Sep 16, 2019
The original post comes from Tencent Game Security Laboratory

1. Background:
VAC (Valve Anti-Cheat) is an anti-cheat system developed by Valve. It is a general anti-cheat secure-access scheme for games on the Steam platform (both DOTA2 and CS:GO use VAC).
This paper takes CS:GO as the analysis target and performs a basic analysis of the security scheme deployed on CS:GO.
2. Analytical conclusions:
Through dynamic debugging, static analysis and hook verification, we find that the VAC scheme on CS:GO is as follows:
Static protection:
- Packing: none of the PE files are packed
- Code obfuscation: no code obfuscation
Dynamic countermeasures:
- Driver protection: not found
- Anti-debugging: simple exception-based interference
- Debugger detection: simple debugger detection
Module detection:
- Window detection: not found
- Process detection: process/module enumeration behaviour observed
- Thread detection: detects thread creation
- Module detection: not found
- Stack detection: stack-backtrace (call-stack walk) detection
- Memory detection: not found
Other:
- API handling: key API addresses are resolved by the game itself
- VAC2.DLL: contains an embedded security scheme, but it is not loaded in CS:GO
- Detection not yet enabled:
  - multiple debugger detections found
  - multiple stack detections found
  - game-state detection found
Note: the analysis of the game is incomplete because it was done with single-player matches and offline analysis.
3. Analytical process:
3.1 Game Security Analysis
3.1.1 Game Structure Analysis
CS:GO's game launcher is stored in the root directory, alongside the Steam-client-related DLLs. Steam ships both 32-bit and 64-bit builds.
33
3.1.2 Game Startup Analysis

CS:GO currently only has a 32-bit version. The Chinese-region edition replaces steam.exe with csgolauncher.exe as the game launcher; the process tree started by the game is as follows:

steamwebhelper still uses Chrome's CEF framework and starts three processes.

After the game starts there is no driver loading, no kernel modification and no global hook installed. However, many functions inside the process are hooked, including loader APIs, file-operation APIs, key/input-related APIs and DirectX APIs. The hooks are jump hooks: ZwOpenFile is taken over by csgo.exe, and the other hooked functions are redirected into gameoverlayrenderer.dll.
41
42
3.1.3 Static Protection Analysis
The important PE files in the game were selected: csgo.exe, engine.dll, client.dll, server.dll, tier0.dll and tier0_s.dll. None of them are packed, and IDA decompiles them normally. VAC therefore does not apply packing, junk-instruction insertion or other common PE protections to the key game modules.
3.1.4 Dynamic Protection Analysis
Anti-dump
No anti-dump handling: game modules can be dumped directly.
Anti-injection
No anti-injection handling: modules can be injected into the game at will.
Debugger attachment
The common breakpoint APIs are not handled, so a debugger can attach arbitrarily; there is no countermeasure against attachment.
3.2 Driver Protection and Detection
PCHunter did not detect any VAC-related driver loaded while the game was running
PCHunter did not detect any kernel hooks
No related driver files were found by traversing the directory
Hooking ZwCreateFile found no driver file creation
Hooking NtLoadDriver found no driver loading
Hooking DeviceIoControl found no driver communication
In summary, VAC does not use a driver either to protect the game or to perform detection.
3.3 Debugger Detection
Common API detection
Hooking IsDebuggerPresent and CheckRemoteDebuggerPresent shows that the game has basic detection; the triggering modules are tier0.dll and tier0_s.dll.

It is true that the game performs detection by calling these simple APIs, but against a 32-bit OllyDbg with its many plugins, the significance and effect of this detection is small.
Hardware breakpoint detection
Hooked NtGetContextThread, NtSetContextThread, NtContinue and KiUserExceptionDispatcher. No detection related to the Dr (debug) registers was found.
Debugger feature detection
Brute-force string search for IDA, ollydbg, windbg, CE, _Plugingetvalue,
_ODBG_Plugininit and similar strings: no corresponding text has been found so far.
Exception-based detection
After disabling the debugger's anti-detection (anti-anti-debugging) features, we found that when entering the game the debugger receives exception notifications from the game.
72
Tracing the exception trigger point confirms that the exception is thrown actively in tier0_s.dll

Cross-referencing the game's active exception throws shows that, besides this one, there are many other places that throw exceptions

During gameplay some exceptions are also triggered passively, as follows

These exception handlers can be ignored by the debugger or bypassed with plugins.
3.4 Detection of Illegal Modules
3.4.1 Window Detection
General window enumeration:
Hooking the common window-enumeration APIs EnumWindows, FindWindow and EnumChildWindows found no window detection.
Going one level deeper and hooking the underlying implementation of EnumWindows, namely _InternalEnumWindow, _BuildHwndList and _NtUserBuildHwndList, also showed no abnormal calls.
Enumeration of window and class names:
Hooking GetClassNameA and GetWindowTextA verified that the game does obtain class names through the A-family functions, but no detection-related calls were observed.
Triggered window detection:
Monitoring the key APIs SetWindowsHookEx and SetWinEventHook found no related function calls.
In summary, VAC does not use the common window-detection methods to detect suspicious modules.
3.4.2 Process Detection
Conventional process enumeration:
1. ToolHelp interface enumeration: hooked CreateToolhelp32Snapshot, Process32First and Process32Next; steamclient.dll enumerates all processes at intervals

2. PSAPI interface enumeration: hooked EnumProcesses, EnumProcessModules and GetModuleFileNameEx; steamclient.dll enumerates processes

3. Wtsapi32 interface enumeration: hooked WTSOpenServer and WTSEnumerateProcesses; no related function calls were captured
4. Native API enumeration: hooked NtQuerySystemInformation and ZwQuerySystemInformation; traced back to the EnumProcesses calls made from modules in steamclient

Handle-based process enumeration
1. Brute-force handle enumeration, OpenProcess + GetProcessImageFileName: no related calls observed
2. General enumeration via ZwQuerySystemInformation: monitored and traced to steamclient, together with EnumProcesses
3. Other process-enumeration handles, OpenProcess + GetProcessImageFileName / GetProcessId: no suspicious calls from game modules observed
Driver-based enumeration
VAC loads no driver, so this type of detection is unlikely
Triggered enumeration
VAC installs no global hook, so this type of detection is unlikely
In summary, similar to the earlier security scheme seen in DOTA2, VAC performs detection through module-creation awareness and finally calls ZwCreateFile and GetFileInformationByHandle to report file information.
116
3.4.3 Module Detection
1. Traditional module enumeration: hooked CreateToolhelp32Snapshot, Module32First, Module32Next, Heap32First and GetModuleBaseName; no related calls were found
2. PEB module-list traversal: hooked ZwQueryInformationProcess; no direct calls from game modules were found
3.4.4 Thread Detection
Thread enumeration
Hooked the common thread-enumeration APIs CreateToolhelp32Snapshot, Thread32First and Thread32Next; no detection found
DLL_THREAD_ATTACH awareness
When a new thread is created, the system notifies every DLL loaded in the process through DLL_THREAD_ATTACH. Hooking ZwQuerySystemInformation and ZwQueryInformationThread found calls from the steamclient module

Locating this further in the code

Further analysis shows that VAC obtains the module name through GetModuleHandleEx and GetModuleFileName, and finally reports through CreateFile and GetFileInformationByHandle.

Cross-reference analysis confirms that the event awareness comes from DLL_THREAD_ATTACH
132
3.4.5 Memory Detection
Code/data integrity detection:
Exception awareness: set breakpoints on key code and analyze the exception-handling functions to verify whether the game checks through exception takeover, page-attribute modification or active data reads.
During the exception analysis, the in-game exception handling was found to be mostly dump-related.

Code/data logic detection
Logic detection is mostly carried out through data collection and security policy, and is not analyzed here.
3.4.6 Stack Detection
API backtrace
Hooking RtlCaptureStackBackTrace detected calls from game modules

TLS/thread-frame detection
Hooking RtlPushFrame, RtlGetFrame and RtlPopFrame did not intercept direct API calls from the game
In conclusion, the game's own modules perform basic stack-backtrace detection at key points, but the detection frequency is not high. This paper only analyzes the APIs commonly used for stack backtracing; it does not rule out that policy code in the game also checks the validity of return addresses and of parameter addresses.
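Added illustration (not code from the post or from Valve) of the checks that sections 3.4.4 and 3.4.6 describe: once a call stack has been captured with RtlCaptureStackBackTrace, or a new thread's start address has been obtained on DLL_THREAD_ATTACH, the question an anti-cheat asks is whether each address lies inside a module it knows about. An address backed by no loaded module is the signature of injected or manually mapped code. The C program below implements that core check over a constructed module table and a constructed call stack so it runs anywhere; the module names, address ranges and function names are my own sample values, and the _WIN32 section only shows how the same functions would be fed by the real CaptureStackBackTrace and GetModuleHandleExA calls.

```c
/* Added example: return-address and thread-start validation against a table
 * of loaded modules.  Sample data is constructed for this illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

typedef struct {
    const char *name;
    uintptr_t   base;
    uintptr_t   size;
} module_range;

/* Index of the module containing addr, or -1 if no loaded module covers it
 * (typical of injected shellcode or a manually mapped DLL). */
int module_for_address(uintptr_t addr, const module_range *mods, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr < mods[i].base + mods[i].size)
            return (int)i;
    return -1;
}

/* Stack-backtrace angle: walk the captured return addresses and report the
 * index of the first frame not backed by any known module, or -1 if every
 * frame is accounted for. */
int first_unbacked_frame(const uintptr_t *frames, size_t nframes,
                         const module_range *mods, size_t nmods)
{
    for (size_t i = 0; i < nframes; i++)
        if (module_for_address(frames[i], mods, nmods) < 0)
            return (int)i;
    return -1;
}

/* DLL_THREAD_ATTACH angle: a new thread whose start address is outside every
 * loaded module is worth reporting.  Returns 1 if suspicious, 0 otherwise. */
int thread_start_is_suspicious(uintptr_t start_addr,
                               const module_range *mods, size_t nmods)
{
    return module_for_address(start_addr, mods, nmods) < 0;
}

/* Constructed sample data: a 32-bit style layout with two modules and a
 * call stack whose third frame points into anonymous (heap) memory. */
static const module_range sample_modules[] = {
    { "csgo.exe",   0x00400000u, 0x00400000u },   /* 0x00400000-0x007fffff */
    { "engine.dll", 0x10000000u, 0x00400000u },   /* 0x10000000-0x103fffff */
};
static const uintptr_t sample_frames[] = {
    0x10001234u,   /* engine.dll */
    0x00401000u,   /* csgo.exe   */
    0x02a0f000u,   /* not in any module: injected code */
    0x0040ffffu,   /* csgo.exe   */
};

#ifdef _WIN32
#include <windows.h>
/* On Windows the frames come from CaptureStackBackTrace(0, n, frames, NULL)
 * and each address is attributed with GetModuleHandleExA(..._FROM_ADDRESS);
 * shown for the reader only, this path is not used by the sample run. */
static int address_has_module_win(const void *addr)
{
    HMODULE h = NULL;
    return GetModuleHandleExA(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
                              GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT,
                              (LPCSTR)addr, &h) ? 1 : 0;
}
#endif

int main(void)
{
    size_t nm = sizeof sample_modules / sizeof sample_modules[0];
    size_t nf = sizeof sample_frames / sizeof sample_frames[0];
    int bad = first_unbacked_frame(sample_frames, nf, sample_modules, nm);
    if (bad < 0)
        puts("call stack fully backed by known modules");
    else
        printf("frame %d (0x%08lx) is not inside any loaded module\n",
               bad, (unsigned long)sample_frames[bad]);
    printf("thread start 0x02a0f000 suspicious: %d\n",
           thread_start_is_suspicious(0x02a0f000u, sample_modules, nm));
    return 0;
}
```

The check is deliberately conservative: it only flags addresses that belong to no module at all, which is why the post notes that VAC's real policy code may go further and validate parameter addresses as well. A production implementation would also refresh the module table on DLL_PROCESS_ATTACH/DETACH, since a stale table produces false positives for legitimately loaded modules.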
4. Other Analysis
4.1 API handling
The game does a great deal of API handling and resolves many key API addresses itself. To some extent this can bypass API-monitoring tools and support covert (hidden) checks.
150
4.2 VAC2.DLL
The file .\resource\sourceinit.dat in the game directory is actually VAC2.dll.

Current analysis shows that this DLL is not loaded into memory.
4.3 Detection Not Yet Enabled
To avoid being flagged as far as possible, the author mostly used single-player games and offline analysis, so the game's detection strategy was not fully activated. Static analysis alone of tier0.dll and tier0_s.dll reveals a large amount of detection and monitoring code, such as flag-bit checks.

The stack detection is shown below.

Following up on the selected function shows that it calls RtlCaptureStackBackTrace, but these API calls were not observed by our hooks.

Further analysis suggests that the game's checks of the stack are not limited to this; different checking methods are also used.

After analyzing other functions, it was found that besides these routine checks, the functions also appear to check the state of the game itself.
165
Epilogue
From the analysis, only simple feature reporting by VAC on CS:GO can currently be observed. Given that CS:GO also relies on security schemes such as video review and real-name authentication, it has not adopted further countermeasures and monitoring strategies. Still, it can be seen that VAC contains a lot of embedded detection logic, which may be enabled dynamically in specific business scenarios alongside video review and real-name authentication.