Background
For Windows 7, Intel officially provides the final driver (version 25.0) that supports I219-V (7) (VEN_8086&DEV_15BC). For subsequent hardware versions, such as I219-LM (11) (VEN_8086&DEV_0D4C), we can use FPTW64.EXE to refresh the GBE part of the BIOS firmware, modify DEV to 15BC, and then install Intel’s official driver.
In the official Intel driver program, there are multiple versions including NDIS62/63/64/65/68, among which NDIS62 can be used on Windows 7, while NDIS68 can only be used on Windows 10 1709 and later versions. The NDIS version is closely related to the Windows version.
Therefore, there are two methods for driver mod as follows.
- Mod NDIS62 driver to support new hardware.
- Mod NDIS68 driver to support Windows 7 and NDIS6.20.
We continue on method 2.
Drivers used in modding
- Intel’s official driver version 25.0 based on NDIS6.20 with e1d62x64.sys’s version 12.17.8.7.
- Intel’s official driver version 25.1 based on NDIS6.80 with e1d68x64.sys’s version 12.18.9.23.
We mod driver 2, using driver 1 for reference. From it we can find how the same function is implemented in NDIS6.20.
Modding
- Analyse driver 2 e1d68x64.sys’s IAT to find the unsupported APIs
By comparing with Excel, it can be found that some import functions of driver 2 are not exported in ntoskrnl.exe and ndis.sys in Windows 7, and WppRecorder.sys does not exist in Windows 7. These import functions are all present in versions after Windows 10 and NDIS 6.30.
- Patch the unsupported API
(1) ndis.sys
Functions related to Virtualization: They are all called by OidRequestHandler CB. Analysing sub_140046B94, we can find I219-LM/V NICs will not use Virtualization functions. So we patch the upper function to skip.
NdisMQueryProbedBars: Driver 1 doesn’t use it. So we patch the upper function to skip.
NdisMResetMiniport: e1d68x64.sys calls it under specific conditions, and driver 1 doesn’t use it. So we patch the upper function to skip.
(2) ntoskrnl.exe
KeInitializeSpinLock: patch to mov qword ptr [rcx], 0.
KeConvertAuxiliaryCounterToPerformanceCounter: Driver 1 doesn’t use it. So we patch the upper function to skip.
(3) WppRecorder.sys
Used for logging, Etw and WMI related functions have been implemented. So we patch the upper function to skip.
- IAT modifying
(1) function mod
We cannot block a certain function in the middle of IAT (otherwise the modification workload is large). We can change it to another imported function with the least impact (“minimum impact function”). There are two ways to modify it.
a. If the “minimum impact function” is imported, we replace Thunk’s offset to “minimum impact function”'s in ThunkData.
b. If the “minimum impact function” is not imported, we replace Thunk’s string (function name) to “minimum impact function”'s in ThunkData.
The “minimum impact function” of ndis.sys is NdisGetVersion, which is imported. We use method a.
The “minimum impact function” of ntoskrnl.exe is rand, which is not imported. We use method b.
(2) WppRecorder.sys
We use PETools to delete WppRecorder.sys’s Image Import Descriptor. The OS will not try to load WppRecorder.sys.
- DriverEntry mod
(1) We patch the security_cookie check, so that the driver will not report an error if security_cookie is 2B992DDFA232h.
(2) When the driver calls NdisMRegisterMiniportDriver, the version field should be 110C1406h (or NdisMRegisterMiniportDriver fails, then DriverEntry fails).
- Solving the problem of filling 0000 when sending packets
We analyse from the SendNetBufferListsHandler entry. The driver should skip calling sub_1400154AC to avoid the above problem. We patch 140018436 to jmp.
- Dynamic getting API address check
We check NdisGetRoutineAddress and MmGetSystemRoutine calls and find that all APIs can be found in Windows 7. So we do not need to patch.
- inf modify (using WinHex suggested)
(1) Add ‘NTamd64.6.1,’.
(2) Copy the [Intel.NTamd64.10.0.1] section and rename it to [Intel.NTamd64.6.1].
(3) Modify the [E153A.10.0.1.HW] sections because there is no pci.inf in Windows 7 (machine.inf exists) and machine.inf does not contain the sections in Needs. After this simple modifying, we may not be able to install the driver package in Windows 10.
Include = machine.inf
Needs = PciIoSpaceNotRequired
AddReg = MSI.reg
(4) If we rename the .sys file, we should rename it in the inf file.
- Re-sign
(1) Finish above patches with IDA or WinHex.
(2) Re-sign the whole package.
Problems
The modified driver package is signed with a self-signed certificate. Load it in test mode. (bcdedit /set {current} testsigning on)
Effects
100Mbps runs at full capacity, and 1.0Gbps can reach up to 950Mbps. Complete transmission of a large file. It works normally after disable and re-enable. Wireshark can detect and listen.
This mod test is only for providing ideas. I may upload the modified driver package if needed but use it at your own risk.
If discussing this topic is not appropriate, please delete it.
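
The import comparison from the first modding step (done in Excel in the post), as an added example that is not part of the original post: it reads a driver's import table and each provider's export names straight from the PE32+ files and lists what the older OS cannot resolve. All function names here are hypothetical helpers; only x64 images are handled and imports by ordinal are skipped.

```python
import struct

U = struct.unpack_from

def _layout(data):  # -> (file offset of the data directories, section list)
    pe = U("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0" or U("<H", data, pe + 24)[0] != 0x20B:
        raise ValueError("not a PE32+ (x64) image")
    nsec, opt_size = U("<H", data, pe + 6)[0], U("<H", data, pe + 20)[0]
    # per section: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    secs = [U("<4I", data, pe + 24 + opt_size + 40 * i + 8) for i in range(nsec)]
    return pe + 24 + 112, secs

def _off(secs, rva):  # RVA -> file offset
    for vsize, va, rsize, raw in secs:
        if va <= rva < va + max(vsize, rsize):
            return raw + rva - va
    raise ValueError("RVA 0x%x is outside every section" % rva)

def _name(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def imports(data):  # {module name in lower case: set of names imported from it}
    dirs, secs = _layout(data)
    desc, out = _off(secs, U("<I", data, dirs + 8)[0]), {}
    while any(d := U("<5I", data, desc)):  # an all-zero descriptor ends the table
        names = out.setdefault(_name(data, _off(secs, d[3])).lower(), set())
        thunk = _off(secs, d[0] or d[4])  # import lookup table, else the IAT
        while entry := U("<Q", data, thunk)[0]:
            if not entry >> 63:  # by name; ordinal imports are skipped
                names.add(_name(data, _off(secs, entry & 0x7FFFFFFF) + 2))
            thunk += 8
        desc += 20
    return out

def exports(data):  # set of names in the export name pointer table
    dirs, secs = _layout(data)
    exp = _off(secs, U("<I", data, dirs)[0])
    count, _, names_rva = U("<3I", data, exp + 24)
    return {_name(data, _off(secs, r)) for r in U("<%dI" % count, data, _off(secs, names_rva))}

def unsupported(driver, providers):  # providers: {module: image bytes, or None if absent}
    report = {}
    for dll, names in imports(driver).items():
        have = exports(providers[dll]) if providers.get(dll) else set()
        if names - have:
            report[dll] = sorted(names - have)
    return report
```

Pass `open(path, "rb").read()` of the driver and of the target OS's copies of each imported module, with `None` for a module the target OS does not ship.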