Project 1999

#1
10-19-2015, 06:09 PM
Stormfists
Banned
Join Date: Sep 2014
Posts: 199

Quote:
Originally Posted by arsenalpow
You're
You're.
#2
10-19-2015, 09:04 PM
Ostros
Kobold
Join Date: May 2010
Location: Lakeland, FL
Posts: 114

Fucking lol. I was hoping this would end up on RnF.

"YOU WON'T BELIEVE WHAT ROGAIN IS UP TO NOW. PLAYERBASES HATE HIM. FIND OUT WHAT HE CAN DO WITH A SINGLE DYNAMIC LINK LIBRARY."

You ultra-libertarian tinfoils make me confident in life.
__________________
Quote:
The internet is a cruel, anonymous fight club where your weaknesses will be exploited and your fears used against you. Use the internet for entertainment and maybe information, as long as you realize that most of it is false. But if your sole social circle exists entirely online, you're already fucked if you can't hack it alone, because you are.
Sithix Wraithscale - Necro
#3
10-19-2015, 05:07 PM
Oleris
Planar Protector
Join Date: Dec 2013
Location: Anaheim ด้้้้้็็็็็้้
Posts: 1,382

rogean nsa spy confirmed.
__________________
<Aftermath> Oleris- 60 epic necro, Olerris- 60 epic monk. Songerino 60 epic Bard

Halloween 2015 event: https://www.twitch.tv/videos/23440971

PL service
https://www.project1999.com/forums/s...d.php?t=313502
#4
10-19-2015, 05:20 PM
simp403
Kobold
Join Date: Jul 2015
Posts: 100

So how could the EQClient executable access information outside of the access privileges it is granted when it's installed on the system? Swapping out a .dll file won't change these, meaning that P1999 can only access data within the process's allotted memory, in the locations on secondary storage specified by said access privileges, and data that is shared with the process by other processes it interacts with.

So how would the addition of a .dll file allow the EQClient to grab data from the web browser, which is an entirely separate process that does not interact with it whatsoever? How does this executable suddenly get full access to the file management system simply through the addition of a dll? Can someone please let me know if this is possible? I only just graduated from Comp Sci, but all of these claims seem to be full of shit to me. Am I missing something here?
__________________
Dinobots
#5
10-19-2015, 05:25 PM
SyanideGas
Planar Protector
Join Date: Aug 2011
Posts: 1,276

Quote:
Originally Posted by simp403
So how could the EQClient executable access information outside of the access privileges it is granted when it's installed on the system? Swapping out a .dll file won't change these, meaning that P1999 can only access data within the process's allotted memory, in the locations on secondary storage specified by said access privileges, and data that is shared with the process by other processes it interacts with.

So how would the addition of a .dll file allow the EQClient to grab data from the web browser, which is an entirely separate process that does not interact with it whatsoever? How does this executable suddenly get full access to the file management system simply through the addition of a dll? Can someone please let me know if this is possible? I only just graduated from Comp Sci, but all of these claims seem to be full of shit to me. Am I missing something here?
This sounds pretty legit
__________________

Skarry 60 Assassin | Kumack 60 Oracle | Gyrgol 60 Oracle | Eregion 55 Illusionist
#6
10-19-2015, 10:42 PM
Alaron01
Large Rat
Join Date: Sep 2010
Posts: 6

Quote:
Originally Posted by simp403
So how could the EQClient executable access information outside of the access privileges it is granted when it's installed on the system? Swapping out a .dll file won't change these, meaning that P1999 can only access data within the process's allotted memory, in the locations on secondary storage specified by said access privileges, and data that is shared with the process by other processes it interacts with.

So how would the addition of a .dll file allow the EQClient to grab data from the web browser, which is an entirely separate process that does not interact with it whatsoever? How does this executable suddenly get full access to the file management system simply through the addition of a dll? Can someone please let me know if this is possible? I only just graduated from Comp Sci, but all of these claims seem to be full of shit to me. Am I missing something here?
Here's where to start: https://en.wikipedia.org/wiki/DLL_injection

It usually involves more than just swapping out a DLL. It's easiest to have an executable that can do the injection (see bullet point #3 in the wiki for how-to).

Once you can get another process to load your DLL, then your DLL main function will be called. This is where the process that's being injected into loses all control, and this is precisely why a detection mechanism for cheating would target foreign DLLs. An attacker can have all kinds of fun in here since they are executing in the other process' address space.

So, rough sketch of how P1999 staff could theoretically make your EQClient grab data from your web browser:
1) Inject a DLL into EQClient through the launcher.
2) Now the DLL main function will get called by EQClient. They put the code for DLL injection into the DLL that's being injected though! So now this DLL main will make EQClient inject the very same DLL into your web browser. If you are feeling fancy (or kinky) you could do something like hooking the function for receiving tells and trigger this to happen only when "gay elf love" is contained in the text.
3) The same thing happens inside the web browser except it starts snapping screenshots. Hide yo kids, hide yo wife.

The claim that it's possible is not full of shit. I wouldn't miss any sleep over worrying about it though.

PS: I see you've worked out more of this while I wrote this post. Cool. Gonna post it anyway in case you find something interesting.
#7
10-19-2015, 11:19 PM
simp403
Kobold
Join Date: Jul 2015
Posts: 100

Quote:
Originally Posted by Alaron01
PS: I see you've worked out more of this while I wrote this post. Cool. Gonna post it anyway in case you find something interesting.
No, this is good shit. Thanks for posting it!

Quote:
Originally Posted by Alaron01
They put the code for DLL injection into the DLL that's being injected though! So now this DLL main will make EQClient inject the very same DLL into your web browser.
So how exactly would the EQClient be able to inject this code into the web browser if it does not have access permission to touch the web browser?

I had a feeling that there was some way to include malicious code in the dll file but I thought that it would also require specific conditions with the executable loading it, as well. Is it possible to know whether or not the EQClient can be used this way? Does the swapped dll file alter the executable file to inject code in this way, and how could it access other programs if the access permissions to do so were not originally granted to the executable loading the dll file?
__________________
Dinobots
#8
10-19-2015, 11:23 PM
Ostros
Kobold
Join Date: May 2010
Location: Lakeland, FL
Posts: 114

Quote:
Originally Posted by simp403
No, this is good shit. Thanks for posting it!



So how exactly would the EQClient be able to inject this code into the web browser if it does not have access permission to touch the web browser?

I had a feeling that there was some way to include malicious code in the dll file but I thought that it would also require specific conditions with the executable loading it, as well. Is it possible to know whether or not the EQClient can be used this way? Does the swapped dll file alter the executable file to inject code in this way, and how could it access other programs if the access permissions to do so were not originally granted to the executable loading the dll file?
Without setting off every red flag for your AV/Anti-Malware? It can't. That's why it's bullshit. That it's possible is irrelevant. Process hijacking is a heuristic that's like....dead giveaways 101 for malicious software.
__________________
Quote:
The internet is a cruel, anonymous fight club where your weaknesses will be exploited and your fears used against you. Use the internet for entertainment and maybe information, as long as you realize that most of it is false. But if your sole social circle exists entirely online, you're already fucked if you can't hack it alone, because you are.
Sithix Wraithscale - Necro
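
The detection side of what posts #6 and #8 describe (flagging foreign DLLs and cross-process thread creation), as an added example that is not part of the original thread. The records are constructed and only shaped like Sysmon Event ID 7 (image loaded) and Event ID 8 (CreateRemoteThread); the paths, file names and the trusted-source allowlist are assumptions.

```python
from ntpath import dirname, normcase  # Windows path semantics on any OS

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Assumption: system processes that legitimately start threads in others.
TRUSTED_SOURCES = {r"c:\windows\system32\csrss.exe"}

# Constructed records shaped like Sysmon Event ID 7 (image loaded) and
# Event ID 8 (CreateRemoteThread); every path and file name is made up.
EVENTS = [
    {"EventID": 7, "Image": r"C:\Games\EQ\eqclient.exe",
     "ImageLoaded": r"C:\Games\EQ\example.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Games\EQ\eqclient.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 8, "SourceImage": r"C:\Games\EQ\eqclient.exe",
     "TargetImage": r"C:\Program Files\Browser\browser.exe",
     "StartFunction": "LoadLibraryW"},
    {"EventID": 7, "Image": r"C:\Program Files\Browser\browser.exe",
     "ImageLoaded": r"C:\Games\EQ\example.dll", "Signed": "false"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Games\EQ\eqclient.exe", "StartFunction": ""},
]

def foreign_load(ev):
    """Unsigned DLL from outside the process's own and the system folders."""
    dll_dir = normcase(dirname(ev["ImageLoaded"]))
    own_dir = normcase(dirname(ev["Image"]))
    in_system = any(dll_dir == d or dll_dir.startswith(d + "\\") for d in SYSTEM_DIRS)
    return ev["Signed"] != "true" and dll_dir != own_dir and not in_system

def remote_thread(ev):
    """Thread created in another process by a non-allowlisted source."""
    src, dst = normcase(ev["SourceImage"]), normcase(ev["TargetImage"])
    return src != dst and src not in TRUSTED_SOURCES

def triage(events):
    """Return (rule, affected process, detail) for each event that fires."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 7 and foreign_load(ev):
            alerts.append(("foreign-dll", ev["Image"], ev["ImageLoaded"]))
        elif ev["EventID"] == 8 and remote_thread(ev):
            # A remote thread that starts at LoadLibrary* is loading a DLL.
            loads_dll = ev["StartFunction"].startswith("LoadLibrary")
            rule = "remote-thread-loadlibrary" if loads_dll else "remote-thread"
            alerts.append((rule, ev["TargetImage"], ev["SourceImage"]))
    return alerts

if __name__ == "__main__":
    print(*triage(EVENTS), sep="\n")
```

The first record, an unsigned DLL sitting in the game's own folder, does not fire either rule, so a swapped DLL inside the install directory has to be caught by comparing file hashes against a known-good baseline instead.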
#9
10-19-2015, 11:25 PM
simp403
Kobold
Join Date: Jul 2015
Posts: 100

Quote:
Originally Posted by Ostros
Without setting off every red flag for your AV/Anti-Malware? It can't. That's why it's bullshit. That it's possible is irrelevant. Process hijacking is a heuristic that's like....dead giveaways 101 for malicious software.
Ok, yeah, I figured that this would be very easy to prevent or otherwise detect.
__________________
Dinobots
#10
10-19-2015, 11:56 PM
Alaron01
Large Rat
Join Date: Sep 2010
Posts: 6

Quote:
Originally Posted by simp403
Does the swapped dll file alter the executable file to inject code in this way, and how could it access other programs if the access permissions to do so were not originally granted to the executable loading the dll file?
IIRC it prompts for admin privileges -- it's been a while.

I didn't intend to claim it was practical!