
LoadInjectionDriver returns 577

Posted: Sun Apr 02, 2017 12:45 pm
by NobMiwa
Hello,

This issue is not about MadCodeHook, but I really need help.

I cannot successfully load the driver with LoadInjectionDriver on Win7 64.

I copied "renameme32.sys" and "renameme64.sys" and signed them with the following commands, using my GlobalSign certificate (SHA256 only).

signtool sign /v /ac "GlobalSign Root CA R3.crt" /a /n "common name" /tr http://rfc3161timestamp.globalsign.com/advanced /td sha256 MyDriver32.sys
signtool sign /v /ac "GlobalSign Root CA R3.crt" /a /n "common name" /tr http://rfc3161timestamp.globalsign.com/advanced /td sha256 MyDriver64.sys

# common name was changed to mine

Verifying the files with "signtool verify /kp" and "/pa" showed no errors.

What should I check to sign correctly?

PrintMonitor works fine on the same machine. But once I signed with my certificate, it didn't work.

Regards,
Nobuo Miwa

Re: LoadInjectionDriver returns 577

Posted: Sun Apr 02, 2017 12:52 pm
by madshi
Doesn't Windows 7 need a hotfix to support SHA256 signatures? I'm not sure right now. Does your driver load fine in Windows 8.1 and 10?

Personally, I'm dual signing, first with SHA1, afterwards with SHA256. You can see how I'm doing that in the "configDrivers.bat" shipping with the latest PrintMonitor demo.

I also vaguely remember that I had trouble getting SHA256 to work at all. IIRC, I had contacted GlobalSign customer support about that a couple years back and they sent me some root certificate I had to install to make it work. But it's so long ago that I don't remember the details. You could try asking GlobalSign customer support about it.

Re: LoadInjectionDriver returns 577

Posted: Thu Apr 06, 2017 4:27 am
by NobMiwa
Hi,

I talked with GlobalSign, but they said "Collect signed" only.

Could you tell me which Windows API returns 577?
Is it StartService()?

Any hint welcome.

Re: LoadInjectionDriver returns 577

Posted: Thu Apr 06, 2017 8:12 am
by madshi
Not sure what "collect signed" means.

It's usually the NtLoadDriver API which fails, when you call LoadInjectionDriver. Or CreateService or maybe StartService when you call InstallInjectionDriver.

Re: LoadInjectionDriver returns 577

Posted: Thu Apr 06, 2017 10:29 pm
by iconic
"Doesn't Windows 7 need a hotfix to support SHA256 signatures"
Yes, the Windows 7 SP1 update KB2949927 hotfix is what would be required to support SHA-256; however, I'm not 100% certain that Microsoft ever corrected the issue, because after releasing it they realized it was botched (creating serious issues) and then recommended users NOT to install it or use the rollback OS feature. What a mess!

--Iconic

Re: LoadInjectionDriver returns 577

Posted: Thu Apr 06, 2017 10:31 pm
by madshi
Yes, what a mess! But I think dual signing with both SHA1 + SHA256 should work around the issue nicely, shouldn't it?

Re: LoadInjectionDriver returns 577

Posted: Thu Apr 06, 2017 11:07 pm
by iconic
Yes, definitely should. For those who don't have a SHA-1 cert, however, it's a different story for them.

--Iconic
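
The dual-signing workaround discussed in this thread (SHA1 first, then SHA256), written out as an added example; it is not the contents of madshi's "configDrivers.bat" and was not posted by anyone in the thread. The certificate thumbprints, the SHA-1 cross-certificate file name and the SHA-1 timestamp URL are placeholders to replace; the SHA-256 cross-certificate, RFC 3161 URL and file names are taken from the first post.

```batch
@echo off
rem Added example: dual-sign each driver, SHA-1 signature first,
rem then an appended SHA-256 signature, then verify both.
rem Win32 error 577 is ERROR_INVALID_IMAGE_HASH (signature could not be verified).
setlocal

rem --- Assumed placeholder values, replace with your own ---
set "THUMB_SHA1=REPLACE_WITH_SHA1_CERT_THUMBPRINT"
set "THUMB_SHA256=REPLACE_WITH_SHA256_CERT_THUMBPRINT"
set "CROSS_SHA1=REPLACE_WITH_SHA1_CROSS_CERT.crt"
set "TS_SHA1=http://timestamp.example.invalid/authenticode"

rem --- Values taken from the first post ---
set "CROSS_SHA256=GlobalSign Root CA R3.crt"
set "TS_RFC3161=http://rfc3161timestamp.globalsign.com/advanced"

for %%F in (MyDriver32.sys MyDriver64.sys) do call :dualsign "%%F" || exit /b 1
echo All drivers dual-signed and verified.
exit /b 0

:dualsign
rem Pass 1: primary signature with the SHA-1 certificate and a SHA-1 file digest.
signtool sign /v /ac "%CROSS_SHA1%" /sha1 %THUMB_SHA1% /fd sha1 /t %TS_SHA1% "%~1" || exit /b 1

rem Pass 2: /as appends a second signature instead of replacing the first;
rem /fd sha256 sets the file digest, /td sha256 the RFC 3161 timestamp digest.
signtool sign /v /as /ac "%CROSS_SHA256%" /sha1 %THUMB_SHA256% /fd sha256 /tr %TS_RFC3161% /td sha256 "%~1" || exit /b 1

rem /kp checks against the kernel-mode driver signing policy;
rem /all checks every signature in the file, not only the primary one.
signtool verify /v /kp /all "%~1" || exit /b 1
exit /b 0
```

Selecting each certificate by thumbprint with /sha1, rather than with /a /n as in the first post, keeps signtool from choosing the same certificate for both passes when both share a subject name.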