Control Flow Guard question...

Hello,

I have compiled my kernel mode driver with CFG enabled.

I do see that, for indirect calls, my driver is going through a function pointer, __guard_check_icall_fptr. However, at runtime, it's pointing to _guard_check_icall_nop, which is just doing "ret 0".

This makes me believe that CFG is not enabled in the underlying operating system. I am using the latest Windows 10 build.

How do I enable CFG on Windows 10? Any advice would be greatly appreciated.

Thanks.
-Prasad

I have just used the samples to see what it is all about, but you should look up MmEnableCfg.

On Mon, Apr 24, 2017 at 2:38 PM, wrote:


Enforcement of CFG in kernel mode is tied to whether HVCI is enabled. Without HVCI, kernel mode CFG will get a pass-through implementation.

This is a simple way to enable HVCI for testing, without requiring secure boot (i.e. so that you can load test-signed drivers by enabling test signing):

rem Enable securekernel / VBS.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
rem Disable requirement for secure boot, IOMMU, etc.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 0 /f
rem Turn HVCI on.
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f

Or you could set the Device Guard “Turn On Virtualization Based Security” group policy appropriately for the same effect. Note that the above doesn’t try to lock the settings into firmware variables. Both methods require a reboot to take effect.

Note that you still must have the Hyper-V hypervisor running in order to enable these features. Hyper-V guests have to be at least build 14393 (version 1607) or later running on a build 14393 (version 1607) Hyper-V host to enable HVCI (or any VBS-associated capability) in a guest VM (unless you want to use nested virtualization and run a nested hypervisor - not recommended for VBS as opposed to using the native guest VBS support available in 14393).

Presently, only AMD64 supports HVCI and provides a full implementation of kernel CFG. The running OS instance that you wish to enable kernel CFG on should be build 15063 (version 1703) or later, as that's the first released version that fully enables kernel CFG support. Drivers compiled with kernel CFG will transparently work on older OS versions (or instances where kernel CFG is not enabled), but will just receive a pass-through implementation.

There is no connection between kernel CFG and the undocumented “EnableCFG” registry setting, which is no longer even honored in current builds of the OS.

- S (Msft)
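A PowerShell check that ties the reply above together, added here as an example rather than taken from the thread: it reads back the three DeviceGuard values the reg add commands set, asks the Win32_DeviceGuard WMI class (namespace root\Microsoft\Windows\DeviceGuard) whether VBS and HVCI are actually running after the reboot, and compares the build number against the 15063 threshold. The interpretation of the WMI values (VirtualizationBasedSecurityStatus 2 = running, SecurityServicesRunning containing 2 = HVCI) is an assumption from Microsoft's documentation of that class, not something the reply states.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the
# machine whose kernel CFG enforcement you want to confirm.

$dgKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$cfg   = Get-ItemProperty -Path $dgKey -ErrorAction SilentlyContinue

# Configured values: the three settings the reply's reg add commands write.
foreach ($name in 'EnableVirtualizationBasedSecurity',
                  'RequirePlatformSecurityFeatures',
                  'HypervisorEnforcedCodeIntegrity') {
    $value = if ($cfg -and $cfg.PSObject.Properties[$name]) { $cfg.$name } else { '<not set>' }
    '{0,-36} {1}' -f $name, $value
}

# Runtime state. Assumed semantics (per Microsoft's class documentation):
#   VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
#   SecurityServicesRunning: contains 1 for Credential Guard, 2 for HVCI
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$vbsRunning  = $dg.VirtualizationBasedSecurityStatus -eq 2
$hvciRunning = $dg.SecurityServicesRunning -contains 2

# Build 15063 (1703) is the first release that fully enables kernel CFG.
$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber

"VBS running  : $vbsRunning"
"HVCI running : $hvciRunning"
"OS build     : $build (kernel CFG needs 15063 or later)"

if ($hvciRunning -and $build -ge 15063) {
    'Kernel CFG should be enforced; __guard_check_icall_fptr should no longer point at the nop stub.'
} elseif ($cfg.HypervisorEnforcedCodeIntegrity -eq 1 -and -not $hvciRunning) {
    'HVCI is configured but not running: reboot, or confirm the hypervisor is loaded (build 14393+ host and guest for VMs).'
} else {
    'HVCI is off: indirect-call checks will use the pass-through implementation.'
}
```

If the first branch is not reached, the driver's indirect calls will keep going through the _guard_check_icall_nop stub regardless of how it was compiled.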

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@icloud.com
Sent: Monday, April 24, 2017 2:09 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Control Flow Guard question…


Thanks for the information! This is very useful.

Thanks.
-Prasad