
TALK: Behind the Kernel: 0days in Drivers and Windows Signed Exposed
Iván Cabrera, Adrián Díaz
ABSTRACT
In this talk, we will present the results of our research on exploiting previously unknown (0day) vulnerabilities in Windows drivers for Red Team operations.
We will demonstrate how to leverage the Windows driver signing process to generate thousands of variants of the same driver without invalidating its signature, so that these variants can be loaded onto the system without being detected.
To set the stage, we will begin with an overview of how drivers work, how they interact with user mode, and the security protections that Windows implements in its latest versions.
Next, we will share a reversing and automation methodology that has enabled us to discover over 30 0day vulnerabilities in Microsoft-signed drivers that can still be loaded on the latest version of Windows (11 24H2) with all protections enabled (HVCI, the Vulnerable Driver Blocklist, etc.).
We will then discuss a critical weakness in the Windows driver signing process that allows the signature of any vulnerable driver to be modified, enabling it to bypass detection by certain EDR solutions.
To conclude, we will unveil a tool that collects vulnerable drivers and modifies their signatures, making it possible to load them onto the system undetected by some EDRs.
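Before testing whether a given driver loads on a hardened host, a practitioner will want to confirm that the protections the abstract names are actually active and see what the OS itself reports about the driver's signature. The PowerShell script below is an added example and is not the speakers' tooling; it assumes an elevated prompt, and $DriverPath is a placeholder to be replaced with the driver under test.

```powershell
# Added example (not part of the talk or its tool). Reports the state of the
# protections named in the abstract and the OS view of one driver's signature.
# Assumptions: run as Administrator; $DriverPath is a placeholder.
param(
    [string]$DriverPath = 'C:\Windows\System32\drivers\example.sys'  # placeholder, replace
)

# 1. Virtualization-based security / HVCI state. Win32_DeviceGuard is the
#    documented WMI class; a value of 2 in SecurityServicesRunning means HVCI.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
[PSCustomObject]@{
    VBSStatus   = $dg.VirtualizationBasedSecurityStatus   # 0 = off, 1 = enabled, 2 = running
    HVCIRunning = ($dg.SecurityServicesRunning -contains 2)
}

# 2. Microsoft Vulnerable Driver Blocklist toggle, read from the registry value
#    Microsoft documents for enabling it. An absent value means platform default.
$ciConfig  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciConfig -Name VulnerableDriverBlocklistEnable `
              -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
"VulnerableDriverBlocklistEnable = $blocklist"   # 1 = enabled

# 3. Signature status and file hash for the driver under test.
$sig = Get-AuthenticodeSignature -FilePath $DriverPath
[PSCustomObject]@{
    Path   = $DriverPath
    Status = $sig.Status                     # Valid / NotSigned / HashMismatch / ...
    Signer = $sig.SignerCertificate.Subject
    SHA256 = (Get-FileHash -Path $DriverPath -Algorithm SHA256).Hash
}
```

The point of step 3 is the caveat the abstract implies: a Status of Valid with an unchanged signer says nothing about whether this file is byte-identical to a known sample, so any detection keyed only on the file hash should be checked against the SHA256 value rather than the signature verdict.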
Iván Cabrera
Iván Cabrera is a Pentester at Tarlogic Security. In his free time, he researches Windows internals and EDR internals. He has participated in events such as EuskalHack, SecAdmin, Bitup, Jornadas STIC, Hacken and Cibertracks, and is the author of the redttps.com project.
Adrián Díaz
Adrián works as a Red Teamer at Accenture, where he focuses on researching, breaking things (with permission), and exploring new ways to understand offensive security. He enjoys spending most of his time doing research and developing exploits, especially in Windows environments.