Signing a Windows Kernel driver without using Microsoft

[DavidXanatos]

Ah yes... driver signing, a terrible mess really...
I was lucky with my projects that I fell with it into the time where leaked certs, aside of anti malware fools getting upset were working just fine. And by the time the restrictions were tied down I became able to get my drivers properly signed.


There are a few noteworthy things that I ran across which haven't yet been mentioned:
https://github.com/Mattiwatti/EfiGuard it is a bootkit that works with modern versions of windows, as long as you don't use the microsoft hypervisor, and allows you to toggle DSE on or off.
In combination with the https://github.com/ValdikSS/Super-UEFIinSecureBoot-Disk you can even have "secure boot" and load your own drivers at will. muhahahahah.....

here is a quite verbose write down of windows driver signign policy:
https://www.geoffchappell.com/notes/security/whqlsettings/index.htm?tx=40

As well as a semi supported way of using secure boot to sign your own drivers on your own pc:
https://www.geoffchappell.com/notes/windows/license/customkernelsigners.htm
only catch this is enabled only on Chinese governmental editions of windows 10
but that said there are hacks to get it working on any windows 10:
https://github.com/HyperSine/Windows10-CustomKernelSigners

Now the method of using a custom driver to keep the
HKEY_LOCAL_MACHINE\system\ControlSet001\Control\CI\Protected
"Licensed" value set to 1 is quite hacky and every time it fails you will need to manually hack the value from win PE, a custom loader which can parse and change the value in the SYSTEM hive on disk on each boot would be the best solution, but I haven't seen one yet.

Using a custom kernel signer really gives you the best combination of security and freedom, to bad MSFT want's only the Chinese government to have this.

[Stingered]

Quote:

Originally Posted by DavidXanatos

Ah yes... driver signing, a terrible mess really...
I was lucky with my projects that I fell with it into the time where leaked certs, aside of anti malware fools getting upset were working just fine. And by the time the restrictions were tied down I became able to get my drivers properly signed.


There are a few noteworthy things that I ran across which haven't yet been mentioned:
https://github.com/Mattiwatti/EfiGuard it is a bootkit that works with modern versions of windows, as long as you don't use the microsoft hypervisor, and allows you to toggle DSE on or off.
In combination with the https://github.com/ValdikSS/Super-UEFIinSecureBoot-Disk you can even have "secure boot" and load your own drivers at will. muhahahahah.....

here is a quite verbose write down of windows driver signign policy:
https://www.geoffchappell.com/notes/security/whqlsettings/index.htm?tx=40

As well as a semi supported way of using secure boot to sign your own drivers on your own pc:
https://www.geoffchappell.com/notes/windows/license/customkernelsigners.htm
only catch this is enabled only on Chinese governmental editions of windows 10
but that said there are hacks to get it working on any windows 10:
https://github.com/HyperSine/Windows10-CustomKernelSigners

Now the method of using a custom driver to keep the
HKEY_LOCAL_MACHINE\system\ControlSet001\Control\CI\Protected
"Licensed" value set to 1 is quite hacky and every time it fails you will need to manually hack the value from win PE, a custom loader which can parse and change the value in the SYSTEM hive on disk on each boot would be the best solution, but I haven't seen one yet.

Using a custom kernel signer really gives you the best combination of security and freedom, to bad MSFT want's only the Chinese government to have this.

Yes, I've just read up on ElfGuard and Super-UEFIinSecureBoot-Disk, but the rest I can certainly spend some time.

Great info!!!

[Fyyre]

Quote:

Originally Posted by DavidXanatos

Using a custom kernel signer really gives you the best combination of security and freedom, to bad MSFT want's only the Chinese government to have this.

I assume the CCP edition of Windows 10 x64 has such a custom signer? I'm curious if anyone has performed a deep dive comparison between Windows 10 1809 CCP and version for other countries.

[DavidXanatos]

Quote:

Originally Posted by Fyyre

I assume the CCP edition of Windows 10 x64 has such a custom signer? I'm curious if anyone has performed a deep dive comparison between Windows 10 1809 CCP and version for other countries.

Well as described here: https://www.geoffchappell.com/notes/windows/license/customkernelsigners.htm
Its not like the CCP edition is different, its just a licensing restriction, you can trick any non CCP windows into enabling this, but the licensing service will disable it for the next reboot. So you need a driver to block that from happening. As described here: https://github.com/HyperSine/Windows10-CustomKernelSigners

[KNARZ]

Quote:

Originally Posted by DavidXanatos

Well as described here: https://www.geoffchappell.com/notes/windows/license/customkernelsigners.htm
Its not like the CCP edition is different, its just a licensing restriction, you can trick any non CCP windows into enabling this, but the licensing service will disable it for the next reboot. So you need a driver to block that from happening. As described here: https://github.com/HyperSine/Windows10-CustomKernelSigners

With SLShim you can overcome it way more easy. But I dont know if this workaround will still work. Unfortunatly the original repo was taken down but you can find it forked via google.

Original repo hxxps://github.com/vyvojar/slshim
His other repos are also about spp.

I worked with him as a tester while he was developing it. Somewhere I will have the latest version of his patch. If requested I can search it.

[DavidXanatos]

Quote:

Originally Posted by KNARZ

If requested I can search it.

yes please

[KNARZ]

hxxps://www.xup.in/dl,20255033/slshim-master.zip/
btw. I could need some more reputation in this board ^^