
Having a bit of trouble signing my kernel mode driver and creating a service for it.

So, I've created a self-signed certificate using makecert:

makecert -r -pe -n "CN=XXX" -ss "XXX" -sr LocalMachine

then using the certificate management snap-in I exported the certificate to a .pfx file and signed the .sys driver using signtool:

signtool sign /f myCert.pfx /p xxx /t http://timestamp.comodoca.com/authenticode driver.sys

Which was successful. Upon using signtool to verify, I received:

Verifying: driver.sys
Hash of file (sha1): 9A...7F

Signing Certificate Chain:
    Issued to: XXX
    Issued by: xxx
    Expires:   Sat Dec 31 16:59:59 2039
    SHA1 hash: 12...46

The signature is timestamped: Sun Jun 10 03:35:21 2012
Timestamp Verified by:
    Issued to: UTN-USERFirst-Object
    Issued by: UTN-USERFirst-Object
    Expires:   Tue Jul 09 11:40:36 2019
    SHA1 hash: E1...46

        Issued to: COMODO Time Stamping Signer
        Issued by: UTN-USERFirst-Object
        Expires:   Sun May 10 16:59:59 2015
        SHA1 hash: 3D...C8

Successfully verified: driver.sys

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

However, when I try to create a service for it:

sc create ncd binPath= C:\Windows\System32\drivers\driver.sys type= kernel

(the binpath is verified to exist), the service is created, but about 10-20 seconds later, the "Program Compatibility Assistant" appears with the annoying "Windows requires a digitally signed driver" dialog.

(screenshot: the "Program Compatibility Assistant" dialog)

What gives? It's proven to be signed. I've tried the process three times over, with no luck. I've tried starting the service, but I get a BSOD with a BC code that refers to this issue (the unsigned driver works just fine on XP/32-bit 7).

Qix - MONICA WAS MISTREATED
  • Self-signing is not enough; it also needs to be cross-signed with Microsoft cert which only supports real CA certs. For testing purposes you can enable [test signing](http://msdn.microsoft.com/en-us/library/windows/hardware/ff553484%28v=vs.85%29.aspx). – Luke Jun 10 '12 at 11:31
  • @Luke Alright figured that out - I'm in test signing mode and it's working fine. However, I've found the list of cross-signing certs but I'm not sure how to use them. I have the zip file with the .cer and the thumbprint sha1, but the certificate manager asks for a URL. – Qix - MONICA WAS MISTREATED Jun 10 '12 at 11:33
  • I don't know the exact process, but you have to 1) sign your binary with a supported CA cert (VeriSign, etc.) then 2) cross-sign your binary with the corresponding cross-signing cert provided by Microsoft. – Luke Jun 10 '12 at 16:30
  • @Luke Could you make an answer? That seems to be the issue. – Qix - MONICA WAS MISTREATED Jun 13 '12 at 04:17


You can find some useful documentation here: http://msdn.microsoft.com/en-us/library/windows/hardware/dn170454(v=vs.85).aspx

As Luke said, you need both steps; the link provided explains step 2. With the cross-certificate obtained from Microsoft you should sign those drivers. The signing is done with the Windows SDK tools.

Lucian
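As an added example (not code from the asker or the answerer), the two-step process Luke and Lucian describe as one PowerShell script: sign with a CA-issued certificate plus the Microsoft cross-certificate via signtool's /ac switch, then verify under the kernel-mode driver signing policy with /kp, which is the check the plain "signtool verify" in the question never applied. All file paths and the PFX name are placeholders; the cross-certificate must be the one Microsoft published for the CA that issued your certificate, and this reflects the Windows 7-era process in the thread (current Windows 10/11 builds have retired cross-signing in favour of Hardware Dev Center attestation signing).

```powershell
# Added example, not part of the original Stack Overflow post.
# Assumed placeholders: driver path, PFX path, cross-certificate path.
param(
    [string]$Driver    = 'C:\build\driver.sys',              # placeholder
    [string]$Pfx       = 'C:\certs\myCert.pfx',              # CA-issued code-signing cert (placeholder)
    [string]$CrossCert = 'C:\certs\microsoft-cross-cert.cer', # MS cross-cert for that CA (placeholder)
    [string]$Timestamp = 'http://timestamp.comodoca.com/authenticode'
)

foreach ($f in @($Driver, $Pfx, $CrossCert)) {
    if (-not (Test-Path -LiteralPath $f)) { throw "missing input file: $f" }
}

# Prompt rather than hard-code the PFX password; signtool still needs it as plain text.
$pfxPassword = Read-Host -Prompt 'PFX password'

# Step 1 + 2 in one signtool call:
#   /f  /p  - sign with the CA-issued certificate (step 1 in Luke's comment)
#   /ac     - attach the Microsoft cross-certificate so the chain reaches the
#             Microsoft Code Verification Root the kernel trusts (step 2)
#   /t      - timestamp, so the signature stays valid after the cert expires
& signtool.exe sign /v /ac $CrossCert /f $Pfx /p $pfxPassword /t $Timestamp $Driver
if ($LASTEXITCODE -ne 0) { throw "signtool sign failed with exit code $LASTEXITCODE" }

# Verify under the kernel-mode driver signing policy. A self-signed or
# test-signed chain can pass the default policy (as in the question) yet fail here,
# which is exactly the case that triggers the "Windows requires a digitally
# signed driver" dialog and the unsigned-driver bug check on x64.
& signtool.exe verify /v /kp $Driver
if ($LASTEXITCODE -ne 0) {
    throw "$Driver does not satisfy the kernel-mode driver signing policy"
}

# Second opinion from PowerShell itself (no /kp equivalent, but shows signer and status).
$sig = Get-AuthenticodeSignature -FilePath $Driver
'{0}: {1} (signer: {2})' -f $Driver, $sig.Status, $sig.SignerCertificate.Subject
```

If you only need to load the driver on a development machine, the test-signing mode from Luke's first comment (`bcdedit /set testsigning on`, then reboot) is the alternative to obtaining a CA certificate and cross-certificate.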