Flag: Tornado! Hurricane!

 Forums >>  Debuggers  >>  How to Break at DriverEntry Using WinDbg or SoftIce?

Topic created on: September 21, 2007 01:27 CDT by babutreddy .

Please provide a method by which I can add a break point to a driver (WITHOUT ITS SYMBOLS) at DriverEntry point.

  Soul12     September 21, 2007 02:25.54 CDT
Patch in a int3 ? then softice can prolly intercept it..but im no driver expert

  frankboldewin     September 21, 2007 02:42.48 CDT
there is a non exported function in ntoskrnl.exe called ioploaddriver. bpx that api. keep in mind that you need to load the nms (softice propriatary pdb format) to find this import. in my rustock.b paper i have written a detailed step-by-step guide how to do this.

windbg should do this without problems.

you can also try to install a callback with PsSetLoadImageNotifyRoutine and then initiate a debugger break

  babutreddy     September 21, 2007 04:38.13 CDT
> frankboldewin: there is a non exported function in ntoskrnl.exe called ioploaddriver. bpx that api. keep in mind that you need to load the nms (softice propriatary pdb format) to find this import. in my rustock.b paper i have written a detailed step-by-step guide how to do this.
>
> windbg should do this without problems.
>
> you can also try to break on pssetimagenotifyroutine

Thanks a lot... I will try this

  anonymouse     September 21, 2007 11:33.54 CDT
https://www.openrce.org/forums/posts/315#928

how is driver loaded is it BootLoading Driver

  NateLawson   September 22, 2007 13:58.45 CDT
A driver is a modified PE file.  There is no exported DriverEntry symbol and you can name the function anything you want.  There's a special section, INIT, that contains the DriverEntry code that is called when the driver is loaded.  The start address within the INIT section is contained in the PE section "OPTIONAL" and is labeled "AddressOfEntryPoint".  Find the load address of the driver, add the offset from the start address, and set a hw breakpoint.

You can also set a conditional breakpoint based on the name of the driver as it's being loaded.

  nezumi     October 13, 2007 17:51.34 CDT
# how to break at DriverEntry for _any_ driver without syms
there are many ways to do this.
1) patch the driver and insert CCh code at DriverEntry.
it doesn't work for signed driver and causes a lot of problems:
how to bypass unhanded exception.

2) break on IoCreateDevice or any other API-function called by the driver;
it works, but causes many false positive alarm;
it doesn't work at all if the driver doesn't call any API function in DriverEntry;

3) break on unexported internal kernel function ioploaddriver
it works, but requests pdb-symbols;

4) well, the simplest method is:
a) create your own driver and place int 03 at the DriverEntry;
b) load it and catch the exception in the debugger;
c) unroll stack and see which functions was called before;
/* in my case - W2KSP0 - this is internal function placed at 804D9281h */
d) set break on 804D9281h and reload driver
(need reboot, if don't want to bypass the unhanded exception)
e) catch the debugger pop-up and trace 804D9281h
utill you see CALL [EAX+2Ch] or something like that.
does it look familiar? I mean 2Ch constant. this is offset of the EntryPoint!
f) save address of the CALL [EAX+2Ch] (in my case it's 804A442Eh).
well, every time you want to pop-up at the DriverEntry,
just break on 804A442Eh.
the point is: this address will be always the same
(of course if you don't install/uninstall Service Pack)
CALL [EAX+2Ch] passes control to the DriverEntry.

  nezumi     October 14, 2007 10:11.22 CDT
ok, there is a better solution:
1) write your own demo driver (see bellow);
2) put CCh (int 03) into DriverEntry;
3) load the driver;
4) wait until the debugger pops-up;
5) trace code until you return to the mother-function;
6) this function is internal _IoLoadDriver procedure; /* but it doesn't matter at all */
7) see the instruction above: "CALL [EAX+2Ch]", where EAX -> "PE", 2Ch is an offset of the DriverEntry;
8) remember the address of the CALL [EAX+2Ch], it various from one version of the kernel to another, but for certain version (your version) it's always the same. (for W2KSP0 RUS it's 804A442Eh);
9) since, "CALL [EAX+2Ch]" immediately passes control to the DriveEntry this is best solution to break on it and have a fun.

now, the demo-driver:
---------------------
.686
.model flat, stdcall
.code

DriverEntry proc
int 03
nop
mov eax, 0C0000182h; STATUS_DEVICE_CONFIGURATION_ERROR
ret
DriverEntry endp
end DriverEntry

and now how to make it (you must to have NTDDK):
------------------------------------------------
ml.exe /nologo /c /coff demo.asm
link.exe /nologo /driver /base:0x10000 /align:32 /out:demo.sys /subsystem:native demo.obj

  lallous     May 20, 2009 05:17.18 CDT
hi

using Windbg you can use "bu" command;

bu drivername+entrypoint_rva

so for example:

bu mydriver+300

Note: Registration is required to post to the forums.

There are 31,038 total registered users.


Recently Created Topics
Ultimate Hacking Cha...
Jun/21
CreateMutex
May/31
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06
Immunity Debugger Re...
Aug/03


Recent Forum Posts
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n
OOP_RE tool available?
van7hu
Should binaries be n...
Kolisar
Problem with ollydbg
nullx42
!findtrampoline Immu...
skycrack


Recent Blog Entries
crystalwade
Jul/20
test

nieo
Mar/22
Android Application Reversing

halsten
Mar/14
Breaking IonCUBE VM

oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...

djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit