Sec, blogmal! - rev-eng - driversign






Wed, 07 Dec 2005

Installing unsigned drivers in Windows

If you install a driver on Windows XP that has not been blessed by Microsoft, you get a nasty dialog box with a warning. Microsoft tries to tell people this is for stability reasons; see this blog entry at The Old New Thing for someone arguing for it, and read the comments for reasons why the idea only sounds good on paper.

About a year ago this also came up on the OpenVPN mailing list (see here). Someone in that thread pointed out that Microsoft says you can't change the setting from your program, which triggered my hacker gene: how could it be done anyway?

Liberal use of regmon revealed that the setting is indeed stored in the Policy value under HKLM\Software\Microsoft\Driver Signing, but there was also a write to the PrivateHash value under HKLM\Software\Microsoft\Windows\CurrentVersion\Setup.

With the help of apispy it was easy to find out that PrivateHash is an MD5 hash over the Policy value extended to 4 bytes, plus a seed. The seed is the 4-byte value named seed under HKLM\System\WPA\PnP.
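A read-only audit of these three registry values in PowerShell, added here as an example (it is not the post's proof-of-concept program): it reports the current policy level and recomputes the hash to see whether the stored PrivateHash still agrees with the Policy value, which is what a fleet check for weakened driver-signing settings would look at. The exact byte layout fed to MD5 (the policy widened to a 4-byte little-endian DWORD, followed by the 4-byte seed) and the 0/1/2 = Ignore/Warn/Block mapping are assumptions; the post only says the hash covers the extended policy value and the seed.

```powershell
# Added audit example, not the post's proof-of-concept. Read-only: nothing is written.
# ASSUMPTIONS (not stated in the post): Policy is a REG_BINARY whose first byte is the
# level (0 = Ignore, 1 = Warn, 2 = Block); the MD5 input is that level widened to a
# 4-byte little-endian DWORD followed by the 4-byte seed, in that order.
$PolicyKey = 'HKLM:\Software\Microsoft\Driver Signing'
$SetupKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Setup'
$SeedKey   = 'HKLM:\System\WPA\PnP'

function ConvertTo-Dword {
    # Normalise a registry value that may come back as Int32 (REG_DWORD) or as
    # byte[] (REG_BINARY) into exactly four little-endian bytes.
    param($Value)
    if ($Value -is [byte[]]) {
        $bytes = New-Object byte[] 4
        [Array]::Copy($Value, $bytes, [Math]::Min(4, $Value.Length))
        return $bytes
    }
    return [BitConverter]::GetBytes([int]$Value)
}

function Get-DriverSigningState {
    $policy = (Get-ItemProperty -Path $PolicyKey -Name Policy).Policy
    $stored = (Get-ItemProperty -Path $SetupKey  -Name PrivateHash).PrivateHash
    $seed   = (Get-ItemProperty -Path $SeedKey   -Name seed).seed

    $level     = [int]((ConvertTo-Dword $policy)[0])
    $levelName = switch ($level) { 0 { 'Ignore' } 1 { 'Warn' } 2 { 'Block' } default { 'Unknown' } }

    # Recompute the hash the post describes and compare it with what Setup stored.
    $material = [byte[]]((ConvertTo-Dword $level) + (ConvertTo-Dword $seed))
    $expected = [BitConverter]::ToString([System.Security.Cryptography.MD5]::Create().ComputeHash($material))
    $storedHex = if ($stored) { [BitConverter]::ToString([byte[]]$stored) } else { '<missing>' }

    [pscustomobject]@{
        Level        = $level
        LevelName    = $levelName
        PrivateHash  = $storedHex
        ExpectedHash = $expected
        HashMatches  = ($storedHex -eq $expected)
        Weakened     = ($level -eq 0)   # flag machines where the warning was turned off
    }
}

Get-DriverSigningState | Format-List
```

A mismatch means either the layout assumption above is wrong for that build or one of the values was changed out of band; a matching hash with Level 0 is the state the post's technique produces and is the one worth flagging in an inventory.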

This was quickly written down in a small proof-of-concept program. And please, don't even think about ugly things like automating a mouse click to acknowledge such a dialog box again. :)

– Sec

posted at: 17:53 | Category: /rev-eng | 4 comments
