#1
Hi again, everyone here.
Today I've conducted my own investigation into an application called nProtect Gameguard which is bundled along with some popular multiplayer online games. Here's how it went: I downloaded a mog MapleStory from www.maplesea.com and tried to confirm my suspicions of nProtect Gameguard functioning as a rootkit, according to several sources. http://72.14.235.104/search?q=cache:...ient=firefox-a

Now, as most people know, rootkits can cloak themselves, files, processes in windows task manager, you name it... I attempted rootkit detectors like unhackme and sysinternal's RKR but no suspects showed up. I then first decided to check the program's behaviour. Before starting the game (after logging on to windows), I made a check of the total number of processes inside task manager.

BEFORE - 42
AFTER launch - 42 --> (+the game should be more than 42, right?)

Now I was puzzled. Shouldn't the game, just like all other programs on the comp, have visible processes inside windows task manager? This immediately raised my suspicion of gameguard. All the info I have points to gameguard. Some sites describe gameguard as being capable of hiding the game application process; head on, this is rootkit behaviour, hiding a process from being visible in task manager.

Next, I turned to diamondcs's free progs. Upon running openports.exe, it somehow managed to show the game's application process, details as follows:

```
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\nadirah>"C:\WINDOWS\Downloaded Installations\openports.exe"
DiamondCS OpenPorts v1.0 (-? for help)
Copyright (C) 2003, DiamondCS - http://www.diamondcs.com.au/openports/
Free for personal and educational use only. See openports.txt for more details.
_______________________________________________________________________________
SYSTEM [4]
    TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
    TCP 202.156.115.138:139 0.0.0.0:0 LISTENING
    UDP 202.156.115.138:138 0.0.0.0:0 LISTENING
    UDP 202.156.115.138:137 0.0.0.0:0 LISTENING
    UDP 0.0.0.0:445 0.0.0.0:0 LISTENING
MapleStory.exe [636]
    TCP 202.156.115.138:3513 203.116.196.8:8484 ESTABLISHED
lsass.exe [748]
    UDP 0.0.0.0:500 0.0.0.0:0 LISTENING
    UDP 0.0.0.0:4500 0.0.0.0:0 LISTENING
svchost.exe [960]
    TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
smc.exe [1180]
    UDP 127.0.0.1:1029 0.0.0.0:0 LISTENING
    UDP 0.0.0.0:1028 0.0.0.0:0 LISTENING
svchost.exe [1300]
    UDP 0.0.0.0:1179 0.0.0.0:0 LISTENING
    UDP 0.0.0.0:1032 0.0.0.0:0 LISTENING
    UDP 0.0.0.0:1695 0.0.0.0:0 LISTENING
    UDP 0.0.0.0:1025 0.0.0.0:0 LISTENING
firefox.exe [1748]
    TCP 127.0.0.1:3514 127.0.0.1:3515 ESTABLISHED
    TCP 127.0.0.1:3515 127.0.0.1:3514 ESTABLISHED
ashMaiSv.exe [2180]
    TCP 127.0.0.1:12143 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:12110 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:12025 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:12119 0.0.0.0:0 LISTENING
ashWebSv.exe [2248]
    TCP 127.0.0.1:12080 0.0.0.0:0 LISTENING
```
#2
I'm dividing this thread up into several parts, don't wanna make an extremely long post.
Next I used Advanced Process Manipulation. I found out through this program that gameguard injects itself into nearly all the running processes on my computer. Even security programs like Javacool's SpywareGuard may be compromised. Another sickening thing is: I had to risk turning off ProcessGuard just to do this check. It is just like what Wayne said about Gunbound in 2004. Result from this program: Gameguard injects itself into all the running processes on the computer. See my screenshot.

Last edited by Bubba : June 22nd, 2006 at 04:28 PM. Reason: cropped pic
#3
Then I tried searching for registry keys, whatever was related to nprotect gameguard.

Regedit - Negative.

Next step, I used cmdline.exe:

```
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\nadirah>"C:\WINDOWS\Downloaded Installations\cmdline.exe"
DiamondCS Commandline Retrieval Tool for Windows NT4/2K/XP
Copyright (C) 2003, DiamondCS - http://www.diamondcs.com.au
---
4 - ƒ
    <Error> Unable to read memory from PID 4
588 - \SystemRoot\System32\smss.exe
    <Error> Unable to read memory from PID 588
644 - \??\C:\WINDOWS\system32\csrss.exe
    <Error> Unable to read memory from PID 644
668 - \??\C:\WINDOWS\system32\winlogon.exe
    winlogon.exe
712 - C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\services.exe
748 - C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\lsass.exe
880 - C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
960 - C:\WINDOWS\system32\svchost.exe
    <Error> Unable to read memory from PID 960
1056 - C:\Program Files\geswall\gswserv.exe
    "C:\Program Files\geswall\gswserv.exe"
1128 - C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
1180 - C:\Program Files\Sygate\SPF\smc.exe
    "C:\Program Files\Sygate\SPF\smc.exe"
1300 - C:\WINDOWS\System32\svchost.exe
    <Error> Unable to read memory from PID 1300
1356 - C:\WINDOWS\System32\svchost.exe
    <Error> Unable to read memory from PID 1356
1620 - C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\spoolsv.exe
1684 - C:\Program Files\geswall\gswui.exe
    "C:\Program Files\geswall\gswui.exe"
1728 - C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\Explorer.EXE
1848 - C:\WINDOWS\system32\igfxtray.exe
    "C:\WINDOWS\system32\igfxtray.exe"
1864 - C:\WINDOWS\system32\hkcmd.exe
    "C:\WINDOWS\system32\hkcmd.exe"
1932 - C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe"
1940 - C:\Program Files\ProcessGuard\pgaccount.exe
    "C:\Program Files\ProcessGuard\pgaccount.exe"
1952 - C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
2016 - C:\WINDOWS\system32\ctfmon.exe
    "C:\WINDOWS\system32\ctfmon.exe"
2040 - C:\Program Files\ProcessGuard\procguard.exe
    "C:\Program Files\ProcessGuard\procguard.exe" -minimize
120 - C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
    C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe -Embedding
216 - C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
    "C:\Program
228 - C:\Program Files\SpywareGuard\sgmain.exe
    "C:\Program Files\SpywareGuard\sgmain.exe"
440 - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"
456 - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    "C:\Program Files\Alwil Software\Avast4\ashServ.exe"
488 - C:\Program Files\ProcessGuard\dcsuserprot.exe
    "C:\Program Files\ProcessGuard\dcsuserprot.exe"
540 - C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"
620 - C:\Program Files\SpywareGuard\sgbhp.exe
    "C:\Program Files\SpywareGuard\sgbhp.exe"
888 - C:\WINDOWS\system32\slserv.exe
    slserv.exe
1212 - C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
1292 - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
    "C:\Program Files\Raxco\PerfectDisk\PDSched.exe"
1368 - C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
1720 - C:\WINDOWS\system32\hpoipm07.exe
    hpoipm07.exe
2180 - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service
2212 - C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
    "C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe" /DeviceID 11506 42229 /Startup
2248 - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service
2568 - C:\WINDOWS\System32\wbem\wmiprvse.exe
    <Error> Unable to read memory from PID 2568
152 - C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe -k usnsvc
1724 - C:\Program Files\Eraser\eraser.exe
    "C:\Program Files\Eraser\eraser.exe"
1748 - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
3176 - C:\WINDOWS\system32\cmd.exe
    "C:\WINDOWS\system32\cmd.exe"
```

What's suspicious here is that some lines say: Error reading memory from PID [xxxx]. I'm wondering if gameguard, through its process-injection method, intercepts reads to memory in some way. And also, MapleStory.exe is not in this list too! Its application process could only be unearthed by checking out all the current active network connections on my system. Therefore I'm appealing to other experienced computer guys/experts to please help me in investigating what nProtect Gameguard does to some operating system functions, and what techniques it employs. This sneaky but cunning little program, which is passed off by some game authors as 'software designed to protect the game client from cheating/hacking by game players and modifications to the game client', obviously is nothing decent. It was designed to protect the game at the expense of altering core system functions. And, the very first spark that set this whole thing off was its method of HIDING a process and concealing it from windows task manager.
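The two posts above compare what OpenPorts shows (a PID with an established socket) with what cmdline.exe enumerates (no such PID, plus several "Unable to read memory" entries). That comparison is a cross-view check, the basic way hidden processes are found: enumerate the same machine through two independent views and diff them. The script below, an added example and not a tool or output from this thread, parses text in the two layouts shown above and reports PIDs that have connections but no process entry, and PIDs whose memory could not be read. Both samples are constructed to mirror the listings in the posts, trimmed and with each cmdline.exe entry folded onto one line; they are not captured from a live system.

```python
"""Cross-view process check over OpenPorts-style and cmdline.exe-style listings.

Added example; the samples are constructed, not captured output."""
import re

# Constructed OpenPorts-style listing: "name [pid]" header, then one
# connection per indented line. PID 636 mirrors the thread's finding.
OPENPORTS_SAMPLE = """\
SYSTEM [4]
    TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
MapleStory.exe [636]
    TCP 202.156.115.138:3513 203.116.196.8:8484 ESTABLISHED
lsass.exe [748]
    UDP 0.0.0.0:500 0.0.0.0:0 LISTENING
svchost.exe [960]
    TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
firefox.exe [1748]
    TCP 127.0.0.1:3514 127.0.0.1:3515 ESTABLISHED
"""

# Constructed cmdline.exe-style listing: "pid - image" followed by either the
# retrieved command line or the tool's error text, folded onto one line here.
CMDLINE_SAMPLE = r"""4 - <Error> Unable to read memory from PID 4
588 - \SystemRoot\System32\smss.exe <Error> Unable to read memory from PID 588
748 - C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\lsass.exe
960 - C:\WINDOWS\system32\svchost.exe <Error> Unable to read memory from PID 960
1748 - C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe"
"""

HEADER_RE = re.compile(r"^(\S+) \[(\d+)\]\s*$")
CONN_RE = re.compile(r"^\s+(TCP|UDP)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
CMDLINE_RE = re.compile(r"^(\d+) - (.*)$")
UNREADABLE = "Unable to read memory"


def parse_openports(text):
    """Return {pid: {"name": str, "connections": [(proto, local, remote, state)]}}."""
    procs, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = int(m.group(2))
            procs[current] = {"name": m.group(1), "connections": []}
            continue
        m = CONN_RE.match(line)
        if m and current is not None:
            procs[current]["connections"].append(m.groups())
    return procs


def parse_cmdline(text):
    """Return {pid: {"image": str, "readable": bool}} from cmdline.exe-style text."""
    procs = {}
    for line in text.splitlines():
        m = CMDLINE_RE.match(line)
        if not m:
            continue
        pid, rest = int(m.group(1)), m.group(2)
        readable = UNREADABLE not in rest
        if not readable:
            image = rest.split("<Error>")[0]      # image path precedes the error text
        elif ' "' in rest:
            image = rest[: rest.index(' "')]      # quoted command line follows the image
        else:
            image = rest.split(" ")[0]            # unquoted: image has no spaces
        procs[pid] = {"image": image.strip(), "readable": readable}
    return procs


def cross_view(openports_text, cmdline_text):
    """Report PIDs with sockets but no process entry, and PIDs with unreadable memory."""
    net = parse_openports(openports_text)
    listed = parse_cmdline(cmdline_text)
    hidden = sorted((pid, info["name"]) for pid, info in net.items()
                    if info["connections"] and pid not in listed)
    unreadable = sorted((pid, info["image"]) for pid, info in listed.items()
                        if not info["readable"])
    return {"hidden": hidden, "unreadable": unreadable}


if __name__ == "__main__":
    report = cross_view(OPENPORTS_SAMPLE, CMDLINE_SAMPLE)
    for pid, name in report["hidden"]:
        print(f"PID {pid} ({name}) has sockets but is missing from the process list")
    for pid, image in report["unreadable"]:
        print(f"PID {pid} ({image or 'unknown image'}) memory could not be read")
```

On the constructed samples the report names PID 636 as hidden and PIDs 4, 588 and 960 as unreadable. On a real machine, unreadable memory for PID 4 (System) and smss.exe is normal for a non-privileged reader, so a practitioner compares against a baseline taken without the game running before treating those entries as evidence.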
#4
Hello,
Best way to find out if something is rootkitting. Boot with BartPE CD, and compare the active partition files and folders listing with that you get when you boot from C. You will be able to see all and any that is hidden, cloaked or rooted. And if so, I leave the decisions about what to do to you. Mrk
__________________
http://www.dedoimedo.com All your base are belong to us Linux Systems Expert / Systems Programmer, Linux System Administrator, LPIC-1, LPIC-2 (WIP), GSEC sudo /etc/init.d/windows restart
#5
I found out gameguard tries to terminate smss.exe every time I start the game.
When I discovered gameguard modifying my software (such as NOD32, etc.), I stopped playing games with gameguard.
#6
Quote:
What is smss.exe? Is smss.exe spyware or a virus?
Process name: Windows NT Session Manager
Product: Windows
Company: Microsoft
File: smss.exe
This is the session manager subsystem, which is responsible for starting the user session. This process is initiated by the system thread and is responsible for various activities, including launching the Winlogon and Win32 (Csrss.exe) processes and setting system variables. After it has launched these processes, it waits for either Winlogon or Csrss to end. If this happens "normally," the system shuts down; if it happens unexpectedly, Smss.exe causes the system to stop responding (hang).
Note: The smss.exe file is located in the C:\Windows\System32 folder. In other cases, smss.exe is a virus, spyware, trojan or worm!
Virus with same name: W32.Dalbug.Worm - Symantec Corporation; Adware.DreamAd - Symantec Corporation; W32.Resdoc - Symantec Corporation; Adware.Advision - Symantec Corporation; Backdoor.IRC.Flood.F - Symantec Corporation; Backdoor.IRC.Aladinz.O - Symantec Corporation; and more...

Obviously the gameguard developers provide low-quality software. It tries to terminate smss.exe because it thinks it's a virus or something suspicious; as you can see there are some viruses with the same name too, but located in different places other than system32. BTW ProcessGuard from www.diamondcs.com.au stops this from happening.
#7
Hi,
nProtect Gameguard is well known anti-cheater software. Simply said, it uses rootkit technology. However, its functionality requires this approach. Its goal is to protect the game from all kinds of cheater attack. This includes protection against manipulation of Gameguard's and the game's processes. nProtect uses rootkit technology to make working with these processes unpleasant. It hides processes and protects them against access by other applications. But its protection is not limited to process protection. Since it is used to protect online game clients, it relies on the Internet connection with the Gameguard server. It can be used by admins to capture screenshots from players' machines. It also scans running processes for "known patterns", so it behaves just like anti-spyware programs to identify known cheater programs. This is why it works with other processes on your system. But of course all these can be misused. You will never know whether the information from your computer that goes to Gameguard servers is only those in-game screenshots. There are many less or more paranoid scenarios you can think up. But since there is a stable channel between the Gameguard client and server, any kind of information from your computer can leave through it. On the other side, a lot of large game companies trust and use nProtect protection. The only question is whether you trust them.
__________________
David Matousek, founder of Matousec - Transparent security
#8
Well, it is very clear that nprotect gameguard is a program that utilises rootkit technology. Isn't this case similar to the sony rootkit saga?
This program is confirmed to be a rootkit. And on the other hand, do any legitimate computer security software programs use rootkit technology to achieve their targets?
#9
Quote:
Yes and no. No, because you can easily find information about how nProtect works on the vendor's site. Maybe something is also written in the EULA. Sony's EULA missed mentioning that this technology is used there. And another "No" argument is that Sony's rootkit was easily exploitable by malicious software to hide itself, but nProtect seems to protect only itself and the game and nothing else. This does not mean it can't protect malicious software, but at least it means that it is not easy or that it is not known in public. I don't know the EULA of nProtect so I can't say whether there is some "Yes" argument too. But it can be problematic of course.

Quote:
Yes, many. In fact every personal firewall and some antivirus software, as well as antirootkit detection and prevention software and also many other security software like some honeypots etc. Rootkit technology has been used for a long time; "rootkit technology" is just a modern term that is used for this kind of software activity. To prevent misunderstanding, it should be said that when talking about rootkit technology we do not mean only hiding but also methods like hooking etc.
__________________
David Matousek, founder of Matousec - Transparent security
#10
nProtect Gameguard does not have an EULA and I wonder why. In some cases it is bundled with the game application.
I think some games offer gameguard as a separate download while some bundle it together with the game client in 1 single download. Of all the programs I've tried out and tested over the years, I remember Gameguard the most because it's the ONLY program I've known that comes with no End User License Agreement. Is it because the developers are Korean and only know how to use basic English that they don't know how to produce an English EULA? I'm really curious about this issue.

Last edited by nadirah : June 27th, 2006 at 06:28 AM.
#11
I don't think so. The important thing here is to consider the relation between game developers and Gameguard. If Gameguard offers nProtect in the way it is integrated into the game, it needs no EULA and it is the responsibility of the game vendor to mention it in the EULA.
__________________
David Matousek, founder of Matousec - Transparent security
#12
Quote:
#13
Quote:
It was sarcasm. I think. It is a concern of mine as well, but Gunbound keeps me entertained, and I haven't had any privacy problems with it as of yet, so it will stay.
__________________
Windows Firewall, SandboxIE.
#14
KIS's proactive defense also warns about hidden objects in Gameguard.
#15
Quote:
My point was to say that the raw fact that something is hiding itself or some other objects (or you can call it "using rootkit technology") is not malicious. If Gameguard does only what it should, it is not malicious software, its behaviour is ok and the technology used is ok as well. The problem is that there is no easy way to verify that it does not do something more.
__________________
David Matousek, founder of Matousec - Transparent security
#16
Good point matousec.
But I think there is a way to see if it does something more. Throw on a packet sniffer to view everything that leaves the computer when nProtect is running. :T
__________________
Windows Firewall, SandboxIE.
#17
Quote:
I assumed encryption of its communication when I wrote my last post. One can hardly imagine such advanced protection software not using encrypted communication ...
__________________
David Matousek, founder of Matousec - Transparent security
#18
Ah, I apologize, I did not think a game protector would encrypt data. Wonder if anyone here can verify if it is indeed sending out bad info.
__________________
Windows Firewall, SandboxIE.
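Posts #16 to #18 above settle on sniffing the traffic and then note that an encrypted channel would make the captured bytes unreadable. A defender who has the capture can still tell readable from opaque traffic: byte entropy of the payload is close to 8 bits per byte for ciphertext or compressed data and well below that for plaintext protocols. The script below is an added example, not code or data from the thread. Its flow records are constructed: the game endpoint 203.116.196.8:8484 is taken from the OpenPorts listing in post #1, 198.51.100.7 is a documentation address, and the opaque payload is chained SHA-256 output standing in for ciphertext.

```python
"""Entropy screen over captured payloads, grouped by destination.

Added example with constructed flows; nothing here is a real capture."""
import hashlib
import math
from collections import Counter


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly spread bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pseudo_random_bytes(n, seed=b"constructed-sample"):
    """Deterministic high-entropy filler from chained SHA-256 digests (stands in for ciphertext)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed flow records: (source, destination, payload bytes).
PLAINTEXT_PAYLOAD = (b"GET /patch/version.txt HTTP/1.1\r\nHost: update.example.invalid\r\n"
                     b"User-Agent: constructed-sample\r\n\r\n") * 8
CONSTRUCTED_FLOWS = [
    ("202.156.115.138:3513", "203.116.196.8:8484", pseudo_random_bytes(2048)),
    ("202.156.115.138:3520", "198.51.100.7:80", PLAINTEXT_PAYLOAD),
]


def summarize_flows(flows, threshold=7.0, min_bytes=64):
    """Pool payload bytes per destination and flag destinations whose traffic
    looks encrypted or compressed (entropy at or above threshold)."""
    buckets = {}
    for _src, dst, payload in flows:
        buckets.setdefault(dst, bytearray()).extend(payload)
    report = {}
    for dst, data in buckets.items():
        ent = shannon_entropy(bytes(data))
        report[dst] = {
            "bytes": len(data),
            "entropy": round(ent, 2),
            # A short sample gives an unreliable estimate, so it is never flagged.
            "looks_encrypted": len(data) >= min_bytes and ent >= threshold,
        }
    return report


if __name__ == "__main__":
    for dst, info in summarize_flows(CONSTRUCTED_FLOWS).items():
        verdict = "likely encrypted/compressed" if info["looks_encrypted"] else "readable"
        print(f"{dst}: {info['bytes']} bytes, entropy {info['entropy']}, {verdict}")
```

High entropy only says the bytes are opaque, not what they contain; compressed patch data scores the same as ciphertext. What the check does give a defender is the list of destinations, the volume sent to each, and whether that volume is inspectable, which is enough to notice a channel carrying far more than in-game screenshots would need.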
#19
I wanted to add to the commentary about smss.exe and my experiences with NProtect.
I have a laptop that I use with Remote Desktop to connect to my main computer, which is in my home office. Frequently my son plays Lineage2 and I noticed that whenever he is playing or starts playing, the following oddities happen: programs I start or am using in Remote Desktop on my main computer close randomly; my Remote Desktop session closes; when I connect, his game freezes. This led me to my search for answers, which led me here. Thanks to the poster who posted about smss.exe, the Microsoft session manager. This is the answer. Because when you connect with the Remote Desktop client, you are initiating a user session, and this makes total sense now. However, I don't like it. It's a poorly implemented program. So now I can't use my computer while he's playing, and since he's only 8, he doesn't understand. Thanks for the site, hope the comments above are useful to someone else looking for answers. Cheers, Mark
#20
Just like the previous poster, I registered to thank you guys for that info!
The problem I had (and somehow still have) with nProtect is that whenever I lost connection with the server, Explorer and the taskbar would enter some kind of cucumber mode. The computer wouldn't freeze completely, but I couldn't log out/restart/shut down the computer, the task manager wouldn't respond to Ctrl+Alt+Del; basically a hard reset was required. ProcessGuard is now installed (thanks for the link!) and like LokiLoki, the program found out that nProtect would attempt to repeatedly terminate smss.exe; wonderful... However that freezing behaviour still persists, and is still linked to nProtect, though I haven't found out yet exactly how.

Last edited by DownWithGameGuard : July 8th, 2006 at 03:42 PM.
#21
Bumping with some additional info:
http://discussions.virtualdr.com/sho...ht=Maple+Story

"When gg starts up, it will create a temporary file (what everyone sees as dump_wmimmc.sys) sets up its hooks and then boot the game. If for any reason gg sees something it considers "threatening" it will call for a reboot. The crash you experience when quitting the game I believe starts out when the temp file is cancelled, yet the hooks remain. There's not really anything you can do as it's pretty much up to nProtect to fix this problem."

State-of-the-art software, really...
#22
Here is a log file from ProcessGuard 3.200 that shows what happens when you start a game protected by gameguard.
Code:
Last edited by snapdragin : July 16th, 2006 at 02:17 AM. Reason: log was too large so code tags added for ease of viewing
#23
Why gameguard wants to modify all running processes.
#24
As mentioned earlier in this thread, ProcessGuard can stop gameguard from modifying, terminating or reading some processes on your computer.
I want to say something more about this program. nProtect Gameguard may be legitimate or not, I'm not so sure myself. But as with the issue with smss.exe, I honestly believe any person who reads this thread now or in the future will realise that it's simply not worth the while having such programs on their systems at all. Simply because its developers are very selfish people, especially those game developers who have partnerships with inca. And it seems that INCA's employees are not good in English, but that's not important at all; what's important here is what the heck do their programs do. If gameguard is so pathetic and stupid as to just terminate smss.exe or any other legitimate process without checking, just because it's considered suspicious by the game author and inca, it just goes to show what a lousy program they've chosen to implement in their game products. The fact that it can be stopped by other quality security products means that it is useless and ruptured. And just to add on more important details, using a disassembly program like IDA Pro from www.datarescue.com shows something about gameguard and the game client. The imports segment of this/the file is destroyed. This means that it may have been packed in such a way that makes it more difficult to analyse.....it may contain malware...... The verdict: Don't use it. Gameguard operates in a selfish manner, just like the people who made it.
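The "destroyed imports segment" the post above describes is what a disassembler shows for a packed executable: the packer keeps its own tiny import list and resolves the real one at run time, so the import directory in the headers is empty or points nowhere useful, and the unpacking target is a section with a large virtual size but no data on disk. Those two signs can be read straight from the PE headers without running anything. The script below is an added example and not the thread's analysis; it builds two small PE32 images in memory with a hypothetical `build_pe` helper (one conventional, one shaped like a packed file) and reports the indicators for each. No real game or GameGuard file is parsed, and the section names and layout are constructed.

```python
"""Static packer indicators read from PE headers (added example, constructed samples)."""
import struct

PE32_MAGIC = 0x10B
IMPORT_DIRECTORY_INDEX = 1          # IMAGE_DIRECTORY_ENTRY_IMPORT
SECTION_HEADER = "<8s6I2HI"         # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(import_rva, import_size, sections):
    """Assemble a minimal PE32 image. sections: list of (name, virtual_size, raw_bytes)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224
    file_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMPORT_DIRECTORY_INDEX, import_rva, import_size)
    headers_end = e_lfanew + 4 + len(file_header) + opt_size + 40 * len(sections)
    raw_base = (headers_end + 0x1FF) & ~0x1FF                         # file alignment 512
    section_headers, raw, va = b"", b"", 0x1000
    for name, vsize, data in sections:
        raw_ptr = raw_base + len(raw) if data else 0
        section_headers += struct.pack(SECTION_HEADER, name.ljust(8, b"\0"), vsize, va,
                                       len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw += data
        va += (max(vsize, len(data)) + 0xFFF) & ~0xFFF                # section alignment 4 KiB
    image = dos_header + b"PE\0\0" + file_header + bytes(opt) + section_headers
    return image.ljust(raw_base, b"\0") + raw


def inspect_pe(image):
    """Parse the headers and return import-directory and section-shape facts."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _machine, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", image, opt_off)[0]
    dir_off = opt_off + (96 if magic == PE32_MAGIC else 112)         # PE32 vs PE32+
    n_dirs = struct.unpack_from("<I", image, dir_off - 4)[0]
    import_rva = import_size = 0
    if n_dirs > IMPORT_DIRECTORY_INDEX:
        import_rva, import_size = struct.unpack_from(
            "<II", image, dir_off + 8 * IMPORT_DIRECTORY_INDEX)
    sections, sec_off = [], opt_off + opt_size
    for i in range(n_sections):
        name, vsize, va, raw_size, _raw_ptr = struct.unpack_from("<8sIIII", image, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "virtual_size": vsize, "raw_size": raw_size})
    import_in_section = any(
        s["va"] <= import_rva < s["va"] + max(s["virtual_size"], s["raw_size"]) for s in sections)
    return {
        "import_rva": import_rva,
        "import_size": import_size,
        "has_imports": import_rva != 0 and import_size != 0 and import_in_section,
        "sections": sections,
        # No raw data but a virtual size: space reserved for unpacking at run time.
        "empty_sections": [s["name"] for s in sections
                           if s["raw_size"] == 0 and s["virtual_size"] > 0],
    }


def packer_indicators(image):
    """Human-readable indicator list; an empty list means nothing suspicious was seen."""
    info = inspect_pe(image)
    findings = []
    if not info["has_imports"]:
        findings.append("import directory missing or outside all sections")
    for name in info["empty_sections"]:
        findings.append(f"section {name} has no raw data but a non-zero virtual size")
    return findings


# Constructed samples: a conventional layout and a packer-like layout.
NORMAL_SAMPLE = build_pe(0x2000, 40, [(b".text", 0x100, b"\x55\x8B\xEC\x90" * 64),
                                      (b".rdata", 0x40, b"\0" * 64)])
PACKED_SAMPLE = build_pe(0, 0, [(b"UPX0", 0x8000, b""),
                                (b"UPX1", 0x800, bytes(range(256)) * 8)])

if __name__ == "__main__":
    for label, img in (("normal", NORMAL_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(label, packer_indicators(img) or ["no indicators"])
```

Packing is an indicator, not a verdict: commercial protectors and plain UPX produce the same header shape, which is why the post can only say the file "may have been packed". What the check adds is a repeatable, scriptable version of the observation that can be run over a game client and its updates to see whether the shape changes between versions.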
#25
Well, ProcessGuard can stop gameguard from modifying, terminating or reading some processes... 50 times if you take their "free for home use" version, apparently. A restriction which doesn't seem to be documented anywhere. Kinda shoddy IMO.
Is there any other similar program? Or did I miss something?

Last edited by DownWithGameGuard : July 24th, 2006 at 08:48 AM.