Kernel driver

> … I would then import it back with the option set to not allow exporting. …

Are you referring to the Windows certificate store? How secure is the “do not allow export of private key” option? In days gone by (XP era) the only thing preventing you exporting the private key was that the export checkbox got disabled when the private key was marked as not exportable. There was a tool that attached to the mmc process and enabled the disabled checkbox and you could then export the private key.

James

>Thank you again, Mr. Kelly, for the continued updates.

The only problem is that the OP posted his update to the wrong thread. To be honest, first I was a bit puzzled by such a dramatic leap from the system shutdown to driver signing (i.e. a completely unrelated topic that was not anywhere in sight on this thread), but then I realised that this post belongs on another thread started by the OP…

Anton Bassov

I will pay more attention, new to this list using email.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@hotmail.com
Sent: Sunday, March 06, 2016 6:03 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Kernel driver

NTDEV is sponsored by OSR

Visit the list online at: http:

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!
Details at http:

To unsubscribe, visit the List Server section of OSR Online at http:

Tim Kelly wrote:

> 1. You do NOT need a CAT file but you have to reference one in your INF file.

Correct. If you include one, they throw it away.

> 1. The Microsoft Dashboard hangs if the CAB file doesn’t have an INF file inside or if it is NOT properly formatted. What I mean by hang is it just reports ‘pending’ status forever.
>     a. What would be nice if you could put all your binaries into one CAB and MS just sign everything. I can only assume they sign differently to root CAs based on where the INF file says they are to be placed? Or something?

No, as long as you have a proper INF file, they will sign every
executable in your CAB, whether it is referenced in the INF or not. I
discovered this quite by accident.

> 1. If you sign the CAB file with an EV Cert but cross sign the drivers not adding a Cert you get an email and the Dashboard informs you to reload the package with properly signed binaries. It would be nice if it would do this every time there is a problem instead of just showing ‘pending’.

I don’t understand what you mean here. I signed my drivers with a
cross-cert and submitted the package. What I got back had the Microsoft
certificate in ADDITION to my original certificate chain. Such a
multiply-signed package will not work on the older systems.

> 1. I have not been able to get x64 and x32 drivers signed using one CAB and one INF file. I gave up on that, out of frustration, and just submit two packages.

I got this to work just fine, by submitting a cabinet that looked like
my install package, underneath a master fake folder:

FakeDir1 \ xxxx.inf
FakeDir1 \ common.exe
FakeDir1 \ 32 \ xxxx32.dll
FakeDir1 \ 32 \ xxxx32.sys
FakeDir1 \ 64 \ xxxx64.dll
FakeDir1 \ 64 \ xxxx64.sys

As I said, when it came back, everything that was executable had been
signed.

> Overall: This is a real pain to get going, at least it was for me.

That it is.

> ToDo: I would like to get one CAB file and INF file working for x64 and x32 and earlier versions of my drivers cross signed with SHA256 back to XP with a simplified CAB. But for now, I at least have Windows 10 drivers signed and working.

I hope you have realized that you simply cannot use an
attestation-signed package in XP. The CAT file only authorizes Win 10,
XP can’t handle the SHA256 certificate, and XP cannot handle multiple
chains if you sign it yourself as well. You will need two packages.

That, to me, is one of the most annoying aspects of this. Folks in
Redmond don’t have to spend time thinking about Windows 8, Windows 7,
Vista, and XP, but those of us in the real world certainly do.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
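An added pre-submission check (not code from either poster or from Microsoft), built on the points in the reply above: the package folder needs an INF whose [Version] section references a catalog, and every executable in the CAB comes back signed whether the INF names it or not, so unreferenced binaries are worth reviewing before upload. The function names, the rule that nothing sits at the CAB root, and the sample tree with dummy file contents are assumptions modelled on the layout shown in the reply.

```python
import pathlib
import tempfile
EXECUTABLE = {".sys", ".dll", ".exe"}

def read_text(path):
    raw = path.read_bytes()  # INF files are often UTF-16 with a BOM
    enc = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8-sig"
    return raw.decode(enc, errors="replace")

def version_keys(inf_text):  # lower-cased key names in the INF [Version] section
    keys, section = set(), None
    for line in inf_text.splitlines():
        line = line.split(";", 1)[0].strip()  # strip INF comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "version" and "=" in line:
            keys.add(line.split("=", 1)[0].strip().lower())
    return keys

def check_staging(root):
    """Return (problems, executables not named in any INF of their package)."""
    problems, unreferenced = [], []
    for entry in sorted(pathlib.Path(root).iterdir()):
        if entry.is_file():
            problems.append(f"{entry.name}: file outside a package folder")
            continue
        files = sorted(p for p in entry.rglob("*") if p.is_file())
        infs = [read_text(p) for p in files if p.suffix.lower() == ".inf"]
        if not infs:
            problems.append(f"{entry.name}: no INF file")
        if not all(any(k.startswith("catalogfile") for k in version_keys(t)) for t in infs):
            problems.append(f"{entry.name}: INF [Version] has no CatalogFile")
        named = "\n".join(infs).lower()
        unreferenced += [p.relative_to(root).as_posix() for p in files
                         if p.suffix.lower() in EXECUTABLE and p.name.lower() not in named]
    return problems, unreferenced

def build_sample(root):
    """Constructed sample mirroring the thread's layout; file contents are dummies."""
    inf = '[Version]\nSignature="$Windows NT$"\nCatalogFile=xxxx.cat\n[SourceDisksFiles]\nxxxx32.sys=1\nxxxx64.sys=1\n'
    for rel in "xxxx.inf common.exe 32/xxxx32.dll 32/xxxx32.sys 64/xxxx64.dll 64/xxxx64.sys".split():
        path = pathlib.Path(root, "FakeDir1", rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(inf if rel.endswith(".inf") else "dummy")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(check_staging(tmp))
```

Point `check_staging` at the directory that will become the CAB contents; the second list it returns is the set of binaries that would be signed without appearing in the INF.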

Thanks, I was unaware they would sign everything in the CAB even if it is not in the INF. This will help out a lot.

I have decided to keep different versions of the drivers for XP to Windows 8.1 that are only cross signed, aka the old way. For Windows 10, I am only signing with an EV Cert and submitting them to the dashboard.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Tim Roberts
Sent: Monday, March 07, 2016 1:38 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] Kernel driver
