Macrovision's low level access bypasses ShadowDefender

Some programs out there use Macrovision's safecast as a drm mechanism, it uses a techniques of direct disk editing of sector 32 of a hdd to permanently mark that this product had been installed before for the purpose of activation.
The most common types of software using this scheme are adobe products. other products with similar macorvision protection such as CDilla include games and turbotax.

Reading that shadowdefender prevents lowlevel disk access I decided to test it against safecast by installing an old demo I had of photoshop cs2
(which I own activation keys for) in shadow mode. I have set the clock back in order to force an expiration of the software trial period.
Another reinstall of the demo (in shadow mode) after reboot triggers an activation request.
The results indicate a failure on shadowdefender's part to prevent permanent modiciation of the partition.

This was carried out on windows 7 x64 system.


The results of this test have very significant implications for members using SD as a means of securing their pcs for the obvious reason that malware utilize similar techniques for lowlevel access with much more malicious intentions.

For those of you testing, be warned that any wrong editing of the harddrive sector with winhex could result in a permanently crippled system. Make sure that the imaging solution you're using backs-up every sector -- byte to byte -- of the hdd before the installation. I am not sure how updated versions of macrovision's drm work so testers should read up on that or test the same product to reproduce results.

 

I don't get it yet....isn't this how ShadowDefender is supposed to work

 

I think that the point is there should have been no record of the trial expiration unless the drive had been modified.It should have just initiated a standard trial if there was no permanent record of it having been installed before.

 

If by 'work' you mean allowing lowlevel access then no.

 

That's not what I meant.

 

If this is true, then, it pays to have a classical HIPS guarding low level access and kernel driver loading in conjunction with light virtualiser, in effect, a Sanboxie like system-wide fortress. It will only takes a short time, that malware writers will found out in reproducing safecast's bypassing of Shadow defender and incorporate them in new malwares specifically targetted against such protection.

 

But I don't think this is even true to begin with.

 

Wow,I gotta admit Shadow Defender must be doing something good,with all these "threats" people are diggin up to throw it against Shadow Defender

 

I have discovered it is, but would appreciate if you guys go ahead and test it to verify the results

 

Not verified yet.

 

Update:
Managed to get my hands on a single partition disk and tried it out with returnil free. Same results obtained.

FYI; the program that I used for testing is from here: http://download.adobe.com/pub/adobe/photoshop/win/cs2/Photoshop_CS2.exe