An Anti-cheat Method of Game Based on Windows Kernel Events
doi: 10.11999/JEIT190695
Key Laboratory of Aerospace Information Security and Trusted Computing of Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China
Abstract: To address the many limitations of current client-side anti-cheat methods, this paper proposes an anti-cheat method for online games based on kernel events and implements an anti-cheat system called CheatBlocker. The method uses the kernel event monitoring provided by Windows to monitor and intercept abnormal access between processes and the injection of abnormal modules. In addition, an anti-cheat dynamic-link library (DLL) injected from the kernel blocks simulated mouse and keyboard input. Experimental results show that CheatBlocker defends against process module injection cheats and user input simulation cheats with low performance overhead. Moreover, CheatBlocker does not need to modify kernel data or code, which preserves kernel integrity and gives it better generality and compatibility than current anti-cheat systems.
Key words: Game cheating; Anti-cheating; Module injection; Kernel event

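As an added illustration (not code from the paper), this portable C model shows the decision a handle-open event filter makes when it blocks abnormal cross-process access to the game. The paper's abstract does not say which kernel event serves this purpose; the event record, the policy struct and the function names are assumptions, and only the access-right constants are real Windows SDK values.

```c
#include <stddef.h>
#include <stdint.h>
/* Process access rights; values as defined in the Windows SDK (winnt.h). */
#define PROCESS_CREATE_THREAD             0x0002u
#define PROCESS_VM_OPERATION              0x0008u
#define PROCESS_VM_READ                   0x0010u
#define PROCESS_VM_WRITE                  0x0020u
#define PROCESS_DUP_HANDLE                0x0040u
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000u
/* Rights that memory editors and injectors need on the game process. */
#define GUARDED_RIGHTS (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | \
                        PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_DUP_HANDLE)

/* Hypothetical record of one "process handle opened" kernel event. */
struct open_event {
    uint32_t caller_pid, target_pid, desired_access;
    int kernel_caller;            /* requests from kernel mode are not filtered */
};

/* Hypothetical policy: the protected game plus an allowlist of helper PIDs. */
struct policy {
    uint32_t game_pid; const uint32_t *trusted; size_t n_trusted;
};

static int is_trusted(const struct policy *p, uint32_t pid)
{
    for (size_t i = 0; i < p->n_trusted; i++)
        if (p->trusted[i] == pid) return 1;
    return pid == p->game_pid;    /* the game may open itself */
}

/* Returns the access mask to grant; *stripped gets the removed bits for logging. */
uint32_t filter_open(const struct policy *p, const struct open_event *e,
                     uint32_t *stripped)
{
    *stripped = 0;
    if (e->target_pid != p->game_pid || e->kernel_caller ||
        is_trusted(p, e->caller_pid))
        return e->desired_access;
    *stripped = e->desired_access & GUARDED_RIGHTS;
    return e->desired_access & ~GUARDED_RIGHTS;
}

/* A CreateRemoteThread-style injection needs all of these on the target. */
int allows_remote_thread_injection(uint32_t granted)
{
    const uint32_t need = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE;
    return (granted & need) == need;
}
```

Stripping rights instead of denying the open keeps benign tools that only query the process working, while the returned `stripped` mask gives the monitor something to log.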
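Table 1. Functions hooked by the anti-cheat DLL

| Simulation type | Related API | API description |
|---|---|---|
| WindowSimulation | SendMessage | Sends a message directly to the specified window |
| WindowSimulation | PostMessage | Places a message on the specified window's message queue |
| WindowSimulation | RtlUserSendMessage | API called internally by SendMessage |
| WindowSimulation | RtlUserPostMessage | API called internally by PostMessage |
| GlobalSimulation | SendInput | Directly simulates mouse or keyboard operations |
| GlobalSimulation | mouse_event | Simulates the mouse |
| GlobalSimulation | keyboard_event | Simulates the keyboard |
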
Table 2. Experimental environment

| VM | CPU | Memory | Operating system |
|---|---|---|---|
| VM1 | 2 cores | 1 GB | Win7 SP1 (64 bit) |
| VM2 | 2 cores | 1 GB | Win7 SP1 (32 bit) |

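Table 3. Cheat test samples

| Game | Cheat tool | Related cheat technique | Cheat behavior |
|---|---|---|---|
| FIFA 10 | FIFA Cheater 0.5 | CreateRemoteThread injection | Memory modification |
| FIFA 10 | Mr.Anti.Fun Cheat | CreateRemoteThread injection | Memory modification |
| FIFA 10 | CPY FIFA Cheater | QueueUserApc injection | Code injection |
| FIFA 10 | FIFA Auto Runner | Window simulation | Bot (idle) script |
| CROSS FIRE | Sniper Rifle 1.0 | CreateRemoteThread injection | Memory modification |
| CROSS FIRE | LOCK Health Cheater | QueueUserApc injection | Memory modification |
| CROSS FIRE | Ice Modz 6041 Rc1 | Hook Windows message injection | Memory modification |
| CROSS FIRE | Crossfire Hacker | Thread hijacking injection | Code injection |
| CROSS FIRE | Remote Dll Injector | All injection techniques | DLL injection |
| CROSS FIRE | Assassin Wall Cf | Window simulation | Bot (idle) script |
| CROSS FIRE | Auto-Shooter | Input method (IME) injection / global simulation | Bot (idle) script |
| CROSS FIRE | Antifun GOLD Getter | Thread hijacking injection / window simulation | Bot (idle) script |
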
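Table 4. Comparison of the defensive effectiveness of anti-cheat systems

| Cheat technique | CheatBlocker | Nprotect | Xray | Warden | GameGuard | EasyAntiCheat |
|---|---|---|---|---|---|---|
| Remote thread creation injection | √ | √ | √ | √ | √ | √ |
| APC insertion injection | √ | √ | × | × | √ | √ |
| Thread hijacking injection | √ | √ | × | √ | √ | √ |
| Hook Windows message injection | √ | × | √ | × | √ | √ |
| Input method (IME) injection | √ | × | × | × | √ | √ |
| Global simulation | √ | × | × | × | √ | × |
| Window simulation | √ | × | × | × | √ | × |
| 64-bit system support | √ | √ | √ | √ | × | √ |
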
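Table 5. Comparison of the system overhead of anti-cheat systems

| System overhead | No Anti-Cheat | CheatBlocker | Nprotect | Xray | Warden | GameGuard | EasyAntiCheat |
|---|---|---|---|---|---|---|---|
| Average CPU usage (%) | 23.5 | 28.7 | 25.8 | 26.4 | 23.3 | 30.8 | 29.4 |
| Average memory usage (%) | 35.3 | 35.8 | 34.7 | 37.5 | 36.5 | 36.7 | 35.8 |
| Average startup time (s) | 20.1 | 24.6 | 23.4 | 22.8 | 22.3 | 28.9 | 25.7 |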