From e1f048c8f922613aec1f63791c2191e55cbd5132 Mon Sep 17 00:00:00 2001 From: boris Date: Thu, 3 Jan 2019 16:51:40 +1300 Subject: ricardo milos :DDDD::D:D:D: --- csgo-loader/csgo-client/Client.cpp | 14 +-- csgo-loader/csgo-client/Client.hpp | 2 +- csgo-loader/csgo-client/Login/RemoteLogin.cpp | 19 +++- csgo-loader/csgo-client/Networking/TCPClient.cpp | 40 ++++++++ .../csgo-client/RemoteCode/RemoteCodeClient.cpp | 63 ++++++++++++ .../csgo-client/RemoteCode/RemoteCodeClient.hpp | 22 +++++ .../RemoteCode/RemoteInjectionClient.hpp | 57 +++++++++++ .../csgo-client/RemoteCode/RemoteProcess.cpp | 23 ++++- .../csgo-client/Security/RuntimeSecurity.cpp | 106 +++++++++++++++------ .../csgo-client/Security/RuntimeSecurity.hpp | 8 ++ csgo-loader/csgo-client/loader.err | 1 + .../csgo-server/RemoteCode/RemoteCodeServer.cpp | 6 -- .../csgo-server/RemoteCode/RemoteCodeServer.hpp | 15 --- .../RemoteCode/RemoteInjectionServer.hpp | 68 ++++++------- csgo-loader/csgo-server/Server.cpp | 6 +- csgo-loader/csgo-server/Server.hpp | 1 - csgo-loader/csgo-server/csgo-server.vcxproj | 2 - .../csgo-server/csgo-server.vcxproj.filters | 6 -- 18 files changed, 344 insertions(+), 115 deletions(-) create mode 100644 csgo-loader/csgo-client/loader.err delete mode 100644 csgo-loader/csgo-server/RemoteCode/RemoteCodeServer.cpp delete mode 100644 csgo-loader/csgo-server/RemoteCode/RemoteCodeServer.hpp diff --git a/csgo-loader/csgo-client/Client.cpp b/csgo-loader/csgo-client/Client.cpp index 7285b6b..8972410 100644 --- a/csgo-loader/csgo-client/Client.cpp +++ b/csgo-loader/csgo-client/Client.cpp @@ -24,11 +24,13 @@ int __stdcall WinMain(HINSTANCE inst, HINSTANCE prev, char* str, int cmdshow) { - WRAP_IF_DEBUG(Utils::OpenConsole()); + WRAP_IF_DEBUG( + Utils::OpenConsole(); + ); /////////////////////////////////////////////////////////////// - VMProtectBeginMutation("EntryPoint"); + //VMProtectBeginMutation("EntryPoint"); /////////////////////////////////////////////////////////////// @@ -49,10 +51,8 @@ int __stdcall WinMain(HINSTANCE inst, HINSTANCE prev, char* str, int cmdshow) ERROR_ASSERT(STR("[000F:00001B00] Failed to initialize. Please contact an administrator.")); // Initialize the runtime protection system. - WRAP_IF_RELEASE( - if(!Protection->Start()) - ERROR_ASSERT(STR("[000F:00001A00] Failed to initialize. Please contact an administrator.")); - ); + if(!Protection->Start()) + ERROR_ASSERT(STR("[000F:00001A00] Failed to initialize. Please contact an administrator.")); // Wait for connection. UserInterface->m_Data.m_ExecutionState = UserExperience::EXECUTION_WAITING; @@ -90,7 +90,7 @@ int __stdcall WinMain(HINSTANCE inst, HINSTANCE prev, char* str, int cmdshow) /////////////////////////////////////////////////////////////// - VMProtectEnd(); + //VMProtectEnd(); /////////////////////////////////////////////////////////////// } diff --git a/csgo-loader/csgo-client/Client.hpp b/csgo-loader/csgo-client/Client.hpp index 0f89669..0f05a34 100644 --- a/csgo-loader/csgo-client/Client.hpp +++ b/csgo-loader/csgo-client/Client.hpp @@ -38,6 +38,6 @@ namespace Utils // :^) SetConsoleTitleA(STR("moneyclient $")); - printf(STR("[DEBUG] Hello!\n")); + printf(STR("[DEBUG] Ready\n")); } } \ No newline at end of file diff --git a/csgo-loader/csgo-client/Login/RemoteLogin.cpp b/csgo-loader/csgo-client/Login/RemoteLogin.cpp index 7942c3b..4a46da3 100644 --- a/csgo-loader/csgo-client/Login/RemoteLogin.cpp +++ b/csgo-loader/csgo-client/Login/RemoteLogin.cpp @@ -21,10 +21,11 @@ namespace Login Security::HardwareIdentifier HardwareId = Protection->GetHardwareId(); WRAP_IF_DEBUG( - printf("[DEBUG] LoginTransactionStart\n"); + printf("[DEBUG] RemoteLoginTransaction Start\n"); printf("[DEBUG] Processor count: %d\n", HardwareId.m_CpuCount); printf("[DEBUG] Processor architecture: %d\n", HardwareId.m_CpuArchitecture); printf("[DEBUG] Hard-drive Serial: %llx\n", HardwareId.m_HardDiskSerialHash); + printf("[DEBUG] Detail: %s\n", HardwareId.m_CustomDetail); for(int i = 0; i < 4; ++i) printf("[DEBUG] Safety check #%d: %s\n", i, HardwareId.m_SpecialMode[i] ? "TRUE" : "FALSE"); @@ -32,6 +33,10 @@ namespace Login m_Header.m_HardwareId = fnv::hash_runtime_data((void *)(&HardwareId), sizeof Security::HardwareIdentifier); + WRAP_IF_DEBUG( + printf("[DEBUG] Hardware-ID Hash: %llx\n", m_Header.m_HardwareId); + ); + // TODO: Verify integrity of system. // 0 for integrity passed, random bit for failure m_Header.m_IntegrityBit1 = HardwareId.m_SpecialMode[Security::DEBUGGING_MODE]; @@ -52,6 +57,10 @@ namespace Login { RemoteLoginResponse ServerResponse = *(RemoteLoginResponse *)&RawResponse[0]; + WRAP_IF_DEBUG( + printf("[DEBUG] RemoteLoginTransaction Finish: %02x\n", ServerResponse); + ); + switch(ServerResponse) { case RemoteLoginResponse::ACCESS_SPECIAL_USER: @@ -60,16 +69,16 @@ namespace Login case RemoteLoginResponse::ACCESS_AUTHORISED: return true; case RemoteLoginResponse::OUTDATED_CLIENT: - INFO_ASSERT(STR("[000A:%llx] Your client is outdated.\nPlease download the latest client at 'moneybot.cc'."), m_Header.m_HardwareId ^ ServerResponse); + ERROR_ASSERT(STR("[000A:%llx] Your client is outdated.\nPlease download the latest client at 'moneybot.cc'."), m_Header.m_HardwareId ^ ServerResponse); break; case RemoteLoginResponse::USER_BANNED: - INFO_ASSERT(STR("[000D:%llx] Your account is banned.\nPlease contact 'admin@moneybot.cc' for additional information."), m_Header.m_HardwareId ^ ServerResponse); + ERROR_ASSERT(STR("[000D:%llx] Your account is banned.\nPlease contact 'admin@moneybot.cc' for additional information."), m_Header.m_HardwareId ^ ServerResponse); break; case RemoteLoginResponse::INVALID_HARDWARE: - INFO_ASSERT(STR("[000D:%llx] Your Hardware-ID is incorrect!\nPlease contact a staff member."), m_Header.m_HardwareId ^ ServerResponse); + ERROR_ASSERT(STR("[000D:%llx] Your Hardware-ID is incorrect!\nPlease contact a staff member."), m_Header.m_HardwareId ^ ServerResponse); break; case RemoteLoginResponse::INVALID_CREDENTIALS: - INFO_ASSERT(STR("[000C:%llx] Your credentials are invalid. Please check your spelling and try again."), m_Header.m_HardwareId ^ ServerResponse); + ERROR_ASSERT(STR("[000C:%llx] Your credentials are invalid. Please check your spelling and try again."), m_Header.m_HardwareId ^ ServerResponse); break; case RemoteLoginResponse::INTEGRITY_FAILURE: case RemoteLoginResponse::NO_SUBSCRIPTION: diff --git a/csgo-loader/csgo-client/Networking/TCPClient.cpp b/csgo-loader/csgo-client/Networking/TCPClient.cpp index c20c831..c974f88 100644 --- a/csgo-loader/csgo-client/Networking/TCPClient.cpp +++ b/csgo-loader/csgo-client/Networking/TCPClient.cpp @@ -13,6 +13,22 @@ namespace Networking if(Result == -1) INFO_ASSERT(STR("[000F:00002B00] Server closed the connection unexpectedly.")); + + WRAP_IF_DEBUG( + size_t BreakIndex = 0; + + printf("[DEBUG] Sending data (%zd bytes):\n[DEBUG] ", Bytes.size()); + + for(auto &Byte : Bytes) + { + printf("%02x ", Byte); + + if(BreakIndex++ % 8 == 0) + printf("\n[DEBUG] "); + } + + printf("\n"); + ); } ByteArray TCPClient::ReceiveRawBytes() @@ -40,6 +56,22 @@ namespace Networking break; } + WRAP_IF_DEBUG( + size_t BreakIndex = 0; + + printf("[DEBUG] Receiving data (%zd bytes):\n[DEBUG] ", ReceivedBytes.size()); + + for(auto &Byte : ReceivedBytes) + { + printf("%02x ", Byte); + + if(BreakIndex++ % 8 == 0) + printf("\n[DEBUG] "); + } + + printf("\n"); + ); + return ReceivedBytes; } @@ -103,11 +135,19 @@ namespace Networking return false; // Initialise encryption wrapper. + WRAP_IF_DEBUG( + printf("[DEBUG] Attempting to handshake with server...\n"); + ); + ByteArray EncryptionKey = ReceiveRawBytes(); if(EncryptionKey.empty()) return false; + WRAP_IF_DEBUG( + printf("[DEBUG] Server handshake successful!\n"); + ) + std::memcpy(m_EncryptionKey, EncryptionKey.data(), EncryptionKey.size()); return true; diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.cpp b/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.cpp index 5a42b6c..21d7851 100644 --- a/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.cpp +++ b/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.cpp @@ -2,5 +2,68 @@ namespace RemoteCode { + uint8_t ShellcodeStub[] = { + 0x55, + 0x8B, 0xEC, + 0x56, + 0x8B, 0x75, 0x08, + 0x57, + 0x80, 0x3E, 0x00, + 0x74, 0x2F, + 0x8B, 0x7E, 0x14, + 0x8D, 0x45, 0x08, + 0x50, + 0x8B, 0x46, 0x18, + 0x81, 0xC7, 0xA8, 0x00, 0x00, 0x00, + 0x6A, 0x40, + 0x6A, 0x04, + 0x57, + 0xFF, 0xD0, + 0x84, 0xC0, + 0x74, 0x4D, + 0x8B, 0x46, 0x10, + 0x89, 0x07, + 0x8D, 0x45, 0x08, + 0x50, + 0xFF, 0x75, 0x08, + 0x8B, 0x46, 0x18, + 0x6A, 0x04, + 0x57, + 0xFF, 0xD0, + + 0x8B, 0x46, 0x08, + 0x85, 0xC0, + 0x74, 0x09, + 0x6A, 0x00, + 0x6A, 0x01, + 0xFF, 0x76, 0x04, + 0xFF, 0xD0, + 0x53, + 0x8B, 0x5E, 0x0C, + 0x85, 0xDB, + 0x74, 0x20, + 0x8B, 0x5B, 0x0C, + 0x33, 0xFF, + 0x8B, 0x03, + 0x85, 0xC0, + 0x74, 0x15, + 0x90, + + 0x6A, 0x00, + 0x6A, 0x01, + 0xFF, 0x76, 0x04, + 0xFF, 0xD0, + 0x8B, 0x44, 0xBB, 0x04, + 0x8D, 0x7F, 0x01, + 0x85, 0xC0, + 0x75, 0xEC, + + 0x5B, + + 0x5F, + 0x5E, + 0x5D, + 0xC2, 0x04, 0x00 + }; } \ No newline at end of file diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.hpp b/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.hpp index 964d055..84021c6 100644 --- a/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.hpp +++ b/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.hpp @@ -6,6 +6,28 @@ namespace RemoteCode { class RemoteCodeClient { + using MemProtect = bool(__stdcall *)(void *, size_t, uint32_t, uint32_t *); + struct ShellcodeParameters + { + // Specifies whether or not the thread hijacking + // exploit will be used for code execution. + uint8_t m_ThreadExploit; + + // Address of the module allocation base + uintptr_t m_AllocationBase; + + // Specifies the entry-point / optional TLS directory + // to invoke. + uintptr_t m_EntryPoint; + uintptr_t m_TlsDirectory; + + // Thread hijacking (original address & VMT) + uintptr_t m_ThreadOriginal; + uintptr_t m_ThreadVirtual; + + // Function parameters that will be passed + MemProtect m_ProtectMemory; + }; }; } \ No newline at end of file diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.hpp b/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.hpp index 6699a9e..2e5d216 100644 --- a/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.hpp +++ b/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.hpp @@ -5,8 +5,65 @@ namespace RemoteCode { + // Used for TransactionStart + using ImportedModule = char[64]; + using ImportList = std::vector; + + // Used for TransactionContinue + struct ExportedFunction + { + // I've never seen modules / functions with names + // that were larger than 64 characters. + char m_Module[64]; + char m_Function[64]; + + // Address of exported module / function + uintptr_t m_ModuleAddress; + uintptr_t m_FunctionAddress; + }; + + using ExportList = std::vector; + + // Used for TransactionCommit + struct RemoteInjectionHeader + { + // Used to decrypt the cheat header (first 1000 bytes of image sent back). + uint8_t m_HeaderKey; + + // Used to call entrypoint/TLS callbacks. + uintptr_t m_EntryPoint; + uintptr_t m_TlsDirectory; + }; + + struct RemoteInjectionCode + { + RemoteInjectionHeader m_Header; + + // Actual injection code. + ByteArray m_Code; + }; + + // Implementation of client mapping code class RemoteInjectionClient { + RemoteInjectionHeader m_Header; + RemoteProcess m_Process; + + public: + // Receive hash of selected cheat. + // Reply with size of image to allocate. + ByteArray Start(ByteArray &Response); + + // Receive client header, send over list of imported functions + ByteArray TransactionStart(ByteArray &Response); + + // Receive list of modules & export addresses + ByteArray TransactionContinue(ByteArray &Response); + + // Write the file to the + void TransactionCommit(ByteArray &Response); + RemoteProcess GetProcess() { return m_Process; } + RemoteInjectionHeader GetHeader() { return m_Header; } }; } \ No newline at end of file diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteProcess.cpp b/csgo-loader/csgo-client/RemoteCode/RemoteProcess.cpp index abed829..1bbfed0 100644 --- a/csgo-loader/csgo-client/RemoteCode/RemoteProcess.cpp +++ b/csgo-loader/csgo-client/RemoteCode/RemoteProcess.cpp @@ -29,6 +29,10 @@ namespace RemoteCode m_ProcessId = ProcessEntry.th32ProcessID; m_Process = OpenProcess(PROCESS_ALL_ACCESS, false, ProcessEntry.th32ProcessID); + WRAP_IF_DEBUG( + printf("[DEBUG] Found process \"%s\" -> %p", ProcessEntry.szExeFile, m_Process); + ); + if(!m_Process) ERROR_ASSERT(STR("[000G:%08x] There was an error with accessing a process."), GetLastError()); @@ -45,9 +49,13 @@ namespace RemoteCode static auto ZwReadVirtualMemory = Syscalls->Find(FNV("ZwReadVirtualMemory")); NTSTATUS Status = ZwReadVirtualMemory(m_Process, Address, Data, SizeOfData, nullptr); - + if(NT_ERROR(Status)) ERROR_ASSERT(STR("[00DF:%08x] There was an error with accessing a process."), Status); + + WRAP_IF_DEBUG( + printf("[DEBUG] Read %zd bytes from process\n", SizeOfData); + ); } void RemoteProcess::WriteMemoryWrapper_Internal(void *Address, void *Data, size_t SizeOfData) @@ -58,6 +66,10 @@ namespace RemoteCode if(NT_ERROR(Status)) ERROR_ASSERT(STR("[00DF:%08x] There was an error with accessing a process."), Status); + + WRAP_IF_DEBUG( + printf("[DEBUG] Wrote %zd bytes to process\n", SizeOfData); + ); } void *RemoteProcess::Allocate(size_t AllocationSize) @@ -78,6 +90,10 @@ namespace RemoteCode if(NT_ERROR(Status)) ERROR_ASSERT(STR("[00DF:%08x] There was an error with accessing a process."), Status); + WRAP_IF_DEBUG( + printf("[DEBUG] Allocated page at %p (%zd bytes)\n", AllocationAddress, AllocationSize); + ); + return AllocationAddress; } @@ -101,6 +117,11 @@ namespace RemoteCode ERROR_ASSERT(STR("[00DF:00001C00] An integrity check failed.")); CloseHandle(Toolhelp); + + WRAP_IF_DEBUG( + printf("[DEBUG] Found module \"%s\" at %p\n", ModuleEntry.szModule, ModuleEntry.hModule); + ); + return RemoteModule(ModuleEntry.hModule); } } diff --git a/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp b/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp index 7f528e3..6054790 100644 --- a/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp +++ b/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp @@ -44,6 +44,25 @@ namespace Security return oOpenProcess(AccessLevel, Inherit, ProcessId); } + + decltype(&FindWindowA) oFindWindow; + HWND __stdcall Hooked_FindWindow(const char *Class, const char *Text) + { + // Determine where the return address of the function actually points. + void *Address = _ReturnAddress(); + MEMORY_BASIC_INFORMATION Query = Protection->QueryMemory(Address); + + // If the return address points outside of the loader module, + // fail the function. + HMODULE ReturnModule = (HMODULE)Query.AllocationBase; + HMODULE LoaderModule = GetModuleHandleA(NULL); + + if(ReturnModule != LoaderModule) + return []() { Protection->SecurityCallback(STR("Malicious activity [Tampering].")); return HWND{}; }(); + + return oFindWindow(Class, Text); + } + decltype(&ExitProcess) oExitProcess; void __stdcall Hooked_ExitProcess(DWORD ExitCode) { @@ -62,7 +81,6 @@ namespace Security decltype(&recv) oWSARecv; int __stdcall Hooked_WSARecv(SOCKET Socket, char *Buffer, int Length, int Flags) { - // Determine where the return address of the function actually points. void *Address = _ReturnAddress(); MEMORY_BASIC_INFORMATION Query = Protection->QueryMemory(Address); @@ -86,7 +104,6 @@ namespace Security decltype(&send) oWSASend; int __stdcall Hooked_WSASend(SOCKET Socket, char *Buffer, int Length, int Flags) { - // Determine where the return address of the function actually points. void *Address = _ReturnAddress(); MEMORY_BASIC_INFORMATION Query = Protection->QueryMemory(Address); @@ -129,6 +146,9 @@ namespace Security // Apply any hooks. SafeCallTo(MH_CreateHook(&OpenProcess, Hooked_OpenProcess, (void **)&oOpenProcess)); SafeCallTo(MH_EnableHook(&OpenProcess)); + + SafeCallTo(MH_CreateHook(&FindWindowA, Hooked_FindWindow, (void **)&oFindWindow)); + SafeCallTo(MH_EnableHook(&FindWindowA)); SafeCallTo(MH_CreateHook(&ExitProcess, Hooked_ExitProcess, (void **)&oExitProcess)); SafeCallTo(MH_EnableHook(&ExitProcess)); @@ -148,7 +168,7 @@ namespace Security void RuntimeSecurity::PatchDebugFunctions() { - HMODULE Module = GetModuleHandleA("ntdll.dll"); + HMODULE Module = GetModuleHandleA(STR("ntdll.dll")); if(!Module) ERROR_ASSERT(STR("[000F:00001A00] Failed to initialize. Please contact an administrator.")); @@ -261,6 +281,8 @@ namespace Security void RuntimeSecurity::CheckForDrivers() { + VMProtectBeginMutation("DriverThread"); + // TODO: Check for disallowed drivers for(;;) { @@ -313,21 +335,41 @@ namespace Security // Don't put too much stress on the CPU. Sleep(1); } + + VMProtectEnd(); } void RuntimeSecurity::CheckForTampering() { + VMProtectBeginMutation("TamperThread"); + for(;;) { - if(!VMProtectIsProtected()) - SecurityCallback(STR("Malicious activity [Tampering].")); + if(m_Identifier.m_SpecialMode[SAFE_MODE]) + ERROR_ASSERT(STR("[000F:00003D00] This program cannot run under Safe Mode.\nPlease reboot your system and select 'Normal Mode'.")); + + if(m_Identifier.m_SpecialMode[TEST_SIGN_MODE]) + ERROR_ASSERT(STR("[000F:00003D00] This program cannot run under Test Signing Mode.\nPlease reboot your system and select 'Normal Mode'.")); + + if(m_Identifier.m_SpecialMode[DEBUGGING_MODE]) + SecurityCallback(STR("Malicious activity [Plausible].")); + + if(m_Identifier.m_SpecialMode[TEST_BUILD_MODE]) + SecurityCallback(STR("Malicious activity [Plausible].")); - if(!VMProtectIsValidImageCRC()) - SecurityCallback(STR("Malicious activity [Tampering].")); + // Check if the file was unpacked. + //if(!VMProtectIsProtected()) + // SecurityCallback(STR("Malicious activity [Tampering].")); + + // Check if the image in memory was partially unpacked or patched. + //if(!VMProtectIsValidImageCRC()) + // SecurityCallback(STR("Malicious activity [Tampering].")); // Don't put too much stress on the CPU. Sleep(1); } + + VMProtectEnd(); } #pragma optimize("", on) @@ -335,21 +377,6 @@ namespace Security // The following functions are exposed publicly. /////////////////////////////////////////////////////////// - bool RuntimeSecurity::Start() - { - // If hooking API functions fails, exit the program. - if(!ApplyApiHooks()) - return false; - - // Dispatch threads before patching NtContinue & co. - DispatchSecurityThreads(); - - // Patch DbgUiRemoteBreakin, DbgBreakPoint, NtContinue - // This also fucks up detours for some reason... only extra protection :-) - PatchDebugFunctions(); - - return true; - } constexpr uintptr_t KUSER_SHARED_DATA = 0x7FFE0000; @@ -399,14 +426,14 @@ namespace Security return 0; } - HardwareIdentifier RuntimeSecurity::GetHardwareId() + void RuntimeSecurity::SetupSystemIdentifier() { - VMProtectBeginMutation("HardwareIdentifier"); + VMProtectBeginUltra("SetupHWID"); HardwareIdentifier Identifier{}; // CPU information - Identifier.m_CpuCount = *(uint32_t *)(KUSER_SHARED_DATA + 0x3C0); + Identifier.m_CpuCount = *(uint32_t *)(KUSER_SHARED_DATA + 0x3C0); Identifier.m_CpuArchitecture = *(uint16_t *)(KUSER_SHARED_DATA + 0x26A); // HDD serial number @@ -425,8 +452,11 @@ namespace Security CodeIntegrityInformation Info{ sizeof CodeIntegrityInformation }; NTSTATUS Status = ZwQuerySystemInformation(0x67, &Info, sizeof Info, nullptr); + if(!VMProtectGetCurrentHWID(Identifier.m_CustomDetail, 256)) + ERROR_ASSERT(STR("[000F:00001A00] Failed to initialize. Please contact an administrator.")); + if(NT_ERROR(Status)) - ERROR_ASSERT(STR("[00CF:%08x] Critical execution error."), Status); + ERROR_ASSERT(STR("[000F:00001A00] Failed to initialize. Please contact an administrator.")); if(Info.m_Options & 0x02) Identifier.m_SpecialMode[1] = true; @@ -437,11 +467,33 @@ namespace Security if(Info.m_Options & 0x40) Identifier.m_SpecialMode[3] = true; + m_Identifier = Identifier; + VMProtectEnd(); + } + + bool RuntimeSecurity::Start() + { + WRAP_IF_RELEASE( + // If hooking API functions fails, exit the program. + if(!ApplyApiHooks()) + return false; - return Identifier; + // Dispatch threads before patching NtContinue & co. + DispatchSecurityThreads(); + + // Patch DbgUiRemoteBreakin, DbgBreakPoint, NtContinue + // This also fucks up detours for some reason... only extra protection :-) + PatchDebugFunctions(); + ); + + SetupSystemIdentifier(); + + return true; } + HardwareIdentifier RuntimeSecurity::GetHardwareId() { return m_Identifier; } + #pragma optimize("", off) __declspec(noinline) MEMORY_BASIC_INFORMATION RuntimeSecurity::QueryMemory(void *Address) diff --git a/csgo-loader/csgo-client/Security/RuntimeSecurity.hpp b/csgo-loader/csgo-client/Security/RuntimeSecurity.hpp index 06df3bf..6446a08 100644 --- a/csgo-loader/csgo-client/Security/RuntimeSecurity.hpp +++ b/csgo-loader/csgo-client/Security/RuntimeSecurity.hpp @@ -74,6 +74,9 @@ namespace Security // Hash of the hard disk serial identifier. uint64_t m_HardDiskSerialHash; + // VMP HWID + char m_CustomDetail[256]; + // Safe-mode/Test-signing mode status uint8_t m_SpecialMode[4]; }; @@ -87,6 +90,8 @@ namespace Security // any potentially malicious actions from users. class RuntimeSecurity { + HardwareIdentifier m_Identifier; + protected: // Applies necessary API hooks. bool ApplyApiHooks(); @@ -97,6 +102,9 @@ namespace Security // Dispatches security threads. void DispatchSecurityThreads(); + // Grabs all hardware data. + void SetupSystemIdentifier(); + // The following functions are used in security threads to run checks. void CheckForVirtualMachine(); diff --git a/csgo-loader/csgo-client/loader.err b/csgo-loader/csgo-client/loader.err new file mode 100644 index 0000000..c3b6aec --- /dev/null +++ b/csgo-loader/csgo-client/loader.err @@ -0,0 +1 @@ +Malicious activity [Debugging attempt]. \ No newline at end of file diff --git a/csgo-loader/csgo-server/RemoteCode/RemoteCodeServer.cpp b/csgo-loader/csgo-server/RemoteCode/RemoteCodeServer.cpp deleted file mode 100644 index 65a4306..0000000 --- a/csgo-loader/csgo-server/RemoteCode/RemoteCodeServer.cpp +++ /dev/null @@ -1,6 +0,0 @@ -#include - -namespace RemoteCode -{ - -} \ No newline at end of file diff --git a/csgo-loader/csgo-server/RemoteCode/RemoteCodeServer.hpp b/csgo-loader/csgo-server/RemoteCode/RemoteCodeServer.hpp deleted file mode 100644 index 3a31cb4..0000000 --- a/csgo-loader/csgo-server/RemoteCode/RemoteCodeServer.hpp +++ /dev/null @@ -1,15 +0,0 @@ -#pragma once - -#include -#include -#include - -using ByteArray = std::vector; - -namespace RemoteCode -{ - class RemoteCodeServer - { - - }; -} \ No newline at end of file diff --git a/csgo-loader/csgo-server/RemoteCode/RemoteInjectionServer.hpp b/csgo-loader/csgo-server/RemoteCode/RemoteInjectionServer.hpp index fe6da09..b8659ff 100644 --- a/csgo-loader/csgo-server/RemoteCode/RemoteInjectionServer.hpp +++ b/csgo-loader/csgo-server/RemoteCode/RemoteInjectionServer.hpp @@ -8,56 +8,42 @@ using ByteArray = std::vector; namespace RemoteCode { - // What the server sends to the client upon transaction start. - struct RemoteServerHeader - { - // Does the cheat support the DirectX thread execution exploit? - bool m_ThreadExploitSupported; - - // This will be used for allocating the remote memory. - uintptr_t m_SizeOfImage; - - // OPTIONAL: The cheat might be using the DllMain function - // to do injection. Make sure to call that. - uintptr_t m_EntryPoint; - - // OPTIONAL: The cheat might be using TLS callbacks to - // do injection. Make sure to call that. - uintptr_t m_TlsCallbackDirectory; - }; + // Used for TransactionStart + using ImportedModule = char[64]; + using ImportList = std::vector; - // Requests supported by the server. - // These are stored in a vector and later looked up. - struct RemoteServerRequest + // Used for TransactionContinue + struct ExportedFunction { - // Hash to look up requests by. - uint64_t m_LookupHash; - - // Name printed on the console when a user injects. - char m_DebugName[128]; - - // File name that's used to load the DLL server-side. - char m_FileName[260]; - - // Does the cheat support the DirectX exploit for creating threads? - bool m_ThreadExploitSupported; + // I've never seen modules / functions with names + // that were larger than 64 characters. + char m_Module[64]; + char m_Function[64]; + + // Address of exported module / function + uintptr_t m_ModuleAddress; + uintptr_t m_FunctionAddress; }; - // The initial header we receive from the client. - struct RemoteClientRequest + using ExportList = std::vector; + + // Used for TransactionCommit + struct RemoteInjectionHeader { - uint64_t m_LookupHash; + // Used to decrypt the cheat header (first 1000 bytes of image sent back). + uint8_t m_HeaderKey; + + // Used to call entrypoint/TLS callbacks. + uintptr_t m_EntryPoint; + uintptr_t m_TlsDirectory; }; - // The response we receive from the client upon transaction start. - struct RemoteClientHeader + struct RemoteInjectionCode { - // Address of remote allocation. - uintptr_t m_RemoteAddress; + RemoteInjectionHeader m_Header; - // Up to six remote modules. - // NOTE: Stop iterating once a module is NULL. - uintptr_t m_RemoteModules[6]; + // Actual injection code. + ByteArray m_Code; }; class RemoteInjectionServer diff --git a/csgo-loader/csgo-server/Server.cpp b/csgo-loader/csgo-server/Server.cpp index a78bb9a..f822753 100644 --- a/csgo-loader/csgo-server/Server.cpp +++ b/csgo-loader/csgo-server/Server.cpp @@ -20,13 +20,13 @@ int __stdcall WinMain(HINSTANCE, HINSTANCE, char*, int) // Create an instance of the TCP server. Networking::TCPServer Server; - // Attach our connection handler. - Server += ConnectionHandler; - bool Result = Server.Start(SERVER_PORT); if(Result) { + // Attach our connection handler. + Server += ConnectionHandler; + // Accept any incoming connections. for(;;) Server.AcceptConnection(); diff --git a/csgo-loader/csgo-server/Server.hpp b/csgo-loader/csgo-server/Server.hpp index 5a5b3f6..af07bb0 100644 --- a/csgo-loader/csgo-server/Server.hpp +++ b/csgo-loader/csgo-server/Server.hpp @@ -14,7 +14,6 @@ #include #include -#include // It looked nasty in Server.cpp, so I'm putting it here. namespace Utils diff --git a/csgo-loader/csgo-server/csgo-server.vcxproj b/csgo-loader/csgo-server/csgo-server.vcxproj index 3bd07ca..ad924f6 100644 --- a/csgo-loader/csgo-server/csgo-server.vcxproj +++ b/csgo-loader/csgo-server/csgo-server.vcxproj @@ -31,7 +31,6 @@ - @@ -41,7 +40,6 @@ - diff --git a/csgo-loader/csgo-server/csgo-server.vcxproj.filters b/csgo-loader/csgo-server/csgo-server.vcxproj.filters index 0adf29a..0480d6d 100644 --- a/csgo-loader/csgo-server/csgo-server.vcxproj.filters +++ b/csgo-loader/csgo-server/csgo-server.vcxproj.filters @@ -31,9 +31,6 @@ RemoteCode - - RemoteCode - RemoteCode @@ -54,9 +51,6 @@ RemoteCode - - RemoteCode - RemoteCode -- cgit v1.2.3