NDIS 6.0 LWF problems

Hello everyone,

I am new to developing with the DDK, and I have encountered a problem.
I am running on the 64-bit version of Windows 7 Pro, and wanted to test the Sample Driver of NDIS LWF that came with the DDK.

Now, I have successfully built the driver that came with the kit and installed it following the instructions on this MSDN page: http://msdn.microsoft.com/en-us/library/ff570732(v=VS.85).aspx

Now after installing, and the required reboot, Windows tells me that there are no connections available. When I uncheck the NDIS service from the LAN adapter everything works fine again…

Am I missing something here? I have test-signed the driver as far as I know, but I don’t exactly know what is supposed to happen with the .cat file.

Any help would be appreciated!

Thanks.

Do you have a kernel debugger attached? If not, you should get one.

Is the driver actually running? Check with “sc query ndislwf” from an elevated command prompt. If it’s not running, you need to figure out why not. Try starting it with “net start ndislwf”.

The most likely reason that you are seeing that the network is down, is because the sample filter driver is marked as a mandatory filter, so NDIS will not let the NIC start until the filter is loaded and successfully attaches to the NIC. So you should figure out why the filter hasn’t loaded yet.

A reboot isn’t normally necessary. If it’s prompting you for reboot, then something might be wrong. It commonly prompts for reboot in two cases:

  1. Some other unrelated piece of software needed a reboot, set the global “needs reboot” flag, and you haven’t rebooted yet; or
  2. Installing the adapter failed, and the network installer is going to try again after a reboot.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@hotmail.com
Sent: Tuesday, August 03, 2010 2:36 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] NDIS 6.0 LWF problems

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

xxxxx@hotmail.com wrote:

> I am new to developing with the DDK, and I have encountered a problem.
> I am running on the 64 bit version of windows 7 Pro, and wanted to test the Sample Driver of NDIS LWF that came with DDK.
>
> Now, I have successfully built the driver that came with the kit and installed it following the instructions on this MSDN page: http://msdn.microsoft.com/en-us/library/ff570732(v=VS.85).aspx
>
> Now after installing, and the required reboot, windows tells me that there are no connections available When I uncheck the NDIS service from the LAN adapter everything works fine again…
>
> Am I missing something here? I have test-signed the driver as far as I know, but I don’t exactly know what is supposed to happen with the .cat file.

How did you sign the driver? The x64 versions of Windows require that
your driver be signed with a class 3 code-signing certificate from one
of the short list of approved certificate authorities, and that you use
the “cross certificate” for that authority when you sign the driver.

Alternatively, as Jeffrey suggested, you can hook up a kernel debugger,
which overrides this signature check.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Thanks for the quick responses!

“sc query ndislwf” gives me this:

SERVICE_NAME: ndislwf
TYPE : 1 KERNEL_DRIVER
STATE : 1 STOPPED
WIN32_EXIT_CODE : 31 (0x1f)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

So I tried to start it with “net start ndislwf”, but that gave the following error (Note: It’s translated from a non-English language): SystemError 1275. “The driver was blocked from loading.”

Now I thought that that was due to the driver now being signed, so that’s why I went through the hassle of signing it. I suppose that I went wrong there… ? I used the tools from the DDK to sign the driver, I don’t know what class code that certificate is.

And about the kernel debugger… would windbg do?

Thanks.

xxxxx@hotmail.com wrote:

> Now I thought that that was due to the driver now being signed, so that’s why I went through the hassle of signing it. I suppose that I went wrong there… ? I used the tools from the DDK to sign the driver, I don’t know what class code that certificate is.

But where did you get the certificate? If you generated the certificate
yourself, then that is the problem. You need to buy a real code-signing
certificate from a real certificate authority (like Verisign or
GlobalSign) to get an x64 driver to load. Or, hook up the kernel
debugger, which disables the check.

> And about the kernel debugger… would windbg do?

It is, in fact, the only practical choice here.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Since the LWF sample does not ‘start’ at boot time, the KM embedded signature (Cross Certificate) is not required and thus disabling boot time signature validation (with either F8 or having a debugger attached) is not really necessary.

Follow the example in the Kernel Mode Code Signing Walk-through (WHDC) when signing the binary (.SYS) and sign the .CAT as well. As long as “Test Mode” is enabled with BCDEDIT and the certificate is installed as both a ‘trusted root’ and ‘trusted publisher’ (both) the driver will load without a debugger attached.

Of course, having a debugger attached is a good idea as well.

Good Luck,
Dave Cattley
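
The conditions named in the message above (test mode enabled, certificate installed as both trusted root and trusted publisher, signed .SYS and .CAT) can be checked in one pass. This is an added example, not part of the thread: the function name and file paths are hypothetical, and it assumes PowerShell 3.0 or later, an elevated prompt, English bcdedit output, and a self-signed test certificate (so the signer itself is what sits in both stores).

```powershell
# Added example (not from the thread): report, per signed file, whether the
# conditions for loading a test-signed driver are met on this machine.
function Test-TestSigningSetup {
    param(
        # Signed package files to inspect, e.g. the .sys and the .cat
        [Parameter(Mandatory)][string[]]$Path
    )

    # Test mode: the current boot entry must contain "testsigning  Yes".
    # bcdedit needs elevation; the match assumes English output.
    $bcd      = (& bcdedit.exe /enum '{current}') -join "`n"
    $testMode = $bcd -match '(?im)^\s*testsigning\s+Yes\s*$'

    foreach ($file in $Path) {
        $sig  = Get-AuthenticodeSignature -FilePath $file
        $cert = $sig.SignerCertificate      # $null when the file is unsigned

        # Assumption: self-signed test certificate, so the signer's own
        # thumbprint is looked up in both machine stores.
        $inRoot = [bool]($cert -and
            (Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)"))
        $inPublisher = [bool]($cert -and
            (Test-Path "Cert:\LocalMachine\TrustedPublisher\$($cert.Thumbprint)"))

        [pscustomobject]@{
            File               = $file
            TestSigningOn      = $testMode
            SignatureStatus    = $sig.Status   # 'Valid' only if the chain is trusted
            Signer             = if ($cert) { $cert.Subject } else { $null }
            InTrustedRoot      = $inRoot
            InTrustedPublisher = $inPublisher
        }
    }
}

# Usage (hypothetical package paths):
#   Test-TestSigningSetup -Path .\drv\ndislwf.sys, .\drv\ndislwf.cat | Format-List
```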

I used that walkthrough, but I have read over the line where it told me to also install the certificate as trusted publisher. Same problem occurs even after I also installed it there though.
That walkthrough also tells me to add the driver with hdwwiz.exe, but when I do that, I get an error about the driver not being compatible with my system.

When I install the driver the way the MSDN page said (As a service on the adapter) it does install without warnings about compatibility, but it still prompts me to reboot to apply the settings.

In the windows audit log there are 2 entries with event ID 5038. “Code Integrity determined the image hash of the file \Device\HarddiskVolume2\Windows\System32\drivers\ndislwf.sys is not valid. The file could be corrupt due to unauthorized modification or indicate a potential disk device error”

On a sidenote, could anyone explain to me how to attach the debugger? Because the .sys doesn’t show up when I try to attach the debugger to a process…

> In the windows audit log there are 2 entries with event ID 5038. "Code Integrity determined the image
> hash of the file \Device\HarddiskVolume2\Windows\System32\drivers\ndislwf.sys is not valid.

Your digital signature is bad.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Well yeah, but I don’t know what went wrong…
I am now running Windows in test mode, kernel debugging allowed, and have a debugger running, still when I try to “net start ndislwf” it keeps saying: SystemError 1275. “The driver was blocked from loading.”

Oh (sorry for the double post) I read something about having to make a DWORD value in the registry to enable debug messages. Quote from another thread here: “Create DWORD-value "DEFAULT" of registry key "HKLM\SYSTEM\CCS\Control\Session Manager\Debug Print Filter" containing 0xFFFFFFFF”

Problem is, the entire Debug Print Filter isn’t there…

Have you test-signed the binary?


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com


I have, and signtool verifies the .sys file with success, so I don’t know why I keep getting logs that the hash is wrong.

Have you just signed it or cross-signed (as necessary)?


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com


I don’t think it’s cross-signed. Can that be done free?

Read the KMCS docs.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com


Download the cross-certificates from Microsoft, and yes they are freely
provided. There should be info accompanying the code signing certificate
that tells you how to acquire them. For VeriSign it is located on the
VeriSign web page.

Gary G. Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.net

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@hotmail.com
Sent: Wednesday, August 04, 2010 9:00 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] NDIS 6.0 LWF problems

I don’t think it’s cross-signed. Can that be done free?



Sorry but now I’m completely lost… I found this: http://www.microsoft.com/whdc/driver/install/drvsign/crosscert.mspx and got the Verisign certificate?
Can I use this to cross-sign the test-signed driver?

For a LWF you don’t sign the binary.

You generate .CAT file from .SYS and .INF using inf2cat tool. Then sign the
.CAT file.

Thomas F. Divine


From:
Sent: Wednesday, August 04, 2010 9:33 AM
To: “Windows System Software Devs Interest List”
Subject: RE:[ntdev] NDIS 6.0 LWF problems

> Well yeah, but I don’t know what went wrong…
> I am now running windows in test mode, kernel debugging allowed, and have
> a debugger running, still when I try to “net start ndislwf” it keeps
> saying "SystemError 1275. “The driver was blocked from loading.”

This is my bat file for signing the driver; you can use this order of commands.
"DRIVER_TEST" is the custom name of your certificate.

rem Copy the built driver into the package directory .\drv
copy .\%1.sys .\drv\%1.sys
rem Sign the .sys
..\SignTool.exe sign /ac Output.cer /a /s DRIVER_TEST /n TestDriver /t http://timestamp.verisign.com/scripts/timestamp.dll .\drv\%1.sys
rem Generate the catalog for the package in .\drv
..\inf2cat.exe /driver:.\drv /os:7_X64
rem Sign the .cat
..\SignTool sign /a /v /ac Output.cer /s DRIVER_TEST /n TestDriver /t http://timestamp.verisign.com/scripts/timestamp.dll .\drv\%1.cat
rem Verify the .sys against the signed catalog
..\Signtool verify /kp /c .\drv\%1.cat .\drv\%1.sys

On 4 August 2010 18:07, Thomas F. Divine wrote:

> For a LWF you don’t sign the binary.
>
> You generate .CAT file from .SYS and .INF using inf2cat tool. Then sign the
> .CAT file.
>
> Thomas F. Divine

xxxxx@hotmail.com wrote:

> Sorry but now I’m completely lost… I found this: http://www.microsoft.com/whdc/driver/install/drvsign/crosscert.mspx and got the Verisign certificate?
> Can I use this to cross-sign the test-signed driver?

If your code-signing certificate came from Verisign, then you would use
the Verisign cross-certificate.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.