
Microsoft CrowdStrike driver blue screen and kernel signature

Published 2024-07-23 10:39:17

Background

When Windows hits an error serious enough that the kernel cannot continue, it halts and paints the screen blue, usually with a stop code and a short message. This is the "Blue Screen of Death" (BSOD).

(Source: /newsDetail_forward_28126297)

The impact of this blue-screen event was very wide. The cause was a faulty update to CrowdStrike's Falcon sensor, whose core runs as a Windows kernel driver. CrowdStrike is a widely used foreign security-software vendor, comparable to domestic products such as Duba and 360.

Headline at the time: "Microsoft says 8.5M systems hit by CrowdStrike BSOD, releases USB recovery tool. When reboots don't work, bootable USB sticks may help ease fixes for some PCs."

Microsoft published a fix note for it. In essence: boot into Safe Mode or the Windows Recovery Environment (or a WinPE tool), go to %WINDIR%\System32\drivers\CrowdStrike, delete the file(s) matching C-00000291*.sys, and reboot. One caveat a practitioner should note: despite the .sys extension, these are CrowdStrike channel (content) files that the Falcon sensor's signed kernel driver reads at start-up, not the driver binary itself. The driver stays installed after the fix; what is removed is the malformed content it choked on.

/en-us/topic/kb5042421-crowdstrike-issue-impacting-windows-endpoints-causing-an-0x50-or-0x7e-error-message-on-a-blue-screen-b1c700e0-7317-4e95-aeee-5d67dd35b92f
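The KB procedure above, as an added PowerShell example (it is not Microsoft's or CrowdStrike's code, and only automates the manual steps). Run it from Safe Mode, or from WinRE/WinPE where powershell.exe is available. It assumes the file pattern from the KB (C-00000291*.sys), that the installed OS may not be C: when booted into the recovery environment (so every mounted volume is checked), and, as a design choice of this example rather than of the KB, it moves the files aside by default instead of deleting them, after recording their hash and timestamp, so a responder can match them against the vendor's advisory afterwards.

```powershell
<#
  Added example for the KB5042421 procedure. Not Microsoft's or CrowdStrike's code.
  Assumptions: pattern C-00000291*.sys from the KB; OS volume may not be C: in WinRE;
  default action is quarantine (move) rather than delete, to preserve evidence.
#>
param(
    [string]$Pattern = 'C-00000291*.sys',
    [switch]$Delete            # remove outright instead of quarantining
)

function Find-ChannelFiles {
    param([string]$Pattern)
    $found = @()
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        # Only volumes that carry a Windows installation with the CrowdStrike
        # driver directory are of interest (the WinRE X: RAM disk is skipped).
        $dir = Join-Path $drive.Root 'Windows\System32\drivers\CrowdStrike'
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        $found += Get-ChildItem -LiteralPath $dir -Filter $Pattern -File -ErrorAction SilentlyContinue
    }
    return $found
}

function Remove-OrQuarantine {
    param([System.IO.FileInfo[]]$Files, [switch]$Delete)
    foreach ($f in $Files) {
        # Record hash and UTC timestamp before touching the file: that is what
        # a responder needs to compare the file against the vendor's statement.
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        Write-Output ("{0}  {1:u}  {2}" -f $hash, $f.LastWriteTimeUtc, $f.FullName)
        if ($Delete) {
            Remove-Item -LiteralPath $f.FullName -Force
        } else {
            # Quarantine folder at the volume root, outside the driver directory
            $root = [System.IO.Path]::GetPathRoot($f.FullName)
            $q = Join-Path $root 'CS-quarantine'
            New-Item -ItemType Directory -Path $q -Force | Out-Null
            Move-Item -LiteralPath $f.FullName -Destination $q -Force
        }
    }
}

$files = @(Find-ChannelFiles -Pattern $Pattern)
if ($files.Count -eq 0) {
    Write-Output "No files matching $Pattern on any mounted volume (is the OS volume BitLocker-locked?)"
} else {
    Remove-OrQuarantine -Files $files -Delete:$Delete
}
```

If the OS volume is BitLocker-protected, the directory test fails until the volume is unlocked from the recovery environment, for example with `manage-bde -unlock D: -RecoveryPassword <48-digit key>`; this is why the mass remediation needed recovery keys at hand.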

What is a sys file

A .sys file is a Windows kernel driver, something most engineers who do software development have at least heard of. A kernel driver runs in kernel mode with direct access to the operating system's underlying resources, so a bug in it readily blue-screens the whole system, and the machine often cannot recover on its own, because the driver is loaded again automatically on every reboot.

Let's first look at where .sys files sit in the Windows OS: at a very low level.

What devices need kernel drivers

Any task or device that needs the operating system's kernel resources can, in principle, be served by a kernel driver that invokes them. Windows peripherals such as graphics cards, USB devices, in-house PCIe devices and serial devices all need a corresponding kernel driver to interact with the hardware. PCIe devices in particular can only be driven by kernel-mode code, since only that code can reach the device's resources (its memory-mapped registers and interrupts).

Kernel Driver Security Policy

Mandatory digital signatures.

Digital signatures play an important role in Windows operating systems, especially to enhance system stability and security. A digital signature is a cryptographic technique used to verify the origin and integrity of software. In a Windows environment, digital signatures are used to ensure that drivers and other software come from a trusted publisher and have not been tampered with since their release.

Here are a few key roles of digital signatures in Windows systems:

  • Verification of origin: A digital signature confirms that the software was produced by a known, identifiable publisher, which helps prevent the spread of malware posing as legitimate software.
  • Ensuring integrity: The signing process hashes the file and signs that hash with the publisher's private key. If the file is modified in transit or after installation, the hash no longer matches the signature, so the OS (or the user) can tell the software has been tampered with.
  • Improving system stability: A signature by itself proves only origin and integrity. It is the WHQL testing that precedes a Microsoft signature which checks a driver against Microsoft's programming requirements, and that testing is what reduces the number of driver-caused blue screens.
  • Driver authentication: Since Windows Vista, 64-bit Windows enables driver signature enforcement by default, meaning that every driver loaded into the kernel must carry a valid digital signature. This stops unsigned incompatible or malicious drivers from loading, reducing the risk of system crashes.

digital signature

Windows Device Installation utilizes digital signatures to verify the integrity of the driver package and to confirm the identity of the vendor (software publisher) that provided the driver package. In addition, the kernel-mode code signing policy for the 64-bit version of Windows Vista and subsequent versions of Windows dictates that kernel-mode drivers must be signed before they can be loaded.

Kernel-mode drivers for Windows 10 desktop editions (Home, Pro, Enterprise and Education) and Windows Server 2016 must be signed through the Windows Hardware Dev Center dashboard (the WHQL process), and access to the dashboard requires an Extended Validation (EV) code-signing certificate. See Driver Signing Policy for details.

All drivers signed by the Hardware Developer Center for Windows 10 (starting with version 1507, Threshold 1) are signed using the SHA2 algorithm. For detailed signing requirements for specific OS versions, see Signing Requirements by Version.

Before Windows 10, a kernel driver was accepted by the operating system as long as the publisher had signed it with a code-signing certificate chaining to a CA that Microsoft had cross-signed; Microsoft itself never saw the driver. In practice that policy is weak: a certificate is bought from a CA and attests only to the publisher's identity, not to the quality of the code. Even without any bad intent, a publisher-signed kernel driver that has never been independently tested can frequently blue-screen or hang the system, because the driver developer cannot guarantee that their own test cases cover every necessary scenario.

How to get a signature

/en-us/windows-hardware/drivers/dashboard/get-started-dashboard-submissions

  • First, you need an EV certificate, bought from a third-party certificate authority. There is no way to generate a recognised certificate yourself to sign a kernel driver.
  • Register an account with Microsoft's Hardware Dev Center.
  • The driver code has to pass a set of tests. Microsoft's generalised test suite was called HCK before Windows 10 (/en-us/windows/win32/w8cookbook/windows-hardware-certification-kit) and is called HLK from Windows 10 on (/en-us/windows-hardware/test/hlk/).
  • After passing the tests, package the driver and test results, upload the package, and wait for Microsoft to sign it.

Let's see what a certified driver's signature looks like.
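The same information can be read out of any driver file with PowerShell. The script below is an added example, not code from the original post or from any Microsoft tool. It reports the signature status, whether the signature is embedded or comes from a security catalog (.cat), the certificate chain, and which Microsoft signing path the signer's Enhanced Key Usage indicates. The EKU OIDs are the well-known Microsoft values and are an assumption of this example: 1.3.6.1.4.1.311.10.3.5 (Windows Hardware Driver Verification, i.e. WHQL after HLK testing) and 1.3.6.1.4.1.311.10.3.5.1 (Windows Hardware Driver Attested Verification, i.e. attestation signing, which Microsoft issues without HLK tests). The classification is indicative; `signtool verify /v /kp <file>` remains the authoritative check against the kernel-mode signing policy and also shows the file digest algorithm (SHA-256 for anything signed by the Dev Center).

```powershell
<#
  Added example, not from the original post or any Microsoft tool: inspect a
  driver's Authenticode signature and classify the signing path by EKU.
  Assumptions: the Microsoft EKU OIDs below; revocation is not checked (offline).
#>
param(
    [Parameter(Mandatory = $true)]
    [string[]]$Path
)

$WhqlEku        = '1.3.6.1.4.1.311.10.3.5'     # Windows Hardware Driver Verification
$AttestationEku = '1.3.6.1.4.1.311.10.3.5.1'   # Windows Hardware Driver Attested Verification
$CodeSigningEku = '1.3.6.1.5.5.7.3.3'          # generic publisher code signing

function Get-DriverSignatureReport {
    param([string]$File)

    $sig = Get-AuthenticodeSignature -FilePath $File
    $report = [ordered]@{
        File          = $File
        Status        = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        SignatureType = $sig.SignatureType   # Authenticode (embedded) or Catalog (.cat)
        Signer        = $null
        Chain         = @()
        Timestamped   = [bool]$sig.TimeStamperCertificate
        SigningPath   = 'Unsigned'
    }

    if ($sig.SignerCertificate) {
        $cert = $sig.SignerCertificate
        $report.Signer = $cert.Subject

        # Build the chain offline; revocation needs network and is not the point here.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        [void]$chain.Build($cert)
        $report.Chain = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })

        # The Enhanced Key Usage extension is what separates WHQL from attestation.
        $ekus = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekus += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
            }
        }

        # Order matters: the Microsoft publisher certificate also carries the
        # generic code-signing EKU, so test the Microsoft-specific OIDs first.
        $report.SigningPath =
            if ($ekus -contains $AttestationEku) { 'Attestation (Microsoft-signed, no HLK test)' }
            elseif ($ekus -contains $WhqlEku)    { 'WHQL (Microsoft-signed after HLK test)' }
            elseif ($sig.IsOSBinary)             { 'Microsoft OS binary' }
            elseif ($ekus -contains $CodeSigningEku) { 'Publisher-signed only (no Microsoft signature)' }
            else                                 { 'Unknown' }
    }
    [pscustomobject]$report
}

foreach ($p in $Path) { Get-DriverSignatureReport -File $p }
```

Usage against everything in the drivers directory gives a quick inventory of how much third-party kernel code the box trusts: `Get-ChildItem C:\Windows\System32\drivers\*.sys | ForEach-Object { .\Get-DriverSignatureReport.ps1 -Path $_.FullName } | Group-Object SigningPath`. A Status other than Valid, or a missing timestamp on a driver whose certificate has since expired, is worth following up.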

How to test and sign for the driver will be documented later.

Why did CrowdStrike still crash after certification?

The author's guess is that CrowdStrike took advantage of a gap in Microsoft's process. The testing that precedes a WHQL signature is cumbersome (a single run takes at least a day), and Microsoft's signing does not check the build date of the driver package it receives, so once a driver has passed the tests once and the log files have been kept, a later build can in theory be submitted against the old logs and signed without being retested.

A practitioner should add one caveat that does not depend on that guess: a WHQL signature covers only the binaries in the submission, the .sys and its catalog. Configuration or content files that a signed driver reads at runtime are not part of the signed package and pass through no Microsoft test at all, so a signed and tested driver can still take the machine down if it mis-parses such a file.

Skipping the tests is very likely to cause problems. Some intermediaries on the market today that claim to offer WHQL certification use exactly this trick: they do not test your driver at all, they quietly package it into a submission that has already passed testing and have it signed, at no cost to you.