Log in

View Full Version : DRIVER_OBJECT structures list

Opcode
January 4th, 2005, 15:14
Hi!

I'm trying to find a way to get a list of all DRIVER_OBJECT structure addresses of the drivers loaded in the kernel.
SoftICE knows how to get the list, but I don't

PsLoadedModuleList variable was not useful to me.

Maybe some reverser know how to generate this list.
It is pratically the same of getting the list of the DEVICE_OBJECT
structure.

Thanks in advance for any help.

Regards,
Opcode
Kayaker
January 4th, 2005, 15:37
Hi Opcode,

Funny, I've been thinking about doing that exact same thing, I wanted to try to get the addresses of the IRP_MJxx functions (and other info) from the DRIVER_OBJECT structure for all loaded modules. I thought PsLoadedModuleList might be the way in too... I'd had a quick look at the Softice DRIVER command for the answer but apparently never shouted "Eureka!" Interesting question.

Regards,
Kayaker
Kayaker
January 4th, 2005, 18:28
Hi

Just quickly, looking again at the Softice c_Driver function, after initially parsing the command window text with the driver name, Sice apparently uses ZwOpenDirectoryObject in a subfunction. That would seem to be the key to developing a routine.


Code:


:000105FE _c_Driver3      proc near               ; CODE XREF: sub_2C904+1Dp

:000105FE                                         ; _c_Driver9+3B

:000105FE 

:000105FE ObjectAttributes= OBJECT_ATTRIBUTES ptr -24h

:000105FE var_C           = dword ptr -0Ch

:000105FE Handle          = dword ptr -4

:000105FE 

:000105FE                 push    ebp

:000105FF                 mov     ebp, esp

:00010601                 sub     esp, 24h

:00010604                 mov     eax, Object

:00010609                 push    esi

:0001060A                 xor     esi, esi

:0001060C                 cmp     eax, esi

:0001060E                 jnz     short loc_1067D

:00010610                 push    offset dword_105FA ; dd 5C = unicode 0, <\>,0

:00010615                 lea     eax, [ebp+var_C]

:00010618                 push    eax

:00010619                 call    ds:RtlInitUnicodeString_0

:0001061F                 lea     eax, [ebp+var_C]

:00010622                 mov     [ebp+ObjectAttributes.ObjectName], eax

:00010625                 lea     eax, [ebp+ObjectAttributes]

:00010628                 push    eax             ; ObjectAttributes

:00010629                 push    1               ; DesiredAccess

:0001062B                 lea     eax, [ebp+Handle]

:0001062E                 push    eax             ; DirectoryHandle

:0001062F                 mov     [ebp+ObjectAttributes.Length], 18h

:00010636                 mov     [ebp+ObjectAttributes.RootDirectory], esi

:00010639                 mov     [ebp+ObjectAttributes.Attributes], 40h

:00010640                 mov     [ebp+ObjectAttributes.SecurityDescriptor], esi

:00010643                 mov     [ebp+ObjectAttributes.SecurityQualityOfService], esi

:00010646                 call    ds:ZwOpenDirectoryObject

:0001064C                 test    eax, eax

:0001064E                 jnz     short loc_10678

:00010650                 push    esi             ; HandleInformation

:00010651                 push    offset Object   ; Object

:00010656                 push    esi             ; AccessMode

:00010657                 push    esi             ; ObjectType

:00010658                 push    1               ; DesiredAccess

:0001065A                 push    [ebp+Handle]    ; Handle

:0001065D                 call    ds:ObReferenceObjectByHandle

:00010663                 mov     ecx, Object

:00010669                 call    ds:ObfDereferenceObject

:0001066F                 push    [ebp+Handle]    ; Handle

:00010672                 call    ds:ZwClose

:00010678 

:00010678 loc_10678:                              ; CODE XREF: _c_Driver3+50j

:00010678                 mov     eax, Object

:0001067D 

:0001067D loc_1067D:                              ; CODE XREF: _c_Driver3+10j

:0001067D                 pop     esi

:0001067E                 leave

:0001067F                 retn

:0001067F _c_Driver3      endp
Neitsa
January 4th, 2005, 19:52
Hello,

Maybe a good way to have a DRIVER_OBJECT list is to disassemble KD (kernel debugger from debugging tools) and its DLLs.


Listing all drivers:

Quote:

kd> !object \device
Object: 82b18030 Type: (82b1c040) Directory
ObjectHeader: 82b18018
HandleCount: 0 PointerCount: 253
Directory Object: 82b1c390 Name: Device
13 symbolic links snapped through this directory
HashBucket[ 00 ]: 82a7faf0 Device 'KsecDD'
82ae0cd0 Device 'HarddiskVolume12'
82a7ead0 Device 'Ndis'
810d08d0 Device 'AdiUsbAdsl'
813fd110 Device 'Beep'
[cut]


retrieving DRIVER_OBJECT struct for a particular driver:

Quote:

kd> !drvobj beep
Driver object (81a678f0) is for:
\Driver\Beep
Driver Extension List: (id , addr)

Device Object list:
813fd110


Maybe this field is important (I mean it *could* be an array of pointers to all xxx_OBJECT) :

Directory Object: 82b1c390


The bang command !drvobj is located in those dlls :

Windows 2000 : kdextx86.dll
Windows XP and later : kdexts.dll

For further details on those commands see windbg help.

Dunno if it could help you, but maybe it worth the try.

Regards, Neitsa.
0rp
January 4th, 2005, 20:41
hi,

to get a list of all legacy drivers you can do:

Code:


OBJECT_ATTRIBUTES attributes;

UNICODE_STRING name;

HANDLE directory;

BYTE buf[3000];

DWORD idx, len;



RtlInitUnicodeString(&name, L"\\Driver";

InitializeObjectAttributes(&attributes, &name, OBJ_CASE_INSENSITIVE, NULL, NULL);

ZwOpenDirectoryObject(&directory, DIRECTORY_QUERY, &attributes);

ZwQueryDirectoryObject(directory, buf, sizeof(buf), TRUE, TRUE, &idx, &len);



do

{

	OBJECT_NAMETYPE_INFO *p = (OBJECT_NAMETYPE_INFO *)buf;



	DbgPrint("%S\n", p->ObjectName.Buffer);

}

while(NT_SUCCESS(ZwQueryDirectoryObject(directory, buf, sizeof(buf), TRUE, FALSE, &idx, &len)));





and to retrieve infos about attached deviceobjects:

Code:
DRIVER_OBJECT *driverobj;

UNICODE_STRING name;

DEVICE_OBJECT *device;



RtlInitUnicodeString(&name, L"\\Driver\\atapi";



ObReferenceObjectByName(&name, 0, NULL, 0, *IoDriverObjectType, KernelMode, NULL, &driverobj);



for (device = driverobj->DeviceObject; device != NULL; device = device->NextDevice)

{

	DbgPrint("devobj: %08X\n", device);

}



ObDereferenceObject(driverobj);
Opcode
January 4th, 2005, 20:51
Hi!

I was reading the Valerino's great article at rootkit.com:
http://www.rootkit.com/newsread.php?newsid=209

This article show how to hide a Driver entry in the \Driver directory.

I created a litle driver based in the Valerino article. See the attachment...
Use DebugView to see the list.

It is very similar with the 0rp's code.
I will try the 0rp code to see if I can get the DRIVER_OBJECT address
of each driver.

Thanks for all replies.

Regards,
Opcode
Kayaker
January 5th, 2005, 00:44
That works really nice Opcode. Your code spits out a DRIVER_OBJECT pointer for each driver listed in the global Driver Object directory (WinObj). The pointer matches (naturally) the one from the DEVICE_OBJECT structure which you can get from the Softice DRIVER command. I can definitely make use of this

Thanks for the code examples everyone.

BTW, we allow http:// here, there's a modification to the board to prevent direct clickable links outside the server, so no need for the ugly hxxp://

Cheers,
Kayaker