@upnorth
HKLM\System\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}
- You target this the same way as instructed in the uninstallation guide.
My suspicion was correct! If you're elevated, you can force uninstall it. An attacker would need to be elevated to attack the Master Boot Record in the first place, and then they can access the protected registry key to cause MBRFilter not to start-up on the next reboot. The MBRFilter service will still be present after the reboot but the MBR protection will be vanished after targeting the above mentioned key - don't mess it up though or you'll force yourself into a recursive BSOD at start-up related to required boot devices not being able to be found/used.
MBRFilter does mention that it is just really an experiment and should be assessed before being applied in... let's say a work environment for example. I wouldn't say it is hard to remove by default though, you can do it by default just fine if you're elevated. Considering an MBR attack would be elevated anyway.
MBR Filter is open-source and I had previously forgotten this so I took a peak at its driver source code. I should have done that at the start really to determine if there were any real mitigations regarding self-protection... Anyhow, it appears to work by controlling driver control code requests and when it gets a request for the Physical Drive (e.g. PhysicalDrive0) it will cause an alert to mention you have to be in Safe Mode to do this and block the request by returning STATUS_ACCESS_DENIED. These requests go through a mechanism known as IOCTL, where the first two characters "IO" stands for Input/Output and the CTL stands for Control. It is actually a mechanism commonly used for user-mode to kernel-mode communication (e.g. sending up a structure with data with a CTL_CODE and then the driver notices the CTL_CODE, checks the process responsible for the request via IoGetCurrentProcess() and then processes the data send up). Another technique which is not as good as the one applied by MBR Filter would be setting a hook on a function like NtWriteFile (or in kernel-mode -> FltWriteFile) to block the write requests where a handle to the physical drive is being used. The alert is caused by using a function called ExRaiseHardError in kernel-mode which can be used to cause a Message Box dialog appear (kernel-mode doesn't support GUI so instead of injecting into a user-mode process to make an alert show or having a UM component for communication to spawn an alert, it just uses that routine to get it done which is quick, easy and doesn't require UM components in-memory). However it could easily retrieve the process responsible via IoGetCurrentProcess() and then get the Process ID from the returned EPROCESS pointer structure of the process responsible and display these details along with the process name/file-path on the dialog so I am not sure why this wasn't done.
I think it would be more reliable to use a security product like Kaspersky which can protect the Master Boot Record simply because it has more thorough self-protection mechanisms. It also isn't open-source which for these sorts of things would make it more difficult to bypass in my opinion considering a malware author would have to reverse engineer to work out a work-around and that would be quite difficult when you take into account how much they'd have to go through with an AV product (because there is just so much going on constantly).
In my honest opinion it is great that people like the ones who developed MBR Filter are making things like this for the community for free. Not everyone wants to purchase a full AV suite for specific protection like MBR so this is a good alternate for those people. And also general researchers. The technique applied to protect the MBR is interesting and I like it.
