Sysinternals Forum > Windows Discussions > Internals

Use of NULL driver?

Mad_guy (Newbie, joined 30 September 2005)
Posted: 15 May 2006 at 5:57pm
In Process Explorer I wanted to see what, if any, modules were loaded by programs like Retina Security Scanner or Kerio firewall, to maybe get an idea of how they work. I came across the NULL driver (system32\drivers\null.sys) and found it to be a very simplistic and easy-to-analyze driver, so I decided to investigate it and analyze it using my copy of IDA Pro. So far, I've got this (I did most of it a while back but have come back to it recently): http://austin.youareinferior.net/analysis/nulldrvr.html

All I mainly have left to do is analyze the DriverDispatchRoutine (which is coalesced with the functions around it, i.e. it doesn't really have its own stack frame and isn't a procedure. I haven't analyzed many device drivers, but I wouldn't think this would be the standard way the compiler would emit code, but whatever.) On my Win2k test box I not only have IDA Pro but also a copy of SoftICE. It seems as if there are some differences between the Win2k null.sys and the WinXP SP2 null.sys, but they don't seem too major.

Anyway, does anybody have any information on the NULL driver, such as why it's really there? I figure before doing more investigation it might be interesting to know if anybody has done any other research on the driver. Can anybody lead me to a resource? Or am I left on my own with IDA and SICE?
MP_ART (Senior Member, joined 08 March 2006, Russian Federation)
Posted: 15 May 2006 at 9:00pm
EP_X0FF (Senior Member, joined 08 March 2006, Russian Federation)
Posted: 16 May 2006 at 12:43am
IMHO the Null device driver is there for backward compatibility.
Mad_guy (Newbie, joined 30 September 2005)
Posted: 16 May 2006 at 1:00pm
Originally posted by MP_ART:

http://www.codeproject.com/system/driverdev.asp?df=100&forumid=150661&exp=0&select=1344991

...About writing drivers, driver Dispatch routines

I know about drivers and driver dispatch routines (and that is a very good tutorial, btw); what I was saying is I just haven't taken the time to analyze the NULL driver's dispatch routine, and wondered if all driver dispatch routines are coalesced with their adjacent functions in a sense (look at the disassembly and you'll understand what I mean). I have a couple of drivers I wrote on my Win2k box; I'll analyze them sometime to see if the compiler emits that code the same way.
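As an added illustration (not code from this thread, and not a transcription of Microsoft's null.sys), here is a user-mode C model of the WDM pattern the posts above discuss: DriverEntry pointing several MajorFunction slots at one shared dispatch routine, which is why a disassembly can show a single routine handling create, close, read and write. The IRP, IO_STACK_LOCATION and DRIVER_OBJECT types are constructed stand-ins so it compiles anywhere, and the read/write semantics (reads hit end-of-file, writes are discarded) are assumed NUL behaviour.

```c
/* User-mode model of the WDM dispatch-table pattern with constructed stand-in types
 * (not ntddk.h). Device behaviour is the assumed NUL semantics: reads hit EOF, writes vanish. */
#include <stddef.h>
#define IRP_MJ_CREATE 0x00u
#define IRP_MJ_CLOSE  0x02u
#define IRP_MJ_READ   0x03u
#define IRP_MJ_WRITE  0x04u
#define IRP_MJ_MAXIMUM_FUNCTION 0x1bu
#define STATUS_SUCCESS                0x00000000ul
#define STATUS_END_OF_FILE            0xC0000011ul
#define STATUS_INVALID_DEVICE_REQUEST 0xC0000010ul
/* Constructed stand-ins for IO_STACK_LOCATION, IRP and DRIVER_OBJECT. */
typedef struct { unsigned char MajorFunction; size_t Length; } STACK_LOC;
typedef struct { STACK_LOC Sp; unsigned long Status; size_t Information; } IRP;
typedef unsigned long (*PDRIVER_DISPATCH)(IRP *);
typedef struct { PDRIVER_DISPATCH MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1]; } DRIVER_OBJECT;
/* Default that the I/O manager installs for major functions a driver does not register. */
static unsigned long InvalidRequest(IRP *irp) { irp->Information = 0; return irp->Status = STATUS_INVALID_DEVICE_REQUEST; }

/* One routine serves every major function the driver accepts; the switch on
 * MajorFunction is why a disassembly shows a single function rather than four. */
static unsigned long NullDispatch(IRP *irp) {
    switch (irp->Sp.MajorFunction) {
    case IRP_MJ_READ:  irp->Information = 0;              irp->Status = STATUS_END_OF_FILE; break;
    case IRP_MJ_WRITE: irp->Information = irp->Sp.Length;  irp->Status = STATUS_SUCCESS;     break;
    default:           irp->Information = 0;              irp->Status = STATUS_SUCCESS;     break; /* create, close */
    }
    return irp->Status;
}

/* Model of DriverEntry: fill the table with the default, then point the accepted
 * entries at the shared routine (the store loop a reverser typically sees in DriverEntry). */
unsigned long DriverEntry(DRIVER_OBJECT *drv) {
    for (unsigned i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++) drv->MajorFunction[i] = InvalidRequest;
    drv->MajorFunction[IRP_MJ_CREATE] = drv->MajorFunction[IRP_MJ_CLOSE] = NullDispatch;
    drv->MajorFunction[IRP_MJ_READ]   = drv->MajorFunction[IRP_MJ_WRITE] = NullDispatch;
    return STATUS_SUCCESS;
}

/* Stand-in for the I/O manager: load the model once, build an IRP, call the table
 * entry and report the completed Information field (bytes transferred). */
unsigned long SendIrp(unsigned char major, size_t len, size_t *info) {
    static DRIVER_OBJECT drv;
    if (!drv.MajorFunction[0]) DriverEntry(&drv);
    if (major > IRP_MJ_MAXIMUM_FUNCTION) return STATUS_INVALID_DEVICE_REQUEST;
    IRP irp = { { major, len }, 0, 0 };
    unsigned long st = drv.MajorFunction[major](&irp);
    if (info) *info = irp.Information;
    return st;
}
size_t BytesTransferred(unsigned char major, size_t len) { size_t info = 0; SendIrp(major, len, &info); return info; }
```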