Power Shadow

Discussion in 'sandboxing & virtualization' started by Chuck57, Jan 15, 2007.

Thread Status:
Not open for further replies.
  1. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    Assuming I am reading @idle.newbie post correctly, it appears that PS does not stop low level harddisk access... so, YES.

    Mike

    UPDATE: See bottom of post #854
     
    Last edited: Jun 9, 2007
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello Mike,

    Under what conditions do you think someone could gain that type of access on your machine?

    -rich
     
  3. EASTER.2010

    EASTER.2010 Guest

    Heh, i didn't know any software program was P.E.R.F.E.C.T to begin with. :D

    You have to remember, windows programmers from every walk of life are dealing with $M core internal codes, a system which is always picked apart no matter what version.

    As far as POWER SHADOW MASTER! It's as near perfect as you can get along the same lines of FD-ISR so far as STABILITY!!! THATS THE PERFECT we're after here.

    Your security software should prevent malicious low level harddisk access, and with SSM and others i don't have that concern.

    Power Shadow Master IS NOT a replacement for any security programs, including low-level disk access blockers, it's a virtualization program technique to return your system again completely intact at the exact point as it was right before entering Shadow-Mode.
     
  4. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    On MY machine, NONE. :D

    Maybe a newbie (someone that has not become paranoid by reading all the scary posts here at Wilder's) downloads a cracked warez copy of Vista. And, at the create partition for Vista screen, after you accept, the bad program changes the MBR partition table so all the drive letters are in Klingon. :rolleyes:

    Expecially my brain.exe. o_O

    You have to remember, windows programmers from every walk of life are dealing with $M core internal codes, a system which is always picked apart no matter what version.

    Yup

    Yup, I need to do that. FYI: SSM 2.0 Free Edition does not have Low level keyboard access control.

    Well, maybe...

    Right before I did this post, I used HxD - Freeware Hex Editor and Disk Editor while PS 2.6 was running. I wrote my name to sector 14. After reboot, I checked sector 14... my name was NOT there!

    So, more testing... "I'll be back." (I might have to learn Chinese to test the editor mentioned by @idle.newbie!)

    There you go folks, so much for PS being TOTALLY perfect!

    Mike
     
    Last edited: Jun 9, 2007
  5. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    With PS (2.6) running, I have been testing... trying all day to trash my harddisk, and I can not do it! :D :D

    For example, I ran Paragon Hard Disk Manager 8 Special Edition, and edited sector 0 (the MBR), and wrote about half of it with "1111111111111111111111111111111111...". :eek:

    Reboot with no problem! :D :D

    I also wrote the words "blackcoffee" in sector 100,000,000 and it also was gone after reboot. :D :D

    So, until we hear back from @idle.newbie, looks like PS is once again PERFECT! :thumb: :thumb:

    Mike
     
  6. chew

    chew Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    515
    Location:
    GeordieLand.
    Sounds good.

    I hope the develop it further without having to reboot but if not I am still happy with it.

    :)
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi Mike,

    Can you explain in detail how you were able to edit sector 0?


    Thanks,

    -rich
     
  8. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    [goright]Warning! Make sure you have a complete image backup!!!![/goright]

    [move]Warning! Make sure you have PowerShadow running!!!![/move]

    Using Paragon Hard Disk Manager 8 Special Edition...

    Highlight disk, <Right-Click>, Edit/View Sectors...
    PHDM-1.png


    Before...
    PHDM-2.png


    Click any place (right or left side of vertical bar), just start typing on keyboard...
    PHDM-3.png


    When you change the very first thing, the will turn green, click on green check mark to commit change....
    PHDM-4.png

    Mike
     
  9. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    [goright]Warning! Make sure you have a complete image backup!!!![/goright]

    [move]Warning! Make sure you have PowerShadow running!!!![/move]

    Using HxD - Freeware Hex Editor and Disk Editor...

    HxD-1.png

    HxD-2.png

    HxD-3.png

    HxD-4.png

    HxD-5.png

    Mike
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi Mike,

    That's impressive!

    But how could someone from the outside accomplish something like that?

    I don't see this as a plausible threat to one's MBR.

    How would someone get a HEX editor installed on your computer?

    regards,

    -rich
     
  11. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    OK, I just make up something, but first, you need to put on your aluminum foil hat to protect from paranoia...

    The HxD - Freeware Hex Editor and Disk Editor is only 1,572,864 bytes, but as you can see pretty damn powerful.

    So, since it is very small, I assume it would be very easy to figure out exactly what functions are called. Just recode to remove all the GUI crap and hardcode whatever, or allow it to take command line options via CMD.EXE.

    Then, split the program into a four different pieces of 393,216 bytes each. (nothing magic, just divided by four)

    Put these four program pieces on some popular web site with lots of repeat visitors. Over at least four visits, the program splits can be copied to the target PC.

    Later on, some little program would recombine the pieces back together...
    green = four program pieces
    red = final bad program

    Mike ;)
     
  12. EASTER.2010

    EASTER.2010 Guest

    Thanks for the link Mike. That one and SectorEditor are both new to me where WinHex is not. Also haven't bothered with the Paragon sector editor either, nice. :thumb:

    You're getting deep in the disk lately, thanks again. I not delved to this level since messing with rootkits and other kernel hiders. Certainly drives the curiosity in the right direction though because it's very beneficial to fully understand those facts from your own findings.

    Good stuff ;)
     
  13. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,121
    Location:
    Mountaineer Country
    Thanks Mike! I would really like to try that, but unfortunately my backup solution isn't really a solution at the moment. My burner isn't burning. It sounds like a fun test though :cool: .

    Edited to add that I understand the seriousness of the possible results of such a test.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    SSM,OA,AE etc would shut it down at the last stage.
     
  15. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    Crap... my attempt of world domination has failed again! ;)

    Mike
     
  16. EASTER.2010

    EASTER.2010 Guest

    And you don't know why?

    Like everyone else, you're also up against a Microsoft production. :D
     
  17. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    SectorEditor v1.05 by Julie.Lau

    Well, after trading PMs with @idle.newbie and me running SectorEditor.exe (03/06/2007 07:19 PM 200,704 bytes), it does in fact write to the harddisk even when PS is active! :eek:

    SectorEditor.exe is all in English. (It has one typo, Inport instead of Import.)

    SectorEditor.exe creates C:\WINDOWS\system32\drivers\sioctl.sys (5,888 bytes). (After I reboot out of PS, this file is gone.)

    Searching for sioctl.sys on Google returns three hits, one here at Wilder's, and two in Chinese. The two Chinese hits are talking about debugging Windows dynamically loaded drivers... WAY beyond what I know!

    The only reference (via Google) I can find about sioctl.c (source code) is What does MmProbeAndLockPages actually lock.

    I also found info on page 29 & 30 on this Word doc Memory Management: What Every Driver Writer Needs to Know.

    I am at a loss for words. :blink:

    Mike
     
  18. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Your a very clever and brave man Mike and thanks for the very deadly testings and the so far good results.:)

    The way your going do you think that you may eventually to able to compromise PS?
     
  19. EASTER.2010

    EASTER.2010 Guest

    Monitoring by System Safety Monitor quickly picks up (via fast polling of course), the sioctl.sys driver loaded. Upon closing SectorEditor, SSM also confirms a timely clean removal too. Some programmers either don't or can't fashion their code to release drivers after the main program is completed. That's why i keep on hand a ton of utilities to do it for them.
     
  20. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    On my system, sioctl.sys is not deleted. WTF

    I am NOT giving up on testing. :mad:

    Mike
     
  21. chew

    chew Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    515
    Location:
    GeordieLand.
    flinchlock,

    Are you saying PS is being compromised?



    EASTER.2010,

    Are you using SSM Free or Pro?

    So are you saying the SSM prevent sioctl.sys driver being loaded?

    o_O
     
  22. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    Well, that is hard to say, and I am still testing. I have been getting weird results this moring testing. I need to slow down and write down step-by-step what I am trying to see if I can see what is going on.

    This moring, it looked like I could only write to the 1st cluster (sectors 0-62). Those sectors are not considered a harddisk, ie: C:, D:, E:, etc. So, maybe in the protection provided by PS (protect system disk C:, or ALL disks), maybe these sectors are not protected?

    So, overall, I think PS is 99.999% secure.

    Some of the stuff I have been trying to compromise my harddisk with, would have a very difficult time of even happening anyway... I have a vivid imagination. o_O

    So, please do not freak out... hang in there.

    Mike
     
  23. Horus37

    Horus37 Registered Member

    Joined:
    Jan 4, 2007
    Posts:
    328
    Download and run Hp backup and recovery manager as I think it just busted through my 2.6 version of Powershadow. Upon reboot it had told me it finished modifying system settings and needs to reboot. YIKES!!! This hp program was installed in full shadow mode. It appears to me I just might have found it's achilles heel.
     
  24. EASTER.2010

    EASTER.2010 Guest

    NO, i'm saying SSM simply reports the driver loading and then upon closing SectorEditor SSM (Modules Alert) prompts (mine is set to close in 2 sec.), that the driver is removed.

    I used my services tools to confirm it indeed unloads the driver completely, nothing new there. Any such program should.

    Now then, this thing with a program writing to disk in PS shaodow-mode is disturbing if true. Means there is certainly a hole in the virtualization or else is able to completely bypass directly to the disc.

    (Waiting to read more results)
     
  25. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,772
    Location:
    New Mexico, USA
    But you booted back into shadow mode, if I read your post in the other thread correctly. What puzzles me is why, if you uninstalled the HP program in shadow mode it came back. Unless, as I posted in the other thread, PS restored your computer to what it was before the uninstall, which doesn't make sense to me.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.