Generate test signatures for sys/cat files

Over the past few days I have been testing driver installation with DpInst. Because the driver is not signed, the installation fails, so I looked into how to generate a test signature for the .sys/.cat files. This article draws on a Kanxue forum post, "win x64 platform driver test digital signature", and corrects a few errors in it (probably discrepancies between the author's two runs of the experiment).
During development and testing the driver has no digital signature, so the usual workaround is to press F8 at boot and choose "Disable Driver Signature Enforcement". The trouble with that approach is that it has to be repeated on every boot, and it is easy to forget. The solution documented on MSDN is test signing. Assume the compiled driver is located at: E:/WinDDk/my_test/objchk_win7_amd64/amd64
  1. Make a digital certificate for testing:
    Open a command line with administrator privileges (the Checked/Free Build Environment provided by the DDK is the simplest choice), navigate to the driver path, and run:
    makecert -r -pe -ss PrivateCertStore -n CN=Contoso.com(Test) My_Test.cer
    PrivateCertStore and Contoso.com(Test) can be named freely. This writes a self-signed test certificate, My_Test.cer, into the current directory and keeps its private key in the PrivateCertStore store of the current user (-r means self-signed, -pe makes the private key exportable, -ss names the store). It may fail without administrator privileges, and it may fail from a plain cmd window that does not have the DDK tools on its PATH.

  2. Modify the INF file and generate a catalog file:
    In the [version] section of the INF file add
    CatalogFile.NtAMD64 = My_Test_AMD64.cat
    at the end of the section. The directive exists in platform-decorated forms (CatalogFile.NtAMD64 for x64, CatalogFile.NtX86 for x86) as well as the undecorated CatalogFile.Nt and CatalogFile; the Windows 7 x64 build used here needs the NtAMD64 form. The INF file must sit in the same directory as the driver's .sys file. Then, in the Checked/Free Build Environment, run:
    Inf2cat.exe /driver:E:/WinDDk/my_test/objchk_win7_amd64/amd64/ /os:7_x64
    To generate catalog files for other platforms, see: Inf2Cat application parameter usage detailed introduction (inf2cat generates cat file)

  3. Sign the cat file:
    Open the WDK command line with administrator privileges, navigate to the driver path, and run:
    Signtool sign /a /v /s PrivateCertStore /n Contoso.com(Test) /t http://timestamp.verisign.com/scripts/timestamp.dll My_Test_AMD64.cat
    This needs an Internet connection because /t requests a timestamp from the timestamp server; without a connection there is a warning. (The VeriSign URL is the one from the original article; if no timestamp server is reachable, the /t option can be dropped, which is acceptable for a test signature.) The strings after /s and /n must match the -ss and -n values given to makecert; the original author apparently had a typo here, which made the signature fail.

  4. Register the test digital certificate:
    Navigate to the driver path and run:
    certmgr.exe /add My_Test.cer /s /r localMachine root
    This adds the test certificate to the local machine's Trusted Root store, so that signatures made with it also verify on the build machine.

  5. Sign the driver file:
    Navigate to the driver path and run:
    Signtool sign /a /v /s PrivateCertStore /n Contoso.com(Test) /t http://timestamp.verisign.com/scripts/timestamp.dll xxxx.sys
    This also needs an Internet connection for the timestamp; otherwise there is a warning, as in step 3. The signature is embedded in the .sys file itself, whereas the catalog from step 3 covers the driver package as a whole.

  6. Install the test signature:
    On the target machine, put xxx.sys, xxx.inf, My_Test.cer, My_Test_AMD64.cat and certmgr.exe in one directory, open a CMD window with administrator privileges, navigate to that directory, and run the following commands to register the certificate and enable test mode.
    (These two steps are essential. The author tried to install the signed sys and cat with DpInst on a target machine without registering the certificate, and the driver package did not install.)
    certmgr.exe /add My_Test.cer /s /r localMachine root
    certmgr.exe /add My_Test.cer /s /r localMachine trustedpublisher

    cd c:/windows/system32/
    bcdedit.exe /set TESTSIGNING ON

    The bcdedit change takes effect at the next reboot (bcdedit lives in System32, which is on the PATH, so the cd is not strictly required). Once test mode is on it stays on across reboots until you explicitly turn it off; the desktop then shows a "Test Mode" watermark in the lower right corner. The command to turn it off is bcdedit.exe /set TESTSIGNING OFF. On UEFI machines with Secure Boot enabled, bcdedit refuses to change this setting, so Secure Boot has to be disabled first. Note also that any binary signed with the test certificate's private key is now trusted by the target machine, so remove the certificate from the root and trustedpublisher stores and turn test mode off when testing is finished.
Notes:
1. If certmgr.exe is not present on the target machine, copy the 64-bit certmgr.exe from the development machine (the built-in certutil -addstore Root My_Test.cer and certutil -addstore TrustedPublisher My_Test.cer do the same job without it).
2. If the .sys file is rebuilt without changing the INF file, only step 5 (re-signing the driver file) needs to be repeated; neither the test certificate nor the catalog file needs to be regenerated. This works because the re-signed .sys carries its own embedded signature; if you also want the catalog's hash to match the new binary, rerun steps 2 and 3.
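The whole procedure, scripted. This is an added example, not the original article's commands or a Microsoft-supplied tool: a PowerShell script that runs the host-side steps 1 to 5 and then verifies the results with signtool verify, plus a function for the target-side registration in step 6 that uses the built-in certutil instead of certmgr.exe. It assumes makecert.exe, inf2cat.exe and signtool.exe are on the PATH (run it from the WDK build environment), that the window is elevated, and that the driver directory, file names, store name, subject and timestamp URL in the parameters are edited for your driver; the defaults are the placeholder names used in the article.

```powershell
<#
  Added example (not code from the original article). Automates steps 1-5 on
  the build machine and verifies the signatures; -TargetOnly runs step 6.
  Assumptions: WDK tools on PATH, elevated window, parameter defaults replaced
  with real values (they are the article's placeholder names).
#>
param(
    [string]$DriverDir    = 'E:\WinDDk\my_test\objchk_win7_amd64\amd64',
    [string]$SysName      = 'xxxx.sys',
    [string]$InfName      = 'xxxx.inf',
    [string]$CatName      = 'My_Test_AMD64.cat',
    [string]$CerName      = 'My_Test.cer',
    [string]$StoreName    = 'PrivateCertStore',
    [string]$Subject      = 'Contoso.com(Test)',
    [string]$OsTarget     = '7_X64',
    [string]$TimestampUrl = '',      # empty = sign without a timestamp (works offline)
    [switch]$TargetOnly              # run only the target-machine part (step 6)
)

function Invoke-Tool {
    # Run an external tool and stop on a non-zero exit code instead of
    # continuing with a half-signed package.
    param([string]$Exe, [string[]]$ArgList)
    Write-Host ">> $Exe $($ArgList -join ' ')"
    & $Exe @ArgList
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

function Assert-Elevated {
    # makecert, certmgr/certutil and bcdedit all need an elevated prompt.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this script from an elevated (administrator) prompt'
    }
}

function Invoke-HostSigning {
    Set-Location $DriverDir

    # Step 1: create the test certificate once; re-running makecert would put a
    # second key with the same subject into the store.
    if (-not (Test-Path $CerName)) {
        Invoke-Tool 'makecert.exe' @('-r', '-pe', '-ss', $StoreName, '-n', "CN=$Subject", $CerName)
    }

    # Step 2: the INF must already name the catalog in its [version] section;
    # fail early rather than let inf2cat produce nothing useful.
    if (-not (Select-String -Path $InfName -Pattern '^\s*CatalogFile(\.\w+)?\s*=' -Quiet)) {
        throw "$InfName has no CatalogFile directive"
    }
    Invoke-Tool 'inf2cat.exe' @("/driver:$DriverDir", "/os:$OsTarget")

    # Steps 3 and 5: sign the catalog and the driver binary. /s and /n must
    # match makecert's -ss and -n; /t is only added when a server was given.
    $signArgs = @('sign', '/a', '/v', '/s', $StoreName, '/n', $Subject)
    if ($TimestampUrl) { $signArgs += @('/t', $TimestampUrl) }
    Invoke-Tool 'signtool.exe' ($signArgs + $CatName)
    Invoke-Tool 'signtool.exe' ($signArgs + $SysName)

    # Step 4: trust the test root on this machine so the checks below can chain.
    Invoke-Tool 'certmgr.exe' @('/add', $CerName, '/s', '/r', 'localMachine', 'root')

    # Check: catalog signature, driver hash in the catalog (/c) and embedded
    # signature must all verify under the default Authenticode policy (/pa);
    # without /pa signtool applies the Windows driver policy and a test root fails.
    Invoke-Tool 'signtool.exe' @('verify', '/v', '/pa', $CatName)
    Invoke-Tool 'signtool.exe' @('verify', '/v', '/pa', '/c', $CatName, $SysName)
    Invoke-Tool 'signtool.exe' @('verify', '/v', '/pa', $SysName)
}

function Install-TestSigningTarget {
    # Step 6 on the target machine: trust the test certificate and turn test
    # mode on. certutil ships with Windows, so certmgr.exe need not be copied.
    Invoke-Tool 'certutil.exe' @('-addstore', 'Root', $CerName)
    Invoke-Tool 'certutil.exe' @('-addstore', 'TrustedPublisher', $CerName)
    # Refused on UEFI systems with Secure Boot enabled; effective after a reboot.
    Invoke-Tool 'bcdedit.exe' @('/set', 'testsigning', 'on')
    $state = bcdedit.exe /enum '{current}' | Select-String -Pattern 'testsigning'
    Write-Host "Boot entry now reports: $state"
}

Assert-Elevated
if ($TargetOnly) { Install-TestSigningTarget } else { Invoke-HostSigning }
```

Run it once without arguments in the WDK build environment on the build machine, then copy the .sys, .inf, .cat and .cer files together with the script to the target and run it there with -TargetOnly before installing with DpInst. The three signtool verify calls are the check the article lacks: if any of them fails on the build machine, the package will not install on the target either, and the failing call tells you whether the catalog, the catalog-to-driver hash or the embedded signature is the problem.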
