nProtect GameGuard kind of Rootkit?

Discussion on nProtect GameGuard kind of Rootkit? within the General Coding forum part of the Coders Den category.

Reply
 
Old   #1
 
XxharCs's Avatar
 
elite*gold: 34
Join Date: Apr 2011
Posts: 1,475
Received Thanks: 1,228
nProtect GameGuard kind of Rootkit?

Hello,
I hit on the anti-cheat system GameGuard. It seems to be much more powerful than HS or some other anti-cheat systems.

As far as I could see, GameGuard hides itself and the game. (You can't see them anymore in Task Manager, Process Manager, ...)

After some researching I came up with the finding that GameGuard is a kind of rootkit itself, and injects itself into every process(!) on your system that is running.
=> If a process disappears and injects itself into every process, then that is rootkit behaviour, isn't it?

Also my antimalware pops up when I am starting the game that is using GameGuard:



So I started some reverse engineering on GameMon.des and came up with this info:
It hooks a lot of API functions..
Code:
Ring3:

advapi32.dll:
CreateProcessWithLogonW

gdi32.dll:
GetPixel

kernel32.dll:
CreateProcessInternalW
DebugActiveProcess
DeviceIoControl
GetProcAddress
LoadLibraryExW
MapViewOfFile
MapViewOfFileEx
MoveFileW
OpenProcess
ReadProcessMemory
VirtualProtect
VirtualProtectEx
WriteProcessMemory

ntdll.dll:
NtLoadDriver
NtOpenProcess
NtProtectVirtualMemory
NtQuerySystemInformatio
NtReadVirtualMemory
NtSuspendProcess
NtSuspendThread
NtTerminateProcess
NtTerminateThread
NtWriteVirtualMemory
RtlGetNativeSystemInfor
ZwLoadDriver
ZwOpenProcess
ZwProtectVirtualMemory
ZwQuerySystemInformatio
ZwReadVirtualMemory
ZwSuspendProcess
ZwSuspendThread
ZwTerminateProcess
ZwTerminateThread
ZwWriteVirtualMemory

user32.dll:
GetWindowThreadProcessI
PostMessageA
PostMessageW
SendInput
SendMessageA
SendMessageW
SetCursorPos
SetWindowsHookExA
SetWindowsHookExW
keybd_event
mouse_event
//--------------------------
Ring0:

NtConnectPort
ZwConnectPort
NtOpenProcess
ZwOpenProcess
NtProtectVirtualMemory
ZwProtectVirtualMemory
NtReadVirtualMemory
ZwReadVirtualMemory
NtWriteVirtualMemory
ZwWriteVirtualMemory
SendInput

How do I get into this kind of system, if it's a kind of rootkit?
Is there a need to write a driver?
Or how?

Thanks
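A practical check for the Ring3 half of that list, added here as an example; it is not code from the post and not GameGuard's code. The idea: read the first bytes of each export and see whether a detour has been written over the prologue. The classifier recognises the usual trampoline shapes (E9 rel32, FF 25 indirect jmp, push/ret, mov eax/jmp eax, mov rax/jmp rax) and reports whether the destination lies outside the DLL that exports the function, which is the stronger signal, since an intra-module jmp can be a legitimate thunk. The Windows-specific scan is compiled only on Windows; its module/function table is an illustrative subset of the list above. One caveat grounded in the list itself: GetProcAddress is on it, so a scanner that trusts GetProcAddress can be lied to. The robust variant walks the export directory by hand and compares the in-memory bytes with the on-disk copy of the DLL; that comparison is left out here to keep the example short.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* What the first instruction(s) of an exported function look like. */
typedef enum {
    HOOK_NONE = 0,     /* ordinary prologue, e.g. mov edi,edi / push ebp           */
    HOOK_JMP_REL32,    /* E9 rel32                 (x86 and x64)                    */
    HOOK_JMP_IND32,    /* FF 25 disp32: jmp [slot] (x86 absolute, x64 RIP-relative) */
    HOOK_PUSH_RET,     /* 68 imm32 C3              (x86)                            */
    HOOK_MOV_EAX_JMP,  /* B8 imm32 FF E0           (x86)                            */
    HOOK_MOV_RAX_JMP   /* 48 B8 imm64 FF E0        (x64)                            */
} hook_kind;

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static uint64_t rd64(const uint8_t *p)
{
    return (uint64_t)rd32(p) | (uint64_t)rd32(p + 4) << 32;
}

/* Classify the bytes p[0..n) that sit at virtual address addr.
 * On a hit, *target receives where the detour transfers control. For
 * HOOK_JMP_IND32 it is the address of the pointer slot, not the final
 * destination, because the slot's contents are not part of p[]. */
hook_kind classify_prologue(const uint8_t *p, size_t n, uint64_t addr, int is64, uint64_t *target)
{
    *target = 0;
    if (n >= 5 && p[0] == 0xE9) {
        *target = addr + 5 + (uint64_t)(int64_t)(int32_t)rd32(p + 1);
        return HOOK_JMP_REL32;
    }
    if (n >= 6 && p[0] == 0xFF && p[1] == 0x25) {
        uint32_t disp = rd32(p + 2);
        *target = is64 ? addr + 6 + (uint64_t)(int64_t)(int32_t)disp : disp;
        return HOOK_JMP_IND32;
    }
    if (n >= 6 && p[0] == 0x68 && p[5] == 0xC3) {
        *target = rd32(p + 1);
        return HOOK_PUSH_RET;
    }
    if (n >= 7 && p[0] == 0xB8 && p[5] == 0xFF && p[6] == 0xE0) {
        *target = rd32(p + 1);
        return HOOK_MOV_EAX_JMP;
    }
    if (n >= 12 && p[0] == 0x48 && p[1] == 0xB8 && p[10] == 0xFF && p[11] == 0xE0) {
        *target = rd64(p + 2);
        return HOOK_MOV_RAX_JMP;
    }
    return HOOK_NONE;
}

/* A detour whose destination lies outside the exporting DLL is the strongest
 * signal; a jmp that stays inside the image may be a legitimate thunk. */
int target_outside_module(uint64_t target, uint64_t base, uint64_t size)
{
    return target < base || target >= base + size;
}

#ifdef _WIN32
#include <windows.h>

/* Illustrative subset of the Ring3 list in the post; extend as needed. */
static const struct { const char *mod, *fn; } checks[] = {
    { "kernel32.dll", "OpenProcess" },        { "kernel32.dll", "ReadProcessMemory" },
    { "kernel32.dll", "WriteProcessMemory" }, { "ntdll.dll",    "NtOpenProcess" },
    { "ntdll.dll", "NtQuerySystemInformation" }, { "user32.dll", "SetWindowsHookExW" },
};

int main(void)
{
    for (size_t i = 0; i < sizeof checks / sizeof checks[0]; i++) {
        HMODULE h = GetModuleHandleA(checks[i].mod);
        if (!h) h = LoadLibraryA(checks[i].mod);
        /* Caveat: GetProcAddress is itself on the hooked list, so a hooked copy
         * could return a decoy; a paranoid scanner walks the export directory. */
        FARPROC f = h ? GetProcAddress(h, checks[i].fn) : NULL;
        if (!f) { printf("%s!%s: not found\n", checks[i].mod, checks[i].fn); continue; }
        const IMAGE_DOS_HEADER *dos = (const IMAGE_DOS_HEADER *)h;
        const IMAGE_NT_HEADERS *nt = (const IMAGE_NT_HEADERS *)((const uint8_t *)h + dos->e_lfanew);
        uint64_t base = (uint64_t)(uintptr_t)h, size = nt->OptionalHeader.SizeOfImage, tgt;
        hook_kind k = classify_prologue((const uint8_t *)f, 16, (uint64_t)(uintptr_t)f,
                                        sizeof(void *) == 8, &tgt);
        if (k == HOOK_NONE) { printf("%s!%s: clean prologue\n", checks[i].mod, checks[i].fn); continue; }
        printf("%s!%s: detour -> 0x%llx (%s)\n", checks[i].mod, checks[i].fn, (unsigned long long)tgt,
               target_outside_module(tgt, base, size) ? "outside module" : "inside module");
    }
    return 0;
}
#endif
```

Run it from a process that has GameGuard's DLL in it (the post says every process gets injected) and from one that does not, and diff the two reports; the functions that turn from "clean prologue" into "detour -> outside module" are the user-mode hooks.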

#2 | Tension | 11/01/2013, 22:29

Quote:
nProtect GameGuard (sometimes called GG) is an anti-cheating root kit developed by INCA Internet
Source: Wikipedia, nProtect GameGuard

I think you want to write a bypass, right?
I've found an interesting e-book from E.T (Google it),
but I don't know if they changed GameGuard since the release of it (how it works).
Defeating it is no problem, but you have to emulate the heartbeat. I've already tried to get into GameGuard, but I'm not good at unpacking, so I've used a dump. I would like to share more about GameGuard soon, because I think it's a really interesting topic for me.

#3 | MrSm!th | 11/02/2013, 00:47

That's kind of standard for most anti-cheats.

There is most likely a driver for x86 systems, so yes, you either need a driver or you have to block GG's driver and emulate it / patch the keep-alive checks (since it's not going to be the case that the game won't check whether the driver is still alive).
On x64 it probably injects a DLL into every process to do the necessary hooks, so it's a bit easier there.
Although that might be wrong. Wiselogic (XTrap devs) already signed their driver so that it can be loaded on x64 systems as well.

#4 | XxharCs | 11/02/2013, 13:22

The funny thing is that when I run a rootkit killer, GameMon.des and GameMon64.des terminate, but the game is still running (lol).
After terminating them I can see the game again..

But I can't see the service! Maybe it is also hidden? Are hidden services possible?

With process ID brute force you can get the hidden processes (or through CSRSS process handle enumeration); is it possible to get hidden services with some similar technique?
I was thinking about something like the process handle enumeration, but enumerating processes with the NtControlPipe handle.

Possible?
I am just making some notes and thinking about theoretical ways of detecting hidden services. If I am wrong, then please correct me.


Why did I come up with a hidden service?
I avoided CreateMutexA to have the possibility to start the client a few times; when I run a rootkit killer, GameMon.des and GameMon64.des get terminated, and the game is still running.
But when I try to start the client again, my Internet Explorer opens with a FAQ of GameGuard. It says that only one service per game is possible and such things. So the service should be hidden..

If I am missing something, then please mention it ):
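The process ID brute force mentioned above, written out as an added example (not the poster's code): probe every multiple of 4 with OpenProcess, compare the answers against a Toolhelp snapshot, and take a second snapshot afterwards so that a process which started in between is not reported as hidden. Two assumptions are marked in the comments: PIDs are searched only below 0x10000, and a reply of ERROR_ACCESS_DENIED is counted as "exists" (a protected process refuses the handle but is still there). The caveat follows directly from the Ring3 list in post #1: OpenProcess/NtOpenProcess and NtQuerySystemInformation (which backs the snapshot) are all hooked, so run this from a process GameGuard has not injected into; inside an injected process both sides of the comparison go through the same hooks and the diff tells you nothing. The CSRSS handle enumeration alternative is not implemented here. The portable set-difference part compiles anywhere; the probing itself is compiled only on Windows.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Portable part: PIDs that answered a probe (found[]) versus PIDs the normal
 * enumeration returned (listed[]). Whatever only the probe saw is a candidate
 * hidden process. Returns how many PIDs were written to out[] (at most cap). */
size_t hidden_pids(const uint32_t *found, size_t nf,
                   const uint32_t *listed, size_t nl,
                   uint32_t *out, size_t cap)
{
    size_t written = 0;
    for (size_t i = 0; i < nf && written < cap; i++) {
        int seen = 0;
        for (size_t j = 0; j < nl; j++)
            if (listed[j] == found[i]) { seen = 1; break; }
        if (!seen) out[written++] = found[i];
    }
    return written;
}

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>

/* The "normal" list. CreateToolhelp32Snapshot is backed by
 * NtQuerySystemInformation, which is on the Ring3 hook list in post #1,
 * so entries can be filtered out of this view by a user-mode hook. */
static size_t snapshot_pids(uint32_t *out, size_t cap)
{
    size_t n = 0;
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE) return 0;
    PROCESSENTRY32 pe;
    pe.dwSize = sizeof pe;
    if (Process32First(snap, &pe))
        do { if (n < cap) out[n++] = pe.th32ProcessID; } while (Process32Next(snap, &pe));
    CloseHandle(snap);
    return n;
}

/* Probe one PID. A handle proves existence; so does ERROR_ACCESS_DENIED
 * (assumption: a protected process exists but refuses us), whereas
 * ERROR_INVALID_PARAMETER means there is no such process. */
static int pid_exists(uint32_t pid)
{
    HANDLE h = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, FALSE, pid);
    if (h) { CloseHandle(h); return 1; }
    return GetLastError() == ERROR_ACCESS_DENIED;
}

int main(void)
{
    static uint32_t before[4096], after[4096], found[4096], cand[64], hidden[64];
    size_t nb = snapshot_pids(before, 4096), nf = 0;

    /* Assumptions: PIDs are multiples of 4 (hence the stride) and, for this
     * example, stay below 0x10000; raise the bound on a busy system. */
    for (uint32_t pid = 4; pid < 0x10000 && nf < 4096; pid += 4)
        if (pid_exists(pid)) found[nf++] = pid;

    /* Candidates: answered the probe but were absent from the first snapshot. */
    size_t nc = hidden_pids(found, nf, before, nb, cand, 64);

    /* Second snapshot: a process created after the first snapshot shows up
     * here and is dropped; what remains was never listed at all. */
    size_t na = snapshot_pids(after, 4096);
    size_t nh = hidden_pids(cand, nc, after, na, hidden, 64);

    printf("%zu listed, %zu answered OpenProcess, %zu never listed\n", nb, nf, nh);
    for (size_t i = 0; i < nh; i++)
        printf("PID %u exists but is missing from both snapshots\n", hidden[i]);
    return 0;
}
#endif
```

A PID reported here is worth a second look with a tool that does not share the hooked process's view of the system (a kernel-side enumeration, or the CSRSS handle walk the post mentions), since the brute force only proves that the object exists, not what it is.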

#5 | Tension | 11/02/2013, 13:43

I don't think that there is a hidden service (I don't know if it's possible either..).

#6 | XxharCs | 11/02/2013, 14:33

Ah, I failed, it has a shorter name than nProtect... And it isn't running o.ô


Hmm, then I don't understand something. The game is running without the service, without GameGuard, but it is still detecting things and says that GameGuard is running?

#7 | Tension | 11/02/2013, 15:21

Yeah, I had that problem too.
The game starts GameGuard more than once.

#8 | MrSm!th | 11/02/2013, 16:19

Killing the rootkit actually means killing the service. The service probably hides itself. But it's interesting that the game process seems to be hidden by usermode code.


Btw. Why is it funny that the game is not terminated?

#9 | XxharCs | 11/02/2013, 18:03

Quote:
Originally Posted by MrSm!th
Btw. Why is it funny that the game is not terminated?

Shouldn't the game terminate after some time because the service isn't running and GameGuard is terminated?
Or is it still running because there is still some hidden GG service running?

#10 | Tension | 11/02/2013, 19:28

I think they don't need to close the game, because if the heartbeat communication between the server, client and GameGuard is disabled, the client is not able to connect to the server.

#11 | MrSm!th | 11/03/2013, 01:28

Quote:
Originally Posted by XxharCs
Shouldn't the game terminate after some time because the service isn't running and GameGuard is terminated?
Or is it still running because there is still some hidden GG service running?

I don't know the time interval. It doesn't have to terminate immediately.
In addition, the processes you kill sound like monitoring/notification processes; the game might not really need them to be protected.