How can I install this driver?

I downloaded the IOCTL sample driver from MSDN. I am trying to run an executable in this example to load the driver from its SYS file, but I get this error when it calls StartService:

StartService failure! Error = 577
Unable to install driver.
ControlService failed!  Error = 1062

577, according to error code documentation, means:

ERROR_INVALID_IMAGE_HASH
577 (0x241)
Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

I don't get why it won't start it up because in Visual Studio I went to the project settings on the driver and set these on it:

Sign Mode -> "Test Sign"

Test Certificate -> I used the "Create Test Certificate" option to create and then select a test certificate.

So what's the problem now? How can I get this driver to install?

Approachable answered 6/6, 2014 at 22:57 Comment(5)
Have you installed the test certificate on the system? - Dendy
@Dendy Yeah, it's installed, I can see it in MMC, but like...is it supposed to be in a particular location? When you create a test certificate like I did it installs it in Current User -> Personal. - Approachable
I'm not sure what is going on here, all I can offer is to make sure you follow all of the instructions at the bottom of the documentation here msdn.microsoft.com/en-us/library/windows/hardware/… - Dendy
Have you booted with the test signing option? - Tingly
No, this I have not. I will try it. - Approachable

Starting with Windows Vista 64-bit, Microsoft began requiring signed drivers unless bypassed using boot-time developer options.

There are options for both unsigned drivers (F8 option or attaching a kernel debugger) and test-signed drivers (TESTSIGNING boot configuration). The easiest bypass is to press F8 at boot time and select "Disable Driver Signature Enforcement", which will last until the next boot.

Tingly answered 7/6, 2014 at 0:14 Comment(4)
If I do not choose either option - what - I have to either buy a Code Signing certificate from some third party issuer for $180 a year?! These guys crazy? Haha... - Approachable
@Approachable I think it's less than that, but you do have to pay to deploy a production driver. Did enabling the TESTSIGNING boot config (or other bypass) get things to work? - Tingly
Yes, confirmed it works now. This was the problem. I didn't want to accept the answer just yet without testing first. Worked perfectly. The whole process around driver signatures sucks in both cases. For unsigned drivers, you open your computer up to vulnerabilities (any kernel-mode driver can be installed on your system by a malicious application without you knowing it). For test signed drivers, you need to disable Secure Boot, so you're now exposed to rootkits. Bcdedit.exe -set TESTSIGNING ON requires Secure Boot to be off. I guess all these hoops are for security purposes to protect people. - Approachable
It seems redundant though, because anyone can buy a Code Signing certificate, even a malicious individual. The only safety is in being able to revoke their certificate once you figure out the kernel mode driver is malicious, but figuring that out may never happen...kernel drivers can fly completely under the radar. By the way, thanks for posting such a complete answer that includes both test-signing drivers and unsigned drivers! - Approachable
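
The checks discussed in this thread, gathered into one read-only PowerShell script; this is an added example, not code from the original posts or from the MSDN sample. The path `.\sample.sys` is a placeholder, the bcdedit match assumes English output, and reading `SystemStartOptions` from the registry to see the options of the running boot is an assumption of this example.

```powershell
# Added example: read-only checks, run from an elevated PowerShell prompt.
param([string]$DriverPath = '.\sample.sys')   # placeholder path, not from the thread

# Configured boot option: what the next boot will use.
# Matching on "Yes" assumes English bcdedit output.
$bcd = (& bcdedit.exe /enum '{current}' 2>&1) | Out-String
$configured = $bcd -match '(?im)^\s*testsigning\s+Yes\s*$'

# Options the running kernel was started with: what applies right now.
$opts = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control').SystemStartOptions
$active = $opts -match 'TESTSIGNING'

# Secure Boot state; the cmdlet throws on non-UEFI systems.
try { $secureBoot = [string](Confirm-SecureBootUEFI -ErrorAction Stop) }
catch { $secureBoot = 'unavailable' }

# Signature on the driver image, and which stores hold the signer certificate.
$sig = Get-AuthenticodeSignature -FilePath $DriverPath
$stores = @()
if ($sig.SignerCertificate) {
    $thumb = $sig.SignerCertificate.Thumbprint
    $stores = 'CurrentUser\My', 'LocalMachine\Root', 'LocalMachine\TrustedPublisher' |
        Where-Object { Test-Path "Cert:\$_\$thumb" }
}

# One summary object so the states can be compared side by side.
[pscustomobject]@{
    TestSigningConfigured = $configured
    TestSigningActive     = $active
    SecureBoot            = $secureBoot
    SignatureStatus       = $sig.Status
    Signer                = $sig.SignerCertificate.Subject
    SignerFoundIn         = $stores -join ', '
}

if ($configured -and -not $active) {
    Write-Warning 'TESTSIGNING is set but not in effect yet; reboot before calling StartService.'
}
if ($active) {
    Write-Warning 'This boot accepts test-signed kernel drivers.'
}
```

The same output is useful in the other direction: on a machine that is not a driver development box, `TestSigningActive` should be false and Secure Boot should be on.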
