From a5acd4c9a3b24c9d5af3a8f504e5af053fa7fa09 Mon Sep 17 00:00:00 2001
From: boris
Date: Thu, 20 Dec 2018 21:38:04 +1300
Subject: yo is this loss
---
.../csgo-client/Security/SyscallManager.cpp | 40 ++++++++++++++--------
1 file changed, 25 insertions(+), 15 deletions(-)
(limited to 'csgo-loader/csgo-client/Security/SyscallManager.cpp')
diff --git a/csgo-loader/csgo-client/Security/SyscallManager.cpp b/csgo-loader/csgo-client/Security/SyscallManager.cpp
index 55d68a3..9de2459 100644
--- a/csgo-loader/csgo-client/Security/SyscallManager.cpp
+++ b/csgo-loader/csgo-client/Security/SyscallManager.cpp
@@ -4,17 +4,21 @@ // Global accessor for SyscallManager. Wrapper::SyscallManagerPtr Syscalls = std::make_unique(); -namespace Wrapper { - void SyscallStub::SetIndex(uint32_t Index) { +namespace Wrapper +{ + void SyscallStub::SetIndex(uint32_t Index) + { unsigned long OldProtection{}; - + // Make the code executable and set the index. - if(VirtualProtect(m_Shellcode, sizeof m_Shellcode, PAGE_EXECUTE_READWRITE, &OldProtection)) { + if(VirtualProtect(m_Shellcode, sizeof m_Shellcode, PAGE_EXECUTE_READWRITE, &OldProtection)) + { *(uint32_t *)(&m_Shellcode[4]) = Index; } } - ByteArray SyscallManager::GetNtdllFromDisk() { + ByteArray SyscallManager::GetNtdllFromDisk() + { char SystemPath[MAX_PATH]; GetSystemDirectoryA(SystemPath, MAX_PATH);
@@ -42,7 +46,8 @@ namespace Wrapper { } // Stolen :-) - uint64_t SyscallManager::GetRawOffsetByRva(IMAGE_SECTION_HEADER *SectionHeader, uint64_t Sections, uint64_t FileSize, uint64_t Rva) { + uint64_t SyscallManager::GetRawOffsetByRva(IMAGE_SECTION_HEADER *SectionHeader, uint64_t Sections, uint64_t FileSize, uint64_t Rva) + { IMAGE_SECTION_HEADER *Header = GetSectionByRva(SectionHeader, Sections, Rva); if(!Header)
@@ -59,10 +64,12 @@ namespace Wrapper { return Offset; } - IMAGE_SECTION_HEADER *SyscallManager::GetSectionByRva(IMAGE_SECTION_HEADER *SectionHeader, uint64_t Sections, uint64_t Rva) { + IMAGE_SECTION_HEADER *SyscallManager::GetSectionByRva(IMAGE_SECTION_HEADER *SectionHeader, uint64_t Sections, uint64_t Rva) + { IMAGE_SECTION_HEADER *Header = SectionHeader; - for(size_t i{}; i < Sections; ++i, ++Header) { + for(size_t i{}; i < Sections; ++i, ++Header) + { uint64_t VirtualAddress = Header->VirtualAddress; uint64_t AddressBounds = VirtualAddress + Header->SizeOfRawData;
@@ -74,9 +81,10 @@ namespace Wrapper { } // Sick macros, retard. - #define GetRvaPointer(Rva) (Buffer + GetRawOffsetByRva(SectionHeader, SectionCount, FileSize, Rva)) +#define GetRvaPointer(Rva) (Buffer + GetRawOffsetByRva(SectionHeader, SectionCount, FileSize, Rva)) - bool SyscallManager::Start() { + bool SyscallManager::Start() + { // Read contents of NTDLL. ByteArray Ntdll = GetNtdllFromDisk();
@@ -101,7 +109,7 @@ namespace Wrapper { if(!SectionHeader) return false; - + uint64_t ExportRva = NtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; uint64_t ExportSize = NtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size; uint64_t ExportRaw = GetRawOffsetByRva(SectionHeader, SectionCount, FileSize, ExportRva);
@@ -120,7 +128,8 @@ namespace Wrapper { return false; // Loop each exported symbol. - for(uint32_t n{}; n < ExportDirectory->NumberOfNames; ++n) { + for(uint32_t n{}; n < ExportDirectory->NumberOfNames; ++n) + { uint32_t NameRva = Names[n]; uint32_t FunctionRva = Functions[Ordinals[n]];
@@ -129,10 +138,11 @@ namespace Wrapper { // We've found a syscall. uint8_t *Opcodes = (uint8_t *)(Buffer + FunctionRawOffset); - - if(!memcmp(Opcodes, "\x4C\x8B\xD1\xB8", 4)) { + + if(!memcmp(Opcodes, "\x4C\x8B\xD1\xB8", 4)) + { uint32_t SyscallIndex = *(uint32_t *)(Buffer + FunctionRawOffset + 4); - + char *SyscallName = (char *)(Buffer + NameRawOffset); uint64_t SyscallNameHash = fnv::hash_runtime(SyscallName);
--
cgit v1.2.3