First I will introduce myself: I'm Sblade, the Securom Crusader. I'm well experienced with Securom. I'm also a member of the R-force, the guys that caused Ubisoft to give up Starforce on its games.
You can look for my Securom Technical FAQ on the Atari forums or the NWN 2 official forums.
To the guy who started this thread:
Securom runs in RING0 as there is no other way to detect Daemon Tools and Alcohol stealth emulated drives than RING0.
Securom is a Starforce clone. Runs in RING0.
Securom is a TrojanKIT. The only difference between a rootkit and a TrojanKIT is that you do not need specialist tools to find a TrojanKIT; however, they are just as stubborn to get rid of and also compromise system security.
Definition of a TrojanKIT:
1. Security Applications installed without end user consent.
2. Software that grants Ring 0 access to Ring 3 (user level) applications.
3. Interferes with other software such as virtual drives, SCSI/SATA etc.
4. Puts its own virtual protection drivers on the system.
5. Interferes with other applications' Windows registry settings.
6. Can be exploited with replacement malicious versions to grant full Ring 0 access.
I copy-paste the virtual protection drivers proof from your own forums:
#ESC00000004: Sony MAPI Layer 220.127.116.11 *rooted to WinAPI (explorer.exe)
#ESC00000121: SSECROM DLApi v8.2.2 *rooted to WinAPI (explorer.exe)
#ESC000002C1: SSECDLL Miniport services *rooted to core (kernel Win32 layer)
Securom is also a clone of Starforce in the spin/phase rate transfer access. That means that when Securom receives data not within the tolerance it expected, it tries again and again.
SCSI/IDE/SATA protocols determine this to be a read problem and change to PIO 16-bit mode, dramatically decreasing the lifespan of DVD drives.
I'm ready for any challenge. I fight for what's right.
PS: for those who do not know what rings are in an OS:
They're like the opposite of Dante's Inferno. Instead of Ring 9 being where Satan chews on Brutus, Judas, and Ted Kaczynski, it's Ring 0. Except Satan is giving it to you in *YOUR* "ring 0".
More specifically, you know how there's that "hidden system files" option? Have you ever tried to look inside certain folders ("System Volume Information", for example) even as administrator just to be told 'Access is denied'? These files operate on a lower 'ring', thereby superseding admin access.
Windows operates on Rings, each specifying a level of access. User-level is Ring 3. I'm unsure how administrator accounts work, they may be Ring 3 as well. It's easier to think of levels of access. Above Ring 3 and you're operating on a restricted diet. You can't do certain things, see certain things, etc. As you get closer to Ring 0 you can do more and more.
Ring 0 is the eye of the storm. You can see and do everything from Ring 0. Everything is a-go from there. No joke, there is absolutely nothing you can't see, do, break into, modify, or override from Ring 0.
Ring 0 is where critical processes and hardware/firmware code typically run. The code that tells your sound card how to behave? Ring 0. The code that makes your DVD drive run at all? Ring 0.
It's important to remember that rings only work upwards. Ring 1 cannot modify Ring 0, for example, but Ring 0 can modify Ring 1.
Bioshock runs on Ring 3, as it's a user-level application.
Securom has processes that run on Ring 0 so it can spy on you, to make sure you don't have stuff Securom doesn't like hiding below Ring 3 (Daemon Tools, for example).
In order for a Ring 3 process to work with a Ring 0 process, it has a little leash, so both can talk to each other. Bioshock tells Securom when to do its malware thing, and Securom tells Bioshock not to run for no fucking reason at all.
That's the vulnerability, that leash. You get a piece of code that targets Bioshock's leash, it travels down the leash and compromises Ring 0. Next thing you know, your entire system is absolutely fucked, to the point where it can even compromise firmware itself. It's theoretically possible that with an extremely nasty Ring 0 infection, certain hardware (i.e. a sound card) could have its firmware modified in a way where the card will no longer function.
Sounds like an acceptable risk to stop the pirates from cracking the game for a whole of 1 day, right?
[Reply edited by tntkiller on 27 August 2007 18:47]
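The post's point 4 (a game installer dropping its own Ring 0 drivers) is something a user can check for themselves. The following is an added example, not code from the post or from Securom; it lists loaded kernel-mode drivers that are not signed with the Windows OS-component certificate, together with their Authenticode status, so third-party ring-0 components stand out. It assumes Windows PowerShell 5.1 or later and that the `Win32_SystemDriver` WMI class is available.

```powershell
# Added example (not from the original post): enumerate non-OS kernel-mode
# drivers and show who signed them. Third-party drivers, including those
# installed by copy-protection or virtual-drive software, are the ones that
# remain in this list.
function Get-ThirdPartyKernelDriver {
    [CmdletBinding()]
    param()

    $systemRoot = $env:SystemRoot
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $raw = $_.PathName
        if (-not $raw) { return }

        # WMI reports driver paths in several forms; normalise to a full path.
        $path = $raw -replace '^\\\?\?\\', ''                      # drop \??\ prefix
        $path = $path -replace '^\\SystemRoot', $systemRoot        # \SystemRoot\... -> C:\Windows\...
        if ($path -match '^(system32|SysWOW64)\\') {               # bare system32\drivers\x.sys
            $path = Join-Path $systemRoot $path
        }
        if (-not (Test-Path -LiteralPath $path)) { return }

        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

        # Heuristic filter: hide only drivers signed as Windows OS components.
        # WHQL-signed third-party drivers are deliberately kept in the output.
        if ($signer -match '^CN=Microsoft Windows,') { return }

        [pscustomobject]@{
            Name      = $_.Name
            State     = $_.State        # Running / Stopped
            StartMode = $_.StartMode    # Boot / System / Auto / Manual / Disabled
            Path      = $path
            SigStatus = $sig.Status     # Valid / NotSigned / HashMismatch / ...
            Signer    = $signer
        }
    }
}

Get-ThirdPartyKernelDriver | Sort-Object State, Name | Format-Table -AutoSize
```

Drivers that show `NotSigned` or `HashMismatch`, or that are `Running` with an unfamiliar signer, are the entries worth investigating further.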