On Thu, Apr 02, 2020 at 21:16:48 +0300, Samuli Seppänen wrote:
> So, with 7zip on Windows I opened
>
> openvpn-install-2.4.8-i602-Win10.exe
> -> $TEMP
> -> tap-windows.exe
> -> driver
>
> That contains OemVista.inf, tap0901.cat and tap0901.sys in three
> flavors: i386, amd64 and arm64. I extracted the cat and sys files and
> checked their signatures. They were all signed by Microsoft. With
> "Get-AuthenticodeSignature <filename>" all showed SignerCertificate
> starting with 87D211E3. Checking the File Properties showed that
> corresponds to Microsoft.
>
> The installer I extracted had a sha1sum of
>
> 9c3fa39b6dc1ca9a02bf940c0509cf58a13fdf7d

So... I took our copy of openvpn-install-2.4.8-i602-Win10.exe and was
able to extract tap-windows.exe out of it. (In case it helps anyone
following along on this thread later, I found that the "p7zip-full"
Ubuntu package, and the "7z" command, was needed in order to unpack the
NSIS installer executable.)

=====
$ sha1sum openvpn-install-2.4.8-I602-Win10.exe
9c3fa39b6dc1ca9a02bf940c0509cf58a13fdf7d openvpn-install-2.4.8-I602-Win10.exe
$ 7z e openvpn-install-2.4.8-I602-Win10.exe '$TEMP/tap-windows.exe'

7-Zip [64] 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18
p7zip Version 9.20 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,8 CPUs)

Processing archive: openvpn-install-2.4.8-I602-Win10.exe

Extracting $TEMP/tap-windows.exe

Everything is Ok

Size: 587928
Compressed: 4335648
$ sha1sum tap-windows.exe
2dc03ec37fa11783f1d1965961a93237cde12f69 tap-windows.exe
$ 7z x tap-windows.exe
[... bunch of files extracted...]
=====

When I did that second extraction, the three flavors you mention all
unpacked into the same subdirectory (which had a non-ASCII directory
name), but I assume that's just a side-effect of the NSIS archive format
somehow. To proceed with the unpacking I chose the "A(u)to rename all"
option so all the duplicate files were renamed as they unpacked.

Anyway the main point from that is that all nine files unpacked in the
.../drivers/ subdirectory were dated 10/23:

=====
$ ls -lR
[...]
./???/driver:
total 176
-rw-rw-r-- 1 nathanst nathanst  7537 Oct 23 04:38 OemVista_1.inf
-rw-rw-r-- 1 nathanst nathanst  7533 Oct 23 04:37 OemVista_2.inf
-rw-rw-r-- 1 nathanst nathanst  7537 Oct 23 04:38 OemVista.inf
-rw-rw-r-- 1 nathanst nathanst 10861 Oct 23 06:00 tap0901_1.cat
-rw-rw-r-- 1 nathanst nathanst 40128 Oct 23 06:00 tap0901_1.sys
-rw-rw-r-- 1 nathanst nathanst 10866 Oct 23 05:02 tap0901_2.cat
-rw-rw-r-- 1 nathanst nathanst 35008 Oct 23 05:02 tap0901_2.sys
-rw-rw-r-- 1 nathanst nathanst 10711 Oct 23 04:58 tap0901.cat
-rw-rw-r-- 1 nathanst nathanst 39920 Oct 23 04:58 tap0901.sys
[...]
=====

(and, consistent with what you found under windows, all three .sys files
contain the string "Microsoft Windows Hardware Compatibility Publisher";
no file contains the string "OpenVPN, Inc.").

In this case, the non-auto-renamed files are the amd64 flavor of the
driver:

=====
$ grep amd *.inf
OemVista.inf: %Provider% = tap0901, NTamd64
OemVista.inf:[tap0901.NTamd64]
$ file *.sys
tap0901_1.sys: PE32+ executable (native), for MS Windows
tap0901_2.sys: PE32 executable (native) Intel 80386, for MS Windows
tap0901.sys: PE32+ executable (native) x86-64, for MS Windows
$ ls -l OemVista.inf tap0901.*
-rw-rw-r-- 1 nathanst nathanst  7537 Oct 23 04:38 OemVista.inf
-rw-rw-r-- 1 nathanst nathanst 10711 Oct 23 04:58 tap0901.cat
-rw-rw-r-- 1 nathanst nathanst 39920 Oct 23 04:58 tap0901.sys
=====

So, turning my attention to the Windows box where the installation
failed, I found that the c:\program files\ files do match the
amd64-flavor files unpacked above.

=====
 Directory of C:\Program Files\TAP-Windows\driver

03/27/2020 11:09 AM <DIR> .
03/27/2020 11:09 AM <DIR> ..
10/23/2019 04:38 AM 7,537 OemVista.inf
10/23/2019 04:58 AM 10,711 tap0901.cat
10/23/2019 04:58 AM 39,920 tap0901.sys
=====

However, when I search under c:\windows\, the tap0901.sys files found
are different:

=====
C:\Windows>dir /s tap0901.*
 Volume in drive C is Windows
 Volume Serial Number is 0687-5D0C

 Directory of C:\Windows\System32\drivers

10/31/2019 02:09 AM 30,720 tap0901.sys
 1 File(s) 30,720 bytes

 Directory of C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_6d4bec28a2ef0cdf

10/31/2019 02:11 AM 10,042 tap0901.cat
10/31/2019 02:09 AM 30,720 tap0901.sys
 2 File(s) 40,762 bytes

 Total Files Listed:
 3 File(s) 71,482 bytes
 0 Dir(s) 79,828,119,552 bytes free
=====

These two .sys files are indeed identical, and looking inside them with
"strings" it appears they are not signed. (The strings "Microsoft" and
"Hardware" don't occur, and the spot at the end of the file where the
various strings that appear to be related to the signing certificate are
in the Oct 23/39,920-byte version of the file has no similar strings in
this Oct 31 version.)

(Actually, if I run a diff on the "strings" output from the two .sys
files, the _only_ difference is that the older file has all the
Microsoft-signing-related strings at the end of the output; if I compare
the hexdumps of the two files only a few scattered bytes are different
in the first 30,720 bytes of each.)

Interestingly, though, the oemvista.inf_amd64_6d4bec28a2ef0cdf directory
seems to have a timestamp from when the OpenVPN installer was run:

=====
 Directory of C:\Windows\System32\DriverStore\FileRepository

03/27/2020 11:09 AM <DIR> oemvista.inf_amd64_6d4bec28a2ef0cdf
=====

... but I can't say if the directory was newly created then, or just
modified....

The sha1sums of the two versions of the file are:

=====
$ sha1sum *{program,system32}*tap09*
42189b6a1b8c736397113bfc2283f5e1e1a44e8e failed_program-files_tap0901.sys [the 39,920-byte file]
841a86f416a882b0743fd6d9c9f29baf3ed06b6a failed_system32-drivers_tap0901.sys [the 30,720-byte file]
=====

So.. do you recognize this 30,720-byte file at all, or have any ideas
where it might have originated from?

(I'll continue looking through the various directories under \Windows\
to see if I can find any more clues.)

Nathan

----------------------------------------------------------------------------
Nathan Stratton Treadway - natha...@ontko.com - Mid-Atlantic region
Ray Ontko & Co. - Software consulting services - http://www.ontko.com/
 GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt ID: 1023D/ECFB6239
 Key fingerprint = 6AD8 485E 20B9 5C71 231C 0C32 15F3 ADCD ECFB 6239

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
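
Added example, not part of the original message: instead of inferring a
signature from "strings" output, the embedded Authenticode blob can be
located through the PE header's certificate-table directory entry, which
is also why a signed copy is larger than an otherwise near-identical
unsigned one. The function names and the constructed header stub below
are assumptions made for illustration.

```python
import struct

SECURITY_DIR = 4            # IMAGE_DIRECTORY_ENTRY_SECURITY
PKCS_SIGNED_DATA = 0x0002   # WIN_CERT_TYPE_PKCS_SIGNED_DATA

def embedded_signature(pe: bytes):
    """Return (file_offset, size, cert_type) of the embedded Authenticode
    blob, or None when the image has no certificate table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]        # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = nt + 24                                     # past signature + COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)      # PE32 vs PE32+
    if struct.unpack_from("<I", pe, dirs - 4)[0] <= SECURITY_DIR:
        return None
    # Unlike the other directories, this entry is a file offset, not an RVA.
    off, size = struct.unpack_from("<II", pe, dirs + 8 * SECURITY_DIR)
    if off == 0 or size == 0:
        return None
    if size < 8 or off + size > len(pe):
        raise ValueError("certificate table lies outside the file")
    cert_type = struct.unpack_from("<IHH", pe, off)[2]
    return off, size, cert_type

def constructed_pe(cert: bytes = b"") -> bytes:
    """Constructed PE32+ header stub (not a real driver); cert is a placeholder blob."""
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x98, 0x20B)          # optional header magic
    struct.pack_into("<I", hdr, 0x98 + 108, 16)       # NumberOfRvaAndSizes
    if not cert:
        return bytes(hdr)
    blob = struct.pack("<IHH", 8 + len(cert), 0x0200, PKCS_SIGNED_DATA) + cert
    struct.pack_into("<II", hdr, 0x98 + 112 + 8 * SECURITY_DIR, len(hdr), len(blob))
    return bytes(hdr) + blob

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, embedded_signature(f.read()))
```

A result of None means only that no signature is embedded in the file
itself; a driver can still be covered by its catalog (.cat) file, and
neither result validates the certificate chain.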