
How do I digitally sign a Windows driver so that my driver works?

Microsoft.

Microsoft defined one point in time (I think it was June 1st, 2016) and starting with Windows 10 version 1607, the following restrictions apply to kernel mode drivers without a signature from "Microsoft Windows Hardware Compatibility Publisher":
  • If the signing certificate expired before June 1st, 2016, the driver is allowed to load.
  • If the signing certificate became valid before June 1st, 2016 and expired after June 1st, 2016, the timestamp of the signature is checked to decide if the driver is allowed to load.
  • If the signing certificate became valid after June 1st, 2016, the driver is always denied to load.
For obvious reasons you cannot get any new certificate which expires before June 1st, 2016, so you are required to have a signature from Microsoft for any drivers you want to distribute.

Even if you had an old certificate, it would be a SHA1 certificate, but since 2022 all drivers are required to have a SHA256 signature on Windows 10/11/2019/2022 (and that old certificate would probably be "leaked", and any file signed with it would get instantly deleted by anti-virus, so you couldn't even use it on 32-bit Windows 7/8/8.1).

Starting with Windows 10, version 1607, Windows will not load any new kernel-mode drivers which are not signed by the Dev Portal. To get your driver signed, first Register for the Windows Hardware Dev Center program. Note that an EV code signing certificate is required to establish a dashboard account.
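The three date rules in the post above, written out as an added Python helper (not Microsoft's code and not from the poster): it takes a driver signature's certificate validity window, digest algorithm, countersignature timestamp and whether the "Microsoft Windows Hardware Compatibility Publisher" signature is present, and returns the load verdict together with the rule that decided it. The names (`DriverSignature`, `load_verdict`, `modern_os`) are my own; the assumption that, for a certificate straddling the cutoff, the signature timestamp must fall before the cutoff is labelled in the code, and the signatures in the `__main__` block are constructed samples.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple

# Cutoff quoted in the post (applies from Windows 10 version 1607 onwards).
CUTOFF = datetime(2016, 6, 1)


@dataclass
class DriverSignature:
    cert_not_before: datetime       # signing certificate validity start
    cert_not_after: datetime        # signing certificate validity end
    digest: str                     # file digest algorithm, e.g. "sha1" or "sha256"
    timestamp: Optional[datetime]   # RFC 3161 countersignature time, None if absent
    whcp_signed: bool = False       # also carries the Microsoft WHCP publisher signature


def load_verdict(sig: DriverSignature, modern_os: bool = True) -> Tuple[bool, str]:
    """Return (allowed, reason).

    modern_os=True models Windows 10/11/2019/2022 with the SHA-256-only rule the
    post says has applied since 2022; False models older releases without it.
    """
    if sig.whcp_signed:
        return True, "signed by Microsoft Windows Hardware Compatibility Publisher"
    if modern_os and sig.digest.lower() != "sha256":
        return False, f"{sig.digest} digest: only SHA-256 signatures are accepted since 2022"
    if sig.cert_not_after < CUTOFF:
        return True, "certificate expired before 2016-06-01"
    if sig.cert_not_before < CUTOFF:
        # Certificate straddles the cutoff: the post says the signature timestamp decides.
        # Assumption: a countersignature dated before the cutoff is what qualifies.
        if sig.timestamp is None:
            return False, "certificate straddles the cutoff but the signature has no timestamp"
        if sig.timestamp < CUTOFF:
            return True, f"signature timestamped {sig.timestamp:%Y-%m-%d}, before the cutoff"
        return False, f"signature timestamped {sig.timestamp:%Y-%m-%d}, after the cutoff"
    return False, "certificate issued after 2016-06-01 without a Microsoft signature"


if __name__ == "__main__":
    # Constructed samples, one per rule in the post.
    samples = {
        "legacy SHA-1, expired 2015": DriverSignature(
            datetime(2012, 1, 1), datetime(2015, 1, 1), "sha1", datetime(2014, 6, 1)),
        "straddling cert, stamped 2016-03": DriverSignature(
            datetime(2015, 1, 1), datetime(2018, 1, 1), "sha256", datetime(2016, 3, 1)),
        "straddling cert, stamped 2017-03": DriverSignature(
            datetime(2015, 1, 1), datetime(2018, 1, 1), "sha256", datetime(2017, 3, 1)),
        "fresh EV cert, no WHCP": DriverSignature(
            datetime(2024, 1, 1), datetime(2025, 1, 1), "sha256", datetime(2024, 6, 1)),
        "fresh EV cert + WHCP": DriverSignature(
            datetime(2024, 1, 1), datetime(2025, 1, 1), "sha256", datetime(2024, 6, 1), True),
    }
    for label, sig in samples.items():
        for os_label, modern in (("old Windows", False), ("Win10/11 2022+", True)):
            allowed, why = load_verdict(sig, modern_os=modern)
            print(f"{label:34} on {os_label:14}: {'LOAD' if allowed else 'DENY'} ({why})")
```

Running the block prints the verdict matrix; the "legacy SHA-1" row is the one that flips between old and current Windows, which is the point of the post's second paragraph.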


I might be wrong, but I don't think you can load a driver with an EV cert; maybe it works under old Windows versions, I am not sure about this.

Personally, I have drivers that are signed that can be loaded under some old versions but not on the latest Windows 10 24H2; maybe it's worth it for you to test and find a certificate to test it. (These are not cross-signed.)

What's an EV certificate?

Extended Validation Certificate is a form of certificate, in which the purchaser (company) is thoroughly verified. It is the highest level certificate type you can purchase, and it's considered the most trusted for browsers and code-signing. An EV certificate is also required to sign kernel-mode drivers on Windows systems.

Keep in mind there's a difference between an EV SSL certificate and an EV Code Signing certificate. tl;dr an EV SSL certificate is for your website: the browser will show a green padlock, indicating to the visitor that this website is trusted and a verified business.

Requirements
- Own or operate a legal entity

For the purposes of this thread, I'll only discuss the most common forms:
  • A limited liability company (LLC)
  • A sole-proprietorship (common in EU)

To put it in simple terms, the main difference between an LLC and a sole-proprietorship is property. In case of any legal action taken against you, there's no distinction between your "proprietorship's" and personal property (including the property of your wife/husband). In case of a single-person LLC, you are personally only liable for some amount of money, depending on country, for example 5 000 EUR.

  • Proof of legal existence (Articles of incorporation, Name of Incorporating Agency)
  • Proof of physical existence (Entity location listed in a qualified information source (business on Google Maps))
  • Proof of operational experience (Entity name listed in a qualified information source)
  • Business phone number, and e-mail
  • A domain for your business, that's owned and paid for by the company (this is important later with Microsoft)
  • Government-issued identification to verify you as the owner/executive officer of the company on par with public records

Certificate authorities are careful when verifying your information, to prevent shell companies from malware developers, etc. The verification process can take anywhere from 3 days to a couple months. It all depends on how much information you can provide, and the reliability of it. I personally bought an aged company and listed as much public information everywhere as possible.


If you want to hide your personal information from the public's eyes, look into purchasing an off-shore company with an assigned executive officer that will have their name on the papers. This is offered in a lot of states, and could even give you certain bonuses, such as lower taxes, etc. You can virtually get an off-shore country anywhere, be it Asia, USA, EU or Africa. Keep in mind that if you require a delivery being made for your company, it would have to get re-shipped to you from the company's country.

I personally find this restrictive, and if you're doing something that could lead to potential lawsuits or legal problems, the off-shore companies won't protect you. It's simply a way to keep the general public from doxing you.

The process becomes significantly easier if you register for a DUNS number.

Finding a certificate authority

This mainly depends on your budget. I personally went with SSL.com; their support is really quick to respond, and they offer very cheap EV certificates. The verification process was swift, and I received my Yubikey with the EV certificate in a matter of days (USA->EU express shipping).
Other notable ones are DigiCert and Sectigo.
SSL.com also offers a cloud signing service, where you don't need to pay extra for a yubikey at all, and can sign files via their website.

Extended validation process

After making your deposit, you will be required to send in a number of documents. Most of this is just office & government paper gathering. It's useful to have an accountant help you with this. You will have to sign a partnership agreement with the certificate authority, along with some other papers. It doesn't take too long to prepare, just be prepared to run around the city a bit. If you want a list of papers, take a look at the requirements.

Receiving your EV certificate

For some time, due to previous leaks and such, .pfx certificates are usually no longer distributed (with an exception for enterprise companies and manufacturers). It's most likely that you will have to purchase an additional FIPS yubikey via your certificate authority, where the certificate is safely stored. A guide on how to install the required software and use it for code-signing will be provided on the website you purchased your certificate from.

Microsoft Partner Program

For driver-signing, you will need to register with the Microsoft Hardware Program, and therefore with the Microsoft Partner Program as well. This can be hectic, especially if you're a new company. They will ask for pretty much the same things as the certificate authority; additionally, they might ask for invoices for your domain, and tell you off that they only let manufacturers with a line of products into the programme. You will most likely fail the verification process, unless you're aged, or have a DUNS number. If that's the case (after 1 month of unsuccessful attempts), you will have to open a ticket and write to Microsoft support, with the intended purposes, of course sprinkled with some sense of a legit purpose that doesn't involve game cheating and kernel manipulation, and you will get declined again. After you respond to it, however, a human will finally take a look at it properly and get you verified.

Why is Microsoft Partner Program required?

Systems running secure-boot or newer versions of Windows will refuse to load a driver that's not signed by Microsoft.

  1. Purchase EV CodeSigning cert

    We purchased a 1 year code signing certificate from digicert. Your experience might be different with other certificate authorities. The verification process is nonsense as expected. Roughly 2-3 weeks is spent at this stage.


  2. Test hardware token

    The EV certificate arrives in the mail on a USB token. A 3rd party utility is required to manage it.



    Test sign a file to confirm it's working correctly.

    Code:
    signtool sign /debug /d "xxx" /fd sha256 /tr http://timestamp.digicert.com MyDriver.sys
    pause

    If the token is plugged in and the SafeNet client is running, a window will pop up to prompt you for a password.

  3. Sign up for Microsoft Hardware Developer Program

    Link to microsoft site. This will force you to create an Azure AD if you don't have one already.



  4. Register your EV certificate on the hardware center

    Register EV page. You download a fake 4kb PE file and sign it with your EV certificate.



  5. Create inf and cat file

    Replace yourdriver in this file with your driver's name.

    [Version]
    Signature="$WINDOWS NT$"
    Class=System
    ClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318}
    Provider="Sample Provider"
    DriverVer=12/12/2017,10.0.0.1
    CatalogFile=yourdriver.cat
    PnpLockdown=1

    [DestinationDirs]
    DefaultDestDir = 12


    ; ================= Device Install section =====================

    [Manufacturer]
    %ManufacturerString%=Sample_Manufacturer,NTx86, NTamd64, NTARM, NTARM64

    ; For XP and later
    [Sample_Manufacturer.NTx86]
    %yourdriver.DRVDESC%=yourdriver_Inst,root\yourdriver

    [Sample_Manufacturer.NTARM]
    %yourdriver.DRVDESC%=yourdriver_Inst,root\yourdriver

    [Sample_Manufacturer.NTARM64]
    %yourdriver.DRVDESC%=yourdriver_Inst,root\yourdriver

    [Sample_Manufacturer.NTamd64]
    %yourdriver.DRVDESC%=yourdriver_Inst,root\yourdriver

    [yourdriver_Inst.NT]
    CopyFiles=yourdriver.CopyFiles

    [yourdriver.CopyFiles]
    yourdriver.sys

    [yourdriver_Inst.NT.Services]
    AddService=yourdriver,0x00000002,yourdriver_Service

    [yourdriver_Service]
    DisplayName = %yourdriver.SVCDESC%
    ServiceType = 1 ; SERVICE_KERNEL_DRIVER
    StartType = 1 ; SERVICE_SYSTEM_START
    ErrorControl = 1 ; SERVICE_ERROR_NORMAL
    ServiceBinary = %12%\yourdriver.sys

    [DeviceInstall32]
    AddDevice=ROOT\Samples\0001,,YourDriverM

    [YourDriverM]
    HardwareIds=root\yourdriver

    ; ================= Source Media Section =====================

    [SourceDisksFiles]
    yourdriver.sys=1

    [SourceDisksNames.x86]
    1 = %DISK_NAME%,,,

    [SourceDisksNames.amd64]
    1 = %DISK_NAME%,,,

    [SourceDisksNames.ARM]
    1 = %DISK_NAME%,,,

    [SourceDisksNames.ARM64]
    1 = %DISK_NAME%,,,

    [Strings]
    ManufacturerString = "Sample Manufacturer"
    ClassName = "Sample Drivers"
    yourdriver.SVCDESC = "Sample Service"
    yourdriver.DRVDESC = "Sample Driver"
    DISK_NAME = "Utility"

    Convert to cat:

    Code:
    "C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x86\Inf2Cat.exe" /v /os:10_19H1_X64 /driver:E:\folder_where_inf_is\
    pause


  6. Create CAB Archive

    MS requires that each driver and its associated files are in separate directories. If you have a driver in the root of the archive, it will automatically fail.

    This is a DDF file you pass into makecab.

    .OPTION EXPLICIT ; Generate errors
    .Set CabinetFileCountThreshold=0
    .Set FolderFileCountThreshold=0
    .Set FolderSizeThreshold=0
    .Set MaxCabinetSize=0
    .Set MaxDiskFileCount=0
    .Set MaxDiskSize=0
    .Set CompressionType=MSZIP
    .Set Cabinet=on
    .Set Compress=on
    ;Specify file name for new cab file
    .Set CabinetNameTemplate=yourdriver.cab
    ; Specify the subdirectory for the files.
    ; Your cab file should not have files at the root level,
    ; and each driver package must be in a separate subfolder.
    .Set DestinationDir=yourdriver
    ;Specify files to be included in cab file
    yourdriver\yourdriver.sys
    yourdriver\yourdriver.pdb
    yourdriver\yourdriver.inf
    yourdriver\yourdriver.cat

    Code:
    MakeCab /f cabinput.ddf
    pause

    Sign the cab file:

    Code:
    signtool sign /debug /d "XXX" /fd sha256 /tr http://timestamp.digicert.com yourdriver.cab
    pause

  7. Submit Archive to Microsoft

    Microsoft Link
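Steps 5 to 7 above fail silently at submission time when the package layout is wrong, so here is an added pre-submission lint for the staging directory, written in Python for this thread (it is not Microsoft's tooling and not the poster's script). It applies the rules the steps state: no files at the archive root, each driver in its own subfolder, a `[Version]` section with the `$WINDOWS NT$` signature and a `CatalogFile=` entry, the named .cat actually present, and every file reachable from a `CopyFiles=` directive actually staged. The INF reader is deliberately minimal (sections, `;` comments, `key=value` and bare file-list lines, the `@file` CopyFiles form); `lint_package`, `load_tree` and `sample_tree` are my own names, and the sample tree is a constructed, trimmed version of the INF from step 5 with placeholder binaries.

```python
import os
import re
from typing import Dict, List, Optional


def parse_inf(text: str) -> Dict[str, List[str]]:
    """Minimal INF reader: {section (lower-case): [directive lines]}; ';' comments dropped."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def inf_value(sections: Dict[str, List[str]], section: str, key: str) -> Optional[str]:
    """First value for key= inside a section, surrounding quotes removed."""
    for line in sections.get(section.lower(), []):
        k, eq, v = line.partition("=")
        if eq and k.strip().lower() == key.lower():
            return v.strip().strip('"')
    return None


def copied_files(sections: Dict[str, List[str]]) -> List[str]:
    """Every file name reachable from a CopyFiles= directive (list sections or @file form)."""
    names: List[str] = []
    for lines in sections.values():
        for line in lines:
            k, eq, v = line.partition("=")
            if not eq or k.strip().lower() != "copyfiles":
                continue
            for target in (t.strip().lower() for t in v.split(",")):
                if target.startswith("@"):
                    names.append(target[1:])
                else:  # file-list section: first comma-separated field is the file name
                    names += [e.split(",", 1)[0].strip().lower() for e in sections.get(target, [])]
    return names


def lint_package(files: Dict[str, str]) -> List[str]:
    """files: relative path inside the staging dir -> contents. Returns problems (empty = OK)."""
    problems: List[str] = []
    folders: Dict[str, Dict[str, str]] = {}
    for path, content in files.items():
        top, sep, rest = path.replace("\\", "/").partition("/")
        if not sep:
            problems.append(f"{path}: file at archive root; MS rejects packages with root-level files")
        else:
            folders.setdefault(top, {})[rest.lower()] = content
    for folder, members in folders.items():
        infs = [n for n in members if n.endswith(".inf")]
        if len(infs) != 1:
            problems.append(f"{folder}/: expected exactly one .inf, found {len(infs)}")
            continue
        sec = parse_inf(members[infs[0]])
        signature = (inf_value(sec, "Version", "Signature") or "").upper()
        if signature not in ("$WINDOWS NT$", "$CHICAGO$"):
            problems.append(f'{folder}/{infs[0]}: [Version] Signature is {signature!r}, expected "$WINDOWS NT$"')
        cat = inf_value(sec, "Version", "CatalogFile")
        if cat is None:
            problems.append(f"{folder}/{infs[0]}: no CatalogFile= in [Version]; Inf2Cat needs one")
        elif cat.lower() not in members:
            problems.append(f"{folder}/: CatalogFile={cat} is missing (run Inf2Cat before MakeCab)")
        for name in copied_files(sec):
            if name not in members:
                problems.append(f"{folder}/: {name} is listed under CopyFiles but not staged")
    return problems


def load_tree(root: str) -> Dict[str, str]:
    """Read a real staging directory into the mapping lint_package expects."""
    files: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            full = os.path.join(dirpath, n)
            with open(full, "rb") as fh:  # binaries are only checked for presence
                files[os.path.relpath(full, root).replace(os.sep, "/")] = fh.read().decode("latin-1")
    return files


# Constructed sample: a trimmed version of the INF from step 5, plus placeholder binaries.
SAMPLE_INF = """[Version]
Signature="$WINDOWS NT$"
Class=System
CatalogFile=yourdriver.cat
PnpLockdown=1

[yourdriver_Inst.NT]
CopyFiles=yourdriver.CopyFiles

[yourdriver.CopyFiles]
yourdriver.sys
"""


def sample_tree(with_cat: bool = True, root_file: bool = False) -> Dict[str, str]:
    files = {"yourdriver/yourdriver.inf": SAMPLE_INF,
             "yourdriver/yourdriver.sys": "<placeholder driver image>",
             "yourdriver/yourdriver.pdb": "<placeholder symbols>"}
    if with_cat:
        files["yourdriver/yourdriver.cat"] = "<placeholder catalog>"
    if root_file:
        files["readme.txt"] = "stray file at the root"
    return files


if __name__ == "__main__":
    for label, tree in [("good", sample_tree()), ("no .cat", sample_tree(with_cat=False)),
                        ("root file", sample_tree(root_file=True))]:
        print(label, "->", lint_package(tree) or ["OK"])
```

For a real package, call `lint_package(load_tree(r"E:\folder_where_inf_is"))` on the directory you are about to hand to MakeCab; an empty list means the layout checks pass, and each string in a non-empty list names the folder and the rule it breaks.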

A recommendation is to find drivers with suspicious imports: MmMapIoSpace, MmMapIoSpaceEx, MmMapLockedPages, MmMapLockedPagesSpecifyCache, MmMapLockedPagesWithReservedMapping...

An option could be to exploit a driver such as iqvw64e.sys to manually map non-signed drivers in memory (typically known as KDMapper).

https://github.com/TheCruZ/kdmapper

I don't know if it's going to work, but it is typically used and updated. I don't use that. I don't think it will work fine when the "Core Isolation", "Memory Integrity", "Microsoft Vulnerable Driver Blocklist", "Kernel mode hardware enforced stack protection" and "Tamper Protection" options are enabled. I think that if you find a loader which starts before the HVCI hypervisor, it could probably work. Intercepting the moment when securekernel is mapped in memory, it can then be tampered with like the normal kernel at this stage (the SK entry point even runs in VTL0). You might want to give it a try...
 
Thanks Bro