Exetools  
#16  04-15-2006, 06:49  sHice
You will be allowed to start unsigned drivers on Windows Vista, according to http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/x64KMSigning.doc
There's a discussion about it on Woodmann: http://www.woodmann.net/forum/showthread.php?t=7748&highlight=vista
But nevertheless, drivers in freeware apps will become a problem if they are not signed, because the average user won't boot with F8 to use these apps.

#17  04-15-2006, 08:23  ricnar456
This is an Oleh mail (the OllyDbg author).

This mail was written 10/04/06 by Oleh:


v1.x is closed. V2.0 is under development, but advances slowly. But, earlier or later, it will be released.

Sincerely,

Olly

Ricardo Narvaja
PS: And it is bad news that SoftICE is dead, but it will be the time of all ring3 packers; look at the new Themida, all ring3 and not ring0 any more, for the same reason. I think it will be better for security; for me it is bad that any program can run drivers on your machine freely.

#18  04-15-2006, 17:15  taos
Uhmmm! Good news about Olly. To my mind come some Ring0 protections... StarForce & iLok from PACE (a lot of audio plugins on the net are protected with it).
Will there be 2 ways? Rich & poor protections... So the rich will use Ring0 and the rest Ring3?
I think, like you, that it's time for Ring3, but on the other side I don't believe that SF & iLok will migrate to it. We must wait!

#19  04-15-2006, 19:29  MarkusO
Only allowing "signed by Microsoft" drivers is not the only problem we will have to face on Windows Vista. Even when only debugging your own Ring3 applications, a Ring0 debugger has some advanced features which are not available in Ring3.

Quote from Microsoft on the topic "patch protection" (implemented in Win2003 x64 and Vista x86/x64):
Quote:
Q. What happens if an application or driver attempts to patch the kernel on a system that supports patch protection?
A. If the operating system detects an application or driver that patches the kernel, it generates a bug check and shuts down the system. Modifications that trigger this behavior are:
- Modifying system service tables
- Modifying the interrupt descriptor table (IDT)
- Modifying the global descriptor table (GDT)
- Using kernel stacks that are not allocated by the kernel
- Patching any part of the kernel (detected on AMD64-based systems only)
Over time, patch protection will be extended to protect additional kernel resources.
IDT protection, for example, prevents anybody from using hardware breakpoints (since INT 01 can't be "hooked" any more).

#20  04-15-2006, 21:14  sHice
Kayaker posted a link on Woodmann to an article which describes the PatchGuard protection in detail. It also gives working sample code on how to bypass it. PatchGuard is only a software-based protection, so bypassing it won't be a big problem for the RCE community. I don't expect M$ to improve on it if it is broken; I think they only want the average user to be protected from rootkits and the like. Here's the article: http://uninformed.org/index.cgi?v=3&a=3&t=sumry

#21  04-17-2006, 05:25  Human
Don't worry, it will be improved with the next CPUs, like AMD64; Intel will also add hardware guards. But every guard can be switched off, unguarded and fooled. Well, for me, I think the best way of protection will be a one-time hardware guard setting at boot. Why? Because once Vista patches it, nobody has rights to do it again till the next boot; if StarForce takes control of it at boot, then Vista will not load, and I doubt someone will buy games with that crap.

#22  04-18-2006, 07:33  JCB
Also remember that more motherboards are introducing Trusted Platform chips (think about Palladium, which is part of Vista). It will really make it difficult to run applications that are not "authorized" on your PC if you decide to use Vista and you have the hardware to enforce the protection. Currently everything I have seen so far you can disable, but who knows how long that will last.

#23  04-18-2006, 08:42  taos
Quote:
Originally Posted by JCB
Also remember that more motherboards are introducing Trusted Platform chips (think about Palladium, which is part of Vista). It will really make it difficult to run applications that are not "authorized" on your PC if you decide to use Vista and you have the hardware to enforce the protection. Currently everything I have seen so far you can disable, but who knows how long that will last.
This will be enable/disable like the Pentium serial number, because you can make a claim against the hardware factory, since they can fail (with other OSes, for example).

Trusted HW with trusted soft, it sounds like iPod or PSP protection, and you know what the result is...

BTW:

M$ informs that the need to use signed drivers IS ONLY FOR THE 64-BIT version. Maybe for stability.

Link:
hxxp://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/DrvCompat_Vista.doc

• Digital signatures are required for 64-bit kernel-mode drivers. Signed catalog (.cat) files are required for all kernel-mode packages that are to be installed on the 64-bit editions of Windows Vista. This applies to any software module that loads in kernel mode, including device drivers, filter drivers, and kernel services. The operating system does not load unsigned kernel modules that lack a signed catalog file.
There are two ways to obtain an appropriately signed catalog file:
• Obtain a Windows Vista logo. Drivers that pass Windows Hardware Quality Lab (WHQL) testing receive a catalog file that is signed with the WHQL certificate.
• Obtain a publisher identity certificate (PIC) and use the PIC to sign the package's catalog file. To obtain a PIC, a publisher must first obtain a VeriSign Class 3 Commercial Software Publisher Certificate and then use that certificate to obtain a PIC from Microsoft that can be used to sign kernel-mode modules intended for 64-bit Windows Vista.
For boot drivers, hardware manufacturers must also use a PIC to embed a signature in the driver binaries. This requirement applies to CD-ROM and disk drivers, ATA/ATAPI controllers, mouse and other pointing devices, SCSI and RAID controllers, and system devices.
Solution: Sign all catalog files for 64-bit drivers by using a PIC or get a WHQL-signed catalog file by obtaining a Windows Vista logo. Sign boot driver binaries by using a PIC.
For more information, see the white paper titled "Digital Signatures for Kernel Modules on x64-based Systems Running Windows Vista."

#24  04-18-2006, 13:11  peleon
taos, thanks for the information. I thought it applied to the 32- and 64-bit versions, but it looks like it is only for 64-bit.

Anyway, no words to describe my feelings about SoftICE being dead... how many lovely nights I have spent with "him".

#25  04-19-2006, 08:06  MarcElBichon
In 0day:
Compuware.DriverStudio.v3.2-Lz0 (Dupe)
Compuware.DevPartner64.v1.0.1-Lz0

I can't upload to FTP today, sorry.

#26  04-21-2006, 04:51  taos
I don't understand you; the 3.2 version is old, why is it in 0day?
Can you post the nfo file?

#27  04-21-2006, 06:39  deroko
It is sad to hear such news about SoftICE, and this thing with signed drivers makes me more unhappy.
http://accessroot.com

#28  04-21-2006, 19:44  baatazu
Hello guys,

1. All drivers can be signed unless they contain hooking of functions. Only a certification is required (from $99-$400/year, depending on the provider).
2. Hooking of functions is allowed in some cases, for example if the software is an antivirus, firewall or any other security-related product. Requirement: hooking must not slow down system performance. (How the Norton certified driver turns my PC into a 486 is a mystery.)
3. In Windows Vista, by default, unsigned drivers cannot be installed. Why? Because in Vista, Microsoft introduces a new technology so that normal non-admin users will be able to install programs. Those programs may install system-wide elements such as drivers. That's why the system is restricted.
4. Windows Vista will have an option in the Administration Panel (Local Security Panel) that will allow the administrator to DISABLE this rule. Then all drivers can be installed freely, signed and non-signed.
5. As far as all security policy elements are registry keys, developers will be able to programmatically disable this restriction, ask for a reboot and then install the driver.

Generally, this is survivable for legal developers (to install unsigned drivers), BUT it will kick out those transparent driver installations (i.e. rootkits). This is what Microsoft wants to defeat.

Hope that helps!
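The thread revolves around which kernel-mode drivers a Windows box will load and whether they carry a valid signature. As an added defender-side check, not code from the thread or from any of its posters, the script below enumerates the drivers currently running and reports the Authenticode signature state of each image, which is what a practitioner would use to spot an unsigned or tampered driver. It assumes a Windows host with PowerShell 5.1 or later and relies only on the built-in Get-CimInstance (Win32_SystemDriver) and Get-AuthenticodeSignature cmdlets.

```powershell
# Added example (not from the thread): report the signature status of every
# kernel driver that is currently running on this host.
# Assumes PowerShell 5.1+ on Windows with the standard CimCmdlets module.
function Get-LoadedDriverSignatureReport {
    [CmdletBinding()]
    param()

    # Win32_SystemDriver lists kernel-mode drivers registered as services;
    # State = 'Running' narrows it to what is actually loaded in ring 0 now.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' }

    foreach ($drv in $drivers) {
        $path = $drv.PathName
        if (-not $path) { continue }

        # Service image paths come in several NT-style forms; normalise to Win32.
        $path = $path.Trim('"')
        $path = $path -replace '^\\\?\?\\', ''                       # \??\C:\... -> C:\...
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\" # \SystemRoot\... -> C:\Windows\...
        if (-not [System.IO.Path]::IsPathRooted($path)) {            # system32\drivers\x.sys
            $path = Join-Path $env:SystemRoot $path
        }

        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Name = $drv.Name; Path = $path; Status = 'FileNotFound'; Signer = $null }
            continue
        }

        # Status is Valid, NotSigned, HashMismatch, UnknownError, ... ;
        # catalog-signed in-box drivers are resolved through the system catalogs.
        $sig    = Get-AuthenticodeSignature -LiteralPath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

        [pscustomobject]@{
            Name   = $drv.Name
            Path   = $path
            Status = $sig.Status
            Signer = $signer
        }
    }
}

# Anything other than 'Valid' is exactly what kernel-mode signing enforcement
# is meant to keep out of ring 0 and deserves a closer look on a production host.
Get-LoadedDriverSignatureReport |
    Where-Object { $_.Status -ne 'Valid' } |
    Format-Table -AutoSize
```

Run it from an elevated prompt so every driver image is readable; a HashMismatch on a driver that should be signed is a stronger signal than NotSigned, because it means the file on disk no longer matches its signature.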