Execute Native Application in Windows 10 and 8.1

KernelCoreKernelCore Member Posts: 6

I'm trying to run a Windows native application (i.e. subsystem: NATIVE) on Windows 10 and 8.1. The application is signed with a test certificate, and test-signing mode was enabled on Windows. I've created the application based on the "Empty WDM Driver" template in Visual Studio with the latest WDK. I've compiled an exe file. Apart from ntdll.lib, no default libs have been used. The test certificate of the application was placed in the Trusted Root Certification Authorities store.

The executable of the application was placed in the C:\Windows\System32 directory, and the appropriate value (the application name) was added to the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute. So, the application must be executed at boot time. But a BSOD occurs with the error code 0xC0000145. This NTSTATUS value is named STATUS_APP_INIT_FAILURE. But when I try to start this application on Windows 7, the application executes correctly.
I assume something is wrong with the certificate. Maybe I placed it in an inappropriate store. How can I start a native application in Windows 10 and 8.1?

The code of the application:

#include <ntifs.h>
#include <ntdef.h>

NTSYSCALLAPI NTSTATUS NTAPI NtDisplayString(PUNICODE_STRING DisplayString);
NTSYSAPI NTSTATUS NTAPI NtTerminateProcess(HANDLE ProcessHandle, NTSTATUS ExitStatus);

VOID NtProcessStartup(PVOID StartupArgument)
{
    UNICODE_STRING str;
    RtlInitUnicodeString(&str, L"Hello, world!\n");
    NtDisplayString(&str);
    NtTerminateProcess((HANDLE)(-1), 0);
}

Comments

  • ThatsBerkanThatsBerkan Member Posts: 36

    I've never dealt with that kind of software but I believe anything that runs early boot must have a valid certificate and secure boot disabled if not.

  • KernelCoreKernelCore Member Posts: 6

    anything that runs early boot must have a valid certificate and secure boot disabled if not.

    The test certificate has been added to the System store.
    Secure Boot is not present in the virtual machine with Windows 8.1 and is not enabled in the virtual machine with Windows 10.

    As I remember, boot drivers must have additional security attributes, such as integrity checks. Maybe the same approach is required for native applications. So, I've added the /INTEGRITYCHECK parameter to the linker options. It sets IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY in the DllCharacteristics field.
    But nothing has changed.

    Maybe some additional options are required?

  • MBond2MBond2 Member Posts: 238

    hook up a debugger and see where it fails?

  • KernelCoreKernelCore Member Posts: 6

    I've attached WinDBG to the Windows 8.1 virtual machine.
    NativeApp.exe is the name of the compiled native application discussed above.
    Here is the output:

    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    Unknown bugcheck code (c0000145)
    Unknown bugcheck description
    Arguments:
    Arg1: ffffffffc000007b
    Arg2: 0000000000000000
    Arg3: 0000000000000000
    Arg4: 0000000000000000
    
    Debugging Details:
    ------------------
    
    
    KEY_VALUES_STRING: 1
    
    
    PROCESSES_ANALYSIS: 1
    
    SERVICE_ANALYSIS: 1
    
    STACKHASH_ANALYSIS: 1
    
    TIMELINE_ANALYSIS: 1
    
    
    DUMP_CLASS: 1
    
    DUMP_QUALIFIER: 0
    
    BUILD_VERSION_STRING:  9600.16384.amd64fre.winblue_rtm.130821-1623
    
    BUGCHECK_STR:  0xc0000145
    
    ERROR_CODE: (NTSTATUS) 0xc0000145 - <Unable to get error code text>
    
    EXCEPTION_CODE: (NTSTATUS) 0xc0000145 - <Unable to get error code text>
    
    EXCEPTION_CODE_STR:  c0000145
    
    EXCEPTION_PARAMETER1:  ffffffffc000007b
    
    EXCEPTION_PARAMETER2:  0000000000000000
    
    EXCEPTION_PARAMETER3:  0000000000000000
    
    EXCEPTION_PARAMETER4: 0
    
    DUMP_TYPE:  0
    
    BUGCHECK_P1: ffffffffc000007b
    
    BUGCHECK_P2: 0
    
    BUGCHECK_P3: 0
    
    BUGCHECK_P4: 0
    
    CPU_COUNT: 1
    
    CPU_MHZ: fb3
    
    CPU_VENDOR:  AuthenticAMD
    
    CPU_FAMILY: 15
    
    CPU_MODEL: 2
    
    CPU_STEPPING: 0
    
    DEFAULT_BUCKET_ID:  WIN8_DRIVER_FAULT
    
    PROCESS_NAME:  NativeApp.exe
    
    CURRENT_IRQL:  0
    
    ANALYSIS_SESSION_HOST:  MY-PC
    
    ANALYSIS_SESSION_TIME:  01-15-2021 19:18:18.0891
    
    ANALYSIS_VERSION: 10.0.18362.1 amd64fre
    
    LAST_CONTROL_TRANSFER:  from fffff800be5f37c6 to fffff800be570c90
    
    STACK_TEXT:  
    ffffd000`20667f08 fffff800`be5f37c6 : ffffe000`01e93f90 00000000`00000000 ffffd000`20668070 fffff800`be518654 : nt!DbgBreakPointWithStatus
    ffffd000`20667f10 fffff800`be5f30d7 : 00000000`00000003 00000000`c0000145 ffffe000`01e93f90 00000000`00000000 : nt!KiBugCheckDebugBreak+0x12
    ffffd000`20667f70 fffff800`be56a1a4 : ffffe000`0053bc00 00000000`00000002 ffffe000`00000048 00000000`00000000 : nt!KeBugCheck2+0x8ab
    ffffd000`20668680 fffff800`be792da5 : 00000000`0000004c 00000000`c0000145 ffffd000`213463f8 ffffe000`01e97060 : nt!KeBugCheckEx+0x104
    ffffd000`206686c0 fffff800`be78b320 : ffffe000`0053bc00 ffffd000`206687d9 00000000`00000000 00000000`00000002 : nt!PopGracefulShutdown+0x2c9
    ffffd000`20668700 fffff800`be5758b3 : ffffe000`0053b880 00000000`00000000 00000000`c0000004 ffffd000`20668900 : nt! ?? ::OKHAJAOM::`string'+0xe30
    ffffd000`20668840 fffff800`be56dd00 : fffff800`be9b407f 00000000`00000001 ffffd000`20668a58 00000000`c0000004 : nt!KiSystemServiceCopyEnd+0x13
    ffffd000`206689d8 fffff800`be9b407f : 00000000`00000001 ffffd000`20668a58 00000000`c0000004 00300039`00630030 : nt!KiServiceLinkage
    ffffd000`206689e0 fffff800`be8e856f : ffffd000`21347000 ffff2fa7`3077a629 ffffe000`0053b9c0 00000000`00000000 : nt! ?? ::NNGAKEGL::`string'+0x6d47f
    ffffd000`20668aa0 fffff800`be4fc14e : fffff800`be4fc094 00000000`00000000 00000000`00000002 ffffe000`0053b880 : nt!PopPolicyWorkerAction+0x63
    ffffd000`20668b10 fffff800`be4563cd : fffff800`00000002 ffffd000`20668bd0 00000000`80000000 ffffe000`0053b880 : nt!PopPolicyWorkerThread+0xba
    ffffd000`20668b50 fffff800`be501664 : c110ebc1`d08bd98b ffffe000`0053b880 ffffe000`0053b880 ffffe000`00078040 : nt!ExpWorkerThread+0x2b5
    ffffd000`20668c00 fffff800`be5706c6 : fffff800`be70b180 ffffe000`0053b880 ffffe000`00161040 89c0b60f`10e8c1c2 : nt!PspSystemThreadStartup+0x58
    ffffd000`20668c60 00000000`00000000 : ffffd000`20669000 ffffd000`20663000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x16
    
    
    THREAD_SHA1_HASH_MOD_FUNC:  d7f444b71e491dcfdd8b3266714c4b6897af456b
    
    THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  e6132901e8a12b2b476db61a013524cabc9aa059
    
    THREAD_SHA1_HASH_MOD:  7f608ac2fbce9034a3386b1d51652e4911d30234
    
    FOLLOWUP_IP: 
    nt! ?? ::OKHAJAOM::`string'+e30
    fffff800`be78b320 cc              int     3
    
    FAULT_INSTR_CODE:  cf0a40cc
    
    SYMBOL_STACK_INDEX:  5
    
    SYMBOL_NAME:  nt! ?? ::OKHAJAOM::`string'+e30
    
    FOLLOWUP_NAME:  MachineOwner
    
    MODULE_NAME: nt
    
    IMAGE_NAME:  ntkrnlmp.exe
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  5215d156
    
    IMAGE_VERSION:  6.3.9600.16384
    
    STACK_COMMAND:  .thread ; .cxr ; kb
    
    BUCKET_ID_FUNC_OFFSET:  e30
    
    FAILURE_BUCKET_ID:  0xc0000145_nt!_??_::OKHAJAOM::_string_
    
    BUCKET_ID:  0xc0000145_nt!_??_::OKHAJAOM::_string_
    
    PRIMARY_PROBLEM_CLASS:  0xc0000145_nt!_??_::OKHAJAOM::_string_
    
    TARGET_TIME:  2021-01-15T16:17:29.000Z
    
    OSBUILD:  9600
    
    OSSERVICEPACK:  16384
    
    SERVICEPACK_NUMBER: 0
    
    OS_REVISION: 0
    
    SUITE_MASK:  784
    
    PRODUCT_TYPE:  1
    
    OSPLATFORM_TYPE:  x64
    
    OSNAME:  Windows 8.1
    
    OSEDITION:  Windows 8.1 WinNt TerminalServer SingleUserTS Personal
    
    OS_LOCALE:  
    
    USER_LCID:  0
    
    OSBUILD_TIMESTAMP:  2013-08-22 12:52:38
    
    BUILDDATESTAMP_STR:  130821-1623
    
    BUILDLAB_STR:  winblue_rtm
    
    BUILDOSVER_STR:  6.3.9600.16384.amd64fre.winblue_rtm.130821-1623
    
    ANALYSIS_SESSION_ELAPSED_TIME:  1d4c
    
    ANALYSIS_SOURCE:  KM
    
    FAILURE_ID_HASH_STRING:  km:0xc0000145_nt!_??_::okhajaom::_string_
    
    FAILURE_ID_HASH:  {5e85bcb5-48b0-448f-d0d7-e7da59707767}
    
    Followup:     MachineOwner
    ---------
    
    
  • Tim_RobertsTim_Roberts Member - All Emails Posts: 13,771

    Arg1 is 0xC000007B, which is STATUS_INVALID_IMAGE_FORMAT. Are you quite sure you compiled this as a 64-bit application? Did you compile it to target 8.1? Unlike user-mode, the native loader checks all of those obscure PE headers.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 8,242

    Hmmmm... I haven't done this for a very, very, long time.

    Let's start at the beginning, shall we? It seems you've managed to create an executable that's not properly formatted to run on Win 8 or Win 10.

    So, I think we should ask: How, exactly, are you building this?

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 8,242
    edited January 16
    You know... once would have been enough.

    And answering my questions would be helpful.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Doron_HolanDoron_Holan Member - All Emails Posts: 10,553
    Perhaps you are compiling it as a driver, not a native app. Inspect your link command line and it should be clear what type of PE you are creating.
    d
  • Tim_RobertsTim_Roberts Member - All Emails Posts: 13,771

    Do a "link /dump /headers xxx.exe" and post the output.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • KernelCoreKernelCore Member Posts: 6

    Sorry for multiposting. The problem was on my side. The web page was not responding in my browser. I updated it and a draft was sent.

    2Tim_Roberts:
    Yes, the application is compiled for x64.
    Target OS Version: Windows 8.1
    _NT_TARGET_VERSION: Windows 8.1

    The output of link /dump /headers:

    Microsoft (R) COFF/PE Dumper Version 14.24.28314.0
    Copyright (C) Microsoft Corporation.  All rights reserved.
    
    
    Dump of file NativeApp.exe
    
    PE signature found
    
    File Type: EXECUTABLE IMAGE
    
    FILE HEADER VALUES
                8664 machine (x64)
                   3 number of sections
            600324DB time date stamp Sat Jan 16 21:39:39 2021
                   0 file pointer to symbol table
                   0 number of symbols
                  F0 size of optional header
                  22 characteristics
                       Executable
                       Application can handle large (>2GB) addresses
    
    OPTIONAL HEADER VALUES
                 20B magic # (PE32+)
               14.24 linker version
                 200 size of code
                 600 size of initialized data
                   0 size of uninitialized data
                1000 entry point (0000000140001000) NtProcessStartup
                1000 base of code
           140000000 image base (0000000140000000 to 0000000140003FFF)
                1000 section alignment
                 200 file alignment
               10.00 operating system version
               10.00 image version
                6.03 subsystem version
                   0 Win32 version
                4000 size of image
                 400 size of headers
                34E4 checksum
                   1 subsystem (Native)
                41E0 DLL characteristics
                       High Entropy Virtual Addresses
                       Dynamic base
                       Check integrity
                       NX compatible
                       Control Flow Guard
              100000 size of stack reserve
                1000 size of stack commit
              100000 size of heap reserve
                1000 size of heap commit
                   0 loader flags
                  10 number of directories
                   0 [       0] RVA [size] of Export Directory
                21B4 [      28] RVA [size] of Import Directory
                   0 [       0] RVA [size] of Resource Directory
                3000 [       C] RVA [size] of Exception Directory
                 C00 [     618] RVA [size] of Certificates Directory
                   0 [       0] RVA [size] of Base Relocation Directory
                2030 [      38] RVA [size] of Debug Directory
                   0 [       0] RVA [size] of Architecture Directory
                   0 [       0] RVA [size] of Global Pointer Directory
                   0 [       0] RVA [size] of Thread Storage Directory
                   0 [       0] RVA [size] of Load Configuration Directory
                   0 [       0] RVA [size] of Bound Import Directory
                2000 [      20] RVA [size] of Import Address Table Directory
                   0 [       0] RVA [size] of Delay Import Directory
                   0 [       0] RVA [size] of COM Descriptor Directory
                   0 [       0] RVA [size] of Reserved Directory
    
    
    SECTION HEADER #1
       .text name
          5E virtual size
        1000 virtual address (0000000140001000 to 000000014000105D)
         200 size of raw data
         400 file pointer to raw data (00000400 to 000005FF)
           0 file pointer to relocation table
           0 file pointer to line numbers
           0 number of relocations
           0 number of line numbers
    60000020 flags
             Code
             Execute Read
    
    SECTION HEADER #2
      .rdata name
         24A virtual size
        2000 virtual address (0000000140002000 to 0000000140002249)
         400 size of raw data
         600 file pointer to raw data (00000600 to 000009FF)
           0 file pointer to relocation table
           0 file pointer to line numbers
           0 number of relocations
           0 number of line numbers
    40000040 flags
             Initialized Data
             Read Only
    
      Debug Directories
    
            Time Type        Size      RVA  Pointer
        -------- ------- -------- -------- --------
        600324DB cv            5B 00002068      668    Format: RSDS, {6CB0426F-AF4C-4E18-BB4B-B4FF967E51D0}, 1, D:\Developing\Current Projects\NativeApp\x64\Release\NativeApp.pdb
        600324DB coffgrp       E4 000020C4      6C4
    
    SECTION HEADER #3
      .pdata name
           C virtual size
        3000 virtual address (0000000140003000 to 000000014000300B)
         200 size of raw data
         A00 file pointer to raw data (00000A00 to 00000BFF)
           0 file pointer to relocation table
           0 file pointer to line numbers
           0 number of relocations
           0 number of line numbers
    40000040 flags
             Initialized Data
             Read Only
    
      Summary
    
            1000 .pdata
            1000 .rdata
            1000 .text
    
    

    2Peter_Viscarola_(OSR):
    I've created a project of type "Empty WDM Driver" in Visual Studio 2019.
    Then I changed Configuration Properties -> Configuration Type from sys to Application (.exe).
    Then I set Linker -> Input -> Additional Dependencies to only ntdll.lib.
    Then I set Linker -> Advanced -> Entry Point to NtProcessStartup.

    Here is a link to this project:
    https://github.com/KrnlDeveloper/NativeApp

  • Tim_RobertsTim_Roberts Member - All Emails Posts: 13,771

    The only odd thing is that the operating system version in the header is 10.00. The user mode loader cares about that, so I wouldn't be surprised if the kernel was at least as picky. Have you checked the linker properties in your Visual Studio project to make sure it's not set to Windows 10?

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 8,242

    What happens when you try to run the app from the command line? In other words, without having it auto run.

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,377

    This is an application, not a driver, so you don't want a WDM project... I got this to work:

    #include <Windows.h>
    #include <winternl.h>
    
    NTSYSCALLAPI NTSTATUS NTAPI NtDisplayString(PUNICODE_STRING DisplayString);
    NTSYSAPI NTSTATUS NTAPI NtTerminateProcess(HANDLE ProcessHandle, NTSTATUS ExitStatus);
    
    VOID NtProcessStartup(PVOID StartupArgument)
    {
        UNICODE_STRING str;
        RtlInitUnicodeString(&str, L"Hello, world!\n");
        NtDisplayString(&str);
        NtTerminateProcess((HANDLE)(-1), 0);
    }
    

    With the following vcxproj file that I hacked together... Note that I don't claim this to be definitive (I haven't had the need for a production native app in a very long time), but it should put you on the right path:

    <?xml version="1.0" encoding="utf-8"?>
    <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
      <ItemGroup Label="ProjectConfigurations">
        <ProjectConfiguration Include="Debug|Win32">
          <Configuration>Debug</Configuration>
          <Platform>Win32</Platform>
        </ProjectConfiguration>
        <ProjectConfiguration Include="Release|Win32">
          <Configuration>Release</Configuration>
          <Platform>Win32</Platform>
        </ProjectConfiguration>
        <ProjectConfiguration Include="Debug|x64">
          <Configuration>Debug</Configuration>
          <Platform>x64</Platform>
        </ProjectConfiguration>
        <ProjectConfiguration Include="Release|x64">
          <Configuration>Release</Configuration>
          <Platform>x64</Platform>
        </ProjectConfiguration>
      </ItemGroup>
      <PropertyGroup Label="Globals">
        <VCProjectVersion>16.0</VCProjectVersion>
        <Keyword>Win32Proj</Keyword>
        <ProjectGuid>{528ca95a-561b-4343-bd8a-205b5d808828}</ProjectGuid>
        <RootNamespace>NativeApp</RootNamespace>
        <WindowsTargetPlatformVersion>$(LatestTargetPlatformVersion)</WindowsTargetPlatformVersion>
      </PropertyGroup>
      <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
      <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
        <ConfigurationType>Application</ConfigurationType>
        <UseDebugLibraries>true</UseDebugLibraries>
        <PlatformToolset>v142</PlatformToolset>
        <CharacterSet>Unicode</CharacterSet>
        <Driver_SpectreMitigation>false</Driver_SpectreMitigation>
      </PropertyGroup>
      <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
        <ConfigurationType>Application</ConfigurationType>
        <UseDebugLibraries>false</UseDebugLibraries>
        <PlatformToolset>v142</PlatformToolset>
        <WholeProgramOptimization>true</WholeProgramOptimization>
        <CharacterSet>Unicode</CharacterSet>
        <Driver_SpectreMitigation>false</Driver_SpectreMitigation>
      </PropertyGroup>
      <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
        <ConfigurationType>Application</ConfigurationType>
        <UseDebugLibraries>true</UseDebugLibraries>
        <PlatformToolset>v142</PlatformToolset>
        <CharacterSet>Unicode</CharacterSet>
        <Driver_SpectreMitigation>false</Driver_SpectreMitigation>
      </PropertyGroup>
      <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
        <ConfigurationType>Application</ConfigurationType>
        <UseDebugLibraries>false</UseDebugLibraries>
        <PlatformToolset>v142</PlatformToolset>
        <WholeProgramOptimization>true</WholeProgramOptimization>
        <CharacterSet>Unicode</CharacterSet>
        <Driver_SpectreMitigation>false</Driver_SpectreMitigation>
      </PropertyGroup>
      <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
      <ImportGroup Label="ExtensionSettings">
      </ImportGroup>
      <ImportGroup Label="Shared">
      </ImportGroup>
      <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
        <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
      </ImportGroup>
      <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
        <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
      </ImportGroup>
      <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
        <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
      </ImportGroup>
      <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
        <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
      </ImportGroup>
      <PropertyGroup Label="UserMacros" />
      <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
        <LinkIncremental>false</LinkIncremental>
      </PropertyGroup>
      <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
        <LinkIncremental>false</LinkIncremental>
      </PropertyGroup>
      <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
        <LinkIncremental>false</LinkIncremental>
      </PropertyGroup>
      <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
        <LinkIncremental>false</LinkIncremental>
      </PropertyGroup>
      <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
        <ClCompile>
          <WarningLevel>Level3</WarningLevel>
          <SDLCheck>true</SDLCheck>
          <PreprocessorDefinitions>_DEBUG%(PreprocessorDefinitions)</PreprocessorDefinitions>
          <ConformanceMode>true</ConformanceMode>
          <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
          <SupportJustMyCode>false</SupportJustMyCode>
          <BufferSecurityCheck>false</BufferSecurityCheck>
          <ExceptionHandling>false</ExceptionHandling>
          <BasicRuntimeChecks>Default</BasicRuntimeChecks>
        </ClCompile>
        <Link>
          <SubSystem>Native</SubSystem>
          <GenerateDebugInformation>true</GenerateDebugInformation>
          <AdditionalDependencies>ntdll.lib</AdditionalDependencies>
          <IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>
        </Link>
      </ItemDefinitionGroup>
      <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
        <ClCompile>
          <WarningLevel>Level3</WarningLevel>
          <FunctionLevelLinking>true</FunctionLevelLinking>
          <IntrinsicFunctions>true</IntrinsicFunctions>
          <SDLCheck>true</SDLCheck>
          <PreprocessorDefinitions>NDEBUG%(PreprocessorDefinitions)</PreprocessorDefinitions>
          <ConformanceMode>true</ConformanceMode>
          <BufferSecurityCheck>false</BufferSecurityCheck>
          <ExceptionHandling>false</ExceptionHandling>
        </ClCompile>
        <Link>
          <SubSystem>Native</SubSystem>
          <EnableCOMDATFolding>true</EnableCOMDATFolding>
          <OptimizeReferences>true</OptimizeReferences>
          <GenerateDebugInformation>true</GenerateDebugInformation>
          <AdditionalDependencies>ntdll.lib</AdditionalDependencies>
          <IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>
        </Link>
      </ItemDefinitionGroup>
      <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
        <ClCompile>
          <WarningLevel>Level3</WarningLevel>
          <SDLCheck>true</SDLCheck>
          <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
          <ConformanceMode>true</ConformanceMode>
          <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
          <SupportJustMyCode>false</SupportJustMyCode>
          <BufferSecurityCheck>false</BufferSecurityCheck>
          <ExceptionHandling>false</ExceptionHandling>
          <BasicRuntimeChecks>Default</BasicRuntimeChecks>
        </ClCompile>
        <Link>
          <SubSystem>Native</SubSystem>
          <GenerateDebugInformation>true</GenerateDebugInformation>
          <AdditionalDependencies>ntdll.lib</AdditionalDependencies>
          <IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>
        </Link>
      </ItemDefinitionGroup>
      <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
        <ClCompile>
          <WarningLevel>Level3</WarningLevel>
          <FunctionLevelLinking>true</FunctionLevelLinking>
          <IntrinsicFunctions>true</IntrinsicFunctions>
          <SDLCheck>true</SDLCheck>
          <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
          <ConformanceMode>true</ConformanceMode>
          <BufferSecurityCheck>false</BufferSecurityCheck>
          <ExceptionHandling>false</ExceptionHandling>
        </ClCompile>
        <Link>
          <SubSystem>Native</SubSystem>
          <EnableCOMDATFolding>true</EnableCOMDATFolding>
          <OptimizeReferences>true</OptimizeReferences>
          <GenerateDebugInformation>true</GenerateDebugInformation>
          <AdditionalDependencies>ntdll.lib</AdditionalDependencies>
          <IgnoreAllDefaultLibraries>true</IgnoreAllDefaultLibraries>
        </Link>
      </ItemDefinitionGroup>
      <ItemGroup>
        <ClCompile Include="NativeApp.c" />
      </ItemGroup>
      <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
      <ImportGroup Label="ExtensionTargets">
      </ImportGroup>
    </Project>
    

    -scott
    OSR

  • KernelCoreKernelCore Member Posts: 6

    Scott_Noone_(OSR), thanks a lot! It works.
    I used the incorrect headers ntifs.h and ntdef.h.

    The good news is that the application does not have to be signed with a certificate.
    Thanks again!
