Driver signing with Microsoft account
Hello,
Has anyone succeeded in signing the driver using the procedures described in this article?
https://blog.morphisec.com/windows-driv ... signatures
I applied for and activated an MS hardware developer account and will start the signing process. I am planning to support only the Win10 and Win11 OSes. Any tips and tricks are appreciated.
Re: Driver signing with Microsoft account
That article helped me many years ago as well, and I essentially do the same thing as they are doing. It's the older but proven way and still works to this day. HLK testing isn't for the faint of heart and there are several steps, so my best advice is to not skip a single step; otherwise you'll end up either with the controller not packaging your driver, or with something required left out that fails the MS dashboard submission.
Best of luck to you!
--Iconic
Re: Driver signing with Microsoft account
Thanks iconic.
The driver world is another dimension for me.
I checked the Windows HLK page and it seems a bit confusing to me.
https://learn.microsoft.com/en-us/windo ... /test/hlk/
On this page there is a table (to certify -> download). For example, I downloaded "Virtual HLK (VHLK) for Windows 11, version 21H2". I installed this on Hyper-V. When I start the VM, Windows Server 2022 boots up. I think this VM has only the controller and studio installation. But what is the purpose of "Windows 11" in the download link?
Re: Driver signing with Microsoft account
Hello,
The Virtual HLK (VHLK) is Microsoft's newer, easier way *they claim* to perform the required driver tests (HVCI etc.). The article you mentioned in your last post was only using the old way, which required a separate physical machine running the controller on something like Windows Server 2012 R2 (it's what I use for tests), and your driver would be on one of the test machines running Windows 10, 11 etc.
I haven't tried their virtual HLK solution because I still use the original method that works for me, and one that I am comfortable with now after having had approximately 100+ drivers tested and co-signed by Microsoft. As for driver development compared to user-mode development, yes, it's a night and day difference!
--Iconic
Re: Driver signing with Microsoft account
Hi madshi,
Every change to the hook DLL will require reconfiguring the driver, and it will also need the HLK tests again. Can you implement a new way to configure the injection driver? For example, you could add a whitelist of EV certificates (signer organization etc.). Or you could allow the DLL by comparing whether the driver's digital signature and the DLL's digital signature are the same.
Re: Driver signing with Microsoft account
> Or you can allow it by comparing whether the driver digital signature and the dll digital signature are the same

See the -cert parameter during the madConfigDrv process; it will do what you wish. This way the injected DLLs can be modified and, as long as the certificate remains the same, they are considered "trusted".
While this allows your to-be-injected DLLs, signed with the same certificate, to be loaded per process into all processes, this does not change the fact that if you are using an updated driver (say later on? Any driver update), the HLK tests will need to be run again, as Windows wants any *different* driver to be resubmitted and approved regardless of how small the change. The -cert parameter only helps with the DLL part of the puzzle, not with using a different driver version, HLK test-wise.
--Iconic
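The post above describes the -cert idea: a DLL is trusted for injection as long as it is signed with the same certificate, so the DLL can change without reconfiguring or resubmitting the driver. The following PowerShell script is an added example that mimics that check from user mode with Get-AuthenticodeSignature; it is not madCodeHook's or madConfigDrv's own code, and the file paths, the expected thumbprint value and the function name are assumptions for illustration. It rejects a DLL whose signature is not Valid (unsigned, tampered, or untrusted chain) or whose signer thumbprint differs from the configured one.

```powershell
# Added example (not madCodeHook's own implementation): accept a hook DLL for
# injection only if its Authenticode signature is valid AND its signer certificate
# thumbprint equals the certificate the driver was configured with.
# Assumed inputs: the expected thumbprint is the SHA-1 thumbprint of your code
# signing certificate (e.g. taken from Get-ChildItem Cert:\CurrentUser\My);
# the DLL paths are placeholders.
param(
    [string]$ExpectedThumbprint = '0000000000000000000000000000000000000000',  # placeholder
    [string[]]$DllPaths = @('C:\hooks\hook32.dll', 'C:\hooks\hook64.dll')      # placeholders
)

function Test-HookDllTrusted {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Thumbprint
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = 'file not found' }
    }

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Anything other than Valid means unsigned, hash mismatch, or an untrusted chain:
    # a tampered DLL with an intact-looking signature still comes back as HashMismatch.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "signature status $($sig.Status)" }
    }

    # Compare the signer certificate, not the subject name: two different
    # certificates can carry the same organization name.
    $actual = $sig.SignerCertificate.Thumbprint
    if ($actual -ne $Thumbprint.ToUpperInvariant()) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Reason = "signer $actual differs" }
    }

    return [pscustomobject]@{ Path = $Path; Trusted = $true; Reason = 'same signer' }
}

foreach ($dll in $DllPaths) {
    $result = Test-HookDllTrusted -Path $dll -Thumbprint $ExpectedThumbprint
    if ($result.Trusted) {
        Write-Host ("TRUSTED  {0}" -f $result.Path)
    } else {
        Write-Warning ("REJECTED {0}: {1}" -f $result.Path, $result.Reason)
    }
}
```

Two practical notes: Get-AuthenticodeSignature reports the primary signer, so a driver that Microsoft has co-signed may report Microsoft's certificate rather than your EV certificate, which is why the script compares DLLs against a configured thumbprint instead of against the driver file itself. And a thumbprint is tied to one certificate, so when your code signing certificate is renewed the expected value changes and the configuration has to be updated.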
Re: Driver signing with Microsoft account
Ouch. How could I not have seen this before?
I guess the driver doesn't get frequent updates.
Re: Driver signing with Microsoft account
The driver gets plenty of updates over the years. You can see the changes in the changelog, always posted on the main website URL per new madCollection release.
--Iconic
2023-03-08
madCodeHook 4.2.2 comes with the following changes:
· updated user mode DLL injection to match latest driver
2021-12-27
madCodeHook 4.2.1 comes with the following changes (compared to 4.1.3):
· rewrite of many assembler stubs to make Intel CET happy
· fixed: GetStoredThreadState() sometimes failed
· fixed some vulnerabilities
· improved IPC reliability under heavy stress
· fixed rare crash when installing API hook
· fixed rare issue with user mode injection into DotNet
· fixed rare crash with weird docker configurations
· added INJECT_ALLOW_THREAD flag
· [driver] made driver device more secure to avoid vulnerabilities
· [driver] added even more checks to prevent vulnerabilities
· [driver] changed injection stubs to make Intel CET happy
· [driver] fixed crash when process was created while uninjecting
· [driver] "secure" processes are no longer injected
· [driver] added support for 4096 bit keys
Credit to Michael Gorelik (@smgoreli), Assaf Kachlon and Andrey Diment from Morphisec for finding and reporting two driver vulnerabilities, which of course are fixed by this new build.
2020-07-16
madCodeHook 4.1.3 comes with the following changes:
· return to trusted "old" user mode injection method
· fixed potential thread timing bug in DestroyIpcQueue
· fixed potential memory leak in CopyFunction
· improved multi-threading for PatchCreateRemoteThread
· added SET_SAFE_HOOKING_TIMEOUT option
· SendIpcMessage now defaults to not handle messages
· [driver] fixed vulnerability (redirecting dll file via junction)
· [driver] added several checks to prevent vulnerabilities
· [driver] only admin users can now open the driver in user land
· [driver] fix for rare BSOD when using approval callback
· [driver] fixed CFG problem when accessing user land memory
Credit goes to Kyriakos Economou (@kyREcon) from Nettitude for finding and reporting a new vulnerability (the hook DLL file path could be redirected by using a junction in a tricky way), which is fixed by this new build.
2018-11-29
madCodeHook 4.1.2 comes with the following changes:
· [driver] optimized image load notification handling for older OSs
· [driver] added protection against invalid x86 allocation address
· [driver] added further file access hardening to prevent future vulnerabilities
2018-11-17
madCodeHook 4.1.1 comes with the following changes:
· added ex/including Metro app injection functionality
· added support for selectively activating IAT injection
· improved static lib smart linking support
· [driver] fixed potential (rare) blue screen
· [driver] fixed privilege escalation vulnerability
--Iconic