Therefore, the "run as" option in the installation wizard is disabled by default. To install the mhyprot2.sys driver, the user must click the "run as administrator" checkbox. The mhyprot2.sys driver must be installed on each system on which Genshin Impact is to be run. Due to the way that it is installed, the mhyprot2.sys driver must be the first item on the 'startup' menu or it will not be loaded. If this occurs, an error will appear in the mhyprot2.sys log, stating that the driver could not load. The mhyprot2.sys driver's 'run as administrator' restriction can be bypassed by manually loading it (i.e. by renaming the mhyprot2.sys driver to mhyprot2.sys.bak and then restarting the system). A malicious mhyprot2.sys driver could be installed by any user with system access.
Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact Impact
Installation and uninstallation of the mhyprot2.sys driver
The mhyprot2.sys driver must be installed on each system to which Genshin Impact is to be run. However, it can be removed from the system without removing Genshin Impact. To remove the mhyprot2.sys driver from a system, click on the "Delete" checkbox in the 'startup' menu, and then restart the system.
Vulnerabilities CVE-2020-36603
The mhyprot2.sys driver is vulnerable to the following vulnerabilities:
1) An elevation of privilege vulnerability due to a flaw in the way that the driver handles command line switches. This allows a local attacker with administrative privileges on a system running Genshin Impact software to execute arbitrary code as administrator.
2) A denial of service vulnerability due to a flaw in the way that the driver handles certain types of addresses during an open/close operation. This could allow a remote user to cause a denial of service condition on the impacted system by sending specially crafted packets.
3) A use after free vulnerability due to a flaw in the way that the driver handles certain kernel objects. This could allow an attacker with physical access to execute arbitrary code on the impacted system.
4) An information disclosure vulnerability due to a flaw in how objects are handled by the driver's IRP_MJDISC_IN handler. This could allow an attacker with physical access and network connectivity who specifically targets this type of object, and therefore knows its address, to read memory content or modify data on any computer they can connect over TCP/IP from within their local network range.
Windows 8.1 and 10
Windows 8.1 and 10 are the most recent versions of Microsoft's operating system for personal computers. These two versions contain a number of security-related changes, including a reduction in the number of execution exploits available to a malicious user and improvements to mitigations like Windows Defender Exploit Guard.
Timeline
Published on: 09/14/2022 22:15:00 UTC
Last modified on: 09/20/2022 16:59:00 UTC
References
- https://github.com/kagurazakasanae/Mhyprot2DrvControl
- https://web.archive.org/web/20211204031301/https://www.godeye.club/2021/05/20/001-disclosure-mhyprot.html
- https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html
- https://github.com/kkent030315/evil-mhyprot-cli
- https://www.vice.com/en/article/y3p35w/hackers-are-using-anti-cheat-in-genshin-impact-to-ransom-victims
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-36603