»Bypassing Windows Driver Signature Enforcement«
2018-10-16, 13:30–17:30, Echternach - Diekirch

Microsoft does a great effort to harden the Windows kernel and limit attackers to load their custom drivers (kernel rootkits) with the introduction of Driver Signature Enforcement in Win7x64. In this 4 hour workshop we will learn the limitation of this enforcement and practice how we can bypass it. We will explore 4 different methods (from very easy to difficult) on various versions of Windows, including Windows 10. We will see how and why they work, and which malware used them in the past. First we will see how we can use leaked certificates to overcome DSE as well as how we can turn it OFF by design, and what are its limitations. Then we will use WinDBG to look into the kernel and find the various flags used to control DSE and use the HackSysExtremeVulnerableDriver to do kernel exploitation for setting those to the value we require. We will use a simple dummy driver to demonstrate unsigned driver loading.

Detailed Outline: 1. First we will talk about what is Windows DSE, and overview the various bypass techniques. 2. Bypass #1 - We will see how we can disable the DSE by design (not really a bypass), what are its limitations and why it's the most difficult one from an attacker's point. This is the TESTSIGNING bit method. 3. Bypass #2 - Using leaked certificates. We will use a publicly available leaked certificate (already revoked and expired in 2013) to sign the HackSysExtremeVulnerableDriver. We will explore why we can still use this, and why possibly this is the biggest limitations of DSE. I will briefly cover my MSRC case with Microsoft, and their response when reporting this issue. 4. We will cover how the various kernel flags control the DSE and then we will use WinDBG to find those, and how to identify their offsets. 5. We will create a dummy, unsigned driver what we will use demonstrating loading unsigned drivers. 6. We will cover the basics of how to load a driver with Windows API, and make our script doing that. 7. Bypass #3 - We will use the previously signed HEVD driver to introduce a kernel vulnerability to the system and exploit it to overwrite the g_cienabled kernel flag and why we can 'bypassing' patchguard, this will happen on Windows 7. 8. Bypass #4 - Same as #3 we will patch the g_cioptions kernel flag to achieve the same result. This methid will be done in later versions of Windows (8+)