iPromise Grandmaster Cheater
Reputation: -1
Joined: 27 Jun 2009 Posts: 529 Location: Canada
Posted: Wed Feb 13, 2013 3:25 pm Post subject: Drivers -> 64 BIT |
I recompiled my working 32-bit driver into 64-bit using the Checked x64 build environment provided within the WinDDK. However, each time I try to load my driver in a 64-bit operating system it simply won't load. I checked to see whether the service wasn't running correctly by using message boxes, but I didn't get any message.
How can I solve this problem?
| Code: |
#include <windows.h>
#include <string>

// Assumes hscManager was opened with OpenSCManager and that driverName /
// binaryPath are strings of the character type the build uses (TCHAR).
SERVICE_STATUS ss = { 0 };

// Obtain a handle to the service
SC_HANDLE hscService = OpenService ( hscManager, driverName.c_str (), SERVICE_START | DELETE | SERVICE_STOP );
if ( !hscService )
{
    // Not registered yet: create the service
    hscService = CreateService ( hscManager, driverName.c_str (), driverName.c_str (), SERVICE_START | DELETE | SERVICE_STOP,
                                 SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_IGNORE, binaryPath.c_str (),
                                 NULL, NULL, NULL, NULL, NULL );
}
if ( !hscService )
{
    // GetLastError () says why (e.g. 5 = access denied when not elevated)
    MessageBoxA ( 0, "failed", 0, 0 );
}
else
{
    // Start the driver; on failure report the Win32 error code
    // (577 = ERROR_INVALID_IMAGE_HASH: the image failed signature checking)
    if ( !StartService ( hscService, 0, NULL ) )
    {
        char msg[64];
        wsprintfA ( msg, "StartService failed, error %lu", GetLastError () );
        MessageBoxA ( 0, msg, 0, 0 );
    }
    // Stop the driver
    ControlService ( hscService, SERVICE_CONTROL_STOP, &ss );
    DeleteService ( hscService );
    CloseServiceHandle ( hscService );
}
|
EDIT
I disabled Driver Signing Enforcement with F8 after I did the following commands in CMD:
1. Copy / Paste: bcdedit.exe -set loadoptions DDISABLE_INTEGRITY_CHECKS
2. Copy / Paste: bcdedit.exe -set TESTSIGNING ON
DBK32 loads fine though =?
Might be a problem with my driver? I compiled it as AMD 64, is that how you should compile it?
EDIT
Compiled it as IA64 and it won't work either.
DBK64 works though. Hmmm
Dark Byte Site Admin
Reputation: 474
Joined: 09 May 2003 Posts: 25931 Location: The netherlands
Posted: Wed Feb 13, 2013 6:03 pm Post subject: |
dbk64 has a proper business signature.
But pressing F8 and disabling driver signature enforcement should work (just be sure you do that every single time).
Also, use GetLastError after StartService to find out why it won't load (577 means that Windows is still complaining about unsigned drivers).
_________________
Tools give you results. Knowledge gives you control.
Like my help? Join me on Patreon so i can keep helping |
iPromise Grandmaster Cheater
Posted: Wed Feb 13, 2013 7:31 pm Post subject: |
How much did you have to pay to get a proper signature?
My driver keeps returning 577 even though I've disabled signatures.
And hold on, if you got CE signed, don't the people who signed you know that CE is commonly used as a hacking tool?
I don't think they'd sign a DLL injection driver, would they?
What if hackers got their hands on your driver and used it to make rootkits, etc.?
EDIT
I don't get the 577 message; however, I obtain a popup window from Windows saying that Windows has just tried to install an unsigned driver.
EDIT
http://i49.tinypic.com/fyoisw.png
Why would I get an unsigned message when I turned off the enforce driver signature check?
Dark Byte Site Admin
Posted: Wed Feb 13, 2013 8:04 pm Post subject: |
That message will always pop up, even if driver signing is disabled. It's to warn the user, but it will work.
The driver signing certificate costs about $180 a year.
Also, people don't sign the driver, I sign the driver. The signature thing is only to verify that I am in fact the person that this driver came from; it's not WHQL crap that requires Microsoft's approval before being signed.
And sure, the driver might get abused by some hackers, but it has a few annoyances built in that make it less of a target (e.g. only applications running as administrator may communicate with it, and those applications need to have a signature signed with my own private key).
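The checks suggested in this exchange (is test signing actually on for the running boot entry, what does the 577 that StartService hands back mean, and was the driver built for the right architecture, given the AMD64/IA64 question earlier in the thread) collected into one script. This is an added example, not code from the thread or from Cheat Engine; the driver path is an assumed placeholder, and the script is meant to be run from an elevated PowerShell prompt. Note that the F8 "Disable Driver Signature Enforcement" choice is per boot and is not reflected in the bcdedit output, so a "No" there with a working load means F8 did the work.

```powershell
# Added example: inspect boot settings, the driver binary and a StartService error code.
param([string]$DriverPath = 'C:\drivers\mydriver.sys')   # assumed placeholder path

# 1. Is test signing enabled on the boot entry that is currently running?
$bcd = (bcdedit /enum '{current}' | Out-String)
$testSigning = $bcd -match 'testsigning\s+Yes'

# 2. Which architecture was the driver built for? Read the PE machine type
#    from IMAGE_FILE_HEADER.Machine, four bytes past the "PE\0\0" signature.
$bytes   = [System.IO.File]::ReadAllBytes($DriverPath)
$peOff   = [BitConverter]::ToInt32($bytes, 0x3C)          # e_lfanew
$machine = [BitConverter]::ToUInt16($bytes, $peOff + 4)
$arch = switch ($machine) {
    0x014C  { 'x86' }
    0x8664  { 'AMD64 (x64)' }
    0x0200  { 'IA64 (Itanium, will not load on x64 Windows)' }
    default { '0x{0:X4}' -f $machine }
}

# 3. Does the binary carry any Authenticode signature at all?
$sig = Get-AuthenticodeSignature -FilePath $DriverPath

# 4. Translate a Win32 error code such as the 577 GetLastError() returns after StartService.
function Describe-Win32Error([int]$Code) {
    (New-Object System.ComponentModel.Win32Exception($Code)).Message
}

[pscustomobject]@{
    DriverPath      = $DriverPath
    TestSigningOn   = $testSigning
    Architecture    = $arch
    SignatureStatus = $sig.Status      # NotSigned, Valid, or an error status for a self-made test cert
    Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    Error577Means   = Describe-Win32Error 577
}
```

If `TestSigningOn` is false and the last boot did not go through the F8 menu, a 577 from StartService is expected regardless of how the driver was compiled; if `Architecture` is not AMD64 on a 64-bit system, signing is not the problem at all.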
iPromise Grandmaster Cheater
Posted: Wed Feb 13, 2013 8:14 pm Post subject: |
Weird, if that's the case how come I don't receive any DbgPrint messages from my driver?
It was originally working on 32-bit, however I recompiled it using the Checked x64 build environment and tested it on my 64-bit.
I am also using DbgView to monitor my messages, and I read that it works for 64-bit.
Any ideas?
Dark Byte Site Admin
Posted: Wed Feb 13, 2013 8:21 pm Post subject: |
Did you set DbgView to capture kernel-mode messages?
The default is to not show those.
(And does StartService return true or false?)
iPromise Grandmaster Cheater
Posted: Wed Feb 13, 2013 8:51 pm Post subject: |
Yay, it works!
I just have a problem with ZwProtectVirtualMemory now because it keeps failing. Weird, it works for the 32-bit version. Maybe it's the way I obtain the address, because ZwProtectVirtualMemory is not documented.
Declaration
| Code: |
#include <ntddk.h>

// ZwPulseEvent is exported by ntoskrnl, so it can serve as the search anchor
NTSYSAPI
NTSTATUS
NTAPI ZwPulseEvent ( IN HANDLE EventHandle, OUT PLONG PreviousState OPTIONAL );

// ZwProtectVirtualMemory is not exported; it is called through this pointer once located
typedef NTSTATUS ( NTAPI *ZWPROTECTMEM ) ( IN HANDLE ProcessHandle,
                                           IN OUT PVOID * BaseAddress,
                                           IN OUT PSIZE_T NumberOfBytesToProtect,
                                           IN ULONG NewAccessProtection,
                                           OUT PULONG OldAccessProtection );
ZWPROTECTMEM ZwProtectVirtualMemory = NULL;
|
Functions
| Code: |
// Compare two byte patterns; returns 0 on match (memcmp style)
int checkPattern ( const unsigned char* pattern1, const unsigned char* pattern2, size_t size )
{
    while ( size-- > 0 )
    {
        if ( *pattern1++ != *pattern2++ )
            return 1;
    }
    return 0;
}

// Find the Zw stub directly preceding pFunc by searching for the same
// "mov eax, <syscall index>" opening (B8 imm32) with the index decremented by one.
// This assumes the stub begins with mov eax, imm32 and that the two stubs are adjacent.
PVOID findUnresolved ( PVOID pFunc )
{
    UCHAR pattern[5] = { 0 };
    PUCHAR bytePtr = NULL;
    ULONG index = 0;
    RtlCopyMemory ( pattern, pFunc, 5 );
    // If the first instruction is not mov eax, imm32 this pattern cannot match anything useful
    if ( pattern[0] != 0xB8 )
        return NULL;
    // subtract one from the syscall index encoded in the immediate
    RtlCopyMemory ( &index, &pattern[1], sizeof ( index ) );
    index -= 1;
    RtlCopyMemory ( &pattern[1], &index, sizeof ( index ) );
    // Search backwards for the pattern
    for ( bytePtr = (PUCHAR)pFunc - 5; bytePtr >= (PUCHAR)pFunc - 0x800; bytePtr-- )
        if ( checkPattern ( bytePtr, pattern, 5 ) == 0 )
            return (PVOID)bytePtr;
    // pattern not found
    return NULL;
}
|
Locating
| Code: |
// Get the address to ZwProtectVirtualMemory
ZwProtectVirtualMemory = (ZWPROTECTMEM) findUnresolved ( ZwPulseEvent );
|
I pretty much search for the entry-point of ZwProtectVirtualMemory starting from ZwPulseEvent - 5 since ZwPulseEvent is after ZwProtectVirtualMemory.
Can you give me some advice?
Thank you
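The scanner in the post above assumes a Zw stub opens with `mov eax, <index>` (B8 imm32). That holds for 32-bit ntoskrnl, but the x64 stubs open with `mov rax, rsp` and only reach `mov eax, <index>` some twenty bytes in, so a five-byte match against the first bytes of ZwPulseEvent never finds anything. The following is an added example, not the poster's code: it decodes the syscall index from either stub layout and then walks backwards for the stub whose index is one lower, returning NULL instead of a bogus pointer when the anchor is not recognised. The stub layouts are assumptions taken from Windows XP x86 and Windows 7 x64; the syscall numbers in the sample blob and the adjacency of ZwProtectVirtualMemory and ZwPulseEvent are constructed for the demo and must be verified against the actual kernel build.

```c
/* Added example (not from the thread): locate an unexported Zw stub by syscall
 * index on both 32-bit and 64-bit stub layouts. Sample bytes are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define STUB_SIZE 32   /* both sample layouts are padded to 32 bytes */

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void write_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* 32-bit (XP) stub, assumed layout: mov eax,idx ; lea edx,[esp+4] ; pushfd ;
 * push 8 ; call KiSystemService ; ret N.  The index is in the first instruction. */
static const uint8_t X86_AFTER_MOV[] = { 0x8D, 0x54, 0x24, 0x04, 0x9C, 0x6A, 0x08 };

/* 64-bit (Windows 7) stub, assumed layout: mov rax,rsp ; cli ; sub rsp,10h ;
 * push rax ; pushfq ; push 10h ; lea rax,[KiServiceLinkage] ; push rax ;
 * mov eax,idx ; jmp KiServiceInternal.  mov eax,idx sits at offset 0x14, so the
 * first byte is 0x48, not 0xB8, and a five-byte prefix match cannot work. */
static const uint8_t X64_PREFIX[] = { 0x48, 0x8B, 0xC4, 0xFA, 0x48, 0x83, 0xEC, 0x10,
                                      0x50, 0x9C, 0x6A, 0x10, 0x48, 0x8D, 0x05 };
#define X64_MOV_EAX_OFFSET 0x14

/* Syscall index of the stub at p, or -1 if p is not a stub of either layout. */
long stub_syscall_index(const uint8_t *p)
{
    if (p[0] == 0xB8 && memcmp(p + 5, X86_AFTER_MOV, sizeof X86_AFTER_MOV) == 0)
        return (long)read_le32(p + 1);
    if (memcmp(p, X64_PREFIX, sizeof X64_PREFIX) == 0 && p[X64_MOV_EAX_OFFSET] == 0xB8)
        return (long)read_le32(p + X64_MOV_EAX_OFFSET + 1);
    return -1;
}

/* The posted approach treats the first five bytes as mov eax,idx; 1 if that holds. */
int starts_with_mov_eax(const uint8_t *p)
{
    return p[0] == 0xB8;
}

/* From a known exported stub, walk back at most `limit` bytes for the stub whose
 * index is one lower.  NULL if the anchor is not recognised or nothing is found. */
const uint8_t *find_previous_stub(const uint8_t *known, size_t limit)
{
    long idx = stub_syscall_index(known);
    if (idx <= 0)
        return NULL;
    for (size_t back = 1; back <= limit; back++) {
        const uint8_t *p = known - back;
        if (stub_syscall_index(p) == idx - 1)
            return p;
    }
    return NULL;
}

/* ---- constructed sample stubs (not real kernel bytes) ---- */
static void make_x86_stub(uint8_t *out, uint32_t idx)
{
    memset(out, 0xCC, STUB_SIZE);
    out[0] = 0xB8;  write_le32(out + 1, idx);
    memcpy(out + 5, X86_AFTER_MOV, sizeof X86_AFTER_MOV);
    out[12] = 0xE8; write_le32(out + 13, 0x12345678);   /* call rel32 (dummy) */
    out[17] = 0xC2; out[18] = 0x14; out[19] = 0x00;     /* ret 14h */
}

static void make_x64_stub(uint8_t *out, uint32_t idx)
{
    memset(out, 0xCC, STUB_SIZE);
    memcpy(out, X64_PREFIX, sizeof X64_PREFIX);
    write_le32(out + 15, 0x12345678);                   /* lea disp32 (dummy) */
    out[19] = 0x50;                                     /* push rax */
    out[X64_MOV_EAX_OFFSET] = 0xB8;
    write_le32(out + X64_MOV_EAX_OFFSET + 1, idx);
    out[25] = 0xE9; write_le32(out + 26, 0x12345678);   /* jmp rel32 (dummy) */
}

/* Three consecutive stubs with constructed indices 0x4C..0x4E; the last stands in
 * for ZwPulseEvent.  Returns how many bytes back its neighbour (standing in for
 * ZwProtectVirtualMemory) was found, or -1. */
static long demo(void (*make)(uint8_t *, uint32_t))
{
    uint8_t blob[3 * STUB_SIZE];
    for (int i = 0; i < 3; i++)
        make(blob + i * STUB_SIZE, 0x4C + (uint32_t)i);
    const uint8_t *known = blob + 2 * STUB_SIZE;
    const uint8_t *found = find_previous_stub(known, 2 * STUB_SIZE);
    return found ? (long)(known - found) : -1;
}

long demo_x64(void) { return demo(make_x64_stub); }
long demo_x86(void) { return demo(make_x86_stub); }

/* Why the posted scanner fails on x64: the stub does not open with B8. */
int demo_posted_assumption_on_x64(void)
{
    uint8_t stub[STUB_SIZE];
    make_x64_stub(stub, 0x4E);
    return starts_with_mov_eax(stub);
}
```

In a driver the anchor would be the address of the exported `ZwPulseEvent` and the result cast to the `ZWPROTECTMEM` pointer, exactly as in the "Locating" snippet; the decoded-index comparison also makes the adjacency assumption explicit, which is the point Dark Byte raises below, since the stub found is whichever one carries index minus one, not necessarily the one that happens to sit immediately before the anchor.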
Dark Byte Site Admin
Posted: Wed Feb 13, 2013 10:06 pm Post subject: |
Are you sure that in your current windows version ZwPulseEvent comes after ZwProtectVirtualMemory ?