Win7-64 bypass driver sign

Hello,

I developed a device driver that runs under Win7-64.

Is there a way to bypass the driver signing check?

I’m aware this is not recommended by Microsoft.

I know the ‘F8’ way but I’m looking for a procedure without user
intervention.

Best regards,
Z.V

The only other way would be to run with the debugger attached.

While it doesn’t BYPASS the security check, you can always sign the driver with your own self-issued certificate and then have the user install that cert in their Trusted Root Certification Authorities certificate store on the target machine.

But those are really the only options…

If it was easy to bypass, it wouldn’t be much of a security check, would it?

Peter
OSR
@OSRDrivers

I was under the impression that the “bypass” method required a recognized
cert (from VeriSign for example), not a self-signed cert, and it isn’t a
BYPASS, it is the MSFT-documented “Release Signed Driver” mechanism.

Mark Roddy

—
NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Well, to be fair, I specifically said it wasn’t a BYPASS.

You can use a self-signed cert with test signing enabled, or sign with a real cert without test signing.

Peter
OSR
@OSRDrivers

Use VS2013 to build the driver; in the project properties, select Driver Signing and enable test signing.
Then install your driver using your INF or whatever…
On reboot, hit F8 and do the “disable / test signing on” step. That’s it.

You may also run this command before installing your driver:
Bcdedit.exe -set TESTSIGNING ON

Then do a reboot.

Just wish to make sure what I understood is correct: I can create a self-issued
certificate, install it into the Trusted Root Certification Authorities store on a
“freshly installed system”, then install my driver like any other “signed” driver. Right?

In this case I need not enable test mode, right?

Thanks,
Lloyd


Mostly wrong for 64-bit systems (which nowadays is most systems): you can use a self-signed certificate, BUT you must enable test mode, which nobody on a production system wants to do.

If you get a certificate from a supported CA, you sign your driver and can install that certificate in the correct root and approved-vendor certificate stores (like with a setup program), and then you will not get the dialog notifying you that the certificate is unknown. I haven’t done this in a little while, so I defer to somebody else on EXACTLY which store you need to put the certificate into.

There were some reports here that self-signed certificates, installed in the root store, worked for ancient OS versions (i.e. Win XP). I can’t confirm or challenge this.

For modern Windows OSes, which would be Win 7 or later, if you want to ship kernel code you simply have to get a signing certificate from an approved vendor. If you get WHQL certification, which involves passing a bunch of tests, Microsoft will sign the driver and you will not need to install your certificate; the OS will just trust it.

A code signing certificate may cost between $99 and $500 per year, depending on which vendor you use and which discounts you qualify for. I generally find Verisign certificates are less trouble, but unless you find a discount they can be at the expensive end. Of course, spending a few days of developer time fooling with a certificate that doesn’t quite work right is generally a lot more expensive.

Also note, you probably can no longer get SHA-1 certificates, and Win 7 needs an OS update to work correctly with SHA-2 certificates. It might be appropriate for a setup program to verify whether that update is installed if it wants to install a SHA-2-signed driver. There was a discussion about this here a few months ago.

Also note 2: kernel code signing and PnP driver install signatures on a .cat are different things and have slightly different requirements. What YOUR driver needs depends on what kind of driver it is.

Jan

From: Lloyd
Reply-To: Windows List
Date: Monday, December 15, 2014 at 9:23 PM
To: Windows List
Subject: Re: [ntdev] Win7-64 bypass driver sign
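
A setup-program preflight of the kind Jan suggests above, as an added example that is not code from the thread. It settles the “which store” question from the editor’s side: the local machine’s Trusted Publishers store is what suppresses the “Would you like to install this device software?” prompt for a CA-signed package; the Root store is only needed for a self-signed test chain. Assumptions: the driver and certificate paths are placeholders, and KB3033929 is the Windows 7 / Server 2008 R2 SHA-2 code-signing support update Microsoft shipped in March 2015, after this thread, so the KB list is a parameter you should check against your own target. The script is written for Windows PowerShell 2.0 (the Win7 default), hence .NET X509Store instead of Import-Certificate.

```powershell
# Added example, not from the thread: installer preflight on the customer's
# Windows 7 x64 box before installing a production-signed driver package.
# Written for Windows PowerShell 2.0. Paths and the KB number are assumptions.
param(
    [string]$DriverFile = ".\mydriver.sys",   # placeholder: the signed binary in the package
    [string]$VendorCer  = ".\vendor.cer",     # placeholder: public certificate of the signer
    [string[]]$Sha2Kbs  = @("KB3033929")      # assumed: Win7 SHA-2 code-signing support update (March 2015)
)
$ErrorActionPreference = "Stop"

function Test-Sha2Support {
    # Windows 8 (6.2) and later verify SHA-2 signatures natively; Windows 7 / 2008 R2
    # (6.1) only after the update. Returns $true when a SHA-2 chain can validate here.
    if ([Environment]::OSVersion.Version -ge [Version]"6.2") { return $true }
    foreach ($kb in $Sha2Kbs) {
        if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) { return $true }
    }
    return $false
}

function Get-DriverSignatureInfo([string]$Path) {
    # Authenticode status of the embedded signature plus what the installer cares
    # about: who signed, with which signature algorithm, and whether the certificate
    # actually carries the Code Signing EKU (1.3.6.1.5.5.7.3.3).
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    $subject = ""; $alg = ""; $hasEku = $false
    if ($cert) {
        $subject = $cert.Subject
        $alg     = $cert.SignatureAlgorithm.FriendlyName      # e.g. sha1RSA / sha256RSA
        $ekuExt  = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        if ($ekuExt) {
            $hasEku = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.3" })
        }
    }
    New-Object PSObject -Property @{
        Status = $sig.Status.ToString(); Subject = $subject; CertSigAlg = $alg; HasCodeSignEku = $hasEku
    }
}

function Install-VendorCert([string]$CerPath, [string]$StoreName) {
    # LocalMachine\TrustedPublisher is the store that silences the PnP install
    # prompt for a CA-issued signer. Root is only for self-signed (test) chains.
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $StoreName, "LocalMachine"
    $store.Open("ReadWrite")
    try { $store.Add($cert) } finally { $store.Close() }
    return $cert.Thumbprint
}

# --- preflight ---
if (-not (Test-Sha2Support)) {
    Write-Warning "No SHA-2 code-signing support on this OS: a sha256-signed driver will report NotSigned. Install the update first or ship a sha1-signed build."
}
$info = Get-DriverSignatureInfo $DriverFile
if ($info.Status -ne "Valid" -or -not $info.HasCodeSignEku) {
    throw "Refusing to install $DriverFile (status $($info.Status), Code Signing EKU: $($info.HasCodeSignEku))"
}
$thumb = Install-VendorCert $VendorCer "TrustedPublisher"
Write-Host "Publisher '$($info.Subject)' ($($info.CertSigAlg)) pre-trusted, thumbprint $thumb; run the package install now."
```

The SHA-2 check runs first on purpose: on an unpatched Win7 a sha256-signed file comes back as NotSigned from Get-AuthenticodeSignature, so the signature check alone would give a misleading “unsigned” error instead of pointing at the missing update.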

Dear Members,

Here are the steps I ran:

makecert -r -pe -ss PrivateCertStore -n CN=Contoso.com(Test)

signtool sign /v /s PrivateCertStore /n Contoso.com(Test) wdfsimple.sys

I got:

The following certificate was selected:
Issued to: Contoso.com(Test)
Issued by: Root Agency
Expires: Sun Jan 01 01:59:59 2040
SHA1 hash: E02AD5405F5C552ED0AE74ABF658F2E82739B212

Done Adding Additional Store
SignTool Error: The signer’s certificate is not valid for signing.
SignTool Error: An error occurred while attempting to sign: wdfsimple.sys

Number of files successfully Signed: 0
Number of warnings: 0
Number of errors: 1

Can you help ?

I’m aware a certificate is cheap. But I have an urgent delivery and I do not have the time to purchase a certificate.

Best regards,
Zvika

Dear Members,

It works fine.
I had an error in the makecert command.
No error in the command listed above.

Thank you,
Z.V
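
The test-signing procedure from the VS2013/bcdedit post above and Zvika’s makecert/signtool commands, pulled together as one script. This is an added example, not code from the thread: it assumes the WDK 8.1 makecert.exe, certmgr.exe and signtool.exe are on PATH, that it runs elevated on a single machine that serves as both build and test box, and it uses placeholder file and subject names. The -eku switch states the Code Signing purpose explicitly; the documented makecert command works without it, so it is a precaution, not a claim about what was wrong in the original invocation (the thread does not say).

```powershell
# Added example, not from the thread: self-signed TEST signing of a Win7 x64
# driver, end to end. Assumes makecert/certmgr/signtool (WDK 8.1) are on PATH
# and that this runs elevated on one machine used as both build and test box.
param(
    [string]$DriverFile = ".\wdfsimple.sys",    # placeholder driver binary
    [string]$CommonName = "Contoso.com(Test)",  # placeholder certificate subject
    [string]$CertStore  = "PrivateCertStore",   # per-user store that keeps the private key
    [string]$CerOut     = ".\ContosoTest.cer",  # public part, imported into the machine stores
    [string]$Digest     = "sha256"              # use sha1 on a Win7 box without the SHA-2 update
)
$ErrorActionPreference = "Stop"

function Invoke-Tool([string]$Exe, [string[]]$ToolArgs) {
    # Native WDK tools only report failure through the exit code; make that fatal.
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($ToolArgs -join ' ') failed with exit code $LASTEXITCODE" }
}

# 1. Self-signed (-r) certificate with exportable private key (-pe) and the Code
#    Signing EKU (1.3.6.1.5.5.7.3.3), kept in $CertStore; public part written to $CerOut.
Invoke-Tool makecert @("-r", "-pe", "-ss", $CertStore, "-n", "CN=$CommonName",
                       "-eku", "1.3.6.1.5.5.7.3.3", $CerOut)

# 2. Trust it on the test machine: Root so the chain builds at all, TrustedPublisher
#    so a PnP install does not stop at "Would you like to install this device software?".
Invoke-Tool certmgr @("/add", $CerOut, "/s", "/r", "localMachine", "root")
Invoke-Tool certmgr @("/add", $CerOut, "/s", "/r", "localMachine", "trustedpublisher")

# 3. Embedded signature on the .sys (what the x64 kernel checks at load time), then
#    verify with the default policy; /kp would fail here because there is no cross-cert.
Invoke-Tool signtool @("sign", "/v", "/s", $CertStore, "/n", $CommonName, "/fd", $Digest, $DriverFile)
Invoke-Tool signtool @("verify", "/v", "/pa", $DriverFile)

# 4. Boot option that makes the kernel accept this chain; same thing as the F8 /
#    "Bcdedit.exe -set TESTSIGNING ON" step in the thread, effective after a reboot.
Invoke-Tool bcdedit @("/set", "testsigning", "on")
Write-Host "Reboot to enter Test Mode (watermark on the desktop), then install the driver."
```

Step 2 is the part Lloyd asked about; on x64 it is step 4 that actually makes a self-signed driver load, which is why the answer to “I need not enable test mode, right?” is no.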

Thank you Jan for your very detailed explanation.

This is the first kernel code I am writing, so I thought of testing the
installer before purchasing the certificate. When I checked other driver
installers, what I saw is that they are using a “class 3 code signing
certificate”, so I think this is the certificate we need to purchase.

I am talking in the context of a “Virtual Storport Miniport driver”. If my
understanding is right (I checked the docs, but have no clear idea), this
belongs to the PnP category. I read that a PnP driver needs to pass WHQL
certification. Also I remember reading that, if WHQL is not passed (or not
submitted), the OS will show only a harmless “Yes/No” message box. So I hope
that by buying a SHA-2, class 3 code signing certificate and signing, I can
successfully install my driver on the client side.

Thanks again,
Lloyd

On Tue, Dec 16, 2014 at 11:59 AM, Jan Bottorff wrote:

Mr. Lloyd,

Get a Class 3 Code Signing Certificate. Sign the binary and sign the CAT file. It’s all automatic in VS… just set the build up for Production Signing (as opposed to test signing) and choose the right cert.

> I read that a PnP driver needs to pass WHQL certification.

Nope. Not at all.

> Also I remember reading that, if WHQL is not passed (or not submitted), the OS will show only a harmless “Yes/No” message box.

Yes, THAT is correct (and in fact contradicts what you said in the previous sentence).

Peter
OSR
@OSRDrivers
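
Peter’s “sign the binary and sign the CAT file” for a production build, as an added example (not the thread’s code) done with the WDK tools instead of the VS property page so that the ordering is visible: the .sys must carry its embedded signature before Inf2Cat hashes it, otherwise the catalog no longer matches the file. Assumptions: the CA-issued certificate sits in the current user’s My store under the subject substring given, the Microsoft cross-certificate file name and the timestamp URL are placeholders for whatever your CA requires, and signtool is the WDK 8.1 version (needed for /fd).

```powershell
# Added example, not from the thread: production (release) signing of a driver
# package with the WDK 8.1 tools. Certificate subject, cross-cert file name and
# timestamp URL are placeholders for what your CA hands you.
param(
    [string]$PackageDir   = ".\package",                 # INF + .sys staged here; the INF names the .cat via CatalogFile
    [string]$CertSubject  = "Contoso Ltd",               # placeholder: substring of the CA-issued cert subject in CurrentUser\My
    [string]$CrossCert    = ".\MSCV-VSClass3.cer",       # placeholder: Microsoft cross-certificate for your CA's root
    [string]$TimestampUrl = "http://timestamp.verisign.com/scripts/timstamp.dll",  # placeholder Authenticode TSA
    [string]$Digest       = "sha256"                     # sha1 only for Win7 targets without the SHA-2 update
)
$ErrorActionPreference = "Stop"

function Invoke-Tool([string]$Exe, [string[]]$ToolArgs) {
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

function Add-ReleaseSignature([string]$File) {
    # /ac: include the cross-cert so the chain reaches Microsoft Code Verification Root,
    # which is what the x64 kernel's load-time check (and signtool /kp) requires.
    Invoke-Tool signtool @("sign", "/v", "/ac", $CrossCert, "/n", $CertSubject,
                           "/fd", $Digest, "/t", $TimestampUrl, $File)
}

$pkg = (Resolve-Path $PackageDir).Path

# 1. Embedded signature on every .sys FIRST: Inf2Cat hashes the files named in the
#    INF, so signing the binary afterwards would invalidate the catalog.
$sysFiles = @(Get-ChildItem -Path $pkg -Filter *.sys)
foreach ($f in $sysFiles) { Add-ReleaseSignature $f.FullName }

# 2. Build the catalog for Win7 x64; this is what the PnP package install checks.
Invoke-Tool inf2cat @("/driver:$pkg", "/os:7_X64")

# 3. Sign the catalog(s) with the same certificate.
$catFiles = @(Get-ChildItem -Path $pkg -Filter *.cat)
foreach ($f in $catFiles) { Add-ReleaseSignature $f.FullName }

# 4. Verify against the policies the OS will actually apply: kernel-mode (/kp)
#    for the binary, default Authenticode policy (/pa) for the package catalog.
foreach ($f in $sysFiles) { Invoke-Tool signtool @("verify", "/v", "/kp", $f.FullName) }
foreach ($f in $catFiles) { Invoke-Tool signtool @("verify", "/v", "/pa", $f.FullName) }
```

The two verify calls correspond to Jan’s “note 2”: the .sys has to satisfy kernel-mode code signing policy, the .cat only has to carry a valid release signature for the PnP install, and a package that passes one but not the other is the usual source of “it installs but won’t load” (or the reverse).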

> > submitted), the OS will show only a harmless “Yes/No” message box.
>
> Yes, THAT is correct (and in fact contradicts what you said in the previous sentence).

More so, on Vista+ the box is only shown during driver package install and NOT during devnode creation.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

Although it requires the use of exploits, there are many ways to bypass driver signing verification on Win7 and Win8, depending on which updates you have installed. There’s a lot of exploit code public; just google.

It is possible to bypass driver signing on a fully patched Win7 and Win8 machine, but like anything good, this information is not public. But several authors of previous exploits have shown as much proof as they can without revealing exploit source code.

Zzzzzzzzzzzzzzzzzzzzz…

Peter
OSR
@OSRDrivers

Thank you Peter and Maxim for the clarification.

On Tue, Dec 16, 2014 at 8:41 PM, Maxim S. Shatskih wrote:

So, the user’s system will fail on the next Windows Update? Or do you want to ask the customer to install such kinds of things?

Thank you very much :)


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com
