From 00b271f265450850336c8bcfdacc8671dbc8406a Mon Sep 17 00:00:00 2001
From: boris
Date: Tue, 1 Jan 2019 20:53:10 +1300
Subject: yah

---
 .../csgo-client/Security/RuntimeSecurity.cpp | 72 +++++++++++++---------
 1 file changed, 44 insertions(+), 28 deletions(-)

(limited to 'csgo-loader/csgo-client/Security/RuntimeSecurity.cpp')

diff --git a/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp b/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp
index 6a5ce20..f7c1cc2 100644
--- a/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp
+++ b/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp
@@ -30,7 +30,7 @@ namespace Security
 if(ReturnModule != LoaderModule)
 {
- Protection->SecurityCallback("Malicious activity [Tampering].");
+ Protection->SecurityCallback(STR("Malicious activity [Tampering]."));
 [&](decltype(&OpenProcess) A)
 {
@@ -75,7 +75,7 @@ namespace Security
 // Let's meme anyone who tries to reverse this.
 if(ReturnModule != LoaderModule)
 {
- return []() { Protection->SecurityCallback("Malicious activity [Tampering]."); return -1; }();
+ return []() { Protection->SecurityCallback(STR("Malicious activity [Tampering].")); return -1; }();
 }
 // Call original function
@@ -99,7 +99,7 @@ namespace Security
 // Let's meme anyone who tries to reverse this.
 if(ReturnModule != LoaderModule)
 {
- return []() { Protection->SecurityCallback("Malicious activity [Tampering]."); return -1; }();
+ return []() { Protection->SecurityCallback(STR("Malicious activity [Tampering].")); return -1; }();
 }
 // Call original function
@@ -120,6 +120,8 @@ namespace Security
 bool RuntimeSecurity::ApplyApiHooks()
 {
+ VMProtectBeginMutation("ApplyHooks");
+
 // Make sure that MinHook is initialized properly.
 CreateMinHook();
 CheckStatus();
@@ -138,6 +140,8 @@ namespace Security
 SafeCallTo(MH_EnableHook(&send));
 return true;
+
+ VMProtectEnd();
 }
 #pragma optimize("", on)
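Review bot: In ApplyApiHooks the closing marker added after `return true;` is unreachable, so the region opened by `VMProtectBeginMutation("ApplyHooks")` at the top of the function is never closed on any executed path; place it before the return instead: `VMProtectEnd();` then `return true;`. The same shape recurs in CheckForVirtualMachine, where `VMProtectEnd()` follows a `for(;;)` that has no visible exit, and as far as the hunk shows in CheckForDebugger; DispatchSecurityThreads is the only one of the four functions where the end marker is actually reached. Whether the protector accepts an end marker sitting in dead code is something to confirm against its documentation, but the compiler will at minimum report unreachable code there. The bodies of ApplyApiHooks and CheckForDebugger continue outside these hunks.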
@@ -147,17 +151,17 @@ namespace Security
 HMODULE Module = GetModuleHandleA("ntdll.dll");
 if(!Module)
- ERROR_ASSERT("[000F:00001A00] Failed to initialize. Please contact an administrator.");
+ ERROR_ASSERT(STR("[000F:00001A00] Failed to initialize. Please contact an administrator."));
 // Grab exports from ntdll.dll
- uintptr_t Export_DbgUiRemoteBreakin = (uintptr_t)GetProcAddress(Module, "DbgUiRemoteBreakin");
- uintptr_t Export_DbgBreakPoint = (uintptr_t)GetProcAddress(Module, "DbgBreakPoint");
+ uintptr_t Export_DbgUiRemoteBreakin = (uintptr_t)GetProcAddress(Module, STR("DbgUiRemoteBreakin"));
+ uintptr_t Export_DbgBreakPoint = (uintptr_t)GetProcAddress(Module, STR("DbgBreakPoint"));
 // Most plugins for OllyDBG / IDA only fix DbgUiRemoteBreakin/DbgBreakPoint,
 // however, NtContinue is never touched although it is used.
 // This should prevent any such plugins from effectively attaching the debugger.
 // NOTE: This does not work on x64dbg for whatever reason..
- uintptr_t Export_NtContinue = (uintptr_t)GetProcAddress(Module, "NtContinue");
+ uintptr_t Export_NtContinue = (uintptr_t)GetProcAddress(Module, STR("NtContinue"));
 // Ensure that the program gets closed if a debugger is attached.
 uintptr_t Exports[] = {
@@ -170,7 +174,7 @@ namespace Security
 {
 DWORD OldProtection;
 if(!VirtualProtect((void *)It, sizeof uintptr_t + 1, PAGE_EXECUTE_READWRITE, &OldProtection))
- ERROR_ASSERT("[000F:00001A00] Failed to initialize. Please contact an administrator.");
+ ERROR_ASSERT(STR("[000F:00001A00] Failed to initialize. Please contact an administrator."));
 // Patch to __asm { jmp oExitProcess; };
 *(uint8_t *)It = 0xE9;
@@ -182,10 +186,14 @@ namespace Security
 void RuntimeSecurity::DispatchSecurityThreads()
 {
+ VMProtectBeginMutation("DispatchThreads");
+
 std::thread DebugThread (&RuntimeSecurity::CheckForDebugger, this); DebugThread.detach();
 std::thread VMThread (&RuntimeSecurity::CheckForVirtualMachine, this); VMThread.detach();
 std::thread DriverThread(&RuntimeSecurity::CheckForDrivers, this); DriverThread.detach();
 std::thread TamperThread(&RuntimeSecurity::CheckForTampering, this); TamperThread.detach();
+
+ VMProtectEnd();
 }
 // The following functions are only called internally.
@@ -197,15 +205,21 @@ namespace Security
 void RuntimeSecurity::CheckForVirtualMachine()
 {
+ VMProtectBeginVirtualization("VMThread");
+
 for(;;)
 {
 // Don't put too much stress on the CPU.
 Sleep(1);
 }
+
+ VMProtectEnd();
 }
 void RuntimeSecurity::CheckForDebugger()
 {
+ VMProtectBeginVirtualization("DebuggerThread");
+
 for(;;)
 {
 // Read the PEB from the TIB.
@@ -238,11 +252,11 @@ namespace Security
 */
 using WindowParams = std::pair;
 static std::vector BlackListedWindows = {
- {"ID", "Immunity"}, // Immunity Debugger
- {"Qt5QWindowIcon", "x64dbg"}, // x64dbg
- {"Qt5QWindowIcon", "x32dbg"}, // x32dbg
- {"OLLYDBG", "OllyDbg"}, // OllyDbg
- {nullptr, "Progress Telerik Fiddler Web Debugger"}, // Telerik Fiddler
+ {STR("ID"), STR("Immunity")}, // Immunity Debugger
+ {STR("Qt5QWindowIcon"), STR("x64dbg")}, // x64dbg
+ {STR("Qt5QWindowIcon"), STR("x32dbg")}, // x32dbg
+ {STR("OLLYDBG"), STR("OllyDbg")}, // OllyDbg
+ {nullptr, STR("Progress Telerik Fiddler Web Debugger")}, // Telerik Fiddler
 };
 for(auto &It : BlackListedWindows)
@@ -250,12 +264,14 @@ namespace Security
 // size_t Index = std::distance(...);
 if(FindWindowA(It.first, It.second))
- SecurityCallback("Malicious activity [Debugging attempt].");
+ SecurityCallback(STR("Malicious activity [Debugging attempt]."));
 }
 // Don't put too much stress on the CPU.
 Sleep(1);
 }
+
+ VMProtectEnd();
 }
 void RuntimeSecurity::CheckForDrivers()
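Review bot: The static `BlackListedWindows` table in the `@@ -238` hunk now stores the `const char *` yielded by each `STR(...)` call; if STR() evaluates to a temporary object that decrypts into its own storage (the usual shape of a compile-time string-obfuscation macro) rather than to a literal with static storage, every stored pointer dangles once the initializer's full-expression ends, and each later `FindWindowA(It.first, It.second)` reads storage that has already been released. The `BlackListedDrivers` and `BlackListReasons` arrays in the `@@ -264` hunk have the same exposure. If STR() is such a macro, give each entry owned bytes (for example `std::pair<std::string, std::string>`, keeping the `nullptr` class-name case distinct since `std::string` cannot be built from it) or invoke STR() at the point of use inside the loop, and add a one-line comment on the table stating which lifetime STR() guarantees so the next reader does not have to guess. The body of CheckForDebugger starts and ends outside this hunk.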
@@ -264,19 +280,19 @@ namespace Security
 for(;;)
 {
 static const char *BlackListedDrivers[] = {
- "Sbie", // Sandboxie
- "NPF", // WireShark / WinPCAP
- "acker", // Process Hacker
- "CEDRI" // Cheat Engine
- "VBox", // VirtualBox
+ STR("Sbie"), // Sandboxie
+ STR("NPF"), // WireShark / WinPCAP
+ STR("acker"), // Process Hacker
+ STR("CEDRI"), // Cheat Engine
+ //STR("VBox") // VirtualBox
 };
 static const char *BlackListReasons[] = {
- "Please uninstall Sandboxie.",
- "Please uninstall WireShark.",
- "Please close Process Hacker.",
- "Please close Cheat Engine.",
- "Please uninstall VirtualBox."
+ STR("Please uninstall Sandboxie."),
+ STR("Please uninstall WireShark."),
+ STR("Please close Process Hacker."),
+ STR("Please close Cheat Engine."),
+ STR("Please uninstall VirtualBox.")
 };
 uint16_t Length = sizeof BlackListedDrivers / sizeof(BlackListedDrivers[0]);
@@ -287,7 +303,7 @@ namespace Security
 if(K32EnumDeviceDrivers(DriverList, sizeof DriverList, &Needed))
 {
 if(Needed > sizeof DriverList)
- ERROR_ASSERT("[00DF:00001CFF] A security thread has failed. Contact an administrator.");
+ ERROR_ASSERT(STR("[00DF:00001CFF] A security thread has failed. Contact an administrator."));
 char DriverName[1024];
 uint32_t DriverCount = Needed / sizeof DriverList[0];
@@ -375,7 +391,7 @@ namespace Security
 char ReasonParameter[64];
 uint32_t Status = GetLastError();
- sprintf_s(ReasonParameter, "[00DF:%08x] There was an error with accessing a process.", Status);
+ sprintf_s(ReasonParameter, STR("[00DF:%08x] There was an error with accessing a process."), Status);
 ERROR_ASSERT(ReasonParameter);
 }
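Review bot: `BlackListedDrivers` now has four live entries (VirtualBox commented out) while `BlackListReasons` keeps five, so the two parallel tables no longer line up by size; this is only harmless because `Length` is derived from the driver table, and the missing comma after `"CEDRI"` on the old side — which silently fused two entries and shifted every following reason — shows how easily such a mismatch goes unnoticed. Comment out `STR("Please uninstall VirtualBox.")` together with its driver entry and pin the invariant with `static_assert(sizeof BlackListedDrivers / sizeof BlackListedDrivers[0] == sizeof BlackListReasons / sizeof BlackListReasons[0], "driver/reason tables out of sync");`. The code that indexes the reason table lies outside this hunk, so confirm it uses the same index as the driver scan before relying on the assertion alone. The enclosing `for(;;)` in CheckForDrivers continues past the hunk.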
@@ -392,9 +408,9 @@ namespace Security
 // You can use the reason parameters to debug the security in case
 // something weird starts going on with it.
 char Buffer[2048];
- sprintf_s(Buffer, "Security callback was called. Reason parameter: \"%s\"\n", Reason);
+ sprintf_s(Buffer, STR("Security callback was called. Reason parameter: \"%s\"\n"), Reason);
- MessageBoxA(0, Buffer, "Information", MB_ICONINFORMATION | MB_OK);
+ MessageBoxA(0, Buffer, "", MB_ICONINFORMATION | MB_OK);
 // The process will straight up die on Release mode.
--
cgit v1.2.3
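Review bot: Wrapping the format string in `STR()` on the `sprintf_s` line removes the compiler's ability to check the `%s` conversion against `Reason` (the `%08x`/`Status` call in the `@@ -375` hunk loses the same check), so a later edit to either literal or argument list will no longer be caught at compile time; a comment such as `// format string is obfuscated: keep the conversions in sync with the arguments by hand` next to each call would flag that for maintainers. Separately, the MessageBoxA caption was changed to `""` rather than wrapped like every other literal in this commit, which drops the dialog title entirely; if that was not the intent, `MessageBoxA(0, Buffer, STR("Information"), MB_ICONINFORMATION | MB_OK);` keeps it. The enclosing SecurityCallback body begins outside this hunk.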