DSE, KDP And Everything In Between: Novel Techniques To Run Unsigned Rootkits
Code Integrity is a threat protection feature first introduced by Microsoft over 15 years ago. On x64-based versions of Windows, kernel drivers must be digitally signed and are checked each time they are loaded into memory. This is also referred to as Driver Signature Enforcement (DSE). To overcome this restriction, attackers either use valid digital certificates, whether issued to them or stolen, or disable DSE at runtime. Obtaining a certificate is a logistical obstacle, while tampering is a technical challenge. In recent years the latter tactic has only grown in popularity, with various APTs continuing to leverage the well-known DSE tampering technique.
Meanwhile, Microsoft rolled out new mitigations: driver blocklists and Kernel Data Protection (KDP), a new platform security technology for preventing data-oriented attacks. Since a blocklist only narrows the attack vector, we focused on how KDP was applied in this case to eliminate the attack surface.
We’ll present two novel techniques we found to bypass KDP-protected DSE. Furthermore, they work on all Windows versions, starting with the first release of DSE. Each technique will be demonstrated on live machines. We’ll also suggest a mitigation to cope with the issue, building on the same premises attackers rely on, until HVCI becomes prevalent and truly eliminates this attack surface.
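From a defender's side, the first practical question the abstract raises is what posture a given host actually has: is DSE relaxed through boot settings, is the vulnerable-driver blocklist on, and is VBS/HVCI running (KDP itself is built on VBS, and HVCI is the control the abstract names as the one that removes the attack surface). The following PowerShell audit is an added example and not code from the talk or its authors; the function name Get-CodeIntegrityPosture is my own, while the Win32_DeviceGuard class, its property encodings, the bcdedit switches and the VulnerableDriverBlocklistEnable registry value are documented Windows interfaces. Run it from an elevated prompt.

```powershell
# Added example (not from the talk): audit a Windows host's kernel code-integrity posture.
# Reports whether DSE is weakened via boot settings, whether VBS/HVCI is running,
# the kernel-mode CI policy state, and whether the Microsoft vulnerable-driver
# blocklist is enabled. Requires an elevated PowerShell session.

function Get-CodeIntegrityPosture {
    $result = [ordered]@{}

    # 1. Boot configuration: 'testsigning' and 'nointegritychecks' both relax DSE.
    #    Either being 'Yes' on a production host is worth an investigation.
    $bcd = (bcdedit /enum '{current}' 2>$null) -join "`n"
    $result.TestSigningEnabled      = [bool]($bcd -match 'testsigning\s+Yes')
    $result.IntegrityChecksDisabled = [bool]($bcd -match 'nointegritychecks\s+Yes')

    # 2. VBS / Device Guard state from WMI (root\Microsoft\Windows\DeviceGuard).
    #    There is no public indicator for KDP itself; it depends on VBS running,
    #    so VbsRunning is the precondition that matters for it.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($dg) {
        # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running
        $result.VbsRunning  = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        # SecurityServicesRunning contains 2 when HVCI (memory integrity) is running
        $result.HvciRunning = ($dg.SecurityServicesRunning -contains 2)
        # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced
        $result.KernelCiPolicy = switch ($dg.CodeIntegrityPolicyEnforcementStatus) {
            0 { 'Off' } 1 { 'Audit' } 2 { 'Enforced' } default { 'Unknown' }
        }
    } else {
        # Class missing: typically an older OS or a query without sufficient rights.
        $result.VbsRunning     = $false
        $result.HvciRunning    = $false
        $result.KernelCiPolicy = 'Unavailable'
    }

    # 3. Microsoft vulnerable driver blocklist switch (DWORD 1 = enabled).
    $ciConfig = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $bl = Get-ItemProperty -Path $ciConfig -Name VulnerableDriverBlocklistEnable `
                           -ErrorAction SilentlyContinue
    $result.VulnerableDriverBlocklist = ($null -ne $bl -and $bl.VulnerableDriverBlocklistEnable -eq 1)

    # 4. One-line verdict matching the abstract's framing: only HVCI closes the
    #    runtime DSE-tampering surface; everything else narrows or documents it.
    $result.RuntimeDseTamperingMitigated = $result.HvciRunning

    [pscustomobject]$result
}

# Usage: print the posture table, then flag the weak settings.
$posture = Get-CodeIntegrityPosture
$posture | Format-List
if ($posture.TestSigningEnabled -or $posture.IntegrityChecksDisabled) {
    Write-Warning 'DSE is relaxed through boot configuration on this host.'
}
if (-not $posture.RuntimeDseTamperingMitigated) {
    Write-Warning 'HVCI is not running; runtime DSE tampering remains possible on this host.'
}
```

The fields map directly onto the abstract's three layers: boot-level DSE state, the blocklist that only narrows the vector, and VBS/HVCI as the control that removes it. Collecting this output across a fleet gives a quick picture of which hosts still rely on DSE alone.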
Omri Misgav
Omri has over a decade of experience in cyber-security. He serves as the CTO of a security research group at Fortinet focused on OS internals, malware and vulnerabilities, and spearheads the development of new offensive and defensive techniques. Prior to Fortinet, Omri was the security research team leader at enSilo. Before that, he led the R&D of unique network and endpoint security products for large-scale enterprise environments and was part of an incident response team, conducting investigations and hunting for nation-state threat actors.