
How to unpack a .sys file? (device driver)


cloud_y
February 12th, 2004, 12:40
Although .sys is a PE file, I think dumping a .sys is very different from
dumping an exe or a dll.

Can anyone give me some suggestions on unpacking a .sys file?
How to find the OEP?
How to dump the import table? (I think ImportRec will not work in Ring 0.)

I used google but found nothing helpful.
//thanks

AndreaGeddon
February 12th, 2004, 13:41
As you correctly said, it is a PE.
The import table is the same as in any PE: if you look at a non-encrypted .sys you can see in the import table the imports from ntoskrnl. The entry point is the one specified in the PE; it corresponds to the DriverEntry function of the driver, in which I suppose the self-unpacking code should reside. After that, usually the callbacks of the driver are placed in the driver_object structure (see the DDK and related documentation for this) and they are the ones you should be interested in.
Bye!
AndreaGeddon

LiSa
February 19th, 2004, 12:24
Some invaluable info about .sys in the miniproject section. If well protected, you will not be able to live dump a .sys as you would a .exe because of int1 and int3 tricky redirections. Anyway, don't forget to unprotect pages with an OR on CR0.
good luck
LiSa

evaluator
February 19th, 2004, 14:34
You can unpack a SYS file by debugging step by step.
For symbols, determine the names by address, write them down, and then build a new import table.

What SYS are you unpacking?
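To make the two pieces of advice above concrete (AndreaGeddon: the import table and entry point of a .sys are ordinary PE structures, with the entry point being DriverEntry; evaluator: resolve each IAT address to a name, write them down, then build a new import table), here is an added example that is not from this thread or any of its posters. It builds a constructed, minimal 32-bit PE standing in for a memory dump of an unpacked driver whose import directory the packer zeroed but whose IAT slots already hold kernel addresses, then does by hand what ImportRec does for user-mode dumps: it resolves the slots against an export map, writes an IMAGE_IMPORT_DESCRIPTOR, import name table and hint/name strings into a new section, and points the import data directory at it while leaving the original IAT in place so the unpacked code's indirect calls still resolve. The IAT RVA (IAT_RVA), the ntoskrnl addresses in NTOSKRNL_EXPORTS and the section name .idata are assumptions for the demo; in practice the IAT location comes from the debugger and the address-to-name map from ntoskrnl's export table or symbols.

```python
import struct

# Header layout constants from winnt.h for a 32-bit PE, which is what the thread discusses.
DOS_STUB_SIZE, FILE_ALIGN, SECT_ALIGN, IMAGE_BASE = 0x40, 0x200, 0x1000, 0x10000
IMPORT_DIR_INDEX = 1      # IMAGE_DIRECTORY_ENTRY_IMPORT
IAT_RVA = 0x1100          # assumption: where the debugger showed the IAT slots in the dump

# Constructed export map (address -> name). Real values come from ntoskrnl's export
# table or the debugger's symbol lookup; these numbers are made up for the demo.
NTOSKRNL_EXPORTS = {
    0x804E3B2C: "IoCreateDevice",
    0x804E5D10: "IoDeleteDevice",
    0x80501F20: "RtlInitUnicodeString",
}

def align(x, a):
    return (x + a - 1) // a * a

def cstr(data, off):
    return data[off:data.index(b"\0", off)].decode()

def rva_to_off(sections, rva):
    for _, vaddr, vsize, rawptr, rawsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rawptr + (rva - vaddr)
    raise ValueError(f"RVA {rva:#x} is not inside any section")

def _section_header(name, vaddr, vsize, rawptr, rawsize, flags):
    return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, flags)

def _nt_headers(nsec, entry_rva, size_of_image):
    file_hdr = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0x1000, 0,
                      IMAGE_BASE, SECT_ALIGN, FILE_ALIGN, 5, 1, 0, 0, 5, 1, 0, size_of_image,
                      FILE_ALIGN, 0, 1, 0, 0, 0, 0, 0, 0, 16)
    return b"PE\0\0" + file_hdr + opt + bytes(16 * 8)   # all data directories zero (packer wiped them)

def build_dumped_driver():
    """Constructed stand-in for a dump: DriverEntry stub at RVA 0x1000, resolved kernel
    addresses in the IAT slots at IAT_RVA, no import directory."""
    text = bytearray(0x200)
    text[0:6] = b"\xB8\x00\x00\x00\x00\xC3"                   # mov eax, STATUS_SUCCESS ; ret
    slots = struct.pack("<4I", *list(NTOSKRNL_EXPORTS) + [0])  # zero-terminated IAT
    text[IAT_RVA - 0x1000:IAT_RVA - 0x1000 + len(slots)] = slots
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", DOS_STUB_SIZE)
    hdr = dos + _nt_headers(1, 0x1000, 0x2000) + _section_header(b".text", 0x1000, 0x200, 0x200, 0x200, 0x60000020)
    return bytes(hdr.ljust(FILE_ALIGN, b"\0")) + bytes(text)

def parse_pe(data):
    """Entry point (== DriverEntry for a .sys), sections and the import table, all read
    exactly as for an exe or dll."""
    nt = struct.unpack_from("<I", data, 0x3C)[0]
    assert data[:2] == b"MZ" and data[nt:nt + 4] == b"PE\0\0"
    nsec, opt_size = struct.unpack_from("<H", data, nt + 6)[0], struct.unpack_from("<H", data, nt + 20)[0]
    opt = nt + 24
    entry, image_base = struct.unpack_from("<I", data, opt + 16)[0], struct.unpack_from("<I", data, opt + 28)[0]
    imp_rva = struct.unpack_from("<I", data, opt + 96 + 8 * IMPORT_DIR_INDEX)[0]
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), vaddr, vsize, rawptr, rawsize))
    imports, desc = {}, imp_rva
    while imp_rva:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", data, rva_to_off(sections, desc))
        if name_rva == 0:
            break
        thunk, names = oft or ft, []            # walk the INT if present, else the IAT itself
        while (t := struct.unpack_from("<I", data, rva_to_off(sections, thunk))[0]) != 0:
            names.append(f"#{t & 0xFFFF}" if t & 0x80000000 else cstr(data, rva_to_off(sections, t) + 2))
            thunk += 4
        imports[cstr(data, rva_to_off(sections, name_rva))] = names
        desc += 20
    return {"entry_point": entry, "image_base": image_base, "sections": sections, "imports": imports}

def resolve_iat(data, sections, iat_rva, export_map):
    """evaluator's step: for every address sitting in the IAT, determine its name."""
    names, off = [], rva_to_off(sections, iat_rva)
    while (addr := struct.unpack_from("<I", data, off)[0]) != 0:
        if addr not in export_map:
            raise LookupError(f"slot at RVA {iat_rva + 4 * len(names):#x} holds unknown address {addr:#x}")
        names.append(export_map[addr])
        off += 4
    return names

def rebuild_imports(data, iat_rva, dll, export_map):
    """Append a section holding descriptor | INT | hint/name strings | dll name, with
    FirstThunk pointing back at the original IAT, and set the import data directory."""
    pe = parse_pe(data)
    names = resolve_iat(data, pe["sections"], iat_rva, export_map)
    _, lvaddr, lvsize, lrawptr, lrawsize = pe["sections"][-1]
    new_rva, new_raw = align(lvaddr + max(lvsize, lrawsize), SECT_ALIGN), align(lrawptr + lrawsize, FILE_ALIGN)
    int_rva = new_rva + 2 * 20                       # one descriptor plus the all-zero terminator
    strings_rva, blob, thunks = int_rva + 4 * (len(names) + 1), bytearray(), []
    for n in names:
        thunks.append(strings_rva + len(blob))
        blob += struct.pack("<H", 0) + n.encode() + b"\0"   # hint 0, then the name
    dll_rva = strings_rva + len(blob)
    blob += dll.encode() + b"\0"
    body = struct.pack("<5I", int_rva, 0, 0, dll_rva, iat_rva) + bytes(20)
    body += struct.pack(f"<{len(thunks) + 1}I", *thunks, 0) + blob
    raw_size = align(len(body), FILE_ALIGN)
    out = bytearray(data[:new_raw].ljust(new_raw, b"\0")) + body.ljust(raw_size, b"\0")
    nt = struct.unpack_from("<I", out, 0x3C)[0]
    opt, nsec = nt + 24, struct.unpack_from("<H", out, nt + 6)[0]
    sh = opt + struct.unpack_from("<H", out, nt + 20)[0] + 40 * nsec
    if sh + 40 > struct.unpack_from("<I", out, opt + 60)[0]:
        raise ValueError("no room for another section header; enlarge SizeOfHeaders first")
    out[sh:sh + 40] = _section_header(b".idata", new_rva, len(body), new_raw, raw_size, 0xC0000040)
    struct.pack_into("<H", out, nt + 6, nsec + 1)
    struct.pack_into("<II", out, opt + 96 + 8 * IMPORT_DIR_INDEX, new_rva, 2 * 20)
    struct.pack_into("<I", out, opt + 56, align(new_rva + len(body), SECT_ALIGN))   # SizeOfImage
    return bytes(out)

if __name__ == "__main__":
    dump = build_dumped_driver()
    fixed = rebuild_imports(dump, IAT_RVA, "ntoskrnl.exe", NTOSKRNL_EXPORTS)
    pe = parse_pe(fixed)
    print(f"DriverEntry at RVA {pe['entry_point']:#x}, imports: {pe['imports']}")
```

The rebuilt file keeps the IAT where the unpacked code expects it; only the descriptor, INT and strings live in the new section, which is why `rebuild_imports` refuses to run when there is no room for another section header rather than overwriting the first section's raw data. On a real dump the slots will also contain addresses of the driver's own callbacks copied into the DRIVER_OBJECT, so `resolve_iat` stops at the first zero and raises on anything the export map cannot name instead of silently emitting a bogus import.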