Question

Process Monitor and Process Explorer are supplied as EXE files, but they include a driver. Where is it?

According to Windows Internals:

Process Monitor works by extracting a file system filter device driver from its executable image (Procmon.exe) the first time you run it after a boot, installing the driver in memory, and then deleting the driver image from disk.

I would like to know the detailed mechanism.
Is there some code for that? Where can I find it?
Or could you explain it to me?
Thanks.


Solution

Last time I looked, it was just embedded into the executable as a resource. You can use something like Resource Hacker to see it. I guess that when the process starts, it extracts the driver from the resource section and installs it.

OTHER TIPS

An executable file in Windows may contain, among other things, a "resource" section. It may contain any binary data, which the executable may access at run time.

The trick is to put the whole other executable (the SYS file of the driver, for instance) inside the EXE at link time. Then at runtime the EXE extracts it into a SYS file.

Then this driver may be loaded on the fly (using the SC manager).
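As an added example (not code from the original post, and not Sysinternals' own implementation), the following PowerShell script performs the two steps the answers above describe: it enumerates the RT_RCDATA resources of an EXE through the Win32 resource API, writes out any that are themselves PE images (which is how a bundled .sys would show up), and, when run with -Load, registers one as a kernel driver through the Service Control Manager and deletes the file afterwards. The paths, the service name, and the assumption that the driver is stored as an RCDATA resource are placeholders of mine.

```powershell
# Added example, not Procmon's own code. Assumptions: the driver is an RT_RCDATA
# resource; $ExePath, $OutDir and $DriverName are hypothetical placeholders.
param(
    [string]$ExePath    = "C:\Tools\Procmon.exe",
    [string]$OutDir     = (Join-Path $env:TEMP "extracted"),
    [string]$DriverName = "ExtractedTestDriver",
    [switch]$Load
)

# P/Invoke wrappers for the resource API; Add-Type supplies the using directives.
Add-Type -Namespace Win32 -Name Res -MemberDefinition @"
public delegate bool EnumResNameProc(IntPtr hModule, IntPtr lpszType, IntPtr lpszName, IntPtr lParam);
[DllImport("kernel32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
public static extern IntPtr LoadLibraryEx(string lpFileName, IntPtr hFile, uint dwFlags);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern bool FreeLibrary(IntPtr hModule);
[DllImport("kernel32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
public static extern bool EnumResourceNames(IntPtr hModule, IntPtr lpszType, EnumResNameProc lpEnumFunc, IntPtr lParam);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern IntPtr FindResource(IntPtr hModule, IntPtr lpName, IntPtr lpType);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern IntPtr LoadResource(IntPtr hModule, IntPtr hResInfo);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern uint SizeofResource(IntPtr hModule, IntPtr hResInfo);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern IntPtr LockResource(IntPtr hResData);
"@

$RT_RCDATA                = [IntPtr]10   # resource type used for arbitrary binary blobs
$LOAD_LIBRARY_AS_DATAFILE = [uint32]2    # map the file for resource access only; no code runs

function Export-EmbeddedPeResources([string]$Path, [string]$Dir) {
    if (-not (Test-Path $Dir)) { New-Item -ItemType Directory -Path $Dir | Out-Null }
    $hMod = [Win32.Res]::LoadLibraryEx($Path, [IntPtr]::Zero, $LOAD_LIBRARY_AS_DATAFILE)
    if ($hMod -eq [IntPtr]::Zero) { throw "LoadLibraryEx failed for $Path" }
    $script:ExtractDir = $Dir
    $script:Found = @()
    # The callback runs once per RCDATA resource name while EnumResourceNames is executing.
    $cb = [Win32.Res+EnumResNameProc]{
        param([IntPtr]$h, [IntPtr]$type, [IntPtr]$name, [IntPtr]$lParam)
        $info  = [Win32.Res]::FindResource($h, $name, $type)
        $size  = [int][Win32.Res]::SizeofResource($h, $info)
        $ptr   = [Win32.Res]::LockResource([Win32.Res]::LoadResource($h, $info))
        $bytes = New-Object byte[] $size
        [System.Runtime.InteropServices.Marshal]::Copy($ptr, $bytes, 0, $size)
        # Keep only blobs that are PE images themselves: an "MZ" header marks a candidate driver.
        if ($size -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A) {
            # MAKEINTRESOURCE IDs have a zero high word; anything else is a wide-string name.
            $label = if (($name.ToInt64() -shr 16) -eq 0) { "id$($name.ToInt64())" }
                     else { [System.Runtime.InteropServices.Marshal]::PtrToStringUni($name) }
            $out = Join-Path $script:ExtractDir "$label.sys"
            [System.IO.File]::WriteAllBytes($out, $bytes)
            $script:Found += $out
        }
        return $true   # keep enumerating
    }
    [Win32.Res]::EnumResourceNames($hMod, $RT_RCDATA, $cb, [IntPtr]::Zero) | Out-Null
    [Win32.Res]::FreeLibrary($hMod) | Out-Null
    return $script:Found
}

function Install-KernelDriver([string]$Name, [string]$SysPath) {
    # "type= kernel" makes the SCM load the image into the kernel instead of starting a process.
    # Needs an elevated shell; on 64-bit Windows the .sys must carry a trusted signature.
    & sc.exe create $Name type= kernel start= demand binPath= $SysPath | Out-Null
    & sc.exe start $Name | Out-Null
    # The image now lives in kernel memory, so the on-disk copy can go (Procmon deletes it too).
    Remove-Item $SysPath -Force
}

function Remove-KernelDriver([string]$Name) {
    & sc.exe stop $Name | Out-Null
    & sc.exe delete $Name | Out-Null
}

$drivers = Export-EmbeddedPeResources -Path $ExePath -Dir $OutDir
"Embedded PE images found: $($drivers -join ', ')"
if ($Load -and $drivers.Count -eq 1) {
    Install-KernelDriver -Name $DriverName -SysPath $drivers[0]
    & sc.exe query $DriverName          # confirm the driver service is RUNNING
    Remove-KernelDriver -Name $DriverName
}
```

Run it without -Load first: the extraction step is read-only and shows you whether the EXE really carries a PE image as a resource, the same view Resource Hacker gives. Loading requires administrator rights, and on 64-bit Windows the extracted .sys has to pass driver signature enforcement, which is why a tool like Procmon ships a signed driver. Note that the drop, create-service, start, delete sequence is also exactly the pattern endpoint telemetry is built to surface (Sysmon's DriverLoad event, ID 6, for instance), so expect it to be logged wherever you try it.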

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow