NtLoadDriver is a system routine defined in ntoskrnl that loads a driver into the system by using the DriverServiceName specified in the registry path to initialize and load it.

In Figure 1 above you'll notice that once NtLoadDriver is called it directly wraps IopLoadDriverImage (there is no API reference, since it's a private routine). Inside of IopLoadDriverImage we see various system routines used, most notably IopLoadDriver, which contains the system routine of interest: MmLoadSystemImageEx.

Inside of MmLoadSystemImageEx the system creates a driver section. The driver section is the section object that your driver occupies, and it can be referenced through the DriverSection field in _DRIVER_OBJECT. After the driver section is created, a loader entry is created. Much like the usermode loader entries that are stored in the PEB and obtained by iterating a linked list, the kernel stores its loader entries as _KLDR_DATA_TABLE_ENTRY structures in a global structure called PsLoadedModuleList.

This is important to note because some modifications in the driver loader entry allow us to play tricks on the OS. The loader entry constructed for a driver is actually what is mapped into the driver section, so you can cast the DriverSection field to PKLDR_DATA_TABLE_ENTRY and modify fields in the driver loader entry.
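As an added example (not code from the original post), the DriverSection/PsLoadedModuleList relationship modelled in portable user-mode C: a simplified _KLDR_DATA_TABLE_ENTRY and _DRIVER_OBJECT, a constructed PsLoadedModuleList, and a defender's consistency check that confirms a driver's DriverSection is still reachable from the list head and still matches the image range the driver object recorded at load time. The field subset, addresses and module names are assumptions for illustration, not values from a real system.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Portable, simplified model (assumption: only the fields used here; the real
 * _KLDR_DATA_TABLE_ENTRY and _DRIVER_OBJECT carry many more). */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
typedef struct _KLDR_DATA_TABLE_ENTRY {
    LIST_ENTRY  InLoadOrderLinks;  /* links this entry into PsLoadedModuleList */
    void       *DllBase;           /* image base */
    uint32_t    SizeOfImage;
    const char *BaseDllName;       /* a UNICODE_STRING in the real kernel */
} KLDR_DATA_TABLE_ENTRY;
typedef struct _DRIVER_OBJECT {
    void     *DriverStart;         /* image base recorded when the driver loaded */
    uint32_t  DriverSize;
    void     *DriverSection;       /* really a PKLDR_DATA_TABLE_ENTRY */
} DRIVER_OBJECT;
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))
/* Defender's check: the entry DriverSection points at must be reachable from the
 * list head and must still describe the image range recorded at load time.
 * Returns 1 when consistent, 0 when the entry is unlinked or has been edited. */
int driver_entry_consistent(const LIST_ENTRY *head, const DRIVER_OBJECT *drv)
{
    for (const LIST_ENTRY *cur = head->Flink; cur != head; cur = cur->Flink) {
        const KLDR_DATA_TABLE_ENTRY *e = CONTAINING_RECORD(cur, KLDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
        if ((const void *)e == drv->DriverSection)
            return e->DllBase == drv->DriverStart && e->SizeOfImage == drv->DriverSize;
    }
    return 0;                      /* never reached from the head: unlinked */
}
/* Constructed sample with fake addresses: head <-> ntoskrnl <-> mydrv <-> head
 * (tentative definitions let the circular links be filled in statically). */
static KLDR_DATA_TABLE_ENTRY g_ntos, g_drv;
LIST_ENTRY g_head = { &g_ntos.InLoadOrderLinks, &g_drv.InLoadOrderLinks };
static KLDR_DATA_TABLE_ENTRY g_ntos   = { {&g_drv.InLoadOrderLinks, &g_head}, (void *)0x1000, 0x8000, "ntoskrnl.exe" };
static KLDR_DATA_TABLE_ENTRY g_drv    = { {&g_head, &g_ntos.InLoadOrderLinks}, (void *)0x9000, 0x2000, "mydrv.sys" };
static KLDR_DATA_TABLE_ENTRY g_orphan = { {0, 0}, (void *)0xB000, 0x1000, "orphan.sys" };
DRIVER_OBJECT g_drvobj_ok     = { (void *)0x9000, 0x2000, &g_drv };    /* linked and untouched */
DRIVER_OBJECT g_drvobj_orphan = { (void *)0xB000, 0x1000, &g_orphan }; /* section not in the list */
DRIVER_OBJECT g_drvobj_edited = { (void *)0x9000, 0x4000, &g_drv };    /* SizeOfImage was changed */
int main(void)
{
    printf("ok=%d orphan=%d edited=%d\n", driver_entry_consistent(&g_head, &g_drvobj_ok),
           driver_entry_consistent(&g_head, &g_drvobj_orphan), driver_entry_consistent(&g_head, &g_drvobj_edited));
    return 0;
}
```

The same walk, done from kernel code over the real PsLoadedModuleList, is how a driver or forensic tool spots a loader entry that was unlinked or whose DllBase/SizeOfImage no longer match the driver object.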