
Killing drivers... Deepfreeze


matthew
February 23rd, 2002, 23:40
There is a program called Deepfreeze that monitors what you do to the computer and then undoes them when you reboot. That's to stop people from monitoring public and school computers. (I'm not actually sure how it works exactly).

It loads two drivers into Windows...
DepFrzHi.sys and DepFrzLow.sys..

That way you cannot close down the programs. And if the computer is properly set up you can't boot to DOS and delete them either.

So, does anybody know of a way to unload drivers while Windows is running? If that's possible...

I've also thought that the program doesn't monitor the master boot record, so I could write something into the MBR, and then have it delete the drivers before they load...

Any thoughts?

Kayaker
February 24th, 2002, 00:46
Hi Matthew

I'm assuming this is a totally academic question, asked only in the pursuit of knowledge with no hacking intent.

I guess the problem here is that these would be statically loaded VxDs, else you could probably use a VxD call such as VXDLDR_UnloadDevice to unload the drivers.

From the Win98DDK:

A dynamically loadable VxD can be loaded and unloaded at any time. (By contrast, static VxDs can be loaded only when the system is initialized and cannot be unloaded.)

(For statically loaded drivers)
The VMM32 loader loads VxDs in three distinct steps:

1. Base drivers specified in the registry
2. Static VxDs for devices enumerated by other VxDs
3. Static VxDs specified in SYSTEM.INI

Have you found how/where the drivers are loaded yet? I haven't looked at the program, but I'd guess DeepFreeze was using methods 1 or 2. Number 2 sounds like how Softice loads (via autoexec.bat). There may be no way to unload the drivers per se, but if #1 is being used you may be able to modify the registry so they aren't loaded on reboot. The drivers to be loaded from the registry are in

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD

Of course, it's possible the program checks the integrity of its driver loading as you shut down, in which case any changes you've made might be detected. Also check C:\Windows\wininit.ini for any changes. Your MBR trick might work, though I have no idea about that, and there may be other ways the drivers are loaded as TSRs.

Cheers,
Kayaker
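The three load points Kayaker lists (the Services\VxD registry key, the [386Enh] section of SYSTEM.INI, and whatever autoexec.bat starts) can be audited offline from copies of the files pulled off the machine, for instance from a boot floppy, without touching the running system. The script below is an added example written for this page; it is not code from the thread and not Deep Freeze's own code. It assumes the REGEDIT4 export format and the `StaticVxD` value name under each `Services\VxD` subkey as they are on Windows 9x, and the `device=` lines of `[386Enh]`. The three sample inputs are constructed here; the Deep Freeze-looking entries in them are placeholders to exercise the matcher, not a record of how the product actually registers its drivers.

```python
"""Enumerate static-VxD load points from offline copies of a Windows 9x
registry export, SYSTEM.INI and AUTOEXEC.BAT. Added example with constructed
sample data; the DEPFRZ* entries below are placeholders, not real records."""
import re
from typing import Dict, List, Tuple

VXD_SERVICES_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD"

# Constructed REGEDIT4 export of the Services\VxD key (regedit /E output).
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\VNETSUP]
"StaticVxD"="vnetsup.vxd"
"Start"=hex:00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\DEPFRZHI]
"StaticVxD"="C:\\WINDOWS\\SYSTEM\\DepFrzHi.sys"

[HKEY_LOCAL_MACHINE\Software\Example\NotADriverKey]
"StaticVxD"="ignored.vxd"
"""

# Constructed SYSTEM.INI; only [386Enh] device= lines load VxDs.
SAMPLE_SYSTEM_INI = r"""[boot]
shell=Explorer.exe

[386Enh]
device=*vmm
device=*vcd
device=DepFrzLow.sys
DEVICE=C:\TOOLS\some.386
"""

# Constructed AUTOEXEC.BAT with a hypothetical loader line.
SAMPLE_AUTOEXEC = r"""@ECHO OFF
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
C:\EXAMPLE\DEPFRZ.EXE /LOAD
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_STATIC_RE = re.compile(r'^"StaticVxD"="((?:[^"\\]|\\.)*)"$', re.IGNORECASE)


def _reg_unescape(value: str) -> str:
    # REGEDIT4 escapes a backslash as two backslashes and a quote as \"
    return value.replace(r'\"', '"').replace("\\\\", "\\")


def parse_reg_static_vxds(reg_text: str) -> List[Tuple[str, str]]:
    """Return (service name, driver path) for each StaticVxD value that sits
    directly under the Services\\VxD key; StaticVxD values elsewhere are ignored."""
    found: List[Tuple[str, str]] = []
    current_key = None
    prefix = VXD_SERVICES_KEY.lower() + "\\"
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        val_match = _STATIC_RE.match(line)
        if val_match and current_key and current_key.lower().startswith(prefix):
            service = current_key[len(prefix):]
            found.append((service, _reg_unescape(val_match.group(1))))
    return found


def parse_system_ini_devices(ini_text: str) -> List[str]:
    """Return the device= entries of the [386Enh] section, in file order."""
    devices: List[str] = []
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "386enh" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "device":
                devices.append(value.strip())
    return devices


def find_load_points(reg_text: str, ini_text: str, autoexec_text: str,
                     name_pattern: str) -> Dict[str, List[str]]:
    """Report every load point whose service name, path or command line
    matches name_pattern (case-insensitive regex), grouped by source."""
    pat = re.compile(name_pattern, re.IGNORECASE)
    hits: Dict[str, List[str]] = {"registry": [], "system.ini": [], "autoexec.bat": []}
    for service, path in parse_reg_static_vxds(reg_text):
        if pat.search(service) or pat.search(path):
            hits["registry"].append(f"{VXD_SERVICES_KEY}\\{service} -> {path}")
    for device in parse_system_ini_devices(ini_text):
        if pat.search(device):
            hits["system.ini"].append(device)
    for raw in autoexec_text.splitlines():
        if pat.search(raw):
            hits["autoexec.bat"].append(raw.strip())
    return hits


if __name__ == "__main__":
    for source, entries in find_load_points(SAMPLE_REG, SAMPLE_SYSTEM_INI,
                                            SAMPLE_AUTOEXEC, "depfrz").items():
        print(f"{source}: {entries or '(none)'}")
```

On the target you would produce the registry input with something like `regedit /E vxd.reg HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD` (assumed syntax for the Win9x regedit export switch) and copy SYSTEM.INI and AUTOEXEC.BAT alongside it. An empty result does not mean the driver is not loaded: Kayaker's second loading step (static VxDs brought in by another VxD's enumeration) and a TSR started from somewhere else leave no trace in these three files, which is exactly the gap this check cannot close.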

matthew
February 24th, 2002, 02:49
I'll have to wait until Monday to try this out.. I've got Deepfreeze 2000, but the target computer has Deepfreeze 98...

target being my testbed computer for completely legal testing applications.

curious_lurker
March 3rd, 2002, 02:32
This is an interesting program... and one that I've sort of thought about taking a look at for a while... but have always said "after I finish this project" and this one runs into another one, etc...

lol

Oh well, I finally have some free time... and think I could have some fun with this one.. Gonna try installing it on my old machine and see what I can find... if I find anything you might find useful I will let you know.

I remember one time reading that it ~supposedly~ still works even if you try to fdisk... don't know whether it was true or just marketing propaganda... if it is though maybe it might do weird things with the filesystem itself?
Play with the FAT or something?

DakienDX
March 3rd, 2002, 11:26
Quote:
Originally posted by curious_lurker
I remember one time reading that it ~supposedly~ still works even if you try to fdisk... don't know whether it was true or just marketing propaganda... if it is though maybe it might do weird things with the filesystem itself?
Play with the FAT or something?

Hello curious_lurker !

What do you mean by trying FDISK? If you delete a partition with FDISK or even only format it, the FAT will be erased. What should the program hide in it anyway? You've just 2 bits of the file attribute and 16 bits reserved for NT left in a directory for setting any security restrictions.

matthew
March 6th, 2002, 06:36
Well, when we had the computer lab all to ourselves we popped the case and cleared the BIOS. Then gave the BIOS a new password and made floppy disks bootable.

I saw something in the autoexec.bat about Deepfreeze and I removed it, but the drivers are still loading from somewhere. I've taken a look into the registry but couldn't see anything.

And I STILL don't know the name of the drivers so I cannot just kill them. Windows 2000 Deepfreeze is easy enough to disable, except Windows 2000 has nice new protection which offsets the easy kill and makes it really difficult. (NTFS)

As soon as I can be bothered to put Win98 on my own computer and monitor the files it installs I'll be done, but as we've ALL said...... "I'll do it later"

I doubt Deepfreeze does anything with the MBR as it's so easy to repair it with Deepfreeze, I'm guessing it starts from the registry... just need the driver file name.

curious_lurker
March 7th, 2002, 00:32
Deep Freeze can be sort of an, erm... persistent program, can't it?

I guess it might help to persist.


Of course I haven't looked at the NT version... so I don't know if this makes any sense for it or not.

curious_lurker
March 7th, 2002, 00:38
Also forgot to mention.... (again this might not be the case with the NT version) that the registry entries I've found were under hkeylocalmachine/software/hypertechnology

although the keys weren't really necessary for what I did.