|
阅读:7560回复:27
请教:64位vista下,如何设置安装没有签名的驱动?
64位vista下,默认是不允许安装没有签名的驱动的。
开机的时候,按f8,选择 Allow use of unsigned drivers 但是这样的设置只对本次启动生效。 除此之外,还有一劳永逸的办法吗? 请教诸位大虾 |
|
|
|
沙发#
发布于:2007-08-27 14:10
REM Copyright (c) Microsoft Corporation. All rights reserved.
Echo off Rem Clean up environment before starting demo Rem Delete any old certificates certmgr -del -all -s PrivateCertStore >junk.txt set CERTDIR=%CD% del junk.txt set myproc=x86 Echo on cls @Echo ******************************************************************************* @Echo This script is intended to show driver signing for Windows Vista. @Echo It should run correctly on Windows XP and Windows Server 2003, @Echo however some of the instructions may not be relevant prior to Windows Vista. @Echo ******************************************************************************* @Echo For Windows Vista, this script needs to "Run as Administrator" in a @Echo WDK Build Environment Window. @Echo . @Echo Some of the tools will not run correctly if you are not "running elevated". @Echo . @Echo If you did not open the Window as Administrator, please do the following: @Echo From the Start Menu, navigate to the WDK Build Environments. @Echo Instead of left clicking on the build environment shortcut, right click. @Echo Now select "Run as Administrator" @Echo . @Echo Hit Ctrl Break to stop this script if you are not "Running as Administrator." @Echo ******************************************************************************* pause cls echo off REM CHECK for x64 if defined %PROCESSOR_ARCHITEW6432% goto AMD64 if not %PROCESSOR_ARCHITECTURE% == AMD64 goto Continue :AMD64 set myproc=AMD64 rem CHECK if testsigning is on rem bcdedit >junk.txt rem findstr /c:"testsigning Yes" junk.txt rem if %errorlevel% EQU 0 goto Continue rem bcdedit -set testsigning on cls @Echo ******************************************************************************* @ECHO On x64 Vista, Testsigning must be set on for this script to work correctly. @Echo If Testsigning is on, you will see "Test Mode" in the 4 corners of your desktop. @ECHO . @Echo If Testsigning is not on, please open a command window, running @Echo as Administrator, and issue the command: @Echo bcdedit -set testsigning on @Echo Then please reboot and rerun this script. @Echo ******************************************************************************* Pause :Continue cls Echo on @Echo ******************************************************************************* @Echo This is a demonstration of how to use the tools in the WDK to: @Echo 1. Create a certificate @Echo 2. Sign your driver package with the certificate @Echo 3. Install the certificate into your certificate store @Echo 4. Install the driver @Echo . @Echo ******************************************************************************* @Echo First, We will create a certificate with the makecert.exe tool. @Echo Syntax: Makecert -r -pe -ss YourCertStore -n "CN=TestCertName" TestCert.cer @Echo ******************************************************************************* Makecert -r -pe -ss PrivateCertStore -n "CN=TestCertforWDK" TestCert.cer Pause cls @Echo ******************************************************************************* @Echo After you have created your cert, you can use it to sign your driver package. @Echo We will use the toaster driver in our demo. @Echo . @Echo . @Echo Go to the directory with the toaster driver package. pushd %PROJECT_ROOT%\general\toaster\toastpkg\toastcd pause REM Copy the catalog files that ship with the kit If not exist *.original copy *.cat *.original cls @Echo ******************************************************************************* @Echo Then we update the INF file to indicate it is a Vista driver @Echo We can use stampinf to update the INF file. @Echo Syntax: stampinf -f inffilename.inf -d mm/dd/yyyy -v 6.n.nnnn.n (6 = Vista) @Echo ******************************************************************************* stampinf -f toastpkg.inf -d 04/01/2006 -v 6.0.9999.0 pause cls @Echo ******************************************************************************* @Echo Next, you need to create a CAT file for your driver package. @Echo You can use signability.exe to create the CAT file from your INF file. @Echo Syntax: signability /driver:path to driver location /auto /cat /os:# @Echo where # is a bitmask. See the WDK documentation for more information. @Echo ******************************************************************************* pause signability /driver:%PROJECT_ROOT%\general\toaster\toastpkg\toastcd /auto /cat /os:768 taskkill /FI "WINDOWTITLE eq signability*" cls @Echo ******************************************************************************* @Echo Now that we have a CAT file, we need to sign it. @Echo We will use signtool.exe to sign the CAT file. @Echo . @Echo Syntax: SignTool sign /s YourPrivateCertStore yourCat.cat @Echo . @Echo ******************************************************************************* SignTool sign /s PrivateCertStore %PROJECT_ROOT%\general\toaster\toastpkg\toastcd\tostx86.cat SignTool sign /s PrivateCertStore %PROJECT_ROOT%\general\toaster\toastpkg\toastcd\tstamd64.cat pause cls @Echo ******************************************************************************* @Echo IMPORTANT: If you are signing a driver for public release you should be using @Echo a Software Publisher Certificate with a Cross Certificate to the Microsoft @Echo root. And you should TIMESTAMP your signature. The syntax for production @Echo signing is: @Echo Signtool sign /v /ac CrossCertificateFile /s SPCCertificateStore @Echo /n SPCSubjectName /t http://timestamp.verisign.com /scripts/timestamp.dll @Echo yourCat.cat @Echo . @Echo For more information on signing for publication, go to: @Echo http://www.microsoft.com/whdc/winlogo/drvsign/drvsign.mspx @Echo ******************************************************************************* pause cls @Echo ******************************************************************************* @Echo We recommend that you use a different machine for testing a driver than the @Echo one you used to build your driver. Signing will normally occur on the build @Echo machine. The steps that follow will normally occur on the test machine. @Echo ******************************************************************************* pause cls @Echo ******************************************************************************* @Echo Before you can install your Driver Package you must add your test certificates @Echo into the certificate store on the target machine. @Echo . @Echo You can automate certificate installation using the certmgr.exe tool. @Echo Syntax: certmgr.exe -add TestCert.cer -s -r localMachine root @Echo ******************************************************************************* certmgr.exe -add %CERTDIR%\testcert.cer -s -r localMachine root certmgr.exe -add %CERTDIR%\testcert.cer -s -r localMachine trustedpublisher Pause cls @Echo ******************************************************************************* @Echo Finally, you can use devcon.exe to install the signed driver @Echo Syntax: devcon install INFfile HardWareID @Echo ******************************************************************************* Echo on if %myproc% == x86 %basedir%\tools\devcon\i386\devcon.exe install %PROJECT_ROOT%\general\toaster\toastpkg\toastcd\toastpkg.inf {b85b7c50-6a01-11d2-b841-00c04fad5171}\mstoaster if %myproc% == AMD64 %basedir%\tools\devcon\amd64\devcon.exe install %PROJECT_ROOT%\general\toaster\toastpkg\toastcd\toastpkg.inf {b85b7c50-6a01-11d2-b841-00c04fad5171}\mstoaster Pause popd cls @Echo ******************************************************************************* @Echo ******************************************************************************* @Echo You can see the Toaster driver successfully installed using Device Manager. @Echo You can also see the signature (unless you are running x86 Windows XP). @Echo It appears on the driver, but not the individual files of the driver. @Echo . @Echo If you are running on Windows Vista x64 and you do not have testsigning turned @Echo on, you will see an error for the toaster driver in Device Manager. @Echo . @Echo Thank you for viewing this demo. If you have problems, questions or @Echo suggestions, please send email to ddksupp@microsoft.com @Echo ******************************************************************************* @Echo ******************************************************************************* 哈哈 wdk里边的例子 贴出来大家see see |
|
|
|
板凳#
发布于:2007-08-14 13:36
引用第25楼iwill于2007-07-18 11:57发表的 : Even if these crackings work for many drivers, I don't think they can solve boot-start driver's problem. |
|
|
|
地板#
发布于:2007-07-18 09:57
I hope this would be helpful.
Signing machine Create a cert with makecert.exe makecert -sr localMachine -ss PrivateCertStore -n CN=Contoso.com(Test) testcert.cer Signing a catalog with the test certificate SignTool sign /v /s PrivateCertStore /n contoso.com(Test) /t http://timestamp.verisign.com/scripts/timestamp.dll tstamd64.cat Embedded signing with the test certificate SignTool sign /v /s PrivateCertStore /n contoso.com /t http://timestamp.verisign.com/scripts/timestamp.dll toaster.sys Test machine Adding the test certficicate to the trusted publisher store and root store certmgr /add /c /s /r localMachine CA /n “Root Agency” /s /r localMachine root certmgr.exe -add testcert.cer -s -r localMachine trustedpublisher Enable test signed code to load using the bcd option bcdedit.exe /set TestSigning on |
|
|
地下室#
发布于:2007-06-27 15:35
各位有谁对PATCH GUARD做了研究了吗?
很想一起交流一下,如何破掉 |
|
|
5楼#
发布于:2007-04-27 13:52
引用第22楼tiamo于2007-03-21 17:25发表的“”: 如果RMB升值到和$一样,你就不会抱怨了  |
|
|
|
6楼#
发布于:2007-03-21 15:25
是啊....必然是先得干掉那个patchguard才行....
不然就只能非法途径弄个证书了.... 其实ms的政策很开放的 就是那个破数字证书得要花钱.... |
|
|
7楼#
发布于:2007-03-20 15:17
引用第17楼rayyang2000于2007-03-19 07:08发表的“”: 这种可能也有,连ms还有两个假证书,不信你们找一下系统中 IE->internet选项->内容->证书-> 未受信任的证书列表 |
|
|
|
8楼#
发布于:2007-03-20 15:15
haha,你在kernel patch,又会遇到 patchguard... 又有事可做了..
|
|
|
|
9楼#
发布于:2007-03-20 14:28
验证的过程是需要root证书是ms自己发布的才行....
在crypt32.dll里面的函数名字好像是 CertDllVerifyMicrosoftRootCertificateChainPolicy (刚刚ida了一下,只是加载了一下pdb,浏览了一下找出来的名字... 曾经ida过的文件已经随着上次raid0的浮云全部没了...) 从2000开始就这样了... 可以看2000和nt的源代码... ======== 其实用户态只是需要patch掉这个函数的返回值就行了 32位下可以这样... 1.自己弄个认证服务器.生成一个证书 2.导入到目标电脑里面 3.patch掉那个root必须是ms自己的判断就行了... 64位下...我也没试过.... ========================= 凭记忆书写...错了别找我...囧 |
|
|
10楼#
发布于:2007-03-20 06:33
我觉得肯定会有很多证书可用,就像现在就算公司里买了几百万的正版软件照样会有人上传。
公司保管严密,程序员却没这份心思,证书满天飞也不稀奇。 另外,参照VISTA 模拟oem的思路来安装无签名驱动是否可行,大家来想办法。 |
|
|
11楼#
发布于:2007-03-19 07:08
引用第16楼Kalee于2007-03-17 21:39发表的“”: 可以,这样那个公司就会背黑锅了 只是不知道如果那个公司发现以后取消证书,是否会对以后的应用有问题(猜想不会,毕竟没有联网的机器是不可能知道证书取消的)不过正因为这个原因,只要懂行的公司都会很小心的保管自己的证书的 |
|
|
|
12楼#
发布于:2007-03-17 19:39
用别的大公司泄漏出来的证书签名不可以么?
我还没用过vista64,所以不知道驱动安装的要求有些什么变化, 一般现在很多公司的商业产品没有签名的非常多。 |
|
|
13楼#
发布于:2007-03-16 09:14
伪造签名不是不可能的,前提是现在的认证体系有严重bug,而且刚好被你找到:)
不过这个时间估计真的是1万年... 目前的代码签名使用的是证书体系,在目前基本上没有伪造的可能...除非你把证书验证的代码给hack了 |
|
|
|
14楼#
发布于:2007-03-16 06:37
引用第13楼wowocock于2007-03-15 11:17发表的“”: 用星星的话来说:如果这个期限是1万年... |
|
|
|
15楼#
发布于:2007-03-15 09:17
不知道这种证书伪造的可能性如何?这年头人有多大胆,地有多大产......
|
|
|
|
16楼#
发布于:2007-03-14 07:26
好像很多人都喜欢把DTM/WHQL当作driver可以在Vista上运行的前提,其实是个误解。
driver要在vista上运行,基本要求是做kernel-mode code signing(KMCS),这个是和很多网站程序、应用程序做的应用程序认证是一样的,只不过一个是user-mode,一个是kernel-mode。这2种认证都是为了保证app/driver的开发者是经过认证的,不是virus/malware的作者,最终就是大大限制了virus/malware的散布。因为如果OS强制要求app/driver必须有这个签名的话,被签名的恶意程序很容易被找到作者,也会承担相应的法律责任。 而DTM/WHQL是为了Windows的稳定性而提出的,它的目的是为了保证Windows的兼容性,不会造成某些硬件/软件在上面不能用。而厂商的程序在提交WHQL/DTM之前就要做好KMCS了(尤其是boot driver,更要把cert嵌入到.sys中)。 因此,如果你的driver过了WHQL,当然也就过了KMCS,但是这并不是driver在vista 64上运行的必要条件。如果只是做了KMCS,driver也可以在vista 64上运行,对于某些类型的driver只是会出现一个警告窗口而已。 |
|
|
|
17楼#
发布于:2007-03-05 12:29
引用第3楼haiyanfu于2007-01-19 16:36发表的“”: 不要误导人,这儿的证书有bug,不建议大家采用 |
|
|
|
18楼#
发布于:2007-03-05 11:46
每次都交钱给ms,神啊!
 |
|
|
19楼#
发布于:2007-02-27 14:38
在开发中,制作一个测试用的cat文件是很有必要和方便的,至于经过MS认证的是提交DTM 测试的LOG档后,交钱给MS就可以获得一个一劳永逸的CAT了.
|
|
上一页
下一页