In the article, we’ll see different methods of interacting with the SCM: by using OSR Driver Loader, sc.exe and of course by using the Win32 API functions.

The services.exe program is started early on in the system startup. After it is started, it must launch all of the services that are configured to start automatically. When the services.exe program starts, the internal database is initialized by reading the HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder\List registry key, which contains the names and order of service groups. Another registry key is also read, HKLM\SYSTEM\CurrentControlSet\Services, which contains the database of services and device drivers; it is read into the SCM’s internal database. This can be seen on the picture below:

Some of the services are presented below: services that have the Type registry value set to SERVICE_KERNEL_DRIVER are device driver services that load device drivers from the C:\WINDOWS\System32\drivers directory. To do that, the NtLoadDriver function call is invoked.

Let’s first start the winobj.exe program to check out which drivers are currently loaded. On the picture above, we have selected the DSFKSvcs device name. Since the devices are listed alphabetically, the Example device name should appear directly after the selected name once we load the driver.

Let’s first download the OSR Driver Loader and select our driver.sys (seen in the Driver Path on the picture below). After that, click on Register Service and then Start Service. As soon as this happens, we need to refresh the drivers in winobj.exe, which will now list the Example driver, as seen on the picture below. We can see that the driver has been loaded into the kernel, which is exactly what we’re trying to achieve.

But this by itself doesn’t tell us much, because we can’t directly interact with the driver and see whether it’s doing anything or not. This is exactly why dbgview.exe comes in handy, because it should display the messages we’re printing with DbgPrint in the kernel driver. Right after starting dbgview.exe, we need to enable the “Capture Kernel” option, which enables logging of kernel messages (otherwise we won’t see the messages printed by our driver).
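The same Register Service / Start Service sequence performed with sc.exe instead of OSR Driver Loader, as an added example that is not part of the original article: the service name Example and the driver path C:\Drivers\Example.sys are assumptions, and the registry check shows the Services key entry the SCM creates for a SERVICE_KERNEL_DRIVER.

```powershell
# Added example (not the article's own code). Assumed values: service name "Example",
# driver binary at C:\Drivers\Example.sys. Run from an elevated prompt on a test machine.
$svc  = 'Example'
$path = 'C:\Drivers\Example.sys'

# Equivalent of OSR Driver Loader's "Register Service": the SCM creates
# HKLM\SYSTEM\CurrentControlSet\Services\Example. sc.exe requires a space after each '='.
sc.exe create $svc type= kernel start= demand error= normal binPath= $path

# Inspect what was written: Type 1 = SERVICE_KERNEL_DRIVER, Start 3 = SERVICE_DEMAND_START.
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" |
    Select-Object Type, Start, ErrorControl, ImagePath

# Equivalent of "Start Service": the SCM invokes NtLoadDriver and the driver's DriverEntry runs,
# so any DbgPrint output now appears in dbgview.exe (with "Capture Kernel" enabled).
sc.exe start $svc
sc.exe query $svc          # STATE should read RUNNING

# Inventory check useful on the defending side: every kernel driver service the SCM knows
# about, so a newly registered or unexpected driver stands out next to the known ones.
Get-CimInstance Win32_SystemDriver |
    Where-Object State -eq 'Running' |
    Sort-Object Name |
    Select-Object Name, PathName, StartMode

# Unload the driver (DriverUnload runs) and remove the Services key entry again.
sc.exe stop $svc
sc.exe delete $svc
```

The Win32 API route the article mentions follows the same steps, with OpenSCManager, CreateService, StartService, ControlService and DeleteService taking the place of the sc.exe verbs.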