Hi,
How can a driver check digital certificate of the file used to create a calling process?
Thanks,
Anatoly.
Are you asking if you can check if the file opening your driver is your special application?
d
Hi Doron,
I’d say yes, for the first step I need to compare driver’s and calling process certificates.
But I also need the ability to check other certificates.
Thanks,
Anatoly.
In general, you might want to take a look at the docs for the Crypto API:
http://msdn.microsoft.com/en-us/library/aa381975(VS.85).aspx
Good luck,
mm
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Saturday, December 18, 2010 4:41 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Digital Certificated
Hi Doron,
I’d say yes, for the first step I need to compare driver’s and calling
process certificates.
But I also need the ability to check other certificates.
Thanks,
Anatoly.
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
I believe the OP said that he wanted to do this from a driver, in which case
this might be a more useful link:
http://msdn.microsoft.com/en-us/library/aa376210(v=VS.85).aspx.
In particular, see the documentation for BCryptVerifySignature.
http://msdn.microsoft.com/en-us/library/aa375515(v=VS.85).aspx.
Regards,
George.
“Martin O’Brien” wrote in message
news:xxxxx@ntdev…
> In general, you might want to take a look at the docs for the Crypto API:
> http://msdn.microsoft.com/en-us/library/aa381975(VS.85).aspx
>
>
> Good luck,
>
> mm
>
Thanks, George.
Any hints how to retrieve the certificate from the process file?
Thanks again,
Anatoly.
You want to extract the certificate from a signed package? Why? What do you
intend to do with this?
Gary G. Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.net
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Sunday, December 19, 2010 7:08 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Digital Certificated
Thanks, George.
Any hints how to retrieve the certificate from the process file?
Thanks again,
Anatoly.
__________ Information from ESET Smart Security, version of virus signature
database 5716 (20101219) __________
The message was checked by ESET Smart Security.
Gary,
Are you saying that comparison can be done w/o extraction?
Thanks,
Anatoly.
Again, what are you trying to do? If all it is, is look at the certificate,
then right click on the SYS file in Explorer, and select the Digital
Signature tab.
Gary G. Little
H (952) 223-1349
C (952) 454-4629
xxxxx@comcast.net
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Sunday, December 19, 2010 3:31 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Digital Certificated
Gary,
Are you saying that comparison can be done w/o extraction?
Thanks,
Anatoly.
Anatoly,
> Any hints how to retrieve the certificate from the process file?
Parse the PE header and look for the IMAGE_DIRECTORY_ENTRY_SECURITY data
directory of the optional header.
    pCertInfo = pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].VirtualAddress;
    dwCertInfoSize = pNtHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_SECURITY].Size;
That will give you the cert info blob. See CI!I_PEImageGetCertInfo.
Verifying the digital signature on PE executables is what Code Integrity
does on Vista and later. You can take a look at CI!I_PEVerifyBootDrivers
for an example of how digital signatures are verified. Of course these
functions aren’t available to you as a driver writer, but they show how it
can be done. See e.g. CI!HashKComputeFirstPageHash and
CI!HashKComputeImageHash.
Probably you are looking for a kernel mode equivalent to WinVerifyTrust.
I don’t know if there is anything that high level available. Perhaps
someone from MS can clarify this.
Regards,
George.
wrote in message news:xxxxx@ntdev…
> Thanks, George.
>
> Any hints how to retrieve the certificate from the process file?
>
> Thanks again,
> Anatoly.
>
>
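
Added example (not part of the original thread, and not code from any poster): a portable C sketch of the PE parsing step described in the last reply, with every header field bounds-checked because the file is untrusted input. The function names (pe_cert_table, pe_count_pkcs7, make_sample) and the sample buffer are constructed for illustration; note that for this one directory the VirtualAddress field is a file offset, so the buffer must be the raw file, and that this only locates the WIN_CERTIFICATE entries, it does not verify any signature.

```c
#include <stdint.h>
#include <string.h>

#define DIR_SECURITY 4 /* IMAGE_DIRECTORY_ENTRY_SECURITY */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* Find the certificate table in a raw PE file buffer (hypothetical helper).
   Returns 0 and sets *off, *size; -1 if the file is malformed or unsigned. */
int pe_cert_table(const uint8_t *f, size_t len, uint32_t *off, uint32_t *size) {
    if (len < 0x40 || rd16(f) != 0x5A4D) return -1;          /* "MZ" */
    uint32_t nt = rd32(f + 0x3C);                             /* e_lfanew */
    if (nt > len || len - nt < 26 || rd32(f + nt) != 0x4550) return -1; /* "PE\0\0" */
    size_t opt = (size_t)nt + 24;                             /* optional header start */
    uint16_t magic = rd16(f + opt);
    if (magic != 0x10B && magic != 0x20B) return -1;          /* PE32 / PE32+ */
    size_t dd = magic == 0x20B ? 112 : 96;                    /* DataDirectory offset */
    if (len - opt < dd + 8 * (DIR_SECURITY + 1)) return -1;
    if (rd32(f + opt + dd - 4) <= DIR_SECURITY) return -1;    /* NumberOfRvaAndSizes */
    *off = rd32(f + opt + dd + 8 * DIR_SECURITY);             /* file offset, not an RVA */
    *size = rd32(f + opt + dd + 8 * DIR_SECURITY + 4);
    return (*off == 0 || *size < 8 || *off > len || *size > len - *off) ? -1 : 0;
}

/* Walk WIN_CERTIFICATE entries (dwLength, wRevision, wCertificateType, data; each
   padded to 8 bytes). Returns the count of PKCS#7 SignedData entries, -1 if malformed. */
int pe_count_pkcs7(const uint8_t *t, uint32_t size) {
    int n = 0;
    for (uint32_t pos = 0; size - pos >= 8; ) {
        uint32_t l = rd32(t + pos), pad = (8 - (l & 7)) & 7;
        if (l < 8 || l > size - pos) return -1;               /* entry overruns table */
        if (rd16(t + pos + 6) == 0x0002) n++;                 /* WIN_CERT_TYPE_PKCS_SIGNED_DATA */
        if (pad > size - pos - l) break;                      /* unpadded final entry */
        pos += l + pad;
    }
    return n;
}

/* Constructed sample: PE32+ header skeleton with one empty PKCS#7 entry at 0x200. */
size_t make_sample(uint8_t *b, size_t cap) {
    if (cap < 0x210) return 0;
    memset(b, 0, 0x210);
    b[0] = 'M'; b[1] = 'Z'; wr32(b + 0x3C, 0x80); memcpy(b + 0x80, "PE\0\0", 4);
    wr32(b + 0x98, 0x20B); wr32(b + 0x98 + 108, 16);          /* magic, NumberOfRvaAndSizes */
    wr32(b + 0x98 + 112 + 8 * DIR_SECURITY, 0x200); wr32(b + 0x98 + 112 + 8 * DIR_SECURITY + 4, 16);
    wr32(b + 0x200, 16); wr32(b + 0x204, 0x00020200);         /* dwLength; revision 0x0200, type 0x0002 */
    return 0x210;
}
```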