Tuesday, February 1, 2011

Signing your driver

Here I'm going to discuss how to sign your (awesome) driver.

You could just go to MSDN and download the .DOC file that describes how to do it, but it may take a while before you can actually get it to work. Also, the document was written a while ago and some of the steps are a little out of date.

So, to make it a bit easier, I am going to give a sequence of commands to run in order to sign your stuff.

All of the following is executed from:

/Projects/Sandbox/Manu/mydriver/

--- Creating the self cert ---
makecert -pe -ss PrivateCertStore -n CN=mycompany.com -r mycompany.cer

--- Add the cert to trusted root ---
certmgr.exe /add mycompany.cer /s /r localMachine root

--- Create the CAT file ---
inf2cat /v /driver:c:\projects\Sandbox\Manu\mydriver /os:7_X86

--- Sign the cat file ---
signtool sign /v /s PrivateCertStore /n mycompany.com /t "http://timestamp.verisign.com/scripts/timstamp.dll" mydriver.cat

--- Verify the signature and all ---
signtool verify /pa /v /c mydriver.cat mydriver.inf

--- Sign the driver in case the above doesn't work ---
signtool sign /v /s PrivateCertStore /n mycompany.com /t "http://timestamp.verisign.com/scripts/timstamp.dll" chk_win7_x86\i386\mydriver.sys

Each of those commands is a single line, even where the page wraps them.
The last command signs the driver (.sys) itself; resort to it only if the rest does not work. Normally you create the self certificate, then create a catalog file that the .inf refers to, and sign the catalog. That means you don't have to sign the driver itself.
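The sequence above, wrapped in a script that stops at the first failing step. This is an added example, not code from the original post: the directory, the CN (mycompany.com), the store name (PrivateCertStore) and the file names are assumptions copied from the commands above, the tools (makecert, certmgr.exe, inf2cat, signtool) are assumed to be on the PATH as they are in a WDK build prompt, and the script is assumed to run from an elevated prompt because certmgr writes to the machine's root store. The two checks at the end (the Cert: drive lookup and the bcdedit test-signing warning) go beyond the post; the bcdedit check assumes English-language output.

```powershell
# Added example (not from the original post): the signing sequence with exit-code checks.
$ErrorActionPreference = 'Stop'

$DriverDir = 'C:\Projects\Sandbox\Manu\mydriver'   # assumption: the directory used in the post
$CertName  = 'mycompany.com'                       # assumption: the CN used in the post
$StoreName = 'PrivateCertStore'                    # assumption: the store used in the post
$CerFile   = Join-Path $DriverDir 'mycompany.cer'
$CatFile   = Join-Path $DriverDir 'mydriver.cat'
$InfFile   = Join-Path $DriverDir 'mydriver.inf'
$Timestamp = 'http://timestamp.verisign.com/scripts/timstamp.dll'

# Run one external tool and fail loudly if it returns a non-zero exit code.
function Invoke-Step {
    param([string]$Description, [string]$Exe, [string[]]$Arguments)
    Write-Host "--- $Description ---"
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe exited with code $LASTEXITCODE during: $Description"
    }
}

Set-Location $DriverDir

# 1. Create the self cert only once; re-running makecert would create a second key pair
#    and the root-store entry from step 2 would no longer match the signing key.
if (-not (Test-Path $CerFile)) {
    Invoke-Step 'Creating the self cert' 'makecert' @('-pe', '-ss', $StoreName, '-n', "CN=$CertName", '-r', $CerFile)
}

# 2. Add the cert to the machine's trusted root store (needs an elevated prompt).
Invoke-Step 'Add the cert to trusted root' 'certmgr.exe' @('/add', $CerFile, '/s', '/r', 'localMachine', 'root')

# 3. Create the catalog file that the .inf refers to.
Invoke-Step 'Create the CAT file' 'inf2cat' @('/v', "/driver:$DriverDir", '/os:7_X86')

# 4. Sign the catalog with a timestamp so the signature stays valid after the cert expires.
Invoke-Step 'Sign the cat file' 'signtool' @('sign', '/v', '/s', $StoreName, '/n', $CertName, '/t', $Timestamp, $CatFile)

# 5. Verify that the catalog covers the .inf and chains to a trusted root.
Invoke-Step 'Verify the signature' 'signtool' @('verify', '/pa', '/v', '/c', $CatFile, $InfFile)

# Extra check (not in the post): the /pa verification above only chains if the self cert
# really landed in LocalMachine\Root, so confirm it through the Cert: drive.
$trusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq "CN=$CertName" }
if (-not $trusted) {
    throw "CN=$CertName is not in LocalMachine\Root; the verification would not chain on a clean machine."
}

# Extra check (not in the post): a self cert is only honoured when the OS is booted in
# test mode, so warn if testsigning is off. Assumes English bcdedit output.
$bcd = bcdedit /enum '{current}' 2>$null
if (-not ($bcd -match 'testsigning\s+Yes')) {
    Write-Warning 'testsigning is not enabled on the current boot entry; the self-signed catalog will be rejected at install time.'
}

Write-Host "Signed and verified: $CatFile (cert thumbprint $($trusted.Thumbprint))"
```

Run it once per build from an elevated WDK prompt; the `Test-Path` guard around makecert keeps later runs from silently switching to a new key that the root store has never seen, which is the most common reason the verify step fails after it had worked before.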

The reason you don't want to sign the driver is that when you are debugging it, all you need to do is copy it into your folder, then right-click the .inf and select the 'Install' option, which verifies the signature and copies the .sys into the proper location.

This is required when developing drivers for 64-bit Windows. Also, the OS should be booted in test mode for the self cert to work. You could also leave the driver unsigned and boot Windows with the ignore option, but then some APIs will no longer be available to you (for instance PsSetCreateProcessNotifyRoutineEx).

I have used that with DDK version 7600.16385.1.
I can't guarantee that it will work with previous ones or even later releases, but you can always experiment.
