
patching a sys driver


Shub-nigurrath
November 28th, 2005, 15:10
Hi all,
I read this interesting post
http://www.codeproject.com/system/NoDeleteDelay.asp

and just to start trying to play with drivers I wanted to update the .sys file given with that paper (attached here for those of you not registered on codeproject) for the shell32 given with XP SP2 (the offsets are different: 0xA868E and 0xA86D5).

Well, I took a hex editor and updated the .sys file with the new offsets (see paper), but now it won't load anymore. The driver signature is gone of course, but the question comes: how can I update the driver signature (that's for sure somewhere inside the .sys file) so as to write a "distributable" patch for the sys file?

Summing up, this is the question then: how to patch .sys files on disk?

10x in advance!

doug
November 28th, 2005, 15:18
That's fairly easy to do:

; imagehlp.dll: returns the checksum currently stored in the PE header and the correct one for the file
invoke MapFileAndCheckSum,offset filename,offset mfac_checksum_previous,offset mfac_checksum_new
cmp eax,CHECKSUM_SUCCESS   ; CHECKSUM_SUCCESS = 0; anything else means the file could not be mapped or parsed

Then open the file, seek to the checksum offset, write it (mfac_checksum_new), save, done.

Of course, if you just want to fix this one .sys file, several tools will do that for you (LordPE comes to my mind).

SiGiNT
November 28th, 2005, 15:45
Exactly,

All you need to do is make the checksum match what it is now rather than reporting what it was before the change - LordPE, PETools, and/or the PEiD plug-in can do that for you. This is often a problem when making small changes to Sentinel drivers.

SiGiNT
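As an added example for the procedure doug and SiGiNT describe (recompute the PE header checksum after patching and write it back over IMAGE_OPTIONAL_HEADER.CheckSum), and not code from this thread: a small C tool that does what LordPE's checksum correction or a MapFileAndCheckSum call does, with the word-sum arithmetic reimplemented so it also builds and runs off Windows. The image produced by build_sample_pe() is constructed for the demonstration, not a real driver, and all function names here are mine. Two caveats a practitioner should keep in mind: the header CheckSum is only a mismatch detector that the driver loader enforces, not a signature, so correcting it is all a patched .sys needs on the XP SP2 box in the thread; on 64-bit Vista and later the kernel additionally demands a valid Authenticode signature on the driver, which no checksum fixer can restore.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DOS_E_LFANEW     0x3C  /* IMAGE_DOS_HEADER.e_lfanew: file offset of "PE\0\0" */
#define OPT_HDR_REL      0x18  /* optional header = signature (4) + IMAGE_FILE_HEADER (20) */
#define OPT_CHECKSUM_REL 0x40  /* CheckSum sits at this offset in both PE32 and PE32+ */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* File offset of the CheckSum field, or 0 if the headers are not a sane PE32/PE32+ image. */
size_t pe_checksum_offset(const uint8_t *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t pe = rd32(img + DOS_E_LFANEW);
    if (pe > len - 4 || memcmp(img + pe, "PE\0\0", 4) != 0) return 0;
    size_t opt = (size_t)pe + OPT_HDR_REL;
    if (opt + OPT_CHECKSUM_REL + 4 > len) return 0;
    if (rd16(img + opt) != 0x10b && rd16(img + opt) != 0x20b) return 0;  /* PE32 / PE32+ magic */
    return opt + OPT_CHECKSUM_REL;
}

/* The arithmetic behind imagehlp!CheckSumMappedFile: end-around-carry sum of every 16-bit
 * little-endian word (the four CheckSum bytes counted as zero, an odd trailing byte
 * zero-padded), folded to 16 bits, plus the file length. */
uint32_t pe_compute_checksum(const uint8_t *img, size_t len, size_t cs_off)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i += 2) {
        uint32_t w = 0;
        for (size_t b = 0; b < 2 && i + b < len; b++)
            if (i + b < cs_off || i + b >= cs_off + 4)   /* stored CheckSum counts as zero */
                w |= (uint32_t)img[i + b] << (8 * b);
        sum += w; sum = (sum >> 16) + (sum & 0xFFFF);
    }
    sum = ((sum >> 16) + sum) & 0xFFFF;
    return sum + (uint32_t)len;
}

/* 1 if the stored CheckSum matches the bytes on disk: the test the driver loader applies. */
int pe_checksum_ok(const uint8_t *img, size_t len)
{
    size_t off = pe_checksum_offset(img, len);
    return off != 0 && rd32(img + off) == pe_compute_checksum(img, len, off);
}

/* Overwrite the stored CheckSum with the correct one. Returns the new value, 0 on a bad image. */
uint32_t pe_fix_checksum(uint8_t *img, size_t len)
{
    size_t off = pe_checksum_offset(img, len);
    if (off == 0) return 0;
    uint32_t cs = pe_compute_checksum(img, len, off);
    wr32(img + off, cs);
    return cs;
}

/* Constructed sample (not a real driver): 0x200 bytes of byte pattern with just enough
 * header to be recognised as PE32, so the functions can be exercised without a .sys file. */
size_t build_sample_pe(uint8_t *buf, size_t cap)
{
    const size_t len = 0x200, pe = 0x80;
    if (cap < len) return 0;
    for (size_t i = 0; i < len; i++) buf[i] = (uint8_t)(i * 37 + 11);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + DOS_E_LFANEW, (uint32_t)pe);
    memcpy(buf + pe, "PE\0\0", 4);
    buf[pe + 4] = 0x4c; buf[pe + 5] = 0x01;                          /* Machine: i386 */
    buf[pe + OPT_HDR_REL] = 0x0b; buf[pe + OPT_HDR_REL + 1] = 0x01;  /* Magic: PE32 */
    wr32(buf + pe + OPT_HDR_REL + OPT_CHECKSUM_REL, 0);              /* stale CheckSum */
    return len;
}

/* Runs the sample through the functions above; returns how many of the 5 checks passed. */
int selfcheck(void)
{
    uint8_t buf[0x200]; int passed = 0;
    size_t n = build_sample_pe(buf, sizeof buf);
    passed += (pe_checksum_offset(buf, n) == 0xD8);       /* 0x80 + 0x18 + 0x40 */
    passed += !pe_checksum_ok(buf, n);                     /* zero CheckSum does not match */
    passed += (pe_fix_checksum(buf, n) != 0 && pe_checksum_ok(buf, n));
    buf[0x100] ^= 0x01;                                    /* a one-byte "patch" in the body */
    passed += !pe_checksum_ok(buf, n);                     /* the loader would refuse it now */
    passed += (pe_fix_checksum(buf, n) != 0 && pe_checksum_ok(buf, n));
    return passed;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s patched.sys\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "r+b");
    if (!f) { perror("fopen"); return 1; }
    fseek(f, 0, SEEK_END); long n = ftell(f); rewind(f);
    uint8_t *img = n > 0 ? malloc((size_t)n) : NULL;
    if (!img || fread(img, 1, (size_t)n, f) != (size_t)n) { perror("read"); return 1; }
    size_t off = pe_checksum_offset(img, (size_t)n);
    if (off == 0) { fprintf(stderr, "not a PE32/PE32+ image\n"); return 1; }
    uint32_t old = rd32(img + off), cs = pe_fix_checksum(img, (size_t)n);
    printf("CheckSum at 0x%zx: 0x%08x -> 0x%08x\n", off, old, cs);
    rewind(f);
    return (fwrite(img, 1, (size_t)n, f) == (size_t)n && fclose(f) == 0) ? 0 : 1;
}
```

Build with cc -o pefixsum pefixsum.c and run pefixsum patched.sys after editing the offsets; it rewrites the file in place, so work on a copy. The stored value is treated as zero while summing, which is why the field can be rewritten without changing the result, and why a file whose body you later touch again (as selfcheck() does with one byte) fails the check until it is fixed once more.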

Shub-nigurrath
November 28th, 2005, 16:03
Well, 10x.
I noticed that checksum and also tried to fix it the same way you suggested before posting the question, but the driver refuses to start; it reports a generic ERROR_GEN_FAILURE from StartService, which it was not reporting before.
This led me to think that there should be something else... but after some tests I realized that I was doing something wrong, so OK, what you say is the answer. Good.

10x a lot

nig
December 4th, 2005, 06:02
I like using LordPE.
It can calculate the checksum well.

Take care when coding, else the screen is blue.