[Original] The ultimate solution for removing the digital signature check on driver installation ------ for win2000, winxp, win2003
2009-2-7 11:03 17627
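There are two main methods:
       1. Send simulated messages to the "Driver Signing" dialog so that it is set to the "Ignore" option.
          This code fixes the code by the expert LIUTANG, "2003-01-28_如何去掉xp下的数字签名.rar":
          1. uDriverSigningButtonID is not the same on XP and 2003 as it is on 2000.
          2. The above code uses the MFC library, which makes the executable too large; in the fixed code the message simulation is implemented entirely with the Windows API.
       2. Modifying the registry
          1. Windows 2000
           HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Driver Signing\Policy (set the value to 0)
           HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Non-Driver Signing\Policy (set the value to 0)
           HKEY_CURRENT_USER\SOFTWARE\Microsoft\Driver Signing\Policy (set the value to 0)
          2. Windows XP and Windows 2003
           Besides modifying the three values above, HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\PrivateHash also has to be modified. That value is a hash derived from the seed value HKLM\\SYSTEM\\WPA\\PnP\\seed and is different on every machine; if it is not changed, or is changed incorrectly, the Windows registry monitoring mechanism restores the modifications above and the attempt fails.

Acknowledgements: http://blogmal.42.org/rev-eng/, the expert LIUTANG, and others

Other methods:
          1. Same as method 1 above, except that the hook targets the "Continue Anyway" dialog.
          2. Some people say that a certain function in sigtab.dll can be modified; after debugging with windbg, this method may work, but it is untested.

         The source code has been tested on 2000, xp, 2003!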

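A defender-side check for the registry method described in the post, as an added example that is not part of the original post or its attachment: it parses a regedit text export and flags any of the three Policy values named above that sit at 0. The sample export, the function names, and the Warn/Block labels for 1 and 2 are assumptions of this example.

```python
import re

# Keys listed in the post; the value checked under each one is "Policy".
WATCHED_KEYS = {
    r"hkey_local_machine\software\microsoft\driver signing",
    r"hkey_local_machine\software\microsoft\non-driver signing",
    r"hkey_current_user\software\microsoft\driver signing",
}
# Assumption (the page only mentions 0): 1 = Warn, 2 = Block.
LEVELS = {0: "Ignore", 1: "Warn", 2: "Block"}
KEY_RE = re.compile(r"^\[([^\]]+)\]$")
VAL_RE = re.compile(r'^"Policy"\s*=\s*(hex|dword):([0-9a-f,]+)$', re.I)

# Constructed sample export, not taken from a real machine.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Driver Signing]
"Policy"=hex:00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Non-Driver Signing]
"Policy"=hex:01

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Driver Signing]
"Policy"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"Policy"=dword:00000000
'''

def decode_policy(kind, data):
    """Decode a dword: value or a little-endian hex: byte list to an int."""
    if kind.lower() == "dword":
        return int(data, 16)
    raw = bytes(int(b, 16) for b in data.split(",") if b)
    return int.from_bytes(raw, "little")

def audit_reg_export(text):
    """Return (key, level, label, weakened) for each watched Policy value."""
    findings, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := KEY_RE.match(line):
            current = m.group(1).lower()
        elif (m := VAL_RE.match(line)) and current in WATCHED_KEYS:
            level = decode_policy(m.group(1), m.group(2))
            findings.append((current, level, LEVELS.get(level, "Unknown"), level == 0))
    return findings

if __name__ == "__main__":
    for key, level, label, weak in audit_reg_export(SAMPLE):
        print(f"{'WEAKENED' if weak else 'ok':8} {label:7} {key}")
```

The value is decoded whether it is stored as binary (`hex:`) or as a DWORD, so the same check works on exports from either hive.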
Latest replies (6)
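XSJS 2009-2-7 11:13 (#2)
OP, you mean driver signature file verification, right? Hooking one function is enough:
WinVerifyTrust
Also, MS only verifies the digital signature when a WDM driver is installed; NT drivers are not checked....
I'm just talking nonsense.... experts, please correct me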
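XSJS 2009-2-7 11:15 (#3)
If you have the privileges to modify this or that registry entry, and can also hook a process that has the privilege to install drivers......
I think installing a driver is a piece of cake.... there's no need to bother with the digital signature....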
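zhuwg 2009-2-7 16:42 (#4)
The poster above is not wrong
Only WDM device drivers, the kind installed with an inf, have their signature verified
But it seems verification was strengthened after Vista... not sure.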
zhuwg 2009-2-7 16:47 (#5)
Also attaching VB code for WinVerifyTrust
From http://topic.csdn.net/u/20081113/19/6373c04a-736b-4719-a7bb-ba15b77a13dd.html

Public Declare Sub RtlFillMemory Lib "kernel32.dll" (Destination As Long, Length As Long, Fill As Byte)
Public Declare Function WinVerifyTrust Lib "Wintrust.dll" (hWnd As Long, pgActionID As Long, pWVTData As Long) As Long

Const ERROR_SUCCESS = 0&
Const TRUST_E_PROVIDER_UNKNOWN = &H800B0001
Const TRUST_E_SUBJECT_FORM_UNKNOWN = &H800B0003
Const TRUST_E_SUBJECT_NOT_TRUSTED = &H800B0004
Const TRUST_E_NOSIGNATURE = &H800B0100
Const TRUST_E_EXPLICIT_DISTRUST = &H800B0111
Const CRYPT_E_SECURITY_SETTINGS = &H80092026

Const WTD_UI_ALL = 1&     ' Display all UI.
Const WTD_UI_NONE = 2&    ' Display no UI.
Const WTD_UI_NOBAD = 3&   ' Do not display any negative UI.
Const WTD_UI_NOGOOD = 4&  ' Do not display any positive UI.

Const WTD_REVOKE_NONE = 0&        ' No additional revocation checking will be done.
Const WTD_REVOKE_WHOLECHAIN = 1&  ' Revocation checking will be done on the whole chain.

Const WTD_CHOICE_FILE = 1&     ' Use the file pointed to by pFile.
Const WTD_CHOICE_CATALOG = 2&  ' Use the catalog pointed to by pCatalog.
Const WTD_CHOICE_BLOB = 3&     ' Use the BLOB pointed to by pBlob.
Const WTD_CHOICE_SIGNER = 4&   ' Use the WINTRUST_SGNR_INFO structure pointed to by pSgnr.
Const WTD_CHOICE_CERT = 5&     ' Use the certificate pointed to by pCert.

Const WTD_SAFER_FLAG = 256&

Type GUID
    D1 As Long
    D2 As Integer
    D3 As Integer
    D4(0 To 7) As Byte
End Type

Type WINTRUST_FILE_INFO
    cbStruct As Long
    pcwszFilePath As Long
    hFile As Long
    pgKnownSubject As Long
End Type

Type WINTRUST_DATA
    cbStruct As Long
    pPolicyCallbackData As Long
    pSIPClientData As Long
    dwUIChoice As Long
    fdwRevocationChecks As Long
    dwUnionChoice As Long
    ' Union
    pUnionData As Long
    dwStateAction As Long
    hWVTStateData As Long
    pwszURLReference As Long
    dwProvFlags As Long
    dwUIContext As Long
End Type

Public Function VerifyEmbeddedSignature(pwszSourceFile As String) As Boolean
    Dim lStatus As Long
    Dim dwLastError As Long

    ' Initialize the WINTRUST_FILE_INFO structure.
    Dim FileData As WINTRUST_FILE_INFO
    RtlFillMemory ByVal VarPtr(FileData), ByVal LenB(FileData), ByVal 0

    FileData.cbStruct = LenB(FileData)
    FileData.pcwszFilePath = StrPtr(pwszSourceFile)
    FileData.hFile = 0
    FileData.pgKnownSubject = 0

    Dim WVTPolicyGUID As GUID

    ' = WINTRUST_ACTION_GENERIC_VERIFY_V2
    WVTPolicyGUID.D1 = &HAAC56B
    WVTPolicyGUID.D2 = &HCD44
    WVTPolicyGUID.D3 = &H11D0
    WVTPolicyGUID.D4(0) = &H8C
    WVTPolicyGUID.D4(1) = &HC2
    WVTPolicyGUID.D4(2) = &H0
    WVTPolicyGUID.D4(3) = &HC0
    WVTPolicyGUID.D4(4) = &H4F
    WVTPolicyGUID.D4(5) = &HC2
    WVTPolicyGUID.D4(6) = &H95
    WVTPolicyGUID.D4(7) = &HEE

    Dim WinTrustData As WINTRUST_DATA

    ' Initialize the WinVerifyTrust input data structure.
    ' Default all fields to 0.
    RtlFillMemory ByVal VarPtr(WinTrustData), ByVal LenB(WinTrustData), ByVal 0
    WinTrustData.cbStruct = LenB(WinTrustData)
    ' Use default code signing EKU.
    WinTrustData.pPolicyCallbackData = 0
    ' No data to pass to SIP.
    WinTrustData.pSIPClientData = 0
    ' Disable WVT UI.
    WinTrustData.dwUIChoice = WTD_UI_NONE
    ' No revocation checking.
    WinTrustData.fdwRevocationChecks = WTD_REVOKE_NONE
    ' Verify an embedded signature on a file.
    WinTrustData.dwUnionChoice = WTD_CHOICE_FILE
    ' Default verification.
    WinTrustData.dwStateAction = 0
    ' Not applicable for default verification of embedded signature.
    WinTrustData.hWVTStateData = 0
    ' Not used.
    WinTrustData.pwszURLReference = 0
    ' Default.
    WinTrustData.dwProvFlags = WTD_SAFER_FLAG

    ' This is not applicable if there is no UI because it changes
    ' the UI to accommodate running applications instead of
    ' installing applications.
    WinTrustData.dwUIContext = 0

    ' Set pFile.
    WinTrustData.pUnionData = VarPtr(FileData)

    ' WinVerifyTrust verifies signatures as specified by the GUID
    ' and Wintrust_Data.
    lStatus = WinVerifyTrust(ByVal 0, ByVal VarPtr(WVTPolicyGUID), ByVal VarPtr(WinTrustData))

    ' Err.LastDllError holds the last-error value VB saved after the Declare call;
    ' calling GetLastError directly from VB is not reliable.
    dwLastError = Err.LastDllError

    Select Case (lStatus)
        Case ERROR_SUCCESS
            MsgBox "The file """ & pwszSourceFile & """ is signed and the signature was verified."

        Case TRUST_E_NOSIGNATURE
            If (TRUST_E_NOSIGNATURE = dwLastError) Or (TRUST_E_SUBJECT_FORM_UNKNOWN = dwLastError) Or (TRUST_E_PROVIDER_UNKNOWN = dwLastError) Then
                ' The file was not signed.
                MsgBox "The file """ & pwszSourceFile & """ is not signed."
            Else
                ' The signature was not valid or there was an error
                ' opening the file.
                MsgBox "An unknown error occurred trying to verify the signature of the """ & pwszSourceFile & """ file."
            End If

        Case TRUST_E_EXPLICIT_DISTRUST
            ' The hash that represents the subject or the publisher
            ' is not allowed by the admin or user.
            MsgBox "The signature is present, but specifically disallowed."

        Case TRUST_E_SUBJECT_NOT_TRUSTED
            ' The user clicked "No" when asked to install and run.
            MsgBox "The signature is present, but not trusted."

        Case CRYPT_E_SECURITY_SETTINGS
            MsgBox "CRYPT_E_SECURITY_SETTINGS - The hash " & _
                "representing the subject or the publisher wasn't " & _
                "explicitly trusted by the admin and admin policy " & _
                "has disabled user trust. No signature, publisher " & _
                "or timestamp errors."

        Case Else
            ' The UI was disabled in dwUIChoice or the admin policy
            ' has disabled user trust. lStatus contains the
            ' publisher or time stamp chain error.
            MsgBox "Error is: 0x" & Hex(lStatus) & "."
    End Select

    ' True only when the signature was verified.
    VerifyEmbeddedSignature = (lStatus = ERROR_SUCCESS)
End Function

zhuwg 2009-2-7 16:49 (#6)
The C version
From http://msdn.microsoft.com/en-us/library/aa382384.aspx

//-------------------------------------------------------------------
// Copyright (c) Microsoft Corporation. All rights reserved.
// Example of verifying the embedded signature of a PE file by using
// the WinVerifyTrust function.

#define _UNICODE 1
#define UNICODE 1

#include <tchar.h>
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <Softpub.h>
#include <wincrypt.h>
#include <wintrust.h>

// Link with the Wintrust.lib file.
#pragma comment (lib, "wintrust")

BOOL VerifyEmbeddedSignature(LPCWSTR pwszSourceFile)
{
    LONG lStatus;
    DWORD dwLastError;

    // Initialize the WINTRUST_FILE_INFO structure.

    WINTRUST_FILE_INFO FileData;
    memset(&FileData, 0, sizeof(FileData));
    FileData.cbStruct = sizeof(WINTRUST_FILE_INFO);
    FileData.pcwszFilePath = pwszSourceFile;
    FileData.hFile = NULL;
    FileData.pgKnownSubject = NULL;

    /*
    WVTPolicyGUID specifies the policy to apply on the file
    WINTRUST_ACTION_GENERIC_VERIFY_V2 policy checks:

    1) The certificate used to sign the file chains up to a root
    certificate located in the trusted root certificate store. This
    implies that the identity of the publisher has been verified by
    a certification authority.

    2) In cases where user interface is displayed (which this example
    does not do), WinVerifyTrust will check for whether the
    end entity certificate is stored in the trusted publisher store,
    implying that the user trusts content from this publisher.

    3) The end entity certificate has sufficient permission to sign
    code, as indicated by the presence of a code signing EKU or no
    EKU.
    */

    GUID WVTPolicyGUID = WINTRUST_ACTION_GENERIC_VERIFY_V2;
    WINTRUST_DATA WinTrustData;

    // Initialize the WinVerifyTrust input data structure.

    // Default all fields to 0.
    memset(&WinTrustData, 0, sizeof(WinTrustData));

    WinTrustData.cbStruct = sizeof(WinTrustData);

    // Use default code signing EKU.
    WinTrustData.pPolicyCallbackData = NULL;

    // No data to pass to SIP.
    WinTrustData.pSIPClientData = NULL;

    // Disable WVT UI.
    WinTrustData.dwUIChoice = WTD_UI_NONE;

    // No revocation checking.
    WinTrustData.fdwRevocationChecks = WTD_REVOKE_NONE;

    // Verify an embedded signature on a file.
    WinTrustData.dwUnionChoice = WTD_CHOICE_FILE;

    // Default verification.
    WinTrustData.dwStateAction = 0;

    // Not applicable for default verification of embedded signature.
    WinTrustData.hWVTStateData = NULL;

    // Not used.
    WinTrustData.pwszURLReference = NULL;

    // Default.
    WinTrustData.dwProvFlags = WTD_SAFER_FLAG;

    // This is not applicable if there is no UI because it changes
    // the UI to accommodate running applications instead of
    // installing applications.
    WinTrustData.dwUIContext = 0;

    // Set pFile.
    WinTrustData.pFile = &FileData;

    // WinVerifyTrust verifies signatures as specified by the GUID
    // and Wintrust_Data.
    lStatus = WinVerifyTrust(
        NULL,
        &WVTPolicyGUID,
        &WinTrustData);

    switch (lStatus)
    {
        case ERROR_SUCCESS:
            /*
            Signed file:
                - Hash that represents the subject is trusted.

                - Trusted publisher without any verification errors.

                - UI was disabled in dwUIChoice. No publisher or
                    time stamp chain errors.

                - UI was enabled in dwUIChoice and the user clicked
                    "Yes" when asked to install and run the signed
                    subject.
            */
            wprintf_s(L"The file \"%s\" is signed and the signature "
                L"was verified.\n",
                pwszSourceFile);
            break;

        case TRUST_E_NOSIGNATURE:
            // The file was not signed or had a signature
            // that was not valid.

            // Get the reason for no signature.
            dwLastError = GetLastError();
            if (TRUST_E_NOSIGNATURE == dwLastError ||
                    TRUST_E_SUBJECT_FORM_UNKNOWN == dwLastError ||
                    TRUST_E_PROVIDER_UNKNOWN == dwLastError)
            {
                // The file was not signed.
                wprintf_s(L"The file \"%s\" is not signed.\n",
                    pwszSourceFile);
            }
            else
            {
                // The signature was not valid or there was an error
                // opening the file.
                wprintf_s(L"An unknown error occurred trying to "
                    L"verify the signature of the \"%s\" file.\n",
                    pwszSourceFile);
            }

            break;

        case TRUST_E_EXPLICIT_DISTRUST:
            // The hash that represents the subject or the publisher
            // is not allowed by the admin or user.
            wprintf_s(L"The signature is present, but specifically "
                L"disallowed.\n");
            break;

        case TRUST_E_SUBJECT_NOT_TRUSTED:
            // The user clicked "No" when asked to install and run.
            wprintf_s(L"The signature is present, but not "
                L"trusted.\n");
            break;

        case CRYPT_E_SECURITY_SETTINGS:
            /*
            The hash that represents the subject or the publisher
            was not explicitly trusted by the admin and the
            admin policy has disabled user trust. No signature,
            publisher or time stamp errors.
            */
            wprintf_s(L"CRYPT_E_SECURITY_SETTINGS - The hash "
                L"representing the subject or the publisher wasn't "
                L"explicitly trusted by the admin and admin policy "
                L"has disabled user trust. No signature, publisher "
                L"or timestamp errors.\n");
            break;

        default:
            // The UI was disabled in dwUIChoice or the admin policy
            // has disabled user trust. lStatus contains the
            // publisher or time stamp chain error.
            wprintf_s(L"Error is: 0x%x.\n",
                lStatus);
            break;
    }

    // TRUE only when the signature was verified.
    return lStatus == ERROR_SUCCESS;
}

int _tmain(int argc, _TCHAR* argv[])
{
    if(argc > 1)
    {
        VerifyEmbeddedSignature(argv[1]);
    }

    return 0;
}
cvcvxk 2009-2-7 19:31 (#7)
Actually, forging a signature is not a dream~~ it's just too nasty~