MASARYK UNIVERSITY
FACULTY OF INFORMATICS

Analysis and detection of online game cheating software

BACHELOR THESIS

Tomáš Čurda

Brno, 2014
Declaration

Hereby I declare that this paper is my original authorial work, which I have worked out on my own. All sources, references and literature used or excerpted during the elaboration of this work are properly cited and listed in complete reference to the due source.

Advisor: RNDr. Petr Švenda, Ph.D.
Acknowledgement

I would like to thank my thesis advisor RNDr. Petr Švenda, Ph.D. for his support and help.
Abstract

The main goal of this thesis is to describe the behavior of typical cheating software used in competitive online computer games. The first part describes how cheat software is implemented in the Windows operating system environment and introduces the tools used for developing cheats. The second part describes the most common techniques used by cheat software: how it gains access to the game's process and memory, and the methods it uses to modify the game's behavior. The last part introduces the most common anti-cheat services. One of them is analyzed by reverse engineering in order to find out how effective current anti-cheat technologies are and what can be done to improve them.
Keywords

online games, cheat, anti-cheat, code injection, function hooking
Contents

1 Introduction
2 Cheat software
  2.1 Cheat software in Windows operating system
    2.1.1 External vs Internal cheats
    2.1.2 User mode vs Kernel mode
  2.2 Cheats and Exploits
  2.3 Tools
    2.3.1 Cheat Engine
    2.3.2 IDA
    2.3.3 ReClass
  2.4 Availability of cheats
  2.5 Legal aspect
3 Most common techniques used by cheats
  3.1 Code injection into a remote process
    3.1.1 DLL injection via CreateRemoteThread
    3.1.2 Injection of arbitrary code
    3.1.3 Injection via thread hijacking
  3.2 Function hooking
    3.2.1 Inline hooking
    3.2.2 Virtual method hooking
  3.3 Game engine exploiting
    3.3.1 Source Engine
4 Anti-Cheating software
  Comparison of anti-cheats
  Analysis of Valve Anti-Cheat
  Client-Side implementation
  Process monitoring
  Code blacklisting
  Integrity checking
  Environmental checking
  Kernel mode cheats detection
  Suggested improvements
5 Conclusion
Chapter 1

Introduction

The video game industry has grown significantly over the last decade. More and more games now provide an online mode for playing against other players. This creates great opportunities for competitive games, which have gained huge popularity in the last few years. Competitive gaming is now recognized as a professional sport in the U.S. [1]. With the growing number of players playing competitively, the money involved in tournaments and prize pools increasing every year, these games are now an attractive target for players who try to exploit them with cheats. The motivation behind the creation and usage of cheats is profit. Cheat developers either develop cheats for their own needs or provide cheating services to any player who can pay for access, without that player needing any knowledge of cheat development. Several specialized websites are dedicated to providing their own cheat software. The price of such software varies depending on the features provided and on the cheat's protection against anti-cheat detection. Some cheats are designed to be used in tournaments and leagues, and there are known cases of professional players using cheats [2].

Cheating is often not taken seriously by game developers, although it has a huge negative impact on a game. Most games rely blindly on third-party anti-cheat solutions, which is often not enough to stop cheats that are getting more sophisticated. Much like anti-virus products, anti-cheat detections are constantly bypassed, and new detection methods must be developed in order to detect the latest cheats.

This thesis describes the basics of the online game cheating problem and explains the current situation in the arms race between cheat and anti-cheat creators. Simple game cheat source code is included as an example of the techniques described in this thesis. The most common gaming environment is assumed, i.e. an Intel x86 game application running on Windows.
Chapter 2

Cheat software

A cheat is anything that can be used by a player to gain an unfair gameplay advantage. Cheats are sometimes included by game developers in single-player games but are strictly forbidden in multiplayer games. The cheat software described in this thesis is software which modifies the game environment in a way not intended by the game developers in order to give a player an unfair gameplay advantage over other players. This unfair advantage can be provided by:

- displaying critical gameplay information which would normally be hidden from the player
- modifying game behavior to allow the player to perform actions which would not normally be available
- automating client actions, simulating mouse movements and keyboard presses

Cheat software uses methods similar to those used by typical malware to achieve this. These include, but are not limited to:

- code injection into a remote process
- manipulation of a remote process's code and data
- installation of services and drivers into the operating system
- changes to the operating system configuration to hide the cheat's existence

The main difference is that cheats are executed with the full knowledge of the user, with the purpose of cheating in a computer game.
2.1 Cheat software in Windows operating system

Just like malware, cheat software has to work around the security protections of the operating system. The Windows operating system uses various techniques to ensure system stability. One of them is the concept of process isolation: every process is assigned a private range of virtual memory which can only be accessed by the owning process. This range is called the virtual address space [3]. Memory regions inside the process address space are additionally protected by memory protection constants, which limit what operations can be performed on a region. For example, writing into a memory region marked as read-only, or executing a memory region not marked as executable, will fail. If a process, for instance a debugger, needs to access the address space of another process, it has to do so explicitly via the Windows API functions provided for that purpose. The same functions are used by cheats to access the game process's address space.

2.1.1 External vs Internal cheats

The typical and most straightforward way to inject cheat code into another process is to create a dynamic-link library (DLL) and force the game process to load it. In this case the cheat code runs inside the game's process and has access to its whole address space, just like the original game code: it can directly read all data structures, modify them and directly call game functions. Such a cheat is called an internal cheat. Another process, an injector, is used to inject the cheat code into the game process; the injector usually terminates itself once the injection is complete. There are several methods of code injection, and the most common ones are described in chapter 3 of this thesis.

The other case is external cheats. Here the cheat is compiled as an executable and runs as a separate process with its own address space. Once the process terminates, the cheat stops operating. All memory operations between the cheat process and the game are executed remotely, using Windows API functions.

In both cases a new process is created to execute cheat code. In the case of an internal cheat the process can exit immediately after the code injection, while an external cheat keeps its process running the whole time. The difference between the external and the internal approach is whether the cheat code runs inside the game's address space or not.

2.1.2 User mode vs Kernel mode

In the Windows operating system there is a major difference between code running in user mode and code running in kernel mode [4]. Cheat developers take advantage of kernel mode since it brings advantages over user-mode solutions:

- cheat code and data are not accessible to programs running in user mode
- the cheat has full access to the whole computer memory
- the cheat can change the behavior of Windows API functions, preventing attempts to detect the cheat from user mode

The price is that the cheat has to be loaded as a kernel driver; on 64-bit Windows this requires either a driver signed with a code-signing certificate or disabling driver signature enforcement, which is itself a visible change to the system configuration.

2.2 Cheats and Exploits

A game exploit is a glitch or a bug in the game code which can be used by players to gain an unfair competitive advantage. While typical exploits can be abused through normal game actions, there are many exploits which can only be triggered via direct memory modification or by calling a game function with unexpected parameters.

2.3 Tools

Since the majority of games do not have their source code available, a cheat developer needs reverse engineering tools to understand the game internals and to identify the location and structure of gameplay-critical data. The most commonly used tools are Cheat Engine, IDA Pro and ReClass.
2.3.1 Cheat Engine

Cheat Engine is an open-source tool designed for modifying the behavior of computer games. It can be used to modify specific game variables and structures inside the game's memory, such as player health, speed or amount of gold, in order to make the game easier or harder. Although the author states on the website that it was originally designed for single-player games, it also works in online games, where it is often used to change the behavior of the client's part of the game. For example, in the game Team Fortress 2 a one-byte memory patch enables a developer mode in which the player can see other players through walls (Figure 2.1).

Figure 2.1: Example usage of memory patching.

The main functional parts of this program are the memory scanner, the memory viewer and the debugger. The memory scanner has various filters which allow a user to find the addresses of specific game variables and structures (Figure 2.2). The memory viewer (Figure 2.3) allows a user to display and modify the whole game memory, even read-only memory, so the user is able to patch functions to behave differently. The debugger can set breakpoints on functions, detect changes of specific game variables and list all functions which access them.
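How such a scan narrows a variable down to one address, shown as an added C++ example that is neither the thesis's code nor Cheat Engine's. A constructed byte buffer stands in for a region read out of the game with ReadProcessMemory; the first scan collects every aligned 4-byte slot holding the known value, and a "decreased value" re-scan taken after the player has lost health keeps only the slot that behaved like health, even though two other variables started at the same value. Region, ScanExact, RescanExact, RescanDecreased, the base address and the offsets are assumed names and constructed data.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed stand-in for one readable region of the game's address space.
// A real scanner fills such buffers with ReadProcessMemory, one region at a time
// (VirtualQueryEx tells it which regions are committed and readable).
struct Region {
    uint32_t base;                 // address of bytes[0] inside the target process
    std::vector<uint8_t> bytes;    // copy of the target's memory

    uint32_t Read32(size_t off) const {
        uint32_t v;
        std::memcpy(&v, &bytes[off], sizeof v);
        return v;
    }
    void Write32(size_t off, uint32_t v) { std::memcpy(&bytes[off], &v, sizeof v); }
};

// First scan ("exact value"): every aligned 4-byte slot holding 'value' is a candidate.
// Cheat Engine's default "fast scan" likewise only looks at aligned slots.
std::vector<uint32_t> ScanExact(const Region& mem, uint32_t value) {
    std::vector<uint32_t> hits;
    for (size_t off = 0; off + 4 <= mem.bytes.size(); off += 4)
        if (mem.Read32(off) == value) hits.push_back(mem.base + static_cast<uint32_t>(off));
    return hits;
}

// Next scan ("exact value"): keep only candidates that now hold 'value'.
std::vector<uint32_t> RescanExact(const Region& mem, const std::vector<uint32_t>& candidates, uint32_t value) {
    std::vector<uint32_t> kept;
    for (uint32_t addr : candidates)
        if (mem.Read32(addr - mem.base) == value) kept.push_back(addr);
    return kept;
}

// Next scan ("decreased value"): keep candidates whose value dropped between two snapshots.
// This is the filter to use when the exact number is unknown, e.g. a health bar without digits.
std::vector<uint32_t> RescanDecreased(const Region& before, const Region& after, const std::vector<uint32_t>& candidates) {
    std::vector<uint32_t> kept;
    for (uint32_t addr : candidates)
        if (after.Read32(addr - after.base) < before.Read32(addr - before.base)) kept.push_back(addr);
    return kept;
}

// Demo on constructed data: health, ammo and a frame counter all start at 100. After the
// player takes damage only health decreased, so the re-scan isolates its address.
uint32_t RunDemo() {
    Region snap1{0x00400000, std::vector<uint8_t>(256, 0)};
    snap1.Write32(0x40, 100);   // health (assumed offset)
    snap1.Write32(0x80, 100);   // ammo
    snap1.Write32(0xC0, 100);   // frame counter
    std::vector<uint32_t> candidates = ScanExact(snap1, 100);   // three hits

    Region snap2 = snap1;
    snap2.Write32(0x40, 90);    // damage taken
    snap2.Write32(0xC0, 160);   // counter kept running
    candidates = RescanDecreased(snap1, snap2, candidates);     // health only
    candidates = RescanExact(snap2, candidates, 90);            // confirms the same slot
    return candidates.size() == 1 ? candidates[0] : 0;          // 0x00400040
}
```

The two-snapshot filter is what makes the scanner usable on real games: a first scan for a common value like 100 returns thousands of hits, and it is the way the value changes between scans, not its magnitude, that identifies the variable.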
Figure 2.2: Cheat Engine main window.

Cheat Engine also works as a DLL injector. The user can select any DLL file on the computer and Cheat Engine will force a game to load it. Cheat Engine comes with several pre-made DLLs which provide more features, for example a DLL which enables cheats such as speedhack (letting the player move faster in-game), or a DLL which prevents Cheat Engine from being detected by a game.

2.3.2 IDA

IDA is a popular disassembler and debugger. It is used for both static and dynamic analysis of binaries whose source code is not available. IDA is commercial; it offers a demo version, and an older version is available for free.

Figure 2.3: Memory viewer in Cheat Engine.

The disassembler portion of IDA creates a graphical representation of functions in assembly language from the instructions stored inside a binary file. The user is able to rename generated variable and function names to make the assembly more readable. From the disassembled code it is even able to generate decompiled C-like source code, which may look similar to the original source. As a debugger, IDA can be attached to a running process, and the user is then able to set breakpoints directly in the previously analyzed assembly code. IDA makes reverse engineering much easier and is a standard tool for malware analysis. For the same reasons, cheat developers use IDA to reverse engineer games and anti-cheat services.
2.3.3 ReClass

ReClass is an open-source tool for reverse engineering unknown data structures and classes inside game memory. Once the user attaches the program to a game process and enters the address of a data structure, he can start describing the structure's members (Figure 2.4).

Figure 2.4: Data representing a game structure.

The program allows the user to extend the size of an unknown data structure, add new members and change the type of structure members until the structure represents reasonable data. The described data structure can also be exported as a C-like structure.

2.4 Availability of cheats

Cheats come from different sources. Depending on the way users obtain a cheat, three categories exist:

1. Public cheats. Available on public websites and forums as compiled binaries, ready-to-compile projects or code examples.

   (2000) - a forum and community focused on cheating in multiplayer games; the whole content of the website is created by its users, who post their cheats (a database of more than 9800 cheats and tools), tutorials and source code, and share their research on newly released games and anti-cheats; the site is funded by donations.

   (2001) - provides free and paid cheats based on game memory patching; despite the claim that they only provide cheats for single-player games, some of their cheats do work in multiplayer mode.

   (2002) - a forum focused on cheating in multiplayer games with over 2.9 million registered members who share their cheats and tutorials; the site is funded by advertisements.

2. Private cheats (commercial). Companies providing ready-to-use cheat packages; users are required to purchase the cheat or pay a monthly subscription to gain access. Commercial cheats typically come with some kind of piracy protection (i.e. DRM) and are constantly updated by their authors to keep them undetected.

   (2005) - a hacking forum with over 2 million registered members and 43 million threads. Besides computer hacking, the forum also covers programming, gaming and graphic design. It also works as a black market where people can buy various hacking programs, including cheat software for popular online games.

3. Private cheats (personal). Developed and used by a single individual.

2.5 Legal aspect

It is common practice to legally protect a game from cheat providers (and by extension from players using their cheats) by explicitly forbidding such actions in the end-user license agreement (EULA). This gives the game publisher legal grounds to punish a player by denying him access to the multiplayer part of the game (a ban). Legal battles between game owners and cheat providers are not very common. The most common legal method of fighting cheats is the Digital Millennium Copyright Act (DMCA) takedown. This indirect approach is used in the USA to take down sites and services distributing game cheats and exploits on the grounds of copyright law. Blizzard Entertainment, Inc. (Blizzard) is known to actively use the law to force cheat sites and services to shut down. In 2008 they won a two-year-long legal battle against MDY Industries, LLC (MDY), which used to sell cheats for Blizzard's popular game World of Warcraft (WoW). The court concluded that by providing the cheat, MDY was liable for tortious interference, as MDY knowingly aided WoW players in violating Blizzard's EULA; MDY assisted players in gaining an unfair advantage over other WoW players and also helped players avoid detection by Blizzard [6]. Another case, from 2013, against Ceiling Fan Software LLC (CF) was also successful for Blizzard; just like in the previous case, CF was found liable for tortious interference [5]. The main problem with fighting cheats through lawsuits is that cheat providers host their services in various countries with different laws. Another problem is that once a cheat provider is forced to close its service, it is often promptly replaced by a new one, which makes legal battles ineffective as a long-term strategy.
Chapter 3

Most common techniques used by cheats

There are several Windows API functions which can be used to manipulate other processes. Before they can be used on a certain process, a process handle must be obtained with the OpenProcess function. OpenProcess requires the PID of the process and the requested access rights. The access rights should reflect what we plan to do with the remote process; a cheat typically needs to read process memory, write into it and create remote threads. There are several cases when Windows will refuse to create a handle: for example, a process running as an unprivileged user (or under a filtered administrator token when User Account Control (UAC) is enabled) cannot open a handle to a process running as SYSTEM or as another user. Reading from and writing into a remote process is done via ReadProcessMemory and WriteProcessMemory. Both functions require a process handle, an address in the remote process's address space and a local buffer which holds the input or output data. Just by using those three Windows API functions it is possible to write a program which reads and writes remote data based on a local algorithm. To modify static data and code, the memory protection must first be changed. This is done by calling VirtualProtect for the local process address space and VirtualProtectEx for a remote process address space.

3.1 Code injection into a remote process

The first step before injecting code into a remote process is generating the code which will be injected. The easiest way is to write a DLL and then force the remote process to load it. Another approach is writing the code in assembly language, assembling it into raw machine code and writing this raw code into the remote process's address space. Assembly code can be assembled for example with Flat Assembler (fasm), an open-source x86 assembler.

3.1.1 DLL injection via CreateRemoteThread

When a process needs to load a certain DLL file it uses the LoadLibrary function. LoadLibrary maps a DLL into the address space of the calling process and returns a handle to the loaded DLL, which can then be used for example to call its exported functions. To execute LoadLibrary inside a different process, the CreateRemoteThread Windows API function can be used. This technique of DLL injection is the most straightforward way for one process to force another process to load a foreign DLL. The function has 7 parameters but only 3 of them matter for this method:

1. the process handle obtained from OpenProcess
2. the address, in the remote process's address space, of the function which will be executed as the thread's start routine
3. a pointer which is passed to that function as its single argument, zero if no argument should be passed

The thread start routine receives exactly one pointer-sized argument. This means that it is only possible to remotely execute functions with one or zero parameters. LoadLibrary has exactly one parameter, the filesystem path to a DLL file. To perform this method the injection code must:

1. Open a handle to the remote process.
2. Write the path of the DLL file which should be injected into the address space of the remote process.
3. Create a new thread by calling CreateRemoteThread, where the parameters are the handle to the remote process, the address of LoadLibrary and the address of the DLL path string.

    HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, processId);

The path to the DLL file can be written anywhere inside the remote process's address space as long as the memory region is marked as writable. Alternatively it is possible to allocate a writable memory region inside the remote process with VirtualAllocEx.

    LPVOID remotePath = VirtualAllocEx(process, NULL, strlen(filePath) + 1, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

    if (!remotePath)
        return NULL;

    if (!WriteProcessMemory(process, remotePath, (LPVOID)filePath, strlen(filePath) + 1, NULL))
        return NULL;

The next step is getting the location of LoadLibrary in the remote address space. LoadLibrary is an exported function of the kernel32.dll library. Since Windows Vista, address space layout randomization (ASLR) is used, which causes libraries compiled with ASLR support to be placed at a random position in the process address space. The randomization of system libraries only happens at boot time, so every time a process loads a specific DLL it is placed at the same randomized address [9]. If we get the address of LoadLibrary inside our local process, the same address will work across all running processes, provided the injector and the target have the same bitness (a 32-bit and a 64-bit process load different copies of kernel32.dll at different addresses).

    FARPROC loadLibraryAddress = GetProcAddress(GetModuleHandle("KERNEL32.DLL"), "LoadLibraryA");

A remote thread can now be created which will execute LoadLibrary with the custom DLL path as its parameter.

    HANDLE hThread = NULL;
    if (!(hThread = CreateRemoteThread(process, NULL, 0, (LPTHREAD_START_ROUTINE)loadLibraryAddress, remotePath, 0, NULL)))
        return NULL;

The DLL will now be loaded by the remote process. The code can then, for example, wait for the thread to finish, get the return value of LoadLibrary (the module handle, or 0 on failure), free the allocated memory region and close the handles.

    WaitForSingleObject(hThread, INFINITE);

    DWORD exitCode = 0;
    if (!GetExitCodeThread(hThread, &exitCode))
        return NULL;

    CloseHandle(hThread);

    if (!VirtualFreeEx(process, remotePath, 0, MEM_RELEASE))
        return NULL;

    return exitCode;

3.1.2 Injection of arbitrary code

This method is based on writing a raw byte array into the remote process and executing it. The byte array can represent just one function written in assembly language. One use of this method is bypassing the one-parameter limitation of the CreateRemoteThread injection method. To call a function with multiple parameters it is possible to write a wrapper for it that takes one or zero parameters. The wrapper contains the call of the original function and the required parameters as constants. To achieve this the injection code must:

1. Allocate a writable and executable memory region in the remote process
2. Patch the constants in the wrapper function to point to the correct data in the remote process
3. Execute the wrapper function in the remote process by creating a new thread
Example wrapper of the MessageBox function:

    push 0x30            ; MB_ICONWARNING
    push 0               ; window caption
    push 0xcccccccc      ; window text (placeholder)
    push 0               ; main window handle
    mov eax, 0xffffffff  ; address of MessageBox function (placeholder)
    call eax             ; call the function
    ret                  ; return

Flat Assembler produces the following machine code:

    byte wrapper[19] = {
        0x6A, 0x30,
        0x6A, 0,
        0x68, 0xCC, 0xCC, 0xCC, 0xCC,
        0x6A, 0,
        0xB8, 0xFF, 0xFF, 0xFF, 0xFF,
        0xFF, 0xD0,
        0xC3 };

Additionally, the memory region of the remote process allocated for the wrapper code must be marked as executable. This is due to the Data Execution Prevention (DEP) security feature included in Windows systems [7].

    LPVOID remoteWrapper = VirtualAllocEx(process, NULL, sizeof(wrapper), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

MessageBox has to display some text, which must also be allocated and written into the remote process. The address of this text is passed to MessageBox as the second parameter (the 0xcccccccc placeholder) in the assembly code. Note that sizeof(text) would give the size of the pointer, not of the string, so the length is taken with strlen.

    char* text = "Injected Hello World!";

    LPVOID remoteText = VirtualAllocEx(process, NULL, strlen(text) + 1, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

    WriteProcessMemory(process, remoteText, (LPVOID)text, strlen(text) + 1, NULL);
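Patching the two placeholder constants, as an added C++ example that is not part of the thesis's code. Instead of hard-coding the offsets 5 and 12, it locates each immediate by its opcode byte plus the marker bytes and refuses to continue if the pattern is missing or ambiguous. That check exposes a pitfall in this particular wrapper: the bare byte pattern FF FF FF FF occurs twice, at offsets 12 and 13, because the FF opcode of call eax follows the mov immediate, so a search for the marker alone would be ambiguous. The Windows calls that allocate and write the remote memory are left out; FindImmediate, Patch32, Read32, BuildWrapper and the two sample addresses are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// The 19-byte MessageBoxA wrapper from the text, with its two placeholder immediates:
// 0xCCCCCCCC as the operand of "push imm32" (lpText) and 0xFFFFFFFF as the operand of "mov eax, imm32".
static const uint8_t kWrapper[19] = {
    0x6A, 0x30,                    // push 0x30           ; MB_ICONWARNING
    0x6A, 0x00,                    // push 0              ; lpCaption
    0x68, 0xCC, 0xCC, 0xCC, 0xCC,  // push 0xCCCCCCCC     ; lpText (placeholder)
    0x6A, 0x00,                    // push 0              ; hWnd
    0xB8, 0xFF, 0xFF, 0xFF, 0xFF,  // mov eax, 0xFFFFFFFF ; MessageBoxA (placeholder)
    0xFF, 0xD0,                    // call eax
    0xC3                           // ret
};

// Returns the offset of the imm32 of the one instruction "opcode imm32" whose immediate equals
// 'marker'. Matching the opcode together with the marker is what keeps the search unambiguous here.
size_t FindImmediate(const std::vector<uint8_t>& code, uint8_t opcode, uint32_t marker) {
    uint8_t pat[5];
    pat[0] = opcode;
    for (int i = 0; i < 4; ++i) pat[1 + i] = static_cast<uint8_t>(marker >> (8 * i));   // little-endian

    size_t found = 0, where = 0;
    for (size_t pos = 0; pos + 5 <= code.size(); ++pos) {
        bool match = true;
        for (int i = 0; i < 5 && match; ++i) match = code[pos + i] == pat[i];
        if (match) { ++found; where = pos + 1; }
    }
    if (found != 1) throw std::runtime_error("placeholder missing or ambiguous");
    return where;
}

// Writes a 32-bit value little-endian, as x86 expects its immediates.
void Patch32(std::vector<uint8_t>& code, size_t off, uint32_t value) {
    if (off + 4 > code.size()) throw std::out_of_range("patch past end of code");
    for (int i = 0; i < 4; ++i) code[off + i] = static_cast<uint8_t>(value >> (8 * i));
}

// Reads a 32-bit little-endian value back, used to verify the patch.
uint32_t Read32(const std::vector<uint8_t>& code, size_t off) {
    uint32_t v = 0;
    for (int i = 0; i < 4; ++i) v |= static_cast<uint32_t>(code[off + i]) << (8 * i);
    return v;
}

// Produces the wrapper ready for WriteProcessMemory: both placeholders replaced by addresses valid in
// the target process (remoteText from VirtualAllocEx, MessageBoxA from GetProcAddress). Offsets are
// located before either patch is applied so a patched value can never be mistaken for a marker.
std::vector<uint8_t> BuildWrapper(uint32_t remoteText, uint32_t remoteMessageBox) {
    std::vector<uint8_t> code(kWrapper, kWrapper + sizeof kWrapper);
    size_t textOff = FindImmediate(code, 0x68, 0xCCCCCCCC);
    size_t fnOff   = FindImmediate(code, 0xB8, 0xFFFFFFFF);
    Patch32(code, textOff, remoteText);
    Patch32(code, fnOff, remoteMessageBox);
    return code;
}
```

Locating the immediates by pattern means the assembly can be edited (another push added, a different icon flag) without the patch offsets silently going stale, which with a hard-coded "+5" would corrupt an instruction instead of an operand.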
The 0xcccccccc constant is replaced with the address of the allocated text in the remote process. The same is done for the address of MessageBox in the remote process, which is the same as the address in the local process (as explained in 3.1.1). If the wrapper array is placed in a read-only section (for example when it is declared const), its memory protection must be adjusted first with VirtualProtect before it can be edited; VirtualProtect requires a valid pointer for the old protection value, otherwise the call fails.

    DWORD oldProtect = 0;
    VirtualProtect(wrapper, sizeof(wrapper), PAGE_READWRITE, &oldProtect);

    *(DWORD*)(wrapper + 5) = (DWORD)remoteText;
    *(DWORD*)(wrapper + 12) = (DWORD)GetProcAddress(LoadLibrary("USER32.DLL"), "MessageBoxA");

The wrapper is now ready to be written into the allocated memory region and executed remotely.

    WriteProcessMemory(process, remoteWrapper, (LPVOID)wrapper, sizeof(wrapper), NULL);

    CreateRemoteThread(process, NULL, 0, (LPTHREAD_START_ROUTINE)remoteWrapper, NULL, 0, NULL);

3.1.3 Injection via thread hijacking

In some cases a cheat or an injector may not be able to create new threads in a remote process, for example because of anti-virus or anti-cheat protection. In such a case, instead of creating a new thread, one of the threads already existing inside the remote process can be manipulated to execute the injected code. Every thread has a defined state represented by its thread context, which contains the values of all thread registers. Windows provides the GetThreadContext and SetThreadContext functions, which retrieve and modify the thread context. To achieve this the injection code must:

1. Suspend the remote process's main thread
2. Get the thread's current context
3. Modify the EIP (instruction pointer) register to point to the injected code
4. Resume the thread

Example source code:

    SuspendThread(threadHandle);

    CONTEXT context;
    memset(&context, 0, sizeof(context));
    context.ContextFlags = CONTEXT_ALL;
    GetThreadContext(threadHandle, &context);

    context.Eip = (DWORD)remoteFunction;

    SetThreadContext(threadHandle, &context);
    ResumeThread(threadHandle);

Handles to all threads inside a remote process can be obtained by enumerating thread IDs with the Thread32First and Thread32Next WinAPI functions and calling OpenThread on each. Note that the hijacked thread never returns to the code it was executing unless the injected code saves the registers, does its work and then jumps back to the original EIP; otherwise the game thread is lost and the game typically crashes or hangs.

3.2 Function hooking

Function hooking is used to modify the behavior of existing software for which we do not have the source code. A hook is a function added to the existing code in order to replace the functionality of an existing function. There are various methods of modifying software so that the hook function is called instead of the original one, and new hooking methods are developed in order to bypass anti-cheat detections. Cheats often use function hooking to modify:

1. the scene rendering function, to display hidden information about other players
2. the model and texture rendering functions, to draw transparent walls
3. the user input collecting function, to fake mouse movements and keyboard presses
4. the behavior of Windows API functions, in order to bypass anti-cheat detections

Legitimate applications such as debuggers and profilers also use function hooking. For example, the application Fraps hooks the scene drawing function in order to display information about game rendering performance (frames per second). The same techniques are used by malware, which does not limit itself to runtime modification of running processes but also infects files stored on physical media. In the case of cheats it is unfeasible to modify game files in order to hook functions, or to use any other method of on-disk code modification, because such an integrity violation is easy to detect.

3.2.1 Inline hooking

Inline hooking (also known as detouring) takes control of the code flow right after the original function is called. The first five bytes of the original function are replaced with an unconditional jump to the hook function. This ensures that every time the original function is called, the hook function starts executing instead. The hook function cannot simply call the original function, as that would produce infinite recursion. To solve this problem a trampoline function is created. It contains the first five bytes of the original function which were overwritten by the unconditional jump, followed by a jump to the next instruction in the original function after those five bytes. Because the copied bytes must form whole instructions, in practice the overwritten prologue is the shortest run of complete instructions that is at least five bytes long, and the copied instructions must not be position-dependent (such as relative calls or jumps), since those would need relocation. Figure 3.1 shows how inline hooking works.

Another limitation to consider is that memory containing executable code is typically marked as read-only and executable. To bypass this, the protection flags can be adjusted to allow modification of the memory page.

    DWORD oldProtect = 0;
    VirtualProtect(originalFunction, 5, PAGE_EXECUTE_READWRITE, &oldProtect);
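The displacement arithmetic behind the jump and the trampoline, as an added C++ example that is neither the thesis's code nor the Detours library. It builds the 5-byte patch for the start of the original function and the trampoline for the layout of Figure 3.1, then decodes both jumps to verify their targets before anything would be written with WriteProcessMemory, which is left out. The addresses 0x10001000 (original function), 0x10005000 (hook) and 0x10009000 (trampoline) are assumed; the encoding is the 32-bit x86 one the thesis targets (a 64-bit hook that may lie more than 2 GB away needs an absolute jump instead), and the prologue length is taken as given, as a length disassembler would supply it.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// x86 "jmp rel32" is E9 followed by a 32-bit displacement measured from the end of the
// 5-byte instruction, so the encoding depends on where the jmp itself will be placed.
std::vector<uint8_t> EncodeJmp(uint32_t from, uint32_t to) {
    uint32_t disp = to - (from + 5);   // wraps mod 2^32, which is exactly two's-complement rel32
    std::vector<uint8_t> out(5);
    out[0] = 0xE9;
    for (int i = 0; i < 4; ++i) out[1 + i] = static_cast<uint8_t>(disp >> (8 * i));
    return out;
}

// Decodes a jmp rel32 whose first byte sits at address 'at' and returns its target.
uint32_t DecodeJmpTarget(const uint8_t* p, uint32_t at) {
    if (p[0] != 0xE9) throw std::runtime_error("not a jmp rel32");
    uint32_t disp = 0;
    for (int i = 0; i < 4; ++i) disp |= static_cast<uint32_t>(p[1 + i]) << (8 * i);
    return at + 5 + disp;
}

// Bytes written over the start of the original function: jmp hook, then NOPs so that any
// stolen bytes beyond the first five are not left behind as the tail of a half instruction.
std::vector<uint8_t> BuildPatch(uint32_t original, uint32_t hook, size_t stolenLen) {
    if (stolenLen < 5) throw std::invalid_argument("need at least 5 stolen bytes");
    std::vector<uint8_t> patch = EncodeJmp(original, hook);
    patch.resize(stolenLen, 0x90);
    return patch;
}

// Trampoline: the stolen prologue followed by a jmp back to original + prologue length.
// 'prologue' must consist of whole, position-independent instructions (checked by the caller
// with a length disassembler; that part is outside this example). 'trampolineAddr' is where the
// trampoline will live, because the backward jmp is position-dependent.
std::vector<uint8_t> BuildTrampoline(const std::vector<uint8_t>& prologue, uint32_t original, uint32_t trampolineAddr) {
    if (prologue.size() < 5) throw std::invalid_argument("prologue shorter than the jmp it replaces");
    uint32_t len = static_cast<uint32_t>(prologue.size());
    std::vector<uint8_t> t(prologue);
    std::vector<uint8_t> back = EncodeJmp(trampolineAddr + len, original + len);
    t.insert(t.end(), back.begin(), back.end());
    return t;
}

struct HookImage {
    std::vector<uint8_t> patch;        // to be written at 'original'
    std::vector<uint8_t> trampoline;   // to be written at 'trampolineAddr'
};

// Demo with the Figure 3.1 layout: originalFunction starts with "push 0x1000a433"
// (68 33 A4 00 10, exactly five bytes, so nothing beyond the jmp has to be stolen).
HookImage RunDemo() {
    const uint32_t original = 0x10001000, hook = 0x10005000, trampoline = 0x10009000;   // assumed
    std::vector<uint8_t> prologue = {0x68, 0x33, 0xA4, 0x00, 0x10};
    HookImage img;
    img.patch = BuildPatch(original, hook, prologue.size());
    img.trampoline = BuildTrampoline(prologue, original, trampoline);
    return img;
}
```

When the patch is finally written into a live process, the five bytes should be replaced in one step (an atomic 8-byte write, or with the other threads suspended), because a thread executing the original function between a partially written jmp and its completion will run garbage.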
    before hooking:                  after hooking:

    originalFunction:                originalFunction:
        push 0x1000a433                  jmp hook
        mov eax, 0x1000                  mov eax, 0x1000
        call eax                         call eax
        ret                              ret

                                     hook:
                                         custom code...
                                         jmp trampoline

                                     trampoline:
                                         push 0x1000a433
                                         jmp originalFunction + 5

Figure 3.1: Inline hooking.

Libraries with inline hooking functionality

Microsoft Detours is a library which provides inline hooking functionality for 32-bit and 64-bit applications. It is commercial software which also provides a version for non-commercial usage. The function responsible for hooking is called DetourAttach.

    LONG DetourAttach(PVOID *ppPointer, PVOID pDetour);

The first parameter is a pointer to a pointer to the original function; on success Detours updates that pointer to point to the trampoline, which is how the hook calls the original. The second parameter is a pointer to the hook function. Alternatively Deviare In-Process can be used, which provides similar functionality and is available under the GPLv3 license.

3. Available from: detours/

3.2.2 Virtual method hooking

The implementation of the virtual method table (VMT) depends on the compiler used. Although most implementations are very similar, some compilers handle multiple inheritance differently, for example. The following text describes the Microsoft Visual C++ (MSVC) implementation. Virtual methods are implemented as indirect calls through the VMT. The VMT is an array of function pointers whose indexes are fixed at compile time, and it is stored in a read-only memory region. The pointers inside the VMT are ordered in the same order as the methods are declared in the class definition. Code calling a virtual function only needs a pointer to an instance and a function index. The pointer to the VMT is stored as a hidden first member of the class instance. All instances of one class use the same VMT, so if the VMT is modified, all instances are affected. Figure 3.2 shows the implementation of the virtual method table.

    before hooking:

    object                     virtual method table
      pointer to vmt  ----->     pointer to function01  ----->  function01: ...
                                 pointer to function02  ----->  function02: ...
                                 pointer to function03

Figure 3.2: Virtual method table.

Hooking method based on replacing a function pointer inside the virtual method table

Assume the code needs to hook the RenderFinish method of the following class:

    class Rendering
    {
    public:
        virtual void RenderStart() { };
        virtual void RenderFinish() { printf("Original function called\n"); };
    };
If the address of the virtual method table is known, for example from reverse engineering the code, it can be used directly, or it can be obtained from an object instance:

    // the hidden first member of the object is the address of the virtual method table
    void** vmtTable = *(void***)instance;
    void* function02 = vmtTable[1];   // back up the pointer to the second function
    ...

Just as the pointer value can be read, it can also be modified. Note that this part of memory is read-only, and therefore the memory protection must be adjusted before the pointer can be modified. The hook in this case is a function whose pointer is placed into the VMT instead of the pointer to the original function RenderFinish.

    DWORD origProtection = 0, dummy = 0;
    VirtualProtect(&vmtTable[1], sizeof(void*), PAGE_EXECUTE_READWRITE, &origProtection);

    vmtTable[1] = &Hook;

    VirtualProtect(&vmtTable[1], sizeof(void*), origProtection, &dummy);

A hook must have exactly the same number of parameters and use the same calling convention as the original. Virtual functions usually use the thiscall calling convention, in which the caller passes the this pointer in the ECX register. This calling convention is not guaranteed, as it depends on compiler settings and optimizations, so before replacing a function in the VMT the calling convention should be verified by reverse engineering. MSVC will not allow a non-member function to be explicitly declared as thiscall. There are two calling conventions compatible with thiscall which can be used instead. The first is stdcall, which does not directly provide the this pointer, but it can be obtained by reading the ECX register via inline assembly. The second is fastcall, which passes the first two parameters in the ECX and EDX registers.
    typedef void (__thiscall* Virtual_t)(void* thisPtr);
    Virtual_t original = (Virtual_t)function02;   // the backed-up pointer, callable with the right convention

    // stdcall variant (only one of the two variants is compiled)
    void __stdcall Hook() {
        DWORD instance;
        __asm mov instance, ECX   // must be the first statement, before anything clobbers ECX

        original((void*)instance);   // calling the original function
        printf("Hook function called\n");
    }

    // fastcall variant: this arrives in ECX, the unused second parameter absorbs EDX
    void __fastcall Hook(void* thisPtr, int edx) {
        original(thisPtr);   // calling the original function
        printf("Hook function called\n");
    }

Once the hook is installed, calling RenderFinish produces the following output:

    Original function called
    Hook function called

Figure 3.3 shows hooking via VMT function pointer replacement.

    after hooking:

    object                     virtual method table
      pointer to vmt  ----->     pointer to function01  ----->  function01: ...
                                 pointer to hook        ----->  hook: ...
                                 pointer to function03          function02: ...

Figure 3.3: Replacing a function pointer inside the VMT.
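A working VMT hook, as an added C++ example that is not the thesis's code. It implements the per-instance variant described next, copying the table and re-pointing the object at the copy, which needs no write to read-only memory, and it shows that a free function taking the object pointer as its first argument can stand in for a member function. The Rendering class mirrors the one above. The example assumes the Itanium C++ ABI used by GCC and Clang (this passed as the first argument, VMT pointer as the hidden first member of the object) instead of MSVC's thiscall, and the Opaque helper is there only to keep the compiler from devirtualizing the calls; VmtHook, InstallVmtCopyHook and RemoveVmtCopyHook are assumed names.

```cpp
#include <cstddef>
#include <cstring>
#include <string>
#include <vector>

// Stand-in for a game class, the same shape as the Rendering class above.
struct Rendering {
    std::vector<std::string> log;    // records which functions ran
    virtual void RenderStart()  { log.push_back("RenderStart"); }
    virtual void RenderFinish() { log.push_back("Original function called"); }
};

// At the ABI level a virtual method with no explicit arguments is a function whose first
// argument is 'this' (assumption: Itanium C++ ABI; under MSVC x86 this would be __thiscall in ECX).
typedef void (*RenderFinishFn)(Rendering* self);
static RenderFinishFn g_originalFinish = 0;

// The hook: a free function with the same parameters, calling the saved original first.
static void HookRenderFinish(Rendering* self) {
    g_originalFinish(self);
    self->log.push_back("Hook function called");
}

struct VmtHook {
    void** originalVmt;    // the class's real table, left untouched
    void** copy;           // private copy owned by the hook
    void*  originalSlot;   // the function pointer that was replaced
};

// Installs a hook for one instance: copy 'slotCount' entries of its VMT, replace one slot and
// point the instance's hidden first member at the copy. No read-only memory is written, and
// other instances of the class keep using the original table.
VmtHook InstallVmtCopyHook(void* instance, size_t slotCount, size_t slot, void* hook) {
    VmtHook h;
    h.originalVmt = *static_cast<void***>(instance);
    h.copy = new void*[slotCount];
    std::memcpy(h.copy, h.originalVmt, sizeof(void*) * slotCount);
    h.originalSlot = h.copy[slot];
    h.copy[slot] = hook;
    *static_cast<void***>(instance) = h.copy;
    return h;
}

// Restores the original table and frees the copy.
void RemoveVmtCopyHook(void* instance, VmtHook& h) {
    *static_cast<void***>(instance) = h.originalVmt;
    delete[] h.copy;
    h.copy = 0;
}

// Launders a pointer so the compiler cannot devirtualize the call from the object's static type;
// the "memory" clobber also makes it re-read the VMT pointer that was just changed (GCC/Clang).
template <typename T>
T* Opaque(T* p) {
    __asm__ __volatile__("" : "+r"(p) : : "memory");
    return p;
}

// Hooks slot 1 (RenderFinish) of one object, calls both methods, unhooks, and calls again.
std::vector<std::string> RunDemo() {
    Rendering obj;
    Rendering* r = Opaque(&obj);

    VmtHook h = InstallVmtCopyHook(r, 2, 1, reinterpret_cast<void*>(&HookRenderFinish));
    g_originalFinish = reinterpret_cast<RenderFinishFn>(h.originalSlot);

    r = Opaque(r);
    r->RenderStart();    // slot 0, untouched
    r->RenderFinish();   // slot 1, now the hook, which calls the original first

    RemoveVmtCopyHook(r, h);
    r = Opaque(r);
    r->RenderFinish();   // original again after unhooking
    return r->log;
}
```

The slot count passed to InstallVmtCopyHook has to come from reverse engineering: copying too few entries leaves later virtual calls reading past the copy, which is the same class of mistake as guessing the calling convention.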
Hooking method based on replacing the pointer to the virtual method table inside the object. Another approach is to create a copy of the original VMT and leave the original untouched. All instances of the class must then be modified so that their VMT pointer points to the copy. This approach requires the hooking code to have access to all instances, but it has the big advantage of not modifying read-only memory.

    void** vmttable = *(void***)instance;
    int vmtsize = 2;   // number of virtual methods; must be determined by reverse engineering

    void** hooktable = new void*[vmtsize];
    memcpy(hooktable, vmttable, sizeof(void*) * vmtsize);

    // replacing the VMT pointer to point to the new VMT
    *(void***)instance = hooktable;

    // replacing the pointer to the second function in the new VMT
    hooktable[1] = (void*)&Hook;

Figure 3.4 represents hooking via replacing the VMT pointer.

[Figure 3.4: Replacing VMT pointer inside object. Diagram: after hooking, the object points to a hook table (pointers to function01, hook and function03), while the original virtual method table (pointers to function01, function02 and function03) is left unchanged; hook calls function02.]

3.3 Game engine exploiting

In this context we think of a game engine as software which provides the functionality typically needed in a working game. This usually includes scene rendering, physics, sound, scripting, networking, etc. While reusing a game engine helps significantly with the development of a game, it also makes it easier to develop a cheat for it. If technical details about a specific game engine are known, creating a cheat for any game using that engine is a trivial task. A good example of this is the Call of Duty game series. Every Call of Duty game uses the same game engine, albeit one that gets improved every year and gains new features. Because of this it is very easy to create cheats, thanks to the public information about prior versions of the engine collected over years of reverse engineering. This allowed a private cheat provider (who provides cheats for the Call of Duty series) to develop a cheat for the new title Call of Duty: Modern Warfare 2 in less than 24 hours after the game's release date. Games based on the same engine also tend to share the same engine bugs. If a game engine happens to have a bug, the bug could be exploited across all games based on that engine.

Source Engine

Source Engine is a game engine created and developed by Valve Corporation (Valve). It comes with the Source SDK, which can be used to build mods or even whole new games based on Source Engine [10]. Source Engine is highly modularized. Every part of the engine (rendering, networking, physics, sound, etc.) has an independent interface; the interfaces communicate with each other and are used by the game code. The Source SDK provides access to those interfaces via C++ header files and pointers to their
instances. The easiest way to gain control over a game is to get access to the game engine interfaces and modify them. Every engine DLL which provides interfaces has an exported function CreateInterface. The prototype of this function is:

    void* CreateInterface(const char* name, int* returncode);

The first parameter is a string constant telling the function which interface, and which version of the interface, is requested. The function returns a pointer to an instance of the requested interface. All instances this function returns pointers to are singletons, which means the whole game code uses the same instance. The example cheat code, which is attached to this thesis, works by modifying the virtual method tables of those interfaces.
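The two VMT hooking variants described in section 3.2 each leave a trace that a user mode integrity check can catch: the copied-table method changes the object's VMT pointer, and in-place replacement changes the contents of the table itself. The following C++ example is added here and is not the thesis' attached cheat code; it uses a hand-built object layout (first member is the VMT pointer, as in the thesis) with constructed function names, simulates both variants on ordinary writable memory instead of calling VirtualProtect, and checks an object against a baseline recorded while it was clean.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Object layout used throughout section 3.2: the first member is the pointer
// to the virtual method table (a hand-built stand-in for a C++ object).
typedef void (*VirtualFn)(void* thisptr);
struct Object {
    void** vmt;   // pointer to the virtual method table
    int state;    // an ordinary data member, unused
};

// Two "virtual methods" and the hook, mirroring function01/function02/Hook
// from the thesis listings (constructed names, explicit this parameter).
static void function01(void*) { std::puts("function01 called"); }
static void function02(void*) { std::puts("Original function called"); }
static void Hook(void* thisptr) {
    function02(thisptr);                    // call the original first
    std::puts("Hook function called");
}

// FNV-1a over the raw bytes of `count` VMT slots: the same idea as hashing a
// module's read-only sections and comparing with a known-good copy.
static uint64_t HashSlots(void* const* slots, size_t count) {
    uint64_t h = 1469598103934665603ULL;
    const unsigned char* p = reinterpret_cast<const unsigned char*>(slots);
    for (size_t i = 0; i < count * sizeof(void*); ++i) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

static void** GetVmt(void* instance) {
    return *reinterpret_cast<void***>(instance);   // first member of the object
}

// Baseline recorded while the object is known to be clean, e.g. right after
// the engine handed out the interface pointer.
struct VmtBaseline {
    void* const* table;   // where the VMT pointer pointed
    uint64_t slotHash;    // hash of the first `count` slots
    size_t count;
};

VmtBaseline RecordBaseline(void* instance, size_t count) {
    void** t = GetVmt(instance);
    VmtBaseline b = { t, HashSlots(t, count), count };
    return b;
}

enum VmtStatus { VMT_CLEAN = 0, VMT_POINTER_REPLACED = 1, VMT_SLOT_MODIFIED = 2 };

// Check 1 catches the copied-table method (the VMT pointer no longer points at
// the original table). Check 2 catches the in-place slot overwrite (same table,
// different contents), which is also what a read-only section hash reveals.
VmtStatus CheckVmt(void* instance, const VmtBaseline& base) {
    void** t = GetVmt(instance);
    if (t != base.table) return VMT_POINTER_REPLACED;
    if (HashSlots(t, base.count) != base.slotHash) return VMT_SLOT_MODIFIED;
    return VMT_CLEAN;
}

// Simulations of the two hooking variants from section 3.2. The table lives
// in ordinary writable memory here, so no VirtualProtect call is involved.
static void HookInPlace(void* instance) {
    GetVmt(instance)[1] = reinterpret_cast<void*>(&Hook);
}
static void HookByCopy(void* instance, void** copy, size_t count) {
    std::memcpy(copy, GetVmt(instance), sizeof(void*) * count);
    copy[1] = reinterpret_cast<void*>(&Hook);
    *reinterpret_cast<void***>(instance) = copy;
}

// Builds a fresh object, records a baseline, applies one variant, calls the
// second virtual method through the (possibly hooked) table and checks it.
// variant: 0 = untouched, 1 = slot overwritten in place, 2 = VMT pointer replaced.
VmtStatus Scenario(int variant) {
    void* table[2] = { reinterpret_cast<void*>(&function01),
                       reinterpret_cast<void*>(&function02) };
    void* copy[2] = { nullptr, nullptr };
    Object obj = { table, 0 };
    VmtBaseline base = RecordBaseline(&obj, 2);
    if (variant == 1) HookInPlace(&obj);
    if (variant == 2) HookByCopy(&obj, copy, 2);
    reinterpret_cast<VirtualFn>(GetVmt(&obj)[1])(&obj);   // the "RenderFinish" call
    return CheckVmt(&obj, base);
}

int main() {
    const char* names[] = { "clean", "VMT pointer replaced", "VMT slot modified" };
    for (int v = 0; v < 3; ++v)
        std::printf("variant %d -> %s\n", v, names[Scenario(v)]);
    return 0;
}
```

A real check of a Source Engine interface would record the baseline from the pointer CreateInterface returns and compare the table address against the module's read-only section range as well.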
Chapter 4

Anti-Cheating software

Anti-cheating software is designed as a countermeasure to cheating in competitive online games. Technical implementations of anti-cheats are very similar to anti-viruses. A typical anti-cheat checks the player's computer for known cheat software. The actions that follow a detection vary between anti-cheats and are part of their different strategies. Unlike an anti-virus, an anti-cheat works in a hostile environment: cheats are designed to have superior system permissions and are therefore able to manipulate the anti-cheat and make its detection methods ineffective.

4.1 Comparison of anti-cheats

Anti-cheat software is typically required to be active when a player wants to play online with other players. An anti-cheat can either be provided by the game owner, and therefore be built into the game, or it can be required to be installed as specialized software before the player is able to join a specific game server or participate in a tournament. Anti-cheat services can differ in several ways, and therefore various categories of anti-cheat services exist. Table 4.1 lists the most common anti-cheat services.

Client side integration

Depending on how deeply the client part of the anti-cheat is integrated on the player's machine, we can distinguish three categories.

1. Zero client integration: an anti-cheat without any code running on the client. Typically based on analyzing the client's behavior by verifying incoming client
network data. In this case the client does not have access to the anti-cheat code, and therefore the cheat developer does not know which client behavior triggers a detection or when the anti-cheat is updated.

2. User mode client integration: an anti-cheat implemented as a running process or a system service. It has limited access to computer memory.

3. Kernel mode client integration: an anti-cheat implemented as a driver, running in kernel address space and therefore having access to the whole computer memory. The most effective solution, but possibly a source of system instability.

An anti-cheat can also be split into multiple modules, each with a different level of integration. For example, a game can be protected by a user mode service, with an additional kernel mode layer and server-side analysis of incoming client network data.

Game server integration

To be effective, an anti-cheat must also be integrated into game servers, where it is used to deny access to players who are banned from playing online (Figure 4.1). It is also used to verify that the client-side part of the anti-cheat is active and functional while connecting to a secured game server. This minimal functionality can also be extended with features which give game server administrators the ability to perform additional anti-cheat checks of a specific player, for example to request a capture of the player's game screen.

Banning strategy

Once an anti-cheat detects a cheat, an action can either be performed immediately or deferred to some point in the future. There can be various reasons to delay the action against a player who was detected using a cheat. It can be a technical reason, to create room for manual analysis of the detection to ensure it was correct, or it can be part of a long-term anti-cheat strategy. Bans are typically permanent or at least one year long.
[Figure 4.1: Typical anti-cheat implementation in a server-client online game. Diagram: on the client, the anti-cheat scans the game; game traffic flows to the game server; scan reports go to the anti-cheat master server, which the game server queries for the player's status.]

Ban details sharing

Once a player is banned or kicked from a game, the anti-cheat may or may not provide the player with details about the violation, such as the name of the detected program or the detection method used. The fact that a player was banned can be announced to other players, for example in-game or on the game's official website.

License and pricing

A game developer usually relies on a third-party anti-cheat service instead of developing its own. There are various anti-cheat providers with different licensing and pricing. Leagues typically provide their own anti-cheat solutions.
A game usually has one anti-cheat, but depending on requirements a game server owner can use the anti-cheat provided by the game developer and additionally purchase a license for another anti-cheat with a higher level of client side integration, for example to provide better security at a tournament. If a different anti-cheat service is found to be active on the player's computer, anti-cheats typically adjust their behavior to prevent false detections. While using a third-party anti-cheat service, the game developer typically does not have access to any administrative part of the anti-cheat. If they want the anti-cheat to detect a specific cheat, they must send it to the company providing the anti-cheat service for analysis.
Anti-cheat        Company                  No. games   Client integration   Availability
Valve Anti-Cheat  Valve Corporation        320+        User mode            Steam games
PunkBuster        Even Balance             17          User mode            Commercial
Warden            Blizzard Entertainment   6           User mode            Blizzard games
GameGuard         Inca Internet            320+        Kernel mode          Commercial
HackShield        AhnLab                   200+        Kernel mode          Commercial
ESL Wire          Turtle Entertainment     35+         Kernel mode          ESL League
ESEA Client       E-Sports Entertainment   3           Kernel mode          ESEA League
EasyAntiCheat     EasyAntiCheat            13+         Kernel mode          Commercial
BattlEye          BattlEye Innovations     3           Kernel mode          Commercial
FairFight         GameBlocks               5+          Server only          Commercial

Table 4.1: List of most common anti-cheat services.
Chapter 5

Analysis of Valve Anti-Cheat

Valve Anti-Cheat (VAC) is an anti-cheat system developed and operated by Valve Corporation. It was designed to punish players who use cheats while playing online matches against other players by permanently banning them from playing the game online. It is integrated into the Steam client and currently supports over 320 games on Steam. It works by scanning the player's computer for known cheats, and it is designed to ban only for cheats that are in its database of known cheats [11]. Every player is required to have a registered Steam account linked to their purchased copy of the game. Once a known cheat is detected to be active on the player's computer, the player's Steam account is marked for a future ban. The player is then given the opportunity to play with the marked account for a few more days, giving them the false impression that the cheat remains undetected. Once the Steam account is banned, no ban details are provided, and the player must create a new Steam account and repurchase the game. Cheat providers typically publish the detection status of their cheats (detected, undetected or unknown) based on ban reports from cheat users. This information can be highly inaccurate because of the delay between detection and the actual ban.

5.1 Client-Side implementation

VAC is implemented as a library which operates in user mode and uses various scan methods to detect cheat programs running on the player's computer. Since a game is not guaranteed to run with elevated privileges, VAC does not operate within the boundaries of the game's memory space; instead it runs inside Steam.exe, and hence all memory operations are executed remotely. If Steam happens to be run with limited
permissions, SteamService.exe, which is registered as a Windows service, comes into play. VAC is currently used in two versions, VAC2 and VAC3. The VAC2 client has not been updated for a while and is probably only kept for legacy reasons; reading the compile date inside the PE header of the latest VAC2 library reveals that it was compiled on 03/11/2010. The main difference between the second and third version is the way Steam loads them. VAC2 is implemented as a single DLL called sourceinit.dat, located in the Steam directory. Once a game is run, a function inside Steamclient.dll copies this DLL into the system temp directory under a random name and loads it via the LoadLibrary function. This approach has multiple disadvantages:

1. Since the library file is part of the Steam client, a Steam client update is required to update the anti-cheat.

2. The whole anti-cheat code is stored on the user's machine, so it is much easier to analyze or circumvent it.

3. It is trivial to detect anti-cheat updates (by using a file checksum).

Contrary to VAC2's approach, VAC3 uses a totally different loading method. This time the loading function is located inside Steamservice.dll, and the VAC library is not stored locally but downloaded from Steam servers and loaded on the fly at any time while a VAC-protected game is being played, using the "Injection of arbitrary code" method described in Chapter 3. This new approach solves all the previously mentioned disadvantages of the VAC2 loading method:

1. The VAC library is not part of the Steam client, so it can be updated at any time, and even multiple libraries can be loaded at the same time.

2. Instead of a single VAC library, the anti-cheat can be split into multiple libraries, so a cheat developer never has access to the whole anti-cheat code at once.

3. Specific VAC libraries can be used on just a small subset of all players playing the game, so a cheat developer cannot be sure if and when a new library has been released.
The structure of the VAC library is very similar between VAC2 and VAC3, the main difference being that instead of holding the whole anti-cheat like VAC2, a VAC3 library usually contains only one or two scan functions at a time. Once a VAC library is loaded, an exported function runfunc is called to execute a cheat scan. The prototype of this function is:

    int runfunc(int scanid, void* VACPacket, int packetsize, void* responsebuffer, int responsesize);

int scanid - id of the scan the server wants VAC to execute
void* VACPacket - structure holding parameters for the scan function, for example the PID of the external process the anti-cheat wants to analyze
int packetsize - size of the VACPacket structure
void* responsebuffer - structure holding the result of the scan function
int responsesize - size of responsebuffer

The return value can be one of:

1 - scan function executed and responsebuffer holds valid data
2 - unknown error
3 - unknown scanid
4 - packetsize or responsesize is too small

Loaded libraries are also ready to execute different scans with different parameters at any time on the server's request.

5.2 Process monitoring

Process monitoring is important for detecting external cheats, cheat injectors and other suspicious programs which could be used to access the game's address space. It ensures that when a player runs a suspicious program, it gets reported to VAC servers with the additional data required to identify the program. VAC is only active after a player joins a VAC-secured game server. Because of this, the process monitor is implemented inside the Steam client, which allows it to detect suspicious programs even before a game starts. Once a suspicious process is detected, it is put on a
list which is accessed by VAC once the player connects to a VAC-secured game server. VAC then collects information about those programs and sends a report about them to VAC servers. If those programs are then identified as cheats, the player gets banned for cheating. The first part of the process monitor implementation is a listener for process creation and termination events. If a process is created during a critical time interval, for example right before a player starts a game or later while the game is running, the process gets marked as a candidate for a later VAC scan. The second part is implemented in the Steam API library, which is loaded by the game. The Steam API library runs inside the game's address space and is therefore able to detect the creation of new local threads and of handles opened by other programs. A process gets marked for a later VAC scan if it creates a new thread inside the game or opens a handle to it via the OpenProcess function.

5.3 Code blacklisting

Code injection, especially DLL injection, is often used by legitimate programs, for example anti-virus software. Because of this, detection of injected code is based on blacklisting of known libraries and binary code. VAC scans the whole game address space to detect all loaded DLL files and all executable memory regions. The function GetMappedFileName is called for every memory region. If a memory region represents a mapped file, typically a loaded DLL, GetMappedFileName returns the full path to the file. Both the mapped memory region and the file are hashed and reported to VAC servers for identification. If a memory region does not belong to a mapped file but contains a section marked as executable, it is suspicious and VAC performs further analysis of the region.

5.4 Integrity checking

Integrity checking is the process of validating the integrity of the game code and its static data. All game DLL files are scanned and their read-only sections, typically .text and .rdata, are hashed and compared to their local copy on disk. This works effectively against hooking methods based on modifying read-only data. Further analysis of the modification is then performed to distinguish between a modification made by a cheat and possible memory corruption. While this method is effective in detecting new cheats, it is widely known to cheat developers and is also prone to false-positive detections [13]. Figure 5.1 shows the error caused by modification of critical game DLL files in Counter-Strike.

[Figure 5.1: Integrity check of local files.]

5.5 Environmental checking

Cheat developers often configure the operating systems on which their cheats are deployed to make VAC scans non-functional or less effective. The most common requirement of private cheat providers is that users disable DEP, in order to allow the cheat to hide its code in memory regions that are not marked as executable. This effectively circumvents the code blacklisting technique mentioned above. Cheats operating in kernel mode are typically not signed with a certificate and therefore require the user to disable Signed Driver Enforcement so that unsigned drivers can be loaded in Windows [8]. Environmental checking is partially done on the client side, where specific VAC modules check current system settings, and also on the server side, where VAC servers check the reports sent by VAC modules. If VAC
happens to find an incorrect system configuration, or a VAC server receives incorrect or corrupted results, the player will not be able to play on VAC-secured servers until the issue which prevents VAC from working is fixed [14]. Figure 5.2 shows the error caused by disabling DEP.

[Figure 5.2: VAC environmental checking.]

5.6 Kernel mode cheats detection

VAC runs in user mode and hence does not have access to the kernel mode address space. This makes any kernel mode code blacklisting impossible, and therefore detecting a specific kernel mode cheat requires creating a specific detection method. Even when a cheat runs in kernel mode it affects the user space environment, for example by creating new files, registry entries, etc., which can be detected by user mode applications. Every user mode change made by a kernel cheat can be used to create a detection method. In spite of this, cheat developers typically react quickly to new detection methods and work on minimizing the detection surface of their cheats. There are known cases of specialized VAC modules used to detect kernel mode cheats. The most recent one was a module which scanned the local DNS cache, looking for specific DNS records of known cheat DRM servers. Gabe Newell (co-founder of Valve) once said about kernel mode cheats: "Kernel-level cheats are expensive to create, and they are expensive to detect. Our goal is to make them more expensive for cheaters and cheat
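Sections 5.1 and 5.3 describe the runfunc contract and the hashing of memory regions; the example below, added here and not VAC's code, reconstructs that contract with one concrete scan that hashes a caller-supplied region and compares the result against a constructed one-entry blacklist. The scan id, the packet and response layouts, the sample region bytes and the choice of hash function are all assumptions made for this illustration; a real module would read the region from another process by PID.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Return codes as listed for runfunc in section 5.1.
enum RunResult { RUN_OK = 1, RUN_ERROR = 2, RUN_UNKNOWN_SCAN = 3, RUN_BUFFER_TOO_SMALL = 4 };

// Scan id, packet and response layouts are constructed for this example.
enum { SCAN_HASH_REGION = 1 };

struct HashRegionPacket {
    const void* base;    // start of the region to hash (local here; a real
    size_t size;         // module would read it from the target process)
};

struct HashRegionResponse {
    uint64_t hash;       // FNV-1a of the region
    size_t hashedBytes;  // how many bytes were covered
};

// FNV-1a, standing in for whatever hash the real module reports.
static uint64_t Fnv1a(const unsigned char* p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; ++i) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

// Entry point with the prototype given in the thesis. Every size is validated
// before the packet is trusted, because the buffers come from the loader,
// not from the scan module itself.
int runfunc(int scanid, void* VACPacket, int packetsize,
            void* responsebuffer, int responsesize) {
    if (VACPacket == nullptr || responsebuffer == nullptr ||
        packetsize < 0 || responsesize < 0)
        return RUN_ERROR;

    switch (scanid) {
    case SCAN_HASH_REGION: {
        if ((size_t)packetsize < sizeof(HashRegionPacket) ||
            (size_t)responsesize < sizeof(HashRegionResponse))
            return RUN_BUFFER_TOO_SMALL;
        const HashRegionPacket* pkt =
            static_cast<const HashRegionPacket*>(VACPacket);
        if (pkt->base == nullptr) return RUN_ERROR;
        HashRegionResponse resp;
        resp.hash = Fnv1a(static_cast<const unsigned char*>(pkt->base), pkt->size);
        resp.hashedBytes = pkt->size;
        std::memcpy(responsebuffer, &resp, sizeof resp);
        return RUN_OK;
    }
    default:
        return RUN_UNKNOWN_SCAN;
    }
}

// Loader side: a constructed byte string standing in for the executable
// region of a known cheat, and its hash as the only blacklist entry.
static const char kSampleCheatRegion[] = "constructed sample region, not a real cheat";
static const size_t kSampleCheatRegionSize = sizeof kSampleCheatRegion - 1;

// Runs the scan on a region and reports whether its hash is blacklisted.
// Returns the runfunc code so "not listed" and "scan failed" stay distinct.
int ClassifyRegion(const void* region, size_t size, bool* blacklisted) {
    HashRegionPacket pkt = { region, size };
    HashRegionResponse resp;
    int rc = runfunc(SCAN_HASH_REGION, &pkt, (int)sizeof pkt,
                     &resp, (int)sizeof resp);
    if (rc != RUN_OK) return rc;
    uint64_t listed = Fnv1a(reinterpret_cast<const unsigned char*>(kSampleCheatRegion),
                            kSampleCheatRegionSize);
    *blacklisted = (resp.hash == listed);
    return rc;
}

int main() {
    const char clean[] = "ordinary game code";   // constructed, not a real region
    bool hit = false;
    ClassifyRegion(kSampleCheatRegion, kSampleCheatRegionSize, &hit);
    std::printf("sample region blacklisted: %s\n", hit ? "yes" : "no");
    ClassifyRegion(clean, sizeof clean - 1, &hit);
    std::printf("clean region blacklisted: %s\n", hit ? "yes" : "no");
    return 0;
}
```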
SMTP-32 Library Simple Mail Transfer Protocol Dynamic Link Library for Microsoft Windows Version 5.2 Copyright 1994-2003 by Distinct Corporation All rights reserved Table of Contents 1 Overview... 5 1.1
More informationOLD WIN32 CODE FOR A MODERN, SUPER-STEALTH TROJAN
OLD WIN32 CODE FOR A MODERN, SUPER-STEALTH TROJAN BLACKHAT EUROPE 2004 Eric DETOISIEN Team Rstack Eyal DOTAN Tegam International Agenda Introduction Communication model Code injection API Hooking Final
More informationManage Traps in a VDI Environment. Traps Administrator s Guide. Version 3.3. Copyright 2007-2015 Palo Alto Networks
Manage Traps in a VDI Environment Traps Administrator s Guide Version 3.3 Contact Information Corporate Headquarters: Palo Alto Networks 4401 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com/company/contact-us
More informationKaspersky Whitelisting Database Test
Kaspersky Whitelisting Database Test A test commissioned by Kaspersky Lab and performed by AV-Test GmbH Date of the report: February 14 th, 2013, last update: April 4 th, 2013 Summary During November 2012
More informationAPPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK
APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK John T Lounsbury Vice President Professional Services, Asia Pacific INTEGRALIS Session ID: MBS-W01 Session Classification: Advanced
More informationApplication Note. Introduction AN2471/D 3/2003. PC Master Software Communication Protocol Specification
Application Note 3/2003 PC Master Software Communication Protocol Specification By Pavel Kania and Michal Hanak S 3 L Applications Engineerings MCSL Roznov pod Radhostem Introduction The purpose of this
More informationInside Windows Rootkits
Chris Ries Security Research Engineer VigilantMinds Inc. 4736 Penn Avenue Pittsburgh, PA 15224 info@vigilantminds.com Introduction Although they have been around for quite some time, rootkits have become
More informationUnix Security Technologies. Pete Markowsky <peterm[at] ccs.neu.edu>
Unix Security Technologies Pete Markowsky What is this about? The goal of this CPU/SWS are: Introduce you to classic vulnerabilities Get you to understand security advisories Make
More informationODBC Client Driver Help. 2015 Kepware, Inc.
2015 Kepware, Inc. 2 Table of Contents Table of Contents 2 4 Overview 4 External Dependencies 4 Driver Setup 5 Data Source Settings 5 Data Source Setup 6 Data Source Access Methods 13 Fixed Table 14 Table
More informationThis report is a detailed analysis of the dropper and the payload of the HIMAN malware.
PAGE 5 Check Point Malware Research Group HIMAN Malware Analysis December 12, 2013 Researcher: Overview This report is a detailed analysis of the dropper and the payload of the HIMAN malware. This malware
More informationConfinement Problem. The confinement problem Isolating entities. Example Problem. Server balances bank accounts for clients Server security issues:
Confinement Problem The confinement problem Isolating entities Virtual machines Sandboxes Covert channels Mitigation 1 Example Problem Server balances bank accounts for clients Server security issues:
More informationDiskPulse DISK CHANGE MONITOR
DiskPulse DISK CHANGE MONITOR User Manual Version 7.9 Oct 2015 www.diskpulse.com info@flexense.com 1 1 DiskPulse Overview...3 2 DiskPulse Product Versions...5 3 Using Desktop Product Version...6 3.1 Product
More informationIllustration 1: Diagram of program function and data flow
The contract called for creation of a random access database of plumbing shops within the near perimeter of FIU Engineering school. The database features a rating number from 1-10 to offer a guideline
More informationXcode Project Management Guide. (Legacy)
Xcode Project Management Guide (Legacy) Contents Introduction 10 Organization of This Document 10 See Also 11 Part I: Project Organization 12 Overview of an Xcode Project 13 Components of an Xcode Project
More informationPattern Insight Clone Detection
Pattern Insight Clone Detection TM The fastest, most effective way to discover all similar code segments What is Clone Detection? Pattern Insight Clone Detection is a powerful pattern discovery technology
More informationTitle Release Notes PC SDK 5.14.03. Date 2012-03-30. Dealt with by, telephone. Table of Content GENERAL... 3. Corrected Issues 5.14.03 PDD...
1/15 Table of Content GENERAL... 3 Release Information... 3 Introduction... 3 Installation... 4 Hardware and Software requirements... 5 Deployment... 6 Compatibility... 7 Updates in PC SDK 5.14.03 vs.
More informationExample of Standard API
16 Example of Standard API System Call Implementation Typically, a number associated with each system call System call interface maintains a table indexed according to these numbers The system call interface
More informationHypercosm. Studio. www.hypercosm.com
Hypercosm Studio www.hypercosm.com Hypercosm Studio Guide 3 Revision: November 2005 Copyright 2005 Hypercosm LLC All rights reserved. Hypercosm, OMAR, Hypercosm 3D Player, and Hypercosm Studio are trademarks
More informationSo today we shall continue our discussion on the search engines and web crawlers. (Refer Slide Time: 01:02)
Internet Technology Prof. Indranil Sengupta Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Lecture No #39 Search Engines and Web Crawler :: Part 2 So today we
More informationCatDV Pro Workgroup Serve r
Architectural Overview CatDV Pro Workgroup Server Square Box Systems Ltd May 2003 The CatDV Pro client application is a standalone desktop application, providing video logging and media cataloging capability
More informationAll Your Code Belongs To Us Dismantling Android Secrets With CodeInspect. Steven Arzt. 04.10.2015 Secure Software Engineering Group Steven Arzt 1
All Your Code Belongs To Us Dismantling Android Secrets With CodeInspect Steven Arzt 04.10.2015 Secure Software Engineering Group Steven Arzt 1 04.10.2015 Secure Software Engineering Group Steven Arzt
More informationWorkshop on Network Traffic Capturing and Analysis IITG, DIT, CERT-In, C-DAC. Host based Analysis. {Himanshu Pareek, himanshup@cdac.
Workshop on Network Traffic Capturing and Analysis IITG, DIT, CERT-In, C-DAC Host based Analysis {Himanshu Pareek, himanshup@cdac.in} {C-DAC Hyderabad, www.cdachyd.in} 1 Reference to previous lecture Bots
More informationMobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus
Mobile Application Hacking for Android and iphone 4-Day Hands-On Course Syllabus Android and iphone Mobile Application Hacking 4-Day Hands-On Course Course description This course will focus on the techniques
More informationKnocker main application User manual
Knocker main application User manual Author: Jaroslav Tykal Application: Knocker.exe Document Main application Page 1/18 U Content: 1 START APPLICATION... 3 1.1 CONNECTION TO DATABASE... 3 1.2 MODULE DEFINITION...
More informationMonitoring, Tracing, Debugging (Under Construction)
Monitoring, Tracing, Debugging (Under Construction) I was already tempted to drop this topic from my lecture on operating systems when I found Stephan Siemen's article "Top Speed" in Linux World 10/2003.
More informationFeatures Overview Guide About new features in WhatsUp Gold v14
Features Overview Guide About new features in WhatsUp Gold v14 Contents New Features in Ipswitch WhatsUp Gold v14 Welcome to WhatsUp Gold v14!... 1 About the Welcome Center About the Quick Setup Assistant...
More informationUsing Process Monitor
Using Process Monitor Process Monitor Tutorial This information was adapted from the help file for the program. Process Monitor is an advanced monitoring tool for Windows that shows real time file system,
More informationCS 377: Operating Systems. Outline. A review of what you ve learned, and how it applies to a real operating system. Lecture 25 - Linux Case Study
CS 377: Operating Systems Lecture 25 - Linux Case Study Guest Lecturer: Tim Wood Outline Linux History Design Principles System Overview Process Scheduling Memory Management File Systems A review of what
More informationADVANCED THREATS IN THE ENTERPRISE. Finding an Evil in the Haystack with RSA ECAT. White Paper
ADVANCED THREATS IN THE ENTERPRISE Finding an Evil in the Haystack with RSA ECAT White Paper With thousands of workstations and servers under management, most enterprises have no way to effectively make
More informationParasitics: The Next Generation. Vitaly Zaytsev Abhishek Karnik Joshua Phillips
Parasitics: The Next Generation. Vitaly Zaytsev Abhishek Karnik Joshua Phillips Agenda Overview W32/Xpaj analysis Overview of a virtual machine Software protection trends W32/Winemmem analysis W32/Induc
More informationHost-based Intrusion Prevention System (HIPS)
Host-based Intrusion Prevention System (HIPS) White Paper Document Version ( esnhips 14.0.0.1) Creation Date: 6 th Feb, 2013 Host-based Intrusion Prevention System (HIPS) Few years back, it was relatively
More informationReverse Engineering and Computer Security
Reverse Engineering and Computer Security Alexander Sotirov alex@sotirov.net Introduction Security researcher at Determina, working on our LiveShield product Responsible for vulnerability analysis and
More informationHTC Windows Phone 7 Arbitrary Read/Write of Kernel Memory 10/11/2011
MWR InfoSecurity Advisory HTC Windows Phone 7 Arbitrary Read/Write of Kernel Memory 10/11/2011 Package Name Date 10/11/2011 Affected Versions HTC Windows Phone 7 Phones HTC HD7 confirmed to be vulnerable.
More informationhttp://www.nologin.org Bypassing Windows Hardware-enforced Data Execution Prevention
http://www.nologin.org Bypassing Windows Hardware-enforced Data Execution Prevention Oct 2, 2005 skape mmiller@hick.org Skywing Skywing@valhallalegends.com One of the big changes that Microsoft introduced
More informationSandy. The Malicious Exploit Analysis. http://exploit-analysis.com/ Static Analysis and Dynamic exploit analysis. Garage4Hackers
Sandy The Malicious Exploit Analysis. http://exploit-analysis.com/ Static Analysis and Dynamic exploit analysis About Me! I work as a Researcher for a Global Threat Research firm.! Spoke at the few security
More informationCustom Penetration Testing
Custom Penetration Testing Compromising a Vulnerability through Discovery and Custom Exploitation Stephen Sims Advanced Penetration Testing - 2009 SANS 1 Objectives Penetration Testing Precompiled Tools
More informationESET Endpoint Security 6 ESET Endpoint Antivirus 6 for Windows
ESET Endpoint Security 6 ESET Endpoint Antivirus 6 for Windows Products Details ESET Endpoint Security 6 protects company devices against most current threats. It proactively looks for suspicious activity
More informationSandbox Roulette: Are you ready for the gamble?
Sandbox Roulette: Are you ready for the gamble? Rafal Wojtczuk rafal@bromium.com Rahul Kashyap rahul@bromium.com What is a sandbox? In computer security terminology, a sandbox is an environment designed
More informationBitrix Site Manager 4.1. User Guide
Bitrix Site Manager 4.1 User Guide 2 Contents REGISTRATION AND AUTHORISATION...3 SITE SECTIONS...5 Creating a section...6 Changing the section properties...8 SITE PAGES...9 Creating a page...10 Editing
More informationSIMATIC. WinCC V7.0. Getting started. Getting started. Welcome 2. Icons 3. Creating a project 4. Configure communication 5
SIMATIC WinCC V7.0 SIMATIC WinCC V7.0 Printout of the Online Help 1 Welcome 2 Icons 3 Creating a project 4 Configure communication 5 Configuring the Process Screens 6 Archiving and displaying values 7
More informationRSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst
ESG Lab Review RSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst Abstract: This ESG Lab review documents
More informationAdobe Flash Player and Adobe AIR security
Adobe Flash Player and Adobe AIR security Both Adobe Flash Platform runtimes Flash Player and AIR include built-in security and privacy features to provide strong protection for your data and privacy,
More informationBug hunting. Vulnerability finding methods in Windows 32 environments compared. FX of Phenoelit
Bug hunting Vulnerability finding methods in Windows 32 environments compared FX of Phenoelit The goal: 0day What we are looking for: Handles network side input Runs on a remote system Is complex enough
More informationSecuring Your Business s Bank Account
Commercial Banking Customers Securing Your Business s Bank Account Trusteer Rapport Resource Guide For Business Banking January 2014 Table of Contents 1. Introduction 3 Who is Trusteer? 3 2. What is Trusteer
More informationJorix kernel: real-time scheduling
Jorix kernel: real-time scheduling Joris Huizer Kwie Min Wong May 16, 2007 1 Introduction As a specialized part of the kernel, we implemented two real-time scheduling algorithms: RM (rate monotonic) and
More informationCompute Cluster Server Lab 3: Debugging the parallel MPI programs in Microsoft Visual Studio 2005
Compute Cluster Server Lab 3: Debugging the parallel MPI programs in Microsoft Visual Studio 2005 Compute Cluster Server Lab 3: Debugging the parallel MPI programs in Microsoft Visual Studio 2005... 1
More informationProcon Frostbite 1.1 and subsequent releases End User License Agreement Revised: April 7, 2015
Procon Frostbite 1.1 and subsequent releases End User License Agreement Revised: April 7, 2015 THIS IS A LEGAL AGREEMENT between "you", the individual, company, or organisation utilising Procon Frostbite
More informationSoftware security. Buffer overflow attacks SQL injections. Lecture 11 EIT060 Computer Security
Software security Buffer overflow attacks SQL injections Lecture 11 EIT060 Computer Security Buffer overflow attacks Buffer overrun is another common term Definition A condition at an interface under which
More informationHow To Protect Your Data From Being Hacked On Security Cloud
F-SECURE SECURITY CLOUD Purpose, function and benefits October 2015 CONTENTS F-Secure Security Cloud in brief 2 Security Cloud benefits 3 How does Security Cloud work? 4 Security Cloud metrics 4 Security
More information