From e1f048c8f922613aec1f63791c2191e55cbd5132 Mon Sep 17 00:00:00 2001 From: boris Date: Thu, 3 Jan 2019 16:51:40 +1300 Subject: ricardo milos :DDDD::D:D:D: --- .../csgo-client/Security/RuntimeSecurity.cpp | 106 +++++++++++++++------ .../csgo-client/Security/RuntimeSecurity.hpp | 8 ++ 2 files changed, 87 insertions(+), 27 deletions(-) (limited to 'csgo-loader/csgo-client/Security') diff --git a/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp b/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp index 7f528e3..6054790 100644 --- a/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp +++ b/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp @@ -44,6 +44,25 @@ namespace Security return oOpenProcess(AccessLevel, Inherit, ProcessId); } + + decltype(&FindWindowA) oFindWindow; + HWND __stdcall Hooked_FindWindow(const char *Class, const char *Text) + { + // Determine where the return address of the function actually points. + void *Address = _ReturnAddress(); + MEMORY_BASIC_INFORMATION Query = Protection->QueryMemory(Address); + + // If the return address points outside of the loader module, + // fail the function. + HMODULE ReturnModule = (HMODULE)Query.AllocationBase; + HMODULE LoaderModule = GetModuleHandleA(NULL); + + if(ReturnModule != LoaderModule) + return []() { Protection->SecurityCallback(STR("Malicious activity [Tampering].")); return HWND{}; }(); + + return oFindWindow(Class, Text); + } + decltype(&ExitProcess) oExitProcess; void __stdcall Hooked_ExitProcess(DWORD ExitCode) { @@ -62,7 +81,6 @@ namespace Security decltype(&recv) oWSARecv; int __stdcall Hooked_WSARecv(SOCKET Socket, char *Buffer, int Length, int Flags) { - // Determine where the return address of the function actually points. void *Address = _ReturnAddress(); MEMORY_BASIC_INFORMATION Query = Protection->QueryMemory(Address); 
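Review bot: In Hooked_FindWindow the failure path wraps one callback call and a null return in an immediately-invoked lambda, which reads as a trick rather than intent; the other hooks in this file invoke the callback directly, so `Protection->SecurityCallback(STR("Malicious activity [Tampering]."));` followed by `return nullptr;` would match them. Comparing `Query.AllocationBase` with `GetModuleHandleA(NULL)` rejects every caller outside the main image, which includes DLLs legitimately loaded into the process (overlays, IME or accessibility hooks), and if QueryMemory yields a zeroed struct on a failed query — not visible in this hunk — that failure is reported as tampering rather than as an error; whichever is intended should be stated in the comment above the check. On the NULL path no last error is set, so a caller that inspects GetLastError() after the result sees whatever the previous API call left there.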
@@ -86,7 +104,6 @@ namespace Security decltype(&send) oWSASend; int __stdcall Hooked_WSASend(SOCKET Socket, char *Buffer, int Length, int Flags) { - // Determine where the return address of the function actually points. void *Address = _ReturnAddress(); MEMORY_BASIC_INFORMATION Query = Protection->QueryMemory(Address); @@ -129,6 +146,9 @@ namespace Security // Apply any hooks. SafeCallTo(MH_CreateHook(&OpenProcess, Hooked_OpenProcess, (void **)&oOpenProcess)); SafeCallTo(MH_EnableHook(&OpenProcess)); + + SafeCallTo(MH_CreateHook(&FindWindowA, Hooked_FindWindow, (void **)&oFindWindow)); + SafeCallTo(MH_EnableHook(&FindWindowA)); SafeCallTo(MH_CreateHook(&ExitProcess, Hooked_ExitProcess, (void **)&oExitProcess)); SafeCallTo(MH_EnableHook(&ExitProcess)); @@ -148,7 +168,7 @@ namespace Security void RuntimeSecurity::PatchDebugFunctions() { - HMODULE Module = GetModuleHandleA("ntdll.dll"); + HMODULE Module = GetModuleHandleA(STR("ntdll.dll")); if(!Module) ERROR_ASSERT(STR("[000F:00001A00] Failed to initialize. Please contact an administrator.")); @@ -261,6 +281,8 @@ namespace Security void RuntimeSecurity::CheckForDrivers() { + VMProtectBeginMutation("DriverThread"); + // TODO: Check for disallowed drivers for(;;) { 
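Review bot: In ApplyApiHooks the FindWindowA hook is enabled immediately after it is created, before the ExitProcess and later hooks are installed, so Hooked_FindWindow and its SecurityCallback path are live while the rest of the hook set is still being set up. That follows the pattern of the existing pairs, but creating every hook first and then issuing a single `SafeCallTo(MH_EnableHook(MH_ALL_HOOKS));` would make activation of the whole set atomic and remove the repeated enable calls. ApplyApiHooks begins and ends outside this hunk.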
@@ -313,21 +335,41 @@ namespace Security // Don't put too much stress on the CPU. Sleep(1); } + + VMProtectEnd(); } void RuntimeSecurity::CheckForTampering() { + VMProtectBeginMutation("TamperThread"); + for(;;) { - if(!VMProtectIsProtected()) - SecurityCallback(STR("Malicious activity [Tampering].")); + if(m_Identifier.m_SpecialMode[SAFE_MODE]) + ERROR_ASSERT(STR("[000F:00003D00] This program cannot run under Safe Mode.\nPlease reboot your system and select 'Normal Mode'.")); + + if(m_Identifier.m_SpecialMode[TEST_SIGN_MODE]) + ERROR_ASSERT(STR("[000F:00003D00] This program cannot run under Test Signing Mode.\nPlease reboot your system and select 'Normal Mode'.")); + + if(m_Identifier.m_SpecialMode[DEBUGGING_MODE]) + SecurityCallback(STR("Malicious activity [Plausible].")); + + if(m_Identifier.m_SpecialMode[TEST_BUILD_MODE]) + SecurityCallback(STR("Malicious activity [Plausible].")); - if(!VMProtectIsValidImageCRC()) - SecurityCallback(STR("Malicious activity [Tampering].")); + // Check if the file was unpacked. + //if(!VMProtectIsProtected()) + // SecurityCallback(STR("Malicious activity [Tampering].")); + + // Check if the image in memory was partially unpacked or patched. + //if(!VMProtectIsValidImageCRC()) + // SecurityCallback(STR("Malicious activity [Tampering].")); // Don't put too much stress on the CPU. Sleep(1); } + + VMProtectEnd(); } #pragma optimize("", on) @@ -335,21 +377,6 @@ namespace Security // The following functions are exposed publicly. /////////////////////////////////////////////////////////// - bool RuntimeSecurity::Start() - { - // If hooking API functions fails, exit the program. - if(!ApplyApiHooks()) - return false; - - // Dispatch threads before patching NtContinue & co. - DispatchSecurityThreads(); - - // Patch DbgUiRemoteBreakin, DbgBreakPoint, NtContinue - // This also fucks up detours for some reason... only extra protection :-) - PatchDebugFunctions(); - - return true; - } constexpr uintptr_t KUSER_SHARED_DATA = 0x7FFE0000; 
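Review bot: CheckForTampering now reads m_Identifier.m_SpecialMode on every iteration, but m_Identifier is only filled by SetupSystemIdentifier(), which Start() (hunk @@ -437,11 +467,33) calls after DispatchSecurityThreads(); the thread can therefore run its first iterations against an unpopulated identifier, and the member is read without synchronization while the starting thread assigns it. Calling `SetupSystemIdentifier();` before `DispatchSecurityThreads();` in Start() closes that window, and since these four flags do not change for the life of the process the checks belong once before the `for(;;)` rather than inside a 1 ms loop. With VMProtectIsProtected and VMProtectIsValidImageCRC commented out the loop body no longer checks anything, so a comment on why they were disabled would stop the next reader re-enabling them blindly. The Safe Mode and Test Signing Mode asserts share the code `[000F:00003D00]`, so support cannot tell the two conditions apart; the second deserves a distinct code. The `VMProtectEnd();` after an unconditional `for(;;)` is unreachable, which is fine for a region marker but merits a one-line comment saying so.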
@@ -399,14 +426,14 @@ namespace Security return 0; } - HardwareIdentifier RuntimeSecurity::GetHardwareId() + void RuntimeSecurity::SetupSystemIdentifier() { - VMProtectBeginMutation("HardwareIdentifier"); + VMProtectBeginUltra("SetupHWID"); HardwareIdentifier Identifier{}; // CPU information - Identifier.m_CpuCount = *(uint32_t *)(KUSER_SHARED_DATA + 0x3C0); + Identifier.m_CpuCount = *(uint32_t *)(KUSER_SHARED_DATA + 0x3C0); Identifier.m_CpuArchitecture = *(uint16_t *)(KUSER_SHARED_DATA + 0x26A); // HDD serial number @@ -425,8 +452,11 @@ namespace Security CodeIntegrityInformation Info{ sizeof CodeIntegrityInformation }; NTSTATUS Status = ZwQuerySystemInformation(0x67, &Info, sizeof Info, nullptr); + if(!VMProtectGetCurrentHWID(Identifier.m_CustomDetail, 256)) + ERROR_ASSERT(STR("[000F:00001A00] Failed to initialize. Please contact an administrator.")); + if(NT_ERROR(Status)) - ERROR_ASSERT(STR("[00CF:%08x] Critical execution error."), Status); + ERROR_ASSERT(STR("[000F:00001A00] Failed to initialize. Please contact an administrator.")); if(Info.m_Options & 0x02) Identifier.m_SpecialMode[1] = true; @@ -437,11 +467,33 @@ namespace Security if(Info.m_Options & 0x40) Identifier.m_SpecialMode[3] = true; + m_Identifier = Identifier; + VMProtectEnd(); + } + + bool RuntimeSecurity::Start() + { + WRAP_IF_RELEASE( + // If hooking API functions fails, exit the program. + if(!ApplyApiHooks()) + return false; - return Identifier; + // Dispatch threads before patching NtContinue & co. + DispatchSecurityThreads(); + + // Patch DbgUiRemoteBreakin, DbgBreakPoint, NtContinue + // This also fucks up detours for some reason... only extra protection :-) + PatchDebugFunctions(); + ); + + SetupSystemIdentifier(); + + return true; } + HardwareIdentifier RuntimeSecurity::GetHardwareId() { return m_Identifier; } + #pragma optimize("", off) __declspec(noinline) MEMORY_BASIC_INFORMATION RuntimeSecurity::QueryMemory(void *Address) 
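Review bot: The buffer size in `VMProtectGetCurrentHWID(Identifier.m_CustomDetail, 256)` repeats the array bound from the header by hand; `VMProtectGetCurrentHWID(Identifier.m_CustomDetail, sizeof Identifier.m_CustomDetail)` keeps the two in step and matches the `sizeof Info` style already used two lines above. The new call is also inserted between `ZwQuerySystemInformation` and the `NT_ERROR(Status)` test, so the status sits unchecked across an unrelated call; test Status first, then query the HWID. Whether a zero return is the only failure signal — rather than, say, a required-size value when the buffer is too small — is not visible here and should be confirmed against the SDK before `!VMProtectGetCurrentHWID(...)` is relied on as the guard. The replacement message also drops the `%08x` Status that the old `[00CF:%08x]` text carried and reuses `[000F:00001A00]` from the HWID failure, so an NT error and an HWID failure are now indistinguishable in user reports.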
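Review bot: GetHardwareId() now returns whatever m_Identifier holds, which is only meaningful once Start() has run SetupSystemIdentifier(); before this change it computed the identifier on demand, so a caller that reads the HWID before Start() silently receives an empty struct, or an indeterminate one if the RuntimeSecurity object was not zero-initialised. The accessor should record that precondition: `// Snapshot taken by SetupSystemIdentifier(); only valid after Start().` In non-release builds WRAP_IF_RELEASE strips the hook, thread and patch steps yet Start() still returns true, so the return value no longer says whether any protection is active; if callers branch on it, that should be stated in the comment on Start().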
diff --git a/csgo-loader/csgo-client/Security/RuntimeSecurity.hpp b/csgo-loader/csgo-client/Security/RuntimeSecurity.hpp index 06df3bf..6446a08 100644 --- a/csgo-loader/csgo-client/Security/RuntimeSecurity.hpp +++ b/csgo-loader/csgo-client/Security/RuntimeSecurity.hpp @@ -74,6 +74,9 @@ namespace Security // Hash of the hard disk serial identifier. uint64_t m_HardDiskSerialHash; + // VMP HWID + char m_CustomDetail[256]; + // Safe-mode/Test-signing mode status uint8_t m_SpecialMode[4]; }; @@ -87,6 +90,8 @@ namespace Security // any potentially malicious actions from users. class RuntimeSecurity { + HardwareIdentifier m_Identifier; + protected: // Applies necessary API hooks. bool ApplyApiHooks(); @@ -97,6 +102,9 @@ namespace Security // Dispatches security threads. void DispatchSecurityThreads(); + // Grabs all hardware data. + void SetupSystemIdentifier(); + // The following functions are used in security threads to run checks. void CheckForVirtualMachine(); -- cgit v1.2.3
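Review bot: `char m_CustomDetail[256];` introduces a bound that the .cpp side repeats as a bare `256` in the VMProtectGetCurrentHWID call; a shared constant such as `static constexpr size_t kCustomDetailSize = 256;` (name illustrative) used by both, or `sizeof` at the call site, keeps them from drifting. The comment `// VMP HWID` does not say whether the buffer is NUL-terminated or fixed-width, which matters if HardwareIdentifier is ever hashed or compared as raw bytes; once confirmed, something like `// VMProtect hardware id, filled by SetupSystemIdentifier(); NUL-terminated` would do. The context comment `// Safe-mode/Test-signing mode status` on m_SpecialMode is now stale, since the tamper thread also reads DEBUGGING_MODE and TEST_BUILD_MODE slots from the same array.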
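Review bot: `HardwareIdentifier m_Identifier;` has no initializer, so unless every RuntimeSecurity instance is zero-initialised its buffer and m_SpecialMode flags hold indeterminate values until SetupSystemIdentifier() assigns it — and the security threads read those flags. `HardwareIdentifier m_Identifier{};` gives a defined empty state regardless of how the object is constructed. A comment stating who writes it and when, `// Written once by SetupSystemIdentifier() during Start(); read by the security threads.`, would also document the lifetime the class relies on.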