John

Reputation: 15

Windows Driver - Unable to sign my own driver correctly

I am very much a beginner in Windows driver development. I have written a simple DbgPrint() .sys driver.

After a lot of searching, I found that on the x86 architecture signing a .sys driver is optional, but on x64 it is mandatory. So I created a certificate manually:

makecert -r -n "CN=MyCompany" -ss MyCompanyCertStore -sr LocalMachine

After that, I have exported it as (e.g.) GlobalSign.cer and added to my certificates list:

certmgr.exe -add GlobalSign.cer -c -s -r localMachine Root
certmgr.exe -add GlobalSign.cer -c -s -r localMachine TrustedPublisher

Then I put MyDriver1.sys and MyDriver1.inf in the c:\MyDriver1 folder and created the catalog file:

inf2cat /driver:"c:\MyDriver1" /os:7_x64

And have signed it:

SignTool sign /s MyCompanyCertStore /n MyCompany /t http://timestamp.verisign.com/scripts/timestamp.dll c:\MyDriver1\mydriver1.cat

Finished! But when I load MyDriver1.sys in OSR Driver Loader program, it shows this error:

---------------------------
OSRLOADER
---------------------------
Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

---------------------------
OK   
---------------------------

I don't know why.

Note: There is only a MyDriver1.inf entry in the Security Catalog tab of the catalog file, and I cannot add a MyDriver1.sys entry.

Here is the content of MyDriver1.inf (originally produced by Visual Studio; I have only changed CatalogFile= to CatalogFile=mydriver1.cat):

;
; MyDriver1.inf
;

[Version]
Signature="$WINDOWS NT$"
Class=
ClassGuid=
Provider=
DriverVer=09/21/2017,21.4.29.698
CatalogFile=

[DestinationDirs]
DefaultDestDir = 12


[SourceDisksNames]
1 = %DiskName%,,,""

[SourceDisksFiles]


[Manufacturer]
%ManufacturerName%=Standard,NTamd64

[Standard.NTamd64]


[Strings]
ManufacturerName=""
ClassName=""
DiskName="MyDriver1 Source Disk"

Upvotes: 0

Views: 437

Answers (1)

conio

Reputation: 3718

KMCS doesn't use the certificate store (which is implemented in user-mode, so that makes a lot of sense...).

The root certificate of the certificate chain signing your driver has to be one of the ones listed on the Cross-Certificates for Kernel Mode Code Signing page.

Upvotes: 1
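The question also notes that the catalog lists only MyDriver1.inf, and the INF as posted has an empty CatalogFile= and an empty [SourceDisksFiles]. The following pre-signing check is an added example, not code from either poster; it assumes Inf2Cat catalogs only the files the INF references, and `parse_inf` and `presign_findings` are hypothetical helper names.

```python
import re

# Relevant sections of the INF as posted in the question.
POSTED_INF = '''
[Version]
Signature="$WINDOWS NT$"
Class=
ClassGuid=
Provider=
DriverVer=09/21/2017,21.4.29.698
CatalogFile=

[SourceDisksNames]
1 = %DiskName%,,,""

[SourceDisksFiles]

[Standard.NTamd64]
'''

def parse_inf(text):
    """Return {section_lower: [(key, value), ...]}; ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1).strip().lower(), [])
        elif current is not None:
            key, _, value = line.partition("=")
            current.append((key.strip(), value.strip().strip('"')))
    return sections

def presign_findings(inf_text, driver_file):
    """List reasons a generated catalog would not cover driver_file."""
    s = parse_inf(inf_text)
    version = {k.lower(): v for k, v in s.get("version", [])}
    findings = []
    if not version.get("catalogfile"):
        findings.append("CatalogFile= is empty")
    listed = {k.lower() for k, _ in s.get("sourcedisksfiles", [])}
    if driver_file.lower() not in listed:
        findings.append(f"{driver_file} not listed in [SourceDisksFiles]")
    return findings

if __name__ == "__main__":
    print("\n".join(presign_findings(POSTED_INF, "MyDriver1.sys")))
```

A catalog that does cover the .sys still does not satisfy the answer's point: the signing chain must end in one of the roots listed for kernel-mode code signing, which a self-signed makecert certificate does not.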
