
Game wants to attack sptd.sys



VanguardLH
20.10.2008, 11:55
Daemon-Tools Lite v4.30.0
Windows XP Pro SP-3
Comodo Firewall Pro v3.0.25.378 (Defense+ HIPS enabled)

I installed a game (FEAR Gold). When I go to run the game, Comodo will alert that the game is attempting several suspicious actions. One was to modify a file with dinput8.dll. That's Microsoft's DirectX support library that gets injected in a program's files to add DX support, so I allow that change by the game. Some other alerts were about the game trying to install some global hooks. I haven't made up my mind what to do about those attempted actions; so far, I've blocked them. The one I'm concerned about is the game wants to modify sptd.sys. I'm no expert at this copy-protection paranoia so please bear with me as some of my conclusions based on a couple of hours of browsing and reading could be inaccurate.

sptd.sys, although it is described as SCSI Pass-Through Driver, doesn't really seem to be its intended purpose but rather to behave in rootkit-like fashion to operate at kernel-mode level to hide or deny access to some registry keys and perhaps to some files. One of the HIPS alerts from Comodo is that the game is trying to modify sptd.sys. Obviously this is not a file that is part of the game so the game is trying to modify files that don't belong to it. So far, I've chosen to block that attempt to modify sptd.sys but I'm not sure that I have to. If DT is protecting itself, perhaps it provides a bogus target for this file so it can appear to get modified but not really happen. I don't know if DT protects the sptd.sys file. I certainly can't look inside using a hex editor (I get denied access).

From what I've read, it looks like the game uses some version of SecureROM. I'm not keen on the game's startup trying to modify any file that isn't part of the game itself, like sptd.sys that DT uses. However, if it is just a bogus target that DT will replace if it gets modified or DT prevents modification of its files then I could see what happens if I allow Comodo to let the game modify sptd.sys.

While allowing some actions by the game start to occur, like direct screen access, direct keyboard control, and injecting dinput8.dll into its files, I have blocked the global hooking and modification of sptd.sys. The result is that the game starts, plays its intro screens and movie, and then the game hangs at a black screen and hangs the host so I have to hit the Reset button to restart Windows. So I'm blocking more actions than the game can tolerate.

Understand that I am NOT trying to play the game from a DT virtual drive. I don't mind putting the game's DVD into the drive and let it check for its protection. My question is about the game wanting to modify DT's files and if I should permit the game to [try to] make those changes.

evlncrn8
20.10.2008, 13:13
i think your information is incredibly inaccurate...
sptd.sys can't be modified, it's locked and hidden by daemon tools..



One was to modify a file with dinput8.dll.


you totally sure about that? if so, virus scan your system, games do not do this... perhaps it was from the installer updating directx?...

i think you've got your firewall on paranoid settings, if any program did the things you described it'd not exist for very long...



From what I've read, it looks like the game uses some version of SecureROM. I'm not keen on the game's startup trying to modify any file that isn't part of the game itself, like sptd.sys that DT uses. However, if it is just a bogus target that DT will replace if it gets modified or DT prevents modification of its files then I could see what happens if I allow Comodo to let the game modify sptd.sys.

don't believe all the paranoia out there, if such a thing was happening the forum here would be full of posts like this...
are you sure it's actually 'modifying' files?.. and not just accessing them?... there's quite a difference between the 2..

but from the looks of things you've set your firewall to a ridiculous security level; it's a wonder anything works at all...and you're getting paranoid because of its 'alerts' (which are probably all false positives)...

... check this link..

Spore gets summoned [Part 2] - coldbluesun (http://coldbluesun.com/b/2008/10/spore-gets-summoned-part-2/)

and you'll see the part where the poster mentions comodo...

"I personally recommend Comodo and Avast! Both of which have had zero problems with either Spore or SecuROM."

...

VanguardLH
20.10.2008, 21:35
Below are the HIPS alerts, comments about them, and my action taken regarding those alerts. An allow or block is permanent (remembered by HIPS) unless noted as temporary (not remembered so I can retest with a different choice).

Alert: explorer.exe wants to run fear.exe.
Comment: Obviously required to load the game.
Action: Allow

Alert: fear.exe trying to install global hook in dinput8.dll.
Comment: dinput*.dll are DirectX libraries for DirectX support of input devices, like joysticks. From prior testing, and after I allowed this change, I did a binary file compare on the original dinput8.dll file (in \windows\system32) against a copy of it that was saved beforehand. They were the same. Don't know why the game wants write access to this file rather than use DX calls to access the methods in this library file.
Action: Allow

Alert: fear.exe wants to create the CmdLineExtInstallerExe.exe file in a temp folder.
Comment: This process unrolls or extracts this other program from the game's files so this file doesn't exist until you run the game. It is part of the SecureROM protection. The game checks if there is a copy of cmdlineext.dll on the host and if not or if the wrong version then it creates this file which creates the next file described in the next alert. cmdlineext.dll is not on my host so the game's startup must extract and run this other program to create it.
Action: Allow

Alert: CmdLineExtInstallerExe.exe wants to create the cmdlineext.dll file.
Comment: From what I've read, cmdlineext.dll has methods for SecureROM to detect emulated drives, like those produced by DT. I have Sony's SecureROM Uninstaller utility; however, this leaves behind license data in files and registry which I have to manually delete (by using RegDelNul from SysInternals to get rid of the entries with null characters in the key names which prevent using normal system API calls by regedit.exe from writing/deleting those keys and by deleting the hidden SecureROM license folder under my %userprofile%).
Action: Allow

Alert: CmdLineExtInstallerExe.exe wants to modify a couple registry keys.
Comment: One registry key is "HKEY_CLASSES_ROOT\CLSID\{9869EFB4-18E9-11D3-A837-00104B9E30B5}" which defines its InProcServer32 to be the cmdlineext.dll file (but no command line parameters to specify a method entry point so it must have a main method to execute when it gets loaded). The other registry key it creates is "HKEY_CLASSES_ROOT\CLSID\{F0407C3D-349C-42b9-B83E-821E31623DF9}" whose InProcServer32 entry also points at cmdlineext.dll (and again without any command-line parameters to specify a method in the library file).
Action: Allow

Alert: fear.exe wants direct access to the screen.
Comment: This is typical of games. However, it also means that my analysis will get blocked when it takes over the screen. I can load utilities like SysInternals ProcessExplorer and Task Manager but I can't get at their windows.
Action: Allow

Alert: fear.exe wants to modify sptd.sys.
Comment: This is where the game appears to attack DT's sptd.sys file by wanting write permission to the file and possibly wanting to analyze or write into it.
Action: Block (temporary)

Alert: fear.exe wants to elevate its privileges to include Debug permission.
Comment: This means it can alter behavior in other processes. I don't see why any game would need this elevated privilege so I suspect it is part of the SecureROM copy protection. If I block this request, the game will crash.
Action: Allow (temporary)

Alert: fear.exe wants to access System in memory.
Comment: The game wants to control the target application that is in memory. Also something a game shouldn't need to do. The game is attempting to further elevate its privileges. The following system processes must also be allowed for access by the game to prevent the game from crashing.
Action: Allow (temporary)

At this point, the game wanted access to every process that was running. I temporarily allowed these requests during this test. It wanted to interrogate:
smss.exe (Session Manager SubSystem)
csrss.exe
winlogon.exe
services.exe and every svchost.exe under it
lsass.exe
GeSWall (an app policy enforcer for security protection)
VMWare Server (virtual machines)
Avast (anti-virus)
and every other process.
I temporarily allowed the request on each of these.

Alert: fear.exe is trying to modify J:\AutoRun.exe.
Comment: J: is my DVD drive. Obviously files there are read-only. Don't know what tricks the game is trying here but it wants to interrogate the DVD disc probably to check if it is legit. This is when the DVD disc spins because of the access.
Action: Allow

Alert: fear.exe wants to install a global hook in fear.exe
Comment: The game wants to modify itself or, at least, look inside itself.
Action: Allow

Alert: fear.exe wants access to a COM interface.
Comment: Turns out the classID for this was for Microsoft's WMI function. Later it also asks for access to the wbem logfile.
Action: Allow

Alert: fear.exe wants to access the service control manager.
Comment: This is a high-level privilege that lets the process or user to stop, start, and delete services. Obviously something a game wouldn't need to do but something maybe a dynamically loaded service might want to do, like a copy protection program trying to get itself started.
Action: Allow (temporary)

Alert: fear.exe wants direct access to the keyboard.
Comment: Typical of most games.
Action: None - alert disappeared before I could add the comment and then select an action.

The game changed the screen resolution (to much smaller). Access to the windows for Task Manager was denied (couldn't display it to kill fear.exe and restart the test to get to the prior step to make sure I could select an action). After a couple minutes of looking at a black screen, the game started up.

I then retested the above but denied Debug privilege to the game. I also blocked its access to one alert about trying to access one of the instances of svchost.exe and then later blocked its access to services.exe and service control manager. All the alerts about the game trying to gain access to System and all the running processes did not appear. Now there were alerts about the game trying to access the Internet. I chose to block those. The game started much faster (I only bothered to get past the intro movies and to the menu inside the game).

So the game will start if I block it from modifying sptd.sys but it did want to access that file. The game wants to elevate its privileges to gain Debug privilege and access and control of the service control manager but they weren't really required for the game to start. However, before all the interrogation of services and processes and other alerts typical of games, there was the prompt to get at the sptd.sys file right after the auto-generated .exe and .dll files for the game were allowed.

The sptd.sys file is NOT hidden. I can see it in Windows Explorer but access to it is denied. I can see it in the directory list but cannot open it in a hex editor to look inside it. If a process were trying to only read a file, there usually isn't a problem unless another process has a lock on the file. I'm not sure opening a file for write mode necessarily creates a lock (as I recall, it is possible to open for non-exclusive write mode but maybe the default is exclusive mode for write mode). Sometimes the alerts were about accessing a process or file. Sometimes the alerts were about an attempt to modify the file or process. Those were noted above in the log of the HIPS alerts that I saw when starting the game.

What was obvious was the separate attempt to get at the sptd.sys file. That's when I started to wonder if DT protects its own files. Yes, as a user process (Windows Explorer) I could not access the file but that wouldn't itself be sufficient protection. Access control tables don't really protect files very well and why products like GeSWall and DefenseWall exist to enforce application-level policies that are not possible with just ACL.

By the way, I do use Comodo Firewall Pro v3 (with Defense+ HIPS enabled, including its SafeSurf feature rather than using the separate Memory Firewall, both of which catch buffer overruns presumably not caught by DEP). It is because of CFP's Defense+ HIPS function that I can see what is happening on my host and it gives me control over what can load and what the loaded process can do. I would never have the level of granularity in seeing and controlling what happens on my host without some HIPS program. Avast! is my antivirus of choice (free version). I also use GeSWall Free as a safety net in case I make a wrong choice for Comodo's Defense+ HIPS alerts. Returnil is used in this testing scenario to let me snapshot back to the prior disk state rather than having to save and restore backup images. I have VMWare Server to test unknown software in virtual machines but these are not acceptable for testing games because the emulated hardware (everything other than the CPU) would never meet the minimal system hardware requirements for these games and incur such severe performance degradation as to make the game unusable.

I can leave HIPS configured to block the game from ever accessing or trying to modify sptd.sys. However, maybe DT or this driver already attempt to protect that file. Trying to get good info on the sptd.sys file other than it means "SCSI Pass-Through Driver" (which seems a bogus description for what it probably really does). I've seen some mention that it might hide or protect some registry keys and maybe some files. Not enough info to make an informed decision.
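The alert log above records each HIPS prompt as an Alert/Comment/Action triple. As an added example that is not part of the original post and not Comodo's software, here is a small Python script that parses records in that format and sorts them by how much scrutiny a defender should give them: routine game behaviour (screen and keyboard access, launching the executable) is ranked low, while Debug privilege, service control manager access, writes to a driver file outside the game's own files, and memory access to core system processes are ranked high. The sample records and the severity rules are constructed for this example.

```python
"""Triage HIPS alerts written in the Alert/Comment/Action format used in the post.

Constructed sample data and heuristic rules; this is an illustrative script,
not part of any HIPS product.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log in the same Alert/Comment/Action layout as the post.
SAMPLE_LOG = """\
Alert: explorer.exe wants to run fear.exe.
Comment: Obviously required to load the game.
Action: Allow

Alert: fear.exe wants direct access to the screen.
Comment: Typical of games.
Action: Allow

Alert: fear.exe wants to modify sptd.sys.
Comment: Not a file that belongs to the game.
Action: Block (temporary)

Alert: fear.exe wants to elevate its privileges to include Debug permission.
Comment: Lets it alter behaviour in other processes.
Action: Allow (temporary)

Alert: fear.exe wants to access the service control manager.
Comment: Can start, stop and delete services.
Action: Allow (temporary)

Alert: fear.exe wants to access lsass.exe in memory.
Comment: Game interrogating a core system process.
Action: Allow (temporary)

Alert: fear.exe wants to install a global hook in fear.exe
Comment: Self-inspection.
Action: Allow
"""

# Heuristic rules (this example's own): first matching pattern decides severity.
RULES = [
    (re.compile(r"debug (permission|privilege)", re.I),
     ("high", "SeDebugPrivilege lets a process open and alter any other process")),
    (re.compile(r"service control manager", re.I),
     ("high", "SCM access can create, stop or delete services")),
    (re.compile(r"modify .*\.sys\b", re.I),
     ("high", "write access to a kernel driver file outside the program's own files")),
    (re.compile(r"access (System|smss\.exe|csrss\.exe|winlogon\.exe|services\.exe|lsass\.exe|svchost\.exe) in memory", re.I),
     ("high", "reads or controls a core system process")),
    (re.compile(r"global hook", re.I),
     ("medium", "system-wide hook; review which module it targets")),
    (re.compile(r"direct access to the (screen|keyboard)", re.I),
     ("low", "expected for games")),
    (re.compile(r"wants to run ", re.I),
     ("low", "ordinary process launch")),
]


@dataclass
class HipsAlert:
    alert: str
    comment: str
    action: str


def parse_hips_log(text: str) -> list[HipsAlert]:
    """Group Alert/Comment/Action lines into records; a record ends at its Action line."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")  # only the first colon is the separator
        key = key.strip().lower()
        if sep and key in ("alert", "comment", "action"):
            current[key] = value.strip()
        if key == "action":
            records.append(HipsAlert(current.get("alert", ""), current.get("comment", ""), current["action"]))
            current = {}
    return records


def triage(record: HipsAlert) -> tuple[str, str]:
    """Return (severity, reason) for one alert; unmatched alerts are flagged for manual review."""
    for pattern, verdict in RULES:
        if pattern.search(record.alert):
            return verdict
    return ("unknown", "no rule matched; review manually")


def count_by_severity(text: str) -> dict[str, int]:
    return dict(Counter(triage(rec)[0] for rec in parse_hips_log(text)))


def high_risk_allowed(text: str) -> list[str]:
    """High-severity alerts the user allowed, even temporarily: the ones worth a second look."""
    return [rec.alert for rec in parse_hips_log(text)
            if triage(rec)[0] == "high" and rec.action.lower().startswith("allow")]


if __name__ == "__main__":
    for rec in parse_hips_log(SAMPLE_LOG):
        severity, reason = triage(rec)
        print(f"[{severity:7}] {rec.alert}  ({rec.action}) - {reason}")
    print("\nHigh-risk alerts that were allowed:", *high_risk_allowed(SAMPLE_LOG), sep="\n  ")
```

The rules are intentionally coarse: the point is to separate the prompts that are normal for a game from the few (Debug privilege, service control manager, driver file writes, memory access to system processes) that deserve a deliberate decision rather than a reflexive Allow.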

Sblade
12.11.2008, 18:06
VanguardLH....

I see your post very interesting....

So what's your opinion about fear.exe? Does it run at userland level (Ring3) or does this game use RING0 processes?

VanguardLH
12.11.2008, 21:25
I used Zsoft Uninstaller to monitor the install of FEAR. I scanned through its recorded changes pretty quickly and did not see anything that looked like a driver was getting installed.

The actions that I found suspect were that the game specifically targeted the sptd.sys file. It may target other CD/DVD drive emulators, as well. I've seen mention when Googling around that the game wants to check if it is running from a virtual CD/DVD drive.

Also of interest was that the game wanted elevated privileges via Debug mode and access to the System process (with its greater permissions) to go hunting inside other processes. The game wanted access to the Service Control Manager which could start, stop, delete, create, or disable any NT service (run "sc" in a DOS shell to see what you can do with it).

All of these appeared to be user-level processes but it is suspicious that the game wants elevated privileges and goes digging around like it does. I suspect it's all part of the SecureROM copy protection crap and Sony is known for doing nasty tricks with their software (wasn't too long ago they had the impotent rootkit-like scheme to hide some of their files installed from music CDs). A lot of the alerts for this game have nothing to do with playing the game and several seem just way too invasive. The copy protection scheme digs into the system way more than it seems necessary just to protect their interests in controlling piracy of their product. I have the SecureROM uninstaller to use after I uninstall the game.

Sblade
12.11.2008, 22:01
That SC controller is very interesting.... can you please tell me here or by PM how to reproduce the output to see the game wants to access the SC?

VanguardLH
12.11.2008, 23:59
I was using Comodo Firewall Pro which includes its Defense+ feature which is a HIPS (host intrusion protection system). Defense+ was set to Safe mode (rather than Clean mode which assumes anything already on the host when CFP was installed was okay). A HIPS-only program would also probably be just as good, like SSM (System Safety Monitor).