Helpless and useless Disk "Shield"

So weak, kill it under ring3 with less than 100 lines of code

from:

[attachment deleted by admin]

This is a BETA. It’s ONLY used for testing purposes.

I suggest you wait till the final version.

Josh

yeah, I’ll wait for your legendary “final version” and bypass it using my old “BypassDisk.exe” :slight_smile:

take it easy

(:WIN)

yes, you released it for testing purposes, so I downloaded and tested it.

I find it so weak that it cannot even stop an attacker from user mode, and its driver is just like a copy of the famous open source project “filedisk” ( (:CLP))

so I think this protection system will always be bypassed if you do not use more powerful techniques and do not remove your “plagiarized” driver code

hi 3dnow

we appreciate you testing it and providing useful feedback.

Can you tell me which version you tested please?
thanks
Melih

I tested the newest version (1.0.1.18) of diskshield

Hi, 3DNow.
Thanks for your support firstly.
DiskShield 1.0.1.18 is a BETA version. It’s ONLY used for testing purposes.
Protection of RAW access should only take effect in regard to RING3 applications in this version, just like you see. This version of protection of RAW access is NOT full-blown. If you can provide any binary of your testing application, we should resist it in a future version.

In addition, I don’t think our developers plagiarized any code. We don’t need to plagiarize any code.

Anyway, our developers should make CDS more powerful in the future.

Thanks
Doskey.

protection of the RAW access to disk (it seems DiskShield uses an fsd filter on \FileSystem\RAW and so on) can not stop an attacker from user mode

there are a lot of methods that can bypass the fsd\disk\port filter, even a Disk IoPort Hook :slight_smile:

you see, it’s not so easy to stop a disk attack. Good luck (:WAV)

Hi, 3DNow.
Thanks to you again.
We all know there are many ways to bypass any filter, such as an FSD filter, Volume filter or Disk filter.
We think that DISK I/O hooking should NOT be the final solution, for any hooking would make the system unsafe or unstable.
We prefer to choose the more stable and more effective way to protect your PC. Although it is not powerful enough now, we will improve it continuously in the future.
If you need to protect your disk, even from I/O disk access by the OS, I suggest you choose some hardware protection products to protect your PC, although they may cause more issues for applications.

Thanks
Doskey.

Oh! what is the most stable security software?

— no security software at all!!

No more CPU and memory cost

No more sick message boxes (that stupidly make me choose yes or no, block or allow)

No more blue screens (even if your driver uses the M$ standard framework and functions)

but, tell me, why should a user install your security software? even pay some money for it? because your driver is steady? because your driver’s BSOD probability is less than the others’?

No, the reason is that your software can stop attackers, your software can protect their PC! It is your Promise.
If you can’t, your software will be nothing.

3D Now.

We do appreciate the testing… But please have some patience & let’s keep things cool here. The Developers are working ■■■■■■■ CDS.

Josh

You claim you have found a way to bypass the security.
Will you share your method with us so that we can fix it?

We suspect what you are doing is using a vulnerable windows OS to bypass the security rather than bypass CDS. Of course we are not ruling out anything here, hence we would appreciate if you could provide the details.

thanks
Melih

No, I just use the standard method provided by Microsoft (but which you ignored).

I am telling you that you cannot protect raw access to the disk by just blocking access to \FileSystem\RAW, even if the attacker is only under ring3

A disk attacker can access the hard disk without using any Windows function or any Windows-system-related thing (for example, IRP or IoPacket), even in user mode. :SMLR

We love researching the Windows kernel because it has so many secrets, and they have always been ignored by security software developers

Certainly, I am also a security software developer, so I do not want to publish the details so easily, to improve the levels of both blackhat & whitehat. Maybe you can see this technique at some security conference in the future

So you are here, 3DNow, to say: “look, your software cannot do this, haHa”?
You know, I could also fabricate some images and paste them here…

Ease up. He knows what he’s on about. Have a look at some of the links referenced in his posts. I don’t doubt his ability to do what he says he can. Similarly I don’t doubt Comodo’s ability to improve CDS.

Ewen :slight_smile:

I hope the text below can be of some help to Comodo. It is from an article written by somebody to introduce her (3Dnow, if 3Dnow is her) husband’s work on security techniques.

I think one passage is useful.
‘There is a way to go through a protection system (Sandbox, Shield … note by translator) directly under user mode without installing a driver. As the hard disk system provides a set of instructions, these instructions can get hard disk information and even access hard disk sectors directly without needing to send a request to the hard disk. The IDE/SCSI/ATA PassThrough instruction can bypass the protection system when the DeviceIoControl function is used to send the request under RING3. Most protection systems do not inspect this, or inspect it but not so strictly.’

My English is poor and I have only a little knowledge of the relevant field, so the translation is not so exact.

Below is the original; I hope somebody of yours can read it.

The whole article can be found at http://tech.qq.com/a/20080320/000261.htm
There is another method; this method does not use a driver and penetrates the restore system directly in user mode. The disk system provides a set of passthrough instructions which, without sending direct requests to the disk, can obtain disk information and even directly read and write disk sectors. The IDE/SCSI/ATA Pass Through instructions penetrate the restore system; under RING3 the DeviceIoControl function is used to send the request. Most restore systems filter this loosely or not at all, so the attack can be accomplished under RING3.
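The passage above explains why a filter that only guards \FileSystem\RAW misses pass-through requests: they are plain DeviceIoControl control codes aimed at the port driver. The check below is an added example (not code from the thread, from DiskShield or from the article) showing how a defender's dispatch routine can recognise those control codes; the CTL_CODE layout and the function numbers mirror the public DDK definitions, and the table of sample codes is constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Mirror of the DDK CTL_CODE() layout so this builds without windows.h:
   bits 31..16 device type, 15..14 access, 13..2 function, 1..0 method. */
#define FILE_DEVICE_CONTROLLER 0x0004u   /* IOCTL_SCSI_BASE in ntddscsi.h */
#define METHOD_BUFFERED        0u
#define FILE_READ_ACCESS       0x0001u
#define FILE_WRITE_ACCESS      0x0002u
#define CTL_CODE(dev, func, method, access) \
    (((uint32_t)(dev) << 16) | ((uint32_t)(access) << 14) | \
     ((uint32_t)(func) << 2) | (uint32_t)(method))
#define RW_ACCESS (FILE_READ_ACCESS | FILE_WRITE_ACCESS)

/* Pass-through IOCTLs from ntddscsi.h: each carries a raw command block
   straight to the port driver, so a RAW-filesystem filter never sees it. */
#define IOCTL_SCSI_PASS_THROUGH        CTL_CODE(FILE_DEVICE_CONTROLLER, 0x0401, METHOD_BUFFERED, RW_ACCESS)
#define IOCTL_SCSI_PASS_THROUGH_DIRECT CTL_CODE(FILE_DEVICE_CONTROLLER, 0x0405, METHOD_BUFFERED, RW_ACCESS)
#define IOCTL_IDE_PASS_THROUGH         CTL_CODE(FILE_DEVICE_CONTROLLER, 0x040a, METHOD_BUFFERED, RW_ACCESS)
#define IOCTL_ATA_PASS_THROUGH         CTL_CODE(FILE_DEVICE_CONTROLLER, 0x040b, METHOD_BUFFERED, RW_ACCESS)
#define IOCTL_ATA_PASS_THROUGH_DIRECT  CTL_CODE(FILE_DEVICE_CONTROLLER, 0x040c, METHOD_BUFFERED, RW_ACCESS)

uint32_t ioctl_device_type(uint32_t code) { return code >> 16; }
uint32_t ioctl_function(uint32_t code)    { return (code >> 2) & 0xFFFu; }

/* True when a control code is one of the pass-through requests a disk
   protection filter must intercept (or deny) in its IOCTL dispatch path. */
bool is_disk_passthrough_ioctl(uint32_t code)
{
    if (ioctl_device_type(code) != FILE_DEVICE_CONTROLLER)
        return false;
    switch (ioctl_function(code)) {
    case 0x0401: case 0x0405: case 0x040a: case 0x040b: case 0x040c:
        return true;
    default:
        return false;
    }
}

int main(void)
{
    /* Constructed sample of codes as a filter's dispatch routine would see them. */
    const uint32_t seen[] = { 0x00070000u /* IOCTL_DISK_GET_DRIVE_GEOMETRY */,
                              IOCTL_ATA_PASS_THROUGH, IOCTL_SCSI_PASS_THROUGH_DIRECT,
                              0x0004D018u /* FILE_DEVICE_CONTROLLER, func 0x406 */ };
    for (size_t i = 0; i < sizeof seen / sizeof seen[0]; i++)
        printf("IOCTL 0x%08X (func 0x%03X): %s\n", seen[i], ioctl_function(seen[i]),
               is_disk_passthrough_ioctl(seen[i]) ? "PASS-THROUGH, must inspect" : "ordinary");
    return 0;
}
```

The same function-number match applies whether the request arrives as METHOD_BUFFERED or via the DIRECT variants, which is why the check keys on device type and function rather than on the full code.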

On behalf of the development team, thank you for your kind efforts in translating this.

Ewen :slight_smile:

That’s some coding!

Good work! :slight_smile:

Cheers,
Josh

Hi, Zeus.
We have read your article. Thanks for your help.
And we have an improved version coming soon. This version will be safer, more stable and easier to use.
Please let us know if this new version is vulnerable to the attacks you mention. We will continuously improve CDS and look forward to everyone’s input to make it better.

Thanks,
Doskey

Thank you for your confidence.

I can’t find the test tool which 3Dnow used on the internet, because she never released it (she said so).
Although, I’m willing to do something.

The attachment may be useful to you

[attachment deleted by admin]