diff options
18 files changed, 344 insertions, 115 deletions
diff --git a/csgo-loader/csgo-client/Client.cpp b/csgo-loader/csgo-client/Client.cpp index 7285b6b..8972410 100644 --- a/csgo-loader/csgo-client/Client.cpp +++ b/csgo-loader/csgo-client/Client.cpp @@ -24,11 +24,13 @@ int __stdcall WinMain(HINSTANCE inst, HINSTANCE prev, char* str, int cmdshow)
{
- WRAP_IF_DEBUG(Utils::OpenConsole());
+ WRAP_IF_DEBUG(
+ Utils::OpenConsole();
+ );
///////////////////////////////////////////////////////////////
- VMProtectBeginMutation("EntryPoint");
+ //VMProtectBeginMutation("EntryPoint");
///////////////////////////////////////////////////////////////
@@ -49,10 +51,8 @@ int __stdcall WinMain(HINSTANCE inst, HINSTANCE prev, char* str, int cmdshow) ERROR_ASSERT(STR("[000F:00001B00] Failed to initialize. Please contact an administrator."));
// Initialize the runtime protection system.
- WRAP_IF_RELEASE(
- if(!Protection->Start())
- ERROR_ASSERT(STR("[000F:00001A00] Failed to initialize. Please contact an administrator."));
- );
+ if(!Protection->Start())
+ ERROR_ASSERT(STR("[000F:00001A00] Failed to initialize. Please contact an administrator."));
// Wait for connection.
UserInterface->m_Data.m_ExecutionState = UserExperience::EXECUTION_WAITING;
@@ -90,7 +90,7 @@ int __stdcall WinMain(HINSTANCE inst, HINSTANCE prev, char* str, int cmdshow) ///////////////////////////////////////////////////////////////
- VMProtectEnd();
+ //VMProtectEnd();
///////////////////////////////////////////////////////////////
}
diff --git a/csgo-loader/csgo-client/Client.hpp b/csgo-loader/csgo-client/Client.hpp index 0f89669..0f05a34 100644 --- a/csgo-loader/csgo-client/Client.hpp +++ b/csgo-loader/csgo-client/Client.hpp @@ -38,6 +38,6 @@ namespace Utils // :^)
SetConsoleTitleA(STR("moneyclient $"));
- printf(STR("[DEBUG] Hello!\n"));
+ printf(STR("[DEBUG] Ready\n"));
}
}
\ No newline at end of file diff --git a/csgo-loader/csgo-client/Login/RemoteLogin.cpp b/csgo-loader/csgo-client/Login/RemoteLogin.cpp index 7942c3b..4a46da3 100644 --- a/csgo-loader/csgo-client/Login/RemoteLogin.cpp +++ b/csgo-loader/csgo-client/Login/RemoteLogin.cpp @@ -21,10 +21,11 @@ namespace Login Security::HardwareIdentifier HardwareId = Protection->GetHardwareId();
WRAP_IF_DEBUG(
- printf("[DEBUG] LoginTransactionStart\n");
+ printf("[DEBUG] RemoteLoginTransaction Start\n");
printf("[DEBUG] Processor count: %d\n", HardwareId.m_CpuCount);
printf("[DEBUG] Processor architecture: %d\n", HardwareId.m_CpuArchitecture);
printf("[DEBUG] Hard-drive Serial: %llx\n", HardwareId.m_HardDiskSerialHash);
+ printf("[DEBUG] Detail: %s\n", HardwareId.m_CustomDetail);
for(int i = 0; i < 4; ++i)
printf("[DEBUG] Safety check #%d: %s\n", i, HardwareId.m_SpecialMode[i] ? "TRUE" : "FALSE");
@@ -32,6 +33,10 @@ namespace Login m_Header.m_HardwareId = fnv::hash_runtime_data((void *)(&HardwareId), sizeof Security::HardwareIdentifier);
+ WRAP_IF_DEBUG(
+ printf("[DEBUG] Hardware-ID Hash: %llx\n", m_Header.m_HardwareId);
+ );
+
// TODO: Verify integrity of system.
// 0 for integrity passed, random bit for failure
m_Header.m_IntegrityBit1 = HardwareId.m_SpecialMode[Security::DEBUGGING_MODE];
@@ -52,6 +57,10 @@ namespace Login {
RemoteLoginResponse ServerResponse = *(RemoteLoginResponse *)&RawResponse[0];
+ WRAP_IF_DEBUG(
+ printf("[DEBUG] RemoteLoginTransaction Finish: %02x\n", ServerResponse);
+ );
+
switch(ServerResponse)
{
case RemoteLoginResponse::ACCESS_SPECIAL_USER:
@@ -60,16 +69,16 @@ namespace Login case RemoteLoginResponse::ACCESS_AUTHORISED:
return true;
case RemoteLoginResponse::OUTDATED_CLIENT:
- INFO_ASSERT(STR("[000A:%llx] Your client is outdated.\nPlease download the latest client at 'moneybot.cc'."), m_Header.m_HardwareId ^ ServerResponse);
+ ERROR_ASSERT(STR("[000A:%llx] Your client is outdated.\nPlease download the latest client at 'moneybot.cc'."), m_Header.m_HardwareId ^ ServerResponse);
break;
case RemoteLoginResponse::USER_BANNED:
- INFO_ASSERT(STR("[000D:%llx] Your account is banned.\nPlease contact 'admin@moneybot.cc' for additional information."), m_Header.m_HardwareId ^ ServerResponse);
+ ERROR_ASSERT(STR("[000D:%llx] Your account is banned.\nPlease contact 'admin@moneybot.cc' for additional information."), m_Header.m_HardwareId ^ ServerResponse);
break;
case RemoteLoginResponse::INVALID_HARDWARE:
- INFO_ASSERT(STR("[000D:%llx] Your Hardware-ID is incorrect!\nPlease contact a staff member."), m_Header.m_HardwareId ^ ServerResponse);
+ ERROR_ASSERT(STR("[000D:%llx] Your Hardware-ID is incorrect!\nPlease contact a staff member."), m_Header.m_HardwareId ^ ServerResponse);
break;
case RemoteLoginResponse::INVALID_CREDENTIALS:
- INFO_ASSERT(STR("[000C:%llx] Your credentials are invalid. Please check your spelling and try again."), m_Header.m_HardwareId ^ ServerResponse);
+ ERROR_ASSERT(STR("[000C:%llx] Your credentials are invalid. Please check your spelling and try again."), m_Header.m_HardwareId ^ ServerResponse);
break;
case RemoteLoginResponse::INTEGRITY_FAILURE:
case RemoteLoginResponse::NO_SUBSCRIPTION:
diff --git a/csgo-loader/csgo-client/Networking/TCPClient.cpp b/csgo-loader/csgo-client/Networking/TCPClient.cpp index c20c831..c974f88 100644 --- a/csgo-loader/csgo-client/Networking/TCPClient.cpp +++ b/csgo-loader/csgo-client/Networking/TCPClient.cpp @@ -13,6 +13,22 @@ namespace Networking if(Result == -1)
INFO_ASSERT(STR("[000F:00002B00] Server closed the connection unexpectedly."));
+
+ WRAP_IF_DEBUG(
+ size_t BreakIndex = 0;
+
+ printf("[DEBUG] Sending data (%zd bytes):\n[DEBUG] ", Bytes.size());
+
+ for(auto &Byte : Bytes)
+ {
+ printf("%02x ", Byte);
+
+ if(BreakIndex++ % 8 == 0)
+ printf("\n[DEBUG] ");
+ }
+
+ printf("\n");
+ );
}
ByteArray TCPClient::ReceiveRawBytes()
@@ -40,6 +56,22 @@ namespace Networking break;
}
+ WRAP_IF_DEBUG(
+ size_t BreakIndex = 0;
+
+ printf("[DEBUG] Receiving data (%zd bytes):\n[DEBUG] ", ReceivedBytes.size());
+
+ for(auto &Byte : ReceivedBytes)
+ {
+ printf("%02x ", Byte);
+
+ if(BreakIndex++ % 8 == 0)
+ printf("\n[DEBUG] ");
+ }
+
+ printf("\n");
+ );
+
return ReceivedBytes;
}
@@ -103,11 +135,19 @@ namespace Networking return false;
// Initialise encryption wrapper.
+ WRAP_IF_DEBUG(
+ printf("[DEBUG] Attempting to handshake with server...\n");
+ );
+
ByteArray EncryptionKey = ReceiveRawBytes();
if(EncryptionKey.empty())
return false;
+ WRAP_IF_DEBUG(
+ printf("[DEBUG] Server handshake successful!\n");
+ )
+
std::memcpy(m_EncryptionKey, EncryptionKey.data(), EncryptionKey.size());
return true;
diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.cpp b/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.cpp index 5a42b6c..21d7851 100644 --- a/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.cpp +++ b/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.cpp @@ -2,5 +2,68 @@ namespace RemoteCode
{
+ uint8_t ShellcodeStub[] = {
+ 0x55,
+ 0x8B, 0xEC,
+ 0x56,
+ 0x8B, 0x75, 0x08,
+ 0x57,
+ 0x80, 0x3E, 0x00,
+ 0x74, 0x2F,
+ 0x8B, 0x7E, 0x14,
+ 0x8D, 0x45, 0x08,
+ 0x50,
+ 0x8B, 0x46, 0x18,
+ 0x81, 0xC7, 0xA8, 0x00, 0x00, 0x00,
+ 0x6A, 0x40,
+ 0x6A, 0x04,
+ 0x57,
+ 0xFF, 0xD0,
+ 0x84, 0xC0,
+ 0x74, 0x4D,
+ 0x8B, 0x46, 0x10,
+ 0x89, 0x07,
+ 0x8D, 0x45, 0x08,
+ 0x50,
+ 0xFF, 0x75, 0x08,
+ 0x8B, 0x46, 0x18,
+ 0x6A, 0x04,
+ 0x57,
+ 0xFF, 0xD0,
+
+ 0x8B, 0x46, 0x08,
+ 0x85, 0xC0,
+ 0x74, 0x09,
+ 0x6A, 0x00,
+ 0x6A, 0x01,
+ 0xFF, 0x76, 0x04,
+ 0xFF, 0xD0,
+ 0x53,
+ 0x8B, 0x5E, 0x0C,
+ 0x85, 0xDB,
+ 0x74, 0x20,
+ 0x8B, 0x5B, 0x0C,
+ 0x33, 0xFF,
+ 0x8B, 0x03,
+ 0x85, 0xC0,
+ 0x74, 0x15,
+ 0x90,
+
+ 0x6A, 0x00,
+ 0x6A, 0x01,
+ 0xFF, 0x76, 0x04,
+ 0xFF, 0xD0,
+ 0x8B, 0x44, 0xBB, 0x04,
+ 0x8D, 0x7F, 0x01,
+ 0x85, 0xC0,
+ 0x75, 0xEC,
+
+ 0x5B,
+
+ 0x5F,
+ 0x5E,
+ 0x5D,
+ 0xC2, 0x04, 0x00
+ };
}
\ No newline at end of file diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.hpp b/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.hpp index 964d055..84021c6 100644 --- a/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.hpp +++ b/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.hpp @@ -6,6 +6,28 @@ namespace RemoteCode {
class RemoteCodeClient
{
+ using MemProtect = bool(__stdcall *)(void *, size_t, uint32_t, uint32_t *);
+ struct ShellcodeParameters
+ {
+ // Specifies whether or not the thread hijacking
+ // exploit will be used for code execution.
+ uint8_t m_ThreadExploit;
+
+ // Address of the module allocation base
+ uintptr_t m_AllocationBase;
+
+ // Specifies the entry-point / optional TLS directory
+ // to invoke.
+ uintptr_t m_EntryPoint;
+ uintptr_t m_TlsDirectory;
+
+ // Thread hijacking (original address & VMT)
+ uintptr_t m_ThreadOriginal;
+ uintptr_t m_ThreadVirtual;
+
+ // Function parameters that will be passed
+ MemProtect m_ProtectMemory;
+ };
};
}
\ No newline at end of file diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.hpp b/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.hpp index 6699a9e..2e5d216 100644 --- a/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.hpp +++ b/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.hpp @@ -5,8 +5,65 @@ namespace RemoteCode
{
+ // Used for TransactionStart
+ using ImportedModule = char[64];
+ using ImportList = std::vector<ImportedModule>;
+
+ // Used for TransactionContinue
+ struct ExportedFunction
+ {
+ // I've never seen modules / functions with names
+ // that were larger than 64 characters.
+ char m_Module[64];
+ char m_Function[64];
+
+ // Address of exported module / function
+ uintptr_t m_ModuleAddress;
+ uintptr_t m_FunctionAddress;
+ };
+
+ using ExportList = std::vector<ExportedFunction>;
+
+ // Used for TransactionCommit
+ struct RemoteInjectionHeader
+ {
+ // Used to decrypt the cheat header (first 1000 bytes of image sent back).
+ uint8_t m_HeaderKey;
+
+ // Used to call entrypoint/TLS callbacks.
+ uintptr_t m_EntryPoint;
+ uintptr_t m_TlsDirectory;
+ };
+
+ struct RemoteInjectionCode
+ {
+ RemoteInjectionHeader m_Header;
+
+ // Actual injection code.
+ ByteArray m_Code;
+ };
+
+ // Implementation of client mapping code
class RemoteInjectionClient
{
+ RemoteInjectionHeader m_Header;
+ RemoteProcess m_Process;
+
+ public:
+ // Receive hash of selected cheat.
+ // Reply with size of image to allocate.
+ ByteArray Start(ByteArray &Response);
+
+ // Receive client header, send over list of imported functions
+ ByteArray TransactionStart(ByteArray &Response);
+
+ // Receive list of modules & export addresses
+ ByteArray TransactionContinue(ByteArray &Response);
+
+ // Write the file to the
+ void TransactionCommit(ByteArray &Response);
+ RemoteProcess GetProcess() { return m_Process; }
+ RemoteInjectionHeader GetHeader() { return m_Header; }
};
}
\ No newline at end of file diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteProcess.cpp b/csgo-loader/csgo-client/RemoteCode/RemoteProcess.cpp index abed829..1bbfed0 100644 --- a/csgo-loader/csgo-client/RemoteCode/RemoteProcess.cpp +++ b/csgo-loader/csgo-client/RemoteCode/RemoteProcess.cpp @@ -29,6 +29,10 @@ namespace RemoteCode m_ProcessId = ProcessEntry.th32ProcessID;
m_Process = OpenProcess(PROCESS_ALL_ACCESS, false, ProcessEntry.th32ProcessID);
+ WRAP_IF_DEBUG(
+ printf("[DEBUG] Found process \"%s\" -> %p", ProcessEntry.szExeFile, m_Process);
+ );
+
if(!m_Process)
ERROR_ASSERT(STR("[000G:%08x] There was an error with accessing a process."), GetLastError());
@@ -45,9 +49,13 @@ namespace RemoteCode static auto ZwReadVirtualMemory = Syscalls->Find<long(__stdcall *)(void *, void *, void *, size_t, void *)>(FNV("ZwReadVirtualMemory"));
NTSTATUS Status = ZwReadVirtualMemory(m_Process, Address, Data, SizeOfData, nullptr);
-
+
if(NT_ERROR(Status))
ERROR_ASSERT(STR("[00DF:%08x] There was an error with accessing a process."), Status);
+
+ WRAP_IF_DEBUG(
+ printf("[DEBUG] Read %zd bytes from process\n", SizeOfData);
+ );
}
void RemoteProcess::WriteMemoryWrapper_Internal(void *Address, void *Data, size_t SizeOfData)
@@ -58,6 +66,10 @@ namespace RemoteCode if(NT_ERROR(Status))
ERROR_ASSERT(STR("[00DF:%08x] There was an error with accessing a process."), Status);
+
+ WRAP_IF_DEBUG(
+ printf("[DEBUG] Wrote %zd bytes to process\n", SizeOfData);
+ );
}
void *RemoteProcess::Allocate(size_t AllocationSize)
@@ -78,6 +90,10 @@ namespace RemoteCode if(NT_ERROR(Status))
ERROR_ASSERT(STR("[00DF:%08x] There was an error with accessing a process."), Status);
+ WRAP_IF_DEBUG(
+ printf("[DEBUG] Allocated page at %p (%zd bytes)\n", AllocationAddress, AllocationSize);
+ );
+
return AllocationAddress;
}
@@ -101,6 +117,11 @@ namespace RemoteCode ERROR_ASSERT(STR("[00DF:00001C00] An integrity check failed."));
CloseHandle(Toolhelp);
+
+ WRAP_IF_DEBUG(
+ printf("[DEBUG] Found module \"%s\" at %p\n", ModuleEntry.szModule, ModuleEntry.hModule);
+ );
+
return RemoteModule(ModuleEntry.hModule);
}
}
diff --git a/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp b/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp index 7f528e3..6054790 100644 --- a/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp +++ b/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp @@ -44,6 +44,25 @@ namespace Security return oOpenProcess(AccessLevel, Inherit, ProcessId);
}
+
+ decltype(&FindWindowA) oFindWindow;
+ HWND __stdcall Hooked_FindWindow(const char *Class, const char *Text)
+ {
+ // Determine where the return address of the function actually points.
+ void *Address = _ReturnAddress();
+ MEMORY_BASIC_INFORMATION Query = Protection->QueryMemory(Address);
+
+ // If the return address points outside of the loader module,
+ // fail the function.
+ HMODULE ReturnModule = (HMODULE)Query.AllocationBase;
+ HMODULE LoaderModule = GetModuleHandleA(NULL);
+
+ if(ReturnModule != LoaderModule)
+ return []() { Protection->SecurityCallback(STR("Malicious activity [Tampering].")); return HWND{}; }();
+
+ return oFindWindow(Class, Text);
+ }
+
decltype(&ExitProcess) oExitProcess;
void __stdcall Hooked_ExitProcess(DWORD ExitCode)
{
@@ -62,7 +81,6 @@ namespace Security decltype(&recv) oWSARecv;
int __stdcall Hooked_WSARecv(SOCKET Socket, char *Buffer, int Length, int Flags)
{
-
// Determine where the return address of the function actually points.
void *Address = _ReturnAddress();
MEMORY_BASIC_INFORMATION Query = Protection->QueryMemory(Address);
@@ -86,7 +104,6 @@ namespace Security decltype(&send) oWSASend;
int __stdcall Hooked_WSASend(SOCKET Socket, char *Buffer, int Length, int Flags)
{
-
// Determine where the return address of the function actually points.
void *Address = _ReturnAddress();
MEMORY_BASIC_INFORMATION Query = Protection->QueryMemory(Address);
@@ -129,6 +146,9 @@ namespace Security // Apply any hooks.
SafeCallTo(MH_CreateHook(&OpenProcess, Hooked_OpenProcess, (void **)&oOpenProcess));
SafeCallTo(MH_EnableHook(&OpenProcess));
+
+ SafeCallTo(MH_CreateHook(&FindWindowA, Hooked_FindWindow, (void **)&oFindWindow));
+ SafeCallTo(MH_EnableHook(&FindWindowA));
SafeCallTo(MH_CreateHook(&ExitProcess, Hooked_ExitProcess, (void **)&oExitProcess));
SafeCallTo(MH_EnableHook(&ExitProcess));
@@ -148,7 +168,7 @@ namespace Security void RuntimeSecurity::PatchDebugFunctions()
{
- HMODULE Module = GetModuleHandleA("ntdll.dll");
+ HMODULE Module = GetModuleHandleA(STR("ntdll.dll"));
if(!Module)
ERROR_ASSERT(STR("[000F:00001A00] Failed to initialize. Please contact an administrator."));
@@ -261,6 +281,8 @@ namespace Security void RuntimeSecurity::CheckForDrivers()
{
+ VMProtectBeginMutation("DriverThread");
+
// TODO: Check for disallowed drivers
for(;;)
{
@@ -313,21 +335,41 @@ namespace Security // Don't put too much stress on the CPU.
Sleep(1);
}
+
+ VMProtectEnd();
}
void RuntimeSecurity::CheckForTampering()
{
+ VMProtectBeginMutation("TamperThread");
+
for(;;)
{
- if(!VMProtectIsProtected())
- SecurityCallback(STR("Malicious activity [Tampering]."));
+ if(m_Identifier.m_SpecialMode[SAFE_MODE])
+ ERROR_ASSERT(STR("[000F:00003D00] This program cannot run under Safe Mode.\nPlease reboot your system and select 'Normal Mode'."));
+
+ if(m_Identifier.m_SpecialMode[TEST_SIGN_MODE])
+ ERROR_ASSERT(STR("[000F:00003D00] This program cannot run under Test Signing Mode.\nPlease reboot your system and select 'Normal Mode'."));
+
+ if(m_Identifier.m_SpecialMode[DEBUGGING_MODE])
+ SecurityCallback(STR("Malicious activity [Plausible]."));
+
+ if(m_Identifier.m_SpecialMode[TEST_BUILD_MODE])
+ SecurityCallback(STR("Malicious activity [Plausible]."));
- if(!VMProtectIsValidImageCRC())
- SecurityCallback(STR("Malicious activity [Tampering]."));
+ // Check if the file was unpacked.
+ //if(!VMProtectIsProtected())
+ // SecurityCallback(STR("Malicious activity [Tampering]."));
+
+ // Check if the image in memory was partially unpacked or patched.
+ //if(!VMProtectIsValidImageCRC())
+ // SecurityCallback(STR("Malicious activity [Tampering]."));
// Don't put too much stress on the CPU.
Sleep(1);
}
+
+ VMProtectEnd();
}
#pragma optimize("", on)
@@ -335,21 +377,6 @@ namespace Security // The following functions are exposed publicly.
///////////////////////////////////////////////////////////
- bool RuntimeSecurity::Start()
- {
- // If hooking API functions fails, exit the program.
- if(!ApplyApiHooks())
- return false;
-
- // Dispatch threads before patching NtContinue & co.
- DispatchSecurityThreads();
-
- // Patch DbgUiRemoteBreakin, DbgBreakPoint, NtContinue
- // This also fucks up detours for some reason... only extra protection :-)
- PatchDebugFunctions();
-
- return true;
- }
constexpr uintptr_t KUSER_SHARED_DATA = 0x7FFE0000;
@@ -399,14 +426,14 @@ namespace Security return 0; }
- HardwareIdentifier RuntimeSecurity::GetHardwareId()
+ void RuntimeSecurity::SetupSystemIdentifier()
{
- VMProtectBeginMutation("HardwareIdentifier");
+ VMProtectBeginUltra("SetupHWID");
HardwareIdentifier Identifier{};
// CPU information
- Identifier.m_CpuCount = *(uint32_t *)(KUSER_SHARED_DATA + 0x3C0);
+ Identifier.m_CpuCount = *(uint32_t *)(KUSER_SHARED_DATA + 0x3C0);
Identifier.m_CpuArchitecture = *(uint16_t *)(KUSER_SHARED_DATA + 0x26A);
// HDD serial number
@@ -425,8 +452,11 @@ namespace Security CodeIntegrityInformation Info{ sizeof CodeIntegrityInformation };
NTSTATUS Status = ZwQuerySystemInformation(0x67, &Info, sizeof Info, nullptr);
+ if(!VMProtectGetCurrentHWID(Identifier.m_CustomDetail, 256))
+ ERROR_ASSERT(STR("[000F:00001A00] Failed to initialize. Please contact an administrator."));
+
if(NT_ERROR(Status))
- ERROR_ASSERT(STR("[00CF:%08x] Critical execution error."), Status);
+ ERROR_ASSERT(STR("[000F:00001A00] Failed to initialize. Please contact an administrator."));
if(Info.m_Options & 0x02)
Identifier.m_SpecialMode[1] = true;
@@ -437,11 +467,33 @@ namespace Security if(Info.m_Options & 0x40)
Identifier.m_SpecialMode[3] = true;
+ m_Identifier = Identifier;
+
VMProtectEnd();
+ }
+
+ bool RuntimeSecurity::Start()
+ {
+ WRAP_IF_RELEASE(
+ // If hooking API functions fails, exit the program.
+ if(!ApplyApiHooks())
+ return false;
- return Identifier;
+ // Dispatch threads before patching NtContinue & co.
+ DispatchSecurityThreads();
+
+ // Patch DbgUiRemoteBreakin, DbgBreakPoint, NtContinue
+ // This also fucks up detours for some reason... only extra protection :-)
+ PatchDebugFunctions();
+ );
+
+ SetupSystemIdentifier();
+
+ return true;
}
+ HardwareIdentifier RuntimeSecurity::GetHardwareId() { return m_Identifier; }
+
#pragma optimize("", off)
__declspec(noinline) MEMORY_BASIC_INFORMATION RuntimeSecurity::QueryMemory(void *Address)
diff --git a/csgo-loader/csgo-client/Security/RuntimeSecurity.hpp b/csgo-loader/csgo-client/Security/RuntimeSecurity.hpp index 06df3bf..6446a08 100644 --- a/csgo-loader/csgo-client/Security/RuntimeSecurity.hpp +++ b/csgo-loader/csgo-client/Security/RuntimeSecurity.hpp @@ -74,6 +74,9 @@ namespace Security // Hash of the hard disk serial identifier.
uint64_t m_HardDiskSerialHash;
+ // VMP HWID
+ char m_CustomDetail[256];
+
// Safe-mode/Test-signing mode status
uint8_t m_SpecialMode[4];
};
@@ -87,6 +90,8 @@ namespace Security // any potentially malicious actions from users.
class RuntimeSecurity
{
+ HardwareIdentifier m_Identifier;
+
protected:
// Applies necessary API hooks.
bool ApplyApiHooks();
@@ -97,6 +102,9 @@ namespace Security // Dispatches security threads.
void DispatchSecurityThreads();
+ // Grabs all hardware data.
+ void SetupSystemIdentifier();
+
// The following functions are used in security threads to run checks.
void CheckForVirtualMachine();
diff --git a/csgo-loader/csgo-client/loader.err b/csgo-loader/csgo-client/loader.err new file mode 100644 index 0000000..c3b6aec --- /dev/null +++ b/csgo-loader/csgo-client/loader.err @@ -0,0 +1 @@ +Malicious activity [Debugging attempt].
\ No newline at end of file diff --git a/csgo-loader/csgo-server/RemoteCode/RemoteCodeServer.cpp b/csgo-loader/csgo-server/RemoteCode/RemoteCodeServer.cpp deleted file mode 100644 index 65a4306..0000000 --- a/csgo-loader/csgo-server/RemoteCode/RemoteCodeServer.cpp +++ /dev/null @@ -1,6 +0,0 @@ -#include <RemoteCode/RemoteCodeServer.hpp>
-
-namespace RemoteCode
-{
-
-}
\ No newline at end of file diff --git a/csgo-loader/csgo-server/RemoteCode/RemoteCodeServer.hpp b/csgo-loader/csgo-server/RemoteCode/RemoteCodeServer.hpp deleted file mode 100644 index 3a31cb4..0000000 --- a/csgo-loader/csgo-server/RemoteCode/RemoteCodeServer.hpp +++ /dev/null @@ -1,15 +0,0 @@ -#pragma once
-
-#include <cstdint>
-#include <vector>
-#include <algorithm>
-
-using ByteArray = std::vector<uint8_t>;
-
-namespace RemoteCode
-{
- class RemoteCodeServer
- {
-
- };
-}
\ No newline at end of file diff --git a/csgo-loader/csgo-server/RemoteCode/RemoteInjectionServer.hpp b/csgo-loader/csgo-server/RemoteCode/RemoteInjectionServer.hpp index fe6da09..b8659ff 100644 --- a/csgo-loader/csgo-server/RemoteCode/RemoteInjectionServer.hpp +++ b/csgo-loader/csgo-server/RemoteCode/RemoteInjectionServer.hpp @@ -8,56 +8,42 @@ using ByteArray = std::vector<uint8_t>; namespace RemoteCode
{
- // What the server sends to the client upon transaction start.
- struct RemoteServerHeader
- {
- // Does the cheat support the DirectX thread execution exploit?
- bool m_ThreadExploitSupported;
-
- // This will be used for allocating the remote memory.
- uintptr_t m_SizeOfImage;
-
- // OPTIONAL: The cheat might be using the DllMain function
- // to do injection. Make sure to call that.
- uintptr_t m_EntryPoint;
-
- // OPTIONAL: The cheat might be using TLS callbacks to
- // do injection. Make sure to call that.
- uintptr_t m_TlsCallbackDirectory;
- };
+ // Used for TransactionStart
+ using ImportedModule = char[64];
+ using ImportList = std::vector<ImportedModule>;
- // Requests supported by the server.
- // These are stored in a vector and later looked up.
- struct RemoteServerRequest
+ // Used for TransactionContinue
+ struct ExportedFunction
{
- // Hash to look up requests by.
- uint64_t m_LookupHash;
-
- // Name printed on the console when a user injects.
- char m_DebugName[128];
-
- // File name that's used to load the DLL server-side.
- char m_FileName[260];
-
- // Does the cheat support the DirectX exploit for creating threads?
- bool m_ThreadExploitSupported;
+ // I've never seen modules / functions with names
+ // that were larger than 64 characters.
+ char m_Module[64];
+ char m_Function[64];
+
+ // Address of exported module / function
+ uintptr_t m_ModuleAddress;
+ uintptr_t m_FunctionAddress;
};
- // The initial header we receive from the client.
- struct RemoteClientRequest
+ using ExportList = std::vector<ExportedFunction>;
+
+ // Used for TransactionCommit
+ struct RemoteInjectionHeader
{
- uint64_t m_LookupHash;
+ // Used to decrypt the cheat header (first 1000 bytes of image sent back).
+ uint8_t m_HeaderKey;
+
+ // Used to call entrypoint/TLS callbacks.
+ uintptr_t m_EntryPoint;
+ uintptr_t m_TlsDirectory;
};
- // The response we receive from the client upon transaction start.
- struct RemoteClientHeader
+ struct RemoteInjectionCode
{
- // Address of remote allocation.
- uintptr_t m_RemoteAddress;
+ RemoteInjectionHeader m_Header;
- // Up to six remote modules.
- // NOTE: Stop iterating once a module is NULL.
- uintptr_t m_RemoteModules[6];
+ // Actual injection code.
+ ByteArray m_Code;
};
class RemoteInjectionServer
diff --git a/csgo-loader/csgo-server/Server.cpp b/csgo-loader/csgo-server/Server.cpp index a78bb9a..f822753 100644 --- a/csgo-loader/csgo-server/Server.cpp +++ b/csgo-loader/csgo-server/Server.cpp @@ -20,13 +20,13 @@ int __stdcall WinMain(HINSTANCE, HINSTANCE, char*, int) // Create an instance of the TCP server.
Networking::TCPServer Server;
- // Attach our connection handler.
- Server += ConnectionHandler;
-
bool Result = Server.Start(SERVER_PORT);
if(Result)
{
+ // Attach our connection handler.
+ Server += ConnectionHandler;
+
// Accept any incoming connections.
for(;;)
Server.AcceptConnection();
diff --git a/csgo-loader/csgo-server/Server.hpp b/csgo-loader/csgo-server/Server.hpp index 5a5b3f6..af07bb0 100644 --- a/csgo-loader/csgo-server/Server.hpp +++ b/csgo-loader/csgo-server/Server.hpp @@ -14,7 +14,6 @@ #include <RemoteCode/FileReader.hpp>
#include <RemoteCode/RemoteInjectionServer.hpp>
-#include <RemoteCode/RemoteCodeServer.hpp>
// It looked nasty in Server.cpp, so I'm putting it here.
namespace Utils
diff --git a/csgo-loader/csgo-server/csgo-server.vcxproj b/csgo-loader/csgo-server/csgo-server.vcxproj index 3bd07ca..ad924f6 100644 --- a/csgo-loader/csgo-server/csgo-server.vcxproj +++ b/csgo-loader/csgo-server/csgo-server.vcxproj @@ -31,7 +31,6 @@ <ClCompile Include="Networking\TCPServer.cpp" />
<ClCompile Include="Networking\WebSocket.cpp" />
<ClCompile Include="RemoteCode\FileReader.cpp" />
- <ClCompile Include="RemoteCode\RemoteCodeServer.cpp" />
<ClCompile Include="RemoteCode\RemoteInjectionServer.cpp" />
<ClCompile Include="Security\Encryption.cpp" />
<ClCompile Include="Server.cpp" />
@@ -41,7 +40,6 @@ <ClInclude Include="Networking\TCPServer.hpp" />
<ClInclude Include="Networking\WebSocket.hpp" />
<ClInclude Include="RemoteCode\FileReader.hpp" />
- <ClInclude Include="RemoteCode\RemoteCodeServer.hpp" />
<ClInclude Include="RemoteCode\RemoteInjectionServer.hpp" />
<ClInclude Include="Security\Encryption.hpp" />
<ClInclude Include="Security\FnvHash.hpp" />
diff --git a/csgo-loader/csgo-server/csgo-server.vcxproj.filters b/csgo-loader/csgo-server/csgo-server.vcxproj.filters index 0adf29a..0480d6d 100644 --- a/csgo-loader/csgo-server/csgo-server.vcxproj.filters +++ b/csgo-loader/csgo-server/csgo-server.vcxproj.filters @@ -31,9 +31,6 @@ <ClCompile Include="RemoteCode\FileReader.cpp">
<Filter>RemoteCode</Filter>
</ClCompile>
- <ClCompile Include="RemoteCode\RemoteCodeServer.cpp">
- <Filter>RemoteCode</Filter>
- </ClCompile>
<ClCompile Include="RemoteCode\RemoteInjectionServer.cpp">
<Filter>RemoteCode</Filter>
</ClCompile>
@@ -54,9 +51,6 @@ <ClInclude Include="RemoteCode\FileReader.hpp">
<Filter>RemoteCode</Filter>
</ClInclude>
- <ClInclude Include="RemoteCode\RemoteCodeServer.hpp">
- <Filter>RemoteCode</Filter>
- </ClInclude>
<ClInclude Include="RemoteCode\RemoteInjectionServer.hpp">
<Filter>RemoteCode</Filter>
</ClInclude>
|