Driver Verifier - Code Integrity Check

I have enabled the driver verifier in win10, the driver verifier option “code integrity check” is giving the BSOD. My driver is a proper signed driver. On kernel debugging, I am getting the assertion “The image filename.sys contains section that is not page aligned (name version).” This is happening while the driver is getting loaded.
Is it some linker switch that can fix this?
Can someone help me how to page align the sections.
Thanks.

xxxxx@gmail.com wrote:

I have enabled the driver verifier in win10, the driver verifier option “code integrity check” is giving the BSOD. My driver is a proper signed driver. On kernel debugging, I am getting the assertion “The image filename.sys contains section that is not page aligned (name version).” This is happening while the driver is getting loaded.
Is it some linker switch that can fix this?
Can someone help me how to page align the sections.

How are you building the driver? Which WDK? Is it just an info
message, or does it actually halt? If you do this:
link /dump /headers filename.sys
in the “OPTIONAL HEADER VALUES”, is “section alignment” set to 1000?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
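
The header check suggested above can also be scripted. The following is an added example, not part of the thread or of any WDK tool: it reads SectionAlignment from the PE optional header and flags any section whose RVA is not a multiple of 0x1000. `build_sample` and the layouts it produces are constructed test input, not a real driver.

```python
import struct

PAGE_SIZE = 0x1000  # "1000" in the link /dump /headers output is hexadecimal

def check_section_alignment(image: bytes) -> list:
    """Return the page-alignment problems found in a PE image's headers."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)        # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (num_sections,) = struct.unpack_from("<H", image, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)
    opt_off = pe_off + 24                                    # optional header
    # SectionAlignment sits at offset 32 in both PE32 and PE32+ optional headers.
    (section_align,) = struct.unpack_from("<I", image, opt_off + 32)
    problems = []
    if section_align == 0 or section_align % PAGE_SIZE:
        problems.append(f"SectionAlignment is {section_align:#x}, "
                        f"not a multiple of {PAGE_SIZE:#x}")
    table = opt_off + opt_size                               # section table
    for i in range(num_sections):
        raw, _vsize, vaddr = struct.unpack_from("<8sII", image, table + 40 * i)
        name = raw.rstrip(b"\0").decode("ascii", "replace")
        if vaddr % PAGE_SIZE:
            problems.append(f"section {name} starts at RVA {vaddr:#x}, "
                            "which is not page aligned")
    return problems

def build_sample(section_align: int, sections: list) -> bytes:
    """Constructed test input: PE32+ headers only, no section contents."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)         # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                    # PE32+ magic
    struct.pack_into("<II", opt, 32, section_align, 0x200)   # section, file align
    table = b"".join(struct.pack("<8sII", name, 0x100, rva) + b"\0" * 24
                     for name, rva in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table

if __name__ == "__main__":
    # Both layouts below are constructed for illustration.
    aligned = build_sample(0x1000, [(b".text", 0x1000), (b"INIT", 0x2000)])
    packed = build_sample(0x80, [(b".text", 0x480), (b"INIT", 0x1000)])
    print(check_section_alignment(aligned))
    for problem in check_section_alignment(packed):
        print(problem)
```

To check a built driver, pass the file's bytes (for example `open(path, "rb").read()`) to `check_section_alignment`; an empty list means the headers are page aligned.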

Note that the “Code Integrity Check” option in Verifier is for drivers built using the Win10 WDK only. IIUC, drivers built using previous WDKs will not pass this check. This is by design.

We’ve discussed this here before…

Peter
OSR
@OSRDrivers

On Jul 11, 2015, at 8:18 AM, xxxxx@osr.com wrote:

Note that the “Code Integrity Check” option in Verifier is for drivers built using the Win10 WDK only. IIUC, drivers built using previous WDKs will not pass this check. This is by design.

We’ve discussed this here before…

Have we? I don’t remember that coming up. There really hasn’t been an awful lot of Win 10 specific info, although perhaps I have just blocked it out…

Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Yup… See:

http://osronline.com/ShowThread.cfm?link=265937

Doron (maybe?) also mentioned this somewhere here, IIRC.

Peter
OSR
@OSRDrivers

The problem with not enabling this parameter is that Verifier can be run
by customers. Having some obscure documentation telling a customer not
to enable this option will not stop it from being enabled.

Bill Wandel

On 2015-07-11 21:06, xxxxx@osr.com wrote:

> Yup… See:
>
> http://osronline.com/ShowThread.cfm?link=265937
>
> Doron (maybe?) also mentioned this somewhere here, IIRC.
>
> Peter
> OSR
> @OSRDrivers

Also, if you haven’t looked at http://blogs.msdn.com/b/windows_hardware_certification/archive/2015/05/22/driver-compatibility-with-device-guard-in-windows-10.aspx this explains much of the stuff.

Don Burn

Windows Driver Consulting

Website: http://www.windrvr.com

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@bwandel.com
Sent: Sunday, July 12, 2015 11:55 AM
To: Windows System Software Devs Interest List
Cc: xxxxx@lists.osr.com; xxxxx@osr.com
Subject: RE:[ntdev] Driver Verifier - Code Integrity Check

The problem with not enabling this parameter is that Verifier can be run by customers. Having some obscure documentation telling a customer not to enable this option will not stop it from being enabled.

Bill Wandel


My biggest problem with this new verifier check is that Microsoft (and OSR) have not been warning people that it was coming for the long haul. This has the challenge that if you have built a driver for Windows 7 and not planned for this (by upgrading to at least the Windows 8 WDK, and doing the magic overrides) your driver will get nailed by the checks. Harder yet if you still have clients who want Windows XP compatibility, and you have not broken the Windows XP driver out to be a separate binary, you will get nailed.

Perhaps it is the lack of conferences like DDC and WinHEC (and no, expecting everyone to go to China is not viable), but at one point in time we would have been getting warnings about this from before the time Windows 8 shipped. Doing a web search you basically find this hasn’t been well publicized at all.

Don Burn

Windows Driver Consulting

Website: http://www.windrvr.com

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Don Burn
Sent: Sunday, July 12, 2015 12:09 PM
To: Windows System Software Devs Interest List
Cc: xxxxx@lists.osr.com; xxxxx@osr.com
Subject: RE: [ntdev] Driver Verifier - Code Integrity Check

Also, if you haven’t looked at http://blogs.msdn.com/b/windows_hardware_certification/archive/2015/05/22/driver-compatibility-with-device-guard-in-windows-10.aspx this explains much of the stuff.

Don Burn

Windows Driver Consulting

Website: http://www.windrvr.com


Stop dramatizing. This isn’t a big deal. It will be an issue for a small number of customers, in very specific environments. I suspect it will first be an issue on Server systems… and Windows Server .Next doesn’t have a public release date, and the “rules” for publishing drivers for it haven’t even been made public by Microsoft yet (and some of the leaked information is either wrong in important details or badly misleading, so I won’t cite it here).

You know what MY biggest problem is? People who sit on the sidelines, insist that they use outdated technology against all recommendation and reason, don’t do anything pro-actively to discover what’s happening, and then complain that they weren’t warned of the consequences of their actions. Annoys the SHIT out of me.

Here’s my warning Don, for you personally… though you’ve heard it before here on NTDEV multiple times: USE THE LATEST TOOLS. Not doing so risks writing a driver that doesn’t work and/or that’s not up to “best practices”.

And I’m tired of hearing this plaint about XP compatibility… I’ve just spent the last month writing two KMDF device drivers that (use heavy SAL V2 annotations and) build with WDK 10 Update and VS 2013 (in the Win7 target environment, with KMDF 1.9) that run without a hitch on every OS from XP to Win 8.1 (they haven’t been tested on Win10). So, at least in some cases, compatibility CAN BE DONE, and it’s very practical.

Sure, there are SOME number of drivers that HAVE to be built using the old Win7 WDK. If those drivers run on newer platforms (and not, say, JUST Windows XP Embedded) that’s no reason to not build these drivers ALSO with the new tools. PITA? Probably. But, hey… you’re getting paid, right? So quiet down and get on with it.

The level of inertia (of rest) in the Windows driver development community never ceases to amaze me. Don’t give me this “We haven’t been warned” crap… Listen to Trinity, Don: “The answer is out there”

Peter
OSR
@OSRDrivers

(shortened from a MUCH more lengthy, and less temperate, rant)

xxxxx@osr.com wrote:

Stop dramatizing. This isn’t a big deal. It will be an issue for a small number of customers, in very specific environments.

I have mixed feelings. I encountered this situation last month. I’m
doing work for a company whose name rhymes with “Lycrasoft”. They
reported that a driver I wrote for them was getting a hard Driver
Verifier failure on Windows 10. The problem turned out to be the use of
ExAllocatePool for NonPagedPool, which is now forbidden. Drivers must
use NonPagedPoolNx.

I was struck by a number of conflicting thoughts here. If you wanted to
mandate Nx, which is not a bad idea, then why wouldn’t you just redefine
“NonPagedPool” to be Nx, and add a new option for RWX? Wouldn’t that have
automatically boosted the security for the 99.99% of drivers in the
world that don’t need RWX memory, and instead put the burden on the
dangerous 0.001% of drivers that do? I don’t see how the chosen design
can possibly be called the best compatibility choice, if EVERY pre-Win8
driver binary is now going to fail Driver Verifier.

Now, was this a crisis? No. Was it embarrassing? Yes. Should I have
known? Tough call. I certainly DIDN’T know until I looked up the
verifier code.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Look: The bottom line is that until something forces us to adopt a change like this… stop, look into it, and make some code changes and learn for the future… we’re all too damn busy to follow every development. It’s tough to sort through the ones we DO know about just to decide if we care. And while we here at OSR try to do a lot of this sorting and parsing for the community, even if you READ about it in our blog or The NT Insider the info is likely to go right past you… until you have a specific need for that information.

This NonPagedPoolNx stuff was *well* publicized around Windows 8. Remember all those confusing POOL_NX_OPTIN and POOL_NX_OPTOUT (or whatever they are) settings? I remember them all very clearly. Well, I remember very clearly being confused… and also having something to actually DO that had a deadline that prevented me from worrying about POOL_NX_SOMETHING_ELSE… And that was that. I haven’t once typed the term NonPagedPoolNx before right now. In fact, I hadn’t given it a second thought until you (Mr. Roberts) mentioned it in passing last week here on NTDEV (“oh, yeah… NonPagedPoolNx… I should probably DO something about that sometime”).

Is that Microsoft’s fault? Of course not. Is it OSR’s fault for not writing a special article in The NT Insider about NX? Of course not.

You don’t care until you care. And what makes you care is needing the information. Forcing you to need the info is passing some test, or some client requirement.

I can’t wait to hear people wail about Win10 Client driver signing. I CAN’T WAIT. “Why didn’t you guys warn me.” Right… the MINUTE (literally) the rules were public OSR published multiple statements on this. I guarantee you people will start whining in about 6 weeks when they try to sign their drivers. “Nobody told us. You didn’t warn me…”

Peter
OSR
@OSRDrivers

When is that deadline actually? Not July 29th? Thanks OSR for covering
this but I think MS should have been much clearer on this than just publish
some obscure article about it on some hardware blog without much
information, leaving a lot to be guessed.

//Daniel

I guarantee you people will start whining in about 6 weeks when they try to
sign their drivers. “Nobody told us. You didn’t warn me…”

xxxxx@resplendence.com wrote:

When is that deadline actually? Not July 29th? Thanks OSR for covering
this but I think MS should have been much clearer on this than just publish
some obscure article about it on some hardware blog without much
information, leaving a lot to be guessed.

Where would you suggest that they publish this?

I have often had the “gosh, they should have told us” experience, but to
be honest, I don’t know where they would put it so that all of us would
read it. I’ve sometimes mused that it would be nice to have a place to
go with “all the changes” for a given release, but the list would be so
large that our eyes would glaze over before we got to the parts we needed.

It’s a no-win situation. Like Peter said, we all learn about the issues
when we run up against them. That’s just the way it is.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.