Tserith / Parasite

Compact MBR Bootkit for Windows

BSOD #3

Closed 6b3478 closed 9 months ago

6b3478 commented 1 year ago

Error code: 0x000021. Is this a checksum problem?

Tserith commented 1 year ago

0xC0000221 is STATUS_IMAGE_CHECKSUM_MISMATCH which could occur if the driver's size is greater than the size of the spoofed driver (filecrypt.sys). I do not know what code 0x21 could be. Please note that this project is a proof of concept and will likely not work on many systems as-is.

6b3478 commented 1 year ago

Sorry, you are right, the error code was 0xC0000221. I am compiling a test driver from this repository and its size is 2024 bytes. The checksum of the original filecrypt.sys == 0x0000fec3 (65219), and the checksum of the test driver after fixpe == 0x1c800 (116736). Is this true?

6b3478 commented 1 year ago

Also, the original filecrypt.sys is not a DLL. Is it important?

Tserith commented 1 year ago

FixupPe() increases the driver's size so that it matches filecrypt.sys's and then adjusts its checksum to account for the change. The checksum will not be the same as filecrypt.sys's. My filecrypt.sys has the same checksum as yours so I don't think it's the issue.

Are you signing the driver? I just tested with an unsigned driver and Windows wouldn't boot. I suspect that the unsigned driver is failing a check because test-signing the driver resolved the issue. I had to set the Driver project's Driver Signing->General->File Digest Algorithm option to SHA1 to do this in Visual Studio 2022.
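For anyone triaging a driver image after a 0xC0000221 (STATUS_IMAGE_CHECKSUM_MISMATCH) stop, the following added example (not part of the thread and not code from the Parasite repository) recomputes the standard PE header checksum and compares it with the stored `CheckSum` field. It assumes the usual PE layout, with the field 0x58 bytes past the `PE\0\0` signature; `make_sample()` builds constructed bytes, not a real driver.

```python
import struct

CHECKSUM_FROM_PE = 0x58  # 4-byte signature + 20-byte file header + 0x40 into the optional header

def checksum_field_offset(image: bytes) -> int:
    """Return the file offset of OptionalHeader.CheckSum, validating the headers."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    off = e_lfanew + CHECKSUM_FROM_PE
    if off + 4 > len(image):
        raise ValueError("truncated optional header")
    return off

def compute_pe_checksum(image: bytes) -> int:
    """Sum 16-bit words with end-around carry (CheckSum field as zero), then add the file length."""
    off = checksum_field_offset(image)
    data = image[:off] + b"\0\0\0\0" + image[off + 4:]
    if len(data) % 2:
        data += b"\0"  # pad odd-length files with a zero byte
    total = 0
    for (word,) in struct.iter_unpack("<H", data):
        total += word
        total = (total & 0xFFFF) + (total >> 16)
    return (total + len(image)) & 0xFFFFFFFF

def check_image(image: bytes) -> dict:
    """Compare the stored header checksum with the recomputed one."""
    off = checksum_field_offset(image)
    stored = struct.unpack_from("<I", image, off)[0]
    computed = compute_pe_checksum(image)
    return {"stored": stored, "computed": computed, "match": stored == computed}

def make_sample() -> bytes:
    """Constructed 512-byte stand-in for a driver image (not a real driver)."""
    img = bytearray(range(256)) * 2
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)  # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    return bytes(img)

if __name__ == "__main__":
    print(check_image(make_sample()))
```

This checksum is a simple additive sum, not a cryptographic integrity check, so a match says nothing about whether a file is authentic. Signature verification and comparison against known-good hashes remain the reliable checks.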

6b3478 commented 9 months ago

All good. You are 'molodec'. Thanks a lot ;-)