Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

How to verify signatures of a PE in kernel mode?

ANTUCWANTUCW Member Posts: 9

I am writing a mini-filter driver and I need to check the signature of a PE file in it. I know how to do it in user mode and it works fine. Now I need to do the same in my driver, I am clueless. Any suggestions on how to verify PE signatures in kernel mode?

Thanks in advance. Can you provide any solution.

Comments

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,142

    Do it in user mode. See FltCreateSectionForDataScan.

    And, just for completeness, this does only check the signature of the file on disk. It might not really have anything to do with the running executable (e.g. due to process hollowing).

    -scott
    OSR

  • ANTUCWANTUCW Member Posts: 9

    HI i am trying to find the file type by reading first four bytes of a file. can you provide any solution for this.

  • AlbertAlbert Member - All Emails Posts: 409
    via Email
    How about using Windows code integrity apis?
  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,142

    @ANTUCW I have now replied to three of your posts. Each time you have ignored the response and just asked the same question again. Clearly you're not looking for help and just want/need someone to give you code to do this so I'm going to stop wasting my time.

    -scott
    OSR

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
Developing Minifilters 29 July 2019 OSR Seminar Space
Writing WDF Drivers 23 Sept 2019 OSR Seminar Space
Kernel Debugging 21 Oct 2019 OSR Seminar Space
Internals & Software Drivers 18 Nov 2019 Dulles, VA