cidlldemo's Issues

Inconsistencies in working with Authenticode signed executables

First of all, thank you very much for this publication!

I couldn't resist playing around with it but I found some inconsistencies/issues/side-effects when using CiValidateFileObject against a custom executable signed with a DigiCert Authenticode certificate:

Issuer

CN = DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
O = DigiCert, Inc.
C = US

Verification

signtool verify appears to be happy:

signtool verify /pa test.exe
File: test.exe
Index  Algorithm  Timestamp
========================================
0      sha1       Authenticode

Successfully verified: test.exe

Test results

Depending on the following OS versions and TESTSIGNING states I got the following results:

OS               TESTSIGNING  Result
Windows 11 22H2  ON           works, can parse various certificate and publisher details
Windows 11 22H2  OFF          fails with ERROR:policy info is empty
Windows 10 22H2  ON           works, can parse various certificate and publisher details
Windows 10 22H2  OFF          fails with STATUS_INVALID_IMAGE_HASH

Anybody seen something similar? Is this function supposed to work with any Authenticode signed file or only on those with the Microsoft "secret sauce" trusted certificate chains?

Thanks & cheers

EDIT: to clarify, I am assuming this function is supposed to work with non-Microsoft-magic files as well; if this assumption is wrong, please rectify it for me.

Does not compile with /SEH

Hi.

Thanks for the effort. The example driver compiles provided /SEH is turned off.

I encountered nothing but horror while trying to get this working in my kernel driver (VS2019 16.11.34). Various errors such as:

unresolved external symbol __CxxFrameHandler4
unresolved external symbol __GSHandlerCheck_EH4

I found out that if you disable C++ exceptions my driver compiled just fine. SEH exceptions are a must in any kernel driver. However, the ApiValidator did not allow the project to be compiled.

The solution:

// Prototype of the undocumented ci.dll export, so it can be resolved at
// runtime instead of being linked against.
typedef NTSTATUS(NTAPI* pCiValidateFileObject)(
    IN _FILE_OBJECT* fileObject, IN int a2, IN int a3,
    OUT PolicyInfo* policyInfoForSigner, OUT PolicyInfo* policyInfoForTimestampingAuthority,
    OUT LARGE_INTEGER* signingTime, OUT BYTE* digestBuffer, IN OUT int* digestSize,
    OUT int* digestIdentifier);

pCiValidateFileObject CiValidateFileObject;

// baseAddress: base of the loaded ci.dll image (obtained elsewhere in the driver).
PVOID pCi = GetExportedRoutine((void*)baseAddress, "CiValidateFileObject", NULL);
if (!pCi)
{
    return STATUS_UNSUCCESSFUL;
}

CiValidateFileObject = (pCiValidateFileObject)pCi;

Here is the output:

00000001 0.00000000 [+] CreateProcess: ParentId: 6372 (explorer.exe) pId: 13396 ??\C:\C#\Console\bin\Debug\net8.0-windows\Console.exe
00000002 0.00002510 [+] ValidateFileUsingCiValidateFileObject
00000003 0.00341210 [+] CiValidateFileObject returned 0xC0000428

"Console.exe" is unsigned. Your solution worked on Windows 11 Pro 22H3. Thanks!

Wrong output data returned by CiCheckSignedFile in Windows 7 7601 x64

Hello, first of all thanks for this awesome research. I'm trying to test this project on Windows 7 7601 x64 using notepad++.exe from the folder ExecutablesForTesting. CiCheckSignedFile returns STATUS_SUCCESS, but the problem is with the policyInfo returned by CiCheckSignedFile: it's wrong. When I open notepad++.exe from the ExecutablesForTesting folder it always fails the range check inside the parsePolicyInfo function; it seems that ptrToCertChainMembers is invalid. How do I fix it?

Functions for signatures in catalogs

I've followed your fantastic writeup and also wrote a function to calculate PE digests for CiCheckSignedFile.
But what do I do when the signature isn't contained within the security directory of the PE (+ VA) but in a catalog file? I suppose I need to use CiVerifyHashInCatalog and CiFindPageHashesInCatalog but I have been unable to find any documentation on those exports.
Could you please give us prototypes for the above mentioned functions?
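The two questions above (an Authenticode check returning STATUS_INVALID_IMAGE_HASH, which is the 0xC0000428 seen in the log of the /SEH issue, and how to tell an embedded signature from one that would have to come from a catalog) both come down to the same two pieces of PE plumbing: the security data directory and the Authenticode digest. The script below is an added example, not code from the cidlldemo project or from any of the issue authors. It locates the certificate table (data directory index 4, whose VirtualAddress is a file offset rather than an RVA) and computes the Authenticode digest following the hashing rules of Microsoft's Windows Authenticode PE Signature Format document: everything is hashed except the CheckSum field, the security directory entry itself and the certificate table, so embedding a signature leaves the digest unchanged while touching a code byte does not. The PE32+ image and WIN_CERTIFICATE blob it runs against are constructed in memory and are not real executables; the function and variable names are the example's own.

```python
"""Added example (not cidlldemo code): find a PE's embedded Authenticode
signature and compute the digest that Code Integrity compares against the
signed content. Hashing rules per Microsoft's Authenticode PE spec."""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data directory index of the certificate table


def pe_layout(image):
    """Return the offsets the Authenticode algorithm must skip or hash."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x20B:        # PE32+: data directories begin at optional header + 112
        dir_base = opt + 112
    elif magic == 0x10B:      # PE32: data directories begin at optional header + 96
        dir_base = opt + 96
    else:
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    secdir_off = dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_size = struct.unpack_from("<II", image, secdir_off)
    sections = []
    for i in range(num_sections):
        entry = opt + size_of_opt + 40 * i          # IMAGE_SECTION_HEADER is 40 bytes
        size_raw, ptr_raw = struct.unpack_from("<II", image, entry + 16)
        sections.append((ptr_raw, size_raw))
    return {
        "checksum_off": opt + 64,                   # CheckSum is at +64 in PE32 and PE32+
        "secdir_off": secdir_off,
        "size_of_headers": struct.unpack_from("<I", image, opt + 60)[0],
        "sections": sections,
        "cert_off": cert_off,                       # file offset of the certificate table
        "cert_size": cert_size,
    }


def embedded_signature(image):
    """WIN_CERTIFICATE blob, or None when the PE carries no embedded signature
    (the case where only a catalog lookup could vouch for the file)."""
    lay = pe_layout(image)
    if lay["cert_size"] == 0:
        return None
    return image[lay["cert_off"]:lay["cert_off"] + lay["cert_size"]]


def authenticode_digest(image, algo="sha256"):
    """Hash the file minus CheckSum, the security directory entry and the
    certificate table, so signing does not alter the digest."""
    lay = pe_layout(image)
    h = hashlib.new(algo)
    h.update(image[:lay["checksum_off"]])
    h.update(image[lay["checksum_off"] + 4:lay["secdir_off"]])
    h.update(image[lay["secdir_off"] + 8:lay["size_of_headers"]])
    hashed = lay["size_of_headers"]
    for ptr, size in sorted(lay["sections"]):      # sections in file order
        h.update(image[ptr:ptr + size])
        hashed += size
    # Any trailing data after the last section is hashed too, minus the cert table.
    cert_start = lay["cert_off"] if lay["cert_size"] else len(image)
    h.update(image[hashed:cert_start])
    h.update(image[cert_start + lay["cert_size"]:])
    return h.hexdigest()


def build_test_image(cert_blob=b""):
    """Constructed minimal PE32+ with one .text section; not a runnable program."""
    align = 0x200
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                     # PE32+ magic
    struct.pack_into("<II", opt, 32, 0x1000, align)           # Section/FileAlignment
    struct.pack_into("<III", opt, 56, 0x2000, align, 0x1234)  # SizeOfImage, SizeOfHeaders, CheckSum
    struct.pack_into("<I", opt, 108, 16)                      # NumberOfRvaAndSizes
    if cert_blob:                                             # certificate table after .text
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         2 * align, len(cert_blob))
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, align, align,
                          0, 0, 0, 0, 0x60000020)
    headers = bytes(dos + b"PE\0\0" + coff + opt + section).ljust(align, b"\0")
    text = bytes(range(256)) * 2                              # 512 bytes of fake code
    return headers + text + cert_blob


def fake_win_certificate():
    """Constructed WIN_CERTIFICATE (revision 2.0, PKCS#7 type) with placeholder content."""
    payload = b"placeholder PKCS#7 SignedData".ljust(32, b"\0")
    return struct.pack("<IHH", 8 + len(payload), 0x0200, 0x0002) + payload


if __name__ == "__main__":
    image = build_test_image(fake_win_certificate())
    print("embedded signature present:", embedded_signature(image) is not None)
    print("authenticode sha256:", authenticode_digest(image))
```

Run against a real signed binary, `embedded_signature` returning None is the signal that the verifier must fall through to catalog matching, and a digest that differs from the one inside the signed PKCS#7 content is exactly the condition reported as STATUS_INVALID_IMAGE_HASH; the digest of a file signed with SHA-1 (as the signtool output above shows) is computed the same way with `algo="sha1"`.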
