How to sign your own modded drivers

[Ferather]

For those interested in making their own drivers, for any reason, and would like to sign it, allowing them to share it with others.

----

Step 1:

You can create a self-signed Code Signing certificate without using third-party tools by using the PowerShell 5.0 cmdlet – New-SelfSifgnedCertificate:

$Cert = New-SelfSignedCertificate -Subject "SIGNERNAME” -Type CodeSigningCert -CertStoreLocation cert:\LocalMachine\My


Then you need to export this certificate to the pfx file with the password:

$CertPassword = ConvertTo-SecureString -String “P@ssw0rd” -Force –AsPlainText
Export-PfxCertificate -Cert $Cert -FilePath C:\DriverCert\NAME.pfx -Password $CertPassword

----

Step 2:

Download WoSignCode, and its operation manual (its very easy to use), you only need the 'Code Signing' and 'CAB/CAT' options, and internet.
You will need to make a basic powershell and command prompt batch file, and modded shortcut (example here).

Note: The tool requires internet connect for timestamps and file virus scanning.

Now .7z .zip, .rar your signed worked and share!

 

[Solaris17]

What is the example? Its just some audio installer on mega upload.

 

[Ferather]

The install shortcut and batch file. Self elevated with non admin functionality, double click install. No installer method, using official Microsoft commands.



This method allows receivers to can scan the files freely, not hidden behind installers, or password bypasses (.zip).

 

[Solaris17]

@echo

"%CD%\BIN\elevate" powershell Import-PfxCertificate -FilePath '%CD%\BIN\signed.pfx' -Password (ConvertTo-SecureString -String 'P@ss0wrd' -AsPlainText -Force) -CertStoreLocation Cert:\LocalMachine\Root

timeout 6

"%CD%\BIN\elevate" pnputil -i -a "%CD%\WIN10\*.inf"

exit

for those that don't want to download the drivers.

You should also be able to forego the elevate.exe and simply have the batch self elevate like so:

@echo off

:: Self execute as admin by creating a VBS that calls myself.
SETLOCAL EnableDelayedExpansion
for /F "tokens=1,2 delims=#" %%a in ('"prompt #$H#$E# & Echo on & for %%b in (1) do     rem"') do (
  set "DEL=%%a"
)
cls

:checkPrivileges
NET FILE 1>NUL 2>NUL
if '%errorlevel%' == '0' ( goto main) else ( goto getPrivileges )

:getPrivileges
if '%1'=='ELEV' (shift & goto main)                              
for /f "delims=: tokens=*" %%A in ('findstr /b ::- "%~f0"') do @Echo(%%A
setlocal DisableDelayedExpansion
set "batchPath=%~0"
setlocal EnableDelayedExpansion
Echo Set UAC = CreateObject^("Shell.Application"^) > "%temp%\OEgetPrivileges.vbs"
Echo UAC.ShellExecute "!batchPath!", "ELEV", "", "runas", 1 >> "%temp%\OEgetPrivileges.vbs"
"%temp%\OEgetPrivileges.vbs"
exit /B
echo.

:main
powershell Import-PfxCertificate -FilePath '%CD%\BIN\signed.pfx' -Password (ConvertTo-SecureString -String 'P@ss0wrd' -AsPlainText -Force) -CertStoreLocation Cert:\LocalMachine\Root

timeout 6

pnputil -i -a "%CD%\WIN10\*.inf"

exit

 

[Ferather]

Was being lazy. Thank you.

 

[hans_glans]

Would this work for modified kernel drivers on >=1709 to avoid testsigning mode?

 

[Ferather]

Yes, I still use it to sign drivers and files, you can even sign third party files (such as .exe), with your certificate, if they are not already signed.
If you intend to share the driver and-or files, you will need to install your certificate on the machine before anything else.

Once your certificate is installed on the machine, it will work in every way, as much as Microsoft signed files.

certutil -f -p "ThePassword" -importpfx -v trustedpublisher "location-to\signed.pfx"

----

SignTool.exe (Sign Tool) - .NET Framework

Learn about SignTool.exe, the Sign Tool. This command-line tool digitally signs files, verifies signatures in files, and applies timestamps to files.

docs.microsoft.com

How do I dual sign a file?

The quick and easy way is to use the new kSign 3 utility ! For more information - click here to read the kSign article. Dual signing attaches both a SHA1 and a SHA256 signature in to a PE format file. PE format files are .EXE .DLL .OC...

support.ksoftware.net

====

Signing Tools

MediaFire is a simple to use free service that lets you put all your photos, documents, music, and video in a single place so you can access them anywhere and share them everywhere.

www.mediafire.com

 

[AAF Optimus]

Would this work for modified kernel drivers on >=1709 to avoid testsigning mode?

No, because Microsoft implemented their well-known root certificates directly in the EFI and Legacy boot binaries and configured policies that result in the WHQL and ELAM signing programs, for example.

 

[hans_glans]

Any way to circumvent this or somehow self-sign kernel drivers in a different way?

 

[AAF Optimus]

Any way to circumvent this or somehow self-sign kernel drivers in a different way?

I am not aware of any alternative method other than WHQL.

 

[hans_glans]

Why is this method for example not sufficient?

 

[AAF Optimus]

Why is this method for example not sufficient?

Microsoft seems to have made it irrelevant. Or it is only valid for driver packages whose catalogs are signed with an unrecognized, expired certificate, or one that is not present in the Windows certificate database.

 

[Ferather]

It would depend on if he simply wants to sign a driver .inf and add a catalogue, then the posted method and tools are correct.
They will also sign .exe, .dll's and so on, as far as .sys files, they indeed need to be WHQL signed.

For example, I can write a driver .inf, modify the .exe and .dll, and sign them, no issues.
If I remove and replace the .sys signature, I will get a WHQL warning.

----

If the .exe's and .dll's and even .sys files are already signed, and recent enough, its the .inf compilation that needs to pass.
Lets say I downloaded a nomal Realtek driver, and simply added one letter to the .inf, its no longer valid.

----

Another example, if I took an admin app, that opens a yellow admin warning, with un-trusted publisher at the bottom.
If I create and install a certificate, then sign the apps .exe with it, it will now be blue, with trusted publisher.

----

If he was byte patching with something like IDA Pro, then the file signature remains untouched, and still fully valid.
If he was creating his own .sys file (not patching), it will need to be signed with a WHQL certificate.

The rest, not so much.

 

[hans_glans]

Yes it's a .sys file I need to modify. IDA Pro byte patching sounds promising then.

I actually used IDA free so far but am really new to it, is byte patching not available there?

 

[St1cky]

If he was byte patching with something like IDA Pro, then the file signature remains untouched, and still fully valid.
If he was creating his own .sys file (not patching), it will need to be signed with a WHQL certificate.

How can the signature still be valid after patching with IDA, doesn't make any sense to me. Because the checksum/hash of the file changes and the signature is therefore invalid?

 

[DeathtoGnomes]

View attachment 254394
Why is this method for example not sufficient?

That, is a security risk, keep it on warning, its only 1 extra click to avoid some virus.

 

[W1zzard]

If he was byte patching with something like IDA Pro, then the file signature remains untouched, and still fully valid.

Not true

How can the signature still be valid after patching with IDA, doesn't make any sense to me. Because the checksum/hash of the file changes and the signature is therefore invalid?

Correct

 

[Ferather]

I will explain using 'resource hacker' because its easier, lets say the file is a Realtek APO .dll file, if I right click > properties, I can see a signed file.

Now I open it with resource hacker, and edit, one letter or number, or change the file version, then apply, its still signed.
If I was to edit, the table or in some cases remove-rename entries, and save it, it will be unsigned.

The unsigned version, will still have a certificate embedded, and will fail any unsign-resign attempt.