DSEFix - Defeating x64 Driver Signature Enforcement


Re: DSEFix - Defeating x64 Driver Signature Enforcement

Postby alaf1234567890 » Fri Jun 20, 2014 8:09 pm

Where can I get these 2 files:

    "rtls\prtl.h"
    "ntdll\winnative.h"
alaf1234567890
Posts: 1
Joined: Tue Jun 17, 2014 1:30 pm
Reputation point: 0

Re: DSEFix - Defeating x64 Driver Signature Enforcement

Postby EP_X0FF » Sat Jun 21, 2014 3:18 am

alaf1234567890 wrote:
    Where can I get these 2 files:

    "rtls\prtl.h"
    "ntdll\winnative.h"

Nowhere. It is our C runtime reimplementation and native-API-based support routines; you have to implement them yourself.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
Posts: 4759
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 571

Re: DSEFix - Defeating x64 Driver Signature Enforcement

Postby Mr-Smash » Mon Jul 14, 2014 6:13 am

I get a handle to the device after loading the driver, but DeviceIoControl (in ControlDSE) returns incorrect output:

    #define VBoxDrvDevName L"\\\\.\\VBoxDrv"

    main.cpp ========================================

    hDriver = NativeOpenDevice(VBoxDrvDevName);

    Winnative.cpp ===================================

    // Opens the driver's device object. FILE_FLAG_OVERLAPPED is not used here:
    // the handle is only used with synchronous DeviceIoControl calls
    // (lpOverlapped == NULL), and for an overlapped handle that combination
    // can make DeviceIoControl report completion incorrectly.
    HANDLE NativeOpenDevice(LPCWSTR DevName)
    {
        HANDLE hDriver = CreateFileW(DevName,
                                     FILE_ALL_ACCESS,
                                     FILE_SHARE_READ | FILE_SHARE_WRITE,
                                     NULL,
                                     OPEN_EXISTING,
                                     FILE_ATTRIBUTE_NORMAL,
                                     NULL);
        return hDriver;
    }

    main.cpp -> ControlDSE ==========================

    if (!DeviceIoControl(hDriver, SUP_IOCTL_COOKIE, &Cookie, SUP_IOCTL_COOKIE_SIZE_IN,
                         &Cookie, SUP_IOCTL_COOKIE_SIZE_OUT, &bytesIO, NULL)) goto fail;

Mr-Smash
Posts: 2
Joined: Mon Jun 30, 2014 7:15 am
Reputation point: 0

Re: DSEFix - Defeating x64 Driver Signature Enforcement

Postby EP_X0FF » Mon Jul 14, 2014 6:24 am

Your vbox driver is different. This vulnerability is patched in higher versions of VBox and won't work the same way.

viewtopic.php?p=22352#p22352
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
Posts: 4759
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 571
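A defender-side audit for the situation the two posts above describe: a tool of this class ends up with a running kernel driver that carries no acceptable signature, brought in by way of a signed but vulnerable third-party driver (here VBoxDrv) whose usable versions differ. This is an added example, not code from the thread or from the DSEFix project; the 'VBoxDrv' watch-list name and the PathName normalisation are assumptions, and bcdedit needs an elevated prompt.

```powershell
# Added example (not code from the thread or from DSEFix): audit a host for what a
# DSE bypass of this kind leaves behind, a running kernel driver without a valid
# signature, plus the signed third-party driver it rides on. The 'VBoxDrv' watch-list
# name and the PathName normalisation are assumptions. Run from an elevated prompt.

function Get-BootIntegritySettings {
    # Boot options that would also explain an unsigned driver being accepted
    $out = bcdedit /enum '{current}' 2>$null
    [pscustomobject]@{
        TestSigning       = [bool]($out | Select-String -Pattern '^testsigning\s+Yes')
        NoIntegrityChecks = [bool]($out | Select-String -Pattern '^nointegritychecks\s+Yes')
    }
}

function Get-RunningDriverReport {
    param([string[]] $WatchList = @('VBoxDrv'))   # assumed: loader drivers worth calling out

    Get-CimInstance -ClassName Win32_SystemDriver -Filter "State = 'Running'" |
        ForEach-Object {
            if (-not $_.PathName) { return }   # file-less kernel services: nothing to check
            # PathName comes in several spellings; reduce them to a plain file path
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^"|"$', ''
            if     ($path -like '\SystemRoot\*') { $path = $path -replace '^\\SystemRoot', $env:SystemRoot }
            elseif ($path -like 'System32\*')    { $path = Join-Path $env:SystemRoot $path }
            $sig = $null; $ver = $null; $signer = $null
            if (Test-Path -LiteralPath $path) {
                $sig = Get-AuthenticodeSignature -LiteralPath $path
                $ver = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            # Caveat: on older hosts, in-box drivers signed only through a catalog can
            # report NotSigned here; treat the flag as a lead to review, not a verdict.
            $flag = if (-not $sig)                        { 'FILE_NOT_FOUND' }
                    elseif ($sig.Status -ne 'Valid')      { 'UNSIGNED_OR_INVALID' }
                    elseif ($WatchList -contains $_.Name) { 'WATCHLIST' }
                    else                                  { '' }
            [pscustomobject]@{
                Name      = $_.Name
                Path      = $path
                Version   = $ver      # compare against the vendor's advisories for the driver
                Signature = $sig.Status
                Signer    = $signer
                Flag      = $flag
            }
        }
}

Get-BootIntegritySettings
Get-RunningDriverReport | Where-Object { $_.Flag } | Sort-Object Flag | Format-Table -AutoSize
```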

Re: DSEFix - Defeating x64 Driver Signature Enforcement

Postby Mr-Smash » Sat Aug 02, 2014 3:35 pm

Winnative for this project: [attachment]
Mr-Smash
Posts: 2
Joined: Mon Jun 30, 2014 7:15 am
Reputation point: 0

Re: DSEFix - Defeating x64 Driver Signature Enforcement

Postby EP_X0FF » Sun Aug 03, 2014 3:06 pm

Heh. Nice work. Although we use our own string manipulation routines and Native API with Nt_Map_Zw in winnative.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
Posts: 4759
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 571

Re: DSEFix - Defeating x64 Driver Signature Enforcement

Postby TurlaBoy » Wed Aug 06, 2014 7:25 pm

Hey EP_X0FF,

Nice work, I just wonder if MS (smoked) employees really thought someday driver signature checking would help against RKs since the beginning, you guys just need to realize you can't give users protection against undocumented stuff, and unknown attack techniques, PG is useless against thousands of attacks, and now again, a lot of malware crap is going to use this, and you guys are gonna try to protect DSE var with another USELESS stuff, and who is losing with this useless cycle?

OpenSource projects, people who want to learn, to develop, and the cycle restarts, the snake eats its tail
TurlaBoy
Posts: 13
Joined: Tue Aug 05, 2014 9:28 pm
Reputation point: 1

Re: DSEFix - Defeating x64 Driver Signature Enforcement

Postby Vrtule » Thu Aug 07, 2014 7:04 am

TurlaBoy wrote:
    Hey EP_X0FF,

    Nice work, I just wonder if MS (smoked) employees really thought someday driver signature checking would help against RKs since the beginning, you guys just need to realize you can't give users protection against undocumented stuff, and unknown attack techniques, PG is useless against thousands of attacks, and now again, a lot of malware crap is going to use this, and you guys are gonna try to protect DSE var with another USELESS stuff, and who is losing with this useless cycle?

    OpenSource projects, people who want to learn, to develop, and the cycle restarts, the snake eats its tail

I agree with you. The thing of driver signing and certificates is more about business than security. AFAIK nothing really forces you to revoke your code signing certificate when a vulnerability in your driver, allowing to bypass DSE etc., is found. Hence, DSE filters out only people who are developing open source software and do not want to pay, and those who cannot pass the verification process (if you have a valid passport, you won't have any problem).
Vrtule
Posts: 415
Joined: Sat Mar 13, 2010 9:14 pm
Location: Czech Republic
Reputation point: 92

Update 15 dec 2014

Postby EP_X0FF » Mon Dec 15, 2014 4:16 pm

Small cosmetic update to reflect the latest idiotic changes in the Windows 10 TP 9901 build. Compiled executable cleaned from AV detection.

https://www.virustotal.com/en/file/1865 ... /analysis/
Last edited by EP_X0FF on Tue Mar 10, 2015 10:58 am, edited 1 time in total.
Reason: removed attach
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
Posts: 4759
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 571

Re: Update 15 dec 2014

Postby GLOBALBANFIXED » Sat Mar 07, 2015 5:00 am

Hello EP_X0FF!
What version of the VBox driver do you use?
Thanks :)
GLOBALBANFIXED
Posts: 3
Joined: Thu Mar 05, 2015 6:44 pm
Reputation point: 0
