A fresh update for Capcom’s Street Fighter V includes a knock-out move, a secret rootkit that gives any installed application kernel-level privileges.
Kernel level refers to the fact that any malicious software on the system can use a suspicious driver to completely take over the Windows machine. Capcom claims it’s using the driver to stop people cheating in-game.
The technical details are as follows. The capcom.sys kernel-level driver provides an IOCTL service to applications that disables SMEP on the computer, executes code at a given pointer, and then reenables SMEP. In other words, it switches off a crucial security defense in the operating system, then runs whatever instructions are given to it by the application, and then switches the protection back on.
SMEP is a feature in modern Intel and AMD x86 processors that, when enabled, prevents kernel-level software from executing code in user-owned memory pages. It’s there to stop hackers from tricking the operating system into running malicious software smuggled into an application’s virtual memory space – the OS should only be able to run its own trusted code, not anything provided by any app.
Capcom.sys blows this away on Windows, an application needs only to pass control codes 0xAA012044 and 0xAA013044 to the IOCTL, and a pointer to some instructions, and the driver will then jump to that block of code with full kernel permissions.
Capcom claims that its intentions are noble, allowing its user-mode game to poke around the machine at the lowest level to spot any cheating attempts by the player. This tool was bundled with an update, to Street Fighter V that that introduced a new character, Urien.
“As a part of the new content and system update releasing later today, we’re also rolling out an updated anti-crack solution (note: not DRM) that prevents certain users from hacking the executable,” a Capcom rep explained on Thursday.
“The solution also prevents memory address hack that are commonly used for cheating and illicitly obtaining in-game currency and other entitlements that haven’t been purchased yet.
“The anti-crack solution does not require online connectivity in order to play the game in offline mode; however, players will be required to click-confirm each time they boot up the game. This step allows ‘handshake’ to take place between the executable and the dependent driver prior to launch.”
Gamers first that something was amiss when the upgrade brought in a new driver and demanded operating-system-grade access to the computer before the game started. A number of players say they couldn’t even get the new version to work at all. A full-blown online meltdown ensued.
A Capcom rep has since tweeted:
“We are in the process of rolling back the security measures added to the PC version of Street Fighter V. After the rollback process to the PC version, all new content from the September update will still be available to players. We apologize for the inconvenience and will have an update on the time-frame for the PC rollback solution soon.”
