A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
#33066 by Hippey
Tue Jul 09, 2019 1:01 pm
Hi!

For research purposes I want exactly this:
1. Read some kernel-mode module, for instance driver.sys, from disk into kernel memory and verify its digital signature, i.e. that it is allowed to be loaded in the kernel.
2. If the digital signature of driver.sys on disk is valid, I need to check that the driver.sys image in memory (System process) is not modified and that its code is completely identical to the code of the driver.sys file.

As far as I know so far:
For 1) I can use the ci.dll exported function CiCheckSignedFile for that.
2) As I understand, I can use the CiValidateImageHeader and CiValidateImageData functions inside ci.dll, but these functions use g_CiOptions, which can be corrupted.

Maybe it is a bad idea to use ci.dll? Can somebody advise me with an example of reading the embedded signature inside a PE file and verifying it using some crypto library like OpenSSL or mbedtls that is suitable for kernel mode too?

Thanks
#33067 by Vrtule
Tue Jul 09, 2019 8:28 pm
As for 1), the only documented way I know of is to perform the signature verification/validation by a usermode service (WinVerifyTrust).

I am not sure how compatible the ci.dll solution is across various Windows versions.
2) As I understand, I can use the CiValidateImageHeader and CiValidateImageData functions inside ci.dll, but these functions use g_CiOptions, which can be corrupted.
And what if ci.dll itself is corrupted (its code/data modified)? AFAIK the DLL and also the g_CiOptions variable are protected by KPP. Also, if you expect to run together with kernel malware, the malware may always trick you (in theory).
#33068 by Hippey
Wed Jul 10, 2019 1:05 am
Vrtule wrote:As for 1), the only documented way I know of is to perform the signature verification/validation by a usermode service (WinVerifyTrust).

I am not sure how compatible the ci.dll solution is across various Windows versions.
2) As I understand, I can use the CiValidateImageHeader and CiValidateImageData functions inside ci.dll, but these functions use g_CiOptions, which can be corrupted.
And what if ci.dll itself is corrupted (its code/data modified)? AFAIK the DLL and also the g_CiOptions variable are protected by KPP. Also, if you expect to run together with kernel malware, the malware may always trick you (in theory).
Thanks for your answer, I decided not to use any of the ci.dll code and will verify the signature myself. I'm currently in the process of making an ASN.1 parser for the Authenticode PKCS#7 signature format.
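Before the PKCS#7 parsing comes the part of "verify the signature myself" that is easy to get subtly wrong: computing the file digest the way Authenticode defines it, which skips the CheckSum field, the security data-directory entry and the attribute certificate table, so that neither re-checksumming nor re-signing changes the digest while any patched code byte does. The following is an added example, not code from this thread; it handles PE32+ only, builds a constructed minimal image with a placeholder certificate blob instead of a real signature, and hashes the file in on-disk order (equivalent to the spec's section walk for an image laid out in PointerToRawData order).

```python
import hashlib
import struct

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY

def authenticode_hash(data: bytes, algo: str = "sha256") -> str:
    """Digest a PE32+ file the way Authenticode does: the CheckSum field, the
    security data-directory entry and the attribute certificate table are skipped."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                         # IMAGE_OPTIONAL_HEADER64 follows the file header
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("only PE32+ handled here (PE32 has different field offsets)")
    checksum_off = opt + 64                     # CheckSum field
    secdir_off = opt + 112 + 8 * SECURITY_DIR   # IMAGE_DATA_DIRECTORY[4]
    cert_off, cert_size = struct.unpack_from("<II", data, secdir_off)  # file offset (not RVA), size
    h = hashlib.new(algo)
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:secdir_off])
    h.update(data[secdir_off + 8:cert_off if cert_size else len(data)])
    if cert_size:
        h.update(data[cert_off + cert_size:])   # certificate table itself is never hashed
    return h.hexdigest()

def build_sample_pe(cert_blob: bytes) -> bytes:
    """Constructed minimal PE32+ (512 bytes of headers + one 512-byte .text section),
    not a real driver, with a WIN_CERTIFICATE (revision 2.0, type PKCS#7) appended."""
    img = bytearray(1024)
    img[0:2], img[64:68] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 64)       # e_lfanew
    struct.pack_into("<HHIIIHH", img, 68, 0x8664, 1, 0, 0, 0, 240, 0x22)  # IMAGE_FILE_HEADER
    opt = 88
    struct.pack_into("<H", img, opt, 0x20B)     # PE32+ magic
    struct.pack_into("<II", img, opt + 60, 512, 0)    # SizeOfHeaders, CheckSum (left unset)
    struct.pack_into("<I", img, opt + 108, 16)        # NumberOfRvaAndSizes
    img[opt + 240:opt + 248] = b".text\0\0\0"         # first (only) section header: Name
    struct.pack_into("<II", img, opt + 256, 512, 512)  # SizeOfRawData, PointerToRawData
    img[512:516] = b"\xcc\xcc\xcc\xc3"                 # constructed code bytes
    cert = struct.pack("<IHH", 8 + len(cert_blob), 0x200, 2) + cert_blob  # dwLength, wRevision, wCertificateType
    struct.pack_into("<II", img, opt + 112 + 8 * SECURITY_DIR, len(img), len(cert))
    return bytes(img) + cert
```

The digest obtained this way is what must equal the messageDigest carried in the SpcIndirectDataContent of the parsed PKCS#7 blob; comparing it against a plain file hash would fail for every signed file.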