not seem correct. I've not seen the full path used here; try using "system32\drivers\raji.sys". Note: you don't need to escape the \ here.
Also, SystemRoot is an environment variable; you need to reference it as such: %SystemRoot%\system32\drivers\raji.sys
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Monday, April 08, 2013 6:25 PM
To: Kernel Debugging Interest List
Subject: RE:[windbg] Driver Cannot Started??
I have used the same technique to install a sample driver with just driver load and unload functions only. That driver runs perfectly. When I use the same technique to hook the shadow SSDT I get this error, so I thought the location may not cause this error; maybe there is some other reason.
When I try to install the driver using the .reg file technique I can see my driver name in active services, but its function stopped; I do not know what stops my driver from executing.
The reference I have taken to SSDT shadow hooking is
http://www.cnblogs.com/himessage/archive/2012/12/20/2825921.html
See my last response: \SystemRoot\system32\drivers does not exist. You need to either drop \SystemRoot\ or reference it correctly: %SystemRoot%\system32\drivers\raji.sys … I don't know how the system can find your image any other way.
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Monday, April 08, 2013 7:01 PM
To: Kernel Debugging Interest List
Subject: RE:[windbg] Driver Cannot Started??
I was curious about what SSDT hooking code might look like. Having
followed the link and read the code, besides the fact that it is Doing
Something Evil, it is some of the worst code I have seen. I would fail
any student that handed in something that bad, but I can understand the
revulsion to SSDT hooking if it requires code like this amateurish mess
that pretends to be a program.
Basing anything on this code, again, ignoring the fact that you should not
be doing SSDT patching anyway, strikes me as the height of insanity.
Apply any criterion you want, about any form of good programming practice,
and it is certainly clear that this code goes out of its way to violate that
criterion.
This falls into the category of “Burn products”, or as Don Burn puts it,
“Tell me what this product is so I can avoid it, and anything else this
company might produce”.
joe
I am creating antivirus shield software only, not an evil product; without knowing my project, do not say anything about it. I am preventing the spread of viruses in the computer. For that I need to hook the shadow SSDT to write my own API handlers for NtUserPostMessage and NtUserSendInput. While I looked for references on SSDT shadow hooking, all websites showed this type of code only. I just tried this to see whether this code is right or not. I am unable to start the driver itself. If you can help me you do not want to encourage me but please do not demotivate me.
I have used %SystemRoot%\system32\drivers\raji.sys; after that too I am unable to start the service of my driver.
I have used the net start command too; after that too I am getting the same error: "The system cannot find the file specified"
Rajima,
"If you can help me you do not want to encourage me but please do not
demotivate me"
Newcomer motivated you to stop hooking; there may be other ways to do what
you want to achieve. You can ask here politely if you want to learn.
Hooking at kernel will not be encouraged here. Reserved for malware
writers. Period.
On Tue, Apr 9, 2013 at 11:48 AM, wrote:
> I have used the net start command too; after that too I am getting the same error: "The
> system cannot find the file specified"
–
Cheers,
Siva
This thread is OT for many reasons. To the OP: throw away anything you’ve done up to this point, the code that you’ve started with has entirely wasted your time.
Thread locked.
xxxxx@gmail.com wrote:
> The code I used to register my service and start it.
> Windows Registry Editor Version 5.00
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\raji]
> "Type"=dword:00000001
> "Start"=dword:00000000
> "ErrorControl"=dword:00000001
> "Group"="Base"
> "ImagePath"="\\SystemRoot\\System32\\Drivers\\raji.sys"
> "Description"="HookShadowSSDT - Sample Driver"
> "DisplayName"="HookShadowSSDT"
That’s not code. That’s just a regedit script. Did you simply load
this up with “regedit”? If so, then you are bypassing the Service
Manager, and you have to reboot after doing so before your driver will
load. If you use the “sc” command to add the service, you don’t need
this extra step.
> I have built the driver in the correct environment (windows 7 x84 checked build) for Windows 7 32-bit OS.
Did you mean x86 or did you mean x64?
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
Speer, Kenny wrote:
> Also, SystemRoot is an environment variable; you need to reference it as such: %SystemRoot%\system32\drivers\raji.sys
That’s not true. \SystemRoot is a kernel symbolic link to the live
Windows directory. It works fine. There are lots of examples of this
in your registry.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
xxxxx@gmail.com wrote:
> I have used the net start command too; after that too I am getting the same error: "The system cannot find the file specified"
Have you checked to make sure you aren’t referencing any APIs that
aren’t available in kernel mode? The “depends” tool can help you with that.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
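As an added example, not code from the thread or from OSR, the PowerShell script below walks through the checks raised in Tim's replies in one pass: it resolves the ImagePath the way the loader will (\SystemRoot\ kernel symbolic link, %SystemRoot% variable, or a bare path relative to the Windows directory), confirms the file is actually on the local disk, compares the image's PE machine type against the OS bitness (the x86/x64 question), lists the modules the driver imports so a user-mode DLL stands out the way it would in "depends", and then registers the service through sc.exe instead of a raw .reg file so no reboot is needed. The service name raji, the image path and the display name come from the thread; the helper names, the list of expected kernel-mode modules and the choice of demand start (so a broken driver cannot wedge the next boot) are my assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): diagnose a kernel driver service that
# will not start, then register it with sc.exe. Names below are assumptions
# except 'raji', the ImagePath and the display name, which come from the thread.
param(
    [string]$ServiceName = 'raji',
    [string]$ImagePath   = '\SystemRoot\System32\Drivers\raji.sys'
)

# Map the registry ImagePath to a file the way the loader does.
function Resolve-DriverImagePath([string]$Path) {
    $root = $env:SystemRoot
    if ($Path -match '^\\SystemRoot\\(.*)$')  { return Join-Path $root $Matches[1] }
    if ($Path -match '^%SystemRoot%\\(.*)$')  { return Join-Path $root $Matches[1] }
    if ($Path -match '^\\\?\?\\(.*)$')        { return $Matches[1] }          # \??\C:\...
    if ([IO.Path]::IsPathRooted($Path))       { return $Path }
    return Join-Path $root $Path                                              # system32\drivers\x.sys
}

# Read the PE header: Machine gives 32/64-bit, the import directory gives the
# module names the image links against (the same list "depends" shows).
function Get-PeInfo([string]$File) {
    $b = [IO.File]::ReadAllBytes($File)
    $peOff = [BitConverter]::ToInt32($b, 0x3C)
    if ([BitConverter]::ToUInt32($b, $peOff) -ne 0x00004550) { throw "$File is not a PE image" }
    $machine = [BitConverter]::ToUInt16($b, $peOff + 4)
    $nSect   = [BitConverter]::ToUInt16($b, $peOff + 6)
    $optSize = [BitConverter]::ToUInt16($b, $peOff + 20)
    $opt     = $peOff + 24
    $magic   = [BitConverter]::ToUInt16($b, $opt)
    $ddOff   = if ($magic -eq 0x20B) { $opt + 112 } else { $opt + 96 }       # PE32+ vs PE32
    $impRva  = [BitConverter]::ToUInt32($b, $ddOff + 8)                      # DataDirectory[1]
    $sections = @()
    for ($i = 0; $i -lt $nSect; $i++) {
        $s = $opt + $optSize + 40 * $i
        $sections += [pscustomobject]@{
            VA   = [BitConverter]::ToUInt32($b, $s + 12)
            Size = [BitConverter]::ToUInt32($b, $s + 8)
            Raw  = [BitConverter]::ToUInt32($b, $s + 20)
        }
    }
    $rvaToOff = {
        param($rva)
        foreach ($s in $sections) {
            if ($rva -ge $s.VA -and $rva -lt $s.VA + $s.Size) { return [int]($rva - $s.VA + $s.Raw) }
        }
        throw ("RVA 0x{0:X} is not inside any section" -f $rva)
    }
    $dlls = @()
    if ($impRva -ne 0) {
        $d = & $rvaToOff $impRva
        while ([BitConverter]::ToUInt32($b, $d + 12) -ne 0) {                # Name RVA; zero ends list
            $n = & $rvaToOff ([BitConverter]::ToUInt32($b, $d + 12))
            $end = $n; while ($b[$end] -ne 0) { $end++ }
            $dlls += [Text.Encoding]::ASCII.GetString($b, $n, $end - $n)
            $d += 20                                                         # sizeof(IMAGE_IMPORT_DESCRIPTOR)
        }
    }
    [pscustomobject]@{ Is64Bit = ($machine -eq 0x8664); Imports = $dlls }
}

$file = Resolve-DriverImagePath $ImagePath
if (-not (Test-Path $file)) { throw "ImagePath resolves to $file, which does not exist; copy the .sys there first" }

$pe   = Get-PeInfo $file
$os64 = [Environment]::Is64BitOperatingSystem
if ($pe.Is64Bit -ne $os64) {
    throw "Image is $(if ($pe.Is64Bit) {'x64'} else {'x86'}) but the OS is $(if ($os64) {'x64'} else {'x86'})"
}

# A kernel image may only import from kernel-mode modules. Anything outside this
# (assumed) list of common kernel exporters, e.g. kernel32.dll, means the wrong
# library was linked and the loader will reject the image with an unhelpful error.
$kernelModules = 'ntoskrnl.exe','hal.dll','win32k.sys','wdfldr.sys','fltmgr.sys','ndis.sys','ksecdd.sys'
$suspect = $pe.Imports | Where-Object { $kernelModules -notcontains $_.ToLower() }
if ($suspect) { Write-Warning "Imports to verify as kernel-mode: $($suspect -join ', ')" }

# Register through the Service Control Manager (no reboot needed, unlike a .reg
# import). The space after each '=' is sc.exe syntax, not a typo.
sc.exe create $ServiceName type= kernel start= demand error= normal binPath= $ImagePath displayName= "HookShadowSSDT"
sc.exe start  $ServiceName
sc.exe query  $ServiceName
```

Run it from an elevated PowerShell on the target machine; if the bitness check or the import warning fires, that is the reason the SCM reports "file not found" even though the path in the Services key is right, and no amount of rewriting ImagePath will fix it.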