Home NTDEV
Loading DLL into system process problem on Windows 8

Michael_Grabelkovsky-1 Member Posts: 33
I have a driver which loads a DLL inside processes. It uses LdrLoadDll(), and everything works great under Windows 7: my DLL is loaded into just about any process.

The problem started with Windows 8.
The DLL loads into ordinary processes.
But when I try to load the DLL inside services.exe, the following message appears in WinDbg:

[\Device\HarddiskVolume2\Program Files\XYZ\XYZ\Client\bin\XYZDll.dll]:[\Device\HarddiskVolume2\Windows\System32\services.exe] 0x8 > 0x1
******************************************************************
* This break indicates this binary is not signed correctly: \Device\HarddiskVolume2\Program Files\XYZ\XYZ\Client\bin\XYZDll.dll
* and does not meet the system policy.
* The binary was attempted to be loaded in the process: \Device\HarddiskVolume2\Windows\System32\services.exe
* This is not a failure in CI, but a problem with the failing binary.
* Please contact the binary owner for getting the binary correctly signed.
******************************************************************
Code Integrity violation: 1068

I found its description on Microsoft's site: https://msdn.microsoft.com/en-us/library/windows/hardware/dn756632(v=vs.85).aspx

From it, it follows that the DLL has to be signed as "0x8 = Microsoft signed".
Moreover, a "Windows signed" certificate can't be used!?!
I signed the DLL with the test certificate which I use for the driver; it does not help.

Questions:
1. What does a "Microsoft signed" certificate mean? As I understand from the source above, it is not the same as a "Windows signed" certificate. How may I acquire a Microsoft certificate?
2. Does another way of loading the DLL exist that avoids the named problem?
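As an added example (not code from the thread or from Microsoft), the following script decodes Code Integrity failure lines of the shape shown above. It assumes, as the asker reads the linked page, that the first hex value is the signing level the host process demands and the second is the level CI assigned to the image; the level names are the SE_SIGNING_LEVEL_* values from winnt.h. The sample transcript embedded below is constructed: its first failure line is the one from this post, the second (other.dll into audiodg.exe) is made up to show a different level pair.

```python
"""Decode Code Integrity (CI) image-load failures of the form
"[image]:[process] 0xR > 0xA" as they appear in WinDbg output.

Added example, not code from the thread. Assumption: the first hex value is
the signing level the host process requires, the second is the level the
rejected image achieved.
"""
import re
from typing import List, NamedTuple, Optional

# SE_SIGNING_LEVEL_* values from winnt.h. Levels Microsoft names only as
# CUSTOM_n are shown that way, with the documented alias in parentheses.
SIGNING_LEVELS = {
    0x0: "Unchecked",
    0x1: "Unsigned",
    0x2: "Enterprise",
    0x3: "Custom1 (Developer)",
    0x4: "Authenticode",
    0x5: "Custom2",
    0x6: "Store",
    0x7: "Custom3 (Antimalware)",
    0x8: "Microsoft",
    0x9: "Custom4",
    0xA: "Custom5",
    0xB: "DynamicCodegen",
    0xC: "Windows",
    0xD: "Custom7",
    0xE: "WindowsTcb",
    0xF: "Custom6",
}

CI_LINE = re.compile(
    r"^\[(?P<image>[^\]]+)\]:\[(?P<process>[^\]]+)\]\s+"
    r"0x(?P<required>[0-9A-Fa-f]+)\s*>\s*0x(?P<actual>[0-9A-Fa-f]+)$"
)


class CiViolation(NamedTuple):
    image: str
    process: str
    required: int   # level the process demands for images it loads
    actual: int     # level CI assigned to the image that was rejected


def level_name(level: int) -> str:
    return SIGNING_LEVELS.get(level, "Unknown(0x%X)" % level)


def parse_ci_line(line: str) -> Optional[CiViolation]:
    """Return the decoded violation, or None if the line is not a CI failure line."""
    m = CI_LINE.match(line.strip())
    if m is None:
        return None
    return CiViolation(m["image"], m["process"],
                       int(m["required"], 16), int(m["actual"], 16))


def explain(v: CiViolation) -> str:
    """One-line human reading of a violation, e.g. for a triage note."""
    return ("%s was assigned level %s (0x%X) but %s requires level %s (0x%X)"
            % (v.image, level_name(v.actual), v.actual,
               v.process, level_name(v.required), v.required))


def scan_debugger_output(text: str) -> List[CiViolation]:
    """Pick the CI failure lines out of a WinDbg transcript; other lines are ignored."""
    found = []
    for line in text.splitlines():
        v = parse_ci_line(line)
        if v is not None:
            found.append(v)
    return found


# Constructed sample transcript: the first failure line is the one from the
# thread; the second is made up here to show a different level pair.
SAMPLE_OUTPUT = r"""
[\Device\HarddiskVolume2\Program Files\XYZ\XYZ\Client\bin\XYZDll.dll]:[\Device\HarddiskVolume2\Windows\System32\services.exe] 0x8 > 0x1
******************************************************************
* This break indicates this binary is not signed correctly: ...
******************************************************************
Code Integrity violation: 1068
[\Device\HarddiskVolume2\Temp\other.dll]:[\Device\HarddiskVolume2\Windows\System32\audiodg.exe] 0x4 > 0x1
"""

if __name__ == "__main__":
    for v in scan_debugger_output(SAMPLE_OUTPUT):
        print(explain(v))
```

Run against the line from this post it reports that XYZDll.dll was assigned level Unsigned (0x1) while services.exe requires level Microsoft (0x8), which is the gap the rest of the thread is about: a test-signing certificate does not raise the level CI assigns.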

Comments

  • Aleh_Kazakevich Member Posts: 74
    > Michael Grabelkovsky wrote:
    >
    > The problem started with Windows 8.
    > The DLL loads into ordinary processes.
    > But when I try to load the DLL inside services.exe, the following message appears in
    > WinDbg:
    > ...

    This is part of the Windows 8.1 security model called 'Protected Processes Light' (PPL).
    More details can be found in the Alex Ionescu's blog:

    The Evolution of Protected Processes Part 1: Pass-the-Hash Mitigations in Windows 8.1
    http://www.alex-ionescu.com/?p=97

    The Evolution of Protected Processes Part 2: Exploit/Jailbreak Mitigations, Unkillable Processes and Protected Services
    http://www.alex-ionescu.com/?p=116

    Protected Processes Part 3 : Windows PKI Internals (Signing Levels, Scenarios, Root Keys, EKUs & Runtime Signers)
    http://www.alex-ionescu.com/?p=146

    > It uses LdrLoadDll(), and everything works great under Windows 7: my DLL
    > is loaded into just about any process.

    This is not true. On Windows 7, and even on Windows Vista, your DLL-injecting
    mechanism will not work for Vista-style protected processes like audiodg.exe.
    Open the system event log ('Security') and you will find a number of 'Audit
    Failure' messages with similar 'symptoms' that refer to your
    'wrongly signed' DLL.

    You may resolve part of these problems if you sign your DLL with a proper
    cross-certificate (like a kernel-mode driver) with the /INTEGRITYCHECK and
    /ph (page hashes) options, but you cannot bypass the Windows security model
    (or, think about allocating executable memory and placing base-independent
    code there instead of calling LdrLoadDll/LoadLibrary/etc.).

    Another solution is to call 'PsIsProtectedProcess' (Vista+) and
    'PsIsProtectedProcessLight' (Win8.1+) to detect and skip protected processes.
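    As an added example (not code from the thread or from any OSR or Microsoft tool), the following script checks what the /INTEGRITYCHECK link option and signing actually left in a DLL's PE header, so that the recommendation above can be verified before blaming the certificate. It reads two facts from the optional header: the IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY bit (0x0080), which is what link.exe /INTEGRITYCHECK sets, and the security data directory (index 4), where an embedded Authenticode signature lives. The PE32+ image it inspects is constructed inside the script, headers only, with a zero-filled placeholder where a WIN_CERTIFICATE blob would go; it is not a real DLL and carries no real signature.

```python
"""Check a PE file for the two header-level results of the thread's advice:
the FORCE_INTEGRITY DllCharacteristics bit and an embedded signature
directory. Added example, not code from the thread; the test image built by
build_test_image() is constructed here and is not a real DLL."""
import struct
from typing import Dict

IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY = 0x0080   # set by link.exe /INTEGRITYCHECK
IMAGE_FILE_DLL = 0x2000
IMAGE_DIRECTORY_ENTRY_SECURITY = 4                   # Authenticode signature directory
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def inspect_pe(data: bytes) -> Dict[str, object]:
    """Walk DOS header -> NT signature -> COFF header -> optional header and
    return the signing-relevant facts. Raises ValueError for non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no DOS header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    (machine, _nsections, _timestamp, _symtab, _nsyms,
     opt_size, file_chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt + opt_size > len(data) or opt_size < 72:
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        pe32plus, ndirs_off, dirs_off = False, 92, 96
    elif magic == PE32PLUS_MAGIC:
        pe32plus, ndirs_off, dirs_off = True, 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)

    has_sig = False
    sec_entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if opt_size >= sec_entry + 8:
        (ndirs,) = struct.unpack_from("<I", data, opt + ndirs_off)
        if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
            # For the security directory the first field is a file offset, not an RVA.
            off, size = struct.unpack_from("<II", data, opt + sec_entry)
            has_sig = off != 0 and size != 0 and off + size <= len(data)
    return {
        "machine": machine,
        "pe32plus": pe32plus,
        "is_dll": bool(file_chars & IMAGE_FILE_DLL),
        "dll_characteristics": dll_chars,
        "force_integrity": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY),
        "has_security_directory": has_sig,
    }


def report(data: bytes) -> str:
    """Short verdict on whether the image was linked and signed as advised."""
    r = inspect_pe(data)
    notes = []
    if not r["has_security_directory"]:
        notes.append("no embedded Authenticode signature")
    if not r["force_integrity"]:
        notes.append("FORCE_INTEGRITY not set (link /INTEGRITYCHECK missing)")
    return "ok: signed, integrity-checked image" if not notes else "; ".join(notes)


def build_test_image(force_integrity: bool, signed: bool) -> bytes:
    """Constructed minimal PE32+ DLL: headers only, no sections. When signed=True
    a zero-filled WIN_CERTIFICATE placeholder is appended and pointed to by the
    security directory; it is not a real signature."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew: NT headers follow the DOS header
    opt = bytearray(240)                               # full PE32+ optional header
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    dll_chars = 0x0160                                 # HIGH_ENTROPY_VA | DYNAMIC_BASE | NX_COMPAT
    if force_integrity:
        dll_chars |= IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 108, 16)               # NumberOfRvaAndSizes
    header_len = 0x40 + 4 + 20 + len(opt)
    cert = b""
    if signed:
        # WIN_CERTIFICATE header: dwLength, wRevision=0x0200, wCertificateType=PKCS_SIGNED_DATA
        cert = struct.pack("<IHH", 8 + 16, 0x0200, 0x0002) + bytes(16)
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         header_len, len(cert))
    # Machine AMD64, 0 sections, Characteristics = EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | DLL
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x2022)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    print(report(build_test_image(force_integrity=True, signed=True)))
    print(report(build_test_image(force_integrity=False, signed=False)))
```

    To run it against a real file, pass the bytes of the DLL to report(). The caveat that matches the rest of the thread: FORCE_INTEGRITY only obliges the loader to verify the signature, and the page-hash (/ph) data sits inside the Authenticode blob this script does not parse; neither flag raises the signing level CI assigns, which is decided by the certificate chain, so an image can pass this check and still be rejected exactly as shown in the original post.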
  • Aleh,
    Thanks a lot for the really interesting information and references.
    Now I at least understand the subject and the problem.

    Unfortunately your recommendations (/INTEGRITYCHECK + /ph) are not sufficient; they don't help.

    Skipping protected processes is not the goal. If I don't succeed with instrumentation, they load and start; no problem.