How to sign drivers on Windows step by step

Last updated: 17/12/2025
Author: Isaka
  • Windows requires valid digital signatures on most 64-bit drivers, especially kernel-mode drivers, to ensure integrity and security.
  • The signature can be applied to both binaries and catalogs, using tools such as SignTool or Visual Studio and certificates issued by trusted authorities.
  • Self-signed certificates make it easier to develop and test unsigned drivers on Windows 7, 8.1 and 10 x64, but they do not replace a commercial signature for public distribution.
  • Compatibility across Windows versions depends on using suitable hash algorithms (such as SHA2) and following Microsoft and WHQL guidelines.

Signing a driver on Windows may seem, at first, like something only advanced developers do, but if you work with devices, custom drivers or test environments, sooner or later you will run into this requirement. On modern systems, especially 64-bit ones, Windows no longer trusts just any binary that tries to get into the kernel: it demands valid digital signatures, modern algorithms such as SHA2 and, in many cases, certification through Microsoft.

In the following lines we will calmly look at what signing a driver really means, the difference between kernel mode and user mode, how it affects 64-bit Windows 7, 8, 8.1 and 10, what role tools such as SignTool or Visual Studio play, and what options you have both in development environments (test or self-signed certificates) and for public release with certificates issued by a trusted authority.

What is driver signing on Windows and why is it mandatory?

Driver signing on Windows involves attaching a digital signature to the driver package (binary files, INF files, the catalog, etc.) to guarantee two things: that nobody has modified the files since they were created, and that they really come from the stated publisher (the software vendor or hardware manufacturer).

In practice, during device installation Windows uses these digital signatures to verify the integrity of the package and the identity of the publisher. If something does not match (a corrupted signature, an untrusted certificate, a wrong hash, etc.), the system will show warnings, block the installation, or simply refuse to load the driver.

From 64-bit Windows Vista onwards, and especially on Windows 7, 8, 8.1 and 10 x64, the kernel-mode security policy is clear: any driver that will run in the kernel must be properly signed. Otherwise the driver will not load, the device may not work, and blue screens may appear if invalid binaries are forced to load.

If you decide to certify your driver with Microsoft, you can submit it to the Windows Hardware Quality Labs (WHQL) certification process. If the driver package passes the certification tests, Microsoft provides its official WHQL signature. This not only improves trust and compatibility, but also lets you distribute the driver through Windows Update and other Microsoft-supported distribution channels.

It is important to remember that starting with Windows 10 version 1507, all drivers signed through the Microsoft Hardware Development Center are signed using SHA2 as the hash algorithm. SHA1 is obsolete in these scenarios, and mixing in older certificates can cause problems, especially on newer systems.

Differences between kernel-mode and user-mode driver signatures

Windows supports drivers that run in kernel mode and in user mode. The signing policy is not exactly the same in both environments, although it tends to get stricter with each new version of the operating system.

Kernel-mode drivers are the most sensitive because they run in the system kernel and have privileged access to memory and hardware. On 64-bit versions of Windows Vista and later, these drivers must be signed in order to load. This restriction is directly tied to system stability and to protection against malware that tries to inject itself at a low level.

User-mode drivers, on the other hand (for example, many printer drivers and other add-on components), initially did not carry such a strict obligation. In fact, in older versions of Windows it was not an absolute requirement for these drivers to be signed. However, Microsoft has always recommended signing them for security reasons, and since Windows 8 there are scenarios in which certain types of user-mode drivers must be signed.

A typical example: a printer driver installed on an x64 computer usually shows a dialog box during installation asking for the user's confirmation. In practice, that package must be properly signed for the installation to proceed without being blocked or raising serious security warnings.

The general idea is that, although the requirement is not universal in user mode, Microsoft pushes hard for all driver-related software to be signed. Signing makes it possible to reliably verify who created it, to detect tampering, and to reduce the risk of malicious components slipping in while posing as legitimate drivers.

Signature requirements and SHA algorithms across Windows versions

One of the most troublesome aspects is compatibility between Windows versions and hash algorithms such as SHA1 and SHA2. Many developers run into drivers that work on one system but not on another, and much of the blame lies with changes in signing policies.

On older systems, such as 64-bit Windows 7 or 8, it was common to work with SHA1-based certificates and signatures, even though Microsoft had already warned that SHA1 was no longer secure. As development moved on to Windows 8.1 and 10, SHA2 became the standard for code and driver signatures.

In practice, some manufacturers chose to sign their kernel-mode binaries with two certificates (SHA1 and SHA2) issued by non-Microsoft authorities. These dual-signed binaries, in some cases, fail to load on Windows versions prior to Windows 10, and on some Windows 10 systems they can even cause serious crashes or blue screens.

To mitigate these problems, Microsoft released specific patches, such as update KB 3081436. Installing this update on affected systems fixes the incompatibility with certain SHA2-signed drivers, and the SHA hash values for reference are listed in the “Additional Information – File hash information” section of that support article.

If you are going to distribute drivers that need to work on multiple Windows versions, it is essential to review the per-version signature requirements documented in detail by Microsoft. They specify which algorithms are valid, how backward compatibility is handled, and which signature combinations (catalog, embedded binary, cross-certificates, etc.) are officially accepted.

User-mode driver signing: recommendations and resources

Although the kernel usually gets most of the attention, user-mode driver signing also deserves attention. Microsoft did not strictly enforce it from the start, but it does strongly recommend it, in order to preserve system security and give the end user confidence.

A user-mode driver signature basically performs the same functions as one in kernel mode: it identifies the driver's vendor (manufacturer, ISV, etc.) and guarantees that the package has not been altered since it was signed. When a user installs, for example, a printer with user-mode drivers on an x64 computer, the installation wizard may show a dialog asking whether the publisher is trusted. If the signature is valid and the certificate belongs to a recognized company, the installation goes smoothly and with far fewer warnings.

Microsoft provides a series of documents and tutorials that go into the signing process in depth, many of them originally designed for kernel mode but also applicable to user mode. The main topic on driver signing and the topic “How to sign a kernel module” within the kernel-mode code signing tutorial are good starting points for understanding the general concept of code signing on Windows.

In addition, the Windows Driver Kit (WDK) installation includes a help file called selfsign_readme.htm, located in the selfsign directory. This document explains how to generate test certificates and how to use them during development, which is very useful when you do not yet have a certificate issued by a trusted root authority.

In short, although a user-mode driver can run without a signature in some scenarios, it should be treated as if signing were mandatory. This is for reasons of security, brand image, and compatibility with the Windows installation wizards. Signing the driver is the most sensible thing you can do.

Signing kernel-mode drivers on Windows 7 and 8 using SignTool

If you work with 64-bit Windows 7 and 8, one of the most common ways to sign kernel-mode drivers is to use the SignTool command-line tool. Included in the Windows SDK, this utility lets you sign files and verify existing signatures, and offers plenty of options to suit different scenarios.

Some of the most important SignTool options are the following:

  • /ac: specifies an additional certificate, for example the cross-certificate that links your certificate to a trusted root authority.
  • /f: indicates the file that contains the signing certificate (usually a .pfx).
  • /p: supplies the password associated with the signing certificate stored in the .pfx file.
  • /fd: defines the hash algorithm used when creating the file signature, for example /fd sha256 to produce a SHA256-based signature (if nothing is specified, SHA1 is usually the default in older versions).
  • /n "Certificate common name": lets you select a specific certificate from the Windows certificate store based on its common name (CN).
  • /t: specifies a timestamp server compatible with the Microsoft Authenticode scheme.
  • /tr: indicates an RFC 3161-compliant timestamp server, the more modern option and the one recommended for new deployments.

When you work on your own driver project, it is important to know which files need to be signed. For the driver to install correctly on Windows 7 or 8, you must sign all the relevant project files (for example, the .sys files) as well as the catalog file (.cat) that covers the set of files in the package.

You have two main options: you can copy those files to a working folder where SignTool is available, or move them directly to the Windows SDK bin folder and run the tool from there. The important thing is to have at hand both the binaries and the certificates you will use for signing.

A typical scenario involves obtaining a suitable code-signing certificate, for example a "Microsoft Cross Certificate" issued by GlobalSign or another trusted authority. You place that cross-certificate (CrossCert.crt) in your working folder together with your main code-signing certificate (for example, CodeSign.pfx) and run a command like this one:

signtool sign /ac CrossCert.crt /f CodeSign.pfx /p password1234 /tr http://timestamp.globalsign.com/tsa/r6advanced1 filter.sys

This command creates a signature that includes the cross-certificate and obtains a timestamp from GlobalSign's RFC 3161 server. The timestamp is key because it proves that the file was signed on a date when the certificate was valid, even if the certificate expires later.

After signing the file, it is time to check that everything is in order. This is usually done with a verification command like the following:

signtool verify -v -kp filename.sys

The -v option forces verbose output, showing detailed information about the certificate chain, and the -kp option verifies the signature against the code-signing policy specific to kernel-mode drivers. If everything went well, you will see output indicating that the signature and the certificate chain are correct.

Finally, it is recommended to repeat the same signing and verification process with the package's .cat file. Once both the binaries and the catalog have been properly signed, the driver can be installed on Windows 7 and 8 x64 without security problems, and during the installation wizard the trusted publisher information and the usual system dialogs should appear.
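
The sign-then-verify procedure above, applied to every .sys file and the .cat file of a package in one PowerShell pass (an added example, not part of the original article). It assumes signtool.exe is on PATH, a hypothetical .\package folder, and the PFX password held in a PFX_PASSWORD environment variable rather than typed in clear text into the script; /td, which sets the RFC 3161 timestamp digest, is a SignTool option not listed above.

```powershell
# Added example, not from the original article.
# Assumptions: signtool.exe is on PATH, the package lives in .\package (hypothetical),
# and the PFX password is supplied in the PFX_PASSWORD environment variable.
$ErrorActionPreference = 'Stop'

$PackageDir = '.\package'          # hypothetical folder holding filter.sys and its .cat
$CrossCert  = '.\CrossCert.crt'    # cross-certificate file named in the article
$Pfx        = '.\CodeSign.pfx'     # code-signing certificate named in the article
$TsUrl      = 'http://timestamp.globalsign.com/tsa/r6advanced1'  # RFC 3161 server from the article

if (-not $env:PFX_PASSWORD) { throw 'Set PFX_PASSWORD before running this script.' }

# Binaries first, then the catalog, in the order the article follows.
$targets = @(Get-ChildItem -Path $PackageDir -Filter '*.sys') +
           @(Get-ChildItem -Path $PackageDir -Filter '*.cat')
if ($targets.Count -eq 0) { throw "No .sys or .cat files found in $PackageDir" }

foreach ($file in $targets) {
    # /fd and /td select SHA256 for the file digest and the timestamp digest.
    & signtool sign /v /ac $CrossCert /f $Pfx /p $env:PFX_PASSWORD `
        /fd sha256 /tr $TsUrl /td sha256 $file.FullName
    if ($LASTEXITCODE -ne 0) { throw "Signing failed for $($file.Name)" }

    # /kp checks the result against the kernel-mode driver signing policy.
    & signtool verify /v /kp $file.FullName
    if ($LASTEXITCODE -ne 0) { throw "Verification failed for $($file.Name)" }

    Write-Host "Signed and verified: $($file.Name)"
}
```

The script stops at the first file whose signing or kernel-policy verification returns a non-zero exit code, so a package is never left half-signed without notice.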

To explore all the variants of this tool in depth, Microsoft maintains a complete SignTool command reference, as well as a dedicated tutorial on kernel-mode code signing and documentation devoted to digital signatures for kernel modules on Windows. These resources cover special cases, advanced parameters, and the particulars of each version of the system.