Hi,
I'm interested in knowing how one can verify the integrity of the DLL from a kernel-mode driver prior to the DLL being injected into the application. I'm basically looking for a kernel-mode WinVerifyTrustEx. I've seen the https://msdn.microsoft.com/en-us/librar ... s.85).aspx, but it doesn't have an alternative function that can do so easily. There is the BCryptVerifySignature (https://msdn.microsoft.com/en-us/librar ... S.85).aspx) API, but it requires a known hash calculated in advance, which doesn't play well with updates, since when updating the DLL, the kernel driver would also need to be updated (in order to add the expected hash).
Also, parsing the PE file for IMAGE_DIRECTORY_ENTRY_SECURITY seems to be a must, since there is no easy-to-use function that fits the use-case here. Btw: how do the AV companies ensure that the DLL which will be injected from the kernel driver into the supposedly malicious user-mode process is the original DLL from the same AV company? A malicious actor can replace the DLL, so an AV would essentially inject a malicious DLL into the process. Prior to parsing the PE file format, I wanted to ask here whether there's any 'hidden' easy-to-use API or if somebody knows how AV solutions check that the installed DLLs are actually their own (from the same AV company), rather than some malicious binaries.
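The part of the job the post expects to have to write by hand is locating IMAGE_DIRECTORY_ENTRY_SECURITY and computing the hash that the embedded Authenticode signature actually covers. The following is an added example, not code from the poster or from any AV product, written in Python so the layout is easy to read; the offsets and checks carry over one-to-one to the driver's C. It builds a constructed minimal PE32+ image in memory (the "signature" blob is a labelled placeholder, not real PKCS#7 data), walks the WIN_CERTIFICATE entries in the security directory, and computes the Authenticode file hash with the three regions the Authenticode PE spec excludes (the CheckSum field, the security directory entry, and the certificate table) left out. The assumption that sections are in file order (so the spec's sort-by-PointerToRawData step is a no-op) holds for the constructed image and is noted in the code.

```python
"""Locate IMAGE_DIRECTORY_ENTRY_SECURITY in a PE image and compute the
Authenticode file hash (the digest the embedded PKCS#7 SignedData signs).
Constructed example: build_constructed_pe() assembles a minimal PE32+ image in
memory; the "signature" blob is a placeholder, not real PKCS#7 data."""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_REVISION_2_0, WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0200, 0x0002
PE32PLUS_MAGIC = 0x20B   # PE32 (0x10B) has NumberOfRvaAndSizes at +92, directories at +96

class PEFormatError(ValueError):
    """Any layout a kernel-mode parser must refuse: the file is untrusted input."""

def _u16(b, off): return struct.unpack_from("<H", b, off)[0]
def _u32(b, off): return struct.unpack_from("<I", b, off)[0]

def locate_authenticode_regions(image):
    """Return (checksum_off, secdir_off, cert_off, cert_size); every field is
    bounds-checked before use."""
    if len(image) < 64 or image[:2] != b"MZ":
        raise PEFormatError("missing DOS header")
    e_lfanew = _u32(image, 60)
    if e_lfanew + 26 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise PEFormatError("bad e_lfanew / PE signature")
    opt_off = e_lfanew + 24                          # PE\0\0 (4) + IMAGE_FILE_HEADER (20)
    opt_end = opt_off + _u16(image, e_lfanew + 20)   # + SizeOfOptionalHeader
    if _u16(image, opt_off) != PE32PLUS_MAGIC:
        raise PEFormatError("not a PE32+ optional header")
    secdir_off = opt_off + 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if opt_end > len(image) or secdir_off + 8 > opt_end:
        raise PEFormatError("optional header truncated")
    if _u32(image, opt_off + 108) <= IMAGE_DIRECTORY_ENTRY_SECURITY:   # NumberOfRvaAndSizes
        raise PEFormatError("no security directory entry")
    # Unlike every other directory, this VirtualAddress is a raw file offset.
    cert_off, cert_size = _u32(image, secdir_off), _u32(image, secdir_off + 4)
    # Authenticode hashes everything before the table, so the table must be the
    # last thing in the file; unsigned images and trailing data are refused.
    if cert_size == 0 or cert_off % 8 or cert_off + cert_size != len(image):
        raise PEFormatError("certificate table missing or not at end of file")
    return opt_off + 64, secdir_off, cert_off, cert_size   # CheckSum is at +64

def parse_certificate_table(image):
    """Walk the 8-byte-aligned WIN_CERTIFICATE entries: (wRevision, wCertificateType, bCertificate)."""
    _, _, pos, cert_size = locate_authenticode_regions(image)
    end, entries = pos + cert_size, []
    while pos < end:
        if pos + 8 > end:
            raise PEFormatError("truncated WIN_CERTIFICATE header")
        length = _u32(image, pos)                    # dwLength includes the 8-byte header
        if length < 8 or pos + length > end:
            raise PEFormatError("WIN_CERTIFICATE length out of range")
        entries.append((_u16(image, pos + 4), _u16(image, pos + 6),
                        bytes(image[pos + 8:pos + length])))
        pos += (length + 7) & ~7
    return entries

def authenticode_hash(image, algo="sha256"):
    """Digest with CheckSum, the security directory entry and the certificate table
    skipped. Assumption: sections are in file order, so no re-sorting is needed."""
    checksum_off, secdir_off, cert_off, _ = locate_authenticode_regions(image)
    h = hashlib.new(algo)
    h.update(image[:checksum_off])
    h.update(image[checksum_off + 4:secdir_off])
    h.update(image[secdir_off + 8:cert_off])
    return h.digest()

def build_constructed_pe(cert_blob, section_data=b"\xC3" * 16):
    """Constructed minimal PE32+: headers, one section, then a WIN_CERTIFICATE holding cert_blob."""
    e_lfanew, opt_size = 0x80, 112 + 16 * 8
    headers_size = (e_lfanew + 24 + opt_size + 40 + 0x1FF) & ~0x1FF   # FileAlignment 0x200
    cert_off = (headers_size + len(section_data) + 7) & ~7
    cert_table = struct.pack("<IHH", 8 + len(cert_blob), WIN_CERT_REVISION_2_0,
                             WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
    cert_table = cert_table.ljust((len(cert_table) + 7) & ~7, b"\0")
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 60, headers_size)              # SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     cert_off, len(cert_table))                # security directory
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x2022)
    sect = b".text\0\0\0" + struct.pack("<IIII", len(section_data), 0x1000,
                                         len(section_data), headers_size) + b"\0" * 16
    body = (dos + b"PE\0\0" + file_hdr + bytes(opt) + sect).ljust(headers_size, b"\0")
    return (body + section_data).ljust(cert_off, b"\0") + cert_table

def demo():
    """Returns (swapping_the_signature_keeps_hash, tampering_with_code_changes_hash)."""
    image = build_constructed_pe(b"PLACEHOLDER-PKCS7-SIGNEDDATA")
    resigned = build_constructed_pe(b"OTHER-PLACEHOLDER")      # different table size too
    tampered = bytearray(image)
    tampered[0x200] ^= 0xFF                                    # first byte of .text
    return (authenticode_hash(image) == authenticode_hash(resigned),
            authenticode_hash(image) != authenticode_hash(bytes(tampered)))
```

What the hash buys you is the answer to the update problem in the post: the driver does not need to know the DLL's hash in advance. It computes this digest over the file it is about to inject, then checks that the PKCS#7 SignedData in the certificate table contains the same digest (in its SpcIndirectDataContent) and that the signer chains to the vendor's own code-signing certificate, which is the only thing pinned in the driver. Parsing and verifying the PKCS#7 and X.509 structures in kernel mode is the part this example does not show and is where most of the work lies. Two caveats a practitioner would add: verify the same bytes you inject (hashing a file on disk and then mapping it again opens a window in which the file can be swapped), and treat every length and offset read from the image as hostile, as the bounds checks above do, since a malformed DLL planted by an attacker is exactly the input this code must survive.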