Getting the filename/path from Driver Name

NTDEV
1

I am enumerating the driver names list, that is, the objects placed on \Driver directory, using ZwQueryDirectoryObject.
That way I get the ‘driver names’ listing.

Having these driver names, how can I get the filename/path of each driver module ?
For example, if I have the driver name “Serial” how can I get from this name the location of the driver module, for example “SystemRoot\System32\Drivers\serial.sys”.

I know there are functions to get the listing of system modules(ZwQuerySystemInformation), but I cannot use these functions.

Any ideas are welcome.

2

Hi,

What about ZwQueryDirectoryObject, ZwOpenFile to open each driver object,
then ObReferenceObjectByHandle / ObQueryNameString?.

I hope this helps.

Regards,
mK

I am enumerating the driver names list, that is, the objects placed on
\Driver directory, using ZwQueryDirectoryObject.
That way I get the ‘driver names’ listing.

Having these driver names, how can I get the filename/path of each driver
module ?
For example, if I have the driver name “Serial” how can I get from this name
the location of the driver module, for example
“SystemRoot\System32\Drivers\serial.sys”.

I know there are functions to get the listing of system
modules(ZwQuerySystemInformation), but I cannot use these functions.

Any ideas are welcome.

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

Express yourself instantly with MSN Messenger! Download today it’s FREE!
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

3

If you are not working in a hostile environment (detecting viruses, etc.)
then you can use OpenSCManager and QueryServiceConfig to query the
lpBinaryPathName of the driver. In nearly all cases, the service name for a
driver is the name of the driver without the .sys extension.

– arlie

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Misha Karpin
Sent: Wednesday, December 21, 2005 12:28 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Getting the filename/path from Driver Name

Hi,

What about ZwQueryDirectoryObject, ZwOpenFile to open each driver object,
then ObReferenceObjectByHandle / ObQueryNameString?.

I hope this helps.

Regards,
mK

I am enumerating the driver names list, that is, the objects placed on
\Driver directory, using ZwQueryDirectoryObject.
That way I get the ‘driver names’ listing.

Having these driver names, how can I get the filename/path of each driver
module ?
For example, if I have the driver name “Serial” how can I get from this name
the location of the driver module, for example
“SystemRoot\System32\Drivers\serial.sys”.

I know there are functions to get the listing of system
modules(ZwQuerySystemInformation), but I cannot use these functions.

Any ideas are welcome.

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

Express yourself instantly with MSN Messenger! Download today it’s FREE!
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@stonestreetone.com To
unsubscribe send a blank email to xxxxx@lists.osr.com

4

And for those drivers which the driver name != the service name, the
value in \Driver\Xxxx will be the service name, so you can query for
service Xxxx always w/out issue.

d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Arlie Davis
Sent: Wednesday, December 21, 2005 9:37 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Getting the filename/path from Driver Name

If you are not working in a hostile environment (detecting viruses,
etc.)
then you can use OpenSCManager and QueryServiceConfig to query the
lpBinaryPathName of the driver. In nearly all cases, the service name
for a
driver is the name of the driver without the .sys extension.

– arlie

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Misha Karpin
Sent: Wednesday, December 21, 2005 12:28 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Getting the filename/path from Driver Name

Hi,

What about ZwQueryDirectoryObject, ZwOpenFile to open each driver
object,
then ObReferenceObjectByHandle / ObQueryNameString?.

I hope this helps.

Regards,
mK

I am enumerating the driver names list, that is, the objects placed on
\Driver directory, using ZwQueryDirectoryObject.
That way I get the ‘driver names’ listing.

Having these driver names, how can I get the filename/path of each
driver
module ?
For example, if I have the driver name “Serial” how can I get from this
name
the location of the driver module, for example
“SystemRoot\System32\Drivers\serial.sys”.

I know there are functions to get the listing of system
modules(ZwQuerySystemInformation), but I cannot use these functions.

Any ideas are welcome.

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument:
‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

Express yourself instantly with MSN Messenger! Download today it’s FREE!

http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@stonestreetone.com To
unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com