Yeah it's safer, but unfortunately it also means we are very limited in what mods we can write; there is a trade-off. A mod for a Unity game can change anything in the game without restriction, you have access to everything the game developer has. Factorio mods can only touch what the game developer exposed to the modders, so it's very limited. I would rather have fewer restrictions and better mods, to be honest.
@@RealMasterKush420 except that in the case of Factorio, pretty much everything you need is exposed and if you want something new, there's a decent chance that they will add it to the API if you make a forum post with a good reason for it.
@@pwii Not really, I'm working on a few mods and there are a lot of frustrating limitations. Like you cannot modify bot behavior or train pathing or modify the vanilla UI. And they even added more restrictions in the 2.0 update, like you can't even zoom out more than the vanilla game anymore. And those are just some examples; there are a bunch of small things that should've been exposed years ago but still aren't.
Unfortunately that's not an end-all solution, there really isn't one. There are still numerous reported RCEs with many Lua versions, LuaJIT and even custom ones like rlua, glua, and even ravi.
I thought it was ridiculous that a game mod would be distributed as a DLL binary, then I realised all of Skyrim's most versatile mods are DLLs for SKSE.
Yeah, if a game doesn't support mods with their own sandboxing, either the modding community would have to develop and maintain their own system, or else just use the operating system's built-in functionality, which may or may not come with guard rails.
Yeah, even if it weren't distributed as a DLL, at the end of the day, mods need to modify the code of the game and run their own code. The only way mods can be completely safe is if the game (or a well-trusted modding framework) provides a built-in modding framework that only loads plain data or limits and sandboxes any way to run code, e.g. by running a Lua or WebAssembly interpreter that can only run certain methods specifically provided by the game which don't give unrestricted access to any other system resources. But this also inevitably restricts what mods can do to the things exposed by that modding framework.
While the overall intro has good points, I want to push back a little bit on it. A large portion of mods are not, in fact, code. And a bigger portion of them do have code, but not code with free rein. What do I mean? A ton of mods fall under (aka: assets only):
- Textures
- Models
- Data files that feed into the game's engine to do quests, etc.
- Some combination of the above.
These are nearly completely safe. Of course there's always the possibility of a vulnerability in one of the game's libraries used to parse/load those assets, then a mod shipping a maliciously malformed asset to exploit that vulnerability. The next level of mostly safe mods do include code, but:
- It's either a custom language, or
- Some interpreted language run within a sandboxed interpreter, so it only has access to the game data itself.
These are still usually safe, but again could exploit a vulnerability in the game's script running engine to break out and access your system. The ones that you absolutely need to be careful about are ones that *do* ship outside code: EXEs, DLLs, etc. Common ones here are some generic (as in they are not game specific) injectors that are meant to provide better graphics: ReShade, FXAA injectors, GShade, etc. Users of mods should be aware of what kind of data they're downloading, and know when they have to be more careful with them.
It's the fact the format _allows_ such things to be done. Take Minecraft, for example. It has resourcepacks, datapacks and mods. Resourcepacks are a template that is only being interpreted as images & text; datapacks are stupidly hacky code that is being run entirely within the confines of the game's sandbox, with the interpreter not even allowing it to consider asking for an external library. And now consider mods. There are datapacks that are distributed as mods, there are even some mods that do some advanced texturing. However you cannot guarantee anymore that the thing a mod does will not affect files it shouldn't, because rather than being a text file interpreted by the game, it now has MORE privilege than the game itself, being capable of calling everything a program does AND overriding the game's code.
@@qlx-i this whole situation would've been entirely avoided if devs just included a scripting engine that's comprehensive enough to do mods beyond the scope of the game, but it's sandboxed enough so that whatever the script does, it should heavily hamper or outright discourage any efforts that would be performed by a would-be threat actor.
Funny that you mentioned GShade, they are an excellent example, since they did insert malicious code in their installer around a year ago. Since then GShade is untrusted (by me at least, but there was an outrage too, so probably not many people trusting them either).
@@imgladnotu9527 problem is, you can't predict what mods would do. There's Sodium which just optimizes the hell out of the game, there's Iris that adds shaders to that. Despite Mojang slowly turning Minecraft data-driven, many things still can't be done. And besides, the way datapacks work was initially more of a hack than anything. I think many would agree that Kotlin just feels way more natural than even Lua. And from a gamedev perspective it would be much harder than it looks.
Most games' mod support also essentially has mods be sandboxed to a certain degree. However, how sandboxed a mod is depends on the game, and sandboxing can be imperfect.
As someone who has dedicated half a lifetime to modding (about 25 years now), I think the key problem is modding environments that allow direct computer access. Games that provide a sandbox as their moddable environment are generally safer. I still lament this perception against this hobby, since I think the benefits to the community outweigh its potential harms. I do agree more scrutiny should be held for mods that go alter stuff like DLLs (even if part of the modding I did when younger involved such, alongside direct memory injection), but to outright dismiss the ecosystem that has allowed games to flourish for several decades and not be subject to the Live Service model feels harmful in the long term.
There's no way to prevent this. On top of that, some of the best mods are code patches that have to be applied at runtime, and the best way to do that is a dll. Even if they made an API for that, the user is going to be able to run code at one point or another, and you can do a lot with that. Even Lua, which is a popular scripting language for games and AI (Havok) can access the OS and read and write files to the system.
There is a way to prevent it in theory, just the coordination and implementation may be difficult to pull off. Depending on what the OS or particular game supports, you might end up having to place your trust in a community-developed solution, but that's better than placing full trust in every random developer.
@@nordgaren2358 Depends on how you implement Lua in your game. The only game I know where Lua is used is Garry's Mod, and it doesn't allow full access to the system; you can only alter files in a game's subdirectory 'data'. Calls to edit files outside throw an error.
@@nordgaren2358 "There's no way to prevent this." You are running a JavaScript sandbox in your browser many times every day, just like billions of people around the world. The trick is: don't give the language/runtime any functions to call that go outside of where it's supposed to go.
It's worth noting that not all game engines are the same and that mod support doesn't have to mean arbitrary execution of code. Some game engines offer a modding API that only lets you interact with the game and not the machine; take note of 7 Days to Die's XML config based "modlet" approach (people have made injection mods into the Unity DLLs), or Factorio's prototype mod system. Other game engines allow arbitrary code execution but run all mods under a sandboxed environment / VM.
None of them should be allowing ARBITRARY code execution. UNSIGNED code execution is usually needed (unless the devs build a whole signing system), but never arbitrary code execution.
The most used approach I am used to is Lua scripting for mods. Kinda shocked Skylines 2 just loads DLLs like that. That's malicious from the get go. wtf
Factorio is a great mention. I have developed some mods using their system, and made personal projects with Factorio's prototype mod system as inspiration because it's really interesting and surprisingly versatile. Such systems as those are really cool and have a lot of potential.
Please don't do fearmongering. Most mods are not distributed via dll but various scripting languages like lua or other custom solution. Any DLL in modern modding scene is usually a single helper dll that provides framework for other mods to take advantage of by expanding the modding API.
@@takujaba6746 It's funny you mention that. I remember seeing a reddit post about a mod that "was a virus". The mod itself wasn't the virus. It was a notepad file with a link to the virus.
This is such a prime example of why game developers should encourage actual support for modding inside of their games; when you say "when you install modifications to games, depending on how the game's written, most of the time you just install a DLL" this right here is the core issue. Games with proper mod support provide you with tools to create mods via a tailor-made set of API functions you can call. In the case of Skyrim, they have a limited scripting language called Papyrus. In the case of many other games, it's usually stripped down Lua with a game-specific API. The second you need a DLL to mod a game, you're already entering "unofficial" territory. GTA's modding scene, for instance, is absolutely full of DLLs, DLLs which provide an API to write mods in C# and load .NET DLLs even, none of which is officially supported and had to be reverse engineered. Skyrim is completely safe except for one attack vector: SKSE, Skyrim Script Extender, which as the name suggests, extends Papyrus because its limited functionality makes it a pain to work with, but the extensions themselves are perfectly safe, but now we're entering unofficial territory where you need a DLL in order for 90% of the mods on Nexusmods to work, because they all depend on SKSE. Attack that and you've screwed everyone over. If the developers simply provided the means, there'd be no need for ScriptHook, SKSE, and other such nonsense. By discouraging mods (which was GTA's stance up until a while ago, yet they've yet to provide any tools), you're not changing the fact that people are going to mod your game, you're just making it more dangerous to do so by forcing users to inject third-party executable instructions into your game's memory with the same privilege as the game itself and not providing a sandboxed environment that meets the requirements of the modders (which Papyrus doesn't, it's almost *too* sandboxed, hence SKSE.dll).
@@MajoraZero I agree with that, although if that's a response to a point I made and not just a statement, then I think you may have misunderstood what I'm trying to say. Mod support doesn't refer to whether a game can or can't be modded; a game can *always* be modded, more on that later. Let me first get some definitions straight to avoid confusion. At a low level, a game is ultimately an executable binary, run as a process, and a game "mod" is a modification of either:
1.) The static executable file itself on the disk, or related static assets (e.g. textures)
2.) The game's process memory allocated at runtime.
In more abstract terms, the behavior of a process, the game, is modified in one way or another. When I say "mod support" it means that modification of a game's behavior is an intended feature that the game is aware of. The game has a system built into it that recognizes mods and actively chooses whether to incorporate them or not. More importantly, the developers having control over that process means they can explicitly define what the game should consider a valid "mod" and how those mods are incorporated, whether that be a Lua runtime with limited access to the game's state (every MMO ever), or statically loading the mod's assets when the game launches (think Skyrim) which includes scripts that get executed at runtime (Papyrus in Skyrim's case) by an interpreter or JIT compiler baked into the game itself. This is all deliberately included by the developer of the game, and they have control over every step in that process. They make the decision to expose X game state, or wrappers to Y internal functions, all via the API provided to mod authors. They control what the game recognizes as a valid mod. The modding ecosystem of a game with official mod support will grow around the developer provided facilities. Every ESO mod ever is a `.lua` file with a metadata file, because the developers of ESO provided the facilities for client-side mod support.
That doesn't mean it *has* to be a `.lua` file. There's nothing stopping you from achieving the same result from a standard Lua mod that.. I don't know, adds a minimap, by writing a DLL that performs a trampoline hook on DX11's IDXGISCPresent function in order to call your own set of functions before returning to IDXGISCPresent's execution, and as your DLL is already injected into the process, you have complete access to the process memory, so you can draw yourself that same minimap, either through your own custom approach, or by calling the exact same functions the Lua API would have called to render said minimap. It doesn't matter if a game has official mod support or not, anything can be modded. The only reason it's called "modding" in the case where a game doesn't have official mod support purely boils down to the intent, but make no mistake, developing a cheat menu for a game that gives you infinite money uses the exact same method as a "mod" for a game with no official mod support that simply adds new features to the game. In both cases, the developer has not provided you with any official method or API to access the game state and make those modifications, so the only other way is injecting your code into the process in a way which the game is completely oblivious to, with no idea what a mod even is, or that its memory has been modified. In conclusion / key takeaways:
- A game can and will be modded regardless of whether or not it has mod support. There's a fine line of intent that separates it from just outright hacking in the case of the latter. A GTA V mod is no different than a GTA V hack/cheat. GTA V does not have mod support. Hence, ScriptHookV.dll (keyword: hook) being a pre-requisite for every GTA V mod.
- Games with no mod support with a community that wants to mod it will form an ecosystem of mods based around injecting arbitrary code into a process with the same level of system privilege and access to process memory as the process itself.
- Games with mod support and a community that wants to mod it will form an ecosystem of mods that come in the shape of what the developers provided their community with, because believe me, between having to develop your own "API" by figuring out what's what via live debugging the game and staring at x86 instructions for 6 hours to deduce 3 function signatures, and being provided a Lua API or DSL with all the functions you need to mod the game, absolutely nobody would opt for the former if it's not absolutely necessary (SKSE) or if it's recreational.
- If developers don't provide an official way to mod their game through an API under their control, with limited access to anything outside of what's necessary to create a mod, and a community is intent on modding that game, then you end up with an ecosystem of mods that inject arbitrary code into the game process, with zero restrictions. This video being an example of this going wrong. On the other hand, if a simple, basic, bare minimum Lua API is provided to be able to modify basic state like the character's position, or having FFI access to existing functions in the game's code responsible for.. idk, modifying the quest log, then you avoid the problem of fostering an ecosystem where DLL files are normalized as "the way this game is modded" when it's really the option that has to be resorted to due to the lack of an official, developer-provided framework, through which you can access the same state, without injecting arbitrary third-party code into a running executable with nothing stopping it from just deciding to crawl through your disk for sensitive data, load Winsock at runtime, establish a connection, and send all of that data to a malicious actor. There is absolutely zero reason why an official API would even permit you access to anything but the game's state, and maybe a math library or basic essentials, but no way in hell would you be given access to anything FFI related.
In fact, SKSE's existence speaks to how limited and locked down official modding APIs tend to be, that the community had to go out of their way to extend it.
@@berkeleyblue4247 Yeah, you're right, I do remember there being a Steam Workshop, which doesn't distribute DLLs, at least I'd hope not. Though if there is a thriving third-party modding ecosystem where mods as DLLs is something normal? I'd take that as an indicator that their mod support, while technically present, is lacking. It's one thing if it's just a one-off incident where one mod happens to be a DLL because there is no other way (SKSE being a prime example), but it's a whole other story if mods as DLLs is just a normal thing in the Cities Skylines modding community. I'd make the same argument for GTA5's modding scene where DLLs are just another Tuesday, although at least Cities Skylines I assume made an attempt to provide adequate support, but it just didn't quite cut it or was too restrictive. If you're at that point where people are having to resort to third-party sources and mod through DLLs, it's going to create an unsafe modding ecosystem where stuff like this becomes possible. I'd argue Cities Skylines should provide the missing access to whatever internals modders need that is forcing them to go the third-party DLL do-it-yourself route. If a framework already exists for mod support, it's not that hard of a task to just expose more of the game's internals. I'm not sure what the extent of their support is, but for argument's sake: whatever you need a DLL to access, simply provide access to that through your existing Lua API (assuming they even use Lua), and don't give your community a reason to DIY. It's better than no support, but inadequate support still leads to the same problem in the end. On the other hand, if this is actually how the game is officially meant to be modded, then that is a massive security blunder. DLL modding should never be the answer unless absolutely necessary. It should not be a normal thing, but most people don't understand the difference and don't realize the security risks involved by not staying within the game's "sandbox".
This is the one point where Lua is a good thing: it's sandboxable. That makes it ideal for game mods because it's easyish to read/write and can be run untrusted with virtually no security risk.
@@awesomecronk7183 But this also restricts what mods can do to only the things exposed to the Lua sandbox. And ofc, this only works if a game has this stuff built in, which most games don't, since it's a lot of work to do it properly. But yeah, if done well, it's definitely a good option.
Unfortunately, sandboxing Lua isn't an end-all solution though; by default Lua has the io library, LuaJIT allows C code execution through FFI, and every major version of Lua has had RCEs, from rLua to gLua. I absolutely love Lua, and have spent more time programming in Lua than any other language, but it's not an automatic solution to the problem. The true solution is only downloading from valid verifiable sources (open source software, and checking the code yourself).
@@SamTuffman For security, using something sandboxed is definitely much better than relying on trust and reading the source (as if the average person will or even can do that). Yes, it's obviously not 100% bulletproof, but exploits in Lua can be found and fixed and may not be easy to exploit. That's definitely much better than just hoping/trusting you're not going to get pwned. But ofc, sandboxing also puts limitations on mods, as mentioned previously.
The problem with something like this is that people will see the "support" number (the number of downloads, reviews, subscriptions, likes, etc), and they'll equate a high number (such as 300k in this example) with a high level of trust, especially if they have no other way to measure trust.
Supply chain attack injecting payload into a game mod. Surprised it took this long. Pretty obvious target rich environment to capture a whole lot of gamer machines on a zombie net.
I run a separate machine for games, but modding is kinda half the joy of most of my favorite games. Far too many games lock all their stuff down so that you can only have fun The Correct Way.
@@nordgaren2358 Lua is a terrible example. It is specifically made to be sandboxed. If a game has a Lua modding API and still has ways for mods to execute arbitrary malicious code outside of the scope of the game, that is because the game implemented the Lua sandbox wrong.
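The two threads of discussion above (the Garry's Mod style "you can only touch files under the game's 'data' subdirectory" restriction, and the point that a sandbox is only as good as the host functions handed to the script) come down to one host-side check. The C below is an added illustration, not code from Garry's Mod, Cities Skylines or any commenter: a hypothetical `path_confined()` that the game would run inside its replacement for Lua's `io.open` before letting a script touch the filesystem. `SANDBOX_ROOT`, `sandbox_open()` and the Lua binding it would sit behind are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>

/* Directory a script may touch, relative to the game's working directory.
   Hypothetical value, modelled on the "data" subdirectory mentioned above. */
#define SANDBOX_ROOT "data"

/* Returns 1 if `requested` stays inside SANDBOX_ROOT after normalisation,
   0 otherwise. Rejects absolute and UNC paths, drive letters and NTFS
   alternate streams (anything with ':'), and any ".." sequence that climbs
   above the root. Both '/' and '\\' count as separators so the check behaves
   the same on a Windows host. */
int path_confined(const char *requested)
{
    if (requested == NULL || requested[0] == '\0')
        return 0;
    if (requested[0] == '/' || requested[0] == '\\')
        return 0;                       /* absolute or UNC path */
    if (strchr(requested, ':') != NULL)
        return 0;                       /* "C:..." prefix or "file:stream" */

    int depth = 0;                      /* how deep below the root we are */
    const char *p = requested;
    while (*p != '\0') {
        const char *start = p;
        while (*p != '\0' && *p != '/' && *p != '\\')
            p++;
        size_t len = (size_t)(p - start);
        if (len == 0 || (len == 1 && start[0] == '.')) {
            /* empty component ("a//b") or ".": depth unchanged */
        } else if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (--depth < 0)
                return 0;               /* would climb above the root */
        } else {
            depth++;
        }
        if (*p != '\0')
            p++;                        /* skip the separator */
    }
    return 1;
}

/* What the host would register in place of io.open: opens the file only when
   it stays under SANDBOX_ROOT, otherwise returns NULL so the script gets an
   error instead of a handle. The Lua-side binding is omitted here. */
FILE *sandbox_open(const char *requested, const char *mode)
{
    if (!path_confined(requested))
        return NULL;
    char full[4096];
    int n = snprintf(full, sizeof full, "%s/%s", SANDBOX_ROOT, requested);
    if (n < 0 || (size_t)n >= sizeof full)
        return NULL;                    /* path too long */
    return fopen(full, mode);
}

int main(void)
{
    const char *probes[] = { "saves/slot1.txt", "a/b/../c.txt",
                             "../secrets.txt", "C:\\Windows\\win.ini" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-24s -> %s\n", probes[i],
               path_confined(probes[i]) ? "allowed" : "refused");
    return 0;
}
```

The check is purely lexical: it does not follow symlinks or junctions already present under the root, and it does not know about Windows reserved device names such as `CON`, so a production host would pair it with opening relative to a directory handle (or resolving the real path after the open) and with a whitelist of allowed `mode` strings.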
This is a game design issue. VERY few mods for games require a third-party DLL. There are common exceptions for games that don't require DLLs (stuff like Skyrim Script Extender), so always be cautious... but really this is terrible game design from Cities Skylines.
The actual issue is why the fuck is executing everything without compartmentalization by the OS the norm? Almost no game should have permission to interact with the filesystem other than its own files that it shipped with (or were dropped in, e.g. modded), certainly no crypto wallet application. That's insane. On mobile, we have had this whole class of issues solved for 10+ years now by having sane and very limited default permissions of what an app can do outside itself.
Well... Windows kinda was trying to do compartmentalization with the Windows Store apps... The issue is there is a *lot* of older software that was designed with no compartmentalization in mind and stores/accesses data everywhere on the PC and can self-modify. This leads to Windows relying on the old way of interacting with things. If you look at macOS and most recent Linux distributions, they are trying to implement proper access management, which leads to their own headaches for app developers and users but kinda works.
I feel like the smarter takeaway would've been just don't bank or handle sensitive data on the same machine you consume media on. Some game devs take cyber-security seriously, but they're the exception. Serious media decoding bugs are also a dime a dozen.
I'm currently researching how to make plugins, game mods and other software modification strategies safer, by employing safety layers, sandboxes and quite some WASM / sandboxed languages... And it's harder than it looks at first sight. This topic is very important though, and safety of data and software integrity will only become more and more important.
Hey Low Level, I'm just wondering: did you really quit League after Vanguard? I quit and my friends still think I'm being extreme, but I came to the same conclusion as you, I'm not installing a rootkit on my PC, that's just asking for trouble.
@@LowLevelTV The only good thing about vanguard: whenever the temptation to return to league strikes I just remember that Vanguard still exists and I like an internet and laptop not controlled by a Chinese company. Quitting league really makes a massive difference. League's effect on your mental health is just like gambling on steroids, with the reward being the rush of victory instead of actual money.
Holy crap, the improvement of my mental health after leaving league was very noticeable for me! I am glad to read others have come to the same realization!
“Very sketchy calls”
- creating a thread
- connecting to the internet
- writing a file
Gotta say it’s weird for a math library but in general that’s very normal shit.
@@bigombrello I mean creating a thread isn’t that sketchy. Anyway, the issue is an AV doesn’t really know it’s a math library, and going “these are suspicious” generally would be stupid as hell.
Yeah I really didn't understand that bit lol, saying that if you see a program using basic threading stuff and WinSock2 it's almost always malware seems silly
TBH If there's backdoors in my OS, my browser or really almost any program, then worrying about backdoors in my mods would just drive me crazy. At least I'm pretty sure there's no backdoors in the mods I made myself. But then again, I generally need other programs to make mods in the first place...
Lots of mods are non-code asset modifications only, such as texture and model replacement mods, so if you blanket avoid all mods, that's on you. Especially considering that you can and do know better. Some, while they do touch code, patch a couple of bytes at most (such as aspect ratio or framerate uncapping mods). Some more elaborate mods are even open source / source available / well documented. Minecraft mods are also a particularly bad example, because it's just Java (if you play the Java Edition). Not saying everyone goes and audits those mods, but the barrier to entry is way lower. It's like telling people that piracy is a boogeyman and they're all getting hacked. They don't.
This is only tangentially related, but messing around with Neovim packages and Neovim package managers like Lazy makes me super worried. I always feel like it would be incredibly easy to conduct a supply chain attack with it.
This is one of my favourite videos. I don't really play games but I love how you break down that giant mov sequence that got reconstructed by the seemingly benign prof-blah DLL. This was really neat, even for a novice programmer like me looking for coding challenges to practise on. I can't wait to try to break a hello world down and rebuild it to run with another function in another file just for fun.
Malicious mods have been a thing in Minecraft for a while, both in the form of mods being designed to be malware or copies of mods being made with malware in them, and infecting existing mods with malware. So it isn't very surprising that it's happening elsewhere too.
Hash-based PEB walking is actually very hard to detect, even for behavior-based detection engines. Most of the time AVs just hook onto certain system module exports and try to log what a program does. Parsing or even emulating long sequences of assembly is too resource intensive to be useful.
This made me think about the "fractureiser" malware on Minecraft five months ago that specifically attacked the modding ecosystem of Minecraft to distribute itself.
Same. I remember watching as news came out on Fractureiser in real time; it was interesting seeing people break down and eventually counter it. It was wild to me how Fractureiser tried to inject its first stage into other JAR files as an attempt to spread.
@@Arcensyl-f6h same lol. Now when I launch the game I have it set to always scan for Fractureiser, just in case. There was also some weird stuff with serialization recently.
@@sillythewanderer4221 I should probably scan JARs for it more honestly. I'm curious, how did you set it up to automatically run the scanner before the game starts?
@@Arcensyl-f6h I have been just using ATLauncher (not TLauncher, that is a virus) and whenever I launch a mod pack it scans for Fractureiser, but I think most non-vanilla launchers also do it. What launcher do you use?
@@Arcensyl-f6h Some launcher will do that for you if you set it up. I'm using ATLauncher for my modded minecraft instances and whenever it launches an instance there is a step where it is "scanning for fractureiser"; I haven't checked but there should be a setting in there.
3:48 I've actually seen legitimate software that provides code via a dynamically importable library without any exports. It makes debugging it slightly harder, since it's probably all initialized in the DllMain or just has a hardcoded VTable in the main executable. One example I can name is Microsoft V-Chat's VCHATHLP module.
As far as Skyrim mods go, the only "code" that exists is SKSE plugins (DLLs, and people rarely provide source code, but they provide the *.psc Papyrus source code most of the time), Papyrus scripts (pex files either loose or inside BSAs) and VMAD records (inside the ESP/M/L files, but they are super limited). Unless there's some exploit, and there probably are many: the game segfaults and crashes more frequently than the Rust people say C applications do.
Whether a game is vulnerable via mods depends on how mods are implemented. In some games it's Lua and you need to go through the game's functions to do ANYTHING (and some don't let you touch the filesystem or heavily restrict it). In other games it's literally just an XML (or similar) with a few assets (like textures or audio). Sure, one could theoretically exploit a vulnerability in e.g. the parser of these files, but that's pretty darn hard (and at that point one would need to consider EVERY program which parses user-provided files of any kind vulnerable).
This looks exactly like the technique you are taught in OSED for writing custom shellcode. You use a custom hashing function to search for the functions you need, mainly because string comparing in plain assembly is quite painful.
If it's that common I'm surprised that an export address table walker is not picked up by security products via heuristic or behaviour analysis. Btw, benny/29a & crew demonstrated that technique in 1998. Yes, it's that old. On the shoulders of giants!
Just wanna say thank you for the push towards low level learning! I’ve taught myself C#, Java, python, etc but the low level ones like C and assembly always scared me! I have to consider your course because I love your style and energy.
Reminds me of the old DOS viruses, patching the interrupt vector, but instead of in memory, on the DLL exception handlers. Also, using hashes to disguise the names of the DLLs it looks for is clever, yet it's sad, because they take advantage of people who only want to enjoy their games more.
It would be the same if you downloaded a game from some random website. But companies have a financial interest in not letting their customers get hacked. Sometimes you have two independent parties with an interest in protecting their customers (developer and platform).
@@blueboy4625 idc bro I’m gonna keep downloading mods. Not worth this level of paranoia. just have common sense about where you get your mods from, keep proper backups, and keep your important files stored someplace safe like an encrypted flash drive not constantly plugged into your computer
Title and thumbnail had me worried CS1 was affected. And to the people who say it doesn't matter: only the first part is general. The rest is about a specific mod for CS2.
DLLs, as you show it, absolutely have entry points. Back in the day I wrote some very simple Photoshop plugins. Once the given plugin was loaded by Photoshop, the entry point of the DLL had the control to initialize the plugin.
Reminds me of the Gbombs backdoor for Gmod. IIRC the author put in backdoors that allowed him to spawn money and items on DarkRP servers, and even run admin level commands and spawn admin restricted items. It got discovered when a server admin noticed suspicious commands being run in server logs.
Couldn't antimalware software monitor DLL/EXEs more closely if they're unsigned and have that sort of obfuscation in them? then the antimalware would pick up on all of those methods getting called and flag it / mark it as PUA / send it upstream for analysis / etc. One downside, though, is the game modder could simply tell their users to ignore false positive malware warning lol
Sure they can, but most of a packer/stage one's job is to make sure that the antivirus doesn't pick up on anything. Tbh, idk why they didn't pick up the peb crawl. Another thing that is dangerous is that a lot of people put games as an exception in their antivirus for one reason or another.
12:32 That "hash" is just standard crc-32 without the post-inversion (which was probably folded into the constant they're testing against by the compiler)
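The comment above identifies the import "hash" as CRC-32 with the final inversion dropped. The following is an added example (not code from the video or from the mod's author) showing what that means in practice and how an analyst can use it: a table-driven CRC-32 with the usual 0xFFFFFFFF seed but no closing `~`, a check that it agrees with `zlib.crc32` once the inversion is accounted for, and a small lookup table that maps hash constants back to export names so that hashed imports in a sample can be resolved to readable API names. The export names in `SAMPLE_EXPORTS` are a constructed list for the example, not data taken from the page.

```python
import zlib

# Reflected form of the IEEE 802.3 polynomial used by standard CRC-32.
CRC32_POLY = 0xEDB88320


def _make_table():
    """Build the 256-entry lookup table for the reflected CRC-32 algorithm."""
    table = []
    for byte in range(256):
        crc = byte
        for _ in range(8):
            crc = (crc >> 1) ^ CRC32_POLY if crc & 1 else crc >> 1
        table.append(crc)
    return table


_TABLE = _make_table()


def crc32_no_final_xor(data: bytes) -> int:
    """CRC-32 with the standard 0xFFFFFFFF seed but WITHOUT the final inversion.

    This is the variant the comment describes: a compiler can fold the missing
    '^ 0xFFFFFFFF' into the constant being compared against, so the function
    that hashes export names never performs it.
    """
    crc = 0xFFFFFFFF
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc & 0xFFFFFFFF


def standard_crc32(data: bytes) -> int:
    """Ordinary CRC-32 (IEEE), i.e. the same register with the post-inversion applied."""
    return crc32_no_final_xor(data) ^ 0xFFFFFFFF


def agrees_with_zlib(data: bytes) -> bool:
    """Sanity check: zlib's CRC-32 XOR 0xFFFFFFFF must equal the non-inverted variant."""
    return crc32_no_final_xor(data) == (zlib.crc32(data) ^ 0xFFFFFFFF)


# Constructed list of export names an analyst might pull from a DLL's export
# table (e.g. via pefile). Not data from the page.
SAMPLE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc",
    "VirtualProtect", "CreateThread", "WriteProcessMemory",
]


def build_hash_table(names):
    """Precompute hash -> export name so constants found in a sample can be resolved."""
    return {crc32_no_final_xor(n.encode("ascii")): n for n in names}


def resolve(table, value: int):
    """Return the export name behind a hash constant, or None if it is not in the table."""
    return table.get(value & 0xFFFFFFFF)


def resolve_all(names, constants):
    """Resolve a list of hash constants against a list of export names."""
    table = build_hash_table(names)
    return [resolve(table, c) for c in constants]


if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    for h, name in sorted(table.items()):
        print(f"0x{h:08x}  {name}")
```

Running the block prints the non-inverted CRC-32 of each constructed export name; comparing those values with constants found next to the comparison in a sample tells you which API the code is looking for. If the hashes do not match, the next things to try are the inverted variant (`standard_crc32`), upper- or lower-casing the names before hashing, and hashing the name with its trailing NUL byte included.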
You know, alternatively an even more obfuscated malware would read assets (images, textures, etc) that contain code embedded via steganography. That way your DLL does what it’s expected to do - process an asset, and then the new program can be loaded
The problem with lua scripting is you can't modify the game, i know that's the _point_ of it, but some of the best Minecraft mods would be impossible like that
Wouldn't it be a good practice for game studios to make games moddable through providing some kind of sandboxed environment where all the code of a mod would be in a scripting language (like LUA or Python) and the capabilities would be limited (no meddling with the operating system, no Internet connections)?
I am impressed with how they hid the imports ngl. I feel like a good antivirus should be able to catch it but I am not sure many companies know how to make good programs. it just makes life easier for hackers
Lol, the mov operation trick is something that was being taught at a Hungarian university years (now decades?) ago for the low level classes. Exactly the same pattern. It makes me wonder if this was some state sponsored backdoor coming from us maybe haha. Would have been so cool ;-)
Killing Steam Modding, Killed CS2 for me. Made some great mates in the mod community, loved every time an airport or plane and its livery was created combined with the enthusiastic community from Keralis to Conflicted etc etc. That steam community was amazing. While I understand this introduces the Xbox community, and as someone who did play on Xbox for a while, where no mods did annoy me, why they didn't let steam and their own internal mod page both be platforms for mods baffles me, and makes me so incredibly not enthusiastic for the game. Played it a couple times, got a few cities to 100k, and then went on hiatus.
Mods can generally be trusted if the engine runs script type mods, where there is no actual compiled code but an abstract interpreted custom "programming language". That way, modders can do only the particular things that the devs allow them to, which is great for security but probably annoying for mod creators
The fearmongering is unnecessary my dude. There are thousands of mods for hundreds of games and malicious mods are extremely rare occurrences that usually never make it to the end user because the hosting platform/clients/websites like Curse, Nexus, Steam Workshop, etc. check the code before allowing them to be posted for download.
As a Mario Kart Wii modder, I can tell you most mods don't include code, only assets (They are known as assets only Riivolution or My Stuff mods inside the MKW modding community). Of course some mods like CTGPR and Pulsar packs do include code to extend the track limit of 32 (let's not talk about LECODE, that's deprecated) but that's about it
There's a big difference between code mods and content mods. A lot of games that support mods will have ways of integrating user generated content without them needing to run any code at all. It's important to make that distinction because modding a game can bring huge enhancements to it that you might miss out on.
Woooooo!!! Someone shared this in the Fromsoft Modding discord, where Nordgaren spends a lot of time. Cool to see him mentioned! And wild attack, very interesting obfuscation method. Brb never downloading mods ever again lol.
Another takeaway from this video is that one should not be installing software willy-nilly from unknown or untrusted sources on one's computer that is used for banking, email, and other "serious" functions. For those running open-source systems, it may be as simple as obtaining a second hard drive for games and the like and booting from one drive or the other. For those running Microsoft Windows or Mac OS, it would mean having to buy a second license for a second copy of the operating system to run on another drive or getting another computer outright.
Would love more content like this. wish you'd explain what APIs are called when malware is about to do a process injection, Process hollowing, DLL sideloading etc.
It's funny that this malware is considered interesting. Back in the days manual import/export walk with name hash checking was pretty standard. I guess back at times of 29a writing low level stuff was mostly done for curiosity and experimentation, not to get easy cash by script kiddies.
What you also might take away is that Steam and the game developer should provide a safe way to install plug-ins and show you how much they tested them.
12:20 - I genuinely do wonder, why go through all this trouble to avoid static analysis, when you can load functions from WinAPI at runtime whose offset you do know, such as GetModuleBaseAddress and some such, that will give you that exact information, and just encrypt those instructions? They already went through the trouble of packing a second DLL file which they XOR'd, so why not just obfuscate the WinAPI imports and base address lookups? I mean, I get that it would look very suspicious to runtime analysis of the DLL, but as you said yourself, walking the PEB is already suspicious to runtime analysis, so if this was all for the sake of avoiding static analysis, why opt for this method when a much simpler option is available? If an AV couldn't pick up that it was dumping an XOR'd DLL onto the disk, surely it wouldn't pick the same, except it's obfuscated instructions that import and run a WinAPI function, would it? Don't know how advanced heuristics are nowadays, but, packed data is present in a lot of binaries, how can it distinguish if it's malicious or not without running the thing that unpacks the data ?
wow no way that happened wouldnt it be cool if you learned to code at lowlevel.academy (ok)
4:29 "All my computers are designed around this" based
shit I did that again
does this have courses that go beyond what is taught at W3schools? asking for a friend
please put purchase power parity into the pricing
well how can u see the source of the code to know?
In Factorio, all mods are Lua scripts which are executed by the custom patch of Lua engine with all I/O removed.
Yeah it's safer but unfortunately it also mean we are very limited in what mod we can write, there is a trade-off. A mod for a Unity game can change anything in the game without restriction, you have access to everything the game developer has. Factorio mods can only touch what the game developer exposed to the modders, so it's very limited. I would rather have less restrictions and better mods to be honest.
@@RealMasterKush420 except that in the case of Factorio, pretty much everything you need is exposed and if you want something new, there's a decent chance that they will add it to the API if you make a forum post with a good reason for it.
@@pwii Not really, I'm working on a few mods and there is a lot of frustrating limitations. Like you can not modify bot behavior or train pathing or modify vanilla UI. And they even added more restrictions in the 2.0 update, like you can't even zoom out more than the vanilla game anymore. And those are just some examples there is a bunch of small things that should've been exposed years ago but still aren't.
@@RealMasterKush420 Have you tried? Far too many things don't happen because nobody thought to complain.
Unfortunately that's not an end-all solution, there really isn't one. There's still numerous reported RCEs with many lua versions, luajit and even custom ones like rlua, glua, and even ravi.
I remember downloading minecraft hacked clients from the web as a kid with no care about security on my mom's computer.
millennials + limewire name a better duo
Nodus lmao
@@LowLevelTV millennials and dialup
Will be every kid throughout history. Don't be cheap and share your computer with your kids. Let them have their own honey pots.
@@LivvieLynn maybe one reason why i got my own 386 back in 1992 when i was nine. 😅
I thought it was ridiculous that a game mod would be distributed as a DLL binary, then I realised all of Skyrim's most versatile mods are DLLs for SKSE.
This is actually very normal for unity games because modding those is most reliably done via injection of bepinex.
My patches for Elden Ring are also DLLs. If you want to patch the code in the game, you have to inject into it somehow, and a dll is the best way.
Yeah, if a game doesn't support mods with their own sandboxing, either the modding community would have to develop and maintain their own system, or else just use the operating system's built-in functionality, which may or may not come with guard rails.
Yeah, even if it weren't distributed as a DLL, at the end of the day, mods need to modify the code of the game and run their own code. The only way mods can be completely safe is if the game (or a well-trusted modding framework) provides a built-in modding framework that only loads plain data or limits and sandboxes any way to run code, e.g. by running a Lua or WebAssembly interpreter that can only run certain methods specifically provided by the game which don't give unrestricted access to any other system resources. But this also inevitably restricts what mods can do to the things exposed by that modding framework.
C# assemblies are DLLs, so it's basically standard that mods for games made in C# (Terraria, Celeste) are DLLs.
8:50 Interesting thing about the second stage is because it's done dynamically, it doesn't get caught as packed by most tools (IE DIE).
While the overall intro has good points - I want to push back a little bit on it. A large portion of mods are not, in fact, code. And a bigger portion of them do have code, but not code with free rein.
What do I mean? A ton of mods fall under (aka: assets only):
- Textures
- Models
- Data files that feed into the game's engine to do quests, etc.
- Some combination of the above.
These are nearly completely safe. Of course there's always the possibility of a vulnerability in one of the game's libraries used to parse/load those assets, then a mod shipping a maliciously malformed asset to exploit that vulnerability.
The next level of mostly safe mods do include code, but:
- It's either a custom language or
- Some interpreted language run within a sandboxed interpreter, so it only has access to the game data itself
These are still usually safe, but again could exploit a vulnerability in the game's script running engine to break out and access your system.
The ones that you absolutely need to be careful about are ones that *do* ship outside code: exe's, dll's, etc. Common ones here are some generic (as in they are not game specific) injectors that are meant to provide better graphics. ReShade, FXAA injectors, GShade, etc.
Users of mods should be aware of what kind of data they're downloading, and know when they have to be more careful with them.
It's the fact the format _allows_ such things to be done.
Take Minecraft, for example. It has resourcepacks, datapacks and mods. Resourcepacks are a template that is only being interpreted as images & text, datapacks are stupidly hacky code that is being run entirely within the confines of the game's sandbox, with the interpreter not even allowing to consider asking for an external library. And now consider mods. There are datapacks that are distributed as mods, there are even some mods that do some advanced texturing.
However you cannot guarantee anymore that the thing a mod does will not affect files it shouldn't, because rather than being a text file interpreted by the game, it now has MORE privilege than the game itself, being capable of calling everything a program does AND overriding the game's code.
@@qlx-i this whole situation would've been entirely avoided if devs just included a scripting engine that's comprehensive enough to do mods beyond the scope of the game, but it's sandboxed enough so that whatever the script does, it should heavily hamper or outright discourage any efforts that would be performed by a would be threat actor
Funny that you mentioned GShade, they are excellent example, since they did insert malicious code in their installer around a year ago.
Since then GShade is untrusted (by me at least, but there was an outrage too, so probably not many ppl trusting them either).
@@imgladnotu9527 problem is, you can't predict what mods would do. There's sodium which just optimizes the hell out of the game, there's Iris that adds shaders to that. Despite Mojang slowly turning minecraft data-driven, many things still can't be done. And besides, the way datapacks work was initially more of a hack than anything. I think many would agree that kotlin just feels way more natural than even Lua.
And from gamedev perspective it would be much harder than it looks.
Most games' mod support also essentially has mods be sandboxed to a certain degree. However, how sandboxed a mod is depends on the game, and sandboxing can be imperfect.
As someone who has dedicated half a lifetime into modding (about 25 years now), I think the key problem is modding environments that allow direct computer access to be the major problems. Games that provide a sandbox as their moddable environment are generally safer. I still lament this perception against this hobby, since I think the benefits to the community outweigh its potential harms. I do agree more scrutiny should be held for mods that go alter stuff like DLLs (even if part of the modding I did when younger involved such, alongside direct memory injection), but to outright dismiss the ecosystem that has allowed games to flourish for several decades and not be subject of the Live Service model feels harmful in the long term
There's no way to prevent this.
On top of that, some of the best mods are code patches that have to be applied at runtime, and the best way to do that is a dll. Even if they made an API for that, the user is going to be able to run code at one point or another, and you can do a lot with that.
Even Lua, which is a popular scripting language for games and AI (Havok) can access the OS and read and write files to the system.
There is a way to prevent it in theory, just the coordination and implementation may be difficult to pull off. Depending on what the OS or particular game support you might end up having to place your trust in a community developed solution but that's better than placing full trust in every random developer.
@@keithl3789 That would just paint a big target on a single project...
@@nordgaren2358 Depends on how you implement Lua in your game. The only game i know where Lua is used is Garry's Mod, and it doesn't allow full access to the system, you can only alter files in a game's subdirectory 'data'. Calls to edit files outside throw an error
@@nordgaren2358 "There's no way to prevent this."
You are running a Javascript sandbox in your browser many times every day, just like billions of people around the world.
The trick is: don't give the language/runtime any functions to call go outside of where it's supposed to go.
It's worth noting that not all game engines are the same and that mod support doesn't have to mean arbitrary execution of code. Some game engines offer a modding API that only lets you interact with the game and not the machine, take note of 7 days to die's XML config based "modlet" approach (people have made injection mods into the unity dlls), or factorio's prototype mod system. Other game engines allow arbitrary code execution but run all mods under a sandboxed environment / VM.
I very much enjoy Factorio's modding system.
None of them should be allowing ARBITRARY code execution. UNSIGNED code execution is usually needed (unless the devs build a whole signing system), but never Arbitrary code execution.
The most used approach i am used to is LUA scripting for mods. Kinda shocked Skylines 2 just loads DLLs like that. That's malicious from the get go. wtf
factorio is a great mention. I have developed some mods using their system, and made personal projects with factorio's prototype mod system as inspiration because it's really interesting and surprisingly versatile. such systems as those are really cool and have a lot of potential.
As long as a mod involves injecting custom code into the game, wouldn't that be potentially malicious. Other methods are not as powerful.
Please don't do fearmongering. Most mods are not distributed via dll but various scripting languages like lua or other custom solution. Any DLL in modern modding scene is usually a single helper dll that provides framework for other mods to take advantage of by expanding the modding API.
@@otso648 Skyrim's mods (probably the biggest modding scene out there) would like to have a word with you.
@@takujaba6746 It's funny you mention that. I remember seeing a reddit post about a mod that "was a virus". Which in the mod itself wasn't the virus. It was a notepad with a link to the virus.
@@otso648 Minecraft mods are just JAR files with executable code in them
This is such a prime example of why game developers should encourage actual support for modding inside of their games; when you say "when you install modifications to games, depending on how the game's written, most of the time you just install a DLL" this right here is the core issue. Games with proper mod support provide you with tools to create mods via a tailor made set of API functions you can call. In the case of Skyrim, they have a limited scripting language called Papyrus. In the case of many other games, it's usually stripped down Lua with a game specific API.
The second you need a DLL to mod a game, you're already entering "unofficial" territory. GTA's modding scene for instance, is absolutely full of DLLs, DLLs which provide an API to write mods in C# and load .NET DLLs even, none of which is officially supported and had to be reverse engineered. Skyrim is completely safe except for one attack vector: SKSE, Skyrim Script Extender, which as the name suggests, extends Papyrus because its limited functionality makes it a pain to work with, but the extensions themselves are perfectly safe, but now we're entering unofficial territory where you need a DLL in order for 90% of the mods on Nexusmods to work, because they all depend on SKSE. Attack that and you've screwed everyone over.
If the developers simply provided the means, there'd be no need for ScriptHook, SKSE, and other such nonsense. By discouraging mods (which was GTA's stance up until a while ago, yet they've yet to provide any tools), you're not changing the fact that people are going to mod your game, you're just making it more dangerous to do so by forcing users to inject third party executable instructions into your game's memory with the same privilege as the game itself and not providing a sandboxed environment that meets the requirements of the modders (which Papyrus doesn't, it's almost *too* sandboxed, hence SKSE.dll)
If you raise the bar of requiring any kind of modding support to be fully safe, then all you get is games not having modding support.
@@MajoraZero I agree with that, although if that's a response to a point I made and not just a statement, then I think you may have misunderstood what I'm trying to say. Mod support doesn't refer to whether a game can or can't be modded; a game can *always* be modded, more on that later. Let me first get some definitions straight to avoid confusion.
At a low level, a game is ultimately an executable binary, ran as a process, and a game "mod" is a modification of either:
1.) The static executable file itself on the disk, or related static assets (e.g. textures)
2.) The game's process memory allocated at runtime.
In more abstract terms, the behavior of a process, the game, is modified in one way or another.
When I say "mod support" it means that modification of a game's behavior is an intended feature that the game is aware of. The game has a system built into it that recognizes mods and actively chooses whether to incorporate them or not.
More importantly, the developers having control over that process means they can explicitly define what the game should consider a valid "mod" and how those mods are incorporated, whether that be a Lua runtime with limited access to the game's state (every MMO ever), or statically loading the mod's assets when the game launches (think Skyrim) which includes scripts that get executed at runtime (Papyrus in Skyrim's case) by an interpreter or JIT Compiler baked into the game itself.
This is all deliberately included by the developer of the game, and they have control over every step in that process. They make the decision to expose X game state, or wrappers to Y internal functions, all via the API provided to mod authors. They control what the game recognizes as a valid mod.
The modding ecosystem of a game with official mod support will grow around the developer provided facilities. Every ESO mod ever is a `.lua` file with a metadata file, because the developers of ESO provided the facilities for client-side mod support. That doesn't mean it *has* to be a `.lua` file.
There's nothing stopping you from achieving the same result from a standard Lua mod that.. I don't know, adds a minimap, by writing a DLL that performs a trampoline hook on DX11's IDXGISCPresent function in order to call your own set of functions before returning to IDXGISCPresent's execution, and as your DLL is already injected into the process, you have complete access to the process memory, so you can draw yourself that same minimap, either through your own custom approach, or by calling the exact same functions the Lua API would have called to render said minimap.
It doesn't matter if a game has official mod support or not, anything can be modded.
The only reason it's called "modding" in the case where a game doesn't have official mod support purely boils down to the intent, but make no mistake, developing a cheat menu for a game that gives you infinite money uses the exact same method as a "mod" for a game with no official mod support that simply adds new features to the game.
In both cases, the developer has not provided you with any official method or API to access the game state and make those modifications, so the only other way is injecting your code into the process in a way which the game is completely oblivious to, with no idea what a mod even is, or that its memory has been modified.
In conclusion / key takeaways:
- A game can and will be modded regardless of whether or not it has mod support. There's a fine line of intent that separates it from just outright hacking in the case of the latter. A GTA V mod, is no different than a GTA V hack/cheat. GTA V does not have mod support. Hence, ScriptHookV.dll (keyword: hook) being a pre-requisite for every GTA V mod.
- Games with no mod support with a community that wants to mod it, will form an ecosystem of mods based around injecting arbitrary code into a process with the same level of system privilege and access to process memory as the process itself.
- Games with mod support and a community that wants to mod it, will form an ecosystem of mods that come in the shape of what the developers provided their community with, because believe me, between having to develop your own "API" by figuring out what's what via live debugging the game and staring at x86 instructions for 6 hours to deduce 3 function signatures, and being provided a Lua API or DSL with all the functions you need to mod the game, absolutely nobody would opt for the former if it's not absolutely necessary (SKSE) or if it's recreational.
- If developers don't provide an official way to mod their game through an API under their control, with limited access to anything outside of what's necessary to create a mod, and a community is intent on modding that game, then you end up with an ecosystem of mods that inject arbitrary code into the game process, with zero restrictions. This video being an example of this going wrong.
On the other hand, if a simple, basic, bare minimum Lua API is provided to be able to modify basic state like the character's position, or having FFI access to existing functions in the game's code responsible for.. idk, modifying the quest log, then you avoid the problem of fostering an ecosystem where DLL files are normalized as "the way this game is modded" when it's really the option that has to be resorted to due to the lack of an official, developer-provided framework, through which you can access the same state, without injecting arbitrary third party code into a running executable with nothing stopping it from just deciding to crawl through your disk for sensitive data, load Winsock at runtime, establish a connection, and send all of that data to a malicious actor.
There is absolutely zero reason why an official API would even permit you access to anything but the game's state, and maybe a math library or basic essentials, but no way in hell would you be given access to anything FFI related. In fact, SKSE's existence speaks to how limited and locked down official modding APIs tend to be that the community had to go out of their way to extend it.
@@kyouko5363 To be fair: City Skylines Developer allows and has support for mods directly in the game
@@berkeleyblue4247 Yeah, you're right, I do remember there being a Steam Workshop, which doesn't distribute DLLs, at least I'd hope not. Though if there is a thriving third party modding ecosystem where mods as DLLs is something normal? I'd take that as an indicator that their mod support, while technically present, is lacking.
It's one thing if it's just a one off incident where one mod happens to be a DLL because there is no other way (SKSE being a prime example), but it's a whole other story if mods as DLLs is just a normal thing in the Cities Skylines modding community.
I'd make the same argument for GTA5's modding scene where DLLs are just another Tuesday, although at least Cities Skylines I assume made an attempt to provide adequate support, but it just didn't quite cut it or was too restrictive. If you're at that point where people are having to resort to third party sources and mod through DLLs, it's going to create an unsafe modding ecosystem where stuff like this becomes possible.
I'd argue Cities Skylines should provide the missing access to whatever internals modders need that is forcing them to go the third party DLL do it yourself route. If a framework already exists for mod support, it's not that hard of a task to just expose more of the game's internals. I'm not sure what the extent of their support is, but for argument's sake: whatever you need a DLL to access, simply provide access to that through your existing Lua API (assuming they even use Lua), and don't give your community a reason to DIY.
It's better than no support, but inadequate support still leads to the same problem in the end.
On the other hand, if this is actually how the game is officially meant to be modded, then that is a massive security blunder.
DLL modding should never be the answer unless absolutely necessary. It should not be a normal thing, but most people don't understand the difference and don't realize the security risks involved by not staying within the game's "sandbox"
my current skyrim modlist contains 194 dll files hehe
I just had a little panic attack because I was playing Cities: Skylines 1 with a Traffic Manager mod earlier.
T h a n k y o u f o r t h e E t h e r.
It also affected the first game too
@@everythingpony Everything I’m reading was for CS2. Paradox put an announcement on CS2 but not CS1.
@@everythingpony it did not apply to nor AFFECT the first game
This is the one point where Lua is a good thing: it's sandboxable. That makes it ideal for game mods because it's easyish to read/write and can be run untrusted with virtually no security risk.
@@awesomecronk7183 But this also restricts what mods can do to only the things exposed to the Lua sandbox. And ofc, this only works if a game has this stuff built in, which most games don't, since it's a lot of work to do it properly. But yeah, if done well, it's definitely a good option.
Lua is a fucking major risk because it can make http requests to load malicious modules
unfortunately, sandboxing lua isn't an end all solution though, by default lua has io library, luajit allows C code execution through FFI, and every major version of lua has had RCEs from rLua to gLua.
I absolutely love lua, and have spent more time programming in lua than any other language, but it's not an automatic solution to the problem. The true solution is only downloading from valid verifiable sources (open source software, and checking the code yourself)
@@SamTuffman For security, using something sandboxed is definitely much better than relying on trust and reading the source (as if the average person will or even can do that). Yes, it's obviously not 100% bulletproof but exploits in Lua can be found and fixed and may not be easy to exploit. That's definitely much better than just hoping/trusting you're not going to get pwned. But ofc, sandboxing also puts limitations on mods, as mentioned previously.
Again you are still just running code from strangers on your computer.
The problem with something like this is that people will see the "support" number (the number of downloads, reviews, subscriptions, likes, etc), and they'll equate a high number (such as 300k in this example) with a high level of trust, especially if they have no other way to measure trust.
Why in 2024 desktop operating systems still let most applications run with no sandboxing is beyond me.
Well, Windows doesn't have a proper sandbox (the closest are AppContainers)
@@tablettablete186 Or Windows Sandbox (lol) which is exclusive to Pro users (and adds an ugly yellow border)
This is why I prefer to run Steam with flatpak these days. Not foolproof but better than nothing.
@@seeibe It literally isn't
@@ougonce Flatpaks are a sandbox. They use namespaces for isolations and a SECCOMP filter.
Supply chain attack injecting payload into a game mod. Surprised it took this long. Pretty obvious target rich environment to capture a whole lot of gamer machines on a zombie net.
This comment reads like dialogue from a cyberpunk game.
@@loldoctor that explanation is spot on
with a lot of combined processor power for distributed cryptomining or hash/password cracking....
I run a separate machine for games, but modding is kinda half the joy of most of my favorite fames. Far too many games lock all their stuff down so that you can only have fun The Correct Way.
2:11, you only install DLLs some of the time. Most games use scripts that access the game's API and that's a much safer way of doing it.
Not always. It really depends on the games scripting engine. If it's something like LUA, you could run into the same issues.
In Cities Skylines all code mods are DLLs
@@nordgaren2358 lua is a terrible example. it is specifically made to be sandboxed. if a game has a lua modding API and still has ways for mods to execute arbitrary malicious code outside of the scope of the game, that is because the game implemented the lua sandbox wrong.
@electricnezumi this isn't true at all.
@electricnezumi if a game has to implement the sandboxing, then it's not the default, is it?
This is a game design issue. VERY few mods for games require a 3rd party DLL. There are common exceptions for games that don't require DLL's (stuff like skyrim script extender) -- so always be cautious... but really this is terrible game design from cities skylines.
Yeah, first that came to my mind is factorio enabling modding with mods being just lua script with access to Factorio API and without access to system.
@@crusaderanimation6967 Factorio is just GOAT
Ahhh DLLs; the spicy DLC
That's not true at all. Even if the code wasn't in a dll, it's still code.
Metamod for the Counter-Strike 1.5 / Source Based games. It hooked the VTable to capture a lot of information about the game state.
My intuition is that while this can happen, getting infected by an npm or pip package is still far more likely.
Deno to the rescue! ... I guess?
The actual issue is why the fuck is executing everything without compartmentalization by the OS the norm? Almost no game should have permission to interact with the filesystem other than its own files that it shipped with (or were dropped in, e.g. modded), certainly no crypto wallet application. That's insane. On mobile, we have had this whole class of issues solved for 10+ years now by having sane and very limited default permissions of what an app can do outside itself.
Well... Windows kinda was trying to do compartmentalization with the Windows Store apps... The issue is there is a *lot* of older software that was designed with no compartmentalization in mind and stores/accesses data everywhere on the PC and can self-modify itself. This leads to Windows relying on the old way of interacting with things. If you look at MacOS and most recent Linux distributions they are trying to implement proper access management which leads to their own headaches for app developers and users but kinda works.
I feel like the smarter takeaway would've been just don't bank or handle sensitive data on the same machine you consume media on. Some game devs take cyber-security seriously, but they're the exception. Serious media decoding bugs are also a dime a dozen.
99% of people don't have other systems hanging out just for sensitive data, unless they have a work computer, for work, that work may be monitoring...
I'm currently researching ways of making plugins, game mods and other software modification strategies safer, by employing safety layers, sandboxes and quite some WASM / sandboxed languages ... And it's harder than it looks at first sight. This topic is very important though, and safety of data and software integrity will only become more and more important
i think minetest does this well(?)
hey low level, i'm just wondering: did you really quit league after vanguard? i quit and my friends still think i'm being extreme, but i came to the same conclusion as you, i'm not installing a rootkit in my pc, that's just asking for trouble
yup, i haven't touched it since the start of S14. and as a shock to no one, my mental health significantly improved :)
@@LowLevelTV good. Quitting league also improved my health LMAO
@@LowLevelTV The only good thing about vanguard: whenever the temptation to return to league strikes I just remember that Vanguard still exists and I like an internet and laptop not controlled by a Chinese company.
Quitting league really makes a massive difference. League's effect on your mental health is just like gambling on steroids, with the reward being the rush of victory instead of actual money.
Your friends are idiots i have no other way to put it
Holy crap, the improvement of my mental health after leaving league was very noticeable for me!
I am glad to read others have come to the same realization!
Explaining a Windows DLL in terms of a Linux Shared Object is such a power move. I'm in awe.
“Very sketchy calls”
- creating a thread
- connecting to the internet
- writing a file
Gotta say it’s weird for a math library but in general that’s very normal shit
They’re sketchy BECAUSE they’re in a math library
@@bigombrello i mean creating a thread isn’t that sketchy
Anyway issue is an AV doesn’t really know it’s a math library, and going “these are suspicious” generally would be stupid as hell
Yeah I really didn't understand that bit lol, saying that if you see a program using basic threading stuff and WinSock2 it's almost always malware seems silly
Yeah, crazy right? Clearly, all software updaters are malware.
"Yo why is my math library downloading my credit card information and uploading it to the internet"
"John Hammond sent me some code" - can't wait for the "I hacked low level" video
FYI DLLs have entry points. DllMain is called when the DLL is loaded, the intention being initializing whatever state it might need
Not every DLL does have an entry point. It's optional and only implemented if necessary.
TBH If there's backdoors in my OS, my browser or really almost any program, then worrying about backdoors in my mods would just drive me crazy.
At least I'm pretty sure there's no backdoors in the mods I made myself. But then again, I generally need other programs to make mods in the first place...
If you run windows they don't need a back door because the front door is propped open with a brick so that they can train their AI off your data.
Lots of mods are non-code asset modifications only, such as texture and model replacement mods, so if you blanket avoid all mods, that's on you. Especially considering that you can and do know better. Some, while they do touch code, patch a couple of bytes at most (such as aspect ratio or framerate uncapping mods). Some more elaborate mods are even open source / source available / well documented. Minecraft mods are also a particularly bad example, because it's just Java (if you play the Java Edition). Not saying everyone goes and audits those mods, but the barrier of entry is way lower. It's like telling people that piracy is a boogeyman and they're all getting hacked. They don't.
I think you nailed this video again, with just the right level of detail on the matter
This is only tangentially related, but messing around with Neovim packages and Neovim package managers like Lazy makes me super worried. I always feel like it would be incredibly easy to conduct a supply chain attack with it.
How obfuscated do you want this?
Yes.
after this i hope that modders will learn more about git permissions
This is one of my favourite videos. I don't really play games but I love how you break down that giant mov sequence that got reconstructed by the seemingly benign prof-blah DLL. This was really neat, even for a novice programmer like me looking for coding challenges to practise on. I can't wait to try to break a hello world down and rebuild it to run with another function in another file just for fun.
Malicious mods have been a thing in Minecraft for a while, both in the form of mods being designed to be malware or copies of mods being made with malware in them, and infecting existing mods with malware. So it isn't very surprising that it's happening elsewhere too.
the hashing part was genius work tbh I'm very impressed
love that trick, will use it to confuse my coworkers.
@@martinzihlmann822 lmao
"Author uses 2FA" should be a quality label on a mods page
The most shocking about this: people actually having friends.
Hash-based PEB walking is actually very hard to detect, even for behavior-based detection engines. Most of the time AVs just hook onto certain system module exports and try to log what a program does. Parsing or even emulating long sequences of assembly is too resource intensive to be useful.
This made me think about the "fractureiser" malware on Minecraft five months ago that specifically attacked the modding ecosystem of Minecraft to distribute itself.
Same. I remember watching as news came out on Fractureiser in real time; it was interesting seeing people break down and eventually counter it. It was wild to me how Fractureiser tried to inject its first stage into other JAR files as an attempt to spread.
@@Arcensyl-f6h same lol. Now when I launch the game I have it set to always scan for Fractureiser, just in case.
There was also some weird stuff with serialization recently.
@@sillythewanderer4221 I should probably scan JARs for it more honestly. I'm curious, how did you set it up to automatically run the scanner before the game starts?
@@Arcensyl-f6h I have been just using ATLauncher (not TLauncher, that is a virus) and whenever I launch a mod pack it scans for Fractureiser, but I think most non-vanilla launchers also do it.
What launcher do you use?
@@Arcensyl-f6h Some launcher will do that for you if you set it up. I'm using ATLauncher for my modded minecraft instances and whenever it launches an instance there is a step where it is "scanning for fractureiser"; I haven't checked but there should be a setting in there.
This tickled whatever I have left in there from trying to learn programming all those years ago
3:48 I've actually seen legitimate software that provides code via a dynamically importable library without any exports. It makes debugging it slightly harder, since it's probably all initialized in the DllMain or just has a hardcoded VTable in the main executable.
One example I can name is Microsoft V-Chat's VCHATHLP module.
Imagine if that fastmath DLL actually had exposed some math functions like fastinvsqrt, fastmul, and so on. That would be literally undetectable.
Things like this make me wonder if there are competitions to develop obfuscated software. This is basically one intricate (albeit dangerous) puzzle.
1:13 Never realized it's an emulator. So I can attach it to a real city?
@@massivgrass 😂😂😂
well, you wanted traffic, you got (internet) traffic XD
"If it's Riot Games, don't play the game at all" And that's why I upvoted this video.
As far as Skyrim mods go, the only "code" that exists is SKSE plugins (DLLs, and people rarely provide source code, but they provide the *.psc Papyrus source code most of the time), Papyrus scripts (pex files either loose or inside BSAs) and VMAD records (inside the ESP/M/L files, but they are super limited). Unless there's some exploit (there probably are many), the game segfaults and crashes more frequently than the Rust people say C applications do.
Super interesting. Always wondered how DLL’s work. Top notch explanations
Whether a game is vulnerable via mods depends on how mods are implemented.
In some games it's Lua and you need to go through the game's functions to do ANYTHING (and some don't let you touch the filesystems or heavily restrict it).
In other games it's literally just an XML (or similar) with a few assets (like textures or audio). Sure, one could theoretically exploit a vulnerability in e.g. the parser of these files, but that's pretty darn hard (and at that point one would need to consider EVERY program which parses user-provided files of any kind vulnerable).
This is why I have a gaming PC on a completely separate network with nothing but steam and discord. That’s all I use it for. Trust nothing.
@@agx93 I just containerise all my games
This looks exactly like the technique you are taught in OSED for writing custom shellcode. You use a custom hashing function to search for the functions you need, mainly because string comparing in plain assembly is quite painful.
if it's that common i'm surprised that an export address table walker is not picked up by security products via heuristic or behaviour analysis. Btw, benny/29a & crew demonstrated that technique in 1998. Yes, it's that old. On the shoulders of giants!
Just wanna say thank you for the push towards low level learning! I’ve taught myself C#, Java, python, etc but the low level ones like C and assembly always scared me! I have to consider your course because I love your style and energy.
Reminds me of the old DOS viruses, patching the interrupt vector, but instead of in memory, on the DLL exception handlers. Also, using hashes to disguise the names of the DLLs it looks for is clever, yet it's sad, because they take advantage of people who only want to enjoy their games more.
Such a clever way to obfuscate malware, I'm impressed it was distributed through a Cities Skylines 2 mod of all places.
I absolutely love the fact that you used shared objects to explain what a .dll is. You know your audience!
Oooohhh… IIRC that’s a pretty old school technique.
A mod is someone else's code just like the cloud is someone else's computer. Don't trust other people if you don't know them.
And your private data stored and "secured" by "company X" is someone else's treasure trove.
A game is also other people's code.
@@null-0x Hence why I don't trust them unless they're from a known reputable creator.
It would be the same if you downloaded a game from some random website. But companies have a financial interest in not letting their customers get hacked. Sometimes you have two independent parties with an interest in protecting their customers (developer and platform).
@@blueboy4625 idc bro I’m gonna keep downloading mods. Not worth this level of paranoia. just have common sense about where you get your mods from, keep proper backups, and keep your important files stored someplace safe like an encrypted flash drive not constantly plugged into your computer
Title and thumbnail had me worried CS1 was affected.
and to the people who say it doesn't matter, only the first part is general. The rest is about a specific mod for cs2
DLLs - as you show it - absolutely have entry points. Back in the day I wrote some very simple Photoshop plugins. Once the given plugin was loaded by Photoshop, the entry point of the DLL had the control to initialize the plugin.
Reminds me of the Gbombs backdoor for Gmod.
IIRC the author put in backdoors that allowed him to spawn money and items on DarkRP servers, and even run admin level commands and spawn admin restricted items.
It got discovered when a server admin noticed suspicious commands being run in server logs.
This is why exposing an interface to the game engine for mod creators is so important. In fact, I'm surprised it is done any other way.
I'm happy that they found the backdoors. Imagine if they hadn't and someone else had...
Couldn't antimalware software monitor DLL/EXEs more closely if they're unsigned and have that sort of obfuscation in them? then the antimalware would pick up on all of those methods getting called and flag it / mark it as PUA / send it upstream for analysis / etc. One downside, though, is the game modder could simply tell their users to ignore false positive malware warning lol
Sure they can, but most of a packer/stage one's job is to make sure that the antivirus doesn't pick up on anything.
Tbh, idk why they didn't pick up the PEB crawl.
Another thing that is dangerous is that a lot of people put games as an exception in their antivirus for one reason or another.
@@nordgaren2358 Because they're using hacks. That's why they put their games as exceptions in their antivirus!
@@nordgaren2358 the reason for exceptions is that it can perform better
i've always assumed this was the case. i've made C:S assets: you upload unity packages which contain code that the game will run, no questions asked
love the riot games roast at the end
12:32 That "hash" is just standard crc-32 without the post-inversion (which was probably folded into the constant they're testing against by the compiler)
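As an added illustration of the CRC-32 point above (my own code, not from the video or the commenter): an analyst-side check that takes a constant recovered from a sample and tests whether it is the CRC-32 of a known export name, either with the standard final inversion or without it (the variant a compiler produces when it folds the final XOR into the compared constant). The list of export names is a constructed sample.

```python
import zlib

# Reflected form of the standard CRC-32 polynomial (IEEE 802.3), as used by zlib.
CRC32_POLY = 0xEDB88320


def _make_table():
    """Build the 256-entry byte lookup table for the reflected CRC-32."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ CRC32_POLY if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _make_table()


def crc32(data: bytes, final_xor: bool = True) -> int:
    """CRC-32 with init 0xFFFFFFFF and reflected table.

    final_xor=True  -> the standard value (same as zlib.crc32).
    final_xor=False -> the running register without the post-inversion, i.e.
                       the value a sample compares against when the compiler
                       has folded the final XOR into its constant.
    """
    c = 0xFFFFFFFF
    for b in data:
        c = _TABLE[(c ^ b) & 0xFF] ^ (c >> 8)
    return c ^ 0xFFFFFFFF if final_xor else c


def resolve_hash(target: int, candidates):
    """Return (name, variant) for the first candidate export name whose CRC-32
    equals target, trying the standard value first and the non-inverted value
    second. Returns None when nothing matches."""
    for name in candidates:
        raw = name.encode("ascii")
        if crc32(raw, final_xor=True) == target:
            return name, "crc32"
        if crc32(raw, final_xor=False) == target:
            return name, "crc32-no-final-xor"
    return None


# Constructed sample of export names an analyst might keep in a lookup list;
# these are well-known Win32/Winsock exports, chosen to match the categories
# discussed in the thread (thread creation, networking, file writes).
SAMPLE_EXPORTS = ["CreateThread", "WriteFile", "connect", "LoadLibraryA"]


if __name__ == "__main__":
    # Cross-check the implementation against zlib on the standard test vector.
    assert crc32(b"123456789") == zlib.crc32(b"123456789") == 0xCBF43926
    # A constant extracted from a sample would go here; we derive one to demo.
    constant = crc32(b"WriteFile", final_xor=False)
    print(hex(constant), resolve_hash(constant, SAMPLE_EXPORTS))
```

If a constant matches only under the "no-final-xor" variant, that is exactly the folded-inversion case the comment describes; a constant matching neither variant means the sample uses a different hash and both forms can be ruled out.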
2024 has more Backdoors than a Diddy Party
I remember this was one of the reasons why Quake 3 had a built in virtual machine to run mods on.
You know, alternatively an even more obfuscated malware would read assets (images, textures, etc) that contain code embedded via steganography. That way your DLL does what it’s expected to do - process an asset, and then the new program can be loaded
The problem with lua scripting is you can't modify the game, i know that's the _point_ of it, but some of the best Minecraft mods would be impossible like that
Wouldn't it be a good practice for game studios to make games moddable through providing some kind of sandboxed environment where all the code of a mod would be in a scripting language (like LUA or Python) and the capabilities would be limited (no meddling with the operating system, no Internet connections)?
Randomly found this video.
And well, it's really excellent. You earned my subscribe.
That's why I always run my games inside a VM that's inside a Docker container, that's inside another VM.
I am impressed with how they hid the imports ngl. I feel like a good antivirus should be able to catch it but I am not sure many companies know how to make good programs. it just makes life easier for hackers
They still prove to me that the first game is all we need.
Lol, the mov operation trick is something that was being taught at a Hungarian university years (now decades?) ago for the low level classes. Exactly the same pattern. It makes me wonder if this was some state sponsored backdoor coming from us maybe haha. Would have been so cool ;-)
Killing Steam Modding killed CS2 for me. Made some great mates in the mod community, loved every time an airport or plane and its livery was created, combined with the enthusiastic community from Keralis to Conflicted etc etc. That Steam community was amazing. While I understand this introduces the Xbox community, and as someone who did play on Xbox for a while, where having no mods did annoy me, why they didn't let Steam and their own internal mod page both be platforms for mods baffles me, and makes me so incredibly not enthusiastic for the game. Played it a couple of times, got a few cities to 100k, and then went on hiatus.
15:10
I rage quit league once. After neither alt-F4, taskkill /f, nor task manager would forcefully stop the process - it turned into a rage quit *forever*.
SuperF4 is your friend
this situation reminds me a lot of the minecraft Fractureiser exploit
ok, i'm scared now. Thanks :3
Mods can generally be trusted if the engine runs script type mods, where there is no actual compiled code but an abstract interpreted custom "programming language". That way, modders can do only the particular things that the devs allow them to, which is great for security but probably annoying for mod creators
The fearmongering is unnecessary my dude. There are thousands of mods for hundreds of games and malicious mods are extremely rare occurrences that usually never make it to the end user because the hosting platforms/clients/websites like Curse, Nexus, Steam Workshop, etc. check the code before allowing them to be posted for download.
As a Mario Kart Wii modder, I can tell you most mods don't include code, only assets (they are known as assets-only Riivolution or My Stuff mods inside the MKW modding community). Of course some mods like CTGPR and Pulsar packs do include code to extend the track limit of 32 (let's not talk about LECODE, that's deprecated) but that's about it
There's a big difference between code mods and content mods. A lot of games that support mods will have ways of integrating user generated content without them needing to run any code at all. It's important to make that distinction because modding a game can bring huge enhancements to it that you might miss out on.
Very clever how it hides what it is doing
Woooooo!!! Someone shared this in the Fromsoft Modding discord, where Nordgaren spends a lot of time. Cool to see him mentioned! And wild attack, very interesting obfuscation method. Brb never downloading mods ever again lol.
IDK but that's one weird looking "p" character in your terminal.
Another takeaway from this video is that one should not be installing software willy-nilly from unknown or untrusted sources on one's computer that is used for banking, email, and other "serious" functions. For those running open-source systems, it may be as simple as obtaining a second hard drive for games and the like and booting from one drive or the other. For those running Microsoft Windows or Mac OS, it would mean having to buy a second license for a second copy of the operating system to run on another drive or getting another computer outright.
I'm starting to think I should run everything sandboxed.
a similar thing just hit simcity 4, it happened on october 4th but it wasn't discovered until YESTERDAY.
Would love more content like this. wish you'd explain what APIs are called when malware is about to do a process injection, process hollowing, DLL sideloading etc.
It's funny that this malware is considered interesting. Back in the days manual import/export walk with name hash checking was pretty standard. I guess back at times of 29a writing low level stuff was mostly done for curiosity and experimentation, not to get easy cash by script kiddies.
Today I learned Cities: Skylines has a modding community
@@ccf_1004 Today I learned someone learned that Cities: Skylines has a modding community
It's like the only fun way to play the game since Paradox is a fuck
This is why I still enjoy the first game and use mods from the workshop. I felt like Workshop mods are slightly safer
I thought it was CS1 because of the thumbnail, oof
7:12 in my programs it's more like "what's really interesting is, none of them are"
What you also might take away is that Steam and the game developer should provide a safe way to install plug-ins and show you how much they tested them.
12:20 - I genuinely do wonder, why go through all this trouble to avoid static analysis, when you can load functions from WinAPI at runtime whose offset you do know, such as GetModuleBaseAddress and some such, that will give you that exact information, and just encrypt those instructions? They already went through the trouble of packing a second DLL file which they XOR'd, so why not just obfuscate the WinAPI imports and base address lookups? I mean, I get that it would look very suspicious to runtime analysis of the DLL, but as you said yourself, walking the PEB is already suspicious to runtime analysis, so if this was all for the sake of avoiding static analysis, why opt for this method when a much simpler option is available? If an AV couldn't pick up that it was dumping an XOR'd DLL onto the disk, surely it wouldn't pick the same, except it's obfuscated instructions that import and run a WinAPI function, would it? Don't know how advanced heuristics are nowadays, but, packed data is present in a lot of binaries, how can it distinguish if it's malicious or not without running the thing that unpacks the data ?
If I had crypto (I don't), I'd have it airgapped somewhere on a dedicated machine. Not on my main computer, ffs