Question about how to put a date limit in driver code?

I am wondering if there is a way that I can put a gatekeeper in driver code, let's say in the INIT section, to check the system date; if the system date is expired, let's say Sept 1 to Sept 30, 2014, then the driver would unload itself? Any sample code to do this job?

Thanks.

Sure. You can check the date on DriverEntry and if past expiration, return !NT_SUCCESS().

d

Bent from my phone


From: xxxxx@gmail.com
Sent: 9/16/2014 10:13 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] Question about how to put a date limit in driver code?

I am wondering if there is a way that I can put a gatekeeper in driver code, let's say in the INIT section, to check the system date; if the system date is expired, let's say Sept 1 to Sept 30, 2014, then the driver would unload itself? Any sample code to do this job?

Thanks.


NTDEV is sponsored by OSR

Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev

OSR is HIRING!! See http://www.osr.com/careers

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

If you decide you want to do this, you may want to log an error in the system event log so that the poor user has some prayer of figuring out why the driver won't load anymore.

-p

From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Doron Holan
Sent: Tuesday, September 16, 2014 10:41 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Question about how to put a date limit in driver code?

Sure. You can check the date on DriverEntry and if past expiration, return !NT_SUCCESS().

d

Bent from my phone



Thanks. Can one simply change the date in binary file and walk around this limit?

> Thanks. Can one simply change the date in binary file and walk around this limit?

It depends on how you write your code. By thinking from the position of an
attacker, you can make it very difficult and challenging for him to patch
right.

To allow a patched driver binary to load on 64-bit systems, they would need
to sign the binary another time which would require a certificate, or they
must have the user boot the system with driver signing disabled.

Note that without patching the binary, they could also just change the
system time or instead patch the kernel date and time functions to return a
special date for your driver.

//Daniel

Editing the binary on disk would invalidate the signature. One could easily circumvent the check with a debugger attached.

d

Bent from my phone


From: xxxxx@gmail.com
Sent: 9/17/2014 12:50 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Question about how to put a date limit in driver code?

Thanks. Can one simply change the date in binary file and walk around this limit?



xxxxx@gmail.com wrote:

> Thanks. Can one simply change the date in binary file and walk around this limit?

Yes, but Windows driver files have a checksum, so they’d have to rebuild
the checksum. That’s not rocket science, but the casual user won’t know
how to do it.

An even easier method to defeat this is to reset the date on the
computer and reboot.

This kind of protection scheme is an exercise in diminishing returns.
No matter how clever you are, NOTHING you do will protect against a
sufficiently motivated hacker. NOTHING. You need to balance how much
sophistication you want to defend against vs how much you are willing
to pay.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

The kernel is not the place where you want to implement a licensing API. A user mode service is a better place.

A simple solution to the clock hack is to encrypt the current/install date, store it in the registry and refuse to load if the current date is more than a few days behind - taking into consideration things like someone flying over the international date line, or the CMOS battery having run out. Of course if your software is popular enough then you end up getting into a war with your users with ever more sophisticated anti cracking methods.


Bruce

On Sep 17, 2014, at 8:17 AM, wrote:

>> Thanks. Can one simply change the date in binary file and walk around this limit?
>
> It depends on how you write your code. By thinking from the position of an attacker, you can make it very difficult and challenging for him to patch right.
>
> To allow a patched driver binary to load on 64-bit systems, they would need to sign the binary another time which would require a certificate, or they must have the user boot the system with driver signing disabled.
>
> Note that without patching the binary, they could also just change the system time or instead patch the kernel date and time functions to return a special date for your driver.
>
> //Daniel
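
The load-time decision discussed in this thread (an expiry window plus the stored-date check for a set-back clock), modelled in portable C as an added example; it is not code from any of the posters. All names are hypothetical. In a driver, `now` would come from KeQuerySystemTime and any non-OK result would mean returning a failure status from DriverEntry; protecting the stored value (the encryption mentioned above) is assumed to happen elsewhere.

```c
#include <stdint.h>
#include <stdio.h>

/* Windows system time: 100-ns ticks since 1601-01-01 UTC, the unit
   KeQuerySystemTime reports in kernel mode. */
#define TICKS_PER_DAY 864000000000LL

typedef enum { GATE_OK, GATE_NOT_YET_VALID, GATE_EXPIRED, GATE_CLOCK_ROLLED_BACK } gate_result;

/* Midnight UTC of y-m-d in ticks (civil-date-to-days arithmetic, 1601 epoch). */
int64_t date_to_ticks(int y, int m, int d)
{
    y -= (m <= 2);                               /* year starts in March */
    int64_t era = y / 400;                       /* dates from 1601 on assumed */
    int64_t yoe = y - era * 400;
    int64_t doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    int64_t doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return (era * 146097 + doe - 584694) * TICKS_PER_DAY;
}

/* now: current time; [valid_from, valid_until): licensed window;
   high_water: latest time any earlier load recorded (0 = first run);
   tolerance: allowed backwards drift (time zone change, clock correction). */
gate_result check_gate(int64_t now, int64_t valid_from, int64_t valid_until,
                       int64_t high_water, int64_t tolerance)
{
    if (high_water != 0 && now + tolerance < high_water)
        return GATE_CLOCK_ROLLED_BACK;
    if (now < valid_from)
        return GATE_NOT_YET_VALID;
    /* Judge expiry on the latest time ever seen, so a small rollback
       inside the tolerance cannot re-enter an expired window. */
    int64_t effective = now > high_water ? now : high_water;
    return effective >= valid_until ? GATE_EXPIRED : GATE_OK;
}

/* Value to persist after each check; it never moves backwards. */
int64_t next_high_water(int64_t now, int64_t high_water)
{
    return now > high_water ? now : high_water;
}

int main(void)
{
    int64_t from = date_to_ticks(2014, 9, 1), until = date_to_ticks(2014, 10, 1);
    int64_t seen = date_to_ticks(2014, 9, 25);   /* constructed stored value */
    /* Clock set back to Sept 10: 15 days behind, tolerance is 3 days. */
    gate_result r = check_gate(date_to_ticks(2014, 9, 10), from, until, seen, 3 * TICKS_PER_DAY);
    printf("result=%d\n", (int)r);               /* non-zero means: fail the load */
    return 0;
}
```

A dead CMOS battery resets the clock far beyond any reasonable tolerance, so that case lands in `GATE_CLOCK_ROLLED_BACK` and is worth reporting distinctly in the event log.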