  #41  
Old 10-19-2015, 10:42 PM
Alaron01 Alaron01 is offline
Large Rat


Join Date: Sep 2010
Posts: 6

Quote:
Originally Posted by simp403
So how could the EQClient executable access information outside of the access privileges it is granted when it's installed on the system? Swapping out a .dll file won't change these, meaning that P1999 can only access data within the process's allotted memory, in the locations on secondary storage specified by said access privileges, and data that is shared with the process by other processes it interacts with.

So how would the addition of a .dll file allow the EQClient to grab data from the web browser, which is an entirely separate process that does not interact with it whatsoever? How does this executable suddenly get full access to the file management system simply through the addition of a dll? Can someone please let me know if this is possible? I only just graduated from Comp Sci, but all of these claims seem to be full of shit to me. Am I missing something here?
Here's where to start: https://en.wikipedia.org/wiki/DLL_injection

It usually involves more than just swapping out a DLL. It's easiest to have an executable that can do the injection (see bullet point #3 in the wiki for how-to).

Once you can get another process to load your DLL, then your DLL main function will be called. This is where the process that's being injected into loses all control, and this is precisely why a detection mechanism for cheating would target foreign DLLs. An attacker can have all kinds of fun in here since they are executing in the other process' address space.

So, rough sketch of how P1999 staff could theoretically make your EQClient grab data from your web browser:
1) Inject a DLL into EQClient through the launcher.
2) Now the DLL main function will get called by EQClient. They put the code for DLL injection into the DLL that's being injected though! So now this DLL main will make EQClient inject the very same DLL into your web browser. If you are feeling fancy (or kinky) you could do something like hooking the function for receiving tells and trigger this to happen only when "gay elf love" is contained in the text.
3) The same thing happens inside the web browser except it starts snapping screenshots. Hide yo kids, hide yo wife.

The claim that it's possible is not full of shit. I wouldn't miss any sleep over worrying about it though.

PS: I see you've worked out more of this while I wrote this post. Cool. Gonna post it anyway in case you find something interesting.
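The post notes that a cheat-detection mechanism would target foreign DLLs. Below is an added example (not from the post or from P1999) of the coarse check such a module scan performs: given the list of modules mapped into a process, report those that load from outside a set of trusted directories. The directory names are constructed sample values, the module list is constructed, and the optional live enumeration assumes the third-party psutil package on Windows.

```python
import ntpath

# Directories a stock client would be expected to load modules from.
# Constructed sample values; a real scanner would take the game's install
# directory from its configuration rather than hard-coding it.
TRUSTED_DIRS = [
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Windows\WinSxS",
    r"C:\Games\EverQuest",
]

def _under(path: str, directory: str) -> bool:
    """True if `path` lies inside `directory` (case-insensitive, Windows path rules)."""
    p = ntpath.normcase(ntpath.normpath(path))      # lowercase, resolve '..'
    d = ntpath.normcase(ntpath.normpath(directory))
    # Append a separator so C:\Windows2\x.dll is not treated as under C:\Windows.
    return p.startswith(d.rstrip("\\") + "\\")

def foreign_modules(module_paths, trusted_dirs=TRUSTED_DIRS):
    """Return module paths that come from outside every trusted directory.

    An injected DLL must sit somewhere the loader can read, which is rarely the
    system or game directory, so this is the first filter a module scan applies.
    A DLL dropped into the game folder itself passes this check; catching that
    needs hash or signature verification of the known module set.
    """
    return [m for m in module_paths
            if not any(_under(m, d) for d in trusted_dirs)]

def live_modules(pid: int):
    """Enumerate DLLs mapped into a running Windows process (assumes psutil)."""
    import psutil  # third-party; only needed for the live path, not the sample
    return [mm.path for mm in psutil.Process(pid).memory_maps()
            if mm.path.lower().endswith(".dll")]

# Constructed sample: what a module listing of the client might look like.
SAMPLE_MODULES = [
    r"C:\Games\EverQuest\eqgame.exe",
    r"C:\Windows\System32\ntdll.dll",
    r"C:\WINDOWS\system32\KERNEL32.DLL",           # case differs, still trusted
    r"C:\Windows\SysWOW64\..\System32\user32.dll", # '..' resolves into System32
    r"C:\Windows2\dinput8.dll",                    # prefix trick, must be flagged
    r"C:\Users\Player\AppData\Local\Temp\hook.dll",
]

if __name__ == "__main__":
    for m in foreign_modules(SAMPLE_MODULES):
        print("foreign module:", m)
```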