My understanding of the boot process:
1 - Bootmgr is the boot image.
It uses bootmgr.exe.mui for the proper language.
bootmgr checks the checksum and digital signature on files such as WinLoad.exe and BootRes.dll, and then uses bootmgr.exe.mui to display the errors in the proper language.
2 - bootmgr writes to bootstat.dat to record whether there was a successful boot and what progress was made during boot ("Windows did not start up previously, do you want safe mode?" etc. is recorded in it for the next time you start your PC).
3 - It then passes on to winload.exe to actually load Windows, and records in bootsect.dat that it passed on to WinLoad.exe.
If I'm correct in this, then what needs to be done is:
1 - replace bootmgr with a boot image file that doesn't check certs.
2 - replace bootsect.dat with an "I checked certs and passed on to winload" log.
3 - patch/replace winload.exe to load a custom bootres.dll (2nd check for cert in winload?)
4 - patch/replace bootres.dll with the new one for the boot animation
5 - keep a process in the background - the new process ensures that when MS Update replaces bootmgr with new cert checks, the custom bootmgr is restored before the next boot.
There still isn't a lot of info on the net concerning the Win7 boot file process, so a lot of this is assumptions, but the theory may be sound.
PS: unsure where the grldr file comes in on all of this.
What I'm basing this theory on:
*bootmgr is a boot image file.
*bootmgr has several replacements in windows update temp files (updating cert checks that way?)
*bootmgr.exe.mui (the language file for bootmgr) contains such strings as:
#9018, "The file is possibly corrupt. Its header checksum does not match the computed checksum."
#9019, "Windows cannot verify the digital signature for this file."
*Winload.exe calls bootres.dll
A possible way to get around the cert checks:
1 - use BCDEdit to:
bcdedit -set loadoptions DISABLE_INTEGRITY_CHECKS
bcdedit -set TESTSIGNING ON
Copy the new bootmgr after the edit.
Copy the bootsect.dat before rebooting (to keep the "do checks" log intact).
2 - customize your winload.exe and your bootres.dll (keep backups) for a custom boot screen.
3 - write a background process to replace the bootmgr image with your edited one and copy the bootsect.dat backup back to bootsect.dat:
A - before every reboot
B - after every windows update
C - after the bootmgr is edited by any other process
After any boot menu edits the process will have to be redone to save the new boot menu with the DISABLE_INTEGRITY_CHECKS and TESTSIGNING flags and still keep the new boot menu.
Thoughts on this?
Is anyone able to decompile the bootmgr image file for verification of this theory?
Also - I only have a retail Win7 32-bit Ultimate edition to draw theories on.
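From the defender's side, the two bcdedit settings and the file swaps described in the post above leave visible traces. The following is an added example, not code from anyone in this thread: it parses `bcdedit /enum` output for testsigning / nointegritychecks / DISABLE_INTEGRITY_CHECKS and checks the Authenticode signature on bootmgr, winload.exe and bootres.dll. It assumes default paths on the system drive (on installs with an unlettered System Reserved partition, bootmgr lives there instead and will show as missing) and needs an elevated prompt for bcdedit.

```powershell
# Added example (not from the thread): audit the boot-integrity settings
# and boot-file signatures a defender would check on a Windows 7 box.

function Get-BcdWeakenings {
    # Parses bcdedit /enum output; pass -BcdOutput to test against saved text.
    param([string[]]$BcdOutput = (bcdedit /enum all 2>&1))
    $findings = @()
    $entry = '(unknown entry)'
    foreach ($line in $BcdOutput) {
        if ($line -match '^identifier\s+(\S+)') { $entry = $Matches[1]; continue }
        if ($line -match '^testsigning\s+Yes') {
            $findings += "$entry : testsigning enabled"
        }
        if ($line -match '^nointegritychecks\s+Yes') {
            $findings += "$entry : nointegritychecks enabled"
        }
        if ($line -match '^loadoptions\s+.*DISABLE_INTEGRITY_CHECKS') {
            $findings += "$entry : loadoptions contains DISABLE_INTEGRITY_CHECKS"
        }
    }
    return $findings
}

function Get-BootFileSignatureStatus {
    # Default paths are an assumption (standard C: install, no System Reserved partition).
    param([string[]]$Paths = @(
        "$env:SystemDrive\bootmgr",
        "$env:SystemRoot\System32\winload.exe",
        "$env:SystemRoot\System32\bootres.dll"))
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { "$p : missing"; continue }
        $sig = Get-AuthenticodeSignature -FilePath $p
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        # Anything other than Valid, or a non-Microsoft signer (e.g. a self-signed
        # test certificate), marks the file as suspect.
        $suspect = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'Microsoft')
        [pscustomobject]@{ Path = $p; Status = $sig.Status; Signer = $signer; Suspect = $suspect }
    }
}

# Constructed sample of what the thread's two bcdedit commands leave behind,
# so the parser can be exercised without touching the live BCD store.
$sample = @'
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
loadoptions             DISABLE_INTEGRITY_CHECKS
testsigning             Yes
'@ -split "`r?`n"

Get-BcdWeakenings -BcdOutput $sample        # two findings for {current}
Get-BootFileSignatureStatus | Format-Table -AutoSize
```

Run `Get-BcdWeakenings` with no argument to check the live store; an empty result plus three `Valid` Microsoft-signed files is the expected clean state.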
Sounds awesome, keep up the good work. I'm gonna start heavy work on this in about an hour or two.
I await with bated breath the fruits of this endeavor.
I'm starting to get tired of all this signing and all that.
BTW, you should make a GUI tool for all this stuff; it would make it a billion times better.
Is signing a command line function?
If so then post up some links on how to do it.
I can do a GUI in VB or something.
I don't have any links, but here is an easy way of finding the command line parameters:
Copy all files from my Windows 7 SDK archive to %HomeDrive%.
Click the start menu, then type cmd and tap Ctrl-Shift-Enter; click Yes (if UAC is enabled).
Then type CD %HomeDrive%
then makecert.exe /?
and so on for all the files.
I just uploaded them for your convenience; there are no viruses or any of that bullshit.
Hey, long time no post. My laptop was broken for the last week, and I have been busy.
Anyways, I have a few comments on things said here. I am fairly certain winload.exe does integrity checks. At least with the RC versions of Windows 7 it was the only thing that did the integrity checks. It even did the check on itself. Now with a retail version maybe bootmgr is doing it, or maybe now they are both doing it. I know that the methods for disabling winload.exe's integrity checks no longer work in retail versions.
About the certificate signing. It is easily amenable to a GUI with some minor exceptions.
First, given the tools marcusj posted, you can do most of the signing process automated. You would need 3 pieces of information: a dummy name, a name for the certificate file, and a password. Also, many of these "command line tools" use dialog boxes for the password entries. You will need to use the SendInput function (part of the Win API) to simulate typing into them.
I have re-worked the self-signing commands to make them more straightforward, hopefully, and amenable to automation.
To Make a Self-Signing Certificate Authority (only need to do this once, and I recommend only doing it once, otherwise you'll get annoyed later on)
Note: Maybe the program can save some registry values to know it has already made a self-signing certificate authority and store where it saves the pvk and cer files
makecert -r -n "CN=Dummy Name" -pe -ss CA -sr LocalMachine -a sha1 -sky signature -sv NameCA.pvk NameCA.cer
(type: password, tab, password, enter, password, enter)
certutil -f -addstore Root Name.cer
To Make a Self-Signing Certificate (only need to do this once, but it doesn't hurt to do it more than once)
Note: You can delete the NameCA.cer, NameCA.pvk, Name.pvk, and Name.cer after this step as long as you save the Name.pfx file. That file is all you need to sign unlimited documents after this step.
makecert -pe -n "CN=Dummy Name" -a sha1 -ic NameCA.cer -iv NameCA.pvk -sv Name.pvk Name.cer
(type: password, tab, password, enter, password, enter, password, enter)
pvk2pfx -pvk Name.pvk -pi PASSWORD -spc Name.cer -pfx Name.pfx -f
Sign Program (needs to be done every time the program changes)
signtool sign /v /f Name.pfx /p PASSWORD /t http://timestamp.verisign.com/scripts/timestamp.dll PROGRAM.EXE
Install Certificate
Note: This is only necessary on other computers that plan to use programs signed with your certificate. If you do this all on one computer, you don't need this. Also, I haven't bothered to find an automated way to do this (unless you saved NameCA.cer).
See the post I made earlier: Change Boot Logo/Screen?
So if you make a program (I may make a program this weekend) it should probably ask you to either pick a certificate PFX that you already made or make a new one. If you are using a new one, you ask for a name, file name, a password, and a program to sign. If it's reusing another PFX you just need the password and program to sign. Then you use the commands, simulating typing as necessary, and you have signed a program!
Awesome, man, sweet.
How do we find out which executable program is doing the checks and how it is being done?