Results 1 to 4 of 4

Thread: How to unpack a .sys file?(device driver)

  1. #1

    How to unpack a .sys file?(device driver)

    Although .sys is a PE file, but I think dumping .sys is very different from
    dumping a exe or a dll.

    Anyone can give me some suggestions in unpacking .sys file?
    how to find the OEP?
    how to dump the import table? (I think ImportRec will not work in Ring 0.)

    I used google but found nothing helpful.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    As you correctly said, it is a PE
    The import table is the same in a PE, if you see a non crypted .sys you can see in the import table the imports from ntoskrnl. The entry point is the one specified in the PE, it corresponds to the DriverEntry function of the driver, in which i suppose the self-unpacking code should reside. After that, usually the callbacks of the driver are placed in the driver_object structure (see ddk and related documentation for this) and they are the ones you should be interested in.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  3. #3
    Registered User
    Join Date
    Feb 2002
    Some invaluable info abou sys in miniproject section. If well protected, you will not be able to live dump a .sys as a .exe because of int1 and int3 tricky redirections. Anyway, don't forget to unprotect pages with an or CR0
    good luck

  4. #4
    Musician member evaluator's Avatar
    Join Date
    Sep 2001
    Blog Entries
    you can unpack SYS file by debugging step-by-step.
    for sympbols, by address determine those names, write down & then build new Import table.

    What SYS are you unpacking?

Similar Threads

  1. Linux device driver
    By robert in forum Linux RCE
    Replies: 15
    Last Post: April 14th, 2011, 14:00
  2. Replies: 4
    Last Post: January 16th, 2010, 16:49
  3. Can anybody unpack this file
    By localcrack in forum The Newbie Forum
    Replies: 2
    Last Post: February 13th, 2009, 19:31
  4. using HID device in Driver and strange device corruption
    By Hero in forum Advanced Reversing and Programming
    Replies: 2
    Last Post: February 17th, 2008, 00:30


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts