How to verify signatures of a PE in kernel mode?

I am writing a mini-filter driver and I need to check the signature of a PE file in it. I know how to do it in user mode and it works fine. Now I need to do the same in my driver, and I am clueless. Any suggestions on how to verify PE signatures in kernel mode?

Thanks in advance. Can you provide any solution?

Do it in user mode. See FltCreateSectionForDataScan.

And, just for completeness, this does only check the signature of the file on disk. It might not really have anything to do with the running executable (e.g. due to process hollowing).


Hi, I am trying to find the file type by reading the first four bytes of a file. Can you provide any solution for this?

How about using the Windows code integrity APIs?

@ANTUCW I have now replied to three of your posts. Each time you have ignored the response and just asked the same question again. Clearly you’re not looking for help and just want/need someone to give you code to do this so I’m going to stop wasting my time.