
Fix for SecuROM bug

Printed From: Sysinternals
Category: Sysinternals Utilities
Forum Name: Process Explorer
Forum Description: Process Explorer questions, suggestions, comments and bug reports
URL: http://forum.sysinternals.com/forum_posts.asp?TID=11086
Printed Date: 18 April 2014 at 7:11pm


Topic: Fix for SecuROM bug
Posted By: throx
Subject: Fix for SecuROM bug
Date Posted: 15 June 2007 at 1:00pm
I consider the fact that SecuROM doesn't allow you to run an app even after PE has closed a simple bug in their detection algorithm.  Here's a workaround (binary and source included):

http://www.chase.net.au/HidePE100.zip

Note - there's code there to specifically prevent you from running PE at the same time so this *isn't* a circumvention of their protection.  If they don't want PE running, fine, just don't make us reboot to run apps when we may well have long running background tasks on our workstations.

If you think this is a bad idea to post, please remove it.  Just wanted to share something that will relieve a bunch of my frustration with not wanting to reboot for a quick 15 minute game between working.

The simple rundown on how it works is pretty obvious - it just creates an empty DACL and applies it to the PROCEXP100 symlink in the object manager.  When the app is done, it just resets the DACL to the original value.  I included a "reset" switch as well just in case something happens and you need to reset it manually.

Hope that helps some folks out there.



Replies:
Posted By: Matts_User_Name
Date Posted: 18 June 2007 at 8:32am

Ah, very nice work. I see it basically "hides" the driver from displaying, causing SecuROM to go blow =].

 
Thanks for this.
 
Question, isn't this a method that is used in rootkits? I think I recall something similar in the FU rootkit, which I was gonna use to bypass the C&C loader. Although I never got a chance to test it since I found a No DVD patch for the game which bypasses the loader.
 
But this is still very valuable. I'll probably test it out when I encounter another game with SecuROM loaded as a protection.
 
BTW thanks for including the source. It will come in handy for learning some C++ in the near future.


-------------


http://forum.sysinternals.com/forum_posts.asp?TID=14317 - My PE Fix - Run On Startup


Posted By: molotov
Date Posted: 18 June 2007 at 8:36am
Quote It will come in handy for learning some C++ in the near future
Actually, the source for HidePE is in C... Clown


-------------
Daily affirmation:
net helpmsg 4006


Posted By: EP_X0FF
Date Posted: 18 June 2007 at 9:15am
Matts_User_Name wrote:

Question, isn't this a method that is used in rootkits?


No, actually, real rootkits don't need symbolic links and they do not create them.

@throx

Really nice.

But I hope that Mark will add to PE the ability to unload its driver at exit, and SecuROM will understand that their "ban list" can't prevent crackers and hax0rs from subverting their so-called defense.


-------------
Ring0 - the source of inspiration


Posted By: Matts_User_Name
Date Posted: 18 June 2007 at 1:30pm
@ molotov
 
Hmm, well I guess you can tell I'm a newbie to anything with C since I have no idea what the difference is between them. haha.
 
All I know is that I wanna learn C since it seems way more flexible than VB from all the varied source code around the net.
 
@ EP_X0FF
Hmm yes that would be nice, but didn't we have like a big topic before about how it is very unsafe to unload drivers, and in truth, is there really a way to do it? I have never seen an API function for that really.


-------------


http://forum.sysinternals.com/forum_posts.asp?TID=14317 - My PE Fix - Run On Startup


Posted By: molotov
Date Posted: 18 June 2007 at 1:39pm
Quote I have no Idea what the difference is between them.
Hence the clown, thought you'd get a smile out of it. Smile 
 
Drivers can be unloaded.  However...
Originally posted by Mark (http://blogs.technet.com/markrussinovich/archive/2005/11/04/more-on-sony-dangerous-decloaking-patch-eulas-and-phoning-home.aspx):

It is never safe to unload a driver that patches the system call table since some thread might be just about to execute the first instruction of a hooked function when the driver unloads; if that happens the thread will jump into invalid memory. There's no way for a driver to protect against this occurrence, but the Aries driver supports unloading and tries to keep track of whether any threads are executing its code. The programmer failed to consider the race condition I've described.
 
 


-------------
Daily affirmation:
net helpmsg 4006


Posted By: EP_X0FF
Date Posted: 18 June 2007 at 8:09pm
Process Explorer doesn't install any kernel mode interceptors, and it is absolutely unknown why it's not unloading its driver at exit.

However, nothing is safe, including driver loading in the first place. So I can't agree with such statements. The same blue screen can happen when you install hooks, by the same criteria.


-------------
Ring0 - the source of inspiration


Posted By: throx
Date Posted: 19 June 2007 at 12:08am
It would be very nice if PE could unload the driver when it's done. 

I don't actually mind SecuROM having a "ban list", even when it's pretty obvious that it only cuts out people that probably don't have the skills to reverse it anyway.  What I do mind is when their "ban list" gets a little overzealous and interacts badly with apps that really should be unloading drivers when they are finished.  In any case, it's still a level of niceness above StarForce.


Posted By: molotov
Date Posted: 19 June 2007 at 9:42am
Quote Process Explorer doesn't installs any kernel mode interceptors
Right - I didn't mean to infer this, only wished to indicate what type of drivers Mark indicated were unsafe to unload.
 
Quote it is absolutely unknown why its not unloading its driver at exit
Perhaps some legacy HandleEx action?
 
EP_X0FF - I've moved our discussion about loading / unloading / SSDT hooking into its own topic in Internals - "Unsafe to load a driver that hooks SSDT?" (http://forum.sysinternals.com/forum_posts.asp?TID=11138&PN=1)


-------------
Daily affirmation:
net helpmsg 4006


Posted By: PzAz04Maus
Date Posted: 29 July 2007 at 11:45pm
Uhm.. Hey, new guy here (who also is not very good with programming languages, or even knows about anything to do with them besides their purpose). I'm sorry, but how exactly do you use this? Most of the installations and edits that I've done were simply placing files in proper locations (à la mods) on a per-file basis, or just getting an easy installer to do it for me, so with this, I'm not even sure where to start. Do you run the .exe (which seems to be the source code, if the readme is telling me right)?

In other words, the readme didn't help a relative luddite at all, so how is this used? It seems that SecuROM also has expanded to the World in Conflict beta, along with C&C 3, so now it's even deeper into the hole.


So far as I can tell, it's a programming language that I put somewhere (do you put it into a certain set of code for a program or something, or is it something that is an exe?).

Wouldn't this SecuROM also technically be illegal, since the other software is forcing you to not use another set of software for it to run at all? It's a game, but still, if Photoshop wanted to, they could do this whole bull**** to, for instance, copies of GIMP. Basically it's forced incompatibility issues against another program, which could be malicious, since I love Process Explorer much more than the Microsoft default ever did.

In short, how do I gain the benefits of this program, what are the potential problems, and if it'd help, how do I uninstall it? Many thanks to those who can help out someone dumber than they in this certain field of knowledge.



Posted By: throx
Date Posted: 29 August 2007 at 12:29am
PzAz04Maus wrote:

Uhm.. Hey, new guy here (who also is not very good with programming languages, or even knows about anything to do with them besides their purpose). I'm sorry, but how exactly do you use this? Most of the installations and edits that I've done were simply placing files in proper locations (à la mods) on a per-file basis, or just getting an easy installer to do it for me, so with this, I'm not even sure where to start. Do you run the .exe (which seems to be the source code, if the readme is telling me right)?

In other words, the readme didn't help a relative luddite at all, so how is this used? It seems that SecuROM also has expanded to the World in Conflict beta, along with C&C 3, so now it's even deeper into the hole.


So far as I can tell, it's a programming language that I put somewhere (do you put it into a certain set of code for a program or something, or is it something that is an exe?).

Wouldn't this SecuROM also technically be illegal, since the other software is forcing you to not use another set of software for it to run at all? It's a game, but still, if Photoshop wanted to, they could do this whole bull**** to, for instance, copies of GIMP. Basically it's forced incompatibility issues against another program, which could be malicious, since I love Process Explorer much more than the Microsoft default ever did.

In short, how do I gain the benefits of this program, what are the potential problems, and if it'd help, how do I uninstall it? Many thanks to those who can help out someone dumber than they in this certain field of knowledge.

Sorry - missed this post.  It's probably best to email me as well if you want a faster response!

To use the program in a simple manual way, extract the .exe from the .zip file to somewhere on your system (I'll use c:\util as an example).  Next, create a shortcut on your desktop (or wherever) to "c:\util\hidepe100 -m".  Running this shortcut will hide the Process Explorer driver from SecuROM as long as Process Explorer itself isn't running.

You can have it automatically start the game by putting the full path to the game instead of the "-m" but I'll leave that to your experimentation.  As an example, my shortcut for C&C3 points to:

C:\util\HidePE100.exe "C:\Program Files (x86)\Electronic Arts\Command & Conquer 3\CNC3.exe"

The "programming language" bit is just the code that I wrote that actually makes the .exe file.  You don't need this.  It's simply for complete disclosure of what is in the program if you're one of those paranoid types who suspects I may be distributing a virus (after all, you don't know me).  This would allow you to either make the program yourself or ask someone you trust more than me to make it for you.

Legally, SecuROM can do whatever it wants to and prevent you from running whatever it wants to on your machine at the same time it's running.  You legally have the option of not purchasing and running the game if that bothers you too much.  As I documented, my correspondence with Sony leads me to believe that the behavior of SecuROM in preventing a game from being run even after you close Process Explorer itself is a bug in their code, so I am simply providing a workaround to that bug.  I have heard nothing from SecuROM themselves, and have provided their CS folks with the same .zip file posted on my site for their perusal.  They've not contacted me in any way over it, so I can only assume that they don't mind.

To uninstall it - just delete the .exe from your system.  It installs nothing into your registry, installs nothing on your HDD, and does nothing permanent to your machine after running.

Again, sorry for the delay posting.  Just for reference, it also works against BioShock (both the demo and Steam versions that I've tested so far), but requires the "-m" method I initially recommended because the game itself runs itself.  No clue on why it does, but I can't track grandchild processes quite as simply.

Anyway - if you have any more questions, shoot me an email or post here.  I'll do my best to answer.

Cheers.


Posted By: PzAz04Maus
Date Posted: 29 August 2007 at 4:37pm
*yeys!* Works! Didn't work the first time, as I didn't know that you could change targets with modifiers like that. ^-^. Danke schön!


Posted By: throx
Date Posted: 05 September 2007 at 9:12am
Note that the new v11 of the Process Explorer driver is not detected by SecuROM.  The running executable is, but just exiting Process Explorer v11 will let you play your games for now.

I suspect Sony will update SecuROM in the near future to throw a fit at the v11 driver.  I'm also going to look at the code posted by EP_X0FF on another thread to see if I can't just unload the driver manually.


Posted By: x5450
Date Posted: 22 February 2008 at 2:00pm
Throx,

I am trying to run a backup of my game; it is called "World In Conflict".
SecuROM keeps blocking it. Do you have an idea of how to get around it?


Posted By: x-faktor
Date Posted: 26 February 2008 at 7:35am
we need the sysinternals universal unloader :)


Posted By: EP_X0FF
Date Posted: 26 February 2008 at 9:47am
Quote we need the sysinternals universal unloader :)


Well, it is possible to write a universal unloader for any version of Process Explorer, if Mark doesn't mind. But this can lead to unknown consequences for some tools like Regmon/Filemon/Procmon.


-------------
Ring0 - the source of inspiration


Posted By: Matts_User_Name
Date Posted: 30 July 2008 at 12:37am
Hey throx, how did you code this without using the .net framework since it was in the VS.net 2005 IDE?

I've tried doing this before but was unable to succeed (although this was using VS.net 2005 - VB, perhaps C++ is different?) Did you select console application or something?

Also I was going to mess around with your code a little bit and do some testing, although I keep getting this error when Debugging, or Building (compiling):
fatal error LNK1104: cannot open file '..\..\winddk\3790.1830\lib\wxp\i386\ntdll.lib'    HidePE100


How would I fix something like this?
I am thinking it might have something to do with this line #pragma comment(lib, "ntdll.lib") although I am unsure.

ntdll.lib is included in the Solution Explorer window, so I am not really sure what is wrong. Do I have to point some option in the project properties to ntdll.lib?



-------------


http://forum.sysinternals.com/forum_posts.asp?TID=14317 - My PE Fix - Run On Startup


Posted By: molotov
Date Posted: 30 July 2008 at 12:55am
One need not use .NET to use VS 2005.
 
You can get ntdll.lib from the WinDDK (http://www.microsoft.com/whdc/devtools/wdk/default.mspx) (it may be listed in the project, but the file itself does not exist).


-------------
Daily affirmation:
net helpmsg 4006


Posted By: Matts_User_Name
Date Posted: 30 July 2008 at 2:18am
Hmm, I never knew that. I swear I've tried this in VB.net 2005 and it seemed to take no effect (I refuse to program in the .net framework due to the slow application load time =[ )

Sorry about the ntdll.lib, I swear it was included in the folder, but I guess not.
I just deleted that one referenced in the project and added it from where I put the DDK (I guess the wnet version is correct)
P:\WINDDK\3790.1830\lib\wnet\i386


In any case. I am very surprised that this works. In fact I don't really understand why replacing a driver's symbolic link security descriptor with nothing does anything. (Actually, I didn't even know drivers have symbolic links...)




-------------


http://forum.sysinternals.com/forum_posts.asp?TID=14317 - My PE Fix - Run On Startup


Posted By: molotov
Date Posted: 30 July 2008 at 2:27am
molotov wrote:

One need not use .NET to use VS 2005.
Matt wrote:

I swear I've tried this in VB.net 2005
VC++ 2005 projects need not use C++/CLI.  C# and VB.NET, of course, will require the .NET FW.

-------------
Daily affirmation:
net helpmsg 4006


Posted By: Matts_User_Name
Date Posted: 30 July 2008 at 2:49am

Ok so now I am really confused.

It appears that what this code does is make PE's driver ("\\GLOBAL??\\PROCEXP100") have an invalid symbolic link. It causes NtOpenSymbolicLinkObject to basically fail (which can even be shown in WinObj where it says <Error querying link>)

So basically, replacing an object's SD with a null SD forces it to be unable to be opened (in this case it is a Symbolic Link Object for a Driver). I guess this makes sense since it erases any DACL, making the ACEs not exist, and if a permission (in this case all of them) doesn't exist it is denied.
In this case, we are doing this to PE's Driver's Symbolic Link.
I would love it if we could just rename a window class, to hide PE from SR and not have to shut it down while starting a game, but I guess some things just can be bypassed...



But why would this make SecuROM not find it? It obviously is still loaded and could be easily found using NtQuerySystemInformation (Specifier 11 = SystemModuleInformation = Return the drivers in SMI structures)
This is even demonstrated by PE showing System's Modules and also using NirSoft's DriverView, and even manually doing that code yourself, so it doesn't make sense why SR doesn't find it.

My attempt was using the FU rootkit to PE's driver but that did not work. So SR must not check the loaded driver list, but how did Throx know that forcing the driver's symbolic link to disallow being opened will make the SR check succeed?

SR must also be using a window class check to find PE's window to identify if the process itself is running. I not only tried using FU to hide the process, but also deleted its entire window title name, and it still detects it (even after using this fix). It must use FindWindow using "PROCEXPL" as the class, and null as the text, so that if FindWindow returns a handle that is not 0 then SR shows an error and refuses to run. So given that it possibly does not enum the processes, and since we proved it does not enum the drivers, I guess it uses some unique little tricks to check for application existence.

But like I said before, the driver routine that it does still confuses me. Does it try to use NtOpenSymbolicLinkObject to query the driver's SM....
If it does why did it choose such an odd way, that is demonstrated here to be easily bypassed, and why does it not enum the loaded drivers instead and look for PROCEXP100...


-------------


http://forum.sysinternals.com/forum_posts.asp?TID=14317 - My PE Fix - Run On Startup


Posted By: molotov
Date Posted: 30 July 2008 at 12:40pm
Quote It causes NtOpenSymbolicLinkObject to basically fail
Did you try it?  What status was returned?
 
Quote replacing an object's SD with a null SD,
Careful - a null DACL is not the same as an empty DACL (http://msdn.microsoft.com/en-us/library/aa379286%28VS.85%29.aspx).
 
Quote But why would this make SecuROM not find it
Because their detection apparently relies on it. 
 
Quote how did Throx know this that forcing the driver's symbolic link to disallow being opened, will make the SR check succeed
Probably, an educated guess based off of behavior analysis, perhaps combined with a little RE...
 
Matt wrote:

why does it not enum the loaded drivers instead and look for PROCEXP100
Matt wrote:

using the FU rootkit to [hide] PE's driver
Perhaps you answered your own question?


-------------
Daily affirmation:
net helpmsg 4006
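The null-versus-empty DACL distinction raised just above, and the mechanism throx described in the first post (an empty DACL put on the PROCEXP100 symlink and restored afterwards), as an added example that is not part of this thread or of HidePE: a small Python model of how a Windows DACL is evaluated. The right bits, the two SIDs and the "original" DACL are constructed for the demo rather than read from a real object, and the owner's implicit READ_CONTROL/WRITE_DAC is modelled as an `is_owner` flag (the reason an owner can still rewrite a DACL that grants nothing).

```python
# Added model of Windows DACL evaluation (not the thread's or HidePE's code).
# Right bits, SIDs and DACLs below are constructed for the demo; they are
# stand-ins for the real ACCESS_MASK constants, not their actual values.
from dataclasses import dataclass
from typing import List, Optional, Set

QUERY        = 0x0001   # stand-in for SYMBOLIC_LINK_QUERY (needed to resolve a symlink)
WRITE        = 0x0002
READ_CONTROL = 0x0004   # read the security descriptor
WRITE_DAC    = 0x0008   # rewrite the DACL
ALL          = QUERY | WRITE | READ_CONTROL | WRITE_DAC

EVERYONE = "S-1-1-0"        # well-known SID: Everyone
ADMINS   = "S-1-5-32-544"   # well-known SID: BUILTIN\Administrators


@dataclass
class Ace:
    allow: bool   # True = ACCESS_ALLOWED_ACE, False = ACCESS_DENIED_ACE
    sid: str      # trustee the ACE applies to
    mask: int     # rights granted or denied


def access_check(dacl: Optional[List[Ace]], token_sids: Set[str],
                 desired: int, is_owner: bool = False) -> bool:
    """Return True if every bit in `desired` is granted.

    dacl is None -> NULL DACL: the object is unprotected, all access is granted.
    dacl == []   -> empty DACL: no ACE grants anything, so everything is denied
                    except the owner's implicit READ_CONTROL | WRITE_DAC.
    otherwise    -> ACEs are walked in order: a matching deny ACE that covers a
                    still-needed bit denies; matching allow ACEs accumulate rights.
    """
    if dacl is None:
        return True
    remaining = desired
    if is_owner:
        remaining &= ~(READ_CONTROL | WRITE_DAC)   # owner's implicit rights
    for ace in dacl:
        if ace.sid not in token_sids:
            continue                               # ACE is for someone else
        if not ace.allow:
            if ace.mask & remaining:               # denies a right still needed
                return False
        else:
            remaining &= ~ace.mask                 # grant what this ACE allows
        if remaining == 0:
            return True
    return remaining == 0


def symlink_scenarios() -> dict:
    """Check a symlink open (QUERY) and other rights under three DACL states."""
    everyone = {EVERYONE}
    # Constructed "original" DACL: Everyone may query, Administrators get all.
    original = [Ace(True, EVERYONE, QUERY), Ace(True, ADMINS, ALL)]
    # Same allow for admins, but a deny for Everyone placed first in the list.
    deny_first = [Ace(False, EVERYONE, QUERY), Ace(True, ADMINS, ALL)]
    return {
        "original_query": access_check(original, everyone, QUERY),
        "original_write": access_check(original, everyone, WRITE),
        "empty_query": access_check([], everyone, QUERY),
        "empty_owner_write_dac": access_check([], everyone, WRITE_DAC, is_owner=True),
        "null_all": access_check(None, everyone, ALL),
        "deny_first": access_check(deny_first, everyone | {ADMINS}, QUERY),
    }


if __name__ == "__main__":
    for name, granted in symlink_scenarios().items():
        print(f"{name:24s} -> {'granted' if granted else 'DENIED'}")
```

The point of the model: with an empty DACL the walk finds no ACE for any SID, so an ordinary caller's QUERY open is denied, which matches the `<Error querying link>` display in WinObj; with a NULL DACL there is nothing to walk and every caller gets everything, which is the opposite outcome. The owner still clears WRITE_DAC before the walk, so the descriptor can be put back afterwards.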


Posted By: Diablo
Date Posted: 30 July 2008 at 6:03pm
Matt wrote:

Does it try to use NtOpenSymbolicLinkObject to query the driver's SM....

It is AFAIK calling ZwCreateFile in the SecuROM driver. The best way to hide PE from SecuROM will be unloading the Process Explorer driver, because future versions of SecuROM, instead of trying to open the symbolic link, will simply enumerate all available devices, or directly try to open the Process Explorer device. FU (not FU2) rootkits won't help, because they don't provide the required stealth level.

To completely hide the Process Explorer driver from SecuROM self-defense it is required to unlink it from the loaded modules list, unlink it from the devices/drivers chains, and fake the object header to avoid memory brute-force (as for example made in StarForce3). Once the Process Explorer driver is removed from PsLoadedModulesList (FU2 does exactly this) ALL kernel mode exception handling inside the Process Explorer driver becomes unworkable; all _try _except blocks will be ignored, due to SEH's nature (once an exception occurs it looks up the driver through PsLoadedModulesList for internal operations). So the Process Explorer driver will be vulnerable to any kind of internal exception even if it was handled by exception handler blocks. And this means only this -> Welcome Blue Screens Of Death

Process Explorer is Process Explorer; it is not a stealth rootkit and it can't become one. So forcing the driver to unload is the only perspective.


Posted By: Matts_User_Name
Date Posted: 31 July 2008 at 1:28am


Thank you both for your replies.

@Diablo
Even though I understood only like 3/4 of what you said (not your fault, it's mine since I have yet to touch driver development and internal kernel routines), I enjoy that you took some time to consider what would happen as a consequence of making PE's driver 100% stealthed (in which PE would fail to communicate with its driver), and also gave some technical info on what needs to be done to have an object (well, a driver object specifically) hidden completely.
Object invisibility intrigues me a lot, although perhaps that is due to the fact that I really don't understand why Executive APIs like DeviceIOControl can hide Kernel objects, haha.

-->"The best way to hide PE from SecuROM will be unloading Process Explorer driver"
I agree, but there is no foolproof method that I know of to unload drivers =[.
Sure, you can use the command: net stop [driver regkey name] but this is nowhere near a solid method to remove those drivers from the kernel address space.

Using "net stop" is kind of like using Task Manager to kill processes.
1. If the regkey doesn't exist it won't unload. This is similar to Task Manager complaining about the process being a "critical system process"
2. If the driver refuses to unload, then you are dead in the water. This is similar to a process denying the NtTerminateProcess API (The only way to fix this is usually something like IceSword)

Well I have constantly been on the hunt for the IceSword equivalent of a driver unloader. (Yes I know it might cause a BSOD, but what is to say that killing a process, closing a handle, unloading a remote dll, or using 'net stop' to make the service host unload a cooperating driver, won't...)
So, any suggestions for a tool that can unload drivers?

 


-------------


http://forum.sysinternals.com/forum_posts.asp?TID=14317 - My PE Fix - Run On Startup


Posted By: Diablo
Date Posted: 31 July 2008 at 3:38am
http://forum.sysinternals.com/forum_posts.asp?TID=11892


Posted By: Nerf_Jihad
Date Posted: 03 October 2008 at 7:26am
I'm not quite sure how to use this program, actually. A little help?


Posted By: molotov
Date Posted: 03 October 2008 at 11:20am
Hi Mike,

Which program - Process Explorer, or "HidePE"?


-------------
Daily affirmation:
net helpmsg 4006


