"Obviously, LoadLibraryEx() succeeds, and the hex dumps of the
reported load address 0x007A0000 preceding and following this API call prove
that this memory region is initially unused but contains a DOS header afterward."
From SVEN B. SCHREIBER's undocumented W2k.

My question is: can we load a kernel-mode driver into user-mode address space?

Re: Load a kernel-mode device driver by Alexander

Alexander
Tue Jan 03 23:14:24 CST 2006

Of course, if you create dummies for all the DLLs (NTOSKRNL, etc) it's
linked against. Then what?

"SLASH" <SLASH@discussions.microsoft.com> wrote in message
news:0E42E565-E1CC-4C02-AAF3-49A65ACCD550@microsoft.com...
> "Obviously, LoadLibraryEx() succeeds, and the hex dumps of the
> reported load address 0x007A0000 preceding and following this API call
> prove that this memory region is initially unused but contains a DOS header
> afterward."
> From SVEN B. SCHREIBER's undocumented W2k.
>
> My question is: can we load a kernel-mode driver into user-mode address space?



Re: Load a kernel-mode device driver by pavel_a

pavel_a
Wed Jan 04 04:15:03 CST 2006

"Alexander Grigoriev" wrote:
> Of course, if you create dummies for all the DLLs (NTOSKRNL, etc) it's
> linked against. Then what?

Or use LOAD_LIBRARY_AS_DATAFILE...

--PA

> "SLASH" <SLASH@discussions.microsoft.com> wrote in message
> news:0E42E565-E1CC-4C02-AAF3-49A65ACCD550@microsoft.com...
> > "Obviously, LoadLibraryEx() succeeds, and the hex dumps of the
> > reported load address 0x007A0000 preceding and following this API call
> > prove that this memory region is initially unused but contains a DOS header
> > afterward."
> > From SVEN B. SCHREIBER's undocumented W2k.
> >
> > My question is: can we load a kernel-mode driver into user-mode address space?


Re: Load a kernel-mode device driver by SLASH

SLASH
Wed Jan 04 04:48:03 CST 2006

Then how about loading a real kernel-mode driver?

"Alexander Grigoriev" wrote:

> Of course, if you create dummies for all the DLLs (NTOSKRNL, etc) it's
> linked against. Then what?
>
> "SLASH" <SLASH@discussions.microsoft.com> wrote in message
> news:0E42E565-E1CC-4C02-AAF3-49A65ACCD550@microsoft.com...
> > "Obviously, LoadLibraryEx() succeeds, and the hex dumps of the
> > reported load address 0x007A0000 preceding and following this API call
> > prove that this memory region is initially unused but contains a DOS header
> > afterward."
> > From SVEN B. SCHREIBER's undocumented W2k.
> >
> > My question is: can we load a kernel-mode driver into user-mode address space?

Re: Load a kernel-mode device driver by Doron

Doron
Wed Jan 04 10:00:28 CST 2006

If the driver does not control a PnP device, CreateService/StartService will
load it. Otherwise, if it is a PnP driver, you have to plug in the
hardware.

d

--
Please do not send e-mail directly to this alias. this alias is for
newsgroup purposes only.
This posting is provided "AS IS" with no warranties, and confers no rights.


"SLASH" <SLASH@discussions.microsoft.com> wrote in message
news:D01CD5B4-F49D-4261-B473-C6867C19CE6A@microsoft.com...
> Then how about loading a real kernel-mode driver?
>
> "Alexander Grigoriev" wrote:
>
>> Of course, if you create dummies for all the DLLs (NTOSKRNL, etc) it's
>> linked against. Then what?
>>
>> "SLASH" <SLASH@discussions.microsoft.com> wrote in message
>> news:0E42E565-E1CC-4C02-AAF3-49A65ACCD550@microsoft.com...
>> > "Obviously, LoadLibraryEx() succeeds, and the hex dumps of the
>> > reported load address 0x007A0000 preceding and following this API call
>> > prove that this memory region is initially unused but contains a DOS header
>> > afterward."
>> > From SVEN B. SCHREIBER's undocumented W2k.
>> >
>> > My question is: can we load a kernel-mode driver into user-mode address
>> > space?



Re: Load a kernel-mode device driver by Tim

Tim
Thu Jan 05 01:17:12 CST 2006

"Alexander Grigoriev" wrote:
>
>> Of course, if you create dummies for all the DLLs (NTOSKRNL, etc) it's
>> linked against. Then what?

"SLASH" <SLASH@discussions.microsoft.com> wrote:
>
>Then how about loading a real kernel-mode driver?

That's what Grigoriev is talking about. You can force a kernel driver to
be loaded into user-mode memory -- it is just another PE DLL, after all --
but the system will not be able to load any of the external DLLs that it
imports.

What that basically means is that it is impossible. It would be a huge job
to provide dummy DLLs to satisfy its imports, and once you had done so, you
certainly would not be able to execute the code.

What are you really trying to accomplish?
--
- Tim Roberts, timr@probo.com
Providenza & Boekelheide, Inc.
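
Added example, not written by any poster in this thread: the thread's point that a driver file is an ordinary PE image that can be read as data but not run in user mode shows up in its headers, where the optional header's Subsystem field marks it as a native image. The function names `inspect_pe` and `build_sample` are hypothetical, and the sample bytes are constructed header-only images, not real drivers.

```python
import struct

SUBSYSTEMS = {1: "NATIVE", 2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}  # PE/COFF values
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag


def inspect_pe(data: bytes) -> dict:
    """Read PE headers from raw bytes; nothing is mapped, relocated or run."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no DOS header (MZ)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    opt = e_lfanew + 24  # 4-byte signature + 20-byte COFF file header
    if opt + 70 > len(data):
        raise ValueError("optional header truncated")
    # Machine, then skip 14 bytes, then SizeOfOptionalHeader and Characteristics.
    machine, opt_size, characteristics = struct.unpack_from(
        "<H14xHH", data, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B) or opt_size < 70:
        raise ValueError("not a PE32/PE32+ optional header")
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)  # same offset in both
    return {
        "format": "PE32" if magic == 0x10B else "PE32+",
        "machine": hex(machine),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "subsystem": SUBSYSTEMS.get(subsystem, f"OTHER({subsystem})"),
        # Native images are drivers and boot-time programs, not Win32 modules.
        "native_image": subsystem == 1,
    }


def build_sample(subsystem: int, characteristics: int) -> bytes:
    """Constructed header-only PE32 image for the demo (not a real driver)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0xE0, characteristics)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for label, sub, chars in (("driver-like", 1, 0x0102), ("dll-like", 2, 0x2102)):
        print(label, inspect_pe(build_sample(sub, chars)))
```
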