Introduction
The madCodeHook 3.0 injection drivers need to be
configured and signed. If you skip one of these
steps, the drivers won't work at all.
How To Get A Code Signing Certificate
For signing you need to have your own Microsoft Authenticode code signing
certificate. There are several so-called "Certificate Authorities" which
are offering such certificates. The best known Certificate Authority is
probably Verisign. Please be aware that some certificates support signing
drivers, while others don't. E.g. Thawte certificates can't properly sign
drivers, but Verisign certificates definitely can. A Verisign certificate
currently (January 2010) costs 499 USD per year. You can order it
here.
A good value option seems to be
GlobalSign. They offer
code signing certificates for relatively affordable 229 USD per year.
The Certificate Authority usually requires you to provide some legal
documentation that will validate your company name. If you lack such
documentation for whatever reason, you can register for a DUNS (Dun and
Bradstreet) number here. Please note that
the whole DUNS registration process can take months. So if you may need such
a DUNS number at some time in the future, I'd suggest to go ahead and
register as soon as possible, as it's a free service, IIRC.
File Signing Preparations
From your Certificate Authority you will get two files: The private key
("privateKey.pvk") and the certificate ("certificate.spc"). In addition to
that you need a matching cross certificate from Microsoft ("msCross.cer"),
which you can download
here.
You will also need two tools, both of which are part of the "Windows Driver
Kit", which you can download here.
The tools we need are "pvk2pfx.exe" and "signtool.exe".
The two files you got from your Certificate Authority are hard to work with.
Because of that we combine them into a more comfortable file format
("combined.pfx") by using the following command:
 |
pvk2pfx -pvk privateKey.pvk -spc certificate.spc -pfx combined.pfx
|
|
Now on your development PC right click on the "combined.pfx" file and choose
"install". Your development PC is now ready for signing.
How To Sign A Driver
In order to sign a file, you can now run the "signtool" on your development
PC. You need to feed it quite a long list of parameters. Also for the
timestamping to work correctly, your development PC must have internet
access. If you timestamp the driver, the signature will stay valid even
after the certificate has expired. If you don't timestamp the driver, the
signature will get invalid in the moment when the certificate expires, which
is usually not the desired behaviour, so timestamping is recommended. Here
are the parameters I'm using myself:
|
signtool sign /v /n "Your Company Name" /ac msCross.cer /t http://timestamp.verisign.com/scripts/timestamp.dll /d "DriverFileDescription" /du "www.yourCompany.com" c:\whatever\driver.sys
|
|