they found another backdoor...

  • Published: 24 Dec 2024

Comments • 782

  • @LowLevelTV
    @LowLevelTV  1 month ago  +178

    wow no way that happened wouldn't it be cool if you learned to code at lowlevel.academy (ok)

    • @Cody_one
      @Cody_one  1 month ago  +19

      4:29 "All my computers are designed around this" based

    • @LowLevelTV
      @LowLevelTV  1 month ago  +17

      shit I did that again

    • @yeetyeet7070
      @yeetyeet7070  1 month ago  +5

      does this have courses that go beyond what is taught at W3schools? asking for a friend

    • @leandro-ds2vn
      @leandro-ds2vn  1 month ago  +4

      please put purchasing power parity into the pricing

    • @belkacemF
      @belkacemF  1 month ago  +1

      well how can u see the source of the code to know?

  • @PeterZaitcev
    @PeterZaitcev  1 month ago  +1182

    In Factorio, all mods are Lua scripts which are executed by a custom patch of the Lua engine with all I/O removed.

    • @RealMasterKush420
      @RealMasterKush420  1 month ago  +177

      Yeah it's safer, but unfortunately it also means we are very limited in what mods we can write; there is a trade-off. A mod for a Unity game can change anything in the game without restriction, you have access to everything the game developer has. Factorio mods can only touch what the game developer exposed to the modders, so it's very limited. I would rather have fewer restrictions and better mods, to be honest.

    • @pwii
      @pwii  1 month ago  +282

      @@RealMasterKush420 except that in the case of Factorio, pretty much everything you need is exposed, and if you want something new, there's a decent chance that they will add it to the API if you make a forum post with a good reason for it.

    • @RealMasterKush420
      @RealMasterKush420  1 month ago  +95

      @@pwii Not really, I'm working on a few mods and there are a lot of frustrating limitations. Like you cannot modify bot behavior or train pathing or modify the vanilla UI. And they even added more restrictions in the 2.0 update, like you can't even zoom out more than the vanilla game anymore. And those are just some examples; there are a bunch of small things that should've been exposed years ago but still aren't.

    • @uponeric36
      @uponeric36  1 month ago  +46

      @@RealMasterKush420 Have you tried? Far too many things don't happen because nobody thought to complain.

    • @SamTuffman
      @SamTuffman  1 month ago  +11

      Unfortunately that's not an end-all solution; there really isn't one. There are still numerous reported RCEs with many Lua versions, LuaJIT and even custom ones like rlua, glua, and even ravi.

  • @vincentbrumfield7434
    @vincentbrumfield7434  1 month ago  +1995

    I remember downloading Minecraft hacked clients from the web as a kid with no care about security on my mom's computer.

    • @LowLevelTV
      @LowLevelTV  1 month ago  +535

      millennials + LimeWire, name a better duo

    • @zs2977
      @zs2977  1 month ago  +30

      Nodus lmao

    • @Lord0x
      @Lord0x  1 month ago  +19

      @@LowLevelTV millennials and dial-up

    • @LivvieLynn
      @LivvieLynn  1 month ago  +77

      Will be every kid throughout history. Don't be cheap and share your computer with your kids. Let them have their own honey pots.

    • @BastetFurry
      @BastetFurry  1 month ago  +14

      @@LivvieLynn maybe one reason why I got my own 386 back in 1992 when I was nine. 😅

  • @muizzsiddique
    @muizzsiddique  1 month ago  +726

    I thought it was ridiculous that a game mod would be distributed as a DLL binary, then I realised all of Skyrim's most versatile mods are DLLs for SKSE.

    • @deadoon
      @deadoon  1 month ago  +137

      This is actually very normal for Unity games, since modding those is most reliably done via injection of BepInEx.

    • @nordgaren2358
      @nordgaren2358  1 month ago  +58

      My patches for Elden Ring are also DLLs. If you want to patch the code in the game, you have to inject into it somehow, and a DLL is the best way.

    • @keithl3789
      @keithl3789  1 month ago  +50

      Yeah, if a game doesn't support mods with their own sandboxing, either the modding community would have to develop and maintain their own system, or else just use the operating system's built-in functionality, which may or may not come with guard rails.

    • @1vader
      @1vader  1 month ago  +30

      Yeah, even if it weren't distributed as a DLL, at the end of the day, mods need to modify the code of the game and run their own code. The only way mods can be completely safe is if the game (or a well-trusted modding framework) provides a built-in modding framework that only loads plain data or limits and sandboxes any way to run code, e.g. by running a Lua or WebAssembly interpreter that can only run certain methods specifically provided by the game which don't give unrestricted access to any other system resources. But this also inevitably restricts what mods can do to the things exposed by that modding framework.

    • @cerulity32k
      @cerulity32k  1 month ago  +24

      C# assemblies are DLLs, so it's basically standard that mods for games made in C# (Terraria, Celeste) are DLLs.

  • @EricParker
    @EricParker  1 month ago  +113

    8:50 Interesting thing about the second stage is that because it's done dynamically, it doesn't get caught as packed by most tools (i.e. DIE).

  • @Alevice
    @Alevice  1 month ago  +581

    As someone who has dedicated half a lifetime to modding (about 25 years now), I think the key problem is modding environments that allow direct computer access. Games that provide a sandbox as their moddable environment are generally safer. I still lament this perception against this hobby, since I think the benefits to the community outweigh its potential harms. I do agree more scrutiny should be held for mods that go alter stuff like DLLs (even if part of the modding I did when younger involved such, alongside direct memory injection), but to outright dismiss the ecosystem that has allowed games to flourish for several decades and not be subject to the Live Service model feels harmful in the long term.

    • @nordgaren2358
      @nordgaren2358  1 month ago  +34

      There's no way to prevent this.
      On top of that, some of the best mods are code patches that have to be applied at runtime, and the best way to do that is a DLL. Even if they made an API for that, the user is going to be able to run code at one point or another, and you can do a lot with that.
      Even Lua, which is a popular scripting language for games and AI (Havok), can access the OS and read and write files to the system.

    • @keithl3789
      @keithl3789  1 month ago  +9

      There is a way to prevent it in theory, just the coordination and implementation may be difficult to pull off. Depending on what the OS or particular game supports, you might end up having to place your trust in a community-developed solution, but that's better than placing full trust in every random developer.

    • @nordgaren2358
      @nordgaren2358  1 month ago  +1

      @@keithl3789 That would just paint a big target on a single project...

    • @Deniil2000
      @Deniil2000  1 month ago

      @@nordgaren2358 Depends on how you implement Lua in your game. The only game I know where Lua is used is Garry's Mod, and it doesn't allow full access to the system; you can only alter files in the game's subdirectory 'data'. Calls to edit files outside throw an error.

    • @autohmae
      @autohmae  1 month ago

      @@nordgaren2358 "There's no way to prevent this."
      You are running a JavaScript sandbox in your browser many times every day, just like billions of people around the world.
      The trick is: don't give the language/runtime any functions to call that go outside of where it's supposed to go.

  • @KieranDevvs
    @KieranDevvs  1 month ago  +191

    It's worth noting that not all game engines are the same and that mod support doesn't have to mean arbitrary execution of code. Some game engines offer a modding API that only lets you interact with the game and not the machine; take note of 7 Days to Die's XML config based "modlet" approach (people have made injection mods into the Unity DLLs), or Factorio's prototype mod system. Other game engines allow arbitrary code execution but run all mods under a sandboxed environment / VM.

    • @Mernom
      @Mernom  1 month ago  +17

      I very much enjoy Factorio's modding system.

    • @piisfun
      @piisfun  1 month ago  +5

      None of them should be allowing ARBITRARY code execution. UNSIGNED code execution is usually needed (unless the devs build a whole signing system), but never arbitrary code execution.

    • @jMewsi
      @jMewsi  1 month ago  +6

      The most used approach I am used to is Lua scripting for mods. Kinda shocked Skylines 2 just loads DLLs like that. That's malicious from the get go. wtf

    • @ShilohFox
      @ShilohFox  1 month ago  +4

      Factorio is a great mention. I have developed some mods using their system, and made personal projects with Factorio's prototype mod system as inspiration because it's really interesting and surprisingly versatile. Such systems as those are really cool and have a lot of potential.

    • @_M_643
      @_M_643  1 month ago

      As long as a mod involves injecting custom code into the game, wouldn't that be potentially malicious? Other methods are not as powerful.

  • @jacoblojewski8729
    @jacoblojewski8729  1 month ago  +438

    While the overall intro has good points, I want to push back a little bit on it. A large portion of mods are not, in fact, code. And a bigger portion of them do have code, but not code with free rein.
    What do I mean? A ton of mods fall under (aka: assets only):
    - Textures
    - Models
    - Data files that feed into the game's engine to do quests, etc.
    - Some combination of the above.
    These are nearly completely safe. Of course there's always the possibility of a vulnerability in one of the game's libraries used to parse/load those assets, then a mod shipping a maliciously malformed asset to exploit that vulnerability.
    The next level of mostly safe mods do include code, but:
    - It's either a custom language or
    - Some interpreted language run within a sandboxed interpreter, so it only has access to the game data itself
    These are still usually safe, but again could exploit a vulnerability in the game's script running engine to break out and access your system.
    The ones that you absolutely need to be careful about are ones that *do* ship outside code: EXEs, DLLs, etc. Common ones here are some generic (as in they are not game specific) injectors that are meant to provide better graphics. ReShade, FXAA injectors, GShade, etc.
    Users of mods should be aware of what kind of data they're downloading, and know when they have to be more careful with them.

    • @qlx-i
      @qlx-i  1 month ago  +18

      It's the fact the format _allows_ such things to be done.
      Take Minecraft, for example. It has resource packs, datapacks and mods. Resource packs are a template that is only being interpreted as images & text; datapacks are stupidly hacky code that is being run entirely within the confines of the game's sandbox, with the interpreter not even allowing you to consider asking for an external library. And now consider mods. There are datapacks that are distributed as mods; there are even some mods that do some advanced texturing.
      However, you cannot guarantee anymore that the thing a mod does will not affect files it shouldn't, because rather than being a text file interpreted by the game, it now has MORE privilege than the game itself, being capable of calling everything a program does AND overriding the game's code.

    • @imgladnotu9527
      @imgladnotu9527  1 month ago  +11

      @@qlx-i this whole situation would've been entirely avoided if devs just included a scripting engine that's comprehensive enough to do mods beyond the scope of the game, but it's sandboxed enough so that whatever the script does, it should heavily hamper or outright discourage any efforts that would be performed by a would-be threat actor

    • @Adamussim
      @Adamussim  1 month ago  +5

      Funny that you mentioned GShade, they are an excellent example, since they did insert malicious code in their installer around a year ago.
      Since then GShade is untrusted (by me at least, but there was an outrage too, so probably not many ppl trusting them either).

    • @qlx-i
      @qlx-i  1 month ago  +5

      @@imgladnotu9527 problem is, you can't predict what mods would do. There's Sodium which just optimizes the hell out of the game, there's Iris that adds shaders to that. Despite Mojang slowly turning Minecraft data-driven, many things still can't be done. And besides, the way datapacks work was initially more of a hack than anything. I think many would agree that Kotlin just feels way more natural than even Lua.
      And from a gamedev perspective it would be much harder than it looks.

    • @hoodieninja_7203
      @hoodieninja_7203  1 month ago

      Most games' mod support also essentially has mods be sandboxed to a certain degree. However, how sandboxed a mod is depends on the game, and sandboxing can be imperfect.
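The three tiers in @jacoblojewski8729's comment (plain assets, sandboxed scripts, native code) lend themselves to an automated pre-install check. The following is an added example written for this thread in Lua, the language the discussion keeps returning to; it is not code from the video, from any commenter, or from any mod loader, and the package listing, the byte strings and the tier assigned to each format are all constructed assumptions. Rather than trusting file extensions, it sniffs the first bytes of each file, so a DLL renamed to .png, or Lua bytecode saved as a .lua "source" file, is still counted as code.

```lua
-- Added example, not code from the video, from any commenter, or from any
-- mod loader. It sorts the files of a mod package into the three tiers the
-- comment above describes: plain assets, scripts, and native code. File
-- headers are sniffed instead of trusting extensions, because a renamed DLL
-- is still a DLL the moment something loads it. All inputs are constructed.

local TIER      = { ASSET = 1, SCRIPT = 2, NATIVE = 3 }
local TIER_NAME = { "asset", "script", "native" }

-- Leading bytes of the formats that matter for this decision. Precompiled Lua
-- bytecode goes in the native tier: a text-only script loader never sees it,
-- and malformed bytecode can crash or escape the interpreter.
local MAGIC = {
  { bytes = "MZ",      what = "PE executable/DLL (.NET assemblies too)", tier = TIER.NATIVE },
  { bytes = "\127ELF", what = "ELF shared object",                       tier = TIER.NATIVE },
  { bytes = "\27Lua",  what = "precompiled Lua bytecode",                tier = TIER.NATIVE },
  { bytes = "PK\3\4",  what = "zip/jar archive: unpack and rescan",      tier = TIER.SCRIPT },
  { bytes = "\137PNG", what = "PNG image",                               tier = TIER.ASSET  },
}

-- What the file name claims to be (assumed mapping for this example).
local EXT_TIER = {
  png = TIER.ASSET,  dds = TIER.ASSET,  json = TIER.ASSET, xml = TIER.ASSET, txt = TIER.ASSET,
  lua = TIER.SCRIPT,
  jar = TIER.NATIVE, dll = TIER.NATIVE, exe = TIER.NATIVE, so = TIER.NATIVE, dylib = TIER.NATIVE,
}

local function sniff(bytes)
  for _, m in ipairs(MAGIC) do
    if bytes:sub(1, #m.bytes) == m.bytes then return m end
  end
  return nil
end

-- One file: the higher of what the name claims and what the bytes show wins,
-- and a header that outranks its extension is flagged.
local function classify_file(path, bytes)
  local ext     = (path:match("%.([%w]+)$") or ""):lower()
  local claimed = EXT_TIER[ext]
  local sniffed = sniff(bytes)
  local flags   = {}
  local tier    = math.max(claimed or TIER.ASSET, sniffed and sniffed.tier or TIER.ASSET)
  if not claimed then flags[#flags + 1] = "unknown extension" end
  if sniffed and claimed and sniffed.tier > claimed then
    flags[#flags + 1] = "header does not match extension"
  end
  local what = sniffed and sniffed.what or ("." .. ext .. " by extension")
  return tier, what, flags
end

-- Whole package: the riskiest file decides the verdict.
local function triage_package(files)
  local overall, report = TIER.ASSET, {}
  for _, f in ipairs(files) do
    local tier, what, flags = classify_file(f.path, f.bytes)
    overall = math.max(overall, tier)
    local note = #flags > 0 and ("  [" .. table.concat(flags, "; ") .. "]") or ""
    report[#report + 1] = string.format("%-6s %-24s %s%s", TIER_NAME[tier], f.path, what, note)
  end
  return TIER_NAME[overall], report
end

-- Constructed package contents: short byte strings standing in for real files.
local package_files = {
  { path = "textures/road.png",      bytes = "\137PNG\r\n\26\n....." },
  { path = "config/settings.json",   bytes = '{"maxSpeed": 120}' },
  { path = "scripts/main.lua",       bytes = "game.log('mod loaded')" },
  { path = "textures/sky.png",       bytes = "MZ\144\0\3\0\0\0...." },   -- a DLL renamed to .png
  { path = "scripts/compiled.lua",   bytes = "\27Lua\84\0\25\147\r\n" }, -- bytecode, not source
  { path = "lib/helper.jar",         bytes = "PK\3\4\20\0\0\0...." },
  { path = "plugins/ExampleMod.dll", bytes = "MZ\144\0\3\0\0\0...." },
}

local verdict, lines = triage_package(package_files)
for _, line in ipairs(lines) do print(line) end
print("package tier: " .. verdict)
```

Run it with any Lua 5.2+ interpreter. Treating precompiled Lua bytecode and nested archives as something to escalate rather than as plain scripts is deliberate: a text-only script loader never accepts bytecode, and a JAR is code the JVM runs with the user's full privileges. The check only tells you which tier of scrutiny a package needs; a file that lands in the native tier still has to be judged on its source and its author, exactly as the comment above says.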

  • @kyouko5363
    @kyouko5363  1 month ago  +90

    This is such a prime example of why game developers should encourage actual support for modding inside of their games; when you say "when you install modifications to games, depending on how the game's written, most of the time you just install a DLL", this right here is the core issue. Games with proper mod support provide you with tools to create mods via a tailor-made set of API functions you can call. In the case of Skyrim, they have a limited scripting language called Papyrus. In the case of many other games, it's usually stripped-down Lua with a game-specific API.
    The second you need a DLL to mod a game, you're already entering "unofficial" territory. GTA's modding scene, for instance, is absolutely full of DLLs, DLLs which provide an API to write mods in C# and load .NET DLLs even, none of which is officially supported and had to be reverse engineered. Skyrim is completely safe except for one attack vector: SKSE, Skyrim Script Extender, which as the name suggests extends Papyrus because its limited functionality makes it a pain to work with. The extensions themselves are perfectly safe, but now we're entering unofficial territory where you need a DLL in order for 90% of the mods on Nexus Mods to work, because they all depend on SKSE. Attack that and you've screwed everyone over.
    If the developers simply provided the means, there'd be no need for ScriptHook, SKSE, and other such nonsense. By discouraging mods (which was GTA's stance up until a while ago, yet they've yet to provide any tools), you're not changing the fact that people are going to mod your game, you're just making it more dangerous to do so by forcing users to inject third-party executable instructions into your game's memory with the same privilege as the game itself and not providing a sandboxed environment that meets the requirements of the modders (which Papyrus doesn't, it's almost *too* sandboxed, hence SKSE.dll).

    • @MajoraZero
      @MajoraZero  1 month ago  +10

      If you raise the bar of requiring any kind of modding support to be fully safe, then all you get is games not having modding support.

    • @kyouko5363
      @kyouko5363  1 month ago  +2

      @@MajoraZero I agree with that, although if that's a response to a point I made and not just a statement, then I think you may have misunderstood what I'm trying to say. Mod support doesn't refer to whether a game can or can't be modded; a game can *always* be modded, more on that later. Let me first get some definitions straight to avoid confusion.
      At a low level, a game is ultimately an executable binary, run as a process, and a game "mod" is a modification of either:
      1.) The static executable file itself on the disk, or related static assets (e.g. textures)
      2.) The game's process memory allocated at runtime.
      In more abstract terms, the behavior of a process, the game, is modified in one way or another.
      When I say "mod support" it means that modification of a game's behavior is an intended feature that the game is aware of. The game has a system built into it that recognizes mods and actively chooses whether to incorporate them or not.
      More importantly, the developers having control over that process means they can explicitly define what the game should consider a valid "mod" and how those mods are incorporated, whether that be a Lua runtime with limited access to the game's state (every MMO ever), or statically loading the mod's assets when the game launches (think Skyrim) which includes scripts that get executed at runtime (Papyrus in Skyrim's case) by an interpreter or JIT compiler baked into the game itself.
      This is all deliberately included by the developer of the game, and they have control over every step in that process. They make the decision to expose X game state, or wrappers to Y internal functions, all via the API provided to mod authors. They control what the game recognizes as a valid mod.
      The modding ecosystem of a game with official mod support will grow around the developer-provided facilities. Every ESO mod ever is a `.lua` file with a metadata file, because the developers of ESO provided the facilities for client-side mod support. That doesn't mean it *has* to be a `.lua` file.
      There's nothing stopping you from achieving the same result as a standard Lua mod that.. I don't know, adds a minimap, by writing a DLL that performs a trampoline hook on DX11's IDXGISCPresent function in order to call your own set of functions before returning to IDXGISCPresent's execution, and as your DLL is already injected into the process, you have complete access to the process memory, so you can draw yourself that same minimap, either through your own custom approach, or by calling the exact same functions the Lua API would have called to render said minimap.
      It doesn't matter if a game has official mod support or not, anything can be modded.
      The only reason it's called "modding" in the case where a game doesn't have official mod support purely boils down to the intent, but make no mistake, developing a cheat menu for a game that gives you infinite money uses the exact same method as a "mod" for a game with no official mod support that simply adds new features to the game.
      In both cases, the developer has not provided you with any official method or API to access the game state and make those modifications, so the only other way is injecting your code into the process in a way which the game is completely oblivious to, with no idea what a mod even is, or that its memory has been modified.
      In conclusion / key takeaways:
      - A game can and will be modded regardless of whether or not it has mod support. There's a fine line of intent that separates it from just outright hacking in the case of the latter. A GTA V mod is no different than a GTA V hack/cheat. GTA V does not have mod support. Hence, ScriptHookV.dll (keyword: hook) being a prerequisite for every GTA V mod.
      - Games with no mod support with a community that wants to mod it will form an ecosystem of mods based around injecting arbitrary code into a process with the same level of system privilege and access to process memory as the process itself.
      - Games with mod support and a community that wants to mod it will form an ecosystem of mods that come in the shape of what the developers provided their community with, because believe me, between having to develop your own "API" by figuring out what's what via live debugging the game and staring at x86 instructions for 6 hours to deduce 3 function signatures, and being provided a Lua API or DSL with all the functions you need to mod the game, absolutely nobody would opt for the former if it's not absolutely necessary (SKSE) or if it's recreational.
      - If developers don't provide an official way to mod their game through an API under their control, with limited access to anything outside of what's necessary to create a mod, and a community is intent on modding that game, then you end up with an ecosystem of mods that inject arbitrary code into the game process, with zero restrictions. This video being an example of this going wrong.
      On the other hand, if a simple, basic, bare minimum Lua API is provided to be able to modify basic state like the character's position, or having FFI access to existing functions in the game's code responsible for.. idk, modifying the quest log, then you avoid the problem of fostering an ecosystem where DLL files are normalized as "the way this game is modded" when it's really the option that has to be resorted to due to the lack of an official, developer-provided framework, through which you can access the same state, without injecting arbitrary third-party code into a running executable with nothing stopping it from just deciding to crawl through your disk for sensitive data, load Winsock at runtime, establish a connection, and send all of that data to a malicious actor.
      There is absolutely zero reason why an official API would even permit you access to anything but the game's state, and maybe a math library or basic essentials, but no way in hell would you be given access to anything FFI related. In fact, SKSE's existence speaks to how limited and locked down official modding APIs tend to be that the community had to go out of their way to extend it.

    • @berkeleyblue4247
      @berkeleyblue4247  1 month ago  +4

      @@kyouko5363 To be fair: the Cities: Skylines developer allows and has support for mods directly in the game

    • @kyouko5363
      @kyouko5363  1 month ago  +2

      @@berkeleyblue4247 Yeah, you're right, I do remember there being a Steam Workshop, which doesn't distribute DLLs, at least I'd hope not. Though if there is a thriving third-party modding ecosystem where mods as DLLs is something normal? I'd take that as an indicator that their mod support, while technically present, is lacking.
      It's one thing if it's just a one-off incident where one mod happens to be a DLL because there is no other way (SKSE being a prime example), but it's a whole other story if mods as DLLs is just a normal thing in the Cities Skylines modding community.
      I'd make the same argument for GTA5's modding scene where DLLs are just another Tuesday, although at least Cities Skylines I assume made an attempt to provide adequate support, but it just didn't quite cut it or was too restrictive. If you're at that point where people are having to resort to third-party sources and mod through DLLs, it's going to create an unsafe modding ecosystem where stuff like this becomes possible.
      I'd argue Cities Skylines should provide the missing access to whatever internals modders need that is forcing them to go the third-party DLL do-it-yourself route. If a framework already exists for mod support, it's not that hard of a task to just expose more of the game's internals. I'm not sure what the extent of their support is, but for argument's sake: whatever you need a DLL to access, simply provide access to that through your existing Lua API (assuming they even use Lua), and don't give your community a reason to DIY.
      It's better than no support, but inadequate support still leads to the same problem in the end.
      On the other hand, if this is actually how the game is officially meant to be modded, then that is a massive security blunder.
      DLL modding should never be the answer unless absolutely necessary. It should not be a normal thing, but most people don't understand the difference and don't realize the security risks involved by not staying within the game's "sandbox".

    • @Js17011
      @Js17011  1 month ago  +1

      my current Skyrim modlist contains 194 dll files hehe

  • @otso648
    @otso648  1 month ago  +100

    Please don't do fearmongering. Most mods are not distributed via DLL but via various scripting languages like Lua or some other custom solution. Any DLL in the modern modding scene is usually a single helper DLL that provides a framework for other mods to take advantage of by expanding the modding API.

    • @takujaba6746
      @takujaba6746  1 month ago  +8

      @@otso648 Skyrim's mods (probably the biggest modding scene out there) would like to have a word with you.

    • @aiedenoldstien9751
      @aiedenoldstien9751  1 month ago  +1

      @@takujaba6746 It's funny you mention that. I remember seeing a reddit post about a mod that "was a virus". The mod itself wasn't the virus; it was a notepad file with a link to the virus.

    • @nan_cat
      @nan_cat  16 days ago  +3

      @@otso648 Minecraft mods are just JAR files with executable code in them

  • @Decateron
    @Decateron  1 month ago  +338

    Why in 2024 desktop operating systems still let most applications run with no sandboxing is beyond me.

    • @tablettablete186
      @tablettablete186  1 month ago  +39

      Well, Windows doesn't have a proper sandbox (the closest are AppContainers)

    • @AEleven-4-Podcasts
      @AEleven-4-Podcasts  1 month ago

      @@tablettablete186 Or Windows Sandbox (lol) which is exclusive to Pro users (and adds an ugly yellow border)

    • @seeibe
      @seeibe  1 month ago  +20

      This is why I prefer to run Steam with Flatpak these days. Not foolproof but better than nothing.

    • @ougonce
      @ougonce  1 month ago  +22

      @@seeibe It literally isn't

    • @tablettablete186
      @tablettablete186  1 month ago  +32

      @@ougonce Flatpaks are a sandbox. They use namespaces for isolation and a seccomp filter.

  • @awesomecronk7183
    @awesomecronk7183  1 month ago  +81

    This is the one point where Lua is a good thing: it's sandboxable. That makes it ideal for game mods because it's easy-ish to read/write and can be run untrusted with virtually no security risk.

    • @1vader
      @1vader  1 month ago  +21

      @@awesomecronk7183 But this also restricts what mods can do to only the things exposed to the Lua sandbox. And ofc, this only works if a game has this stuff built in, which most games don't, since it's a lot of work to do it properly. But yeah, if done well, it's definitely a good option.

    • @foobarf8766
      @foobarf8766  1 month ago

      Lua is a fucking major risk because it can make http requests to load malicious modules

    • @SamTuffman
      @SamTuffman  1 month ago  +10

      unfortunately, sandboxing Lua isn't an end-all solution though; by default Lua has the io library, LuaJIT allows C code execution through FFI, and every major version of Lua has had RCEs, from rLua to gLua.
      I absolutely love Lua, and have spent more time programming in Lua than any other language, but it's not an automatic solution to the problem. The true solution is only downloading from valid verifiable sources (open source software, and checking the code yourself)

    • @1vader
      @1vader  1 month ago  +5

      @@SamTuffman For security, using something sandboxed is definitely much better than relying on trust and reading the source (as if the average person will or even can do that). Yes, it's obviously not 100% bulletproof, but exploits in Lua can be found and fixed and may not be easy to exploit. That's definitely much better than just hoping/trusting you're not going to get pwned. But ofc, sandboxing also puts limitations on mods, as mentioned previously.

    • @yarghhargh9345
      @yarghhargh9345  1 month ago  +1

      Again you are still just running code from strangers on your computer.

  • @nomore6167
    @nomore6167  1 month ago  +21

    The problem with something like this is that people will see the "support" number (the number of downloads, reviews, subscriptions, likes, etc.), and they'll equate a high number (such as 300k in this example) with a high level of trust, especially if they have no other way to measure trust.

  • @ItsErikCubed
    @ItsErikCubed  1 month ago  +107

    I just had a little panic attack because I was playing Cities: Skylines 1 with a Traffic Manager mod earlier.

    • @zerotwo7319
      @zerotwo7319  1 month ago  +9

      T h a n k y o u f o r t h e E t h e r.

    • @everythingpony
      @everythingpony  1 month ago

      It also affected the first game too

    • @ItsErikCubed
      @ItsErikCubed  1 month ago  +8

      @@everythingpony Everything I'm reading was for CS2. Paradox put an announcement on CS2 but not CS1.

    • @KingLeno
      @KingLeno  1 month ago  +8

      @@everythingpony it did not apply to nor AFFECT the first game

  • @seeibe
    @seeibe  1 month ago  +17

    My intuition is that while this can happen, getting infected by an npm or pip package is still far more likely.

    • @Rudxain
      @Rudxain  1 month ago  +1

      Deno to the rescue! ... I guess?

  • @matthewstott3493
    @matthewstott3493  1 month ago  +30

    Supply chain attack injecting a payload into a game mod. Surprised it took this long. Pretty obvious target-rich environment to capture a whole lot of gamer machines on a zombie net.

    • @loldoctor
      @loldoctor  1 month ago  +9

      This comment reads like dialogue from a cyberpunk game.

    • @itsnotsam_
      @itsnotsam_  1 month ago

      @@loldoctor that explanation is spot on

    • @pieterveenders9793
      @pieterveenders9793  1 month ago

      with a lot of combined processor power for distributed cryptomining or hash/password cracking....

  • @TheLexikitty
    @TheLexikitty  1 month ago  +9

    I run a separate machine for games, but modding is kinda half the joy of most of my favorite games. Far too many games lock all their stuff down so that you can only have fun The Correct Way.

  • @FireStormOOO_
    @FireStormOOO_  1 month ago  +12

    I feel like the smarter takeaway would've been just don't bank or handle sensitive data on the same machine you consume media on. Some game devs take cyber-security seriously, but they're the exception. Serious media decoding bugs are also a dime a dozen.

    • @boomergames8094
      @boomergames8094  1 month ago  +3

      99% of people don't have other systems hanging out just for sensitive data, unless they have a work computer, for work, that work may be monitoring...

  • @Dosenwerfer
    @Dosenwerfer  1 month ago  +40

    The actual issue is why the fuck is executing everything without compartmentalization by the OS the norm? Almost no game should have permission to interact with the filesystem other than its own files that it shipped with (or were dropped in, e.g. modded), certainly no crypto wallet application. That's insane. On mobile, we have had this whole class of issues solved for 10+ years now by having sane and very limited default permissions of what an app can do outside itself.

    • @Lizzardar
      @Lizzardar  1 month ago  +12

      Well... Windows kinda was trying to do compartmentalization with the Windows Store apps... The issue is there is a *lot* of older software that was designed with no compartmentalization in mind and stores/accesses data everywhere on the PC and can self-modify. This leads to Windows relying on the old way of interacting with things. If you look at macOS and most recent Linux distributions, they are trying to implement proper access management, which leads to their own headaches for app developers and users but kinda works.

  • @PostNoteIt
    @PostNoteIt  1 month ago  +21

    Explaining a Windows DLL in terms of a Linux Shared Object is such a power move. I'm in awe.

  • @bryan0x05
    @bryan0x05 Месяц назад +35

    2:11, you only install DLL some of the time. Most games use scripts that access the game's API and that's a most safer way of doing it.

    • @nordgaren2358
      @nordgaren2358 a month ago +2

      Not always. It really depends on the game's scripting engine. If it's something like LUA, you could run into the same issues.

    • @samuelhulme8347
      @samuelhulme8347 a month ago +1

      In Cities Skylines all code mods are DLLs

    • @electricnezumi
      @electricnezumi a month ago +8

      @@nordgaren2358 Lua is a terrible example. It is specifically made to be sandboxed. If a game has a Lua modding API and still has ways for mods to execute arbitrary malicious code outside of the scope of the game, that is because the game implemented the Lua sandbox wrong.

    • @nordgaren2358
      @nordgaren2358 a month ago

      @electricnezumi this isn't true at all.

    • @nordgaren2358
      @nordgaren2358 a month ago

      @electricnezumi if a game has to implement the sandboxing, then it's not the default, is it?

  • @inzanozulu
    @inzanozulu a month ago +9

    FYI DLLs have entry points. DllMain is called when the DLL is loaded, the intention being initializing whatever state it might need

    • @1nt1c4t10n
      @1nt1c4t10n a month ago

      Not every DLL does have an entry point. It's optional and only implemented if necessary.

  • @dudaseifert
    @dudaseifert a month ago +139

    hey low level, i'm just wondering: did you really quit league after vanguard? i quit and my friends still think i'm being extreme, but i came to the same conclusion as you, i'm not installing a rootkit on my pc, that's just asking for trouble

    • @LowLevelTV
      @LowLevelTV a month ago +222

      yup, i havent touched it since the start of S14. and as a shock to no one, my mental health significantly improved :)

    • @Buizie
      @Buizie a month ago +24

      @@LowLevelTV good. Quitting league also improved my health LMAO

    • @hungrymusicwolf
      @hungrymusicwolf a month ago +20

      @@LowLevelTV The only good thing about vanguard: whenever the temptation to return to league strikes I just remember that Vanguard still exists and I like an internet and laptop not controlled by a Chinese company.
      Quitting league really makes a massive difference. League's effect on your mental health is just like gambling on steroids, with the reward being the rush of victory instead of actual money.

    • @Z_fentomFentom
      @Z_fentomFentom a month ago +1

      Your friends are idiots, i have no other way to put it

    • @unconnectedbedna
      @unconnectedbedna a month ago +4

      Holy crap, the improvement of my mental health after leaving league was very noticeable for me!
      I am glad to read others have come to the same realization!

  • @LiEnby
    @LiEnby a month ago +37

    “Very sketchy calls”
    - creating a thread
    - connecting to the internet
    - writing a file
    Gotta say it’s weird for a math library but in general that’s very normal shit

    • @bigombrello
      @bigombrello a month ago +8

      They’re sketchy BECAUSE they’re in a math library

    • @LiEnby
      @LiEnby a month ago +1

      @@bigombrello i mean creating a thread isn't that sketchy
      Anyway, the issue is an AV doesn't really know it's a math library, and going "these are suspicious" generally would be stupid as hell

    • @illegalcoding
      @illegalcoding a month ago

      Yeah I really didn't understand that bit lol, saying that if you see a program using basic threading stuff and WinSock2 it's almost always malware seems silly

    • @MyFedora
      @MyFedora a month ago

      Yeah, crazy right? Clearly, all software updaters are malware.

    • @aiedenoldstien9751
      @aiedenoldstien9751 a month ago

      "Yo why is my math library downloading my credit card information and uploading it to the internet"

  • @Dominik-K
    @Dominik-K a month ago +16

    I'm currently researching ways to make plugins, game mods and other software modification strategies safer, by employing safety layers, sandboxes and quite a few WASM / sandboxed languages ... And it's harder than it looks at first sight. This topic is very important though, and safety of data and software integrity will only become more and more important

    • @boblol1465
      @boblol1465 a month ago

      i think minetest does this well(?)

  • @Lewisking50
    @Lewisking50 a month ago +10

    TBH If there's backdoors in my OS, my browser or really almost any program, then worrying about backdoors in my mods would just drive me crazy.
    At least I'm pretty sure there's no backdoors in the mods I made myself. But then again, I generally need other programs to make mods in the first place...

    • @SineN0mine3
      @SineN0mine3 a month ago +1

      If you run windows they don't need a back door because the front door is propped open with a brick so that they can train their AI off your data.

  • @jong2359
    @jong2359 a month ago +246

    This is a game design issue. VERY few mods for games require a 3rd party DLL. There are common exceptions for games that don't require DLLs (stuff like Skyrim Script Extender) -- so always be cautious... but really this is terrible game design from Cities Skylines.

    • @crusaderanimation6967
      @crusaderanimation6967 a month ago +50

      Yea, the first thing that came to my mind is Factorio enabling modding with mods being just Lua scripts with access to the Factorio API and without access to the system.

    • @tablettablete186
      @tablettablete186 a month ago +8

      @@crusaderanimation6967 Factorio is just GOAT

    • @kamipls6790
      @kamipls6790 a month ago +17

      Ahhh DLLs; the spicy DLC

    • @nordgaren2358
      @nordgaren2358 a month ago +10

      That's not true at all. Even if the code wasn't in a dll, it's still code.

    • @Dygear
      @Dygear a month ago +1

      Metamod for the Counter-Strike 1.5 / Source Based games. It hooked the VTable to capture a lot of information about the game state.

  • @MrProfizmus
    @MrProfizmus a month ago +6

    Lots of mods are non-code asset modifications only, such as texture and model replacement mods, so if you blanket avoid all mods, that's on you. Especially considering that you can and do know better. Some, while they do touch code, patch a couple of bytes at most (such as aspect ratio or framerate uncapping mods). Some more elaborate mods are even open source / source available / well documented. Minecraft mods are also a particularly bad example, because it's just Java (if you play the Java Edition). Not saying everyone goes and audits those mods, but the barrier of entry is way lower. It's like telling people that piracy is a boogeyman and they're all getting hacked. They don't.

  • @apillow8724
    @apillow8724 a month ago +6

    This is only tangentially related, but messing around with Neovim packages and Neovim package managers like Lazy makes me super worried. I always feel like it would be incredibly easy to conduct a supply chain attack with it.

  • @m4rt_
    @m4rt_ a month ago +4

    Malicious mods have been a thing in Minecraft for a while, both in the form of mods being designed to be malware or copies of mods being made with malware in them, and existing mods being infected with malware. So it isn't very surprising that it's happening elsewhere too.

  • @samuelbruce8837
    @samuelbruce8837 a month ago +5

    "John Hammond sent me some code" - can't wait for the "I hacked low level" video

  • @mdev3987
    @mdev3987 a month ago +7

    after this i hope that modders will learn more about git permissions

  • @philippefutureboy7348
    @philippefutureboy7348 a month ago +12

    How obfuscated do you want this?
    Yes.

  • @OfficialViper
    @OfficialViper a month ago +3

    "Author uses 2FA" should be a quality label on a mods page

  • @Sebastian-ys8sn
    @Sebastian-ys8sn a month ago +5

    I think you nailed this video again, with just the right level of detail on the matter

  • @mu11668B
    @mu11668B a month ago +1

    Hash-based PEB walking is actually very hard to detect, even for behavior-based detection engines. Most of the time AVs just hook onto certain system module exports and try to log what a program does. Parsing or even emulating long sequences of assembly is too resource intensive to be useful.

  • @paxdriver
    @paxdriver a month ago +2

    This is one of my favourite videos. I don't really play games but I love how you break down that giant mov sequence that got reconstructed by the seemingly benign prof-blah DLL. This was really neat, even for a novice programmer like me looking for coding challenges to practise on. I can't wait to try to break a hello world down and rebuild it to run with another function in another file just for fun.

  • @EraAnibra
    @EraAnibra a month ago +4

    the hashing part was genius work tbh I'm very impressed

    • @martinzihlmann822
      @martinzihlmann822 a month ago

      love that trick, will use it to confuse my coworkers.

    • @montz1757
      @montz1757 a month ago

      @@martinzihlmann822 lmao

  • @pihungliu35
    @pihungliu35 a month ago +7

    This made me think about the "fractureiser" malware on Minecraft five months ago that specifically attacked the modding ecosystem of Minecraft to distribute itself.

    • @Arcensyl-f6h
      @Arcensyl-f6h a month ago +1

      Same. I remember watching as news came out on Fractureiser in real time; it was interesting seeing people break down and eventually counter it. It was wild to me how Fractureiser tried to inject its first stage into other JAR files as an attempt to spread.

    • @sillythewanderer4221
      @sillythewanderer4221 a month ago

      @@Arcensyl-f6h same lol. Now when I launch the game I have it set to always scan for fractureiser, just in case.
      There was also some weird stuff with serialization recently.

    • @Arcensyl-f6h
      @Arcensyl-f6h a month ago

      @@sillythewanderer4221 I should probably scan JARs for it more honestly. I'm curious, how did you set it up to automatically run the scanner before the game starts?

    • @sillythewanderer4221
      @sillythewanderer4221 a month ago

      @@Arcensyl-f6h I have been just using ATLauncher (not TLauncher, that is a virus) and whenever I launch a mod pack it scans for fractureiser, but I think most non-vanilla launchers also do it.
      What launcher do you use?

    • @pihungliu35
      @pihungliu35 a month ago +2

      @@Arcensyl-f6h Some launcher will do that for you if you set it up. I'm using ATLauncher for my modded minecraft instances and whenever it launches an instance there is a step where it is "scanning for fractureiser"; I haven't checked but there should be a setting in there.

  • @PeterZaitcev
    @PeterZaitcev a month ago +2

    Imagine if that fastmath DLL actually had exposed some math functions like fastinvsqrt, fastmul, and so on. That would be literally undetectable.

  • @dashcharger24
    @dashcharger24 a month ago +3

    The most shocking about this: people actually having friends.

  • @kuhluhOG
    @kuhluhOG a month ago +1

    Whether a game is vulnerable via mods depends on how mods are implemented.
    In some games it's Lua and you need to go through the game's functions to do ANYTHING (and some don't let you touch the filesystem or heavily restrict it).
    In other games it's literally just an XML (or similar) with a few assets (like textures or audio). Sure, one could theoretically exploit a vulnerability in e.g. the parser of these files, but that's pretty darn hard (and at that point one would need to consider EVERY program which parses user-provided files of any kind vulnerable).

  • @massivgrass
    @massivgrass a month ago +9

    1:13 Never realized it's an emulator. So I can attach it to a real city?

    • @chipsafan1
      @chipsafan1 a month ago

      @@massivgrass 😂😂😂

  • @AUATUWVSH
    @AUATUWVSH a month ago +2

    As far as Skyrim mods go, the only "code" that exists is SKSE plugins (DLLs, and people rarely provide source code, but they provide the *.psc Papyrus source code most of the time), Papyrus scripts (pex files either loose or inside BSAs) and VMAD records (inside the ESP/M/L files, but they are super limited). Unless there's some exploit, and there probably are many, the game segfaults and crashes more frequently than the Rust people say C applications do

  • @pengpleb
    @pengpleb a month ago +1

    This looks exactly like the technique you are taught in OSED for writing custom shellcode. You use a custom hashing function to search for the functions you need, mainly because string comparing in plain assembly is quite painful.

    • @nikauswien5863
      @nikauswien5863 a month ago +1

      if it's that common I'm surprised that an export address table walker is not picked up by security products via heuristic or behaviour analysis. Btw, benny/29a & crew demonstrated that technique in 1998. Yes, it's that old. On the shoulders of giants!

  • @vicca4671
    @vicca4671 a month ago +1

    Things like this make me wonder if there are competitions to develop obfuscated software. This is basically one intricate (albeit dangerous) puzzle.

  • @yellows111
    @yellows111 a month ago +2

    3:48 I've actually seen legitimate software that provides code via a dynamically importable library without any exports. It makes debugging it slightly harder, since it's probably all initialized in the DllMain or just has a hardcoded VTable in the main executable.
    One example I can name is Microsoft V-Chat's VCHATHLP module.

  • @Aves_1
    @Aves_1 a month ago +1

    Title and thumbnail had me worried CS1 was affected.
    And to the people who say it doesn't matter: only the first part is general. The rest is about a specific mod for CS2

  • @agx93
    @agx93 a month ago +4

    This is why I have a gaming PC on a completely separate network with nothing but steam and discord. That’s all I use it for. Trust nothing.

    • @Sebastian-bo7vj
      @Sebastian-bo7vj 12 days ago

      @@agx93 I just containerise all my games

  • @santitabnavascues8673
    @santitabnavascues8673 a month ago +1

    Reminds me of the old DOS viruses, patching the interrupt vector, but instead of in memory, on the DLL exception handlers. Also, using hashes to disguise the names of the DLLs it looks for is clever, yet it's sad, because they take advantage of people who only want to enjoy their games more.

  • @blueboy4625
    @blueboy4625 a month ago +41

    A mod is someone else's code just like the cloud is someone else's computer. Don't trust other people if you don't know them.

    • @balsalmalberto8086
      @balsalmalberto8086 a month ago +6

      And your private data stored and "secured" by "company X" is someone else's treasure trove.

    • @null-0x
      @null-0x a month ago +15

      A game is also other people's code.

    • @blueboy4625
      @blueboy4625 a month ago

      @@null-0x Hence why I don't trust them unless they're from a known reputable creator.

    • @keithl3789
      @keithl3789 a month ago

      It would be the same if you downloaded a game from some random website. But companies have a financial interest in not letting their customers get hacked. Sometimes you have two independent parties with an interest in protecting their customers (developer and platform).

    • @cartanfan-youtube
      @cartanfan-youtube a month ago +7

      @@blueboy4625 idc bro I’m gonna keep downloading mods. Not worth this level of paranoia. just have common sense about where you get your mods from, keep proper backups, and keep your important files stored someplace safe like an encrypted flash drive not constantly plugged into your computer

  • @sykosysganadora2293
    @sykosysganadora2293 a month ago +1

    "If it's Riot Games, don't play the game at all" And that's why I upvoted this video.

  • @temp50
    @temp50 28 days ago

    DLLs - as you show it - absolutely have entry points. Back in the day I wrote some very simple Photoshop plugins. Once the given plugin was loaded by Photoshop, the entry point of the DLL had the control to initialize the plugin.

  • @philippefutureboy7348
    @philippefutureboy7348 a month ago +1

    You know, alternatively an even more obfuscated malware would read assets (images, textures, etc) that contain code embedded via steganography. That way your DLL does what it’s expected to do - process an asset, and then the new program can be loaded

  • @Terszel
    @Terszel 24 days ago

    This is why exposing an interface to the game engine for mod creators is so important. In fact, I'm surprised it is done any other way.

  • @ThylineTheGay
    @ThylineTheGay a month ago +2

    The problem with Lua scripting is you can't modify the game; i know that's the _point_ of it, but some of the best Minecraft mods would be impossible like that

  • @kamilkardel2792
    @kamilkardel2792 a month ago +2

    Wouldn't it be a good practice for game studios to make games moddable through providing some kind of sandboxed environment where all the code of a mod would be in a scripting language (like LUA or Python) and the capabilities would be limited (no meddling with the operating system, no Internet connections)?

  • @Т1000-м1и
    @Т1000-м1и a month ago

    This tickled whatever I have left in there from trying to learn programming all those years ago

  • @MrGrugsy
    @MrGrugsy a month ago +2

    The fearmongering is unnecessary my dude. There are thousands of mods for hundreds of games and malicious mods are extremely rare occurrences that usually never make it to the end user because the hosting platforms/clients/websites like Curse, Nexus, Steam Workshop, etc. check the code before allowing them to be posted for download.

  • @h7hj59fh3f
    @h7hj59fh3f a month ago +6

    Couldn't antimalware software monitor DLL/EXEs more closely if they're unsigned and have that sort of obfuscation in them? then the antimalware would pick up on all of those methods getting called and flag it / mark it as PUA / send it upstream for analysis / etc. One downside, though, is the game modder could simply tell their users to ignore false positive malware warning lol

    • @nordgaren2358
      @nordgaren2358 a month ago +2

      Sure they can, but most of a packer/stage one's job is to make sure that the antivirus doesn't pick up on anything.
      Tbh, idk why they didn't pick up the PEB crawl.
      Another thing that is dangerous is that a lot of people put games as an exception in their antivirus for one reason or another.

    • @SergeantExtreme
      @SergeantExtreme a month ago

      @@nordgaren2358 Because they're using hacks. That's why they put their games as exceptions in their antivirus!

    • @BlackLixt
      @BlackLixt a month ago

      @@nordgaren2358 the reason for exceptions is that it can perform better

  • @adsan7787
    @adsan7787 a month ago

    Mods can generally be trusted if the engine runs script-type mods, where there is no actual compiled code but an abstract interpreted custom "programming language". That way, modders can do only the particular things that the devs allow them to, which is great for security but probably annoying for mod creators

  • @mattshu
    @mattshu a month ago

    Just wanna say thank you for the push towards low level learning! I’ve taught myself C#, Java, python, etc but the low level ones like C and assembly always scared me! I have to consider your course because I love your style and energy.

  • @howabout2138
    @howabout2138 a month ago +2

    just run games on linux, even if there's a trojan inside a mod then it's not gonna steal anything as each game is sandboxed and gets its own "copy" of windows directories

  • @AbsintheBabe
    @AbsintheBabe 26 days ago

    There's a big difference between code mods and content mods. A lot of games that support mods will have ways of integrating user generated content without them needing to run any code at all. It's important to make that distinction because modding a game can bring huge enhancements to it that you might miss out on.

  • @turbopanda7012
    @turbopanda7012 a month ago +13

    When I download Minecraft mods, I don't get the latest version unless it's been out for around a month or more. Curseforge doesn't let you make changes to already uploaded versions. Of course it's not a perfect solution, but it helps to make sure that in events similar to this, I (hopefully) won't have the version with malware.

    • @ougonce
      @ougonce a month ago +5

      How did you come to the conclusion that running outdated software is more secure?

    • @aster_ISK
      @aster_ISK a month ago +7

      @@ougonce that is a hilarious take on this situation lmao xD

    • @j-twd930
      @j-twd930 a month ago +6

      @@ougonce How would you know that newly released mod is safe?

    • @theairaccumulator7144
      @theairaccumulator7144 a month ago +8

      Curseforge mods can't be heavily obfuscated by the rules so they can be reviewed when they're uploaded. This means that you can also decompile them yourself and review them to make sure they aren't doing anything shady. Most of the time they aren't, though there has been an instance where many mods were compromised through malware targeting the developers themselves.

    • @uponeric36
      @uponeric36 a month ago

      @@theairaccumulator7144 Yup, generally, if you stick to mod packs that aren't updated daily or cutting edge, that are popular - you will never have an issue. Minecraft viruses in particular have a target problem: let's say you do, finally, infect a developer to begin spreading the virus. Well first they have to not notice, then you have to hope they're involved in something popular, then you have to infect that and get into the next release... You also have to hope no random users noticed your thing is a virus before all of that.
      You can target devs directly to make this a bit more likely, but also it's a community - they will tell their other dev friends that an infection attempt was made if it happens enough.
      So yeah that's why, despite this seemingly crazy idea of running a bunch of random jar files, there has only been really one major virus incident in a decade-long history. Much worse ones have happened because of Java itself.

  • @Milosz_Ostrow
    @Milosz_Ostrow a month ago

    Another takeaway from this video is that one should not be installing software willy-nilly from unknown or untrusted sources on one's computer that is used for banking, email, and other "serious" functions. For those running open-source systems, it may be as simple as obtaining a second hard drive for games and the like and booting from one drive or the other. For those running Microsoft Windows or Mac OS, it would mean having to buy a second license for a second copy of the operating system to run on another drive or getting another computer outright.

  • @lizardkeeper100
    @lizardkeeper100 a month ago +1

    I am impressed with how they hid the imports ngl. I feel like a good antivirus should be able to catch it, but I am not sure many companies know how to make good programs. It just makes life easier for hackers

  • @rnbpl
    @rnbpl a month ago +1

    i've always assumed this was the case. i've made C:S assets: you upload unity packages which contain code that the game will run, no questions asked

  • @ErikPlay2Learn
    @ErikPlay2Learn a month ago

    What you also might take away is that Steam and the game developer should provide a safe way to install plug-ins and show you how much they tested them.

  • @lezlienewlands1337
    @lezlienewlands1337 a month ago

    Reminds me of the Gbombs backdoor for Gmod.
    IIRC the author put in backdoors that allowed him to spawn money and items on DarkRP servers, and even run admin level commands and spawn admin restricted items.
    It got discovered when a server admin noticed suspicious commands being run in server logs.

  • @the_addon
    @the_addon a month ago +4

    Curious, why did they write it to disk instead of just jumping into the actual code, created by the newly created buffer, and running that directly?

    • @nordgaren2358
      @nordgaren2358 a month ago +3

      Because then you would have to manually map the DLL into memory or use a more advanced technique like hollowing and herpaderping. The DLL doesn't come mapped. Mapping happens at runtime by the Windows loader.
      It's harder to load a PE into memory that hasn't been mapped yet.
      You can't pre-map it, either, as you need to know what memory address and the address of any import functions (not exports) the binary might need.

    • @GokEnsar
      @GokEnsar a month ago +1

      maybe cuz creating a RW buffer and writing it and then making it RX and then running it is SUS af.

    • @the_addon
      @the_addon a month ago +1

      @@nordgaren2358 Oh right, that makes sense!! Thanks

    • @nordgaren2358
      @nordgaren2358 a month ago

      @@GokEnsar no, they do that in stage two, actually, with manual syscall code.

    • @GokEnsar
      @GokEnsar a month ago

      @@nordgaren2358 stage 2 doesn't mean you're free to go, defender will still apply its regular runtime checks and that means it is risky.

  • @Nullref_Arcana
    @Nullref_Arcana a month ago

    Such a clever way to obfuscate a malware, I'm impressed it was distributed through a Cities Skylines 2 mod of all places.

  • @Veptis
    @Veptis a month ago +2

    Wait, you can obfuscate your binary to crash the decompiler?

  • @Irsu85
    @Irsu85 a month ago

    As a Mario Kart Wii modder, I can tell you most mods don't include code, only assets (they are known as assets-only Riivolution or My Stuff mods inside the MKW modding community). Of course some mods like CTGPR and Pulsar packs do include code to extend the track limit of 32 (let's not talk about LECODE, that's deprecated) but that's about it

  • @Suyalus
    @Suyalus a month ago +3

    well, you wanted traffic, you got (internet) traffic XD

  • @notjustforme
    @notjustforme a month ago

    I absolutely love the fact that you used shared objects to explain what a .dll is. You know your audience!

  • @TU7OV
    @TU7OV a month ago

    I remember this was one of the reasons why Quake 3 had a built in virtual machine to run mods on.

  • @bluegizmo1983
    @bluegizmo1983 a month ago

    I'm surprised that such a well hidden, obfuscated, and undetectable payload system would be used to target such a small number of users who play a videogame with that specific mod.

    • @AM-yk5yd
      @AM-yk5yd a month ago +2

      I'm almost 100% sure the author uses the same approach in other mods and applications

  • @MatthijsvanDuin
    @MatthijsvanDuin a month ago

    12:32 That "hash" is just standard CRC-32 without the post-inversion (which was probably folded into the constant they're testing against by the compiler)

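The CRC-32 observation in the comment above is the kind of thing an analyst turns into a lookup table: once the hash function is known, the 32-bit constants a sample compares against can be mapped back to export names, which is what you need to write a detection signature or document the sample's real imports. The Python below is added here as an example and is not code from the video or from this thread. It implements the table-driven CRC-32 both with and without the closing XOR, and resolves a constant against both variants, since the comment points out the inversion may have been folded into the compared constant. The name list is a constructed sample; a real table would be built from the export directories of the system DLLs on an analysis box.

```python
import zlib

# Reflected CRC-32 (IEEE 802.3 polynomial), table-driven.
_POLY = 0xEDB88320
_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ _POLY if _c & 1 else _c >> 1
    _TABLE.append(_c)


def crc32_no_final_xor(data: bytes) -> int:
    """CRC-32 with the usual 0xFFFFFFFF initial value but without the
    closing XOR with 0xFFFFFFFF: the variant the comment describes.
    Equals zlib.crc32(data) ^ 0xFFFFFFFF."""
    c = 0xFFFFFFFF
    for b in data:
        c = _TABLE[(c ^ b) & 0xFF] ^ (c >> 8)
    return c


def crc32_standard(data: bytes) -> int:
    """Standard CRC-32, i.e. the same computation with the final inversion."""
    return crc32_no_final_xor(data) ^ 0xFFFFFFFF


# Constructed sample of export names for the lookup table (assumption: these
# are plausible names an analyst would include; a real table is generated
# from the export directories of the system DLLs being analysed).
SAMPLE_NAMES = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc",
    "WriteFile", "CreateThread", "connect",
]

# Both variants are tried because a compiler may fold the final XOR into the
# constant being compared, so a sample can carry either form.
VARIANTS = {
    "crc32-no-final-xor": crc32_no_final_xor,
    "crc32": crc32_standard,
}


def build_hash_tables(names):
    """Return {variant: {hash: name}} for every hashing variant."""
    return {
        variant: {fn(n.encode("ascii")): n for n in names}
        for variant, fn in VARIANTS.items()
    }


def resolve_hashes(constants, names=SAMPLE_NAMES):
    """Map each 32-bit constant pulled from a sample to (name, variant),
    or None when no known export hashes to that value."""
    tables = build_hash_tables(names)
    result = {}
    for value in constants:
        result[value] = None
        for variant, table in tables.items():
            if value in table:
                result[value] = (table[value], variant)
                break
    return result


if __name__ == "__main__":
    # Self-check against the stdlib implementation, then a demo resolution
    # of constructed constants (one of each variant plus one unknown).
    assert crc32_standard(b"123456789") == zlib.crc32(b"123456789")
    constants = [
        crc32_no_final_xor(b"VirtualAlloc"),
        crc32_standard(b"WriteFile"),
        0x12345678,
    ]
    for value, hit in resolve_hashes(constants).items():
        print(f"0x{value:08X} -> {hit}")
```

The first variant that matches wins; in practice you would also record which variant the sample uses, because every other constant in that binary will use the same one, and an unresolved constant then means a name missing from your table rather than a different hash function.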
  • @antontsau
    @antontsau 16 days ago

    The main rule - do not mix sensitive information, like passwords, wallets, emails, access to somewhere and so on, with a pile of shit for your beloved game with a zoo of mods, fresh updates and no one knows what else. In this case your maximum loss is a steam account or so, not a million RL bucks.

  • @electricindigoball1244
    @electricindigoball1244 a month ago

    A mod doesn't have to include code. It depends on the game of course, but some games have mod support set up in such a way that it's possible to mod the game without including any executable code as long as you're not adding completely new functionality. Going forward I think more games with mod support should implement this model if possible to limit cases like this.

  • @u9vata
    @u9vata a month ago

    Lol, the mov operation trick is something that was being taught at a Hungarian university years (now decades?) ago for the low level classes. Exactly the same pattern. It makes me wonder if this was some state sponsored backdoor coming from us maybe haha. Would have been so cool ;-)

  • @milkom666
    @milkom666 a month ago +42

    i think the best way is to have a gaming pc, only for gaming. no shopping or socializing...etc. unfortunately being lazy stops me from always following my own advice.

    • @1KiloDepartment
      @1KiloDepartment a month ago +20

      That feels a little far, as most people only ever have a single PC (and those who can't afford another PC probably mod older games, from Quake to Minecraft depending on how far their hardware goes).
      Creating a second partition to your main drive and installing another Windows on that could work!
      And of course, Linux users have it easier, thanks to Qubes and Vanilla OSs (at least you don't have to worry about compatibility that often with older games).

    • @AliveDeejay
      @AliveDeejay a month ago +4

      As a freelancer, i bought a laptop to do my work on. When i'm at home i connect to my laptop from my PC via Microsoft native remote desktop ("rdp"). I'm not a security expert, but i think it's much better to separate private from business stuff onto different systems/devices. I also want to mirror the stuff from my laptop to a third device, just for backup, but that's a plan for the future.
      You're right, it would be better to separate even further, but i feel confident enough about the stuff i do privately (gaming/shopping etc.).

    • @milkom666
      @milkom666 a month ago +3

      @@1KiloDepartment that is why i don't sell or throw away my old phones and pc's. you can always keep a crappy pc or phone for payments, surfing and socials

    • @Freddisred
      @Freddisred a month ago +3

      Virtualization is always improving, you can have a Linux host run a Windows VM and still get strong graphical performance.

    • @seeibe
      @seeibe a month ago +4

      @@1KiloDepartment Having a Windows install on a second disk is exactly what I did. That disk will stay on Windows 10 forever.

  • @chris582
    @chris582 a month ago +1

    Oooohhh… IIRC that’s a pretty old school technique.

  • @eitantal726
    @eitantal726 a month ago +2

    If I had crypto (I don't), I'd have it airgapped somewhere on a dedicated machine. Not on my main computer, ffs

  • @Stratelier
    @Stratelier a month ago

    If a game has a mod-friendly design then most mods are actually just packages of custom assets and/or custom scripting for the game's engine to read and utilize, and _not_ executable code in the traditional sense.

    • @amak1131
      @amak1131 a month ago +2

      A lot of games are not, and people have to develop plugin tools. I know a lot of Command and Conquer games were like this (I dabbled in modding as a teen) and the only time custom code ever came in was when people started modding the .exe directly to add new engine features or fix bugs. I think the common one for YR is Aeries or something.

  • @igori3532
    @igori3532 a month ago

    It's kinda a supply chain attack.
    It's not only mods, but could be a library or container image

  • @UltimatePerfection
    @UltimatePerfection a month ago

    That's why I always run my games inside a VM that's inside a Docker container, that's inside another VM.

  • @smakfu1375
    @smakfu1375 20 days ago

    If you're loading code in-process, and the interfaces accessible by that lib or module aren't very, very carefully designed (and fuzz tested), you basically should assume that code has all the rights and privileges of the host process. Given that programmatic game modding (sanctioned or otherwise) runs directly contrary to highly restricted interfaces (because the whole point of mods is to fundamentally augment or change base program functionality) you should be extremely suspicious of all programmatic game mods. To be clear, I'm not talking about config mods, I'm talking about actual programmatic mods and plugins that have a callable entrypoint that leads to 3rd party code execution.

  • @TuxTuxedo-oc9kg
    @TuxTuxedo-oc9kg a month ago

    I'm happy that they find the backdoors. Imagine they wouldn't and someone else would...

  • @tsuaririndoku
    @tsuaririndoku A month ago

    This is why I still enjoy the first game and use mods from the Workshop. I feel like Workshop mods are slightly safer.

  • @luketurner314
    @luketurner314 A month ago +1

    So a PEB walk is kinda like searching the Table of Contents instead of the whole book one page at a time?

  • @SkylerLinux
    @SkylerLinux A month ago

    I do know some games that use XML for their "modding", mostly values, but you can do quite a bit with the XML before needing deeper mods.

  • @kyouko5363
    @kyouko5363 A month ago +1

    12:20 - I genuinely do wonder, why go through all this trouble to avoid static analysis, when you can load functions from WinAPI at runtime whose offset you do know, such as GetModuleBaseAddress and some such, that will give you that exact information, and just encrypt those instructions? They already went through the trouble of packing a second DLL file which they XOR'd, so why not just obfuscate the WinAPI imports and base address lookups? I mean, I get that it would look very suspicious to runtime analysis of the DLL, but as you said yourself, walking the PEB is already suspicious to runtime analysis, so if this was all for the sake of avoiding static analysis, why opt for this method when a much simpler option is available? If an AV couldn't pick up that it was dumping an XOR'd DLL onto the disk, surely it wouldn't pick up the same, except with obfuscated instructions that import and run a WinAPI function, would it? I don't know how advanced heuristics are nowadays, but packed data is present in a lot of binaries; how can it distinguish whether it's malicious or not without running the thing that unpacks the data?

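On the last question in the comment above, one thing a static scanner can do without executing the unpacker is brute-force the XOR key and test whether the result has a well-formed PE header. The following is an added example written for this page; it is not code from the video or from any commenter, and every input it scans is a constructed stand-in (a fake DOS/PE header plus filler, wrapped in made-up "host" bytes and XOR'd with an assumed key of 0x5A). It shows why single-byte XOR adds nothing against this kind of check: the key space is 256, a decode is accepted only if its MZ header's e_lfanew lands on a valid PE signature, and XOR does not even change the region's entropy, so both signals survive the packing.

```python
"""Added example, not code from the video or any commenter: a static,
no-execution heuristic of the kind a scanner or analyst uses to spot an
embedded PE image hidden with a single-byte XOR. It brute-forces all 256
keys and accepts only a decode whose MZ header points (via e_lfanew) at a
valid PE signature, then reports the entropy of the region. Every input
below is constructed; nothing here is loaded or executed."""
import math
from collections import Counter

MZ = b"MZ"               # DOS header magic
PE_SIG = b"PE\x00\x00"   # NT headers signature
XOR_KEY = 0x5A           # assumed key for the constructed sample
# Constructed "host" bytes that surround the hidden image.
HOST_PREFIX = b"Mod payload container v1\n" + b"\x00" * 200
HOST_SUFFIX = b"\x00" * 64


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for random/encrypted data, lower for code or text.
    A single-byte XOR only permutes byte values, so it leaves entropy unchanged."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_fake_pe(body_size: int = 512) -> bytes:
    """Constructed stand-in for a DLL: a 64-byte DOS header whose e_lfanew
    (at 0x3C) points at the PE signature, followed by filler. Not loadable."""
    dos = bytearray(0x40)
    dos[0:2] = MZ
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")
    filler = bytes((i * 7) % 251 for i in range(body_size))
    return bytes(dos) + PE_SIG + filler


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def build_host_blob(pe: bytes, key: int = XOR_KEY) -> bytes:
    """Wrap the XOR'd image in host bytes, like a resource blob inside a mod DLL."""
    return HOST_PREFIX + xor_bytes(pe, key) + HOST_SUFFIX


def find_xored_pe(blob: bytes) -> list[tuple[int, int]]:
    """Return (key, offset) pairs where blob XOR key yields an MZ header whose
    e_lfanew lands on 'PE\\0\\0'. Key 0 covers an unencrypted embedded image."""
    hits = []
    for key in range(256):
        dec = xor_bytes(blob, key)
        start = 0
        while True:
            off = dec.find(MZ, start)
            if off < 0 or off + 0x40 > len(dec):
                break
            lfanew = int.from_bytes(dec[off + 0x3C:off + 0x40], "little")
            if 0 < lfanew < 0x1000 and dec[off + lfanew:off + lfanew + 4] == PE_SIG:
                hits.append((key, off))
                break  # one confirmed image per key is enough for triage
            start = off + 1
    return hits


def describe(blob: bytes) -> dict:
    """Summarise the scan the way a triage report would."""
    hits = find_xored_pe(blob)
    report = {"hits": hits, "blob_entropy": round(shannon_entropy(blob), 2)}
    if hits:
        _, off = hits[0]
        report["region_entropy"] = round(shannon_entropy(blob[off:]), 2)
    return report


if __name__ == "__main__":
    sample = build_host_blob(build_fake_pe())
    print(describe(sample))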
  • @LordKane773
    @LordKane773 25 days ago

    A similar thing just hit SimCity 4; it happened on October 4th, but it wasn't discovered until YESTERDAY.

  • @Yyhhggtt
    @Yyhhggtt A month ago +1

    This looks exactly like 3arc's anticheat for BO2 PC; they use the same module list hashing to obfuscate imports.

  • @nomadshiba
    @nomadshiba A month ago +5

    Maybe support mods natively with sandboxed scripts.

  • @omeg666
    @omeg666 A month ago

    It's funny that this malware is considered interesting. Back in the day, a manual import/export walk with name hash checking was pretty standard. I guess back in the times of 29a, writing low-level stuff was mostly done for curiosity and experimentation, not to get easy cash by script kiddies.

  • @jkobain
    @jkobain A month ago

    One day we'll witness some malware capable of escaping a VM in the cloud. I wonder what happens if it is specifically targeted to take the cloud over.

  • @Raptorialand
    @Raptorialand A month ago

    I've never thought about the risk of someone hacking a trusted modder.
    I imagine this video will give many hackers new ideas.

    • @Trainguyrom
      @Trainguyrom A month ago +1

      This is known as a supply chain attack: compromise a trusted software provider to distribute the malicious code through trusted channels to their user base, and then compromise the user base. It's becoming increasingly common as companies tend to have lots of vendors they work with, and by having a legitimate vendor unwittingly distribute your malware you can compromise a large number of companies and individuals for the effort of compromising one.

    • @KaitouKaiju
      @KaitouKaiju A month ago

      @@Raptorialand Not a particularly new idea.

    • @Raptorialand
      @Raptorialand A month ago

      @@KaitouKaiju So if I install mods on my VR Quest 3, I have a potential risk that someone could activate the camera? That would be a little bit concerning. Could someone try how hard it is to set this off?