Debuggers forum: breaking a security mechanism on Windows XP using "WinDBG.exe" debugger

Topic created on: July 1, 2009 13:15 CDT by jeremy28 .

Hi there!

I want to break security on Windows XP (the signature checking procedure) and think a kernel debugger for Windows would help me!! For example, when a CSP DLL is being loaded, Windows XP checks whether its signature is valid (issued by Microsoft) or not!

I want to watch and analyse this procedure through a kernel debugger to know how it would be possible to hack or break this security mechanism?!!

I would ask you: how could I see this mechanism in "WinDBG.exe"?

Because I'm so new to Windows debugging;

I've debugged some VC++ programs with the Visual Studio debugger, but I have no experience in Windows debugging so far and I'm not so familiar with Windows kernel operations;

Is it possible to see this checking procedure in "WinDBG.exe" in assembly or any other form?!

I've not read the "WinDBG" documentation yet, because first I'd rather be sure of this possibility and also need experienced people's guidance for this;

Please help!!

Thanks in Advance.

lallous     July 2, 2009 02:29.07 CDT
In general, using a debugger and depending on the target (user mode or kernel mode), you can understand and locate the code in question.
So to answer you, you can use WinDbg if you desire.
How could you see this mechanism in WinDbg?
The answer is the same for all different reversing tasks. You have to reverse and debug until you locate what you're looking for.

nezumi     July 6, 2009 08:16.30 CDT
jeremy28
> I want to break security on Windows XP
> (signature checking procedure) (1)
> and think a Kernel debugger for Windows would help me!!
> For example, when a CSP DLL is being loaded, (2)
> Windows XP checks if it's signature is valid (issued by Microsoft)
a driver has a digital signature, a dll has a certificate. if you're talking about signatures (1), it means you're talking about drivers. if you're talking about DLLs (2), you actually have certificates in mind.

a debugger (particularly the kernel one) is the last resort, especially if you have no idea how the system works and what you actually look for. so, the question is: what are we looking for? ok, here we go. you don't know what the certificate is, obviously, but it's something that's stored inside the DLL, right? and a DLL is a PE file, so go to Google and type "MS PE Specification". it's free. download it, read it and find out that there is a Certificate Table and a Certificate API, implemented in Imagehlp.dll. for example, ImageRemoveCertificate removes the specified certificate from the given file. is this what you're looking for?

guess not. you want to patch the kernel, right? well, download pdb files for KERNEL32.DLL, NTDLL.DLL (and possibly for ntoskrnl.exe) and look for any "cert" strings ("cert", not "certificate", because MS uses the short form; how did I know it? well, just intuition :-). whatever, you are going to find a lot of references.

btw, maybe you will be interested in http://www.symantec.com/avcenter/reference/Windows_Vista_Kernel_Mode_Security.pdf

> I want to watch and analyse this procedure
"this procedure" sounds like you have done 99% of your job. what is "this procedure"?! of course, you can start to debug "LoadLibraryA", but... it's not easy to find where the security checks are actually performed. of course, you can set breakpoints on the certificate section or perform a memory search and set breakpoints where you find the content... but... anyway, before doing it, you have to get the full view. so, reading specifications and disassembling dlls is the shorter way. and only when you have found the procedure you looked for is it worth asking for a debugger.

> through Kernel Debugger to know
user-level works fine.

> how would be possible to hack or break this security mechanism?!!
um, maybe before breaking something it's better to try to use it? :-) I mean to read specifications and learn the legal tools provided by ms to work with certificates?

> I would ask you How Could I see this mechanism in "WinDBG.exe"?
> Because I'm so new to Windows debugging issue;
the rule of debugging: if you don't know how to find something with a debugger, don't use it. and don't forget about reading manuals :-)

> Is it possible to see this checking procedure in "WinDBG.exe"
> in Assembly or any other form?!
do you prefer source-level? well, download wine :-)

> I've not read the "WinDBG" documentation yet, because
> first I'd rather to be sure of this possibility and also need to
> experienced people's guidance for this;
_everything_, I mean _everything_, could be broken, disabled or bypassed. and quite often there is a legal way to do it. you don't need to be a hacker to read manuals :-) just try to understand - WinDBG is just a wheel and your brain is the engine. forget about debuggers, use your brain, man! the first step of hacking is to find a way to do it, and the second step is to pick up the appropriate tools. having a brain, you will hack the security checks even with HIEW.

WinDBG is not rune-staff nor divining-rod...
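nezumi's answer points at the PE specification's Certificate Table (data directory entry 4, the "security directory") as the place where a DLL's embedded Authenticode certificate actually lives. The following Python is an added example written for this page, not code from the thread or from Microsoft's Imagehlp API: it parses that table directly from a PE image, the way a defender inventorying binaries would, and includes a `build_sample_pe` helper that constructs a tiny synthetic PE32 file so the parser can be exercised offline. The certificate blobs inside the sample are constructed placeholder bytes, not real PKCS#7 data.

```python
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # index of the certificate table in the data directory

# WIN_CERTIFICATE constants from the PE/COFF specification (wincrypt.h names)
WIN_CERT_REVISION = {0x0100: "WIN_CERT_REVISION_1_0", 0x0200: "WIN_CERT_REVISION_2_0"}
WIN_CERT_TYPE = {
    0x0001: "WIN_CERT_TYPE_X509",
    0x0002: "WIN_CERT_TYPE_PKCS_SIGNED_DATA",   # Authenticode uses this one
    0x0003: "WIN_CERT_TYPE_RESERVED_1",
    0x0004: "WIN_CERT_TYPE_TS_STACK_SIGNED",
}


def security_directory(data):
    """Return (file_offset, size) of the certificate table.

    Unlike other data directories, the security directory holds a raw file
    offset rather than an RVA, because the table lives outside any section.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                           # PE32
        dir_base = opt + 96
    elif magic == 0x20B:                         # PE32+
        dir_base = opt + 112
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    num_dirs = struct.unpack_from("<I", data, dir_base - 4)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return (0, 0)
    return struct.unpack_from("<II", data, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def enumerate_certificates(data):
    """Walk the WIN_CERTIFICATE entries; returns a list of dicts (empty if no table)."""
    offset, size = security_directory(data)
    if offset == 0 or size == 0:
        return []
    end = offset + size
    if end > len(data):
        raise ValueError("certificate table runs past end of file")
    entries = []
    while offset + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", data, offset)
        if length < 8 or offset + length > end:
            raise ValueError("malformed WIN_CERTIFICATE at %#x" % offset)
        entries.append({
            "offset": offset,
            "length": length,
            "revision": WIN_CERT_REVISION.get(revision, "unknown(%#x)" % revision),
            "type": WIN_CERT_TYPE.get(cert_type, "unknown(%#x)" % cert_type),
            "blob": data[offset + 8:offset + length],   # PKCS#7 SignedData for Authenticode
        })
        offset += (length + 7) & ~7                    # entries are 8-byte aligned
    return entries


def build_sample_pe(cert_blobs):
    """Constructed minimal PE32 image with a certificate table appended (sample data, not a real binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)        # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)  # i386, no sections, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 92, 16)          # NumberOfRvaAndSizes
    table = b""
    for blob in cert_blobs:
        entry = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
        table += entry + b"\0" * (-len(entry) % 8)
    header_len = 64 + 4 + 20 + 224               # 312 bytes, already 8-byte aligned
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     header_len if table else 0, len(table))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            image = f.read()
    else:
        image = build_sample_pe([b"constructed-pkcs7-blob-1", b"constructed-blob-2"])
    for e in enumerate_certificates(image):
        print("%#x len=%d %s %s" % (e["offset"], e["length"], e["revision"], e["type"]))
```

Run it with a path to any PE file to list its certificate entries, or with no argument to parse the constructed sample. Two points worth keeping in mind when reading the output: the security directory stores a file offset, not an RVA, because the table is appended after the last section rather than mapped into memory; and finding a `WIN_CERT_TYPE_PKCS_SIGNED_DATA` entry only tells you a signature is present, not that it is valid. Validity is established by `WinVerifyTrust`, which recomputes the image hash (skipping the checksum field, the security directory entry and the table itself) and checks it against the signed PKCS#7 content and the certificate chain, so an inventory tool should verify rather than merely detect.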
