Signing help


Post by Erick » Thu Jan 05, 2017 6:06 pm

I'm a long-time madshi hook user, but this is my first foray into Windows 10 and I'm not having luck trying to sign/run the DemoDriver for HookProcessCreation.

I don't expect Madshi himself to be able to answer my question, it's more for others who have previously failed.

I downloaded and tried his PrintMonitor, and it works. But me compiling/signing HookProcessCreation does not. So it's a user problem.

To start with, I have a GlobalSign EV certificate with dongle and the latest 4.x code from madshi and Delphi 10.1.

I've compiled the HookProcessCreation binaries, and followed the example "config drivers and sign everything" but am having problems with it. Signtool distributed with Win10 doesn't support the options in that batch file, e.g. /t, so I've followed GlobalSign's web pages, but still have no success. DllInjector fails to load the device driver.

Here's my test signing with the parameters suggested by GlobalSign:
D:\mad>"C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool" sign /ph /v /a /tr http://timestamp.globalsign.com/scripts/timestamp.dll /td SHA256 /ac n:r1cross.cer demodriver64.sys
The following certificate was selected:
Issued to: University of Waterloo
Issued by: GlobalSign Extended Validation CodeSigning CA - SHA256 - G2
Expires: Fri Feb 08 09:40:49 2019
SHA1 hash: 15DD8072F09DD489FD329DD6551A571EB8414CEC

Cross certificate chain (using machine store):
Issued to: GlobalSign Root CA
Issued by: GlobalSign Root CA
Expires: Fri Jan 28 07:00:00 2028
SHA1 hash: B1BC968BD4F49D622AA89A81F2150152A41D829C

Issued to: GlobalSign
Issued by: GlobalSign Root CA
Expires: Mon Mar 18 05:00:00 2019
SHA1 hash: 4765557AF418C68A641199146A7E556AA8242996

Issued to: GlobalSign Extended Validation CodeSigning CA - SHA256 - G2
Issued by: GlobalSign
Expires: Fri Aug 02 05:00:00 2019
SHA1 hash: 4F5EA6A9E4BA30A4575DEAD4E4E9D3B2DA66EA7B

Issued to: University of Waterloo
Issued by: GlobalSign Extended Validation CodeSigning CA - SHA256 - G2
Expires: Fri Feb 08 09:40:49 2019
SHA1 hash: 15DD8072F09DD489FD329DD6551A571EB8414CEC

Done Adding Additional Store
Successfully signed: DemoDriver64.sys

Number of files successfully Signed: 1
Number of warnings: 0
Number of errors: 0

I've only done SHA256 because I only need Win10 compatibility at this point. I don't see Microsoft listed anywhere in the chain, could that be the problem?

I've been trying things all day, this seemed the closest to a solution so far.
Thanks for any suggestions,
Erick
Erick
 
Posts: 9
Joined: Thu Nov 06, 2008 6:33 pm
Location: Canada
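
The question in the post above, whether Microsoft appears anywhere in the chain, can be read mechanically from signtool's `/v` listing. This is an added example, not part of the original thread: it assumes a cross-signed kernel-mode chain names "Microsoft Code Verification Root" as an issuer, and `parse_chain`, `chain_report` and the `CROSS_SIGNED` comparison text are constructed for illustration.

```python
import re

# Assumption (not from the thread): Microsoft's kernel-mode cross-certificates
# are issued by this root, so a cross-signed chain lists it as an issuer.
MS_KERNEL_ROOT = "Microsoft Code Verification Root"

def parse_chain(signtool_output):
    """Return [(subject, issuer), ...] from the 'Cross certificate chain' section."""
    _, _, section = signtool_output.partition("Cross certificate chain")
    section = section.split("Done Adding Additional Store")[0]
    return re.findall(r"Issued to:\s*(.+?)\s*\n\s*Issued by:\s*(.+?)\s*\n", section)

def chain_report(signtool_output):
    """Summarise where the printed chain ends and whether it is cross-signed."""
    chain = parse_chain(signtool_output)
    if not chain:
        return {"length": 0, "root": None, "linked": False, "cross_signed": False}
    # signtool prints root first: each cert must be issued by the one above it.
    linked = all(chain[i][1] == chain[i - 1][0] for i in range(1, len(chain)))
    return {
        "length": len(chain),
        "root": chain[0][0],
        "linked": linked,
        "cross_signed": any(issuer == MS_KERNEL_ROOT for _, issuer in chain),
    }

EV_CA = "GlobalSign Extended Validation CodeSigning CA - SHA256 - G2"
# Subject/issuer lines as listed in the post (Expires and hash lines omitted).
POST_OUTPUT = f"""Cross certificate chain (using machine store):
Issued to: GlobalSign Root CA
Issued by: GlobalSign Root CA

Issued to: GlobalSign
Issued by: GlobalSign Root CA

Issued to: {EV_CA}
Issued by: GlobalSign

Issued to: University of Waterloo
Issued by: {EV_CA}

Done Adding Additional Store
"""
# Constructed comparison: the same chain with a cross-certificate applied.
CROSS_SIGNED = POST_OUTPUT.replace(
    "Issued to: GlobalSign Root CA\nIssued by: GlobalSign Root CA\n",
    f"Issued to: {MS_KERNEL_ROOT}\nIssued by: {MS_KERNEL_ROOT}\n\n"
    f"Issued to: GlobalSign Root CA\nIssued by: {MS_KERNEL_ROOT}\n")

if __name__ == "__main__":
    print(chain_report(POST_OUTPUT))
    print(chain_report(CROSS_SIGNED))
```

For the listing in the post the report gives a four-certificate, correctly linked chain whose root is the self-signed GlobalSign Root CA, with no Microsoft issuer in it.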

Re: Signing help

Post by Erick » Thu Jan 05, 2017 7:02 pm

BTW, I checked, my machine is not using SecureBoot.
Erick
 
Posts: 9
Joined: Thu Nov 06, 2008 6:33 pm
Location: Canada

Re: Signing help

Post by madshi » Fri Jan 06, 2017 6:08 pm

Which version does your SignTool.exe have? Mine says 6.3.9600.16384. I got it from one of the many SDKs on my hard disk. Not sure which SDK or how it got on my hard disk. Probably came with one of the MSVC++ versions installed.

According to this website:

https://msdn.microsoft.com/en-us/librar ... z(v=vs.110).aspx

The "/t" parameter should work. If it doesn't, then your signtool version seems "weird".

If you right click on your signed driver file, does the Explorer claim it's valid?
madshi
Site Admin
 
Posts: 9431
Joined: Sun Mar 21, 2004 5:25 pm

Re: Signing help

Post by Erick » Tue Jan 10, 2017 5:18 pm

Wouldn't you know, the link is now dead :?

Yes, it indicates I have a valid SYS file. I've contacted GlobalSign to get them to help, I've certainly paid enough for an EV, but their docs only cover 7/8.

E
Erick
 
Posts: 9
Joined: Thu Nov 06, 2008 6:33 pm
Location: Canada

Re: Signing help

Post by madshi » Tue Jan 10, 2017 5:36 pm

Link got broken somehow. But you can easily find it by browsing the first Google hit for "signtool parameters".

EV certs may be special, I think you need to send them in to Microsoft for cross signing. Well, at least that's necessary for SecureBoot compatibility. I don't know if EV certs always need that to work? Non-EV certs certainly don't. But I've never used an EV cert yet, so I don't know for sure. But probably GlobalSign support will be able to help. They've helped me in the past when I had a problem. At one time they sent me a special root certificate I had to install for signing to succeed, IIRC.
madshi
Site Admin
 
Posts: 9431
Joined: Sun Mar 21, 2004 5:25 pm
