Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

If you make modifications to a driver package and need to re-sign the package, the easiest method is to sign it with a Microsoft Authenticode code signing certificate. This can be done with the following procedure:
1. Start from a known working driver package .inf file from the latest MLA release.
2. Modify the .inf as desired. The .inf file is a plain text (e.g., editable with Notepad) installation instruction/information file that tells the OS what driver needs to be used for the hardware, and anything else that may need to happen during the driver installation process. When changing the .inf file device list sections, please remove all existing Microchip VID/PIDs before replacing them with your own. The manufacturer and product strings should also be updated as applicable for your device.
3. Delete the security catalog file (.cat) that is already supplied with the package. After modifying the .inf file, the security catalog file will no longer be valid and you will need to create a new one.
4. Download the latest version of the Windows Driver Kit (WDK) from Microsoft (this is currently at: http://msdn.microsoft.com/en-us/library/windows/hardware/gg487428.aspx). Version 8.0 or later is needed (prior versions don’t have awareness of Windows 8 specifics).
5. Use the “Inf2Cat” utility in the WDK to re-generate a new .cat file from the modified .inf file.
   1. Inf2Cat is a command line utility. Open a command prompt, navigate to the directory of the inf2cat tool, and then run it at the command line to get a small help/explanation of usage syntax. The program is typically located in the following location:
      C:\Program Files\Windows Kits\8.0\bin\x64 (or \x86 folder for 32-bit OS)
   2. Typical usage syntax would be similar to the following (all on one line):
      inf2cat /driver:C:\[path to dir with .inf file] /os:XP_X86,XP_X64,Vista_X86,Vista_X64,7_X86,7_X64,8_X86,8_X64,Server2003_X86,Server2003_X64,Server2008_X86,Server2008_X64,Server2008R2_X64,Server8_X64
   Assuming the inf2cat utility runs successfully, it will generate a “raw” .cat file. The .cat file will still need to be signed in order to be useful.
6. If your organization does not already have one, purchase a code signing certificate from a Certificate Authority (CA) such as VeriSign (now Symantec Corporation). See the section “Obtaining a Microsoft Authenticode Code Signing Certificate” for more details.
7. Use the “signtool.exe” utility, along with the signing certificate purchased from the CA, to sign the .cat file. The signtool utility is a small Microsoft program that is distributed in the Windows SDK (and/or in older versions of the WDK, prior to v8.0). The Windows SDK can currently be obtained from:
   http://msdn.microsoft.com/en-us/windows/desktop/hh852363.aspx
   Typical syntax when using the signtool would be as follows (when executed in the directory of the .cat file, assuming the directory of the signtool is in the path, the certificate has a .pfx extension without a password, and the certificate resides on "E:", like a typical USB flash drive):
   signtool sign /v /f "E:\[path to certificate]\[certificate file name].pfx" /t http://timestamp.verisign.com/scripts/timestamp.dll [FileNameToSign.cat]
8. Verify that the signature has been properly applied using the verify command line option:
1.7 Appendix (FAQs, Important MLA - USB Library Help Driver Signing and Windows 8
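
The procedure above (steps 3, 5 and 7, followed by a signature check) as one PowerShell script. This is an added example, not part of the original help text: the parameter names and default paths are placeholders, and the final check uses the PowerShell cmdlet Get-AuthenticodeSignature rather than the signtool verify option that step 8 refers to.

```powershell
# Added example: re-sign a modified driver package and check the result.
# All default paths are placeholders (assumptions); adjust them for your system.
param(
    [string]$PackageDir   = 'C:\drivers\mypackage',    # directory holding the edited .inf
    [string]$PfxPath      = 'E:\certs\codesign.pfx',   # code signing certificate (.pfx, no password)
    [string]$Inf2Cat      = 'C:\Program Files\Windows Kits\8.0\bin\x64\Inf2Cat.exe',
    # Timestamp URL as given in the text; use your CA's current timestamp service.
    [string]$TimestampUrl = 'http://timestamp.verisign.com/scripts/timestamp.dll'
)
$ErrorActionPreference = 'Stop'

# OS list as given in the text, joined into the single /os: argument Inf2Cat expects.
$osList = @('XP_X86','XP_X64','Vista_X86','Vista_X64','7_X86','7_X64','8_X86','8_X64',
            'Server2003_X86','Server2003_X64','Server2008_X86','Server2008_X64',
            'Server2008R2_X64','Server8_X64') -join ','

# Step 3: the shipped catalog no longer matches the edited .inf, so remove it.
Get-ChildItem -Path $PackageDir -Filter *.cat | Remove-Item -Force

# Step 5: regenerate the raw (unsigned) catalog from the modified .inf.
& $Inf2Cat "/driver:$PackageDir" "/os:$osList"
if ($LASTEXITCODE -ne 0) { throw "Inf2Cat failed with exit code $LASTEXITCODE" }

$cats = @(Get-ChildItem -Path $PackageDir -Filter *.cat)
if ($cats.Count -eq 0) { throw "Inf2Cat produced no .cat file in $PackageDir" }

# Step 7: sign and timestamp each catalog (signtool.exe must be on the PATH).
foreach ($cat in $cats) {
    & signtool.exe sign /v /f $PfxPath /t $TimestampUrl $cat.FullName
    if ($LASTEXITCODE -ne 0) { throw "signtool failed on $($cat.Name)" }
}

# Check: every catalog must carry a signature that Windows reports as Valid.
foreach ($cat in $cats) {
    $sig = Get-AuthenticodeSignature -FilePath $cat.FullName
    if ($sig.Status -ne 'Valid') {
        throw "$($cat.Name): signature status is $($sig.Status) ($($sig.StatusMessage))"
    }
    if (-not $sig.TimeStamperCertificate) {
        # Without a timestamp the signature stops validating when the certificate expires.
        Write-Warning "$($cat.Name): signature has no timestamp"
    }
    '{0}: signed by {1}' -f $cat.Name, $sig.SignerCertificate.Subject
}
```

Any later edit to the .inf invalidates the catalog again, so rerun the whole script after each change rather than only the signing step.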