Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 09-25-2024, 09:48
tame_mpeg tame_mpeg is offline
Friend
 
Join Date: Oct 2023
Posts: 8
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 3
Thanks Rcvd at 15 Times in 4 Posts
tame_mpeg Reputation: 0
Patching in your own kernel signing certificate

I need a signing certificate which is completely trusted by an up to date version of windows.
Test signing is an option for some purposes, but many applications don't like it being enabled. I’m also aware of tools to disable PatchGuard and DSE.
There are leaked certificates and timestamp spoofing tools but they don't play well with up to date versions of windows and kernel driver signing.

I came across this writeup which describes a process of patching bootmgfw.efi to replace the signature of an unimportant Microsoft Test signing certificate with your own certificate. The final result of doing this is you get your own certificate which can sign drivers without compromising the security or stability of Windows.
The writeup:
https://github.com/Avery3R/re-writeups/blob/master/windows-ci/part1_on_disk_patching.md

The writeup doesn't go into much detail and I don't know if I could figure out how to try it myself.
Has anyone else done something like this? Do you think it would still work?
Anyone have links to any other resources or tools which could help do the things in that writeup?
Reply With Quote
  #2  
Old 09-25-2024, 17:51
Kerlingen Kerlingen is offline
VIP
 
Join Date: Feb 2011
Posts: 328
Rept. Given: 0
Rept. Rcvd 277 Times in 99 Posts
Thanks Given: 0
Thanks Rcvd at 329 Times in 100 Posts
Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299 Kerlingen Reputation: 200-299
Quote:
I attached a kernel debugger to my VM and tried to load the driver with devcon
This is already the first mistake made in the article: As soon as a kernel debugger is attached, many of the kernel protection features are automatically disabled, including the kernel signature verification. Drivers do not even need a test signed certificate in this case, they will load even without any signature.

Quote:
manually added my root certificate to the trusted roots store the normal way
This is also total nonsense. The root certificates for kernel signing are hard-coded in the executable files, they are never read from the trusted roots store. The whole article seems to focus on removing certificate warnings in the GUI, a part which has absolutely nothing to do with the decision if a kernel driver is permitted to load or not.
Reply With Quote
The Following 3 Users Say Thank You to Kerlingen For This Useful Post:
SofTw0rm (09-25-2024), tame_mpeg (09-25-2024), tonyweb (09-29-2024)
  #3  
Old 09-25-2024, 19:20
KostyantynX KostyantynX is offline
Friend
 
Join Date: Oct 2023
Posts: 7
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 0
Thanks Rcvd at 8 Times in 4 Posts
KostyantynX Reputation: 1
Quote:
Originally Posted by tame_mpeg View Post
I
The writeup:
https://github.com/Avery3R/re-writeups/blob/master/windows-ci/part1_on_disk_patching.md

The writeup doesn't go into much detail and I don't know if I could figure out how to try it myself.
Has anyone else done something like this? Do you think it would still work?
Anyone have links to any other resources or tools which could help do the things in that writeup?
In that writeup the author ends by saying "If you have any questions or comments, feel free to get in touch with me on reddit /u/Avery3R or twitter @Avery3R."
Did you try to contact him directly?
You may get better answers directly from the author?
Reply With Quote
  #4  
Old 09-25-2024, 20:37
tame_mpeg tame_mpeg is offline
Friend
 
Join Date: Oct 2023
Posts: 8
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 3
Thanks Rcvd at 15 Times in 4 Posts
tame_mpeg Reputation: 0
Quote:
Originally Posted by Kerlingen View Post
This is already the first mistake made in the article: As soon as a kernel debugger is attached, many of the kernel protection features are automatically disabled, including the kernel signature verification. Drivers do not even need a test signed certificate in this case, they will load even without any signature.



This is also total nonsense. The root certificates for kernel signing are hard-coded in the executable files, they are never read from the trusted roots store. The whole article seems to focus on removing certificate warnings in the GUI, a part which has absolutely nothing to do with the decision if a kernel driver is permitted to load or not.
Thanks for the insight.

I don't suppose it's viable to permanently patch in any of your own certificates then.




Does anyone know if there a central location where windows stores blacklisted certificates? Could this be easier to tamper with?

I recently cracked a program by patching a dll. The parent process won't load if any of its dlls are unsigned. Signing with your own certificate which you added to the trusted store does not work. I had to sign it with a leaked NVIDIA cert and then everything worked fine.
After updating windows the cracked program won't load anymore due to an invalid signature error on that dll. even through Windows explorer still shows it as validly signed. I assume the update bundled some kind of blacklist which broke that signing. Would be nice if I could keep the updates but get rid of the blacklisted certificates they include.
Reply With Quote
  #5  
Old 09-25-2024, 21:27
KostyantynX KostyantynX is offline
Friend
 
Join Date: Oct 2023
Posts: 7
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 0
Thanks Rcvd at 8 Times in 4 Posts
KostyantynX Reputation: 1
Quote:
Originally Posted by tame_mpeg View Post
Thanks for the insight.

I don't suppose it's viable to permanently patch in any of your own certificates then.




Does anyone know if there a central location where windows stores blacklisted certificates? Could this be easier to tamper with?

I recently cracked a program by patching a dll. The parent process won't load if any of its dlls are unsigned. Signing with your own certificate which you added to the trusted store does not work. I had to sign it with a leaked NVIDIA cert and then everything worked fine.
After updating windows the cracked program won't load anymore due to an invalid signature error on that dll. even through Windows explorer still shows it as validly signed. I assume the update bundled some kind of blacklist which broke that signing. Would be nice if I could keep the updates but get rid of the blacklisted certificates they include.
Windows maintains a list of blacklisted certificates in a few different locations, primarily through the use of the Certificate Revocation List (CRL) and the Online Certificate Status Protocol (OCSP). These mechanisms are designed to ensure that certificates that have been compromised or are no longer valid are not trusted by the system.

1. Certificate Revocation List (CRL): This is a list of certificates that have been revoked by the Certificate Authority (CA) before their expiration date. Windows checks this list when validating certificates.

2. Trusted Root Certification Authorities: Windows has a store for trusted root certificates, but it also has a mechanism for blacklisting certificates that are no longer trusted.

3. Windows Update: Microsoft periodically updates the list of trusted and untrusted certificates through Windows Update. This can include adding new root certificates and blacklisting compromised ones.

Tampering with these lists is not straightforward and can lead to system instability or security vulnerabilities. Additionally, modifying system files or settings to bypass security measures can violate the terms of service for Windows and may expose your system to risks.

If you're encountering issues with a patched program after a Windows update, it's likely that the update included a new blacklist or modified the way signatures are validated. Unfortunately, there isn't a simple or safe way to selectively remove blacklisted certificates from Windows updates without risking system integrity.

For your specific situation, you might consider:

- Using a Virtual Machine: Run the patched program in a virtual machine with an older version of Windows that doesn't have the updated blacklist.
- Reverting Updates: If possible, you could revert to a previous version of Windows before the update that caused the issue, but this is not always feasible or secure.
- Exploring Alternative Patching Methods: Look for other ways to patch the program that do not rely on certificate signing.

Keep in mind that modifying software in this way can have legal and ethical implications, and it's important to consider the risks involved.

I still suggest that you consider contacting the author of the writeup.
Reply With Quote
The Following User Says Thank You to KostyantynX For This Useful Post:
niculaita (09-26-2024)
  #6  
Old 09-26-2024, 01:42
chants chants is online now
VIP
 
Join Date: Jul 2016
Posts: 807
Rept. Given: 44
Rept. Rcvd 50 Times in 31 Posts
Thanks Given: 721
Thanks Rcvd at 1,114 Times in 515 Posts
chants Reputation: 51
So this is implying the certificate manager API is useless in context of AuthentiCode certs? I assumed that as long as the TRCA has it and Trusted Publishers, you would be good, but i think this changed some years back.

So presumably Microsoft maintains TRCA, Trusted Publishers, revocations for Authenticide on kernel drivers in some hard coded way in the loader or near it at least. The question of where exactly is definetly an interesting one, though with memory integrity and signature checks on load, it won't be easy to patch the OS kernel. Doesn't look like an elegant solution exists beyond using test certificates in test signing mode.
Reply With Quote
  #7  
Old 09-26-2024, 04:37
niculaita's Avatar
niculaita niculaita is offline
Family
 
Join Date: Jun 2011
Location: here
Posts: 1,405
Rept. Given: 969
Rept. Rcvd 89 Times in 61 Posts
Thanks Given: 4,682
Thanks Rcvd at 484 Times in 343 Posts
niculaita Reputation: 89
If you have a valid and trusted certificate, please sign these files https://we.tl/t-It39b2B9cv for me, so that I will not use test signing anymore!
__________________
Decode and Conquer
Reply With Quote
  #8  
Old 09-27-2024, 17:58
Fyyre's Avatar
Fyyre Fyyre is offline
Fyyre
 
Join Date: Dec 2009
Location: 0°N 0°E / 0°N 0°E / 0; 0
Posts: 273
Rept. Given: 89
Rept. Rcvd 86 Times in 39 Posts
Thanks Given: 167
Thanks Rcvd at 340 Times in 118 Posts
Fyyre Reputation: 86
Quote:
Originally Posted by Kerlingen View Post
This is also total nonsense. The root certificates for kernel signing are hard-coded in the executable files, they are never read from the trusted roots store. The whole article seems to focus on removing certificate warnings in the GUI, a part which has absolutely nothing to do with the decision if a kernel driver is permitted to load or not.
Right.. GUI warnings are not important.

Whole point of UPGDSED was to implement my "six byte pg/ds kill" in a more eleoquent manner.

Motivation came from wanting to keep making utility rootkits for x64 Windows - when Microsoft came out with signing for drivers. Signing is much bigger ass pain than KPP .. disable of KPP is same last version of Windows 11 I check...

Neat people still want to do this. Personally, I never cared enough to mess with the UEFI crap... not so sure its going to be all that different with it..

change exection flow, change the world.
Reply With Quote
The Following User Says Thank You to Fyyre For This Useful Post:
niculaita (09-27-2024)
  #9  
Old 09-27-2024, 18:00
Fyyre's Avatar
Fyyre Fyyre is offline
Fyyre
 
Join Date: Dec 2009
Location: 0°N 0°E / 0°N 0°E / 0; 0
Posts: 273
Rept. Given: 89
Rept. Rcvd 86 Times in 39 Posts
Thanks Given: 167
Thanks Rcvd at 340 Times in 118 Posts
Fyyre Reputation: 86
Quote:
Originally Posted by niculaita View Post
If you have a valid and trusted certificate, please sign these files https://we.tl/t-It39b2B9cv for me, so that I will not use test signing anymore!
Sure.. not sure it will load a driver, but my company has valid code signing cert.. will DM you result, test then let me know.
__________________
Best Wishes,

Fyyre

--

https://github.com/Fyyre
Reply With Quote
The Following User Says Thank You to Fyyre For This Useful Post:
niculaita (09-27-2024)
  #10  
Old 09-27-2024, 23:51
niculaita's Avatar
niculaita niculaita is offline
Family
 
Join Date: Jun 2011
Location: here
Posts: 1,405
Rept. Given: 969
Rept. Rcvd 89 Times in 61 Posts
Thanks Given: 4,682
Thanks Rcvd at 484 Times in 343 Posts
niculaita Reputation: 89
Problem was/are cat files. Have to be signed too same certificate as sys files.
__________________
Decode and Conquer

Last edited by niculaita; 09-28-2024 at 00:54.
Reply With Quote
  #11  
Old 09-28-2024, 00:53
niculaita's Avatar
niculaita niculaita is offline
Family
 
Join Date: Jun 2011
Location: here
Posts: 1,405
Rept. Given: 969
Rept. Rcvd 89 Times in 61 Posts
Thanks Given: 4,682
Thanks Rcvd at 484 Times in 343 Posts
niculaita Reputation: 89
The hash for the file (Exetools.sys) is not present in the specified catalog file. The file is likely corrupt or the victim of tampering.
închidere
__________________
Decode and Conquer
Reply With Quote
  #12  
Old 09-28-2024, 02:11
niculaita's Avatar
niculaita niculaita is offline
Family
 
Join Date: Jun 2011
Location: here
Posts: 1,405
Rept. Given: 969
Rept. Rcvd 89 Times in 61 Posts
Thanks Given: 4,682
Thanks Rcvd at 484 Times in 343 Posts
niculaita Reputation: 89
So, please again sign again sys and cat acording to name, .sys and .inf files!
In .inf file DriverVer=08/05/2024,1.0.0.0001
__________________
Decode and Conquer
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



All times are GMT +8. The time now is 15:06.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )