一種基于內(nèi)核事件的Windows系統(tǒng)游戲反外掛方法

傅建明; 楊錚; 羅陳可; 黃堅(jiān)偉

doi:10.11999/JEIT190695

一種基于內(nèi)核事件的Windows系統(tǒng)游戲反外掛方法

doi: 10.11999/JEIT190695

武漢大學(xué)國家網(wǎng)絡(luò)安全學(xué)院空天信息安全與可信計(jì)算教育部重點(diǎn)實(shí)驗(yàn)室武漢 430072

基金項(xiàng)目: 國家自然科學(xué)基金(61972297, U1636107)

詳細(xì)信息

作者簡介:
傅建明：男，1969年生，教授，研究方向?yàn)閻阂獯a檢測和漏洞檢測與防御

楊錚：男，1995年生，碩士生，研究方向?yàn)橄到y(tǒng)安全

羅陳可：男，1996年生，碩士生，研究方向?yàn)橄到y(tǒng)安全與二進(jìn)制安全

黃堅(jiān)偉：男，1996年生，碩士生，研究方向?yàn)榫W(wǎng)絡(luò)安全

通訊作者:
傅建明　jmfu@whu.edu.cn

中圖分類號: TN918; TP309
計(jì)量
- 文章訪問數(shù): 4173
- HTML全文瀏覽量: 3395
- PDF下載量: 201
- 被引次數(shù): 0
出版歷程
- 收稿日期: 2019-09-09
- 修回日期: 2020-06-13
- 網(wǎng)絡(luò)出版日期: 2020-07-18
- 刊出日期: 2020-09-27

An Anti-cheat Method of Game Based on Windows Kernel Events

Key Laboratory of Aerospace Information Security and Trusted Computing of Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China

Funds: The National Natural Science Foundation of China(61972297, U1636107)

摘要

摘要: 針對目前客戶端反外掛方法的諸多局限，該文提出一種基于內(nèi)核事件的網(wǎng)絡(luò)游戲反外掛方法，并實(shí)現(xiàn)了反外掛系統(tǒng)CheatBlocker。該方法通過監(jiān)控Windows系統(tǒng)中的內(nèi)核事件監(jiān)視和攔截進(jìn)程間的異常訪問及異常模塊注入，同時從內(nèi)核注入反外掛動態(tài)加載庫(DLL)用以阻斷鼠標(biāo)鍵盤的模擬。實(shí)驗(yàn)結(jié)果表明，CheatBlocker可防御進(jìn)程模塊注入外掛和用戶輸入模擬類外掛，且具有較低的性能開銷。而且，CheatBlocker無需修改內(nèi)核數(shù)據(jù)或代碼，相比于目前的反外掛系統(tǒng)具有更好的通用性與兼容性。
- 游戲外掛 /
- 反外掛 /
- 模塊注入 /
- 內(nèi)核事件
Abstract: In view of many limitations of current client anti plug-in methods, an anti-cheat method based on kernel events is proposed, and the network game anti-cheat system called CheatBlocker is implemented. This method uses the kernel event monitoring provided by Windows to intercept the abnormal access between processes and the injection of abnormal modules. At the same time, the anti-cheat Dynamic Loaded Library (DLL) injected from the kernel can block the simulation of the mouse keyboard. The experimental results show that CheatBlocker can defend against process module injection cheating and user input simulation cheating, and has low performance overhead. Moreover, CheatBlocker does not need to modify the kernel data or code which ensures the integrity of the kernel and is more compatible than the current anti-cheat systems.
- Game cheating /
- Anti-cheating /
- Module injection /
- Kernel event

HTML全文

圖 1 基于跨進(jìn)程訪問的注入方法

下載: 全尺寸圖片幻燈片

圖 2 基于系統(tǒng)機(jī)制的注入方法

下載: 全尺寸圖片幻燈片

圖 3 反外掛系統(tǒng)

下載: 全尺寸圖片幻燈片

圖 4 模塊注入防御

下載: 全尺寸圖片幻燈片

圖 5 防御用戶輸入模擬

下載: 全尺寸圖片幻燈片

表 1 反外掛DLL Hook函數(shù)

模擬類型	相關(guān)API	API 描述
WindowSimulation	SendMessage	直接向指定窗口發(fā)送消息
	PostMessage	將消息至于指定窗口的消息隊(duì)列上
	RtlUserSendMessage	SendMessage內(nèi)部調(diào)用API
	RtlUserPostMessage	PostMessage內(nèi)部調(diào)用API
GlobalSimulation	SendInput	直接模擬鼠標(biāo)或鍵盤操作
	mouse_event	模擬鼠標(biāo)
	keyboard_event	模擬鍵盤

下載: 導(dǎo)出CSV

表 2 實(shí)驗(yàn)環(huán)境

VM	CPU	內(nèi)存	操作系統(tǒng)
VM1	2 cores	1 GB	Win7 SP1 (64 bit)
VM2	2 cores	1 GB	Win7 SP1 (32 bit)

下載: 導(dǎo)出CSV

表 3 外掛測試樣本

	外掛工具	相關(guān)外掛技術(shù)	外掛行為描述
FIFA 10	FIFA Cheater 0.5	CreateRemoteThread 注入	內(nèi)存修改
	Mr.Anti.Fun Cheat	CreateRemoteThread 注入	內(nèi)存修改
	CPY FIFA Cheater	QueueUserApc 注入	代碼注入
	FIFA Auto Runner	窗口模擬	掛機(jī)腳本
CROSS FIRE	Sniper Rifle 1.0	CreateRemoteThread 注入	內(nèi)存修改
	LOCK Health Cheater	QueueUserApc 注入	內(nèi)存修改
	Ice Modz 6041 Rc1	Hook Windows 消息注入	內(nèi)存修改
	Crossfire Hacker	線程劫持注入	代碼注入
	Remote Dll Injector	所有注入技術(shù)	DLL注入
	Assassin Wall Cf	窗口模擬	掛機(jī)腳本
	Auto-Shooter	輸入法注入/全局模擬	掛機(jī)腳本
	Antifun GOLD Getter	線程劫持注入/窗口模擬	掛機(jī)腳本

下載: 導(dǎo)出CSV

表 4 反外掛系統(tǒng)防御效果對比

外掛技術(shù)	反外掛系統(tǒng)
外掛技術(shù)	CheatBlocker	Nprotect	Xray	Warden	GameGuard	EasyAntiCheat
創(chuàng)建遠(yuǎn)程線程注入	√	√	√	√	√	√
插入APC注入	√	√	×	×	√	√
線程劫持注入	√	√	×	√	√	√
Hook Windows消息注入	√	×	√	×	√	√
輸入法注入	√	×	×	×	√	√
全局模擬	√	×	×	×	√	×
窗口模擬	√	×	×	×	√	×
是否支持64位系統(tǒng)	√	√	√	√	×	√

下載: 導(dǎo)出CSV

表 5 反外掛系統(tǒng)系統(tǒng)開銷對比

系統(tǒng)開銷	No Anti-Cheat	CheatBlocker	Nprotect	Xray	Warden	GameGuard	EasyAntiCheat
平均CPU占用 (%)	23.5	28.7	25.8	26.4	23.3	30.8	29.4
平均內(nèi)存占用(%)	35.3	35.8	34.7	37.5	36.5	36.7	35.8
平局啟動時間(s)	20.1	24.6	23.4	22.8	22.3	28.9	25.7

下載: 導(dǎo)出CSV

參考文獻(xiàn)(20)

騰訊游戲研發(fā)部游戲安全中心. 游戲安全: 手游安全技術(shù)入門[M]. 北京: 電子工業(yè)出版社, 2016.

Game Security Center of Tencent Game R & D Department. Game Security: Introduction to Mobile Security Technology[M]. Beijing: Electronic Industry Press, 2016.

YAN J J and CHOI H J. Security issues in online games[J]. The Electronic Library, 2002, 20(2): 125–133. doi: 10.1108/02640470210424455

YAN J and RANDELL B. A systematic classification of cheating in online games[C]. The 4th ACM SIGCOMM Workshop on Network and System Support for Games, New York, USA, 2005: 1–9. doi: 10.1145/1103599.1103606.

KABUS P, TERPSTRA W W, CILIA M, et al. Addressing cheating in distributed MMOGs[C]. The 4th ACM SIGCOMM Workshop on Network and System Support for Games, New York, USA, 2005: 1–6. doi: 10.1145/1103599.1103607.

CHOI Y, CHANG S J, KIM Y, et al. Detecting and monitoring game bots based on large-scale user-behavior log data analysis in multiplayer online games[J]. The Journal of Supercomputing, 2016, 72(9): 3572–3587. doi: 10.1007/s11227-015-1545-2

羅平, 徐倩華. 網(wǎng)絡(luò)游戲外掛技術(shù)及檢測[J]. 計(jì)算機(jī)工程與設(shè)計(jì), 2007, 28(6): 1273–1276. doi: 10.3969/j.issn.1000-7024.2007.06.011

LUO Ping and XU Qianhua. Hack technology and detection of online games[J]. Computer Engineering and Design, 2007, 28(6): 1273–1276. doi: 10.3969/j.issn.1000-7024.2007.06.011

楊英杰, 冷強(qiáng), 常德顯, 等. 基于屬性攻擊圖的網(wǎng)絡(luò)動態(tài)威脅分析技術(shù)研究[J]. 電子與信息學(xué)報(bào), 2019, 41(8): 1838–1846. doi: 10.11999/JEIT181025

YANG Yingjie, LENG Qiang, CHANG Dexian, et al. Research on network dynamic threat analysis technology based on attribute attack graph[J]. Journal of Electronics &Information Technology, 2019, 41(8): 1838–1846. doi: 10.11999/JEIT181025

CHANG H and ATALLAH M J. Protecting software code by guards[C]. ACM CCS-8 Workshop DRM on Security and Privacy in Digital Rights Management, Berlin, Germany, 2001: 160–175. doi: 10.1007/3-540-47870-1_10.

THE L B and KHANH V N. GameGuard: A windows-based software architecture for protecting online games against hackers[C]. The Symposium on Information and Communication Technology, Hanoi, Vietnam, 2010: 171–178. doi: 10.1145/1852611.1852643.

梁光輝, 龐建民, 單征. 基于代碼進(jìn)化的惡意代碼沙箱規(guī)避檢測技術(shù)研究[J]. 電子與信息學(xué)報(bào), 2019, 41(2): 341–347. doi: 10.11999/JEIT180257

LIANG Guanghui, PANG Jianmin, and SHAN Zheng. Malware sandbox evasion detection based on code evolution[J]. Journal of Electronics &Information Technology, 2019, 41(2): 341–347. doi: 10.11999/JEIT180257

WOO J, KANG A R, and KIM H K. The contagion of malicious behaviors in online games[J]. ACM SIGCOMM Computer Communication Review, 2013, 43(4): 543–544. doi: 10.1145/2534169.2491712

AHMAD M A, KEEGAN B, SRIVASTAVA J, et al. Mining for gold farmers: Automatic detection of deviant players in mmogs[C]. 2009 International Conference on Computational Science and Engineering, Vancouver, Canada, 2009: 340–345. doi: 10.1109/cse.2009.307.

KWON H, MOHAISEN A, WOO J, et al. Crime scene reconstruction: Online gold farming network analysis[J]. IEEE Transactions on Information Forensics and Security, 2017, 12(3): 544–556. doi: 10.1109/tifs.2016.2623586

CHUNG Y, PARK C Y, KIM N R, et al. Game bot detection approach based on behavior analysis and consideration of various play styles[J]. ETRI Journal, 2013, 35(6): 1058–1067. doi: 10.4218/etrij.13.2013.0049

DUH H B L and CHEN V H. Cheating behaviors in online gaming[C]. The 3rd International Conference on Online Communities and Social Computing, Berlin, Germany, 2009: 567–573. doi: 10.1007/978-3-642-02774-1_61.

傅建明, 彭碧琛, 杜浩. 一種組件加載漏洞的動態(tài)檢測[J]. 清華大學(xué)學(xué)報(bào): 自然科學(xué)版, 2012, 52(10): 1356–1363, 1369. doi: 10.16511/j.cnki.qhdxxb.2012.10.007

FU Jianming, PENG Bichen, and DU Hao. Dynamic detection of component loading vulnerability[J]. Journal of Tsinghua University:Science and Technology, 2012, 52(10): 1356–1363, 1369. doi: 10.16511/j.cnki.qhdxxb.2012.10.007

HOGLUND G and MCGRAW G. Exploiting Online Games: Cheating Massively Distributed Systems[M]. New York, USA: Addison-Wesley Professional, 2007: 119–125.

WEBB S D and SOH S. Cheating in networked computer games: A review[C]. The 2nd International Conference on Digital Interactive Media in Entertainment and Arts, Perth, Australia, 2007: 105–112. doi: 10.1145/1306813.1306839.

LIU H I and LO Y T. DaCAP-a distributed Anti-Cheating peer to peer architecture for massive multiplayer on-line role playing game[C]. The 8th IEEE International Symposium on Cluster Computing and the Grid (CCGRID), Lyon, France, 2008: 584–589. doi: 10.1109/ccgrid.2008.49.

SEBASTIO S, AMORETTI M, MURGA J R, et al. Honest vs Cheating Bots in PATROL-based Real-time Strategy MMOGs[M]. CAGNONI S, MIROLLI M, and VILLANI M. Evolution, Complexity and Artificial Life. Heidelberg: Germaay, Springer, 2014: 225–238. doi: 10.1007/978-3-642-37577-4_15.

相關(guān)文章

施引文獻(xiàn)

資源附件(0)

訪問統(tǒng)計(jì)