Awesome
Leveraging PTT to defeat DSE and run Kernel Drivers with Secure Boot Enabled
... With a Test Signing Certificate and No Extended Validation.
Code Signing is an amazing thing, But it has a glaring flaw depending on your motherboard which allows you to run Test Signed Kernel Drivers in a full trust environment with no indication to the OS that something may be wrong.
Before you start you need to install the Windows Driver Kit
1. Creating the Certificates
To begin, we need to create our own CA
and SPC
and a PFX
we can use as a Production Certificate
later.
You should rename these
makecert -r -pe -n "CN=Demo_CA_Root" -ss CA -sr CurrentUser ^
-a sha256 -cy authority -sky signature ^
-sv Demo_CA_Root.pvk Demo_CA_Root.cer ^
-e 02/22/2023
makecert -pe -n "CN=Demo_SPC_Code_Signing" -a sha256 -cy end ^
-sky signature ^
-ic Demo_CA_Root.cer -iv Demo_CA_Root.pvk ^
-sv Demo_SPC_Code_Signing.pvk Demo_SPC_Code_Signing.cer ^
-eku 1.3.6.1.5.5.7.3.3 ^
-e 02/22/2023
pvk2pfx -pvk Demo_SPC_Code_Signing.pvk -spc Demo_SPC_Code_Signing.cer ^
-pfx Demo_SPC_PFX.pfx ^
-po x
3. USB Drive
Put the Demo_SPC_Code_Signing.cer
and Demo_CA_Root.cer
Certificate onto a USB stick, we are going to import the Certificates into the BIOS
so the Kernel will trust our Signature
and install/run our driver as if Microsoft had signed it themselves.
4. Restart PC and Enter the Bios
(These steps may vary slightly depending on your BIOS but the concept is the same)
Select the Secure Boot Menu
in your Bios
In the Key Management
section select Authorized Signatures
(Or wherever the Microsoft Production PCA Certificate
is located)
Select Append/Add
from the Menu that pops up
Locate Demo_SPC_Code_Signing.cer
and Demo_CA_Root.cer
on your USB
, pressing enter twice when selecting them.
The second time you press enter you'll be prompted to confirm you want to update the Certificate Store, Select Yes
.
5. Success, We are now an "Extended Validator" on this PC.
The certificates you just added to the BIOS
can now be used for "Extended Validation" of Kernel Drivers without using any exploits, essentially bypassing Driver Signing Enforcement (DSE) because there is no third party involved and you just sign it yourself without the extra steps.
6. Trust the CA Certificate
Restart the computer and open the Demo_CA_Root.cer
certificate
Install the certificate to the Trusted Root
of the Local Machine
Now drivers signed by Demo_SPC_PFX.pfx
will be trusted.
7. BUILDING THE DRIVER
Now you can Production Sign your driver instead of Test Signing
Demo_SPC_Code_Signing.cer
is the Cross-Signing Certificate
Demo_SPC_PFX.pfx
is the Production Certificate
7. CREATE AND SIGN THE SECURITY CATALOG / TIMESTAMP DRIVER
DSE will stop us from installing the Kernel Driver if the catalog isn't signed correctly, manually run these commands.
inf2cat /os:10_x64 /driver:.\x64\Release /uselocaltime
SignTool sign /fd sha256 /td SHA256 /tr "http://sha256timestamp.ws.symantec.com/sha256/timestamp" /f .\CERT\Demo_SPC_PFX.pfx /p x /v .\x64\Release\KMDFDriver\kmdfdriver.cat
SignTool sign /fd sha256 /td SHA256 /tr "http://sha256timestamp.ws.symantec.com/sha256/timestamp" /f .\CERT\Demo_SPC_PFX.pfx /p x /v .\x64\Release\KMDFDriver\KMDFDriver.sys
8. Install your Driver
Now you can install and run your driver without configuring BCEDIT
9. Run your Driver
With your CA Root Certificate
in Authorized Signatures
in the BIOS
the Kernel won't stop your Driver from running and you can make Production Certificates
whenever you want for use on your own PC.
Tested on a motherboard with the Z490 Chipset
OS: Windows 10 Professional - Full Strip & Lockdown Edition - 21H2
This may not work on earlier chipsets, It may be removed in later ones.
Whether this works or not totally depends on your Motherboard/CPU combination.