By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
446,276 Members | 1,979 Online
Bytes IT Community
Submit an Article
Got Smarts?
Share your bits of IT knowledge by writing an article on Bytes.

Nvidia security breach.

rollerbladegirl
P: 69
Computer systems security : Pay attention to it.

I was recently reading an article on "Window HiJacking" at https://www.unknowncheats.me/forum/a...ay-betray.html . It explained how to "HiJack" a window a trusted window.

The author talks about that and how the HiJack can be tested to verify that it worked. When testing it was found that another hijack had already occurred and was ongoing. It was reported to be via Nvidia. You should read the entire article. Whatever Nvidia's "excuse", their security breach seems to be hooking a trusted Windows' program, and the author talks about how to use the Nvidia process to breach other programs that are using such trusted Windows' programs.

Whoever that author is: Thank you for revealing this.

The basic logic seems to be reported supporting this: An Nvidia card in a common user's computer can be used to breach the security of someone else's software. Example: Person_A writes some software; their software directly uses Nvidia graphics (not just the system using it, but their sofware directly uses it); but Nvidia in itself has an ongoing breach into that Person_A's software via Person_A's software dependency on Nvidia. That is bad.

Someone writes some software and thinks to use the supposed benefits of a market giant like Nvidia to help make their User Interaction better or smoother or in some manner easier for them to program, and then Nvidia does this? That is bad.

Here is some of that page, in case the power's that "attempt to" be remove it from the internet.

Quote from author:
Here is its code, ready to run and detect the most common overlays (don't hesitate to test your own overlays):


OverlayFinder.cpp
and


Expand|Select|Wrap|Line Numbers
  1.     #include <Windows.h>
  2.     #include <Psapi.h>
  3.     #include <vector>
  4.     #include <string>
  5.     #include <iostream>
  6.  
  7.     #define MAX_CLASSNAME 255
  8.     #define MAX_WNDNAME MAX_CLASSNAME
  9.  
  10.     using namespace std;
  11.  
  12.     struct OverlayFinderParams {
  13.         DWORD pidOwner = NULL;
  14.         wstring wndClassName = L"";
  15.         wstring wndName = L"";
  16.         RECT pos = { 0, 0, 0, 0 }; // GetSystemMetrics with SM_CXSCREEN and SM_CYSCREEN can be useful here
  17.         POINT res = { 0, 0 };
  18.         float percentAllScreens = 0.0f;
  19.         float percentMainScreen = 0.0f;
  20.         DWORD style = NULL;
  21.         DWORD styleEx = NULL;
  22.         bool satisfyAllCriteria = false;
  23.         vector<HWND> hwnds;
  24.     };
  25.  
  26.     BOOL CALLBACK EnumWindowsCallback(HWND hwnd, LPARAM lParam);
  27.     vector<HWND> OverlayFinder(OverlayFinderParams params);
  28.  
  29.     int main() {
  30.         cout << "Search for suspicious windows presenting the characteristics of game cheats overlays." << endl;
  31.         cout << "Play with it to try to detect your own overlay and improve your system accordingly." << endl;
  32.         cout << endl;
  33.  
  34.         OverlayFinderParams params;
  35.         params.style = WS_VISIBLE;
  36.         params.styleEx = WS_EX_LAYERED | WS_EX_TRANSPARENT;
  37.         params.percentMainScreen = 90.0f;
  38.         params.satisfyAllCriteria = true;
  39.         vector<HWND> hwnds = OverlayFinder(params);
  40.  
  41.         cout << "Searching for windows WS_VISIBLE, WS_EX_LAYERED, ES_EX_TRANSPARENT, taking 90%+ of the screen..." << endl;
  42.         cout << endl;
  43.  
  44.         for (int i(0); i < hwnds.size(); ++i) {
  45.             DWORD pid = 0;
  46.             DWORD tid = GetWindowThreadProcessId(hwnds[i], &pid);
  47.             cout << "Window #" << i+1 << " found: HWND 0x" << hex << (int)hwnds[i] << " | Thread: " << dec << tid << " | PID: " << pid << endl;
  48.             HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
  49.             if (hProcess) {
  50.                 char cheatPath[MAX_PATH] = "";
  51.                 GetProcessImageFileNameA(hProcess, (LPSTR)&cheatPath, MAX_PATH);
  52.                 CloseHandle(hProcess);
  53.                 string cheatPathStr = cheatPath;
  54.                 cout << cheatPathStr << endl;
  55.             }
  56.             cout << "----------------" << endl;
  57.         }
  58.  
  59.         cout << endl;
  60.         system("pause");
  61.  
  62.         return EXIT_SUCCESS;
  63.     }
  64.  
  65.     BOOL CALLBACK EnumWindowsCallback(HWND hwnd, LPARAM lParam) {
  66.         OverlayFinderParams& params = *(OverlayFinderParams*)lParam;
  67.  
  68.         unsigned char satisfiedCriteria = 0, unSatisfiedCriteria = 0;
  69.  
  70.         // If looking for windows of a specific PDI
  71.         DWORD pid = 0;
  72.         GetWindowThreadProcessId(hwnd, &pid);
  73.         if (params.pidOwner != NULL)
  74.             if (params.pidOwner == pid)
  75.                 ++satisfiedCriteria; // Doesn't belong to the process targeted
  76.             else
  77.                 ++unSatisfiedCriteria;
  78.  
  79.         // If looking for windows of a specific class
  80.         wchar_t className[MAX_CLASSNAME] = L"";
  81.         GetClassName(hwnd, className, MAX_CLASSNAME);
  82.         wstring classNameWstr = className;
  83.         if (params.wndClassName != L"")
  84.             if (params.wndClassName == classNameWstr)
  85.                 ++satisfiedCriteria; // Not the class targeted
  86.             else
  87.                 ++unSatisfiedCriteria;
  88.  
  89.         // If looking for windows with a specific name
  90.         wchar_t windowName[MAX_WNDNAME] = L"";
  91.         GetWindowText(hwnd, windowName, MAX_CLASSNAME);
  92.         wstring windowNameWstr = windowName;
  93.         if (params.wndName != L"")
  94.             if (params.wndName == windowNameWstr)
  95.                 ++satisfiedCriteria; // Not the class targeted
  96.             else
  97.                 ++unSatisfiedCriteria;
  98.  
  99.         // If looking for window at a specific position
  100.         RECT pos;
  101.         GetWindowRect(hwnd, &pos);
  102.         if (params.pos.left || params.pos.top || params.pos.right || params.pos.bottom)
  103.             if (params.pos.left == pos.left && params.pos.top == pos.top && params.pos.right == pos.right && params.pos.bottom == pos.bottom)
  104.                 ++satisfiedCriteria;
  105.             else
  106.                 ++unSatisfiedCriteria;
  107.  
  108.         // If looking for window of a specific size
  109.         POINT res = { pos.right - pos.left, pos.bottom - pos.top };
  110.         if (params.res.x || params.res.y)
  111.             if (res.x == params.res.x && res.y == params.res.y)
  112.                 ++satisfiedCriteria;
  113.             else
  114.                 ++unSatisfiedCriteria;
  115.  
  116.         // If looking for windows taking more than a specific percentage of all the screens
  117.         float ratioAllScreensX = res.x / GetSystemMetrics(SM_CXSCREEN);
  118.         float ratioAllScreensY = res.y / GetSystemMetrics(SM_CYSCREEN);
  119.         float percentAllScreens = ratioAllScreensX * ratioAllScreensY * 100;
  120.         if (params.percentAllScreens != 0.0f)
  121.             if (percentAllScreens >= params.percentAllScreens)
  122.                 ++satisfiedCriteria;
  123.             else
  124.                 ++unSatisfiedCriteria;
  125.  
  126.         // If looking for windows taking more than a specific percentage or the main screen
  127.         RECT desktopRect;
  128.         GetWindowRect(GetDesktopWindow(), &desktopRect);
  129.         POINT desktopRes = { desktopRect.right - desktopRect.left, desktopRect.bottom - desktopRect.top };
  130.         float ratioMainScreenX = res.x / desktopRes.x;
  131.         float ratioMainScreenY = res.y / desktopRes.y;
  132.         float percentMainScreen = ratioMainScreenX * ratioMainScreenY * 100;
  133.         if (params.percentMainScreen != 0.0f)
  134.             if (percentAllScreens >= params.percentMainScreen)
  135.                 ++satisfiedCriteria;
  136.             else
  137.                 ++unSatisfiedCriteria;
  138.  
  139.         // Looking for windows with specific styles
  140.         LONG_PTR style = GetWindowLongPtr(hwnd, GWL_STYLE);
  141.         if (params.style)
  142.             if (params.style & style)
  143.                 ++satisfiedCriteria;
  144.             else
  145.                 ++unSatisfiedCriteria;
  146.  
  147.         // Looking for windows with specific extended styles
  148.         LONG_PTR styleEx = GetWindowLongPtr(hwnd, GWL_EXSTYLE);
  149.         if (params.styleEx)
  150.             if (params.styleEx & styleEx)
  151.                 ++satisfiedCriteria;
  152.             else
  153.                 ++unSatisfiedCriteria;
  154.  
  155.         if (!satisfiedCriteria)
  156.             return TRUE;
  157.  
  158.         if (params.satisfyAllCriteria && unSatisfiedCriteria)
  159.             return TRUE;
  160.  
  161.         // If looking for multiple windows
  162.         params.hwnds.push_back(hwnd);
  163.         return TRUE;
  164.     }
  165.  
  166.     vector<HWND> OverlayFinder(OverlayFinderParams params) {
  167.         EnumWindows(EnumWindowsCallback, (LPARAM)&params);
  168.         return params.hwnds;
  169.     }
and

Further quote from the author:
The surprise that blew my mind

When I first ran the overlay detector to detect my own old overlay, the detector found in fact not one but two windows.
Apparently I had on my system another window that was WS_VISIBLE, WS_EX_LAYERED, WS_EX_TRANSPARENT and completely fullscreen (1920x1080), I thought that it might be a bug in my detector, so I used Process Hacker to check that out and nope, it wasn't a bug:
and more:
Isn't that just perfect?
I was so much into my idea of hijacking a window and then make it have the properties of an overlay that I completely missed the possibility that such windows could already genuinely exist on my system!
Sooooooooo I guess instead of spawning processes then modifying windows and all this ... we can just use that window directly.
And the absolute cherry on the cake is that since it's an NVIDIA window, many, many gamers will have it too, so it makes it even harder to detect!

Nvidia and more (quote from the author):
Edit, for AMD users.
We can thank @dracorx for letting me know that AMD apparently also has an exploitable window of the same type.
It is in the solution Radeon Overlay (I haven't verified, please report if you use it)
This looks like a possible:
  • Nvidia security breach.
  • Radeon security breach.
  • Hard coded built-in video card security breach.

Deal with it. If you write software and want better or easier graphics, then consider the security cost. Someone forcing YOUR program to do nasty things that you never intended it to do, by their injecting their processes into your processes, through a "back door" via the video card, might not be what you want.

Go back to programming the graphics yourself, internal to your program, and do NOT integrate ANY dependence on ANY multimedia (sound, video, etc.) hardware.

Do not be flippant about security.
4 Weeks Ago #1
Share this Article
Share on Google+