Hi!
For research purposes I want exactly this:
1. Read some kernel mode module, for instance driver.sys, from disk into kernel memory and verify its digital signature, i.e. that it is allowed to be loaded in the kernel.
2. If the digital signature of driver.sys on disk is valid, I need to check that the driver.sys image in memory (system process) is not modified and that its code is completely equal to the code of the driver.sys file.
As far as I know so far:
For 1) I can use the ci.dll exported function CiCheckSignedFile for that.
2) As I understand it, I can use the CiValidateImageHeader and CiValidateImageData functions inside ci.dll, but these functions use g_CiOptions, which can be corrupted.
Maybe it is a bad idea to use ci.dll? Can somebody advise me with an example of reading the embedded signature inside a PE file and verifying it using some crypto library like OpenSSL or mbedtls that is suitable for kernel mode too?
Thanks
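The two parts of the question map onto two concrete checks: computing the Authenticode digest of the on-disk PE (the value that the embedded PKCS#7 SignedData actually commits to, which must be computed with the CheckSum field, the security data directory entry and the certificate table excluded) and then comparing a section's raw bytes against the loaded image. The following is an added example, not code from the original post or from ci.dll; it is written in user-mode Python to show the parsing and hashing rules, constructs a minimal PE32+ in memory with a placeholder certificate table (the blob is not a real signature), and leaves the PKCS#7/chain verification to whatever crypto library is chosen. Function names, the sample image and the `map_image` loader simulation are assumptions for the demo.

```python
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def parse_pe(data):
    """Parse just the header fields a digest/compare needs (PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:       # PE32: data directories start at optional header + 96
        dirs_off = opt_off + 96
    elif magic == 0x20B:     # PE32+: data directories start at optional header + 112
        dirs_off = opt_off + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sec_dir_off = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", data, sec_dir_off)  # file offset, not RVA
    sections, hdr = [], opt_off + opt_size
    for _ in range(num_sections):
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((name, vsize, va, rsize, rptr))
        hdr += 40
    return {"checksum_off": opt_off + 64, "sec_dir_off": sec_dir_off,
            "size_of_headers": struct.unpack_from("<I", data, opt_off + 60)[0],
            "cert_off": cert_off, "cert_size": cert_size, "sections": sections}


def authenticode_digest(data, algo="sha256"):
    """Hash the PE the way Authenticode does: skip CheckSum, the security directory
    entry and the certificate table; hash headers, then sections in file order."""
    pe = parse_pe(data)
    h = hashlib.new(algo)
    cs, sd, soh = pe["checksum_off"], pe["sec_dir_off"], pe["size_of_headers"]
    h.update(data[:cs])
    h.update(data[cs + 4:sd])
    h.update(data[sd + 8:soh])
    hashed = soh
    for _, _, _, rsize, rptr in sorted(pe["sections"], key=lambda s: s[4]):
        if rsize:
            h.update(data[rptr:rptr + rsize])
            hashed += rsize
    # Overlay data after the last section is hashed too, minus the certificate table.
    cert_start, cert_end = pe["cert_off"], pe["cert_off"] + pe["cert_size"]
    if hashed < len(data):
        if pe["cert_size"]:
            h.update(data[hashed:cert_start])
            h.update(data[cert_end:])
        else:
            h.update(data[hashed:])
    return h.hexdigest()


def embedded_signatures(data):
    """Walk the WIN_CERTIFICATE entries and return the PKCS#7 SignedData blobs.
    Verifying chain and SpcIndirectDataContent digest is the crypto-library step."""
    pe = parse_pe(data)
    off, end, blobs = pe["cert_off"], pe["cert_off"] + pe["cert_size"], []
    while off + 8 <= end:
        length, _revision, ctype = struct.unpack_from("<IHH", data, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        if ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            blobs.append(data[off + 8:off + length])
        off += (length + 7) & ~7  # entries are 8-byte aligned
    return blobs


def compare_section(file_data, image, name):
    """Compare a section's raw bytes on disk with the loaded image (bytes laid out by
    RVA, as the kernel maps it). Returns the RVAs that differ. On a real driver the
    relocation targets and the IAT must be masked out before comparing."""
    for sname, vsize, va, rsize, rptr in parse_pe(file_data)["sections"]:
        if sname == name:
            n = min(vsize, rsize)
            disk, mem = file_data[rptr:rptr + n], image[va:va + n]
            if len(mem) < n:
                raise ValueError("image too small for section %s" % name)
            return [va + i for i in range(n) if disk[i] != mem[i]]
    raise KeyError(name)


def map_image(file_data):
    """Lay the file out by RVA as a loader would (no relocations or imports applied)."""
    pe = parse_pe(file_data)
    size = max(va + max(vsize, rsize) for _, vsize, va, rsize, _ in pe["sections"])
    img = bytearray(size)
    img[:pe["size_of_headers"]] = file_data[:pe["size_of_headers"]]
    for _, _, va, rsize, rptr in pe["sections"]:
        img[va:va + rsize] = file_data[rptr:rptr + rsize]
    return bytes(img)


def build_sample_pe():
    """Constructed minimal PE32+: one .text section plus a placeholder certificate
    table. The certificate body is a marker string, NOT a real PKCS#7 signature."""
    text = bytes.fromhex("4889c8c3").ljust(0x200, b"\xcc")  # tiny stub, int3-padded
    body = b"PLACEHOLDER-PKCS7-BLOB"
    cert = struct.pack("<IHH", 8 + len(body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
    cert = cert.ljust((len(cert) + 7) & ~7, b"\0")
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 16, 0x1000)            # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)       # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)    # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)    # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)        # CheckSum (excluded from digest)
    struct.pack_into("<I", opt, 108, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x400, len(cert))
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), 0x200,
                      0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0")
    return headers + text + cert


if __name__ == "__main__":
    sample = build_sample_pe()
    print("authenticode sha256:", authenticode_digest(sample))
    print("signature blobs:", embedded_signatures(sample))
    print("differing RVAs in .text:", compare_section(sample, map_image(sample), ".text"))
```

The point the checks demonstrate: flipping the CheckSum field or any byte of the certificate table leaves the Authenticode digest unchanged (those regions are outside what the signature covers), while a single byte change in `.text` alters it; and a byte patched in the mapped `.text` shows up as a differing RVA even though the file on disk still verifies. That is exactly why step 2 cannot be skipped once step 1 passes. The returned PKCS#7 blob is what an OpenSSL or mbedtls `PKCS7`/`SignedData` verifier would consume, with the digest above compared against the `messageDigest` inside `SpcIndirectDataContent`.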