Monday, 29 October 2012

Debugging the DriverEntry routine

Hi!! In this post I will describe how I managed to debug the DriverEntry routine of a driver for which I didn't have the symbols.

As it is explained here, the DriverEntry name is not fixed across drivers, and you can choose any name you want. What makes a routine the initial one is precisely the INIT keyword, and when the driver is built, this address is recorded in the PE optional header of the driver image, in a field labeled "AddressOfEntryPoint". So all we have to do is find this address (a relative virtual address, i.e. an offset from the driver's load base) and insert a breakpoint in WinDbg at module base plus that offset.

To do that I used the following utility. Install it, open your driver, and the AddressOfEntryPoint value is shown right there (in my case 0x000bb09c):
Now you can insert a new breakpoint with: bp YourDriver+0x000bb09c, or, if the driver you want to debug is loaded at boot time, reboot your computer and when WinDbg breaks in use the deferred form: bu YourDriver+0x000bb09c (bu stays pending until the module is actually loaded, so it also works for modules that are not yet in memory).
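If you prefer not to install a GUI viewer, the same value can be read straight from the PE headers. The following script is an added example (not the utility used in the post): it walks the DOS header to e_lfanew, checks the "PE\0\0" signature, skips the 20-byte COFF header, and reads AddressOfEntryPoint at offset 16 of the optional header, then prints the WinDbg bp/bu command in the same "module+0xRVA" form used above. The module name YourDriver and the constructed header-only image in build_sample_image are assumptions for illustration; point entry_point_rva_from_file at a real .sys to get the live value.

```python
import struct
import sys

# Offsets and constants from the PE/COFF specification.
E_LFANEW_OFFSET = 0x3C          # DOS header field pointing at the "PE\0\0" signature
COFF_HEADER_SIZE = 20           # IMAGE_FILE_HEADER
OPTIONAL_MAGIC_PE32 = 0x10B
OPTIONAL_MAGIC_PE32PLUS = 0x20B
ENTRY_POINT_OFFSET = 16         # AddressOfEntryPoint inside IMAGE_OPTIONAL_HEADER


def entry_point_rva(image: bytes) -> int:
    """Return AddressOfEntryPoint (an RVA) from a PE image in memory."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, E_LFANEW_OFFSET)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")

    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _m, _n, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", image, coff)
    if opt_size < ENTRY_POINT_OFFSET + 4:
        raise ValueError("optional header too small to hold AddressOfEntryPoint")

    opt = coff + COFF_HEADER_SIZE
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (OPTIONAL_MAGIC_PE32, OPTIONAL_MAGIC_PE32PLUS):
        raise ValueError(f"unexpected optional header magic 0x{magic:x}")

    (rva,) = struct.unpack_from("<I", image, opt + ENTRY_POINT_OFFSET)
    return rva


def entry_point_rva_from_file(path: str) -> int:
    with open(path, "rb") as f:
        return entry_point_rva(f.read())


def windbg_breakpoint(module: str, rva: int, deferred: bool = False) -> str:
    """Build the WinDbg command: bp for a loaded module, bu for a deferred one."""
    cmd = "bu" if deferred else "bp"
    return f"{cmd} {module}+0x{rva:08x}"


def build_sample_image(entry_rva: int) -> bytes:
    """Constructed header-only PE32+ image used as sample input (not a real driver)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 64)   # PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, OPTIONAL_MAGIC_PE32PLUS)
    struct.pack_into("<I", opt, ENTRY_POINT_OFFSET, entry_rva)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        rva = entry_point_rva_from_file(sys.argv[1])   # real driver image
    else:
        rva = entry_point_rva(build_sample_image(0x000BB09C))  # constructed sample
    print(windbg_breakpoint("YourDriver", rva))                 # loaded module
    print(windbg_breakpoint("YourDriver", rva, deferred=True))  # boot-time driver
```

Run it with the path of a .sys file as the only argument; with no argument it parses the constructed sample and prints the two commands for the 0x000bb09c case from the post.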

If everything went fine you should hit the breakpoint while the call stack is inside the Windows kernel function IopLoadDriver, which is the routine that invokes the driver's entry point.

Hope it helps! As always, if you find any bug or want to contribute just send a comment. Thanks a lot!
