[zico_guru]

hello there,
Does any body knows Which kernel fuction is responsible for preventing to load a unsigned module.i've reversed nt!MmLoadSystemImage,,but dont get the function.I am using windows 7 (7600.16792,,x64).plz help me
zico_guru

[EP_X0FF]

MmLoadSystemImage->Some internal funcs->MmCreateSection->(check whatever image is valid)->SeValidateImageHeader which calls some callback from CI.dll->CiValidateImageData

also there exist some internal variable g_bCiEnabled which is BOOL. If not WinPE mode g_bCiEnabled = TRUE;

[zico_guru]

tankx...EP_X0FF this forum rocks!!!!!!!!!!! :D

[EP_X0FF]

Additionally regarding to CI.dll you can read attached pdf (no pass)

[_Lynn]

sorry to bump this post and correct me if I am wrong, but would this not require either;

a. a hard disk modification of ntoskrnl

or

b. an in memory patch?

each time I have attempted this (with the latter method) it has resulted in patchguard crashing my system.

I have also tried the former, I thought correcting the PE checksum would be enough but I guess not :|

[0xC0000022L]

sorry to bump this post and correct me if I am wrong, but would this not require either;

a. a hard disk modification of ntoskrnl

or

b. an in memory patch?

The latter is done by TDL, for example. IIRC TDL will enable WinPE mode (see EP_X0FF's first reply) then does the patching and then turns it off or something along that line. So yes, it's certainly not trivial but they proved it's possible.