Macrovision's low level access bypasses ShadowDefender

Discussion in 'sandboxing & virtualization' started by Serapis, Jul 25, 2010.

Thread Status:
Not open for further replies.
  1. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Some programs out there use Macrovision's SafeCast as a DRM mechanism. It uses a technique of direct disk editing of sector 32 of a HDD to permanently mark that this product had been installed before, for the purpose of activation.
    The most common types of software using this scheme are Adobe products. Other products with similar Macrovision protection, such as CDilla, include games and TurboTax.

    Reading that Shadow Defender prevents low-level disk access, I decided to test it against SafeCast by installing an old demo I had of Photoshop CS2
    (which I own activation keys for) in shadow mode. I set the clock back in order to force an expiration of the software trial period.
    Another reinstall of the demo (in shadow mode) after reboot triggers an activation request.
    The results indicate a failure on Shadow Defender's part to prevent permanent modification of the partition.

    This was carried out on a Windows 7 x64 system.


    The results of this test have very significant implications for members using SD as a means of securing their PCs, for the obvious reason that malware utilizes similar techniques for low-level access with much more malicious intentions.

    For those of you testing, be warned that any wrong editing of the hard drive sector with WinHex could result in a permanently crippled system. Make sure that the imaging solution you're using backs up every sector -- byte for byte -- of the HDD before the installation. I am not sure how updated versions of Macrovision's DRM work, so testers should read up on that or test the same product to reproduce the results.
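    As an added example (not from this thread or from either vendor), a Python script that makes the test described above repeatable: it hashes sector 0 and sector 32 of a drive before the shadow-mode session and again after the reboot, and reports any sector whose contents persisted. The device paths, the 512-byte sector size and the constructed demo image are assumptions.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List

SECTOR_SIZE = 512          # assumption: 512-byte logical sectors (4K drives differ)
WATCHED_SECTORS = (0, 32)  # the MBR plus the sector the post says SafeCast marks


def read_sector(path: str, lba: int, size: int = SECTOR_SIZE) -> bytes:
    r"""Raw bytes of logical block `lba` from a device (e.g. \\.\PhysicalDrive0,
    opened as administrator, or /dev/sda) or from a disk image file."""
    with open(path, "rb", buffering=0) as dev:
        dev.seek(lba * size)
        data = dev.read(size)
    if len(data) != size:
        raise IOError(f"short read at LBA {lba}: {len(data)} of {size} bytes")
    return data


def snapshot(path: str, sectors: Iterable[int] = WATCHED_SECTORS) -> Dict[int, str]:
    """Hash each watched sector. Keep the hashes, not the contents, so the
    snapshot can be shared when asking others to reproduce the test."""
    return {lba: hashlib.sha256(read_sector(path, lba)).hexdigest() for lba in sectors}


def changed_sectors(before: Dict[int, str], after: Dict[int, str]) -> List[int]:
    """Sectors whose hash differs. Take `before` prior to entering shadow mode
    and `after` following the reboot; any entry here is a write that reached
    the real disk despite the virtualisation layer."""
    return sorted(lba for lba in before if before[lba] != after.get(lba))


def demo() -> List[int]:
    """Offline walk-through on a constructed 64-sector image instead of a real
    disk: a DRM-style marker lands in sector 32 and the comparison catches it."""
    fd, image = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        with open(image, "wb") as f:
            f.write(b"\x00" * (64 * SECTOR_SIZE))     # constructed blank image
        before = snapshot(image)
        with open(image, "r+b") as f:                  # simulate the persisted write
            f.seek(32 * SECTOR_SIZE)
            f.write(b"CONSTRUCTED-MARKER")
        after = snapshot(image)
        return changed_sectors(before, after)           # -> [32]
    finally:
        os.remove(image)
```

    Against a real drive, run `snapshot()` once before the shadow-mode install and once after the reboot, then pass both results to `changed_sectors()`; an empty list means the virtualisation held for those sectors.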
     
  2. nanana1

    nanana1 Frequent Poster

    Joined:
    Jun 22, 2007
    Posts:
    947
    I don't get it yet... isn't this how Shadow Defender is supposed to work o_O
     
  3. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    I think that the point is there should have been no record of the trial expiration unless the drive had been modified. It should have just initiated a standard trial if there was no permanent record of it having been installed before.
     
  4. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    If by 'work' you mean allowing low-level access, then no.
     
  5. nanana1

    nanana1 Frequent Poster

    Joined:
    Jun 22, 2007
    Posts:
    947
    That's not what I meant.
     
  6. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    If this is true, then it pays to have a classical HIPS guarding low-level access and kernel driver loading in conjunction with a light virtualiser, in effect a Sandboxie-like system-wide fortress. It will only take a short time before malware writers find out how to reproduce SafeCast's bypassing of Shadow Defender and incorporate it into new malware specifically targeted against such protection.
     
  7. nanana1

    nanana1 Frequent Poster

    Joined:
    Jun 22, 2007
    Posts:
    947
    But I don't think this is even true to begin with.:p
     
  8. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,293
    Wow, I gotta admit Shadow Defender must be doing something good, with all these "threats" people are diggin up to throw against Shadow Defender :D
     
  9. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    I have discovered it is, but would appreciate it if you guys go ahead and test it to verify the results.
     
  10. nanana1

    nanana1 Frequent Poster

    Joined:
    Jun 22, 2007
    Posts:
    947
    Not verified yet.:p
     