From a3cd9bcc24a10ab4f4a553471ac130250ae8cc3d Mon Sep 17 00:00:00 2001 From: Toni Uhlig Date: Thu, 26 Mar 2020 21:30:23 +0100 Subject: Hunt Showdown public release Signed-off-by: Toni Uhlig --- Hunt Showdown/CMD/CMD.vcxproj | 197 ++++++++++++++++++ Hunt Showdown/CMD/CMD.vcxproj.user | 4 + Hunt Showdown/CMD/Hunted.cpp | 333 +++++++++++++++++++++++++++++++ Hunt Showdown/CMD/Hunted.vcxproj.filters | 36 ++++ Hunt Showdown/CMD/Hunted.vcxproj.user | 4 + Hunt Showdown/CMD/KInterface.h | 3 + Hunt Showdown/CMD/pch.cpp | 5 + Hunt Showdown/CMD/pch.h | 14 ++ 8 files changed, 596 insertions(+) create mode 100644 Hunt Showdown/CMD/CMD.vcxproj create mode 100644 Hunt Showdown/CMD/CMD.vcxproj.user create mode 100644 Hunt Showdown/CMD/Hunted.cpp create mode 100644 Hunt Showdown/CMD/Hunted.vcxproj.filters create mode 100644 Hunt Showdown/CMD/Hunted.vcxproj.user create mode 100644 Hunt Showdown/CMD/KInterface.h create mode 100644 Hunt Showdown/CMD/pch.cpp create mode 100644 Hunt Showdown/CMD/pch.h (limited to 'Hunt Showdown/CMD') diff --git a/Hunt Showdown/CMD/CMD.vcxproj b/Hunt Showdown/CMD/CMD.vcxproj new file mode 100644 index 0000000..b18e818 --- /dev/null +++ b/Hunt Showdown/CMD/CMD.vcxproj @@ -0,0 +1,197 @@ + + + + + Debug + Win32 + + + Release + Win32 + + + Debug + x64 + + + Release + x64 + + + + 15.0 + {DB513F0F-ECDB-4856-8AB1-B2CBCC745E5A} + Win32Proj + Hunted + 10.0.17763.0 + HuntCtrl + + + + Application + true + v141 + Unicode + false + + + Application + false + v141 + true + Unicode + false + + + Application + true + v141 + Unicode + Static + false + + + Application + false + v141 + true + Unicode + false + Static + + + + + + + + + + + + + + + + + + + + + true + $(ProjectName)-kmem + + + true + + + false + + + false + $(ProjectName)-kmem + + + + Use + Level3 + Disabled + true + _DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + pch.h + MultiThreadedDebugDLL + SyncCThrow + true + $(ProjectDir) + + + Console + true + false + kernel32.lib;user32.lib;Shlwapi.lib;MemDriverLib.lib;%(AdditionalDependencies) + $(ProjectDir);%(AdditionalLibraryDirectories) + + + + + Use + Level3 + Disabled + true + WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + pch.h + SyncCThrow + false + MultiThreaded + + + Console + true + false + + + + + Use + Level3 + MaxSpeed + true + true + WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + pch.h + Sync + false + + + Console + true + true + true + false + + + + + Use + Level3 + MaxSpeed + true + true + NDEBUG;_CONSOLE;%(PreprocessorDefinitions) + true + pch.h + Sync + false + $(ProjectDir) + MultiThreadedDLL + + + Console + true + true + true + $(ProjectDir);%(AdditionalLibraryDirectories) + false + kernel32.lib;user32.lib;Shlwapi.lib;MemDriverLib.lib;%(AdditionalDependencies) + + + + + + + + + + Create + Create + Create + Create + + + + + + \ No newline at end of file diff --git a/Hunt Showdown/CMD/CMD.vcxproj.user b/Hunt Showdown/CMD/CMD.vcxproj.user new file mode 100644 index 0000000..be25078 --- /dev/null +++ b/Hunt Showdown/CMD/CMD.vcxproj.user @@ -0,0 +1,4 @@ + + + + \ No newline at end of file diff --git a/Hunt Showdown/CMD/Hunted.cpp b/Hunt Showdown/CMD/Hunted.cpp new file mode 100644 index 0000000..9329090 --- /dev/null +++ b/Hunt Showdown/CMD/Hunted.cpp @@ -0,0 +1,333 @@ +#include "pch.h" +#include "KInterface.h" +#include "DLLHelper.h" +#include "PatternScanner.h" + +#include +#include +#include +#include +#include + +#define WHEXOUT std::setfill(L'0') << std::setw(16) << std::hex + +static BOOL running = false; +static const wchar_t wName[] = L"HUNT"; + + +static bool consoleHandler(int signal) { + if (signal == CTRL_C_EVENT) { + if (!running) + exit(EXIT_FAILURE); + running = false; + std::wcout << L"Waiting for graceful shutdown .." << std::endl; + } + return true; +} + +static void printBuf(UCHAR *buf, SIZE_T siz, SIZE_T bytesBeforeNewline) { + unsigned int i, j; + const unsigned char colors[] = { 10,11,12,13,14,15 }; + HANDLE hConsole = GetStdHandle(STD_OUTPUT_HANDLE); + + for (i = 0, j = 0; i < siz; ++i) { + if (i % bytesBeforeNewline == 0) { + SetConsoleTextAttribute(hConsole, colors[j++ % (sizeof colors)]); + wprintf(L"\n0x%04X: ", i); + } + wprintf(L"%02X ", buf[i]); + } + wprintf(L"\n"); + SetConsoleTextAttribute(hConsole, 15); +} + +static BOOL CALLBACK enumWindowsProc(HWND hWnd, LPARAM lParam) +{ + int length = GetWindowTextLength(hWnd); + TCHAR* buffer; + buffer = new TCHAR[length + 1]; + memset(buffer, 0, (length + 1) * sizeof(TCHAR)); + GetWindowText(hWnd, buffer, length + 1); + if (!wcscmp(buffer, wName)) + *(HWND *)lParam = hWnd; + delete[] buffer; + return TRUE; +} + +int wmain(int argc, wchar_t **argv) +{ + HANDLE targetPID = 0; + PVOID buf; + HANDLE kevent; + HANDLE uevent; + + KInterface &ki = KInterface::getInstance(); + std::vector pages; + std::vector modules; + + std::wcout << L"Waiting for window title: '" << wName << L"'" << std::endl; + + HWND targetHWND = NULL; + while (1) { + if (!EnumWindows(enumWindowsProc, (LPARAM)&targetHWND)) { + return 1; + } + if (targetHWND) { + std::wcout << L"Found window '" << wName << L"' with Handle 0x" + << std::hex << targetHWND << std::endl; + break; + } + Sleep(1000); + } + GetWindowThreadProcessId(targetHWND, (LPDWORD)&targetPID); + + SetConsoleCtrlHandler((PHANDLER_ROUTINE)consoleHandler, TRUE); + + if (!ki.Init()) { + std::wcout << L"Kernel Interface Init() failed" << std::endl; + return 1; + } + + try { + buf = ki.getBuffer(); + kevent = ki.getKHandle(); + uevent = ki.getUHandle(); + } + catch (std::runtime_error& err) { + std::wcout << err.what() << std::endl; + return 1; + } + + std::wcout << L"Buffer.: " << buf << std::endl; + std::wcout << L"KHandle: " << kevent << std::endl; + std::wcout << L"UHandle: " << uevent << std::endl; + + if (!ki.Handshake()) { + std::wcout << L"Kernel Interface Handshake() failed" << std::endl; + return 1; + } + if (targetPID) { + if (!ki.Modules(targetPID, modules)) + std::wcout << L"Kernel Interface Modules() failed with 0x" + << std::hex << ki.getLastNtStatus() << std::endl; + else std::wcout << L"Got " << std::dec << modules.size() << L" modules for pid 0x" + << std::hex << targetPID << std::endl; + if (!ki.Pages(targetPID, pages)) + std::wcout << L"Kernel Interface Pages() failed with 0x" + << std::hex << ki.getLastNtStatus() << std::endl; + else std::wcout << L"Got " << std::dec << pages.size() << L" mapped pages for pid 0x" + << std::hex << targetPID << std::endl; + } + + running = TRUE; + do { + if (ki.RecvWait() == SRR_TIMEOUT) { + std::wcout << L"Ping -> "; + if (!ki.Ping()) { + std::wcout << L"Got no valid PONG, abort!" << std::endl; + running = FALSE; + } + else std::wcout << L"PONG!" << std::endl; + } + + if (!running) + break; + + try { + if (targetPID) { + for (MODULE_DATA& md : modules) { + if (!strncmp(md.BaseDllName, "CryEntitySystem.dll", + sizeof md.BaseDllName)) + { + /* + * "C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\bin\Hostx64\x64\cl.exe" + * /Zp2 /c /d1reportSingleClassLayoutCEntitySystem + * \Source\Repos\CRYENGINE\Code\CryEngine\CryEntitySystem\EntitySystem.cpp + * /I \Source\Repos\CRYENGINE\Code\CryEngine\CryCommon + * /I "C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.16.27023\include" + * /I "C:\Program Files (x86)\Windows Kits\10\Include\10.0.17763.0\ucrt" + * /I "C:\Program Files (x86)\Windows Kits\10\Include\10.0.17763.0\shared" + * /I "C:\Program Files (x86)\Windows Kits\10\Include\10.0.17763.0\um" + */ + + static bool first = true; + if (first) { + first = false; + + SymbolResolver sresolv; + DLLHelper dll(sresolv); + if (!dll.Init(targetPID, "./HuntDLL.dll")) { + std::wcout << L"DLL Init failed" << std::endl; + } + if (!dll.VerifyHeader()) { + std::wcout << L"DLL VerifyHeader failed" << std::endl; + } + if (!dll.InitTargetMemory(/* 0x7ffe00000000 */)) { + std::wcout << L"DLL InitTargetMemory failed" << std::endl; + } + if (!dll.HasImports()) + { + std::wcout << L"DLL has no ImportTable" << std::endl; + } + else if (!dll.FixImports()) { + std::wcout << L"DLL FixImports failed" << std::endl; + } + if (!dll.HasRelocs()) { + std::wcout << L"DLL has no RelocTable" << std::endl; + } + else if (!dll.FixRelocs()) { + std::wcout << L"DLL FixRelocs failed" << std::endl; + } + if (!dll.CopyHeaderAndSections()) { + std::wcout << L"DLL CopyHeaderAndSections failed" << std::endl; + } + std::wcout << L"DLL mapping succesful, " + << "BaseAddress: " << WHEXOUT << dll.GetBaseAddress() + << ", EntryPoint: " << WHEXOUT << dll.GetEntryPoint() << std::endl; + + UINT64 targetAddr = dll.GetBaseAddress(); + UINT64 g_pEnvSysSigged = NULL; + UINT64 g_pCCryActionSigged = NULL; + UINT64 g_pEntSys = 0; + + { + struct loadlib_user_data llua; + char * cryDllDir = new char[sizeof md.FullDllPath]; + std::memcpy(cryDllDir, md.FullDllPath, sizeof md.FullDllPath); + PathRemoveFileSpecA(cryDllDir); + llua.additionalDllSearchDirectories.push_back(std::string(cryDllDir)); + delete cryDllDir; + + PatternScanner pscan(sresolv, &map_loadlib, &llua); + std::vector foundAddresses; + /* ?g_pIEntitySystem -> EXPORT TABLE [Offset: -0x32 == g_pEntSys] */ + pscan.Scan(md, "3F 67 5F 70 49 45 6E 74 69 74 79 53 79 73 74 65 6D", foundAddresses); + + for (auto& addr : foundAddresses) { + g_pEntSys = KMemory::Rpm(targetPID, (PVOID)(addr - 0x8)); + g_pEntSys >>= 32; + g_pEntSys += addr; + std::wcout << "g_pEntSys via SigScan: " << g_pEntSys << std::endl; + } + } + + for (MODULE_DATA& md : modules) { + if (!strncmp(md.BaseDllName, "CryAction.dll", + sizeof md.BaseDllName)) { + + struct loadlib_user_data llua; + char * cryDllDir = new char[sizeof md.FullDllPath]; + std::memcpy(cryDllDir, md.FullDllPath, sizeof md.FullDllPath); + PathRemoveFileSpecA(cryDllDir); + llua.additionalDllSearchDirectories.push_back(std::string(cryDllDir)); + delete cryDllDir; + + for (auto& dir : llua.additionalDllSearchDirectories) { + std::wcout << L"AdditionalDLLDir: " + << std::wstring(dir.begin(), dir.end()) << std::endl; + } + { + PatternScanner pscan(sresolv, &map_loadlib, &llua); + std::vector foundAddresses; + pscan.Scan(md, "48 8B 48 20 48 8B 01 FF 90 20 01 00 00", foundAddresses); + + for (auto& addr : foundAddresses) { + g_pEnvSysSigged = KMemory::Rpm(targetPID, (PVOID)(addr - 0x8)); + g_pEnvSysSigged >>= 32; + g_pEnvSysSigged += addr; + std::wcout << "g_pEnvSys via SigScan: " << g_pEnvSysSigged << std::endl; + } + } + { + PatternScanner pscan(sresolv, &map_loadlib, &llua); + std::vector foundAddresses; + pscan.Scan(md, "48 89 6C 24 38 48 8D 2D ?? ?? ?? ?? 48 8B 11", foundAddresses); + + for (auto& addr : foundAddresses) { + g_pCCryActionSigged = KMemory::Rpm(targetPID, (PVOID)(addr - 0x8)); + g_pCCryActionSigged >>= 32; + g_pCCryActionSigged += addr; + std::wcout << "g_pCCryAction via SigScan: " << g_pCCryActionSigged << std::endl; + } + } + + break; + } + } + + BYTE cc[] = { /* push rax; push rbx; push rcx; push rdx; push rsi; + push rdi; push rsp; push rbp; push r8; push r9; + push r10; push r11; push r12; push r13; push r14; + push r15 */ + 0x50, 0x53, 0x51, 0x52, 0x56, 0x57, + 0x54, 0x55, 0x41, 0x50, 0x41, 0x51, + 0x41, 0x52, 0x41, 0x53, 0x41, 0x54, + 0x41, 0x55, 0x41, 0x56, 0x41, 0x57, + /* nops */ + 0x90, 0x90, 0x90, 0x90, 0x90, + /* mov rcx, 0x0000000000000000 */ + 0x48, 0xB9, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + /* mov rax, 0x0000000000000000 */ + 0x48, 0xB8, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + /* call rax */ + 0xFF, 0xD0, + /* nops */ + 0x90, 0x90, + /* pop r15; pop r14; pop r13; pop r12; pop r11; + pop r10; pop r9; pop r8; pop rbp; pop rsp; + pop rdi; pop rsi; pop rdx; pop rcx; pop rbx; + pop rax */ + 0x41, 0x5F, 0x41, 0x5E, 0x41, 0x5D, + 0x41, 0x5C, 0x41, 0x5B, 0x41, 0x5A, + 0x41, 0x59, 0x41, 0x58, 0x5D, 0x5C, + 0x5F, 0x5E, 0x5A, 0x59, 0x5B, 0x58, + /* nops */ + 0x90, 0x90, + /* mov rax, 0x0000000000000000 */ + 0x48, 0xB8, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + /* jmp rax */ + 0xFF, 0xE0, + /* the following is part of the HuntCtx struct */ + /* ptr to ptr to EntitySystem */ + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + /* ptr to ptr to GlobalEnv */ + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + /* ptr to ptr to CCryAction */ + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; + *(UINT64 *)((BYTE *)cc + 31) = targetAddr + 91; + *(UINT64 *)((BYTE *)cc + 41) = dll.GetEntryPoint(); + /* PATTERN: 48 89 4C 24 08 48 83 EC 48 +0x275 */ + UINT64 jumpBackAddr = (UINT64)md.DllBase + 0x70875; /* TODO: SigScan Me! */ + *(UINT64 *)((BYTE *)cc + 81) = jumpBackAddr; + *(UINT64 *)((BYTE *)cc + 91) = g_pEntSys; + *(UINT64 *)((BYTE *)cc + 99) = g_pEnvSysSigged; + *(UINT64 *)((BYTE *)cc + 107) = g_pCCryActionSigged; + + printBuf(cc, sizeof cc, 32); + KMemoryBuf::Wpm(targetPID, (PVOID)targetAddr, &cc[0]); + + /* mov rax, 0x0000000000000000; jmp rax */ + BYTE dd[] = { 0x48, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xE0 }; + *(UINT64 *)((BYTE *)dd + 2) = (UINT64)targetAddr; + printBuf(dd, sizeof dd, 32); + + /* PATTERN: 48 89 4C 24 08 48 83 EC 48 +0x9 */ + KMemoryBuf::Wpm(targetPID, (PVOID)((UINT64)md.DllBase + 0x70609 /* TODO: SigScan Me! */), &dd[0]); + } + } + } + } + } + catch (std::runtime_error& err) { + std::wcout << err.what() << std::endl; + } + } while (running); + + std::wcout << L"Driver shutdown .." << std::endl; + ki.Exit(); + + return 0; +} \ No newline at end of file diff --git a/Hunt Showdown/CMD/Hunted.vcxproj.filters b/Hunt Showdown/CMD/Hunted.vcxproj.filters new file mode 100644 index 0000000..e3b3430 --- /dev/null +++ b/Hunt Showdown/CMD/Hunted.vcxproj.filters @@ -0,0 +1,36 @@ + + + + + {4FC737F1-C7A5-4376-A066-2A32D752A2FF} + cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx + + + {93995380-89BD-4b04-88EB-625FBE52EBFB} + h;hh;hpp;hxx;hm;inl;inc;ipp;xsd + + + {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} + rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms + + + + + Header Files + + + Header Files + + + Header Files + + + + + Source Files + + + Source Files + + + \ No newline at end of file diff --git a/Hunt Showdown/CMD/Hunted.vcxproj.user b/Hunt Showdown/CMD/Hunted.vcxproj.user new file mode 100644 index 0000000..be25078 --- /dev/null +++ b/Hunt Showdown/CMD/Hunted.vcxproj.user @@ -0,0 +1,4 @@ + + + + \ No newline at end of file diff --git a/Hunt Showdown/CMD/KInterface.h b/Hunt Showdown/CMD/KInterface.h new file mode 100644 index 0000000..fd3ea8f --- /dev/null +++ b/Hunt Showdown/CMD/KInterface.h @@ -0,0 +1,3 @@ +#pragma once + +#error "This CHEAT is requires an additional non-public library and kernel driver. Nice try pasta kid.." \ No newline at end of file diff --git a/Hunt Showdown/CMD/pch.cpp b/Hunt Showdown/CMD/pch.cpp new file mode 100644 index 0000000..3a3d12b --- /dev/null +++ b/Hunt Showdown/CMD/pch.cpp @@ -0,0 +1,5 @@ +// pch.cpp: source file corresponding to pre-compiled header; necessary for compilation to succeed + +#include "pch.h" + +// In general, ignore this file, but keep it around if you are using pre-compiled headers. diff --git a/Hunt Showdown/CMD/pch.h b/Hunt Showdown/CMD/pch.h new file mode 100644 index 0000000..b04e71e --- /dev/null +++ b/Hunt Showdown/CMD/pch.h @@ -0,0 +1,14 @@ +// Tips for Getting Started: +// 1. Use the Solution Explorer window to add/manage files +// 2. Use the Team Explorer window to connect to source control +// 3. Use the Output window to see build output and other messages +// 4. Use the Error List window to view errors +// 5. Go to Project > Add New Item to create new code files, or Project > Add Existing Item to add existing code files to the project +// 6. In the future, to open this project again, go to File > Open > Project and select the .sln file + +#ifndef PCH_H +#define PCH_H + +// TODO: add headers that you want to pre-compile here + +#endif //PCH_H -- cgit v1.2.3