Didier Stevens

Ariad

Ariad started as a tool to prevent inserted USB sticks from executing code. Technically, it achieves this goal with a minifilter driver by blocking access to \autorun.inf on USB sticks. When you try to access autorun.inf on USB sticks, you’ll get an access denied error. Hence the name Ariad (AutoRun.Inf Access Denied).

But Ariad has evolved and now restricts access to several file types on different media types (not only USB sticks).

Ariad’s many idiosyncrasies stem from the design process. Instead of defining a feature set for this tool, I explored the technical possibilities of minifilter drivers and let the features emerge from them.

Ariad is a minifilter driver, and as such, operates inside the Windows Kernel. Bugs in kernel software can have grave consequences: the dreaded BSOD. So please test this software first on a test machine you can miss.

The 32-bit version of Ariad is more than a year old now and the previous version (0.0.0.7, never published) has run for more than a year on Windows XP SP2, SP3, Windows Vista SP1 without causing a single BSOD. Ariad was also tested on Windows 7 in a VM. So I consider the 32-bit version of Ariad stable now.

Ariad V0.0.0.7 has proven to be very reliable in the environments I use. Ariad V0.0.0.8 is very similar to V0.0.0.7: I just added .LNK to the blacklist of executable files, and added a couple of debugprint statements.

Version 0.0.0.9 has a minor change in the source code (a pointer cast), but the big difference is that I’ve compiled it with WDK 7.1 for Windows 7 x64 machines. And I’ve signed this version with an SPC valid for kernel drivers. This 64-bit version is identical in its operation to the 32-bit version. And you use the Ariad.exe 32-bit GUI to configure it.

THIS IS BETA SOFTWARE OPERATING IN THE KERNEL, SO TEST THIS FIRST ON 64-BIT TEST MACHINES WITH FILES YOU CAN MISS.

I’ve compiled the 32-bit version on Windows XP SP2 32-bit, and installed it on Windows XP SP2 (virtual and physical), Windows XP SP3 (virtual and physical), Windows Vista SP1 (physical), Windows 7 Beta (virtual) and Windows 2000 Professional SP4 with Update Rollup 1 (virtual).

I’ve compiled the 64-bit version on Windows 7 SP1 32-bit, and installed it on Windows 7 SP1 64-bit.

Download 32-bit:

Ariad_V0_0_0_8.zip (https)

MD5: B8E46212CA56B7BD056BA30E84DF8596

SHA256: 99620D77B23C21BC1C020352C5E9CCC467A4C450E0C69AA6FFBCE7227063964C

Download 64-bit (only Ariad.sys; get the .inf and ariad.exe files from the 32-bit download):

Ariad_V0_0_0_9.zip (https)

MD5: C41EFF12D1C454595C5F8B8EBB09DA69

SHA256: DC0F40BA397E19FDFED67E287E0CF24FB55314B9760477D3783D492043FFF698

Installing Ariad:

I provide 2 ways to install Ariad. When you look inside the install folder of the ZIP file, you’ll find the driver file (ariad.sys) and two install files: ariad-manual.inf and ariad-boot.inf.

You need admin rights to install Ariad. I recommend you start installing with ariad-manual.inf. This will install the ariad.sys driver but will not start it; it has to be started manually. To start the Ariad minifilter, issue the command: sc start ariad

Now you’ve started Ariad and you can observe if your system is still stable. When you reboot your machine, Ariad will not be started automatically. You need to run command sc start ariad to start it again. This is your fail-safe mode. If Ariad makes your system unstable, you just have to reboot it (power-cycling it as a last resort) to disable Ariad.

After you’re satisfied with the reliability of Ariad and want to run it permanently, you can install it with ariad-boot.inf. This installs Ariad the same way as the first installer, except for the startup parameter: instead of requiring a manual start, it will start at boot time.

If you have problems with Ariad starting in boot mode, you’ll need to disable it with sc. Worst case, you’ll need to boot from a Live CD and delete ariad.sys from %system32%\drivers. So don’t use a machine with full disk encryption to test this.

Configuring Ariad

Ariad comes with a GUI application that runs in userspace: ariad.exe. You use it to configure the behavior of the ariad.sys minifilter.

Before explaining the many configuration options, I need to explain how the minifilter works.

The minifilter operates in the file system driver stack and filters file system requests. The minifilter is instantiated each time a file system is mounted. So Ariad does not only work on USB sticks, but also on CD-ROMs, harddisks (fixed and USB) and network shares. If a particular file system does not need to be filtered, the Ariad minifilter is not instantiated for that file system.

When you start Ariad.exe, you’ll see this dialog:

For security reasons, Ariad.exe requires local admin rights to change the configuration. This way, you can prevent users running with a LUA from changing the configuration. Ariad.exe will elevate on systems with UAC.

All changes are written to the registry immediately when a change is made in the dialog box. All configuration settings will be applied to new instances of the minifilter, not to existing instances. For example, if you’ve inserted a USB stick with the read-only option toggled on, this setting will remain until you remove the USB stick. Changing the read-only toggle for USB drives in the dialog box does not affect the USB stick you already inserted. It will only be applicable to new USB sticks you insert.

If you need to change the setting for an existing USB stick, you’ll need to eject it first, change the setting, and then re-insert it. This is by design.

Ariad was designed for 2 types of users: very technical users who understand the workings of the underlying OS; and IT-agnostic users, who will be protected by Ariad installed and configured by an administrator who makes all the configuration choices for them. These users don’t see Ariad at all; they will just encounter the occasional access denied. As an administrator, you don’t give access to ariad.exe to these LUA users.

This is also the reason why I don’t provide a one-click setup program that installs the driver and the GUI. I don’t want inexperienced users to install this. This tool is not user-friendly.

The configuration options

Remember that all the settings in the Ariad configuration dialog box apply to new instances, i.e. a drive that will be mounted, not drives that are already mounted.

Every change performed in the dialog box is immediately active and saved in the registry; there is no Save or Apply button.

To exclude particular drives from Ariad’s filtering, add the drive letters to the “Allow drives” textbox. A good idea is to add your system harddrives to this textbox, such as C.

To temporarily prevent Ariad from instantiating an instance for a drive you want to insert, click on the button “Disable Ariad for newly inserted disks during 60s”. Every drive inserted within 60s after clicking the button will not be restricted by Ariad. Use this feature if you need full access to some USB drives you trust.

Ariad identifies 4 types of drives:

  1. USB Drive (these are USB sticks, not external USB harddisks)
  2. CDROM (DVDs too of course)
  3. Harddisk (built-in harddisks and external USB harddisks)
  4. Network (shares mounted as network drives)

I made the distinction between USB sticks and USB harddisks because users of my USBVirusScan tool requested this, and I want to apply the same logic here.

Be careful when configuring harddisks: you might make your system unstable and unbootable. Be sure to exclude your system harddisks before you do this.

For each of these 4 drive types, you can define up to 5 filtering options:

- no autorun.inf: denies all access to \autorun.inf (that’s in the root directory of the disk, not in subdirectories)

- no executables: denies all access to executables identified by their file extension. Here is the list of extensions hardcoded in version 0.0.0.8:

BAT
CMD
COM
CPL
DLL
EXE
OCX
PIF
SCR
SYS
VB
VBE
VBS
WSF
WSH
LNK

This is a hardcoded blacklist. I plan to provide this list in the registry in a future version, and also implement a whitelist.

I have not tested alternate data streams.

- block all: denies access to the complete drive. The filesystem is mounted, but every access to files is denied.

- read-only: files can’t be written to. You could use this for forensic investigations if you don’t have a hardware write blocker.

- no file execute: this is a very special option. It prevents files from being mapped into memory. When executables are loaded (creating a process with an .EXE, LoadLibrary of a DLL, …) they are mapped into memory. This setting prevents this. The effect is that executable files can be read and copied, but not launched from the mounted drive. The advantage of this setting is that it blocks binary executables independently of the file extension they have. For example, LoadLibrary of dll.tmp will be prevented.
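The per-request decision the five options above describe, combined with the “Allow drives” exclusion, as an added C example that models the logic in user mode. This is not Ariad’s source (which is a kernel minifilter); the structure names, function names and the sample configuration are assumptions.

```c
/* Added example, not Ariad's own source: a user-mode model of the decision Ariad's minifilter
 * makes per file request, from the rules the post describes. All names are assumptions. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
enum DriveType { DRIVE_USB, DRIVE_CDROM, DRIVE_HARDDISK, DRIVE_NETWORK };
struct AriadOptions {           /* the five toggles, configured per drive type */
    bool no_autorun_inf, no_executables, block_all, read_only, no_file_execute;
};
struct AriadConfig {
    const char *allow_drives;   /* "Allow drives" textbox: letters, no separator, e.g. "CD" */
    struct AriadOptions per_type[4];
};
struct Request {
    enum DriveType type; char letter;
    const char *path;           /* relative to the volume root, e.g. "\\autorun.inf" */
    bool wants_write, wants_image_mapping;  /* image mapping = process creation, LoadLibrary */
};
/* Extensions hardcoded in version 0.0.0.8, as listed in the post. */
static const char *const kBlockedExt[] = { "BAT", "CMD", "COM", "CPL", "DLL", "EXE",
    "OCX", "PIF", "SCR", "SYS", "VB", "VBE", "VBS", "WSF", "WSH", "LNK", NULL };
static bool ieq(const char *a, const char *b) {   /* case-insensitive equality */
    for (; *a && *b; ++a, ++b)
        if (toupper((unsigned char)*a) != toupper((unsigned char)*b)) return false;
    return *a == *b;
}

/* Instance-level check: an excluded drive never gets a filter instance at all. */
bool ariad_drive_excluded(const struct AriadConfig *cfg, char letter) {
    for (const char *p = cfg->allow_drives; *p; ++p)
        if (toupper((unsigned char)*p) == toupper((unsigned char)letter)) return true;
    return false;
}

static bool has_blocked_extension(const char *path) {
    const char *dot = strrchr(path, '.');
    if (!dot || strchr(dot, '\\')) return false;   /* last path component has no extension */
    for (const char *const *e = kBlockedExt; *e; ++e)
        if (ieq(dot + 1, *e)) return true;
    return false;
}

/* Returns the name of the option that denies the request, or NULL if it is allowed. */
const char *ariad_check(const struct AriadConfig *cfg, const struct Request *r) {
    const struct AriadOptions *o = &cfg->per_type[r->type];
    if (ariad_drive_excluded(cfg, r->letter)) return NULL;
    if (o->block_all) return "block all";
    /* Only \autorun.inf in the root directory is denied, not copies in subdirectories. */
    if (o->no_autorun_inf && ieq(r->path, "\\autorun.inf")) return "no autorun.inf";
    if (o->no_executables && has_blocked_extension(r->path)) return "no executables";
    if (o->read_only && r->wants_write) return "read-only";
    /* Extension-independent: LoadLibrary of dll.tmp is still an image mapping. */
    if (o->no_file_execute && r->wants_image_mapping) return "no file execute";
    return NULL;
}

/* Constructed sample config: C and D excluded, USB locked down, CD-ROM loses autorun.inf only,
 * harddisks untouched (the post warns about them), network shares read-only. */
static const struct AriadConfig kSampleConfig = { "CD", {
    { true, true, false, false, true }, { true, false, false, false, false },
    { false, false, false, false, false }, { false, false, false, true, false } } };
const char *ariad_check_sample(enum DriveType t, char letter, const char *path,
                               bool wants_write, bool wants_image_mapping) {
    struct Request r = { t, letter, path, wants_write, wants_image_mapping };
    return ariad_check(&kSampleConfig, &r);
}
```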

Further plans

- Add whitelist

- Export hardcoded extension list to registry

README.TXT

THIS IS EARLY BETA SOFTWARE OPERATING IN THE KERNEL,
SO ONLY USE THIS ON TEST MACHINES WITH FILES YOU CAN MISS.

Source code put in public domain by Didier Stevens, no Copyright

https://DidierStevens.com

Use at your own risk. It's beta software running inside the kernel

Ariad (AutoRun.Inf Access Denied) is a minifilter that started as a way to
block access to \autorun.inf on USB sticks, but now blocks several file types on
several media types.
USB Sticks are identified by their FILE_REMOVABLE_MEDIA device characteristics.
USB HDDs will not be recognized as USB sticks but as harddisks.
autorun.inf files not in the root directory of the USB stick are accessible.

Ariad.sys is the minifilter and runs in the kernel
Ariad.exe is a GUI to configure the filter and runs in user space. It requires admin rights.
Before you install this driver, you'll have to decide if this driver must
start when your machine boots, or if you want to start/stop it when you want to.

To upgrade:
first stop the minifilter: sc stop ariad
then proceed with install

To install and start/stop manually:

use ariad-manual.inf
You'll have to start the driver manually (also after each boot):
net start ariad

To install and start at boot time:

use ariad-boot.inf
You'll be prompted to restart your machine. This is because ariad will
start at boot time. If you don't want to reboot, no problem. Cancel the reboot prompt
and start the driver manually: net start ariad
Next boot, ariad will be running automatically.
I advise using ariad-boot.inf only after you've worked with the
manual start option and are satisfied that your system is stable.

To uninstall:
sc stop ariad
sc delete ariad
del \%windowsdir%\system32\drivers\ariad.inf

To stop the driver (for example to allow autorun.inf)
net stop ariad

Bugs:

36 Comments »

  1. As promised in the GSEC forum. It will be several days before I have access to a PC that I don’t mind trying it on though!

    Comment by Dave — Sunday 25 January 2009 @ 18:37

  2. Thanks!

    Comment by Didier Stevens — Sunday 25 January 2009 @ 19:13

  3. ARIAD – AutoRun.Inf Access Denied…

    Viruses using the autorun.inf file of removable media such as flash sticks and iPods to automatically execute and install themselves whenever they are plugged into a machine can now be thwarted by Ariad. This is a big vector at the moment.
    It’s a fi…

    Trackback by Dominic White — Sunday 25 January 2009 @ 21:21

  4. [...] reference to an interesting tool that lays the foundations for expanding it further. It is Ariad, a minifilter that serves to prevent the autorun.inf file from being read, the file that causes [...]

    Pingback by MiniFilter Driver « hSec — Friday 27 March 2009 @ 10:54

  5. [...] — Didier Stevens @ 13:42 Today I tested @Ivanlef0u ‘s .LNK PoC with my latest Ariad [...]

    Pingback by Mitigating .LNK Exploitation With Ariad « Didier Stevens — Sunday 18 July 2010 @ 13:42

  6. [...] Stevens explains on his blog how the tool he developed (Ariad) also makes it possible to protect against this [...]

    Pingback by Faille de sécurité des raccourcis sous Windows « Criminalités numériques — Sunday 18 July 2010 @ 14:56

  7. Didier, nice work. I won’t have a chance to test this right away, but it looks like a HIPS in the making.

    Comment by Curtw — Monday 19 July 2010 @ 4:41

  8. Dear Didier,

    Thank you very much for your wise tool!!

    Only one comment: I think it would be a good idea, to add “msi” files in your list of executables.

    Regards,
    Spiros
    spiros”@”ldk.gr

    Comment by Spiros Kollias — Monday 19 July 2010 @ 6:59

  9. @Spiros Thanks. I’m sure my list is incomplete, that’s why I want to use the registry for my list, so you can add your own extensions without having to modify the code.

    Comment by Didier Stevens — Monday 19 July 2010 @ 7:44

  10. js extension is dangerous too. Plz keep silence to open html files ^)

    Comment by Anonymous — Monday 19 July 2010 @ 8:06

  11. [...] .lnk files, from running from a USB or CD drive. He also urged users to read Ariad’s online documentation, and warned them that running it could be risky. “Ariad is a mini-filter drive, and as such [...]

    Pingback by Windows ‘shortcut’ attack code goes public | IT Security, Hacking, Vulnerability alerts, IT Leadership and more — Monday 19 July 2010 @ 14:56

  12. @Didier, btw could you make this so you can choose which drives to block? Am just asking cause I usually prefer to attach drives through ata instead usb. If I could use it like that it would be a perfect tool for a Windows Forensic Environment.

    Comment by bonarez — Monday 19 July 2010 @ 17:23

  13. @bonarez Yes, I could do that, but you can also exclude all the drives except the one you want to mount.
    And this tool needs some extra research for forensic purposes. For the moment, I’m filtering requests for the file system. I don’t expect it will block sector operations on a drive…

    Comment by Didier Stevens — Monday 19 July 2010 @ 22:06

  14. [...] .lnk files, from running from a USB or CD drive. He also urged users to read Ariad’s online documentation , and warned them that running it could be risky. “Ariad is a mini-filter drive, and as such [...]

    Pingback by Windows «shortcut» attack code goes public « The College of Arts and Sciences – Gathering Point for Technology at the University of Oregon — Tuesday 20 July 2010 @ 21:30

  15. Dear Didier, thank you for your prompt reply. At this moment, I apply your driver to 70+ machines (WinXpSP2, SP3). Only a question: how can I massively change some settings (“no file execute” for example) ?

    Comment by Spiros Kollias — Thursday 22 July 2010 @ 6:30

  16. @Spiros The settings are in the registry, I still have to document it. Take a look at the following path:

    HKLM\SYSTEM\CurrentControlSet\Services\Ariad
    The no file execute parameter (and all the other toggles) are in the value “Settings”.
    You should be able to export this part of the registry on your staging workstation, and then import it on your workstations or use a GPO to set the registry.

    Comment by Didier Stevens — Thursday 22 July 2010 @ 19:11

  17. Question, when you stated how to “exclude particular drives” from Ariad, does that mean the whole hard drive only, or does this mean the partitions setup on a hard drive? A PC can have more than one hard drive or only one hard drive with multiple partitions, be primary, dynamic or logical. So, before applying your software, I just like some clarification on the matter…

    Also, what is the syntax required to input multiple hard drives and or multiple partitions into the Ariad settings?

    Example: “CDEF” or “C,D,E,F” or “C D E F” without the quotes?

    Comment by Rospo — Friday 23 July 2010 @ 11:03

  18. @Rospo As Ariad is a file system filter, it is filtering filesystem on partitions. The syntax is CDEF, just a sequence of drive letters you want to exclude without any separator.
    I’ll clarify this in the documentation.

    Comment by Didier Stevens — Friday 23 July 2010 @ 11:29

  19. What about excluding either fixed hard drives or at least %SystemDrive% by default? You could really hurt yourself if you forget to explicitly exclude this, and at least for %SystemDrive% there’s no reason why you’d ever want to block this since it’ll make your machine unbootable.

    Comment by Dave — Tuesday 3 August 2010 @ 13:48

  20. @Dave Excluding %SystemDrive% by default is not a bad idea.

    Comment by Didier Stevens — Wednesday 4 August 2010 @ 15:37

  21. [...] [...]

    Pingback by USB Belleklerdeki Risk - SDN — Wednesday 1 September 2010 @ 17:53

  22. *Scratches head*
    Isn’t this like Software Restriction Policy (SRP) as found in Windows XP/Vista/7 Professional or Business Editions?
    OR
    Even Trust-No-Exec from 2004?
    => http://www.beyondlogic.org/solutions/trust-no-exe/trust-no-exe.htm
    (Although, this solution is no longer maintained…)

    As for ariad, it would be awesome if you had an option whereby you can specify the list of file-types as well as directories to allow or deny. (It will help with Home versions of Windows; as that does NOT have SRP like the Professional or better editions.)

    Comment by aussiebear — Sunday 3 October 2010 @ 23:03

  23. @aussiebear The main difference is that Ariad can restrict access to non-executable file-types too. And unlike SRP (before Applocker), it runs completely in the kernel and can thus not be bypassed by a LUA user.

    Adding new configuration features like the ones you suggest is on my todo list.

    Comment by Didier Stevens — Monday 4 October 2010 @ 6:20

  24. Awesome. Can’t wait until you release a new version then!

    Out of curiosity, why release under “public domain” instead of something like GPL, LGPL, or BSD license?

    Comment by aussiebear — Monday 4 October 2010 @ 15:17

  25. @aussiebear By releasing it under public domain, anybody can do whatever with it.

    Comment by Didier Stevens — Monday 4 October 2010 @ 16:00

  26. Sorry for my English :)
    Sometimes you have to mount the partition not as disk with the letter, but as a folder. I did so on my notebook – the first partition hidden – Factory Recovery, second partition is drive C:, third partition is not drive D:, but the folder “C:\Documents and Settings\user”. I have enabled in Ariad’s settings the protection of hard disks and exclude drive C. File “C:\Program Files\SomeProgram\foo.exe” started normally, but “C:\Documents and Settings\user\Desktop\foo.exe” will not start – Ariad does not allow this.
    This problem is not Ariad-specific and may occur with other software.

    Comment by akar — Monday 11 October 2010 @ 9:07

  27. @akar The real path of your program is D:\Desktop\fo.exe, and this is what the file system driver stack passes on to Ariad. That explains why Ariad refuses access to the file.

    Comment by Didier Stevens — Monday 11 October 2010 @ 16:51

  28. No, D: is USB-drive. Third HDD-partition has no such letter, mounted only as “C:\Documents and Settings\user” – you can make this with diskmgmt.msc

    Comment by akar — Tuesday 12 October 2010 @ 2:42

  29. Well, I definitely had setups similar to what @akar mentioned, with some NTFS volumes (basically identified by their volume GUIDs) solely mounted on an (empty) directory on another NTFS volume. These could be easily created either within the disk management GUI or with the mountvol command line tool, and as far as I remember the documentation explicitly mentioned that as a means to use more volumes than there are (drive) letters available.

    Comment by mIstA — Thursday 4 November 2010 @ 10:19

  30. [...] [...]

    Pingback by USB Belleklerden Korkun! — Wednesday 29 December 2010 @ 14:31

  31. One wish more :) My cell phone when connected to a computer can operate in three modes – “Media Player”, “PC Studio” and “USB flash”. In “USB flash” Ariad works fine. In the “Media Player” phone also does not have the letter, and Ariad will not work with it – executable file when you click on it copied from the phone into the folder “Temp” and runs from it.

    Comment by akar — Sunday 23 January 2011 @ 2:03

  32. @akar Interesting, I’ll have to find a similar device and test.

    Comment by Didier Stevens — Sunday 23 January 2011 @ 16:48

  33. What programming language and compiler is Ariad written in?

    Comment by Mike_S — Thursday 12 May 2011 @ 22:09

  34. C, usermode exe compiled with Borland C++ and driver compiled with Microsoft WDK.

    Comment by Didier Stevens — Friday 13 May 2011 @ 6:57

  35. Thank god some bloggers can still write. My thanks for this read!!!

    Comment by Jesse Dziedzic — Thursday 20 October 2011 @ 14:42

  36. [...] You can now download a 64-bit version of my Ariad driver. [...]

    Pingback by Ariad 64-bit « Didier Stevens — Wednesday 2 November 2011 @ 19:35

