
19 June, 2013

FoolProof - FAQ


What is Foolproof ?

Foolproof is a Windoze desktop security program, used almost exclusively by schools, or any other large institution where the people using terminals on a network (or even lone terminals) are not trusted to use the computers freely. It is a configurable program, and depending on the amount of precautions taken, certain actions are restricted. For example, when one right-clicks, all actions other than arranging icons are disabled. Although an understandable precaution on a winblows box, it is more than the least bit annoying for anyone who uses computers for more than checking their e-mail or playing Java games. Another rather pesky feature is the inability to run any program that has not been previously okayed by administrators.

Why Foolproof sucks ?

Foolproof is not only annoying, but insulting. Ever since the days of the ICSS (Incompatible Time-Sharing System) in Tech Square at MIT, any program or routine a computer is made to perform that prevents or restricts the full power and capabilities of the computer is foolish, insulting, and more than a little annoying. I too, should I find myself in charge of a network as large as the one in my former school, would cringe at the mere thought of 900 students, who know as little about computers as they do anything else, and the constant worry that they might download a canned hacking program and actually do damage. However, I feel that the use of computers is a privilege, and compromises must be made and the student body made aware of the limitations and appropriate uses of the system. Although my school had such an acceptable use policy, it was far too harsh, limiting use of computers beyond what Foolproof ever did.

How to get around Foolproof ?

-Running Programs-
Here is where our adventures turn interesting. Foolproof, though initially intimidating, has many gaping holes. First, and the easiest to exploit, is the fact that the routine that checks to make sure a program is previously allowed is not path specific; in fact, it uses no recognition technique other than the name, so by simply renaming your program to an allowed program, such as winword.exe (Microsoft Word), you can run it, and in the executable logs nothing unusual appears. This is probably the biggest vulnerability, especially considering that it is so simple that any idiot who stumbles across such a loophole could do significant damage to the system. But we don't do that. We're hackers.
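The weakness just described is an allow-list keyed on nothing but the file name. As an added illustration (not code from the original article or from Foolproof), the following compares that name-only check with one keyed on canonical path plus content hash; the two "binaries" and their bytes are constructed for the demo.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed stand-ins for real PE files; the bytes are arbitrary.
WINWORD_BYTES = b"MZ constructed stand-in for the real winword.exe"
OTHER_BYTES = b"MZ constructed stand-in for an unapproved tool"


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def allowed_by_name(path, allowed_names):
    """Weak check, as the article describes: only the base file name counts."""
    return os.path.basename(path).lower() in allowed_names


def allowed_by_path_and_hash(path, allow_list):
    """Stronger check: the canonical path must be listed AND the file's
    current SHA-256 must equal the digest recorded when it was approved,
    so neither a renamed copy elsewhere nor an overwritten original passes."""
    canon = os.path.realpath(path).lower()
    expected = allow_list.get(canon)
    return expected is not None and sha256_of(path) == expected


def demo():
    """Approve the real winword.exe, then drop an unrelated file named
    winword.exe in another folder and evaluate both checks on each."""
    root = tempfile.mkdtemp()
    try:
        real = os.path.join(root, "office", "winword.exe")
        renamed = os.path.join(root, "downloads", "winword.exe")
        for path, data in ((real, WINWORD_BYTES), (renamed, OTHER_BYTES)):
            os.makedirs(os.path.dirname(path))
            with open(path, "wb") as f:
                f.write(data)
        names = {"winword.exe"}
        strong = {os.path.realpath(real).lower(): sha256_of(real)}
        return {
            "real_name": allowed_by_name(real, names),
            "renamed_name": allowed_by_name(renamed, names),  # True: the hole
            "real_hash": allowed_by_path_and_hash(real, strong),
            "renamed_hash": allowed_by_path_and_hash(renamed, strong),  # False
        }
    finally:
        shutil.rmtree(root)
```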
-Editing System Files-
Although this varies depending on the individual system's configuration, most system files, such as system.ini or autoexec.bat (both very important to the informed individual), are read-only. As Foolproof is a boot sector program, it is often impossible to boot into MS-DOS to change file permissions. MS-DOS prompts are also restricted. Thus, if one wishes to alter such a file, do this: First, you can see the contents of the file; just open it in Microsoft Word (Notepad is often disallowed ;-) and save it as a txt file. Take it home, make the necessary alterations, careful not to do damage (!!!!), make a backup, and (here's the funny part) upload it to an online drive, you know, a free hard drive on the internet such as www.xdrive.com. If you just brought the file into school on a disk, you couldn't move it into the folder to replace the existing file, or use any other method to switch them, but when downloading files one is given the option of REPLACING EXISTING FILES! Jackpot. Now you can make those changes to run your C++ compiler, winword.exe (wink wink), without typing in that whole long MS-DOS command. Yes yes, there are more malicious uses for such system file editing, but we won't do that. We're hackers.
-Fooling with Foolproof-
Now, I have never done this myself, and I certainly cannot condone a course of action which would harm a system, but there are ways to actually remove Foolproof, or "0wN" it, if you will. These vary from subtle editing to simple overwriting or removing.
First of all, with some programs, it is possible to simply ctrl-alt-delete and close the program- not so with foolproof. If you see it as an available program, it will not end if you close it. Worth a try though.
The next thing you do requires some research. The default directory for Foolproof is C:\Sss, so look around- you will find some .vxd files, and other interesting material. Look around. I never went so far as to actually edit these, but one could easily use the way of editing system files shown above to rewrite these to his/her liking. Among the files you will find are several .ini files detailing programs which are allowed- and other interesting permission material.
If you wanted to, you could just make a blank .vxd file with the same name and replace the existing virtual device drivers of Foolproof, so that they no longer perform their intended functions. In fact, you could completely eliminate the system this way. Unfortunately, there will undoubtedly be unforeseen side effects of this, so do so at your own risk (or better yet, don't).

My Personal Path.

Using the methods outlined above, I decided that the best way for me to obtain full access to the school's client/server NT network was to install a keylogger. Sure, how lame. Maybe so, but they certainly serve a purpose. I could have downloaded a crappy program, but I went top of the line and actually bought (not cracked; programmers need to eat also) a program called "International Keylogger Stealth," by Amecisco Ind., available at ameciso.com or Keylogger.com. This program, hereinafter referred to as "iks", was perfectly tailored to my needs. It was a boot sector program, and instead of using an automatic installer, you could install it just by downloading the .vxd file to the windows\system folder, and then an edited system.ini file (see below) with 2 entries added. Then you just place a file called iks.dat, or anything else .dat, somewhere on the comp, and specify the name and path in system.ini. This way, the .vxd file logs every keystroke, including NT login passwords, in an encrypted form to the dat file. If someone were to open the dat file in winword or notepad, it would be unreadable, displaying random characters. However, if you upload the .dat file to your drive, download it at home, and then run a program called datview.exe, it decrypts it and reveals all contained within. Now you can use other usernames or even admins' passwords to have more fun. The golden fleece of this method is if you can get an admin to run Foolproof's .exe program, which, after prompting for a password, lets one edit the configuration of Foolproof. If you get this, you can do whatever you want. Also, this way you get all the benefits of keyloggers on public terminals, including the devious dial-up passwords and other account information. But don't misuse it. After all. We're hackers.
The System.ini installation.
  1. There are two files you should know about:
    vikxd.vxd --- the virtual device driver that logs all keystrokes
    datview.exe --- the translator to generate the text file from binary log
  2. Let's suppose that you want iks to log to c:\kitkat\kitkat1.dat, here is what you can do:
    1. Copy vikxd.vxd to c:\windows\system;
    2. Edit c:\windows\system.ini, in [386Enh] section, add two entries
      "device=vikxd.vxd" and "VikxdLog=c:\kitkat\kitkat1.dat". So it looks
      like:
      ......
      [386Enh]
      (other entries)
      (other entries)
      device=vikxd.vxd
      VikxdLog=c:\kitkat\kitkat1.dat
      ......
    3. Reboot.
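The installation above leaves two tell-tale lines in the [386Enh] section of system.ini: a device= entry for a VxD nobody approved, and a custom key whose value is a log file path. As an added example (not from the original article or from either product), the following audits a system.ini against a baseline of known device entries; the sample INI text and the baseline set are constructed for the demo.

```python
import re

# Constructed sample in the shape the article shows; the last two [386Enh]
# entries are the ones the installation steps above would add.
SAMPLE_SYSTEM_INI = """\
[boot]
shell=Explorer.exe
[386Enh]
device=*vshare
device=*vcd
device=vikxd.vxd
VikxdLog=c:\\kitkat\\kitkat1.dat
[drivers]
wave=mmdrv.dll
"""

# Constructed baseline: device= values an admin recorded on a clean image.
KNOWN_386ENH_DEVICES = {"*vshare", "*vcd"}


def parse_ini(text):
    """Minimal INI parser: returns {section: [(key, value), ...]}, keeping
    order and duplicates, since device= legitimately repeats."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections


def audit_386enh(text, known_devices):
    """Returns findings: device= VxDs not in the baseline, and any other key
    whose value looks like a file path (a likely log destination)."""
    findings = []
    for key, value in parse_ini(text).get("386enh", []):
        if key.lower() == "device":
            if value.lower() not in known_devices:
                findings.append(("unknown-vxd", key, value))
        elif re.search(r"^[a-z]:\\|\\", value, re.IGNORECASE):
            findings.append(("path-valued-key", key, value))
    return findings
```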
Is Foolproof Really Foolproof ?
Foolproof is a desktop security software used on Windows 9x platforms. Many school districts across the world are taking it on as their only form of internal security. Unfortunately, the name has falsely made them believe that they are secure.
I was originally given the task of checking how secure this software was for my school district while I was in my final year of high school. Upon sitting down at the machine you will notice that it loads a boot lock (it won’t allow any "F" keys to be pressed unless a password is entered, and once you get to a Dos prompt you will notice that there isn’t anything on the drives. If you break out a copy of Fdisk you will see that the boot lock program has changed the partitions into non-Dos partitions so they cannot be messed with). Once you boot the computer into Windows, the first thing this software does is load itself into every part of memory that your computer will allow. This allows the software to prevent the use of certain programs that are specified in the settings by hogging all the memory, which stops the program from loading because there is no memory left to bring it up. Another thing you notice is the wonderful little lock program down in your taskbar telling you the machine is locked (doesn’t this just beg to be messed with?).
Now that I’ve given some background on the program, here comes the fun part. How to get around it.

1. 32-bit Software protection

Foolproof is a 32-bit application. For some reason or another they didn’t program any 16-bit protection. If Foolproof has been set up to block the visibility of some network drives, all you have to do is go into the root of your windows folder and run ‘fileman.exe’ (I realize this is stupid, but you wouldn’t believe how many school districts leave this one open). Once File Manager is open you should be able to see and access all drives that you were locked out of in My Computer.

2. Password in plaintext?

This is another one I was never able to understand. If you are going to have such a secure program, why can you take a memory dump of the machine and find the password in plain text? I’m not sure if this one works on newer versions, but on older versions you just had to do a search in the memory and find ‘Foolpr’ (that was another thing; I don’t know if they thought it would be more secure if they didn’t put the whole name or what, but that is how you find it). Usually there are two passwords you want to find: the one to get in and change settings, and a password to a higher access level than what the machine boots up to.

3. Remove it

The best way to get rid of a program is to remove it. So this is how. When you are first booting and the background to Windows first comes up, hit ctrl-alt-del (must be before anything loads. Ex. Boot logo just disappeared, background shows up, hit ctrl-alt-del). This will bring up the Close Program dialog window. Now double click outside of the window a couple of times really quickly until Task Manager comes up (you will learn that Task Manager can be your best friend in many situations. It may take you a couple of tries to get Task Manager up, but it will work eventually). From this point click on File and then Run Application. Type in "deltree /y C:\SSS" (this is the default directory for Foolproof. You might want to do some looking around before you decide this is the directory you want to completely delete). At this point, some computers will freeze. It’s okay. Just hit ctrl-alt-del again and close down Task Manager or whatever non-responding applications are open. Once they are closed the deltree operation should continue and delete the Foolproof directory before the registry goes to load it. Once Windows finishes its loading process (whether you have to login to the network first or not, load the desktop and startup applications, etc.), the .dll errors will start appearing. Write them down and remove them from the registry. Now Foolproof is removed far enough to allow you full access to the local machine and whatever kind of network access your user possesses on the network.

4. Bootlock

Remember earlier where I mentioned that it turns all partitions into non-Dos partitions? Well, let’s have some fun with this. There are two ways that I know of to remove Bootlock. First, if you have a copy of Foolproof lying out on a shared network drive, go grab it (it doesn’t matter if it has custom settings in it or not. If it doesn’t have custom settings in it, then why are you reading this?). Run the installer for Foolproof. When it asks you if you wish to make an emergency repair disk, say yes. Use this disk to get to a command prompt and then type ‘FPMOD -R’. This should remove Bootlock for you, so you can now have access to the Dos layer of your computer if you boot with a boot disk. The second way I know of getting around Bootlock is also with a bootdisk. Make a bootdisk and put a copy of fdisk.exe and ndd.exe (found in older versions of Norton Utilities; make sure it is the Dos version) on it. Boot the computer with the disk and Fdisk all the non-Dos partitions. Exit out of Fdisk and reboot with the disk still in the drive. Once you are back at the prompt again run ndd.exe. It will scan all hard drives and then come up asking you if you used to have a hard drive but you aren’t able to access it now. Tell it yes and it should restore the partitions without Bootlock.

5. Novell Client

If you are on a network where the Novell Netware Client is used, here is a good one for you. When at the Novell login screen hit F1. This brings up the wonderful help system for the Novell client. Like most people who program help files, they were too lazy to take out the features that aren’t needed. First go to File → Open. From this point find the Foolproof directory (usually C:\SSS) and rename it to whatever you want. Exit out of the help system and login to the network. Once you are at the desktop of your computer, restart your machine. When the computer boots back up you’ll get a couple of errors that have to do with Foolproof, but Foolproof will be gone. Do whatever you wish to do with Foolproof turned off, and when you are done just rename the directory back to its original name. Wasn’t that simple?
I’m sure there are many more ways to get around this sorry excuse for security software, but I haven’t had the time to try any new methods. I figure if you got something that works, keep on using it till it doesn’t. I might write another article in the future, but this will be it for now. Greetz out to CyberArmy, Packetstorm, Sensimilla, Monkee, and all my friends on Efnet.
