This is just a common example of sensationalism... I don't know where this security researcher struck before, but he definitely didn't strike anything groundbreaking here :-)
This article is misleading... It confuses features from the 32-bit Vista and from the 64-bit Vista. It talks about how only signed drivers are supposed to be allowed... This is only for 64-bit... It doesn't really apply to the 32-bit version... The tool that this security researcher released would work only on the 32-bit version because it actually hides a simple driver in the executable.

First, it calls RtlAdjustPrivilege to be able to install a driver (meaning that if you don't have admin privileges it's not gonna work). Then it drops its hidden driver calling RtlDecompressBuffer, creating a hidden alternative data stream in the crusoe.sys driver. Next it sets up a registry entry for this hidden driver and calls NtLoadDriver. The driver itself simply grabs the process id (passed by the user through what seems to be the KUSER_SHARED_DATA region), calls PsLookupProcessByProcessId(pid,&pEprocess), and if the call is successful it simply clears the 'ProtectedProcess' flag (pEprocess->Flags2.ProtectedProcess = 0).

This is the same approach used to unlock files that were open for exclusive I/O operations... you go into the kernel finding the corresponding data structure and then set the bit that prevents you from accessing your target :-) This wouldn't work if the driver really needed to be signed (which would be the case for the 64-bit version of Vista) unless somebody finds an exploit to load unsigned code.

Overall, it's not really worse than what you'd have with XP... I'm not a big fan of Vista, but this is definitely not what people make it to be.

Kyle
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
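The post above describes a driver that is dropped into a hidden alternate data stream of crusoe.sys and then loaded through a registry service entry. The following is an added example, not code from the post or the tool it discusses: a defender-side check that inspects driver ImagePath values and flags any that point into an alternate data stream, covering the path forms such values come in (plain, NT-prefixed, UNC, relative). The path variants, service names and sample entries are constructed for the example.

```python
"""Added example (not from the original post): flag driver ImagePath values
that target an alternate data stream (ADS), the hiding technique described.
Sample entries and service names below are constructed."""
import re
from typing import Dict, Optional

# A Win32 path allows exactly one colon, right after the drive letter; any later
# colon introduces a stream name: C:\dir\file.sys:hidden[:$DATA].
# ImagePath values also appear as NT paths (\??\C:\... or \\?\C:\...), as UNC
# paths, or relative to the Windows directory (system32\drivers\x.sys), and may
# be quoted, so those forms are normalised before looking for a stream colon.
_PREFIX_RE = re.compile(r"^(?:\\\?\?\\|\\\\\?\\)")   # strips \??\ or \\?\
_DRIVE_RE = re.compile(r"^[A-Za-z]:")

def ads_stream_name(image_path: str) -> Optional[str]:
    """Return the ADS stream name if image_path targets one, else None."""
    path = _PREFIX_RE.sub("", image_path.strip().strip('"'))
    if path.startswith("\\\\"):        # UNC path: no drive colon to skip
        body = path[2:]
    elif _DRIVE_RE.match(path):
        body = path[2:]                  # drop the legitimate "C:" colon
    else:
        body = path                      # relative path, e.g. system32\drivers\x.sys
    if ":" not in body:
        return None
    # Everything after the first remaining colon names the stream; a trailing
    # ":$DATA" is the default stream type, not part of the name.
    stream = body.split(":", 1)[1]
    if stream.upper().endswith(":$DATA"):
        stream = stream[: -len(":$DATA")]
    return stream or None                # "::$DATA" is the default (unnamed) stream

def flag_service_entries(entries: Dict[str, str]) -> Dict[str, str]:
    """Map service name -> stream name for every ImagePath that loads from an
    ADS; entries whose image is a regular file are omitted."""
    hits = {}
    for service, image_path in entries.items():
        stream = ads_stream_name(image_path)
        if stream is not None:
            hits[service] = stream
    return hits

# Constructed sample: one ordinary driver entry, one loading a hidden stream.
SAMPLE_ENTRIES = {
    "crusoe": r"system32\DRIVERS\crusoe.sys",
    "hidden_svc": r"\??\C:\Windows\system32\DRIVERS\crusoe.sys:hidden",
}

if __name__ == "__main__":
    for service, stream in flag_service_entries(SAMPLE_ENTRIES).items():
        print(f"{service}: ImagePath loads alternate data stream '{stream}'")
```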