Driver Start Type Property

Question

I need to detect if a driver was initialized in the boot or system ... and I have the variable "DEVICE_OBJECT" to get this information. Researched the properties of "DEVICE_OBJECT" and "DRIVER_OBJECT" to extract this information without success. Does anyone have any tips on how to do?

You need way more information to get meaningful help, OS, driver, and driver detection library to start. — IllusiveBrian, Nov 20 '14 at 17:46

score 0 · Answer 1 · answered Nov 20 '14 at 22:19

NTSTATUS
IopInitializeDeviceNodeService(PDEVICE_NODE DeviceNode, BOOLEAN BootDriverOnly)
{
   NTSTATUS Status;
   ULONG ServiceStart;
   RTL_QUERY_REGISTRY_TABLE QueryTable[2];

   if (DeviceNode->ServiceName.Buffer == NULL)
   {
      return STATUS_UNSUCCESSFUL;
   }

   /*
    * Get service start value
    */

   RtlZeroMemory(QueryTable, sizeof(QueryTable));
   QueryTable[0].Name = L"Start";
   QueryTable[0].Flags = RTL_QUERY_REGISTRY_DIRECT;
   QueryTable[0].EntryContext = &ServiceStart;
   Status = RtlQueryRegistryValues(RTL_REGISTRY_SERVICES,
      DeviceNode->ServiceName.Buffer, QueryTable, NULL, NULL);
   if (!NT_SUCCESS(Status))
   {
      DPRINT("RtlQueryRegistryValues() failed (Status %x)\n", Status);
      return Status;
   }

Driver Start Type Property

1 Answers1