How to scan all loaded drivers

I need to scan all driver objects loaded on the system. Can anyone
recommend a good method to scan (during run-time) for drivers?

Does Windows store an internal pointer to a list of driver objects (or
device objects)? Device objects are linked with Flink structs, so that
would probably be easier to parse.

Thanks!

AFAIK, there is no documented way of doing this. I once did that by walking
through the object directory in an in-house experimental driver.

Calvin Guan, Software Engineer
ATI Technologies Inc. Markham ON. Canada
Tel: (905) 882-2600 Ext. 8654

-----Original Message-----
From: Fred Walters [mailto:xxxxx@charter.net]
Sent: Tuesday, December 09, 2003 1:48 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] How to scan all loaded drivers

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@ati.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

In user-mode you have the PSAPI functions
EnumDeviceDrivers/GetDeviceDriverBaseName/GetDeviceDriverFileName, but
if you really need to inspect the driver object structures themselves in
kernel-mode, then I don’t know if there is a documented way to do what
you want to do. (Not even WinDbg is able to give you this information).

(Thinking…)

There certainly is an nt!IoDriverObjectType exported from ntoskrnl, but
the Object Manager function to enumerate objects
(ObEnumerateObjectsByType) is not exported. So much for that.


Nick Ryan (MVP for DDK)

Eh? There is certainly the !drivers extension command that lists the
drivers, so there clearly is a list of some sort. I suppose you would have
to find each driver and then walk its list of devices to find all of the
devices on the system.

Loren

WinDbg lists the drivers and various information about each driver, but
NOT the address of the driver’s driver objects (which is annoying
because I’m then forced to backtrace via a device object).

Nick Ryan (MVP for DDK)

If we’re just talking about WinDbg, then on 2k+ “!drvobj ”
works fine, and of course you can get the list of drivers with
“!drivers”… it takes a long time loading symbols the first time you
run this command, so I’m guessing it’s probably doing some reasonably
complicated fingering through object lists, but who knows…

…/ray..

Excellent, I missed the part in the documentation for this function that
stated that you could specify a driver name on 2k+.

Nick Ryan (MVP for DDK)

Actually, the “lm” command is supposed to be used instead of “!drivers”
in the latest debuggers.

D

This posting is provided “AS IS” with no warranties, and confers no
rights

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Ray Trent
Sent: Wednesday, December 10, 2003 2:00 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Re: How to scan all loaded drivers


!drivers is far more useful to me since lm only lists the modules for
which I’ve explicitly loaded symbols.

I wish there was a !windbg command that would take an address and return
the module name and offset into where that address resides (if there is
such a command, I can’t find it). I’m sick of having to manually scan
through the list of base addresses returned by !drivers to eyeball which
one is closest to and less than the address I’m curious about. (No, the
ln command does not work for this purpose).

Nick Ryan (MVP for DDK)
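An added example, mine rather than code posted by anyone in this thread: the address-to-module lookup Nick describes doing by eye over !drivers output, and the user-mode PSAPI enumeration he mentioned earlier (EnumDeviceDrivers / GetDeviceDriverBaseName), combined in one small C program. The module table below is constructed sample data (bases, sizes and names are made up); on Windows the optional load_driver_table helper fills the table from PSAPI instead, which yields base addresses but no sizes, so size stays 0 and the resolver falls back to "largest base not above the address", which is exactly the eyeballing step. All function and type names are my own.

```c
/* Added example: resolve a kernel address to "module+offset" against a table
 * of loaded driver base addresses. Not from the thread; names are mine. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <psapi.h>   /* link with psapi.lib / -lpsapi */
#endif

typedef unsigned long long addr_t;

typedef struct {
    addr_t base;
    addr_t size;      /* 0 when unknown (PSAPI gives no size) */
    char   name[64];
} module_t;

/* Constructed sample table in the shape !drivers prints; all values made up. */
static const module_t sample_table[] = {
    { 0x804d7000ULL, 0x1f0000ULL, "nt"     },
    { 0x806ec000ULL, 0x020000ULL, "hal"    },
    { 0xf7a80000ULL, 0x003000ULL, "kdcom"  },
    { 0xf8370000ULL, 0x00c000ULL, "fltmgr" },
};
#define SAMPLE_COUNT (sizeof sample_table / sizeof sample_table[0])

/* Pick the module whose base is the largest one <= addr. When the module's
 * size is known, addr must also lie below base+size, otherwise the address
 * is treated as unattributed. Returns the table index, or -1. */
int resolve_address(const module_t *table, size_t count, addr_t addr, addr_t *offset)
{
    int best = -1;
    for (size_t i = 0; i < count; i++) {
        if (table[i].base > addr) continue;
        if (best < 0 || table[i].base > table[best].base) best = (int)i;
    }
    if (best < 0) return -1;
    if (table[best].size && addr >= table[best].base + table[best].size) return -1;
    if (offset) *offset = addr - table[best].base;
    return best;
}

/* Writes "name+0xoffset" (or "<unknown>") into buf. Returns 0 when resolved. */
int format_symbol(const module_t *table, size_t count, addr_t addr, char *buf, size_t buflen)
{
    addr_t off = 0;
    int idx = resolve_address(table, count, addr, &off);
    if (idx < 0) { snprintf(buf, buflen, "<unknown>"); return -1; }
    snprintf(buf, buflen, "%s+0x%llx", table[idx].name, off);
    return 0;
}

/* Convenience check against the sample table: 1 if addr formats as expected. */
int sample_resolves_to(addr_t addr, const char *expected)
{
    char buf[96];
    format_symbol(sample_table, SAMPLE_COUNT, addr, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

#ifdef _WIN32
/* Fill the table from PSAPI: image bases plus base names, sizes left at 0. */
size_t load_driver_table(module_t *table, size_t max)
{
    LPVOID bases[1024];
    DWORD needed = 0;
    if (!EnumDeviceDrivers(bases, (DWORD)sizeof bases, &needed)) return 0;
    size_t n = needed / sizeof(LPVOID);
    if (n > max) n = max;
    for (size_t i = 0; i < n; i++) {
        table[i].base = (addr_t)(ULONG_PTR)bases[i];
        table[i].size = 0;
        if (!GetDeviceDriverBaseNameA(bases[i], table[i].name, (DWORD)sizeof table[i].name))
            strcpy(table[i].name, "?");
    }
    return n;
}
#endif

int main(int argc, char **argv)
{
    module_t table[1024];
    size_t count;
#ifdef _WIN32
    count = load_driver_table(table, 1024);
#else
    memcpy(table, sample_table, sizeof sample_table);   /* offline fallback */
    count = SAMPLE_COUNT;
#endif
    addr_t addr = argc > 1 ? strtoull(argv[1], NULL, 16) : 0x804e0123ULL;
    char buf[96];
    format_symbol(table, count, addr, buf, sizeof buf);
    printf("%#llx -> %s\n", addr, buf);
    return 0;
}
```

On Windows build with psapi.lib (MSVC) or -lpsapi (MinGW) and run it with a hex address; elsewhere it resolves against the sample table. Without sizes, an address in the gap after a driver image still resolves to that driver, which is why the size field exists: when you have it (for instance by reading the PE header of the file GetDeviceDriverFileName points at), the resolver reports such addresses as unattributed instead. That distinction is the one a forensic check cares about when deciding whether a kernel pointer lands inside a known driver image or in memory no listed module owns. Current WinDbg builds also answer the question directly with lm a <address>.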

Hi All,

There is a utility that comes along with the 2k DDK named drivers.exe which will tell you about the loaded drivers. And if it is there then you can also do the listing of the drivers as per your need.

 

Good Luck,





Only if you have the proper GlobalFlag bit set.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Fred Walters”
To: “Windows System Software Devs Interest List”
Sent: Tuesday, December 09, 2003 9:47 PM
Subject: [ntdev] How to scan all loaded drivers


“lm” lists them.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Nick Ryan”
Newsgroups: ntdev
To: “Windows System Software Devs Interest List”
Sent: Wednesday, December 10, 2003 10:03 PM
Subject: [ntdev] Re: How to scan all loaded drivers
