A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #21614  by neviim
 Sun Dec 08, 2013 5:05 am
Is it true that one must manually enable the TESTSIGNING and restart the computer if one were trying to install a x64 device driver? How do x64 rootkits bypass this clunky mechanism without using stolen certificates?
 #21631  by Vrtule
 Mon Dec 09, 2013 10:41 am
Hello,

64-bit versions of Windows require the drivers to be digitally signed by a certificate generated by a trusted certificate authority (Symantec/VeriSign and GlobalSign). The restriction can be made less strict by enabling the TESTSIGNING option (drivers signed by a self-signed and untrusted certificate are also allowed to enter the kernel), or by putting the system into Debug Mode, or by exploiting a vulnerability in an existing driver that is signed properly.

So, when a malware-writer owns a stolen certificate suitable for driver signing, he/she just signs his/her malicious driver, and distributes it.
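A defender-side check for the relaxations Vrtule lists, as an added example that is not code posted in this thread: a read-only audit of the boot entry in use for TESTSIGNING, Debug Mode and NOINTEGRITYCHECKS, plus the Secure Boot state. It assumes an elevated PowerShell session on Windows 8 or later with an English locale (bcdedit prints localized values such as "Yes" otherwise); the function names are the author's own choice.

```powershell
# Added example (not from this thread). Read-only audit of the boot configuration
# for the settings that relax Driver Signature Enforcement on x64 Windows.
# Assumes an elevated PowerShell session on Windows 8 or later (bcdedit and
# Confirm-SecureBootUEFI both need administrator rights) and an English locale.

function ConvertFrom-BcdOutput {
    param([string[]]$Lines)
    # bcdedit prints "name<spaces>value" lines; keep the last value seen per name
    $settings = @{}
    foreach ($line in $Lines) {
        if ($line -match '^(\S+)\s{2,}(.+?)\s*$') {
            $settings[$Matches[1].ToLowerInvariant()] = $Matches[2]
        }
    }
    return $settings
}

function Get-DseWeakening {
    param([hashtable]$Settings)
    # Each hit means the kernel will accept drivers it would normally reject
    $findings = @()
    if ($Settings['testsigning'] -eq 'Yes') {
        $findings += 'testsigning=Yes: test-signed drivers (self-signed or untrusted CA) are allowed to load'
    }
    if ($Settings['nointegritychecks'] -eq 'Yes') {
        $findings += 'nointegritychecks=Yes: kernel-mode signature checks are disabled'
    }
    if ($Settings['debug'] -eq 'Yes') {
        $findings += 'debug=Yes: kernel debugging enabled, which relaxes enforcement while a debugger is attached'
    }
    return $findings
}

# Only the boot entry actually in use matters for the running kernel
$bcd = ConvertFrom-BcdOutput -Lines (bcdedit /enum '{current}')
$findings = @(Get-DseWeakening -Settings $bcd)

# Secure Boot state; Confirm-SecureBootUEFI throws on legacy BIOS firmware
try {
    $secureBoot = if (Confirm-SecureBootUEFI) { 'enabled' } else { 'disabled' }
} catch {
    $secureBoot = 'not available (legacy BIOS or unsupported firmware)'
}

Write-Output "Secure Boot: $secureBoot"
if ($findings.Count -eq 0) {
    Write-Output 'Driver Signature Enforcement: no weakening boot options set'
} else {
    Write-Output 'Driver Signature Enforcement weakened by:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it from an elevated prompt; a clean x64 machine reports Secure Boot enabled and no weakening options, and any finding in the list is something to investigate or revert, since each of the listed options survives reboots until it is explicitly cleared.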
 #21636  by Cr4sh
 Mon Dec 09, 2013 8:20 pm
Another common bypass scenario -- manual installation of a third-party vulnerable driver (from some AV, for example) and exploiting it for running unsigned ring0 code.

Also, on SecureBoot disabled systems, you can run your unsigned code in ring0 with the MBR/VBR/$Boot (or UEFI boot loader) infection.

Also, I have seen some ugly x64 stuff that disables driver signature enforcement by patching the bootloader and kernel binaries on the disk (sic!)

There is a lot of ways...
 #21645  by voroojax
 Wed Dec 11, 2013 10:52 am
Most likely using some vulnerability in ring0 or other device drivers, OR loading your code before driver signing procedures, for example infecting MBR/VBR/NTFS.
Check these links for more technical information.

A quick insight into the Driver Signature Enforcement
http://j00ru.vexillium.org/?p=377

Defeating Windows Driver Signature Enforcement #1: default drivers
http://j00ru.vexillium.org/?p=1169

Defeating Windows Driver Signature Enforcement #2: CSRSS and thread desktops
http://j00ru.vexillium.org/?p=1393

Defeating Windows Driver Signature Enforcement #3: The Ultimate Encounter
http://j00ru.vexillium.org/?p=1455

Defeating Driver Signing Enforcement, Not That Much Hard!
http://repret.wordpress.com/2012/11/04/ ... much-hard/

Windows Kernel Intel x64 SYSRET Vulnerability + Code Signing Bypass Bonus
http://repret.wordpress.com/2012/08/25/ ... ass-bonus/

Defeating x64: The Evolution of the TDL Rootkit - Eset
http://www.eset.com/us/resources/white- ... -2011.pdf
 #21682  by Vrtule
 Sat Dec 14, 2013 11:12 am
voroojax:
I hope it has been revoked. I tested the vulnerability about 9 months ago... and also about, maybe, 5 months ago... and it worked perfectly. Maybe my revocation lists don't get updated.