Invoking a usermode function from the Kernel.

Hello,

So this is a kinda sketchy question, so before “will we regret answering you”: I was hired to develop a fairly high-end Anti-Cheat (consider it a targeted AV) for competitive videogames.
While most of the stuff is driver based and can be built around reading and writing process memory, some stuff requires invocation of user-mode functions, and some stuff would generally just be a lot easier to do at user-mode level, inside the process.

However, we’re not the company that develops the games; the anti-cheat needs to be able to act without any modification to the game we scan.

So in user mode this would be achieved by simply injecting a DLL using CreateRemoteThread and LoadLibrary. (For the sake of anti-transparency I actually manually mapped the DLL from within the driver instead.)

However, I’m currently looking for a way to invoke the entry point (or an export) of the injected DLL.

I wasn’t really expecting this to be a problem, since at user level you can simply call CreateRemoteThread; however at driver level there doesn’t seem to be any “public” equivalent.

So before I go down the path of something hacky like invoking ZwCreateThread, or abusing a virtual table hook in the target process:

Does anyone have a suggestion for a more reasonable method of invoking a user-mode function?

Thanks.

If you want a kernel thread running in the context of a user process you could attach the thread to that process. The thread will then have access to the address space of the process.

To my understanding, creating a kernel thread does not give me the ability to call user-level system functions, even if I am in the context of its process.

So why doesn’t your driver-level code simply communicate with a user-mode privileged application (a “service”) that does whatever you need to do in user mode?

Mark Roddy

On Thu, Nov 27, 2014 at 7:37 PM, wrote:

> —
> NTDEV is sponsored by OSR
>
> Visit the list at: http://www.osronline.com/showlists.cfm?list=ntdev
>
> OSR is HIRING!! See http://www.osr.com/careers
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

That is one of the options I am considering; the thing is that the user-mode functionality needs to be executed in the context of the process.

I could use a user-mode process simply to call CreateRemoteThread for me, but I kinda want to avoid that, because if I do, I need to defend the user-mode process from people messing with it.

The system thread running in the process context will allow you to inspect the process memory at any time, and the privileged service will let you call the user-mode functions. Which user-mode API do you need to call in the target process?

The main hurdle is that there are a handful of hooks placed on the WinAPI but also internally in the target process, which I can’t really do without making the page writable using VirtualProtect.
Pretty much the same for VirtualQuery, which also seems to have no driver equivalent.

There are also some procedures that are written against Direct3D.

There is quite a bit of other stuff, but most of that is replicable at driver level.

CreateRemoteThread is a debugging API. It is not a good idea to use it for “injecting” a binary into the address space of a process.

Because the target is probably a GUI application, you should consider using SetWindowsHookEx. Note that the hooking DLL may not be the DLL involved in the protection mechanism but a helper DLL whose HOOKPROC procedure would load the actual protection DLL if the current process is the target process.

Remember that you should never call LoadLibrary from DllMain because a user mode lock is held when DllMain is invoked by the loader.

Call UnhookWindowsHookEx as soon as possible (when the target process is located and the protection DLL is loaded) because hooking hurts system performance quite badly.

I understand that what I am trying to do is not what it’s meant for; I am completely OK with that. There are various reasons/functionality, beyond the stuff surrounding this problem, why the AntiCheat needs to operate at driver level.

It is a complex application, and there are large amounts of functionality beyond the stuff that I explained.

The technical complexity, and the sophistication of the cheats, is far beyond the level of something I can protect an application against by the use of a Service and ReadProcessMemory; we passed that point a very long time ago.

So once more,

I am looking for a way to invoke user-level code inside a user-level process from a driver, either by creating a thread, hijacking a thread or something better.

Any way to mimic VirtualProtect inside the target process would be fine too.

Lose the attitude.

What you’re trying to do is architecturally aberrant. You may have “good reasons” for wanting to do it, but that doesn’t make it any less gross.

A bad hack is just that… A bad hack. The reason for the hack can’t make it a good hack.

If you want to do stuff that’s edgy, you have to work very hard, and hire very very good, very experienced, people, to see if you can possibly design something that works within the limits of the architecture. But you DO have to respect the architecture. Otherwise, whatever system running this code will eventually be screwed.

Peter
OSR
@OSRDrivers

I am sorry, I didn’t mean to come across as “having an attitude”.

I understand that what I am trying to do is a hack, but it’s a piece of functionality that I can’t replicate in a different way. (And sorry, but ReadProcessMemory from user level isn’t equivalent.)

The hack that I described in my original post isn’t unstable or unmaintainable; it works across a range of Windows versions and is likely to still do so in the future. It’s an abuse of the system and the kernel environment, which I don’t really care about (sorry?) … and I am not sure why I should.

While this is an unorthodox use for a driver, this isn’t the first Anti-Cheat that went down this route, and many Cheats go down the same route.

Eventually, all the logic of the multiplayer games will be moved to the servers, leaving the client only for rendering. Clipping will be done on the server, too, so you won’t see through the walls.

Koen, have you thought of using the Windows Diagnostic Framework? It may be helpful.

On Sat, Nov 29, 2014 at 10:56 AM, wrote:


Hmmmm… The fact that it’s been done before doesn’t make it wise. Or stable.

The last time we (OSR) were approached to develop a powerful anti-cheat system for videogames, we declined to help due to the level of hideousness required. We just couldn’t stomach it. This was several years back. We flat-out told the company to find somebody else to do their hackery. Perhaps the requirements with which you are dealing are different.

OK, so… no bullshit: I am not aware of any architecturally appropriate way to do what you’re asking, short of NtCreateThread and friends. Then again, there should be no reason why that family of functions wouldn’t work for your purposes.

Be aware that these APIs are undocumented for a number of reasons, not the least of which are that they can have side effects you might not anticipate and the parameters can (and DO) change among OS versions (or even service packs). You can never be sure of the stability of these interfaces because their parameters or behaviors could change in a FUTURE service pack or hot fix. And that’s not just random scare tactics. (For one example: I just had a discussion with another dev here at OSR about an “internal use only” API that was exposed in a public header file but never documented… the NUMBER OF PARAMETERS the function took changed between OS versions. Seriously.).

OK, so enough lecturing from me. Understand I’m not just writing for you, Mr. Spanjer… I’m writing for others who read this (including the archives).

Short of doing what you want to do via a service in user-mode, which I would still encourage, these *are* the most architecturally appropriate functions for doing what you want.

I have no idea if any of the above will be useful to you,

Peter
OSR
@OSRDrivers

In the end, an anti-cheat is only a good attempt at something impossible.

To guard your game at runtime, you can control access to the game process by using ObRegisterCallbacks. You can control the desired access by flipping the access rights. This is one of the many options for process security.

On Sun, Nov 30, 2014 at 8:18 AM, wrote:

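The ObRegisterCallbacks approach described in the post above, as an added example that is not code from this thread or from any of its participants: a pre-operation callback that strips the rights a tampering process would need (thread creation, memory read/write, handle duplication, suspend) from any handle another process opens to the protected game process. It assumes a project-defined macro WDK_BUILD that gates the kernel-only part, a g_protected PEPROCESS that the driver fills in elsewhere, and treats only the protected process itself as trusted.

```c
/* Added example (not from this thread): access filtering for a protected
 * process in an ObRegisterCallbacks pre-operation callback. The policy is
 * plain C so it can be unit-tested in user mode; the kernel glue is
 * compiled only when WDK_BUILD (an assumed project macro) is defined. */
/* Process access rights, values as documented in winnt.h. */
#define PROCESS_CREATE_THREAD   0x0002UL
#define PROCESS_VM_OPERATION    0x0008UL
#define PROCESS_VM_READ         0x0010UL
#define PROCESS_VM_WRITE        0x0020UL
#define PROCESS_DUP_HANDLE      0x0040UL
#define PROCESS_SUSPEND_RESUME  0x0800UL

/* Rights that let another process read, write or hijack the protected one. */
#define TAMPER_RIGHTS (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | \
                       PROCESS_VM_READ | PROCESS_VM_WRITE |             \
                       PROCESS_DUP_HANDLE | PROCESS_SUSPEND_RESUME)

/* Policy: an untrusted opener keeps only the rights outside TAMPER_RIGHTS
 * (query, synchronize, terminate, ...); a trusted opener keeps everything.
 * Returns the access mask the handle should actually be granted. */
unsigned long filter_process_access(unsigned long desired, int caller_is_trusted)
{
    if (caller_is_trusted)
        return desired;
    return desired & ~TAMPER_RIGHTS;
}

#ifdef WDK_BUILD
#include <ntddk.h>
static PEPROCESS g_protected;  /* PEPROCESS of the game, set elsewhere (assumed) */

/* Pre-operation callback: runs in the opener's context before the handle
 * exists, so DesiredAccess can still be edited in place. */
static OB_PREOP_CALLBACK_STATUS
PreOpenProcess(PVOID Context, POB_PRE_OPERATION_INFORMATION Info)
{
    ACCESS_MASK *mask;
    int trusted;
    UNREFERENCED_PARAMETER(Context);
    if (Info->ObjectType != *PsProcessType || Info->Object != g_protected)
        return OB_PREOP_SUCCESS;        /* not our process: leave untouched */
    trusted = (PsGetCurrentProcess() == g_protected);
    mask = (Info->Operation == OB_OPERATION_HANDLE_CREATE)
        ? &Info->Parameters->CreateHandleInformation.DesiredAccess
        : &Info->Parameters->DuplicateHandleInformation.DesiredAccess;
    *mask = filter_process_access(*mask, trusted);
    return OB_PREOP_SUCCESS;
}
#endif
```

Registration of PreOpenProcess with ObRegisterCallbacks (and the driver's altitude string) is left out; the policy function compiles and tests on its own in user mode.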

This will overload the Internet connection immediately.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

wrote in message news:xxxxx@ntdev…

> The technical complexity, and the sophistication of the cheats, is far beyond the level of something i

Even with the driver it does not work.

People can invent a way to remove your driver from the system and run the app (probably patched) without it.

This is like a DRM thing. For DRM to really work, you need a) UEFI Secure Boot AND b) KMCS.

KMCS alone is known to be bypassable by hacks.

Also, the “jail” of mobile devices (whose primary intent, according to Apple sources, including some articles by Steve Jobs himself, is to prevent the making of unauthorized analogs of the iTunes Store and App Store, with pirated stuff in them) is a similar thing. People keep finding new ways of jailbreaking them.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

> The technical complexity, and the sophistication of the cheats

Also: I can understand that the driver solution is at least some approach to DRM/cheat protection/jail, which looks rather hard (but not 100% unbreakable) to circumvent.

But it only looks hard. Yes, the initial effort of breaking it is high, but if the “attack is scriptable”, as security guys say, then the broken EXE will be placed on BitTorrent, and the end user’s cost of circumventing the protection will be next to zero.

At least the DRM must protect against such scriptable attacks.

Also: in the US (and probably only in the US), making DRM “cracks” is a criminal offence. Not so in many other countries. Also, even in the US, jailbreaking of an iPhone is NOT legally equal to DRM cracking and is not a crime (you can find references to appropriate judiciary decisions by googling).

I expect the same is true of the cheats.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

You can’t.

The main vulnerability of this stuff is not in “how to make a driver”. It is in “how to prevent running the game with the driver turned off”.
“rohan kumbhar” wrote in message news:xxxxx@ntdev…