好友 阅读权限 10
听众 最后登录 1970-1-1
本帖最后由 whdfog 于 2024-10-11 19:35 编辑 看论坛内帖子“从Sandboxie源码分析软件注册机制及逆向思路”(https://www.52pojie.cn/thread-1793118-1-1.html)发现最后加载驱动时要关闭驱动程序强制签名,而关闭强制签名会被部分游戏或程序检测到导致程序拒绝启动。如果能够不关闭强制签名去加载内核驱动,对系统的影响是最小的。 Custom Kernel Signers(CKS) 是Windows10(可能从1703开始)支持的一种产品策略。这个产品策略的全名是CodeIntegrity-AllowConfigurablePolicy-CustomKernelSigners,它允许用户自定义内核代码证书,从而使得用户可以摆脱“驱动必须由微软签名”的强制性要求。 于是跟随项目内教程(https://github.com/HyperSine/Windows10-CustomKernelSigners/blob/master/asset/build-your-own-pki.zh-CN.md)创建了3个证书(localhost-root-ca,localhost-km,localhost-pk),localhost-root-ca作为根证书用于签发localhost-km和localhost-pk,localhost-km用于给要加载的内核驱动签名,localhost-pk作为PK 证书用于导入UEFI 固件。[Shell] 纯文本查看 复制代码
sudo apt install efitools [Shell] 纯文本查看 复制代码
cert-to-efi-sig-list -g "$(cat GUID.txt)" "localhost-pk.crt" "localhost-pk.esl"
sign-efi-sig-list -k localhost-pk.key -c localhost-pk.crt PK localhost-pk.esl PK.auth
sign-efi-sig-list -g "$(cat GUID.txt)" -k localhost-pk.key -c localhost-pk.crt PK /dev/null WipePK.auth
openssl x509 -inform der -outform pem -in "microsoft corporation kek 2k ca 2023.crt" -out "microsoft corporation kek 2k ca 2023.pem"
openssl x509 -inform der -outform pem -in "MicCorKEKCA2011_2011-06-24.crt" -out "MicCorKEKCA2011_2011-06-24.pem"
cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b "microsoft corporation kek 2k ca 2023.pem" "microsoft corporation kek 2k ca 2023.esl"
cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b "MicCorKEKCA2011_2011-06-24.pem" "MicCorKEKCA2011_2011-06-24.esl"
cat "kek 2k ca 2023.esl" "MicCorKEKCA2011_2011-06-24.esl" > "kek.esl"
sign-efi-sig-list -k localhost-pk.key -c localhost-pk.crt KEK kek.esl KEK.auth
openssl x509 -inform der -outform pem -in "MicCorUEFCA2011_2011-06-27.crt" -out "MicCorUEFCA2011_2011-06-27.pem"
openssl x509 -inform der -outform pem -in "microsoft uefi ca 2023.crt" -out "microsoft uefi ca 2023.pem"
openssl x509 -inform der -outform pem -in "MicWinProPCA2011_2011-10-19.crt" -out "MicWinProPCA2011_2011-10-19.pem"
openssl x509 -inform der -outform pem -in "windows uefi ca 2023.crt" -out "windows uefi ca 2023.pem"
cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b "MicCorUEFCA2011_2011-06-27.pem" "MicCorUEFCA2011_2011-06-27.esl"
cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b "microsoft uefi ca 2023.pem" "microsoft uefi ca 2023.esl"
cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b "MicWinProPCA2011_2011-10-19.pem" "MicWinProPCA2011_2011-10-19.esl"
cert-to-efi-sig-list -g 77fa9abd-0359-4d32-bd60-28f4e78f784b "windows uefi ca 2023.pem" "windows uefi ca 2023.esl"
cert-to-efi-sig-list -g "$(cat GUID.txt)" "cert_uefidb.crt" "cert_uefidb.esl"
cat "MicCorUEFCA2011_2011-06-27.esl" "microsoft uefi ca 2023.esl" "MicWinProPCA2011_2011-10-19.esl" "windows uefi ca 2023.esl" "cert_uefidb.esl" > "db.esl"
sign-efi-sig-list -k localhost-pk.key -c localhost-pk.crt DB db.esl DB.auth
sign-efi-sig-list -k localhost-pk.key -c localhost-pk.crt DBX x64_DBXUpdate.bin DBX.auth
需要在运行Shell的目录下创建一个GUID.txt,文件内容是自己生成的8-4-4-4-12格式的GUID(如微软的所有者 GUID:77fa9abd-0359-4d32-bd60-28f4e78f784b)。 [Shell] 纯文本查看 复制代码
openssl pkcs12 -export -in localhost-pk.crt -inkey localhost-pk.key -out localhost-pk.pfx 导出localhost-pk.pfx时会提示输入密码,全部留空直接回车即可。 规则生成并签名后需要移动到当前系统的EFI目录下(以下提供的命令可自动完成)。 [PowerShell] 纯文本查看 复制代码
if(!([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] 'Administrator')) {
Start-Process -FilePath PowerShell.exe -Verb RunAs -ArgumentList ("-NoExit",("cd {0} ;" -f $PSScriptRoot),("`"$($MyInvocation.MyCommand.Path)`" $($MyInvocation.UnboundArguments)"))
Exit
}
Write-Host "本脚本同目录下需要有signtool.exe/localhost-km.crt/localhost-pk.pfx 3个文件"
Set-Location -path "$(Get-Location)"
New-CIPolicy -FilePath SiPolicy.xml -Level RootCertificate -ScanPath C:\windows\System32\
Add-SignerRule -FilePath .\SiPolicy.xml -CertificatePath localhost-km.crt -Kernel -Update -Supplemental
Set-RuleOption -FilePath .\SiPolicy.xml -Option 2 -Delete #2 - Required:WHQL
Set-RuleOption -FilePath .\SiPolicy.xml -Option 3 -Delete #3 - Enabled:Audit Mode (Default)
Set-RuleOption -FilePath .\SiPolicy.xml -Option 12 -Delete #12 - Required:Enforce Store Applications
Set-RuleOption -FilePath .\SiPolicy.xml -Option 6 #6 - Enabled:Unsigned System Integrity Policy
Set-RuleOption -FilePath .\SiPolicy.xml -Option 9 #9 - Enabled:Advanced Boot Options Menu
Set-RuleOption -FilePath .\SiPolicy.xml -Option 10 #10 - Enabled:Boot Audit on Failure
Set-RuleOption -FilePath .\SiPolicy.xml -Option 17 #17 - Enabled: Allow Supplemental Policies
Set-CIPolicyVersion -FilePath .\SiPolicy.xml -Version 10.0.0.0
Write-Host ""
Write-Host " <!-- For Wellknown CertRoot `"01`" the certificate chain is too long or "
Write-Host " reaches a certificate whose issuer is not in the chain and does not "
Write-Host " have the same name as any known Microsoft root. -->"
Write-Host " <Signer ID=`"ID_SIGNER_KNOWNROOT_1`" Name=`"Unknown Root`">"
Write-Host " <CertRoot Type=`"Wellknown`" Value=`"01`" />"
Write-Host " </Signer>"
Write-Host " <!-- For Wellknown CertRoot `"02`" the certificate chain reaches a "
Write-Host " certificate that is its own issuer but which does not have the same "
Write-Host " public key as any known Microsoft root. -->"
Write-Host " <Signer ID=`"ID_SIGNER_KNOWNROOT_2`" Name=`"Self-Signed Root`">"
Write-Host " <CertRoot Type=`"Wellknown`" Value=`"02`" />"
Write-Host " </Signer>"
Write-Host ""
Write-Host " <AllowedSigner SignerId=`"ID_SIGNER_KNOWNROOT_1`" />"
Write-Host " <AllowedSigner SignerId=`"ID_SIGNER_KNOWNROOT_2`" />"
Write-Host ""
Read-Host -Prompt "修改SiPolicy.xml完成后按任意键继续"
ConvertFrom-CIPolicy -XmlFilePath .\SiPolicy.xml -BinaryFilePath .\SiPolicy.bin
signtool.exe sign /v /p7 . /p7co 1.3.6.1.4.1.311.79.1 /fd sha256 /ac localhost-root-ca.crt /f localhost-pk.pfx SiPolicy.bin
Move-Item -Force -Path .\SiPolicy.bin.p7 -Destination .\SiPolicy.p7b
mountvol X: /s
Copy-Item -Force -Path .\SiPolicy.p7b -Destination X:\EFI\Microsoft\Boot\
Write-Host "(EFI)SiPolicy.p7b签名状态:"
certutil.exe -asn X:\EFI\Microsoft\Boot\SiPolicy.p7b
mountvol X: /d
Read-Host -Prompt "已完成,请按任意键继续"
$host.SetShouldExit(0)
需要根据脚本的提示修改生成的SiPolicy.xml内Signers和AllowedSigners项的内容。 CKS 的开关保存在HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions键的ProductPolicy值里。 但微软在新系统中删除了CodeIntegrity-AllowConfigurablePolicy这个产品策略,运行EnableCKS.exe后程序无法开启CodeIntegrity-AllowConfigurablePolicy会导致无限重启。(如果已经无限重启,可进PE的注册表编辑器,点击HKEY_LOCAL_MACHINE,再点击文件-加载配置单元,选择C:\Windows\System32\config文件夹下的SYSTEM文件,修改加载的注册表HKEY_LOCAL_MACHINE\SYSTEM\Setup下SetupType的值为0即可。修改完成后记得卸载配置单元保存修改。) CustomKernelSigners持久化 ssde项目的作者同样编译了一个驱动ssde.sys来持久化 CKS,但是这个驱动没有签名。需要通过以下命令用localhost-km证书签名ssde.sys [Shell] 纯文本查看 复制代码
signtool sign /v /fd sha1 /ac localhost-root-ca.crt /f localhost-km.pfx /tr "http://timestamp.digicert.com" ssde.sys
signtool sign /v /fd sha256 /as /ac localhost-root-ca.crt /f localhost-km.pfx /tr "http://timestamp.digicert.com" ssde.sys
将签名完成的ssde.sys复制到%SystemRoot%\System32\drivers\目录下(一般都是C:\Windows\System32\drivers\)。 [Shell] 纯文本查看 复制代码
sc create ssde binpath=%SystemRoot%\System32\drivers\ssde.sys type=kernel start=auto error=normal 注意命令中的%SystemRoot%最好不要替换为%Windir%,尽管%SystemRoot%和%Windir%的值应该都是C:\Windows\,但个人实测使用%Windir%会导致驱动无法启动,而用%SystemRoot%驱动就可以启动。IDA nce):
查看全部评分
发帖前要善用【论坛搜索 】 功能,那里可能会有你要找的答案或者已经有人发布过相同内容了,请勿重复发帖。
[复制链接]
发表于 2024-10-11 18:41
|
发表于 2024-10-18 16:17
