Return to Answer

added 1 character in body

edited Apr 9, 2015 at 22:21

16.8k
1
16
31

patch the Address of Entry Point with a (0xcc aka int 3) and load the driver AddrOfEntryPoint normally points to either DriverEntry or GsDriverEntry

when broken you need to replace 0xcc by original byte and reset eip back by a byte

use eb <address> originalbyte enter r eip = <addresss>

here is the entry point of beep.sys which points to Beep!driverEntry

lkd> lm m beep start end module name f7b0e000 f7b0f080 Beep (pdb symbols) f:\symbols\beep.pdb\65DC45B439164E4C9DEFF20E161DC74C1\beep.pdb lkd> ? by(beep+3c) Evaluate expression: 208 = 000000d0 lkd> ? dwo(beep+bybeep+dwo(beep+3c)+28) Evaluate expression: 1644 = 0000066c lkd> .printf "%y\n" , beep+66c Beep!DriverEntry (f7b0e66c) lkd>

patch the Address of Entry Point with a (0xcc aka int 3) and load the driver AddrOfEntryPoint normally points to either DriverEntry or GsDriverEntry

when broken you need to replace 0xcc by original byte and reset eip back by a byte

use eb <address> originalbyte enter r eip = <addresss>

here is the entry point of beep.sys which points to Beep!driverEntry

lkd> lm m beep start end module name f7b0e000 f7b0f080 Beep (pdb symbols) f:\symbols\beep.pdb\65DC45B439164E4C9DEFF20E161DC74C1\beep.pdb lkd> ? by(beep+3c) Evaluate expression: 208 = 000000d0 lkd> ? dwo(beep+by(beep+3c)+28) Evaluate expression: 1644 = 0000066c lkd> .printf "%y\n" , beep+66c Beep!DriverEntry (f7b0e66c) lkd>

patch the Address of Entry Point with a (0xcc aka int 3) and load the driver AddrOfEntryPoint normally points to either DriverEntry or GsDriverEntry

when broken you need to replace 0xcc by original byte and reset eip back by a byte

use eb <address> originalbyte enter r eip = <addresss>

here is the entry point of beep.sys which points to Beep!driverEntry

lkd> lm m beep start end module name f7b0e000 f7b0f080 Beep (pdb symbols) f:\symbols\beep.pdb\65DC45B439164E4C9DEFF20E161DC74C1\beep.pdb lkd> ? by(beep+3c) Evaluate expression: 208 = 000000d0 lkd> ? dwo(beep+dwo(beep+3c)+28) Evaluate expression: 1644 = 0000066c lkd> .printf "%y\n" , beep+66c Beep!DriverEntry (f7b0e66c) lkd>

Source Link

answered Apr 9, 2015 at 21:31

blabb

16.8k
1
16
31

patch the Address of Entry Point with a (0xcc aka int 3) and load the driver AddrOfEntryPoint normally points to either DriverEntry or GsDriverEntry

when broken you need to replace 0xcc by original byte and reset eip back by a byte

use eb <address> originalbyte enter r eip = <addresss>

here is the entry point of beep.sys which points to Beep!driverEntry

lkd> lm m beep start end module name f7b0e000 f7b0f080 Beep (pdb symbols) f:\symbols\beep.pdb\65DC45B439164E4C9DEFF20E161DC74C1\beep.pdb lkd> ? by(beep+3c) Evaluate expression: 208 = 000000d0 lkd> ? dwo(beep+by(beep+3c)+28) Evaluate expression: 1644 = 0000066c lkd> .printf "%y\n" , beep+66c Beep!DriverEntry (f7b0e66c) lkd>