nProtect GameGuard kind of Rootkit?

11/01/2013 20:11 XxharCs#1
Hello,
I hit on the Anti-Cheat System GameGuard. It seems to be much more powerful than HS or some other Anti-Cheat Systems.

As I could see, GameGuard hides itself and the game. (You can't see them anymore in TaskManager, ProcessManager, ...)

After some researching I came up with the idea that GameGuard is a kind of rootkit itself, and injects itself into every process(!) on your system that is running.
=> If a process disappears and injects itself into every process, then it is rootkit behaviour, or?

Also my antimalware pops up when I am starting the game that is using GameGuard.


So I started some reverse engineering on GameMon.des and came to this info:
It hooks a lot of API functions..
Code:
Ring3:

advapi32.dll:
CreateProcessWithLogonW

gdi32.dll:
GetPixel

kernel32.dll:
CreateProcessInternalW
DebugActiveProcess
DeviceIoControl
GetProcAddress
LoadLibraryExW
MapViewOfFile
MapViewOfFileEx
MoveFileW
OpenProcess
ReadProcessMemory
VirtualProtect
VirtualProtectEx
WriteProcessMemory

ntdll.dll:
NtLoadDriver
NtOpenProcess
NtProtectVirtualMemory
NtQuerySystemInformatio
NtReadVirtualMemory
NtSuspendProcess
NtSuspendThread
NtTerminateProcess
NtTerminateThread
NtWriteVirtualMemory
RtlGetNativeSystemInfor
ZwLoadDriver
ZwOpenProcess
ZwProtectVirtualMemory
ZwQuerySystemInformatio
ZwReadVirtualMemory
ZwSuspendProcess
ZwSuspendThread
ZwTerminateProcess
ZwTerminateThread
ZwWriteVirtualMemory

user32.dll:
GetWindowThreadProcessI
PostMessageA
PostMessageW
SendInput
SendMessageA
SendMessageW
SetCursorPos
SetWindowsHookExA
SetWindowsHookExW
keybd_event
mouse_event
//--------------------------
Ring0:

NtConnectPort
ZwConnectPort
NtOpenProcess
ZwOpenProcess
NtProtectVirtualMemory
ZwProtectVirtualMemory
NtReadVirtualMemory
ZwReadVirtualMemory
NtWriteVirtualMemory
ZwWriteVirtualMemory
SendInput
How to get in with this kind of system, if it's a kind of rootkit?
Is there a need to write a driver?
Or how?

Thanks
11/01/2013 22:29 Tension#2
Quote:
nProtect GameGuard (sometimes called GG) is an anti-cheating rootkit developed by INCA Internet
Source: Wikipedia nProtect GameGuard

I think you want to write a bypass, or?
I've found an interesting e-book from E.T (Google it ;) )
but I don't know if they changed GameGuard since its release (how it works).
Defeating is no problem, but you have to emulate the heartbeat. I've already tried to get into GameGuard but I'm not good at unpacking, so I've used a dump. I would like to share more about GameGuard soon, because I think it's a really interesting topic for me.
11/02/2013 00:47 MrSm!th#3
That's kind of standard for most anti-cheats.

There is most likely a driver for x86 systems, so yes, you either need a driver or you have to block GG's driver and emulate it / patch the keep-alive checks (since it's not gonna be like the game won't check whether the driver is still alive).
On x64 it probably injects a DLL into every process to do the necessary hooks, so it's a bit easier there.
Although that might be wrong. Wiselogic (XTrap devs) already signed their driver so that it can be loaded on x64 systems as well.
11/02/2013 13:22 XxharCs#4
The funny thing is that when I run a rootkit killer, GameMon.des and GameMon64.des terminate, but the game is still running (lol).
After terminating them I can see the game again..

But I can't see the service! Maybe also hidden? Are hidden services possible?

With process ID brute force you can get the hidden processes (or through CSRSS process handle enumeration); is it possible to get hidden services with some similar techniques?
I was thinking about something like the process handle enumeration, but enumerating processes with the NtControlPipe handle.

Possible?
I am just making some notes and thinking about theoretical ways of detecting hidden services. If I am wrong, then correct me please :)


Why did I come up with a hidden service?
I avoided CreateMutexA to have the possibility to start the client a few times; when I run a rootkit killer, GameMon.des and GameMon64.des get terminated, and the game is still running.
But when I try to start the client again, my Internet Explorer opens with a FAQ of GameGuard. It says that one service per game is possible and such things. So the service should be hidden..

If I am missing something then mention it please :)
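Post #4 asks whether the process ID brute force trick can reveal processes that a rootkit-style hook hides from the normal process list. As an added example (my own code, not from the thread, GameGuard or INCA Internet), here is a PowerShell host-inspection script that implements that check: it opens every possible PID directly and reports the ones that exist but never appear in Get-Process. It assumes a Windows host with PowerShell 5 or later; the Win32.Native type name and the function names are my own.

```powershell
# Added example, not code from the thread: flag processes that answer to
# OpenProcess but are missing from the normal process list. A hook on the
# enumeration API (NtQuerySystemInformation) hides a PID from Task Manager and
# Get-Process, but the kernel object still exists, so opening the PID directly
# still succeeds (or fails with "access denied", which also proves it exists).
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
'@

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
$ERROR_ACCESS_DENIED = 5

function Get-VisiblePids {
    # The "official" list: this is what a hooked enumeration API would filter.
    $set = @{}
    foreach ($p in Get-Process) { $set[[uint32]$p.Id] = $true }
    return $set
}

function Test-PidExists([uint32]$ProcessId) {
    $h = [Win32.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($h -ne [IntPtr]::Zero) {
        [void][Win32.Native]::CloseHandle($h)
        return $true
    }
    # Access denied still proves the PID exists (e.g. a protected process);
    # ERROR_INVALID_PARAMETER (87) means there is no such process at all.
    return ([System.Runtime.InteropServices.Marshal]::GetLastWin32Error() -eq $ERROR_ACCESS_DENIED)
}

function Find-HiddenPids([uint32]$MaxPid = 65536) {
    $before = Get-VisiblePids
    $candidates = @()
    # Windows PIDs are multiples of 4; 0 and 4 are Idle and System, skip them.
    for ($candidate = 8; $candidate -lt $MaxPid; $candidate += 4) {
        if ((Test-PidExists $candidate) -and -not $before.ContainsKey([uint32]$candidate)) {
            $candidates += [uint32]$candidate
        }
    }
    # Re-snapshot so a process that was merely created during the scan (race)
    # is not reported as "hidden".
    $after = Get-VisiblePids
    return $candidates | Where-Object { -not $after.ContainsKey($_) }
}

$hidden = @(Find-HiddenPids)
if ($hidden.Count -eq 0) {
    Write-Host "No PIDs reachable via OpenProcess are missing from the process list."
} else {
    Write-Host "PIDs that open but are not enumerated (possible hidden processes):"
    $hidden | ForEach-Object { Write-Host ("  PID {0}" -f $_) }
}
```

Run it from an elevated prompt for the best coverage. Two caveats: the result is only as trustworthy as the ntdll.dll/kernel32.dll loaded into the inspecting process, since post #1 lists OpenProcess and NtOpenProcess among the hooked exports, so user-mode checks like this one are a first triage step and a kernel-level or handle-table based enumeration is the stronger confirmation; and PIDs above the scanned range or processes you can neither open nor get "access denied" for will not be found.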
11/02/2013 13:43 Tension#5
I don't think that there is a hidden service (I don't know if it's possible either..).
11/02/2013 14:33 XxharCs#6
Ah, I failed, it has some shorter name than nProtect... And it isn't running o.ô

Hmm, then I don't understand something. The game is running without the service, without GameGuard, but is still detecting things and says that GameGuard is running?
11/02/2013 15:21 Tension#7
Yeah, had that problem too.
The game starts GameGuard more than one time.
11/02/2013 16:19 MrSm!th#8
Killing the rootkit actually means killing the service. The service probably hides itself. But it's interesting that the game process seems to be hidden by user-mode code.


Btw. Why is it funny that the game is not terminated?
11/02/2013 18:03 XxharCs#9
Quote:
Originally Posted by MrSm!th View Post
Btw. Why is it funny that the game is not terminated?
Shouldn't the game terminate after some time because the service isn't running and GameGuard is terminated?
Or is it still running because there is still some hidden GG service running?
11/02/2013 19:28 Tension#10
I think they don't need to close the game, because if the heartbeat communication between the server, client and GameGuard is disabled, the client is not able to connect to the server.
11/03/2013 01:28 MrSm!th#11
Quote:
Originally Posted by XxharCs View Post
Shouldn't the game terminate after some time because the service isn't running and GameGuard is terminated?
Or is it still running because there is still some hidden GG service running?
I don't know the time interval. It doesn't have to terminate immediately.
In addition, the processes you kill sound like monitoring/notification processes; the game might not really need them to be protected.