Saturday, November 05, 2005

Sony DRM rootkit code (#16) System Call Hooking Sony DRM rootkit code (#16) System Call Hooking

The posters to Mark Russinovich's recent blog entry: "More on Sony: Dangerous Decloaking Patch, EULAs and Phoning Home" have managed to use the Sony DRM code to break Windows systems by exploiting the vulernerabilities inherant in system call hooking.

In particular, if you rename the Sony drivers, then start the original, followed by the copy, then stop the original, followed by the copy, Windows systems fail. Why? Because when they load they do system call hooking, inserting themselves between the system call table and the driver that should be called for that API. But when you do it twice, each driver inserts itself at the top. So you have:
Table->module0 (original module)
But when you unload them in FIFO order (module1, module2), instead of LIFO order (module2, module1), it doesn't get cleaned up properly. When module2 is unloading, it restores the contents of the system call table to what it was when it loaded (module1), but module1 had already been unloaded. The table entry now points at the address where module1 was - but no longer is. Boom.


4:55 PM Display: Full / Chopped / Footer

Display: Full / Chopped / None

Display: Full / Footer / None

Display: Chopped / Footer / None


Post a Comment

Links to this post:

Create a Link

<< Home >>