Ido-Moshe-Github / CiDllDemo

Use ci.dll API for validating Authenticode signature of files
MIT License

Wrong output data returned by CiCheckSignedFile in Windows 7 7601 x64 #3

Open elchv opened 4 years ago

elchv commented 4 years ago

Hello, first of all thanks for this awesome research. I'm trying to test this project on Windows 7 7601 x64 using notepad++.exe from the folder ExecutablesForTesting. CiCheckSignedFile returns STATUS_SUCCESS, but the problem is with the policyInfo returned by CiCheckSignedFile: it's wrong. When I open notepad++.exe from the ExecutablesForTesting folder, it always fails the range check inside the parsePolicyInfo function. It seems like ptrToCertChainMembers is invalid. How do I fix it?

Ido-Moshe-Github commented 4 years ago

Thank you for your kind words. As mentioned in the article, these structs have changed significantly across Windows versions:

Both PolicyInfo and CertChainInfo structures begin with the size of the struct. Since these structs were expanded across OS versions, you must check this size before attempting to access the other struct members.

Many of the struct members we mentioned in the article did not exist on earlier Windows versions. Unfortunately, we did not have time to map the exact struct for each Windows version. We encourage you to add upon what we've done :)
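A size-guarded read of the kind the comment above recommends, as an added example that is not code from the CiDllDemo project. The member names and offsets in `PolicyInfoView` are assumed for illustration only; the one property relied on is that the first DWORD holds the size of the struct as the running OS filled it in, so a member is read only when it lies entirely inside that many bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Illustrative layout (assumed, not the real ci.dll PolicyInfo): only the
 * leading structSize DWORD mirrors the documented behaviour. */
typedef struct {
    uint32_t structSize;             /* bytes the OS actually filled in      */
    uint32_t verificationStatus;     /* hypothetical early member            */
    uint64_t ptrToCertChainMembers;  /* hypothetical pointer-sized member    */
    uint64_t addedInLaterBuild;      /* hypothetical member from a newer OS  */
} PolicyInfoView;

/* True only if the whole member lies within the bytes the OS wrote. */
#define MEMBER_PRESENT(sz, T, m) \
    ((size_t)(sz) >= offsetof(T, m) + sizeof(((T *)0)->m))

/* 1: pointer read into *out; 0: struct too short (older OS), member absent;
 * -1: implausible size (smaller than the size field or larger than buffer). */
int read_cert_chain_ptr(const void *buf, size_t bufLen, uint64_t *out)
{
    uint32_t sz;
    if (buf == NULL || out == NULL || bufLen < sizeof sz) return -1;
    memcpy(&sz, buf, sizeof sz);
    if (sz < sizeof sz || sz > bufLen) return -1;
    if (!MEMBER_PRESENT(sz, PolicyInfoView, ptrToCertChainMembers)) return 0;
    memcpy(out, (const uint8_t *)buf + offsetof(PolicyInfoView, ptrToCertChainMembers),
           sizeof *out);
    return 1;
}

/* Constructed sample buffer: the pointer bytes are always physically present,
 * but structSize decides whether the parser is allowed to trust them. */
int demo_result(uint32_t reportedSize, uint64_t *outPtr)
{
    PolicyInfoView v = { reportedSize, 0, 0x1122334455667788ULL, 0 };
    uint8_t buf[sizeof v];
    memcpy(buf, &v, sizeof v);
    return read_cert_chain_ptr(buf, sizeof buf, outPtr);
}

int main(void)
{
    uint64_t p = 0;
    printf("old OS (size 8):  %d\n", demo_result(8, &p));   /* 0 */
    printf("new OS (size 24): %d ptr=%llx\n", demo_result(24, &p),
           (unsigned long long)p);                          /* 1 */
    return 0;
}
```

The same check applies to CertChainInfo, whose first DWORD is likewise its size.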