
About GameGuard

category Security/Reversing 2007. 3. 8. 22:32

GameGuard
For those of you interested in exactly what GameGuard is doing on your computer, I'll go ahead and compile what I know, along with a famous example of INCA's carelessness in allowing access to your system. For the sake of those who aren't interested, along with the length of the post, I will LJ-cut the entire thing.


Basics------------------------------------------------------------

Okay first off, what IS GameGuard exactly?

Well obviously it is a game protection software, but more specifically, it is a rootkit, specifically 2 kinds:
http://en.wikipedia.org/wiki/Rootkit

Userland: http://en.wikipedia.org/wiki/Userland
and
Kernel: http://en.wikipedia.org/wiki/Kernel_%28computer_science%29

This basically means that it can monitor and control information both inside and outside of your computer's lowest regions of security.

Hiding Processes ------------------------------------------------------------
One of the things that GameGuard (GG) does is hide the program from your process list. If you open up your Task Manager you will see neither Maplestory nor GameMon.des (GameGuard) running; this is because they are hidden.

The reason for this is so that programs cannot just directly attach to the program. This defeats many attempts at creating cheat trainers for the game, and it is also harder to attach memory-editing programs to it.

This can be rather frustrating if you need to close Maple, or if GG freezes or decides not to shut down all of the way, in which case a complete restart is the only way to reopen Maple.

This can be defeated by writing a specialized window spy DLL and having it injected into GG upon startup, or by targeting Maple during its initialization period.

Monitoring Memory------------------------------------------------------------
GG is always monitoring your running processes, and what is loaded into your memory.

Note that it is not just scanning for programs by name, but searching through the programs for any matching strings that are found in these programs.

If it finds a program that INCA has deemed a "threat" it will take one of 2 courses of action:
1) Close down Maple (or the protected game) and give you a message saying that a hack has been detected. However, it is worth noting that the shutdown method it employs is a rather aggressive one that can lead to stability problems.
2) It causes an internal error in your system (the specifics of which I am unfamiliar with) and causes your computer to crash. Don't confuse this with it causing your computer to restart. All data is immediately lost and all programs have no time to close whatsoever; it is essentially giving you a BSOD (blue screen of death: http://en.wikipedia.org/wiki/BSOD).

Imagine working on a term paper while playing a little Maple. GG mistakes a regular program for a modified cheat program and goes ahead and crashes your computer, without notifying you, warning you, or anything else. Lovely, isn't it?


Hooking functions-------------------------------------------------
These are the functions GG hooks within your system and within each program you use. This means that GG is accessing and modifying every process on your computer. Here is the list from the 896 rev of GG:

Kernel32.dll
ReadProcessMemory
WriteProcessMemory
GetProcAddress
VirtualProtect
VirtualProtectEx
LoadLibraryExW
CreateProcessInternalW
OpenProcess
DebugActiveProcess
MoveFileW
MapViewOfFile
MapViewOfFileEx

User32.dll
SendInput
keybd_event
mouse_event
PostMessageA
PostMessageW
77D448B80 (?)
SendMessageA
SendMessageW
GetWindowThreadProcessId

Gdi32.dll
GetPixel

ntdll.dll
ZwOpenProcess
ZwProtectVirtualMemory
ZwSuspendProcess
ZwSuspendThread
ZwTerminateThread
ZwQuerySystemInformation

A lot of these are core to your system, and nowhere in the EULA for Maple do you give them permission to be operating at such a low level within your system, and to do it to every program that you run.
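The hook list above is what a user-mode API hook looks like from the outside; from the inside, each hooked export starts with a few bytes that redirect execution somewhere else. The checker below is an added example, not code from the original post or from GameGuard: it compares an export's first bytes as seen in a live process with the bytes at the same offset in the DLL on disk, and classifies the live prologue into the common redirect patterns (jmp rel32, push/ret, mov eax/jmp eax). Every address and byte string in it is a constructed 32-bit sample in the XP-era "mov edi,edi; push ebp; mov ebp,esp" style, not a value captured from a real system, and the export names are taken from the list above only as labels.

```c
/* Added example (not from the original post or GameGuard): classify the first
 * bytes of an exported function to spot inline-hook redirects. Live bytes are
 * compared with on-disk bytes so a function that legitimately begins with a
 * jump is not reported. All samples below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PROLOGUE_LEN 8

typedef enum {
    PROLOGUE_INTACT = 0,   /* live bytes equal the on-disk bytes */
    PROLOGUE_JMP_REL32,    /* E9 disp32       : jmp rel32 */
    PROLOGUE_PUSH_RET,     /* 68 imm32 C3     : push imm32; ret */
    PROLOGUE_MOV_JMP,      /* B8 imm32 FF E0  : mov eax, imm32; jmp eax */
    PROLOGUE_MODIFIED      /* differs from disk but matches no known pattern */
} prologue_class;

typedef struct {
    const char *name;                 /* export name, used as a label only */
    uint32_t    va;                   /* virtual address of the export (constructed) */
    uint8_t     live[PROLOGUE_LEN];   /* bytes as read from the running process (constructed) */
    uint8_t     disk[PROLOGUE_LEN];   /* bytes at the same RVA in the DLL file (constructed) */
} export_sample;

/* x86 stores 32-bit operands little-endian. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Classify one export; on a recognised redirect, write where it jumps to. */
prologue_class classify_export(const export_sample *e, uint32_t *target)
{
    const uint8_t *p = e->live;
    if (memcmp(e->live, e->disk, PROLOGUE_LEN) == 0) return PROLOGUE_INTACT;
    if (p[0] == 0xE9) {                       /* relative: next instruction + disp32 */
        if (target) *target = e->va + 5 + read_le32(p + 1);  /* uint32 wraparound handles a negative disp */
        return PROLOGUE_JMP_REL32;
    }
    if (p[0] == 0x68 && p[5] == 0xC3) {       /* absolute: push target; ret */
        if (target) *target = read_le32(p + 1);
        return PROLOGUE_PUSH_RET;
    }
    if (p[0] == 0xB8 && p[5] == 0xFF && p[6] == 0xE0) {  /* absolute: mov eax, target; jmp eax */
        if (target) *target = read_le32(p + 1);
        return PROLOGUE_MOV_JMP;
    }
    return PROLOGUE_MODIFIED;
}

/* Redirect target of a hooked export, or 0 when it is intact or unrecognised. */
uint32_t hook_target(const export_sample *e)
{
    uint32_t t = 0;
    prologue_class c = classify_export(e, &t);
    return (c == PROLOGUE_INTACT || c == PROLOGUE_MODIFIED) ? 0 : t;
}

/* Number of exports whose live bytes no longer match the file on disk. */
size_t count_hooked(const export_sample *list, size_t n)
{
    size_t hooked = 0;
    for (size_t i = 0; i < n; i++)
        if (classify_export(&list[i], NULL) != PROLOGUE_INTACT) hooked++;
    return hooked;
}

/* Constructed samples: on disk, "mov edi,edi; push ebp; mov ebp,esp; sub esp,0x10";
 * live, two of the three have had their first 5-6 bytes overwritten. */
#define CLEAN_PROLOGUE { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 }
const export_sample SAMPLES[] = {
    { "ReadProcessMemory",  0x7C801000u,
      { 0xE9, 0xFB, 0xFF, 0x7F, 0x93, 0x83, 0xEC, 0x10 }, CLEAN_PROLOGUE },  /* jmp rel32 -> 0x10001000 */
    { "WriteProcessMemory", 0x7C802000u, CLEAN_PROLOGUE, CLEAN_PROLOGUE },   /* untouched */
    { "OpenProcess",        0x7C803000u,
      { 0x68, 0x00, 0x20, 0x00, 0x10, 0xC3, 0xEC, 0x10 }, CLEAN_PROLOGUE },  /* push 0x10002000; ret */
};

int main(void)
{
    for (size_t i = 0; i < 3; i++) {
        uint32_t target = 0;
        prologue_class c = classify_export(&SAMPLES[i], &target);
        if (c == PROLOGUE_INTACT) printf("%-20s intact\n", SAMPLES[i].name);
        else printf("%-20s hooked (class %d) -> 0x%08X\n", SAMPLES[i].name, (int)c, target);
    }
    printf("%zu of 3 exports hooked\n", count_hooked(SAMPLES, 3));
    return 0;
}
```

In a real audit the `live` bytes come from reading the target process and the `disk` bytes from mapping the same module file and applying relocations; that plumbing is Windows-specific and left out here, and a modified-but-unrecognised prologue (`PROLOGUE_MODIFIED`) still deserves a manual look rather than being ignored.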


Vulnerability-------------------------------------------------------

This is an older vulnerability that was found within the GG system for so carelessly taking so much power from your system. If you don't want to read it, I will sum it up beforehand. Basically, people were able to use the functions within GG to give their own programs the same level of access. This allows a hacker to turn your computer into (pardon my French, community monitors) his bitch. While I doubt this particular exploit is viable, and the POC doesn't work, so I won't even post it, this is a great chance to see how much access GG has in your system, and how it is for a malicious party to exploit the access you grant it.

--------------------------------------------------------------------------------

Methods of propagation:
http://eng.nprotect.com/partner.htm


Vulnerable Operating Systems:
Windows 2000
Windows XP
Windows 2003


Non-Vulnerable Operating Systems:
Windows 9x


Vulnerability:
nProtect Gameguard is an application bundled with multiplayer games which
hides the game application process, monitors the entire memory range,
terminates applications defined by the game vendor and INCA to be cheats,
blocks certain calls to DirectX functions, and auto-updates itself.


To achieve some of these ends the program uses a kernel driver by the name
of nppt9x.vxd (Windows9x) and npptnt2.sys (Windows NT).


Due to the nature of Windows 9x design, the vulnerability we are about to
discuss has no bearing. A malicious individual could achieve the same ends
on Windows 9x without the need of the npptnt2.vxd driver.


This kernel mode driver allows any process to access it, and it modifies the
I/O permission mask for the calling process to allow unrestricted I/O in
user mode. The design of modern operating systems does not generally allow
for any I/O access from user mode code for system stability and security.


The driver uses undocumented kernel function Ke386SetIoAccessMap and
Ke386IoSetAccessProcess to achieve this; the driver is very similar to the
PortTalk sample available at
http://www.beyondlogic.org/porttalk/porttalk.htm.


Allowing a process unrestricted I/O access has the following risks:


1. If the process behaves unexpectedly (for example, a stack corruption
returning to arbitrary code), I/O instructions could be issued, leading to
potential problems with the system, bad data, etc.
2. A malicious process could elevate its privilege level on the system by
using direct hardware access to read / write the hard disk, program the DMA
controller, etc., or it could damage the system by resetting CMOS,
formatting the hard drive, etc.
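What "modifies the I/O permission mask for the calling process" means concretely is that the driver rewrites the x86 I/O permission bitmap (IOPM) that lives in the task state segment: one bit per I/O port, 65536 ports, 8192 bytes, where a set bit makes an IN/OUT from user mode fault and a clear bit lets it through. The model below is an added example, not code from the advisory or from the npptnt2.sys driver; it assumes only the documented Intel IOPM semantics, and uses Ke386SetIoAccessMap and Ke386IoSetAccessProcess (named in the advisory) only as the kernel calls that would install such a map. The three sample maps are constructed: the secure default, a narrowly scoped map that opens just the LPT1 register range 0x378-0x37F (a typical legitimate PortTalk-style use), and the all-ports-open map the advisory describes.

```c
/* Added example (not from the advisory or the driver): a model of the x86
 * I/O permission bitmap that a driver installs with Ke386SetIoAccessMap and
 * enables for a process with Ke386IoSetAccessProcess. Bit set = trap the port
 * access (#GP), bit clear = allow it from ring 3. Sample maps are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IOPM_PORTS 65536u
#define IOPM_BYTES (IOPM_PORTS / 8u)

typedef struct { uint8_t bits[IOPM_BYTES]; } iopm_t;

/* Secure default: every bit set, so no port is reachable from user mode. */
void iopm_init_restricted(iopm_t *m) { memset(m->bits, 0xFF, IOPM_BYTES); }

/* What an "unrestricted I/O" driver does: clears the whole map. */
void iopm_init_unrestricted(iopm_t *m) { memset(m->bits, 0x00, IOPM_BYTES); }

/* Open one contiguous port range, the way a narrowly scoped driver should. */
void iopm_allow_range(iopm_t *m, uint16_t first, uint16_t last)
{
    for (uint32_t p = first; p <= last; p++)
        m->bits[p >> 3] &= (uint8_t)~(1u << (p & 7));
}

/* CPU rule: an access of `width` bytes at `port` is allowed only if the bit for
 * every byte port..port+width-1 is clear; accesses past the end of the map fault. */
int iopm_access_allowed(const iopm_t *m, uint16_t port, unsigned width)
{
    for (unsigned i = 0; i < width; i++) {
        uint32_t p = (uint32_t)port + i;
        if (p >= IOPM_PORTS) return 0;
        if (m->bits[p >> 3] & (1u << (p & 7))) return 0;
    }
    return 1;
}

/* Audit helpers: how many ports does this map expose, and is it wide open? */
uint32_t iopm_count_allowed(const iopm_t *m)
{
    uint32_t n = 0;
    for (uint32_t p = 0; p < IOPM_PORTS; p++)
        if (!(m->bits[p >> 3] & (1u << (p & 7)))) n++;
    return n;
}

int iopm_is_unrestricted(const iopm_t *m) { return iopm_count_allowed(m) == IOPM_PORTS; }

/* Constructed sample maps: 0 = default, 1 = LPT1 only, 2 = everything open. */
const iopm_t *sample_map(int kind)
{
    static iopm_t maps[3];
    static int built = 0;
    if (!built) {
        iopm_init_restricted(&maps[0]);
        iopm_init_restricted(&maps[1]);
        iopm_allow_range(&maps[1], 0x378, 0x37F);   /* parallel port data/status/control */
        iopm_init_unrestricted(&maps[2]);
        built = 1;
    }
    return (kind >= 0 && kind < 3) ? &maps[kind] : NULL;
}

int main(void)
{
    const char *label[3] = { "default", "LPT1 only", "unrestricted" };
    for (int k = 0; k < 3; k++) {
        const iopm_t *m = sample_map(k);
        printf("%-12s ports open: %5u  port 0x1F0 (IDE data) allowed: %d  wide open: %d\n",
               label[k], iopm_count_allowed(m), iopm_access_allowed(m, 0x1F0, 2), iopm_is_unrestricted(m));
    }
    return 0;
}
```

The point of the audit helpers is the contrast: a legitimate port-I/O driver opens a handful of bits for a specific device, while a map with all 65536 ports clear hands a user-mode process the disk controller, DMA controller and CMOS ports that the advisory lists as the risk.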


The driver is installed as a system service. Even when Gameguard and the
multiplayer game(s) are closed, the driver continues running. The driver is
accessible under a non-admin account and is activated every boot. It does
not uninstall when the application is removed and in fact will not even
uninstall if selected in Device Manager and told to uninstall. The driver
must be deleted manually, and the registry must be edited to remove the
remaining reference.


It is true that even with this vulnerability the user must still be tricked
into running a malicious application that exploits it. However, in South
Korea, where the Gameguard service is widely used, net cafes have become
part of the social fabric. These machines are ripe fruit for damage.


At the more challenging level, one could use this hardware access to turn
the PC into a zombie. One could datamine information (bypassing NTFS
permissions), commit DDoS attacks, or escalate privileges on the system, by
putting the IDE controller into PIO mode, searching the disk for the system
DLLs, and replacing them with code altered to grant admin privilege. The
possibilities at this level of hardware access are nearly endless.


Conclusion--------------------------------------
While there is a ton more information I could write about, it's time to get ready for work. I believe that from reading this you will gain a much better appreciation for what a horrible program GG is.
_________________
5xBandit , Banned [FattyPencil]
1xNoob , Banned [GayMast3r]
8xDragon Knight , Active [Private]
11x Crusader , Active [Private]
