69
I was recently reading an article on "Window HiJacking" at https://www.unknowncheats.me/forum/a...ay-betray.html . It explained how to "HiJack" a window a trusted window.
The author talks about that and how the HiJack can be tested to verify that it worked. When testing it was found that another hijack had already occurred and was ongoing. It was reported to be via Nvidia. You should read the entire article. Whatever Nvidia's "excuse", their security breach seems to be hooking a trusted Windows' program, and the author talks about how to use the Nvidia process to breach other programs that are using such trusted Windows' programs.
Whoever that author is: Thank you for revealing this.
The basic logic seems to be reported supporting this: An Nvidia card in a common user's computer can be used to breach the security of someone else's software. Example: Person_A writes some software; their software directly uses Nvidia graphics (not just the system using it, but their sofware directly uses it); but Nvidia in itself has an ongoing breach into that Person_A's software via Person_A's software dependency on Nvidia. That is bad.
Someone writes some software and thinks to use the supposed benefits of a market giant like Nvidia to help make their User Interaction better or smoother or in some manner easier for them to program, and then Nvidia does this? That is bad.
Here is some of that page, in case the power's that "attempt to" be remove it from the internet.
Quote from author:
Here is its code, ready to run and detect the most common overlays (don't hesitate to test your own overlays):and
OverlayFinder.cpp
Expand|Select|Wrap|Line Numbers
- #include <Windows.h>
- #include <Psapi.h>
- #include <vector>
- #include <string>
- #include <iostream>
- #define MAX_CLASSNAME 255
- #define MAX_WNDNAME MAX_CLASSNAME
- using namespace std;
- struct OverlayFinderParams {
- DWORD pidOwner = NULL;
- wstring wndClassName = L"";
- wstring wndName = L"";
- RECT pos = { 0, 0, 0, 0 }; // GetSystemMetrics with SM_CXSCREEN and SM_CYSCREEN can be useful here
- POINT res = { 0, 0 };
- float percentAllScreens = 0.0f;
- float percentMainScreen = 0.0f;
- DWORD style = NULL;
- DWORD styleEx = NULL;
- bool satisfyAllCriteria = false;
- vector<HWND> hwnds;
- };
- BOOL CALLBACK EnumWindowsCallback(HWND hwnd, LPARAM lParam);
- vector<HWND> OverlayFinder(OverlayFinderParams params);
- int main() {
- cout << "Search for suspicious windows presenting the characteristics of game cheats overlays." << endl;
- cout << "Play with it to try to detect your own overlay and improve your system accordingly." << endl;
- cout << endl;
- OverlayFinderParams params;
- params.style = WS_VISIBLE;
- params.styleEx = WS_EX_LAYERED | WS_EX_TRANSPARENT;
- params.percentMainScreen = 90.0f;
- params.satisfyAllCriteria = true;
- vector<HWND> hwnds = OverlayFinder(params);
- cout << "Searching for windows WS_VISIBLE, WS_EX_LAYERED, ES_EX_TRANSPARENT, taking 90%+ of the screen..." << endl;
- cout << endl;
- for (int i(0); i < hwnds.size(); ++i) {
- DWORD pid = 0;
- DWORD tid = GetWindowThreadProcessId(hwnds[i], &pid);
- cout << "Window #" << i+1 << " found: HWND 0x" << hex << (int)hwnds[i] << " | Thread: " << dec << tid << " | PID: " << pid << endl;
- HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
- if (hProcess) {
- char cheatPath[MAX_PATH] = "";
- GetProcessImageFileNameA(hProcess, (LPSTR)&cheatPath, MAX_PATH);
- CloseHandle(hProcess);
- string cheatPathStr = cheatPath;
- cout << cheatPathStr << endl;
- }
- cout << "----------------" << endl;
- }
- cout << endl;
- system("pause");
- return EXIT_SUCCESS;
- }
- BOOL CALLBACK EnumWindowsCallback(HWND hwnd, LPARAM lParam) {
- OverlayFinderParams& params = *(OverlayFinderParams*)lParam;
- unsigned char satisfiedCriteria = 0, unSatisfiedCriteria = 0;
- // If looking for windows of a specific PDI
- DWORD pid = 0;
- GetWindowThreadProcessId(hwnd, &pid);
- if (params.pidOwner != NULL)
- if (params.pidOwner == pid)
- ++satisfiedCriteria; // Doesn't belong to the process targeted
- else
- ++unSatisfiedCriteria;
- // If looking for windows of a specific class
- wchar_t className[MAX_CLASSNAME] = L"";
- GetClassName(hwnd, className, MAX_CLASSNAME);
- wstring classNameWstr = className;
- if (params.wndClassName != L"")
- if (params.wndClassName == classNameWstr)
- ++satisfiedCriteria; // Not the class targeted
- else
- ++unSatisfiedCriteria;
- // If looking for windows with a specific name
- wchar_t windowName[MAX_WNDNAME] = L"";
- GetWindowText(hwnd, windowName, MAX_CLASSNAME);
- wstring windowNameWstr = windowName;
- if (params.wndName != L"")
- if (params.wndName == windowNameWstr)
- ++satisfiedCriteria; // Not the class targeted
- else
- ++unSatisfiedCriteria;
- // If looking for window at a specific position
- RECT pos;
- GetWindowRect(hwnd, &pos);
- if (params.pos.left || params.pos.top || params.pos.right || params.pos.bottom)
- if (params.pos.left == pos.left && params.pos.top == pos.top && params.pos.right == pos.right && params.pos.bottom == pos.bottom)
- ++satisfiedCriteria;
- else
- ++unSatisfiedCriteria;
- // If looking for window of a specific size
- POINT res = { pos.right - pos.left, pos.bottom - pos.top };
- if (params.res.x || params.res.y)
- if (res.x == params.res.x && res.y == params.res.y)
- ++satisfiedCriteria;
- else
- ++unSatisfiedCriteria;
- // If looking for windows taking more than a specific percentage of all the screens
- float ratioAllScreensX = res.x / GetSystemMetrics(SM_CXSCREEN);
- float ratioAllScreensY = res.y / GetSystemMetrics(SM_CYSCREEN);
- float percentAllScreens = ratioAllScreensX * ratioAllScreensY * 100;
- if (params.percentAllScreens != 0.0f)
- if (percentAllScreens >= params.percentAllScreens)
- ++satisfiedCriteria;
- else
- ++unSatisfiedCriteria;
- // If looking for windows taking more than a specific percentage or the main screen
- RECT desktopRect;
- GetWindowRect(GetDesktopWindow(), &desktopRect);
- POINT desktopRes = { desktopRect.right - desktopRect.left, desktopRect.bottom - desktopRect.top };
- float ratioMainScreenX = res.x / desktopRes.x;
- float ratioMainScreenY = res.y / desktopRes.y;
- float percentMainScreen = ratioMainScreenX * ratioMainScreenY * 100;
- if (params.percentMainScreen != 0.0f)
- if (percentAllScreens >= params.percentMainScreen)
- ++satisfiedCriteria;
- else
- ++unSatisfiedCriteria;
- // Looking for windows with specific styles
- LONG_PTR style = GetWindowLongPtr(hwnd, GWL_STYLE);
- if (params.style)
- if (params.style & style)
- ++satisfiedCriteria;
- else
- ++unSatisfiedCriteria;
- // Looking for windows with specific extended styles
- LONG_PTR styleEx = GetWindowLongPtr(hwnd, GWL_EXSTYLE);
- if (params.styleEx)
- if (params.styleEx & styleEx)
- ++satisfiedCriteria;
- else
- ++unSatisfiedCriteria;
- if (!satisfiedCriteria)
- return TRUE;
- if (params.satisfyAllCriteria && unSatisfiedCriteria)
- return TRUE;
- // If looking for multiple windows
- params.hwnds.push_back(hwnd);
- return TRUE;
- }
- vector<HWND> OverlayFinder(OverlayFinderParams params) {
- EnumWindows(EnumWindowsCallback, (LPARAM)¶ms);
- return params.hwnds;
- }
Further quote from the author:
The surprise that blew my mindand more:
When I first ran the overlay detector to detect my own old overlay, the detector found in fact not one but two windows.
Apparently I had on my system another window that was WS_VISIBLE, WS_EX_LAYERED, WS_EX_TRANSPARENT and completely fullscreen (1920x1080), I thought that it might be a bug in my detector, so I used Process Hacker to check that out and nope, it wasn't a bug:
Isn't that just perfect?
I was so much into my idea of hijacking a window and then make it have the properties of an overlay that I completely missed the possibility that such windows could already genuinely exist on my system!
Sooooooooo I guess instead of spawning processes then modifying windows and all this ... we can just use that window directly.
And the absolute cherry on the cake is that since it's an NVIDIA window, many, many gamers will have it too, so it makes it even harder to detect!
Nvidia and more (quote from the author):
Edit, for AMD users.This looks like a possible:
We can thank @dracorx for letting me know that AMD apparently also has an exploitable window of the same type.
It is in the solution Radeon Overlay (I haven't verified, please report if you use it)
- Nvidia security breach.
- Radeon security breach.
- Hard coded built-in video card security breach.
Deal with it. If you write software and want better or easier graphics, then consider the security cost. Someone forcing YOUR program to do nasty things that you never intended it to do, by their injecting their processes into your processes, through a "back door" via the video card, might not be what you want.
Go back to programming the graphics yourself, internal to your program, and do NOT integrate ANY dependence on ANY multimedia (sound, video, etc.) hardware.
Do not be flippant about security.
