Process Hacker and Windows discussion

 
JohnTitor
Member
Posts: 5
Joined: 28 Sep 2018 01:38
OS: Windows 10 x64, Ubuntu 18.04

Xigncode anti-cheat

28 Sep 2018 01:43

Hey there party people

I am an avid PH user and recently some anti-cheat service named "xigncode 3" has detected that PH is suspicious or malicious.. I know this is not PH's fault or anything, but it made me wonder if it is somehow possible to disguise or hide the program from being detected by other applications, just like Magisk disguises itself with a random package name on Android. I wondered if this could be implemented into PH as well..
 
dmex
Admin
Posts: 1555
Joined: 17 Jan 2011 05:43
Location: Australia

Re: Other application detects PH as malicious

28 Sep 2018 19:26

Hi John,

Thank you for emailing me those screenshots yesterday. I'll update the thread when I have more information :thumbup:
Last edited by dmex on 01 Oct 2018 01:43, edited 2 times in total.
Reason: merged duplicate thread from Astara
 
Astara
Member
Posts: 25
Joined: 03 Oct 2011 21:15
OS: Win7-64, Suse11.4-x64

Xigncode anti-cheat

01 Oct 2018 00:32

This wasn't a problem before, but the malware writers (disguised as game security software) XIGNCODE by Wellbia.com are picking up kprocesshacker.sys as malware (they call it a suspicious file, but kill off the game upon detection).

Before, there was a check on program startup for some banned software, like Process Monitor -- which also has a driver, but 2 things made that more tolerable -- it was only checked at startup and I didn't use it that often. So when I did, I'd just know I'd need to reboot before re-entering the game (which I often kept up for days in the background). I see it being used with 2 games -- Blade&Soul (BnS) and Tera, but oddly, with Tera, it doesn't seem to protest, possibly because the game crashes immediately and I only ever get as far as the launcher in that game.

However, with BnS, I've been playing that for about 9 months. It's "free to play" -- meaning you download and run it with an account (also free), so it is theoretically free to test with should you be so inclined. It only starts detection after you have typed in your password and your PIN (need both -- both free from NCsoft's website). So the game launches, but XIGNCODE kills the game before you get out of the lobby.

So far I have only tried contacting Wellbia -- when it kills the game it puts up a popup + code to check at their website. That tells you to send the XIGNORE log file to their support address and they send back the name of the problem-causing file. So far, it seems they are only complaining about the .SYS files, telling you to quit the program you are running and try again.

Is it impossible to unload the driver after it has been loaded w/o rebooting your system?

At least it would make testing things a bit easier. Tried renaming the install pathname, but that makes no difference. Don't know if they are using a name- or sig-based protection. I have asked them to remove it but not gotten an answer -- I have yet to contact game support to see if they'll contact Wellbia, as this is much more invasive -- they even tell me I should always run a virus scanner before running the game to get these things out of memory. So far, I don't know of any virus detectors that detect this as a virus, though maybe there are some...dunno.

Only other thing to try would be to randomize the driver name and maybe the sig checksum on each load like MS does for their malware scanner. Interestingly, MS launches a malware scanner every time Wellbia launches, that persists until XIGNCODE exits. Seems they might be observing XIGNCODE, dunno. Either way it has me dead in the water, since I use PH as a task manager as well as having it auditing program launch+exit.

I need to try contacting them again...I have little confidence they are even reading my email, let alone going to respond to it.

Ideas?
Thanks....
P.s. current PH version I have is 3.0.1847 running on Win7SP1x64.
I'm running the 64-bit version of BnS. Lemme know if you need any more info.
 
Astara
Member
Posts: 25
Joined: 03 Oct 2011 21:15
OS: Win7-64, Suse11.4-x64

Re: Xigncode anti-cheat

09 Oct 2018 23:39

What screen shots are you referring to?
 
JohnTitor
Member
Posts: 5
Joined: 28 Sep 2018 01:38
OS: Windows 10 x64, Ubuntu 18.04

Re: Xigncode anti-cheat

09 Oct 2018 23:43

Hey Astara. I am working with dmex on getting this issue resolved... I am coming from the BnS community as well and I find it really frustrating too.. However, if you disable kernel mode drivers (Hacker -> Options -> Advanced -> uncheck "Enable kernel mode driver"), xigncode should tolerate PS.
I also encourage you to file a support ticket with NCsoft to get them to act and see how it affects their user base.. Don't be too pushy though or you might get banned from using support..

The screenshots dmex is referring to are screenshots i have sent him privately..
 
Astara
Member
Posts: 25
Joined: 03 Oct 2011 21:15
OS: Win7-64, Suse11.4-x64

Re: Xigncode anti-cheat

09 Oct 2018 23:46

BTW, this is one of the replies from the game support (tried wellbia.com, but they haven't answered).

Xigncode kills the game if it finds either the driver OR the program now.
I don't know why they changed their classification -- must have found it on some cheaters machine.

-----------
Mae (Blade and Soul)

Oct 3, 13:00 PDT
Hi Astara,

I apologize for the delay in our reply.

After reviewing your issue, the process you mentioned has been identified as malicious and has been blocked in relation to our services. So long as you are running this process you will be unable to access our services, and there is no way for us to override this or provide an exception.

I understand that this is not the resolution you were looking for, and I know you've been a loyal customer, but there's nothing support can do for you regarding this issue. You will simply need to remove the service from your system if you wish to continue accessing Blade & Soul.

Regards,

Mae
NCSOFT Support Team
 
Astara
Member
Posts: 25
Joined: 03 Oct 2011 21:15
OS: Win7-64, Suse11.4-x64

Re: Xigncode anti-cheat

10 Oct 2018 05:53

Oh, you can believe I contacted support. And what do you mean that "xigncode should tolerate PS"?
It doesn't tolerate the running program without the driver, if that was what you meant?
 
JohnTitor
Member
Posts: 5
Joined: 28 Sep 2018 01:38
OS: Windows 10 x64, Ubuntu 18.04

Re: Xigncode anti-cheat

10 Oct 2018 05:57

You'll need to kill the ps service after disabling the kernel driver..
sc stop kprocesshacker3
should kill the service.
Also I think I have had troubles with launching bns and having ps open at the same time so yeah..
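A worked version of the two steps above (untick the kernel-mode driver option, then stop the kprocesshacker3 driver service), added here as an example; it is not code from the thread or from the Process Hacker project. It also answers Astara's earlier question about whether the driver can be unloaded without a reboot, by reading the driver's state before and after the stop request. It assumes the service name kprocesshacker3 used in the thread, an elevated PowerShell prompt (stopping a kernel driver needs administrator rights), and PowerShell 3 or later for Get-CimInstance.

```powershell
# Added example, not from the thread or the Process Hacker project.
# Checks whether the KProcessHacker kernel driver is loaded, asks the
# service control manager to stop it (the "sc stop kprocesshacker3" step
# from the thread), and reports the state afterwards.
# Assumption: the driver service is named kprocesshacker3 and this runs elevated.

$DriverName = 'kprocesshacker3'

function Get-KphDriverState {
    # Kernel drivers are registered as services of type "kernel driver".
    # Get-Service only lists Win32 services, so query Win32_SystemDriver
    # instead; its State property is 'Running' or 'Stopped'.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$DriverName'"
    if ($null -eq $drv) { return 'NotInstalled' }
    return $drv.State
}

$before = Get-KphDriverState
Write-Host "$DriverName state before: $before"

if ($before -eq 'Running') {
    # Close Process Hacker and untick Options > Advanced > "Enable kernel mode
    # driver" first; the driver can only unload once no client holds a handle.
    # sc.exe stop sends a stop request to the driver service.
    & sc.exe stop $DriverName | Out-Null
    Start-Sleep -Seconds 2
}

$after = Get-KphDriverState
Write-Host "$DriverName state after:  $after"

if ($after -eq 'Running') {
    # A driver that refuses the stop request (open handles, or no unload
    # routine) stays resident; at that point a reboot is the remaining option.
    Write-Warning "Driver still loaded; reboot to clear it from memory."
}
```

Run it from an elevated prompt after exiting Process Hacker. If the "after" state reads Stopped, the driver is out of memory without a reboot; if it still reads Running, the stop was refused and only a reboot clears it, which matches what Astara observed.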
 
Astara
Member
Posts: 25
Joined: 03 Oct 2011 21:15
OS: Win7-64, Suse11.4-x64

Re: Xigncode anti-cheat

10 Oct 2018 06:13

What service?
The only kprocesshacker I saw was kprocesshacker3.sys, which was the driver.

I rebooted after disabling the driver to make sure it was cleared out of memory.

Now, xigncode "only" kills the game should I re-enter PH -- but since I have it set to not use the driver, I can run the game again after exiting the .exe (since there is no driver in memory).

I also tried going back to PH2, but that doesn't work either (even with just the exe running).

Not having the driver is a pain, as already I am unable to kill some procs, though not being able to run PH at all while the game is up is also a big pain. (sigh)
 
JohnTitor
Member
Posts: 5
Joined: 28 Sep 2018 01:38
OS: Windows 10 x64, Ubuntu 18.04

Re: Xigncode anti-cheat

10 Oct 2018 06:14

Oh well that is new behaviour.. I am unable to help then.. Dmex might be able to though
 
jb99
New User
Posts: 1
Joined: 30 Oct 2018 16:44

Re: Xigncode anti-cheat

30 Oct 2018 16:48

@dmex

Hi there,

XignCODE still has a problem with Process Hacker. I play a game called HOUNDS THE LAST HOPE and it is protected with this one, so when Process Hacker is installed on the PC or opened on the task bar, the game reports a suspicious program. So I hope there is a way or trick to keep PH on and at the same time have the game continue running.

Thanks
 
Astara
Member
Posts: 25
Joined: 03 Oct 2011 21:15
OS: Win7-64, Suse11.4-x64

Re: Xigncode anti-cheat

30 Oct 2018 23:27

It gets worse than it simply disallowing coexistence. If your prog (PH or Process Monitor from Sysinternals -- sort of an uncle to PH) loads a driver -- then, later, even if PH and PM are not running, it will claim that they are because they have drivers in memory. It seems to be the case that drivers can't be easily unloaded in Windows (?), so once you load those drivers -- the only way you can run a protected game is to reboot first -- really sucks.
 
Dajova

Re: Xigncode anti-cheat

22 Dec 2018 17:59

Yeah, I've noticed that several games (mostly eastern MMORPGs, like BDO) that use this anti-cheat engine completely block the use of PH2, not only BnS.

And just recently, it seems that Warlords Awakening also blocks this program, even though it uses a completely different anti-cheat program (GameGuard, more specifically). It doesn't detect it instantly; it takes like 5m for it to error out and just close the game.
 
Astara
Member
Posts: 25
Joined: 03 Oct 2011 21:15
OS: Win7-64, Suse11.4-x64

Re: Xigncode anti-cheat

23 Dec 2018 01:22

Don't suppose there is any progress in randomizing the exe and driver names like malware scanners have to do to avoid malware detecting them?
 
Dajova

Re: Xigncode anti-cheat

25 Dec 2018 20:17

Just got a reply from the support from Warlords Awakening (which also detects PH2 as malicious) and here's what they said about why it's detected:
The problem with ProcessHacker is that it is also a debugger, it has ways to manipulate a program and its sub-processes, obtain information of a software that you are not supposed to get and other functions.
That's the main reason anticheats and even some antiviruses block it.
So is there a way to only disable the debugging service? Since that seems to be the trigger for all of them.
 
viksoftru
Member
Posts: 617
Joined: 15 Aug 2011 06:01
OS: Win7 (Live! DVD), BSD
Location: Russia

Re: Xigncode anti-cheat

26 Jan 2019 16:56

VirusTotal, 26.01.2019: latest "antivirus" false detections for KProcessHacker*.*:

Engine                     Detection name                                   Signature date
CAT-QuickHeal              Risktool.Prochack                                20190125
Cylance                    Unsafe                                           20190126
DrWeb                      Tool.ProcessHacker.1                             20190126
Fortinet                   Riskware/ProcHack                                20190126
Jiangmin                   RiskTool.ProcHack.d                              20190126
K7AntiVirus                Adware ( 005447321 )                             20190126
K7GW                       Adware ( 005447321 )                             20190126
Kaspersky                  not-a-virus:HEUR:RiskTool.Win32.ProcHack.gen     20190126
Rising                     Malware.Undefined!8.C (CLOUD)                    20190126
Sophos AV                  Process Hacker Kernel Driver (PUA)               20190126
ZoneAlarm by Check Point   not-a-virus:HEUR:RiskTool.Win32.ProcHack.gen     20190126

As usual, this is just a business and nothing personal, and the instigators are those who are really bad at all - "let it be scandalous, but apply advertising to poverty!". :lol:
 
Astara
Member
Posts: 25
Joined: 03 Oct 2011 21:15
OS: Win7-64, Suse11.4-x64

Re: Xigncode anti-cheat

27 Jan 2019 00:36

FWIW, I also found that XignCode has 2 hidden streams attached to it:
> ll
total 5068
-rwxrw-rw- 1 28 Jan 26 16:41 XignCode_{4A705BBE-C39C-4059-9658-2F0F8F0A4F12}.stream*
-rwxrw-rw- 1 5185536 Jan 26 16:41 XignCode_{B6B3D3B5-E6DA-4ac3-B20B-7AD145E0AF58}.stream*
Ishtar:/h/streams/2> sha1sum *
956b60dc5346487588162f32993df547b196ca8a XignCode_{4A705BBE-C39C-4059-9658-2F0F8F0A4F12}.stream
b41d90e4b3b2e8746a9ef9fa4423b358a0760532 XignCode_{B6B3D3B5-E6DA-4ac3-B20B-7AD145E0AF58}.stream

??Adware??

Seems to be the same on 2 different systems.

Another important detail:
I'm "effectively" banned ...

My account works on someone else's machine here at my house (where it would have the same external IP).

But on my machine, xigncode exits before handing off some 'start code' to 'Client.exe'
 
Astara
Member
Posts: 25
Joined: 03 Oct 2011 21:15
OS: Win7-64, Suse11.4-x64

Re: Xigncode anti-cheat

28 Jan 2019 02:53

p.s. - wondering if they are sabotaging software as well as scanning your computer for things they consider "malicious"...

A few other problems I've seen with Wellbia. As part of their propaganda about protecting you from malware -- they monitor every program you start. They monitor your usage and possession of other programs, including what other "hacking tools" they discover -- and if they decide they found too much on a machine -- they lock it out, as mine is now.

Even did an upgrade in place. My account -- friend's machine -- but on my same network (outside IP would be the same) I can log in. If I create a new account -- on this machine -- then I can't get in on this machine either.

Also had an odd coincidence or two -- Had problems getting Photoshop CS5 on my GTX1080, but was sure it was working before. I have two licenses for it, but of course now they will only respond to licensing questions for older (not subscription) via chat...where they don't respond, but their SW mysteriously shuts off the GLX features.

Been disabled for a while: frustrating. After the reinstall of Windows -- this time -- PS5 is working again!! All great -- til later, after more BNS trials, the GLX features are disabled again.

I'm wondering if they look at other SW on your system they think is unlicensed or cracked and disable it -- like then approaching other companies and offering to check on legit checks or licenses. I'm guessing they wouldn't be able to actually check licenses, so if something "looks" suspicious, they might disable something so you have to call in for a new licence -- something you couldn't do if not registered, but if you can't get through to them on chat, I wonder if you can get through to them at all!

Anyway, I started having more problems pop up after PH's kernel driver was restricted -- am wondering if they start doing more invasive scans after that. But if they are working with other companies and putting people on a black list, they might be not only guilty of "conspiracy to deny people their property and their rights w/o due process of law" -- vigilantism. I even have somewhat legitimate rights to look at security software; I say somewhat from the perspective that I do have an engineering degree in computer science, and research is part of most science.

I notice more than one anti-virus SW flagging wellbia