Quasar

Kernel-mode anticheat is a huge nope


3 hours ago, Dark Pulse said:

Bethesda bought the studio and basically is heavily invested in using id's technology for their own future products.

 

Weren't GT Interactive and Activision formerly publishing, or distributing, Id's games in the past? Those two didn't buy Id wholesale, unlike Bethesda.

 

Id managed fine, independently, for years. I was worried when Todd Hollenshead announced the acquisition, and rightly concerned when the POS that is Doom 3 BFG came out. I mean, changing core gameplay and assets of Doom 1, 2 and 3 was heresy to me, and then Rage came along and was also complete shite. However, they steered their boat through the Straits of Magellan for four days and nights straight with no problems with Doom 2016, none as far as I recall. Then they went right back to form now with this situation with Doom Eternal.

 

Share this post


Link to post
8 hours ago, Man of Doom said:

Welp, the plot thickens. Granted, it’s a case of a false positive, but to even see this in the first place is goddamn disgraceful.

They can just say that Kaspersky is Russian and dismiss it.

Share this post


Link to post
38 minutes ago, Foebane72 said:

 

Weren't GT Interactive and Activision formerly publishing, or distributing, Id's games in the past? Those two didn't buy Id wholesale, unlike Bethesda.

 

Id managed fine, independently, for years. I was worried when Todd Hollenshead announced the acquisition, and rightly concerned when the POS that is Doom 3 BFG came out. I mean, changing core gameplay and assets of Doom 1, 2 and 3 was heresy to me, and then Rage came along and was also complete shite. However, they steered their boat through the Straits of Magellan for four days and nights straight with no problems with Doom 2016, none as far as I recall. Then they went right back to form now with this situation with Doom Eternal.

 

Remember John Romero's initial reaction? Shame he later apologized for it because I think it has proven prescient.

Share this post


Link to post
1 hour ago, Foebane72 said:

Id managed fine, independently, for years. I was worried when Todd Hollenshead announced the acquisition, and rightly concerned when the POS that is Doom 3 BFG came out. I mean, changing core gameplay and assets of Doom 1, 2 and 3 was heresy to me, and then Rage came along and was also complete shite. 

I dunno, I wouldn't agree there.

 

First off: Some of the changes in the older Dooms were due to the Red Cross. Games really haven't used red crosses for health since about the late 90s, early 2000s. The only other change I could think of would be the censoring of MAP31/32 in Doom II, but that's due to German legal issues (and affected the original games as well).

 

Doom 3 I wasn't really a fan of. It actually bored me. I haven't played the BFG Edition, but I know I was one of those people who was irked between seeing what I'm shooting and being able to shoot.

 

Rage wasn't bad either. It was a competent game, it just didn't really have much of a soul to it. It was a solid shooter but it didn't exactly feel like it had much to pull me into its world or make me want to care about it (Loosum's cuteness aside). IMO that's kind of what really has hammered id - they've had competent tech, always, thanks to Carmack (until he left), but the guys with the ideas - the ones who'd push the envelope with crazy shit - they got rid of them in the 90s. Without a Hall or a Romero, or someone who could really step into their boots, they doomed themselves to basically sequel after sequel, retread after retread, twist on existing idea, and it just showed with Rage. It's not like post-apocalyptic hadn't been done before, after all, but it was a strictly paint-by-numbers sort of game, impressive tech aside - and it shows.

 

The one thing about guys like Romero and Tom Hall that everyone seems to forget is that yeah, not every idea of theirs is going to be great, and yeah, some of the ideas they'll have will be stinkers. Hall fell into a problem of letting his visions go wild to the point a coherent game became hard to stitch together; Romero was a victim of his own ability to be a massive hypeman (and a little bit of having ideas before the tech was solidly ready for it - as well as the double bite of that tech rapidly evolved in the late 90s/early 2000s; today's awesome engine was tomorrow's dated tech) as well as having that classic 90's 'tude.

 

But they'd churn out ideas and interesting ways to do shit, and in the end, those are the sorts of guys who you'd want to pick the brains of when you need a new IP, when you want some crazy new concept to build a game around.

 

Without someone like them, id's place was basically set - they'd make damn fine engines, and damn fine games on those engines, but nobody who was left could really create a new and interesting world to explore, even with all the money and talent that they had.

Share this post


Link to post

I'm not the biggest Doom 3 fan, but BFG Edition didn't reel me in as much as I hoped it would. id changed the main conceit- switching between seeing what you're shooting at and actually shooting- to a point where the combat was exposed as the over-simplistic haunted house ride it was. You were always supposed to compromise between visibility and firepower...putting the flashlight on the Marine's armor removes any strategy from the encounters and it turns the combat into an absolute chore. 

 

Rage was...ok. I don't remember being particularly impressed with any one aspect of it, even "MUH MEGATEXTURES" wasn't ringing too solid when everything was super blurry at close distances. Also the game just screeches to a halt and the credits roll during what I thought was the second act. Blah. 

 

It is interesting to note that Tim Willits served as Lead Designer on D3 and "creative director" on Rage...

Share this post


Link to post
2 hours ago, Quasar said:

Remember John Romero's initial reaction? Shame he later apologized for it because I think it has proven prescient.

 

Thanks for bringing this up, I wasn't aware of Romero's original reaction to the acquisition of id Software. I see he referred to it as "disgusting".

 

Well, fast forward a decade later and in retrospect, he was right after all. Oof. Honestly it originally didn't seem a horrible decision to me, although even back then there were some signs that Bethesda weren't the heroes of old that many liked to think they were. It seemed like it was going to have some positive results, and it did up until D2016, with Bethesda not shoving shit down id's throat. That being said, starting with Fallout 4 the company became more and more villainous, up to the point everyone can see this now.

 

Theoretically speaking, how hard would it be for id to break away from Zenimax/Bethesda now, and what would they have to do in order to accomplish this feat?

Share this post


Link to post
12 hours ago, Quasar said:

They have betrayed their core fanbase and are going to pay for it for a long time.

 

 

Hopefully, but to be honest, ever since Steam became widely accepted I lost all hope in the sanity of gamers. It seems no matter what kind of bullshit publishers add to their games in order to optimize their profits, they will always be bought anyway. And, which is far worse, there will always be people defending this shit, as if they have their heads deep in the publishers' butts.

Share this post


Link to post
30 minutes ago, seed said:

Theoretically speaking, how hard would it be for id to break away from Zenimax/Bethesda now, and what would they have to do in order to accomplish this feat?

 

Probably never going to happen since the studio is now the property of Zenimax. The only thing that seems possible to come next, aside from the studio being shutdown/dissolved, is that Zenimax itself (and by extension, id) gets acquired at some point by an even bigger company like Activision or an EA - maybe after falling on hard times. Such is the way of capitalism, the big fish keep eating up all the smaller fish... I don't see that scenario happening for a long time though, Zenimax has pretty deep pockets I'm sure right now.

Share this post


Link to post
3 minutes ago, cybdmn said:

ever since Steam is widely accepted

 

How is Steam related to all this?

Share this post


Link to post
5 minutes ago, seed said:

 

How is Steam related to all this?

 

 

It stands for the things publishers want to have to maximize their profits, which does not actually add any value for the customers.

Share this post


Link to post
11 minutes ago, intacowetrust said:

Such is the way of capitalism, the big fish keep eating up all the smaller fish...

Alternatively, employees may quit and found a new indie studio and produce games their own way. Quality and novelty of their new games would be debatable, without a big backing publisher to fund them. 

Share this post


Link to post
22 minutes ago, cybdmn said:

It stands for the things publishers want to have to maximize their profits

 

Such as?

 

It's a simple distribution service with community features... I'm not seeing how that helps corporate overlords.

Share this post


Link to post
21 minutes ago, seed said:

 

Such as?

 

It's a simple distribution service with community features... I'm not seeing how that helps corporate overlords.

Valve pretty much invented - and created the infrastructure on PC for - microtransactions and lootboxes. So there's that. They're also pro-DRM.

Share this post


Link to post

I'm just gonna say, there's some weird shit going on when running Doom Eternal. Problem is, I can't be sure what was "normal" then compared to what is going on now. One thing that I find a bit peculiar is ongoing connection from System to Amazon Web Server when Doom is running:

 

System    4    TCP    [My PC]    51509    ec2-63-34-205-115.eu-west-1.compute.amazonaws.com    https    ESTABLISHED    101    10,701    101    5,227                        

Administrative log with Event ID 2 telling me NVidia OpenGL driver can't communicate with GPU upon opening Doom, etc

 

E: it would also appear that PID 4 is utilizing Denuvo Anti-Cheat on port 30604:

 

System    4    TCP    [My PC]    30604    [My PC]    0    LISTENING                                        
 

Share this post


Link to post
4 minutes ago, ZalgoC0meth said:

System    4    TCP    [My PC]    51509    ec2-63-34-205-115.eu-west-1.compute.amazonaws.com    https    ESTABLISHED    101    10,701    101    5,227                

Seems to be the case for Firefox too.

Share this post


Link to post
23 minutes ago, ZalgoC0meth said:

I'm just gonna say, there's some weird shit going on when running Doom Eternal. Problem is, I can't be sure what was "normal" then compared to what is going on now. One thing that I find a bit peculiar is ongoing connection from System to Amazon Web Server when Doom is running:

 

System    4    TCP    [My PC]    51509    ec2-63-34-205-115.eu-west-1.compute.amazonaws.com    https    ESTABLISHED    101    10,701    101    5,227                        

Administrative log with Event ID 2 telling me NVidia OpenGL driver can't communicate with GPU upon opening Doom, etc

 

E: it would also appear that PID 4 is utilizing Denuvo Anti-Cheat on port 30604:

 

System    4    TCP    [My PC]    30604    [My PC]    0    LISTENING                                        
 

That's what DAC does. It constantly streams information on everything running on your computer to Irdeto's AWS server instances. The local connection on port 30604 is for interprocess communication (IPC) between the game and the driver.

Share this post


Link to post

Hence DAC having full access I guess, gonna be nice to have it sharing everything running on the PC...

 

1 hour ago, Quasar said:

Valve pretty much invented - and created the infrastructure on PC for - microtransactions and lootboxes. So there's that. They're also pro-DRM.

 

Yeah, can't argue with the MTX and lootboxes, they're the ones who did in fact start the madness and then popularized it.

 

"Pro-DRM" is a bit ambiguous though - DRM in general such as DAT, digital distribution services, or any and all forms of it?

Share this post


Link to post

Process    PID    Protocol    Local Address    Local Port    Remote Address    Remote Port    State    Sent Packets    Sent Bytes    Rcvd Packets    Rcvd Bytes
[System Process]    0    TCP    [MY PC]    50779    ec2-52-35-196-14.us-west-2.compute.amazonaws.com    https    TIME_WAIT    1    181    3    5,247
[System Process]    0    TCP    [MY PC]    50778    ec2-52-35-196-14.us-west-2.compute.amazonaws.com    https    TIME_WAIT
[System Process]    0    TCP    [MY PC]    50775    ec2-52-35-196-14.us-west-2.compute.amazonaws.com    https    TIME_WAIT
[System Process]    0    TCP    [MY PC]    50773    ec2-52-35-196-14.us-west-2.compute.amazonaws.com    https    TIME_WAIT
DOOMEternalx64vk.exe    17500    TCP    [MY PC]    50772    ec2-52-35-196-14.us-west-2.compute.amazonaws.com    https    ESTABLISHED    7    7,786    7    8,861
[System Process]    0    TCP    [MY PC]    50768    ec2-52-35-196-14.us-west-2.compute.amazonaws.com    https    TIME_WAIT
[System Process]    0    TCP    [MY PC]    50767    ec2-52-35-196-14.us-west-2.compute.amazonaws.com    https    TIME_WAIT
[System Process]    0    TCP    [MY PC]    50766    ec2-52-35-196-14.us-west-2.compute.amazonaws.com    https    TIME_WAIT
[System Process]    0    TCP    [MY PC]    50764    ec2-52-35-196-14.us-west-2.compute.amazonaws.com    https    TIME_WAIT
[System Process]    0    TCP    [MY PC]    50763    ec2-52-35-196-14.us-west-2.compute.amazonaws.com    https    TIME_WAIT
[System Process]    0    TCP    [MY PC]    50762    ec2-52-35-196-14.us-west-2.compute.amazonaws.com    https    TIME_WAIT
[System Process]    0    TCP    [MY PC]    50758    ec2-52-35-196-14.us-west-2.compute.amazonaws.com    https    TIME_WAIT    4    986    6    6,158
[System Process]    0    TCP    [MY PC]    50757    ec2-52-35-196-14.us-west-2.compute.amazonaws.com    https    TIME_WAIT    4    1,067    6    8,248
[System Process]    0    TCP    [MY PC]    50756    ec2-52-35-196-14.us-west-2.compute.amazonaws.com    https    TIME_WAIT    4    733    6    7,484
[System Process]    0    TCP    [MY PC]    50755    ec2-52-35-196-14.us-west-2.compute.amazonaws.com    https    TIME_WAIT    4    986    6    6,158
[System Process]    0    TCP    [MY PC]    50754    ec2-52-35-196-14.us-west-2.compute.amazonaws.com    https    TIME_WAIT
[System Process]    0    TCP    [MY PC]    50753    65.55.44.109    https    TIME_WAIT
[System Process]    0    TCP    [MY PC]    50752    8.36.80.236    https    TIME_WAIT    5    1,373    6    3,445
[System Process]    0    TCP    [MY PC]    50751    65.55.44.109    https    TIME_WAIT
[System Process]    0    TCP    [MY PC]    50750    ec2-52-35-196-14.us-west-2.compute.amazonaws.com    https    TIME_WAIT

 

I mean...why?

Share this post


Link to post
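To make the two TCPView pastes in this thread easier to read, here is an added example (my own script, not code from the thread, from id, or from Denuvo/Irdeto). It parses rows in the format posted above and separates the three kinds of PID on display: PID 4 is "System", the kernel itself, so a socket listed there was opened by kernel-mode code such as a driver; PID 0, shown as "[System Process]", is where TCPView lists closed sockets still in TIME_WAIT, which no process owns any more; a normal PID is an ordinary user-mode process such as the game. It then reports kernel-owned listeners and outbound connections, which external hosts each real process talks to, and how many closed sockets pile up per remote host (a long run of short HTTPS sessions to one host looks like periodic reporting rather than one session). It assumes TCPView's column order and the "[My PC]" placeholder the posters substituted for their real address; the sample rows are copied from the posts above. One caveat a practitioner would add: TCPView can tell you a socket belongs to PID 4, but not which driver opened it, so attributing a PID-4 connection to the anti-cheat driver needs a second check, for instance whether it disappears when the game and its driver are not running.

```python
import re
from collections import Counter, defaultdict

# Column names as TCPView (Sysinternals) shows them; the pastes in the thread omit the header row.
COLUMNS = [
    "process", "pid", "protocol", "local_addr", "local_port",
    "remote_addr", "remote_port", "state",
    "sent_packets", "sent_bytes", "rcvd_packets", "rcvd_bytes",
]

# Sample input: rows copied from the TCPView pastes earlier in this thread,
# with the posters' "[My PC]" placeholder left in place of the real local address.
SAMPLE = """\
System    4    TCP    [My PC]    51509    ec2-63-34-205-115.eu-west-1.compute.amazonaws.com    https    ESTABLISHED    101    10,701    101    5,227
System    4    TCP    [My PC]    30604    [My PC]    0    LISTENING
[System Process]    0    TCP    [My PC]    50779    ec2-52-35-196-14.us-west-2.compute.amazonaws.com    https    TIME_WAIT    1    181    3    5,247
[System Process]    0    TCP    [My PC]    50778    ec2-52-35-196-14.us-west-2.compute.amazonaws.com    https    TIME_WAIT
DOOMEternalx64vk.exe    17500    TCP    [My PC]    50772    ec2-52-35-196-14.us-west-2.compute.amazonaws.com    https    ESTABLISHED    7    7,786    7    8,861
[System Process]    0    TCP    [My PC]    50753    65.55.44.109    https    TIME_WAIT
[System Process]    0    TCP    [My PC]    50752    8.36.80.236    https    TIME_WAIT    5    1,373    6    3,445
"""

KERNEL_PID = 4    # "System": sockets opened from kernel mode (drivers), not by any user process
NO_OWNER_PID = 0  # "[System Process]": closed sockets in TIME_WAIT that no longer belong to a process


def _num(field):
    """TCPView prints counters with thousands separators ("10,701")."""
    return int(field.replace(",", ""))


def parse_tcpview(text):
    """Parse rows whose fields are separated by tabs or runs of 2+ spaces (so "[My PC]" survives)."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = re.split(r"\t+| {2,}", line)
        row = dict(zip(COLUMNS, fields))
        row["pid"] = int(row["pid"])
        # The four traffic counters are only present on rows that actually carried data.
        for key in ("sent_packets", "sent_bytes", "rcvd_packets", "rcvd_bytes"):
            row[key] = _num(row[key]) if key in row else 0
        rows.append(row)
    return rows


def is_loopback(row, local_placeholder="[My PC]"):
    """Listener and loopback rows show the machine itself (or a wildcard) as the remote end."""
    return row["remote_addr"] in (local_placeholder, "0.0.0.0", "127.0.0.1", "[::]", "*")


def kernel_owned(rows):
    """Rows attributed to PID 4: sockets created from kernel mode."""
    return [r for r in rows if r["pid"] == KERNEL_PID]


def external_hosts_by_process(rows):
    """Map each process name to the external hosts it talks to. TIME_WAIT rows are skipped:
    PID 0 there says nothing about which process opened the socket."""
    hosts = defaultdict(set)
    for r in rows:
        if r["pid"] == NO_OWNER_PID or is_loopback(r):
            continue
        hosts[r["process"]].add(r["remote_addr"])
    return dict(hosts)


def timewait_churn(rows):
    """Count closed (TIME_WAIT) sockets per remote host."""
    return Counter(r["remote_addr"] for r in rows if r["state"] == "TIME_WAIT")


def report(text):
    """Summarise a TCPView paste: kernel-owned sockets, per-process hosts, per-host churn."""
    rows = parse_tcpview(text)
    findings = []
    for r in kernel_owned(rows):
        if r["state"] == "LISTENING":
            findings.append(f"kernel-mode listener on local port {r['local_port']}")
        elif not is_loopback(r):
            findings.append(f"kernel-mode connection to {r['remote_addr']}:{r['remote_port']} ({r['state']})")
    return {
        "kernel_findings": findings,
        "external_hosts": external_hosts_by_process(rows),
        "timewait_churn": dict(timewait_churn(rows)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(report(SAMPLE), indent=2, default=list))
```

Run it on a fresh TCPView paste (copy the rows into a file and pass the text to report) to get the same three summaries for your own machine.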

Every bit of info I've learned about DAC's technicals so far is astoundingly bad:

This almost seems like it's designed to be exploited at this point.

Share this post


Link to post
3 minutes ago, Quasar said:

Every bit of info I've learned about DAC's technicals so far is astoundingly bad:

This almost seems like it's designed to be exploited at this point.

 

This is kinda um... terrifying to hear.

 

And idiots still think we're all being paranoid and this stuff is harmless. Yeah, harmless my ass.

Share this post


Link to post
5 minutes ago, ZalgoC0meth said:

[snip technical stuff]

 

I mean...why?


I don't understand what's going on here. What am I looking at?

Share this post


Link to post
Just now, NoXion said:

I don't understand what's going on here. What am I looking at?

 

27 minutes ago, Quasar said:

That's what DAC does. It constantly streams information on everything running on your computer to Irdeto's AWS server instances. The local connection on port 30604 is for interprocess communication (IPC) between the game and the driver.

 

5 minutes ago, Quasar said:

Every bit of info I've learned about DAC's technicals so far is astoundingly bad:

This almost seems like it's designed to be exploited at this point.

 

^ .

Share this post


Link to post
28 minutes ago, Quasar said:

That's what DAC does. It constantly streams information on everything running on your computer to Irdeto's AWS server instances. The local connection on port 30604 is for interprocess communication (IPC) between the game and the driver.

I wonder if it would be possible to build a mock service to impersonate its behaviour so Doom Eternal thinks it's DAC.

 

Still, it's a goddamned driver. Why would they NEED the NetBios port for "interprocess" communication? Couldn't they just use READ/WRITE/IOCTL? That would also be harder to mock-up because you'd have to put your own driver and you'd need MS signature for that...

Share this post


Link to post

Have tried to see if I can locate this file as well...the reference could maybe be something as innocent as an uncommented line, something superfluous, but it's enough to get the attention of the system log. I don't know if I should be worried about this, or not. I mean, somewhere along the line, some function call is trying to take this file as an input and not finding it, right?

driverFAIL.png

Share this post


Link to post
Just now, printz said:

I wonder if it would be possible to build a mock service to impersonate its behaviour so Doom Eternal thinks it's DAC.

Probably? But you'd have to reverse engineer the protocol and that's the one thing they seem to be good at - preventing reverse engineering. They use all the same techniques as malware (because most of their coders are known to be ex-black-hats) - extraneous junk code, other forms of obfuscation, integration of virtual machines, int 2/int 3 anti-debugging, etc.

Share this post


Link to post
3 minutes ago, NoXion said:


I don't understand what's going on here. What am I looking at?

You're looking at the output of a TCP/IP monitoring tool -- note the remote connection address for DoomEternalx64vk.exe relative to all those System Processes

Share this post


Link to post
1 minute ago, ZalgoC0meth said:

Have tried to see if I can locate this file as well...the reference could maybe be something as innocent as an uncommented line, something superfluous, but it's enough to get the attention of the system log. I don't know if I should be worried about this, or not. I mean, somewhere along the line, some function call is trying to take this file as an input and not finding it, right?

driverFAIL.png

That seems like a driver load failure. As far as I knew the only file registered as a driver was denuvo-anti-cheat.sys - seems like they've set up an extraneous extra entry somewhere? Going to wait on some expert to tell me if and how this is also a serious problem because it wouldn't surprise me.

Share this post


Link to post
4 minutes ago, Quasar said:

(because most of their coders are known to be ex-black-hats)

 

...

 

I swear this is getting better and better by the minute.

Share this post


Link to post
Just now, Quasar said:

That seems like a driver load failure. As far as I knew the only file registered as a driver was denuvo-anti-cheat.sys - seems like they've set up an extraneous extra entry somewhere? Going to wait on some expert to tell me if and how this is also a serious problem because it wouldn't surprise me.

See, that's what I wonder about...could that somehow be exploited? Lots of very odd warnings / errors popping up. I'm not sure if the extra backslashes and ??'s are erroneous. Not sure what's up with that hex string either.

Share this post


Link to post
Just now, ZalgoC0meth said:

See, that's what I wonder about...could that somehow be exploited? Lots of very odd warnings / errors popping up. I'm not sure if the extra backslashes and ??'s are erroneous. Not sure what's up with that hex string either.

No those are what kernel-level file paths look like, it's normal. The hex string is some kind of error code, and would come from the operating system.

Share this post


Link to post
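Two things in the driver-load error discussed above are worth being able to read on your own: the path spelling and the hex code. Here is an added example (mine, not code from the thread or from Denuvo/id) that does both. The "\??\" prefix is the NT object manager's DOS-devices namespace, where drive letters such as "C:" exist as symbolic links, which is why kernel-side paths carry it; it is not the Win32 extended-length prefix "\\?\". Driver ImagePath values can also be spelled "\SystemRoot\..." or relative to the Windows directory. The example assumes the hex string is an NTSTATUS (the form the kernel reports driver-load failures in) and splits it into the fields ntdef.h defines: severity in bits 31-30, customer flag in bit 29, facility in bits 27-16, code in bits 15-0. The sample event text, the file name example.sys and the status value in it are constructed for illustration; the screenshot's real values are not on this page. The practical check that follows from the decode: a driver that fails with STATUS_OBJECT_NAME_NOT_FOUND has a service registration under HKLM\SYSTEM\CurrentControlSet\Services whose ImagePath points at a file that is not there, so compare that registry value with what is actually on disk.

```python
import re

# Prefixes seen in kernel-side paths (service ImagePath values, object manager names).
DOS_DEVICES_PREFIX = "\\??\\"       # NT object manager DOS-devices namespace, where "C:" lives
SYSTEMROOT_PREFIX = "\\SystemRoot\\"  # symbolic link to the Windows directory


def nt_path_to_win32(path, system_root="C:\\Windows"):
    """Translate the NT-namespace spellings that appear in System-log driver errors into the
    Win32 path a user would type. Unknown spellings are returned unchanged."""
    if path.startswith(DOS_DEVICES_PREFIX):
        return path[len(DOS_DEVICES_PREFIX):]
    if path.startswith(SYSTEMROOT_PREFIX):
        return system_root + "\\" + path[len(SYSTEMROOT_PREFIX):]
    # Service ImagePath values are often relative to the Windows directory.
    if re.match(r"(?i)^system32\\", path):
        return system_root + "\\" + path
    return path


# NTSTATUS layout (ntdef.h): bits 31-30 severity, 29 customer-defined, 28 reserved,
# 27-16 facility, 15-0 code.
SEVERITY = {
    0: "STATUS_SEVERITY_SUCCESS",
    1: "STATUS_SEVERITY_INFORMATIONAL",
    2: "STATUS_SEVERITY_WARNING",
    3: "STATUS_SEVERITY_ERROR",
}

# A few well-known values from ntstatus.h; deliberately a short list.
KNOWN = {
    0x00000000: "STATUS_SUCCESS",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",
    0xC0000428: "STATUS_INVALID_IMAGE_HASH",
}


def decode_ntstatus(value):
    """Split an NTSTATUS given as an int (possibly negative, as some logs print it)
    or a hex string such as '0xC0000034' into its fields."""
    if isinstance(value, str):
        value = int(value, 16)
    value &= 0xFFFFFFFF  # normalise sign-extended values to 32 bits
    return {
        "hex": f"0x{value:08X}",
        "severity": SEVERITY[value >> 30],
        "customer": bool((value >> 29) & 1),
        "facility": (value >> 16) & 0xFFF,
        "code": value & 0xFFFF,
        "name": KNOWN.get(value, "unknown"),
    }


# Constructed example text (hypothetical driver name and status), not the real log entry.
SAMPLE_EVENT = (
    "Driver \\??\\C:\\Windows\\System32\\drivers\\example.sys failed to load, status 0xC0000034"
)

PATH_RE = re.compile(r"\\\?\?\\[^\s\"']+")      # a \??\... path
STATUS_RE = re.compile(r"0x[0-9A-Fa-f]{8}")      # a 32-bit hex code


def parse_event_text(text):
    """Pull the kernel path and the status code out of free-form event text and decode both."""
    path = PATH_RE.search(text)
    status = STATUS_RE.search(text)
    return {
        "nt_path": path.group(0) if path else None,
        "win32_path": nt_path_to_win32(path.group(0)) if path else None,
        "status": decode_ntstatus(status.group(0)) if status else None,
    }


if __name__ == "__main__":
    print(parse_event_text(SAMPLE_EVENT))
```

To apply it to a real entry, paste the event's message text in place of SAMPLE_EVENT; if the code turns out to be a Win32 error or HRESULT rather than an NTSTATUS, the bit layout differs and the severity/facility split here does not apply.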
