Skip to content

Instantly share code, notes, and snippets.

@rhaym-tech

rhaym-tech/VGK DriverEntry Analysis.md

Created February 2, 2025 18:42
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save rhaym-tech/f636b76deeca15528e70304b5ee95980 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save rhaym-tech/f636b76deeca15528e70304b5ee95980 to your computer and use it in GitHub Desktop.
Download ZIP
A well detailed Riot Vanguard Kernel AntiCheat (vgk.sys) analysis
Raw
VGK DriverEntry Analysis.md

Overall threshold and difficulty

Vanguard's anti-cheating system is a protection system that pays more attention to the threshold, and the overall design and realization of the national re-examination anti-cheating system is still not the same. Here we first discuss the threshold and the difficulty of analysis, and then discuss these in blocks later.

  1. After the game is installed, Riot Vanguard will be installed to C:\Program Files\Riot Vanguard Under the catalog. Its overall anti-cheating is driven by vgk.sys And the three-ring program vgc.exe achieve
  2. The VGK-driven boot is turned on, and the boot mode is activated. When the game is activated, it will be verified that this state cannot be turned on if it is not turned on. VGK drive will intercept all unsigned, loophole-driven and black-driven loading. That is, all public ARK and some Rootkit tools, even Dbgview, cannot be used. However, after testing, the driver can be successfully loaded with a time-poke signature.
  3. Neither Ring3 nor Ring0 can write game memory (MmCopyVirtualMemory returns to STATUS_MEMORY_NOT_ALLOCATED)
  4. FAKE UWorld
  5. There will be special testing for certain analytical tools, and after the detection, a mark will be written to black the machine
  6. Almost all registrations of various types (process, thread, object, mirror loading, registration form, etc.)

Debugging

Ring 0 (Operating System Protection Ring 0: Kernel)

Because VGK-driven boot-on + is not a conventional VMP shell, ARK tools cannot be used or analyzed with a conventional simulation execution framework, so I hope to be able to commission on its drive module. Three options were tried, none of which succeeded:

  • Go to feature Vmware+VirtualKD
  • Go to feature Vmware+VmwareHardenedLoader+IDA+gdb ida+gdbstub+qemu+virtio
  • Looking at the extranet seems to qemu remove characteristics + memflow-KVM + USB/card penetration This scheme can be debugged. The problem of time has not been tried, and subsequent analysis is done with simulators, visible VGK drive analysis section.

Ring 3 (Operating System Protection Ring 3: User land)

Many methods have been tried, including VT debugs, without success. The overall anti-cheating system combination drive has a strong anti-tuning threshold. Limited to time reasons, temporarily suspended for analysis in other directions.

Anti-write protections? One of Vanguard’s thresholds is that it cannot write memory. The specific performance is that Ring3's call to ReadProcessMemory and WriteProcessMemory return failed, and Ring0 called MmCopyVirtualMemory back to STATUS_MEMORY_NOT_ALLOCATED. Because the debugging question card has not been possible for a long time. VGK-driven Hook was found to have an introduction table for all other drivers, and Hook was performed on dangerous functions (such as MmCopyVirtualMemory). Just print the address in the drive to verify:

SYSTEM_MODULE_INFORMATION_ENTRY ntoskrnl =  {  0  }, VGK =  {  0  }, QSafe =  {  0  };

if (Utils::find_kernel_module("ntoskrnl.exe",  &VGK)  == TRUE)
	kprintf("[QSafe] : ntoskrnl.exe : 0x%p : 0x%X\n",  VGK.image_base,  VGK.image_size);
else
	kprintf("[QSafe] : Not find ntoskrnl.exe\n");

if (Utils::find_kernel_module("VGK.sys",  &VGK)  == TRUE)
	kprintf("[QSafe] : VGK.sys : 0x%p : 0x%X\n",  VGK.image_base,  VGK.image_size);
else
	kprintf("[QSafe] : Not find VGK.sys\n"); 

if (Utils::find_kernel_module("QSafe.sys",  &QSafe)  == TRUE)
	kprintf("[QSafe] : QSafe.sys : 0x%p : 0x%X\n",  QSafe.image_base,  QSafe.image_size);
else
	kprintf("[QSafe] : Not find QSafe.sys\n");

kprintf("[QSafe] : MmCopyMemory : %p\n", MmCopyMemory);
kprintf("[QSafe] : MmCopyVirtualMemory : %p\n", MmCopyVirtualMemory);
kprintf("[QSafe] : MmGetSystemRoutineAddress : %p\n", MmGetSystemRoutineAddress);
kprintf("[QSafe] : ZwProtectVirtualMemory : %p\n", ZwProtectVirtualMemory);
[QSafe] : ntoskrnl.exe : 0xFFFFF8004AE00000 : 0x1046000
[QSafe] : VGK.sys : 0xFFFFF80054940000 : 0x1506000
[QSafe] : QSafe.sys : 0xFFFFF80096F50000 : 0x4DD000
[QSafe] : MmCopyMemory : FFFFF8004B13F7B0
[QSafe] : MmCopyVirtualMemory : FFFFF8005496726C
[QSafe] : MmGetSystemRoutineAddress : FFFFF80054967390
[QSafe] : ZwProtectVirtualMemory : 0xfffff8004b1f4510

It can be seen that VGK IAT Hook my-driven MmCopyVirtualMemory to achieve surveillance-driven reading and writing memory. But it does not have Hook MmCopyMemory, MmGetSystemRoutineAddress and ZwProtectVirtualMemory functions. So you can get the real function address by MmGetSystemRoutineAddress and then call it to bypass its IAT Hook

// anti VGK hook MmCopyVirtualMemory
UNICODE_STRING usMmCopyVirtualMemory = { 0 };
Utils::string::CHAR_TO_UNICODE_STRING("MmCopyVirtualMemory", &usMmCopyVirtualMemory);
PVOID rawMmCopyVirtualMemory = MmGetSystemRoutineAddress(&usMmCopyVirtualMemory);
kprintf("[QSafe] : rawMmCopyVirtualMemory : %p\n", rawMmCopyVirtualMemory);
 
SIZE_T BytesRead = 0;
if (protocol == READ_PROTOCOL) // ReadVirtualMemory
  nStatus = Utils::call<NTSTATUS>(rawMmCopyVirtualMemory, ProcessObj, BaseAddress, PsGetCurrentProcess(), (void*)OutputAddress, RegionSize, PreviousMode, &BytesRead);
else if (protocol == WRITE_PROTOCOL)// WriteVirtualMemory
  nStatus = Utils::call<NTSTATUS>(rawMmCopyVirtualMemory, PsGetCurrentProcess(), BaseAddress, ProcessObj, (void*)OutputAddress, RegionSize, PreviousMode, &BytesRead);

So far, it can drive the memory of literacy games.

The conclusion is:

  • Use the first start-up features of VGK.sys to intercept all subsequent drive loads, and Hook-driven IAT to achieve monitoring sensitive function calls without triggering PatchGuard's effect (because Hook's IAT is not InlineHook). The bypass scheme is to obtain the real site of the API function by other means (MmGetSystemRoutineAddress or all-round output table can) and call

  • The monitoring of this method is indeed effective, but it is very radical, because it will follow up all the driven IAT of Hook, and it is easy to conflict with other security schemes or tools such as soft killing.

Fake UWorld

A threshold scheme implemented by the PACKMAN shell and VGK-driven linkage. The starting point is to combat cross-process inter-category exterior. At present, it does have a good effect. (The extranet does not see information about the inter-process exterior of overseas clothing. Hang inside and outside the process). The PACKMAN shell revises UWorldStateKey to ensure that the game is written into Magic Number to UE GWORLD, which appears to point to an invalid memory from the outside. The following code is UWorldProxy:perate= function, r14 is the real GWorld address after decryption, and r15 is the World pointer to be valued. The space they point to seems inaccessible to the external process.

To ensure normal access to the game itself, VGK drives Hook ntoskrnl.exe. KiClearLastBranchRecordStack.g_LbrClearStack, which will be called at SwapContext. VGK drives to replace CR3 with the white list of game lines in SwapContext, and restore the real GWorld address (Magic Number written by PACKMAN) and the memory page with real World objects to ensure that the white list of games access the correct World object through the World pointer. Since the other lines did not perform the replacement CR3 operation in SwapContext, they believed that the real GWorld address and the memory page pointed by the World pointer were inaccessible.

According to the information on the extranet, the hanging outside often walks down the sword to bypass this protection. VGK maintains a memory page with real data on a pool memory with a fixed size tag, and hangs a pool memory (uc called Guard Region) with a specific size in the core. Find this memory page and find it from it Real World pointer. I personally analyzed VALORANT + VGK in August 2024 and found that this memory +0x60 offset still holds the Wolrd pointer, but the memory space pointed by this World pointer is also invisible for other processes. The game process space must be injected to read the game data through the World pointer.

Injection

High-level injection, PML4, these nuclear bomb play methods are not discussed for the time being. The following analysis of Vanguard's confrontation with other more conventional injection methods.

Message hook injection

Found a standard message hook injection method for testing: Setwindowshookex injector

The entire behavior sequence: FindWindowW->GetWindowThreadProcessId->LoadLibraryEx->GetProcAddress->SetWindowsHookEx(WH_GETMESSAGE<TAG>) They were all successful, but there was no effect after the injection, and the anti-cheating system should filter the final news.

Subsequent tests found that if the injected dll is signed, it can be successfully injected through the message hook; if not signed, the dll's memory can be mapped into the game but has no injection effect (DllMain is not executed)

InlineHook + ManualMap

Call VirtualAlloc by driving to apply for memory in the game process and write it in DLL and Shellcode to find Hook points in the game to perform ManualMap Shellcode to load DLL. After bypass VGK's memory reading and writing protection, I ran through this method.

But there are pits in the memory attribute. I apply for readable, writeable and executable memory for injecting DLL, after a period of time the game will crash

However, if the driving application can be readable and write the non-executable memory, the X-bit is modified by the page table to make the memory have the execution authority, and this problem disappears. It is inferred that Vanguard scanned the memory section of VAD with executive authority.

CR3 cr3{ };
cr3.Flags = __readcr3();
CR4 cr4{};
cr4.Flags = __readcr4();
cr4.Flags &= ~CR4_SMEP_ENABLE_FLAG;
cr4.Flags &= ~CR4_SMAP_ENABLE_FLAG;
__writecr4(cr4.Flags);
for (uintptr_t current_address = address; current_address < address + size; current_address += 0x1000)
{
  const PAGE_INFORMATION page_information = get_page_information((void*)current_address, cr3);
  page_information.PDE->ExecuteDisable = 0;
  __invlpg((void*)current_address);
 
  if (!page_information.PDE || (page_information.PTE && !page_information.PTE->Present))
  { }
  else
  {
    page_information.PTE->ExecuteDisable = 0;
    __invlpg((void*)current_address);
  }
  __invlpg((void*)current_address);
}
cr3.Flags &= 0x7FFFFFFFFFFFFFFF;
__writecr3(cr3.Flags);

unwind info

Anti-CE

Run the CE game and play the window directly to exit.

After analysis, it was found that anti-cheating scanned the CE characteristics during operation, and when the CE process started, it drove the callback interception of the CE process initialization process and checked. For the detection of scanning CE characteristics during the operation of the anti-cheating system, I avoided the CE source code modification and binary file enclosure. The main source modification points are: Title, icon, For Windows Name, Target file name, Caption, Form Name, Version Info, Service Name, DBKernel Nutame, ico, Deb. After the source code is modified and re-edited, the shell is added, and the CE is run first, and the game will not be played by the window.

But if you run the game first, then run the CE, you will still be bombed. I also analyzed the reason for this problem Observational performance, after the game is started, the CE process will not appear, but the game slideshot only appears after the window is closed. It is believed that a callback intercepted the start of CE or the start of CE. Considering that starting the CE before running the game is not withdrawn by the bullet window, it is believed that the static features in the CE process should be all erased, and the probability of being detected at the start is a certain step of initialization. Analyze the CE source code and find that when CE is activated, it will write a key value to the registration form for service registration and drive communication operations. At the same time, Vanguard registered the return of the registration form, so it is considered that it is very likely that the step of writing a key value to the registration form when CE started was intercepted by the test. The specific verification has not been implemented because of the time relationship.

VGK stack analysis

[INFO] VGK version during analysis: 1.15.15.9

Because VGK is not driven by traditional VMP variation, the conventional simulation execution frame cannot run out of things. I have magically changed a framework. The principle is to use Unicorn+VEH for simulation execution, mapping system modules, Hook instruction memory reading and instruction writing interruption, tracking API calls and key structural body reading and writing. VGK's technical strength should be quite high. At present, he only ran DriverEntry, and you can see that the content is more complicated and messy. Some analysis conclusions are based on their own experience and speculation to a certain extent. Here first output the conclusion.

In the VGK-driven entrance function DriverEntry:

  1. VGK drive to write logs to C:\Program Files\Riot Vanguard\Logs folder
  2. VGK driver relies on writing the document VGKbootstatus.dat determines whether the current driver is self-operated
  3. VGK drive initialization ZwQuerySystemInformation SystemModuleInformation(0x4D) Scan existing modules in the system and scan their memory for black
  4. VGK detects whether the current system is in PG status
  5. VGK drives the use of multiple counter-testing techniques and multiple calls, including not limited to: DbgPrompt, hard-cut register clearing, registered SEH to receive unsolicited anomalies, reading KdDebuggerEnabled and KdDebuggerNotPresent variables, using wrong MSR instructions, MSR_IA32_DEBUGCTL, artq command, etc.
  6. VGK drive to test simulator by means of error transmission
  7. VGK Drive Modification Instantly Write MSR_LSTAR Test VT
  8. VGK-drive entrance read LastBranchFromIP_MSR and MSR_LASTBRANCH_TOS test simulated mouse exterior
  9. VGK drive Hook ntoskrnl.KiClearLastBranchRecordStack.g_LbrClearStack gets the execution time at SwapContext, replacing the real-page table with correct game data with the game white list range
  10. VGK drives the registration of callback functions such as the process, thread, object, mirror loading, registration form, power state, shutdown, etc. completed within the DriverEntry function.
  11. VGK drive DriverEntry function verifies the signature and integrity of the existing drive module by CiCheckSignedFile to determine legality
  12. VGK drive DriverEntry functions will collect hardware information, including Boot GUID, hard disk serial number, etc.
  13. The following is based on the results of simulated execution, and in accordance with the execution order driven by VGK, the implementation details are analyzed. There are still some rules on the whole, so I simply divide its DriverEntry function into several stages

The first part of the initialization and status testing phase Starting at DriverEntry, first registered the driving unloading function Code:

[19d8]  Executing ntoskrnl.exe!RtlDuplicateUnicodeString
[19d8]  	RtlDuplicateUnicodeString : \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VGK = 0
[19d8]  Emulating write to MainModule.DriverObject+00000068     // _DRIVER_OBJECT.DriverUnload

Then get the current time of the system and create log files

[19d8]  Emulating read from KUSER_SHARED_DATA+00000014	// SystemTime
[19d8]  Executing ntoskrnl.exe!ExSystemTimeToLocalTime
[19d8]  Executing ntoskrnl.exe!RtlTimeToTimeFields
[19d8]  Executing ntoskrnl.exe!vswprintf_s
[19d8]  	Result : 2024-08-29_04-03-33
[19d8]  Executing ntoskrnl.exe!ExAllocatePoolWithTag
[19d8]  Executing ntoskrnl.exe!swprintf_s
[19d8]  	Result : \??\c:\Program Files\Riot Vanguard\Logs\VGK_2024-08-29_04-03-33.log
[19d8]  Executing ntoskrnl.exe!ExFreePool
[19d8]  Executing ntoskrnl.exe!RtlInitUnicodeString
[19d8]  Executing ntoskrnl.exe!IoCreateFileEx
[19d8]  	Creating file : \??\c:\Program Files\Riot Vanguard\Logs\
[19d8]  	Return : c000003a
[19d8]  Executing ntoskrnl.exe!ZwClose
[19d8]  	Closing Kernel Handle : 0
[19d8]  Executing ntoskrnl.exe!RtlInitUnicodeString
[19d8]  Executing ntoskrnl.exe!IoCreateFileEx
[19d8]  	Creating file : \??\c:\Program Files\Riot Vanguard\Logs\VGK_2024-08-29_04-03-33.log
[19d8]  Executing ntoskrnl.exe!ExFreePool

And you can see that the date version number and other information and system version number are written into it Code:

[19d8]  Executing ntoskrnl.exe!RtlTimeToTimeFields
[19d8]  Executing ntoskrnl.exe!vswprintf_s
[19d8]  Result : 2024-08-29_04-03-33
[19d8]  Executing ntoskrnl.exe!vswprintf_s
[19d8]  Result : 1000004A
[19d8]  Executing ntoskrnl.exe!ExAllocatePoolWithTag
[19d8]  Executing ntoskrnl.exe!_vsnwprintf
[19d8]  Executing ntoskrnl.exe!ExAllocatePoolWithTag
[19d8]  Executing ntoskrnl.exe!swprintf_s
[19d8]  Result : [2024-08-29_04-03-33] [!] [1000004A]: 1.15.15.9 ; Thu Aug 08 16:13:35 2024
[19d8]  Emulating read from KUSER_SHARED_DATA+0000026c	// NtMajorVersion
[19d8]  Emulating read from KUSER_SHARED_DATA+00000260	// NtBuildNumber
[19d8]  Emulating read from KUSER_SHARED_DATA+00000270	// NtMinorVersion
[19d8]  Emulating read from KUSER_SHARED_DATA+00000014  // SystemTime
[19d8]  Executing ntoskrnl.exe!RtlTimeToTimeFields
[19d8]  Executing ntoskrnl.exe!vswprintf_s
[19d8]  	Result : 2023-01-29_04-03-33
[19d8]  Executing ntoskrnl.exe!vswprintf_s
[19d8]  	Result : 1000004E
[19d8]  Executing ntoskrnl.exe!ExAllocatePoolWithTag
[19d8]  Executing ntoskrnl.exe!_vsnwprintf
[19d8]  Executing ntoskrnl.exe!ExAllocatePoolWithTag
[19d8]  Executing ntoskrnl.exe!swprintf_s
[19d8]  Result : [2024-08-29_04-03-33] [!] [1000004E]: 10 ; 0 ; 22631 // Windows 10 22631 ( Windows 11 23H2)
[19d8]  Executing ntoskrnl.exe!ExFreePool
[19d8]  Executing ntoskrnl.exe!ExFreePool

Next, the VGK driver will write the key document VGKbootstatus.dat, and the content of the document should be related to whether the driver is boot. When the game starts, you will read the document to determine whether the VGK-driven start is self-operated, and if not, the user will be required to restart the computer. ( Ensure that the game runs the turn on VGK drive boot and intercepts the external wall drive loading to ensure that the time for the external drive to start must be after VGK drive)

[19d8]  Emulating read from KUSER_SHARED_DATA+0000026c  // NtMajorVersion
[19d8]  Emulating read from KUSER_SHARED_DATA+00000270  // NtMinorVersion
[19d8]  Executing ntoskrnl.exe!wcscpy_s
[19d8]  Executing ntoskrnl.exe!wcscat_s
[19d8]  Executing ntoskrnl.exe!wcscat_s
[19d8]  Executing ntoskrnl.exe!RtlInitUnicodeString
[19d8]  Executing ntoskrnl.exe!IoCreateFileEx
[19d8]  	Creating file : \??\C:\Windows\VGKbootstatus.dat
[19d8]  	Return : 00000000
[19d8]  Executing ntoskrnl.exe!ZwWriteFile
[19d8]  Executing ntoskrnl.exe!ZwFlushBuffersFile
[19d8]  Executing ntoskrnl.exe!ZwClose
[19d8]  	Closing Kernel Handle : 160

I tried to intercept the VGK drive to write the file, the VGK drive would write the wrong log and return to STATUS_FAILED_DRIVER_ENTRY direct loading failure

[0708]  Executing ntoskrnl.exe!swprintf_s
[0708]          Result : [2023-01-12_08-36-59] [-] [E0000050]: C0000365
[0708]  Executing ntoskrnl.exe!ExFreePool
[0708]  Executing ntoskrnl.exe!ExFreePool
[0708]  Main Thread Done! Return = c0000365	// STATUS_FAILED_DRIVER_ENTRY

Next VGK drive called KeIpiGenericCall to call a function, which cleared all nuclear DR7 hard-broken register. The KeIpiGenericCall function will call the BroadcastFunction function, and the IPI (Inter-Processor Interrupt) will enable all cores to perform a function, that is, the execution of the function will not be subject to other nuclear interference. Here is to clear all nuclear DR7. In the follow-up, this method was used many times.

[19d8]  Executing ntoskrnl.exe!KeIpiGenericCall
[19d8]  	BroadcastFunction: VGK.sys + 0x1b5c
[19d8]  	Content: 0
[19d8]  Clearing Interrupts
[19d8]  Writing 0 to DR7
[19d8]  Restoring Interrupts
[19d8]  	IPI Returned : 0

VGK then called ZwQuerySystemInformation and passed the SystemInformationClass parameter to SystemModuleInformation(0x4D) enumerating the system module information, that is, trying to obtain the drive information loaded before the VGK drive to judge

[19d8]  Reading CR0
[19d8]  Executing ntoskrnl.exe!_stricmp
[19d8]  Executing ntoskrnl.exe!ZwQuerySystemInformation
[19d8]  	Class 0000004d status : c0000004
[19d8]  Executing ntoskrnl.exe!ExAllocatePoolWithTag
[19d8]  Executing ntoskrnl.exe!ZwQuerySystemInformation
[19d8]  	Class 0000004d status : 00000000            
[19d8]  	Class 0000004d success
[19d8]  	Base is : 7ff6770f0000
[19d8]  Executing ntoskrnl.exe!ExFreePool
[19d8]  Executing ntoskrnl.exe!ZwQuerySystemInformation
[19d8]  	Class 0000004d status : c0000004
[19d8]  Executing ntoskrnl.exe!ExAllocatePoolWithTag
[19d8]  Executing ntoskrnl.exe!ZwQuerySystemInformation
[19d8]  	Class 0000004d status : 00000000
[19d8]  	Class 0000004d success
[19d8]  	Base is : 7ff6770f0000
[19d8]  Executing ntoskrnl.exe!ExFreePool
[19d8]  Executing ntoskrnl.exe!ZwQuerySystemInformation
[19d8]  	Class 0000004d status : c0000004
[19d8]  Executing ntoskrnl.exe!ExAllocatePoolWithTag
[19d8]  Executing ntoskrnl.exe!ZwQuerySystemInformation
[19d8]  	Class 0000004d status : 00000000
[19d8]  	Class 0000004d success
[19d8]  	Base is : 7ff6770f0000

Then read the relevant data in large quantities, thinking that it is to obtain the relevant information of the existing drive module

[19d8]  Getting data @ ntoskrnl.exe!MmHighestUserAddress
[19d8]  Getting data @ ntoskrnl.exe!MmHighestUserAddress
[19d8]  Getting data @ ntoskrnl.exe!MmHighestUserAddress
[19d8]  Getting data @ ntoskrnl.exe!MmHighestUserAddress
................................................................

Then, VGK created an event object, a clock object, and a callback object

[19d8]  Executing ntoskrnl.exe!KeInitializeEvent
[19d8]  	Event object : 7ff6addb82f8
[19d8]  Executing ntoskrnl.exe!KeInitializeTimer
[19d8]  Executing ntoskrnl.exe!KeSetTimer
[19d8]  	Timer object : 7ff6addb9350
[19d8]  	DPC object : 0
[19d8]  Executing ntoskrnl.exe!ExCreateCallback
[19d8]  	Callback object : 92790fefd8
[19d8]  	*Callback object : 0
[19d8]  	Callback name : \Callback\542875F90F9B47F497B64BA219CACF69

At this location, the initialization phase of the first part is completed, and the VGK drive begins to detect the debug.

Countermeasure stage

During the counter-testing phase, VGK drivers will continuously call a variety of different counter-testing, anti-simulator and PG testing methods. And this continuous process appeared repeatedly in the back. It is believed that the entire stage is encapsulated as a function and interspersed multiple times.

VGK drive first used int20 to test whether it is currently in the ByPassPG environment. int20 will execute KiSwInterrupt, and if there is no PatchGuard Context, the blue screen will be cleared. So in fact, this method is not so much a test of PG as an active trigger of PG test. If the system ByPassPG is a blue screen.

[19d8]  [Info] Checking for Patchguard (int 20)

Then registered SEH to call DbgPrompt. The API will request input from the user when there is an internal nuclear debugger addition. If there is no debugger, it will throw anomaly and forward it to SEH. Test the debugger by whether anomalies are accepted in SEH.

[19d8]  Executing ntoskrnl.exe!DbgPrompt
[19d8]  Executing ntoskrnl.exe!__C_specific_handler

Empty the hardened register Dr7

[19d8]  Writing 0 to DR7

I read the internal nuclear commissioning sign variables KdDebuggerEnabled and KdDebuggerNotPresent, and I went directly to KUSER_SHARED_DATA to read it once to prevent the replacement of the output table. After the variable test, call KdChangeOption to determine whether the return value is STATUS_DEBUGER_INACTIVE, and then remove the hard-broken register after completion.

[19d8]  Getting data @ ntoskrnl.exe!KdDebuggerEnabled
[19d8]  Getting data @ ntoskrnl.exe!KdDebuggerNotPresent
[19d8]  Emulating read from KUSER_SHARED_DATA+000002d4  // KdDebuggerEnabled
[19d8]  Executing ntoskrnl.exe!KdChangeOption
[19d8]  Writing 0 to DR7

Gave a wrong MSR instruction and took the initiative to enter SEH abnormal

[19d8]  Reading from unsupported MSR : 4b564d00
[19d8]  Failed to emulate instruction
[19d8]  Executing ntoskrnl.exe!__C_specific_handler

Quick writing transient MSR_IA32_DEBUGCTL

[19d8]  Clearing Interrupts
[19d8]  Reading MSR DBGCTL_MSR : 0
[19d8]  Writing MSR DBGCTL_MSR : 3
[19d8]  Reading MSR DBGCTL_MSR : 3
[19d8]  Writing MSR DBGCTL_MSR : 0
[19d8]  Restoring Interrupts

Perform IRETQ command counter-review anti-simulator

[19d8]  Clearing Interrupts
[19d8]  [Info] IRET Timing Emulation
[19d8]  Restoring Interrupts
[19d8]  Clearing Interrupts
[19d8]  [Info] IRET Timing Emulation
[19d8]  Restoring Interrupts
[19d8]  Clearing Interrupts
[19d8]  [Info] IRET Timing Emulation
[19d8]  Restoring Interrupts
[19d8]  Clearing Interrupts
[19d8]  [Info] IRET Timing Emulation
[19d8]  Restoring Interrupts
[19d8]  Clearing Interrupts
[19d8]  [Info] IRET Timing Emulation
[19d8]  Restoring Interrupts

This concludes the counter-testing phase

Core initialization stage

After the first call of the counter-test function, VGK obtained the current EROCESS and System process EROCESS

[19d8]  Executing ntoskrnl.exe!IoGetCurrentProcess
[19d8]  Emulating read from PID4.ETHREAD+000000b8       // ethread->Tcb.ApcState.Process
[19d8]  	Returning : 7ff7b9bc1000
[19d8]  Getting data @ ntoskrnl.exe!PsInitialSystemProcess

And VGK drive tried to open the VGK object, which does not exist on my system, so I returned to failure. It is not clear for the time being what is the use. Guessing may be related to machine code containment.

[19d8]  Executing ntoskrnl.exe!ZwOpenSection
[19d8]  	Section name : \Device\VGK_PLZNOHACK, access : f001f, ret : c0000034

Created a callback object

[19d8]  Executing ntoskrnl.exe!ExCreateCallback
[19d8]  	Callback object : 92790fef60
[19d8]  	*Callback object : 0
[19d8]  	Callback name : \Callback\542875F90F9B47F497B64BA219CACF69

Next, through ZwQuerySystemInformation and PsLoadedModuleList, obtain the drive module information, and obtain the physical memory for access scanning

[19d8]  Executing ntoskrnl.exe!ZwQuerySystemInformation
[19d8]  	Class 0000004d status : c0000004
[19d8]  Executing ntoskrnl.exe!ExAllocatePoolWithTag
[19d8]  Executing ntoskrnl.exe!ZwQuerySystemInformation
[19d8]  Executing ntoskrnl.exe!ExFreePool
[19d8]  Getting data @ ntoskrnl.exe!MmHighestUserAddress
[19d8]  Getting data @ ntoskrnl.exe!PsLoadedModuleList
[19d8]  Emulating read from LdrEntry.ntoskrnl.exe+00000110
[19d8]  Executing ntoskrnl.exe!MmIsAddressValid
[19d8]  Reading CR3
[19d8]  Executing ntoskrnl.exe!MmGetPhysicalAddress
[19d8]  	Getting Physical address for 8040201000
[19d8]  	Return : 8040201
[19d8]  Executing ntoskrnl.exe!MmGetPhysicalAddress
[19d8]  	Getting Physical address for 10080402000
[19d8]  	Return : 10080402
[19d8]  Executing ntoskrnl.exe!MmGetPhysicalAddress
[19d8]  	Getting Physical address for 180c0603000
[19d8]  	Return : 180c0603
[19d8]  Executing ntoskrnl.exe!MmGetPhysicalAddress
[19d8]  	Getting Physical address for 20100804000
[19d8]  	Return : 20100804
................................................................

After scanning

Next, I used MDL to apply for an internal nuclear space and called RtlRandomEx 2048 times to obtain 2048 numbers. Each random number of seeds transmitted is different.

[19d8]  Executing ntoskrnl.exe!ExAllocatePoolWithTag
[19d8]  Executing ntoskrnl.exe!ExAllocatePoolWithTag
[19d8]  Executing ntoskrnl.exe!IoAllocateMdl
[19d8]  Executing ntoskrnl.exe!MmBuildMdlForNonPagedPool
[19d8]  Executing ntoskrnl.exe!IoAllocateMdl
[19d8]  Executing ntoskrnl.exe!MmBuildMdlForNonPagedPool
[19d8]  Executing ntoskrnl.exe!RtlRandomEx
[19d8]  Seed is a7dee806
[19d8]  Executing ntoskrnl.exe!RtlRandomEx
[19d8]  Seed is 64d0ad0c
[19d8]  Executing ntoskrnl.exe!RtlRandomEx
[19d8]  Seed is cede0f85
[19d8]  Executing ntoskrnl.exe!RtlRandomEx
[19d8]  Seed is 2e75bc4e
[19d8]  Executing ntoskrnl.exe!RtlRandomEx
[19d8]  Seed is a42e3fef
[19d8]  Executing ntoskrnl.exe!RtlRandomEx
[19d8]  Seed is 11a9341
[19d8]  Executing ntoskrnl.exe!RtlRandomEx
[19d8]  Seed is ac485ec
.
.
.
[19d8]  Executing ntoskrnl.exe!RtlRandomEx
[19d8]  	Seed is 8n263uf

Then two lines were created, but these two lines have been calling KeDelayExecutionThread to wait for the event, and the specific role has not been analyzed for the time being.

[19d8]  Executing ntoskrnl.exe!PsCreateSystemThread
[2e90]  Thread Initialized, starting...
[19d8]  Executing ntoskrnl.exe!PsCreateSystemThread
[271c]  Thread Initialized, starting...
[2e90]  Executing ntoskrnl.exe!KeDelayExecutionThread
[2e90]  	Sleep : 500
[271c]  Executing ntoskrnl.exe!KeDelayExecutionThread
[271c]  	Sleep : 500
................................................................

Next, the main thread reads two signs for detecting the mouse simulation type drive

[19d8]  Reading MSR LastBranchFromIP_MSR : 0
[19d8]  Reading MSR MSR_LASTBRANCH_TOS : 0

VGK reads the MSR sign to judge whether to open the function of collecting LBR (Last Branch Recorder) information. If the LBR information collection function is turned on, the CPU will record the source and destination of the last branch jump. LBR was opened by default on the Windows 10. I did not open it because it was a simulated environment. VGK found that LBR did not open it. Because FPS need to simulate the mouse for self-targeting, they often call the MouseClassServiceCallback function. After VGK linked this function, it read the last branch execution address. If an unknown address is found, it is considered abnormal. The bypass idea of this detection method is: call MouseClassServiceCallback function closes LBR collection immediately before, and resumes immediately after calling.

At the same time, the LBR hardware mechanism is often used in conjunction with PMI (Performance Monitoring Interrupt). CPU provides a performance monitoring (PM) function that triggers an interruption when the PMC counter spills, thereby obtaining the timing of collecting information. windows designed an interface for this function to collect information, which is PMI. This function is very powerful and can even monitor the inter-process inter-access memory reading ( Snow watching-[Original ] Based on PMI to perform literacy testing ) In conjunction with it, mechanisms such as PEBs/Intel PT are used.

Next, the registration callback began, first registering the process, thread, object, mirror loading, registration form callback.

[19d8]  Executing ntoskrnl.exe!PsSetCreateProcessNotifyRoutine
[19d8]  Executing ntoskrnl.exe!PsSetCreateProcessNotifyRoutineEx
[19d8]  Executing ntoskrnl.exe!PsSetCreateThreadNotifyRoutine
[19d8]  Executing ntoskrnl.exe!PsSetLoadImageNotifyRoutine
[19d8]  Executing ntoskrnl.exe!ObRegisterCallbacks
[19d8]  Executing ntoskrnl.exe!CmRegisterCallbackEx

Then registered the power state callback, which will be called when the system power feature changes

[19d8]  Executing ntoskrnl.exe!ExCreateCallback
[19d8]  Callback object : 7ff6addb83e8
[19d8]  Callback object : 0
[19d8]  Callback name : \Callback\PowerState
[19d8]  Executing ntoskrnl.exe!ExRegisterCallback

Next, the program will determine the signature information of the driving module in the current system through a series of functions and write a log

[19d8]  Emulating read from KUSER_SHARED_DATA+0000026c
[19d8]  Executing ntoskrnl.exe!IoCreateFileEx
[19d8]  Executing ntoskrnl.exe!ZwQueryInformationFile
[19d8]  QueryInformationFile with class 00000005		// FileStandardInformation 
[19d8]  Executing ntoskrnl.exe!ExAllocatePoolWithTag
[19d8]  Executing ntoskrnl.exe!ZwReadFile
[19d8]  Executing cng.sys!BCryptOpenAlgorithmProvider
[19d8]  Executing cng.sys!BCryptGetProperty
[19d8]  Executing cng.sys!BCryptCreateHash
[19d8]  Executing cng.sys!BCryptHashData
[19d8]  Executing cng.sys!BCryptGetProperty
[19d8]  Executing cng.sys!BCryptFinishHash
[19d8]  Executing CI.dll!CiCheckSignedFile
[19d8]  Executing CI.dll!CiFreePolicyInfo
[19d8]  Executing ntoskrnl.exe!ExFreePool

Next, start the process of enlargement. At the beginning of the enumeration process, VGK drive passed N°= 0 PID to each API to try to query information. N°= 0 PID should not exist, and it may be a deliberate anti-simulator operation.

[19d8]  Executing ntoskrnl.exe!PsLookupProcessByProcessId
[19d8]  Process 00000000 EPROCESS being retrieved
[19d8]  Executing ntoskrnl.exe!PsGetProcessImageFileName

The VGK driver then obtained the ProcessImageFileName of N°= 4 PID (System process), thinking that it might be possible to do operations such as anti-simulators. Followed by a large number of calls to PsLookupProcessByProcessId's violent burdens.

[19d8]  Executing ntoskrnl.exe!PsLookupProcessByProcessId
[19d8]  Process 00000004 EPROCESS being retrieved
[19d8]  Executing ntoskrnl.exe!PsGetProcessImageFileName
[19d8]  Emulating read from PID4.EPROCESS+000005a8          // unsigned char ImageFileName[15];

Next, the VGK-drive off is interrupted to write the MSR_LSTAR domain of the MSR register, which holds the address of the system call function KiSystemCall64. This operation has two uses:

Can be anti-VT. Some rubbish VT preserves this wrong address without judging the legality of the address after WRMSR, and then uses the illegal address when VT handles RDMSR, it explodes Refresh LSTAR domain

[19d8]  Clearing Interrupts
[19d8]  Reading MSR MSR_LSTAR : 10000
[19d8]  Writing MSR MSR_LSTAR : 7ff6add4148c
[19d8]  Writing MSR MSR_LSTAR : 10000
[19d8]  Restoring Interrupts

Next VGK drives read the content of hal.dll and calls the series Hash function for hashash verification

[19d8]  Executing ntoskrnl.exe!RtlInitAnsiString
[19d8]  Executing ntoskrnl.exe!RtlAnsiStringToUnicodeString
[19d8]  Executing ntoskrnl.exe!IoCreateFileEx
[19d8]  	Creating file : \SystemRoot\system32\hal.dll
[19d8]  	Return : 00000000
[19d8]  Executing ntoskrnl.exe!ZwQueryInformationFile
[19d8]  	QueryInformationFile with class 00000005
[19d8]  Executing ntoskrnl.exe!ExAllocatePoolWithTag
[19d8]  Executing ntoskrnl.exe!ZwReadFile

Hal.dll (Hardware Abstraction Layer DLL), is the Windows hardware abstract layer module and a core module. I don’t know why VGK drive focuses on testing this dll. And during the test, it was found that if the machine code was blocked and the game could not be activated due to the operation of special tools, the Vanguard bullet window was also sent to the machine’s hal.dll was sentenced to black Then VGK drives to try to acquire the size of the physical memory and write a log

[19d8]  Executing ntoskrnl.exe!ZwOpenKey
[19d8]  	Try to open \REGISTRY\MACHINE\HARDWARE\RESOURCEMAP\System Resources\Physical Memory : 00000000
[19d8]  Executing ntoskrnl.exe!ZwQueryValueKey
[19d8]  Executing ntoskrnl.exe!ExAllocatePoolWithTag
[19d8]  Executing ntoskrnl.exe!ZwQueryValueKey

Next, VGK drive will get hardware information Boot GUID

[19d8]  Executing ntoskrnl.exe!ExGetFirmwareEnvironmentVariable
[19d8]  Reading UEFI Var : BootCurrent - GUID : xxxxxxxx-xxxx-xxxx-xxxxxxxxxx
[19d8]  Requested length : 2
[19d8]  Executing ntoskrnl.exe!swprintf_s
[19d8]  Result : Boot0000
[19d8]  Executing ntoskrnl.exe!ExAllocatePoolWithTag
[19d8]  Executing ntoskrnl.exe!ExGetFirmwareEnvironmentVariable
[19d8]  Reading UEFI Var : Boot0000 - GUID : xxxxxxxx-xxxx-xxxx-xxxxxxxxxx
[19d8]  Requested length : 1000

Go on, VGK drive the current drive module through the LDR chain, read DllBase and SizeOfImage to a list, and call QSort API for sorting. ( I want to vomit this QSort here) Anyway, it takes more than a minute for my simulator to sort this function. Even if it is replaced with a real machine, it will take a few seconds to lose performance. I don’t know what the author thinks.

[19d8]  Executing ntoskrnl.exe!ExAllocatePoolWithTag
[19d8]  Getting data @ ntoskrnl.exe!PsLoadedModuleList
[19d8]  Emulating read from LdrEntry.ntoskrnl.exe+00000030  // DllBase
[19d8]  Emulating read from LdrEntry.ntoskrnl.exe+00000000  // InLoadOrderLinks
[19d8]  Getting data @ ntoskrnl.exe!PsLoadedModuleList
[19d8]  Emulating read from LdrEntry.CEA.sys+00000030
[19d8]  Emulating read from LdrEntry.CEA.sys+00000040       // SizeOfImage
[19d8]  Emulating read from LdrEntry.CEA.sys+00000030
[19d8]  Emulating read from LdrEntry.ntoskrnl.exe+00000000
[19d8]  Emulating read from LdrEntry.CEA.sys+00000000
[19d8]  Getting data @ ntoskrnl.exe!PsLoadedModuleList
[19d8]  Emulating read from LdrEntry.BOOTVID.dll+00000030
[19d8]  Emulating read from LdrEntry.BOOTVID.dll+00000000
................................................................
[19d8]  Executing ntoskrnl.exe!qsort

After the incident, MmGetPhysicalAddress was called to sweep the memory violently in pages. It felt like sweeping all physical memory, with a continuous and large number of addresses.

[19d8]  Executing ntoskrnl.exe!MmGetPhysicalAddress
[19d8]  Getting Physical address for fffff80441e20000
[19d8]  Return : fffff80441e20
[19d8]  Executing ntoskrnl.exe!MmGetPhysicalAddress
[19d8]  Getting Physical address for fffff80441e21000
[19d8]  Return : fffff80441e21
................................................................

Next, go to obtain the equipment environment variable

[19d8]  Getting data @ ntoskrnl.exe!MmHighestUserAddress
[19d8]  Executing ntoskrnl.exe!ExAllocatePoolWithTag
[19d8]  Executing ntoskrnl.exe!ExGetFirmwareEnvironmentVariable
[19d8]  Reading UEFI Var : Boot0000 - GUID : xxxxxxxx-xxxx-xxxx-xxxxxxxxxx
[19d8]  Requested length : 1000
[19d8]  Executing ntoskrnl.exe!ExGetFirmwareEnvironmentVariable
[19d8]  Reading UEFI Var : Boot0001 - GUID : xxxxxxxx-xxxx-xxxx-xxxxxxxxxx
[19d8]  Requested length : 1000
[19d8]  Executing ntoskrnl.exe!ExGetFirmwareEnvironmentVariable
[19d8]  Reading UEFI Var : Boot0002 - GUID : xxxxxxxx-xxxx-xxxx-xxxxxxxxxx
[19d8]  Requested length : 1000
[19d8]  Executing ntoskrnl.exe!ExGetFirmwareEnvironmentVariable
[19d8]  Reading UEFI Var : Boot0003 - GUID : xxxxxxxx-xxxx-xxxx-xxxxxxxxxx
[19d8]  Requested length : 1000
[19d8]  Executing ntoskrnl.exe!ExGetFirmwareEnvironmentVariable
[19d8]  Reading UEFI Var : Boot0004 - GUID : xxxxxxxx-xxxx-xxxx-xxxxxxxxxx
[19d8]  Requested length : 1000
[19d8]  Executing ntoskrnl.exe!ExGetFirmwareEnvironmentVariable
[19d8]  Reading UEFI Var : Boot0005 - GUID : xxxxxxxx-xxxx-xxxx-xxxxxxxxxx
[19d8]  Requested length : 1000
[19d8]  Executing ntoskrnl.exe!ExGetFirmwareEnvironmentVariable
[19d8]  Reading UEFI Var : Boot0006 - GUID : xxxxxxxx-xxxx-xxxx-xxxxxxxxxx
[19d8]  Requested length : 1000
[19d8]  Executing ntoskrnl.exe!ExGetFirmwareEnvironmentVariable
[19d8]  Reading UEFI Var : Boot0007 - GUID : xxxxxxxx-xxxx-xxxx-xxxxxxxxxx
[19d8]  Requested length : 1000
[19d8]  Executing ntoskrnl.exe!ExGetFirmwareEnvironmentVariable
[19d8]  Reading UEFI Var : Boot0008 - GUID : xxxxxxxx-xxxx-xxxx-xxxxxxxxxx
[19d8]  Requested length : 1000
[19d8]  Executing ntoskrnl.exe!ExGetFirmwareEnvironmentVariable
[19d8]  Reading UEFI Var : Boot0009 - GUID : xxxxxxxx-xxxx-xxxx-xxxxxxxxxx
[19d8]  Requested length : 1000

Then create a line, first perform the counter-testing function within the line, and then violently cite the process again, perform PsIsProtectedProcessLight, PsIsProtectedProcess for each existing process to determine its protection status and then obtain filename, and then withdraw after all cleaning

[3ad0]  Thread Initialized, starting...
[3ad0]  Reading MSR MSR_0_P5_IP_ADDR : fff

// Anti Debug
[3ad0]  Executing ntoskrnl.exe!KeReadStateTimer
[3ad0]  Executing ntoskrnl.exe!ExAcquireSpinLockShared
[3ad0]  Executing ntoskrnl.exe!ExReleaseSpinLockShared
 
[3ad0]  Executing ntoskrnl.exe!ZwQuerySystemInformation
[3ad0]  Class 00000005 status : c0000004
[3ad0]  Executing ntoskrnl.exe!ExAllocatePoolWithTag
[3ad0]  Executing ntoskrnl.exe!ZwQuerySystemInformation
[3ad0]  Class 00000005 status : 00000000
[3ad0]  Class 00000005 success
 
[3ad0]  Executing ntoskrnl.exe!PsLookupProcessByProcessId
[3ad0]  Process 00000000 EPROCESS being retrieved
[3ad0]  Executing ntoskrnl.exe!PsIsProtectedProcessLight
[3ad0]  Executing ntoskrnl.exe!PsIsProtectedProcess
[3ad0]  Executing ntoskrnl.exe!PsGetProcessId
[3ad0]  Executing ntoskrnl.exe!ExAcquireSpinLockShared
[3ad0]  Executing ntoskrnl.exe!ExReleaseSpinLockShared
[3ad0]  Executing ntoskrnl.exe!ExAcquireSpinLockShared
[3ad0]  Executing ntoskrnl.exe!ExReleaseSpinLockShared
[3ad0]  Executing ntoskrnl.exe!PsGetProcessImageFileName
[3ad0]  Executing ntoskrnl.exe!ObReferenceProcessHandleTable
[3ad0]  Executing ntoskrnl.exe!ObDereferenceObject
[3ad0]  Executing ntoskrnl.exe!PsLookupProcessByProcessId
[3ad0]  Process 00000004 EPROCESS being retrieved
[3ad0]  Executing ntoskrnl.exe!PsIsProtectedProcessLight
[3ad0]  Executing ntoskrnl.exe!PsIsProtectedProcess
[3ad0]  Emulating read from PID4.EPROCESS+00000440			// UniqueProcessId
[3ad0]  Executing ntoskrnl.exe!ObDereferenceObject
[3ad0]  Executing ntoskrnl.exe!PsLookupProcessByProcessId
[3ad0]  Process 000000ac EPROCESS being retrieved
[3ad0]  Executing ntoskrnl.exe!PsLookupProcessByProcessId
[3ad0]  Process 00000260 EPROCESS being retrieved
[3ad0]  Executing ntoskrnl.exe!PsLookupProcessByProcessId
[3ad0]  Process 000003bc EPROCESS being retrieved
...................................................
 
[3ad0]  Executing ntoskrnl.exe!ExFreePool
[3ad0]  Executing ntoskrnl.exe!KeWaitForMutexObject
[3ad0]  Executing ntoskrnl.exe!PsTerminateSystemThread

Then create a line, first perform the counter-testing function within the line, and then violently cite the process again, perform PsIsProtectedProcessLight, PsIsProtectedProcess for each existing process to determine its protection status and then obtain filename, and then withdraw after all cleaning

[3ad0]  Thread Initialized, starting...
[3ad0]  Reading MSR MSR_0_P5_IP_ADDR : fff
 
// Anti Debug
 
[3ad0]  Executing ntoskrnl.exe!KeReadStateTimer
[3ad0]  Executing ntoskrnl.exe!ExAcquireSpinLockShared
[3ad0]  Executing ntoskrnl.exe!ExReleaseSpinLockShared
 
[3ad0]  Executing ntoskrnl.exe!ZwQuerySystemInformation
[3ad0]  Class 00000005 status : c0000004
[3ad0]  Executing ntoskrnl.exe!ExAllocatePoolWithTag
[3ad0]  Executing ntoskrnl.exe!ZwQuerySystemInformation
[3ad0]  Class 00000005 status : 00000000
[3ad0]  Class 00000005 success
 
[3ad0]  Executing ntoskrnl.exe!PsLookupProcessByProcessId
[3ad0]  Process 00000000 EPROCESS being retrieved
[3ad0]  Executing ntoskrnl.exe!PsIsProtectedProcessLight
[3ad0]  Executing ntoskrnl.exe!PsIsProtectedProcess
[3ad0]  Executing ntoskrnl.exe!PsGetProcessId
[3ad0]  Executing ntoskrnl.exe!ExAcquireSpinLockShared
[3ad0]  Executing ntoskrnl.exe!ExReleaseSpinLockShared
[3ad0]  Executing ntoskrnl.exe!ExAcquireSpinLockShared
[3ad0]  Executing ntoskrnl.exe!ExReleaseSpinLockShared
[3ad0]  Executing ntoskrnl.exe!PsGetProcessImageFileName
[3ad0]  Executing ntoskrnl.exe!ObReferenceProcessHandleTable
[3ad0]  Executing ntoskrnl.exe!ObDereferenceObject
[3ad0]  Executing ntoskrnl.exe!PsLookupProcessByProcessId
[3ad0]  Process 00000004 EPROCESS being retrieved
[3ad0]  Executing ntoskrnl.exe!PsIsProtectedProcessLight
[3ad0]  Executing ntoskrnl.exe!PsIsProtectedProcess
[3ad0]  Emulating read from PID4.EPROCESS+00000440			// UniqueProcessId
[3ad0]  Executing ntoskrnl.exe!ObDereferenceObject
[3ad0]  Executing ntoskrnl.exe!PsLookupProcessByProcessId
[3ad0]  Process 000000ac EPROCESS being retrieved
[3ad0]  Executing ntoskrnl.exe!PsLookupProcessByProcessId
[3ad0]  Process 00000260 EPROCESS being retrieved
[3ad0]  Executing ntoskrnl.exe!PsLookupProcessByProcessId
[3ad0]  Process 000003bc EPROCESS being retrieved
...................................................
 
[3ad0]  Executing ntoskrnl.exe!ExFreePool
[3ad0]  Executing ntoskrnl.exe!KeWaitForMutexObject
[3ad0]  Executing ntoskrnl.exe!PsTerminateSystemThread

Then create a line, first perform the counter-testing function within the line, and then violently cite the process again, perform PsIsProtectedProcessLight, PsIsProtectedProcess for each existing process to determine its protection status and then obtain filename, and then withdraw after all cleaning

At the same time, the main thread created another thread, which was written into the VGKbootstatus.dat file, then a counter-test was performed, and then it was withdrawn.

[279c]  Thread Initialized, starting...
[279c]  Reading MSR MSR_0_P5_IP_ADDR : fff
[279c]  Writing 0 to DR7
[279c]  Reading CR0
[279c]  Executing ntoskrnl.exe!KeReadStateTimer
[279c]  Executing ntoskrnl.exe!wcscpy_s
[279c]  Executing ntoskrnl.exe!wcscat_s
[279c]  Executing ntoskrnl.exe!wcscat_s
[279c]  Executing ntoskrnl.exe!RtlInitUnicodeString
[279c]  Executing ntoskrnl.exe!IoCreateFileEx
[279c]  Creating file : \??\C:\Windows\VGKbootstatus.dat
[279c]  Return : 00000000
[279c]  Executing ntoskrnl.exe!ZwWriteFile
[279c]  Executing ntoskrnl.exe!ZwClose
[279c]  Closing Kernel Handle : 1c8
 
// AntiDebug
[279c]  Executing ntoskrnl.exe!ExAcquireSpinLockShared
[279c]  Executing ntoskrnl.exe!ExReleaseSpinLockShared
[279c]  Executing ntoskrnl.exe!ExAcquireSpinLockShared
[279c]  Executing ntoskrnl.exe!ExReleaseSpinLockShared
[279c]  Executing ntoskrnl.exe!ExAllocatePoolWithTag
[279c]  Executing ntoskrnl.exe!ExFreePool
[279c]  Executing ntoskrnl.exe!KeWaitForMutexObject
[279c]  Executing ntoskrnl.exe!PsTerminateSystemThread
[279c]  thread boom

Next, the main line registration shutdown is turned back, and the construction is prepared VGK_PLZNOHACK (Huh? This name...), and then create a VGK driver symbol link.

[TID:000031f0]  Executing ntoskrnl.exe!IoCreateDevice
[TID:000031f0]  Created device : \Device\VGK_PLZNOHACK
[TID:000031f0]  Executing ntoskrnl.exe!IoRegisterShutdownNotification
[TID:000031f0]  Executing ntoskrnl.exe!IoCreateSymbolicLink
[TID:000031f0]  Symbolic Link Name : \DosDevices\VGK
[TID:000031f0]  DeviceName : \Device\VGK_PLZNOHACK

When I first saw this, I thought I was tested. Plz no hack was cheating reminder information. The reloading game behind was activated without any tools. Seeing that the name of the device is this, it means that the analysis should be correct.

Finally, the main thread is withdrawn and DriverEntry is analyzed

[TID:000031f0]  Executing ntoskrnl.exe!ZwOpenKey
[TID:000031f0]  Try to open \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VGK
[TID:000031f0]  Main Thread Done! Return = 0
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment