
Implementing Pseudo-Signed Driver Certificates with Self-Built Timestamp Servers

Primary language: PowerShell. License: MIT.


Driver Signing with Self-Signed Fake Timestamp Servers




Introduction


Code signing certificates are expensive. On Windows, driver signing requires an EV code signing certificate for WHQL certification, which costs several thousand yuan per year. For an individual developer, or for someone who only needs to test a driver, buying an EV code signing certificate from a recognized CA is uneconomical, and it also requires company verification, which is a complicated and time-consuming process. Microsoft suspended the issuance of the cross-signing CA certificates for EV driver signing in July 2019, which means that an EV code signing certificate issued after that date cannot be used to sign drivers directly and WHQL certification is required. Certificates issued before that date, however, can still be used to sign directly. Some leaked EV code signing certificates circulate online. Combined with a self-built timestamp service, they can be used to produce pseudo-signed drivers: the timestamp function forges the signing time so that it falls within the validity period of the leaked certificate, and the driver then passes signature verification.

Disclaimers


This article involves network security experiments. Reading this article means that you have read, fully understood, and committed to complying with all the following terms and conditions:

"Driver Signing with Self-Signed Fake Timestamp Servers" Disclaimers - English

Welcome to research and conduct the experiment on "Driver Signing with Self-Signed Fake Timestamp Servers".

Before using this experiment, please carefully read and agree to the following disclaimer license terms.

Continuing means that you agree to all the terms. If you do not agree with any content of these license terms, please immediately stop conducting this experiment and delete all content and its derivative data.

  1. Explanation of Terms
    1. "Experimental Content": This includes the technology (including but not limited to code, files, steps) and its derivative content provided by this website experiment.
    2. "Violation of laws and regulations": refers to a violation of the relevant laws and regulations mentioned in this agreement and in your country or region, as well as their relevant provisions.
    3. "Author": The provider of this experimental technology, including the creator of this document, website provider, and other assistance providers.
    4. "User": The subject who uses the technology provided in this experiment (including but not limited to: code, files, steps) and its derivative content.
  2. Experimental Purpose
    1. This experiment aims to provide practical learning and technical research on network security technology.
    2. This experiment is only for individuals or groups to conduct non-commercial technological exploration.
  3. Usage Restrictions
    1. You promise that the principles of this experiment will only be used for experiments, security technology testing and technical experiments, and will not be used in confidential or important production environments.
    2. You are not allowed to use it for any activities that violate laws and regulations, including but not limited to criminal behavior, fraud, damage to computer information systems, etc.
  4. Legal Compliance
    1. You shall comply with the Cybersecurity Law of the People's Republic of China and shall not use any technology on this website for illegal or criminal activities.
    2. You shall comply with Article 286 (1) of the Criminal Law of the People's Republic of China and shall not use any technology on this website to damage the computer information system.
    3. You shall comply with Article 32 of the Electronic Signature Law of the People's Republic of China and shall not use any technology of this website to forge, impersonate, or embezzle the electronic signature of others.
    4. You shall comply with the laws and regulations of China and other countries and regions where you are located, and shall not use any technology on this website to violate laws and regulations, or cause problems or losses to any other individual or group.
  5. Disclaimer
    1. This experiment is only for technical experiments and security technology testing, and the author is not responsible for the user's behavior.
    2. The principles of this experiment are published on GitHub and can be freely accessed and used by anyone. The author is not responsible for the behavior of users of the experiment.
    3. The principles of this experiment may have technical, security, or other issues, and users are required to bear the risk of use and take necessary security measures to protect their own and others' interests.
    4. The author shall not be liable for any direct or indirect losses arising from the use of the principles of this experiment, including but not limited to profit losses, data losses, business interruptions, etc.
    5. This website reserves the right to interrupt or terminate this service at any time without prior notice to users.
  6. Violations
    1. If you violate any of the above terms, you will fully and independently bear any legal and other responsibilities and consequences that may arise.

Please carefully read and understand the above disclaimer terms before using this service.

If you agree and accept the above terms, please continue to use this experiment.

If you have any questions or need further explanation, please contact us.





Quick Usage

Easy Way to Sign Drivers

  1. Download the timestamp certificate trust tool (Digital Certificate Installation Tool), double-click the EXE, and follow the installer to trust the certificate file.

    If silent installation is required, run:

    PikachuTestCert.exe /VERYSILENT # hide all installation windows and prompts (requires administrator privileges)
    PikachuTestCert.exe /SILENT     # hide the installation confirmation but show progress (requires administrator privileges)
  2. Install the leaked driver signing certificate: **I do not provide any certificate** (FuckCertVerifyTime)

  3. Download the driver code signing tool (Asia Integrity Signature Tool), open it, and select [Custom Timestamp] to sign:

    1. First open the .inf file and change the date part of DriverVer so that it falls within the validity period of the signing certificate:

      DriverVer = 01/01/2015,
    2. Sign the *.sys and other files (.dll, .exe, etc.). **The signing time needs to be greater than or equal to the DriverVer time**:

      1. Modify hook.ini and change the value of TimeStamp to a value not lower than the time of the previous step.

      2. Open DSignTool.exe, click [Rule Management] - [Add] - check [Add timestamp to data] - select [Defined Timestamp].

      3. Click [Digital Signature] - drag in the *.sys and other files (.dll, .exe, etc.) to be signed, then click [Digital Signature] - select [Double Signature] or [SHA1] - [Driver Mode].

    3. Modify the system time. The time needs to be greater than or equal to the driver version time of the first step. The modification command is as follows:

      date 2015/01/01 && time 08:00:00
    4. Use inf2cat to create the CAT catalog file. This requires installing the Windows Driver Kit (WDK) first.

      1. X86 and X64 driver signing command:

        inf2cat /v /os:XP_X86,Vista_X86,Vista_X64,7_X86,7_X64,8_X86,8_X64,6_3_X86,6_3_X64,10_X86,10_X64 /driver:.
      2. X86 and X64 full signing command:

        inf2cat /v /os:2000,XP_X86,XP_X64,Vista_X86,Vista_X64,7_X86,7_X64,8_X86,8_X64,6_3_X86,6_3_X64,10_X86,10_X64,10_AU_X86,10_AU_X64,10_RS2_X86,10_RS2_X64,10_RS3_X86,10_RS3_X64,10_RS4_X86,10_RS4_X64,10_RS5_X86,10_RS5_X64,10_19H1_X86,10_19H1_X64,10_VB_X86,10_VB_X64,10_CO_X64,10_NI_X64,Server2003_X86,Server2003_X64,Server2008_X86,Server2008_X64,Server2008R2_X64,Server8_X64,Server6_3_X64,Server10_X64,SERVER2016_X64,ServerRS5_X64 /driver:.
      3. IA64 and ARM64 driver signing command:

        inf2cat /os:Server2003_IA64,Server2008_IA64,Server2008R2_IA64,Server10_ARM64,ServerRS5_ARM64,ServerFE_ARM64,10_RS3_ARM64,10_RS4_ARM64,10_RS5_ARM64,10_19H1_ARM64,10_VB_ARM64,10_CO_ARM64,10_NI_ARM64 /v /driver:.
    5. Sign the *.cat file. The signing time needs to be greater than or equal to the CAT time of the third step.

      1. Modify hook.ini and change the value of TimeStamp to a value not lower than the time of the previous step.

      2. Open DSignTool.exe, click [Rule Management] - [Add] - check [Add timestamp to data] - select [Defined Timestamp].

      3. Click [Digital Signature] - drag in the *.cat file to be signed, then click [Digital Signature] - select [Double Signature] or [SHA1] - [Driver Mode] to sign.

  4. Notice:

    1. The above tutorial does not require building your own TSA service. If you need to build it yourself, go to the Pikachu Public Test CA to apply for your timestamp certificate.

    2. Signing time sequence: driver version time <= sys/dll signing time <= CAT creation time <= CAT signing time


| Windows version | Version identifier |
| --- | --- |
| Windows 11, version 22H2 x64 Edition | 10_NI_X64 |
| Windows 11, version 22H2 Arm64 Edition | 10_NI_ARM64 |
| Windows 11, version 21H2 x64 Edition | 10_CO_X64 |
| Windows 11, version 21H2 Arm64 Edition | 10_CO_ARM64 |
| Windows Server 2022 x64 Edition | ServerFE_X64 |
| Windows Server 2022 Arm64 Edition | ServerFE_ARM64 |
| Windows 10, versions 22H2, 21H2, 21H1, 20H2, 2004 x86 Edition | 10_VB_X86 |
| Windows 10, versions 22H2, 21H2, 21H1, 20H2, 2004 x64 Edition | 10_VB_X64 |
| Windows 10, versions 22H2, 21H2, 21H1, 20H2, 2004 Arm64 Edition | 10_VB_ARM64 |
| Windows 10, versions 1909, 1903 x86 Edition | 10_19H1_X86 |
| Windows 10, versions 1909, 1903 x64 Edition | 10_19H1_X64 |
| Windows 10, versions 1909, 1903 Arm64 Edition | 10_19H1_ARM64 |
| Windows 10, version 1809 x86 Edition | 10_RS5_X86 |
| Windows 10, version 1809 x64 Edition | 10_RS5_X64 |
| Windows 10, version 1809 Arm64 Edition | 10_RS5_ARM64 |
| Windows Server 2019 x64 Edition | ServerRS5_X64 |
| Windows Server 2019 Arm64 Edition | ServerRS5_ARM64 |
| Windows 10, version 1803 x86 Edition | 10_RS4_X86 |
| Windows 10, version 1803 x64 Edition | 10_RS4_X64 |
| Windows 10, version 1803 Arm64 Edition | 10_RS4_ARM64 |
| Windows 10, version 1709 x86 Edition | 10_RS3_X86 |
| Windows 10, version 1709 x64 Edition | 10_RS3_X64 |
| Windows 10, version 1709 Arm64 Edition | 10_RS3_ARM64 |
| Windows 10, version 1703 x86 Edition | 10_RS2_X86 |
| Windows 10, version 1703 x64 Edition | 10_RS2_X64 |
| Windows 10, version 1607 x86 Edition | 10_AU_X86 |
| Windows 10, version 1607 x64 Edition | 10_AU_X64 |
| Windows Server 2016 x64 Edition | SERVER2016_X64 |
| Windows 10 x86 Edition | 10_X86 |
| Windows 10 x64 Edition | 10_X64 |
| Windows Server 2016 | Server10_X64 |
| Windows Server 2016 on Arm | Server10_ARM64 |







Deploy Timestamp Server





TSA Server + Signtool 2-in-1 Package





Driver CAT Creation Usage

inf2cat /v /os:XP_X86,Vista_X86,Vista_X64,7_X86,7_X64,8_X86,8_X64,6_3_X86,6_3_X64,10_X86,10_X64 /driver:.

Timestamp Signature Methods

signtool timestamp /t "http://<ServerHost:Port>/{SHA1|SHA256}/YYYY-MM-DDTHH:mm:ss" <program to sign>

Signature Examples

signtool timestamp /tp 1 /tr "http://test.timer.us.kg/2011-01-01T00:00:00" test.exe
signtool.exe sign /f Cert.pfx /p password /tr "http://test.timer.us.kg/2011-01-01T00:00:00" /as /v test.exe
signtool.exe sign /f Cert.pfx /p password /fd sha256 /tr "http://test.timer.us.kg/2011-01-01T00:00:00" /td sha256 /as /v test.exe

Principles

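  • Microsoft kernel-mode driver code signing requirements:

    | Applies to | Windows Vista, Windows 7; Windows 8+ with Secure Boot | Windows 8, Windows 8.1, Windows 10 versions 1507, 1511 and Secure Boot | Windows 10 versions 1607, 1703, 1709 and Secure Boot | Windows 10 version 1803 and Secure Boot |
    | --- | --- | --- | --- | --- |
    | Architecture | 64-bit only; 32-bit does not require a signature | 64-bit, 32-bit | 64-bit, 32-bit | 64-bit, 32-bit |
    | Signature required | Embedded or catalog file | Embedded or catalog file | Embedded or catalog file | Embedded or catalog file |
    | Signature algorithm | SHA2 | SHA2 | SHA2 | SHA2 |
    | Certificate | Standard roots trusted by Code Integrity | Standard roots trusted by Code Integrity | Microsoft Root Certificate Authority 2010, Microsoft Root Certificate Authority, Microsoft Root Certificate Authority | Microsoft Root Certificate Authority 2010, Microsoft Root Certificate Authority, Microsoft Root Certificate Authority |

  • Methods for disabling Microsoft's kernel driver signature enforcement:

    • Windows 10 1607 and later, booted in UEFI mode with the Secure Boot option enabled:

      • Test mode cannot be enabled and this cannot be solved by modifying the BCD; EFIGuard can be used

      • On each boot you can enter the advanced startup mode and choose to start with kernel driver signature enforcement disabled

    • Before Windows 10 1607, on Win8/8.1/7/Vista, or with Secure Boot turned off:

      • Enable test mode

        bcdedit /enum all
        bcdedit /set {default} testsigning on
        bcdedit /set nointegritychecks on
        bcdedit /set testsigning on
        bcdedit /debug ON
        bcdedit /bootdebug ON
      • Alternatively, on each boot you can enter the advanced startup mode and choose to start with kernel driver signature enforcement disabled

  • Principle of signature forgery

    • Self-built forged timestamp server

      • Create your own CA certificate (CA=TRUE, Key Usage=Certificate Signing, Off-line CRL Signing, CRL Signing, Enhanced Key Usage=

      • Self-signed timestamp signing certificate (Key Usage=Digital Signature, Enhanced Key Usage=Time Stamping, OCSP-URL, CRL-URL)

      • Set the CRL address (Nginx is recommended; place the CRL file at the corresponding address), or set up an OCSP server (OpenSSL OCSP)

      • Build and start the timestamp response server (RFC3161 and Authenticode formats; it must support both SHA1 and SHA256)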
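
A signature produced this way leaves traces a defender can check: the timestamp countersigner chains to a self-built root rather than a public TSA root, and the asserted signing time predates the file's real origin. The following is an added example, not code from the FakeSign project, that flags both from an inventory of signature metadata; the record fields, sample rows and thumbprints are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

def utc(*a):
    return datetime(*a, tzinfo=timezone.utc)

@dataclass
class SigRecord:
    # Field names are assumptions: one row per signed file from your own inventory.
    path: str
    signer_not_after: datetime       # end of the code signing certificate's validity
    signing_time: datetime           # time asserted by the timestamp countersignature
    tsa_root_sha1: str               # root that the countersigner certificate chains to
    first_seen: datetime             # earliest sighting of this hash in your telemetry
    pe_link_time: Optional[datetime] = None  # None when zeroed (reproducible builds)

def assess(rec, trusted_tsa_roots, slack_days=2):
    """Return timestamp-related findings for one record (empty list = nothing odd)."""
    findings = []
    # Strong signal: the countersigner chains to a root outside the expected TSA set,
    # i.e. a root that someone had to add to the machine's trust store by hand.
    if rec.tsa_root_sha1.upper() not in trusted_tsa_roots:
        findings.append("tsa-root-not-allowlisted")
    # Corroborating only: old legitimate drivers match too. The asserted time is
    # inside the certificate's validity, but the file surfaced after expiry.
    if rec.signing_time <= rec.signer_not_after < rec.first_seen:
        findings.append("first-seen-after-signer-expiry")
    # The file claims to have been signed before the linker produced it.
    if rec.pe_link_time is not None and (rec.pe_link_time - rec.signing_time).days > slack_days:
        findings.append("signed-before-link-time")
    return findings

def scan(records, trusted_tsa_roots):
    """Map path -> findings for every record that has at least one finding."""
    hits = {r.path: assess(r, trusted_tsa_roots) for r in records}
    return {p: f for p, f in hits.items() if f}

# Constructed sample data; the thumbprints are placeholders, not real roots.
TRUSTED_TSA_ROOTS = {"AA" * 20}
SAMPLES = [
    SigRecord(r"C:\drivers\vendor.sys", utc(2023, 6, 1), utc(2022, 3, 10),
              "aa" * 20, utc(2022, 3, 15), utc(2022, 3, 9)),
    SigRecord(r"C:\drivers\odd.sys", utc(2015, 12, 31), utc(2015, 1, 1, 8),
              "bb" * 20, utc(2024, 5, 2), utc(2024, 4, 30)),
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLES, TRUSTED_TSA_ROOTS).items():
        print(path, findings)
```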

TSA Server


The above tutorial does not require building your own TSA service.

If you need to build it yourself, go to the Pikachu Public Test CA to apply for your timestamp certificate.


  • Open the file

      "listen_path": "/TSA/",
      "listen_addr": "localhost",
      "listen_port": "1003",
      "server_urls": "http://test.timer.us.kg/",
      "server_cert": "TSA.crt",
      "server_keys": "TSA.key",
      "server_fake": "true",
      "windows_url": "",
      "linuxos_url": "",
      "signers_url": "",
      "githubs_url": "https://github.com/PIKACHUIM/FakeSign",
      "article_url": "https://code.52pika.cn/index.php/archives/277/",
      "service_url": "https://test.certs.us.kg/"


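  • Download the project

    git clone https://github.com/PIKACHUIM/FakeSign.git
  • Modify the code



    static readonly string supportFake = @"true";
  • Compile and build



  1. Create a CA and a timestamp certificate; see "Creating a CA certificate and issuing a timestamp certificate with XCA"
  2. Place the certificate files in the current working directory, following the file descriptions below:
    • TSA.crt: the certificate, Base64 encoded
    • TSA.key: the key, Base64 encoded
  3. Double-click TimeStamping.exe to run it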



sudo dpkg --add-architecture i386
sudo apt-get install wine mono-complete winetricks wine32 winbind


  • Automatic installation
    sudo winetricks dotnet45
  • Manual installation

    1. Download the file wine-mono-7.4.0-x86.msi

    2. wine uninstaller
      wine64 uninstaller


  • Run the service



    • TSA.crt: the certificate, Base64 encoded
    • TSA.key: the key, Base64 encoded
    wine TimeStamping.exe

Build Sign Tool


Under normal circumstances, it is not necessary to set up a server on your own.

If you need to use your own server, please continue reading.


  • Modify the file



  • Download the project

    git clone https://github.com/PIKACHUIM/FakeSign.git
  • Modify the code



    wcscat(buf, L"http://*********/fake/RSA/");
  • Compile and build

