A forum for reverse engineering, OS internals and malware analysis 

 #12429  by iSecure
 Sat Mar 31, 2012 10:51 am
Is there any method to determine if the system is going to call DriverEntry() of a driver image which has previously been mapped by MmLoadSystemImage()?

I ask this because I have discovered that some drivers (e.g. "videoprt.sys") have their images mapped, but their DriverEntry() never gets called. They behave just like some user-mode DLLs which don't do anything except provide some export functions to other modules. But I don't understand why their entry point even exists (the address is not null) if it never gets called anyway.

I hook the entry points of loaded images inside the callback handler registered by PsSetLoadImageNotifyRoutine() to execute some code, but my new entry point never gets called. So I wonder how I can detect this behavior; maybe some flags in the PE-related structures? Or is the only way to hardcode the names of drivers which seem to behave like this and just ignore them inside my callback handler?
 #12439  by EP_X0FF
 Sat Mar 31, 2012 3:34 pm
IIRC MmLoadSystemImage just does what the name of the routine says and calls the image notify routines near the end of the loading process, when everything is ready. IopLoadDriver calls DriverInit, which is set from AddressOfEntryPoint + image base address.
 #12441  by iSecure
 Sat Mar 31, 2012 5:30 pm
Yes, I know this. So there is no way to tell if it is a "typical" driver image load or an image for an "export" driver whose entry point won't be called? It seems that this is related to dependency resolving: when some driver needs external functions, the system loader just maps the image for the driver from the import section, but does not call its entry point. But this is strange; in user mode, in a similar situation, DllMain() will be called anyway...

Maybe someone can explain this better? =)
 #12464  by iSecure
 Sun Apr 01, 2012 12:36 pm
Seems like there is no 100% way to filter this behavior. Found a slightly better solution than hardcoding driver names: checking for the existence of an export directory.
Code:
// ImageInfo is the PIMAGE_INFO passed to the PsSetLoadImageNotifyRoutine() callback
PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)ImageInfo->ImageBase;
PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)((PUCHAR)ImageInfo->ImageBase + dosHeader->e_lfanew);

if (ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress != 0)
{
   // skip this driver because more likely it was loaded as part of dependency resolving
   // for some other driver which references it in its import directory,
   // so this driver's entry point most certainly won't be called
}
else
{
   // do required work (e.g. hook the driver's entry point)
}
Thanks.
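Added example (not from the post above or from any driver's code): the export-directory check done in user mode over a constructed in-memory PE32+ header, so it can be compiled and run offline with a plain C compiler. It shows what the posted snippet leaves out: validating the MZ/PE signatures, handling the different PE32 and PE32+ optional-header layouts, honouring NumberOfRvaAndSizes before indexing DataDirectory, and refusing a truncated header instead of reading past it. In the real callback the same bytes would come from ImageInfo->ImageBase (that mapping is assumed, not shown); the sample image, the RVAs 0x1000 and 0x3000 and the demo_skip_decision() helper are constructed for this example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* PE constants, defined here so the example needs no windows.h / ntimage.h. */
#define IMAGE_DOS_SIGNATURE           0x5A4D      /* "MZ" */
#define IMAGE_NT_SIGNATURE            0x00004550  /* "PE\0\0" */
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x010B
#define IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x020B
#define IMAGE_DIRECTORY_ENTRY_EXPORT  0

typedef struct {
    uint32_t entry_rva;    /* OptionalHeader.AddressOfEntryPoint */
    uint32_t export_rva;   /* DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress, 0 if absent */
} pe_info_t;

/* Unaligned field access; PE is little-endian and so (by assumption) is the host running this. */
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Walk DOS -> NT -> optional header of a `len`-byte image with bounds checks.
 * Returns 0 on success, -1 if the headers are malformed or truncated. */
int pe_inspect(const uint8_t *img, size_t len, pe_info_t *out)
{
    if (len < 64 || rd16(img) != IMAGE_DOS_SIGNATURE) return -1;
    uint32_t nt = rd32(img + 60);                                  /* IMAGE_DOS_HEADER.e_lfanew */
    if (nt > len || len - nt < 4 + 20 + 2) return -1;              /* Signature + FileHeader + Magic */
    if (rd32(img + nt) != IMAGE_NT_SIGNATURE) return -1;
    const uint8_t *fh  = img + nt + 4;                             /* IMAGE_FILE_HEADER */
    const uint8_t *opt = fh + 20;                                  /* IMAGE_OPTIONAL_HEADER */
    uint16_t opt_size  = rd16(fh + 16);                            /* SizeOfOptionalHeader */
    if (opt_size > len - (size_t)(opt - img) || opt_size < 20) return -1;
    size_t n_rva_off, dir_off;                                     /* layout differs for PE32 vs PE32+ */
    uint16_t magic = rd16(opt);
    if (magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC)      { n_rva_off = 92;  dir_off = 96;  }
    else if (magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) { n_rva_off = 108; dir_off = 112; }
    else return -1;
    out->entry_rva  = rd32(opt + 16);                              /* AddressOfEntryPoint, same offset in both */
    out->export_rva = 0;
    /* Read the export slot only if NumberOfRvaAndSizes says it exists and the header really holds it;
     * indexing DataDirectory[0] unconditionally, as the snippet in the post does, skips both checks. */
    if (opt_size >= n_rva_off + 4 && rd32(opt + n_rva_off) > IMAGE_DIRECTORY_ENTRY_EXPORT &&
        opt_size >= dir_off + 8 * (IMAGE_DIRECTORY_ENTRY_EXPORT + 1))
        out->export_rva = rd32(opt + dir_off + 8 * IMAGE_DIRECTORY_ENTRY_EXPORT);
    return 0;
}

/* The thread's heuristic: an image with an export directory was most likely mapped only to satisfy
 * another driver's imports, so its entry point is not expected to run and it is a poor hook target.
 * Returns 1 = skip, 0 = candidate, -1 = malformed image. */
int should_skip_image(const uint8_t *img, size_t len)
{
    pe_info_t info;
    if (pe_inspect(img, len, &info) != 0) return -1;
    if (info.entry_rva == 0) return 1;                             /* no entry point at all: nothing to hook */
    return info.export_rva != 0 ? 1 : 0;
}

/* Constructed sample: a minimal PE32+ header with no sections or code, not taken from any real driver. */
size_t build_sample_image(uint8_t *buf, size_t cap, int with_exports)
{
    const uint32_t nt = 0x80;                                      /* e_lfanew */
    const size_t opt_size = 240;                                   /* PE32+ optional header, 16 directories */
    size_t total = nt + 4 + 20 + opt_size;
    if (cap < total) return 0;
    memset(buf, 0, total);
    wr16(buf, IMAGE_DOS_SIGNATURE);
    wr32(buf + 60, nt);
    wr32(buf + nt, IMAGE_NT_SIGNATURE);
    uint8_t *fh = buf + nt + 4, *opt = fh + 20;
    wr16(fh, 0x8664);                                              /* Machine = AMD64 */
    wr16(fh + 16, (uint16_t)opt_size);                             /* SizeOfOptionalHeader */
    wr16(opt, IMAGE_NT_OPTIONAL_HDR64_MAGIC);
    wr32(opt + 16, 0x1000);                                        /* AddressOfEntryPoint (hypothetical RVA) */
    wr32(opt + 108, 16);                                           /* NumberOfRvaAndSizes */
    if (with_exports) { wr32(opt + 112, 0x3000); wr32(opt + 116, 0x80); } /* export directory RVA/size */
    return total;
}

/* Decision for a sample image; `truncate_to` > 0 feeds the checker only that many bytes. */
int demo_skip_decision(int with_exports, size_t truncate_to)
{
    uint8_t buf[512];
    size_t len = build_sample_image(buf, sizeof buf, with_exports);
    return should_skip_image(buf, truncate_to ? truncate_to : len);
}

int main(void)
{
    printf("sample with exports    -> skip=%d\n", demo_skip_decision(1, 0));   /* 1 */
    printf("sample without exports -> skip=%d\n", demo_skip_decision(0, 0));   /* 0 */
    printf("truncated at 100 bytes -> skip=%d\n", demo_skip_decision(1, 100)); /* -1 */
    return 0;
}
```

The decision is still only the heuristic from the post; what the checker adds is that a malformed or cut-off header comes back as -1, so a caller can refuse to touch that image instead of treating a bad parse as "no exports" and patching it anyway.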
 #12467  by iSecure
 Sun Apr 01, 2012 2:15 pm
I hook the driver entry point to execute my code. I want this "target" to be random, but some drivers are loaded just by MmLoadSystemImage (dependency resolving) and not by IopLoadDriver (common loading via ZwLoadDriver), which means they are just mapped into memory, but their entry points never get called. I need a method to detect this behavior and choose a different target, because if I hook the entry point of a driver whose DriverEntry never gets called, my own code won't be executed either. This is for academic purposes.
 #12468  by rkhunter
 Sun Apr 01, 2012 2:50 pm
iSecure wrote: I hook the driver entry point to execute my code.
What technique are you using for it? At what level are you working (or do you want to work; I mean documented/semi-documented/undocumented)?
Tell us a little more about what you are already using and coding.
 #12487  by iSecure
 Mon Apr 02, 2012 8:41 am
Patching the code at the entry point of the driver inside the callback handler registered by PsSetLoadImageNotifyRoutine(). The hooked entry point (if it ever gets called by the system loader) restores the original bytes at the entry point, calls the original entry point and DbgPrint()s the returned status.