Entry point for calling DriverEntry at ntoskrnl (Win10)

Forum for discussion about kernel-mode development.
rkhunter
Posts: 1155
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Entry point for calling DriverEntry at ntoskrnl (Win10)

Post by rkhunter » Tue Aug 21, 2018 6:09 pm

Hi all.

Does anyone remember which function in the NT kernel on Win10 is responsible for calling DriverEntry when loading drivers? I can't find any footprints in IopLoadDriver.

t4L
Global Moderator
Posts: 139
Joined: Tue Mar 09, 2010 5:44 pm

Re: Entry point for calling DriverEntry at ntoskrnl (Win10)

Post by t4L » Wed Aug 22, 2018 12:50 am

I think you can just have a dummy WDM driver, put a DbgBreak(); in DriverMain() and do a "k" in windbg.

EP_X0FF
Global Moderator
Posts: 4812
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Entry point for calling DriverEntry at ntoskrnl (Win10)

Post by EP_X0FF » Wed Aug 22, 2018 6:04 am

It should still be there. Look for 0xC0000365 STATUS_FAILED_DRIVER_ENTRY.
Ring0 - the source of inspiration
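One quick way to act on EP_X0FF's hint, added here as an example and not code from the thread: scan a raw ntoskrnl image for the little-endian encoding of STATUS_FAILED_DRIVER_ENTRY and flag the hits that sit in a `mov r32, imm32` or `cmp eax, imm32` position, which is how the compiler usually materialises a returned or compared NTSTATUS. The sample bytes are constructed; the file path is an assumption.

```python
import struct
import sys

# NTSTATUS quoted in the thread: STATUS_FAILED_DRIVER_ENTRY.
STATUS_FAILED_DRIVER_ENTRY = 0xC0000365

# Opcode bytes that are immediately followed by a 32-bit immediate:
#   B8+r  mov r32, imm32   (an optional REX prefix may precede it)
#   3D    cmp eax, imm32
MOV_R32_IMM32 = range(0xB8, 0xC0)
CMP_EAX_IMM32 = 0x3D


def find_ntstatus_refs(image, status=STATUS_FAILED_DRIVER_ENTRY):
    """Return [(offset_of_immediate, kind)] for every little-endian
    occurrence of `status` in `image`.  kind is 'mov' or 'cmp' when the
    preceding byte is an opcode that takes imm32, else 'data' (a raw hit
    with no opcode context: a data table or some other encoding, so
    confirm it in a disassembler before trusting it)."""
    needle = struct.pack("<I", status)
    hits = []
    pos = image.find(needle)
    while pos >= 0:
        prev = image[pos - 1] if pos > 0 else None
        if prev in MOV_R32_IMM32:
            kind = "mov"
        elif prev == CMP_EAX_IMM32:
            kind = "cmp"
        else:
            kind = "data"
        hits.append((pos, kind))
        pos = image.find(needle, pos + 1)
    return hits


def instruction_offsets(hits):
    """File offsets of the opcode byte for each hit that has code context."""
    return [off - 1 for off, kind in hits if kind != "data"]


# Constructed sample image: mov rax,rsp ; mov eax,0C0000365h ; ret ;
# four zero bytes ; the constant as raw data ; cmp eax,0C0000365h
SAMPLE = bytes.fromhex("488bc4" "b8650300c0" "c3" "00000000" "650300c0"
                       "3d650300c0")

if __name__ == "__main__":
    # Assumed usage: python scan.py C:\Windows\System32\ntoskrnl.exe
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, kind in find_ntstatus_refs(data):
        print(f"file offset 0x{off:08x}: {kind}")
```

Offsets are raw file offsets, not RVAs; map them through the section table (or load the file in a disassembler and jump to the offset) to reach the function that returns the status after the DriverEntry call.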

rkhunter
Posts: 1155
Joined: Mon Mar 15, 2010 12:51 pm
Location: Russian Federation

Re: Entry point for calling DriverEntry at ntoskrnl (Win10)

Post by rkhunter » Wed Aug 22, 2018 11:17 am

Thx. I've analyzed it without applying structures and Hex-Rays. Looked for call [register+offset] and forgot about _guard_dispatch_icall.
