I have a question.
I have used madCHook 3.1.8,
and signing the driver and dll worked well (hooking several APIs worked well).
But very often, the [Security] log of Event Viewer displays the following message on every test machine.
Event ID : 6281
Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error
I used the following method to link the sys and dll, and to sign the driver.
(I signed the dlls too, and of course signed the dlls first, before madConfigDrv.)
"madConfigDrv.exe" myDrv.sys myDrv myDll01.Dll myDll02.Dll myDll03.Dll ... -unsafeStopAllowed
"madConfigDrv.exe" myDrv64.sys myDrv myDll01.Dll myDll01-64.Dll myDll02.Dll myDll02-64.Dll myDll03.Dll ... -unsafeStopAllowed
C:\WinDDK\..\x86\Signtool sign /ph /v /ac xxx.crt /s my /n "xxx" /t http://timestamp.verisign.com/scripts/timestamp.dll myDrv.sys myDrv64.sys
** Message in the [Security] log of Event Viewer
for x86 : displays the 6281 error for the dlls related to madCHook (the sys file is not displayed)
namely : myDll01.Dll myDll02.Dll myDll03.Dll
for x64 : displays the 6281 error for the dlls related to madCHook (the sys file is not displayed)
BTW, on x64, only the 64-bit dlls are displayed (the 32-bit dlls are not displayed)
namely : myDll01-64.Dll myDll02-64.Dll myDll03-64.Dll
But the Dll/Sys work well.
Is there any method to solve this?
I haven't ever seen such "Code Integrity" warnings on any of my PCs. But I don't really know if that's because of the different way of calling signtool. Could have other reasons, too.
Questions: Does this problem occur every time on some specific PCs? Or does it only occur sometimes? If it only occurs sometimes, does it occur randomly with the same sys file, sometimes yes, sometimes no? Or is it always one sys file which works perfectly, and another sys file which produces these problems?
Then I had changed method of signing,
Does this problem occur every time on some specific PCs? Or does it only occur sometimes?
=> It occurs every time on every PC.
If it only occurs sometimes, does it occur randomly with the same sys file, sometimes yes, sometimes no?
Or is it always one sys file which works perfectly, and another sys file which produces these problems?
=> "Code integrity" happens for dll files, not sys files.
=> and it happens for all dlls related to madCHook.sys.
(Even if the dll is not signed)
** But the dll/sys work well...
What happens if you run any of the madCodeHook demos? Same problem there?
"But dll/sys are worked well". What does that mean?
=> Even if Event Viewer displays warning 6281,
the functions of the Dll/Sys work well. (so, it can protect against terminating some processes, or protect printing, etc.)
Except for the Event Viewer message, everything works well..
And, I will test your dll/sys now...
I have used GlobalSign - CA-G2.
so I will get a new .cer from Microsoft (https://msdn.microsoft.com/en-us/librar ... s.85).aspx)
but there is only a crt file..
How can I get the .cer for GlobalSign?