
breaking a security mechanism on Windows XP using "WinDBG.exe" debugger


jeremy28
July 1st, 2009, 13:00
Hi there!

I want to break a security mechanism on Windows XP (the signature checking procedure) and
think a kernel debugger for Windows would help me!
For example, when a CSP DLL is being loaded, Windows XP checks whether its
signature is valid (issued by Microsoft) or not!

I want to watch and analyse this procedure through a kernel debugger to learn
how it would be possible to hack or break this security mechanism?!

I would ask you: how could I see this mechanism in "WinDBG.exe"?

Because I'm so new to Windows debugging issues;

I've debugged some VC++ programs with the Visual Studio debugger, but I have no
experience in Windows debugging so far and I'm not so familiar with
Windows kernel operations;

Is it possible to see this checking procedure in "WinDBG.exe" in assembly or
any other form?!

I've not read the "WinDBG" documentation yet, because I'd rather first be
sure of this possibility and also need experienced people's guidance on
this;

Please help!

Thanks in Advance

disavowed
July 1st, 2009, 13:40
1. You don't need a kernel-mode debugger to debug this. User mode should be fine.
2. The API call is probably to WinVerifyTrust(...) (http://msdn.microsoft.com/en-us/library/aa388208(VS.85).aspx) and/or a combination of Crypt*(...) functions from ADVAPI32.DLL.

jeremy28
July 3rd, 2009, 10:29
Quote:
Originally Posted by disavowed:
1. You don't need a kernel-mode debugger to debug this. User mode should be fine.
2. The API call is probably to WinVerifyTrust(...) (http://msdn.microsoft.com/en-us/library/aa388208(VS.85).aspx) and/or a combination of Crypt*(...) functions from ADVAPI32.DLL.


Hi, and thanks for your reply!

Yes, you're right!

The target DLL is advapi32.dll, but I don't know how I could watch this procedure in user mode with windbg.exe!

I've read some sort of "documentation", and I take it that I should load the ".pdb" file into the debugger in user mode;

I have sample code consisting of some "CryptoAPI" functions, and after building it, a ".pdb" file has been created.
Should I load this symbol file into Windbg.exe to see the signature checking mechanism?

One other question:

I want to install an unsigned CSP DLL on computers other than mine!
Is it possible to make a setup program that installs the CSP DLL on other computers while bypassing the signature checking on their systems?!

I found a patch for advapi32.dll to ignore the signature checking procedure, but this is useful only on my own computer (Windows), not others'!

If I could watch this procedure precisely, it might be possible to achieve this purpose!

I would greatly appreciate it if you helped me again!

Best Regards.
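
The following is an added example, not a post from this thread and not code by any of its participants: a WinDbg user-mode command script that follows disavowed's pointer and answers the ".pdb" question above. The test program's own .pdb only covers the test program; the names inside advapi32.dll come from the Microsoft public symbol server, which is what `.sympath`/`.reload` fetch. It assumes 32-bit Windows XP (x86 stdcall, so at function entry the first argument is at @esp+4, the second at @esp+8, and so on), a hypothetical test program `csptest.exe` that calls CryptAcquireContext, and a hypothetical CSP named `mycsp.dll`; the registry value names "Image Path", "Signature" and "SigInFile" are the documented values under the provider's key in HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider.

```windbg
$$ Added example (not from the thread): trace CSP loading and the signature
$$ lookup performed by advapi32 on 32-bit Windows XP, in user mode.
$$ Assumptions: x86 stdcall (arg1 at @esp+4, arg2 at @esp+8, ...),
$$ hypothetical target csptest.exe and hypothetical CSP mycsp.dll.
$$ Usage:  windbg -o csptest.exe      then in the command window:
$$         $$>< c:\trace_csp.txt      (this file)

$$ Symbols for advapi32/kernel32 come from Microsoft, not from your own .pdb.
.sympath srv*c:\symbols*http://msdl.microsoft.com/download/symbols
.reload

$$ Break when the CSP image is mapped, before its DllMain runs.
sxe ld:mycsp

$$ 1. Entry point of the whole procedure: CryptAcquireContext.
$$    arg2 = container name, arg3 = provider name, arg4 = provider type.
bu advapi32!CryptAcquireContextW ".echo === CryptAcquireContextW container/provider/type:; du poi(@esp+8); du poi(@esp+c); dd @esp+10 L1; kb; gc"
bu advapi32!CryptAcquireContextA ".echo === CryptAcquireContextA container/provider/type:; da poi(@esp+8); da poi(@esp+c); dd @esp+10 L1; kb; gc"

$$ 2. advapi32 reads the provider's registry key for the DLL path and its
$$    signature. Print every value name queried; watch for
$$    "Image Path", "Signature" and "SigInFile".
bu advapi32!RegQueryValueExW ".echo RegQueryValueExW value name:; du poi(@esp+8); gc"
bu advapi32!RegQueryValueExA ".echo RegQueryValueExA value name:; da poi(@esp+8); gc"

$$ 3. Catch the load of the CSP DLL and the open of the file that gets hashed.
bu kernel32!LoadLibraryExW ".echo LoadLibraryExW:; du poi(@esp+4); gc"
bu kernel32!CreateFileW ".echo CreateFileW:; du poi(@esp+4); gc"

$$ 4. The 'kb' output at each stop shows which advapi32 routine is calling.
$$    List candidate internal symbols by name pattern, then put a plain 'bp'
$$    on the one the stack shows and step it in assembly (uf / p / t).
x advapi32!*sig*
x advapi32!*verify*

bl
g
```

Each `bu` breakpoint runs its command string and then `gc` resumes, so the session produces a running log rather than stopping at every call; remove the trailing `gc` on the breakpoint you want to stop at, then use `uf @eip` and `p`/`t` to follow the check in assembly. Public symbols do not carry types or local variables, so the argument dumps rely on the x86 stack layout above and would need different register offsets on a 64-bit target.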

dELTA
July 3rd, 2009, 18:09
Why is the patch only useful on your computer?

If what you mean is that you cannot patch the operating system on other people's computers before duping them into running your code, then what you're looking for is an exploit to bypass driver signature checking from the driver that is being checked itself, without any prior interaction with the computer in question? Such a vulnerability would result in an immediate patch from Microsoft if it was discovered, so no one else has (officially) found such a thing yet, or exploited it in the wild, and judging from your (lack of) familiarity with debuggers, I'd say you would have a very hard time finding such a vulnerability even if it was there, I'm afraid...

But maybe I misunderstood your question?

disavowed
July 3rd, 2009, 19:07
dELTA, it looks like he's dealing with CSP DLLs, not drivers.
Quote:
The target DLL is advapi32.dll, but I don't know how could I watch this procedure in user mode of windbg.exe!

Then it looks like you should read the documentation for WinDbg.
Quote:
I want to install an unsigned CSP DLL on others computer than of mine!
Is it possible to make a setup program to install the CSP dll in others computer with bypassing the signature checking on their systems?!!

The first link here tells you how to do this: http://lmgtfy.com/?q=writing+a+csp

jeremy28
July 4th, 2009, 02:30
Hi and thanks!
Quote:
If what you mean is that you cannot patch the operating system on other people's computers before duping them into running your code


Yes,Exactly!
Because I would need the other computers' Administrator privileges here!

Quote:
then what you're looking for is an exploit to bypass driver signature checking from the driver that is being checked itself, without any prior interaction with the computer in question? Such a vulnerability would result in an immediate patch from Microsoft if it was discovered, so no one else has (officially) found such a thing yet, or exploited it in the wild, and judging from your (lack of) familiarity with debuggers, I'd say you would have a very hard time finding such a vulnerability even if it was there, I'm afraid...


I think I should find this vulnerability through debugging, but currently I'm reading and learning about debugging in user mode with "WinDBG.exe"!

So, after a while I would ask you to help me if I had any questions about writing such an exploit!

BTW, I've heard there are several tools to find vulnerabilities in software!

Is there any tool doing so for Windows XP SP3?

And finally, any guidance and pointers beforehand about how this checking procedure could be followed better, faster and more technically in Windbg.exe would be greatly appreciated!

Thanks a lot!

jeremy28
July 4th, 2009, 02:39
Quote:
Originally Posted by disavowed:
dELTA, it looks like he's dealing with CSP DLLs, not drivers.

Then it looks like you should read the documentation for WinDbg.

The first link here tells you how to do this: http://lmgtfy.com/?q=writing+a+csp


Hi, and thanks!

Yes, I'm dealing with CSP DLLs and wish to bypass signature checking for them in Windows XP;

I've implemented a CSP and want to deploy it on Windows without legally signing it through Microsoft, so I should break this security and find a vulnerability in the best way to achieve my purpose!

I'm reading documentation now, but any other help about it would be welcome!

Good Luck.

disavowed
July 4th, 2009, 10:13
What you're talking about is not a vulnerability. If it involves tricking people into executing your code with administrative privileges, then it's a social-engineering attack, not an inherent software security issue. And since it looks like you're going to be using this for malicious purposes, don't expect any more help from most of the people on this message board.

jeremy28
July 4th, 2009, 11:27
Quote:
Originally Posted by disavowed:
What you're talking about is not a vulnerability. If it involves tricking people into executing your code with administrative privileges, then it's a social-engineering attack, not an inherent software security issue. And since it looks like you're going to be using this for malicious purposes, don't expect any more help from most of the people on this message board.


I don't have any malicious purpose!
I just want to watch this mechanism in a debugger and try to crack it for learning purposes, not to distribute this fraud!

And my intention about bypassing this mechanism on other computers is just to bypass the checking procedure despite the "Administrative Privileges" issue as well!
I think basically the purpose of cracking is this!

Of course, because I'm not a pro cracker, I think so and suppose this purpose would be placed under "Cracking Issue", not "social engineering";

Perhaps I've made a mistake;
if I'm wrong, please correct me!

Thank you.

evaluator
July 4th, 2009, 12:40
jeremy28 just wants to obtain admin-privileges.