[evelyette]

Hi,

I'm interested in knowing how one can verify the integrity of the DLL from a kernel-mode driver prior to DLL being injected into the application. I'm basically looking for a kernel-mode WinVerifyTrustEx. I've seen the https://msdn.microsoft.com/en-us/librar ... s.85).aspx, but it doesn't have an alternative function that can do so easily. There is a the BCryptVerifySignature (https://msdn.microsoft.com/en-us/librar ... S.85).aspx) API, but it requires a known hash calculated in advance, which doesn't play well with updates, since when updating the DLL, the kernel driver would also need to be updated (in order to add the expected hash).

Also, the parsing of PE file for IMAGE_DIRECTORY_ENTRY_SECURITY seems to be a must, since there is no easy-to-use function that can fit the use-case here. Btw: how do the AV companies ensure the DLL that will be injected from kernel driver into the supposedly malicious user-mode process is the original DLL from the same AV company. A malicious actor can replace the DLL, so an AV would essentially inject a malicious DLL into the process. Prior to parsing the PE file format, I wanted to ask here whether there's any 'hidden' easy-to-use API or if somebody knows how AV solutions check the the installed DLLs are actually their own (from the same AV company), rather than some malicious binaries.

[Brock]

Unfortunately (from what I know anyhow) BCrypt is only available on newer/modern versions of Windows. If you plan to support legacy OS then you'll likely have to implement this by hand I guess. I have a friend who did exactly this by writing his own authenticode/ASN parser, implementing his own SHA and RSA routines, extending the Crypto++ feature set etc. It's a painful process and to answer your other inquiry about the to-be-injected DLL being replaced after the integrity is checked, it's possible and not easy to circumvent. Basically, it can be a headache depending on desired OS support.

[evelyette]

My plan is to support versions from Windows 7 (including) upwards; however if this is considerably easier in Windows 8.1+ I might not bother with Windows 7. Can you provide a link to BCrypt? So all other AV vendors out there are also doing this manually, which makes this a likely issue where they get it wrong and worth investigating. Would it be possible to obtain any comments from your friend stating the problems he had implementing this crypto stuff, which might not be obvious when he started working on the solution. I would like to fully understand the possible problems prior to jumping right into the implementation.

[Vrtule]

Hello,

CNG API (BCrypt) is available in Windows Vista and later, so you can safely use it on Windows 7 (unless you are using some features added in later versions).

Talking about "do-it-yourself" solutions, I have a good experience with libsodium library. It can be viewed as a simpler version of NaCl library and it is quite easy to port it into the kernel world. Yes, you need to do signatures and verifications yourself. The simplest way probably is to make detached signatures and place them separately (since only a plublic key is required for verification, no one can forge you, especially if your public key is part of your driver, thus protected by Authenticode signature).

Vrtule