Code integrity check failure with Verifier on Windows Server 2016

Hi

Even after making the driver compatible by using the Nx pool versions of the memory allocation calls for Windows Server 2016, the HLK test for HVCI is still failing.

Any known reasons for this?

Why is Verifier still not able to pass this test?

I tried using the macro for the pool type as well, and specifically used NonPagedPoolNx as well.

The Execute Pool Type Count still shows high numbers.

The driver has been built with VS 2015 and WDK 10.

Thanks for the help.

Thanks,
Regards…kiran

About two months ago I went through the exercise of getting rid of all the executable memory in a driver. I’d have to refresh my memory by looking at the code checkin, but I seem to remember one detail was getting the MDL mappings (MmGetSystemAddressForMdlSafe and variants) to all map as non-executable. You may not have allocated this memory, but your driver may map the MDL page frame list into system virtual memory, which needs to be non-executable.

Jan

On 11/10/16, 9:36 PM, “xxxxx@lists.osr.com on behalf of xxxxx@hotmail.com” wrote:


Does the driver pass CA and SDV? These are pretty helpful in identifying problems like the one you’re describing.

Peter
OSR
@OSRDrivers

Yes. The driver is now able to pass the HVCI test of HLK.

Thanks to Jan Bottorff.

I did see your comment on the MDL call some time back in another thread while making my driver 2016-compatible and trying to get rid of the HLK errors for the HVCI test. Since then I started looking at all the IRP/MDL/memory allocations in my driver code. I was able to pass the additional flag “MdlMappingNoExecute” to MmGetSystemAddressForMdlSafe() and could get rid of the 500+ error count that was showing for Execute Pool Type Count.

It was hard for me to review the huge code base for all the allocations mentioned above, and also because I was not able to break into the 2016 kernel through the debugger.

Thanks for your help.
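The procedure the thread walks through (turn on Driver Verifier's code-integrity checks for one driver, reboot, exercise the driver, then read back the Execute Pool Type Count and its sibling counters that Jan's and kiran's posts are about) can be scripted from an elevated PowerShell prompt. The script below is an added example, not code from the thread or from OSR; it assumes the Verifier flag value 0x00800000 for "Code integrity checks" (confirm against `verifier /?` on the target machine), assumes `verifier /query` prints each counter as a "Name: number" line in the form the thread quotes ("Execute Pool Type Count:"), and uses a placeholder driver file name.

```powershell
#Requires -RunAsAdministrator
<#
  Added example; not code from the thread. Drives Driver Verifier's
  code-integrity checks against one driver and reads back the counters
  the HLK HVCI readiness test reports.
  Assumptions not stated on the page: the flag value 0x00800000 for
  "Code integrity checks" (confirm with `verifier /?`), and that
  `verifier /query` prints each counter as "<Name>: <number>", as the
  thread quotes "Execute Pool Type Count:". The driver name is a placeholder.
#>
[CmdletBinding()]
param(
    [string] $DriverName = 'mydriver.sys',        # hypothetical driver file name
    [ValidateSet('Enable', 'Check', 'Reset')]
    [string] $Action = 'Check'
)

$CodeIntegrityFlag = '0x00800000'   # assumed bit for "Code integrity checks"

function Get-VerifierCounters {
    # Parse "Name: 123" lines from `verifier /query` into a hashtable.
    $text = (& verifier.exe /query 2>&1) | Out-String
    $counters = @{}
    foreach ($line in ($text -split "`r?`n")) {
        if ($line -match '^\s*([A-Za-z][A-Za-z \-]+?)\s*:\s*(\d+)\s*$') {
            $counters[$Matches[1]] = [int]$Matches[2]
        }
    }
    return $counters
}

function Test-HvciCounters([hashtable] $Counters) {
    # "Execute Pool Type Count" is the counter named in the thread: NonPagedPool
    # allocations that should have been NonPagedPoolNx, and MDL mappings that
    # should have been made with MdlMappingNoExecute. Any other counter whose
    # name contains "Execute" is treated the same way.
    $bad = @()
    foreach ($name in $Counters.Keys) {
        if ($name -like '*Execute*' -and $Counters[$name] -ne 0) {
            $bad += ('{0} = {1}' -f $name, $Counters[$name])
        }
    }
    return $bad
}

switch ($Action) {
    'Enable' {
        # Register the check for this driver only; it takes effect after a reboot.
        & verifier.exe /flags $CodeIntegrityFlag /driver $DriverName
        Write-Host "Code-integrity checks queued for $DriverName; reboot, exercise the driver, then run -Action Check."
    }
    'Check' {
        $counters = Get-VerifierCounters
        if ($counters.Count -eq 0) {
            Write-Warning 'No counters parsed; is Driver Verifier active with code-integrity checks on?'
            exit 2
        }
        $bad = Test-HvciCounters $counters
        if ($bad.Count -gt 0) {
            Write-Host 'HVCI-incompatible operations observed:'
            $bad | ForEach-Object { Write-Host "  $_" }
            exit 1
        }
        Write-Host 'All Execute* counters are zero.'
    }
    'Reset' {
        & verifier.exe /reset
        Write-Host 'Driver Verifier settings cleared; reboot to apply.'
    }
}
```

Run it as `.\hvci-check.ps1 -DriverName mydriver.sys -Action Enable`, reboot and drive the I/O paths that map MDLs and allocate pool, then `.\hvci-check.ps1 -Action Check`; a non-zero exit code flags the same counters the HLK test would fail on. The counters only drop to zero once both sides of the thread's fix are in place: allocations use NonPagedPoolNx (or the driver opts in to Nx pool for the old pool-type names), and every MmGetSystemAddressForMdlSafe call passes MdlMappingNoExecute along with its page priority.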