The MASM Forum Archive 2004 to 2012

General Forums => The Campus => Topic started by: theunknownguy on March 24, 2010, 01:31:10 AM

Title: Security issues
Post by: theunknownguy on March 24, 2010, 01:31:10 AM
Hey, I am not against the forum rules on this and I will just ask the question and expect "IDEAS" not "CODE" (I don't want any of this used by others as malware).

On my security project I pretty much do all I can without being too invasive (it's for game protection), but I really need to block some "APIs" from being used by all processes except mine (yeah, too invasive).

For this I was thinking, OK, the typical DLL injection like most anti-cheats out there do, but looking further ahead there is a technique used by attackers where they copy the EPILOG of the API, execute it and later jump to the rest of the API, to avoid CRC, hook jumps, etc., etc.

So I just developed a system to copy the whole API (can't tell how) without any bug (and portable from XP to Win7) to my own space and do the checks there, preventing the attacker from using the EPILOG method.

Question is:

Do you know of any other issue concerning DLL injection or the method I describe?

If you know a better solution (let's not get into ethics bullshit) please post it without CODE, just the idea.

Thanks.
Title: Re: Security issues
Post by: clive on March 24, 2010, 01:52:46 AM
Quit wasting your time on this. Focus on the game. Your adversaries are smarter and better equipped.

-Clive
Title: Re: Security issues
Post by: theunknownguy on March 24, 2010, 01:59:45 AM
Quote from: clive on March 24, 2010, 01:52:46 AM
Quit wasting your time on this. Focus on the game. Your adversaries are smarter and better equipped.

-Clive

Not quite, clive, I tested my security system on many games (private servers) and it still isn't bypassed.

I am not discussing whether "I need to continue the project".

I already have deals with a big game company for some amount of money, so it isn't like thinking "my adversaries are smarter".

Also I don't want to discuss the features or anything related to what my security system does, since I would be breaking forum rules.

Just asking if there is some issue some of you guys have already encountered with this kind of protection (injecting) and if you know in "theory" a better way of protection without being that invasive.

PS: I already do kernel tricks, CRC, metamorph code, obfuscation, relocate game procedures to virtual space and encrypt them, and also server-side protection. Just asking for a better idea to protect against some "APIs".

Thanks.
Title: Re: Security issues
Post by: redskull on March 24, 2010, 02:20:24 AM
Quote from: theunknownguy on March 24, 2010, 01:31:10 AM
...I really need to block some "APIs" from being used by all processes except mine

What you are trying to program is malware, albeit perhaps entertaining.  Asking for ideas will probably get just as little help as asking for code.  Like clive said.

-r
Title: Re: Security issues
Post by: theunknownguy on March 24, 2010, 02:34:42 AM
Quote from: redskull on March 24, 2010, 02:20:24 AM
Quote from: theunknownguy on March 24, 2010, 01:31:10 AM
...I really need to block some "APIs" from being used by all processes except mine

What you are trying to program is malware, albeit perhaps entertaining.  Asking for ideas will probably get just as little help as asking for code.  Like clive said.

-r

Do you guys call security systems like GameGuard, XTrap, etc. malware?...

I don't ask for code so as not to break the rules, I am also not asking for ideas on how to accomplish this, I have much knowledge about how the business works...

Just asking if any of you guys, who seem to be more intelligent than the rest of the other forums, know any other way to stop this without being that invasive.

This is an issue that most game companies don't like (the invasive detection).

PS: I don't post this in the debate section since I am not asking for a moral opinion on whether this is malware for "you" (for most game companies it isn't). Also limit yourself to reading that I am not asking for code or ideas on how to accomplish such things (I have everything done), as I limited myself to reading the forum rules.
Title: Re: Security issues
Post by: oex on March 24, 2010, 02:38:55 AM
You have already introduced a serious insecurity into your product in your postings :lol, it might be best to stop now
Title: Re: Security issues
Post by: theunknownguy on March 24, 2010, 02:41:19 AM
Quote from: oex on March 24, 2010, 02:38:55 AM
You have already introduced a serious insecurity into your product in your postings :lol, it might be best to stop now

Insecurity about being too invasive, I remember this insecurity at the INCA company at first too ^^...

Almost the same insecurity Symantec felt when PatchGuard came.

Insecurity is part of all projects I believe, it makes you think your decisions through "better".
Title: Re: Security issues
Post by: clive on March 24, 2010, 03:09:46 AM
Quote from: theunknownguy
Do you guys call security systems like GameGuard, XTrap, etc. malware?...

Yes, pretty much. You are trying to subvert the operating system by interfering with things outside the scope of your own executable. You want to run everyone else's code in a sandbox. Replace an OS with thousands of man-years of development behind it. If you want to own the box you need an XBox or PlayStation model with a chain of custody and signed code. A PC running millions of lines of other people's code, which you can't possibly test effectively, is not something you want to be interfering with. The ass clowns at McAfee and Norton can't get it right, and they are surely better equipped and resourced than you or I.

Hardware companies spend millions of dollars, and dozens of man-years building "secure" systems. The problem is some guy in his basement with perhaps $10K worth of surplus equipment, and an afternoon to waste, can break these things. Software is even worse, you have hundreds or thousands of eyes, and rapid distribution and duplication.

Your best hope is to secure everything you can on the server side, and then within your application and a device driver.

-Clive
Title: Re: Security issues
Post by: theunknownguy on March 24, 2010, 03:19:42 AM
Quote from: clive on March 24, 2010, 03:09:46 AM
Quote from: theunknownguy
Do you guys call security systems like GameGuard, XTrap, etc. malware?...

Software is even worse, you have hundreds or thousands of eyes, and rapid distribution and duplication.

Your best hope is to secure everything you can on the server side, and then within your application and a device driver.

-Clive

Agreed, I try to secure as much as I can on the server side and in my device driver, but it's x32 and x64 mode... I would love for x32 to have PatchGuard.

I also don't like the invasive system but it's needed, how could I possibly stop someone from using "SendInput" (example) if not by RING0 or RING3 hooks?


I pretty much like the idea of a secure kernel too, on x64 I have a process to detect if PatchGuard is edited (without touching it, of course) and the driver is going to be verified by VeriSign.

But this is probably the last "issue" I have about secure systems for "games" (the usage of some APIs for malicious purposes).

Personally I feel very touched when Symantec requested from Microsoft that security programs have to get access to the kernel.
It's unfair, since an attacker doesn't care if he gets a BSOD over and over, he will finally succeed, but the security companies can't be playing with buyers' computers...

PS: A guy with $0, Windows 7 and a full day can remove PatchGuard (it isn't about money, it's about mind) so what's left for security companies?
Title: Re: Security issues
Post by: oex on March 24, 2010, 03:37:58 AM
There are a number of ways you can test how real user input is.... For a game it is actually rather hard to fake.... I have seen many 'automated' avatars in the past running round like headless chickens :lol
Title: Re: Security issues
Post by: theunknownguy on March 24, 2010, 03:43:40 AM
Quote from: oex on March 24, 2010, 03:37:58 AM
There are a number of ways you can test how real user input is.... For a game it is actually rather hard to fake

I actually don't see any method, and I don't believe any other anti-cheat sees it either, probably you're talking about some kind of AI that recognises a specific pattern of inputted keys, but it will be quite hard to detect for player input ^^.

Also that was just an example, what happens with APIs like GetPixel, and other graphics APIs that allow attackers to create "aimbot" interfaces for games?

I see no solution around these things, if you've got some idea it could be very helpful, in this way I can avoid any kind of "malware" behaviour, which is the main idea of this thread.

PS: Some players behave like headless chickens, it isn't an excuse to close the game if the player wants to "get crazy" =P :lol
Title: Re: Security issues
Post by: oex on March 24, 2010, 03:51:28 AM
Keep thinking.... Both are *very* easy to block and detect :lol
Title: Re: Security issues
Post by: theunknownguy on March 24, 2010, 03:55:02 AM
Quote from: oex on March 24, 2010, 03:51:28 AM
Keep thinking.... Both are *very* easy to block and detect :lol

Maybe a tip or just talking for talking's sake? :snooty:

Anyway, thinking about SendInput structs of mouse and keyboard passed into a global struct, and a procedure in my system that verifies whether the actual address matches or not.

But in order to do this there must be an "exclusive" agreement between the coding team of the game and the security system (which I believe some game companies will refuse).

About graphics I'm still thinking :cheekygreen:

PS: Mainly this isn't thought out with the kernel protection, I know with that almost all attempts can be blocked easily, but the more practical I am in RING3 the less I have to mess with the kernel and that's the whole idea, to leave the dependencies on RING0 behind (something that all security systems should do)
Title: Re: Security issues
Post by: oex on March 24, 2010, 03:58:01 AM
Sorry, I value my membership in this forum, there are often things I also don't understand posted on the forum but the first rule of Fight Club is.... :lol

http://en.wikiquote.org/wiki/Fight_Club_(film)
Title: Re: Security issues
Post by: theunknownguy on March 24, 2010, 04:04:03 AM
Quote from: oex on March 24, 2010, 03:58:01 AM
Sorry, I value my membership in this forum, there are often things I also don't understand posted on the forum but the first rule of Fight Club is.... :lol

http://en.wikiquote.org/wiki/Fight_Club_(film)

Actually if your idea is in RING3 and normal code without anything related to malware it isn't against the forum rules.

I also value the membership. And it would probably be better to help leave the dependencies on RING0 behind, which is probably one of the objectives of Microsoft in making PatchGuard, so why the negativity?

Or is your solution against the forum rules? :naughty: ^^
Title: Re: Security issues
Post by: oex on March 24, 2010, 04:17:49 AM
It's malware-related in that if I tell you how to do these things on a public forum, malware will be updated with get-arounds, not just against your software but against everyone's security protections....

If I email you, someone I don't know from Usama Bin Laden or Brad Pitt over the internet, I could get embroiled in your custody battle with Angelina Jolie over your six children....

Secrecy is #1 security! *oops*
Title: Re: Security issues
Post by: theunknownguy on March 24, 2010, 04:21:07 AM
Quote from: oex on March 24, 2010, 04:17:49 AM
It's malware-related in that if I tell you how to do these things on a public forum, malware will be updated with get-arounds, not just against your software but against everyone's security protections....

If I email you, someone I don't know from Usama Bin Laden or Brad Pitt over the internet, I could get embroiled in your custody battle with Angelina Jolie over your six children....

Secrecy is #1 security! *oops*

If it's malware then I don't care, you need to understand the intention behind the thread is to avoid malware behaviour.

Of course there are plenty of illegal ways to stop this, it's not what I am looking for, but thanks anyway. :U
Title: Re: Security issues
Post by: oex on March 24, 2010, 04:29:12 AM
Malware is 'malicious software', it is different from games only in intent.... to say you could put a key under the mat or that the most common source of entry is an open window is a great common-knowledge example of where a burglar will look first before breaking your window for entry, neither of which has any risk of him cutting himself and leaving DNA :lol....

To talk about serious security issues is to give Google keywords and thus to promote malware, especially on a dedicated programming forum

The intent of having nuclear weapons is preventing nuclear war :lol
Title: Re: Security issues
Post by: theunknownguy on March 24, 2010, 04:45:26 AM
Quote from: oex on March 24, 2010, 04:29:12 AM
Malware is 'malicious software', it is different from games only in intent.... to say you could put a key under the mat or that the most common source of entry is an open window is a great common-knowledge example of where a burglar will look first before breaking your window for entry, neither of which has any risk of him cutting himself and leaving DNA :lol....

To talk about serious security issues is to give Google keywords and thus to promote malware, especially on a dedicated programming forum

The intent of having nuclear weapons is preventing nuclear war :lol

Again you should limit yourself to reading that the intention is to promote not using any kind of illegal coding.

But since you don't even have an answer, and I guess nobody has one in a "legal" way, then this reveals some things must be "illegal" in order to prevent it.

Game companies lose 1 million USD a year because of cheats, and do you think companies like INCA (GameGuard) care about whether they inject a DLL or not?

What happens with Symantec kernel hooks?

That's the main difference why you're still here and they are on top, earning probably $200,000+.

Also don't look down your nose at what game security is, since they're losing 1 million a year, there are some really dedicated people into the game hacking thing.

This is more like fighting with bows when the others have guns :lol
Title: Re: Security issues
Post by: sinsi on March 24, 2010, 04:55:55 AM
>Game companies lost 1 million USD
:lol cite please :lol
Title: Re: Security issues
Post by: oex on March 24, 2010, 04:58:58 AM
Security is something serious professionals don't discuss with strangers. How many people do you know that work for your nation's secret service <--- Trick question, don't answer :wink....

It has nothing to do with legality, simply common sense....

Game companies lost nothing, they made billions of USD.... Money 'lost' through hacking is simply money not made, with law enforcement agencies responsible for tracking down criminal activity....

Google can't keep China out and China doesn't know whether Google is reading Chinese citizens' emails, but the world still goes round 24/7/365
Title: Re: Security issues
Post by: theunknownguy on March 24, 2010, 05:10:26 AM
Quote from: oex on March 24, 2010, 04:58:58 AM
Security is something serious professionals don't discuss with strangers. How many people do you know that work for your nation's secret service <--- Trick question, don't answer :wink....

It has nothing to do with legality, simply common sense....

Game companies lost nothing, they made billions of USD.... Money 'lost' through hacking is simply money not made, with law enforcement agencies responsible for tracking down criminal activity....

Google can't keep China out and China doesn't know whether Google is reading Chinese citizens' emails, but the world still goes round 24/7/365

Yeah, that's why GameGuard costs something like 40,000 USD (the rumors say)

And I got a contract for 20,000 USD, they're just giving money away for free ^^ XD

The article about the 1 million USD lost I can't find now, Google is full of things like "how can I cheat please?" lol.

But the article says that the company K2 Network (which is the one I am targeting) loses 1 million USD a year on the Knight Online game.

It isn't hard to believe, let's see what the income of INCA was in the year 2009:

http://global.nprotect.com/aboutus/news_view.php?idx=19&page=2

6 million USD (expected for the first half)

Something related to how much K2 spent on web security:

http://www.cenzic.com/resources/reg-not-required/caseStudies/k2/

PS: If I were you guys, for an income of even 1 million USD for detecting lamers using aimbots or trying to unpack a protection, then yeah I would switch jobs immediately ^^ (lucky me, this is my job)

Title: Re: Security issues
Post by: oex on March 24, 2010, 05:14:33 AM
So do it, don't ask others to do it for you
Title: Re: Security issues
Post by: theunknownguy on March 24, 2010, 05:18:16 AM
Quote from: oex on March 24, 2010, 05:14:33 AM
So do it, don't ask others to do it for you

Nobody is asking you to do it, you really have a big problem with reading, I was asking for advice, lucky me I got some real opinion from clive. And probably this opinion will be shared among companies, it seems nobody likes "invasive" coding, so I'm trying to switch to a more practical solution.

But again, and I repeat, I am not asking you to do my homework, I am asking for advice (not an ethical debate).


PS: I think some mod should close this, I really can imagine the opinion of other members of the forum towards "invasive" coding, even if it's for security, so I'll probably rack my brain trying to do some real non-invasive solutions, this would make my customers much happier.
Title: Re: Security issues
Post by: oex on March 24, 2010, 05:44:40 AM
:lol sorry, not trying to promote ethics.... my advice is simply that you are creating security holes by discussing your security implementation methods on a public forum.... If you don't know the general bases to cover you shouldn't be doing the job.... Games are not going towards streaming because of a lack of processing speed or because of console costs.... Even if you own the box someone is going to chip/unlock it.... It's very hard to give direct answers without giving malware tips but you should understand this, working in serious security work....

Quote from: theunknownguy on March 24, 2010, 05:10:26 AM
But the article says that the company K2 Network (which is the one I am targeting)

Your posts are your biggest security hole, I don't know what else to say :lol
Title: Re: Security issues
Post by: theunknownguy on March 24, 2010, 05:58:05 AM
Quote from: oex on March 24, 2010, 05:44:40 AM
:lol sorry, not trying to promote ethics.... my advice is simply that you are creating security holes by discussing your security implementation methods on a public forum.... If you don't know the general bases to cover you shouldn't be doing the job.... Games are not going towards streaming because of a lack of processing speed or because of console costs.... Even if you own the box someone is going to chip/unlock it.... It's very hard to give direct answers without giving malware tips but you should understand this, working in serious security work.... I don't know what else to say :lol

Don't worry, I am not saying anything that could put my job at risk, it's like the Oreans company (I've got a license for my products) with the Themida packer, they talk about pretty much the same things in public.
Talking about something doesn't mean that someone is actually going to figure it out. More so when it's just "advice". Also my website has a lot of info on how the anti-cheat works and it still isn't bypassed. Again there is a big difference between writing something and explaining it in detail.

Also I understand that you can't give malware tips, but there are plenty of tips you could give, if you knew them, without breaking the forum rules.

Example: a heuristic scanner (I use one in my system) should not be a topic that goes against the forum rules, and at the same time "discussing it" should not reveal any information that could make it insecure.

But about my question and the advice I need, yeah, there's pretty much nothing you can say or anyone can say without giving "against the rules" tips. That's why I want some mod to close this thread ^^.

http://global.ahnlab.com/en/site/product/productSubDetail.do?prod_type=P0&prod_class=P&prod_seq=9003
(I guess you'll tell them that they give too much info too) :P :P

PS: This is how business works, at least how "I understand it", reveal features and at the same time give no info on how to remove them, you can see this in all security systems for games, they give all the features and still people don't get the idea ^^.
Title: Re: Security issues
Post by: oex on March 24, 2010, 06:14:07 AM
These are *some of the* security holes:

So first to check for is this:
   "PS: I already do kernel tricks, CRC, metamorph code, obfuscation, relocate game procedures to virtual space and encrypt them"

Then anything other than this you probably haven't accounted for:
   But this is probably the last "issue" I have about secure systems for "games" (the usage of some APIs for malicious purposes).

You don't have a clue on this:
   what happens with APIs like GetPixel
   I actually don't see any method, and I don't believe any other anti-cheat sees it either, probably you're talking about some kind of AI that recognises a specific pattern of inputted keys, but it will be quite hard to detect for player input


Good advice:

Quit wasting your time on this. Focus on the game. Your adversaries are smarter and better equipped.

-Clive


Forum Rules:

You should accept the forum rules in spirit not just in word.... They are for your own protection and the protection of others as well

"and at the same time "discussing it" should not reveal any information that could make it insecure"
er OK
Title: Re: Security issues
Post by: theunknownguy on March 24, 2010, 06:41:10 AM
Quote from: oex on March 24, 2010, 06:14:07 AM
These are security holes:

So first to check for is this:
   "PS: I already do kernel tricks, CRC, metamorph code, obfuscation, relocate game procedures to virtual space and encrypt them"

Then anything other than this you probably haven't accounted for:
   But this is probably the last "issue" I have about secure systems for "games" (the usage of some APIs for malicious purposes).

You don't have a clue on this:
   what happens with APIs like GetPixel
   I actually don't see any method, and I don't believe any other anti-cheat sees it either, probably you're talking about some kind of AI that recognises a specific pattern of inputted keys, but it will be quite hard to detect for player input


Good advice:

Quit wasting your time on this. Focus on the game. Your adversaries are smarter and better equipped.

-Clive


Forum Rules:

You should accept the forum rules in spirit not just in word.... They are for your own protection and the protection of others as well

"and at the same time "discussing it" should not reveal any information that could make it insecure"
er OK

- Like I say, you don't know how to read, I pasted you 2 websites of known companies that give all the features...
- Yes, it's the last issue I've got, because I want to do it a legal way and not illegal or too invasive (again you read badly)
- There should be no possible way to stop graphics APIs, since I don't have control over the graphics input and I can't, there is a limit to what an anti-cheat can do interfering with the game itself
- And finally I send you the same website before sleeping:

http://global.ahnlab.com/en/site/product/productSubDetail.do?prod_type=P0&prod_class=P&prod_seq=9003

Memory Hacking Protection

* Prevents memory access of game hacking

Speed Hack Protection

* Detects and blocks speed hack programs that tamper with the system timer

Debugger Protection

* Detects and blocks hackers' debugging tools for auditing and analyzing code

Message Hook Protection

* Makes message hooking function of game hacking tools useless and obsolete

Auto-mouse Protection

* Detects and blocks auto mouse operation, making normal ones ineffective

File Change and Forgery Protection

* Detects and blocks changes or forgery of files

Hacking Tools and Blocking Detection

* Detects hacking tools and terminates client game connection from server

Run-time Forgery Protection

* Prevents from forging runtime modules of HackShield

Executable File Packing

* Protects HackShield, hacking protection functions, itself from hacking

Data File/Message Encryption

* Encrypts important data and messages in AES(Rijndael) format

Data File Encryption

* Encrypts data files passed between client and server

Server-side Crack Protection

* Regularly checks for changes or forgeries of executable files at client

Executable File Encryption

* Encrypts game executables in real-time

Consistent and Continuous Update

* Updates with new hacking tool pattern files and protection modules


Another, so you can learn to read better, the Oreans company, Themida packer information:

http://www.oreans.com/themida_features.php

But again you seem to have no notion of security, making a statement as foolish as: "don't discuss your features, it could make it insecure".

Since when is declaring that you have metamorph code, CRC or something else going to make an insecure statement?...

Good night, 6 AM here.
Title: Re: Security issues
Post by: sinsi on March 24, 2010, 06:58:58 AM
Quote: Since when is declaring that you have metamorph code, CRC or something else going to make an insecure statement?...
The same way that knowing a password needs to be x characters long does, it gives you a starting point. CRC can be got around, metamorphic code is just 90% bullshit, easy to get around. Ever come across IDA Pro? Or Razor1911?

Once your code is in memory and running, you can look at it. Obfuscation can help but only to make it longer to get around.
Things need to be decrypted before they can be executed, that's when you look at them.
Title: Re: Security issues
Post by: oex on March 24, 2010, 07:01:35 AM
These companies are publishing the things they are confident about and understand. You are asking for advice and showing all your weaknesses. You are also publishing your expected client list. Further, you are trying to get people to post more security info details, potentially highlighting flaws in their understanding and judgement and their products linked to from this site.... You are also giving keyword after keyword to wannabe malware writers.... Posts like these lose games companies $millions

"But again you seem to have no notion of security"
Good.... Secrecy is #1 security
Title: Re: Security issues
Post by: sinsi on March 24, 2010, 07:03:41 AM
Person #1 - Can you keep a secret?
Person #2 (eagerly) - Yes!
Person #1 - So can I.
Title: Re: Security issues
Post by: theunknownguy on March 24, 2010, 05:24:11 PM
Quote from: sinsi on March 24, 2010, 06:58:58 AM
Quote: Since when is declaring that you have metamorph code, CRC or something else going to make an insecure statement?...
The same way that knowing a password needs to be x characters long does, it gives you a starting point. CRC can be got around, metamorphic code is just 90% bullshit, easy to get around. Ever come across IDA Pro? Or Razor1911?

Once your code is in memory and running, you can look at it. Obfuscation can help but only to make it longer to get around.
Things need to be decrypted before they can be executed, that's when you look at them.


It isn't the same, if I tell you I use AES is it going to make a difference? lol...

I will never say my password is X characters long, that is insecure, but a CRC? OK, you know I have a CRC, where is it?

I don't want to spoil it but I worked with Deviance on some things, same as ARTeam, and probably they're just "official games" crackers, not like "cheaters".

My system is oriented to more aggressive teams like Free Cracking China Group, that's why I have a deal with Oreans, they cover me on top and I add my security inside.

Also metamorphic doesn't mean it has to be decrypted, same as obfuscation, maybe you have never worked on it, and I can't post an example because of the forum rules, but metamorphic code + instruction permutation will execute generating new code without any "decryption". If I were allowed to post some metamorph of a CMP instruction it would be much easier to explain.

Still not afraid, my product isn't targeting Razor1911, Deviance or other Windows games crackers. Mine is targeting professional unpacking teams like Free Cracking China Group, which, to be ironic, always crack Oreans products, so pretty much we are helping each other (with Oreans) ^^.

Some moderator please close this thread, there seems to be no real advice like I was looking for.