diStorm3 for Ring 0
Gil Dabah Aug 2010
http://ragestorm.net/distorm/

Tested sample with DDK 7600.16385.1 using WinXPSP2.

Steps of how to build the diStorm64 sample using the DDK.

Warning - Make sure the path you extracted diStorm to does not include any spaces, otherwise the DDK's build.exe will fail with a path error.
1) Open the DDK's build environment, for example "Win XP Free Build Environment",
   which sets up the environment variables for building a driver. Alternatively run SETENV.BAT from a plain console.

2) Change into the /ddkproj directory and launch "build".

3) If everything worked smoothly, you should see a new file named "distorm.sys" under objfre_wxp_x86\i386
   (that's if you use WinXP and the Free Environment; a Checked build lands under objchk_wxp_x86\i386 instead).

   - If you get errors, try moving the whole distorm directory to c:\winddk\src\
     (or any other directory tree which doesn't contain spaces in its name).
4) Now you will have to register the new driver as a kernel service:
   a. Copy the distorm.sys file to \windows\system32\drivers\.
   b. Use the DDK's regini.exe with the supplied distorm.ini, which writes the service key directly into the registry.
   c. Restart Windows for the change to take effect: the Service Control Manager does not pick up a service key
      written straight into the registry until it re-reads the database at boot. :(

   **The alternative is to use a tool like KmdManager.exe, or "sc create distorm type= kernel binPath= <path to distorm.sys>",
     which registers the driver through the Service Control Manager, so neither the .ini file nor a reboot is needed.

5) Now open your favorite debug-strings monitor (mine is DebugView).
   Make sure you monitor kernel debug-strings (in DebugView: Capture -> Capture Kernel), otherwise the driver's output is invisible.

6) Launching "net start distorm" from the command line loads the driver and runs the DriverEntry code in "main.c",
   which disassembles a few instructions from the KeBugCheck routine and dumps them using DbgPrint.
NOTES:
------
The sample uses the stack for storing the results from the decode function.
Each _DecodedInst carries three fixed-size text buffers, so an array of them is large, and the kernel-mode stack is small
(12 KB on 32-bit Windows, shared with every caller above you). If you need many result structures, allocate the buffer
before calling the decode function and free it afterwards. Don't use the NONPAGED pool unless the buffer is really touched
at DISPATCH_LEVEL or above; at PASSIVE_LEVEL the paged pool is enough.

_OffsetType is the type of the DecodedInstruction.Offset field, which defaults to 64 bits (SUPPORT_64BIT_OFFSET),
so make sure that when you print this field you use %I64X (a plain %X would read only half of the value and misalign
the remaining arguments), and when you use it anywhere else you declare the variable as _OffsetType as well.
Notice that the sample calls distorm_decode64 directly, because SUPPORT_64BIT_OFFSET is defined and the sample does not
use the distorm_decode macro from distorm.h that would otherwise select it.

diStorm itself can be called at any IRQL: it takes no locks, allocates nothing, and does not use the standard C library at all.
The sample nevertheless uses diStorm at PASSIVE_LEVEL, which is also what a paged-pool result buffer requires.