Windows’ Driver Signature Enforcement, the policy requiring all kernel-mode drivers to be digitally signed by a trusted Certificate Authority (CA), doesn’t check certificate revocation lists at kernel load time. Researchers noted this to be a legacy behavior that remains exploitable because of backward-compatibility features introduced years ago that allow an exception for drivers signed with certificates issued before July 29, 2015, that chain to a supported cross-signed CA.
The EnCase driver contains a timestamp from a VeriSign service, which the authentication check still considers valid. “When code is signed with a timestamp, Windows validates the signature against the time the signature was created, not the current date,” the researchers noted. “Because the driver was timestamped while the certificate was still valid (before January 31, 2010), the signature remains valid indefinitely, even though the certificate has since expired.”
Once in the kernel, the driver exposes an IOCTL interface that lets the malware terminate arbitrary processes with full system privileges. Among the functionality exposed are process-termination commands that bypass user-mode protections for Protected Process Light (PPL) processes, the defenses EDR systems rely on to avoid tampering.
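As an added example (not code from the article or from the researchers' report), the following PowerShell audit lists running kernel drivers whose signer certificate has already expired or was issued before the July 29, 2015 cross-signing cutoff, the two legacy-trust conditions described above. The `Win32_SystemDriver` query and the path normalisation of `\??\` and `\SystemRoot` prefixes are my assumptions about how the driver paths are stored.

```powershell
# Added audit helper (not from the article): flag loaded kernel drivers whose
# Authenticode signer certificate is expired, or was issued before the
# 2015-07-29 cross-signing cutoff, i.e. the legacy-trust conditions above.
function Find-LegacyTrustedDrivers {
    [CmdletBinding()]
    param(
        # Cutoff date from the Windows cross-signing exception described in the article.
        [datetime]$CrossSignCutoff = [datetime]'2015-07-29'
    )

    $now = Get-Date
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise NT-style paths stored by the service control manager
            # (assumption: these two prefixes cover the common cases).
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            if (-not $sig -or -not $sig.SignerCertificate) { return }  # unsigned/unreadable: out of scope

            $cert      = $sig.SignerCertificate
            $expired   = $cert.NotAfter  -lt $now
            $preCutoff = $cert.NotBefore -lt $CrossSignCutoff

            if ($expired -or $preCutoff) {
                [pscustomobject]@{
                    Driver        = $_.Name
                    Path          = $path
                    Status        = $sig.Status   # stays 'Valid' for an expired cert when timestamped
                    Signer        = $cert.Subject
                    CertNotBefore = $cert.NotBefore
                    CertNotAfter  = $cert.NotAfter
                    Timestamped   = [bool]$sig.TimeStamperCertificate
                    Reason        = @(
                        if ($expired)   { 'signer cert expired' }
                        if ($preCutoff) { 'cert issued before 2015-07-29 cutoff' }
                    ) -join '; '
                }
            }
        }
}

# Usage: show drivers whose signature still verifies despite an expired certificate.
Find-LegacyTrustedDrivers |
    Where-Object { $_.Status -eq 'Valid' -and $_.CertNotAfter -lt (Get-Date) } |
    Format-Table Driver, Signer, CertNotAfter, Timestamped, Reason -AutoSize
```

A hit is not proof of abuse; legitimate vendor drivers also match these conditions, so the list is a starting point for review against an allowlist, not a verdict.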


