
Hacking Deep Freeze


Sergei Polonov

Jan 12, 2003, 3:32:09 PM
DeepFreeze is a very popular desktop security program for Windows
95/98/Me and 2000/XP and is pushing all other security programs in the
same category out of the market. FullControl, Fortres 101, and
FoolProof are being replaced by DeepFreeze in many schools,
universities and libraries. So why is it garnering so much respect
and capturing so much market? Because programs like FoolProof and
FullControl are worthless, easily-defeated pieces of crap. And
DeepFreeze is top-quality, like a flawless diamond! It's light-years
closer to being truly "hack-proof" than anything else out there, AS
LONG AS THE COMPUTER IS CONFIGURED TO BOOT STRAIGHT TO C:\ AND CMOS IS
PASSWORD PROTECTED.

DeepFreeze http://www.deepfreezeusa.com does not place any
restrictions on a machine like FoolProof or FullControl do. So
whatever you want to do, whether it's downloading mp3's or downloading
and installing ICQ or browser add-ons or WHATEVER, DeepFreeze does not
prevent it. What matters much more as far as that goes is how you are
logged in: as User, Power User, or Administrator. True, on a
DeepFreeze protected computer you'll have to install/download your
stuff every time you sit down at the computer, but hey! you CAN!
That's the beauty of DeepFreeze: it places no restrictions on the
machine. Take a look at Microsoft TechNet:

Default Access Control Settings
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/maintain/security/secdefs.asp

The entire white paper is very helpful in understanding the difference
between Users, Power Users, and Administrators. NOT understanding this
issue causes more problems on Windows 2000 than all other problems put
together. Example: you installed WinZip and don't understand why the
fuck it won't work right, or only half works. Answer: you were not
logged in as administrator when you installed it.

And, along these lines, you can ask your teacher/computer lab admin to
promote you to Power User, because Power Users have access to HKLM
(HKEY_LOCAL_MACHINE) in the registry and can manipulate a lot more on
the system (read the paper). For example, let's say there is an
annoying content filtering program such as CyberPatrol preventing you
from accessing 2600 or other web sites. CyberPatrol starts
automatically from a key in HKLM under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Simply delete the key and restart the computer, and the program will
not be running. A User cannot do this, a Power User can. So... try to
become a Power user. If you explain to your teacher that being just a
User is a real pain in the butt and that you NEED to be a Power User in
order to do things, he/she MIGHT make you one. You don't know until
you try. Frequently, they will think it is an innocent request,
because they are too stupid to know the difference.

Now, about hacking DeepFreeze. DeepFreeze was developed with sneaky
hackers, intent on getting into computers, in the FOREFRONT of the
developers' minds. The developers of DeepFreeze knew and know how to
think like hackers. They were in high-school once, too!! And, if that
were not enough, they also know how to program at a very low-level
(we're talking LOW, LOW level!!) in order to protect the computer. Do
you know how to load and unload kernel-mode device drivers which you
did not write and develop? NO?! Do you know how to program in assembly
REALLY well?? NO?! Do you understand encryption and how it interacts
in different parts of a program? NO?! Do you know how to determine how
a program is packed in order to reverse-engineer it? NO?? Well, these
are the skillz you would need before even having a ghost of a chance
getting around DeepFreeze.

On Windows 95/98/Me:

DeepFreeze is a Ring 0 VxD (Virtual Device Driver) located in
c:\windows\system\iosubsys\persifrz.vxd. The only way to hack
DeepFreeze is to boot from a boot-disk and delete this file if booting
to the a:\ has not been disabled. Deleting the filez in
c:\progra~1\hypert~1\deepfr~1 works also to prevent DeepFreeze from
running, because it contains persi0.sys, the password file. And
DeepFreeze won't start without reading it. The most important file to
delete though is the actual DeepFreeze driver, persifrz.vxd. I'm just
giving you the best and easiest way. Delete persifrz.vxd and
DeepFreeze is deader than a doorknob. AND it's only one file.
persifrz.vxd IS DeepFreeze.

If you CAN boot to a:\ then you can delete persi0.sys and replace it
with your own copy containing a known password. From my experience,
the persi0.sys filez from the trial versions work to replace the ones
from regular installations. persi0.sys also runs in Ring 0 and cannot
be deleted while DeepFreeze is running. Not with a process killer, not
with DOS, not with Process Explorer. If you ever figure it out, post
it for all to see and congratulate you!

Can't boot to any drive except c:\? And CMOS setup is
password-protected? Oh well, you're not gonna hack DeepFreeze.
DeepFreeze prevents, BY DESIGN, BIOS password-crackers from working.
HOWEVER, some newer computers, especially Compaqs, now have
motherboards with a simple pushbutton to reset the CMOS to its
defaults. Open up the case, push a small red button on the motherboard
and the CMOS is reset! Yeah! You can then boot to a:\.

The following instructions come straight out of the online .pdf
motherboard manual for Compaq Evo Deskpro D300 and D500, available
here:

ftp://ftp.compaq.com/pub/supportinformation/papers/265668-003_rev3_us.pdf

Clearing CMOS:
The computer's configuration (CMOS) may occasionally be corrupted. If
it is, it is necessary to clear the CMOS memory using switch SW50.
To clear and reset the configuration, perform the following procedure:

1. Prepare the computer for disassembly. CAUTION: The power cord must
be disconnected from the power source before pushing the Clear CMOS
Button (NOTE: All LEDs on the board should be OFF). Failure to do so
may damage the system board.
2. Remove the access panel.
3. Press the CMOS button located on the system board and keep it
depressed for 5 seconds.
4. Replace the access panel.
5. Turn the computer on and run F10 Computer Setup (delete-utility) to
reconfigure the system. When the CMOS button is pushed or the jumper
is removed, both the power-on password and the setup password become
invalid because both are stored in the configuration memory. You will
need to reset the passwords.

If you hit PAUSE during POST, you can note the BIOS manufacturer, BIOS
version, and BIOS date of manufacture. There MAY be a permanent,
hard-coded master password you can use, if you can research it and
find out what it is. (Probably too hard to be a pragmatic solution)
Most of the BIOS password lists you find on the internet are
worthless.

Go to the computer manufacturer's web site and download the
motherboard manual for your school's computer and look up how to reset
the CMOS. If it's designed to be a tool-free process, like on
Compaqs, AND you can open up the computer case without drawing
attention to yourself and getting in big trouble, then this might be
an option for you. And, of course, if you can boot to a:\, it's all
over. If you have an NTFS drive though, you'll need NTFSDOSPRO from
Sysinternals. ;-)

On Windows 2000/XP DeepFreeze consists of several important filez:

There are 2 drivers and 1 service (I'll let you figure out the paths):

DepFrzLo.sys (kernel driver)
DepFrzHi.sys (filesystem driver)
dfservex.exe (service)
frzstate.exe (password dialog)
persi0.sys (password file and "on/off switch"). This file strangely
becomes over 7MB immediately after installing DeepFreeze, yet the
setup program is less than 2MB. And it cannot be copied on 2000/XP
while the system is running. Focus on this one.

Probably you will need NTFSDOSPRO to boot up and mount an NTFS drive:
there aren't too many FAT32 drives any more. And if you're elite, you
won't have any problem getting that from someone or finding it, or
carding it from an internet cafe... If you do card it from a cafe
though, don't use a yahoo or hotmail e-mail address. And make sure you
know the CVV on the card. Use something different like boxfrog.com or
rock.com. NTFSDOSPRO is available from http://www.sysinternals.com and
costs $300. True: there is a free LINUX boot-disk which also mounts
NTFS drives, but it's not nearly as good. One last thing about
NTFSDOSPRO. There is no free support AND it is kinda tricky creating
and using the NTFSDOSPRO boot disk(s). IT DOES NOT COME READY TO USE
(shame on them for being so friggin smart, and not making it
user-friendly). After using the program to create three different
disks, of which only the first is necessary, but not enough, you have
to then boot with a regular boot disk, then put in your NTFSDOSPRO
boot disk to mount the NTFS drive. You'll see what I mean, it's not
very user-friendly and little explanation is given on how to really go
through with the entire operation. But being tech-savvy, you'll
figure it out. Also, it becomes very confusing if the NTFS drive
you're mounting has a c: and a d:.

persi0.sys is the file containing the password. persi0.sys contains
the password and the on/off switch which the driver checks to see if
it should start the computer in thawed mode or frozen mode. Replacing
persi0.sys with your own copy containing a known password is
preferable to deleting the DeepFreeze driver filez on Windows 2000/XP
with a boot disk. All pertinent encryption seems to be contained in
this one file. And, a persi0.sys from a totally different DeepFreeze
installation doesn't seem to matter (as in one from a trial version).
After replacing it and thawing the computer, you can uninstall
DeepFreeze if you choose. Before attempting to delete the drivers on
Windows 2000 with a boot disk, try it at home, because the computer
may not start up. In other words, it may be necessary to delete
certain keys in the registry as well, in order for the computer to
not "crash" before it even starts! Use InCtrl5 to monitor your own
installation of DeepFreeze 2000/XP. Available here:
http://common.ziffdavisinternet.com/download/0/1027/inctrl5.zip
It will tell you each and every file and registry key installed by the
program. There may be serious problems if you don't delete certain
important "pointers" and "references" to the DeepFreeze drivers in the
registry. I don't know. Try it and see. Maybe not. Make a batch file
to delete all the filez and registry keys/entries, if that's the route
you want to go.

Now, here are TWO methods of hacking DeepFreeze you probably haven't
thought of:

#1 IF your school/lab is using the trial version of DeepFreeze (and
this is more common than you think: schools are really hurting for
money nowadays!!), and IF you can access BIOS setup, you can forward
the BIOS date more than 90 days and DeepFreeze will no longer work
(you'll see the blinking red X flashing on the DeepFreeze system-tray
icon.) Then simply uninstall DeepFreeze. The same .exe is used to
install and uninstall. By the way, there are two keys in the registry
under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
which must be deleted in order to be able to re-install a fresh trial
version of DeepFreeze: Rebar and NAffinityConfig.

#2 Find out which computer your computer lab administrator has the
DeepFreeze Administrator program installed on. At his desk? In his
office? Most of the time now, administrators are taking advantage of
DeepFreeze's OTP (One-Time Password) feature. In order to thaw
DeepFreeze, they go to the computer which needs to be "thawed" and
shift+double-click on the DeepFreeze icon in the system tray. This
brings up the password dialog box (frzstate.exe). They then jot down
the token which appears in the window's title bar. They then go back
to THEIR computer which has the DeepFreeze Administrator program, open
up DFAdmin, and enter the token in order to generate a one-time
password. This OTP will work, one time only, to restart the computer
in thawed mode. After restarting a second time, the computer is frozen
once again, automatically. Now, IF you can get your hands on a
DeepFreeze Administrator program, maybe by purchasing it from
HyperTechnologies... then, all you need to do is copy one file from
your administrator's DFAdmin program, take it home, place it in your
DFAdmin program, and you can generate OTPs for your school's
computers. JUST ONE FILE: dfadmin.exe is necessary to copy and
replace, and it is small enough to save to a floppy or e-mail to
yourself. You see, when DeepFreeze Administrator is first set up, the
administrator chooses a phrase or MASTER PASSWORD which is used to
make the encryption unique for his/her own DeepFreeze installations.
And this encryption is contained totally in dfadmin.exe. You might
want to think of a way to get your administrator to thaw the computer,
and then watch which computer he goes to to obtain the OTP. NOTE: the
Master Password is not a permanent password. It is entered only once
when installing DeepFreeze Administrator. Are you with me?

#3 IF your administrator is naive enough to be using permanent
passwords for DeepFreeze, then you can use something called KeyKatch.
Go to http://www.keykatch.com This puppy works great. Just be sure to
install it in the keyboard port, NOT the mouse port -- an easy
mistake. Regular software-based keyloggers, etc., won't work because
they will not be there when the computer is restarted. Think about it:
the administrator is never going to enter the password and then NOT
restart the computer! And when he/she restarts the computer, of
course, the keylogger would be gone. UNLESS your school's computers
have two drives, and one is not frozen, and you can configure your
keylogger to save the log file to the unfrozen drive. Of course,
you'll have to re-install the keylogger program to read your log file.

As you can see, except for #1 above, there is no EASY way to hack
DeepFreeze, because whatever you do, you're not really doing. It all
goes away when you restart the computer. I hope this little post helps
you to understand more about how it might be done though, IF a person
is DETERMINED to beat it. Of course, being THAT determined might get
you in serious trouble at your school, too. So, remember that, first
and foremost.

One way to become a hero: approach your computer science
teacher/network administrator and tell him or her that you know how to
hack DeepFreeze and you would like his/her permission to hack it
(they'll K*N*O*W you can't). Then, once permission is secured, get
access somehow to the computer with DFAdministrator on it and copy
dfadmin.exe. If you have permission to hack DeepFreeze, you might
even be able to get help from another teacher or teacher's assistant
or someone in a position to help you get physical access to the
computer which has DeepFreeze Administrator on it. You'll have to have
your own copy of DFAdmin first. And then you'll have to be able to log
on to the computer with DFAdmin on it. If winlogon greets you and you
can't log on, you'll need NTFSDOSPRO to copy dfadmin.exe using a boot
disk. The only other possibility would be to somehow e-mail the
administrator a trojan which would allow you to access his computer
remotely and copy dfadmin.exe. (SubSeven, BackOrifice, etc.) I think
that's how the FBI would do it! he-he...

And just for your information, DeepFreeze is not the only program out
there which does what it does, the way it does it. BUT IT IS THE BEST.
The details of exactly how these programs work have yet to come out
(I'm sure it will in time). Some say they take a snapshot of the
master boot record? or a copy of the FAT? Whoever knows FOR SURE, NO
SPECULATING, please post it. But here are some other programs which do
the same thing DeepFreeze does, only not nearly as well, in my
opinion:

WinRollBack
http://www.datapol.de/en/index.htm (click on the All Products link at
the top, then look under Desktop Security Business)

DriveShield
http://www.driveshield.net/driveshield.htm

CleanSlate
http://www.fortres.com/products/cleanslate.htm

Hopefully, after reading this, you won't feel as if you "have met your
match." Finally, you have some information to use to conquer a
formidable foe: DeepFreeze.
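The post's point about Power Users comes down to one thing a lab administrator can check: who holds write rights on the HKLM Run key. If a non-administrator group can set or delete values there, any autostart entry (a content filter, an agent, anything) can be removed by an ordinary account. The PowerShell below is an added example written for this page, not code from the post or from Faronics/HyperTechnologies; it assumes a current Windows with PowerShell 3 or later (not the Windows 2000 era the post describes) and an elevated prompt. The function names `Get-RunEntries` and `Get-RunKeyWriters` and the list of expected principals are this example's own choices.

```powershell
# Added example (not from the original post): audit the HKLM Run key the post
# describes. Lists the autostart entries and flags any principal outside a
# small expected set that holds rights allowing it to add, change or delete
# values under the key. Run from an elevated PowerShell prompt.

$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Principals normally entitled to write here; anything else is worth a look.
# (Assumed baseline, adjust to the organisation's own build.)
$expectedWriters = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

function Get-RunEntries {
    param([string]$Path = $runKey)
    $item = Get-ItemProperty -Path $Path
    foreach ($name in $item.PSObject.Properties.Name) {
        # Skip the provider metadata properties PowerShell attaches
        if ($name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        [pscustomobject]@{ Name = $name; Command = $item.$name }
    }
}

function Get-RunKeyWriters {
    param([string]$Path = $runKey)
    $acl = Get-Acl -Path $Path

    # Rights that let a principal create, change or remove autostart values.
    # FullControl and WriteKey both include SetValue, so they are caught too.
    $writeMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                 [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
                 [System.Security.AccessControl.RegistryRights]::Delete -bor
                 [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
                 [System.Security.AccessControl.RegistryRights]::TakeOwnership

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.RegistryRights -band $writeMask) -eq 0) { continue }
        $principal = $ace.IdentityReference.Value
        [pscustomobject]@{
            Principal = $principal
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
            Expected  = ($expectedWriters -contains $principal)
        }
    }
}

# Usage: show what starts at logon, then anything unexpected that could edit it.
Get-RunEntries | Format-Table -AutoSize
Get-RunKeyWriters | Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

An empty second table is the result to aim for. A row for a group such as Power Users or Users with `SetValue` or `Delete` in its rights means the scenario in the post (an ordinary account deleting a Run entry) is possible on that build, and the fix is to tighten the key's ACL or remove the group membership rather than to rely on a reboot-to-restore product to undo it.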
