Developing Windows Kernel Drivers in C++: Understanding PnPLockdown in INF Files

The pnpLockdown problem

If you’ve been involved in Windows kernel driver development, you might have encountered a somewhat cryptic warning from the Windows Driver Kit (WDK): “warning 1324: [Version] section should specify PnPLockdown=1.”

What is this warning, and why does it matter? In this blog post, we’ll delve into the world of Windows kernel drivers, INF files, and the enigmatic PnPLockdown setting.

A Mysterious Warning

In recent times, the WDK has started issuing a warning that goes something like this:

warning 1324: [Version] section should specify PnPLockdown=1.

For those of us who dabble in kernel driver development, this warning might seem puzzling at first. What does it mean, and should you follow its advice? Let’s break it down.

Understanding PnPLockdown

When you set PnPLockdown=1 in your INF (Information) file, you essentially designate the Trusted Installer as the owner of your driver’s executable image (the .SYS file). This action prevents applications from deleting, modifying, or even renaming the file. In a production environment, this is a desirable security feature.

So, it seems logical to include PnPLockdown=1 in your INF file, right? Well, the answer is not that simple.

The Debugging Dilemma

During the development and debugging phase of your driver, enabling PnPLockdown=1 can complicate your life. Here’s why:

  1. Updating the Driver: When you need to update the driver’s version on the target machine, you typically:
    • Disable the driver on the target system (using Device Manager or a similar tool).
    • Replace the old .sys file with the new version in the \Windows\System32\drivers directory on the target system.
    • Re-enable the driver.
  2. PnPLockdown’s Impact: Setting PnPLockdown=1 prevents this straightforward update process. You can’t overwrite or rename the old driver version. This added protection can be frustrating during the debugging phase when frequent updates are common.

To Set or Not to Set

At Secured Globe, Inc. we deal a lot with kernel drivers, and have our own policy regarding whether we should include PnPLockdown=1 in our kernel drivers’ INF files:

  • For Production Releases: when it comes to some commercial products such as lawful interception systems, we always specify PnPLockdown=1 in our INF. This enhances security and ensures that our driver’s executable image remains tamper-proof. However, in products such as our File / Folder hiding system, when we would like to enable fast switching between invisible and visible modes, we set it to 0.
  • During Debugging and Development: During the development and debugging of our drivers, we do not specify PnPLockdown at all.

This approach might seem a bit counterintuitive, especially when you strive for clean builds without any errors or warnings. However, it’s a deliberate choice made by many seasoned kernel driver developers to maintain efficiency during the development phase.
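For reference, here is what the directive looks like in the [Version] section of an INF file. This is an added illustration, not an INF from the post; the driver, vendor, catalog and version values are placeholders, and the System class GUID is the standard one.

```inf
[Version]
Signature   = "$WINDOWS NT$"
Class       = System
ClassGuid   = {4d36e97d-e325-11ce-bfc1-08002be10318}
Provider    = %ManufacturerName%
CatalogFile = ExampleDriver.cat          ; placeholder catalog name
DriverVer   = 01/01/2024,1.0.0.0         ; placeholder date and version
PnpLockdown = 1                          ; release builds: TrustedInstaller owns the .sys
                                         ; debug builds: omit this line (see above)

[Strings]
ManufacturerName = "Example Vendor"      ; placeholder
```

INF keys are case-insensitive, so PnpLockdown and PnPLockdown are the same directive; the WDK warning quotes the latter spelling.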

Conclusion

In the world of Windows kernel driver development, PnPLockdown is a crucial, yet sometimes puzzling, setting in your INF file. It provides valuable security for production releases but can hinder your development process. As a best practice, remember to set PnPLockdown=1 in your INF for the final product, and leave it out while you’re debugging. This nuanced approach strikes a balance between security and practicality in the world of kernel drivers.

If you ever find yourself wondering about this warning, rest assured, you’re not alone. It’s all part of the intricate journey of Windows kernel driver development.

45% off – only on May 13th

Our publisher is selling our book for a 45% discount, only on May 13th.

Deal of the Day May 13:Save 45% on my book Learning C++ and other selected titles @ManningBooks #cplusplus #cplusplus20 #learning: http://mng.bz/WrEx

Learning C++


By Michael Haephrati מיכאל האפרתי Posted in Uncategorized

Returning to Auckland Aero Club

A few weeks ago I returned to my favorite Aero Club in New Zealand.

Almost 30 years ago, back in 1994, I tried for the first time what it feels like to fly an airplane, at Auckland Aero Club in New Zealand.

Back then, I was sent to New Zealand for a week on behalf of Amdocs, in order to conduct meetings with a local Telecom company that worked with the Ministry of Tourism, offering them the development of Information Kiosks.

I used an old 8mm video I filmed back in 1994, in order to locate my old flying school. Here is a snapshot of Auckland Aero Club from that old video:

Here is Auckland back then (1994).

Luckily, I kept the Pilot Log Book with the information about the flying lessons I took back then, and during my recent visit, (almost 2 months this time), after I took some flying lessons in other countries, I came back wishing to continue from where I left off…

That morning, at 7:00 AM, I went jogging in Auckland. I ran 12 Km from Auckland to Mission Bay and back.

My Facebook post that morning

A few hours later, I flew a Cessna 172 Skyhawk, with the guidance of William Lee-Johnson, to Auckland, and above Mission Bay, the same area I ran to that morning (12 Km run).

From my running app
Taking off…

Auckland from above

Ruth sat at the back and took some amazing photos.

The instructor, William Lee-Johnson, was very cooperative and filled in my Log Book (from 1996) after we landed.

Looking forward to my next flight! To be continued…

PDF to Text

As part of a Secured Globe, Inc. project with Freedom Scientific, Inc., the creators of JAWS, and as part of adding support for Albanian, I developed a small tool for converting PDF files into text. Another piece of software we develop uses it to convert thousands of e-books in Albanian and, using AI techniques, create an optimal list of sentences in the Albanian language that can be recorded and added to the JAWS platform.

Github Repo

https://github.com/securedglobernd/SG_PDF2Text

Download Link

https://gograb.site/SG_PDF2TXT.exe


My script for backing up Alexa recordings

Download link

A while ago I developed a Python script for backing up Alexa’s (Amazon Echo devices) voice recordings. Many of these recordings are just random voice recordings captured for no reason, while others are commands given to Alexa.

I have written the following article on CodeProject.

Following a touching email I received from someone who was able to get his late mother’s recordings after she passed away and thanked me, it went viral on Reddit. It broke the all-time record as the highest-voted post of all time!

My Music

I recently created my own recording studio. It is based on a Roland Keyboard, Roland TD 50KV Drums, an MPC X and a Zoom recorder. I also purchased a Roland Integra 7.

My Music is available at Apple Music, Amazon Music, and all the other services.

Michael Music

My Mother

On 9.12.2019 my mother passed away. On her 87th birthday, which she did not live to celebrate, a ceremony was held at Ein Mor, where her ashes were scattered.

I made a film about this ceremony.

Maintaining huge amounts of data

I have around 50 external hard drives, 20 internal ones (from old PCs, from 1994 until today), floppy disks, CDs, DVDs and thumb drives. After purchasing the best NAS I could find, a Synology Diskstation 2415+, I started looking for NAS (Red) hard drives to fill it up. I purchased 12 x 6TB ones but recently began replacing them with 10TB ones (a potential storage size of 120TB!).

NAS - snapshot

Synology offers Hybrid RAID, which allows the safety of having the data backed up in several places in case of a failure. The “price” for that is 1/3 of the storage space which is used to provide the necessary tolerance to faults and loss of data. Each drive of the 12 is part of a group of 3 (“Volume”) and you can take out and throw away one drive of the three, and yet the data will be preserved.

That is no substitute for backing up the entire data set, which wasn’t an easy task due to the huge amount of data to back up. Typical cloud services allow up to 1TB (for example: Dropbox). More professional services such as Amazon allow unlimited data to be backed up, for a quite expensive monthly cost per MB.

Speaking of Dropbox, one of the advantages of using a NAS is that it can entirely replace services such as Dropbox, Google Docs, etc. You have your own cloud. You can give access to specific documents or folders, run your in-house Chat service (instead of using WhatsApp), host web sites, create your own Emailing system, FTP, etc.

Costs:

NAS                   $1,313.71
12 x 10TB Drives      $4,775.88
Total (before Tax)    $6,089.59

You can then organize your files based on subjects, themes, types and dates.

For example, organizing all photos (or videos) by year and then by month.


Since Synology gives you the ability to create your own cloud and avoid using external cloud services, it is quite easy to back up all photos from your cellphone automatically. You can of course plug in external USB drives and dump their data to the NAS.

I travel a lot and since my wife is a photographer, there are many camera files to back up. I carry a 4TB external drive when I travel and first back up the memory cards to the drive. Then, I upload the contents of the drive to my NAS remotely from anywhere.

Add to that tools to keep your PCs backed up, access the NAS from an iPhone and so on.

Finding data is also an important consideration. Synology provides a quite fast mechanism for finding files, including from the iPhone app. Searching for files based on criteria can still take hours, especially in my case where I have millions of files. For example, an open query for all .doc files (Word) can take 1 hour to run (310,000 files found already and still searching…).

One of the advantages of a Synology NAS is the ability to remotely connect to surveillance cameras, but in addition there are many possible add-ons to use.

For example, the Video Station scans all stored videos and provides easy access from a Smart TV. Please note that there are many issues with the Samsung Smart TV which we own. This TV is very impressive with its curved style but has many connectivity issues. Our Surface Pros can’t be projected to the TV. Other streamers such as Roku have similar issues, some of which have been resolved since. In many cases we had problems with service providers such as Netflix, HBO, CBS, NBC, etc., and in most cases they were specific to our Samsung… However, when it comes to projecting videos from the NAS to our TV, that works excellently.

As for protecting your NAS from outside hacking, here are some guidelines:

  • Use SSL (I purchased an SSL certificate for my NAS).
  • Use Two Factor Authentication – it’s impossible to log in (even if the password is known) without operating a hardware device which generates a one-time code. Banks use it (in the US) and it can be applied to other accounts such as NAS, Gmail, Facebook, etc.
  • Other security measures, such as an internal firewall running on the NAS (which has its own OS), blocking certain ports and protocols, etc.

Embed a resource to a static library (nothing is impossible)

I needed to embed a resource (icon) to a static library so we can deploy just the .lib and .h files with no need to include any graphics or .rc files.

I wanted my static library to be used by any application including such that don’t have any graphic user interface, i.e. Console applications, etc.

I posted a question on Stack Overflow and Code Project and the responses were: That’s not possible…

Here is the question I have posted:

Is there a way to embed resources (such as icons, dialogs) in a C++ (Win32 API) static library? My purpose is to embed an icon in the static library in a way that functions that use LoadIcon will work as if it was a normal .exe, so the main application can only link to the static library and include a header file, with no requirement to add other files such as .rc files, or .ico files, etc. Clearly the main application that uses the static library doesn’t have this resource so LoadIcon will fail; however, I was wondering if there is a workaround to make it work. A static array with the icon data can work as long as the standard API calls (such as LoadIcon) will work.

To explain further, the person who will be using the static library will only have 2 files: .lib and .h, and will not have any .rc file.

Comments that followed:

“It is not possible, you can stop looking. Consider a DLL project instead.”

At Code Project I was pointed to the following Stack Overflow thread:

“I read them but we wish to deploy 2 files: .lib and .h. These solutions require deploying the .rc file and having whoever uses our static library link / include it as well.”

“Then there is no solution from my point of view.
The SO thread covers it all.”

After some research I found a way, and here is the solution. Using my method, an icon can be used as an integral part of a static library, and such a library can be used by any type of application, including a console one (which doesn’t have any resource segment whatsoever).

1. The icon is converted to a static array of BYTE. bin2c can be used for that.

2. The data is converted into an HICON handle. Here is how I have done that (the size constant is assumed to be emitted alongside the array; name it to match your bin2c output):

#include <windows.h>

// The .ico file bytes emitted by bin2c, plus their length.
extern const BYTE s_byIconData[];
extern const DWORD s_dwIconDataSize;   // assumed name; bin2c emits the length next to the array

HICON GetIcon()
{
   HICON hIcon = NULL;
   // Locate the best-matching image in the icon directory; the return value
   // is the offset of that image within the byte array (0 on failure).
   int offset = LookupIconIdFromDirectoryEx((PBYTE)s_byIconData, TRUE, 0, 0, LR_DEFAULTCOLOR);
   if (offset != 0)
   {
      // Build an HICON directly from the in-memory image bits
      // (0x00030000 is the icon format version the API requires).
      hIcon = CreateIconFromResourceEx((PBYTE)s_byIconData + offset, s_dwIconDataSize - offset,
                                       TRUE, 0x00030000, 0, 0, LR_DEFAULTCOLOR | LR_DEFAULTSIZE);
   }
   return hIcon;
}
3. GetIcon is used instead of LoadIcon.
Instead of calling:

I call

m_hIcon = GetIcon()

To test it, I created a Console application and a new static library. I added to the static library the XMessageBox class which allows using a custom icon.
The Console application just calls a function located at the static library and the icon is displayed!
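To make step 2 concrete, here is a portable re-implementation of the directory lookup that LookupIconIdFromDirectoryEx performs on the bin2c array, with bounds checks added so a truncated or malformed blob cannot send CreateIconFromResourceEx past the end of the array. This is an added example, not code from the post; it parses the on-disk .ico layout (16-byte entries with a 32-bit image offset) rather than the RT_GROUP_ICON resource layout, and the sample directory it builds is constructed for the demonstration.

```cpp
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <climits>
#include <vector>

// On-disk .ico directory layout, byte for byte what bin2c copies into the array.
#pragma pack(push, 1)
struct IconDir      { uint16_t reserved, type, count; };
struct IconDirEntry { uint8_t  width, height, colors, reserved;
                      uint16_t planes, bitCount;
                      uint32_t bytesInRes, imageOffset; };
#pragma pack(pop)

// Picks the directory entry whose width is closest to cxDesired and returns the
// offset of its image inside the blob, or 0 (the Win32 API's failure value) when
// the header is malformed or the entry's image does not fit inside the blob.
int FindIconImageOffset(const uint8_t* data, size_t size, int cxDesired)
{
    IconDir dir;
    if (size < sizeof(dir)) return 0;
    std::memcpy(&dir, data, sizeof(dir));
    if (dir.reserved != 0 || dir.type != 1 || dir.count == 0) return 0;
    if ((size - sizeof(dir)) / sizeof(IconDirEntry) < dir.count) return 0;

    int best = 0, bestDiff = INT_MAX;
    for (unsigned i = 0; i < dir.count; ++i) {
        IconDirEntry e;
        std::memcpy(&e, data + sizeof(dir) + i * sizeof(e), sizeof(e));
        // An entry is only eligible if its image lies entirely within the blob.
        if (e.imageOffset > size || e.bytesInRes > size - e.imageOffset) continue;
        int w = e.width ? e.width : 256;          // 0 encodes a 256-pixel image
        int diff = std::abs(w - cxDesired);
        if (diff < bestDiff) { bestDiff = diff; best = (int)e.imageOffset; }
    }
    return best;
}

// Constructed sample: a two-image directory (16 px and 32 px) with 8-byte dummy
// image payloads, so the lookup can be exercised without a real .ico file.
std::vector<uint8_t> BuildSampleIco()
{
    IconDir dir = { 0, 1, 2 };
    IconDirEntry e16 = { 16, 16, 0, 0, 1, 32, 8, 38 };   // images start at 6 + 2*16 = 38
    IconDirEntry e32 = { 32, 32, 0, 0, 1, 32, 8, 46 };
    std::vector<uint8_t> blob(54, 0xAA);                // 0xAA stands in for pixel data
    std::memcpy(blob.data(), &dir, 6);
    std::memcpy(blob.data() + 6, &e16, 16);
    std::memcpy(blob.data() + 22, &e32, 16);
    return blob;
}
```

The same bytesInRes value is what should be passed as the size argument to CreateIconFromResourceEx, rather than 0.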


Flawless Integration with PayPal

We have recently added a unique feature to Wizdome: payment processing embedded in your program using just a few lines of source code.

Wizdome has a built-in payment processing engine which allows you to accept payments from any credit card holder (regardless of being a PayPal customer) and pay for unlocking your software or for specific features. As part of Datattoo Recovery, one of our other products, the customer can pay per each MB of successfully restored data.

To process payments you need to choose one of 2 routes:

  1. Apply as a PayPal developer and obtain your own PayPal credentials
  2. Use Wizdome credentials and receive all payments from Secured Globe, Inc.

Technically, the SG_PayPal API is used as described below. Afterwards, your program can continue as before, while Wizdome keeps monitoring the status of each payment initiated. When a Pending Transaction is paid successfully, the credit (“max” value) of the associated Restriction is updated accordingly; so if your program checks the allowed maximum value of each predefined Restriction, the value will become higher and your software can grant additional access flawlessly.

void InitPayPal(BOOL Sandbox, LPTSTR User, LPTSTR password, LPTSTR signature, LPTSTR successUrl, LPTSTR failedURL)

Sandbox – indicates whether you are testing your integration using PayPal's Sandbox account, or going live.

User – your PayPal user name

Password – your PayPal password

Signature – your PayPal signature

successUrl – a url leading to a web page which you wish to be shown after successful payment.

failedURL – a URL leading to a web page which you wish to be shown after a failed / cancelled payment.

Initiating a payment

When you wish to initiate a payment, you call

BOOL InitiatePaypalPayment(int nUnits, int PricePerUnit, LPWSTR UnitName, LPWSTR RestrictionName)

nUnits (integer) - number of units to be purchased

PricePerUnit (integer) - cost per each unit (in default currency).

UnitName (string) - the name of the unit to be purchased

RestrictionName (string) - optional - the name of any restriction tied to this transaction

For example: if you would like a data recovery software to allow recovery of 15 MB for the price of $15, and provided that a Restriction named “MB_RESTRICTION” was defined, you call this function using the following parameters:

InitiatePaypalPayment(15, 1, L"MB", L"MB_RESTRICTION");

Currency

By default the currency used for transactions is USD, however that can be changed.

Tying a transaction to a Restriction

Wizdome allows you to tie a transaction (payment) to a Restriction. When you do so, the user will be able to lift or change a Restriction by making a payment and without having to switch versions, restart your program or restart any work done by your end-users.