
And talking with someone, some of you, it sounds like last night was a huge party, huge parties in series, all together, overlapping. Well, thank you very much for coming out, and I think I am separating you from lunch, so I'm doubly happy to have you. My name is Alissa Torres and I'm a SANS instructor and a digital forensic examiner, so everything that I say is going to have that slant to it. I taught some pentesting classes, and people on my eval, you know, as SANS instructors we get an eval every day that we teach, people on my eval said, "When Alissa speaks, she speaks with the authority of a digital forensic examiner." But I was teaching a pentesting class, so
that's not what you want to hear when you're teaching a pentesting class. You want to hear that you're convincing people that you know what you're talking about.
Ah, you're right, you're right, he says. You need to do the documentation as a pentester just like a digital forensic examiner would do. But I've always said that I have very poor attention to detail, yeah, so I'm one of those wannabe digital forensic examiners. But there's one thing I truly am, and we were talking about this: a believer. Justin Bieber. During this conference you need to find out who InfoSec Taylor Swift is, you know what I mean? He or she is here. I have a theory, I have my own theory, and I've actually been doing a little surveilling of this person and watching the Twitter
feed. But what can you do with Twitter feeds now? What can you do with tweets? You can time them, right? Damn it. So this person, I'll be watching them to see if they're InfoSec... why are you looking down? Are you InfoSec Taylor Swift? You're not that clever. InfoSec Taylor Swift actually said she had to dumb down her jokes because people weren't understanding them. You saw that, right? Damn, I wasn't understanding them, I was actually one of those people. And I was like, well, okay, so I'm going to find that person. We are here to talk about anti-cheat software. Anti-cheat software has really become very interesting to me because I was giving a presentation on anti-analysis
mechanisms in the wild, and one of the people who was in it, at NetSec, one of the SANS conferences in Vegas, here in Vegas, one of the people said to me, "You know, I used to write the software that caught and kick-banned, you know, the cheaters on our online gaming." And I was like, well, I don't know that that would be such a good job, but then I started thinking about it: that is the most awesome sample set of rootkits that I can think of for people to really get their feet wet on. So I was like, man, I train people all the time, I teach a couple hundred, well, probably more than that, a few
hundred infosec professionals a year. So I'm thinking I need some more sample sets. I'm co-author of the memory forensics class at SANS, so we use tools like Rekall and Volatility, bulk_extractor. Those are the tools I want to throw at a machine that's running, like, Valve Anti-Cheat or PunkBuster. I want to see if I can capture any of this stuff. So that's kind of where I started off with this presentation, and of course I have to dedicate this presentation to my son, who looked like that when he was born. He totally did. But he has no hope of looking like that when he's older, like this dude is. You know, if we're talking
about gamers, the demographics: the average age of a gamer is 37, 37 years old, most of them are dudes, only 40, 42% are women, and they've been doing this for 12 years. So is that sad? Is that sad? Do you feel bad? Does this define you? Does this describe you? Yeah, he raises his hand. You're very kind, you're very kind. So if you have been in the realm, in the world of online gaming for 12 years... you know, I'm talking about my son, he was 18 months old sitting on my ex's lap playing Lego Star Wars. Man, who didn't play that? That was awesome. But on the keyboard, yeah. Now you're going to
like, file, you know, some kind of a social services visit to my house because he was playing the online games when he was that young. But seriously, if you've been in the community that long, you know the whole, well, it's the cheaters versus the anti-cheat technologies, right? Why do you think companies are very invested in anti-cheat technologies? What's in it for them? It might not make sense to you. Why do they go ahead and do research and development on anti-cheat? Yeah, yeah, what do you think? Hello, it's good to see you. Yeah, so if a game sucks and everyone's cheating, dude, no one's going to want to play. You're totally right. We were talking about this earlier. Shout
out to BSides Delaware, huh? What? BSides Cyber Camp Delaware? Yeah, BSides too, very cool, good to see you. So what are we talking about with the arms race of cheat versus trust? And I'm borrowing from the CEO of Valve when I say cheat versus trust. So the people that are crafting the hacks and the cheats versus the people that are trying to design anti-cheats, dude, it is an arms race, and this is akin, I mean, my background is in employee investigations as well as, I served at Mandiant, I started my time at Mandiant doing incident handling, so I've worked both sides of digital forensics. I'm really circling around and talking about APT, so APT, the
whole arms race of the APT one-upsmanship is kind of a parallel to this universe that I've kind of ventured into. Oh, I spelled percent wrong, sorry. So 1%, it's only 1% of online gamers are actually cheaters, but it's that 1%, or you could say "precent" if you're reading, that are actually causing the havoc. They make games suck. So if you're online and someone's cheating, I mean, they have the ability to kill everyone who's actually on the map. That's so lame, you know, and it ruins the game for everyone, and oftentimes if you're on the forums you can see people complaining about this. So of course, as you were saying, as you were saying,
the game developers are very interested in keeping the cheaters off their games and constructing some mechanism that will not allow cheats to be effective, thereby ruining the experience for the other gamers. So yeah, I mean, thinking about this, the typical cheat subscription is $10 to $25 a month, and they'll keep on feeding you new cheats as they come out. That's just for one game. So we'll talk about this, but it's quoted that no one likes to play with cheaters, even cheaters themselves. It's cool if you're the only one cheating, but if you start playing with everyone that's doing aimbot, you know, every shot is a shot to the head, or what other... yeah, there you go. What's up, JP? So that
becomes very lame. So these are my categories of game hacks or cheats. Anyone have a favorite? Well, I've got to ask my gamer here, the only one that raised his hand that says I've been in it 12 years, with the burgundy shirt on: what's your favorite that you've actually seen in action? I'm not going to have you admit that you've done this
before. The... the hacks? Oh, okay, yeah, yeah, yeah, yeah. What? Oh, you have one? You didn't raise your hand before. Now, okay, now you're
participating. Oh, wow, that's awesome. I mean, you know, in a very bad way it's
awesome. Oh yeah, yeah, yeah, right, right, yes. All right, all right, that's
cool. That sounds a lot like the texture of wall hack. It wasn't? It was more of a map hack? Okay, wow, all right, all right, cool. Yeah, the one that sounded most interesting, and actually there are some companies that want to separate themselves from this one, is the targeted ban cheat, where innocent, like honest gamers are being targeted for kick-bans. You're laughing like you've seen this happen. Somehow they're framing people, so the companies are coming after them, the anti-cheat mechanisms in place are coming after them, identifying honest gamers as being involved with... oh, that's mean, that's mean. So that one, they're actually not
even owning up to that. You know, most companies that are allowing or hosting the subscription service for cheats are not even associating themselves with that. But why are they in this business? Well, there's money behind it, right? I mean, I would say there is money behind it, but realize that a lot of cheaters, they don't like to pay that subscription fee. Remember it was $10 to $25 a month, and if they can get it for free they're not going to pay for it. So what do the cheat developers, what do they have going on? DRM, some digital rights management implemented. Yeah, so when someone's actually running a cheat on their machine, they're expected to go out to
the DRM server, and if that doesn't happen, well, then it must be a fraudulent copy. That's something that we're going to talk about later, because that's exactly what VAC was seen doing: watching the, well, looking for the DNS cache to see if the systems were going out to the DRM servers. It's kind of cool, it's good to know about. But also there's a bit of social engineering going on with people that are crafting the cheats themselves, because they want to make the gamers believe that these anti-cheat mechanisms are actually invasive, so they're actually, you know, encroaching upon your privacy, and that's more of a social engineering campaign really,
unless you think it's spyware for real. We're going to talk about some of these and you'll be able to make up your own mind, but they want you to believe that, as well as they're going to highlight the inflexible false-positive ban-kicks, because with some of these companies that are in cahoots with the, well, game developers, they're actually very rigid about whether they're going to bring you back, whether they're going to reactivate your account after they've banned you. So these would be the things that are emphasized. And now the evolution. You can see my evolution skips quite a few years, but in 2000 it
kind of started off with PunkBuster. I'm going to be talking about PunkBuster. It's still around, although some of the games that, you know, it's been tracking, working with, have left it behind. It's part of Battlefield, Battlefield 4, all the way, all the Battlefields. So PunkBuster came out in 2000, then we have 2002, Valve developed their VAC, so their Valve Anti-Cheat, and that was when they were just launching Steam. So I wanted to put 2012 there as, wow, man, I told you this is all about money. So the gaming industry in and of itself in 2012 generated $17 billion just in the US alone. A
lot of that is probably our online gaming, all those subscription services. So why are rootkits the thing to do? Why are rootkits, well, the go-to tool for your anti-cheat mechanisms? Well, rootkits, obviously you guys know this, it's all about figuring out what's going on in the system. Normally it's malicious code, but trying to act as a go-between to catch, intercept, like, calls to the SSDT, so that would be the Windows API functions, or calls to the interrupt descriptor table, so catching keyboard interrupts. That's good stuff for rootkits: to act as a go-between to intercept these calls and therefore trying to figure out what else is going on in the system. These are
the mechanisms that are employed by the, well, anti-cheat software products. So we have all of these different user and kernel mode hooking techniques, and that's what we're going to look for. Some of them are going to be implemented on the server side and some of them are going to be on the user side. Put my water right there. So of course the first thing on my list: direct kernel object manipulation. We'll talk about, PunkBuster actually does this. PunkBuster is one of the anti-cheat mechanisms, anti-cheat software products, and it actually hides the running process, it hides the running process of the game by unlinking it. So this is kind of old school, right?
Unlinking, you're thinking the FU rootkit written by Jamie Butler, you know, and the FUTo rootkit written by Peter Silberman. I mean, this is all about unlinking from the doubly linked list of processes on the system, right? So if I am hitting the box and listing out processes, I'm not going to see them if I'm using Task Manager or tasklist. That's why memory forensics comes into such, it's a big deal, memory forensics is the win. So the rootkit paradox, it kind of plays into why memory forensics is for the win. The rootkit paradox says the more rootkits try to implement their hiding, their covert behaviors, the more they're going to stick out, and that is to the memory
forensic examiner. I mentioned I'm kind of into memory forensics, I like that stuff. So we call it like a high-level analysis. The high level is what, maybe, the incident responder does when he's doing volatile data collection. He hits the box and he figures out what the operating system thinks it's running, right, what the operating system can see as network connections and the like. And the low-level or detailed analysis is going to take place when we have a memory image or system audits. So there's a lot of tools out there that can get in there and generate system audits, pulling back things at the lowest level, so we don't need a huge memory dump. Like, what's the
bad thing about getting a memory dump these days? I used to think it was the coolest thing. Memory is huge, it's exactly right, man. We need a better solution. So I'm saying that, and I actually own part of the memory forensics class at SANS, I'm saying that and I stand there and I tell people, I know you're learning this, but you have to already be thinking ahead: this technique, it's not going to work. I mean, at Mandiant I thought I knew something going in, and being able to run Volatility against an entire memory image, I realized I touched Volatility maybe twice. I acquired memory images twice. The rest of it was audits,
it was only because we were pulling back data from servers and machines, like gaming machines, dude, they have so much memory, insanity. So especially if I'm doing it remotely, this is going to take a long time. We have to keep that in mind. So we still require that high-level analysis, as if we're hitting the box and running Task Manager, and we compare it to the detailed analysis, whether we get it from a memory dump or whether we get it from audits, like process audits we're pulling back. There's a couple of tools out there that would do process audits. Of course I'm thinking of Redline because I was brainwashed when I was at Mandiant.
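An added example, not code from the talk: a small model of the rootkit paradox just described. The "pool" of process objects is constructed, and the flink/blink indices stand in for the real list pointers; the point is that the high-level list walk (what Task Manager sees) and the low-level scan (what a memory examiner sees) disagree exactly where a process was unlinked.

```python
"""Added example (not from the talk): why a DKOM-unlinked process still shows
up to a memory forensic examiner. The pool below is a constructed stand-in
for kernel memory; flink/blink are pool indices playing the role of the
doubly linked active-process list pointers."""
from dataclasses import dataclass


@dataclass
class ProcObject:
    tag: str          # "Proc" marks an allocated process object, "Head" the list head
    pid: int = 0
    name: str = ""
    flink: int = 0    # index of the next object in the active-process list
    blink: int = 0    # index of the previous object


def build_pool(names):
    """Allocate a list head at slot 0 and link one object per process name."""
    pool = [ProcObject("Head")]
    for pid, name in enumerate(names, start=4):   # constructed pids, System-style start at 4
        pool.append(ProcObject("Proc", pid=pid, name=name))
    n = len(pool)
    for i in range(n):
        pool[i].flink = (i + 1) % n
        pool[i].blink = (i - 1) % n
    return pool


def dkom_unlink(pool, pid):
    """Mimic the FU-style hide: splice the object out of the doubly linked list
    and point its own links back at itself, but leave the object in memory."""
    for i, obj in enumerate(pool):
        if obj.tag == "Proc" and obj.pid == pid:
            pool[obj.blink].flink = obj.flink
            pool[obj.flink].blink = obj.blink
            obj.flink = obj.blink = i
            return True
    return False


def walk_active_list(pool):
    """High-level view: what the OS (Task Manager, tasklist) reports by walking
    the list from the head until it wraps around."""
    seen, i = [], pool[0].flink
    while i != 0:
        seen.append(pool[i].pid)
        i = pool[i].flink
    return seen


def scan_pool(pool):
    """Low-level view: what a psscan-style pool scan finds by checking every
    slot for the object tag, ignoring the list links entirely."""
    return [obj.pid for obj in pool if obj.tag == "Proc"]


def cross_view_hidden(pool):
    """Anything the scan finds but the list walk does not was hidden from the OS."""
    listed = set(walk_active_list(pool))
    return [pid for pid in scan_pool(pool) if pid not in listed]


def demo():
    """Constructed scenario: a game process hidden the way the talk describes."""
    pool = build_pool(["System", "explorer.exe", "game.exe", "notepad.exe"])
    game_pid = next(o.pid for o in pool if o.name == "game.exe")
    dkom_unlink(pool, game_pid)
    return walk_active_list(pool), scan_pool(pool), cross_view_hidden(pool)


if __name__ == "__main__":
    listed, scanned, hidden = demo()
    print("OS list walk sees:", listed)
    print("pool scan finds:  ", scanned)
    print("hidden (cross-view diff):", hidden)
```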
Anyone from Mandiant here? Welcome, friends. No? Elsewhere? Yeah, FireEye, oh, okay, very cool, very cool. Yeah, so, you know, do you know how to use MIR yet? Are you still clean, your hands are still clean? He's not going to answer that question, he's like, what did you say, what did that product that you just said, MIR, MIR, what? Yeah, you're still innocent, I can see it in your eyes. So yeah, yeah, yeah, so Redline, but there's a lot of other ones. I mean, CrowdStrike has their, what is it, Falcon? That's kind of cool when we pull back audits as well. So keep looking for these tools, because they're up and coming, the ability to
just do process audits at the lowest level. I'm going to show you Redline. I have a screenshot and I've actually run a Redline analysis against one of my machines that was running VAC. Of course I spoke to this already: we either have the implementation of trying to catch the cheater on the server side, so kind of the server admin has the ability to monitor and kind of revise the boundaries in which he's going to catch someone, or it can be client-side implementations. So this is normally pretty cut and dried whether someone's cheating; we have a lot of mechanisms going on on the client side to detect those cheating. So this would be where
your rootkits are going to be found, nice. And then of course the hybrid implementation, where you have a little bit on the client and a little bit on the server and we bring these together to make some decisions about whether the client, or whether the gamer, is cheating. So some examples. The first example I'm going to talk to you about, and shout out if you've ever been the victim of one of these, this one is just server side, and this is FairFight. So FairFight is all about giving the server admin the ability to decide, you know, both who to ban from their server and how long the duration is, all up
to the server admin, very good. So they look at player statistics and gameplay actions to try to catch some of those crazies, you know, some of those crazy hacks and cheats that we mentioned a couple of slides ago. We also look at server-side cheat detection, so they're looking for particular mechanisms that are going to be only found on the server, and this is just an example of one that works only on the server. We look at the other example I'm going to throw up there: it's nProtect GameGuard. People hate it when they have stuff running on their machines. Like, they'd rather have a server thoroughly thrashing whatever data they're sending to the server, I mean, that's totally cool
with them, but if they have something, some mechanism running on the machine, it really pisses them off. I mean, I've been reading a lot of forums and not feeling my own anger, I don't feel my own anger. What did you say? What did you say? GameGuard is...
I heard something about someone couldn't attach this printer. I mean, some strange things: that if I attach my printer it does not allow the machine to really
run. That's horrible, wow. So this one's supposed to do automatic updates, supposed to push out
on... yeah, and that's not good, right? Certainly don't want, yeah. This was the one that people talked about being, like, false-positive banned, not good. So, but largely this is on the server side rather than the client side, the opposite of what we just talked about with FairFight, and this is the one that's going to hide the game application, monitors in real time the system memory of the gamer's system. This one's really invasive. If you're looking at old school, I mean, you could not have an antivirus product running on this machine with the key logging that was going on on the keyboard, or you'd have to whitelist this application, and its anti-cheat
mechanisms certainly, with, it's going to jump in there and block Windows API calls. It's insane. So that one is on the very invasive side of the house, and I can tell you guys are just getting angry just sitting there, right? Pissing me off right now. All right, so PunkBuster. PunkBuster, online countermeasures, is, you know, this is the one I want to get my hands on because it's more prevalent, I think, than GameGuard at this point in time. It's out there. Of course, the developer perspective, and there's the nice quote from their website: we daily battle the selfish little punks who want to ruin your favorite online games
and the hack writers who supply them with cheats. So what are they implementing? Real-time memory scanning, much like GameGuard. Dude, the server is checking as well, so this one's a bit of a hybrid, right, because it has server mechanisms as well as client side. And, oh man, screen captures, and these screen captures can be used for the server admins to make decisions as to whether people should be ban-kicked, kick-banned. Clean player name functionality, so you can actually implement this on your server: if you're hosting a game server you can say you can only use clean names. That's cool, yes, yes. Real-time server log streaming if you want to
do some centralized logging. And yes, this is largely associated right now, probably its most popular is the Battlefield game series, which I'm currently downloading. I'm about to set this up on my machine, but yeah, it's like 25 gigs, and hotel internet being what it is, ah. My son's like, yes, Mom, yes, get it, get it. He's in heaven. So what you need to know about PunkBuster is any game you're running, you have to have admin privileges as you're running it. Well, why? It's constantly accessing memory, so you can't just run the game as a standard user. You have to give it admin privileges because of what PunkBuster needs to do to thoroughly
thrash your machine. It needs access to the kernel, of course, right? And the gamer's perspective, this is what I caught someone talking about, dude, so they're just thrashing one anti-cheat product after another. He says, yeah, just like PunkBuster installs as a service without your permission, it keeps running in the background even when you're not playing or even after you uninstall it. That's cool. I mean, cool isn't... extremely invasive. You see, I get very excited when artifacts are going to be obvious, if they're laying out there in the open, I get really excited about them, being a forensic examiner. Things are getting really hard for us, especially if you're dealing with incident response, right? Do
I have any forensic examiners in the room? Thank you, man, thank you, cool. You know how hard things are, yeah. The sophisticated attackers are getting more and more savvy with NTFS, they're cleaning out the registry, they're actually wiping things instead of just deleting. It's a sad state of affairs. They're trying to leave us a clean system, is that what you're saying? Yeah, well, you have a hand up. I resent that comment. All right, so there's actually two consequences, two consequences, and they become more severe, obviously, with PunkBuster. PunkBuster can deem your actual version or license to the game as something that's going to be barred from playing, dude, but that's
less severe than barring your actual hardware, because you can get a new license, but if they bar your hardware, they create a unique signature on your hardware and they can identify it. You'd have to buy new hardware in order to run, and I'm not sure what they're keying off of. If it was MAC address, could you get around that? Are you serious? Are you sure? Because you have gotten around this, damn. To move through the levels there, of GUID banning to hardware banning, and then get around hardware banning, amazing.
Okay, so getting deeper than the network, awesome. I mean, better, better, right? A little bit better. I like things that work, that's why I'm always in favor of things that make sense and work. So what are we agreeing to here when we're jumping on board with PunkBuster? What are we actually agreeing to? Because that was part of my abstract, was taking a look at the EULA, end user license agreement, and saying, ah, you know, does this fit, seeing as how they're going to be on my machine, they have access to the kernel and can do anything they want, honestly. Obviously they're intercepting some Windows APIs, they're messing with the SSDT. What am I agreeing to? Well, yes,
I'm agreeing to the actual transfer of screenshots. So okay, I know that there's a legitimate, seemingly legitimate, purpose for screenshots, and, you know, I can take them myself with this mechanism that they use for PunkBuster, so I understand that. And then I'm also agreeing that the invasive nature of PunkBuster software is necessary in order to meet this purpose and goal, in order to provide a good environment for everyone to play with. And then I agree that any harm or lack of privacy resulting from the installation and use of PunkBuster software is not as valuable to the licensee as the potential ability to play interactive online games. So my privacy is not as valuable. Well,
some of you would probably agree with this, right? It's not as valuable as just my ability to play, man, because I need to get my play on, you know. So I don't know whether you ever read that or not. Have you ever read that? You probably felt it in your gut, what you were doing, but now you know for sure you're letting them do this. All right, so now we're going to talk about Steam. Talk about, right around 2002 Steam came around. It is Valve's online game launcher or distribution center, and it's pretty darn cool. It has a little chat mechanism in it. But what are we agreeing to with their subscriber agreement?
It's much the same. Hey, directly or indirectly: you will not directly or indirectly disable, circumvent, or otherwise interfere with the operation of software designed to prevent or report the use of cheats, right? So you cannot interfere with what they have going on in order to catch you. So, you know, when I created, I did four memory dumps and took a look at all of them, I was hoping that this didn't, you know, violate the agreement here, because I was, you know, minimizing my screen and creating a memory dump. I don't think it did, but if I had taken the action after identifying or isolating said driver, whatever mechanism they had employed on my machine, maybe that would
be interfering and I would have been in violation of that. So what are we talking about? Valve Anti-Cheat, with VAC, dude, it was released in 2002 with CrowdStrike... yeah, oh no, no, I got it wrong, yes, hold on, boy. You know who CrowdStrike is, yeah. I have applied to them, so I have a little bit of a, you know, what is it called when you're stuck... Counter-Strike. I'm kidding. And I've played, I swear to God I've played before, yeah, man. All right, so Counter-Strike, that was 2002. Dude, I was playing that game in 2002, but it was a long time ago and there's been some water on the
bridge and all that, all that. But so how does this match up with what we said, 1% of our players are cheaters? It looks as though that does in fact match. Well, 1% of the total accounts, the Steam accounts that exist, 1.28% are currently banned. So is that the tip of the iceberg and we have a whole lot more? You're saying yes. I have, one of my references was a gentleman who decided to go rogue and become a cheater. He says it took him two hours to get banned. He just wasn't very good at it, he was very loud. You see that? This is the practice ground, this is a practice
ground for being a sophisticated
adversary. You have been, or your friends? Awesome, very cool research. So I'm going to be going down that road, so I'm going to be going down that road. I'm just beginning my journey, so if I'm going to get arrested perhaps you should let me know as I
start. I'll give a black back while there... oh, okay, okay, got
it, oh, these guys, okay. So this is what I mean, this is what confirmed, dude, I really need to look into this, because of Valve Anti-Cheat. Have you heard, you probably read this article because it was covered in Wired, actually the response, a retort to what was talked about on Reddit, was covered in Wired. You know all this, no wonder you're nodding, you've done all this research before. But yeah, this was, it was actually, this was this year. I didn't party last night, but now you're going to remember, now you're going to remember that. Oh my gosh, that was this year, she's actually talking current, current, current, yeah. You know, I obviously, maybe it was a vision that I
was having of future presentations. I got it 90% right, so we should be impressed at my psychic ability, I think. Really, we should turn this around and be very optimistic, that's what I'm saying, that's what I'm saying. So yeah, yeah, it was an article that came out in February, but it was in response to the Reddit, like, blah blah blah, you know, oh my gosh, what we've found is this: the current version of Valve Anti-Cheat is scraping the DNS cache of the actual gamers' machines. Which had everyone up in arms, right, because that ain't right, and that's my private information. It being wholly volatile, I still don't want anyone to look at it, because it shows
where I've been, or what machine, or what machines, domain names my machine has attempted to translate there to IP. So the CEO actually came back and explained what was actually happening. Well, it was in fact looking at DNS cache, but it was looking for the phone-home of the DRM, digital rights management, function of the cheats. Dude, it was the cheat that was, a digital rights management for the cheat software in and of itself. So it tried to catch that in the DNS cache, but only after it found some type of indication that there was a cheat in play. So it didn't even start with this step, it had to have
initial suspicion in order to circle back around. This is what he says: had to have initial suspicion in order to take a look to see a partial match of DRM web servers, and then if there was a partial match it would hash all of the values that were in the DNS cache and send that back up to the Valve servers so there could be further analysis, they could decide whether to kick-ban someone or not. So that's what was really going down, and this is amazing: he mentions, the article mentions, which I cited in my references, that this was only in play for 13 days. That's how fast this arms race is moving. You thought I was just
using, you know, a very popular term. Dude, 13 days. They thought they had something that was highly effective at catching the cheats and it was only good for 13 days until they figured out a way around it. What did you
say? Oh, you... that probably sped it up, yeah, good point, good point. So it was easy to chop and change when you had it all laying in front of you, aha. All right, so this is exactly what he says, the CEO response from Valve, Gabe Newell. He says: trust is a critical part of a multiplayer game community, trust in the developer, trust in the system, and trust in the other players. Cheats are a negative-sum game, where a minority benefits less than the majority is harmed. I like it, I like it, so I had to throw it up there, a little bit of a good luck charm, you know, I'm doing a presentation. So, how to detect this stuff?
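An added example, not code from the talk or from Valve: a model of the DNS-cache check as the CEO response describes it, with its two gates (prior suspicion, then a partial match) before anything is hashed. The watchlist hosts, the displaydns-style cache sample and the choice of SHA-256 are all constructed assumptions, since the talk names none of them.

```python
"""Added example (not from the talk): the VAC-style DNS cache check as
described above. Watchlist, cache sample and hash function are constructed
assumptions; only hashes, never cached names, leave the machine."""
import hashlib
import re

# Constructed placeholder "phone home" hosts for cheat DRM servers (not real domains).
DRM_WATCHLIST = ["drm.example-cheat-vendor.invalid", "license.cheatloader.invalid"]

# Constructed sample in the shape of `ipconfig /displaydns` output.
SAMPLE_DISPLAYDNS = """
Windows IP Configuration

    store.steampowered.com
    ----------------------------------------
    Record Name . . . . . : store.steampowered.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 86
    Section . . . . . . . : Answer

    auth.drm.example-cheat-vendor.invalid
    ----------------------------------------
    Record Name . . . . . : auth.drm.example-cheat-vendor.invalid
    Record Type . . . . . : 1
    Time To Live  . . . . : 600
    Section . . . . . . . : Answer

    www.example.com
    ----------------------------------------
    Record Name . . . . . : www.example.com
    Record Type . . . . . : 5
    Time To Live  . . . . : 300
    Section . . . . . . . : Answer
"""

RECORD_NAME = re.compile(r"^\s*Record Name[ .]*:\s*(\S+)", re.IGNORECASE)


def parse_displaydns(text):
    """Pull the cached names out of displaydns-style output, deduplicated, in order."""
    names = []
    for line in text.splitlines():
        m = RECORD_NAME.match(line)
        if m:
            names.append(m.group(1).lower().rstrip("."))
    return list(dict.fromkeys(names))


def partial_match(name, watchlist):
    """'Partial match' is modelled here as: the cached name is a watchlist host
    or a subdomain of one (an assumption; the talk does not define it)."""
    return any(name == w or name.endswith("." + w) for w in watchlist)


def hash_name(name):
    """One-way hash of a cached name. SHA-256 is this example's choice."""
    return hashlib.sha256(name.encode("utf-8")).hexdigest()


def vac_style_dns_check(displaydns_text, watchlist, initial_suspicion):
    """Return None unless (1) a cheat was already suspected and (2) some cached
    name partially matches the watchlist; otherwise return the report that
    would go upstream: hashes of every cached value, as the talk describes."""
    if not initial_suspicion:
        return None          # the cache is never read without prior suspicion
    names = parse_displaydns(displaydns_text)
    if not any(partial_match(n, watchlist) for n in names):
        return None          # no partial match, nothing is hashed or sent
    return {"entries": len(names), "hashes": sorted(hash_name(n) for n in names)}


if __name__ == "__main__":
    print(vac_style_dns_check(SAMPLE_DISPLAYDNS, DRM_WATCHLIST, initial_suspicion=True))
```

Swapping the sample's matching host for a benign name returns None, which is the 13-day point in practice: a cheat that changes its DRM hostnames stops tripping the partial match.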
That's what I'm really interested in, and of course I started off with, perhaps I should have started with PunkBuster, you know what I mean, but the one I spent a lot of time on was VAC, and I largely think that VAC has a lot of server-side functionality, we're going to see, and you'll probably agree with me after I show you what I've seen. But this is the way I approach it: I want to go in there, if I have a machine that's running, and I want to isolate the drivers that are at play on the server, on the client side. I would go in there and do some live collection of
audits. Why do I want to do live collection? This is my way to do digital signature verification. You're not going to get this from a memory image, you're just not. So I can do this with Redline, but there's other tools out there. Service enumeration, that's going to be key, because a lot of our anti-cheat functionality, a lot of our anti-cheat software products, are going to create a new service. So if I can get in there and enumerate services as well as do digital signature verification against the service DLLs, I have a leg up, right? I can rule out all the cruft and take a look at everything that's left. It might be signed, I mean, on
a 64-bit machine it better be signed, so I can go ahead and see, okay, who would this be signed by, which particular company is going to be behind this. And then I'm going to use my MD5 whitelisting again to remove the cruft, because we know that cheats are going after the anti-cheat software, so there's a bit of obfuscation. Have you ever noticed that there is a legitimate svchost.exe in the AppData\Local\Temp directory? What is that svchost.exe, what the hell is that thing? Have you ever dropped that MD5 thinking, oh, I found something good, I found this, this is APT, man, boom, I'm a hero, and you drop it and it's like Malware-
bytes. Why would Malwarebytes want to name itself svchost? Because it's a target. If it comes in as Malwarebytes, if it comes in as any malware cleaner on the box, it's going to get knocked down, knocked-down drag-out, with the malware. So svchost.exe, don't get too excited, MD5 that thing, it might come back as something that's legit. Like, what if it's misspelled? Yeah, it is a bit of a science, isn't it? Yeah, yeah, I read that book. So MD5 whitelisting can be valuable in those regards, when you're trying to rule something out. And then of course we're going to look for signs of hooking, because that's how they get things done:
they need to act as a go-between to intercept the calls that the cheat software is making. Very cool. All right, then, I mean, I'm going to start with audits and then I'll circle back around and do some physical memory acquisition. I'll be looking for the same things with the physical memory, but I'll be using my favorite tools, Rekall, Volatility, and do process enumeration. I'll look for the drivers that are loaded, loaded and potentially unloaded drivers, and assess for hooking. We always try to use two tools when we're doing memory analysis, so we'll be doing that very same thing. These are the tools I like to throw in there, I like to hook and jab
with you know we are leaning more towards the recall side have you seen anyone on the developers list of recall what have you seen how many emails are dropping out we fix this we fix this oh my God oh my God oh man it's it it is up and coming when p and p yeah man yes so if you're in the market for uh memory forensics tools of course you got to give a shout out to the volatility guys their book just came out damn that thing is huge holy crap anyone got it in the mail yeah I wanted to bring it with me but sorry I couldn't carry that sorry my and it would have put my suitcase over
50 pounds and that would have been bad so volatility of course is going to be our core memory forensics uh you know how we get things done memory Forex parser and analysis tool but recall is up and coming and it really is incredible not to have to specify that profile it figures it out on the fly yeah that's that's enough man it's just just a little user friendly features Red Line I've spoken to it a bit I'm going to show you audits that are coming back from the system again my goal is to isolate a little bit of strange hooking a little bit of a peculiar loaded modules um that I may never never have
seen before on my system and then of course bulk extractor you're going to be amazed with what I'm pulling out from bulk extractor and I'm checking time have much all right volatility there's there's some info about volatility runs on Windows yeah runs on Windows now stand alone you don't have to install python everything's in there that's what you need to know about it um as of this week I think it's going to be supporting uh Windows 8 in the trunk version so if you've been waiting for that it's coming it's coming uh I had I have Windows 8 version support so because I have the beta so what I'm what I'm showing you here is one of my uh
memory images I took from a Windows 8 system that I was running Team Fortress 2 on see I got that right Team Fortress too good it was good fun and and I'm just isolating the services that started right at the time I joined Steam and then joined a server so these aren't Services these are processes but why am I running PS scan anyone know why I have to run PS scan what's that no actually yes but what about Windows 8 service pack one it's just known man what it's just known there's something called the kwbg the colel debugging data Block it's like if you could have one thing on a on a desert island a deserted island in fact too
yeah it's encrypted the ktbg you'd crack it open like one of those huge ostrich eggs and you'd have like the lay of the land of the memory image what I'm telling you is that does not happen anymore with Windows 8 service pack one holy cow I crack I crack and I crack nothing nothing nothing so I have to I have to switch back and this is the version of volatility that supports Windows 8 what I'm showing you is there support for Windows 8 you're only getting PS scan because PS scan is look for these signature matches as it goes from the beginning of the memory image to the end it's doing uh looking for the
eprocess BLX for every process that's either running now or has been terminated but I I did a timeline analysis and only pulled out the ones that were notable right around the time I was starting steam I want to know what's happening on my system when I'm starting steam as well as launching hl2 what is hl2 original origins of hl2 thank you half life two nice I had to ask you or I was gonna screw it up all right so what does Windows 7 look like Windows 7 is largely showing us the same uh this is PS list so I could I could walk the double linked list because I had access to that ostrich egg
cracked it open and ate for days on the deserted island um yeah we're we're able to see some pretty notable processes I need to hunt that down I haven't yet the SBC host probably speaks to the very thing I'm looking for which is service instantiation the creation of new service you're looking at me like why the hell didn't you do that hello this isn't I'm I am on the road ladies and gentlemen I'm on the road check back in with me next yall have Punk Buster all up in here You' be like damn I don't touch that stuff since you told me about it um so we we also want to look at loaded and unloaded modules very
important here because that is how well a lot of our hooking is going to go down you load a kernel level driver and you have access to anything you want right so I'm enumerating in I'm just showing you that what I ran because of course this is my Windows 8 memory image I had to run mod scan again we're scanning for the loader data table entries we cannot walk the list of loaded modules so I'm going to get everything I'm G to get everything that's been loaded I'm G to get duplicate structures uh but sure enough that's why I'm going to do my live analysis I'm showing you red line here all that red line manate tool free
as long as you're not working in the same Lane as them right if you're working internal you use the red line but if you're if you're trying to compete with them don't be using Red Line you know they'll come after you right right yeah oh shoot you haven't read the Ula because because you got you're free right you can do whatever you want you can use it or not make fun of it or not it's all you all right so this this is this is the cool part about running a live audit collector you see what I got there and and what I was disappointed to see was everything was digitally signed this this is my this is my Windows 8
though right Windows 8 64-bit would you expect everything to be digitally signed for my drivers yeah so what am I looking at it's it's hooked irps interrupt routine procedures is that right interrupt dispatch routine table that's what we'll call it but uh all of these functions pertain to a driver these are the hooked ones and all of them turn out to be legit so what I'm not seeing is what I expected to see and what I will be seeing when I go to punkbuster valve has not hooked any of my driver functions nor are any of these categories being shown in Red Line showing any indication there's nothing being hooked in the ssdt system service
descriptor table that's where you're you're going to see all your windows functions like how to list the the registry keys and registry hives or how to list the files and the directories it they're just not hooking anything at this level so very interesting it must be happening on the server um so yeah you got to save book extractor for last bulk extractor tool written by Simpson garfinkle who's used this you should be using this yes it is awesome I've had some huge wins with bulk extractor because it creates all the the peak out files on the out on the out outbound uh man it parses things like you wouldn't believe open up the peap file so I I've
shown all the categories of good stuff that it's pulling out and actually he just released the newest version of as of like a week ago so if you want to go and get I think it's 1.5 amazing stuff what did I get um I started looking for aim I probably need to go a bit deeper because Aimbot has a bit of a dual meaning right was Aimbot a trojen as well fards so what yeah I I was like wait a second I see Aimbot over here and actually there was a lot of Aimbot because you know what that is right it's the ability to Target in and always have a direct hit to the head or the most
lethal part of the body um but it's also a Trojan so what do you think I've run into as you see Beast Door band do exact L we have to go in there knowing what we might run into how many times have you looked at and gotten really excited that your machine was owned by like five six seven eight different types of malware just because you see references to it yes you're smarter than me but that also said that means you're smarter than a lot of my students because they always get really excited on day six challenge they're like yes this machine is so owned and I walk over and I'm like that's the ab
signature and that's probably what we're looking at here I fully expected to find something running from back looking for these things but I did not find anything yeah so this AV yeah I thought it was that but it's not it's not because you can see there's other malware being mentioned right in there but don't copy this down yet let me let me go and change it I was going to put my sons up there thank you very much I'm almost done this is the grand finale um it does keep your username password and clear text in memory and you know true CPT ran into an issue with this right I mean true Crypt when it was alive and well
and bable ran into an issue and what did it start start doing I mean very early on 2003 four five I mean it started wait let me tell you what's up here then you can get in in on the in the interesting thing this is my username IND to go blueo and to go Blue two twice and that's my password right that's why I said don't take a picture but because I haven't changed it yet I just created the account
today yeah yeah yeah so so interestingly enough yeah yeah yeah true so interestingly enough you this this is something that a lot of our um well clipboard password clipboard keepers have taken care of you copy it in and you use it once right and it's it's wiped from memory but you can see that vac does not do that this was taken like 30 minutes because I did a lot of memory down 30 minutes after I'd already logged in um and I did not select save password password somewhere in here is whether I selected the save password option or not it's just hanging out in memory and I know we're going to see a lot of
examples of that in our software but it's always good to know what we're walking into um because dude who who hibernates their machine when they walk away who like closes the laptop like I'm about to do in like 90 seconds hibernates the machine um so therefore everything's going to be in your hibernation file all of the user credentials for your gaming yeah that's good stuff
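The psscan versus pslist contrast from earlier in the talk (carving the whole image for EPROCESS-style signatures when the KDBG cannot hand you a list head, versus walking the doubly linked list, then filtering on a timeline around the Steam launch) reduced to a constructed toy layout, as an added example. This is not code from the talk, from Volatility or from Rekall; the record format, the "Proc" tag, the filler bytes and the sample process names, PIDs and create times are all invented for the demonstration.

```python
import re
import struct

# Constructed toy record layout (NOT the real Windows EPROCESS):
#   tag(4) | name(16, NUL padded) | pid(u32) | flink(u32) | blink(u32) | ctime(u32)
TAG = b"Proc"
REC = struct.Struct("<4s16sIIII")
JUNK = b"\x00" * 32  # filler between records, stands in for other kernel memory

# Constructed sample: (name, pid, create time). Index 3 is deliberately left
# unlinked, as a terminated (or unlinked/hidden) process would be; the other
# three form a circular doubly linked list.
SAMPLE_PROCS = [("System", 4, 100), ("steam.exe", 1234, 1000),
                ("hl2.exe", 2000, 1030), ("cheat.tmp", 3000, 1010)]
SAMPLE_LINKS = {0: (1, 2), 1: (2, 0), 2: (0, 1)}  # index -> (flink, blink)

def build_image(procs, links):
    """Pack the records into a bytes 'memory image'; returns (image, offsets)."""
    offsets = [len(JUNK) + i * (REC.size + len(JUNK)) for i in range(len(procs))]
    out = bytearray(JUNK)
    for i, (name, pid, ctime) in enumerate(procs):
        f, b = links.get(i, (None, None))  # unlinked entries get 0/0 pointers
        out += REC.pack(TAG, name.encode(), pid,
                        offsets[f] if f is not None else 0,
                        offsets[b] if b is not None else 0, ctime) + JUNK
    return bytes(out), offsets

def parse(image, off):
    _, name, pid, flink, blink, ctime = REC.unpack_from(image, off)
    return {"off": off, "name": name.rstrip(b"\x00").decode(),
            "pid": pid, "flink": flink, "blink": blink, "ctime": ctime}

def pslist(image, head):
    """Walk the list from a known head (what KDBG gives you); no head, no walk."""
    if head is None:
        return None
    seen, out, off = set(), [], head
    while off not in seen:  # stop once the circular list wraps around
        seen.add(off)
        out.append(parse(image, off))
        off = out[-1]["flink"]
    return out

def psscan(image):
    """Carve every record whose tag matches, start to end, linked or not."""
    return [parse(image, m.start()) for m in re.finditer(re.escape(TAG), image)]

def within(records, t0, window):
    """Timeline filter: only records created within `window` of t0."""
    return [r for r in records if abs(r["ctime"] - t0) <= window]
```

Walking the list from `offsets[0]` returns three entries; the scan returns four, and the unlinked record only ever shows up in the scan.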
Dude, I don't think so, I do not think so, because I think mine just sleeps. Is there a hibernation option for Mac, anyone? I know, you know what, that's the other presentation. Sarah, where are you, Sarah? Did anyone attend Sarah's presentation? We should have totally asked her then. I know, I need to sit through the Mac forensics class. So I have my list of references, you can see. I still have, I will admittedly say, I'm going to tear into PunkBuster as soon as I download this thing and go crazy on it. And you can, yeah, I'll, Origin, yeah, yeah, that's what I have. Wait, so it's already running on my VM with Origin? I thought I had to get on a server for it to... I totally could have thrown that in today, but I was like 25 gigs down and I thought I needed to be running Battlefield and get on the server. Yeah, that's good to know, totally, that's going to be fun, totally fun.

Yes, right, okay, got it. It was part of the Origin end user license agreement, because that's how I was able to get that whole verbiage. Yeah, so I'll do both of those stages, and I will put it out on my blog, I'll tweet it too. I'm @sibertor, S-I-B-E-R-T-O-R. It's a commentary on today's society, because everything's cyber, so I had to spell it wrong. My last name is Torres, so if you're looking for me. But thank you so much for coming, you guys were awesome and I learned a lot from you. Check this out, you know, look for us online, SANS, you know, we teach some classes, that's all I'm saying. Yeah, just a few, thank you. Oh, go ahead. We have a little bit of time for questions. Anybody has a question or two? All righty then, thank you, you guys are awesome. Next talk will be at two in this room.