Installing unsigned drivers in Windows
If you install a driver on Windows XP that is not "blessed" by Microsoft, you get a nasty dialog box with a warning. Microsoft tries to tell people this is for stability reasons. See [this blog entry]:http://blogs.msdn.com/oldnewthing/archive/2005/08/16/452141.aspx at "The Old New Thing" for someone arguing for it, and read the comments for reasons why this idea only sounds good in writing.
About a year ago this had also come up on the [OpenVPN]:http://openvpn.net/ mailing list ([see here]:http://openvpn.net/archive/openvpn-users/2004-11/msg00221.html). Someone in that thread pointed out that Microsoft says [you can't change it in your program]:http://support.microsoft.com/?kbid=298503, which triggered my /hacker/ gene to see how this could be done anyway.
Liberal usage of [regmon]:http://www.sysinternals.com/Utilities/Regmon.html revealed that the value is indeed stored in the Policy key of "HKLM\Software\Microsoft\Driver Signing", but there was also a write to the PrivateHash key of "HKLM\Software\Microsoft\Windows\CurrentVersion\Setup".
With the help of [apispy]:http://www.internals.com/ it was easy to find out that the *PrivateHash* is an MD5 hash of the 4-byte-extended value of the Policy key and some seed. The seed is the 4-byte value of the "seed" key from "HKLM\System\WPA\PnP".
This was quickly written down in a small proof of concept [program]:http://openvpn.net/archive/openvpn-users/2004-11/msg00341.html. And please, don't even think about ugly things like automating a mouse click to acknowledge such a dialog box again. :)
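For anyone auditing XP machines, the Policy/PrivateHash relationship described above can be turned into a consistency check. This is an added example, not the linked proof of concept: the function names, the sample seed, the padding direction and the policy-before-seed hashing order are assumptions, and the values are passed in as bytes rather than read from the registry.

```python
import hashlib

# Driver signing levels stored in the Policy value on Windows XP.
LEVELS = {0: "Ignore", 1: "Warn", 2: "Block"}


def expected_private_hash(policy_raw: bytes, seed_raw: bytes) -> bytes:
    """MD5 over the Policy value extended to 4 bytes plus the 4-byte seed.

    Assumed layout (not spelled out in the post): Policy is zero-padded on
    the right, i.e. a little-endian DWORD, and is hashed before the seed.
    """
    if not 1 <= len(policy_raw) <= 4:
        raise ValueError("Policy value must be 1 to 4 bytes")
    if len(seed_raw) != 4:
        raise ValueError("seed must be exactly 4 bytes")
    return hashlib.md5(policy_raw.ljust(4, b"\x00") + seed_raw).digest()


def audit_driver_signing(policy_raw: bytes, seed_raw: bytes, private_hash: bytes) -> dict:
    """Report the configured level and whether PrivateHash still matches it."""
    level = int.from_bytes(policy_raw.ljust(4, b"\x00"), "little")
    consistent = expected_private_hash(policy_raw, seed_raw) == private_hash
    findings = []
    if level == 0:
        findings.append("unsigned drivers install silently (Policy = Ignore)")
    if level not in LEVELS:
        findings.append("Policy holds an undefined level")
    if not consistent:
        findings.append("Policy changed without a matching PrivateHash")
    return {"level": LEVELS.get(level, "unknown"), "consistent": consistent, "findings": findings}


if __name__ == "__main__":
    # Constructed sample values, not read from a real machine.
    seed = bytes.fromhex("a1b2c3d4")
    baseline = expected_private_hash(b"\x01", seed)
    print(audit_driver_signing(b"\x01", seed, baseline))
    print(audit_driver_signing(b"\x00", seed, baseline))
```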
posted at: 17:53
| Category: /rev-eng