
__security_init_cookie in Windows driver causes bugcheck KERNEL_SECURITY_CHECK_FAILURE


Windows 8+ is able to generate a security cookie for a loaded executable image. The location of the security cookie is stored in the LoadConfig data directory in the PE header so that the Windows loader can easily replace it.
The reason is that the OS should be able to generate the cookie in a safe way (for example using the RDRAND instruction if available and/or other random entropy sources). Also, there is no need to copy cookie initialization code into every driver.

If your driver targets Windows 8 (and newer), it expects that the OS will initialize the cookie. Therefore it raises a BSOD if the cookie wasn't changed.
On the other hand, if your driver targets an older OS (Windows 7), the compiler has to generate code that initializes the cookie if it wasn't already initialized by the OS. This way the driver is compatible with all Windows versions.

I haven't found any official description of this Windows 8 feature, but here is an article that describes it:
Reversing Windows8: Interesting Features of Kernel Security

When loading the kernel driver, Windows 8 calls MiProcessLoadConfigForDriver to generate security cookie, locates old security cookie in PE and replaces it.

New Windows8 kernel drivers will check if their security cookies are already replaced.
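The lookup described in the answer above (LoadConfig data directory, then the SecurityCookie field, then the cookie itself) can be reproduced offline to check what value a driver file carries on disk. This is an added example, not code from the original post or from Microsoft; the function names are hypothetical, the field offsets and the two default cookie constants come from the PE format and the MSVC runtime rather than from this page, and `build_sample` constructs a minimal PE32+ image purely as test input.

```python
import struct

# MSVC's compile-time default cookies (PE32, PE32+); the loader must replace them.
DEFAULT_COOKIE = {0x10B: 0xBB40E64E, 0x20B: 0x00002B992DDFA232}

def rva_to_offset(data, sec_table, nsec, rva):
    """Map an RVA to a file offset using the section table (40-byte entries)."""
    for i in range(nsec):
        vsize, vaddr, rsize, rptr = struct.unpack_from("<4I", data, sec_table + 40 * i + 8)
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rva - vaddr + rptr
    raise ValueError("RVA 0x%x is not inside any section" % rva)

def find_security_cookie(data):
    """Return (cookie_rva, on_disk_value, is_default), or None without a cookie."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    fmt, base_off, dirs, field = (("<Q", 24, opt + 112, 88) if magic == 0x20B
                                  else ("<I", 28, opt + 96, 60))
    image_base = struct.unpack_from(fmt, data, opt + base_off)[0]
    if struct.unpack_from("<I", data, dirs - 4)[0] <= 10:
        return None                                  # no LoadConfig directory slot
    lc_rva = struct.unpack_from("<I", data, dirs + 8 * 10)[0]
    if lc_rva == 0:
        return None                                  # image has no load config
    lc = rva_to_offset(data, opt + opt_size, nsec, lc_rva)
    if struct.unpack_from("<I", data, lc)[0] < field + struct.calcsize(fmt):
        return None                                  # structure predates SecurityCookie
    cookie_va = struct.unpack_from(fmt, data, lc + field)[0]   # a VA, not an RVA
    if cookie_va == 0:
        return None
    rva = cookie_va - image_base
    value = struct.unpack_from(fmt, data, rva_to_offset(data, opt + opt_size, nsec, rva))[0]
    return rva, value, value == DEFAULT_COOKIE[magic]

def build_sample(cookie=DEFAULT_COOKIE[0x20B]):
    """Constructed minimal PE32+ image: headers plus one section at RVA 0x1000."""
    img = bytearray(0x400)
    struct.pack_into("<2s58xI4sHH12xH", img, 0, b"MZ", 0x40, b"PE\0\0", 0x8664, 1, 240)
    struct.pack_into("<H22xQ", img, 0x58, 0x20B, 0x140000000)      # Magic, ImageBase
    struct.pack_into("<I80xII", img, 0x58 + 108, 16, 0x1000, 0x60)  # dir count, LoadConfig
    struct.pack_into("<8s4I", img, 0x148, b".rdata", 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<I84xQ", img, 0x200, 0x60, 0x140001100)      # Size, SecurityCookie VA
    struct.pack_into("<Q", img, 0x300, cookie)                     # the cookie variable
    return bytes(img)
```

A `True` in the third element means the file still holds the compiler default, which is the value the loader is expected to overwrite at load time.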


For those who build drivers in Visual Studio 2015 and need the driver to be compatible with Windows 7:

  1. You need the Windows 10 SDK and the matching WDK (revisions must match).
  2. In your driver project use default Target Platform Version i.e. 10.x.x.x and default Platform Toolset i.e. WindowsKernelModeDriver10. DO NOT change anything here. And don't touch _WIN32_WINNT definition.
  3. The platform is specified at Driver Settings - General. There you specify Target OS Version - Windows 7, Target Platform - Desktop. AND ONLY THIS ONE. If you specify Windows 8 or Windows 8.1, it's still going to crash in the security cookie check code.

P.S. The driver will still be compatible with Windows 10, 8.1 and 8.