added CSGO cheat whcih instruments a non-public r0 interface

Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
author: Toni Uhlig <matzeton@googlemail.com> 2020-03-25 22:36:35 +0100
committer: Toni Uhlig <matzeton@googlemail.com> 2020-03-25 23:58:08 +0100
commit: 8094f2fe22c9abc7aa4bc7e28a51a9de2dbae98d (patch)
tree: 4ad63f2d42bf77930e437ea532f1fc986f8c74d1 /csgo_radar_kmem/CSGO.cpp
parent: 1647f4b4f9ebef8b938222b1f48d9a15cc262e97 (diff)
1 files changed, 225 insertions, 0 deletions
diff --git a/csgo_radar_kmem/CSGO.cpp b/csgo_radar_kmem/CSGO.cpp
new file mode 100644
index 0000000..775477a
--- /dev/null
+++ b/csgo_radar_kmem/CSGO.cpp
@@ -0,0 +1,225 @@
+#include "pch.h"
+#include "KInterface.h"
+
+#include <iostream>
+#include <iomanip>
+#include <chrono>
+#include <thread>
+#include <windows.h>
+
+static BOOL running = false;
+static const wchar_t *wName = L"Counter-Strike: Global Offensive";
+
+typedef struct player_info_s
+{
+	__int64         unknown;            //0x0000 
+	union
+	{
+		__int64       steamID64;          //0x0008 - SteamID64
+		struct
+		{
+			__int32     xuid_low;
+			__int32     xuid_high;
+		};
+	};
+	char            szName[128];        //0x0010 - Player Name
+	int             userId;             //0x0090 - Unique Server Identifier
+	char            szSteamID[20];      //0x0094 - STEAM_X:Y:Z
+	char            pad_0x00A8[0x10];   //0x00A8
+	unsigned long   iSteamID;           //0x00B8 - SteamID 
+	char            szFriendsName[128];
+	bool            fakeplayer;
+	bool            ishltv;
+	unsigned int    customfiles[4];
+	unsigned char   filesdownloaded;
+} player_info_t;
+
+
+static bool consoleHandler(int signal) {
+	if (signal == CTRL_C_EVENT) {
+		if (!running)
+			exit(EXIT_FAILURE);
+		running = false;
+		std::wcout << L"Waiting for graceful shutdown .." << std::endl;
+	}
+	return true;
+}
+
+static BOOL CALLBACK enumWindowsProc(HWND hWnd, LPARAM lParam)
+{
+	int length = GetWindowTextLength(hWnd);
+	TCHAR* buffer;
+	buffer = new TCHAR[length + 1];
+	memset(buffer, 0, (length + 1) * sizeof(TCHAR));
+	GetWindowText(hWnd, buffer, length + 1);
+	//wprintf(L"Window: '%ls'\n", buffer);
+	if (!wcscmp(buffer, wName))
+		*(HWND *)lParam = hWnd;
+	delete[] buffer;
+	return TRUE;
+}
+
+int wmain(int argc, wchar_t **argv)
+{
+	HANDLE targetPID = 0;
+	PVOID buf;
+	HANDLE kevent;
+	HANDLE uevent;
+
+	KInterface &ki = KInterface::getInstance();
+	std::vector<MEMORY_BASIC_INFORMATION> pages;
+	std::vector<MODULE_DATA> modules;
+
+	std::wcout << L"Waiting for window title: '" << wName << L"'" << std::endl;
+
+	HWND targetHWND = NULL;
+	while (1) {
+		if (!EnumWindows(enumWindowsProc, (LPARAM)&targetHWND)) {
+			return 1;
+		}
+		if (targetHWND) {
+			std::wcout << L"Found window '" << wName << L"' with Handle 0x"
+				<< std::hex << targetHWND << std::endl;
+			break;
+		}
+		Sleep(1000);
+	}
+	GetWindowThreadProcessId(targetHWND, (LPDWORD)&targetPID);
+
+	SetConsoleCtrlHandler((PHANDLER_ROUTINE)consoleHandler, TRUE);
+
+	if (!ki.Init()) {
+		std::wcout << L"Kernel Interface Init() failed" << std::endl;
+		return 1;
+	}
+
+	try {
+		buf = ki.getBuffer();
+		kevent = ki.getKHandle();
+		uevent = ki.getUHandle();
+	}
+	catch (std::runtime_error& err) {
+		std::wcout << err.what() << std::endl;
+		return 1;
+	}
+
+	std::wcout << L"Buffer.: " << buf << std::endl;
+	std::wcout << L"KHandle: " << kevent << std::endl;
+	std::wcout << L"UHandle: " << uevent << std::endl;
+
+	if (!ki.Handshake()) {
+		std::wcout << L"Kernel Interface Handshake() failed" << std::endl;
+		return 1;
+	}
+
+	if (!ki.Modules(targetPID, modules))
+		std::wcout << L"Kernel Interface Modules() failed with 0x"
+		<< std::hex << ki.getLastNtStatus() << std::endl;
+	else std::wcout << L"Got " << std::dec << modules.size() << L" modules for pid 0x"
+		<< std::hex << targetPID << std::endl;
+#if 0
+	if (!ki.Pages(targetPID, pages))
+		std::wcout << L"Kernel Interface Pages() failed with 0x"
+		<< std::hex << ki.getLastNtStatus() << std::endl;
+	else std::wcout << L"Got " << std::dec << pages.size() << L" mapped pages for pid 0x"
+		<< std::hex << targetPID << std::endl;
+#endif
+
+	MODULE_DATA *engineDLL = NULL;
+	MODULE_DATA *clientDLL = NULL;
+	for (MODULE_DATA& md : modules) {
+		if (strncmp(md.BaseDllName, "engine.dll", sizeof md.BaseDllName) == 0) {
+			std::wcout << L"FOUND ENGINE DLL at " << std::hex << md.DllBase << "!!!" << std::endl;
+			engineDLL = &md;
+		}
+		if (strncmp(md.BaseDllName, "client_panorama.dll", sizeof md.BaseDllName) == 0) {
+			std::wcout << L"FOUND CLIENT DLL at " << std::hex << md.DllBase << "!!!" << std::endl;
+			clientDLL = &md;
+		}
+	}
+
+	running = TRUE;
+	do {
+		if (engineDLL) {
+			/* unused */
+		}
+
+		if (clientDLL) {
+			DWORD dwLocalPlayer = 13580876;
+			PVOID localPlayerPtr = (PVOID)((ULONG_PTR)clientDLL->DllBase + dwLocalPlayer);
+			localPlayerPtr = (PVOID)((ULONG_PTR)KMemory::Rpm<DWORD>(targetPID, localPlayerPtr));
+			std::wcout << L"localPlayerPtr..................: " << std::hex << localPlayerPtr << std::endl;
+
+			DWORD dwEntityList = 80763620;
+			PVOID entityListPtr = (PVOID)((ULONG_PTR)clientDLL->DllBase + dwEntityList);
+			std::wcout << L"client_panorama.dll+dwEntityList: " << std::hex << entityListPtr << std::endl;
+
+			for (size_t i = 0; i < 32; ++i) {
+				PVOID entityPtr = (PVOID)((ULONG_PTR)entityListPtr + (i * 0x10));
+				try {
+					entityPtr = (PVOID)((ULONG_PTR)KMemory::Rpm<DWORD>(targetPID, entityPtr));
+					if (!entityPtr) {
+						continue;
+					}
+				}
+				catch (std::runtime_error &) {
+					continue;
+				}
+
+				DWORD dwHealth = 256;
+				PVOID healthPtr = (PVOID)((ULONG_PTR)entityPtr + dwHealth);
+				DWORD health;
+				try {
+					health = KMemory::Rpm<DWORD>(targetPID, healthPtr);
+				}
+				catch (std::runtime_error &) {
+					continue;
+				}
+
+				std::wcout << L"entityPtr.......................: " << std::hex << entityPtr << " -> " << std::dec << health << std::endl;
+
+				DWORD dwSpotted = 2365;
+				PVOID spottedPtr = (PVOID)((ULONG_PTR)entityPtr + dwSpotted);
+				DWORD spotted = KMemory::Rpm<DWORD>(targetPID, spottedPtr);
+				DWORD dwSpottedBy = 2432;
+				PVOID spottedByPtr = (PVOID)((ULONG_PTR)entityPtr + dwSpottedBy);
+				DWORD spottedBy = KMemory::Rpm<DWORD>(targetPID, spottedByPtr);
+				if (spotted) {
+					spotted = 0;
+				}
+				else {
+					spotted = 1;
+					spottedBy |= 0xFF;
+					KMemory::Wpm<DWORD>(targetPID, spottedByPtr, &spottedBy);
+				}
+				KMemory::Wpm<DWORD>(targetPID, spottedPtr, &spotted);
+				//std::wcout << L"Sp: " << spotted << std::endl;
+			}
+
+			std::this_thread::sleep_for(std::chrono::microseconds(250000));
+		} else
+
+		if (ki.RecvWait() == SRR_TIMEOUT) {
+			std::wcout << L"Ping -> ";
+			if (!ki.Ping()) {
+				std::wcout << L"Got no valid PONG, abort!" << std::endl;
+				running = FALSE;
+			}
+			else std::wcout << L"PONG!" << std::endl;
+		}
+
+		if (!running)
+			break;
+
+		try {
+			if (targetPID) {
+			}
+		}
+		catch (std::runtime_error& err) {
+			std::wcout << err.what() << std::endl;
+		}
+	} while (running);
+
+	std::wcout << L"Driver shutdown .." << std::endl;
+	ki.Exit();
+}
+\ No newline at end of file
author	Toni Uhlig <matzeton@googlemail.com>	2020-03-25 22:36:35 +0100
committer	Toni Uhlig <matzeton@googlemail.com>	2020-03-25 23:58:08 +0100
commit	8094f2fe22c9abc7aa4bc7e28a51a9de2dbae98d (patch)
tree	4ad63f2d42bf77930e437ea532f1fc986f8c74d1 /csgo_radar_kmem/CSGO.cpp
parent	1647f4b4f9ebef8b938222b1f48d9a15cc262e97 (diff)