How to open a **.exe file in a wdm driver program?
-
Hi! I have copied a **.exe file to a pen disk, and I wish that every time I attach this pen disk to a PC the **.exe file can auto run. I know that the system can auto run this **.exe file if I create an autorun.inf on the pen disk. But now I want my pen disk driver program to run this **.exe file instead of the system. So my question is: is it possible to create a user mode process in a WDM driver program, that is to say, can the WDM driver invoke a user mode API? Thanks! momer
All the blessings we enjoy are the fruits of labor, toil, study and self-denial.
I am going to advise that this can't be done. The correct way to do this is to have a service running on the PC that has registered for WM_DEVICECHANGE messages. When a device it is interested in is plugged in, it then runs the exe. It might be possible to run the exe from a driver, but I don't know how. It might require using undocumented kernel API functions, which give portability problems. Nunc est bibendum
Hi, fat_boy ^_^ Yes, I agree with you that running a service on the PC is the correct way. But now I want to have a try at realizing it from the driver. Maybe the kernel API ZwCreateFile() can open an exe file, but in the driver program, how do I get the drive letter of the pen disk where the exe file is stored? Because the system may assign a different drive letter to the pen disk each time it is plugged into the PC. Can you give me some advice, fat_boy? Thanks! momer
It is not just a case of opening an exe. You have to create a process, map the exe into it and call its main function. At least that is what I am guessing at; god knows how you will do it in reality, but you would be mimicking part of the OS's functionality. If you want to get something working that is reliable, go the service route that waits for device arrival via WM_DEVICECHANGE messages and starts the app. We had to do exactly this for one of our products and, as a driver writer, I was deflecting all kinds of comments from application writers about how easy it is for a driver to do this, with me replying, 'go on then, you do it, and get it through WHQL, and have it run on today's OS and tomorrow's.' We went the service route and so should you. Nunc est bibendum
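The service route fat_boy recommends, as an added example (not code from the thread or from any poster): the WM_DEVICECHANGE decoding that yields the drive letter momer asks about. Win32 constants and the DEV_BROADCAST_VOLUME layout are mirrored in plain C so the block compiles off Windows (on Windows include <windows.h> and <dbt.h> instead); the relative path on the volume is a hypothetical placeholder.

```c
/* Added example: a user-mode service (or hidden window) receives
 * WM_DEVICECHANGE; for a volume arrival lParam points to a
 * DEV_BROADCAST_VOLUME whose unit mask encodes the drive letter.
 * Constants and struct layout mirror dbt.h so this compiles anywhere. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WM_DEVICECHANGE           0x0219      /* winuser.h */
#define DBT_DEVICEARRIVAL         0x8000      /* dbt.h: device/volume inserted */
#define DBT_DEVICEREMOVECOMPLETE  0x8004      /* dbt.h: device/volume gone */
#define DBT_DEVTYP_VOLUME         0x00000002  /* dbt.h: lParam is DEV_BROADCAST_VOLUME */

typedef struct {                 /* mirrors DEV_BROADCAST_VOLUME */
    uint32_t dbcv_size;
    uint32_t dbcv_devicetype;
    uint32_t dbcv_reserved;
    uint32_t dbcv_unitmask;      /* bit n set => drive 'A' + n is affected */
    uint16_t dbcv_flags;
} DevBroadcastVolume;

#define APP_ON_VOLUME "\\myapp\\launcher.exe"  /* hypothetical path on the pen disk */

/* Expand the unit mask into drive letters; several bits are set when one
 * device (e.g. a multi-slot card reader) brings up several volumes. */
int DriveLettersFromUnitMask(uint32_t unitmask, char out[26]) {
    int n = 0;
    for (int bit = 0; bit < 26; bit++)
        if (unitmask & (1u << bit))
            out[n++] = (char)('A' + bit);
    return n;
}

/* Fills path with "X:\myapp\launcher.exe" for the first arrived volume and
 * returns 1; returns 0 for removals, non-volume device types (e.g. a COM
 * port) or an empty mask.  The caller would then check that the file exists
 * on that volume before handing the path to CreateProcess. */
int PathForArrivedVolume(uint32_t msg, uint32_t wParam,
                         const DevBroadcastVolume *hdr, char *path, size_t cap) {
    char letters[26];
    if (msg != WM_DEVICECHANGE || wParam != DBT_DEVICEARRIVAL || !hdr) return 0;
    if (hdr->dbcv_devicetype != DBT_DEVTYP_VOLUME) return 0;
    if (DriveLettersFromUnitMask(hdr->dbcv_unitmask, letters) == 0) return 0;
    int n = snprintf(path, cap, "%c:%s", letters[0], APP_ON_VOLUME);
    return n > 0 && (size_t)n < cap;
}

/* Constructed sample message: a volume mounted as E: (unit mask bit 4). */
const char *DemoArrivalPath(uint32_t wParam) {
    static char path[64];
    DevBroadcastVolume ev = { (uint32_t)sizeof ev, DBT_DEVTYP_VOLUME, 0, 1u << 4, 0 };
    return PathForArrivedVolume(WM_DEVICECHANGE, wParam, &ev, path, sizeof path) ? path : NULL;
}
```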
"You have to create a process, map the exe into it and call its main function. At least that is what I am guessing at, god knows how you will do it in reality but you would be mimicking part of the OS's functionality." Where should we create the process, in our driver program? Is it possible to create a process, which may be a user mode app, in our kernel mode driver program? fat_boy, you know that we can create or open a data file stored on the hard disk by using the kernel API ZwCreateFile, so if we can open an exe file, such as C:\Program Files\Internet Explorer\IEXPLORE.EXE, by using ZwCreateFile (maybe some other kernel API) in our driver program, then the only problem is how to get the drive letter of the pen disk where the actual exe file is stored. So, what is your opinion? Thank you very much!
All the blessings we enjoy are the fruits of labor, toil, study and self-denial.
Oh yes, running a process from KernelMode CAN be done, though it is complicated. Here it is:

By: valerino

I don't think this code needs any comment. Say welcome to usermode calls in kernel land... with this technique you can even call MessageBox from inside your driver. No more ugly non-working phrack samples, this is the real stuff :)

1) The APC injector

    //************************************************************************
    // NTSTATUS UtilInstallUserModeApcForCreateProcess(char* CommandLine, PKTHREAD pTargetThread, PEPROCESS pTargetProcess)
    //
    // Setup usermode APC to execute a process
    //************************************************************************/
    NTSTATUS UtilInstallUserModeApcForCreateProcess(char* CommandLine, PKTHREAD pTargetThread, PEPROCESS pTargetProcess)
    {
        PRKAPC pApc = NULL;
        PMDL pMdl = NULL;
        PVOID MappedAddress = NULL;
        ULONG size;
        KAPC_STATE ApcState;
        PKEVENT pEvent = NULL;

        // check params
        if (!pTargetThread || !pTargetProcess)
            return STATUS_UNSUCCESSFUL;

        // allocate memory for apc and event
        pApc = ExAllocatePool(NonPagedPool, sizeof(KAPC));
        if (!pApc)
            return STATUS_INSUFFICIENT_RESOURCES;
        pEvent = ExAllocatePool(NonPagedPool, sizeof(KEVENT));
        if (!pEvent)
        {
            ExFreePool(pApc);
            return STATUS_INSUFFICIENT_RESOURCES;
        }

        // allocate mdl big enough to map the code to be executed
        size = (unsigned char*)UtilUserApcCreateProcessEnd - (unsigned char*)UtilUserApcCreateProcess;
        pMdl = IoAllocateMdl(UtilUserApcCreateProcess, size, FALSE, FALSE, NULL);
        if (!pMdl)
        {
            ExFreePool(pEvent);
            ExFreePool(pApc);
            return STATUS_INSUFFICIENT_RESOURCES;
        }

        // lock the pages in memory
        __try
        {
            MmProbeAndLockPages(pMdl, KernelMode, IoWriteAccess);
        }
        __except (EXCEPTION_EXECUTE_HANDLER)
        {
            IoFreeMdl(pMdl);
            ExFreePool(pEvent);
            ExFreePool(pApc);
            return STATUS_UNSUCCESSFUL;
        }

        // map the pages into the specified process
        KeStackAttachProcess(pTargetProcess, &ApcState);
        MappedAddress = MmMapLockedPagesSpecifyCache(pMdl, UserMode, MmCached, NULL, FALSE, NormalPagePriority);
        if (!MappedAddress)
        {
            // cannot map address
            KeUnstackDetachProcess(&ApcState);
            IoFreeMdl(pMdl);
            ExFreePool(pEvent);
            ExFreePoo