ELAM driver callback

Answers

  • No, you don't need to call IoRegisterBootDriverCallback - at least, that was the case a few years ago when I wrote an ELAM driver and service for a client.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog


    Thursday, January 23, 2020 9:35 PM
    Moderator

All replies

  • Thanks Brian. 

    Any MSDN doc link to confirm this behavior? 

    Thursday, January 23, 2020 9:58 PM
  • LOL, the ELAM stuff is barely documented as it is! You can post a comment on the doc page for IoRegisterBootDriverCallback and you might get a response. Frankly, this is the least of your worries when creating an ELAM driver and service. Worst case, you register a callback routine, mark the file as not having been inspected, and then just return. I spent more time getting the certificates right than on any other part of the project.

     -Brian


    Thursday, January 23, 2020 10:31 PM
    Moderator
  • Thanks Brian. I will submit a question on this.
    Friday, January 24, 2020 3:03 PM
  • Hi Brian,

    One more question. You mentioned that you wrote an ELAM driver without registering for the callback. In that case, were you able to successfully complete the HLK test?

    (You already mentioned you waited a long time to get it signed by MS; in that case you should definitely have got the HLK logs. But I am asking just to get some clarity.)

    Friday, January 31, 2020 3:42 PM
  • I didn't get it signed by Microsoft, my client decided they would handle it.

    What I meant was generating the proper certificates for signing the executables was horrific (you'll see that I made several comments on the ELAM doc pages). The docs are probably better now, but back then figuring out how to generate the certs using PowerShell took longer than writing the driver and the service.

    If you have a working driver, why not just try it?

     -Brian


    Friday, January 31, 2020 9:00 PM
    Moderator
  • Ok Brian. I will try and let you know. 

    Thanks

    Friday, January 31, 2020 9:18 PM