Reverse engineering of Aurum Ricochet anti-cheat driver
Name: Aurum.sys
Size: 275680 bytes (269 KiB)
CRC32: 6D8C2E97
CRC64: BCFB88FF217CC4C5
SHA256: 49BD8C5CB273E1F15BB27A6BCF6F3DA4147D432103D25182B0592518B0071702
SHA1: 7F5573763DFF163D8B0F0906A671ED9F2D9CA703
BLAKE2sp: 63CF22AA2C704CF32C674318B92F2315AE424A622971F55879EF8FE5FC776B8F
# of Bytes: 258184
# of Memory Blocks: 10
# of Instructions: 0
# of Defined Data: 1227
# of Functions: 0
# of Symbols: 33
# of Data Types: 54
# of Data Type Categories: 4
Comments: Aurum Driver
CompanyName: Activision Blizzard, Inc.
Compiler: visualstudio:unknown
Created With Ghidra Version: 10.0.1
Executable Format: Portable Executable (PE)
ProductName: Aurum Driver
ProductVersion: V1.0.0.0
Relocatable: true
PDB Age: 1
PDB File: Aurum.pdb
PDB GUID: 7db1926f-b5eb-40da-9f5e-47207d60bfca
PDB Version: RSDS
Section Alignment: 4096
See full IDA disassembly at ida_disasm_full.asm
- No anti kernel debugger
- Packed by original packer
.text IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_NOT_PAGED | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
.rdata IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_NOT_PAGED | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
.data IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_NOT_PAGED | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
.pdata IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_NOT_PAGED | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
.INIT IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
.rsrc IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
.reloc IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
.text IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
No potential abusable section.
- nt!RtlCompareMemory
- nt!KeAcquireGuardedMutex
- nt!KeReleaseGuardedMutex
- nt!ExAllocatePoolWithTag
- nt!ExFreePoolWithTag
- nt!IoGetCurrentProcess
- nt!ZwCreateFile
- nt!ZwQueryInformationFile
- nt!ZwReadFile
- nt!ZwClose
- nt!SeLocateProcessImageName
- nt!ZwQuerySystemInformation
- nt!KeInitializeSpinLock
- nt!KeAcquireSpinLockRaiseToDpc
- nt!KeReleaseSpinLock
- nt!KeInitializeGuardedMutex
- nt!IofCompleteRequest
- nt!IoCreateDevice
- nt!IoCreateSymbolicLink
- nt!IoDeleteDevice
- nt!IoDeleteSymbolicLink
- nt!ObRegisterCallbacks
- nt!ObUnRegisterCallbacks
- nt!PsSetCreateProcessNotifyRoutineEx
- nt!PsGetProcessPeb
- nt!PsProcessType
- nt!__C_specific_handler
No MmGetSystemRoutineAddress
import, but potential hardcoded imports with low possibility.
The WIN32 device name is \\\\.\\Aurum
.
2: kd> !drvobj Aurum
Driver object (ffffc38f2664d6c0) is for:
\Driver\Aurum
The device can be opened without any privileges.
Invalid IOCTL requests will resulted in getting last error code 0xE0000001
.
hDevice = CreateFileW(L"\\\\.\\Aurum", ...);
DeviceIoControl(hDevice, 0x555); // GetLastError:0xE0000001
2: kd> !drvobj Aurum 7
Driver object (ffffc38f2664d6c0) is for:
\Driver\Aurum
Driver Extension List: (id , addr)
Device Object list:
ffffc38f27034e10
DriverEntry: fffff80074885000 Aurum
DriverStartIo: 00000000
DriverUnload: fffff80074875360 Aurum
AddDevice: 00000000
Dispatch routines:
[00] IRP_MJ_CREATE fffff80074864450 Aurum+0x14450
[01] IRP_MJ_CREATE_NAMED_PIPE fffff80074864450 Aurum+0x14450
[02] IRP_MJ_CLOSE fffff80074864450 Aurum+0x14450
[03] IRP_MJ_READ fffff80074864450 Aurum+0x14450
[04] IRP_MJ_WRITE fffff80074864450 Aurum+0x14450
[05] IRP_MJ_QUERY_INFORMATION fffff80074864450 Aurum+0x14450
[06] IRP_MJ_SET_INFORMATION fffff80074864450 Aurum+0x14450
[07] IRP_MJ_QUERY_EA fffff80074864450 Aurum+0x14450
[08] IRP_MJ_SET_EA fffff80074864450 Aurum+0x14450
[09] IRP_MJ_FLUSH_BUFFERS fffff80074864450 Aurum+0x14450
[0a] IRP_MJ_QUERY_VOLUME_INFORMATION fffff80074864450 Aurum+0x14450
[0b] IRP_MJ_SET_VOLUME_INFORMATION fffff80074864450 Aurum+0x14450
[0c] IRP_MJ_DIRECTORY_CONTROL fffff80074864450 Aurum+0x14450
[0d] IRP_MJ_FILE_SYSTEM_CONTROL fffff80074864450 Aurum+0x14450
[0e] IRP_MJ_DEVICE_CONTROL fffff80074864450 Aurum+0x14450
[0f] IRP_MJ_INTERNAL_DEVICE_CONTROL fffff80074864450 Aurum+0x14450
[10] IRP_MJ_SHUTDOWN fffff80074864450 Aurum+0x14450
[11] IRP_MJ_LOCK_CONTROL fffff80074864450 Aurum+0x14450
[12] IRP_MJ_CLEANUP fffff80074864450 Aurum+0x14450
[13] IRP_MJ_CREATE_MAILSLOT fffff80074864450 Aurum+0x14450
[14] IRP_MJ_QUERY_SECURITY fffff80074864450 Aurum+0x14450
[15] IRP_MJ_SET_SECURITY fffff80074864450 Aurum+0x14450
[16] IRP_MJ_POWER fffff80074864450 Aurum+0x14450
[17] IRP_MJ_SYSTEM_CONTROL fffff80074864450 Aurum+0x14450
[18] IRP_MJ_DEVICE_CHANGE fffff80074864450 Aurum+0x14450
[19] IRP_MJ_QUERY_QUOTA fffff80074864450 Aurum+0x14450
[1a] IRP_MJ_SET_QUOTA fffff80074864450 Aurum+0x14450
[1b] IRP_MJ_PNP fffff8006b544b80 nt!IopInvalidDeviceRequest
Device Object stacks:
!devstack ffffc38f27034e10 :
!DevObj !DrvObj !DevExt ObjectName
> ffffc38f27034e10 \Driver\Aurum 00000000 Aurum
Processed 1 device objects.
Now we know that the dispatch routine is at offset 0x14450
.
2: kd> u Aurum+0x14450
Aurum+0x14450:
fffff800`74864450 e960deffff jmp Aurum+0x122b5 (fffff800`748622b5) ; jmp
fffff800`74864455 3da7bc1300 cmp eax,13BCA7h
fffff800`7486445a 0f84f7a20000 je Aurum+0x1e757 (fffff800`7486e757)
fffff800`74864460 e9ffd00200 jmp Aurum+0x41564 (fffff800`74891564)
fffff800`74864465 4d0fafc1 imul r8,r9
fffff800`74864469 498bc0 mov rax,r8
fffff800`7486446c 48c1e820 shr rax,20h
fffff800`74864470 493bc3 cmp rax,r11
2: kd> u Aurum+0x122b5
Aurum+0x122b5:
fffff800`748622b5 48895c2408 mov qword ptr [rsp+8],rbx
fffff800`748622ba 4889742418 mov qword ptr [rsp+18h],rsi
fffff800`748622bf 57 push rdi
fffff800`748622c0 4154 push r12
fffff800`748622c2 4155 push r13
fffff800`748622c4 4156 push r14
fffff800`748622c6 4157 push r15
fffff800`748622c8 4881ec60020000 sub rsp,260h
See full disassembly at asm_Aurum%2B0x122b5.asm