Code Signing of Windows Vista bypassed


Osiris (Golden Master, 36,817 messages, Kentucky)
Microsoft added resource-heavy DRM processes to Windows Vista in a move to "please" the content industry. I can't think of another reason why they would add this kind of mechanism if there were not some kind of agreement between them and the content industry. Microsoft would have made such a big impact if Vista did not enforce digital rights management protections on content. The system would probably be more stable, faster and more resource-friendly. Well, Microsoft decided to ensure that not only the needs of the consumers but also those of the content owners would be supported, which makes me wonder which consumer would actually be pro-DRM.
There have actually been two announcements this year that bypass driver and code signing in Windows Vista, which essentially means that DRM can be bypassed and unprotected HD content can be watched in HD quality on your computer. The first, which dates back to January this year, was described by Alex Ionescu in his own blog.

This feature is the ability of the PMP to notify A/V applications that there are unsigned drivers on the system, as well as provide a list of unsigned drivers. The idea is that the application can either outright refuse to play content, or that it can scan for known anti-DRM drivers which might be attempting to hook onto the unencrypted stream. This leads me to believe that it's up to applications, not the OS, to enforce this DRM check.
The great thing about the code I've written is that it does NOT use test signing mode and it does NOT load an unsigned driver into the system. Therefore, to any A/V application running, the system seems totally safe — when in fact, it's not. Now, because I'm still booting with a special flag, it's possible for Microsoft to patch the PMP and have it report that this flag is set, thereby disabling premium content. However, because I already have kernel-mode code running at this point, I can disable this flag in memory, and PMP will never know that it was enabled. Again, Microsoft could fight this by caching the value, or obfuscating it somewhere inside PMP's kernel-mode code, but as long as it's in kernel-mode, and I've got code in kernel-mode, I can patch it.

Alex fears an expensive lawsuit and ponders how he should publish his findings without being sued by the content owners. I think that this is one of the tactics that they use to enforce DRM. It has nothing to do with hardware or software; they put pressure on governments, software companies, hardware manufacturers and individuals. Fear is one of their strongest weapons. They apply the same tactics by suing a handful of individual file sharers and announcing it widely on the world wide web. The hope is of course to create fear in others, who will stop file sharing over p2p because of this.
NvLabs announced a bootloader called Vbootkit, which they demonstrated at the Black Hat conference in Amsterdam three days ago.
We have recently been researching Vista. Meanwhile, our research for fun led us to some important findings. Vista is still vulnerable to unsigned code execution. vbootkit is the name we have chosen (V stands for Vista and boot kit is just a term coined for a kit which lets you doctor the boot process). The vbootkit concept presents how to insert arbitrary code into RC1 and RC2, thus effectively bypassing the famous Vista policy of allowing only digitally signed code to be loaded into the kernel. The presented attack works using custom boot sectors. Custom boot sectors are modified boot sectors which hook the booting process of the system and thus gain control of the system. Meanwhile, the OS continues to boot and goes on with normal execution.
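The "scan for unsigned drivers" check that the quoted post says PMP exposes to A/V applications, written out as an added example that is not part of the original post and not code from either research team: a PowerShell script (assumed to run elevated on a current Windows host; the function name Get-UnsignedDriverReport is my own) that lists the kernel drivers registered with the Service Control Manager and verifies each binary's Authenticode signature.

```powershell
# Added example, not from the original post. Enumerates registered kernel
# drivers (Win32_SystemDriver) and reports the Authenticode status of each
# driver binary, the same kind of unsigned-driver scan the quoted post
# describes PMP offering to A/V applications.
#
# Caveat stated in the post itself: kernel code that never arrives as a
# driver (a modified boot sector, in-memory patching of a flag) does not
# appear in this list, so a clean report here is not proof of a clean kernel.

function Get-UnsignedDriverReport {
    [CmdletBinding()]
    param(
        # Report only drivers that are currently loaded rather than every
        # driver registered on the system.
        [switch]$RunningOnly
    )

    $drivers = Get-CimInstance -ClassName Win32_SystemDriver
    if ($RunningOnly) {
        $drivers = $drivers | Where-Object { $_.State -eq 'Running' }
    }

    foreach ($drv in $drivers) {
        $path = $drv.PathName
        if (-not $path) { continue }

        # PathName may be a plain Win32 path or an NT-style path such as
        # \SystemRoot\System32\drivers\x.sys, \??\C:\...\x.sys or a
        # system32\DRIVERS\x.sys fragment relative to the Windows directory.
        $path = $path.Trim('"')
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        $path = $path -replace '^\\\?\?\\', ''
        if ($path -match '^system32\\') {
            $path = Join-Path $env:SystemRoot $path
        }

        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{
                Name   = $drv.Name
                State  = $drv.State
                Path   = $path
                Status = 'FileNotFound'
                Signer = $null
            }
            continue
        }

        # Status is Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Name   = $drv.Name
            State  = $drv.State
            Path   = $path
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

# Usage: show every loaded driver whose signature is anything other than Valid.
Get-UnsignedDriverReport -RunningOnly |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Name |
    Format-Table Name, State, Status, Path -AutoSize
```

Two things to keep in mind when reading the output. Many in-box Windows drivers are signed through a catalog rather than with an embedded signature, so on older PowerShell versions that only check embedded signatures they show up as NotSigned; re-check such entries with `signtool verify /a /v <file>`, which also consults catalogs. And, as the quoted post argues, this is a list of drivers, not of kernel-mode code: anything that got into the kernel without registering as a driver is invisible to it.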
 