At Fuddata we have done a lot of research into how we can build products that let our customers make their environments more secure, in a way that does not directly compete with any existing solution but supports those solutions in their core function.
As part of that research we went through the process of becoming a Microsoft partner so that we can publish Windows Certified (WHQL) drivers.
On Friday, July 19, 2024, an update to the CrowdStrike agent caused blue screens on a large number of computers all over the world.
The question many have been asking is: how is this possible?
Why wasn't it detected during testing, either by CrowdStrike or by Microsoft in the mandatory driver certification tests?
Even though we have no insight into CrowdStrike's testing process, we can look at what can be found in public sources and test it with the Windows Hardware Lab Kit (HLK).
Even though we don't know for sure whether it is true, this post on X suggests that the CrowdStrike driver CSAgent.sys was trying to read the invalid memory address 0x9c. Memory accessed by a kernel-mode driver cannot be isolated from the rest of the kernel, so Windows cannot simply terminate the driver; it bug checks instead, and, as always with a fatal kernel-mode fault, the result was a blue screen. There was also a suggestion that the problematic channel file was full of zeros, but at least that part appears to have been debunked by CrowdStrike in this blog post.
Nevertheless, I found myself wondering whether it would be possible to build a kernel-mode driver that causes a blue screen by trying to read 0x9c, and get it Microsoft certified. It definitely is, as you can see from this certification report.
I found the answer by realising that the Windows Hardware Lab Kit tests only exercise the code paths that are active at the time the tests run. So I added a simple check to the code so that it does nothing before Monday, July 22, 2024.
But why is it called BlueScreenOnce? Well, because nobody likes blue screens, and even less the boot loops they cause, so I set the start mode to manual and only start the driver from the install script.
Unlike in many more modern programming languages, in C/C++ the developer is responsible for memory allocation, initialization and deallocation. This is powerful because data does not need to be copied in memory when different parts of the code need it; instead it can be referenced with a pointer.
The downside is that if the developer does a bad job and references memory addresses that are not valid or not properly initialized, the result is a crash of the application. This is true for all C and C++ applications.
However, because kernel-mode drivers run with the same privileges as the Windows kernel itself, the fault cannot be contained to the problematic driver alone. Windows has no choice but to bug check: show the blue screen and save a memory dump to disk.
So even if it doesn't feel that way from the end user's point of view, the blue screen is actually a Windows feature whose purpose is to prevent permanent damage to the system (for example, corrupted data written by a kernel in an inconsistent state) and to collect the memory dump that can be used to find the root cause of the issue.
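The two mechanisms described above, a date gate that keeps the faulting path inert while a test suite runs and an invalid read that the operating system can only survive when the offending code runs in user mode, modelled in a small user-mode C program. This is an added example and not the project's Driver.c; the function names crash_armed and try_read, the cut-over date and the use of a SIGSEGV/SIGBUS handler on a POSIX system are my own choices for illustration. In user mode the fault is delivered as a signal and the process can recover; a kernel-mode driver faulting on 0x9c has no such handler, which is why the only outcome there is a bug check.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Date gate modelled on the one the README describes: the faulting code path
 * is inert before 2024-07-22, so a certification run on an earlier date never
 * exercises it. Illustrative reimplementation, not the project's Driver.c. */
bool crash_armed(int year, int month, int day)
{
    if (year != 2024) return year > 2024;
    if (month != 7) return month > 7;
    return day >= 22;
}

static sigjmp_buf fault_env;

/* Signal handler: unwind back into try_read instead of dying. */
static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);
}

/* Attempt to read one byte at addr. Returns 0 and stores the byte on success,
 * -1 if the access faulted. User mode can recover like this only because the
 * OS isolates the process; a kernel-mode driver has no equivalent safety net. */
int try_read(uintptr_t addr, unsigned char *out)
{
    struct sigaction sa, old_segv, old_bus;
    volatile int rc;                      /* volatile: survives siglongjmp */

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    if (sigsetjmp(fault_env, 1) == 0) {
        *out = *(volatile unsigned char *)addr;   /* may fault here */
        rc = 0;
    } else {
        rc = -1;                                  /* landed here via handler */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return rc;
}

int main(void)
{
    unsigned char b = 0;
    unsigned char valid = 0x42;   /* constructed sample: a real, mapped byte */

    printf("gate armed on 2024-07-19: %d\n", crash_armed(2024, 7, 19));
    printf("gate armed on 2024-07-22: %d\n", crash_armed(2024, 7, 22));
    printf("read &valid -> rc=%d byte=0x%02x\n",
           try_read((uintptr_t)&valid, &b), b);
    printf("read 0x9c   -> rc=%d (recovered in user mode)\n",
           try_read((uintptr_t)0x9c, &b));
    return 0;
}
```

Running it on a test date before the cut-over reports the gate as disarmed, which is exactly why a test suite that only observes active code paths sees nothing wrong; the read of 0x9c faults regardless of the date, and the only difference between this program and a driver is that here the operating system hands the fault back to the process instead of halting the machine.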
Even if you are not a C/C++ developer, the code in Driver.c is very simple to understand.
If you want to build this driver yourself, you will need:
- Two computers, and preferably at least one of them should be a virtual machine where you can take and revert snapshots.
- The first one is used for development and the virtual machine for testing.
- Visual Studio with the "Desktop development with C++" workload and the individual components "MSVC C++ x64/x86 Spectre-mitigated libs (Latest)", Windows SDK and Windows Driver Kit.
Normally third-party drivers do not ship their PDB files publicly, so you cannot see which line of code crashed, but here they are available.
You have three options:
- Check the result of the crash dump analysis here.
- Download the driver and a ready-made memory dump from releases and analyze it.
- Actually install this driver on some computer, collect the memory dump from it and analyze it.
Be warned one more time: this driver WILL CAUSE A BLUE SCREEN on your Windows machine. Do not use it on any critical system.
That being said, here is the installation guide:
- Download the latest release.
- Extract the zip file.
- Right-click `install.cmd` and select "Run as Administrator".
- See the blue screen happen.
You can disable the driver by running the script `disable.cmd`.
You can permanently uninstall it as follows (please open an issue/pull request if you know a better way to do this):
- Open cmd with "Run as Administrator".
- Stop the driver with the command `sc stop BlueScreenOnce` (it should not be running, though, unless you have moved the date back into the past).
- Check with the command `pnputil /enum-drivers` which oemX number your driver got.
- Uninstall the driver package with the command `pnputil /delete-driver oemX.inf`.
- Delete the driver service with the command `sc delete BlueScreenOnce`.
At least one thing we can learn from this study is that Microsoft certification is not as strong as you would expect, neither at preventing unstable drivers from being published nor as a security boundary: it exercises only the code paths that are active during the test run.
However, because the process of getting to the point where a company can certify its drivers is quite long and expensive, it at least makes bad actors work harder.