I think I broke powershadow. Software loaded and survived reboot.

Discussion in 'sandboxing & virtualization' started by Horus37, Jun 11, 2007.

Thread Status:
Not open for further replies.
  1. Horus37

    Horus37 Registered Member

    Joined:
    Jan 4, 2007
    Posts:
    328
    Someone else can verify this if they want. I downloaded HP Backup and Recovery Manager and installed it while fully shadowed, and it installed and reported so upon reboot. I'm looking at my drive for a new hidden partition, which it would install as a recovery partition, yet I can't find a new drive letter; however a popup stated upon reboot that it was successfully installed. WTF o_O I am horrified I just screwed up my computer and now have to resize it with Partition Magic. Someone with a VM want to test this out by downloading the software while in shadow mode and see what it does to your machine? I'd like to have some confirmation. I'm shocked.
     
  2. Horus37

    Horus37 Registered Member

    Joined:
    Jan 4, 2007
    Posts:
    328
    OK, on every reboot into full shadow mode I get popups stating that Windows has detected new hardware and installs something and then states it needs to reboot. I think this is solid proof that this HP software breached PowerShadow. I have kept it in constant full PowerShadow mode since install and haven't rebooted to a normal mode yet, so I think I will boot to a different snapshot and copy/update over the snap that has this installed software and see what happens. Then I'm going to delete that snapshot. Hope it removes the hidden partition. How do you detect this with a hex editor?
     
  3. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, folks: From my own hands-on experience w/ DeepFreeze Standard, these two things would NEVER have happened. (1) Anything installed in Frozen mode will not survive a reboot. (2) With DF's presence (in both thawed and frozen mode), no partition manager such as Paragon Partition Manager or Partition Magic is able to alter partitions. I do not know why PS would allow these things to happen. I have long suspected that PS is creating two snapshots, one normal, the other shadow, at any given time, to allow switching from normal to shadow w/o any rebooting. Just my wild guess.
     
  4. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, folks: I need to make a correction here. What I mean by "never happen" is actually what DF holds to be true, not never. Sorry for the confusion.
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi,

    I can recall that ZopZop had a similar problem. Check posts on HP Backup and PowerShadow.
     
  6. Horus37

    Horus37 Registered Member

    Joined:
    Jan 4, 2007
    Posts:
    328
    Well this is confirmed now. PowerShadow has been breached. This is the scary part: while in full shadow mode I installed the HP software just to look at it. It installed fine and wanted to reboot to finish the setup. I didn't allow a reboot yet. I clicked the program to open it up and looked at the GUI just to see what the options were and never chose to back up anything. Then I just went to the Add/Remove tab in Windows and ran the uninstall, thinking that would be safe to do so as to prevent any partition. The uninstall went fine, all the while I'm still fully in shadow mode. Then I boot out of shadow mode and do a reboot. Upon reboot I select to go back into full shadow mode from the bootup prompt, thinking I'll be doubly safe. Sure enough, as Windows finishes loading I get a tray icon stating that it has finished loading a new hardware device and needs to reboot again!? So evidently it thinks that a new drive has been loaded representing the new hidden partition. Under normal circumstances a new drive letter would be issued, yet I get no new drive letter, but I haven't let it reboot in normal unshadowed mode yet as I'm afraid that will screw it up even more. I guess I'll have to Darik nuke boot disc this thing. Anyone else wanna download this thing and report how trashed your system gets? Better have a backup image to boot to if you do.
     
  7. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    Got a link to the software?
     
  8. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Seems the only way to find out is to boot back into windows.

    I tried running ghost 2003 from shadow mode with it going through the motions to make a ghost image but it just booted back into windows.
     
  9. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    "I clicked the program to open it up and looked at the GUI just to see what the options were and never chose to back up anything. Then I just went to the Add/Remove tab in Windows and ran the uninstall thinking that would be safe to do so as to prevent any partition. The uninstall went fine all the while I'm still fully in shadow mode. Then I boot out of shadow mode and do a reboot. Upon reboot I select to go back into full shadow mode from the bootup prompt thinking I'll be doubly safe. Sure enough, as Windows finishes loading I get a tray icon stating that it has finished loading a new hardware device and needs to reboot again!?"

    Not sure what exactly happened, but if I read this right, even though you deleted the thing in PS, when you rebooted Powershadow put it back on your box. I've never tried uninstalling software I've downloaded while in PS. I just reboot to get rid of it.

    The fact that it got past PS is a worry, if it did. It could be that PS just restored your drive to the previous shadowed state prior to uninstall.

    I'm unclear whether this is only while in shadow mode or if the new thing is there while unshadowed. From what I'm understanding, it's only in shadow mode that the drive shows. I've never run into anything like it, so am at a complete loss. I'd say boot out of powershadow and see what happens. It might be that the HP thing will disappear as it should.

    http://h20331.www2.hp.com/Hpsub/cache/312352-0-0-225-121.html

    Not a download link, but it describes the software.
     
    Last edited: Jun 11, 2007
  10. Horus37

    Horus37 Registered Member

    Joined:
    Jan 4, 2007
    Posts:
    328
    I'm convinced now, after using a different FDISR snapshot to try and undo the damage, which failed, that HP Backup and Recovery Manager breaks PowerShadow and even FDISR. I had a different snapshot I could boot into and did, and tried to copy over the bad snapshot with a known good snapshot, and even that failed to remove what this HP software did.
     
  11. poirot

    poirot Registered Member

    Joined:
    May 4, 2005
    Posts:
    299
    Horus37, you're using a car to sail and a boat to race on turf and then expect things to go the right way? Especially because you later put everything on top of one another....

    Was your PowerShadow installed properly with at least a reboot?

    1 - Notwithstanding the deep, low-level features of such a backup program,
    you say you installed and then proceeded to uninstall via Add/Remove...
    but the latter part is non-existent, as A/R needs a reboot to be performed...

    2 - Then, instead of allowing a normal reboot of the machine, after which you could have made other changes... you changed the normal order of PowerShadow BEFORE a reboot was fully done, by changing from single disk to an All Disks coverage...
    You not only once, but twice asked for trouble upon reboot and you finally succeeded... but what does this mean?

    Don't you think that you expected too much from PS and acted carelessly?
    If PowerShadow has been 'BREACHED', so have countless programs
    on this Earth every time there's been a BSOD...

    Or, better said, PowerShadow has been 'breached'... by you... perhaps.
     
  12. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    Maybe the HP software created an HPA or DCO area/partition?

    http://cmrr.ucsd.edu/Hughes/HDDEraseReadMe.txt
    Also read here http://en.wikipedia.org/wiki/Host_Protected_Area for tools that can view the HPA partition.

    Mike
     
  13. Horus37

    Horus37 Registered Member

    Joined:
    Jan 4, 2007
    Posts:
    328
    I think you are assuming I did more to PowerShadow than I did to make it malfunction. I did not switch from single mode to full shadow mode in the middle of a session. The shadowed session I was in was entered from the boot prompt into a FULL Shadow mode. Everything loaded up normally on a computer that was recently rebuilt from the ground up, so I know it has no software problems. I monitor my log files for any errors. None. I installed no new software on this machine nor changed any hardware. I have used PowerShadow for a while now and am very familiar with it. The install of the HP software went without errors and requested a reboot to finish its installation. I couldn't do that as it would take me out of shadow mode, so I just opened the software to see if it would even function without a reboot. Sure enough it did. Brought up the GUI for the backup function. I looked at it and didn't see a function for uninstalling it from the GUI nor to uninstall any partition. I'm assuming it didn't have that because I thought I didn't make a partition yet, nor did I do any sort of backup with it. I figured I'll just be safe and uninstall it with Add/Remove just to make sure it didn't install a partition or anything, even though I was in shadow mode still. That's the only odd thing: to uninstall software in shadow mode that I just installed. But that shouldn't matter on a reboot, you'd think. So the reboot went fine, no errors, and I went back into full shadow mode from the boot prompt. Then as Windows continued to boot up I get all these popups. From reading Erik's response, he gets these popups of new hardware installed when installing an image. Don't know what to think about that. My computer is running fine. No error messages now and no more popups about new hardware being installed or needing a reboot. I see no errors in my log files. I look and there is no new drive letter, but I think it may be hidden like an HPA or DCO, like what Flinchlock is saying. I think that is the most reasonable thing I've heard, and exactly what this program installs is an HPA. Thanks flinch for looking that up. I was thinking about that exact same thing; however I hadn't really started looking it up or how to defeat it outside of what HP offers. Hopefully I can get this sorted out. I'll try that DOS program you listed maybe instead of Darik's nuke boot CD.

    Not sure why you thought that I had switched from single mode shadow to full shadow in the middle of a session? Where did you come up with that? If you're so confident that I did something wrong, I dare you to download HP's backup and recovery software and install it in shadow mode and see what happens to your drive. Everyone seems scared to try this as no one wants to confirm that PowerShadow can be breached. Just for fun I might redo the whole thing and see if I can duplicate the hidden partition install while shadowed. However, people with access to VMs should also try this.
     
    Last edited: Jun 12, 2007
  14. Horus37

    Horus37 Registered Member

    Joined:
    Jan 4, 2007
    Posts:
    328

    I think you hit the nail right on the head with that, Flinchlock. That is exactly what this program does: create an HPA. What is shocking is I didn't even do the backup yet, or didn't even select anything on a menu to indicate that I had created an HPA. I just installed the software and opened it up to look at the GUI. Uninstalled it, then booted out of shadow mode and did a normal reboot. Then BAM. I will look at how to erase this hidden partition with a proper erase utility if Darik's nuke boot CD I have fails. Thanks for all your help. I'm having fun learning all this new stuff: hex editors and HPAs and DCOs and the limits of FDISR and PowerShadow and virtualization. It only takes me an hour to recover just using simple PowerShadow though, and no image program, as long as I can delete this pesky new hidden partition. I must say though that my computer is running fine even after all this. Found out that you can use PowerShadow even inside a guest account and it works. I thought it only worked in admin or limited user mode. After this I'm going to feel pretty confident about how to recover from disasters.
     
  15. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    As far as hidden partitions go...

    I know for a fact the Paragon Drive Backup 8.51 Professional Edition has something called a "Backup Capsule"... "Backup Capsule to keep backup images in safe protected space on hard drive". But I have not messed with that yet.

    I think I read some where ATI? also has a special partition?

    Mike
     
  16. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Could an app that does this sort of thing with no user input/prompt or even a proper install by not rebooting be classed as malware?

    Would or could any security app have warned and stopped as such?
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Nice job! Now let's see who tries this software against other virtualization software like ShadowSurfer, DeepFreeze etc., just for a comparison.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,043

    No way. This isn't a valid test of anything, but what not to do. I looked at the HP page and found this:

    Easy to run, easy to restore

    HP Backup and Recovery Manager is quick and user-friendly. To run, simply go to All Programs > HP Backup & Recovery > HP Backup and Recovery Manager.

    With HP Backup & Recovery Manager, file restoration is easy. To recover a deleted file, simply use the Restore Wizard. For a full system restoration, press the F11 key during bootup and then select "Recover PC" from the menu.


    Now where on earth would the data come from, and why would you need to use the F11 key during boot up if it didn't have some kind of hidden partition to store the backup. This is standard Dell,HP,Lenovo..... fare. Now I am not a big fan of this approach but malware absolutely not. It's just working the way it was designed.

    Installing this program without the required reboot would surely not accomplish anything. The real menu comes up during the boot process. Also, installing while in any shadow mode is a total invitation to disaster, which unfortunately is exactly what happened.

    You want some fun? Try installing Rollback while Power Shadow is in shadow mode. Again, I'd just be prepared to restore a good image, because most likely this will have an equally bad effect.

    I have no doubt the result of the above actions would equally trash Returnil, Shadow User, Deep Freeze etc.

    I don't use Power Shadow, but what has happened here in my mind reveals no weakness with Power Shadow whatsoever.

    Pete
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,043
    Of course FDISR wouldn't be able to recover. Installing a program that adds a partition and modifies the partition table and mbr while in shadow mode, and then trying to roll it back with Power Shadow did a number on the mbr/partition structure of your disk. Nothing FDISR can do to help you with that.


    PowerShadow and Returnil are great apps for browsing, downloading and making sure stuff is safe, with the ability to get rid of it.

    But to test install software in the shadow mode is just asking for trouble. I'd use FDISR,Rollback, or imaging for this.

    Pete
     
  20. Horus37

    Horus37 Registered Member

    Joined:
    Jan 4, 2007
    Posts:
    328
    If you can't trust your recovery applications to bail you out of trouble then what good are they? This is case in point. So basically all a malware has to do is install an HPA or DCO into your computer and hide whatever it wants there, and nothing commercially available is going to reverse that sort of invasion. If FDISR can't help with this then that is a HUGE problem. If imaging can't help with this then that is a HUGE problem. And it looks like restoring an image DOES NOT remove the hidden partition. You need special software for that. After using the special removal software THEN you can use an image backup. I just did a secure delete wipe with zeros on my whole hard drive with DBAN, and after that and a full format I installed FDISR again in a fresh copy of Windows and loaded my offline archives into a new snapshot and booted that up and STILL get the annoying popups that state "Found new hardware"... "System settings have changed... and I need to reboot"... So this could mean a couple of things... 1. There truly is a hidden partition now, since the fresh restore is having the same problems as before. 2. The computer is acting like an image restore just happened, according to Erik, and it's normal for it to detect new hardware and have popups stating new hardware found etc. If this is so we need to take a poll on that. However I've never seen this happen with FDISR restores of images, and I've done fresh restores before like I just did and DID NOT have the popups and messages I get now. So, I conclude that I more than likely have some sort of corruption going on, or a hidden partition with no data in it, or something I'll need to contact HP support about. This computer DID NOT come pre-installed with a hidden partition like some computers do. I have the recovery CDs instead, supplied by the OEM manufacturer. 3. What good is PowerShadow if it can't protect the MBR or recover from a partition move? 4. What good is FDISR then if it can't help you recover from MBR corruption? Virus writers routinely hammer on the MBR. If it can't recover from this then this software is overrated, since all a malware writer has to do is change your MBR or your partition. If you can break FDISR with this then you could probably break Rollback the same way. So what good are these programs unless you have the software to remove the hidden partitions? As far as this comment, "I don't use Power Shadow, but what has happened here in my mind reveals no weakness with Power Shadow whatsoever." How could you say that if it installs a partition you can't get rid of? How can you say that in good conscience? What if malware was also installed into this HPA? Would you think that bypassing PowerShadow is not a weakness then? I'm sure it's easy for malware writers to get hold of this sort of code to install HPAs, so if installing HPAs can bypass PowerShadow AND FDISR I'd say that's a weakness.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,043
    Horus, the problem here is what you are doing.

    1. No surprise there is a hidden partition. THAT is how the HP software works. So of course it installs one. Assuming you read the web page, just what did you think pressing F11 at boot was for?

    2. I am not sure what restore Erik is talking about. I've never had it with FDISR, or images. Can you guess what HP support is going to tell you? I can. First, you didn't install it properly because you didn't reboot. Then you compounded it by trying to uninstall before the install was complete, and third, you installed with something that was going to brute-force make it go away. They will tell you that you failed to follow the instructions and they can't be responsible, and they would be right.

    3. Repeat after me at least 100 times. FDISR IS NOT SECURITY SOFTWARE. It is designed to recover from things that corrupt the system like bad software installs, that almost never touch the MBR or Partition table.

    You keep saying PowerShadow installed a hidden partition. It did no such thing. The HP software did that. Remember, PowerShadow is designed to undo changes to files within the partition it protects. What do you expect when you install something that creates a new partition on the disk?

    Can malware writers design code that can circumvent these programs. OF course. Is it likely. No. There just isn't a wide enough base to make it economical.

    Horus, there is nothing wrong with experimenting and testing and playing, but you must do two things. First, you must understand how the software works, or don't install it. And secondly, if you are going to play like you have been, you'd be well advised to buy something like VMware Workstation. It is bulletproof, and is an excellent way to see what will happen, with easy recovery. How do you think I've run the tests I've run?

    Pete
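Pete's point above (shadow mode undoes file writes inside the protected partition, not partition-table or MBR changes) and flinchlock's HPA/DCO suggestion both argue for baselining the disk structure before a risky install. The following is an added example, not code from the thread or from PowerShadow or HP: it parses a raw MBR, diffs a baseline against a later copy, flags partition types that OEM recovery tools commonly leave hidden, and reports sectors that no partition claims. The hidden-type table and the sample partitions are constructed; a true HPA also makes the drive itself report a smaller capacity, so compare the reported sector count against your baseline as well.

```python
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446
ENTRY_FMT = "<B3xB3xII"  # status, CHS start, type, CHS end, LBA start, sector count

# Partition-type bytes OEM recovery tools commonly use so Windows assigns no
# drive letter (general MBR knowledge, not something the thread states).
HIDDEN_TYPES = {0x12: "Compaq/HP diagnostics", 0x17: "hidden NTFS",
                0x1B: "hidden FAT32", 0x1C: "hidden FAT32 LBA",
                0x27: "hidden NTFS / Windows RE"}


def parse_mbr(mbr):
    """Decode one raw 512-byte MBR into boot code, disk signature and partitions."""
    if len(mbr) != SECTOR_SIZE or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a 512-byte MBR with a 55 AA signature")
    parts = []
    for slot in range(4):
        _status, ptype, start, count = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * slot)
        if ptype != 0:  # type 0x00 marks an unused slot
            parts.append({"slot": slot, "type": ptype, "start": start, "sectors": count})
    return {"boot_code": mbr[:440],
            "disk_signature": struct.unpack_from("<I", mbr, 440)[0],
            "partitions": parts}


def build_mbr(partitions, disk_signature=0x5EC0DE01, boot_code=b"\x90" * 440):
    """Assemble a constructed MBR from (type, start_lba, sectors) tuples (test data)."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[:440] = boot_code
    struct.pack_into("<I", mbr, 440, disk_signature)
    for slot, (ptype, start, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * slot,
                         0x80 if slot == 0 else 0, ptype, start, count)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


def audit_mbr_change(before_raw, after_raw, disk_sectors):
    """Diff a baseline MBR against a later copy. Everything reported here lives
    outside the protected filesystem, so a file-level rollback product will not
    undo it. disk_sectors is the capacity the drive reports at audit time."""
    before, after = parse_mbr(before_raw), parse_mbr(after_raw)
    findings = []
    if before["boot_code"] != after["boot_code"]:
        findings.append("MBR boot code changed")
    if before["disk_signature"] != after["disk_signature"]:
        findings.append("disk signature changed")
    old = {p["slot"]: p for p in before["partitions"]}
    new = {p["slot"]: p for p in after["partitions"]}
    for slot in sorted(set(old) | set(new)):
        if slot not in old:
            p = new[slot]
            findings.append("new partition in slot %d: type 0x%02X, %d sectors at LBA %d"
                            % (slot, p["type"], p["sectors"], p["start"]))
        elif slot not in new:
            findings.append("partition removed from slot %d" % slot)
        elif old[slot] != new[slot]:
            findings.append("partition in slot %d modified" % slot)
    for p in after["partitions"]:
        if p["type"] in HIDDEN_TYPES:
            findings.append("slot %d uses hidden type 0x%02X (%s)"
                            % (p["slot"], p["type"], HIDDEN_TYPES[p["type"]]))
    used = max((p["start"] + p["sectors"] for p in after["partitions"]), default=0)
    if used < disk_sectors:  # space no visible partition claims: candidate hidden area
        findings.append("%d unallocated sectors after the last partition" % (disk_sectors - used))
    return findings
```

On a real machine the baseline and later copies are just the first 512 bytes of the physical disk, read with any raw-sector tool before and after the install.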
     
  22. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    This situation is where a cloned HD of the master may come in handy. o_O

    Horus, I know you're a tad shirty and disappointed about what's happened, but surely there must be a way to fix the prob.
     
  23. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    Peter do you think Rollback can survive this?

    Thanks,

    Chris
     
  24. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Pete, please write more posts :D
     
  25. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Horus if you would like to try something.

    The link below will show how to force the Device Manager to show non present devices.

    Once you have done the required settings, go into Device Manager and show hidden devices, then have a look at Storage Volumes. See if you can see the hidden partition.
    http://www.techmentors.net/Articles/os_windows/2006_05/TID149.asp

    If it shows as a non-present or ghosted device you may be able to use the right-click menu items. o_O
     