precomputed integirty checks

quaK 2023-02-21 23:41:40 +02:00
parent b0e34012a1
commit eb99597d0a
2 changed files with 712 additions and 16 deletions


@ -3,12 +3,20 @@
#include "game/game.hpp" #include "game/game.hpp"
#include "game_module.hpp" #include "component/game_module.hpp"
#include "scheduler.hpp" #include "component/scheduler.hpp"
#include <utils/hook.hpp> #include <utils/hook.hpp>
#include <utils/string.hpp> #include <utils/string.hpp>
#include "integrity.hpp"
#define PRECOMPUTED_INTEGRITY_CHECKS
#define ProcessDebugPort 7
#define ProcessDebugObjectHandle 30
#define ProcessDebugFlags 31
namespace arxan namespace arxan
{ {
namespace namespace
@ -16,10 +24,6 @@ namespace arxan
utils::hook::detour nt_close_hook; utils::hook::detour nt_close_hook;
utils::hook::detour nt_query_information_process_hook; utils::hook::detour nt_query_information_process_hook;
#define ProcessDebugPort 7
#define ProcessDebugObjectHandle 30 // WinXP source says 31?
#define ProcessDebugFlags 31 // WinXP source says 32?
HANDLE process_id_to_handle(const DWORD pid) HANDLE process_id_to_handle(const DWORD pid)
{ {
return reinterpret_cast<HANDLE>(static_cast<DWORD64>(pid)); return reinterpret_cast<HANDLE>(static_cast<DWORD64>(pid));
@ -29,8 +33,7 @@ namespace arxan
const PVOID info, const PVOID info,
const ULONG info_length, const PULONG ret_length) const ULONG info_length, const PULONG ret_length)
{ {
auto* orig = static_cast<decltype(NtQueryInformationProcess)*>(nt_query_information_process_hook. auto* orig = static_cast<decltype(NtQueryInformationProcess)*>(nt_query_information_process_hook.get_original());
get_original());
const auto status = orig(handle, info_class, info, info_length, ret_length); const auto status = orig(handle, info_class, info, info_length, ret_length);
if (NT_SUCCESS(status)) if (NT_SUCCESS(status))
@ -176,6 +179,7 @@ namespace arxan
uint32_t adjust_integrity_checksum(const uint64_t return_address, uint8_t* stack_frame, uint32_t adjust_integrity_checksum(const uint64_t return_address, uint8_t* stack_frame,
const uint32_t current_checksum) const uint32_t current_checksum)
{ {
[[maybe_unused]]const auto handler_address = return_address - 5;
const auto* context = search_handler_context(stack_frame, current_checksum); const auto* context = search_handler_context(stack_frame, current_checksum);
if (!context) if (!context)
@ -189,8 +193,7 @@ namespace arxan
if (current_checksum != correct_checksum) if (current_checksum != correct_checksum)
{ {
#ifdef _DEBUG #ifdef DEV_BUILD
const auto handler_address = return_address - 5;
OutputDebugStringA(utils::string::va("Adjusting checksum (%llX): %X -> %X", handler_address, OutputDebugStringA(utils::string::va("Adjusting checksum (%llX): %X -> %X", handler_address,
current_checksum, correct_checksum)); current_checksum, correct_checksum));
#endif #endif
@ -296,29 +299,42 @@ namespace arxan
utils::hook::call(game_address, stub); utils::hook::call(game_address, stub);
} }
#ifdef PRECOMPUTED_INTEGRITY_CHECKS
void search_and_patch_integrity_checks_precomputed()
{
for (const auto i : intact_integrity_check_blocks)
{
patch_intact_basic_block_integrity_check(reinterpret_cast<void*>(i));
}
for (const auto i : split_integrity_check_blocks)
{
patch_split_basic_block_integrity_check(reinterpret_cast<void*>(i));
}
}
#endif
void search_and_patch_integrity_checks() void search_and_patch_integrity_checks()
{ {
#ifdef PRECOMPUTED_INTEGRITY_CHECKS
search_and_patch_integrity_checks_precomputed();
#else
// There seem to be 670 results. // There seem to be 670 results.
// Searching them is quite slow. // Searching them is quite slow.
// Maybe precomputing that might be better? // Maybe precomputing that might be better?
const auto intact_results = "89 04 8A 83 45 ? FF"_sig; const auto intact_results = "89 04 8A 83 45 ? FF"_sig;
const auto split_results = "89 04 8A E9"_sig; const auto split_results = "89 04 8A E9"_sig;
int results = 0;
for (auto* i : intact_results) for (auto* i : intact_results)
{ {
patch_intact_basic_block_integrity_check(i); patch_intact_basic_block_integrity_check(i);
results++;
} }
for (auto* i : split_results) for (auto* i : split_results)
{ {
patch_split_basic_block_integrity_check(i); patch_split_basic_block_integrity_check(i);
results++;
} }
#endif
OutputDebugStringA(utils::string::va("integrity check amount: %d\n", results));
} }
} }
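Review bot: search_and_patch_integrity_checks_precomputed writes into the game image at hard-coded absolute addresses without checking that the bytes there are still an integrity-check stub, so on any build other than the one the table was scanned from (or if the image is not loaded at the 0x140000000 base the constants assume) it will patch unrelated code and crash or silently corrupt the process. The signature path it replaces only touched locations matching `89 04 8A 83 45 ? FF` / `89 04 8A E9`; the precomputed path should keep that guarantee by comparing the leading bytes before each patch, and ideally fall back to the scan when the module base differs from the constants. If the `integrity check amount` OutputDebugStringA line at the end of the hunk survives on the new side, `results` is only declared under `#else`, so a PRECOMPUTED_INTEGRITY_CHECKS build would not compile — it belongs inside the `#else` branch or both paths need to count. The enclosing namespace continues past the hunk.
```cpp
// Returns true when the first `count` bytes at `address` equal `expected`.
bool bytes_match(const uint64_t address, const uint8_t* expected, const size_t count)
{
	const auto* actual = reinterpret_cast<const uint8_t*>(address);
	for (size_t n = 0; n < count; ++n)
	{
		if (actual[n] != expected[n])
		{
			return false;
		}
	}
	return true;
}

void search_and_patch_integrity_checks_precomputed()
{
	// Table addresses assume this exact build loaded at its preferred base;
	// only patch locations that still carry the stub bytes the scanner keyed on.
	static constexpr uint8_t intact_prefix[] = {0x89, 0x04, 0x8A, 0x83, 0x45};
	static constexpr uint8_t split_prefix[] = {0x89, 0x04, 0x8A, 0xE9};

	for (const auto i : intact_integrity_check_blocks)
	{
		if (bytes_match(i, intact_prefix, sizeof(intact_prefix)))
		{
			patch_intact_basic_block_integrity_check(reinterpret_cast<void*>(i));
		}
	}

	for (const auto i : split_integrity_check_blocks)
	{
		if (bytes_match(i, split_prefix, sizeof(split_prefix)))
		{
			patch_split_basic_block_integrity_check(reinterpret_cast<void*>(i));
		}
	}
}
```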


@ -0,0 +1,680 @@
#pragma once
#include <cstdint>
constexpr uint64_t intact_integrity_check_blocks[] =
{
0x1405513CA,
0x140CF618F,
0x140F17D3D,
0x141264752,
0x141268472,
0x141293C98,
0x1413A5CCD,
0x141401C92,
0x14B2B5D4C,
0x14B2BB94B,
0x14B2C1CDA,
0x14B2C354D,
0x14B2C59A8,
0x14B2C6B9A,
0x14B2C79AC,
0x14B2CA156,
0x14B2D09BA,
0x14B2DA07D,
0x14B2DCE29,
0x14B2E093D,
0x14B2E60C6,
0x14B2E73F7,
0x14B2EB04C,
0x14B2ED7A1,
0x14B2F066C,
0x14B2F4C60,
0x14B2F52B0,
0x14B2F7B07,
0x14B2FB430,
0x14B2FE149,
0x14B301C60,
0x14B306D2A,
0x14B34EAFF,
0x14B34EF91,
0x14B35E81C,
0x14B365FE6,
0x14B368633,
0x14B36CD45,
0x14B36E829,
0x14B3709FC,
0x14B372CB3,
0x14B37CA76,
0x14B39C9E9,
0x14B39F39F,
0x14B3A12C5,
0x14B3A937F,
0x14B3ADF24,
0x14B3AECCE,
0x14B3BA7EB,
0x14B3BAC96,
0x14B3BCF21,
0x14B3BF232,
0x14B3C06BA,
0x14B3C0711,
0x14B3E626B,
0x14B3E686A,
0x14B3E8971,
0x14B3E9204,
0x14B3E997D,
0x14B3F3073,
0x14B3F31A7,
0x14B3F8A94,
0x14B400A04,
0x14B400B37,
0x14B401901,
0x14B403190,
0x14B407B39,
0x14B41020D,
0x14B410779,
0x14B4131B2,
0x14B41DE34,
0x14B423DD9,
0x14B42502A,
0x14B4263C0,
0x14B4266A9,
0x14B42707C,
0x14B427B77,
0x14B42B590,
0x14B42C318,
0x14B42DF7C,
0x14B42E2B8,
0x14B42FBE4,
0x14B4317FF,
0x14B432644,
0x14B433A37,
0x14B4395D1,
0x14B43BEB8,
0x14B43D812,
0x14B447F50,
0x14B4483D7,
0x14B449E6A,
0x14B44AD16,
0x14B44C068,
0x14B44C1EC,
0x14B452CCB,
0x14B454632,
0x14B457E8C,
0x14B45D032,
0x14B461829,
0x14B46D912,
0x14B46E728,
0x14B477A70,
0x14B4786A2,
0x14B47E1CE,
0x14B485458,
0x14B48E34D,
0x14B4931E7,
0x14B49346C,
0x14B494E73,
0x14B49796F,
0x14B4A0B4B,
0x14B4A494F,
0x14B4AB536,
0x14B4B9D23,
0x14B4BA83C,
0x14B4BD494,
0x14B4CCF0A,
0x14B4CF62A,
0x14B4D0F15,
0x14B4D1608,
0x14B4D1E39,
0x14B4D69E7,
0x14B4D8EAD,
0x14B52D094,
0x14B52E6E1,
0x14B52EE53,
0x14B5352A6,
0x14B542FAB,
0x14B54503B,
0x14B545DF0,
0x14B545F65,
0x14B552EE8,
0x14B553AA8,
0x14B5550E4,
0x14B568DF8,
0x14B57CA07,
0x14B5801EB,
0x14B583C85,
0x14B5887C5,
0x14B593270,
0x14B59A75E,
0x14B59FD10,
0x14B5A4139,
0x14B5B8C49,
0x14B5BB8A7,
0x14B5BE4E4,
0x14B5C0046,
0x14B5C023E,
0x14B5C2748,
0x14B5C99E5,
0x14B61C0B9,
0x14B62153F,
0x14B624498,
0x14B629AE0,
0x14B64A453,
0x14B64E311,
0x14B651C9E,
0x14B654AC6,
0x14B656F32,
0x14B65A14A,
0x14B65A8A8,
0x14B65EF32,
0x14B6615EB,
0x14B662B6C,
0x14B668212,
0x14B670FC0,
0x14B677D66,
0x14B67B7CD,
0x14B680B1A,
0x14B685CAD,
0x14B68792E,
0x14B6882D1,
0x14B68A1BC,
0x14B6915FE,
0x14B6DD849,
0x14B737C7C,
0x14B739774,
0x14B73A2FE,
0x14B73DB3C,
0x14B745C2A,
0x14B746D6C,
0x14B74780E,
0x14B747AE7,
0x14B74A87C,
0x14B754174,
0x14B75C1EE,
0x14B75D577,
0x14B764693,
0x14B769CD8,
0x14B76A3F6,
0x14B771E7A,
0x14B777373,
0x14B77902F,
0x14B77A98C,
0x14B782E2A,
0x14B796BD7,
0x14B79AB7D,
0x14B79FBA5,
0x14B7A08C2,
0x14B7A0B65,
0x14B7A14EE,
0x14B7A9132,
0x14B7B64EC,
0x14B7BB12D,
0x14B7CA7FB,
0x14B7CABC4,
0x14B7D4E4D,
0x14B7E46AC,
0x14B7EA91C,
0x14B7F1E3F,
0x14B7F42E0,
0x14B7F5DC8,
0x14B7F88D6,
0x14B80219B,
0x14B80C9B0,
0x14B80E9E2,
0x14B81047C,
0x14B8125A0,
0x14B816D87,
0x14B81B0A6,
0x14B8256F5,
0x14B82692A,
0x14B82A39F,
0x14B8702B8,
0x14B872364,
0x14B876400,
0x14B8E53F0,
0x14B8EED57,
0x14B8F3DCE,
0x14B8F5558,
0x14B9002E1,
0x14B9064E3,
0x14B959C3D,
0x14B95F229,
0x14B9B4975,
0x14B9D0C53,
0x14B9D1DBF,
0x14B9D4B3D,
0x14B9E8970,
0x14B9E98BD,
0x14B9F34A5,
0x14B9F74E9,
0x14B9F9E0E,
0x14B9FB1DD,
0x14BA0295D,
0x14BA0D9EC,
0x14BA117A8,
0x14BA1689D,
0x14BA17CCF,
0x14BA1905B,
0x14BA197AE,
0x14BA1AF96,
0x14BA1E69C,
0x14BA22B1A,
0x14BA26ED0,
0x14BA28CB9,
0x14BA32405,
0x14BA3816F,
0x14BA3A6EF,
0x14BA3E050,
0x14BA41194,
0x14BA4E533,
0x14BA50A19,
0x14BA563AB,
0x14BA59D77,
0x14BA5CE20,
0x14BA5F4E4,
0x14BA65528,
0x14BA6C847,
0x14BA7FBAC,
0x14BA834D2,
0x14BA8554F,
0x14BA90B91,
0x14BA9352E,
0x14BA9528A,
0x14BA9C8D0,
0x14BA9F445,
0x14BAA1D17,
0x14BAA3ABA,
0x14BAA61E1,
0x14BAA9F0A,
0x14BAAFCC6,
0x14BAB1443,
0x14BAB2AAA,
0x14BAB3565,
0x14BAC7D99,
0x14BAC909F,
0x14BACB9AE,
0x14BAD0818,
0x14BAD9B08,
0x14BADA8EC,
0x14BAEA4A7,
0x14BAF1627,
0x14BAF49EF,
0x14BAF4EF1,
0x14BAF963C,
0x14BB04995,
0x14BB0B169,
0x14BB0C9A8,
0x14BB0CF9C,
0x14BB14F27,
0x14BB1B0A5,
0x14BB1E110,
0x14BB1EFCA,
0x14BB1FB5C,
0x14BB20224,
0x14BB3DA05,
0x14BB43A6D,
0x14BB4F2E8,
0x14BB4F8B8,
0x14BB54279,
0x14BB54306,
0x14BB6425A,
0x14BB6614B,
0x14BB68416,
0x14BB6FE20,
0x14BB71D2B,
0x14BB7889D,
0x14BB7A513,
0x14BB83496,
0x14BB857D9,
0x14BB85C89,
0x14BC087E5,
0x14BC0A365,
0x14BC0D8B6,
0x14BC1443D,
0x14BC14D50,
0x14BC1D85D,
0x14BC306B9,
0x14BC30722,
0x14BC460A8,
0x14BC4BCD8,
0x14BC5420A,
0x14BC54EC3,
0x14BC56D19,
0x14BC57951,
0x14BC587D7,
0x14BC58D18,
0x14BC5CA1B,
0x14BCC09A5,
0x14BCC0E54,
0x14BCC3735,
0x14BCC404C,
0x14BCCAB24,
0x14BCCBBF8,
0x14BCCC864,
0x14BCDA5EE,
0x14BCE2BFE,
0x14BCE47C3,
0x14BCE96BB,
0x14BCE9A1D,
0x14BCF3F0C,
0x14BCFD98E,
0x14BD0097E,
0x14BD07EEE,
0x14BD09474,
0x14BD0C24D,
0x14BD0FAC2,
0x14BD70956,
0x14BDB2895,
0x14BDB68A8,
0x14BDBAB93,
0x14BDBD1AF,
0x14BDBDD09,
0x14BDCCEC0,
0x14BDD25D7,
0x14BDD6873,
0x14BDDC942,
0x14BDE0654,
0x14BDE4C6D,
0x14BDEAC1E,
0x14BDF7AF5,
0x14BDFD390,
0x14BDFDEC5,
0x14BE00E14,
0x14BE0B8BE,
0x14BE27A98,
0x14BE344BE,
0x14BE5381E,
0x14BE5A805,
0x14BE5C080,
0x14BE5EA6D,
0x14BE60430,
0x14BE63B34,
0x14BE6A0BB,
0x14BE6E01E,
0x14BE7227A,
0x14BE7A3B6,
0x14BE7C786,
0x14BE91677,
0x14BE97C35,
0x14BE9E57C,
0x14BEA29D0,
0x14BEADB62,
0x14BEB6B5E,
0x14BEC3304,
0x14BEC5CD6,
0x14BEC9714,
0x14BECA1B8,
0x14BECAEFF,
0x14BECB924,
0x14BECCEE1,
0x14BECE414,
0x14BECE570,
0x14BED21BD,
0x14BED676E,
0x14BED7004,
0x14BED83FA,
0x14BEE14EE,
0x14BEE9F1E,
0x14BEEC6C1,
0x14BEF50B0,
0x14BEF53A9,
0x14BEF9E3B,
0x14BEFAB7E,
0x14BEFDBD2,
0x14BEFED27,
0x14BF03CC4,
0x14BF0BFE9,
0x14BF12851,
0x14BF15D29,
0x14BF17039,
0x14BF22E3F,
0x14BF34A65,
0x14BF35C80,
0x14BF45E47,
0x14BF4631B,
0x14BF47DCF,
0x14BF4EF06,
0x14BF57A0C,
0x14BF58BE2,
0x14BF5D8C9,
0x14BF6BFD2,
0x14BF6C969,
0x14BF6D427,
0x14BF72629,
0x14BF72C77,
0x14BF79516,
0x14BF7A2CB,
0x14BF7E23D,
0x14BF7F75B,
0x14BF82E3D,
0x14BF8414D,
0x14BF8EDC3,
0x14BF94FF6,
0x14BF97763,
0x14BF9E515,
0x14BFA42BA,
0x14BFA7857,
0x14BFB2EA3,
0x14BFBCBBE,
0x14BFC7FF3,
0x14BFCB8BB,
0x14BFD46C6,
0x14BFD4BBE,
0x14BFE0104,
0x14BFE3682,
0x14C016217,
0x14C017169,
0x14C019255,
0x14C01C246,
0x14C01E682,
0x14C069217,
0x14C06DCB8,
0x14C06F77E,
0x14C08604D,
0x14C0883B7,
0x14C08E55C,
0x14C090D1B,
0x14C0A4EB1,
0x14C0AE975,
0x14C0B9DEA,
0x14C0BD8E2,
0x14C0BE011,
0x14C0BEB0F,
0x14C0C1857,
0x14C0C318B,
0x14C0CD46B,
0x14C0ED485,
0x14C0F5A83,
0x14C0F94E8,
0x14C0FADF7,
0x14C16F1A9,
0x14C171949,
0x14C175458,
0x14C177E58,
0x14C17AE62,
0x14C182A62,
0x14C182C94,
0x14C1855E9,
0x14C185D82,
0x14C18D6CC,
0x14C1D55C1,
0x14C1E4BAD,
0x14C1E4C0C,
0x14C1EDEAE,
0x14C1EF2CC,
0x14C1F2B67,
0x14C1FC041,
0x14C1FD82E,
0x14C1FFBF9,
0x14C200ABE,
0x14C20604D,
0x14C20AEF1,
0x14C20D60E,
0x14C20F17D,
0x14C2126BD,
0x14C21523A,
0x14C223F6B,
0x14C22A3A3,
0x14C22E75C,
0x14C22E83D,
0x14C23204E,
0x14C234907,
0x14C24266E,
0x14C244D51,
0x14C256DA7,
0x14C256F88,
0x14C26388B,
0x14C26945E,
0x14C26AB3F,
0x14C26E6FC,
0x14C273D82,
0x14C274BDB,
0x14C274ECA,
0x14C27558D,
0x14C27659A,
0x14C278748,
};
constexpr uint64_t split_integrity_check_blocks[] =
{
0x1412878D4,
0x14B2C17D9,
0x14B2CE0AE,
0x14B2CF464,
0x14B2D4817,
0x14B2EE86A,
0x14B2F555B,
0x14B3862EF,
0x14B3879B6,
0x14B3A00AF,
0x14B3A3C3C,
0x14B3A54BA,
0x14B3A628E,
0x14B3A714A,
0x14B3DB71C,
0x14B3E3173,
0x14B41CDC5,
0x14B45BA58,
0x14B46C0B8,
0x14B47A8F4,
0x14B47C03C,
0x14B48AB44,
0x14B49FA2C,
0x14B4B404A,
0x14B4C4702,
0x14B4D0C5B,
0x14B5246D1,
0x14B52F94F,
0x14B58111E,
0x14B599C89,
0x14B63E876,
0x14B63F3CF,
0x14B6445CE,
0x14B654062,
0x14B65A74F,
0x14B663424,
0x14B66CC27,
0x14B676FD4,
0x14B679802,
0x14B67CBAB,
0x14B680E68,
0x14B68D922,
0x14B766388,
0x14B771220,
0x14B7741FB,
0x14B7748B5,
0x14B78764E,
0x14B7C157D,
0x14B7C7E84,
0x14B7DC8AB,
0x14B7FD70D,
0x14B80B5C8,
0x14B81CC2B,
0x14B81E060,
0x14B873A62,
0x14B88933B,
0x14B88CEA5,
0x14B88CF3D,
0x14B909643,
0x14B960366,
0x14B9B4D91,
0x14B9C9155,
0x14B9E0BA5,
0x14BA1C4C4,
0x14BA20E57,
0x14BA2BA1C,
0x14BA47A4F,
0x14BA4BADD,
0x14BA501D1,
0x14BA50796,
0x14BA51B18,
0x14BA87AF4,
0x14BAA513B,
0x14BAB4C7B,
0x14BADF68E,
0x14BAEB4E9,
0x14BAF0596,
0x14BAFA3B7,
0x14BB0C13B,
0x14BB32B54,
0x14BB369CC,
0x14BB4BBE7,
0x14BB54DFC,
0x14BB74503,
0x14BB7654E,
0x14BC16394,
0x14BC4D609,
0x14BC59D36,
0x14BC65AA9,
0x14BC676DC,
0x14BCB74F8,
0x14BCDEEAB,
0x14BCEF0DB,
0x14BCFE978,
0x14BD0B53E,
0x14BDD4A1A,
0x14BE279DA,
0x14BE64CC9,
0x14BE652D5,
0x14BE65680,
0x14BE66C17,
0x14BEA5E67,
0x14BEADAA5,
0x14BEB51F5,
0x14BEB5CCB,
0x14BEC96D1,
0x14BED8AA6,
0x14BEDAA76,
0x14BEE90A2,
0x14BF00E50,
0x14BF1C4A2,
0x14BF23F04,
0x14BF26212,
0x14BF2AF73,
0x14BF698CC,
0x14BF9E0A1,
0x14BFA1E57,
0x14BFB5614,
0x14BFCA31D,
0x14C01642A,
0x14C017071,
0x14C01DFF4,
0x14C066852,
0x14C0761CB,
0x14C0AA756,
0x14C0CF3E1,
0x14C0D194A,
0x14C0E327E,
0x14C0EFB1E,
0x14C0FCBD5,
0x14C0FF175,
0x14C11148B,
0x14C17E415,
0x14C183DF2,
0x14C1D4BD2,
0x14C1D64A1,
0x14C1DDC1B,
0x14C1F22AD,
0x14C200E2C,
0x14C20C6C7,
0x14C232A55,
0x14C238BED,
};