
madConfigDrv creates wrong checksum

Posted: Thu Feb 11, 2016 6:52 am
by psy2391
Example:
madConfigDrv DemoDriver32.sys HookProcessCreationDemoDriver HookProcessCreation32.dll -unsafeStopAllowed
madConfigDrv DemoDriver64.sys HookProcessCreationDemoDriver HookProcessCreation32.dll HookProcessCreation64.dll -unsafeStopAllowed

When I created a hooking driver with reference to the above example,
the CheckSum value of IMAGE_OPTIONAL_HEADER in the PE structure of the sys file contained an invalid value.
When I digitally signed the hooking driver with signtool.exe on Windows 10, the driver wasn't loaded due to a checksum problem.
(On Windows 8.1 and earlier versions, it puts correct checksums after digitally signing.)

I am currently using madCodeHook 3.1.10.
Is it possible to check and patch the problem above?

Re: madConfigDrv creates wrong checksum

Posted: Thu Feb 11, 2016 7:53 am
by madshi
The signtool used to correct the checksum. It has to, because it changes the contents of the file. Does it no longer do that? I wonder how that could possibly work! If madConfigDrv writes the correct checksum into the header, after signtool added the signatures, the checksum will no longer be valid!

Re: madConfigDrv creates wrong checksum

Posted: Fri Feb 12, 2016 8:11 am
by psy2391
First, thank you for your quick answer.

In Windows 10, to correct the checksum of digitally signed drivers, the original driver's checksum must be correct.
In my tests, it was confirmed that the checksum of DemoDriver64.sys is the same before and after performing the following command.

madConfigDrv DemoDriver64.sys HookProcessCreationDemoDriver HookProcessCreation32.dll HookProcessCreation64.dll -unsafeStopAllowed

Is it right?

If so, I think that madConfigDrv must change the checksum value of the driver, since madConfigDrv changed the contents of the driver.
Ultimately, I wonder whether this part will be reflected in the next patch.

Re: madConfigDrv creates wrong checksum

Posted: Wed Mar 09, 2016 5:58 pm
by madshi
Sorry for the late reply. I just wanted to implement this, but the functionality is already there (although undocumented). Simply add "-fixCheckSum" parameter to the madConfigDrv command line. I'll automatically do this for the next build.

Re: madConfigDrv creates wrong checksum

Posted: Mon Mar 28, 2016 3:02 am
by psy2391
I'm so glad to hear that the problem was fixed in the 3.1.11 patch.
Thank you for your support.