Re: Reverse engineering Windows drivers.

From: Jeff V. Merkey (jmerkey@timpanogas.com)
Date: Mon Jan 31 2000 - 12:25:23 EST


If you are using the MS DDK, you can run a program called 'rebase' to
strip out the symbols into a *.DBG file that you can import into the NT
kernel debugger and MSDEV workbench (which come free with Visual C++).
All drivers under Windows NT are either VXD (LE Format) or PE Format.
The following commands will strip driver symbols for PE based drivers
(32/64 bit) and let you reverse engineer them. We do **LOTS** of NT
kernel work. This is undocumented NT stuff, and you are welcome!

dumpbin /headers <driver.sys>

(you need the image address which is usually 0x10000 for most PE
drivers, but you should check)

rebase -b 0x1000 -x . <driver.sys>

This will split the symbols from free build and checked build drivers
and let you use MS tools to reverse compile them. You want to do this
if you need to import a *.DBG file into any MS tools.

email me if you have further questions.

Jeff

Jeff Garzik wrote:
>
> On Sun, 30 Jan 2000, Patrick Roberts wrote:
>
> > I'm trying to find some correct settings for my video card that I'm writing a
> > utility for. Can anyone recommend some freeware that:
> >
> > 1) Disassembles windows programs/drivers/dlls under linux (or do I HAVE to buy
> > and install Windows...God forbid!)
>
> My best recommendation is to buy Windows, and buy Windows Sourcer. It
> is THE best Windows/DOS disassembler I've ever seen. Not only is the
> asm generation excellent, along with somewhat-insightful code comments,
> but it recognizes all DOS/Windows debugging info formats, so that your
> assembly code will look even better if the vendor was foolish^H^H^Hnice
> enough to include the symbol info.
>
> Jeff
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.rutgers.edu
> Please read the FAQ at http://www.tux.org/lkml/

This archive was generated by hypermail 2b29 : Mon Jan 31 2000 - 21:00:29 EST
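Added example, not part of the original thread or of any of the tools it names. Jeff Merkey's post says to read the image address out of `dumpbin /headers` before running `rebase -b`, and to check it rather than assume it. The script below does that check offline: it walks the DOS header to `e_lfanew`, verifies the `PE\0\0` signature, reads the optional-header magic to tell PE32 (32-bit) from PE32+ (64-bit), and pulls `ImageBase` from the correct offset for each format (the field moves because PE32+ has no `BaseOfData`). It rejects truncated or non-PE input instead of returning garbage. The sample image it parses is a constructed, headers-only PE built in `build_sample_pe`, not a real driver; `rebase_command` and `pe_image_base` are names chosen for this example.

```python
"""Read ImageBase and bitness from a PE driver's headers (added example)."""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D       # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550    # "PE\0\0"
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def pe_image_base(data: bytes) -> dict:
    """Parse DOS header -> NT headers -> optional header and return base info.

    Raises ValueError on anything that is not a well-formed PE image, so a
    truncated or non-PE file is refused rather than yielding a bogus base.
    """
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # e_lfanew comes from the file; bounds-check it before following it.
    if e_lfanew + 24 > len(data):
        raise ValueError("e_lfanew points outside the file")
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsect, _ts, _psym, _nsym, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    if opt_size < 32 or opt_off + opt_size > len(data):
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == PE32_MAGIC:
        # PE32: BaseOfData precedes ImageBase, which is a DWORD at offset 28.
        image_base = struct.unpack_from("<I", data, opt_off + 28)[0]
        bits = 32
    elif magic == PE32PLUS_MAGIC:
        # PE32+: no BaseOfData, so ImageBase is a QWORD at offset 24.
        image_base = struct.unpack_from("<Q", data, opt_off + 24)[0]
        bits = 64
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    return {"machine": machine, "bits": bits, "image_base": image_base,
            "sections": nsect, "characteristics": chars}


def rebase_command(path: str, data: bytes) -> str:
    """Build the rebase invocation from the post, with -b taken from the headers."""
    info = pe_image_base(data)
    return f"rebase -b 0x{info['image_base']:x} -x . {path}"


def build_sample_pe(image_base: int, pe32plus: bool) -> bytes:
    """Construct a minimal headers-only PE image for the demo (not a real driver)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    if pe32plus:
        opt = bytearray(240)               # sizeof(IMAGE_OPTIONAL_HEADER64)
        struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
        struct.pack_into("<Q", opt, 24, image_base)
        machine = IMAGE_FILE_MACHINE_AMD64
    else:
        opt = bytearray(224)               # sizeof(IMAGE_OPTIONAL_HEADER32)
        struct.pack_into("<H", opt, 0, PE32_MAGIC)
        struct.pack_into("<I", opt, 28, image_base)
        machine = IMAGE_FILE_MACHINE_I386
    file_hdr = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, len(opt), 0x0002)
    return bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_hdr + bytes(opt)


if __name__ == "__main__":
    for base, plus in ((0x10000, False), (0x140000000, True)):
        sample = build_sample_pe(base, plus)
        info = pe_image_base(sample)
        print(f"PE32{'+' if plus else ''} {info['bits']}-bit ImageBase=0x{info['image_base']:x}")
        print("  " + rebase_command("driver.sys", sample))
```

Run it against a real `.sys` by replacing the constructed sample with `open(path, "rb").read()`; the value it prints is the one to confirm against `dumpbin /headers` before passing it to `-b`.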