How to sign a kernel mode intermediate NDIS driver

  • Question

  • Hello,

    I need to sign a driver in order to have an authenticated driver and not have a pop-up during driver installation.

    I need to install my driver on the following OS : Win XP SP3 32 bits, Win 7 32 bits and Win 7 64 bits.

    This driver is, as stated in the title, an NDIS intermediate driver which operates in kernel mode. So it has 2 interfaces (.INF).

    I didn't find information about signing this type of driver.

    I succeeded in generating a catalog (.CAT) for one of the .INF files. I signed the catalog and driver binary with a certificate and signtool.

    When I verify the signature of the driver (.sys), I see that a catalog is found and that the binary is signed, but that signtool didn't find the root certificate.

    So I will test (I can't test right now) adding a cross-certificate on my command line (with something like: signtool sign /a /ac CrossCert.cert /v /t http... Driver.sys)

    But I'm not sure it will succeed.

    Does anyone have more information about it? Because documentation is very weak.

    Thanks.

    Gaël

    Thursday, July 5, 2012 3:56 PM

All replies

  • Hello,

    I need to sign a driver in order to have an authenticated driver and not have a pop-up during driver installation.

    I need to install my driver on the following OS : Win XP SP3 32 bits, Win 7 32 bits and Win 7 64 bits.

    This driver is, as stated in the title, an NDIS intermediate driver which operates in kernel mode. So it has 2 interfaces (.INF).

    I didn't find information about signing this type of driver.

     

    You will need to use the Windows Logo Kit (WLK) and the Unclassified Signature Program to achieve this on Windows XP (and newer). WLK will be superseded by the Windows Hardware Certification Kit (HCK) http://msdn.microsoft.com/en-us/windows/hardware/hh975438

    On Windows 7, you can use an Authenticode certificate. Have you read the Kernel-Mode Code Signing Walkthrough document? Please note that "NDIS 4.0 and 5.x intermediate filter drivers install and run in Windows Vista, but they are deprecated." You should use an NDIS LWF driver on Windows 7. http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/DrvCompat_Vista.doc

    BR, Antti

    Friday, July 6, 2012 6:10 AM
  • Thanks for the answer.

    I need to add some information: I can't move to NDIS 6.X and I can't apply to WHQL.

    I have already read the Kernel-Mode Code Signing Walkthrough. On your advice I looked at Authenticode but I believe I can't use it.

    I would be very interested in having information about generating a catalog for a driver with 2 INF files.

    Thanks.

    Gaël

    Friday, July 6, 2012 12:52 PM
  • If you can't apply to WHQL, then there isn't much to do on Windows XP to prevent popups.

    For a driver with 2 .inf files, just generate a separate .cat for both of the .inf files. And sign both .cat files.

    -- Antti

    Friday, July 6, 2012 3:25 PM
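
The procedure discussed in this thread (one catalog per .inf, both catalogs signed, then a check against the kernel-mode policy), as an added example that is not part of the original posts. It assumes Inf2Cat.exe and signtool.exe from the WDK are on the PATH and that each .inf names a different catalog in its CatalogFile directive; the package folder, certificate path and timestamp URL are placeholders.

```powershell
# Added example, not from the thread. Paths and the timestamp URL are assumptions.
$ErrorActionPreference = 'Stop'
$PackageDir   = 'C:\DriverPkg'                   # assumed: folder holding the .sys and both .inf files
$CrossCert    = 'C:\Certs\CrossCert.cert'        # cross-certificate file (name taken from the question)
$TimestampUrl = '<TIMESTAMP-SERVER-URL>'         # placeholder: your CA's timestamp server
$OsList       = 'XP_X86,7_X86,7_X64'             # the three targets named in the question

function Invoke-Tool {
    # Run a native tool and stop on a non-zero exit code.
    param([string]$Exe, [string[]]$ToolArgs)
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe failed with exit code $LASTEXITCODE" }
}

# 1. Read the catalog name each INF declares; two INFs must not share one .cat.
$catalogs = @(foreach ($inf in Get-ChildItem -Path $PackageDir -Filter *.inf) {
    $m = Select-String -Path $inf.FullName -Pattern '^\s*CatalogFile(\.\w+)?\s*=\s*([^;\s]+)' |
         Select-Object -First 1
    if (-not $m) { throw "$($inf.Name) has no CatalogFile directive" }
    $m.Matches[0].Groups[2].Value
})
if (@($catalogs | Sort-Object -Unique).Count -ne $catalogs.Count) {
    throw 'Both INF files point at the same catalog; give each its own CatalogFile name.'
}

# 2. Embed-sign the driver binaries, chaining through the cross-certificate.
$binaries = @(Get-ChildItem -Path $PackageDir -Filter *.sys)
foreach ($sys in $binaries) {
    Invoke-Tool 'signtool.exe' @('sign', '/v', '/a', '/ac', $CrossCert, '/t', $TimestampUrl, $sys.FullName)
}

# 3. Inf2Cat writes one catalog per INF found under the package folder.
Invoke-Tool 'Inf2Cat.exe' @("/driver:$PackageDir", "/os:$OsList")

# 4. Sign every generated catalog the same way, then verify with the
#    kernel-mode driver signing policy (/kp) instead of the default policy.
foreach ($cat in $catalogs) {
    $catPath = Join-Path $PackageDir $cat
    Invoke-Tool 'signtool.exe' @('sign', '/v', '/a', '/ac', $CrossCert, '/t', $TimestampUrl, $catPath)
    Invoke-Tool 'signtool.exe' @('verify', '/kp', '/v', $catPath)
    foreach ($sys in $binaries) {
        Invoke-Tool 'signtool.exe' @('verify', '/kp', '/v', '/c', $catPath, $sys.FullName)
    }
}
```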