Friday, 27 February 2015

How Does a Windows Program Load a Kernel Driver Without Rebooting or Calling CreateService

I know Sysinternals' Process Explorer silently loads a device driver called PROCEXPxxx.SYS. I'm wondering how it does this. To me, it looks like a good example of silently bundling a kernel-mode component in our application.


First off, the driver is created dynamically from the exe (perhaps as a resource).


By using Process Monitor to check the registry, I can tell PE is using RegCreateKey to create the keys under HKLM\System\CurrentControlSet\Services\PROCEXPxxx manually (and immediately deletes them afterward so that nothing is left behind once the driver is running).


By using "dumpbin /imports procexp.exe", I found that PE doesn't import CreateService at all. And by using the API Monitor (http://ift.tt/GBGzro), I did confirm that CreateService won't be called when we run it.


So, how does Process Explorer elegantly load a driver silently without rebooting and calling CreateService?
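Added example, not code from the question or from Sysinternals: one mechanism that matches every observation above (a Services key created and then deleted, no CreateService import, no reboot) is ntdll's NtLoadDriver, which takes the NT-style registry path of a service key and requires only SeLoadDriverPrivilege, so the Service Control Manager is never involved. The PowerShell script below walks that route end to end; the service name, driver path, the minimal set of key values and the NtUnloadDriver behaviour are assumptions, and whether this is precisely what Process Explorer does is not established by this page.

```powershell
# Added example (not Sysinternals' code): load and unload a kernel driver using only a
# Services registry key and ntdll's NtLoadDriver/NtUnloadDriver, so CreateService is
# never called. Assumptions: elevated PowerShell, and a driver the kernel will accept
# (correct architecture, signed for Driver Signature Enforcement). Names are placeholders.
#Requires -RunAsAdministrator

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;

public static class NtDriver
{
    [StructLayout(LayoutKind.Sequential)]
    public struct UNICODE_STRING
    {
        public ushort Length;        // bytes, not counting the terminator
        public ushort MaximumLength; // bytes, including the terminator
        public IntPtr Buffer;
    }

    [DllImport("ntdll.dll")] public static extern int NtLoadDriver(ref UNICODE_STRING DriverServiceName);
    [DllImport("ntdll.dll")] public static extern int NtUnloadDriver(ref UNICODE_STRING DriverServiceName);
    // Undocumented but long-stable: toggles one privilege on the process token by LUID value.
    [DllImport("ntdll.dll")] public static extern int RtlAdjustPrivilege(int Privilege, byte Enable, byte CurrentThread, out byte WasEnabled);
    public const int SE_LOAD_DRIVER_PRIVILEGE = 10;
}
"@

# A few NTSTATUS values a practitioner hits first when trying this.
$NtStatusNames = @{
    'C0000061' = 'STATUS_PRIVILEGE_NOT_HELD (SeLoadDriverPrivilege missing)'
    'C0000034' = 'STATUS_OBJECT_NAME_NOT_FOUND (service key or ImagePath missing)'
    'C000010E' = 'STATUS_IMAGE_ALREADY_LOADED'
    'C0000428' = 'STATUS_INVALID_IMAGE_HASH (rejected by Driver Signature Enforcement)'
}

function Invoke-NtDriverCall {
    # Marshal the NT registry path as a UNICODE_STRING whose buffer outlives the call,
    # then invoke NtLoadDriver or NtUnloadDriver and throw on a failing NTSTATUS.
    param([string]$NtKeyPath, [ValidateSet('Load','Unload')][string]$Action)
    $buf = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($NtKeyPath)
    $us = New-Object -TypeName 'NtDriver+UNICODE_STRING'
    $us.Length        = [uint16]($NtKeyPath.Length * 2)
    $us.MaximumLength = [uint16](($NtKeyPath.Length + 1) * 2)
    $us.Buffer        = $buf
    try {
        $status = if ($Action -eq 'Load') { [NtDriver]::NtLoadDriver([ref]$us) }
                  else                    { [NtDriver]::NtUnloadDriver([ref]$us) }
    } finally {
        [System.Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
    }
    if ($status -ne 0) {
        $hex = '{0:X8}' -f $status
        throw "Nt${Action}Driver failed: 0x$hex $($NtStatusNames[$hex])"
    }
}

function New-DriverServiceKey {
    # The minimal key the kernel loader reads: ImagePath as an NT path and Type=1
    # (SERVICE_KERNEL_DRIVER). Start/ErrorControl are added for completeness (assumption).
    param([string]$ServiceName, [string]$DriverPath)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $null = New-Item -Path $key -Force
    $null = New-ItemProperty -Path $key -Name ImagePath -PropertyType ExpandString -Force `
                -Value ('\??\' + (Resolve-Path -LiteralPath $DriverPath).ProviderPath)
    $null = New-ItemProperty -Path $key -Name Type -PropertyType DWord -Value 1 -Force
    $null = New-ItemProperty -Path $key -Name Start -PropertyType DWord -Value 3 -Force   # demand start
    $null = New-ItemProperty -Path $key -Name ErrorControl -PropertyType DWord -Value 1 -Force
    return $key
}

function Load-KernelDriver {
    param([Parameter(Mandatory)][string]$ServiceName, [Parameter(Mandatory)][string]$DriverPath)
    $key = New-DriverServiceKey $ServiceName $DriverPath
    try {
        # An elevated admin token holds SeLoadDriverPrivilege but disabled; enable it first.
        $was = [byte]0
        $st = [NtDriver]::RtlAdjustPrivilege([NtDriver]::SE_LOAD_DRIVER_PRIVILEGE, 1, 0, [ref]$was)
        if ($st -ne 0) { throw ('RtlAdjustPrivilege failed: 0x{0:X8}' -f $st) }
        Invoke-NtDriverCall "\Registry\Machine\SYSTEM\CurrentControlSet\Services\$ServiceName" Load
    } finally {
        # Delete the key right away, matching what Process Monitor shows for PE: the driver
        # stays resident, nothing persists in the registry, and the SCM never saw a service.
        Remove-Item -Path $key -Recurse -Force
    }
}

function Unload-KernelDriver {
    param([Parameter(Mandatory)][string]$ServiceName, [Parameter(Mandatory)][string]$DriverPath)
    # NtUnloadDriver resolves the driver object through its service key too, so the key
    # has to exist again for the duration of the call (assumption: same minimal values).
    $key = New-DriverServiceKey $ServiceName $DriverPath
    try     { Invoke-NtDriverCall "\Registry\Machine\SYSTEM\CurrentControlSet\Services\$ServiceName" Unload }
    finally { Remove-Item -Path $key -Recurse -Force }
}

# Usage (placeholder names). Between the two calls the driver is loaded, yet
# `sc query MyDrv` reports that no such service exists, because none was ever created.
# Load-KernelDriver   -ServiceName MyDrv -DriverPath C:\drivers\mydrv.sys
# Unload-KernelDriver -ServiceName MyDrv -DriverPath C:\drivers\mydrv.sys
```

Two practical checks follow from this. First, anything that lists drivers through the SCM (`sc query`, `driverquery`, Win32_SystemDriver) will not show a driver loaded this way, whereas an enumeration of loaded kernel modules (psapi's EnumDeviceDrivers, or Process Explorer's own driver view) will, so a defender should not rely on service enumeration alone; a kernel image-load callback (what Sysmon's DriverLoad event uses) sees the load regardless of how it was requested. Second, this route bypasses the SCM, not the kernel's own checks: on 64-bit Windows the image must still pass Driver Signature Enforcement, and the caller must hold SeLoadDriverPrivilege, which is why an elevated administrator token is required.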

