diStorm64 for Ring 0
Gil Dabah Jan 2007
http://ragestorm.net/distorm/

Tested sample with DDK 3790.1830 using WinXPSP2.

Steps of how to build the diStorm64 sample using the DDK.

Warning - Make sure the path you extracted diStorm to does not include any spaces, otherwise you will get an error from the build.

1) Open the DDK's build environment, for example: "Win XP Free Build Environment",
which readies the evnrionment variables for building a driver.

2) Launch "build".

3) If everything worked smoothly, you should see a new file named "distorm.sys" under objfre_wxp_x86\i386
(that's if you use WinXP and the Free Environment).

	- If you experienced any errors, try moving the whole distorm directory to c:\winddk\src\
	  (or any other directory tree which doesn't contain spaces in its name).

4) Now you will have to register the new driver:
	a. Copy the distorm.sys file to \windows\system32\drivers\.
	b. Use the DDK's regini.exe with the supplied distorm.ini.
	c. Restart Windows for the effect to take place. :(
	   (this can be bypassed, if you register the driver directly in the SCM, there are other tools which do so).

5) Now open your favorite debug-strings monitor (mine is DebugView).
Make sure you monitor kernel debug-strings.

6) Launching "net start distorm" from command line, will run the DriverEntry code in "main.c",
which will disassemble a few instructions from the KeBugcheck routine and dump it using DbgPrint.

7) Later launch "net stop distorm" from command line to stop the test driver.


NOTES:
-+----
The sample uses the stack for storing the results from the decode function.
If you have too many structures on the stack, you better allocate memory before calling the decode function,
and later on free that memory. Don't use the NONPAGED pool if you don't really need it.

_OffsetType is the type of the DecodedInstruction.Offset field, which defaults to 64bits,
so make sure that when you print this variable you use %I64X, or when you use it anywhere else, you use the _OffsetType as well.
If you want to change the _OffsetType into 32 bits, edit the "disconfig.h" file.

diStorm can be really compiled for all IRQL, it doesn't use any resource or the standard C library at all.
Although the sample uses diStorm at PASSIVE level.
