diff options
| -rw-r--r-- | csgo-loader/csgo-client/Client.cpp | 27 | ||||
| -rw-r--r-- | csgo-loader/csgo-client/RemoteCode/RemoteMapper.cpp | 161 | ||||
| -rw-r--r-- | csgo-loader/csgo-client/RemoteCode/RemoteMapper.hpp | 14 | ||||
| -rw-r--r-- | csgo-loader/csgo-client/RemoteCode/RemoteProcess.hpp | 4 | ||||
| -rw-r--r-- | csgo-loader/csgo-module/Module.cpp | 7 | ||||
| -rw-r--r-- | csgo-loader/csgo-server/Login/RemoteLogin.cpp | 7 | ||||
| -rw-r--r-- | csgo-loader/csgo-server/Server.cpp | 4 |
7 files changed, 157 insertions, 67 deletions
diff --git a/csgo-loader/csgo-client/Client.cpp b/csgo-loader/csgo-client/Client.cpp index d7b266f..5d80e97 100644 --- a/csgo-loader/csgo-client/Client.cpp +++ b/csgo-loader/csgo-client/Client.cpp @@ -25,10 +25,7 @@ people dump skeet regardless of kernel address mapping meme so what does it matter
*/
-
-#pragma optimize("", off)
-
-int __stdcall WinMain(HINSTANCE inst, HINSTANCE prev, char* str, int cmdshow)
+int __stdcall WinMain(HINSTANCE, HINSTANCE, char *, int)
{
WRAP_IF_DEBUG(
Utils::OpenConsole();
@@ -41,7 +38,7 @@ int __stdcall WinMain(HINSTANCE inst, HINSTANCE prev, char* str, int cmdshow) {
// Create a window, initialise DirectX context.
if(!UserInterface->Start())
- ERROR_ASSERT(STR("[000F:00001C00] Failed to initialize. Please contact an administrator."));
+ ERROR_ASSERT(STR("[000F:00001A00] Failed to initialize. Please contact an administrator."));
UserInterface->RunUiFrame();
}); WindowThread.detach();
@@ -56,7 +53,7 @@ int __stdcall WinMain(HINSTANCE inst, HINSTANCE prev, char* str, int cmdshow) // Initialize the runtime protection system.
if(!Protection->Start())
- ERROR_ASSERT(STR("[000F:00001A00] Failed to initialize. Please contact an administrator."));
+ ERROR_ASSERT(STR("[000F:00001C00] Failed to initialize. Please contact an administrator."));
// Wait for connection.
UserInterface->m_Data.m_ExecutionState = UserExperience::EXECUTION_WAITING;
@@ -93,7 +90,7 @@ int __stdcall WinMain(HINSTANCE inst, HINSTANCE prev, char* str, int cmdshow) ByteArray LoginResponse = Client->ReceiveBytes();
if(!LoginTransaction.TranslateResponse(LoginResponse))
- ExitProcess(0);
+ return 1;
// Echo back to server.
Client->SendBytes(LoginResponse);
@@ -107,17 +104,19 @@ int __stdcall WinMain(HINSTANCE inst, HINSTANCE prev, char* str, int cmdshow) RemoteCode::RemoteProcess Process;
if(!Process.Start(STR("explorer.exe")))
- ExitProcess(0);
+ return 1;
RemoteCode::RemoteMapper Mapper;
- if(!Mapper.Start(Process))
- ExitProcess(0);
+ if(!Mapper.Start(Process, LdrModule))
+ return 1;
- if(!Mapper.WriteCodeToMap(LdrModule))
- ExitProcess(0);
+ if(!Mapper.WriteCodeToMap())
+ return 1;
Mapper.ExecuteCodeFromMap();
-}
-#pragma optimize("", on)
\ No newline at end of file + system("pause");
+
+ return 0;
+}
\ No newline at end of file diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteMapper.cpp b/csgo-loader/csgo-client/RemoteCode/RemoteMapper.cpp index 7b72550..f724f60 100644 --- a/csgo-loader/csgo-client/RemoteCode/RemoteMapper.cpp +++ b/csgo-loader/csgo-client/RemoteCode/RemoteMapper.cpp @@ -2,16 +2,12 @@ namespace RemoteCode
{
- bool RemoteMapper::Start(RemoteProcess Process)
+ bool RemoteMapper::Start(RemoteProcess &Process, ByteArray &Code)
{
- m_Process = Process;
- return true;
- }
+ m_Code = Code;
- bool RemoteMapper::WriteCodeToMap(ByteArray Code)
- {
// Check if the PE file is valid.
- /*uint8_t *Buffer = Code.data();
+ uint8_t *Buffer = m_Code.data();
IMAGE_DOS_HEADER *DosHeader = (IMAGE_DOS_HEADER *)Buffer;
if(!DosHeader || DosHeader->e_magic != IMAGE_DOS_SIGNATURE)
@@ -25,21 +21,31 @@ namespace RemoteCode WRAP_IF_DEBUG(
printf("[DEBUG] PE file validated!\n");
);
-
- IMAGE_SECTION_HEADER *Sections = (IMAGE_SECTION_HEADER *)((uintptr_t)&NtHeaders->OptionalHeader + NtHeaders->FileHeader.SizeOfOptionalHeader);
- if(!Sections)
- return false;
+ uint32_t SizeOfImage = NtHeaders->OptionalHeader.SizeOfImage;
+
+ m_Process = Process;
// Allocate map in process.
- m_Map = m_Process.Allocate(Code.size());
+ m_Mapped.reserve(SizeOfImage);
+ m_Map = m_Process.Allocate(SizeOfImage);
if(!m_Map)
return false;
- // Ghetto workaround so heap doesn't get corrupted (i'm lazy)
- size_t SizeOfCode = Code.size();
- m_Mapped = new uint8_t[SizeOfCode];
+ return true;
+ }
+
+ bool RemoteMapper::WriteCodeToMap()
+ {
+ uint8_t *Buffer = m_Code.data();
+ IMAGE_DOS_HEADER *DosHeader = (IMAGE_DOS_HEADER *)Buffer;
+ IMAGE_NT_HEADERS *NtHeaders = (IMAGE_NT_HEADERS *)(Buffer + DosHeader->e_lfanew);
+
+ IMAGE_SECTION_HEADER *Sections = (IMAGE_SECTION_HEADER *)((uintptr_t)&NtHeaders->OptionalHeader + NtHeaders->FileHeader.SizeOfOptionalHeader);
+
+ if(!Sections)
+ return false;
uint16_t SectionCount = NtHeaders->FileHeader.NumberOfSections;
@@ -58,10 +64,8 @@ namespace RemoteCode );
// Write the data to map.
- uint8_t *Data = (uint8_t *)((uintptr_t)Buffer + PointerToData);
- void *ImageRva = (void *)((uintptr_t)&m_Mapped[0] + VirtualAddress);
-
- std::memcpy(ImageRva, Data, SizeOfData);
+ uint8_t *Data = (uint8_t *)((uintptr_t)Buffer + PointerToData);
+ std::memcpy(&m_Mapped[VirtualAddress], Data, SizeOfData);
}
// Copy over the PE header (temporarily).
@@ -75,26 +79,26 @@ namespace RemoteCode // Relocate the image.
IMAGE_BASE_RELOCATION *Reloc = (IMAGE_BASE_RELOCATION *)(&m_Mapped[0] + NtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);
-
+
uintptr_t ImageDelta = (uintptr_t)m_Map - NtHeaders->OptionalHeader.ImageBase;
-
+
while(Reloc->SizeOfBlock > 0)
{
- // address in binary where we need to relocate an address used by code
- uintptr_t RelocationAddress = (uintptr_t)&m_Mapped[Reloc->VirtualAddress];
- uintptr_t RelocationDataAddress = (uintptr_t)Reloc + sizeof IMAGE_BASE_RELOCATION;
+ // Address in binary where we need to relocate an address used by code.
+ uintptr_t RelocationAddress = (uintptr_t)(&m_Mapped[Reloc->VirtualAddress]);
+ uintptr_t RelocationDataAddress = (uintptr_t)((uintptr_t)Reloc + sizeof IMAGE_BASE_RELOCATION);
size_t RelocationCount = (Reloc->SizeOfBlock - sizeof IMAGE_BASE_RELOCATION) / sizeof uint16_t;
-
+
for(size_t i = 0; i < RelocationCount; i++)
{
uint16_t RelocationData = *(uint16_t *)(RelocationDataAddress + sizeof uint16_t * i);
uint16_t RelocationType = RelocationData >> 12;
uint16_t RelocationOffset = RelocationData & 0x0FFF;
-
+
WRAP_IF_DEBUG(
printf("[DEBUG] Processing relocation at %llx!\n", RelocationAddress + RelocationOffset);
);
-
+
switch(RelocationType)
{
case IMAGE_REL_BASED_MIPS_JMPADDR:
@@ -102,38 +106,123 @@ namespace RemoteCode case IMAGE_REL_BASED_LOW:
case IMAGE_REL_BASED_HIGHLOW:
{
- *(uint32_t*)(RelocationAddress + RelocationOffset) += ImageDelta;
+ *(uint32_t*)((uintptr_t)RelocationAddress + RelocationOffset) += ImageDelta;
break;
}
-
+
case IMAGE_REL_BASED_ABSOLUTE:
default:
break;
};
}
-
+
Reloc = (IMAGE_BASE_RELOCATION*)((uintptr_t)Reloc + Reloc->SizeOfBlock);
}
// Cripple the entire PE header.
- std::memset(&m_Mapped[0], 0, SizeOfHeaders);
-
- WRAP_IF_DEBUG(
- printf("[DEBUG] Successfully crippled PE header!\n");
- );
+ //std::memset(&m_Mapped[0], 0, SizeOfHeaders);
+ //
+ //WRAP_IF_DEBUG(
+ // printf("[DEBUG] Successfully crippled PE header!\n");
+ //);
// Write the mapped image to the process.
- m_Process.Write(m_Map, &m_Mapped[0], Code.size());*/
+ m_Process.Write(m_Map, &m_Mapped[0], m_Code.size());
return true;
}
+ // This contains any parameters that will be passed to the shellcode function once invoked.
+ struct ShellcodeParameters
+ {
+ // Base of image allocation
+ uintptr_t m_ImageBase;
+
+ // Used for fixing imports
+ uintptr_t m_GetModuleHandle;
+ uintptr_t m_LoadLibrary;
+ uintptr_t m_GetProcAddress;
+
+ // Headers
+ IMAGE_NT_HEADERS *m_NtHeaders;
+ IMAGE_IMPORT_DESCRIPTOR *m_ImportDir;
+ };
+
+ // Lazy.
+ uint8_t Shellcode[256] = {
+ 0x48, 0x89, 0x5C, 0x24, 0x08, 0x48, 0x89, 0x6C, 0x24, 0x10, 0x48, 0x89,
+ 0x74, 0x24, 0x18, 0x57, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57,
+ 0x48, 0x83, 0xEC, 0x20, 0x48, 0x8B, 0x51, 0x28, 0x4C, 0x8B, 0xF1, 0x4C,
+ 0x8B, 0x69, 0x08, 0x4C, 0x8B, 0x61, 0x10, 0x48, 0x8B, 0x69, 0x18, 0x8B,
+ 0x0A, 0x85, 0xC9, 0x0F, 0x84, 0x84, 0x00, 0x00, 0x00, 0x0F, 0x1F, 0x80,
+ 0x00, 0x00, 0x00, 0x00, 0x49, 0x8B, 0x06, 0x44, 0x8B, 0x7A, 0x0C, 0x8B,
+ 0x5A, 0x10, 0x4C, 0x03, 0xF8, 0x8B, 0xF9, 0x48, 0x03, 0xD8, 0x49, 0x8B,
+ 0xCF, 0x48, 0x03, 0xF8, 0x41, 0xFF, 0xD5, 0x48, 0x8B, 0xF0, 0x48, 0x85,
+ 0xC0, 0x75, 0x0E, 0x49, 0x8B, 0xCF, 0x41, 0xFF, 0xD4, 0x48, 0x8B, 0xF0,
+ 0x48, 0x85, 0xC0, 0x74, 0x70, 0x48, 0x8B, 0x0F, 0x48, 0x85, 0xC9, 0x74,
+ 0x32, 0x48, 0x2B, 0xFB, 0x48, 0x85, 0xC9, 0x79, 0x05, 0x0F, 0xB7, 0xD1,
+ 0xEB, 0x0A, 0x49, 0x8B, 0x16, 0x48, 0x83, 0xC2, 0x02, 0x48, 0x03, 0xD1,
+ 0x48, 0x8B, 0xCE, 0xFF, 0xD5, 0x48, 0x85, 0xC0, 0x74, 0x03, 0x48, 0x89,
+ 0x03, 0x48, 0x8B, 0x4C, 0x1F, 0x08, 0x48, 0x83, 0xC3, 0x08, 0x48, 0x85,
+ 0xC9, 0x75, 0xD4, 0x49, 0x8B, 0x56, 0x28, 0x48, 0x83, 0xC2, 0x14, 0x49,
+ 0x89, 0x56, 0x28, 0x8B, 0x0A, 0x85, 0xC9, 0x75, 0x83, 0x49, 0x8B, 0x46,
+ 0x20, 0x8B, 0x48, 0x28, 0x48, 0x85, 0xC9, 0x74, 0x18, 0x49, 0x8B, 0x06,
+ 0x45, 0x33, 0xC0, 0x4C, 0x8D, 0x0C, 0x08, 0x8B, 0xC8, 0x41, 0x8D, 0x50,
+ 0x01, 0x41, 0xFF, 0xD1, 0x0F, 0xB6, 0xC0, 0xEB, 0x02, 0x33, 0xC0, 0x48,
+ 0x8B, 0x5C, 0x24, 0x50, 0x48, 0x8B, 0x6C, 0x24, 0x58, 0x48, 0x8B, 0x74,
+ 0x24, 0x60, 0x48, 0x83, 0xC4, 0x20, 0x41, 0x5F, 0x41, 0x5E, 0x41, 0x5D,
+ 0x41, 0x5C, 0x5F, 0xC3
+ };
+
bool RemoteMapper::ExecuteCodeFromMap()
{
+ uint8_t *Buffer = m_Code.data();
+ IMAGE_DOS_HEADER *DosHeader = (IMAGE_DOS_HEADER *)Buffer;
+ IMAGE_NT_HEADERS *NtHeaders = (IMAGE_NT_HEADERS *)(Buffer + DosHeader->e_lfanew);
+
WRAP_IF_DEBUG(
printf("[DEBUG] Executing payload!\n");
+ );
+
+ ShellcodeParameters ParameterPack = {
+ (uintptr_t)m_Map,
+
+ (uintptr_t)GetModuleHandleA,
+ (uintptr_t)LoadLibraryA,
+ (uintptr_t)GetProcAddress,
+
+ (IMAGE_NT_HEADERS *)((uintptr_t)m_Map + DosHeader->e_lfanew),
+ (IMAGE_IMPORT_DESCRIPTOR *)((uintptr_t)m_Map + NtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress)
+ };
+
+ // Write shellcode & parameter pack.
+ void *ShellcodeParams = m_Process.Allocate(sizeof ShellcodeParameters);
+
+ if(ShellcodeParams)
+ m_Process.Write< ShellcodeParameters >(ShellcodeParams, ParameterPack);
+
+ void *ShellcodeAlloc = m_Process.Allocate(256);
+
+ if(ShellcodeAlloc)
+ m_Process.Write(ShellcodeAlloc, &Shellcode[0], sizeof Shellcode);
+
+ system("pause");
+
+ // Create thread.
+ HANDLE Thread = CreateRemoteThread(m_Process, nullptr, 0, (LPTHREAD_START_ROUTINE)ShellcodeAlloc, ShellcodeParams, 0, nullptr);
+
+ if(Thread)
+ WaitForSingleObject(Thread, INFINITE);
+
+ WRAP_IF_DEBUG(
+ DWORD Code;
+ GetExitCodeThread(Thread, &Code);
+
+ printf("[DEBUG] Thread execution finished with code %08x!\n", Code);
)
+ system("pause");
+
return true;
}
}
\ No newline at end of file diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteMapper.hpp b/csgo-loader/csgo-client/RemoteCode/RemoteMapper.hpp index 21eb569..53bc049 100644 --- a/csgo-loader/csgo-client/RemoteCode/RemoteMapper.hpp +++ b/csgo-loader/csgo-client/RemoteCode/RemoteMapper.hpp @@ -4,10 +4,18 @@ namespace RemoteCode
{
+ struct RemoteImport
+ {
+ char m_Module[128];
+ char m_Import[128];
+ };
+
class RemoteMapper
{
RemoteProcess m_Process;
- uint8_t *m_Mapped;
+
+ ByteArray m_Code;
+ ByteArray m_Mapped;
void *m_Map;
@@ -15,10 +23,10 @@ namespace RemoteCode RemoteMapper() = default;
// Copy process & shellcode to class.
- bool Start(RemoteProcess Process);
+ bool Start(RemoteProcess &Process, ByteArray &Code);
// Writes code to process in allocated page.
- bool WriteCodeToMap(ByteArray Code);
+ bool WriteCodeToMap();
// Calls shellcode to call the library ;D
bool ExecuteCodeFromMap();
diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteProcess.hpp b/csgo-loader/csgo-client/RemoteCode/RemoteProcess.hpp index 5fb3c75..887c154 100644 --- a/csgo-loader/csgo-client/RemoteCode/RemoteProcess.hpp +++ b/csgo-loader/csgo-client/RemoteCode/RemoteProcess.hpp @@ -66,7 +66,7 @@ namespace RemoteCode void Write(void *Address, uint8_t *Data, size_t SizeOfData)
{
- WriteMemoryWrapper_Internal(Address, (void *)&Data, SizeOfData);
+ WriteMemoryWrapper_Internal(Address, (void *)Data, SizeOfData);
}
// Reads from the process memory.
@@ -81,7 +81,7 @@ namespace RemoteCode void Read(void *Address, uint8_t *Data, size_t SizeOfData)
{
- ReadMemoryWrapper_Internal(Address, &Data, SizeOfData);
+ ReadMemoryWrapper_Internal(Address, Data, SizeOfData);
}
// Allocates a memory region in the process.
diff --git a/csgo-loader/csgo-module/Module.cpp b/csgo-loader/csgo-module/Module.cpp index 1fa638c..e8fa4fc 100644 --- a/csgo-loader/csgo-module/Module.cpp +++ b/csgo-loader/csgo-module/Module.cpp @@ -38,18 +38,15 @@ DWORD ModuleThread(void *) // Header for Module.
ByteArray Header{ 0x0A, 0x32, 0x42, 0x4D };
- Client->SendRawBytes(Header);
+ Client->SendRawBytes(Header);
//////////////////////////////////////////////////////////////////////////////////////////
return 1;
}
-int __stdcall DllMain(void *, unsigned Reason, void *)
+int __stdcall DllMain(void *, unsigned, void *)
{
- if(Reason != 1)
- return false;
-
HANDLE Thread = CreateThread(nullptr, 0, ModuleThread, nullptr, 0, nullptr);
if(Thread)
diff --git a/csgo-loader/csgo-server/Login/RemoteLogin.cpp b/csgo-loader/csgo-server/Login/RemoteLogin.cpp index 0351f27..09472c9 100644 --- a/csgo-loader/csgo-server/Login/RemoteLogin.cpp +++ b/csgo-loader/csgo-server/Login/RemoteLogin.cpp @@ -36,7 +36,8 @@ namespace Login return RemoteLoginResponse::OUTDATED_CLIENT;
// TODO: Check if the user is banned.
- //return RemoteLoginResponse::USER_BANNED;
+ if(false)
+ return RemoteLoginResponse::USER_BANNED;
// TODO: Login the user.
if(strcmp(m_Header.m_Username, "betauser"))
@@ -73,10 +74,6 @@ namespace Login return RemoteLoginResponse::INTEGRITY_FAILURE;
}
- // TODO: Check if they have beta access.
- if(true)
- return RemoteLoginResponse::ACCESS_SPECIAL_USER;
-
return RemoteLoginResponse::ACCESS_AUTHORISED;
}
diff --git a/csgo-loader/csgo-server/Server.cpp b/csgo-loader/csgo-server/Server.cpp index e0f1455..fdd177c 100644 --- a/csgo-loader/csgo-server/Server.cpp +++ b/csgo-loader/csgo-server/Server.cpp @@ -29,7 +29,7 @@ namespace Handler if(LoginReply.size() != LoginReplyEcho.size())
{
- printf("[ !! ] Echo from %s invalid, dropping connection!", Connection.GetIpAddress());
+ printf("[ !! ] Echo from %s invalid, dropping connection!\n", Connection.GetIpAddress());
return;
}
@@ -93,7 +93,7 @@ namespace Handler }
}
-int __stdcall WinMain(HINSTANCE, HINSTANCE, char*, int)
+int __stdcall WinMain(HINSTANCE, HINSTANCE, char *, int)
{
// Open a debugging console.
Utils::OpenConsole();
|