This is just a common example of sensationalism...<br>I don't know where this security researcher struck before,<br>but he definitely didn't strike anything groundbreaking here :-)<br><br>This article is misleading... It confuses features
<br>from the 32-bit Vista and from the 64-bit Vista.<br><br>It talks about how only signed drivers are suppose to be allowed...<br>This is only for 64-bits... It doesn't really apply to the 32-bit<br>version... <br><br>
The tool that this security researcher released would work<br>only on the 32-bit version because it actually hides a simple<br>driver in the executable. First, it calls RtlAdjustPrivilege<br>to be able to install a driver (meaning that if you don't
<br>have admin priviledges it's not gonna work). Then it<br>drops its hidden driver calling RtlDecompressBuffer,<br>creating a hidden alternative data stream in the crusoe.sys <br>driver. Next it sets up a registry entry for this hidden driver
<br>and calls NtLoadDriver. The driver itself simply grabs<br>the process id (passed by the user through what seems<br>to be the KUSER_SHARED_DATA region), calls<br>PsLookupProcessByProcessId(pid<div id="mb_1">,&pEprocess), and if the call is successful
<br>it simply clears the 'ProtectedProcess' flag <br>(pEprocess->Flags2.ProtectedProcess = 0).<br><br>This is the same approach used to unlock files that were<br>open for exclusive I/O operations... you go into the kernel
<br>finding the corresponding data structure and then set the bit<br>that prevents you from accessing your target :-)<br><br>This wouldn't work if the driver really needed to be signed<br>(which would be the case for the 64-bit version of Vista) unless
<br>somebody finds an exploit to load unsigned code.<br><br>Overall, it's not really worse than what you'd have with XP...<br>I'm not a big fan of Vista, but this is definitely not what<br>people make it to be.
<br><br>Kyle</div>