Title: An Introduction to Windows File Signatures
Authors: bluerust zyh scz
Created: 2017-03-17 22:51
Updated: 2023-02-26 11:31
Link: https://scz.617.cn/windows/201703172251.txt

--------------------------------------------------------------------------

Contents:

☆ Signing methods
☆ How to check a signature
    1) signtool.exe
    2) sigcheck.exe
☆ Windows Policies
☆ Install warnings from the Xiaomi flash tool (MiFlash)
☆ Notes from some discussions
☆ Signing a PE with an expired certificate
☆ References

--------------------------------------------------------------------------

☆ Signing methods

According to [1], a Windows file can be signed in one of two ways:

--------------------------------------------------------------------------
a) Embedded in the PE file itself

   adding a digital signature to the PE file (embedded digital signature)

b) The file's hash is stored in a catalog file

   adding a hash of the file to a security catalog file (filetype .cat)
--------------------------------------------------------------------------

With the first method, right-clicking the PE file and opening Properties shows
a "Digital Signatures" tab; Windows patch files and "boot-start drivers", for
example, are signed this way. With the second method there is no such tab.

The first method only applies to PE files; the second applies to any kind of
file, inf files for example.

When tools such as signtool.exe and sigcheck.exe check a signature, they walk
the cat files under the system directory %systemroot%\system32\catroot\ to
look up the file's hash.

There is another directory, %systemroot%\system32\catroot2\, whose purpose is
not the same as catroot's; see [2]:

--------------------------------------------------------------------------
catroot and catroot2 are Windows operating system folders that are required
for the Windows Update process. When you run Windows Update, the catroot2
folder stores the signatures of the Windows Update package and helps in its
installation.
--------------------------------------------------------------------------

☆ How to check a signature

1) signtool.exe

This tool ships with the Windows SDK; if Visual Studio is installed you
usually have it already.

--------------------------------------------------------------------------
$ signtool.exe /?

Usage: signtool <command> [options]

        Valid commands:
                sign      --  Sign files using an embedded signature.
                timestamp --  Timestamp previously-signed files.
                verify    --  Verify embedded or catalog signatures.
                catdb     --  Modify a catalog database.

For help on a specific command, enter "signtool <command> /?"
--------------------------------------------------------------------------

$ signtool.exe verify /?
Usage: signtool verify [options]

Use the "verify" command to verify embedded or catalog signatures.
Verification determines if the signing certificate was issued by a trusted
party, whether that certificate has been revoked, and whether the certificate
is valid under a specific policy. Options allow you to specify requirements
that must be met and to specify how to find the catalog, if appropriate.
Catalogs are used by Microsoft and others to sign many files very efficiently.

Catalog options:
    /a      Automatically attempt to verify the file using all methods.
            First search for a catalog using all catalog databases. If the
            file is not signed in any catalog, attempt to verify the
            embedded signature. When verifying files that may or may not be
            signed in a catalog, such as Windows files and drivers, this
            option is the easiest way to ensure that the signature is found.
    /ad     Find the catalog automatically using the default catalog
            database.
    /as     Find the catalog automatically using the system component
            (driver) catalog database.
    /ag     Find the catalog automatically in the specified catalog
            database. Catalog databases are identified by GUID.
            Example GUID: {F750E6C3-38EE-11D1-85E5-00C04FC295EE}
    /c      Specify the catalog file.
    /o      When verifying a file that is in a signed catalog, verify that
            the file is valid for the specified platform.
            Parameter format is: PlatformID:VerMajor.VerMinor.BuildNumber

SignTool uses the "Windows Driver" Verification Policy by default. The
options below allow you to use alternate Policies.

Verification Policy options:
    /pa     Use the "Default Authenticode" Verification Policy.
    /pg     Specify the verification policy by GUID (also called ActionID).

Signature requirement options:
    /r      Specify the Subject Name of a Root cert that the signing cert
            must chain to.
    /tw     Generate a Warning if the signature is not timestamped.

Other options:
    /kp     Perform the verification with the kernel-mode driver signing
            policy.
    /q      No output on success and minimal output on failure. As always,
            SignTool returns 0 on success, 1 on failure, and 2 on warning.
    /v      Print verbose success and status messages. This may also
            provide slightly more information on error. If you want to see
            information about the signer, you should use this option.
    /ph     Print and verify page hash values.
    /d      Print Description and Description URL.
--------------------------------------------------------------------------

Typical usage:

--------------------------------------------------------------------------
$ signtool.exe verify /a /kp /v /ph /d %systemroot%\system32\drivers\acpi.sys

Verifying: C:\Windows\system32\drivers\acpi.sys
File is signed in catalog: C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Common-Drivers-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.cat
Hash of file (sha1): 189FCAC26B3B7351E3A6830BF0DE5DA7FDC523F2

Signing Certificate Chain:
    Issued to: Microsoft Root Certificate Authority
    Issued by: Microsoft Root Certificate Authority
    Expires:   Mon May 10 07:28:13 2021
    SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072

        Issued to: Microsoft Windows Verification PCA
        Issued by: Microsoft Root Certificate Authority
        Expires:   Wed Mar 16 06:05:41 2016
        SHA1 hash: 5DF0D7571B0780783960C68B78571FFD7EDAF021

            Issued to: Microsoft Windows
            Issued by: Microsoft Windows Verification PCA
            Expires:   Tue Mar 08 05:57:40 2011
            SHA1 hash: 02ECEEA9D5E0A9F3E39B6F4EC3F7131ED4E352C4

The signature is timestamped: Sun Nov 21 03:37:07 2010
Timestamp Verified by:
    Issued to: Microsoft Root Certificate Authority
    Issued by: Microsoft Root Certificate Authority
    Expires:   Mon May 10 07:28:13 2021
    SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072

        Issued to: Microsoft Time-Stamp PCA
        Issued by: Microsoft Root Certificate Authority
        Expires:   Sat Apr 03 21:03:09 2021
        SHA1 hash: 375FCB825C3DC3752A02E34EB70993B4997191EF

            Issued to: Microsoft Time-Stamp Service
            Issued by: Microsoft Time-Stamp PCA
            Expires:   Tue Jul 26 03:23:45 2011
            SHA1 hash: 7CB0244C7CEC5283E7EFDADF5CCC58772DD67F42

Cross Certificate Chain:
    Issued to: Microsoft Root Certificate Authority
    Issued by: Microsoft Root Certificate Authority
    Expires:   Mon May 10 07:28:13 2021
    SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072

        Issued to: Microsoft Windows Verification PCA
        Issued by: Microsoft Root Certificate Authority
        Expires:   Wed Mar 16 06:05:41 2016
        SHA1 hash: 5DF0D7571B0780783960C68B78571FFD7EDAF021

            Issued to: Microsoft Windows
            Issued by: Microsoft Windows Verification PCA
            Expires:   Tue Mar 08 05:57:40 2011
            SHA1 hash: 02ECEEA9D5E0A9F3E39B6F4EC3F7131ED4E352C4

Description: Microsoft Windows
Description URL: http://www.microsoft.com

Successfully verified: C:\Windows\system32\drivers\acpi.sys

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
--------------------------------------------------------------------------

The tool reports the SHA1 of acpi.sys as "189FCAC26B3B7351E3A6830BF0DE5DA7FDC523F2".
Where does that value come from? Computing the SHA1 of the file by hand gives
"54fb26c69829d3f1d0774d4e608327ffefa34d76".

--------------------------------------------------------------------------
$ signtool.exe verify /a /pa /v /ph /d %systemroot%\system32\ntdll.dll

Verifying: C:\Windows\system32\ntdll.dll
File is signed in catalog: C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_178_for_KB4012215~31bf3856ad364e35~amd64~~6.1.1.2.cat
Hash of file (sha1): CB06E72F615B4CC217433B1A5A61256FDD806BC8

Signing Certificate Chain:
    Issued to: Microsoft Root Certificate Authority
    Issued by: Microsoft Root Certificate Authority
    Expires:   Mon May 10 07:28:13 2021
    SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072

        Issued to: Microsoft Windows Verification PCA
        Issued by: Microsoft Root Certificate Authority
        Expires:   Mon May 10 07:28:13 2021
        SHA1 hash: A5EEF4E193075BD3C271793C950729360059593A

            Issued to: Microsoft Windows
            Issued by: Microsoft Windows Verification PCA
            Expires:   Tue May 23 02:12:21 2017
            SHA1 hash: 2297004E2D61F9F0F40B7651E57E6D6A69D9678A

The signature is timestamped: Sun Mar 05 14:50:33 2017
Timestamp Verified by:
    Issued to: Microsoft Root Certificate Authority
    Issued by: Microsoft Root Certificate Authority
    Expires:   Mon May 10 07:28:13 2021
    SHA1 hash: CDD4EEAE6000AC7F40C3802C171E30148030C072

        Issued to: Microsoft Time-Stamp PCA
        Issued by: Microsoft Root Certificate Authority
        Expires:   Sat Apr 03 21:03:09 2021
        SHA1 hash: 375FCB825C3DC3752A02E34EB70993B4997191EF

            Issued to: Microsoft Time-Stamp Service
            Issued by: Microsoft Time-Stamp PCA
            Expires:   Sat Sep 08 01:58:53 2018
            SHA1 hash: 1A6BFE1180E89B963BA4C6A64BF3604DBDB9EE84

Embedded page hashes:
    0x00000000 142FB5EAD998ADB93BBFAB3BA27FCD62DEFDC8EC
    0x00000400 D2193ED570DACD6DF3B0C92DF18607BC19F9FBB5
    ...
    0x001a2800 1A97E76EE0123939F51673F980D0FCCCD99B671A
    0x001a2e00 0000000000000000000000000000000000000000

Description: Windows Express Security Catalogs
Description URL: http://www.microsoft.com

Successfully verified: C:\Windows\system32\ntdll.dll

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0
--------------------------------------------------------------------------

Again, I don't know where "CB06E72F615B4CC217433B1A5A61256FDD806BC8" comes
from; I did not dig further at this point.

2) sigcheck.exe

sigcheck.exe is a Sysinternals tool; its drawback is that newer versions no
longer support Windows XP.

--------------------------------------------------------------------------
$ sigcheck.exe

Sigcheck v2.54 - File version and signature viewer
Copyright (C) 2004-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

usage: sigcheck.exe [-a][-h][-i][-e][-l][-n][[-s]|[-c|-ct]|[-m]][-q][-r][-u][-vt][-v[r][s]][-f catalog file]
usage: sigcheck.exe -d [-c|-ct]
usage: sigcheck.exe -o [-vt][-v[r]]
usage: sigcheck.exe -t[u][v] [-i] [-c|-ct]

-a        Show extended version information. The entropy measure reported
          is the bits per byte of information of the file's contents.
-c        CSV output with comma delimiter
-ct       CSV output with tab delimiter
          Specify -nobanner to avoid banner being output to CSV
-d        Dump contents of a catalog file
-e        Scan executable images only (regardless of their extension)
-f        Look for signature in the specified catalog file
-h        Show file hashes
-i        Show catalog name and signing chain
-l        Traverse symbolic links and directory junctions
-m        Dump manifest
-n        Only show file version number
-o        Performs Virus Total lookups of hashes captured in a CSV file
          previously captured by Sighcheck when using the -h option. This
          usage is intended for scans of offline systems.
-r        Disable check for certificate revocation
-s        Recurse subdirectories
-t[u][v]  Dump contents of specified certificate store ('*' for all stores).
          Specify -tu to query the user store (machine store is the
          default). Append '-v' to have Sigcheck download the trusted
          Microsoft root certificate list and only output valid
          certificates not rooted to a certificate on that list. If the
          site is not accessible, authrootstl.cab or authroot.stl in the
          current directory are used instead, if present.
-u        If VirusTotal check is enabled, show files that are unknown by
          VirusTotal or have non-zero detection, otherwise show only
          unsigned files.
-v[rs]    Query VirusTotal (www.virustotal.com) for malware based on file
          hash. Add 'r' to open reports for files with non-zero detection.
          Files reported as not previously scanned will be uploaded to
          VirusTotal if the 's' option is specified. Note scan results may
          not be available for five or more minutes.
-vt       Before using VirusTotal features, you must accept VirusTotal
          terms of service. See:
          https://www.virustotal.com/en/about/terms-of-service/
          If you haven't accepted the terms and you omit this option, you
          will be interactively prompted.
-nobanner Do not display the startup banner and copyright message.
--------------------------------------------------------------------------

Typical usage:

--------------------------------------------------------------------------
$ sigcheck.exe -e -h -i %systemroot%\system32\drivers\acpi.sys

Sigcheck v2.54 - File version and signature viewer
Copyright (C) 2004-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\windows\system32\drivers\acpi.sys:
        Verified:       Signed
        Link date:      17:19 2010/11/20
        Signing date:   21:32 2010/11/20
        Catalog:        c:\windows\system32\drivers\acpi.sys
        Signers:
           Microsoft Windows
                Cert Status:    This certificate or one of the certificates in the certificate chain is not time valid.
                Valid Usage:    Code Signing, NT5 Crypto
                Cert Issuer:    Microsoft Windows Verification PCA
                Serial Number:  61 15 23 0F 00 00 00 00 00 0A
                Thumbprint:     02ECEEA9D5E0A9F3E39B6F4EC3F7131ED4E352C4
                Algorithm:      sha1RSA
                Valid from:     5:57 2009/12/8
                Valid to:       5:57 2011/3/8
           Microsoft Windows Verification PCA
                Cert Status:    This certificate or one of the certificates in the certificate chain is not time valid.
                Valid Usage:    Code Signing, NT5 Crypto
                Cert Issuer:    Microsoft Root Certificate Authority
                Serial Number:  61 07 02 DC 00 00 00 00 00 0B
                Thumbprint:     5DF0D7571B0780783960C68B78571FFD7EDAF021
                Algorithm:      sha1RSA
                Valid from:     5:55 2005/9/16
                Valid to:       6:05 2016/3/16
           Microsoft Root Certificate Authority
                Cert Status:    Valid
                Valid Usage:    All
                Cert Issuer:    Microsoft Root Certificate Authority
                Serial Number:  79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
                Thumbprint:     CDD4EEAE6000AC7F40C3802C171E30148030C072
                Algorithm:      sha1RSA
                Valid from:     7:19 2001/5/10
                Valid to:       7:28 2021/5/10
        Counter Signers:
           Microsoft Time-Stamp Service
                Cert Status:    This certificate or one of the certificates in the certificate chain is not time valid.
                Valid Usage:    Timestamp Signing
                Cert Issuer:    Microsoft Time-Stamp PCA
                Serial Number:  61 03 DC F6 00 00 00 00 00 0C
                Thumbprint:     56E832A33DDC8CF2C916DA7CBB1175CBACABAE2C
                Algorithm:      sha1RSA
                Valid from:     3:12 2008/7/26
                Valid to:       3:22 2011/7/26
           Microsoft Time-Stamp PCA
                Cert Status:    Valid
                Valid Usage:    Timestamp Signing
                Cert Issuer:    Microsoft Root Certificate Authority
                Serial Number:  61 16 68 34 00 00 00 00 00 1C
                Thumbprint:     375FCB825C3DC3752A02E34EB70993B4997191EF
                Algorithm:      sha1RSA
                Valid from:     20:53 2007/4/3
                Valid to:       21:03 2021/4/3
           Microsoft Root Certificate Authority
                Cert Status:    Valid
                Valid Usage:    All
                Cert Issuer:    Microsoft Root Certificate Authority
                Serial Number:  79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
                Thumbprint:     CDD4EEAE6000AC7F40C3802C171E30148030C072
                Algorithm:      sha1RSA
                Valid from:     7:19 2001/5/10
                Valid to:       7:28 2021/5/10
        Company:        Microsoft Corporation
        Description:    ACPI Driver for NT
        Product:        Microsoft® Windows® Operating System
        Prod version:   6.1.7601.17514
        File version:   6.1.7601.17514 (win7sp1_rtm.101119-1850)
        MachineType:    64-bit
        MD5:    D81D9E70B8A6DD14D42D7B4EFA65D5F2
        SHA1:   54FB26C69829D3F1D0774D4E608327FFEFA34D76
        PESHA1: 189FCAC26B3B7351E3A6830BF0DE5DA7FDC523F2
        PE256:  98ABEDD5DBE7CDB12EE75B151E6E9181377E091B3577D628892E1D02E2D7EC08
        SHA256: FDAAB7E23012B4D31537C5BDEF245BB0A12FA060A072C250E21C68E18B22E002
        IMP:    59C0C982EE3E674A58BF16BEFC1F212C
--------------------------------------------------------------------------

--------------------------------------------------------------------------
$ sigcheck.exe -e -h -i %systemroot%\system32\ntdll.dll

Sigcheck v2.54 - File version and signature viewer
Copyright (C) 2004-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\windows\system32\ntdll.dll:
        Verified:       Signed
        Link date:      0:33 2017/2/10
        Signing date:   0:32 2017/2/10
        Catalog:        c:\windows\system32\ntdll.dll
        Signers:
           Microsoft Windows
                Cert Status:    Valid
                Valid Usage:    NT5 Crypto, Code Signing
                Cert Issuer:    Microsoft Windows Verification PCA
                Serial Number:  33 00 00 00 47 27 42 19 51 D6 77 97 3D 00 01 00 00 00 47
                Thumbprint:     2297004E2D61F9F0F40B7651E57E6D6A69D9678A
                Algorithm:      sha1RSA
                Valid from:     2:12 2016/11/23
                Valid to:       2:12 2017/5/23
           Microsoft Windows Verification PCA
                Cert Status:    Valid
                Valid Usage:    All
                Cert Issuer:    Microsoft Root Certificate Authority
                Serial Number:  61 0A 59 2B 00 00 00 00 00 3B
                Thumbprint:     A5EEF4E193075BD3C271793C950729360059593A
                Algorithm:      sha1RSA
                Valid from:     7:24 2016/2/12
                Valid to:       7:28 2021/5/10
           Microsoft Root Certificate Authority
                Cert Status:    Valid
                Valid Usage:    All
                Cert Issuer:    Microsoft Root Certificate Authority
                Serial Number:  79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
                Thumbprint:     CDD4EEAE6000AC7F40C3802C171E30148030C072
                Algorithm:      sha1RSA
                Valid from:     7:19 2001/5/10
                Valid to:       7:28 2021/5/10
        Counter Signers:
           Microsoft Time-Stamp Service
                Cert Status:    Valid
                Valid Usage:    Timestamp Signing
                Cert Issuer:    Microsoft Time-Stamp PCA
                Serial Number:  33 00 00 00 C5 96 40 60 4B F4 DE AE 2E 00 00 00 00 00 C5
                Thumbprint:     7BA57715B0F79CA2CF921E5F2A72BE11C2FADC67
                Algorithm:      sha1RSA
                Valid from:     1:58 2016/9/8
                Valid to:       1:58 2018/9/8
           Microsoft Time-Stamp PCA
                Cert Status:    Valid
                Valid Usage:    Timestamp Signing
                Cert Issuer:    Microsoft Root Certificate Authority
                Serial Number:  61 16 68 34 00 00 00 00 00 1C
                Thumbprint:     375FCB825C3DC3752A02E34EB70993B4997191EF
                Algorithm:      sha1RSA
                Valid from:     20:53 2007/4/3
                Valid to:       21:03 2021/4/3
           Microsoft Root Certificate Authority
                Cert Status:    Valid
                Valid Usage:    All
                Cert Issuer:    Microsoft Root Certificate Authority
                Serial Number:  79 AD 16 A1 4A A0 A5 AD 4C 73 58 F4 07 13 2E 65
                Thumbprint:     CDD4EEAE6000AC7F40C3802C171E30148030C072
                Algorithm:      sha1RSA
                Valid from:     7:19 2001/5/10
                Valid to:       7:28 2021/5/10
        Company:        Microsoft Corporation
        Description:    NT Layer DLL
        Product:        Microsoft® Windows® Operating System
        Prod version:   6.1.7601.23677
        File version:   6.1.7601.23677 (win7sp1_ldr.170209-0600)
        MachineType:    64-bit
        MD5:    2D7984E5338364234FB69BC7A1D3F8D9
        SHA1:   BBE41AC895C1AC58ADE0D896B89E2D22C1D18B6D
        PESHA1: CB06E72F615B4CC217433B1A5A61256FDD806BC8
        PE256:  2D3A070BC0AD8DA64AB475B2767637E40EA6597C8BA75D3F2E4C5C187F4D7280
        SHA256: F20FB0B46146D508169271AFA4117AFE788E9EDD0431FD1A063B79BC93F3208C
        IMP:    n/a
--------------------------------------------------------------------------

From the sigcheck.exe output we learn that the SHA1 displayed by signtool.exe
is actually the PESHA1. I have not seen official documentation of the PESHA1
algorithm; reversing sigcheck.exe in IDA would probably reveal it, but I have
no strong need for that, so I let it go.

Zhang Yunhai adds: PESHA1 is simply the hash computed after excluding the
Checksum field and the Security DataDirectory (including its 8-byte entry).

☆ Windows Policies

Since Vista, every 64-bit Windows requires drivers to carry a valid signature;
see [3]. "Valid" here means signed with a certificate issued by a CA. Starting
with Win10, that signature must be produced through the "Windows Hardware Dev
Center Dashboard".

With special configuration, however, Windows still allows self-signed drivers
to load, so that developers can test; see [4].

bcdedit /set testsigning on
bcdedit /set testsigning off
bcdedit /enum {current} | findstr testsigning

Per [5], the consequences of enabling testsigning are:

--------------------------------------------------------------------------
When the bcdedit option for test-signing is enabled, Windows does the
following:

a) Displays a watermark with the text "Test Mode" in all four corners of the
   desktop, to remind users the system has test-signing enabled.

   Note Starting with Windows 7, Windows displays this watermark only in the
   lower left-hand corner of the desktop.

b) The operating system loader and the kernel load drivers that are signed by
   any certificate. The certificate validation is not required to chain up to
   a trusted root certification authority. However, each driver image file
   must have a digital signature.
--------------------------------------------------------------------------
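Returning to the PESHA1 value discussed under sigcheck.exe above: the hash Zhang Yunhai describes is the Authenticode PE hash defined in Microsoft's Authenticode PE signature format, which also leaves out the attribute certificate table at the end of the file, so the digest does not change when a signature is added. The script below is an added example, not code from the original article or its authors; it implements that hash over a constructed, non-loadable PE32+ image (the builder and its constants are assumptions made for the demonstration) and shows why the file's plain SHA1 and its PESHA1 differ.

```python
import hashlib
import struct


def authenticode_hash(data: bytes, algo: str = "sha1") -> str:
    """Authenticode digest of a PE image (what sigcheck calls PESHA1 / PE256).
    Skips the CheckSum field, the Security data directory entry and the
    attribute certificate table; returns upper-case hex."""
    h = hashlib.new(algo)
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32: data directories start at opt+96
        sec_dir = opt + 128
    elif magic == 0x20B:        # PE32+: data directories start at opt+112
        sec_dir = opt + 144
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    checksum_off = opt + 64     # CheckSum sits at +64 in both header kinds
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    cert_size = struct.unpack_from("<I", data, sec_dir + 4)[0]

    h.update(data[:checksum_off])                # 1. start .. CheckSum
    h.update(data[checksum_off + 4:sec_dir])     # 2. .. Security dir entry
    h.update(data[sec_dir + 8:size_of_headers])  # 3. .. end of headers
    bytes_hashed = size_of_headers

    # 4. raw data of every section, in ascending PointerToRawData order
    sec_tab = opt + size_of_opt
    sections = []
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_tab + i * 40 + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(sections):
        h.update(data[raw_ptr:raw_ptr + raw_size])
        bytes_hashed += raw_size

    # 5. any trailing data (overlay) minus the certificate table, which the
    #    Authenticode spec assumes is the last thing in the file
    extra = len(data) - bytes_hashed - cert_size
    if extra > 0:
        h.update(data[bytes_hashed:bytes_hashed + extra])
    return h.hexdigest().upper()


def build_test_pe(checksum: int = 0, cert_table: bytes = b"") -> bytes:
    """Constructed minimal PE32+ image with one .text section (assumption made
    for this demo; not loadable, it only carries the headers the hash reads)."""
    size_of_headers = 0x200
    sec_ptr = sec_size = 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                          # Magic PE32+
    struct.pack_into("<I", opt, 60, size_of_headers)               # SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)                      # CheckSum
    struct.pack_into("<I", opt, 108, 16)                           # NumberOfRvaAndSizes
    if cert_table:                                                 # Security directory
        struct.pack_into("<II", opt, 144, sec_ptr + sec_size, len(cert_table))
    sec = bytearray(40)
    sec[:5] = b".text"
    struct.pack_into("<IIII", sec, 8, sec_size, 0x1000, sec_size, sec_ptr)
    headers = dos + coff + bytes(opt) + bytes(sec)
    headers += b"\0" * (size_of_headers - len(headers))
    body = bytes(range(256)) * (sec_size // 256)                   # section content
    return headers + body + cert_table


def fake_cert_table(blob: bytes) -> bytes:
    """WIN_CERTIFICATE wrapper (dwLength, wRevision 0x200, type 2 = PKCS#7)
    around placeholder bytes, padded to 8; stands in for a real signature."""
    body = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
    return body + b"\0" * (-len(body) % 8)


def demo() -> dict:
    """Plain SHA1 vs PESHA1, before and after a signature blob is appended."""
    unsigned = build_test_pe()
    signed = build_test_pe(checksum=0xDEADBEEF, cert_table=fake_cert_table(b"\xAA" * 40))
    return {
        "plain_sha1": hashlib.sha1(unsigned).hexdigest().upper(),
        "pesha1": authenticode_hash(unsigned),
        "pesha1_after_signing": authenticode_hash(signed),
        "pe256": authenticode_hash(unsigned, "sha256"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value}")
```

The value that survives signing is the one a catalog stores, which is why signtool's "Hash of file (sha1)" matches sigcheck's PESHA1 line and not its SHA1 line.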
In short: a watermark on the desktop, and no check that the chain ends in a
trusted root.

☆ Install warnings from the Xiaomi flash tool (MiFlash)

When installing http://bigota.d.miui.com/tools/MiFlashSetup201612220.msi on
64-bit Win7, a UAC prompt appears several times:

Windows can't verify the publisher

Monitoring msiexec.exe with Process Monitor shows that msiexec.exe writes to:

c:\windows\inf\setupapi.dev.log

Reading through setupapi.dev.log reveals why the install warnings appear.

--------------------------------------------------------------------------
>>>  [SetupCopyOEMInf - C:\XiaoMi\XiaoMiFlash\Source\ThirdParty\Google\Driver\android_winusb.inf]
...
     sto:      {DRIVERSTORE_IMPORT_NOTIFY_VALIDATE} 14:54:41.827
     inf:           Opened INF: 'C:\Windows\System32\DriverStore\Temp\{6329a400-0df8-3623-f34d-7668ae915112}\android_winusb.inf' ([strings])
     sig:           {_VERIFY_FILE_SIGNATURE} 14:54:41.897
     sig:                Key      = android_winusb.inf
     sig:                FilePath = C:\Windows\System32\DriverStore\Temp\{6329a400-0df8-3623-f34d-7668ae915112}\android_winusb.inf
     sig:                Catalog  = C:\Windows\System32\DriverStore\Temp\{6329a400-0df8-3623-f34d-7668ae915112}\xiaomiwinusba64.cat
!    sig:                Verifying file against specific (valid) catalog failed! (0xe0000244)
!    sig:                Error 0xe0000244: The software was tested for compliance with Windows Logo requirements on a different version of Windows, and may not be compatible with this version.
     sig:           {_VERIFY_FILE_SIGNATURE exit(0xe0000244)} 14:54:41.928
     sig:           {_VERIFY_FILE_SIGNATURE} 14:54:41.929
     sig:                Key      = android_winusb.inf
     sig:                FilePath = C:\Windows\System32\DriverStore\Temp\{6329a400-0df8-3623-f34d-7668ae915112}\android_winusb.inf
     sig:                Catalog  = C:\Windows\System32\DriverStore\Temp\{6329a400-0df8-3623-f34d-7668ae915112}\xiaomiwinusba64.cat
!    sig:                Verifying file against specific (valid) catalog failed! (0xe0000244)
!    sig:                Error 0xe0000244: The software was tested for compliance with Windows Logo requirements on a different version of Windows, and may not be compatible with this version.
     sig:           {_VERIFY_FILE_SIGNATURE exit(0xe0000244)} 14:54:41.931
!!!  sto:           An unexpected error occurred while validating driver package. Assuming that driver package is unsigned. Catalog = xiaomiwinusba64.cat, Error = 0xE0000244
!    sto:           Driver package is considered unsigned, but user wants to install driver package anyway.
     sto:      {DRIVERSTORE_IMPORT_NOTIFY_VALIDATE exit(0x00000000)} 14:55:25.858
--------------------------------------------------------------------------

Note the lines starting with an exclamation mark. The signature check for
android_winusb.inf failed with error code 0xe0000244: the file was tested on
some OS version, but not the current one. That leads to "Assuming that driver
package is unsigned" and finally to the install warning asking the user
whether to continue.

android_winusb.inf specifies the corresponding cat files:

--------------------------------------------------------------------------
[Version]
Signature = "$Windows NT$"
Class = AndroidUsbDeviceClass
ClassGuid = {3F966BD9-FA04-4ec5-991C-D326973B5128}
Provider = %ProviderName%
DriverVer = 11/03/2016,16.0.0000.00000
CatalogFile.NTx86 = xiaomiwinusb86.cat
CatalogFile.NTamd64 = xiaomiwinusba64.cat
--------------------------------------------------------------------------

Checking xiaomiwinusba64.cat by hand:

$ sigcheck.exe -d xiaomiwinusba64.cat | grep "File: android_winusb.inf" -A 4
File: android_winusb.inf
  OS Attributes: Windows 10
  Algorithm: sha1NoSign
  Hash: 781970265FC7B721D9C0B8E550A95EC06669024E
File: android_winusb.inf
  OS Attributes: Windows 10
  Algorithm: sha256NoSign
  Hash: 5C9197A898C0C3CAF1BD84EACEF26C0AA66D098AE19B139D7BE0760B07A04F39

Computing the SHA1 and SHA256 of android_winusb.inf by hand, the file hashes
match, but the "OS Attributes" say Windows 10.

That is the cause of the first install warning. The second one has a
different cause.

--------------------------------------------------------------------------
>>>  [SetupCopyOEMInf - C:\XiaoMi\XiaoMiFlash\Source\ThirdParty\Nvidia\Driver\NvidiaUsb.inf]
...
     sto:      {DRIVERSTORE_IMPORT_NOTIFY_VALIDATE} 14:55:27.109
!    sto:           Driver package does not contain a catalog file, but user wants to install anyway.
     sto:      {DRIVERSTORE_IMPORT_NOTIFY_VALIDATE exit(0x00000000)} 14:55:32.105
--------------------------------------------------------------------------

NvidiaUsb.inf does not specify a cat file:

--------------------------------------------------------------------------
[Version]
Signature = "$Windows NT$"
Class = NvBoot
ClassGuid={EAD8C4F6-6102-45c7-AA66-36E6D7204600}
Provider = %ProviderName%
DriverVer=04/01/2010,1.00.01
; CatalogFile=MyCatFile.cat FIXME Need own catlog file, which is signed
--------------------------------------------------------------------------

The third install warning:

--------------------------------------------------------------------------
>>>  [SetupCopyOEMInf - C:\XiaoMi\XiaoMiFlash\Source\ThirdParty\Microsoft\Driver\tetherxp.inf]
...
     sto:      {DRIVERSTORE_IMPORT_NOTIFY_VALIDATE} 14:55:33.905
!    sto:           Driver package does not contain a catalog file, but user wants to install anyway.
     sto:      {DRIVERSTORE_IMPORT_NOTIFY_VALIDATE exit(0x00000000)} 14:55:35.880
--------------------------------------------------------------------------

tetherxp.inf does specify cat files:

--------------------------------------------------------------------------
[Version]
Signature = "$CHICAGO$"
Class = Net
ClassGUID = {4d36e972-e325-11ce-bfc1-08002be10318}
Provider = %Android%
Compatible = 1
MillenniumPreferred = .ME
DriverVer = 08/22/2013,7.1.0.0
; catalog file would be used by WHQL
CatalogFile.NTx86 = Android_RNDIS_86.cat
CatalogFile.NTamd64 = Android_RNDIS_A64.cat
--------------------------------------------------------------------------

But Android_RNDIS_A64.cat does not exist; only Android_RNDIS_86.cat does.

The fourth install warning:

--------------------------------------------------------------------------
>>>  [SetupCopyOEMInf - C:\XiaoMi\XiaoMiFlash\Source\ThirdParty\Microsoft\Driver\wpdmtphw.inf]
...
!    inf:           Could not find include INF file "layout.inf". Error = 0x00000002
...
!    inf:           Could not find include INF file "layout.inf". Error = 0x00000002
...
     sto:      {DRIVERSTORE_IMPORT_NOTIFY_VALIDATE} 14:55:40.077
!    sto:           Driver package does not contain a catalog file, but user wants to install anyway.
     sto:      {DRIVERSTORE_IMPORT_NOTIFY_VALIDATE exit(0x00000000)} 14:55:48.771
--------------------------------------------------------------------------

wpdmtphw.inf:

--------------------------------------------------------------------------
[Version]
Signature = "$WINDOWS NT$"
Class = WPD
ClassGUID = {EEC5AD98-8080-425f-922A-DABF3DE3F69A}
Provider = %Msft%
LayoutFile = layout.inf
DriverVer = 08/22/2013,7.1.0000.0000
CatalogFile.NTx86 = androidmtp86.cat
CatalogFile.NTamd64 = androidmtpa64.cat
--------------------------------------------------------------------------

androidmtpa64.cat does not exist, only androidmtp86.cat. In addition,
layout.inf does not exist either.

The fifth install warning:

--------------------------------------------------------------------------
>>>  [SetupCopyOEMInf - C:\XiaoMi\XiaoMiFlash\Source\ThirdParty\Qualcomm\Driver\qcser.inf]
...
     sto:      {DRIVERSTORE_IMPORT_NOTIFY_VALIDATE} 14:55:51.941
     inf:           Opened INF: 'C:\Windows\System32\DriverStore\Temp\{701a0de8-d199-1555-6405-2b1efe42f77f}\qcser.inf' ([strings])
     sig:           {_VERIFY_FILE_SIGNATURE} 14:55:51.977
     sig:                Key      = qcser.inf
     sig:                FilePath = C:\Windows\System32\DriverStore\Temp\{701a0de8-d199-1555-6405-2b1efe42f77f}\qcser.inf
     sig:                Catalog  = C:\Windows\System32\DriverStore\Temp\{701a0de8-d199-1555-6405-2b1efe42f77f}\qcser.cat
!    sig:                Verifying file against specific (valid) catalog failed! (0xe0000244)
!    sig:                Error 0xe0000244: The software was tested for compliance with Windows Logo requirements on a different version of Windows, and may not be compatible with this version.
     sig:           {_VERIFY_FILE_SIGNATURE exit(0xe0000244)} 14:55:51.990
     sig:           {_VERIFY_FILE_SIGNATURE} 14:55:51.990
     sig:                Key      = qcser.inf
     sig:                FilePath = C:\Windows\System32\DriverStore\Temp\{701a0de8-d199-1555-6405-2b1efe42f77f}\qcser.inf
     sig:                Catalog  = C:\Windows\System32\DriverStore\Temp\{701a0de8-d199-1555-6405-2b1efe42f77f}\qcser.cat
!    sig:                Verifying file against specific (valid) catalog failed! (0xe0000244)
!    sig:                Error 0xe0000244: The software was tested for compliance with Windows Logo requirements on a different version of Windows, and may not be compatible with this version.
     sig:           {_VERIFY_FILE_SIGNATURE exit(0xe0000244)} 14:55:51.992
!!!  sto:           An unexpected error occurred while validating driver package. Assuming that driver package is unsigned. Catalog = qcser.cat, Error = 0xE0000244
!    sto:           Driver package is considered unsigned, but user wants to install driver package anyway.
     sto:      {DRIVERSTORE_IMPORT_NOTIFY_VALIDATE exit(0x00000000)} 14:55:53.298
--------------------------------------------------------------------------

qcser.inf:

--------------------------------------------------------------------------
[Version]
signature = "$WINDOWS NT$"
Class = Ports
Provider = %QUALCOMM%
ClassGuid = {4D36E978-E325-11CE-BFC1-08002BE10318}
DriverVer = 01/04/2013,2.1.0.5
Catalogfile= qcser.cat
--------------------------------------------------------------------------

$ sigcheck.exe -d qcser.cat | grep "File: qcser.inf" -A 4
File: qcser.inf
  OS Attributes: Windows 10
  Algorithm: sha256NoSign
  Hash: DF6732C72386B83C127BAAE1213A74E592228C0D1B0EF9B3F67287A65F167EB1
--
File: qcser.inf
  OS Attributes: Windows 10
  Algorithm: sha1NoSign
  Hash: 5DB6907A79CD9BD6317D968720153ACF79BF1180

The cause of the qcser.inf warning is the same as for android_winusb.inf.

☆ Notes from some discussions

Simply put, by default a SYS file must now carry a valid signature or it
cannot be installed. INF files are treated more leniently: if an INF file is
unsigned, or the OS version it was tested on does not match the current one,
the user is warned, and installation continues if the user agrees.

The MiFlash install warnings are caused by INF signature check failures; all
of the SYS files carry valid signatures.

--------------------------------------------------------------------------
$ sigcheck.exe -e -h -i qcusbser.sys

C:\XiaoMi\XiaoMiFlash\Source\ThirdParty\Qualcomm\Driver\serial\amd64\qcusbser.sys:
        Verified:       Signed
        Link date:      9:22 2013/1/15
        Signing date:   14:55 2016/11/7
        Catalog:        C:\XiaoMi\XiaoMiFlash\Source\ThirdParty\Qualcomm\Driver\serial\amd64\qcusbser.sys
        Signers:
           Microsoft Windows Hardware Compatibility Publisher
                Cert Status:    Valid
                Valid Usage:    Code Signing, WHQL Crypto, 1.3.6.1.4.1.311.10.3.5.1
                Cert Issuer:    Microsoft Windows Third Party Component CA 2014
                Serial Number:  33 00 00 00 12 B0 54 93 EA DD CE EB 4B 00 00 00 00 00 12
                Thumbprint:     D6882C24945DF2A25F14CAA5EB701E0F3BC7E4A2
                Algorithm:      sha256RSA
                Valid from:     8:59 2016/2/12
                Valid to:       8:59 2017/5/12
           Microsoft Windows Third Party Component CA 2014
                Cert Status:    Valid
                Valid Usage:    All
                Cert Issuer:    Microsoft Root Certificate Authority 2010
                Serial Number:  33 00 00 00 0D 69 0D 5D 78 93 D0 76 DF 00 00 00 00 00 0D
                Thumbprint:     1906DCF62629B563252C826FDD874EFCEB6856C6
                Algorithm:      sha256RSA
                Valid from:     4:31 2014/10/16
                Valid to:       4:41 2029/10/16
           Microsoft Root Certificate Authority 2010
                Cert Status:    Valid
                Valid Usage:    All
                Cert Issuer:    Microsoft Root Certificate Authority 2010
                Serial Number:  28 CC 3A 25 BF BA 44 AC 44 9A 9B 58 6B 43 39 AA
                Thumbprint:     3B1EFD3A66EA28B16697394703A72CA340A05BD5
                Algorithm:      sha256RSA
                Valid from:     5:57 2010/6/24
                Valid to:       6:04 2035/6/24
        Counter Signers:
           Microsoft Time-Stamp Service
                Cert Status:    Valid
                Valid Usage:    Timestamp Signing
                Cert Issuer:    Microsoft Time-Stamp PCA 2010
                Serial Number:  33 00 00 00 B4 43 3A 1C FE B6 BA 52 89 00 00 00 00 00 B4
                Thumbprint:     07C09597AE2E4E6EC9D375F6D98951988B206D3A
                Algorithm:      sha256RSA
                Valid from:     1:56 2016/9/8
                Valid to:       1:56 2018/9/8
           Microsoft Time-Stamp PCA 2010
                Cert Status:    Valid
                Valid Usage:    All
                Cert Issuer:    Microsoft Root Certificate Authority 2010
                Serial Number:  61 09 81 2A 00 00 00 00 00 02
                Thumbprint:     2AA752FE64C49ABE82913C463529CF10FF2F04EE
                Algorithm:      sha256RSA
                Valid from:     5:36 2010/7/2
                Valid to:       5:46 2025/7/2
           Microsoft Root Certificate Authority 2010
                Cert Status:    Valid
                Valid Usage:    All
                Cert Issuer:    Microsoft Root Certificate Authority 2010
                Serial Number:  28 CC 3A 25 BF BA 44 AC 44 9A 9B 58 6B 43 39 AA
                Thumbprint:     3B1EFD3A66EA28B16697394703A72CA340A05BD5
                Algorithm:      sha256RSA
                Valid from:     5:57 2010/6/24
                Valid to:       6:04 2035/6/24
        Company:        QUALCOMM Incorporated
        Description:    USB Modem/Serial Device Driver
        Product:        QUALCOMM Incorporated USB Modem/Serial Device Driver
        Prod version:   2. 1. 0. 5
        File version:   2. 1. 0. 5
        MachineType:    64-bit
        MD5:    1E4F756618BC97254C577A2B91579B4C
        SHA1:   B1B5523CEF012830CFA6DF0EE2133EC099278FDA
        PESHA1: 69D74302E937E26D182A1E2E27E60D33D5637E77
        PE256:  E1824EC480D9D88631D94855DC7CCE1B4A295988733DFD270898C8ADD1161647
        SHA256: E577C47946DDD5E0A4309681666803DE387332A0E529F9E325C3591B79FF2906
        IMP:    59F0E63706A4B756EFE8551DF4526EF9
--------------------------------------------------------------------------

Someone has mentioned:

bcdedit /set loadoptions DDISABLE_INTEGRITY_CHECKS
bcdedit /set testsigning on

bcdedit /set loadoptions DENABLE_INTEGRITY_CHECKS
bcdedit /set testsigning off

Note the leading character D. I could not find official documentation for
loadoptions, so I don't know where this information comes from.

The F8 boot menu has:

Disable Driver Signature Enforcement

☆ Signing a PE with an expired certificate

People online sometimes share expired certificates. If such a certificate has
not been revoked by its issuer but has merely expired, one can roll the system
clock back into the certificate's validity period, sign a PE with it, and
perform certain test actions at that rolled-back point in time.

Per [7], someone on Pediy (看雪) shared several expired certificates. I only
tested cs20160224_w.pfx, which has been revoked by its CA; I did not test the
others.

Yunhai gave me an expired certificate; call it some.pfx. Below is how to sign
a PE after rolling back the system clock. I am not in the underground
business and don't play with drivers, so I had never studied this; it is a
quick improvisation and the description may contain errors or omissions,
corrections welcome.

The first question to settle: roll back to which point in time? Given a pfx
file, how do you find its validity period? If the pfx has no password, just
right-click it and choose "Open" to view it (don't double-click). But every
pfx I received was password-protected, and then there is no default GUI way to
view it; only the command line works.

chcp 437
certutil.exe -p <password> -dump <.pfx>
certutil.exe -v -p <password> -dump <.pfx>
openssl pkcs12 -info -password pass:<password> -in <.pfx>
openssl pkcs12 -info -password pass:<password> -in <.pfx> | openssl x509 -text -noout

I recommend certutil rather than openssl for viewing pfx files. Suppose the
following is certutil's output for some.pfx:

--------------------------------------------------------------------------
================ Certificate 0 ================
================ Begin Nesting Level 1 ================
Element 0:
...
NotBefore: 2011/9/2 8:00
NotAfter: 2014/9/2 7:59
Subject: CN=NVIDIA Corporation
...
----------------  End Nesting Level 1  ----------------
...
================ Certificate 1 ================
================ Begin Nesting Level 1 ================
Element 1:
...
NotBefore: 2010/2/8 8:00
NotAfter: 2020/2/8 7:59
Subject: CN=VeriSign Class 3 Code Signing 2010 CA
...
----------------  End Nesting Level 1  ----------------
...
================ Certificate 2 ================
================ Begin Nesting Level 1 ================
Element 2:
...
NotBefore: 2006/11/8 8:00
NotAfter: 2021/11/8 7:59
Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5
...
---------------- End Nesting Level 1 ----------------
--------------------------------------------------------------------------

Roll the system clock back into the [NotBefore, NotAfter] interval of
"Element 0"; ignore "Element 1" and "Element 2", whose ranges can only be
wider than that of the former.

Assuming the system clock has been rolled back to a suitable point and you
have some.pfx and the any.dll to be signed, signtool.exe can do the signing;
see [8]. I used the signtool from VS 2019 / the Win10 SDK.

signtool.exe sign /a /f some.pfx /p any.dll

If the system time does not meet the requirement, signing reports an error:

SignTool Error: No certificates were found that met all the given criteria.

Assuming any.dll has been signed with some.pfx, the signature information can
be viewed in the GUI.

--------------------------------------------------------------------------
Right-click any.dll, open Properties
    Digital Signatures
        Signature list
--------------------------------------------------------------------------

There are normally three columns here: Name of signer, Digest Algorithm,
Timestamp. For a normal signature the third column, Timestamp, has a value,
namely the signing time. When signing with an expired certificate, because
one dares not contact a timestamp server to verify the time, the Timestamp
ends up empty.

Select the signature in the Signature list and view its details.

--------------------------------------------------------------------------
Details
    General
        Digital Signature Information
            This digital signature is OK    (anything else means the signature is invalid)
        Signer information
            Signing time    Not available   (has a value for a normal signature; empty when no timestamp server was used)
        Countersignatures   empty           (has a value for a normal signature; empty when no timestamp server was used)
        View Certificate
            General
                Valid from 9/2/2011 to 9/2/2014     (Element 0)
            Certification Path                      (normally a three-level tree)
                VeriSign                                        (Element 2)
                    VeriSign Class 3 Code Signing 2010 CA       (Element 1)
                        NVIDIA Corporation                      (Element 0)
                Certificate status
                    This certificate is OK  (anything else means the certificate is invalid)
--------------------------------------------------------------------------

Certification Path is normally a three-level tree; for convenience this
article calls the levels, from top to bottom, level one, level two and level
three. Selecting each level, you can use View Certificate to see that
certificate's details. View Certificate for the level-three certificate is
greyed out because General already shows it. Selecting each level you can
also see its Certificate status; "This certificate is OK" is what you want,
anything else means the certificate is invalid. The statuses of the three
levels are not synchronized, each is its own; it is quite possible for the
level-one certificate to be valid while levels two and three have both
expired.

When rolling back the system clock for an expired certificate, you must focus
on the level-three certificate, which is "Element 0" in the certutil output;
watch its [NotBefore, NotAfter] and roll the clock so that it falls within
that interval.

A pitfall here: "Element 0" in the certutil output is not necessarily the
level-three certificate in the GUI; the order may be swapped. Check its Issuer
and Subject; the GUI display is the most reliable.

If some.pfx were not expired, a normal signing operation would look like this:

signtool.exe sign /a /f some.pfx /p /t http://timestamp.digicert.com any.dll

The /t parameter obtains the time from a timestamp server over the network;
any.dll then has a signing time and Countersignatures is not empty. But the
some.pfx at hand has expired. The local clock can be rolled back, yet the
timestamp server still uses real time, so one dares not specify /t when
signing any.dll; consequently any.dll has no signing time and
Countersignatures is empty.

Suppose any.dll has been signed with the expired some.pfx and the system
clock has been restored. Checking any.dll in 2022 no longer shows "This
digital signature is OK" but "A required certificate is not within its
validity period when verifying against the current system clock or the
timestamp in the signed file". In 2022 the any.dll signature is invalid,
because by 2022 both the level-two and level-three certificates have expired;
each one's Certificate status is "This certificate has expired or is not yet
valid".

Note that if the level-one and level-two certificates have not expired and
only the level-three certificate has, the level-three certificate's
Certificate status may still be "This certificate is OK"; it may still be
judged valid, and the PE signature may still be judged valid.

Look at Sysinternals livekd64.exe: its signing time is 2020.4.27, the
level-one and level-two certificates have not expired, the level-three
certificate's validity period is 2020.3.5-2021.3.4 and has expired, yet the
level-three certificate's Certificate status still shows "This certificate is
OK" and the file still shows "This digital signature is OK". I have not
studied the logic behind this; my guess is that because the signing time
falls within the level-three certificate's validity period, the certificate
is still judged valid even though it expired by 2022, and the signature is in
turn judged valid.

However, /t could not be specified when signing any.dll, so any.dll has no
signing time; checking any.dll in 2022, the expired level-three certificate
counts as invalid and the signature is therefore judged invalid. One can roll
the clock back to 2014.7.16 and check any.dll; at that point its signature is
judged valid.

Assuming any.dll's signature is judged valid at some point in time, even
without a signing time, any.dll can be used for certain test actions at that
point. This section used a DLL as the example; SYS files are similar.

See [9]; in the comments of that thread someone summarized the relationship
between drivers and signatures.

☆ References

[1] The Case of the Missing Digital Signatures Tab - Didier Stevens [2008-01-11]
    https://blog.didierstevens.com/2008/01/11/the-case-of-the-missing-digital-signatures-tab/
[2] What is Catroot & Catroot2 folder, How do you reset catroot2 folder in Windows - Anand Khanse [2017-01-13]
    http://www.thewindowsclub.com/catroot-catroot2-folder-reset-windows
[3] Driver Signing
    https://msdn.microsoft.com/en-us/windows/hardware/drivers/install/driver-signing
    Driver Signing changes in Windows 10 - Joshua Baxter [2015-04-01]
    https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/04/01/driver-signing-changes-in-windows-10/
[4] How to Test-Sign a Driver Package
    https://msdn.microsoft.com/en-us/windows/hardware/drivers/install/how-to-test-sign-a-driver-package
    Configuring the Test Computer to Support Test-Signing
    https://msdn.microsoft.com/en-us/windows/hardware/drivers/install/configuring-the-test-computer-to-support-test-signing
[5] The TESTSIGNING Boot Configuration Option
    https://msdn.microsoft.com/en-us/windows/hardware/drivers/install/the-testsigning-boot-configuration-option
[6] Windows can't verify the publisher of this driver software
    https://knowledge.symantec.com/support/code-signing-support/index?page=content&id=SO16763
[7] A few expired digital signatures for everyone to debug drivers with - 醉後的温柔 [2022-05-01]
    https://bbs.pediy.com/thread-272573.htm
    (that certificate has been revoked by its issuing CA)
    Sharing a legitimate, valid digital signing certificate - shun其自然 [2022-11-11]
    https://bbs.pediy.com/thread-275108.htm
    https://wwl.lanzouy.com/ih5Qu0fonvrg (pass:aa123123)
    (usable for EXE and DLL, not for driver signing)
[8] Using SignTool to Sign a File
    https://docs.microsoft.com/en-us/windows/win32/seccrypto/using-signtool-to-sign-a-file
[9] ProcessHacker's driver runs on Win10 even without a Microsoft signature - [2022-05-25]
    https://bbs.pediy.com/thread-272998.htm
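The behaviour described in the "Signing a PE with an expired certificate" section (a signature without a timestamp countersignature only verifies while the clock sits inside the signer certificate's validity window, as with any.dll, whereas the timestamped livekd64.exe keeps verifying) can be audited from the defender's side with Get-AuthenticodeSignature. This is an added example, not code from the article; the scan directory and the Finding labels are this example's own assumptions.

```powershell
# Added example (not from the article): report files whose Authenticode
# signature has no timestamp countersignature, or no longer verifies.
param([string]$Dir = 'C:\temp\audit')   # assumed scan directory, adjust as needed

function Test-SignatureTimestamp {
    param([Parameter(Mandatory)][string]$Path)
    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $signer  = $sig.SignerCertificate              # $null for an unsigned file
    $stamped = [bool]$sig.TimeStamperCertificate   # countersignature present?

    if ($sig.Status -eq 'NotSigned') {
        $finding = 'unsigned'
    } elseif ($sig.Status -ne 'Valid') {
        # Typical for the any.dll case: signer cert expired, nothing anchors
        # the signing time, so the signature fails against the current clock.
        $finding = "verification failed: $($sig.StatusMessage)"
        if (-not $stamped) { $finding += ' (no timestamp countersignature)' }
        if ($signer -and $signer.NotAfter -lt (Get-Date)) {
            $finding += " (signer cert expired $($signer.NotAfter))"
        }
    } elseif (-not $stamped) {
        # Valid today only because the clock is inside the cert's validity;
        # it stops verifying once NotAfter passes (or if the clock is moved).
        $finding = "no timestamp: verifies only until $($signer.NotAfter)"
    } else {
        $finding = 'none'
    }

    # Precompute so that an unsigned file does not dereference $null
    $subject = if ($signer) { $signer.Subject }   else { $null }
    $nb      = if ($signer) { $signer.NotBefore } else { $null }
    $na      = if ($signer) { $signer.NotAfter }  else { $null }

    [pscustomobject]@{
        Path          = $Path
        Status        = $sig.Status           # Valid / NotSigned / NotTrusted / ...
        SignatureType = $sig.SignatureType    # None / Authenticode / Catalog
        Signer        = $subject
        NotBefore     = $nb
        NotAfter      = $na
        Timestamped   = $stamped
        Finding       = $finding
    }
}

Get-ChildItem -Path $Dir -Recurse -File -Include *.exe,*.dll,*.sys |
    ForEach-Object { Test-SignatureTimestamp -Path $_.FullName } |
    Where-Object { $_.Finding -ne 'none' } |
    Format-Table Path, Status, Signer, NotAfter, Timestamped, Finding -AutoSize
```

Catalog-signed Windows files are reported with SignatureType Catalog, so the same check covers both signing methods from the start of the article.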