Secret Sector Backdoor / Security Breach

Hello everyone,

Recently I've realized that Windows XP Pro (SP1) secretly writes data
to hard-disk sector(s) that were beyond its
installation-partition boundaries; at that time I used a
basic Windows XP installation on a 3-GB partition,
and the rest of the hard disk was unformatted, for all Windows cared.

I should also mention that my WinXP partition is formatted on FAT32,
but I am capable of accessing NTFS partitions, if need be, using
NTFS4DOS, (which I didn't).

Obviously I was only able to discover that with
an MSDOS-run Disk Editor capable of accessing all 160 million
sectors of my 80GB hard disk, and making a text-based datafile
containing sector numbers (Cyl., Head, Sector + Index),
that was runnable under pure MSDOS mode available by booting
from a BootCD / BootDVD.

I wasn't quite sure what the nature of that data was,
and whether or not it was a copy of the swapfile
(e.g., PageFile.SYS), or some other data off RAM,
or maybe password(s) or other sensitive data
that I may have been working on prior to re-booting
from my BootDVD.

So my questions are:

1. Would anybody be familiar with that sector-writing stuff?
2. If so, what is the nature of the data written?
3. Would password(s) typed at MSDOS-based program(s), run within
   Dos-Box windows, be secretly saved there too?
4. How am I to prevent that from happening?
5. How am I to erase such data?

Thanks much,

Re: Secret Sector Backdoor / Security Breach

Quoting Security.Concerned.User on Mon, 22 Oct 2007 17:02:09 +0000:

Problem exists between keyboard and chair.

There is NO way the OS can write beyond the partition; for the OS, the
rest of the drive does not exist.

Re: Secret Sector Backdoor / Security Breach

Mark Trimble wrote:

Likely, but not clear from the mentioned stuff.

It can. Trivially. It has RAW access to the drive, and not touching the various
partitions is a self-respecting limitation of the volume manager.

Of course it does. It just typically doesn't care unless you instruct it to
do so.

As for what I think it could be: Windows read the partition table and found
it to be incorrect/inconsistent/imprecise, and therefore corrected it. Maybe
it was an x64 version and added an additional GUID-based partition table.
Maybe it considered the other partition as a dynamic volume and wrote a
specific signature into it.

Or, most likely, it's just the user seeing things that aren't there.

Re: Secret Sector Backdoor / Security Breach

A number of manufacturers include a small, non-Windows partition to store
BIOS configuration information and some limited set of Windows configuration
files.  In principle, they can then restore a completely dead system to at
least working in a relatively automated fashion.  I've also seen laptop
manufacturers keep their hibernate image on a "hidden" partition, although I
haven't seen that in a while.


Re: Secret Sector Backdoor / Security Breach wrote:

  Was the XP partition the *first* partition (C:)? If not, then there's
your answer, because XP needs stuff on C: to boot.

  Is your XP software a *retail* version (i.e. a box which you bought in
a store), or an 'OEM' version which came with your/a computer? If the
latter, then it may contain extra software which is stored in a hidden
partition. For example my HP OmniBook vt6200 has a hidden partition with
diagnostic programs.

  As xpyttl mentioned, it may well be a hibernate partition. XP normally
uses a hibernate file, but IIRC it can still use a hibernate partition
(like Windows 2000).

  BTW. *how* did you determine that XP/something writes beyond the
partition? You mentioned the *tool* you used ("an MSDOS-run Disk
Editor"), but not what the tool *showed*, let alone what made you look
in the first place.
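An added example, not posted by anyone in this thread, of how a defender would settle the question the last reply raises (what did the tool actually show?): image the whole disk before and after a boot, parse the MBR partition table, and hash only the sectors outside every partition, so that any write there shows up as a changed range rather than an impression from a sector viewer. The disk layout, the partition type byte and the marker bytes used below are constructed for the demonstration.

```python
import hashlib
import struct

SECTOR = 512  # bytes per sector in the raw disk image


def parse_mbr(image):
    # Classic MBR: four 16-byte entries at offset 446; partition type byte at +4,
    # little-endian LBA start at +8 and sector count at +12 within each entry.
    parts = []
    for i in range(4):
        entry = image[446 + 16 * i:446 + 16 * i + 16]
        start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0 and count != 0:
            parts.append((start, count))
    return parts


def unallocated_ranges(total_sectors, parts):
    # Sector ranges [start, end) covered by no partition; sector 0 (the MBR) is skipped.
    covered = sorted((s, s + n) for s, n in parts)
    ranges, cursor = [], 1
    for s, e in covered:
        if s > cursor:
            ranges.append((cursor, s))
        cursor = max(cursor, e)
    if cursor < total_sectors:
        ranges.append((cursor, total_sectors))
    return ranges


def hash_unallocated(image):
    # SHA-256 of each unallocated range, keyed by its (start, end) sector numbers.
    total = len(image) // SECTOR
    return {r: hashlib.sha256(image[r[0] * SECTOR:r[1] * SECTOR]).hexdigest()
            for r in unallocated_ranges(total, parse_mbr(image))}


def changed_ranges(before, after):
    # Unallocated ranges whose bytes differ between two snapshots of the same disk.
    a, b = hash_unallocated(before), hash_unallocated(after)
    return [r for r in a if b.get(r) != a[r]]


def make_image(total_sectors=64, part_start=8, part_count=40):
    # Constructed sample disk: all zeros, one FAT32 (type 0x0C) primary partition.
    img = bytearray(total_sectors * SECTOR)
    img[446 + 4] = 0x0C
    struct.pack_into("<II", img, 446 + 8, part_start, part_count)
    img[510:512] = b"\x55\xAA"  # MBR boot signature
    return bytes(img)
```

On a real disk the two inputs would be raw images taken from a boot CD before and after the Windows session; a non-empty result from `changed_ranges` is the evidence the thread is missing, and the range it names is what to inspect in the disk editor.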

