Driver in an EXE file?

Hello,
It appears that by some magic Sysinternals filemon.exe has a
driver embedded inside it. Is my observation correct, and are there
any technical resources that cover this kind of thing (in other
words: how can I do it :) )?

Thanks,
zep

Embed it as a binary object in your executable’s resource. Then extract
it into a temporary file (make sure you store it on a local drive -
drivers cannot be loaded from a network drive,) install it (via the SCM)
and load it.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

Looking forward to seeing you at the next OSR File Systems class in
Boston, MA April 18-21, 2006.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of zeppelin@io.com
Sent: Sunday, April 16, 2006 1:54 AM
To: ntdev redirect
Subject: [ntdev] Driver in an EXE file?

Hello,
It appears that by some magic Sysinternals filemon.exe has a
driver embedded inside it. Is my observation correct, and are there
any technical resources that cover this kind of thing (in other
words: how can I do it :) )?

Thanks,
zep


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

It is just a binary resource. You can add any binary resource using
visual studio or the resource APIs
(BeginUpdateResource/UpdateResource/EndUpdateResource) with any string
or numerical value that you choose. Once it is in the EXE, you can
load it via LoadResource().

d

– I can spell, I just can’t type.


The driver is simply stored as a resource in the exe file. The exe reads in
the resource, creates a file of the appropriate name ($SYSDIR/mydriver.sys)
and writes the resource to the new file.

Loren
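One way to confirm the observation from the outside, without running anything, is to carve the host EXE for embedded PE headers and look at each one's Subsystem field: a kernel driver is linked with Subsystem = IMAGE_SUBSYSTEM_NATIVE (1), so a second image with that subsystem sitting inside a GUI or console EXE is the embedded driver. The following is an added example (my code, not Sysinternals' and not from anyone in this thread). The sample input is a constructed blob of minimal PE headers, not a real filemon.exe; pointed at a real file (`python carve.py filemon.exe`) it prints every image it finds.

```python
import struct
import sys

IMAGE_SUBSYSTEM_NATIVE = 1  # drivers (and native apps such as smss.exe) link with this
SUBSYSTEM_NAMES = {0: "UNKNOWN", 1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}
IMAGE_FILE_DLL = 0x2000
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_FMT = "<HHIIIHH"


def _parse_pe_at(blob, off):
    """Return a header summary if blob[off:] starts a plausible PE image, else None."""
    if off + 64 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, off + 60)[0]
    # Real images keep the NT headers right behind the DOS stub; a stray
    # "MZ" in data usually yields an absurd e_lfanew, which we reject.
    if e_lfanew < 0x40 or e_lfanew > 0x1000:
        return None
    pe = off + e_lfanew
    opt = pe + 4 + 20
    if opt + 70 > len(blob) or blob[pe:pe + 4] != b"PE\0\0":
        return None
    machine, _nsec, _ts, _sym, _nsym, _optsize, chars = struct.unpack_from(COFF_FMT, blob, pe + 4)
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        return None
    # Subsystem sits at optional-header offset 68 in both PE32 and PE32+.
    subsystem = struct.unpack_from("<H", blob, opt + 68)[0]
    return {
        "offset": off,
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, "0x%x" % subsystem),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "native": subsystem == IMAGE_SUBSYSTEM_NATIVE,
    }


def find_pe_images(blob):
    """Carve every plausible PE header out of blob, in file order."""
    found, pos = [], blob.find(b"MZ")
    while pos != -1:
        hdr = _parse_pe_at(blob, pos)
        if hdr is not None:
            found.append(hdr)
        pos = blob.find(b"MZ", pos + 2)
    return found


def embedded_driver_offsets(blob):
    """Offsets of native-subsystem images other than the host image itself."""
    return [h["offset"] for h in find_pe_images(blob) if h["native"] and h["offset"] != 0]


def build_minimal_pe(subsystem, pe32plus=False):
    """Constructed test data: DOS header + PE signature + COFF + optional header.
    Enough for the carver to classify, nowhere near a loadable image."""
    opt_size = 240 if pe32plus else 224
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 0x40
    coff = struct.pack(COFF_FMT, 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 68, subsystem)
    return dos + b"PE\0\0" + coff + bytes(opt)


# Constructed stand-in for a filemon-style host: a GUI EXE header, some data
# containing a stray "MZ" (must not be reported), then an x64 driver image.
SAMPLE_HOST = (build_minimal_pe(2) + b"\0" * 512
               + b"MZ" + b"\xff" * 70
               + build_minimal_pe(IMAGE_SUBSYSTEM_NATIVE, pe32plus=True) + b"\0" * 64)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_HOST
    for h in find_pe_images(data):
        tag = "EMBEDDED DRIVER?" if h["native"] and h["offset"] else ""
        print("0x%08x machine=0x%04x %s %s %s" % (h["offset"], h["machine"],
              "PE32+" if h["pe32plus"] else "PE32", h["subsystem"], tag))
```

A raw carve like this is deliberately dumb: it does not walk the .rsrc directory, so it also finds images that were appended or packed elsewhere, and it will flag a native-subsystem image that is not a driver (native apps use the same subsystem). The thread's next step, the image being written out as a .sys and registered with the SCM, is what settles it.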

Hi,
Thanks for the responses. The part I didn’t realize was that
they wrote the resource (driver) out to a temp file then loaded it
like any other driver. Clever. Thanks for the enlightenment.

-z

At 08:04 PM 4/15/2006, you wrote:

Embed it as a binary object in your executable’s resource. Then extract
it into a temporary file (make sure you store it on a local drive -
drivers cannot be loaded from a network drive,) install it (via the SCM)
and load it.


> filemon.exe has a driver embedded inside it.
It is a binary resource that is extracted into a .sys file, which is then
installed, and then the .sys file is deleted.

IIRC, the book about rootkits describes this technique.

The only magic here is that a mydrdv.sys may be deleted after being
installed and (sic!) started.

A “normal” EXE or DLL is kept open while being executed so the file can not
be deleted.

Not so with .sys, file deletion is ok even though the driver runs, and this
is the magic.

> What I want to do is simply read the last log entry from a text log file
> to parse it in real time

Am I the only one who got this message 11 times?

Maybe I misunderstand the question (but please do not resend it for the 12th
time, ok?), but what is wrong with a standard 100% user-mode filesystem
watcher?

No drivers, cut-and-paste it in C++ (or C# or VB.NET) from MSDN, and you’re
done.

Remember the current file length and, once a change hits, get the new length
and read/display (new length - old length) bytes, starting from “old length”.

If you have to watch a lot of files, you may need a completion port
(notifications should be retrieved fast or they are lost, that’s an
experimental fact, not documented), but this is still much simpler than a
filter driver.

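The read-the-delta logic from the post above, as an added example (my code, not the poster's). It keeps the rule "remember the length, read new length minus old length bytes from the old length" and adds the two cases that bite in practice: a writer that has flushed only half a line, and a log that was truncated or rotated so that the new length is below the old one. The change notification itself (FileSystemWatcher or ReadDirectoryChangesW on Windows) is assumed to be wired up by the caller and to simply invoke `poll()`; because `poll()` reads whatever has arrived since the last call, a dropped notification costs latency, not data. The log file is constructed in a temporary directory.

```python
import os
import tempfile


class LogTail:
    """Incrementally read records appended to a text log.

    Call poll() whenever a change notification fires (or on a timer);
    it returns the complete new lines since the previous call.
    """

    def __init__(self, path, encoding="utf-8"):
        self.path = path
        self.encoding = encoding
        # Start at the current end: what is already there is history.
        self.offset = os.path.getsize(path) if os.path.exists(path) else 0
        self.partial = b""  # bytes after the last newline, not yet a full record

    def poll(self):
        try:
            size = os.path.getsize(self.path)
        except FileNotFoundError:
            return []  # rotated away; wait for the new file to appear
        if size < self.offset:
            # Truncated or replaced by a shorter file: start over and drop the
            # dangling partial record, which belonged to the old contents.
            self.offset, self.partial = 0, b""
        if size == self.offset:
            return []
        with open(self.path, "rb") as f:
            f.seek(self.offset)
            chunk = f.read(size - self.offset)  # exactly (new - old) bytes
        self.offset += len(chunk)
        data = self.partial + chunk
        *lines, self.partial = data.split(b"\n")  # last piece may be incomplete
        return [ln.rstrip(b"\r").decode(self.encoding, "replace") for ln in lines]


def demo():
    """Exercise the tail on a constructed log; returns what each poll() saw."""
    path = os.path.join(tempfile.mkdtemp(), "app.log")

    def append(data):
        with open(path, "ab") as f:
            f.write(data)

    with open(path, "wb") as f:
        f.write(b"boot ok\n")
    tail = LogTail(path)  # 'boot ok' is history and must not be reported
    seen = []
    append(b"login alice\nlogin bob\n")
    seen.append(tail.poll())  # two complete records
    append(b"login ca")
    seen.append(tail.poll())  # half a record: buffered, nothing reported
    append(b"rol\n")
    seen.append(tail.poll())  # the rest arrives, record completes
    with open(path, "wb") as f:  # log rotated in place (truncate + rewrite)
        f.write(b"rotated\n")
    seen.append(tail.poll())  # shorter than before: reset and read from 0
    return seen


if __name__ == "__main__":
    for batch in demo():
        print(batch)
```

Reading by length difference rather than by "what the notification said changed" is what makes this tolerant of the lost-notification behaviour mentioned above: the watcher only needs to wake the reader, it never carries the data.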

> A “normal” EXE or DLL is kept open while being executed so the file can
> not be deleted.
>
> Not so with .sys, file deletion is ok even though the driver runs, and
> this is the magic.

Is this still true however where the driver contains paged code?

First of all, sorry for blaming the poster for 11 copies, it’s the two
of my AVs, norton and freshly installed etrust, that were passing
the same message to each other. I had to disable one of the
email filters.

> > Not so with .sys, file deletion is ok even though the driver runs, and
> > this is the magic.
>
> Is this still true however where the driver contains paged code?
Interesting question, never asked myself, because it “just works”.

My uneducated guess would be “yes, it’s still true”. I never saw
mydrvr.sys mapped, so - as my guess of the same quality goes

  • its executable is copied into memory and resides there, be it
    pagefile or not (I ignore details like INIT sections here).

[But what about a service EXE/DLL then? It is mapped, and
a driver is a service… Gosh, it was so simple, why did you
ask the question ???]

BTW, the fact that filemon is being hit at APC (at least), isn’t it a
proof that “yes” is the correct answer?

I’ll stage an experiment. Thanks for posting, anyway:-)



I would also wonder about drivers that provide messages via .mc files and
the registry key to find those strings in the driver. My guess is that
either would make deleting the driver while it is executing a bad idea. So
just don’t do either.


> My guess is that either would make deleting the driver while it is
> executing a bad idea. So just don’t do either.

On the contrary, it may be the right time to stage an experiment.
Problem is, paging can be ok for a while, where “a while” can take
a minute until a BSOD - or a thousand years.

Maybe, someone knows the correct answer?

The “Rootkits” book is in the office, but IIRC the author states that
you can delete the sys always.

And no, he is not a bad guy. Does not work for Sony anyway:-)


I don’t know if the OS retains a handle to the driver even if parts are
pagable or contain messages. You can force the behavior by using Driver
Verifier and set the option that forces all paged memory to be marked paged
out so it can detect references that are invalid.


Once the driver is loaded, it is backed by the pagefile. That means
that you can delete the sys file, or a more common action, overwrite it
with a new version of the driver (both of which would fail if there was
an open handle to the image).

If you open event viewer and open up an event that the driver posted,
event viewer will open handle to driver (to get the message table) and
keep the handle open until the viewer is closed. That means that while
the viewer is open you cannot delete nor overwrite the file.

d


zeppelin@io.com wrote:

> It appears that by some magic Sysinternals filemon.exe has a
> driver embedded inside it. Is my observation correct, and are there
> any technical resources that cover this kind of thing (in other
> words: how can I do it :) )?

If you go by Mark Russinovich’s own description (Sysinternals blog,
“Multi-platform Images”, September 2005), Winternals took their
approach from the “Hiding Your Driver” description in James Finnegan’s
“Pop Open a Privileged Set of APIs with Windows NT Kernel Mode
Drivers” in Microsoft Systems Journal (now MSDN Magazine) March 1998.

Multi-platform Images
http://www.sysinternals.com/blog/2005_09_01_archive.html

Pop Open a Privileged Set of APIs with Windows NT Kernel Mode Drivers
http://www.microsoft.com/MSJ/0398/driver.aspx

Alan Adams

> That means that you can delete the sys file…
>
> If you open event viewer and open up an event…

That answers the question in full.
I just saved a minute - or 1,000 years - of experimenting:-)

Thanks.


Embed it as binary resource, then the EXE will write it away from the
resource to the tmp file, and then CreateService/StartService on this tmp file.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

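The sequence the replies above agree on (resource, temp file on a local drive, CreateService as a kernel driver, StartService), as an added example in Python over ctypes. This is my code, not Sysinternals' and not from anyone in this thread. It assumes the host EXE carries the driver as an RT_RCDATA resource (one `.rc` line of the form `MYDRIVER RCDATA "mydriver.sys"` produces that) under a name you pass on the command line, that it runs elevated, and, on current x64 Windows, that the driver is signed, since the kernel refuses unsigned images there. The Win32 calls only exist on Windows; `is_local_path` and the GetDriveTypeW check together enforce Tony's "local drive" requirement, and `delete_after` exercises the deletion discussed further down in the thread.

```python
import ctypes
import os
import sys
import tempfile

RT_RCDATA = 10                         # "RCDATA" user-defined resource type in the .rc
LOAD_LIBRARY_AS_DATAFILE = 0x00000002  # map the host image without running it
SC_MANAGER_ALL_ACCESS = 0x000F003F
SERVICE_ALL_ACCESS = 0x000F01FF
SERVICE_KERNEL_DRIVER = 0x00000001
SERVICE_DEMAND_START = 0x00000003
SERVICE_ERROR_NORMAL = 0x00000001
ERROR_SERVICE_EXISTS = 1073
DRIVE_FIXED = 3


def is_local_path(path):
    """Refuse UNC paths: the kernel will not load a driver image from a share.
    Pure string logic (mapped drive letters are caught by GetDriveTypeW later)."""
    p = path.replace("/", "\\")
    if p.startswith("\\\\?\\UNC\\") or p.startswith("\\\\.\\UNC\\"):
        return False
    if p.startswith("\\\\?\\") or p.startswith("\\\\.\\"):
        p = p[4:]                      # drop the extended-length prefix
    if p.startswith("\\\\"):
        return False                   # \\server\share\...
    return len(p) >= 3 and p[0].isalpha() and p[1] == ":" and p[2] == "\\"


def _proto(dll, name, restype, *argtypes):
    fn = getattr(dll, name)
    fn.restype, fn.argtypes = restype, list(argtypes)
    return fn


def extract_resource(host_exe, res_name, res_type=RT_RCDATA):
    """Copy one resource out of host_exe. res_name/res_type are a string or an
    integer ID; an int passed through a void* parameter is MAKEINTRESOURCE."""
    V, U32, W = ctypes.c_void_p, ctypes.c_uint32, ctypes.c_wchar_p
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    LoadLibraryExW = _proto(k32, "LoadLibraryExW", V, W, V, U32)
    FindResourceW = _proto(k32, "FindResourceW", V, V, V, V)
    LoadResource = _proto(k32, "LoadResource", V, V, V)
    LockResource = _proto(k32, "LockResource", V, V)
    SizeofResource = _proto(k32, "SizeofResource", U32, V, V)
    FreeLibrary = _proto(k32, "FreeLibrary", ctypes.c_int, V)
    hmod = LoadLibraryExW(host_exe, None, LOAD_LIBRARY_AS_DATAFILE)
    if not hmod:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        hres = FindResourceW(hmod, res_name, res_type)
        if not hres:
            raise ctypes.WinError(ctypes.get_last_error())
        size = SizeofResource(hmod, hres)
        ptr = LockResource(LoadResource(hmod, hres))
        if not ptr or not size:
            raise ctypes.WinError(ctypes.get_last_error())
        return ctypes.string_at(ptr, size)  # copy out before the mapping goes away
    finally:
        FreeLibrary(hmod)


def install_and_start(service_name, sys_path):
    """CreateService(SERVICE_KERNEL_DRIVER) then StartService; reuses an existing entry."""
    V, U32, W = ctypes.c_void_p, ctypes.c_uint32, ctypes.c_wchar_p
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    if _proto(k32, "GetDriveTypeW", U32, W)(sys_path[:3]) != DRIVE_FIXED:  # "C:\"
        raise ValueError("driver image must sit on a local fixed drive: " + sys_path)
    adv = ctypes.WinDLL("advapi32", use_last_error=True)
    OpenSCManagerW = _proto(adv, "OpenSCManagerW", V, W, W, U32)
    CreateServiceW = _proto(adv, "CreateServiceW", V, V, W, W, U32, U32, U32, U32,
                            W, W, V, W, W, W)
    OpenServiceW = _proto(adv, "OpenServiceW", V, V, W, U32)
    StartServiceW = _proto(adv, "StartServiceW", ctypes.c_int, V, U32, V)
    CloseServiceHandle = _proto(adv, "CloseServiceHandle", ctypes.c_int, V)
    scm = OpenSCManagerW(None, None, SC_MANAGER_ALL_ACCESS)
    if not scm:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        svc = CreateServiceW(scm, service_name, service_name, SERVICE_ALL_ACCESS,
                             SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START,
                             SERVICE_ERROR_NORMAL, sys_path, None, None, None, None, None)
        if not svc and ctypes.get_last_error() == ERROR_SERVICE_EXISTS:
            svc = OpenServiceW(scm, service_name, SERVICE_ALL_ACCESS)  # keeps its old ImagePath
        if not svc:
            raise ctypes.WinError(ctypes.get_last_error())
        try:
            if not StartServiceW(svc, 0, None):
                raise ctypes.WinError(ctypes.get_last_error())
        finally:
            CloseServiceHandle(svc)
    finally:
        CloseServiceHandle(scm)


def drop_and_load(host_exe, res_name, service_name, delete_after=False):
    """Resource -> .sys in %TEMP% (a local drive) -> SCM -> start. With
    delete_after=True the file is unlinked once the driver runs: as the thread
    says, the loaded image is no longer tied to it."""
    image = extract_resource(host_exe, res_name)
    sys_path = os.path.join(tempfile.gettempdir(), service_name + ".sys")
    if not is_local_path(sys_path):
        raise ValueError("refusing non-local path: " + sys_path)
    with open(sys_path, "wb") as f:
        f.write(image)
    install_and_start(service_name, sys_path)
    if delete_after:
        os.remove(sys_path)
    return sys_path


if __name__ == "__main__":  # python drop_and_load.py host.exe MYDRIVER MyDriverSvc
    print(drop_and_load(sys.argv[1], sys.argv[2], sys.argv[3]))
```

Two things worth keeping in mind when you use this pattern for real: if the service already exists the SCM keeps the old ImagePath, so a new drop to a different temp name will not be what gets loaded; and `%TEMP%` is writable by the user, so anything that races you between the write and StartService can swap the file (writing to a directory only administrators can modify is the safer choice).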

> > Not so with .sys, file deletion is ok even though the driver runs, and
> > this is the magic.
>
> Is this still true however where the driver contains paged code?

I always replaced the old driver binary with the rebuilt new driver binary
during my debug cycle. I never saw any issues with it, even with paged code.
The .SYS file of the loaded driver is not locked and can be deleted/replaced.

It is so on all OSes from NT4 to 2003.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

> I would also wonder about drivers that provide messages via .mc files and
> the registry key to find those strings in the driver. My guess is that
> either would make deleting the driver while it is executing a bad idea. So

Deleting the driver while it is executed is fine.

Deleting the driver while the event log is opened in Event Viewer (if the
driver is registered as message source) really causes “this file has a mapped
view” or similar error.

Event Viewer (and the underlying advapi32.dll) uses memory mapped files for
message sources.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

> If you open event viewer and open up an event that the driver posted,
> event viewer will open handle to driver (to get the message table) and
> keep the handle open until the viewer is closed. That means that while
Not a handle I think. According to the error message - not usual sharing
violation “…being used by another process”, but something like “…has a
mapped section” - the event log reading facilities in advapi32 map the file to
memory and then close the handle.

The file is not deletable/replaceable anyway in this case.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
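The flip side of the point Doron and Maxim make is a hunt: a kernel service whose registered ImagePath no longer exists while the driver is running is exactly what the drop-and-delete pattern in this thread leaves behind. The following is an added example (my code, not from the thread) that normalises the forms ImagePath takes under HKLM\SYSTEM\CurrentControlSet\Services and reports running drivers with no image on disk. The service records and the set of files "on disk" are constructed sample data; on a live host the records come from `winreg` (Type and ImagePath values) plus the SCM for state (`sc query type= driver`), and `exists` is simply `os.path.exists`. The lookup is passed in as a parameter so the logic runs anywhere.

```python
import ntpath

SERVICE_KERNEL_DRIVER = 0x01
SERVICE_WIN32_OWN_PROCESS = 0x10


def normalize_image_path(image_path, system_root=r"C:\Windows"):
    """Map the forms a service's ImagePath value takes to one lower-cased Win32 path.

    Seen under the Services key: '\\SystemRoot\\System32\\drivers\\x.sys',
    'System32\\drivers\\x.sys' (relative to SystemRoot), '\\??\\C:\\dir\\x.sys',
    '\\\\?\\C:\\dir\\x.sys', '\\DosDevices\\C:\\dir\\x.sys', '%SystemRoot%\\...',
    and a plain, possibly quoted, 'C:\\dir\\x.sys'.
    """
    p = image_path.strip().strip('"').replace("/", "\\")
    low = p.lower()
    prefixes = (
        ("\\systemroot\\", system_root),
        ("%systemroot%\\", system_root),
        ("\\dosdevices\\", ""),
        ("\\??\\", ""),
        ("\\\\?\\", ""),
    )
    for prefix, root in prefixes:
        if low.startswith(prefix):
            rest = p[len(prefix):]
            p = ntpath.join(root, rest) if root else rest
            break
    else:
        if not (len(p) > 1 and p[1] == ":"):
            p = ntpath.join(system_root, p.lstrip("\\"))  # bare relative path
    return ntpath.normpath(p).lower()


def find_orphaned_drivers(services, exists, system_root=r"C:\Windows"):
    """services: iterable of (name, type, state, image_path) records.
    exists: callable path -> bool (os.path.exists on a live system).
    Returns [(name, normalized_path)] for kernel drivers that are running
    but whose image file is gone."""
    orphans = []
    for name, svc_type, state, image_path in services:
        if svc_type != SERVICE_KERNEL_DRIVER or state != "RUNNING":
            continue
        path = normalize_image_path(image_path, system_root)
        if not exists(path):
            orphans.append((name, path))
    return orphans


# Constructed sample of what a registry/SCM walk might return. "dropped" is a
# hypothetical service name standing in for a filemon-style temp driver.
SAMPLE_SERVICES = [
    ("disk",    SERVICE_KERNEL_DRIVER,     "RUNNING", r"\SystemRoot\System32\drivers\disk.sys"),
    ("tcpip",   SERVICE_KERNEL_DRIVER,     "RUNNING", r"System32\drivers\tcpip.sys"),
    ("dropped", SERVICE_KERNEL_DRIVER,     "RUNNING", r"\??\C:\Users\zep\AppData\Local\Temp\dropped.sys"),
    ("oldtool", SERVICE_KERNEL_DRIVER,     "STOPPED", r"\??\C:\Temp\oldtool.sys"),
    ("Spooler", SERVICE_WIN32_OWN_PROCESS, "RUNNING", r"%SystemRoot%\System32\spoolsv.exe"),
]
# Constructed: the files that "exist" on this imaginary host.
SAMPLE_ON_DISK = {
    r"c:\windows\system32\drivers\disk.sys",
    r"c:\windows\system32\drivers\tcpip.sys",
    r"c:\windows\system32\spoolsv.exe",
}


if __name__ == "__main__":
    for name, path in find_orphaned_drivers(SAMPLE_SERVICES, SAMPLE_ON_DISK.__contains__):
        print("running driver with no image on disk: %s -> %s" % (name, path))
```

An orphaned entry is not proof of anything by itself: a driver updated in place the way Maxim describes looks identical for the instant between the delete and the rewrite, and the Event Viewer case shows why a legitimate tool may leave its file behind instead. It is, however, a cheap first filter before pulling the loaded module list and comparing hashes.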

ZEP:

The most common way is to include it as a resource in the RC script.
See “User-Defined Resource” in the Resource Compiler documentation in
the Platform SDK.

MM


> Doron Holan:
>
> Once the driver is loaded, it is backed by the pagefile. That means
> that you can delete the sys file, or a more common action, overwrite it
> with a new version of the driver (both of which would fail if there was
> an open handle to the image).

So why can’t drivers be loaded from a network drive?

Dmitriy Budko
VMware