What does kernel code signing EKU do? How can I still load a driver without kernel code signing EKU?

henrik_meida Member Posts: 102

I recently got my hands on a new certificate, and it came to my notice that it did not have kernel mode code signing EKU in the certificate, but it did have code signing EKU.

I thought for sure that if I use this to sign a driver, it should not load. But it actually did!

So my question is, what does kernel mode code signing EKU in the certificate actually do? How can I load a driver that is signed with a cert without kernel mode code signing EKU?

Comments

  • Peter_Viscarola_(OSR) Administrator Posts: 8,793

    I am not aware of a special kernel mode code signing EKU. Can you tell me what that OID is?

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • henrik_meida Member Posts: 102

    @Peter_Viscarola_(OSR) said:
    I am not aware of a special kernel mode code signing EKU. Can you tell me what that OID is?

    Peter

    The OID is the following:

    Kernel Mode Code Signing (1.3.6.1.4.1.311.61.1.1)

    What's the point of this OID then? I just noticed that some of the certificates that are used to sign drivers don't even have this, and some do. I always thought this OID is required for drivers?

  • henrik_meida Member Posts: 102

    So.. anyone got any idea?
    Basically what I am asking is: how does the kernel differentiate between a normal code signing cert and a kernel mode code signing cert? I thought that was based on EKU?

  • Peter_Viscarola_(OSR) Administrator Posts: 8,793

    I was under the impression that it did not differentiate. For signing, all that I’ve understood is necessary is a Class 3 Code Signing certificate. Not a special kernel mode one.

    Of course, now this is a moot point…

    Peter

    Peter Viscarola
    OSR
    @OSRDrivers

  • Tim_Roberts Member - All Emails Posts: 14,167

    I know it was required at one point. For KMCS, this is enforced by signtool. Remember that the in-kernel KMCS checking does not look at your certificate at all. All it cares about is whether your certificate chain ends with the Microsoft Code Verification Root. As long as you could satisfy signtool and had a cross-certificate, you were golden.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.
