Government Security
Network Security Resources

Hacking Deepfreeze



#1 Travis (Specialist, Sergeant Major, 2,101 posts)
Posted 18 April 2003 - 09:30 AM

I hate deepfreeze in the sense that I can't leave installed games on my school computer... here's an in-depth tutorial on how to remove it :) (I have installed games on my computer now :D )




Deepfreeze does NOT place any restrictions on a machine, so whatever you want to do, whether it's downloading mp3's or downloading and installing ICQ or browser add-ons or WHATEVER, deepfreeze does not prevent it. What matters much more is how you are logged in: as User, or Power User, or Administrator. True, you'll have to install/download your stuff every time you sit down at the computer, but hey! you CAN do so. That's the beauty of deepfreeze: it places no restrictions on the machine. Take a look at M$ TechNet:

Default Access Control Settings
http://www.microsoft...ity/secdefs.asp

The entire white paper is very helpful in understanding the difference between Users, Power Users, and Administrators. NOT understanding this issue causes more problems on Windows 2000 than all other problems put together. Example: you installed winzip and don't understand why the *uck it won't work. Answer: you were not logged in as administrator when you installed it.

And, along these lines, you can ask your teacher/computer lab admin to promote you to Power User. Cuz Power Users have access to HKLM (HKEY_LOCAL_MACHINE) in the registry, and can manipulate a lot more on the system (read the paper). For example, let's say there is a nasty content filtering program such as CyberPatrol preventing you from accessing 2600 or other web sites. Such a program probably starts automatically from a key in HKLM under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Simply delete the key and then restart the computer, and the program will not be running.

So... try to become a Power User. If you explain to your teacher that being just a User is a real pain in the butt and that you NEED to be Power User in order to do things, he/she MIGHT make you one. You don't know until you try.

Now, about hacking DeepFreeze. DeepFreeze was developed with sneaky little hackers like you, intent on *ucking up computers, in the FOREFRONT of the developers' minds. The developers of DeepFreeze knew and know how to think like hackers. They were in high school once, too!! And, if that were not enough, they also know how to program at a very low level (we're talking LOW, LOW level!!) in order to protect the computer. Do you know how to hack/load/unload kernel-mode device drivers? NO?! Do you know how to program in assembly REALLY well?? NO?! Do you understand encryption and how it functions in a program? NO?! Do you know how to best pack your program so that it is strongly resistant to reverse engineering? NO?? You mean you don't even know what "pack" means? JEEZ! I don't think you're gonna hack DeepFreeze then, O Miserable One!!!

On Windows 95/98/Me:
DeepFreeze is a VxD (Virtual Device Driver) located in c:\windows\system\iosubsys\persifrz.vxd. The only hope for most hackers of "hacking" DeepFreeze is to boot from a boot disk and delete this file. All the other filez in c:\progra~1\hypert~1\deepfr~1 are just other program filez. The most important file to delete is the actual DeepFreeze driver, persifrz.vxd. It IS true, though, that if you delete the other filez in the DeepFreeze folder FROM A BOOT DISK, DeepFreeze will no longer load. I'm just giving you the best and easiest way. Delete persifrz.vxd and DeepFreeze is deader than a doorknob. AND it's only one file. persifrz.vxd IS DeepFreeze.

Can't boot to any drive except c:\? And BIOS setup is password-protected? Oh well, you're not gonna hack DeepFreeze. And DeepFreeze prevents, BY DESIGN, BIOS password-crackers from working.

On Windows 2000/XP DeepFreeze consists of several important filez. There are 2 drivers and 1 service (I'll let you figure out the paths):
DepFrzLo.sys (kernel driver)
DepFrzHi.sys (filesystem driver)
dfserv.exe (service)
frzstate.exe (password dialog)
persis00.sys (password file and "on/off switch")

Probably you will need NTFSDOSPRO to boot up and mount an NTFS drive. And if you're elite, you won't have any problem getting that from someone or finding it, or carding it from an internet cafe... If you do card it from a cafe though, don't use a yahoo or hotmail e-mail address. And make sure you know the CVV on the card. Use something different like boxfrog.com or rock.com. It's available from http://www.sysinternals.com and costs $300. True: there is a free LINUX boot disk which also mounts NTFS drives, but it's not nearly as good. One last thing about NTFSDOSPRO. There is no free support AND it is kinda tricky creating and using the NTFSDOSPRO boot disk. You have to first boot with a regular boot disk, then put in your NTFSDOSPRO boot disk to mount the NTFS drive. You'll see what I mean; it's not very user-friendly and little explanation is given on how to really go through with the entire operation.

Using NTFSDOSPRO, if you replace persis00.sys with your own persis00.sys containing your own password, then you can thaw deepfreeze using your own password. You see, persis00.sys contains the password and the on/off switch which the driver checks to see if it should start the computer in thawed mode or frozen mode. This is preferable to deleting the entire DeepFreeze program on Windows 2000/XP with a boot disk. All pertinent encryption seems to be contained in this one file. And, a persis00.sys from a totally different DeepFreeze doesn't seem to matter (as in one from a trial version). Post here if you discover differently.

Before attempting to delete the drivers on Windows 2000 with a boot disk though, try it at home first, because the computer may not start up. In other words, it may be necessary to delete certain keys in the registry as well, in order for the computer to not "crash" before it even starts! Use InCtrl5 to monitor your own installation of DeepFreeze 2000/XP. Available here:
http://common.ziffda...027/inctrl5.zip
It will tell you each and every file and registry key installed by the program. There may be serious problems if you don't delete certain important "pointers" and "references" to the DeepFreeze driver on the Windows 2000 platform. I don't know. Try it and see. Maybe not.

Now, here are TWO methods of hacking DeepFreeze you probably haven't thought of:

#1 IF your school/lab is using the trial version of DeepFreeze (and this is more common than you think: schools are really hurting for money nowadays!!), and IF you can access BIOS setup, you can forward the date and DeepFreeze will no longer work (you'll see the blinking red X flashing on the DeepFreeze system-tray icon). Then simply uninstall DeepFreeze. By the way, there are two keys in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion which must be deleted in order to be able to re-install a fresh trial version of DeepFreeze. One starts with Rebar, and I'll let you figure out the other one. It may be only the Rebar that is necessary to delete.

#2 Find out which computer your computer lab administrator has the DeepFreeze Administrator program installed on. At his desk? In his office? Most of the time now, administrators are taking advantage of DeepFreeze's OTP (One-Time Password) feature. In order to thaw DeepFreeze, they go to the computer which needs to be "thawed" and shift+double-click on the DeepFreeze icon in the system tray, which brings up the password dialog box (frzstate.exe). They then jot down the token which appears in the window's title bar. They then go back to THEIR computer which has the DeepFreeze Administrator program, open up DFAdmin, and input the token in order to generate a one-time password. This OTP will then work, one time only, to restart the computer in thawed mode. After restarting a second time, the computer is frozen once again, automatically. Now, IF you can get your hands on a DeepFreeze Administrator program, maybe by purchasing it from HyperTechnologies... then, all you need to do is copy one file from your administrator's DFAdmin program, take it home, place it in your DFAdmin program, and you can generate OTPs for your school's computers. JUST ONE FILE: dfadmin.exe is necessary to copy and replace, and it is small enough to save to a floppy or e-mail to yourself. You see, when DeepFreeze Administrator is first set up, the administrator chooses a phrase or master password which is used to make the encryption unique for his/her network. And this encryption is contained totally in dfadmin.exe. You might want to think of a way to get your administrator to thaw the computer, and then watch which computer he goes to to obtain the OTP. Are you with me?

#3 IF your administrator is naive enough to be using permanent passwords for DeepFreeze, then you can use something called KeyKatch. Go to http://www.keykatch.com. This puppy works great. Just be sure to install it in the keyboard port, NOT the mouse port -- an easy mistake. Regular software-based keyloggers, etc., won't work because they will not be there when the computer is restarted. Think about it: the administrator is never going to enter the password and then NOT restart the computer! And when he/she restarts the computer, of course, the keylogger would be gone. UNLESS your school's computers have two drives, and one is not frozen, and you can configure your keylogger to save the log file to the unfrozen drive. Of course, you'll have to re-install the keylogger program to read your log file.

As you can see, except for #1 above, there is no EASY way to hack DeepFreeze. Cuz whatever you do, you're not really doing; it all goes away when you restart the computer. I hope this little post helps you to understand more about how it might be done though, IF a person is DETERMINED to beat it. Of course, being THAT determined might get you in serious trouble at your school, too. So, remember that, first and foremost.

Of course, you might approach your computer science teacher/network administrator and tell him or her that you know how to hack DeepFreeze and you would like his/her permission to hack it (he'll KNOW you can't). Then, once permission is secured, get access somehow to the computer with DFAdministrator on it and copy dfadmin.exe. If you have permission to hack DeepFreeze, you might even be able to get help from a janitor or the assistant principal or something in order to get physical access to the computer. You'll have to have your own copy of DFAdmin first, and then you'll have to be able to log on to the computer with DFAdmin on it. If winlogon greets you and you can't log on, you'll need NTFSDOSPRO to copy dfadmin.exe using a boot disk. The only other possibility would be to somehow e-mail the administrator a trojan which would allow you to access his computer remotely and copy dfadmin.exe. (SubSeven, BackOrifice, etc.) I think that's how the FBI would do it! he-he...


http://groups.google...ogle.com&rnum=1

Some Helpful Links :)

NTFS Pro
NTFS Pro Update Patch
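The thaw flow the tutorial above describes (a token shown in the frozen machine's password dialog, an admin console that turns that token into a password that works exactly once) is a challenge-response one-time-password scheme whose entire security rests on the secret held in the admin console. The Python below is an added example, not code from the post or from the DeepFreeze product, and the HMAC construction, the 8-digit OTP format, the token length and the expiry window are assumptions chosen for illustration, not the vendor's algorithm. It models both sides of the exchange and shows the two checks a verifier on the workstation side must enforce (single use and expiry), and why a second console holding the same key is indistinguishable from the legitimate one, which is the reason the key material has to be treated as the crown jewel and rotated if the console is ever exposed.

```python
"""Challenge-response OTP modelled on the thaw flow described in the thread.

Added example: the HMAC-SHA256 derivation, 8-digit OTP, 8-hex-char token and
600 s expiry are assumptions for illustration, NOT the real DeepFreeze scheme.
"""
import hashlib
import hmac
import secrets
import time


def derive_otp(site_key: bytes, token: str) -> str:
    """Map (shared key, challenge token) to an 8-digit one-time password.

    Both sides compute this; whoever holds site_key can answer any token.
    """
    digest = hmac.new(site_key, token.encode("ascii"), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class Workstation:
    """The frozen machine: issues challenge tokens and verifies answers."""

    def __init__(self, site_key: bytes, ttl_seconds: int = 600, clock=time.time):
        self._key = site_key      # assumed provisioned at install time
        self._ttl = ttl_seconds
        self._clock = clock       # injectable so expiry can be tested offline
        self._pending = {}        # token -> time it was issued
        self._used = set()        # redeemed tokens: enforces "one time only"

    def issue_token(self) -> str:
        token = secrets.token_hex(4).upper()   # what the dialog title bar would show
        self._pending[token] = self._clock()
        return token

    def redeem(self, token: str, otp: str) -> bool:
        """True only for a fresh, unexpired token with the correct OTP."""
        issued = self._pending.get(token)
        if issued is None or token in self._used:
            return False                       # unknown token or a replay
        if self._clock() - issued > self._ttl:
            del self._pending[token]
            return False                       # token too old
        if not hmac.compare_digest(derive_otp(self._key, token), otp):
            return False                       # wrong password (or wrong key)
        self._used.add(token)
        del self._pending[token]
        return True


class AdminConsole:
    """The admin's console: anything holding the key can mint valid OTPs."""

    def __init__(self, site_key: bytes):
        self._key = site_key

    def generate_otp(self, token: str) -> str:
        return derive_otp(self._key, token)


def thaw_walkthrough():
    """Run the exchange once and return (first use, replay, wrong-key) results."""
    site_key = hashlib.sha256(b"constructed master phrase").digest()  # constructed
    ws = Workstation(site_key)
    console = AdminConsole(site_key)

    token = ws.issue_token()               # admin reads this off the dialog
    otp = console.generate_otp(token)      # and types this one back in
    first_use = ws.redeem(token, otp)      # expected True
    replay = ws.redeem(token, otp)         # expected False: token already burned

    other_token = ws.issue_token()
    wrong_key = ws.redeem(other_token, AdminConsole(b"different key").generate_otp(other_token))
    return first_use, replay, wrong_key


if __name__ == "__main__":
    print(thaw_walkthrough())
```

The injectable clock is what lets the expiry check be exercised without waiting: pass a lambda returning a counter you advance yourself. The design point for a defender is that nothing in `Workstation.redeem` can tell a stolen copy of the key from the real console, so the mitigations are key custody and rotation, not more checks on the password format.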

#2 blazeking (Private First Class, Members, 35 posts)
Posted 11 February 2004 - 08:43 AM

I had deepfreeze installed on a few machines at school, but I installed them, I worked there. Then one day something very bad happened. I needed to remove deepfreeze, but it was stuck as enabled. Also had this problem:

"Can't boot to any drive except c:\? And BIOS setup is
password-protected? Oh well, you're not gonna hack DeepFreeze. And
DeepFreeze prevents, BY DESIGN, BIOS password-crackers from working."

But just reset the BIOS (removing the battery), password went bye-bye. I could boot to a: then.

#3 Guest_liquidSilver_* (Guest)
Posted 11 February 2004 - 10:31 AM

Nice tut. My school is running DeepFreeze as well, a lot of fun is awaiting! :rolleyes:

#4 Sblader5 (Private First Class, Members, 33 posts)
Posted 11 February 2004 - 01:23 PM

The easiest way is the OTP generation. It was on our sysadmin's shared drive. Just look around!

#5 kyriakosnicola (Private, Members, 19 posts)
Posted 01 June 2004 - 10:18 AM

Another smart thing to do is to use System Restore on WinXP machines, restoring the PC to a day before DeepFreeze was installed.

BTW nice tut. I'll give it a try when I get back to school :)

#6 JDog45 (Staff Sergeant, Members, 257 posts)
Posted 01 June 2004 - 06:59 PM

Very nice tut, dissolutions. I can just see sysadmins going...Hmmm.... :blink:

#7 Sblader5 (Private First Class, Members, 33 posts)
Posted 04 June 2004 - 12:50 PM

Or you could just get dfadmin...
ME

#8 PiP (Corporal, Members, 172 posts)
Posted 04 June 2004 - 11:01 PM

Very nice tut, dissolutions.  I can just see sysadmins going...Hmmm.... :blink:

I can't, unless the admin is a fool; most of those techniques are pretty much common knowledge without being "elite" :huh:, but a nice tutorial nonetheless.

The one mistake a lot of admins make when administering a school's network is underestimating students' knowledge, which is usually more than the administrators' (at least from my experience).

I was hoping someone had figured out how to bypass it when resetting the BIOS is just not feasible ;) - I think the makers of DeepFreeze are offering a prize to anyone who does bypass their software, when the system is configured right.

one thing though

Regular software-based keyloggers, etc., won't work because
they will not be there when the computer is restarted. Think about it:
the administrator is never going to enter the password and then NOT
restart the computer! And when he/she restarts the computer, of
course, the keylogger would be gone. UNLESS your school's computers
have two drives, and one is not frozen, and you can configure your
keylogger to save the log file to the unfrozen drive.


Or get it to save to a network share; chances are the admin / school will have at least one with full access - if not, create one if you can - maybe on a PC that won't be shut down anytime soon.

Or to your USB drive you have plugged in, although that would only work if you can use USB drives and if the admin is very trusting.

Or, DeepFreeze doesn't wipe the data off the hard drive, it just 'deletes'; it can be recovered - but that's not practical here.

#9 Sblader5 (Private First Class, Members, 33 posts)
Posted 05 June 2004 - 03:32 PM

On some of the comps I've worked with there's been a space called "thawspace" and this isn't "frozen".
ME

#10 withdraw (Private First Class, Members, 72 posts)
Posted 24 August 2004 - 09:53 AM

ROFL
I remember deepfreeze. I like how it stores the pw in plain text so the admin can assign the same exact password for the windows admin account and the domain controller. :D

#11 animorph840 (Private, Members, 15 posts)
Posted 04 September 2004 - 09:20 PM

If you are alone with the computer, wouldn't it be kinda easy to disconnect the hard drive (so the BIOS goes to the next boot device) and boot to a CD/floppy to crack the BIOS password? After you get that you could swap the boot order, boot with a Linux CD, and have your way with DeepFreeze. Or perhaps BeOS Personal Edition could do something since (if I recall) it booted without completely restarting the computer...

#12 yakusacyberlink (Private, Members, 1 posts)
Posted 23 August 2010 - 06:24 PM


You can visit my website www.trickskomputer.com, simple and easy with tools undeeppreeze all version 100% WORKING



