Sign your own x64 drivers for vista and 7?

Discuss and announce Total Commander plugins, addons and other useful tools here, both their usage and their development.

Moderators: Hacker, petermad, Stefan2, white

forsberg
Junior Member
Posts: 11
Joined: 2009-05-05, 00:41 UTC

Sign your own x64 drivers for vista and 7?

Post by *forsberg »

I found a document that shows how you can sign your own drivers.
Would that be interesting for anyone here?

I have no programming skills but I thought that this info should be highly interesting.

Edit: I found the site where I downloaded the info, but I can't post that link.

I'll try to add it obfuscated, sorry about that.
Before you click on it, my personal rule is: do NOT click on ANY obfuscated link without any sandboxing.

Code:

Copy to address field and execute:
1185237253/newsletters/nws0903.htm
It seems that this worked :)
That link will take you to a World Wide Web site called minasi on a commercial domain that has a sub-folder called newsletter that has a document called nws0903.htm

Scroll down to 'Tech Section' and read from there.
Balderstrom
Power Member
Posts: 2148
Joined: 2005-10-11, 10:10 UTC

Post by *Balderstrom »

OK, that's odd... that goes to:
http://70.165.73.5/newsletters/nws0903.htm

Mark Minasi's Windows Networking Tech Page
Issue #76 March 2009, How to sign your own drivers.
Last edited by Balderstrom on 2009-10-07, 12:39 UTC, edited 1 time in total.
forsberg
Junior Member
Posts: 11
Joined: 2009-05-05, 00:41 UTC

Post by *forsberg »

That's correct, it should; the IP address is in DWORD format, that's why it looks like that.

Could you change it to:
World Wide Web site called minasi on a commercial domain
ghisler(Author)
Site Admin
Posts: 50535
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland
Contact:

Post by *ghisler(Author) »

That's a clever idea to sign the driver with your self-created cert, and then install the certification authority on the user's computer. I didn't know that this worked, I thought that Microsoft only accepts Verisign certificates for drivers...
Author of Total Commander
https://www.ghisler.com
forsberg
Junior Member
Posts: 11
Joined: 2009-05-05, 00:41 UTC

Post by *forsberg »

I have my own mail server (for me and my friends) and I sign my own certificates because I don't want to pay $995 to VeriSign.

This is practically the same.

I really want someone to test this because if it works I'm going to spread this info to everyone making freeware applications.

I'm currently running Windows 7 x64 so I could try it (if someone makes it).
ghisler(Author)
Site Admin
Posts: 50535
Joined: 2003-02-04, 09:46 UTC
Location: Switzerland
Contact:

Post by *ghisler(Author) »

The optimum would of course be to write an installer which would install the root cert automatically, so the user doesn't have to go through all these dialogs. It could certainly be done with CertOpenSystemStore and companion functions...
Author of Total Commander
https://www.ghisler.com
forsberg
Junior Member
Posts: 11
Joined: 2009-05-05, 00:41 UTC

Post by *forsberg »

If you could do that it would be even better.
And I'll test it even if it crashes my comp. I think this is more important than a reinstall snag.
SQUIRE
Senior Member
Posts: 373
Joined: 2005-06-16, 18:07 UTC

Post by *SQUIRE »

forsberg
Junior Member
Posts: 11
Joined: 2009-05-05, 00:41 UTC

Post by *forsberg »

Thanks for that!
Through that link I found this (since I can't post links I'll copy the post):
Sign PE file with certificate by programming wrote:

Code:

#include <windows.h>
#include <cryptuiapi.h>
#pragma comment (lib, "Cryptui.lib")

//////////////////////////////////////////////////////////////////////////////////////////////////
//
// Function: SignFile
//
// Purpose: Sign PE file with certificate. (*.pvk and *.cer)
//
// Arguments:
// pszExeFile [in] The PE file name.
// pszPvkFile [in] The private key file name. (*.pvk)
// pszCertFile [in] The certificate file name. (*.cer, *.spc)
//
// Returns:
// If success, return TRUE. On failure GetLastError() gives the reason.
//
// Notes:
// The CRYPTUI_WIZ_* structures only take wide strings, so the parameters
// are LPCWSTR rather than LPTSTR. The structures are zeroed before use so
// that unused union members and reserved fields are not left uninitialised.
//
// Last modified: 2009.01.20

BOOL SignFile(LPCWSTR pszExeFile, LPCWSTR pszPvkFile, LPCWSTR pszCertFile)
{
    CRYPTUI_WIZ_DIGITAL_SIGN_INFO signInfo;
    CRYPTUI_WIZ_DIGITAL_SIGN_CERT_PVK_INFO pvkInfo;
    CRYPTUI_WIZ_DIGITAL_SIGN_PVK_FILE_INFO pvkFileInfo;
    BOOL bResult;

    ZeroMemory(&signInfo, sizeof(signInfo));
    ZeroMemory(&pvkInfo, sizeof(pvkInfo));
    ZeroMemory(&pvkFileInfo, sizeof(pvkFileInfo));

    // Where the private key comes from: a .pvk file, default RSA provider
    pvkFileInfo.dwSize = sizeof(CRYPTUI_WIZ_DIGITAL_SIGN_PVK_FILE_INFO);
    pvkFileInfo.pwszPvkFileName = pszPvkFile;
    pvkFileInfo.pwszProvName = NULL;
    pvkFileInfo.dwProvType = PROV_RSA_FULL;

    // The signing certificate (.cer/.spc) paired with that private key
    pvkInfo.dwSize = sizeof(CRYPTUI_WIZ_DIGITAL_SIGN_CERT_PVK_INFO);
    pvkInfo.pwszSigningCertFileName = pszCertFile;
    pvkInfo.dwPvkChoice = CRYPTUI_WIZ_DIGITAL_SIGN_PVK_FILE;
    pvkInfo.pPvkFileInfo = &pvkFileInfo;

    // What to sign and how: the PE file, using the cert/pvk pair above,
    // no timestamp, and embed the whole certificate chain in the signature
    signInfo.dwSize = sizeof(CRYPTUI_WIZ_DIGITAL_SIGN_INFO);
    signInfo.dwSubjectChoice = CRYPTUI_WIZ_DIGITAL_SIGN_SUBJECT_FILE;
    signInfo.pwszFileName = pszExeFile;
    signInfo.dwSigningCertChoice = CRYPTUI_WIZ_DIGITAL_SIGN_PVK;
    signInfo.pSigningCertPvkInfo = &pvkInfo;
    signInfo.pwszTimestampURL = NULL;
    signInfo.dwAdditionalCertChoice = CRYPTUI_WIZ_DIGITAL_SIGN_ADD_CHAIN;
    signInfo.pSignExtInfo = NULL;

    // CRYPTUI_WIZ_NO_UI: run the signing wizard silently, no dialogs
    bResult = CryptUIWizDigitalSign(CRYPTUI_WIZ_NO_UI, NULL, NULL, &signInfo, NULL);

    return bResult;

} // SignFile()


Anonymous Comment wrote: this is like this from cmd.exe && WDK? (sample for signing driver)
del /q vusbbus\*.cat
rem makecert creates the self-signed cert and its private key; it was run once, so it is commented out for later runs:
rem makecert.exe -$ individual -r -pe -ss "Jes Certificate Store" -n "CN=Jes" Jes.cer
rem build the catalog for the driver package, then sign the catalog and the driver binary itself
inf2cat /driver:vusbbus /os:XP_X64,Vista_X64,7_X64 /v
signtool.exe sign /v /s "Jes Certificate Store" vusbbus\vusbbus.cat
signtool.exe sign /v /s "Jes Certificate Store" /n "Jes" /t http://timestamp.verisign.com/scripts/timestamp.dll vusbbus\vusbbus.sys

rem on the target machine (as administrator): make the self-signed cert a trusted root and a trusted publisher
certmgr.exe -add Jes.cer -s -r localMachine root
certmgr.exe -add Jes.cer -s -r localMachine trustedpublisher

Hope this will be a piece of the puzzle.
Flint
Power Member
Posts: 3506
Joined: 2003-10-27, 09:25 UTC
Location: Belgrade, Serbia
Contact:

Post by *Flint »

Unfortunately, Mark Minasi's article is wrong, I tried it. Using this method, one indeed can sign the driver so that Windows shows "The digital signature is OK" in the file properties dialog, but nevertheless the driver is not loaded because, quoting the error message text, "Windows is unable to verify the driver signature". :(

As far as I know, there is absolutely no way to load self-signed drivers in Windows x64 (Vista and 7), except by setting the test signing mode via bcdedit.exe (or pressing F8 on Windows boot and selecting the appropriate menu item). There are special programs on the Internet that make Windows load such drivers, but all they do is turn the test sign mode on and (sometimes) hide the "Test Mode" desktop watermark. And if one sets the test sign mode, there is no need to import any certificate; Windows in this mode loads drivers with any signature, no matter valid or invalid, verified or not verified.
Flint's Homepage: Full TC Russification Package, VirtualDisk, NTFS Links, NoClose Replacer, and other stuff!
 
Using TC 11.03 / Win10 x64
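An added check that goes with Flint's point, not code from this thread or from any poster: a PowerShell script, assumed to run elevated on Windows 7 or later, that reports whether test-signing mode is on and lists running kernel drivers whose Authenticode signature is not valid or whose signer is not Microsoft. The function names are my own.

```powershell
# Added example: spot the two things the thread discusses from a defender's side,
# (1) test-signing mode switched on, (2) loaded drivers that do not carry a
# signature chaining to Microsoft. Assumes an elevated prompt on Windows 7+.

function Get-TestSigningState {
    # bcdedit prints a line "testsigning  Yes" for the current boot entry when test mode is on
    $bcd = & bcdedit /enum '{current}' 2>$null
    return [bool]($bcd | Where-Object { $_ -match '^\s*testsigning\s+Yes' })
}

function Get-UnverifiedDrivers {
    Get-WmiObject Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName comes back as \??\C:\..., \SystemRoot\..., or relative to SystemRoot
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
            if (-not (Test-Path $path)) { return }

            # Get-AuthenticodeSignature applies user-mode trust: a self-signed root imported
            # into LocalMachine\Root makes Status 'Valid' here even though the kernel's own
            # driver-signing policy still rejects the file. That is why the signer is checked too.
            $sig = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                Name   = $_.Name
                Path   = $path
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        } |
        Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'O=Microsoft' }
}

if (Get-TestSigningState) {
    Write-Warning 'Test-signing mode is ON: the kernel will load drivers regardless of who signed them.'
}
Get-UnverifiedDrivers | Format-Table -AutoSize
```

Third-party drivers from legitimate vendors will show up in the list by design; the point is to review that list rather than to treat every entry as hostile.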
forsberg
Junior Member
Posts: 11
Joined: 2009-05-05, 00:41 UTC

Post by *forsberg »

I really hope that's wrong. Otherwise there's a sad future for us all.
Anyone making freeware or a plugin for TC is not going to pay $300 to micro$oft, and if they do it's not freeware anymore.

Btw, I have W7 x64 and I installed MagicDisk yesterday and I got the same message "Windows is unable to verify the driver signature" and the application works perfectly. I installed it on a Vista machine today, but there you have to right click on the setup and choose Run as Administrator, otherwise it won't install the driver, and Vista says the same, "Windows is unable to verify the driver signature", but the application works.

No test mode is enabled on either machine.
gigaman
Member
Posts: 134
Joined: 2003-02-14, 11:28 UTC

Post by *gigaman »

ghisler(Author) wrote:The optimum would of course be to write an installer which would install the root cert automatically, so the user doesn't have to go through all these dialogs. It could certainly be done with CertOpenSystemStore and companion functions...
I certainly hope it's not possible - otherwise, the whole driver-signing feature is completely useless and any malware can bypass it.
forsberg wrote:I really hope that's wrong. Otherwise there's a sad future for us all.
Anyone making freeware or a plugin for TC is not going to pay $300 to micro$oft, and if they do it's not freeware anymore.
I thought we were talking about drivers... how many plugins require their own driver code?
forsberg
Junior Member
Posts: 11
Joined: 2009-05-05, 00:41 UTC

Post by *forsberg »

The malware will be installed because they will pay the 300 and the whole driver-signing feature IS completely useless.

They make US$ 10 000+/day/malware.
http://www.securitysa.com/news.aspx?pklNewsId=33243&pklCategoryID=11
gigaman
Member
Posts: 134
Joined: 2003-02-14, 11:28 UTC

Post by *gigaman »

I'm not saying it's 100% of course, but... to get the certificate, you have to identify yourself - which is a certain limitation (not the price, sure).
Also, the certificates can be revoked, right?
forsberg
Junior Member
Posts: 11
Joined: 2009-05-05, 00:41 UTC

Post by *forsberg »

The identity they give is not likely real.
I don't know if they can revoke certificates, but I guess it will take 2 months before anyone reacts. The malware community will act a lot faster than Microsoft. And 2 weeks is all they ever need.

Sorry, but as I see it, it's like a drive-by shooting with a machine gun. Too many innocents get killed to get the bad guy.

PS.
Thanks for arguing with me :D
If I seem rude for any reason, I'm sorry, that was not intended.