  • Language
    C++
  • License
    MIT License
  • Created over 2 years ago
  • Updated over 2 years ago

Repository Details

SSDE is a collection of utilities that help in having Windows load your custom signed kernel drivers when Secure Boot is on and you own the system's platform key, instead of using test mode.

Self Signed Driver Enabler for Windows

SSDE is a collection of utilities that help in having Windows load your self signed (custom signed) drivers when Secure Boot is on and you own the platform key of the system, instead of resorting to running the system in test mode.

This is based off great work by the following:

I recommend reading the 2 resources above before proceeding, at least familiarizing well with what they describe. This README is not step by step, but it includes my observations on how to get this working on current Windows releases starting from the directions set by those.

Disclaimer

This is not entirely new code, but merely an adaptation of work already available in the repositories listed above. For this project, what I did was rewrite the kernel driver needed to maintain the licensing state starting from Geoff's example and using the essential stuff from the original ckspdrv.sys driver.

I also put together a helper app that interrogates this new driver and obtains the number of times the policy has been enforced on the system (ssde_info), a helper app that obtains the policy status from the registry in user mode (ssde_query) and also included the largely unchanged CustomKernelSigner enabler, with only bug fixes so that it does not boot loop anymore (ssde_enable aka EnableCKS.exe).

Precompiled binaries

Go to Releases to get precompiled files that you can use.

I have personally tested this and it works on Windows 11 build 22000.1.

How to?

Please follow the tutorial in [2] and apply what I describe in my notes below.

2.3 Build kernel code-sign certificate rules

I recommend using the policy from [1] instead of the one recommended in [2], which is available here and here (already in binary form, so that you do not necessarily require Enterprise or Education editions of Windows).

2.5 Enable CustomKernelSigners

There are 2 ways to do this:

  1. Use ssde_enable.exe method - this will reboot Windows in setup mode, where the policy can be changed from user mode, and then reboot the system; at next boot, the policy will be licensed and enabled (check HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CI\Protected\Licensed and with ssde_query)
  2. Use the trick mentioned in the end of article [1], specifically the section "Start Another Windows".

I had success with both depending on the machines I tested on. Sometimes, you have to repeat the process multiple times. For example, on my Ryzen 5900X machine, what I did was register the ssde driver service (details below), and then reboot to a preinstallation environment and use 2. After that reboot, and the OS boots fine and loads the driver, but HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CI\Protected\Licensed was still 0x0. Reboot, try to boot, blue screen because the ssde driver is signed with a non-Microsoft certificate. Reboot again to PE, redo 2 from above, reboot, booted fine into Windows, checked the registry, now Licensed is indeed 0x1 and then any subsequent reboot maintains the state and loads my custom ssde driver just fine. So, your mileage may vary, try a few times before giving up, it can really be hit or miss. Method 2 above works only if you register the driver with start=boot, because Licensed affects only drivers loaded by the bootloader, but apparently it is enough to have everything work and the trick function, eventually.

Both of these methods will land you on the desktop being able to load any self signed driver. Do not restart, as the policy change is not permanent and will revert to previous status. You have to install the ssde.sys driver in the system in order for the status to be preserved on subsequent boots.

The original EnableCKS.exe boot looped because, on newer Windows versions, only the policy CodeIntegrity-AllowConfigurablePolicy-CustomKernelSigners still exists. CodeIntegrity-AllowConfigurablePolicy is no longer available and does not seem necessary to add.

2.5 Persist CustomKernelSigners

Here, you have to install the driver. My command for signing it is (do this before getting here, ideally):

signtool sign /fd sha256 /a /ac .\localhost-root-ca.der /f .\localhost-km.pfx /p password /tr http://sha256timestamp.ws.symantec.com/sha256/timestamp ssde.sys

2.6 Persist CustomKernelSigners

The command I use for registering the service is:

sc create ssde binpath=%windir%\system32\drivers\ssde.sys type=kernel start=boot error=normal
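A read-only check of the state the steps above are meant to produce, written as an added example (not part of the SSDE project). It assumes `Licensed` is a value under the `Protected` key named in this README, that the service name and driver path match the `sc create` command above, and that it runs from an elevated PowerShell prompt.

```powershell
# Added example: verifies the state described in this README without changing anything.
$ciKey  = 'HKLM:\SYSTEM\ControlSet001\Control\CI\Protected'  # key path from the README
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\ssde'     # created by "sc create ssde"
$driver = Join-Path $env:windir 'System32\drivers\ssde.sys'  # binpath from the README

function Get-RegValue($Path, $Name) {
    # Return $null instead of throwing when the key or value is missing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# Confirm-SecureBootUEFI throws on systems that do not boot through UEFI.
try   { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
catch { $secureBoot = $null }

$licensed = Get-RegValue $ciKey  'Licensed'
$start    = Get-RegValue $svcKey 'Start'      # 0 = boot start
$type     = Get-RegValue $svcKey 'Type'       # 1 = kernel driver
$image    = Get-RegValue $svcKey 'ImagePath'

# Get-AuthenticodeSignature evaluates user-mode trust, not the kernel CI policy,
# so a custom-signed driver can report a status other than Valid here.
$sig = if (Test-Path $driver) { Get-AuthenticodeSignature -FilePath $driver } else { $null }

[pscustomobject]@{
    SecureBootEnabled = $secureBoot
    Licensed          = $licensed
    ServiceRegistered = ($null -ne $start)
    BootStart         = ($start -eq 0)
    KernelDriverType  = ($type -eq 1)
    ImagePath         = $image
    DriverPresent     = [bool]$sig
    SignerSubject     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    SignatureStatus   = if ($sig) { $sig.Status } else { $null }
} | Format-List

if ($licensed -ne 1) {
    Write-Warning 'Licensed is not 0x1: CustomKernelSigners is not currently licensed.'
}
if ($licensed -eq 1 -and $start -ne 0) {
    Write-Warning 'ssde is not registered with start=boot; per the README the state will not survive a reboot.'
}
```

On a machine where nobody followed this procedure, `Licensed` at 0x1 or an unexpected boot-start `ssde` service is worth investigating.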
