Explore the inner workings of Microsoft's Authenticode code-signing mechanism on Windows in this 31-minute conference talk. Learn what code signing means for the kernel and for driver development, and how rootkit authors have found ways around Driver Signature Enforcement. Examine the techniques used by the Derusbi, Uroburos and GrayFish rootkits to circumvent driver signing requirements. Conclude with a look at user-land security, focusing on the code-signing-based library injection protection introduced in Windows 10 TH2, with particular attention to the Edge process.
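A practical check that follows from the kernel part of the talk is to ask the running system which loaded drivers actually carry a valid Authenticode signature, and whether test-signing mode (which lets unsigned or self-signed drivers load) is enabled. The script below is an added example for this listing, not code from the talk or its speaker; it assumes a Windows 10 or later host with Windows PowerShell 5.1 or newer, run from an elevated prompt (bcdedit requires it), and uses only the built-in Get-CimInstance and Get-AuthenticodeSignature cmdlets.

```powershell
# Added example (not part of the talk): enumerate running kernel drivers and
# verify their Authenticode signatures. Anything other than 'Valid' deserves a
# closer look: on a production x64 system, Driver Signature Enforcement should
# not have loaded it unless test-signing mode or a bypass is in play.

$drivers = Get-CimInstance -ClassName Win32_SystemDriver -Filter "State = 'Running'"

$results = foreach ($d in $drivers) {
    $path = $d.PathName
    if (-not $path) { continue }

    # Win32_SystemDriver reports NT-style paths such as
    # \SystemRoot\System32\drivers\x.sys, \??\C:\...\x.sys or a relative
    # System32\drivers\x.sys. Normalize them to Win32 paths before checking.
    $path = $path -replace '^\\SystemRoot', $env:SystemRoot
    $path = $path -replace '^\\\?\?\\', ''
    $path = $path -replace '^System32\\', "$env:SystemRoot\System32\"

    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ Name = $d.Name; Path = $path; Status = 'FileNotFound'; Type = $null; Signer = $null }
        continue
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Name   = $d.Name
        Path   = $path
        Status = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Type   = $sig.SignatureType   # Authenticode (embedded) or Catalog
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# Report only the drivers whose signature did not verify.
$results | Where-Object { $_.Status -ne 'Valid' } | Sort-Object Name | Format-Table -AutoSize

# Test-signing mode also lets unsigned or self-signed drivers load; flag it.
$testSigning = bcdedit /enum '{current}' | Select-String -Pattern '^testsigning\s+Yes'
if ($testSigning) {
    Write-Warning 'Test-signing mode is enabled on the current boot entry.'
}
```

Many inbox drivers are signed only through a catalog rather than an embedded signature, so the SignatureType column matters: on older Windows PowerShell versions that do not consult catalogs, those drivers show up as NotSigned even though the kernel accepted them. A clean result from this script is also not proof that the system is free of the bypasses the talk describes, since a rootkit that loads via a signed but vulnerable third-party driver, or that patches signature enforcement in memory, leaves its own code out of the driver list entirely.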
Hack.lu 2016 Windows systems & code signing protection by Paul Rascagnères
Taught by
Cooper