Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How to fix KbLdrStatus::KbLdrImportNotResolved at MapDriverFile? #18

Closed
vajos opened this issue Feb 10, 2020 · 5 comments
Closed

How to fix KbLdrStatus::KbLdrImportNotResolved at MapDriverFile? #18

vajos opened this issue Feb 10, 2020 · 5 comments

Comments

@vajos
Copy link

vajos commented Feb 10, 2020
edited
Loading

Mapping any driver even the simplest.

auto test = KbRtl::KbRtlMapDriverFile(L"C:\\dummy.sys", L"KBFM"); fmt::print("test {0} ", test);

Produces KbLdrImportNotResolved can someone provide me a dummy driver example or explain to me what this error means and how to fix it?

#include <ntddk.h>


extern "C" DRIVER_INITIALIZE DriverEntry;


namespace {
    UNICODE_STRING DeviceName = RTL_CONSTANT_STRING(L"\\Device\\KBFM");
    UNICODE_STRING DeviceLink = RTL_CONSTANT_STRING(L"\\??\\KBFM");
    PDEVICE_OBJECT DeviceInstance = NULL;
}

#define IO_INCREMENT_VALUE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0001, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
#define IO_RECEIVE_RANDOM_BUFFER CTL_CODE(FILE_DEVICE_UNKNOWN, 0x0002, METHOD_BUFFERED, FILE_SPECIAL_ACCESS)
EXTERN_C_START



static NTSTATUS IoControl(PDEVICE_OBJECT DeviceObject, PIRP Irp);

static NTSTATUS UnloadDriver(PDRIVER_OBJECT DriverObject);

static NTSTATUS CreateCall(PDEVICE_OBJECT DeviceObject, PIRP irp);

static NTSTATUS CloseCall(PDEVICE_OBJECT DeviceObject, PIRP irp);
EXTERN_C_END

extern "C" NTSTATUS NTAPI DriverEntry(
    _In_ PDRIVER_OBJECT DriverObject,
    _In_ PUNICODE_STRING RegistryPath
) {
    UNREFERENCED_PARAMETER(RegistryPath);
    NTSTATUS Status = IoCreateDevice(DriverObject, 0, &DeviceName, FILE_DEVICE_UNKNOWN, 0, FALSE, &DeviceInstance);

    if (!NT_SUCCESS(Status)) {
        KdPrint(("[KBFM]: IoCreateDevice Error!\r\n"));
        return Status;
    }

    Status = IoCreateSymbolicLink(&DeviceLink, &DeviceName);

    if (!NT_SUCCESS(Status)) {
        KdPrint(("[KBFM]: IoCreateSymbolicLink Error!\r\n"));
        IoDeleteDevice(DeviceInstance);
        return Status;
    }


    DriverObject->MajorFunction[IRP_MJ_CREATE] = CreateCall;
    DriverObject->MajorFunction[IRP_MJ_CLOSE] = CloseCall;
    DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL] = IoControl;
    DriverObject->DriverUnload = reinterpret_cast<PDRIVER_UNLOAD>(UnloadDriver);

	
    return STATUS_SUCCESS;
}



static NTSTATUS UnloadDriver(PDRIVER_OBJECT DriverObject)
{
    KdPrint(("[KBFM]: Unload routne called!\r\n"));
    IoDeleteSymbolicLink(&DeviceLink);
    IoDeleteDevice(DriverObject->DeviceObject);
    return STATUS_SUCCESS;
}


static NTSTATUS CreateCall(PDEVICE_OBJECT DeviceObject, PIRP irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);
    KdPrint(("[KBFM]: Create called!\r\n"));
    irp->IoStatus.Status = STATUS_SUCCESS;
    irp->IoStatus.Information = 0;

    IoCompleteRequest(irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}

static NTSTATUS CloseCall(PDEVICE_OBJECT DeviceObject, PIRP irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);
    KdPrint(("[KBFM]: Closecall called!\r\n"));
    irp->IoStatus.Status = STATUS_SUCCESS;
    irp->IoStatus.Information = 0;

    IoCompleteRequest(irp, IO_NO_INCREMENT);
    return STATUS_SUCCESS;
}


static NTSTATUS IoControl(PDEVICE_OBJECT DeviceObject, PIRP Irp)
{
    UNREFERENCED_PARAMETER(DeviceObject);
    NTSTATUS Status = STATUS_INVALID_PARAMETER;
    ULONG BytesIO = 0;

    const IO_STACK_LOCATION stack = *IoGetCurrentIrpStackLocation(Irp);
    const ULONG ControlCode = stack.Parameters.DeviceIoControl.IoControlCode;

    if (ControlCode == IO_INCREMENT_VALUE)
    {


    }
    else if (ControlCode == IO_RECEIVE_RANDOM_BUFFER)
    {

    }

    // Complete the request
    Irp->IoStatus.Status = Status;
    Irp->IoStatus.Information = BytesIO;
    IoCompleteRequest(Irp, IO_NO_INCREMENT);

    return Status;
}
@HoShiMin
Copy link
Owner

HoShiMin commented Feb 11, 2020
edited
Loading

Show your driver dependencies in export table

@vajos
Copy link
Author

vajos commented Feb 11, 2020

Im not exactly sure what you mean so here is a dumpfile of my driver its 1:1 the above code.

PE signature found

File Type : EXECUTABLE IMAGE

FILE HEADER VALUES
8664 machine(x64)
6 number of sections
5E4000C1 time date stamp Sun Feb  9 13 : 53 : 21 2020
0 file pointer to symbol table
0 number of symbols
F0 size of optional header
22 characteristics
Executable
Application can handle large(> 2GB) addresses

OPTIONAL HEADER VALUES
20B magic # (PE32 + )
14.24 linker version
C00 size of code
E00 size of initialized data
0 size of uninitialized data
13E0 entry point(00000001400013E0) FxDriverEntry
1000 base of code
140000000 image base(0000000140000000 to 0000000140006FFF)
1000 section alignment
200 file alignment
10.00 operating system version
10.00 image version
10.00 subsystem version
0 Win32 version
7000 size of image
400 size of headers
11090 checksum
1 subsystem(Native)
4160 DLL characteristics
High Entropy Virtual Addresses
Dynamic base
NX compatible
Control Flow Guard
100000 size of stack reserve
1000 size of stack commit
100000 size of heap reserve
1000 size of heap commit
0 loader flags
10 number of directories
0[0] RVA[size] of Export Directory
5030[3C] RVA[size] of Import Directory
0[0] RVA[size] of Resource Directory
4000[D8] RVA[size] of Exception Directory
0[0] RVA[size] of Certificates Directory
6000[28] RVA[size] of Base Relocation Directory
2100[38] RVA[size] of Debug Directory
0[0] RVA[size] of Architecture Directory
0[0] RVA[size] of Global Pointer Directory
0[0] RVA[size] of Thread Storage Directory
2140[108] RVA[size] of Load Configuration Directory
0[0] RVA[size] of Bound Import Directory
2000[68] RVA[size] of Import Address Table Directory
0[0] RVA[size] of Delay Import Directory
0[0] RVA[size] of COM Descriptor Directory
0[0] RVA[size] of Reserved Directory


SECTION HEADER #1
.text name
81C virtual size
1000 virtual address(0000000140001000 to 000000014000181B)
A00 size of raw data
400 file pointer to raw data(00000400 to 00000DFF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
68000020 flags
Code
Not Paged
Execute Read

RAW DATA #1
0000000140001000: 48 89 54 24 10 48 89 4C 24 08 48 83 EC 28 48 8D  H.T$.H.L$.H.ì(H.
    0000000140001010: 0D EB 07 00 00 E8 0D 03 00 00 48 8B 44 24 38 C7.ë...è....H.D$8Ç
    0000000140001020 : 40 30 00 00 00 00 48 8B 44 24 38 48 C7 40 38 00  @0....H.D$8HÇ@8.
    0000000140001030: 00 00 00 33 D2 48 8B 4C 24 38 FF 15 08 10 00 00  ...3ÒH.L$8ÿ.....
    0000000140001040: 33 C0 48 83 C4 28 C3 CC CC CC CC CC CC CC CC CC  3ÀH.Ä(ÃÌÌÌÌÌÌÌÌÌ
        0000000140001050: 48 89 54 24 10 48 89 4C 24 08 48 83 EC 28 48 8D  H.T$.H.L$.H.ì(H.
            0000000140001060: 0D 7B 07 00 00 E8 BD 02 00 00 48 8B 44 24 38 C7  .{...è½...H.D$8Ç
            0000000140001070: 40 30 00 00 00 00 48 8B 44 24 38 48 C7 40 38 00  @0....H.D$8HÇ@8.
            0000000140001080: 00 00 00 33 D2 48 8B 4C 24 38 FF 15 B8 0F 00 00  ...3ÒH.L$8ÿ.¸...
            0000000140001090 : 33 C0 48 83 C4 28 C3 CC CC CC CC CC CC CC CC CC  3ÀH.Ä(ÃÌÌÌÌÌÌÌÌÌ
                00000001400010A0: 48 89 54 24 10 48 89 4C 24 08 48 83 EC 58 48 8D  H.T$.H.L$.H.ìXH.
                00000001400010B0: 05 EB 1F 00 00 48 89 44 24 30 C6 44 24 28 00 C7.ë...H.D$0ÆD$(.Ç
                    00000001400010C0: 44 24 20 00 00 00 00 41 B9 22 00 00 00 4C 8D 05  D$ ....A¹"...L..
                    00000001400010D0 : 2C 1F 00 00 33 D2 48 8B 4C 24 60 FF 15 5F 0F 00, ...3ÒH.L$`ÿ._..
                    00000001400010E0: 00 89 44 24 40 83 7C 24 40 00 7D 18 0F AE E8 48  ..D$@. | $@.}..®èH
                    00000001400010F0: 8D 0D 7A 06 00 00 E8 2C 02 00 00 8B 44 24 40 E9  ..z...è, ....D$@é
                    0000000140001100: A1 00 00 00 48 8D 15 F5 1E 00 00 48 8D 0D FE 1E  ¡...H..õ...H..þ.
                    0000000140001110 : 00 00 FF 15 20 0F 00 00 89 44 24 40 83 7C 24 40  ..ÿ. ....D$@. | $@
                    0000000140001120: 00 7D 22 0F AE E8 48 8D 0D 63 06 00 00 E8 F5 01  .}".®èH..c...èõ.
                    0000000140001130: 00 00 48 8B 0D 67 1F 00 00 FF 15 E9 0E 00 00 8B  ..H..g...ÿ.é....
                    0000000140001140 : 44 24 40 EB 60 B8 08 00 00 00 48 6B C0 00 48 8B  D$@ë`¸....HkÀ.H.
                    0000000140001150: 4C 24 60 48 8D 15 F6 FE FF FF 48 89 54 01 70 B8  L$`H..öþÿÿH.T.p¸
                    0000000140001160: 08 00 00 00 48 6B C0 02 48 8B 4C 24 60 48 8D 15  ....HkÀ.H.L$`H..
                    0000000140001170: 8C FE FF FF 48 89 54 01 70 B8 08 00 00 00 48 6B.þÿÿH.T.p¸....Hk
                    0000000140001180: C0 0E 48 8B 4C 24 60 48 8D 15 22 00 00 00 48 89  À.H.L$`H.."...H.
                    0000000140001190: 54 01 70 48 8B 44 24 60 48 8D 0D 11 01 00 00 48  T.pH.D$`H......H
                    00000001400011A0: 89 48 68 33 C0 48 83 C4 58 C3 CC CC CC CC CC CC.Hh3ÀH.ÄXÃÌÌÌÌÌÌ
                    00000001400011B0 : 48 89 54 24 10 48 89 4C 24 08 56 57 48 81 EC 88  H.T$.H.L$.VWH.ì.
                    00000001400011C0: 00 00 00 48 8B 05 56 1E 00 00 48 33 C4 48 89 44  ...H..V...H3ÄH.D
                    00000001400011D0 : 24 78 C7 44 24 24 0D 00 00 C0 C7 44 24 28 00 00  $xÇD$$...ÀÇD$(..
                        00000001400011E0: 00 00 48 8B 8C 24 A8 00 00 00 E8 71 00 00 00 48  ..H..$¨...èq...H
                        00000001400011F0 : 8D 4C 24 30 48 8B F9 48 8B F0 B9 48 00 00 00 F3.L$0H.ùH.ð¹H...ó
                        0000000140001200 : A4 8B 44 24 48 89 44 24 20 48 8B 84 24 A8 00 00  ¤.D$H.D$ H..$¨..
                        0000000140001210 : 00 8B 4C 24 24 89 48 30 8B 44 24 28 48 8B 8C 24  ..L$$.H0.D$(H..$
                            0000000140001220: A8 00 00 00 48 89 41 38 33 D2 48 8B 8C 24 A8 00  ¨...H.A83ÒH..$¨.
                            0000000140001230 : 00 00 FF 15 10 0E 00 00 8B 44 24 24 48 8B 4C 24  ..ÿ......D$$H.L$
                            0000000140001240 : 78 48 33 CC E8 B7 00 00 00 48 81 C4 88 00 00 00  xH3Ìè·...H.Ä....
                            0000000140001250 : 5F 5E C3 CC CC CC CC CC CC CC CC CC CC CC CC CC  _ ^ ÃÌÌÌÌÌÌÌÌÌÌÌÌÌ
                            0000000140001260 : 48 89 4C 24 08 48 83 EC 18 48 8B 44 24 20 0F BE  H.L$.H.ì.H.D$.¾
                            0000000140001270: 40 43 48 8B 4C 24 20 0F BE 49 42 FF C1 3B C1 7E  @CH.L$.¾IBÿÁ; Á~
                            0000000140001280: 0B CD 2C C7 04 24 00 00 00 00 EB 07 C7 04 24 01.Í, Ç.$....ë.Ç.$.
                            0000000140001290: 00 00 00 48 8B 44 24 20 48 8B 80 B8 00 00 00 48  ...H.D$ H..¸...H
                            00000001400012A0 : 83 C4 18 C3 CC CC CC CC CC CC CC CC CC CC CC CC.Ä.ÃÌÌÌÌÌÌÌÌÌÌÌÌ
                            00000001400012B0 : 48 89 4C 24 08 48 83 EC 28 48 8D 0D 00 05 00 00  H.L$.H.ì(H......
                                00000001400012C0: E8 62 00 00 00 48 8D 0D 44 1D 00 00 FF 15 86 0D  èb...H..D...ÿ...
                                00000001400012D0 : 00 00 48 8B 44 24 30 48 8B 48 08 FF 15 47 0D 00  ..H.D$0H.H.ÿ.G..
                                00000001400012E0: 00 33 C0 48 83 C4 28 C3 CC CC CC CC CC CC CC CC  .3ÀH.Ä(ÃÌÌÌÌÌÌÌÌ
                                    00000001400012F0: CC CC CC CC CC CC 66 66 0F 1F 84 00 00 00 00 00  ÌÌÌÌÌÌff........
                                    0000000140001300 : 48 3B 0D 19 1D 00 00 75 10 48 C1 C1 10 66 F7 C1  H; .....u.HÁÁ.f÷Á
                                    0000000140001310: FF FF 75 01 C3 48 C1 C9 10 E9 02 00 00 00 CC CC  ÿÿu.ÃHÁÉ.é....ÌÌ
                                    0000000140001320 : B9 02 00 00 00 CD 29 FF 25 23 0D 00 00 CC CC CC  ¹....Í)ÿ % #...ÌÌÌ
                                0000000140001330 : 48 83 EC 28 4D 8B 41 38 48 8B CA 49 8B D1 E8 0D  H.ì(M.A8H.ÊI.Ñè.
                                    0000000140001340: 00 00 00 B8 01 00 00 00 48 83 C4 28 C3 CC CC CC  ...¸....H.Ä(ÃÌÌÌ
                                        0000000140001350: 48 83 EC 28 41 8B 00 4C 8B C9 44 8B D8 4C 8B D1  H.ì(A..L.ÉD.ØL.Ñ
                                            0000000140001360: 41 83 E3 F8 A8 04 74 13 41 8B 40 08 4D 63 50 04  A.ãø¨.t.A.@.McP.
                                            0000000140001370: F7 D8 4C 03 D1 48 63 C8 4C 23 D1 49 63 C3 4E 8B  ÷ØL.ÑHcÈL#ÑIcÃN.
                                            0000000140001380: 04 10 48 8B 42 10 8B 48 08 48 8B 42 08 8A 54 01  ..H.B..H.H.B..T.
                                            0000000140001390: 03 F6 C2 0F 74 09 0F B6 C2 83 E0 F0 4C 03 C8 4D.öÂ.t..¶Â.àðL.ÈM
                                            00000001400013A0: 33 C8 49 8B C9 E8 56 FF FF FF 48 83 C4 28 C3 CC  3ÈI.ÉèVÿÿÿH.Ä(ÃÌ
                                                00000001400013B0: 48 83 EC 28 48 8D 0D 75 1C 00 00 E8 D0 02 00 00  H.ì(H..u...èÐ...
                                                    00000001400013C0: 4C 8B 05 19 1F 00 00 48 8D 15 62 1C 00 00 48 8D  L......H..b...H.
                                                    00000001400013D0 : 0D F3 1E 00 00 E8 4C 03 00 00 48 83 C4 28 C3 CC.ó...èL...H.Ä(ÃÌ
                                                        00000001400013E0: 48 89 5C 24 08 57 48 83 EC 20 48 8B DA 48 8B F9  H.\$.WH.ì H.ÚH.ù
                                                        00000001400013F0: E8 0B 3C 00 00 48 8B D3 48 8B CF E8 0C 00 00 00  è. < ..H.ÓH.Ïè....
                                                        0000000140001400: 48 8B 5C 24 30 48 83 C4 20 5F C3 CC 48 89 5C 24  H.\$0H.Ä _ÃÌH.\$
                                                        0000000140001410: 08 48 89 6C 24 10 48 89 74 24 18 57 48 83 EC 20.H.l$.H.t$.WH.ì
                                                        0000000140001420: 33 ED 48 8B F2 48 8B F9 48 85 C9 75 0A E8 6E FC  3íH.òH.ùH.Éu.ènü
                                                        0000000140001430 : FF FF E9 ED 00 00 00 48 8D 05 72 1C 00 00 48 89  ÿÿéí...H..r...H.
                                                        0000000140001440 : 3D A3 1E 00 00 48 8D 0D 7C 1E 00 00 48 89 05 7D = £...H.. | ...H..}
                                                        0000000140001450: 1E 00 00 C7 05 6B 1E 00 00 00 00 08 02 48 FF 15  ...Ç.k.......Hÿ.
                                                            0000000140001460: CC 0B 00 00 0F 1F 44 00 00 4C 8D 0D 70 1E 00 00  Ì.....D..L..p...
                                                            0000000140001470: 48 8B CF 4C 8D 05 B6 1B 00 00 48 8D 15 47 1E 00  H.ÏL..¶...H..G..
                                                            0000000140001480 : 00 E8 9A 02 00 00 85 C0 0F 88 96 00 00 00 48 8B.è.....À......H.
                                                            0000000140001490 : 05 43 1E 00 00 48 8D 0D 94 1B 00 00 48 8B 90 48.C...H......H..H
                                                            00000001400014A0 : 06 00 00 48 89 15 0E 1E 00 00 E8 31 01 00 00 8B  ...H......è1....
                                                            00000001400014B0 : D8 85 C0 78 68 E8 C2 00 00 00 8B D8 85 C0 78 5D  Ø.ÀxhèÂ....Ø.Àx]
                                                            00000001400014C0: 48 8B D6 48 8B CF E8 D5 FB FF FF 8B D8 85 C0 78  H.ÖH.ÏèÕûÿÿ.Ø.Àx
                                                                00000001400014D0 : 4C 48 8B 05 08 1E 00 00 40 38 68 30 74 26 48 8B  LH......@8h0t & H.
                                                                00000001400014E0: 4F 68 48 8B 05 07 1E 00 00 48 85 C9 48 0F 45 C1  OhH......H.ÉH.EÁ
                                                                00000001400014F0 : 48 89 05 F9 1D 00 00 48 8D 05 52 00 00 00 48 89  H..ù...H..R...H.
                                                                0000000140001500 : 47 68 EB 15 8B 40 08 A8 02 74 0E 48 8D 05 2E 00  Ghë..@.¨.t.H....
                                                                0000000140001510: 00 00 48 89 05 9F 1D 00 00 33 C0 EB 07 E8 8E FE  ..H......3Àë.è.þ
                                                                0000000140001520 : FF FF 8B C3 48 8B 5C 24 30 48 8B 6C 24 38 48 8B  ÿÿ.ÃH.\$0H.l$8H.
                                                                0000000140001530: 74 24 40 48 83 C4 20 5F C3 CC CC CC CC CC CC CC  t$@H.Ä _ÃÌÌÌÌÌÌÌ
                                                                0000000140001540: 48 83 EC 28 E8 67 FE FF FF 48 83 C4 28 C3 CC CC  H.ì(ègþÿÿH.Ä(ÃÌÌ
                                                                    0000000140001550: 48 83 EC 28 48 8B 05 95 1D 00 00 48 85 C0 74 12  H.ì(H......H.Àt.
                                                                        0000000140001560: 48 8D 15 E9 FF FF FF 48 3B C2 74 06 FF 15 FE 0A  H..éÿÿÿH; Ât.ÿ.þ.
                                                                        0000000140001570: 00 00 E8 39 FE FF FF 48 83 C4 28 C3 48 89 5C 24  ..è9þÿÿH.Ä(ÃH.\$
                                                                            0000000140001580: 08 57 48 83 EC 20 48 8D 05 F3 1A 00 00 48 8D 3D.WH.ì H..ó...H. =
                                                                            0000000140001590: FC 1A 00 00 48 3B C7 76 07 B8 7B 00 00 C0 EB 2C  ü...H; Çv.¸{ ..Àë,
                                                                            00000001400015A0: 48 8D 1D E9 1A 00 00 EB 1C 83 3B 28 75 29 48 8B  H..é...ë..; (u)H.
                                                                            00000001400015B0: 43 20 48 85 C0 74 0A FF 15 B3 0A 00 00 48 89 43  C H.Àt.ÿ.³...H.C
                                                                            00000001400015C0 : 18 48 83 C3 28 48 3B DF 72 DF 33 C0 48 8B 5C 24.H.Ã(H; ßrß3ÀH.\$
                                                                            00000001400015D0: 30 48 83 C4 20 5F C3 B8 04 00 00 C0 EB EE CC CC  0H.Ä _ø...ÀëîÌÌ
                                                                            00000001400015E0 : 48 89 5C 24 08 48 89 74 24 10 57 48 83 EC 30 48  H.\$.H.t$.WH.ì0H
                                                                            00000001400015F0: 8B F9 48 8D 35 77 1A 00 00 48 8D 0D 60 1A 00 00.ùH.5w...H..`...
                                                                            0000000140001600: 33 C0 48 3B CE 77 72 4C 8D 05 62 1A 00 00 4C 3B  3ÀH; ÎwrL..b...L;
                                                                            0000000140001610: C6 73 6B 49 8D 40 04 48 3B C6 77 5D 41 83 38 50  ÆskI.@.H; Æw]A.8P
                                                                            0000000140001620: 75 50 49 8D 58 50 48 3B DE 77 4E 49 8B 40 38 4C  uPI.XPH; ÞwNI.@8L
                                                                            0000000140001630: 89 05 42 1A 00 00 48 85 C0 74 1C 4D 8B C8 48 8D  ..B...H.Àt.M.ÈH.
                                                                            0000000140001640 : 0D EB 00 00 00 4C 8B 05 94 1C 00 00 48 8B D7 FF.ë...L......H.×ÿ
                                                                            0000000140001650 : 15 1B 0A 00 00 EB 0F 48 8B 15 82 1C 00 00 48 8B  .....ë.H......H.
                                                                            0000000140001660 : CF E8 CA 00 00 00 85 C0 78 14 4C 8B C3 48 3B DE  ÏèÊ....Àx.L.ÃH; Þ
                                                                            0000000140001670: EB 9F B8 04 00 00 C0 EB 05 B8 7B 00 00 C0 48 8B  ë.¸...Àë.¸{..ÀH.
                                                                            0000000140001680: 5C 24 40 48 8B 74 24 48 48 83 C4 30 5F C3 CC CC  \$@H.t$HH.Ä0_ÃÌÌ
                                                                            0000000140001690: 48 89 5C 24 08 57 48 83 EC 30 48 8B 05 D7 19 00  H.\$.WH.ì0H..×..
                                                                            00000001400016A0: 00 48 8D 1D C8 19 00 00 48 8B F9 48 8D 0D AE 19.H..È...H.ùH..®.
                                                                            00000001400016B0 : 00 00 48 3B C1 74 49 48 3B D8 77 44 48 8B 43 40  ..H; ÁtIH; ØwDH.C@
                                                                            00000001400016C0: 48 85 C0 74 1C 4C 8B 05 14 1C 00 00 48 8D 0D 6D  H.Àt.L......H..m
                                                                            00000001400016D0 : 00 00 00 4C 8B CB 48 8B D7 FF 15 91 09 00 00 EB  ...L.ËH.×ÿ.....ë
                                                                            00000001400016E0: 12 48 8B 15 F8 1B 00 00 4C 8B C3 48 8B CF E8 4D.H..ø...L.ÃH.ÏèM
                                                                            00000001400016F0 : 00 00 00 48 83 C3 50 48 3B 1D 7A 19 00 00 76 BC  ...H.ÃPH; .z...v¼
                                                                            0000000140001700: 48 8B 5C 24 40 48 83 C4 30 5F C3 CC CC CC CC CC  H.\$@H.Ä0_ÃÌÌÌÌÌ
                                                                            0000000140001710: C2 00 00 CC CC CC CC CC CC CC CC CC CC CC CC CC  Â..ÌÌÌÌÌÌÌÌÌÌÌÌÌ
                                                                            0000000140001720 : FF 25 EA 08 00 00 FF 25 DC 08 00 00 CC CC CC CC  ÿ % ê...ÿ % Ü...ÌÌÌÌ
                                                                            0000000140001730: FF 25 CA 08 00 00 CC CC CC CC CC CC CC CC CC CC  ÿ % Ê...ÌÌÌÌÌÌÌÌÌÌ
                                                                            0000000140001740: FF 25 D2 08 00 00 CC CC CC CC CC CC CC CC CC CC  ÿ % Ò...ÌÌÌÌÌÌÌÌÌÌ
                                                                            0000000140001750: CC CC CC CC CC CC 66 66 0F 1F 84 00 00 00 00 00  ÌÌÌÌÌÌff........
                                                                            0000000140001760 : FF E0 CC CC CC CC CC CC CC CC CC CC CC CC CC CC  ÿàÌÌÌÌÌÌÌÌÌÌÌÌÌÌ
                                                                            0000000140001770 : 5B 4B 42 46 4D 5D 3A 20 49 6F 43 72 65 61 74 65[KBFM] : IoCreate
                                                                            0000000140001780 : 44 65 76 69 63 65 20 45 72 72 6F 72 21 0D 0A 00  Device Error!...
                                                                            0000000140001790 : 5B 4B 42 46 4D 5D 3A 20 49 6F 43 72 65 61 74 65[KBFM] : IoCreate
                                                                            00000001400017A0 : 53 79 6D 62 6F 6C 69 63 4C 69 6E 6B 20 45 72 72  SymbolicLink Err
                                                                            00000001400017B0 : 6F 72 21 0D 0A 00 CC CC CC CC CC CC CC CC CC CC or !...ÌÌÌÌÌÌÌÌÌÌ
                                                                            00000001400017C0 : 5B 4B 42 46 4D 5D 3A 20 55 6E 6C 6F 61 64 20 72[KBFM] : Unload r
                                                                            00000001400017D0 : 6F 75 74 6E 65 20 63 61 6C 6C 65 64 21 0D 0A 00  outne called!...
                                                                            00000001400017E0 : 5B 4B 42 46 4D 5D 3A 20 43 72 65 61 74 65 20 63[KBFM] : Create c
                                                                            00000001400017F0 : 61 6C 6C 65 64 21 0D 0A 00 CC CC CC CC CC CC CC  alled!...ÌÌÌÌÌÌÌ
                                                                            0000000140001800 : 5B 4B 42 46 4D 5D 3A 20 43 6C 6F 73 65 63 61 6C[KBFM] : Closecal
                                                                            0000000140001810 : 6C 20 63 61 6C 6C 65 64 21 0D 0A 00              l called!...

                                                                          SECTION HEADER #2
                                                                            .rdata name
                                                                               524 virtual size
                                                                              2000 virtual address(0000000140002000 to 0000000140002523)
                                                                               600 size of raw data
                                                                               E00 file pointer to raw data(00000E00 to 000013FF)
                                                                                 0 file pointer to relocation table
                                                                                 0 file pointer to line numbers
                                                                                 0 number of relocations
                                                                                 0 number of line numbers
                                                                          48000040 flags
                                                                                   Initialized Data
                                                                                   Not Paged
                                                                                   Read Only

                                                                          RAW DATA #2
                                                                            0000000140002000: 9A 51 00 00 00 00 00 00 86 51 00 00 00 00 00 00.Q.......Q......
                                                                            0000000140002010 : 74 51 00 00 00 00 00 00 B0 51 00 00 00 00 00 00  tQ......°Q......
                                                                            0000000140002020 : 00 00 00 00 00 00 00 00 24 51 00 00 00 00 00 00  ........$Q......
                                                                            0000000140002030 : 5C 51 00 00 00 00 00 00 0C 51 00 00 00 00 00 00  \Q.......Q......
                                                                            0000000140002040: FA 50 00 00 00 00 00 00 E4 50 00 00 00 00 00 00  úP......äP......
                                                                            0000000140002050 : D8 50 00 00 00 00 00 00 36 51 00 00 00 00 00 00  ØP......6Q......
                                                                            0000000140002060 : 00 00 00 00 00 00 00 00 10 17 00 40 01 00 00 00  ...........@....
                                                                            0000000140002070: 60 17 00 40 01 00 00 00 00 10 00 00 50 10 00 00  `..@........P...
                                                                            0000000140002080: B0 11 00 00 B0 12 00 00 20 13 00 00 E0 13 00 00  °...°... ...à...
                                                                            0000000140002090 : 40 15 00 00 50 15 00 00 10 17 00 00 30 17 00 00  @...P.......0...
                                                                            00000001400020A0: 40 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00  @...............
                                                                            00000001400020B0: 5C 00 44 00 65 00 76 00 69 00 63 00 65 00 5C 00  \.D.e.v.i.c.e.\.
                                                                            00000001400020C0: 4B 00 42 00 46 00 4D 00 00 00 00 00 00 00 00 00  K.B.F.M.........
                                                                            00000001400020D0 : 5C 00 3F 00 3F 00 5C 00 4B 00 42 00 46 00 4D 00  \. ? . ? .\.K.B.F.M.
                                                                            00000001400020E0: 00 00 00 00 00 00 00 00 4B 00 6D 00 64 00 66 00  ........K.m.d.f.
                                                                            00000001400020F0 : 4C 00 69 00 62 00 72 00 61 00 72 00 79 00 00 00  L.i.b.r.a.r.y...
                                                                            0000000140002100 : 00 00 00 00 C1 00 40 5E 00 00 00 00 02 00 00 00  ....Á.@ ^........
                                                                            0000000140002110: 60 00 00 00 48 22 00 00 48 10 00 00 00 00 00 00  `...H"..H.......
                                                                            0000000140002120: C1 00 40 5E 00 00 00 00 0D 00 00 00 BC 01 00 00  Á.@ ^........¼...
                                                                            0000000140002130: A8 22 00 00 A8 10 00 00 00 00 00 00 00 00 00 00  ¨"..¨...........
                                                                            0000000140002140 : 08 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                                                                            0000000140002150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                                                                            0000000140002160 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                                                                            0000000140002170 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                                                                            0000000140002180 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                                                                            0000000140002190 : 00 00 00 00 00 00 00 00 20 30 00 40 01 00 00 00  ........ 0.@....
                                                                            00000001400021A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                                                                            00000001400021B0 : 68 20 00 40 01 00 00 00 70 20 00 40 01 00 00 00  h .@....p .@....
                                                                            00000001400021C0: 78 20 00 40 01 00 00 00 0B 00 00 00 00 00 00 00  x .@............
                                                                            00000001400021D0: 00 45 01 00 00 00 00 00 00 00 00 00 00 00 00 00.E..............
                                                                            00000001400021E0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                                                                            00000001400021F0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                                                                            0000000140002200 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                                                                            0000000140002210 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                                                                            0000000140002220 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                                                                            0000000140002230 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                                                                            0000000140002240 : 00 00 00 00 00 00 00 00 52 53 44 53 5B E1 DD 12  ........RSDS[áÝ.
                                                                            0000000140002250:8D 84 92 4C A0 C9 82 D9 2B 74 4E D2 01 00 00 00  ...L.É.Ù + tNÒ....
                                                                            0000000140002260 : 43 3A 5C 55 73 65 72 73 5C 50 65 74 65 72 5C 44  C : \Users\Peter\D
                                                                            0000000140002270: 65 73 6B 74 6F 70 5C 44 72 69 76 65 72 47 61 6D  esktop\DriverGam
                                                                            0000000140002280: 65 48 61 63 6B 69 6E 67 5C 78 36 34 5C 44 65 62  eHacking\x64\Deb
                                                                            0000000140002290: 75 67 5C 44 72 69 76 65 72 52 65 61 64 4D 65 6D  ug\DriverReadMem
                                                                            00000001400022A0: 6F 72 79 2E 70 64 62 00 00 00 00 00 00 10 00 00  ory.pdb.........
                                                                            00000001400022B0 : 50 07 00 00 2E 74 65 78 74 24 6D 6E 00 00 00 00  P....text$mn....
                                                                            00000001400022C0 : 50 17 00 00 20 00 00 00 2E 74 65 78 74 24 6D 6E  P... ....text$mn
                                                                            00000001400022D0 : 24 30 30 00 70 17 00 00 AC 00 00 00 2E 74 65 78  $00.p...¬....tex
                                                                            00000001400022E0 : 74 24 73 00 00 20 00 00 68 00 00 00 2E 69 64 61  t$s.. ..h....ida
                                                                            00000001400022F0 : 74 61 24 35 00 00 00 00 68 20 00 00 10 00 00 00  ta$5....h ......
                                                                            0000000140002300 : 2E 30 30 63 66 67 00 00 78 20 00 00 38 00 00 00  .00cfg..x ..8...
                                                                            0000000140002310 : 2E 67 66 69 64 73 00 00 B0 20 00 00 98 01 00 00.gfids..° ......
                                                                            0000000140002320 : 2E 72 64 61 74 61 00 00 48 22 00 00 20 02 00 00.rdata..H".. ...
                                                                            0000000140002330 : 2E 72 64 61 74 61 24 7A 7A 7A 64 62 67 00 00 00.rdata$zzzdbg...
                                                                            0000000140002340 : 68 24 00 00 BC 00 00 00 2E 78 64 61 74 61 00 00  h$..¼....xdata..
                                                                            0000000140002350 : 00 30 00 00 60 00 00 00 2E 64 61 74 61 00 00 00  .0..`....data...
                                                                            0000000140002360: 60 30 00 00 10 00 00 00 2E 6B 6D 64 66 63 6C 61  `0.......kmdfcla
                                                                            0000000140002370: 73 73 62 69 6E 64 24 61 00 00 00 00 70 30 00 00  ssbind$a....p0..
                                                                            0000000140002380 : 08 00 00 00 2E 6B 6D 64 66 63 6C 61 73 73 62 69  .....kmdfclassbi
                                                                            0000000140002390: 6E 64 24 63 00 00 00 00 78 30 00 00 08 00 00 00  nd$c....x0......
                                                                            00000001400023A0: 2E 6B 6D 64 66 63 6C 61 73 73 62 69 6E 64 24 64.kmdfclassbind$d
                                                                            00000001400023B0 : 00 00 00 00 80 30 00 00 10 00 00 00 2E 6B 6D 64  .....0.......kmd
                                                                            00000001400023C0 : 66 74 79 70 65 69 6E 69 74 24 61 00 90 30 00 00  ftypeinit$a..0..
                                                                            00000001400023D0 : 10 00 00 00 2E 6B 6D 64 66 74 79 70 65 69 6E 69  .....kmdftypeini
                                                                            00000001400023E0 : 74 24 63 00 A0 30 00 00 58 02 00 00 2E 62 73 73  t$c..0..X....bss
                                                                            00000001400023F0 : 00 00 00 00 00 40 00 00 D8 00 00 00 2E 70 64 61  .....@..Ø....pda
                                                                            0000000140002400: 74 61 00 00 00 50 00 00 30 00 00 00 49 4E 49 54  ta...P..0...INIT
                                                                            0000000140002410 : 00 00 00 00 30 50 00 00 28 00 00 00 2E 69 64 61  ....0P..(....ida
                                                                            0000000140002420: 74 61 24 32 00 00 00 00 58 50 00 00 18 00 00 00  ta$2....XP......
                                                                            0000000140002430 : 2E 69 64 61 74 61 24 33 00 00 00 00 70 50 00 00.idata$3....pP..
                                                                            0000000140002440 : 68 00 00 00 2E 69 64 61 74 61 24 34 00 00 00 00  h....idata$4....
                                                                            0000000140002450 : D8 50 00 00 FC 00 00 00 2E 69 64 61 74 61 24 36  ØP..ü....idata$6
                                                                            0000000140002460 : 00 00 00 00 00 00 00 00 02 09 03 00 01 16 00 06  ................
                                                                            0000000140002470: 09 22 00 00 02 0E 03 00 01 16 00 06 0E A2 00 00  ."...........¢..
                                                                            0000000140002480: 1A 22 06 00 03 16 00 06 13 01 11 00 0C 70 0B 60  ."...........p.`
                                                                            0000000140002490: 30 13 00 00 78 00 00 00 02 09 03 00 01 16 00 06  0...x...........
                                                                            00000001400024A0: 09 42 00 00 02 0E 03 00 01 16 00 06 0E 42 00 00.B...........B..
                                                                            00000001400024B0: 01 00 00 00 02 04 03 00 01 16 00 06 04 42 00 00  .............B..
                                                                            00000001400024C0 : 02 14 0A 00 02 16 00 06 14 64 08 00 14 54 07 00  .........d...T..
                                                                            00000001400024D0: 14 34 06 00 14 32 10 70 02 0A 06 00 02 16 00 06  .4...2.p........
                                                                            00000001400024E0 : 0A 34 06 00 0A 32 06 70 02 0A 06 00 02 06 09 06  .4...2.p........
                                                                            00000001400024F0: 0A 34 06 00 0A 32 06 70 02 0A 06 00 02 16 00 06  .4...2.p........
                                                                            0000000140002500 : 0A 34 08 00 0A 52 06 70 02 0F 08 00 02 16 00 06  .4...R.p........
                                                                            0000000140002510: 0F 64 09 00 0F 34 08 00 0F 52 0B 70 00 00 00 00.d...4...R.p....
                                                                            0000000140002520: 01 00 00 00                                      ....

                                                                            Debug Directories

                                                                                  Time Type        Size      RVA  Pointer
                                                                              -------- ------ - -------- -------- --------
                                                                              5E4000C1 cv            60 00002248     1048    Format: RSDS, {12DDE15B - 848D - 4C92 - A0C9 - 82D92B744ED2}, 1, C : \Users\Peter\Desktop\DriverGameHacking\x64\Debug\DriverReadMemory.pdb
                                                                              5E4000C1 coffgrp      1BC 000022A8     10A8

                                                                            Section contains the following load config :

                                                                                      00000108 size
                                                                                             0 time date stamp
                                                                                          0.00 Version
                                                                                             0 GlobalFlags Clear
                                                                                             0 GlobalFlags Set
                                                                                             0 Critical Section Default Timeout
                                                                                             0 Decommit Free Block Threshold
                                                                                             0 Decommit Total Free Threshold
                                                                              0000000000000000 Lock Prefix Table
                                                                                             0 Maximum Allocation Size
                                                                                             0 Virtual Memory Threshold
                                                                                             0 Process Heap Flags
                                                                                             0 Process Affinity Mask
                                                                                             0 CSD Version
                                                                                          0000 Dependent Load Flag
                                                                              0000000000000000 Edit List
                                                                              0000000140003020 Security Cookie
                                                                              0000000140002068 Guard CF address of check - function pointer
                                                                              0000000140002070 Guard CF address of dispatch - function pointer
                                                                              0000000140002078 Guard CF function table
                                                                                             B Guard CF function count
                                                                                      00014500 Guard Flags
                                                                                                 CF instrumented
                                                                                                 FID table present
                                                                                                 Export suppression info present
                                                                                                 Long jump target table present
                                                                                          0000 Code Integrity Flags
                                                                                          0000 Code Integrity Catalog
                                                                                      00000000 Code Integrity Catalog Offset
                                                                                      00000000 Code Integrity Reserved
                                                                              0000000000000000 Guard CF address taken IAT entry table
                                                                                             0 Guard CF address taken IAT entry count
                                                                              0000000000000000 Guard CF long jump target table
                                                                                             0 Guard CF long jump target count
                                                                              0000000000000000 Dynamic value relocation table
                                                                              0000000000000000 Hybrid metadata pointer
                                                                              0000000000000000 Guard RF address of failure - function
                                                                              0000000000000000 Guard RF address of failure - function pointer
                                                                                      00000000 Dynamic value relocation table offset
                                                                                          0000 Dynamic value relocation table section
                                                                                          0000 Reserved2
                                                                              0000000000000000 Guard RF address of stack pointer verification function pointer
                                                                                      00000000 Hot patching table offset
                                                                                          0000 Reserved3
                                                                              0000000000000000 Enclave configuration pointer
                                                                              0000000000000000 Volatile metadata pointer

                                                                              Guard CF Function Table

                                                                                    Address
                                                                                    --------
                                                                                    0000000140001000
                                                                                    0000000140001050
                                                                                    00000001400011B0
                                                                                    00000001400012B0
                                                                                    0000000140001320  __report_gsfailure
                                                                                    00000001400013E0  FxDriverEntry
                                                                                    0000000140001540  FxStubDriverMiniportUnload
                                                                                    0000000140001550  FxStubDriverUnload
                                                                                    0000000140001710  _guard_check_icall_nop
                                                                                    0000000140001730  WdfVersionBindClass
                                                                                    0000000140001740  WdfVersionUnbindClass

                                                                          SECTION HEADER #3
                                                                             .data name
                                                                               2F8 virtual size
                                                                              3000 virtual address(0000000140003000 to 00000001400032F7)
                                                                               200 size of raw data
                                                                              1400 file pointer to raw data(00001400 to 000015FF)
                                                                                 0 file pointer to relocation table
                                                                                 0 file pointer to line numbers
                                                                                 0 number of relocations
                                                                                 0 number of line numbers
                                                                          C8000040 flags
                                                                                   Initialized Data
                                                                                   Not Paged
                                                                                   Read Write

                                                                          RAW DATA #3
                                                                            0000000140003000: 18 00 1A 00 00 00 00 00 B0 20 00 40 01 00 00 00  ........° .@....
                                                                            0000000140003010: 10 00 12 00 00 00 00 00 D0 20 00 40 01 00 00 00  ........Ð .@....
                                                                            0000000140003020: 32 A2 DF 2D 99 2B 00 00 CD 5D 20 D2 66 D4 FF FF  2¢ß - . + ..Í] ÒfÔÿÿ
                                                                            0000000140003030: 30 00 00 00 00 00 00 00 E8 20 00 40 01 00 00 00  0.......è .@....
                                                                            0000000140003040: 01 00 00 00 0F 00 00 00 00 00 00 00 BC 01 00 00  ............¼...
                                                                            0000000140003050 : D8 32 00 40 01 00 00 00 00 00 00 00 00 00 00 00  Ø2.@............
                                                                            0000000140003060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                                                                            0000000140003070 : 00 00 00 00 00 00 00 00 60 30 00 40 01 00 00 00  ........`0.@....
                                                                            0000000140003080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                                                                            0000000140003090 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                                                                            00000001400030A0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                                                                            00000001400030B0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                                                                            00000001400030C0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                                                                            00000001400030D0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                                                                            00000001400030E0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                                                                            00000001400030F0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                                                                            0000000140003100 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                                                                            0000000140003110 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                                                                            0000000140003120 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                                                                            0000000140003130 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                                                                            0000000140003140 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                                                                            0000000140003150 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                                                                            0000000140003160 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                                                                            0000000140003170 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                                                                            0000000140003180 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                                                                            0000000140003190 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                                                                            00000001400031A0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                                                                            00000001400031B0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                                                                            00000001400031C0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                                                                            00000001400031D0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                                                                            00000001400031E0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                                                                            00000001400031F0 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

                                                                          SECTION HEADER #4
                                                                            .pdata name
                                                                                D8 virtual size
                                                                              4000 virtual address(0000000140004000 to 00000001400040D7)
                                                                               200 size of raw data
                                                                              1600 file pointer to raw data(00001600 to 000017FF)
                                                                                 0 file pointer to relocation table
                                                                                 0 file pointer to line numbers
                                                                                 0 number of relocations
                                                                                 0 number of line numbers
                                                                          48000040 flags
                                                                                   Initialized Data
                                                                                   Not Paged
                                                                                   Read Only

                                                                          RAW DATA #4
                                                                            0000000140004000: 00 10 00 00 47 10 00 00 A4 24 00 00 50 10 00 00  ....G...¤$..P...
                                                                            0000000140004010 : 97 10 00 00 A4 24 00 00 A0 10 00 00 AA 11 00 00  ....¤$......ª...
                                                                            0000000140004020 : 74 24 00 00 B0 11 00 00 53 12 00 00 80 24 00 00  t$..°...S....$..
                                                                            0000000140004030 : 60 12 00 00 A4 12 00 00 68 24 00 00 B0 12 00 00  `...¤...h$..°...
                                                                            0000000140004040: E8 12 00 00 98 24 00 00 00 13 00 00 1E 13 00 00  è....$..........
                                                                            0000000140004050 : B0 24 00 00 30 13 00 00 4D 13 00 00 B4 24 00 00  °$..0...M...´$..
                                                                            0000000140004060 : 50 13 00 00 AF 13 00 00 B4 24 00 00 B0 13 00 00  P...¯...´$..°...
                                                                            0000000140004070 : DF 13 00 00 B4 24 00 00 E0 13 00 00 0B 14 00 00  ß...´$..à.......
                                                                            0000000140004080: D8 24 00 00 0C 14 00 00 39 15 00 00 C0 24 00 00  Ø$......9...À$..
                                                                            0000000140004090 : 40 15 00 00 4E 15 00 00 B4 24 00 00 50 15 00 00  @...N...´$..P...
                                                                            00000001400040A0: 7C 15 00 00 B4 24 00 00 7C 15 00 00 DE 15 00 00 | ...´$.. | ...Þ...
                                                                            00000001400040B0 : E8 24 00 00 E0 15 00 00 8E 16 00 00 08 25 00 00  è$..à........ % ..
                                                                            00000001400040C0: 90 16 00 00 0B 17 00 00 F8 24 00 00 60 17 00 00  ........ø$..`...
                                                                            00000001400040D0: 65 17 00 00 20 25 00 00                          e... % ..

                                                                          Function Table(18)

                                                                                     Begin    End      Info      Function Name

                                                                            00000000 00001000 00001047 000024A4
                                                                            0000000C 00001050 00001097 000024A4
                                                                            00000018 000010A0 000011AA 00002474  DriverEntry
                                                                            00000024 000011B0 00001253 00002480
                                                                            00000030 00001260 000012A4 00002468  IoGetCurrentIrpStackLocation
                                                                            0000003C 000012B0 000012E8 00002498
                                                                            00000048 00001300 0000131E 000024B0  __security_check_cookie
                                                                            00000054 00001330 0000134D 000024B4  __GSHandlerCheck
                                                                            00000060 00001350 000013AF 000024B4  __GSHandlerCheckCommon
                                                                            0000006C 000013B0 000013DF 000024B4 ? FxStubDriverUnloadCommon@@YAXXZ(void __cdecl FxStubDriverUnloadCommon(void))
                                                                            00000078 000013E0 0000140B 000024D8  FxDriverEntry
                                                                            00000084 0000140C 00001539 000024C0  FxDriverEntryWorker
                                                                            00000090 00001540 0000154E 000024B4  FxStubDriverMiniportUnload
                                                                            0000009C 00001550 0000157C 000024B4  FxStubDriverUnload
                                                                            000000A8 0000157C 000015DE 000024E8 ? FxStubInitTypes@@YAJXZ(long __cdecl FxStubInitTypes(void))
                                                                            000000B4 000015E0 0000168E 00002508 ? FxStubBindClasses@@YAJPEAU_WDF_BIND_INFO@@@Z(long __cdecl FxStubBindClasses(struct _WDF_BIND_INFO*))
                                                                            000000C0 00001690 0000170B 000024F8 ? FxStubUnbindClasses@@YAXPEAU_WDF_BIND_INFO@@@Z(void __cdecl FxStubUnbindClasses(struct _WDF_BIND_INFO*))
                                                                            000000CC 00001760 00001765 00002520  _guard_dispatch_icall_nop

                                                                          SECTION HEADER #5
                                                                              INIT name
                                                                               1D4 virtual size
                                                                              5000 virtual address(0000000140005000 to 00000001400051D3)
                                                                               200 size of raw data
                                                                              1800 file pointer to raw data(00001800 to 000019FF)
                                                                                 0 file pointer to relocation table
                                                                                 0 file pointer to line numbers
                                                                                 0 number of relocations
                                                                                 0 number of line numbers
                                                                          62000020 flags
                                                                                   Code
                                                                                   Discardable
                                                                                   Execute Read

                                                                          RAW DATA #5
                                                                            0000000140005000: 48 8B 05 19 E0 FF FF 48 85 C0 74 1A 48 B9 32 A2  H...àÿÿH.Àt.H¹2¢
                                                                            0000000140005010 : DF 2D 99 2B 00 00 48 3B C1 74 0B 48 F7 D0 48 89  ß - . + ..H; Át.H÷ÐH.
                                                                            0000000140005020: 05 03 E0 FF FF C3 B9 06 00 00 00 CD 29 CC CC CC  ..àÿÿù....Í)ÌÌÌ
                                                                            0000000140005030: 98 50 00 00 00 00 00 00 00 00 00 00 4E 51 00 00.P..........NQ..
                                                                            0000000140005040 : 28 20 00 00 70 50 00 00 00 00 00 00 00 00 00 00  (..pP..........
                                                                            0000000140005050: C8 51 00 00 00 20 00 00 00 00 00 00 00 00 00 00  ÈQ... ..........
                                                                            0000000140005060 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
                                                                            0000000140005070 : 9A 51 00 00 00 00 00 00 86 51 00 00 00 00 00 00.Q.......Q......
                                                                            0000000140005080 : 74 51 00 00 00 00 00 00 B0 51 00 00 00 00 00 00  tQ......°Q......
                                                                            0000000140005090 : 00 00 00 00 00 00 00 00 24 51 00 00 00 00 00 00  ........$Q......
                                                                            00000001400050A0 : 5C 51 00 00 00 00 00 00 0C 51 00 00 00 00 00 00  \Q.......Q......
                                                                            00000001400050B0: FA 50 00 00 00 00 00 00 E4 50 00 00 00 00 00 00  úP......äP......
                                                                            00000001400050C0 : D8 50 00 00 00 00 00 00 36 51 00 00 00 00 00 00  ØP......6Q......
                                                                            00000001400050D0 : 00 00 00 00 00 00 00 00 59 00 44 62 67 50 72 69  ........Y.DbgPri
                                                                            00000001400050E0 : 6E 74 00 00 AE 03 49 6F 66 43 6F 6D 70 6C 65 74  nt..®.IofComplet
                                                                            00000001400050F0 : 65 52 65 71 75 65 73 74 00 00 95 02 49 6F 43 72  eRequest....IoCr
                                                                            0000000140005100 : 65 61 74 65 44 65 76 69 63 65 00 00 A0 02 49 6F  eateDevice....Io
                                                                            0000000140005110 : 43 72 65 61 74 65 53 79 6D 62 6F 6C 69 63 4C 69  CreateSymbolicLi
                                                                            0000000140005120 : 6E 6B 00 00 AC 02 49 6F 44 65 6C 65 74 65 44 65  nk..¬.IoDeleteDe
                                                                            0000000140005130 : 76 69 63 65 00 00 AE 02 49 6F 44 65 6C 65 74 65  vice..®.IoDelete
                                                                            0000000140005140 : 53 79 6D 62 6F 6C 69 63 4C 69 6E 6B 00 00 6E 74  SymbolicLink..nt
                                                                            0000000140005150 : 6F 73 6B 72 6E 6C 2E 65 78 65 00 00 6C 07 52 74  oskrnl.exe..l.Rt
                                                                            0000000140005160 : 6C 43 6F 70 79 55 6E 69 63 6F 64 65 53 74 72 69  lCopyUnicodeStri
                                                                            0000000140005170 : 6E 67 00 00 06 00 57 64 66 56 65 72 73 69 6F 6E  ng....WdfVersion
                                                                            0000000140005180 : 42 69 6E 64 00 00 08 00 57 64 66 56 65 72 73 69  Bind....WdfVersi
                                                                            0000000140005190: 6F 6E 55 6E 62 69 6E 64 00 00 07 00 57 64 66 56  onUnbind....WdfV
                                                                            00000001400051A0 : 65 72 73 69 6F 6E 42 69 6E 64 43 6C 61 73 73 00  ersionBindClass.
                                                                            00000001400051B0 : 09 00 57 64 66 56 65 72 73 69 6F 6E 55 6E 62 69  ..WdfVersionUnbi
                                                                            00000001400051C0: 6E 64 43 6C 61 73 73 00 57 44 46 4C 44 52 2E 53  ndClass.WDFLDR.S
                                                                            00000001400051D0 : 59 53 00 00                                      YS..

                                                                            Section contains the following imports :

                                                                              ntoskrnl.exe
                                                                                       140002028 Import Address Table
                                                                                       140005098 Import Name Table
                                                                                               0 time date stamp
                                                                                               0 Index of first forwarder reference

                                                                                                   2AC IoDeleteDevice
                                                                                                   76C RtlCopyUnicodeString
                                                                                                   2A0 IoCreateSymbolicLink
                                                                                                   295 IoCreateDevice
                                                                                                   3AE IofCompleteRequest
                                                                                                    59 DbgPrint
                                                                                                   2AE IoDeleteSymbolicLink

                                                                              WDFLDR.SYS
                                                                                       140002000 Import Address Table
                                                                                       140005070 Import Name Table
                                                                                               0 time date stamp
                                                                                               0 Index of first forwarder reference

                                                                                                     7 WdfVersionBindClass
                                                                                                     8 WdfVersionUnbind
                                                                                                     6 WdfVersionBind
                                                                                                     9 WdfVersionUnbindClass

                                                                          SECTION HEADER #6
                                                                            .reloc name
                                                                                28 virtual size
                                                                              6000 virtual address(0000000140006000 to 0000000140006027)
                                                                               200 size of raw data
                                                                              1A00 file pointer to raw data(00001A00 to 00001BFF)
                                                                                 0 file pointer to relocation table
                                                                                 0 file pointer to line numbers
                                                                                 0 number of relocations
                                                                                 0 number of line numbers
                                                                          42000040 flags
                                                                                   Initialized Data
                                                                                   Discardable
                                                                                   Read Only

                                                                          RAW DATA #6
                                                                            0000000140006000: 00 20 00 00 14 00 00 00 68 A0 70 A0 98 A1 B0 A1  . ......h.p..¡°¡
                                                                            0000000140006010 : B8 A1 C0 A1 00 30 00 00 14 00 00 00 08 A0 18 A0  ¸¡À¡.0..........
                                                                            0000000140006020: 38 A0 50 A0 78 A0 00 00                          8.P.x...

                                                                          BASE RELOCATIONS #6
                                                                              2000 RVA,       14 SizeOfBlock
                                                                                68  DIR64      0000000140001710  _guard_check_icall_nop
                                                                                70  DIR64      0000000140001760  _guard_dispatch_icall_nop
                                                                               198  DIR64      0000000140003020  __security_cookie
                                                                               1B0  DIR64      0000000140002068  __guard_check_icall_fptr
                                                                               1B8  DIR64      0000000140002070  __guard_dispatch_icall_fptr
                                                                               1C0  DIR64      0000000140002078  __guard_fids_table
                                                                              3000 RVA,       14 SizeOfBlock
                                                                                 8  DIR64      00000001400020B0 ? ? _C@_1BK@MPJGGNGA@ ? $AA ? 2 ? $AAD ? $AAe ? $AAv ? $AAi ? $AAc ? $AAe ? $AA ? 2 ? $AAK ? $AAB ? $AAF ? $AAM@ (`string')
                                                                                18  DIR64      00000001400020D0 ? ? _C@_1BC@BGGPPAIA@ ? $AA ? 2 ? $AA ? $DP ? $AA ? $DP ? $AA ? 2 ? $AAK ? $AAB ? $AAF ? $AAM@ (`string')
                                                                                38  DIR64      00000001400020E8 ? ? _C@_1BI@BJCKEEDJ@ ? $AAK ? $AAm ? $AAd ? $AAf ? $AAL ? $AAi ? $AAb ? $AAr ? $AAa ? $AAr ? $AAy@ (`string')
                                                                                50  DIR64      00000001400032D8  WdfFunctions_01015
                                                                                78  DIR64      0000000140003060 ? __KMDF_CLASS_BIND_START@@3U_MARKER_TYPE@@A(struct _MARKER_TYPE __KMDF_CLASS_BIND_START)
                                                                                 0  ABS

                                                                            Summary

                                                                                  1000.data
                                                                                  1000.pdata
                                                                                  1000.rdata
                                                                                  1000.reloc
                                                                                  1000.text
                                                                                  1000 INIT

@HoShiMin
Copy link
Owner

WDFLDR.SYS
140002000 Import Address Table
140005070 Import Name Table
0 time date stamp
0 Index of first forwarder reference

				 7 WdfVersionBindClass
				 8 WdfVersionUnbind
				 6 WdfVersionBind
				 9 WdfVersionUnbindClass

It seems that they're not exported by MmGetSystemRoutineAddress that uses to resolve dependencies of your driver. You can find a minimal working sample in KbLoadableModule folder. Or you can add your own resolving routine in KbMapDriverFile function.

@vajos
Copy link
Author

vajos commented Feb 11, 2020

Hey thanks <3 can you maybe give me some keywords to learn more about why this happens. (Is it because I include #include <ntddk.h>) and maybe what i need to care about when writing my own driver that will be mapped with the kernel bridge framework. Sry for taking your time away and thanks again

@HoShiMin
Copy link
Owner

HoShiMin commented Feb 11, 2020
edited
Loading

why this happens

Hm, I don't know why does exactly it happen... Is it a WDM-driver? Maybe it links something from WDF in a linker command line?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@HoShiMin @vajos