Kernel drivers shipped with computer games to protect the integrity of the game files and to verify that players are legitimate are not uncommon. Several reviews of the best-known such drivers have been published previously, for example nProtect GameGuard and Blizzard Lockdown. For their own purposes, such drivers may intercept API calls at the Windows kernel level, continuously scan the virtual address space of processes, track access to the system registry, and so on.

A few days ago, Capcom notified its users of an update to its anti-cheat driver (Capcom.sys), which monitors the integrity of the game files and guards the memory of the game process against tampering in order to prevent cheating. However, the update held an unpleasant surprise in one of the driver's functions: it disables the kernel's SMEP protection and then executes code at a pointer supplied from user mode.
SMEP (Supervisor Mode Execution Prevention) is by now a fairly well-known mitigation, about which several reviews have been written. It requires support from both the processor and the OS (Windows 8 and later). SMEP blocks the execution of user-mode (Ring 3) pages while the processor is running in kernel mode (Ring 0). Strange as it may seem (kernel-mode code is the most privileged and can access all memory in the system), this makes SMEP an effective measure against LPE (local privilege escalation) exploits, which often transfer control to a code block located in the user part of the virtual address space.
Windows drivers interact with clients in Ring 3 through an interface called IOCTL (I/O control). The driver registers a handler with the Windows kernel, which user-mode code reaches through the well-known API function DeviceIoControl. When calling this API, the application passes the code of the requested function and specifies the input and output memory buffers used to pass arguments and receive the result.
The new Capcom.sys update uses the IOCTL interface and exposes two functions with codes 0xAA012044 and 0xAA013044. The peculiarity of these functions is that they let a user-mode client execute code in kernel mode at a pointer received from user mode, disabling SMEP beforehand. After the function has run, SMEP is turned back on by setting the corresponding bit of the CR4 register. Obviously, SMEP is disabled precisely so that code residing in user mode can be executed in kernel mode.

Fig. Capcom.sys function that executes the function specified in the IOCTL request with SMEP disabled.
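When auditing a driver interface like this one, a reviewer first decodes each control code into the fields Windows packs into it (device type, function number, transfer method and required access) to see who can reach the handler and how buffers are passed. The following decoder is an added example, not part of the original article or of Capcom's driver; it follows the layout of the Windows CTL_CODE macro and applies it to the two codes named above.

```python
# Decode Windows I/O control codes as packed by the CTL_CODE macro:
#   bits 31..16 device type, bits 15..14 required access,
#   bits 13..2  function number, bits 1..0 transfer method.
from dataclasses import dataclass

METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}


@dataclass(frozen=True)
class Ioctl:
    code: int
    device_type: int
    function: int
    method: str
    access: str

    def review_notes(self):
        """Properties worth flagging before reading the handler itself."""
        notes = []
        if self.access == "FILE_ANY_ACCESS":
            notes.append("no access check: reachable by any caller that can open the device")
        if self.method == "METHOD_NEITHER":
            notes.append("raw user pointers: handler must probe and validate them")
        return notes


def decode_ioctl(code):
    """Split a 32-bit control code into its CTL_CODE fields."""
    if not 0 <= code <= 0xFFFFFFFF:
        raise ValueError("IOCTL codes are 32-bit values")
    return Ioctl(code=code,
                 device_type=(code >> 16) & 0xFFFF,
                 function=(code >> 2) & 0xFFF,
                 method=METHODS[code & 0x3],
                 access=ACCESS[(code >> 14) & 0x3])


def describe(code):
    """One audit line per control code, with review notes appended."""
    i = decode_ioctl(code)
    line = (f"0x{i.code:08X}: device=0x{i.device_type:04X} "
            f"function=0x{i.function:03X} {i.method} {i.access}")
    notes = i.review_notes()
    return line + (f" [{'; '.join(notes)}]" if notes else "")


# The two control codes the article names for Capcom.sys.
CAPCOM_IOCTLS = (0xAA012044, 0xAA013044)

if __name__ == "__main__":
    for c in CAPCOM_IOCTLS:
        print(describe(c))
```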
Since this game driver is digitally signed and yet exposes such a dangerous interface to user mode, it effectively creates a backdoor in the system: third-party code that can open the device can use the driver to execute its own code in Ring 0.
Capcom has already released a game update that closes the vulnerability.
If you are on the street, you’ll have to go. We will update you for a PC rollback solution soon.