Hello,
I have enabled test signing on my Win10x64 VM and I am trying to load a protected service using an ELAM driver (using the elamsample source, of course). For that purpose I have generated two self-signed certificates: one for the driver and one for the service. That's how I did it:
makecert.exe -a SHA256 -r -pe -ss PrivateCertStore -n "CN=TestElam" -eku 1.3.6.1.4.1.311.61.4.1,1.3.6.1.5.5.7.3.3 -sr localmachine c:\test\TestElam.cer
makecert.exe -a SHA256 -r -pe -ss PrivateCertStore -n "CN=TestSrv" -eku 1.1.1.1,1.3.6.1.5.5.7.3.3 -sr localmachine c:\test\TestSrv.cer
I sign both binaries in the post-build step like this:
signtool.exe sign /fd SHA256 /a /v /ph /debug /s "PrivateCertStore" /n "TestElam" /t http://timestamp.verisign.com/scripts/timestamp.dll $(OutDir)elamsample.sys
signtool.exe sign /fd SHA256 /a /v /ph /debug /s "PrivateCertStore" /n "TestSrv" /t http://timestamp.verisign.com/scripts/timestamp.dll $(OutDir)Srv.exe
Afterwards I run the following command: certmgr.exe -v $(OutDir)Srv.exe and get the hash as explained here:
https://msdn.microsoft.com/en-us/library/windows/desktop/dn313124(v=vs.85).aspx
I embed the following structure into the resource file of the driver:
MicrosoftElamCertificateInfo MSElamCertInfoID
{
    1,        // Number of entries
    L"138C94AFE91287D59B972742FB7839992060649A9DFFB8900C16DDA8E1E23354", // hash obtained by running "certmgr.exe -v $(OutDir)Srv.exe"
    0x800c,   // hash algorithm (CALG_SHA_256)
    L"1.1.1.1", // EKU(s)
}
I reconfigure the service to run as protected using an external app, in order not to tamper with the signature, like this:
SERVICE_LAUNCH_PROTECTED_INFO Info = { 0 };
Info.dwLaunchProtected = SERVICE_LAUNCH_PROTECTED_ANTIMALWARE_LIGHT;
// schService is the handle opened with OpenService for the service being configured
ChangeServiceConfig2(schService, SERVICE_CONFIG_LAUNCH_PROTECTED, &Info);
Rebuild the driver and reboot. The driver loads, the system boots correctly and everything looks good; however, when I try to start my service I get error 577 (ERROR_INVALID_IMAGE_HASH).
I think I have followed the protocol, so can anyone please help here?
Thanks a lot,
Dmitry
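The two values the resource entry carries, the certificate hash and the EKU list, are the usual source of ERROR_INVALID_IMAGE_HASH when they do not match the certificate that actually signed the service. The following is an added, offline check (not code from the post or from the elamsample project) that parses a DER certificate, computes the hash the entry is assumed to need (SHA-256 over the DER-encoded tbsCertificate, i.e. the TBS hash for algorithm 0x800C, rather than the certificate thumbprint) and lists the EKU OIDs; the certificate bytes are a constructed skeleton, and a real certificate exported from the store can be passed in its place.

```python
"""Added check (not from the post): does a DER certificate match the hash and EKUs in a
MicrosoftElamCertificateInfo entry? Assumes the entry hash is SHA-256 over the DER-encoded
tbsCertificate (the TBS hash certmgr -v prints, algorithm 0x800C), not the cert thumbprint."""
import hashlib

def der_children(buf):
    """Yield (tag, value, whole_tlv) for each TLV inside a constructed DER value."""
    pos = 0
    while pos < len(buf):
        start, tag, ln, pos = pos, buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:  # long-form length: low 7 bits give the length's byte count
            n = ln & 0x7F
            ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[pos:pos + ln], buf[start:pos + ln]
        pos += ln

def oid_decode(raw):
    """Base-128 OID payload -> dotted string, e.g. bytes 55 1D 25 -> '2.5.29.37'."""
    arcs, cur = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, cur = arcs + [cur], 0
    return ".".join(map(str, arcs))

def tbs_sha256(cert_der):
    _, cert_body, _ = next(der_children(cert_der))  # outer Certificate SEQUENCE
    return hashlib.sha256(next(der_children(cert_body))[2]).hexdigest().upper()  # tbs TLV, header included

def cert_ekus(cert_der):
    """Dotted OIDs from the extKeyUsage (2.5.29.37) extension, [] when absent."""
    tbs = next(der_children(next(der_children(cert_der))[1]))[1]
    for tag, val, _ in der_children(tbs):
        if tag != 0xA3: continue  # [3] EXPLICIT Extensions
        for _, ext, _ in der_children(next(der_children(val))[1]):
            fields = list(der_children(ext))  # extnID, optional critical, extnValue
            if oid_decode(fields[0][1]) == "2.5.29.37":
                eku_seq = next(der_children(fields[-1][1]))[1]  # SEQUENCE inside the OCTET STRING
                return [oid_decode(v) for _, v, _ in der_children(eku_seq)]
    return []

def matches_elam_entry(cert_der, entry_hash, entry_ekus):
    """True when the TBS hash equals the entry's and every listed EKU is present."""
    return tbs_sha256(cert_der) == entry_hash.upper() and set(entry_ekus) <= set(cert_ekus(cert_der))
# Constructed sample: a skeleton certificate carrying only the fields inspected above.
def der(tag, payload): return bytes([tag, len(payload)]) + payload  # short-form lengths suffice here
EKU_EXT = der(0x30, der(0x06, bytes.fromhex("551D25")) + der(0x04, der(0x30, der(0x06, bytes.fromhex("290101")) + der(0x06, bytes.fromhex("2B06010505070303")))))
TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0xA3, der(0x30, EKU_EXT)))
SAMPLE_CERT = der(0x30, TBS + der(0x30, b"") + der(0x03, b"\x00"))
SAMPLE_TBS_HASH = hashlib.sha256(TBS).hexdigest().upper()  # the value the resource entry should carry
```

Feed the DER bytes of the TestSrv certificate to matches_elam_entry together with the hash and EKU string from the resource; a False result with a correct EKU list points at the hash (thumbprint or file hash used instead of the TBS hash), and an empty EKU list means the certificate does not carry 1.1.1.1 at all.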