Hi,
I’ve used the ELAM sample code from the following link, generated the .sys/.cat/.INF/.pdf files, signed it with EV code signing certificate and tried running Windows HLK tests on it.
https://github.com/Microsoft/Windows-driver-samples/tree/master/security/elam
One of the tests, named “HyperVisor Code Integrity Readiness test”, failed and the following error messages are printed in the log file.
" No Code Integrity statistics section found for this module"
A detailed screenshot is shown in the following link.
http://www.awesomescreenshot.com/image/3576898/7d9391661a844647e294b63242157026
Kindly let me know what are the steps that need to be incorporated in the ELAM driver to make it pass the HVCI Readiness test.
Thanks.
xxxxx@gmail.com wrote:
> I’ve used the ELAM sample code from the following link, generated the .sys/.cat/.INF/.pdf files, signed it with EV code signing certificate and tried running Windows HLK tests on it.
> https://github.com/Microsoft/Windows-driver-samples/tree/master/security/elam
> One of the tests, named “HyperVisor Code Integrity Readiness test”, failed and the following error messages are printed in the log file.
> " No Code Integrity statistics section found for this module"
> A detailed screenshot is shown in the following link.
> …
> Kindly let me know what are the steps that need to be incorporated in the ELAM driver to make it pass the HVCI Readiness test.
As I understand it, the test requires that a driver run long enough so
that the Verifier can accumulate some statistics on allocations and
such. The sample driver loads and unloads so quickly there is no chance
for statistics. Have you changed the driver to do something
non-trivial? The sample source code does warn that it is not
production-ready.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
As I remember, the HyperVisor Code Integrity Readiness test is about making sure your allocated data is not executable. There are a variety of places where you need to set the correct flags so all allocations have the no-execute bit set.
Jan
-----Original Message-----
From: xxxxx@lists.osr.com On Behalf Of xxxxx@gmail.com
Sent: Monday, August 27, 2018 5:12 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] HyperVisor Code Integrity Readiness test failed for ELAM driver
Hi,
I’ve used the ELAM sample code from the following link, generated the .sys/.cat/.INF/.pdf files, signed it with EV code signing certificate and tried running Windows HLK tests on it.
https://github.com/Microsoft/Windows-driver-samples/tree/master/security/elam
One of the tests, named “HyperVisor Code Integrity Readiness test”, failed and the following error messages are printed in the log file.
" No Code Integrity statistics section found for this module"
A detailed screenshot is shown in the following link.
http://www.awesomescreenshot.com/image/3576898/7d9391661a844647e294b63242157026
Kindly let me know what are the steps that need to be incorporated in the ELAM driver to make it pass the HVCI Readiness test.
Thanks.
—
NTDEV is sponsored by OSR
Visit the list online at: http:
MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at http:
To unsubscribe, visit the List Server section of OSR Online at http:
Thanks Timr,
But for now I am just working on a proof of concept for how an ELAM driver
can get signed by Microsoft.
My objective is to secure a user mode service by registering its cert
hash inside the ELAM driver resource section. Can you describe a little
about what kind of non-trivial code could be added to the sample
implementation?
Thanks
-Masood
On Mon, Aug 27, 2018 at 8:55 PM xxxxx@probo.com wrote:
> xxxxx@gmail.com wrote:
> > I’ve used the ELAM sample code from the following link, generated the
> .sys/.cat/.INF/.pdf files, signed it with EV code signing certificate and
> tried running Windows HLK tests on it.
> >
> >
> https://github.com/Microsoft/Windows-driver-samples/tree/master/security/elam
> >
> > One of the tests, named “HyperVisor Code Integrity Readiness test”,
> failed and the following error messages are printed in the log file.
> > " No Code Integrity statistics section found for this module"
> >
> > A detailed screenshot is shown in the following link.
> > …
> > Kindly let me know what are the steps that need to be incorporated in
> the ELAM driver to make it pass the HVCI Readiness test.
>
> As I understand it, the test requires that a driver run long enough so
> that the Verifier can accumulate some statistics on allocations and
> such. The sample driver loads and unloads so quickly there is no chance
> for statistics. Have you changed the driver to do something
> non-trivial? The sample source code does warn that it is not
> production-ready.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
Thanks Jan,
I also got a similar idea after reading the error detail but can't figure
out where and how to start setting those flags. Can you shed some light on
that?
-Masood
On Tue, Aug 28, 2018 at 12:59 AM xxxxx@pmatrix.com
wrote:
> As I remember, the HyperVisor Code Integrity Readiness test is about
> making sure your allocated data is not executable. There are a variety of
> places where you need to set the correct flags so all allocations have the
> no-execute bit set.
>
> Jan
>
> -----Original Message-----
> From: xxxxx@lists.osr.com <
> xxxxx@lists.osr.com> On Behalf Of xxxxx@gmail.com
> Sent: Monday, August 27, 2018 5:12 AM
> To: Windows System Software Devs Interest List
> Subject: [ntdev] HyperVisor Code Integrity Readiness test failed for ELAM
> driver
>
> Hi,
>
> I’ve used the ELAM sample code from the following link, generated the
> .sys/.cat/.INF/.pdf files, signed it with EV code signing certificate and
> tried running Windows HLK tests on it.
>
>
> https://github.com/Microsoft/Windows-driver-samples/tree/master/security/elam
>
> One of the tests, named “HyperVisor Code Integrity Readiness test”, failed
> and the following error messages are printed in the log file.
> " No Code Integrity statistics section found for this module"
>
> A detailed screenshot is shown in the following link.
>
>
> http://www.awesomescreenshot.com/image/3576898/7d9391661a844647e294b63242157026
>
>
> Kindly let me know what are the steps that need to be incorporated in the
> ELAM driver to make it pass the HVCI Readiness test.
>
> Thanks.
I also seem to remember that one of the static code analyzer tools could point out most places where you had executable data. I don’t remember if it was code analysis (prefast) or static driver verifier (SDV). The easy cases were calls to ExAllocatePoolWithTag needing NonPagedPoolNx; some less obvious ones were things like MmGetSystemAddressForMdlSafe needing the MdlMappingNoExecute flag. MSFT has a doc page about things: https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/nx-pool-compatibility-issues
Jan
From: xxxxx@lists.osr.com On Behalf Of xxxxx@gmail.com
Sent: Tuesday, August 28, 2018 6:22 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] HyperVisor Code Integrity Readiness test failed for ELAM driver
Thanks Jan,
I also got a similar idea after reading the error detail but can't figure out where and how to start setting those flags. Can you shed some light on that?
-Masood
On Tue, Aug 28, 2018 at 12:59 AM xxxxx@pmatrix.com wrote:
As I remember, the HyperVisor Code Integrity Readiness test is about making sure your allocated data is not executable. There are a variety of places where you need to set the correct flags so all allocations have the no-execute bit set.
Jan
-----Original Message-----
From: xxxxx@lists.osr.com On Behalf Of xxxxx@gmail.com
Sent: Monday, August 27, 2018 5:12 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] HyperVisor Code Integrity Readiness test failed for ELAM driver
Hi,
I’ve used the ELAM sample code from the following link, generated the .sys/.cat/.INF/.pdf files, signed it with EV code signing certificate and tried running Windows HLK tests on it.
https://github.com/Microsoft/Windows-driver-samples/tree/master/security/elam
One of the tests, named “HyperVisor Code Integrity Readiness test”, failed and the following error messages are printed in the log file.
" No Code Integrity statistics section found for this module"
A detailed screenshot is shown in the following link.
http://www.awesomescreenshot.com/image/3576898/7d9391661a844647e294b63242157026
Kindly let me know what are the steps that need to be incorporated in the ELAM driver to make it pass the HVCI Readiness test.
Thanks.
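The two patterns named in the reply above (ExAllocatePoolWithTag needing NonPagedPoolNx, MmGetSystemAddressForMdlSafe needing MdlMappingNoExecute) can be searched for in driver source before running the HLK test. The following is an added example, not part of the thread and not Microsoft's tooling: a textual heuristic in Python whose helper names (`call_args`, `audit`) and sample source are constructed for illustration, and which does not replace Code Analysis, SDV or the HLK test itself.

```python
import re

# Constructed sample of driver C source (not taken from the ELAM sample).
SAMPLE = """
NTSTATUS Foo(PMDL Mdl)
{
    PVOID a = ExAllocatePoolWithTag(NonPagedPool, 64, 'maLE');
    PVOID b = ExAllocatePoolWithTag(NonPagedPoolNx, 64, 'maLE');
    PVOID d = MmGetSystemAddressForMdlSafe(Mdl, NormalPagePriority);
    PVOID e = MmGetSystemAddressForMdlSafe(
                  Mdl, NormalPagePriority | MdlMappingNoExecute);
    return STATUS_SUCCESS;
}
"""

CALL = re.compile(r"\b(ExAllocatePool\w*|MmGetSystemAddressForMdlSafe)\s*\(")
EXEC_POOL = re.compile(r"\bNonPagedPool(Execute)?\b")  # does not match NonPagedPoolNx

def call_args(src, open_idx):
    """Split the call whose '(' is at open_idx into top-level arguments."""
    depth, args, start = 0, [], open_idx + 1
    for i in range(open_idx, len(src)):
        ch = src[i]
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return args + [src[start:i].strip()]
        elif ch == "," and depth == 1:
            args.append(src[start:i].strip())
            start = i + 1
    return args  # unbalanced parentheses: return what was collected

def audit(src):
    """Return (line, function, advice) for each call that can yield executable memory."""
    findings = []
    for m in CALL.finditer(src):
        name, args = m.group(1), call_args(src, m.end() - 1)
        line = src.count("\n", 0, m.start()) + 1
        if name.startswith("ExAllocatePool"):
            if args and EXEC_POOL.search(args[0]):
                findings.append((line, name, "allocate from NonPagedPoolNx"))
        elif len(args) < 2 or "MdlMappingNoExecute" not in args[1]:
            findings.append((line, name, "OR MdlMappingNoExecute into the priority"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("line %d: %s: %s" % finding)
```

Calls inside comments or string literals are matched as well, so each finding needs a look at the source line.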
Tim,
I added a 250 millisecond delay in each driver loading operation in the
code so I hope there is no issue of load/unload hurry. The error message
shown in HLK logs states that
" No Code Integrity statistics section found for this module".
Is there a way to explicitly add such a statistics section into the
driver?
-Berouz
On Mon, Aug 27, 2018 at 8:55 PM xxxxx@probo.com wrote:
> xxxxx@gmail.com wrote:
> > I’ve used the ELAM sample code from the following link, generated the
> .sys/.cat/.INF/.pdf files, signed it with EV code signing certificate and
> tried running Windows HLK tests on it.
> >
> >
> https://github.com/Microsoft/Windows-driver-samples/tree/master/security/elam
> >
> > One of the tests, named “HyperVisor Code Integrity Readiness test”,
> failed and the following error messages are printed in the log file.
> > " No Code Integrity statistics section found for this module"
> >
> > A detailed screenshot is shown in the following link.
> > …
> > Kindly let me know what are the steps that need to be incorporated in
> the ELAM driver to make it pass the HVCI Readiness test.
>
> As I understand it, the test requires that a driver run long enough so
> that the Verifier can accumulate some statistics on allocations and
> such. The sample driver loads and unloads so quickly there is no chance
> for statistics. Have you changed the driver to do something
> non-trivial? The sample source code does warn that it is not
> production-ready.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
xxxxx@gmail.com wrote:
> I added a 250 millisecond delay in each driver loading operation in the
> code so I hope there is no issue of load/unload hurry.
> …
> Is there a way to explicitly add such a statistics section into
> the driver?
I don’t know how often Verifier saves its statistics. For all I know,
it’s measured in minutes. A legitimate driver lives more than 250ms.
You are wasting your time here. This is not a real driver, and was
never intended to be one. Go spend time writing your driver, then you
can chase down the signing process.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.