A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #28960  by pboy0922
 Sat Jul 30, 2016 3:18 pm
Hi, I have written a driver. This driver uses PsSetLoadImageNotifyRoutine in DriverEntry; I want to monitor all the drivers which are loaded after my driver, so I let my driver start very early when the system boots. But I found a problem: my LoadImageNotifyRoutine can only monitor very few drivers during the system boot. Can you help me? :D
 #29047  by pboy0922
 Tue Aug 16, 2016 10:57 am
EP_X0FF wrote: Set your driver at startup as SERVICE_BOOT_START and give it low order group.
Hi EP_X0FF, I have set my driver at startup as SERVICE_BOOT_START, and its starting order number is 4th among all drivers on Windows XP; the target driver's order number is 5th, which I want to monitor. The target driver also starts up as SERVICE_BOOT_START. Then I found that my driver can't monitor any driver which starts up as SERVICE_BOOT_START. Do you know why?
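The advice above hinges on two registry-controlled facts: a driver's Start value (0 = SERVICE_BOOT_START) and the position of its load-order group in HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder\List, refined within a group by the tag sequence in Control\GroupOrderList. The following PowerShell script is an added example, not code from this thread or from any of its posters; it lists every boot-start kernel or file-system driver in the order those values imply, so one can verify where a monitoring driver actually sits relative to the drivers it hopes to observe. It assumes a Windows host with PowerShell 3 or later and read access to HKLM\SYSTEM (no elevation is needed for reading); the function and variable names are the example's own.

```powershell
# Added example (not from the thread): show boot-start drivers in implied load order.
# Assumes Windows, PowerShell 3+, and read access to HKLM:\SYSTEM\CurrentControlSet.
$ccs = 'HKLM:\SYSTEM\CurrentControlSet'

# ServiceGroupOrder\List (REG_MULTI_SZ) defines the order in which load groups are processed.
$groupList = (Get-ItemProperty "$ccs\Control\ServiceGroupOrder").List
$groupRank = @{}
for ($i = 0; $i -lt $groupList.Count; $i++) { $groupRank[$groupList[$i]] = $i }

# GroupOrderList holds one REG_BINARY value per group: a DWORD count followed by
# the service Tag values in the order they load within that group.
$gol = Get-ItemProperty "$ccs\Control\GroupOrderList"

function Get-TagRank([string]$Group, $Tag) {
    $bytes = $gol.$Group
    if (-not $bytes -or $null -eq $Tag) { return [int]::MaxValue }   # untagged: after tagged ones
    $count = [BitConverter]::ToUInt32($bytes, 0)
    for ($i = 0; $i -lt $count; $i++) {
        if ([BitConverter]::ToUInt32($bytes, 4 + 4 * $i) -eq [uint32]$Tag) { return $i }
    }
    return [int]::MaxValue
}

$bootDrivers = foreach ($key in Get-ChildItem "$ccs\Services") {
    $p = Get-ItemProperty $key.PSPath
    # Start 0 = SERVICE_BOOT_START; Type 1 = SERVICE_KERNEL_DRIVER, 2 = SERVICE_FILE_SYSTEM_DRIVER
    if ($p.Start -eq 0 -and $p.Type -in 1, 2) {
        $grp = if ($p.Group) { $p.Group } else { '(no group)' }
        [pscustomobject]@{
            Service   = $key.PSChildName
            Group     = $grp
            GroupRank = if ($groupRank.ContainsKey($grp)) { $groupRank[$grp] } else { [int]::MaxValue }
            Tag       = $p.Tag
            TagRank   = Get-TagRank -Group $grp -Tag $p.Tag
            ImagePath = $p.ImagePath
        }
    }
}

# Groups not in ServiceGroupOrder\List and untagged services sort last within their tier.
$bootDrivers | Sort-Object GroupRank, TagRank, Service | Format-Table -AutoSize
```

Reading the output: a monitoring driver can only hope to be initialized before drivers that appear below it in this list, and even that only governs DriverEntry order. All boot-start images are mapped into memory by the boot loader before the kernel runs, so an image-load callback registered in DriverEntry never sees them load regardless of group placement; the earliest such a callback can observe is the system-start and later drivers.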
 #29061  by Vrtule
 Wed Aug 17, 2016 12:18 pm
I suspect that Windows maps all boot-start drivers into memory at once. Then, it initializes them (not sure if one by one or in parallel). So, your driver cannot see how other boot-start drivers load, since they are already loaded and only their DriverEntry needs to be called.
 #29095  by pboy0922
 Thu Aug 25, 2016 7:47 am
Vrtule wrote: I suspect that Windows maps all boot-start drivers into memory at once. Then, it initializes them (not sure if one by one or in parallel). So, your driver cannot see how other boot-start drivers load, since they are already loaded and only their DriverEntry needs to be called.
Yeah, I think the same as you. Maybe Windows calls the DriverEntrys of the boot-start drivers one by one, perhaps calling the next DriverEntry before the previous DriverEntry has returned. Or this PsSetLoadImageNotifyRoutine function only takes effect after all the boot-start drivers have loaded. :shock: