Update on Driver Signing Bypass

I apologize for the lack of news, but after attending CUSEC I had to spend my time catching up on the two weeks of school and work that I had missed, and exploiting Vista ended up going on the backburner, especially as I had to re-install VMware 6.0 (which wasn’t cooperating with me) and a new Vista 64-bit image.

That being said, it turns out the code I’ve written does not work out of the box on a Vista RTM system. Although it can be effective when combined with a reboot, this doesn’t provide any advantage over the myriad other ways this could be done (including booting with the disable-integrity-checks BCD option or the /TESTSIGN flag).

However, it does bypass DRM. As part of the Protected Media Path (PMP), Windows Vista sets up a number of requirements for A/V software and drivers in order to ensure it complies with the demands of the media companies. One of these features, which has been heavily criticized as being the actual reason behind driver signing, is that “some premium content may be unavailable” if test signing mode is used. Originally, I assumed that this meant the kernel would set some sort of variable, but this didn’t make sense: once your unsigned driver could load, it could disable this check. After reading the PMP documentation, however, it seems to me that the “feature” described next is the more likely cause of this warning on premium content.

This feature is the ability of the PMP to notify A/V applications that there are unsigned drivers on the system, as well as provide a list of unsigned drivers. The idea is that the application can either outright refuse to play content, or that it can scan for known anti-DRM drivers which might be attempting to hook onto the unencrypted stream. This leads me to believe that it’s up to applications, not the OS, to enforce this DRM check.

The great thing about the code I’ve written is that it does NOT use test signing mode and it does NOT load an unsigned driver into the system. Therefore, to any A/V application running, the system seems totally safe — when in fact, it’s not. Now, because I’m still booting with a special flag, it’s possible for Microsoft to patch the PMP and have it report that this flag is set, thereby disabling premium content. However, because I already have kernel-mode code running at this point, I can disable this flag in memory, and PMP will never know that it was enabled. Again, Microsoft could fight this by caching the value, or obfuscating it somewhere inside PMP’s kernel-mode code, but as long as it’s in kernel-mode, and I’ve got code in kernel-mode, I can patch it.

To continue this game, Microsoft could then use PatchGuard to protect the obfuscated value, but that would only mean that I can simply disable PatchGuard using the numerous methods that Skywing documented in his latest paper.

In the end, the only way that PMP is going to work is with a Hypervisor, and even that will probably fail.

Unfortunately, with almost 0% use for the open source community (which can use test signing mode for their drivers), documenting my method and/or releasing a sample might be viewed as an anti-DRM tool, and definitely a DMCA violation. Although, used on its own, this POC doesn’t do anything or go anywhere near the PMP (I don’t even have Protected Media, HDMI or HD-DVD, nor do I know where PMP lives or how someone can intercept decrypted streams), a particularly nasty group of lawyers could still somehow associate the DMCA with it, so I’m not going to take any chances.

It’s quite ironic — Microsoft claims driver signing is there to fight malware and increase system stability, so if I get sued under the DMCA, wouldn’t that be an admission that driver signing is an “anti-copyright infringement tool”?

I’d really love to release this tool to the public though, so I will look into my options — perhaps emphasizing the research aspect of it and crippling the binary would be a safe way.

136 Responses to “Update on Driver Signing Bypass”

  1. [...] are still things that it could do without turning into a global advertisement for Microsoft’s flawed DRM [...]

  2. [...] and Microsoft never learn. Another DRM scheme (the first?) of Vista was cracked today, and even though no code was published, this is an achievement. In any case, if [...]

  3. [...] the reverse engineering prodigy who came into limelight when news spread that he found a way to bypass the Microsoft Vista DRM, had interviews with 3 of the world’s top software companies – Microsoft, Google and Apple – [...]

  4. [...] in HD quality on your computer. The first, which dates back to January this year was described by Alex Ionescu in his own [...]

  5. [...] in HD quality on your computer. The first, which dates back to January this year was described by Alex Ionescu in his own blog. This feature is the ability of the PMP to notify A/V applications that there are [...]

  6. [...] in high definition on your computer. The first, which dates back to January of this year, was described by Alex Ionescu in his own blog. This feature is the ability of a portable media device [...]

  7. [...] am not sure if I fully understood the whole buzz of the new Microsoft bang. Firstly, there was the woooed Vista DRM that was cracked the very same day it was released (also in Slashdot). Then there was buzz about how unsafe it was and the thousand security patches [...]

  8. Vista PMP Already Cracked?

    Update on Driver Signing Bypass (Alex Ionescu’s Blog) (Via Engadget) | Alex Ionescu appears to have

  9. [...] That on the very day Vista goes on sale its DRM gets hacked [...]

  10. [...] and stop the pirates. If so, I hate to inform you that Vista’s security measures were hacked the same day Vista was released. This hack has not been made public, but it shows that once again, the only people affected by the [...]

  11. [...] Vista DRM subverted – “If I get sued under DMCA, wouldn’t that be an admission that driver s… Researcher Alex Ionescu’s hack bypasses Vista’s anti-copying technology and allows for full-res, unencrypted high-def video streams. As long as it’s in kernel-mode, and I’ve got code in kernel-mode, I can patch it. [...]

  12. [...] the FuZo reported that the digital rights management (DRM) in Vista has allegedly already been circumvented by Alex Ionescu, a co-developer of the ReactOS operating system. [...]

  13. [...] then there’s the spectre of the technology getting cracked. In fact, Alex Ionescu has found a potential way to fool the Protected Media Path (called Protected Video Path in a ComputerWorld Security article) [...]

  14. [...] Article on Alex Ionescu’s Blog Article on Error500.net [...]

  15. Review: Windows XP

    I have finally decided to take the plunge. Last night I upgraded my Vista desktop machine to Windows

  16. [...] In any case, DRM support in Vista didn’t work properly anyway, as soon as they [...]

  17. [...] and refuse to assume that its loyal customers are criminals. In any case, the DRM built into Vista was broken shortly after its release anyway. Conclusion To be honest there is only one conclusion to be made; [...]

  18. The Advantages of Upgrading From Vista To XP

    I have finally decided to take the plunge. Last night I upgraded my Vista desktop machine to Windows

  19. [...] Gadgets, Household – Gizmodo wrote an interesting post today on Alex Ionescu’s Blog » Update on Driver Signing BypassHere’s a quick excerpt114 Responses to “Update on Driver Signing Bypass … einer der Prgrammierer der quelloffenen Windows-Alternative … on 31 Jan 2007 at 5:59 am 68. marderh.blog » Windows Vista DRM … [...]

  20. [...] Terminally Incoherent wrote an interesting post today on Alex Ionescu’s Blog » Update on Driver Signing BypassHere’s a quick excerpt … is with a Hypervisor, and even that will probably fail. … 118 Responses to “Update on Driver Signing Bypass … on 31 Jan 2007 at 5:59 am 68. marderh.blog » Windows Vista DRM … [...]

  21. [...] and refuse to assume that its loyal customers are criminals. In any case, the DRM built into Vista was broken shortly after its release [...]

  22. [...] Vista Forums wrote an interesting post today on Comment on Update on Driver Signing Bypass by Windows Update Fail » Here’s a quick excerpt […] Terminally Incoherent wrote an interesting post today on Alex Ionescu’… [...]

  23. sonofaglitch says:

    What we are forgetting is one simple thing.

    It doesn’t matter what DRM and Microsoft’s unsigned driver installation policy are.

    Whether or not they are GOOD or BAD.

    Those are MOOT issues, because the fact is what matters is CHOICE. And when one person takes your CHOICE away they have become your dictator.

    Socialism isn’t bad per se; Communism, however, was, and the difference was CHOICE.

    If I want to run an unsigned driver and run the risk of someone totally screwing up my Vista installation, it should be MY OPTION to do so.

    That is freedom.

    It does NOT matter what YOUR OPINION is.

    It is MY PERSONAL CHOICE. Get it? Freedom, liberty, the democratic way?

    Don’t give in to fascist regimes. Yes, you can agree that their policy is good, fine. But don’t take away MY – CHOICE, to ignore it.

    Thank you.

  24. sonofaglitch says:

    What you are forgetting is CHOICE.

    Doesn’t matter if it’s good or bad policy.

    They take away your choice and they RULE you.

    If I want to run unsigned drivers and screw up my Vista installation, I should have the CHOICE.

    Don’t follow the fascist regimes.

    Socialism with a Choice is not a bad thing; Communism didn’t give you a Choice, that’s why it was bad and failed.

  25. [...] your friend’s CD/DVD collection and voilà, way better quality than the crap you get on the iTMS too. read more | digg [...]

  27. [...] could force your customers to get friendly with hackers to bypass signing more completely – well, until M$ releases a patch around [...]

  28. fourpastmidnight says:

    Since when is MS the IP cop?? Let the media companies deal with their own IP problems so that small developers and businesses can develop for Windows without going through hoops and hurdles (and oodles of money) to create drivers/software that, as of now, require testing and signing. This is a huge loss to the computer industry. I like Windows, don’t get me wrong, but if this trend continues, I think we’ll start to see people moving more to open source (read Linux), making Linux a truly viable platform–even for small business (more so than it is now….).

  29. vellisis765 says:

    I do not like Vista as not cool

  30. [...] Ionescu has found a way of fooling Vista into believing DRM is working when it’s not. It allows premium content such as HD-DVDs to be played on an uncertified [...]

  31. [...] researcher Alex Ionescu claims to have successfully bypassed the much discussed DRM protection in Windows Vista, called Protected Media Path, which is designed [...]

  33. [...] explanation could well be used for their own ‘circumventing’ activities. Using Ionescu’s method, protected HD films can be played without the required HDCP equipment [...]
