Get Certificate Information of Process?

Hi,

So I see I can use IoThreadToProcess then PsGetProcessId to get the process ID from a mini-filter. How do I then get the certificate information for the process? I’d like to know if the process has a valid certificate, the issuer and the name on the certificate.

TIA!!

There are no documented kernel APIs for this.

-scott
OSR
@OSRDrivers

Is there anything to at least check it, something like WinVerifyTrust for drivers? Although having the information from the certificate would be great. No way to do it at all from drivers?

Not that I’m aware of.

-scott
OSR
@OSRDrivers

You will need to call into user mode via the many methods available and use WinVerifyTrust.
If you want, you could of course parse the PE header yourself and check for the IMAGE_SECURITY_DIRECTORY, but this only works for files that are signed with an embedded certificate.
This will not work for files like notepad.exe, for example, which does not appear to be signed (missing the certificate) but in fact is signed via the “catalog signing” method. I am not sure of the official naming for this, but the file’s Authenticode hash is stored in a .cat file which basically tells the OS the file is signed. You can use signtool for this and verify that it is in fact signed and valid.

There are several APIs to verify such files, which take several parameters like a name or a handle, but luckily they also accept the Authenticode hash, which you could calculate in the driver yourself, send to user mode, have a “quick” check done there and get your answer back. If you want the full documentation on how you could achieve this, search for “Windows Authenticode Portable Executable Signature Format” from MSFT, where they describe how to calculate the Authenticode hash yourself.

The day MSFT implements WinVerifyTrust or similar for KM will be a great day for performance :)

Gabriel
www.kasardia.com

On Thu, Dec 14, 2017 at 5:24 AM, xxxxx@osr.com wrote:

> Not that I’m aware of.
>
> -scott
> OSR
> @OSRDrivers
>


Bercea. G.
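As an added example (not code from this thread or from any of the posters), here is the hash computation Gabriel points at: the Authenticode hash of a PE image as laid out in the “Windows Authenticode Portable Executable Signature Format” document, which skips the CheckSum field, the security data-directory entry and the attribute certificate table itself. `authenticode_hash` and `build_pe` are assumed names; `build_pe` constructs a toy one-section PE32 so the script runs offline without a real binary.

```python
import hashlib
import struct

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the attribute certificate table

def authenticode_hash(data, algo="sha256"):
    # Hash the image as the Authenticode spec describes: skip the CheckSum field,
    # the security data-directory entry and the attribute certificate table.
    pe = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                                 # optional header
    dd = 96 if struct.unpack_from("<H", data, opt)[0] == 0x10B else 112  # PE32 / PE32+
    hdr_size = struct.unpack_from("<I", data, opt + 60)[0]        # SizeOfHeaders
    cks, sec = opt + 64, opt + dd + SECURITY_DIR * 8              # CheckSum, security entry
    cert_size = struct.unpack_from("<II", data, sec)[1]
    h = hashlib.new(algo)
    for chunk in (data[:cks], data[cks + 4:sec], data[sec + 8:hdr_size]):
        h.update(chunk)
    sects = []
    for i in range(nsec):                                         # section table entries
        raw_size, raw_ptr = struct.unpack_from("<II", data, opt + opt_size + i * 40 + 16)
        if raw_size:
            sects.append((raw_ptr, raw_size))
    hashed = hdr_size
    for raw_ptr, raw_size in sorted(sects):                       # ascending file offset
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    extra = len(data) - cert_size - hashed                        # overlay minus cert table
    if extra > 0:
        h.update(data[hashed:hashed + extra])
    return h.hexdigest()

def build_pe(cert=b"", checksum=0):
    # Constructed toy PE32 with one 512-byte section (not a real binary); an optional
    # fake certificate table is appended and referenced from the security directory.
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)               # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 60, 512)                          # SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)                     # CheckSum
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    if cert:
        struct.pack_into("<II", opt, 96 + SECURITY_DIR * 8, 1024, len(cert))
    sect = bytearray(40)
    struct.pack_into("<II", sect, 16, 512, 512)                   # SizeOfRawData, PointerToRawData
    headers = (dos + coff + bytes(opt) + bytes(sect)).ljust(512, b"\0")
    return headers + bytes(range(256)) * 2 + cert
```

Because the checksum, the directory entry and the certificate table are excluded, the hash is the same whether or not an embedded signature is appended, which is what lets a catalog-signed file such as notepad.exe be looked up by this value. Verifying the signature or catalog still has to happen in user mode with WinVerifyTrust, as the thread says.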