Aizen

Author: FHPQ
Tier: AM:Driver, AM:Registry
Current Ver: v2.30
Private: No
MUGEN Ver: 1.1b
Aizen, a JUS cheap character, is the second public cheap character (after Appetite Kanna) that uses drivers to defeat the enemy. He was created by the Chinese author FHPQ, who demonstrated the character on BiliBili as proof that he can actually do crazy things, unlike Mathrus.
Although he is the second public AM:Driver, he is the very first to enter Ring 0 (kernel mode). He uses this to create kernel threads and to protect and hide his processes from debuggers and from Task Manager in general, which makes the character very invasive and annoying for the user to remove. He can also be classed as AM:Registry, since he adds his own keys to the user's registry; this means that every time the user logs on to the computer, the driver is loaded again.
Unfortunately, the way the character is coded makes it extremely environment dependent, and AMD users cannot use it at all, because Aizen relies on Intel's Virtualization Technology (VT-x). Therefore, this article lists assumptions about what he can do, based on decompilations and on the videos on BiliBili.
Files & External Attacks
In addition to the standard files (CMD, CNS, ST, SFF, SND) that are a part of most other characters, Aizen also contains several DLLs, EXEs and several SYS files. These SYS files are drivers, and Aizen has 4 of them.
The way the character works is that once he is selected, he starts by using Type Overflow (ROP) to load his DLLs. These DLLs then do the rest of the work, loading his drivers, which are discussed in more detail below. Naturally, if these are removed, Aizen becomes a normal character with the usual JUS-type attacks and is no longer cheap.
So why does Aizen use kernel mode to create threads? Kernel threads take priority over normal threads, and using drivers at all means having nearly complete control over the computer. This is how Aizen ensures that his processes cannot be terminated and his folders cannot be opened during a MUGEN match.
Aizen also has an option file, in which the user can disable and enable external kernel-based attacks. Ones marked with a (?) are not fully understood:
- 强力文件保护 "Strong File Protection": The user cannot open Aizen's folder or edit his files while he is in a match.
- 特征片段篡改 "Segments Tampering": Determines whether MUGEN is allowed or denied a certain type of access. (?)
- 内核级内存附加进程擦除 "Deleting Processes Associated with Memory at Kernel Level": Aizen enumerates the processes on the computer, and any process that tries to modify MUGEN's memory externally is terminated by Aizen from kernel mode.
- 内联call级报幕KO "KO Inline Call": Directly calls the function that makes Aizen win. (?)
- VT-cpuid拦截 "VT-CPUID Hooking": Intercepts CPUID calls, which report CPU information; this is probably for evading antiviruses.
- 内核强力进程保护 "Strong Process Protection at Kernel Level": His processes cannot be terminated or debugged. (Programs like Process Explorer, Cheat Engine, Task Manager or general debuggers cannot see Aizen's processes.)
- 内核多线程胜场数改 "Modify WinCount with Kernel Threads": Uses a kernel thread to set the win count to its maximum value, with priority over user-mode threads.
- 多线程强制报幕文字改 "Modify WinText with Kernel Threads": Uses a kernel thread to overwrite the wintext parameter with "Aizen Wins", with priority over user-mode threads.
- 寄存器控制破坏 "Destroy Registry Keys": He deletes the enemy's registry keys if the enemy is AM:Registry tier.
- 天命吉圣:防御最大化 "Heavenly Blessing: Maximum Defense": Aizen's threaded defense (kernel mode).
- 天命吉圣 "Heavenly Blessing": Aizen's threaded defense (user mode).
- 多线程暂停 "Enemy Thread Suspension": Suspends the enemy's threads.
- 绝对报幕 "Absolute Startup": Restarts MUGEN automatically so that Aizen wins. Same as Reloaders.
- 分线程抓取 "Separate Thread Capture": (?)
- 灵压大招带绝对报幕 "Ultimate + Absolute Startup": Restarts MUGEN automatically so that Aizen wins, this time combined with a threaded attack.
- 凶恶检测 "Malevolence Detection": Aizen creates a watchdog thread that checks for anomalies in MUGEN's memory.
Another thing that is not mentioned in Aizen's files but is shown in the BiliBili videos is that Aizen can hook NTAPI functions so that they do nothing, by patching them to return immediately.
Internal Operation
Drivers normally require administrative permissions to be installed. In Aizen's case, however, no UAC prompt appears, even though one would normally be required for this. FHPQ uses DLLs shared with their other characters, most of which are very large (1.2MB), to load the drivers.
It should be noted that these DLLs were NOT made by FHPQ, but by a group of Chinese programmers from an old BBS that is no longer accessible, as it closed registration in 2009. FHPQ only created the EXEs present in Aizen's folder, written in EPL (a compiler popular in China because it provides a fully Chinese environment), to make using the DLLs easier. Even though many internal functions cannot be decompiled, a general flowchart was derived from these DLLs and is documented below.
The included DLLs use the CreateFileA, DeviceIoControl, WriteFile and ReadFile APIs (among many others), not LoadDriver or CreateService, to load his driver. Specifically, they open the device \\.\PhysicalDrive0 via CreateFileA, gaining direct access to the physical disk. With this approach, they can send special commands to a driver that is already in memory, abusing undocumented features or vulnerabilities in it to perform privileged operations. The DLLs also call DeviceIoControl with the IOCTL_STORAGE_QUERY_PROPERTY control code, a documented query that returns descriptors for the storage device and its driver. In summary, Aizen exploits another driver that is already loaded and runs his own driver through it by sending crafted requests via the I/O functions, causing the vulnerable driver to perform operations outside its normal behaviour. As mentioned earlier, the DLLs also create an entry under Software\Microsoft\Windows\CurrentVersion\Run\ (the per-user Run key, which does not require administrator rights), so that every time the user logs on to the operating system, the sequence described above runs again.
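The telemetry this sequence leaves behind (a raw handle on \\.\PhysicalDrive0 opened by a game binary, an unsigned driver load, and a per-user Run entry pointing into the character's folder) is what a defender would look for. The triage script below is an added example, not code from this page or from FHPQ; it uses Sysmon's field names for Events 9, 6 and 13 and runs over constructed sample records with placeholder paths.

```python
# Added triage example, not part of the Aizen page or FHPQ's code. It classifies
# constructed Sysmon-style records (Event 9 RawAccessRead, Event 6 DriverLoad,
# Event 13 RegistryEvent) that match the behaviour described above.
from typing import Dict, List, Optional

# Substring of Sysmon's TargetObject for per-user Run values (lower-cased for matching)
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
# Constructed markers for locations an unprivileged game install can write to
USER_WRITABLE = ("\\users\\", "\\mugen\\")

def _user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)

def triage_event(ev: Dict[str, str]) -> Optional[str]:
    """Return a finding label for one event, or None if nothing stands out."""
    eid = ev.get("EventID")
    if eid == "9" and ev.get("Device", "").lower().startswith("\\device\\harddisk"):
        # A raw disk handle (\\.\PhysicalDriveN) opened by a binary in a user folder
        if _user_writable(ev.get("Image", "")):
            return "raw_disk_access_from_user_path"
    if eid == "6":
        # A driver that is unsigned, or whose signature does not validate
        if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
            return "unsigned_driver_load"
    if eid == "13" and RUN_KEY in ev.get("TargetObject", "").lower():
        # A per-user Run value pointing into a user-writable folder: logon persistence
        if _user_writable(ev.get("Details", "")):
            return "run_key_persistence_to_user_path"
    return None

def triage_events(events: List[Dict[str, str]]) -> List[str]:
    """Findings for a batch of events, in input order."""
    return [label for ev in events if (label := triage_event(ev)) is not None]

# Constructed sample records, not real telemetry; paths and names are placeholders
SAMPLE_EVENTS = [
    {"EventID": "9", "Image": "C:\\Users\\player\\MUGEN\\mugen.exe",
     "Device": "\\Device\\Harddisk0\\DR0"},
    {"EventID": "6", "ImageLoaded": "C:\\Users\\player\\MUGEN\\chars\\placeholder\\driver.sys",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": "13", "EventType": "SetValue",
     "TargetObject": "HKU\\S-1-5-21-0-0-0-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\placeholder",
     "Details": "C:\\Users\\player\\MUGEN\\chars\\placeholder\\loader.exe"},
    {"EventID": "6", "ImageLoaded": "C:\\Windows\\System32\\drivers\\disk.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
]
```

Running `triage_events(SAMPLE_EVENTS)` flags the first three records and leaves the signed system driver alone; a real deployment would feed it parsed Sysmon events rather than the constructed list.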
Controversy
Although Aizen used this strange but powerful technology to load drivers, create kernel threads and do many external things that no cheap character had ever done, he was not well received by the cheap community. Aizen was seen as a very invasive and downright sketchy character because of the API functions he used. As a result, he became not only one of the most powerful characters in the cheap community but also one of the most hated.