LoadInjectionDriver() returning 577 on Vista/64

c++ / delphi package - dll injection and api hooking
Post Reply
foxglove
Posts: 3
Joined: Sat Apr 25, 2015 6:39 am

LoadInjectionDriver() returning 577 on Vista/64

Post by foxglove »

Hi madshi,

LoadInjectionDriver() is returning 577 on my Vista x64 virtual machine. It's a clean image with nothing installed on it other than all applicable Windows Updates and VMware Tools. I'm calling LoadInjectionDriver() from a process that is launched from a service that is running as SYSTEM. As near as I can tell the driver is correctly configured and signed, including the cross certificate. 'signtool verify' returns success with both the /pa and the /kp options, and the driver loads without error on Windows 7 x64. The certificate is issued by DigiCert Assured ID Code Signing CA and is valid from 2015-02-18 to 2017-02-23. I'm cross signing with DigiCert Assured ID Root CA.crt.

Any idea what the problem might be?
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: LoadInjectionDriver() returning 577 on Vista/64

Post by madshi »

First check should always be: Does the same problem occur with the precompiled demos?

http://madshi.net/PrintMonitor.zip
http://madshi.net/HookProcessCreation.zip
http://madshi.net/HookProcessTermination.zip
foxglove
Posts: 3
Joined: Sat Apr 25, 2015 6:39 am

Re: LoadInjectionDriver() returning 577 on Vista/64

Post by foxglove »

The demos (unsurprisingly) work fine on Vista/64.

Since the driver loads on Windows 7/64 I'm assuming that I'm signing it correctly. Also, this is code that used to work fine on Vista/64 three years ago (it's been in hiatus). All that's changed is the certificate provider (used to be VeriSign, now is DigiCert) and the version of madCodeHook. I've tried using three different versions of signtool.exe (from the 7.0, 7.1, and 8.1 SDKs), all to no avail.

So given all of that, could it be the certificate itself? Do you know of any issues with respect to DigiCert certificates on Vista/64? I've tried Googling it but I haven't found anything.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: LoadInjectionDriver() returning 577 on Vista/64

Post by madshi »

Have you used the correct cross certificate? You can't use the VeriSign cross certificate, it has to be the DigiCert cross cert (if there is one). I'm not sure why Windows 7 x64 works for you while Vista x64 doesn't, but if the demos work then it is still very likely that either the configuration and signing isn't correct.

A good test might be to take the demo, keep all the files (dll+exe), and just recreate the driver, using your own certificate. Since the driver created by me works, if the driver created by you doesn't work, then you know for sure that the way you create the driver must have an issue. The demos are all created with the latest madCodeHook 3.1.9 build, so use the driver files from that version.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: LoadInjectionDriver() returning 577 on Vista/64

Post by iconic »

FoxGlove,

Sign a driver file and right-click it choosing "Digital Signatures" tab then take a look at "Digest Algorithm" column... if it says SHA-2 then there is your problem. SHA-1 is being phased out so this is likely your issue as more and more CA's are issuing SHA-2 exclusively these days.

--Iconic
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: LoadInjectionDriver() returning 577 on Vista/64

Post by madshi »

Haven't thought about that. Oh man, I hate it. Why are they making life so hard to us devs?
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: LoadInjectionDriver() returning 577 on Vista/64

Post by iconic »

Hey Mathias,

If you recall I mentioned this a couple months ago in email with you. I was put through the gauntlet and had to move mountains in order for my CA company to reissue my personal code signing cert as SHA-1, since I too needed backwards OS compatibility and SHA-2 wasn't compatible. I'd consider making an announcement or a forum sticky about the SHA-1 deprecation and phase out effective January 1, 2016. Microsoft still hasn't figured out what they need to do and their last hotfix for support for previous OS support was rescinded after 2 or 3 days, it was buggy and they urged users to uninstall the update. I don't know about everyone else but the thought of forcing my user base or a client to install a magical hotfix on a base install (no updates) of an OS doesn't seem practical to me, I don't like this at all. Anyhow, I have a feeling that this is FoxGlove's issue indeed. If you read his other post he mentions the cert expiration date which appears to be a 2 year renewal period and CA's would undoubtedly issue a SHA-2 cert, sadly.

--Iconic
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: LoadInjectionDriver() returning 577 on Vista/64

Post by madshi »

I've two active threads now about signing issues. One says it works on Windows 7 x64, but not on Vista x64. The other thread reports the exact opposite. I'm not really sure what to write in an announcement post. Is it Vista x64 which is the problem? Or Windows 7 x64? Or both? How about XP/2003 x64? Windows Server 2008 (R2)? Maybe it depends on which OS has a SHA-2 hotfix installed? But does such a hotfix exist for every OS? Is it installed by Windows Update or does it have to be installed manually? Is it unstable on all OSs or just some? In order to write an announcement post I'd have to have all that information, but I don't have that atm...
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: LoadInjectionDriver() returning 577 on Vista/64

Post by iconic »

Anyone reading this thread should also see here

viewtopic.php?f=7&t=27999&p=48387#p48387

--Iconic
foxglove
Posts: 3
Joined: Sat Apr 25, 2015 6:39 am

Re: LoadInjectionDriver() returning 577 on Vista/64

Post by foxglove »

Thanks everyone for your replies.

The certificate definitely supports SHA-1; that's what it's using now. I'd come across the SHA-1 phase-out issue while I was trying to debug this and so I experimented with using signtool to sign with SHA-2 (/fd switch), but Vista x64 didn't like that either. Though at least I got a different error number back when I tried to load it.

The fact is, the driver loads successfully on ever 32-bit and 64-bit client and server OS, including the Windows 10 technology preview, except for Vista x64. Since madshi's sample drivers signed with his GlobalSign cert load fine on Vista x64, and since my driver used to work on Vista x64 with a VeriSign cert (software changed companies, so different cert), I can't think of any explanation other than DigiCert certificates just don't work with Vista x64 device drivers.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: LoadInjectionDriver() returning 577 on Vista/64

Post by madshi »

That sounds really weird. Two suggestions:

1) Try creating an "empty" driver, or compile some demo driver. Does that still not work?
2) Try another Vista x64 installation (e.g. some VM) to double check that it's a general Vista x64 problem, or maybe it's specific to your PC?

If it seems to be a general problem, I'd strongly recommend to contact DigiCert customer support about it. They might already be aware of the problem and may be able to provide some sort of fix. If it's specific to one Vista x64 machine, but not a general problem, then it might be hard to fix the problem, because nobody but you may be able to reproduce the problem. In any case, you could still try to contact DigiCert and ask about it. After all, if the driver signed by me works, and the driver signed by you doesn't, all the evidence points towards DigiCert.

There's one more thing that could be wrong: Maybe the way you're signing is somehow different to the way I'm signing, and maybe that makes a difference on that one specific Vista x64 machine, for some weird reason. Are you using the same signing command line I'm using (adjusted for your certificate, of course)? Also, try signing on a different machine. Maybe the signtool is broken on your dev machine, or something...
Post Reply