- 1 year ago
How to load kmdf driver (wfp/inspect) on system boot
To load a Kernel-Mode Driver Framework (KMDF) driver, such as the Windows Filtering Platform (WFP) inspection driver, on system boot, you need to perform the following steps:

1. Compile and Sign the Driver:
Ensure that your KMDF driver is compiled and signed properly. Driver signing is necessary for loading the driver during system boot on Windows systems with Secure Boot enabled.

2. Install the Driver:
Install the driver on the target system. You can use the devcon utility or the Device Manager to install the driver. If you are using devcon, run the following command from an elevated Command Prompt:

    devcon install "path\to\your\driver.inf" <hardware_id>

Replace "path\to\your\driver.inf" with the path to your driver's INF file, and <hardware_id> with the hardware ID of the device the driver is associated with.

3. Add Driver Service Entry:
To load the driver on system boot, you need to create a service entry for the driver in the system registry. Open the Registry Editor (regedit.exe) and navigate to the following key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Create a new key under Services with the name of your driver's service (e.g., "MyDriver").

4. Set Driver Properties:
Within the new service key, set the required properties for the driver. At a minimum, you need to set the following values:
- ImagePath: The full path to your driver's .sys file. For example, "C:\Windows\System32\drivers\mydriver.sys".
- DisplayName: A descriptive name for your driver (displayed in the Services list).
- Type: Set to 1 (KERNEL_DRIVER).
- Start: Set to 0x3 (SYSTEM_START).
- ErrorControl: Set to 0x1 (NORMAL).
You can set additional properties as needed for your specific driver.

5. Load Driver at Boot:
To ensure the driver is loaded at system boot, set the Start value to 0x3 (SYSTEM_START). This value indicates that the driver should be loaded during system startup.

6. Start the Driver:
Reboot the system or use the sc (Service Control) command to start the driver manually:

    sc start MyDriver

Replace "MyDriver" with the name of your driver's service entry.

7. Verify Driver Loading:
After rebooting, verify that the driver is loaded and running using the Device Manager or other relevant tools. You can also check the system's event logs for any driver-related messages.
Please note that installing and managing drivers can have significant impacts on system stability and security. It is essential to thoroughly test and validate your driver before loading it at system boot, especially if it interacts with critical system components like WFP. Additionally, ensure that you are familiar with Windows driver development and the potential consequences of driver issues before proceeding with these steps.
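The registration and verification steps above, as an added PowerShell example that is not part of the original answer. It registers the service with sc.exe instead of editing the registry by hand, refuses an unsigned .sys, and reads the resulting key back so the numeric Start value can be compared with the symbolic SERVICE_*_START name Windows assigns to it. The service name MyDriver and the path to mydriver.sys are placeholders; the function names are this example's own.

```powershell
# Added example (not from the original answer): register a KMDF/WFP driver as a
# kernel service, read back the registry values the answer lists, and check its
# state. Run from an elevated PowerShell; paths and names are placeholders.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

# Start values as Windows defines them (SERVICE_BOOT_START .. SERVICE_DISABLED).
$StartNames = @{ 0 = 'BOOT_START'; 1 = 'SYSTEM_START'; 2 = 'AUTO_START'; 3 = 'DEMAND_START'; 4 = 'DISABLED' }

function Install-KernelDriverService {
    param(
        [Parameter(Mandatory)] [string] $Name,        # service key name, e.g. MyDriver
        [Parameter(Mandatory)] [string] $SysPath,     # full path to the driver's .sys file
        [string] $DisplayName = $Name,
        [ValidateSet('boot', 'system', 'auto', 'demand')] [string] $Start = 'system'
    )
    # 1. Refuse to register an unsigned or tampered binary.
    $sig = Get-AuthenticodeSignature -FilePath $SysPath
    if ($sig.Status -ne 'Valid') { throw "Signature check failed for ${SysPath}: $($sig.Status)" }

    # 2. Create the service entry. Call sc.exe explicitly: in PowerShell 'sc' is an
    #    alias of Set-Content. sc.exe needs the space after each 'key=' token.
    & sc.exe create $Name type= kernel start= $Start error= normal binPath= $SysPath DisplayName= $DisplayName
    if ($LASTEXITCODE -ne 0) { throw "sc.exe create failed with exit code $LASTEXITCODE" }

    # 3. Read back what was written under HKLM\SYSTEM\CurrentControlSet\Services\<Name>.
    $key = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    [pscustomobject]@{
        Service      = $Name
        ImagePath    = $key.ImagePath
        Type         = $key.Type                  # 1 = SERVICE_KERNEL_DRIVER
        Start        = "$($key.Start) ($($StartNames[[int]$key.Start]))"
        ErrorControl = $key.ErrorControl          # 1 = SERVICE_ERROR_NORMAL
    }
}

function Test-KernelDriverService {
    param([Parameter(Mandatory)] [string] $Name)
    # Current Service Control Manager state (RUNNING / STOPPED) without rebooting.
    $state = (& sc.exe query $Name | Select-String 'STATE').ToString().Trim()
    # Recent SCM events that mention this driver; load failures are reported here.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager' } `
                  -MaxEvents 200 -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -like "*$Name*" } | Select-Object TimeCreated, Id, Message
    [pscustomobject]@{ State = $state; Events = $events }
}

# Usage (placeholder values):
# Install-KernelDriverService -Name MyDriver -SysPath 'C:\Windows\System32\drivers\mydriver.sys' -Start system
# & sc.exe start MyDriver
# Test-KernelDriverService -Name MyDriver
```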