Getting Current Driver path

Hi

I want to receive my current driver’s full path, like:

C:\Windows\System32\Drivers\MyDriver.sys

How is it possible?

Please advise.

Regards

You could look at the value of ‘ImagePath’ of your service key in the
registry.

What do you want to do with this information?

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@yahoo.com
Sent: Wednesday, February 16, 2011 12:10 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Getting Current Driver path

Hi

I want to receive my current driver’s full path, like:

C:\Windows\System32\Drivers\MyDriver.sys

How is it possible?

Please advise.

Regards


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

I want a better method, like using an API like ZwQuerySystemInformation or something else.

I want to be sure I’m running from System32\Drivers for some reasons.

Best regards

— On Wed, 16/2/11, Martin O’Brien wrote:

From: Martin O’Brien
Subject: RE: [ntdev] Getting Current Driver path
To: “Windows System Software Devs Interest List”
Date: Wednesday, 16 February, 2011, 9:08

You could look at the value of ‘ImagePath’ of your service key in the
registry.

What do you want to do with this information?

mm


If you’re trying to design security based on this information, it’s at best very fragile.

If that’s your goal – some sort of security, wouldn’t you be more interested in knowing you’re running a particular binary? That is, check to see if it is signed and so forth?

Good luck,

mm

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of mehdi yaghobi
Sent: Wednesday, February 16, 2011 12:11 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Getting Current Driver path

I want a better method, like using an API like ZwQuerySystemInformation or something else.

I want to be sure I’m running from System32\Drivers for some reasons.

Best regards


I have to do it as it’s in the project description I have, so I have to get my driver file path, sorry, maybe it’s not so logical, but I have to. Is there any way of doing it?

Regards

— On Wed, 16/2/11, Martin O’Brien wrote:

From: Martin O’Brien
Subject: RE: [ntdev] Getting Current Driver path
To: “Windows System Software Devs Interest List”
Date: Wednesday, 16 February, 2011, 9:15

If you’re trying to design security based on this information,
it’s at best very fragile.

If that’s your goal – some sort of security, wouldn’t you be
more interested in knowing you’re running a particular binary? That is, check
to see if it is signed and so forth?

Good luck,

mm




So you think using an undocumented call is better than using a
documented registry item? If your concern is which version of the
driver you have, consider using a technique Ed Dekker showed me. He puts
the following in every source file:

void XXXTimestamp()
{
    /* __FILE__, __TIMESTAMP__, __DATE__ and __TIME__ are predefined preprocessor macros */
    DbgPrint("Timestamp %s - Last source modification %s Compiled %s %s\n",
             __FILE__, __TIMESTAMP__, __DATE__, __TIME__);
}

Where XXX is changed to be unique for the file, then in DriverEntry he
calls a routine that calls all of these to print the values.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“mehdi yaghobi” wrote in message
news:xxxxx@ntdev:

> I want a better method, like using an API like ZwQuerySystemInformation or something else.
>
> I want to be sure I’m running from System32\Drivers for some reasons.
>
> Best regards

Undocumented API would be good, I don’t care about documentation. But I don’t want version, I have to know exact path. Documented or not documented API would just work, but not registry.

Thanks
Regards

— On Wed, 16/2/11, Don Burn wrote:

From: Don Burn
Subject: RE:[ntdev] Getting Current Driver path
To: “Windows System Software Devs Interest List”
Date: Wednesday, 16 February, 2011, 9:19

So you think using an undocumented call is better than using a
documented registry item? If your concern is which version of the
driver you have, consider using a technique Ed Dekker showed me. He puts
the following in every source file:

void XXXTimestamp()
{
    /* __FILE__, __TIMESTAMP__, __DATE__ and __TIME__ are predefined preprocessor macros */
    DbgPrint("Timestamp %s - Last source modification %s Compiled %s %s\n",
             __FILE__, __TIMESTAMP__, __DATE__, __TIME__);
}

Where XXX is changed to be unique for the file, then in DriverEntry he
calls a routine that calls all of these to print the values.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr


I heard some stuff about IopBuildFullDriverPath but can’t get it working.

Regards

— On Wed, 16/2/11, Don Burn wrote:

From: Don Burn
Subject: RE:[ntdev] Getting Current Driver path
To: “Windows System Software Devs Interest List”
Date: Wednesday, 16 February, 2011, 9:19

So you think using an undocumented call is better than using a
documented registry item? If your concern is which version of the
driver you have, consider using a technique Ed Dekker showed me. He puts
the following in every source file:

void XXXTimestamp()
{
    /* __FILE__, __TIMESTAMP__, __DATE__ and __TIME__ are predefined preprocessor macros */
    DbgPrint("Timestamp %s - Last source modification %s Compiled %s %s\n",
             __FILE__, __TIMESTAMP__, __DATE__, __TIME__);
}

Where XXX is changed to be unique for the file, then in DriverEntry he
calls a routine that calls all of these to print the values.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr


So for questionable security you are ok with an API that is totally
undocumented and can change from rev to rev causing your driver to crash
the system? Why do you think knowing the path of your driver is going
to do anything?

Please let us know the name of the product, so we can avoid this piece
of shit.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“mehdi yaghobi” wrote in message
news:xxxxx@ntdev:

> Undocumented API would be good, I don’t care about documentation. But I don’t want version, I have to know exact path. Documented or not documented API would just work, but not registry.
>
> Thanks
> Regards

Why?

Hypothetically, let’s say that there was a function called
ZwGetFullDriverPathFromDriverName(), and when you called it, it told you
that you were in fact executing from \windows\system32\drivers or wherever
it is that you want to be executing from.

That doesn’t mean that you’re necessarily executing your driver. Somebody
could have replaced it, created a link to some other file, etc., and it
says NOTHING about the contents of your driver. When hardlinks are
considered, this question doesn’t even really have a meaningful answer.

Now, these scenarios are not exactly common, nor can you really do anything
about them, but that’s the point. You’re going off into the weeds in
pursuit of a source of information that’s not guaranteed to be any better
than what you can get from ImagePath, and if you’re basing decisions on
where your driver is located - whether you get that information from
ImagePath or somewhere else, you’re likely going to get into trouble.

mm

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of mehdi yaghobi
Sent: Wednesday, February 16, 2011 12:24 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Getting Current Driver path

Undocumented API would be good, I don’t care about documentation. But I
don’t want version, I have to know exact path. Documented or not documented
API would just work, but not registry.

Thanks
Regards


You do realize that Iop stands for I/O private, i.e. a non-exported
undocumented call.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“mehdi yaghobi” wrote in message
news:xxxxx@ntdev:

> I heard some stuff about IopBuildFullDriverPath but can’t get it working.
>
> Regards

OK. Assume my Driver’s Key is SecCore, how can I read its ImagePath from Registry?

Regards

— On Wed, 16/2/11, Don Burn wrote:

From: Don Burn
Subject: Re:[ntdev] RE:Getting Current Driver path
To: “Windows System Software Devs Interest List”
Date: Wednesday, 16 February, 2011, 9:33

So for questionable security you are ok with an API that is totally
undocumented and can change from rev to rev causing your driver to crash
the system? Why do you think knowing the path of your driver is going
to do anything?

Please let us know the name of the product, so we can avoid this piece
of shit.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr


In a nutshell: you get the service key path as an argument to DriverEntry()
(depending on your type of driver); open a handle to it with ZwOpenKey();
read the value with ZwQueryValueKey() or one of the Rtl registry routines.

For the details, read the docs.

Good luck,

mm
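
Added example, not code from the thread or from any poster: once ImagePath has been read with the steps above, the string still has to be interpreted, and this portable C classifier shows what a "is it System32\Drivers?" comparison has to cope with. It assumes three common spellings of the value (\SystemRoot\..., \??\<drive>:\..., and a path relative to the system root) and a caller-supplied system root; the function names and sample strings are constructed. A match describes the registry string only, not the file behind it, which is the limitation raised earlier in the thread.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum image_loc { IMG_UNRECOGNIZED = -1, IMG_ELSEWHERE = 0, IMG_IN_DRIVERS = 1 };

/* Case-insensitive prefix match: bytes consumed, or 0 if s does not start with prefix. */
static size_t skip_prefix_ci(const char *s, const char *prefix)
{
    size_t i;
    for (i = 0; prefix[i] != '\0'; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)prefix[i]))
            return 0;
    return i;
}

/* Does the n-byte path component at s equal name, ignoring case? */
static int component_is(const char *s, size_t n, const char *name)
{
    return strlen(name) == n && skip_prefix_ci(s, name) == n;
}

/*
 * Classify an ImagePath string that was already read from the service key.
 * system_root is supplied by the caller (assumption), e.g. "C:\\Windows",
 * without a trailing backslash.
 */
enum image_loc classify_image_path(const char *image_path, const char *system_root)
{
    const char *rest = image_path;   /* ends up relative to the system root */
    const char *comp[2] = { NULL, NULL };
    size_t len[2] = { 0, 0 };
    size_t n, count = 0;

    if (image_path == NULL || system_root == NULL || image_path[0] == '\0')
        return IMG_UNRECOGNIZED;

    if ((n = skip_prefix_ci(rest, "\\SystemRoot\\")) != 0) {
        rest += n;                               /* \SystemRoot\System32\... */
    } else if ((n = skip_prefix_ci(rest, "\\??\\")) != 0) {
        rest += n;                               /* \??\C:\Windows\System32\... */
        n = skip_prefix_ci(rest, system_root);
        if (n == 0 || rest[n] != '\\')
            return IMG_ELSEWHERE;                /* absolute, outside the system root */
        rest += n + 1;
    } else if (rest[0] == '\\' || strchr(rest, ':') != NULL) {
        return IMG_UNRECOGNIZED;                 /* a form this example does not handle */
    }                                            /* otherwise: relative to the system root */

    if (strchr(rest, '/') != NULL)
        return IMG_UNRECOGNIZED;

    /* Walk the components; refuse anything that would need resolving rather than guess. */
    while (*rest != '\0') {
        size_t clen = strcspn(rest, "\\");
        if (clen == 0 || component_is(rest, clen, ".") || component_is(rest, clen, ".."))
            return IMG_UNRECOGNIZED;
        if (count < 2) {
            comp[count] = rest;
            len[count] = clen;
        }
        count++;
        rest += clen;
        if (*rest == '\\' && *++rest == '\0')
            return IMG_UNRECOGNIZED;             /* trailing backslash, no file name */
    }

    /* Exactly System32\drivers\<file>: a match describes the string only, not the file. */
    if (count == 3 && component_is(comp[0], len[0], "System32") &&
        component_is(comp[1], len[1], "drivers"))
        return IMG_IN_DRIVERS;
    return IMG_ELSEWHERE;
}

int main(void)
{
    /* Constructed sample values, not taken from a real system. */
    static const char *samples[] = {
        "\\SystemRoot\\System32\\drivers\\MyDriver.sys",
        "system32\\DRIVERS\\MyDriver.sys",
        "\\??\\C:\\Windows\\System32\\Drivers\\MyDriver.sys",
        "\\??\\C:\\Temp\\MyDriver.sys",
        "\\SystemRoot\\System32\\drivers\\..\\MyDriver.sys",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%2d  %s\n", classify_image_path(samples[i], "C:\\Windows"), samples[i]);
    return 0;
}
```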

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of mehdi yaghobi
Sent: Wednesday, February 16, 2011 1:29 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] RE:Getting Current Driver path

OK. Assume my Driver’s Key is SecCore, how can I read its ImagePath from
Registry?

Regards

— On Wed, 16/2/11, Don Burn wrote:

From: Don Burn
Subject: Re:[ntdev] RE:Getting Current Driver path
To: “Windows System Software Devs Interest List”
Date: Wednesday, 16 February, 2011, 9:33

So for questionable security you are ok with an API that is totally
undocumented and can change from rev to rev causing your driver to crash
the system? Why do you think knowing the path of your driver is going
to do anything?

Please let us know the name of the product, so we can avoid this piece
of shit.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

“mehdi yaghobi” wrote in message
news:xxxxx@ntdev:

> Undocumented API would be good, I don’t care about documantation. But I
don’t want version, I have to know exact path. Documented or not documented
API would just work, but not registry.
>
> Thanks
> Regards
>
> — On Wed, 16/2/11, Don Burn wrote:
>
> From: Don Burn
> Subject: RE:[ntdev] Getting Current Driver path
> To: “Windows System Software Devs Interest List”
> Date: Wednesday, 16 February, 2011, 9:19
>
> So you think using an undocumented call is better than using a
> documented registry item? If your concern is which version of the
> driver you have consider using a technique Ed Dekker showed me. He puts
> the following in
> Every source file:
>
> void XXXTimestamp()
> {
> DbgPrint(“Timestamp %s - Last source modification %s Compiled %s
> %s\n”, FILE , TIMESTAMP , DATE , TIME );
> }
>
> Where XXX is changed to be unique for the file, then in DriverEntry he
> calls a routine that calls all of these to print the values.
>
>
>
> Don Burn (MVP, Windows DKD)
> Windows Filesystem and Driver Consulting
> Website: http://www.windrvr.com
> Blog: http://msmvps.com/blogs/WinDrvr
>
>
>
>
> “mehdi yaghobi” wrote in message
> news:xxxxx@ntdev:
>
> > I want a better method, like using API like ZwQuerySystemInformation or something else.
> >
> > I want to be sure I’m running from System32\Drivers for some reasons.
> >
> > Best regards
> >
> > — On Wed, 16/2/11, Martin O’Brien wrote:
> >
> > From: Martin O’Brien
> > Subject: RE: [ntdev] Getting Current Driver path
> > To: “Windows System Software Devs Interest List”
> > Date: Wednesday, 16 February, 2011, 9:08
> >
> > You could look at the value of ‘ImagePath’ of your service key in the
> > registry.
> >
> > What do you want to do with this information?
> >
> >
> > mm
> >
> > -----Original Message-----
> > From: xxxxx@lists.osr.com
> > [mailto:xxxxx@lists.osr.com] On Behalf Of
> > xxxxx@yahoo.com
> > Sent: Wednesday, February 16, 2011 12:10 PM
> > To: Windows System Software Devs Interest List
> > Subject: [ntdev] Getting Current Driver path
> >
> > Hi
> >
> > I want to receive my current driver’s full path, like:
> >
> > C:\Windows\System32\Drivers\MyDriver.sys
> >
> > How it’s possible?
> >
> > Please advice.
> >
> > Regards
> >

> Assume my Driver’s Key is SecCore, how can I read its ImagePath from Registry?

Auch… this is yet another “security” nonsense. Please read again reply of Martin (mm) - the driver path does not mean much. Sysinternals tools, for example, used to delete the service key of their kernel drivers while the binary is still in memory.

The normal documented way to get the path (whatever it is worth) is to use services API or just read it from the driver’s service key. If there is no ImagePath value, it is assumed to be %systemroot%\system32\drivers\<servicename>.sys.

Regards,
–pa

And there are quite a few samples which demonstrate this

d

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Martin O’Brien
Sent: Wednesday, February 16, 2011 10:37 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] RE:Getting Current Driver path

In a nutshell: you get the service key path as an argument to DriverEntry() (depending on your type of driver); open a handle to it with ZwOpenKey(); read the value with ZwQueryValueKey() or one of the Rtl registry routines.

For the details, read the docs.

Good luck,

mm


Never think that you know too much and asker is a newbie. When I asked this question, I was able to do some googling and finding some NtRegXXX for reading ImagePath, for a Win32 developer with 10 years of experience it’s nothing, just I thought maybe there is some non-popular not documented ready made API for it.

It’s not security nonsense, I know enough about security and windows programming to not ask non-sense questions… Just I can’t explain why I need it, you all will say Rootkit question, malware development, etc. So I don’t bother explaining reason. If somebody knows a method, just share. Otherwise I know NtReg stuff. Don’t judge so fast, don’t call everyone newbie, don’t call yourself professional, that’s all


It’s for all who may have same question AND likes to use Registry:

This is what you need:

#include <ntddk.h>

NTSTATUS GetImagePath(PUNICODE_STRING pRegistryPath,
                      PUNICODE_STRING pDest
                      )
//
// Purpose: Get the image path string
//
//
//================================================================
{
    // \Registry\Machine\System\CurrentControlSet\Services\DriverName

    HANDLE Handle;
    NTSTATUS status;
    OBJECT_ATTRIBUTES ObjAttr;
    UNICODE_STRING ImagePathValueName;
    UNICODE_STRING BbfPathValueName;
    UNICODE_STRING TempStr;
    ULONG ulTemp;
    PKEY_VALUE_FULL_INFORMATION pKeyValue;

    ObjAttr.Length = sizeof(ObjAttr);            // ULONG Length;
    ObjAttr.RootDirectory = NULL;                // HANDLE RootDirectory;
    ObjAttr.ObjectName = pRegistryPath;          // PUNICODE_STRING ObjectName;
    ObjAttr.Attributes = OBJ_CASE_INSENSITIVE;   // ULONG Attributes;
    ObjAttr.SecurityDescriptor = NULL;           // PVOID SecurityDescriptor;        // Points to type SECURITY_DESCRIPTOR
    ObjAttr.SecurityQualityOfService = NULL;     // PVOID SecurityQualityOfService;  // Points to type SECURITY_QUALITY_OF_SERVICE

    status =
    ZwOpenKey(
        &Handle,                     // OUT PHANDLE KeyHandle,
        KEY_QUERY_VALUE,             // IN ACCESS_MASK DesiredAccess,
        &ObjAttr                     // IN POBJECT_ATTRIBUTES ObjectAttributes
        );

    if(!NT_SUCCESS(status))
        return status;

    RtlInitUnicodeString(&ImagePathValueName,L"ImagePath");

    ulTemp = 0;

    // query the length of this value information by passing in zero length
    status =
    ZwQueryValueKey(
        Handle,                      // IN HANDLE KeyHandle,
        &ImagePathValueName,         // IN PUNICODE_STRING ValueName,
        KeyValueFullInformation,     // IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
        NULL,                        // OUT PVOID KeyValueInformation,
        ulTemp,                      // IN ULONG Length,
        &ulTemp                      // OUT PULONG ResultLength
        );

    // allocate space for it
    pKeyValue = ExAllocatePool(PagedPool,ulTemp);

    if(pKeyValue == NULL)
    {
        ZwClose(Handle);
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    // read the value key
    status =
    ZwQueryValueKey(
        Handle,                      // IN HANDLE KeyHandle,
        &ImagePathValueName,         // IN PUNICODE_STRING ValueName,
        KeyValueFullInformation,     // IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
        pKeyValue,                   // OUT PVOID KeyValueInformation,
        ulTemp,                      // IN ULONG Length,
        &ulTemp                      // OUT PULONG ResultLength
        );

    if(!NT_SUCCESS(status)){
        ZwClose(Handle);
        ExFreePool(pKeyValue);
        return status;
    }

    // init TempStr to point to this string
    RtlInitUnicodeString(&TempStr,(PCWSTR)((PUCHAR)pKeyValue + pKeyValue->DataOffset));

    // Now we need to know the form of the pathname. We had to make a change
    // (for XP) which got rid of the ??\ stuff and things now begin with
    // System32…
    //
    // The problem is, we need to find the %SystemRoot%.
    //
    // First we will see if this is the old way…
    //
    ExFreePool(pKeyValue);
    if(*(PUCHAR)(TempStr.Buffer) == '\\')
    {
        // Old way
        //
        RtlCopyUnicodeString(pDest,&TempStr);
        ZwClose(Handle);
        return STATUS_SUCCESS;
    }

    // New way
    //
    RtlInitUnicodeString(&BbfPathValueName,L"BbfPath");

    ulTemp = 0;

    // query the length of this value information by passing in zero length
    status =
    ZwQueryValueKey(
        Handle,                      // IN HANDLE KeyHandle,
        &BbfPathValueName,           // IN PUNICODE_STRING ValueName,
        KeyValueFullInformation,     // IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
        NULL,                        // OUT PVOID KeyValueInformation,
        ulTemp,                      // IN ULONG Length,
        &ulTemp                      // OUT PULONG ResultLength
        );

    // allocate space for it
    pKeyValue = ExAllocatePool(PagedPool,ulTemp);

    if(pKeyValue == NULL)
    {
        ZwClose(Handle);
        return STATUS_INSUFFICIENT_RESOURCES;
    }

    // read the value key
    status =
    ZwQueryValueKey(
        Handle,                      // IN HANDLE KeyHandle,
        &BbfPathValueName,           // IN PUNICODE_STRING ValueName,
        KeyValueFullInformation,     // IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass,
        pKeyValue,                   // OUT PVOID KeyValueInformation,
        ulTemp,                      // IN ULONG Length,
        &ulTemp                      // OUT PULONG ResultLength
        );

    ZwClose(Handle);
    if(!NT_SUCCESS(status)){
        ExFreePool(pKeyValue);
        return status;
    }

    // init TempStr to point to this string
    RtlInitUnicodeString(&TempStr,(PCWSTR)((PUCHAR)pKeyValue + pKeyValue->DataOffset));

    RtlZeroMemory(pDest->Buffer, pDest->MaximumLength);
    RtlAppendUnicodeToString(pDest, L"\\??\\");
    RtlAppendUnicodeStringToString(pDest, &TempStr);
    RtlAppendUnicodeToString(pDest, L"\\driver.sys");

    ExFreePool(pKeyValue);

    return STATUS_SUCCESS;
}

// Driver Entry…
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
    NTSTATUS NtStatus;
    WCHAR PathBuffer[260];       // storage for the result; GetImagePath does not allocate
    UNICODE_STRING ImagePath;

    UNREFERENCED_PARAMETER(pDriverObject);
    RtlInitEmptyUnicodeString(&ImagePath, PathBuffer, sizeof(PathBuffer));

    NtStatus = GetImagePath(pRegistryPath, &ImagePath);
    if(NT_SUCCESS(NtStatus))
        DbgPrint("Result: %wZ\n", &ImagePath);   // %wZ takes a PUNICODE_STRING
    return NtStatus;
}

Sheehs, now we’re teaching Device Drivers 10? Look it up!!! How about YOU putting the code together and giving it a try. There are PLENTY of examples in the \WinDDK\<version>\src to keep you more than occupied for many many months.

Conversely, you’ve stated a multitude of times where your driver SHOULD be: %System32%\Drivers, so why not simply look for your SYS file in that directory? If it’s not there then look to see if it’s hidden, or it’s been renamed in the SOURCES/INF and some dumb schmuck forgot to add, correct, or modify the proper file name to the drivers search function.

It really appears that what we have here is another attempt by pointy-haired bosses to inflict useless and pointless code when better time could be spent elsewhere. But … that’s my opinion.

Gary G. Little


You get the registry path in the second parameter to Driver Entry. So go looking for the SacredCow key using that path. Again … that’s basic programming in driver development, with tons of examples just begging for you to go look at them.

Gary G. Little


You are touching freed memory

This does NOT make a deep copy, just a pointer assignment
// init TempStr to point to this string
RtlInitUnicodeString(&TempStr,(PCWSTR)((PUCHAR)pKeyValue + pKeyValue->DataOffset));

// Now we need to know the form of the pathname. We had to make a change
// (for XP) which got rid of the ??\ stuff and things now begin with
// System32…
//
// The problem is, we need to find the %SystemRoot%.
//
// First we will see if this is the old way…
//
ExFreePool(pKeyValue);

> TempStr.Buffer now points to invalid memory

if(*(PUCHAR)(TempStr.Buffer) == '\\') BOOM

also, stop casting to UCHAR, this should be
if(TempStr.Buffer[0] == L'\\')

and you should be making sure the string you just queried for has a length (yes, it is possible to query and successfully get a zero length string)

d
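
The two points in the reply above (copy the string out before freeing the query buffer, and check that the value actually has a length), shown as an added example that is not code from the thread. It is a user-mode C model: ustr_t and value_info_t are stand-ins assumed to mirror UNICODE_STRING and KEY_VALUE_FULL_INFORMATION, all function names are hypothetical, and the sample values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* User-mode stand-ins (assumption): same field layout as UNICODE_STRING and
   KEY_VALUE_FULL_INFORMATION, so the checks carry over to driver code. */
typedef uint16_t wch_t;                               /* UTF-16 code unit */
typedef struct { uint16_t Length, MaximumLength; wch_t *Buffer; } ustr_t;
typedef struct {
    uint32_t TitleIndex, Type, DataOffset, DataLength, NameLength;
    wch_t Name[1];
} value_info_t;
#define HDR_BYTES offsetof(value_info_t, Name)
#define REG_SZ_T 1u
#define REG_EXPAND_SZ_T 2u

enum copy_status { COPY_OK, COPY_BAD_TYPE, COPY_BAD_BOUNDS, COPY_EMPTY, COPY_TOO_SMALL };

/* Deep-copy a queried string value into dest->Buffer (caller-owned storage).
   info/info_len: the buffer and ResultLength of the second query. */
enum copy_status copy_value_string(const void *info, size_t info_len, ustr_t *dest)
{
    value_info_t hdr;
    const unsigned char *data;
    size_t units, n = 0;

    dest->Length = 0;
    if (info == NULL || info_len < HDR_BYTES)
        return COPY_BAD_BOUNDS;
    memcpy(&hdr, info, HDR_BYTES);
    if (hdr.Type != REG_SZ_T && hdr.Type != REG_EXPAND_SZ_T)
        return COPY_BAD_TYPE;             /* the type is whatever the writer stored */
    if (hdr.DataOffset > info_len || hdr.DataLength > info_len - hdr.DataOffset)
        return COPY_BAD_BOUNDS;

    data = (const unsigned char *)info + hdr.DataOffset;
    units = hdr.DataLength / 2;
    /* Stored strings are not guaranteed to be terminated: stop at the first
       NUL or at DataLength, whichever comes first, never beyond the buffer. */
    while (n < units && (data[2 * n] | data[2 * n + 1]) != 0)
        n++;
    if (n == 0)
        return COPY_EMPTY;                /* a query can succeed and return no text */
    if (n * 2 > dest->MaximumLength)
        return COPY_TOO_SMALL;
    memcpy(dest->Buffer, data, n * 2);    /* the copy that has to precede the free */
    dest->Length = (uint16_t)(n * 2);
    return COPY_OK;
}

/* Build a constructed value blob: header, value name, UTF-16LE data. */
void *make_value(uint32_t type, const char *ascii, int terminate, size_t *out_len)
{
    static const char name[] = "ImagePath";
    size_t i, name_bytes = (sizeof name - 1) * 2, chars = strlen(ascii);
    size_t off = HDR_BYTES + name_bytes;
    size_t data_bytes = (chars + (terminate ? 1 : 0)) * 2;
    value_info_t hdr;
    unsigned char *buf = calloc(1, off + data_bytes + 2);

    if (buf == NULL)
        return NULL;
    memset(&hdr, 0, sizeof hdr);
    hdr.Type = type;
    hdr.DataOffset = (uint32_t)off;
    hdr.DataLength = (uint32_t)data_bytes;
    hdr.NameLength = (uint32_t)name_bytes;
    memcpy(buf, &hdr, HDR_BYTES);
    for (i = 0; i < sizeof name - 1; i++)
        buf[HDR_BYTES + 2 * i] = (unsigned char)name[i];
    for (i = 0; i < chars; i++)
        buf[off + 2 * i] = (unsigned char)ascii[i];
    *out_len = off + data_bytes;
    return buf;
}

/* Query (simulated), copy, free, and only then hand the string to the caller. */
enum copy_status read_path(uint32_t type, const char *ascii, int terminate,
                           wch_t *storage, uint16_t storage_bytes, ustr_t *out)
{
    size_t len = 0;
    void *info = make_value(type, ascii, terminate, &len);
    enum copy_status st;

    out->Buffer = storage;
    out->MaximumLength = storage_bytes;
    out->Length = 0;
    if (info == NULL)
        return COPY_BAD_BOUNDS;
    st = copy_value_string(info, len, out);
    free(info);                           /* out does not point into info */
    return st;
}

/* Compare a copied string with ASCII text, byte-wise as UTF-16LE. */
int ustr_equals_ascii(const ustr_t *s, const char *ascii)
{
    size_t i, n = strlen(ascii);
    const unsigned char *b = (const unsigned char *)s->Buffer;

    if (s->Length != n * 2)
        return 0;
    for (i = 0; i < n; i++)
        if (b[2 * i] != (unsigned char)ascii[i] || b[2 * i + 1] != 0)
            return 0;
    return 1;
}
```

In a driver the same order applies: size and type checks on the returned buffer, copy into storage the caller owns, then ExFreePool.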
