As the title says: how can a Windows Ring0 driver obtain a module's resource information, such as version and company?
Must this be achieved by communicating with ring3?
Do you have any ideas?
CodePudding user response:
http://www.cnblogs.com/liuconggang/archive/2013/01/12/2857683.html
See the communication between Ring0 and Ring3; hope it helps ~
CodePudding user response:
Quoting the 1st floor reply from VisualEleven: http://www.cnblogs.com/liuconggang/archive/2013/01/12/2857683.html See the communication between Ring0 and Ring3; hope it helps ~
Must the module version information be obtained through ring3? Is there a way to get it in the driver layer? What way?
CodePudding user response:
Never mind: the enumerated modules have paths, so read the file to get it.
CodePudding user response:
GetFileVersionInfoSize, GetFileVersionInfo
You can refer to these two functions to access the file information.
CodePudding user response:
VerQueryValue
\StringFileInfo\lang-codepage\string-name
Specifies a value in a language-specific StringTable structure. The lang-codepage name is a concatenation of a language and code page identifier pair found as a DWORD in the translation array for the resource. Here the lang-codepage name must be specified as a hexadecimal string. The function retrieves a string value specific to the language and code page indicated. The string-name name must be one of the following predefined strings: Comments, CompanyName, FileDescription, FileVersion, InternalName, LegalCopyright, LegalTrademarks, OriginalFilename, ProductName, ProductVersion, PrivateBuild, SpecialBuild.
CodePudding user response:
Quoting the 4th floor reply from shen_wei: GetFileVersionInfoSize, GetFileVersionInfo. You can refer to these two functions to access the file information.
The original poster is talking about the ring0 layer (kernel driver). The application layer has a direct API, so it is easy there, of course, but the kernel driver layer has no corresponding API.
CodePudding user response:
I also encountered this problem! Information such as file version information and digital signature checks is fine to obtain in the application layer, but there are no direct kernel APIs for it in the driver.
The only option is to let the driver communicate with the application layer, obtain the information through the application layer, and have the application layer return it to the driver.
But doing so will affect efficiency! And the processing in the kernel layer must also be blocked:
For example, if you are processing an IRP, mark the IRP pending and add it to a pending request queue, so that IRP processing can continue later according to the application layer's verdict.
If it is in a kernel hook, let the thread wait temporarily on an event object; after the application layer's verdict is received, the event is set and subsequent processing follows that verdict.
The code implementation is trivial; going back and forth between the ring0 and ring3 layers significantly reduces running efficiency.
If there is no direct kernel API and you want higher efficiency, you can only consider parsing the PE file content yourself, but that will be a huge amount of work.
Project implementation is full of compromises.
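The last reply mentions parsing the PE file content directly instead of round-tripping to ring3. The following is an added example, not code from this thread: portable C that scans a file image already read into memory for the VS_FIXEDFILEINFO header (signature 0xFEEF04BD) and returns the numeric file version. It is a signature-scan shortcut rather than a full resource-directory walk, and it assumes the driver has already read the file into a buffer (for instance with ZwReadFile); the function name and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define VS_FFI_SIGNATURE    0xFEEF04BDu /* VS_FIXEDFILEINFO.dwSignature */
#define VS_FFI_STRUCVERSION 0x00010000u /* VS_FIXEDFILEINFO.dwStrucVersion */
#define VS_FFI_NEEDED       16u /* signature, struc version, version MS, LS */

/* Constructed sample, not a real file: "MZ" stub, a decoy signature with a
 * bad dwStrucVersion, then a valid header carrying version 6.1.7601.17514. */
static const uint8_t SAMPLE[] = {
    'M', 'Z', 0x90, 0x00,
    0xBD, 0x04, 0xEF, 0xFE, 0x00, 0x00, 0x00, 0x00,
    0xBD, 0x04, 0xEF, 0xFE, 0x00, 0x00, 0x01, 0x00,
    0x01, 0x00, 0x06, 0x00, 0x6A, 0x44, 0xB1, 0x1D,
};

/* Read a little-endian DWORD without assuming the pointer is aligned. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns (dwFileVersionMS << 32) | dwFileVersionLS of the first plausible
 * VS_FIXEDFILEINFO in buf, or 0 when none fits inside the buffer. */
uint64_t find_file_version(const uint8_t *buf, size_t len) {
    if (buf == NULL || len < VS_FFI_NEEDED) return 0;
    for (size_t off = 0; off <= len - VS_FFI_NEEDED; off++) {
        if (rd32(buf + off) != VS_FFI_SIGNATURE) continue;
        if (rd32(buf + off + 4) != VS_FFI_STRUCVERSION) continue; /* decoy */
        return ((uint64_t)rd32(buf + off + 8) << 32) | rd32(buf + off + 12);
    }
    return 0;
}

int main(void) {
    uint64_t v = find_file_version(SAMPLE, sizeof SAMPLE);
    if (v == 0) { puts("no version header found"); return 1; }
    printf("FileVersion %u.%u.%u.%u\n",
           (unsigned)(v >> 48) & 0xFFFFu, (unsigned)(v >> 32) & 0xFFFFu,
           (unsigned)(v >> 16) & 0xFFFFu, (unsigned)v & 0xFFFFu);
    return 0;
}
```

The value comes from unauthenticated file content, so it identifies a module but does not vouch for it; string fields such as CompanyName still require walking the StringFileInfo tables.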