Class filter driver and Vista 64

There is an upper filter driver for the keyboard class driver kbdclass and an installer for it (WiX 2.0 + DIFxAPP) that successfully installs the filter on WinXP 32/64, Win2003 32/64, Vista 32 and Win2008 32.

But when installed on Vista 64 or Win2008 64 the filter driver won’t load and hangs the keyboard and mouse. In Device Manager there is a warning on the keyboard and mouse that reads “Windows cannot initialize the device driver for this hardware” (error code 37). WinDBG won’t attach to the loading driver. The driver should write to GlobalLogger through WPP trace but the log is empty.

The driver, CoInstaller and .cat file are signed with a test certificate. The .cat file is created after the other files are signed. The test certificate is added as Root and TrustedPublisher on the target system (and if one doesn’t add this certificate, the install fails with an error like “I’m not trusting this certificate and (subsequently) the driver”).

There is this document “Digital Signatures for Kernel Modules on Systems Running Windows Vista” (http://www.microsoft.com/whdc/winlogo/drvsign/kmsigning.mspx) that reads:
“The load-time signature check does not have access to the Trusted Root Certificate Authorities certificate store. Instead, it must depend on the root authorities that are built into the Windows Vista kernel. The Microsoft Code Verification Root is one of the root authorities trusted by the Windows Vista kernel and operating system loader:”

Does that mean that even in testing mode (Bcdedit.exe -set TESTSIGNING ON) the filter driver signed with a test certificate will always be rejected? How to test a class filter driver then?

> the driver filter signed with test certificate will be always rejected? How to
> test class filter driver then?

Hit F8 each boot.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

F8 doesn’t change a thing.

Did you follow the rules for kernel driver signing on Vista 64 for
boot-start drivers? The .sys file needs to have an embedded signature
with your software publisher certificate (SPC) from a supported
signature authority, and cross-signed with the corresponding Microsoft
cross-signing certificate. A self-created cert won’t work for this.

The TESTSIGNING ON flag only applies to allowing driver installation
when checking the .cat file, AFAIK. If you don’t sign/cross-sign with a
valid SPC, as previously noted, F8 at boot (or having a kernel debugger
attached) is the only way to get it to load.

xxxxx@gmail.com wrote:


Ray
(If you want to reply to me off list, please remove “spamblock.” from my
email address)

If F8 doesn’t work, then it isn’t a signature problem, which leaves the
conclusion that there’s probably some subtle (probably 64-bit related)
bug in the driver that’s only exposed on Vista+.

xxxxx@gmail.com wrote:

Ray
(If you want to reply to me off list, please remove “spamblock.” from my
email address)

> If F8 doesn’t work, then it isn’t a signature problem, which leaves the
> conclusion that there’s probably some subtle (probably 64-bit related)
> bug in the driver that’s only exposed on Vista+.

Correct.

Will WinDbg show the .ModLoad event for the driver’s binary?


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

What must I enable in WinDBG to make it show such events?
I’ve done debug mostly by the logs. And attached WinDBG only on already loaded system.

I think there was Event Filters menu item, enable the Load Module event to
print a prompt (IIRC this is default).


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com


When View\Verbose mode is on, the debugger shows that my driver is loaded:

ModLoad: fffff98003c09000 fffff98003c1f000 i8042prt.sys
ModLoad: fffff98003d67000 fffff98003d75000 kbdclass.sys (class driver)
ModLoad: fffff98004620000 fffff9800465f000 suppressor.sys (my filter driver)

But break on DriverEntry is not working. Debugger won’t stop there.
The driver is written with KMDF. Could it be that there is some framework code to execute before the DriverEntry?

PS To set a DriverEntry break I break into the working OS, open my source file, hit F9 on the first line of DriverEntry’s code, let the OS go and restart it. bl shows that there is a break on the needed line.

xxxxx@gmail.com wrote:

Try “bu DriverEntry!suppressor”

Thanks
Wayne

Won’t stop:

0: kd> bl
0 eu 0001 (0001) (DriverEntry!suppressor)

And the driver module is loaded:

ModLoad: fffff98004298000 fffff980042ae000 i8042prt.sys
ModLoad: fffff9800427f000 fffff9800428d000 kbdclass.sys
ModLoad: fffff98004419000 fffff98004458000 suppressor.sys

ModLoad: fffff9800616e000 fffff98006177000 hidusb.sys
ModLoad: fffff9800431e000 fffff98004328000 kbdhid.sys
ModLoad: fffff980064e5000 fffff98006524000 suppressor.sys

On Fri, Aug 1, 2008 at 12:03 PM, Wayne Gong wrote:
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

It seems that there was a typo. But still it doesn’t stop.
I made WinDBG break on OS boot (Ctrl+Alt+K):

Loading symbols for fffff80001c00000 ntkrnlmp.exe -> ntkrnlmp.exe
nt!DbgBreakPointWithStatus:
fffff80001c473c0 cc int 3
kd> bl
0 eu 0001 (0001) (DriverEntry!suppressor)
1 eu 0001 (0001) (suppressor!DriverEntry)
2 eu 0001 (0001) (@@masm(suppressor.c:78+))

And driver still loads and won’t break in DriverEntry.

If I break on kbdclass!DriverEntry it stops!
How could it be that my “suppressor” module is loaded but break on suppressor!DriverEntry doesn’t work?
Could it be that before my DriverEntry some KMDF code is executing and DriverEntry isn’t called at all?
How to debug then?

Try to add a DbgBreakPoint() call at the beginning of DriverEntry for a change.

----- Original Message ----
From: “xxxxx@gmail.com
To: Windows System Software Devs Interest List
Sent: Friday, August 1, 2008 11:38:51 AM
Subject: RE:[ntdev] Class filter driver and Vista 64


> Try to add a DbgBreakPoint() call at the beginning of DriverEntry for a
> change.

… or DbgPrint - to make sure that you do go there.

----- Original Message -----
From: “Calin Iaru”
To: “Windows System Software Devs Interest List”
Sent: Friday, August 01, 2008 6:18 AM
Subject: Re: [ntdev] Class filter driver and Vista 64


DbgBreakPoint( ) didn’t help either - no break occurs.
There are lots of WPP trace calls as well as DbgPrintEx(
DPFLTR_DEFAULT_ID, DPFLTR_ERROR_LEVEL, … ) calls in DriverEntry but
none of them seems to work.

On Fri, Aug 1, 2008 at 3:10 PM, Alex Shvedov wrote:

Driver successfully loaded on Win2008 Server x64!
And as before failed to load (not even break on DriverEntry) in Vista Enterprise x64 (without SP1).
I’m installing SP1 now.

Any ideas?

bcdedit testsigning on Server 2008 and not on Vista?

----- Original Message ----
From: “xxxxx@gmail.com
To: Windows System Software Devs Interest List
Sent: Friday, August 1, 2008 2:31:53 PM
Subject: RE:[ntdev] Class filter driver and Vista 64


> How could it be that my “suppressor” module is loaded but break on
> suppressor!DriverEntry doesn’t work?

Set the Load Module Event to “enable” and, when WinDbg gets control because
“suppressor” is being loaded, set a breakpoint on suppressor!DriverEntry or find
the numeric address using the !dh command (add the entry point address to the module base).


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
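The kd session below carries out the steps just described; it is an added illustration, not a transcript from any poster. The module name suppressor and the base address fffff980`064e5000 are taken from the ModLoad lines earlier in the thread, and ENTRY_RVA is a placeholder for the value !dh prints.

```windbg
kd> sxe ld:suppressor            ; enable the Load Module event for this driver only
kd> g                            ; boot continues until suppressor.sys is mapped
ModLoad: fffff980`064e5000 fffff980`06524000   suppressor.sys
kd> lm m suppressor              ; confirm base/size match the ModLoad line
kd> .reload /f suppressor.sys    ; force the PDB in; "eu" in bl output means the
                                 ; breakpoint is still unresolved, so it never fires
kd> bl                           ; entries should now read "e", not "eu"
kd> bp suppressor!DriverEntry    ; resolves now that symbols are loaded
kd> !dh -f suppressor            ; OPTIONAL HEADER VALUES: "address of entry point"
kd> ? fffff980`064e5000 + ENTRY_RVA   ; module base + entry point RVA (placeholder)
kd> bp <value printed above>     ; PE entry point. For a KMDF build this is the
                                 ; framework stub (FxDriverEntry from WdfDriverEntry.lib),
                                 ; which binds to the WDF runtime through WdfLdr and only
                                 ; then calls the driver's DriverEntry; if the bind fails,
                                 ; DriverEntry is never reached and no trace is written.
kd> g
kd> !wdfkd.wdfldr                ; after the break: lists WDF drivers and the
                                 ; framework version each one bound to (requires wdfkd)
```

If the entry point breakpoint hits but suppressor!DriverEntry never does, the problem is in framework version binding rather than in the driver's own code.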

“testsigning is on” on both OSes.

Win2008 x64 - successfully loaded the driver
Vista x64 - failed. Error code 37 in Device Manager.

Vista x64 SP1 - it’s funny but it’s not working. I installed SP1.
Rebooted. Installed my driver (MSI installer created with WiX) - the OS
hung. After a hard reset the OS won’t load - it hangs while loading some
drivers (in safe mode it stops on crcdisk.sys, with WinDBG attached on
spldr.sys). Could it be a hard drive problem? Anyway no info on Vista
x64 SP1 by now.

On Fri, Aug 1, 2008 at 4:39 PM, Calin Iaru wrote: