Using PsSetCreateProcessNotifyRoutineEx in Windows 7 32 bits

Hi!
I am trying to use the PsSetCreateProcessNotifyRoutineEx kernel routine in my Windows 7 x86 minifilter.
To use PsSetCreateProcessNotifyRoutineEx you have to set the linker option /integritycheck and you have to sign the driver, else the PsSetCreateProcessNotifyRoutineEx routine returns access denied.
This worked fine in Windows 10 x64. But when signing the Windows 7 x86 driver and loading it I get (when doing fltmc load):
Load failed with error: 0x80070241
Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

The digital signature is OK (I can see it in the .sys file properties).
The strange thing is that if I don’t use the “/integritycheck” option but I keep the driver signed it works OK (I mean, the driver is loaded but the PsSetCreateProcessNotifyRoutineEx routine fails).

Thanks

Pablo Glombovsky wrote:

The digital signature is OK (I can see it in the .sys file properties).

Show the output of the following command:

signtool.exe verify /v /kp /tw your-driver.sys

I wonder, is it possible the driver is signed with a sha256 cert and your
win7x86 machine doesn’t support it (
https://technet.microsoft.com/en-us/library/security/2949927.aspx)?
/integritycheck would instruct the loader to verify the signature, which is
a step a driver on win7 x86 wouldn’t otherwise go through, so perhaps
that’s why the driver loads without that flag…

Thanks,
Alex

On Fri, Jan 13, 2017 at 10:13 AM, wrote:

> Hi!
> I am trying to use the PsSetCreateProcessNotifyRoutineEx kernel routine
> in my Windows 7 x86 minifilter.
> To use PsSetCreateProcessNotifyRoutineEx you have to set the linker
> option /integritycheck and you have to sign the driver, else the
> PsSetCreateProcessNotifyRoutineEx routine returns access denied.
> This worked fine in Windows 10 x64. But when signing the Windows 7 x86
> driver and loading it I get (when doing fltmc load):
> Load failed with error: 0x80070241
> Windows cannot verify the digital signature for this file. A recent
> hardware or software change might have installed a file that is signed
> incorrectly or damaged, or that might be malicious software from an unknown
> source.
>
> The digital signature is OK (I can see it in the .sys file properties).
> The strange thing is that if I don’t use the “/integritycheck” option but I
> keep the driver signed it works OK (I mean, the driver is loaded but the
> PsSetCreateProcessNotifyRoutineEx routine fails).
>
> Thanks
>

thanks Alex!
You were of great help here.
I saw that the .pfx file I was using had the SHA256 hashing algorithm. After installing the Windows Update (it’s an optional one) it worked fine.
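A defender-side pre-flight check that ties the two findings of this thread together: whether the driver was actually linked with /integritycheck (the IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY bit in the PE optional header), what hash algorithm its signing certificate uses, and whether the Windows 7 SHA-2 code-signing update is present. This is an added example, not code from the thread; the KB number used as the default is an assumption taken from the advisory the reply links to, and the Test-ForceIntegrity function name is mine.

```powershell
param(
    [Parameter(Mandatory = $true)][string]$DriverPath,
    # Assumption: KB3033929 is the Win7/2008 R2 SHA-2 code-signing support update
    # behind advisory 2949927; adjust if your baseline tracks it under another id.
    [string]$Sha2UpdateKb = 'KB3033929'
)

function Test-ForceIntegrity {
    # Returns $true when the linker set /integritycheck on the image.
    param([string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path is not an MZ executable"
    }
    $peOffset = [BitConverter]::ToUInt32($bytes, 0x3C)          # e_lfanew
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {   # "PE\0\0"
        throw "$Path has no PE header"
    }
    # Optional header follows the 4-byte signature and the 20-byte file header;
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts.
    $optHdr   = $peOffset + 4 + 20
    $dllChars = [BitConverter]::ToUInt16($bytes, $optHdr + 70)
    return (($dllChars -band 0x0080) -ne 0)    # IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY
}

$forceIntegrity = Test-ForceIntegrity -Path $DriverPath
$sig = Get-AuthenticodeSignature -FilePath $DriverPath
# Algorithm the CA used to sign the certificate (what the .pfx in the thread showed);
# the file digest itself is reported by "signtool verify /v" as "Hash Algorithm".
$certAlg = if ($sig.SignerCertificate) {
    $sig.SignerCertificate.SignatureAlgorithm.FriendlyName
} else { '(unsigned)' }
$sha2Update = Get-HotFix -Id $Sha2UpdateKb -ErrorAction SilentlyContinue

[pscustomobject]@{
    Driver              = $DriverPath
    ForceIntegrity      = $forceIntegrity   # must be $true for PsSetCreateProcessNotifyRoutineEx
    SignatureStatus     = $sig.Status
    CertSignatureAlg    = $certAlg          # e.g. sha256RSA needs SHA-2 support on Win7
    Sha2UpdateInstalled = [bool]$sha2Update
}

if ($forceIntegrity -and $certAlg -like 'sha256*' -and -not $sha2Update) {
    Write-Warning ('{0} is /integritycheck-linked with a SHA-2 signature but {1} is ' +
                   'not installed: expect load error 0x80070241 on this host.') -f $DriverPath, $Sha2UpdateKb
}
```

Run it on the Windows 7 host that will load the driver, since Get-HotFix reports the local machine; a driver without the FORCE_INTEGRITY bit will load but PsSetCreateProcessNotifyRoutineEx will still fail, exactly as described above.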