Re: Dynamically loading binaries in Kernel mode.

Indeed. I've written something like this a while ago for x86 XP and it
worked really
well. I found that it was best to overallocate from NonPagedPool so you
could have the image start at a page boundary.

If you are planning to create device objects you need to call IoCreateDriver
and set the appropriate bits in the flags field.

Snapping the IAT and processing the relocation blocks is simple if you have
the PE file spec. If you dont fancy doing the relocations by hand, then you
can always use nt!LdrProcessRelocationBlockLongLong.

Of course the one thing you can't easily do is set the PE page protections
(Execute for .text, Read only for .rdata and so forth) other than by
directly modifiying the PTE (which as far as I remember has no net effect on
large pages if that is where your pool allocation comes from).

So, yes, as I am sure you know because you are planning to do this, it is
very possible, but you do end up with a "kind of image" that is not like a
normal image in all respects. Other people on here might have suggestions
about how you might set page attributes properly.

Another thing you could do is to install a file system filter and lie
horribly in response to create, read, write, query/set information and fast
io requests for the file specified in your service registry key. In this way
you could probably fudge an apparently loaded image without ever touching
the backing store.

Carly

"Skywing" <skywing_NO_SPAM_@xxxxxxxxxxxxxxxxxxx> wrote in message
news:OdFT7uCVGHA.1204@xxxxxxxxxxxxxxxxxxxxxxx
It would be *much* easier to rewrite a PE loader than build even a very
simple file system. I've done the former, and while it's not the easiest
thing in the world, filesystems development pales in comparison.

"Ray Trent" <rat@xxxxxxxxxxxxx> wrote in message
news:OblUhrCVGHA.5332@xxxxxxxxxxxxxxxxxxxxxxx
Ah, I see what you're trying to do now. I'll keep my theory to myself out
of deference to your desire for secrecy.

Anyway, unless the place you're going to load it from is reachable via a
standard filesystem and unless you load it using standard export driver
mechanisms and interfaces, you're going to end up having to rewrite the
entire DLL loader by yourself.

Technically this might be possible, but you wouldn't have a small task in
front of you. In fact, it's probably a smaller task to develop an entire
(read-only?) filesystem driver for your storage device/location/whatever
and then just load an export driver the normal way by pretending it's on
disk.

Good luck getting it to load in a particular spot in memory, though. I
don't think there are any interfaces for that. But then again, maybe
that's not an *actual* requirement but something you just think is a
requirement. If you want an answer on this part of it, we'll probably
need more information on why you think you need that.

So you see, my suggestion for how to solve your problem didn't really
have anything to do with the question you actually asked.

*That's* why we respond to odd-looking questions with more questions.

Luis Miguel Huapaya wrote:
Well, we've considered the "separate driver" solution, but it will not
do the trick for the goals we have in mind. So without too many details
here is what we need to achieve:

1) Allocate kernel level memory (system memory) that is big enough to
receive the binary image (and related static data) of the dynamic code
that we want to run.
2) Load the code into memory. I won't get into details, but we can't
have the kernel level code reading it from disk.
3) Do whatever address fixups, etc.. required before "executing" the
code.
4) Execute the code.

Our dynamically linked code would publish a GetProcAddress() type
function capable of reporting back on the entry points of every other
function in the dynamic code. The GetProcAddress() function would
undoubdetly be at a fixed offset in the binary code. We would have to
figure a mechanism to report back on other functions in the binaries
based on the load address.

The dynamic code must be loadable/unloadable on demand.

I can't think of any other way to achieve our intended goal. It sucks
because I prefer simple solutions, but in this particular case, I don't
think there is any other choice.

cheers,
Luis Miguel Huapaya

"Don Burn" wrote:

Actually, the group will answer the question without going into the
details of you project. What we are looking for are the goals of you
need to load binaries. There are a number of solutions including do
not do that, but without understanding the reasoning behind the need a
lot of us find we are helping people shoot the system in the foot.

For instance in you situation, there are multiple methods you can use,
kernel mode DLL's, a seperate driver with an interface handled in many
ways, etc. The problem is that many people come to us with "I want to
do X, how can I accomplish it", when if they stepped back one level the
answer is "Use standard mechanism A".

A common example of this are people asking many different ways to have
the driver communicate with the application. Once we understand that
the question "how do I map a user space code section into the kernel?"
is really "how do I call up to an application with an action to do?"
the answer becomes obvious.


--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
Remove StopSpam from the email to reply


"Luis Miguel Huapaya" <LuisMiguelHuapaya@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message
news:52930D30-4618-4C8B-BDEF-6BE5FDE193C5@xxxxxxxxxxxxxxxx
Hi again,

I understand where you are coming from. Unfortunately there are legal
reasons pertaining to ongoing patent work that would prevent me from
disclosing the reasons why we (I) need to dynamically load code at the
kernel
level. It's unfortunately one of those situations where telling anyone
about
our master plan basically screws us :-)

So it sounds to me like I need to take this offline with a consultant,
get
an NDA signed and proceed with some technical questions since for the
most
part, the participants on this forum feel ill at ease with answering
my
questions without prior full disclosure (which won't happen anytime
soon).

cheers,
Luis Miguel Huapaya




--
Ray




.

Relevant Pages

  • Re: Dynamically loading binaries in Kernel mode.
    ... Allocate kernel level memory that is big enough to ... receive the binary image of the dynamic code ... Load the code into memory. ...
    (microsoft.public.development.device.drivers)
  • Re: Dynamically loading binaries in Kernel mode.
    ... Allocate kernel level memory that is big enough to ... receive the binary image of the dynamic code ... Load the code into memory. ...
    (microsoft.public.development.device.drivers)
  • Re: need RAID driver for install, but no floppy drive
    ... >> which in this case will be the install kernel. ... > driver on the rescue floppy. ... How do I mount those Debian install ... it should work when you try to load a driver off the floppy using the ...
    (Debian-User)
  • Re: Dynamically loading binaries in Kernel mode.
    ... Right now only the kernel will load ... Windows 2k/XP/2k3 Filesystem and Driver Consulting ...
    (microsoft.public.development.device.drivers)
  • Re: Evil: TI ACX111 non-success
    ... Perhaps ndis returning 6 and failing to load is a result of the ... This chip has two ranges, ... it seems this driver wants the FwRad16.bin image. ... If you plan to load the ndis.ko and if_ndis.ko kernel modules AFTER ...
    (freebsd-current)