Didier Stevens

Monday 26 March 2007

Playing with Safe Mode

Filed under: Hacking — Didier Stevens @ 21:23

Safe Mode has been on my mind lately, now that I discovered that the SafeBoot registry keys simply reference devices, services and drivers that have to be enabled when booting into Safe Mode. Could it be that one can easily configure his own service to run in Safe Mode? Yes, one can!

Here is a very simple service I programmed to test my idea. This service just writes a string to debug output every second. You can view the debug output with Sysinternal’s DebugView utility.

You install the service with this command (admin rights are needed to install services):

  MySafeModeService -i

This will configure the Service Control Manager to automatically start MySafeModeService when the machine is booted (for now, the service is just installed, it is not started).
During the installation of the service, the following registry keys are created:

  HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\MySafeModeService, Default = Service
  HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\MySafeModeService, Default = Service

The HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot registry key is where all Safe Mode settings are persisted, deleting this key prevents you from booting into Safe Mode.
The subkeys Minimal and Network are for the 2 Safe Boot modes: without and with networking. Adding a subkey to Minimal with the name of your service and a default value set to Service, makes that your service will be started when you boot into Safe Mode without networking. The same applies for the Network subkey.

Boot into Safe Mode after installing MySafeModeService. Start DebugView, you’ll get an error, but just ignore it:

sms_debugviewerror.PNG

sms_mysafemodeservice.PNG

When I asked Mikko Hyponen if he knew of a virus that would add itself to the SafeBoot key, he came up with a surprising answer: the Sony Rootkit!

Blog at WordPress.com.