6IX9INE "Billy" (WSHH Exclusive - Official Music Video)

author: boris <wzn@moneybot.cc> 2019-01-02 21:11:03 +1300
committer: boris <wzn@moneybot.cc> 2019-01-02 21:11:03 +1300
commit: c0f1354a301ce2a2fc867a89fafdde4571c07c02 (patch)
tree: ea628b53a41f7d532efe100b94a41e4ca0429767 /csgo-loader/csgo-client/Security/RuntimeSecurity.cpp
parent: d1ec3d3bb3a87a08e1c9348ca6e482549ebde664 (diff)
1 files changed, 95 insertions, 29 deletions
diff --git a/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp b/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp
index 572c9b1..7f528e3 100644
--- a/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp
+++ b/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp
@@ -209,6 +209,9 @@ namespace Security
 
 		for(;;)
 		{
+			if(VMProtectIsVirtualMachinePresent())
+				SecurityCallback(STR("Malicious activity [Virtualized environment]."));
+
 			// Don't put too much stress on the CPU.
 			Sleep(1);
 		}
@@ -227,36 +230,18 @@ namespace Security
 			// Offset for x64 is 0x60 ; mov ..., qword ptr gs:[0x60]
 			PEB *ProcessEnvBlock = (PEB *)__readgsqword(0x60);
 
-			//if(ProcessEnvBlock->BeingDebugged)
-			//	SecurityCallback(__FUNCSIG__);
+			if(ProcessEnvBlock->BeingDebugged)
+				SecurityCallback(STR("Malicious activity [Debugging attempt]."));
 
 			// TODO: Check for x64dbg window?
-			/*
-				------------------------------
-				HWND: 000305A4
-					HWND->m_Class = "ID"
-					HWND->m_Text  = "Immunity
-				------------------------------
-				HWND: 00060574
-					HWND->m_Class = || NON CONSTANT ||
-					HWND->m_Text  = "x64dbg"
-				------------------------------
-				HWND: 002C0680
-					HWND->m_Class = || NON CONSTANT ||
-					HWND->m_Text  = "Progress Telerik Fiddler Web Debugger"
-				------------------------------
-				HWND: 000406E4
-					HWND->m_Class = "OLLYDBG"
-					HWND->m_Text  = "OllyDbg"
-				------------------------------
-			*/
 			using WindowParams = std::pair<const char *, const char *>;
 			static std::vector<WindowParams> BlackListedWindows = {
 				{STR("ID"),				STR("Immunity")}, // Immunity Debugger
-				{STR("Qt5QWindowIcon"),	STR("x64dbg")},	  // x64dbg
-				{STR("Qt5QWindowIcon"),	STR("x32dbg")},	  // x32dbg
-				{STR("OLLYDBG"),		STR("OllyDbg")},  // OllyDbg
-				{nullptr, STR("Progress Telerik Fiddler Web Debugger")},	// Telerik Fiddler
+				{STR("Qt5QWindowIcon"),	STR("x64dbg")},	// x64dbg
+				{STR("Qt5QWindowIcon"),	STR("x32dbg")},	// x32dbg
+				{STR("Qt5QWindowIcon"),	STR("The Wireshark Network Analyzer")}, // x32dbg
+				{STR("OLLYDBG"),		STR("OllyDbg")}, // OllyDbg
+				{nullptr, STR("Progress Telerik Fiddler Web Debugger")}, // Telerik Fiddler
 			};
 
 			for(auto &It : BlackListedWindows)
@@ -284,7 +269,7 @@ namespace Security
 				STR("NPF"),		// WireShark / WinPCAP
 				STR("acker"),	// Process Hacker
 				STR("CEDRI"),	// Cheat Engine
-				//STR("VBox")		// VirtualBox
+				//STR("VBox")	// VirtualBox
 			};
 
 			static const char *BlackListReasons[] = {
@@ -303,7 +288,11 @@ namespace Security
 			if(K32EnumDeviceDrivers(DriverList, sizeof DriverList, &Needed))
 			{
 				if(Needed > sizeof DriverList)
-					ERROR_ASSERT(STR("[00DF:00001CFF] A security thread has failed. Contact an administrator."));
+				{
+					ERROR_ASSERT(
+						STR("[00DF:00001CFF] A security thread has failed. Contact an administrator.")
+					);
+				}
 
 				char	 DriverName[1024];
 				uint32_t DriverCount = Needed / sizeof DriverList[0];
@@ -330,6 +319,12 @@ namespace Security
 	{
 		for(;;)
 		{
+			if(!VMProtectIsProtected())
+				SecurityCallback(STR("Malicious activity [Tampering]."));
+
+			if(!VMProtectIsValidImageCRC())
+				SecurityCallback(STR("Malicious activity [Tampering]."));
+
 			// Don't put too much stress on the CPU.
 			Sleep(1);
 		}
@@ -358,22 +353,93 @@ namespace Security
 
 	constexpr uintptr_t KUSER_SHARED_DATA = 0x7FFE0000;
 
+	__forceinline uint64_t get_hdd_hash() {
+		STORAGE_PROPERTY_QUERY		query{ };
+		STORAGE_DESCRIPTOR_HEADER	desc_header{ };
+		STORAGE_DEVICE_DESCRIPTOR*	device_descriptor{ };
+		HANDLE						device;
+		DWORD						bytes_returned;
+		uint8_t*					out_buffer;
+
+		const wchar_t* device_path = L"\\??\\PhysicalDrive0";
+		device = CreateFileA("\\\\.\\PhysicalDrive0", 0, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, 0, 0);
+		if(!device) return uint64_t{ };
+
+		query.PropertyId = StorageDeviceProperty;
+		query.QueryType = PropertyStandardQuery;
+
+		if(!DeviceIoControl(device, IOCTL_STORAGE_QUERY_PROPERTY,
+			&query, sizeof(STORAGE_PROPERTY_QUERY),
+			&desc_header, sizeof(STORAGE_DESCRIPTOR_HEADER),
+			&bytes_returned, 0)) {
+			return uint64_t{ };
+		}
+
+		out_buffer = new uint8_t[desc_header.Size];
+		memset(out_buffer, 0, desc_header.Size);
+
+		if(!DeviceIoControl(device, IOCTL_STORAGE_QUERY_PROPERTY,
+			&query, sizeof(STORAGE_PROPERTY_QUERY),
+			out_buffer, desc_header.Size,
+			&bytes_returned, 0)) {
+			delete[] out_buffer;
+			return uint64_t{ };
+		}
+
+		device_descriptor = (STORAGE_DEVICE_DESCRIPTOR*)out_buffer;
+		if(device_descriptor->SerialNumberOffset) {
+			std::string serial_num = reinterpret_cast<const char*>(
+				out_buffer + device_descriptor->SerialNumberOffset);
+
+			delete[] out_buffer;
+			CloseHandle(device);
+			return fnv::hash_runtime(serial_num.c_str());
+		}
+
+		return 0;
+	}
+
 	HardwareIdentifier RuntimeSecurity::GetHardwareId()
 	{
+		VMProtectBeginMutation("HardwareIdentifier");
+
 		HardwareIdentifier Identifier{};
 
 		// CPU information
 		Identifier.m_CpuCount        = *(uint32_t *)(KUSER_SHARED_DATA + 0x3C0);
 		Identifier.m_CpuArchitecture = *(uint16_t *)(KUSER_SHARED_DATA + 0x26A);
 
-		// CPU features
+		// HDD serial number
+		Identifier.m_HardDiskSerialHash = get_hdd_hash();
 
 		// Safe-mode
 		Identifier.m_SpecialMode[0] = *(uint8_t *)(KUSER_SHARED_DATA + 0x2EC);
 
 		// Test-signing mode
+		static auto ZwQuerySystemInformation = Syscalls->Find<long(__stdcall *)(uint32_t, void *, uint32_t, uint32_t *)>(FNV("ZwQuerySystemInformation"));
+
+		// 0x02 CODEINTEGRITY_OPTION_TESTSIGN
+		// 0x20	CODEINTEGRITY_OPTION_TEST_BUILD
+		// 0x80	CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED
+
+		CodeIntegrityInformation Info{ sizeof CodeIntegrityInformation };
+		NTSTATUS Status = ZwQuerySystemInformation(0x67, &Info, sizeof Info, nullptr);
+
+		if(NT_ERROR(Status))
+			ERROR_ASSERT(STR("[00CF:%08x] Critical execution error."), Status);
+
+		if(Info.m_Options & 0x02)
+			Identifier.m_SpecialMode[1] = true;
+
+		if(Info.m_Options & 0x20)
+			Identifier.m_SpecialMode[2] = true;
+
+		if(Info.m_Options & 0x40)
+			Identifier.m_SpecialMode[3] = true;
+
+		VMProtectEnd();
 
-		return HardwareIdentifier{};
+		return Identifier;
 	}
 
 #pragma optimize("", off)
author	boris <wzn@moneybot.cc>	2019-01-02 21:11:03 +1300
committer	boris <wzn@moneybot.cc>	2019-01-02 21:11:03 +1300
commit	c0f1354a301ce2a2fc867a89fafdde4571c07c02 (patch)
tree	ea628b53a41f7d532efe100b94a41e4ca0429767 /csgo-loader/csgo-client/Security/RuntimeSecurity.cpp
parent	d1ec3d3bb3a87a08e1c9348ca6e482549ebde664 (diff)