Genshin Security Impact

An MMORPG with cute anime-style characters and maybe a bit too much inspiration taken from another classic Nintendo franchise, Genshin Impact is a relatively popular game across the PlayStation, iOS, Android, and PC platforms. That last one has already generated a bit of controversy, since the PC version of the game includes an anti-cheat kernel driver that runs in the Windows kernel context, and on initial release that module kept running even after the game was closed.

That anti-cheat driver is back in the news, with Trend Micro discovering a ransomware campaign that includes mhyprot2.sys, the anti-cheat driver, as a component of the infection. The module is known to have vulnerabilities, and is still a signed kernel driver, so the malware campaign loads the driver and uses its functions to disable anti-malware protections.

The rest of the campaign is straightforward. Starting with access to a single domain-connected machine, an attacker uses that foothold to gain access to the domain controller. The malicious script is hosted on shared storage, and PsExec is used to run it on all the domain member machines. The real novelty here is the use of the vulnerable anti-cheat kernel driver as the anti-malware bypass. As far as we can tell, this driver is *still* signed and considered trustworthy by Windows. We join the call for Microsoft to revoke this vulnerable driver, as it’s now actively being used in ongoing malware campaigns. For more on security, check out our weekly column on the topic,
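A defender's check for the pattern described above, added here as an example and not code from the article or from Trend Micro: it scans constructed Sysmon-style DriverLoad records for the known-vulnerable mhyprot2.sys and for unsigned drivers, and deliberately treats a valid signature as no reassurance, since a valid signature is exactly what the abuse relies on. The game's install directory and the key=value log layout are assumptions made for this example.

```python
import ntpath
import re

# Driver file names known to be vulnerable and abused while still validly signed.
# mhyprot2.sys is the one named in the article; a real deployment would match on
# hashes or versions from a maintained vulnerable-driver blocklist as well.
KNOWN_VULNERABLE_DRIVERS = {"mhyprot2.sys"}

# Assumed location of the legitimate game install (example value, not verified).
EXPECTED_INSTALL_DIRS = ("c:\\program files\\genshin impact\\",)

# Constructed records in the shape of Sysmon Event ID 6 (DriverLoad), flattened
# to key=value pairs. These are not real captures; signer names are made up.
SAMPLE_EVENTS = [
    "EventID=6 UtcTime=2022-08-25 10:01:12 ImageLoaded=C:\\Program Files\\Genshin Impact\\mhyprot2.sys Signed=true Signature=Game Vendor Ltd. SignatureStatus=Valid",
    "EventID=6 UtcTime=2022-08-25 10:04:30 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys Signed=true Signature=Microsoft Windows SignatureStatus=Valid",
    "EventID=6 UtcTime=2022-08-25 11:47:02 ImageLoaded=C:\\Users\\Public\\mhyprot2.sys Signed=true Signature=Game Vendor Ltd. SignatureStatus=Valid",
    "EventID=6 UtcTime=2022-08-25 11:48:10 ImageLoaded=C:\\Users\\Public\\kill_svc.sys Signed=false Signature= SignatureStatus=Unsigned",
]


def parse_event(line):
    """Split 'Key=Value Key2=Value' into a dict; values may contain spaces."""
    return dict(field.split("=", 1) for field in re.split(r" (?=\w+=)", line))


def assess_driver_load(event):
    """Return (severity, reason) for a suspicious DriverLoad, or None if benign."""
    if event.get("EventID") != "6":
        return None
    image = event["ImageLoaded"]
    name = ntpath.basename(image).lower()
    if name in KNOWN_VULNERABLE_DRIVERS:
        # Signature status is ignored on purpose: the driver is signed and valid,
        # and that is precisely why malware brings it along.
        if image.lower().startswith(EXPECTED_INSTALL_DIRS):
            return ("medium", f"known-vulnerable driver {name} loaded from game directory")
        return ("high", f"known-vulnerable driver {name} loaded from unexpected path {image}")
    if event.get("SignatureStatus", "").lower() != "valid":
        return ("high", f"driver {name} loaded without a valid signature")
    return None


def scan(lines):
    """Run every record through assess_driver_load and collect the findings."""
    findings = []
    for line in lines:
        event = parse_event(line)
        verdict = assess_driver_load(event)
        if verdict:
            findings.append((event["UtcTime"], event["ImageLoaded"], *verdict))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(*finding)
```

The medium/high split only records where the driver was loaded from; the driver's presence at all is the event to act on, whichever path it came from.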

RF Burns And Exploding PC Speakers: Sophos Looks At The Evidence

Every year in the month of June, someone by the unlikely name of [R.F. Burns] posts a question to the Linux Kernel Mailing List asking whether a Linux kernel module is possible that would blow the PC speaker. It’s fairly obviously a joke, which is why the UK-based anti-virus company Sophos have devoted a light-hearted blog post to it.

The post is an interesting diversion into early PC sounds, when the only hardware guaranteed to be present was a small speaker hooked up to a bit on an output port. The bit could be cycled for square wave beeps, or with a lot of clever manipulation could put out a low-bitrate PWM that delivered almost intelligible sounds including music and voice. They conclude that, since the speaker would have been designed to run at the full amplitude of the 5-volt output bit all the time, it should be impossible to blow it from software, and we’d be inclined to agree. There’s a remote possibility that some speakers might have a resonant frequency that could be found in software, but we’re not entirely convinced.

Your Hackaday scribe might have spent a while in a university computer lab back in the day trying and failing to write C code that would produce a usable PWM on an XT speaker, but those with long memories might recall the PC speaker driver for Windows 3.1. If you’re a fan of chiptune music there are even entire albums written for this most basic of instruments.

Header image: MKFI, Public domain.

Lattice ICE40 FPGA Configured By Linux Kernel

The Linux kernel recently added support for loading firmware into an FPGA via the FPGA Manager Framework. [OpenTechLab] has built a driver for the Lattice iCE40 FPGA (the same chip used on the iCEStick and other development boards). One attraction of the iCE40 is that there is an open source toolchain for it called IceStorm.

Even if you aren’t specifically interested in FPGAs, the discussion about Linux device drivers is good background. The principles would apply to other drivers, and would definitely apply if you want to write another FPGA loader.
