Kernel Driver Memory Analysis/Loading?
#1
So, I'm growing more and more interested in game-hacking as of late, and I'm biting off something that's probably a little bigger than I can chew.
Riot Vanguard.

It got some infamy for being a kernel-mode anticheat solution, and given Riot is more or less owned by Tencent now, that didn't fly well with their playerbase given China is not known for good data practices.

So naturally, I'm trying to figure out how it works and what it actually does under the hood.

From what I've gathered so far:
--Packed with VMProtect 3.X 
--Kernelmode driver called vgk.sys
--Usermode driver called vgrl.dll

Now, with VMProtect and other virtualizing obfuscation methods, generally you just want to analyze the memory after it rebuilds the IAT to get the actual entrypoint of the application and read the actual bytecode.

See, there's a small problem with that.

Because they are actual Windows/WinAPI drivers, they use (NTSTATUS)DriverEntry, which also makes a call to _security_cookie_init. I'm assuming that cookie exists mainly as a way of keeping track of drivers loaded in the kernel to prevent duplicate loading, as well as verifying whether the driver runs in usermode or kernelmode, depending on what it's meant to do.

So, when I try to run the drivers with the Unicorn Engine, I first get problems with dependencies, i.e. loading exports from cng.sys and ntoskrnl.exe. I fixed that by making dummy files with the same exports and putting them in the same directory, but then it gets to the security cookie initialization, and then problems ensue.

The problem is that I don't know what the problem is. 
BlackBone tells me that function gets called, then it exits.
Probably because the driver is already running, but I'm honestly not sure.

Since I can't do much with the .sys driver and memory analysis of kernel-mode is hard due to Patchguard and all sorts of memory protection, I tried loading the .dll using a very basic process hollowing DLL injector I wrote in like fifteen minutes:
Code:
#include <stdio.h>
#include <stdbool.h>
#include <string.h>
#include <windows.h>

bool injectDLL(int pid, const char* path);

int main() {
    int pid;
    const char* dllPath = "C:\\Program Files\\Riot Vanguard\\vgrl.dll"; //hardcoded, sue me.
    printf("DLL to load: %s\nEnter the PID to inject: ", dllPath);
    if (scanf_s("%d", &pid) != 1) {
        printf("Invalid PID\n");
        return 1;
    }
    printf("PID: %d\n", pid);

    if (!injectDLL(pid, dllPath)) {
        printf("Failed to Inject DLL\n");
        return 1; // was missing: fell through to the success message
    }
    printf("DLL Injected successfully\n");
    return 0;
}

bool injectDLL(int pid, const char* path) {
    HANDLE targetProc = OpenProcess(PROCESS_ALL_ACCESS, 0, pid);
    if (!targetProc) {
        printf("Failed to open process %d.\n", pid);
        return false;
    }

    // kernel32 is mapped at the same base in every process of this boot, so the local address is valid remotely
    LPVOID LoadLibAddr = (LPVOID)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
    if (!LoadLibAddr) {
        printf("Failed to load kernel32.dll for LoadLibraryA()\n");
        CloseHandle(targetProc);
        return false;
    }

    // +1 so the terminating NUL is copied too; LoadLibraryA expects a C string
    SIZE_T len = strlen(path) + 1;
    LPVOID RemoteString = VirtualAllocEx(targetProc, NULL, len, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (!RemoteString || !WriteProcessMemory(targetProc, RemoteString, path, len, NULL)) {
        printf("Failed to write DLL path into target\n");
        CloseHandle(targetProc);
        return false;
    }
    HANDLE thread = CreateRemoteThread(targetProc, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibAddr, RemoteString, 0, NULL);
    if (!thread) {
        printf("CreateRemoteThread failed: %lu\n", GetLastError());
        CloseHandle(targetProc);
        return false;
    }
    WaitForSingleObject(thread, INFINITE); // LoadLibraryA has returned (or failed) once this completes
    CloseHandle(thread);
    CloseHandle(targetProc);
    return true;
}

Then injected into our favourite host program, Notepad.exe.
But, it exits after a nanosecond because again, probably that security cookie.

So how should I go about this?

I could try to patch out the security cookie initialization part, but I'm pretty sure that's an implicit call in DriverEntry(), so I don't know if that will fuck with PatchGuard or whatever have you when a driver tries to load itself without a cookie. Also keep in mind the VMProtect, so that might also cause something to start functioning incorrectly.

I'd work with Unicorn a little more, but because of all the driver's imports, that might be problematic.

My other option would be to try and write a driver of my own to try and map out the kernelspace and then maybe try to dump the memory of the vgk process, but that also sounds like a fuckload of work.

Suggestions pls.
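Since the thread keeps tripping over the security cookie, here is what that routine is, as an added illustration in plain C rather than code from the post or from Riot's driver: MSVC's /GS stack protection, modelled with my own sim_* functions and an `entropy` parameter standing in for the runtime sources the CRT reads.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simulated MSVC /GS state. The real globals are __security_cookie and
 * __security_cookie_complement; 0x2B992DDFA232 is the x64 default value
 * that the linker embeds and that the init routine must replace. */
#define DEFAULT_COOKIE ((uintptr_t)0x2B992DDFA232ULL)
static uintptr_t g_cookie = DEFAULT_COOKIE;
static uintptr_t g_cookie_complement = ~DEFAULT_COOKIE;

/* Models __security_init_cookie(). In a WDK build the image entry point is
 * GsDriverEntry, which calls this and only then DriverEntry. If the cookie is
 * already non-default the call is a no-op. 'entropy' (my stand-in) replaces
 * the time / tick / performance-counter mix the real CRT reads. */
int sim_security_init_cookie(uintptr_t entropy) {
    if (g_cookie != DEFAULT_COOKIE && g_cookie != 0)
        return 0;                          /* already initialised */
    uintptr_t c = entropy;
    if (c == DEFAULT_COOKIE) c++;          /* never keep the known default */
    g_cookie = c;
    g_cookie_complement = ~c;              /* lets a check spot a clobbered global */
    return 1;
}

/* Models a /GS-protected frame: the compiler puts the cookie between the
 * local buffer and the return address, copies __security_cookie into it in
 * the prologue and compares in the epilogue (__security_check_cookie).
 * len > 16 runs into the cookie slot exactly as a stack overflow would; the
 * clamp to sizeof(frame) just keeps this demo inside its own object. */
int sim_gs_protected_copy(const uint8_t *src, size_t len) {
    struct { uint8_t buf[16]; uintptr_t cookie; } frame;
    frame.cookie = g_cookie;               /* prologue */
    if (len > sizeof frame) len = sizeof frame;
    memcpy(&frame, src, len);              /* writes begin at buf */
    /* epilogue: a mismatch means __report_gsfailure (a bugcheck in kernel mode) */
    return frame.cookie == g_cookie && g_cookie_complement == ~g_cookie;
}

/* constructed input: 23 'A's plus the terminating NUL */
static const uint8_t sample_input[24] = "AAAAAAAAAAAAAAAAAAAAAAA";

int main(void) {
    sim_security_init_cookie((uintptr_t)0x1234567890ABCDEFULL);
    printf("16-byte copy: cookie intact = %d\n", sim_gs_protected_copy(sample_input, 16));
    printf("20-byte copy: cookie intact = %d\n", sim_gs_protected_copy(sample_input, 20));
    return 0;
}
```

The cookie is a per-image stack canary seeded at runtime before DriverEntry; it records nothing about which drivers are loaded or which mode the code runs in.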
#2
Guess I'll update with what I tried today, just so people don't waste their time.

Wrote a (vulnerable) driver using some sources I found on a different site; Windows basically considers it malware, but after fucking with Defender for a bit, I got it 'installed'.

Used sc to create a service for it, but when I try to start the service, I get an initialization failure with code 647.

After some Googling, turns out that Vanguard actually blocks loading of other drivers when they're needed, typically unsigned. This actually blocks a number of things, including CPU-Z.

The only other option I would have is loading the driver at boot-time. Still have to figure that one out, as it looks like it's something related to BIOS.
Vanguard has protection against hypervisors too, according to unknowncheats, so that's not really an option.

I might spend tomorrow just throwing memcpy() at everything that fucking moves just to see if I can avoid BSOD's from reading protected memory and maybe getting something useful out of it. According to another unknowncheats post, the driver (or the game, was unclear language) only protects the memory about 20s after actually loading everything. That might be a good in.
#3
(09-16-2020, 01:31 AM)poppopret Wrote: I might spend tomorrow just throwing memcpy() at everything that fucking moves just to see if I can avoid BSOD's from reading protected memory and maybe getting something useful out of it. According to another unknowncheats post, the driver (or the game, was unclear language) only protects the memory about 20s after actually loading everything. That might be a good in.

Sorry, I don't have much free time this week, so that's why I did not try to help here. And even if I tried, this is also way out of my league (even more than for you, 'cause you seem to know what you are doing lol).

Anyways, I quoted a part of your message because I might know something related to it. However, take it with a grain of salt as it is only a supposition. League does check when loading and at the start of the game; this even became popular due to this reddit post. Basically, if you search for "Cheat Engine" while the game is loading or at the start, League automatically "crashes".

Good luck with this project, even if I cannot provide much help I have to say I am very intrigued by it.
#4
I can imagine that's just the game running this:
Code:
FindWindowA(NULL, "cheat engine")
Since Vandiril also shows how he just changes the 'title' of his twitch page to 'cheat engine' causing it to crash.

Yeah, Riot doesn't have a great record for security. Stupid hacks like this don't constitute an anticheat lol.
But either way, I don't like using Cheat Engine anyway because it calls OpenProcess(), which every anticheat system already has hooks in place for, to stop that from happening. There are other ways to open a process without an actual handle, but that actually requires you to write some code.

Coffee time.