Skip to content

FS_Sys_Drivers

Jump to bottom
ufrisk edited this page May 24, 2021 · 9 revisions

The sys/drivers directory

The directory sys/drivers exists as a sub-directory to the file system root.

The directory and its sub-directories contains information about loaded active kernel drivers.

The files in the sys/drivers directory are listed in the table below:

File Description
drivers.txt Summary information about all drivers.
driver_irp.txt Information about IRPs related to all drivers.
by-name/[name]/* Information about the Driver object and its header.

Files in the sys/drivers directory and sub-directories are read-only.

The directory exists only on Windows. Linux support is planned for the future.

File: drivers.txt

The file drivers.txt contains summary information about loaded active kernel drivers. The meaning of the different columns are as follows:

   #   Object Address Driver               Size Drv Range: Start-End              Service Key      Driver Name                 
--------------------------------------------------------------------------------------------------------------                 
0000 ffffcf00cb5f5450 ahcache             41000 fffff809b6240000-fffff809b6280fff ahcache          \Driver\ahcache
0001 ffffcf00cb337e60 iorate              11000 fffff809b6480000-fffff809b6490fff iorate           \Driver\iorate
0002 ffffcf00c9ff5ac0 pcw                 13000 fffff809b59e0000-fffff809b59f2fff pcw              \Driver\pcw
0003 ffffcf00c9f61c40 VBoxNetLwf          49000 fffff809b6b20000-fffff809b6b68fff VBoxNetLwf       \Driver\VBoxNetLwf
0004 ffffcf00c9819390 lxss                 b000 fffff809b5420000-fffff809b542afff lxss             \Driver\lxss
0005 ffffcf00cdd3b060 rspndr              1a000 fffff809bb420000-fffff809bb439fff rspndr           \Driver\rspndr
0006 ffffcf00cd6d2e60 WINUSB              1d000 fffff809bb180000-fffff809bb19cfff WINUSB           \Driver\WINUSB
0007 ffffcf00cb312d20 volume               b000 fffff809b7380000-fffff809b738afff volume           \Driver\volume
0008 ffffcf00c9547e60 SoftwareDevice          0 fffff8032ae89000-fffff8032ae89000 \Driver\Software \Driver\SoftwareDevice
...

File: driver_irp.txt

The file driver_irp.txt contains information about each of the IRPs tied to a driver.

Please note that unsupported requests point to the default unsupported function in the kernel. This is denoted as --- in the example below. Unknown target modules are listed as ?.

The meaning of the different columns are as follows:

   # Driver            # IRP_MJ_*                          Address Target Module       
--------------------------------------------------------------------------------       
0000 ahcache           0 CREATE                   fffff809b626a610 ahcache
0001 ahcache           1 CREATE_NAMED_PIPE        fffff8032aece2c0 ---
0002 ahcache           2 CLOSE                    fffff809b626a610 ahcache
0003 ahcache           3 READ                     fffff8032aece2c0 ---
0004 ahcache           4 WRITE                    fffff8032aece2c0 ---
0005 ahcache           5 QUERY_INFORMATION        fffff8032aece2c0 ---
0006 ahcache           6 SET_INFORMATION          fffff8032aece2c0 ---
0007 ahcache           7 QUERY_EA                 fffff8032aece2c0 ---
0008 ahcache           8 SET_EA                   fffff8032aece2c0 ---
0009 ahcache           9 FLUSH_BUFFERS            fffff8032aece2c0 ---
000a ahcache          10 QUERY_VOLUME_INFORMATION fffff8032aece2c0 ---
000b ahcache          11 SET_VOLUME_INFORMATION   fffff8032aece2c0 ---
000c ahcache          12 DIRECTORY_CONTROL        fffff8032aece2c0 ---
000d ahcache          13 FILE_SYSTEM_CONTROL      fffff8032aece2c0 ---
000e ahcache          14 DEVICE_CONTROL           fffff809b6260870 ahcache
000f ahcache          15 INTERNAL_DEVICE_CONTROL  fffff8032aece2c0 ---
0010 ahcache          16 SHUTDOWN                 fffff809b6278190 ahcache
0011 ahcache          17 LOCK_CONTROL             fffff8032aece2c0 ---
0012 ahcache          18 CLEANUP                  fffff8032aece2c0 ---
0013 ahcache          19 CREATE_MAILSLOT          fffff8032aece2c0 ---
0014 ahcache          20 QUERY_SECURITY           fffff8032aece2c0 ---
0015 ahcache          21 SET_SECURITY             fffff8032aece2c0 ---
0016 ahcache          22 POWER                    fffff8032aece2c0 ---
0017 ahcache          23 SYSTEM_CONTROL           fffff8032aece2c0 ---
0018 ahcache          24 DEVICE_CHANGE            fffff8032aece2c0 ---
0019 ahcache          25 QUERY_QUOTA              fffff8032aece2c0 ---
001a ahcache          26 SET_QUOTA                fffff8032aece2c0 ---
001b ahcache          27 PNP                      fffff8032aece2c0 ---
001c iorate            0 CREATE                   fffff809b6484860 iorate
001d iorate            1 CREATE_NAMED_PIPE        fffff809b6484860 iorate
001e iorate            2 CLOSE                    fffff809b6484860 iorate
...

Example

The example shows the loaded kernel driver list and its IRPs - which are both made available under the sys/drivers directory.

For Developers

The sys/drivers sub-directory is implemented as a built-in native C-code plugin. The plugin source is located in the file m_sys_driver.c in the vmm project.

Sponsor PCILeech and MemProcFS:

PCILeech and MemProcFS is free and open source!

I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!

If you like what I've created with PCIleech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development please consider becoming a sponsor at: https://github.com/sponsors/ufrisk

Thank You 💖

Overview

API

Root File System

Per-Process File System

Development

FAQ

Clone this wiki locally