3

Process Monitor and Explorer are supplied as an EXE file, but they include a driver. Where is it?

According to Windows Internals,

Process Monitor works by extracting a file system filter device driver from its executable image (Procmon.exe) the first time you run it after a boot, installing the driver in memory, and then deleting the driver image from disk.

I would like to know the detailed mechanism.
Is there some code for that? Where can I find it?
Or could you explain it to me?
Thanks.

Benjamin

2 Answers

3

Last time I looked, it was just embedded into the executable as a resource. You can use something like Resource Hacker to see it. I guess when the process starts it extracts the driver from the resource section and installs it.

Luke
  • Thanks Luke. *when the process starts it extracts the driver from the resource section and installs it.* But I would like to know more details about this. – Benjamin Oct 21 '10 at 23:42
  • 1
    It just copies the driver resource out to a temp file, then loads the driver into the system via the temp file. Nothing fancy. – nobody Oct 21 '10 at 23:51
  • @Benjamin: what details? There's nothing special to it. It is extracted the way any other resource is extracted from any other executable file. And once extracted, it is installed like any other device driver is installed. If you want to ask about one of those steps, you might want to ask a question about that specifically. – jalf Oct 21 '10 at 23:52
  • @Andrew Thanks Andrew. That's what I wanted to know. – Benjamin Oct 22 '10 at 02:49
2

An executable file in Windows may contain, among other things, a "resource" section. It may contain any binary data, which the executable may access at run-time.

The trick is to put the whole other executable (the SYS file of the driver, for instance) inside an EXE at link time. Then at runtime the EXE extracts this into a SYS file.

Then this driver may be loaded on the fly (using the SC manager).

valdo
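Both answers describe the driver as a resource embedded in the EXE. As an added example (not code from either answer or from Sysinternals), the script below walks a PE file's resource directory and reports every resource that is itself a PE image, which is the check you would run on an executable to see whether it carries an embedded driver. It parses a minimal PE32+ constructed inline; `find_embedded_pe` and `build_sample_pe` are names chosen here.

```python
import struct

def _rva_to_off(sections, rva):
    """Map an RVA to a file offset using the (VA, raw size, raw ptr) section table."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError("RVA %#x lies outside every section" % rva)

def find_embedded_pe(data):
    """Return [(type, name, lang, size)] for every resource whose data starts with 'MZ'."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                      # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)      # NumberOfSections, SizeOfOptionalHeader
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)                      # data directories: PE32+ vs PE32
    rsrc_rva = struct.unpack_from("<I", data, dirs + 2 * 8)[0]        # directory entry 2 = resource table
    sections = [struct.unpack_from("<III", data, opt + opt_size + i * 40 + 12) for i in range(nsec)]
    if not rsrc_rva:
        return []
    base = _rva_to_off(sections, rsrc_rva)
    found = []
    def walk(off, path):  # IMAGE_RESOURCE_DIRECTORY: entry counts at +12/+14, 8-byte entries from +16
        n_named, n_id = struct.unpack_from("<HH", data, off + 12)
        for i in range(n_named + n_id):
            ident, child = struct.unpack_from("<II", data, off + 16 + i * 8)
            if child & 0x80000000:                                    # high bit set: one more directory level
                walk(base + (child & 0x7FFFFFFF), path + (ident,))
            else:                                                     # IMAGE_RESOURCE_DATA_ENTRY: RVA, size
                rva, size = struct.unpack_from("<II", data, base + child)
                blob = _rva_to_off(sections, rva)
                if data[blob:blob + 2] == b"MZ":                      # resource is itself a PE image
                    found.append(path + (ident, size))
    walk(base, ())
    return found

def build_sample_pe(payload):
    """Constructed minimal PE32+ with a single RCDATA (type 10) resource carrying `payload`."""
    rsrc = bytearray()
    for ident, child in ((10, 0x80000000 | 0x18), (101, 0x80000000 | 0x30), (0x409, 0x48)):
        rsrc += struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", ident, child)
    rsrc += struct.pack("<IIII", 0x1000 + 0x58, len(payload), 0, 0) + payload      # data entry, then blob
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                              # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = (struct.pack("<H", 0x20B).ljust(128, b"\0") + struct.pack("<II", 0x1000, len(rsrc))).ljust(240, b"\0")
    sec = b".rsrc\0\0\0" + struct.pack("<IIIIIIHHI", len(rsrc), 0x1000, len(rsrc), 0x200, 0, 0, 0, 0, 0x40000040)
    return (dos + coff + opt + sec).ljust(0x200, b"\0") + bytes(rsrc)
```

Run `find_embedded_pe(open(path, "rb").read())` against a real executable to list embedded PE images by resource type, name and language id; a result such as `(10, 101, 1033, size)` is an RCDATA resource holding an "MZ" image.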