Windows 7 x64 comparability

c++ / delphi package - dll injection and api hooking


Postby dudul » Tue Aug 15, 2017 3:11 pm

Hi,
My question is not relevant directly to the madCodeHook product, but more to the Win 7 x64 update needed for it.
My drivers are signed with my EV Certificate AND Microsoft’s Certificate (from Microsoft’s SysDev Dashboard) and it works great on all Windows versions (Windows 7 x64 requires the update "KB3033929").

I'm building my product's setup and I want to notify the user if this update is not installed.
My problem is that on some devices this update doesn't appear in the Windows Update list, but when trying to run the update file (msu) from Microsoft it says that it is already installed.
I've tried to get the updates list from:
Code:
win32_quickfixengineering
wmic qfe list
SYSTEMINFO.exe


But none of them include this update.

Is anyone familiar with this issue?
dudul
 
Posts: 20
Joined: Wed Sep 09, 2015 3:00 pm

Re: Windows 7 x64 comparability

Postby iconic » Tue Aug 15, 2017 3:32 pm

Windows Update Agent (WUA) APIs (COM Interfaces) should be what you need. See here https://stackoverflow.com/questions/597 ... n-my-syste

--Iconic
iconic
 
Posts: 807
Joined: Wed Jun 08, 2005 5:08 am
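An added example (not part of the thread) of the check suggested above: it asks the Windows Update Agent COM interfaces, alongside the `Win32_QuickFixEngineering` source the first post already tried, whether the KB is recorded. The function name `Find-KbEvidence` is hypothetical; the KB number is the one from the thread.

```powershell
# Added example: ask several local sources whether a KB is recorded as installed.
# $KbId defaults to the update named in the thread; the WUA search stays offline.
function Find-KbEvidence {
    param([string]$KbId = '3033929')
    $found = @()

    # Source the original post already tried: Win32_QuickFixEngineering.
    if (Get-HotFix -Id "KB$KbId" -ErrorAction SilentlyContinue) {
        $found += 'Win32_QuickFixEngineering'
    }

    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $searcher.Online = $false          # use the local WUA data store only

    # WUA: updates currently reported as installed.
    try {
        foreach ($u in $searcher.Search('IsInstalled=1').Updates) {
            if (@($u.KBArticleIDs) -contains $KbId) { $found += 'WUA installed updates'; break }
        }
    } catch {
        Write-Warning "WUA search failed: $($_.Exception.Message)"
    }

    # WUA: installation history (Operation 1 = install, ResultCode 2 = succeeded).
    $total = $searcher.GetTotalHistoryCount()
    if ($total -gt 0) {
        foreach ($h in $searcher.QueryHistory(0, $total)) {
            if ($h.Operation -eq 1 -and $h.ResultCode -eq 2 -and $h.Title -match "KB$KbId") {
                $found += 'WUA history'; break
            }
        }
    }
    return $found
}

$evidence = @(Find-KbEvidence)
if ($evidence.Count -gt 0) {
    "KB3033929 recorded in: $($evidence -join ', ')"
} else {
    'KB3033929 not recorded by QFE or WUA on this machine.'
}
```

An empty result only means these stores hold no record of the KB; a setup program should word its notice accordingly rather than state that the update is missing.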

Re: Windows 7 x64 comparability

Postby madshi » Tue Aug 15, 2017 4:01 pm

Can't you sign with a conventional SHA1 certificate first, then add the EV signature on top? That way hopefully you might satisfy both older and newer OSs with just one driver file.
madshi
Site Admin
 
Posts: 9376
Joined: Sun Mar 21, 2004 5:25 pm

Re: Windows 7 x64 comparability

Postby dudul » Tue Aug 15, 2017 9:03 pm

madshi wrote:Can't you sign with a conventional SHA1 certificate first, then add the EV signature on top? That way hopefully you might satisfy both older and newer OSs with just one driver file.

What do you mean a conventional SHA1?
I have my EV signature which I can sign as SHA1 and/or as SHA2.

Re: Windows 7 x64 comparability

Postby iconic » Tue Aug 15, 2017 9:16 pm

@dudul,

He means dual sign - sign 1st with SHA1 then SHA2 after on the same file

--Iconic
iconic
 
Posts: 807
Joined: Wed Jun 08, 2005 5:08 am
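An added example (not from the thread) of what "dual sign" looks like with `signtool`: a first signature with a SHA-1 file digest, a second one appended with a SHA-256 file digest, then verification of both. The driver path, thumbprint, cross-certificate file and timestamp URLs are placeholders, and `Invoke-SignTool` is a hypothetical helper.

```powershell
# Added example: dual-sign one driver file and verify both signatures.
# All values below are placeholders; signtool.exe is assumed to be on PATH.
$SignTool       = 'signtool.exe'
$Driver         = '.\MyDriver.sys'                  # hypothetical file name
$Thumbprint     = '<CERT-THUMBPRINT>'               # selects the signing certificate
$CrossCert      = '.\<cross-certificate>.cer'       # cross-certificate for kernel-mode signing
$TsAuthenticode = '<AUTHENTICODE-TIMESTAMP-URL>'
$TsRfc3161      = '<RFC3161-TIMESTAMP-URL>'

function Invoke-SignTool {
    param([string[]]$Arguments)
    & $SignTool @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "signtool failed ($LASTEXITCODE): $($Arguments -join ' ')"
    }
}

# 1) Primary signature with a SHA-1 file digest.
#    /fd sets the digest of the file; it does not change the certificate's own algorithm.
Invoke-SignTool @('sign', '/v', '/ac', $CrossCert, '/sha1', $Thumbprint,
                  '/fd', 'sha1', '/t', $TsAuthenticode, $Driver)

# 2) Appended signature (/as) with a SHA-256 file digest and an RFC 3161 timestamp.
#    Without /as the second run would replace the first signature.
Invoke-SignTool @('sign', '/v', '/as', '/ac', $CrossCert, '/sha1', $Thumbprint,
                  '/fd', 'sha256', '/tr', $TsRfc3161, '/td', 'sha256', $Driver)

# 3) Check every signature on the file against the kernel-mode signing policy.
Invoke-SignTool @('verify', '/v', '/kp', '/all', $Driver)
```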

Re: Windows 7 x64 comparability

Postby dudul » Tue Aug 15, 2017 9:21 pm

iconic wrote:@dudul,

He means dual sign - sign 1st with SHA1 then SHA2 after on the same file

--Iconic


That's what I'm doing now.
Sign each of the driver files with both SHA1 & SHA2.
Then I upload it to Microsoft’s SysDev Dashboard, download and use it.

Am I missing something?

Re: Windows 7 x64 comparability

Postby madshi » Tue Aug 15, 2017 10:07 pm

In theory a dual signed SHA1 + SHA256 driver should not require KB3033929. That's what I was aiming at.

Re: Windows 7 x64 comparability

Postby dudul » Wed Aug 16, 2017 8:29 am

madshi wrote:In theory a dual signed SHA1 + SHA256 driver should not require KB3033929. That's what I was aiming at.


That's the current situation in my case.
The problem is that LoadInjectionDriver() failed with error 577.

Re: Windows 7 x64 comparability

Postby madshi » Wed Aug 16, 2017 9:37 am

That's ERROR_INVALID_IMAGE_HASH, a quite specific error code. But the driver loads fine in Windows 10?

Well, I haven't actually tried dual signing with an EV certificate, because I don't have one. Does the PrintMonitor demo work for you on a win7 x64 PC without that KB update?

http://madshi.net/PrintMonitor.zip

This demo is dual signed with SHA1 + SHA256, but no EV.

Re: Windows 7 x64 comparability

Postby dudul » Wed Aug 16, 2017 9:55 am

My drivers work great on any Windows 7+ OS (except 7 x64 in some cases).

It seems that the PrintMonitor works fine.
I've noticed that you don't include the dll files on the madConfigDrv command.
Code:
madConfigDrv DemoDriver32.sys PrintMonitorDemoDriver -safeStopAllowed


I've also noticed that the sha1 thumbprint(?) of the sha1 and sha256 is different. Are these different signatures?
In my case I'm dual signing with the same thumbprint.
Code:
@signtool.exe sign /sha1 3743e1253b629144d126b4a1ee86bab1d260f46c
@signtool.exe sign /sha1 34173d9ee7e9796e52bc65bb26baac7d1fd8423f

Re: Windows 7 x64 comparability

Postby madshi » Wed Aug 16, 2017 10:05 am

Yes, I've asked GlobalSign to reissue my certificate as both SHA1 and SHA256 for best compatibility. So it's more or less 2 different certificates (but only paying for one).

When using madCodeHook 4, you don't have to include the dll files when calling madConfigDrv, anymore. The driver verifies if a hook dll is "trusted" by checking if the hook dll is signed with the same certificate as the driver. This is an important new feature in v4 because it means that you only need to sign the driver once, and then you don't ever have to touch it again. Except when updating to a new driver version, of course, or when your certificate expires.

Re: Windows 7 x64 comparability

Postby dudul » Wed Aug 16, 2017 12:08 pm

madshi wrote:Yes, I've asked GlobalSign to reissue my certificate as both SHA1 and SHA256 for best compatibility. So it's more or less 2 different certificates (but only paying for one).

When using madCodeHook 4, you don't have to include the dll files when calling madConfigDrv, anymore. The driver verifies if a hook dll is "trusted" by checking if the hook dll is signed with the same certificate as the driver. This is an important new feature in v4 because it means that you only need to sign the driver once, and then you don't ever have to touch it again. Except when updating to a new driver version, of course, or when your certificate expires.


I see.
What do you suggest I need to ask from GlobalSign?
The question is if it's possible with EV signature?

Re: Windows 7 x64 comparability

Postby madshi » Wed Aug 16, 2017 12:27 pm

I don't really know, I've no experience with EV. IIRC I simply went into the GlobalSign control panel and asked for an SHA1 re-issue, or something like that.

Re: Windows 7 x64 comparability

Postby dudul » Wed Aug 16, 2017 12:59 pm

This is GlobalSign support answer:
"This is to inform you that in EV Codesigning, SHA 1 Algorithm is not possible as per the CAB guidelines."

I guess it means that it is not possible to re-issue it as SHA1 (or am I wrong?)

Re: Windows 7 x64 comparability

Postby madshi » Wed Aug 16, 2017 1:29 pm

Maybe they just say that you can't use SHA1 for the EV signing itself? But I don't have a clue...