
If you install a driver on Windows XP which is not blessed by Microsoft, you get a nasty dialog box with a warning. Microsoft tries to tell people this is for stability reasons. See this blog entry at The Old New Thing for someone arguing for it, and read the comments for reasons why this idea only sounds good in writing.
About a year ago this had also come up on the OpenVPN mailing list (see here). Someone in that thread pointed out that Microsoft says you can't change it in your program, which triggered my hacker gene to see how this could be done anyway.
Liberal usage of regmon revealed that the value is indeed stored in the Policy key of HKLM\Software\Microsoft\Driver Signing, but there was also a write to the PrivateHash key of HKLM\Software\Microsoft\Windows\CurrentVersion\Setup.
With the help of apispy it was easily found out that the PrivateHash is an MD5 hash of the 4-byte-extended value of the Policy key and some seed. The seed is the 4-byte value of the seed key from HKLM\System\WPA\PnP.
This was quickly written down in a small proof-of-concept program. And please, don't even think about ugly things like automating a mouse click to acknowledge such a dialog box again. :)
– Sec
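A monitoring counterpart to the finding above, as an added example that is not part of the original post or its program: because a policy change shows up as a write to a Policy value together with a write to PrivateHash, a registry-write log can be searched for any process that does both within a short window. The tab-separated log layout, the process names and the `allowed` list are constructed assumptions for this sketch.

```python
from collections import defaultdict

# Registry values named in the post, lower-cased for case-insensitive matching.
POLICY = (r"hklm\software\microsoft\driver signing\policy",
          r"hklm\software\microsoft\non-driver signing\policy")
HASH = r"hklm\software\microsoft\windows\currentversion\setup\privatehash"
SEED = r"hklm\system\wpa\pnp\seed"

# Constructed sample rows (seconds, process:pid, operation, path); not a real capture.
_ROWS = [
    ("9.90", "setpol.exe:1220", "QueryValue", r"HKLM\System\WPA\PnP\seed"),
    ("10.00", "setpol.exe:1220", "SetValue", r"HKLM\Software\Microsoft\Driver Signing\Policy"),
    ("10.02", "setpol.exe:1220", "SetValue", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Setup\PrivateHash"),
    ("42.00", "installer.exe:2001", "SetValue", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Setup\PrivateHash"),
    ("60.00", "rundll32.exe:1500", "SetValue", r"HKLM\Software\Microsoft\Non-Driver Signing\Policy"),
    ("60.01", "rundll32.exe:1500", "SetValue", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Setup\PrivateHash"),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in _ROWS)

def parse_events(text):
    """Turn tab-separated rows into (time, process, image name, op, path) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue  # skip malformed rows instead of failing the whole scan
        ts, proc, op, path = parts
        events.append((float(ts), proc, proc.rsplit(":", 1)[0].lower(), op, path.lower()))
    return events

def find_policy_rewrites(events, window=5.0, allowed=frozenset()):
    """Flag processes that set a signing Policy and PrivateHash within `window` seconds."""
    seen = defaultdict(lambda: {"policy": [], "hash": [], "seed": []})
    for ts, proc, name, op, path in events:
        if name in allowed:  # hypothetical allowlist of expected system images
            continue
        if op == "SetValue" and path in POLICY:
            seen[proc]["policy"].append((ts, path))
        elif op == "SetValue" and path == HASH:
            seen[proc]["hash"].append(ts)
        elif op == "QueryValue" and path == SEED:
            seen[proc]["seed"].append(ts)
    findings = []
    for proc, w in seen.items():
        for ts, path in w["policy"]:
            if any(abs(h - ts) <= window for h in w["hash"]):
                findings.append({"process": proc, "policy": path, "time": ts,
                                 "read_seed": any(s <= ts for s in w["seed"])})
    return sorted(findings, key=lambda f: f["time"])
```

A `read_seed` of `True` means the same process also read the seed value before the policy write, which is what recomputing the hash outside the normal settings dialog would require.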
Thanks for this code. I was actually interested in being able to change the Policy value for HKLM\Software\Microsoft\Non-Driver Signing which is also protected by the PrivateHash. It turns out that the non-driver value is simply the 0th byte of your "input" array. Thanks for the key to solving my problem. Best regards, Bill L.
Sec wrote on Tue, 27 Nov 2007 10:17
Checking my referrer logs I found a longish discussion about this program on another forum. While most of the posts pertain to their attempts to convert this to some scripting language, there is one posting here which mentions that I might have gotten the last parameter of the CryptAcquireContext() function wrong. They say it should be CRYPT_VERIFYCONTEXT instead of simply "0".
Take care.