Kann
asked on
WHQL driver signing check
WHQL driver signing ensure that a particular driver has been certified for use with Windows 2000 or Windows XP.
How can I check if a file (.sys,.exe,.dll) is WHQL-signed with Delphi? I need the source of a function like IsFileWHQLsigned('explorer .exe').
(Explorer.exe has no Authenticode signature, but the file is WHQL-signed. Check this with sigverif.exe.)
How can I check if a file (.sys,.exe,.dll) is WHQL-signed with Delphi? I need the source of a function like IsFileWHQLsigned('explorer
(Explorer.exe has no Authenticode signature, but the file is WHQL-signed. Check this with sigverif.exe.)
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I've just found out that you can use the crypttest2 utility from your previous question on .cat files in %SystemRoot%\CatRoot\... subdirectories.
The question is how to determine which .cat file is associated with a particular driver file (.sys, .dll)...
I have no idea about this.
The question is how to determine which .cat file is associated with a particular driver file (.sys, .dll)...
I have no idea about this.
Do a Google on 'WinVerifyTrust', you'll find interesting info, e.g.
http://www.winntmag.com/Articles/Index.cfm?ArticleID=7088&pg=1
http://www.winntmag.com/Articles/Index.cfm?ArticleID=7088&pg=1
ASKER
Hello TOndrej,
I want to check an already installed file.
> The question is how to determine which .cat file is associated with a particular driver file (.sys, .dll)...
Yes, that is the question. I study sigverif.exe, which checks if a file is WHQL-signed. Sigverif.exe use this API:
MSCAT32.dll
6 CryptCATAdminReleaseContex t
15 CryptCATCatalogInfoFromCon text
4 CryptCATAdminEnumCatalogFr omHash
1 CryptCATAdminAcquireContex t
5 CryptCATAdminReleaseCatalo gContext
33 IsCatalogFile
3 CryptCATAdminCalcHashFromF ileHandle
WINTRUST.dll
107 WinVerifyTrust
Perhaps this can help you?
I want to check an already installed file.
> The question is how to determine which .cat file is associated with a particular driver file (.sys, .dll)...
Yes, that is the question. I study sigverif.exe, which checks if a file is WHQL-signed. Sigverif.exe use this API:
MSCAT32.dll
6 CryptCATAdminReleaseContex
15 CryptCATCatalogInfoFromCon
4 CryptCATAdminEnumCatalogFr
1 CryptCATAdminAcquireContex
5 CryptCATAdminReleaseCatalo
33 IsCatalogFile
3 CryptCATAdminCalcHashFromF
WINTRUST.dll
107 WinVerifyTrust
Perhaps this can help you?
Sorry, I couldn't find any documentation on mscat32.dll and its functions.
(My understanding of MSDN is that) if you just want to check if the file is in the WHQL-approved list then you can use SfcIsFileProtected API.
For the complete list of WHQL-approved files, you can use SfcGetNextProtectedFile API.
Here is a quick sample that demonstrates how to use these APIs:
program crypttest3;
{$APPTYPE CONSOLE}
uses
SysUtils, Windows;
type
PProtectedFileData = ^TProtectedFileData;
TProtectedFileData = packed record
FileName: array[0..MAX_PATH + 1] of WideChar;
FileNumber: DWORD;
end;
const
BoolStrs: array[Boolean] of string = ('No', 'Yes');
var
SFC: THandle = 0;
SfcGetNextProtectedFile: function(RpcHandle: THandle; var ProtFileData: TProtectedFileData): BOOL; stdcall = nil;
SfcIsFileProtected: function(RpcHandle: THandle; ProtFileName: PWideChar): BOOL; stdcall = nil;
ProtFileData: TProtectedFileData;
begin
try
// include OS checks here; exit if not running Win98, Win2K or newer
SFC := LoadLibrary('sfc.dll');
if SFC = 0 then
raise Exception.Create('Cannot load SFC.DLL');
try
@SfcGetNextProtectedFile := GetProcAddress(SFC, 'SfcGetNextProtectedFile') ;
if @SfcGetNextProtectedFile = nil then
raise Exception.Create('Cannot find SfcGetNextProtectedFile');
@SfcIsFileProtected := GetProcAddress(SFC, 'SfcIsFileProtected');
if @SfcIsFileProtected = nil then
raise Exception.Create('Cannot find SfcIsFileProtected');
FillChar(ProtFileData, SizeOf(TProtectedFileData) , 0);
while SfcGetNextProtectedFile(0, ProtFileData) do
begin
Writeln(ProtFileData.FileN ame, ': ', BoolStrs[SfcIsFileProtecte d(ProtFile Data.FileN ame)]);
Inc(ProtFileData.FileNumbe r);
end;
finally
FreeLibrary(SFC);
end;
except
on E: Exception do
ShowException(E, ExceptAddr);
end;
end.
If you're after retrieving the actual driver signature then sorry, I'm stuck... sigverif seems to use a lot of undocumented functions. :-(
Some of the stuff is described in the links I posted.
Good luck, anyway.
HTH
TOndrej
For the complete list of WHQL-approved files, you can use SfcGetNextProtectedFile API.
Here is a quick sample that demonstrates how to use these APIs:
program crypttest3;
{$APPTYPE CONSOLE}
uses
SysUtils, Windows;
type
PProtectedFileData = ^TProtectedFileData;
TProtectedFileData = packed record
FileName: array[0..MAX_PATH + 1] of WideChar;
FileNumber: DWORD;
end;
const
BoolStrs: array[Boolean] of string = ('No', 'Yes');
var
SFC: THandle = 0;
SfcGetNextProtectedFile: function(RpcHandle: THandle; var ProtFileData: TProtectedFileData): BOOL; stdcall = nil;
SfcIsFileProtected: function(RpcHandle: THandle; ProtFileName: PWideChar): BOOL; stdcall = nil;
ProtFileData: TProtectedFileData;
begin
try
// include OS checks here; exit if not running Win98, Win2K or newer
SFC := LoadLibrary('sfc.dll');
if SFC = 0 then
raise Exception.Create('Cannot load SFC.DLL');
try
@SfcGetNextProtectedFile := GetProcAddress(SFC, 'SfcGetNextProtectedFile')
if @SfcGetNextProtectedFile = nil then
raise Exception.Create('Cannot find SfcGetNextProtectedFile');
@SfcIsFileProtected := GetProcAddress(SFC, 'SfcIsFileProtected');
if @SfcIsFileProtected = nil then
raise Exception.Create('Cannot find SfcIsFileProtected');
FillChar(ProtFileData, SizeOf(TProtectedFileData)
while SfcGetNextProtectedFile(0,
begin
Writeln(ProtFileData.FileN
Inc(ProtFileData.FileNumbe
end;
finally
FreeLibrary(SFC);
end;
except
on E: Exception do
ShowException(E, ExceptAddr);
end;
end.
If you're after retrieving the actual driver signature then sorry, I'm stuck... sigverif seems to use a lot of undocumented functions. :-(
Some of the stuff is described in the links I posted.
Good luck, anyway.
HTH
TOndrej
ASKER
Not every signed driver is also write-protected. (But the most signed driver seems to be write-protected.)
I will get you the point, because you have done a good work. Perhaps you can answer the following question (this will solve the problem 100%):
I found in the links you posted:
<<After obtaining the file hash, SfcValidateFileSignature uses another CryptoAPI to obtain a reference to the catalog file that contains the hashed file's digital signature.>>
Do you have an idea which CryptoAPI obtain a reference to the catalog file?
Thank you very much!
I will get you the point, because you have done a good work. Perhaps you can answer the following question (this will solve the problem 100%):
I found in the links you posted:
<<After obtaining the file hash, SfcValidateFileSignature uses another CryptoAPI to obtain a reference to the catalog file that contains the hashed file's digital signature.>>
Do you have an idea which CryptoAPI obtain a reference to the catalog file?
Thank you very much!
> Do you have an idea which CryptoAPI obtain a reference to the catalog file?
Sorry, no idea. I think it's using the CryptCATxxx functions exported in mscat32.dll but I couldn't find any info about them anywhere in the MSDN. Even Google didn't help, either.
I suggest you keep your points. I cannot help you with the problem.
Sorry, no idea. I think it's using the CryptCATxxx functions exported in mscat32.dll but I couldn't find any info about them anywhere in the MSDN. Even Google didn't help, either.
I suggest you keep your points. I cannot help you with the problem.
ASKER
I will give you the point - perhaps I need your help again ;-)
(If you found somethink interestig about this topic feel free to email me: kann@sharepower.virtualave .net)
(If you found somethink interestig about this topic feel free to email me: kann@sharepower.virtualave
OK but no promises. <g>
ASKER
Here comes the points.
If you have some Delphi source how to use:
WIN_SPUB_ACTION_NT_ACTIVAT E_IMAGE
WINTRUST_ACTION_GENERIC_VE RIFY_V2
I would be happy if you show this me. (Sorry for my bad English.)
If you have some Delphi source how to use:
WIN_SPUB_ACTION_NT_ACTIVAT
WINTRUST_ACTION_GENERIC_VE
I would be happy if you show this me. (Sorry for my bad English.)
They look like C constant declarations, they're probably declared in one of the header (.h) files in MS Platform SDK. What do you mean, how to use them?
Thanks for the undeserved points.
Thanks for the undeserved points.
ASKER
The function WinVerifyTrust() used this constants. Perhaps do you have a piece of source code how to use this?
I have MS Platform SDK of November 2001 and I've found the following:
WINTRUST_ACTION_GENERIC_VE RIFY_V2 is declared in SoftPub.h
WIN_SPUB_ACTION_NT_ACTIVAT E_IMAGE is declared in WinTrust.h
The Pascal translations are:
const
(*
#define WIN_SPUB_ACTION_NT_ACTIVAT E_IMAGE \
{ 0x8bc96b00, \
0x8da1, \
0x11cf, \
{0x87, 0x36, 0x00, 0xaa, 0x00, 0xa4, 0x85, 0xeb} \
}
*)
WIN_SPUB_ACTION_NT_ACTIVAT E_IMAGE: TGUID = '{8BC96B00-8DA1-11CF-8736- 00AA00A485 EB}';
(*
////////////////////////// ////////// ////////// ////////// ////////// ////////// //
//
// WINTRUST_ACTION_GENERIC_VE RIFY_V2 Guid (Authenticode)
//------------------------ ---------- ---------- ---------- ---------- ---------- --
// Assigned to the pgActionID parameter of WinVerifyTrust to verify the
// authenticity of a file/object using the Microsoft Authenticode
// Policy Provider,
//
// {00AAC56B-CD44-11d0-8CC2-0 0C04FC295E E}
//
#define WINTRUST_ACTION_GENERIC_VE RIFY_V2 \
{ 0xaac56b, \
0xcd44, \
0x11d0, \
{ 0x8c, 0xc2, 0x0, 0xc0, 0x4f, 0xc2, 0x95, 0xee } \
}
*)
WINTRUST_ACTION_GENERIC_VE RIFY_V2: TGUID = '{00AAC56B-CD44-11d0-8CC2- 00C04FC295 EE}';
HTH
TOndrej
WINTRUST_ACTION_GENERIC_VE
WIN_SPUB_ACTION_NT_ACTIVAT
The Pascal translations are:
const
(*
#define WIN_SPUB_ACTION_NT_ACTIVAT
{ 0x8bc96b00, \
0x8da1, \
0x11cf, \
{0x87, 0x36, 0x00, 0xaa, 0x00, 0xa4, 0x85, 0xeb} \
}
*)
WIN_SPUB_ACTION_NT_ACTIVAT
(*
//////////////////////////
//
// WINTRUST_ACTION_GENERIC_VE
//------------------------
// Assigned to the pgActionID parameter of WinVerifyTrust to verify the
// authenticity of a file/object using the Microsoft Authenticode
// Policy Provider,
//
// {00AAC56B-CD44-11d0-8CC2-0
//
#define WINTRUST_ACTION_GENERIC_VE
{ 0xaac56b, \
0xcd44, \
0x11d0, \
{ 0x8c, 0xc2, 0x0, 0xc0, 0x4f, 0xc2, 0x95, 0xee } \
}
*)
WINTRUST_ACTION_GENERIC_VE
HTH
TOndrej
ASKER
The confusion here is that we are talking about two TOTALLY DIFFERENT types of signatures: code signing (i.e., Authenticode) vs. WHQL driver signing. The first one, code signing, is used to authenticate the author of an executable. The second is to ensure that a particular driver has been certified for use with Windows 2000 or
Windows XP.