ido-moshe-github / cidlldemo
Use ci.dll API for validating Authenticode signature of files
License: MIT License
First of all, thank you very much for this publication!
I couldn't resist playing around with it, but I found some inconsistencies/issues/side-effects when using CiValidateFileObject against a custom executable signed with a DigiCert Authenticode certificate:
CN = DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
O = DigiCert, Inc.
C = US
signtool verify appears to be happy:
signtool verify /pa test.exe
File: test.exe
Index Algorithm Timestamp
========================================
0 sha1 Authenticode
Successfully verified: test.exe
Depending on the following OS versions and TESTSIGNING states I got the following results:
| OS | TESTSIGNING | Result |
|---|---|---|
| Windows 11 22H2 | ON | works, can parse various certificate and publisher details |
| Windows 11 22H2 | OFF | fails with ERROR:policy info is empty |
| Windows 10 22H2 | ON | works, can parse various certificate and publisher details |
| Windows 10 22H2 | OFF | fails with STATUS_INVALID_IMAGE_HASH |
Anybody seen something similar? Is this function supposed to work with any Authenticode signed file or only on those with the Microsoft "secret sauce" trusted certificate chains?
Thanks & cheers
EDIT: to clarify, I am assuming this function is supposed to work with non-Microsoft-magic files as well; if this assumption is wrong, please rectify it for me.
Hi.
Thanks for the effort. The example driver compiles provided /SEH is turned off.
I encountered nothing but horror while trying to get this working in my kernel driver (VS2019 16.11.34). Various errors such as
unresolved external symbol __CxxFrameHandler4
unresolved external symbol __GSHandlerCheck_EH4
I found out that if you disable C++ exceptions, my driver compiles just fine. SEH exceptions are a must in any kernel driver. However, the ApiValidator did not allow the project to be compiled.
The solution:
    // Function-pointer type matching the CiValidateFileObject export (prototype as documented in this project).
    typedef NTSTATUS(NTAPI* pCiValidateFileObject)(IN _FILE_OBJECT* fileObject, IN int a2, IN int a3,
        OUT PolicyInfo* policyInfoForSigner, OUT PolicyInfo* policyInfoForTimestampingAuthority,
        OUT LARGE_INTEGER* signingTime, OUT BYTE* digestBuffer, IN OUT int* digestSize, OUT int* digestIdentifier);
    pCiValidateFileObject CiValidateFileObject;

    // Resolve the export at runtime from the loaded ci.dll image (baseAddress) instead of
    // importing it statically, so ApiValidator has no import to object to.
    PVOID pCi = GetExportedRoutine((void*)baseAddress, "CiValidateFileObject", NULL);
    if (!pCi)
    {
        return STATUS_UNSUCCESSFUL;  // export not present in this ci.dll
    }
    CiValidateFileObject = (pCiValidateFileObject)pCi;
Here is the output:
00000001 0.00000000 [+] CreateProcess: ParentId: 6372 (explorer.exe) pId: 13396 ??\C:\C#\Console\bin\Debug\net8.0-windows\Console.exe
00000002 0.00002510 [+] ValidateFileUsingCiValidateFileObject
00000003 0.00341210 [+] CiValidateFileObject returned 0xC0000428
"Console.exe" is unsigned. Your solution worked on Windows 11 Pro 22H3. Thanks!
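An added example (mine, not the project's GetExportedRoutine) of what a by-name export lookup like the one in the post above does: it reads the PE export directory and walks its name, ordinal and function tables. The image here is a constructed in-memory stand-in for a mapped ci.dll, and the export directory RVA of 0 and the function RVAs 0x1000/0x2000 are assumptions; a real resolver first takes the export directory RVA from the optional header's data directory.

```c
#include <stdint.h>
#include <string.h>

/* IMAGE_EXPORT_DIRECTORY with the same field order as winnt.h; every Address* field is an RVA. */
typedef struct {
    uint32_t Characteristics, TimeDateStamp;
    uint16_t MajorVersion, MinorVersion;
    uint32_t Name, Base, NumberOfFunctions, NumberOfNames;
    uint32_t AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals;
} ExportDir;

/* Resolve an export by name: scan the name table, map the hit through the ordinal
   table into the function table, and return that function's RVA (0 = not found). */
uint32_t find_export_rva(const uint8_t *image, uint32_t export_dir_rva, const char *name)
{
    ExportDir ed;
    memcpy(&ed, image + export_dir_rva, sizeof ed);
    for (uint32_t i = 0; i < ed.NumberOfNames; i++) {
        uint32_t name_rva, func_rva; uint16_t ord;
        memcpy(&name_rva, image + ed.AddressOfNames + 4 * i, 4);
        if (strcmp((const char *)(image + name_rva), name) != 0)
            continue;
        memcpy(&ord, image + ed.AddressOfNameOrdinals + 2 * i, 2);
        if (ord >= ed.NumberOfFunctions)
            return 0;   /* malformed table: refuse rather than read past it */
        memcpy(&func_rva, image + ed.AddressOfFunctions + 4 * ord, 4);
        return func_rva;
    }
    return 0;
}

/* Constructed stand-in for a mapped ci.dll (not a real image): an export directory at RVA 0
   with two names, CiValidateFileObject at RVA 0x1000 and CiCheckSignedFile at RVA 0x2000. */
uint32_t resolve_sample(const char *name)
{
    uint8_t img[160] = {0};
    ExportDir ed = {0};
    uint32_t funcs[2] = {0x1000, 0x2000};  /* indexed by ordinal */
    uint32_t names[2] = {96, 120};          /* RVAs of the name strings, sorted as the PE spec requires */
    uint16_t ords[2]  = {1, 0};             /* CiCheckSignedFile -> ordinal 1, CiValidateFileObject -> ordinal 0 */
    ed.NumberOfFunctions = 2; ed.NumberOfNames = 2;
    ed.AddressOfFunctions = 64; ed.AddressOfNames = 80; ed.AddressOfNameOrdinals = 88;
    memcpy(img, &ed, sizeof ed);
    memcpy(img + 64, funcs, sizeof funcs);
    memcpy(img + 80, names, sizeof names);
    memcpy(img + 88, ords, sizeof ords);
    strcpy((char *)img + 96, "CiCheckSignedFile");
    strcpy((char *)img + 120, "CiValidateFileObject");
    return find_export_rva(img, 0, name);
}
```

The ordinal bounds check matters in a driver: a truncated or hostile image must make the lookup fail, not read outside the table.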
Hello, first of all thanks for this awesome research. I'm trying to test this project on Windows 7 7601 x64 using notepad++.exe from the folder ExecutablesForTesting. CiCheckSignedFile returns STATUS_SUCCESS, but the problem is with the policyInfo returned by CiCheckSignedFile: it's wrong. When I open notepad++.exe from the ExecutablesForTesting folder, it always fails the range check inside the parsePolicyInfo function; it seems that ptrToCertChainMembers is invalid. How do I fix it?
I've followed your fantastic writeup and also wrote a function to calculate PE digests for CiCheckSignedFile.
But what do I do when the signature isn't contained within the security directory of the PE (+ VA) but in a catalog file? I suppose I need to use CiVerifyHashInCatalog and CiFindPageHashesInCatalog but I have been unable to find any documentation on those exports.
Could you please give us prototypes for the above mentioned functions?