Thread: KMD -- manual unloading???

  1. #1

    KMD -- manual unloading???

    Hi guys,

    I apologize in advance if this is a bit off topic, but I figured one of you guys might be able to help me a bit.

    Currently, I'm writing my first KMD. At this point the KMD and the loader assemble, but at this newbie stage of development there seem to be a few bugs which bring down the system when it actually runs, heh, heh. I'm using the CreateService / OpenService / StartService APIs to dynamically load the driver. As it's currently crashing before being properly unloaded, I can't load it again until after a reboot, and even sometimes after a reboot CreateService returns with an ERROR_SERVICE_DISABLED. I know there are some registry entries associated with services, so I'm guessing that perhaps the driver is flagged in the registry for deletion, but the registered service is only deleted when the system is *properly* shut down, not locked up cold necessitating a hard reboot? I really have no idea... I'm probably way off the mark here and I only have a couple of sketchy examples to go on. Anyway, does anyone know if there is a procedure for manually unloading a failed driver? This rebooting and ERROR_SERVICE_DISABLED problem is driving me nuts.

    Thanks in advance,
    Clandestiny

  2. #2
    dELTA (Administrator)
    Are you using Win9x or NT/2k/XP?

    All info for registered drivers/services can be found under the current registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

    If the driver is set to disabled there, you can either change its state manually, or delete the entry completely to reset it (then reboot).

    If you are using NT/2k/XP, there are some more tips I can give.


    A quite generic solution is to search for your driver name in the registry (e.g. "my_driver.sys") and see what you find. The entries in which it will occur are often not very hard to "reverse".

    dELTA

  3. #3
    dELTA (Administrator)
    Stupid board software... Do you see the line with the registry key above? As you can see, it is broken off in the middle of the word "Services", and no matter how I try to edit it, it will still be broken off in the exact same place. Seems like some kind of "maximum word length" or something...

  4. #4
    Sometimes you can unload a KMD by typing

    net stop kmdname

    from a cmd window... It works for most I've tried, but the KMD must have an unload service for it to work, I think.

  5. #5
    Thank you guys for the input.

    dELTA, the driver is for Win2K. I have edited the registry as you suggested. I've observed that this works great provided that you do a clean shutdown / reboot; however, if the driver locks up in a blue screen forcing a hard reboot, I find that I will still get the ERROR_SERVICE_DISABLED problem on the next restart. At that point, if I go in and edit the registry after the first hard reboot and do a clean shutdown / boot, I am able to load the driver again. So basically this requires 2 restarts, 1 hard reboot after the crash and 1 clean reboot after editing the registry. It's still a pain in the ass! Guess it's what I get for playing around with KMDs, eh? I'm open to any additional tips / examples you've got for Win 2k drivers...

    Thanks,
    Clandestiny

  6. #6
    dELTA (Administrator)
    In Windows 2k/XP you mostly don't need to edit the registry by hand in this way if you don't want to. You can also do the following:

    1. On your desktop, right-click "My computer".

    2. From the menu, choose "Manage"; a window will appear.

    3a. For non-kernel-driver services you go to the item "Services and Applications --> Services".

    3b. For kernel drivers you go to the "Device manager". You then bring out the "View" menu from the top menu bar and choose "Show hidden devices". A new item called "Non-Plug and Play Drivers" will now appear in the list to the right. Under it you will find items for all kernel drivers registered in the system.

    4. On any of these driver/service items, you can right-click to bring up options for editing its properties and enable/disable/uninstall it.


    About the reboots, yes, that is what you get for playing around with drivers.

    It might be possible to do the following to make it just a single reboot though:

    1. Load the driver.

    2. "Pause" the driver before it gets to the potential crash point.

    3. Delete the registry entries for the driver.

    4. Continue execution of the driver.

    5. If the driver crashes your computer, all should be well again after rebooting. If it does not crash, you simply restore the registry entries after your tests are complete.

    It's probably easiest to make a little program for quick removal/restoration of the registry entries.

    Good luck!

    dELTA
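The following script is an added example (not code from the thread or from any of its posters) of the "little program for quick removal/restoration of the registry entries" that dELTA suggests, combined with the sc.exe equivalents of the CreateService / StartService / stop / delete steps from the first post. It is written for a modern PowerShell rather than the Win2K tooling of the thread. The service name `my_driver`, the driver path `C:\dev\my_driver.sys` and the backup file location are placeholders; it assumes the driver's crash point is reached only after `StartService` has returned (e.g. on a later I/O request), not inside `DriverEntry`, since the registry entry can only be removed from user mode once the driver is already resident. It must be run from an elevated prompt.

```powershell
# Added example: test harness for a crash-prone kernel driver under development.
# Usage:  .\kmd-test.ps1 prepare   (register the driver and back up its registry key)
#         .\kmd-test.ps1 run       (start it, then remove the key so a hard reboot leaves nothing stale)
#         .\kmd-test.ps1 done      (no crash: restore the key, stop and delete the driver cleanly)
#         .\kmd-test.ps1 crashed   (after a hard reboot: inspect and reset a disabled entry)
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('prepare', 'run', 'done', 'crashed')]
    [string]$Action,
    [string]$Name    = 'my_driver',                       # placeholder service name
    [string]$BinPath = 'C:\dev\my_driver.sys',             # placeholder path to the .sys file
    [string]$Backup  = "$env:TEMP\$Name-services.reg"      # placeholder backup location
)

# The same key dELTA points at, in reg.exe form and in PowerShell provider form.
$regKey = "HKLM\SYSTEM\CurrentControlSet\Services\$Name"
$psKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"

function Show-DriverState {
    # Start value meanings: 3 = SERVICE_DEMAND_START, 4 = SERVICE_DISABLED.
    if (Test-Path $psKey) {
        $start = (Get-ItemProperty -Path $psKey -Name Start -ErrorAction SilentlyContinue).Start
        Write-Host "registry entry present, Start=$start"
    } else {
        Write-Host "registry entry absent"
    }
    # sc.exe reports the SCM's view (STOPPED / RUNNING / or 'does not exist').
    sc.exe query $Name | Select-String 'STATE|FAILED'
}

function Reset-DisabledDriver {
    # Scripted form of dELTA's manual edit: a disabled entry (Start=4) is put back to demand-start.
    if (Test-Path $psKey) {
        $start = (Get-ItemProperty -Path $psKey -Name Start -ErrorAction SilentlyContinue).Start
        if ($start -eq 4) {
            Set-ItemProperty -Path $psKey -Name Start -Value 3 -Type DWord
            Write-Host "Start was 4 (disabled); set back to 3 (demand start)"
        }
    }
}

switch ($Action) {
    'prepare' {
        # sc.exe create is the command-line equivalent of CreateService for a kernel driver.
        # Note the space after each '=' which sc.exe requires.
        sc.exe create $Name type= kernel start= demand binPath= $BinPath
        if ($LASTEXITCODE -ne 0) { throw "sc create failed with exit code $LASTEXITCODE" }
        # Snapshot the key so it can be restored after a successful test run.
        reg.exe export $regKey $Backup /y
        Show-DriverState
    }
    'run' {
        # StartService equivalent; the driver is now resident.
        sc.exe start $Name
        if ($LASTEXITCODE -ne 0) { throw "sc start failed with exit code $LASTEXITCODE" }
        # dELTA's step 3: drop the registry entry while the driver runs. If the machine now
        # blue-screens and is hard-reset, there is no entry left to come back disabled.
        reg.exe delete $regKey /f
        Write-Host "driver running with registry entry removed; exercise it now"
    }
    'done' {
        # No crash: dELTA's step 5, restore the entries, then unload and unregister normally
        # (same effect as 'net stop' from post #4 followed by DeleteService).
        reg.exe import $Backup
        sc.exe stop $Name
        sc.exe delete $Name
        Show-DriverState
    }
    'crashed' {
        # After the hard reboot: show what survived, and undo a disabled flag if one is present.
        Show-DriverState
        Reset-DisabledDriver
    }
}
```

The `run` branch is the interesting one: because the key is already gone before the driver reaches its crash path, a hard reset does not leave the entry behind in the disabled state described in post #5, and no second clean reboot is needed. Whether `sc.exe stop` still finds the service after its key has been deleted is assumed here to follow dELTA's advice (restore first, then stop), which is why `done` imports the backup before stopping.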

  7. #7
    I think a great tool for unloading a driver from memory is DriverMonitor from DriverStudio. It can unload the driver and remove it from the registry too. Just select the driver and click the icons.

  8. #8
    Thank you dELTA and separator! DriverMonitor is EXACTLY what I was looking for... And to think I had it already installed on my HD w/ the rest of DriverStudio and SoftICE with no idea wtf it was used for till now... /sending myself to the corner to RTFM

    Thanks,
    Clandestiny
