
Remember when they told you that kernel-mode anticheat was perfectly safe?

Once these drivers are signed by Microsoft, they can be loaded into *any* Windows system, even if you don't play the game they're from.

@r000t Might not even need loading in some cases. I've seen people complaining that Genshit keeps the driver in the system even after being uninstalled. Once again, anticheat is cancer.

@mint @r000t Used to be that way, but they changed that after the backlash

@s8n
I don't understand how so many people fell for something literally called "Gotcha!"

@r000t it makes more sense when you realize there are people on the fediverse who named themselves "lolifeet"

@Mek101@mstdn.io @r000t@infosec.exchange I already suck at CSGO. Seems like a knock-off of that, but you get banned for being toxic in voice chat

Idk seems kinda cringe

@r000t "Kernel mode anti-cheat", or as it used to be called, a rootkit.

@r000t wait how does it work if you don't have Genshin Impact installed?

@ae
They just ship the .sys file separately, ask the OS to load it, and then they can abuse it. The driver has been "vouched for" by Microsoft.

@r000t Oh, lol, I forgot to read your second sentence.

@r000t @ae this is what I'm talking about. Vouched for by Microsoft or not, it's bullshit that a kernel module can be installed without your explicit instruction. I'm assuming that because Microsoft approved it, it doesn't need admin/UAC authorisation like unvalidated drivers do?

@AgreeableLandscape @r000t It's so stupid. They went out of their way to make it less secure.

@ae @r000t if you have execute access you install the anti cheat or grab the DLLs needed, ???, Win

@r000t@infosec.exchange Wait, I do not understand that. If a driver is signed by Microsoft, then EVEN NON-ADMIN USERS can load them?

That... sucks. But it explains finally to me why that github project that contains a huge .h file with the driver is a real PoC :)

@r000t Watch: Once this bug is patched, the kernel anticheat will be 100% safe, trust me

@r000t i don't want to say i called it, but i hella called it

@r000t And can I just add as a quick postscript to this "I told you so" gamer moment:
>Jack off to jpegs in a video game
>Computer ruined
>Don't jack off to jpegs in a video game
>Computer still ruined
>Jack off to jpegs on a booru
>Computer not ruined
Chalk up another W for the secondary^W tertiary coomers that just want to blast rope to your favorite gatchashit wife on rule34.xxx. They can't keep getting away with it.

@r000t@infosec.exchange how do you even run it if you don't have genshit installed? Also what is the implication of this for wine?

@sarvo
The key here is that drivers must be digitally "vouched for" by Microsoft. If Microsoft gave their signature to a driver, Windows will consider it to be valid.

So, if you're malware, you just pluck the driver file from Genshin and zip it up with the rest of the malware.

Wine is an implementation of the Win32 API and to the best of my knowledge cannot deal with Windows drivers. But I could be wrong.
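A defender-side check for the situation described above, added here and not taken from the thread: inventory every kernel driver registered as a Windows service, including ones that are stopped or set to Manual start, and show which certificate signed each binary. It assumes an elevated PowerShell session on Windows and names no particular driver; the signer-subject filter is my own heuristic.

```powershell
# Added example, not from the thread: list kernel-driver services (running or
# not) with their signer, so third-party drivers that stay registered after an
# uninstall stand out. Assumes an elevated PowerShell session on Windows.

function Get-KernelDriverReport {
    foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) {
        $path = $d.PathName
        if (-not $path) { continue }

        # Service image paths come in several notations; normalise to a file path.
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not [System.IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot $path
        }
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Name      = $d.Name
            State     = $d.State       # Running / Stopped
            StartMode = $d.StartMode   # Boot / System / Auto / Manual / Disabled
            Status    = $sig.Status    # Valid / NotSigned / HashMismatch / ...
            Signer    = $sig.SignerCertificate.Subject
            Path      = $path
        }
    }
}

$report = Get-KernelDriverReport

# Heuristic (assumption): Windows' own inbox drivers are signed with a subject
# starting "CN=Microsoft Windows,", while third-party drivers that Microsoft has
# "vouched for" carry a different Microsoft subject (the Hardware Compatibility
# Publisher). Matching on the trailing comma keeps those third-party drivers,
# and anything unsigned, in the list.
$thirdParty = $report | Where-Object { $_.Signer -notmatch '^CN=Microsoft Windows,' }

# Stopped but still registered entries are the "still there after uninstall" case.
$thirdParty | Sort-Object State, Name |
    Format-Table Name, State, StartMode, Status, Signer -AutoSize
```

Anything listed as Stopped with StartMode Manual is a driver that is not running now but can still be started later; review whether you expect it to be there at all.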

@r000t @sarvo in general, I think it's a bad idea to make Windows exes directly executable through Wine. It's much safer to have to do `wine program.exe` instead of being able to do `./program.exe`. Plenty of malware, including ransomware, doesn't need any sort of higher privileges to do damage. If you have your home folder mapped to "C:\Users\You" in Wine, that can and will be encrypted immediately; people tried this exact thing with WannaCry and it worked.

@r000t @sarvo Windows drivers are in no way compatible with the Linux kernel. It's the main reason why you can't play Genshin or Valorant through Wine

@Mek101 @r000t @sarvo The reason they don't want to add support (which would easily be done) is because custom kernels are an issue, whereas Windows kernels are the same and are known to be running a specific configuration.

@inference @r000t @sarvo There are two solutions:
1 - make the modules FOSS, so that distros ship them
2 - publish FOSS adapters that bridge the kernel API to a stable ABI you can link against

@Mek101 @r000t @sarvo Unsure if you're talking compatibility here, but I'm talking custom kernels designed for cheating.

Can't happen on Windows without a critical exploit, but Linux allows this as part of kernel compilation.

@sarvo @r000t Via binary patching. Knew that, did that, but keeping up the Genshin patch is 1 guy in a notabug repo. I wouldn't be surprised if he already took the project down

@Mek101@mstdn.io @r000t@infosec.exchange it's like Fight Club, but you can send me a DM or a message on XMPP

@r000t not defending kernel mode anticheats, but I think the bigger problem here is Windows's Swiss cheese level kernel module management.

@iska @r000t I'm not sure of that. After all, Linux is infamous for being an absolute pain to install kernel mode drivers, and that's when you WANT to get software into the kernel. That's why it matters so much if a processor or GPU is mainline supported. Meanwhile, Windows doesn't even ask for your password. Just a UAC prompt.

@iska @r000t also, make sure you can never, ever do `sudo wine [whatever]` on your machine. That's just asking to be screwed.

@AgreeableLandscape
> Windows doesn't even ask for your password. Just a UAC prompt.

Depends on the security policy on the current machine. Mine, for example, asks for the admin password on UAC.

@iska @r000t

@AgreeableLandscape @r000t
`sudo modprobe anti~christ~cheat`

> Just a UAC prompt

Only true when you use an admin (root) account.

@iska @r000t yeah, but this specific vulnerability hinges on not requiring UAC authorisation to install the anticheat. Like, if you need to sudo it, it's a lot less of a threat.

@AgreeableLandscape
There's a higher level than any interactive administrator account on a Windows system, called NT AUTHORITY\SYSTEM, and this is the level drivers and this sort of anticheat run at.

This is the level you would need to be to start doing really nasty things like keylogging, hiding processes/network/file activity, and generally making your computer gaslight you. This also means it can gaslight any antivirus you may be running.
@iska

@r000t @iska this just goes with the theme that you don't own your Windows system that Microsoft is going for. You're merely a guest on the OS you paid for.

@iska @AgreeableLandscape @r000t but the real question is what will it do, and I'm going to use someone else's phone to find out

@AgreeableLandscape @iska @r000t You shouldn't be daily driving an admin account exactly for this reason. Same as root on Unix.

Max out UAC, don't use admin, safe.

@iska @AgreeableLandscape @r000t Nay, on Linux you still need to perform the operation as root. Plus the kernel module API/ABI is not even stable, so you would have to package a different module for almost any combination of distro/kernel version you want to attack

@r000t I've seen that on r/PlayOnLinux. But the worst thing is that this anticheat can be deactivated with one patch on the binary of the game. (That's how you can launch that game on Linux.)

So this game comes with an anticheat that embeds itself in the kernel, so that players can't cheat. But the game is mainly a solo campaign with the ability to invite others to visit. So why bother with an anticheat on the client? Just put an anticheat on the servers! But even worse, the anticheat does nothing if you patch the game to stop calling it... so it's not even needed for anything. This anticheat is literally a dormant virus. But then someone started to wake up this virus.

PS: I want to get a custom server, with that I could play even after the end of life of this game. Because the game itself and the story are interesting, but the implementation is bad.

@r000t@infosec.exchange I want GNU/Genshin Impact now I know they have a kernel.

@r000t
And I'm such a fool that I tried to run #GenshinImpact on my daughter's Ubuntu laptop using #wine 😀

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.