I have a modified driver that must be installed while driver signing is disabled, so I want to detect this state in order to remind users to reboot into Safe Mode. I had tried this command:
Use the following code to detect whether or not TESTSIGNING is enabled:
#include <Winternl.h>
#pragma comment(lib, "ntdll.lib")
/*
 * Ask the kernel for its code-integrity flags and pull out the test-signing bit.
 *
 * The information class and the flag are passed as raw numbers (0x67 and 0x2)
 * with a cast, rather than through the SDK's symbolic names.
 */
enum {
    kCiInfoClass   = 0x67, /* SystemCodeIntegrityInformation */
    kCiOptTestSign = 0x2   /* CODEINTEGRITY_OPTION_TESTSIGN */
};

SYSTEM_CODEINTEGRITY_INFORMATION ciInfo = {0};
ULONG cbReturned = 0;
NTSTATUS queryStatus;

/* The structure carries its own size in its Length member; set it before the call. */
ciInfo.Length = sizeof(ciInfo);

queryStatus = NtQuerySystemInformation(
    (SYSTEM_INFORMATION_CLASS)kCiInfoClass,
    &ciInfo,
    sizeof(ciInfo),
    &cbReturned);

/*
 * Trust the flags only when the call succeeded (non-negative NTSTATUS) AND the
 * kernel reported writing exactly one full structure. When either test fails
 * the block below is skipped, so the state is unknown rather than "off".
 */
if (queryStatus >= 0 && cbReturned == sizeof(ciInfo))
{
    BOOL bTestsigningEnabled = (ciInfo.CodeIntegrityOptions & kCiOptTestSign) != 0;
    /* Note that testsigning will play no role if bit CODEINTEGRITY_OPTION_ENABLED
     * (or 0x1) is not set in ciInfo.CodeIntegrityOptions, so check that bit as
     * well before drawing conclusions from this one. */
}
I would rather wrap this into a nicer function like so (note that it reports the CODEINTEGRITY_OPTION_ENABLED bit, 0x1, not the test-signing bit 0x2):
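/**
 * Reports whether the CODEINTEGRITY_OPTION_ENABLED bit (0x1) is set in the
 * kernel's code-integrity options.
 *
 * NtQuerySystemInformation is resolved from ntdll.dll at run time, so no import
 * library is needed. The test-signing bit (0x2) is NOT examined here.
 *
 * @return true only when the query succeeded, returned a complete structure,
 *         and the enabled bit is set. false means either "not enabled" or
 *         "could not be determined" (ntdll lookup failed, the call failed, or
 *         the returned size was unexpected); the two cases are not
 *         distinguishable through this interface, so a false result must not
 *         be read as proof that enforcement is off.
 */
bool IsSystemCodeIntegrityEnabled() {
    typedef NTSTATUS(__stdcall* td_NtQuerySystemInformation)(
        ULONG SystemInformationClass,
        PVOID SystemInformation,
        ULONG SystemInformationLength,
        PULONG ReturnLength
    );

    // Local definition so the function does not depend on the SDK header
    // declaring this structure.
    struct SYSTEM_CODEINTEGRITY_INFORMATION {
        ULONG Length;
        ULONG CodeIntegrityOptions;
    };

    const ULONG kSystemCodeIntegrityInformation = 103; // 0x67
    const ULONG kCodeIntegrityOptionEnabled = 0x1;     // CODEINTEGRITY_OPTION_ENABLED

    // Resolve the export once. Check the module handle before using it so a
    // failed lookup yields a null function pointer instead of a bad call.
    static HMODULE ntdll = GetModuleHandleA("ntdll.dll");
    static td_NtQuerySystemInformation NtQuerySystemInformation =
        ntdll ? (td_NtQuerySystemInformation)GetProcAddress(ntdll, "NtQuerySystemInformation")
              : NULL;
    if (NtQuerySystemInformation == NULL) {
        return false;
    }

    SYSTEM_CODEINTEGRITY_INFORMATION Integrity = { sizeof(SYSTEM_CODEINTEGRITY_INFORMATION), 0 };
    ULONG returned = 0;
    NTSTATUS status = NtQuerySystemInformation(
        kSystemCodeIntegrityInformation, &Integrity, sizeof(Integrity), &returned);

    // Require the kernel to have filled the whole structure before trusting
    // the flags it contains.
    if (!NT_SUCCESS(status) || returned != sizeof(Integrity)) {
        return false;
    }

    return (Integrity.CodeIntegrityOptions & kCodeIntegrityOptionEnabled) != 0;
}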