[aleckernel]

I am wondering how driverquery.exe gets its list of loaded device driver. As a first step, I tried using the API Monitor tool (http://www.rohitab.com/downloads) in 32bit Win7 to see what APIs it is calling. But to my surprise, it is NOT calling any of the following functions:
1) EnumDeviceDrivers() nor the GetDeviceDriver*()
2) EnumServicesStatus(), GetService*(), nor any of the service related calls in advapi.dll
3) DeviceIoControl() (so it is not using some special device driver)
4) Setup API functions in SetupAPI.dll

It does call CreateFile() on each of the .sys file in the system32\drivers\. But how does it get the list of .sys file in the directory? Are there any other areas I should check?

[EP_X0FF]

WMI

select * from Win32_PnpSignedDriver where DeviceName != NULL
Win32_SystemDriver

https://msdn.microsoft.com/en-us/librar ... s.85).aspx

[aleckernel]

I have no experience with WMI. Is it utilmately coming from an independent usermode database or the same info obtained from PsLoadedModuleList?

[EP_X0FF]

Well lets say: if you loaded your driver without using SCM and removed it references in kernel driverquery will not show it to you.

[aleckernel]

done some tests in win7 32bit, a test driver loaded by SCM, say:

Code: Select all

lkd> dt KLDR_DATA_TABLE_ENTRY 876db558
ole32!KLDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x82f68e30 - 0x85bd7400 ]
   +0x008 ExceptionTable   : 0xffffffff Void
   +0x00c ExceptionTableSize : 0xffffffff
   +0x010 GpValue          : 0x00410048 Void
   +0x014 NonPagedDebugInfo : (null) 
   +0x018 DllBase          : 0xa49fb000 Void
   +0x01c EntryPoint       : 0xa49fdfbe Void
   +0x020 SizeOfImage      : 0x4000
   +0x024 FullDllName      : _UNICODE_STRING "\??\D:\general\i386\sysProc.sys"
   +0x02c BaseDllName      : _UNICODE_STRING "sysProc.sys"
   +0x034 Flags            : 0x49104000
   +0x038 LoadCount        : 1
   +0x03a __Unused5        : 0x57
   +0x03c SectionPointer   : (null) 
   +0x040 CheckSum         : 0x12662
   +0x044 CoverageSectionSize : 0x540053
   +0x048 CoverageSection  : (null) 
   +0x04c LoadedImports    : 0x85857c99 Void
   +0x050 PatchInformation : (null) 
   +0x054 SizeOfImageNotRounded : 0x3700
   +0x058 TimeDateStamp    : 0x568cc031

using windbg, directly modify the UNICODE_STRING to change the driver's name to something else like "aaaProc.sys"

Code: Select all

lkd> dt KLDR_DATA_TABLE_ENTRY 876db558
ole32!KLDR_DATA_TABLE_ENTRY
   +0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x82f68e30 - 0x85bd7400 ]
   +0x008 ExceptionTable   : 0xffffffff Void
   +0x00c ExceptionTableSize : 0xffffffff
   +0x010 GpValue          : 0x00410048 Void
   +0x014 NonPagedDebugInfo : (null) 
   +0x018 DllBase          : 0xa49fb000 Void
   +0x01c EntryPoint       : 0xa49fdfbe Void
   +0x020 SizeOfImage      : 0x4000
   +0x024 FullDllName      : _UNICODE_STRING "\??\D:\general\i386\aaaProc.sys"
   +0x02c BaseDllName      : _UNICODE_STRING "aaaProc.sys"
   +0x034 Flags            : 0x49104000
   +0x038 LoadCount        : 1
   +0x03a __Unused5        : 0x57
   +0x03c SectionPointer   : (null) 
   +0x040 CheckSum         : 0x12662
   +0x044 CoverageSectionSize : 0x540053
   +0x048 CoverageSection  : (null) 
   +0x04c LoadedImports    : 0x85857c99 Void
   +0x050 PatchInformation : (null) 
   +0x054 SizeOfImageNotRounded : 0x3700
   +0x058 TimeDateStamp    : 0x568cc031

now the driverquery.exe still report the original name "sysProc.sys". Why process explorer (under System process->lower panel view->DLLs)shows the modified name "aaaProc.sys" . Does that mean driverquery.exe is relying on some other cached info? At least when looking for driver name

[EP_X0FF]

Your driver loaded by documented way. Of course Windows used this information in WMI query, because there wasn't event this driver unloaded and there is no "refresh/update" by design. And driverquery not use NtQuerySystemInformation like Process Explorer do. What is your final point? Hide driver? Allocate memory in kernel, copy your code in it and run. No driver/device objects needed.