Will Device Guard Prevent Drivers from Loading?

We recently ran into issues with the new Verifier “Code Integrity” option enabled, specifically issues with the use of “NonPagedPool” instead of the newer “NonPagedPoolNx”. (We must support Win 7 also, which does not have the Nx option.) I have two questions:

  1. Will OSes with Device Guard enabled prevent drivers from loading or cause a BSOD if NonPagedPool is used?
  2. I don’t see a similar allocation type for paged memory. Is there one, or is this limited to the non-paged pools only?

Thanks…

It is possible with a single binary to support both newer versions and Win7
even though it doesn’t have support for NonPagedPoolNx, explanation here:
https://msdn.microsoft.com/en-us/library/windows/hardware/hh920402(v=vs.85).aspx

Regarding question 2, there is no similar pool allocation type for paged
pool.

On 8 October 2015 at 02:56, wrote:

> We recently ran into issues with the new Verifier “Code Integrity” option
> enabled, specifically issues with the use of “NonPagedPool”; instead of the
> newer “NonPagedPoolNx.” (Must support Win 7 also, which does not have the
> Nx option) I have two questions:
>
> 1. Will OSes with Device Guard enabled prevent drivers from loading or
> cause a BSOD if NonPagedPool is used?
> 2. I don’t see a similar allocation type for paged memory. Is there one,
> or is this limited to the non-paged pools only?
>
> Thanks…
>
> —
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
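
The single-binary approach linked above works by letting the header redefine NonPagedPool as a per-driver default that the runtime initialisation switches to NonPagedPoolNx on Windows 8 and later, so one driver image keeps working on Win7 while losing executable pool on newer systems. Added here as an illustration (not WDK code and not code from the thread) is a user-mode C model of that mechanism: the names mirror the ntddk.h ones, but every declaration is local, the OS version is simulated through model_set_os_version, and the "is this allocation executable" rule is a modelling assumption rather than the real allocator.

```c
/* User-mode model of the WDK "single binary" NX pool opt-in (POOL_NX_OPTIN).
 * Added example, not WDK code: names mirror ntddk.h/wdm.h, but everything is
 * declared here so it compiles without the WDK; the OS version is simulated. */
#include <stdio.h>

/* POOL_TYPE values, using the same numeric values as the WDK. */
typedef enum _POOL_TYPE {
    NonPagedPoolExecute = 0,    /* classic non-paged pool: mapped RWX */
    NonPagedPoolNx      = 512   /* NX non-paged pool, Windows 8 and later */
} POOL_TYPE;

#define DrvRtPoolNxOptIn 0x00000001u   /* flag for ExInitializeDriverRuntime */

/* What the header does under POOL_NX_OPTIN: NonPagedPool becomes an alias for
 * a per-driver global that starts out as the executable pool type. */
POOL_TYPE ExDefaultNonPagedPoolType = NonPagedPoolExecute;
#define NonPagedPool ExDefaultNonPagedPoolType

/* --- simulation scaffolding, not part of the WDK --- */
static unsigned g_os_major = 6, g_os_minor = 1;   /* default: Windows 7 */
void model_set_os_version(unsigned major, unsigned minor)
{
    g_os_major = major;
    g_os_minor = minor;
}

/* Stand-in for the RtlIsNtDdiVersionAvailable(NTDDI_WIN8) check. */
static int os_is_win8_or_later(void)
{
    return g_os_major > 6 || (g_os_major == 6 && g_os_minor >= 2);
}

/* Mirrors the inline ExInitializeDriverRuntime: on Win8+ flip the default
 * non-paged type to NX; on Win7 leave it, since no NX pool exists there. */
void ExInitializeDriverRuntime(unsigned RuntimeFlags)
{
    if ((RuntimeFlags & DrvRtPoolNxOptIn) && os_is_win8_or_later())
        ExDefaultNonPagedPoolType = NonPagedPoolNx;
    else
        ExDefaultNonPagedPoolType = NonPagedPoolExecute;
}

/* Modelling assumption: non-paged memory is non-executable only when the NX
 * type is requested on an OS that has it. Paged pool is outside this model. */
int pool_alloc_is_executable(POOL_TYPE type)
{
    return !((type & NonPagedPoolNx) && os_is_win8_or_later());
}

/* The driver side of the opt-in: initialise the runtime first, then keep
 * allocating with NonPagedPool as before. Returns the pool type actually used. */
POOL_TYPE model_DriverEntry(void)
{
    ExInitializeDriverRuntime(DrvRtPoolNxOptIn);
    POOL_TYPE used = NonPagedPool;   /* expands to ExDefaultNonPagedPoolType */
    /* ExAllocatePoolWithTag(used, size, tag) would follow in a real driver */
    return used;
}

int main(void)
{
    const char *names[] = { "Windows 7 (6.1)", "Windows 8 (6.2)", "Windows 10 (10.0)" };
    unsigned ver[][2] = { { 6, 1 }, { 6, 2 }, { 10, 0 } };
    for (size_t i = 0; i < 3; i++) {
        model_set_os_version(ver[i][0], ver[i][1]);
        POOL_TYPE t = model_DriverEntry();
        printf("%-18s NonPagedPool resolves to %3d -> %s\n", names[i], (int)t,
               pool_alloc_is_executable(t) ? "executable (RWX)" : "NX");
    }
    return 0;
}
```

The last case worth noting is a driver that never calls ExInitializeDriverRuntime: on Windows 10 it still gets the executable pool type, which is exactly the condition the Code Integrity verifier option flags.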

Are you sure loading is prevented due to this? Am I wrong that this only fails one of the NON-mandatory HCK tests?


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

wrote in message news:xxxxx@ntdev…
> We recently ran into issues with the new Verifier “Code Integrity” option enabled, specifically issues with the use of “NonPagedPool”; instead of the newer “NonPagedPoolNx.” (Must support Win 7 also, which does not have the Nx option) I have two questions:
>
> 1. Will OSes with Device Guard enabled prevent drivers from loading or cause a BSOD if NonPagedPool is used?
> 2. I don’t see a similar allocation type for paged memory. Is there one, or is this limited to the non-paged pools only?
>
> Thanks…
>

Maxim, this is only a failure of a non-mandatory test. This is more to get an understanding of what may be an issue going forward. I currently don’t have any systems with Device Guard enabled and don’t have a copy of Enterprise to give it a quick test.

Thanks…

I was able to get a copy of Win 10 Enterprise, and our drivers loaded and functioned without issue.

If the drivers still load, why the new “Code Integrity” tests? Are they just “nice to have”, but not enforced? Maybe it depends on the driver type? (We really aren’t associated with security; would other drivers be handled more strictly? Just guessing at this point…)

> If the drivers still load, why the new “Code Integrity” tests? Are they just “nice to have”, but not

Just switch on the maximum security using Group Policy.

Device Guard is well-described on MSDN. It is only about a) having no two sections, especially .text and .data, sharing the same page AND b) using NonPagedPoolNx.

The goal is to never ever have X bit on writable memory.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com
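
As an added illustration of the two rules listed above (not code from the thread, the WDK, or the HCK test itself), here is a small user-mode C lint over a driver's section table: it flags any section marked both writable and executable, and any executable section that shares a 4 KiB page with a writable one, which is what a sub-page section alignment produces. The IMAGE_SCN_* values are the real winnt.h constants; the two section layouts are constructed samples, and a real tool would read the table from the image's PE headers.

```c
/* Added example: lint a driver's section table for the two W^X layout rules.
 * Constructed sample data; not WDK, HCK or thread code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Real section characteristic flags from winnt.h. */
#define IMAGE_SCN_MEM_EXECUTE 0x20000000u
#define IMAGE_SCN_MEM_READ    0x40000000u
#define IMAGE_SCN_MEM_WRITE   0x80000000u
#define PAGE_SIZE_X86         0x1000u   /* 4 KiB pages on x86/x64 */

typedef struct {
    const char *name;
    uint32_t    rva;              /* VirtualAddress from IMAGE_SECTION_HEADER */
    uint32_t    size;             /* Misc.VirtualSize */
    uint32_t    characteristics;  /* IMAGE_SCN_* flags */
} section_t;

typedef struct {
    int rwx_sections;   /* rule a: sections that are both writable and executable */
    int shared_pages;   /* rule b: executable/writable section pairs sharing a page */
} lint_result_t;

static int is_exec(const section_t *s)  { return (s->characteristics & IMAGE_SCN_MEM_EXECUTE) != 0; }
static int is_write(const section_t *s) { return (s->characteristics & IMAGE_SCN_MEM_WRITE) != 0; }

/* Page-number range [first, last] a section occupies; returns 0 if it is empty. */
static int page_range(const section_t *s, uint32_t *first, uint32_t *last)
{
    if (s->size == 0) return 0;
    *first = s->rva / PAGE_SIZE_X86;
    *last  = (s->rva + s->size - 1) / PAGE_SIZE_X86;
    return 1;
}

/* The quick header check: a section alignment below the page size lets the
 * linker pack sections with different protections into one page. */
int section_alignment_is_page_safe(uint32_t section_alignment)
{
    return section_alignment >= PAGE_SIZE_X86;
}

lint_result_t lint_sections(const section_t *secs, size_t n, int verbose)
{
    lint_result_t r = { 0, 0 };
    for (size_t i = 0; i < n; i++) {
        if (is_exec(&secs[i]) && is_write(&secs[i])) {
            r.rwx_sections++;
            if (verbose) printf("  RWX section %s\n", secs[i].name);
        }
        for (size_t j = i + 1; j < n; j++) {
            int x_w = is_exec(&secs[i]) && is_write(&secs[j]);
            int w_x = is_write(&secs[i]) && is_exec(&secs[j]);
            if (!x_w && !w_x) continue;
            uint32_t a0, a1, b0, b1;
            if (!page_range(&secs[i], &a0, &a1) || !page_range(&secs[j], &b0, &b1)) continue;
            if (a0 <= b1 && b0 <= a1) {   /* page intervals intersect */
                r.shared_pages++;
                if (verbose) printf("  %s and %s share page %u\n",
                                    secs[i].name, secs[j].name, (unsigned)(a0 > b0 ? a0 : b0));
            }
        }
    }
    return r;
}

/* Constructed sample: a sub-page (/ALIGN:0x80 style) layout plus one hand-made
 * RWX section. .text runs to 0x20FF, i.e. into page 2, where .data also lives. */
const section_t kBadLayout[] = {
    { ".text",  0x0400, 0x1D00, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE },
    { ".rdata", 0x2100, 0x0300, IMAGE_SCN_MEM_READ },
    { ".data",  0x2400, 0x0200, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE },
    { ".stub",  0x3000, 0x0100, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE },
};
const size_t kBadLayoutCount = sizeof kBadLayout / sizeof kBadLayout[0];

/* Constructed sample: the same sections at the default 0x1000 alignment. */
const section_t kGoodLayout[] = {
    { ".text",  0x1000, 0x1D00, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE },
    { ".rdata", 0x3000, 0x0300, IMAGE_SCN_MEM_READ },
    { ".data",  0x4000, 0x0200, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE },
};
const size_t kGoodLayoutCount = sizeof kGoodLayout / sizeof kGoodLayout[0];

int main(void)
{
    printf("sub-page layout (alignment 0x80, page-safe=%d):\n", section_alignment_is_page_safe(0x80));
    lint_result_t bad = lint_sections(kBadLayout, kBadLayoutCount, 1);
    printf("  -> %d RWX section(s), %d page-sharing pair(s)\n", bad.rwx_sections, bad.shared_pages);
    printf("page-aligned layout (alignment 0x1000, page-safe=%d):\n", section_alignment_is_page_safe(0x1000));
    lint_result_t good = lint_sections(kGoodLayout, kGoodLayoutCount, 1);
    printf("  -> %d RWX section(s), %d page-sharing pair(s)\n", good.rwx_sections, good.shared_pages);
    return 0;
}
```

Under HVCI the page is the unit of protection, so the page-sharing check matters even when every section's own flags look correct: a read-execute .text spilling into the page that holds .data forces that page to be either writable-and-executable or broken.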

To my knowledge, the writable vs. executable checks only happen on Device Guard if Virtualization-Based Security is also turned on.

The Device Guard configurable code integrity policy relates to signature checks. It can be configured to require EV Attestation Signing, or even WHQL signing.

> To my knowledge, the writable vs. executable checks only happen on Device Guard if Virtualization-Based Security is also turned on.

Yes, and this is exactly the HCK test which fails due to NonPagedPoolNx and bad section alignment.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com