About sign and Event Viewer message of 6281

c++ / delphi package - dll injection and api hooking

About sign and Event Viewer message of 6281

Postby power888 » Tue May 12, 2015 1:59 am

Hi..

I have question.
I had used madCHook 3.1.8,
and about signing driver and dll, it's worked well.. (worked well for hooking several API)

But very often, [security] of Event-Viewer display following message for every test machine.

Event ID : 6281
Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error

I had used following method to link sys and dll, and for signing driver.
(I used signing for dll too, and of course before madConfigDrv, first signing dll))

"madConfigDrv.exe" myDrv.sys myDrv myDll01.Dll myDll02.Dll myDll03.Dll ... -unsafeStopAllowed
"madConfigDrv.exe" myDrv64.sys myDrv myDll01.Dll myDll01-64.Dll myDll02.Dll myDll02-64.Dll myDll03.Dll ... -unsafeStopAllowed
C:\WinDDK\..\x86\Signtool sign /ph /v /ac xxx.crt /s my /n "xxx" /t http://timestamp.verisign.com/scripts/timestamp.dll myDrv.sys myDrv64.sys

** Message of [security] of Event-Viewer
for x86 : display 6281 error for dlls related madCHook (don't displayed sys file)
namely : myDll01.Dll myDll02.Dll myDll03.Dll

for x64 : display 6281 error for dlls related madCHook (don't displayed sys file)
BTW, in x64, only dislapy 64 dll (not display 32 dll)
namely : myDll01-64.Dll myDll02-64.Dll myDll03-64.Dll

But Dll/Sys is worked well

Is there any method to solve ?
power888
 
Posts: 50
Joined: Sat May 23, 2009 8:55 am

Re: About sign and Event Viewer message of 6281

Postby madshi » Tue May 12, 2015 9:13 am

Your sign command line looks slightly different to the one used in madCodeHook demos and in the madCodeHook documentation. I don't know if the difference explains the problem, but it's always a good idea to use something which is already tried and proven:

http://help.madshi.net/mchDrvSign.htm

I haven't ever seen such "Code Integrity" warnings on any of my PCs. But I don't really know if that's because of the different way of calling signtool. Could have other reasons, too.

Questions: Does this problem occur every time on some specific PCs? Or does it only occur sometimes? If it only occurs sometimes, does it occur randomly with the same sys file, sometimes yes, sometimes no? Or is it always one sys file which works perfectly, and another sys file which produces these problems?
madshi
Site Admin
 
Posts: 9822
Joined: Sun Mar 21, 2004 5:25 pm

Re: About sign and Event Viewer message of 6281

Postby power888 » Tue May 12, 2015 2:26 pm

Hi. thanks for reply.

Then I had changed method of signing,

Questions:

Does this problem occur every time on some specific PCs? Or does it only occur sometimes?
=> occur every time on every PCs.

If it only occurs sometimes, does it occur randomly with the same sys file, sometimes yes, sometimes no?
Or is it always one sys file which works perfectly, and another sys file which produces these problems?
=> "Code integrity" happen for dll files not sys files.
=> and happen all dlls for related madCHook.sys.
(Evenif no signing to dll)

** But dll/sys are worked well...
power888
 
Posts: 50
Joined: Sat May 23, 2009 8:55 am

Re: About sign and Event Viewer message of 6281

Postby madshi » Tue May 12, 2015 2:31 pm

I've a bit confused. You say "But dll/sys are worked well". What does that mean? It seems to contradict the rest of your post.

What happens if you run any of the madCodeHook demos? Same problem there?

http://madshi.net/PrintMonitor.zip
http://madshi.net/HookProcessCreation.zip
http://madshi.net/HookProcessTermination.zip
madshi
Site Admin
 
Posts: 9822
Joined: Sun Mar 21, 2004 5:25 pm

Re: About sign and Event Viewer message of 6281

Postby power888 » Tue May 12, 2015 2:44 pm

Hi.. Thanks

"But dll/sys are worked well". What does that mean?
=> Evenif EventViewer display warning 6281,
The function of Dll/Sys are worked well. (so, can protect terminate some processes or protect print and etc..)
Except EventViewer Message, everything is worked well..

And, I will test your dll/sys now...
power888
 
Posts: 50
Joined: Sat May 23, 2009 8:55 am

Re: About sign and Event Viewer message of 6281

Postby power888 » Tue May 12, 2015 4:18 pm

Now, Event ID 5038 is displayed..

I have used GlobalSign - CA-G2.

so I will get new .cer from Microsoft (https://msdn.microsoft.com/en-us/librar ... 54(v=vs.85).aspx)
but there is only crt file existed..

How can I get .cer for Global sign?
power888
 
Posts: 50
Joined: Sat May 23, 2009 8:55 am

Re: About sign and Event Viewer message of 6281

Postby madshi » Tue May 12, 2015 4:27 pm

I think a got a file from GlobalSign customer support, but it's many months ago, so I don't remember. Please contact GlobalSign customer support, they'll help you out.
madshi
Site Admin
 
Posts: 9822
Joined: Sun Mar 21, 2004 5:25 pm


Return to madCodeHook

Who is online

Users browsing this forum: Baidu [Spider] and 10 guests

cron