Firstly, I'd like to thank everybody who has decided to read my blog. I hope it will inspire others to start their own and share knowledge in the field of reverse engineering and exploitation with everyone. I am always open to suggestions and criticism about my work, so feel free to send me an email or write a comment down below.

When NtLoadDriver is called directly via a syscall, the call fails. The NTSTATUS code is STATUS_NO_CALLBACK_ACTIVE (0xC0000258). Description: "A callback return system service cannot be executed when no callback is active." Unfortunately, it's an error which I cannot understand. Maybe someone can explain it more simply.

I use OSR Driver Loader to test whether a service is registered/unregistered or running/stopped, and I can confirm that the service is registered and can be started and stopped using OSR Driver Loader. I can also acquire a handle to the driver once it's started.

I ran a test to see whether my function signature for NtLoadDriver was wrong, or whether the UNICODE_STRING structure I was using was wrong. So I DllImported NtLoadDriver from ntdll.dll and tested using that, with the same signature I was using for the syscall delegate and passing in the exact same argument. To my surprise, it seems to work perfectly, giving a successful result (NT_SUCCESS).

So the question boils down to: why doesn't NtLoadDriver work when called directly via a syscall, and why does it work when using the ntdll export? My speculation is that ntdll.dll does some initialization and writes some code around NtLoadDriver which makes it work. I don't have the reverse engineering prowess to actually confirm this.