Howdy, Stranger!
It looks like you're new here. If you want to get involved, click one of these buttons!
Quick Links
TCoS should ditch its rootkit...
This discussion has been closed.
It looks like you're new here. If you want to get involved, click one of these buttons!
Comments
Oops, a little testing and research and I found more...
Title: INCA nProtect Gameguard Unprivileged Arbitrary Read/Write Access Vulnerability
Severity: HIGH
Description:
INCA nProtect Gameguard is a Microsoft Windows kernel driver that is designed to maintain the integrity of computer game installations and protect them from external tampering.
It is reported that the INCA nProtect Gameguard kernel driver (npptnt2.sys) provides functionality that may impact the security model of a Windows NT/2000/XP computer. Reports indicate the affected kernel driver is accessible by any process even if the calling process is unprivileged. The driver provides functionality to modify the I/O permission mask of the process that invokes the affected driver to allow for unrestricted I/O operations in unprivileged user-mode. It is reported that the functions Ke386SetIoAccessMap() and Ke386IoSetAccessProcess() are used to provide this functionality.
An unprivileged attacker that has obtained local interactive access to a computer that is running the vulnerable kernel mode driver may exploit the reported functionality to make arbitrary read and write operations to a specified hardware device.
**Update: It is reported that an updated version of the nProtect Gameguard driver was released. Reports indicate that while the updated driver was modified so that arbitrary access to all I/O ports is not granted, the driver can still be used to access the I/O port ranges:
'0x40-0x47' and '0x60-0x67'
It is reported that the I/O port range '0x60-0x67' is the range that is used by the 8042 keyboard and the mouse controller, this may facilitate keystroke and mouse event reconnaissance for unprivileged applications.
And this...
GameGuard
is an application developed by nProtect, bundled with multiplayer games which hides the game application process, monitors the entire memory range, terminates applications defined by the game vendor and nProtect to be cheats, blocks certain calls to DirectX functions, Windows APIs and auto-updates itself.
The application installs itself as part of the operating system so that it can do its work. What makes it problematic is the fact that uninstalling the game that it came with does not uninstall it. Furthermore, even when the game is not running, GameGuard still sits in the background. Even clicking the 'uninstall' button in device manager does not get rid of it -- a user must manually delete both it, and the registry keys that refer to it.
GameGuard uses a variety of techniques to prevent cheaters from succeeding; hooking Windows APIs such as SendKeys (this is used in many automated botting programs), checking for cheating programs defined by the vendor and using rootkit technology to hide the processes of itself (GameMon.des) and the game that it is bundled with.
When a hacking threat is detected, GameGuard recently implemented the strategy of restarting the user's computer. This is made possible because part of GameGuard runs as a kernel driver (dump_wmimmc.sys), allowing it access to most functions on a system. If a problem occurs then GameGuard will normally exit with an error message and request that the user sends GameGuard's error log files (*.erl) which contain details of the error and a snapshot of the user's system to an e-mail address. Recently however, this has become compulsory because GameMon.des will automatically send these files.
This program leaves a computer running Windows 2000 or XP exposed to the vulnerability of unprivileged arbitrary read/write access.
- MapleWiki (wiki site for one of GameGuards games)
And for a read on the general subject of software that obscures its operation to the detriment of the user check this excellent article out. No doubt the way GameGuard installs in a stealth manner and refuses to uninstall and the invasive manner of GameGuard put it over the top but even just considering the way it uses a person's computer without their knowledge or approval is what this article is talking about. The article ends making the point that while it is often hard to detect malicious intent it is far easier to detect obfuscation and the only solution to the arms race of malware VS software is to get to a point that obfuscated software is presumed malicious.
"Obfuscation by itself is not good or bad but it has led to the situation where users can’t determine if the behavior of obfuscated software is good or bad. While it would be a controversial measure, perhaps it's time to treat any code that exhibits unknown behavior as bad.
...
In warfare, such a battle is known as a war of attrition. Both the reverse engineer and the software writer are attempting to wear the other down. As far as I can tell neither side is worn down and it is simply the user that loses. Sun Tzu, the famous military theorist, warned against getting into a war of attrition — even if you could win, it would be a pyrrhic victory as the cost would be very high.
...
The good news is — even if we can’t determine if software is going to cause harm — it is relatively easy to detect if it is trying to hide its behavior. We can scan binary code statically and detect self modifying code, root kit behavior, and anti-debugging code. By looking for these indications we have a good idea whether or not the software developer is trying to hide something from us, the user."
And this ...
--------------------------------
Achiever 60.00%, Socializer 53.00%, Killer 47.00%, Explorer 40.00%
Intel Core i7 Quad, Intel X58 SLi, 6G Corsair XMS DDR3, Intel X-25 SSD, 3 WD Velociraptor SATA SuperTrak SAS EX8650 Array, OCZ 1250W PS, GTX 295, xFi, 32" 1080p LCD
Thanks for the heads up AgtSmith
Don't let the people who seem so bizarrely angry about you pointing out a potential risk get you down
Time for a trip into the registry /sigh
Did they send you special code because you are so good at enabling their practices? It is a hidden process and the driver and hooks are hidden as well so each tmie yoru system boots it is loaded as any other driver. We are not talking about things at the childish level here folks, there are many more programs and processes running on you computer than have windows above the desktop and tabs on the taskbar or icons down by the clock.
My god, it is stunning hos readily uninformed people will post arguing about things they know nothing about, or so little about as to clearly disqualify them from the argument. It is sad.
lol...so...it's hidden...but you know where it is...and I wouldn't?
nice try...it ISN'T THERE...and ISN'T LOADED AS ANY DRIVER!!!
(down by the clock?...is this your official explanation?)
I know how to find blind processes....thanx
use your window admin tools smarty pants.
i have this error every single day after installing GG twice for 2 games.
The npkcrypt service failed to start due to the following error:
The system cannot find the path specified.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
^ npkcrypt is the hidden crap for GG. you cant get rid of it. as i removed both the physical file and the reg file. but i guess i missed one some where....
BUT i forgot GG doesnt hide stuff eh.. its clear as day ... its all under c:programfilesgamenameGameGaurd ... eh...
GG tries to run every time i restart my pc. even when i havent touched a GG game in 1yr and 4months.... totally didnt uninstall when i got rid of the game. as well.
I have TCoS installed and didn't find any "npkcrypt" files/registry entries on my computer. From what I read on the internet, people with older games had issues with this as well, but the service pointed to files that I simply don't have on my computer. If you removed a registry entry before and it didn't solve your problem, you probably grabbed a backup out of your controlset entries and not the currentcontrolset. You should be able to ditch the error you're getting by running the command 'sc delete npkcrypt' (removing the service if you don't want to muck around in your registry.)
I did find "npggsvc" which shows up under services as "nProtect GameGuard Service." I guess TCoS uses a new version or something? Is it plausible that they fixed the odd behavior you saw in the past? Anyway, I did not find anything extra running in the background when TCoS is not running. It doesn't look to me like they are really trying to hide anything sneaky with their monitoring. If I am mistaken, I'd appreciate a little more information on exactly what sensitive information is being gathered and how people are coming to that conclusion.
On a side note, I absolutely hate PunkBuster and will not play a game that uses it unless it has changed since I last tried it. I get where you're coming from in hating excess crap bloating up your system--that just doesn't seem to be the case with TCoS. I want to make sure I have rock solid evidence before I go and write off a good game, especially the ulta-rare quality MMO.
Cry me a river, Build a bridge, and get the fuck over it....
Any state regulated college takes wiki as a cite credit. Either you have your own little private school in your basement or I'm going to call bs.
The full post is here to read.
http://www.mmorpg.com/discussion2.cfm/post/2795325
So these security holes have been there for a long time, I assume.
Are there any (known) actual exploits done on Gameguard?
Surely there must have be some evil programmer around trying to exploit this.
As for Kaspersky. Would it farfetched to believe that Kaspersky would make this noticification aswell, when a program makes that assumed exploit. (If it would not, what is there to say that it would detect a program exploiting any other (not Gameguard) weakness?)
I'm so broke. I can't even pay attention.
"You have the right not to be killed"
Unless you barely have an elementary school reading level the three sentences I replied to him with are very clear, crystal clear - I even included (in the original post) definitions of the adjectives I used.
It's double-speak at best, a lie at worst.
You say it is 'evil and unscrupulous'.
You tell people they should reconsider installing it because it hands over 'complete control of you computer' to a third party company, reinforcing that 'that is exactly what they can do with this software installed.'
You call it an unknown third party program that 'hides is method and capability from you and obfuscates your removal even if you find out about it to just not do something inappropriate?'
You cite the abuses/corruption at 'AIG or Enron' as reasons to avoid GameGuard. Logically, since the same can be said about ANY company or service - bank, credit agency, mail order company, PayPal, MMO subs, etc - your singling out this one indicates that you feel they are more prone to malice or misdeeds than others.
So it really doesn't matter how many times you want to claim you aren't calling the program malicious. The fact of the matter is that you not only have repeatedly reinforced that you feel it is malicious, but have gone leaps and bounds beyond that in calling it EVIL.
Dude, this isn't the first time you began a crusade against an MMO and it certainly won't be the last. You'd probably have a lot more fun if you spent your time playing the ones you enjoy instead of warning the masses of the dangers of the malicious ones run by evil companies.
- RPG Quiz - can you get all 25 right?
- FPS Quiz - how well do you know your shooters?
hehe this is all such a nothing...
We have, on one side, some guys who want to stir up hate and get into a fight, saying this game uses a application that I don't like, not because of what it does but because of how it works blah blah blah!!
On the other we have the guys saying, we don't particularly like how it works either, but it isnt malicious or harmful, no matter how much you try and insinuate it is in all your convoluted blah blah blah and double speak, so theres no harm in it!!
But it all boils down to the same thing... no, we all don't like the way that it works necessarily, but we all agree that it isnt malicious or harmful, especially the version that TCoS uses, so there isnt any actual harm being done by any software in this game.
Enough of all the blah blah blah lol
By the way, am I right in thinking that although GG acts like a rootkit in some ways, it isnt actually one, and the OP knows that, so the title of this thread is purposefully lieing to mislead people?
Wow... Agntsmith really needs to take a holiday lol
Any state regulated college takes wiki as a cite credit. Either you have your own little private school in your basement or I'm going to call bs.
Um, in the U.S. there is no such thing as state college regulations. I can accept any source or I can deny it, it is my choice as a professor (and yes I do teach at a state college).It all comes down to what is or isn't a valid source.
No professors, in my department, will accept any Wiki as credit because it is a user-edited database where anything can be posted. It is not a reliable source of information and can be wrong or biased badly. I have gone to Wiki's in class and shown my students where the information posted is highly incorrect just to show them it is a worthless site.
Now Wiki's are okay is you are looking for general information about your topic (primarily if your topic is something general like sports or entertainment) but for purposes or a research paper, it is not an acceptable source.
lol...yeah...that was funny to me to temp
"This may hurt a little, but it's something you'll get used to. Relax....."
Two sources, albeit older ones (not hard to understand given that this program is mostly used in Asia and not North America):
NIST (US government vulnerability database)
Security Focus (very reputable computer security resource)
And again, for those not technically proficient enough to see hidden processes and drivers such as GameGuard uses there is a program called ProcessGuard that will show you, in real time, exactly how GameGuard is attaching itself to a number of system services in the background. Also, as I named before the driver files left behind are located in the %system% folder named npptnt2.dll and/or nppt9x.vxd. There is also a couple registry entries which must be removed to removed the driver which otherwise loads whenever Windows boots. At least for the version I got with TCoS these registry entries where revealed with a search for GameGuard and NPPTNT2 (can also search just for NPPTNT as a string). Do NOT edit the registry if you are not familiar with the process, you can destroy a Windows installation by improperly modifying the registry.
So the files are there, the warnings from Kapersky, AVG, even Symantic and McAffee. TCoS boards are full of people posting about A/V programs setting off alerts as well as problems with GameGuard arbitrarily closing legitimate user programs (one user reports GameGuard shutting down Steam as a cheat and the Acclaim moderator has the balls to say it is a problem with Steam). I found it interesting that in most all of these threads about gameGuard problems one or more of the people arguing with me here so strongly is found posting and excusing Gamueguard, hrm). This may or may not be a malicious program, probably not, but its behaves in a way that itself is dangerous, reckless, and violates user control of their own system (I.E. GameGuard going so far as to reboot a users computer if it choose).
Any state regulated college takes wiki as a cite credit. Either you have your own little private school in your basement or I'm going to call bs.
Um, in the U.S. there is no such thing as state college regulations. I can accept any source or I can deny it, it is my choice as a professor (and yes I do teach at a state college).It all comes down to what is or isn't a valid source.
No professors, in my department, will accept any Wiki as credit because it is a user-edited database where anything can be posted. It is not a reliable source of information and can be wrong or biased badly. I have gone to Wiki's in class and shown my students where the information posted is highly incorrect just to show them it is a worthless site.
Now Wiki's are okay is you are looking for general information about your topic (primarily if your topic is something general like sports or entertainment) but for purposes or a research paper, it is not an acceptable source.
First of all, this is not an academic forum, so Wikipedia is a legitimate reference for the circumstance. But even if you want to dismiss it outright are you saying that NIST, SecurityFocus, and several prominent security software programs are all without weight on this subject? Come on, is it really so hard to believe that the industry that gave us Sony's rootkit, SecureROM, StarForce, and myriad other invasive programs designed to turn users computers into tools for corporate purposes (be it a purpose like 'DRM' or one like 'anti cheat' or whatever). The problem everyone should have with this is that we are the consumer and as such should not be burdened to have our machines do the work of a game developer, especially not without or full knowledge and permission.
--------------------------------
Achiever 60.00%, Socializer 53.00%, Killer 47.00%, Explorer 40.00%
Intel Core i7 Quad, Intel X58 SLi, 6G Corsair XMS DDR3, Intel X-25 SSD, 3 WD Velociraptor SATA SuperTrak SAS EX8650 Array, OCZ 1250W PS, GTX 295, xFi, 32" 1080p LCD
No issues here with GG. A lot of games use it, so what is the problem?
Great so now you are suggesting that TCoS is infected with a virus.
:S
Without even managing to reply to a simple question.
Is there any known situation where Gameguard have been exploited?
(That question is hard to answer, is any program able to be affected by a virus (or pick a better word.)
Thanks, great thread, bye.
I'm so broke. I can't even pay attention.
"You have the right not to be killed"
No, AVG, Kapersky, and a number of other prominent security software programs (links and pictures provided) are saying the the behavior I describe in this thread is dangerous, that is why it is triggering alerts. I have been quite clear that my objection to GameGuard is the method it operates, installs, and refuses to uninstall and the potential for abuse that comes with that method. As I said, A/V programs today look at behavior and if something behaves inappropriately it triggers and alert whether it is malicious or benign. The actions GameGuard uses are the red flag, it really doesn't matter if it is malicious or not because it should not operate the way it clearly does operate.
I have posted a number of links (NIST and SecurityFocus among them) to known exploits in GameGuard, heck someone even posted the code that can exploit GameGuard. All posted multiple times in this thread:
NIST (US government vulnerability database)
Security Focus (very reputable computer security resource)
Juniper.net (another reputable resource for computer security information)
You continue to harp on Wikipedia despite sources such as NIST, Security Focus, AVG, Kapersky, and so on. Just how far in the sand will you stick you head to avoid the obvious and reasonable conclusion that this program is operating in a way that violates best practices and that is inappropriate and potentially dangerous.
For anyone not looking to avoid the truth of the matter I have been very clear. I said it was illicit and dangerous and I said I was not claiming it was malicious. The intent behind GameGuard (that which would determine if it is malicious or not) is irrelevant to the way it subverts user choice and control on their own system, avoids detection and removal through normal means, and the vulnerabilities that come with a program operating in the way it operates.
Did you not follow the provided links to TCoS' own boards showing a myriad of issues people are having with security programs throwing up red flags? Did you not follow the provided links and read up on people having GameGuard closing legitimate programs such as Steam, Daemon Tools, and others and even going so far as to force a reboot of user's computers without their approval? The information is posted all throughout this thread and elsewhere, don't attack me because you refuse to get your head out of the sand and approach the subject with intellectual honesty.
And for every case of anything dangerous I can likely argue that most times such dangerous activity does not result in a bad outcome, the question is of risk and the validity of the methodology employed. Is a program such as this, even if it is 100% non malicious, worth the risk introduced? Is it worth the risk that it can be hacked with known and published exploits? Is it worth the risk of nProtect misuse of the memory information it monitors and/or user data it collects and reports? Is it worth the risk that they could be hacked and that information acquired and misused by someone who compromises their servers or data stores be that a disgruntled employee or outside individual? Is it worth the risk that the local control GameGuard has to terminate not only any program the user is running but to reboot or shut down the users system? Additionally, it installs without user confirmation and remains active when the game is not running and it remains installed and active even if the user removes the game. That is a great deal of risk the user is forced to accept without knowledge or informed consent to do the work that should be the developers responsibility in the first place (securing their service).
And on top of all that risk and the bad practices of secret installation and no uninstaller the purported purpose of GameGuard is one it is known to fail at anyways. The reality is all that risk for the user is a waste because those bent on circumventing GameGuard can do so easily (a simple google search finds you half a myriad of ways).
--------------------------------
Achiever 60.00%, Socializer 53.00%, Killer 47.00%, Explorer 40.00%
Intel Core i7 Quad, Intel X58 SLi, 6G Corsair XMS DDR3, Intel X-25 SSD, 3 WD Velociraptor SATA SuperTrak SAS EX8650 Array, OCZ 1250W PS, GTX 295, xFi, 32" 1080p LCD
I'll see your "intellectual honesty" and raise you with a "paranoid delusions". Every post you make is full of misinformation and half truths with the intention of creating drama. Do you really think you're doing the community some kind of service here?
Are you waiting for someone to tell you that you're a genius because you figured out that programs that execute GameGuard can have I/O access? Now name me one program that uses GameGuard to access your PC's IO in a way that is malicious. After you're done doing that, tell me why you would ever deliberately run a malicious program that exploits GameGuard in that way in the first place. And if you've already got malicious programs running on your system that may exploit things, then GameGuard is probably the least of your worries.
Seriously dude, quit making a fool of yourself. You're OS already provides plenty of ways to do nasty things to your system that don't need a rootkit or other exploit to take advantage of it. Don't be a moron and run malicious programs. Its as simple as that.
You are sadly naive, and I think, willfully making justifications to support your predetermined position. There is a big difference between a program that crashes and causes a blue screen and a program that intentionally subverts the user and forces a reboot of his system. There is a difference between a program that inadvertently causes trouble with another program and a program that intentionally disables or disrupts the operation of another program. And there is a big difference between programs that have errors uninstalling or operating and that by design hide their installation, operation, and removal from users. GameGuard operates outside the users control and discretion, it has published exploits that open the user to serious risk, and it exudes a level of control over the users system that is simply inappropriate and potentially dangerous to the user’s privacy and system stability.
--------------------------------
Achiever 60.00%, Socializer 53.00%, Killer 47.00%, Explorer 40.00%
Intel Core i7 Quad, Intel X58 SLi, 6G Corsair XMS DDR3, Intel X-25 SSD, 3 WD Velociraptor SATA SuperTrak SAS EX8650 Array, OCZ 1250W PS, GTX 295, xFi, 32" 1080p LCD
By your juvenile logic any risk could be shrugged off, I mean after all if nothing has happened yet despite very risky behavior/actions then why worry and even though something acts in a way that is far less than above board you should still fully trust it. Or just because there are other things that are risky why worry about this thing that is risky. Of course, who cares that the program installs without consent (funny how you dropped that excuse when I posted the EULA which clearly doesn't mention it) and that it won't uninstall and that it remains active even if the game is inactive. Heck, why worry about those bad things since there are other bad things in the world. People like you are the reason computers are so plagued with troubles - unabridged nativity. You are unwilling to accept the truth of the matter and you obviously will go to any extent no matter how illogical, incorrect, or irrational to justify your pre-determined position. P.T. was right, there is a sucker born everyday.
--------------------------------
Achiever 60.00%, Socializer 53.00%, Killer 47.00%, Explorer 40.00%
Intel Core i7 Quad, Intel X58 SLi, 6G Corsair XMS DDR3, Intel X-25 SSD, 3 WD Velociraptor SATA SuperTrak SAS EX8650 Array, OCZ 1250W PS, GTX 295, xFi, 32" 1080p LCD
You know what else is extremely invasive and ever-present?
People who cheat at online games.
If you want to cheat yourself on your own, that's fine, but when you cheat in a shared multiplayer environment I'm playing in, it's personal. Whether through simple ignorance or deliberate criminal intent, these individuals can be found destroying the sanctity of my online gaming wherever I go. As a lifetime habitual gamer, the sanctity of my online gaming is very important to me.
I hate cheaters of shared multiplayer environments. I really hate them. I fantasize of doing them them lasting physical and mental harm. Just enough that they would be incapable of hijacking my games, perhaps because I removed their hands, or perhaps because they'll be too busy coping what's left of their broken, shattered lives.
Yes, it's war for me, a crusade which provokes all-American bloodlust with little provocation. However, until that war is officially declared so I can find cheaters and disembowel them with a rusty bayonet in some muddy trench, I'll settle for a lesser evil of a program that is ever-present and invasive specifically for the goal to thwart cheaters.
Be glad that GameGuard exists as a mechanism to enforce less cheating in the game, because you don't want people me to be the ones to do it. Embrace as it you would any civil liberty restriction society puts on you to prevent you from pushing your neighbor to murder you in your bed.
The marketing program, on the other hand, I could do without.
GameGuard does jack $%#$ to stop cheats, all it does it what most all things of its sort do - burden legitimate users while doing nothing to the asshats we all hate who are cheating or stealing. But GameGuard does more than just burden the user it takes his own computer and turns it in to a weapon that nProtect can use as it sees fit, all without permission, and all without any removal allowed. Sure, perhaps today it is harmless (other than the risks associated with software that runs in this way and the noted exploits) but as we saw with Sony the line easily gets crossed between just burdening a user and maliciously abusing them.
--------------------------------
Achiever 60.00%, Socializer 53.00%, Killer 47.00%, Explorer 40.00%
Intel Core i7 Quad, Intel X58 SLi, 6G Corsair XMS DDR3, Intel X-25 SSD, 3 WD Velociraptor SATA SuperTrak SAS EX8650 Array, OCZ 1250W PS, GTX 295, xFi, 32" 1080p LCD
Simply by limiting which calls can be made to Spellborn, Gameguard does more than "jack $%#$," and that's not all it does.
That is self-evident. As you so firmly believe otherwise, you're delusional. I won't waste my time with you.
So as not to be tempted, I've blocked/ignored you. Sorry, I've just better things to do than butt heads on a forum with people who are so off the end of arguing their side that they're missing such fundamentally obvious points. Also, I'm nipping any compulsive streak of my own to participate thusly. I sorely regret all of my time I've wasted in the past in doing so, as I've never convinced anyone of anything on a forum, and I doubt I ever will.
I will, however, savor the irony of your naming yourself after a movie character who is all about asserting his authority upon others.