
Implement AntiRCE: Malicious file access/write detection

Open KittenPopo opened this issue 2 years ago • 2 comments

This is a system I made a few months ago, from le old giant PR.

Currently, it only checks file access, to prevent Titanfall from accessing files it should never access.

If an attacker utilizes an RCE, reading/creating files is a great go-to for doing damage, spreading a malicious binary, or stealing user information (i.e. discord token).

AntiRCE stops any file access outside of Titanfall's directory and user data folder (apart from loading system fonts).

This PR still needs more testing to find any potential false positives, but has proved very effective thus far.

Overview of AntiRCE system:

  • Hook filesystem_stdio file handle opening at the lowest level
  • When this hook fires, determine the true path of the target file and compare it against Titanfall's installation and user data folders (also check file type)
  • If the file is outside of where Titanfall should be able to access, or is a binary/executable file (i.e. RCE trying to overwrite game DLLs), then the whole process is halted, an error is displayed, and the game will be shut down after with a custom exit code (666).

New Commit Addition:

  • Hook all file accesses via the lowest level before kernel transition (Nt/ZwCreateFile)
  • Check if the file creation access has write permissions
  • If it's write access, and the file has a binary extension, trigger the AntiRCE emergency detection

NOTE: There is a very slight possibility that some wacky game-injected external system/overlay/whatever writes to a binary file, leading to a false positive; however, I believe this is extremely rare and would be very unusual.

Testing: I have tested the AntiRCE system quite a bit myself, with as many overlay programs and injected (legitimate) software as I could find - I have yet to find any false positives. However, it is important that others test this PR in case there is any genuine false positive that needs to be checked for that I didn't encounter or think of.

KittenPopo avatar Jun 19 '22 23:06 KittenPopo
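The verdict logic the description above sketches (normalise the requested path, compare it against the game install and user data folders, allow only reads of system fonts, and block any write to a binary/executable extension wherever it lands), as an added example that is not code from this PR or from Northstar. The hook itself (NtCreateFile / filesystem_stdio) is Windows-specific and left out; this is only the policy function such a hook would call, with the root folders, the binary extension list and the probe paths all constructed for illustration. Normalisation here is lexical (NT/Win32 namespace prefixes, separators, `.`/`..`, case); resolving symlinks, junctions and 8.3 short names to the "true path" still needs an OS call in the real hook.

```cpp
#include <algorithm>
#include <cctype>
#include <filesystem>
#include <initializer_list>
#include <iostream>
#include <string>
#include <vector>

namespace fs = std::filesystem;

// Access requested on the handle; the real hook would derive this from the
// NtCreateFile DesiredAccess mask (any write bit set -> Write).
enum class Access { Read, Write };

enum class Verdict { Allow, BlockOutsideRoots, BlockBinaryWrite };

// Allow-list policy. Everything in it is a constructed example, not Northstar's configuration.
struct Policy {
    std::vector<std::string> allowed_roots;  // game install and user data folder
    std::vector<std::string> font_roots;     // readable only: the system-font exception
    std::vector<std::string> binary_exts;    // lower-case extensions that must never be written
};

// Lower-case for Windows-style case-insensitive comparison.
static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// One canonical spelling for whatever form the caller used: strip the \??\ and \\?\
// prefixes, unify separators, collapse "." and "..", drop a trailing slash, lower-case.
// Lexical only: symlinks/junctions/short names are not resolved here.
static std::string normalise(std::string s) {
    for (const char* prefix : {"\\??\\", "\\\\?\\"}) {
        const std::string p(prefix);
        if (s.compare(0, p.size(), p) == 0) { s.erase(0, p.size()); break; }
    }
    std::replace(s.begin(), s.end(), '\\', '/');
    std::string out = fs::path(s).lexically_normal().generic_string();
    while (out.size() > 1 && out.back() == '/') out.pop_back();
    return lower(out);
}

// True when `path` equals a root or sits below it. The separator check keeps
// "c:/games/titanfall2evil" from matching the root "c:/games/titanfall2".
static bool inside_any(const std::string& path, const std::vector<std::string>& roots) {
    for (const std::string& raw_root : roots) {
        const std::string root = normalise(raw_root);
        if (path == root) return true;
        if (path.size() > root.size() && path.compare(0, root.size(), root) == 0 &&
            path[root.size()] == '/')
            return true;
    }
    return false;
}

static bool has_binary_ext(const Policy& pol, const std::string& path) {
    const std::string ext = fs::path(path).extension().generic_string();  // already lower-case
    return std::find(pol.binary_exts.begin(), pol.binary_exts.end(), ext) != pol.binary_exts.end();
}

// The decision taken before the open is allowed to proceed.
Verdict evaluate(const Policy& pol, const std::string& raw_path, Access access) {
    const std::string path = normalise(raw_path);
    // A write to a binary/executable file is blocked everywhere, including inside the
    // game directory: overwriting a game DLL is exactly the case the PR calls out.
    if (access == Access::Write && has_binary_ext(pol, path)) return Verdict::BlockBinaryWrite;
    if (inside_any(path, pol.allowed_roots)) return Verdict::Allow;
    // Fonts may be read but never written.
    if (access == Access::Read && inside_any(path, pol.font_roots)) return Verdict::Allow;
    return Verdict::BlockOutsideRoots;
}

// Constructed policy: game folder, user data folder, font folder, binary extensions.
Policy example_policy() {
    return Policy{
        {"C:\\Games\\Titanfall2", "C:\\Users\\bob\\Documents\\Respawn\\Titanfall2"},
        {"C:\\Windows\\Fonts"},
        {".dll", ".exe", ".sys", ".com", ".bat", ".cmd"},
    };
}

int main() {
    const Policy pol = example_policy();
    const char* names[] = {"allow", "block: outside allowed folders", "block: write to binary"};
    struct { const char* path; Access access; } probes[] = {  // constructed probe paths
        {"C:\\Games\\Titanfall2\\r2\\cfg\\autoexec.cfg", Access::Write},
        {"C:\\Games\\Titanfall2\\..\\..\\Users\\bob\\Documents\\notes.txt", Access::Read},
        {"\\??\\C:\\Games\\Titanfall2\\bin\\x64_retail\\example.dll", Access::Write},
        {"C:\\Windows\\Fonts\\arial.ttf", Access::Read},
        {"C:\\Games\\Titanfall2evil\\x.txt", Access::Read},
    };
    for (const auto& p : probes)
        std::cout << p.path << " -> " << names[static_cast<int>(evaluate(pol, p.path, p.access))] << "\n";
    return 0;
}
```

The second probe shows why normalisation has to happen before the comparison: a path that starts inside the game folder but climbs out with `..` must be judged by where it ends up. The `\??\` probe reflects what an NtCreateFile-level hook actually sees (an NT object path, not the Win32 spelling), and the `Titanfall2evil` probe is the prefix-confusion case that a plain `starts_with` on the root string would get wrong.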

I don't know if I missed something but can you maybe try to print some debug info like callstack or something when the hook is triggered

RoyalBlue1 avatar Jun 24 '22 01:06 RoyalBlue1

> I don't know if I missed something but can you maybe try to print some debug info like callstack or something when the hook is triggered

I think you might have missed something.

[two images attached]

KittenPopo avatar Jun 27 '22 21:06 KittenPopo

Closing as stale

ASpoonPlaysGames avatar Sep 02 '23 16:09 ASpoonPlaysGames