Building a Windows driver

Hello all.
I'm trying to build/install/run a driver.
Visual Studio 2008, WDK 7600, Windows 7 x64.
So I took this example I found on the web:

#include "ntddk.h"
 
VOID OnUnload( IN PDRIVER_OBJECT pDriverObject )
{
    DbgPrint("OnUnload called!");
}
 
NTSTATUS DriverEntry( IN PDRIVER_OBJECT pDriverObject, IN PUNICODE_STRING registryPath )
{
    DbgPrint("Driver loaded!");
    DbgPrint("Hello world!");
    pDriverObject->DriverUnload = OnUnload;
    return STATUS_SUCCESS;
}

I build the file with WDK 7
3 files compiled
1 executable built

I got my driver "main.sys".
Back to Visual Studio and the function to load it in Services (Local):
 
Install(_T("C:amd64\\main.sys"));

Compiling... all is OK. I can see the driver when I load it in Services (Local),
but when I go to Services (Local) to press "Start" it says:
Windows could not start servicetest service on local computer. Error 1058: The service can not be started, either because it is disabled or because it has no enabled devices associated with it
Can you help me please.
closed account (13bSLyTq)
Hi,

This is because the driver is not signed and therefore PatchGuard is blocking it from interfering with the kernel activity.
@ OrionMaster: It's just as likely to be because this Install(_T("C:amd64\\main.sys")); isn't a legal path, OP forgot the first backslash in there. You're right about him requiring a signature, eventually. But this error is pretty specific in saying that Windows can't find the stub, so it hasn't even gotten to the point where it can see that it isn't signed.

@ OP: What does your definition for the function "Install()" look like OP?

By the way, the code that you posted is almost directly taken from chapter 2 of Greg Hoglund's book "Rootkits", so you can be pretty sure that the reference you found is old and out of date which accounts for why you didn't know about the requirement for drivers to be signed in Win 7 64.
Hello.
Yes, sorry, I changed it to install(L"C:amd64\\main.sys");
BOOL Install(  TCHAR szFilePath[MAX_PATH])
{
    if (IsInstalled())
        return TRUE;

    SC_HANDLE hSCM = ::OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
    if (hSCM == NULL)
    {
        MessageBox(NULL, _T("Couldn't open service manager"), szServiceName, MB_OK);
        return FALSE;
    }

    SC_HANDLE hService = ::CreateService(
        hSCM, szServiceName, szServiceName,
        SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS,
        SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL,
        szFilePath, NULL, NULL, _T(""), NULL, NULL);

    if (hService == NULL)
    {
        ::CloseServiceHandle(hSCM);
        MessageBox(NULL, _T("Couldn't create service"), szServiceName, MB_OK);
        return FALSE;
    }

    ::CloseServiceHandle(hService);
    ::CloseServiceHandle(hSCM);
    return TRUE;
}

I disabled signature verification of drivers:
 
        bcdedit /set nointegritychecks ON

I can still see the service, but when I press start manually:

Windows could not start the servicetest service on local computer. Error: 129 0X81
Hello
I changed:
SC_HANDLE hService = ::CreateService(hSCM, szServiceName, szServiceName,
    SERVICE_ALL_ACCESS, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL,
    szFilePath, NULL, NULL, NULL, NULL, NULL);

bcdedit /set nointegritychecks ON
I restarted my computer.
Executing Visual Studio, I got the message "Windows requires a digitally signed driver. A recently installed program tried to install an unsigned driver...."
I'm so close....
Always consider a different error message to be a good thing. For this issue see OrionMaster's post here: http://www.cplusplus.com/forum/windows/142898/#msg754464
I don't have any personal experience with it at this point, but I guess now is as good a time as any to learn so I'll start reading too: http://msdn.microsoft.com/en-us/library/windows/hardware/ff548231(v=vs.85).aspx
Look at that, I had the answer bookmarked this whole time: http://msdn.microsoft.com/en-us/library/windows/hardware/ff548693(v=vs.85).aspx

Do you know how to use certificates OP? i.e. Windows_Key + R -> mmc -> Certificates plug-in -> Choose_What_Certs_To_Manage -> Right_Click_On_Scope -> All Tasks -> Import
Well I guess you do now :p. Let us know if you need more help on this.
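
An added example, not part of the thread or of any poster's code: a portable C pre-flight check for the two CreateService arguments the thread ends up changing, the binary path (drive-relative `C:amd64\main.sys` versus fully qualified `C:\amd64\main.sys`) and the service type. The enum, flag and function names are hypothetical, and the two service-type values are repeated from winnt.h so the check builds without the Windows SDK.

```c
#include <ctype.h>
#include <string.h>

/* dwServiceType values as defined in winnt.h (no Windows SDK needed here). */
#define SVC_KERNEL_DRIVER     0x00000001u /* SERVICE_KERNEL_DRIVER */
#define SVC_WIN32_OWN_PROCESS 0x00000010u /* SERVICE_WIN32_OWN_PROCESS */

/* Hypothetical names for the path forms Windows distinguishes. */
typedef enum {
    PATH_RELATIVE,       /* amd64\main.sys */
    PATH_DRIVE_RELATIVE, /* C:amd64\main.sys, relative to the cwd on C: */
    PATH_ROOTED,         /* \amd64\main.sys, relative to the current drive */
    PATH_DRIVE_ABSOLUTE, /* C:\amd64\main.sys */
    PATH_UNC_OR_DEVICE   /* \\server\share, \\?\C:\..., \\.\... */
} path_kind;

static int is_sep(char c) { return c == '\\' || c == '/'; }

path_kind classify_path(const char *p) {
    if (is_sep(p[0]))
        return is_sep(p[1]) ? PATH_UNC_OR_DEVICE : PATH_ROOTED;
    if (isalpha((unsigned char)p[0]) && p[1] == ':')
        return is_sep(p[2]) ? PATH_DRIVE_ABSOLUTE : PATH_DRIVE_RELATIVE;
    return PATH_RELATIVE;
}

/* Case-insensitive test for a ".sys" extension. */
static int ends_with_sys(const char *p) {
    size_t n = strlen(p);
    return n >= 4 && p[n - 4] == '.' &&
           tolower((unsigned char)p[n - 3]) == 's' &&
           tolower((unsigned char)p[n - 2]) == 'y' &&
           tolower((unsigned char)p[n - 1]) == 's';
}

/* Bit flags returned by preflight(); 0 means both arguments look sane. */
#define ISSUE_PATH_NOT_ABSOLUTE 0x1u
#define ISSUE_TYPE_NOT_DRIVER   0x2u

/* Run before CreateService; accepts only the drive-letter absolute form. */
unsigned preflight(const char *binary_path, unsigned service_type) {
    unsigned issues = 0;
    if (classify_path(binary_path) != PATH_DRIVE_ABSOLUTE)
        issues |= ISSUE_PATH_NOT_ABSOLUTE;
    if (ends_with_sys(binary_path) && service_type != SVC_KERNEL_DRIVER)
        issues |= ISSUE_TYPE_NOT_DRIVER;
    return issues;
}
```
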