find driverObject from module address using windbg kernel mode debugging


I have the module address of a loaded driver. I want to get the driverobject from the module address or name using windbg in kernel mode debugging. Is there a command to find it?

3


0
Neitsa On

I don't recall if there's a list of driver objects accessible from a kernel global variable, so this is rather involved.

In Windbg you can query a list of all object (known to the object manager) with !object. This command, with the path option, allows you to query the \driver folder in the object manager to list all _DRIVER_OBJECT, for ex.:

0: kd> !object \driver
Object: ffff9c0a5dd51920  Type: (ffffe58ca0c8cd20) Directory
    ObjectHeader: ffff9c0a5dd518f0 (new version)
    HandleCount: 0  PointerCount: 105
    Directory Object: ffff9c0a5dc24420  Name: Driver

    Hash Address          Type                      Name
    ---- -------          ----                      ----
     00  ffffe58ca160ce00 Driver                    fvevol
         ffffe58ca0c9be20 Driver                    vdrvroot
     01  ffffe58ca15e8e00 Driver                    NetBT
         ffffe58ca0cc6e30 Driver                    acpiex
         ffffe58ca0d69df0 Driver                    Wdf01000
     02  ffffe58ca6ce8e30 Driver                    WdNisDrv
         ffffe58ca0c8e060 Driver                    mpsdrv
    
     // ... snip ...

The problem is that it's not scriptable at all, since you'll want to traverse the whole list (edit: the module base of a driver is given in _DRIVER_OBJECT.DriverStart).

The object manager root lies at the global nt!ObpRootDirectoryObject but it's a pain in the back to parse...

Hugsy made a really nice JS script to parse it, and fortunately it supports the \driver entry.

  1. Download the script :)
  2. Load the script, e.g.: .scriptload "C:\test\ObjectExplorer.js"
  3. Query all driver objects:

dx -r0 @$drvs = @$cursession.Objects.Children.Where( obj => obj.Name == "Driver" ).First().Children.Select( obj_entry => obj_entry.NativeObject)

Note: if you want to see how the script encapsulates the objects, you can just do:

dx -r0 @$drvs = @$cursession.Objects.Children.Where( obj => obj.Name == "Driver" ).First().Children

  4. Filter the driver objects with the module base you have, e.g. (obviously replace the 0xfffff8073a2d0000 address with your own):

0: kd> dx -g @$drvs.Where( drv => drv.DriverStart == 0xfffff8073a2d0000 )
===========================================================================================================================================================================================
=                              = [<Raw View>] = (+) HardwareDatabase                                         = (+) DeviceObject                                 = (+) Flags = (+) Devices =
===========================================================================================================================================================================================
= [0x0] : Driver "\Driver\CNG" - {...}        - 0xfffff80736355710 : "\REGISTRY\MACHINE\HARDWARE\DESCRIPT... - 0xffffe58ca0d7ac10 : Device for "\Driver\CNG"    - 0x12      - {...}       =
===========================================================================================================================================================================================

You can then click on the entries, it outputs the full _DRIVER_OBJECT (or you can just dt the address):

0: kd> dx -r1 (*((ntkrnlmp!_DRIVER_OBJECT *)0xffffe58ca0c8ec10))
(*((ntkrnlmp!_DRIVER_OBJECT *)0xffffe58ca0c8ec10))                 : Driver "\Driver\CNG" [Type: _DRIVER_OBJECT]
    [<Raw View>]     [Type: _DRIVER_OBJECT]
    HardwareDatabase : 0xfffff80736355710 : "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM" [Type: _UNICODE_STRING *]
    DeviceObject     : 0xffffe58ca0d7ac10 : Device for "\Driver\CNG" [Type: _DEVICE_OBJECT *]
    Flags            : 0x12
    Devices         
0: kd> dx -r1 -nv (*((ntkrnlmp!_DRIVER_OBJECT *)0xffffe58ca0c8ec10))
(*((ntkrnlmp!_DRIVER_OBJECT *)0xffffe58ca0c8ec10))                 : Driver "\Driver\CNG" [Type: _DRIVER_OBJECT]
    [+0x000] Type             : 4 [Type: short]
    [+0x002] Size             : 336 [Type: short]
    [+0x008] DeviceObject     : 0xffffe58ca0d7ac10 : Device for "\Driver\CNG" [Type: _DEVICE_OBJECT *]
    [+0x010] Flags            : 0x12 [Type: unsigned long]
    [+0x018] DriverStart      : 0xfffff8073a2d0000 [Type: void *]
    [+0x020] DriverSize       : 0xbd000 [Type: unsigned long]
    [+0x028] DriverSection    : 0xffffe58ca0c6dd50 [Type: void *]
    [+0x030] DriverExtension  : 0xffffe58ca0c8ed60 [Type: _DRIVER_EXTENSION *]
    [+0x038] DriverName       [Type: _UNICODE_STRING]
    [+0x048] HardwareDatabase : 0xfffff80736355710 : "\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM" [Type: _UNICODE_STRING *]
    [+0x050] FastIoDispatch   : 0x0 [Type: _FAST_IO_DISPATCH *]
    [+0x058] DriverInit       : 0xfffff8073a384010 : cng!GsDriverEntry+0x0 [Type: long (__cdecl*)(_DRIVER_OBJECT *,_UNICODE_STRING *)]
    [+0x060] DriverStartIo    : 0x0 : 0x0 [Type: void (__cdecl*)(_DEVICE_OBJECT *,_IRP *)]
    [+0x068] DriverUnload     : 0x0 : 0x0 [Type: void (__cdecl*)(_DRIVER_OBJECT *)]
    [+0x070] MajorFunction    [Type: long (__cdecl* [28])(_DEVICE_OBJECT *,_IRP *)]
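The same lookup (module base -> _DRIVER_OBJECT) can be done without a third-party object-manager parser by letting `!object \Driver` enumerate the driver objects and then reading each one's DriverStart through the data model. The script below is an added example and is not code from the thread, from Hugsy's ObjectExplorer.js, or from Microsoft; it assumes the `nt` module alias resolves in the session, that `!object \Driver` prints the "hash address type name" layout shown in the answer above, and that a driver's DriverStart equals its module base (as the answer's `dx` filter also assumes). The parsing and address-normalisation helpers are pure JavaScript; only `findDriverObjectByBase` touches the WinDbg `host` API.

```javascript
"use strict";
// Added example (not from the thread): resolve a _DRIVER_OBJECT from a module
// base in WinDbg kernel debugging. Load with .scriptload, then run e.g.
//   dx @$scriptContents.findDriverObjectByBase("fffff8073a2d0000")
// Assumptions: "nt" resolves as the kernel module alias, and the line layout of
// `!object \Driver` is "  hh  <address> Driver <name>" with an optional hash column.

// Pure helper: normalise "ffffe58c`a160ce00", "0xFFFF...", etc. to 16 lowercase hex digits.
function normHex(s) {
    let h = String(s).replace(/`/g, "").replace(/^0x/i, "").toLowerCase();
    while (h.length < 16) h = "0" + h;
    return h;
}

// Pure helper: parse one output line of `!object \Driver`.
// Returns {addr, name} for a Driver entry, or null for headers and other lines.
function parseDriverLine(line) {
    const m = /^\s*(?:[0-9a-fA-F]{2}\s+)?([0-9a-fA-F`]{8,17})\s+Driver\s+(\S+)\s*$/.exec(line);
    return m ? { addr: normHex(m[1]), name: m[2] } : null;
}

// Pure helper: parse the whole listing into an array of {addr, name}.
function parseDriverListing(lines) {
    const out = [];
    for (const line of lines) {
        const e = parseDriverLine(line);
        if (e) out.push(e);
    }
    return out;
}

// Pure helper: case-insensitive lookup by driver name (e.g. "cng"), mirroring
// what you would pass to !drvobj once the name is known.
function findEntryByName(entries, name) {
    const want = String(name).toLowerCase();
    for (const e of entries) {
        if (e.name.toLowerCase() === want) return e;
    }
    return null;
}

// WinDbg glue: run `!object \Driver`, then read DriverStart from every
// _DRIVER_OBJECT and return the typed object whose DriverStart equals baseHex.
function findDriverObjectByBase(baseHex) {
    const ctl = host.namespace.Debugger.Utility.Control;
    const want = host.parseInt64(normHex(baseHex), 16);
    const entries = parseDriverListing(ctl.ExecuteCommand("!object \\Driver"));
    for (const e of entries) {
        // Assumption: "nt" is accepted as the module name for the kernel's types.
        const drv = host.createTypedObject(host.parseInt64(e.addr, 16), "nt", "_DRIVER_OBJECT");
        if (drv.DriverStart.address.compareTo(want) === 0) {
            host.diagnostics.debugLog(`${e.name} -> _DRIVER_OBJECT at 0x${e.addr}\n`);
            return drv;   // dt nt!_DRIVER_OBJECT <addr> shows the same structure
        }
    }
    host.diagnostics.debugLog(`no driver object with DriverStart == 0x${normHex(baseHex)}\n`);
    return null;
}
```

If the returned object is `null`, the driver is either not registered under `\Driver` (some are under `\FileSystem`, which the same parser handles if you change the `!object` path) or its DriverStart differs from the base you were given; in that case `lm a <address>` on the module base tells you which module actually owns it.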
0
user846940 On

Somehow !object \driver did not show my driver. Don't know the exact reason. Could manage some workaround. Since I knew the module address, I debugged till DriverEntry. The first parameter to DriverEntry is the DriverObject. I was able to dump it.

0
blabb On

If you know the name of the driver, then you can use

!drvobj drivername flag

If you have an address, you can use

lm a address

to get the module name, and use the module name in !drvobj to get the details.
