authorboris <wzn@moneybot.cc>2018-12-28 21:35:18 +1300
committerboris <wzn@moneybot.cc>2018-12-28 21:35:18 +1300
commit81a3987fc17f99d2092018ac266882f4533cc27e (patch)
treef351344ee454f081d97ce2ed55bce7d2698c62ef
parentc486baddbe064c0c78d9ea45361adf917f3c6842 (diff)
aaaaaaaaaaaaaaaaaaaaa
-rw-r--r--csgo-loader/csgo-client/Client.cpp51
-rw-r--r--csgo-loader/csgo-client/Security/RuntimeSecurity.cpp32
-rw-r--r--csgo-loader/csgo-client/Security/RuntimeSecurity.hpp15
-rw-r--r--csgo-loader/csgo-client/Security/SyscallManager.cpp2
-rw-r--r--csgo-loader/csgo-server/RemoteCode/RemoteInjectionServer.hpp13
-rw-r--r--csgo-loader/to-do list.txt17
6 files changed, 80 insertions, 50 deletions
diff --git a/csgo-loader/csgo-client/Client.cpp b/csgo-loader/csgo-client/Client.cpp
index 0f29f29..38bc273 100644
--- a/csgo-loader/csgo-client/Client.cpp
+++ b/csgo-loader/csgo-client/Client.cpp
@@ -1,12 +1,44 @@
#include <Client.hpp>
+/*
+ TODO:
+ - Finish off security on client:
+ - Hook OpenProcess, ExitProcess, WSARecv, WSASend and check if function is OOB.
+ - Use VM check that Nave gave me.
+ - Run a thread to check for blacklisted drivers periodically (also blacklist VBox)
+ - Run a thread to check if there is more than X threads running in the loader.
+ - Add dump protection (closes csgo.exe if a handle is detected, probably explorer shellcode)
+ - Add HWID generation
+ - Hook DbgBreakPoint and DbgUiRemoteBreakin (instead of bytepatching, some debuggers will check that)
+ - If the hook is triggered, ban the user.
+ - Don't forget about the security callback; leave implementation up to Nave.
+
+ - Apply Themida macros inside important functions:
+ - Apply mutation on Security hooks and main function.
+ - Apply fast VM on syscall manager, process functions
+ - Apply robust VM on TCP, login
+ - Apply heavy VM on Encryption, recv/send wrappers.
+
+ - Finish off shellcode execution wrapper:
+ - The shellcode can be executed via two ways
+ - Either the code is mapped and called via CreateRemoteThread (allows custom param)
+ - or the code is mapped and called via DX9 (does not allow custom param)
+ - This will probably be the easiest thing to do.
+
+ - Finish off injection wrapper:
+ - Everything is already laid out, tbh.
+
+ - Have the loader inject a .DLL :^)
+
+ TODO (Nave):
+ - Make the UI look nice.
+ - Adapt the server to work with your backend.
+*/
+
int __stdcall WinMain(HINSTANCE inst, HINSTANCE prev, char* str, int cmdshow)
{
WRAP_IF_DEBUG(Utils::OpenConsole());
- WRAP_IF_RELEASE(VM_DOLPHIN_BLACK_START);
- WRAP_IF_RELEASE(STR_ENCRYPT_START);
-
// Initialize the runtime protection system.
if(!Protection->Start())
ERROR_ASSERT("[000F:00001A00] Failed to initialize. Please contact an administrator.");
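Review bot: The 30-line TODO block added at the top of Client.cpp duplicates the tracked `to-do list.txt`, which this same commit also edits, so the two lists will drift apart; keep the task list in one place and leave at most a one-line pointer here, e.g. `// Open work items: see csgo-loader/to-do list.txt`. Separately, the context line `ERROR_ASSERT("[000F:00001A00] Failed to initialize. ...")` uses the same code that the next hunk emits for the `Syscalls->Start()` failure, so a reported `[000F:00001A00]` cannot tell the two initialisation failures apart; give each call site a distinct code. WinMain continues past the end of this hunk.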
@@ -15,38 +47,25 @@ int __stdcall WinMain(HINSTANCE inst, HINSTANCE prev, char* str, int cmdshow)
if(!Syscalls->Start())
ERROR_ASSERT("[000F:00001A00] Failed to initialize. Please contact an administrator.");
- WRAP_IF_RELEASE(STR_ENCRYPT_END);
- WRAP_IF_RELEASE(VM_DOLPHIN_BLACK_END);
-
// Wait for connection.
UserInterface->m_Data.m_ExecutionState = UserExperience::EXECUTION_WAITING;
// Create a thread to handle UI.
std::thread WindowThread([]
{
- WRAP_IF_RELEASE(VM_SHARK_BLACK_START);
- WRAP_IF_RELEASE(STR_ENCRYPT_START);
-
// Create a window, initialise DirectX context.
if(!UserInterface->Start())
ERROR_ASSERT("[000F:00001B00] Failed to initialize. Please contact an administrator.");
- WRAP_IF_RELEASE(STR_ENCRYPT_END);
- WRAP_IF_RELEASE(VM_SHARK_BLACK_END);
-
// Create a loop to draw our UI.
UserInterface->RunUiFrame();
}); WindowThread.detach();
- WRAP_IF_RELEASE(VM_EAGLE_BLACK_START);
-
// Attempt to connect to the remote server.
Networking::TCPClient Client;
if(!Client.Start(LOCAL_IP, SERVER_PORT))
ERROR_ASSERT("[000F:0002A000] Server did not accept the connection.");
- WRAP_IF_RELEASE(VM_EAGLE_BLACK_END);
-
// Allow the user to input their log-in data.
UserInterface->m_Data.m_ExecutionState = UserExperience::EXECUTION_LOG_IN;
diff --git a/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp b/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp
index bff53f8..96e22bc 100644
--- a/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp
+++ b/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp
@@ -6,30 +6,26 @@ Security::RuntimeSecurityPtr Protection = std::make_unique<Security::RuntimeSecu
namespace Security
{
- decltype(&MessageBoxA) oMessageBox;
- int __stdcall Hooked_MessageBox(HWND Window, char *Message, char *Caption, uint32_t Type)
- {
- // TODO: Replace this with a Syscall so we cannot get hooked.
- MEMORY_BASIC_INFORMATION Query;
- if(!VirtualQuery(_ReturnAddress(), &Query, sizeof MEMORY_BASIC_INFORMATION))
- ExitProcess(0);
+ /*
+ decltype(&MessageBoxA) oMessageBox;
+ int __stdcall Hooked_MessageBox(HWND Window, char *Message, char *Caption, uint32_t Type)
+ {
+ // TODO: Replace this with a Syscall so we cannot get hooked.
+ MEMORY_BASIC_INFORMATION Query;
+ if(!VirtualQuery(_ReturnAddress(), &Query, sizeof MEMORY_BASIC_INFORMATION))
+ ExitProcess(0);
- HMODULE ReturnModule = (HMODULE)Query.AllocationBase;
+ HMODULE ReturnModule = (HMODULE)Query.AllocationBase;
- if (ReturnModule != GetModuleHandleA(0))
- ExitProcess(0);
+ if (ReturnModule != GetModuleHandleA(0))
+ ExitProcess(0);
- return oMessageBox(Window, Message, Caption, Type);
- }
+ return oMessageBox(Window, Message, Caption, Type);
+ }
+ */
bool RuntimeSecurity::Start()
{
- if(MH_Initialize() != MH_OK)
- return false;
-
- MH_CreateHook(&MessageBoxA, Hooked_MessageBox, (void **)&oMessageBox);
- MH_EnableHook(&MessageBoxA);
-
return true;
}
} \ No newline at end of file
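Review bot: `RuntimeSecurity::Start()` now has an empty body and unconditionally returns true, so the `if(!Protection->Start()) ERROR_ASSERT(...)` guard in Client.cpp can never fire; if this is a deliberate stub, state it at the top of the body, e.g. `// Stub: no runtime checks are installed yet; always reports success.` The previous implementation is kept as a `/* ... */` block rather than removed, which leaves nested `//` comments inside the block comment and dead code that the commit history already preserves; deleting it would keep the file readable. The file also still ends without a trailing newline.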
diff --git a/csgo-loader/csgo-client/Security/RuntimeSecurity.hpp b/csgo-loader/csgo-client/Security/RuntimeSecurity.hpp
index 2ef601d..671f67b 100644
--- a/csgo-loader/csgo-client/Security/RuntimeSecurity.hpp
+++ b/csgo-loader/csgo-client/Security/RuntimeSecurity.hpp
@@ -60,20 +60,18 @@ namespace Security
{
protected:
// Applies necessary API hooks.
- void ApplyApiHooks_Internal();
+ bool ApplyApiHooks();
// Patches common debugging functions to crash the program.
- void PatchDebugFunctions_Internal();
+ void PatchDebugFunctions();
// Dispatches security threads.
- void DispatchSecurityThreads_Internal();
+ void DispatchSecurityThreads();
// The following functions are used in security threads to run checks.
- bool CheckForVirtualMachine_Internal();
+ bool CheckForVirtualMachine();
- bool CheckForDebugger_Internal();
-
- bool CheckForApiHooks_Internal();
+ bool CheckForDebugger();
public:
// Initializes the runtime security system.
@@ -81,6 +79,9 @@ namespace Security
// Retrieves the current Hardware ID for the system.
HardwareIdentifier GetHardwareId();
+
+ // ...
+ MEMORY_BASIC_INFORMATION QueryMemory(void *Address);
};
// Readability
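Review bot: The new `QueryMemory` declaration carries only a `// ...` placeholder where every neighbouring declaration has a one-line description; replace it with the function's contract, e.g. `// Returns the MEMORY_BASIC_INFORMATION describing the region that contains Address.` (assuming it wraps a VirtualQuery-style lookup, as the commented-out code in RuntimeSecurity.cpp did). Returning the struct by value gives the caller no way to detect a failed query; `bool QueryMemory(void *Address, MEMORY_BASIC_INFORMATION &Out);` or an `std::optional` return, if the project builds as C++17, would make failure explicit. In the first hunk `ApplyApiHooks` changed from `void` to `bool`, but the comment above it still does not say what the return value means.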
diff --git a/csgo-loader/csgo-client/Security/SyscallManager.cpp b/csgo-loader/csgo-client/Security/SyscallManager.cpp
index 0104dae..bab2d5f 100644
--- a/csgo-loader/csgo-client/Security/SyscallManager.cpp
+++ b/csgo-loader/csgo-client/Security/SyscallManager.cpp
@@ -81,7 +81,7 @@ namespace Wrapper
}
// Sick macros, retard.
- #define GetRvaPointer(Rva) (Buffer + GetRawOffsetByRva(SectionHeader, SectionCount, FileSize, Rva))
+#define GetRvaPointer(Rva) (Buffer + GetRawOffsetByRva(SectionHeader, SectionCount, FileSize, Rva))
bool SyscallManager::Start()
{
diff --git a/csgo-loader/csgo-server/RemoteCode/RemoteInjectionServer.hpp b/csgo-loader/csgo-server/RemoteCode/RemoteInjectionServer.hpp
index 3a975f7..fe6da09 100644
--- a/csgo-loader/csgo-server/RemoteCode/RemoteInjectionServer.hpp
+++ b/csgo-loader/csgo-server/RemoteCode/RemoteInjectionServer.hpp
@@ -60,4 +60,17 @@ namespace RemoteCode
uintptr_t m_RemoteModules[6];
};
+ class RemoteInjectionServer
+ {
+ public:
+ // Receive hash of selected cheat.
+ // Reply with size of image to allocate.
+ ByteArray Start(ByteArray &Response);
+
+ // Receive client header, send over list of imported functions
+ ByteArray TransactionStart(ByteArray &Response);
+
+ // Receive list of modules & export addresses
+ ByteArray TransactionContinue(ByteArray &Response);
+ };
} \ No newline at end of file
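Review bot: The three new methods take `ByteArray &Response` as a mutable reference while their comments describe the parameter as data received from the client; if they only read it, declare it `const ByteArray &Response` so the signature says so and callers can pass temporaries. The name `Response` is also misleading for a server-side method that receives a request and returns the reply as its result; `Request` would match the comments. The file still ends without a trailing newline.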
diff --git a/csgo-loader/to-do list.txt b/csgo-loader/to-do list.txt
index 00f05ef..2f7f9d8 100644
--- a/csgo-loader/to-do list.txt
+++ b/csgo-loader/to-do list.txt
@@ -32,28 +32,29 @@ RemoteInjectionServer
ByteArray TransactionContinue
}
-RemoteInjectionClient
+class RemoteInjectionClient
{
+public:
// Select process name, prepare list of modules to load
// Send the hash of the cheat we want to load to server.
- ByteArray Start( )
+ ByteArray Start( ) ;
// Wait for the process to be ready, with optional timeout.
- bool WaitForTransactionStart( uint32_t Timeout = UINT_MAX )
+ bool WaitForTransactionStart( uint32_t Timeout = UINT_MAX );
// Receive size of image to allocate, response is the client header.
- ByteArray TransactionStart( ByteArray &Response )
+ ByteArray TransactionStart( ByteArray &Response );
// Receive list of imported functions to the requested DLL.
// Send over list of modules and their addresses to server
- ByteArray TransactionContinue( ByteArray &Response )
+ ByteArray TransactionContinue( ByteArray &Response );
// Receive final module to allocate.
// Write the file to the process.
- bool TransactionCommit( ByteArray &Response )
+ bool TransactionCommit( ByteArray &Response );
- RemoteServerHeader GetExecutionHeader()
-}
+ RemoteServerHeader GetExecutionHeader();
+};
// this section will be posted on forums:
[000F:xxxxxxxx]