Diffstat (limited to 'csgo-loader/csgo-client/Security/RuntimeSecurity.cpp')
| -rw-r--r-- | csgo-loader/csgo-client/Security/RuntimeSecurity.cpp | 124 |
1 files changed, 95 insertions, 29 deletions
diff --git a/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp b/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp
index 572c9b1..7f528e3 100644
--- a/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp
+++ b/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp
@@ -209,6 +209,9 @@ namespace Security
for(;;)
{
+ if(VMProtectIsVirtualMachinePresent())
+ SecurityCallback(STR("Malicious activity [Virtualized environment]."));
+
// Don't put too much stress on the CPU.
Sleep(1);
}
@@ -227,36 +230,18 @@ namespace Security
// Offset for x64 is 0x60 ; mov ..., qword ptr gs:[0x60]
PEB *ProcessEnvBlock = (PEB *)__readgsqword(0x60);
- //if(ProcessEnvBlock->BeingDebugged)
- // SecurityCallback(__FUNCSIG__);
+ if(ProcessEnvBlock->BeingDebugged)
+ SecurityCallback(STR("Malicious activity [Debugging attempt]."));
// TODO: Check for x64dbg window?
- /*
- ------------------------------
- HWND: 000305A4
- HWND->m_Class = "ID"
- HWND->m_Text = "Immunity
- ------------------------------
- HWND: 00060574
- HWND->m_Class = || NON CONSTANT ||
- HWND->m_Text = "x64dbg"
- ------------------------------
- HWND: 002C0680
- HWND->m_Class = || NON CONSTANT ||
- HWND->m_Text = "Progress Telerik Fiddler Web Debugger"
- ------------------------------
- HWND: 000406E4
- HWND->m_Class = "OLLYDBG"
- HWND->m_Text = "OllyDbg"
- ------------------------------
- */
using WindowParams = std::pair<const char *, const char *>;
static std::vector<WindowParams> BlackListedWindows = {
{STR("ID"), STR("Immunity")}, // Immunity Debugger
- {STR("Qt5QWindowIcon"), STR("x64dbg")}, // x64dbg
- {STR("Qt5QWindowIcon"), STR("x32dbg")}, // x32dbg
- {STR("OLLYDBG"), STR("OllyDbg")}, // OllyDbg
- {nullptr, STR("Progress Telerik Fiddler Web Debugger")}, // Telerik Fiddler
+ {STR("Qt5QWindowIcon"), STR("x64dbg")}, // x64dbg
+ {STR("Qt5QWindowIcon"), STR("x32dbg")}, // x32dbg
+ {STR("Qt5QWindowIcon"), STR("The Wireshark Network Analyzer")}, // x32dbg
+ {STR("OLLYDBG"), STR("OllyDbg")}, // OllyDbg
+ {nullptr, STR("Progress Telerik Fiddler Web Debugger")}, // Telerik Fiddler
};
for(auto &It : BlackListedWindows)
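Review bot: The trailing comment on the new `{STR("Qt5QWindowIcon"), STR("The Wireshark Network Analyzer")}` entry reads `// x32dbg`, copied from the line above, so the table no longer describes itself; it should read `// Wireshark`. The `// TODO: Check for x64dbg window?` line kept just above the table is also stale now that x64dbg has had an entry in BlackListedWindows since before this change, and can be dropped. The loop that consumes the table continues past the end of the hunk.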
@@ -284,7 +269,7 @@ namespace Security
STR("NPF"), // WireShark / WinPCAP
STR("acker"), // Process Hacker
STR("CEDRI"), // Cheat Engine
- //STR("VBox") // VirtualBox
+ //STR("VBox") // VirtualBox
};
static const char *BlackListReasons[] = {
@@ -303,7 +288,11 @@ namespace Security
if(K32EnumDeviceDrivers(DriverList, sizeof DriverList, &Needed))
{
if(Needed > sizeof DriverList)
- ERROR_ASSERT(STR("[00DF:00001CFF] A security thread has failed. Contact an administrator."));
+ {
+ ERROR_ASSERT(
+ STR("[00DF:00001CFF] A security thread has failed. Contact an administrator.")
+ );
+ }
char DriverName[1024];
uint32_t DriverCount = Needed / sizeof DriverList[0];
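Review bot: The `Needed > sizeof DriverList` guard only protects the code below it if ERROR_ASSERT never returns; if the macro can return, `uint32_t DriverCount = Needed / sizeof DriverList[0]` on the last hunk line yields a count larger than the array, and the loop that consumes it lies outside this hunk. Unless ERROR_ASSERT is known to terminate the process, clamp inside the new braces after the assert, e.g. `Needed = sizeof DriverList;`, so DriverCount can never exceed the storage actually filled by K32EnumDeviceDrivers. The enclosing function starts and ends outside the hunk.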
@@ -330,6 +319,12 @@ namespace Security
{
for(;;)
{
+ if(!VMProtectIsProtected())
+ SecurityCallback(STR("Malicious activity [Tampering]."));
+
+ if(!VMProtectIsValidImageCRC())
+ SecurityCallback(STR("Malicious activity [Tampering]."));
+
// Don't put too much stress on the CPU.
Sleep(1);
}
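Review bot: Both new checks report the identical string `Malicious activity [Tampering].`, so whatever SecurityCallback records cannot tell a failed VMProtectIsProtected from a failed VMProtectIsValidImageCRC. Give the second check its own reason, e.g. `SecurityCallback(STR("Malicious activity [Image CRC mismatch]."));`, so the two conditions stay distinguishable in whatever log or telemetry the callback feeds. The enclosing function starts outside the hunk.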
@@ -358,22 +353,93 @@ namespace Security
constexpr uintptr_t KUSER_SHARED_DATA = 0x7FFE0000;
+ __forceinline uint64_t get_hdd_hash() {
+ STORAGE_PROPERTY_QUERY query{ };
+ STORAGE_DESCRIPTOR_HEADER desc_header{ };
+ STORAGE_DEVICE_DESCRIPTOR* device_descriptor{ };
+ HANDLE device;
+ DWORD bytes_returned;
+ uint8_t* out_buffer;
+
+ const wchar_t* device_path = L"\\??\\PhysicalDrive0";
+ device = CreateFileA("\\\\.\\PhysicalDrive0", 0, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, 0, 0);
+ if(!device) return uint64_t{ };
+
+ query.PropertyId = StorageDeviceProperty;
+ query.QueryType = PropertyStandardQuery;
+
+ if(!DeviceIoControl(device, IOCTL_STORAGE_QUERY_PROPERTY,
+ &query, sizeof(STORAGE_PROPERTY_QUERY),
+ &desc_header, sizeof(STORAGE_DESCRIPTOR_HEADER),
+ &bytes_returned, 0)) {
+ return uint64_t{ };
+ }
+
+ out_buffer = new uint8_t[desc_header.Size];
+ memset(out_buffer, 0, desc_header.Size);
+
+ if(!DeviceIoControl(device, IOCTL_STORAGE_QUERY_PROPERTY,
+ &query, sizeof(STORAGE_PROPERTY_QUERY),
+ out_buffer, desc_header.Size,
+ &bytes_returned, 0)) {
+ delete[] out_buffer;
+ return uint64_t{ };
+ }
+
+ device_descriptor = (STORAGE_DEVICE_DESCRIPTOR*)out_buffer;
+ if(device_descriptor->SerialNumberOffset) {
+ std::string serial_num = reinterpret_cast<const char*>(
+ out_buffer + device_descriptor->SerialNumberOffset);
+
+ delete[] out_buffer;
+ CloseHandle(device);
+ return fnv::hash_runtime(serial_num.c_str());
+ }
+
+ return 0;
+ }
+
HardwareIdentifier RuntimeSecurity::GetHardwareId()
{
+ VMProtectBeginMutation("HardwareIdentifier");
+
HardwareIdentifier Identifier{};
// CPU information
Identifier.m_CpuCount = *(uint32_t *)(KUSER_SHARED_DATA + 0x3C0);
Identifier.m_CpuArchitecture = *(uint16_t *)(KUSER_SHARED_DATA + 0x26A);
- // CPU features
+ // HDD serial number
+ Identifier.m_HardDiskSerialHash = get_hdd_hash();
// Safe-mode
Identifier.m_SpecialMode[0] = *(uint8_t *)(KUSER_SHARED_DATA + 0x2EC);
// Test-signing mode
+ static auto ZwQuerySystemInformation = Syscalls->Find<long(__stdcall *)(uint32_t, void *, uint32_t, uint32_t *)>(FNV("ZwQuerySystemInformation"));
+
+ // 0x02 CODEINTEGRITY_OPTION_TESTSIGN
+ // 0x20 CODEINTEGRITY_OPTION_TEST_BUILD
+ // 0x80 CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED
+
+ CodeIntegrityInformation Info{ sizeof CodeIntegrityInformation };
+ NTSTATUS Status = ZwQuerySystemInformation(0x67, &Info, sizeof Info, nullptr);
+
+ if(NT_ERROR(Status))
+ ERROR_ASSERT(STR("[00CF:%08x] Critical execution error."), Status);
+
+ if(Info.m_Options & 0x02)
+ Identifier.m_SpecialMode[1] = true;
+
+ if(Info.m_Options & 0x20)
+ Identifier.m_SpecialMode[2] = true;
+
+ if(Info.m_Options & 0x40)
+ Identifier.m_SpecialMode[3] = true;
+
+ VMProtectEnd();
- return HardwareIdentifier{};
+ return Identifier;
}
#pragma optimize("", off)
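Review bot: `if(!device) return uint64_t{ };` in get_hdd_hash never catches a failed open, because CreateFileA reports failure with INVALID_HANDLE_VALUE rather than a null handle, so both DeviceIoControl calls then run on an invalid handle; in addition, every early return after the open leaks `device`, the `return 0;` path (SerialNumberOffset of 0) leaks `out_buffer`, and `device_path` is declared but never used. The rewrite below compares against INVALID_HANDLE_VALUE, holds the handle and the buffer in RAII owners so all paths release them, bounds-checks SerialNumberOffset against the reply size before dereferencing, and drops the unused variable. Further down in GetHardwareId, the comment documents `0x80 CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED` but the code tests `Info.m_Options & 0x40`, which in the public SYSTEM_CODEINTEGRITY_INFORMATION flags is PREPRODUCTION_BUILD, so either the mask or the comment is wrong; and `sizeof CodeIntegrityInformation` applies sizeof to a type-id without parentheses, which does not compile unless that name is a macro — `CodeIntegrityInformation Info{ sizeof(CodeIntegrityInformation) };` is the safe form. It is also worth confirming whether ERROR_ASSERT can return, since on that path the function leaves without reaching VMProtectEnd.
```cpp
__forceinline uint64_t get_hdd_hash() {
    // CreateFileA reports failure with INVALID_HANDLE_VALUE, not a null handle.
    HANDLE raw_device = CreateFileA("\\\\.\\PhysicalDrive0", 0, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, 0, 0);
    if(raw_device == INVALID_HANDLE_VALUE) return uint64_t{ };
    // Owning wrapper: every return below closes the handle.
    std::unique_ptr<void, decltype(&CloseHandle)> device{ raw_device, &CloseHandle };

    STORAGE_PROPERTY_QUERY query{ };
    query.PropertyId = StorageDeviceProperty;
    query.QueryType = PropertyStandardQuery;

    STORAGE_DESCRIPTOR_HEADER desc_header{ };
    DWORD bytes_returned{ };
    if(!DeviceIoControl(device.get(), IOCTL_STORAGE_QUERY_PROPERTY,
                        &query, sizeof(STORAGE_PROPERTY_QUERY),
                        &desc_header, sizeof(STORAGE_DESCRIPTOR_HEADER),
                        &bytes_returned, 0)) {
        return uint64_t{ };
    }
    // A reply smaller than the descriptor cannot be read as one.
    if(desc_header.Size < sizeof(STORAGE_DEVICE_DESCRIPTOR)) return uint64_t{ };

    // Zero-initialised and released on every path; replaces new[]/delete[].
    std::vector<uint8_t> out_buffer(desc_header.Size);
    if(!DeviceIoControl(device.get(), IOCTL_STORAGE_QUERY_PROPERTY,
                        &query, sizeof(STORAGE_PROPERTY_QUERY),
                        out_buffer.data(), desc_header.Size,
                        &bytes_returned, 0)) {
        return uint64_t{ };
    }

    const auto *device_descriptor = reinterpret_cast<const STORAGE_DEVICE_DESCRIPTOR *>(out_buffer.data());
    const DWORD serial_offset = device_descriptor->SerialNumberOffset;
    // Offset 0 means "no serial reported"; an offset past the reply means a malformed reply.
    if(serial_offset == 0 || serial_offset >= out_buffer.size()) return uint64_t{ };

    // NOTE(review): still assumes the serial string is NUL-terminated inside the reply — confirm.
    const std::string serial_num(reinterpret_cast<const char *>(out_buffer.data() + serial_offset));
    return fnv::hash_runtime(serial_num.c_str());
}
```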
