NTDEV
Control Flow Guard question...

Prasad_Dabak-2 Member - All Emails Posts: 18
Hello,

I have compiled my kernel mode driver with CFG enabled.

I do see that, for indirect calls, my driver is going through a function pointer __guard_check_icall_fptr. However, at runtime, it's pointing to _guard_check_icall_nop which is just doing "ret 0".

This makes me believe that CFG is not enabled in the underlying operating system. I am using the latest Windows 10 build.

How do I enable CFG on Windows 10? Any advice would be greatly appreciated.

Thanks.
-Prasad

Comments

  • Amritanshu_Johri Member Posts: 75
    I have just used the samples to see what it is all about, but you should
    look up MmEnableCfg.

  • Ken_Johnson Member - All Emails Posts: 1,559
    Enforcement of CFG in kernel mode is tied to whether HVCI is enabled. Without HVCI, kernel mode CFG will get a pass-through implementation.

    This is a simple way to enable HVCI for testing, without requiring secure boot (i.e. so that you can load test-signed drivers by enabling test signing):

    rem Enable securekernel / VBS.
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
    rem Disable requirement for secure boot, IOMMU, etc.
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 0 /f
    rem Turn HVCI on.
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f


    Or you could set the Device Guard "Turn On Virtualization Based Security" group policy appropriately for the same effect. Note that the above doesn't try to lock the settings into firmware variables. Both methods require a reboot to take effect.


    Note that you still must have the Hyper-V hypervisor running in order to enable these features. Hyper-V guests have to be at least build 14393 (version 1607) or later running on a build 14393 (version 1607) Hyper-V host to enable HVCI (or any VBS-associated capability) in a guest VM (unless you want to use nested virtualization and run a nested hypervisor - not recommended for VBS as opposed to using the native guest VBS support available in 14393).


    Presently, only AMD64 supports HVCI and provides a full implementation of kernel CFG. The running OS instance that you wish to enable kernel CFG on should be build 15063 (version 1703) or later, as that's the first released version that fully enables kernel CFG support. Drivers compiled with kernel CFG will transparently work on older OS versions (or instances where kernel CFG is not enabled), but will just receive a pass-through implementation.


    There is no connection between kernel CFG and the undocumented "EnableCFG" registry setting, which is no longer even honored in current builds of the OS.

    - S (Msft)

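The three registry values from Ken's reply as a script, together with the check a driver developer wants after the reboot: whether VBS and HVCI are actually running, since that is what decides whether the driver's __guard_check_icall_fptr gets the real check or the nop stub. This is an added example, not code from the post or from Microsoft. It assumes a 64-bit Windows 10 build 15063 or later with the Hyper-V hypervisor installed, an elevated PowerShell session, and the Win32_DeviceGuard WMI class in the root\Microsoft\Windows\DeviceGuard namespace (whose VirtualizationBasedSecurityStatus and SecurityServicesRunning properties are read below); the function names are my own.

```powershell
# Added example (not from the thread): write the DeviceGuard test settings,
# then report what is configured versus what is really running.
# Assumes Win10 15063+ x64, elevated session, Hyper-V hypervisor installed.
param([switch]$Apply)   # run with -Apply to write the values; without it, only report

$dgKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'

function Enable-TestHvci {
    # Same values as the reg.exe lines in the reply; create the key if absent.
    if (-not (Test-Path $dgKey)) { New-Item -Path $dgKey -Force | Out-Null }
    # Enable securekernel / VBS.
    Set-ItemProperty -Path $dgKey -Name 'EnableVirtualizationBasedSecurity' -Type DWord -Value 1
    # 0 = no Secure Boot / IOMMU requirement, so test-signed drivers still load.
    Set-ItemProperty -Path $dgKey -Name 'RequirePlatformSecurityFeatures' -Type DWord -Value 0
    # HVCI on: this is what turns kernel CFG from pass-through into enforcement.
    Set-ItemProperty -Path $dgKey -Name 'HypervisorEnforcedCodeIntegrity' -Type DWord -Value 1
    Write-Host 'DeviceGuard values written; reboot for them to take effect.'
}

function Get-HvciState {
    # Win32_DeviceGuard distinguishes "configured" from "running", which is the
    # distinction that matters here: a configured-but-not-running HVCI still
    # leaves the driver with _guard_check_icall_nop.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    # SecurityServices* arrays: 1 = Credential Guard, 2 = HVCI.
    [pscustomobject]@{
        HypervisorPresent = $cs.HypervisorPresent
        VbsStatus         = $dg.VirtualizationBasedSecurityStatus
        HvciConfigured    = ($dg.SecurityServicesConfigured -contains 2)
        HvciRunning       = ($dg.SecurityServicesRunning -contains 2)
    }
}

function Test-KernelCfgEnforced {
    # Returns $true only when the prerequisites Ken lists are all satisfied at
    # runtime; each failure names the layer that is missing.
    $s = Get-HvciState
    if (-not $s.HypervisorPresent) {
        Write-Warning 'No hypervisor running: enable the Hyper-V hypervisor first.'
        return $false
    }
    if ($s.VbsStatus -ne 2) {
        Write-Warning "VBS is not running (status $($s.VbsStatus)); a reboot may still be pending."
        return $false
    }
    if (-not $s.HvciRunning) {
        Write-Warning 'HVCI is configured but not running.'
        return $false
    }
    return $true
}

if ($Apply) { Enable-TestHvci }
Get-HvciState | Format-List
if (Test-KernelCfgEnforced) {
    Write-Host 'VBS and HVCI are running; kernel CFG should be enforced for CFG-compiled drivers.'
}
```

Run it once with -Apply, reboot, then run it again without the switch. Only when Test-KernelCfgEnforced returns $true is it meaningful to look at where __guard_check_icall_fptr points in the driver; before that, the nop stub is the expected result, not evidence of a build problem.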
  • Prasad_Dabak-2 Member - All Emails Posts: 18
    Thanks for the information! This is very useful.

    Thanks.
    -Prasad