@joshfinley
Last active March 31, 2025 16:36
Simple ELAM driver test signing script
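@echo off
REM ============================================================
REM Simple ELAM Driver Signing Script
REM ============================================================
REM Creates a self-signed test certificate that carries the Early
REM Launch Antimalware driver EKU (1.3.6.1.4.1.311.61.4.1) and the
REM code-signing EKU (1.3.6.1.5.5.7.3.3), then signs the driver
REM passed as the first argument with that certificate.
REM
REM Usage:     CustomDriverSigning.bat "path\to\driver.sys"
REM Exit code: 0 on success, 1 on any failure.
REM
REM Scope: the certificate is self-signed, its private key is marked
REM exportable (-pe), and it is stored in the current user's
REM PrivateCertStore. Anything signed with that key is accepted by a
REM machine that trusts the certificate, so keep the certificate and
REM any root-store trust for it on a dedicated test machine or VM.
REM
REM To integrate with Visual Studio, update your SDK version
REM paths below, disable default test signing, and add
REM a post-build event to your build configurations in the
REM driver VCXPROJ. For example, near the top, add:
REM
REM <PropertyGroup>
REM <SignMode>Off</SignMode>
REM </PropertyGroup>
REM
REM And then in your build configurations, add the post-build action:
REM
REM <PostBuildEvent>
REM <Command>call "$(ProjectDir)CustomDriverSigning.bat" "$(TargetPath)"</Command>
REM <Message>Custom signing driver with makecert and signtool</Message>
REM </PostBuildEvent>

REM Delayed expansion is left off: nothing here needs !var!, and with it
REM enabled a "!" in a path would be consumed.
setlocal

echo Starting ELAM driver signing process...

REM Set paths to tools based on your system.
REM Values are stored without quotes and quoted where they are used, so
REM the "(x86)" parentheses cannot close an if-block by accident.
set "MAKECERT_PATH=C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x86\MakeCert.exe"
set "SIGNTOOL_PATH=C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x86\signtool.exe"

REM Set certificate details
set "CERT_NAME=DevElamCert"
set "CERT_SUBJECT_NAME=CN=DevElamCert"
set "CERT_STORE=PrivateCertStore"
set "CERT_FILENAME=%cd%\DevElamCert.cer"

REM Parse command line arguments.
REM %~1 strips the quotes the post-build event puts around $(TargetPath);
REM comparing a still-quoted path that contains spaces breaks the if.
set "DRIVER_FILE=%~1"
if "%DRIVER_FILE%"=="" (
    echo Error: Please specify the driver file to sign.
    echo Usage: "%~nx0" [driver_file]
    exit /b 1
)
if not exist "%DRIVER_FILE%" (
    echo Error: Driver file not found: "%DRIVER_FILE%"
    exit /b 1
)
echo Driver file: "%DRIVER_FILE%"

REM Fail early with a clear message when the SDK paths above are stale.
if not exist "%MAKECERT_PATH%" (
    echo Error: MakeCert.exe not found at "%MAKECERT_PATH%"
    echo Update MAKECERT_PATH to match your installed Windows SDK version.
    exit /b 1
)
if not exist "%SIGNTOOL_PATH%" (
    echo Error: signtool.exe not found at "%SIGNTOOL_PATH%"
    echo Update SIGNTOOL_PATH to match your installed Windows SDK version.
    exit /b 1
)

REM Create ELAM certificate.
REM -r self-signed, -pe exportable private key, -ss/-sr target store.
REM NOTE(review): each run adds another certificate with the same subject
REM to %CERT_STORE%; prune old ones if signtool's automatic selection (/a)
REM picks an unexpected certificate.
echo Creating ELAM certificate...
"%MAKECERT_PATH%" -a SHA256 -r -pe -ss "%CERT_STORE%" -n "%CERT_SUBJECT_NAME%" -sr currentuser -eku 1.3.6.1.4.1.311.61.4.1,1.3.6.1.5.5.7.3.3 "%CERT_FILENAME%"
if errorlevel 1 (
    echo Error: Failed to create certificate.
    echo Make sure you're running this script as Administrator.
    exit /b 1
)
echo Certificate created successfully at "%CERT_FILENAME%"

REM Sign the driver.
REM /ph embeds page hashes; /tr + /td request an RFC 3161 SHA-256 timestamp.
echo Signing ELAM driver...
"%SIGNTOOL_PATH%" sign /fd SHA256 /a /ph /s "%CERT_STORE%" /n "%CERT_NAME%" /td sha256 /tr http://timestamp.digicert.com "%DRIVER_FILE%"
if errorlevel 1 (
    echo Error: Failed to sign the driver.
    echo Trying alternative timestamp server...
    REM The retry changes only the timestamp server; a failure with any
    REM other cause will fail here as well.
    "%SIGNTOOL_PATH%" sign /fd SHA256 /a /ph /s "%CERT_STORE%" /n "%CERT_NAME%" /td sha256 /tr http://timestamp.sectigo.com "%DRIVER_FILE%"
    if errorlevel 1 (
        echo Error: All signing attempts failed.
        exit /b 1
    )
)
echo ELAM driver signed successfully.
echo.

REM The steps below lower code-integrity enforcement on the machine where
REM they are applied: test signing mode accepts test-signed kernel drivers,
REM and a root-store entry makes this self-signed certificate trusted.
REM Undo both (bcdedit /set testsigning off, remove the certificate) when
REM testing is finished.
echo IMPORTANT: To use this custom-signed ELAM driver:
echo 1. Enable test signing mode: bcdedit /set testsigning on
echo 2. You may need to add the certificate to your trusted root certificates
echo 3. Restart your computer
echo.
exit /b 0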