Hi,
At this point I manage to run debugger. Here’s results:
Microsoft (R) Windows Debugger Version 10.0.17134.1 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Waiting for pipe \.\pipe\vpcdebug
Waiting to reconnect…
Connected to Windows 10 17134 x64 target at (Wed Sep 26 14:55:37.674 2018 (UTC + 2:00)), ptr64 TRUE
Kernel Debugger connection established.
Symbol search path is: srv*
Executable search path is:
Windows 10 Kernel Version 17134 MP (1 procs) Free x64
Built by: 17134.1.amd64fre.rs4_release.180410-1804
Machine Name:
Kernel base = 0xfffff8026d805000 PsLoadedModuleList = 0xfffff802
6dbbf1f0
System Uptime: 0 days 0:00:00.000
nt!DebugService2+0x5:
fffff8026d9a4fe5 cc int 3<br> kd> bu Inspect!DriverEntry<br> kd> ed nt!Kd_DEFAULT_Mask 0x8<br> kd> g<br> minio\security\base\lsa\security\driver\asyncsspi.cxx - SspiInitAsyncInterface IOINIT: Built-in driver \Driver\hwpolicy failed to initialize with status - 0xC000025E KDTARGET: Refreshing KD connection Breakpoint 0 hit Inspect!DriverEntry: fffff807
e22c54c0 4889542410 mov qword ptr [rsp+10h],rdx
0: kd> t
Inspect!DriverEntry+0x1a:
fffff807e22c54da 48c744244000000000 mov qword ptr [rsp+40h],0 0: kd> t Inspect!DriverEntry+0x23: fffff807
e22c54e3 488d0dc6910000 lea rcx,[Inspect! ?? ::FNODOBFM::string' (fffff807
e22ce6b0)]
0: kd> t
nt!DbgPrint:
fffff8026d900730 4c8bdc mov r11,rsp 0: kd> t nt!DbgPrint+0x3: fffff802
6d900733 49894b08 mov qword ptr [r11+8],rcx
0: kd> t
nt!DbgPrint+0x7:
fffff8026d900737 49895310 mov qword ptr [r11+10h],rdx 0: kd> t nt!DbgPrint+0xb: fffff802
6d90073b 4d894318 mov qword ptr [r11+18h],r8
0: kd> t
nt!DbgPrint+0xf:
fffff8026d90073f 4d894b20 mov qword ptr [r11+20h],r9 0: kd> t nt!DbgPrint+0x13: fffff802
6d900743 4883ec38 sub rsp,38h
0: kd> t
nt!DbgPrint+0x17:
fffff8026d900747 ba65000000 mov edx,65h 0: kd> t nt!DbgPrint+0x1c: fffff802
6d90074c c644242801 mov byte ptr [rsp+28h],1
0: kd> t
nt!DbgPrint+0x21:
fffff8026d900751 498d4310 lea rax,[r11+10h] 0: kd> t nt!DbgPrint+0x25: fffff802
6d900755 4c8bc9 mov r9,rcx
0: kd> t
nt!DbgPrint+0x28:
fffff8026d900758 488d0d01ea0a00 lea rcx,[nt! ?? ::FNODOBFM::
string’ (fffff802`6d9af160)]
0: kd> g
[Inspect] DriverEntry start
[Inspect] AddToBuffer: allocated bufferHelper.tab_buffer (192000 bytes) !
[Inspect] WdfDeviceCreate 4.
[Inspect] MonitorCtlDriverInit.
[Inspect] WdfIoQueueCreate.
[Inspect] TLInspectRegisterCallouts
[Inspect] DriverEntry error. Driver cannot be started!
[Inspect] DriverEntry Exit.
Below is my DriverEntry code:
Function_class(DRIVER_INITIALIZE)
IRQL_requires_same
NTSTATUS
DriverEntry(
In DRIVER_OBJECT* driverObject,
In UNICODE_STRING* registryPath
)
{
NTSTATUS status;
WDF_DRIVER_CONFIG config;
PWDFDEVICE_INIT pInit = NULL;
DbgPrint("[Inspect] DriverEntry start\n");
InitList();
InitializeListHead(&gFlowList);
KeInitializeSpinLock(&gFlowListLock);
// Request NX Non-Paged Pool when available
ExInitializeDriverRuntime(DrvRtPoolNxOptIn);
WDF_DRIVER_CONFIG_INIT(&config, WDF_NO_EVENT_CALLBACK);
config.DriverInitFlags |= WdfDriverInitNonPnpDriver;
config.EvtDriverUnload = TLInspectEvtDriverUnload;
status = WdfDriverCreate(
driverObject,
registryPath,
WDF_NO_OBJECT_ATTRIBUTES,
&config,
&driver
);
if (!NT_SUCCESS(status))
{
goto Exit;
}
pInit = WdfControlDeviceInitAllocate(driver, &SDDL_DEVOBJ_SYS_ALL_ADM_ALL);
if (!pInit)
{
DbgPrint("[Inspect] WdfControlDeviceInitAllocate FAILED!\n");
status = STATUS_INSUFFICIENT_RESOURCES;
goto Exit;
}
status = MonitorEvtDeviceAdd(pInit);
status = FwpsInjectionHandleCreate(
AF_UNSPEC,
FWPS_INJECTION_TYPE_TRANSPORT,
&gInjectionHandle
);
if (!NT_SUCCESS(status))
{
goto Exit;
}
KeInitializeSpinLock(&gConnListLock);
KeInitializeEvent(
&gWorkerEvent,
NotificationEvent,
FALSE
);
gWdmDevice = WdfDeviceWdmGetDeviceObject(device);
status = TLInspectRegisterCallouts(gWdmDevice);
if (!NT_SUCCESS(status))
{
goto Exit;
}
NT_ASSERT(NT_SUCCESS(status));
Exit:
if (!NT_SUCCESS(status))
{
DbgPrint(“[Inspect] DriverEntry error. Driver cannot be started!\n”);
if (gEngineHandle != NULL)
{
TLInspectUnregisterCallouts();
}
if (gInjectionHandle != NULL)
{
FwpsInjectionHandleDestroy(gInjectionHandle);
}
}
DbgPrint("[Inspect] DriverEntry Exit.\n");
return status;
};
My first question is: why I can load this driver by myself (net start inspect) and it can’t be done while system boot?
Ofcourse, now I can see why, but I don’t understand.
I assume, there is a problem with WdfDriverCreate() function. It should return STATUS_SUCCESS but it doesn’t.
Can I use:
DbgPrint(“[Inspect] WdfDriverCreate status returns: %s”, status);
to check what this function returns?
Maybe someone sees an obvious mistake?
Please help me with track down this issue.
Krzysiek