Power Shadow

Discussion in 'sandboxing & virtualization' started by Chuck57, Jan 15, 2007.

Thread Status:
Not open for further replies.
  1. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
Assuming I am reading @idle.newbie's post correctly, it appears that PS does not stop low-level hard disk access... so, YES.

    Mike

    UPDATE: See bottom of post #854
     
    Last edited: Jun 9, 2007
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello Mike,

    Under what conditions do you think someone could gain that type of access on your machine?

    -rich
     
  3. EASTER.2010

    EASTER.2010 Guest

Heh, I didn't know any software program was P.E.R.F.E.C.T to begin with. :D

You have to remember, Windows programmers from every walk of life are dealing with $M core internal codes, a system which is always picked apart no matter what version.

As far as POWER SHADOW MASTER! It's as near perfect as you can get, along the same lines as FD-ISR so far as STABILITY!!! THAT'S THE PERFECT we're after here.

Your security software should prevent malicious low-level hard disk access, and with SSM and others I don't have that concern.

    Power Shadow Master IS NOT a replacement for any security programs, including low-level disk access blockers, it's a virtualization program technique to return your system again completely intact at the exact point as it was right before entering Shadow-Mode.
     
  4. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    On MY machine, NONE. :D

    Maybe a newbie (someone that has not become paranoid by reading all the scary posts here at Wilder's) downloads a cracked warez copy of Vista. And, at the create partition for Vista screen, after you accept, the bad program changes the MBR partition table so all the drive letters are in Klingon. :rolleyes:

Especially my brain.exe. o_O

You have to remember, Windows programmers from every walk of life are dealing with $M core internal codes, a system which is always picked apart no matter what version.

    Yup

Yup, I need to do that. FYI: SSM 2.0 Free Edition does not have low-level keyboard access control.

    Well, maybe...

    Right before I did this post, I used HxD - Freeware Hex Editor and Disk Editor while PS 2.6 was running. I wrote my name to sector 14. After reboot, I checked sector 14... my name was NOT there!

    So, more testing... "I'll be back." (I might have to learn Chinese to test the editor mentioned by @idle.newbie!)

    There you go folks, so much for PS being TOTALLY perfect!

    Mike
     
    Last edited: Jun 9, 2007
  5. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
With PS (2.6) running, I have been testing... trying all day to trash my hard disk, and I cannot do it! :D :D

    For example, I ran Paragon Hard Disk Manager 8 Special Edition, and edited sector 0 (the MBR), and wrote about half of it with "1111111111111111111111111111111111...". :eek:

    Reboot with no problem! :D :D

    I also wrote the words "blackcoffee" in sector 100,000,000 and it also was gone after reboot. :D :D

    So, until we hear back from @idle.newbie, looks like PS is once again PERFECT! :thumb: :thumb:

    Mike
     
  6. chew

    chew Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    515
    Location:
    GeordieLand.
    Sounds good.

I hope they develop it further without having to reboot, but if not I am still happy with it.

    :)
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi Mike,

    Can you explain in detail how you were able to edit sector 0?


    Thanks,

    -rich
     
  8. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
Warning! Make sure you have a complete image backup!!!!

Warning! Make sure you have PowerShadow running!!!!

    Using Paragon Hard Disk Manager 8 Special Edition...

    Highlight disk, <Right-Click>, Edit/View Sectors...
    PHDM-1.png


    Before...
    PHDM-2.png


    Click any place (right or left side of vertical bar), just start typing on keyboard...
    PHDM-3.png


When you change the very first thing, the check mark will turn green; click on the green check mark to commit the change....
    PHDM-4.png

    Mike
     
  9. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
Warning! Make sure you have a complete image backup!!!!

Warning! Make sure you have PowerShadow running!!!!

    Using HxD - Freeware Hex Editor and Disk Editor...

    HxD-1.png

    HxD-2.png

    HxD-3.png

    HxD-4.png

    HxD-5.png

    Mike
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi Mike,

    That's impressive!

    But how could someone from the outside accomplish something like that?

    I don't see this as a plausible threat to one's MBR.

    How would someone get a HEX editor installed on your computer?

    regards,

    -rich
     
  11. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
OK, I just made up something, but first, you need to put on your aluminum foil hat to protect from paranoia...

    The HxD - Freeware Hex Editor and Disk Editor is only 1,572,864 bytes, but as you can see pretty damn powerful.

    So, since it is very small, I assume it would be very easy to figure out exactly what functions are called. Just recode to remove all the GUI crap and hardcode whatever, or allow it to take command line options via CMD.EXE.

Then, split the program into four different pieces of 393,216 bytes each. (Nothing magic, just divided by four.)

    Put these four program pieces on some popular web site with lots of repeat visitors. Over at least four visits, the program splits can be copied to the target PC.

    Later on, some little program would recombine the pieces back together...
    green = four program pieces
    red = final bad program

    Mike ;)
     
  12. EASTER.2010

    EASTER.2010 Guest

    Thanks for the link Mike. That one and SectorEditor are both new to me where WinHex is not. Also haven't bothered with the Paragon sector editor either, nice. :thumb:

You're getting deep in the disk lately, thanks again. I have not delved to this level since messing with rootkits and other kernel hiders. Certainly drives the curiosity in the right direction though, because it's very beneficial to fully understand those facts from your own findings.

    Good stuff ;)
     
  13. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Thanks Mike! I would really like to try that, but unfortunately my backup solution isn't really a solution at the moment. My burner isn't burning. It sounds like a fun test though :cool: .

    Edited to add that I understand the seriousness of the possible results of such a test.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
SSM, OA, AE etc. would shut it down at the last stage.
     
  15. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
Crap... my attempt at world domination has failed again! ;)

    Mike
     
  16. EASTER.2010

    EASTER.2010 Guest

    And you don't know why?

    Like everyone else, you're also up against a Microsoft production. :D
     
  17. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    SectorEditor v1.05 by Julie.Lau

Well, after trading PMs with @idle.newbie and me running SectorEditor.exe (03/06/2007 07:19 PM, 200,704 bytes), it does in fact write to the hard disk even when PS is active! :eek:

    SectorEditor.exe is all in English. (It has one typo, Inport instead of Import.)

    SectorEditor.exe creates C:\WINDOWS\system32\drivers\sioctl.sys (5,888 bytes). (After I reboot out of PS, this file is gone.)

    Searching for sioctl.sys on Google returns three hits, one here at Wilder's, and two in Chinese. The two Chinese hits are talking about debugging Windows dynamically loaded drivers... WAY beyond what I know!

The only reference (via Google) I can find about sioctl.c (source code) is "What does MmProbeAndLockPages actually lock".

I also found info on pages 29 & 30 in this Word doc: "Memory Management: What Every Driver Writer Needs to Know".

    I am at a loss for words. :blink:

    Mike
     
  18. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
You're a very clever and brave man Mike, and thanks for the very deadly testing and the so far good results. :)

The way you're going, do you think that you may eventually be able to compromise PS?
     
  19. EASTER.2010

    EASTER.2010 Guest

Monitoring by System Safety Monitor quickly picks up (via fast polling, of course) the sioctl.sys driver being loaded. Upon closing SectorEditor, SSM also confirms a timely clean removal too. Some programmers either don't or can't fashion their code to release drivers after the main program is completed. That's why I keep on hand a ton of utilities to do it for them.
     
  20. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    On my system, sioctl.sys is not deleted. WTF

    I am NOT giving up on testing. :mad:

    Mike
     
  21. chew

    chew Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    515
    Location:
    GeordieLand.
    flinchlock,

    Are you saying PS is being compromised?



    EASTER.2010,

    Are you using SSM Free or Pro?

So are you saying SSM prevents the sioctl.sys driver being loaded?

    o_O
     
  22. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
Well, that is hard to say, and I am still testing. I have been getting weird results this morning testing. I need to slow down and write down step-by-step what I am trying, to see if I can see what is going on.

This morning, it looked like I could only write to the 1st cluster (sectors 0-62). Those sectors are not considered a hard disk, i.e. C:, D:, E:, etc. So, maybe in the protection provided by PS (protect system disk C:, or ALL disks), maybe these sectors are not protected?

    So, overall, I think PS is 99.999% secure.

    Some of the stuff I have been trying to compromise my harddisk with, would have a very difficult time of even happening anyway... I have a vivid imagination. o_O

    So, please do not freak out... hang in there.

    Mike
     
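An added example, not from the thread or from any of the tools named in it, of the defender-side check the previous post suggests: take a per-sector baseline of sectors 0-62 (the region the post suspects PS leaves unprotected), then report which sectors changed after a reboot and whether the MBR partition table still parses. It works on an in-memory image so it runs offline; reading a live disk would need administrator rights and a raw device handle such as \\.\PhysicalDrive0 (an assumption, not exercised here).

```python
import hashlib
import struct

SECTOR = 512
FIRST_TRACK = 63  # sectors 0-62, the range the post says may not be virtualised

def parse_partition_table(mbr: bytes):
    """Decode the four 16-byte partition entries of an MBR (sector 0)."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature: MBR looks damaged")
    entries = []
    for i in range(4):
        boot, ptype, lba, size = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype:  # skip empty slots
            entries.append({"bootable": boot == 0x80, "type": ptype,
                            "start_lba": lba, "sectors": size})
    return entries

def sector_digests(image: bytes, count: int = FIRST_TRACK):
    """SHA-256 per sector for sectors 0..count-1; store this as the baseline."""
    return [hashlib.sha256(image[i * SECTOR:(i + 1) * SECTOR]).hexdigest()
            for i in range(count)]

def changed_sectors(baseline: list, image: bytes):
    """Sector indices whose content no longer matches the stored baseline."""
    current = sector_digests(image, len(baseline))
    return [i for i, (b, c) in enumerate(zip(baseline, current)) if b != c]

def build_sample_image():
    """Constructed first-track image: one NTFS-type partition starting at LBA 63."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<B3xB3xII", mbr, 446, 0x80, 0x07, 63, 2_000_000)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr) + bytes(SECTOR * (FIRST_TRACK - 1))

def simulate_thread_writes(image: bytes):
    """Reproduce, on the sample image only, the two edits the thread describes."""
    buf = bytearray(image)
    buf[0:256] = b"1" * 256                      # half of sector 0 overwritten with '1'
    buf[14 * SECTOR:14 * SECTOR + 4] = b"Mike"   # a name written to sector 14
    return bytes(buf)

if __name__ == "__main__":
    base = build_sample_image()
    after = simulate_thread_writes(base)
    print("changed sectors:", changed_sectors(sector_digests(base), after))
    print("partition table:", parse_partition_table(after))
```

A change list containing sector 0 means the boot code or partition table was touched; a partition table that no longer parses is the "drive letters in Klingon" case from earlier in the thread.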
  23. Horus37

    Horus37 Registered Member

    Joined:
    Jan 4, 2007
    Posts:
    328
Download and run HP Backup and Recovery Manager, as I think it just busted through my 2.6 version of PowerShadow. Upon reboot it told me it had finished modifying system settings and needs to reboot. YIKES!!! This HP program was installed in full shadow mode. It appears to me I just might have found its Achilles heel.
     
  24. EASTER.2010

    EASTER.2010 Guest

NO, I'm saying SSM simply reports the driver loading, and then upon closing SectorEditor SSM (Modules Alert) prompts (mine is set to close in 2 sec.) that the driver is removed.

    I used my services tools to confirm it indeed unloads the driver completely, nothing new there. Any such program should.

Now then, this thing with a program writing to disk in PS shadow mode is disturbing if true. Means there is certainly a hole in the virtualization, or else it is able to completely bypass directly to the disk.

    (Waiting to read more results)
     
  25. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,770
    Location:
    New Mexico, USA
    But you booted back into shadow mode, if I read your post in the other thread correctly. What puzzles me is why, if you uninstalled the HP program in shadow mode it came back. Unless, as I posted in the other thread, PS restored your computer to what it was before the uninstall, which doesn't make sense to me.
     