From b9702fe8541e61f27f5c788dc72feaefe5abfc0d Mon Sep 17 00:00:00 2001 From: boris Date: Tue, 1 Jan 2019 14:35:30 +1300 Subject: eeeeeeeeeeeeeeek --- .../csgo-client/Security/RuntimeSecurity.cpp | 169 +++++++++++++++------ 1 file changed, 122 insertions(+), 47 deletions(-) (limited to 'csgo-loader/csgo-client/Security') diff --git a/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp b/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp index f9825c0..ab2ea87 100644 --- a/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp +++ b/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp @@ -135,8 +135,12 @@ namespace Security #define CheckStatus() if(Status != MH_OK) { return false; } #define SafeCallTo(Function) Status = Function; CheckStatus(); +#pragma optimize("", off) + bool RuntimeSecurity::ApplyApiHooks() { + WRAP_IF_RELEASE(MUTATE_START); + // Make sure that MinHook is initialized properly. CreateMinHook(); CheckStatus(); @@ -155,8 +159,12 @@ namespace Security SafeCallTo(MH_EnableHook(&send)); return true; + + WRAP_IF_RELEASE(MUTATE_END); } +#pragma optimize("", on) + void RuntimeSecurity::PatchDebugFunctions() { WRAP_IF_RELEASE(VM_EAGLE_WHITE_START); @@ -181,7 +189,7 @@ namespace Security uintptr_t Exports[] = { Export_DbgUiRemoteBreakin, Export_DbgBreakPoint, - //Export_NtContinue // This causes a lot of crashes ATM while debugging, leave this out till release. + Export_NtContinue // This causes a lot of crashes ATM while debugging, leave this out till release. }; for(auto &It : Exports) 
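Review bot: The new `#pragma optimize("", off)` placed before ApplyApiHooks has no comment saying why the optimizer must be disabled for this function, and the MinHook calls themselves give no reason for it. Presumably it is there so the `WRAP_IF_RELEASE(MUTATE_START)` marker added at the top of the body and its `MUTATE_END` counterpart further down survive in place for the protector; if so, say it: `// Optimizer stays off here: the MUTATE_START/MUTATE_END markers must remain in place and in order for the protector to find them.` Note also that every `CheckStatus()` between the markers returns early, so a failing MinHook call leaves the marked region without ever reaching MUTATE_END — whether the protector tolerates an open region depends on its SDK and should be confirmed. The function body continues past the end of this hunk.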
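Review bot: `WRAP_IF_RELEASE(MUTATE_END);` is placed after `return true;`, so it is unreachable — the end marker is never executed on any path, and whatever region MUTATE_START opened is never closed at runtime. If the protector expects both markers on the executed path, move it above the return, `WRAP_IF_RELEASE(MUTATE_END); return true;`, and consider routing the `CheckStatus()` failure path (which also exits between the markers) through the same tail so a failed hook does not skip the end marker either. The start of ApplyApiHooks, including the MUTATE_START marker, is in the previous hunk.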
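Review bot: `Export_NtContinue` is re-enabled in the `Exports` array but the trailing comment still reads `// This causes a lot of crashes ATM while debugging, leave this out till release.`, which now contradicts the code. Either the crashes are fixed, in which case replace the comment with something like `// NtContinue patching crashed under a debugger earlier; re-verify before release.`, or they are not, in which case the entry belongs inside a release-only guard rather than being unconditionally active. What the loop does to each export is not visible (the `for(auto &It : Exports)` body continues past this hunk), so I cannot tell whether patching NtContinue — which sits on the normal exception-return path — also affects exception dispatch the game itself relies on; that is worth confirming before shipping.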
@@ -224,20 +232,24 @@ namespace Security { WRAP_IF_RELEASE(VM_EAGLE_BLACK_START); - // Yeah, um, your code did absolutely fuck all in my analysis VM. - int32_t VirtualMachineChecksum = 0x4000; + for(;;) + { + // Yeah, um, your code did absolutely fuck all in my analysis VM. + int32_t VirtualMachineChecksum = 0x4000; - WRAP_IF_RELEASE( - CHECK_VIRTUAL_PC(VirtualMachineChecksum, 0x2000); + WRAP_IF_RELEASE( + CHECK_VIRTUAL_PC(VirtualMachineChecksum, 0x2000); - WRAP_IF_RELEASE(STR_ENCRYPT_START); + WRAP_IF_RELEASE(STR_ENCRYPT_START); if(VirtualMachineChecksum != 0x2000) SecurityCallback(__FUNCSIG__); - WRAP_IF_RELEASE(STR_ENCRYPT_END); - ); + WRAP_IF_RELEASE(STR_ENCRYPT_END); + ); + + // Don't put too much stress on the CPU. + Sleep(VirtualMachineChecksum); + } - // Don't put too much stress on the CPU. - Sleep(VirtualMachineChecksum); WRAP_IF_RELEASE(VM_EAGLE_BLACK_END); } 
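Review bot: The `for(;;)` added around the VM check has no exit condition, so this function never returns to its caller once started; if it runs on a thread that anything later waits on or joins (the caller and the function signature are outside this hunk), that wait will hang. The loop also keeps `Sleep(VirtualMachineChecksum)` as its interval, so the poll period is whatever the protector left in the checksum variable — presumably 0x2000 ms once `CHECK_VIRTUAL_PC` has passed, and the initial 0x4000 in builds where `WRAP_IF_RELEASE` compiles the check away — rather than a deliberately chosen value; `constexpr DWORD kVmPollIntervalMs = 0x2000;` and `Sleep(kVmPollIntervalMs);` would decouple the interval from the check result. Since the whole check, including the `SecurityCallback` call, is inside the release wrapper, a debug build now just sleeps forever here; a one-line comment saying so would stop someone mistaking it for an active check.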
@@ -245,21 +257,60 @@ namespace Security void RuntimeSecurity::CheckForDebugger() { WRAP_IF_RELEASE(VM_EAGLE_BLACK_START); + WRAP_IF_RELEASE(STR_ENCRYPT_START); - // Read the PEB from the TIB. - // Offset for x86 is 0x30 ; mov ..., dword ptr fs:[0x30] - // Offset for x64 is 0x60 ; mov ..., qword ptr gs:[0x60] - PEB *ProcessEnvBlock = (PEB *)__readgsqword(0x60); - - // if(ProcessEnvBlock->BeingDebugged) - // SecurityCallback(); - - // TODO: Check for x64dbg window? + for(;;) + { + // Read the PEB from the TIB. + // Offset for x86 is 0x30 ; mov ..., dword ptr fs:[0x30] + // Offset for x64 is 0x60 ; mov ..., qword ptr gs:[0x60] + PEB *ProcessEnvBlock = (PEB *)__readgsqword(0x60); + + //if(ProcessEnvBlock->BeingDebugged) + // SecurityCallback(__FUNCSIG__); + + // TODO: Check for x64dbg window? + /* + ------------------------------ + HWND: 000305A4 + HWND->m_Class = "ID" + HWND->m_Text = "Immunity + ------------------------------ + HWND: 00060574 + HWND->m_Class = || NON CONSTANT || + HWND->m_Text = "x64dbg" + ------------------------------ + HWND: 002C0680 + HWND->m_Class = || NON CONSTANT || + HWND->m_Text = "Progress Telerik Fiddler Web Debugger" + ------------------------------ + HWND: 000406E4 + HWND->m_Class = "OLLYDBG" + HWND->m_Text = "OllyDbg" + ------------------------------ + */ + using WindowParams = std::pair; + static std::vector BlackListedWindows = { + {"ID", "Immunity"}, // Immunity Debugger + {"Qt5QWindowIcon", "x64dbg"}, // x64dbg + {"Qt5QWindowIcon", "x32dbg"}, // x32dbg + {"OLLYDBG", "OllyDbg"}, // OllyDbg + {nullptr, "Progress Telerik Fiddler Web Debugger"}, // Telerik Fiddler + }; + + for(auto &It : BlackListedWindows) + { + // size_t Index = std::distance(...); + if(FindWindowA(It.first, It.second)) + SecurityCallback(__FUNCSIG__); + } - // Don't put too much stress on the CPU. - Sleep(150); + // Don't put too much stress on the CPU. + Sleep(150); + } + WRAP_IF_RELEASE(STR_ENCRYPT_END); WRAP_IF_RELEASE(VM_EAGLE_BLACK_END); } 
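Review bot: The blacklist pairs x64dbg/x32dbg with the window class `"Qt5QWindowIcon"`, but the author's own window dump a few lines above records that class as `|| NON CONSTANT ||`; `FindWindowA` needs both class and title to match exactly, so whenever the class differs the debugger is not found and the check silently passes. Use `{nullptr, "x64dbg"}` and `{nullptr, "x32dbg"}` as the Fiddler entry already does, and keep in mind that exact title matching is fragile anyway — a debugger that puts the loaded file name in its title will not equal the bare string, so an `EnumWindows` substring match would be more robust. Two smaller things: `ProcessEnvBlock` is read via `__readgsqword(0x60)` every iteration and then never used because the `BeingDebugged` check is still commented out, and `using WindowParams = std::pair;` / `static std::vector BlackListedWindows` appear here without template arguments — most likely lost in rendering, but if not they must read `std::pair<const char *, const char *>` and `std::vector<WindowParams>`.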
@@ -267,10 +318,16 @@ namespace Security { WRAP_IF_RELEASE(VM_EAGLE_BLACK_START); - // TODO: + // TODO: Check if test-signing mode is on + // TODO: Check if safe-mode is on - // Don't put too much stress on the CPU. - Sleep(150); + // TODO: Check for disallowed drivers + for(;;) + { + + // Don't put too much stress on the CPU. + Sleep(150); + } WRAP_IF_RELEASE(VM_EAGLE_BLACK_END); } @@ -279,28 +336,32 @@ namespace Security { WRAP_IF_RELEASE(VM_EAGLE_BLACK_START); - int32_t CodeIntegrityChecksum = 0x2000; + for(;;) + { + int32_t CodeIntegrityChecksum = 0x2000; - WRAP_IF_RELEASE( - CHECK_CODE_INTEGRITY(CodeIntegrityChecksum, 0x4000); + WRAP_IF_RELEASE( + CHECK_CODE_INTEGRITY(CodeIntegrityChecksum, 0x4000); - WRAP_IF_RELEASE(STR_ENCRYPT_START); + WRAP_IF_RELEASE(STR_ENCRYPT_START); if(CodeIntegrityChecksum != 0x4000) SecurityCallback(__FUNCSIG__); - WRAP_IF_RELEASE(STR_ENCRYPT_END); - ); + WRAP_IF_RELEASE(STR_ENCRYPT_END); + ); - WRAP_IF_RELEASE( - CHECK_PROTECTION(CodeIntegrityChecksum, 0x4000); + WRAP_IF_RELEASE( + CHECK_PROTECTION(CodeIntegrityChecksum, 0x4000); - WRAP_IF_RELEASE(STR_ENCRYPT_START); - if(CodeIntegrityChecksum != 0x4000) - SecurityCallback(__FUNCSIG__); - WRAP_IF_RELEASE(STR_ENCRYPT_END); - ); + WRAP_IF_RELEASE(STR_ENCRYPT_START); + if(CodeIntegrityChecksum != 0x4000) + SecurityCallback(__FUNCSIG__); + WRAP_IF_RELEASE(STR_ENCRYPT_END); + ); + + // Don't put too much stress on the CPU. + Sleep(CodeIntegrityChecksum); + } - // Don't put too much stress on the CPU. - Sleep(CodeIntegrityChecksum); WRAP_IF_RELEASE(VM_EAGLE_BLACK_END); } 
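Review bot: The new `for(;;)` loop only calls `Sleep(150)` — the three checks it is meant to host (test-signing mode, safe mode, disallowed drivers) are still TODOs — so this adds a thread that runs for the life of the process, does no work, and like the other loops in this commit cannot be stopped. Until the checks exist, either leave the function as a single-pass no-op or make the placeholder explicit inside the loop: `// Placeholder: loops so the thread shape matches the other checks; no driver/signing checks implemented yet.` The stray blank line at the top of the loop body should also go. The function's signature is outside this hunk.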
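Review bot: The second check in the loop, `CHECK_PROTECTION(CodeIntegrityChecksum, 0x4000)`, reuses the variable that the first check has just set to 0x4000 and then compares against 0x4000 again, so if the protection check is compiled out, skipped or fails to write the variable, `CodeIntegrityChecksum != 0x4000` is false and the check passes vacuously — it fails open. Reset the variable to a value that cannot satisfy the comparison before the second check, `CodeIntegrityChecksum = 0x2000;` immediately before `CHECK_PROTECTION(...)`, so only the macro actually running can make it pass; the VM check in the earlier hunk already follows that pattern by starting at 0x4000 and expecting 0x2000. As in the other loops, `Sleep(CodeIntegrityChecksum)` ties the poll interval to the check result, and a named constant would be clearer. The function's opening lines are outside this hunk.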
@@ -331,21 +392,24 @@ namespace Security return HardwareIdentifier{}; } +#pragma optimize("", off) + MEMORY_BASIC_INFORMATION RuntimeSecurity::QueryMemory(void *Address) { static auto ZwQueryVirtualMemory = Syscalls->Find(FNV("ZwQueryVirtualMemory")); - MEMORY_BASIC_INFORMATION Result; - - NTSTATUS Status = ZwQueryVirtualMemory(GetCurrentProcess(), Address, 0, &Result, sizeof Result, nullptr); + MEMORY_BASIC_INFORMATION Result{}; + NTSTATUS Status = ZwQueryVirtualMemory((HANDLE)-1, Address, 0, &Result, sizeof Result, nullptr); if(NT_ERROR(Status)) { - char ReasonParameter[64]; WRAP_IF_DEBUG(sprintf_s(ReasonParameter, "[QueryMemory] NTSTATUS: %08x", Status)); - WRAP_IF_RELEASE(sprintf_s(ReasonParameter, "[00DF:%08x] There was an error with accessing a process.", Status)); + WRAP_IF_RELEASE( + sprintf_s(ReasonParameter, "[00DF:%08x] There was an error with accessing a process.", Status); + ERROR_ASSERT(ReasonParameter); + ); // yeet SecurityCallback(ReasonParameter); @@ -358,21 +422,32 @@ namespace Security { WRAP_IF_RELEASE(VM_FISH_WHITE_START); - // TODO: Implement something that bans the user or notifies - // you if someone tampers with the loader. static bool TriggeredCallback = false; if(!TriggeredCallback) { WRAP_IF_RELEASE(STR_ENCRYPT_START); + + // You can use the reason parameters to debug the security in case + // something weird starts going on with it. char Buffer[2048]; sprintf_s(Buffer, "Security callback was called. Reason parameter: \"%s\"\n", Reason); - + MessageBoxA(0, Buffer, "Information", MB_ICONINFORMATION | MB_OK); + + + // The process will straight up die on Release mode. + // Compile with FuckMSVC to debug this. + WRAP_IF_RELEASE( + ExitProcess(rand() % RAND_MAX); + ); + TriggeredCallback = true; WRAP_IF_RELEASE(STR_ENCRYPT_END); } WRAP_IF_RELEASE(VM_FISH_WHITE_END); } + +#pragma optimize("", on) } \ No newline at end of file -- cgit v1.2.3
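Review bot: `QueryMemory` still decides failure with `NT_ERROR(Status)`, which is true only for error-severity statuses; a warning-severity status from `ZwQueryVirtualMemory` would skip the callback and return the freshly zero-initialised `Result{}` as if it described a valid region. Treat any non-success status as failure instead: `if(!NT_SUCCESS(Status))`. The release message formatted into `char ReasonParameter[64]` is 60 characters plus the terminator, so any lengthening of that text will trip `sprintf_s`'s invalid-parameter handling; a larger buffer would remove that trap. What `ERROR_ASSERT` does on the release path is not visible here — if it terminates, the `SecurityCallback(ReasonParameter)` below it is dead in release builds and that should be confirmed. The return of `Result` is past the end of this hunk.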
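Review bot: The added `MessageBoxA(0, Buffer, "Information", ...)` sits outside any `WRAP_IF_DEBUG`, so in release builds the detection reason — the `__FUNCSIG__` of the check that fired, which names the routine — is shown to the user in a modal box before `ExitProcess` runs; that tells an attacker exactly which check caught them and gives them a convenient pause point, undoing the purpose of the `STR_ENCRYPT` wrapper around this block. Gate it with the debug wrapper: `WRAP_IF_DEBUG(MessageBoxA(0, Buffer, "Information", MB_ICONINFORMATION | MB_OK));`. Separately, `ExitProcess(rand() % RAND_MAX)` is not random unless `srand` is called somewhere not shown — an unseeded `rand()` yields the same first value every run — and `% RAND_MAX` only maps the single value RAND_MAX to 0; if the exit code is meant to look arbitrary, draw it from a real entropy source, otherwise use a fixed, documented code. `TriggeredCallback` is a plain `static bool` written by whichever of the new polling threads fires first, so two simultaneous detections can both pass `if(!TriggeredCallback)`; harmless in release since the process exits, but in debug it can produce two boxes.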