From 4db29589a61f2e7cb663c5734f911c02206c7997 Mon Sep 17 00:00:00 2001 From: boris Date: Wed, 9 Jan 2019 20:51:16 +1300 Subject: whole buncha shit FIXME: loader currently corrupts heap on injection because i am retarded --- csgo-loader/csgo-client/Client.cpp | 55 ++++---- csgo-loader/csgo-client/Client.hpp | 5 +- csgo-loader/csgo-client/Login/RemoteLogin.cpp | 3 + csgo-loader/csgo-client/Networking/TCPClient.cpp | 4 +- .../csgo-client/RemoteCode/RemoteCodeClient.cpp | 69 ---------- .../csgo-client/RemoteCode/RemoteCodeClient.hpp | 33 ----- .../RemoteCode/RemoteInjectionClient.cpp | 6 - .../RemoteCode/RemoteInjectionClient.hpp | 69 ---------- .../csgo-client/RemoteCode/RemoteMapper.cpp | 139 +++++++++++++++++++++ .../csgo-client/RemoteCode/RemoteMapper.hpp | 26 ++++ .../csgo-client/RemoteCode/RemoteProcess.cpp | 2 +- .../csgo-client/RemoteCode/RemoteProcess.hpp | 10 +- .../csgo-client/Security/RuntimeSecurity.cpp | 113 ++++++++--------- csgo-loader/csgo-client/csgo-client.vcxproj | 6 +- .../csgo-client/csgo-client.vcxproj.filters | 18 +-- 15 files changed, 268 insertions(+), 290 deletions(-) delete mode 100644 csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.cpp delete mode 100644 csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.hpp delete mode 100644 csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.cpp delete mode 100644 csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.hpp create mode 100644 csgo-loader/csgo-client/RemoteCode/RemoteMapper.cpp create mode 100644 csgo-loader/csgo-client/RemoteCode/RemoteMapper.hpp (limited to 'csgo-loader/csgo-client') diff --git a/csgo-loader/csgo-client/Client.cpp b/csgo-loader/csgo-client/Client.cpp index 05ceb0b..d7b266f 100644 --- a/csgo-loader/csgo-client/Client.cpp +++ b/csgo-loader/csgo-client/Client.cpp @@ -1,23 +1,11 @@ #include /* - TODO: - - Finish off shellcode execution wrapper: - - The shellcode can be executed via two ways - - Either the code is mapped and called via CreateRemoteThread (allows custom param) - - or the code is mapped and called via DX9 (does not allow custom param) - - This will probably be the easiest thing to do. - --nave note: you don't need any custom params it's entirely pointless, we can use a wiped PE header to pass all the data we need plus passing shit via dllmain is too obvious anyway, dumb idea - - Finish off injection wrapper: - - Allocate every memory page as a bunch of consecutive 4kb sections (in order to fuck with people trying to dump) - - - Have the loader inject a .DLL :^) - --nave note 2: what you haven't done and what will completely fuck us up if anyone competent gets the loader: loading the binary directly via the loader itself is completely stupid and unreasonable @@ -46,11 +34,7 @@ int __stdcall WinMain(HINSTANCE inst, HINSTANCE prev, char* str, int cmdshow) Utils::OpenConsole(); ); - /////////////////////////////////////////////////////////////// - - //VMProtectBeginMutation("EntryPoint"); - - /////////////////////////////////////////////////////////////// + ////////////////////////////////////////////////////////////////////////////////////////// // Create a thread to handle UI. std::thread WindowThread([] @@ -64,6 +48,8 @@ int __stdcall WinMain(HINSTANCE inst, HINSTANCE prev, char* str, int cmdshow) while(!UserInterface->m_Data.m_Ready) { Sleep(1); } + ////////////////////////////////////////////////////////////////////////////////////////// + // Initialize the syscall manager. if(!Syscalls->Start()) ERROR_ASSERT(STR("[000F:00001B00] Failed to initialize. Please contact an administrator.")); @@ -80,11 +66,20 @@ int __stdcall WinMain(HINSTANCE inst, HINSTANCE prev, char* str, int cmdshow) printf("[DEBUG] Server IP: %08x\n", inet_addr("35.165.60.229")); ); + ////////////////////////////////////////////////////////////////////////////////////////// + + // Connect to server. Networking::TCPClientPtr Client = std::make_unique(); if(!Client->Start(LOCAL_IP, SERVER_PORT)) ERROR_ASSERT(STR("[000F:0002A000] Server closed the connection unexpectedly.")); + // Header for Client. + ByteArray Header{ 0x0A, 0x31, 0x42, 0x4D }; + Client->SendRawBytes(Header); + + ////////////////////////////////////////////////////////////////////////////////////////// + // Allow the user to input their log-in data. UserInterface->m_Data.m_ExecutionState = UserExperience::EXECUTION_LOG_IN; @@ -100,17 +95,29 @@ int __stdcall WinMain(HINSTANCE inst, HINSTANCE prev, char* str, int cmdshow) if(!LoginTransaction.TranslateResponse(LoginResponse)) ExitProcess(0); - // Allow the user to choose a cheat to inject. - UserInterface->m_Data.m_ExecutionState = UserExperience::EXECUTION_CHOOSE; + // Echo back to server. + Client->SendBytes(LoginResponse); + + ////////////////////////////////////////////////////////////////////////////////////////// + + // Receive loader module. + ByteArray LdrModule = Client->ReceiveBytes(); + + // Map loader module. + RemoteCode::RemoteProcess Process; - // TODO: Add game selection. - while(1) { if(GetAsyncKeyState(VK_END) & 0x8000) break; Sleep(1); } + if(!Process.Start(STR("explorer.exe"))) + ExitProcess(0); - /////////////////////////////////////////////////////////////// + RemoteCode::RemoteMapper Mapper; - //VMProtectEnd(); + if(!Mapper.Start(Process)) + ExitProcess(0); - /////////////////////////////////////////////////////////////// + if(!Mapper.WriteCodeToMap(LdrModule)) + ExitProcess(0); + + Mapper.ExecuteCodeFromMap(); } #pragma optimize("", on) \ No newline at end of file diff --git a/csgo-loader/csgo-client/Client.hpp b/csgo-loader/csgo-client/Client.hpp index 0f05a34..79f0a17 100644 --- a/csgo-loader/csgo-client/Client.hpp +++ b/csgo-loader/csgo-client/Client.hpp @@ -7,6 +7,8 @@ #define SERVER_IP 0xE53CA523 // Hexadecimal representation of the server IP, obtained by inet_addr() #define SERVER_PORT 0xF2C // Hexadecimal representation of the server port. +#define CLIENT_HEADER 0x4D42310A + // Security features (these will be initialised and ran // first, failure will terminate loader execution). #include @@ -20,8 +22,7 @@ #include #include -#include -#include +#include // It looked nasty in Client.cpp, so I'm putting it here. namespace Utils diff --git a/csgo-loader/csgo-client/Login/RemoteLogin.cpp b/csgo-loader/csgo-client/Login/RemoteLogin.cpp index 4a46da3..2385ab5 100644 --- a/csgo-loader/csgo-client/Login/RemoteLogin.cpp +++ b/csgo-loader/csgo-client/Login/RemoteLogin.cpp @@ -55,6 +55,9 @@ namespace Login bool RemoteLoginTransaction::TranslateResponse(ByteArray &RawResponse) { + if(RawResponse.empty()) + return false; + RemoteLoginResponse ServerResponse = *(RemoteLoginResponse *)&RawResponse[0]; WRAP_IF_DEBUG( diff --git a/csgo-loader/csgo-client/Networking/TCPClient.cpp b/csgo-loader/csgo-client/Networking/TCPClient.cpp index c974f88..2ff5095 100644 --- a/csgo-loader/csgo-client/Networking/TCPClient.cpp +++ b/csgo-loader/csgo-client/Networking/TCPClient.cpp @@ -144,12 +144,12 @@ namespace Networking if(EncryptionKey.empty()) return false; + std::memcpy(m_EncryptionKey, EncryptionKey.data(), EncryptionKey.size()); + WRAP_IF_DEBUG( printf("[DEBUG] Server handshake successful!\n"); ) - std::memcpy(m_EncryptionKey, EncryptionKey.data(), EncryptionKey.size()); - return true; } diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.cpp b/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.cpp deleted file mode 100644 index 21d7851..0000000 --- a/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.cpp +++ /dev/null @@ -1,69 +0,0 @@ -#include - -namespace RemoteCode -{ - uint8_t ShellcodeStub[] = { - 0x55, - 0x8B, 0xEC, - 0x56, - 0x8B, 0x75, 0x08, - 0x57, - 0x80, 0x3E, 0x00, - 0x74, 0x2F, - 0x8B, 0x7E, 0x14, - 0x8D, 0x45, 0x08, - 0x50, - 0x8B, 0x46, 0x18, - 0x81, 0xC7, 0xA8, 0x00, 0x00, 0x00, - 0x6A, 0x40, - 0x6A, 0x04, - 0x57, - 0xFF, 0xD0, - 0x84, 0xC0, - 0x74, 0x4D, - 0x8B, 0x46, 0x10, - 0x89, 0x07, - 0x8D, 0x45, 0x08, - 0x50, - 0xFF, 0x75, 0x08, - 0x8B, 0x46, 0x18, - 0x6A, 0x04, - 0x57, - 0xFF, 0xD0, - - 0x8B, 0x46, 0x08, - 0x85, 0xC0, - 0x74, 0x09, - 0x6A, 0x00, - 0x6A, 0x01, - 0xFF, 0x76, 0x04, - 0xFF, 0xD0, - - 0x53, - 0x8B, 0x5E, 0x0C, - 0x85, 0xDB, - 0x74, 0x20, - 0x8B, 0x5B, 0x0C, - 0x33, 0xFF, - 0x8B, 0x03, - 0x85, 0xC0, - 0x74, 0x15, - 0x90, - - 0x6A, 0x00, - 0x6A, 0x01, - 0xFF, 0x76, 0x04, - 0xFF, 0xD0, - 0x8B, 0x44, 0xBB, 0x04, - 0x8D, 0x7F, 0x01, - 0x85, 0xC0, - 0x75, 0xEC, - - 0x5B, - - 0x5F, - 0x5E, - 0x5D, - 0xC2, 0x04, 0x00 - }; -} \ No newline at end of file diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.hpp b/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.hpp deleted file mode 100644 index 84021c6..0000000 --- a/csgo-loader/csgo-client/RemoteCode/RemoteCodeClient.hpp +++ /dev/null @@ -1,33 +0,0 @@ -#pragma once - -#include - -namespace RemoteCode -{ - class RemoteCodeClient - { - using MemProtect = bool(__stdcall *)(void *, size_t, uint32_t, uint32_t *); - - struct ShellcodeParameters - { - // Specifies whether or not the thread hijacking - // exploit will be used for code execution. - uint8_t m_ThreadExploit; - - // Address of the module allocation base - uintptr_t m_AllocationBase; - - // Specifies the entry-point / optional TLS directory - // to invoke. - uintptr_t m_EntryPoint; - uintptr_t m_TlsDirectory; - - // Thread hijacking (original address & VMT) - uintptr_t m_ThreadOriginal; - uintptr_t m_ThreadVirtual; - - // Function parameters that will be passed - MemProtect m_ProtectMemory; - }; - }; -} \ No newline at end of file diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.cpp b/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.cpp deleted file mode 100644 index 01f52be..0000000 --- a/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.cpp +++ /dev/null @@ -1,6 +0,0 @@ -#include - -namespace RemoteCode -{ - -} \ No newline at end of file diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.hpp b/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.hpp deleted file mode 100644 index 2e5d216..0000000 --- a/csgo-loader/csgo-client/RemoteCode/RemoteInjectionClient.hpp +++ /dev/null @@ -1,69 +0,0 @@ -#pragma once - -#include -#include - -namespace RemoteCode -{ - // Used for TransactionStart - using ImportedModule = char[64]; - using ImportList = std::vector; - - // Used for TransactionContinue - struct ExportedFunction - { - // I've never seen modules / functions with names - // that were larger than 64 characters. - char m_Module[64]; - char m_Function[64]; - - // Address of exported module / function - uintptr_t m_ModuleAddress; - uintptr_t m_FunctionAddress; - }; - - using ExportList = std::vector; - - // Used for TransactionCommit - struct RemoteInjectionHeader - { - // Used to decrypt the cheat header (first 1000 bytes of image sent back). - uint8_t m_HeaderKey; - - // Used to call entrypoint/TLS callbacks. - uintptr_t m_EntryPoint; - uintptr_t m_TlsDirectory; - }; - - struct RemoteInjectionCode - { - RemoteInjectionHeader m_Header; - - // Actual injection code. - ByteArray m_Code; - }; - - // Implementation of client mapping code - class RemoteInjectionClient - { - RemoteInjectionHeader m_Header; - RemoteProcess m_Process; - - public: - // Receive hash of selected cheat. - // Reply with size of image to allocate. - ByteArray Start(ByteArray &Response); - - // Receive client header, send over list of imported functions - ByteArray TransactionStart(ByteArray &Response); - - // Receive list of modules & export addresses - ByteArray TransactionContinue(ByteArray &Response); - - // Write the file to the - void TransactionCommit(ByteArray &Response); - - RemoteProcess GetProcess() { return m_Process; } - RemoteInjectionHeader GetHeader() { return m_Header; } - }; -} \ No newline at end of file diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteMapper.cpp b/csgo-loader/csgo-client/RemoteCode/RemoteMapper.cpp new file mode 100644 index 0000000..7b72550 --- /dev/null +++ b/csgo-loader/csgo-client/RemoteCode/RemoteMapper.cpp @@ -0,0 +1,139 @@ +#include + +namespace RemoteCode +{ + bool RemoteMapper::Start(RemoteProcess Process) + { + m_Process = Process; + return true; + } + + bool RemoteMapper::WriteCodeToMap(ByteArray Code) + { + // Check if the PE file is valid. + /*uint8_t *Buffer = Code.data(); + IMAGE_DOS_HEADER *DosHeader = (IMAGE_DOS_HEADER *)Buffer; + + if(!DosHeader || DosHeader->e_magic != IMAGE_DOS_SIGNATURE) + return false; + + IMAGE_NT_HEADERS *NtHeaders = (IMAGE_NT_HEADERS *)(Buffer + DosHeader->e_lfanew); + + if(!NtHeaders || NtHeaders->Signature != IMAGE_NT_SIGNATURE) + return false; + + WRAP_IF_DEBUG( + printf("[DEBUG] PE file validated!\n"); + ); + + IMAGE_SECTION_HEADER *Sections = (IMAGE_SECTION_HEADER *)((uintptr_t)&NtHeaders->OptionalHeader + NtHeaders->FileHeader.SizeOfOptionalHeader); + + if(!Sections) + return false; + + // Allocate map in process. + m_Map = m_Process.Allocate(Code.size()); + + if(!m_Map) + return false; + + // Ghetto workaround so heap doesn't get corrupted (i'm lazy) + size_t SizeOfCode = Code.size(); + m_Mapped = new uint8_t[SizeOfCode]; + + uint16_t SectionCount = NtHeaders->FileHeader.NumberOfSections; + + // Write each section to the process. + for(uint16_t n{}; n < SectionCount; n++) + { + uint32_t VirtualAddress = Sections[n].VirtualAddress; + uint32_t PointerToData = Sections[n].PointerToRawData; + uint32_t SizeOfData = Sections[n].SizeOfRawData; + + WRAP_IF_DEBUG( + printf("[DEBUG] Writing PE section #%d!\n", n); + printf("[DEBUG] Virtual address: 0x%x\n", VirtualAddress); + printf("[DEBUG] Pointer to data: 0x%x\n", PointerToData); + printf("[DEBUG] Size of data : %d bytes\n", SizeOfData); + ); + + // Write the data to map. + uint8_t *Data = (uint8_t *)((uintptr_t)Buffer + PointerToData); + void *ImageRva = (void *)((uintptr_t)&m_Mapped[0] + VirtualAddress); + + std::memcpy(ImageRva, Data, SizeOfData); + } + + // Copy over the PE header (temporarily). + uint32_t SizeOfHeaders = NtHeaders->OptionalHeader.SizeOfHeaders; + std::memcpy(&m_Mapped[0], Buffer, SizeOfHeaders); + + WRAP_IF_DEBUG( + printf("[DEBUG] Successfully copied over PE header!\n"); + printf("[DEBUG] Relocating image...\n"); + ); + + // Relocate the image. + IMAGE_BASE_RELOCATION *Reloc = (IMAGE_BASE_RELOCATION *)(&m_Mapped[0] + NtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress); + + uintptr_t ImageDelta = (uintptr_t)m_Map - NtHeaders->OptionalHeader.ImageBase; + + while(Reloc->SizeOfBlock > 0) + { + // address in binary where we need to relocate an address used by code + uintptr_t RelocationAddress = (uintptr_t)&m_Mapped[Reloc->VirtualAddress]; + uintptr_t RelocationDataAddress = (uintptr_t)Reloc + sizeof IMAGE_BASE_RELOCATION; + size_t RelocationCount = (Reloc->SizeOfBlock - sizeof IMAGE_BASE_RELOCATION) / sizeof uint16_t; + + for(size_t i = 0; i < RelocationCount; i++) + { + uint16_t RelocationData = *(uint16_t *)(RelocationDataAddress + sizeof uint16_t * i); + uint16_t RelocationType = RelocationData >> 12; + uint16_t RelocationOffset = RelocationData & 0x0FFF; + + WRAP_IF_DEBUG( + printf("[DEBUG] Processing relocation at %llx!\n", RelocationAddress + RelocationOffset); + ); + + switch(RelocationType) + { + case IMAGE_REL_BASED_MIPS_JMPADDR: + case IMAGE_REL_BASED_HIGH: + case IMAGE_REL_BASED_LOW: + case IMAGE_REL_BASED_HIGHLOW: + { + *(uint32_t*)(RelocationAddress + RelocationOffset) += ImageDelta; + break; + } + + case IMAGE_REL_BASED_ABSOLUTE: + default: + break; + }; + } + + Reloc = (IMAGE_BASE_RELOCATION*)((uintptr_t)Reloc + Reloc->SizeOfBlock); + } + + // Cripple the entire PE header. + std::memset(&m_Mapped[0], 0, SizeOfHeaders); + + WRAP_IF_DEBUG( + printf("[DEBUG] Successfully crippled PE header!\n"); + ); + + // Write the mapped image to the process. + m_Process.Write(m_Map, &m_Mapped[0], Code.size());*/ + + return true; + } + + bool RemoteMapper::ExecuteCodeFromMap() + { + WRAP_IF_DEBUG( + printf("[DEBUG] Executing payload!\n"); + ) + + return true; + } +} \ No newline at end of file diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteMapper.hpp b/csgo-loader/csgo-client/RemoteCode/RemoteMapper.hpp new file mode 100644 index 0000000..21eb569 --- /dev/null +++ b/csgo-loader/csgo-client/RemoteCode/RemoteMapper.hpp @@ -0,0 +1,26 @@ +#pragma once + +#include + +namespace RemoteCode +{ + class RemoteMapper + { + RemoteProcess m_Process; + uint8_t *m_Mapped; + + void *m_Map; + + public: + RemoteMapper() = default; + + // Copy process & shellcode to class. + bool Start(RemoteProcess Process); + + // Writes code to process in allocated page. + bool WriteCodeToMap(ByteArray Code); + + // Calls shellcode to call the library ;D + bool ExecuteCodeFromMap(); + }; +} \ No newline at end of file diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteProcess.cpp b/csgo-loader/csgo-client/RemoteCode/RemoteProcess.cpp index 1bbfed0..a6b90d4 100644 --- a/csgo-loader/csgo-client/RemoteCode/RemoteProcess.cpp +++ b/csgo-loader/csgo-client/RemoteCode/RemoteProcess.cpp @@ -30,7 +30,7 @@ namespace RemoteCode m_Process = OpenProcess(PROCESS_ALL_ACCESS, false, ProcessEntry.th32ProcessID); WRAP_IF_DEBUG( - printf("[DEBUG] Found process \"%s\" -> %p", ProcessEntry.szExeFile, m_Process); + printf("[DEBUG] Found process \"%s\" -> %p\n", ProcessEntry.szExeFile, m_Process); ); if(!m_Process) diff --git a/csgo-loader/csgo-client/RemoteCode/RemoteProcess.hpp b/csgo-loader/csgo-client/RemoteCode/RemoteProcess.hpp index a58320f..5fb3c75 100644 --- a/csgo-loader/csgo-client/RemoteCode/RemoteProcess.hpp +++ b/csgo-loader/csgo-client/RemoteCode/RemoteProcess.hpp @@ -48,11 +48,11 @@ namespace RemoteCode } // Release the handle when the process goes out of scope. - ~RemoteProcess() - { - if(m_Process) - CloseHandle(m_Process); - } + //~RemoteProcess() + //{ + // if(m_Process) + // CloseHandle(m_Process); + //} // Find the process ID and initialise the process. bool Start(const char *ProcessName); diff --git a/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp b/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp index 6054790..bfe45c5 100644 --- a/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp +++ b/csgo-loader/csgo-client/Security/RuntimeSecurity.cpp @@ -92,9 +92,7 @@ namespace Security // Let's meme anyone who tries to reverse this. if(ReturnModule != LoaderModule) - { return []() { Protection->SecurityCallback(STR("Malicious activity [Tampering].")); return -1; }(); - } // Call original function return oWSARecv(Socket, Buffer, Length, Flags); @@ -115,9 +113,7 @@ namespace Security // Let's meme anyone who tries to reverse this. if(ReturnModule != LoaderModule) - { return []() { Protection->SecurityCallback(STR("Malicious activity [Tampering].")); return -1; }(); - } // Call original function return oWSASend(Socket, Buffer, Length, Flags); @@ -129,9 +125,9 @@ namespace Security /////////////////////////////////////////////////////////// // Sick macros, retard. -#define CreateMinHook() MH_STATUS Status; Status = MH_Initialize(); -#define CheckStatus() if(Status != MH_OK) { return false; } -#define SafeCallTo(Function) Status = Function; CheckStatus(); + #define CreateMinHook() MH_STATUS Status; Status = MH_Initialize(); + #define CheckStatus() if(Status != MH_OK) { return false; } + #define SafeCallTo(Function) Status = Function; CheckStatus(); #pragma optimize("", off) @@ -266,8 +262,6 @@ namespace Security for(auto &It : BlackListedWindows) { - // size_t Index = std::distance(...); - if(FindWindowA(It.first, It.second)) SecurityCallback(STR("Malicious activity [Debugging attempt].")); } @@ -291,7 +285,8 @@ namespace Security STR("NPF"), // WireShark / WinPCAP STR("acker"), // Process Hacker STR("CEDRI"), // Cheat Engine - //STR("VBox") // VirtualBox + STR("nHide"), // TitanHide + //STR("VBox") // VirtualBox }; static const char *BlackListReasons[] = { @@ -299,7 +294,8 @@ namespace Security STR("Please uninstall WireShark."), STR("Please close Process Hacker."), STR("Please close Cheat Engine."), - STR("Please uninstall VirtualBox.") + STR("Please uninstall TitanHide."), + //STR("Please uninstall VirtualBox.") }; uint16_t Length = sizeof BlackListedDrivers / sizeof(BlackListedDrivers[0]); @@ -357,14 +353,6 @@ namespace Security if(m_Identifier.m_SpecialMode[TEST_BUILD_MODE]) SecurityCallback(STR("Malicious activity [Plausible].")); - // Check if the file was unpacked. - //if(!VMProtectIsProtected()) - // SecurityCallback(STR("Malicious activity [Tampering].")); - - // Check if the image in memory was partially unpacked or patched. - //if(!VMProtectIsValidImageCRC()) - // SecurityCallback(STR("Malicious activity [Tampering].")); - // Don't put too much stress on the CPU. Sleep(1); } @@ -380,50 +368,49 @@ namespace Security constexpr uintptr_t KUSER_SHARED_DATA = 0x7FFE0000; - __forceinline uint64_t get_hdd_hash() { - STORAGE_PROPERTY_QUERY query{ }; - STORAGE_DESCRIPTOR_HEADER desc_header{ }; - STORAGE_DEVICE_DESCRIPTOR* device_descriptor{ }; - HANDLE device; - DWORD bytes_returned; - uint8_t* out_buffer; - - const wchar_t* device_path = L"\\??\\PhysicalDrive0"; - device = CreateFileA("\\\\.\\PhysicalDrive0", 0, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, 0, 0); - if(!device) return uint64_t{ }; - - query.PropertyId = StorageDeviceProperty; - query.QueryType = PropertyStandardQuery; - - if(!DeviceIoControl(device, IOCTL_STORAGE_QUERY_PROPERTY, - &query, sizeof(STORAGE_PROPERTY_QUERY), - &desc_header, sizeof(STORAGE_DESCRIPTOR_HEADER), - &bytes_returned, 0)) { - return uint64_t{ }; - } - - out_buffer = new uint8_t[desc_header.Size]; - memset(out_buffer, 0, desc_header.Size); - - if(!DeviceIoControl(device, IOCTL_STORAGE_QUERY_PROPERTY, - &query, sizeof(STORAGE_PROPERTY_QUERY), - out_buffer, desc_header.Size, - &bytes_returned, 0)) { - delete[] out_buffer; - return uint64_t{ }; - } - - device_descriptor = (STORAGE_DEVICE_DESCRIPTOR*)out_buffer; - if(device_descriptor->SerialNumberOffset) { - std::string serial_num = reinterpret_cast( - out_buffer + device_descriptor->SerialNumberOffset); - - delete[] out_buffer; - CloseHandle(device); - return fnv::hash_runtime(serial_num.c_str()); - } - - return 0; + __forceinline uint64_t get_hdd_hash() { + STORAGE_PROPERTY_QUERY query{ }; + STORAGE_DESCRIPTOR_HEADER desc_header{ }; + STORAGE_DEVICE_DESCRIPTOR* device_descriptor{ }; + HANDLE device; + DWORD bytes_returned; + uint8_t* out_buffer; + + device = CreateFileA(STR("\\\\.\\PhysicalDrive0"), 0, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, 0, 0); + if(!device) return uint64_t{ }; + + query.PropertyId = StorageDeviceProperty; + query.QueryType = PropertyStandardQuery; + + if(!DeviceIoControl(device, IOCTL_STORAGE_QUERY_PROPERTY, + &query, sizeof(STORAGE_PROPERTY_QUERY), + &desc_header, sizeof(STORAGE_DESCRIPTOR_HEADER), + &bytes_returned, 0)) { + return uint64_t{ }; + } + + out_buffer = new uint8_t[desc_header.Size]; + memset(out_buffer, 0, desc_header.Size); + + if(!DeviceIoControl(device, IOCTL_STORAGE_QUERY_PROPERTY, + &query, sizeof(STORAGE_PROPERTY_QUERY), + out_buffer, desc_header.Size, + &bytes_returned, 0)) { + delete[] out_buffer; + return uint64_t{ }; + } + + device_descriptor = (STORAGE_DEVICE_DESCRIPTOR*)out_buffer; + if(device_descriptor->SerialNumberOffset) { + std::string serial_num = reinterpret_cast( + out_buffer + device_descriptor->SerialNumberOffset); + + delete[] out_buffer; + CloseHandle(device); + return fnv::hash_runtime(serial_num.c_str()); + } + + return 0; } void RuntimeSecurity::SetupSystemIdentifier() diff --git a/csgo-loader/csgo-client/csgo-client.vcxproj b/csgo-loader/csgo-client/csgo-client.vcxproj index 40af0a8..d29454f 100644 --- a/csgo-loader/csgo-client/csgo-client.vcxproj +++ b/csgo-loader/csgo-client/csgo-client.vcxproj @@ -30,8 +30,7 @@ - - + @@ -47,8 +46,7 @@ - - + diff --git a/csgo-loader/csgo-client/csgo-client.vcxproj.filters b/csgo-loader/csgo-client/csgo-client.vcxproj.filters index 0957ab9..e4b42c3 100644 --- a/csgo-loader/csgo-client/csgo-client.vcxproj.filters +++ b/csgo-loader/csgo-client/csgo-client.vcxproj.filters @@ -55,15 +55,12 @@ RemoteCode - - RemoteCode - - - RemoteCode - Security + + RemoteCode + @@ -159,17 +156,14 @@ RemoteCode - - RemoteCode - - - RemoteCode - Security + + RemoteCode + -- cgit v1.2.3