Diffstat (limited to 'csgo-loader/csgo-client/Security')
| -rw-r--r-- | csgo-loader/csgo-client/Security/RuntimeSecurity.cpp | 106 | ||||
| -rw-r--r-- | csgo-loader/csgo-client/Security/RuntimeSecurity.hpp | 8 |
2 files changed, 87 insertions, 27 deletions
diff --git a/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp b/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp
index 7f528e3..6054790 100644
--- a/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp
+++ b/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp
@@ -44,6 +44,25 @@ namespace Security
return oOpenProcess(AccessLevel, Inherit, ProcessId);
}
+
+ decltype(&FindWindowA) oFindWindow;
+ HWND __stdcall Hooked_FindWindow(const char *Class, const char *Text)
+ {
+ // Determine where the return address of the function actually points.
+ void *Address = _ReturnAddress();
+ MEMORY_BASIC_INFORMATION Query = Protection->QueryMemory(Address);
+
+ // If the return address points outside of the loader module,
+ // fail the function.
+ HMODULE ReturnModule = (HMODULE)Query.AllocationBase;
+ HMODULE LoaderModule = GetModuleHandleA(NULL);
+
+ if(ReturnModule != LoaderModule)
+ return []() { Protection->SecurityCallback(STR("Malicious activity [Tampering].")); return HWND{}; }();
+
+ return oFindWindow(Class, Text);
+ }
+
decltype(&ExitProcess) oExitProcess;
void __stdcall Hooked_ExitProcess(DWORD ExitCode)
{
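Review bot: The immediately-invoked lambda on the `if(ReturnModule != LoaderModule)` line wraps two statements in a closure just to fit a single return expression; a plain braced block says the same thing without the indirection: `{ Protection->SecurityCallback(STR("Malicious activity [Tampering].")); return HWND{}; }`. The check also uses `Query.AllocationBase` without testing whether QueryMemory succeeded; if it yields a zeroed structure on failure (QueryMemory's body is outside this diff), ReturnModule compares unequal to the loader module and the call is rejected, which looks like the intended fail-closed behaviour but deserves a one-line comment saying so. The same pattern appears in Hooked_OpenProcess, whose body ends at the top of this hunk, and the new hook is registered in the `MH_CreateHook(&FindWindowA, ...)` hunk further down.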
@@ -62,7 +81,6 @@ namespace Security
decltype(&recv) oWSARecv;
int __stdcall Hooked_WSARecv(SOCKET Socket, char *Buffer, int Length, int Flags)
{
-
// Determine where the return address of the function actually points.
void *Address = _ReturnAddress();
MEMORY_BASIC_INFORMATION Query = Protection->QueryMemory(Address);
@@ -86,7 +104,6 @@ namespace Security
decltype(&send) oWSASend;
int __stdcall Hooked_WSASend(SOCKET Socket, char *Buffer, int Length, int Flags)
{
-
// Determine where the return address of the function actually points.
void *Address = _ReturnAddress();
MEMORY_BASIC_INFORMATION Query = Protection->QueryMemory(Address);
@@ -129,6 +146,9 @@ namespace Security
// Apply any hooks.
SafeCallTo(MH_CreateHook(&OpenProcess, Hooked_OpenProcess, (void **)&oOpenProcess));
SafeCallTo(MH_EnableHook(&OpenProcess));
+
+ SafeCallTo(MH_CreateHook(&FindWindowA, Hooked_FindWindow, (void **)&oFindWindow));
+ SafeCallTo(MH_EnableHook(&FindWindowA));
SafeCallTo(MH_CreateHook(&ExitProcess, Hooked_ExitProcess, (void **)&oExitProcess));
SafeCallTo(MH_EnableHook(&ExitProcess));
@@ -148,7 +168,7 @@ namespace Security
void RuntimeSecurity::PatchDebugFunctions()
{
- HMODULE Module = GetModuleHandleA("ntdll.dll");
+ HMODULE Module = GetModuleHandleA(STR("ntdll.dll"));
if(!Module)
ERROR_ASSERT(STR("[000F:00001A00] Failed to initialize. Please contact an administrator."));
@@ -261,6 +281,8 @@ namespace Security
void RuntimeSecurity::CheckForDrivers()
{
+ VMProtectBeginMutation("DriverThread");
+
// TODO: Check for disallowed drivers
for(;;)
{
@@ -313,21 +335,41 @@ namespace Security
// Don't put too much stress on the CPU.
Sleep(1);
}
+
+ VMProtectEnd();
}
void RuntimeSecurity::CheckForTampering()
{
+ VMProtectBeginMutation("TamperThread");
+
for(;;)
{
- if(!VMProtectIsProtected())
- SecurityCallback(STR("Malicious activity [Tampering]."));
+ if(m_Identifier.m_SpecialMode[SAFE_MODE])
+ ERROR_ASSERT(STR("[000F:00003D00] This program cannot run under Safe Mode.\nPlease reboot your system and select 'Normal Mode'."));
+
+ if(m_Identifier.m_SpecialMode[TEST_SIGN_MODE])
+ ERROR_ASSERT(STR("[000F:00003D00] This program cannot run under Test Signing Mode.\nPlease reboot your system and select 'Normal Mode'."));
+
+ if(m_Identifier.m_SpecialMode[DEBUGGING_MODE])
+ SecurityCallback(STR("Malicious activity [Plausible]."));
+
+ if(m_Identifier.m_SpecialMode[TEST_BUILD_MODE])
+ SecurityCallback(STR("Malicious activity [Plausible]."));
- if(!VMProtectIsValidImageCRC())
- SecurityCallback(STR("Malicious activity [Tampering]."));
+ // Check if the file was unpacked.
+ //if(!VMProtectIsProtected())
+ // SecurityCallback(STR("Malicious activity [Tampering]."));
+
+ // Check if the image in memory was partially unpacked or patched.
+ //if(!VMProtectIsValidImageCRC())
+ // SecurityCallback(STR("Malicious activity [Tampering]."));
// Don't put too much stress on the CPU.
Sleep(1);
}
+
+ VMProtectEnd();
}
#pragma optimize("", on)
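Review bot: CheckForTampering now reads `m_Identifier.m_SpecialMode[...]` on every iteration, but the new Start() (the `bool RuntimeSecurity::Start()` hunk further down) calls `DispatchSecurityThreads()` before `SetupSystemIdentifier()`, so the tamper thread can observe m_Identifier before, or while, the main thread assigns it with `m_Identifier = Identifier;` — an unsynchronised read of whatever the RuntimeSecurity constructor left in those bytes, which can raise a false tamper report. Calling `SetupSystemIdentifier();` before `DispatchSecurityThreads();` in Start() removes the race, since the member is then fully written before any thread that reads it exists. Separately, both `ERROR_ASSERT` messages in this loop carry the same `[000F:00003D00]` code for two different conditions (safe mode and test-signing mode), so a report cannot tell them apart; giving the second its own code would help. The two VMProtect checks are left as commented-out code rather than removed, and the commit does not say why they are disabled; a short comment stating the reason would save the next reader from guessing.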
@@ -335,21 +377,6 @@ namespace Security
// The following functions are exposed publicly.
///////////////////////////////////////////////////////////
- bool RuntimeSecurity::Start()
- {
- // If hooking API functions fails, exit the program.
- if(!ApplyApiHooks())
- return false;
-
- // Dispatch threads before patching NtContinue & co.
- DispatchSecurityThreads();
-
- // Patch DbgUiRemoteBreakin, DbgBreakPoint, NtContinue
- // This also fucks up detours for some reason... only extra protection :-)
- PatchDebugFunctions();
-
- return true;
- }
constexpr uintptr_t KUSER_SHARED_DATA = 0x7FFE0000;
@@ -399,14 +426,14 @@ namespace Security
return 0; }
- HardwareIdentifier RuntimeSecurity::GetHardwareId()
+ void RuntimeSecurity::SetupSystemIdentifier()
{
- VMProtectBeginMutation("HardwareIdentifier");
+ VMProtectBeginUltra("SetupHWID");
HardwareIdentifier Identifier{};
// CPU information
- Identifier.m_CpuCount = *(uint32_t *)(KUSER_SHARED_DATA + 0x3C0);
+ Identifier.m_CpuCount = *(uint32_t *)(KUSER_SHARED_DATA + 0x3C0);
Identifier.m_CpuArchitecture = *(uint16_t *)(KUSER_SHARED_DATA + 0x26A);
// HDD serial number
@@ -425,8 +452,11 @@ namespace Security
CodeIntegrityInformation Info{ sizeof CodeIntegrityInformation };
NTSTATUS Status = ZwQuerySystemInformation(0x67, &Info, sizeof Info, nullptr);
+ if(!VMProtectGetCurrentHWID(Identifier.m_CustomDetail, 256))
+ ERROR_ASSERT(STR("[000F:00001A00] Failed to initialize. Please contact an administrator."));
+
if(NT_ERROR(Status))
- ERROR_ASSERT(STR("[00CF:%08x] Critical execution error."), Status);
+ ERROR_ASSERT(STR("[000F:00001A00] Failed to initialize. Please contact an administrator."));
if(Info.m_Options & 0x02)
Identifier.m_SpecialMode[1] = true;
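Review bot: `VMProtectGetCurrentHWID(Identifier.m_CustomDetail, 256)` repeats the buffer size declared as `char m_CustomDetail[256]` in RuntimeSecurity.hpp (header hunk below); `if(!VMProtectGetCurrentHWID(Identifier.m_CustomDetail, sizeof Identifier.m_CustomDetail))` keeps the two from drifting apart and matches the `sizeof Info` style on the ZwQuerySystemInformation line. The replacement ERROR_ASSERT in the `NT_ERROR(Status)` branch drops the Status value the old `[00CF:%08x]` message reported and reuses the `[000F:00001A00]` code of the HWID failure just above it, so the two failures are no longer distinguishable from the message. The HWID check is also inserted between the ZwQuerySystemInformation call and its status test; placing it before the call keeps the call and its NT_ERROR check adjacent. SetupSystemIdentifier's body continues outside this hunk.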
@@ -437,11 +467,33 @@ namespace Security
if(Info.m_Options & 0x40)
Identifier.m_SpecialMode[3] = true;
+ m_Identifier = Identifier;
+
VMProtectEnd();
+ }
+
+ bool RuntimeSecurity::Start()
+ {
+ WRAP_IF_RELEASE(
+ // If hooking API functions fails, exit the program.
+ if(!ApplyApiHooks())
+ return false;
- return Identifier;
+ // Dispatch threads before patching NtContinue & co.
+ DispatchSecurityThreads();
+
+ // Patch DbgUiRemoteBreakin, DbgBreakPoint, NtContinue
+ // This also fucks up detours for some reason... only extra protection :-)
+ PatchDebugFunctions();
+ );
+
+ SetupSystemIdentifier();
+
+ return true;
}
+ HardwareIdentifier RuntimeSecurity::GetHardwareId() { return m_Identifier; }
+
#pragma optimize("", off)
__declspec(noinline) MEMORY_BASIC_INFORMATION RuntimeSecurity::QueryMemory(void *Address)
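Review bot: Inside `WRAP_IF_RELEASE(...)` the `return false;` after ApplyApiHooks() is now part of a macro argument; if that macro expands to nothing in non-release builds (its definition is not in this diff), Start() returns true without hooks or security threads, so the "If hooking API functions fails, exit the program." contract becomes build-dependent and should be stated in a comment above the macro, e.g. `// Hooks, threads and debug patches are applied only in release builds; Start() then reports success regardless.` The special-mode flags are written with literal indices (`Identifier.m_SpecialMode[3] = true;` here and `[1]` in the previous hunk) but read through the named SAFE_MODE/TEST_SIGN_MODE/DEBUGGING_MODE/TEST_BUILD_MODE constants in CheckForTampering; using the same names on the write side documents which slot is which. `GetHardwareId()` copies the struct, now 256 bytes larger, on every call and is not const; `const HardwareIdentifier &GetHardwareId() const { return m_Identifier; }` avoids both (its declaration in the header is outside this diff). The SetupSystemIdentifier/DispatchSecurityThreads ordering in Start() is raised at the CheckForTampering hunk above.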
diff --git a/csgo-loader/csgo-client/Security/RuntimeSecurity.hpp b/csgo-loader/csgo-client/Security/RuntimeSecurity.hpp
index 06df3bf..6446a08 100644
--- a/csgo-loader/csgo-client/Security/RuntimeSecurity.hpp
+++ b/csgo-loader/csgo-client/Security/RuntimeSecurity.hpp
@@ -74,6 +74,9 @@ namespace Security
// Hash of the hard disk serial identifier.
uint64_t m_HardDiskSerialHash;
+ // VMP HWID
+ char m_CustomDetail[256];
+
// Safe-mode/Test-signing mode status
uint8_t m_SpecialMode[4];
};
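Review bot: The new member `char m_CustomDetail[256];` carries only the comment `// VMP HWID`, and its length is repeated as a literal 256 at the VMProtectGetCurrentHWID call in RuntimeSecurity.cpp; a comment such as `// Buffer that SetupSystemIdentifier fills via VMProtectGetCurrentHWID; its size is passed to that call.` plus a named constant for the length would keep the two in step. The member also grows HardwareIdentifier by 256 bytes, and the struct is copied by `m_Identifier = Identifier;` and by GetHardwareId(), so it is no longer cheap to pass around by value.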
@@ -87,6 +90,8 @@ namespace Security
// any potentially malicious actions from users.
class RuntimeSecurity
{
+ HardwareIdentifier m_Identifier;
+
protected:
// Applies necessary API hooks.
bool ApplyApiHooks();
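Review bot: `HardwareIdentifier m_Identifier;` is declared without an initializer, so unless the RuntimeSecurity constructor (not in this diff) sets it, its m_SpecialMode bytes are indeterminate until SetupSystemIdentifier assigns it, and CheckForTampering, which tests those flags from another thread, can see a stale non-zero value and raise a false tamper report. `HardwareIdentifier m_Identifier{};` value-initialises the member so every flag starts false, and a comment should record who writes and who reads it: `// Written once by SetupSystemIdentifier(); read by the security threads and GetHardwareId().` The read-before-write ordering in Start() is raised at the CheckForTampering hunk in RuntimeSecurity.cpp.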
@@ -97,6 +102,9 @@ namespace Security
// Dispatches security threads.
void DispatchSecurityThreads();
+ // Grabs all hardware data.
+ void SetupSystemIdentifier();
+
// The following functions are used in security threads to run checks.
void CheckForVirtualMachine();
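Review bot: The comment `// Grabs all hardware data.` on SetupSystemIdentifier understates what the function records: besides CPU and disk-serial data it stores the VMProtect HWID and the code-integrity flags that CheckForTampering keys off. Suggest `// Fills m_Identifier with CPU, disk-serial, VMProtect HWID and code-integrity (special-mode) data; the security threads read the result.`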
