A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #19247  by Stylo
 Fri May 10, 2013 11:24 am
Still having the same issue..
I succeeded in loading drivers only when I boot my machine with F8 - Disable Signature Enforcement Option :?
 #19249  by Vrtule
 Fri May 10, 2013 12:54 pm
Hello,

for driver loading, I use my own DriverLoader (http://www.vrtulex.net/download/delphi/driverloader.zip). It is really simple. Just run it under Administrator (it should show the UAC dialog if not run as admin), enter the file name of the driver, its service name (choose whatever you want here), press Install to install the service and Load to load the driver.

When DriverLoader fails, it displays a message box with the text of the error. In some cases, it displays a blank message box, which means that everything is OK.

Even when you turn driver signing enforcement off, I think that some restrictions on unsigned drivers are still present. I experienced trouble when using modern kernel interfaces like the OB Filtering Model (ObRegisterCallbacks).

You also need to install the test certificate to Trusted Root Certificate Authorities. Did you perform this step on the Windows Server machine too?
 #19250  by EP_X0FF
 Fri May 10, 2013 12:55 pm
@Stylo

Not quite sure what you want to do:

1) be able to load unsigned driver permanently (IIRC it is not impossible, except kernel hack in memory or files on disk)
2) use test signing

Also I would like to know your actions step by step.

For example, based on MSDN information, I successfully signed a test driver with a test certificate and loaded it on Windows 7 SP1. Of course it will work only in test mode and only on the current test machine.

turn on test mode:

1) Run cmd as admin, use bcdedit
bcdedit.exe /set TESTSIGNING ON

Do not use the nointegritychecks option - it is ignored on everything higher than Vista.

2) Reboot - Test Mode watermark should appear on desktop

3) Install WDK; as you are playing with drivers I assume you already have it. You need the signtool and makecert utilities, all located in the "bin" folder, in the subfolder for the architecture used.

4) Create your own test certificate
makecert -r -n "CN=MyCertificate" -ss "MyCertStore" -sr LocalMachine
Note: "-r" is required, as we are creating a self-signed certificate

5) Now add generated certificate to the trusted root certificates -> use mmc console (see http://technet.microsoft.com/en-us/libr ... 54431.aspx for more info).

6) Sign driver. From the same console use:
signtool sign /a /v /s MyCertStore /n "MyCertificate" mydrv.sys
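The steps above chained into one script, with the checks a practitioner wants around them (added example, not EP_X0FF's own code). It assumes an elevated PowerShell, the WDK's makecert.exe and signtool.exe on PATH, and a driver file mydrv.sys; the certificate and store names are the ones from the post. Two things it adds to the post: makecert is also told to write a .cer file, so the same certificate can be imported into Trusted Root on a second test machine, and signtool gets /sm because makecert put the certificate in the LocalMachine store.

```powershell
# Added example (not from the original post). Assumes: elevated PowerShell,
# makecert.exe / signtool.exe from the WDK "bin" folder on PATH, and the
# driver to sign at $DriverPath. Certificate and store names follow the post.
param(
    [string]$DriverPath = ".\mydrv.sys",
    [string]$CertName   = "MyCertificate",
    [string]$StoreName  = "MyCertStore",
    [string]$CerFile    = ".\MyCertificate.cer"
)

function Assert-LastExitCode([string]$Step) {
    if ($LASTEXITCODE -ne 0) { throw "$Step failed with exit code $LASTEXITCODE" }
}

# 1) Check that test signing is already on; the test-signed driver will not
#    load on a reboot without it.
$testsigning = (bcdedit /enum "{current}") | Select-String -Pattern '^testsigning\s+Yes'
if (-not $testsigning) {
    Write-Warning "testsigning is not enabled. Run 'bcdedit /set TESTSIGNING ON' and reboot first."
}

# 2) Create the self-signed test certificate in LocalMachine\MyCertStore.
#    The trailing file name makes makecert also write the public cert to disk;
#    that file is what you copy to a second test machine (e.g. the Windows Server box).
makecert -r -n "CN=$CertName" -ss $StoreName -sr LocalMachine $CerFile
Assert-LastExitCode "makecert"

# 3) Add the public cert to Trusted Root Certification Authorities (same effect
#    as the mmc step in the post; run this line on every test machine).
certutil -addstore -f Root $CerFile
Assert-LastExitCode "certutil -addstore Root"

# 4) Sign the driver with the private key kept in MyCertStore. /sm is needed
#    because the store is under LocalMachine, not the current user.
signtool sign /a /v /sm /s $StoreName /n $CertName $DriverPath
Assert-LastExitCode "signtool sign"

# 5) Verify: /pa uses the default Authenticode policy, so this only passes when
#    the chain ends at a root the machine actually trusts. An untrusted root
#    here is exactly what the .sys Properties dialog complains about.
signtool verify /v /pa $DriverPath
Assert-LastExitCode "signtool verify"
Write-Host "Driver signed and chain verified: $DriverPath"
```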
 #19253  by Stylo
 Fri May 10, 2013 2:04 pm
All right :)
the one thing I forgot is to create a test certificate using makecert.exe :)
It's working great,

Thanks
 #19423  by Microwave89
 Sun May 26, 2013 9:35 am
This is odd.. I never experienced any problems loading drivers when using TESTSIGNING on mode.
It didn't matter either if I created a debug version of my driver with the "USERNAME" test certificate automatically
being installed, or if I used "Driver Signature Enforcement Overrider" to sign the driver after some binary code modifications.
It always loaded on my Win7 SP1 x64 system.

And there was something even more strange: when I tried to run my driver on our Win Server 2008 R2 home server with the BCD testsigning option enabled too, it was successful, but if I went into the properties of the .sys file it was showing that the driver is signed, but the root certificate (e.g. NGO when using DSEO) isn't trusted.
But it was working well though?!

Best Regards - Microwave