Topic: How to patch 'winload.exe' to support unsigned drivers in Secure UEFI Booting ?

devdevadev

  • Jr. Chef
  • **
  • Date Registered: Jun 2014
  • Posts: 39
Hi 'ChrisR'...

http://reboot.pro/topic/19868-ultimate-super-smart-secret-removable-usb-drive-with-mega-booting/page-3#entry188980

In the above post, 'cdob' tells us that 'Win8.1SE' patches 'winload.exe/winload.efi' in order to support unsigned drivers in Secure UEFI Booting.

Can you please tell us how to patch any (especially Win8.1 and Win10) 'winload.exe/winload.efi' so that it allows Secure UEFI Booting even after integrating the unsigned 'microdriver' (cfadisk) within the 32/64-bit Windows Installer 'boot.wim'?

Please help.......

Thanks in Advance
« Last Edit: December 02, 2014, 06:39:46 AM by devdevadev »

ChrisR

  • XPE Baker
  • Grand Chef
  • *****
  • Date Registered: Mar 2011
  • Posts: 3494
You should rather write "Hi JFX", thanks to him.
However, you can look at his post #25 here: http://theoven.org/index.php?topic=866.msg11055#msg11055

devdevadev

  • Jr. Chef
  • **
  • Date Registered: Jun 2014
  • Posts: 39
Thanks for the Link........

But can you please provide a step-by-step tutorial for patching 'winload.exe/winload.efi' here?

Please......... :smile:

One more question......

Does 'Win8.1SE' integrate any unsigned driver within the default 'Win8.1SE_x64_boot.wim'?

If 'Yes', then

Is a 'Win8.1SE_x64_boot.wim' with an unsigned driver injected able to do Secure UEFI Booting?

Thanks & Regards.....

Atari800xl

  • Code Baker
  • Sr. Chef
  • ****
  • Date Registered: Feb 2013
  • Posts: 827
More colors, please.

ChrisR

  • XPE Baker
  • Grand Chef
  • *****
  • Date Registered: Mar 2011
  • Posts: 3494
Why do you use so many colors? Because you are visually impaired, or is it more a strange style?
For the patch, look at "Build\1-files.script", section BypassDriverSigning.
In default Win8.1SE, there are only the original boot.wim drivers.

« Last Edit: December 02, 2014, 12:22:14 PM by ChrisR »

devdevadev

  • Jr. Chef
  • **
  • Date Registered: Jun 2014
  • Posts: 39
Sorry Sir, for using multiple colors.

I am visually handicapped (with night blindness), and due to this disability the COLORS of my life have disappeared. Because of this darkness around me all day and night, I gradually came to dislike the BLACK color very much. So whenever I see options for different colors, I can't stop myself from using them. I know this habit of mine irritates all of you, and I am sorry for that. I know my habit is very BAD and I also want to give it up, but you can understand: BAD HABITS are BAD.

Thanks to all of you for your Great help and Support......

Regards....

anshad

  • Chef
  • ***
  • Date Registered: Apr 2012
  • Posts: 323
Quote
In default Win8.1SE, there is only the original boot.wim drivers.


Chris, I just checked the default settings of the latest "Win8.1_SE" package and it seems that "Accessgain" is selected by default. If I am not mistaken, that driver is only test signed. So I think the quickest way to check whether a test signed driver will work with "SecureBoot" is to build either "Win8PE_SE x64" or "Win8.1_SE x64" with default settings and try booting it on a "SecureBoot" enabled desktop/laptop (and check whether Accessgain really works). I will check and report if I can get my hands on a newer laptop.

If I remember correctly, Kayronix's "diskmod" is test signed but I am not sure about the modified versions of "cfadisk". Maybe we can test sign it ourselves using "Digital signature enforcement overrider".

  http://theoven.org/index.php?topic=729.0
« Last Edit: December 02, 2014, 01:01:55 PM by anshad »

loveleeyoungae

  • Apprentice
  • *
  • Date Registered: Oct 2014
  • Posts: 7
Quote
1) Enable testsigning to ON in BCD by using the command 'bcdedit /set TESTSIGNING ON'.
Previously it did not seem to work since I applied it only to the BIOS version of BCD (file /boot/BCD) and not to the
UEFI version (file /EFI/Microsoft/boot/BCD). After a reboot, you get the watermark "Test mode" at the bottom right
of your desktop together with the Windows version and build number.
It looks like even this guy did some testing on UEFI, but Secure Boot was Off/Disabled, which made the system behave as if it was in BIOS mode.
AFAIK, if Secure Boot is On/Enabled, those BCD parameters don't have any effect.

ChrisR

  • XPE Baker
  • Grand Chef
  • *****
  • Date Registered: Mar 2011
  • Posts: 3494
I forgot the unsigned AccessGain driver :wink:
I do not have a PC with the secure boot on hand and I have not tested DSEO.
The best way is, indeed, to test it. Let me know when you have the required hardware  :thumbsup:. Perhaps devdevadev has  :wink:

anshad

  • Chef
  • ***
  • Date Registered: Apr 2012
  • Posts: 323
Hi ChrisR

I did some quick tests and it seems that integrating an unsigned driver is not possible in UEFI mode (even if "SecureBoot" is off) :sad:. I used VMware for testing and created two virtual machines: one with default settings and another with EFI as the firmware to emulate UEFI. Since the included "Accessgain" binaries are not signed, I used DSEO to test-sign the driver myself for better compatibility. After the builder finished creating the ISO, I checked both "\Boot\BCD" and "\EFI\Microsoft\BCD" to make sure that the "DisableIntegrityChecks" option is enabled.

In MBR mode, "Win8.1SE" loaded "Accessgain" happily.

In UEFI mode, it totally failed to load the driver. Manually trying to start the driver using SC resulted in a warning message complaining about the driver's signature.

I checked the script "1-files" and indeed only "Winload.exe" is patched and "Winload.efi" is untouched so "DisableIntegrityChecks" has no effect in UEFI mode.

Code:
[BypassDriverSigning]
If,Not,ExistFile,%Tools%\gsar.exe,If,Not,ExistFile,%Tools%\PEChecksum.exe,Call,Echo,"Gsar.exe and PEChecksum.exe are required in Tools folder to bypass Driver signing",Warn
ShellExecute,Hide,%Tools%\gsar.exe,"-o -s:x44:x00:x49:x00:x53:x00:x41:x00:x42:x00:x4C:x00:x45:x00:x5F:x00:x49:x00:x4E:x00:x54:x00:x45:x00:x47:x00:x52:x00:x49:x00:x54:x00:x59:x00:x5F:x00:x43:x00:x48:x00:x45:x00:x43:x00:x4B:x00:x53:x00 -r:x58:x00:x49:x00:x53:x00:x41:x00:x42:x00:x4C:x00:x45:x00:x5F:x00:x49:x00:x4E:x00:x54:x00:x45:x00:x47:x00:x52:x00:x49:x00:x54:x00:x59:x00:x5F:x00:x43:x00:x48:x00:x45:x00:x43:x00:x4B:x00:x53:x00 #$q%Target_Sys%\winload.exe#$q"
If,Not,%ExitCode%,Equal,0,Echo,"Update winload.exe failed, exit code : %ExitCode%"
ShellExecute,Hide,%Tools%\PEChecksum.exe,"#$q%Target_Sys%\winload.exe#$q"
If,Not,%ExitCode%,Equal,0,Echo,"Update the checksum failed, exit code : %ExitCode%"
Filecopy,%Target_Sys%\winload.exe,%Target_Sys%\Boot\winload.exe,NoWarn


I think patching "Winload.efi" will break "SecureBoot" compatibility so JFX omitted it purposefully (damn SecureBoot  :ranting2:).

http://theoven.org/index.php?topic=866.msg11080#msg11080


Since SC complains about the driver signature, I am afraid that loading the driver on the fly using "drvload" may also fail in UEFI mode. I have to play with "Accessgain", "cfadisk" and "diskmod" to confirm whether "on the fly loading" will work or not. Will report back soon.

@devdevadev

Can you please try your "Filter Driver On-the-Fly v1.1" on a UEFI mode booted "Win8.1PE"?
« Last Edit: December 02, 2014, 08:38:17 PM by anshad »
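As an added illustration (not code from this thread or from the Win8.1SE project), the Python below models the two steps of the BypassDriverSigning section quoted above, where gsar swaps the UTF-16LE string DISABLE_INTEGRITY_CHECKS for XISABLE_INTEGRITY_CHECKS and PEChecksum.exe then rewrites the header checksum, and shows how a defender can tell a loader treated this way from a clean one (altered marker string, and a stale checksum if only the first step ran). The PE buffer is a constructed, minimal stand-in, not a real winload.exe; the function names are my own.

```python
import struct

# Constructed for this example: the UTF-16LE strings that the BypassDriverSigning
# section swaps with gsar ("D" -> "X" in the first character of the marker).
ORIGINAL_MARKER = "DISABLE_INTEGRITY_CHECKS".encode("utf-16-le")
PATCHED_MARKER = "XISABLE_INTEGRITY_CHECKS".encode("utf-16-le")


def checksum_field_offset(data: bytes) -> int:
    """Offset of OptionalHeader.CheckSum: e_lfanew + "PE\\0\\0" (4) + COFF (20) + 64."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return e_lfanew + 4 + 20 + 64


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """Recompute the header CheckSum the way PEChecksum.exe / imagehlp do: add the file
    as 32-bit words with end-around carry, skipping the CheckSum field itself, fold to
    16 bits and add the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def inspect_loader(data: bytes) -> dict:
    """Detection check: was the marker altered, and does the stored checksum still match?"""
    off = checksum_field_offset(data)
    stored = struct.unpack_from("<I", data, off)[0]
    return {
        "marker_patched": PATCHED_MARKER in data,
        "checksum_valid": stored == pe_checksum(data, off),
    }


def build_sample_image(marker: bytes, fix_checksum: bool) -> bytes:
    """Constructed, minimal PE-shaped buffer (NOT a real winload.exe): MZ stub with
    e_lfanew at 0x3C, PE signature, 20-byte COFF header, 96-byte optional header
    (CheckSum at +64) and a body carrying the marker string."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 96, 0x22)
    optional = bytearray(96)
    struct.pack_into("<H", optional, 0, 0x20B)  # PE32+ magic
    image = bytes(dos) + b"PE\0\0" + coff + bytes(optional) + b"\0" * 16 + marker + b"\0" * 16
    if fix_checksum:  # the PEChecksum.exe step of the script
        off = checksum_field_offset(image)
        image = image[:off] + struct.pack("<I", pe_checksum(image, off)) + image[off + 4:]
    return image


def demo() -> dict:
    """Walk the three states a loader can be in after the script's two steps."""
    clean = build_sample_image(ORIGINAL_MARKER, fix_checksum=True)
    string_swapped = clean.replace(ORIGINAL_MARKER, PATCHED_MARKER)  # gsar step only
    fully_patched = build_sample_image(PATCHED_MARKER, fix_checksum=True)  # both steps
    return {
        "clean": inspect_loader(clean),
        "string_swapped": inspect_loader(string_swapped),
        "fully_patched": inspect_loader(fully_patched),
    }
```

On a real file, `inspect_loader(open(path, "rb").read())` gives the same two booleans; a stale checksum alone is weak evidence, but the altered marker string is a direct sign of this specific patch.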

devdevadev

  • Jr. Chef
  • **
  • Date Registered: Jun 2014
  • Posts: 39
Sorry, I am unable to test Secure UEFI Booting due to the lack of any real UEFI machine. I am also waiting for your findings. :wink:

It looks like 'JFX' has not patched 'winload.efi'. Is it not possible to patch 'winload.efi'?

In 'Secure UEFI Booting', is the driver's signature verified/checked by hardware (the system UEFI firmware) instead of by software files in the Windows Installer (winload.efi)?
 
Regards....
« Last Edit: December 03, 2014, 12:48:22 AM by devdevadev »

loveleeyoungae

  • Apprentice
  • *
  • Date Registered: Oct 2014
  • Posts: 7
I did some quick tests and it seems that integrating unsigned driver is not possible with UEFI mode ( even if "SecureBoot" is off )  :sad:.
...
Since SC complains about driver signature, i am afraid that loading driver on the fly using "drvload" may also fail in UEFI mode. I have to play with "Accessgain" , "cfadisk" and "diskmod" to confirm whether "on the fly loading" will work or not. Will report back soon.
I don't know what's wrong with "Accessgain". But diskmod and cfadisk work (Windows(PE) will just pop up the red warning box and we'll have to click to accept the installation).
As you didn't mention it in your post, I'd like to note that you might also need to ENABLE the BCD parameter "Testsigning".
And yes, I'm talking about UEFI mode with SecureBoot Off on my REAL hardware.

Here is my checklist on integrating diskmod/cfadisk for your reference:
a. BIOS Mode: Winx86 works without any concern about Testsigning.
b. BIOS Mode: Winx64 works ONLY when Testsigning is ON/ENABLED.
c. UEFI Mode but Secure Boot is OFF/DISABLED: Winx86 works without any concern about Testsigning.
d. UEFI Mode but Secure Boot is OFF/DISABLED: Winx64 works ONLY when Testsigning is ON/ENABLED.
e. UEFI Mode and Secure Boot is ON/ENABLED: No matter how you try to change BCD boot options or settings, BOTH Winx86 and Winx64 can't work.


anshad

  • Chef
  • ***
  • Date Registered: Apr 2012
  • Posts: 323
Quote
As you didn't mention in your post, I'd like to note that you might also need to ENABLE the BCD parameter "Testsigning".

I figured it out myself just before reading your post. Yes, "Accessgain" loads fine if "bcdedit /set testsigning on" is applied against "efi\Microsoft\boot\bcd". A watermark with "Test mode" appears in the lower right corner and test signed drivers seem to work okay (SecureBoot is off). As you said, Windows seems to ignore the test mode setting if "SecureBoot" is enabled (I tested on an HP laptop with SecureBoot functionality).

A possible solution may be to patch the digital signature check after the PE loads (if somehow it is possible :frusty:). I think PECMD already does some "on the fly" patching to enable the shutdown button ( http://theoven.org/index.php?topic=1005.msg12102#msg12102 ).


@devdevadev

If you really want to create a "SecureBoot" compatible USB disk with hidden partitions that can boot to either Legacy/UEFI mode without changing any BIOS settings, I would suggest buying a USB fixed disk (those are not so costly these days). You can partition a UFD just as simply as a HDD and hide all partitions except the one you want to access from regular Windows. At the same time you can easily auto mount the hidden partitions from a WinPE without using USB filter drivers.
« Last Edit: December 03, 2014, 09:29:42 AM by anshad »

ChrisR

  • XPE Baker
  • Grand Chef
  • *****
  • Date Registered: Mar 2011
  • Posts: 3494
Thank you both for these tests and information, and for enlightening me too :thumbsup:
If I have understood well, Secure Boot plays its role well.
It will be hard to bypass, and so to use unsigned drivers, without disabling Secure Boot in the BIOS settings + Bcdedit.exe -set TestSigning ON :sad:
« Last Edit: December 03, 2014, 03:00:29 PM by ChrisR »

devdevadev

  • Jr. Chef
  • **
  • Date Registered: Jun 2014
  • Posts: 39
@devdevadev

If you really want to create a "SecureBoot" compatible USB disk with hidden partitions that can boot to either Legacy/UEFI mode without changing any BIOS settings, I would suggest buying a USB fixed disk (those are not so costly these days). You can partition a UFD just as simply as a HDD and hide all partitions except the one you want to access from regular Windows. At the same time you can easily auto mount the hidden partitions from a WinPE without using USB filter drivers.

Thanks :worship: for reminding me about this final solution. Actually I knew about this ultimate solution, but I wanted to implement the same on a 'Removable USB Drive'. But now it looks like some things are more secure than I was expecting. So I will have to use your suggested method in the near future if I cannot manage any alternative solution for my 'Removable USB Drive'.

Thanks & Regards....
« Last Edit: December 03, 2014, 03:54:26 PM by devdevadev »

anshad

  • Chef
  • ***
  • Date Registered: Apr 2012
  • Posts: 323
Quote
If I have well understood, the secure boot plays well its role.
It will be hard to bypass and so to use unsigned drivers without disabling the secure boot in Bios settings + Bcdedit.exe -set TestSigning ON  :sad:


Yes, indeed "SecureBoot" is doing its job fine. Although we power users hate it, it will be good for a normal user, as malware authors will have a hard time bypassing the security checking and installing a malicious driver to do their dirty work (like the infamous "ZeroAccess" does).

Chris, may I suggest making some small modifications to the "Access Gain" and "Driver Integration" scripts?

1. The "AccessGain" script should be updated with test signed binaries (DSEO can do that) and "Accessgain" should be excluded from the default selected scripts. On the script interface, add an info box stating that "SecureBoot" should be turned off to make "Accessgain" work with UEFI firmware. Also the script should be updated to enable "test signing" in the "efi\boot\Microsoft\bcd" store (this is not needed with "boot\bcd" since "Winload.exe" is patched by default).

2. Add an optional check box in the "Driver integration" script to enable test signing mode. A warning message about "SecureBoot" and perhaps a link to the DSEO download page will be helpful for newbies.
« Last Edit: December 03, 2014, 05:32:06 PM by anshad »

ChrisR

  • XPE Baker
  • Grand Chef
  • *****
  • Date Registered: Mar 2011
  • Posts: 3494
I agree, Anshad :thumbsup:
It is the logical continuation of this subject.
I will try to add all this next week.

:cheers:

Starla

  • Jr. Chef
  • **
  • Date Registered: Dec 2014
  • Posts: 13
Hi all.

I've been following the discussion in this thread and in the one linked by the OP at reboot.pro. A working solution has finally been suggested to devdevadev, but after reading the posts about test setups and results I still have some doubts. Could @anshad and/or @loveleeyoungae kindly clarify the following points?

1. According to JFX's post (*1) in Reply #1, in BIOS mode winload.exe requires patching in order for the "Disable_Integrity_Checks" setting in BCD not to be ignored. And because of the winload.exe patching, BCD also requires the "NoIntegrityChecks 1" setting to accept the patched winload.exe. But what about the "TestSigning ON" BCD setting: is it not required in BIOS mode when using the patched winload.exe and the previous 2 BCD settings?

2. It is known that while the current Win8.1 SE applies winload.exe patching, it doesn't for winload.efi. However anshad and loveleeyoungae report successful UEFI mode (SecureBoot OFF) tests by setting "TestSigning ON" in efi\Microsoft\boot\bcd. So is it that winload.efi doesn't require patching for that setting to work, contrary to winload.exe? Were the three BCD settings (D_I_C, NIC1, TSON) set in the efi-BCD in your test, or is just TSON enough?

3. Finally, it seems clear that *integrated* test-signed drivers yield a Win8.1 SE WIM/ISO that won't boot in UEFI mode (SecureBoot ON), regardless of efi-BCD and winload.efi patching. However, was the *on-the-fly* method (description link (*2), updated package link (*3)) *with* test-signed (DSEO) drivers *and* efi-BCD (D_I_C, NIC1, TSON) tested? It's been reported (*4) that the WIM/ISO will boot then (nothing looks wrong to SecureBoot), but on-the-fly driver injection will fail. However it's not clear whether the drivers were test-signed and the efi-BCD "properly" set.

Thanks in advance.

(1) http://theoven.org/index.php?topic=866.msg11055#msg11055
(2) reboot.pro/topic/19868-ultimate-super-smart-secret-removable-usb-drive-with-mega-booting/page-3#entry188944
(3) reboot.pro/topic/19868-ultimate-super-smart-secret-removable-usb-drive-with-mega-booting/page-3#entry189005
(4) reboot.pro/topic/19868-ultimate-super-smart-secret-removable-usb-drive-with-mega-booting/page-4#entry189026

ChrisR

  • XPE Baker
  • Grand Chef
  • *****
  • Date Registered: Mar 2011
  • Posts: 3494
1. The "AccessGain" script should be updated with test signed binaries (DSEO can do that) and "Accessgain" should be excluded from the default selected scripts. On the script interface, add an info box stating that "SecureBoot" should be turned off to make "Accessgain" work with UEFI firmware. Also the script should be updated to enable "test signing" in the "efi\boot\Microsoft\bcd" store (this is not needed with "boot\bcd" since "Winload.exe" is patched by default).

2. Add an optional check box in the "Driver integration" script to enable test signing mode. A warning message about "SecureBoot" and perhaps a link to the DSEO download page will be helpful for newbies.
Perfect, all is done :thumbsup:
For lack of hardware, I only tested on a legacy BIOS based computer with the original Winload.exe.
It should be good also on UEFI firmware, if you can give it a try anyway.

Here are the screenshots of the plugins; correct me if it is not clear for users.

* DriverIntegration+AccesGain.7z (39.6 kB - downloaded 144 times.)
« Last Edit: December 04, 2014, 11:34:32 PM by ChrisR »

anshad

  • Chef
  • ***
  • Date Registered: Apr 2012
  • Posts: 323
@ChrisR

Script interface looks perfectly fine. I will test the modified scripts and report back soon.


@starla

Quote

1. According to JFX's post (*1) in Reply #1, in BIOS mode winload.exe requires patching in order for the "Disable_Integrity_Checks" setting in BCD not to be ignored. And because of the winload.exe patching, BCD also requires the "NoIntegrityChecks 1" setting to accept the patched winload.exe. But what about the "TestSigning ON" BCD setting: is it not required in BIOS mode when using the patched winload.exe and the previous 2 BCD settings?



No, with a patched "Winload.exe", enabling "Test Mode" is not required. In my tests, "AccessGain" works fine in legacy/MBR mode without the need to enable test signing, thanks to the patch by JFX.

Quote
2. It is known that while the current Win8.1 SE applies winload.exe patching, it doesn't for winload.efi. However anshad and loveleeyoungae report successful UEFI mode (SecureBoot OFF) tests by setting "TestSigning ON" in efi\Microsoft\boot\bcd. So is it that winload.efi doesn't require patching for that setting to work, contrary to winload.exe? Were the three BCD settings (D_I_C, NIC1, TSON) set in the efi-BCD in your test, or is just TSON enough?


Enabling "Test Mode" will cause a watermark to appear in the lower right corner of the desktop. Moreover, all drivers should be at least test signed if "Winload.exe/Winload.efi" is not patched. I think JFX chose to only patch "Winload.exe" because:

1. "Winload.exe" is only used in legacy/CSM boot mode. If it is patched, the driver signature requirement can be bypassed. You can load unsigned drivers like "AccessGain" etc. without worrying about the digital signature.

2. "Winload.efi" is used in UEFI boot mode, and most of the time "SecureBoot" will be enabled too. If "Winload.efi" is patched, "SecureBoot" will refuse to boot the PE. So he decided it is best not to patch the loader, to keep compatibility with "SecureBoot".

Quote

3. Finally, it seems clear that *integrated* test-signed drivers yield a Win8.1 SE WIM/ISO that won't boot in UEFI mode (SecureBoot ON), regardless of efi-BCD and winload.efi patching. However, was the *on-the-fly* method (description link (*2), updated package link (*3)) *with* test-signed (DSEO) drivers *and* efi-BCD (D_I_C, NIC1, TSON) tested? It's been reported (*4) that the WIM/ISO will boot then (nothing looks wrong to SecureBoot), but on-the-fly driver injection will fail. However it's not clear whether the drivers were test-signed and the efi-BCD "properly" set.



All tests were done after all BCD parameters were set. But if "SecureBoot" is enabled, the loader will simply ignore those settings completely. Enabling "SecureBoot" will lock the kernel in a way that it will only run Microsoft cross-signed drivers. Microsoft made it clear officially:

http://msdn.microsoft.com/en-us/library/windows/desktop/hh848062(v=vs.85).aspx

Integrating the unsigned "AccessGain" driver doesn't seem to prevent the PE from booting even if "SecureBoot" is enabled. Rather, Windows will refuse to load the driver, and manually trying to load it will result in an error message complaining about the missing digital signature. The same applies to "on the fly" loading.

If "SecureBoot" is disabled and "test mode" is enabled, the PE will load and execute the driver without complaining.
« Last Edit: December 05, 2014, 05:34:01 AM by anshad »
