This may ramble on a bit, but it explains my desire to create this tool.

I was working on a project for myself, an emulated console arcade. I needed a good controller interface to a computer that would be hooked up to my TV. I found MotioninJoy to be a suitable driver, but wanted more functionality than was provided by default. Specifically, I wanted to be able to get the battery status of Bluetooth-connected DS3 controllers, as I was implementing a PS3-style XMB overlay. So, I started digging around in the DS3_Tool.exe program that comes with the MotioninJoy driver. At first, I was only going to extract the values of the actual battery charge status that shows in DS3_Tool.exe, and I discovered that this was next to impossible because DS3_Tool.exe uses an Internet Explorer server, specifically the WebBrowser control, and I can only assume that, for security reasons, the operating system doesn’t allow this to be hooked.

This got me curious as to why the author decided to build DS3_Tool.exe in this manner. I was also determined to achieve what I described previously. I first noticed outbound connections over the internet, which I assumed at first were to deliver ads in the main screen. However, it does more than that.

You see, all the heavy lifting is done by DS3_Tool.exe locally. However, it has no application logic whatsoever to determine when it should interface with the MIJFilter driver; this is all decided by the green “GUI” that is presented to you via HTML and JavaScript inside of that WebBrowser control. This HTML and JavaScript comes from a remote server out on the internet, and this is where things become somewhat nefarious in my opinion.

DS3_Tool.exe is signed with the same digital certificate that the MIJFilter driver is signed with. I assume this is to overcome the driver signing requirements in x64 systems. The problem, however, is that DS3_Tool.exe, being signed, will occasionally request administrative privileges to do certain housekeeping tasks, like updating or managing the MIJFilter driver installed in your system. Since the “GUI” tells the trusted and signed DS3_Tool.exe what to do, this means that all the active content that’s delivered to your computer from a remote server is also trusted, since DS3_Tool.exe is just acting as a proxy for whatever the remotely delivered “GUI” tells it to do. This connection to the server is not protected by SSL, and it’s also hard-coded as a domain name in DS3_Tool.exe itself. This leaves open a couple of avenues of exploitation by an attacker. First off, there is the man-in-the-middle scenario, since the connection to the “GUI” is not secured with SSL. Secondly, what if the author abandons this domain, and an attacker buys it up? DS3_Tool.exe will execute the JavaScript contained on this new domain without question. This to me is troublesome. The driver itself works well enough, but DS3_Tool.exe is just terrible.

There are a couple of other odd things to point out here. DS3_Tool.exe stores files at …\”UserProfile”\AppData\Roaming\MotioninJoy\DS3tool. These files are Base64-encoded, DES-encrypted files which contain some offline JavaScript routines, as well as the configuration information for DS3_Tool.exe itself. Why would the author of MotioninJoy go to this much trouble? Surely it’d be easier to create a fully native application for managing the driver. I can’t say for sure if the author is using this method to just deliver ads, or to be able to quickly update the functionality of the program without users downloading an update, or for some other purpose. But DS3_Tool.exe does have the ability to download files from a remote location and execute them.

To me this is the very definition of a Trojan horse.

So, I made this replacement for DS3_Tool.exe.

I hope you enjoy it.