Unable to install Driver

Post by manutai » Sat Apr 25, 2015 11:49 am

Hi,

I am not able to install drivers on Windows 7 x64. The same drivers work on Win XP, Win 8, Win 7 x86.

In Event Viewer it displays the following error:

Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

Event ID: 5038


The drivers are signed, and the property sheet shows that the drivers are properly signed.
We have been using these drivers for a long time. We recently changed our code signing certificate, and since then it has been giving this error.
manutai
 
Posts: 81
Joined: Sun Aug 03, 2008 1:40 am

Re: Unable to install Driver

Post by madshi » Sat Apr 25, 2015 11:56 am

Sounds like a signing issue. x86 OSs are much more relaxed there. x64 OSs are stricter.

If you changed your signing certificate, did you also change the cross certificate so that it matches your new signing certificate?
madshi
Site Admin
 
Posts: 9774
Joined: Sun Mar 21, 2004 5:25 pm

Re: Unable to install Driver

Post by manutai » Mon Apr 27, 2015 5:03 am

Hi,

Thanks for your response.

The new certificate which we are using to sign the driver uses SHA-2 (256 bit) instead of SHA-1. Does that make any difference? Is the cross certificate specific to shaXX?

Also, one observation is that even after signing with SHA-2 ... it shows that the driver is signed with SHA-1 only.

Please respond.

Regards.
manutai
 
Posts: 81
Joined: Sun Aug 03, 2008 1:40 am

Re: Unable to install Driver

Post by madshi » Mon Apr 27, 2015 9:10 am

It could very well have to do with that. See also here:

viewtopic.php?f=7&t=27998

There isn't really anything I can do here. I can't reissue certificates for you, and I can't change the way the OS expects signing to be. So the only thing you can do is ask your certificate provider for help. Maybe they can reissue your certificate as SHA-1. Or you could contact Microsoft, asking why your certificate doesn't work in Windows 7 x64. There isn't really anything I can do. It's not related to madCodeHook in any way. The same problem would occur with any other driver you'd try to sign, as well... :(
madshi
Site Admin
 
Posts: 9774
Joined: Sun Mar 21, 2004 5:25 pm

Re: Unable to install Driver

Post by iconic » Mon Apr 27, 2015 7:57 pm

SHA-2 support is available in Windows 8 / Server 2012 and up. Any OS prior to this does not natively support SHA-2 out of the box. Having said this, Microsoft tried to release a SHA-2 support patch for Windows 7 roughly 6 months ago; it was buggy and was pulled. Just last month MS decided to have another go at this and has released yet another fix for this, applying to Windows 7/Server 2008 R2, but some users have mentioned issues with this as well. You can read the details here: http://windowsitpro.com/patch-tuesday/p ... ed-3033929

Microsoft has no intention of supporting XP, Server 2003, Vista etc. with SHA-2 etc. These operating systems are legacy and will not be supported.

@Manutai
"I am not able to install drivers on Windows 7 x64. The same drivers work on Win XP, Win 8, Win 7 x86."


Without https://technet.microsoft.com/en-us/library/security/3033929.aspx it will not work on Windows 7 x64 with a SHA-2 signed driver. See the above link with issues reported. Back to your problem, the driver loads for you because Windows XP x86 and Windows 7 x86 do not enforce signature checks when loading a driver into the kernel (x64 OS do). It works on Windows 8 because SHA-2 was first introduced in this OS.

Windows 7 & Server 2008 R2 patch details:

Executive Summary

Microsoft is announcing the reissuance of an update for all supported editions of Windows 7 and Windows Server 2008 R2 to add support for SHA-2 signing and verification functionality. This update supersedes the 2949927 update that was rescinded on October 17, 2014 to address issues that some customers experienced after installation. As with the original release, Windows 8, Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows RT, and Windows RT 8.1 do not require this update because SHA-2 signing and verification functionality is already included in these operating systems. This update is not available for Windows Server 2003, Windows Vista, or Windows Server 2008.

Recommendation. Customers who have automatic updating enabled and configured to check online for updates from Microsoft Update typically will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.

For customers who install updates manually (including customers who have not enabled automatic updating), Microsoft recommends applying the update at the earliest opportunity using update management software, or by checking for updates using the Microsoft Update service. The updates are also available via the download links in the Affected Software table in this advisory.


Another negative impact worth pointing out is that if you believe you're safe from this on x86, that depends, you may not be. Some drivers even on x86 OS require signatures or their loading will be refused. Yes, that's right. An example is the more modern filtering APIs such as Vista+'s ObRegisterCallbacks for thread and process object filtering of created or duplicated handles. This API requires your driver's linker flags to include integritycheck (LINKER_FLAGS=/integritycheck) which forces the driver to be signed and validated (CI related stuff). So you see, it's not just x64 OS driver development that will suffer issues with older operating systems, this can in some circumstances affect older x86 operating systems despite them not strictly enforcing the driver signing policy with vanilla drivers.

Google wanted to make a big fuss about the "theory" of SHA-1 being broken; again, this is all theoretical. Microsoft decided to jump on the bandwagon and join Google in order to phase out SHA-1. This is why, effective January 1, 2016, any certificate authorities (CA) that participate in Microsoft's cross-signing program will be required to issue SHA-2 certificates exclusively. It seems that most companies jumped on this already, well before this deadline was to take effect. Now we as developers are left with this massive headache and confusion due to Microsoft's uncertainty and erratic behavior.

--Iconic
iconic
 
Posts: 838
Joined: Wed Jun 08, 2005 5:08 am
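
Added example, not part of the original thread and not madCodeHook code: the rule described in the post above (x64 always enforces driver signatures, x86 only when the image was linked with /integritycheck) can be read from a driver's PE header. `inspect_driver` and `build_sample` are hypothetical names, and the sample images are constructed header-only stubs, not real drivers.

```python
import struct

MACHINE_AMD64 = 0x8664    # IMAGE_FILE_MACHINE_AMD64
FORCE_INTEGRITY = 0x0080  # IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY, set by /integritycheck

def inspect_driver(image: bytes) -> dict:
    """Read the PE header fields that decide whether a signature is mandatory."""
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)         # e_lfanew
    if image[:2] != b"MZ" or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    (machine,) = struct.unpack_from("<H", image, pe_off + 4)
    opt = pe_off + 24                                         # optional header start
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):                           # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    dirs = opt + (96 if magic == 0x10B else 112)              # data directory array
    (num_dirs,) = struct.unpack_from("<I", image, dirs - 4)
    cert_size = 0
    if num_dirs > 4:                                          # entry 4 = certificate table
        _, cert_size = struct.unpack_from("<II", image, dirs + 4 * 8)
    x64 = machine == MACHINE_AMD64
    forced = bool(dll_chars & FORCE_INTEGRITY)
    return {
        "x64": x64,
        "force_integrity": forced,
        # False can still mean catalog-signed; this only sees embedded signatures.
        "embedded_signature": cert_size > 0,
        # Rule as stated in the thread: x64 always, x86 only with /integritycheck.
        "signature_required": x64 or forced,
    }

def build_sample(machine: int, magic: int, dll_chars: int, cert_size: int) -> bytes:
    """Constructed header-only stub for the demo (not a loadable driver)."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x84, machine)
    opt = 0x80 + 24
    struct.pack_into("<H", img, opt, magic)
    struct.pack_into("<H", img, opt + 70, dll_chars)
    dirs = opt + (96 if magic == 0x10B else 112)
    struct.pack_into("<I", img, dirs - 4, 16)
    struct.pack_into("<II", img, dirs + 32, 0x1000 if cert_size else 0, cert_size)
    return bytes(img)

if __name__ == "__main__":
    print(inspect_driver(build_sample(0x014C, 0x10B, FORCE_INTEGRITY, 0x1A00)))
```

To check a real driver, pass the bytes of the .sys file to `inspect_driver`.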

Re: Unable to install Driver

Post by madshi » Tue Apr 28, 2015 7:11 am

How can *any* company release working drivers for Vista x64 after 2016 then? I'm talking about e.g. AMD, NVidia etc. Are AMD/NVidia not aware of the problem? I can't imagine that. And aren't they complaining to Microsoft? This all sounds pretty crazy to me.
madshi
Site Admin
 
Posts: 9774
Joined: Sun Mar 21, 2004 5:25 pm

Re: Unable to install Driver

Post by iconic » Tue Apr 28, 2015 10:28 am

It is crazy. I'm sure MS will make allowances for certain companies in need, much like they offer "protected process" slots to only some vendors/companies. I guess I am not too surprised considering Windows 10 is supposed to be a Free upgrade anyhow. Looks like MS isn't wasting much time in order to force previous OS' into early end of life, eh? We'll have to patiently wait and see, it's not like us developers have much of a say concerning the code signing algorithms accepted by "their" operating system. My main concern is developers who may need to change code in their previously compiled SHA-1 drivers supporting Vista and below (bug fix for example). Re-signing with SHA-2 makes this incompatible then...

--Iconic
iconic
 
Posts: 838
Joined: Wed Jun 08, 2005 5:08 am

