Windows 7 x64 comparability

c++ / delphi package - dll injection and api hooking
dudul
Posts: 27
Joined: Wed Sep 09, 2015 3:00 pm

Windows 7 x64 comparability

Post by dudul »

Hi,
My question is not directly relevant to the madCodeHook product, but more to the Win 7 x64 update needed for it.
My drivers are signed with my EV Certificate AND Microsoft’s Certificate (from Microsoft’s SysDev Dashboard) and they work great on all Windows versions (Windows 7 x64 requires the update "KB3033929").

I'm building my product's setup and I want to notify the user if this update is not installed.
My problem is that on some devices this update doesn't appear in the Windows Update list, but when trying to run the update file (msu) from Microsoft it says that it is already installed.
I've tried to get the updates list from:

Code:

win32_quickfixengineering
wmic qfe list
SYSTEMINFO.exe

But none of them include this update.

Is anyone familiar with this issue?
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Windows 7 x64 comparability

Post by iconic »

Windows Update Agent (WUA) APIs (COM Interfaces) should be what you need. See here https://stackoverflow.com/questions/597 ... n-my-syste

--Iconic
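
The WUA COM query suggested above, sketched in PowerShell as an added example (not code from this thread or from the linked answer). The function name Test-KbInstalled is hypothetical; it checks both the WUA update history and the locally cached list of installed updates, which are recorded separately.

```powershell
# Added example: ask the Windows Update Agent (WUA) COM API about one KB.
function Test-KbInstalled {
    param([Parameter(Mandatory)][string]$KbId)    # e.g. 'KB3033929'

    $number   = $KbId -replace '^KB', ''          # KBArticleIDs holds bare numbers
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()

    # 1) Update history: installs that WUA itself recorded.
    $total = $searcher.GetTotalHistoryCount()
    if ($total -gt 0) {
        $hit = $searcher.QueryHistory(0, $total) | Where-Object {
            $_.Operation  -eq 1 -and              # 1 = uoInstallation
            $_.ResultCode -eq 2 -and              # 2 = orcSucceeded
            $_.Title -match [regex]::Escape($KbId)
        }
        if ($hit) { return $true }
    }

    # 2) Updates WUA currently reports as installed (local cache, no network).
    $searcher.Online = $false
    $result = $searcher.Search('IsInstalled=1')
    foreach ($update in $result.Updates) {
        if (@($update.KBArticleIDs) -contains $number) { return $true }
    }
    return $false
}

if (-not (Test-KbInstalled -KbId 'KB3033929')) {
    Write-Warning 'KB3033929 was not found in the WUA history or installed-update list.'
}
```

A `$false` result only means WUA has no record under that KB number, so a setup program should word its message as a warning rather than a hard block.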
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Windows 7 x64 comparability

Post by madshi »

Can't you sign with a conventional SHA1 certificate first, then add the EV signature on top? That way hopefully you might satisfy both older and newer OSs with just one driver file.
dudul
Posts: 27
Joined: Wed Sep 09, 2015 3:00 pm

Re: Windows 7 x64 comparability

Post by dudul »

madshi wrote: Can't you sign with a conventional SHA1 certificate first, then add the EV signature on top? That way hopefully you might satisfy both older and newer OSs with just one driver file.

What do you mean by a conventional SHA1?
I have my EV signature which I can sign as SHA1 and/or as SHA2.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: Windows 7 x64 comparability

Post by iconic »

@dudul,

He means dual sign - sign 1st with SHA1 then SHA2 after on the same file

--Iconic
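
The dual-sign sequence described above, as an added PowerShell example that is not code from this thread. The function name Invoke-DualSign and all parameter values (thumbprints, timestamp server URLs, file path) are placeholders to be supplied by the caller. Note that signtool's `/sha1` option selects the certificate by its thumbprint, while `/fd` chooses the file digest algorithm of the signature.

```powershell
# Added example: sign one file twice (SHA1 digest first, SHA256 appended).
function Invoke-DualSign {
    param(
        [Parameter(Mandatory)][string]$File,            # driver file to sign
        [Parameter(Mandatory)][string]$Sha1CertThumb,   # cert for the SHA1 signature
        [Parameter(Mandatory)][string]$Sha2CertThumb,   # cert for the SHA256 signature (may be the same cert)
        [Parameter(Mandatory)][string]$LegacyTsUrl,     # Authenticode timestamp server, used with /t
        [Parameter(Mandatory)][string]$Rfc3161TsUrl     # RFC 3161 timestamp server, used with /tr
    )

    # First (primary) signature with a SHA1 file digest.
    & signtool.exe sign /sha1 $Sha1CertThumb /fd sha1 /t $LegacyTsUrl $File
    if ($LASTEXITCODE -ne 0) { throw "SHA1 signing failed (exit $LASTEXITCODE)" }

    # Second signature: /as appends instead of replacing the first one.
    & signtool.exe sign /as /sha1 $Sha2CertThumb /fd sha256 `
        /tr $Rfc3161TsUrl /td sha256 $File
    if ($LASTEXITCODE -ne 0) { throw "SHA256 signing failed (exit $LASTEXITCODE)" }

    # Check every signature in the file against the kernel-mode driver policy.
    & signtool.exe verify /kp /all /v $File
    if ($LASTEXITCODE -ne 0) { throw "Verification failed (exit $LASTEXITCODE)" }
}
```

Running the same `signtool.exe verify /kp /all /v` on the file that is finally shipped shows which signatures it actually carries.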
dudul
Posts: 27
Joined: Wed Sep 09, 2015 3:00 pm

Re: Windows 7 x64 comparability

Post by dudul »

iconic wrote:@dudul,

He means dual sign - sign 1st with SHA1 then SHA2 after on the same file

--Iconic

That's what I'm doing now.
Sign each of the driver files with both SHA1 & SHA2.
Then I upload it to Microsoft’s SysDev Dashboard, download and use it.

Am I missing something?
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Windows 7 x64 comparability

Post by madshi »

In theory a dual signed SHA1 + SHA256 driver should not require KB3033929. That's what I was aiming at.
dudul
Posts: 27
Joined: Wed Sep 09, 2015 3:00 pm

Re: Windows 7 x64 comparability

Post by dudul »

madshi wrote: In theory a dual signed SHA1 + SHA256 driver should not require KB3033929. That's what I was aiming at.

That's the current situation in my case.
The problem is that LoadInjectionDriver() failed with error 577.
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Windows 7 x64 comparability

Post by madshi »

That's ERROR_INVALID_IMAGE_HASH, a quite specific error code. But the driver loads fine in Windows 10?

Well, I haven't actually tried dual signing with an EV certificate, because I don't have one. Does the PrintMonitor demo work for you on a win7 x64 PC without that KB update?

http://madshi.net/PrintMonitor.zip

This demo is dual signed with SHA1 + SHA256, but no EV.
dudul
Posts: 27
Joined: Wed Sep 09, 2015 3:00 pm

Re: Windows 7 x64 comparability

Post by dudul »

My drivers work great on any Windows 7+ OS (except 7 x64 in some cases).

It seems that the PrintMonitor works fine.
I've noticed that you don't include the dll files in the madConfigDrv command.

Code:

madConfigDrv DemoDriver32.sys PrintMonitorDemoDriver -safeStopAllowed

I've also noticed that the SHA1 thumbprint(?) of the SHA1 and SHA256 is different. Are these different signatures?
In my case I'm dual signing with the same thumbprint.

Code:

@signtool.exe sign /sha1 3743e1253b629144d126b4a1ee86bab1d260f46c
@signtool.exe sign /sha1 34173d9ee7e9796e52bc65bb26baac7d1fd8423f
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Windows 7 x64 comparability

Post by madshi »

Yes, I've asked GlobalSign to reissue my certificate as both SHA1 and SHA256 for best compatibility. So it's more or less 2 different certificates (but only paying for one).

When using madCodeHook 4, you don't have to include the dll files when calling madConfigDrv, anymore. The driver verifies if a hook dll is "trusted" by checking if the hook dll is signed with the same certificate as the driver. This is an important new feature in v4 because it means that you only need to sign the driver once, and then you don't ever have to touch it again. Except when updating to a new driver version, of course, or when your certificate expires.
dudul
Posts: 27
Joined: Wed Sep 09, 2015 3:00 pm

Re: Windows 7 x64 comparability

Post by dudul »

madshi wrote: Yes, I've asked GlobalSign to reissue my certificate as both SHA1 and SHA256 for best compatibility. So it's more or less 2 different certificates (but only paying for one).

When using madCodeHook 4, you don't have to include the dll files when calling madConfigDrv, anymore. The driver verifies if a hook dll is "trusted" by checking if the hook dll is signed with the same certificate as the driver. This is an important new feature in v4 because it means that you only need to sign the driver once, and then you don't ever have to touch it again. Except when updating to a new driver version, of course, or when your certificate expires.

I see.
What do you suggest I need to ask from GlobalSign?
The question is if it's possible with EV signature?
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Windows 7 x64 comparability

Post by madshi »

I don't really know, I've no experience with EV. IIRC I simply went into the GlobalSign control panel and asked for an SHA1 re-issue, or something like that.
dudul
Posts: 27
Joined: Wed Sep 09, 2015 3:00 pm

Re: Windows 7 x64 comparability

Post by dudul »

This is GlobalSign support's answer:
"This is to inform you that in EV Codesigning, SHA 1 Algorithm is not possible as per the CAB guidelines."

I guess it means that it is not possible to re-issue it as SHA1 (or am I wrong?)
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: Windows 7 x64 comparability

Post by madshi »

Maybe they just say that you can't use SHA1 for the EV signing itself? But I don't have a clue...