在Windows 7 32位VM上安装SSDT挂钩会返回系统错误2

Question

I use the following code to create a driver that hooks Win7-32bit SSDT table. It is taken straight from Greg & Jamie's book. Please note that I don't even call the hooking code from main:

main.c http://pastebin.com/Ck8FSVbv

SSDT_Hook.h http://pastebin.com/y1ssD1ni

When I try to load it, sc.exe returns error 2.

But I can't figure out why. Couldn't find answers is similar questions.

Answer 1

It seems that system cannot find your driver file. You probably specified bad full path when installing the service. Look to the service registry key

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\<your_service_name>

for the ImagePath value. This value must contain full path to your driver file, either relative to the system root (usually C:\\Windows ), or "totally" absolute – starting with the \\??\\X: prefix ( X is the drive letter, \\??\\ makes the path absolute from the Object Manager point of view).

I assume you grabbed the code from the Rootkits: Subverting the Windows Kernel book. It's a great book, howerver, keep in mind the following:

1) it is kinda old and many of its codes do not work on multiprocessor machines,

2) it is a hacker book which means it does not tell you how to do things nicely, it just tells you how to make a code working somewhat. A code based on it may work but may be full of errors if you lack knowledge about Windows driver development.

That does not mean it is a bad book. It just is not a guide how you should write Windows drivers.