Driver loaded/connected; DeviceIoControl x86 ok but x64 fails with access denied.

fafalone Member Posts: 4

I'm new to driver development and have just created a barebones driver that does nothing but return a few 'yes I'm here' bytes on an IOCTL command; still unsigned as it's early development. I'm using Windows 7 for testing as all info suggests it's less nuts about unsigned drivers. I'm loading the driver after logon via service api. The x86 build works fine; it loads, all calls succeed, and it returns the expected 'hi there' bytes in the output buffer. The x64 build, CreateService and StartService report success, as does the CreateFile call to connect to my driver. However, DeviceIoControl fails with GetLastError=ERROR_ACCESS_DENIED and Windows pops up the no unsigned driver box, despite the fact I've booted with the 'Disable driver signature enforcement' option; this is very odd since an 'sc query' shows it as 'Running' and if my program has permission to load and start the driver, how can this be denied? This is not a status code my driver code returns under any known circumstances; I have several others for various other error check fails, but not that one, and it performs no security checks-- like I said, dead simple (also, my handler for IRP_MJ_DEVICE_CONTROL only returns statuses I set; it never returns a status set by an external call). These things make me believe the error lies outside of my driver.

Curious about whether I could obtain permission, I started my driver load/test program with another program I made that starts a process as a SYSTEM account impersonating TrustedInstaller. Access denied. I tried one more time with my program using the token from lsass.exe instead as that seems to have even higher permissions (the process can enable the SeCreateTokenPrivilege where the TI one cannot). Access was denied even to this.

Is there something else I need to be doing to have permission to communicate with a seemingly loaded unsigned driver in Win7 x64? Every resource I've found has indicated 'Disable driver signature enforcement' should have been sufficient; I've also set the 'Code signing for device drivers' policy in gpedit to 'Ignore', though I believe that's n/a for Win7. The VM is running Win7 Enterprise SP1 x64 (and the x86 is Win7 Ultimate).

Things that also have not worked (they report success when set and the second shows the watermark on reboot, but the same access denied):
bcdedit ddisable integrity checks
bcdedit testsigning on

The link is opened with hDev = CreateFile(L"\\\\.\\TESTDRV1", GENERIC_READ Or FILE_SHARE_WRITE, FILE_SHARE_READ Or FILE_SHARE_WRITE, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)

Comments

  • fafalone Member Posts: 4

    Problem resolved. Issue: The GetLastError() code after DeviceIoControl receives a failed IRP_MJ_DEVICE_CONTROL with STATUS_INVALID_PARAMETER is for unknown reasons reported as ERROR_ACCESS_DENIED, which sent me chasing my tail looking for a problem in entirely the wrong place.

  • Scott_Noone_(OSR) Administrator Posts: 3,514

    Weird...That should get translated as ERROR_INVALID_PARAMETER:

    C:\Program Files (x86)\Windows Kits\10\Tools\x64>winerror -s 0xC000000D
        87 ERROR_INVALID_PARAMETER <--> c000000d STATUS_INVALID_PARAMETER
    
    

    -scott
    OSR
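
Added example, not part of either post: when the Win32 error from DeviceIoControl does not match what the driver is believed to return, the NTSTATUS-to-Win32 translation can be checked in both directions. The sketch below calls the ntdll export RtlNtStatusToDosError from PowerShell; the function names and the scanned status range are assumptions chosen for illustration.

```powershell
# Added example: NTSTATUS <-> Win32 error lookup via ntdll!RtlNtStatusToDosError.
# The parameter is declared as int because PowerShell parses hex literals such as
# 0xC000000D as negative Int32 values, which would not convert to uint.
Add-Type -Namespace Native -Name Ntdll -MemberDefinition @'
[DllImport("ntdll.dll")]
public static extern uint RtlNtStatusToDosError(int status);
'@

# Forward direction: which Win32 error does user mode see for this NTSTATUS?
function Convert-NtStatusToWin32 {
    param([int]$Status)
    [Native.Ntdll]::RtlNtStatusToDosError($Status)
}

# Reverse direction: which NTSTATUS values in a window surface as a given
# Win32 error? Useful when GetLastError() is the only thing you have.
function Find-NtStatusForWin32 {
    param(
        [uint32]$Win32Error,
        [int]$First = 0xC0000000,   # assumption: scan window picked for illustration
        [int]$Last  = 0xC00004FF
    )
    for ($s = $First; $s -le $Last; $s++) {
        if ((Convert-NtStatusToWin32 $s) -eq $Win32Error) {
            '0x{0:X8}' -f $s        # emit each matching status as hex
        }
    }
}

# The status quoted in the thread (STATUS_INVALID_PARAMETER)
Convert-NtStatusToWin32 0xC000000D

# Every status in the window that user mode would see as ERROR_ACCESS_DENIED (5)
Find-NtStatusForWin32 -Win32Error 5
```

If the status the driver completes the IRP with is not in the reverse list, the Win32 error seen by the caller was produced somewhere other than that completion path.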
