X
Tech

Vista kernel tampering tool released, then mysteriously disappears

The race to defeat a key anti-rootkit/anti-DRM mechanism in Windows Vista has heated up again with the release of a tool that loads unsigned drivers into 64-bit Windows kernel and a swift decision by Microsoft to treat the utility as malicious spyware. But a third developer has joined the fray with "Purple Pill," a new utility that could be very troublesome for Microsoft if it works as advertised.
Written by Ryan Naraine, Contributor

The race to defeat a key anti-rootkit/anti-DRM mechanism in Windows Vista has heated up again with the release of a tool that loads unsigned drivers into 64-bit Windows kernel and a swift decision by Microsoft to treat the utility as malicious spyware.

Race heats up to tamper with, defend Vista kernel
But a third developer has joined the fray with "Purple Pill," a new utility that could be very troublesome for Microsoft if it works as advertised.

The latest contretemps was triggered by Linchpin Labs, an Australian software development shop that created and shipped Atsiv (Vista spelled backwards), a command-like tool that allows the user to load and unload signed or unsigned drivers on 32 bit (x86) and 64 bit (x64) versions of Windows XP, Windows 2K3 and Windows Vista.

Atsiv was designed to provide compatibility for legacy drivers and to allow the hobbyist community (er, rootkit researchers) to run unsigned drivers without rebooting with special boot options or denial-of-service under Vista.

It effectively offered a deliberate way to load code that conflicts with the Kernel Mode Code Signing (KMCS) policy included in Windows Vista x64 editions -- the default KMCS policy is to only allow code to load into the kernel if it has been digitally signed with a valid code signing certificate -- and could be used by stealth malware to hide deep in the bowels of the Vista kernel.

Because Atsiv used a signed certificate to get itself onto Vista, it was easy for Microsoft to fight back. The company immediately shipped a Windows Defender signature update that tagged the Atsiv driver as a spyware threat and worked with VeriSign to revoke the code signing key used to sign the Atsiv kernel driver, rendering it invalid.

Redmond's security team is also mulling a plan to add the revoked key to the kernel mode code signing revocation list,an additional defense-in-measure that would require a system reboot in order for the new revocation list to take effect, according to Scott Field, a security architect on Microsoft's Windows team.

The Microsoft counter-measures have angered the folks at Linchpin Labs. According to this Gregg Keizer report, the privately held startup is complaining that the blocking of Atsiv borders on antitrust violations.

Linchpin Labs may have conceded defeat but Alex Ionescu, a kernel developer, reverse engineer and Microsoft Student Ambassador is pushing the envelope even more with what he calls Purple Pill, a tool that relies on a driver signed with a key that perhaps more than 50% of Vista users depend on for their machine to boot.

Here's Ionescu's description of Purple Pill (this has since been removed from his site):

  • It uses the OS mechanisms for loading drivers: NtLoadDriver. The driver is loaded by the native Mm SysLdr (The internal PE Loader) without any hacks, and it is present in the PsLoadedModuleListHead.
  • Vista is perfectly aware that an unsigned driver has been loaded: you will even get a warning a bit after the driver is loaded. This also means that PMP will become aware that the driver is loaded, and disable high-definition media playback. This means that this tool will not help you bypass DRM in any way, because the original Vista protection mechanisms are still in place. Note that on Vista 32-bit, this behavior already exists by default in the OS, so it is not a “bug” of Purple Pill.
  • And the best part: Purple Pill doesn’t use any certificate of mine or driver that I’ve written (or any other particular). In fact, Purple Pill uses a driver is signed with a key that perhaps more then 50% of Vista users are currently depending on for their laptop to boot. If this key gets blacklisted, all those customers would end up with largely unusable systems. Although Purple Pill itself may be added to Windows Defender, users which want to load it can simply disable the service or whitelist the application manually. I don’t see a realistic way in which this key can be blacklisted, so the Purple Pill will always be able to load (this is not a guarantee).
  • Finally, Purple Pill can also unload the driver you've loaded.
Vista kernel tampering tool released, then mysteriously disappears

Ionescu, currently an intern at Apple, originally released the Purple Pill (screenshot above) code but, as I was preparing this blog entry, I noticed that it has since been yanked from his personal blog. (Google cache of original release).

Editorial standards