A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #7339  by zico_guru
 Sat Jul 16, 2011 9:42 pm
hello there,
Does any body knows Which kernel fuction is responsible for preventing to load a unsigned module.i've reversed nt!MmLoadSystemImage,,but dont get the function.I am using windows 7 (7600.16792,,x64).plz help me
zico_guru
 #7347  by EP_X0FF
 Sun Jul 17, 2011 7:13 am
MmLoadSystemImage->Some internal funcs->MmCreateSection->(check whatever image is valid)->SeValidateImageHeader which calls some callback from CI.dll->CiValidateImageData

also there exist some internal variable g_bCiEnabled which is BOOL. If not WinPE mode g_bCiEnabled = TRUE;
 #7350  by EP_X0FF
 Sun Jul 17, 2011 7:45 am
Additionally regarding to CI.dll you can read attached pdf (no pass)
Attachments
(68.71 KiB) Downloaded 108 times
 #9061  by _Lynn
 Sun Oct 09, 2011 8:47 pm
sorry to bump this post and correct me if I am wrong, but would this not require either;

a. a hard disk modification of ntoskrnl

or

b. an in memory patch?

each time I have attempted this (with the latter method) it has resulted in patchguard crashing my system.

I have also tried the former, I thought correcting the PE checksum would be enough but I guess not :|
 #9096  by 0xC0000022L
 Tue Oct 11, 2011 10:24 pm
_Lynn wrote:sorry to bump this post and correct me if I am wrong, but would this not require either;

a. a hard disk modification of ntoskrnl

or

b. an in memory patch?
The latter is done by TDL, for example. IIRC TDL will enable WinPE mode (see EP_X0FF's first reply) then does the patching and then turns it off or something along that line. So yes, it's certainly not trivial but they proved it's possible.