McAfee Social Protection – broken by design

So I stumbled across this video today:

First I thought this was some old April fools’ day video, but McAfee is really working on this and they have a public beta test. Their claim:

When you upload your photos using the app, your photos will appear blurry and indistinguishable to people you don’t know. What’s more, no one – not even your friends and family who you’ve granted access to your photos – can save, print, download, or screen capture them.

Oh, really? Maybe the PR folks at McAfee should have visited an 8th grader’s science class. Their product is – like any DRM system – broken by design. If information is displayed, it can be copied – it’s that simple. You can’t work around the laws of physics.

So basically, whatever their software does, you can always rip the signal directly from the graphics card output. When doing this via HDMI or DVI you get a perfect digital copy of the photo. (Needless to say, if you are lazy you can simply pull out your 8-megapixel phone, take a picture and still get an acceptable result.)

So at this point I could have stopped looking at this… but whatever.

First attempt to break this: screenshots. Yes, they do prevent screenshots.

Next idea: installing the whole thing in a virtual machine and then taking a screenshot from the host operating system. Surprise here. They actually took the effort and implemented some kind of VM detection – the plugin refuses to show photos when it knows it’s running in a VM.

Clever. I didn’t feel like spending 3 hours on hiding everything that could reveal that it’s a VM, so instead I wanted to see if I can simply kill the VM detection. The VM detection is done in the DRMClient.dll and one of the functions they use is GetSystemFirmwareTable, but they also scan the registry looking for popular virtualization software, including VMware, VirtualBox, Bochs, Parallels:

While looking through this DRMClient.dll I also found that they check for screen recording and screenshot software, for example Fraps:

Any changes in the DRMClient.dll file will break integrity and the plugin will re-download the file.

At this point I got bored and stopped trying, so I am just publishing this to give other researchers a head start. Hint: if you want to run the plugin in a VM, you must enable Windows Aero, VirtualBox can do this. Basically, if you hide that you are running everything in a VM, you got it… (If a VirtualBox developer comes across this post: please include some kind of stealth configuration that will hide any virtualization characteristics.)
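
An added illustration, not code from this post or from McAfee's plugin: the sketch below parses the raw SMBIOS blob that GetSystemFirmwareTable returns for the 'RSMB' provider and lists every string containing one of the product names mentioned above, which shows what a guest's firmware tables give away to a check like this. That the plugin queries this particular provider is an assumption, and the function names and both sample tables are constructed for the example.

```python
import struct

# Product names the post lists as targets of the plugin's checks.
VM_MARKERS = ("vmware", "virtualbox", "bochs", "parallels")

def smbios_strings(raw):
    """Yield (structure_type, string) for every string in a RawSMBIOSData blob."""
    (length,) = struct.unpack_from("<I", raw, 4)   # 8-byte header, DWORD Length at offset 4
    table = raw[8:8 + length]
    pos = 0
    while pos + 4 <= len(table):
        stype, slen = table[pos], table[pos + 1]
        if slen < 4 or stype == 127:               # malformed length or end-of-table
            return
        start = pos + slen                         # string-set follows the formatted area
        end = table.find(b"\x00\x00", start)       # string-set ends with a double NUL
        if end == -1:
            return                                 # truncated table
        for s in table[start:end].split(b"\x00"):
            if s:
                yield stype, s.decode("ascii", "replace")
        pos = end + 2

def vm_indicators(raw):
    """Return the (type, string) pairs that contain a known virtualization marker."""
    return [(t, s) for t, s in smbios_strings(raw)
            if any(m in s.lower() for m in VM_MARKERS)]

def _structure(stype, body, strings):
    """Build one constructed SMBIOS structure (handle fixed at 0 for brevity)."""
    head = bytes([stype, 4 + len(body)]) + struct.pack("<H", 0) + body
    tail = b"".join(s.encode() + b"\x00" for s in strings) + b"\x00"
    return head + (tail if strings else b"\x00\x00")

def _raw(*structures):
    """Wrap constructed structures in a RawSMBIOSData header plus end-of-table."""
    table = b"".join(structures) + _structure(127, b"", [])
    return bytes([0, 2, 8, 0]) + struct.pack("<I", len(table)) + table

# Constructed samples, not dumps from real machines.
SAMPLE_VM = _raw(_structure(0, b"\x01\x02", ["innotek GmbH", "VirtualBox"]),
                 _structure(1, b"\x01\x02", ["innotek GmbH", "VirtualBox"]))
SAMPLE_PHYSICAL = _raw(_structure(0, b"\x01\x02", ["Example Vendor Inc.", "F.42"]),
                       _structure(1, b"\x01\x02", ["Example Vendor Inc.", "Model 1234"]))

if __name__ == "__main__":
    print(vm_indicators(SAMPLE_VM))
    print(vm_indicators(SAMPLE_PHYSICAL))
```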
