Kernel unsigned driver loader , KDP compatible, leveraging gdrv.sys's write primitive
Tested on Windows 10 21H2 and 22H2
load target driver-> Loader.exe gdrv.sys driver.sys
unload target driver -> Loader.exe driver.sys
Driver Signature Enforcement is implemented within CI.dll. Based on Reverse Engineering of the signature validation process we know nt!SeValidateImageHeader calls CI!CiValidateImageHeader.
the return status from CiValidateImageHeader determines whether the signature is valid or not.
Based on Reverse Engineering of nt!SeValidateImageHeader we understand it uses an array - SeCiCallbacks to retrieve the address of CiValidateImageHeader before calling it.
SeCiCallbacks is initialized by CiInitialize. to be precise, a pointer to nt!SeCiCallbacks is passed to CiInitialize as an argument allowing us to map ntoskrnl.exe to usermode and perform the following:
sig scan for the lea instruction prior to the CiIntialize call.
calculate the address of SeCiCallbacks in usermode
calculate the offset from the base of ntoskrnl in usermode
add the same offset to the base of ntoskrnl.exe in kernelmode.
once we have the address of SeCiCallbacks in kernel, all we need to do is to add a static offset to CiValidateImageHeader's entry in the array.
leverage the write primitive to replace the address of CiValidateImageHeader with the address of ZwFlushInstructionCache, or any function that will always return NTSTATUS SUCCESS with the same prototype of CiValidateImageHeader.
-
in case loading gdrv.sys fails, its likely due to Microsoft's driver blocklist/cert expired, just modify the code to use an alternative vulnerable driver , there are plenty of them.
-
you can also disable the driver blocklist via the following command : reg add HKLM\SYSTEM\CurrentControlSet\Control\CI\Config /v "VulnerableDriverBlocklistEnable" /t REG_DWORD /d 0 /f
-
whilst the implemented technique does not require a read primitive , we do use the read primitive to restore the original CiValidateImageHeader after the unsigned driver is loaded.
you can modify the code to not use the read primitive and it will work just fine since SeCiCallbacks is not PatchGuard protected (EDIT : protected in Windows 11 23H2) -
built on top of the core of gdrv-loader