Patching instructions of a loaded driver

  • Question

  • Upon driver start-up, I need to change a single byte of bthport.sys to change its run-time behavior. I am able to find the exact place to be updated; unfortunately, when updating the instruction I get a general protection failure, and setting up the WP flag of the CR0 register didn't help.

    How can I programmatically control page protection in a kernel mode driver?


    Nadav Rubinstein, See my Blog @ http://www.sophin.com

    Sunday, October 26, 2014 11:22 AM

Answers

  • Well, unless this is an "embedded system" type solution, where I know exactly what is going into the box, patching would have been ruled out.  I know it is not what someone wants to hear, but considering the damage that can happen by patching, and especially since the driver that does it is unlikely to be the one that is blamed for the failure, this is not a solution.  Depending on where this driver is deployed, a patch like that would likely result in a lawsuit for the developer and the company that shipped the driver.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com

    Sunday, October 26, 2014 3:09 PM

All replies

  • The first question I have to ask is why in the world you think that patching an inbox driver makes any sense at all.  First, as you state, you are changing its runtime behavior; what happens if another driver depends on that behavior?  Second, you are assuming that the driver will not change; what happens when the driver is updated by Windows Update and your patch is no longer exactly right?

    This is one of those situations where, when I review 3rd party drivers for clients, if I see this behavior, I recommend that the vendor be put on the "NEVER EVEN TALK TO THEM AGAIN, LET ALONE CONSIDER ONE OF THEIR PRODUCTS" list.

    I don't know bthport.sys, but if you asked how to work around a particular problem, you might get an appropriate response; patching is certainly not it.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com

    Sunday, October 26, 2014 2:39 PM
  • Mr. Burn,

    He has asked, and wasn't offered any resolution besides "not supported". What would you do in such a situation?

    Regards,

    -- pa

    Sunday, October 26, 2014 3:00 PM
  • Mr. Burn

    For a commercial product used & integrated by 3rd parties this is indeed not the solution of choice; in my case this is to be deployed in a controlled environment.

    I need to use my desktop to simulate an HID keyboard. In accordance with the BT spec, PSMs 0x13 & 0x11 are used for HID; these HIDs are "reserved for OS use" on Windows.

    I don't want to develop custom HW. I would really like to be able to avoid this kind of solution, due to the reasoning you have mentioned in your post, and I would be happy to be advised of any alternative solution.



    Nadav Rubinstein, See my Blog @ http://www.sophin.com


    • Edited by Nadav Rub Sunday, October 26, 2014 3:49 PM
    Sunday, October 26, 2014 3:48 PM
  • From your description I realize it is for your experimenting.  The reason I come off so strong is that in my 40+ years in the industry, if you answer something like this, while the person who posed the question is trying to do the right thing, the next person will just see how to patch the code and not consider the consequences.  I've reviewed code multiple times where some totally inappropriate technique is used, and in some cases there is a large comment from the original program that mentioned this was only for experimentation and should never be used in a product; of course it was in a shipping product!!!


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com

    Sunday, October 26, 2014 4:31 PM