Problems signing after using EV certificates

kimjw0820
Posts: 35
Joined: Fri Sep 11, 2015 1:54 am

Problems signing after using EV certificates

Post by kimjw0820 »

Hello,
I used it well as a code signing certificate.
However, an EV certificate is required for sys distribution.
So I received an EV certificate for madcodehook.sys distribution.

The win32 process is fine.
However, there is a windbg error in the metro process.

Is there a workaround?

windows 10 64bit.
madchook : 3.1.12

windbg message.

--

******************************************************************
* This break indicates this binary is not signed correctly: \Device\HarddiskVolume3\Program Files (x86)\kimjw0820\x64.dll
* and does not meet the system policy.
* The binary was attempted to be loaded in the process: \Device\HarddiskVolume3\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftPdfReader.exe
* This is not a failure in CI, but a problem with the failing binary.
* Please contact the binary owner for getting the binary correctly signed.
******************************************************************
Break instruction exception - code 80000003 (first chance)
fffff800`61765aca cc int 3


******************************************************************
* This break indicates this binary is not signed correctly: \Device\HarddiskVolume3\Program Files (x86)\kimjw0820\x64.dll
* and does not meet the system policy.
* The binary was attempted to be loaded in the process: \Device\HarddiskVolume3\Windows\System32\Windows.WARP.JITService.exe
* This is not a failure in CI, but a problem with the failing binary.
* Please contact the binary owner for getting the binary correctly signed.
******************************************************************
Break instruction exception - code 80000003 (first chance)
fffff800`61765aca cc int 3
iconic
Site Admin
Posts: 1064
Joined: Wed Jun 08, 2005 5:08 am

Re: Problems signing after using EV certificates

Post by iconic »

Edge and extensions for Edge (Pdf Reader) may expect the DLL to be signed by Microsoft in order to be correctly loaded. Maybe this is your problem?

--Iconic
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Re: Problems signing after using EV certificates

Post by madshi »

Iconic could be right. Is your hook dll signed? Try signing it the same way you sign the driver, maybe it helps? I'm not completely sure, though.
iconic
Site Admin
Posts: 1064
Joined: Wed Jun 08, 2005 5:08 am

Re: Problems signing after using EV certificates

Post by iconic »

Blocking unwelcome code injection with Module Code Integrity
Starting with EdgeHTML 13, Microsoft Edge defends the user’s browsing experience by blocking injection of DLLs into the browser unless they are Windows components or signed device drivers. DLLs that are either Microsoft-signed, or WHQL-signed, will be allowed to load, and all others will be blocked. “Microsoft-signed” allows for Edge components, Windows components, and other Microsoft-supplied features to be loaded. WHQL (Windows Hardware Quality Lab) signed DLLs are device drivers for things like the webcam, some of which need to run in-process in Edge to work. For ordinary use, users should not notice any difference in Microsoft Edge.
Source: https://blogs.windows.com/msedgedev/201 ... integrity/

--Iconic
madshi
Site Admin
Posts: 10749
Joined: Sun Mar 21, 2004 5:25 pm

Re: Problems signing after using EV certificates

Post by madshi »

Good catch, thanks!
kimjw0820
Posts: 35
Joined: Fri Sep 11, 2015 1:54 am

Re: Problems signing after using EV certificates

Post by kimjw0820 »

Oh, thank you!
I decided to add it to the exclude list :)
iconic
Site Admin
Posts: 1064
Joined: Wed Jun 08, 2005 5:08 am

Re: Problems signing after using EV certificates

Post by iconic »

That's what I do too ;) *be it my own lib or Madshi's* Microsoft's Edge is a pain in the behind when it comes to this kind of stuff, but I understand Microsoft's reasoning behind it after Internet Explorer (IE) was a security nightmare. Bypassing a lot of the security enhancements isn't hard; however, end-users could be left compromised, and that's simply something I'll not ever negotiate, even if it means my standard method for DLL injection is denied by it. Good call on your part.

--Iconic
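
Added example, not part of any post in this thread and not madCodeHook code: a Python script that reads kernel-debugger output in the format quoted in the first post and reports which processes rejected which DLL under the signing policy, giving candidate entries for the exclude list the posters settle on. The function names are hypothetical, and how the resulting list is handed to the injection library is not shown.

```python
from collections import defaultdict
from ntpath import basename  # applies Windows path rules on any host OS

BINARY_PREFIX = "* This break indicates this binary is not signed correctly:"
PROCESS_PREFIX = "* The binary was attempted to be loaded in the process:"

# Sample input: the two banners from the first post, cut down to the lines read here.
SAMPLE_LOG = r"""
* This break indicates this binary is not signed correctly: \Device\HarddiskVolume3\Program Files (x86)\kimjw0820\x64.dll
* and does not meet the system policy.
* The binary was attempted to be loaded in the process: \Device\HarddiskVolume3\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftPdfReader.exe
Break instruction exception - code 80000003 (first chance)
* This break indicates this binary is not signed correctly: \Device\HarddiskVolume3\Program Files (x86)\kimjw0820\x64.dll
* and does not meet the system policy.
* The binary was attempted to be loaded in the process: \Device\HarddiskVolume3\Windows\System32\Windows.WARP.JITService.exe
Break instruction exception - code 80000003 (first chance)
"""


def parse_ci_breaks(log_text):
    """Return {rejected DLL path: sorted process image names that refused it}."""
    blocked = defaultdict(set)
    current_dll = None
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith(BINARY_PREFIX):
            current_dll = line[len(BINARY_PREFIX):].strip()
        elif line.startswith(PROCESS_PREFIX) and current_dll:
            proc_path = line[len(PROCESS_PREFIX):].strip()
            # Image names are case-insensitive on Windows, so normalise them.
            blocked[current_dll].add(basename(proc_path).lower())
            current_dll = None  # a banner without a process line is ignored
    return {dll: sorted(procs) for dll, procs in blocked.items()}


def exclude_candidates(log_text):
    """Flat, de-duplicated list of process image names to consider excluding."""
    names = set()
    for procs in parse_ci_breaks(log_text).values():
        names.update(procs)
    return sorted(names)


if __name__ == "__main__":
    for dll, procs in parse_ci_breaks(SAMPLE_LOG).items():
        print(dll)
        for name in procs:
            print("  rejected by:", name)
```
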
ExPx
Posts: 34
Joined: Fri Oct 21, 2016 3:20 pm

Re: Problems signing after using EV certificates

Post by ExPx »

Hello iconic. Can you contact me?
iconic
Site Admin
Posts: 1064
Joined: Wed Jun 08, 2005 5:08 am

Re: Problems signing after using EV certificates

Post by iconic »

I prefer email correspondence. You can reach me @ bindshell <at> gmail <dot> com

--Iconic