Driver Signing


The madCodeHook injection drivers need to be configured and signed. If you skip one of these steps, the drivers won't work at all.

How To Get A Code Signing Certificate

For signing you need to have your own Microsoft Authenticode code signing certificate. There are several so-called "Certificate Authorities" which offer such certificates. The best known Certificate Authority is probably Verisign. Please be aware that some certificates support signing drivers, while others don't. GlobalSign and Verisign definitely support it. A good value option seems to be GlobalSign. They offer code signing certificates for a relatively affordable 219 USD per year.

The Certificate Authority usually requires you to provide some legal documentation that will validate your company name. If you lack such documentation for whatever reason, you can register for a DUNS (Dun and Bradstreet) number here. Please note that the whole DUNS registration process can take months. So if you may need such a DUNS number at some time in the future, I'd suggest going ahead and registering as soon as possible, as it's a free service, IIRC.

Windows 10 SecureBoot compatibility - EV certificates

Sometimes I hate Microsoft. As if code signing wasn't already expensive and complicated enough, now for Windows 10 SecureBoot compatibility we need to buy the more expensive EV certificates. Furthermore, you need to send your EV signed drivers in to Microsoft to have them co-signed by them. Really ugly. Alternatively, ask your users to disable SecureBoot; then the conventional certificates will still work fine.

SHA1 vs SHA256

Older OSs only support SHA1 certificates. Newer OSs require SHA256 certificates, if you don't want to get nasty complaints in Microsoft Edge/IE. Probably the only proper solution is to sign with both SHA1 and SHA256 certificates. Or alternatively use SHA256 only, but some older OSs only support that after the user has applied a patch. Ouch.

File Signing Preparations

From your Certificate Authority you will get two files: The private key ("privateKey.pvk") and the certificate ("certificate.spc"). In addition to that you need a matching cross certificate from Microsoft ("msCross.cer"), which you can download here. You will also need two tools, both of which are part of the "Windows Driver Kit", which you can download here. The tools we need are "pvk2pfx.exe" and "signtool.exe".

The two files you got from your Certificate Authority are hard to work with. Because of that we combine them into a more comfortable file format ("combined.pfx") by using the following command:

pvk2pfx -pvk privateKey.pvk -spc certificate.spc -pfx combined.pfx

Now on your development PC right click on the "combined.pfx" file and choose "install". Your development PC is now ready for signing.

How To Sign A Driver

In order to sign a file, you can now run the "signtool" on your development PC. You need to feed it quite a long list of parameters. Also, for the timestamping to work correctly, your development PC must have internet access. If you timestamp the driver, the signature will stay valid even after the certificate has expired. If you don't timestamp the driver, the signature will become invalid the moment the certificate expires, which is usually not the desired behaviour, so timestamping is recommended. Here are the parameters I'm using myself:

signtool sign /ph /v /n "Your Company Name" /ac msCross.cer /t <timestamp server URL> /d "DriverFileDescription" /du "" c:\whatever\driver.sys
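
The following PowerShell script is an added example, not part of the original madCodeHook documentation. It shows one way to apply the dual SHA1 + SHA256 signing mentioned under "SHA1 vs SHA256" and then check the result with "signtool verify". It assumes a signtool build recent enough to support /as, /tr and /td, and that both certificates are installed in the certificate store; the thumbprints and timestamp server URLs are placeholders you must fill in.

```powershell
# Added example: dual-sign a driver (SHA1 + SHA256) and verify the result.
# Every value in angle brackets is a placeholder, not a value from the page.
param(
    [string]$Driver         = 'c:\whatever\driver.sys',
    [string]$CrossCert      = 'msCross.cer',
    # signtool's /sha1 option selects a certificate by its SHA1 thumbprint,
    # for the SHA256 certificate too. This avoids ambiguity when both
    # certificates carry the same company name.
    [string]$Sha1Thumb      = '<thumbprint of the SHA1 certificate>',
    [string]$Sha256Thumb    = '<thumbprint of the SHA256 certificate>',
    [string]$AuthenticodeTs = '<Authenticode timestamp server URL>',
    [string]$Rfc3161Ts      = '<RFC 3161 timestamp server URL>'
)

function Invoke-SignTool {
    param([string[]]$Arguments)
    & signtool.exe @Arguments
    # signtool exit codes: 0 = success, 1 = failure, 2 = completed with warnings.
    # Warnings are treated as failures so a missing timestamp stops the build.
    if ($LASTEXITCODE -ne 0) {
        throw "signtool $($Arguments[0]) exited with code $LASTEXITCODE"
    }
}

# 1. Primary signature: SHA1 file digest, legacy Authenticode timestamp (/t).
Invoke-SignTool @('sign', '/v', '/ph', '/fd', 'sha1', '/sha1', $Sha1Thumb,
    '/ac', $CrossCert, '/t', $AuthenticodeTs, $Driver)

# 2. Second signature, appended with /as instead of replacing the first:
#    SHA256 file digest, RFC 3161 timestamp (/tr) with a SHA256 digest (/td).
Invoke-SignTool @('sign', '/v', '/ph', '/as', '/fd', 'sha256', '/sha1', $Sha256Thumb,
    '/ac', $CrossCert, '/tr', $Rfc3161Ts, '/td', 'sha256', $Driver)

# 3. Verify all signatures (/all) against the kernel-mode driver signing
#    policy (/kp) and warn if a signature carries no timestamp (/tw).
Invoke-SignTool @('verify', '/v', '/kp', '/all', '/tw', $Driver)
```

The order matters: without /as the second "signtool sign" call would replace the SHA1 signature instead of adding a second one.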