WHQL driver signing check

WHQL driver signing ensure that a particular driver has been certified for use with Windows 2000 or Windows XP.
How can I check if a file (.sys,.exe,.dll) is WHQL-signed with Delphi? I need the source of a function like IsFileWHQLsigned('explorer.exe').
(Explorer.exe has no Authenticode signature, but the file is WHQL-signed. Check this with sigverif.exe.)
KannAsked:
Who is Participating?
 
TOndrejConnect With a Mentor Commented:
It's not clear whether you want to check an already installed file or an external file before installation.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q224404
http://www.microsoft.com/windows2000/en/datacenter/help/default.asp?url=/windows2000/en/datacenter/help/code_signing.htm

There are utilities to check already installed files, like sfc and sigverif.

It seems that WHQL signature is a standard Authenticode signature of a .cat file that comes with the driver. This .cat file was specified in the .inf file during installation.

sigverif imports WinVerifyTrust API from wintrust.dll and that supports my theory (WinVerifyTrust uses the standard CryptoAPI functions). I guess you need to call WinVerifyTrust, passing it the catalog file (.cat).

Sorry I don't have more details.
0
 
KannAuthor Commented:
Read this hint about "WHQL driver signing":
The confusion here is that we are talking about two TOTALLY DIFFERENT types of signatures: code signing (i.e., Authenticode) vs. WHQL driver signing. The first one, code signing, is used to authenticate the author of an executable.  The second is to ensure that a particular driver has been certified for use with Windows 2000 or
Windows XP.
0
 
TOndrejCommented:
I've just found out that you can use the crypttest2 utility from your previous question on .cat files in %SystemRoot%\CatRoot\... subdirectories.
The question is how to determine which .cat file is associated with a particular driver file (.sys, .dll)...
I have no idea about this.
0
Cloud Class® Course: C++ 11 Fundamentals

This course will introduce you to C++ 11 and teach you about syntax fundamentals.

 
TOndrejCommented:
Do a Google on 'WinVerifyTrust', you'll find interesting info, e.g.
http://www.winntmag.com/Articles/Index.cfm?ArticleID=7088&pg=1
0
 
KannAuthor Commented:
Hello TOndrej,

I want to check an already installed file.

> The question is how to determine which .cat file is associated with a particular driver file (.sys, .dll)...

Yes, that is the question. I study sigverif.exe, which checks if a file is WHQL-signed. Sigverif.exe use this API:

MSCAT32.dll
           6     CryptCATAdminReleaseContext
          15     CryptCATCatalogInfoFromContext
           4     CryptCATAdminEnumCatalogFromHash
           1     CryptCATAdminAcquireContext
           5     CryptCATAdminReleaseCatalogContext
          33     IsCatalogFile
           3     CryptCATAdminCalcHashFromFileHandle
WINTRUST.dll
         107     WinVerifyTrust

Perhaps this can help you?
0
 
TOndrejCommented:
Sorry, I couldn't find any documentation on mscat32.dll and its functions.
0
 
TOndrejCommented:
(My understanding of MSDN is that) if you just want to check if the file is in the WHQL-approved list then you can use SfcIsFileProtected API.
For the complete list of WHQL-approved files, you can use SfcGetNextProtectedFile API.

Here is a quick sample that demonstrates how to use these APIs:

program crypttest3;

{$APPTYPE CONSOLE}

uses
  SysUtils, Windows;

type
  PProtectedFileData = ^TProtectedFileData;
  TProtectedFileData = packed record
    FileName: array[0..MAX_PATH + 1] of WideChar;
    FileNumber: DWORD;
  end;

const
  BoolStrs: array[Boolean] of string = ('No', 'Yes');

var
  SFC: THandle = 0;
  SfcGetNextProtectedFile: function(RpcHandle: THandle; var ProtFileData: TProtectedFileData): BOOL; stdcall = nil;
  SfcIsFileProtected: function(RpcHandle: THandle; ProtFileName: PWideChar): BOOL; stdcall = nil;

  ProtFileData: TProtectedFileData;
begin
  try
    // include OS checks here; exit if not running Win98, Win2K or newer
    SFC := LoadLibrary('sfc.dll');
    if SFC = 0 then
      raise Exception.Create('Cannot load SFC.DLL');
    try
      @SfcGetNextProtectedFile := GetProcAddress(SFC, 'SfcGetNextProtectedFile');
      if @SfcGetNextProtectedFile = nil then
        raise Exception.Create('Cannot find SfcGetNextProtectedFile');
      @SfcIsFileProtected := GetProcAddress(SFC, 'SfcIsFileProtected');
      if @SfcIsFileProtected = nil then
        raise Exception.Create('Cannot find SfcIsFileProtected');

      FillChar(ProtFileData, SizeOf(TProtectedFileData), 0);
      while SfcGetNextProtectedFile(0, ProtFileData) do
      begin
        Writeln(ProtFileData.FileName, ': ', BoolStrs[SfcIsFileProtected(ProtFileData.FileName)]);
        Inc(ProtFileData.FileNumber);
      end;
    finally
      FreeLibrary(SFC);
    end;
  except
    on E: Exception do
      ShowException(E, ExceptAddr);
  end;
end.

If you're after retrieving the actual driver signature then sorry, I'm stuck... sigverif seems to use a lot of undocumented functions. :-(
Some of the stuff is described in the links I posted.
Good luck, anyway.

HTH
TOndrej
0
 
KannAuthor Commented:
Not every signed driver is also write-protected. (But the most signed driver seems to be write-protected.)
I will get you the point, because you have done a good work. Perhaps you can answer the following question (this will solve the problem 100%):

I found in the links you posted:
<<After obtaining the file hash, SfcValidateFileSignature uses another CryptoAPI to obtain a reference to the catalog file that contains the hashed file's digital signature.>>
Do you have an idea which CryptoAPI obtain a reference to the catalog file?

Thank you very much!
0
 
TOndrejCommented:
> Do you have an idea which CryptoAPI obtain a reference to the catalog file?

Sorry, no idea. I think it's using the CryptCATxxx functions exported in mscat32.dll but I couldn't find any info about them anywhere in the MSDN. Even Google didn't help, either.

I suggest you keep your points. I cannot help you with the problem.
0
 
KannAuthor Commented:
I will give you the point - perhaps I need your help again ;-)

(If you found somethink interestig about this topic feel free to email me: kann@sharepower.virtualave.net)
0
 
TOndrejCommented:
OK but no promises. <g>
0
 
KannAuthor Commented:
Here comes the points.

If you have some Delphi source how to use:
  WIN_SPUB_ACTION_NT_ACTIVATE_IMAGE
  WINTRUST_ACTION_GENERIC_VERIFY_V2
I would be happy if you show this me. (Sorry for my bad English.)
0
 
TOndrejCommented:
They look like C constant declarations, they're probably declared in one of the header (.h) files in MS Platform SDK. What do you mean, how to use them?

Thanks for the undeserved points.
0
 
KannAuthor Commented:
The function WinVerifyTrust() used this constants. Perhaps do you have a piece of source code how to use this?
0
 
TOndrejCommented:
I have MS Platform SDK of November 2001 and I've found the following:

WINTRUST_ACTION_GENERIC_VERIFY_V2 is declared in SoftPub.h
WIN_SPUB_ACTION_NT_ACTIVATE_IMAGE is declared in WinTrust.h

The Pascal translations are:

const
(*
#define     WIN_SPUB_ACTION_NT_ACTIVATE_IMAGE                    \
            { 0x8bc96b00,                                        \
              0x8da1,                                            \
              0x11cf,                                            \
              {0x87, 0x36, 0x00, 0xaa, 0x00, 0xa4, 0x85, 0xeb}   \
            }
*)
  WIN_SPUB_ACTION_NT_ACTIVATE_IMAGE: TGUID = '{8BC96B00-8DA1-11CF-8736-00AA00A485EB}';

(*
//////////////////////////////////////////////////////////////////////////////
//
// WINTRUST_ACTION_GENERIC_VERIFY_V2 Guid  (Authenticode)
//----------------------------------------------------------------------------
//  Assigned to the pgActionID parameter of WinVerifyTrust to verify the
//  authenticity of a file/object using the Microsoft Authenticode
//  Policy Provider,
//
//          {00AAC56B-CD44-11d0-8CC2-00C04FC295EE}
//
#define WINTRUST_ACTION_GENERIC_VERIFY_V2                       \
            { 0xaac56b,                                         \
              0xcd44,                                           \
              0x11d0,                                           \
              { 0x8c, 0xc2, 0x0, 0xc0, 0x4f, 0xc2, 0x95, 0xee } \
            }
*)
  WINTRUST_ACTION_GENERIC_VERIFY_V2: TGUID = '{00AAC56B-CD44-11d0-8CC2-00C04FC295EE}';

HTH
TOndrej
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.