they found another backdoor.

  • Published 21 Nov 2024

COMMENTS • 731

  • @LowLevelTV 11 days ago +155

    wow no way that happened wouldnt it be cool if you learned to code at lowlevel.academy (ok)

    • @Cody_one 11 days ago +17

      4:29 "All my computers are designed around this" based

    • @LowLevelTV 11 days ago +14

      shit I did that again

    • @yeetyeet7070 11 days ago +4

      does this have courses that go beyond what is taught at W3schools? asking for a friend

    • @leandro-ds2vn 11 days ago +3

      please put purchase power parity into the pricing

    • @belkacemF 11 days ago

      well how can u see the source of the code to know?

  • @PeterZaitcev 11 days ago +964

    In Factorio, all mods are Lua scripts which are executed by the custom patch of Lua engine with all I/O removed.

    • @RealMasterKush420 11 days ago +138

      Yeah it's safer but unfortunately it also means we are very limited in what mod we can write, there is a trade-off. A mod for a Unity game can change anything in the game without restriction, you have access to everything the game developer has. Factorio mods can only touch what the game developer exposed to the modders, so it's very limited. I would rather have less restrictions and better mods to be honest.

    • @pwii 11 days ago +233

      @@RealMasterKush420 except that in the case of Factorio, pretty much everything you need is exposed and if you want something new, there's a decent chance that they will add it to the API if you make a forum post with a good reason for it.

    • @RealMasterKush420 11 days ago +81

      @@pwii Not really, I'm working on a few mods and there is a lot of frustrating limitations. Like you can not modify bot behavior or train pathing or modify vanilla UI. And they even added more restrictions in the 2.0 update, like you can't even zoom out more than the vanilla game anymore. And those are just some examples there is a bunch of small things that should've been exposed years ago but still aren't.

    • @uponeric36 11 days ago +37

      @@RealMasterKush420 Have you tried? Far too many things don't happen because nobody thought to complain.

    • @SamTuffman 10 days ago +8

      Unfortunately that's not an end all solution, there really isn't one. There's still numerous reported RCEs with many lua versions, luajit and even custom ones like rlua, glua, and even ravi.

  • @vincentbrumfield7434 11 days ago +1737

    I remember downloading minecraft hacked clients from the web as a kid with no care about security on my mom's computer.

    • @LowLevelTV 11 days ago +466

      millennials + limewire name a better duo

    • @zs2977 11 days ago +23

      Nodus lmao

    • @Lord0x 11 days ago +15

      @@LowLevelTV millennials and dialup

    • @LivvieLynn 11 days ago +68

      Will be every kid throughout history. Don't be cheap and share your computer with your kids. Let them have their own honey pots.

    • @BastetFurry 11 days ago +13

      @@LivvieLynn maybe one reason why i got my own 386 back in 1992 when i was nine. 😅

  • @muizzsiddique 11 days ago +615

    I thought it was ridiculous that a game mod would be distributed as a DLL binary, then I realised all of Skyrim's most versatile mods are DLLs for SKSE.

    • @deadoon 11 days ago +122

      This is actually very normal for unity games due to modding those is most reliably done via injection of bepinex.

    • @nordgaren2358 11 days ago +50

      My patches for Elden Ring are also DLLs. If you want to patch the code in the game, you have to inject into it somehow, and a dll is the best way.

    • @keithl3789 11 days ago +44

      Yeah, if a game doesn't support mods with their own sandboxing, either the modding community would have to develop and maintain their own system, or else just use the operating system's built-in functionality, which may or may not come with guard rails.

    • @1vader 11 days ago +25

      Yeah, even if it weren't distributed as a DLL, at the end of the day, mods need to modify the code of the game and run their own code. The only way mods can be completely safe is if the game (or a well-trusted modding framework) provides a built-in modding framework that only loads plain data or limits and sandboxes any way to run code, e.g. by running a Lua or WebAssembly interpreter that can only run certain methods specifically provided by the game which don't give unrestricted access to any other system resources. But this also inevitably restricts what mods can do to the things exposed by that modding framework.

    • @cerulity32k 11 days ago +24

      C# assemblies are DLLs, so it's basically standard that mods for games made in C# (Terraria, Celeste) are DLLs.

  • @jacoblojewski8729 11 days ago +365

    While the overall intro has good points - I want to push back a little bit on it. A large portion of mods are not, in fact, code. And a bigger portion of them do have code, but not code with free rein.
    What do I mean? A ton of mods fall under (aka: assets only):
    - Textures
    - Models
    - Data files that feed into the game's engine to do quests, etc.
    - Some combination of the above.
    These are nearly completely safe. Of course there's always the possibility of a vulnerability in one of the game's libraries used to parse/load those assets, then a mod shipping a maliciously malformed asset to exploit that vulnerability.
    The next level of mostly safe mods do include code, but:
    - It's either a custom language or
    - Some interpreted language run within a sandboxed interpreter, so it only has access to the game data itself
    These are still usually safe, but again could exploit a vulnerability in the game's script running engine to break out and access your system.
    The ones that you absolutely need to be careful about are ones that *do* ship outside code: exe's, dll's, etc. Common ones here are some generic (as in they are not game specific) injectors that are meant to provide better graphics. ReShade, FXAA injectors, GShade, etc.
    Users of mods should be aware of what kind of data they're downloading, and know when they have to be more careful with them.

    • @qlx-i 9 days ago +15

      It's the fact the format _allows_ such things to be done.
      Take Minecraft, for example. It has resourcepacks, datapacks and mods. Resourcepacks are a template that is only being interpreted as images & text, datapacks are stupidly hacky code that is being run entirely within the confines of the game's sandbox, with interpreter not even allowing to consider asking for an external library. And now consider mods. There are datapacks that are distributed as mods, there are even some mods that do some advanced texturing.
      However you cannot guarantee anymore that the thing a mod does will not affect files it shouldn't, because rather than being a text file interpreted by the game, it now has MORE privilege than the game itself, being capable of calling everything a program does AND overriding the game's code.

    • @imgladnotu9527 7 days ago +10

      @@qlx-i this whole situation would've been entirely avoided if devs just included a scripting engine that's comprehensive enough to do mods beyond the scope of the game, but it's sandboxed enough so that whatever the script does, it should heavily hamper or outright discourage any efforts that would be performed by a would-be threat actor

    • @Adamussim 7 days ago +5

      Funny that you mentioned GShade, they are an excellent example, since they did insert malicious code in their installer around a year ago.
      Since then GShade is untrusted (by me at least, but there was an outrage too, so probably not many ppl trusting them either).

    • @qlx-i 7 days ago +4

      @@imgladnotu9527 problem is, you can't predict what mods would do. There's sodium which just optimizes the hell out of the game, there's Iris that adds shaders to that. Despite mahjong slowly turning minecraft data-driven, many things still can't be done. And besides, the way datapacks work was initially more of a hack than anything. I think many would agree that kotlin just feels way more natural than even Lua.
      And from gamedev perspective it would be much harder than it looks.

    • @hoodieninja_7203 7 days ago

      Most games' mod support also essentially has mods be sandboxed to a certain degree. However, how sandboxed a mod is depends on the game, and sandboxing can be imperfect.

  • @otso648 6 days ago +52

    Please don't do fearmongering. Most mods are not distributed via dll but various scripting languages like lua or other custom solution. Any DLL in modern modding scene is usually a single helper dll that provides framework for other mods to take advantage of by expanding the modding API.

    • @takujaba6746 2 days ago +3

      @@otso648 Skyrim's mods (probably the biggest modding scene out there) would like to have a word with you.

    • @aiedenoldstien9751 1 day ago

      @@takujaba6746 It's funny you mention that. I remember seeing a reddit post about a mod that "was a virus". Which in the mod itself wasn't the virus. It was a notepad with a link to the virus.

  • @Alevice 11 days ago +511

    As someone who has dedicated half a lifetime into modding (about 25years now), I think the key problem is modding environments that allow direct computer access to be the major problems. Games that provide a sandbox as their moddable environment are generally safer. I still lament this perception against this hobby, since I think the benefits to the community outweigh its potential harms. I do agree more scrutiny should be held for mods that go alter stuff like DLLs (even if part of the modding I did when younger involved such, alongside direct memory injection), but to outright dismiss the ecosystem that has allowed games to flourish for several decades and not be subject of the Live Service model feels harmful in the long term

    • @nordgaren2358 11 days ago +32

      There's no way to prevent this.
      On top of that, some of the best mods are code patches that have to be applied at runtime, and the best way to do that is a dll. Even if they made an API for that, the user is going to be able to run code at one point or another, and you can do a lot with that.
      Even Lua, which is a popular scripting language for games and AI (Havok) can access the OS and read and write files to the system.

    • @keithl3789 11 days ago +7

      There is a way to prevent it in theory, just the coordination and implementation may be difficult to pull off. Depending on what the OS or particular game support you might end up having to place your trust in a community developed solution but that's better than placing full trust in every random developer.

    • @nordgaren2358 11 days ago +1

      @@keithl3789 That would just paint a big target on a single project...

    • @Deniil2000 11 days ago

      @@nordgaren2358 Depends on how you implement Lua in your game. The only game i know where Lua is used is Garry's Mod, and it doesn't allow full access to the system, you can only alter files in a game's subdirectory 'data'. Calls to edit files outside throw an error

    • @autohmae 11 days ago

      @@nordgaren2358 "There's no way to prevent this."
      You are running a Javascript sandbox in your browser many times every day, just like billions of people around the world.
      The trick is: don't give the language/runtime any functions to call go outside of where it's supposed to go.
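
Added example, not part of the comment thread and not code from any game mentioned in it: a minimal host-side sandbox for Lua 5.4 mod scripts, illustrating the points raised above about removing I/O, confining file writes to a `data` subdirectory, and not handing the runtime any function that reaches outside the game. `DATA_DIR`, `game_api` and `run_mod` are hypothetical names, and the sample mod scripts are constructed.

```lua
-- Added example (not from the thread or from any game). Targets Lua 5.4.
-- DATA_DIR, game_api and run_mod are hypothetical names.

local DATA_DIR = "data/"  -- assumption: the only directory mods may write to

-- Map a mod-supplied name to a path under DATA_DIR, or raise an error.
local function confined_path(name)
  if type(name) ~= "string" or name == "" then
    error("file name must be a non-empty string", 0)
  end
  -- No absolute paths, backslashes, drive letters/streams or embedded NULs.
  if name:sub(1, 1) == "/" or name:find("[\\:\0]") then
    error("path not allowed: " .. name, 0)
  end
  -- No parent-directory components anywhere in the name.
  for part in name:gmatch("[^/]+") do
    if part == ".." then error("path not allowed: " .. name, 0) end
  end
  return DATA_DIR .. name
end

-- The only bridge between mod code and the host. Each function validates
-- its arguments before touching the real io library.
local game_api = {
  log = function(msg) print("[mod] " .. tostring(msg)) end,
  write_file = function(name, text)
    local f, err = io.open(confined_path(name), "w")
    if not f then error("cannot open file: " .. tostring(err), 0) end
    f:write(tostring(text))
    f:close()
  end,
}

local function shallow_copy(t)
  local c = {}
  for k, v in pairs(t) do c[k] = v end
  return c
end

-- Allowlist environment. Absent on purpose: io, os, debug, package, require,
-- load, loadfile, dofile, getmetatable, setmetatable, rawset, pcall, coroutine.
local function new_env()
  return {
    ipairs = ipairs, pairs = pairs, next = next, select = select,
    tostring = tostring, tonumber = tonumber, type = type,
    -- Copies, so a mod cannot replace entries in the host's own library tables.
    math = shallow_copy(math),
    table = shallow_copy(table),
    string = shallow_copy(string),
    game = shallow_copy(game_api),
  }
end

-- Run one mod script. Returns true, or false plus the error message.
local function run_mod(source, name)
  -- Mode "t" accepts source text only; precompiled bytecode is rejected
  -- because the Lua VM does not verify it.
  local chunk, err = load(source, "=" .. name, "t", new_env())
  if not chunk then return false, err end
  -- Instruction budget: the hook fires every 1,000,000 VM instructions and
  -- aborts the chunk. pcall is not exposed, so the mod cannot swallow it.
  -- Memory is not limited here; that needs a custom allocator on the host side.
  debug.sethook(function() error("instruction budget exceeded", 0) end, "", 1000000)
  local ok, res = pcall(chunk)
  debug.sethook()
  return ok, res
end

-- Constructed sample mods: one well-behaved, the rest try to leave the sandbox.
local mods = {
  { "honest",    [[ game.log("2^10 = " .. math.floor(2^10)) ]] },
  { "uses-io",   [[ local f = io.open("settings.txt") ]] },
  { "uses-req",  [[ local m = require("some_native_module") ]] },
  { "traversal", [[ game.write_file("../outside.txt", "x") ]] },
  { "patch-lib", [[ math.floor = function() return 0 end ]] },
  { "spin",      [[ while true do end ]] },
}

for _, m in ipairs(mods) do
  local ok, err = run_mod(m[2], m[1])
  print(m[1], ok and "ran" or ("blocked: " .. tostring(err)))
end

-- "patch-lib" runs, but it only changed its own copy of the math table.
print("host math.floor intact:", math.floor(2.5) == 2)
```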

  • @EricParker 11 days ago +87

    8:50 Interesting thing about the second stage is because it's done dynamically, it doesn't get caught as packed by most tools (IE DIE).

  • @KieranDevvs 11 days ago +168

    It's worth noting that not all game engines are the same and that mod support doesn't have to mean arbitrary execution of code. Some game engines offer a modding API that only lets you interact with the game and not the machine, take note of 7 days to die's XML config based "modlet" approach (people have made injection mods into the unity dlls), or factorio's prototype mod system. Other game engines allow arbitrary code execution but run all mods under a sandboxed environment / VM.

    • @Mernom 11 days ago +16

      I very much enjoy Factorio's modding system.

    • @piisfun 11 days ago +4

      None of them should be allowing ARBITRARY code execution. UNSIGNED code execution is usually needed (unless the devs build a whole signing system), but never Arbitrary code execution.

    • @jMewsi 11 days ago +5

      The most used approach i am used to is LUA scripting for mods. Kinda shocked Skylines 2 just loads DLLs like that. That's malicious from the get go. wtf

    • @ShilohFox 11 days ago +4

      factorio is a great mention. i have developed some mods using their system, and made personal projects with factorio's prototype mod system as inspiration because it's really interesting and surprisingly versatile. such systems as those are really cool and have a lot of potential.

    • @_M_643 11 days ago

      As long as a mod involves injecting custom code into the game, wouldn't that be potentially malicious. Other methods are not as powerful.

  • @kyouko5363 11 days ago +76

    This is such a prime example of why game developers should encourage actual support for modding inside of their games; when you say "when you install modifications to games, depending on how the game's written, most of the time you just install a DLL" this right here is the core issue. Games with proper mod support provide you with tools to create mods via a tailor made set of API functions you can call. In the case of Skyrim, they have a limited scripting language called Papyrus. In the case of many other games, it's usually stripped down Lua with a game specific API.
    The second you need a DLL to mod a game, you're already entering "unofficial" territory. GTA's modding scene for instance, is absolutely full of DLLs, DLLs which provide an API to write mods in C# and load .NET DLLs even, none of which is officially supported and had to be reverse engineered. Skyrim is completely safe except for one attack vector: SKSE, Skyrim Script Extender, which as the name suggests, extends Papyrus because its limited functionality makes it a pain to work with, but the extensions themselves are perfectly safe, but now we're entering unofficial territory where you need a DLL in order for 90% of the mods on Nexusmods to work, because they all depend on SKSE. Attack that and you've screwed everyone over.
    If the developers simply provided the means, there'd be no need for ScriptHook, SKSE, and other such nonsense. By discouraging mods (which was GTA's stance up until a while ago, yet they've yet to provide any tools), you're not changing the fact that people are going to mod your game, you're just making it more dangerous to do so by forcing users to inject third party executable instructions into your game's memory with the same privilege as the game itself and not providing a sandboxed environment that meets the requirements of the modders (which Papyrus doesn't, it's almost *too* sandboxed, hence SKSE.dll)

    • @MajoraZero 9 days ago +8

      If you raise the bar of requiring any kind of modding support to be fully safe, then all you get is games not having modding support.

    • @kyouko5363 9 days ago +2

      @@MajoraZero I agree with that, although if that's a response to a point I made and not just a statement, then I think you may have misunderstood what I'm trying to say. Mod support doesn't refer to whether a game can or can't be modded; a game can *always* be modded, more on that later. Let me first get some definitions straight to avoid confusion.
      At a low level, a game is ultimately an executable binary, run as a process, and a game "mod" is a modification of either:
      1.) The static executable file itself on the disk, or related static assets (e.g. textures)
      2.) The game's process memory allocated at runtime.
      In more abstract terms, the behavior of a process, the game, is modified in one way or another.
      When I say "mod support" it means that modification of a game's behavior is an intended feature that the game is aware of. The game has a system built into it that recognizes mods and actively chooses whether to incorporate them or not.
      More importantly, the developers having control over that process means they can explicitly define what the game should consider a valid "mod" and how those mods are incorporated, whether that be a Lua runtime with limited access to the game's state (every MMO ever), or statically loading the mod's assets when the game launches (think Skyrim) which includes scripts that get executed at runtime (Papyrus in Skyrim's case) by an interpreter or JIT Compiler baked into the game itself.
      This is all deliberately included by the developer of the game, and they have control over every step in that process. They make the decision to expose X game state, or wrappers to Y internal functions, all via the API provided to mod authors. They control what the game recognizes as a valid mod.
      The modding ecosystem of a game with official mod support will grow around the developer provided facilities. Every ESO mod ever is a `.lua` file with a metadata file, because the developers of ESO provided the facilities for client-side mod support. That doesn't mean it *has* to be a `.lua` file.
      There's nothing stopping you from achieving the same result from a standard Lua mod that.. I don't know, adds a minimap, by writing a DLL that performs a trampoline hook on DX11's IDXGISCPresent function in order to call your own set of functions before returning to IDXGISCPresent's execution, and as your DLL is already injected into the process, you have complete access to the process memory, so you can draw yourself that same minimap, either through your own custom approach, or by calling the exact same functions the Lua API would have called to render said minimap.
      It doesn't matter if a game has official mod support or not, anything can be modded.
      The only reason it's called "modding" in the case where a game doesn't have official mod support purely boils down to the intent, but make no mistake, developing a cheat menu for a game that gives you infinite money uses the exact same method as a "mod" for a game with no official mod support that simply adds new features to the game.
      In both cases, the developer has not provided you with any official method or API to access the game state and make those modifications, so the only other way is injecting your code into the process in a way which the game is completely oblivious to, with no idea what a mod even is, or that its memory has been modified.
      In conclusion / key takeaways:
      - A game can and will be modded regardless of whether or not it has mod support. There's a fine line of intent that separates it from just outright hacking in the case of the latter. A GTA V mod, is no different than a GTA V hack/cheat. GTA V does not have mod support. Hence, ScriptHookV.dll (keyword: hook) being a pre-requisite for every GTA V mod.
      - Games with no mod support with a community that wants to mod it, will form an ecosystem of mods based around injecting arbitrary code into a process with the same level of system privilege and access to process memory as the process itself.
      - Games with mod support and a community that wants to mod it, will form an ecosystem of mods that come in the shape of what the developers provided their community with, because believe me, between having to develop your own "API" by figuring out what's what via live debugging the game and staring at x86 instructions for 6 hours to deduce 3 function signatures, and being provided a Lua API or DSL with all the functions you need to mod the game, absolutely nobody would opt for the former if it's not absolutely necessary (SKSE) or if it's recreational.
      - If developers don't provide an official way to mod their game through an API under their control, with limited access to anything outside of what's necessary to create a mod, and a community is intent on modding that game, then you end up with an ecosystem of mods that inject arbitrary code into the game process, with zero restrictions. This video being an example of this going wrong.
      On the other hand, if a simple, basic, bare minimum Lua API is provided to be able to modify basic state like the character's position, or having FFI access to existing functions in the game's code responsible for.. idk, modifying the quest log, then you avoid the problem of fostering an ecosystem where DLL files are normalized as "the way this game is modded" when it's really the option that has to be resorted to due to the lack of an official, developer-provided framework, through which you can access the same state, without injecting arbitrary third party code into a running executable with nothing stopping it from just deciding to crawl through your disk for sensitive data, load Winsock at runtime, establish a connection, and send all of that data to a malicious actor.
      There is absolutely zero reason why an official API would even permit you access to anything but the game's state, and maybe a math library or basic essentials, but no way in hell would you be given access to anything FFI related. In fact, SKSE's existence speaks to how limited and locked down official modding API's tend to be that the community had to go out of their way to extend it.

    • @berkeleyblue4247 8 days ago +4

      @@kyouko5363 To be fair: City Skylines Developer allows and has support for mods directly in the game

    • @kyouko5363 8 days ago +2

      @@berkeleyblue4247 Yeah, you're right, I do remember there being a Steam Workshop, which doesn't distribute DLLs, at least I'd hope not. Though if there is a thriving third party modding ecosystem where mods as DLLs is something normal? I'd take that as an indicator that their mod support, while technically present, is lacking.
      It's one thing if it's just a one off incident where one mod happens to be a DLL because there is no other way (SKSE being a prime example), but it's a whole other story if mods as DLLs is just a normal thing in the Cities Skylines modding community.
      I'd make the same argument for GTA5's modding scene where DLLs are just another Tuesday, although at least Cities Skylines I assume made an attempt to provide adequate support, but it just didn't quite cut it or was too restrictive. If you're at that point where people are having to resort to third party sources and mod through DLLs, it's going to create an unsafe modding ecosystem where stuff like this becomes possible.
      I'd argue Cities Skylines should provide the missing access to whatever internals modders need that is forcing them to go the third party DLL do it yourself route. If a framework already exists for mod support, it's not that hard of a task to just expose more of the game's internals. I'm not sure what the extent of their support is, but for argument's sake: whatever you need a DLL to access, simply provide access to that through your existing Lua API (assuming they even use Lua), and don't give your community a reason to DIY.
      It's better than no support, but inadequate support still leads to the same problem in the end.
      On the other hand, if this is actually how the game is officially meant to be modded, then that is a massive security blunder.
      DLL modding should never be the answer unless absolutely necessary. It should not be a normal thing, but most people don't understand the difference and don't realize the security risks involved by not staying within the game's "sandbox"

    • @Js17011 2 days ago +1

      my current skyrim modlist contains 194 dll files hehe

  • @Decateron 11 days ago +318

    Why in 2024 desktop operating systems still let most applications run with no sandboxing is beyond me.

    • @tablettablete186 11 days ago +37

      Well, Windows doesn't have a proper sandbox (the closest are AppContainers)

    • @AEleven-4-Podcasts 11 days ago

      @@tablettablete186 Or Windows Sandbox (lol) which is exclusive to Pro users (and adds an ugly yellow border)

    • @seeibe 11 days ago +19

      This is why I prefer to run Steam with flatpak these days. Not foolproof but better than nothing.

    • @ougonce 11 days ago +21

      @@seeibe It literally isn't

    • @tablettablete186 11 days ago +31

      @@ougonce Flatpaks are a sandbox. They use namespaces for isolations and a SECCOMP filter.

  • @dudaseifert 11 days ago +137

    hey low level, i'm just wondering: did you really quit league after vanguard? i quit and my friends still think i'm being extreme, but i came to the same conclusion as you, i'm not installing a root kit in my pc, that's just asking for trouble

    • @LowLevelTV 11 days ago +213

      yup, i havent touched it since the start of S14. and as a shock to no one, my mental health significantly improved :)

    • @Buizie 11 days ago +22

      @@LowLevelTV good. Quitting league also improved my health LMAO

    • @hungrymusicwolf 11 days ago +19

      @@LowLevelTV The only good thing about vanguard: whenever the temptation to return to league strikes I just remember that Vanguard still exists and I like an internet and laptop not controlled by a Chinese company.
      Quitting league really makes a massive difference. League's effect on your mental health is just like gambling on steroids, with the reward being the rush of victory instead of actual money.

    • @Z_fentomFentom 11 days ago +1

      Your friends are idiots i have no other way to put it

    • @marcusjohansson668 11 days ago +4

      Holy crap, the improvement of my mental health after leaving league was very noticeable for me!
      I am glad to read others have come to the same realization!

  • @nomore6167 11 days ago +20

    The problem with something like this is that people will see the "support" number (the number of downloads, reviews, subscriptions, likes, etc), and they'll equate a high number (such as 300k in this example) with a high level of trust, especially if they have no other way to measure trust.

  • @ItsErikCubed 11 days ago +94

    I just had a little panic attack because I was playing Cities: Skylines 1 with a Traffic Manager mod earlier.

    • @zerotwo7319 11 days ago +8

      T h a n k y o u f o r t h e E t h e r.

    • @everythingpony 7 days ago

      It also effected the first game too

    • @ItsErikCubed 7 days ago +6

      @@everythingpony Everything I’m reading was for CS2. Paradox put an announcement on CS2 but not CS1.

    • @KingLeno 6 days ago +6

      @@everythingpony it did not apply to nor AFFECT the first game

  • @TheLexikitty 8 days ago +8

    I run a separate machine for games, but modding is kinda half the joy of most of my favorite games. Far too many games lock all their stuff down so that you can only have fun The Correct Way.

  • @awesomecronk7183 11 days ago +76

    This is the one point where Lua is a good thing: it's sandboxable. That makes it ideal for game mods because it's easyish to read/write and can be run untrusted with virtually no security risk.

    • @1vader 11 days ago +21

      @@awesomecronk7183 But this also restricts what mods can do to only the things exposed to the Lua sandbox. And ofc, this only works if a game has this stuff built in, which most games don't, since it's a lot of work to do it properly. But yeah, if done well, it's definitely a good option.

    • @foobarf8766 11 days ago

      Lua is a fucking major risk because it can make http requests to load malicious modules

    • @SamTuffman 10 days ago +8

      unfortunately, sandboxing lua isn't an end all solution though, by default lua has io library, luajit allows C code execution through FFI, and every major version of lua has had RCEs from rLua to gLua.
      I absolutely love lua, and have spent more time programming in lua than any other language, but it's not an automatic solution to the problem. The true solution is only downloading from valid verifiable sources (open source software, and checking the code yourself)

    • @1vader 10 days ago +5

      @@SamTuffman For security, using something sandboxed is definitely much better than relying on trust and reading the source (as if the average person will or even can do that). Yes, it's obviously not 100% bulletproof but exploits in Lua can be found and fixed and may not be easy to exploit. That's definitely much better than just hoping/trusting you're not going to get pwned. But ofc, sandboxing also puts limitations on mods, as mentioned previously.

    • @yarghhargh9345 5 days ago +1

      Again you are still just running code from strangers on your computer.

  • @bryan0x05 11 days ago +29

    2:11, you only install DLL some of the time. Most games use scripts that access the game's API and that's a much safer way of doing it.

    • @nordgaren2358 11 days ago +2

      Not always. It really depends on the game's scripting engine. If it's something like LUA, you could run into the same issues.

    • @samuelhulme8347 11 days ago +1

      In Cities Skylines all code mods are DLLs

    • @electricnezumi 10 days ago +6

      ​@@nordgaren2358 lua is a terrible example. it is specifically made to be sandboxed. if a game has a lua modding API and still has ways for mods to execute arbitrary malicious code outside of the scope of the game, that is because the game implemented the lua sandbox wrong.

    • @nordgaren2358 10 days ago

      @electricnezumi this isn't true at all.

    • @nordgaren2358 10 days ago

      @electricnezumi if a game has to implement the sandboxing, then it's not the default, is it?

  • @matthewstott3493 11 days ago +22

    Supply chain attack injecting payload into a game mod. Surprised it took this long. Pretty obvious target rich environment to capture a whole lot of gamer machines on a zombie net.

    • @loldoctor 8 days ago +6

      This comment reads like dialogue from a cyberpunk game.

    • @itsnotsam_ 4 days ago

      @@loldoctor that explanation is spot on

    • @pieterveenders9793
      @pieterveenders9793 2 days ago

      with a lot of combined processor power for distributed cryptomining or hash/password cracking....

  • @jong2359
    @jong2359 11 days ago +234

    This is a game design issue. VERY few mods for games require a 3rd party DLL. There are common exceptions for games that don't require DLL's (stuff like skyrim script extender) -- so always be cautious... but really this is terrible game design from cities skylines.

    • @crusaderanimation6967
      @crusaderanimation6967 11 days ago +49

      Yea first that came to my mind is factorio enabling modding with mods being just lua script with access to Factorio API and without access to system.

    • @tablettablete186
      @tablettablete186 11 days ago +8

      @@crusaderanimation6967 Factorio is just GOAT

    • @kamipls6790
      @kamipls6790 11 days ago +17

      Ahhh DLLs; the spicy DLC

    • @nordgaren2358
      @nordgaren2358 11 days ago +10

      That's not true at all. Even if the code wasn't in a dll, it's still code.

    • @Dygear
      @Dygear 11 days ago +1

      Metamod for the Counter-Strike 1.5 / Source Based games. It hooked the VTable to capture a lot of information about the game state.

  • @LiEnby
    @LiEnby 10 days ago +33

    “Very sketchy calls”
    - creating a thread
    - connecting to the internet
    - writing a file
    Gotta say it’s weird for a math library but in general that’s very normal shit

    • @bigombrello
      @bigombrello 9 days ago +5

      They’re sketchy BECAUSE they’re in a math library

    • @LiEnby
      @LiEnby 8 days ago +1

      @@bigombrello i mean creating a thread isn’t that sketchy
      Anyway issue is an AV doesn’t really know it’s a math library, and going “these are suspicious” generally would be stupid as hell

    • @illegalcoding
      @illegalcoding 6 days ago

      Yeah I really didn't understand that bit lol, saying that if you see a program using basic threading stuff and WinSock2 it's almost always malware seems silly

    • @MyFedora
      @MyFedora 5 days ago

      Yeah, crazy right? Clearly, all software updaters are malware.

    • @aiedenoldstien9751
      @aiedenoldstien9751 1 day ago

      "Yo why is my math library downloading my credit card information and uploading it to the internet"

  • @Dominik-K
    @Dominik-K 11 days ago +16

    I'm currently researching into making plugins, game mods and other software modifications strategies safer, by employing safety layers, sandboxes and quite some WASM / sandboxed languages ... And it's harder than it looks at first sight. This topic is very important though, and safety of data and software integrity will only become more and more important

    • @boblol1465
      @boblol1465 11 days ago

      i think minetest does this well(?)

  • @seeibe
    @seeibe 11 days ago +12

    My intuition is that while this can happen, getting infected by an npm or pip package is still far more likely.

    • @Rudxain
      @Rudxain 8 days ago +1

      Deno to the rescue! ... I guess?

  • @FireStormOOO_
    @FireStormOOO_ 11 days ago +10

    I feel like the smarter takeaway would've been just don't bank or handle sensitive data on the same machine you consume media on. Some game devs take cyber-security seriously, but they're the exception. Serious media decoding bugs are also a dime a dozen.

    • @boomergames8094
      @boomergames8094 8 days ago +2

      99% of people don't have other systems hanging out just for sensitive data, unless they have a work computer, for work, that work may be monitoring...

  • @Sebastian-ys8sn
    @Sebastian-ys8sn 11 days ago +5

    I think you nailed this video again, with just the right level of detail on the matter

  • @paxdriver
    @paxdriver 11 days ago +2

    This is one of my favourite videos. I don't really play games but I love how you break down that giant mov sequence that got reconstructed by the seemingly benign prof-blah DLL. This was really neat, even for a novice programmer like me looking for coding challenges to practise on. I can't wait to try to break a hello world down and rebuild it to run with another function in another file just for fun.

  • @Dosenwerfer
    @Dosenwerfer 11 days ago +33

    The actual issue is why the fuck is executing everything without compartmentalization by the OS the norm? Almost no game should have permission to interact with the filesystem other than its own files that it shipped with (or were dropped in, e.g. modded), certainly no crypto wallet application. That's insane. On mobile, we have had this whole class of issues solved for 10+ years now by having sane and very limited default permissions of what an app can do outside itself.

    • @Lizzardar
      @Lizzardar 8 days ago +11

      Well... Windows kinda was trying to do compartmentalization with the Windows store apps... The issue is there is a *lot* of older software that was designed with no compartmentalization in mind and stores/access data everywhere on PC and can self-modify itself. This leads to Windows relying on old way of interacting with things. If you look at MacOS and most recent Linux distributions they are trying to implement proper access management which leads to their own headaches for app developers and users but kinda works.

  • @inzanozulu
    @inzanozulu 10 days ago +6

    FYI DLLs have entry points. DllMain is called when the DLL is loaded, the intention being initializing whatever state it might need

    • @1nt1c4t10n
      @1nt1c4t10n 5 days ago

      Not every DLL does have an entry point. It's optional and only implemented if necessary.

  • @mdev3987
    @mdev3987 11 days ago +7

    after this i hope that modders will learn more about git permissions

  • @apillow8724
    @apillow8724 11 days ago +6

    This is only tangentially related, but messing around with Neovim packages and Neovim package managers like Lazy makes me super worried. I always feel like it would be incredibly easy to conduct a supply chain attack with it.

  • @PostNoteIt
    @PostNoteIt 8 days ago +16

    Explaining a Windows DLL in terms of a Linux Shared Object is such a power move. I'm in awe.

  • @EraAnibra
    @EraAnibra 11 days ago +3

    the hashing part was genius work tbh I'm very impressed

    • @martinzihlmann822
      @martinzihlmann822 10 days ago

      love that trick, will use it to confuse my coworkers.

    • @montz1757
      @montz1757 8 days ago

      @@martinzihlmann822 lmao

  • @MrProfizmus
    @MrProfizmus 11 days ago +4

    Lots of mods are non-code asset modifications only, such as texture and model replacement mods, so if you blanket avoid all mods, that's on you. Especially considering that you can and do know better. Some while do touch code, they patch a couple bytes at most (such as aspect ratio or framerate uncapping mods). Some more elaborate mods are even open source / source available / well documented. Minecraft mods are also a particularly bad example, because it's just Java (if you play the Java Edition). Not saying everyone goes and audits those mods, but the barrier of entry is way lower. It's like telling people that piracy is a boogeyman and they're all getting hacked. They don't.

  • @Lewisking50
    @Lewisking50 11 days ago +8

    TBH If there's backdoors in my OS, my browser or really almost any program, then worrying about backdoors in my mods would just drive me crazy.
    At least I'm pretty sure there's no backdoors in the mods I made myself. But then again, I generally need other programs to make mods in the first place...

    • @SineN0mine3
      @SineN0mine3 1 day ago +1

      If you run windows they don't need a back door because the front door is propped open with a brick so that they can train their AI off your data.

  • @mu11668B
    @mu11668B 10 days ago +1

    Hash-based PEB walking is actually very hard to detect, even for behavior-based detection engines. Most of the time AVs just hook onto certain system module exports and try to log what a program does. Parsing or even emulating long sequence of assembly is too resource intensive to be useful.

  • @m4rt_
    @m4rt_ 11 days ago +4

    Malicious mods have been a thing in Minecraft for a while, both in the form of mods being designed to be malware or copies of mods being made with malware in them, and infecting existing mods with malware. So it isn't very surprising that it's happening elsewhere too.

  • @notjustforme
    @notjustforme 5 days ago

    I absolutely love the fact that you used shared objects to explain what a .dll is. You know your audience!

  • @mattshu
    @mattshu 11 days ago

    Just wanna say thank you for the push towards low level learning! I’ve taught myself C#, Java, python, etc but the low level ones like C and assembly always scared me! I have to consider your course because I love your style and energy.

  • @pihungliu35
    @pihungliu35 11 days ago +7

    This makes me think about the "fractureiser" malware on Minecraft five months ago that specifically attacked the modding ecosystem of Minecraft to distribute.

    • @Arcensyl-f6h
      @Arcensyl-f6h 11 days ago +1

      Same. I remember watching as news came out on Fractureiser in real time; it was interesting seeing people break down and eventually counter it. It was wild to me how Fractureiser tried to inject its first stage into other JAR files as an attempt to spread.

    • @sillythewanderer4221
      @sillythewanderer4221 11 days ago

      @@Arcensyl-f6h same lol. Now when I launch the game I have it set to always scan for fractureiser, just in case.
      There was also some weird stuff with serialization recently.

    • @Arcensyl-f6h
      @Arcensyl-f6h 10 days ago

      @@sillythewanderer4221 I should probably scan JARs for it more honestly. I'm curious, how did you set it up to automatically run the scanner before the game starts?

    • @sillythewanderer4221
      @sillythewanderer4221 10 days ago

      @@Arcensyl-f6h I have been just using ATLauncher (not tlauncher that is a virus) and whenever I launch a mod pack it scans for fractureiser, but I think most non vanilla launchers also do it.
      What launcher do you use?

    • @pihungliu35
      @pihungliu35 9 days ago +2

      @@Arcensyl-f6h Some launcher will do that for you if you set it up. I'm using ATLauncher for my modded minecraft instances and whenever it launches an instance there is a step where it is "scanning for fractureiser"; I haven't checked but there should be a setting in there.

  • @Т1000-м1и
    @Т1000-м1и 5 days ago

    This tickled whatever I have left in there from trying to learn programming all those years ago

  • @sabzchetty
    @sabzchetty 11 days ago +1

    Super interesting. Always wondered how DLL’s work. Top notch explanations

  • @philippefutureboy7348
    @philippefutureboy7348 11 days ago +10

    How obfuscated do you want this?
    Yes.

  • @PeterZaitcev
    @PeterZaitcev 11 days ago +2

    Imagine if that fastmath DLL actually had exposed some math functions like fastinvsqrt, fastmul, and so on. That would be literally undetectable.

  • @Nullref_Arcana
    @Nullref_Arcana 9 days ago

    Such a clever way to obfuscate a malware, I'm impressed it was distributed through a Cities Skylines 2 mod of all places.

  • @agx93
    @agx93 11 days ago +4

    This is why I have a gaming PC on a completely separate network with nothing but steam and discord. That’s all I use it for. Trust nothing.

  • @samuelbruce8837
    @samuelbruce8837 8 days ago +2

    "John Hammond sent me some code" - can't wait for the "I hacked low level" video

  • @massivgrass
    @massivgrass 11 days ago +9

    1:13 Never realized it's an emulator. So I can attach it to a real city?

    • @chipsafan1
      @chipsafan1 11 days ago

      @@massivgrass 😂😂😂

  • @dashcharger24
    @dashcharger24 11 days ago +2

    The most shocking about this: people actually having friends.

  • @u9vata
    @u9vata 6 days ago

    Lol, the mov operation trick is something that was being taught at a Hungarian university years (now decades?) ago for the low level classes. Exactly the same pattern. It makes me wonder if this was some state sponsored backdoor coming from us maybe haha. Would have been so cool ;-)

  • @yellows111
    @yellows111 11 days ago +2

    3:48 I've actually seen legitimate software that provides code via a dynamically importable library without any exports. It makes debugging it slightly harder, since it's probably all initialized in the DllMain or just has a hardcoded VTable in the main executable.
    One example I can name is Microsoft V-Chat's VCHATHLP module.

  • @rnbpl
    @rnbpl 11 days ago +1

    i've always assumed this was the case. i've made C:S assets: you upload unity packages which contain code that the game will run, no questions asked

  • @Para0234
    @Para0234 9 days ago

    Randomly found this video.
    And well, it's really excellent. You earned my subscribe.

  • @vicca4671
    @vicca4671 11 days ago +1

    Things like this makes me wonder if there are competitions to develop obfuscated software. This is basically one intricate (albeit dangerous) puzzle.

  • @ThylineTheGay
    @ThylineTheGay 11 days ago +2

    The problem with lua scripting is you can't modify the game, i know that's the _point_ of it, but some of the best Minecraft mods would be impossible like that

  • @sykosysganadora2293
    @sykosysganadora2293 6 days ago

    "If its Riot games don't play the game at all" And thats why I upvoted this video.

  • @Suyalus
    @Suyalus 9 days ago +2

    well, you wanted traffic, you got (internet) traffic XD

  • @pengpleb
    @pengpleb 11 days ago +1

    This looks exactly like the technique you are taught in OSED for writing custom shellcode. You use a custom hashing function to search for the functions you need, mainly because string comparing in plain assembly is quite painful.

    • @nikauswien5863
      @nikauswien5863 11 days ago +1

      if it's that common i'm surprised that an export address table walker is not picked up by security products via heuristic or behaviour analysis. Btw, benny/29a & crew demonstrated that technique in 1998. Yes, it's that old. On the shoulders of giants!

  • @rackay12
    @rackay12 10 days ago

    Would love more content like this. wish you'd explain what APIs are called when malware is about to do a process injection, Process hollowing, DLL sideloading etc.

  • @MatthijsvanDuin
    @MatthijsvanDuin 6 days ago

    12:32 That "hash" is just standard crc-32 without the post-inversion (which was probably folded into the constant they're testing against by the compiler)
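
The relationship described in the comment above, written out as an analysis aid (an added example, not part of the original thread or the video): if a name hash is standard CRC-32 minus the final inversion, XOR-ing a constant from the disassembly with 0xFFFFFFFF gives a value ordinary CRC-32 tooling understands, and a table built from candidate export names maps constants back to names. The candidate list and the "observed" constants are constructed for illustration and are not taken from the sample discussed in the video.

```python
"""Map CRC-32-style name-hash constants back to export names (analysis aid)."""
import zlib

CRC32_POLY = 0xEDB88320  # reflected polynomial used by standard CRC-32


def crc32_no_final_xor(data: bytes) -> int:
    """Standard CRC-32 (init 0xFFFFFFFF, reflected) without the final inversion."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (CRC32_POLY if crc & 1 else 0)
    return crc


def to_standard_crc32(constant: int) -> int:
    """Undo the folded-in inversion so the value matches ordinary CRC-32 output."""
    return (constant ^ 0xFFFFFFFF) & 0xFFFFFFFF


def agrees_with_zlib(samples) -> bool:
    """Sanity check: our variant differs from zlib.crc32 only by the final XOR."""
    return all(to_standard_crc32(crc32_no_final_xor(s)) == zlib.crc32(s)
               for s in samples)


def build_lookup(names):
    """Hash each candidate name (as given, lower and upper case) into a table."""
    table = {}
    for name in names:
        for variant in (name, name.lower(), name.upper()):
            digest = crc32_no_final_xor(variant.encode("ascii"))
            table.setdefault(digest, variant)
    return table


def resolve(constants, table):
    """Return {constant: matching name or None} for constants seen in a binary."""
    return {value: table.get(value) for value in constants}


# Assumption: in practice this list is dumped from the export tables of the
# system DLLs on the analysis machine. Here it is a short constructed list.
CANDIDATE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "CreateThread",
    "WriteFile", "WSAStartup", "connect",
]

# Constructed stand-ins for 32-bit immediates pulled from a disassembly.
OBSERVED_CONSTANTS = [
    crc32_no_final_xor(b"CreateThread"),
    crc32_no_final_xor(b"wsastartup"),  # a case-folded variant
    0x340BC6D9,  # un-inverted CRC-32 of b"123456789": not an export name
]

if __name__ == "__main__":
    lookup = build_lookup(CANDIDATE_EXPORTS)
    for value, name in resolve(OBSERVED_CONSTANTS, lookup).items():
        print(f"0x{value:08X} -> {name or 'no match in candidate list'}")
```
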

  • @eitantal726
    @eitantal726 11 days ago +2

    If I had crypto (I don't), I'd have it airgapped somewhere on a dedicated machine. Not on my main computer, ffs

  • @omeg666
    @omeg666 8 days ago

    It's funny that this malware is considered interesting. Back in the days manual import/export walk with name hash checking was pretty standard. I guess back at times of 29a writing low level stuff was mostly done for curiosity and experimentation, not to get easy cash by script kiddies.

  • @howabout2138
    @howabout2138 1 day ago +2

    just run games on linux, even if there's a trojan inside mod then it's not gonna steal anything as each game is sandboxed and gets own "copy" of windows directories

  • @santitabnavascues8673
    @santitabnavascues8673 11 days ago +1

    Reminds me of the old DOS viruses, patching the interruptions vector, but instead of in memory, on the DLL exception handlers, also, using hashes to disguise the names of the DLLs it looks for is clever, yet, is sad, because they take advantage of people who only want to enjoy their games more.

  • @GameNobz
    @GameNobz 6 days ago

    They still prove to me that the first game is all we need.

  • @TU7OV
    @TU7OV 7 days ago

    I remember this was one of the reasons why Quake 3 had a built in virtual machine to run mods on.

  • @Aves_1
    @Aves_1 10 days ago +1

    Title and thumbnail had me worried cs1 was affected.
    and to the people who say it doesn't matter, only the first part is general. The rest is about a specific mod for cs2

  • @philippefutureboy7348
    @philippefutureboy7348 11 days ago +1

    You know, alternatively an even more obfuscated malware would read assets (images, textures, etc) that contain code embedded via steganography. That way your DLL does what it’s expected to do - process an asset, and then the new program can be loaded

  • @blueboy4625
    @blueboy4625 11 days ago +41

    A mod is someone else's code just like the cloud is someone else's computer. Don't trust other people if you don't know them.

    • @balsalmalberto8086
      @balsalmalberto8086 11 days ago +6

      And your private data stored and "secured" by "company X" is someone else's treasure trove.

    • @null-0x
      @null-0x 11 days ago +15

      A game is also other people's code.

    • @blueboy4625
      @blueboy4625 11 days ago

      @@null-0x Hence why I don't trust them unless they're from a known reputable creator.

    • @keithl3789
      @keithl3789 11 days ago

      It would be the same if you downloaded a game from some random website. But companies have a financial interest in not letting their customers get hacked. Sometimes you have two independent parties with an interest in protecting their customers (developer and platform).

    • @cartanfan-youtube
      @cartanfan-youtube 11 days ago +6

      @@blueboy4625 idc bro I’m gonna keep downloading mods. Not worth this level of paranoia. just have common sense about where you get your mods from, keep proper backups, and keep your important files stored someplace safe like an encrypted flash drive not constantly plugged into your computer

  • @Irsu85
    @Irsu85 8 days ago

    As a Mario Kart Wii modder, I can tell you most mods don't include code, only assets (They are known as assets only Riivolution or My Stuff mods inside the MKW modding community). Of course some mods like CTGPR and Pulsar packs do include code to extend the track limit of 32 (let's not talk about LECODE, that's deprecated) but that's about it

  • @lizardkeeper100
    @lizardkeeper100 11 days ago +1

    I am impressed with how they hid the imports ngl. I feel like a good antivirus should be able to catch it but I am not sure many companies know how to make good programs. it just makes life easier for hackers

  • @chris582
    @chris582 10 days ago +1

    Oooohhh… IIRC that’s a pretty old school technique.

  • @nomadshiba
    @nomadshiba 11 days ago +5

    maybe support mods natively with sandboxed scripts

  • @lezlienewlands1337
    @lezlienewlands1337 7 days ago

    Reminds me of the Gbombs backdoor for Gmod.
    IIRC the author put in backdoors that allowed him to spawn money and items on DarkRP servers, and even run admin level commands and spawn admin restricted items.
    It got discovered when a server admin noticed suspicious commands being run in server logs.

  • @seedmole
    @seedmole 8 days ago

    Woooooo!!! Someone shared this in the Fromsoft Modding discord, where Nordgaren spends a lot of time. Cool to see him mentioned! And wild attack, very interesting obfuscation method. Brb never downloading mods ever again lol.

  • @foobarf8766
    @foobarf8766 11 days ago +2

    Kinda mind blowing people are claiming "Lua fixes this" when the LuaJIT was abandonware that's barely been salvaged, and can load malicious modules over http

    • @a_random_lemurian
      @a_random_lemurian 11 days ago +1

      That's because they're not using LuaJIT, they're using the regular Lua interpreter instead

    • @electricnezumi
      @electricnezumi 10 days ago +2

      ...then don't let it use http?

  • @kuhluhOG
    @kuhluhOG 11 days ago

    If a game is vulnerable via mods depends on how mods are implemented.
    In some games it's Lua and you need to go through the game's functions to do ANYTHING (and some don't let you touch the filesystems or heavily restrict it).
    In other games it's literally just an XML (or similar) with a few assets (like textures or audio). Sure, one could theoretically exploit a vulnerability in e.g. the parser of these files, but that's pretty darn hard (and at that point one would need to consider EVERY program which parses user-provided files of any kind vulnerable).

  • @OfficialViper
    @OfficialViper 11 days ago +1

    "Author uses 2FA" should be a quality label on a mods page

  • @Myne1001
    @Myne1001 11 days ago

    People seeing the thumbnail are probably panicking right now thinking CS1 is hacked when he's just talking about CS2 Traffic Mod

  • @Rowlesisgay
    @Rowlesisgay 9 days ago +1

    love the riot games roast at the end

  • @jamesbond_007
    @jamesbond_007 11 days ago

    Wow -- these guys are very clever. I think I would have come up with the hashing technique for looking up the dlls, but the moves to set up data I don't think I would have ever thought of (too many years thinking about writing more optimal code to think of deliberately deoptimizing to obfuscate). Thanks!!!

  • @AUATUWVSH
    @AUATUWVSH 11 days ago +2

    as for skyrim mods, the only "code" that exists is SKSE plugins (DLLs, and people rarely provide sourcecode, but they provide the *.psc papyrus source code most of the time), papyrus scripts (pex files either loose or inside BSAs) and VMAD records (inside the ESP/M/L files, but they are super limited) unless there's some exploit, there probably are many, the game segfaults and crashes more frequently than the rust people say c applications do

  • @tsuaririndoku
    @tsuaririndoku 10 days ago

    This is why I still enjoy the first game and use Mods from the workshop. I felt like Workshop mods are slightly safer

  • @h7hj59fh3f
    @h7hj59fh3f 11 days ago +6

    Couldn't antimalware software monitor DLL/EXEs more closely if they're unsigned and have that sort of obfuscation in them? then the antimalware would pick up on all of those methods getting called and flag it / mark it as PUA / send it upstream for analysis / etc. One downside, though, is the game modder could simply tell their users to ignore false positive malware warning lol

    • @nordgaren2358
      @nordgaren2358 11 days ago +2

      Sure they can, but most of a packer/stage ones job is to make sure that the antivirus doesn't pick up on anything.
      Tbh, idk why they didn't pickup the peb crawl.
      Another thing that is dangerous is that a lot of people put games as an exception in their antivirus for one reason or another.

    • @SergeantExtreme
      @SergeantExtreme 11 days ago

      @@nordgaren2358 Because they're using hacks. That's why they put their games as exceptions in their antivirus!

    • @BlackLixt
      @BlackLixt 1 day ago

      @@nordgaren2358 the reason for exceptions is that it can perform better

  • @igori3532
    @igori3532 12 hours ago

    It's kinda supply chain attack.
    It's not only mods, but could be a library or container image

  • @TazziedoesWT
    @TazziedoesWT 5 days ago +1

    Killing Steam Modding, Killed CS2 for me. Made some great mates in the mod community, loved every time an airport or plane and its livery was created combined with the enthusiastic community from Keralis to Conflicted etc etc. That steam community was amazing. While I understand this introduces the Xbox community, and as someone who did play on Xbox for a while, where no mods did annoy me, why they didn't let steam and their own internal mod page both be platforms for mods baffles me, and makes me so incredibly not enthusiastic for the game. Played it a couple times, got a few cities to 100k, and then went on hiatus.

  • @UltimatePerfection
    @UltimatePerfection 8 days ago

    That's why I always run my games inside a VM that's inside a Docker container, that's inside another VM.

  • @ichoupettev4661
    @ichoupettev4661 10 days ago +3

    ok, i'm scared now. Thanks :3

  • @adsan7787
    @adsan7787 11 days ago

    Mods can generally be trusted if the engine runs script type mods, where there is no actual compiled code but an abstract interpreted custom "programming language". That way, modders can do only the particular things that the devs allow them to, which is great for security but probably annoying for mod creators

  • @GamingBren
    @GamingBren 11 days ago +7

    CS content creator here, please change the thumbnail to use the CS2 logo, I legitimately thought there was ANOTHER issue for CS1 when this appeared in my feed.

  • @ErikPlay2Learn
    @ErikPlay2Learn 7 days ago

    What you also might take away is that Steam and the game developer should provide a safe way to install plug-ins and show you how much they tested them.

  • @kamilkardel2792
    @kamilkardel2792 11 days ago +2

    Wouldn't it be a good practice for game studios to make games moddable through providing some kind of sandboxed environment where all the code of a mod would be in a scripting language (like LUA or Python) and the capabilities would be limited (no meddling with the operating system, no Internet connections)?

  • @Milosz_Ostrow
    @Milosz_Ostrow 10 days ago

    Another takeaway from this video is that one should not be installing software willy-nilly from unknown or untrusted sources on one's computer that is used for banking, email, and other "serious" functions. For those running open-source systems, it may be as simple as obtaining a second hard drive for games and the like and booting from one drive or the other. For those running Microsoft Windows or Mac OS, it would mean having to buy a second license for a second copy of the operating system to run on another drive or getting another computer outright.

  • @pixobit5882
    @pixobit5882 11 days ago +1

    That sponsored segment completely destroys the flow of the video. You were talking about the way the library distributed stage 2 and 3, then comes the sponsor and then some other topic.

  • @2012Accounts
    @2012Accounts 11 days ago +2

    I thought it was CS1 because of the thumbnail, oof

  • @Raptorialand
    @Raptorialand 11 days ago

    I've never thought about the risk that someone hacking a trusted modder.
    I imagine this video will bring many hackers on new ideas.

    • @Trainguyrom
      @Trainguyrom 11 days ago +1

      This is known as a supply chain attack, compromise a trusted software provider to distribute the malicious code through trusted channels to their user base, and then compromise the user base. It's becoming increasingly common as companies tend to have lots of vendors they work with, and by having a legitimate vendor unwittingly distribute your malware you can compromise a large number of companies and individuals for the amount of effort of compromising one

    • @KaitouKaiju
      @KaitouKaiju 11 days ago

      @@Raptorialand not a particularly new idea

    • @Raptorialand
      @Raptorialand 10 days ago

      @@KaitouKaiju So if i install mods on my VR quest 3, i have a potential risk that someone could activate the camera? That would be a little bit concerning. Could someone try how hard it is to set this off?

  • @CodeEleven_86
    @CodeEleven_86 11 days ago

    This! This is why I don't like mods. It's just straight up scary when these things happen. Tho my main reason is to enjoy game much more in vanilla way. Patches for bug fix tho, I still like to install it

  • @sakamocat
    @sakamocat 11 days ago +2

    this situation reminds me a lot of the minecraft fractureiser exploit

  • @luketurner314
    @luketurner314 11 days ago +1

    So a PEB walk is kinda like searching the Table of Contents instead of the whole book one page at a time?

  • @bluegizmo1983
    @bluegizmo1983 11 days ago

    I'm surprised that such a well hidden, obfuscated, and undetectable payload system would be used to target such a small number of users who play a videogame with that specific mod.

    • @AM-yk5yd
      @AM-yk5yd 11 days ago +2

      I'm almost 100% sure the author uses the same approach in other mods and applications

  • @marshallodom1388
    @marshallodom1388 11 days ago

    Now I want to write malware just to watch Low Level break it all down and expose my own vulnerabilities.
    Unreal Tournament never had DLLs. My maps mods are still downloadable nearly 20 years later lol

  • @protonmaster76
    @protonmaster76 11 days ago +1

    Very clever how it hides what it is doing