Chapter 5: Methods of Revealing Protection Mechanisms

Locking and Unlocking the EJECT Button

If the application interacting with the CD carries out an operation that must not be interrupted under any circumstances, it can lock the tray with the IOCTL command IOCTL_CDROM_MEDIA_REMOVAL (0x24804). In this case, any attempt to eject the disc from my PHILIPS CDRW triggers malicious blinking of the red LED, showing that the disc is IN, but locked. The disc cannot be ejected until the tray is unlocked by the pin or by means of rebooting the system.

This circumstance alone creates a rich set of possibilities for intruders, or simply for incorrectly operating programs that are struck down by a critical error before unlocking the media. Is it possible to overcome the situation? It's easy. Just unlock the tray on your own!

The point is that the system does not require the unlocking procedure to be carried out in the context of the process that has carried out the blocking. It simply counts the locks and, if the counter is equal to zero, then the tray is free. Consequently, if the block counter is equal to six, we must give the unlocking command six times before the CD can be ejected.
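The counter behaviour described above, together with the faulty-program case from the previous paragraph, as an added example that is not from the book. It is a portable model, not Windows driver code: drive_t, media_removal, eject, burn_leaky, burn_balanced and recover are hypothetical names, and the drive is a constructed in-memory stand-in.

```c
/* Added example: portable model of the tray lock counter, not Windows driver code.
   drive_t and every function name here are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

typedef struct { unsigned locks; bool media_in; } drive_t;  /* constructed stand-in */

/* Models IOCTL_CDROM_MEDIA_REMOVAL as the text describes it: the caller's
   identity is ignored and only the shared counter changes. */
static void media_removal(drive_t *d, int pid, bool prevent) {
    (void)pid;                               /* no ownership check */
    if (prevent) d->locks++;
    else if (d->locks > 0) d->locks--;       /* unlocking at zero does nothing */
}

static bool eject(drive_t *d) {
    if (d->locks > 0) return false;          /* tray stays shut while locked */
    d->media_in = false;
    return true;
}

/* Faulty program: an error path returns before the matching unlock. */
static int burn_leaky(drive_t *d, int pid, bool fail) {
    media_removal(d, pid, true);
    if (fail) return -1;                     /* lock leaked */
    media_removal(d, pid, false);
    return 0;
}

/* Corrected form: a single exit path always issues the matching unlock. */
static int burn_balanced(drive_t *d, int pid, bool fail) {
    media_removal(d, pid, true);
    int rc = fail ? -1 : 0;                  /* stand-in for the real work */
    media_removal(d, pid, false);
    return rc;
}

/* Recovery from an unrelated process: unlock until the eject goes through. */
static unsigned recover(drive_t *d, int pid) {
    unsigned n = 0;
    while (!eject(d)) { media_removal(d, pid, false); n++; }
    return n;
}

int main(void) {
    drive_t d = { 0, true }, e = { 0, true };
    for (int i = 0; i < 6; i++) burn_leaky(&d, 100, true);   /* six leaked locks */
    burn_balanced(&e, 100, true);
    printf("leaky: %u unlocks needed; balanced: %u locks left\n", recover(&d, 200), e.locks);
    return 0;
}
```

The balanced form only covers error returns; a process that is killed outright still leaves its lock behind, which is the case the utility below is for.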

The utility (the source code of which is provided in Listing 5.4) allows us to manipulate the lock counter according to our needs. The + command-line argument increases the counter by one, while - carries out the inverse operation. When the counter value reaches 0, any attempt to decrease it further has no effect.

Listing 5.4: The [/etc/CD.lock.c] Utility for locking/unlocking the CD-ROM tray
/*----------------------------------------------------------------------------
 *
 *                  LOCKS AND UNLOCKS THE CD-ROM TRAY
 *                  =================================
 *
 * build 0x001 @ 0.4.06.2003
 ----------------------------------------------------------------------------*/
#include <windows.h>
#include <winioctl.h>
#include <stdio.h>

#define IOCTL_CDROM_MEDIA_REMOVAL 0x24804

int main(int argc, char **argv)
{
    BOOL                        act;
    DWORD                       xxxx;          // bytes returned (unused)
    HANDLE                      hCD;
    PREVENT_MEDIA_REMOVAL       pmrLockCDROM;

    // CHECKING ARGUMENTS
    if (argc < 3) {printf("USAGE: CD.lock.exe \\\\.\\X: {+,-}\n"); return -1;}

    if (argv[2][0] == '+') act = TRUE;               // INCREMENT THE LOCK COUNTER
        else if (argv[2][0] == '-') act = FALSE;     // DECREMENT THE LOCK COUNTER
            else {fprintf(stderr, "-ERR: in arg %c\n", argv[2][0]); return -1;}

    // GET THE DEVICE DESCRIPTOR
    hCD = CreateFile(argv[1], GENERIC_READ, FILE_SHARE_READ, 0, OPEN_EXISTING, 0, 0);
    if (hCD == INVALID_HANDLE_VALUE) {printf("-ERR: get CD-ROM\n"); return -1;}

    // LOCK OR UNLOCK THE CD-ROM TRAY
    pmrLockCDROM.PreventMediaRemoval = act;
    DeviceIoControl(hCD, IOCTL_CDROM_MEDIA_REMOVAL,
                    &pmrLockCDROM, sizeof(pmrLockCDROM), NULL, 0, &xxxx, NULL);

    // RELEASE THE DEVICE DESCRIPTOR
    CloseHandle(hCD);
    return 0;
}

How can we use this? One use, for example, is the untimely ejection of the disc before the burning operation has been completed, which is certainly useful for experimentation. Another application is as follows: When leaving your computer for several minutes, you can lock the disc to make sure that no one takes it away. If someone still manages to do this (by rebooting the computer), lock the trays of their CD-ROM drives and make them reboot!



CD Cracking Uncovered: Protection Against Unsanctioned CD Copying (Uncovered series)
ISBN: 1931769338
EAN: 2147483647
Year: 2003
Pages: 60
