Writing a Device driver - specified device driver is invalid
R.Wieser
2018-09-16 09:12:16 UTC
Hello all,

I've been trying to create a device-driver for a couple of days now, but no
matter what I do I cannot seem to write one that's accepted by the OS :-(

I've been following several tutorials quite closely, but none of them gave
me the desired result. The last tut was this one:

https://www.codeproject.com/Articles/9504/Driver-Development-Part-1-Introduction-to-Drivers

I've been trying to run it using sc.exe (using as little code of my own hand
as possible), but in the end I also tried the code at the bottom of the
article (if only to see if sc.exe and it behaved differently). Alas,
StartService returned the same errorcode.


I've got a few problems here:
1) I cannot find any documentation on what the header of a generated
device-driver executable should look like.
2) I cannot find an example driver to compare my generated driver against.
3) I'm programming in Assembly, meaning that I really have to do
*everything* myself.

I did disassemble a few drivers I have on my system (Beep, Serial,
DLPortIO), but am not even sure if any of those are of the same kind as the
one I'm trying to create (kernel, userland, WDM style, other?).

Help ?

Regards,
Rudy Wieser

P.s.
If needed I can email sourcecode and/or the resulting driver.
R.Wieser
2018-09-16 12:01:14 UTC
Post by R.Wieser
Hello all,
I've been trying to create a device-driver for a couple of days now, but
no matter what I do I cannot seem to write one that's accepted by the OS
:-(
Well, as so often posting a problem is almost directly followed by its
solution (I bet you that someone up there is again laughing his ass off).

While googling what the difference between a "native" and a "windowed"
subsystem would be (other than the "SubSystem" value in the PE headers) I
ran across a mention that a device driver *must* have a valid checksum.

And what do you know, when I calculated and applied it to my first driver
(which I had modified to kingdom come to get a peep out of it) and re-ran it
my 'puter crashed. Victory! :-D

After that I started a later driver (which strictly followed the tutorial);
it loaded and unloaded without a problem - *AND* I saw some DbgPrint appear!

It looks like the reason I didn't see anything appear is that DbgPrint was
never called because the driver was rejected (one way or another) even
before calling its entrypoint.

So, two problems solved for the price of one. :-)

Regards,
Rudy Wieser
Apd
2018-09-16 12:49:02 UTC
Post by R.Wieser
Well, as so often posting a problem is almost directly followed by its
solution (I bet you that someone up there is again laughing his ass off).
I'm glad you solved it.
Post by R.Wieser
While googling what the difference between a "native" and a "windowed"
subsystem would be (other than the "SubSystem" value in the PE headers) I
ran across a mention that a device driver *must* have a valid checksum.
My other post (before I read this) is now redundant.
Post by R.Wieser
And what do you know, when I calculated and applied it to my first driver
(which I had modified to kingdom come to get a peep out of it) and re-ran it
my 'puter crashed. Victory! :-D
After that I started a later driver (which strictly followed the tutorial);
it loaded and unloaded without a problem - *AND* I saw some DbgPrint appear!
It looks like the reason I didn't see anything appear is that DbgPrint was
never called because the driver was rejected (one way or another) even
before calling its entrypoint.
So, two problems solved for the price of one. :-)
Happy days!
Apd
2018-09-16 12:42:41 UTC
Post by R.Wieser
I've been trying to create a device-driver for a couple of days now, but no
matter what I do I cannot seem to write one that's accepted by the OS :-(
You don't say which OS. I believe drivers for later systems than XP
must be signed.
Post by R.Wieser
I've been following several tutorials quite closely, but none of them gave
https://www.codeproject.com/Articles/9504/Driver-Development-Part-1-Introduction-to-Drivers
There are 6 parts to that tutorial which I saved some years ago (so
it's perhaps quite good!).

Disclaimer: I have never written a driver but do (used to) understand
somewhat how they work. I wrote a program to be able to load native
executables (kernel mode drivers) in user mode for the purpose of
stepping through the code in OllyDbg (naturally, I had to step over or
modify privileged instructions). This was a few years ago when I was
analysing malware.
Post by R.Wieser
I've been trying to run it using sc.exe (using as little code of my own hand
as possible), but in the end I also tried the code at the bottom of the
article (if only to see if sc.exe and it behaved differently). Alas,
StartService returned the same errorcode.
1) I cannot find any documentation on what the header of a generated
device-driver executable should look like.
Do you mean the PE header of the executable (.sys) file?
If so, you must set the checksum in the optional header for the driver
to be able to load. I don't recall how it's calculated but there are
utilities available to do it. You should also set the subsystem field
to 1 (native).
Post by R.Wieser
2) I cannot find an example driver to compare my generated driver against.
3) I'm programming in Assembly, meaning that I really have to do
*everything* myself.
Another thing is that any imports specified must be ntoskrnl.exe,
hal.dll or other drivers (e.g. ndis.sys for networking). You can't
import from user-mode dlls like kernel32.
Post by R.Wieser
I did disassemble a few drivers I have on my system (Beep, Serial,
DLPortIO), but am not even sure if any of those are of the same kind as the
one I'm trying to create (kernel, userland,WDM style, other?).
Beep.sys and others in system32\drivers are kernel drivers. I'm not
sure about the styles (WDM) but I think they are ways of simplifying
coding. The DriverEntry routine and setup of the driver object should
be the same at the lowest level.

The newsgroup comp.os.ms-windows.programmer.nt.kernel-mode is for
driver development, although it's pretty quiet.
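The two header requirements Apd lists (a correct CheckSum and Subsystem = 1) are easy to check from user mode before trying to load a .sys. The following is an added example, not code from the thread or the CodeProject tutorial: the checksum routine follows the algorithm generally documented for imagehlp's CheckSumMappedFile (16-bit ones'-complement sum of the file with the 4-byte CheckSum field skipped, then the file length added), and the image it builds is a constructed, headers-only PE32 with no sections so the program runs without a real driver on disk. The import-table check Apd also mentions is not covered here.

```c
#include <assert.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_SUBSYSTEM_NATIVE 1        /* the "1 (native)" value from the post */
#define OPT_HDR_CHECKSUM_OFF   0x40     /* CheckSum: same offset in PE32 and PE32+ */
#define OPT_HDR_SUBSYSTEM_OFF  0x44     /* Subsystem (WORD) */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* MZ header -> e_lfanew -> "PE\0\0" -> 20-byte file header -> optional header.
 * Returns the optional header offset, or -1 if the headers are malformed/short. */
static long optional_header_offset(const uint8_t *img, size_t len) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe = rd32(img + 0x3c);
    if (pe > len || len - pe < 4 + 20 + OPT_HDR_SUBSYSTEM_OFF + 2) return -1;
    if (memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    return (long)pe + 4 + 20;
}

/* 16-bit words summed with end-around carry, the CheckSum field's two words
 * skipped, an odd trailing byte zero-padded, and the file length added last. */
uint32_t pe_checksum(const uint8_t *img, size_t len, size_t checksum_off) {
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i += 2) {
        if (i == checksum_off || i == checksum_off + 2) continue;
        uint32_t w = img[i];
        if (i + 1 < len) w |= (uint32_t)img[i + 1] << 8;
        sum += w;
        sum = (sum & 0xffff) + (sum >> 16);
    }
    sum = (sum & 0xffff) + (sum >> 16);
    return sum + (uint32_t)len;
}

/* 1 when the stored CheckSum equals the recomputed one; 0 otherwise or if malformed. */
int pe_verify_checksum(const uint8_t *img, size_t len) {
    long oh = optional_header_offset(img, len);
    if (oh < 0) return 0;
    size_t off = (size_t)oh + OPT_HDR_CHECKSUM_OFF;
    return rd32(img + off) == pe_checksum(img, len, off);
}

/* Writes the correct CheckSum into the optional header; 1 on success. */
int pe_apply_checksum(uint8_t *img, size_t len) {
    long oh = optional_header_offset(img, len);
    if (oh < 0) return 0;
    size_t off = (size_t)oh + OPT_HDR_CHECKSUM_OFF;
    wr32(img + off, pe_checksum(img, len, off));
    return 1;
}

/* 1 when Subsystem == IMAGE_SUBSYSTEM_NATIVE. */
int pe_is_native(const uint8_t *img, size_t len) {
    long oh = optional_header_offset(img, len);
    return oh >= 0 && rd16(img + (size_t)oh + OPT_HDR_SUBSYSTEM_OFF) == IMAGE_SUBSYSTEM_NATIVE;
}

#define MIN_PE_LEN 0x200
/* Constructed headers-only PE32 image (no sections, CheckSum = 0). */
size_t build_min_pe(uint8_t *buf, uint16_t subsystem) {
    memset(buf, 0, MIN_PE_LEN);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3c, 0x80);                         /* e_lfanew */
    memcpy(buf + 0x80, "PE\0\0", 4);
    uint8_t *fh = buf + 0x84;                       /* IMAGE_FILE_HEADER */
    fh[0] = 0x4c; fh[1] = 0x01;                     /* Machine = i386 */
    fh[16] = 224; fh[17] = 0;                       /* SizeOfOptionalHeader (PE32) */
    uint8_t *oh = buf + 0x98;                       /* IMAGE_OPTIONAL_HEADER32 */
    oh[0] = 0x0b; oh[1] = 0x01;                     /* Magic = PE32 */
    oh[OPT_HDR_SUBSYSTEM_OFF] = (uint8_t)subsystem;
    oh[OPT_HDR_SUBSYSTEM_OFF + 1] = (uint8_t)(subsystem >> 8);
    return MIN_PE_LEN;
}

/* Round trip: a fresh native image fails verification (CheckSum = 0) and
 * passes once the checksum is applied. Returns 1 when both hold. */
int example_roundtrip(void) {
    uint8_t img[MIN_PE_LEN];
    size_t n = build_min_pe(img, IMAGE_SUBSYSTEM_NATIVE);
    int before = pe_verify_checksum(img, n);
    pe_apply_checksum(img, n);
    return before == 0 && pe_verify_checksum(img, n) && pe_is_native(img, n);
}

/* Known-answer inputs: all-zero data sums to its own length; words {1, 2} with
 * the second one skipped as the CheckSum field give 1 + 8. */
const uint8_t kZeros[32] = {0};
const uint8_t kTwoWords[8] = {1, 0, 0, 0, 2, 0, 0, 0};

int main(void) {
    printf("roundtrip ok=%d, zeros=%u, twowords=%u\n", example_roundtrip(),
           pe_checksum(kZeros, 32, 8), pe_checksum(kTwoWords, 8, 4));
    return 0;
}
```

To use it on a real file, read the whole .sys into memory and call pe_verify_checksum (or pe_apply_checksum before writing it back); the optional header offset is taken from e_lfanew rather than assumed, so the layout of the constructed image is not baked into the checks.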
R.Wieser
2018-09-16 13:42:27 UTC
Apd,
Post by Apd
You don't say which OS.
My apologies, I forgot. The OS I'm working with is XP SP3.
Post by Apd
There are 6 parts to that tutorial which I saved some years ago
(so it's perhaps quite good!).
It sure does look good (apart from hiding source code behind a "you must be a
member" lock). But as it's written for C{something} it misses low-level
details that I, as an Assembly programmer, need.
Post by Apd
Do you mean the PE header of the executable (.sys) file?
Yep.
Post by Apd
If so, you must set the checksum in the optional header for the
driver to be able to load.
Yep. That's what I, much too late, found out. I *knew* PE executables have
checksums, but as they are normally set to zero I forgot all about them.
Post by Apd
Another thing is that any imports specified must be ntoskrnl.exe,
I noticed that when I took a peek in a few drivers. And together with the
"native" setting it made sense to me.
Post by Apd
I'm not sure about the styles (WDM) but I think they are ways of
simplifying coding.
I assumed as much, but did not (yet) find an article mentioning their actual
differences (on code level). It made my "what is going wrong?" searches
difficult.
Post by Apd
The newsgroup comp.os.ms-windows.programmer.nt.kernel-mode
is for driver development, although it's pretty quiet.
Currently just a single message. But I'll just lurk there for a while, to
see what level the people there are (I'm a hobbyist).
Post by Apd
I'm glad you solved it.
That makes two of us.
Post by Apd
My other post (before I read this) is now redundant.
Better a bit of redundancy than having nothing (to fall back on) at all.

And I did forget to say "thank you", didn't I? Well, thank you. :-)
Post by Apd
Happy days!
Exactly.

Now let's see what other interesting problems I'll encounter ...

Regards,
Rudy Wieser
R.Wieser
2018-09-17 17:41:34 UTC
Apd (and others),
Post by Apd
Post by R.Wieser
https://www.codeproject.com/Articles/9504/Driver-Development-Part-1-Introduction-to-Drivers
There are 6 parts to that tutorial which I saved some years ago (so
it's perhaps quite good!).
Just a heads-up:

When I ran the WriteDirectIO code as-is (though without the "display the
received string" part) any first write works, but a second one causes the
'puter to crash/reboot. And what's more, it even happens when the driver is
unloaded and reloaded again. (Whut?)

It turns out that the IRP_MJ_WRITE needs to contain an "IoCompleteRequest"
call (likely to release resources).

Another thing is that the "WriteFile" (in a testing program) shows a result
of zero bytes written.
That's because the "Information" field in the IRP's "IoStatus" record has to
be filled with the amount of bytes accepted (normally with the ByteCount in
the current MDL).

And that's just IRP_MJ_WRITE. Now let's see what problems IRP_MJ_READ is
going to cause. :-)

Regards,
Rudy Wieser
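The two IRP_MJ_WRITE rules in the post (every IRP the dispatch routine receives must be completed with IoCompleteRequest, and IoStatus.Information must carry the accepted byte count, which is what WriteFile reports) can be exercised outside the kernel with a small test double for the I/O manager. The code below is an added example, not code from the thread or the CodeProject tutorial. The NTSTATUS, IRP, MDL and DEVICE_OBJECT definitions and the IoCompleteRequest, MmGetSystemAddressForMdlSafe and MmGetMdlByteCount functions are constructed stand-ins that keep only the fields the handlers touch; they are not the ntddk.h declarations, and the model shows the uncompleted IRP and the zero byte count, not the crash that follows in a real kernel.

```c
#include <assert.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ---- constructed stand-ins for the DDK types used below (not ntddk.h) ---- */
typedef long NTSTATUS;
#define STATUS_SUCCESS     ((NTSTATUS)0)
#define IO_NO_INCREMENT    0
#define NormalPagePriority 16

typedef struct _MDL { uint32_t ByteCount; void *SystemVa; } MDL, *PMDL;
typedef struct _DEVICE_OBJECT { int unused; } DEVICE_OBJECT, *PDEVICE_OBJECT;
typedef struct _IRP {
    struct { NTSTATUS Status; uintptr_t Information; } IoStatus;
    PMDL MdlAddress;
    int completed;          /* model bookkeeping: set by IoCompleteRequest */
} IRP, *PIRP;

/* In the kernel this hands the IRP back to the I/O manager, which frees it and
 * lets the caller's WriteFile return; the model only records that it happened. */
static void IoCompleteRequest(PIRP Irp, char PriorityBoost) { (void)PriorityBoost; Irp->completed = 1; }
static void *MmGetSystemAddressForMdlSafe(PMDL Mdl, int Priority) { (void)Priority; return Mdl->SystemVa; }
static uint32_t MmGetMdlByteCount(PMDL Mdl) { return Mdl->ByteCount; }

/* Sink for the written bytes so the handlers do real work on the buffer. */
static char g_received[64];

/* Direct-I/O write handler with the two omissions the post describes: the IRP
 * is never completed and IoStatus.Information stays 0. */
NTSTATUS WriteDirectIO_Broken(PDEVICE_OBJECT DeviceObject, PIRP Irp) {
    (void)DeviceObject;
    char *buf = MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority);
    if (buf) {
        uint32_t n = MmGetMdlByteCount(Irp->MdlAddress);
        memcpy(g_received, buf, n < sizeof g_received ? n : sizeof g_received);
    }
    Irp->IoStatus.Status = STATUS_SUCCESS;
    return STATUS_SUCCESS;
}

/* Same handler with both fixes: Information takes the MDL byte count and the
 * IRP is completed before the dispatch routine returns. */
NTSTATUS WriteDirectIO_Fixed(PDEVICE_OBJECT DeviceObject, PIRP Irp) {
    (void)DeviceObject;
    char *buf = MmGetSystemAddressForMdlSafe(Irp->MdlAddress, NormalPagePriority);
    uint32_t n = 0;
    if (buf) {
        n = MmGetMdlByteCount(Irp->MdlAddress);
        memcpy(g_received, buf, n < sizeof g_received ? n : sizeof g_received);
    }
    Irp->IoStatus.Status = STATUS_SUCCESS;
    Irp->IoStatus.Information = n;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

typedef NTSTATUS (*PDRIVER_DISPATCH)(PDEVICE_OBJECT, PIRP);

/* Model of the WriteFile path: build an MDL and IRP for the caller's buffer,
 * call the dispatch routine, report Information as bytes written once the IRP
 * is completed, and flag an IRP the driver returned without completing. */
size_t SimulateWriteFile(PDRIVER_DISPATCH dispatch, const char *data, size_t len, int *leaked) {
    MDL mdl = { (uint32_t)len, (void *)data };
    IRP irp; memset(&irp, 0, sizeof irp);
    irp.MdlAddress = &mdl;
    DEVICE_OBJECT dev = {0};
    dispatch(&dev, &irp);
    *leaked = !irp.completed;
    return irp.completed ? (size_t)irp.IoStatus.Information : 0;
}

/* Wrappers on a fixed constructed input so each outcome is a return value. */
size_t bytes_written(PDRIVER_DISPATCH d) { int l; return SimulateWriteFile(d, "hello", 5, &l); }
int irp_leaked(PDRIVER_DISPATCH d) { int l; SimulateWriteFile(d, "hello", 5, &l); return l; }

int main(void) {
    printf("broken: %zu bytes written, IRP leaked=%d\n",
           bytes_written(WriteDirectIO_Broken), irp_leaked(WriteDirectIO_Broken));
    printf("fixed:  %zu bytes written, IRP leaked=%d, received=\"%.5s\"\n",
           bytes_written(WriteDirectIO_Fixed), irp_leaked(WriteDirectIO_Fixed), g_received);
    return 0;
}
```

The same double serves as a template for IRP_MJ_READ: a read handler must likewise fill Information with the bytes it produced and complete the IRP, and a test that flags an uncompleted IRP catches the omission on the host instead of on a rebooting machine.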
