Remember when they told you that kernel-mode anticheat was perfectly safe?
Once these drivers are signed by Microsoft, they can be loaded into *any* Windows system, even if you don't play the game they're from.
They just ship the .sys file separately, ask the OS to load it, and then they can abuse it. The driver has been "vouched for" by Microsoft.
@email@example.com Wait, I do not understand that. If a driver is signed by Microsoft, then EVEN NON-ADMIN USERS can load them?
That... sucks. But it finally explains to me why that GitHub project that contains a huge .h file with the driver is a real PoC :)
@firstname.lastname@example.org how do you even run it if you don't have genshit installed? Also what is the implication of this for wine?
The key here is that drivers must be digitally "vouched for" by Microsoft. If Microsoft gave their signature to a driver, Windows will consider it to be valid.
So, if you're malware, you just pluck the driver file from genshin, and zip it up with the rest of the malware.
Wine is an implementation of the Win32 API and to the best of my knowledge cannot deal with Windows drivers. But I could be wrong.
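As an added defender-side illustration (not from any poster in this thread): the kind of audit an administrator can run to list every running kernel driver with its file path and Authenticode signer, so that a validly signed driver that has no business being on the machine (a game's anticheat driver on a box without the game, say) stands out. It uses only stock cmdlets and assumes an elevated Windows PowerShell 5.1 or later session.

```powershell
# Added audit script, not from the thread. Assumes an elevated PowerShell session.
function Resolve-DriverPath {
    param([string]$RawPath)
    # Win32_SystemDriver.PathName comes in NT-style forms; normalise to a Win32 path
    if ([string]::IsNullOrWhiteSpace($RawPath)) { return $null }
    $p = $RawPath -replace '^\\\?\?\\', ''                         # strip the \??\ prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot               # \SystemRoot\... -> C:\Windows\...
    $p = $p -replace '^system32\\', "$env:SystemRoot\system32\"     # bare system32\drivers\x.sys
    return $p
}

$driversDir = Join-Path $env:SystemRoot 'System32\drivers'

Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' } |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        $sig  = if ($path -and (Test-Path $path)) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Name      = $_.Name
            Path      = $path
            SigStatus = if ($sig) { $sig.Status } else { 'FileNotFound' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # a signed driver living outside the normal drivers folder deserves a second look
            OutsideDriversDir = $path -and -not $path.StartsWith($driversDir, [System.StringComparison]::OrdinalIgnoreCase)
        }
    } |
    Sort-Object OutsideDriversDir -Descending |
    Format-Table -AutoSize
```

Because a driver that went through Microsoft's signing carries a Microsoft signer, the Signer column alone does not tell you who wrote it; compare the Name and Path columns against what you expect to be installed on that machine.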
@r000t @sarvo in general, I think it's a bad idea to make Windows exes directly executable through Wine. It's much safer to have to do `wine program.exe` instead of being able to do `./program.exe`. Plenty of malware, including ransomware, doesn't need any sort of higher privileges to do damage. If you have your home folder mapped to "C:\Users\You" in Wine, that can and will be encrypted immediately; people tried this exact thing with WannaCry and it worked.
@r000t not defending kernel mode anticheats, but I think the bigger problem here is Windows's Swiss cheese level kernel module management.
@iska @r000t I'm not sure of that. After all, Linux is infamous for making it an absolute pain to install kernel-mode drivers, and that's when you WANT to get software into the kernel. That's why it matters so much if a processor or GPU is mainline supported. Meanwhile, Windows doesn't even ask for your password. Just a UAC prompt.
There's a higher level than any interactive administrator account on a Windows system, called NT AUTHORITY\SYSTEM, and this is the level drivers and this sort of anticheat run at.
This is the level you would need to be to start doing really nasty things like keylogging, hiding processes/network/file activity, and generally making your computer gaslight you. This also means it can gaslight any antivirus you may be running.
@r000t I’ve seen that on r/PlayOnLinux. But the worse thing is that this anticheat can be deactivated in one patch on the binary of the game. (That’s how you can launch that game on Linux.)
So this game comes with an anticheat that embeds itself in the kernel, so that players can’t cheat. But the game is mainly a solo campaign with the ability to invite others to visit. So why bother with an anticheat on the client? Just put an anticheat on the servers! But even worse, the anticheat does nothing if you patch the game to stop calling it… so it’s not even needed for anything. This anticheat is literally a dormant virus. But then someone started to wake up this virus.
PS: I want to get a custom server; with that I could play even after the end of life of this game. Because the game itself and the story are interesting, but the implementation is bad.
A Mastodon instance for info/cyber security-minded people.