How to load a KMDF driver (WFP inspect sample) on system boot


  • Hello,

    I wrote a simple 64-bit KMDF driver (a WFP callout driver derived from the WDK "inspect" sample). The driver is located in:

    %WinDir%\System32\Drivers\Inspect.sys

    I can load this driver manually, after the system is up, with `net start inspect`.

    Now I would like to load this driver during Windows startup, so I have prepared this inf file:

    ; Inspect.inf — installs the Inspect WFP callout driver as a kernel service.
    ; Install/uninstall is driven by the [DefaultInstall]/[DefaultUninstall]
    ; sections (right-click "Install" / SetupAPI DefaultInstall), not by PnP.
    [Version]
        Signature   = "$Windows NT$"
        Class       = WFPCALLOUTS
        ClassGuid   = {57465043-616C-6C6F-7574-5F636C617373}
        Provider    = %ProviderString%
        ; The image must be signed for the kernel to load it at all; the
        ; debugger session below shows DriverEntry being reached, so signing
        ; is not what is failing in this report.
        CatalogFile = Inspect.cat
        DriverVer = 09/20/2018,19.58.54.237

    [SourceDisksNames]
       1 = %InspectDisk%,,,""

    [SourceDisksFiles]
       Inspect.sys = 1,,

    [DestinationDirs]
        DefaultDestDir      = 12                                               ; %WinDir%\System32\Drivers
        Inspect.DriverFiles = 12                                               ; %WinDir%\System32\Drivers

    [DefaultInstall]
        OptionDesc = %InspectServiceDesc%
        CopyFiles  = Inspect.DriverFiles

    [DefaultInstall.Services]
        AddService = %InspectServiceName%,,Inspect.Service

    [DefaultUninstall]
        DelFiles = Inspect.DriverFiles

    [DefaultUninstall.Services]
        DelService = %InspectServiceName%,0x200                                ; SPSVCINST_STOPSERVICE
        DelReg     = Inspect.DelRegistry

    [Inspect.DriverFiles]
        Inspect.sys,,,0x00000040                                               ; COPYFLG_OVERWRITE_OLDER_ONLY

    ; Service definition for the kernel driver (SCM key HKLM\...\Services\Inspect).
    [Inspect.Service]
        DisplayName   = %InspectServiceName%
        Description   = %InspectServiceDesc%
        ServiceType   = 1                                                      ; SERVICE_KERNEL_DRIVER
        ; NOTE(review): with SERVICE_BOOT_START the driver's DriverEntry runs
        ; before the user-mode Base Filtering Engine (bfe) service exists. A
        ; callout driver that opens a filter-engine session from DriverEntry
        ; (as the WDK inspect sample's TLInspectRegisterCallouts does via
        ; FwpmEngineOpen0) fails at this point, which is consistent with the
        ; "TLInspectRegisterCallouts" -> "DriverEntry error" sequence seen in
        ; the debugger log below. Use 3 (SERVICE_DEMAND_START, the sample's
        ; default) or 1 (SERVICE_SYSTEM_START), or keep boot start and defer
        ; engine/filter setup until FwpmBfeStateSubscribeChanges0 reports the
        ; engine running — TODO confirm against TLInspectRegisterCallouts.
        StartType     = 0                                                      ; SERVICE_BOOT_START
        ErrorControl  = 1                                                      ; SERVICE_ERROR_NORMAL
        ServiceBinary = %12%\Inspect.sys                                       ; %WinDir%\System32\Drivers\Inspect.sys
        AddReg        = Inspect.AddRegistry

    ; Per-service Parameters values; presumably read by the driver at start
    ; (the code that reads them is not part of this listing).
    [Inspect.AddRegistry]
        HKR,"Parameters","BlockTraffic",0x00010001,"0"                         ; FLG_ADDREG_TYPE_DWORD
        HKR,"Parameters","RemoteAddressToInspect",0x00000000,"10.0.0.1"        ; FLG_ADDREG_TYPE_SZ

    [Inspect.DelRegistry]
        HKR,"Parameters",,,

    [Strings]
        ProviderString     = "TODO-Set-Provider"
    InspectDisk        = "Traffic Inspect Installation Disk"
        InspectServiceDesc = "Traffic Inspect Callout Driver"
        InspectServiceName = "Inspect"

    but the driver does not come up on boot.

    As I mentioned at the beginning, it is a 64-bit KMDF driver.

    Did I forget something? Any suggestion or hint as to where the problem is?

    Thanks for help.


    • Edited by KrzysztofD Monday, September 24, 2018 11:23 AM
    Monday, September 24, 2018 8:43 AM


  • Hi,

    At this point I managed to attach a kernel debugger to the boot. Here is the session (breakpoint on Inspect!DriverEntry, DbgPrint output enabled via Kd_DEFAULT_Mask):


    Microsoft (R) Windows Debugger Version 10.0.17134.1 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.


    Waiting for pipe \.\pipe\vpcdebug
    Waiting to reconnect...
    Connected to Windows 10 17134 x64 target at (Wed Sep 26 14:55:37.674 2018 (UTC + 2:00)), ptr64 TRUE
    Kernel Debugger connection established.
    Symbol search path is: srv*
    Executable search path is:
    Windows 10 Kernel Version 17134 MP (1 procs) Free x64
    Built by: 17134.1.amd64fre.rs4_release.180410-1804
    Machine Name:
    Kernel base = 0xfffff8026d805000 PsLoadedModuleList = 0xfffff8026dbbf1f0
    System Uptime: 0 days 0:00:00.000
    nt!DebugService2+0x5:
    fffff8026d9a4fe5 cc int 3
    kd> bu Inspect!DriverEntry
    kd> ed nt!Kd_DEFAULT_Mask 0x8
    kd> g
    minio\security\base\lsa\security\driver\asyncsspi.cxx - SspiInitAsyncInterface
    IOINIT: Built-in driver \Driver\hwpolicy failed to initialize with status - 0xC000025E
    KDTARGET: Refreshing KD connection
    Breakpoint 0 hit
    Inspect!DriverEntry:
    fffff807e22c54c0 4889542410 mov qword ptr [rsp+10h],rdx
    0: kd> t
    Inspect!DriverEntry+0x1a:
    fffff807e22c54da 48c744244000000000 mov qword ptr [rsp+40h],0
    0: kd> t
    Inspect!DriverEntry+0x23:
    fffff807e22c54e3 488d0dc6910000 lea rcx,[Inspect! ?? ::FNODOBFM::`string' (fffff807e22ce6b0)]
    0: kd> t
    nt!DbgPrint:
    fffff8026d900730 4c8bdc mov r11,rsp
    0: kd> t
    nt!DbgPrint+0x3:
    fffff8026d900733 49894b08 mov qword ptr [r11+8],rcx
    0: kd> t
    nt!DbgPrint+0x7:
    fffff8026d900737 49895310 mov qword ptr [r11+10h],rdx
    0: kd> t
    nt!DbgPrint+0xb:
    fffff8026d90073b 4d894318 mov qword ptr [r11+18h],r8
    0: kd> t
    nt!DbgPrint+0xf:
    fffff8026d90073f 4d894b20 mov qword ptr [r11+20h],r9
    0: kd> t
    nt!DbgPrint+0x13:
    fffff8026d900743 4883ec38 sub rsp,38h
    0: kd> t
    nt!DbgPrint+0x17:
    fffff8026d900747 ba65000000 mov edx,65h
    0: kd> t
    nt!DbgPrint+0x1c:
    fffff8026d90074c c644242801 mov byte ptr [rsp+28h],1
    0: kd> t
    nt!DbgPrint+0x21:
    fffff8026d900751 498d4310 lea rax,[r11+10h]
    0: kd> t
    nt!DbgPrint+0x25:
    fffff8026d900755 4c8bc9 mov r9,rcx
    0: kd> t
    nt!DbgPrint+0x28:
    fffff8026d900758 488d0d01ea0a00 lea rcx,[nt! ?? ::FNODOBFM::`string' (fffff802`6d9af160)]
    0: kd> g
    [Inspect] DriverEntry start
    [Inspect] AddToBuffer: allocated bufferHelper.tab_buffer (192000 bytes) !
    [Inspect] WdfDeviceCreate 4.
    [Inspect] MonitorCtlDriverInit.
    [Inspect] WdfIoQueueCreate.
    [Inspect] TLInspectRegisterCallouts
    [Inspect] DriverEntry error. Driver cannot be started!
    [Inspect] DriverEntry Exit.


    Below is my DriverEntry code:


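    /*
     * DriverEntry — initialization for the Inspect WFP callout driver
     * (non-PnP KMDF driver with a control device).
     *
     * Steps, in order (each step logs through DbgPrint so the failing point
     * is visible in the kernel debugger):
     *   1. flow-list bookkeeping (InitList, gFlowList, gFlowListLock)
     *   2. WdfDriverCreate with WdfDriverInitNonPnpDriver and an unload callback
     *   3. control-device creation through MonitorEvtDeviceAdd
     *   4. WFP transport injection handle
     *   5. callout registration through TLInspectRegisterCallouts
     *
     * Parameters:
     *   driverObject — the WDM driver object handed in by the I/O manager.
     *   registryPath — the driver's service key (HKLM\...\Services\Inspect).
     *
     * Returns STATUS_SUCCESS, or the NTSTATUS of the first step that failed.
     * On failure the WFP resources created so far are released before
     * returning. The WDFDRIVER object is not deleted here: KMDF documents that
     * the framework deletes it itself when DriverEntry fails after
     * WdfDriverCreate succeeded.
     *
     * NOTE(review): if this service is installed with StartType = 0
     * (SERVICE_BOOT_START), DriverEntry runs before the user-mode Base
     * Filtering Engine service is up. If TLInspectRegisterCallouts opens a
     * filter-engine session (FwpmEngineOpen0), as the WDK inspect sample
     * does, that call fails at boot and DriverEntry returns an error — which
     * is the "[Inspect] TLInspectRegisterCallouts" -> "DriverEntry error"
     * sequence in the debugger log, while `net start` (BFE already running)
     * succeeds. Either use demand/system start, or subscribe with
     * FwpmBfeStateSubscribeChanges0 and defer the engine session and
     * provider/sublayer/filter setup until the engine reports running.
     * TODO: confirm against the body of TLInspectRegisterCallouts.
     */
    _Function_class_(DRIVER_INITIALIZE)
    _IRQL_requires_same_
    NTSTATUS
    DriverEntry(
        _In_ DRIVER_OBJECT* driverObject,
        _In_ UNICODE_STRING* registryPath
        )
    {
        NTSTATUS status;
        WDF_DRIVER_CONFIG config;
        PWDFDEVICE_INIT pInit = NULL;

        DbgPrint("[Inspect] DriverEntry start\n");

        InitList();

        InitializeListHead(&gFlowList);
        KeInitializeSpinLock(&gFlowListLock);

        /* Request NX non-paged pool where the kernel supports it. */
        ExInitializeDriverRuntime(DrvRtPoolNxOptIn);

        WDF_DRIVER_CONFIG_INIT(&config, WDF_NO_EVENT_CALLBACK);
        config.DriverInitFlags |= WdfDriverInitNonPnpDriver;
        config.EvtDriverUnload = TLInspectEvtDriverUnload;

        status = WdfDriverCreate(
            driverObject,
            registryPath,
            WDF_NO_OBJECT_ATTRIBUTES,
            &config,
            &driver
        );

        if (!NT_SUCCESS(status))
        {
            /* NTSTATUS is a 32-bit integer: print it as hex, never with %s. */
            DbgPrint("[Inspect] WdfDriverCreate failed: 0x%08X\n", status);
            goto Exit;
        }

        /* Control device opened only by SYSTEM and Administrators (SDDL). */
        pInit = WdfControlDeviceInitAllocate(driver, &SDDL_DEVOBJ_SYS_ALL_ADM_ALL);

        if (pInit == NULL)
        {
            DbgPrint("[Inspect] WdfControlDeviceInitAllocate FAILED!\n");

            status = STATUS_INSUFFICIENT_RESOURCES;
            goto Exit;
        }

        /*
         * The original code discarded this status and continued to
         * WdfDeviceWdmGetDeviceObject(device) below; if device creation
         * failed, `device` is not a valid handle and that call faults.
         * MonitorEvtDeviceAdd is assumed to release pInit on its own failure
         * path (WdfDeviceInitFree) — TODO confirm; if it does not, free it
         * here before jumping to Exit.
         */
        status = MonitorEvtDeviceAdd(pInit);

        if (!NT_SUCCESS(status))
        {
            DbgPrint("[Inspect] MonitorEvtDeviceAdd failed: 0x%08X\n", status);
            goto Exit;
        }

        status = FwpsInjectionHandleCreate(
            AF_UNSPEC,
            FWPS_INJECTION_TYPE_TRANSPORT,
            &gInjectionHandle
        );

        if (!NT_SUCCESS(status))
        {
            DbgPrint("[Inspect] FwpsInjectionHandleCreate failed: 0x%08X\n", status);
            goto Exit;
        }

        KeInitializeSpinLock(&gConnListLock);

        KeInitializeEvent(
            &gWorkerEvent,
            NotificationEvent,
            FALSE
        );

        gWdmDevice = WdfDeviceWdmGetDeviceObject(device);

        /* See the NOTE in the header comment: this is the step that fails at boot start. */
        status = TLInspectRegisterCallouts(gWdmDevice);

        if (!NT_SUCCESS(status))
        {
            DbgPrint("[Inspect] TLInspectRegisterCallouts failed: 0x%08X\n", status);
            goto Exit;
        }

    Exit:
        if (!NT_SUCCESS(status))
        {
            DbgPrint("[Inspect] DriverEntry error. Driver cannot be started!\n");

            /* Undo only what was actually created; the handles are NULL otherwise. */
            if (gEngineHandle != NULL)
            {
                TLInspectUnregisterCallouts();
            }
            if (gInjectionHandle != NULL)
            {
                FwpsInjectionHandleDestroy(gInjectionHandle);
                gInjectionHandle = NULL;    /* never destroy the same handle twice */
            }
        }

        DbgPrint("[Inspect] DriverEntry Exit.\n");

        return status;
    }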

    My first question is: why can I load this driver myself (`net start inspect`) while it cannot be loaded during system boot?
    Of course, the log now shows *where* it fails (right after "TLInspectRegisterCallouts"), but I don't understand *why* — presumably something that the callout registration depends on is available once the system is up but not yet at boot start.

    I assumed there is a problem with WdfDriverCreate() — that it should return STATUS_SUCCESS but doesn't. However, the trace above shows "WdfDeviceCreate" and "WdfIoQueueCreate" being logged after it, so WdfDriverCreate had already succeeded; the error is logged immediately after "TLInspectRegisterCallouts".
    Can I use:

    DbgPrint("[Inspect] WdfDriverCreate status returns: %s", status);

    to check what this function returns? (Note: `status` is an NTSTATUS, i.e. a 32-bit integer, so `%s` would treat it as a string pointer and fault in the kernel; print it as a hex value instead, e.g. `DbgPrint("... 0x%08X\n", status);`, or use `%!STATUS!` if the driver traces through WPP.)

    Maybe someone sees an obvious mistake?
    Please help me track down this issue.

    Krzysiek


    Wednesday, September 26, 2018 7:14 PM