Exetools  
#1  Elisa3167, 01-27-2023, 10:10
Another thing you could do: fake the timestamp-server response.

Use /tr http://timestamp.example.com/ and a DNS redirect to your private time-stamp server.

https://github.com/Jemmy1228/TimeStampResponder-CSharp

#2  Kerlingen, 01-27-2023, 23:06
Quote:
Originally Posted by chants
There is always hacking the private key of a trusted signing authority.
No, there is not. The only trusted authority which has ever existed is Microsoft itself, and all intermediate cross-certificates signed by Microsoft expired at least two years ago.

Quote:
Originally Posted by chants
Also you could crack Windows to not check, although if on EFI, might have to hack that private key as well. Or fallback to MBR.
If you don't want Windows to check driver signatures on your own computer, then you can just turn it off. Windows provides several official ways to load drivers without proper signatures, but they are all limited to your computer and will not work when trying to distribute the driver to regular Windows systems without modifications. Microsoft is not like Apple, so Windows still allows you to switch off security features.

Quote:
Originally Posted by Elisa3167
Another thing you could do... Fake the timestamp-server response.
And why would Windows trust your fake timeserver's signature? Also, as explained above, the timestamp doesn't really matter for kernel driver signatures.
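As an added illustration of the exchange above (this is not code from either poster, nor from the linked TimeStampResponder project), here is a PowerShell session that performs the redirect described in post #1 and then runs the two checks Kerlingen's reply points at: whether the timestamp signer chains to a root the machine actually trusts, and whether the file passes the kernel-mode signing policy that matters for a driver. driver.sys, driver.pfx, the pfx password and timestamp.example.com are placeholders; it assumes signtool.exe from the Windows SDK is on the PATH and that the shell is elevated for the hosts-file write.

```powershell
# Added example, not from the thread. All file names, the host name and the
# password are hypothetical placeholders.

# 1. Redirect the timestamp host to a private RFC 3161 responder listening
#    locally (the "DNS redirect" from post #1, done via the hosts file).
Add-Content -Path "$env:SystemRoot\System32\drivers\etc\hosts" `
    -Value "127.0.0.1 timestamp.example.com"

# 2. Sign and timestamp. /tr takes an RFC 3161 TSA URL, /td the digest used in
#    the timestamp request, /fd the digest of the file signature itself.
& signtool.exe sign /fd sha256 /f .\driver.pfx /p 'pfx-password' `
    /tr http://timestamp.example.com/ /td sha256 .\driver.sys

# 3. What Windows sees. Status reflects the signer chain; the timestamp signer
#    is exposed separately and has to chain to a trusted root on its own.
$sig = Get-AuthenticodeSignature -FilePath .\driver.sys
"Signature status : $($sig.Status)"
"Signer           : $($sig.SignerCertificate.Subject)"
"Timestamper      : $($sig.TimeStamperCertificate.Subject)"

# 4. Build the TSA certificate chain the way a verifier does: no lenient
#    flags, and the chain must terminate in a root in the machine's store.
if ($null -ne $sig.TimeStamperCertificate) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode     = 'NoCheck'   # offline example; use 'Online' when checking for real
    $chain.ChainPolicy.VerificationFlags  = 'NoFlag'
    $ok = $chain.Build($sig.TimeStamperCertificate)
    "TSA chain builds : $ok"
    foreach ($s in $chain.ChainStatus) {
        "  chain status   : $($s.Status) $($s.StatusInformation.Trim())"
    }
    foreach ($e in $chain.ChainElements) {
        "  element        : $($e.Certificate.Subject)"
    }
} else {
    "No timestamp present in the signature."
}

# 5. The check that actually decides whether a kernel driver loads on a
#    stock x64 system: signtool's kernel-mode policy verification.
& signtool.exe verify /v /kp .\driver.sys
```

With a home-made TSA whose root is not in the Trusted Root store, step 4 reports $false with an UntrustedRoot status, which is the point Kerlingen makes: the timestamp token is signed by the responder, and a signature from a responder nobody trusts adds nothing. Step 5 fails or passes on the signer's chain and the kernel-mode policy regardless of what the timestamp says.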
#3  chants, 01-28-2023, 02:23
Quote:
Originally Posted by Kerlingen
No, there is not. The only trusted authority which has ever existed is Microsoft itself and all intermediate cross-certificates signed by Microsoft have expired at least two years ago.
But your earlier post said if you are signed by an old cross certificate it loads, so hacking the private key to these expired certificates should allow arbitrary driver loading.

I agree cracking the OS isn't necessary, but it seems a lot of research is known in that area with enough details to easily do it. But more than just driver signing policy changes is needed to justify the trouble.