Hello, experts!

Can you please clarify a few things about driver image ops:

1. Is there a kernel API to obtain a path from which NT driver binary was
loaded (similar to GetModuleNameEx in user mode)?

2. Is there a kernel API to load NT kernel mode DLL dynamically (i.e.
load DLL built with TARGET=EXPORT_DRIVER, as opposed to statically linking
it, i.e. something similar to user-mode API LoadLibrary)?

3. Registry has a value, ImagePath, for every installed kernel-mode service
(HKLM\System\CurrentControlSet\Services\<DriverName>\ImagePath).
However, this value can be empty if CreateService specified NULL as image
path parameter (this seems to be a valid value, though doc does not describe
it).
Does this mean that either ImagePath _must_ be specified, or driver _must_
be in systemroot\system32\drivers?

4. Is the default kernel load path as simple as \systemroot\system32\drivers,
or is there more to it? And what about Win64, what is default path there?

5. I was not able to find any notes on this either in DDK or IFS kits help.
Can you point a good information source on subject?

6. Any changes in this area for various NT versions? Is information on
if/how this is to change in Longhorn already available?

Many thanks in advance for answer(s),

ygs.

Re: driver image path by Don

Don
Wed Jul 06 06:12:32 CDT 2005

Comments inline:
"ygs" <ygs@discussions.microsoft.com> wrote in message
news:BB13E7C3-ED22-4B9F-8A34-B4C7401658B5@microsoft.com...
> Hello, experts!
>
> Can you please clarify a few things about driver image ops:
>
> 1. Is there a kernel API to obtain a path from which NT driver binary was
> loaded (similar to GetModuleNameEx in user mode)?

The documented way is to build your own list, using
PsSetLoadImageNotifyRoutine, the undocumented (but widely covered on the
web) is ZwQuerySystemInformation.

> 2. Is there a kernel API to load NT kernel mode DLL dynamically (i.e.
> load DLL built with TARGET=EXPORT_DRIVER, as opposed to statically linking
> it, i.e. something similar to user-mode API LoadLibrary)?

ZwLoadDriver, but there is no equivalent to GetProcAddress

> 3. Registry has a value, ImagePath, for every installed kernel-mode
> service
> (HKLM\System\CurrentControlSet\Services\<DriverName>\ImagePath).
> However, this value can be empty if CreateService specified NULL as image
> path parameter (this seems to be a valid value, though doc does not
> describe
> it).
> Does this mean that either ImagePath _must_ be specified, or driver _must_
> be in systemroot\system32\drivers?

If ImagePath is not there it is assumed to be %SYSTEMROOT%\system32\drivers.
Note you should no longer be using create service except for legacy drivers.


--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply




Re: driver image path by ygs

ygs
Wed Jul 06 13:59:05 CDT 2005

THANK YOU for good answer.

Quick Q: How do I find out %SystemRoot% location in kernel mode? Somewhere
in registry?
Also, I bet 64bit port has a different default place for drivers..

Re: driver image path by Maxim

Maxim
Wed Jul 06 14:21:39 CDT 2005

> Does this mean that either ImagePath _must_ be specified, or driver _must_
> be in systemroot\system32\drivers?

Yes.

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com



Re: driver image path by Maxim

Maxim
Wed Jul 06 14:27:22 CDT 2005

> ZwLoadDriver, but there is no equivalent to GetProcAddress

Yes, one will need to parse the PE headers manually to write the GetProcAddress
replacement.

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com
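
Added example, not part of the original thread: the manual export lookup described in the reply above, written as portable C over a mapped image buffer so it can be compiled and run outside the kernel. The names `find_export_rva` and `build_sample` and the 512-byte sample image are constructed for illustration; every RVA is bounds-checked and forwarded exports are rejected rather than returned as code addresses.

```c
#include <stdint.h>
#include <string.h>

/* Bounds-checked read; returns 0 on overrun. Assumes a little-endian host. */
static int rd(const uint8_t *img, size_t len, uint64_t off, void *out, size_t n) {
    if (off > len || n > len - off) return 0;
    memcpy(out, img + off, n);
    return 1;
}

/* RVA of export `name` in a mapped image, or 0 if absent, forwarded or malformed. */
uint32_t find_export_rva(const uint8_t *img, size_t len, const char *name) {
    uint32_t pe, sig, ndirs, dir, dsz, e[5];  /* e: NumFuncs, NumNames, funcs, names, ords */
    uint16_t magic, ord;
    if (!rd(img, len, 0x3C, &pe, 4) || !rd(img, len, pe, &sig, 4) || sig != 0x4550) return 0;
    if (!rd(img, len, (uint64_t)pe + 24, &magic, 2)) return 0;
    if (magic != 0x10B && magic != 0x20B) return 0;            /* PE32 or PE32+ only */
    uint64_t dd = (uint64_t)pe + 24 + (magic == 0x20B ? 112 : 96);  /* DataDirectory[0] */
    if (!rd(img, len, dd - 4, &ndirs, 4) || ndirs < 1) return 0;
    if (!rd(img, len, dd, &dir, 4) || !rd(img, len, dd + 4, &dsz, 4) || !dir) return 0;
    if (!rd(img, len, (uint64_t)dir + 20, e, sizeof e)) return 0;
    size_t nlen = strlen(name) + 1;                            /* compare including the NUL */
    for (uint32_t i = 0; i < e[1]; i++) {
        uint32_t nrva, frva;
        if (!rd(img, len, e[3] + 4ull * i, &nrva, 4)) return 0;
        if (nrva > len || nlen > len - nrva || memcmp(img + nrva, name, nlen)) continue;
        if (!rd(img, len, e[4] + 2ull * i, &ord, 2) || ord >= e[0]) return 0;
        if (!rd(img, len, e[2] + 4ull * ord, &frva, 4)) return 0;
        if (frva >= dir && frva - dir < dsz) return 0;         /* forwarder string, not code */
        return frva < len ? frva : 0;
    }
    return 0;
}

static void put(uint8_t *img, size_t off, uint32_t v, size_t n) { memcpy(img + off, &v, n); }

/* Constructed 512-byte sample of a mapped PE32+ image (not a real driver). */
void build_sample(uint8_t img[512]) {
    memset(img, 0, 512);
    put(img, 0x3C, 0x40, 4);   put(img, 0x40, 0x4550, 4);      /* e_lfanew, "PE\0\0" */
    put(img, 0x58, 0x20B, 2);  put(img, 0xC4, 16, 4);          /* magic, NumberOfRvaAndSizes */
    put(img, 0xC8, 0x100, 4);  put(img, 0xCC, 0x60, 4);        /* export directory RVA, size */
    put(img, 0x114, 2, 4);     put(img, 0x118, 2, 4);          /* NumberOfFunctions, NumberOfNames */
    put(img, 0x11C, 0x128, 4); put(img, 0x120, 0x130, 4); put(img, 0x124, 0x138, 4);
    put(img, 0x128, 0x180, 4); put(img, 0x12C, 0x150, 4);      /* functions: code, forwarder */
    put(img, 0x130, 0x140, 4); put(img, 0x134, 0x148, 4);      /* name RVAs */
    put(img, 0x13A, 1, 2);                                     /* ordinal table {0, 1} */
    memcpy(img + 0x140, "Add", 4); memcpy(img + 0x148, "Fwd", 4);
    memcpy(img + 0x150, "other.Fn", 9);                        /* forwarder target string */
}
```

In a driver, the returned RVA would be added to the module's load base; the image length passed in should be the mapped image size, not the size of the file on disk.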



Re: driver image path by Maxim

Maxim
Wed Jul 06 14:28:09 CDT 2005

No need. Just open the files as \SystemRoot\system32\...

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com

"ygs" <ygs@discussions.microsoft.com> wrote in message
news:5E0FC393-41A0-498A-B3D4-E5A197C1D3D2@microsoft.com...
> THANK YOU for good answer.
>
> Quick Q: How do I find out %SystemRoot% location in kernel mode? Somewhere
> in registry?
> Also, I bet 64bit port has a different default place for drivers..



Re: driver image path by ygs

ygs
Wed Jul 06 19:21:03 CDT 2005

Er, I still have a problem. (Please correct me if I misunderstood something).

Say, I would like to obtain precise image details (path, size, etc.) of my
own driver loaded in memory - from within the driver. It appears that there
is no way to do it.

E.g. I mean ironclad location of loaded image based on actual system state.
Yes, one can infer it from registry, but registry can be modified at any
time given enough privileges. And driver file on disk can be deleted or
altered while driver is running, hence one cannot trust disk file size or
other data.

Two methods you had suggested do _not_ seem to do the trick:

1) Documented PsSetLoadImageNotifyRoutine(). It operates with the right
data, but has some serious limitations:
- only 8 system-wide callbacks can be registered (hence can be denied at any
time), and they cannot be UNregistered;
- [corollary] it will get lots of info it does not need, dragging
system-wide performance;
- callback won't have any knowledge of images loaded prior to its registering;
- [corollary] it cannot be used in the image to obtain info about image
itself (i.e. requiring yet another, monitoring image).

2) Undocumented ZwQuerySystemInformation(). This seems to serve for a
one-time query I am looking for, but all API info I found on the web concerns
enumerating process and threads data. Since drivers are DLLs, one would need
enumeration of process modules. I was not able to find anything like it for
this API.


Re: kernel mode dynamic linking I was asking about, it looks like that would
essentially amount to writing one's own kernel-mode image loader. Hmmm.

Thanks for helping,

ygs.

Re: driver image path by ygs

ygs
Wed Jul 06 19:22:07 CDT 2005

Thanks, Maxim.

Re: driver image path by Don

Don
Wed Jul 06 19:30:50 CDT 2005

Use ZwQuerySystemInformation(SystemModuleInformation); there is data on the
web.


--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply



Re: driver image path by Alexander

Alexander
Wed Jul 06 22:40:42 CDT 2005

Will MmGetProcedureAddress work?

"Maxim S. Shatskih" <maxim@storagecraft.com> wrote in message
news:eoMaaCmgFHA.3940@tk2msftngp13.phx.gbl...
>> ZwLoadDriver, but there is no equivalent to GetProcAddress
>
> Yes, one will need to parse the PE headers manually to write the
> GetProcAddress
> replacement.
>
> --
> Maxim Shatskih, Windows DDK MVP
> StorageCraft Corporation
> maxim@storagecraft.com
> http://www.storagecraft.com
>
>



Re: driver image path by Don

Don
Thu Jul 07 06:45:52 CDT 2005

No, that works only for Kernel and HAL routines, not for exports from a
device driver.


--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply



Re: driver image path by Tim

Tim
Thu Jul 07 23:24:51 CDT 2005

ygs <ygs@discussions.microsoft.com> wrote:
>
>Say, I would like to obtain precise image details (path, size, etc.) of my
>own driver loaded in memory - from within the driver. It appears that there
>is no way to do it.

Ask yourself this question: would the Windows kernel care about this
information? If the answer is "no", as I suspect, then it is unlikely to
be stored in any kernel data structure.
--
- Tim Roberts, timr@probo.com
Providenza & Boekelheide, Inc

Re: driver image path by David

David
Fri Jul 08 00:51:25 CDT 2005

It is not that difficult. You have the registry entry that caused you to be
loaded passed in DriverEntry. You can look at the ImagePath to find your
driver. Do check to ensure that it is really still present because it can
be deleted once loaded into memory, unlike most applications. It will
require some effort to read the PE header and find the resources, but that
is another problem that can be overcome.