Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 02-22-2018, 18:04
Kerlingen Kerlingen is offline
VIP
 
Join Date: Feb 2011
Posts: 324
Rept. Given: 0
Rept. Rcvd 276 Times in 98 Posts
Thanks Given: 0
Thanks Rcvd at 308 Times in 95 Posts
Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299
Is editing a driver's *.inf possible?

Lets assume the following (unspecified so it's easier to understand):
I have two hardware devices with DeviceIDs PCI\001 and PCI\002 and I'm running Windows 10 x64.

Windows has a driver for PCI\001 included, but for PCI\002 it needs a vendor specific driver.

The vendor specific driver comes as a driver package:
driver.sys (signed by vendor and "Microsoft Windows Hardware Compatibility Publisher")
driver.inf (not signed)
driver.cat (signed by "Microsoft Windows Hardware Compatibility Publisher")

driver.inf says that the driver supports PCI\001 and PCI\002, but the vendor driver.sys does not support the PCI\001 device.

The fact that the driver.inf claims it would support PCI\001 makes Windows unload its own driver for PCI\001.

At this point I could either use the Windows default driver for PCI\001 and have a not working PCI\002 or I could use the vendor driver for PCI\002 and have a not working PCI\001.

So the easiest way would be to edit driver.inf and remove the line saying it supports PCI\001. However, driver.cat contains the hash for driver.inf, so if I edit driver.inf Windows will not load the driver because it has no valid signature. If I remove the driver.cat entry from driver.inf or the file driver.cat Windows will not load the driver either.

Is there any way to force Windows to ignore specific sections of *.inf files or to force it to load only its own driver? Or some way to edit *.inf files without invalidating the signature? Since driver.sys is signed and unmodified this could be possible somehow.
Reply With Quote
  #2  
Old 02-25-2018, 16:46
Syoma Syoma is offline
reverse engineer
 
Join Date: May 2009
Posts: 338
Rept. Given: 35
Rept. Rcvd 77 Times in 50 Posts
Thanks Given: 15
Thanks Rcvd at 78 Times in 51 Posts
Syoma Reputation: 77
You can try install vendor pack, then delete vendor inf and update device tree in the device manager. Or play with different cases around.
Also, if you have own certificate you can try to re-sign the whole package with edited inf
Reply With Quote
  #3  
Old 02-25-2018, 21:27
chants chants is offline
VIP
 
Join Date: Jul 2016
Posts: 725
Rept. Given: 35
Rept. Rcvd 48 Times in 30 Posts
Thanks Given: 666
Thanks Rcvd at 1,053 Times in 478 Posts
chants Reputation: 48
The correct strategy is as far as I know to update to the vendor specific driver. PCI001 will be broken, so you go into device manager, do a "driver rollback", and it will go back to a working driver for that device only, and it will blacklist the new driver for that device. Probably some special exclusion registry key gets set on a per device basis.

Changing the .inf is not the right approach as you point out because of signing. Likely there is no automatic loading. What is most certain is the driver installation oversteps. So you have to let it overstep, then undo the damage on a device by device basis such as with a rollback.
Reply With Quote
  #4  
Old 02-25-2018, 22:38
Upz Upz is offline
Friend
 
Join Date: Jul 2016
Location: Brazil
Posts: 15
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 5
Thanks Rcvd at 9 Times in 6 Posts
Upz Reputation: 0
You also can edit the .inf (if you are sure that this will work), delete the signature and then disable de driver signature enforcement feature to install the "new" driver
Reply With Quote
  #5  
Old 02-25-2018, 22:51
deepzero's Avatar
deepzero deepzero is offline
VIP
 
Join Date: Mar 2010
Location: Germany
Posts: 300
Rept. Given: 111
Rept. Rcvd 64 Times in 42 Posts
Thanks Given: 178
Thanks Rcvd at 215 Times in 92 Posts
deepzero Reputation: 64
The inf file is only used for installing, so you should check where the inf file stores the settings which devices to support, and edit it manually after installation. The question is if the .sys binary supports this at all.
Reply With Quote
  #6  
Old 02-25-2018, 23:07
chants chants is offline
VIP
 
Join Date: Jul 2016
Posts: 725
Rept. Given: 35
Rept. Rcvd 48 Times in 30 Posts
Thanks Given: 666
Thanks Rcvd at 1,053 Times in 478 Posts
chants Reputation: 48
But driver load should not cause a reinstallation (that would be a bad behavior), so it can be fixed on a device by device basis without even leaving the device manager and hand tweaking registry keys which require permission of SYSTEM.
Reply With Quote
  #7  
Old 02-26-2018, 01:01
Kerlingen Kerlingen is offline
VIP
 
Join Date: Feb 2011
Posts: 324
Rept. Given: 0
Rept. Rcvd 276 Times in 98 Posts
Thanks Given: 0
Thanks Rcvd at 308 Times in 95 Posts
Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299
Do any of these ideas work in WinPE? I would need to setup both devices during Windows setup in the preinstall environment and make sure Windows never removes one of them.

From the things I've tried so far all edits of the *.inf invalidated the signature and since the driver is a boot-time kernel-mode driver I can't just use any certificate to sign it, it would need to be a WHQL certificate from Microsoft.
Reply With Quote
  #8  
Old 02-26-2018, 01:19
chants chants is offline
VIP
 
Join Date: Jul 2016
Posts: 725
Rept. Given: 35
Rept. Rcvd 48 Times in 30 Posts
Thanks Given: 666
Thanks Rcvd at 1,053 Times in 478 Posts
chants Reputation: 48
I am assuming the driver is being included through dism add-driver option. Why not just mount the SYSTEM registry hive on the WinPE image and fix it based on seeing how the rollback blacklists it?

I think the testsigning option in the BCD should still work however even for boot level drivers.
Reply With Quote
  #9  
Old 02-27-2018, 01:16
bongos_man bongos_man is offline
Friend
 
Join Date: Aug 2016
Posts: 25
Rept. Given: 0
Rept. Rcvd 4 Times in 3 Posts
Thanks Given: 4
Thanks Rcvd at 25 Times in 14 Posts
bongos_man Reputation: 4
there is a lot of confusion in this thread. i have a valid code signing certificate, so i will try to clear up the misconceptions.

Quote:
Originally Posted by Upz View Post
You also can edit the .inf (if you are sure that this will work), delete the signature and then disable de driver signature enforcement feature to install the "new" driver
windows will not even load a driver that has no signature, regardless of how you boot. a pnp driver package typically needs a signed .sys and a signed .cat that vouches for it. "no signature" simply does not work.

Quote:
Originally Posted by deepzero View Post
The inf file is only used for installing, so you should check where the inf file stores the settings which devices to support, and edit it manually after installation. The question is if the .sys binary supports this at all.
you want him to take a registry comparison of before and after installing the driver and work backwards to determine what to add to the .inf? are you kidding?

Quote:
Originally Posted by Kerlingen View Post
Do any of these ideas work in WinPE? I would need to setup both devices during Windows setup in the preinstall environment and make sure Windows never removes one of them.
@chants is almost correct here, let me first correct one thing:

Quote:
Originally Posted by Kerlingen View Post
From the things I've tried so far all edits of the *.inf invalidated the signature and since the driver is a boot-time kernel-mode driver I can't just use any certificate to sign it, it would need to be a WHQL certificate from Microsoft.
an EV code signing certificate from a microsoft-approved CA is all that is required for most kernel drivers, you do not need to submit for whql except for boot-critical drivers (i am simplifying, in truth this has gotten more complicated as of windows 10 1607, but the details will not matter in your case). you can tell dism and the windows boot process to ignore the whql requirement, however you will still need to test sign your driver after you modify the .inf. this will be a multi-step process if you want the system to boot up with the drivers loaded without further manual intervention.

@Kerlingen first, please read this page in its entirety. you said your third-party driver is "boot-time kernel-mode", but kernel-mode does not imply "boot-time", or at least, it does not imply what most people think it does. since the driver for your PCI\002 device comes with a signed .cat, it is actually not boot-critical (as it would require an embedded signature), but rather a pnp driver; this is the case with nearly all drivers. the important parts of the page:

1. Adding Drivers - you will be using dism offline for this; however, see #3
2. Understanding Driver Ranking - this is how pnp will decide which driver to install
3. Understanding Digital Signature Requirements - you will need to resign the driver with a test signing certificate. you will also need to boot your image to add the test signing certificate to the image. you can *THEN* use dism to add the test-signed driver to the offline image

* how to create test signing certificates and test sign the driver. you will use a catalog file and the inf for this, not embedded signing
* how to use dism to add the driver to the offline image

i would suggest you start by trying to get windows to successfully install and load your driver on an already running system. in other words, edit the .inf, create and install the test signing certificate, create the .cat, sign it and the driver, enable test signing mode, reboot, install the driver, reboot again, and cross your fingers ;]

let me know if you have any questions and i can try to help more. this page also has some useful information if you're really stuck.

also, i'd just like to say that i spent a few hours digging up the references for this post and writing it (even though i do this stuff every day), if you (or anyone else) appreciates it, i would appreciate some rep, it seems to be given out rather sparingly these days even for high-quality posts. hard family to join ;]
Reply With Quote
The Following User Gave Reputation+1 to bongos_man For This Useful Post:
copyleft (02-27-2018)
The Following User Says Thank You to bongos_man For This Useful Post:
wild (02-27-2018)
  #10  
Old 02-27-2018, 04:40
Kerlingen Kerlingen is offline
VIP
 
Join Date: Feb 2011
Posts: 324
Rept. Given: 0
Rept. Rcvd 276 Times in 98 Posts
Thanks Given: 0
Thanks Rcvd at 308 Times in 95 Posts
Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299
Quote:
Originally Posted by bongos_man View Post
since the driver for your PCI\002 device comes with a signed .cat, it is actually not boot-critical (as it would require an embedded signature), but rather a pnp driver;
The driver is for a RAID controller and, like I wrote, driver.sys is signed both by the vendor and by Microsoft.

Quote:
i would suggest you start by trying to get windows to successfully install and load your driver on an already running system.
I can't install Windows if it doesn't detect any harddisk which could be used for installation.
If I install it with the default Microsoft driver and install the vendor driver on the running system, Windows will unload its own driver, which leads to an instant BSOD since the boot device becomes inaccessible.
I can only load the vendor driver during Windows setup, since WinPE is running from a RAM drive and losing access to the harddisk will not crash it.
Reply With Quote
  #11  
Old 02-27-2018, 05:52
bongos_man bongos_man is offline
Friend
 
Join Date: Aug 2016
Posts: 25
Rept. Given: 0
Rept. Rcvd 4 Times in 3 Posts
Thanks Given: 4
Thanks Rcvd at 25 Times in 14 Posts
bongos_man Reputation: 4
Quote:
Originally Posted by Kerlingen View Post
The driver is for a RAID controller and, like I wrote, driver.sys is signed both by the vendor and by Microsoft.
thank you for the clarification. distribution via windows update also, if i recall correctly, requires whql, so i figured the driver had gone through that process. i apologize for my tone; i should not have assumed that you might have not known about this detail (microsoft hardly documents it themselves).

Quote:
I can't install Windows if it doesn't detect any harddisk which could be used for installation.
If I install it with the default Microsoft driver and install the vendor driver on the running system, Windows will unload its own driver, which leads to an instant BSOD since the boot device becomes inaccessible.
I can only load the vendor driver during Windows setup, since WinPE is running from a RAM drive and losing access to the harddisk will not crash it.
is it mandatory that the windows in-box driver for your PCI\001 be working right now? in other words, can you add the vendor driver via the procedure outlined here for adding boot-critical drivers to winPE, install to a drive on the now-visible PCI\002, then use this installation to begin with the process i outlined?
Reply With Quote
  #12  
Old 02-27-2018, 17:55
Kerlingen Kerlingen is offline
VIP
 
Join Date: Feb 2011
Posts: 324
Rept. Given: 0
Rept. Rcvd 276 Times in 98 Posts
Thanks Given: 0
Thanks Rcvd at 308 Times in 95 Posts
Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299
I don't really need to integrate the drivers into Windows setup, I don't care if I need to manually load the drivers each time, I just need both of them to be loaded at the same time.

PCI\001 = SSD connected to AHCI controller
PCI\002 = HDDs connected to RAID controller

Windows will detect AHCI out of the box, but not the RAID controller. If I load the driver for the RAID controller, Windows will unload the AHCI driver (since the RAID driver.inf claims it would support the AHCI and the RAID DeviceIDs, but it only detects the RAID controller).

For obvious reasons I want to install Windows on the SSD and use the HDDs for data storage. Currently I can only use either SSD or HDDs, not both.

I deliberately asked an "unspecified" question starting the topic since I didn't want to inflate a bigger problem-complex which I already had reduced to one specific single problem.
Reply With Quote
  #13  
Old 02-28-2018, 17:29
bongos_man bongos_man is offline
Friend
 
Join Date: Aug 2016
Posts: 25
Rept. Given: 0
Rept. Rcvd 4 Times in 3 Posts
Thanks Given: 4
Thanks Rcvd at 25 Times in 14 Posts
bongos_man Reputation: 4
Quote:
Originally Posted by Kerlingen View Post
I don't really need to integrate the drivers into Windows setup, I don't care if I need to manually load the drivers each time, I just need both of them to be loaded at the same time.

PCI\001 = SSD connected to AHCI controller
PCI\002 = HDDs connected to RAID controller

Windows will detect AHCI out of the box, but not the RAID controller. If I load the driver for the RAID controller, Windows will unload the AHCI driver (since the RAID driver.inf claims it would support the AHCI and the RAID DeviceIDs, but it only detects the RAID controller).

For obvious reasons I want to install Windows on the SSD and use the HDDs for data storage. Currently I can only use either SSD or HDDs, not both.

I deliberately asked an "unspecified" question starting the topic since I didn't want to inflate a bigger problem-complex which I already had reduced to one specific single problem.
you would need to get the drivers into windows setup somehow so that you don't get the bsod issue (because you'd install onto the raid controller to prevent it, do all this work, then reinstall onto the SSDs with the new driver running PCI\001), or, you can take advantage of this thread to modify the .inf to remove the listed support for PCI\001 from your driver. better move fast on that thread, by the way ;]
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
making patch hex editing in .net js78955 General Discussion 4 01-21-2015 04:26
editing Debug Information Directory in a PE file jonwil General Discussion 6 01-15-2005 06:18
Editing a .key file? peedizzle General Discussion 1 09-09-2004 00:49


All times are GMT +8. The time now is 20:46.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )