Diffstat (limited to 'csgo-loader/csgo-client/Security/RuntimeSecurity.cpp')
| -rw-r--r-- | csgo-loader/csgo-client/Security/RuntimeSecurity.cpp | 194 |
1 files changed, 76 insertions, 118 deletions
diff --git a/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp b/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp
index ab2ea87..6a5ce20 100644
--- a/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp
+++ b/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp
@@ -19,8 +19,6 @@ namespace Security
decltype(&OpenProcess) oOpenProcess;
HANDLE __stdcall Hooked_OpenProcess(DWORD AccessLevel, bool Inherit, DWORD ProcessId)
{
- WRAP_IF_RELEASE(VM_EAGLE_WHITE_START);
-
// Determine where the return address of the function actually points.
void *Address = _ReturnAddress();
MEMORY_BASIC_INFORMATION Query = Protection->QueryMemory(Address);
@@ -32,9 +30,7 @@ namespace Security
if(ReturnModule != LoaderModule)
{
- WRAP_IF_RELEASE(STR_ENCRYPT_START);
- Protection->SecurityCallback(__FUNCSIG__);
- WRAP_IF_RELEASE(STR_ENCRYPT_END);
+ Protection->SecurityCallback("Malicious activity [Tampering].");
[&](decltype(&OpenProcess) A)
{
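Review bot: Replacing `__FUNCSIG__` with the fixed literal `"Malicious activity [Tampering]."` on L18 makes every hook report an identical reason, so SecurityCallback can no longer tell which hook fired; the same substitution is made at L51 and L69, and the `[Debugging attempt]` literal at L158 has the same effect for the debugger thread. The callback's own comment says the reason text is what you use to debug the protection, so keep a per-call-site discriminator, e.g. `Protection->SecurityCallback("Malicious activity [Tampering: OpenProcess].");`. Hooked_OpenProcess starts in the previous hunk and its body continues past the end of this one.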
@@ -46,15 +42,11 @@ namespace Security
// Call original function
return oOpenProcess(AccessLevel, Inherit, ProcessId);
-
- WRAP_IF_RELEASE(VM_EAGLE_WHITE_END);
}
decltype(&ExitProcess) oExitProcess;
void __stdcall Hooked_ExitProcess(DWORD ExitCode)
{
- WRAP_IF_RELEASE(VM_EAGLE_WHITE_START);
-
WRAP_IF_DEBUG(oExitProcess(ExitCode));
WRAP_IF_RELEASE(
@@ -65,14 +57,11 @@ namespace Security
A(NullPointer);
}(oExitProcess);
);
-
- WRAP_IF_RELEASE(VM_EAGLE_WHITE_END);
}
decltype(&recv) oWSARecv;
int __stdcall Hooked_WSARecv(SOCKET Socket, char *Buffer, int Length, int Flags)
{
- WRAP_IF_RELEASE(VM_EAGLE_WHITE_START);
// Determine where the return address of the function actually points.
void *Address = _ReturnAddress();
@@ -86,21 +75,17 @@ namespace Security
// Let's meme anyone who tries to reverse this.
if(ReturnModule != LoaderModule)
{
- WRAP_IF_RELEASE(STR_ENCRYPT_START);
- return []() { Protection->SecurityCallback(__FUNCSIG__); return -1; }();
- WRAP_IF_RELEASE(STR_ENCRYPT_END);
+ return []() { Protection->SecurityCallback("Malicious activity [Tampering]."); return -1; }();
}
// Call original function
return oWSARecv(Socket, Buffer, Length, Flags);
- WRAP_IF_RELEASE(VM_EAGLE_WHITE_END);
}
decltype(&send) oWSASend;
int __stdcall Hooked_WSASend(SOCKET Socket, char *Buffer, int Length, int Flags)
{
- WRAP_IF_RELEASE(VM_EAGLE_WHITE_START);
// Determine where the return address of the function actually points.
void *Address = _ReturnAddress();
@@ -114,15 +99,11 @@ namespace Security
// Let's meme anyone who tries to reverse this.
if(ReturnModule != LoaderModule)
{
- WRAP_IF_RELEASE(STR_ENCRYPT_START);
- return []() { Protection->SecurityCallback(__FUNCSIG__); return -1; }();
- WRAP_IF_RELEASE(STR_ENCRYPT_END);
+ return []() { Protection->SecurityCallback("Malicious activity [Tampering]."); return -1; }();
}
// Call original function
return oWSASend(Socket, Buffer, Length, Flags);
-
- WRAP_IF_RELEASE(VM_EAGLE_WHITE_END);
}
#pragma optimize("", on)
@@ -139,8 +120,6 @@ namespace Security
bool RuntimeSecurity::ApplyApiHooks()
{
- WRAP_IF_RELEASE(MUTATE_START);
-
// Make sure that MinHook is initialized properly.
CreateMinHook();
CheckStatus();
@@ -159,17 +138,12 @@ namespace Security
SafeCallTo(MH_EnableHook(&send));
return true;
-
- WRAP_IF_RELEASE(MUTATE_END);
}
#pragma optimize("", on)
void RuntimeSecurity::PatchDebugFunctions()
{
- WRAP_IF_RELEASE(VM_EAGLE_WHITE_START);
- WRAP_IF_RELEASE(STR_ENCRYPT_START);
-
HMODULE Module = GetModuleHandleA("ntdll.dll");
if(!Module)
@@ -199,26 +173,19 @@ namespace Security
ERROR_ASSERT("[000F:00001A00] Failed to initialize. Please contact an administrator.");
// Patch to __asm { jmp oExitProcess; };
- *(uint8_t *)It = 0xE9;
- *(uint32_t *)(It + 1) = (uintptr_t)oExitProcess;
+ *(uint8_t *)It = 0xE9;
+ *(uintptr_t *)(It + 1) = (uintptr_t)oExitProcess;
VirtualProtect((void *)It, sizeof uintptr_t + 1, OldProtection, &OldProtection);
}
-
- WRAP_IF_RELEASE(STR_ENCRYPT_END);
- WRAP_IF_RELEASE(VM_EAGLE_WHITE_END);
}
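Review bot: The widened store on L102 does not fix the encoding it is paired with: `0xE9` is a 32-bit relative `jmp`, so the four bytes after it hold a displacement from the following instruction, not an absolute pointer, and on a 64-bit build `*(uintptr_t *)(It + 1)` now writes eight bytes where the instruction has room for four. As written the patch silently overwrites the bytes following the patched entry rather than transferring control to oExitProcess, and the `sizeof uintptr_t + 1` length on L103 only makes the re-protect call match that oversized write. At minimum pin the assumption the code actually relies on, `static_assert(sizeof(uintptr_t) == 4, "E9 patch assumes a 32-bit build");`, and store a rel32 displacement rather than the raw function address. PatchDebugFunctions starts outside the hunk, so I cannot see the matching VirtualProtect that unprotects the range.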
void RuntimeSecurity::DispatchSecurityThreads()
{
- WRAP_IF_RELEASE(MUTATE_START);
-
std::thread DebugThread (&RuntimeSecurity::CheckForDebugger, this); DebugThread.detach();
std::thread VMThread (&RuntimeSecurity::CheckForVirtualMachine, this); VMThread.detach();
std::thread DriverThread(&RuntimeSecurity::CheckForDrivers, this); DriverThread.detach();
std::thread TamperThread(&RuntimeSecurity::CheckForTampering, this); TamperThread.detach();
-
- WRAP_IF_RELEASE(MUTATE_END);
}
// The following functions are only called internally.
@@ -230,35 +197,15 @@ namespace Security
void RuntimeSecurity::CheckForVirtualMachine()
{
- WRAP_IF_RELEASE(VM_EAGLE_BLACK_START);
-
for(;;)
{
- // Yeah, um, your code did absolutely fuck all in my analysis VM.
- int32_t VirtualMachineChecksum = 0x4000;
-
- WRAP_IF_RELEASE(
- CHECK_VIRTUAL_PC(VirtualMachineChecksum, 0x2000);
-
- WRAP_IF_RELEASE(STR_ENCRYPT_START);
- if(VirtualMachineChecksum != 0x2000)
- SecurityCallback(__FUNCSIG__);
- WRAP_IF_RELEASE(STR_ENCRYPT_END);
- );
-
// Don't put too much stress on the CPU.
- Sleep(VirtualMachineChecksum);
+ Sleep(1);
}
-
-
- WRAP_IF_RELEASE(VM_EAGLE_BLACK_END);
}
void RuntimeSecurity::CheckForDebugger()
{
- WRAP_IF_RELEASE(VM_EAGLE_BLACK_START);
- WRAP_IF_RELEASE(STR_ENCRYPT_START);
-
for(;;)
{
// Read the PEB from the TIB.
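Review bot: After this hunk CheckForVirtualMachine's loop body is only `Sleep(1)`: the checksum and callback are removed, yet DispatchSecurityThreads still detaches the thread, so it now spins a 1 ms wake-up loop that checks nothing. The same interval change at L162, L221 and L254 puts all four detached threads on a roughly 1 kHz wake cycle, which contradicts the `// Don't put too much stress on the CPU.` comment kept beside each one, and the driver thread additionally re-enumerates every loaded driver on each iteration. Either stop dispatching this thread until the check is reinstated or restore a longer interval, e.g. `Sleep(150);`, and leave a `// TODO: VM check removed pending re-validation` comment so the empty body is not mistaken for an oversight. CheckForDebugger's body continues past the end of this hunk.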
@@ -303,67 +250,73 @@ namespace Security
// size_t Index = std::distance(...);
if(FindWindowA(It.first, It.second))
- SecurityCallback(__FUNCSIG__);
+ SecurityCallback("Malicious activity [Debugging attempt].");
}
// Don't put too much stress on the CPU.
- Sleep(150);
+ Sleep(1);
}
-
- WRAP_IF_RELEASE(STR_ENCRYPT_END);
- WRAP_IF_RELEASE(VM_EAGLE_BLACK_END);
}
void RuntimeSecurity::CheckForDrivers()
{
- WRAP_IF_RELEASE(VM_EAGLE_BLACK_START);
-
- // TODO: Check if test-signing mode is on
- // TODO: Check if safe-mode is on
-
// TODO: Check for disallowed drivers
for(;;)
{
+ static const char *BlackListedDrivers[] = {
+ "Sbie", // Sandboxie
+ "NPF", // WireShark / WinPCAP
+ "acker", // Process Hacker
+ "CEDRI" // Cheat Engine
+ "VBox", // VirtualBox
+ };
+
+ static const char *BlackListReasons[] = {
+ "Please uninstall Sandboxie.",
+ "Please uninstall WireShark.",
+ "Please close Process Hacker.",
+ "Please close Cheat Engine.",
+ "Please uninstall VirtualBox."
+ };
+
+ uint16_t Length = sizeof BlackListedDrivers / sizeof(BlackListedDrivers[0]);
+
+ void *DriverList[1024];
+ DWORD Needed;
+
+ if(K32EnumDeviceDrivers(DriverList, sizeof DriverList, &Needed))
+ {
+ if(Needed > sizeof DriverList)
+ ERROR_ASSERT("[00DF:00001CFF] A security thread has failed. Contact an administrator.");
+
+ char DriverName[1024];
+ uint32_t DriverCount = Needed / sizeof DriverList[0];
+
+ for(size_t n{}; n < DriverCount; ++n)
+ {
+ if(K32GetDeviceDriverBaseNameA(DriverList[n], DriverName, sizeof DriverName / sizeof DriverList[0]))
+ {
+ for(size_t j{}; j < Length; ++j)
+ {
+ if(strstr(DriverName, BlackListedDrivers[j]))
+ ERROR_ASSERT(BlackListReasons[j]);
+ }
+ }
+ }
+ }
// Don't put too much stress on the CPU.
- Sleep(150);
+ Sleep(1);
}
-
- WRAP_IF_RELEASE(VM_EAGLE_BLACK_END);
}
void RuntimeSecurity::CheckForTampering()
{
- WRAP_IF_RELEASE(VM_EAGLE_BLACK_START);
-
for(;;)
{
- int32_t CodeIntegrityChecksum = 0x2000;
-
- WRAP_IF_RELEASE(
- CHECK_CODE_INTEGRITY(CodeIntegrityChecksum, 0x4000);
-
- WRAP_IF_RELEASE(STR_ENCRYPT_START);
- if(CodeIntegrityChecksum != 0x4000)
- SecurityCallback(__FUNCSIG__);
- WRAP_IF_RELEASE(STR_ENCRYPT_END);
- );
-
- WRAP_IF_RELEASE(
- CHECK_PROTECTION(CodeIntegrityChecksum, 0x4000);
-
- WRAP_IF_RELEASE(STR_ENCRYPT_START);
- if(CodeIntegrityChecksum != 0x4000)
- SecurityCallback(__FUNCSIG__);
- WRAP_IF_RELEASE(STR_ENCRYPT_END);
- );
-
// Don't put too much stress on the CPU.
- Sleep(CodeIntegrityChecksum);
+ Sleep(1);
}
-
-
- WRAP_IF_RELEASE(VM_EAGLE_BLACK_END);
}
#pragma optimize("", on)
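Review bot: The entry `"CEDRI" // Cheat Engine` on L182 has no trailing comma, so the compiler concatenates it with the next literal into a single `"CEDRIVBox"` element; BlackListedDrivers then has four entries while BlackListReasons (L186-L192) has five, `Length` on L194 evaluates to 4, the Cheat Engine pattern can never match and the VirtualBox pattern is never checked at all. Fix is the comma, `"CEDRI", // Cheat Engine`, plus a `static_assert` that the two arrays have the same element count so the next edit cannot desynchronise them silently. Separately, on L209 the buffer size passed to K32GetDeviceDriverBaseNameA is `sizeof DriverName / sizeof DriverList[0]`, which divides a char buffer by the size of a pointer; it should simply be `sizeof DriverName`. Note also that `strstr` substring matching on fragments as short as `"NPF"` or `"acker"` will hit unrelated driver names and terminate the user via ERROR_ASSERT, so the comparison should at least be anchored to the base name.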
@@ -387,32 +340,43 @@ namespace Security
return true;
}
+ constexpr uintptr_t KUSER_SHARED_DATA = 0x7FFE0000;
+
HardwareIdentifier RuntimeSecurity::GetHardwareId()
{
+ HardwareIdentifier Identifier{};
+
+ // CPU information
+ Identifier.m_CpuCount = *(uint32_t *)(KUSER_SHARED_DATA + 0x3C0);
+ Identifier.m_CpuArchitecture = *(uint16_t *)(KUSER_SHARED_DATA + 0x26A);
+
+ // CPU features
+
+ // Safe-mode
+ Identifier.m_SpecialMode[0] = *(uint8_t *)(KUSER_SHARED_DATA + 0x2EC);
+
+ // Test-signing mode
+
return HardwareIdentifier{};
}
#pragma optimize("", off)
- MEMORY_BASIC_INFORMATION RuntimeSecurity::QueryMemory(void *Address)
+ __declspec(noinline) MEMORY_BASIC_INFORMATION RuntimeSecurity::QueryMemory(void *Address)
{
- static auto ZwQueryVirtualMemory = Syscalls->Find<long(__stdcall *)(HANDLE, void *, int, void *, uint32_t, uint32_t *)>(FNV("ZwQueryVirtualMemory"));
-
MEMORY_BASIC_INFORMATION Result{};
- NTSTATUS Status = ZwQueryVirtualMemory((HANDLE)-1, Address, 0, &Result, sizeof Result, nullptr);
+
+ // VirtualQuery is also referenced in MinHook lib, will be a pain to find anyway
+ // especially if I have VMP encrypt all this shit.
+ bool Success = VirtualQuery(Address, &Result, sizeof Result);
- if(NT_ERROR(Status))
+ if(!Success)
{
- char ReasonParameter[64];
+ char ReasonParameter[64];
+ uint32_t Status = GetLastError();
- WRAP_IF_DEBUG(sprintf_s(ReasonParameter, "[QueryMemory] NTSTATUS: %08x", Status));
- WRAP_IF_RELEASE(
- sprintf_s(ReasonParameter, "[00DF:%08x] There was an error with accessing a process.", Status);
- ERROR_ASSERT(ReasonParameter);
- );
-
- // yeet
- SecurityCallback(ReasonParameter);
+ sprintf_s(ReasonParameter, "[00DF:%08x] There was an error with accessing a process.", Status);
+ ERROR_ASSERT(ReasonParameter);
}
return Result;
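Review bot: GetHardwareId fills `Identifier` on L267-L276 but L280 still does `return HardwareIdentifier{};`, so every field written (m_CpuCount, m_CpuArchitecture, m_SpecialMode[0]) is discarded and callers always receive a zeroed struct; change it to `return Identifier;`. The `// CPU features` and `// Test-signing mode` headings on L273 and L278 have no code beneath them, so either fill them in or mark them `// TODO` so they are not read as finished. The raw reads at fixed offsets from `KUSER_SHARED_DATA` depend on an undocumented structure layout; a comment naming the field each offset is presumed to be, and the Windows builds it was verified on, would let a maintainer re-check them. In QueryMemory, `bool Success = VirtualQuery(...)` on L293 narrows the returned byte count to a bool — it works because zero signals failure, but `SIZE_T Written = VirtualQuery(Address, &Result, sizeof Result); if(Written == 0)` states the contract explicitly.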
@@ -420,13 +384,10 @@ namespace Security
void RuntimeSecurity::SecurityCallback(const char *Reason)
{
- WRAP_IF_RELEASE(VM_FISH_WHITE_START);
-
static bool TriggeredCallback = false;
if(!TriggeredCallback)
{
- WRAP_IF_RELEASE(STR_ENCRYPT_START);
// You can use the reason parameters to debug the security in case
// something weird starts going on with it.
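Review bot: The check-then-set on `static bool TriggeredCallback` at L316-L317 is unsynchronised, while DispatchSecurityThreads detaches four threads (L113-L116) that each may call SecurityCallback and the API hooks call it from whatever thread the hooked function runs on; two concurrent first triggers can both pass the `if` and execute the body twice. `static std::atomic<bool> TriggeredCallback{false}; if(!TriggeredCallback.exchange(true))` makes the once-only intent hold and lets the `TriggeredCallback = true;` assignment at L323 be dropped (requires `<atomic>`, which I cannot confirm is included from this chunk). SecurityCallback's body continues past the end of this hunk.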
@@ -443,10 +404,7 @@ namespace Security
);
TriggeredCallback = true;
- WRAP_IF_RELEASE(STR_ENCRYPT_END);
}
-
- WRAP_IF_RELEASE(VM_FISH_WHITE_END);
}
#pragma optimize("", on)
