Game Blocks Anti Cheat
This Anti-Cheat system implements a variety of techniques to invalidate any memory injection into your most important stored values during game runtime. Just like CheatEngine injects code in your game, this Plugin enables you to fight back and punch the cheater in non-intrusive ways.
So, Riot Games, are we finally going to see Valorant’s Vanguard anti-cheat in action? I think it’s already too late, and you need to step up your game, and instead of blocking Gigabyte’s RGB Fusion, exile the cheaters out of honest players’ way.
A user on Reddit said they cannot access their files even while outside the game and suspects Vanguard is used for data mining more than just being an anti-cheat software. The software apparently blocks programs such as OpenHardware Monitor, CoreTemp, MSI AfterBurner, MSI Mystic Light and other motherboard apps for RGB and fan control.
Hello guys, My Streamlabs Settings: Game capture mode and I use the anti-cheat compatibility hook. When I want to stream CS GO in untrusted mode with '-allowthirdpartysoftware' without Faceit Anti cheat my game doesn't crash, but when I start it with Faceit's anti cheat my game will automatically crash.
'Many games that use anti-cheat software have released fixes for the issue causing PCs to bugcheck (GSOD),' the company wrote in an update last night (via OnMSFT). The Windows maker added that 'the.
There's been a lot of buzz the past few days about VALORANT's anti-cheat operating at the kernel level, so I looked into this a bit. Whether this persuades you that VALORANT is safe or that you should be more wary in other games, here is a list of other popular games that use kernel-level anti-cheat systems, specifically Easy Anti-Cheat and BattlEye.
Developer(s) | INCA Internet Co., Ltd. |
---|---|
Operating system | Microsoft Windows |
Type | Anti-cheating |
License | Proprietary |
Website | nprotect.com |
nProtect GameGuard (sometimes called GG) is an anti-cheating rootkit developed by INCA Internet. It is widely installed in many online games to block possibly malicious applications and prevent common methods of cheating.[1][2][3] nProtect GameGuard provides B2B2C (Business to Business to Consumer) security services for online game companies and portal sites. The software is considered to be one of three software programs which 'dominate the online game security market'.[4]
GameGuard uses rootkits to proactively prevent cheat software from running.[5] GameGuard hides the game application process, monitors the entire memory range, terminates applications defined by the game vendor and INCA Internet to be cheats (QIP for example[citation needed]), blocks certain calls to DirectX functions and Windows APIs, keylogs keyboard input[citation needed], and auto-updates itself to change as new possible threats surface.[1]
Since GameGuard essentially works like a rootkit,[2][6] players may experience unintended and potentially unwanted side effects. If set, GameGuard blocks any installation or activation of hardware and peripherals (e.g., a mouse) while the program is running. Since GameGuard monitors any changes in the computer's memory, it will cause performance issues when the protected game loads multiple or large resources all at once.[7]
Additionally, some versions of GameGuard had an unpatched privilege escalation bug, allowing any program to issue commands as if they were running under an Administrator account.[8]
GameGuard possesses a database on game hacks based on security references from more than 260 game clients. Some editions of GameGuard are now bundled with INCA Internet's Tachyon anti-virus/anti-spyware library, and others with nProtect Key Crypt, an anti-key-logger software that protects the keyboard input information.
List of online games using GameGuard
GameGuard is used in many online games.[3][9][10]
- Elsword (no longer used as of March 29th, 2017)[11]
- Lineage 1 & 2
References
1. Stevens, Scott M.; Saldamarco, Shirley, eds. (2008). Entertainment Computing – ICEC 2008: 7th International Conference. Springer Science+Business Media. p. 96. ISBN 978-3-540-89221-2.
2. Fahey, Mike (18 September 2009). 'Hooray! Aion Drops GameGuard For Launch'. Kotaku. Retrieved 2 February 2016.
3. le Ricque, Edouard (25 November 2011). 'L.A. Noire sur PC : Kaspersky n'aime pas'. Tom's Guide France. Archived from the original on 26 November 2011. Retrieved 2 February 2016.
4. Sung-mi, Kim (11 September 2012). 'Wiselogic, the Hidden Champion in Online Game Security'. The Korea IT Times. Seoul, South Korea. Retrieved 2 February 2016.
5. Cano, Nick (2016). Game Hacking: Developing Autonomous Bots for Online Games. William Pollock. p. 248. ISBN 1593276699.
6. 'RootRepeal – Rootkit Detector'. Google. Retrieved 3 February 2016. Quote: '...many antivirus programs and some games (for example, nProtect GameGuard) use rootkit-like technology to hide or protect themselves.'
7. Spohn, Steve (14 September 2009). 'GameGuard Shuts Down Disabled Gamers'. The AbleGamers Foundation. Archived from the original on 20 November 2009. Retrieved 4 February 2016.
8. 'CVE-2005-0295 : npptnt2.sys in nProtect Gameguard provides unrestricted I/O to any process that calls it, which allows local users to gain privileges'. Retrieved 25 February 2017.
9. 'nProtect gameGuard Partner'. Archived from the original on 18 August 2012. Retrieved 27 August 2007.
10. 'GameGuard Errors'. NCSOFT. Retrieved 3 February 2016.
11. 'Announcing Our New Anti-Hacking Partner XIGNCODE3'. elsword.koggames.com. Retrieved 23 November 2020.
This is a brief informational piece for readers who don’t come from a deep technical background in cheats, anti-cheats, drivers or related topics. It’s come to our attention that many people are wondering why certain anti-cheats block or log when a player has overclocking/tuning software open. I’ll start off by explaining why these types of software require drivers, then show a few examples of why they’re dangerous and provide information about the dangerous recycling of code that makes the end-user vulnerable. Recycling code out of convenience at the risk of your end-users is a lazy decision that can result in damage to your system. In this case, the code is recycled from sites like kernelmode.info, OSR Online, and so on. The drivers that are used by this software are particularly problematic and would be the first targets I’d look for if I was looking to exploit a large population of people - gamers and tech enthusiasts would be a good crowd because of the tools presented below. This is by no means an exhaustive list; I’m only addressing a few drivers that are/have been exploited in cheating communities. There are dozens if not hundreds in the wild. Let’s cover the reasoning for a driver with these types of software.
Notice: We are not affiliated with game publishers or anti-cheat vendors, paid or otherwise.
Hardware monitoring/overclocking tools have been rising in popularity in the last half-decade with the growth in professional gaming, and technical requirements to run certain games. These tools query various system components like GPU, CPU, thermal sensors, and so on; however, this information isn’t easily acquired by a user. For example, to query the on-die digital temperature sensor to get temperature data for the CPU an application would need to perform a read on a model-specific register. These model-specific registers and the intrinsics to read/write them are only available when operating at a higher privilege level such as ring-0 (where drivers operate). A model-specific register (MSR) is a type of register that is part of the x86 instruction set. As the name suggests, some registers are present on certain processors while others are not - making them model-specific. They’re primarily used for storing platform specific information, and CPU feature information; they can also be used in performance monitoring or thermal sensor monitoring. Intel decided to provide two instructions in the x86 ISA that allowed for privileged software (operating system or otherwise) to read or write model-specific registers. The instructions are rdmsr and wrmsr, and allow a privileged actor to modify or query the state of one of these registers. There is an extensive list of MSRs that are available for Intel and AMD processors that can be found in their respective SDM/APM. The significance of this is that much of the information in these MSRs should not be modified by any tasks, privileged or not. There is rarely a need to do so even when writing device drivers.
Many drivers for hardware monitoring software allow an unprivileged task (in terms of privilege level, excluding Admin requirements) to read/write arbitrary MSRs. How does that work? Well, the drivers must have a mode of communication available so that they can read privileged data from an unprivileged application, and these drivers provide that interface. It’s important to reiterate that the majority of hardware monitoring/overclocking drivers that come packaged with the client application have much more, albeit unnecessary, functionality available through this communication protocol. The client application, let’s say the CPUZ desktop application, uses a Windows API function named DeviceIoControl. In the simplest sense, CPUZ calls DeviceIoControl with an IO control code that is known to the developers to perform a read of an MSR like the on-die digital temperature sensor. This isn’t an inherently dangerous thing. What’s problematic is that these drivers implement additional functionality that is outside the scope of the software and expose it through this same interface - like writing to MSRs, or physical memory.
So, if only the developers know the codes then why is it an issue? Reverse engineering is a fruitful endeavor. All an attacker has to do is get a copy of the driver, load it into their desired disassembler like IDA Pro, and look for the IOCTL handler. This is an IOCTL code in the CPUZ driver which is used to send 2 bytes out 2 different I/O ports - 0xB2 (broadcast SMI) and 0x84 (output port 4). This is interesting because you can force SMI using port 0xB2 which allows entry to System Management Mode. However, this doesn’t really accomplish anything significant; it’s just interesting to note. The SMI port is primarily used for debugging.
Now, let’s take a look at a driver, shipped from Intel, that allows every operation an attacker could dream of.
Undisclosed Intel driver
This driver was packaged with a diagnostic tool created by Intel. It allows for many different operations, the most problematic of which is the ability for an unprivileged application to write directly to a memory page in physical memory.
Note: Unprivileged application meaning an application running at a low privilege level (ring-3), despite the requirement of Admin rights to carry out the DeviceIoControl request.
Among other things, it allows direct port IO (which is supposed to be a privileged operation) which can be abused to cause all sorts of issues on a target machine. In the hands of a malicious actor, it could be used to perform a denial-of-service by writing to an IO port that can be used to hard reset the processor.
As a diagnostic tool from Intel, the operations make some sense. However, this is a signed driver associated with a public tool and in the wrong hands could be abused to wreak havoc, in this case, on a game. The ability to read and write physical memory means that an attacker can access a game’s memory without having to do traditional things like open a handle to the process and use Windows APIs to assist in reading the virtual memory. It’s a bit of work for the attacker, but that’s never stopped any motivated individual. Well, I don’t use this diagnostic tool - so who cares? Take a look at the next two tools that use vulnerable drivers.
HWMonitor
I’ve seen it mentioned before around different communities for overclocking, general diagnostics, and for people that don’t have enough fans in their case to prevent them from overheating. This tool carries a driver that is also quite problematic with the functionality provided. The screenshot below shows a different method of reading a portion of physical memory via MmMapIoSpace. This would be useful for an attacker to use against a game under the guise of being a trusted hardware monitoring tool. What about writing to those model-specific registers? This tool has no business writing to any MSRs yet exposes a control case where the right code allows a user to write to any model-specific register. Here’s two images of different IOCTL blocks in HWMonitor.
As a bonus, the driver that HWMonitor uses is also the driver that CPUZ uses! If an anti-cheat were to simply block HWMonitor - the application - from running the attacker could simply pull up CPUZ and have the same capabilities. This is an issue because, as mentioned earlier, model-specific registers are meant to be read/written to by system software. Exposing these registers to the user through any sort of unchecked interface gives an attacker the ability to modify system data they should otherwise not have access to. It allows attackers to circumvent protections that may be put in place by a third-party such as an anti-cheat. An anti-cheat can register callbacks such as the ExCbSeImageVerificationDriverInfo, which allows the driver to get information about a loaded driver. Utilizing a trusted driver lets the attackers go undetected. Many personally signed drivers are logged/flagged/dumped by some anti-cheats and certain ones that are WHQL or from a vendor like Intel are inherently trusted. This callback is also one method anti-cheats use to prevent drivers, like the packaged driver for CPUZ, from loading; or just noting that they are present even if the name of the driver is modified.
MSI Afterburner
At this point, it’s probably clear why many of these drivers are blocked from loading by anti-cheat software. I’ll let this exploit-db page speak for MSI Afterburner. It’s just as bad as the aforementioned drivers and to preserve the integrity of the system and game it’s reasonable for anti-cheats to prevent it from loading.
These vulnerabilities have since been patched; this is merely an example of the type of behavior in many tools. While MSI responded appropriately and updated Afterburner, not all OC/monitoring tools have been updated.
It should make sense now, regardless of how unfortunate, why some anti-cheats prevent the loading of these types of drivers. I’ve seen various arguments against this tactic, but in the end, the anti-cheat’s job is to protect the integrity of the game and maximize the quality of gameplay. If that means you can’t run your hardware monitoring tool then you’re just going to have to shut it off to play. Cheaters in games have been using these drivers since late 2015/2016, and maybe even before that (however, the first PoC wasn’t public on a large cheating forum before then). Blocking them is necessary to ensure that the anti-cheat is not being tampered with through a trusted third-party driver and that the game is protected from hackers using this method of attack. It’s understandable that being unable to use monitoring tools is frustrating, but rather than blame the anti-cheat, blame the vendors of these types of software that are recycling dangerous code and putting your system at risk regardless of the game you play. If I were an attacker, I would definitely consider using one of these many drivers to compromise a system.
A solution for some of the companies would be to simply remove the unnecessary code like mapping physical memory, writing to model-specific registers, writing to control registers, and so on. Maintaining read-only access to thermal sensors and other component-related data would be much less of an issue.
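The fix proposed above, sketched as the input check a monitoring driver's IOCTL handler could run before touching any register. This is an added example, not code from the original article or from any vendor's driver: the request layout, op codes and function names are hypothetical, and the three MSR indices are the thermal registers as named in the Intel SDM.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical request layout and op codes, invented for this example. */
enum msr_op { MSR_OP_READ = 1, MSR_OP_WRITE = 2 };
struct msr_request {
    uint32_t op;    /* enum msr_op, supplied by the user-mode client */
    uint32_t index; /* MSR number the client asks for */
};
enum msr_verdict { MSR_ALLOW, MSR_DENY_SIZE, MSR_DENY_OP, MSR_DENY_INDEX };

/* Thermal registers a monitoring tool needs (Intel SDM names). */
static const uint32_t readable_msrs[] = {
    0x19C, /* IA32_THERM_STATUS: per-core digital thermal sensor */
    0x1A2, /* MSR_TEMPERATURE_TARGET: reference temperature */
    0x1B1, /* IA32_PACKAGE_THERM_STATUS: package-level sensor */
};

/* Validate the untrusted input buffer before any MSR is touched.
   Anything that is not an allowlisted read is rejected. */
enum msr_verdict msr_request_check(const void *buf, size_t len)
{
    const struct msr_request *req = buf;
    size_t i, n = sizeof(readable_msrs) / sizeof(readable_msrs[0]);

    if (buf == NULL || len != sizeof(*req))
        return MSR_DENY_SIZE;
    if (req->op != MSR_OP_READ)
        return MSR_DENY_OP; /* the interface has no write path */
    for (i = 0; i < n; i++)
        if (req->index == readable_msrs[i])
            return MSR_ALLOW;
    return MSR_DENY_INDEX;
}

int main(void)
{
    /* Constructed sample requests. */
    struct msr_request ok = { MSR_OP_READ, 0x19C };
    struct msr_request wr = { MSR_OP_WRITE, 0x19C };
    struct msr_request other = { MSR_OP_READ, 0x10 };

    printf("thermal read: %d\n", (int)msr_request_check(&ok, sizeof ok));
    printf("write:        %d\n", (int)msr_request_check(&wr, sizeof wr));
    printf("other index:  %d\n", (int)msr_request_check(&other, sizeof other));
    return 0;
}
```

In a real driver the same check would sit at the top of the device-control dispatch routine, with the buffer length taken from the I/O request rather than passed by the caller.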
This is by no means an extensive article, just a brief information piece to help players/users understand why their hardware monitoring/overclocking tools are blocked by an anti-cheat.