I need to differ two binary files - a driver and a common dll. As far as I understand I need to view sections of this files (e.g. via DumpBin) and see if there is an INIT section. Is this criteria complete?
Asked
Active
Viewed 1,836 times
2 Answers
1
You need to parse the binary and look into Subsystem filed of IMAGE_OPTIONAL_HEADER, if it's NATIVE, then it's a driver. Look into the following link for details:
Isso
- 1,285
- 11
- 23
-
Not entirely true. It could be a native program or DLL or a kernel mode DLL as well. "Native" actually means nothing other than "*no* subsystem". It's not some magic subsystem living somewhere on each Windows machine :) – 0xC0000022L Apr 03 '12 at 17:54
0
You would have to use heuristics to establish this fact and be certain to the extent possible. The problem is that there literally exist native user-mode programs (e.g. autochk.exe) and DLLs (frankly nothing comes to mind off hand, but I've seen them as part of native programs that do stuff before winlogon.exe gets to run) as well as kernel-mode counterparts (bootvid.dll, hal.dll and the kernel in one of its various forms ntoskrnl.exe).
So to establish it is a driver you could try the following:
IMAGE_OPTIONAL_HEADER::SubSystem, as pointed out, should signify that it's "native" (i.e. has no subsystem:IMAGE_SUBSYSTEM_NATIVE)- Verify that the
IMAGE_FILE_HEADER::Characteristicsis not DLL (which would mean it's a kernel or user mode DLL, check againstIMAGE_FILE_DLL) - Make sure it does or does not import
ntdll.dllor another user mode DLL or to the contrary that it imports one of the kernel mode modules (ntoskrnl.exe,hal.dll,bootvid.dll) to establish whether it would run in kernel or user mode.
The structs and defines are all included in winnt.h.
The gist:
- establish the subsystem (only
IMAGE_SUBSYSTEM_NATIVEis interesting for your case) - establish it is a DLL or not
- establish whether it links against user or kernel mode components
0xC0000022L
- 20,597
- 9
- 86
- 152