Verify the embedded signature

 

So i had this week I had to figure out how to determine if a driver is signed for a little project of mine. This involves being signed by a code certificate OR by Microsoft via WHQL (which includes checking cat files). Documentation on MSDN for this was horrible at best. Very little explained, and very few examples. And these functions calls have a tons of paramenters, some to which I don't even really understand what they do. I got my code working, thought I'm not sure I understand 100% of how everything works. I got little snippets of codes from a couple of places, did some of my own, and together came up with this. If anyone has improvementes or find any errors, please let me know!! thanks, hope this helps!

 

#include <windows.h> #include <Softpub.h> #include <wincrypt.h> #include <wintrust.h> #include <Mscat.h> BOOL VerifyEmbeddedSignature(LPCWSTR pwszSourceFile) { LONG lStatus; GUID WintrustVerifyGuid = DRIVER_ACTION_VERIFY; GUID DriverActionGuid = DRIVER_ACTION_VERIFY; HANDLE hFile; DWORD dwHash; BYTE bHash[100]; HCATINFO hCatInfo; HCATADMIN hCatAdmin; WINTRUST_DATA wd = { 0 }; WINTRUST_FILE_INFO wfi = { 0 }; WINTRUST_CATALOG_INFO wci = { 0 }; DRIVER_VER_INFO dvi = {0}; dvi.cbStruct = sizeof(dvi); ////set up structs to verify files with cert signatures memset(&wfi, 0, sizeof(wfi)); wfi.cbStruct = sizeof( WINTRUST_FILE_INFO ); wfi.pcwszFilePath = pwszSourceFile; wfi.hFile = NULL; wfi.pgKnownSubject = NULL; memset(&wd, 0, sizeof(wd)); wd.cbStruct = sizeof( WINTRUST_DATA ); wd.dwUnionChoice = WTD_CHOICE_FILE; wd.pFile = &wfi; wd.dwUIChoice = WTD_UI_NONE; wd.fdwRevocationChecks = WTD_REVOKE_NONE; wd.dwStateAction = 0; wd.dwProvFlags = WTD_SAFER_FLAG; wd.hWVTStateData = NULL; wd.pwszURLReference = NULL; wd.pPolicyCallbackData = &dvi; wd.pSIPClientData = NULL; wd.dwUIContext = 0; lStatus = WinVerifyTrust( NULL, &WintrustVerifyGuid, &wd ); ////if failed, try to verify using catalog files if (lStatus != ERROR_SUCCESS) { //open the file hFile = CreateFileW(pwszSourceFile, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); if (hFile == INVALID_HANDLE_VALUE) return FALSE; dwHash = sizeof(bHash); if (!CryptCATAdminCalcHashFromFileHandle(hFile, &dwHash, bHash, 0)) { CloseHandle(hFile); return FALSE; } //Create a string form of the hash (used later in pszMemberTag) LPWSTR pszMemberTag = new WCHAR[dwHash * 2 + 1]; for ( DWORD dw = 0; dw < dwHash; ++dw ) { wsprintfW( &pszMemberTag[dw * 2], L"%02X", bHash[dw] ); } if (!CryptCATAdminAcquireContext(&hCatAdmin, &DriverActionGuid, 0)) { CloseHandle(hFile); return FALSE; } //find the catalog which contains the hash hCatInfo = CryptCATAdminEnumCatalogFromHash(hCatAdmin, bHash, dwHash, 0, NULL); if ( hCatInfo ) { CATALOG_INFO ci = { 0 }; CryptCATCatalogInfoFromContext( hCatInfo, &ci, 0 ); memset(&wci, 0, sizeof(wci)); wci.cbStruct = sizeof( WINTRUST_CATALOG_INFO ); wci.pcwszCatalogFilePath = ci.wszCatalogFile; wci.pcwszMemberFilePath = pwszSourceFile; wci.pcwszMemberTag = pszMemberTag; memset(&wd, 0, sizeof(wd)); wd.cbStruct = sizeof( WINTRUST_DATA ); wd.dwUnionChoice = WTD_CHOICE_CATALOG; wd.pCatalog = &wci; wd.dwUIChoice = WTD_UI_NONE; wd.fdwRevocationChecks = WTD_STATEACTION_VERIFY; wd.dwProvFlags = 0; wd.hWVTStateData = NULL; wd.pwszURLReference = NULL; wd.pPolicyCallbackData = &dvi; wd.pSIPClientData = NULL; wd.dwUIContext = 0; lStatus = WinVerifyTrust( NULL, &WintrustVerifyGuid, &wd ); CryptCATAdminReleaseCatalogContext( hCatAdmin, hCatInfo, 0 ); } CryptCATAdminReleaseContext( hCatAdmin, 0 ); delete[] pszMemberTag; CloseHandle(hFile); } printf( "version:%S/nsigner:%S", dvi.wszVersion, dvi.wszSignedBy ); //I believe we have to clean up our cert context CertFreeCertificateContext(dvi.pcSignerCertContext); if (lStatus != ERROR_SUCCESS) return false; else return true; } int main() { VerifyEmbeddedSignature( L"C://windows//system32//drivers//i8042prt.sys" ); }

#include <windows.h>
#include <Softpub.h>
#include <wincrypt.h>
#include <wintrust.h>
#include <Mscat.h>

BOOL VerifyEmbeddedSignature(LPCWSTR pwszSourceFile)
{
LONG lStatus;
GUID WintrustVerifyGuid = DRIVER_ACTION_VERIFY;
GUID DriverActionGuid = DRIVER_ACTION_VERIFY;
HANDLE hFile;
DWORD dwHash;
BYTE bHash[100];
HCATINFO hCatInfo;
HCATADMIN hCatAdmin;
WINTRUST_DATA wd = { 0 };
WINTRUST_FILE_INFO wfi = { 0 };
WINTRUST_CATALOG_INFO wci = { 0 };
DRIVER_VER_INFO dvi = {0};

dvi.cbStruct = sizeof(dvi);

////set up structs to verify files with cert signatures
memset(&wfi, 0, sizeof(wfi));
wfi.cbStruct = sizeof( WINTRUST_FILE_INFO );
wfi.pcwszFilePath = pwszSourceFile;
wfi.hFile = NULL;
wfi.pgKnownSubject = NULL;

memset(&wd, 0, sizeof(wd));
wd.cbStruct = sizeof( WINTRUST_DATA );
wd.dwUnionChoice = WTD_CHOICE_FILE;
wd.pFile = &wfi;
wd.dwUIChoice = WTD_UI_NONE;
wd.fdwRevocationChecks = WTD_REVOKE_NONE;
wd.dwStateAction = 0;
wd.dwProvFlags = WTD_SAFER_FLAG;
wd.hWVTStateData = NULL;
wd.pwszURLReference = NULL;
wd.pPolicyCallbackData = &dvi;
wd.pSIPClientData = NULL;
wd.dwUIContext = 0;

lStatus = WinVerifyTrust( NULL, &WintrustVerifyGuid, &wd );

////if failed, try to verify using catalog files
if (lStatus != ERROR_SUCCESS)
{
//open the file
hFile = CreateFileW(pwszSourceFile, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile == INVALID_HANDLE_VALUE)
return FALSE;

dwHash = sizeof(bHash);
if (!CryptCATAdminCalcHashFromFileHandle(hFile, &dwHash, bHash, 0))
{
CloseHandle(hFile);
return FALSE;
}

//Create a string form of the hash (used later in pszMemberTag)
LPWSTR pszMemberTag = new WCHAR[dwHash * 2 + 1];
for ( DWORD dw = 0; dw < dwHash; ++dw )
{
wsprintfW( &pszMemberTag[dw * 2], L"%02X", bHash[dw] );
}

if (!CryptCATAdminAcquireContext(&hCatAdmin, &DriverActionGuid, 0))
{
CloseHandle(hFile);
return FALSE;
}

//find the catalog which contains the hash
hCatInfo = CryptCATAdminEnumCatalogFromHash(hCatAdmin, bHash, dwHash, 0, NULL);

if ( hCatInfo )
{
CATALOG_INFO ci = { 0 };
CryptCATCatalogInfoFromContext( hCatInfo, &ci, 0 );

memset(&wci, 0, sizeof(wci));
wci.cbStruct = sizeof( WINTRUST_CATALOG_INFO );
wci.pcwszCatalogFilePath = ci.wszCatalogFile;
wci.pcwszMemberFilePath = pwszSourceFile;
wci.pcwszMemberTag = pszMemberTag;

memset(&wd, 0, sizeof(wd));
wd.cbStruct = sizeof( WINTRUST_DATA );
wd.dwUnionChoice = WTD_CHOICE_CATALOG;
wd.pCatalog = &wci;
wd.dwUIChoice = WTD_UI_NONE;
wd.fdwRevocationChecks = WTD_STATEACTION_VERIFY;
wd.dwProvFlags = 0;
wd.hWVTStateData = NULL;
wd.pwszURLReference = NULL;
wd.pPolicyCallbackData = &dvi;
wd.pSIPClientData = NULL;
wd.dwUIContext = 0;

lStatus = WinVerifyTrust( NULL, &WintrustVerifyGuid, &wd );

CryptCATAdminReleaseCatalogContext( hCatAdmin, hCatInfo, 0 );
}

CryptCATAdminReleaseContext( hCatAdmin, 0 );
delete[] pszMemberTag;
CloseHandle(hFile);
}

printf( "version:%S/nsigner:%S", dvi.wszVersion, dvi.wszSignedBy );

//I believe we have to clean up our cert context
CertFreeCertificateContext(dvi.pcSignerCertContext);

if (lStatus != ERROR_SUCCESS)
return false;
else
return true;
}

int main()
{

VerifyEmbeddedSignature( L"C://windows//system32//drivers//i8042prt.sys" );
}

#include <windows.h> #include <Softpub.h> #include <wincrypt.h> #include <wintrust.h> #include <Mscat.h> BOOL VerifyEmbeddedSignature(LPCWSTR pwszSourceFile) { LONG lStatus; GUID WintrustVerifyGuid = DRIVER_ACTION_VERIFY; GUID DriverActionGuid = DRIVER_ACTION_VERIFY; HANDLE hFile; DWORD dwHash; BYTE bHash[100]; HCATINFO hCatInfo; HCATADMIN hCatAdmin; WINTRUST_DATA wd = { 0 }; WINTRUST_FILE_INFO wfi = { 0 }; WINTRUST_CATALOG_INFO wci = { 0 }; DRIVER_VER_INFO dvi = {0}; dvi.cbStruct = sizeof(dvi); ////set up structs to verify files with cert signatures memset(&wfi, 0, sizeof(wfi)); wfi.cbStruct = sizeof( WINTRUST_FILE_INFO ); wfi.pcwszFilePath = pwszSourceFile; wfi.hFile = NULL; wfi.pgKnownSubject = NULL; memset(&wd, 0, sizeof(wd)); wd.cbStruct = sizeof( WINTRUST_DATA ); wd.dwUnionChoice = WTD_CHOICE_FILE; wd.pFile = &wfi; wd.dwUIChoice = WTD_UI_NONE; wd.fdwRevocationChecks = WTD_REVOKE_NONE; wd.dwStateAction = 0; wd.dwProvFlags = WTD_SAFER_FLAG; wd.hWVTStateData = NULL; wd.pwszURLReference = NULL; wd.pPolicyCallbackData = &dvi; wd.pSIPClientData = NULL; wd.dwUIContext = 0; lStatus = WinVerifyTrust( NULL, &WintrustVerifyGuid, &wd ); ////if failed, try to verify using catalog files if (lStatus != ERROR_SUCCESS) { //open the file hFile = CreateFileW(pwszSourceFile, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); if (hFile == INVALID_HANDLE_VALUE) return FALSE; dwHash = sizeof(bHash); if (!CryptCATAdminCalcHashFromFileHandle(hFile, &dwHash, bHash, 0)) { CloseHandle(hFile); return FALSE; } //Create a string form of the hash (used later in pszMemberTag) LPWSTR pszMemberTag = new WCHAR[dwHash * 2 + 1]; for ( DWORD dw = 0; dw < dwHash; ++dw ) { wsprintfW( &pszMemberTag[dw * 2], L"%02X", bHash[dw] ); } if (!CryptCATAdminAcquireContext(&hCatAdmin, &DriverActionGuid, 0)) { CloseHandle(hFile); return FALSE; } //find the catalog which contains the hash hCatInfo = CryptCATAdminEnumCatalogFromHash(hCatAdmin, bHash, dwHash, 0, NULL); if ( hCatInfo ) { CATALOG_INFO ci = { 0 }; CryptCATCatalogInfoFromContext( hCatInfo, &ci, 0 ); memset(&wci, 0, sizeof(wci)); wci.cbStruct = sizeof( WINTRUST_CATALOG_INFO ); wci.pcwszCatalogFilePath = ci.wszCatalogFile; wci.pcwszMemberFilePath = pwszSourceFile; wci.pcwszMemberTag = pszMemberTag; memset(&wd, 0, sizeof(wd)); wd.cbStruct = sizeof( WINTRUST_DATA ); wd.dwUnionChoice = WTD_CHOICE_CATALOG; wd.pCatalog = &wci; wd.dwUIChoice = WTD_UI_NONE; wd.fdwRevocationChecks = WTD_STATEACTION_VERIFY; wd.dwProvFlags = 0; wd.hWVTStateData = NULL; wd.pwszURLReference = NULL; wd.pPolicyCallbackData = &dvi; wd.pSIPClientData = NULL; wd.dwUIContext = 0; lStatus = WinVerifyTrust( NULL, &WintrustVerifyGuid, &wd ); CryptCATAdminReleaseCatalogContext( hCatAdmin, hCatInfo, 0 ); } CryptCATAdminReleaseContext( hCatAdmin, 0 ); delete[] pszMemberTag; CloseHandle(hFile); } printf( "version:%S/nsigner:%S", dvi.wszVersion, dvi.wszSignedBy ); //I believe we have to clean up our cert context CertFreeCertificateContext(dvi.pcSignerCertContext); if (lStatus != ERROR_SUCCESS) return false; else return true; } int main() { VerifyEmbeddedSignature( L"C://windows//system32//drivers//i8042prt.sys" ); }