A forum for reverse engineering, OS internals and malware analysis 

 #29616  by ccoleman
 Fri Nov 25, 2016 3:47 pm
Hello,

I've been following the following tutorial and getting started on my first driver - http://www.codeproject.com/Articles/950 ... to-Drivers

I wanted to quickly clarify the following: Is it absolutely necessary to be in the test signing boot mode in order to get a test mode driver installed? For whatever reason, I thought the point of a test signature meant that the developing computer could load it without needing to boot into this mode.

Thank you!
 #29617  by ccoleman
 Fri Nov 25, 2016 4:45 pm
Oy I'm dumb. I found the answer using the search functionality here in the forums. It appears this is the case. Here are some of the links in case this thread isn't deleted and is found via a Google search or something (I couldn't find any helpful stuff via a Google search - I bet I was using the wrong keywords though):

1. Loading x64 Kernel Mode Code - http://www.kernelmode.info/forum/viewto ... =14&t=3067
2. Signing and Loading Drivers - http://www.kernelmode.info/forum/viewto ... 698&p=2502
3. Defeating x64 Driver Signature Enforcement - http://www.kernelmode.info/forum/viewto ... =11&t=3322
4. Kernel Mode Signing - http://www.kernelmode.info/forum/viewto ... f=2&t=2777
5. Driver Signing for x64 Windows - http://www.kernelmode.info/forum/viewto ... =14&t=1824

This had an interesting piece of info:
Yes, it's true. Either you purchase a cert from a root CA or you boot with testsigning enabled. Third option would be to just bypass the check in MmLoadSystemImage but in your case that would require modification of not only the kernel but the Windows boot sequence as well.

Also, the actual raw data for the text in the bottom right "Test Mode" is stored in user32.dll.mui and you can easily null it out. - everdox
Also, it had a few hints at a few cheap options to get your own signing. $100? Still looking for it, but it gave me hope.

6. Installing Test-Signed Driver Packages - https://msdn.microsoft.com/en-us/window ... r-packages

Hope it helps someone!
 #29620  by Vrtule
 Fri Nov 25, 2016 8:25 pm
Hello,

yes, there are some CAs that sell KMCS certificates for quite a low price. But keep in mind that you need to verify yourself (or your company) to them before they issue you a certificate. The verification process might be quite tricky since different laws apply in different countries. Some of the CAs also do not issue certificates to individuals, only to companies.

Furthermore, Windows 10 Anniversary Update placed additional restrictions (if not, MS plans to do so). To load drivers on such systems (with Secure Boot enabled), you need an EV certificate which is AFAIK issued only to companies and is more expensive ($750 from Symantec). At present, my certificate, bought last year, seems to be working so far but I think that would not be the case for a new one (KMCS certificates are usually valid for one year).

I hope Microsoft does something about this, so we, the hobbyists, will be able to continue our work.

Vrtule
 #29650  by tangptr
 Tue Nov 29, 2016 9:07 am
There are some issues which should be noticed.
If your driver is developed for Intel x86-32, no matter what the boot mode is, it could be loaded if not blocked deliberately and purposefully by other sort of interception, for example, Anti-Virus.
If your driver is developed for AMD64, it requires TESTSIGNING boot mode if the DSE, the acronym that stands for Digital Signature Enforcement, is not disabled.
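
As an added example (not part of any post in this thread), a read-only PowerShell check that applies the rules described above to a development machine: it reports whether the current boot is in test-signing mode, what signature the driver file carries, and what that combination implies. The driver path is a placeholder, and the expectation strings encode only the rules stated in the thread; they do not check whether the signing CA is one the kernel accepts.

```powershell
# Added example, not from the thread. Read-only: it changes no boot settings.
param(
    # Hypothetical path; point it at your own driver binary.
    [string]$DriverPath = 'C:\build\example.sys'
)

function Test-TestSigningBoot {
    # The options the loader used for the current boot are recorded in
    # SystemStartOptions; the string contains TESTSIGNING in test mode.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control'
    $opts = (Get-ItemProperty -Path $key -Name SystemStartOptions).SystemStartOptions
    return [bool]($opts -match '\bTESTSIGNING\b')
}

function Get-LoadExpectation {
    param([bool]$Is64Bit, [bool]$TestSigning, [string]$SignatureStatus)

    if (-not $Is64Bit) {
        return '32-bit Windows: signature enforcement does not gate the load.'
    }
    if ($SignatureStatus -eq 'NotSigned') {
        return 'x64: no signature at all. Test mode still needs a (test) signature.'
    }
    if ($SignatureStatus -eq 'HashMismatch') {
        return 'x64: file was modified after signing. Re-sign it.'
    }
    if ($TestSigning) {
        return 'x64, test mode on: a test-signed driver is accepted.'
    }
    return 'x64, test mode off: only a CA-issued kernel-mode signature is accepted.'
}

if (-not (Test-Path -LiteralPath $DriverPath)) {
    throw "Driver not found: $DriverPath"
}

$sig  = Get-AuthenticodeSignature -LiteralPath $DriverPath
$is64 = [Environment]::Is64BitOperatingSystem
$test = Test-TestSigningBoot

[pscustomobject]@{
    Driver      = $DriverPath
    Signer      = $sig.SignerCertificate.Subject   # empty when unsigned
    Status      = $sig.Status
    Is64BitOS   = $is64
    TestSigning = $test
    Expectation = Get-LoadExpectation -Is64Bit $is64 -TestSigning $test -SignatureStatus $sig.Status
} | Format-List
```

A self-signed test certificate that is not in the machine's trusted root store typically shows up here with a status other than `Valid`; that is expected for test signing and is why the boot mode matters on x64.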
 #29651  by tangptr
 Tue Nov 29, 2016 9:24 am
Vrtule wrote:
Hello,

yes, there are some CAs that sell KMCS certificates for quite a low price. But keep in mind that you need to verify yourself (or your company) to them before they issue you a certificate. The verification process might be quite tricky since different laws apply in different countries. Some of the CAs also do not issue certificates to individuals, only to companies.

Furthermore, Windows 10 Anniversary Update placed additional restrictions (if not, MS plans to do so). To load drivers on such systems (with Secure Boot enabled), you need an EV certificate which is AFAIK issued only to companies and is more expensive ($750 from Symantec). At present, my certificate, bought last year, seems to be working so far but I think that would not be the case for a new one (KMCS certificates are usually valid for one year).

I hope Microsoft does something about this, so we, the hobbyists, will be able to continue our work.

Vrtule
I couldn't agree more. Nevertheless, the digital signature in China is typically not so difficult to purchase. Something worse is that the personal information could be bought for about ¥100 (approximately $15). In addition, the price of an EV certificate is about ¥4900 (approximately $710) if you buy it from WoSign. To summarize, the EV Digital Signature could be bought cheaper than buying from Symantec with no/weak verification, for the information could be correct but incorrect.
 #29656  by Vrtule
 Tue Nov 29, 2016 6:15 pm
I heard that WoSign has some trust-related problems with their SSL certificates, so I am not sure how long they will be trusted by the kernel.

Symantec was quite strict when verifying my identity. I had to sign a letter connecting me and my passport to online information provided to Symantec in the certificate order. I had to sign the letter in front of a Notary Public which proved to be really non-trivial to accomplish, since standard Czech notaries refused to do this. The fact that none of them was able to advise me what to do (I contacted three of them) was even more frustrating. After some time, I got advice to visit the US embassy that also provides notarization services and that worked perfectly (although it cost me some extra $50). Well, ladies at Symantec/VeriSign support were really nice and polite to me, however, not very helpful.

The good thing was that certificate renewal was really smooth (I just proved ownership of the private key) until this year. It seems they have a new interface for certificate purchase, so I hope that my user information was not lost, since I really do not wish to go through the verification process once more :-).
 #29658  by Brock
 Wed Nov 30, 2016 2:39 am
I can definitely attest to what Vrtule has said, my original vetting process with multiple companies (GlobalSign, Verisign, Comodo etc.) was quite stringent and strict. Once you're cleared however the renewal process is much smoother since you've already been established within their system. Good information Vrtule, it will help many others undoubtedly. Thanks!
 #29678  by Vrtule
 Fri Dec 02, 2016 3:43 pm
Well, Symantec stopped issuing KMCS certificates for individuals, so it seems I need to look around for another CA and go through the verification process once again :-(.

@Brock:

1) You seem to have some experience with obtaining KMCS certificates (and possibly the EV ones for Windows 10). Can you elaborate a little bit on how the verification process is done for companies (I am interested both in OV and EV cases)?

2) Do I still need two KMCS certificates (the "normal" (OV) one and the EV one) to make my drivers work on all Windows versions, or did something change in these matters? I remember that there were (and probably are) many tales and confusion related to driver signing in the past few years.

Thanks.
 #30606  by Vrtule
 Sun Jul 16, 2017 12:29 am
I found out that Certum still allows individuals to purchase (kernel mode) code signing certificates. They even have a kind of discount for open source developers which is fine. The identity verification process seems to be much smoother than with VeriSign/Symantec – I have just sent necessary documents (ID, utility bill) and got a certificate.

The good-and-bad thing is that the private key seems to be distributed on smart cards only which may complicate the signing process a little bit since my Visual Studio 2015 shows some signs of being broken (at least in the project properties dialogs).