From 6c20307070e096456d3a36722f65ddaa38bcb100 Mon Sep 17 00:00:00 2001 From: boris Date: Thu, 10 Jan 2019 15:44:40 +1300 Subject: aaaaaajh --- csgo-loader/csgo-client/Client.cpp | 27 ++-- .../csgo-client/RemoteCode/RemoteMapper.cpp | 161 ++++++++++++++++----- .../csgo-client/RemoteCode/RemoteMapper.hpp | 14 +- .../csgo-client/RemoteCode/RemoteProcess.hpp | 4 +- csgo-loader/csgo-module/Module.cpp | 7 +- csgo-loader/csgo-server/Login/RemoteLogin.cpp | 7 +- csgo-loader/csgo-server/Server.cpp | 4 +- 7 files changed, 157 insertions(+), 67 deletions(-) diff --git a/csgo-loader/csgo-client/Client.cpp b/csgo-loader/csgo-client/Client.cpp index d7b266f..5d80e97 100644 --- a/csgo-loader/csgo-client/Client.cpp +++ b/csgo-loader/csgo-client/Client.cpp @@ -25,10 +25,7 @@ people dump skeet regardless of kernel address mapping meme so what does it matter */ - -#pragma optimize("", off) - -int __stdcall WinMain(HINSTANCE inst, HINSTANCE prev, char* str, int cmdshow) +int __stdcall WinMain(HINSTANCE, HINSTANCE, char *, int) { WRAP_IF_DEBUG( Utils::OpenConsole(); @@ -41,7 +38,7 @@ int __stdcall WinMain(HINSTANCE inst, HINSTANCE prev, char* str, int cmdshow) { // Create a window, initialise DirectX context. if(!UserInterface->Start()) - ERROR_ASSERT(STR("[000F:00001C00] Failed to initialize. Please contact an administrator.")); + ERROR_ASSERT(STR("[000F:00001A00] Failed to initialize. Please contact an administrator.")); UserInterface->RunUiFrame(); }); WindowThread.detach(); @@ -56,7 +53,7 @@ int __stdcall WinMain(HINSTANCE inst, HINSTANCE prev, char* str, int cmdshow) // Initialize the runtime protection system. if(!Protection->Start()) - ERROR_ASSERT(STR("[000F:00001A00] Failed to initialize. Please contact an administrator.")); + ERROR_ASSERT(STR("[000F:00001C00] Failed to initialize. Please contact an administrator.")); // Wait for connection. UserInterface->m_Data.m_ExecutionState = UserExperience::EXECUTION_WAITING; @@ -93,7 +90,7 @@ int __stdcall WinMain(HINSTANCE inst, HINSTANCE prev, char* str, int cmdshow) ByteArray LoginResponse = Client->ReceiveBytes(); if(!LoginTransaction.TranslateResponse(LoginResponse)) - ExitProcess(0); + return 1; // Echo back to server. Client->SendBytes(LoginResponse); @@ -107,17 +104,19 @@ int __stdcall WinMain(HINSTANCE inst, HINSTANCE prev, char* str, int cmdshow) RemoteCode::RemoteProcess Process; if(!Process.Start(STR("explorer.exe"))) - ExitProcess(0); + return 1; RemoteCode::RemoteMapper Mapper; - if(!Mapper.Start(Process)) - ExitProcess(0); + if(!Mapper.Start(Process, LdrModule)) + return 1; - if(!Mapper.WriteCodeToMap(LdrModule)) - ExitProcess(0); + if(!Mapper.WriteCodeToMap()) + return 1; Mapper.ExecuteCodeFromMap(); -} -#pragma optimize("", on) \ No newline at end of file + system("pause"); + + return 0; +} \ No newline at end of file diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteMapper.cpp b/csgo-loader/csgo-client/RemoteCode/RemoteMapper.cpp index 7b72550..f724f60 100644 --- a/csgo-loader/csgo-client/RemoteCode/RemoteMapper.cpp +++ b/csgo-loader/csgo-client/RemoteCode/RemoteMapper.cpp @@ -2,16 +2,12 @@ namespace RemoteCode { - bool RemoteMapper::Start(RemoteProcess Process) + bool RemoteMapper::Start(RemoteProcess &Process, ByteArray &Code) { - m_Process = Process; - return true; - } + m_Code = Code; - bool RemoteMapper::WriteCodeToMap(ByteArray Code) - { // Check if the PE file is valid. - /*uint8_t *Buffer = Code.data(); + uint8_t *Buffer = m_Code.data(); IMAGE_DOS_HEADER *DosHeader = (IMAGE_DOS_HEADER *)Buffer; if(!DosHeader || DosHeader->e_magic != IMAGE_DOS_SIGNATURE) @@ -25,21 +21,31 @@ namespace RemoteCode WRAP_IF_DEBUG( printf("[DEBUG] PE file validated!\n"); ); - - IMAGE_SECTION_HEADER *Sections = (IMAGE_SECTION_HEADER *)((uintptr_t)&NtHeaders->OptionalHeader + NtHeaders->FileHeader.SizeOfOptionalHeader); - if(!Sections) - return false; + uint32_t SizeOfImage = NtHeaders->OptionalHeader.SizeOfImage; + + m_Process = Process; // Allocate map in process. - m_Map = m_Process.Allocate(Code.size()); + m_Mapped.reserve(SizeOfImage); + m_Map = m_Process.Allocate(SizeOfImage); if(!m_Map) return false; - // Ghetto workaround so heap doesn't get corrupted (i'm lazy) - size_t SizeOfCode = Code.size(); - m_Mapped = new uint8_t[SizeOfCode]; + return true; + } + + bool RemoteMapper::WriteCodeToMap() + { + uint8_t *Buffer = m_Code.data(); + IMAGE_DOS_HEADER *DosHeader = (IMAGE_DOS_HEADER *)Buffer; + IMAGE_NT_HEADERS *NtHeaders = (IMAGE_NT_HEADERS *)(Buffer + DosHeader->e_lfanew); + + IMAGE_SECTION_HEADER *Sections = (IMAGE_SECTION_HEADER *)((uintptr_t)&NtHeaders->OptionalHeader + NtHeaders->FileHeader.SizeOfOptionalHeader); + + if(!Sections) + return false; uint16_t SectionCount = NtHeaders->FileHeader.NumberOfSections; @@ -58,10 +64,8 @@ namespace RemoteCode ); // Write the data to map. - uint8_t *Data = (uint8_t *)((uintptr_t)Buffer + PointerToData); - void *ImageRva = (void *)((uintptr_t)&m_Mapped[0] + VirtualAddress); - - std::memcpy(ImageRva, Data, SizeOfData); + uint8_t *Data = (uint8_t *)((uintptr_t)Buffer + PointerToData); + std::memcpy(&m_Mapped[VirtualAddress], Data, SizeOfData); } // Copy over the PE header (temporarily). @@ -75,26 +79,26 @@ namespace RemoteCode // Relocate the image. IMAGE_BASE_RELOCATION *Reloc = (IMAGE_BASE_RELOCATION *)(&m_Mapped[0] + NtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress); - + uintptr_t ImageDelta = (uintptr_t)m_Map - NtHeaders->OptionalHeader.ImageBase; - + while(Reloc->SizeOfBlock > 0) { - // address in binary where we need to relocate an address used by code - uintptr_t RelocationAddress = (uintptr_t)&m_Mapped[Reloc->VirtualAddress]; - uintptr_t RelocationDataAddress = (uintptr_t)Reloc + sizeof IMAGE_BASE_RELOCATION; + // Address in binary where we need to relocate an address used by code. + uintptr_t RelocationAddress = (uintptr_t)(&m_Mapped[Reloc->VirtualAddress]); + uintptr_t RelocationDataAddress = (uintptr_t)((uintptr_t)Reloc + sizeof IMAGE_BASE_RELOCATION); size_t RelocationCount = (Reloc->SizeOfBlock - sizeof IMAGE_BASE_RELOCATION) / sizeof uint16_t; - + for(size_t i = 0; i < RelocationCount; i++) { uint16_t RelocationData = *(uint16_t *)(RelocationDataAddress + sizeof uint16_t * i); uint16_t RelocationType = RelocationData >> 12; uint16_t RelocationOffset = RelocationData & 0x0FFF; - + WRAP_IF_DEBUG( printf("[DEBUG] Processing relocation at %llx!\n", RelocationAddress + RelocationOffset); ); - + switch(RelocationType) { case IMAGE_REL_BASED_MIPS_JMPADDR: @@ -102,38 +106,123 @@ namespace RemoteCode case IMAGE_REL_BASED_LOW: case IMAGE_REL_BASED_HIGHLOW: { - *(uint32_t*)(RelocationAddress + RelocationOffset) += ImageDelta; + *(uint32_t*)((uintptr_t)RelocationAddress + RelocationOffset) += ImageDelta; break; } - + case IMAGE_REL_BASED_ABSOLUTE: default: break; }; } - + Reloc = (IMAGE_BASE_RELOCATION*)((uintptr_t)Reloc + Reloc->SizeOfBlock); } // Cripple the entire PE header. - std::memset(&m_Mapped[0], 0, SizeOfHeaders); - - WRAP_IF_DEBUG( - printf("[DEBUG] Successfully crippled PE header!\n"); - ); + //std::memset(&m_Mapped[0], 0, SizeOfHeaders); + // + //WRAP_IF_DEBUG( + // printf("[DEBUG] Successfully crippled PE header!\n"); + //); // Write the mapped image to the process. - m_Process.Write(m_Map, &m_Mapped[0], Code.size());*/ + m_Process.Write(m_Map, &m_Mapped[0], m_Code.size()); return true; } + // This contains any parameters that will be passed to the shellcode function once invoked. + struct ShellcodeParameters + { + // Base of image allocation + uintptr_t m_ImageBase; + + // Used for fixing imports + uintptr_t m_GetModuleHandle; + uintptr_t m_LoadLibrary; + uintptr_t m_GetProcAddress; + + // Headers + IMAGE_NT_HEADERS *m_NtHeaders; + IMAGE_IMPORT_DESCRIPTOR *m_ImportDir; + }; + + // Lazy. + uint8_t Shellcode[256] = { + 0x48, 0x89, 0x5C, 0x24, 0x08, 0x48, 0x89, 0x6C, 0x24, 0x10, 0x48, 0x89, + 0x74, 0x24, 0x18, 0x57, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41, 0x57, + 0x48, 0x83, 0xEC, 0x20, 0x48, 0x8B, 0x51, 0x28, 0x4C, 0x8B, 0xF1, 0x4C, + 0x8B, 0x69, 0x08, 0x4C, 0x8B, 0x61, 0x10, 0x48, 0x8B, 0x69, 0x18, 0x8B, + 0x0A, 0x85, 0xC9, 0x0F, 0x84, 0x84, 0x00, 0x00, 0x00, 0x0F, 0x1F, 0x80, + 0x00, 0x00, 0x00, 0x00, 0x49, 0x8B, 0x06, 0x44, 0x8B, 0x7A, 0x0C, 0x8B, + 0x5A, 0x10, 0x4C, 0x03, 0xF8, 0x8B, 0xF9, 0x48, 0x03, 0xD8, 0x49, 0x8B, + 0xCF, 0x48, 0x03, 0xF8, 0x41, 0xFF, 0xD5, 0x48, 0x8B, 0xF0, 0x48, 0x85, + 0xC0, 0x75, 0x0E, 0x49, 0x8B, 0xCF, 0x41, 0xFF, 0xD4, 0x48, 0x8B, 0xF0, + 0x48, 0x85, 0xC0, 0x74, 0x70, 0x48, 0x8B, 0x0F, 0x48, 0x85, 0xC9, 0x74, + 0x32, 0x48, 0x2B, 0xFB, 0x48, 0x85, 0xC9, 0x79, 0x05, 0x0F, 0xB7, 0xD1, + 0xEB, 0x0A, 0x49, 0x8B, 0x16, 0x48, 0x83, 0xC2, 0x02, 0x48, 0x03, 0xD1, + 0x48, 0x8B, 0xCE, 0xFF, 0xD5, 0x48, 0x85, 0xC0, 0x74, 0x03, 0x48, 0x89, + 0x03, 0x48, 0x8B, 0x4C, 0x1F, 0x08, 0x48, 0x83, 0xC3, 0x08, 0x48, 0x85, + 0xC9, 0x75, 0xD4, 0x49, 0x8B, 0x56, 0x28, 0x48, 0x83, 0xC2, 0x14, 0x49, + 0x89, 0x56, 0x28, 0x8B, 0x0A, 0x85, 0xC9, 0x75, 0x83, 0x49, 0x8B, 0x46, + 0x20, 0x8B, 0x48, 0x28, 0x48, 0x85, 0xC9, 0x74, 0x18, 0x49, 0x8B, 0x06, + 0x45, 0x33, 0xC0, 0x4C, 0x8D, 0x0C, 0x08, 0x8B, 0xC8, 0x41, 0x8D, 0x50, + 0x01, 0x41, 0xFF, 0xD1, 0x0F, 0xB6, 0xC0, 0xEB, 0x02, 0x33, 0xC0, 0x48, + 0x8B, 0x5C, 0x24, 0x50, 0x48, 0x8B, 0x6C, 0x24, 0x58, 0x48, 0x8B, 0x74, + 0x24, 0x60, 0x48, 0x83, 0xC4, 0x20, 0x41, 0x5F, 0x41, 0x5E, 0x41, 0x5D, + 0x41, 0x5C, 0x5F, 0xC3 + }; + bool RemoteMapper::ExecuteCodeFromMap() { + uint8_t *Buffer = m_Code.data(); + IMAGE_DOS_HEADER *DosHeader = (IMAGE_DOS_HEADER *)Buffer; + IMAGE_NT_HEADERS *NtHeaders = (IMAGE_NT_HEADERS *)(Buffer + DosHeader->e_lfanew); + WRAP_IF_DEBUG( printf("[DEBUG] Executing payload!\n"); + ); + + ShellcodeParameters ParameterPack = { + (uintptr_t)m_Map, + + (uintptr_t)GetModuleHandleA, + (uintptr_t)LoadLibraryA, + (uintptr_t)GetProcAddress, + + (IMAGE_NT_HEADERS *)((uintptr_t)m_Map + DosHeader->e_lfanew), + (IMAGE_IMPORT_DESCRIPTOR *)((uintptr_t)m_Map + NtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress) + }; + + // Write shellcode & parameter pack. + void *ShellcodeParams = m_Process.Allocate(sizeof ShellcodeParameters); + + if(ShellcodeParams) + m_Process.Write< ShellcodeParameters >(ShellcodeParams, ParameterPack); + + void *ShellcodeAlloc = m_Process.Allocate(256); + + if(ShellcodeAlloc) + m_Process.Write(ShellcodeAlloc, &Shellcode[0], sizeof Shellcode); + + system("pause"); + + // Create thread. + HANDLE Thread = CreateRemoteThread(m_Process, nullptr, 0, (LPTHREAD_START_ROUTINE)ShellcodeAlloc, ShellcodeParams, 0, nullptr); + + if(Thread) + WaitForSingleObject(Thread, INFINITE); + + WRAP_IF_DEBUG( + DWORD Code; + GetExitCodeThread(Thread, &Code); + + printf("[DEBUG] Thread execution finished with code %08x!\n", Code); ) + system("pause"); + return true; } } \ No newline at end of file diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteMapper.hpp b/csgo-loader/csgo-client/RemoteCode/RemoteMapper.hpp index 21eb569..53bc049 100644 --- a/csgo-loader/csgo-client/RemoteCode/RemoteMapper.hpp +++ b/csgo-loader/csgo-client/RemoteCode/RemoteMapper.hpp @@ -4,10 +4,18 @@ namespace RemoteCode { + struct RemoteImport + { + char m_Module[128]; + char m_Import[128]; + }; + class RemoteMapper { RemoteProcess m_Process; - uint8_t *m_Mapped; + + ByteArray m_Code; + ByteArray m_Mapped; void *m_Map; @@ -15,10 +23,10 @@ namespace RemoteCode RemoteMapper() = default; // Copy process & shellcode to class. - bool Start(RemoteProcess Process); + bool Start(RemoteProcess &Process, ByteArray &Code); // Writes code to process in allocated page. - bool WriteCodeToMap(ByteArray Code); + bool WriteCodeToMap(); // Calls shellcode to call the library ;D bool ExecuteCodeFromMap(); diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteProcess.hpp b/csgo-loader/csgo-client/RemoteCode/RemoteProcess.hpp index 5fb3c75..887c154 100644 --- a/csgo-loader/csgo-client/RemoteCode/RemoteProcess.hpp +++ b/csgo-loader/csgo-client/RemoteCode/RemoteProcess.hpp @@ -66,7 +66,7 @@ namespace RemoteCode void Write(void *Address, uint8_t *Data, size_t SizeOfData) { - WriteMemoryWrapper_Internal(Address, (void *)&Data, SizeOfData); + WriteMemoryWrapper_Internal(Address, (void *)Data, SizeOfData); } // Reads from the process memory. @@ -81,7 +81,7 @@ namespace RemoteCode void Read(void *Address, uint8_t *Data, size_t SizeOfData) { - ReadMemoryWrapper_Internal(Address, &Data, SizeOfData); + ReadMemoryWrapper_Internal(Address, Data, SizeOfData); } // Allocates a memory region in the process. diff --git a/csgo-loader/csgo-module/Module.cpp b/csgo-loader/csgo-module/Module.cpp index 1fa638c..e8fa4fc 100644 --- a/csgo-loader/csgo-module/Module.cpp +++ b/csgo-loader/csgo-module/Module.cpp @@ -38,18 +38,15 @@ DWORD ModuleThread(void *) // Header for Module. ByteArray Header{ 0x0A, 0x32, 0x42, 0x4D }; - Client->SendRawBytes(Header); + Client->SendRawBytes(Header); ////////////////////////////////////////////////////////////////////////////////////////// return 1; } -int __stdcall DllMain(void *, unsigned Reason, void *) +int __stdcall DllMain(void *, unsigned, void *) { - if(Reason != 1) - return false; - HANDLE Thread = CreateThread(nullptr, 0, ModuleThread, nullptr, 0, nullptr); if(Thread) diff --git a/csgo-loader/csgo-server/Login/RemoteLogin.cpp b/csgo-loader/csgo-server/Login/RemoteLogin.cpp index 0351f27..09472c9 100644 --- a/csgo-loader/csgo-server/Login/RemoteLogin.cpp +++ b/csgo-loader/csgo-server/Login/RemoteLogin.cpp @@ -36,7 +36,8 @@ namespace Login return RemoteLoginResponse::OUTDATED_CLIENT; // TODO: Check if the user is banned. - //return RemoteLoginResponse::USER_BANNED; + if(false) + return RemoteLoginResponse::USER_BANNED; // TODO: Login the user. if(strcmp(m_Header.m_Username, "betauser")) @@ -73,10 +74,6 @@ namespace Login return RemoteLoginResponse::INTEGRITY_FAILURE; } - // TODO: Check if they have beta access. - if(true) - return RemoteLoginResponse::ACCESS_SPECIAL_USER; - return RemoteLoginResponse::ACCESS_AUTHORISED; } diff --git a/csgo-loader/csgo-server/Server.cpp b/csgo-loader/csgo-server/Server.cpp index e0f1455..fdd177c 100644 --- a/csgo-loader/csgo-server/Server.cpp +++ b/csgo-loader/csgo-server/Server.cpp @@ -29,7 +29,7 @@ namespace Handler if(LoginReply.size() != LoginReplyEcho.size()) { - printf("[ !! ] Echo from %s invalid, dropping connection!", Connection.GetIpAddress()); + printf("[ !! ] Echo from %s invalid, dropping connection!\n", Connection.GetIpAddress()); return; } @@ -93,7 +93,7 @@ namespace Handler } } -int __stdcall WinMain(HINSTANCE, HINSTANCE, char*, int) +int __stdcall WinMain(HINSTANCE, HINSTANCE, char *, int) { // Open a debugging console. Utils::OpenConsole(); -- cgit v1.2.3