How to write a driver to prepare for Device Guard (memory integrity)

  • Question

  • We have a project that supports OSes from XP onward, built with VS 2005 and WDK 7600.
    Until now, it has been operating normally up to the latest version of Windows 10.
    However, this time the Device Guard protection feature of Windows 10 is turned on with memory integrity enabled.
    When we investigated, only one of several drivers failed to load.
    The only driver that fails to load is the one that adds /INTEGRITYCHECK to the link options in order to use the PsSetCreateProcessNotifyRoutineEx API.
    When calling the StartService API to load the driver, an error occurs with error code 87 (The parameter is incorrect).

    1. What should I do to successfully load this driver?
    2. Is it OK that the other drivers load properly when memory integrity is turned on?
    (See the FAQs at https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/.) If using the standard settings with the old versions of the WDK and Visual Studio, the INIT section is marked as RWX.


    So to solve the problem, I want to rebuild with VS 2017 and WDK 10 according to "Driver compatibility with Device Guard in Windows 10".
    (https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/)

    Without modifying the entire code, I set POOL_NX_OPTIN = 1 and called ExInitializeDriverRuntime(DrvRtPoolNxOptIn) as described in the link below, and then loaded the driver after the build.
    (https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/single-binary-opt-in-pool-nx-optin)
    It failed with the same error code 87.

    This driver is not loaded and cannot be verified.
    There is no problem testing Verifier (memory integrity) after building another driver with the above options.
    So I do not think the build is wrong.

    1. How can I tell why the driver is not loaded (DriverEntry is not called)?


    2. If the driver is successfully loaded, should we create two separate files for the driver for xp and the driver for windows 10?
    Friday, March 22, 2019 6:43 AM
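    The FAQ linked in the question says that a driver built with the old WDK/Visual Studio defaults ends up with an INIT section marked RWX, which memory integrity (HVCI) will not accept. The script below is an added example, not code from the original post or from Microsoft: it reads the PE section table of a driver image and reports any section whose header has both IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE set. The build_test_image helper constructs a minimal PE-shaped byte string so the check can be exercised offline; it is a constructed sample, not a loadable driver. Section offsets and flag values are the standard PE constants.

```python
"""Report writable+executable (RWX) sections in a PE image.

Added example for checking the HVCI compatibility symptom described in the
Device Guard driver-compatibility FAQ; not part of the original post.
"""
import struct
import sys

# Standard IMAGE_SECTION_HEADER.Characteristics flags
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def pe_sections(data: bytes):
    """Yield (name, characteristics) for each section header in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size                         # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        off = table + i * 40                             # each header is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        (chars,) = struct.unpack_from("<I", data, off + 36)
        yield name, chars


def writable_executable_sections(data: bytes) -> list:
    """Names of sections that are both writable and executable (RWX)."""
    return [
        name for name, chars in pe_sections(data)
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE
    ]


def build_test_image(sections) -> bytes:
    """Constructed sample: a minimal PE-shaped blob with the given
    (name, characteristics) section headers. Not a real driver."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=x64, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader=0, Characteristics=0
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0)
    headers = b"".join(
        struct.pack("<8sIIIIIIHHI", name, 0, 0, 0, 0, 0, 0, 0, 0, chars)
        for name, chars in sections
    )
    return dos + b"PE\0\0" + coff + headers


RX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE
RWX = RX | IMAGE_SCN_MEM_WRITE

# Constructed samples: an old-WDK-style layout with an RWX INIT section,
# and a layout where INIT is read/execute only.
OLD_STYLE = build_test_image([(b".text", RX), (b"INIT", RWX)])
FIXED = build_test_image([(b".text", RX), (b"INIT", RX)])


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as f:
            data = f.read()
    else:
        data = OLD_STYLE
    rwx = writable_executable_sections(data)
    if rwx:
        print("RWX sections (rejected by memory integrity):", ", ".join(rwx))
    else:
        print("no RWX sections found")
    return 1 if rwx else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

    Run it as `python check_rwx.py path\to\driver.sys` to inspect a real image. A clean result only rules out the RWX-section cause; as the accepted answer shows, a driver can still be refused because of how it was signed, which this section check does not look at.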

Answers

  • We found the cause. The problem was in code signing.
    Signing with signtool.exe was successful when I used the /nph option instead of the /ph option.
    See the link below for more details.
    https://support.microsoft.com/en-us/help/3194715/bugcheck-0x7e-occurs-in-windows-10-when-device-guard-is-active


    In addition, we had a project that used RtlVer.lib and we could not load it, but we did not use RtlVer.lib so we did not have any problems.
    Wednesday, May 22, 2019 6:25 AM

All replies

  • Turn on "Loader Snaps", which will display information on every file that is loaded or why it failed to load. In your Start Menu, under Windows Kits, you'll find Global Flags (x64). Run that, select the Kernel Flags tab, and select the checkbox next to "Show loader snaps" (left column, second from the top). Then try and load your driver. If you don't see any output in the debugger, then you'll have to reboot. You should see some messages that describe the problem when your driver is loaded.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Friday, March 22, 2019 7:02 AM
    Moderator
  • Thanks, I will try.
    Monday, March 25, 2019 12:09 AM
  • OK, thank you for your information.
    Monday, March 25, 2019 12:09 AM