Some time ago I decided to learn how to write drivers. Unfortunately I didn't get too far, because for testing a driver it is kind of important to be able to unload it without restarting the machine. Now I have got back to it, but I am just not able to get past this on my own.
Now, I suppose, just to make the question more straightforward, you will want to see this:
VOID Unload(PDRIVER_OBJECT DriverObject)
{
    // expected to run when the driver service is stopped
    DbgPrint("Unload\r\n");
}
and
NTSTATUS DriverEntry(PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath)
{
    DbgPrint("Entry\r\n");
    // register the unload routine so the I/O manager allows the driver to be unloaded
    pDriverObject->DriverUnload = Unload;
    return STATUS_SUCCESS;
}
In DbgView it prints the "Entry" message, but when unloading the driver it doesn't print the "Unload" one. Actually, trying to stop the driver service changes its status to NOT_STOPPABLE.
Then I have to restart if I want another try.
I work with Windows 7, and I have tried booting with TESTSIGNING ON and with no signature required, with the same outcomes. A slightly odd thing is that the load doesn't work either unless I create a device in the entry function; only then can I find my driver with WinObj in the \Driver directory. I have also tried it on another machine with a Win7 installation, but it turned out local settings are not the issue. If you recognize this kind of kernel behaviour I would really like to hear about it, thanks.
Actually, if you know about some program that can load a .sys and then is able to unload it, drop a link or name. Source code not required, the executable should do, or vice versa. Thanks.
Driver development - use OSR Driver Loader
OK, the problem was I linked with /driver:wdm because I read an older tutorial. That is wrong nowadays; you can only IoCreateDevice in DriverEntry in legacy drivers, which means the proper option is just /driver. Sorry, I don't understand the behaviour of the I/O manager, but if you are having the same problem, just get rid of that wdm flag and it will unload.
Lately, I have been playing with drivers in Windows 7. So far, I have built a driver that can talk with a user mode application.
However, I keep having a problem starting and stopping the driver.
First, I install the driver and start it, and it works just fine. I stop it, and it stops fine as well. However, when I go to start it again, it errors out with error code 2, "Can't find the file specified".
In order to fix this, I have to uninstall the driver, then reboot. Once I have rebooted, I can install it again, and run it once, and then the process starts all over.
So my question is how do I work around this problem? I really hate having to reboot every time I rebuild and test my driver, so I was wondering if I am doing something wrong in my build and deployment process.
I am using the standard DDK command line build for the build process, and I am using an app called OSR Driver Loader to load the driver. I can, however, use the SC command line to install it as well.
I solved it. I needed to delete the symbolic link that I was creating, and to delete the Device instance.
Here is the code I put into the OnUnload function:
// this deletes the symbolic link for the driver
IoDeleteSymbolicLink(&deviceLinkUnicodeString);
// this deletes the device
IoDeleteDevice(g_RootkitDevice);
So in full, I needed to have this as my OnUnload function:
// both are defined where DriverEntry creates the device and the link (not shown in the post)
extern UNICODE_STRING deviceLinkUnicodeString;
extern PDEVICE_OBJECT g_RootkitDevice;

VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    // delete the symbolic link first, so nothing can reach the device by name any more
    IoDeleteSymbolicLink(&deviceLinkUnicodeString);
    // then delete the device object itself
    IoDeleteDevice(g_RootkitDevice);
}
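The two questions above are the two halves of the same lifecycle: the first driver could not be unloaded at all, the second unloaded but leaked its device and symbolic link, so the next start failed until reboot. As an added example (not code from either post, and not OSR's), here is a complete legacy, non-PnP driver that creates a device plus a \DosDevices link in DriverEntry and tears both down in Unload. The names \Device\UnloadDemo and \DosDevices\UnloadDemo are assumptions; this is kernel-mode code built with the WDK, not a user-mode program.

```c
#include <ntddk.h>

/* Names are assumptions for this example; pick your own. */
#define DEVICE_NAME  L"\\Device\\UnloadDemo"
#define SYMLINK_NAME L"\\DosDevices\\UnloadDemo"

static UNICODE_STRING g_SymLinkName;   /* kept so Unload deletes exactly what DriverEntry created */
static PDEVICE_OBJECT g_DeviceObject;

/* IRP_MJ_CREATE / IRP_MJ_CLOSE succeed so a user-mode test app can open \\.\UnloadDemo. */
static NTSTATUS CreateClose(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);
    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = 0;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

/* Runs when the service is stopped. Order matters: the link goes first, then the
   device. If either is leaked, the name stays in the object manager and the next
   IoCreateDevice/IoCreateSymbolicLink fails until reboot (the "run once" symptom). */
static VOID Unload(PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);
    DbgPrint("UnloadDemo: Unload\n");
    IoDeleteSymbolicLink(&g_SymLinkName);
    if (g_DeviceObject != NULL) {
        IoDeleteDevice(g_DeviceObject);
        g_DeviceObject = NULL;
    }
}

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath)
{
    UNICODE_STRING deviceName;
    NTSTATUS status;

    UNREFERENCED_PARAMETER(RegistryPath);
    DbgPrint("UnloadDemo: DriverEntry\n");

    /* Without a DriverUnload routine the I/O manager refuses to unload the driver
       and the service cannot be stopped; register it before anything else. */
    DriverObject->DriverUnload = Unload;
    DriverObject->MajorFunction[IRP_MJ_CREATE] = CreateClose;
    DriverObject->MajorFunction[IRP_MJ_CLOSE]  = CreateClose;

    RtlInitUnicodeString(&deviceName, DEVICE_NAME);
    RtlInitUnicodeString(&g_SymLinkName, SYMLINK_NAME);

    status = IoCreateDevice(DriverObject, 0, &deviceName, FILE_DEVICE_UNKNOWN,
                            FILE_DEVICE_SECURE_OPEN, FALSE, &g_DeviceObject);
    if (!NT_SUCCESS(status)) {
        DbgPrint("UnloadDemo: IoCreateDevice failed 0x%08X\n", status);
        return status;  /* nothing created yet; DriverUnload is not called when DriverEntry fails */
    }

    status = IoCreateSymbolicLink(&g_SymLinkName, &deviceName);
    if (!NT_SUCCESS(status)) {
        DbgPrint("UnloadDemo: IoCreateSymbolicLink failed 0x%08X\n", status);
        IoDeleteDevice(g_DeviceObject);  /* DriverEntry is failing, so undo by hand */
        g_DeviceObject = NULL;
        return status;
    }
    return STATUS_SUCCESS;
}
```

A quick check after `sc stop` (or OSR Driver Loader's Stop) is to open WinObj and confirm that both \Device\UnloadDemo and the \GLOBAL?? link are gone; if either survives, the next start will fail exactly as described in the second question.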
I'm working on an embedded Linux system that has a specific I2C platform driver and I'm writing a custom I2C driver. Everything works fine, but I have a problem with their dependencies.
As my custom driver uses the default I2C functions, once I compile it the make command automatically updates the modules.dep file, saying that my driver depends on i2c-core to run, but that is not enough. In order for i2c-core to be configured I need to load i2c-omap first (the platform's driver), and only then does my driver work properly.
Unfortunately, I can't find any dummy function to call and thus trick make into adding another dependency when it generates my driver. Also, I would prefer an automated solution instead of modifying modules.dep with something like sed -i 's/RE1/RE2/' modules.dep.
So, is there any way to explicitly add a dependency to a module when I compile it?
Thanks!
I found an answer here: http://www.xml.com/ldd/chapter/book/ch11.html
I solved my problem by calling
request_module("i2c-omap");
Anyway, this does not exactly update the dependencies file as I first intended. If anyone knows a way to do that, please add a comment here!
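As an added example (not the poster's driver and not from the LDD chapter linked above), here is how a module can state the i2c-omap dependency in both places that matter: MODULE_SOFTDEP, which depmod records in modules.softdep so `modprobe mydriver` loads i2c-omap first, and request_module() as a fallback at init time. The module name mydriver and the requirement of a kernel new enough to provide MODULE_SOFTDEP (3.9 or later, to my knowledge) are assumptions; this is kernel code built against a kernel tree, not a user-space program.

```c
#include <linux/module.h>
#include <linux/kmod.h>
#include <linux/init.h>

/* Example module (not the poster's driver). The hard dependency on i2c-omap is
 * expressed twice: once for the module tooling and once defensively at init. */

/* Stored in the .ko's modinfo section ("modinfo -F softdep mydriver.ko" shows it).
 * depmod copies it into modules.softdep, and modprobe then loads i2c-omap before
 * this module. This is the "explicit dependency" the question asks for; it does
 * not touch modules.dep, which is derived from symbol references only. */
MODULE_SOFTDEP("pre: i2c-omap");

static int __init mydriver_init(void)
{
	int ret;

	/* Fallback for insmod-style loads that bypass modprobe. request_module()
	 * asks user space to run "modprobe i2c-omap"; it needs process context and
	 * a usable modprobe, and a zero return only means modprobe exited 0, not
	 * that the module is loaded, so still check the resource you need after it. */
	ret = request_module("i2c-omap");
	if (ret)
		pr_warn("mydriver: request_module(i2c-omap) returned %d\n", ret);

	/* i2c driver registration for the actual device goes here */
	return 0;
}

static void __exit mydriver_exit(void)
{
	/* unregister what mydriver_init registered */
}

module_init(mydriver_init);
module_exit(mydriver_exit);
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("Example of declaring a soft dependency on i2c-omap");
```

After `make` and `depmod -a`, `grep mydriver /lib/modules/$(uname -r)/modules.softdep` should show the `softdep mydriver pre: i2c-omap` line, which is the automated equivalent of the sed edit the question wanted to avoid.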
I'm a rookie at C in general and at VS 2013 also. I am trying to use some C code provided by a vendor in VS 2013 Express. It compiles and runs without problem using the command line compiler, but I would like to use the IDE.
I started a new project, C++ for console app, and I have pasted the code into the IDE and saved it as xyy.c so that it builds successfully. I thought it would be nice to have it in a GUI, so I duplicated the effort with a Win32 app project. It also builds.
The program's job is to connect to a PCI card that has a Plx chip as an interface and program an FPGA. The Win32 program succeeds, even though I can't see any of the info printed by the program. The console program fails, and I think it is because it fails to find the driver for the Plx chip. I thought I would get a clue by single-stepping through the Win32 program to see which driver was supposed to be found.
However, after the first pass through a while loop, I get a pop-up that says "Source Not Found" and "stack.cpp not found". Google wasn't any help to me.
I'd be grateful for any suggestions.
You might have "Enable .NET Framework source stepping" enabled (see http://msdn.microsoft.com/en-us/library/cc667410.aspx). So when you are at Stack... and trying to step into, it will actually try, but you don't have the sources for that. There is also a new experience for using the .NET framework reference source that was announced recently: http://blogs.msdn.com/b/dotnet/archive/2014/02/24/a-new-look-for-net-reference-source.aspx
I faced the same problem. I advise, at the moment you receive the message "stack.cpp not found", looking at the stack trace and checking whether there is something like "RTC" in it.
If there is, you need to change the flag along this path (for example, set it to Default or to a configuration more convenient for you):
Project Properties -> C/C++ -> Code Generation -> Basic Runtime Checks
More details: https://learn.microsoft.com/en-us/cpp/build/reference/rtc-run-time-error-checks?view=msvc-160
Once I wrote a sort of driver for Windows which had to intercept the interaction of the native display driver with the OS. The native display driver consists of a miniport driver and a DLL loaded by win32k.sys into the session space. My goal was to meddle between win32k.sys and that DLL. Moreover, the system might have several display drivers; I had to hook them all.
I created a standard WDM driver, configured to load at system boot (i.e. before win32k). During its initialization it hooked ZwSetSystemInformation by patching the SSDT. This function is called by the OS whenever it loads/unloads a DLL into the session space, which is exactly what I need.
When ZwSetSystemInformation is invoked with the SystemLoadImage parameter, one of its parameters is a pointer to a SYSTEM_LOAD_IMAGE structure, and its ModuleBase is the module base mapping address. Then I analyze the mapped image, patch its entry point with my function, and the rest is straightforward.
Now I need to port this driver to a 64-bit Windows. Needless to say it's not a trivial task at all. So far I found the following obstacles:
All drivers must be signed
PatchGuard
SSDT is not directly exported.
If I understand correctly, PatchGuard and driver signing verification may be turned off; the driver should be installed on a dedicated machine, and we may torture it the way we want.
There are tricks to locate the SSDT as well, according to online sources.
However, recently I discovered there exists a function called PsSetLoadImageNotifyRoutine. It may simplify the task considerably and help avoid dirty tricks.
My questions are:
If I use PsSetLoadImageNotifyRoutine, will I receive notifications about DLLs loaded into the session space? The official documentation talks about "system space or user space", but does "system space" also include the session space?
Do I need to disable the PatchGuard if I'm going to patch the mapped DLL image after it was mapped?
Are there any more potential problems I didn't think about?
Are there any other ways to achieve what I want?
Thanks in advance.
Do I need to disable the PatchGuard if I'm going to patch the mapped DLL image after it was mapped?
To load any driver on x64 it must be signed. With admin rights you can disable PatchGuard, and I personally recommend using DSEO, a GUI application made for this. Or you can bypass PatchGuard by overwriting the MBR (or BIOS), although this is typically considered a bootkit, i.e. malware.
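Whichever notification mechanism the driver ends up using, the "analyze the mapped image, patch its entry point" step from the question is a PE header walk over memory the driver did not produce itself. As an added example (not the questioner's code and not from either answer), here is a user-mode C version of that walk that validates e_lfanew, the PE signature, the optional-header magic and SizeOfOptionalHeader against the mapped length before touching AddressOfEntryPoint, and can also rewrite the field while returning the original value for chaining. The header-only PE32+ sample it builds is constructed here for the demonstration; in a load-image callback the inputs would be the image base and size the kernel reports instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* PE/COFF layout constants (from the PE specification). */
#define DOS_MAGIC            0x5A4Du      /* "MZ" */
#define E_LFANEW_OFFSET      0x3Cu        /* e_lfanew within the DOS header */
#define PE_SIGNATURE         0x00004550u  /* "PE\0\0" */
#define COFF_HEADER_SIZE     20u
#define COFF_OPTHDR_SIZE_OFF 16u          /* SizeOfOptionalHeader within the COFF header */
#define OPT_MAGIC_PE32       0x10Bu
#define OPT_MAGIC_PE32PLUS   0x20Bu
#define OPT_ENTRY_OFF        0x10u        /* AddressOfEntryPoint within the optional header */
#define OPTHDR_SIZE_PE32PLUS 0xF0u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Locate AddressOfEntryPoint. Returns 1 and sets *field_off, or 0 if the headers are
   malformed or would reach past len. Every offset is checked before use: e_lfanew and
   SizeOfOptionalHeader come from the image and cannot be trusted. */
int pe_entry_field_offset(const uint8_t *img, size_t len, size_t *field_off)
{
    if (img == NULL || field_off == NULL || len < E_LFANEW_OFFSET + 4) return 0;
    if (rd16(img) != DOS_MAGIC) return 0;
    uint32_t pe_off = rd32(img + E_LFANEW_OFFSET);
    size_t need = 4 + COFF_HEADER_SIZE + OPT_ENTRY_OFF + 4;   /* up to and including the field */
    if (pe_off > len || len - pe_off < need) return 0;
    const uint8_t *nt = img + pe_off;
    if (rd32(nt) != PE_SIGNATURE) return 0;
    const uint8_t *coff = nt + 4;
    if (rd16(coff + COFF_OPTHDR_SIZE_OFF) < OPT_ENTRY_OFF + 4) return 0;  /* field not present */
    uint16_t magic = rd16(coff + COFF_HEADER_SIZE);
    if (magic != OPT_MAGIC_PE32 && magic != OPT_MAGIC_PE32PLUS) return 0;
    *field_off = (size_t)pe_off + 4 + COFF_HEADER_SIZE + OPT_ENTRY_OFF;
    return 1;
}

/* Entry-point RVA, or 0 if the image could not be parsed. */
uint32_t pe_entry_rva(const uint8_t *img, size_t len)
{
    size_t off;
    return pe_entry_field_offset(img, len, &off) ? rd32(img + off) : 0;
}

/* Redirect the entry point, handing back the old RVA so a hook can chain to the
   original. Returns 0 and leaves the image untouched if the headers do not parse. */
int pe_set_entry_rva(uint8_t *img, size_t len, uint32_t new_rva, uint32_t *old_rva)
{
    size_t off;
    if (!pe_entry_field_offset(img, len, &off)) return 0;
    if (old_rva) *old_rva = rd32(img + off);
    wr32(img + off, new_rva);
    return 1;
}

/* Constructed sample: a header-only PE32+ image, enough to exercise the parser. */
size_t build_sample_pe(uint8_t *buf, size_t cap, uint32_t entry_rva)
{
    const uint32_t pe_off = 0x80;
    size_t total = pe_off + 4 + COFF_HEADER_SIZE + OPTHDR_SIZE_PE32PLUS;
    if (buf == NULL || cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + E_LFANEW_OFFSET, pe_off);
    memcpy(buf + pe_off, "PE\0\0", 4);
    uint8_t *coff = buf + pe_off + 4;
    wr16(coff, 0x8664);                                   /* IMAGE_FILE_MACHINE_AMD64 */
    wr16(coff + COFF_OPTHDR_SIZE_OFF, OPTHDR_SIZE_PE32PLUS);
    wr16(coff + COFF_HEADER_SIZE, OPT_MAGIC_PE32PLUS);
    wr32(coff + COFF_HEADER_SIZE + OPT_ENTRY_OFF, entry_rva);
    return total;
}

/* Self-check over the sample, including hostile cases a callback must survive.
   Returns the number of checks that passed (6 when everything works). */
int pe_selftest(void)
{
    uint8_t buf[512];
    uint32_t old = 0;
    int ok = 0;
    size_t n = build_sample_pe(buf, sizeof buf, 0x1000);
    ok += (n != 0 && pe_entry_rva(buf, n) == 0x1000);
    ok += (pe_entry_rva(buf, 0xA0) == 0);                  /* mapping truncated before the field */
    ok += (pe_set_entry_rva(buf, n, 0x2000, &old) == 1 && old == 0x1000);
    ok += (pe_entry_rva(buf, n) == 0x2000);
    wr32(buf + E_LFANEW_OFFSET, 0xFFFFFFF0u);              /* e_lfanew far outside the image */
    ok += (pe_entry_rva(buf, n) == 0);
    wr32(buf + E_LFANEW_OFFSET, 0x80);
    buf[0] = 'X';                                           /* broken DOS magic */
    ok += (pe_entry_rva(buf, n) == 0);
    return ok;
}
```

The same checks apply whether the image arrived through a load-image callback or through the SSDT hook described in the question: in both cases the only trustworthy numbers are the base and size the kernel reports, and every header field is derived from untrusted bytes.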
I'm writing a program in C and want it to have an option that will keep a Mac laptop awake even if the lid is closed, so processes can continue. There seems to be very little information available on this topic, so I really don't know where to begin. If anyone knows how to accomplish this, or where I can find more information, I would really appreciate it (i.e. will I need to work with the BIOS for this, or are there built-in functions?). Also, if it's easier to do in another language that is fine, as I'm not stubbornly set on using C.
You need to write a kernel extension for this. The OS doesn't support it by default because the laptops aren't designed to properly cool themselves with the lid closed and internal display enabled. SleepLess is a $10 utility that'll do what you want, too. If you warp the display or something, it's your own fault. :-).
If you want to write something yourself, LidSleep.kext looks like a good start (it does the opposite, i.e. sleeping on lid close) and comes with source code.
(It is possible and supported to wake up some Mac laptops with the screen closed by using an external input device.)
You can do this using the I/O Kit framework, see QA1340 listing 2 for sample code using IOPMAssertionCreateWithName to temporarily prevent sleep.
The link to LidSleep.kext listed above is not working, so I can let you know that the author of NoSleep has made the source code available here, so you can see for yourself how it can be done:
https://code.google.com/p/macosx-nosleep-extension/
If your laptop is a reasonably recent model, you don't need to add anything. If you are running Lion, it simply works. If you're running an older OS you have to wake up the laptop by sending it a keystroke or mouse click from an external keyboard or mouse. See http://support.apple.com/kb/ht3131