Windows XP and Windows Server 2003

Jul 30, 2007 13:34 GMT  ·  By

Want to load unsigned drivers into 32-bit and 64-bit Windows Vista, Windows XP and Windows Server 2003? Then Atsiv, a tool created by Linchpin Labs & OSR, is the right thing for you. Specifically, Atsiv enables you to circumvent the mandatory driver signing in the 64-bit editions of Vista. Microsoft had made a point of the fact that the x64 editions of Vista refuse to load unsigned code into the kernel, a security feature intended to block the techniques used by rootkits and malicious kernel drivers. According to Linchpin Labs & OSR, Atsiv is designed to deliver compatibility for legacy drivers that would otherwise be a pain to load as unsigned drivers into the x64 versions of Microsoft's latest operating system.

"When looking at how it did its magic, the original .exe contains two resource sections: DRIVER_BIN32 and DRIVER_BIN64. These are actually signed 32-bit and 64-bit drivers. The command line tool loads the appropriate driver, which then in turn allows loading of unsigned drivers due to the implementation of their own PE loader," explained Ollie Whitehouse, Symantec Advanced Threat Research Architect. "So in order for Microsoft to mitigate the risk of malicious code utilizing this signed driver to load their own, they are going to have to revoke the signing certificate. It'll be interesting to see how long it takes Microsoft to do this."

"Atsiv doesn't add the driver to the PsLoadedModuleList, so it is not visible in the standard drivers list. The loaded driver is not completely loaded into memory - the DOS header, for example, is not loaded. Atsiv ignores dependencies and will load a single driver regardless of its dependencies. If a driver has dependencies, ensure they have all been loaded prior to loading the driver. If loading by file name, a fake registry path is passed in to the driver's DriverEntry routine. Unlike the NT Loader, Atsiv allows drivers with the same name to be loaded multiple times. Some drivers are not compatible with multiple instances running," Linchpin Labs & OSR revealed.

The fact of the matter is that even if Microsoft revokes this one signing certificate, the same approach can simply be repeated with a loader driver signed under another, still valid, certificate. Linchpin Labs & OSR also acknowledge that Atsiv is neither fully safe nor reliable, despite their best efforts. Because its loading process differs from the operating system's own loader, it can crash the platform. The developers advise users to exercise care when deploying unsigned drivers on Vista.
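As an added example, not code from the article or from Linchpin Labs & OSR, the following PowerShell audit lists every driver registered with the Service Control Manager whose Authenticode signer is on a local blocklist or whose signature does not verify; the blocklist thumbprint is a placeholder that a real revoked-certificate thumbprint would replace. Since drivers mapped by Atsiv never appear in the loaded-module list, this catches the signed loader driver and ordinary unsigned drivers, not code Atsiv has already mapped.

```powershell
# Added example, not code from the article or from Linchpin Labs / OSR.
# Audits every SCM-registered driver, verifies its Authenticode signature and
# flags signers on a local blocklist. The thumbprint below is a placeholder;
# the real thumbprint of a revoked signing certificate comes from the CA/vendor.

$BlockedThumbprints = @(
    'PLACEHOLDER_THUMBPRINT_OF_REVOKED_SIGNING_CERT'
)

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver reports a few NT-style path shapes; map them to Win32 paths.
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    $p = $p -replace '^system32\\', ($env:SystemRoot + '\System32\')
    return $p
}

function Test-DriverSigner {
    param([string]$Name, [string]$State, [string]$PathName)
    $path = Resolve-DriverPath $PathName
    $result = [ordered]@{ Driver = $Name; State = $State; Path = $path; Status = ''; Signer = ''; Flag = '' }
    if (-not (Test-Path -LiteralPath $path)) {
        # A registered driver whose binary is gone deserves a look either way.
        $result.Status = 'FileMissing'; $result.Flag = 'Review'
        return [pscustomobject]$result
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    $result.Status = $sig.Status.ToString()
    if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Thumbprint }
    if ($BlockedThumbprints -contains $result.Signer) {
        $result.Flag = 'BlockedSigner'      # signed by a certificate we no longer trust
    } elseif ($sig.Status -ne 'Valid') {
        $result.Flag = 'Review'             # unsigned, tampered, or untrusted chain
    }
    return [pscustomobject]$result
}

Get-CimInstance -ClassName Win32_SystemDriver |
    ForEach-Object { Test-DriverSigner -Name $_.Name -State $_.State -PathName $_.PathName } |
    Where-Object { $_.Flag } |
    Sort-Object Flag, Driver |
    Format-Table -AutoSize
```

Get-CimInstance needs PowerShell 3.0 or later; on older hosts Get-WmiObject Win32_SystemDriver returns the same properties. Older PowerShell builds report catalog-signed OS drivers as NotSigned, so treat the Review flag as a starting point for inspection rather than proof of tampering.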

Atsiv 1.01 was tested by Softpedia as being 100% Clean and is available for download here.