Enabling driver verifier on ntoskrnl.exe causes a different FltRegisterFilter to be imported

NTDEV
1

The version of windows (Windows 11 x64 22H2):

Windows 10 Kernel Version 22621 MP (2 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Edition build lab: 22621.1.amd64fre.ni_release.220506-1250
Kernel base = 0xfffff804`6da1c000 PsLoadedModuleList = 0xfffff804`6e62f410
Debug session time: Fri Mar 21 08:49:52.198 2025 (UTC + 3:00)

Enabled all verifier options except:

  • low resource
  • systematic low resource
  • code integrity checks

I also added ntoskrnl.exe to the verified driver list (along with my driver).
Loading the driver, when it calls FltStartFiltering, it will bugcheck with the following stack trace:

0b ffffa80b`a5fec220 fffff804`6edf53a8     : 00000000`0000000d 00000000`00000000 00000000`00000000 ffffe68d`a830ccf8 : FLTMGR!FltpvValidateVerifierState+0x85
0c ffffa80b`a5fec250 fffff804`6edcb6dc     : ffffe68d`a950ec50 00000000`00000000 00000000`00000000 00000000`00000001 : FLTMGR!FltvInstanceSetup+0x38
0d ffffa80b`a5fec2b0 fffff804`6edcc420     : 00000000`00000000 ffffe68d`a830cc30 ffffe68d`82d367c4 ffffe68d`a950ec50 : FLTMGR!FltpDoInstanceSetupNotification+0x7c
0e ffffa80b`a5fec320 fffff804`6edcba94     : 00000000`00000000 fffff804`6e62f400 ffffe68d`00000001 ffffa80b`a5fec420 : FLTMGR!FltpInitInstance+0x490
0f ffffa80b`a5fec3c0 fffff804`6edcb853     : 00000000`00000000 ffffe68d`82d36790 ffffe68d`82d367a0 00000000`0000001a : FLTMGR!FltpCreateInstanceFromName+0x1e0
10 ffffa80b`a5fec4a0 fffff804`6eddb87d     : 00000000`0000002c ffffe68d`82d367a0 ffffe68d`81e36948 ffffffff`80002e20 : FLTMGR!FltpEnumerateRegistryInstances+0xe3
11 ffffa80b`a5fec530 fffff804`6eddb75b     : 00000000`00000000 ffffe68d`bfaeee01 ffffe68d`cacd7001 00000000`00010246 : FLTMGR!FltpDoVolumeNotificationForNewFilter+0xa5
12 ffffa80b`a5fec570 fffff800`34b10c05     : 00000000`00000000 00000000`00000000 ffffe68d`cacd7001 fffff800`34afd330 : FLTMGR!FltStartFiltering+0x2b

The cause of the bugcheck in the verifier function is because the VerifierExtension (of _FLT_VERIFIER_EXTENSION type) structure has it's Flags (_FLT_VERIFIER_EXTENSION_FLAGS) set to 0, when it should be FLTVFL_REGISTER_FILTER_THUNK (0x80000000):

0: kd> u FLTMGR!FltpvValidateVerifierState+70
FLTMGR!FltpvValidateVerifierState+0x70:
fffff804`6edac470 833800          cmp     dword ptr [rax],0
fffff804`6edac473 7c10            jl      FLTMGR!FltpvValidateVerifierState+0x85 (fffff804`6edac485)
fffff804`6edac475 b950000000      mov     ecx,50h
fffff804`6edac47a 4c8bc7          mov     r8,rdi
fffff804`6edac47d 488bd3          mov     rdx,rbx
fffff804`6edac480 e857240400      call    FLTMGR!FltpvPrintErrors (fffff804`6edee8dc)

When ntoskrnl.exe is not verified, this check will not cause a bugcheck, because the FLTMGR!FltRegisterFilter correctly sets the flags value to FLTVFL_REGISTER_FILTER_THUNK, because the actual imported function will be FLTMGR!FltvRegisterFilter (with the "v"), which actually calls FltRegisterFilter and sets the flag:

fffff804`6edf5ded e85e6cfeff      call    FLTMGR!FltRegisterFilter (fffff804`6eddca50)
fffff804`6edf5df2 8bf8            mov     edi,eax
fffff804`6edf5df4 85c0            test    eax,eax
fffff804`6edf5df6 7819            js      FLTMGR!FltvRegisterFilter+0x31 (fffff804`6edf5e11)
fffff804`6edf5df8 488b0b          mov     rcx,qword ptr [rbx]
fffff804`6edf5dfb 488b91e8000000  mov     rdx,qword ptr [rcx+0E8h]
fffff804`6edf5e02 f0810a00000080  lock or dword ptr [rdx],80000000h
fffff804`6edf5e09 488b0b          mov     rcx,qword ptr [rbx]

When ntoskrnl.exe is verified, the imported function will be directly FLTMGR!FltRegisterFilter, which does not set the flag in the VerifierExtension structure.

2

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.