Ill bcome crazy with damn driver!

DaGoN · #1 06-24-2004, 04:55

Quote:

Originally Posted by pLayAr

fixed checksum already?

Ehm... how i can fix the checksum of a device drive?
I havent found nothing about it.

Thx,
DaGoN

aliali · #2 06-24-2004, 06:10

Hi,

Use LordPE to recalculate the CheckSum.

DaGoN · #3 06-24-2004, 16:17

LordPe reduce the file size and optimize it but the result is always the same: It doesnt work.
Lordpe result: Validate Pe image... done.

Try it, its strange, seem that there is a check from the system before driver start.

my test
bc *
bpx IoAllocateDriverObjectExtension
start service
softice break
bpx @esp (bpx on caller)
bd 00
x
sofice break here:

Quote:

::::::::::::::: ENTRY POINT :::::::::::::::::::::
INIT:00018500 push ebp
INIT:00018501 mov ebp, esp
INIT:00018503 push esi
INIT:00018504 mov esi, [ebp+arg_0]
INIT:00018507 lea eax, [ebp+arg_0]
INIT:0001850A push eax
INIT:0001850B push 10h
INIT:0001850D push offset start
INIT:00018512 push esi
INIT:00018513 call ds:IoAllocateDriverObjectExtension
INIT:00018519 test eax, eax <---- good all works fine (ramdisk process)
INIT:0001851B jl loc_185DA
INIT:00018521 mov ecx, [ebp+arg_0]
INIT:00018524 push edi
INIT:00018525 mov edi, [ebp+arg_4]
INIT:00018528 mov ax, [edi]
INIT:0001852B mov [ecx], ax
INIT:0001852E mov ax, [edi+2]
...
...

i change a char
bc *
bpx IoAllocateDriverObjectExtension
i restart the service
softice doesnt break anymore

DaGoN

aliali · #4 06-24-2004, 18:40

Hi,

You are using Rebuild PE. I'm said to you to recalculate the Checksum.

Open LordPE hit "PE Editor", choose the sys file, locate the checksum and you will see a "?" on the right hand side just hit it and then hit "Save".

ALiAli

DaGoN · #5 06-24-2004, 19:07

Thanks my friend.. now it works real good.
Ive patched this damn driver!

Thx again,
DaGoN

#6 06-28-2004, 13:09

Just to fully answer your question,

Yes, there is a security check done by the NT Kernel, which is to verify that the PE Checksum is correct or not. You can find the code to generate it yourself and skip LordPE... Or you can patch the kernel loader to disable this check.

Best regards,
Alex Ionescu
Relsoft Technologies
http://www.relsoft.net

DaGoN · #7 07-01-2004, 18:17

Quote:

You can find the code to generate it yourself and skip LordPE... Or you can patch the kernel loader to disable this check.

Ive choose to recalculate the checksum

.
Thanks for ur infos...
Byez,
DaGoN

Thread Tools
Show Printable Version Email this Page
Display Modes
Switch to Linear Mode Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Driver patching / filter driver	aldente	General Discussion	4	03-21-2006 04:43