32-bit Vista Digital Signature Countermeasures


By tiamo

Two targets:
First, load unsigned drivers (on 32-bit Vista this is, of course, already possible).
Second, get rid of the warning dialog that appears when the driver is installed.

Solution:
First, my driver is signed with a certificate issued by a trusted root CA, just not by one of the eight root CAs that Microsoft requires.
Then, patch Windows so that it accepts a certificate from any trusted root CA.

Start with the second target.
When a driver is installed, setupapi.dll calls WinVerifyTrust to check whether the driver is signed. If there is no signature, or there is one but the root is not one of the eight root CAs Microsoft requires, the dialog box is displayed.
If your driver is signed, but not by one of those eight roots, the error code returned by WinVerifyTrust is 0x800B0109 (CERT_E_UNTRUSTEDROOT, "untrusted root"). A little tracing shows that this value is returned from crypt32.dll, in four places in total. Find them with a hex editor and replace each 0x800B0109 with 0. Then sign your driver with a certificate that chains to some trusted root (for example, I used my online-banking certificate), or set up your own certificate service, issue yourself a certificate, and add it to your Trusted Root store. Sign the driver and try again: the installation no longer shows the dialog.

The second goal is easily achieved, but even on 32-bit the kernel still has to be patched, because crypt32.dll is a protected system file and is itself signed: Vista requires every DLL and EXE loaded into its key processes to be signed, and modifying crypt32.dll destroys its signature.

The first target is a little more complicated, because kernel signature verification is layered.
When the computer boots, the code in the MBR loads the bootmgr file from the Vista system partition into memory and hands control to it. bootmgr then loads system32\winload.exe, and winload.exe in turn loads ntoskrnl.exe.
Each step of this loading process has its own signature check.

1. The MBR loads bootmgr regardless of whether it is signed. I have several systems and use GRUB as the boot loader rather than Vista's.
2. bootmgr loads winload.exe; here winload.exe must be signed.
3. winload.exe is responsible for loading ntoskrnl.exe, hal.dll and all boot-start drivers.
4. ntoskrnl loads the remaining system-start and auto-start drivers, and later any drivers that are started manually.
All of these run in kernel mode.

So the patch work is clear:
1. bootmgr needs a patch, because it verifies winload.exe.
2. winload.exe needs a patch, because it verifies all boot-start drivers, and CI.dll as well.
3. CI.dll needs a patch, because it is responsible for the signature checks once the boot loader has handed off.

bootmgr is a 16-bit real-mode stub followed by a 32-bit PE file. Search for "MZ" (the DOS header) with a hex editor; the mark is very obvious. Save everything from the MZ to the end of bootmgr into a new file named bootmgr.dll and open it in IDA. IDA will notice that a debugging symbol file exists and ask whether to load it; load it. Microsoft is very generous and provides the PDB for this file.
The 16-bit stub needs no attention; look at the 32-bit DLL.
BmMain is its entry function. Follow it down: there is a call to BlImgQueryCodeIntegrityBootOptions, and the result decides whether BmFwVerifySelfIntegrity is executed. Change the conditional branch there to a JMP so that the BmFwVerifySelfIntegrity call is skipped.
Now go to BlImgLoadBootApplication. It also calls BlImgQueryCodeIntegrityBootOptions, and then calls ImgArchPcatLoadBootApplication. Inside that function you can see that the image is loaded through BlImgLoadPEImageEx, and that the signature check is also done inside BlImgLoadPEImageEx: when bit 0x10 of its 6th argument (arg6 & 0x10) is non-zero the signature is verified; otherwise the signature check is skipped and only the PE header checksum is verified. So whenever this function is called, bit 0x10 of the 6th argument must not be set. Back in ImgArchPcatLoadBootApplication, you can see that the value passed in eax goes through some tests to produce that 6th argument. Look closer and you will find it is enough to clear bit 0x10 of eax before ImgArchPcatLoadBootApplication is called, because ImgArchPcatLoadBootApplication itself never modifies that bit. So it is easy: replace the code that sets eax with an xor eax, eax.
Save the DLL and fix its PE checksum, then use copy /b to join it back onto the 16-bit stub you stripped off earlier. Name the result bootmgr2; this is the cracked bootmgr.

Open winload.exe in IDA the same way and load its PDB (with the PDB it really is easy and effort-saving). Incidentally, kernel debugging is supported from winload onward, so you can debug winload with WinDbg.
winload.exe is simpler: it reuses a lot of bootmgr code. For example, the signature decision again uses bit 0x10 of the 7th argument (arg7 & 0x10). Trace that all the way back and you find that if LoadIntegrityCheckPolicy is 0, winload's signature checking is disabled. So find where LoadIntegrityCheckPolicy is initialized, which is in the OsInitializeCodeIntegrity function. Nothing else in that function is needed, so you can simply set LoadIntegrityCheckPolicy to 0 at the start of the function and RET.
Save this as winload2.exe and fix its checksum.
Then use bcdedit to add a new boot loader entry whose path points at winload2.exe, and try it. Your system should boot.
By now your boot-start drivers load without trouble (32-bit drivers, that is). If you are on 64-bit, you can put a boot-start driver in here and then go after PatchGuard.

Next is CI.dll. This one is much more troublesome, and its checks are more complicated than those in the boot process. I tried to skip all signature checks outright, as with winload and bootmgr. Unfortunately that does not work: spsys.sys bugchecks. That is Microsoft's software licensing driver; unfortunately it has no PDB and is full of instructions. I tried dynamic tracing and went through n bugchecks, so I gave up on skipping every signature check and use the method below instead.

CI.dll is complicated. Broadly, it makes two kinds of decision: the first is a whole-file check, the second is a per-page check based on memory pages.
First, the whole-file check. CI.dll reads the .cat files under system32\catroot\{Fxxxxxxx... and parses them, so that later, when it needs to decide whether a file is signed, it only has to do a binary search. While parsing, it sets a flag on each catalog recording whether that catalog was signed by one of Microsoft's eight root CAs. So our goal is to get our own .cat marked as Microsoft-certified. Following the code: if our catalog does not pass Microsoft's check the flag is set to 1; if it does, it is 2. So change the 1 in the or byte ptr [esi+44h], 1 to 2. The exact spot is in MinCryptVerifyCertificateWithPolicy, in the operations around [ebp-34h]: wherever there is an or with 1, change the 1 to 2.
That takes care of the whole-file signature check.

2. The memory-page-based check. This one is simpler than the first. There is a mov [ebp-20h], 0C0000428h (STATUS_INVALID_IMAGE_HASH) near the end of CiValidateImageData. Change that 0xC0000428 to 0.
Save this CI.dll and fix its checksum. Unlike winload2.exe, this one has to overwrite the original in place.
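Every step above is done by hand: a hex editor to replace constants, a separate tool to fix the PE checksum, and copy /b to rejoin bootmgr. As an added example (not tiamo's code, and not part of the original post), the Python below scripts those mechanical parts: replacing a little-endian DWORD such as 0x800B0109 in crypt32.dll and reporting how many sites were hit, splitting bootmgr into its 16-bit stub and the embedded PE image, recomputing IMAGE_OPTIONAL_HEADER.CheckSum after a patch using the same one's-complement algorithm CheckSumMappedFile uses, and concatenating the pieces back. All input is constructed in memory (a minimal PE header and a fake stub); on a real system you would read the file bytes yourself. The instruction-level patches from the post are deliberately not encoded here, since their offsets are build-specific.

```python
"""Added example: byte-level helpers for the hex-editing steps in the post.
Sample images below are constructed in memory; nothing touches real files."""
import struct

CERT_E_UNTRUSTEDROOT = 0x800B0109        # value WinVerifyTrust returns for an unknown root
STATUS_INVALID_IMAGE_HASH = 0xC0000428   # value CiValidateImageData stores on page-hash failure


def replace_dword(data: bytes, old: int, new: int) -> tuple[bytes, int]:
    """Replace every little-endian occurrence of `old` with `new`.
    Returns (patched, count). Compare `count` with the number of sites you
    expect (the post found 4 in crypt32.dll): a 4-byte constant can also
    appear in unrelated data, and a wrong count means you should not write."""
    pat, rep = struct.pack("<I", old), struct.pack("<I", new)
    return data.replace(pat, rep), data.count(pat)


def _pe_header_offset(data: bytes, mz: int = 0) -> int:
    """File offset of 'PE\\0\\0' for the MZ header at `mz`, or -1 if not a PE."""
    if data[mz:mz + 2] != b"MZ" or mz + 0x40 > len(data):
        return -1
    pe = mz + struct.unpack_from("<I", data, mz + 0x3C)[0]   # e_lfanew
    return pe if data[pe:pe + 4] == b"PE\0\0" else -1


def split_bootmgr(data: bytes) -> tuple[bytes, bytes]:
    """Split bootmgr into (16-bit real-mode stub, embedded 32-bit PE image).
    The PE starts at the first 'MZ' whose e_lfanew points at a PE signature;
    a stray 'MZ' inside the stub is skipped."""
    off = data.find(b"MZ")
    while off >= 0:
        if _pe_header_offset(data, off) >= 0:
            return data[:off], data[off:]
        off = data.find(b"MZ", off + 1)
    raise ValueError("no embedded PE image found")


def _checksum_field_offset(data: bytes) -> int:
    pe = _pe_header_offset(data)
    if pe < 0:
        raise ValueError("not a PE image")
    # 'PE\0\0' (4) + IMAGE_FILE_HEADER (20) + offset 64 into the optional
    # header; CheckSum sits at 64 for both PE32 and PE32+.
    return pe + 4 + 20 + 64


def pe_checksum(data: bytes) -> int:
    """IMAGE_OPTIONAL_HEADER.CheckSum as CheckSumMappedFile computes it:
    one's-complement sum of all 16-bit words with the CheckSum field itself
    counted as zero, folded to 16 bits, plus the file length."""
    cs_off = _checksum_field_offset(data)
    buf = data + b"\0" * (len(data) % 2)       # pad an odd length with one zero byte
    total = 0
    for i in range(0, len(buf), 2):
        if i in (cs_off, cs_off + 2):
            continue
        total += struct.unpack_from("<H", buf, i)[0]
        total = (total & 0xFFFF) + (total >> 16)  # fold the carry back in
    total = (total & 0xFFFF) + (total >> 16)
    return (total + len(data)) & 0xFFFFFFFF


def fix_checksum(data: bytes) -> bytes:
    """Return the image with a freshly computed CheckSum written into its header."""
    fixed = bytearray(data)
    struct.pack_into("<I", fixed, _checksum_field_offset(data), pe_checksum(data))
    return bytes(fixed)


def checksum_ok(data: bytes) -> bool:
    """True if the stored CheckSum matches the computed one."""
    stored = struct.unpack_from("<I", data, _checksum_field_offset(data))[0]
    return stored == pe_checksum(data)


def rebuild_bootmgr(stub: bytes, patched_pe: bytes) -> bytes:
    """Same effect as `copy /b stub + bootmgr.dll bootmgr2`, with the checksum fixed first."""
    return stub + fix_checksum(patched_pe)


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 header (no sections); stands in for a real image."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew -> right after the DOS header
    coff = bytes(20)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)     # PE32 magic
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # 1. crypt32-style constant replacement on a constructed blob
    blob = b"\x09\x01\x0B\x80 some code \x09\x01\x0B\x80"
    patched, hits = replace_dword(blob, CERT_E_UNTRUSTEDROOT, 0)
    print("replaced", hits, "occurrence(s) of 0x800B0109")
    # 2. split a constructed bootmgr, recombine with a corrected checksum
    stub, pe = split_bootmgr(b"\xEA\x00\x00\x00\x00 fake stub " + build_sample_pe())
    out = rebuild_bootmgr(stub, pe)
    print("bootmgr2 checksum ok:", checksum_ok(out[len(stub):]))
```

Check the count `replace_dword` reports against the number of sites you expect before writing anything back. The checksum matters here because, as the post notes, BlImgLoadPEImageEx still verifies the PE header checksum even when the signature check is skipped, so every patched boot image needs a fresh one.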

All right, everything is changed. Boot your system.
========================================================== ============

Vista sets strict permissions on these files: even the SYSTEM account can only read them, not modify them.
To modify them you must first change the owner to Administrator; after the modification, remember to restore the original permissions. The owner you need to put back is "NT Service\TrustedInstaller".
Of course, some of these files cannot be replaced while Vista is running. Boot into the second OS on a dual-boot machine, or into WinPE from the Vista disc, and replace them from there.
========================================================== ============

All the modifications above were done on 32-bit Vista; I do not have a 64-bit installation disc here.
The modifications for 64-bit are the same, though. You do not need to worry about PatchGuard for this part; it is not under PatchGuard's jurisdiction.
Once your boot-start driver loads, you can deal with PatchGuard at your leisure.

I believe you have read this theoretical foundation? Although 32-bit differs a little from what he describes, it is of great guiding value.

In addition, there are several images.
