Peculiar BSOD when running with secure boot

Greetings,

This is my first time posting on the forum so forgive me if I don’t know what I’m doing :wink:

I’m in the process of trying to make a Windows mini filter I maintain compatible with Windows 10 Enterprise and Secure Boot/Device Guard. Here is what I have done so far:

  1. I cross signed my driver as I always have with our company’s SHA-1 and SHA-256 certs.

  2. I EV signed the driver using a hardware token and sent the driver to Microsoft, receiving a Microsoft signed driver in return.

  3. I changed the driver to opt-in to NX.

  4. I followed the steps in the MS blog and made the driver run cleanly through driver verifier’s new code integrity checks.

  5. I gave the driver to my QA department and they tried it on a real machine with Secure boot turned on.

The driver blue screened while loading my driver in GsDriverEntry on the first instruction:

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff8005c0263ac, The address that the exception occurred at
Arg3: ffffd00020e91728, Exception Record Address
Arg4: ffffd00020e90f40, Context Record Address

0: kd> u fffff8005c0263ac
DataNow_Driver!GsDriverEntry [d:\th\minkernel\tools\gs_support\kmode\gs_support.c @ 113]:
fffff8005c0263ac 48895c2408      mov     qword ptr [rsp+8],rbx
fffff8005c0263b1 57              push    rdi
fffff8005c0263b2 4883ec20        sub     rsp,20h
fffff8005c0263b6 488bda          mov     rbx,rdx
fffff8005c0263b9 488bf9          mov     rdi,rcx
fffff8005c0263bc e817000000      call    DataNow_Driver!__security_init_cookie (fffff800`5c0263d8)

So I’m clearly missing something. Can anyone explain what would cause my driver to BSOD in such a way at driver load time? It’s difficult to work out what’s going on when the stack doesn’t point to anything specific in my code.

Many thanks,

Ben Staniford.

Another odd facet of this BSOD (which happens every time I reproduce it) is that every single file associated with our product is corrupt after the blue screen. The driver is a corrupt file and all the user mode dlls and .exe files are also corrupt. This seems very strange to me, since they were not being written to at the point when the driver crashed and no other files seem corrupt… It’s almost as if Windows has deliberately made the files in the installation unloadable as some kind of security precaution…

Ben Staniford wrote:

> This is my first time posting on the forum so forgive me if I don’t
> know what I’m doing :wink:
>
> I’m in the process of trying to make a Windows mini filter I maintain
> compatible with Windows 10 Enterprise and Secure Boot/Device Guard.
> Here is what I have done so far:
>
>   1. I cross signed my driver as I always have with our company’s
>     SHA-1 and SHA-256 certs.
>
>   2. I EV signed the driver using a hardware token and sent the
>     driver to Microsoft, receiving a Microsoft signed driver in return.
>
>   3. I changed the driver to opt-in to NX.
>
>   4. I followed the steps in the MS blog and made the driver run
>     cleanly through driver verifier’s new code integrity checks.
>
>   5. I gave the driver to my QA department and they tried it on a
>     real machine with Secure boot turned on.

I presume you did not actually do things in that order. You can’t
change the driver after it has been signed and attested. That
invalidates the signature.

> The driver blue screened while loading my driver in GsDriverEntry on
> the first instruction:
>
> SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
> This is a very common bugcheck. Usually the exception address pinpoints
> the driver/function that caused the problem. Always note this address
> as well as the link date of the driver/image that contains this address.

Did you do a “!analyze -v”? That often offers helpful suggestions.

Is this a brand-new driver, or is it one that has worked on earlier
systems? Did it start from a sample? Looking at the situation here, I
would first suspect some kind of a compiler settings problem, but it’s a
little hard to tell. GsDriverEntry gets called before your code ever
gains control.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

What Mr. Roberts said.

Please clarify the actual procedure you’re using for your driver, and when/if the system crashes do a !analyze -v and post the output.

Let me assure you that’s not what’s happening.

Peter
OSR
@OSRDrivers

Apologies, yes, the signing was done last :slight_smile:

The driver has been around for 4 years, and has been part of quite a few releases to customers now. I’ve been working on it for most of that time. The driver presently works great on all versions of Windows Vista/7/8/10 except Windows 10 enterprise with the new “virtualization-based isolation for Code Integrity”. As soon as I turn that on it falls over, seemingly while loading the driver.

Yes, I did do an !analyze -v of course but it was less helpful than usual simply stating that there’s been an access violation in the very first instruction in GsDriverEntry.

Here is the full output of !analyze -v as requested. (Including a !dh of my driver just to prove I don’t have any writable/executable sections) Thanks for all your help!

0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

SYSTEM_THREAD_EXCEPTION_NOT_HANDLED (7e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: ffffffffc0000005, The exception code that was not handled
Arg2: fffff8005c0263ac, The address that the exception occurred at
Arg3: ffffd00020e91728, Exception Record Address
Arg4: ffffd00020e90f40, Context Record Address

Debugging Details:

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

FAULTING_IP:
DataNow_Driver!GsDriverEntry+0 [d:\th\minkernel\tools\gs_support\kmode\gs_support.c @ 113]
fffff800`5c0263ac 48895c2408 mov qword ptr [rsp+8],rbx

EXCEPTION_RECORD: ffffd00020e91728 -- (.exr 0xffffd00020e91728)
ExceptionAddress: fffff8005c0263ac (DataNow_Driver!GsDriverEntry)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: ffffffffffffffff
Attempt to read from address ffffffffffffffff

CONTEXT: ffffd00020e90f40 -- (.cxr 0xffffd00020e90f40;r)
rax=0000000000000000 rbx=0000000000000000 rcx=ffffe001765671f0
rdx=ffffe00196625000 rsi=ffffe001765671f0 rdi=0000000000000000
rip=fffff8005c0263ac rsp=ffffd00020e91968 rbp=ffffd00020e91a70
r8=0400000000020020 r9=fffff801bfcb3c40 r10=00000000000001c8
r11=ffffd00020e91960 r12=ffffffff8000139c r13=0000000000000200
r14=ffffe00196625000 r15=0000000020206f49
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
DataNow_Driver!GsDriverEntry:
fffff8005c0263ac 48895c2408 mov qword ptr [rsp+8],rbx ss:0018:ffffd00020e91970=0000000000000000
Last set context:
rax=0000000000000000 rbx=0000000000000000 rcx=ffffe001765671f0
rdx=ffffe00196625000 rsi=ffffe001765671f0 rdi=0000000000000000
rip=fffff8005c0263ac rsp=ffffd00020e91968 rbp=ffffd00020e91a70
r8=0400000000020020 r9=fffff801bfcb3c40 r10=00000000000001c8
r11=ffffd00020e91960 r12=ffffffff8000139c r13=0000000000000200
r14=ffffe00196625000 r15=0000000020206f49
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
DataNow_Driver!GsDriverEntry:
fffff8005c0263ac 48895c2408 mov qword ptr [rsp+8],rbx ss:0018:ffffd00020e91970=0000000000000000
Resetting default scope

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

PROCESS_NAME: System

CURRENT_IRQL: 0

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1: 0000000000000000

EXCEPTION_PARAMETER2: ffffffffffffffff

READ_ADDRESS: unable to get nt!MmSpecialPoolStart
unable to get nt!MmSpecialPoolEnd
unable to get nt!MmPagedPoolEnd
unable to get nt!MmNonPagedPoolStart
unable to get nt!MmSizeOfNonPagedPoolInBytes
ffffffffffffffff

FOLLOWUP_IP:
DataNow_Driver!GsDriverEntry+0 [d:\th\minkernel\tools\gs_support\kmode\gs_support.c @ 113]
fffff800`5c0263ac 48895c2408 mov qword ptr [rsp+8],rbx

BUGCHECK_STR: AV

ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

LAST_CONTROL_TRANSFER: from fffff801bfefc507 to fffff8005c0263ac

STACK_TEXT:
ffffd00020e91968 fffff801bfefc507 : 0000000000000000 0000000000000000 ffffe001765671f0 fffff801000001c8 : DataNow_Driver!GsDriverEntry [d:\th\minkernel\tools\gs_support\kmode\gs_support.c @ 113]
ffffd00020e91970 fffff801bfe5ceaa : 0000000000000000 0000000000000000 0000000000000300 fffff801bfe12340 : nt!IopLoadDriver+0x51f
ffffd00020e91b40 fffff801bfb52359 : fffff80100000000 ffffffff8000139c ffffe00176fa7340 fffff801bfe12340 : nt!IopLoadUnloadDriver+0x4e
ffffd00020e91b80 fffff801bfac6a45 : 00000005b19bbdff 0000000000000080 ffffe0016e8d9680 ffffe00176fa7340 : nt!ExpWorkerThread+0xe9
ffffd00020e91c10 fffff801bfbc7ae6 : ffffd000bef00180 ffffe00176fa7340 fffff801bfac6a04 0000000000000000 : nt!PspSystemThreadStartup+0x41
ffffd00020e91c60 0000000000000000 : ffffd00020e92000 ffffd00020e8c000 0000000000000000 0000000000000000 : nt!KiStartSystemThread+0x16

FAULTING_SOURCE_LINE: d:\th\minkernel\tools\gs_support\kmode\gs_support.c

FAULTING_SOURCE_FILE: d:\th\minkernel\tools\gs_support\kmode\gs_support.c

FAULTING_SOURCE_LINE_NUMBER: 113

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: DataNow_Driver!GsDriverEntry+0

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: DataNow_Driver

IMAGE_NAME: DataNow_Driver.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 579a15e7

IMAGE_VERSION: 4.1.161.0

STACK_COMMAND: .cxr 0xffffd00020e90f40 ; kb

BUCKET_ID_FUNC_OFFSET: 0

FAILURE_BUCKET_ID: AV_DataNow_Driver!GsDriverEntry

BUCKET_ID: AV_DataNow_Driver!GsDriverEntry

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:av_datanow_driver!gsdriverentry

FAILURE_ID_HASH: {dda8a74a-15c0-b974-2bcf-d0804c709cfa}

Followup: MachineOwner

0: kd> !dh DataNow_Driver.sys

File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
8664 machine (X64)
9 number of sections
579A15E7 time date stamp Thu Jul 28 15:25:43 2016

0 file pointer to symbol table
0 number of symbols
F0 size of optional header
22 characteristics
Executable
App can handle >2gb addresses

OPTIONAL HEADER VALUES
20B magic #
14.00 linker version
10000 size of code
3000 size of initialized data
0 size of uninitialized data
163AC address of entry point
1000 base of code
----- new -----
fffff8005c010000 image base
1000 section alignment
200 file alignment
1 subsystem (Native)
10.00 operating system version
10.00 image version
5.02 subsystem version
19000 size of image
400 size of headers
22CE9 checksum
0000000000100000 size of stack reserve
0000000000001000 size of stack commit
0000000000100000 size of heap reserve
0000000000001000 size of heap commit
1E0 DLL characteristics
High entropy VA supported
Dynamic base
Check integrity
NX compatible
0 [0] address [size] of Export Directory
165FC [3C] address [size] of Import Directory
17000 [440] address [size] of Resource Directory
13000 [63C] address [size] of Exception Directory
12C00 [6A90] address [size] of Security Directory
18000 [68] address [size] of Base Relocation Directory
107C0 [38] address [size] of Debug Directory
0 [0] address [size] of Description Directory
0 [0] address [size] of Special Directory
0 [0] address [size] of Thread Storage Directory
10800 [A0] address [size] of Load Configuration Directory
0 [0] address [size] of Bound Import Directory
10000 [240] address [size] of Import Address Table Directory
0 [0] address [size] of Delay Import Directory
0 [0] address [size] of COR20 Header Directory
0 [0] address [size] of Reserved Directory

SECTION HEADER #1
.text name
EC05 virtual size
1000 virtual address
EE00 size of raw data
400 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
68000020 flags
Code
Not Paged
(no align specified)
Execute Read

SECTION HEADER #2
.rdata name
13CC virtual size
10000 virtual address
1400 size of raw data
F200 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
48000040 flags
Initialized Data
Not Paged
(no align specified)
Read Only

Debug Directories(2)
Type Size Address Pointer
cv 95 108a0 faa0 Format: RSDS, guid, 1, F:\Builds\203\DataNow\DataNow_Mainline_Nightly\Sources\DataNow\Source\Output\x64\Win7 Release\PrivatePDBs\DataNow_Driver.pdb
( 13) 198 10938 fb38

SECTION HEADER #3
.data name
900 virtual size
12000 virtual address
200 size of raw data
10600 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
C8000040 flags
Initialized Data
Not Paged
(no align specified)
Read Write

SECTION HEADER #4
.pdata name
63C virtual size
13000 virtual address
800 size of raw data
10800 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
48000040 flags
Initialized Data
Not Paged
(no align specified)
Read Only

SECTION HEADER #5
.gfids name
4 virtual size
14000 virtual address
200 size of raw data
11000 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
48000040 flags
Initialized Data
Not Paged
(no align specified)
Read Only

SECTION HEADER #6
PAGE name
1FF virtual size
15000 virtual address
200 size of raw data
11200 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60000020 flags
Code
(no align specified)
Execute Read

SECTION HEADER #7
INIT name
EEE virtual size
16000 virtual address
1000 size of raw data
11400 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
62000020 flags
Code
Discardable
(no align specified)
Execute Read

SECTION HEADER #8
.rsrc name
440 virtual size
17000 virtual address
600 size of raw data
12400 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
42000040 flags
Initialized Data
Discardable
(no align specified)
Read Only

SECTION HEADER #9
.reloc name
68 virtual size
18000 virtual address
200 size of raw data
12A00 file pointer to raw data
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
42000040 flags
Initialized Data
Discardable
(no align specified)
Read Only
0: kd> !lmi DataNow_Driver.sys
Loaded Module Info: [datanow_driver.sys]
Module: DataNow_Driver
Base Address: fffff8005c010000
Image Name: DataNow_Driver.sys
Machine Type: 34404 (X64)
Time Stamp: 579a15e7 Thu Jul 28 15:25:43 2016
Size: 19000
CheckSum: 22ce9
Characteristics: 22
Debug Data Dirs: Type Size VA Pointer
CODEVIEW 95, 108a0, faa0 RSDS - GUID: {ED9EDB40-E67B-49A6-8B09-1503E7A31F4D}
Age: 1, Pdb: F:\Builds\203\DataNow\DataNow_Mainline_Nightly\Sources\DataNow\Source\Output\x64\Win7 Release\PrivatePDBs\DataNow_Driver.pdb
?? 198, 10938, fb38 [Data not mapped]
Image Type: MEMORY - Image read successfully from loaded memory.
Symbol Type: PDB - Symbols loaded successfully from image header.
c:\symcache\DataNow_Driver.pdb\ED9EDB40E67B49A68B091503E7A31F4D1\DataNow_Driver.pdb
Compiler: Resource - front end [0.0 bld 0] - back end [14.0 bld 23918]
Load Report: private symbols & lines, source indexed

This is the page I used as a guide when updating my mini-filter to be compatible with device guard. As far as I can tell I am now compliant with all these. Until I did these things my driver was dying in driver verifier with the code integrity checks turned on. Now it is not, but it dies with this very baffling BSOD with the real life setting turned on.

https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/

* Opt-in to NX by default
* Use NX APIs/flags for memory allocation - NonPagedPoolNx
* Don’t use sections that are both writable and executable
* Don’t attempt to directly modify executable system memory
* Don’t use dynamic code in kernel
* Don’t load data files as executable
* Section Alignment must be a multiple of 0x1000 (PAGE_SIZE). E.g. DRIVER_ALIGNMENT=0x1000
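Three of the items in that list are visible directly in the PE header, and the `!dh` listing posted earlier already carries the numbers needed to check them. The following is an added example, not code from the thread or from the Microsoft blog: a small Python checker that parses the section flags, the DLL characteristics and the section alignment out of a `!dh` listing and reports any section that is both writable and executable, a missing NX_COMPAT bit, or a section alignment that is not a multiple of PAGE_SIZE. The embedded listing is a constructed excerpt in the shape of the `!dh` output above, with its values copied from that output (sections not needed for the check are omitted); the IMAGE_SCN_* and IMAGE_DLLCHARACTERISTICS_* constants are the winnt.h values.

```python
import re

# PE section characteristics bits, as defined in winnt.h (IMAGE_SCN_*)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_NOT_PAGED = 0x08000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Optional-header DllCharacteristics bits, as defined in winnt.h
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY = 0x0080
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100

PAGE_SIZE = 0x1000

# Constructed excerpt in the shape of the !dh listing posted in the thread; the
# numbers are copied from that listing, sections not relevant here are omitted.
SAMPLE_DH = """\
OPTIONAL HEADER VALUES
     20B magic #
    1000 section alignment
     200 file alignment
     1E0 DLL characteristics

SECTION HEADER #1
   .text name
    EC05 virtual size
68000020 flags

SECTION HEADER #3
   .data name
     900 virtual size
C8000040 flags

SECTION HEADER #7
    INIT name
     EEE virtual size
62000020 flags
"""


def parse_dh(text):
    """Pull section alignment, DllCharacteristics and per-section flags out of !dh output."""
    hdr = {}
    m = re.search(r"^\s*([0-9A-Fa-f]+) section alignment", text, re.M)
    hdr["section_alignment"] = int(m.group(1), 16) if m else None
    m = re.search(r"^\s*([0-9A-Fa-f]+) DLL characteristics", text, re.M)
    hdr["dll_characteristics"] = int(m.group(1), 16) if m else 0
    sections = []
    # Every "SECTION HEADER #n" block has a "<name> name" line and a "<hex> flags" line
    for block in re.split(r"^SECTION HEADER #\d+\s*$", text, flags=re.M)[1:]:
        name = re.search(r"^\s*(\S+) name\b", block, re.M)
        flags = re.search(r"^\s*([0-9A-Fa-f]+) flags\b", block, re.M)
        if name and flags:
            sections.append((name.group(1), int(flags.group(1), 16)))
    return hdr, sections


def perms(flags):
    """Render section characteristics as an R/W/X triple, e.g. 'R-X' for .text."""
    bits = (("R", IMAGE_SCN_MEM_READ), ("W", IMAGE_SCN_MEM_WRITE), ("X", IMAGE_SCN_MEM_EXECUTE))
    return "".join(ch if flags & bit else "-" for ch, bit in bits)


def check_device_guard(text):
    """Return findings for the header-visible items of the blog's list; empty means they pass."""
    hdr, sections = parse_dh(text)
    findings = []
    for name, flags in sections:
        if flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"section {name} is writable and executable ({perms(flags)}, 0x{flags:08X})")
    if not hdr["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_NX_COMPAT:
        findings.append("NX_COMPAT (0x0100) is not set in DLL characteristics")
    align = hdr["section_alignment"]
    if align is None or align % PAGE_SIZE:
        findings.append(f"section alignment {align} is not a multiple of PAGE_SIZE")
    return findings


if __name__ == "__main__":
    for name, flags in parse_dh(SAMPLE_DH)[1]:
        print(f"{name:8} {perms(flags)}")
    print(check_device_guard(SAMPLE_DH) or "no findings")
```

Paste a complete `!dh` listing in place of the sample to run it against a real image. On the values from this thread the checker reports nothing, which matches the OP's reading of his own `!dh` output: the header side of the list is satisfied, so the failure has to come from something the PE header does not describe.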

Ah… OK.

So, your post/thread has just gone from “confusing and whatever” to “super interesting”… at least to me.

In the interest of being accurate and narrowing things down: your OP said that it was Secure Boot that was causing the problem. Can we say that your driver works with or without Secure Boot being enabled… but it does NOT work when Device Guard is enabled?

Peter
OSR
@OSRDrivers

> Can we say that your driver works with or without Secure Boot being enabled… but it does NOT work when Device Guard is enabled?

Yes, that is accurate, apologies for being unclear in my OP. It is most certainly device guard that is causing me a problem.

The faulting address is the entry point of your driver. Your code is not involved.
GsDriverEntry is a stub that sets up the stack cookie protection mechanism before
your DriverEntry is called.

The EXCEPTION_RECORD does not look consistent with the code that is pointed out:

fffff800`5c0263ac 48895c2408 mov qword ptr [rsp+8],rbx

The faulting instruction is a typical prologue instruction that saves a non-volatile
register (RBX) to the “home space” (address RSP+8). So this instruction just writes
the content of a register on the stack. This is not a read instruction. How could the
stack be non-writable ?

The faulting address is the very first instruction of your driver binary (entry point)
so the address (and the page) of the instruction may be NX (How could it be ?). This could
be a compiler or linker option.

What does the following command show ?

!pte fffff800`5c0263ac

> The faulting instruction is a typical prologue instruction that saves a non-volatile register (RBX) to the “home space” (address RSP+8). So this instruction just writes the content of a register on the stack. This is not a read instruction. How could the stack be non-writable ?

Yes, this is really confusing me also.

> What does the following command show ?

0: kd> !pte fffff800`5c0263ac
                                           VA fffff8005c0263ac
PXE at FFFFF6FB7DBEDF80    PPE at FFFFF6FB7DBF0008    PDE at FFFFF6FB7E001700    PTE at FFFFF6FC002E0130
contains 0000000001244063  contains 0000000000EDD863  contains 0000000244B91863  contains 00000001CD816121
pfn 1244      ---DA--KWEV  pfn edd       ---DA--KWEV  pfn 244b91    ---DA--KWEV  pfn 1cd816    -G--A--KREV

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: 02 August 2016 19:21
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Peculiar BSOD when running with secure boot


The instruction belongs to a read-only-execute page.

So now look at the stack protection (!pte @rsp).

If it is writable then ???

> So now look at the stack protection (!pte @rsp).
>
> If it is writable then ???

Here’s the stack protection, it would appear to be write-execute… So what’s going on? Where’s the access violation? And how could this relate to device guard…

0: kd> !pte @rsp
                                           VA ffffd00020e91968
PXE at FFFFF6FB7DBEDD00    PPE at FFFFF6FB7DBA0000    PDE at FFFFF6FB74000838    PTE at FFFFF6E800107488
contains 0000000000EF7863  contains 0000000000EF6863  contains 000000011AA62863  contains 800000012994F963
pfn ef7       ---DA--KWEV  pfn ef6       ---DA--KWEV  pfn 11aa62    ---DA--KWEV  pfn 12994f    -G-DA--KWEV

> Here’s the stack protection, it would appear to be write-execute… So what’s going on? Where’s the access violation? And how could this relate to device guard…

The stack should be NX!

Here is a stack on a Windows 10 Enterprise 2015 LTSB virtual machine:

kd> !pte @rsp
                                           VA ffffd000d7abb5b0
PXE at FFFFF6FB7DBEDD00    PPE at FFFFF6FB7DBA0018    PDE at FFFFF6FB740035E8    PTE at FFFFF6E8006BD5D8
contains 0000000000323863  contains 0000000000335863  contains 0000000000097863  contains 8000000000713963
pfn 323       ---DA--KWEV  pfn 335       ---DA--KWEV  pfn 97        ---DA--KWEV  pfn 713       -G-DA--KW-V

This stack is NX.


Virtualization-based security (VBS): This is protection that uses the hypervisor to help protect the kernel and other parts of the operating system. When VBS is enabled, it strengthens either the default kernel-mode code integrity policy (which protects against bad drivers or system files), or the configurable code integrity policy that you deploy.
With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code. The hypervisor, the most privileged level of system software, enforces R/W/X permissions across system memory. Code integrity checks are performed in a secure environment which is resistant to attack from kernel mode software, and page permissions for kernel mode are set and maintained by the hypervisor. Even if there are vulnerabilities that allow memory modification, like a buffer overflow, the modified memory cannot be executed.

This was extracted from the second page below:

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/device-guard-deployment-guide

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies
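The comparison made above (the leaf PTE of the OP's stack ending in `KWEV`, the LTSB machine's in `KW-V`) can be checked mechanically rather than by eye. This is an added example and not code from the thread: a Python decoder for the 11-character attribute string that `!pte` prints next to each pfn, run over the three `!pte` lines posted in this thread (the stack on the Device Guard machine, the LTSB stack, and the entry-point page). The input lines are constructed copies of those outputs with plain ASCII dashes (the forum rendered `--` and `---` as en/em dashes); the last four positions are decoded as K/U, W/R, E/- and V per the WinDbg `!pte` legend, and the leading letters G, L, D and A are detected by presence rather than by position.

```python
import re

# Constructed lines in the shape of the "!pte" output posted in this thread; the pfn and
# attribute values are copied from it, the dashes are plain ASCII here.
OP_STACK_PTE = "pfn ef7       ---DA--KWEV  pfn ef6       ---DA--KWEV  pfn 11aa62    ---DA--KWEV  pfn 12994f    -G-DA--KWEV"
LTSB_STACK_PTE = "pfn 323       ---DA--KWEV  pfn 335       ---DA--KWEV  pfn 97        ---DA--KWEV  pfn 713       -G-DA--KW-V"
OP_CODE_PTE = "pfn 1244      ---DA--KWEV  pfn edd       ---DA--KWEV  pfn 244b91    ---DA--KWEV  pfn 1cd816    -G--A--KREV"

# One "pfn <hex> <11 attribute characters>" group per paging level (PXE, PPE, PDE, PTE)
ENTRY_RE = re.compile(r"pfn\s+([0-9a-fA-F]+)\s+([-A-Z]{11})")


def decode_flags(attrs):
    """Decode one 11-character !pte attribute string.

    The last four positions are fixed by the WinDbg legend: K/U (kernel or user),
    W/R (writable or read-only), E/- (executable or NX) and V (valid). G (global),
    L (large page), D (dirty) and A (accessed) only occur in the leading positions,
    so they are detected by presence; the rest of the string is kept raw.
    """
    if len(attrs) != 11:
        raise ValueError(f"unexpected attribute string {attrs!r}")
    lead = attrs[:7]
    return {
        "global": "G" in lead,
        "large_page": "L" in lead,
        "dirty": "D" in lead,
        "accessed": "A" in lead,
        "kernel": attrs[7] == "K",
        "writable": attrs[8] == "W",
        "executable": attrs[9] == "E",
        "valid": attrs[10] == "V",
        "raw": attrs,
    }


def parse_pte_line(line):
    """Return [(pfn, flags), ...] for each level in the line; the last one is the leaf PTE."""
    entries = [(int(pfn, 16), decode_flags(attrs)) for pfn, attrs in ENTRY_RE.findall(line)]
    if not entries:
        raise ValueError("no !pte attribute strings found in line")
    return entries


def leaf_is_wx(line):
    """True when the page mapped by the leaf entry is both writable and executable."""
    leaf = parse_pte_line(line)[-1][1]
    return leaf["valid"] and leaf["writable"] and leaf["executable"]


def audit(samples):
    """Map each named sample to whether its leaf page is W+X; a kernel stack should be W but not X."""
    return {name: leaf_is_wx(line) for name, line in samples.items()}


if __name__ == "__main__":
    named = (("OP stack", OP_STACK_PTE), ("LTSB stack", LTSB_STACK_PTE), ("OP entry point", OP_CODE_PTE))
    for name, line in named:
        pfn, flags = parse_pte_line(line)[-1]
        print(f"{name:15} pfn {pfn:x} {flags['raw']}  W+X={leaf_is_wx(line)}")
```

The upper levels (PXE/PPE/PDE) show `KWEV` on every machine, because a table entry's own permissions only bound what the entries beneath it may grant; it is the right-most, leaf entry that decides what the page at `@rsp` can do. Only the Device Guard machine's stack comes back as W+X, the LTSB stack and the driver's entry-point page do not, which is exactly the anomaly the reply above points at.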

> The stack should be NX!

Ahh… so that’s my issue then… Thanks! Ok, how the heck have I ended up with an executable stack? Shouldn’t the opt-in preprocessor define and the NX setting I put in my DriverMain have sorted that out for me?

An executable stack does not conform with the DEP (Data Execution Prevention) mechanism.

Look at the compiler and linker options. How can you have an executable stack ?

> The stack should be NX!

My head hurts.

OP… Please tell us that you’re building your FS Minifilter using standard WDK build procedures and settings. You’re not doing anything “clever” are you?

Have you told us which WDK you’re building with, by the way? And with what target OS version?

Peter
OSR
@OSRDrivers

> OP… Please tell us that you’re building your FS Minifilter using standard WDK build procedures and settings. You’re not doing anything “clever” are you?

Well, another guy set up the build, although it seems pretty standard… He has it building through a VS2015 project. I’m reviewing the compiler options now and I can’t see anything that looks as though it would make the stack executable.

> Have you told us which WDK you’re building with, by the way? And with what target OS version?

I’m building with the WDK 10.

Here are my compiler and linker command lines… (There’s some stuff which looks like it should have been removed when we removed XP support) but I can’t see anything that would account for an executable stack:

Would it be Windows itself that would set up the stack anyway? Would it be even possible to set this with a compiler/linker option?

Compiler:

/GS /analyze- /W4 /wd"4603" /wd"4627" /wd"4986" /wd"4987" /wd"4996" /Gy /Zc:wchar_t- /I"V:\4.1\DataNow\Properties..\Source" /I"V:\4.1\DataNow\Properties..\Source\Includes" /I"V:\4.1\DataNow\Properties..\Source\DataNow\Includes" /I"V:\4.1\DataNow\Properties..\Source\DataNow\Includes\DataNowHttp" /I"V:\4.1\DataNow\Properties..\Source\DataNow\Includes\WinEvtLib" /I"V:\4.1\DataNow\Properties..\Source\DataNow\Includes\ServiceLib" /I"V:\4.1\DataNow\Properties..\Source\Libraries\Includes" /I"V:\4.1\DataNow\Properties..\Source\Libraries\Includes\Common" /I"V:\4.1\DataNow\Properties..\Source\Libraries\Includes\DataNow_JSON" /I"V:\4.1\DataNow\Properties..\Source\Libraries\Includes\SharedPolicy" /I"V:\4.1\DataNow\Properties..\Source\Libraries\Includes\DeltaLibrary" /I"V:\4.1\DataNow\Properties..\Source\Libraries\DbgLog" /I"V:\4.1\DataNow\Properties..\Source\Libraries\RpcInterface_Service\x64" /I"V:\4.1\DataNow\Properties..\Source\Libraries\RpcInterface_Tray\x64" /I"V:\4.1\CppUnit\Properties..\Source\include" /I"V:\4.1\Office2010DeveloperResources\Properties..\Source\Include" /I"V:\4.1\detours\Properties..\Source\Include" /I"V:\4.1\DataNow\Properties..\Source\Intermediate\x64\Win7 Release\DataNow_Driver" /analyze:"stacksize1024" /Zi /Gm- /Ox /sdl /Fd"V:\4.1\DataNow\Properties..\Source\Intermediate\x64\Win7 Release\DataNow_Driver\cl_DataNow_Driver.pdb" /FI"C:\Program Files (x86)\Windows Kits\10\Include\10.0.10586.0\shared\warning.h" /Zc:inline /fp:precise /Zp8 /D "PROJECT_DataNow_Driver" /D "_CRT_SECURE_NO_WARNINGS" /D "_ATL_XP_TARGETING" /D "_WIN32_WINNT=_WIN32_WINNT_WINXP" /D "NTDDI_VERSION=NTDDI_WINXPSP3" /D "_WIN64" /D "AMD64" /D "AMD64" /D "_WIN32_WINNT=0x0601" /D "WINVER=0x0601" /D "WINNT=1" /D "NTDDI_VERSION=0x06010000" /D "POOL_NX_OPTIN=1" /errorReport:prompt /GF /WX /Zc:forScope /GR- /Gz /Oy- /Oi /Fa"V:\4.1\DataNow\Properties..\Source\Intermediate\x64\Win7 Release\DataNow_Driver" /nologo /Fo"V:\4.1\DataNow\Properties..\Source\Intermediate\x64\Win7 Release\DataNow_Driver" /Os /Fp"V:\4.1\DataNow\Properties..\Source\Intermediate\x64\Win7 Release\DataNow_Driver\DataNow_Driver.pch"

Linker:

/OUT:"V:\4.1\DataNow\Properties..\Source\Output\x64\Win7 Release\DataNow_Driver.sys" /MANIFEST:NO /PROFILE /Driver /PDB:"V:\4.1\DataNow\Properties..\Source\Output\x64\Win7 Release\PrivatePDBs\DataNow_Driver.pdb" /DYNAMICBASE "fltmgr.lib" "C:\Program Files (x86)\Windows Kits\10\lib\10.0.10586.0\km\x64\BufferOverflowK.lib" "C:\Program Files (x86)\Windows Kits\10\lib\10.0.10586.0\km\x64\ntoskrnl.lib" "C:\Program Files (x86)\Windows Kits\10\lib\10.0.10586.0\km\x64\hal.lib" "C:\Program Files (x86)\Windows Kits\10\lib\10.0.10586.0\km\x64\wmilib.lib" /RELEASE /LARGEADDRESSAWARE /VERSION:"10.0" /MACHINE:X64 /ENTRY:"GsDriverEntry" /WX /PDBSTRIPPED:"V:\4.1\DataNow\Properties..\Source\Output\x64\Win7 Release\PublicPDBs\DataNow_Driver.pdb" /OPT:REF /INCREMENTAL:NO /PGD:"V:\4.1\DataNow\Properties..\Source\Output\x64\Win7 Release\DataNow_Driver.pgd" /SUBSYSTEM:NATIVE",5.02" /OPT:ICF /ERRORREPORT:PROMPT /MERGE:"_TEXT=.text;_PAGE=PAGE" /NOLOGO /LIBPATH:"V:\4.1\DataNow\Properties..\Source\Output\x64\Win7 Release" /LIBPATH:"V:\4.1\CppUnit\Properties..\Source\lib\x64" /LIBPATH:"V:\4.1\Office2010DeveloperResources\Properties..\Source\x64\Win7 Release" /LIBPATH:"V:\4.1\detours\Properties..\Source\lib\x64" /NODEFAULTLIB /SECTION:"INIT,d"

No, no… Is this building as a “normal” Windows driver project? What are the project properties set to?

Peter
OSR
@OSRDrivers