PC Ekspert Forum

PC Ekspert Forum (https://forum.pcekspert.com/index.php)
-   News (https://forum.pcekspert.com/forumdisplay.php?f=23)
-   -   ATI's drivers have become the target of the Purple Pill project (https://forum.pcekspert.com/showthread.php?t=76826)

horza 12.08.2007. 15:08

ATI's drivers have become the target of the Purple Pill project
 
This is the original post from Alex Ionescu's blog ( http://www.alex-ionescu.com ) related to today's news item on PC Ekspert. The disclaimer is deliberately in English.

Please note that PC Ekspert Portal strongly discourages using information from the article quoted below. We have chosen to publish this post only to prove that freedom of independent media still exists. The public has the right to know that the product they bought may harm their property (computers and data that they own), so they can protect their property before the vendor does that for them. We enforce very strict rules about posting illegal and/or harmful content on our forum, so please do not make us remove this post.


Quote:

Purple Pill: Defeating Vista x64 Driver Signing (without a private certificate!)

As most Windows security experts know, more than a week ago, a tool called “Atsiv” was released by Linchpin Labs, which supposedly allowed people to load their own unsigned drivers into Vista 64-bit, which contains a policy against such unsigned drivers. Although the effort is definitely noteworthy, there were several problems with Atsiv:

* It did not use OS facilities to load the driver: PsModuleListHead did not contain the driver, the OS did not process imports, etc. The driver code is just loaded into a random place in memory: this isn’t really useful.

* Because of the above, the PMP mechanism in Vista, which I’ve covered earlier, cannot detect these drivers. You may think this is a good thing, if you’re out there to bypass DRM, but such a tool is a clear DMCA violation.

* The software developers put their company in jeopardy by signing what Microsoft considers a malicious tool with their own key. Microsoft banned their key, as well as the driver, so as of the next Windows Defender update, the driver won’t load anymore. In the future, Microsoft may even blacklist the entire key in the kernel, making all of Linchpin’s software useless unless they obtain a new key.

All in all, Atsiv was a good proof of concept, which unfortunately didn’t work too well in the first place, and now won’t work at all. I’ve therefore decided to introduce an actually useful tool, which solves all the problems above: Purple Pill. Part of the reason why this works so nicely is due to some discoveries made by 90210, which Joanna presented at her Blackhat talk, so I thank both of them, and therefore named the tool as such.

Here’s a brief overview of what Purple Pill does:

* It uses the OS mechanisms for loading drivers: NtLoadDriver. The driver is loaded by the native Mm SysLdr (the internal PE loader) without any hacks, and it is present in the PsLoadedModuleListHead.

* Vista is perfectly aware that an unsigned driver has been loaded: you will even get a warning a bit after the driver is loaded. This also means that PMP will become aware that the driver is loaded, and disable high-definition media playback. This means that this tool will not help you bypass DRM in any way, because the original Vista protection mechanisms are still in place. Note that on Vista 32-bit, this behavior already exists by default in the OS, so it is not a “bug” of Purple Pill.

* And the best part: Purple Pill doesn’t use any certificate of mine or driver that I’ve written (or any other particular). In fact, Purple Pill uses a driver that is signed with a key that perhaps more than 50% of Vista users are currently depending on for their laptop to boot. If this key gets blacklisted, all those customers would end up with largely unusable systems. Although Purple Pill itself may be added to Windows Defender, users who want to load it can simply disable the service or whitelist the application manually. I don’t see a realistic way in which this key can be blacklisted, so the Purple Pill will always be able to load (this is not a guarantee).

* Finally, Purple Pill can also unload the driver you’ve loaded.

I’ve made Purple Pill available here. It also comes with a simple unsigned.sys driver which prints something on the debug buffer, sets up some dummy IOCTL handlers, and an unload routine.

Please send me any feedback if the tool doesn’t work for you as I’ve only tested it on a couple of Vista systems. If you get any errors while loading or unloading unsigned.sys, I’ll be glad to update the tool to fix any bugs.

Some final notes:

* The unsigned driver must be in the same directory as Purple Pill.

* Purple Pill makes some assumptions about certain kernel binary locations. Although it’s written to handle ASLR, it depends on a static offset inside the actual executable. All Vista systems I’ve seen use the same kernel binary, however, a newer Purple Pill will actually find the right offset on your system. Therefore, if this location does not match, Purple Pill may crash your system.

Enjoy!
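The quoted post stresses that a driver loaded through NtLoadDriver shows up in the OS's own loaded-module list, which is exactly what makes it visible to a defender. The script below is an added example, not part of the quoted post and not code from Alex Ionescu or the Purple Pill tool: it enumerates the running kernel drivers through WMI/CIM and reports every driver file whose Authenticode signature does not verify. It assumes a Windows host with PowerShell 3 or newer (for Get-CimInstance) and an elevated session so that every driver file can be read; the function and variable names are the example's own.

```powershell
# Added example: triage running kernel drivers by Authenticode signature status.
# Not from the quoted post; assumes Windows, PowerShell 3+, and an elevated session.

function Get-RunningDriverSignatureStatus {
    [CmdletBinding()]
    param()

    # Win32_SystemDriver lists every kernel driver service; filter to those currently loaded.
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'" | ForEach-Object {
        $path = $_.PathName
        if (-not $path) { return }

        # WMI returns kernel-style paths (\SystemRoot\..., \??\C:\...) or relative ones;
        # normalize them to a Win32 path that Get-AuthenticodeSignature can open.
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        $path = $path -replace '^\\\?\?\\', ''
        if ($path -notmatch '^[A-Za-z]:\\') {
            $path = Join-Path $env:SystemRoot $path
        }

        $status = if (Test-Path -LiteralPath $path) {
            # Status is 'Valid' for a verifiable signature; anything else deserves a look.
            (Get-AuthenticodeSignature -LiteralPath $path).Status
        } else {
            'FileNotFound'
        }

        [pscustomobject]@{
            Name   = $_.Name
            Path   = $path
            Status = $status
        }
    }
}

# Usage: show only drivers whose signature did not verify.
Get-RunningDriverSignatureStatus |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Name |
    Format-Table -AutoSize
```

Treat the output as a triage list rather than a verdict: on older Windows versions Get-AuthenticodeSignature does not consult the system catalogs, so inbox drivers that are catalog-signed rather than embedded-signed can show up as NotSigned. The point of the example is the one the post makes, that a driver loaded through the OS loader cannot hide from the OS's own enumeration, so a cheap periodic inventory of loaded drivers and their signature state is a reasonable detection control.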

Perki 12.08.2007. 16:35

Just a small remark. It's not really convenient to post comments on the forum about a news item before it has even been published. It ends up rather confusing.
And look, Jelc's post, a reply to a comment about the still non-existent news item, has vanished without a trace. Definitely a conspiracy.

Veki-os 12.08.2007. 17:42

Quote:

Author Perki (Post 787855)
Just a small remark. It's not really convenient to post comments on the forum about a news item before it has even been published. It ends up rather confusing.
And look, Jelc's post, a reply to a comment about the still non-existent news item, has vanished without a trace. Definitely a conspiracy.

So I'm not crazy ;)
I'm still looking for where the news item is...

horza 12.08.2007. 19:52

Quote:

Author Veki-os (Post 787907)
So I'm not crazy ;)
I'm still looking for where the news item is...

look a bit harder.

Jelc 12.08.2007. 20:18

Quote:

Author Perki (Post 787855)
And look, Jelc's post, a reply to a comment about the still non-existent news item, has vanished without a trace.

It didn't vanish without a trace, I told him to delete it.
There was a small mismatch between the posting on the forum and on the site, that's all :)

Veki-os 16.08.2007. 02:03

Quote:

Author horza (Post 788019)
look a bit harder.

Well, I did see the news item when I wrote that, but when this thread was opened there was no news item yet.


All times are GMT +2.

© 1999-2024 PC Ekspert - All rights reserved ISSN 1334-2940