
DRIVER_OBJECT structures list


Opcode
January 4th, 2005, 15:14
Hi!

I'm trying to find a way to get a list of all DRIVER_OBJECT structure addresses of the drivers loaded in the kernel.
SoftICE knows how to get the list, but I don't.

The PsLoadedModuleList variable was not useful to me.

Maybe some reverser knows how to generate this list.
It is practically the same as getting the list of DEVICE_OBJECT structures.

Thanks in advance for any help.

Regards,
Opcode

Kayaker
January 4th, 2005, 15:37
Hi Opcode,

Funny, I've been thinking about doing that exact same thing, I wanted to try to get the addresses of the IRP_MJxx functions (and other info) from the DRIVER_OBJECT structure for all loaded modules. I thought PsLoadedModuleList might be the way in too... I'd had a quick look at the Softice DRIVER command for the answer but apparently never shouted "Eureka!" Interesting question.

Regards,
Kayaker

Kayaker
January 4th, 2005, 18:28
Hi

Just quickly, looking again at the Softice c_Driver function, after initially parsing the command window text with the driver name, Sice apparently uses ZwOpenDirectoryObject in a subfunction. That would seem to be the key to developing a routine.


Code:

:000105FE _c_Driver3 proc near ; CODE XREF: sub_2C904+1Dp
:000105FE ; _c_Driver9+3B
:000105FE
:000105FE ObjectAttributes= OBJECT_ATTRIBUTES ptr -24h
:000105FE var_C = dword ptr -0Ch
:000105FE Handle = dword ptr -4
:000105FE
:000105FE push ebp
:000105FF mov ebp, esp
:00010601 sub esp, 24h
:00010604 mov eax, Object
:00010609 push esi
:0001060A xor esi, esi
:0001060C cmp eax, esi
:0001060E jnz short loc_1067D
:00010610 push offset dword_105FA ; dd 5C = unicode 0, <\>,0
:00010615 lea eax, [ebp+var_C]
:00010618 push eax
:00010619 call ds:RtlInitUnicodeString_0
:0001061F lea eax, [ebp+var_C]
:00010622 mov [ebp+ObjectAttributes.ObjectName], eax
:00010625 lea eax, [ebp+ObjectAttributes]
:00010628 push eax ; ObjectAttributes
:00010629 push 1 ; DesiredAccess
:0001062B lea eax, [ebp+Handle]
:0001062E push eax ; DirectoryHandle
:0001062F mov [ebp+ObjectAttributes.Length], 18h
:00010636 mov [ebp+ObjectAttributes.RootDirectory], esi
:00010639 mov [ebp+ObjectAttributes.Attributes], 40h
:00010640 mov [ebp+ObjectAttributes.SecurityDescriptor], esi
:00010643 mov [ebp+ObjectAttributes.SecurityQualityOfService], esi
:00010646 call ds:ZwOpenDirectoryObject
:0001064C test eax, eax
:0001064E jnz short loc_10678
:00010650 push esi ; HandleInformation
:00010651 push offset Object ; Object
:00010656 push esi ; AccessMode
:00010657 push esi ; ObjectType
:00010658 push 1 ; DesiredAccess
:0001065A push [ebp+Handle] ; Handle
:0001065D call ds:ObReferenceObjectByHandle
:00010663 mov ecx, Object
:00010669 call ds:ObfDereferenceObject
:0001066F push [ebp+Handle] ; Handle
:00010672 call ds:ZwClose
:00010678
:00010678 loc_10678: ; CODE XREF: _c_Driver3+50j
:00010678 mov eax, Object
:0001067D
:0001067D loc_1067D: ; CODE XREF: _c_Driver3+10j
:0001067D pop esi
:0001067E leave
:0001067F retn
:0001067F _c_Driver3 endp

Neitsa
January 4th, 2005, 19:52
Hello,

Maybe a good way to have a DRIVER_OBJECT list is to disassemble KD (kernel debugger from debugging tools) and its DLLs.


Listing all drivers:

Quote:

kd> !object \device
Object: 82b18030 Type: (82b1c040) Directory
ObjectHeader: 82b18018
HandleCount: 0 PointerCount: 253
Directory Object: 82b1c390 Name: Device
13 symbolic links snapped through this directory
HashBucket[ 00 ]: 82a7faf0 Device 'KsecDD'
82ae0cd0 Device 'HarddiskVolume12'
82a7ead0 Device 'Ndis'
810d08d0 Device 'AdiUsbAdsl'
813fd110 Device 'Beep'
[cut]


retrieving DRIVER_OBJECT struct for a particular driver:

Quote:

kd> !drvobj beep
Driver object (81a678f0) is for:
\Driver\Beep
Driver Extension List: (id , addr)

Device Object list:
813fd110


Maybe this field is important (I mean it *could* be an array of pointers to all xxx_OBJECT) :

Directory Object: 82b1c390


The bang command !drvobj is located in those dlls :

Windows 2000 : kdextx86.dll
Windows XP and later : kdexts.dll

For further details on those commands see windbg help.

Dunno if it could help you, but maybe it's worth a try.

Regards, Neitsa.

0rp
January 4th, 2005, 20:41
hi,

to get a list of all legacy drivers you can do:

Code:

/* Declarations the public WDK headers do not provide: ZwQueryDirectoryObject
 * is exported by ntoskrnl but undocumented, and the struct below is the layout
 * of the entries it returns (one UNICODE_STRING pair per object). */
#include <ntddk.h>
NTSYSCALLAPI NTSTATUS NTAPI ZwQueryDirectoryObject(HANDLE, PVOID, ULONG, BOOLEAN, BOOLEAN, PULONG, PULONG);
typedef struct { UNICODE_STRING ObjectName; UNICODE_STRING ObjectType; } OBJECT_NAMETYPE_INFO;

OBJECT_ATTRIBUTES attributes;
UNICODE_STRING name;
HANDLE directory;
UCHAR buf[3000];        /* holds one entry per call; stays on the kernel stack, so keep it modest */
ULONG idx = 0, len;
NTSTATUS status;

RtlInitUnicodeString(&name, L"\\Driver");
InitializeObjectAttributes(&attributes, &name, OBJ_CASE_INSENSITIVE, NULL, NULL);
status = ZwOpenDirectoryObject(&directory, DIRECTORY_QUERY, &attributes);
if (NT_SUCCESS(status))
{
    /* RestartScan is TRUE on the first call and FALSE afterwards; idx carries the position */
    status = ZwQueryDirectoryObject(directory, buf, sizeof(buf), TRUE, TRUE, &idx, &len);
    while (NT_SUCCESS(status))
    {
        OBJECT_NAMETYPE_INFO *p = (OBJECT_NAMETYPE_INFO *)buf;

        /* %wZ prints a counted UNICODE_STRING; the buffer is not guaranteed to be NUL-terminated */
        DbgPrint("%wZ\n", &p->ObjectName);
        status = ZwQueryDirectoryObject(directory, buf, sizeof(buf), TRUE, FALSE, &idx, &len);
    }
    ZwClose(directory);
}





and to retrieve info about attached device objects:

Code:

#include <ntddk.h>
/* Exported by ntoskrnl but not declared in the public headers */
NTKERNELAPI NTSTATUS ObReferenceObjectByName(PUNICODE_STRING ObjectName, ULONG Attributes,
    PACCESS_STATE AccessState, ACCESS_MASK DesiredAccess, POBJECT_TYPE ObjectType,
    KPROCESSOR_MODE AccessMode, PVOID ParseContext, PVOID *Object);
extern POBJECT_TYPE *IoDriverObjectType;

DRIVER_OBJECT *driverobj;
UNICODE_STRING name;
DEVICE_OBJECT *device;

RtlInitUnicodeString(&name, L"\\Driver\\atapi");

if (NT_SUCCESS(ObReferenceObjectByName(&name, 0, NULL, 0, *IoDriverObjectType,
                                       KernelMode, NULL, (PVOID *)&driverobj)))
{
    /* DeviceObject heads the driver's device list, chained through NextDevice.
       The walk takes no lock, so on a live system the list can change underneath it. */
    for (device = driverobj->DeviceObject; device != NULL; device = device->NextDevice)
    {
        DbgPrint("devobj: %p\n", device);
    }

    ObDereferenceObject(driverobj);
}

Opcode
January 4th, 2005, 20:51
Hi!

I was reading the Valerino's great article at rootkit.com:
http://www.rootkit.com/newsread.php?newsid=209

This article shows how to hide a Driver entry in the \Driver directory.

I created a little driver based on Valerino's article. See the attachment...
Use DebugView to see the list.

It is very similar to 0rp's code.
I will try 0rp's code to see if I can get the DRIVER_OBJECT address
of each driver.

Thanks for all replies.

Regards,
Opcode

Kayaker
January 5th, 2005, 00:44
That works really nice Opcode. Your code spits out a DRIVER_OBJECT pointer for each driver listed in the global Driver Object directory (WinObj). The pointer matches (naturally) the one from the DEVICE_OBJECT structure which you can get from the Softice DRIVER command. I can definitely make use of this

Thanks for the code examples everyone.

BTW, we allow http:// here, there's a modification to the board to prevent direct clickable links outside the server, so no need for the ugly hxxp://

Cheers,
Kayaker
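Pulling the thread's pieces together, here is an added example of mine (not code from the thread, and not Valerino's or SoftICE's): 0rp's walk of \Driver, Neitsa's view through \Device, and the IRP_MJ table Kayaker was after, combined into one cross-view sweep. A driver unlinked from \Driver the way the rootkit.com article describes is still reachable from any named device it owns, so comparing the two views exposes it, and comparing each MajorFunction entry against the driver's own image range (DriverStart/DriverSize) flags dispatch-table hooks. Everything that touches the kernel sits behind a DRVLIST_KERNEL define so the record table and its two checks build and run on any C compiler; the names here (drv_record, drv_walk_dir, the hand-written prototypes for ZwQueryDirectoryObject and ObReferenceObjectByName, the DRV_DIR_ENTRY layout) are this example's own assumptions, and the test records are constructed addresses, not real ones.

```c
/* Cross-view sweep of DRIVER_OBJECTs (added example, not code from the thread).
 * Portable part: a record table plus two checks. Kernel part (build with
 * -DDRVLIST_KERNEL in a WDK project): DriverEntry fills the table from the
 * live \Driver and \Device directories. All names are this example's own. */
#include <stddef.h>
#include <stdint.h>

#define DRV_MAX_RECORDS 512
#define DRV_MJ_SLOTS    28           /* IRP_MJ_MAXIMUM_FUNCTION + 1 */

typedef struct {
    const void *object;              /* DRIVER_OBJECT address */
    uintptr_t   start, size;         /* DriverStart / DriverSize (image range) */
    uintptr_t   mj[DRV_MJ_SLOTS];    /* copy of MajorFunction[] */
    int in_driver_dir;               /* found by name under \Driver */
    int owns_named_device;           /* reached from a DEVICE_OBJECT under \Device */
} drv_record;

typedef struct { drv_record r[DRV_MAX_RECORDS]; int n; } drv_table;

/* One record per DRIVER_OBJECT address, whichever view sees it first. */
static drv_record *drv_find_or_add(drv_table *t, const void *drvobj)
{
    static const drv_record zero;
    for (int i = 0; i < t->n; i++)
        if (t->r[i].object == drvobj) return &t->r[i];
    if (t->n == DRV_MAX_RECORDS) return NULL;
    drv_record *rec = &t->r[t->n++];
    *rec = zero;
    rec->object = drvobj;
    return rec;
}

/* Dispatch entries outside the driver's own image are suspect (a table hook),
 * except the I/O manager's default handler, which lives in ntoskrnl. */
static int drv_count_foreign_dispatch(const drv_record *rec, uintptr_t default_dispatch)
{
    int foreign = 0;
    for (int i = 0; i < DRV_MJ_SLOTS; i++) {
        uintptr_t p = rec->mj[i];
        if (p == 0 || p == default_dispatch) continue;
        if (p < rec->start || p >= rec->start + rec->size) foreign++;
    }
    return foreign;
}

/* A driver reachable from one of its devices but absent from \Driver has been
 * unlinked from the directory (the hiding trick discussed in the thread). */
static int drv_count_hidden(const drv_table *t)
{
    int hidden = 0;
    for (int i = 0; i < t->n; i++)
        if (t->r[i].owns_named_device && !t->r[i].in_driver_dir) hidden++;
    return hidden;
}

#ifdef DRVLIST_KERNEL
#include <ntddk.h>
/* Undocumented exports, prototypes declared by hand (assumed layout for the entries). */
NTSYSCALLAPI NTSTATUS NTAPI ZwQueryDirectoryObject(HANDLE, PVOID, ULONG, BOOLEAN, BOOLEAN, PULONG, PULONG);
NTKERNELAPI NTSTATUS ObReferenceObjectByName(PUNICODE_STRING, ULONG, PACCESS_STATE, ACCESS_MASK,
                                             POBJECT_TYPE, KPROCESSOR_MODE, PVOID, PVOID *);
extern POBJECT_TYPE *IoDriverObjectType, *IoDeviceObjectType;
typedef struct { UNICODE_STRING Name, TypeName; } DRV_DIR_ENTRY;  /* OBJECT_DIRECTORY_INFORMATION */

static drv_table g_table;

/* Enumerate one directory; open each entry of the wanted type by its full name and record its driver. */
static void drv_walk_dir(PCWSTR dir, PCWSTR type, POBJECT_TYPE *objtype, int via_device)
{
    UNICODE_STRING udir, utype, full; OBJECT_ATTRIBUTES oa; HANDLE h; PVOID obj;
    ULONG ctx = 0, len; WCHAR buf[512], name[260];
    RtlInitUnicodeString(&udir, dir); RtlInitUnicodeString(&utype, type);
    InitializeObjectAttributes(&oa, &udir, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
    if (!NT_SUCCESS(ZwOpenDirectoryObject(&h, DIRECTORY_QUERY, &oa))) return;
    while (NT_SUCCESS(ZwQueryDirectoryObject(h, buf, sizeof buf, TRUE, FALSE, &ctx, &len))) {
        DRV_DIR_ENTRY *e = (DRV_DIR_ENTRY *)buf;
        if (!RtlEqualUnicodeString(&e->TypeName, &utype, TRUE)) continue;   /* skips symbolic links */
        RtlInitEmptyUnicodeString(&full, name, sizeof name);
        RtlAppendUnicodeToString(&full, dir); RtlAppendUnicodeToString(&full, L"\\");
        RtlAppendUnicodeStringToString(&full, &e->Name);
        if (!NT_SUCCESS(ObReferenceObjectByName(&full, OBJ_CASE_INSENSITIVE, NULL, 0, *objtype,
                                                KernelMode, NULL, &obj))) continue;
        PDRIVER_OBJECT d = via_device ? ((PDEVICE_OBJECT)obj)->DriverObject : (PDRIVER_OBJECT)obj;
        drv_record *rec = drv_find_or_add(&g_table, d);
        if (rec) {
            rec->start = (uintptr_t)d->DriverStart; rec->size = d->DriverSize;
            for (int i = 0; i < DRV_MJ_SLOTS; i++) rec->mj[i] = (uintptr_t)d->MajorFunction[i];
            if (via_device) rec->owns_named_device = 1; else rec->in_driver_dir = 1;
        }
        ObDereferenceObject(obj);
    }
    ZwClose(h);
}

/* One-shot sweep: report, then fail DriverEntry so the driver is unloaded at once.
 * The I/O manager fills every MajorFunction slot with its default handler before
 * DriverEntry runs, so our own slot 0 gives the address to whitelist. */
NTSTATUS DriverEntry(PDRIVER_OBJECT self, PUNICODE_STRING reg)
{
    uintptr_t dflt = (uintptr_t)self->MajorFunction[IRP_MJ_CREATE];
    UNREFERENCED_PARAMETER(reg);
    drv_walk_dir(L"\\Driver", L"Driver", IoDriverObjectType, 0);
    drv_walk_dir(L"\\Device", L"Device", IoDeviceObjectType, 1);
    for (int i = 0; i < g_table.n; i++) {
        const drv_record *r = &g_table.r[i];
        DbgPrint("DRIVER_OBJECT %p image %p+%lx dir=%d dev=%d foreign_mj=%d\n", r->object,
                 (PVOID)r->start, (ULONG)r->size, r->in_driver_dir, r->owns_named_device,
                 drv_count_foreign_dispatch(r, dflt));
    }
    DbgPrint("drivers hidden from \\Driver: %d\n", drv_count_hidden(&g_table));
    return STATUS_UNSUCCESSFUL;
}
#endif
```

Two caveats a practitioner should keep in mind. The cross-view only catches a driver that still owns a named device; one with only unnamed devices, or none at all, needs a third view (PsLoadedModuleList, which Opcode found unhelpful for addresses but which does list images, or a scan of non-paged pool for DRIVER_OBJECT headers). And the image-range test sees only table hooks: a hook that patches the first bytes of the real dispatch routine leaves the MajorFunction entry pointing inside the image and passes unnoticed, so the table check should be paired with a byte-level comparison of the dispatch prologues against the on-disk image. Like 0rp's snippets, the walk takes no locks, which is acceptable for a one-shot debug sweep but not for anything that runs while drivers load and unload.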