Purple pill to counteract Vista's 64 bit driver authentication
LinchpinLabs recently developed software signed with the company's key and known as the Atsiv driver, which allowed arbitrary code to be loaded into the kernel of the 64 bit version of Vista. Because Microsoft considered this to breach their guidelines for Kernel Mode Code Signing (KMCS), the software giant revoked LinchpinLabs' certificate and issued a signature for Windows Defender that categorised Atsiv as malicious. Now former ReactOS co-developer Alex Ionescu has released PurplePill, which, according to Symantec is based on a signed but defective ATI driver and can use this to load additional unsigned code.
According to Ionescu's blog entry, the Atsiv driver has certain disadvantages. It does not utilise the operating system's standard mechanism for loading further code. This means that Microsoft's DRM system is unable to detect the software, representing a breach of the Digital Millennium Copyright Act (DMCA). In addition, the company signed the driver with its own key, thereby putting itself in jeopardy. PurplePill, by contrast, relies on a key which is in use on around half of all systems. Because the software uses official operating system mechanisms for loading code, this software will be visible to Vista which will therefore issue a warning. The DRM system is also able to react and activate 'resolution constriction', which causes high resolution content to be scaled down to low resolution.
According to Ionescu's assessment, Microsoft cannot simply revoke the ATI certificate, as this would make many users' computers unusable. Symantec believes that ATI will obtain a new certificate and distribute corrected drivers signed with the new key via Windows Update, allowing Microsoft to revoke the old certificate at a later date. The anti-virus software vendor has also released signatures which detect PurplePill as a hacking tool.
The published version of PurplePill remains at an early stage of development and could cause crashes, as the system assumes that certain functions have fixed offsets. In Vista, however, Address Space Layout Randomization ensures that offsets for functions are at random addresses.
Alex Ionescu has since deleted the blog entry, however it can still be found in the Google cache. The PurplePill archive has also disappeared from Ionescu's server. It is not clear if this has occurred under pressure from Microsoft or ATI. No response has been received to an enquiry sent by heise Security to Ionescu.
- Blog entry by Alex Ionescu in the Google cache
- Driver Signing on Vista 64 – ATI Isn't Getting a Christmas Card This Year, blog entry by Symantec
- Vista's DRM allegedly cracked , report regarding an Ionescu hack from heise Security