Use BoundsChecker Driver Edition on kernel mode DLL

0 Likes

Problem:

How can I use BoundsChecker to monitor a kernel mode DLL like printer driver or video driver? I cannot get any events from BoundsChecker.

Resolution:

Perform the following steps to use BoundsChecker on kernel mode DLL.

1. Select your DLL from DriverWorkbench | BoundsChecker | Settings | Select Drivers. If you can see your DLL from this list, then go to step 2.

1.1 If you cannot see your DLL from Select Driver page, you need to click on Add Driver button and manually add your DLL to this list.

1.2 Click OK on BoundsChecker Settings dialog box. Run regedit.exe. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BChkD\UserDriver. You should see this key pointing to your DLL.

1.3 In the UserDriver key, the driver you just added should be listed. Following the name of each of your DLL (say testprn.dll), there will be two bytes 00 01. The 00 is a NULL terminator and should be left alone. The 01 is a byte that tells BoundsChecker how to hook this driver. For printer and video drivers, change this byte to 02.

2. Select Driver APIs in BoundsChecker | Settings. Do not select events Int0E/Int2E_AppMode/Int2E_KernelMode in Interrupt/Faults category unless necessary. These three APIs will generate a tremendous number of events, which may overwrite your intended log in the BoundsChecker circular-queue buffer.

3. Reboot system if you make any changes. You should see DLL events next time system boots up and your DLL is used.

Old KB# 11621
Comment List
Anonymous
Related Discussions
Recommended