Checking signatures

Hi,

is there any way to check signatures of PE files from kernel mode drivers? The intention is to sign user mode modules and check their integrity from kernel mode.

Since user mode is not generally trusted but kernel mode is (as part of the TCB), there should be a way to achieve this without spawning some user mode process and communicating with it (as this would defeat the purpose).

Thanks,

Oliver


May the source be with you, stranger :wink:

ICQ: #281645
URL: http://assarbad.info | http://windirstat.info | http://blog.assarbad.info

Hi Oliver,

Absolutely. You can check signatures of PE files from kernel-mode drivers, e.g. a file system filter driver. You can load the PE file using the ZwCreateFile and ZwReadFile native APIs etc., and then you can check its integrity using a hash algorithm, for instance MD5 or SHA-1 etc. I don't know whether it is what you want or not. By the way, you'd better reply to NTFSD.

Ken Wang

> Hi,
> is there any way to check signatures of PE files from kernel mode
> drivers? The intention is to sign user mode modules and check their
> integrity from kernel mode.
> Since user mode is not generally trusted but kernel mode is (as part of
> the TCB), there should be a way to achieve this without spawning some
> user mode process and communicating with it (as this would defeat the
> purpose).
> Thanks,
> Oliver

Hi Ken,

> Absolutely. You can check signatures of PE files from kernel-mode drivers,
> e.g. a file system filter driver. You can load the PE file using the
> ZwCreateFile and ZwReadFile native APIs etc., and then you can check its
> integrity using a hash algorithm, for instance MD5 or SHA-1 etc. I don't
> know whether it is what you want or not.

Thanks for your reply.
I do not want to check the driver file hash but the signature of the file (i.e. if you signed your application, or whatever).

The question was more whether there is an API for this. In user mode there exists a set of functions for these things.

Oliver

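The distinction Oliver draws above, that a file hash is not a signature, is concrete in the PE format: an Authenticode signature sits in the security data directory as a WIN_CERTIFICATE wrapping a PKCS#7 SignedData blob, and what the signer actually hashed is the file minus the CheckSum field, minus the security directory entry, minus the certificate table itself, with section raw data taken in PointerToRawData order. The following is an added example, not code from this thread or from Windows: portable C with the PE field offsets written by hand (no <windows.h>), a caller-supplied hash callback standing in for a real digest (in a driver that callback would wrap BCryptHashData and the image would come from ZwReadFile), and a constructed sample image whose 16-byte payload is a placeholder, not a real PKCS#7 blob. It locates the signature and determines exactly what was signed; verifying the SignedData and its certificate chain against a trust root is the step the rest of the thread is asking about.

```c
/* Added example (not code from this thread): locate a PE file's Authenticode
 * signature and feed a hash callback exactly the bytes that signature covers,
 * in the order the Authenticode PE spec prescribes. Portable C so it runs in
 * user mode; in a driver the callback would wrap BCryptHashData and the image
 * would come from ZwReadFile. Offsets are the PE layout, hand-coded. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DIR_SECURITY 4                      /* IMAGE_DIRECTORY_ENTRY_SECURITY */
#define WIN_CERT_REVISION_2_0 0x0200
#define WIN_CERT_TYPE_PKCS_SIGNED_DATA 0x0002
#define MAX_SECTIONS 96
#define SAMPLE_SIZE 0x418

typedef void (*hash_feed_fn)(void *ctx, const uint8_t *data, size_t len);
typedef struct { const uint8_t *pkcs7; size_t pkcs7_len; } pe_sig_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Feeds the signed byte ranges to 'feed' and returns the embedded PKCS#7 SignedData
 * in *out. Returns 0 on success, negative if the image is malformed or unsigned. */
int pe_authenticode_hash(const uint8_t *img, size_t size, hash_feed_fn feed, void *ctx, pe_sig_info *out)
{
    if (size < 0x40 || rd16(img) != 0x5A4D) return -1;                      /* "MZ" */
    uint32_t pe_off = rd32(img + 0x3C);
    if (pe_off > size - 24 || rd32(img + pe_off) != 0x00004550) return -2;  /* "PE\0\0" */
    const uint8_t *coff = img + pe_off + 4;
    uint16_t nsec = rd16(coff + 2), opt_size = rd16(coff + 16);
    size_t opt_off = pe_off + 24;
    if (opt_size < 2 || opt_off + opt_size > size) return -3;
    uint16_t magic = rd16(img + opt_off);
    size_t dd_base = magic == 0x10B ? 96 : magic == 0x20B ? 112 : 0;       /* PE32 / PE32+ */
    if (dd_base == 0) return -4;
    size_t checksum_off = opt_off + 64;                                     /* CheckSum field */
    size_t certdir_off = opt_off + dd_base + DIR_SECURITY * 8;              /* cert table entry */
    if (certdir_off + 8 > opt_off + opt_size) return -5;
    uint32_t hdr_size = rd32(img + opt_off + 60);                           /* SizeOfHeaders */
    size_t sec_tab = opt_off + opt_size;
    if (nsec > MAX_SECTIONS || hdr_size > size || sec_tab + (size_t)nsec * 40 > hdr_size) return -6;

    /* For this directory alone, "VirtualAddress" is a raw file offset, not an RVA. */
    uint32_t cert_off = rd32(img + certdir_off), cert_size = rd32(img + certdir_off + 4);
    if (cert_size == 0) return -7;                                          /* unsigned file */
    if (cert_off < hdr_size || cert_off > size || cert_size > size - cert_off || cert_size < 8) return -8;
    const uint8_t *wc = img + cert_off;                                     /* WIN_CERTIFICATE */
    uint32_t wc_len = rd32(wc);
    if (wc_len < 8 || wc_len > cert_size) return -9;
    if (rd16(wc + 4) != WIN_CERT_REVISION_2_0 || rd16(wc + 6) != WIN_CERT_TYPE_PKCS_SIGNED_DATA) return -10;
    if (out) { out->pkcs7 = wc + 8; out->pkcs7_len = wc_len - 8; }

    /* Headers, skipping the CheckSum field and the certificate table entry. */
    feed(ctx, img, checksum_off);
    feed(ctx, img + checksum_off + 4, certdir_off - checksum_off - 4);
    feed(ctx, img + certdir_off + 8, hdr_size - certdir_off - 8);
    /* Section raw data in ascending PointerToRawData order (not section table order). */
    uint32_t ptr[MAX_SECTIONS], len[MAX_SECTIONS];
    for (uint32_t i = 0; i < nsec; i++) {
        const uint8_t *sh = img + sec_tab + i * 40;
        uint32_t l = rd32(sh + 16), p = rd32(sh + 20), j = i;   /* SizeOfRawData, PointerToRawData */
        if (p > size || l > size - p) return -11;
        for (; j > 0 && ptr[j - 1] > p; j--) { ptr[j] = ptr[j - 1]; len[j] = len[j - 1]; }
        ptr[j] = p; len[j] = l;
    }
    size_t hashed = hdr_size;
    for (uint32_t i = 0; i < nsec; i++) { feed(ctx, img + ptr[i], len[i]); hashed += len[i]; }
    /* Anything after the last section, minus the certificate table itself. */
    if (size > hashed + cert_size) feed(ctx, img + hashed, size - hashed - cert_size);
    return 0;
}

/* Constructed sample: a minimal PE32 with one section and a 16-byte stand-in for
 * the PKCS#7 blob. Not a real signed binary; it only exercises the range logic. */
size_t build_sample_pe(uint8_t *buf)
{
    memset(buf, 0, SAMPLE_SIZE);
    wr16(buf, 0x5A4D); wr32(buf + 0x3C, 0x40);             /* DOS header, e_lfanew */
    wr32(buf + 0x40, 0x00004550); wr16(buf + 0x44, 0x14C); /* PE\0\0, i386 */
    wr16(buf + 0x46, 1); wr16(buf + 0x54, 0xE0);           /* 1 section, PE32 optional header size */
    wr16(buf + 0x58, 0x10B);                               /* PE32 magic */
    wr32(buf + 0x58 + 60, 0x200);                          /* SizeOfHeaders */
    wr32(buf + 0x58 + 64, 0xDEADBEEF);                     /* CheckSum: must not be hashed */
    wr32(buf + 0x58 + 92, 16);                             /* NumberOfRvaAndSizes */
    wr32(buf + 0xD8, 0x400); wr32(buf + 0xDC, 0x18);       /* security directory: offset, size */
    memcpy(buf + 0x138, ".text", 5);                       /* section header */
    wr32(buf + 0x138 + 16, 0x200); wr32(buf + 0x138 + 20, 0x200);
    memset(buf + 0x200, 0xCC, 0x200);                      /* section body */
    wr32(buf + 0x400, 0x18); wr16(buf + 0x404, 0x200); wr16(buf + 0x406, 2); /* WIN_CERTIFICATE */
    memset(buf + 0x408, 0x30, 16);                         /* placeholder payload */
    return SAMPLE_SIZE;
}

/* Demo "digest": records which offsets were fed so the exclusions can be checked. */
typedef struct { const uint8_t *base; size_t fed; uint8_t covered[SAMPLE_SIZE]; } coverage;
static void feed_cover(void *ctx, const uint8_t *d, size_t n)
{
    coverage *c = ctx;
    for (size_t i = 0; i < n; i++) c->covered[(d - c->base) + i] = 1;
    c->fed += n;
}

/* Runs the constructed sample through the parser; returns its result code. */
int run_sample(coverage *c, pe_sig_info *sig)
{
    static uint8_t img[SAMPLE_SIZE];
    size_t n = build_sample_pe(img);
    memset(c, 0, sizeof *c); c->base = img;
    return pe_authenticode_hash(img, n, feed_cover, c, sig);
}
```

The callback keeps the range logic independent of the digest: hand it a SHA-1 or SHA-256 context instead of the coverage recorder and the result is the digest carried inside the SignedData's SpcIndirectDataContent, which is what a verifier compares against after checking the signature over that content. On the sample, the fed byte count is the file size minus the 4-byte CheckSum, the 8-byte directory entry and the 0x18-byte certificate table.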

If you are talking about the hot topic of code signing, I doubt that you can verify its signature in your driver, since you need to access those certificates to achieve your verification. Furthermore, I guess you also need the private key from MS and/or VeriSign, which is absolutely *impossible*.

Currently, this stuff is the hot spot of Vista, which makes money for MS (of course for security reasons as well, as they said). I cannot imagine that MS will share these technologies with others.

> is there any way to check signatures of PE files from kernel mode drivers?

Well, there is. It's built into the OS. I guess the real questions are (a) are these functions available to anyone outside Microsoft, and (b) are any of them documented.

I don't see any particular reason why these functions should be "secret". Letting people check the integrity of stuff can only be a good thing, right? But I haven't actually seen any public discussion of these functions either.

Maybe one of our msft colleagues can fill us in a bit more on this?

Peter
OSR