Data Leak Prevention Bypass

I was testing the capabilities of Data Leak Prevention software which runs on a Windows PC and prevents the use of devices such as USB Drives so that files cannot be copied. The software side was easy enough to get around, more of the same old stuff, so I wanted to do something more interesting. I created a proof of concept hardware device to allow the copying of data from a locked down machine.

I first did this project back in 2008 but after getting it working and demonstrating the concept I didn't get around to doing any kind of writeup until now.

How It Works

The DLP software prevents the use of certain types of devices on various ports, such as the obvious USB Mass Storage class of device. However, in most modern environments USB keyboards have to be allowed so the users can type.

I programmed a microcontroller to emulate a USB keyboard so when it is plugged in it is allowed to function (as a keyboard of course). USB keyboards communicate with the computer over the HID (Human Interface Device) protocol. The HID protocol allows communication in both directions by sending and receiving reports and feature requests. I've utilised this control channel to allow the PC to transfer files over the HID protocol to the device, which writes the files to a MicroSD card. This doesn't require any special drivers or admin rights but it does need a small custom-written executable to communicate using our own protocol over HID. To get this executable onto the PC an old pentesting trick is used: since the device acts as a keyboard it types out a VBScript into Notepad which includes an encoded binary. When run, the VBScript can decode the binary and save it to disk, from where it can be run. An alternative version is to create a .bat file which pipes a hex encoded binary into debug.com to create the binary.
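The detail a defender can act on here is that the host-to-device channel described above (Output and Feature reports) has to be declared in the device's HID report descriptor, and a plain keyboard declares almost none of it: one byte of Output for the LEDs and no Feature reports at all. The following is an added example, not code from the original post or the device described in it, that parses a report descriptor and flags a device which claims the keyboard usage while also declaring large host-to-device reports or a vendor-defined usage page. Both descriptors are constructed for the example; the 8-byte threshold and the names parse_report_descriptor and review_keyboard_descriptor are my own choices.

```python
"""Heuristic review of a USB HID report descriptor: does a device that
presents itself as a keyboard also declare host-to-device (Output/Feature)
capacity or vendor-defined usages that a keyboard has no need for?
Constructed example for triage, not code from the original post."""

from dataclasses import dataclass, field

# Item prefix byte: bits 7-4 tag, bits 3-2 type (0 main, 1 global, 2 local),
# bits 1-0 size code (0, 1, 2 or 4 data bytes).
_SIZE_TABLE = (0, 1, 2, 4)
_COLLECTION = 0xA                       # main item tags
_REPORT_KINDS = {0x8: "input", 0x9: "output", 0xB: "feature"}
_USAGE_PAGE, _REPORT_SIZE, _REPORT_ID, _REPORT_COUNT = 0x0, 0x7, 0x8, 0x9   # global
_USAGE = 0x0                            # local

GENERIC_DESKTOP_PAGE, KEYBOARD_USAGE = 0x01, 0x06
VENDOR_PAGE_MIN = 0xFF00


@dataclass
class ReportSummary:
    bits: dict = field(default_factory=dict)        # (kind, report id) -> bits
    usage_pages: set = field(default_factory=set)
    claims_keyboard: bool = False


def parse_report_descriptor(desc: bytes) -> ReportSummary:
    """Walk the descriptor and total the bits declared per report."""
    summary = ReportSummary()
    usage_page = report_size = report_count = report_id = 0
    pending_usages: list[int] = []
    i = 0
    while i < len(desc):
        prefix = desc[i]
        if prefix == 0xFE:                          # long item: bDataSize follows
            i += 3 + desc[i + 1]
            continue
        tag, btype, size = prefix >> 4, (prefix >> 2) & 0x3, _SIZE_TABLE[prefix & 0x3]
        data = int.from_bytes(desc[i + 1:i + 1 + size], "little") if size else 0
        i += 1 + size
        if btype == 1:                              # global items persist
            if tag == _USAGE_PAGE:
                usage_page = data
                summary.usage_pages.add(data)
            elif tag == _REPORT_SIZE:
                report_size = data
            elif tag == _REPORT_ID:
                report_id = data
            elif tag == _REPORT_COUNT:
                report_count = data
        elif btype == 2:                            # local items apply to next main item
            if tag == _USAGE:
                # a 4-byte Usage carries its own page in the upper 16 bits
                pending_usages.append(data & 0xFFFF if size == 4 else data)
        elif btype == 0:                            # main items
            if tag == _COLLECTION:
                if usage_page == GENERIC_DESKTOP_PAGE and KEYBOARD_USAGE in pending_usages:
                    summary.claims_keyboard = True
            elif tag in _REPORT_KINDS:
                key = (_REPORT_KINDS[tag], report_id)
                summary.bits[key] = summary.bits.get(key, 0) + report_size * report_count
            pending_usages = []                     # locals are consumed by each main item
    return summary


def review_keyboard_descriptor(desc: bytes, max_host_to_device_bytes: int = 8) -> list[str]:
    """Return findings for a keyboard-class device; an empty list means nothing unusual.
    The 8-byte threshold is a chosen heuristic, not a HID rule."""
    s = parse_report_descriptor(desc)
    findings: list[str] = []
    if not s.claims_keyboard:
        return findings                             # heuristic only targets 'keyboards'
    for (kind, rid), bits in sorted(s.bits.items()):
        nbytes = (bits + 7) // 8
        if kind in ("output", "feature") and nbytes > max_host_to_device_bytes:
            findings.append(f"{kind} report id {rid} carries {nbytes} bytes host-to-device")
    for page in sorted(p for p in s.usage_pages if p >= VENDOR_PAGE_MIN):
        findings.append(f"vendor-defined usage page 0x{page:04X} on a keyboard")
    return findings


# Constructed: the textbook boot-protocol keyboard (8-byte Input, 1-byte LED Output).
_KEYBOARD_BODY = (
    "05 07 19 E0 29 E7 15 00 25 01 75 01 95 08 81 02"   # modifier bits
    "95 01 75 08 81 01"                                 # reserved byte
    "95 05 75 01 05 08 19 01 29 05 91 02"               # LED output bits
    "95 01 75 03 91 01"                                 # LED padding
    "95 06 75 08 15 00 25 65 05 07 19 00 29 65 81 00"   # six key codes
    "C0"
)
STANDARD_KEYBOARD = bytes.fromhex("05 01 09 06 A1 01" + _KEYBOARD_BODY)

# Constructed: the same keyboard (report id 1) plus a vendor collection declaring
# a 64-byte Output and a 64-byte Feature report (report id 2).
SUSPICIOUS_KEYBOARD = bytes.fromhex(
    "05 01 09 06 A1 01 85 01" + _KEYBOARD_BODY
    + "06 00 FF 09 01 A1 01 85 02 75 08 95 40 09 02 91 02 09 03 B1 02 C0"
)

if __name__ == "__main__":
    for name, desc in (("standard", STANDARD_KEYBOARD), ("suspicious", SUSPICIOUS_KEYBOARD)):
        print(name, review_keyboard_descriptor(desc) or "no findings")
```

On Linux the kernel exposes the raw descriptor of an attached device at /sys/bus/hid/devices/*/report_descriptor, which can be fed straight into review_keyboard_descriptor; on Windows it has to be captured from the USB enumeration. Treat hits as triage rather than a block decision: gaming and macro keyboards legitimately declare vendor pages and larger reports, so the useful signal is a device whose declared capacity does not match the product it claims to be.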

Prototypes

The first prototype was made on stripboard using an ATMega168 and did USB all in software with the amazing V-USB library. Data sent from the PC was written to the EEPROM (so storage was very limited).

The second prototype added a uALFAT-USB board so that the ATMega168 could write the data out to a USB stick with simple serial commands:

DLP Bypass Prototype 2

The next revision used a Teensy which has hardware USB on the microcontroller. It also utilised a MicroSD card in SPI mode for built-in storage.

DLP Bypass Prototype 3