Sec, blogmal! - rev-eng - driversign

Wed, 07 Dec 2005

Installing unsigned drivers in Windows
If you install a driver on Windows XP which is not "blessed" by Microsoft, you get a nasty dialog box with a warning. Microsoft tries to tell people this is for stability reasons. See [this blog entry]:http://blogs.msdn.com/oldnewthing/archive/2005/08/16/452141.aspx at "The Old New Thing" for someone arguing for it, and read the comments for reasons why this idea only sounds good in writing.

About a year ago this had also come up on the [OpenVPN]:http://openvpn.net/ mailing list ([see here]:http://openvpn.net/archive/openvpn-users/2004-11/msg00221.html). Someone in that thread pointed out that Microsoft says [you can't change it in your program]:http://support.microsoft.com/?kbid=298503 which triggered my /hacker/ gene to see how this could be done anyway.

Liberal usage of [regmon]:http://www.sysinternals.com/Utilities/Regmon.html revealed that the value is indeed stored in the Policy key of "HKLM\Software\Microsoft\Driver Signing", but there was also a write to the PrivateHash key of "HKLM\Software\Microsoft\Windows\CurrentVersion\Setup". With the help of [apispy]:http://www.internals.com/ it was easily found out that the *PrivateHash* is an MD5 hash of the 4-byte-extended value of the Policy key and some seed. The seed is the 4-byte value of the "seed" key from "HKLM\System\WPA\PnP". This was quickly written down in a small proof-of-concept [program]:http://openvpn.net/archive/openvpn-users/2004-11/msg00341.html. And please, don't even think about ugly things like automating a mouse click to acknowledge such a dialog box again. :) -- Sec
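To make the Policy/PrivateHash relationship concrete, here is an added Python audit check; it is not the proof-of-concept program linked above, nor any Microsoft code. It recomputes the hash from the stored Policy and seed bytes and reports whether the two registry values agree, which is what a tamper-evident hash is there to show. The byte layout (Policy zero-extended to 4 bytes, followed by the 4 seed bytes as stored) is an assumption, since the post does not spell out the concatenation order, and all sample values are constructed.

```python
import hashlib

# Constructed sample seed (not from any real machine). The real value is the
# 4-byte "seed" from HKLM\System\WPA\PnP and differs per installation.
SAMPLE_SEED = bytes.fromhex("4d3c2b1a")

# Policy (HKLM\Software\Microsoft\Driver Signing) is a 1-byte REG_BINARY:
# 0x00 = ignore, 0x01 = warn, 0x02 = block.
POLICY_NAMES = {0: "ignore", 1: "warn", 2: "block"}


def expected_private_hash(policy_reg: bytes, seed_reg: bytes) -> bytes:
    """Recompute PrivateHash from the raw registry bytes.

    Assumption: MD5 over the Policy byte zero-extended to 4 bytes followed by
    the 4 seed bytes exactly as stored. The order of the two fields is not
    given in the post and is assumed here.
    """
    if len(policy_reg) != 1 or policy_reg[0] not in POLICY_NAMES:
        raise ValueError("Policy must be a single byte 0x00, 0x01 or 0x02")
    if len(seed_reg) != 4:
        raise ValueError("seed must be exactly 4 bytes")
    data = policy_reg.ljust(4, b"\x00") + seed_reg
    return hashlib.md5(data).digest()


def audit_driver_signing(policy_reg: bytes, seed_reg: bytes,
                         stored_hash: bytes) -> dict:
    """Report whether the stored PrivateHash matches the current Policy.

    A mismatch means Policy was changed without the matching hash update,
    i.e. not through the System Properties dialog, and is worth flagging
    in a host audit.
    """
    expected = expected_private_hash(policy_reg, seed_reg)
    return {
        "policy": POLICY_NAMES[policy_reg[0]],
        "consistent": expected == stored_hash,
        "expected_hash": expected.hex(),
        "stored_hash": stored_hash.hex(),
    }


if __name__ == "__main__":
    # Constructed scenario: hash written for "warn", then Policy flipped to
    # "ignore" by a direct registry edit that left PrivateHash untouched.
    hash_for_warn = expected_private_hash(b"\x01", SAMPLE_SEED)
    print(audit_driver_signing(b"\x01", SAMPLE_SEED, hash_for_warn))
    print(audit_driver_signing(b"\x00", SAMPLE_SEED, hash_for_warn))
```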
posted at: 17:53 | Category: /rev-eng | permanent link to this entry | 4 comments (trackback)