Api to tell if a driver is verified?

Hello, is there an API way a driver can tell it is verified? The driver in question is not a production driver, and it NEEDS verifier to properly work (it needs special pool to do something like Unit tests). Registry is not an option, because the settings are there before reboot also. Regards, Dejan.

Maybe this will help: https://www.cybereason.com/blog/code-integrity-in-the-kernel-a-look-into-cidll

This looks like signature verification only, not Driver Verifier check?

You could cheat and look up your device stack to see what is on top of you. But that is all wrong and you shouldn’t do that.

Wouldn’t verifier be below and not above the driver?
This is not a production driver, so verifiable non-production ideas are ok.

> Wouldn’t verifier be below and not above the driver?

I’d have to go look, but I think it wraps the driver? Anyway, in either direction you can take a look, although, perversely, verifier might complain.

Dumping the kernel exports, either MmIsDriverVerifying or MmIsDriverVerifyingByAddress could work.

Bent from my phone.


From: Mark_Roddy
Sent: Friday, June 16, 2023 1:54:48 PM
To: Doron_Holan
Subject: Re: [NTDEV] Api to tell if a driver is verified?

I knew I saw some API, but didn’t remember Mm was the prefix!
Many thanks!

link /dump /exports ntoskrnl.exe | findstr /i verif


From: Dejan_Maksimovic
Sent: Saturday, June 17, 2023 2:34:17 AM
To: Doron_Holan
Subject: Re: [NTDEV] Api to tell if a driver is verified?