New to Drivers

  • Question

  • Dear all,

    It is my first post in this forum. I am trying to build a driver that can work on XP to Win8.

    The idea is to detect process execution via the PsSetCreateProcessNotifyRoutine function.

    The first question is: 1) what WDK should I use for this backward compatibility (XP onwards)?

    My second question is: 2) I have downloaded several samples and they don't seem to be working in Windows 8 (neither the compiled sys nor my compiled sys).

    Can someone give me some starting pointers on how I can compile a driver and how I can make it work? I am using VS2008 and Win8, so my approach would be via the cmd build.

    Thanks for the help in advance.

    Regards,


    Thursday, March 26, 2015 11:37 AM

All replies

  • There is a general rule that you use the latest WDK that supports the oldest OS you wish to run on.  For XP that would be the Windows 7 WDK.  The Win7 WDK includes its own compiler and toolset and that is what you should use.  Be aware that the approach to building drivers changed completely with the Windows 8 WDK.

    You say you downloaded samples, the question is from where.  There are a lot of questionable samples on the web, the Win7 WDK includes its own samples and you should use those.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com

    Thursday, March 26, 2015 12:47 PM
  • Thanks Don.

    I am using it already, what Build Environment should I use ?

    Also, I need to test the driver on Win8, should I go ahead and disable the Driver Signing Enforcement?

    Thanks!

    Thursday, March 26, 2015 1:19 PM
  • Driver signing enforcement is for 64-bit whether it is XP or any other version.  For initial testing, yes, you need to disable driver signing.  At some point you want to be doing Test Signing to make sure that works, and assuming you are shipping this driver to the world, you need to sign the driver.  Note: signing is a challenge since Win8 wants a SHA256 key, Win7 has a recent update that allows it to use that key, and earlier OSes require the SHA128 key.  It gets even more complex with Windows 10, since the signing is different there.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com

    Thursday, March 26, 2015 1:25 PM
  • Thanks Don.

    I managed to compile the driver. One quick question, what Build Environment should I use for XP onwards compatibility?

    Now I have another problem, I disabled the Driver Signing Enforcement for testing purposes.

    I am trying to load it, OpenService returns fine, but StartService fails with code 1275. What could be the problem? I am running Win8 x64.

    Thanks!

    Thursday, March 26, 2015 2:54 PM
  • The rule is to use the oldest OS you want to support; Microsoft does an outstanding job of providing compatibility for drivers moving forward.  Note: for x64 the XP build is listed as Server 2003 x64.

    The error means the driver is blocked. Do you have a debugger connected?  Using F8 to disable driver signing enforcement typically expects debugging enabled and active also.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com

    Thursday, March 26, 2015 3:07 PM
  • Yes, I am in a debugging environment. I disabled enforcement via the startup/boot setup. What could be the problem?
    Thursday, March 26, 2015 3:37 PM
  • Tried again with another driver and keeps throwing a 1275 error.

    I am using this class to load it:

    http://www.codeproject.com/Articles/31905/A-C-class-wrapper-to-load-unload-device-drivers

    Any hints?



    Thursday, March 26, 2015 8:00 PM
  • Which sample drivers did you use?  The wrapper and the OSR Loader only work on non-PnP drivers.  Since most of the samples are Plug and Play these days, this could be the problem.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com

    Friday, March 27, 2015 11:03 AM
  • Don, I used the following samples:

    http://www.codeproject.com/Articles/2018/Detecting-Windows-NT-K-process-execution

    and several samples from:

    C:\WinDDK\7600.16385.1\src

    With the CodeProject driver, StartService throws a 1275 error with the compiled sys and my compiled sys as well.

    What can I do different so as to make this work? My Win8 is in Debug Test mode (watermark)

    Thanks



    Friday, March 27, 2015 7:13 PM
  • Try using a current sample such as the src\general\ioctl\wdm sample from the WDK.  See if the sys file from that will load on your system.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com

    Friday, March 27, 2015 7:31 PM
  • Don, I compiled the sioctl.sys and still get a 1275 error on StartService. First, when I started the load, StartService hung and I needed to break it.

    The second time (and so on) the 1275 returned. Still does not load.

    What I am doing to compile the driver is checking Build Environment Variables, and then building it in the opened cmd. It compiles OK.

    What else could I do to see what's happening?

    Thanks for all your help.





    Friday, March 27, 2015 8:07 PM
  • Well, now that I read the post I am compiling the driver with the x64 environment for my Win 8 64. The problem now is that StartService throws a 1058 error. My question now is: is the WDK 7 good to build drivers in Win 8 64? I still don't know what I am doing wrong. Thanks!
    Saturday, March 28, 2015 1:05 PM
  • The Win7 WDK will work for a Win8 x64 driver just fine.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com

    Saturday, March 28, 2015 1:22 PM
  • Thanks Don. Well, now I made progress. I installed the driver and a pop-up blocking window appeared.

    Program Compatibility Assistant - A digital signed driver is required.

    I have disabled the enforcement in the startup and then did:

    bcdedit -set loadoptions DISABLE_INTEGRITY_CHECKS
    bcdedit -set TESTSIGNING ON

    I also see the Test Watermark on my screen.

    I still don't know what I am missing.


    Saturday, March 28, 2015 1:41 PM
  • Well. I solved it. Rebooted again!

    Thanks for all your support!

    In addition, does someone know any good working sample for detecting process execution via PsSetCreateProcessNotifyRoutine?

    Thanks!


    Saturday, March 28, 2015 5:02 PM
  • I don't know of any good examples, but what are you looking for with PsSetCreateProcessNotifyRoutine?  The callback you register will be called when a process is created or exits.  If you want to know the executable file, call PsSetLoadImageNotifyRoutine; the first callback for the process is the executable file.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com

    Saturday, March 28, 2015 5:23 PM
  • Don, thanks. I am new to drivers. Could you explain to me how that callback works?
    Saturday, March 28, 2015 7:17 PM
  • The following is a small sample (untested) that shows how to register the callbacks and a couple of sample callback routines:

    #include <ntddk.h>

    /* Image-load callback: called for every executable or DLL mapped into a
       process. The first call for a new process is the executable itself. */
    static VOID ImageCallback ( IN PUNICODE_STRING FullImageName,
    					   IN HANDLE ProcessId,
    					   IN PIMAGE_INFO ImageInfo )
    {
    	UNREFERENCED_PARAMETER( ImageInfo );

    	/* KdPrint takes a double-parenthesised argument list; %p is used for
    	   the HANDLE so the format is correct on both x86 and x64. */
    	KdPrint(( "Process %p loading %wZ\n", ProcessId, FullImageName ));
    }

    /* Process callback: Create is TRUE on process creation, FALSE on exit. */
    static VOID ProcessCallback ( IN HANDLE ParentId, IN HANDLE ProcessId, IN BOOLEAN Create )
    {
    	UNREFERENCED_PARAMETER( ParentId );

    	KdPrint(( "Process %p being %s\n", ProcessId, Create ? "created" : "deleted" ));
    }

    /* Registers both callbacks. If the second registration fails, the first
       is removed again (second argument TRUE) so nothing stays registered. */
    NTSTATUS RegisterCallbacks( void )
    {
    	NTSTATUS	status;

    	status = PsSetCreateProcessNotifyRoutine( ProcessCallback, FALSE );
    	if ( NT_SUCCESS( status ) )
    	{
    		status = PsSetLoadImageNotifyRoutine( ImageCallback );
    		if ( !NT_SUCCESS( status ) )
    		{
    			(void) PsSetCreateProcessNotifyRoutine( ProcessCallback, TRUE );
    		}
    	}
    	return status;
    }


    Basically, the PsSetXXX functions register with the OS callback functions you create, and the system then calls them on a process creation or image load (i.e. an executable or a DLL).  Be sure you unregister these callbacks with PsSetCreateProcessNotifyRoutine(XXX, TRUE); and PsRemoveLoadImageNotifyRoutine(XXX); when you are exiting your driver.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com

    Saturday, March 28, 2015 7:39 PM
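As an added example (not code from this thread or from Don Burn): the per-process bookkeeping a driver built on these two callbacks would keep, following the point above that the first image-load callback for a process is its executable. It is plain C without ntddk.h so it can be compiled and checked in user mode; the function names, the fixed-size table and the unsigned long pids are this example's own stand-ins for the kernel's HANDLE ProcessId.

```c
#include <string.h>
/* Added example, not the thread's code: per-process bookkeeping fed by the two
 * callbacks above, in plain C (no ntddk.h) so it runs in user mode. A driver
 * would add a spin lock (callbacks run in arbitrary context) and HANDLE pids. */
#define MAX_PROCS 64
#define MAX_IMAGE 260
struct proc_entry { int in_use; unsigned long pid; char image[MAX_IMAGE]; };
static struct proc_entry g_table[MAX_PROCS];  /* image[0]==0 until first load */

/* in_use=1: the entry for pid; in_use=0: any free slot (pid ignored). */
static struct proc_entry *find_slot(unsigned long pid, int in_use)
{
    for (int i = 0; i < MAX_PROCS; i++)
        if (g_table[i].in_use == in_use && (!in_use || g_table[i].pid == pid))
            return &g_table[i];
    return NULL;
}

/* Mirrors the PsSetCreateProcessNotifyRoutine callback: create != 0 adds or
 * resets an entry, create == 0 removes it. Returns 1 if the table changed. */
int on_process_notify(unsigned long pid, int create)
{
    struct proc_entry *e = find_slot(pid, 1);
    if (!create) {                    /* exit of a process we never saw start */
        if (!e) return 0;
        e->in_use = 0;
        return 1;
    }
    if (!e && !(e = find_slot(0, 0))) return 0;   /* table full */
    *e = (struct proc_entry){ 1, pid, "" };       /* fresh entry, no image yet */
    return 1;
}

/* Mirrors the PsSetLoadImageNotifyRoutine callback. Only the first load for a
 * known pid is kept (that image is the executable; later ones are DLLs).
 * Returns 1 when the path was recorded, 0 when the event is ignored. */
int on_image_notify(const char *full_image_name, unsigned long pid)
{
    struct proc_entry *e = find_slot(pid, 1);
    if (!e || e->image[0] != '\0') return 0;
    strncpy(e->image, full_image_name, MAX_IMAGE - 1);
    return 1;
}

/* NULL when the pid is unknown or has not loaded its executable yet. */
const char *executable_for(unsigned long pid)
{
    struct proc_entry *e = find_slot(pid, 1);
    return (e && e->image[0]) ? e->image : NULL;
}
```

Image loads for a pid the create callback never reported (a process that was already running when the driver loaded) are ignored rather than mis-recorded as an executable, and an exit clears the entry so a reused pid starts fresh.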
  • Thanks Don. I will try it. There was a sample on OSR online but the link seems to be broken. Do you know where I can download a trustworthy working example? Also, this approach may not work in XP, am I correct? If so, what can I use in XP to detect process execution with a driver? Thanks for all the help.
    Sunday, March 29, 2015 12:16 PM
  • The functions are present and supported in Windows XP.  Be aware that depending on the Windows revision the path to the executable may be different. 


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com

    Sunday, March 29, 2015 1:06 PM