
Client protectors using drivers?


Fyyre


Having reconnected with an old friend, he caught me up on things that have changed over the years.

One such mention was "anti cheat / client protector" using kernel mode device drivers (one that requires the user to boot into test-signing mode, no less!)

My question is:  ...why?

Do you really need callbacks (unless you are a total moron and hooking ntoskrnl in 2017..) to stop a user mode process?  This is sad, and not only that -- you are placing the user at risk, as a driver has access to every part of the player's system.. (we are staying with ring3 & ring0 for this, not going into hypervisor).  Why should they trust your product, period.

While it is true that some things cannot be performed from user mode. For example, my "HideToolz", "Hidecon" and soon-to-be-released open source Windows 10 process hider all use a driver to remove the process from the EPROCESS list and handle table... yet, for example, with HideToolz you can detect it with a simple FindWindow call.

Thanks for entertaining my question,


yeah with smartguard saying they're converting over to driver and akumu's very public credibility problems it'll be interesting to see what happens going forward, all I know is I haven't run a smart client outside of an isolated system since his little transgressions came to light cuz I don't trust his usermode shit, so I'm sure as shit never gonna run his ring0 stuff on anything even on the same network as anything I value


2 hours ago, eressea said:

Running random shit in ring 0 is equal to playing Russian roulette.

The entire process of writing drivers is different from user land.

One need not look any further than GameGuard's ioctl-abusable dump_wmimmc driver for this  :D

1 hour ago, Anarchy said:

yeah with smartguard saying they're converting over to driver and akumu's very public credibility problems it'll be interesting to see what happens going forward, all I know is I haven't run a smart client outside of an isolated system since his little transgressions came to light cuz I don't trust his usermode shit, so I'm sure as shit never gonna run his ring0 stuff on anything even on the same network as anything I value

Anyone asking the user to run in test-signing mode has problems, period.  I understand a certain bot can bypass the driver protection anyway, which is beyond pathetic.  Kids should stick to their Delphi.


2 hours ago, Fyyre said:

Anyone asking the user to run in test-signing mode has problems, period.  I understand a certain bot can bypass the driver protection anyway, which is beyond pathetic.  Kids should stick to their Delphi.

I'm sure smartguard's driver will be run through the MS cert program and all that, but we all know adrenalin will still work there, not just because smartguard is working with the adrenalin developer but because adrenalin has already bypassed other drivers.

The issue is I don't think players really understand the risk posed by a driver from a guy like that. Yeah, there's risk period when running his soft, but at least with user mode shit you can do a pretty good job of monitoring wtf he's doing; in kernel it's gonna be a whoooole different story.


Players don't read such stuff and will be kept in the dark; they didn't get it anyway.

Server admins don't care about user protection; the fact that they are storing passwords in clear text says it all, and they didn't get it either.

Unless something better sheds light on this crap, with someone willing to play catch with the bot programs on a daily basis, there is no hope for such crap to be gone.


Well, no player is going to appreciate having to use a driver to connect to a server; also, most of them are going to have compatibility or installation issues arising from antiviruses or other software. So I believe ring 0, 1 or 2 are not good options.

Well, this changes if all server owners decide to use a common platform under an open source protocol that does this job for the L2 client, forcing the player pool to adapt or no-play.


2 hours ago, xxdem said:

Well, no player is going to appreciate having to use a driver to connect to a server; also, most of them are going to have compatibility or installation issues arising from antiviruses or other software. So I believe ring 0, 1 or 2 are not good options.

Well, this changes if all server owners decide to use a common platform under an open source protocol that does this job for the L2 client, forcing the player pool to adapt or no-play.

On Intel platforms, we only deal with ring 0 & 3 (unless we are to count the lower level rings, which include the hypervisor and SMM).

While I agree an open source platform is an ideal solution.. the ones creating cheats also benefit from this given the full transparency of open source.  I do not believe this will work.  Having returned to L2 after stopping in 2012 -- I am caught off guard by how little some who wish to run L2 actually know about the server side itself... which no doubt benefits those who sell crappy 'guards'.

With regard to that: even if the driver author shells out the 5k for a KMCS certificate -- this gives the driver no more validity than it being unsigned.  However this is doubtful, as most cheats are using pirated versions of protectors which light up most A/V like a Christmas tree.


13 hours ago, Fyyre said:

On Intel platforms, we only deal with ring 0 & 3 (unless we are to count the lower level rings, which include the hypervisor and SMM).

While I agree an open source platform is an ideal solution.. the ones creating cheats also benefit from this given the full transparency of open source.  I do not believe this will work.  Having returned to L2 after stopping in 2012 -- I am caught off guard by how little some who wish to run L2 actually know about the server side itself... which no doubt benefits those who sell crappy 'guards'.

With regard to that: even if the driver author shells out the 5k for a KMCS certificate -- this gives the driver no more validity than it being unsigned.  However this is doubtful, as most cheats are using pirated versions of protectors which light up most A/V like a Christmas tree.

Being open source doesn't necessarily mean insecure in theory; for example, the AES encryption algorithm being an open standard didn't make it less secure, due to the fact that the behavior of the algorithm is affected directly by the key.


8 minutes ago, xxdem said:

Being open source doesn't necessarily mean insecure in theory

Yes, being closed source is just security by obscurity, which is in fact no security at all.

Unfortunately you need to supply the player with something that is able to work with your server, so you have to give them everything they need to make a bot. Then security by obscurity is the only chance to make it a bit worse for bot developers, but unless you're a low target, they'll always be able to adapt quickly. It's really just playing catch, as Sdw wrote.


1 hour ago, eressea said:

Yes, being closed source is just security by obscurity, which is in fact no security at all.

Unfortunately you need to supply the player with something that is able to work with your server, so you have to give them everything they need to make a bot. Then security by obscurity is the only chance to make it a bit worse for bot developers, but unless you're a low target, they'll always be able to adapt quickly. It's really just playing catch, as Sdw wrote.

Yes, security via obscurity is no security at all (I work in Info Sec..). That being said -- what I wrote above is still valid.  If you would like to create an open source solution for an anti cheat and prove me wrong, by all means...


Signing the driver, PatchGuard, a possible BSOD fest on various Windows versions... I would want to see that happening just for entertainment :D

I did come across similar crap a few weeks ago in a cheat for the LoL MOBA: they used an exploitable signed driver to set like 19 SSDT hooks and "hide" their process. To put it short, maybe 50% of possible users made it work, and there were still trivial ways left for antibots to detect it running, so a banwave is just a matter of time.


4 hours ago, AlmostGood said:

Signing the driver, PatchGuard, a possible BSOD fest on various Windows versions... I would want to see that happening just for entertainment :D

I did come across similar crap a few weeks ago in a cheat for the LoL MOBA: they used an exploitable signed driver to set like 19 SSDT hooks and "hide" their process. To put it short, maybe 50% of possible users made it work, and there were still trivial ways left for antibots to detect it running, so a banwave is just a matter of time.

SSDT hooks? =) Wow, it has been a long time since I've seen that used.

Not required to hook the SSDT .. something like this works fine .. of course it requires disabling PatchGuard...

#include <ntddk.h>

/* Poster's pointer-arithmetic helper; its definition is not in the post and is assumed here as (base + n bytes). */
#define ADDBYTE(p, n) ((PVOID)((PUCHAR)(p) + (n)))

/* Head of the kernel's ActiveProcessLinks list. */
PLIST_ENTRY PsActiveProcessHead;

/* Run once at init (e.g. from DriverEntry): locate the list head relative to an exported symbol (poster's method). */
VOID
LocateProcessListHead( VOID )
{
    PsActiveProcessHead = (PLIST_ENTRY)ADDBYTE(PsSiloContextPagedType, 8);
}

/* Re-link a process into the active-process list. Needs a private EPROCESS layout; the public WDK treats EPROCESS as opaque. */
void
InsertProcessEntry(
    PEPROCESS pProcess
)
{
    InsertTailList( PsActiveProcessHead, &pProcess->ActiveProcessLinks );
}

/* Unlink a process from the active-process list; the EPROCESS object itself is untouched and keeps running. */
void
RemoveProcessEntry(
    PEPROCESS pProcess
)
{
    RemoveEntryList( &pProcess->ActiveProcessLinks );
}

for standard removal of a process from the EPROCESS list .. regardless, it can still be detected.  Not sure if walking CSR_PROCESS and CSR_THREAD (csrss.exe) still works .. but it is virtually impossible to safely remove a process from that list without making the system unstable =)

Edited by Fyyre
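As an added example (not the poster's code and not any guard's): the same list unlink, simulated in user-mode C on a constructed list, followed by the cross-view comparison that still catches it, which is the point made in the post above and in the first post about FindWindow. The window-owner pids are a constructed stand-in for what FindWindow plus GetWindowThreadProcessId would report on a live system.

```c
#include <stddef.h>

/* Stand-ins for the kernel list primitives the post uses. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;

/* Constructed stand-in for EPROCESS with only the two fields a list walk needs. */
typedef struct _FAKE_EPROCESS {
    unsigned long UniqueProcessId;
    LIST_ENTRY    ActiveProcessLinks;
} FAKE_EPROCESS;
#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

static void InitializeListHead(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

static void InsertTailList(LIST_ENTRY *head, LIST_ENTRY *entry) {
    entry->Flink = head; entry->Blink = head->Blink;
    head->Blink->Flink = entry; head->Blink = entry;
}

/* Same unlink the post's RemoveProcessEntry() performs: the neighbours are
   re-pointed around the entry; the process object itself keeps running. */
static void RemoveEntryList(LIST_ENTRY *entry) {
    entry->Blink->Flink = entry->Flink;
    entry->Flink->Blink = entry->Blink;
}

/* "List view": the pids a walk from the list head still reports. */
static size_t WalkActiveList(LIST_ENTRY *head, unsigned long *pids, size_t max) {
    size_t n = 0;
    for (LIST_ENTRY *e = head->Flink; e != head && n < max; e = e->Flink)
        pids[n++] = CONTAINING_RECORD(e, FAKE_EPROCESS, ActiveProcessLinks)->UniqueProcessId;
    return n;
}

/* Cross-view check: a pid known to an independent source (window owners,
   handle table, csrss) but absent from the list walk is a hidden process. */
static size_t FindHiddenPids(const unsigned long *walked, size_t nw,
                             const unsigned long *other, size_t no,
                             unsigned long *hidden, size_t max) {
    size_t nh = 0;
    for (size_t i = 0; i < no && nh < max; i++) {
        size_t j = 0;
        while (j < nw && walked[j] != other[i]) j++;
        if (j == nw) hidden[nh++] = other[i];
    }
    return nh;
}

/* Demo on constructed data: four processes, pid 1337 unlinked; the second view
   is a constructed set of window-owner pids. Returns the hidden pid, or 0 if
   the cross-view check finds anything other than exactly one. */
unsigned long DemoHiddenPid(void) {
    FAKE_EPROCESS procs[4] = { {.UniqueProcessId = 4}, {.UniqueProcessId = 620},
                               {.UniqueProcessId = 1337}, {.UniqueProcessId = 2048} };
    LIST_ENTRY head; InitializeListHead(&head);
    for (int i = 0; i < 4; i++) InsertTailList(&head, &procs[i].ActiveProcessLinks);
    RemoveEntryList(&procs[2].ActiveProcessLinks);
    unsigned long walked[8], owners[] = { 620, 1337, 2048 }, hidden[8];
    size_t nw = WalkActiveList(&head, walked, 8);
    return FindHiddenPids(walked, nw, owners, 3, hidden, 8) == 1 ? hidden[0] : 0;
}
```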

Hi Fyyre, good to know you're back in L2 (or just visiting), this community needs people like you!

I'm not a programmer on such a level, but I'm very into the politics behind it.

Let's say, AA (the only driver based protection atm) is a company in Belarus, a real company with all the docs and stuff; they're basically a group of programmers that made a driver protection for AION. About 1.5 years ago they decided to move to L2; basically their "driver" solution sounded like a real hit at the time, but they knew nothing about L2, therefore their clientele remains very limited. I won't tell why, because I don't wanna give tips to competitors =)

Now, as I read above, players and the majority of admins don't read anything about security; they don't know how this stuff works, and to be honest I didn't know much about the protection world before we started our protection campaign, because smart was very expensive and asked about 900$ to upgrade 1 client to a new chronicle and extorted 500-600$ per license for our classic clients. So when somebody hears about "driver based protection" it seems that they lose their mind and think that no bot will work there. Now that's a good move for smart guard, who's constantly trying to make people forget about what they've learnt at the beginning of this year. For example, let's say this:

Akumu a few weeks ago (Google translation): We update the protection weekly, most often before the weekend, and as practice shows, the Adrenaline bot on average takes a long time to bypass the new restrictive measures.
If you say that we are not taking any action - you are either mistaken or misleading others. On our website there are complete statistics on bot detection; there are clearly visible waves of detects and bans.

Yet we all know it's bullshit; he keeps doing "business as usual" with the same business template as before. Why's that? Because instead of fighting adrenalin, he became his best friend, which leads to 2 years of doing 0 with the exception of 1 new bot over a few years, making him and adrenalin the only solution on the market. So let's say he will do a good job with his new driver module; would something change for adrenalin? Ofc not, that's total bullshit, he has 0 experience and he will never cross his friend, cause he'll be out of the market faster than a bullet. It will just give more credibility and they will try to restore the "old world order" in which both smart and pcoder are the only solution to everything, which can lead to incredible incomes.

Now he knows that continuing marketing within the +- same protection circle won't bring him back the same gross income as before, cause we have strix, sguard, aa and even ex-guard has its clientele, something that wasn't here just a year ago. So in that regard his cake has been cut at least 50%, and he's very stubborn; he will jump to driver, burning down all his work since 2012-13. Why? It's simple: people think a driver is their best solution against adrenalin and other less popular bots and he wants "his" money back with a "brand new solution". Does he have a vision? I doubt it; there's a reason why AA is driver from day 0 and everybody else is not and makes no such plans. It's all a marketing trick.

Now, driver based solutions distributed widely have to be properly attended to; when you rely on a 1 person company to maintain thousands of people, you may be at risk, probably you will be at risk, because he has no liability for the damage he may do to you. Now this part is true about any kind of service provider, yet there's a definitive reason why we prefer NOT to go to driver; one of the main reasons is that we lack personnel and won't be able to maintain it as it should be maintained. But hey, when you lose money, you can lose your head to restore it all.

So at the end, your question "why" is answered with the same old answer - money.


On 9/17/2017 at 7:17 PM, l2-scripts said:

Hi Fyyre, good to know you're back in L2 (or just visiting), this community needs people like you!

I'm not a programmer on such a level, but I'm very into the politics behind it.

Let's say, AA (the only driver based protection atm) is a company in Belarus, a real company with all the docs and stuff; they're basically a group of programmers that made a driver protection for AION. About 1.5 years ago they decided to move to L2; basically their "driver" solution sounded like a real hit at the time, but they knew nothing about L2, therefore their clientele remains very limited. I won't tell why, because I don't wanna give tips to competitors =)

Now, as I read above, players and the majority of admins don't read anything about security; they don't know how this stuff works, and to be honest I didn't know much about the protection world before we started our protection campaign, because smart was very expensive and asked about 900$ to upgrade 1 client to a new chronicle and extorted 500-600$ per license for our classic clients. So when somebody hears about "driver based protection" it seems that they lose their mind and think that no bot will work there. Now that's a good move for smart guard, who's constantly trying to make people forget about what they've learnt at the beginning of this year. For example, let's say this:

Akumu a few weeks ago (Google translation): We update the protection weekly, most often before the weekend, and as practice shows, the Adrenaline bot on average takes a long time to bypass the new restrictive measures.
If you say that we are not taking any action - you are either mistaken or misleading others. On our website there are complete statistics on bot detection; there are clearly visible waves of detects and bans.

Yet we all know it's bullshit; he keeps doing "business as usual" with the same business template as before. Why's that? Because instead of fighting adrenalin, he became his best friend, which leads to 2 years of doing 0 with the exception of 1 new bot over a few years, making him and adrenalin the only solution on the market. So let's say he will do a good job with his new driver module; would something change for adrenalin? Ofc not, that's total bullshit, he has 0 experience and he will never cross his friend, cause he'll be out of the market faster than a bullet. It will just give more credibility and they will try to restore the "old world order" in which both smart and pcoder are the only solution to everything, which can lead to incredible incomes.

Now he knows that continuing marketing within the +- same protection circle won't bring him back the same gross income as before, cause we have strix, sguard, aa and even ex-guard has its clientele, something that wasn't here just a year ago. So in that regard his cake has been cut at least 50%, and he's very stubborn; he will jump to driver, burning down all his work since 2012-13. Why? It's simple: people think a driver is their best solution against adrenalin and other less popular bots and he wants "his" money back with a "brand new solution". Does he have a vision? I doubt it; there's a reason why AA is driver from day 0 and everybody else is not and makes no such plans. It's all a marketing trick.

Now, driver based solutions distributed widely have to be properly attended to; when you rely on a 1 person company to maintain thousands of people, you may be at risk, probably you will be at risk, because he has no liability for the damage he may do to you. Now this part is true about any kind of service provider, yet there's a definitive reason why we prefer NOT to go to driver; one of the main reasons is that we lack personnel and won't be able to maintain it as it should be maintained. But hey, when you lose money, you can lose your head to restore it all.

So at the end, your question "why" is answered with the same old answer - money.

Hi l2-scripts!

Thank you for the kind words, I plan to stay.  I found the website of this 'company' and noticed they claim support for a number of games .. WoW, L2, Aion and Perfect World (seeing PW on the list is very amusing ... for reasons I cannot detail).. anyways:

Money, yes - I agree with you .. it is always the reason -- always.  Ignorant server owners in awe of a bot maker with 10k+/month income who makes non-stop updates, or a corrupt creator of an anti cheat pulling out a driver because it is 'unknown' and sounds impressive.  Defense is always behind offense .. yet no one understands, and everyone wants a solution now, now, now .. again, not reality.

All of this makes me think of new things to do with free time -- I have a special hatred of ring0 solutions for ring3 problems; perhaps some problems to give the driver author.

-Fyyre

 

Edited by Fyyre