InstallDriver error code 31 after SysDev signing

c++ / delphi package - dll injection and api hooking
Baconzor
Posts: 17
Joined: Tue Dec 01, 2009 3:15 pm

InstallDriver error code 31 after SysDev signing

Post by Baconzor »

For the past 3 months I've been having a larger number of clients reporting the driver not being installed under their Windows 10; it seems Microsoft is slowly rolling out their previous call to not trust the EV certificate and requiring you to go through their dashboard to get an extra signature from them.

To make sure it was not something on my end: on the machines where the driver under my certificate no longer loads, the PrintMonitor sample driver will also not load; disabling Secure Boot lets them both work, as stated before by Microsoft.

So I went through the process on the SysDev dashboard; it requires a .cab with the driver and the .inf, and you need to submit one architecture at a time.

Things went pretty straightforward (I use GlobalSign's EV certificate). I used the .inf provided in the last version from December 22, 2017, modified the strings and only used the 64-bit .cat due to having to submit one architecture at a time.

It went on successfully and I got the signed driver that now has 3 signatures (sha1, sha256 and Microsoft's sha256), so far so good.

But somehow the InstallDriver method fails now, reporting error code 31; if I try the exact same driver before submitting it to the SysDev dashboard (with the dual signature) it installs successfully.

I first suspected it was the signature requested in the dashboard (different versions of Windows 10: RS2, RS3 etc.), but I specifically selected the x64 versions; I repeated the process unchecking almost all boxes to see if it could be related, same error 31 result.

Then I thought that the triple signature could be related, so I tried one more time now only signing sha256, still same result.

Any ideas?
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: InstallDriver error code 31 after SysDev signing

Post by iconic »

You don't need a .CAB file for dashboard signing, you need a .INF and a .CAT is all if you perform HLK testing. I've successfully had MS sign approximately 8 different product drivers (all different) and all load fine on client machines. Main thing to note is prior to Windows 8 MS' signature will likely not be understood by Windows 7 and the likes, you can deploy a SHA-1 signed driver in this case or check if the hotfix was applied which enabled SHA-2 support. As of last July MS has finally decided to enforce the dashboard signing on Windows 10 Secure Boot, as of Windows 10 1607, this also applies to 1703 and 1709 of course. If you go the HLK route your MS signed driver will also load on Server 2016 since it has the same major version as Windows 10. If you go the Attestation route only your drivers will fail to load on Server 2016. Bottom line is, your driver being co-signed by MS should allow you to load just fine on Windows 10

--Iconic
Baconzor
Posts: 17
Joined: Tue Dec 01, 2009 3:15 pm

Re: InstallDriver error code 31 after SysDev signing

Post by Baconzor »

Appreciate the info, Iconic.

I thought it would be a little easier to have the same driver I've been using for so long just keep loading as before after passing through the dashboard.

When submitting new hardware on the dashboard it requires a package (.cab, .hlkx, .hckx). Since I read the tutorial about HLK testing requiring a different machine to test for each OS version, I thought it would be easier to go the .cab route, since I've got over 20k client machines of each OS and the mad driver runs fine on all of them. The dashboard clearly states that it will ignore the .cat and will create a new one after the process; the requirement is the .sys and .inf, which is what I've put into the .cab.

Everything goes smoothly and the driver comes back with the MS signature perfectly, it just won't load after passing through the dashboard. It gives out a warning about also sending a .pdb debug file, which I do not have since it seems to be a byproduct of compiling the driver.

I'm not a driver expert nor did I ever develop one for my products, the only one I use is the madshi one. I expected this process to be more or less as simple as signing with the EV certificate, but having to create all these extra files that do not come with mad's .sys is getting a little challenging. I tried to keep the EV.inf mostly the same, and inf2cat and then makecab seemed very simple to run and they all worked without a glitch, but I'm sure there is something missing for Microsoft to disturb the driver in some way that makes it stop loading as before.

Since everyone on this forum has to pass through this exact same process to get Mad's driver signed through SysDev, maybe someone could hint at something I could be missing in this process.
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: InstallDriver error code 31 after SysDev signing

Post by iconic »

I too wish a single driver with 3 signatures (SHA-1, SHA-2 and MS Windows Hardware Compatibility) worked on all supported Windows platforms but I've had no such luck myself. I have read about some hacks which can allegedly accomplish such a feat but haven't verified them personally. Yes, you're correct in saying that MS will discard your .CAT file completely and create their own. Of course I find the entire mandated protocol rather strange considering non-PnP drivers generally don't install with a .INF file anyhow. But, as per MS' guidelines we have to develop dummy files to assist the validation process in the dashboard. Here's a minimalistic version of the .INF I use repeatedly to pass the checks and get a co-signed MS driver. I try to use the fewest fields possible and it passes InfVerif.exe's tests, HLK's "Signability" and allows you to create a .CAT (inf2cat.exe) from it with zero warnings and errors.

[Version]
Signature="$WINDOWS NT$"
Class=System
DriverVer=02/24/2018, 1.0.0.0
CatalogFile=ProductName.cat
Provider=%CompanyName%
[SourceDisksNames]
1=%Desc1%,,,
[SourceDisksFiles]
ProductName.sys = 1
[DefaultInstall]
CopyFiles = CopyDriverFile
[DestinationDirs]
CopyDriverFile = 12 ; dirid 12 = %SystemRoot%\system32\drivers
[CopyDriverFile]
ProductName.sys
[Strings]
Desc1 = "Kernel-Mode Driver for ProductName XXX"
CompanyName = "Your Company Name"

Setting up the lab for HLK testing in itself was annoying but once you bake the perfect cookie you continue with the same consistent recipe ;)

P.S: I also don't submit symbols (.PDB files) because [1] it's optional [2] it makes reversing a driver easy with said symbols and in the security field that's a big, fat NO! I'll take the DashBoard "warning" with a grain of salt and rim my margarita with it


--Iconic
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: InstallDriver error code 31 after SysDev signing

Post by madshi »

The confusing thing to me is that Windows 7 is probably too stupid to understand the 2nd/3rd signatures. It's likely to only look at the first signature, which should be SHA1. So why isn't Windows 7 happy? Seems weird to me. Unfortunately I don't have an EV certificate myself, so I can't really test it myself. In any case, this seems to not be madCodeHook specific at all, so there probably isn't anything I can do about this problem, anyway...
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: InstallDriver error code 31 after SysDev signing

Post by iconic »

Exactly, Madshi. Windows 7 and below only understands SHA-1 unless you have the SHA-2 hotfix installed with SP1. Even then I'm not 100% sure if multiple sigs can be validated in unison by Windows 7. I just detect the underlying version of Windows and extract the appropriate driver for the target, so I have 2 drivers I deploy per product. I don't see much of a choice otherwise. For those doing the same thing avoid a pitfall and do not call GetVersion() or GetVersionEx() to detect the OS version numbers (major, minor etc.) because as of Windows 8.1 those 2 APIs will return incorrect version numbers if your application isn't Windows version manifested. Example: Windows 10 1709 will report something like v6.2 ( Windows 8 ) instead of v10.x - The solution without manifesting your app is to call ntdll!RtlGetVersion() using the same structure GetVersionEx() uses (OSVERSIONINFOW or OSVERSIONINFOEXW). Happy coding!

--Iconic
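Added example for the version-detection pitfall Iconic describes (this is not madCodeHook code and not from any post in the thread): it calls ntdll!RtlGetVersion through P/Invoke, which returns the real version regardless of the application's compatibility manifest, and then picks which of two driver builds to deploy. The driver file names (mydriver*_sha1.sys, mydriver*_mssigned.sys) are assumed for illustration.

```powershell
# Added example: query the real OS version via ntdll!RtlGetVersion (not subject to the
# GetVersion/GetVersionEx manifest shim) and pick the driver build to deploy.
# Assumes Windows PowerShell 5.1; driver file names below are placeholders.
$NativeSource = @"
using System;
using System.Runtime.InteropServices;
public static class NtVersion
{
    // Same layout as OSVERSIONINFOW used by GetVersionExW
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct OSVERSIONINFOW
    {
        public uint dwOSVersionInfoSize;
        public uint dwMajorVersion;
        public uint dwMinorVersion;
        public uint dwBuildNumber;
        public uint dwPlatformId;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 128)]
        public string szCSDVersion;
    }

    // NTSTATUS RtlGetVersion(PRTL_OSVERSIONINFOW lpVersionInformation)
    [DllImport("ntdll.dll")]
    public static extern int RtlGetVersion(ref OSVERSIONINFOW versionInfo);
}
"@
Add-Type -TypeDefinition $NativeSource

function Get-RealOsVersion {
    $info = New-Object NtVersion+OSVERSIONINFOW
    # RtlGetVersion requires dwOSVersionInfoSize to be filled in, like GetVersionEx
    $info.dwOSVersionInfoSize = [uint32][System.Runtime.InteropServices.Marshal]::SizeOf([type][NtVersion+OSVERSIONINFOW])
    $status = [NtVersion]::RtlGetVersion([ref]$info)
    if ($status -ne 0) { throw ('RtlGetVersion failed, NTSTATUS 0x{0:X8}' -f $status) }
    [pscustomobject]@{
        Major       = $info.dwMajorVersion
        Minor       = $info.dwMinorVersion
        Build       = $info.dwBuildNumber
        ServicePack = $info.szCSDVersion
    }
}

function Select-DriverPackage {
    # Iconic's scheme: one SHA-1 signed driver for Windows 7 and below, one MS co-signed
    # SHA-2 driver for Windows 8 and later. File names are assumptions for this example.
    param([uint32]$Major, [uint32]$Minor, [bool]$Is64Bit)
    $legacy = ($Major -lt 6) -or ($Major -eq 6 -and $Minor -le 1)   # 6.1 = Windows 7 / 2008 R2
    $arch   = if ($Is64Bit) { '64' } else { '32' }
    if ($legacy) { "mydriver${arch}_sha1.sys" } else { "mydriver${arch}_mssigned.sys" }
}

$v = Get-RealOsVersion
'RtlGetVersion reports {0}.{1} build {2} {3}' -f $v.Major, $v.Minor, $v.Build, $v.ServicePack
# For comparison, the GetVersionEx-based value the host process sees (manifest dependent)
'Environment.OSVersion reports {0}' -f [Environment]::OSVersion.Version
Select-DriverPackage -Major $v.Major -Minor $v.Minor -Is64Bit ([Environment]::Is64BitOperatingSystem)
```

Run it on a Windows 10 box from an unmanifested host and the two reported versions can differ, which is exactly the trap Iconic warns about; the deployment decision is made from the RtlGetVersion result only.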
Baconzor
Posts: 17
Joined: Tue Dec 01, 2009 3:15 pm

Re: InstallDriver error code 31 after SysDev signing

Post by Baconzor »

Alright, I got this thing figured out now; I will describe it in steps below for the next guy that needs this with minimal headache. Microsoft is enforcing the SysDev signature under recently installed Windows 10 RS3 and forward; upgrades don't seem to be impacted, so this will be a slow and growing problem from now on for us madshi users.

[Making the cab file] (more on why you need a .cab below)

A tip on going through here is to make a signing folder with subfolders for each step; it will decrease the chances of screwing up on one of the steps.

- Grab a virgin version of mad's driver renameme32 and 64 (I placed these in a subfolder called virgin and renamed them mydriver32.sys and mydriver64.sys)
- Config them with your custom name using madConfigDrv as usual (placed these in another subfolder called configured)
- Sign them as you normally would; I double signed (sha1, sha256) and placed these in a subfolder called signed
- Make cab\32 and cab\64 subfolders to store both signed drivers with their respective .inf's
- It's a good idea to make a .bat that runs infverif.exe (it's a tool from the WDK) to see if your .inf has any errors (warnings do not stop the process)
- Make a mydriver32.ddf and mydriver64.ddf file in the cab subfolder (it's a text file with the path and options of the files to be included in the cab, will post a sample below)
- Run makecab /f "path_to_the_ddf_file" (I made a 32 and 64 bat with that command to create one cab at a time)
- Slowly and carefully grab both mydriver32/64.cab, place them separately in a cab_signed subfolder and sign them as you signed the drivers

That's it, now on how to submit each .cab to get Microsoft's signature appended alongside yours.

[SysDev Steps]

- Sign up for Microsoft's new SysDev dashboard to get the Microsoft signature (I had the signup process bug in a loop when trying to use an existing Microsoft account, had to create a dedicated new one for my company and it went through)

- A common issue comes when signing up for Microsoft's new SysDev dashboard to get the driver signed by them: during the signup process they give you a signablefile.bin for you to download and cross-sign so they can verify your EV certificate. I tried signing as usual (dual sha1+sha2) but it always returns that they do not trust GlobalSign's cross certificate, the same response "signtool verify" gives (since it uses driver verification policy); if you use /pa it will confirm the signature is ok from the local keychain. I wasted some time here until I noticed signtool would never trust any EV certificate except Microsoft's, and then I tried to ONLY sign with sha256 and not dual sign this test file and submit; this step at this point seems to reject dual signing or perhaps sha1's.

- After that you can go to Hardware -> Submit new hardware; you need to set a name (for your own submission control, can be anything) and then send a package (.cab, .hlkx, .hckx). The easiest way to go here is to make a .cab (which is simply a signable form of a zip file with your .sys's and .inf's inside); the requirement is the .sys and .inf, the cat is ignored. mad supplies a minimal .inf that works; if you need a little bit more reference, Iconic posted a good sample above too. Making .hlk/.hck's is a world of pain, you need a dedicated Windows server and one machine of each OS you want to test the driver against; if like Iconic you are already familiar with this process due to producing other drivers you may not even be reading this, but if your focus is just to get madshi's driver to load then .cab is far easier to go.

- Send your signed .cab and select the versions of Windows 10 it is supposed to run on; you can only submit one architecture at a time (x86 or x64), so you will need a .cab for each and submit one at a time. When selecting the Windows versions (checkboxes after loading your .cab) always ignore the ARM64 one and mark all the other 4 related to the architecture you are submitting, x86 or x64.

- The process should take around 10-15 minutes and it will be ready to download.

[Results]

The drivers are working with triple signature (own sha1, sha2 EV cross signed from GlobalSign and Microsoft's sha2).
Tested under Windows 7 32/64 (pre sha2 patch, which is most cases, but I think after the sha2 patch it should work too) and 10 (pre and post RS3 1709 with Secure Boot enforcing driver verification policy).

Since most people will do this once, maybe twice a year every time mad launches a critical driver update, I'd guess most will do this manually, so it is worth it to go through each step carefully and separately. The error 31 I was getting was from forgetting to run madConfigDrv and doing everything else on top of a driver without a name.

Sample DDF:

;*** mydriver64.ddf example
;
.OPTION EXPLICIT     ; Generate errors
.Set CabinetFileCountThreshold=0
.Set FolderFileCountThreshold=0
.Set FolderSizeThreshold=0
.Set MaxCabinetSize=0
.Set MaxDiskFileCount=0
.Set MaxDiskSize=0
.Set CompressionType=MSZIP
.Set Cabinet=on
.Set Compress=on
;Specify file name for new cab file
.Set CabinetNameTemplate=mydriver64.cab
; Specify the subdirectory for the files.  
; Your cab file should not have files at the root level,
; and each driver package must be in a separate subfolder.
.Set DestinationDir=64
;Specify files to be included in cab file
C:\full_path_here\cab\64\mydriver64.inf
C:\full_path_here\cab\64\mydriver64.sys
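Added example that scripts the cab-building steps listed above (this is not madshi's or GlobalSign's tooling, and not from any post in the thread). It assumes the signing folder layout Baconzor describes (signed\mydriver32.sys, signed\mydriver64.sys already run through madConfigDrv and signed; cab\32\mydriver32.inf and cab\64\mydriver64.inf present), that infverif.exe, makecab.exe and signtool.exe from the WDK are on PATH, and it uses the signtool parameters posted later in the thread. The cross-certificate path and certificate thumbprint are placeholders; the DiskDirectoryTemplate directive is added on top of the DDF shown above so makecab writes straight into cab_signed.

```powershell
# Added example: per-architecture driver cab build + sign pipeline from the steps above.
# Assumes WDK tools on PATH; PLACEHOLDER values must be replaced before use.
$ErrorActionPreference = 'Stop'
$Root      = 'C:\signing'                                       # assumed working folder
$Name      = 'mydriver'
$CrossCert = Join-Path $Root 'cross\GlobalSign_CrossCert.cer'   # PLACEHOLDER: CA cross-cert for /ac
$Thumb     = '0000000000000000000000000000000000000000'         # PLACEHOLDER: SHA-1 thumbprint of the EV cert
$TsaSha2   = 'http://timestamp.globalsign.com/?signature=sha2'  # timestamp server from the thread

function Invoke-Tool {
    # Run an external tool and stop the pipeline on a non-zero exit code.
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

function Add-Sha256Signature {
    # Exactly the SHA-256 parameters Baconzor posted (/ac cross cert, RFC 3161 timestamp).
    # A Windows 7 dual-signing flow would run 'sign /fd sha1 /t <sha1 TSA>' first and then
    # this call with '/as' added so the SHA-256 signature is appended instead of replacing it.
    param([string]$Path)
    Invoke-Tool 'signtool.exe' @('sign', '/ac', $CrossCert, '/sha1', $Thumb,
                                 '/fd', 'sha256', '/tr', $TsaSha2, '/td', 'sha256', $Path)
}

function New-DriverCab {
    param([ValidateSet('32', '64')][string]$Arch)
    $cabDir = Join-Path $Root "cab\$Arch"
    $outDir = Join-Path $Root 'cab_signed'
    $inf    = Join-Path $cabDir "${Name}${Arch}.inf"
    $sys    = Join-Path $cabDir "${Name}${Arch}.sys"
    $ddf    = Join-Path $Root "cab\${Name}${Arch}.ddf"
    $cab    = Join-Path $outDir "${Name}${Arch}.cab"
    New-Item -ItemType Directory -Force -Path $cabDir, $outDir | Out-Null

    # Steps 1-3: the input is the configured (madConfigDrv) and signed driver, never the virgin one;
    # packaging the unconfigured .sys is what produced error 31 in the thread.
    Copy-Item (Join-Path $Root "signed\${Name}${Arch}.sys") $sys -Force
    if (-not (Test-Path $inf)) { throw "Missing $inf" }

    # Step 5: INF syntax check; warnings do not block the dashboard, errors do
    Invoke-Tool 'infverif.exe' @($inf)

    # Step 6: write the DDF (same directives as the sample above, plus DiskDirectoryTemplate)
    @"
.OPTION EXPLICIT
.Set CabinetFileCountThreshold=0
.Set FolderFileCountThreshold=0
.Set FolderSizeThreshold=0
.Set MaxCabinetSize=0
.Set MaxDiskFileCount=0
.Set MaxDiskSize=0
.Set CompressionType=MSZIP
.Set Cabinet=on
.Set Compress=on
.Set CabinetNameTemplate=${Name}${Arch}.cab
.Set DiskDirectoryTemplate=$outDir
.Set DestinationDir=$Arch
$inf
$sys
"@ | Set-Content -Path $ddf -Encoding Ascii

    # Step 7: build the cab
    Invoke-Tool 'makecab.exe' @('/f', $ddf)

    # Step 8: sign the cab like the driver, then confirm the chain validates against the local store
    # (/pa = default Authenticode policy, the check Baconzor found to succeed; /kp applies the
    # kernel-mode driver policy instead)
    Add-Sha256Signature $cab
    Invoke-Tool 'signtool.exe' @('verify', '/pa', '/v', $cab)
    $cab
}

# One cab per architecture, ready for a separate dashboard submission each
foreach ($arch in '32', '64') { New-DriverCab -Arch $arch }
```

Keeping every stage in its own folder, as the steps recommend, is what lets the script fail fast: if signed\mydriver64.sys is missing, Copy-Item stops the run before anything is packaged or submitted.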
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: InstallDriver error code 31 after SysDev signing

Post by madshi »

Thanks for the detailed report!

So what is the key difference to what you did before?
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: InstallDriver error code 31 after SysDev signing

Post by iconic »

Interesting! Glad you were able to get a single driver working on all supported platforms :D Care to share your exact signtool parameters? By the way, .HLKX is also really just the .ZIP format extension renamed. You can rename the package to .ZIP and examine the contents of the actual .HLKX file. I'll post a rather large HLK How-To Guide this week on the forum. I am running Server 2012 R2 as the controller with HLK Studio and of course the target is Windows 10 as the client (1709 using a 1703 PlayList for applicable tests to be run on your driver). As I've alluded to in my earlier post it's the lab setup itself and lack of familiarity with HLK that causes most developers to go the Attestation route however supporting Server 2016 was critical for my needs and based on what I've read the only way the driver will load on Server 2016 with Secure Boot and Device Guard enabled is through HLK submission. But, who knows, MS changes their mind every other minute.

--Iconic
Baconzor
Posts: 17
Joined: Tue Dec 01, 2009 3:15 pm

Re: InstallDriver error code 31 after SysDev signing

Post by Baconzor »

madshi wrote:
Thanks for the detailed report!

So what is the key difference to what you did before?

When struggling to see why signtool would not recognize GlobalSign's root certificate (it never will using driver verification policy) I changed the signature command plenty of times signing your driver, so when I went forth with the SysDev process I ended up submitting a signed driver without configuring a name for it with madConfigDrv; that was why, when trying to load it, it would return error code 31. This is mainly the reason I framed it as important to set up a process to follow the steps, since forgetting one of them will ruin the recipe.

iconic wrote:
Interesting! Glad you were able to get a single driver working on all supported platforms :D Care to share your exact signtool parameters? By the way, .HLKX is also really just the .ZIP format extension renamed. You can rename the package to .ZIP and examine the contents of the actual .HLKX file. I'll post a rather large HLK How-To Guide this week on the forum. I am running Server 2012 R2 as the controller with HLK Studio and of course the target is Windows 10 as the client (1709 using a 1703 PlayList for applicable tests to be run on your driver). As I've alluded to in my earlier post it's the lab setup itself and lack of familiarity with HLK that causes most developers to go the Attestation route however supporting Server 2016 was critical for my needs and based on what I've read the only way the driver will load on Server 2016 with Secure Boot and Device Guard enabled is through HLK submission. But, who knows, MS changes their mind every other minute.

--Iconic

Hey Iconic, you were right after all. I have 2 test machines (Windows 7) that loaded the triple Microsoft-signed driver, but since then, when rolling it out on clients, the vast majority of Windows 7 will simply not load it; unfortunately I've gotta double all of them as you pointed out and roll out each according to the Windows version.

[signtool] sign /ac [rootcert] /fd sha256 /tr http://timestamp.globalsign.com/?signature=sha2 /td sha256 [file]
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Re: InstallDriver error code 31 after SysDev signing

Post by madshi »

But why does it work on some win7 PCs but not on some others? If the first certificate is SHA2, I can understand that, because then those win7 PCs which have the patch for SHA2 support installed will accept the driver. But if the first certificate is SHA1, shouldn't it work on either all or no win7 PCs?

Or maybe the patch which adds support for SHA2 is also needed to support triple signed drivers for some reason? Doesn't really make too much sense to me, though. The 2nd and 3rd certificates are actually hidden in a sub-section of the first certificate, so if win7 doesn't understand triple signing, it should not be a problem. So I don't understand the reason why it doesn't work.

Maybe it's not worth getting headaches over, since if it doesn't work, there's probably nothing we can do about it, anyway. Still I wonder......
iconic
Site Admin
Posts: 1065
Joined: Wed Jun 08, 2005 5:08 am

Re: InstallDriver error code 31 after SysDev signing

Post by iconic »

My only guess is that Windows 7 does in fact enumerate all signatures and tries to validate them likely checking for any revocations etc. I don't think simply having SHA-1 as the first signature would be enough to allow the driver to load on Windows 7 machines without the SHA-2 hotfix. As Madshi pointed out it's probably not worth the headache and it's why I just deploy the appropriate of the 2 drivers after OS version checking. Microsoft messed up any potential of seamless backwards compatibility for developers here and it's all because of a theoretical SHA-1 vulnerability. What a mess :o

P.S: Thanks Baconzor for sharing the params ;)

--Iconic
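Added example illustrating the layout madshi and Iconic are discussing (not madCodeHook code and not from any post in the thread): Authenticode stores one PKCS#7 SignedData in the PE's security directory, and every additional signature hangs off the first signer as an unsigned attribute with OID 1.3.6.1.4.1.311.2.4.1 (szOID_NESTED_SIGNATURE). The script below parses that structure and lists each signature's digest algorithm, signer and timestamp status, so a built driver can be checked for the expected "sha1 + sha256 + Microsoft" set before it is rolled out. It assumes Windows PowerShell 5.1 on .NET Framework; the driver path at the bottom is a placeholder.

```powershell
# Added example: enumerate the primary and all nested Authenticode signatures of a PE file.
# Assumes Windows PowerShell 5.1 (System.Security.Cryptography.Pkcs from .NET Framework).
Add-Type -AssemblyName System.Security

$TimestampOids = '1.2.840.113549.1.9.6',     # Authenticode countersignature (SHA-1 era)
                 '1.3.6.1.4.1.311.3.3.1'     # RFC 3161 timestamp (signtool /tr)

function Get-SignerInfoTree {
    # Flatten one SignedCms and every SignedCms nested below it into rows.
    param([System.Security.Cryptography.Pkcs.SignedCms]$Cms, [int]$Depth = 0)
    foreach ($signer in $Cms.SignerInfos) {
        $unsigned = @($signer.UnsignedAttributes)
        [pscustomobject]@{
            Depth       = $Depth                                  # 0 = first signature, 1 = nested, ...
            Digest      = $signer.DigestAlgorithm.FriendlyName    # sha1 / sha256
            Subject     = $signer.Certificate.Subject
            Issuer      = $signer.Certificate.Issuer
            Timestamped = [bool]($unsigned | Where-Object { $_.Oid.Value -in $TimestampOids })
        }
        foreach ($attr in $unsigned) {
            if ($attr.Oid.Value -ne '1.3.6.1.4.1.311.2.4.1') { continue }   # szOID_NESTED_SIGNATURE
            foreach ($value in $attr.Values) {
                $nested = New-Object System.Security.Cryptography.Pkcs.SignedCms
                $nested.Decode($value.RawData)                    # the nested blob is a full SignedData
                Get-SignerInfoTree -Cms $nested -Depth ($Depth + 1)
            }
        }
    }
}

function Get-PeSignatures {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $pe = [BitConverter]::ToInt32($bytes, 0x3C)                          # e_lfanew
    if ([BitConverter]::ToUInt32($bytes, $pe) -ne 0x00004550) { throw "$Path is not a PE image" }
    $opt   = $pe + 24                                                     # IMAGE_OPTIONAL_HEADER
    $magic = [BitConverter]::ToUInt16($bytes, $opt)
    # Data directories start at +96 (PE32) or +112 (PE32+); IMAGE_DIRECTORY_ENTRY_SECURITY is index 4
    $dirs    = if ($magic -eq 0x20B) { $opt + 112 } else { $opt + 96 }
    $secOff  = [int][BitConverter]::ToUInt32($bytes, $dirs + 4 * 8)      # a raw file offset, not an RVA
    $secSize = [int][BitConverter]::ToUInt32($bytes, $dirs + 4 * 8 + 4)
    if ($secOff -eq 0 -or $secSize -eq 0) { return }                     # file carries no signature
    $pos = $secOff
    while ($pos -lt $secOff + $secSize) {
        # WIN_CERTIFICATE: dwLength(4) wRevision(2) wCertificateType(2) bCertificate[]
        $len  = [int][BitConverter]::ToUInt32($bytes, $pos)
        $type = [BitConverter]::ToUInt16($bytes, $pos + 6)
        if ($type -ne 0x0002) { throw ('Unsupported WIN_CERTIFICATE type 0x{0:X4}' -f $type) }  # PKCS_SIGNED_DATA
        $pkcs7 = New-Object byte[] ($len - 8)
        [Array]::Copy($bytes, $pos + 8, $pkcs7, 0, $pkcs7.Length)
        $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
        $cms.Decode($pkcs7)
        Get-SignerInfoTree -Cms $cms
        $pos += ($len + 7) -band (-bnot 7)                                # entries are 8-byte aligned
    }
}

# Placeholder path: point this at the driver that came back from the dashboard
Get-PeSignatures -Path 'C:\signing\cab_signed\mydriver64.sys' |
    Format-Table Depth, Digest, Timestamped, Subject -AutoSize
```

For a triple-signed driver the output has three rows: depth 0 with the sha1 digest, then depth 1 rows for the sha256 signature and the Microsoft co-signature, which matches madshi's description of the second and third signatures living inside the first. This only decodes the structure; it does not evaluate trust, which is what differs between Windows versions, so pair it with signtool verify /kp on the target OS when deciding what to ship.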