Protector of My Digital Contents
So Cool (PL) 19th Kang, Sung won
19th Park, Jong min
19th Park, Gui mong
Agenda
1. Project Motive
2. Goal
3. Architecture
4. Detail
5. Development Environment
6. Division of Work
7. Project Schedule
8. Q & A
Protector of My Digital Contents Busan Samsung Software Membership
Project Motive
Project Motive
X?
User
Goal
Protector
Prevent Illegal Copy & Use
Unlimited
File Format
(Limited Period)
JPG
JPG
Regular Players
Entire Architecture
License Policy
Contents
Provider Application
+
Web Server
Windows Driver
ActiveX
License Policy
License Policy
Contents
User
Windows Driver
Web Server Address
Connect (Using Web Browser)
Using ActiveX (Automatically install Driver & License)
Contents Transmit
Provider Architecture
Provider Application
Add File
Save String[]
License Setup to File
CAB File Auto Make
Add to Web Server & Running
DownLoader Architecture
Provider
User
Add File
Provider Application
WebServer DownFile
List
INCLUDE
Setup
RUN
WebServer DownFile
List
READ
Downloader File Down
System Architecture (File System Filter Driver)
Application
I/O Manager
File System Filter
File System
Stack
User Level
Kernel Level
Filter Manager
System Mini Filter Driver
Network Mini Filter Driver
Detail (SSDT Hooking)
System Service Dispatch Table
XX
Keeper (Self Defender)
System Service Dispatcher
System Service
XX
Detail (Process Hide)
Keeper Driver (Self Defender)
SystemInformationClass
SystemInformation
….
ReturnLength
SystemInformationLength
NewZwQuerySystemInformation
Process information
DCBA
Detail (File Hide)
Keeper Driver (Self Defender)
hFile
hEvent
….
IoApcContext
FileInfoClass
NewZwQueryDirectoryFile
Hide File & Folder inform
DCBA
Detail (Active X)
Detail (Active X)
.inf File Make
.CAB File Make
Detail (Active X)
Detail (Anti-Reversing)
Anti-Reversing Techniques
Anti-Analysis
BreakPoint Detection
Garbage Code
Anti-Disassembly
Detail (Anti-Reversing)
Anti-Disassembly
Example Code
Detail (Anti-Reversing)
Anti-Disassembly
Apply
Detail (Anti-Reversing)
Anti-Disassembly
Result
Detail (Anti-Reversing)
BreakPoint Detection
Apply
Detail (Anti-Reversing)
BreakPoint Detection
Result
Will jump to the wrong memory address.
Detail (Anti-Reversing)
Garbage Code
Apply
Detail (Anti-Reversing)
Garbage Code
Result
Complex code
Detail (Anti-Capture)
Anti-Capture
Empty clipboard
Native Api Hooking
Dll Injection
Prevent use of the Ctrl + C and PrintScreen keys
BitBlt() Hooking
NtGdiBitBlt() Hooking
User
Anti-Capture
Detail (Anti-Capture)
Anti-Capture
Native Api Hooking
NtGdiBitBlt Function Hooking
Win32k.sys SystemServiceDescriptorShadowTable Hooking
Detail (Device Driver Loader)
Device Driver Loader
Service Control Manager (SCM)
InstallHinfSection
Program Install
Registry Protection
RUNDLL32.EXE SETUPAPI.DLL,InstallHinfSection DefaultInstall 132 Driver.inf
Development Environment
Development Environment
OS : Windows XP SP3
IDE : Microsoft Visual Studio 2008 / 6.0
Windows Driver Kit 7600.16385.0
Debug Tool : OllyDBG, WinDbg, DbgView
Virtual Machine : VMWare Workstation 6.0
Language : C#, C, C++, Assembly
Division of Work
Kang, Sung won (PL)
Provider Application (Protector)
- Digital Contents File Management
- License Policy
- Web Server & Web Page
- ActiveX (Automatically install Driver & License)
Anti-Reversing
- Garbage Code
- Anti-Disassembly
- Breakpoint Detection
Anti Capture
Park, Jong min
Park, Gui mong
Keeper (Windows Driver)
Mini Filter Driver
- System Filter Driver
- Network Filter Driver
Driver Loader
Project Schedule
TASK 08 09 10
1 2 3 4 5 6 7 8 9 10 11 12
Protector
GUI
Contents File Management
License Policy
Web Server & Page
ActiveX (Auto Install)
Anti-Reversing
Garbage Code
Anti-Disassembly
Breakpoint Detection
Keeper
Anti Capture
System Filter Driver
Network Filter Driver
Driver Connection Process
Driver Loader
Keeper Driver
Anti-SSDT Hooking
Unify Test & Debugging
Kang, Sung won
Park, Jong min
Park, Gui mong
Question & Answer
Thank you