Process Hacker and Secure Boot

IanM  Member  Posts: 34

Hi,

We have found that we can install Process Hacker 2.39124 on Windows 10 1809 17763.316 in a VMWare VM with secure boot enabled. We think that the secure boot is working correctly because it will prevent our counter-signed filter driver from being installed whereas it will allow our Microsoft cross-signed driver to be installed. Does anyone know why the Process Hacker driver kprocesshacker.sys which is only counter-signed, is able to get installed with secure boot enabled?

Thanks,

Ian.

Comments

  • Tim_Roberts  Member  Posts: 12,969
    via Email
    IanM wrote:
    > We have found that we can install Process Hacker 2.39124 on Windows 10 1809 17763.316 in a VMWare VM with secure boot enabled. We think that the secure boot is working correctly because it will prevent our counter-signed filter driver from being installed whereas it will allow our Microsoft cross-signed driver to be installed. Does anyone know why the Process Hacker driver kprocesshacker.sys which is only counter-signed, is able to get installed with secure boot enabled?

    It is grandfathered. To avoid invalidating the millions of driver packages that exist in the wild, a driver signed and cross-signed with a certificate issued prior to July 2015 is accepted without attestation or WHQL. The Process Hacker driver was signed in March of 2016, and the certificate they used was issued in 2013.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • IanM  Member  Posts: 34

    Thanks very much Tim. We were aware of the grandfathering issue and I don't think it applies to the driver in Process Hacker 2.39124. However, in our attempt to double-check that, we have noticed that the driver is cross-signed using a "Microsoft Code Verification Root" certificate (below). This is different to the root of the certificate that we get when we cross sign ("Microsoft Root Certificate Authority 2010").

    The "Microsoft Code Verification Root" certificate isn't mentioned here but do you think it's just that the documentation is out of date?

    C:\Users\Admin\Desktop>signtool.exe verify /v /all /kp processhacker-2.39-bin\kprocesshacker.sys

    Verifying: processhacker-2.39-bin\kprocesshacker.sys

    Signature Index: 0 (Primary Signature)
    Hash of file (sha1): C2B8C1B34F09A91EFE196F646EF7F9A11190FB8E

    Signing Certificate Chain:
    Issued to: DigiCert High Assurance EV Root CA
    Issued by: DigiCert High Assurance EV Root CA
    Expires: Mon Nov 10 01:00:00 2031
    SHA1 hash: 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25

        Issued to: DigiCert High Assurance Code Signing CA-1
        Issued by: DigiCert High Assurance EV Root CA
        Expires:   Tue Feb 10 13:00:00 2026
        SHA1 hash: E308F829DC77E80AF15EDD4151EA47C59399AB46
    
            Issued to: Wen Jia Liu
            Issued by: DigiCert High Assurance Code Signing CA-1
            Expires:   Wed Jan 04 13:00:00 2017
            SHA1 hash: 32387AEC09EB287F202E98398189B460F4C61A0D
    

    The signature is timestamped: Mon Mar 28 19:21:05 2016
    Timestamp Verified by:
    Issued to: DigiCert Assured ID Root CA
    Issued by: DigiCert Assured ID Root CA
    Expires: Mon Nov 10 01:00:00 2031
    SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

        Issued to: DigiCert Assured ID CA-1
        Issued by: DigiCert Assured ID Root CA
        Expires:   Wed Nov 10 01:00:00 2021
        SHA1 hash: 19A09B5A36F4DD99727DF783C17A51231A56C117
    
            Issued to: DigiCert Timestamp Responder
            Issued by: DigiCert Assured ID CA-1
            Expires:   Tue Oct 22 01:00:00 2024
            SHA1 hash: 614D271D9102E30169822487FDE5DE00A352B01D
    

    Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires: Sat Nov 01 14:54:03 2025
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

        Issued to: DigiCert High Assurance EV Root CA
        Issued by: Microsoft Code Verification Root
        Expires:   Thu Apr 15 20:55:33 2021
        SHA1 hash: 2F2513AF3992DB0A3F79709FF8143B3F7BD2D143
    
            Issued to: DigiCert High Assurance Code Signing CA-1
            Issued by: DigiCert High Assurance EV Root CA
            Expires:   Tue Feb 10 13:00:00 2026
            SHA1 hash: E308F829DC77E80AF15EDD4151EA47C59399AB46
    
                Issued to: Wen Jia Liu
                Issued by: DigiCert High Assurance Code Signing CA-1
                Expires:   Wed Jan 04 13:00:00 2017
                SHA1 hash: 32387AEC09EB287F202E98398189B460F4C61A0D
    

    Signature Index: 1
    Hash of file (sha256): 4EE2A56C1592FF0E951B452C0DE064EBA05B7C98E3ADD04C8AA3B4A84EB797A5

    Signing Certificate Chain:
    Issued to: DigiCert High Assurance EV Root CA
    Issued by: DigiCert High Assurance EV Root CA
    Expires: Mon Nov 10 01:00:00 2031
    SHA1 hash: 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25

        Issued to: DigiCert SHA2 High Assurance Code Signing CA
        Issued by: DigiCert High Assurance EV Root CA
        Expires:   Sun Oct 22 13:00:00 2028
        SHA1 hash: F7E0F449F1A2594F88856C0758F8E6F627E5F5A2
    
            Issued to: Wen Jia Liu
            Issued by: DigiCert SHA2 High Assurance Code Signing CA
            Expires:   Wed Jan 04 13:00:00 2017
            SHA1 hash: 190D956129DDE6972D46F46EF98BD86B982E6633
    

    The signature is timestamped: Mon Mar 28 19:21:05 2016
    Timestamp Verified by:
    Issued to: DigiCert Assured ID Root CA
    Issued by: DigiCert Assured ID Root CA
    Expires: Mon Nov 10 01:00:00 2031
    SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

        Issued to: DigiCert SHA2 Assured ID Timestamping CA
        Issued by: DigiCert Assured ID Root CA
        Expires:   Tue Jan 07 13:00:00 2031
        SHA1 hash: 3BA63A6E4841355772DEBEF9CDCF4D5AF353A297
    
            Issued to: DigiCert SHA2 Timestamp Responder
            Issued by: DigiCert SHA2 Assured ID Timestamping CA
            Expires:   Tue Jan 07 01:00:00 2025
            SHA1 hash: C636F4DDA87CEE3D8263BF9A2514B4533468D75E
    

    Cross Certificate Chain:
    Issued to: Microsoft Code Verification Root
    Issued by: Microsoft Code Verification Root
    Expires: Sat Nov 01 14:54:03 2025
    SHA1 hash: 8FBE4D070EF8AB1BCCAF2A9D5CCAE7282A2C66B3

        Issued to: DigiCert High Assurance EV Root CA
        Issued by: Microsoft Code Verification Root
        Expires:   Thu Apr 15 20:55:33 2021
        SHA1 hash: 2F2513AF3992DB0A3F79709FF8143B3F7BD2D143
    
            Issued to: DigiCert SHA2 High Assurance Code Signing CA
            Issued by: DigiCert High Assurance EV Root CA
            Expires:   Sun Oct 22 13:00:00 2028
            SHA1 hash: F7E0F449F1A2594F88856C0758F8E6F627E5F5A2
    
                Issued to: Wen Jia Liu
                Issued by: DigiCert SHA2 High Assurance Code Signing CA
                Expires:   Wed Jan 04 13:00:00 2017
                SHA1 hash: 190D956129DDE6972D46F46EF98BD86B982E6633
    

    Successfully verified: processhacker-2.39-bin\kprocesshacker.sys

    Number of signatures successfully Verified: 2
    Number of warnings: 0
    Number of errors: 0

  • Tim_Roberts  Member  Posts: 12,969
    via Email
    IanM wrote:
    > Thanks very much Tim. We were aware of the grandfathering issue and I don't think it applies to the driver in Process Hacker 2.39124.

    Why? It looks to me like the timing is right, and there's no other good explanation.


    > However, in our attempt to double-check that, we have noticed that the driver is cross-signed using a "Microsoft Code Verification Root" certificate (below). This is different to the root of the certificate that we get when we cross sign ("Microsoft Root Certificate Authority 2010").

    I suspect that's just an artifact of which cross-certificate you end up matching. My cert is from Digicert, and I end up with "Microsoft Code Verification Root".


    > The "Microsoft Code Verification Root" certificate isn't mentioned here but do you think it's just that the documentation is out of date?

    Isn't mentioned where?

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.
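As an added example (not part of the thread or of Process Hacker), a small Python parser for the `signtool verify /v /all /kp` output quoted above: per signature index it pulls out the signer, the root of the signing chain and the root of the cross-certificate chain (the detail being compared above), and applies the grandfathering rule Tim describes to a certificate's NotBefore date, which signtool /v does not print. The sample input is constructed, abridged from the output in the thread; the 29 July 2015 cutoff is assumed from Microsoft's published driver-signing policy.

```python
from datetime import date

# Cutoff for the grandfathering rule: certificates issued before this date
# are accepted without attestation/WHQL (assumed from Microsoft's policy).
CUTOFF = date(2015, 7, 29)

# Constructed sample, abridged from the signtool output quoted in the thread
# (hash, expiry and intermediate-CA lines dropped to keep it short).
SAMPLE = """\
Signature Index: 0 (Primary Signature)
Signing Certificate Chain:
Issued to: DigiCert High Assurance EV Root CA
Issued by: DigiCert High Assurance EV Root CA
        Issued to: Wen Jia Liu
        Issued by: DigiCert High Assurance Code Signing CA-1
The signature is timestamped: Mon Mar 28 19:21:05 2016
Cross Certificate Chain:
Issued to: Microsoft Code Verification Root
Issued by: Microsoft Code Verification Root
    Issued to: DigiCert High Assurance EV Root CA
    Issued by: Microsoft Code Verification Root
        Issued to: Wen Jia Liu
        Issued by: DigiCert High Assurance Code Signing CA-1
"""

def parse_signtool(text):
    """Summarise 'signtool verify /v /all /kp' output per signature index.
    signtool prints each chain with its root first and the leaf last."""
    sigs, cur, chain = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Signature Index:"):
            cur, chain = sigs.setdefault(int(line.split()[2]), {"timestamp": None}), None
        elif cur is None:
            continue
        elif line.endswith("Certificate Chain:") or line == "Timestamp Verified by:":
            chain = line.split()[0].lower() + "_chain"   # signing/cross/timestamp
            cur[chain] = []
        elif line.startswith("The signature is timestamped:"):
            cur["timestamp"] = line.split(":", 1)[1].strip()
        elif line.startswith("Issued to:") and chain:
            cur[chain].append(line.split(":", 1)[1].strip())
    for s in sigs.values():                     # root first, signer last
        s["signer"], s["signing_root"] = s["signing_chain"][-1], s["signing_chain"][0]
        s["cross_root"] = s.get("cross_chain", [None])[0]
    return sigs

def grandfathered(not_before_iso):
    """Apply the thread's rule to a certificate's NotBefore date ('YYYY-MM-DD');
    read that date from the certificate itself, signtool /v does not show it."""
    return date.fromisoformat(not_before_iso) < CUTOFF
```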
