
Bcrypt in the kernel

Don_Burn_1 Member Posts: 4,311
Microsoft states that their CNG package works in the kernel
(http://msdn.microsoft.com/en-us/library/bb204775(VS.85).aspx) and they
have definitions in bcrypt.h that are for kernel-mode functions. What
is missing is the documentation that is claimed to be there for things
like the IRQL the functions can be called at, or anything else related to
using it in the kernel.

So my question is: can the Bcrypt APIs be used in the kernel? Does
Microsoft really support them (I normally take the approach that if it is not
in the WDK documentation, it is in the grey area of support)? And can
anyone point me to some documentation / examples of how to use them in
the kernel?


Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr

Comments

  • Martin_Ghazaryan Member Posts: 25
    You may want to get the CNG SDK with samples, which contains kernel-mode usage examples along with other stuff:

    http://www.microsoft.com/downloads/details.aspx?familyid=1ef399e9-b018-49db-a98b-0ced7cb8ff6f&displaylang=en

    Briefly, CNG is officially supported starting from Vista (in both user and kernel mode). In kernel mode it's implemented as an export driver (ksecdd.sys, with the ksecdd.lib import library). IRQL and other info can be found in the documentation for each function separately:

    http://msdn.microsoft.com/en-us/library/aa833130(VS.85).aspx
  • Don_Burn_1 Member Posts: 4,311
    Yes, I've had that for days. The one kernel sample is pretty poor, and
    nowhere does it document what IRQLs you can call functions at, even
    though if you search enough on microsoft.com it implies some functions
    can be called at DISPATCH_LEVEL, just not which functions they are.


    Don Burn (MVP, Windows DKD)
    Windows Filesystem and Driver Consulting
    Website: http://www.windrvr.com
    Blog: http://msmvps.com/blogs/WinDrvr

  • Martin_Ghazaryan Member Posts: 25
    Well, the rule is pretty much generic I think -- if you pass stuff in nonpaged memory, you can call it at DISPATCH_LEVEL, otherwise -- PASSIVE_LEVEL. Here's a snip from description of BCryptEncrypt:

    "Depending on what processor modes a provider supports, BCryptEncrypt can be called either from user mode or kernel mode. Kernel mode callers can execute either at PASSIVE_LEVEL IRQL or DISPATCH_LEVEL IRQL. If the current IRQL level is DISPATCH_LEVEL, the handle provided in the hKey parameter must be derived from an algorithm handle returned by a provider that was opened with the BCRYPT_PROV_DISPATCH flag, and any pointers passed to the BCryptEncrypt function must refer to nonpaged (or locked) memory."
  • Peter_Viscarola_(OSR) Administrator Posts: 7,413
    Not to be an annoying douche-bag, but I *do* see IRQL-related comments in the docs... at least for BCryptEncrypt:

    http://msdn.microsoft.com/en-us/library/aa375421(VS.85).aspx

    ..........
    Depending on what processor modes a provider supports, BCryptEncrypt can be called either from user mode or kernel mode. Kernel mode callers can execute either at PASSIVE_LEVEL IRQL or DISPATCH_LEVEL IRQL. If the current IRQL level is DISPATCH_LEVEL, the handle provided in the hKey parameter must be derived from an algorithm handle returned by a provider that was opened with the BCRYPT_PROV_DISPATCH flag, and any pointers passed to the BCryptEncrypt function must refer to nonpaged (or locked) memory.

    To call this function in kernel mode, use Ksecdd.lib, which is part of the Driver Development Kit (DDK).
    ..........

    Peter Viscarola
    OSR
    @OSRDrivers

  • Peter_Viscarola_(OSR) Administrator Posts: 7,413
    Ah, sorry... I see Mr. Ghazaryan has already pointed to this same passage.

    I'll go back to sleep now,

    Peter
    OSR

    Peter Viscarola
    OSR
    @OSRDrivers
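Putting the BCryptEncrypt rule quoted by Mr. Ghazaryan and Peter into driver code: this is an added example (not from the thread, the CNG SDK samples, or Microsoft) that opens the AES provider with BCRYPT_PROV_DISPATCH at PASSIVE_LEVEL, keeps the key object in nonpaged pool, and exposes an encrypt routine that may run at DISPATCH_LEVEL. The function names CngInit/CngEncryptCbc/CngCleanup and the pool tag are assumptions; it must be built with the WDK and linked against ksecdd.lib.

```c
#include <ntddk.h>
#include <bcrypt.h>   /* kernel-mode CNG; link against ksecdd.lib */

/* Handles created at PASSIVE_LEVEL; the key object lives in nonpaged pool
 * so BCryptEncrypt can touch it at DISPATCH_LEVEL without a page fault. */
static BCRYPT_ALG_HANDLE g_hAes;
static BCRYPT_KEY_HANDLE g_hKey;
static PUCHAR            g_pKeyObject;
#define CNG_POOL_TAG 'gnCx'   /* assumed tag for this example */

/* Call at PASSIVE_LEVEL (e.g. from DriverEntry). BCRYPT_PROV_DISPATCH asks for
 * a provider whose key handles may later be used at DISPATCH_LEVEL. */
NTSTATUS CngInit(_In_reads_(32) const UCHAR *Key256)
{
    NTSTATUS status;
    ULONG cbKeyObject = 0, cbResult = 0;
    NT_ASSERT(KeGetCurrentIrql() == PASSIVE_LEVEL);
    status = BCryptOpenAlgorithmProvider(&g_hAes, BCRYPT_AES_ALGORITHM,
                                         NULL, BCRYPT_PROV_DISPATCH);
    if (!NT_SUCCESS(status)) return status;
    /* Size of the opaque key object this provider needs (default chaining: CBC). */
    status = BCryptGetProperty(g_hAes, BCRYPT_OBJECT_LENGTH, (PUCHAR)&cbKeyObject,
                               sizeof(cbKeyObject), &cbResult, 0);
    if (!NT_SUCCESS(status)) return status;
    /* NonPagedPoolNx needs Win8+; use NonPagedPool on older targets. */
    g_pKeyObject = ExAllocatePoolWithTag(NonPagedPoolNx, cbKeyObject, CNG_POOL_TAG);
    if (g_pKeyObject == NULL) return STATUS_INSUFFICIENT_RESOURCES;
    return BCryptGenerateSymmetricKey(g_hAes, &g_hKey, g_pKeyObject, cbKeyObject,
                                      (PUCHAR)Key256, 32, 0);
}

/* Callable at PASSIVE_LEVEL or DISPATCH_LEVEL (e.g. from a DPC). pbData, pbIv
 * and pbOut must all be nonpaged or locked, per the BCryptEncrypt rule. */
NTSTATUS CngEncryptCbc(_In_reads_(cbData) PUCHAR pbData, ULONG cbData,
                       _Inout_updates_(16) PUCHAR pbIv,
                       _Out_writes_(cbOut) PUCHAR pbOut, ULONG cbOut,
                       _Out_ PULONG pcbWritten)
{
    NT_ASSERT(KeGetCurrentIrql() <= DISPATCH_LEVEL);
    /* BCRYPT_BLOCK_PADDING pads to the AES block size; pbOut needs room for it. */
    return BCryptEncrypt(g_hKey, pbData, cbData, NULL, pbIv, 16,
                         pbOut, cbOut, pcbWritten, BCRYPT_BLOCK_PADDING);
}

/* Call at PASSIVE_LEVEL during unload; destroy the key before freeing its object. */
VOID CngCleanup(VOID)
{
    if (g_hKey)       BCryptDestroyKey(g_hKey);
    if (g_pKeyObject) ExFreePoolWithTag(g_pKeyObject, CNG_POOL_TAG);
    if (g_hAes)       BCryptCloseAlgorithmProvider(g_hAes, 0);
}
```

If CngInit is ever called without BCRYPT_PROV_DISPATCH, or a caller hands CngEncryptCbc a paged buffer, the DISPATCH_LEVEL path is exactly the case the documentation warns about, so Driver Verifier with IRQL checking enabled is the practical way to catch it.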
