Hi folks,
Is it possible to enumerate, from a driver, all driver objects currently present in the system?
I know of ZwQuerySystemInformation, but that gives me the loaded modules’ base address.
TIA
You could use the undocumented ZwQueryDirectoryObject to do this.
Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
“xxxxx@yahoo.es” wrote in message
news:xxxxx@ntdev:
> Hi folks,
>
> Is it possible to enumerate, from a driver, all driver objects currently present in the system?
> I know of ZwQuerySystemInformation, but that gives me the loaded modules’ base address.
>
> TIA
Thanks Don, will try!
Once you have the list, what are you going to do with it? If you want a list of loaded modules, you can use auxklib to get that in a documented way.
d
Sent from a phone with no keyboard
-----Original Message-----
From: xxxxx@yahoo.es
Sent: October 26, 2010 7:05 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] DRIVER_OBJECT enumeration
Thanks Don, will try!
—
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
Hi Doron,
It’s the DRIVER_OBJECT data that I’m interested in.
I don’t want to create malware, just check for changes in dispatch pointers.
Thanks!
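An added example, not code from anyone in this thread: a user-mode model of the check the original poster describes, built around the two pieces the replies above point at, the directory enumeration Don suggests and the dispatch-pointer comparison the poster wants. ZwQueryDirectoryObject only exists in the kernel, so the enumeration path is described in the comments and the driver snapshots, module table, addresses and names below are constructed stand-ins that mirror the DRIVER_OBJECT fields (DriverStart, DriverSize, MajorFunction[]) rather than the real structures. In a real driver each name listed under \Driver would be resolved with ObReferenceObjectByName and IoDriverObjectType, and the table copied while that reference is held, rather than by walking kernel-owned linked lists.

```c
/* Added example (not from the thread). In kernel mode the snapshot would be
 * built by ZwOpenDirectoryObject("\\Driver", DIRECTORY_QUERY), repeated
 * ZwQueryDirectoryObject calls yielding OBJECT_DIRECTORY_INFORMATION entries,
 * and ObReferenceObjectByName(..., *IoDriverObjectType, ...) for each name.
 * Everything below is a constructed user-mode stand-in so the check can run. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IRP_MJ_MAXIMUM_FUNCTION 0x1b      /* highest IRP_MJ_xxx code in ntddk.h */
#define NUM_DISPATCH (IRP_MJ_MAXIMUM_FUNCTION + 1)
#define IRP_MJ_CREATE         0x00
#define IRP_MJ_CLOSE          0x02
#define IRP_MJ_READ           0x03
#define IRP_MJ_WRITE          0x04
#define IRP_MJ_DEVICE_CONTROL 0x0e
#define IRP_MJ_PNP            0x1b

typedef struct {
    const char *name;                      /* object name under \Driver */
    uint64_t driver_start;                 /* DRIVER_OBJECT.DriverStart */
    uint64_t driver_size;                  /* DRIVER_OBJECT.DriverSize */
    uint64_t major_function[NUM_DISPATCH]; /* DRIVER_OBJECT.MajorFunction[] */
} driver_snapshot_t;

typedef struct { const char *name; uint64_t base; uint64_t size; } module_t;

typedef enum {
    DISPATCH_OK = 0,              /* inside the owning image or the kernel */
    DISPATCH_IN_OTHER_MODULE = 1, /* inside some other loaded image */
    DISPATCH_UNBACKED = 2         /* inside no loaded image at all */
} dispatch_verdict_t;

/* Constructed module table standing in for SystemModuleInformation output.
 * Index 0 is the kernel: IRP_MJ slots a driver does not handle point at a
 * default routine inside ntoskrnl, so the kernel image is always allowed. */
#define NUM_MODULES 3
const module_t g_modules[NUM_MODULES] = {
    { "ntoskrnl.exe", 0xFFFFF80000000000ULL, 0x00600000ULL },
    { "disk.sys",     0xFFFFF88001000000ULL, 0x00020000ULL },
    { "other.sys",    0xFFFFF88002000000ULL, 0x00010000ULL },
};

static int in_range(uint64_t p, uint64_t base, uint64_t size) {
    return p >= base && p < base + size;
}

/* Where does one dispatch pointer land: owning image/kernel, another image, or nowhere? */
dispatch_verdict_t classify_pointer(uint64_t p, const driver_snapshot_t *drv,
                                    const module_t *mods, size_t nmods) {
    if (in_range(p, drv->driver_start, drv->driver_size) ||
        in_range(p, mods[0].base, mods[0].size))
        return DISPATCH_OK;
    for (size_t i = 1; i < nmods; i++)
        if (in_range(p, mods[i].base, mods[i].size))
            return DISPATCH_IN_OTHER_MODULE;
    return DISPATCH_UNBACKED;
}

/* Compare a fresh snapshot with the baseline recorded when the checker started.
 * verdicts[] gets a classification for every slot of the current table; the
 * return value is the number of slots whose pointer differs from the baseline. */
size_t audit_dispatch(const driver_snapshot_t *baseline, const driver_snapshot_t *current,
                      const module_t *mods, size_t nmods, dispatch_verdict_t verdicts[NUM_DISPATCH]) {
    size_t changed = 0;
    for (size_t i = 0; i < NUM_DISPATCH; i++) {
        verdicts[i] = classify_pointer(current->major_function[i], current, mods, nmods);
        if (current->major_function[i] != baseline->major_function[i])
            changed++;
    }
    return changed;
}

/* Constructed sample: disk.sys handles a few IRP_MJ codes itself and leaves the
 * rest on the kernel default; the "current" copy has two slots redirected. */
void build_sample(driver_snapshot_t *baseline, driver_snapshot_t *current) {
    const uint64_t kernel_default = 0xFFFFF80000123450ULL;
    memset(baseline, 0, sizeof *baseline);
    baseline->name = "\\Driver\\Disk";
    baseline->driver_start = g_modules[1].base;
    baseline->driver_size = g_modules[1].size;
    for (size_t i = 0; i < NUM_DISPATCH; i++)
        baseline->major_function[i] = kernel_default;
    baseline->major_function[IRP_MJ_CREATE]         = g_modules[1].base + 0x1000;
    baseline->major_function[IRP_MJ_CLOSE]          = g_modules[1].base + 0x1100;
    baseline->major_function[IRP_MJ_READ]           = g_modules[1].base + 0x2000;
    baseline->major_function[IRP_MJ_WRITE]          = g_modules[1].base + 0x2200;
    baseline->major_function[IRP_MJ_DEVICE_CONTROL] = g_modules[1].base + 0x3000;
    baseline->major_function[IRP_MJ_PNP]            = g_modules[1].base + 0x4000;
    *current = *baseline;
    current->major_function[IRP_MJ_WRITE]          = g_modules[2].base + 0x500; /* another image */
    current->major_function[IRP_MJ_DEVICE_CONTROL] = 0xFFFFFA8000123000ULL;    /* no image */
}

int main(void) {
    driver_snapshot_t baseline, current;
    dispatch_verdict_t verdicts[NUM_DISPATCH];
    build_sample(&baseline, &current);
    size_t changed = audit_dispatch(&baseline, &current, g_modules, NUM_MODULES, verdicts);
    printf("%s: %zu dispatch slot(s) changed since baseline\n", current.name, changed);
    for (size_t i = 0; i < NUM_DISPATCH; i++) {
        if (current.major_function[i] == baseline.major_function[i] && verdicts[i] == DISPATCH_OK)
            continue;
        printf("  IRP_MJ 0x%02zx -> 0x%016llx  %s\n", i, (unsigned long long)current.major_function[i],
               verdicts[i] == DISPATCH_OK ? "ok" :
               verdicts[i] == DISPATCH_IN_OTHER_MODULE ? "in another image" : "not backed by any image");
    }
    return 0;
}
```

The baseline is the table as seen when the checker first runs, so anything patched before that is only caught by the location test, not the change test; that is why both are reported. A pointer outside the owning image is a signal rather than proof: the kernel default routine is expected there, and some legitimate products redirect dispatch entries too, so the result is something to alert on and attribute, not to act on automatically.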
Doesn’t PatchGuard already do this?
Regards,
George.
wrote in message news:xxxxx@ntdev…
> Hi Doron,
>
> It’s the DRIVER_OBJECT data that I’m interested in.
> I don’t want to create malware, just check for changes in dispatch
> pointers.
>
Try AuxKLibXxx
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
wrote in message news:xxxxx@ntdev…
> Hi folks,
>
> Is it possible to enumerate, from a driver, all driver objects currently present in the system?
> I know of ZwQuerySystemInformation, but that gives me the loaded modules’ base address.
>
> TIA
>
Maxim,
Auxklib enumerates loader module entries. The OP wants the driver objects.
Regards,
George.
Well, IIRC most of the “rootkit developers books” recommend to iterate
linked list (LIST_ENTRY ) of device objects starting from one passed into
your DriverEntry.
For example, download src from (make sure to shutdown your antivirus)
http://www.wrox.com/WileyCDA/WroxTitle/Professional-Rootkits.productCd-0470101547,descCd-DOWNLOAD.html
and take a look at Professional Rootkits Code 2-2-07\Chapter02Ghost\Ghost.c
This is for studying purposes, of course.
–
Volodymyr
wrote in the discussion group message:
xxxxx@ntdev…
> Hi Doron,
>
> It’s the DRIVER_OBJECT data that I’m interested in.
> I don’t want to create malware, just check for changes in dispatch
> pointers.
>
> Thanks!
>
And like any other linked list in the kernel you cannot control your
accesses with the kernel’s additions or deletions from list, so the
example is perfect for a rootkit or other malware, sooner or later it is
guaranteed to crash the system.
Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
“Volodymyr M. Shcherbyna” wrote in message
news:xxxxx@ntdev:
> Well, IIRC most of the “rootkit developers books” recommend to iterate
> linked list (LIST_ENTRY ) of device objects starting from one passed into
> your DriverEntry.
>
> For example, download src from (make sure to shutdown your antivirus)
> http://www.wrox.com/WileyCDA/WroxTitle/Professional-Rootkits.productCd-0470101547,descCd-DOWNLOAD.html
> and take a look at Professional Rootkits Code 2-2-07\Chapter02Ghost\Ghost.c
>
> This is for studying purposes, of course.
>
> –
> Volodymyr
>
> wrote in the discussion group message:
> xxxxx@ntdev…
> > Hi Doron,
> >
> > It’s the DRIVER_OBJECT data that I’m interested in.
> > I don’t want to create malware, just check for changes in dispatch
> > pointers.
> >
> > Thanks!
> >
Of course, this is understandable and even not worth mentioning.
–
Volodymyr
“Don Burn” wrote in the discussion group message:
xxxxx@ntdev…
> And like any other linked list in the kernel you cannot control your
> accesses with the kernel’s additions or deletions from list, so the
> example is perfect for a rootkit or other malware, sooner or later it is
> guaranteed to crash the system.
>
>
> Don Burn (MVP, Windows DKD)
> Windows Filesystem and Driver Consulting
> Website: http://www.windrvr.com
> Blog: http://msmvps.com/blogs/WinDrvr
>
>
>
>
> “Volodymyr M. Shcherbyna” wrote in message
> news:xxxxx@ntdev:
>
>> Well, IIRC most of the “rootkit developers books” recommend to iterate
>> linked list (LIST_ENTRY ) of device objects starting from one passed into
>> your DriverEntry.
>>
>> For example, download src from (make sure to shutdown your antivirus)
>> http://www.wrox.com/WileyCDA/WroxTitle/Professional-Rootkits.productCd-0470101547,descCd-DOWNLOAD.html
>> and take a look at Professional Rootkits Code
>> 2-2-07\Chapter02Ghost\Ghost.c
>>
>> This is for studying purposes, of course.
>>
>> –
>> Volodymyr
>>
>> wrote in the discussion group message:
>> xxxxx@ntdev…
>> > Hi Doron,
>> >
>> > It’s the DRIVER_OBJECT data that I’m interested in.
>> > I don’t want to create malware, just check for changes in dispatch
>> > pointers.
>> >
>> > Thanks!
>> >
>
>
Obviously, if you are writing a commercial rootkit product liability is not
your primary concern.
Regards,
George.
“Don Burn” wrote in message news:xxxxx@ntdev…
> And like any other linked list in the kernel you cannot control your
> accesses with the kernel’s additions or deletions from list, so the
> example is perfect for a rootkit or other malware, sooner or later it is
> guaranteed to crash the system.
>
>
> Don Burn (MVP, Windows DKD)
> Windows Filesystem and Driver Consulting
> Website: http://www.windrvr.com
> Blog: http://msmvps.com/blogs/WinDrvr
>
>
>
>
> “Volodymyr M. Shcherbyna” wrote in message
> news:xxxxx@ntdev:
>
>> Well, IIRC most of the “rootkit developers books” recommend to iterate
>> linked list (LIST_ENTRY ) of device objects starting from one passed into
>> your DriverEntry.
>>
>> For example, download src from (make sure to shutdown your antivirus)
>> http://www.wrox.com/WileyCDA/WroxTitle/Professional-Rootkits.productCd-0470101547,descCd-DOWNLOAD.html
>> and take a look at Professional Rootkits Code
>> 2-2-07\Chapter02Ghost\Ghost.c
>>
>> This is for studying purposes, of course.
>>
>> –
>> Volodymyr
>>
>> wrote in the discussion group message:
>> xxxxx@ntdev…
>> > Hi Doron,
>> >
>> > It’s the DRIVER_OBJECT data that I’m interested in.
>> > I don’t want to create malware, just check for changes in dispatch
>> > pointers.
>> >
>> > Thanks!
>> >
>
>
>>Doesn’t PatchGuard already do this?
I don’t think it checks for Major functions of any driver. (probably NDIS apart from kernel), or this is what I read last time.
That’s my (fairly dated) understanding as well - kernel, hal + ndis. Might
check things like peauth as well; not sure.
mm
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Wednesday, October 27, 2010 3:27 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] DRIVER_OBJECT enumeration
>Doesn’t PatchGuard already do this?
I don’t think it checks for Major functions of any driver. (probably NDIS
apart from kernel), or this is what I read last time.