From c0f1354a301ce2a2fc867a89fafdde4571c07c02 Mon Sep 17 00:00:00 2001 From: boris Date: Wed, 2 Jan 2019 21:11:03 +1300 Subject: 6IX9INE "Billy" (WSHH Exclusive - Official Music Video) --- .../csgo-client/Security/RuntimeSecurity.cpp | 124 ++++++++++++++++----- 1 file changed, 95 insertions(+), 29 deletions(-) (limited to 'csgo-loader/csgo-client/Security/RuntimeSecurity.cpp') diff --git a/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp b/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp index 572c9b1..7f528e3 100644 --- a/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp +++ b/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp @@ -209,6 +209,9 @@ namespace Security for(;;) { + if(VMProtectIsVirtualMachinePresent()) + SecurityCallback(STR("Malicious activity [Virtualized environment].")); + // Don't put too much stress on the CPU. Sleep(1); } @@ -227,36 +230,18 @@ namespace Security // Offset for x64 is 0x60 ; mov ..., qword ptr gs:[0x60] PEB *ProcessEnvBlock = (PEB *)__readgsqword(0x60); - //if(ProcessEnvBlock->BeingDebugged) - // SecurityCallback(__FUNCSIG__); + if(ProcessEnvBlock->BeingDebugged) + SecurityCallback(STR("Malicious activity [Debugging attempt].")); // TODO: Check for x64dbg window? - /* - ------------------------------ - HWND: 000305A4 - HWND->m_Class = "ID" - HWND->m_Text = "Immunity - ------------------------------ - HWND: 00060574 - HWND->m_Class = || NON CONSTANT || - HWND->m_Text = "x64dbg" - ------------------------------ - HWND: 002C0680 - HWND->m_Class = || NON CONSTANT || - HWND->m_Text = "Progress Telerik Fiddler Web Debugger" - ------------------------------ - HWND: 000406E4 - HWND->m_Class = "OLLYDBG" - HWND->m_Text = "OllyDbg" - ------------------------------ - */ using WindowParams = std::pair; static std::vector BlackListedWindows = { {STR("ID"), STR("Immunity")}, // Immunity Debugger - {STR("Qt5QWindowIcon"), STR("x64dbg")}, // x64dbg - {STR("Qt5QWindowIcon"), STR("x32dbg")}, // x32dbg - {STR("OLLYDBG"), STR("OllyDbg")}, // OllyDbg - {nullptr, STR("Progress Telerik Fiddler Web Debugger")}, // Telerik Fiddler + {STR("Qt5QWindowIcon"), STR("x64dbg")}, // x64dbg + {STR("Qt5QWindowIcon"), STR("x32dbg")}, // x32dbg + {STR("Qt5QWindowIcon"), STR("The Wireshark Network Analyzer")}, // x32dbg + {STR("OLLYDBG"), STR("OllyDbg")}, // OllyDbg + {nullptr, STR("Progress Telerik Fiddler Web Debugger")}, // Telerik Fiddler }; for(auto &It : BlackListedWindows) @@ -284,7 +269,7 @@ namespace Security STR("NPF"), // WireShark / WinPCAP STR("acker"), // Process Hacker STR("CEDRI"), // Cheat Engine - //STR("VBox") // VirtualBox + //STR("VBox") // VirtualBox }; static const char *BlackListReasons[] = { @@ -303,7 +288,11 @@ namespace Security if(K32EnumDeviceDrivers(DriverList, sizeof DriverList, &Needed)) { if(Needed > sizeof DriverList) - ERROR_ASSERT(STR("[00DF:00001CFF] A security thread has failed. Contact an administrator.")); + { + ERROR_ASSERT( + STR("[00DF:00001CFF] A security thread has failed. Contact an administrator.") + ); + } char DriverName[1024]; uint32_t DriverCount = Needed / sizeof DriverList[0]; @@ -330,6 +319,12 @@ namespace Security { for(;;) { + if(!VMProtectIsProtected()) + SecurityCallback(STR("Malicious activity [Tampering].")); + + if(!VMProtectIsValidImageCRC()) + SecurityCallback(STR("Malicious activity [Tampering].")); + // Don't put too much stress on the CPU. Sleep(1); } @@ -358,22 +353,93 @@ namespace Security constexpr uintptr_t KUSER_SHARED_DATA = 0x7FFE0000; + __forceinline uint64_t get_hdd_hash() { + STORAGE_PROPERTY_QUERY query{ }; + STORAGE_DESCRIPTOR_HEADER desc_header{ }; + STORAGE_DEVICE_DESCRIPTOR* device_descriptor{ }; + HANDLE device; + DWORD bytes_returned; + uint8_t* out_buffer; + + const wchar_t* device_path = L"\\??\\PhysicalDrive0"; + device = CreateFileA("\\\\.\\PhysicalDrive0", 0, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, 0, 0); + if(!device) return uint64_t{ }; + + query.PropertyId = StorageDeviceProperty; + query.QueryType = PropertyStandardQuery; + + if(!DeviceIoControl(device, IOCTL_STORAGE_QUERY_PROPERTY, + &query, sizeof(STORAGE_PROPERTY_QUERY), + &desc_header, sizeof(STORAGE_DESCRIPTOR_HEADER), + &bytes_returned, 0)) { + return uint64_t{ }; + } + + out_buffer = new uint8_t[desc_header.Size]; + memset(out_buffer, 0, desc_header.Size); + + if(!DeviceIoControl(device, IOCTL_STORAGE_QUERY_PROPERTY, + &query, sizeof(STORAGE_PROPERTY_QUERY), + out_buffer, desc_header.Size, + &bytes_returned, 0)) { + delete[] out_buffer; + return uint64_t{ }; + } + + device_descriptor = (STORAGE_DEVICE_DESCRIPTOR*)out_buffer; + if(device_descriptor->SerialNumberOffset) { + std::string serial_num = reinterpret_cast( + out_buffer + device_descriptor->SerialNumberOffset); + + delete[] out_buffer; + CloseHandle(device); + return fnv::hash_runtime(serial_num.c_str()); + } + + return 0; + } + HardwareIdentifier RuntimeSecurity::GetHardwareId() { + VMProtectBeginMutation("HardwareIdentifier"); + HardwareIdentifier Identifier{}; // CPU information Identifier.m_CpuCount = *(uint32_t *)(KUSER_SHARED_DATA + 0x3C0); Identifier.m_CpuArchitecture = *(uint16_t *)(KUSER_SHARED_DATA + 0x26A); - // CPU features + // HDD serial number + Identifier.m_HardDiskSerialHash = get_hdd_hash(); // Safe-mode Identifier.m_SpecialMode[0] = *(uint8_t *)(KUSER_SHARED_DATA + 0x2EC); // Test-signing mode + static auto ZwQuerySystemInformation = Syscalls->Find(FNV("ZwQuerySystemInformation")); + + // 0x02 CODEINTEGRITY_OPTION_TESTSIGN + // 0x20 CODEINTEGRITY_OPTION_TEST_BUILD + // 0x80 CODEINTEGRITY_OPTION_DEBUGMODE_ENABLED + + CodeIntegrityInformation Info{ sizeof CodeIntegrityInformation }; + NTSTATUS Status = ZwQuerySystemInformation(0x67, &Info, sizeof Info, nullptr); + + if(NT_ERROR(Status)) + ERROR_ASSERT(STR("[00CF:%08x] Critical execution error."), Status); + + if(Info.m_Options & 0x02) + Identifier.m_SpecialMode[1] = true; + + if(Info.m_Options & 0x20) + Identifier.m_SpecialMode[2] = true; + + if(Info.m_Options & 0x40) + Identifier.m_SpecialMode[3] = true; + + VMProtectEnd(); - return HardwareIdentifier{}; + return Identifier; } #pragma optimize("", off) -- cgit v1.2.3