Defeating driver signing...
Alex Ionescu (AlexIonescu) <aionescugmailcom> Friday, August 4 2006 18:26.29 CDT


I got sick on the eve of my flight to Vegas, so I missed BH, but I've heard that the 64-bit driver signing hack relies on forcing the kernel to page out some code, then editing pagefile.sys and letting the kernel page the code back in later.

I must say I'm extremely disappointed, and I'm echoing Myria from pagetable.com.

I'd also like to add that this fits perfectly with my first post on this blog, the one about testing your exploit/code on SMP, various service packs, settings, etc.

While I don't want to go into all the ways this can possibly break and seriously damage your data on SMP machines, I'm going to point out something even simpler. (Yes, I know it works on SMP, but a race condition can only happen 0.001% of the time, right?)

I personally run Windows with a semi-hidden registry flag which disables paging of the kernel and keeps it resident in memory. It's meant for machines with > 512MB, but it's a pretty good speed optimization since the kernel never gets paged out. So, how exactly will this hack work on my system? Oh, that's right, it won't.

And let's not talk about people that don't use pagefiles at all, or that are running in Live/Network mode without access to the disk.
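The two preconditions above (pageable kernel code and an on-disk pagefile to tamper with) are easy to audit from an administrator's PowerShell. The script below is an added example, not part of the original post; it assumes that the "semi-hidden registry flag" the author mentions is the `DisablePagingExecutive` value under `Memory Management`, which is the documented switch that keeps kernel and driver pageable sections resident. It reports whether each precondition is present on the local host and shows the one-line change that removes the first of them.

```powershell
# Added audit script (not from the original post). Assumption: the "semi-hidden
# registry flag" in the text is DisablePagingExecutive under Memory Management.
# Run in an elevated PowerShell on the Windows host being checked.

$mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

# 1. Can kernel/driver code be paged out at all?
$dpe = (Get-ItemProperty -Path $mmKey -Name 'DisablePagingExecutive' `
            -ErrorAction SilentlyContinue).DisablePagingExecutive
if ($dpe -eq 1) {
    Write-Output 'DisablePagingExecutive = 1: pageable kernel/driver code stays resident; nothing of it lands in pagefile.sys.'
} else {
    Write-Output 'DisablePagingExecutive is 0 or unset: pageable kernel/driver code can be written to pagefile.sys.'
    # Mitigation (requires a reboot to take effect); uncomment to apply:
    # Set-ItemProperty -Path $mmKey -Name 'DisablePagingExecutive' -Type DWord -Value 1
}

# 2. Is there an on-disk pagefile? Without one there is nothing to edit.
$pagefiles = Get-CimInstance -ClassName Win32_PageFileUsage -ErrorAction SilentlyContinue
if (-not $pagefiles) {
    Write-Output 'No pagefile in use on this system.'
} else {
    foreach ($pf in $pagefiles) {
        Write-Output ('Pagefile in use: {0} ({1} MB allocated)' -f $pf.Name, $pf.AllocatedBaseSize)
    }
}

# 3. Is test-signing already enabled? That is the supported way to load
#    unsigned development drivers on 64-bit Windows.
$bcd = & bcdedit /enum '{current}' 2>$null
if ($bcd -match 'testsigning\s+Yes') {
    Write-Output 'Test-signing mode is ON for the current boot entry.'
} else {
    Write-Output 'Test-signing mode is OFF for the current boot entry.'
}
```

The registry change only affects pageable sections of ntoskrnl and drivers and costs physical memory, which is why the author notes it is intended for machines with more than 512MB; the pagefile check uses `Win32_PageFileUsage` so it reflects the pagefiles actually in use rather than the configured ones.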

So, kudos for the work, but I doubt this will be used by anything other than rootkits (which I guess was the point).

I really hope FOSS driver developers won't go anywhere near this method in order to avoid driver signing. If you want to avoid driver signing, please use test-signing mode.
