AnyDVD Trial Research

In this guide I am not going to show you how to reset the trial of AnyDVD but instead give you an insight on what techniques are being used to hide the trial information from the user.

The first file is stored simply inside a folder and protected by making it hidden and a system file. So in order to view it you have to enable “Show hidden files and folders” and uncheck “Hide system protected files”. Deleting this file though will not result in a trial reset…which would have been too easy.

A parent-child system was created so if this file was deleted (which is the child), the parent would recreate the file. In the last 2 versions the way the parent file was hidden has been changed:

In a more previous version AnyDVD used ADS (Alternating Data Streams), a very unknown feature of the NTFS system. Widely used by malware, ADS allows you to basically “link” a file to another file or directory. Only if you know the directory name e.g. “C:\Windows:625317261” (ADS uses a colon to create ADS names) you can find the file. Windows Explorer does not show these files. In the previous version a shadow copy of the original file (child) was hidden through ADS.

In a more recent version AnyDVD must have realized that ADS is detected by AVs and switched over to another method: Since AnyDVD has Kernel access through the installed drivers, my guess is that this file is now hidden through kernel hooks. This is a very common method used by rootkits to hide the presence of files. This problem can be circumvented by starting in safe mode because the driver is not loaded in safe mode thus the kernel hook is not installed and the file is viewable.

Leave a message

Your email address will not be published. Required fields are marked *