«
»

Introducting D-Pin Purr v1.0 – 32bit Edition

As promised in my earlier blog post, I’ve finalized the utility and made it available for download here. I won’t be releasing source code for the moment because I don’t want to encourage people to start adding this kind of code into their own malware programs, nor to encourage the Symantec folks to start unprotecting every process on the system.

So until then, have fun with the tool, whether it is to explore previously protected processes, or to try out various system and application behaviour when certain processes are made protected. Here’s a screenshot of audiodg.exe after being unprotected. Try it on your own system to see the before/after difference.

This entry was posted on Thursday, April 5th, 2007 at 8:29 pm and is filed under Uncategorized. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

22 Responses to “Introducting D-Pin Purr v1.0 – 32bit Edition”

  1. Vista Güvenliði(mi?) says:
    April 7, 2007 at 11:52 am

    [...] Vista’nýn tüm "mükemmel" korumalarýný geçebiliyor. Site ve deneme programý için; Alex Ionescu’s Blog » Introducting D-Pin Purr v1.0 – 32bit Edition Kaðýttan bir gemiyim özenle buruþturulmuþ, Üfürülmüþ yelkenime tüm çocukluðum, [...]

  2. Ayyas says:
    April 7, 2007 at 12:00 pm

    Vista Güvenliði(mi?)

    Vista g…

  3. BlogAllAlong » Facts About Widows Vista Security says:
    April 8, 2007 at 1:26 am

    [...] Ionescu posted a proof of concept program that utilizes Vista Protected Processes to it’s own advantage, making evil malicious programs [...]

  4. dark says:
    April 8, 2007 at 8:05 am

    Why the program deletes the drmkaud.sys and not
    crusoe.sys:drmkaud.sys when finishing?
    Also I’m curious, what is the meaning of 12th bit
    of dword @offset 224h in EPROCESS ?
    Lock/unlock proc?

  5. Caen los procesos (des)protegidos en Vista | Zona Hard says:
    April 9, 2007 at 5:58 am

    [...] Ionescu no se a limitado a simples palabras, sino que para demostrarlo ha publicado D-Pin Purr v1.0 32bit Edition, que es una herramienta que puede descargarse pero no analizarse en profundidad, puesto que el [...]

  6. hammerjammer says:
    April 10, 2007 at 3:41 am

    So, how do I download and try this applet??? Do not seem to find download button here??? Thanx

  7. Legomax says:
    April 15, 2007 at 10:55 am

    the word here is actually a link. =P

    don’t worry, i understand that it’s hard to notice a four letter link.

  8. Windows Vista DRM = rootkit? - scruffydan.com/blog -not associated with reality says:
    April 15, 2007 at 3:17 pm

    [...] Ionescu developed the program, called D-Pin Purr, to show that Vista features designed to protect media files can also be used to protect other [...]

  9. la-res-publica.com.ar » Blog Archive » Vista: la versión más segura de Windows… para los programadores de virus says:
    April 16, 2007 at 12:02 pm

    [...] parece, también un riesgo de seguridad. El desarrollador Alex Ionescu habría logrado desarrollar un programa que permite, utilizando el sistema de DRM de Windows, esconder procesos maliciosos como virus y [...]

  10. BlindWanderer says:
    April 18, 2007 at 3:22 pm

    I don’t know if the application does what it says but it runs without error on Windows XP :p

  11. Segurança na Microsoft says:
    April 25, 2007 at 2:04 am

    Processos Protegidos no Windows Vista

    O paper da McAfee citado no post anterior faz um belo trabalho em descrever as técnicas usadas pelos

  12. dfranklin says:
    May 22, 2007 at 7:41 pm

    C0000034 – Internal Error !!

  13. Зеркало: Кузнецов Виталий [MSP] says:
    June 4, 2007 at 10:34 am

    Защищенные процессы Висты оказались не слишком защищенными

    Алекс Ионеску (Alex Ionescu) выложил в открытый доступ утилиту, позволяющую прои

  14. molotov says:
    September 3, 2007 at 10:07 pm

    @dfranklin – I had to create [HKLM\SYSTEM\CurrentControlSet\Services\drmkaud] and add a REG_DWORD value named Type. Once I did that, dpinpurr worked. Previously, it displayed the same error (“[C0000034] – Internal error.”).

  15. molotov says:
    September 5, 2007 at 7:41 am

    @dfranklin – I got the same error, until I created [HKLM\SYSTEM\CurrentControlSet\Services\drmkaud] and added a REG_DWORD named “Type”.

  16. ericuday says:
    January 20, 2008 at 9:39 pm

    Hi Alex, thanks for the info on protected processes and your POC tool. Unfortunately, I am unable to download the tool (dpinpurr.zip) from the link provided. Seems as though the link is broken? I am in the process of writing a white paper on user-mode memory scanning (on 32-bit and 64-bit Windows) for malicious content, which requires enumerating all processes and reading their virtual address space (commit pages). I would like to try out the tool on protected processes on Vista. Also, how do you go about reading a protected process’s address space in Vista from user-mode? or kernel-mode? For memory scanning on Vista, in case of protected process, would it be useful to simply un-protect the process, read its virtual address space and then protect it back again? If the memory content is found to be malicious, it could then be flagged as malicious.

    Regards,
    Eric Kumar
    http://fightmalware.blogspot.com

  17. Randnotiz: Noch ein Argument gegen DRM - Bibliothekarisch.de - Ehemals Chaoslinie.de says:
    November 19, 2008 at 3:17 pm

    [...] Lage sein, DRM-geschützte Prozesse bei “Bedarf” ein- und auszuschalten. In seinem Weblog zeigt er entsprechende Screenshots, die die einwandfreie Funktion der Software belegen [...]

  18. HOWTO: Protect and unprotect Vista’s DRM-protected processes! « wblog3 says:
    January 25, 2009 at 5:20 am

    [...] 25, 2009 I could only find two previous attempts at doing this – D-Pin Purr, which is heavily obfuscated, and this PDF which contains the solution but doesn’t present [...]

  19. ¿Quien vigila al vigilante? « Noticias del web says:
    February 4, 2009 at 4:32 pm

    [...] anuncian que han roto esa protección. El investigador de seguridad que lo ha roto ha publicado la utilidad para proteger y desproteger archivos en Vista, pero no publica las [...]

  20. dpcowx says:
    April 14, 2009 at 12:29 pm

    Hi Alex,

    The download link seems dead. Can you please update?

    Thanks,
    Danny

  21. Telebuzz says:
    April 15, 2010 at 6:32 pm

    Telebuzz…

    Я подписался на RSS ленту, но сообщения почему-то в виде каких-то иероглифов :( Как это исправить? http://woman911.ru/ ….

  22. Bitmix says:
    April 21, 2010 at 1:43 pm

    Bitmix…

    Радует, что ваш блог постоянно развивается. Такие посты только прибавляют популярности. http://questiontourism.ru/ ….

Leave a Reply

You must be logged in to post a comment.