Code Project: For Those Who Code
Home > General Programming > C / C++ / MFC

[Message Deleted]

16 Posts 5 Posters
  • M Mattzimmerer

    [Message Deleted]

    _Superman_
    wrote on last edited by
    #5

    Kernel mode drivers are written in C and not assembly. When in kernel mode, memory is divided into paged and non-paged pool. If the function you're currently in is non-pageable, you cannot safely access memory in the paged pool. You will need to properly understand memory management in Windows, especially from the kernel mode, to do the task safely.

    «_Superman_» I love work. It gives me something to do between weekends.
    Microsoft MVP (Visual C++)

    • _ _Superman_

      Mattzimmerer
      wrote on last edited by
      #6

      Yea, I'm decent with C, I just don't know my way around the kernel too well. I've noticed a few sources I've pulled used _asm{} in driver code, so I know you can do it. Anyways, thanks for the input. Anything that points me to the prerequisite knowledge is greatly appreciated.

      • M Mattzimmerer

        I'm not so sure I can use some of those functions you mentioned as they include Windows.h (the goal is a driver that is injected into the kernel that will read/write RAM). I don't have my DDK installed as a virus ate my system =(, but I'll check 'em out. Thanks man! EDIT: new question, maybe it will get answered before I find the answer: How do I receive the debug messages from my driver? i.e. DbgPrint("Exception in GetMemoryRegionData\n");

        modified on Saturday, December 26, 2009 3:10 PM

        JudyL_MD
        wrote on last edited by
        #7

        Mattzimmerer wrote:

        How do I receive the debug messages from my driver?

        DebugView from Sysinternals: DebugView[^]

        Be wary of strong drink. It can make you shoot at tax collectors - and miss. Lazarus Long, "Time Enough For Love" by Robert A. Heinlein

        • M Mattzimmerer

          Bram van Kampen
          wrote on last edited by
          #8

          Hi,

          Mattzimmerer wrote:

          I just don't know my way around the kernel too well

          Well, IMHO, you need to know the kernel inside Out, and Backward Front, before you should even attempt to mess with the Hardware end of Memory. Otherwise, it is bound to end up in tears!! If you explain to us what you want to achieve in the first place, I'm quite sure that one of us can then point you in a direction to reach your goal without resorting to that sort of hardware access. :)

          Bram van Kampen

          • B Bram van Kampen

            Mattzimmerer
            wrote on last edited by
            #9

            Yea, I can do what I'm trying to do without this kind of hardware access; basically I'm going for a kernel level readprocessmemory(). Don't worry friend, I welcome the tears of learning! I recognize that this is not an easy thing to do.

            OK, what was my question? Ohh yea, signing drivers. I seem to have managed to test sign my driver and boot my OS in a mode so I can use test signed drivers (using Vista x64, and wow it's a pain, I was encountering so many fewer problems in Vista x86). Right now my biggest problem is loading the drivers. I have been using OSR Loader on Vista x86 without a problem, but on x64 none of the OSRLoader exe files can even open up the sample drivers that I built out of the WDK library. If no one gives me a better solution my current scope is writing INF files...

            So I really don't wanna hear it's hard and I need to know this and that; I'm learning this and that and believe me it's so much fun (I'm a computer engineering major so this stuff is to my benefit)! My GF hates it lol... I guess I have one question: Is it possible to correctly sign a driver using the makecert command in shell? I'm probably missing the grasp on that whole area...

            • M Mattzimmerer

              Bram van Kampen
              wrote on last edited by
              #10

              Well,

              Mattzimmerer wrote:

              I welcome the tears of learning! I recognize that this is not an easy thing to do.

              Please Note that on this occasion the tears of learning could include a trashed hard drive. My First and Personal advice is: Revert to Windows XP. My Loathing of Vista is well documented on this forum. At the same time, I do not believe that MS was so stupid as to leave out a documented method to load drivers. At any rate, if the above fails, what you seem to need to nudge is in that case not Process Memory; you probably need to clobber a few bytes in your Driver File! Load it, Make your Mods, and Save it! :) :)

              Bram van Kampen

              • B Bram van Kampen

                Mattzimmerer
                wrote on last edited by
                #11

                Yea, they got good documentation on loading drivers; it's just going to take some time to get the task done. I had a feeling I could possibly trash a hard drive. I think I'm going to still take some whacks at Vista, but I was planning on setting up a different OS on a separate hard drive, and just now I noticed the possibility of trashing my main OS even though it's on a different partition :wtf: ... Guess I'll just unplug it :laugh: !

                Do you think I could trash my OS if I only code a readmemory function and not a write memory function? My plan was to only attempt to write to memory when I know the exact behavior of my device reading from memory. Say my driver: 1) allocates its own memory 2) copies a byte from a specified address into its own memory. I should be fine right? How could I possibly screw that up right? ;P

                • M Mattzimmerer

                  Bram van Kampen
                  wrote on last edited by
                  #12

                  Mattzimmerer wrote:

                  Say my driver: 1) allocates its own memory 2) copies a byte from a specified address into its own memory I should be fine right? How could I possibly screw that up right?

                  What IRQ level is your driver running at? Allocating might not be available at that level. Then it will screw up! Also, from what memory context are you assuming your specified address for reading your byte? The High level virtual memory experience is created by smoke and mirrors at driver level. Driver land is another country; they do things differently there. :)

                  Bram van Kampen

                  • B Bram van Kampen

                    Mattzimmerer
                    wrote on last edited by
                    #13

                    Well I was getting ahead of myself when I said that stuff. I'm not going to lie, I started out 100% fresh to WDF, and this is probably going to take me a lot of time since I need to learn everything. So I don't know yet... Right now I have a lowly goal of getting an "empty" driver that will print debug messages when my GUI app sends the appropriate IRP. And at this very moment, I've blown my mind at why OSR Loader cannot start my service. OSRLoader says: "The Driver has been blocked from loading". I'm guessing my driver code is incomplete, maybe missing a required function... (dunno the lingo) Here's my header; would I need anything else to get my service to start/stop?

                        #if !defined(_MEMORYREADER_H_)
                        #define _MEMORYREADER_H_

                        #include <ntddk.h>
                        #include <wdf.h>

                        #define __DRIVER_NAME "MR: "

                        typedef struct _DEVICE_CONTEXT {
                            WDFQUEUE IoDefaultQueue;
                        } DEVICE_CONTEXT, *PDEVICE_CONTEXT;

                        WDF_DECLARE_CONTEXT_TYPE_WITH_NAME(DEVICE_CONTEXT, GetDeviceContext);

                        NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath);
                        NTSTATUS EvtDriverDeviceAdd(IN WDFDRIVER Driver, IN PWDFDEVICE_INIT DeviceInit);
                        NTSTATUS EvtDevicePrepareHardware(IN WDFDEVICE Device, IN WDFCMRESLIST ResourceList, IN WDFCMRESLIST ResourceListTranslated);
                        VOID EvtDeviceIoDefault(IN WDFQUEUE Queue, IN WDFREQUEST Request);
                        NTSTATUS EvtDeviceD0Entry(IN WDFDEVICE Device, IN WDF_POWER_DEVICE_STATE PreviousState);
                        NTSTATUS EvtDeviceD0Exit(IN WDFDEVICE Device, IN WDF_POWER_DEVICE_STATE TargetState);

                        #endif // _MEMORYREADER_H_

                    Does OSR Loader work properly with Vista x64? If it does I would love a working example of a basic driver.

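Added example, not from any poster in this thread: the makecert / signtool / bcdedit / sc.exe sequence for test-signing a driver image and loading it as a kernel service, which is the part left open in #9 ("is it possible to correctly sign a driver using the makecert command") and #13 ("blocked from loading"). The driver path, service name and certificate names are placeholders. sc.exe registers and starts the service through the Service Control Manager, the same route a loader GUI takes, so a driver that fails here fails for the same reason. Testsigning mode relaxes kernel-mode code signing for every driver on that install, not only yours, so keep it on a dedicated development VM and switch it off again when you are finished.

```powershell
# Added example (not from the thread): test-sign a driver and load it as a kernel service
# on 64-bit Vista/Windows 7. Run from an elevated PowerShell prompt with the WDK tools
# (makecert, signtool, certmgr) on PATH. All names and paths below are placeholders.

$DriverPath  = 'C:\Drivers\MemoryReader.sys'   # assumed path to the built .sys
$ServiceName = 'MemoryReader'                  # placeholder service name
$CertSubject = 'CN=DevTestCert'                # placeholder test certificate subject
$CertFile    = 'C:\Drivers\DevTestCert.cer'    # where makecert writes the public cert

# 1. One-time: create a self-signed test certificate in the PrivateCertStore store.
makecert -r -pe -ss PrivateCertStore -n $CertSubject $CertFile

# 2. Trust the test certificate on the *test* machine only (root + trusted publisher),
#    so the kernel-mode signature check accepts images signed with it.
certmgr.exe /add $CertFile /s /r localMachine root
certmgr.exe /add $CertFile /s /r localMachine trustedpublisher

# 3. Sign the driver image and confirm the signature chains to the test certificate.
#    (Add "/t <timestamp-server-url>" to the sign call if you want a timestamp.)
signtool sign /v /s PrivateCertStore /n DevTestCert $DriverPath
signtool verify /v /pa $DriverPath

# 4. Allow test-signed kernel code. This weakens signature enforcement for the whole
#    install, so do it only on a throwaway VM. A reboot is required before it applies.
bcdedit /set testsigning on

# 5. After the reboot: register the .sys as a demand-start kernel service and start it.
#    The space after each "type=" / "start=" / "binPath=" is required by sc.exe.
#    If starting still fails with a "blocked from loading" or "cannot verify the
#    digital signature" message, steps 3-4 did not take effect on this boot.
sc.exe create $ServiceName type= kernel start= demand binPath= $DriverPath
sc.exe start $ServiceName
sc.exe query $ServiceName        # STATE should read RUNNING; DbgPrint output shows in DebugView

# 6. Unload and clean up when done, and turn test-signing back off on the dev box.
sc.exe stop $ServiceName
sc.exe delete $ServiceName
bcdedit /set testsigning off
```

Use `sc.exe` rather than `sc` in PowerShell, where `sc` is an alias for Set-Content. The service is created with demand start so a broken driver does not come back automatically at the next boot; if the machine blue-screens while the driver is loaded, boot into safe mode or the previous-configuration option and delete the service before trying again.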
                    • M Mattzimmerer

                      Bram van Kampen
                      wrote on last edited by
                      #14

                      Hi, why not start here: Driver Development Part 1: Introduction to Drivers[^]. Regards, :)

                      Bram van Kampen

                      • B Bram van Kampen

                        Mattzimmerer
                        wrote on last edited by
                        #15

                        What a great sample, seems to be exactly what I need! So if my driver calls DriverEntry it is operating in PASSIVE_LEVEL? Is this still in ring-0?

                        • M Mattzimmerer

                          Bram van Kampen
                          wrote on last edited by
                          #16

                          Mattzimmerer wrote:

                          So if my driver calls DriverEntry

                          Your Driver does not call DriverEntry; the OS does that.

                          Mattzimmerer wrote:

                          Is this still in ring-0

                          That depends on from what level the OS calls the driver. Read the WHOLE article, not just the sample, and most of your questions will be answered. :)

                          Bram van Kampen
