#1
I'll become crazy with damn driver!
Why when I change a bit in this driver (w_w.ramdisk.tk) it doesn't start anymore?
1) driver is not signature
2) I've removed the installer (I deleted ramdisk.dll (<-- no CRC check inside) from system32 and installer registry keys). Driver runs.
This is the driver entry method: Quote:
Now things go bad: when I change only one char in the driver ramdisk.sys it doesn't run anymore(!?!?) and SoftICE doesn't break anymore at the driver entry point! Why? Is there any security check in the Windows kernel? It seems that the system doesn't start it anymore because it's changed...
Thx in adv,
DaGoN
#2
Just a hunch...
Make sure you've unloaded the previous instance of ramdisk.sys before starting up the new one. Windows may be preventing the loading of another ramdisk.sys because one is already in place.
#3
Yes, I stop the service, then I load it in WinHex, change a char and save it; I restart the service and the service doesn't start anymore...
I stop the service again, undo in WinHex and save it; I restart the service and it works! I've tried it with different XP machines...
DaGoN
Last edited by DaGoN; 06-24-2004 at 04:12.
#4
fixed checksum already?
#5
Quote:
I haven't found nothing about it.
Thx,
DaGoN
#6
Hi,
Use LordPE to recalculate the CheckSum.
#7
LordPE reduces the file size and optimizes it, but the result is always the same: it doesn't work.
LordPE result: Validate Pe image... done.
Try it, it's strange; it seems that there is a check from the system before the driver starts.
My test:
bc *
bpx IoAllocateDriverObjectExtension
start service
SoftICE breaks
bpx @esp (bpx on caller)
bd 00
x
SoftICE breaks here: Quote:
bc *
bpx IoAllocateDriverObjectExtension
I restart the service
SoftICE doesn't break anymore
DaGoN
#8
Hi,
You are using Rebuild PE. I said to you to recalculate the Checksum. Open LordPE, hit "PE Editor", choose the sys file, locate the checksum and you will see a "?" on the right hand side; just hit it and then hit "Save".
ALiAli
#9
Thanks my friend.. now it works real good.
I've patched this damn driver!
Thx again,
DaGoN
#10
Just to fully answer your question,
Yes, there is a security check done by the NT Kernel, which is to verify that the PE Checksum is correct or not. You can find the code to generate it yourself and skip LordPE... Or you can patch the kernel loader to disable this check.
Best regards,
Alex Ionescu
Relsoft Technologies
http://www.relsoft.net
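Added example, not part of the original thread or any poster's code: the header checksum discussed in posts #4 to #10, computed as the 16-bit end-around-carry sum of the file with the CheckSum field counted as zero, plus the file length, and compared with the stored value. The sample image, the offsets chosen inside it and all function names are constructed for illustration.

```python
import struct

def pe_checksum_offset(image: bytes) -> int:
    """File offset of OptionalHeader.CheckSum (same for PE32 and PE32+)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # 4-byte signature + 20-byte COFF header + 64 bytes into the optional header
    return e_lfanew + 4 + 20 + 64

def compute_pe_checksum(image: bytes) -> int:
    """Fold the file into 16 bits, skipping the CheckSum field, then add the length."""
    off = pe_checksum_offset(image)
    data = image[:off] + b"\0\0\0\0" + image[off + 4:]   # field counted as zero
    if len(data) % 2:
        data += b"\0"                                     # pad odd-sized files
    total = sum(struct.unpack("<%dH" % (len(data) // 2), data))
    while total >> 16:                                    # end-around carry
        total = (total & 0xFFFF) + (total >> 16)
    return (total + len(image)) & 0xFFFFFFFF

def check_image(image: bytes):
    """Return (stored, computed, matches) for an image."""
    (stored,) = struct.unpack_from("<I", image, pe_checksum_offset(image))
    computed = compute_pe_checksum(image)
    return stored, computed, stored == computed

def constructed_sample() -> bytes:
    """Constructed 512-byte PE-shaped buffer with a valid checksum (not a real driver)."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)               # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    buf[0x100:0x110] = b"constructed code"                # stand-in for code bytes
    struct.pack_into("<I", buf, pe_checksum_offset(bytes(buf)),
                     compute_pe_checksum(bytes(buf)))
    return bytes(buf)

def flip_one_byte(image: bytes, offset: int) -> bytes:
    """Copy of the image with one bit changed, as after a hex-editor edit."""
    patched = bytearray(image)
    patched[offset] ^= 0x01
    return bytes(patched)

if __name__ == "__main__":
    original = constructed_sample()
    for name, img in (("original", original), ("edited", flip_one_byte(original, 0x100))):
        stored, computed, ok = check_image(img)
        print(f"{name}: stored={stored:#010x} computed={computed:#010x} match={ok}")
```

The edited copy keeps the old stored value while the computed value changes, which is the mismatch the thread ran into after the WinHex edit.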
#11
Quote:
Thanks for your info...
Byez,
DaGoN