 |
Cheat Engine
The Official Site of Cheat Engine
|
| View previous topic :: View next topic |
| Author |
Message |
Stylo
Grandmaster Cheater Supreme
![]() Reputation: 3
Joined: 16 May 2007
Posts: 1073
Location: Israel
|
 Posted: Thu Oct 28, 2010 12:51 pm Post subject: need help with driver developing |
 |
|
for some reason i cannot see the dbgprint messages i post in my driver
my code goes like that
| Code: |
#include <ntddk.h>
NTSTATUS DriverEntry( PDRIVER_OBJECT pDriverObject, PUNICODE_STRING pRegistryPath ) {
DbgPrint( "MY MESSAGE" );
return STATUS_SUCCESS;
}
|
but when i run it and watch the dbgview nothing coming up.
any idea from does who know how to write drivers?
_________________
Stylo |
|
| Back to top |
|
 |
HomerSexual
Grandmaster Cheater Supreme
 Reputation: 5
Joined: 03 Feb 2007
Posts: 1657
|
| Posted: Thu Oct 28, 2010 1:11 pm Post subject: |
|
|
check the settings in DbgView. You have to specify to capture kernel messages
_________________
|
|
| Back to top |
|
|
smartz993
I post too much
 Reputation: 2
Joined: 20 Jun 2006
Posts: 2013
Location: USA
|
|
| Back to top |
|
|
Stylo
Grandmaster Cheater Supreme
![]() Reputation: 3
Joined: 16 May 2007
Posts: 1073
Location: Israel
|
| Posted: Fri Oct 29, 2010 6:06 am Post subject: |
|
|
@Homer
the capture kernel messages option is marked
@smartz
i'm developing in windows 7
_________________
Stylo |
|
| Back to top |
|
|
Jani
Grandmaster Cheater
![]() Reputation: 2
Joined: 29 Dec 2006
Posts: 804
|
| Posted: Fri Oct 29, 2010 12:45 pm Post subject: |
|
|
| The code is fine. Are you sure you're (try) loading the driver? Also, DbgView settings (filters, etc).
|
|
| Back to top |
|
|
Stylo
Grandmaster Cheater Supreme
![]() Reputation: 3
Joined: 16 May 2007
Posts: 1073
Location: Israel
|
| Posted: Fri Oct 29, 2010 2:06 pm Post subject: |
|
|
Actually it's now working on win xp on my laptop
but when i want to load it again, nothing pops
is there any unloading option i need to use to unload the driver or it's automatically unloaded?
_________________
Stylo |
|
| Back to top |
|
|
KernelMode
How do I cheat?
![]() Reputation: 1
Joined: 13 Oct 2010
Posts: 9
Location: Messing around with bits in you kernel for now...
|
| Posted: Fri Oct 29, 2010 5:47 pm Post subject: |
 |
|
On windows seven you have to be sure to run the DbgView as administrator (so it's driver can load) for kernel capture to work. Be sure that your windows 7 is 32-bit as well, other wise that could be the problem as well. You can't load a 32-bit driver on a 64-bit OS.
Yes you need an unload routine and you must unload the driver, it does not unload by itself.
definition: (goes in your header file)
| Code: |
DRIVER_UNLOAD Unload;
|
| Code: |
VOID Unload(IN PDRIVER_OBJECT DriverObject)
{
DbgPrint("Test Driver Unloaded!\n");
IoDeleteDevice(DriverObject->DeviceObject);
}
|
In your unload routine you would un-do anything that your driver did as to prevent a blue screen. For example, say you hooked some kernel API's in your driver, and redirected to code to your driver. If you just unload at that point your guaranteed to crash, as since your driver is unloaded, the hooks aren't leading to valid memory anymore! So you would remove any hooks applied before unloading. This was just an example, it also applies to any changes you make that wont sit well with your driver unloaded.
Anyway if you want to do anything more than just a DbgPrint, you're going to have to set up your driver properly in your driver entry, and know how to have your driver communicate with a user mode application. You could use Read/WriteFile to read from/ write to your driver. But I prefer DeviceIoControl as you can read/write data in one go!
Here's what a DriverEntry looks like in a driver that does more than a DbgPrint:
| Code: |
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING RegistryPath)
{
NTSTATUS NtStatus = 0;
PDEVICE_OBJECT pDeviceObject = 0;
UNICODE_STRING DrvrName, DosDrvrName, temp;
PVOID BackupServiceTable, BackupArgumentTable;
DbgPrint("Test Driver Loaded!\n");
RtlInitUnicodeString(&DrvrName, L"\\Device\\TestDriver10");
RtlInitUnicodeString(&DosDrvrName, L"\\DosDevices\\TestDriver10");
NtStatus = IoCreateDevice(pDriverObject, 0, &DrvrName, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &pDeviceObject);
pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DriverIO;
pDriverObject->MajorFunction[IRP_MJ_CREATE] = CreateClose;
pDriverObject->MajorFunction[IRP_MJ_CLOSE] = CreateClose;
pDriverObject->DriverUnload = Unload;
pDeviceObject->Flags |= DO_BUFFERED_IO; //DO_DIRECT_IO;
pDeviceObject->Flags &= (~DO_DEVICE_INITIALIZING);
IoCreateSymbolicLink(&DosDrvrName, &DrvrName);
return NtStatus;
}
|
You can read up on it to understand exactly what each step is for, but it basically just creates your device, sets up your handlers (IRP_MJ_XXX), and symbolic links it!
| Code: |
pDriverObject->MajorFunction[IRP_MJ_CREATE] = CreateClose;
pDriverObject->MajorFunction[IRP_MJ_CLOSE] = CreateClose;
|
The create/close are required to have, if you want your call to CreateFile/CloseHandle (after done) to work. You use CreateFile from usermode to open a handle to the driver, and when you write or read to that handle with ReadFile/WriteFile/DeviceIoControl, it invokes the correct handler in your driver.
| Code: |
pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DriverIO;
|
In this test driver I just put together, I didn't implement the handlers for ReadFile/WriteFile, but I did for DeviceIoControl.
Take a look
TestDriver.h
| Code: |
#include <ntddk.h>
#define IOCTL_INITIALIZE (ULONG)CTL_CODE(FILE_DEVICE_UNKNOWN, 0xBAAD, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define SYSTEMSERVICE(_pSDT, _function) _pSDT->ServiceTable[*(PULONG)((PUCHAR)_function+1)]
typedef struct _SERVICE_DESCRIPTOR_TABLE
{
PVOID *ServiceTable;
PULONG CounterTable;
ULONG TableSize;
PUCHAR ArgumentTable;
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;
DRIVER_INITIALIZE DriverEntry;
__drv_dispatchType(IRP_MJ_DEVICE_CONTROL)
DRIVER_DISPATCH DriverIO;
__drv_dispatchType(IRP_MJ_CREATE)
__drv_dispatchType(IRP_MJ_CLOSE)
DRIVER_DISPATCH CreateClose;
DRIVER_UNLOAD Unload;
|
TestDriver.c
| Code: |
#include "TestDriver.h"
PSERVICE_DESCRIPTOR_TABLE KeServiceDescriptorTable;
ULONG ZwOpenProcessAddr;
NTSTATUS DriverEntry(IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING RegistryPath)
{
NTSTATUS NtStatus = 0;
PDEVICE_OBJECT pDeviceObject = 0;
UNICODE_STRING DrvrName, DosDrvrName;
DbgPrint("Test Driver Loaded!\n");
RtlInitUnicodeString(&DrvrName, L"\\Device\\TestDriver10");
RtlInitUnicodeString(&DosDrvrName, L"\\DosDevices\\TestDriver10");
NtStatus = IoCreateDevice(pDriverObject, 0, &DrvrName, FILE_DEVICE_UNKNOWN, FILE_DEVICE_SECURE_OPEN, FALSE, &pDeviceObject);
pDriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = DriverIO;
pDriverObject->MajorFunction[IRP_MJ_CREATE] = CreateClose;
pDriverObject->MajorFunction[IRP_MJ_CLOSE] = CreateClose;
pDriverObject->DriverUnload = Unload;
pDeviceObject->Flags |= DO_BUFFERED_IO; //DO_DIRECT_IO;
pDeviceObject->Flags &= (~DO_DEVICE_INITIALIZING);
IoCreateSymbolicLink(&DosDrvrName, &DrvrName);
return NtStatus;
}
NTSTATUS DriverIO(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
NTSTATUS NtStatus = STATUS_SUCCESS;
PIO_STACK_LOCATION Stack = IoGetCurrentIrpStackLocation(Irp);
UNICODE_STRING temp;
switch(Stack->Parameters.DeviceIoControl.IoControlCode)
{
case IOCTL_INITIALIZE:
{
struct _TestInput
{
ULONG ProcessID;
ULONG AndOther;
char Data[5];
int Etc;
} TestInput, *pInput;
struct _TestOutput
{
ULONG KeServiceDescriptorTable;
ULONG ZwOpenProcessAddress;
} TestOutput, *pOutput;
//Get address of KeServiceDescriptorTable && then ZwOpenProcess
RtlInitUnicodeString(&temp, L"KeServiceDescriptorTable");
KeServiceDescriptorTable = MmGetSystemRoutineAddress(&temp);
ZwOpenProcessAddr = (ULONG)SYSTEMSERVICE(KeServiceDescriptorTable, ZwOpenProcess);
//Input
if(Stack->Parameters.DeviceIoControl.InputBufferLength == sizeof(TestInput)) //usermode app passed in a properly sized input buffer
{
pInput = Irp->AssociatedIrp.SystemBuffer;
DbgPrint("[DeviceIoControl Input] ProcessID: %u; AndOther: %u, etc...", pInput->ProcessID, pInput->AndOther);
//access input using your defined structure pointer
//pInput->Whatever;
}
//Output
if(Stack->Parameters.DeviceIoControl.OutputBufferLength == sizeof(TestOutput))
{
pOutput = Irp->AssociatedIrp.SystemBuffer;
//same for output...
//pOutput->Whatever;
pOutput->KeServiceDescriptorTable = (ULONG)KeServiceDescriptorTable;
pOutput->ZwOpenProcessAddress = ZwOpenProcessAddr;
DbgPrint("[DeviceIoControl Output] KeServiceDescriptorTable: %p; ZwOpenProcessAddress: %p", KeServiceDescriptorTable, ZwOpenProcessAddr);
}
break;
}
}
if(NtStatus == STATUS_SUCCESS)
{
Irp->IoStatus.Information = Stack->Parameters.DeviceIoControl.OutputBufferLength;
}
else
{
Irp->IoStatus.Information = 0;
}
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return NtStatus;
}
NTSTATUS CreateClose(IN PDEVICE_OBJECT DeviceObject, IN PIRP Irp)
{
Irp->IoStatus.Status = 0;
Irp->IoStatus.Information = 0;
IoCompleteRequest(Irp, IO_NO_INCREMENT);
return STATUS_SUCCESS;
}
VOID Unload(IN PDRIVER_OBJECT DriverObject)
{
DbgPrint("Test Driver Unloaded!\n");
IoDeleteDevice(DriverObject->DeviceObject);
}
|
The test driver doesn't really do much yet, but it's a base to work from and add code to. It lays out the basic framework for which I've written my drivers around.
Your homework is to make a usermode app that interfaces with the driver! The user mode app should be able to load the driver, invoke the DeviceIoControl IOCTL_INITIALIZE, passing in the input structure and receiving back the output structure, and finally unload the driver.
To load a driver with the method I like to use it's something like:
| Code: |
SCManagerHandle = OpenSCManager(0, 0, SC_MANAGER_CREATE_SERVICE);
if(SCManagerHandle)
{
OutputDebugString("SCManager handle gotten!");
ServiceHandle = CreateServiceA(SCManagerHandle, ServiceName,
ServiceName,
SERVICE_START | DELETE | SERVICE_STOP,
SERVICE_KERNEL_DRIVER,
SERVICE_DEMAND_START,
SERVICE_ERROR_IGNORE,
DriverPath,
0, 0, 0, 0, 0);
if(!ServiceHandle)
{
OutputDebugString("Service already exists, open it instead!");
ServiceHandle = OpenServiceA(SCManagerHandle, ServiceName, SERVICE_START | DELETE | SERVICE_STOP);
}
if(ServiceHandle)
{
OutputDebugString("starting service!");
StartService(ServiceHandle, 0, 0);
return 1;
}
|
unloading is something like:
| Code: |
SERVICE_STATUS ss;
ControlService(ServiceHandle, SERVICE_CONTROL_STOP, &ss);
DeleteService(ServiceHandle);
CloseServiceHandle(ServiceHandle);
CloseServiceHandle(SCManagerHandle);
|
Use CreateFile to get a handle for use with DeviceIoControl, with the file name as "\\.\DriverServiceName" So for this test driver it would be "\\.\TestDriver10".
|
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
