ELAM service cert issues

  • Thread starter: Archimedes.Syracuse

Archimedes.Syracuse

Guest
Hello, I've been experimenting with the ELAM driver sample (MS GitHub) and ELAM sample. However, following the MS docs "Protecting Anti-Malware Services - Win32 apps", I cannot start the service as protected and get an error at the last stage, StartService(): 0x241 "Windows cannot verify the digital signature for this file".

My environment is: Win 10 1909, with Test Mode enabled. Both the ELAM driver and the ELAM service are signed with the same self-created ELAM key, following the above link, and the ELAM driver has the SHA256 hash from the ELAM service (certmgr generated) embedded inside its .RC.

The (test-signed) ELAM boot driver starts fine and monitors all boot drivers, then unloads at the end of Windows boot as per ELAM requirements. But I've tried dynamically opening the handle to the ELAM driver from the service and attempting to make it protected as the above link states, and loading it from boot. Both methods produce the cert issue error.

Do I need to cross-sign with Microsoft, even just for basic testing of ELAM capability in Test Mode? We want to evaluate the process protections it gives before investing in the Microsoft MVI thing for ELAM certs.
