GameGuard
From Wikipedia, the free encyclopedia
GameGuard is a rootkit developed by nProtect. It is bundled with many multiplayer online games, specifically to reduce or eliminate cheating. It hides the game application process, monitors the entire memory range, terminates applications that the game vendor and nProtect have defined as cheats, blocks certain calls to DirectX functions and Windows APIs, and auto-updates itself as new threats surface.
Stealth and Anti-Cheat Methods
Anti-Debugging
GameGuard modules and game executables are protected from debugging, reportedly using polymorphism to make reverse-engineering GameGuard and the game even more difficult. It is packed with a modified version of UPX.
Process cloaking
GameGuard cloaks GameMon.des and the game process by Direct Kernel Object Manipulation (DKOM) in order to fend off the average cheater.
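DKOM hiding removes an object from the list that enumerators walk but does not remove the object itself, which is why rootkit detectors compare two independent views of the same objects. The following is an added illustrative model, not GameGuard code and not Windows kernel code: the `Kernel` class is a constructed stand-in that keeps processes on a circular doubly-linked list in the style of `EPROCESS.ActiveProcessLinks` and also records every allocation in a constructed "pool" list (standing in for a pool scan). `dkom_unlink` performs the textbook unlink; `cross_view_hidden` is the detector. All PIDs and process names are constructed.

```python
"""Cross-view detection of a DKOM-hidden process (added model, not GameGuard code)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(eq=False)
class Proc:
    pid: int
    name: str
    flink: Optional["Proc"] = field(default=None, repr=False)
    blink: Optional["Proc"] = field(default=None, repr=False)


class Kernel:
    def __init__(self) -> None:
        # Sentinel list head linked to itself: an empty circular list.
        self.head = Proc(0, "<list head>")
        self.head.flink = self.head.blink = self.head
        # Constructed second view: every object ever allocated, in the
        # spirit of a pool scan that finds process structures by tag.
        self.pool: List[Proc] = []

    def create(self, pid: int, name: str) -> Proc:
        p = Proc(pid, name)
        last = self.head.blink
        last.flink = p
        p.blink = last
        p.flink = self.head
        self.head.blink = p
        self.pool.append(p)
        return p

    def walk_list(self) -> List[Proc]:
        """What a list-walking enumerator (task manager style) sees."""
        out = []
        cur = self.head.flink
        while cur is not self.head:
            out.append(cur)
            cur = cur.flink
        return out

    def dkom_unlink(self, p: Proc) -> None:
        """Splice p out of the list. p's own links are turned inward so that
        anything still holding p can traverse from it without faulting."""
        p.blink.flink = p.flink
        p.flink.blink = p.blink
        p.flink = p.blink = p


def cross_view_hidden(k: Kernel) -> List[Proc]:
    """Objects present in the pool view but absent from the list view."""
    visible = {id(p) for p in k.walk_list()}
    return [p for p in k.pool if id(p) not in visible]


def demo() -> List[int]:
    """Build a small constructed system, hide one process, return flagged PIDs."""
    k = Kernel()
    k.create(4, "System")
    game = k.create(1234, "game.exe")       # constructed PID
    k.create(2345, "GameMon.des")           # constructed PID
    k.create(3456, "explorer.exe")          # constructed PID
    k.dkom_unlink(game)
    # The list view no longer shows the game process ...
    assert [p.pid for p in k.walk_list()] == [4, 2345, 3456]
    # ... but the cross-view comparison still finds it.
    return [p.pid for p in cross_view_hidden(k)]


if __name__ == "__main__":
    print("hidden pids:", demo())
```

The same comparison generalises to any pair of views (PID brute-forcing versus enumeration, handle-table walk versus process list); the detector needs no knowledge of how the unlink was done, only that the views disagree.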
Hooking
Userland
GameGuard hooks many functions in Windows userland, including ReadProcessMemory, WriteProcessMemory, OpenProcess, and SendKeys. These functions are commonly used by bots or hacks to read or modify the game's memory, or to send input to or from the game. GameGuard installs these hooks by injecting the file npggNT.des on Windows NT and npgg9x.des on Windows 9x.
Kernel
GameGuard hooks NtDeviceIoControlFile, NtOpenProcess, NtProtectVirtualMemory, NtReadVirtualMemory, and NtWriteVirtualMemory, and by extension the Zw* stubs of these functions.
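Both layers of hooking described above (userland API prologues and kernel NtXxx service entries) leave traces that an integrity checker can look for. The following is an added example, not GameGuard code and not an nProtect API: it compares a userland function's first bytes with a clean copy (as would be read from the DLL on disk) and decodes the common 32-bit trampoline forms to find where a detour goes, and it flags service-table entries that fall outside the kernel image's address range. Every address, range and byte string here is constructed for the demonstration; the clean prologue `8B FF 55 8B EC` is the standard hot-patchable `mov edi,edi; push ebp; mov ebp,esp` sequence.

```python
"""Hook-integrity checks for userland API prologues and kernel service entries
(added example with constructed data, not GameGuard code)."""
from typing import Dict, List, Optional, Tuple


def decode_detour(prologue: bytes, func_addr: int) -> Optional[int]:
    """Return the target of a 32-bit detour placed at func_addr, or None if the
    bytes are not one of the common trampoline forms."""
    if len(prologue) >= 5 and prologue[0] == 0xE9:                       # jmp rel32
        rel = int.from_bytes(prologue[1:5], "little", signed=True)
        return (func_addr + 5 + rel) & 0xFFFFFFFF
    if len(prologue) >= 6 and prologue[0] == 0x68 and prologue[5] == 0xC3:   # push imm32; ret
        return int.from_bytes(prologue[1:5], "little")
    if len(prologue) >= 7 and prologue[0] == 0xB8 and prologue[5:7] == b"\xFF\xE0":  # mov eax,imm32; jmp eax
        return int.from_bytes(prologue[1:5], "little")
    return None


def check_api(name: str, func_addr: int, live: bytes, clean: bytes) -> Optional[str]:
    """Compare the in-memory prologue with the clean one; describe any change."""
    if live[:len(clean)] == clean:
        return None
    target = decode_detour(live, func_addr)
    if target is None:
        return f"{name}: prologue modified (unrecognised patch)"
    return f"{name}: detour to 0x{target:08X}"


def check_ssdt(table: Dict[str, int], kernel_range: Tuple[int, int]) -> List[str]:
    """Flag service-table entries that do not point into the kernel image."""
    lo, hi = kernel_range
    return [f"{svc}: entry 0x{addr:08X} outside kernel image"
            for svc, addr in table.items() if not (lo <= addr < hi)]


# Standard hot-patchable prologue: mov edi,edi; push ebp; mov ebp,esp
CLEAN_PROLOGUE = b"\x8B\xFF\x55\x8B\xEC"

# Constructed "live" snapshot: addresses and hooked bytes are made up.
USERLAND_SNAPSHOT = [
    # (name, constructed address, bytes observed in memory)
    ("ReadProcessMemory",  0x7C8021D0, b"\xE9\x2B\xEE\x7F\x93"),          # jmp rel32
    ("WriteProcessMemory", 0x7C802213, CLEAN_PROLOGUE),                   # untouched
    ("OpenProcess",        0x7C81A7E1, b"\x68\x00\x20\x00\x10\xC3"),      # push/ret
]

# Constructed kernel image range and service-table entries.
KERNEL_RANGE = (0x804D7000, 0x806E4000)
SSDT_SNAPSHOT = {
    "NtDeviceIoControlFile": 0xF8A3B2F0,   # outside the kernel image
    "NtOpenProcess":         0x805C4E3A,
    "NtReadVirtualMemory":   0xF8A3B210,   # outside the kernel image
    "NtWriteVirtualMemory":  0x805B5A02,
}


def demo() -> Tuple[List[str], List[str]]:
    """Run both checks over the constructed snapshots."""
    api = [r for (n, a, live) in USERLAND_SNAPSHOT
           if (r := check_api(n, a, live, CLEAN_PROLOGUE)) is not None]
    ssdt = check_ssdt(SSDT_SNAPSHOT, KERNEL_RANGE)
    return api, ssdt


if __name__ == "__main__":
    for line in demo()[0] + demo()[1]:
        print(line)
```

On a real system the "clean" bytes come from mapping the DLL from disk and applying relocations, and the kernel range from the loaded-module list; a prologue that differs but decodes to no known trampoline (the "unrecognised patch" case) still deserves attention, since hooks are not obliged to use the three forms decoded here.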
Detection
Memory Detection
One method of detection is to periodically scan the computer's RAM (without using ReadProcessMemory) for certain strings of bytes that are known to be present in blacklisted programs. This is a real problem for public programs, and is not easy to defend against.
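The matching step of such a scan is the same one anti-malware memory scanners use: a set of byte signatures, usually with wildcard positions, is run over memory in chunks. The following is an added example and not GameGuard's scanner: it models only the pattern-matching stage over a constructed buffer (how the memory is obtained is out of scope here), supports `??` wildcards, and handles the edge case of a pattern straddling a chunk boundary by re-scanning an overlap. The two signatures and the planted bytes are constructed for the demonstration and are not real blacklist entries.

```python
"""Wildcard byte-signature scanning over a chunked memory image
(added example with constructed signatures, not GameGuard's scanner)."""
import re
from typing import Dict, List, Tuple

CHUNK = 4096


def compile_signature(hex_pattern: str) -> "re.Pattern[bytes]":
    """'DE AD ?? CA' -> compiled bytes regex; '??' matches any single byte."""
    parts = []
    for tok in hex_pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


# Constructed demo signatures: not real cheat or malware signatures.
SIGNATURES: Dict[str, str] = {
    "demo-trainer-stub": "DE AD BE EF ?? ?? CA FE",
    "demo-hook-marker":  "90 90 90 E9 ?? ?? ?? ?? C3",
}


def scan_region(region: bytes, signatures: Dict[str, str],
                base: int = 0, chunk: int = CHUNK) -> List[Tuple[str, int]]:
    """Return sorted (signature name, absolute offset) hits.

    The region is scanned chunk by chunk; each window is extended backwards
    by (longest pattern - 1) bytes so a match crossing a chunk boundary is
    still seen whole. Duplicates from the overlap are removed via a set."""
    compiled = {name: compile_signature(p) for name, p in signatures.items()}
    overlap = max(len(p.split()) for p in signatures.values()) - 1
    hits = set()
    start = 0
    while start < len(region):
        end = min(start + chunk, len(region))
        win_off = max(0, start - overlap)
        window = region[win_off:end]
        for name, rx in compiled.items():
            for m in rx.finditer(window):
                hits.add((name, base + win_off + m.start()))
        start = end
    return sorted(hits)


def build_demo_image() -> bytes:
    """Constructed 10 KiB 'memory': repeating filler plus two planted patterns,
    the second of which straddles the 4096-byte chunk boundary."""
    img = bytearray(bytes(range(256)) * 40)
    img[100:108] = b"\xDE\xAD\xBE\xEF\x01\x02\xCA\xFE"
    img[4092:4101] = b"\x90\x90\x90\xE9\x11\x22\x33\x44\xC3"
    return bytes(img)


def demo() -> List[Tuple[str, int]]:
    return scan_region(build_demo_image(), SIGNATURES)


if __name__ == "__main__":
    for name, off in demo():
        print(f"{name} at offset 0x{off:X}")
```

The difficulty the text mentions for public programs follows directly from this design: any stable byte sequence in a distributed binary can be turned into a signature, and the scanner needs no understanding of what the bytes do. The flip side for the defender is false positives, so production scanners pair signatures with context (which module, which region permissions) before acting on a hit.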
Detected Programs
When a "malicious" program is detected, GameGuard will usually reboot the user's computer. If there is an unspecified modification to GameGuard or its modules, it will close the game with an error. Rebooting the computer is a very aggressive method and can cause corruption, errors, or system instability.
Bypassing GameGuard
While it is not impossible, the many techniques used by GameGuard make bypassing it a very involved process that requires a fair amount of reverse-engineering skill and, optionally, rootkit knowledge. The changing nature of GameGuard makes it nearly impossible to make a public bypass or program for a GameGuard-protected game. When a public bypass is created, GameGuard merely patches the hole it exploits. When a program is made, GameGuard can just add it to its blacklist.
Criticisms
GameGuard, though noble in its essential goals, resorts to very sketchy means to accomplish them. It stoops down to the level of a trojan and rootkit, and does many invasive things, such as injecting DLLs into every running process, communicating semi-personal information to nProtect, and reading and writing memory.