Driver Signing


Windows requires a kernel driver to carry a digital signature before it can be loaded, but there are still ways to bypass this (e.g., enabling test mode).

<aside> 💡 Windows device installation uses digital signatures to verify the integrity of driver packages and to verify the identity of the vendor (software publisher) who provides the driver packages. In addition, the kernel-mode code signing policy for 64-bit versions of Windows Vista and later versions of Windows specifies that a kernel-mode driver must be signed for the driver to load.

</aside>

Setup


Kernel Debug & Test Signing

  1. Enable Kernel Debug

    bcdedit -debug on
    
  2. Enable test mode (Test Signing)

    bcdedit -set loadoptions DDISABLE_INTEGRITY_CHECKS
    bcdedit -set nointegritychecks on
    bcdedit -set testsigning on
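
To confirm which of the settings from the two steps above are active on a machine (to verify a test VM, or to spot a host left in test mode), the output of `bcdedit /enum {current}` can be parsed. This is an added example, not part of the original notes; the sample output is constructed, and English-locale `bcdedit` output is assumed.

```python
import re
import subprocess
import sys

# Constructed sample of `bcdedit /enum {current}` output (English locale assumed).
SAMPLE = """\
Windows Boot Loader
-------------------
identifier              {current}
path                    \\Windows\\system32\\winload.efi
description             Windows 10
loadoptions             DDISABLE_INTEGRITY_CHECKS
nointegritychecks       Yes
testsigning             Yes
debug                   Yes
"""

# Elements changed by the setup steps, and the text each value contains once applied.
WATCHED = {
    "debug": "yes",
    "testsigning": "yes",
    "nointegritychecks": "yes",
    "loadoptions": "ddisable_integrity_checks",
}

def parse_entry(text):
    """Return {element: value} for one bcdedit entry; title and rule lines are skipped."""
    entry = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s{2,}(.+?)\s*$", line)
        if m:
            entry[m.group(1).lower()] = m.group(2)
    return entry

def weakened_settings(text):
    """List the watched elements whose value shows the relaxed setting is present."""
    entry = parse_entry(text)
    return sorted(
        name for name, relaxed in WATCHED.items()
        if relaxed in entry.get(name, "").lower()
    )

if __name__ == "__main__":
    if sys.platform == "win32":  # live check; bcdedit needs an elevated prompt
        text = subprocess.run(["bcdedit", "/enum", "{current}"],
                              capture_output=True, text=True).stdout
    else:
        text = SAMPLE  # fall back to the constructed sample when not on Windows
    print("relaxed boot settings:", weakened_settings(text) or "none")
```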
    

Tools

I/O Request Packet (IRP)