Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results


More Info on Driver Writing and Debugging

The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.

Check out The OSR Learning Library at:

Before Posting...

Please check out the Community Guidelines in the Announcements and Administration Category.

Checking the user-mode app's digital signature for secure communication with the user-mode?



  • Phil_BarilaPhil_Barila Member - All Emails Posts: 154

    @brad_H said:
    Well, as i said, in this scenario lets assume that i can protect my files and processes from modification (since I'm already in kernel and we assume the attacker doesn't have a driver, if he did then its obviously game over)

    You can protect files, but you can't actually protect your running process nearly as well as you think you can.

    That said, it appears that nothing anyone here says about that is going to change your mind, so I'm out.

  • MecanikMecanik Member Posts: 15

    I am really not going to comment on stuff here, because there would be too much to say.

    The least I will say @brad_H is that you are very wrong with many things, especially ObCallbacks and virtualization like VMProtect.

    To answer your question:

    • You can check for signed binaries in Kernel, Windows does it, always had since VISTA. Look at ci.dll exported function CiCheckSignedFile, it will do everything you want.
    • You cannot "secure" IOCTL's with this, find another method of communication, like shared mapping. Or even simpler, encrypt your data both ways.

    To give you a hand, do note that ci.dll has changed a lot until Windows 10 and there is no documentation for this. You have to manually reverse the structs and function parameters, generate the .lib file and link against your driver.

    dumpbin /EXPORTS c:\windows\system32\ci.dll
    lib /def:ci.def /machine:x64 /out:ci.lib



  • 0xrepnz0xrepnz Member Posts: 60

    You can check for signed binaries in Kernel, Windows does it

    The discussion here is not about whether it's possible or not, in kernel mode almost everything is possible but is it the right design choice?

    Everyone here simply mentioned it's not supported, and not worth the effort required to maintain this piece of code... Supporting code that uses undocumented structures + functions that often change is not as simple as "making it work in a test environment". The signature of this function (CiCheckSignedFile) was changed multiple times, so if you use it you have to adjust your code to the OS version and also keep testing your product against insider builds to make sure the function is not changed so you don't cause BSODs...

    - Ori Damari
  • Peter_Viscarola_(OSR)Peter_Viscarola_(OSR) Administrator Posts: 8,493


    Peter Viscarola

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Developing Minifilters 24 May 2021 Live, Online
Writing WDF Drivers 14 June 2021 Live, Online
Internals & Software Drivers 27 September 2021 Live, Online
Kernel Debugging 15 November 2021 Live, Online