API tools faq
paste
hlsdk

Documentation in progress k

hlsdk
Jul 28th, 2010
71
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.19 KB | None | 0 0
raw download clone embed print report
  1. Valve is in your computer, snooping at your programs.
  2.  
  3. Documentation of Scan #9 (that's the 10th entry in the jumptable)
  4.  
  5. This is one of many scan features used by VAC and could also be a bit invasive.
  6. It's a simple process scan which is also uploading the names of executables to the Steam servers.
  7.  
  8. They will loop through the list of processes, selecting random processes and putting them into an array somewhere.
  9. They'll also grab the EXE's as they exist in memory.
  10.  
  11. Once they build this table, they then pull random winners out of a hat to determine whether to hash the file,
  12. the executable in memory, or both.
  13.  
  14. Example:
  15. OpenProcess: Process 3628, desired access 0x00000410
  16. Copy string uTorrent.exe -> 0x003CF97C
  17. ReadProcessMemory Handle 00000048, Read 0x00001000 bytes at 0x00400000
  18. Produced MD5 Hash 090fa5f64cfb050b8ffaec7f57c31834
  19.  
  20. They then write this out to the packet, and repeat the process a few more times.
  21. The final packet ends up looking like this:
  22.  
  23. 00000000 80 00 04 00 00 00 00 00 06 00 01 00 00 00 00 00 ................
  24. 00000010 07 00 00 00 00 01 00 00 04 00 00 00 00 00 00 00 ................
  25. 00000020 09 0F A5 F6 4C FB 05 0B 8F FA EC 7F 57 C3 18 34 ....L.......W..4
  26. 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  27. 00000040 03 00 40 00 01 00 40 00 75 54 6F 72 72 65 6E 74 ..@[email protected]
  28. 00000050 2E 65 78 65 00 00 00 00 82 61 59 67 BF F0 FB F2 .exe.....aYg....
  29. 00000060 64 C1 45 13 78 7C DD 3B CB 31 07 8F 93 7F F0 B2 d.E.x|.;.1......
  30. 00000070 89 E4 D1 E6 D7 36 69 72 02 00 2B 01 01 00 2B 01 .....6ir..+...+.
  31. 00000080 6D 73 70 64 62 73 72 76 2E 65 78 65 00 00 00 00 mspdbsrv.exe....
  32. 00000090 05 0C 86 59 B3 07 13 E3 D4 39 59 44 2E D5 8A C4 ...Y.....9YD....
  33. 000000A0 0B 35 09 C6 27 8B DE B3 99 70 52 61 C9 3D 82 A0 .5..'....pRa.=..
  34. 000000B0 02 00 57 2F 01 00 57 2F 64 65 76 65 6E 76 2E 65 ..W/..W/devenv.e
  35. 000000C0 78 65 00 00 00 00 00 00 FA 28 77 1E C7 B5 CC 10 xe.......(w.....
  36. 000000D0 FA C9 6C D3 02 82 95 80 73 5F A8 C5 B1 5F 64 98 ..l.....s_..._d.
  37. 000000E0 F0 B1 A4 75 EF D1 FD 62 02 00 13 00 01 00 13 00 ...u...b........
  38. 000000F0 52 65 70 6C 61 79 37 2E 65 78 65 00 00 00 00 00 Replay7.exe.....
  39.  
  40. And there you have it; Valve knows what programs we use.
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!