acme_pjz

Hello all developers, I'm a Windows user and recently I downloaded and installed the 0 A.D. alpha8 version. After installation I was surprised to find some kernel-mode driver (sys) files in the game's binary folder, and there aren't any READMEs or documentation that explain what these drivers are and what they will be used for. In the file property dialog I found that these drivers have invalid digital signatures (this situation often occurs in malicious software, namely 'fake digital signature'). You know that nowadays the Internet is full of malicious software, viruses, trojans, backdoors and rootkits, and ordinary software should not contain any kernel-mode (Ring0) code, so at first I thought these files were rootkits and deleted them immediately. After that I searched the 0 A.D. forum and the source code, and found that these files are high resolution timers that read the HPET timer, and the kernel-mode driver exports functions including manipulating \Device\PhysicalMemory, manipulating ports and reading/writing MSR registers and so on. According to my experience and Windows experts, the MSR register is used by the SYSENTER instruction and reading/writing it can do some malicious stuff such as kernel function hooks. And sending malicious commands to certain ports could lead to behavior which can be used by malicious software, for example sending commands to shut down the power immediately. Moreover, manipulating \Device\PhysicalMemory can read/write any position of kernel memory, including the SSDT, shadow SSDT and other important function tables, so one can use this to make malicious programs or rootkits. I believe that 0 A.D. contains no malicious code, but once the game loads the kernel-mode driver, other malicious programs can make use of this driver to perform harmful operations, so the driver can be a huge security loophole in the system.

I strongly recommend moving all the HPET timer operations into the driver and removing the public export functions for manipulating \Device\PhysicalMemory, ports and MSR registers. IMHO the best solution is to completely remove the kernel-mode driver (at least for normal players), because the forum post about the usage of the high resolution timer says that it will be used for profiling only.
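The check the post describes (finding .sys files in an application folder, looking at their signatures, and then asking whether they are registered and running as kernel drivers) can be scripted. This is an added example, not code from the post or from the 0 A.D. project; the folder path is an assumed placeholder and the script reports only, it changes nothing.

```powershell
# Added example (not from the post or the 0 A.D. project). Audits kernel-mode
# driver files found under an application folder. $AppDir is a placeholder path.
param(
    [string]$AppDir = 'C:\Program Files\ExampleGame\binaries'   # placeholder, adjust
)

# Kernel driver services currently known to the system (running or not).
$systemDrivers = Get-CimInstance -ClassName Win32_SystemDriver

# 1. Find every .sys file under the folder and inspect its Authenticode signature.
$sysFiles = Get-ChildItem -Path $AppDir -Recurse -Filter '*.sys' -File -ErrorAction SilentlyContinue

foreach ($file in $sysFiles) {
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash

    # 2. Is this file registered as a driver service, and is that service running?
    #    Win32_SystemDriver.PathName holds the image path; match on the file name.
    $registered = $systemDrivers | Where-Object {
        $_.PathName -and ($_.PathName -like "*\$($file.Name)")
    }

    [pscustomobject]@{
        File      = $file.FullName
        SHA256    = $hash
        SigStatus = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        Service   = if ($registered) { ($registered.Name -join ',') } else { '(not registered)' }
        State     = if ($registered) { ($registered.State -join ',') } else { '-' }
        StartMode = if ($registered) { ($registered.StartMode -join ',') } else { '-' }
    }
}

# Interpretation for a defender: a .sys file whose SigStatus is anything other
# than Valid, or whose Service/State shows it loaded at all, deserves a closer
# look at what the driver exports before the application is allowed to keep it.
```

Run it in an elevated PowerShell session so Win32_SystemDriver is fully populated; the output is one row per driver file and can be piped to `Format-Table` or `Export-Csv`.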