madConfigDrv creates wrong checksum

c++ / delphi package - dll injection and api hooking
psy2391
Posts: 7
Joined: Thu Feb 11, 2016 3:16 am

Post by psy2391 »

Example:
madConfigDrv DemoDriver32.sys HookProcessCreationDemoDriver HookProcessCreation32.dll -unsafeStopAllowed
madConfigDrv DemoDriver64.sys HookProcessCreationDemoDriver HookProcessCreation32.dll HookProcessCreation64.dll -unsafeStopAllowed

When I created a hooking driver with reference to the above example, the CheckSum value of IMAGE_OPTIONAL_HEADER in the PE structure of the sys file contained an invalid value.
When the hooking driver was digitally signed with signtool.exe in Windows 10, the driver wasn't loaded due to a checksum problem.
(In Windows 8.1 and earlier versions, it puts correct checksums after digitally signing.)

I am currently using madCodeHook 3.1.10.
Is it possible to check the problem and patch for the problem above?
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: madConfigDrv creates wrong checksum

Post by madshi »

The signtool used to correct the checksum. It has to, because it changes the contents of the file. Does it no longer do that? I wonder how that could possibly work! If madConfigDrv writes the correct checksum into the header, after signtool added the signatures, the checksum will no longer be valid!

Re: madConfigDrv creates wrong checksum

Post by psy2391 »

First, thank you for your quick answer.

In Windows 10, to correct the checksum of digitally signed drivers, the original driver's checksum must be correct.
In my tests, it was confirmed that the checksum of DemoDriver64.sys is the same before and after performing the following command.

madConfigDrv DemoDriver64.sys HookProcessCreationDemoDriver HookProcessCreation32.dll HookProcessCreation64.dll -unsafeStopAllowed

Is it right?

If so, I think that madConfigDrv must change the checksum value of the driver, since madConfigDrv changed the contents of the driver.
Ultimately, I wonder whether this part will be reflected in the next patch.

Re: madConfigDrv creates wrong checksum

Post by madshi »

Sorry for the late reply. I just wanted to implement this, but the functionality is already there (although undocumented). Simply add "-fixCheckSum" parameter to the madConfigDrv command line. I'll automatically do this for the next build.

Re: madConfigDrv creates wrong checksum

Post by psy2391 »

I'm so glad to hear that the problem was fixed in the 3.1.11 patch.
Thank you for your support.
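
The check discussed in this thread, as an added example that is not part of the original posts and is not madCodeHook code: it compares the stored IMAGE_OPTIONAL_HEADER.CheckSum with a recomputed value, shows the field going stale when file contents change, and rewrites it. It assumes the widely documented PE checksum algorithm (16-bit end-around-carry sum with the CheckSum field counted as zero, plus the file length); the function names and the tiny sample image are constructed for illustration.

```python
import struct

def checksum_offset(image):
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum (same for PE32 and PE32+)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20 + 64  # signature + IMAGE_FILE_HEADER + field offset

def stored_checksum(image):
    return struct.unpack_from("<I", image, checksum_offset(image))[0]

def compute_checksum(image):
    off = checksum_offset(image)
    buf = bytes(image[:off]) + b"\0" * 4 + bytes(image[off + 4:])  # field as zero
    if len(buf) % 2:
        buf += b"\0"                       # pad an odd-sized file to a whole word
    total = sum(w for (w,) in struct.iter_unpack("<H", buf))
    while total >> 16:                     # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (total + len(image)) & 0xFFFFFFFF

def fix_checksum(image):
    """Rewrite the header field in place (image must be a bytearray)."""
    struct.pack_into("<I", image, checksum_offset(image), compute_checksum(image))

def build_sample():
    """Constructed 512-byte PE-like buffer: just enough headers for the check."""
    img = bytearray(512)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)    # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x84, 0x8664)  # Machine: AMD64
    struct.pack_into("<H", img, 0x98, 0x20B)   # optional header magic: PE32+
    return img

def demo():
    img = build_sample()
    fix_checksum(img)
    valid_before = stored_checksum(img) == compute_checksum(img)
    img[0x100:0x104] = b"CFG1"  # contents change, header field left untouched
    stale = stored_checksum(img) != compute_checksum(img)
    fix_checksum(img)           # the step a checksum-fixing option has to perform
    valid_after = stored_checksum(img) == compute_checksum(img)
    return valid_before, stale, valid_after

if __name__ == "__main__":
    print(demo())
```

Running `stored_checksum` and `compute_checksum` on a driver before signing shows whether the header field was already stale when it reached the signing step.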