Hi all,
On Monday 10 November 2003 08:11, Marcus Meissner wrote:
On Fri, Nov 07, 2003 at 07:46:58PM +0100, Lionel Ulmer wrote:
On Fri, Nov 07, 2003 at 10:32:02AM +0000, Mike Hearn wrote:
Lionel, could QEMU be used here? I guess the driver expects to have kernel level access to the machine, so we could either:
Well, as I have no idea how .SYS loading works and how it interfaces with the kernel, I cannot comment here.
The newer .SYS files are just PE libraries. They have smaller section alignments, but otherwise they look just like normal DLLs.
They reference hal.dll, ntoskrnl.exe, etc. as imports.
The main hook into them is the DRIVER_OBJECT struct. On initialisation you call the DLL entry procedure with DriverEntry(DRIVER_OBJECT*, UNICODE_STRING *name); if I read http://msdn.microsoft.com/library/en-us/kmarch/hh/kmarch/drvrrtns_6r76.asp correctly.
The DRIVER_OBJECT struct then gets filled with the function pointers the driver supports. http://msdn.microsoft.com/library/en-us/kmarch/hh/kmarch/k112_6jaq.asp for a read.
The patches I posted should allow loading of these driver dlls. However, the start function is still called PE User DLL style, which needs to be fixed.
Well, it's not really easy, as the NT_HEADER only declares: Characteristics: 0306 EXECUTABLE_IMAGE LINE_NUMS_STRIPPED 32BIT_MACHINE DEBUG_STRIPPED
So we can only use the file extension (and maybe the imported libs, .sys files using kernel libs) to choose the right "dll-entry" between .sys and .exe files :(
I don't think Alexandre will love the hack to support this :)
Ciao, Marcus
Regards, Raphael
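The point made in this thread (the FileHeader Characteristics of a .sys file are indistinguishable from those of an .exe, so a loader has to fall back on the extension or on the imported libraries) can be checked directly. The following is an added example, not code from this thread or from Wine: a minimal PE32 reader that extracts the Characteristics, the Subsystem and the import table, plus a fixture builder that constructs two in-memory PE images with the same 0x0306 Characteristics, one importing ntoskrnl.exe/hal.dll as a driver would and one importing user-mode DLLs. The classifier decides on the imports, as the message suggests; it also reports the Subsystem field (IMAGE_SUBSYSTEM_NATIVE = 1 for kernel drivers), which the thread does not mention and which is only a hint, since native-subsystem user-mode executables exist too. Function names and the fixture layout are this example's own assumptions.

```python
import struct

IMAGE_SUBSYSTEM_NATIVE = 1           # kernel drivers are linked /SUBSYSTEM:NATIVE
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3
KERNEL_IMPORTS = {b"ntoskrnl.exe", b"hal.dll"}
CHARS_FROM_THREAD = 0x0306           # EXECUTABLE_IMAGE|LINE_NUMS_STRIPPED|32BIT_MACHINE|DEBUG_STRIPPED

def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table (vsize, va, rawsize, rawptr)."""
    for vsize, va, rawsize, rawptr in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError("RVA 0x%x is not mapped by any section" % rva)

def _cstring(data, off):
    return data[off:data.index(b"\0", off)]

def parse_pe(data):
    """Return Characteristics, Subsystem and imported DLL names of a PE32 image (bytes)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                      # IMAGE_FILE_HEADER
    _machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                          # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    import_rva = struct.unpack_from("<I", data, opt + 104)[0]   # DataDirectory[1].VirtualAddress
    sec_hdrs = opt + opt_size
    sections = [struct.unpack_from("<IIII", data, sec_hdrs + 40 * i + 8) for i in range(nsect)]
    imports = []
    if import_rva:
        off = _rva_to_offset(sections, import_rva)
        while True:                                        # IMAGE_IMPORT_DESCRIPTOR array, zero-terminated
            _oft, _ts, _fwd, name_rva, _ft = struct.unpack_from("<IIIII", data, off)
            if name_rva == 0:
                break
            imports.append(_cstring(data, _rva_to_offset(sections, name_rva)).lower())
            off += 20
    return {"characteristics": chars, "subsystem": subsystem, "imports": imports}

def looks_like_kernel_driver(data):
    """Decide on imports: anything pulling in ntoskrnl.exe or hal.dll needs DriverEntry, not a user DLL entry."""
    return any(dll in KERNEL_IMPORTS for dll in parse_pe(data)["imports"])

def build_image(dll_names, subsystem, characteristics=CHARS_FROM_THREAD):
    """Constructed fixture: a minimal PE32 with one .rdata section holding only an import table."""
    sec_rva, sec_raw = 0x1000, 0x200
    desc_size = 20 * (len(dll_names) + 1)
    names, name_rvas = b"", []
    for n in dll_names:
        name_rvas.append(sec_rva + desc_size + len(names))
        names += n + b"\0"
    descs = b"".join(struct.pack("<IIIII", 0, 0, 0, rva, 0) for rva in name_rvas) + b"\0" * 20
    section = descs + names
    opt = bytearray(224)                                   # 96 fixed bytes + 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 32, 0x1000)                # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                 # FileAlignment
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, sec_rva, desc_size)  # import directory
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), characteristics)
    sec_hdr = b".rdata".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(section), sec_rva, len(section), sec_raw, 0, 0, 0, 0, 0x40000040)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec_hdr
    return headers.ljust(sec_raw, b"\0") + section

if __name__ == "__main__":
    driver = build_image([b"ntoskrnl.exe", b"HAL.dll"], IMAGE_SUBSYSTEM_NATIVE)
    program = build_image([b"KERNEL32.dll", b"msvcrt.dll"], IMAGE_SUBSYSTEM_WINDOWS_CUI)
    for label, img in (("driver", driver), ("program", program)):
        info = parse_pe(img)
        print(label, hex(info["characteristics"]), info["subsystem"], info["imports"],
              "-> DriverEntry" if looks_like_kernel_driver(img) else "-> DllMain/WinMain")
```

Both fixtures carry Characteristics 0x0306, so a loader that keys on that field cannot tell them apart; the import table (and, as a weaker hint, the Subsystem value) is what separates a kernel-mode image that must be entered through DriverEntry(DRIVER_OBJECT*, UNICODE_STRING*) from one that takes the ordinary user DLL entry. Only PE32 is handled, which matches the 32-bit drivers under discussion.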