I’ve been sitting on this one for a while (over a year), awaiting confirmation of a final key component in the procedure, but I’ve now been able to test my method.
I will be spending tomorrow finishing up the paper and exploit code on my test Virtual PC image. Before you get all excited, please keep in mind this is a local, administrative-account-required workaround for the driver-signing requirement in Vista 64-bit and has no security implications what so ever.
Since I wasn’t able to get a working POC until now, I haven’t made a lot of noise about it… if I get it working right tomorrow, I will probably send a little note to Microsoft to make sure they don’t go medieval on my ass — it has zero customer impact so I don’t think they will, but I apologize if I’ll have to can it.