
Idea of building a "write-blocking" Vista PE


19 replies to this topic

#1 st-dv

st-dv

    Frequent Member

  • Members
  • 121 posts
  •  
    Germany

Posted 26 November 2007 - 09:35 PM

Hello,

Does anyone have an idea how to get a sort of "write-blocking" on a VistaPE live CD?
so that - generally - all HDDs are write-blocked....

I have no idea.... anyone else ???

Thanks SDV

#2 booty#1

booty#1

    Frequent Member

  • .script developer
  • 285 posts
  • Location:Near Frankfurt
  •  
    Germany

Posted 27 November 2007 - 08:00 AM

Does anyone have an idea how to get a sort of "write-blocking" on a VistaPE live CD?
so that - generally - all HDDs are write-blocked....

Well, in general since Windows XP even NTFS partitions can be mounted read-only, but this feature is only used if the NTFS partition resides on read-only media. Therefore it may be possible, but until now I did not find any function that allows specifying that a HDD/volume/partition be mounted read-only.

booty#1

#3 NightMan

NightMan

    Frequent Member

  • .script developer
  • 433 posts
  • Location:Russian, Moscow

Posted 27 November 2007 - 08:24 AM

hm... we can disable all HDDs :cheers: (remove all drivers)

#4 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7771 posts

Posted 27 November 2007 - 01:46 PM

If there is no way to simply tell Vista to mount disk X as read-only, you could get the desired result with an overlay driver like FBWF or EWF.
Those do nothing but intercept communication between the system and the actual driver.
Your driver would need to intercept and kill all writes. Maybe simply returning an error when a write stream is to be opened is enough too?

:cheers:

#5 Galapo

Galapo

    Platinum Member

  • .script developer
  • 3841 posts
  •  
    Australia

Posted 27 November 2007 - 07:10 PM

As far as I know, FBWF only works with non-writable media. That is, you cannot use it to stop writes to writable media, only "virtually" enable writes to non-writable media.

Regards,
Galapo.

#6 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7771 posts

Posted 27 November 2007 - 08:06 PM

As far as I know, FBWF only works with non-writable media.

You misunderstood me.
I said an overlay filter like FBWF! Neither FBWF nor EWF can be used for what's intended.
A very simplistic overlay filter is what I suggested.

:cheers:

#7 Galapo

Galapo

    Platinum Member

  • .script developer
  • 3841 posts
  •  
    Australia

Posted 27 November 2007 - 08:41 PM

Hi MedEvil,

A little word like "like" can make all the difference! Sorry I misunderstood you.

Do you know of any such overlay filter?

Thanks,
Galapo.

#8 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7771 posts

Posted 27 November 2007 - 09:45 PM

Do you know of any such overlay filter?

No, but I remember reading @M$ that either Visual Studio or Driver Studio has a template for a driver like that. And since the only feature 'our' driver is about to have is to say, sorry, writing not possible, I would say that a driver like that can also be created by someone who has no previous experience with that sort of thing.

Being able to enable the driver only for specific drives is where things might start to get messy. :cheers:

:cheers:

#9 st-dv

st-dv

    Frequent Member

  • Members
  • 121 posts
  •  
    Germany

Posted 04 December 2007 - 06:05 PM

The thing is:

I got a program called "WriteblockerXP".
I used this one on my desktop PC on XP and Vista. The prog blocks everything (USB, IDE, optical, SATA) except the drives I want to write to.

But until now the prog does not work on Vista PE.
I copied the program files per script and the 4 "SYS files" that are needed to the System32\Drivers folder.... but the program doesn't work under VistaPE, saying: The drivers weren't enabled....

So that's why I am searching for another possibility...

I want to create a "forensic" live CD on the base of XP/Vista..... like it is realized in many Linux forensic live CDs....

#10 Nuno Brito

Nuno Brito

    Platinum Member

  • .script developer
  • 10554 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 04 December 2007 - 07:10 PM

You should try to trace all steps done by this program while installing.

I would put my finger on the services - look inside your Services icon inside Administrative Tools and see if any of those entries were added by your program.

One other thing that might happen - the need to register an OCX/DLL file - this may also be a cause.

Good luck.

:cheers:

#11 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7771 posts

Posted 04 December 2007 - 07:41 PM

@st-dv
Have you tried to only copy the 4 files to an XP system, to see if it is working that simply at all?
I doubt that it is, but you never know.

In case the 4 sys files are really the whole 'program', you still need to install the drivers. For that you either need to include the inf file as well, or have to write the appropriate settings directly into the registry.
But I would do all my tests on an XP based PE, so I know that it will work when I have all the needed things together.

:cheers:

#12 st-dv

st-dv

    Frequent Member

  • Members
  • 121 posts
  •  
    Germany

Posted 05 December 2007 - 07:26 AM

Nuno Brito,

thanks...

but do YOU have no other idea for realizing my idea?

#13 Alexei

Alexei

    Silver Member

  • .script developer
  • 664 posts

Posted 05 December 2007 - 11:33 AM

but do YOU have no other idea for realizing my idea?

I believe you can find a root-kit for Vista (in a prog language you're comfortable with) and make some changes that would not just declare the medium read-only, but protect it from writes on the "NT native" level (for double assurance).
You can also try to find the famous "filemon" source and modify it for your needs (not sure about legality, though).
:cheers:
Alexei

#14 Nuno Brito

Nuno Brito

    Platinum Member

  • .script developer
  • 10554 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 05 December 2007 - 12:53 PM

Nuno Brito,

thanks...

but do YOU have no other idea for realizing my idea?


I've already told you how it should be possible to make this "WriteblockerXP" work.

It will surely be easier to follow all steps done during the install procedure of this program and then try porting them to a boot disk than writing a write filter/rootkit yourself.

There's a small tutorial explaining how to create your script here --> http://www.boot-land...ript-t2665.html

To track changes on the program install, use tools like RegShot, FileMon, RegMon and Dependency Walker (google for download links).

H7SE also developed a good tool to trace back these changes - he's a member on this forum and maybe you can help him improve his tool with feedback.

Good luck.

:cheers:

#15 dog

dog

    Frequent Member

  • Expert
  • 236 posts

Posted 06 December 2007 - 12:44 PM

There is a thread about write blocking here:
http://www.911cd.net...&...st&p=126401
Although if it is the program mentioned, it may be difficult to get the files without being a policeman.
Also, Vista is not XP, so there are no guarantees that low-level software designed for XP will work with Vista PE.

#16 st-dv

st-dv

    Frequent Member

  • Members
  • 121 posts
  •  
    Germany

Posted 06 December 2007 - 12:48 PM

so.....:

in the services.msc list............. there is no entry about the program....

#17 Nuno Brito

Nuno Brito

    Platinum Member

  • .script developer
  • 10554 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 06 December 2007 - 01:09 PM

Track the install procedure then.

Use RegMon and FileMon to see where registry keys are read/written and which files are called.

I also use Dependency Walker to launch the executable and see which DLL files it is using.


--------------------

Using google I stumbled on another thread about this matter where this option is also mentioned:

Windows XP Service Pack 2 (SP2) introduces a new registry subkey that lets you mark USB-based storage devices such as memory sticks as read-only devices. This is a useful security capability that can prevent users from copying data from their systems and taking that data offsite via a USB device. To enable the USB write protection, perform the following steps:
1. Start the registry editor (regedit.exe).
2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies subkey. (Create the StorageDevicePolicies subkey if it doesn't already exist.)
3. From the Edit menu, select New, DWORD Value.
4. Type the name WriteProtect and press Enter.
5. Double-click the new value and set it to 1. Click OK.
6. Close the registry editor.
7. Restart the computer.
To disable this change, you can either set WriteProtect to 0 or delete it.

http://www.forensicf...m...opic&t=1902


This seems to be the same method used by this command line tool (freeware) here:
http://www.joeware.n...eprot/index.htm
http://www.joeware.n...eprot/usage.htm

And a recommendation from Joe:

Have tested Writeprot
http://www.joeware.n...s/writeprot.htm
Implemented this to my WinXpe dvd.
Seems to work fine, tested with the -unsafe parm.
on a single harddrive with Windows Xp on primary and data drive on logical.
I was NOT able to boot my normal Windows Xp system after this,
had to boot WinXpe and remove protection again.
Now my normal Windows Xp booted and worked fine.
Must be a bit setting in the disk/partition environment detected by XP
in an early stage of the boot process.
Hoped it could work on a USB Flash stick, but NO, can't detect this type of devices.

http://www.911cd.net...&...st&p=126425

--------------------


Or maybe a hardware based solution?

http://www.datadupli.../drivelock.html
http://www.datadupli...-previewer.html

---------

:cheers:
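
A PowerShell version of the registry procedure quoted above, added here as an example and not from the thread, the linked forum post or the Writeprot tool: it sets or clears StorageDevicePolicies\WriteProtect and reads the value back, either on the running system or in an offline SYSTEM hive such as the one inside a mounted PE boot.wim (whether a PE actually honours the value, the question raised in the thread, is left open). It assumes an elevated shell; the offline hive path and ControlSet001 as the PE's boot control set are assumptions.

```powershell
# Added example (not from the thread): set the SP2 StorageDevicePolicies\WriteProtect
# value on the running system, or inside an offline SYSTEM hive, and verify it.
# Assumptions: elevated shell; for the offline case, the hive is a mounted image's
# Windows\System32\config\SYSTEM and its boot control set is ControlSet001.
param(
    [switch]$Disable,          # clear the protection instead of enabling it
    [string]$OfflineHive       # e.g. 'X:\mount\Windows\System32\config\SYSTEM' (hypothetical path)
)

$desired = if ($Disable) { 0 } else { 1 }

if ($OfflineHive) {
    $mount = 'HKLM\PEHIVE'     # temporary mount point for the offline hive
    & reg.exe load $mount $OfflineHive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not load hive $OfflineHive" }
    $policyKey = 'HKLM:\PEHIVE\ControlSet001\Control\StorageDevicePolicies'
} else {
    $policyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
}

try {
    # Step 2 of the procedure: the subkey does not exist by default, so create it.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }

    # Steps 3-5: WriteProtect is a REG_DWORD; 1 = block writes to USB storage, 0 = allow.
    Set-ItemProperty -Path $policyKey -Name WriteProtect -Type DWord -Value $desired

    # Read the value back so the result is verified rather than assumed.
    $actual = (Get-ItemProperty -Path $policyKey -Name WriteProtect).WriteProtect
    if ($actual -ne $desired) { throw "WriteProtect is $actual, expected $desired" }
    Write-Host "WriteProtect=$actual under $policyKey (step 7: reboot needed on a live system)"
}
finally {
    if ($OfflineHive) {
        [GC]::Collect()        # release registry handles before unloading the hive
        & reg.exe unload $mount | Out-Null
    }
}
```

Run with -OfflineHive while the PE image is mounted to bake the value into the image, or without it to apply steps 1-6 on the running system; -Disable corresponds to the last line of the quoted procedure.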

#18 MedEvil

MedEvil

    Platinum Member

  • .script developer
  • 7771 posts

Posted 06 December 2007 - 03:24 PM

Windows XP Service Pack 2 (SP2) introduces a new registry subkey that lets you mark USB-based storage devices such as memory sticks as read-only devices. This is a useful security capability that can prevent users from copying data from their systems and taking that data offsite via a USB device. To enable the USB write protection, perform the following steps:
1. Start the registry editor (regedit.exe).
2. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies subkey. (Create the StorageDevicePolicies subkey if it doesn't already exist.)
3. From the Edit menu, select New, DWORD Value.
4. Type the name WriteProtect and press Enter.
5. Double-click the new value and set it to 1. Click OK.
6. Close the registry editor.
7. Restart the computer.
To disable this change, you can either set WriteProtect to 0 or delete it.

Nuno do you think this could work in PE too? I mean we have no security or policy settings working. :cheers:

:cheers:

#19 Nuno Brito

Nuno Brito

    Platinum Member

  • .script developer
  • 10554 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  •  
    European Union

Posted 06 December 2007 - 05:04 PM

Don't know because I haven't tried it myself - only passing along what google kindly provides and I've learned to never say never on these forums.. :cheers:

My personal choice would be a hardware based solution instead. :cheers:

#20 was_jaclaz

was_jaclaz

    Finder

  • Advanced user
  • 7100 posts
  • Location:Gone in the mist
  •  
    Italy

Posted 06 December 2007 - 08:28 PM

http://www.forensicf...m...opic&t=1902


The "right" link should be this one :cheers::
http://www.forensicf...m...topic&t=559

jaclaz
