Windows 10 support

c++ / delphi package - dll injection and api hooking

Re: Windows 10 support

Postby iconic » Wed Dec 09, 2015 7:14 am

Kernel mode driver signing (requiring a cross-certificate) and more common usermode authenticode signing are treated very differently. Usermode is considered "untrusted" to begin with, it's why the kernel is considered privileged level/ring 0. Microsoft knows this and it's why they've hardened security on their 64-bit OS builds requiring signed drivers, unlike their x86 brothers. Windows 10 is finally taking it a step further and for good reason, despite developers being shafted to some degree. All we can do is wait a few weeks and hope that Microsoft figures out whatever they are doing and hopefully it's not a developer's disaster especially with backwards compatibility. This wouldn't be happening at all if SHA-1 were proven to be secure from a cryptographic perspective =( Another important thing to note is that Certificate Authorities still issuing certs let alone SHA-1 to individuals are much harder to find, GlobalSign and DigiCert require organizations/companies and will not issue to single developers, in case anyone wants a personal code signing cert

--Iconic
iconic
 
Posts: 846
Joined: Wed Jun 08, 2005 5:08 am

Re: Windows 10 support

Postby dcsoft » Wed Dec 09, 2015 2:43 pm

This topic is discussed in great detail here: http://www.osronline.com/showthread.cfm?link=268241

Scroll to the very end:

> Just wanted to point out that there is a very helpful section in a MSFT
Hardware Dev Center document for "Code Signing FAQ", which succinctly summarizes
the code signing situation. Includes a good "OS Support Summary" table at the
end. Here is the link:
>
[url]https://msdn.microsoft.com/en-us/library/windows/hardware/hh801887#code_signing_f
aq[/url]

There's a very interesting note here that I do not recall seeing before:

*Windows 10 Earlier Certificate Transition Signing*

* A driver signed with any certificate issued after July 29th,
2015, with time stamping, is not recommended for Windows 10.
* A driver signed with any certificate that expires after July
29th, 2015, without time stamping, will work on Windows 10 until
the certificate expires.

What this SAYS is that the old driver signing scheme will continue to
work for Windows 10 forever, but you have to feel guilty for using it.
This finally matches the actual experience in the field, which is that
attestation is not actually required for Windows 10, even with a brand
new SHA1 certificate.

--
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.



Prior in the thread, they discuss one reason not to use SHA-1 for Windows 10: the policy to allow drivers signed by SHA-1 can be changed on Windows 10 Enterprise. The feature is called "Device Guard".

So, it seems getting a SHA-1 cert for the max time possible is the best thing to do. I hope it is still possible for individuals (in addition to companies) to do this before the end of the year. Seems GlobalSign and DigiCert will still give them, but perhaps only for companies?

Thanks,
David
dcsoft
 
Posts: 380
Joined: Sat Dec 11, 2004 2:11 am
Location: San Francisco Bay Area, CA USA

Re: Windows 10 support

Postby dcsoft » Mon Dec 14, 2015 3:58 pm

If you are interested in using a SHA-1 certificate, the last day to purchase a new or renewed one is December 31, 2015. I've written a post here: https://dcsoft.wordpress.com/2015/12/14/renew-your-windows-code-signing-certificates-by-december-31-2015/

Thanks,
David
dcsoft
 
Posts: 380
Joined: Sat Dec 11, 2004 2:11 am
Location: San Francisco Bay Area, CA USA

Re: Windows 10 support

Postby Masakazu Takahashi » Thu Jul 05, 2018 10:51 am

I am using madcodeHook 4.0.5.
In order to load the madcodehook driver even in an environment where secure boot is effective, I am trying to register to the Windows Hardware Dev Center dashboard and receive a signature of Microsofut.
madashi:
Other users seem to have already done it, but do not you need your permission?
I will try to refer to the registration method that you are introducing if you do not mind.

Thanks
M.Takahashi
Masakazu Takahashi
 
Posts: 1
Joined: Thu Oct 12, 2017 8:44 am

Re: Windows 10 support

Postby madshi » Thu Jul 05, 2018 10:55 am

Where/why would you need my permission? If you have a valid madCodeHook license (I'm sure you do), then that license grants you the right to use the driver. That includes permission to send it in to Microsoft for EV signing. No problem for me at all.

There's an "inf" file in the driver folder that may help you get going. I'm not really an expert on EV signing myself, though, because I don't have an EV certificate. The "inf" file was kindly provided by a madCodeHook user.
madshi
Site Admin
 
Posts: 9830
Joined: Sun Mar 21, 2004 5:25 pm

Previous

Return to madCodeHook

Who is online

Users browsing this forum: Baidu [Spider] and 9 guests