Nvidia security breach.

rollerbladegirl
69 New Member
Computer systems security : Pay attention to it.

I was recently reading an article on "Window HiJacking" at https://www.unknowncheats.me/forum/a...ay-betray.html . It explained how to "HiJack" a window, a trusted window.

The author talks about that and how the HiJack can be tested to verify that it worked. When testing it was found that another hijack had already occurred and was ongoing. It was reported to be via Nvidia. You should read the entire article. Whatever Nvidia's "excuse", their security breach seems to be hooking a trusted Windows program, and the author talks about how to use the Nvidia process to breach other programs that are using such trusted Windows programs.

Whoever that author is: Thank you for revealing this.

The basic logic seems to be reported supporting this: An Nvidia card in a common user's computer can be used to breach the security of someone else's software. Example: Person_A writes some software; their software directly uses Nvidia graphics (not just the system using it, but their software directly uses it); but Nvidia in itself has an ongoing breach into Person_A's software via Person_A's software dependency on Nvidia. That is bad.

Someone writes some software and thinks to use the supposed benefits of a market giant like Nvidia to help make their User Interaction better or smoother or in some manner easier for them to program, and then Nvidia does this? That is bad.

Here is some of that page, in case the powers that be "attempt to" remove it from the internet.

Quote from author:
Here is its code, ready to run and detect the most common overlays (don't hesitate to test your own overlays):

OverlayFinder.cpp
#include <Windows.h>
#include <Psapi.h>
#include <cstdint>
#include <cstdlib>
#include <vector>
#include <string>
#include <iostream>

#pragma comment(lib, "Psapi.lib") // GetProcessImageFileNameA is exported from Psapi

#define MAX_CLASSNAME 255
#define MAX_WNDNAME MAX_CLASSNAME

using namespace std;

struct OverlayFinderParams {
    DWORD pidOwner = 0;
    wstring wndClassName = L"";
    wstring wndName = L"";
    RECT pos = { 0, 0, 0, 0 }; // GetSystemMetrics with SM_CXSCREEN and SM_CYSCREEN can be useful here
    POINT res = { 0, 0 };
    float percentAllScreens = 0.0f;
    float percentMainScreen = 0.0f;
    DWORD style = 0;
    DWORD styleEx = 0;
    bool satisfyAllCriteria = false;
    vector<HWND> hwnds;
};

BOOL CALLBACK EnumWindowsCallback(HWND hwnd, LPARAM lParam);
vector<HWND> OverlayFinder(OverlayFinderParams params);

int main() {
    cout << "Search for suspicious windows presenting the characteristics of game cheats overlays." << endl;
    cout << "Play with it to try to detect your own overlay and improve your system accordingly." << endl;
    cout << endl;

    OverlayFinderParams params;
    params.style = WS_VISIBLE;
    params.styleEx = WS_EX_LAYERED | WS_EX_TRANSPARENT;
    params.percentMainScreen = 90.0f;
    params.satisfyAllCriteria = true;

    cout << "Searching for windows WS_VISIBLE, WS_EX_LAYERED, WS_EX_TRANSPARENT, taking 90%+ of the screen..." << endl;
    cout << endl;

    vector<HWND> hwnds = OverlayFinder(params);

    for (size_t i = 0; i < hwnds.size(); ++i) {
        DWORD pid = 0;
        DWORD tid = GetWindowThreadProcessId(hwnds[i], &pid);
        // Print the handle at pointer width; a cast to int truncates it on 64-bit builds
        cout << "Window #" << i + 1 << " found: HWND 0x" << hex << reinterpret_cast<uintptr_t>(hwnds[i])
             << " | Thread: " << dec << tid << " | PID: " << pid << endl;
        HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
        if (hProcess) {
            char cheatPath[MAX_PATH] = "";
            GetProcessImageFileNameA(hProcess, cheatPath, MAX_PATH);
            CloseHandle(hProcess);
            cout << cheatPath << endl;
        }
        cout << "----------------" << endl;
    }

    cout << endl;
    system("pause");

    return EXIT_SUCCESS;
}

BOOL CALLBACK EnumWindowsCallback(HWND hwnd, LPARAM lParam) {
    OverlayFinderParams& params = *(OverlayFinderParams*)lParam;

    unsigned char satisfiedCriteria = 0, unSatisfiedCriteria = 0;

    // If looking for windows of a specific PID
    DWORD pid = 0;
    GetWindowThreadProcessId(hwnd, &pid);
    if (params.pidOwner != 0) {
        if (params.pidOwner == pid)
            ++satisfiedCriteria;
        else
            ++unSatisfiedCriteria; // Doesn't belong to the process targeted
    }

    // If looking for windows of a specific class
    wchar_t className[MAX_CLASSNAME] = L"";
    GetClassNameW(hwnd, className, MAX_CLASSNAME);
    wstring classNameWstr = className;
    if (!params.wndClassName.empty()) {
        if (params.wndClassName == classNameWstr)
            ++satisfiedCriteria;
        else
            ++unSatisfiedCriteria; // Not the class targeted
    }

    // If looking for windows with a specific name
    wchar_t windowName[MAX_WNDNAME] = L"";
    GetWindowTextW(hwnd, windowName, MAX_WNDNAME);
    wstring windowNameWstr = windowName;
    if (!params.wndName.empty()) {
        if (params.wndName == windowNameWstr)
            ++satisfiedCriteria;
        else
            ++unSatisfiedCriteria; // Not the window name targeted
    }

    // If looking for a window at a specific position
    RECT pos = { 0, 0, 0, 0 };
    GetWindowRect(hwnd, &pos);
    if (params.pos.left || params.pos.top || params.pos.right || params.pos.bottom) {
        if (params.pos.left == pos.left && params.pos.top == pos.top && params.pos.right == pos.right && params.pos.bottom == pos.bottom)
            ++satisfiedCriteria;
        else
            ++unSatisfiedCriteria;
    }

    // If looking for a window of a specific size
    POINT res = { pos.right - pos.left, pos.bottom - pos.top };
    if (params.res.x || params.res.y) {
        if (res.x == params.res.x && res.y == params.res.y)
            ++satisfiedCriteria;
        else
            ++unSatisfiedCriteria;
    }

    // If looking for windows taking more than a specific percentage of all the screens.
    // The virtual screen spans every monitor (SM_CXSCREEN is the primary one only), and the
    // float casts avoid the integer division that would round any non-fullscreen window to 0%.
    float ratioAllScreensX = (float)res.x / GetSystemMetrics(SM_CXVIRTUALSCREEN);
    float ratioAllScreensY = (float)res.y / GetSystemMetrics(SM_CYVIRTUALSCREEN);
    float percentAllScreens = ratioAllScreensX * ratioAllScreensY * 100;
    if (params.percentAllScreens != 0.0f) {
        if (percentAllScreens >= params.percentAllScreens)
            ++satisfiedCriteria;
        else
            ++unSatisfiedCriteria;
    }

    // If looking for windows taking more than a specific percentage of the main screen
    RECT desktopRect = { 0, 0, 0, 0 };
    GetWindowRect(GetDesktopWindow(), &desktopRect);
    POINT desktopRes = { desktopRect.right - desktopRect.left, desktopRect.bottom - desktopRect.top };
    float ratioMainScreenX = (float)res.x / desktopRes.x;
    float ratioMainScreenY = (float)res.y / desktopRes.y;
    float percentMainScreen = ratioMainScreenX * ratioMainScreenY * 100;
    if (params.percentMainScreen != 0.0f) {
        if (percentMainScreen >= params.percentMainScreen) // compare the main-screen figure, not the all-screens one
            ++satisfiedCriteria;
        else
            ++unSatisfiedCriteria;
    }

    // Looking for windows with specific styles (every requested bit must be set)
    LONG_PTR style = GetWindowLongPtr(hwnd, GWL_STYLE);
    if (params.style) {
        if ((style & params.style) == params.style)
            ++satisfiedCriteria;
        else
            ++unSatisfiedCriteria;
    }

    // Looking for windows with specific extended styles (every requested bit must be set)
    LONG_PTR styleEx = GetWindowLongPtr(hwnd, GWL_EXSTYLE);
    if (params.styleEx) {
        if ((styleEx & params.styleEx) == params.styleEx)
            ++satisfiedCriteria;
        else
            ++unSatisfiedCriteria;
    }

    // Nothing matched: keep enumerating
    if (!satisfiedCriteria)
        return TRUE;

    // In strict mode a single unmet criterion disqualifies the window
    if (params.satisfyAllCriteria && unSatisfiedCriteria)
        return TRUE;

    // Candidate found; keep enumerating so every matching window is collected
    params.hwnds.push_back(hwnd);
    return TRUE;
}

vector<HWND> OverlayFinder(OverlayFinderParams params) {
    EnumWindows(EnumWindowsCallback, (LPARAM)&params);
    return params.hwnds;
}

Further quote from the author:
The surprise that blew my mind

When I first ran the overlay detector to detect my own old overlay, the detector found in fact not one but two windows.
Apparently I had on my system another window that was WS_VISIBLE, WS_EX_LAYERED, WS_EX_TRANSPARENT and completely fullscreen (1920x1080). I thought that it might be a bug in my detector, so I used Process Hacker to check that out and nope, it wasn't a bug:
and more:
Isn't that just perfect?
I was so much into my idea of hijacking a window and then making it have the properties of an overlay that I completely missed the possibility that such windows could already genuinely exist on my system!
Sooooooooo I guess instead of spawning processes then modifying windows and all this ... we can just use that window directly.
And the absolute cherry on the cake is that since it's an NVIDIA window, many, many gamers will have it too, so it makes it even harder to detect!

Nvidia and more (quote from the author):
Edit, for AMD users.
We can thank @dracorx for letting me know that AMD apparently also has an exploitable window of the same type.
It is in the solution Radeon Overlay (I haven't verified, please report if you use it)
This looks like a possible:
  • Nvidia security breach.
  • Radeon security breach.
  • Hard-coded built-in video card security breach.

Deal with it. If you write software and want better or easier graphics, then consider the security cost. Someone forcing YOUR program to do nasty things that you never intended it to do, by injecting their processes into your processes, through a "back door" via the video card, might not be what you want.

Go back to programming the graphics yourself, internal to your program, and do NOT integrate ANY dependence on ANY multimedia (sound, video, etc.) hardware.

Do not be flippant about security.
Jan 24 '20 #1
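The detection heuristic in the quoted code, reduced to its platform-independent scoring logic so it can be exercised without a Windows desktop. This is an added example, not the article's or the poster's code: the window attributes, process names and PIDs are constructed for the example, the three style constants are the numeric values from winuser.h, and the Win32 enumeration itself is replaced by a fixed list. Two details matter for a correct detector and are shown explicitly: the percent-of-screen figure must be computed in floating point (with integer operands the ratio truncates to 0 or 1, so only a pixel-exact fullscreen window ever scores), and a style criterion should require all requested bits rather than any one of them.

```cpp
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Win32 style bits the detector keys on (numeric values as defined in winuser.h).
constexpr uint32_t kWsVisible       = 0x10000000u;
constexpr uint32_t kWsExTransparent = 0x00000020u;
constexpr uint32_t kWsExLayered     = 0x00080000u;

// Snapshot of what EnumWindows + GetWindowRect + GetWindowLongPtr would report
// for one top-level window. Constructed data for this example, not a live capture.
struct WindowInfo {
    std::string owner;   // image name, used for the report only
    uint32_t pid;
    int width;
    int height;
    uint32_t style;
    uint32_t styleEx;
};

struct Screen { int width; int height; };

// Search profile; zero means "criterion not requested", as in the article's params struct.
struct Criteria {
    uint32_t style = 0;
    uint32_t styleEx = 0;
    float percentMainScreen = 0.0f;
    bool satisfyAll = true;
};

// Share of the primary screen covered by the window, in percent. The casts are the
// point: with int operands the ratio truncates to 0 or 1 and every window that is
// not pixel-exact fullscreen scores 0%.
float percentOfScreen(const WindowInfo& w, Screen s) {
    float rx = static_cast<float>(w.width) / static_cast<float>(s.width);
    float ry = static_cast<float>(w.height) / static_cast<float>(s.height);
    return rx * ry * 100.0f;
}

// The article's scoring rule: each requested criterion counts as satisfied or
// unsatisfied; nothing satisfied rejects, and in satisfyAll mode one unsatisfied
// criterion rejects as well.
bool matchesOverlayProfile(const WindowInfo& w, const Criteria& c, Screen s) {
    int satisfied = 0, unsatisfied = 0;
    auto check = [&](bool requested, bool ok) {
        if (!requested) return;
        if (ok) ++satisfied; else ++unsatisfied;
    };
    // Require every requested bit; an any-bit test would accept a window that is
    // layered but not transparent.
    check(c.style != 0,   (w.style & c.style) == c.style);
    check(c.styleEx != 0, (w.styleEx & c.styleEx) == c.styleEx);
    check(c.percentMainScreen != 0.0f, percentOfScreen(w, s) >= c.percentMainScreen);
    if (satisfied == 0) return false;
    if (c.satisfyAll && unsatisfied != 0) return false;
    return true;
}

std::vector<WindowInfo> findOverlays(const std::vector<WindowInfo>& windows,
                                     const Criteria& c, Screen s) {
    std::vector<WindowInfo> hits;
    for (const auto& w : windows) {
        if (matchesOverlayProfile(w, c, s)) hits.push_back(w);
    }
    return hits;
}

// Constructed desktop: a game window, a fullscreen layered+transparent overlay of
// the kind the article found, a small tooltip with the same styles, and a large
// window that is layered but not transparent.
std::vector<WindowInfo> sampleDesktop() {
    return {
        {"game.exe",           4100, 1920, 1080, kWsVisible, 0},
        {"vendor-overlay.exe", 2200, 1920, 1080, kWsVisible, kWsExLayered | kWsExTransparent},
        {"tooltip-host.exe",   3300,  300,   80, kWsVisible, kWsExLayered | kWsExTransparent},
        {"editor.exe",         5500, 1900, 1000, kWsVisible, kWsExLayered},
    };
}

// The profile the article's main() uses: visible, layered, transparent, 90%+ of the screen.
std::vector<WindowInfo> scanWithArticleProfile() {
    Criteria c;
    c.style = kWsVisible;
    c.styleEx = kWsExLayered | kWsExTransparent;
    c.percentMainScreen = 90.0f;
    c.satisfyAll = true;
    return findOverlays(sampleDesktop(), c, Screen{1920, 1080});
}

int main() {
    for (const auto& w : scanWithArticleProfile()) {
        std::cout << "overlay candidate: " << w.owner << " (PID " << w.pid << ", "
                  << w.width << "x" << w.height << ")\n";
    }
    return 0;
}
```

Only the fullscreen layered+transparent window survives the strict profile: the tooltip has the right styles but covers about 1% of the screen, and the large layered-only window fails the extended-style check. To run the same logic against a real system, replace sampleDesktop() with records filled from EnumWindows, GetWindowRect and GetWindowLongPtr; the scoring function does not change.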

