Diffstat (limited to 'csgo-loader/csgo-client/Security')
-rw-r--r--csgo-loader/csgo-client/Security/RuntimeSecurity.cpp169
1 files changed, 122 insertions, 47 deletions
diff --git a/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp b/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp
index f9825c0..ab2ea87 100644
--- a/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp
+++ b/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp
@@ -135,8 +135,12 @@ namespace Security
#define CheckStatus() if(Status != MH_OK) { return false; }
#define SafeCallTo(Function) Status = Function; CheckStatus();
+#pragma optimize("", off)
+
bool RuntimeSecurity::ApplyApiHooks()
{
+ WRAP_IF_RELEASE(MUTATE_START);
+
// Make sure that MinHook is initialized properly.
CreateMinHook();
CheckStatus();
@@ -155,8 +159,12 @@ namespace Security
SafeCallTo(MH_EnableHook(&send));
return true;
+
+ WRAP_IF_RELEASE(MUTATE_END);
}
+#pragma optimize("", on)
+
void RuntimeSecurity::PatchDebugFunctions()
{
WRAP_IF_RELEASE(VM_EAGLE_WHITE_START);
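Review bot: `WRAP_IF_RELEASE(MUTATE_END);` at L30 sits after `return true;`, so it never executes, and the `CheckStatus()`/`SafeCallTo` macros (L15-L16) return `false` before it on every failure path, so MUTATE_START is opened on all paths and MUTATE_END reached on none. If the two markers delimit a region for the protector, move the end marker above the return, `WRAP_IF_RELEASE(MUTATE_END);` then `return true;`, and consider collecting the status into a single exit so the failure paths pass the marker too. ApplyApiHooks begins in the previous hunk and its middle lines lie between the two hunks, so the early returns there are inferred from the macro definition rather than seen.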
@@ -181,7 +189,7 @@ namespace Security
uintptr_t Exports[] = {
Export_DbgUiRemoteBreakin,
Export_DbgBreakPoint,
- //Export_NtContinue // This causes a lot of crashes ATM while debugging, leave this out till release.
+ Export_NtContinue // This causes a lot of crashes ATM while debugging, leave this out till release.
};
for(auto &It : Exports)
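Review bot: The trailing comment on `Export_NtContinue` at L42 still says to leave the entry out until release, but the commit enables it, so the comment now contradicts the code it annotates. Replace it with the current decision, e.g. `Export_NtContinue // Enabled; was disabled earlier because it crashed while debugging.`, or record why the crash concern no longer applies. The Exports array's use and the enclosing function continue outside this hunk.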
@@ -224,20 +232,24 @@ namespace Security
{
WRAP_IF_RELEASE(VM_EAGLE_BLACK_START);
- // Yeah, um, your code did absolutely fuck all in my analysis VM.
- int32_t VirtualMachineChecksum = 0x4000;
+ for(;;)
+ {
+ // Yeah, um, your code did absolutely fuck all in my analysis VM.
+ int32_t VirtualMachineChecksum = 0x4000;
- WRAP_IF_RELEASE(
- CHECK_VIRTUAL_PC(VirtualMachineChecksum, 0x2000);
+ WRAP_IF_RELEASE(
+ CHECK_VIRTUAL_PC(VirtualMachineChecksum, 0x2000);
- WRAP_IF_RELEASE(STR_ENCRYPT_START);
+ WRAP_IF_RELEASE(STR_ENCRYPT_START);
if(VirtualMachineChecksum != 0x2000)
SecurityCallback(__FUNCSIG__);
- WRAP_IF_RELEASE(STR_ENCRYPT_END);
- );
+ WRAP_IF_RELEASE(STR_ENCRYPT_END);
+ );
+
+ // Don't put too much stress on the CPU.
+ Sleep(VirtualMachineChecksum);
+ }
- // Don't put too much stress on the CPU.
- Sleep(VirtualMachineChecksum);
WRAP_IF_RELEASE(VM_EAGLE_BLACK_END);
}
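Review bot: The `for(;;)` added at L50 has no exit, so `WRAP_IF_RELEASE(VM_EAGLE_BLACK_END);` after the loop body is unreachable; if the START/END pair delimits a protected region it is now opened but never closed on the executing path. Either give the loop a termination condition checked each iteration, or move the END marker inside the body so it is emitted where control actually flows, e.g. place `WRAP_IF_RELEASE(VM_EAGLE_BLACK_END);` before `Sleep(VirtualMachineChecksum);`. The same pattern appears in the next three hunks: CheckForDebugger (where `STR_ENCRYPT_END` at L138 is also after the loop), the TODO-only loop that just sleeps, and the code-integrity loop. This function's signature is above the hunk, so its name is not visible here.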
@@ -245,21 +257,60 @@ namespace Security
void RuntimeSecurity::CheckForDebugger()
{
WRAP_IF_RELEASE(VM_EAGLE_BLACK_START);
+ WRAP_IF_RELEASE(STR_ENCRYPT_START);
- // Read the PEB from the TIB.
- // Offset for x86 is 0x30 ; mov ..., dword ptr fs:[0x30]
- // Offset for x64 is 0x60 ; mov ..., qword ptr gs:[0x60]
- PEB *ProcessEnvBlock = (PEB *)__readgsqword(0x60);
-
- // if(ProcessEnvBlock->BeingDebugged)
- // SecurityCallback();
-
- // TODO: Check for x64dbg window?
+ for(;;)
+ {
+ // Read the PEB from the TIB.
+ // Offset for x86 is 0x30 ; mov ..., dword ptr fs:[0x30]
+ // Offset for x64 is 0x60 ; mov ..., qword ptr gs:[0x60]
+ PEB *ProcessEnvBlock = (PEB *)__readgsqword(0x60);
+
+ //if(ProcessEnvBlock->BeingDebugged)
+ // SecurityCallback(__FUNCSIG__);
+
+ // TODO: Check for x64dbg window?
+ /*
+ ------------------------------
+ HWND: 000305A4
+ HWND->m_Class = "ID"
+ HWND->m_Text = "Immunity
+ ------------------------------
+ HWND: 00060574
+ HWND->m_Class = || NON CONSTANT ||
+ HWND->m_Text = "x64dbg"
+ ------------------------------
+ HWND: 002C0680
+ HWND->m_Class = || NON CONSTANT ||
+ HWND->m_Text = "Progress Telerik Fiddler Web Debugger"
+ ------------------------------
+ HWND: 000406E4
+ HWND->m_Class = "OLLYDBG"
+ HWND->m_Text = "OllyDbg"
+ ------------------------------
+ */
+ using WindowParams = std::pair<const char *, const char *>;
+ static std::vector<WindowParams> BlackListedWindows = {
+ {"ID", "Immunity"}, // Immunity Debugger
+ {"Qt5QWindowIcon", "x64dbg"}, // x64dbg
+ {"Qt5QWindowIcon", "x32dbg"}, // x32dbg
+ {"OLLYDBG", "OllyDbg"}, // OllyDbg
+ {nullptr, "Progress Telerik Fiddler Web Debugger"}, // Telerik Fiddler
+ };
+
+ for(auto &It : BlackListedWindows)
+ {
+ // size_t Index = std::distance(...);
+ if(FindWindowA(It.first, It.second))
+ SecurityCallback(__FUNCSIG__);
+ }
- // Don't put too much stress on the CPU.
- Sleep(150);
+ // Don't put too much stress on the CPU.
+ Sleep(150);
+ }
+ WRAP_IF_RELEASE(STR_ENCRYPT_END);
WRAP_IF_RELEASE(VM_EAGLE_BLACK_END);
}
@@ -267,10 +318,16 @@ namespace Security
{
WRAP_IF_RELEASE(VM_EAGLE_BLACK_START);
- // TODO:
+ // TODO: Check if test-signing mode is on
+ // TODO: Check if safe-mode is on
- // Don't put too much stress on the CPU.
- Sleep(150);
+ // TODO: Check for disallowed drivers
+ for(;;)
+ {
+
+ // Don't put too much stress on the CPU.
+ Sleep(150);
+ }
WRAP_IF_RELEASE(VM_EAGLE_BLACK_END);
}
@@ -279,28 +336,32 @@ namespace Security
{
WRAP_IF_RELEASE(VM_EAGLE_BLACK_START);
- int32_t CodeIntegrityChecksum = 0x2000;
+ for(;;)
+ {
+ int32_t CodeIntegrityChecksum = 0x2000;
- WRAP_IF_RELEASE(
- CHECK_CODE_INTEGRITY(CodeIntegrityChecksum, 0x4000);
+ WRAP_IF_RELEASE(
+ CHECK_CODE_INTEGRITY(CodeIntegrityChecksum, 0x4000);
- WRAP_IF_RELEASE(STR_ENCRYPT_START);
+ WRAP_IF_RELEASE(STR_ENCRYPT_START);
if(CodeIntegrityChecksum != 0x4000)
SecurityCallback(__FUNCSIG__);
- WRAP_IF_RELEASE(STR_ENCRYPT_END);
- );
+ WRAP_IF_RELEASE(STR_ENCRYPT_END);
+ );
- WRAP_IF_RELEASE(
- CHECK_PROTECTION(CodeIntegrityChecksum, 0x4000);
+ WRAP_IF_RELEASE(
+ CHECK_PROTECTION(CodeIntegrityChecksum, 0x4000);
- WRAP_IF_RELEASE(STR_ENCRYPT_START);
- if(CodeIntegrityChecksum != 0x4000)
- SecurityCallback(__FUNCSIG__);
- WRAP_IF_RELEASE(STR_ENCRYPT_END);
- );
+ WRAP_IF_RELEASE(STR_ENCRYPT_START);
+ if(CodeIntegrityChecksum != 0x4000)
+ SecurityCallback(__FUNCSIG__);
+ WRAP_IF_RELEASE(STR_ENCRYPT_END);
+ );
+
+ // Don't put too much stress on the CPU.
+ Sleep(CodeIntegrityChecksum);
+ }
- // Don't put too much stress on the CPU.
- Sleep(CodeIntegrityChecksum);
WRAP_IF_RELEASE(VM_EAGLE_BLACK_END);
}
@@ -331,21 +392,24 @@ namespace Security
return HardwareIdentifier{};
}
+#pragma optimize("", off)
+
MEMORY_BASIC_INFORMATION RuntimeSecurity::QueryMemory(void *Address)
{
static auto ZwQueryVirtualMemory = Syscalls->Find<long(__stdcall *)(HANDLE, void *, int, void *, uint32_t, uint32_t *)>(FNV("ZwQueryVirtualMemory"));
- MEMORY_BASIC_INFORMATION Result;
-
- NTSTATUS Status = ZwQueryVirtualMemory(GetCurrentProcess(), Address, 0, &Result, sizeof Result, nullptr);
+ MEMORY_BASIC_INFORMATION Result{};
+ NTSTATUS Status = ZwQueryVirtualMemory((HANDLE)-1, Address, 0, &Result, sizeof Result, nullptr);
if(NT_ERROR(Status))
{
-
char ReasonParameter[64];
WRAP_IF_DEBUG(sprintf_s(ReasonParameter, "[QueryMemory] NTSTATUS: %08x", Status));
- WRAP_IF_RELEASE(sprintf_s(ReasonParameter, "[00DF:%08x] There was an error with accessing a process.", Status));
+ WRAP_IF_RELEASE(
+ sprintf_s(ReasonParameter, "[00DF:%08x] There was an error with accessing a process.", Status);
+ ERROR_ASSERT(ReasonParameter);
+ );
// yeet
SecurityCallback(ReasonParameter);
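Review bot: The rewritten call at L211 still dereferences `ZwQueryVirtualMemory` without checking that `Syscalls->Find(...)` returned a non-null pointer, so a failed lookup faults on an indirect call through null instead of reaching the error path below it. Add a guard before the call, e.g. `if(!ZwQueryVirtualMemory) { SecurityCallback("[QueryMemory] ZwQueryVirtualMemory lookup failed"); return Result; }` (whichever of callback or zeroed `Result` the callers expect — the rest of the function is outside the hunk). Separately, `(HANDLE)-1` is a C-style cast of a magic value standing in for the pseudo-handle `GetCurrentProcess()` returned; if the literal is intended, name it once, `static const HANDLE CurrentProcess = reinterpret_cast<HANDLE>(-1);`, rather than spelling it inline.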
@@ -358,21 +422,32 @@ namespace Security
{
WRAP_IF_RELEASE(VM_FISH_WHITE_START);
- // TODO: Implement something that bans the user or notifies
- // you if someone tampers with the loader.
static bool TriggeredCallback = false;
if(!TriggeredCallback)
{
WRAP_IF_RELEASE(STR_ENCRYPT_START);
+
+ // You can use the reason parameters to debug the security in case
+ // something weird starts going on with it.
char Buffer[2048];
sprintf_s(Buffer, "Security callback was called. Reason parameter: \"%s\"\n", Reason);
-
+
MessageBoxA(0, Buffer, "Information", MB_ICONINFORMATION | MB_OK);
+
+
+ // The process will straight up die on Release mode.
+ // Compile with FuckMSVC to debug this.
+ WRAP_IF_RELEASE(
+ ExitProcess(rand() % RAND_MAX);
+ );
+
TriggeredCallback = true;
WRAP_IF_RELEASE(STR_ENCRYPT_END);
}
WRAP_IF_RELEASE(VM_FISH_WHITE_END);
}
+
+#pragma optimize("", on)
}
\ No newline at end of file
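Review bot: In release builds `ExitProcess` at L246 runs before `TriggeredCallback = true;` and before `WRAP_IF_RELEASE(STR_ENCRYPT_END);`, so the flag assignment and the end marker are unreachable there; set the flag first, `TriggeredCallback = true;` ahead of the `WRAP_IF_RELEASE(ExitProcess(...))` block, and place the exit after STR_ENCRYPT_END if that marker must pair with START. `rand() % RAND_MAX` with no `srand` call visible yields the same exit code on every run, and the modulo only remaps the single value RAND_MAX to 0, so if a varying code is the intent this does not deliver it. The `static bool TriggeredCallback` is also read and written without synchronisation; the commit turns the check routines into endless loops that call this callback, so two reaching it concurrently looks possible, but whether they run on separate threads is not visible in this diff.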