New here, and have a question about Authenticode verification for signed user-mode code. I know this community is all about kernel driver development, but given that you pretty much have to code sign all your drivers, I thought I would ask my question here as I am hoping that someone here has seen a similar issue when signing their code - even though I am only dealing with a user mode application.
I must be missing something. I have a trivial hello world Windows C++ user-mode console app (.EXE) that has been compiled for Release mode with the linker /integritycheck switch. This sets the IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY flag in the PE header. It is my understanding that this is supposed to force the Windows loader to verify the .EXE before execution.
If I attempt to run the application from the command line I get "The system cannot execute the specified program" as expected - since (I presume) the loader is attempting to verify an .EXE that has not been Authenticode code signed.
So I then sign the code using signtool.exe with a valid CA-acquired code signing certificate (that I paid good money for) using a command line similar to:
signtool.exe sign /f "MyCodeSignCert.pfx" /p password /t http://timestamp.digicert.com/authenticode /v /ph /fd sha256 helloworld.exe
I verify the code is properly signed with:
signtool.exe verify /pa helloworld.exe
and I am able to see the Digital Signatures tab on the signed helloworld.exe when I right click it in Windows Explorer and view the signature details and view the certificate.
However, any attempt to run the helloworld.exe from the command line continues to result in:
The system cannot execute the specified program.
If I double-click the .EXE from Windows Explorer I get a bit more information:
Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be a malicious software from an unknown source.
If I recompile and relink the .EXE without the /integritycheck linker switch, the .EXE loads and runs correctly as expected, regardless of whether it is signed or not.
FYI, I built (using Microsoft Visual Studio) and tested the .EXE on 2 separate machines - Windows 8.1 and Windows Server 2016. In both of these environments Windows Defender is not running. In case it mattered (I don't see why it should) I even installed the code signing certificate on both machines and tried rerunning the .EXE, with no difference in outcome.
Finally, I copied the helloworld.exe to a Windows 10 machine on which Windows Defender is running, and double-clicked it from Windows Explorer and received the following pop-up message:
Your organization used Windows Defender Application Control to block this App...Contact your support person for more info.
All I am trying to do is mark an .EXE in such a way as to force Windows to always verify its digital signature whenever it is loaded for execution. Any thoughts on what I might be doing wrong or how to achieve this?
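As an added example (not from the original post), the following Python reads the two PE header fields the question turns on: the DllCharacteristics bit that the /integritycheck linker switch sets, and the security data directory that signtool fills with the Authenticode certificate table. The stub builder constructs a header-only blob so the script runs offline; point inspect_file at helloworld.exe to check a real binary. A present certificate table only shows that the file carries a signature, not whether the loader trusts it.

```python
import struct

IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY = 0x0080  # set by link.exe /integritycheck
IMAGE_DIRECTORY_ENTRY_SECURITY = 4                 # Authenticode certificate table


def inspect_pe(data: bytes) -> dict:
    """Report the FORCE_INTEGRITY bit and whether a certificate table is present."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                            # COFF file header is 20 bytes
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    # DllCharacteristics is at optional-header offset 70 in both PE32 and PE32+;
    # NumberOfRvaAndSizes and the data directories follow at different offsets.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    num_dirs = struct.unpack_from("<I", data, opt + (108 if pe32plus else 92))[0]
    has_cert = False
    if num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        dirs = opt + (112 if pe32plus else 96)
        sec_off, sec_size = struct.unpack_from(
            "<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
        has_cert = sec_off != 0 and sec_size != 0     # security entry is a file offset
    return {
        "force_integrity": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY),
        "has_certificate_table": has_cert,
    }


def inspect_file(path: str) -> dict:
    """Convenience wrapper: run inspect_pe over a file such as helloworld.exe."""
    with open(path, "rb") as f:
        return inspect_pe(f.read())


def build_stub_pe(dll_chars: int, cert_size: int) -> bytes:
    """Construct a header-only PE32+ blob (constructed test data, not a runnable image)."""
    dos = bytearray(b"MZ" + bytes(0x3E))
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x64, 240-byte opt hdr
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)             # PE32+ magic
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 108, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     0x1000 if cert_size else 0, cert_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```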