Diffstat (limited to 'csgo-loader/csgo-client/Security/RuntimeSecurity.cpp')
| -rw-r--r-- | csgo-loader/csgo-client/Security/RuntimeSecurity.cpp | 72 |
1 files changed, 44 insertions, 28 deletions
diff --git a/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp b/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp
index 6a5ce20..f7c1cc2 100644
--- a/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp
+++ b/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp
@@ -30,7 +30,7 @@ namespace Security
if(ReturnModule != LoaderModule)
{
- Protection->SecurityCallback("Malicious activity [Tampering].");
+ Protection->SecurityCallback(STR("Malicious activity [Tampering]."));
[&](decltype(&OpenProcess) A)
{
@@ -75,7 +75,7 @@ namespace Security
// Let's meme anyone who tries to reverse this.
if(ReturnModule != LoaderModule)
{
- return []() { Protection->SecurityCallback("Malicious activity [Tampering]."); return -1; }();
+ return []() { Protection->SecurityCallback(STR("Malicious activity [Tampering].")); return -1; }();
}
// Call original function
@@ -99,7 +99,7 @@ namespace Security
// Let's meme anyone who tries to reverse this.
if(ReturnModule != LoaderModule)
{
- return []() { Protection->SecurityCallback("Malicious activity [Tampering]."); return -1; }();
+ return []() { Protection->SecurityCallback(STR("Malicious activity [Tampering].")); return -1; }();
}
// Call original function
@@ -120,6 +120,8 @@ namespace Security
bool RuntimeSecurity::ApplyApiHooks()
{
+ VMProtectBeginMutation("ApplyHooks");
+
// Make sure that MinHook is initialized properly.
CreateMinHook();
CheckStatus();
@@ -138,6 +140,8 @@ namespace Security
SafeCallTo(MH_EnableHook(&send));
return true;
+
+ VMProtectEnd();
}
#pragma optimize("", on)
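Review bot: The `VMProtectEnd();` added after `return true;` is unreachable, so the region opened by `VMProtectBeginMutation("ApplyHooks")` in this function is never closed on the executed path, and an optimizing compiler may drop the dead call entirely and leave the SDK with an unmatched begin marker. Move it above the return: `VMProtectEnd();` followed by `return true;`. ApplyApiHooks begins in the previous hunk; if CheckStatus or SafeCallTo can leave the function early, each of those exits needs the end marker as well, or the markers should wrap a single-exit helper.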
@@ -147,17 +151,17 @@ namespace Security
HMODULE Module = GetModuleHandleA("ntdll.dll");
if(!Module)
- ERROR_ASSERT("[000F:00001A00] Failed to initialize. Please contact an administrator.");
+ ERROR_ASSERT(STR("[000F:00001A00] Failed to initialize. Please contact an administrator."));
// Grab exports from ntdll.dll
- uintptr_t Export_DbgUiRemoteBreakin = (uintptr_t)GetProcAddress(Module, "DbgUiRemoteBreakin");
- uintptr_t Export_DbgBreakPoint = (uintptr_t)GetProcAddress(Module, "DbgBreakPoint");
+ uintptr_t Export_DbgUiRemoteBreakin = (uintptr_t)GetProcAddress(Module, STR("DbgUiRemoteBreakin"));
+ uintptr_t Export_DbgBreakPoint = (uintptr_t)GetProcAddress(Module, STR("DbgBreakPoint"));
// Most plugins for OllyDBG / IDA only fix DbgUiRemoteBreakin/DbgBreakPoint,
// however, NtContinue is never touched although it is used.
// This should prevent any such plugins from effectively attaching the debugger.
// NOTE: This does not work on x64dbg for whatever reason..
- uintptr_t Export_NtContinue = (uintptr_t)GetProcAddress(Module, "NtContinue");
+ uintptr_t Export_NtContinue = (uintptr_t)GetProcAddress(Module, STR("NtContinue"));
// Ensure that the program gets closed if a debugger is attached.
uintptr_t Exports[] = {
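Review bot: `GetModuleHandleA("ntdll.dll")` on the first line of this hunk is the only string in the function left in plaintext while every export name and error message next to it was wrapped in `STR(...)`, which leaves an obvious anchor right beside the obfuscated ones; wrap it the same way, `HMODULE Module = GetModuleHandleA(STR("ntdll.dll"));`. Separately, the comment block is right that debugger plugins rarely restore NtContinue, but as far as I recall NtContinue is also the normal return path of the user-mode exception dispatcher (continue-execution after a handled exception) and of user APC delivery, so the jmp-to-ExitProcess patch applied below would terminate the process on those paths too; that is worth confirming on an undebugged run and noting in the comment. The function continues past the end of this hunk.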
@@ -170,7 +174,7 @@ namespace Security
{
DWORD OldProtection;
if(!VirtualProtect((void *)It, sizeof uintptr_t + 1, PAGE_EXECUTE_READWRITE, &OldProtection))
- ERROR_ASSERT("[000F:00001A00] Failed to initialize. Please contact an administrator.");
+ ERROR_ASSERT(STR("[000F:00001A00] Failed to initialize. Please contact an administrator."));
// Patch to __asm { jmp oExitProcess; };
*(uint8_t *)It = 0xE9;
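Review bot: `sizeof uintptr_t + 1` as the VirtualProtect length only equals the 5 bytes of an `E9 rel32` jump on a 32-bit build; since the patch written here is a rel32 jump, state the size as `1 + sizeof(int32_t)` and, if the loader is x86-only, say so in the comment (on x64 a rel32 cannot be assumed to reach ExitProcess in another module). The loop also captures `OldProtection` but nothing in this hunk restores it; if the page stays PAGE_EXECUTE_READWRITE after the write, restore it with a second VirtualProtect, because a writable ntdll code page is itself a tell to memory scanners. The loop body continues past the end of this hunk.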
@@ -182,10 +186,14 @@ namespace Security
void RuntimeSecurity::DispatchSecurityThreads()
{
+ VMProtectBeginMutation("DispatchThreads");
+
std::thread DebugThread (&RuntimeSecurity::CheckForDebugger, this); DebugThread.detach();
std::thread VMThread (&RuntimeSecurity::CheckForVirtualMachine, this); VMThread.detach();
std::thread DriverThread(&RuntimeSecurity::CheckForDrivers, this); DriverThread.detach();
std::thread TamperThread(&RuntimeSecurity::CheckForTampering, this); TamperThread.detach();
+
+ VMProtectEnd();
}
// The following functions are only called internally.
@@ -197,15 +205,21 @@ namespace Security
void RuntimeSecurity::CheckForVirtualMachine()
{
+ VMProtectBeginVirtualization("VMThread");
+
for(;;)
{
// Don't put too much stress on the CPU.
Sleep(1);
}
+
+ VMProtectEnd();
}
void RuntimeSecurity::CheckForDebugger()
{
+ VMProtectBeginVirtualization("DebuggerThread");
+
for(;;)
{
// Read the PEB from the TIB.
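Review bot: `VMProtectEnd();` in CheckForVirtualMachine sits after `for(;;)`, so it is unreachable and an optimizing build may remove it, leaving `VMProtectBeginVirtualization("VMThread")` without a matching end marker; the debugger thread below uses the same layout. Because the loop is the whole function, the simplest fix is to put the markers inside the loop around the work, `for(;;) { VMProtectBeginVirtualization("VMThread"); /* checks */ VMProtectEnd(); Sleep(1); }`. Also worth stating in a comment, since the name promises otherwise: this thread performs no VM detection at all, it only sleeps, so add `// TODO: no VM detection implemented yet; this thread is a placeholder`. CheckForDebugger's body continues past the end of this hunk.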
@@ -238,11 +252,11 @@ namespace Security
*/
using WindowParams = std::pair<const char *, const char *>;
static std::vector<WindowParams> BlackListedWindows = {
- {"ID", "Immunity"}, // Immunity Debugger
- {"Qt5QWindowIcon", "x64dbg"}, // x64dbg
- {"Qt5QWindowIcon", "x32dbg"}, // x32dbg
- {"OLLYDBG", "OllyDbg"}, // OllyDbg
- {nullptr, "Progress Telerik Fiddler Web Debugger"}, // Telerik Fiddler
+ {STR("ID"), STR("Immunity")}, // Immunity Debugger
+ {STR("Qt5QWindowIcon"), STR("x64dbg")}, // x64dbg
+ {STR("Qt5QWindowIcon"), STR("x32dbg")}, // x32dbg
+ {STR("OLLYDBG"), STR("OllyDbg")}, // OllyDbg
+ {nullptr, STR("Progress Telerik Fiddler Web Debugger")}, // Telerik Fiddler
};
for(auto &It : BlackListedWindows)
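Review bot: The `STR(...)` results are stored into a function-local `static std::vector<std::pair<const char *, const char *>>`, which is only safe if the macro yields a pointer that stays valid for the life of the program; if `STR` expands to a temporary decrypting object, as xorstr/skCrypt-style macros do, each pair keeps a pointer into an object destroyed at the end of the initializer and every later `FindWindowA(It.first, It.second)` reads freed memory. I cannot see the macro here, so either confirm it returns persistent storage or decrypt inside the loop on each iteration. Independently, `FindWindowA` requires an exact title match, and in my experience x64dbg's main window title includes the debuggee name once a process is attached, so `STR("x64dbg")` only matches an idle debugger; matching on the class alone would catch an attached one but also any Qt5 application, so a substring match over `EnumWindows` is the more honest check.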
@@ -250,12 +264,14 @@ namespace Security
// size_t Index = std::distance(...);
if(FindWindowA(It.first, It.second))
- SecurityCallback("Malicious activity [Debugging attempt].");
+ SecurityCallback(STR("Malicious activity [Debugging attempt]."));
}
// Don't put too much stress on the CPU.
Sleep(1);
}
+
+ VMProtectEnd();
}
void RuntimeSecurity::CheckForDrivers()
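Review bot: The `VMProtectEnd();` added at the bottom of CheckForDebugger follows an infinite `for(;;)`, so it never executes and an optimizing compiler may discard it, leaving `VMProtectBeginVirtualization("DebuggerThread")` unmatched; place the end marker inside the loop or give the marked region a reachable exit. Also, `SecurityCallback` is re-raised on every 1 ms iteration for as long as a blacklisted window exists, which in the Debug build (where the callback only shows a message box and returns, per the last hunk) produces a new dialog the moment the previous one is dismissed; a once-only flag or a `break` after the first hit would keep the debug path usable.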
@@ -264,19 +280,19 @@ namespace Security
for(;;)
{
static const char *BlackListedDrivers[] = {
- "Sbie", // Sandboxie
- "NPF", // WireShark / WinPCAP
- "acker", // Process Hacker
- "CEDRI" // Cheat Engine
- "VBox", // VirtualBox
+ STR("Sbie"), // Sandboxie
+ STR("NPF"), // WireShark / WinPCAP
+ STR("acker"), // Process Hacker
+ STR("CEDRI"), // Cheat Engine
+ //STR("VBox") // VirtualBox
};
static const char *BlackListReasons[] = {
- "Please uninstall Sandboxie.",
- "Please uninstall WireShark.",
- "Please close Process Hacker.",
- "Please close Cheat Engine.",
- "Please uninstall VirtualBox."
+ STR("Please uninstall Sandboxie."),
+ STR("Please uninstall WireShark."),
+ STR("Please close Process Hacker."),
+ STR("Please close Cheat Engine."),
+ STR("Please uninstall VirtualBox.")
};
uint16_t Length = sizeof BlackListedDrivers / sizeof(BlackListedDrivers[0]);
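Review bot: `BlackListedDrivers` now has four entries while `BlackListReasons` keeps five, and nothing ties the two parallel arrays together; the bug this hunk fixes (the missing comma that fused `"CEDRI" "VBox"` into one pattern and shifted every following reason by one) is exactly the failure hand-paired tables invite. Add a compile-time guard after the declarations, `static_assert(sizeof BlackListedDrivers / sizeof(BlackListedDrivers[0]) == sizeof BlackListReasons / sizeof(BlackListReasons[0]), "driver/reason tables out of sync");`, and comment out the VirtualBox reason the same way the pattern was. As with the window table earlier, keeping `STR(...)` results in a `static` array is only safe if the macro returns a pointer that outlives the initializer — confirm that, or decrypt per iteration. The enumeration that consumes these tables continues past the end of this hunk.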
@@ -287,7 +303,7 @@ namespace Security
if(K32EnumDeviceDrivers(DriverList, sizeof DriverList, &Needed))
{
if(Needed > sizeof DriverList)
- ERROR_ASSERT("[00DF:00001CFF] A security thread has failed. Contact an administrator.");
+ ERROR_ASSERT(STR("[00DF:00001CFF] A security thread has failed. Contact an administrator."));
char DriverName[1024];
uint32_t DriverCount = Needed / sizeof DriverList[0];
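Review bot: `if(Needed > sizeof DriverList) ERROR_ASSERT(...)` turns a too-small fixed buffer into a fatal error for the user, so on a host that simply has more loaded drivers than `DriverList` holds the loader terminates with a "security thread has failed" message instead of checking anything. K32EnumDeviceDrivers reports the required size in `Needed`, so the robust shape is to retry with a buffer of that size (for example a `std::vector<LPVOID>` resized to `Needed / sizeof(LPVOID)`) and only abort if the second call still fails; that is a few lines of rewrite around the call, best done where `DriverList` is declared. The enclosing loop continues outside this hunk.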
@@ -375,7 +391,7 @@ namespace Security
char ReasonParameter[64];
uint32_t Status = GetLastError();
- sprintf_s(ReasonParameter, "[00DF:%08x] There was an error with accessing a process.", Status);
+ sprintf_s(ReasonParameter, STR("[00DF:%08x] There was an error with accessing a process."), Status);
ERROR_ASSERT(ReasonParameter);
}
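Review bot: The message on the `sprintf_s` line is 60 characters once `%08x` is expanded, leaving three bytes of headroom in `char ReasonParameter[64]`; `sprintf_s` does not truncate on overflow but invokes the invalid-parameter handler, so a slightly longer wording in a future edit would crash this thread instead of reporting the error. Give it room with `char ReasonParameter[128];`, or derive the size from the format. The enclosing block begins before this hunk.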
@@ -392,9 +408,9 @@ namespace Security
// You can use the reason parameters to debug the security in case
// something weird starts going on with it.
char Buffer[2048];
- sprintf_s(Buffer, "Security callback was called. Reason parameter: \"%s\"\n", Reason);
+ sprintf_s(Buffer, STR("Security callback was called. Reason parameter: \"%s\"\n"), Reason);
- MessageBoxA(0, Buffer, "Information", MB_ICONINFORMATION | MB_OK);
+ MessageBoxA(0, Buffer, "", MB_ICONINFORMATION | MB_OK);
// The process will straight up die on Release mode.
