LoadInjectionDriver returns 577

c++ / delphi package - dll injection and api hooking

Postby NobMiwa » Sun Apr 02, 2017 12:45 pm

Hello,

This issue is not about MadCodeHook, but I really need help.

I cannot successfully load the driver with LoadInjectionDriver on Win7 64.

I copied "renameme32.sys" and "renameme64.sys" and signed them with the following commands using my GlobalSign certificate (SHA256 only).

signtool sign /v /ac "GlobalSign Root CA R3.crt" /a /n "common name" /tr http://rfc3161timestamp.globalsign.com/advanced /td sha256 MyDriver32.sys
signtool sign /v /ac "GlobalSign Root CA R3.crt" /a /n "common name" /tr http://rfc3161timestamp.globalsign.com/advanced /td sha256 MyDriver64.sys

# common name was changed to mine

Verifying the files with "signtool verify /kp" and "/pa" showed no error.

What should I check to sign correctly?

PrintMonitor works fine on the same machine. But once I signed with my certificate, it didn't work.

Regards,
Nobuo Miwa
NobMiwa
 
Posts: 7
Joined: Tue Mar 28, 2017 10:00 am

Re: LoadInjectionDriver returns 577

Postby madshi » Sun Apr 02, 2017 12:52 pm

Doesn't Windows 7 need a hotfix to support SHA256 signatures? I'm not sure right now. Does your driver load fine in Windows 8.1 and 10?

Personally, I'm dual signing, first with SHA1, afterwards with SHA256. You can see how I'm doing that in the "configDrivers.bat" shipping with the latest PrintMonitor demo.

I also vaguely remember that I had trouble getting SHA256 to work at all. IIRC, I had contacted GlobalSign customer support about that a couple years back and they sent me some root certificate I had to install to make it work. But it's so long ago that I don't remember the details. You could try asking GlobalSign customer support about it.
madshi
Site Admin
 
Posts: 9469
Joined: Sun Mar 21, 2004 5:25 pm

Re: LoadInjectionDriver returns 577

Postby NobMiwa » Thu Apr 06, 2017 4:27 am

Hi,

I talked with GlobalSign, but they said "Collect signed" only.

Could you tell me which Windows API returns 577?
Is it StartService()?

Any hint welcome.
NobMiwa
 
Posts: 7
Joined: Tue Mar 28, 2017 10:00 am

Re: LoadInjectionDriver returns 577

Postby madshi » Thu Apr 06, 2017 8:12 am

Not sure what "collect signed" means.

It's usually the NtLoadDriver API which fails, when you call LoadInjectionDriver. Or CreateService or maybe StartService when you call InstallInjectionDriver.
madshi
Site Admin
 
Posts: 9469
Joined: Sun Mar 21, 2004 5:25 pm

Re: LoadInjectionDriver returns 577

Postby iconic » Thu Apr 06, 2017 10:29 pm

"Doesn't Windows 7 need a hotfix to support SHA256 signatures"

Yes, the Windows 7 SP1 update KB2949927 hotfix is what would be required to support SHA-256. However, I'm not 100% certain that Microsoft ever corrected the issue, because after releasing it they realized it was botched (creating serious issues) and then recommended users NOT to install it or to use the rollback OS feature. What a mess!

--Iconic
iconic
 
Posts: 811
Joined: Wed Jun 08, 2005 5:08 am

Re: LoadInjectionDriver returns 577

Postby madshi » Thu Apr 06, 2017 10:31 pm

Yes, what a mess! But I think dual signing with both SHA1 + SHA256 should work around the issue nicely, shouldn't it?
madshi
Site Admin
 
Posts: 9469
Joined: Sun Mar 21, 2004 5:25 pm

Re: LoadInjectionDriver returns 577

Postby iconic » Thu Apr 06, 2017 11:07 pm

Yes, definitely should. For those who don't have a SHA-1 cert, however, it's a different story for them.

--Iconic
iconic
 
Posts: 811
Joined: Wed Jun 08, 2005 5:08 am
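
The dual signing discussed in this thread (SHA1 first, SHA256 appended) can be scripted as shown here. This is an added example, not the configDrivers.bat mentioned above and not code from any poster; the certificate thumbprints, the cross-certificate file and the Authenticode timestamp URL are placeholders to fill in, and the RFC 3161 timestamp URL is the one from the first post.

```bat
@echo off
setlocal
rem Added example: dual-sign a kernel driver and verify every signature.
rem All values in <...> are placeholders (assumptions), not taken from the thread.
set "DRIVER=%~1"
set "CROSSCERT=<cross-certificate .crt file from your CA>"
set "SHA1_THUMB=<thumbprint of the SHA-1 code signing certificate>"
set "SHA256_THUMB=<thumbprint of the SHA-256 code signing certificate>"
set "TS_AUTHENTICODE=<Authenticode (legacy) timestamp URL of your CA>"
rem RFC 3161 timestamp server as used in the first post of the thread.
set "TS_RFC3161=http://rfc3161timestamp.globalsign.com/advanced"

if "%DRIVER%"=="" (
    echo usage: %~nx0 driver.sys
    exit /b 2
)

rem Pass 1: primary signature with a SHA-1 file digest (/fd sha1) and a
rem legacy Authenticode timestamp (/t). Systems without SHA-256 support
rem evaluate this signature.
signtool sign /v /ac "%CROSSCERT%" /sha1 %SHA1_THUMB% /fd sha1 ^
    /t "%TS_AUTHENTICODE%" "%DRIVER%" || exit /b 1

rem Pass 2: /as appends a second signature instead of replacing the first.
rem SHA-256 file digest (/fd sha256) with an RFC 3161 timestamp (/tr, /td).
signtool sign /v /as /ac "%CROSSCERT%" /sha1 %SHA256_THUMB% /fd sha256 ^
    /tr "%TS_RFC3161%" /td sha256 "%DRIVER%" || exit /b 1

rem Verify against the kernel-mode driver signing policy (/kp); /all checks
rem every signature in the file, so a missing or broken second signature
rem fails here instead of at driver load time.
signtool verify /kp /v /all "%DRIVER%" || exit /b 1

echo Both signatures verified on %DRIVER%
endlocal
```

The /sha1 option of "signtool sign" selects the signing certificate by thumbprint, which avoids ambiguity when the SHA-1 and SHA-256 certificates share a common name.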

