A forum for reverse engineering, OS internals and malware analysis 
 #8071  by utsav.0202
 Wed Aug 17, 2011 10:18 am
Hi

I saw the following code in the DriverEntry of a driver.
PLDR_DATA ldr;

/* DriverSection points at the loader's entry for this driver image */
ldr = (PLDR_DATA)DriverObject->DriverSection;
/* set bit 0x20 in the entry's Flags field */
ldr->Flags |= 0x20;
What is it for?

Thanks and Regards
Utsav
 #8090  by Alex
 Wed Aug 17, 2011 7:05 pm
I can't find a definition of such a flag (or combination). There is a gap in the loader's flag definitions, so I'm also interested in where (which driver) and what for this flag is set:
#define LDRP_STATIC_LINK                0x00000002
#define LDRP_IMAGE_DLL                  0x00000004
#define LDRP_LOAD_IN_PROGRESS           0x00001000
#define LDRP_UNLOAD_IN_PROGRESS         0x00002000
#define LDRP_ENTRY_PROCESSED            0x00004000
#define LDRP_ENTRY_INSERTED             0x00008000
#define LDRP_CURRENT_LOAD               0x00010000
#define LDRP_FAILED_BUILTIN_LOAD        0x00020000
#define LDRP_DONT_CALL_FOR_THREADS      0x00040000
#define LDRP_PROCESS_ATTACH_CALLED      0x00080000
#define LDRP_DEBUG_SYMBOLS_LOADED       0x00100000
#define LDRP_IMAGE_NOT_AT_BASE          0x00200000
#define LDRP_COR_IMAGE                  0x00400000
#define LDRP_COR_OWNS_UNMAP             0x00800000
#define LDRP_SYSTEM_MAPPED              0x01000000
#define LDRP_IMAGE_VERIFYING            0x02000000
#define LDRP_DRIVER_DEPENDENT_DLL       0x04000000
#define LDRP_ENTRY_NATIVE               0x08000000
#define LDRP_REDIRECTED                 0x10000000
#define LDRP_NON_PAGED_DEBUG_INFO       0x20000000
#define LDRP_MM_LOADED                  0x40000000
#define LDRP_COMPAT_DATABASE_PROCESSED  0x80000000
 #8091  by Vrtule
 Wed Aug 17, 2011 7:56 pm
This seems to be the flag that allows unsigned drivers to use some "new" routines like ObRegisterCallbacks or PsSetCreateProcessNotifyRoutineEx more easily. It changes the behavior of MmVerifyCallback so that it does not require the callback being registered to come from a signed driver.

I have neither tested this nor am I sure whether the statement above still holds. I found this information two years ago here: http://d.hatena.ne.jp/xna/20080517/1210984806
 #8097  by utsav.0202
 Thu Aug 18, 2011 9:41 am
I tested it but couldn't understand it.

When I set the flag and didn't sign the driver, I got:
Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Next, I didn't set the flag but signed the driver and got:
A device attached to the system is not functioning.

It worked only when the flag was set and the driver was signed.
 #8124  by Vrtule
 Thu Aug 18, 2011 3:55 pm
utsav.0202 wrote: I tested it but couldn't understand it.

When I set the flag and didn't sign the driver, I got:
Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Next, I didn't set the flag but signed the driver and got:
A device attached to the system is not functioning.

It worked only when the flag was set and the driver was signed.
Hmmm, this is interesting. I think you must have a bug somewhere. I never tried this flag, just signed the driver (with a self-signed certificate). Everything worked fine on both x86 and x64 versions of Windows.