How Hackers Bypass Kernel Anti Cheat

Captions
For as long as video games have existed, people trying to break those video games for their own benefit have come along with them. First time I really made a cheat, I was like, man, this is awesome, I want to do this more. Solista was a small streamer who was top 300 in the world in Valorant, but it quickly became obvious why he was so good: viewers noticed he was shooting enemies without even clicking the mouse. Over the years this has resulted in a type of defense that everyone is currently keeping their eye on. League of Legends was introducing something known as Vanguard anti-cheat into their game. But the problem with the way that anti-cheat works is that anti-cheat software is basically just a rootkit that we're okay with, which allows them to see the memory of your entire computer, and you are legally allowing them to do this. And you can't blame any anti-cheat software out there; for them to protect their games they have to do this. The Cold War of cheating has escalated to that level. Running at the deepest level of your system, kernel-level anti-cheat has been hailed as the most effective way of stopping cheaters. So how do they still manage to break through? Let me explain.

But first, a word from today's sponsor. If you want to earn cash prizes and compete in tournaments for League, 365games.net has got you covered. You can sign up to their website, which is in the description, and once you plug in your account details you're good to go, with no download needed. At the end of the month, players in the top 150 will receive prizes. The points of the winners will be reset to zero, while the points of everyone who lost will be retained until they win, so everyone's got a good chance to win something. They also hold weekly giveaways with 10 winners per week, with a current prize pool of $5,000 per game. So everything that you need to check out 365games.net will be down in the description below.

It's important to understand how the cheats themselves work in order to know how people then circumvent anti-cheats. A short generalization is that, for the most part, important variables about your game, such as the player's health or location, are stored in your computer's memory. Yeah, these things that go inside your PC are actually used for something more than fancy RGB lighting. All of the temporary information that programs need to store client-side while they're running goes in here. You can then use the Windows API to read and overwrite this information. Programs like Cheat Engine are a wrapper for these sorts of functions, making them more accessible. Normally cheats like this won't work for information that's stored server-side, such as in-game currency, but there are workarounds. For a lot of Flash games like Club Penguin, in this example, you can earn coins based on how well you perform in the games. What you could do, for example, is increase the amount of points that you've scored, which is stored in your memory, before being sent off to the server in return for currency. An example for League is when you used to be able to adjust your masteries by using Cheat Engine as well. This let you break certain rules within the game and you could do things like this. Welcome to Summoner's Rift.

Back in these days, the role of anti-cheat in games was to intercept this third-party program before it could read or write any changes to the allocated memory space. The industry standard back then was PunkBuster, which you've probably run into if you played any FPS games around the early 2000s. Your system has varying levels of user access that extend far beyond the standard user and administrator access that you can see in your control panel. When the anti-cheat arms race was still fresh and before kernel-level solutions were being widely used, developers would use this type of anti-cheat, which runs at the user level. The software was able to block third-party access to the necessary portions of the Windows API, thus preventing any information from being written to the game's memory. As time went on, though, this too would be bypassed.

Aside from external cheats, which is what we've just covered, there's also a method of cheating internally. What this means is that the modified code is run internally within the game files and as such has direct access to the game's memory. Typically this is done by injecting custom code through DLL files into the game. For example, this code could display a player's health and position on your screen no matter where they are on the map. But again, since we're directly modifying game files here, it's fairly straightforward for an anti-cheat to scan for changes and take care of the malicious code. Both hackers and developers ended up surpassing this stage pretty quickly, so that leads us a bit deeper into the kernel.

Ring zero is the most privileged level of your system, where the operating system kernel exists. User-mode applications like what we covered before run on top of the operating system; these don't get much, if any, access to the operating system itself. The kernel level, however, is different. This is where all of your system drivers exist, and it's what allows the operating system to even run in the first place. As a result, they have almost complete control and visibility over your PC. The majority of these are so important that they don't even get a chance to recover after they crash. For the most part, if one does end up crashing, your PC will just instantly crash and you'll have to restart your entire system. There are multiple ways that this can be used to a hacker's advantage in order to run cheats of their own, and we are going to get into that. But first, let's take a look at one of the most notorious cases of a kernel-level anti-cheat being turned against itself and used as malware.

Now, what if I told you hackers finally did abuse the actual anti-cheat? In late July 2022, a major vulnerability was found in mhyprot2.sys. This was more commonly known as miHoYo's kernel-level anti-cheat, miHoYo being the developer of Genshin Impact. Due to the nature of this driver, it has full read and write access to all system memory. After some thorough reverse engineering, this driver was then able to be used to disable antivirus on the victims' PCs. This allowed the attackers to then go ahead and deliver ransomware to the users now that the system had no defenses in place. Ransomware is a type of malware that will encrypt and block access to all of the user's data until they pay a sum of money, or ransom of course, to the attacker. And this is where we can begin to see some of the dangers of having kernel-level drivers able to be exploited. And this isn't just anti-cheat, this is any kernel driver. You should be put up to more scrutiny than any other developer, especially when you're installing these rootkits on average people's systems, which would descend into their system and become an exploitable rabbit hole where attackers could get access to their machine at a level that they as a user didn't even have access to.

Quote: during the last week of July 2022, a ransomware infection was triggered in a user environment that had endpoint protection properly configured. We found that a code-signed driver named mhyprot2.sys, which provides the anti-cheat functions for Genshin Impact as a device driver, was being abused to bypass privileges. As a result, commands from the kernel mode killed the endpoint protection processes. As of writing this, the code signing for mhyprot2.sys is still valid. Genshin Impact does not need to be installed on a victim's device for this to work.

So how does this make any sense? Genshin Impact's not the issue. The important distinction here is that the game, in this case Genshin Impact, wasn't actually ever the problem. The anti-cheat that came along with it was able to be altered and shipped independently. Hackers could just grab this driver in isolation and then send it to a victim, whether it's through social engineering or some other sort of compromised software, and then, because it had been approved by Windows, which is another thing that we'll get into, it was able to disable the user's defenses.

But how is the driver even able to run in the first place? Shouldn't that have been picked up by the antivirus before it even started? Well, that's a very good question. Drivers aren't something that can be shipped by any solo developer. There's a process called signing which has to take place before they're even allowed to run on your system. Again, there is a way around this, but that's more so for when you're the one doing the hacking, like if you made a driver and wanted to use it to circumvent kernel-level anti-cheat, which we'll get to soon. Anyway, signing a driver involves signing up for a Microsoft developer account, which involves providing identification and even a payment to Microsoft. After this, the driver is sent off to them, where they perform their own checks, and if they deem it valid they can go ahead with a process called digital signing, which allows the driver to be installed and run without tripping up any security warnings. And this is why, when a signed driver (which is all of them that are currently running on your PC, unless you've been up to no good) is exploited, it's kind of a big deal, because essentially Microsoft has given the all-clear for something nefarious to have full reign over your system. Which is why companies like Microsoft really try to push updates on you as much as possible. Like, seriously. The other and slightly more concerning component to this is that after the compromised driver was signed and released out into the wild, there's not a lot that can be done to go back on it. It's not like Microsoft can reach out into someone's PC and just delete the driver if they still have it on their system. So even in 2024, or whenever you're watching this video, if someone had the old compromised driver and then sent it to someone with an older version of Windows that hadn't been updated, it could still be used to this day for malicious purposes.

It is still rare to find a module with code signing as a device driver that can be abused. The point of this case is that a legitimate device driver module with valid code signing has the capability to bypass privileges from user mode to kernel mode. Even if a vendor acknowledges the privilege bypass as a vulnerability and provides a fix, the module cannot be erased once it's been distributed. Certificate revocation and antivirus detection might help to discourage the abuse, but there are no solutions at this time.

So how does a hacker use all of this information to bypass a kernel-level anti-cheat such as Vanguard? They could of course try to find a sneaky bypass that allows them to work around the anti-cheat, but these are few and far between, not to mention they'd normally be patched pretty quickly. Kernel-level anti-cheats are designed in a way so that when they detect a third-party program trying to make contact with their game, they can swat it away before it can do anything. The more common method is to create a driver of your own and enter the kernel yourself. But didn't you say that making drivers costs money and also has to be authorized by Microsoft? Well, yes, but there are a couple of ways that you can run unsigned drivers on your own system. The first method is by enabling test signing. This allows unsigned drivers to run on your PC; however, most of the time, if an anti-cheat sees that this option is turned on, it just won't let you run the game in the first place. The alternative is to use a tool that exploits a legitimate driver to manually map your own driver into the system's memory, and trust me, there is truly no shortage of vulnerable system drivers for people to exploit.

One of the most famous instances of this can be seen as far back as 2012 with the Shamoon virus. It certainly was, and still is, you know, the worst physical attack we've seen, where, you know, destruction was what the adversary actually had in mind. This malware was targeted and used against multiple large oil companies in an act of cyber warfare against what the hackers referred to as, quote, Saudi's oppressive government. The attack used the RawDisk driver, which is a completely legitimate commercial driver that just happened to have security flaws that could be exploited to quickly read and destroy large amounts of data. It also allowed them to do this from user mode, which, as we discussed before, is the default state which you and I are using right now, which is not too good if you're on the receiving end. Throughout the attack, over 30,000 Windows systems were completely overwritten and had their data completely destroyed. Interestingly enough, the company caused such a sudden surge of new hard drive purchases after the initial ones were destroyed that they actually drove up the price for hard drives worldwide.

So now we know that drivers are what allow your operating system to run and communicate with the physical hardware inside of your PC. Because of this, they need much higher privileges than they normally receive in just user mode in order to be able to run properly. But what exactly causes a driver to be so vulnerable that someone can use it to cheat in a video game, and why is it so common? A study from late last year found as many as 34 unique vulnerable Windows drivers that could be exploited by attackers to gain full control of the devices and execute code on the underlying systems. AODDriver, the gdrv driver and NVOCLOCK were all included in the list of drivers that could be compromised, all of which are drivers related to overclocking AMD, Gigabyte and Nvidia devices respectively, which is an interesting coincidence. Alongside these vulnerable drivers are some extremely low-level ones such as IOAccess.sys, which is used to allow access to your hardware's input and output ports. Seems pretty important.

Companies spend countless hours trying to patch holes in the security of their drivers, but due to the nature of software and the absolutely huge amount of drivers in existence, there's always an exploit to be found somewhere. It's not like companies can avoid using drivers either; I mean, they're necessary for your hardware to run on your computer. When you think about it, nearly every single device has to have some sort of driver in order to be able to function with your PC at all. Every mouse, keyboard, printer: these all have their own potentially vulnerable drivers. Some examples of these exploits include taking advantage of unprotected IO control requests, otherwise known as input/output control. This is a mechanism that allows applications in user mode to communicate with kernel-level drivers. It might kind of sound insecure, but it's actually fairly common. Let's take a look at a program that allows you to overclock your hardware, for example, such as MSI Afterburner. In order to actually adjust your hardware's voltage, fan speed, clock speed and so on, we obviously need a way of communicating with the driver that controls all of these parameters. This is where IO control requests come in: they allow some sort of data to be transferred between user mode and kernel mode. However, it's possible for these to be exploited when the driver doesn't properly validate the requests sent from the user-mode application. It's a lot easier for a hacker to mess around with a user-level application, and if the developers aren't careful, an attacker can exploit this to run malicious code with kernel-level privileges. This is just one of the many ways that vulnerable drivers can be used by bad actors to try and find their way around kernel-level anti-cheat.

It's worth noting as well that this is the reason that anti-cheats like Vanguard launch with your PC. It's the most effective method for ensuring that no other drivers have been tampered with and are allowed to run malicious code. A large part of this is Riot and other developers keeping a database of these vulnerable drivers and doing their best to keep an eye on them, or, if they notice any abnormalities, blocking them. You can sort of imagine it like a race: whichever driver manages to boot first will, nine times out of 10, be able to beat the other in accomplishing its mission. This is what sometimes leads attackers to just creating their own driver and trying to develop it in such a way that it'll load as early as possible in the boot process. But kernel development is generally really finicky; you'll typically need to set up a whole virtual machine to run your code during development to prevent your entire system from crashing each time you make an error.

This isn't the end-all or be-all of cheating though; there's one more method that I wanted to dive into. After all, kernel drivers are just a middleman between the user and the hardware, so to avoid all of this nonsense, what if we could just go straight to the hardware level? Think of hardware as everything about the computer that you can physically touch. Your mouse, keyboard, speakers and so on are all hardware; they're able to run on the computer using software. A hacker can directly target the hardware by using a method called DMA, or direct memory access. DMA allows peripheral devices to have direct access to your machine's RAM, or system memory. One of the most popular vectors for attack here is through a PCIe card, which are these things, if you've ever built a PC or paid close attention to the back of it. Obviously this method requires a lot more effort, but for bad actors it is 100% worth it, because by doing this you get to bypass the CPU and have direct access to the system memory. Anti-cheats historically have had a really hard time with hardware cheats due to the fact that they can just evade any CPU scans, and also they don't need to mess around with injection or anything like that. This is compounded by the fact that all the malicious code is run on a different device entirely, making it even harder for the anti-cheat to spot anything suspicious.

In an ideal scenario, a DMA setup for cheating involves two PCs: one PC is to run the game on and the second PC is to run all of the cheats. This helps to add another layer of protection. PC1 will be the system that houses the DMA board, and PC2 will connect to the board by using a cable. PC1 sends all of the information necessary from the game's memory to the second PC, which will then in turn process it in order to implement all of the cheats. There's a couple of ways that a hacker can use this information. One of the most popular, in FPS games at least, is using the second PC as a radar PC, where all of the wall hacks will appear on the second monitor while the main monitor stays clean. This is also a really popular method for people who want to stream while using cheats, because the average viewer can't see anything different; it just looks normal. On top of this, though, there's also something called fusers, which allow the two displays to be combined into one. This is essentially what a regular hack would look like without hardware implementation, but because it's being run on the second PC and then being fused into the first one, it's a lot harder to detect. In more extreme scenarios, the second PC can also send inputs back to the main PC, such as aiming or shooting, allowing the cheater to appear as though they're playing legitimately, even though this is far from true. This does require even more additional hardware, though. To ensure the hacker doesn't get detected, the mouse and keyboard will be plugged into a device similar to this, which can emulate the peripheral inputs to allow them to look like normal gameplay. If you've heard the term Arduino bypass, this also works in a similar way: it appears like a legitimate input device and it has inputs that can mimic that of an actual player.

Now, there is a reason that I can include all of these in a video, because I obviously don't want to spread methods that will just add more cheaters into games. For the most part, all of these methods have already been patched by all major anti-cheats, especially Vanguard. For example, Vanguard, which I'll hone in on since this channel does primarily talk about League and Riot Games, released an update earlier this year that patched the DMA and Arduino bypass methods. Remember how we mentioned that DMA exploits use the PCI slot of your computer? Whenever you launch a game that's protected by Vanguard, it scans your PCI slot and extracts the data from here. It can see if anything suspicious is connected, and if so, the player will be eventually banned. This led to one of Valorant's biggest ban waves ever, especially when everyone thought that they were extremely safe using hardware cheats. It led to a bit of an uproar. F me buddy, you have 7K. Oh no, oh no. What? What did I do? I said, just saying. Val five, rip. Wait, so it's not a Valorant problem? I got Val five. Get five people playing. No, no, no, no.

DMA has sort of been the final boss of kernel-level anti-cheat for quite some time now, so Vanguard being able to take most DMA cheats down was a fairly big feather in their cap. But despite its effectiveness, you can't deny that Vanguard isn't completely flawless. Just this week there was a bug with it, due to what Lev referred to as a backend networking issue. This was causing players to be kicked out of games en masse and even copping bans due to the system thinking they were re bon in games or going AFK. At the end of the day, stopping cheaters has to be weighed up and balanced with user privacy, and that's an issue that game devs are going to be facing at least for the foreseeable future. It also poses a question for the player: do you trust the developer of the game that you're playing? I hope this video was educational and you learned a thing or two about how these cheats actually work. Of course, this is all in a post-anti-cheat age, so if you're curious about what League cheats looked like when they were actually possible and they weren't just scripting, make sure you subscribe so you don't miss out on the next video. If you want to get a bunch of cool benefits like early access to these videos, or access to any of the music that I make for these videos, or if you've ever just enjoyed my content and you want to support the channel, then go chuck a dollar at my Patreon. It helps me spend the extra time to make these videos, and if you're already a supporter, then thank you from the bottom of my heart.
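The unvalidated IO control request point in the video above, as an added example that is not from the video or from any real driver: a portable C model of an IOCTL read handler in the trusting form the video describes, beside a checked form that validates every caller-controlled field. The request layout, status codes and the simulated physical memory window are assumptions made for the illustration.

```c
/* Portable C model of an IOCTL read handler, as found in hardware-access
 * drivers (overclocking, fan control). Constructed illustration: the request
 * layout, status codes and the fake physical memory are assumptions, not
 * any real driver's code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated physical address space. Bytes 0x400..0x7FF stand for the device's
 * own MMIO window; everything else stands for memory the driver has no
 * business exposing (other drivers, the anti-cheat, the kernel itself). */
#define PHYS_SIZE   0x1000u
#define WINDOW_BASE 0x400u
#define WINDOW_END  0x800u               /* exclusive */
static uint8_t phys_mem[PHYS_SIZE];

/* Request a user-mode tool would hand to DeviceIoControl (constructed layout). */
struct read_req {
    uint64_t phys_addr;                  /* where to read from */
    uint32_t length;                     /* bytes to copy into the output buffer */
};

enum status { ST_OK = 0, ST_BAD_LENGTH = 1, ST_ACCESS_DENIED = 2 };

void seed_phys_mem(void)
{
    memset(phys_mem, 0xAA, PHYS_SIZE);                              /* "kernel-private" */
    memset(phys_mem + WINDOW_BASE, 0x11, WINDOW_END - WINDOW_BASE); /* device window */
}

/* Trusting handler: the only check is that the input holds a whole request.
 * The caller chooses address and length, so user mode can read any physical
 * address through the driver. (Model only: it indexes the fake array.) */
enum status ioctl_read_trusting(const void *in, size_t in_len,
                                void *out, size_t out_len)
{
    struct read_req req;
    if (in_len < sizeof req) return ST_BAD_LENGTH;
    memcpy(&req, in, sizeof req);
    (void)out_len;                       /* never compared against req.length */
    memcpy(out, &phys_mem[req.phys_addr], req.length);
    return ST_OK;
}

/* Checked handler: every caller-controlled field is validated before use.
 * (A real driver would also set a security descriptor on its device object
 * so that not every user-mode process can open it in the first place.) */
enum status ioctl_read_checked(const void *in, size_t in_len,
                               void *out, size_t out_len)
{
    struct read_req req;
    if (in_len < sizeof req) return ST_BAD_LENGTH;
    memcpy(&req, in, sizeof req);
    /* 1. The output buffer must be able to hold what we copy. */
    if (req.length == 0 || req.length > out_len) return ST_BAD_LENGTH;
    /* 2. Start must lie inside the window the driver legitimately owns. */
    if (req.phys_addr < WINDOW_BASE || req.phys_addr >= WINDOW_END)
        return ST_ACCESS_DENIED;
    /* 3. End check by subtraction, so addr + length cannot wrap around. */
    if (req.length > WINDOW_END - req.phys_addr) return ST_ACCESS_DENIED;
    memcpy(out, &phys_mem[req.phys_addr], req.length);
    return ST_OK;
}

int main(void)
{
    uint8_t out[8];
    struct read_req probe = { 0x10, sizeof out };   /* constructed: outside the window */
    seed_phys_mem();
    enum status s = ioctl_read_trusting(&probe, sizeof probe, out, sizeof out);
    printf("trusting: status %d, leaked byte 0x%02X\n", s, out[0]);
    s = ioctl_read_checked(&probe, sizeof probe, out, sizeof out);
    printf("checked:  status %d\n", s);
    return 0;
}
```

The same three checks (output size, start inside the owned range, overflow-safe end) apply to write, MSR and port-IO IOCTLs, which is where the overclocking drivers the video lists typically fall short.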
Info
Channel: Ryscu
Views: 438,799
Keywords: league of legends, riot games
Id: kzVYgg9nQis
Length: 19min 37sec (1177 seconds)
Published: Sun Jul 07 2024