
Evidence

Notes:

All tests were done using Windows XP SP3.

Unless specifically stated, tests were done using PokerStars client version 2.749a as listed in Help > About.

Tools:

Download and install (or unzip) each of these applications to an easily accessible location.
1) Dependency Walker - Displays the names of the DLLs and functions an exe imports at load time: http://www.dependencywalker.com/
2) HxD - Hex editor used to view binary files: http://mhnexus.de/en/hxd/
3) Process Explorer - Advanced task manager that can list the libraries a process has loaded: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
4) Debugging Tools For Windows - For the free WinDbg provided by Microsoft: http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx#a
5) Spy++ - Not strictly necessary, and not free, but it is helpful if you want to do more investigation: comes with Microsoft Visual Studio
6) User Mode Process Dumper - Dumps the contents of another process's memory: http://www.microsoft.com/downloads/details.aspx?FamilyID=E089CA41-6A87-40C8-BF69-28AC08570B7E&displaylang=en

Test 1: Determine the mechanism netstat uses to list IP connections

For this test I already had a strong hunch what functions it was using, so I'll save you the tedium of opening every library and going through every function and just point you to the ones that are relevant. If you were to do so you'd find that these functions we locate in iphlpapi.dll are the only ones usable to list all connections.
1) Open Dependency Walker
2) In Dependency Walker open netstat.exe (normally located in c:\windows\system32) via File > Open
3) The tree on the left side with a root of netstat.exe is the list of libraries that netstat uses; you should see iphlpapi.dll listed, click on it
4) On the right half, the top list is the functions that are used from iphlpapi.dll; observe the function called AllocateAndGetTcpExTableFromStack
5) Read the documentation on that function on Microsoft's website at: http://msdn.microsoft.com/en-us/library/aa365804.aspx
6) Notice that it returns a list of ALL connections; the only filter you can set is the IP address family (IPv4 or IPv6). There is no way to ask it for one process's connections or one destination.

Conclusion: netstat uses the AllocateAndGetTcpExTableFromStack function from iphlpapi.dll to list open connections.

Test 2: Determine if PokerStars is using functions from iphlpapi.dll

PokerStars does not link to iphlpapi.dll at load time the way netstat does: netstat names the DLL and the function in its import table, which is why Dependency Walker shows them. PokerStars instead loads the library at runtime by calling LoadLibrary. The usual way to reach a function in a library loaded that way is GetProcAddress, which takes the function name as a string, and that fits what you will see next: the function names sit in PokerStars.exe as plain strings rather than as import-table entries. You can confirm the missing import yourself in Dependency Walker. I'll skip that and show you how I found that it was using iphlpapi.dll and two functions which list all open connections. This test will show that PokerStars uses these two mechanisms, which can only serve to show you ALL open connections, and that PokerStars has not removed this code as promised.
1) Open HxD
2) Open PokerStars.exe in HxD
3) Search for iphlpapi.dll via Search > Find
4) Observe the following block (the dots are non-printable bytes as HxD renders them):
   Iphlpapi.dll....OSPF....APDT.DKBT(02)...DTNC(2).DTNC(2.1)...sz=.1C.1B..1A..DTNC(1).connect.userflag....AllocateAndGetTcpExTableFromStack...GetTcpTable.
5) Above you see iphlpapi.dll and two functions, AllocateAndGetTcpExTableFromStack and GetTcpTable
6) Note that no other functions from iphlpapi.dll, such as AddIPAddress or CancelSecurityHealthChangeNotify, are present in PokerStars.exe (search for their names). This shows that PokerStars has a specific interest in JUST these two functions.
7) Look up GetTcpTable on MSDN: http://msdn.microsoft.com/en-us/library/aa366026(VS.85).aspx
8) GetTcpTable is another function that lists all open connections and, like AllocateAndGetTcpExTableFromStack, it does not accept any filters; it can only be used to list ALL open connections. The two differ in what they return: GetTcpTable gives the local and remote address pairs and state of every IPv4 TCP connection, while AllocateAndGetTcpExTableFromStack returns the extended table that also carries the process ID owning each connection, the per-process detail netstat shows with its -o switch. A program that has both can tie every connection on the machine back to the process that owns it.
9) Start Process Explorer and configure it to show the lower pane by checking Show Lower Pane in the View menu, and set the lower pane view to DLLs in the View > Lower Pane View submenu.
10) Start PokerStars and wait a second for it to fully load
11) Find PokerStars.exe in the list of processes in Process Explorer and click on it
12) Observe iphlpapi.dll in the list of loaded DLLs in the lower pane

Conclusion: PokerStars uses two functions, AllocateAndGetTcpExTableFromStack and GetTcpTable, which are provided by iphlpapi.dll, to list all open connections on your computer. GetTcpTable is their second mechanism to list all open connections, while AllocateAndGetTcpExTableFromStack is the same one used by netstat. PokerStars has NOT removed this code in any way.
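The two checks above (the import-table listing Dependency Walker gives for netstat.exe in Test 1, and the HxD string search through PokerStars.exe in Test 2) can be automated. The script below is an added example written for this edit, not code from the report or from PokerStars. It parses a PE32 import table and then flags each watch-listed API as imported at load time, present only as a raw NUL-terminated string (the LoadLibrary/GetProcAddress footprint), or absent. The WATCHLIST and the sample executable are my own constructions; the sample is a hand-built, non-runnable PE whose only content is an import table and one stray string.

```python
"""Triage a 32-bit Windows executable for the APIs this report is about.
Two checks, mirroring the report's tooling: the import table (what Dependency
Walker lists for netstat.exe) and a raw-string search (what the HxD search
turned up in PokerStars.exe). Added example, not code from the report; it
handles PE32 files only and imports by name."""
import re
import struct

# APIs discussed in the report, grouped by the DLL that exports them.
WATCHLIST = {
    "iphlpapi.dll": {"GetTcpTable", "AllocateAndGetTcpExTableFromStack"},
    "psapi.dll": {"EnumProcesses"},
    "kernel32.dll": {"OpenProcess", "ReadProcessMemory"},
    "user32.dll": {"GetWindowThreadProcessId", "GetWindowText"},
}


def _rva_to_offset(rva, sections):
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _cstring(data, off):
    return data[off:data.index(b"\x00", off)].decode("ascii", "replace")


def parse_imports(data):
    """Return {dll (lower-case): [imported function names]} from the import table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = pe + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    # Section table follows the optional header: (VirtualAddress, SizeOfRawData, PointerToRawData)
    sections = [struct.unpack_from("<III", data, opt + opt_size + i * 40 + 12) for i in range(nsections)]
    imp_rva = struct.unpack_from("<I", data, opt + 96 + 8)[0]    # data directory 1 = imports
    imports = {}
    if imp_rva == 0:
        return imports
    desc = _rva_to_offset(imp_rva, sections)
    while True:  # IMAGE_IMPORT_DESCRIPTOR array, terminated by an all-zero entry
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:
            break
        thunk = _rva_to_offset(oft or ft, sections)
        names = []
        while True:  # 32-bit thunks, terminated by 0
            entry = struct.unpack_from("<I", data, thunk)[0]
            if entry == 0:
                break
            if entry & 0x80000000:
                names.append(f"#{entry & 0xFFFF}")                            # import by ordinal
            else:
                names.append(_cstring(data, _rva_to_offset(entry, sections) + 2))  # skip 2-byte hint
            thunk += 4
        imports[_cstring(data, _rva_to_offset(name_rva, sections)).lower()] = names
        desc += 20
    return imports


def uses_dynamic_loading(imports):
    """LoadLibrary*/GetProcAddress in the import table means runtime resolution is possible."""
    return any(fn.startswith(("LoadLibrary", "GetProcAddress")) for fns in imports.values() for fn in fns)


def triage(data):
    """For each watch-listed API: 'import' if in the import table, 'string' if the
    name only occurs as a raw NUL-terminated string (runtime resolution), else None."""
    imported = {fn for fns in parse_imports(data).values() for fn in fns}
    verdict = {}
    for fns in WATCHLIST.values():
        for fn in fns:
            if imported & {fn, fn + "A", fn + "W"}:      # A/W pairs for Win32 text APIs
                verdict[fn] = "import"
            elif re.search(re.escape(fn).encode() + rb"[AW]?\x00", data):
                verdict[fn] = "string"
            else:
                verdict[fn] = None
    return verdict


def build_sample_pe():
    """Constructed, non-runnable PE32: imports kernel32!OpenProcess, kernel32!GetProcAddress
    and iphlpapi!GetTcpTable, and carries 'AllocateAndGetTcpExTableFromStack' only as a
    raw string (the PokerStars pattern). One section at file offset 0x200, RVA 0x1000."""
    sec_rva, sec_off = 0x1000, 0x200
    body = bytearray()

    def put(blob):                        # append to the section, return its RVA
        rva = sec_rva + len(body)
        body.extend(blob)
        return rva

    fn_rva = {fn: put(b"\0\0" + fn.encode() + b"\0") for fn in ("OpenProcess", "GetProcAddress", "GetTcpTable")}
    dll_rva = {d: put(d.encode() + b"\0") for d in ("kernel32.dll", "iphlpapi.dll")}
    put(b"AllocateAndGetTcpExTableFromStack\0")          # raw string only, never imported
    k32 = put(struct.pack("<III", fn_rva["OpenProcess"], fn_rva["GetProcAddress"], 0))
    iph = put(struct.pack("<II", fn_rva["GetTcpTable"], 0))
    desc = put(struct.pack("<IIIII", k32, 0, 0, dll_rva["kernel32.dll"], k32)
               + struct.pack("<IIIII", iph, 0, 0, dll_rva["iphlpapi.dll"], iph) + bytes(20))
    body.extend(bytes(-len(body) % 0x200))               # pad to file alignment
    opt = bytearray(224)                                  # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, desc, 60)        # import directory RVA / size
    headers = (b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0"
               + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102) + bytes(opt)
               + struct.pack("<8sIIIIIIHHI", b".idata", len(body), sec_rva, len(body), sec_off, 0, 0, 0, 0, 0xC0000040))
    return bytes(headers) + bytes(sec_off - len(headers)) + bytes(body)


if __name__ == "__main__":
    sample = build_sample_pe()
    print(parse_imports(sample), uses_dynamic_loading(parse_imports(sample)))
    print(triage(sample))
```

Against a real file, triage(open("netstat.exe", "rb").read()) should report AllocateAndGetTcpExTableFromStack as "import", and the PokerStars pattern is a "string" verdict together with uses_dynamic_loading() being true. A "string" verdict is a lead, not proof: the name still has to be seen passed to GetProcAddress, or the call caught under a debugger as Test 3 does.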

Test 3: Show that PokerStars lists all processes on your system and opens their memory

This will demonstrate that PokerStars is directly calling Windows functions that can be used to investigate other processes, open their memory, and read their title text. The functions are:
1) EnumProcesses - This can ONLY be used to list all of the processes running on your system: http://msdn.microsoft.com/en-us/library/ms682629(VS.85).aspx
2) OpenProcess - This opens a handle to a process with the access rights you ask for; a handle opened with PROCESS_VM_READ is what ReadProcessMemory requires: http://msdn.microsoft.com/en-us/library/ms684320.aspx
3) ReadProcessMemory - This can be used to read memory from the current process or from another process on the system. However, it makes no sense to use it on the current process, as there are MUCH simpler mechanisms for doing that: http://msdn.microsoft.com/en-us/library/ms680553.aspx
4) GetWindowThreadProcessId - This function is used to get a process ID from a window handle, very useful for snooping on processes by listing the windows on your system: http://msdn.microsoft.com/en-us/library/ms633522.aspx
5) GetWindowText - This function is used to get the text of a window on your system, given its window handle. Its usage is not abnormal in a Windows application, but repeated polling of window texts from applications not its own implies it is being used to snoop on open programs: http://msdn.microsoft.com/en-us/library/ms633520(VS.85).aspx
Any one of these functions might be easily explainable, but the fact that all of them are used, and used repeatedly, shows that PokerStars must be keeping tabs on the programs you are running on your computer.
1) Open WinDbg
2) Ensure that PokerStars is not running and then start it under WinDbg via File > Open Executable, navigating to c:\Program Files\PokerStars\PokerStars.exe
3) After starting PokerStars, WinDbg will run for a bit and then the command window will say something like:
   ntdll!DbgBreakPoint:
   7c90120e cc    int 3
4) Type bp EnumProcesses and hit enter. You are telling WinDbg to stop PokerStars whenever it calls the EnumProcesses function
5) Type g and hit enter. You are telling WinDbg to start executing PokerStars.
6) Play around on PokerStars: log in, open a table, etc. After a moment WinDbg should break and PokerStars should stop executing. You should see something like this in the WinDbg command window:
   Breakpoint 0 hit
   eax=76bf3a76 ebx=00000004 ecx=029af5bc edx=029ae5bc esi=00000000 edi=029af67c
   eip=76bf3a76 esp=029ae5a0 ebp=029af5e0 iopl=0         nv up ei pl nz na po nc
   cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
   psapi!EnumProcesses:
   76bf3a76 6a1c    push 1Ch
7) Type kb and hit enter in the WinDbg command window; you should see something like this:
   0:012> kb
   ChildEBP RetAddr  Args to Child
   WARNING: Stack unwind information not available. Following frames may be wrong.
   029af5e0 00595b68 029af67c 01bbe558 01dcee68 psapi!EnumProcesses
   029af6a8 0056e93a 00000000 01dcee90 0056eaf2 image00400000+0x195b68
   029af6b4 0056eaf2 01bbe558 01dcee90 006e18f8 image00400000+0x16e93a
   029af6dc 0059d5b5 01dcee6c 01dceeac 01dceeb8 image00400000+0x16eaf2
   029aff3c 0059d8af 5d0b128c 01dc1b78 01dc1b78 image00400000+0x19d5b5
   029aff74 0068d16b 01bbe558 66384599 5d0b128c image00400000+0x19d8af
   029affac 0068d210 0012f818 7c80b713 01dc1b78 image00400000+0x28d16b
   029affec 00000000 0068d191 01dc1b78 00000000 image00400000+0x28d210
8) The far right column is of most interest. It shows that PokerStars called EnumProcesses in psapi.dll (psapi!EnumProcesses). Each line underneath the psapi!EnumProcesses line is the caller of the line above it, and every one of them is in image00400000, which is PokerStars itself (verifiable in Process Explorer: the base address of PokerStars.exe in memory is 0x400000, and 0x400000 + 0x195b68 is exactly the return address 00595b68 in the second column). The significance of this is that PokerStars ITSELF called EnumProcesses; it wasn't an unintended side effect of calling some other library function.
9) Type bc * in the WinDbg command window and hit enter (this clears all breakpoints, so the next one you set is breakpoint 0 again)
10) Type bp OpenProcess in the WinDbg command window and hit enter
11) Type g in the WinDbg command window and hit enter
12) Relatively quickly WinDbg should stop executing and you may see something like:
   Breakpoint 0 hit
   eax=029ad49e ebx=76bf0000 ecx=00000000 edx=00000000 esi=7c801d7b edi=00000000
   eip=7c8309d1 esp=029ad448 ebp=76bf1ef4 iopl=0         nv up ei pl nz ac po cy
   cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000213
   kernel32!OpenProcess:
   7c8309d1 8bff    mov edi,edi
13) Type kb and hit enter
   0:012> kb
   ChildEBP RetAddr  Args to Child
   WARNING: Stack unwind information not available. Following frames may be wrong.
   029ad444 00595414 00000410 00000000 00000000 kernel32!OpenProcess
   029ad448 00000000 00000000 00000000 029af67c image00400000+0x195414
14) The three Args to Child on the kernel32!OpenProcess line are OpenProcess's parameters in order: dwDesiredAccess, bInheritHandle, dwProcessId. 00000410 is PROCESS_QUERY_INFORMATION (0x400) | PROCESS_VM_READ (0x10), the pair of rights needed to read another process's memory and query it. If the third argument (the fifth column from the left) contains 00000000, the call is for process ID 0, which is the System Idle Process and cannot be opened; repeat steps 11-13 until it contains something besides zero, like:
   0:012> kb
   ChildEBP RetAddr  Args to Child
   WARNING: Stack unwind information not available. Following frames may be wrong.
   029ad444 00595414 00000410 00000000 0000038c kernel32!OpenProcess
   029ad448 00000000 00000000 0000038c 029af67c image00400000+0x195414
15) The above shows that the OpenProcess function is being called DIRECTLY by PokerStars (the return address 00595414 is again inside image00400000) on process 0000038c, which is 908 in decimal.
16) Open Process Explorer and sort all of the processes by Process ID. Note that the Process ID is that of another process. On my computer, Process ID 908 is winlogon.exe
17) What this has shown is that PokerStars is intentionally opening a handle to other processes on my system. After experimentation I was able to catch it in the act of opening almost every process, including Mozilla Firefox and Internet Explorer.
18) If you care to continue you can catch PokerStars calling ReadProcessMemory, GetWindowThreadProcessId, and GetWindowText on processes and windows that are not its own.

Conclusion: PokerStars is continually watching all of the applications running on your computer, opening them, and snooping around in their memory. It may well be doing more than that, but we know it is at least doing this.
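Reading the kb listings above by hand is where mistakes creep in (which column is the pid, what 0x410 means, whether the caller really is inside PokerStars.exe). The script below is an added example, not part of the report: it parses a WinDbg kb listing taken at the OpenProcess breakpoint, names the three arguments, expands the access mask with the winnt.h PROCESS_* values, and checks the caller against the image base. The sample listings are the report's own frames re-spaced into WinDbg's column layout; the image size passed to the check is an assumption, since the report only gives the base address from Process Explorer.

```python
"""Decode WinDbg `kb` listings taken at the EnumProcesses/OpenProcess breakpoints.
Added example, not from the report. Assumes 32-bit x86 stdcall, so WinDbg's
'Args to Child' are the callee's first three stack arguments."""
import re

# Process-specific access rights from winnt.h (standard rights such as SYNCHRONIZE omitted).
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}

# ChildEBP RetAddr Arg1 Arg2 Arg3 symbol
FRAME_RE = re.compile(r"^\s*([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) ([0-9a-f]{8}) (\S+)", re.I)

# The report's listings, re-spaced into WinDbg's columns.
KB_OPENPROCESS = """0:012> kb
ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
029ad444 00595414 00000410 00000000 0000038c kernel32!OpenProcess
029ad448 00000000 00000000 0000038c 029af67c image00400000+0x195414
"""
KB_ENUMPROCESSES = """0:012> kb
ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
029af5e0 00595b68 029af67c 01bbe558 01dcee68 psapi!EnumProcesses
029af6a8 0056e93a 00000000 01dcee90 0056eaf2 image00400000+0x195b68
029af6b4 0056eaf2 01bbe558 01dcee90 006e18f8 image00400000+0x16e93a
029af6dc 0059d5b5 01dcee6c 01dceeac 01dceeb8 image00400000+0x16eaf2
029aff3c 0059d8af 5d0b128c 01dc1b78 01dc1b78 image00400000+0x19d5b5
029aff74 0068d16b 01bbe558 66384599 5d0b128c image00400000+0x19d8af
029affac 0068d210 0012f818 7c80b713 01dc1b78 image00400000+0x28d16b
029affec 00000000 0068d191 01dc1b78 00000000 image00400000+0x28d210
"""


def parse_kb(text):
    """Frames as dicts; header, prompt and WARNING lines are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            ebp, ret, a1, a2, a3, sym = m.groups()
            frames.append({"ebp": int(ebp, 16), "ret": int(ret, 16),
                           "args": (int(a1, 16), int(a2, 16), int(a3, 16)), "symbol": sym})
    return frames


def decode_access(mask):
    """Names of the PROCESS_* bits set in an OpenProcess access mask, unknown bits kept as hex."""
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    leftover = mask & ~sum(PROCESS_RIGHTS)
    if leftover:
        names.append(f"0x{leftover:x}")
    return names


def callers_in_image(text, image_base):
    """For each frame below the API frame: is it image<base>+offset, i.e. the main exe itself?"""
    tag = f"image{image_base:08x}+"
    return [f["symbol"].lower().startswith(tag) for f in parse_kb(text)[1:]]


def analyze_openprocess(text, image_base, image_size):
    """Decode the OpenProcess call at the top of a kb listing. image_size is assumed."""
    top = parse_kb(text)[0]
    if not top["symbol"].lower().endswith("!openprocess"):
        raise ValueError("top frame is not OpenProcess")
    access, inherit, pid = top["args"]
    return {"pid": pid, "pid_nonzero": pid != 0, "inherit": bool(inherit),
            "access": decode_access(access), "caller_ret": top["ret"],
            "caller_in_image": image_base <= top["ret"] < image_base + image_size}


if __name__ == "__main__":
    print(analyze_openprocess(KB_OPENPROCESS, image_base=0x400000, image_size=0x300000))
    print(callers_in_image(KB_ENUMPROCESSES, 0x400000))
```

On the report's listing this yields pid 908 with PROCESS_VM_READ and PROCESS_QUERY_INFORMATION, a return address inside the image, and, for the EnumProcesses stack, every frame beneath the API inside image00400000, which is the step-8 argument made mechanical.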

Test 4: Show that PokerStars still has domain names in its data

This test shows that PokerStars used to contain the SharkScope IP, but no longer does. It does, however, contain many more domains that it is searching for. We know the data we find in the memory dump is coming from their servers because these same strings are not located anywhere in the PokerStars.exe binary (you can verify by loading it up in HxD and searching). Strictly, absence from the file on disk shows that the list is not stored in the clear in the executable; ruling out an encrypted or compressed copy embedded in the client would take a capture of the client's network traffic.
1) Start PokerStars
2) Open a command console (Start > Run > cmd)
3) Navigate to somewhere you can easily remember in the command console; type something like cd c:\ (then hit enter)
4) Type userdump -p (then hit enter)
5) You should see a list of numbers on the left and processes on the right, like:
   4756 calc.exe
   2152 pidgin.exe
   5324 WINWORD.EXE
   4240 cmd.exe
   2244 PokerStars.exe
   5432 userdump.exe
6) The number to the left of PokerStars.exe is the process ID; type userdump -p <PROCESS ID> (then hit enter)
7) Wait for userdump to finish dumping.
8) Open HxD
9) Open the PokerStars.dmp file which userdump has created via File > Open
10) Search for autohotkey in HxD; you should eventually find something like the following (shown one record per line; in HxD it is one continuous run of bytes, with non-printable separators rendered as dots and escaped bytes written as @hh):
   MaxScanTime:1
   .D.ScanInterval:103030
   .D.BehaviorCheck:on:1800?bc=1;ck=1;df=1;mm=1;ra=1;ld=1;dx=0;rd=1;sd=1;bd=1;cd=1;ob=1
   .D.282:1:49
   .B.Too few mouse move:10:902:0?bc>20&&mm<12*bc
   .B.Outside button click:20:904:0?ld>30&&ob>20
   .G.PPrc:5:222:0?explorer.exe:PokerStarsUpdate.exe:cmd.exe
   .A.Poker_Edge:20:501:0?A=PokerEDGE@00
   .A.WinHoldEm:20:502:0?A=//www.winholdem.net/
   .A.Poker_Prophecy:20:503:0?A=P@00o@00k@00e@00r@00P@00r@00o@00p@00h@00e@00c@00y@00
   .A.Poker_Sherlock:20:504:180?A=//pokersherlock.com/
   .A.WinPush:20:505:0?A=@25c@20@2508x@20@25s@0a@00press@20esc@20to@20exit@0a@00@00press@20a@25c@20to@20push@0a@00
   .A.PokerBotPlus:20:506:0?A=P@00B@00P@00l@00u@00s@00@00E@00r@00r@00o@00r@004@00U@00n@00a@00b@00l@00e@00@00t@00o@00@00a@00l@00l@00o@00c@00a@00t@00e@00@00m@00e@00m@00o@00r@00y@00@00r@00e@00q@00u@00i@00r@00e@00d@00@00f@00o@00r@00@00b@00a@00s@00e@00@00o@00b@00j@00e@00c@00t@00s@00.@00
   .A.IntelliPoker:20:508:0?A=/@00/@00w@00w@00w@00.@00I@00n@00t@00e@00l@00l@00i@00P@00o@00k@00e@00r@00.@00N@00E@00T@00/
   .A.PokerAndroid:20:509:0?A=@00PokerAndroid.frmMain.resources@00
   .A.Gambot:20:510:0?A=C@00l@00o@00s@00e@00@20@00G@00a@00m@00b@00o@00t@00@20@00o@00n@00@20@00S@00h@00u@00t@00d@00o@00w@00n@00@00
   .A.PokerTableManager:20:511:0?A=http@3a//www.pokertablemanager.com@00
   .A.Gambot_0.986:20:512:0?A=@00gambot.bitmaps.pokerstars.seat_open.bmp@00
   .A.AutoHotKey:10:513:0?A=http@3a//www.autohotkey.com
   .A.PokerSherlock or PokerEdge:20:514:0?A=@00Disallowing GetWindowText called on %x which has a pid of %x, not the current process.@00
   .I.PokerSherlock or PokerEdge:20:515:0?I=10000000,1c000,@00Disallowing GetWindowText called on %x which has a pid of %x, not the current process.@00
   .L.SHH:20:516:0?I=429000,9000,just keep this application running and open as many table windows in the Stars client as you like. All found games
   .L.OPI:10:517:0?I=5dd000,4000,All names starting with a single quote are reserved by Poker Inspector
   .A.AutoIt3:10:518:0?A=@00/AutoIt3ExecuteLine@00/AutoIt3OutputDebug@00
   .A.WinHoldEm_Scrape:0:519:0?A=HixoxiH@20Software@0asupport@40winholdem.net
   .A.WinHoldEm_Bring:0:520:0?A=HixoxiH@20Software@0dsupport@40winholdem.net
   .D.283:1000
   .D.285:ff
   .D.286:1,150000,30;1,150000,30;1,400000,45;1,400000,45;
   .A.MassActionGeneratorv1:10:109:0?A=MassActionGeneratorv1.00 DuoDongZuoShenChenQi,BanBeng1.00@00
   .L.OPIWiZard:10:521:0?I=52d000,1000,@08@07Caption@06@0bOPI@20Advisor@05Color
   .A.OpenHoldem:10:522:0?A=Select OpenHoldem profile file to OPEN
   .A.PokerHound:10:526:0?A=Email support@40insightpokerhound.com, or phone 416 238 4369, if you need assistance.
   .A.PokerHound:10:527:0?A=PokerHoundDataSet@00
   .A.Detoured:10:528:0?A=@00detoured.dll@00@3fDetoured@40@40YGPAUHINSTANCE__@40@40XZ@00
11) In the above paste you can see several domains: autohotkey.com, winholdem.net, insightpokerhound.com, pokersherlock.com (and, once the @00-interleaved UTF-16 entries are read, IntelliPoker.NET and pokertablemanager.com). Note that the patterns are not only domains: entries such as the "Disallowing GetWindowText called on %x" string and the detoured.dll export name are message and module text that identifies the named tool in another process's memory, which is what the OpenProcess/ReadProcessMemory calls of Test 3 are for.
12) Previous to the last patch you'd also have noticed:
   Sharkscope.com:10:612:0?64.71.155.100:80.

Conclusion: Although Stars did remove SharkScope.com from their list of domains to search for, they continue to send many more domains to their client. They have not stopped snooping; they have simply removed SharkScope.com from the list of banned domains they send to their client.
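The list in step 10 is hard to read by eye because half of the patterns are UTF-16 text written with @00 between the characters. The script below is an added example, not code from the report or from PokerStars, that splits such an excerpt into records, decodes the @hh escapes, and pulls out the domain-looking tokens. The record layout it assumes is inferred from the excerpt, not from any documentation: a record starts with .T.name:n:id:n?K=, its payload runs to the next record header, and @hh stands for one byte with hex value hh. SAMPLE is a subset of the records shown above, copied as they appear there.

```python
"""Decode the detection list found in the PokerStars memory dump excerpt.
Added example, not from the report. Assumed (undocumented) layout: records
begin with '.<T>.<name>:<n>:<id>:<n>?<K>=', run to the next header, and use
'@hh' to escape one byte; '@00'-interleaved payloads are therefore UTF-16LE."""
import re

HEADER_RE = re.compile(r"\.([AIL])\.([^:]+?):(\d+):(\d+):(\d+)\?([AI])=")
ESCAPE_RE = re.compile(r"@([0-9a-fA-F]{2})")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

# Subset of the dump excerpt from step 10 above.
SAMPLE = (
    ".A.Poker_Edge:20:501:0?A=PokerEDGE@00"
    ".A.WinHoldEm:20:502:0?A=//www.winholdem.net/"
    ".A.Poker_Prophecy:20:503:0?A=P@00o@00k@00e@00r@00P@00r@00o@00p@00h@00e@00c@00y@00"
    ".A.Poker_Sherlock:20:504:180?A=//pokersherlock.com/"
    ".A.IntelliPoker:20:508:0?A=/@00/@00w@00w@00w@00.@00I@00n@00t@00e@00l@00l@00i@00"
    "P@00o@00k@00e@00r@00.@00N@00E@00T@00/"
    ".A.PokerTableManager:20:511:0?A=http@3a//www.pokertablemanager.com@00"
    ".A.AutoHotKey:10:513:0?A=http@3a//www.autohotkey.com"
    ".L.OPI:10:517:0?I=5dd000,4000,All names starting with a single quote are reserved by Poker Inspector"
    ".A.PokerHound:10:526:0?A=Email support@40insightpokerhound.com, or phone 416 238 4369, if you need assistance."
)


def unescape(payload):
    """Replace every '@hh' with the byte it stands for; other characters pass through."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), payload).encode("latin-1", "replace")


def readable(raw):
    """Printable form: UTF-16LE payloads are decoded, stray NULs in byte strings dropped."""
    if len(raw) % 2:                       # trailing ASCII byte whose NUL was cut off
        raw += b"\x00"
    if raw and raw[1::2] == bytes(len(raw) // 2):
        return raw.decode("utf-16-le")
    return raw.replace(b"\x00", b"").decode("latin-1")


def parse_records(blob):
    """Split the text into records: type, name, rule id, pattern kind, raw bytes, text."""
    heads = list(HEADER_RE.finditer(blob))
    records = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(blob)
        rtype, name, _, rid, _, kind = h.groups()
        raw = unescape(blob[h.end():end])
        records.append({"type": rtype, "name": name, "id": int(rid), "kind": kind,
                        "raw": raw, "text": readable(raw)})
    return records


def domains(records):
    """Domain-looking tokens in the decoded patterns, lower-cased, leading 'www.' dropped."""
    found = set()
    for r in records:
        for d in DOMAIN_RE.findall(r["text"]):
            d = d.lower()
            found.add(d[4:] if d.startswith("www.") else d)
    return sorted(found)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in recs:
        print(f"{r['type']}.{r['name']} (rule {r['id']}, {r['kind']}=): {r['text']!r}")
    print("domains:", domains(recs))
```

The domain regex is a heuristic: run over the full excerpt it will also pick up dotted resource names such as gambot.bitmaps.pokerstars, so treat its output as candidates to review rather than a clean list of banned sites.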
