monitor - intercept raw disk Access

As I know, there are some methods for writing raw data to a disk sector (my attention is on the MBR) from user mode.

MSDN: http://msdn.microsoft.com/en-us/library/windows/hardware/jj856974.aspx

> In addition to the various WriteFile APIs, there are device I/O control requests that may be used to issue writes to a volume or to a disk:
>
> IOCTL_STORAGE_MANAGE_DATA_SET_ATTRIBUTES
> IOCTL_SCSI_PASS_THROUGH
> IOCTL_SCSI_PASS_THROUGH_DIRECT

According to my test, a “disk class upper filter” can't filter these IOCTLs.
So what must I develop to filter all possible ways, in order to deny user-mode raw disk writes (especially to the MBR)?

If possible, I want to see the requester process ID (as I remember, at the disk level I can't see it).

Thanks in advance.

There is no need for that. Regular users don’t have permission for raw writes. The permissions to write to the boot volume are not given even to administrators.

Maybe not directly, but there are plenty of ways for an admin to modify the boot sector/partition table. IOCTL_DISK_RESET_SNAPSHOT_INFO for one …

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@broadcom.com
Sent: Saturday, June 01, 2013 4:14 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] monitor - intercept raw disk Access

There is no need for that. Regular users don’t have permission for raw writes. The permissions to write to the boot volume are not given even to administrators.


NTDEV is sponsored by OSR

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
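The question asks how a filter would recognise every user-mode path to the MBR and who issued the request, and the reply adds IOCTL_DISK_RESET_SNAPSHOT_INFO to the list from MSDN. The following is an added example, not code posted by anyone in this thread: it models, in Python, the per-IRP decision such a filter would make. The IOCTL values are rebuilt from the CTL_CODE macro the way the Windows headers define them, the CDB layouts are the standard SCSI WRITE(6)/(10)/(16) formats, and `Request`, `evaluate()` and the sample requests are constructed for illustration.

```python
"""Decision model for a storage filter that refuses raw writes to the MBR.

Added example for this thread, not code posted in it. Request, evaluate()
and the samples in demo() are hypothetical; the IOCTL constants are derived
from CTL_CODE as the Windows headers define them.
"""
from dataclasses import dataclass

SECTOR = 512  # LBA 0 on a 512-byte-sector disk holds the MBR

# CTL_CODE(DeviceType, Function, Method, Access) as in winioctl.h / ntddk.h
METHOD_BUFFERED = 0
FILE_READ_ACCESS = 0x0001
FILE_WRITE_ACCESS = 0x0002


def ctl_code(device_type, function, method, access):
    return (device_type << 16) | (access << 14) | (function << 2) | method


IOCTL_SCSI_BASE, IOCTL_DISK_BASE, IOCTL_STORAGE_BASE = 0x04, 0x07, 0x2D

# The three IOCTLs quoted from MSDN plus the one named in the reply
IOCTL_SCSI_PASS_THROUGH = ctl_code(
    IOCTL_SCSI_BASE, 0x0401, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
IOCTL_SCSI_PASS_THROUGH_DIRECT = ctl_code(
    IOCTL_SCSI_BASE, 0x0405, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)
IOCTL_STORAGE_MANAGE_DATA_SET_ATTRIBUTES = ctl_code(
    IOCTL_STORAGE_BASE, 0x0501, METHOD_BUFFERED, FILE_WRITE_ACCESS)
IOCTL_DISK_RESET_SNAPSHOT_INFO = ctl_code(
    IOCTL_DISK_BASE, 0x0084, METHOD_BUFFERED, FILE_READ_ACCESS | FILE_WRITE_ACCESS)

PASS_THROUGH = {IOCTL_SCSI_PASS_THROUGH, IOCTL_SCSI_PASS_THROUGH_DIRECT}
# These carry range lists the model does not parse, so the whole class is refused
DENY_WHOLE_CLASS = {IOCTL_STORAGE_MANAGE_DATA_SET_ATTRIBUTES, IOCTL_DISK_RESET_SNAPSHOT_INFO}


def decode_ioctl(code):
    """Split a control code back into its CTL_CODE fields (useful for logging)."""
    return {"device_type": code >> 16, "access": (code >> 14) & 0x3,
            "function": (code >> 2) & 0xFFF, "method": code & 0x3}


def write_touches_mbr(byte_offset, length):
    """IRP_MJ_WRITE path (WriteFile on the PhysicalDriveN handle): does the
    byte range [offset, offset + length) overlap sector 0?"""
    return length > 0 and byte_offset < SECTOR


def scsi_write_range(cdb):
    """(lba, blocks) for a WRITE(6), WRITE(10) or WRITE(16) CDB carried by a
    pass-through request; None for any other opcode or a truncated CDB."""
    if not cdb:
        return None
    op = cdb[0]
    if op == 0x0A and len(cdb) >= 6:   # WRITE(6): 21-bit LBA, length 0 means 256
        lba = ((cdb[1] & 0x1F) << 16) | (cdb[2] << 8) | cdb[3]
        return lba, cdb[4] or 256
    if op == 0x2A and len(cdb) >= 10:  # WRITE(10)
        return int.from_bytes(cdb[2:6], "big"), int.from_bytes(cdb[7:9], "big")
    if op == 0x8A and len(cdb) >= 16:  # WRITE(16)
        return int.from_bytes(cdb[2:10], "big"), int.from_bytes(cdb[10:14], "big")
    return None


@dataclass
class Request:
    """One IRP as the filter sees it. pid is the process context the IRP
    arrived in; at the disk class level that can be a system thread rather
    than the user-mode originator, which is the limitation the question raises."""
    pid: int
    major: str             # "write" (IRP_MJ_WRITE) or "device_control"
    offset: int = 0
    length: int = 0
    ioctl: int = 0
    cdb: bytes = b""


def evaluate(req):
    """Return ("deny" | "allow", reason) for one request."""
    if req.major == "write":
        if write_touches_mbr(req.offset, req.length):
            return "deny", f"pid {req.pid}: IRP_MJ_WRITE covers LBA 0"
        return "allow", "write does not reach sector 0"
    if req.major == "device_control":
        if req.ioctl in PASS_THROUGH:
            rng = scsi_write_range(req.cdb)
            if rng and rng[0] == 0 and rng[1] > 0:
                return "deny", f"pid {req.pid}: pass-through WRITE starts at LBA 0"
            return "allow", "pass-through CDB does not write sector 0"
        if req.ioctl in DENY_WHOLE_CLASS:
            f = decode_ioctl(req.ioctl)
            return "deny", f"pid {req.pid}: function 0x{f['function']:x} refused outright"
        return "allow", "IOCTL not covered by policy"
    return "allow", "major function not covered by policy"


def demo():
    """Constructed sample requests; returns the list of decisions."""
    write10_lba0 = bytes([0x2A, 0, 0, 0, 0, 0, 0, 0, 1, 0])  # WRITE(10), LBA 0, 1 block
    write10_lba8 = bytes([0x2A, 0, 0, 0, 0, 8, 0, 0, 1, 0])  # WRITE(10), LBA 8
    read10_lba0 = bytes([0x28, 0, 0, 0, 0, 0, 0, 0, 1, 0])   # READ(10), LBA 0
    samples = [
        Request(1234, "write", offset=0, length=512),
        Request(1234, "write", offset=4096, length=512),
        Request(4321, "device_control", ioctl=IOCTL_SCSI_PASS_THROUGH_DIRECT, cdb=write10_lba0),
        Request(4321, "device_control", ioctl=IOCTL_SCSI_PASS_THROUGH, cdb=write10_lba8),
        Request(4321, "device_control", ioctl=IOCTL_SCSI_PASS_THROUGH, cdb=read10_lba0),
        Request(4, "device_control", ioctl=IOCTL_DISK_RESET_SNAPSHOT_INFO),
    ]
    return [evaluate(r)[0] for r in samples]


if __name__ == "__main__":
    for code in sorted(PASS_THROUGH | DENY_WHOLE_CLASS):
        print(f"0x{code:08X} {decode_ioctl(code)}")
    print(demo())
```

Two points the model makes explicit: a pass-through request cannot be judged from its control code alone, since the same IOCTL carries reads as well as writes, so the filter has to look inside the CDB; and the `pid` field is only as reliable as the context the IRP arrives in, which is exactly why the question expects the requester to be invisible at the disk level. None of this reaches a kernel-mode component that bypasses the storage stack, as the later reply in the thread notes.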

@grigora
"The permissions to write to the boot volume are not given even to
administrators." Yes, but there are some sectors you can write to, like the
MBR (check the above link).
My aim is to protect the MBR; as you know, a bootkit is able to write to the MBR.
I am going on to research more :slight_smile:

> @grigora
> The permissions to write to the boot volume are not given even to
> administrators. yes but it was some sector you can write to it like
> MBR ( check above link )
> my aim is protect MBR - as you know Bootkit can be able write to MBR
> i going on to research more :slight_smile:

One of the continuing themes throughout this list is that once you have
malware in the kernel, all bets are off. If it wants to rewrite the boot
record, there is absolutely nothing you can do to stop it. It probably
won't use the file system stack, but execute direct I/O requests to the
device. Figuring out which of a very limited set of hardware registers
that a device uses can't be all that hard (I've solved problems like this
many times), and there is absolutely nothing you can do to prevent or
detect such accesses. Now, if the disk drive issued a public key on
demand, and commands went out encrypted with that key, then the drive
itself can prevent access to "unregistered" users, providing the key can
be kept secret. That pushes the problem out by one level of indirection,
and still can't prevent malware access if the malware can generate its own
key request. I know something about how this might be done, but remember
that old joke about "I could tell you, but then I'd have to kill you"? I
signed an NDA that boiled down to "If I even /think/ about telling you, I
have to kill myself". It's by no means as simple as that description
suggests; the actual description runs for many pages, and no document
describing it could leave the building, under threat of eternal damnation
(let's just say this client was bigger than a multinational, and had
offices and factories on other planes of existence).
joe
