#1
Securom ring-3 smoke screen explained (RUNS AT RING-0)
Before I start I will say again that Securom is not a Rootkit. It may have Rootkit-like behaviour but IT IS NOT a rootkit.

I come back to list more issues. Except for 2 or 3 people, I'm getting some good feedback, so I think it's worth listing Securom issues. This time I'll try to simplify my report.

Simple Windows Operating structure: A device in Ring 0 has more authority than anything in any other run level. So any checks or interception in Run level 2 or 3 can be easily bypassed by Stealthed CD/DVD emulation running in Ring 0. When stealthed, unless the DRM also runs in Ring 0, it cannot find it. If it does manage to find one or more of its services, the likes of Daemon Tools or Alcohol 120% quickly write an update patch to compensate for this. You can feed false data from Ring-0 to Ring-3, not the other way around.

In this link the picture of the Intel IA32 protection rings is self-explanatory: http://www.extremetech.com/article2/...1156611,00.asp

Level 0 : Operating system Kernel (highest privilege)
Level 1 : Operating System Services (Device Drivers etc.)
Level 2 : " " As above
Level 3 : Applications (lowest privilege)

As we know, Virtual devices emulate hardware by definition, so the O/S sees it as easily as a genuine hardware.

Well:

DevStudio ASM
#ESC00000004: Sony MAPI Layer 2.4.17.1 *rooted to WinAPI (explorer.exe)
#ESC00000121: SSECROM DLApi v8.2.2 *rooted to WinAPI (explorer.exe)
#ESC000002C1: SSECDLL Miniport services *rooted to core (kernel Win32 layer)

The last one, a Minicom driver? Hmm, what would be the purpose of a Minicom driver other than to communicate a Virtual Device with the Kernel? This Device is a virtual Network Interface Card, and my point is that it is used for activation purposes. Ask yourselves: what would be the purpose of this driver if it is not working as I have said? How would it be useful if this Minicom driver runs at Ring-3, installing a Virtual Device NIC in Ring 3, and any one of the higher Rings can feed false data to this driver, rendering it useless?

All these drivers may SIT in ring-3, but that's just a smoke screen, as the basic O/S structure PROVES (yes AJ crowd, for honest readers this is a proof, common sense, logic etc.). So it SITS at ring-3 but it has RING0 access because....

Before I say the reason I will speak about emulation. To allow the emulation to run faster on lower end systems, most code writers code as HLE (High level emulation), in which you only emulate what is specifically needed in the hardware at any given point in time. The PC based N64 emulator is a good example of HLE in use. Because of this HLE approach, any DRM running as a (Virtual App), with higher access in Ring 0, can expose the lack of the other registers if they look in the right place at the right time. You cannot do this from Ring 2 or 3, as your driver/application does not have the authority to make such enquiries of the hardware from there. Normal Windows Security protocols prevent it. Although not impossible to do from those run levels. If you circumvent the Windows security protocols, then your DRM stops being a DRM and is legally classified as a virus and you will be prosecuted.

So Securom has 2 options: running in Ring0 or circumventing Windows Security protocols.

AJ, I would like your answer other than "proof this" or similar troll response.

Warmest Regards
Sblade
#2
I loled.
10 chars.
#3
Thanks, Sblade, nice and somehow disturbing article.
#4
hmmmmmmmmmmmmmmmmm
#5
QFT, my exact thoughts.
#6
you lol`d ?
i started lolling here > and almost fell off me chair here Quote:
i get the feeling, somewhere in his house is a large collection of shopping bags, toothpicks and used toilet paper. maybe even glass jars filled with his excretions from the last 5 years
#7
Well he ignored that bit. Guess that means he agrees with you seeing as he has absolutely no answer of substance.
#8
What program produced this output? Looks like pure BS to me. Post screenshots.
#9
Quote:
he asked for my opinion, and in the same sentence tells me what i am not allowed to answer with. and as i stated.. i almost fell orf me chair laughing. its like someone asking... "what's 1 + 1... but don't tell me its 2" and also notice i am not even mentioning that this is just more regurgitation that ended when people asked for proof of the nefarious claims.
#10
Your example isn't a good one AJ, because opinions are not truths.