glass houses copy

a guest
Oct 21st, 2019
TL;DR: TacoNBanana employs a Lua script called gcap that can not only view your screen, but your Steam overlay and any window sitting in front of it, enabling them to read your chats. This has been utilized for years (possibly dating back to the beginning of the last HL2 iteration) to eavesdrop on personal conversations.

I know about this because Bennet Dyson showed me my own screen a few years ago as a joke. I kept it under my hat, and I acknowledge that this was a poor decision on my part; people should have known, long ago, that the owner of their community voyeurs on their personal discourse. However, I don’t expect my word alone to stand as evidence, particularly given recent turbulence. Proof is required. Scilicet:

My first attempt at working out which script was being used was to look for similar functionality. ServerGuard was my first stop.

ServerGuard is a Garry’s Mod server administration tool similar to ULX, but with some additional features. One of these features is the ability to capture a user's screen. The purpose of this feature is to allow admins to view snapshots of the entire space in front of the game to detect overlays that may give them an advantage; however, it can also be utilized to view the Steam or Discord overlay and allow conversations to be eavesdropped on in close to real time.

In order to test this, I spun up my own server running an older version of ServerGuard, as newer ones removed Steam overlay viewing over privacy concerns.

I didn’t hide anything in order to make it as noisy as possible and find as many ways to passively detect the script as I could. It turns out that when you don’t make an effort to hide the tool’s use, it prints in console and chat, saves data to your Garry’s Mod configuration, and generally makes a lot of noise.

Most of these are easy to disable by modifying the source code, but after digging through a dump of my RAM, I found a section of live memory with a very well labeled section of variables. This is on my test box:

https://i.imgur.com/pYKPcW4.png

ServerGuard’s presence, cleanly labeled, very distinct, and unlikely to have been scrubbed during Bennet’s efforts to obfuscate ServerGuard’s use. Through this effort, I discovered that sometime in 2016-2017, “render.Capture”, the function used to pull a user's full screen, was patched to only capture the game window if it’s not buffered with “PostRender”. This meant that the old version I had would only return a black screen.

https://i.imgur.com/6rx2jIt.png

However, I pushed on just to see if there was any evidence of use. To test, I cleaned my machine of all the local files and restarted to clear my RAM of the indicators I had already found. I made sure there wasn’t any trace of it in my memory by running a fresh dump, and found two symlinks much further down the heap. I made a note to discount these if they were the only thing I could find while on TnB’s server, as they would have been false positives:

https://i.imgur.com/w7wNkAw.png

I hopped on TRP and dumped my memory:

Nothing but the false positive from earlier. I figured I’d have to dive a little deeper to find the information I was looking for. I loaded up a handy little injection to pull down all of TRP’s files (some information is redacted to avoid personal attribution, other parts because I don’t want to detail my exact methodology for dumping a server’s files; however, to cover my ass: there was no unauthorized access of TnB’s box to acquire these files).

https://i.imgur.com/zD3k5VW.png

Proof that these are indeed TRP’s files:

https://i.imgur.com/ORDoVGj.png

I started searching around for anything related to ServerGuard, including render.Capture, and came up with nothing. I then started manually crawling through the files I pulled down. Among the addons I found gcap:

https://i.imgur.com/t35PYUE.png

Gcap is more or less a standalone version of ServerGuard’s screencap function, whereby the user’s screen is captured, and it’s sent back to the caller via chunked, base64-encoded binary and decoded into a pretty HTML wrapper.

https://i.imgur.com/UfLiiMx.png

To check this script out I grabbed myself a copy of gcap to port the code over to its modern implementation:

https://i.imgur.com/Bow7XPZ.png
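As an added example (not code from the paste, from gcap or from ServerGuard), here is a small static scanner a server owner or player could run over a Garry's Mod addon directory to flag Lua files that combine the ingredients the post describes: a `render.Capture` call (typically inside a `PostRender` hook), base64 encoding of the result, and `net.*` sends back to the server. The two Lua snippets are constructed samples, and the indicator list is an assumption about what such scripts look like, not a signature taken from the real tool.

```python
import os
import re

# Constructed sample Lua sources: one mimicking the capture-encode-send
# pattern described in the post, one a benign PostRender hook.
SUSPECT_LUA = """
hook.Add("PostRender", "grab", function()
    local png = render.Capture({format = "png", x = 0, y = 0, w = ScrW(), h = ScrH()})
    local data = util.Base64Encode(png)
    for i = 1, #data, 60000 do
        net.Start("shot_chunk")
        net.WriteString(string.sub(data, i, i + 59999))
        net.SendToServer()
    end
end)
"""
BENIGN_LUA = """
hook.Add("PostRender", "crosshair", function()
    surface.SetDrawColor(255, 0, 0)
    surface.DrawRect(ScrW() / 2, ScrH() / 2, 2, 2)
end)
"""

# Indicators (assumed, not an official signature): each is checked per line.
PATTERNS = {
    "capture": re.compile(r"\brender\.Capture\s*\("),
    "postrender_hook": re.compile(r'hook\.Add\s*\(\s*"PostRender"'),
    "base64": re.compile(r"\butil\.Base64Encode\s*\(|\bbase64\b", re.I),
    "net_send": re.compile(r"\bnet\.(SendToServer|Send|Broadcast)\s*\("),
}

def score_lua(src):
    """Map each matched indicator name to the line numbers where it occurs."""
    hits = {}
    for n, line in enumerate(src.splitlines(), 1):
        for name, pat in PATTERNS.items():
            if pat.search(line):
                hits.setdefault(name, []).append(n)
    return hits

def verdict(hits):
    """Capture plus a network send is the exfiltration combination; capture
    alone may be a legitimate screenshot feature, so it is rated lower."""
    if "capture" in hits and "net_send" in hits:
        return "high"
    if "capture" in hits:
        return "medium"
    return "none"

def scan_dir(root):
    """Walk an addon tree and return {path: verdict} for every flagged .lua file."""
    flagged = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(".lua"):
                p = os.path.join(dirpath, f)
                with open(p, encoding="utf-8", errors="replace") as fh:
                    v = verdict(score_lua(fh.read()))
                if v != "none":
                    flagged[p] = v
    return flagged
```

Point `scan_dir` at a server's `addons/` or a client's `lua/` cache; a "high" hit is worth reading by hand, since obfuscated variants will not match these literal names.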