Kernel protection in 64-bit Windows Vista rests on two mechanisms: PatchGuard and Mandatory Kernel Mode and Driver Signing. Kaspersky has already made its view of Kernel Patch Protection public, calling it more of a joke than a serious security barrier against rootkits, and the Russian antivirus maker has not overlooked Mandatory Kernel Mode and Driver Signing either.
Kaspersky points out that there is a set of documented methods for disabling signature checking. On x64 Vista, a digital signature is mandatory for any kernel-level module or driver. “There are several documented methods for disabling signature checking, among them methods which are designed to simplify the driver development and testing process. This is because the issue of how to develop drivers is real – it’s impossible to ask for a digital signature for every build prior to testing – which is why there are several ways to disable signature checking,” stated Alisa Shevchenko, virus analyst, Kaspersky Lab.
Accordingly, connecting a kernel debugger, booting into a mode without driver control or monitoring, and enabling support for test signatures are all valid ways of disabling Mandatory Kernel Mode and Driver Signing. Kaspersky claims that the methods are not limited to these three examples and that there is plenty of room for experimentation.
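From a defender's side, two of the three methods named above (kernel debugging and test-signing mode), plus the integrity-check bypass, are persisted as switches in the boot configuration and can be audited. The triage script below is an added example, not from the article or from Kaspersky; it parses the text of `bcdedit /enum {current}`, flags the documented elements `debug`, `testsigning`, `nointegritychecks` and `loadoptions`, and runs against a constructed sample entry. The per-boot F8 "disable driver signature enforcement" choice leaves no BCD trace, so this check cannot see it.

```python
"""Audit a Vista x64 boot entry for switches that weaken driver signing enforcement.
Added example (not the article's or Kaspersky's code); the sample entry is constructed."""
import re
import subprocess
import sys

# BCD element -> (value that weakens enforcement, what it means).
WEAKENING_ELEMENTS = {
    "debug":             ("Yes", "kernel debugger enabled (relaxes signing enforcement)"),
    "testsigning":       ("Yes", "test-signing mode: test-signed drivers load"),
    "nointegritychecks": ("Yes", "code-integrity checks disabled"),
}
# `loadoptions` carries a free-form string, so it is matched by substring.
LOADOPTIONS_MARKER = "DISABLE_INTEGRITY_CHECKS"

def parse_bcd_entry(text: str) -> dict:
    """Turn `bcdedit /enum` output into {element: value}; element names lowercased."""
    entry = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]+)\s{2,}(.+?)\s*$", line)   # name, 2+ spaces, value
        if m:
            entry[m.group(1).lower()] = m.group(2)
    return entry

def assess(entry: dict) -> list:
    """Return human-readable findings; an empty list means nothing is weakened."""
    findings = []
    for element, (bad_value, meaning) in WEAKENING_ELEMENTS.items():
        if entry.get(element, "").lower() == bad_value.lower():
            findings.append(f"{element}={entry[element]}: {meaning}")
    opts = entry.get("loadoptions", "")
    if LOADOPTIONS_MARKER in opts.upper():
        findings.append(f"loadoptions={opts}: integrity checks disabled via load option")
    return findings

# Constructed sample of a weakened boot entry (not a real capture).
SAMPLE_WEAKENED = """\
Windows Boot Loader
-------------------
identifier              {current}
description             Microsoft Windows Vista
nx                      OptIn
testsigning             Yes
debug                   Yes
"""

if __name__ == "__main__":
    text = SAMPLE_WEAKENED
    if sys.platform == "win32" and "--live" in sys.argv:   # read the real BCD (needs admin)
        text = subprocess.run(["bcdedit", "/enum", "{current}"], capture_output=True, text=True).stdout
    for finding in assess(parse_bcd_entry(text)) or ["no signing-enforcement weakening found"]:
        print(finding)
```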
“We anticipate a multitude of methods designed to get around kernel mode protection by loading unsigned components. Once again, the verdict is the same: yes, this function protects the operating system against malicious code, but it is not as effective as the developers claim,” Shevchenko concluded.