From 4db29589a61f2e7cb663c5734f911c02206c7997 Mon Sep 17 00:00:00 2001 From: boris Date: Wed, 9 Jan 2019 20:51:16 +1300 Subject: whole buncha shit FIXME: loader currently corrupts heap on injection because i am retarded --- .../csgo-client/RemoteCode/RemoteCodeClient.cpp | 69 ---------- .../csgo-client/RemoteCode/RemoteCodeClient.hpp | 33 ----- .../RemoteCode/RemoteInjectionClient.cpp | 6 - .../RemoteCode/RemoteInjectionClient.hpp | 69 ---------- .../csgo-client/RemoteCode/RemoteMapper.cpp | 139 +++++++++++++++++++++ .../csgo-client/RemoteCode/RemoteMapper.hpp | 26 ++++ .../csgo-client/RemoteCode/RemoteProcess.cpp | 2 +- .../csgo-client/RemoteCode/RemoteProcess.hpp | 10 +- 8 files changed, 171 insertions(+), 183 deletions(-) delete mode 100644 csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.cpp delete mode 100644 csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.hpp delete mode 100644 csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.cpp delete mode 100644 csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.hpp create mode 100644 csgo-loader/csgo-client/RemoteCode/RemoteMapper.cpp create mode 100644 csgo-loader/csgo-client/RemoteCode/RemoteMapper.hpp (limited to 'csgo-loader/csgo-client/RemoteCode') diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.cpp b/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.cpp deleted file mode 100644 index 21d7851..0000000 --- a/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.cpp +++ /dev/null @@ -1,69 +0,0 @@ -#include - -namespace RemoteCode -{ - uint8_t ShellcodeStub[] = { - 0x55, - 0x8B, 0xEC, - 0x56, - 0x8B, 0x75, 0x08, - 0x57, - 0x80, 0x3E, 0x00, - 0x74, 0x2F, - 0x8B, 0x7E, 0x14, - 0x8D, 0x45, 0x08, - 0x50, - 0x8B, 0x46, 0x18, - 0x81, 0xC7, 0xA8, 0x00, 0x00, 0x00, - 0x6A, 0x40, - 0x6A, 0x04, - 0x57, - 0xFF, 0xD0, - 0x84, 0xC0, - 0x74, 0x4D, - 0x8B, 0x46, 0x10, - 0x89, 0x07, - 0x8D, 0x45, 0x08, - 0x50, - 0xFF, 0x75, 0x08, - 0x8B, 0x46, 0x18, - 0x6A, 0x04, - 0x57, - 0xFF, 0xD0, - - 0x8B, 0x46, 0x08, - 0x85, 0xC0, - 0x74, 0x09, - 0x6A, 0x00, - 0x6A, 0x01, - 0xFF, 0x76, 0x04, - 0xFF, 0xD0, - - 0x53, - 0x8B, 0x5E, 0x0C, - 0x85, 0xDB, - 0x74, 0x20, - 0x8B, 0x5B, 0x0C, - 0x33, 0xFF, - 0x8B, 0x03, - 0x85, 0xC0, - 0x74, 0x15, - 0x90, - - 0x6A, 0x00, - 0x6A, 0x01, - 0xFF, 0x76, 0x04, - 0xFF, 0xD0, - 0x8B, 0x44, 0xBB, 0x04, - 0x8D, 0x7F, 0x01, - 0x85, 0xC0, - 0x75, 0xEC, - - 0x5B, - - 0x5F, - 0x5E, - 0x5D, - 0xC2, 0x04, 0x00 - }; -} \ No newline at end of file diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.hpp b/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.hpp deleted file mode 100644 index 84021c6..0000000 --- a/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.hpp +++ /dev/null @@ -1,33 +0,0 @@ -#pragma once - -#include - -namespace RemoteCode -{ - class RemoteCodeClient - { - using MemProtect = bool(__stdcall *)(void *, size_t, uint32_t, uint32_t *); - - struct ShellcodeParameters - { - // Specifies whether or not the thread hijacking - // exploit will be used for code execution. - uint8_t m_ThreadExploit; - - // Address of the module allocation base - uintptr_t m_AllocationBase; - - // Specifies the entry-point / optional TLS directory - // to invoke. - uintptr_t m_EntryPoint; - uintptr_t m_TlsDirectory; - - // Thread hijacking (original address & VMT) - uintptr_t m_ThreadOriginal; - uintptr_t m_ThreadVirtual; - - // Function parameters that will be passed - MemProtect m_ProtectMemory; - }; - }; -} \ No newline at end of file diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.cpp b/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.cpp deleted file mode 100644 index 01f52be..0000000 --- a/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.cpp +++ /dev/null @@ -1,6 +0,0 @@ -#include - -namespace RemoteCode -{ - -} \ No newline at end of file diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.hpp b/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.hpp deleted file mode 100644 index 2e5d216..0000000 --- a/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.hpp +++ /dev/null @@ -1,69 +0,0 @@ -#pragma once - -#include -#include - -namespace RemoteCode -{ - // Used for TransactionStart - using ImportedModule = char[64]; - using ImportList = std::vector; - - // Used for TransactionContinue - struct ExportedFunction - { - // I've never seen modules / functions with names - // that were larger than 64 characters. - char m_Module[64]; - char m_Function[64]; - - // Address of exported module / function - uintptr_t m_ModuleAddress; - uintptr_t m_FunctionAddress; - }; - - using ExportList = std::vector; - - // Used for TransactionCommit - struct RemoteInjectionHeader - { - // Used to decrypt the cheat header (first 1000 bytes of image sent back). - uint8_t m_HeaderKey; - - // Used to call entrypoint/TLS callbacks. - uintptr_t m_EntryPoint; - uintptr_t m_TlsDirectory; - }; - - struct RemoteInjectionCode - { - RemoteInjectionHeader m_Header; - - // Actual injection code. - ByteArray m_Code; - }; - - // Implementation of client mapping code - class RemoteInjectionClient - { - RemoteInjectionHeader m_Header; - RemoteProcess m_Process; - - public: - // Receive hash of selected cheat. - // Reply with size of image to allocate. - ByteArray Start(ByteArray &Response); - - // Receive client header, send over list of imported functions - ByteArray TransactionStart(ByteArray &Response); - - // Receive list of modules & export addresses - ByteArray TransactionContinue(ByteArray &Response); - - // Write the file to the - void TransactionCommit(ByteArray &Response); - - RemoteProcess GetProcess() { return m_Process; } - RemoteInjectionHeader GetHeader() { return m_Header; } - }; -} \ No newline at end of file diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteMapper.cpp b/csgo-loader/csgo-client/RemoteCode/RemoteMapper.cpp new file mode 100644 index 0000000..7b72550 --- /dev/null +++ b/csgo-loader/csgo-client/RemoteCode/RemoteMapper.cpp @@ -0,0 +1,139 @@ +#include + +namespace RemoteCode +{ + bool RemoteMapper::Start(RemoteProcess Process) + { + m_Process = Process; + return true; + } + + bool RemoteMapper::WriteCodeToMap(ByteArray Code) + { + // Check if the PE file is valid. + /*uint8_t *Buffer = Code.data(); + IMAGE_DOS_HEADER *DosHeader = (IMAGE_DOS_HEADER *)Buffer; + + if(!DosHeader || DosHeader->e_magic != IMAGE_DOS_SIGNATURE) + return false; + + IMAGE_NT_HEADERS *NtHeaders = (IMAGE_NT_HEADERS *)(Buffer + DosHeader->e_lfanew); + + if(!NtHeaders || NtHeaders->Signature != IMAGE_NT_SIGNATURE) + return false; + + WRAP_IF_DEBUG( + printf("[DEBUG] PE file validated!\n"); + ); + + IMAGE_SECTION_HEADER *Sections = (IMAGE_SECTION_HEADER *)((uintptr_t)&NtHeaders->OptionalHeader + NtHeaders->FileHeader.SizeOfOptionalHeader); + + if(!Sections) + return false; + + // Allocate map in process. + m_Map = m_Process.Allocate(Code.size()); + + if(!m_Map) + return false; + + // Ghetto workaround so heap doesn't get corrupted (i'm lazy) + size_t SizeOfCode = Code.size(); + m_Mapped = new uint8_t[SizeOfCode]; + + uint16_t SectionCount = NtHeaders->FileHeader.NumberOfSections; + + // Write each section to the process. + for(uint16_t n{}; n < SectionCount; n++) + { + uint32_t VirtualAddress = Sections[n].VirtualAddress; + uint32_t PointerToData = Sections[n].PointerToRawData; + uint32_t SizeOfData = Sections[n].SizeOfRawData; + + WRAP_IF_DEBUG( + printf("[DEBUG] Writing PE section #%d!\n", n); + printf("[DEBUG] Virtual address: 0x%x\n", VirtualAddress); + printf("[DEBUG] Pointer to data: 0x%x\n", PointerToData); + printf("[DEBUG] Size of data : %d bytes\n", SizeOfData); + ); + + // Write the data to map. + uint8_t *Data = (uint8_t *)((uintptr_t)Buffer + PointerToData); + void *ImageRva = (void *)((uintptr_t)&m_Mapped[0] + VirtualAddress); + + std::memcpy(ImageRva, Data, SizeOfData); + } + + // Copy over the PE header (temporarily). + uint32_t SizeOfHeaders = NtHeaders->OptionalHeader.SizeOfHeaders; + std::memcpy(&m_Mapped[0], Buffer, SizeOfHeaders); + + WRAP_IF_DEBUG( + printf("[DEBUG] Successfully copied over PE header!\n"); + printf("[DEBUG] Relocating image...\n"); + ); + + // Relocate the image. + IMAGE_BASE_RELOCATION *Reloc = (IMAGE_BASE_RELOCATION *)(&m_Mapped[0] + NtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress); + + uintptr_t ImageDelta = (uintptr_t)m_Map - NtHeaders->OptionalHeader.ImageBase; + + while(Reloc->SizeOfBlock > 0) + { + // address in binary where we need to relocate an address used by code + uintptr_t RelocationAddress = (uintptr_t)&m_Mapped[Reloc->VirtualAddress]; + uintptr_t RelocationDataAddress = (uintptr_t)Reloc + sizeof IMAGE_BASE_RELOCATION; + size_t RelocationCount = (Reloc->SizeOfBlock - sizeof IMAGE_BASE_RELOCATION) / sizeof uint16_t; + + for(size_t i = 0; i < RelocationCount; i++) + { + uint16_t RelocationData = *(uint16_t *)(RelocationDataAddress + sizeof uint16_t * i); + uint16_t RelocationType = RelocationData >> 12; + uint16_t RelocationOffset = RelocationData & 0x0FFF; + + WRAP_IF_DEBUG( + printf("[DEBUG] Processing relocation at %llx!\n", RelocationAddress + RelocationOffset); + ); + + switch(RelocationType) + { + case IMAGE_REL_BASED_MIPS_JMPADDR: + case IMAGE_REL_BASED_HIGH: + case IMAGE_REL_BASED_LOW: + case IMAGE_REL_BASED_HIGHLOW: + { + *(uint32_t*)(RelocationAddress + RelocationOffset) += ImageDelta; + break; + } + + case IMAGE_REL_BASED_ABSOLUTE: + default: + break; + }; + } + + Reloc = (IMAGE_BASE_RELOCATION*)((uintptr_t)Reloc + Reloc->SizeOfBlock); + } + + // Cripple the entire PE header. + std::memset(&m_Mapped[0], 0, SizeOfHeaders); + + WRAP_IF_DEBUG( + printf("[DEBUG] Successfully crippled PE header!\n"); + ); + + // Write the mapped image to the process. + m_Process.Write(m_Map, &m_Mapped[0], Code.size());*/ + + return true; + } + + bool RemoteMapper::ExecuteCodeFromMap() + { + WRAP_IF_DEBUG( + printf("[DEBUG] Executing payload!\n"); + ) + + return true; + } +} \ No newline at end of file diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteMapper.hpp b/csgo-loader/csgo-client/RemoteCode/RemoteMapper.hpp new file mode 100644 index 0000000..21eb569 --- /dev/null +++ b/csgo-loader/csgo-client/RemoteCode/RemoteMapper.hpp @@ -0,0 +1,26 @@ +#pragma once + +#include + +namespace RemoteCode +{ + class RemoteMapper + { + RemoteProcess m_Process; + uint8_t *m_Mapped; + + void *m_Map; + + public: + RemoteMapper() = default; + + // Copy process & shellcode to class. + bool Start(RemoteProcess Process); + + // Writes code to process in allocated page. + bool WriteCodeToMap(ByteArray Code); + + // Calls shellcode to call the library ;D + bool ExecuteCodeFromMap(); + }; +} \ No newline at end of file diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteProcess.cpp b/csgo-loader/csgo-client/RemoteCode/RemoteProcess.cpp index 1bbfed0..a6b90d4 100644 --- a/csgo-loader/csgo-client/RemoteCode/RemoteProcess.cpp +++ b/csgo-loader/csgo-client/RemoteCode/RemoteProcess.cpp @@ -30,7 +30,7 @@ namespace RemoteCode m_Process = OpenProcess(PROCESS_ALL_ACCESS, false, ProcessEntry.th32ProcessID); WRAP_IF_DEBUG( - printf("[DEBUG] Found process \"%s\" -> %p", ProcessEntry.szExeFile, m_Process); + printf("[DEBUG] Found process \"%s\" -> %p\n", ProcessEntry.szExeFile, m_Process); ); if(!m_Process) diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteProcess.hpp b/csgo-loader/csgo-client/RemoteCode/RemoteProcess.hpp index a58320f..5fb3c75 100644 --- a/csgo-loader/csgo-client/RemoteCode/RemoteProcess.hpp +++ b/csgo-loader/csgo-client/RemoteCode/RemoteProcess.hpp @@ -48,11 +48,11 @@ namespace RemoteCode } // Release the handle when the process goes out of scope. - ~RemoteProcess() - { - if(m_Process) - CloseHandle(m_Process); - } + //~RemoteProcess() + //{ + // if(m_Process) + // CloseHandle(m_Process); + //} // Find the process ID and initialise the process. bool Start(const char *ProcessName); -- cgit v1.2.3