Post AMvreaAyPmp02CQi4e by sapphire@shortstackran.ch
Post #AMvj4fJt0vPFvfxepk by r000t@infosec.exchange
2022-08-26T19:52:34Z
31 likes, 43 repeats
Remember when they told you that kernel-mode anticheat was perfectly safe? Once these drivers are signed by Microsoft, they can be loaded into *any* Windows system, even if you don't play the game they're from.
Post #AMvjFsQecAmDlvTNNA by mint@plagu.ee
2022-08-26T19:54:43.898933Z
1 likes, 0 repeats
@r000t Might not even need loading in some cases, I've seen people complaining that Genshit keeps the driver in system even after being uninstalled. Once again, anticheat is cancer.
Post #AMvjeipjQZsTFf39Ga by r000t@infosec.exchange
2022-08-26T19:59:06Z
1 likes, 1 repeats
@s8n I don't understand how so many people fell for something literally called "Gotcha!"
Post #AMvkF5ei3JwUSUEgeu by fuggy@skippers-bin.com
2022-08-26T20:05:41.695Z
6 likes, 5 repeats
@r000t@infosec.exchange remind me why an anime gacha game needs a kernel level driver?
Post #AMvnH7Pum55UMYyU8O by eviloatmeal@linuxrocks.online
2022-08-26T20:39:39Z
7 likes, 3 repeats
@r000t "Kernel mode anti-cheat", or as it used to be called, a rootkit.
Post #AMvqBuMcB7diIGdcgq by lunch@cybre.space
2022-08-26T21:12:19Z
1 likes, 0 repeats
@r000t capcom.sys all over again
Post #AMvrGG7HLPq4s36Sx6 by PhenomX6@fedi.pawlicker.com
2022-08-26T21:24:20.205695Z
3 likes, 1 repeats
@roboneko @r000t @eviloatmeal Sony would be proud https://en.wikipedia.org/wiki/Sony_BMG_copy_protection_rootkit_scandal
Post #AMvreaAyPmp02CQi4e by sapphire@shortstackran.ch
2022-08-26T21:28:44.466492Z
1 likes, 0 repeats
@r000t and I thought the only non genshin players who got fucked by genshin were the people who came to the porn
Post #AMvuKXDtz1hwwnvpbs by eviloatmeal@linuxrocks.online
2022-08-26T21:36:50Z
1 likes, 0 repeats
@PhenomX6 @roboneko @r000t Good ol' XCP.
Post #AMvv4UpJE5SKpqLQxM by ae@pleroma.envs.net
2022-08-26T21:47:32.754704Z
0 likes, 0 repeats
@r000t wait how does it work if you don't have Genshin Impact installed?
Post #AMvv4VMHFVpMU5llLM by r000t@infosec.exchange
2022-08-26T22:07:00Z
0 likes, 0 repeats
@ae They just ship the .sys file separately, ask the OS to load it, and then they can abuse it. The driver has been "vouched for" by Microsoft.
Post #AMvyrXFjIJ18PamIEq by 9gcarz2naIwb0S3nkm.JoYo@thejoyo.com
2022-08-26T22:49:29.057127Z
0 likes, 0 repeats
@r000t stadia doesn’t sound so bad now.
Post #AMw5HVdGXahedlYUXA by cobra@fedi.vern.cc
2022-08-27T00:01:25Z
0 likes, 0 repeats
@r000t i don't want to say i called it, but i hella called it
Post #AMwI9E3vHT6XEeP8Zk by idiot@shitposter.club
2022-08-27T02:25:36.325516Z
1 likes, 0 repeats
@r000t
Post #AMwIARZOXrqJPyhpXk by fiskfan1999@nixnet.social
2022-08-26T23:28:37.795322Z
1 likes, 0 repeats
@r000t Watch: Once this bug is patched, the kernel anticheat will be 100% safe, trust me
Post #AMwIOXR7WwXVfPYYzI by sarvo@novoa.nagoya
2022-08-27T02:28:22.547Z
0 likes, 0 repeats
@r000t@infosec.exchange how do you even run it if you don't have genshit installed? Also what is the implication of this for wine?
Post #AMwITXQSzsDH59dQ0W by idiot@shitposter.club
2022-08-27T02:29:10.347643Z
0 likes, 0 repeats
@r000t And can I just add as a quick postscript to this "I told you so" gamer moment:
>Jack off to jpegs in a video game
>Computer ruined
>Don't jack off to jpegs in a video game
>Computer still ruined
>Jack off to jpegs on a booru
>Computer not ruined
Chalk up another W for the secondary^W tertiary coomers that just want to blast rope to your favorite gatchashit wife on rule34.xxx. They can't keep getting away with it.
Post #AMwQ6hedbIUDmJsxxA by AgreeableLandscape@mastodon.social
2022-08-27T03:54:46Z
1 likes, 0 repeats
@r000t not defending kernel mode anticheats, but I think the bigger problem here is Windows's Swiss cheese level kernel module management.
Post #AMwS7AxaqHxIZp6ZO4 by r000t@infosec.exchange
2022-08-27T04:17:16Z
2 likes, 1 repeats
@sarvo The key here is that drivers must be digitally "vouched for" by Microsoft. If Microsoft gave their signature to a driver, Windows will consider it to be valid. So, if you're malware, you just pluck the driver file from genshin, and zip it up with the rest of the malware. Wine is an implementation of the Win32 API and to the best of my knowledge cannot deal with Windows drivers. But I could be wrong.
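A defender-side check of the point r000t makes here, as an added PowerShell example that is not from anyone in this thread: it lists the kernel drivers currently running on a Windows host, shows which signature Windows accepted for each so third-party (WHQL/attestation-signed) drivers stand out from inbox ones, and reports whether HVCI, which enforces Microsoft's vulnerable driver blocklist, is on. It assumes Win32_SystemDriver exposes each driver's PathName, that Get-AuthenticodeSignature resolves inbox drivers through the Windows catalog, and that inbox drivers carry the subject CN=Microsoft Windows.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Assumption: inbox Windows drivers resolve (via the catalog) to a signer whose
# subject starts with "CN=Microsoft Windows,"; any other signer that Windows
# still loaded was vouched for through WHQL/attestation signing, or is unsigned.

$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$report = foreach ($d in $drivers) {
    # Normalise NT-style paths (\SystemRoot\..., \??\C:\...) to Win32 paths
    $path = $d.PathName -replace '^\\SystemRoot', $env:SystemRoot
    $path = $path -replace '^\\\?\?\\', ''
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig = Get-AuthenticodeSignature -FilePath $path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    [pscustomobject]@{
        Name       = $d.Name
        Path       = $path
        Status     = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer     = $subject
        ThirdParty = ($subject -notmatch '^CN=Microsoft Windows,')
    }
}

# Everything flagged here is a driver Windows loaded on the strength of a
# Microsoft-issued signature rather than because it ships with the OS.
$report | Where-Object ThirdParty | Sort-Object Name |
    Format-Table Name, Status, Signer, Path -AutoSize

# HVCI status: when it is running, Microsoft's vulnerable driver blocklist is
# applied, which is the platform's answer to a known-bad but validly signed driver.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
if ($dg.SecurityServicesRunning -contains 2) {
    'HVCI is running: the Microsoft vulnerable driver blocklist is enforced.'
} else {
    'HVCI is NOT running: a validly signed but vulnerable driver can still be loaded.'
}
```

Review any flagged driver against the vendor you expect on that machine; a third-party driver with no matching installed software is the situation the thread is describing.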
Post #AMwUn4u1xCrnrQXxtA by slash@cdrom.tokyo
2022-08-27T04:47:13.897384Z
1 likes, 1 repeats
@r000t How familiar.
Post #AMwp8wSq0VZr8vWxNo by iska@mstdn.starnix.network
2022-08-27T08:35:18Z
0 likes, 0 repeats
@AgreeableLandscape @r000t The same would happen on Linux.
Post #AMwr3EKargiWjA4vkO by cyberspook@soc.redeyes.site
2022-08-27T08:56:40.072018Z
0 likes, 0 repeats
@fuggy *gacha game wanting to install a kernel driver* Oh, no, you fucking don't. @r000t
Post #AMwvcpIPp1UBK9Hxz6 by AgreeableLandscape@mastodon.social
2022-08-27T09:47:54Z
0 likes, 0 repeats
@iska @r000t I'm not sure of that. Linux is infamous for being an absolute pain to install kernel mode drivers, that's why it matters so much if a processor or GPU is mainline supported. Meanwhile, Windows doesn't even ask for your password. Just a UAC prompt.
Post #AMwvlocBivGHolp7dQ by AgreeableLandscape@mastodon.social
2022-08-27T09:49:32Z
0 likes, 0 repeats
@iska @r000t I'm not sure of that. After all, Linux is infamous for being an absolute pain to install kernel mode drivers, and that's when you WANT to get software into the kernel. That's why it matters so much if a processor or GPU is mainline supported. Meanwhile, Windows doesn't even ask for your password. Just a UAC prompt.
Post #AMx03R1Qa0RrfuHoJ6 by AgreeableLandscape@mastodon.social
2022-08-27T10:37:33Z
0 likes, 0 repeats
@r000t @sarvo in general, I think it's a bad idea to make Windows exes directly executable through Wine. It's much safer to have to do `wine program.exe` instead of being able to do `./program.exe`. Plenty of malware, including ransomware, don't need any sort of higher privileges to do damage. If you have your home folder mapped to "C:\Users\You" in wine, that can and will be encrypted immediately, people tried this exact thing with Wannacry and it worked.
Post #AMx0RQzmKXGyXgxVK4 by AgreeableLandscape@mastodon.social
2022-08-27T10:41:53Z
0 likes, 0 repeats
@r000t @ae this is what I'm talking about. Vouched for by Microsoft or not, it's bullshit that a kernel module can be installed without your explicit instruction. I'm assuming that because Microsoft approved it, it doesn't need admin/UAC authorisation like unvalidated drivers do?
Post #AMx31093ptwfbKO6me by iska@mstdn.starnix.network
2022-08-27T11:10:44Z
2 likes, 1 repeats
@AgreeableLandscape @r000t sudo modprobe anti~christ~cheat
"Just a UAC prompt"
Only true when you use an admin (root) account.
Post #AMx42amjCBwVTtGRto by AgreeableLandscape@mastodon.social
2022-08-27T11:22:13Z
0 likes, 0 repeats
@iska @r000t yeah, but this specific vulnerability hinges on not requiring UAC authorisation to install the anticheat. Like, if you need to sudo it, it's a lot less of a problem.
Post #AMx4Xgx0JzkLa4tsae by AgreeableLandscape@mastodon.social
2022-08-27T11:27:51Z
0 likes, 0 repeats
@iska @r000t yeah, but this specific vulnerability hinges on not requiring UAC authorisation to install the anticheat. Like, if you need to sudo it, it's a lot less of a threat.
Post #AMx4glstLbyvUMJ2qO by Soy_Magnus@shitposter.club
2022-08-27T11:29:29.287746Z
0 likes, 0 repeats
@iska @AgreeableLandscape @r000t but the real question is what will it do and I'm going to use someone else's phone to find out
Post #AMxFEFmkCGxjK32EIC by r000t@infosec.exchange
2022-08-27T13:27:35Z
0 likes, 0 repeats
@AgreeableLandscape There's a higher level than any interactive administrator account on a Windows system, called NT AUTHORITY\SYSTEM, and this is the level drivers and this sort of anticheat run at. This is the level you would need to be to start doing really nasty things like keylogging, hiding processes/network/file activity, and generally making your computer gaslight you. This also means it can gaslight any antivirus you may be running. @iska
Post #AMxFe8uMO9iXWRwTUe by Mek101@mstdn.io
2022-08-27T13:32:16Z
0 likes, 0 repeats
@r000t Fucking lmfao
Post #AMxFyISEbZwovCOfCK by Mek101@mstdn.io
2022-08-27T13:35:50Z
1 likes, 0 repeats
@r000t @sarvo Windows drivers are in no way compatible with the linux kernel. It's the main reason why you can't play Genshin or Valorant through wine
Post #AMxFyJQqyCR9xCl4gS by inference@plr.inferencium.net
2022-08-27T13:35:49.319265Z
0 likes, 0 repeats
@AgreeableLandscape @iska @r000t You shouldn't be daily driving an admin account exactly for this reason. Same as root on Unix. Max out UAC, don't use admin, safe.
Post #AMxG0R43Z2dMCj6jTc by Mek101@mstdn.io
2022-08-27T13:33:18Z
0 likes, 0 repeats
@fuggy @r000t Try valorant lmao
Post #AMxG0Rb1aT0NqyX3rc by fuggy@skippers-bin.com
2022-08-27T13:36:19.111Z
0 likes, 0 repeats
@Mek101@mstdn.io @r000t@infosec.exchange I already suck at CSGO, seems like a knock off of that but you get banned for being toxic in voice chat. Idk seems kinda cringe
Post #AMxG3ev6VQJE2sSPI0 by inference@plr.inferencium.net
2022-08-27T13:36:52.526501Z
0 likes, 0 repeats
@Mek101 @r000t @sarvo The reason they don't want to add support (which would easily be done) is because custom kernels are an issue, whereas Windows kernels are the same and are known to be running a specific configuration.
Post #AMxGB7lBg4U1WCNWc4 by Mek101@mstdn.io
2022-08-27T13:38:13Z
0 likes, 0 repeats
@iska @AgreeableLandscape @r000t Nay, on linux you still need to perform the operation as root. Plus the kernel module API/ABI is not even stable, so you would have to package a different module for almost any combination of distro/kernel version you want to attack
Post #AMxICAVJA3TiE5ZokS by iska@mstdn.starnix.network
2022-08-27T14:00:50Z
0 likes, 0 repeats
@AgreeableLandscape @r000t IT'S NOT A VULNERABILITY. You consented to install a rootkit.
Post #AMxIKksPoQ4DLoTmcq by iska@mstdn.starnix.network
2022-08-27T14:02:23Z
0 likes, 0 repeats
@Mek101 @AgreeableLandscape @r000t On windows you need root to install the kernel module.
Post #AMxJjjzIM2zpmsAvaK by Mek101@mstdn.io
2022-08-27T13:43:20Z
0 likes, 0 repeats
@inference @r000t @sarvo The solutions are two:
1 - make the modules FOSS, so that distros ship them
2 - publish FOSS adapters that bridge the kernel API to a stable ABI you can link against
Post #AMxJjkPslCGP7KcA1g by inference@plr.inferencium.net
2022-08-27T14:18:03.085453Z
0 likes, 0 repeats
@Mek101 @r000t @sarvo Unsure if you're talking compatibility here, but I'm talking custom kernels designed for cheating. Can't happen on Windows without a critical exploit, but Linux allows this as part of kernel compilation.
Post #AMxPSYYKDRqN7lkWH2 by sarvo@novoa.nagoya
2022-08-27T15:22:14.717Z
0 likes, 0 repeats
@Mek101@mstdn.io @r000t@infosec.exchange oh but you can
Post #AMxPvknpkVifW0vSjo by Mek101@mstdn.io
2022-08-27T15:24:24Z
0 likes, 0 repeats
@sarvo @r000t Via binary patching. Known that, did that, but keeping up the genshin patch is 1 guy in a notabug repo. I wouldn't be surprised if he already took the project down
Post #AMxPvlJNrCxN5rgeum by sarvo@novoa.nagoya
2022-08-27T15:27:31.282Z
0 likes, 0 repeats
@Mek101@mstdn.io @r000t@infosec.exchange it isn't, it grew a lot actually
Post #AMxQ5ZO139vP0IWwXw by Mek101@mstdn.io
2022-08-27T15:27:53Z
0 likes, 0 repeats
@sarvo @r000t link?
Post #AMxQ5Ztv8XRgbFSQHA by sarvo@novoa.nagoya
2022-08-27T15:29:12.042Z
0 likes, 0 repeats
@Mek101@mstdn.io @r000t@infosec.exchange it's like the fight club but you can send me a dm or a message on xmpp
Post #AMxZ7jZt1pNWmLBomW by AgreeableLandscape@mastodon.social
2022-08-27T17:10:30Z
0 likes, 0 repeats
@r000t @iska this just goes with the theme that you don't own your Windows system that Microsoft is going for. You're merely a guest on the OS you paid for.
Post #AMz4jk5Et7qH5XPz4i by hecko@fluffcord.social
2022-08-28T10:39:25Z
0 likes, 0 repeats
@iska please note the subtitle
"Best part? You don't need to have installed Genshin Impact."
it's not the user who consented, it's microsoft who did it on their behalf by signing it
also it seems to bypass uac too according to the table at the bottom of this page https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html
Post #AMznG3ysqD9S36fRM8 by iska@mstdn.starnix.network
2022-08-28T18:58:19Z
0 likes, 1 repeats
@hecko wait, do "approved" kernel modules just bypass all security?
microsoft wtf
Post #AN1HLOYWxlCP5ll9No by paoloredaelli@mastodon.uno
2022-08-29T12:10:07Z
0 likes, 0 repeats
@r000t And I'm such a fool that I tried to run #GenshinImpact on my daughter's Ubuntu laptop using #wine 😀
Post #AOHg2hbSzrDVY3hH3g by cat567@mstdn.social
2022-10-06T07:54:21Z
0 likes, 0 repeats
@r000t imagine using windows