Security issues

Started by theunknownguy, March 24, 2010, 01:31:10 AM

theunknownguy

Hey, I am not against the forum rules on this; I will just ask the question and expect "IDEAS", not "CODE" (I don't want any of this used by others as malware).

On my security project I pretty much do all I can without being too invasive (it's for game protection), but I really need to block some "APIs" from being used by all processes except mine (yeah, too invasive).

For this I was thinking, ok, the typical DLL injection like most anti-cheats out there do, but looking further ahead there is a technique used by attackers where they copy the EPILOG of the API, execute it and later jump to the rest of the API, to avoid CRC, hook jumps, etc., etc.

So I just developed a system to copy the whole API (can't tell how) without any bug (and portable from XP to Win7) to my own space and do the checks there, preventing the attacker from using the EPILOG method.

Question is:

Do you know of any other issue concerning DLL injection or the method I describe?

If you do know a better solution (let's not enter into ethics bullshit), please post it without CODE, just the idea.

Thanks.

clive

Quit wasting your time on this. Focus on the game. Your adversaries are smarter and better equipped.

-Clive
It could be a random act of randomness. Those happen a lot as well.

theunknownguy

Quote from: clive on March 24, 2010, 01:52:46 AM
Quit wasting your time on this. Focus on the game. Your adversaries are smarter and better equipped.

-Clive

Not quite, clive; I tested my security system on many games (private servers) and it still isn't bypassed.

I am not discussing whether "I need to continue the project".

I already have deals with some big game companies for some amount of money, so it isn't like thinking "my adversaries are smarter".

Also I don't want to discuss the features or anything related to what my security system does, since I would be breaking forum rules.

Just asking if there is some issue some of you guys have already encountered with this kind of protection (injecting), and if you know in "theory" a better way of protection without being that invasive.

PS: I already do kernel tricks, CRC, metamorphic code, obfuscation, relocating game procedures to virtual space and encrypting them, and also server-side protection. Just asking for a better idea to protect against some "APIs".

Thanks.

redskull

Quote from: theunknownguy on March 24, 2010, 01:31:10 AM
...I really need to block some "APIs" from being used by all processes except mine

What you are trying to program is malware, albeit perhaps entertaining. Asking for ideas will probably get just as little help as asking for code. Like clive said.

-r
Strange women, lying in ponds, distributing swords, is no basis for a system of government

theunknownguy

Quote from: redskull on March 24, 2010, 02:20:24 AM
Quote from: theunknownguy on March 24, 2010, 01:31:10 AM
...I really need to block some "APIs" from being used by all processes except mine

What you are trying to program is malware, albeit perhaps entertaining. Asking for ideas will probably get just as little help as asking for code. Like clive said.

-r

Do you guys call security systems like GameGuard, XTrap, etc. malware?...

I don't ask for code so as not to break the rules; I am also not asking for ideas on how to accomplish this, I have a lot of knowledge about how the business works...

Just asking if any of you guys, who seem to be more intelligent than the rest of the other forums, know any other way to stop this without being that invasive.

This is an issue that most game companies don't like (the invasive detection).

PS: I don't post this in the debate section since I am not asking for a moral opinion on whether this is malware for "you" (for most game companies it isn't). Also, limit yourselves to reading that I am not asking for code or ideas on how to accomplish such things (I have everything done), as I limited myself to reading the forum rules.

oex

You have already introduced a serious insecurity into your product in your postings :lol, it might be best to stop now
We are all of us insane, just to varying degrees and intelligently balanced through networking

http://www.hereford.tv

theunknownguy

Quote from: oex on March 24, 2010, 02:38:55 AM
You have already introduced a serious insecurity into your product in your postings :lol, it might be best to stop now

Insecurity about being too invasive; I remember this insecurity at the INCA company at first too ^^...

Almost the same insecurity Symantec felt when PatchGuard came.

Insecurity is part of all projects, I believe; it makes you think your decisions "better".

clive

Quote from: theunknownguy
Do you guys call security systems like GameGuard, XTrap, etc. malware?...

Yes, pretty much. You are trying to subvert the operating system by interfering with things outside the scope of your own executable. You want to run everyone else's code in a sandbox. Replace an OS with thousands of man years of development behind it. If you want to own the box you need an XBox or PlayStation model with a chain of custody and signed code. A PC running millions of lines of other people's code, which you can't possibly test effectively, is not something you want to be interfering with. The ass clowns at McAfee and Norton can't get it right, and they are surely better equipped and resourced than you or I.

Hardware companies spend millions of dollars, and dozens of man years building "secure" systems. The problem is some guy in his basement with perhaps $10K worth of surplus equipment, and an afternoon to waste can break these things. Software is even worse, you have hundreds or thousands of eyes, and rapid distribution and duplication.

Your best hope is to secure everything you can on the server side, and then within your application and a device driver.

-Clive
It could be a random act of randomness. Those happen a lot as well.

theunknownguy

Quote from: clive on March 24, 2010, 03:09:46 AM
Quote from: theunknownguy
Do you guys call security systems like GameGuard, XTrap, etc. malware?...

Software is even worse, you have hundreds or thousands of eyes, and rapid distribution and duplication.

Your best hope is to secure everything you can on the server side, and then within your application and a device driver.

-Clive

Agreed, I try to secure as much as I can on the server side and in my device driver, but it's x32 and x64 mode... I would love for x32 to have PatchGuard.

I also don't like the invasive system, but it's needed; how could I possibly stop someone from using "SendInput" (example) if not by RING0 or RING3 hooks?

I pretty much like the idea of a secure kernel too; on x64 I have a process to detect if PatchGuard is edited (without touching it, ofc), and the driver is going to be verified by VeriSign.

But this is probably the last "issue" I have about a security system for "games" (the use of some APIs for malicious purposes).

Personally I feel very touched when Symantec requested from Microsoft that security programs have to get access to the kernel.
It's unfair, since an attacker doesn't care if he gets a BSOD over and over, he will finally succeed, but the security companies can't be playing with buyers' computers...

PS: A guy with $0, Windows 7 and a full day can remove PatchGuard (it isn't about money, it's about mind), so what's left for security companies?

oex

There are a number of ways you can test how real user input is.... For a game it is actually rather hard to fake.... I have seen many 'automated' avatars in the past running round like headless chickens :lol
We are all of us insane, just to varying degrees and intelligently balanced through networking

http://www.hereford.tv

theunknownguy

Quote from: oex on March 24, 2010, 03:37:58 AM
There are a number of ways you can test how real user input is.... For a game it is actually rather hard to fake

I actually don't see any method, and I don't believe any other anti-cheat sees it either; probably you are talking about some kind of AI that recognises a specific pattern of input keys, but it will be quite hard to detect against a player's input ^^.

Also, that was just an example; what happens with APIs like GetPixel and other graphics APIs that allow attackers to create "aimbot" interfaces for games?

I see no solution around these things; if you've got some idea it could be very helpful, as this way I can avoid any kind of "malware" behaviour, which is the main idea of this thread.

PS: Some players behave like headless chickens; it isn't an excuse to close the game if the player wants to "get crazy" =P :lol

oex

Keep thinking.... Both are *very* easy to block and detect :lol
We are all of us insane, just to varying degrees and intelligently balanced through networking

http://www.hereford.tv

theunknownguy

Quote from: oex on March 24, 2010, 03:51:28 AM
Keep thinking.... Both are *very* easy to block and detect :lol

Maybe a tip, or just talking for the sake of talking? :snooty:

Anyway, thinking about SendInput structs of mouse and keyboard passed into a global struct, and a procedure in my system that verifies whether the actual address matches or not.

But in order to do this there must be an "exclusive" agreement between the game's coding team and the security system (which I believe some game companies will refuse).

About graphics I am still thinking :cheekygreen:

PS: Mainly this isn't thought out with the kernel protection; I know with that almost all attempts can be blocked easily, but the more practical I am in RING3, the less I have to mess with the kernel, and that's the whole idea: to leave the dependencies on RING0 behind (something that all security systems should do).

oex

Sorry, I value my membership in this forum; there are often things I also don't understand posted on the forum, but the first rule of fight club is.... :lol

http://en.wikiquote.org/wiki/Fight_Club_(film)
We are all of us insane, just to varying degrees and intelligently balanced through networking

http://www.hereford.tv

theunknownguy

Quote from: oex on March 24, 2010, 03:58:01 AM
Sorry, I value my membership in this forum; there are often things I also don't understand posted on the forum, but the first rule of fight club is.... :lol

http://en.wikiquote.org/wiki/Fight_Club_(film)

Actually, if your idea is in RING3 and is normal code without anything related to malware, it isn't against forum rules.

I also value the membership. And it would probably help to leave the dependencies on RING0 behind, which is probably one of Microsoft's objectives in making PatchGuard, so why the negativity?

Or is your solution against forum rules? :naughty: ^^