I can't make test signed drivers work in 64-bit Vista

Thread starter: Ladislav Zezula

Ladislav Zezula

Hi,

I am the author of a system tool called FileSpy. It's a tool similar to the
famous FileMon from Mark Russinovich.

Now I want to move it to 64-bit Vista, which brings
the need to sign drivers. I decided to use test signing for now.

As with FileMon, there is no installation procedure for FileSpy either.
It unpacks the drivers, installs them as services and loads them.
I would like to keep this functionality for 64-bit Vista too.

But I am unable to make the signatures for the drivers properly
("properly" means being able to load them when test signing is allowed).

This is what I did to make a proper driver signature:

1) I allowed test signed drivers using Bcdedit.exe
2) I created a test signing certificate using makecert.exe
3) I have signed the kernel driver using signtool
4) I created the CDF file and made a CAT file from it,
using the cross-certificate file downloaded from MS.
5) Compiled the main application's EXE. The resources
of this EXE contain both the signed CAT file and the signed SYS file.
6) Verified the SYS file signature.

This is what the main FileSpy's EXE does:

1) Unpacks the CAT file and uses CryptCATAdminAddCatalog
to add the CAT file to the catalog root. After this step, the CAT
file contains two hashes (I have two drivers) and is installed in the
D:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
directory.
2) Unpacks the SYS file and uses CreateService/RunService to
install the driver.

After that, I get error code 577 ("The hash for the image cannot
be found in the system catalogs. The image is likely corrupt or
the victim of tampering.").

Please, do you have any idea what I am doing wrong?


Ladislav Zezula
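The test-signing procedure the post lists (bcdedit, makecert, signtool, a CDF turned into a CAT, then verification and service installation), written out end to end as an added example. This is not FileSpy's own tooling; it uses the WDK command-line tools as documented for Vista, and the file names FileSpy.sys, FileSpy.cat, FileSpy.cdf, the certificate subject and the store name are assumptions for illustration. Two points a practitioner will want alongside the post's steps: test-signing mode relaxes kernel code-integrity enforcement for the whole machine and needs a reboot, so it belongs on a development box only; and the Microsoft cross-certificate is only needed when the signing certificate chains to a commercial CA for release signing, so a self-signed test certificate does not use one.

```powershell
# Added example: test-signing a kernel driver for 64-bit Vista with the WDK tools.
# Assumes makecert.exe, signtool.exe, makecat.exe and certmgr.exe are on PATH
# (WDK bin directory) and that the driver to sign is .\FileSpy.sys (assumed name).
$Driver  = 'FileSpy.sys'
$Catalog = 'FileSpy.cat'
$Cdf     = 'FileSpy.cdf'
$Store   = 'PrivateCertStore'           # certificate store that will hold the test cert
$Subject = 'CN=FileSpy Test Signing'    # assumed subject name for the test certificate
$Name    = 'FileSpy Test Signing'       # substring signtool /n matches against the subject
$Tsa     = 'http://timestamp.verisign.com/scripts/timestamp.dll'

function Assert-LastExit([string]$Step) {
    # Native tools report failure through the exit code, not a PowerShell error.
    if ($LASTEXITCODE -ne 0) { throw "$Step failed with exit code $LASTEXITCODE" }
}

# 1) Allow test-signed kernel code. Takes effect only after a reboot.
bcdedit /set testsigning on
Assert-LastExit 'bcdedit'

# 2) Create a self-signed test certificate in a private store
#    (-r self-signed, -pe exportable private key, -ss target store).
makecert -r -pe -ss $Store -n $Subject FileSpyTest.cer
Assert-LastExit 'makecert'

#    Install the test certificate where the verification chain will find it
#    on this machine (Trusted Root and Trusted Publishers).
certmgr /add FileSpyTest.cer /s /r localMachine root
certmgr /add FileSpyTest.cer /s /r localMachine trustedpublisher

# 3) Embedded-sign the driver binary itself. Required for boot-start drivers,
#    and it lets the image load even if the catalog is not found.
signtool sign /v /s $Store /n $Name /t $Tsa $Driver
Assert-LastExit 'signtool sign (driver)'

# 4) Describe the catalog in a CDF and build it. OSAttr 2:6.0 targets Vista;
#    the <hash> prefix makes makecat store the file's hash rather than the file.
@"
[CatalogHeader]
Name=$Catalog
PublicVersion=0x0000001
EncodingType=0x00010001
CATATTR1=0x10010001:OSAttr:2:6.0

[CatalogFiles]
<hash>$Driver=$Driver
"@ | Set-Content -Encoding Ascii $Cdf
makecat -v $Cdf
Assert-LastExit 'makecat'

#    Sign the catalog with the same test certificate.
signtool sign /v /s $Store /n $Name /t $Tsa $Catalog
Assert-LastExit 'signtool sign (catalog)'

# 5) Checks before packing the files into a resource: the embedded signature
#    must verify, and the catalog must contain the hash of this exact .sys file.
#    Re-signing or rebuilding the driver after makecat invalidates the catalog.
signtool verify /pa /v $Driver
Assert-LastExit 'signtool verify (embedded)'
signtool verify /pa /v /c $Catalog $Driver
Assert-LastExit 'signtool verify (catalog)'

# 6) Install and start the driver as a demand-start kernel service; sc.exe is the
#    command-line equivalent of the CreateService/StartService calls the post uses.
$Target = Join-Path $env:SystemRoot 'System32\drivers\FileSpy.sys'
Copy-Item $Driver $Target -Force
sc.exe create FileSpy type= kernel start= demand binPath= $Target
Assert-LastExit 'sc create'
sc.exe start FileSpy
Assert-LastExit 'sc start'
```

Run it from an elevated prompt in the directory holding FileSpy.sys, reboot after step 1 before expecting a load to succeed, and keep step 5 in the build: if `signtool verify /c` fails against the catalog, the loader will fail the same way, and the catalog must be rebuilt from the final binary.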