Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.More Info on Driver Writing and Debugging
The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.
Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/
RE: ELAM driver and protected process problem
OSR_Community_User
Member Posts: 110,217
In the MSDN page, you have:
"Note SHA256 file/page hashes must be used, though certificates may continue to be SHA1"
Error 577 is returned by InstallELAMCertificateInfo when the driver is signed with a file hash algorithm that is not strong enough (sha1).
In the driver signing property page, set the 'File Hash Algorithm' to 'sha256' (at least). Use the same algorithm for the user binary.
it should work with two self-signed certificates for test-signing (2 EKU for the driver, namely ELAM and Code Signing, and only Code Signing EKU for the user certificate).
The certificates are created with the following commands (no admin privilèges needed):
makecert.exe -a SHA256 -r -pe -ss my -n "CN=TestSrv" -eku 1.3.6.1.5.5.7.3.3 TestSrv.cer
makecert.exe -a SHA256 -r -pe -ss my -n "CN=TestElam" -eku 1.3.6.1.4.1.311.61.4.1,1.3.6.1.5.5.7.3.3 TestElam.cer
Certificates are stored in the user personal store (dev machine). They are listed by signtool along with their SHA1 fingerprint when signtool is launched with the /v (verbose) option.
Don’t forget to add both certificates to the target machine’s approved editors and approved root CA stores.
Here is the resource added to the driver's binary:
MicrosoftElamCertificateInfo MSElamCertInfoID
{
1, // count of entries, number of maximum entries allowed is 3
L"F84AD274007D589BA3416CC800F3632D9FC1CEF115E81F51C2841098E1E90D5C\0", // certmgr.exe /v path\to\user\binary.exe
0x800C, // the user binary is signed with the sha256 file hash algorith (like the driver binary).
L"\0", //No EKU other then code signing EKU is present in the certificate used to sign the user binary.
}
The user service is a basic service written with a C# VS template documented there:
https://docs.microsoft.com/en-us/dotnet/framework/windows-services/walkthrough-creating-a-windows-service-application-in-the-component-designer
The user binary is signed with the following command (Post-build):
"C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /fd SHA256 /a /v /ph /sha1 6EAE19B1271E74E937D21DB886308F9F09816114 "$(TargetDir)$(TargetFileName)"
The user certificate is identified with its SHA1 fingerprint but the binary is signed with the sha256 file hash algorithm (/fd sha256).
It is working perfectly:
PROCESS ffffb58de616f600
SessionId: 0 Cid: 095c Peb: e4e6f65000 ParentCid: 0240
DirBase: 3d23e000 ObjectTable: ffff8b80d96df540 HandleCount: 183.
Image: MyWindowsService.exe
kd> dt nt!_EPROCESS Protection ffffb58de616f600
+0x6ca Protection : _PS_PROTECTION
kd> dt nt!_PS_PROTECTION ffffb58de616f600+0x6ca
+0x000 Level : 0x31 '1'
+0x000 Type : 0y001
+0x000 Audit : 0y0
+0x000 Signer : 0y0011
Type is 1, indicating that the service is a protected process.
H. G.
"Note SHA256 file/page hashes must be used, though certificates may continue to be SHA1"
Error 577 is returned by InstallELAMCertificateInfo when the driver is signed with a file hash algorithm that is not strong enough (sha1).
In the driver signing property page, set the 'File Hash Algorithm' to 'sha256' (at least). Use the same algorithm for the user binary.
it should work with two self-signed certificates for test-signing (2 EKU for the driver, namely ELAM and Code Signing, and only Code Signing EKU for the user certificate).
The certificates are created with the following commands (no admin privilèges needed):
makecert.exe -a SHA256 -r -pe -ss my -n "CN=TestSrv" -eku 1.3.6.1.5.5.7.3.3 TestSrv.cer
makecert.exe -a SHA256 -r -pe -ss my -n "CN=TestElam" -eku 1.3.6.1.4.1.311.61.4.1,1.3.6.1.5.5.7.3.3 TestElam.cer
Certificates are stored in the user personal store (dev machine). They are listed by signtool along with their SHA1 fingerprint when signtool is launched with the /v (verbose) option.
Don’t forget to add both certificates to the target machine’s approved editors and approved root CA stores.
Here is the resource added to the driver's binary:
MicrosoftElamCertificateInfo MSElamCertInfoID
{
1, // count of entries, number of maximum entries allowed is 3
L"F84AD274007D589BA3416CC800F3632D9FC1CEF115E81F51C2841098E1E90D5C\0", // certmgr.exe /v path\to\user\binary.exe
0x800C, // the user binary is signed with the sha256 file hash algorith (like the driver binary).
L"\0", //No EKU other then code signing EKU is present in the certificate used to sign the user binary.
}
The user service is a basic service written with a C# VS template documented there:
https://docs.microsoft.com/en-us/dotnet/framework/windows-services/walkthrough-creating-a-windows-service-application-in-the-component-designer
The user binary is signed with the following command (Post-build):
"C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /fd SHA256 /a /v /ph /sha1 6EAE19B1271E74E937D21DB886308F9F09816114 "$(TargetDir)$(TargetFileName)"
The user certificate is identified with its SHA1 fingerprint but the binary is signed with the sha256 file hash algorithm (/fd sha256).
It is working perfectly:
PROCESS ffffb58de616f600
SessionId: 0 Cid: 095c Peb: e4e6f65000 ParentCid: 0240
DirBase: 3d23e000 ObjectTable: ffff8b80d96df540 HandleCount: 183.
Image: MyWindowsService.exe
kd> dt nt!_EPROCESS Protection ffffb58de616f600
+0x6ca Protection : _PS_PROTECTION
kd> dt nt!_PS_PROTECTION ffffb58de616f600+0x6ca
+0x000 Level : 0x31 '1'
+0x000 Type : 0y001
+0x000 Audit : 0y0
+0x000 Signer : 0y0011
Type is 1, indicating that the service is a protected process.
H. G.
Post edited by Peter_Viscarola_(OSR) on
Howdy, Stranger!
| Upcoming OSR Seminars | ||
|---|---|---|
| OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead! | ||
| Kernel Debugging | 16-20 October 2023 | Live, Online |
| Developing Minifilters | 13-17 November 2023 | Live, Online |
| Internals & Software Drivers | 4-8 Dec 2023 | Live, Online |
| Writing WDF Drivers | 10-14 July 2023 | Live, Online |
Comments
MicrosoftElamCertificateInfo structure in the .rc file. The MSDN document is hard to understand.
Dmitry
Hi Team
It is really helpful and I am achieved following your steps and worked fine for me. Now , I need to stop the protected mode service which started by ELAM driver through a user mode application. how can it be done? please