Posted by niom, 03-13-2007, 19:48
starforce 4.7 emulation detection tricks explained

sf uses at least 2 checks to figure out if it's the real deal or mounted.

check 1 - device stack:

basically, it checks if the top-level device objects of 2 devices are identical.
if they are identical, it's a real dvdrom; if they aren't, it's daemontools. why this works
can be easily seen in tools like DeviceTree.

the code goes like this (the explanation is kept as comments so the block compiles as one function; the error checks, OBJ_KERNEL_HANDLE, and the handle/reference/pool cleanups at the end were missing from the posted version):

Code:
#include <ntddk.h>
#include <initguid.h>
#include <ntddcdrm.h>   /* defines GUID_DEVINTERFACE_CDROM */

VOID CheckDeviceStack(VOID)
{
	/* first it queries the toplevel deviceobject for the current drive: */
	UNICODE_STRING driveName;
	FILE_OBJECT *driveFO;
	DEVICE_OBJECT *driveDO;   /* IoGetDeviceObjectPointer returns the top of the stack */
	RtlInitUnicodeString(&driveName, L"\\DosDevices\\d:");
	if (!NT_SUCCESS(IoGetDeviceObjectPointer(&driveName, STANDARD_RIGHTS_READ, &driveFO, &driveDO)))
		return;

	/* then it loops over all attached cdrom devices: */
	wchar_t *deviceNames;
	if (!NT_SUCCESS(IoGetDeviceInterfaces(&GUID_DEVINTERFACE_CDROM, NULL, 0, &deviceNames)))
	{
		ObDereferenceObject(driveFO);
		return;
	}
	for (wchar_t *deviceNamesPos = deviceNames; *deviceNamesPos; deviceNamesPos += wcslen(deviceNamesPos) + 1)
	{
		/* and queries the matching deviceobject for each device: */
		UNICODE_STRING deviceName;
		OBJECT_ATTRIBUTES attributes;
		HANDLE device;
		IO_STATUS_BLOCK status;
		FILE_OBJECT *deviceFileObject;
		DEVICE_OBJECT *deviceTop;

		RtlInitUnicodeString(&deviceName, deviceNamesPos);
		/* OBJ_KERNEL_HANDLE keeps the handle out of the current process' handle table */
		InitializeObjectAttributes(&attributes, &deviceName, OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE, NULL, NULL);
		if (!NT_SUCCESS(ZwCreateFile(&device, SYNCHRONIZE | FILE_READ_DATA, &attributes, &status, NULL, FILE_ATTRIBUTE_NORMAL, FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0)))
			continue;
		if (!NT_SUCCESS(ObReferenceObjectByHandle(device, FILE_READ_DATA, *IoFileObjectType, KernelMode, (void **)&deviceFileObject, NULL)))
		{
			ZwClose(device);
			continue;
		}

		/* then it gets the stack top of that deviceobject */
		deviceTop = IoGetAttachedDeviceReference(deviceFileObject->DeviceObject);

		/* and compares it to the drive toplevel devobj; if they are identical, it's a real cdrom */
		if (deviceTop == driveDO)
			DbgPrint("hi, im a real cdrom\n");
		else
			DbgPrint("hi, im fake actually\n");

		/* release what this iteration acquired */
		ObDereferenceObject(deviceTop);
		ObDereferenceObject(deviceFileObject);
		ZwClose(device);
	}
	ExFreePool(deviceNames);   /* list allocated by IoGetDeviceInterfaces */
	ObDereferenceObject(driveFO);
}

check 2 - DPC:
starforce raises the IRQL to super high, then it queues a DPC. the DPC proc is pretty simple: it just writes 1 to some memory address. then starforce starts an atapi read command. the trick is: the IRQL never gets lowered when it's a real cdrom, and without lowering the IRQL the DPC never gets executed, so the 1 never gets written. but if daemontools was used, the IRQL drops sooner or later and the DPC gets executed, so the 1 gets written...