/* Javascripts ----------------------------------------------- */ /* * * * * * * BODY * * * * * * * ----------------------------------------------- */

Note that the title of most blog entries provides a link to the relevant document.

Saturday, November 05, 2005

Sony DRM rootkit code (#16) System Call Hooking

The posters to Mark Russinovich's recent blog entry: "More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home" have managed to use the Sony DRM code to break Windows systems by exploiting the vulernerabilities inherant in system call hooking.

In particular, if you rename the Sony drivers, then start the original, followed by the copy, then stop the original, followed by the copy, Windows systems fail. Why? Because when they load they do system call hooking, inserting themselves between the system call table and the driver that should be called for that API. But when you do it twice, each driver inserts itself at the top. So you have:
Table->module0 (original module)
But when you unload them in FIFO order (module1, module2), instead of LIFO order (module2, module1), it doesn't get cleaned up properly. When module2 is unloading, it restores the contents of the system call table to what it was when it loaded (module1), but module1 had already been unloaded. The table entry now points at the address where module1 was - but no longer is. Boom.

[+/-] show/hide this post


Anonymous Anonymous said...

best regards, nice info Care obagi skin system Running with scissors weird al Creative dxr2 graphics card driver downloads Buy didrex ship florida Jeep liberty renegade parts Ambien lethal dose human sampras tennis http://www.lesbians4.info Philadelphia phillies baseball records http://www.ford-window-motor.info Rubber tires nonbiodegradable meridia Blackberry 8700c manual tamiflu Tadalafil directions

4:11 PM  

Post a Comment

Links to this post:

Create a Link

<< Home