I’m trying to run a Windows native application (i.e. subsystem: NATIVE) on Windows 10 and 8.1. The application is signed with a test certificate and test-signing mode was enabled on Windows. I’ve created the application based on the “Empty WDM Driver” template in Visual Studio with the latest WDK. I’ve compiled an exe file. Except for ntdll.lib, no default libs have been used. The test certificate of the application was placed in the Trusted Root Certification Authorities store.
The executable of the application was placed in the C:\Windows\System32 directory and the appropriate value (application name) was added to the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute. So, the application must be executed at boot time. But a BSOD occurs with the error code 0xC0000145. This NTSTATUS value has the name STATUS_APP_INIT_FAILURE. But when I try to start this application on Windows 7, the application is executed correctly.
I assume something is wrong with the certificate. Maybe I placed it into an inappropriate store. How can I start a native application on Windows 10 and 8.1?
Anything that runs at early boot must have a valid certificate, and Secure Boot disabled if not.
The test certificate had been added to the System store.
Secure Boot is not present in the virtual machine with Windows 8.1 and is not enabled in the virtual machine with Windows 10.
As I remember, boot drivers must have additional security attributes such as integrity checks. Maybe the same approach is required for native applications. So, I’ve added the /INTEGRITYCHECK parameter to the linker options. It sets IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY in the DllCharacteristics field.
But nothing has changed.
I’ve attached WinDBG to the Windows 8.1 virtual machine.
NativeApp.exe is the name of the compiled native application, discussed above.
Here is the output:
Arg1 is 0xC000007B, which is STATUS_INVALID_IMAGE_FORMAT. Are you quite sure you compiled this as a 64-bit application? Did you compile it to target 8.1? Unlike user-mode, the native loader checks all of those obscure PE headers.
Sorry for multiposting. The problem was on my side. The web page was not responding in my browser. I updated it and a draft was sent.
2Tim_Roberts:
Yes, application compiled for x64.
Target OS Version: Windows 8.1
_NT_TARGET_VERSION: Windows 8.1
The output of link /dump /headers:
Microsoft (R) COFF/PE Dumper Version 14.24.28314.0
Copyright (C) Microsoft Corporation. All rights reserved.
Dump of file NativeApp.exe
PE signature found
File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
8664 machine (x64)
3 number of sections
600324DB time date stamp Sat Jan 16 21:39:39 2021
0 file pointer to symbol table
0 number of symbols
F0 size of optional header
22 characteristics
Executable
Application can handle large (>2GB) addresses
OPTIONAL HEADER VALUES
20B magic # (PE32+)
14.24 linker version
200 size of code
600 size of initialized data
0 size of uninitialized data
1000 entry point (0000000140001000) NtProcessStartup
1000 base of code
140000000 image base (0000000140000000 to 0000000140003FFF)
1000 section alignment
200 file alignment
10.00 operating system version
10.00 image version
6.03 subsystem version
0 Win32 version
4000 size of image
400 size of headers
34E4 checksum
1 subsystem (Native)
41E0 DLL characteristics
High Entropy Virtual Addresses
Dynamic base
Check integrity
NX compatible
Control Flow Guard
100000 size of stack reserve
1000 size of stack commit
100000 size of heap reserve
1000 size of heap commit
0 loader flags
10 number of directories
0 [ 0] RVA [size] of Export Directory
21B4 [ 28] RVA [size] of Import Directory
0 [ 0] RVA [size] of Resource Directory
3000 [ C] RVA [size] of Exception Directory
C00 [ 618] RVA [size] of Certificates Directory
0 [ 0] RVA [size] of Base Relocation Directory
2030 [ 38] RVA [size] of Debug Directory
0 [ 0] RVA [size] of Architecture Directory
0 [ 0] RVA [size] of Global Pointer Directory
0 [ 0] RVA [size] of Thread Storage Directory
0 [ 0] RVA [size] of Load Configuration Directory
0 [ 0] RVA [size] of Bound Import Directory
2000 [ 20] RVA [size] of Import Address Table Directory
0 [ 0] RVA [size] of Delay Import Directory
0 [ 0] RVA [size] of COM Descriptor Directory
0 [ 0] RVA [size] of Reserved Directory
SECTION HEADER #1
.text name
5E virtual size
1000 virtual address (0000000140001000 to 000000014000105D)
200 size of raw data
400 file pointer to raw data (00000400 to 000005FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60000020 flags
Code
Execute Read
SECTION HEADER #2
.rdata name
24A virtual size
2000 virtual address (0000000140002000 to 0000000140002249)
400 size of raw data
600 file pointer to raw data (00000600 to 000009FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
40000040 flags
Initialized Data
Read Only
Debug Directories
Time Type Size RVA Pointer
-------- ------- -------- -------- --------
600324DB cv 5B 00002068 668 Format: RSDS, {6CB0426F-AF4C-4E18-BB4B-B4FF967E51D0}, 1, D:\Developing\Current Projects\NativeApp\x64\Release\NativeApp.pdb
600324DB coffgrp E4 000020C4 6C4
SECTION HEADER #3
.pdata name
C virtual size
3000 virtual address (0000000140003000 to 000000014000300B)
200 size of raw data
A00 file pointer to raw data (00000A00 to 00000BFF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
40000040 flags
Initialized Data
Read Only
Summary
1000 .pdata
1000 .rdata
1000 .text
2Peter_Viscarola_(OSR):
I’ve created a project with the type “Empty WDM Driver” in Visual Studio 2019.
Then I’ve changed Configuration Properties->Configuration Type from sys to Application (.exe)
Then Linker->Input->Additional Dependencies set only ntdll.lib
Then Linker->Advanced->Entry Point set to NtProcessStartup
The only odd thing is that the operating system version in the header is 10.00. The user mode loader cares about that, so I wouldn’t be surprised if the kernel was at least as picky. Have you checked the linker properties in your Visual Studio project to make sure it’s not set to Windows 10?
With the following vcxproj file that I hacked together… Note that I don’t claim this to be definitive (I haven’t had the need for a production native app in a very long time) but it should put you on the right path:
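Two replies above point at PE optional-header fields the native loader is picky about (the 0xC000007B STATUS_INVALID_IMAGE_FORMAT bugcheck argument, and the 10.00 operating system version in the dump). The following is an added example, not code from the thread or from any of its participants: a small, dependency-free Python parser for the PE32+ headers that matter here (machine, subsystem, OS and subsystem version, DllCharacteristics, Certificates Directory), plus a checker that flags the conditions the thread discusses for an early-boot native image. The sample image is constructed in memory from the values in the posted link /dump /headers output; the 6.3 target and the list of checks are this example's assumptions, not a statement of what the loader actually enforces.

```python
import struct

# Constants from winnt.h (documented names and values)
IMAGE_DOS_SIGNATURE = 0x5A4D            # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550         # "PE\0\0"
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B   # PE32+
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_SUBSYSTEM_NATIVE = 1
IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY = 0x0080   # set by link /INTEGRITYCHECK
IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # Authenticode certificate table


def parse_pe32plus_headers(data: bytes) -> dict:
    """Parse the DOS, COFF and PE32+ optional header fields relevant to boot-time loading."""
    (e_magic,) = struct.unpack_from("<H", data, 0)
    if e_magic != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    (nt_sig,) = struct.unpack_from("<I", data, e_lfanew)
    if nt_sig != IMAGE_NT_SIGNATURE:
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, _nsec, _ts, _symptr, _nsym, _opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic != IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        raise ValueError("only PE32+ images are handled")
    # Offsets below follow the IMAGE_OPTIONAL_HEADER64 layout.
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    ss_major, ss_minor = struct.unpack_from("<HH", data, opt + 48)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    (num_dirs,) = struct.unpack_from("<I", data, opt + 108)
    cert_rva = cert_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        cert_rva, cert_size = struct.unpack_from(
            "<II", data, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    return {
        "machine": machine,
        "os_version": (os_major, os_minor),
        "subsystem_version": (ss_major, ss_minor),
        "subsystem": subsystem,
        "dll_characteristics": dll_chars,
        "cert_rva": cert_rva,
        "cert_size": cert_size,
    }


def check_boot_native_image(hdr: dict, target_os=(6, 3)) -> list:
    """Flag header conditions worth reviewing before placing an image in BootExecute.
    target_os is an assumed (major, minor) pair; 6.3 corresponds to Windows 8.1."""
    findings = []
    if hdr["machine"] != IMAGE_FILE_MACHINE_AMD64:
        findings.append("machine is not x64")
    if hdr["subsystem"] != IMAGE_SUBSYSTEM_NATIVE:
        findings.append("subsystem is not NATIVE (1)")
    if not hdr["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY:
        findings.append("FORCE_INTEGRITY not set (link with /INTEGRITYCHECK)")
    if hdr["cert_size"] == 0:
        findings.append("no Certificates Directory: image carries no embedded signature")
    if hdr["os_version"] > target_os:
        findings.append("OperatingSystemVersion %d.%d is above target %d.%d"
                        % (*hdr["os_version"], *target_os))
    if hdr["subsystem_version"] > target_os:
        findings.append("SubsystemVersion %d.%d is above target %d.%d"
                        % (*hdr["subsystem_version"], *target_os))
    return findings


def build_sample_image(os_version, subsystem_version, subsystem, dll_chars, cert_dir) -> bytes:
    """Constructed header-only PE32+ image (no sections) used to exercise the parser."""
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 3, 0x600324DB, 0, 0, 0xF0, 0x22)
    opt = bytearray(0xF0)                              # 112 bytes + 16 data directories
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR64_MAGIC)
    struct.pack_into("<HH", opt, 40, *os_version)
    struct.pack_into("<HH", opt, 48, *subsystem_version)
    struct.pack_into("<HH", opt, 68, subsystem, dll_chars)
    struct.pack_into("<I", opt, 108, 16)
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, *cert_dir)
    return bytes(dos) + struct.pack("<I", IMAGE_NT_SIGNATURE) + coff + bytes(opt)


# Values taken from the link /dump /headers output posted in the thread.
POSTED_IMAGE = build_sample_image((10, 0), (6, 3), IMAGE_SUBSYSTEM_NATIVE, 0x41E0, (0xC00, 0x618))

if __name__ == "__main__":
    hdr = parse_pe32plus_headers(POSTED_IMAGE)
    for finding in check_boot_native_image(hdr):
        print("finding:", finding)
    # For a real file: parse_pe32plus_headers(open(path, "rb").read())
```

Run against the posted header values, the only finding is the 10.0 OperatingSystemVersion against a 6.3 target; the subsystem, FORCE_INTEGRITY bit and Certificates Directory all look as expected. The same checks are a reasonable audit to run over every entry listed in BootExecute on a system you defend, since anything there runs before most defences are up.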