WinVerifyTrust returns CERT_E_UNTRUSTEDROOT for a valid (loaded) driver


In the following code snippet, WinVerifyTrust returns CERT_E_UNTRUSTEDROOT for a kernel driver file (.sys) that is loaded and running on the system:

   #include <windows.h>
   #include <wintrust.h>
   #include <softpub.h>      /* DRIVER_ACTION_VERIFY, WINTRUST_ACTION_GENERIC_VERIFY_V2 */
   #include <stdio.h>
   #pragma comment(lib, "wintrust.lib")

   int wmain(int argc, wchar_t *argv[])
   {
      GUID               guidAction = DRIVER_ACTION_VERIFY;
      WINTRUST_FILE_INFO sWintrustFileInfo = { 0 };
      WINTRUST_DATA      sWintrustData = { 0 };
      LONG               lStatus = 0;     /* WinVerifyTrust returns a LONG, not an HRESULT */

      if (argc < 2) { fwprintf(stderr, L"usage: %s <driver.sys>\n", argv[0]); return 1; }

      sWintrustFileInfo.cbStruct      = sizeof(WINTRUST_FILE_INFO);
      sWintrustFileInfo.pcwszFilePath = argv[1];   /* wide path, hence wmain */
      sWintrustFileInfo.hFile         = NULL;

      sWintrustData.cbStruct            = sizeof(WINTRUST_DATA);
      sWintrustData.dwUIChoice          = WTD_UI_NONE;
      sWintrustData.fdwRevocationChecks = WTD_REVOKE_NONE;
      sWintrustData.dwUnionChoice       = WTD_CHOICE_FILE;
      sWintrustData.pFile               = &sWintrustFileInfo;
      sWintrustData.dwStateAction       = WTD_STATEACTION_VERIFY;

      lStatus = WinVerifyTrust((HWND)INVALID_HANDLE_VALUE, &guidAction, &sWintrustData);
      wprintf(L"WinVerifyTrust returned 0x%08lx\n", (unsigned long)lStatus);

      /* WTD_STATEACTION_VERIFY leaves hWVTStateData open; release it. */
      sWintrustData.dwStateAction = WTD_STATEACTION_CLOSE;
      WinVerifyTrust((HWND)INVALID_HANDLE_VALUE, &guidAction, &sWintrustData);
      return lStatus == ERROR_SUCCESS ? 0 : 1;
   }

A few interesting points:

- The driver is signed with a valid (purchased) certificate using SHA-256.
- KB3033929 is installed on the system (Win7/32).
- When viewing the certificate from the file properties, the entire certification chain shows up as valid.

Am I calling WinVerifyTrust wrong?

Alternative question: is there another way of knowing (by the presence of a registry key or something similar) that SHA-256-based code signing verification is available on the target system? (I need to verify this during installation...)

Thanks :)

There is 1 answer

Sreejith. D. Menon
DRIVER_ACTION works well for WHQL afaik. Try
GUID WINTRUST_ACTION_GENERIC_VERIFY_V2

Here is something else you can refer to: http://gnomicbits.blogspot.in/2016/03/how-to-verify-pe-digital-signature.html
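The script below is an added example, not code from the question or the answer. It covers both threads of the discussion: it verifies a driver's Authenticode signature through WinTrust (generic verification, as the answer recommends, rather than the WHQL-oriented DRIVER_ACTION_VERIFY), walks the signer's certificate chain so you can see which element fails to reach a trusted root (the condition CERT_E_UNTRUSTEDROOT reports), and performs the installer-time check from the second question by looking for KB3033929 on Windows 7 / Server 2008 R2. The driver path is an assumed parameter; revocation checking is disabled to match the WTD_REVOKE_NONE setting in the question.

```powershell
# Added example (not from the original post): Authenticode check plus a
# KB3033929 presence check for SHA-256 code-signing support.
param(
    [Parameter(Mandatory = $true)]
    [string]$DriverPath   # e.g. C:\Windows\System32\drivers\mydriver.sys (assumed)
)

# 1. Signature verification through WinTrust. Status is 'Valid' on success;
#    StatusMessage carries the chain/trust error text otherwise.
$sig = Get-AuthenticodeSignature -FilePath $DriverPath
"Signature status : {0}" -f $sig.Status
"Status message   : {0}" -f $sig.StatusMessage
if ($sig.SignerCertificate) {
    "Signer           : {0}" -f $sig.SignerCertificate.Subject
    "Cert signed with : {0}" -f $sig.SignerCertificate.SignatureAlgorithm.FriendlyName
}

# 2. Build the signer's chain explicitly and print each element with its
#    signature algorithm and status flags, so an untrusted root is visible.
if ($sig.SignerCertificate) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # same as WTD_REVOKE_NONE
    $built = $chain.Build($sig.SignerCertificate)
    "Chain builds     : {0}" -f $built
    foreach ($el in $chain.ChainElements) {
        $flags = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        if (-not $flags) { $flags = 'NoError' }
        "  {0} [{1}] {2}" -f $el.Certificate.Subject,
            $el.Certificate.SignatureAlgorithm.FriendlyName, $flags
    }
}

# 3. SHA-256 code-signing support on Windows 7 / Server 2008 R2 (NT 6.1) was
#    delivered by KB3033929; Windows 8 and later have it built in. Get-HotFix
#    reads Win32_QuickFixEngineering, which is what an installer can query.
$os = [Environment]::OSVersion.Version
if ($os.Major -eq 6 -and $os.Minor -le 1) {
    $kb = Get-HotFix -Id KB3033929 -ErrorAction SilentlyContinue
    if ($kb) { "KB3033929        : installed on {0}" -f $kb.InstalledOn }
    else     { "KB3033929        : NOT installed; SHA-256 signatures will not verify" }
} else {
    "KB3033929        : not required on this OS version ({0})" -f $os
}
```

Run it as `.\Check-DriverSignature.ps1 -DriverPath C:\path\to\driver.sys` (script name assumed). One caveat for the installer check: Get-HotFix only lists updates registered with QFE, so if a later rollup superseded KB3033929 on a given machine the query may come back empty even though SHA-256 support is present; treat a positive Authenticode result on a SHA-256-signed file as the authoritative signal and the hotfix lookup as a hint.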