From 7a3b48831bfc9c4aa8c39c1e42d5bf5dd73e43c5 Mon Sep 17 00:00:00 2001 From: boris Date: Tue, 1 Jan 2019 20:31:51 +1300 Subject: whole buncha fixes & switching to vmp --- .../csgo-client/Security/RuntimeSecurity.cpp | 194 ++++++++------------- 1 file changed, 76 insertions(+), 118 deletions(-) (limited to 'csgo-loader/csgo-client/Security/RuntimeSecurity.cpp') diff --git a/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp b/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp index ab2ea87..6a5ce20 100644 --- a/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp +++ b/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp @@ -19,8 +19,6 @@ namespace Security decltype(&OpenProcess) oOpenProcess; HANDLE __stdcall Hooked_OpenProcess(DWORD AccessLevel, bool Inherit, DWORD ProcessId) { - WRAP_IF_RELEASE(VM_EAGLE_WHITE_START); - // Determine where the return address of the function actually points. void *Address = _ReturnAddress(); MEMORY_BASIC_INFORMATION Query = Protection->QueryMemory(Address); @@ -32,9 +30,7 @@ namespace Security if(ReturnModule != LoaderModule) { - WRAP_IF_RELEASE(STR_ENCRYPT_START); - Protection->SecurityCallback(__FUNCSIG__); - WRAP_IF_RELEASE(STR_ENCRYPT_END); + Protection->SecurityCallback("Malicious activity [Tampering]."); [&](decltype(&OpenProcess) A) { @@ -46,15 +42,11 @@ namespace Security // Call original function return oOpenProcess(AccessLevel, Inherit, ProcessId); - - WRAP_IF_RELEASE(VM_EAGLE_WHITE_END); } decltype(&ExitProcess) oExitProcess; void __stdcall Hooked_ExitProcess(DWORD ExitCode) { - WRAP_IF_RELEASE(VM_EAGLE_WHITE_START); - WRAP_IF_DEBUG(oExitProcess(ExitCode)); WRAP_IF_RELEASE( 
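Review bot: The replacement `Protection->SecurityCallback("Malicious activity [Tampering].");` in Hooked_OpenProcess is the same literal that hunks @@ -86 and @@ -114 put into Hooked_WSARecv and Hooked_WSASend, so the reason string no longer says which hook fired, which the `__FUNCSIG__` it replaces did. SecurityCallback's own comment (hunk @@ -420) says the reason exists to debug the security code, so keep the distinguishing part in the literal, e.g. `Protection->SecurityCallback("Malicious activity [Tampering: OpenProcess].");` with the corresponding names in the two socket hooks. Hooked_OpenProcess starts before this hunk and continues after it.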
@@ -65,14 +57,11 @@ namespace Security A(NullPointer); }(oExitProcess); ); - - WRAP_IF_RELEASE(VM_EAGLE_WHITE_END); } decltype(&recv) oWSARecv; int __stdcall Hooked_WSARecv(SOCKET Socket, char *Buffer, int Length, int Flags) { - WRAP_IF_RELEASE(VM_EAGLE_WHITE_START); // Determine where the return address of the function actually points. void *Address = _ReturnAddress(); @@ -86,21 +75,17 @@ namespace Security // Let's meme anyone who tries to reverse this. if(ReturnModule != LoaderModule) { - WRAP_IF_RELEASE(STR_ENCRYPT_START); - return []() { Protection->SecurityCallback(__FUNCSIG__); return -1; }(); - WRAP_IF_RELEASE(STR_ENCRYPT_END); + return []() { Protection->SecurityCallback("Malicious activity [Tampering]."); return -1; }(); } // Call original function return oWSARecv(Socket, Buffer, Length, Flags); - WRAP_IF_RELEASE(VM_EAGLE_WHITE_END); } decltype(&send) oWSASend; int __stdcall Hooked_WSASend(SOCKET Socket, char *Buffer, int Length, int Flags) { - WRAP_IF_RELEASE(VM_EAGLE_WHITE_START); // Determine where the return address of the function actually points. void *Address = _ReturnAddress(); @@ -114,15 +99,11 @@ namespace Security // Let's meme anyone who tries to reverse this. if(ReturnModule != LoaderModule) { - WRAP_IF_RELEASE(STR_ENCRYPT_START); - return []() { Protection->SecurityCallback(__FUNCSIG__); return -1; }(); - WRAP_IF_RELEASE(STR_ENCRYPT_END); + return []() { Protection->SecurityCallback("Malicious activity [Tampering]."); return -1; }(); } // Call original function return oWSASend(Socket, Buffer, Length, Flags); - - WRAP_IF_RELEASE(VM_EAGLE_WHITE_END); } #pragma optimize("", on) @@ -139,8 +120,6 @@ namespace Security bool RuntimeSecurity::ApplyApiHooks() { - WRAP_IF_RELEASE(MUTATE_START); - // Make sure that MinHook is initialized properly. CreateMinHook(); CheckStatus(); 
@@ -159,17 +138,12 @@ namespace Security SafeCallTo(MH_EnableHook(&send)); return true; - - WRAP_IF_RELEASE(MUTATE_END); } #pragma optimize("", on) void RuntimeSecurity::PatchDebugFunctions() { - WRAP_IF_RELEASE(VM_EAGLE_WHITE_START); - WRAP_IF_RELEASE(STR_ENCRYPT_START); - HMODULE Module = GetModuleHandleA("ntdll.dll"); if(!Module) @@ -199,26 +173,19 @@ namespace Security ERROR_ASSERT("[000F:00001A00] Failed to initialize. Please contact an administrator."); // Patch to __asm { jmp oExitProcess; }; - *(uint8_t *)It = 0xE9; - *(uint32_t *)(It + 1) = (uintptr_t)oExitProcess; + *(uint8_t *)It = 0xE9; + *(uintptr_t *)(It + 1) = (uintptr_t)oExitProcess; VirtualProtect((void *)It, sizeof uintptr_t + 1, OldProtection, &OldProtection); } - - WRAP_IF_RELEASE(STR_ENCRYPT_END); - WRAP_IF_RELEASE(VM_EAGLE_WHITE_END); } void RuntimeSecurity::DispatchSecurityThreads() { - WRAP_IF_RELEASE(MUTATE_START); - std::thread DebugThread (&RuntimeSecurity::CheckForDebugger, this); DebugThread.detach(); std::thread VMThread (&RuntimeSecurity::CheckForVirtualMachine, this); VMThread.detach(); std::thread DriverThread(&RuntimeSecurity::CheckForDrivers, this); DriverThread.detach(); std::thread TamperThread(&RuntimeSecurity::CheckForTampering, this); TamperThread.detach(); - - WRAP_IF_RELEASE(MUTATE_END); } // The following functions are only called internally. 
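Review bot: In PatchDebugFunctions the widened store `*(uintptr_t *)(It + 1) = (uintptr_t)oExitProcess;` still does not produce the `jmp oExitProcess` the comment promises, because the operand of opcode 0xE9 is a 32-bit displacement rather than an absolute address. On a 64-bit build the store is also 8 bytes wide where the encoding has room for 4, so it overwrites the four bytes after the 5-byte instruction (the `sizeof uintptr_t + 1` passed to VirtualProtect was sized to match the store, not the instruction). Either compute the operand as a displacement and go back to a 4-byte store, or change the comment to describe what is actually written. In DispatchSecurityThreads the four `detach()` calls hand `this` to threads with no defined end, so a comment stating that the RuntimeSecurity instance must outlive the process (or keeping the `std::thread`s as members and joining them in the destructor) would make the lifetime explicit. PatchDebugFunctions begins before this hunk.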
@@ -230,35 +197,15 @@ namespace Security void RuntimeSecurity::CheckForVirtualMachine() { - WRAP_IF_RELEASE(VM_EAGLE_BLACK_START); - for(;;) { - // Yeah, um, your code did absolutely fuck all in my analysis VM. - int32_t VirtualMachineChecksum = 0x4000; - - WRAP_IF_RELEASE( - CHECK_VIRTUAL_PC(VirtualMachineChecksum, 0x2000); - - WRAP_IF_RELEASE(STR_ENCRYPT_START); - if(VirtualMachineChecksum != 0x2000) - SecurityCallback(__FUNCSIG__); - WRAP_IF_RELEASE(STR_ENCRYPT_END); - ); - // Don't put too much stress on the CPU. - Sleep(VirtualMachineChecksum); + Sleep(1); } - - - WRAP_IF_RELEASE(VM_EAGLE_BLACK_END); } void RuntimeSecurity::CheckForDebugger() { - WRAP_IF_RELEASE(VM_EAGLE_BLACK_START); - WRAP_IF_RELEASE(STR_ENCRYPT_START); - for(;;) { // Read the PEB from the TIB. 
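Review bot: CheckForVirtualMachine is now `for(;;) { Sleep(1); }` — the checksum and the `CHECK_VIRTUAL_PC` call were removed with nothing in their place, so DispatchSecurityThreads still starts a thread that only wakes every millisecond. The same interval change appears in hunk @@ -303, where CheckForDebugger and CheckForDrivers go from `Sleep(150)` to `Sleep(1)` and CheckForTampering is emptied the same way, while the comment above each call still reads `// Don't put too much stress on the CPU.`; a 1 ms period around a FindWindowA loop and a K32EnumDeviceDrivers call on every iteration is a measurable busy loop. Either keep the longer interval (`Sleep(150);`) until the replacement checks exist, or stop dispatching the empty threads, and update the comment to match whatever interval stays. CheckForDebugger's body continues past the end of this hunk.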
@@ -303,67 +250,73 @@ namespace Security // size_t Index = std::distance(...); if(FindWindowA(It.first, It.second)) - SecurityCallback(__FUNCSIG__); + SecurityCallback("Malicious activity [Debugging attempt]."); } // Don't put too much stress on the CPU. - Sleep(150); + Sleep(1); } - - WRAP_IF_RELEASE(STR_ENCRYPT_END); - WRAP_IF_RELEASE(VM_EAGLE_BLACK_END); } void RuntimeSecurity::CheckForDrivers() { - WRAP_IF_RELEASE(VM_EAGLE_BLACK_START); - - // TODO: Check if test-signing mode is on - // TODO: Check if safe-mode is on - // TODO: Check for disallowed drivers for(;;) { + static const char *BlackListedDrivers[] = { + "Sbie", // Sandboxie + "NPF", // WireShark / WinPCAP + "acker", // Process Hacker + "CEDRI" // Cheat Engine + "VBox", // VirtualBox + }; + + static const char *BlackListReasons[] = { + "Please uninstall Sandboxie.", + "Please uninstall WireShark.", + "Please close Process Hacker.", + "Please close Cheat Engine.", + "Please uninstall VirtualBox." + }; + + uint16_t Length = sizeof BlackListedDrivers / sizeof(BlackListedDrivers[0]); + + void *DriverList[1024]; + DWORD Needed; + + if(K32EnumDeviceDrivers(DriverList, sizeof DriverList, &Needed)) + { + if(Needed > sizeof DriverList) + ERROR_ASSERT("[00DF:00001CFF] A security thread has failed. Contact an administrator."); + + char DriverName[1024]; + uint32_t DriverCount = Needed / sizeof DriverList[0]; + + for(size_t n{}; n < DriverCount; ++n) + { + if(K32GetDeviceDriverBaseNameA(DriverList[n], DriverName, sizeof DriverName / sizeof DriverList[0])) + { + for(size_t j{}; j < Length; ++j) + { + if(strstr(DriverName, BlackListedDrivers[j])) + ERROR_ASSERT(BlackListReasons[j]); + } + } + } + } // Don't put too much stress on the CPU. 
- Sleep(150); + Sleep(1); } - - WRAP_IF_RELEASE(VM_EAGLE_BLACK_END); } void RuntimeSecurity::CheckForTampering() { - WRAP_IF_RELEASE(VM_EAGLE_BLACK_START); - for(;;) { - int32_t CodeIntegrityChecksum = 0x2000; - - WRAP_IF_RELEASE( - CHECK_CODE_INTEGRITY(CodeIntegrityChecksum, 0x4000); - - WRAP_IF_RELEASE(STR_ENCRYPT_START); - if(CodeIntegrityChecksum != 0x4000) - SecurityCallback(__FUNCSIG__); - WRAP_IF_RELEASE(STR_ENCRYPT_END); - ); - - WRAP_IF_RELEASE( - CHECK_PROTECTION(CodeIntegrityChecksum, 0x4000); - - WRAP_IF_RELEASE(STR_ENCRYPT_START); - if(CodeIntegrityChecksum != 0x4000) - SecurityCallback(__FUNCSIG__); - WRAP_IF_RELEASE(STR_ENCRYPT_END); - ); - // Don't put too much stress on the CPU. - Sleep(CodeIntegrityChecksum); + Sleep(1); } - - - WRAP_IF_RELEASE(VM_EAGLE_BLACK_END); } #pragma optimize("", on) 
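Review bot: In CheckForDrivers the initializer `"CEDRI" // Cheat Engine` is missing its trailing comma, so the two adjacent literals fold into a single element "CEDRIVBox": BlackListedDrivers has four entries while BlackListReasons has five, `Length` evaluates to 4, the last reason string is unreachable and the fourth pattern can never match anything. Write it as `"CEDRI", // Cheat Engine` and add a `static_assert` that the two arrays have the same element count so the pairing cannot drift again. Separately, `sizeof DriverName / sizeof DriverList[0]` divides the 1024-byte char buffer by the size of a pointer, so K32GetDeviceDriverBaseNameA is told the buffer is far smaller than it is; the bound should simply be `sizeof DriverName`.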
@@ -387,32 +340,43 @@ namespace Security return true; } + constexpr uintptr_t KUSER_SHARED_DATA = 0x7FFE0000; + HardwareIdentifier RuntimeSecurity::GetHardwareId() { + HardwareIdentifier Identifier{}; + + // CPU information + Identifier.m_CpuCount = *(uint32_t *)(KUSER_SHARED_DATA + 0x3C0); + Identifier.m_CpuArchitecture = *(uint16_t *)(KUSER_SHARED_DATA + 0x26A); + + // CPU features + + // Safe-mode + Identifier.m_SpecialMode[0] = *(uint8_t *)(KUSER_SHARED_DATA + 0x2EC); + + // Test-signing mode + return HardwareIdentifier{}; } #pragma optimize("", off) - MEMORY_BASIC_INFORMATION RuntimeSecurity::QueryMemory(void *Address) + __declspec(noinline) MEMORY_BASIC_INFORMATION RuntimeSecurity::QueryMemory(void *Address) { - static auto ZwQueryVirtualMemory = Syscalls->Find(FNV("ZwQueryVirtualMemory")); - MEMORY_BASIC_INFORMATION Result{}; - NTSTATUS Status = ZwQueryVirtualMemory((HANDLE)-1, Address, 0, &Result, sizeof Result, nullptr); + + // VirtualQuery is also referenced in MinHook lib, will be a pain to find anyway + // especially if I have VMP encrypt all this shit. + bool Success = VirtualQuery(Address, &Result, sizeof Result); - if(NT_ERROR(Status)) + if(!Success) { - char ReasonParameter[64]; + char ReasonParameter[64]; + uint32_t Status = GetLastError(); - WRAP_IF_DEBUG(sprintf_s(ReasonParameter, "[QueryMemory] NTSTATUS: %08x", Status)); - WRAP_IF_RELEASE( - sprintf_s(ReasonParameter, "[00DF:%08x] There was an error with accessing a process.", Status); - ERROR_ASSERT(ReasonParameter); - ); - - // yeet - SecurityCallback(ReasonParameter); + sprintf_s(ReasonParameter, "[00DF:%08x] There was an error with accessing a process.", Status); + ERROR_ASSERT(ReasonParameter); } return Result; 
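Review bot: GetHardwareId fills `Identifier` from KUSER_SHARED_DATA and then discards it with `return HardwareIdentifier{};`, so every caller receives a zeroed identifier; the last line should be `return Identifier;`. The three offsets (`0x3C0`, `0x26A`, `0x2EC`) are read through raw casts with no indication of which KUSER_SHARED_DATA members they are meant to be or which Windows versions that layout was checked against — named constants with a comment carrying that information would let the next reader verify them, and the two empty placeholder sections (`// CPU features`, `// Test-signing mode`) should say they are unimplemented rather than look like finished code. In QueryMemory, `bool Success = VirtualQuery(Address, &Result, sizeof Result);` narrows the SIZE_T return; `SIZE_T Written = VirtualQuery(Address, &Result, sizeof Result); if(Written == 0)` keeps the API's contract visible. QueryMemory continues past the end of this hunk.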
@@ -420,13 +384,10 @@ namespace Security void RuntimeSecurity::SecurityCallback(const char *Reason) { - WRAP_IF_RELEASE(VM_FISH_WHITE_START); - static bool TriggeredCallback = false; if(!TriggeredCallback) { - WRAP_IF_RELEASE(STR_ENCRYPT_START); // You can use the reason parameters to debug the security in case // something weird starts going on with it. @@ -443,10 +404,7 @@ namespace Security ); TriggeredCallback = true; - WRAP_IF_RELEASE(STR_ENCRYPT_END); } - - WRAP_IF_RELEASE(VM_FISH_WHITE_END); } #pragma optimize("", on) -- cgit v1.2.3
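Review bot: `static bool TriggeredCallback = false;` in SecurityCallback is read and later written with no synchronization, yet the function is reached from the four detached threads started in DispatchSecurityThreads as well as from the API hooks, so two callers can both observe `false` and both run the body. Replace the flag with `static std::atomic<bool> TriggeredCallback{false}; if(!TriggeredCallback.exchange(true)) { ... }` (which needs `<atomic>`, and makes the `TriggeredCallback = true;` at the end of the body redundant), or guard the body with `std::call_once`. SecurityCallback's body continues past the end of this hunk.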