mkstarr / installscript.vdf
"installscript"
{
    "Run Process"
    {
        "x86"
        {
            "hasrunkey"    "HKEY_LOCAL_MACHINE\\Software\\Valve\\Steam\\Apps\\CommonRedist\\vcredist\\2010"
            "process 1"    "%INSTALLDIR%\\_CommonRedist\\vcredist\\2010\\vcredist_x86.exe"
            "command 1"    "/quiet /norestart"
            "nocleanup"    "1"
        }
        "x64"
        {
            "hasrunkey"    "HKEY_LOCAL_MACHINE\\Software\\Valve\\Steam\\Apps\\CommonRedist\\vcredist\\2010"
            "process 1"    "%INSTALLDIR%\\_CommonRedist\\vcredist\\2010\\vcredist_x64.exe"
            "command 1"    "/quiet /norestart"
            "nocleanup"    "1"
            "requirement_os"
            {
                "is64bitwindows"    "1"
            }
        }
    }
}
"kvsignatures"
{
    "installscript"    "31b57cff9cdb418b39a2f705724e26104db31fb4fbfeec965016c7e7befe023e2d78f4997af4604ba2bd61d82ae67a85e08eca38c99bd2de4ea510576496986bd57e5baeb69a6215d1874475d6b6ee4a6e755fb29e8c32fd54611a0de7c7a361c2b4a6857a7ed685e58420814d9bf41988be6ed4fff71f3d376ead34801343c7"
}
Installscript vdf: what is it
Introduction to the SteamPipe content system
Steamworks video tutorial: building a game with SteamPipe
SteamPipe technical overview
SteamPipe uses the HTTP protocol for content delivery. Since downloads are regular web traffic, any third-party HTTP cache between the customer and Steam servers will increase download speed. Content can be hosted by external CDN providers, which can be easily added to our content network. Most consumer firewalls allow HTTP traffic and won’t block downloads.
SteamPipe has an efficient patching algorithm based on binary deltas, only changing the modified portions of existing content files. When this content is updated, only these deltas need be sent. This means both developer and user transfers are smaller and faster. Most partners will find that a SteamPipe local content server is not necessary, since they can efficiently patch builds on private branches.
Build account
Before you can create any builds on Steam, you must have a Steam account in your Steamworks account with the "Edit App Metadata" and "Publish App Changes To Steam" permissions granted. For security reasons it's recommended that you use a dedicated build account with just those permissions; you can create a new Steam account for this purpose at https://store.steampowered.com/join.
Any administrator of your Steamworks account can add a Steam account and grant the necessary permissions. More information on this process can be found in the Managing your Steamworks account documentation. An example of what this account might look like is:
Initial SteamPipe app setup
The example below shows four launch options: two for Windows and one each for macOS and Linux. Launch option 3 will only be shown on Windows if the user also owns the DLC specified.
Setting up SteamPipe uploads via the SDK
Download and unzip the latest version of the Steamworks SDK on the machine you will be uploading builds on.
The SteamPipe tools can be found within the SDK in the tools folder which contains 2 relevant sub-directories.
It’s recommended that you run steamcmd.exe directly in the builder folder for your platform once to bootstrap your build system. This should populate your builder directory with all the files it needs to build depots.
The ContentServer directory contains the tools for running your own SteamPipe local content server, if you choose to do so.
SteamCmd on macOS
Creating SteamPipe configuration files
SteamPipe GUI
If you are running on Windows and would prefer a GUI tool to help create these config files and upload your builds, you can use the SteamPipeGUI, which is available in the tools folder of the Steamworks SDK. The zip includes additional instructions to get you started.
If you choose to use the GUI tool then reading the following sections is still recommended to help you become more familiar with how the SteamPipe system works.
Simple Build Script
Let's start with the most basic build script possible. In our example we have a game (AppID 1000) with one depot (DepotID 1001), and we want to upload all files from a content folder and its subfolders. A single build script is enough for that; take a look at "simple_app_build.vdf" included in the SDK:
Note: Your first attempt at running a build may fail due to Steam Guard. If the login fails due to Steam Guard, check your email for the Steam Guard code and run steamcmd as: steamcmd.exe "set_steam_guard_code ", then try again. After logging in with Steam Guard once, a sentry file is used to verify that the login is genuine.
If you are using steamcmd from a machine or VM that gets re-imaged frequently, include the sentry and config files in your image so you are not prompted for a Steam Guard code every time. The sentry file is located in \ssfn, and the config file is located in \config\config.vdf.
The following steps occur during a SteamPipe build:
1) Steamcmd.exe updates itself to the latest version.
2) Steamcmd.exe logs into the Steam backend using the given builder Steam account.
3) The app build start is registered with the MDS (Master Depot Server), which ensures the user has the proper privileges to modify this app.
4) For each depot included in the app build, a file list is generated based on the files in the content folder and the filter rules defined in the depot build config file.
5) Each file is scanned and divided into small chunks of about 1MB. If the depot has been built before, this partitioning will preserve as many of the unchanged chunks as possible.
6) New file chunks are compressed, encrypted, and then uploaded to the MDS.
7) A final manifest is generated for this depot version; each manifest is identified by a unique 64-bit manifest ID.
8) Once all depots have been processed, the MDS finishes this app build and assigns it a global BuildID.
9) After the build is done, there may be *.csm and *.csd files in the build output folder. These are temporary and can be deleted, but they speed up subsequent builds.
Once the build is complete you can see it on your app builds page; in this case it would be https://partner.steamgames.com/apps/builds/1000. There you can set that build live for the default branch or any beta branch, and users will be able to download the update within a couple of minutes.
Advanced Build Scripts
If your app has a lot of depots with complex file mapping rules, you can create a depot build script for each depot which will be referenced by the app build script. First let’s take a look at available parameters in the app build script:
This app build script references two depot build script files that specify all file mappings and file properties. The following instructions are available in a depot build script (and also if the section is included directly in the app build script).
Managing Updates
Debugging Build Issues
Building Efficient Depots for SteamPipe
The old Steam content system would patch updates on a file level, which meant that if a single byte in a file changed, the entire new file would be downloaded by all users. This was especially inefficient if the game used pack files, which are collections of game content files in a single big file. Pack files can easily exceed 1 GB, so updates often led to unnecessarily large downloads. A common way to avoid these large downloads was to add new pack files that overrode content of already shipped pack files. That worked for updates, but it hurt new users long-term, since they ended up downloading unused, already-patched content.
The new content system fixes this problem by splitting each file into roughly 1-MB chunks. Each chunk is then compressed and encrypted before being distributed by the Steam content system. If the game content has large redundant parts, these chunks are reused and the user only has to download each repeated chunk once. However, the real strength of this system is building efficient update patches. While the system is building a patch, the new content is scanned for already known chunks. If it finds them, it reuses them. This means if you change or inject a few bytes in a big file, the user only has to download the changes.
This works well in most cases, but there are still a few pitfalls that need to be avoided when designing the content layout of a game. You may not want to compress or encrypt your game data. This is already done for in-flight downloads and retail discs by the Steam content system. If you do it too, it can reduce the effectiveness of delta patching. Compression and encryption are only advised if each individual asset within a package file is separately compressed and/or encrypted. Otherwise, a change to one asset will always require downloading several other potentially unchanged assets.
If you package multiple assets in a single pack file, make sure that with each re-packaging, no unnecessary changes are made. One problematic practice is including the full name of the original source files on disk, because the names may change, depending on the build machine. Another bad pattern is including build time stamps for each file. If possible, always add new content to the end of your pack files and keep the order of existing files. Also, keep your pack file’s metadata (offset and sizes to individual assets) in one place and don’t intersperse it with the asset data. Use a binary difference tool like BeyondCompare to look at two builds of your pack files to make sure that hundreds of unwanted changes don’t show up.
If you follow these rules you will minimize patch sizes and only new content will need to be downloaded. Your customers will thank you for that and you will be able to increase the quality of your product by shipping more updates.
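To make the pack-file advice above concrete, here is an added demonstration (not code from Valve's documentation or tooling) that chunks two builds of a constructed pack file and counts how many chunks a user holding the old build would have to download. It assumes fixed-size chunking, scaled down to 4 KiB so it runs instantly; the page only says Steam uses roughly 1 MB chunks and reuses unchanged ones, so treat the fixed-size partitioning as a simplification.

```python
import hashlib
import random
from typing import Dict, List

# Steam uses roughly 1 MB chunks; scaled down here so the demo is instant.
CHUNK_SIZE = 4096


def chunk_hashes(data: bytes, size: int = CHUNK_SIZE) -> List[str]:
    """Hash fixed-size chunks; each hash stands for one downloadable piece.
    Fixed-size partitioning is an assumption of this demo, not Steam's exact algorithm."""
    return [hashlib.sha256(data[i:i + size]).hexdigest() for i in range(0, len(data), size)]


def new_chunk_count(old: bytes, new: bytes, size: int = CHUNK_SIZE) -> int:
    """Chunks of the new build that do not exist in the old build,
    i.e. what a user who already has the old build must download."""
    known = set(chunk_hashes(old, size))
    return sum(1 for h in chunk_hashes(new, size) if h not in known)


def constructed_pack(n_chunks: int, seed: int = 1) -> bytes:
    """Deterministic pseudo-random bytes standing in for packed game assets (constructed)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n_chunks * CHUNK_SIZE))


def append_asset(pack: bytes, asset: bytes) -> bytes:
    """Good practice from the text: new content goes at the end, existing order is kept."""
    return pack + asset


def prepend_header(pack: bytes, header: bytes) -> bytes:
    """Bad practice: a per-build header (e.g. a timestamp) in front shifts every byte after it."""
    return header + pack


def flip_bytes(pack: bytes, offset: int, length: int) -> bytes:
    """Overwrite a few bytes inside one asset without moving anything else."""
    patched = bytes(b ^ 0xFF for b in pack[offset:offset + length])
    return pack[:offset] + patched + pack[offset + length:]


def demo() -> Dict[str, int]:
    base = constructed_pack(16)            # 16 chunks = 64 KiB "shipped" pack file
    asset = constructed_pack(2, seed=2)    # a new 8 KiB asset for the update
    return {
        # only the two appended chunks are new
        "append": new_chunk_count(base, append_asset(base, asset)),
        # a 27-byte header shifts every chunk boundary: all 17 chunks are new
        "prepend": new_chunk_count(base, prepend_header(base, b"built 2024-01-01T00:00:00Z ")),
        # a small in-place change touches a single chunk
        "patch": new_chunk_count(base, flip_bytes(base, 20000, 16)),
    }


if __name__ == "__main__":
    for layout, chunks in demo().items():
        print(f"{layout:8s}: {chunks} chunk(s) to download")
```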
If you suspect that your game packaging is not interacting well with the SteamPipe update process, please contact your Valve representative and we can look into enabling advanced features to help with this.
Building Retail Install Discs
Building a retail disc from a beta branch
Installing DLC from a retail disc
Building a single install disc/bundle for multiple applications
Configuring a retail install disc
Preloading Games before Release
By default, all content is always encrypted, on all retail discs and on all content servers. Switching a game to preload mode means owners can download the content, but it stays encrypted on the users’ disk and can’t be played. Once the game becomes officially released, Steam will decrypt the preloaded content and the user can play the game.
Installscript vdf: what is it
I just purchased BL2 and steam is not downloading it properly. It gives me no install size when I go to install it. The only thing that gets downloaded to my SteamApps folder is a "installscript.vdf" file. If I try to launch borderlands 2 from steam it gives me an executable not found error. I have tried re-downloading (no luck) and checking the file integrity (steam thinks it is all good).
Any ideas / any one else?
Same problem, I am also lost on this.
Edit: Sworn’s fix worked:
"Jionts"
"This is what tech support told me to do and it seems to be working.
Exit Steam entirely.
Browse to your Steam installation (Usually C:\Program Files\Steam\)
Rename the "steamapps" folder to "old_steamapps"
Re-launch Steam and re-install the game.
Once the installation is complete, test the issue.
If this resolves the issue, you may copy the new files into the "old_steamapps" folder and rename it to "steamapps" to restore your other games without re-downloading.
If the issue is not resolved, you can rename the folder back to avoid having to re-install other games."
Guys, as Skybane just reminded me in another thread, there is a very high chance that your download/install problems are being caused by the Steam sale. Their servers just can not handle the stress of everybody buying and downloading all at the same time.
It happens every year, during every seasonal sale. I know it blows donkey balls, but you just have to wait.
is this why my steam wont open? Dx
Do you mean the client itself just won’t open, or are you saying you can not log-in to the client?
If you can not log-in with the client, but you can log-in via your internet browser: yes, that is a server communication problem. Just keep trying.
If the client itself will not open: that is a process problem. Open your Task Manager and scroll down until you find Steam.exe. Select it and press the Delete button. The system will say "Warning, this program will stop functioning blah blah blah." Click Okay and close the Task Manager. Now restart Steam, it should be "unstuck" now.
Is unstuck a real word? I should look that up.
Installscript vdf: what is it (GTA 5)
@Doctorgta Can u pm me the link to the files. Or the files that eshenk sent u?
So can anyone tell me, I let the update install correct? Then add all of the files needed to downgrade?
does someone have those other files and could upload them so I can download them plz
you need only to copy and overwrite your previous gtav.exe launcher.exe, vanilla update folder, installscript.vdf and steam_api64.dll. This will allow you to fire up gta with all previous mods and scripts working as usual
Color me confused again. Should you restore your old installscript.vdf too then? All it contains, as far as relevant info goes, is what I presume to be the version number of Social Club:
So, after the update, I take it Social Club will have been updated, no? So, either the new installscript.vdf should remain as is, or one should need to downgrade their Social Club, after the upgrade, when you restore the installscript.vdf file.
@meimeiriver you replace all the files with the ones eshenk provided. I just replaced them in the order I downloaded them. installscript.vdf was the last one to install but booted up GTA perfectly:)
So I have the Rockstar club version so you are saying that I only need to replace the GTAV, GTAVLauncher and Update.rpf files in order to revert to the previous version? I did that and when I relaunch the game it just updates again. Am I missing something?
Something happened to my backup files. And yesterday I tried to play my modded folder, it’s a no go. Could someone send me the needed files, please.
Installscript vdf: what is it (GTA 5)
When I have purchased a game on Steam, after it has finished installing/downloading the data I back it up to my external drive for later use. So when I want to play it again sometime in the future I can copy it back to the steamapps/common folder. When I do this I open up Steam, press install on the game and let it download about 5MB or so. Then I exit Steam and copy the folder from my external drive to the steamapps/common folder. Then I start up Steam again and it usually only downloads the updates I don't have. Sometimes it wants to download the entire game again. When it attempts this I exit Steam and copy the folder from my external drive to the steamapps/common folder again. Then I start up Steam again and it's usually only a matter of minutes before it has all the data downloaded (if any at all).
Now my question is does this file (installscript.vdf) control the files required to be downloaded (if any at all)?
installscript does not deal directly with the game but what the game requires in order to run which nowadays is very much a default script and will be downloaded and re-downloaded whether it is required or not.
So to get to the point, the script contains instructions or commands to automate the installation of distribution files, which consist mostly of DirectX, Visual Basic Runtimes and .NET Framework, etc. Not only do games require these distributions, it is also done to keep your computer up to date, so these distros are vital.
How to disable the "preparing to launch" step for games in Steam
Some Steam users have run into problems on a game's first launch: the game either took far too long to "configure" or never started at all. For some, Steam itself stopped working once this check began. This article was written to solve that problem and to help avoid it in the first place. Note that any given method may not suit everyone, but there are several ways to approach the problem.
First option (batch file):
1) Go to the folder where all your games are located and create a text file with any name you like.
2) Open the file and enter the following (the output is written to a temporary file and then moved over the original, because redirecting straight back into the file being read would truncate it before type reads it):
for /R %%i in (*install*.vdf) do (type "%%i" | findstr /v DXSETUP | findstr /v dxsetup | findstr /v DXSetup | findstr /v D3D11Install | findstr /v vcredist | findstr /v gfwlivesetup.exe | findstr /v PhysX | findstr /v msiexec | findstr /v dotnetfx | findstr /v Framework | findstr /v xliveredist | findstr /v Uplay | findstr /v uplay | findstr /v wmfdist11 | findstr /v UbisoftGameLauncherInstaller | findstr /v pbsvc > "%%i.tmp" & move /y "%%i.tmp" "%%i" >nul)
Third option (deleting the installer executables):
1) Go to the game's directory and delete the installer executables (DirectX, PhysX, vcredist, etc.)
GTA V Script Installer 2.9.1
FEATURE
-Newbie Guide
-Clean and Fast installation
-Remove unnecessary file in ZIP
-Friendly GUI
NOTES:
I know some people will bash me about this tools saying that it’s easy tool install. To me, a newbie will always need help.
v2.9.1
-log file now can be set
-fix some scripting at Settings
-fix some bugs
-added notice for newbie before install
v2.8.4
-fix bug after install
-added log file event
v2.8
-new home page
-remove validation
-direct bug reporter via email
-added misc page
-added news info
-added donation page
-gtav mods website via phone view
-code cleanup
-fix some bugs
v2.4
-fresher look
-brand new GUI
-newbie system
-validation system
-powerful scripts
-fix all major bugs
-GTAV reference dll
v1.0
-initial release
First Uploaded: August 25, 2015
Last Updated: September 15, 2015
-readable steam for steam user
-ledzero own dll to make sure all bug are squashed
it took some time to script the DLL by my own. So, please be patient. Please FOLLOW this tools for more updates and exciting news! See yah later!
@LedZero this works to install cars or just scripts mods?
In my gta it says: gtav.exe not found
somebody its working need cash in online
@jeppeno1 No
this isnt site that gonna help you get money
this site is for pc mods not for ps3 modded lobbies..
See the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.
When JIT debugging is enabled, any unhandled exception
will be sent to the JIT debugger registered on the computer
rather than be handled by this dialog box.
Privilege Escalation and Persistence through Steam Install Scripts
Note: These issues were last tested with the Steam version shown below:
After playing around looking for DLL side-loading issues in System32, I started looking around on my system outside of System32 for any interesting applications I had installed that could be leveraged. One application that immediately caught my eye was Steam, since its installation directory had granted “Full Control” to all users on my system. This was atypical, to say the least.
There is one Steam component that runs with Administrator privileges, SteamService.exe. Previous research by Vasily Kravets showed that SteamService.exe could be leveraged for privilege escalation. Through symlinks, Kravets was able to abuse SteamService.exe to grant all users on a system full control over any registry key on the system. Steam had marked the issue as not within the scope of their bug bounty program, and Matt Nelson aka enigma0x3 published a PoC exploit as they had concurrently found the issue along with Kravets.
This issue was eventually patched by Steam, but it appears that further research by Xiaoyin Liu showed Steam was still vulnerable. I was unable to discover any information about whether the new issue had been fixed since it was published on August 16th.
Privilege Escalation Through Install Scripts
Given the past issues with SteamService.exe, I hoped to find a new issue that would result in privilege escalation. SteamService.exe actually exists in two directory locations, shown below:
C:\Program Files (x86)\Steam\bin is world writable. C:\Program Files (x86)\Common Files\Steam is only writable by Administrators. At first I thought, oh, just modify the SteamService.exe to be whatever binary I want in Steam\bin and restart the Steam Client Service. When the service starts, though, it checks if the SteamService.exe binary in Steam\Bin matches the binary in Common Files\Steam. If they do not match, the binary in Steam\bin is overwritten with the binary in Common Files\Steam.
I then wanted to see what SteamService.exe actually does, so I ran it in a command prompt.
I tried a few of these options, such as install and repair, but it didn't look like I could redirect SteamService.exe to execute an arbitrary file of my choosing, or load some DLL I could place in a world writable location. The /installscript option looked enticing, as it says you can provide it a file. I then Googled for "Steam install scripts" and saw references to installscript.vdf and runasadmin.vdf files, which are run when a game is first installed. I searched through my Steam directory for these install scripts, and found a few instances of installscript.vdf that already existed.
These scripts were under Steam\steamapps\common\Steamworks Shared_CommonRedist for DirectX, VC++, and OpenAL resources that may need to be installed when a new game is first run on a system. I checked the permissions of these install scripts, and they all granted full write permissions to any user on the system.
The install scripts contained instructions to execute the installer files. An example from the VC++ installscript.vdf file is shown below:
Any user could then modify the "process 1" and "command 1" fields and have SteamService.exe execute it. To test this as a privilege escalation issue, I wanted to see if a non-admin user could modify an installscript.vdf file. I first created an unprivileged user called not-admin on my system.
I then opened installscript.vdf for VC++ as the not-admin user.
As shown above, installscript.vdf was modified to run a command to add not-admin to the local Administrators group.
I then downloaded and installed a game from my Steam library. I chose the game Jamestown because it is only 100mb so it would be quick to download and reinstall multiple times for my testing. After downloading the game, I clicked on “Play” to start it.
I was prompted to allow the Steam Client Service to install something on my system. I clicked yes, and then saw that Steam was installing the VC++ redistributable. That finished, and the game started normally.
I minimized the game and then checked a command prompt I had running as not-admin. Before, I could not add myself to the Administrators group. After starting Jamestown for the first time, not-admin was made a local Administrator!
So, when using a fresh install of Steam on a system, a non-admin was able to modify the installscript.vdf files for Steam’s common redistribution packages. When the regular user downloaded and installed a new game, SteamService.exe would execute the command the unprivileged user added to installscript.vdf with elevated privileges, and add the unprivileged user to the local Administrators group.
The attack scenario for this privilege escalation would be for an unprivileged attacker to modify the installscript.vdf files, and then…wait for the target user to install and run a new game. The attacker will need to hope they have a lot of time to spare waiting for the privilege escalation to trigger…
I tested this issue dozens of times to try and determine the minimum required to exploit the issue. From my experience, this appears to work 100% of the time when it is run from a fresh install of Steam and for the first new game install. I did get it to work after several games were installed through Steam and had been launched more than once, but the results were inconsistent. For whatever reason, when a newly installed game was launched Steam wouldn't always install the Common Redistribution packages. It didn't seem dependent on the game. Sometimes a new install of Jamestown would install VC++, other times it wouldn't. Same for other games I tried (Lovely Planet, Max Payne, LISA, etc.). That said, if Steam was just installed, and Jamestown installed and run for the first time, the privilege escalation issue would always be triggered. This makes this issue a bit of an opportunistic one for an attacker. It may not work if Steam has been installed on the system and regularly used for a while. If the attacker lands on a system that just installed Steam, it should work, though.
Making it More Consistent
Modifying the installscript.vdf file for Common Distributions such as VC++ only seemed to work once. Once VC++ was installed, Steam didn’t seem to run the installscript.vdf any more. This meant the exploit was only really viable for when a user had first installed Steam and had no prior games installed.
To get around this, I tried to create a new installscript.vdf file in a game installation folder. This time, I did it for an already installed game that I had played, Lovely Planet. This seemed like a good test because by default Lovely Planet did not already have an installscript.vdf or runasadmin.vdf file in its install directory. I would be creating an arbitrary one and placing it in the directory. Like seemingly everything under C:\Program Files (x86)\Steam\, Lovely Planet’s install directory was world writable. So, I created the following installscript.vdf file in Steam\steamapps\common\Lovely Planet.
When I launched Lovely Planet, I would get a command prompt with elevated privileges.
Steam happily read my new installscript.vdf and executed the commands I had put in with elevated privileges. Steam would only run this once. The next time I started Lovely Planet, the installscript.vdf file wouldn’t execute. However, if you made any change to the installscript.vdf file, and then restarted Lovely Planet, Steam seemed to recognize this as a new install script and would execute again. Changing my first installscript.vdf to the one below caused it to re-execute. The only changes made were from Cmd32 to Cmd64, and from the cmd.exe in the SysWOW64 directory to the System32 directory.
Placing an installscript.vdf file in any of my games’ install directories seemed to work. Steam saw a new install script, and would happily run it, regardless of whether the game was just installed or one I had played many times.
Interestingly, Valve does have an installscript_log.txt file located in C:\Program Files (x86)\Steam\logs. When I would run Lovely Planet, it would say:
According to Valve’s documentation for install scripts, install scripts are created during a game’s build process and:
While I have been using installscript.vdf files to run arbitrary processes with Administrator privileges, it looks like the documentation also allows you to write to arbitrary registry keys and make changes to the Windows Firewall. Fun!
Say you don’t care about running a payload or anything on the users system, but want their credentials? Easy! Just make something like this:
Have that IP address you inserted running something like Responder, and you’ll receive a nice hashed credential. I hope Steam users use good passwords for their local accounts!
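From the defender's side, the install scripts described above are plain text that can be audited: parse every installscript.vdf under the Steam directory and flag any Run Process entry that points outside %INSTALLDIR%, at a UNC path, or at a command interpreter, since a legitimate redistributable installer does none of those. The following is an added example, not code from this post or from Valve; the sample script is constructed (its x86 block mirrors the VC++ 2010 file shown at the top of this page, the two tampered blocks are made up and use a documentation-range IP), and the "Registry" and "Firewall" section names are assumed from the documentation the post cites.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample. The x86 block mirrors the VC++ 2010 installscript.vdf on this
# page; "tampered_local" and "tampered_remote" are made up to exercise the checks.
SAMPLE_VDF = r'''
"installscript"
{
    "Run Process"
    {
        "x86"
        {
            "hasrunkey"  "HKEY_LOCAL_MACHINE\\Software\\Valve\\Steam\\Apps\\CommonRedist\\vcredist\\2010"
            "process 1"  "%INSTALLDIR%\\_CommonRedist\\vcredist\\2010\\vcredist_x86.exe"
            "command 1"  "/quiet /norestart"
            "nocleanup"  "1"
        }
        "tampered_local"
        {
            "process 1"  "C:\\Windows\\System32\\cmd.exe"
            "command 1"  "/c echo tampered"
        }
        "tampered_remote"
        {
            "process 1"  "\\\\203.0.113.5\\share\\setup.exe"
            "command 1"  ""
        }
    }
}
'''

# KeyValues tokens: a quoted string (with \" and \\ escapes), an opening or closing
# brace, or a // comment that is discarded.
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\{)|(\})|//[^\n]*')

# Interpreters and admin tools that never belong in a redistributable install step.
SUSPICIOUS_BINARIES = {"cmd.exe", "powershell.exe", "net.exe", "net1.exe", "reg.exe",
                       "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


def tokenize(text: str) -> List[str]:
    """Split KeyValues text into strings and braces, unescaping \\ and \" inside strings."""
    tokens: List[str] = []
    for m in _TOKEN.finditer(text):
        if m.group(1) is not None:
            tokens.append(re.sub(r"\\(.)", r"\1", m.group(1)))
        elif m.group(2) or m.group(3):
            tokens.append(m.group(2) or m.group(3))
    return tokens


def parse_keyvalues(tokens: List[str], pos: int = 0) -> Tuple[Dict[str, Any], int]:
    """Recursive-descent parse: each key is followed by a string or by a { block }."""
    node: Dict[str, Any] = {}
    while pos < len(tokens):
        key = tokens[pos]
        if key == "}":
            return node, pos + 1
        if pos + 1 >= len(tokens):
            raise ValueError(f"key without value: {key!r}")
        value = tokens[pos + 1]
        if value == "{":
            node[key], pos = parse_keyvalues(tokens, pos + 2)
        else:
            node[key] = value
            pos += 2
    return node, pos


def _ci_get(node: Dict[str, Any], name: str) -> Any:
    """Case-insensitive lookup, since KeyValues keys are not case-sensitive."""
    for k, v in node.items():
        if k.lower() == name.lower():
            return v
    return None


def audit_install_script(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, target, reason) for everything in the script that a reviewer
    should look at before letting SteamService.exe run it with elevated privileges."""
    root, _ = parse_keyvalues(tokenize(text))
    script = _ci_get(root, "installscript") or {}
    findings: List[Tuple[str, str, str]] = []
    run = _ci_get(script, "Run Process") or {}
    for section, body in run.items():
        if not isinstance(body, dict):
            continue
        for key, path in body.items():
            if not re.fullmatch(r"process \d+", key, re.IGNORECASE):
                continue
            exe = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if path.startswith("\\\\"):
                findings.append((section, path, "UNC path: remote binary, host may capture credentials"))
            if not path.upper().startswith("%INSTALLDIR%"):
                findings.append((section, path, "process is outside %INSTALLDIR%"))
            if exe in SUSPICIOUS_BINARIES:
                findings.append((section, path, "command interpreter or admin tool used as installer"))
    # Section names assumed from the documentation the post cites, not from the sample.
    for extra in ("Registry", "Firewall"):
        if _ci_get(script, extra) is not None:
            findings.append(("installscript", extra, f"script also contains a {extra} section; review it"))
    return findings


if __name__ == "__main__":
    for section, target, reason in audit_install_script(SAMPLE_VDF):
        print(f"[{section}] {target}: {reason}")
```

On a real system the same function would be applied to every installscript.vdf found under the Steam directory, with any finding correlated against the installscript_log.txt entries the post mentions.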
SetupSteam Privilege Escalation (kind of but not really)
While playing around with SteamService.exe, I also found an interesting error when trying to use the /setupsteam option. When you use that option, SteamService.exe gives an error saying that SetupSteam.exe was not found in the Common Files\Steam directory.
I then tried the same thing running the SteamService.exe executable from the Steam\Bin directory. It said it could not find SteamSetup.exe in Steam\Bin, making it appear that SteamService.exe was looking for SteamSetup.exe in whatever its current directory was. I tried to then copy cmd.exe from System32 to Steam\bin and rename it SetupSteam.exe, but that failed with the error that SteamService.exe would not run an unsigned EXE. My plans seemed to be foiled, but…
DLL Side-loading Valve Signed Binary for Code Execution and Persistence
While I was performing my tests, I noticed that every time I restarted Steam that the gldriverquery.exe executable would run out of the Steam\bin directory looking for a DLL called SDL2.dll. Process Monitor showed that gldriverquery.exe would look for SDL2.dll in its current directory.
Using Visual Studio’s dumpbin utility from a Visual Studio developer prompt, I found what modules gldriverquery.exe was trying to import from SDL2.dll.
I then modified FireEye’s DueDLLigence project to contain the necessary DLL exports for SDL2.dll. I used the SDL_Init module to run shellcode.
I then built DueDLLigence in Visual Studio (make sure to set the “Platform Target” to x86 in DueDLLigence’s properties under the “Build” tab), renamed it SDL2.dll, and copied it to Steam\bin.
My first test shellcode was just to start a new cmd.exe process. I generated the shellcode with msfvenom in a kali VM.
Then, when I started Steam, gldriverquery.exe launched and started a cmd.exe process.
gldriverquery.exe appeared to execute every time Steam was launched. The dll side-load issue then provided a nice persistence technique through gldriverquery.exe.
There were other executables that would load DLLs in Steam's installation directory. The crashhandler.dll library would be loaded by several Steam executables, including Steam.exe. When Steam was launched, crashhandler.dll would be imported and execute your code. However, during the startup process for Steam, it would check if the crashhandler.dll file matched Valve's most recent version, and if it did not, it would "update" Steam and download the correct crashhandler.dll, replacing yours. crashhandler.dll could not be replaced by the user while Steam was running because it was currently loaded. This meant that crashhandler.dll was not an ideal file to exploit for persistence, since it would work once when Steam first started, and then you'd have to wait for Steam to exit before overwriting the legitimate crashhandler.dll file with your own DLL.
While the gldriverquery.exe side-loading issue allows for persistence on a system, it will only run your code in an unprivileged context. Based on this, it does not fall within the scope of Valve's bug bounty program, which states that the following is out of scope:
Combining with SteamSetup
To circle back to the possible SteamSetup.exe privilege escalation, my earlier attempt had shown that SteamService.exe could not start my copied cmd.exe because it was unsigned. The gldriverquery.exe executable, on the other hand, is signed by Valve.
I then copied gldriverquery.exe and renamed it SteamSetup.exe in the Steam\bin directory, leaving in place the SDL2.dll file I had created with DueDLLigence. From an Administrator command prompt I ran SteamService.exe /setupsteam. This caused a new cmd.exe window to launch with a High integrity level.
Process Monitor confirmed that SteamService.exe was used to launch SteamSetup.exe, which was my renamed gldriverquery.exe. The renamed gldriverquery.exe then loaded my SDL2.dll file and launched cmd.exe.
While this seemed like a possible privilege escalation path, I couldn’t find a way to “naturally” get Steam to run the equivalent of Steam\bin\SteamService.exe /setupsteam, so it doesn’t look like this would ever trigger. The only way to do it was from a command prompt that already had administrator privileges. When you ran it from a command prompt that was in medium integrity but as an Administrator user, it would still prompt for UAC, so it didn’t work as a UAC bypass either. Maybe someone reading this can think of a way to get Steam to trigger this for a nice privilege escalation technique!
Weaponizing with Covenant
Using Steam to run commands with administrative privileges is all well and good, but I wanted to use it to run my favorite open-source malware, Covenant. At this point, it was pretty trivial to get going.
First, I created a binary grunt launcher for Covenant and downloaded the grunt. Then, using donut, I generated shellcode for the grunt. The current version of donut makes it very easy to get a base64-encoded string of the shellcode for use in DueDLLigence.
This will create a loader.b64 file with the base64 encoded shellcode. Copy the encoded shellcode into DueDLLigence.cs, then build with Visual Studio.
Copy the DueDLLigence.dll file into Steam\bin and rename it to SDL2.dll.
Create a new installscript.vdf file and have it run gldriverquery.exe.
Save the installscript.vdf file to your game of choice. “Wait” for the target user to start the game, and you should get a Covenant grunt back in high integrity.
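Because the trigger here is an installscript.vdf whose Run Process entry points at something other than a redistributable, the file itself is a good audit point. The following is an added example, not code from the original post or from Valve: a small KeyValues parser for the installscript.vdf layout shown at the top of the page, plus a heuristic that flags any process path outside %INSTALLDIR%\_CommonRedist. The sample script and its paths are constructed.

```python
import re

# Constructed installscript.vdf modelled on the layout at the top of the page; the x64
# entry deliberately points at Steam's own gldriverquery.exe to exercise the check.
SAMPLE_VDF = r'''
"installscript"
{
    "Run Process"
    {
        "x86"
        {
            "process 1"   "%INSTALLDIR%\\_CommonRedist\\vcredist\\2010\\vcredist_x86.exe"
            "command 1"   "/quiet /norestart"
        }
        "x64"
        {
            "process 1"   "C:\\Program Files (x86)\\Steam\\bin\\gldriverquery.exe"
            "requirement_os" { "is64bitwindows" "1" }
        }
    }
}
'''


def parse_vdf(text):
    """Turn KeyValues text into nested dicts; backslash escapes in values are decoded."""
    tokens = iter(re.findall(r'"((?:\\.|[^"\\])*)"|([{}])', text))  # (quoted, brace)

    def block():
        out = {}
        for key, brace in tokens:
            if brace == "}":
                break
            value, brace = next(tokens)
            out[key] = block() if brace == "{" else value.replace("\\\\", "\\")
        return out

    return block()


def audit_run_process(script):
    """Return (arch, key, path) for 'process N' values outside %INSTALLDIR%\\_CommonRedist.
    A heuristic: redistributables normally ship there, so anything else deserves review."""
    hits = []
    for arch, entry in script.get("installscript", {}).get("Run Process", {}).items():
        for key, value in entry.items():
            if key.lower().startswith("process") and isinstance(value, str) \
                    and not value.lower().startswith("%installdir%\\_commonredist\\"):
                hits.append((arch, key, value))
    return hits
```

Running the audit over every installscript.vdf under steamapps\common would surface a script that has been dropped into a game directory as described above.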
As always, high integrity = run mimikatz right away.
Wow, a domain admin credential! What are the odds a DA is running Steam? Hopefully they have good taste in games…
Persistence with COM Hijacking
After reading through Pentest Lab’s recent blog post on COM Hijacking for persistence, I wanted to see if Steam could be used for that (it can).
First, I used Process Monitor to capture what Steam accessed when it first started and saved the Process Monitor logs to a CSV. I then used the aCOMplice tool to extract hijackable COM objects. The Pentest Lab post does a great and thorough job covering how to do this under the "Discover COM Keys – Hijack" heading, so I won't go over that here. The results from aCOMplice looked like this:
There were a lot of options, so I chose a random CLSID / COM object that was "hijackable" and started playing around with it. The ones I tested would load my simple DLL that launched cmd.exe, but Steam would end up launching it 10+ times, and other applications would then use that same COM object when they launched, so I would end up with hundreds of cmd.exe processes running on my desktop.
To try to find something more unique to Steam, I used Process Monitor with boot logging enabled to capture which COM objects were accessed during system startup. I again used aCOMplice to extract the results for all hijackable COM objects. I then pasted it all into a Google Sheet and used the following formula to find COM objects that only Steam was accessing.
The CLSID 25E609E4-B259-11CF-BFC7-444553540000 looked like a good candidate, so I looked back at the Process Monitor logs to see which registry key Steam was looking for.
I then created the key for that CLSID along with its InprocServer32 subkey, set the default value to a simple DLL I had written that starts cmd.exe, and set the ThreadingModel value to Both.
With the registry keys set, I started Steam with Process Monitor running. The COM hijacking was successful and my cmd.exe processes launched.
Every time Steam started up, my DLL would be loaded. I used my system normally for a while and rebooted it a few times and didn't see any other applications accessing this COM object / CLSID, so it seemed unique to Steam as a persistence technique. Googling the CLSID turned up a few results for a DirectX-related DLL, so this might be triggered by other applications that use DirectX. Most of the search results seemed to be related to users running into issues trying to play Windows games in Wine.
Note: Steam would access the COM object twice when it started. Keep that in mind if you try to weaponize this: you'll get two beacons back, not just one.