Windows 7 x64 compatibility

Posted: Tue Aug 15, 2017 3:11 pm
by dudul
Hi,
My question is not relevant directly to the madCodeHook product, but more to the Win 7 x64 update needed for it.
My drivers are signed with my EV Certificate AND Microsoft’s Certificate (from Microsoft’s SysDev Dashboard) and they work great on all Windows versions (Windows 7 x64 requires the update "KB3033929").

I'm building my product's setup and I want to notify the user if this update is not installed.
My problem is that on some devices this update doesn't appear in the Windows Update list, but when trying to run the update file (msu) from Microsoft it says that it is already installed.
I've tried to get the updates list from:

Code:

win32_quickfixengineering
wmic qfe list
SYSTEMINFO.exe
But none of them include this update.

Is anyone familiar with this issue?

Re: Windows 7 x64 compatibility

Posted: Tue Aug 15, 2017 3:32 pm
by iconic
Windows Update Agent (WUA) APIs (COM Interfaces) should be what you need. See here https://stackoverflow.com/questions/597 ... n-my-syste

--Iconic
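As an added illustration of the WUA approach suggested above (this is not code from the thread or from madCodeHook), the function below asks the Windows Update Agent COM API whether a given KB is installed, first through the installed-update search and then through the agent's own install history, which is where an update that the QFE/wmic listings miss usually still shows up. It assumes it runs on a Windows machine with the WUA service available and that the KB number is passed as digits only.

```powershell
# Added example, not code from the thread or from madCodeHook: query the
# Windows Update Agent (WUA) COM API for an installed update by KB number.
# Assumed: Windows with the WUA service present; $KbNumber is digits only.
function Test-KbInstalled {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [ValidatePattern('^\d+$')] [string] $KbNumber,
        [switch] $Offline   # use only the locally cached catalog (no network)
    )

    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $searcher.Online = -not $Offline   # Online = $true may contact the update service

    # 1) Installed updates as WUA evaluates them on the live system.
    $result = $searcher.Search('IsInstalled=1')
    foreach ($update in $result.Updates) {
        foreach ($id in $update.KBArticleIDs) {
            if ($id -eq $KbNumber) {
                return [pscustomobject]@{ Installed = $true; Source = 'Search'; Title = $update.Title }
            }
        }
    }

    # 2) Update history: every operation the agent performed, with its result.
    #    Keep only successful entries (ResultCode 2) for this KB, newest first,
    #    so a later uninstall (Operation 2) overrides an earlier install (Operation 1).
    $hits = @()
    $count = $searcher.GetTotalHistoryCount()
    if ($count -gt 0) {
        foreach ($entry in $searcher.QueryHistory(0, $count)) {
            if ($entry.ResultCode -eq 2 -and $entry.Title -match "KB$KbNumber\b") {
                $hits += $entry
            }
        }
    }
    $hits = @($hits | Sort-Object -Property Date -Descending)
    if ($hits.Count -gt 0 -and $hits[0].Operation -eq 1) {
        return [pscustomobject]@{ Installed = $true; Source = 'History'; Title = $hits[0].Title }
    }

    return [pscustomobject]@{ Installed = $false; Source = $null; Title = $null }
}

# Usage inside a setup prerequisite check:
$kb = Test-KbInstalled -KbNumber '3033929'
if (-not $kb.Installed) {
    Write-Warning 'KB3033929 not found; the driver may fail to load (error 577) on Windows 7 x64.'
}
```

The search step can take a while on an older Windows 7 box, so a setup program that only needs a quick answer can start with the history walk, or pass -Offline to avoid any network round trip at the cost of possibly stale catalog data.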

Re: Windows 7 x64 compatibility

Posted: Tue Aug 15, 2017 4:01 pm
by madshi
Can't you sign with a conventional SHA1 certificate first, then add the EV signature on top? That way hopefully you might satisfy both older and newer OSs with just one driver file.

Re: Windows 7 x64 compatibility

Posted: Tue Aug 15, 2017 9:03 pm
by dudul
madshi wrote:Can't you sign with a conventional SHA1 certificate first, then add the EV signature on top? That way hopefully you might satisfy both older and newer OSs with just one driver file.
What do you mean a conventional SHA1?
I have my EV signature which I can sign as SHA1 and/or as SHA2.

Re: Windows 7 x64 compatibility

Posted: Tue Aug 15, 2017 9:16 pm
by iconic
@dudul,

He means dual sign - sign 1st with SHA1 then SHA2 after on the same file

--Iconic

Re: Windows 7 x64 compatibility

Posted: Tue Aug 15, 2017 9:21 pm
by dudul
iconic wrote:@dudul,

He means dual sign - sign 1st with SHA1 then SHA2 after on the same file

--Iconic
That's what I'm doing now.
Sign each of the driver files with both SHA1 & SHA2.
Then I upload it to Microsoft’s SysDev Dashboard, download and use it.

Am I missing something?

Re: Windows 7 x64 compatibility

Posted: Tue Aug 15, 2017 10:07 pm
by madshi
In theory a dual signed SHA1 + SHA256 driver should not require KB3033929. That's what I was aiming at.
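For readers who want to see what "dual signed SHA1 + SHA256" looks like on the command line, here is an added example (not from the thread, not madshi's or dudul's own script) that signs a driver file twice with signtool and then verifies every signature against the kernel-mode policy. By default it uses one certificate thumbprint for both signatures, which is dudul's setup; passing a second thumbprint covers the separately re-issued SHA-1/SHA-256 certificate case. It assumes signtool.exe from the Windows SDK is on PATH, the certificates are in the current user's store, and the timestamp URLs are placeholders to be replaced with your CA's servers.

```powershell
# Added example, not code from the thread: dual-sign a driver file so it carries
# a SHA-1 signature plus a SHA-256 signature appended on top, then verify both.
# Assumed: signtool.exe (Windows SDK) on PATH; certificates in the user store;
# the timestamp URLs are placeholders for your CA's servers.
function Invoke-DualSign {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Sha1Thumbprint,        # cert for the SHA-1 signature
        [string] $Sha256Thumbprint = $Sha1Thumbprint,          # same cert by default; a separate SHA-256-issued cert also works
        [string] $AuthenticodeTimestamp = 'http://TIMESTAMP-PLACEHOLDER/authenticode',
        [string] $Rfc3161Timestamp      = 'http://TIMESTAMP-PLACEHOLDER/rfc3161'
    )

    # 1) Primary signature: SHA-1 file digest with a legacy Authenticode timestamp.
    & signtool.exe sign /sha1 $Sha1Thumbprint /fd sha1 /t $AuthenticodeTimestamp $Path
    if ($LASTEXITCODE -ne 0) { throw "SHA-1 signing failed (exit $LASTEXITCODE)" }

    # 2) Appended signature (/as): SHA-256 digest with an RFC 3161 timestamp
    #    hashed with SHA-256. Without /as the second run would REPLACE the first
    #    signature instead of adding to it.
    & signtool.exe sign /sha1 $Sha256Thumbprint /fd sha256 /tr $Rfc3161Timestamp /td sha256 /as $Path
    if ($LASTEXITCODE -ne 0) { throw "SHA-256 signing failed (exit $LASTEXITCODE)" }

    # 3) Verify all signatures (/all) against the kernel-mode driver policy (/kp),
    #    verbose (/v) so each signature's digest algorithm and signer are listed.
    & signtool.exe verify /kp /all /v $Path
    if ($LASTEXITCODE -ne 0) { throw "verification failed (exit $LASTEXITCODE)" }
}

# Usage (thumbprint is a constructed placeholder, not a real certificate):
# Invoke-DualSign -Path .\MyDriver64.sys -Sha1Thumbprint '0000000000000000000000000000000000000000'
```

The verify step is the useful part for debugging a 577 (ERROR_INVALID_IMAGE_HASH): its output lists each signature separately, so you can confirm the SHA-1 one is actually present on the file rather than having been overwritten by the second signing run.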

Re: Windows 7 x64 compatibility

Posted: Wed Aug 16, 2017 8:29 am
by dudul
madshi wrote:In theory a dual signed SHA1 + SHA256 driver should not require KB3033929. That's what I was aiming at.
That's the current situation in my case.
The problem is that LoadInjectionDriver() failed with error 577.

Re: Windows 7 x64 compatibility

Posted: Wed Aug 16, 2017 9:37 am
by madshi
That's ERROR_INVALID_IMAGE_HASH, a quite specific error code. But the driver loads fine in Windows 10?

Well, I haven't actually tried dual signing with an EV certificate, because I don't have one. Does the PrintMonitor demo work for you on a win7 x64 PC without that KB update?

http://madshi.net/PrintMonitor.zip

This demo is dual signed with SHA1 + SHA256, but no EV.

Re: Windows 7 x64 compatibility

Posted: Wed Aug 16, 2017 9:55 am
by dudul
My drivers work great on any Windows 7+ OS (except 7 x64 in some cases).

It seems that the PrintMonitor works fine.
I've noticed that you don't include the dll files on the madConfigDrv command.

Code:

madConfigDrv DemoDriver32.sys PrintMonitorDemoDriver -safeStopAllowed
I've also noticed that the SHA1 thumbprint(?) of the SHA1 and SHA256 signatures is different. Are these different signatures?
In my case I'm dual signing with the same thumbprint.

Code:

@signtool.exe sign /sha1 3743e1253b629144d126b4a1ee86bab1d260f46c
@signtool.exe sign /sha1 34173d9ee7e9796e52bc65bb26baac7d1fd8423f

Re: Windows 7 x64 compatibility

Posted: Wed Aug 16, 2017 10:05 am
by madshi
Yes, I've asked GlobalSign to reissue my certificate as both SHA1 and SHA256 for best compatibility. So it's more or less 2 different certificates (but only paying for one).

When using madCodeHook 4, you don't have to include the dll files when calling madConfigDrv, anymore. The driver verifies if a hook dll is "trusted" by checking if the hook dll is signed with the same certificate as the driver. This is an important new feature in v4 because it means that you only need to sign the driver once, and then you don't ever have to touch it again. Except when updating to a new driver version, of course, or when your certificate expires.
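The "same certificate as the driver" rule described above can be approximated from user mode when you want to check your own build output before shipping. The function below is an added example (not madCodeHook's actual in-driver check, whose details the thread does not give) that compares the signer certificate of a hook DLL with that of the driver using Get-AuthenticodeSignature; it assumes both files exist and are signed.

```powershell
# Added example, not madCodeHook's own check: compare the signer of a hook DLL
# with the signer of the driver. Assumed: both files exist and are signed.
function Test-SameSigner {
    param(
        [Parameter(Mandatory)] [string] $DriverPath,
        [Parameter(Mandatory)] [string] $DllPath
    )
    $drv = Get-AuthenticodeSignature -FilePath $DriverPath
    $dll = Get-AuthenticodeSignature -FilePath $DllPath

    # Both signatures must chain to a trusted root; an unsigned or tampered
    # file reports a Status other than Valid and fails the check.
    if ($drv.Status -ne 'Valid' -or $dll.Status -ne 'Valid') { return $false }

    # Note: Get-AuthenticodeSignature exposes only the primary (first) signature
    # of a dual-signed file, so the appended SHA-256 signature is not compared here.
    return $drv.SignerCertificate.Thumbprint -eq $dll.SignerCertificate.Thumbprint
}

# Usage (paths are placeholders):
# Test-SameSigner -DriverPath .\MyDriver64.sys -DllPath .\MyHook64.dll
```

Because only the primary signature is visible this way, a build that signs the driver and DLL with different certificates in the first slot will fail the check even if the appended signatures match, which is worth knowing when reading the differing thumbprints in the signtool commands quoted earlier.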

Re: Windows 7 x64 compatibility

Posted: Wed Aug 16, 2017 12:08 pm
by dudul
madshi wrote:Yes, I've asked GlobalSign to reissue my certificate as both SHA1 and SHA256 for best compatibility. So it's more or less 2 different certificates (but only paying for one).

When using madCodeHook 4, you don't have to include the dll files when calling madConfigDrv, anymore. The driver verifies if a hook dll is "trusted" by checking if the hook dll is signed with the same certificate as the driver. This is an important new feature in v4 because it means that you only need to sign the driver once, and then you don't ever have to touch it again. Except when updating to a new driver version, of course, or when your certificate expires.
I see.
What do you suggest I need to ask from GlobalSign?
The question is whether it's possible with an EV signature?

Re: Windows 7 x64 compatibility

Posted: Wed Aug 16, 2017 12:27 pm
by madshi
I don't really know, I've no experience with EV. IIRC I simply went into the GlobalSign control panel and asked for an SHA1 re-issue, or something like that.

Re: Windows 7 x64 compatibility

Posted: Wed Aug 16, 2017 12:59 pm
by dudul
This is GlobalSign support answer:
"This is to inform you that in EV Codesigning, SHA 1 Algorithm is not possible as per the CAB guidelines."

I guess it means that it is not possible to re-issue it as SHA1 (or am I wrong?)

Re: Windows 7 x64 compatibility

Posted: Wed Aug 16, 2017 1:29 pm
by madshi
Maybe they just say that you can't use SHA1 for the EV signing itself? But I don't have a clue...