 #8175  by madaboo
 Sun Aug 21, 2011 8:39 am
Hello.

I'm looking for a suggestion on how I can attach to a specified driver stack with my own driver (I want to make a filter driver) just after it has been loaded. (I mean here that the driver I want to attach to is loaded dynamically in the system, so I don't really know when it is loaded.)
I've tried to use the PsSetLoadImageNotifyRoutine callback to track this moment, but it seems that it is too early - when I'm calling IoAttachDevice() the I/O manager returns "specified device not found" (c0000034); as I understand it, this is because the DriverEntry routine has not been called yet.
Can you tell me how I could achieve this? Or maybe I'm doing something wrong.
I would like to avoid any illegal solutions.

Thank you for joining the discussion.
madaboo
 #8178  by madaboo
 Sun Aug 21, 2011 10:40 am
redp, thanks for the quick response!
I will check your 'inf' suggestions soon.
The driver I want to attach to is not PnP, so probably I won't be able to apply your second suggestion; however, thank you for this - I will remember it for next time ;) .

Do you think that there is no other 'callback & notify' solution that could work for this?
Maybe there is a callback for driver loading notifications or something?
 #8182  by redp
 Sun Aug 21, 2011 1:57 pm
Sure, there are lots of less official dirty hacks to do that.
You could hijack IoCreateDevice in the IAT of the driver which controls the device to attach to.
Or even just hook this function (e.g. using splicing),
or some other function like IoCreateSymbolicLink,
etc etc
 #8186  by madaboo
 Sun Aug 21, 2011 4:55 pm
redp,

Thanks again for joining the discussion.
When I was posting this question I was considering legal solutions only.
BTW, could you give me some links or how-tos on splicing and hijacking from the IAT - it sounds interesting...
But my question about a legal way of attaching to an existing driver that is loaded dynamically (if you have any other ideas) is still open.

Thank you very much.
 #8189  by redp
 Sun Aug 21, 2011 6:05 pm
remembering Richard Feynman :twisted:
You could rebuild the kernel from the WRK and add some custom patches.
Or you can patch the pointer to IoCreateDevice in the VfRegularThunks table and just load the target driver under Driver Verifier.
Or you could patch NtCreateFile in the SDT to intercept the opening of the device you want to attach to.
etc etc
 #8199  by madaboo
 Mon Aug 22, 2011 9:39 am
redp,
Thanks again for your reply.
Regarding my question - can you give me some links or tutorials for those 'hacking' methods?

Thanks a lot for your help!
 #8265  by Brock
 Thu Aug 25, 2011 8:36 am
What hacking methods are you in need of? Elaboration is needed, otherwise you are writing in crayons.