AMD driver disables some system security features for games

D2

Administrator
Registered
19 Feb 2025
Messages
4,380
Reactions
0
11:27 / 19 May, 2021
The driver checks all the names of running processes on the system and compares them with a list of 19 video games.

Cybersecurity researcher Alex Ionescu has identified a disguised AMD driver on his Windows 10 test computer. The driver is able to change system settings depending on which video games are running on the device. According to the security expert, such behaviour can weaken the system's security and allow vulnerabilities to be exploited.

Ionescu found the file AMDPciDev.sys, WHQL-certified as a PnP PCI driver and installed in the operating system as a "dummy PCIe function" device.

After reverse engineering the driver, the researcher observed unusual behaviour, including a hashing routine and hooks that track the creation and termination of processes in the system and monitor them while they run. As it turns out, the driver checks the names of all running processes on the system and compares them against an internal list of 19 hashed video game names. If there is a match, the driver changes an MSR bit on the system to disable or enable certain hardware optimizations, including disabling or managing the instruction cache.

This behaviour can cause problems for the system under load, but improves the game's performance. According to the expert, the problem is the "very weak 32-bit hash (CRC or XOR)" used by the driver.

Another issue is that the security settings allow any user-mode application to use an unprivileged driver interface. An attacker could thus crash the system with a one-line PowerShell command.

According to Ionescu, only the B1 versions of the Zen 1 (Ryzen 1xxx) and Zen 2 XT (Ryzen 3xxx) series processors are affected, but the risks could be much greater.


https://www.securitylab.ru/news/520344.php
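The weak-hash problem described in the article, as an added illustration that is not from the article or from Ionescu's research: the real driver's hash function and game list are not given here, so the XOR-of-dwords hash, the three-name game list and the helper names below are assumptions. It shows how a lookup keyed on a 32-bit hash accepts names the list never contained, while comparing the full name does not.

```python
"""Model of a process-name allowlist keyed on a weak 32-bit hash.

Hypothetical model constructed for this note: the hash (XOR of 4-byte
chunks) and the game list are stand-ins, not the driver's real ones.
"""
import struct


def xor32(name: str) -> int:
    """Toy 32-bit hash: XOR of the upper-cased name in 4-byte little-endian chunks."""
    data = name.upper().encode("ascii")
    data += b"\0" * (-len(data) % 4)  # pad to a multiple of 4 bytes
    h = 0
    for (dword,) in struct.iter_unpack("<I", data):
        h ^= dword
    return h


# Constructed stand-in for the driver's table of hashed game names.
GAME_NAMES = ["overwatch.exe", "csgo.exe", "valorant.exe"]
GAME_HASHES = {xor32(n) for n in GAME_NAMES}


def weak_match(process_name: str) -> bool:
    """What a hash-only lookup does: any name whose hash collides 'is' a game."""
    return xor32(process_name) in GAME_HASHES


def strict_match(process_name: str) -> bool:
    """Compare the whole case-folded name instead of a 32-bit digest."""
    return process_name.upper() in {n.upper() for n in GAME_NAMES}


def swap_first_dwords(name: str) -> str:
    """Swap the first two 4-byte chunks of a name.

    XOR is commutative, so the toy hash of the result is unchanged even
    though the name is different: the lookup cannot tell them apart.
    """
    if len(name) < 8:
        raise ValueError("need at least two full 4-byte chunks")
    return name[4:8] + name[:4] + name[8:]


if __name__ == "__main__":
    original = "overwatch.exe"
    lookalike = swap_first_dwords(original)  # "watcoverh.exe"
    print(f"{original!r} hash={xor32(original):#010x}")
    print(f"{lookalike!r} hash={xor32(lookalike):#010x}")
    print("weak lookup matches lookalike:", weak_match(lookalike))
    print("strict lookup matches lookalike:", strict_match(lookalike))
```

Run it to see the two different names hash identically and the hash-only check accept the second one.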
 
Сверху Снизу