views: 39
answers: 3
Process Monitor and Explorer are supplied as an EXE file, but they include a driver. Where is it?

According to Windows Internals,

Process Monitor works by extracting a file system filter device driver from its executable image (Procmon.exe) the first time you run it after a boot, installing the driver in memory, and then deleting the driver image from disk.

I would like to know the detailed mechanism.
Is there some code about that? Where can I find it?
Or could you explain it to me?
Thanks.

+2  A: 

Last time I looked it was just embedded into the executable as a resource. You can use something like Resource Hacker to see it. I guess when the process starts it extracts the driver from the resource section and installs it.

Luke
Thanks Luke. *when the process starts it extracts the driver from the resource section and installs it.* But I would like to know more details about this.
Benjamin
It just copies the driver resource out to a temp file, then loads the driver into the system via the temp file. Nothing fancy.
Andrew Medico
@Benjamin: what details? There's nothing special to it. It is extracted the way any other resource is extracted from any other executable file. And once extracted, it is installed like any other device driver is installed. If you want to ask about one of those steps, you might want to ask a question about that specifically.
jalf
@Andrew Thanks Andrew. That's what I wanted to know.
Benjamin
A: 

Try this: install Everything and start it. Search for procexp (install it if you didn't already). Start it from within Everything and observe the file listing...

... what happened?

Procexp, upon starting, created another file and then deleted it.

Daniel Mošmondor
I'm sure doing so would be enlightening, but an answer which basically says "download a program off the internet, run it and see what happens" *has* to be downvoted.
jalf
No it doesn't (at least I think so), because, first, Everything is a valuable resource for everyone, and second, it will clearly show how procexp drops another file and then starts... OK, maybe I needed to write that in the answer at first; you are right.
Daniel Mošmondor
+1  A: 

An executable file in Windows may contain, among other things, a "resource" section. It may contain any binary data, which the executable may access at run-time.

The trick is to put the whole other executable (the SYS file of the driver, for instance) inside an EXE at link time. Then at runtime the EXE extracts this into a SYS file.

Then this driver may be loaded on the fly (using the SC manager).

valdo
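One way to check Luke's and valdo's point without a resource editor, as an added example that is not code from any poster here: scan a file's raw bytes for PE headers and flag any embedded image whose subsystem is NATIVE, the value kernel-mode drivers use. The sample input is constructed inline; running it on a real Procmon.exe assumes the driver image is stored uncompressed inside the executable.

```python
import struct

IMAGE_SUBSYSTEM_NATIVE = 1  # subsystem value used by kernel-mode drivers (.sys)

def find_pe_images(blob):
    """Scan raw bytes for PE headers; return a list of (offset, subsystem)."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            nt = pos + e_lfanew
            # Signature(4) + COFF FileHeader(20) + OptionalHeader; Subsystem sits
            # at offset 68 of the optional header for both PE32 and PE32+.
            if e_lfanew >= 0x40 and nt + 94 <= len(blob) and blob[nt:nt + 4] == b"PE\0\0":
                magic = struct.unpack_from("<H", blob, nt + 24)[0]
                if magic in (0x10B, 0x20B):
                    subsystem = struct.unpack_from("<H", blob, nt + 92)[0]
                    hits.append((pos, subsystem))
        pos = blob.find(b"MZ", pos + 1)
    return hits

def embedded_driver_offsets(blob):
    """Offsets of PE images inside blob (not the outer image at 0) whose subsystem is NATIVE."""
    return [off for off, sub in find_pe_images(blob)
            if off > 0 and sub == IMAGE_SUBSYSTEM_NATIVE]

def make_min_pe(subsystem, payload=b""):
    """Constructed, minimal (non-loadable) PE header with the given subsystem."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    opt = struct.pack("<H", 0x10B) + b"\0" * 66 + struct.pack("<H", subsystem) + b"\0" * 26
    return dos + b"PE\0\0" + b"\0" * 20 + opt + payload

# Constructed sample: a GUI executable (subsystem 2) carrying a NATIVE-subsystem
# image after 32 bytes of padding, standing in for an EXE with a .sys in its resources.
SAMPLE_EXE = make_min_pe(2, payload=b"\0" * 32 + make_min_pe(IMAGE_SUBSYSTEM_NATIVE))

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_EXE
    for off in embedded_driver_offsets(data):
        print("embedded NATIVE-subsystem PE image at offset 0x%x" % off)
```

Pass a file path to check a real binary; because this scans raw bytes rather than walking the resource directory, it also flags a driver image stored anywhere else in the file.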