Driver Issues - BSOD even for Hello World!

So I found some good driver code on GitHub.
I built it and it built successfully! I tried it and it seems it
does work, but I noticed that due to driver signing issues I wasn't
able to load the driver… it is not allowed, so I did the obvious noob thing
… I pressed F8 and disabled driver signing… but I still get a BSOD

https://github.com/Microsoft/Windows-driver-samples/tree/master/general/obcallback
To be honest, I gave up on driver development… There aren't any good tutorials.
"Hello world!" causes a BSOD… anyone with pointers???

This should work as the simplest driver:

#include <ntddk.h>

NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath) {
    UNREFERENCED_PARAMETER(DriverObject);
    UNREFERENCED_PARAMETER(RegistryPath);
    KdPrint(("Hello World\n"));   /* only compiled into checked (DBG) builds */
    return STATUS_SUCCESS;
}

Also, in Visual Studio project settings, set test signing, and then set your
system to load test-signed drivers like this:

bcdedit.exe -set loadoptions DDISABLE_INTEGRITY_CHECKS
bcdedit.exe -set TESTSIGNING ON

This way, you don’t need to keep doing the F8 thing.

Also remember to set Debug Print Filter in the registry so that you can see
your debug output (0xf works as a good starting value). You don’t need to
load the debugger, just load a good debug viewer like the one from OSR.

– Jamey


Sorry for the typo :wink: Typing too fast and not proof-reading.

UNREFERENCED_PARAMETER(DriverObject);
UNREFERENCED_PARAMETER(RegistryPath);


Don't forget to also check the project configuration settings to make sure you
are building for the proper architecture (x86 vs AMD64). Running a 32-bit
driver on a 64-bit machine will BSOD, and vice versa.


xxxxx@mail.com wrote:

So I found some good driver code on GitHub.
I built it and it built successfully! I tried it and it seems it
does work, but I noticed that due to driver signing issues I wasn't
able to load the driver… it is not allowed, so I did the obvious noob thing
… I pressed F8 and disabled driver signing… but I still get a BSOD

I’m confused. You said “it seems it does work” and then you said “I
still get a BSOD”. Which is it? Are you saying it loaded, but then
crashed when you tried to use it? What was the BSOD? Have you run an
“!analyze -v”?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Let me suggest you learn kernel debugging with WinDbg.

Before you load your driver, break into the debugger with the pause button. In the ‘Debug’ menu, choose ‘Event filters’,
then select ‘Load modules’. In the ‘Execution’ group, check ‘Enabled’, and in the ‘Continue’ group check ‘Handled’. Then
click the ‘Close’ button.

Now the debugger should break anytime a new driver is loaded. When this happens, the RCX register contains the address of a counted ANSI string.
It is the path of the binary. The RDX register contains the address where the base address of the binary is stored.

kd> dt nt!_STRING @RCX
“\Windows\System32\Drivers\crashdmp.sys”
+0x000 Length : 0x26
+0x002 MaximumLength : 0x27
+0x008 Buffer : 0xffffaa8c`c57a3900 “\Windows\System32\Drivers\crashdmp.sys”

kd> dp @RDX L1
ffff9601be1264b0 fffff804d2be0000 <— Base address used with the !dh (Display Headers command)

Now run the !dh command with the base address to obtain the offset of the entry point. The output is long, so you will have to scroll up!

kd> !dh POI(@RDX)

17010 address of entry point <---- This is the offset (from the base address) of the very first instruction the driver will execute.
1000 base of code

Then run a simple disas command for the entry point:

kd> u POI(@RDX) + 17010
crashdmp!GsDriverEntry:
fffff804d2bf7010 4883ec28 sub rsp,28h
fffff804d2bf7014 4c8bc1 mov r8,rcx
fffff804d2bf7017 e814000000 call crashdmp!_security_init_cookie (fffff804d2bf7030)
fffff804d2bf701c 498bc8 mov rcx,r8
fffff804d2bf701f 4883c428 add rsp,28h
fffff804d2bf7023 e948d4ffff jmp crashdmp!DriverEntry (fffff804d2bf4470)
fffff804d2bf7028 cc int 3
fffff804d2bf7029 cc int 3

You are ready to set a breakpoint:

kd> bp POI(@RDX) + 17010

Finally hit the F5 key to let the target run again. The debugger should break at fffff804`d2bf7010:

kd> g
Breakpoint 0 hit
crashdmp!GsDriverEntry:
fffff804`d2bf7010 4883ec28 sub rsp,28h

Now you can perform a step by step debugging.
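Three things in this thread can be checked from the .sys file itself before it is ever loaded: whether it was built for the host's architecture (Jamey's x86 vs AMD64 point), where its entry point is (the "address of entry point" that the !dh step above digs out of the loaded image), and whether an Authenticode certificate table is attached at all. The following is an added example, not code from the thread or from the Windows-driver-samples repository: a small PE header reader in plain C99 with no <windows.h>, so it runs on any analysis box. It assumes only the x86 and x64 machine types matter (ARM64 is not handled), and the sample image it builds when run without an argument is constructed, not a real driver; its image base and entry RVA are taken from the !dh session above so the computed entry VA can be compared with the breakpoint address shown there.

```c
/* pe_precheck.c: added example, not code from the thread or from the
 * Windows-driver-samples repo. Reads a .sys image's PE headers to report its
 * machine type, entry point and certificate table before the driver is loaded.
 * Plain C99, no <windows.h>. Assumption: only x86/x64 matter; ARM64 is not handled. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PE_MACHINE_I386  0x014c
#define PE_MACHINE_AMD64 0x8664
enum { PE_MAGIC_PE32 = 0x10b, PE_MAGIC_PE32P = 0x20b, DIR_SECURITY = 4 /* certificate table */ };

typedef struct {
    uint16_t machine;       /* IMAGE_FILE_HEADER.Machine */
    uint32_t entry_rva;     /* AddressOfEntryPoint, relative to image_base */
    uint64_t image_base;    /* preferred base; the loader may relocate the image */
    uint32_t security_size; /* certificate table size, 0 = no embedded signature */
    int      pe32plus;      /* 1 for a 64-bit (PE32+) optional header */
} pe_info_t;

/* The file format is little-endian regardless of host, so never cast structs over it. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }

/* Returns 0 on success, -1 if buf is not a well-formed PE image. Every offset taken
 * from the file is checked against len: this gets pointed at unknown binaries. */
int pe_parse(const uint8_t *buf, size_t len, pe_info_t *out)
{
    if (len < 0x40 || rd16(buf) != 0x5a4d) return -1;              /* "MZ" */
    uint32_t pe_off = rd32(buf + 0x3c);                            /* e_lfanew */
    if (pe_off > len || len - pe_off < 4 + 20 + 2) return -1;
    const uint8_t *pe = buf + pe_off;
    if (rd32(pe) != 0x00004550) return -1;                         /* "PE\0\0" */
    const uint8_t *fh = pe + 4, *oh = fh + 20;                     /* file hdr, optional hdr */
    uint16_t opt_size = rd16(fh + 16);                             /* SizeOfOptionalHeader */
    if ((size_t)(oh - buf) + opt_size > len) return -1;
    memset(out, 0, sizeof *out);
    out->machine = rd16(fh);
    size_t dirs_off;                                               /* start of DataDirectory[] */
    if (rd16(oh) == PE_MAGIC_PE32P) { out->pe32plus = 1; dirs_off = 112; }
    else if (rd16(oh) == PE_MAGIC_PE32) dirs_off = 96;
    else return -1;
    if (opt_size < dirs_off) return -1;
    out->entry_rva  = rd32(oh + 16);
    out->image_base = out->pe32plus ? rd64(oh + 24) : rd32(oh + 28);
    uint32_t ndirs  = rd32(oh + dirs_off - 4);                     /* NumberOfRvaAndSizes */
    if (ndirs > DIR_SECURITY && dirs_off + (DIR_SECURITY + 1) * 8 <= opt_size)
        out->security_size = rd32(oh + dirs_off + DIR_SECURITY * 8 + 4);
    return 0;
}

/* First instruction when the image loads at its preferred base: the address you
 * would `bp` on in WinDbg (GsDriverEntry in the walkthrough above). */
uint64_t pe_entry_va(const pe_info_t *pe) { return pe->image_base + pe->entry_rva; }

/* 1 if the image's machine type is the one a 32- or 64-bit host loads. */
int pe_arch_matches_host(const pe_info_t *pe, int host_is_64)
{
    return host_is_64 ? pe->machine == PE_MACHINE_AMD64 : pe->machine == PE_MACHINE_I386;
}

/* Constructed sample input (a header-only image, not a real driver) so the parser can
 * be exercised offline. buf needs 400 bytes; returns the number of bytes written. */
size_t build_sample_pe(uint8_t *buf, int amd64, uint32_t entry_rva, uint32_t cert_size)
{
    memset(buf, 0, 400);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3c, 0x80);                                        /* e_lfanew */
    memcpy(buf + 0x80, "PE\0\0", 4);
    uint8_t *fh = buf + 0x84, *oh = fh + 20;
    uint16_t opt_size = amd64 ? 240 : 224;                         /* incl. all 16 directories */
    size_t dirs_off = amd64 ? 112 : 96;
    wr16(fh, amd64 ? PE_MACHINE_AMD64 : PE_MACHINE_I386);
    wr16(fh + 16, opt_size);
    wr16(oh, amd64 ? PE_MAGIC_PE32P : PE_MAGIC_PE32);
    wr32(oh + 16, entry_rva);
    if (amd64) wr64(oh + 24, 0xfffff804d2be0000ULL);               /* base from the !dh session above */
    else       wr32(oh + 28, 0x00010000);
    wr32(oh + dirs_off - 4, 16);
    wr32(oh + dirs_off + DIR_SECURITY * 8 + 4, cert_size);
    return 0x84 + 20 + opt_size;
}

int main(int argc, char **argv)
{
    static uint8_t buf[1 << 16];                                   /* headers sit in the first 64 KiB */
    pe_info_t info; size_t n;
    FILE *f = argc > 1 ? fopen(argv[1], "rb") : NULL;
    if (f) { n = fread(buf, 1, sizeof buf, f); fclose(f); }
    else     n = build_sample_pe(buf, 1, 0x17010, 0);              /* no file: constructed x64 sample */
    if (pe_parse(buf, n, &info) != 0) { fputs("not a PE image\n", stderr); return 1; }
    printf("machine 0x%04x (%s an x64 host), entry RVA 0x%x -> VA 0x%llx, cert table %u bytes%s\n",
           info.machine, pe_arch_matches_host(&info, 1) ? "matches" : "does NOT match",
           info.entry_rva, (unsigned long long)pe_entry_va(&info),
           info.security_size, info.security_size ? "" : " (unsigned)");
    return 0;
}
```

Run it as `pe_precheck mydriver.sys` on the build output. A machine type that does not match the host, or a certificate table of 0 bytes on a machine where test signing is off, explains a refused load without touching the target; and the reported entry VA is only meaningful if the image actually lands at its preferred base, which is why the walkthrough above reads the real base out of RDX at load time rather than trusting the header.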