└── EasyAntiCheat.sys ├── cheatpages.c ├── disk.c ├── dispatchhook.c ├── dr.c ├── driver.c ├── handles.c ├── hiddenprocess.c ├── hwid.c ├── kernelpatch.c ├── mac.c ├── physmem.c ├── pooltags.c ├── process.c ├── servicetable.c ├── suspiciousmodules.c ├── systemthread.c ├── tdl.c └── vm.asm /EasyAntiCheat.sys/cheatpages.c: -------------------------------------------------------------------------------- 1 | Checked memory types: 2 | [non-shared only ] Executable. 3 | [non-shared only ] Executable and read-only. 4 | [including shared] Executable and read/write. 5 | [non-shared only ] Executable and copy-on-write. 6 | [non-shared only ] Non-cacheable and executable. 7 | [non-shared only ] Non-cacheable, executable, and read-only. 8 | [including shared] Non-cacheable, executable, and read/write. 9 | [non-shared only ] Non-cacheable, executable, and copy-on-write. 10 | [non-shared only ] Guard page and executable. 11 | [non-shared only ] Guard page, executable, and read-only. 12 | [including shared] Guard page, executable, and read/write. 13 | [non-shared only ] Guard page, executable, and copy-on-write. 14 | [non-shared only ] Non-cacheable, guard page, and executable. 15 | [non-shared only ] Non-cacheable, guard page, executable, and read-only. 16 | [including shared] Non-cacheable, guard page, executable, and read/write. 17 | [non-shared only ] Non-cacheable, guard page, executable, and copy-on-write. 18 | 19 | char __fastcall ScanProcessWorkingSet(__int64 process, char previousMode, WORKINGSET_DETECTION_BUFFER **outDetectionBuffer) 20 | { 21 | char v3; // bp 22 | MEMORY_WORKING_SET_INFORMATION *wsi; // rax MAPDST 23 | WORKINGSET_DETECTION_BUFFER *detectionBuffer; // rax MAPDST 24 | ULONG_PTR v12; // r12 25 | int *info; // rbx 26 | unsigned __int64 protection; // rax 27 | 28 | v3 = 0; 29 | if ( !outDetectionBuffer ) 30 | return 0; 31 | *outDetectionBuffer = 0i64; 32 | wsi = (MEMORY_WORKING_SET_INFORMATION *)AllocatePool(0x100000i64); 33 | if ( !wsi ) 34 | return v3; 35 | if ( !QueryVirtualMemory0(0i64, process, 1u, (__int64)wsi, previousMode, 0x100000i64) )// MemoryWorkingSetInformation 36 | goto LABEL_33; 37 | detectionBuffer = (WORKINGSET_DETECTION_BUFFER *)AllocatePool(2048i64); 38 | if ( detectionBuffer ) 39 | { 40 | memset(detectionBuffer, 0, 2048ui64); 41 | detectionBuffer->usedBytes = 16; 42 | detectionBuffer->maxSize = 2048; 43 | } 44 | *outDetectionBuffer = detectionBuffer; 45 | if ( !detectionBuffer ) 46 | goto LABEL_33; 47 | v12 = 0i64; 48 | if ( !wsi->NumberOfEntries ) 49 | goto LABEL_32; 50 | info = (int *)wsi->WorkingSetInfo; 51 | do 52 | { 53 | protection = *(_QWORD *)info & 0x1Fi64; 54 | if ( protection > 19 ) 55 | { 56 | if ( protection == 22 ) 57 | goto check_entry; // Guard page, executable, and read/write. 58 | if ( protection != 23 ) 59 | { 60 | if ( protection <= 25 ) 61 | goto skip_entry; 62 | if ( protection > 27 ) 63 | { 64 | if ( protection == 30 ) 65 | goto check_entry; // Non-cacheable, guard page, executable, and read/write. 66 | if ( protection != 31 ) 67 | goto skip_entry; 68 | } 69 | } 70 | } 71 | else if ( protection < 18 ) 72 | { 73 | if ( protection < 2 ) 74 | goto skip_entry; 75 | if ( protection > 3 ) 76 | { 77 | if ( protection == 6 ) 78 | goto check_entry; // Executable and read/write. 79 | if ( protection != 7 ) 80 | { 81 | if ( protection <= 9 ) 82 | goto skip_entry; 83 | if ( protection > 0xB ) 84 | { 85 | if ( protection == 14 ) 86 | goto check_entry; // Non-cacheable, executable, and read/write. 87 | if ( protection != 15 ) 88 | goto skip_entry; 89 | } 90 | } 91 | } 92 | } 93 | if ( previousMode && !_bittest64((const signed __int64 *)info, 8u) )// bit 8 = shared 94 | { 95 | check_entry: 96 | v3 = 1; 97 | CheckWorkingSetEntry(*outDetectionBuffer, info, previousMode); 98 | } 99 | skip_entry: 100 | ++v12; 101 | info += 2; 102 | } 103 | while ( v12 < wsi->NumberOfEntries ); 104 | if ( !v3 ) 105 | { 106 | LABEL_32: 107 | FreePool((__int64)*outDetectionBuffer); 108 | *outDetectionBuffer = 0i64; 109 | } 110 | LABEL_33: 111 | FreePool((__int64)wsi); 112 | return v3; 113 | } 114 | 115 | char __usercall CheckWorkingSetEntry@(WORKINGSET_DETECTION_BUFFER *detectionBuffer@, int *pWsiInfo@, signed int previousMode@) 116 | { 117 | unsigned __int64 v3; // rax 118 | void *address; // rdi 119 | unsigned __int64 v7; // r9 120 | WORKINGSET_DETECTION_ENTRY *prevEntry; // r8 121 | int wsiInfo; // eax 122 | __int64 v10; // rdx 123 | UNICODE_STRING mappedFilename; // [rsp+30h] [rbp-88h] 124 | UNICODE_STRING string; // [rsp+40h] [rbp-78h] 125 | WORKINGSET_DETECTION_ENTRY detectionEntry; // [rsp+50h] [rbp-68h] 126 | MEMORY_BASIC_INFORMATION mbi; // [rsp+78h] [rbp-40h] 127 | 128 | detectionEntry.address = 0i64; 129 | LOBYTE(v3) = 0; 130 | address = (void *)(*(_QWORD *)pWsiInfo & 0xFFFFFFFFFFFFF000ui64);// extract page address 131 | *(_QWORD *)&detectionEntry.offsetFromAllocationBase = 0i64; 132 | *(_QWORD *)&detectionEntry.isShared = 0i64; 133 | *(_QWORD *)&detectionEntry.mappedFilename[7] = 0i64; 134 | detectionEntry.mappedFilename[15] = 0; 135 | if ( !detectionBuffer ) 136 | return v3; 137 | LODWORD(v3) = detectionBuffer->maxSize; 138 | if ( (unsigned int)v3 < 0x10 ) 139 | return v3; 140 | LODWORD(v3) = v3 - detectionBuffer->usedBytes; 141 | ++detectionBuffer->unk123; 142 | if ( (unsigned int)v3 < 33 ) 143 | return v3; 144 | mbi.BaseAddress = address; 145 | LOBYTE(v3) = (signed int)QueryVirtualMemory((__int64)address, -1i64, 0, (__int64)&mbi, previousMode, 48i64, 0i64) >= 0; 146 | if ( !(_BYTE)v3 ) 147 | { 148 | detectionEntry.address = (__int64)address; 149 | LABEL_14: 150 | wsiInfo = *pWsiInfo; 151 | v10 = (unsigned int)detectionBuffer->count; 152 | detectionEntry.isShared = (*pWsiInfo & 0x100i64) != 0; 153 | detectionEntry.protection = wsiInfo & 0x1F; 154 | detectionBuffer->count = v10 + 1; 155 | LOBYTE(v3) = (unsigned __int64)memmove(&detectionBuffer->entries[v10], &detectionEntry, 33ui64); 156 | detectionBuffer->usedBytes += 33; 157 | return v3; 158 | } 159 | v7 = 0i64; 160 | if ( !detectionBuffer->count ) 161 | { 162 | LABEL_9: 163 | detectionEntry.address = (__int64)mbi.AllocationBase; 164 | detectionEntry.offsetFromAllocationBase = (_DWORD)address - LODWORD(mbi.AllocationBase); 165 | if ( GetMappedFilename(-1i64, (__int64)mbi.AllocationBase, (__int64)&mappedFilename, previousMode) ) 166 | { 167 | if ( sub_289F0(&mappedFilename.Length, (__int64)&string) ) 168 | CopyUnicodeStringToAnsiBuffer((__int64)detectionEntry.mappedFilename, 16i64, &string); 169 | FreeUnicodeString(&mappedFilename); 170 | } 171 | goto LABEL_14; 172 | } 173 | prevEntry = detectionBuffer->entries; 174 | while ( (PVOID)prevEntry->address != mbi.AllocationBase ) 175 | { 176 | v3 = (unsigned int)detectionBuffer->count; 177 | ++v7; 178 | ++prevEntry; 179 | if ( v7 >= v3 ) 180 | goto LABEL_9; 181 | } 182 | return v3; 183 | } -------------------------------------------------------------------------------- /EasyAntiCheat.sys/disk.c: -------------------------------------------------------------------------------- 1 | void __usercall SendDiskInformation(unsigned int a1@, signed int a2@) 2 | { 3 | int crc32; // ebx 4 | unsigned int packetValueUnk; // ecx 5 | UNICODE_STRING deviceSerial; // [rsp+20h] [rbp-18h] 6 | 7 | deviceSerial.Length = 0; 8 | *(_QWORD *)&deviceSerial.MaximumLength = 0i64; 9 | crc32 = 0; 10 | *(_DWORD *)((char *)&deviceSerial.Buffer + 2) = 0; 11 | HIWORD(deviceSerial.Buffer) = 0; 12 | if ( QueryFilesystemDeviceSerial(3i64, &deviceSerial, a2) 13 | && deviceSerial.Buffer 14 | && deviceSerial.Length 15 | && deviceSerial.MaximumLength ) 16 | { 17 | crc32 = HashCRC32((char *)deviceSerial.Buffer, deviceSerial.Length, deviceSerial.Length); 18 | } 19 | if ( !a1 || !crc32 || (packetValueUnk = 316, a1 != crc32) ) 20 | packetValueUnk = 315; 21 | SendHWIDDataToServer(packetValueUnk, a1, crc32, &deviceSerial); 22 | if ( deviceSerial.Buffer && deviceSerial.Length ) 23 | { 24 | if ( deviceSerial.MaximumLength ) 25 | FreeUnicodeString(&deviceSerial); 26 | } 27 | } 28 | 29 | char __usercall QueryFilesystemDeviceSerial@(__int64 a1@, UNICODE_STRING *outData@, signed int a3@) 30 | { 31 | char success; // bl 32 | _DEVICE_OBJECT *deviceObject; // rax MAPDST 33 | _DEVICE_OBJECT *filesystemDevice; // rax MAPDST 34 | UNICODE_STRING driverName; // [rsp+20h] [rbp-18h] 35 | 36 | success = 0; 37 | if ( !outData || KeGetCurrentIrql() || (unsigned __int8)import_KeAreAllApcsDisabled(a1) ) 38 | return 0; 39 | InitializeUnicodeStringWithCStr(&driverName, (_WORD *)(StringTable + 4419));// \Driver\disk 40 | deviceObject = (_DEVICE_OBJECT *)GetLastDeviceObjectForDriver(&driverName, a3); 41 | if ( deviceObject ) 42 | { 43 | filesystemDevice = (_DEVICE_OBJECT *)IoGetDeviceAttachmentBaseRef(deviceObject); 44 | if ( filesystemDevice ) 45 | { 46 | if ( filesystemDevice != deviceObject ) 47 | success = QueryDriveSmartOrStorageData(filesystemDevice, 3, outData);// 3 = query serial 48 | ObfDereferenceObject(filesystemDevice); 49 | } 50 | ObfDereferenceObject(deviceObject); 51 | } 52 | return success; 53 | } 54 | 55 | __int64 __usercall GetLastDeviceObjectForDriver@(UNICODE_STRING *driverName@, signed int a2@) 56 | { 57 | unsigned int v2; // ebx 58 | __int64 lastDeviceObject; // r12 59 | _IMAGE_DOS_HEADER *v4; // rax 60 | __int64 IoDeviceObject; // rsi 61 | signed int status1; // edi MAPDST 62 | unsigned int access; // ST20_4 63 | unsigned int status0; // eax 64 | unsigned int bufferSize; // ebp 65 | __int64 deviceObjectList; // rsi 66 | __int64 lastDeviceIndex; // rcx 67 | PVOID *currentDeviceObject; // rdi 68 | PVOID *v16; // [rsp+20h] [rbp-78h] 69 | __int64 v17; // [rsp+28h] [rbp-70h] 70 | OBJECT_ATTRIBUTES objectAttributes; // [rsp+40h] [rbp-58h] 71 | __int64 deviceObjectNumber; // [rsp+A0h] [rbp+8h] 72 | PVOID driverObject; // [rsp+A8h] [rbp+10h] 73 | __int64 driverHandle; // [rsp+B0h] [rbp+18h] 74 | 75 | v2 = 0; 76 | lastDeviceObject = 0i64; 77 | LODWORD(deviceObjectNumber) = 0; 78 | if ( !driverName || !driverName->Buffer || !driverName->Length || !driverName->MaximumLength ) 79 | return 0i64; 80 | objectAttributes.Length = 48; 81 | objectAttributes.RootDirectory = 0i64; 82 | objectAttributes.Attributes = 576; 83 | objectAttributes.ObjectName = driverName; 84 | objectAttributes.SecurityDescriptor = 0i64; 85 | objectAttributes.SecurityQualityOfService = 0i64; 86 | v4 = (_IMAGE_DOS_HEADER *)qword_4D8C8; 87 | if ( qword_4D8C8 || (v4 = FindExport(&unk_46B38), IoDeviceObject = 0i64, (qword_4D8C8 = (__int64)v4) != 0) ) 88 | IoDeviceObject = *(_QWORD *)&v4->e_magic; 89 | if ( IoDeviceObject ) 90 | { 91 | status1 = 0xC0000002; 92 | if ( import_ObOpenObjectByName ) 93 | { 94 | access = 0x80000000; 95 | status1 = import_ObOpenObjectByName(&objectAttributes, IoDeviceObject, 0i64, 0i64, access, 0i64, &driverHandle); 96 | } 97 | else 98 | { 99 | status1 = 0xC0000002; 100 | } 101 | if ( status1 >= 0 ) 102 | { 103 | if ( import_ObReferenceObjectByHandle ) 104 | { 105 | v17 = 0i64; 106 | v16 = &driverObject; 107 | status1 = import_ObReferenceObjectByHandle(driverHandle, 1i64, IoDeviceObject); 108 | } 109 | else 110 | { 111 | status1 = 0xC0000002; 112 | } 113 | if ( status1 >= 0 ) 114 | { 115 | if ( import_IoEnumerateDeviceObjectList ) 116 | status0 = import_IoEnumerateDeviceObjectList(driverObject, 0i64, 0i64, &deviceObjectNumber, v16, v17); 117 | else 118 | status0 = 0xC0000002; 119 | if ( status0 == 0xC0000023 && (unsigned int)deviceObjectNumber > 0 ) 120 | { 121 | bufferSize = 8 * deviceObjectNumber; 122 | deviceObjectList = AllocatePool((unsigned int)(8 * deviceObjectNumber)); 123 | if ( deviceObjectList ) 124 | { 125 | if ( import_IoEnumerateDeviceObjectList ) 126 | status1 = import_IoEnumerateDeviceObjectList( 127 | driverObject, 128 | deviceObjectList, 129 | bufferSize, 130 | &deviceObjectNumber, 131 | v16, 132 | v17); 133 | if ( status1 >= 0 && (unsigned int)deviceObjectNumber > 0 ) 134 | { 135 | lastDeviceIndex = (unsigned int)(deviceObjectNumber - 1); 136 | lastDeviceObject = *(_QWORD *)(deviceObjectList + 8 * lastDeviceIndex); 137 | if ( (unsigned int)lastDeviceIndex > 0 ) 138 | { 139 | currentDeviceObject = (PVOID *)deviceObjectList; 140 | do 141 | { 142 | ObfDereferenceObject(*currentDeviceObject); 143 | ++v2; 144 | ++currentDeviceObject; 145 | } 146 | while ( v2 < (signed int)deviceObjectNumber - 1 ); 147 | } 148 | } 149 | FreePool(deviceObjectList); 150 | } 151 | } 152 | ObfDereferenceObject(driverObject); 153 | } 154 | CloseHandle(driverHandle, a2); 155 | } 156 | } 157 | return lastDeviceObject; 158 | } 159 | 160 | char __fastcall QueryDriveSmartOrStorageData(_DEVICE_OBJECT *deviceObject, int whatToQueryEnum, UNICODE_STRING *outData) 161 | { 162 | char success; // bl 163 | 164 | success = 0; 165 | if ( !deviceObject 166 | || !outData 167 | || whatToQueryEnum != 2 && whatToQueryEnum != 3 168 | || KeGetCurrentIrql() 169 | || (unsigned __int8)import_KeAreAllApcsDisabled(deviceObject) ) 170 | { 171 | return 0; 172 | } 173 | if ( QuerySmartData(whatToQueryEnum, deviceObject, outData) 174 | || QueryStorageProperty(whatToQueryEnum, deviceObject, outData) ) 175 | { 176 | success = 1; 177 | } 178 | return success; 179 | } 180 | 181 | bool __fastcall QuerySmartData(int whatToQueryEnum, _DEVICE_OBJECT *deviceObject, UNICODE_STRING *outData) 182 | { 183 | bool success; // bl 184 | _SENDCMDOUTPARAMS *outParams; // rsi 185 | int querySerial; // edi 186 | BYTE *data; // rbp 187 | size_t dataLength; // rdi 188 | unsigned __int64 v11; // rdx 189 | unsigned __int64 v12; // r11 190 | char v13; // cl 191 | char v14; // al 192 | unsigned __int8 c; // al 193 | ANSI_STRING ansiString; // [rsp+30h] [rbp-C8h] 194 | SENDCMDINPARAMS inParams; // [rsp+40h] [rbp-B8h] 195 | char v19; // [rsp+6Eh] [rbp-8Ah] 196 | char v20; // [rsp+6Fh] [rbp-89h] 197 | char copiedData[128]; // [rsp+70h] [rbp-88h] 198 | // https://www.winsim.com/diskid32/diskid32.cpp 199 | success = 0; 200 | if ( deviceObject && outData ) 201 | { 202 | outParams = (_SENDCMDOUTPARAMS *)AllocatePool(529i64); 203 | if ( !outParams ) 204 | return success; 205 | *(_QWORD *)&outParams->cBufferSize = 0i64; 206 | *(_QWORD *)outParams->DriverStatus.dwReserved = 0i64; 207 | outParams->bBuffer[0] = 0; 208 | memset(&inParams, 0, 33ui64); 209 | inParams.irDriveRegs.bCommandReg = -20; // Returns ID sector for ATA 210 | if ( SendIoControl( 211 | (__int64)&dword_7C088, // SMART_RCV_DRIVE_DATA 212 | deviceObject, 213 | (__int64)&inParams, 214 | 33u, 215 | (__int64)outParams, 216 | 529) >= 0 ) 217 | { 218 | querySerial = whatToQueryEnum - 2; 219 | if ( !querySerial ) 220 | { 221 | data = (BYTE *)outParams[3].DriverStatus.dwReserved + 2;// model number 222 | dataLength = 40i64; 223 | goto LABEL_9; 224 | } 225 | if ( querySerial == 1 ) 226 | { 227 | data = outParams[1].bBuffer; // serial number 228 | dataLength = 20i64; 229 | LABEL_9: 230 | if ( data && dataLength > 0 ) 231 | { 232 | memset(copiedData, 0, 128ui64); 233 | memmove(copiedData, data, dataLength); 234 | v11 = dataLength - 1; 235 | v12 = 0i64; 236 | if ( dataLength - 1 > 0 ) 237 | { 238 | do 239 | { 240 | v13 = copiedData[v12]; 241 | v14 = copiedData[v12 + 1]; 242 | v12 += 2i64; 243 | *(&v19 + v12) = v14; 244 | *(&v20 + v12) = v13; 245 | } 246 | while ( v12 < v11 ); 247 | if ( v11 > 0 ) 248 | { 249 | do 250 | { 251 | c = copiedData[v11]; 252 | if ( (c < '\t' || c > '\r') && c != 0x20 ) 253 | { 254 | if ( c ) 255 | break; 256 | } 257 | else 258 | { 259 | copiedData[v11] = 0; 260 | } 261 | --v11; 262 | } 263 | while ( v11 ); 264 | } 265 | } 266 | ansiString.Buffer = copiedData; 267 | SetAnsiStringLength(&ansiString, copiedData); 268 | success = (signed int)AnsiStringToUnicodeString(outData, &ansiString) >= 0; 269 | } 270 | goto LABEL_21; 271 | } 272 | } 273 | LABEL_21: 274 | FreePool((__int64)outParams); 275 | return success; 276 | } 277 | return 0; 278 | } 279 | 280 | bool __fastcall QueryStorageProperty(int whatToQueryEnum, _DEVICE_OBJECT *driverObject, UNICODE_STRING *outData) 281 | { 282 | bool status; // bl 283 | unsigned __int64 dataLength; // rdi 284 | _STORAGE_DEVICE_DESCRIPTOR *deviceDescriptor; // rsi MAPDST 285 | char *deviceDescriptorEnd; // rcx 286 | int querySerial; // ebp 287 | char *data; // rdx 288 | unsigned __int64 maxSize0; // rcx 289 | unsigned __int64 maxSize1; // rcx 290 | size_t length; // rbp 291 | signed __int64 v16; // rax 292 | unsigned __int8 c; // cl 293 | _STORAGE_PROPERTY_QUERY propertyQuery; // [rsp+30h] [rbp-B8h] 294 | ANSI_STRING ansiString; // [rsp+40h] [rbp-A8h] 295 | char copiedData[128]; // [rsp+50h] [rbp-98h] 296 | __int64 requiredSize; // [rsp+F8h] [rbp+10h] 297 | 298 | status = 0; 299 | dataLength = 0i64; 300 | if ( driverObject && outData ) 301 | { 302 | requiredSize = 0i64; 303 | *(_DWORD *)propertyQuery.AdditionalParameters = 0; 304 | propertyQuery.QueryType = 0; 305 | propertyQuery.PropertyId = 0; 306 | if ( SendIoControl(2954240i64, driverObject, (__int64)&propertyQuery, 0xCu, (__int64)&requiredSize, 8) < 0 ) 307 | return status; 308 | if ( HIDWORD(requiredSize) <= 0x28 ) 309 | return status; 310 | deviceDescriptor = (_STORAGE_DEVICE_DESCRIPTOR *)AllocatePool(HIDWORD(requiredSize)); 311 | if ( !deviceDescriptor ) 312 | return status; 313 | memset(deviceDescriptor, 0, HIDWORD(requiredSize)); 314 | *(_DWORD *)propertyQuery.AdditionalParameters = 0; 315 | propertyQuery.QueryType = 0; // StorageDeviceProperty 316 | propertyQuery.PropertyId = 0; // PropertyStandardQuery 317 | if ( SendIoControl( 318 | 0x2D1400i64, // IOCTL_STORAGE_QUERY_PROPERTY 319 | driverObject, 320 | (__int64)&propertyQuery, 321 | 0xCu, 322 | (__int64)deviceDescriptor, 323 | SHIDWORD(requiredSize)) >= 0 ) 324 | { 325 | deviceDescriptorEnd = (char *)deviceDescriptor + HIDWORD(requiredSize); 326 | querySerial = whatToQueryEnum - 2; 327 | if ( querySerial ) 328 | { 329 | if ( querySerial == 1 && deviceDescriptor->SerialNumberOffset ) 330 | { 331 | data = (char *)deviceDescriptor + deviceDescriptor->SerialNumberOffset; 332 | if ( data < (char *)deviceDescriptor || data >= deviceDescriptorEnd ) 333 | goto LABEL_24; 334 | maxSize0 = deviceDescriptorEnd - data; 335 | if ( data ) 336 | { 337 | if ( maxSize0 > 0 ) 338 | { 339 | do 340 | { 341 | if ( !data[dataLength] ) 342 | break; 343 | ++dataLength; 344 | } 345 | while ( dataLength < maxSize0 ); 346 | } 347 | goto LABEL_24; 348 | } 349 | } 350 | } 351 | else if ( deviceDescriptor->ProductIdOffset ) 352 | { 353 | data = (char *)deviceDescriptor + deviceDescriptor->ProductIdOffset; 354 | if ( data < (char *)deviceDescriptor || data >= deviceDescriptorEnd ) 355 | goto LABEL_24; 356 | maxSize1 = deviceDescriptorEnd - data; 357 | if ( data ) 358 | { 359 | if ( maxSize1 > 0 ) 360 | { 361 | do 362 | { 363 | if ( !data[dataLength] ) 364 | break; 365 | ++dataLength; 366 | } 367 | while ( dataLength < maxSize1 ); 368 | } 369 | LABEL_24: 370 | if ( data && dataLength > 0 ) 371 | { 372 | length = 127i64; 373 | if ( dataLength < 127 ) 374 | length = dataLength; 375 | memmove(copiedData, data, length); 376 | copiedData[length] = 0; 377 | if ( length ) 378 | { 379 | v16 = length - 1; 380 | if ( length - 1 > 0 ) 381 | { 382 | do 383 | { 384 | c = copiedData[v16]; 385 | if ( (c < '\t' || c > '\r') && c != ' ' ) 386 | { 387 | if ( c ) 388 | break; 389 | } 390 | else 391 | { 392 | copiedData[v16] = 0; 393 | } 394 | --v16; 395 | } 396 | while ( v16 ); 397 | } 398 | } 399 | *(_QWORD *)&ansiString.Length = copiedData;// it's Buffer but hexrays is doing weird shit 400 | SetAnsiStringLength(&ansiString, copiedData); 401 | status = (signed int)AnsiStringToUnicodeString(outData, &ansiString) >= 0; 402 | } 403 | goto LABEL_37; 404 | } 405 | } 406 | } 407 | LABEL_37: 408 | FreePool((__int64)deviceDescriptor); 409 | return status; 410 | } 411 | return 0; 412 | } -------------------------------------------------------------------------------- /EasyAntiCheat.sys/dispatchhook.c: -------------------------------------------------------------------------------- 1 | char __usercall CheckDriverDispatch@(DRIVER_OBJECT *driverObject@, _DWORD *detectionData@, _DWORD *outStatus@, signed int a4@) 2 | { 3 | char v4; // bp 4 | PDRIVER_DISPATCH addr; // rdi 5 | SYSTEM_MODULE_INFORMATION *moduleInformation; // rax MAPDST 6 | ULONG moduleIndex; // ecx 7 | PVOID *cur; // r12 8 | _BYTE *fileName; // rdx 9 | unsigned __int64 nameLength; // rax 10 | size_t nameLength2; // rdi 11 | 12 | v4 = 0; 13 | if ( !driverObject ) 14 | { 15 | if ( outStatus ) 16 | *outStatus = 2; 17 | return 0; 18 | } 19 | addr = driverObject->MajorFunction[14]; 20 | if ( !addr ) 21 | { 22 | if ( outStatus ) 23 | *outStatus = 4; 24 | return 0; 25 | } 26 | moduleInformation = (SYSTEM_MODULE_INFORMATION *)QuerySystemModuleInformation(a4); 27 | if ( !moduleInformation ) 28 | { 29 | if ( outStatus ) 30 | *outStatus = 5; 31 | return 0; 32 | } 33 | moduleIndex = 0; 34 | if ( moduleInformation->Count ) 35 | { 36 | cur = &moduleInformation->Module[0].ImageBase; 37 | while ( (unsigned __int64)*cur < MmSystemRangeStart 38 | || (char *)addr < *cur 39 | || (char *)addr > (char *)*cur + *((unsigned int *)cur + 2) ) 40 | { 41 | ++moduleIndex; 42 | cur += 37; 43 | if ( moduleIndex >= moduleInformation->Count ) 44 | goto LABEL_29; 45 | } 46 | v4 = 1; 47 | if ( detectionData ) 48 | { 49 | fileName = cur + 3; 50 | nameLength = 0i64; 51 | *detectionData = (_DWORD)addr - *(_DWORD *)cur; 52 | if ( cur == (PVOID *)0xFFFFFFFFFFFFFFE8i64 ) 53 | goto LABEL_35; 54 | do 55 | { 56 | if ( !fileName[nameLength] ) 57 | break; 58 | ++nameLength; 59 | } 60 | while ( nameLength < 256 ); 61 | nameLength2 = 255i64; 62 | if ( nameLength < 255 ) 63 | { 64 | LABEL_35: 65 | nameLength2 = 0i64; 66 | if ( cur != (PVOID *)0xFFFFFFFFFFFFFFE8i64 ) 67 | { 68 | do 69 | { 70 | if ( !fileName[nameLength2] ) 71 | break; 72 | ++nameLength2; 73 | } 74 | while ( nameLength2 < 256 ); 75 | } 76 | } 77 | memmove(detectionData + 2, fileName, nameLength2); 78 | *((_BYTE *)detectionData + nameLength2 + 8) = 0; 79 | detectionData[1] = *((_DWORD *)cur + 2); 80 | } 81 | if ( outStatus ) 82 | *outStatus = 7; 83 | } 84 | LABEL_29: 85 | FreePool((__int64)moduleInformation); 86 | if ( !v4 && outStatus ) 87 | *outStatus = 6; 88 | return v4; 89 | } -------------------------------------------------------------------------------- /EasyAntiCheat.sys/dr.c: -------------------------------------------------------------------------------- 1 | void CheckDebugRegisters() 2 | { 3 | __int64 v0; // rdx 4 | __int64 v1; // rcx 5 | __int64 v2; // rax 6 | __int64 currentProcessID; // rax 7 | __int64 *v4; // rax MAPDST 8 | unsigned __int64 dr7; // [rsp+38h] [rbp+10h] 9 | unsigned __int64 dr6; // [rsp+40h] [rbp+18h] 10 | 11 | ReadDR6_DR7(&dr6, &dr7); 12 | if ( (_BYTE)dr7 ) 13 | { 14 | v2 = import_PsGetCurrentProcess(v1, v0); 15 | if ( import_PsGetProcessId ) 16 | currentProcessID = import_PsGetProcessId(v2); 17 | else 18 | currentProcessID = 0i64; 19 | v4 = sub_29404(currentProcessID); 20 | if ( v4 ) 21 | { 22 | sub_330E0((__int64)v4, 14i64, 0); 23 | sub_29534((__int64)v4); 24 | } 25 | } 26 | } -------------------------------------------------------------------------------- /EasyAntiCheat.sys/driver.c: -------------------------------------------------------------------------------- 1 | SYSTEM_MODULE_INFORMATION *__usercall LogAllLoadedDrivers@(signed int a1@) 2 | { 3 | signed __int64 v1; // r13 4 | SYSTEM_MODULE_INFORMATION *result; // rax 5 | SYSTEM_MODULE_INFORMATION *systemModuleInformation; // rdi 6 | _DWORD *logBuffer; // rsi 7 | _IMAGE_DOS_HEADER *moduleBuffer; // r14 8 | ULONG moduleIndex; // er15 9 | PVOID *currentModule; // r12 10 | __int64 moduleBase; // rcx 11 | signed __int64 moduleName; // rbp 12 | unsigned __int64 nameLength; // rbx 13 | __int64 offsetToFilename; // rax 14 | signed __int64 v12; // r13 15 | unsigned __int64 v13; // rdx 16 | _BYTE *v14; // rcx 17 | unsigned __int64 v15; // r8 18 | signed __int64 v16; // rbp 19 | char v17; // al 20 | __int64 checksumAndTimestamp; // [rsp+20h] [rbp-38h] 21 | ULONG entrypointRva; // [rsp+28h] [rbp-30h] 22 | __int16 nameLength0; // [rsp+2Ch] [rbp-2Ch] 23 | _IMAGE_NT_HEADERS64 *ntHeaders; // [rsp+60h] [rbp+8h] 24 | 25 | v1 = 4i64; 26 | result = (SYSTEM_MODULE_INFORMATION *)QuerySystemModuleInformation(a1); 27 | systemModuleInformation = result; 28 | if ( result ) 29 | { 30 | if ( result->Count ) 31 | { 32 | logBuffer = (_DWORD *)AllocatePool(0x2000i64); 33 | if ( logBuffer ) 34 | { 35 | *logBuffer = 0; 36 | moduleBuffer = (_IMAGE_DOS_HEADER *)AllocatePool(4096i64); 37 | if ( moduleBuffer ) 38 | { 39 | moduleIndex = 0; 40 | if ( systemModuleInformation->Count ) 41 | { 42 | currentModule = &systemModuleInformation->Module[0].ImageBase; 43 | do 44 | { 45 | moduleBase = (__int64)*currentModule; 46 | if ( (unsigned __int64)*currentModule >= MmSystemRangeStart && moduleBase != EACBase ) 47 | { 48 | if ( (unsigned __int64)(v1 + 270) > 0x2000 ) 49 | break; 50 | checksumAndTimestamp = 0i64; 51 | entrypointRva = 0; 52 | if ( CopyVirtualMemory(moduleBase, 4096i64, (__int64)moduleBuffer) == 4096 53 | && ValidatePeHeader(moduleBuffer, 0x1000ui64, 0i64, &ntHeaders) ) 54 | { 55 | HIDWORD(checksumAndTimestamp) = ntHeaders->OptionalHeader.CheckSum; 56 | LODWORD(checksumAndTimestamp) = ntHeaders->FileHeader.TimeDateStamp; 57 | entrypointRva = ntHeaders->OptionalHeader.AddressOfEntryPoint; 58 | } 59 | moduleName = (signed __int64)(currentModule + 3); 60 | nameLength = 0i64; 61 | if ( currentModule != (PVOID *)0xFFFFFFFFFFFFFFE8i64 ) 62 | { 63 | do 64 | { 65 | if ( !*(_BYTE *)(nameLength + moduleName) ) 66 | break; 67 | ++nameLength; 68 | } 69 | while ( nameLength < 0xFF ); 70 | } 71 | nameLength0 = nameLength; 72 | if ( *((_WORD *)currentModule + 11) == 29 73 | && strstrIgnoreCase((_BYTE *)currentModule + 0x18, (_BYTE *)(StringTable + 1187), 29ui64) )// \SystemRoot\system32\drivers\ 74 | { 75 | offsetToFilename = *((unsigned __int16 *)currentModule + 11); 76 | moduleName += offsetToFilename; 77 | LOWORD(nameLength) = nameLength - offsetToFilename; 78 | nameLength0 = nameLength; 79 | } 80 | *(_QWORD *)((char *)logBuffer + v1) = checksumAndTimestamp; 81 | v12 = v1 + 14; 82 | v13 = 0x2000 - v12; 83 | *(_DWORD *)((char *)logBuffer + v12 - 6) = entrypointRva; 84 | *(_WORD *)((char *)logBuffer + v12 - 2) = nameLength0; 85 | v14 = (char *)logBuffer + v12; 86 | if ( v12 != 0x2000 && v13 <= 0x7FFFFFFF ) 87 | { 88 | if ( (unsigned __int16)nameLength <= 0x7FFFFFFEui64 ) 89 | { 90 | v15 = (unsigned __int16)nameLength - v13; 91 | v16 = moduleName - (_QWORD)v14; 92 | do 93 | { 94 | if ( !(v15 + v13) ) 95 | break; 96 | v17 = v14[v16]; 97 | if ( !v17 ) 98 | break; 99 | *v14++ = v17; 100 | --v13; 101 | } 102 | while ( v13 ); 103 | if ( !v13 ) 104 | --v14; 105 | } 106 | *v14 = 0; 107 | } 108 | v1 = (unsigned __int16)nameLength + v12; 109 | ++*logBuffer; 110 | } 111 | ++moduleIndex; 112 | currentModule += 37; 113 | } 114 | while ( moduleIndex < systemModuleInformation->Count ); 115 | } 116 | FreePool((__int64)moduleBuffer); 117 | } 118 | SendPacketToServer(294i64, (__int64)logBuffer, (unsigned int)v1); 119 | FreePool((__int64)logBuffer); 120 | } 121 | } 122 | result = (SYSTEM_MODULE_INFORMATION *)FreePool((__int64)systemModuleInformation); 123 | } 124 | return result; 125 | } 126 | 127 | __int64 __usercall IterateDirectoriesRecursive@(UNICODE_STRING *argPath@, __int64 *outBuffer@, unsigned int a3@, unsigned int a4@, signed int a5@, char a6) 128 | { 129 | unsigned int index; // ebp 130 | __int64 directoryObject; // rbx 131 | signed int status; // eax 132 | OBJECT_DIRECTORY_INFORMATION *objectInfo; // rsi 133 | bool isDirectory; // al MAPDST 134 | bool isRoot; // bl 135 | unsigned __int16 fullLength; // r8 136 | DRIVER_OBJECT *driver; // rax MAPDST 137 | __int64 v16; // rax 138 | __int64 a6a; // [rsp+20h] [rbp-98h] 139 | bool isDriver; // [rsp+40h] [rbp-78h] 140 | int v21; // [rsp+44h] [rbp-74h] 141 | UNICODE_STRING path; // [rsp+48h] [rbp-70h] 142 | __int64 directoryHandle; // [rsp+58h] [rbp-60h] 143 | UNICODE_STRING argPathCopy; // [rsp+60h] [rbp-58h] 144 | OBJECT_ATTRIBUTES objectAttributes; // [rsp+70h] [rbp-48h] 145 | 146 | index = 0; 147 | v21 = 0; 148 | if ( !outBuffer ) 149 | return 0i64; 150 | if ( !argPath ) 151 | return 0i64; 152 | if ( !argPath->Buffer ) 153 | return 0i64; 154 | if ( !argPath->Length ) 155 | return 0i64; 156 | if ( !argPath->MaximumLength ) 157 | return 0i64; 158 | if ( !a3 ) 159 | return 0i64; 160 | if ( !a4 ) 161 | return 0i64; 162 | directoryObject = GetDirectoryObjectType(a5); 163 | if ( !directoryObject || !AllocateCopyUnicodeString((__int64)&argPathCopy, argPath) ) 164 | return 0i64; 165 | objectAttributes.Length = 48; 166 | objectAttributes.RootDirectory = 0i64; 167 | objectAttributes.ObjectName = &argPathCopy; 168 | objectAttributes.Attributes = 512; 169 | objectAttributes.SecurityDescriptor = 0i64; 170 | objectAttributes.SecurityQualityOfService = 0i64; 171 | if ( import_ObOpenObjectByName ) 172 | status = import_ObOpenObjectByName(&objectAttributes, directoryObject, 0i64, 0i64, 1, 0i64, &directoryHandle); 173 | else 174 | status = 0xC0000002; 175 | if ( status >= 0 ) 176 | { 177 | objectInfo = (OBJECT_DIRECTORY_INFORMATION *)AllocatePool(1024i64); 178 | if ( objectInfo ) 179 | { 180 | if ( a3 > 0 ) 181 | { 182 | do 183 | { 184 | LOBYTE(a6a) = 0; 185 | if ( (signed int)GetNextDirectoryObject((__int64)objectInfo, directoryHandle, 0x400u, a5, a6a, (__int64)&v21) < 0 ) 186 | break; 187 | isDriver = CompareUnicodeStrings((__int64)&objectInfo->TypeName, (_WORD *)(StringTable + 1247)) == 0;// Driver 188 | isDirectory = CompareUnicodeStrings((__int64)&objectInfo->TypeName, (_WORD *)(StringTable + 1261)) == 0;// Directory 189 | if ( (isDriver || isDirectory) 190 | && argPath->Buffer 191 | && argPath->Length 192 | && argPath->MaximumLength 193 | && objectInfo->Name.Buffer 194 | && objectInfo->Name.Length 195 | && objectInfo->Name.MaximumLength ) 196 | { 197 | isRoot = CompareUnicodeStrings((__int64)argPath, (_WORD *)(StringTable + 1217)) == 0;// \ 198 | fullLength = objectInfo->Name.Length + argPath->Length; 199 | if ( !isRoot ) 200 | fullLength += 2; 201 | if ( AllocatePoolForUnicodeString((__int64)&path, argPath, fullLength) ) 202 | { 203 | if ( !isRoot && StringTable != 4294966079 ) 204 | CopyUnicodeString(&path, StringTable + 1217);// \ 205 | if ( (signed int)AppendUnicodeString(&path, objectInfo) >= 0 ) 206 | { 207 | if ( isDirectory && a4 > 0 ) 208 | { 209 | index += IterateDirectoriesRecursive(&path, &outBuffer[index], a3 - index, a4 - 1, a5, a6); 210 | } 211 | else if ( isDriver ) 212 | { 213 | driver = (DRIVER_OBJECT *)OpenDriver(&path.Length); 214 | if ( driver ) 215 | { 216 | if ( !a6 || driver->DriverSection && driver->DriverStart && driver->DriverSize ) 217 | { 218 | v16 = index++; 219 | outBuffer[v16] = (__int64)driver; 220 | } 221 | else 222 | { 223 | ObfDereferenceObject(driver); 224 | } 225 | } 226 | } 227 | } 228 | FreeUnicodeString(&path); 229 | } 230 | } 231 | } 232 | while ( index < a3 ); 233 | } 234 | FreePool((__int64)objectInfo); 235 | } 236 | CloseHandle(directoryHandle, a5); 237 | } 238 | FreeUnicodeString(&argPathCopy); 239 | return index; 240 | } 241 | 242 | char __usercall CheckDriverObjects@(_QWORD *a1@, _DWORD *a2@, __int64 detectionBuffer@, signed int a4@) 243 | { 244 | char v4; // bl 245 | __int64 directoryObject; // rdi 246 | SYSTEM_MODULE_INFORMATION *moduleInfo; // rsi 247 | signed int v10; // ST20_4 248 | signed int v11; // eax 249 | OBJECT_DIRECTORY_INFORMATION *objectInfo; // rdi 250 | __int64 v14; // [rsp+20h] [rbp-88h] 251 | UNICODE_STRING v15; // [rsp+40h] [rbp-68h] 252 | OBJECT_ATTRIBUTES v2; // [rsp+50h] [rbp-58h] 253 | int v17; // [rsp+B0h] [rbp+8h] 254 | __int64 directoryHandle; // [rsp+C8h] [rbp+20h] 255 | 256 | v4 = 0; 257 | v17 = 0; 258 | if ( !a1 || !a2 || !detectionBuffer ) 259 | return 0; 260 | directoryObject = GetDirectoryObjectType(a4); 261 | if ( directoryObject ) 262 | { 263 | moduleInfo = (SYSTEM_MODULE_INFORMATION *)QuerySystemModuleInformation(a4); 264 | if ( moduleInfo ) 265 | { 266 | InitializeUnicodeStringWithCStr(&v15, (_WORD *)(StringTable + 1221));// \Driver\ 267 | v2.Length = 48; 268 | v2.ObjectName = &v15; 269 | v2.RootDirectory = 0i64; 270 | v2.Attributes = 512; 271 | v2.SecurityDescriptor = 0i64; 272 | v2.SecurityQualityOfService = 0i64; 273 | if ( import_ObOpenObjectByName ) 274 | { 275 | v10 = 1; 276 | v11 = import_ObOpenObjectByName(&v2, directoryObject, 0i64, 0i64, v10, 0i64, &directoryHandle); 277 | } 278 | else 279 | { 280 | v11 = 0xC0000002; 281 | } 282 | if ( v11 >= 0 ) 283 | { 284 | objectInfo = (OBJECT_DIRECTORY_INFORMATION *)AllocatePool(0x400i64); 285 | if ( objectInfo ) 286 | { 287 | while ( 1 ) 288 | { 289 | LOBYTE(v14) = 0; 290 | if ( (signed int)GetNextDirectoryObject( 291 | (__int64)objectInfo, 292 | directoryHandle, 293 | 0x400u, 294 | a4, 295 | v14, 296 | (__int64)&v17) < 0 ) 297 | break; 298 | if ( IsDriverNotBackedByModule(objectInfo, moduleInfo, a1, a2) ) 299 | { 300 | AllocateCopyUnicodeString(detectionBuffer, &objectInfo->Name); 301 | v4 = 1; 302 | break; 303 | } 304 | } 305 | FreePool((__int64)objectInfo); 306 | } 307 | CloseHandle(directoryHandle, a4); 308 | } 309 | FreePool((__int64)moduleInfo); 310 | } 311 | } 312 | return v4; 313 | } 314 | 315 | char __fastcall IsDriverNotBackedByModule(OBJECT_DIRECTORY_INFORMATION *objectInfo, SYSTEM_MODULE_INFORMATION *moduleInfo, _QWORD *a3, _DWORD *a4) 316 | { 317 | char v4; // bl 318 | unsigned __int64 v6; // rsi 319 | int v11; // eax 320 | signed int v12; // eax 321 | unsigned __int64 driverStart; // rcx 322 | __int64 v15; // rcx 323 | int v16; // er11 324 | DRIVER_OBJECT *driverObject; // [rsp+40h] [rbp-38h] MAPDST 325 | UNICODE_STRING driverName; // [rsp+48h] [rbp-30h] 326 | 327 | v4 = 0; 328 | v6 = (unsigned __int64)EACBase >> 32; 329 | if ( !import_IoDriverObjectType ) 330 | { 331 | import_IoDriverObjectType = (__int64)FindExport(&unk_46B38); 332 | if ( !import_IoDriverObjectType ) 333 | return 0; 334 | } 335 | if ( objectInfo ) 336 | { 337 | if ( moduleInfo ) 338 | { 339 | if ( a3 ) 340 | { 341 | if ( a4 ) 342 | { 343 | if ( (_DWORD)v6 ) 344 | { 345 | driverName.Buffer = (PWSTR)AllocatePool(512i64); 346 | if ( driverName.Buffer ) 347 | { 348 | driverName.Length = 0; 349 | driverName.MaximumLength = 512; 350 | if ( StringTable == 0xFFFFFFFFFFFFEE92i64 ) 351 | v11 = 0; 352 | else 353 | v11 = CopyUnicodeString(&driverName, StringTable + 0x116E);// \Driver\ 354 | if ( v11 >= 0 && (signed int)AppendUnicodeString(&driverName, objectInfo) >= 0 ) 355 | { 356 | v12 = import_ObReferenceObjectByName ? (unsigned int)import_ObReferenceObjectByName( 357 | &driverName, 358 | 576i64, 359 | 0i64, 360 | 0i64, 361 | *(_QWORD *)import_IoDriverObjectType, 362 | 0, 363 | 0i64, 364 | &driverObject) : 0xC0000002; 365 | if ( v12 >= 0 ) 366 | { 367 | driverStart = (unsigned __int64)driverObject->DriverStart; 368 | if ( driverStart 369 | && driverObject->DriverSize 370 | && driverObject->DriverSection 371 | && driverStart >> 32 == v6 372 | && !FindModuleForAddress((unsigned __int64)driverObject->DriverStart, moduleInfo) ) 373 | { 374 | *a3 = v15; 375 | *a4 = v16; 376 | v4 = 1; 377 | } 378 | ObfDereferenceObject(driverObject); 379 | } 380 | } 381 | FreePool((__int64)driverName.Buffer); 382 | } 383 | } 384 | } 385 | } 386 | } 387 | } 388 | return v4; 389 | } 390 | 391 | char __fastcall CheckUnloadedDrivers(unsigned __int16 *a1) 392 | { 393 | UNK_BUFFER2 *v1; // rsi 394 | char v2; // r12 395 | __int64 SystemTime; // rdi 396 | __int64 TickCount; // rbx 397 | signed __int64 systemTimeFromTickCount; // rbx 398 | __int64 (__fastcall *MmGetPhysicalAddress)(__int64); // rax 399 | __int64 PhysMmUnloadedDrivers; // rax 400 | __int64 unloadedDrivers; // rax MAPDST 401 | unsigned __int64 index; // r14 402 | signed __int64 addr; // rax 403 | signed __int64 decIndex; // r15 404 | WCHAR *v13; // r13 405 | USHORT nameLength; // cx 406 | PWSTR nameBuffer; // rdx 407 | signed __int64 timeSinceUnload; // rbp 408 | __int64 bufferPhys; // rax 409 | LONG v18; // eax 410 | signed __int64 v19; // r9 411 | const wchar_t *v20; // r8 412 | unsigned __int16 v21; // ax 413 | unsigned __int64 v22; // rbp 414 | signed __int64 sizeLeft; // r10 415 | unsigned __int64 v24; // rdx 416 | __int16 *curCh; // r8 417 | signed int v26; // er9 418 | __int16 v27; // cx 419 | signed __int64 v28; // r11 420 | __int16 v29; // cx 421 | __int64 v30; // r15 422 | _MM_UNLOADED_DRIVER unloadedDriver; // [rsp+30h] [rbp-188h] 423 | __int64 v33; // [rsp+60h] [rbp-158h] 424 | UNICODE_STRING name; // [rsp+70h] [rbp-148h] 425 | char printfBuffer[256]; // [rsp+80h] [rbp-138h] 426 | __int64 MmUnloadedDrivers; // [rsp+1C8h] [rbp+10h] 427 | __int64 nullbyte; // [rsp+1D0h] [rbp+18h] 428 | __int64 SystemTime2; // [rsp+1D8h] [rbp+20h] 429 | 430 | v1 = (UNK_BUFFER2 *)a1; 431 | nullbyte = 0i64; 432 | v2 = 0; 433 | if ( !FindMmUnloadedDrivers(&MmUnloadedDrivers) ) 434 | return 0; 435 | SystemTime = MEMORY[0xFFFFF78000000014]; 436 | TickCount = MEMORY[0xFFFFF78000000320]; 437 | SystemTime2 = MEMORY[0xFFFFF78000000014]; 438 | systemTimeFromTickCount = KeQueryTimeIncrement() * TickCount; 439 | if ( !sub_30C04((__int64)v1, 1024u) ) 440 | return v2; 441 | MmGetPhysicalAddress = import_MmGetPhysicalAddress; 442 | v1->bytesUsed = 0; 443 | v1->size = 1024; 444 | if ( MmGetPhysicalAddress ) 445 | PhysMmUnloadedDrivers = MmGetPhysicalAddress(MmUnloadedDrivers); 446 | else 447 | PhysMmUnloadedDrivers = qword_4DBE8; 448 | if ( !PhysMmUnloadedDrivers ) 449 | goto LABEL_68; 450 | unloadedDrivers = MapPhysicalMemory(PhysMmUnloadedDrivers, 2000i64); 451 | if ( !unloadedDrivers ) 452 | goto LABEL_68; 453 | index = 0i64; 454 | addr = unloadedDrivers + 2000; 455 | decIndex = 50i64; 456 | while ( 1 ) 457 | { 458 | --decIndex; 459 | v13 = 0i64; 460 | v33 = addr - 40; 461 | memmove(&unloadedDriver, (const void *)(addr - 40), 40ui64); 462 | nameLength = unloadedDriver.Name.Length; 463 | nameBuffer = unloadedDriver.Name.Buffer; 464 | if ( !unloadedDriver.Name.Length 465 | && !unloadedDriver.Name.MaximumLength 466 | && !unloadedDriver.Name.Buffer 467 | && !unloadedDriver.ModuleStart 468 | && !unloadedDriver.ModuleEnd 469 | && !unloadedDriver.UnloadTime ) 470 | { 471 | if ( index > 0 && !byte_4DA66 ) 472 | { 473 | SendPacketToServer(351i64, 0i64, 0i64); 474 | byte_4DA66 = 1; 475 | } 476 | goto next_entry; 477 | } 478 | ++index; 479 | timeSinceUnload = SystemTime - unloadedDriver.UnloadTime; 480 | if ( (signed __int64)(SystemTime - unloadedDriver.UnloadTime) > systemTimeFromTickCount ) 481 | break; 482 | if ( timeSinceUnload <= 36000000000i64 ) 483 | goto check_entry; 484 | next_entry: 485 | addr = v33; 486 | if ( !decIndex ) 487 | goto LABEL_63; 488 | } 489 | if ( byte_4DA67 ) 490 | { 491 | SendPacketToServer(350i64, 0i64, 0i64); 492 | nameBuffer = unloadedDriver.Name.Buffer; 493 | nameLength = unloadedDriver.Name.Length; 494 | byte_4DA67 = 1; 495 | } 496 | check_entry: 497 | if ( nameBuffer && nameLength && unloadedDriver.Name.MaximumLength ) 498 | { 499 | if ( import_MmGetPhysicalAddress ) 500 | { 501 | bufferPhys = import_MmGetPhysicalAddress(nameBuffer); 502 | nameLength = unloadedDriver.Name.Length; 503 | } 504 | else 505 | { 506 | bufferPhys = qword_4DBE8; 507 | } 508 | if ( bufferPhys && (v13 = (WCHAR *)MapPhysicalMemory(bufferPhys, nameLength)) != 0i64 ) 509 | { 510 | unloadedDriver.Name.Buffer = v13; 511 | MmUnloadedDrivers = unloadedDriver.Name.Length; 512 | } 513 | else 514 | { 515 | unloadedDriver.Name.Buffer = 0i64; 516 | unloadedDriver.Name.Length = 0; 517 | unloadedDriver.Name.MaximumLength = 0; 518 | } 519 | } 520 | v18 = CompareUnicodeStrings((__int64)&unloadedDriver, (_WORD *)(StringTable + 7242));// easyanticheat.sys 521 | v19 = unloadedDriver.ModuleEnd - unloadedDriver.ModuleStart; 522 | if ( v18 != 0 || v19 != *(_DWORD *)(qword_4E080 + 32) ) 523 | { 524 | if ( unloadedDriver.Name.Buffer && unloadedDriver.Name.Length > 0xD8u ) 525 | { 526 | unloadedDriver.Name.Length = 216; 527 | unloadedDriver.Name.Buffer[108] = 0; 528 | } 529 | v20 = (const wchar_t *)(StringTable + 7278);// %wZ 0x%X %i 530 | _mm_storeu_si128((__m128i *)&name, _mm_loadu_si128((const __m128i *)&unloadedDriver)); 531 | if ( (signed int)VsnwprintfWrapper( 532 | (wchar_t *)printfBuffer, 533 | 0x100ui64, 534 | v20, 535 | &name, 536 | v19, 537 | ((unsigned __int64)(timeSinceUnload 538 | + ((unsigned __int128)(timeSinceUnload * (signed __int128)0xD6BF94D5E57A42BDi64) >> 64)) >> 63) 539 | + ((signed __int64)(timeSinceUnload 540 | + ((unsigned __int128)(timeSinceUnload * (signed __int128)0xD6BF94D5E57A42BDi64) >> 64)) >> 23)) >= 0 541 | && !(v1->bytesUsed & 1) ) 542 | { 543 | v21 = v1->size; 544 | if ( !(v21 & 1) && v1->bytesUsed <= v21 && v21 <= 0xFFFEu && (v1->pool || !v1->bytesUsed && !v21) ) 545 | { 546 | v22 = (unsigned __int64)v1->bytesUsed >> 1; 547 | sizeLeft = 0x7FFFi64; 548 | v24 = ((unsigned __int64)v21 >> 1) - v22; 549 | curCh = (__int16 *)printfBuffer; 550 | v26 = 0; 551 | v27 = 0; 552 | if ( (unsigned __int64)v21 >> 1 == v22 ) 553 | goto LABEL_72; 554 | v28 = 2 * v22 - (_QWORD)printfBuffer + v1->pool; 555 | do 556 | { 557 | if ( !sizeLeft ) 558 | break; 559 | if ( *curCh == (_WORD)nullbyte ) 560 | break; 561 | *(__int16 *)((char *)curCh + v28) = *curCh; 562 | --v24; 563 | ++curCh; 564 | --sizeLeft; 565 | ++v27; 566 | } 567 | while ( v24 ); 568 | SystemTime = SystemTime2; 569 | if ( !v24 ) 570 | { 571 | if ( sizeLeft ) 572 | { 573 | LABEL_72: 574 | if ( *curCh ) 575 | v26 = 0x80000005; 576 | } 577 | } 578 | v29 = 2 * (v22 + v27); 579 | if ( v26 >= 0 ) 580 | v2 = 1; 581 | v1->bytesUsed = v29; 582 | } 583 | } 584 | } 585 | if ( v13 && import_MmUnmapVideoDisplay ) 586 | import_MmUnmapVideoDisplay(v13, MmUnloadedDrivers); 587 | if ( v1->bytesUsed != v1->size ) 588 | goto next_entry; 589 | LABEL_63: 590 | v30 = unloadedDrivers; 591 | if ( !index ) 592 | SendPacketToServer(349i64, 0i64, 0i64); 593 | if ( import_MmUnmapVideoDisplay ) 594 | import_MmUnmapVideoDisplay(v30, 2000i64); 595 | if ( !v2 ) 596 | LABEL_68: 597 | FreeUnicodeString(v1); 598 | return v2; 599 | } -------------------------------------------------------------------------------- /EasyAntiCheat.sys/handles.c: -------------------------------------------------------------------------------- 1 | __int64 __usercall CheckOpenedHandles@(PVOID protectedProcessID@, __int64 a2@, unsigned __int64 a3@) 2 | { 3 | char v3; // bp 4 | SYSTEM_HANDLE_INFORMATION *handleInformation; // rax MAPDST 5 | ULONG index; // esi 6 | __int64 entry; // rbx 7 | __int64 ownerProcess; // r13 8 | __int64 handle; // rbp 9 | char v12; // r15 10 | signed int v13; // ebp 11 | __int64 v14; // [rsp+20h] [rbp-88h] 12 | __int64 v15; // [rsp+28h] [rbp-80h] 13 | __int64 v16; // [rsp+30h] [rbp-78h] 14 | _PROCESS_BASIC_INFORMATION processInfo; // [rsp+40h] [rbp-68h] 15 | char v19; // [rsp+C0h] [rbp+18h] 16 | __int64 duplicatedHandle; // [rsp+C8h] [rbp+20h] 17 | 18 | v3 = 1; 19 | v19 = 1; 20 | if ( !ReportProcess ) 21 | return 0i64; 22 | handleInformation = (SYSTEM_HANDLE_INFORMATION *)QuerySystemInformation_0( 23 | 0x10u, 24 | (unsigned __int64)qword_80000, 25 | 0x1000000u, 26 | 0i64, 27 | a3); 28 | if ( !handleInformation ) 29 | return 0i64; 30 | index = 0; 31 | if ( handleInformation->Count ) 32 | { 33 | entry = (__int64)&handleInformation->Info[0].GrantedAccess; 34 | while ( 1 ) 35 | { 36 | if ( !v3 ) 37 | goto LABEL_24; 38 | if ( *(_DWORD *)(entry - 16) > 4u && *(_DWORD *)(entry - 16) != (_DWORD)protectedProcessID ) 39 | { 40 | ownerProcess = GetProcessHandleFromPID(*(unsigned int *)(entry - 0x10), 1104i64); 41 | if ( ownerProcess ) 42 | break; 43 | } 44 | LABEL_23: 45 | ++index; 46 | entry += 24i64; 47 | if ( index >= handleInformation->Count ) 48 | goto LABEL_24; 49 | } 50 | if ( !byte_4DEF2 || byte_4DEF2 == *(_BYTE *)(entry - 12) ) 51 | { 52 | a3 = __readgsqword(0x188u); 53 | handle = *(unsigned __int16 *)(entry - 0xA); 54 | v12 = GetPreviousMode(a3, a3); 55 | SetPreviousMode(0, a3, a3); 56 | if ( import_NtDuplicateObject ) 57 | { 58 | LODWORD(v16) = 2; 59 | LODWORD(v15) = 512; 60 | LODWORD(v14) = 0; 61 | v13 = import_NtDuplicateObject(ownerProcess, handle, -1i64, &duplicatedHandle, v14, v15, v16); 62 | } 63 | else 64 | { 65 | v13 = -1073741822; 66 | } 67 | SetPreviousMode(v12, a3, a3); 68 | if ( v13 >= 0 ) 69 | { 70 | if ( (signed int)QueryProcessInformation(0, duplicatedHandle, (__int64)&processInfo, 0x30u, a3, 0i64) < 0 ) 71 | { 72 | CloseHandle(duplicatedHandle, a3); 73 | } 74 | else 75 | { 76 | CloseHandle(duplicatedHandle, a3); 77 | byte_4DEF2 = *(_BYTE *)(entry - 12); 78 | if ( (PVOID)processInfo.UniqueProcessId == protectedProcessID && (unsigned int)word_E063A & *(_DWORD *)entry ) 79 | { 80 | v3 = ReportProcess( 81 | protectedProcessID, 82 | *(unsigned int *)(entry - 0x10),// handle owner PID 83 | *(unsigned __int16 *)(entry - 10),// handle 84 | *(_DWORD *)entry, // access 85 | (PVOID)a2); 86 | v19 = v3; 87 | goto LABEL_22; 88 | } 89 | } 90 | } 91 | v3 = v19; 92 | } 93 | LABEL_22: 94 | CloseHandle(ownerProcess, a3); 95 | goto LABEL_23; 96 | } 97 | LABEL_24: 98 | FreePool((__int64)handleInformation); 99 | return index; 100 | } -------------------------------------------------------------------------------- /EasyAntiCheat.sys/hiddenprocess.c: -------------------------------------------------------------------------------- 1 | __int64 FindHiddenProcess() 2 | { 3 | __int64 hiddenProcess; // rbx 4 | __int64 *processesFromThreads; // r12 5 | HANDLE *processes; // r14 6 | unsigned int *list; // r15 7 | unsigned int processFromThreadCount; // eax 8 | __int64 processFromThreadCount0; // rsi 9 | unsigned int processCount; // eax MAPDST 10 | unsigned int processIndex; // ebp MAPDST 11 | __int64 *currentProcess; // r13 12 | __int64 processFromThreadIndex; // rdi 13 | __int64 *currentProcessFromThread; // rbp 14 | __int64 pid; // r13 15 | signed int status; // eax 16 | __int64 hiddenProcessId; // r11 17 | HANDLE *v17; // rax 18 | PVOID *v18; // rdi 19 | PVOID processObject; // [rsp+50h] [rbp+8h] 20 | 21 | hiddenProcess = 0i64; 22 | processesFromThreads = (__int64 *)AllocatePool(4096i64); 23 | if ( processesFromThreads ) 24 | { 25 | processes = (HANDLE *)AllocatePool(4096i64); 26 | if ( processes ) 27 | { 28 | list = CreateUniqueList(1); 29 | if ( list ) 30 | { 31 | processFromThreadCount = Get512RunningProcessesFromThreads(processesFromThreads); 32 | processFromThreadCount0 = processFromThreadCount; 33 | if ( processFromThreadCount ) 34 | { 35 | processCount = GetRunningProcesses(processes, 512u, 0i64, 0i64); 36 | if ( processCount ) 37 | { 38 | if ( (_DWORD)processFromThreadCount0 != 512 && processCount != 512 ) 39 | { 40 | processIndex = 0; 41 | if ( processCount ) 42 | { 43 | currentProcess = (__int64 *)processes; 44 | while ( AddListEntry((__int64)list, *currentProcess, 0i64, 0) ) 45 | { 46 | ++processIndex; 47 | ++currentProcess; 48 | if ( processIndex >= processCount ) 49 | goto LABEL_12; 50 | } 51 | } 52 | else 53 | { 54 | LABEL_12: 55 | processFromThreadIndex = 0i64; 56 | if ( (_DWORD)processFromThreadCount0 ) 57 | { 58 | currentProcessFromThread = processesFromThreads; 59 | while ( 1 ) 60 | { 61 | pid = import_PsGetProcessId ? import_PsGetProcessId(*currentProcessFromThread) : 0i64; 62 | status = import_PsLookupProcessByProcessId ? (unsigned int)import_PsLookupProcessByProcessId( 63 | pid, 64 | &processObject) : 0xC0000002; 65 | if ( status < 0 ) 66 | break; 67 | ObfDereferenceObject(processObject); 68 | if ( !IsEntryPresentInList((__int64)list, pid) ) 69 | break; 70 | processFromThreadIndex = (unsigned int)(processFromThreadIndex + 1); 71 | ++currentProcessFromThread; 72 | if ( (unsigned int)processFromThreadIndex >= (unsigned int)processFromThreadCount0 ) 73 | goto LABEL_38; 74 | } 75 | hiddenProcess = processesFromThreads[processFromThreadIndex]; 76 | if ( hiddenProcess ) 77 | { 78 | processCount = GetRunningProcesses(processes, 0x200u, 0i64, 0i64); 79 | if ( processCount ) 80 | { 81 | if ( import_PsGetProcessId ) 82 | hiddenProcessId = import_PsGetProcessId(hiddenProcess); 83 | else 84 | hiddenProcessId = 0i64; 85 | processIndex = 0; 86 | if ( processCount ) 87 | { 88 | v17 = processes; 89 | while ( *v17 != (HANDLE)hiddenProcessId ) 90 | { 91 | ++processIndex; 92 | ++v17; 93 | if ( processIndex >= processCount ) 94 | goto LABEL_35; 95 | } 96 | hiddenProcess = 0i64; 97 | } 98 | LABEL_35: 99 | if ( hiddenProcess ) 100 | IsProcessExiting(hiddenProcess); 101 | } 102 | else 103 | { 104 | hiddenProcess = 0i64; 105 | } 106 | } 107 | } 108 | } 109 | } 110 | } 111 | } 112 | LABEL_38: 113 | FreeList(list); 114 | } 115 | else 116 | { 117 | processFromThreadCount0 = (unsigned int)processObject; 118 | } 119 | FreePool((__int64)processes); 120 | } 121 | else 122 | { 123 | processFromThreadCount0 = (unsigned int)processObject; 124 | } 125 | if ( (_DWORD)processFromThreadCount0 ) 126 | { 127 | v18 = (PVOID *)processesFromThreads; 128 | do 129 | { 130 | if ( *v18 != (PVOID)hiddenProcess ) 131 | ObfDereferenceObject(*v18); 132 | ++v18; 133 | --processFromThreadCount0; 134 | } 135 | while ( processFromThreadCount0 ); 136 | } 137 | FreePool((__int64)processesFromThreads); 138 | } 139 | return hiddenProcess; 140 | } 141 | 142 | __int64 __fastcall Get512RunningProcessesFromThreads(__int64 *buffer) 143 | { 144 | unsigned int processCount; // edi 145 | unsigned __int64 currentTID; // rbx 146 | __int64 list; // rsi 147 | signed int v5; // eax 148 | __int64 process; // r12 149 | PVOID threadObject; // [rsp+40h] [rbp+8h] 150 | 151 | processCount = 0; 152 | currentTID = 4i64; 153 | if ( buffer ) 154 | { 155 | if ( GetThreadProcess(__readgsqword(0x188u)) ) 156 | { 157 | list = (__int64)CreateUniqueList(1); 158 | if ( list ) 159 | { 160 | do 161 | { 162 | if ( processCount >= 512 ) 163 | break; 164 | if ( import_PsLookupThreadByThreadId ) 165 | v5 = import_PsLookupThreadByThreadId(currentTID, &threadObject); 166 | else 167 | v5 = 0xC0000002; 168 | if ( v5 >= 0 ) 169 | { 170 | process = GetThreadProcess((__int64)threadObject); 171 | if ( !IsEntryPresentInList(list, process) ) 172 | { 173 | import_ObfReferenceObject(process); 174 | *buffer = process; 175 | ++processCount; 176 | ++buffer; 177 | AddListEntry(list, process, 0i64, 0); 178 | } 179 | ObfDereferenceObject(threadObject); 180 | } 181 | currentTID += 4i64; 182 | } 183 | while ( currentTID < 0x3000 ); 184 | FreeList((PVOID)list); 185 | } 186 | } 187 | } 188 | return processCount; 189 | } 190 | 191 | __int64 __fastcall GetRunningProcesses(HANDLE *outProcesses, unsigned int maxCount, unsigned __int8 (__fastcall *callback)(__int64, __int64), __int64 a4) 192 | { 193 | unsigned int v4; // edi 194 | SYSTEM_PROCESS_INFO *processInformation; // rax MAPDST 195 | SYSTEM_PROCESS_INFO *entry; // rbx 196 | __int64 pid; // rcx 197 | 198 | v4 = 0; 199 | if ( !outProcesses || !maxCount ) 200 | return 0i64; 201 | processInformation = (SYSTEM_PROCESS_INFO *)QuerySystemInformation_0( 202 | 5u, 203 | (unsigned __int64)qword_80000, 204 | 0x1000000u, 205 | 0i64, 206 | a4); 207 | if ( processInformation ) 208 | { 209 | entry = processInformation; 210 | if ( maxCount ) 211 | { 212 | do 213 | { 214 | pid = (__int64)entry->UniqueProcessId; 215 | if ( pid && (!callback || callback(pid, a4)) ) 216 | { 217 | ++v4; 218 | *outProcesses = entry->UniqueProcessId; 219 | ++outProcesses; 220 | } 221 | if ( !entry->NextEntryOffset ) 222 | break; 223 | entry = (SYSTEM_PROCESS_INFO *)((char *)entry + entry->NextEntryOffset); 224 | } 225 | while ( v4 < maxCount ); 226 | } 227 | FreePool((__int64)processInformation); 228 | } 229 | return v4; 230 | } -------------------------------------------------------------------------------- /EasyAntiCheat.sys/hwid.c: -------------------------------------------------------------------------------- 1 | char __fastcall HWID_HashProcessorFeatures(__int64 a1) 2 | { 3 | __int64 v1; // rbx 4 | char *v3; // r11 5 | char *v4; // r8 6 | unsigned int v5; // edx 7 | _WORD *v6; // rcx 8 | char buffer[64]; // [rsp+20h] [rbp-A8h] 9 | 10 | v1 = a1; 11 | buffer[0] = 0; 12 | *(_QWORD *)&buffer[1] = 0i64; 13 | *(_QWORD *)&buffer[9] = 0i64; 14 | *(_WORD *)&buffer[17] = 0; 15 | buffer[19] = 0; 16 | *(_WORD *)&buffer[32] = 0; 17 | memset(&buffer[34], 0, 0x7Eui64); 18 | if ( !v1 ) 19 | return 0; 20 | HashSHA(0xFFFFF78000000274i64, 0x40u, (DATA_HASH_BUFFER *)buffer);// ProcessorFeatures 21 | v3 = buffer; 22 | v4 = &buffer[34]; 23 | v5 = 1; 24 | do 25 | { 26 | if ( v5 >= 0x40 ) 27 | break; 28 | v5 += 2; 29 | v6 = (_WORD *)qword_4A230[(unsigned __int8)*v3++]; 30 | *((_WORD *)v4 - 1) = *v6; 31 | *(_WORD *)v4 = v6[1]; 32 | v4 += 4; 33 | } 34 | while ( v5 < 0x29 ); 35 | return CreateUnicodeStringFromPWSTR(v1, &buffer[32]); 36 | } 37 | 38 | __int64 __fastcall HWID_GetScannedRegistryKeyName(unsigned int id) 39 | { 40 | unsigned int v1; // ecx 41 | int v2; // ecx 42 | int v3; // ecx 43 | int v4; // ecx 44 | unsigned int v6; // ecx 45 | int v7; // ecx 46 | int v8; // ecx 47 | unsigned int v9; // ecx 48 | int v10; // ecx 49 | int v11; // ecx 50 | int v12; // ecx 51 | unsigned int v13; // ecx 52 | int v14; // ecx 53 | int v15; // ecx 54 | 55 | if ( id <= 0xC ) 56 | { 57 | if ( id == 12 ) 58 | return StringTable + 3117; // \Registry\Machine\Hardware\Description\System\CentralProcessor\0 59 | if ( id > 6 ) 60 | { 61 | v6 = id - 8; 62 | if ( !v6 ) 63 | return StringTable + 2843; // SystemProductName 64 | v7 = v6 - 1; 65 | if ( !v7 ) 66 | return StringTable + 2879; // \Registry\Machine\Hardware\DeviceMap\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 67 | v8 = v7 - 1; 68 | if ( !v8 ) 69 | return StringTable + 3069; // Identifier 70 | if ( v8 == 1 ) 71 | return StringTable + 3091; // SerialNumber 72 | } 73 | else 74 | { 75 | if ( id == 6 ) 76 | return StringTable + 2805; // SystemManufacturer 77 | v1 = id - 1; 78 | if ( !v1 ) 79 | return StringTable + 2473; // \Registry\Machine\System\CurrentControlSet\Control\SystemInformation 80 | v2 = v1 - 1; 81 | if ( !v2 ) 82 | return StringTable + 2611; // ComputerHardwareId 83 | v3 = v2 - 1; 84 | if ( !v3 ) 85 | return StringTable + 2649; // \Registry\Machine\Hardware\Description\System\BIOS 86 | v4 = v3 - 1; 87 | if ( !v4 ) 88 | return StringTable + 2751; // BIOSVendor 89 | if ( v4 == 1 ) 90 | return StringTable + 2773; // BIOSReleaseDate 91 | } 92 | return 0i64; 93 | } 94 | if ( id <= 0x12 ) 95 | { 96 | if ( id == 18 ) 97 | return StringTable + 3661; // ProductId 98 | v9 = id - 13; 99 | if ( !v9 ) 100 | return StringTable + 3247; // ProcessorNameString 101 | v10 = v9 - 1; 102 | if ( !v10 ) 103 | return StringTable + 3287; // \Registry\Machine\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 104 | v11 = v10 - 1; 105 | if ( v11 ) 106 | { 107 | v12 = v11 - 1; 108 | if ( !v12 ) 109 | return StringTable + 3511; // \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion 110 | if ( v12 == 1 ) 111 | return StringTable + 3637; // InstallDate 112 | return 0i64; 113 | } 114 | return StringTable + 3489; // DriverDesc 115 | } 116 | v13 = id - 19; 117 | if ( !v13 ) 118 | return StringTable + 3681; // \Registry\Machine\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate 119 | v14 = v13 - 1; 120 | if ( !v14 ) 121 | return StringTable + 3829; // SusClientId 122 | v15 = v14 - 1; 123 | if ( v15 ) 124 | { 125 | if ( v15 != 1 ) 126 | return 0i64; 127 | return StringTable + 3489; 128 | } 129 | return StringTable + 3853; // \Registry\Machine\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001 130 | } 131 | 132 | char __fastcall QueryWMIData(const __m128i *guid0, __int64 *outBuffer) 133 | { 134 | char status; // bl 135 | _IMAGE_DOS_HEADER *IoWMIOpenBlock; // rdi 136 | __int64 v7; // rax 137 | __int128 guid1; // [rsp+20h] [rbp-28h] 138 | __int64 v1; // [rsp+58h] [rbp+10h] 139 | PVOID dataBlockObject; // [rsp+60h] [rbp+18h] 140 | 141 | status = 0; 142 | if ( !outBuffer ) 143 | return 0; 144 | IoWMIOpenBlock = (_IMAGE_DOS_HEADER *)import_IoWMIOpenBlock; 145 | if ( !import_IoWMIOpenBlock ) 146 | { 147 | IoWMIOpenBlock = FindExport((DATA_HASH_BUFFER *)&unk_46BE0); 148 | import_IoWMIOpenBlock = (__int64)IoWMIOpenBlock; 149 | if ( !IoWMIOpenBlock ) 150 | return 0; 151 | } 152 | if ( !import_IoWMIQueryAllData ) 153 | { 154 | import_IoWMIQueryAllData = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD))FindExport((DATA_HASH_BUFFER *)&unk_46BF8); 155 | if ( !import_IoWMIQueryAllData ) 156 | return 0; 157 | } 158 | _mm_storeu_si128((__m128i *)&guid1, _mm_loadu_si128(guid0)); 159 | if ( ((__int64 (__fastcall *)(__int128 *, signed __int64, PVOID *))IoWMIOpenBlock)(&guid1, 1i64, &dataBlockObject) >= 0 ) 160 | { 161 | LODWORD(v1) = 0; 162 | if ( (unsigned int)import_IoWMIQueryAllData(dataBlockObject, &v1, 0i64) == 0xC0000023 ) 163 | { 164 | v7 = AllocatePool((unsigned int)v1); 165 | *outBuffer = v7; 166 | if ( v7 ) 167 | { 168 | if ( (signed int)import_IoWMIQueryAllData(dataBlockObject, &v1, v7) < 0 ) 169 | FreePool(*outBuffer); 170 | else 171 | status = 1; 172 | } 173 | } 174 | ObfDereferenceObject(dataBlockObject); 175 | } 176 | return status; 177 | } 178 | 179 | __int64 __usercall GetMachineId@(__int64 a1@, signed int a2@) 180 | { 181 | unsigned int v2; // ebx 182 | DATA_HASH_BUFFER *v3; // rdi 183 | char v4; // al 184 | unsigned __int16 v6; // [rsp+20h] [rbp-18h] 185 | __int64 v7; // [rsp+28h] [rbp-10h] 186 | 187 | v2 = 0; 188 | v3 = (DATA_HASH_BUFFER *)a1; 189 | if ( a1 ) 190 | { 191 | if ( StringTable == 4294963241 ) 192 | v4 = 0; 193 | else // MachineId 194 | v4 = ReadRegistryUnicodeString(StringTable + 4281, (_WORD *)(StringTable + 4055), (__int64)&v6, a2);// \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows Activation Technologies\AdminObject\Store 195 | if ( v4 ) 196 | { 197 | HashSHA(v7, v6, v3); 198 | v2 = 20; 199 | FreeUnicodeString(&v6); 200 | } 201 | } 202 | return v2; 203 | } 204 | 205 | char __usercall GetNtoskrnlProductVersion@(UNICODE_STRING *outProductVersion@, signed int a2@) 206 | { 207 | char v3; // di 208 | __int64 resourceAddr; // [rsp+20h] [rbp-28h] 209 | UNICODE_STRING path; // [rsp+28h] [rbp-20h] 210 | unsigned int size; // [rsp+58h] [rbp+10h] 211 | __int64 buffer; // [rsp+60h] [rbp+18h] 212 | _IMAGE_NT_HEADERS64 *a4; // [rsp+68h] [rbp+20h] 213 | 214 | v3 = 0; 215 | if ( GetNtoskrnlPath(&path, a2) ) 216 | { 217 | if ( ReadFileW(&path, &buffer, &size) ) 218 | { 219 | if ( ValidatePeHeader((_IMAGE_DOS_HEADER *)buffer, size, 0i64, &a4) 220 | && GetResourceSection(a4, buffer, &resourceAddr, &size) ) 221 | { 222 | v3 = GetProductVersionFromResource(resourceAddr, size, outProductVersion); 223 | } 224 | if ( buffer ) 225 | FreePool(buffer); 226 | } 227 | FreeUnicodeString(&path); 228 | } 229 | return v3; 230 | } -------------------------------------------------------------------------------- /EasyAntiCheat.sys/kernelpatch.c: -------------------------------------------------------------------------------- 1 | void __usercall CheckForKernelPatches(__int64 a1@, __int64 a2@, signed int a3@) 2 | { 3 | signed int v5; // ebx 4 | _IMAGE_DOS_HEADER *ntoskrnlBase; // rbp 5 | int v7; // ebx 6 | signed int v8; // ebx 7 | bool v9; // sf 8 | unsigned int v10; // eax 9 | char v11; // [rsp+30h] [rbp-58h] 10 | __int64 v12; // [rsp+38h] [rbp-50h] 11 | _IMAGE_NT_HEADERS64 *v13; // [rsp+40h] [rbp-48h] 12 | _IMAGE_NT_HEADERS64 *a4; // [rsp+48h] [rbp-40h] 13 | UNICODE_STRING ntoskrnlPath; // [rsp+50h] [rbp-38h] 14 | char v16; // [rsp+60h] [rbp-28h] 15 | __int64 v17; // [rsp+68h] [rbp-20h] 16 | unsigned __int64 fileLength; // [rsp+A0h] [rbp+18h] 17 | _IMAGE_DOS_HEADER *fileBuffer; // [rsp+A8h] [rbp+20h] 18 | 19 | v5 = 2; 20 | ntoskrnlBase = (_IMAGE_DOS_HEADER *)GetNtoskrnlBase(); 21 | if ( ntoskrnlBase && GetNtoskrnlPath(&ntoskrnlPath, a3) ) 22 | { 23 | if ( (MEMORY[0xFFFFF7800000026C] > 6u 24 | || MEMORY[0xFFFFF7800000026C] == 6 && (MEMORY[0xFFFFF78000000270] == 2 || MEMORY[0xFFFFF78000000270] == 3)) 25 | && CompareUnicodeStrings((__int64)&ntoskrnlPath, (_WORD *)(StringTable + 4752)) )// \SystemRoot\system32\ntoskrnl.exe 26 | { 27 | v5 = 1; 28 | } 29 | else if ( ReadFileW(&ntoskrnlPath, (__int64 *)&fileBuffer, (ULONG *)&fileLength) ) 30 | { 31 | if ( (unsigned int)fileLength >= 0x1000 ) 32 | v5 = !ValidatePeHeader(ntoskrnlBase, 0x1000ui64, &fileLength, &v13) 33 | || !ValidatePeHeader(fileBuffer, 0x1000ui64, &fileLength, &a4) 34 | || v13->FileHeader.NumberOfSections != a4->FileHeader.NumberOfSections 35 | || v13->FileHeader.TimeDateStamp != a4->FileHeader.TimeDateStamp 36 | || v13->OptionalHeader.AddressOfEntryPoint != a4->OptionalHeader.AddressOfEntryPoint 37 | || v13->OptionalHeader.CheckSum != a4->OptionalHeader.CheckSum 38 | || v13->OptionalHeader.SizeOfImage != a4->OptionalHeader.SizeOfImage; 39 | if ( fileBuffer ) 40 | FreePool((__int64)fileBuffer); 41 | } 42 | FreeUnicodeString(&ntoskrnlPath); 43 | } 44 | v7 = v5 - 1; 45 | if ( !v7 ) 46 | { 47 | v8 = -1073610745; 48 | goto LABEL_47; 49 | } 50 | if ( v7 == 1 ) 51 | { 52 | v8 = -1073610744; 53 | LABEL_47: 54 | sub_33230(a2, (unsigned int)v8); 55 | return; 56 | } 57 | v8 = 0; 58 | v9 = MEMORY[0xFFFFF7800000026C] - 6 < 0; 59 | if ( MEMORY[0xFFFFF7800000026C] > 6u 60 | || MEMORY[0xFFFFF7800000026C] == 6 61 | && (MEMORY[0xFFFFF78000000270] == 2 || (v9 = MEMORY[0xFFFFF78000000270] - 3 < 0, MEMORY[0xFFFFF78000000270] == 3)) ) 62 | { 63 | if ( GetBCDData((_UNICODE_STRING *)&v16, (UNICODE_STRING *)&v11, a3) ) 64 | { 65 | if ( v12 ) 66 | { 67 | if ( CompareUnicodeStrings((__int64)&v11, (_WORD *)(StringTable + 1003))// \Windows\system32\winload.exe 68 | && CompareUnicodeStrings((__int64)&v11, (_WORD *)(StringTable + 1063)) )// \Windows\system32\winload.efi 69 | { 70 | v8 = 0xC0020010; 71 | } 72 | FreeUnicodeString(&v11); 73 | } 74 | if ( v17 ) 75 | { 76 | if ( CompareUnicodeStrings((__int64)&v16, (_WORD *)(StringTable + 1123)) )// ntoskrnl.exe 77 | v8 = 0xC0020011; 78 | FreeUnicodeString(&v16); 79 | } 80 | } 81 | else 82 | { 83 | sub_3329C(a2, 81i64, 0i64); 84 | } 85 | v9 = v8 < 0; 86 | if ( v8 ) 87 | goto LABEL_47; 88 | } 89 | sub_25ECC(a2, 1073807366i64, v9); 90 | v10 = sub_13F3C(a1, a2); 91 | if ( v10 == 0x40031000 ) 92 | sub_25BF4(0x40031000, a2, a3); 93 | else 94 | sub_33230(a2, v10); 95 | qword_4E0D0 = 0i64; 96 | qword_4E0D8 = 0i64; 97 | qword_4E0E0 = 0i64; 98 | qword_4E0E8 = 0i64; 99 | } 100 | 101 | char __usercall GetBCDData@(_UNICODE_STRING *a1@, UNICODE_STRING *a2@, signed int a3@) 102 | { 103 | char v3; // di 104 | _UNICODE_STRING *v4; // rsi 105 | UNICODE_STRING *v5; // rbp 106 | __int64 globalDataTable; // rbx 107 | __int64 v7; // rdx 108 | unsigned __int16 v9; // [rsp+20h] [rbp-128h] 109 | void *Src; // [rsp+28h] [rbp-120h] 110 | __m128i v11; // [rsp+30h] [rbp-118h] 111 | char Dst; // [rsp+40h] [rbp-108h] 112 | char v13; // [rsp+8Ch] [rbp-BCh] 113 | __int128 v14; // [rsp+ECh] [rbp-5Ch] 114 | __int16 v15; // [rsp+FCh] [rbp-4Ch] 115 | 116 | v3 = 0; 117 | v4 = a1; 118 | v5 = a2; 119 | if ( !a2 || !a1 ) 120 | return 0; 121 | *(_QWORD *)&a2->Length = 0i64; 122 | a2->Buffer = 0i64; 123 | *(_QWORD *)&a1->Length = 0i64; 124 | a1->Buffer = 0i64; 125 | if ( QuerySystemBootEnvironmentInformation(&v11, a3) && sub_12080((unsigned __int8 *)&v11, (__int64)&v9) ) 126 | { 127 | globalDataTable = StringTable; 128 | v15 = 0; 129 | memmove(&Dst, (const void *)(StringTable + 188), 0xBCui64);// \Registry\Machine\BCD00000000\Objects\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\Elements\xxxxxxxx 130 | memmove(&v13, Src, v9); 131 | _mm_storeu_si128((__m128i *)&v14, _mm_loadu_si128((const __m128i *)(globalDataTable + 378))); 132 | ReadRegistryUnicodeString(globalDataTable + 396, &Dst, (__int64)v5, a3); 133 | v7 = StringTable + 396; 134 | _mm_storeu_si128((__m128i *)&v14, _mm_loadu_si128((const __m128i *)(StringTable + 412))); 135 | ReadRegistryUnicodeString(v7, &Dst, (__int64)v4, a3); 136 | FreeUnicodeString(&v9); 137 | } 138 | if ( v5->Buffer || v4->Buffer ) 139 | v3 = 1; 140 | return v3; 141 | } -------------------------------------------------------------------------------- /EasyAntiCheat.sys/mac.c: -------------------------------------------------------------------------------- 1 | char __fastcall HWID_GetMacAddress(int a1, __int64 a2) 2 | { 3 | char v2; // bl 4 | char v6; // [rsp+30h] [rbp-18h] 5 | 6 | v2 = 0; 7 | v6 = 0; 8 | if ( !a2 || a1 != 6 ) 9 | return 0; 10 | if ( GetFirstNetworkDeviceMacAddress((__int64)&GUID_DEVINTERFACE_NET, (HWIDBuffer *)&a1) ) 11 | { 12 | if ( v6 ) 13 | v2 = 1; 14 | } 15 | return v2; 16 | } 17 | 18 | char __fastcall GetFirstNetworkDeviceMacAddress(__int64 deviceGuid, HWIDBuffer *hwidBuffer) 19 | { 20 | char notFound; // bl 21 | __int64 index; // r12 MAPDST 22 | signed int status; // eax 23 | _WORD *it; // rbp MAPDST 24 | signed __int64 invertedSize; // rcx MAPDST 25 | _WORD *tempIt; // rdi MAPDST 26 | bool isNull; // zf 27 | char v20; // dl 28 | UNICODE_STRING symbolicLink; // [rsp+20h] [rbp-38h] 29 | PVOID symbolicLinks; // [rsp+70h] [rbp+18h] 30 | 31 | notFound = 1; 32 | index = 0i64; 33 | if ( !GetAdapterMacAddressWrapper || KeGetCurrentIrql() ) 34 | return 0; 35 | status = import_IoGetDeviceInterfaces ? (unsigned int)import_IoGetDeviceInterfaces( 36 | deviceGuid, 37 | 0i64, 38 | 0i64, 39 | &symbolicLinks) : 0xC0000002; 40 | if ( status < 0 ) 41 | return 0; 42 | do 43 | { 44 | it = (char *)symbolicLinks + 2 * index; 45 | if ( !*it ) 46 | break; 47 | invertedSize = -1i64; 48 | tempIt = (char *)symbolicLinks + 2 * index; 49 | do 50 | { 51 | if ( !invertedSize ) 52 | break; 53 | isNull = *tempIt == 0; 54 | ++tempIt; 55 | --invertedSize; 56 | } 57 | while ( !isNull ); 58 | if ( strstrIgnoreCaseW((_WORD *)symbolicLinks + index, (unsigned __int16 *)(StringTable + 828), ~invertedSize - 1) != it )// \??\PCI 59 | goto LABEL_16; 60 | InitializeUnicodeStringWithCStr(&symbolicLink, it); 61 | if ( !hwidBuffer ) 62 | goto LABEL_15; 63 | if ( GetAdapterMacAddress(hwidBuffer->hwidType, &symbolicLink, hwidBuffer->uniqueIdentifier) == 1 ) 64 | { 65 | hwidBuffer->found = 1; 66 | LABEL_15: 67 | notFound = 0; 68 | goto LABEL_16; 69 | } 70 | notFound = 1; 71 | LABEL_16: 72 | invertedSize = -1i64; 73 | tempIt = (char *)symbolicLinks + 2 * index; 74 | do 75 | { 76 | if ( !invertedSize ) 77 | break; 78 | isNull = *tempIt == 0; 79 | ++tempIt; 80 | --invertedSize; 81 | } 82 | while ( !isNull ); 83 | index += ~invertedSize; 84 | } 85 | while ( notFound ); 86 | for ( index = 0i64; notFound; index += ~invertedSize ) 87 | { 88 | it = (char *)symbolicLinks + 2 * index; 89 | if ( !*it ) 90 | break; 91 | invertedSize = -1i64; 92 | tempIt = (char *)symbolicLinks + 2 * index; 93 | do 94 | { 95 | if ( !invertedSize ) 96 | break; 97 | isNull = *tempIt == 0; 98 | ++tempIt; 99 | --invertedSize; 100 | } 101 | while ( !isNull ); 102 | if ( strstrIgnoreCaseW((_WORD *)symbolicLinks + index, (unsigned __int16 *)(StringTable + 844), ~invertedSize - 1) == it )// \??\USB 103 | { 104 | InitializeUnicodeStringWithCStr(&symbolicLink, it); 105 | if ( hwidBuffer ) 106 | { 107 | if ( GetAdapterMacAddress(hwidBuffer->hwidType, &symbolicLink, hwidBuffer->uniqueIdentifier) != 1 ) 108 | { 109 | notFound = 1; 110 | goto LABEL_31; 111 | } 112 | hwidBuffer->found = 1; 113 | } 114 | notFound = 0; 115 | } 116 | LABEL_31: 117 | invertedSize = -1i64; 118 | tempIt = (char *)symbolicLinks + 2 * index; 119 | do 120 | { 121 | if ( !invertedSize ) 122 | break; 123 | isNull = *tempIt == 0; 124 | ++tempIt; 125 | --invertedSize; 126 | } 127 | while ( !isNull ); 128 | } 129 | index = 0i64; 130 | if ( notFound ) 131 | { 132 | while ( 1 ) 133 | { 134 | it = (char *)symbolicLinks + 2 * index; 135 | if ( !*it ) 136 | goto LABEL_46; 137 | InitializeUnicodeStringWithCStr(&symbolicLink, it); 138 | if ( !hwidBuffer ) 139 | goto LABEL_41; 140 | if ( GetAdapterMacAddress(hwidBuffer->hwidType, &symbolicLink, hwidBuffer->uniqueIdentifier) == 1 ) 141 | break; 142 | v20 = 1; 143 | LABEL_42: 144 | invertedSize = -1i64; 145 | tempIt = (char *)symbolicLinks + 2 * index; 146 | do 147 | { 148 | if ( !invertedSize ) 149 | break; 150 | isNull = *tempIt == 0; 151 | ++tempIt; 152 | --invertedSize; 153 | } 154 | while ( !isNull ); 155 | index += ~invertedSize; 156 | if ( !v20 ) 157 | goto LABEL_46; 158 | } 159 | hwidBuffer->found = 1; 160 | LABEL_41: 161 | v20 = 0; 162 | goto LABEL_42; 163 | } 164 | LABEL_46: 165 | ExFreePoolWithTag(symbolicLinks, 0); 166 | return 1; 167 | } 168 | 169 | char __fastcall GetAdapterMacAddress(__int64 a1, UNICODE_STRING *deviceName, UNICODE_STRING *outMacAddress) 170 | { 171 | char result; // al 172 | char status1; // r13 173 | int macCrc32; // ebp 174 | __int64 v8; // rbx 175 | char v10; // r12 176 | signed int status; // edi 177 | int *v12; // rax 178 | int v13; // ecx 179 | int *v14; // rax 180 | int v15; // ecx 181 | int *v16; // rax 182 | int v17; // ecx 183 | int *v18; // rax 184 | int v19; // ecx 185 | int *v20; // rax 186 | int v21; // ecx 187 | int *v22; // rax 188 | char *addrNtDeviceIoControlFile; // rax MAPDST 189 | int v24; // edi MAPDST 190 | char checksPassed; // si 191 | int status0; // eax 192 | int *v29; // rax 193 | int v30; // ecx 194 | int *v31; // rax 195 | int v32; // ecx 196 | int *v33; // rax 197 | int v34; // ecx 198 | int *v35; // rax 199 | int v36; // ecx 200 | int *v37; // rax 201 | int v38; // ecx 202 | int *v39; // rax 203 | __int64 ioctl; // [rsp+28h] [rbp-100h] 204 | __int64 inputSize; // [rsp+38h] [rbp-F0h] 205 | __int64 inputSize2; // [rsp+40h] [rbp-E8h] 206 | PVOID outputSize; // [rsp+48h] [rbp-E0h] 207 | unsigned __int8 macAddress[6]; // [rsp+60h] [rbp-C8h] 208 | HANDLE fileHandle; // [rsp+68h] [rbp-C0h] MAPDST 209 | int v46; // [rsp+70h] [rbp-B8h] 210 | __int16 v47; // [rsp+74h] [rbp-B4h] 211 | int v48; // [rsp+76h] [rbp-B2h] 212 | __int16 v49; // [rsp+7Ah] [rbp-AEh] 213 | int v50; // [rsp+7Ch] [rbp-ACh] 214 | __int16 v51; // [rsp+80h] [rbp-A8h] 215 | int v52; // [rsp+82h] [rbp-A6h] 216 | __int16 v53; // [rsp+86h] [rbp-A2h] 217 | int v54; // [rsp+88h] [rbp-A0h] 218 | __int16 v55; // [rsp+8Ch] [rbp-9Ch] 219 | int v56; // [rsp+8Eh] [rbp-9Ah] 220 | __int16 v57; // [rsp+92h] [rbp-96h] 221 | __int64 outValue; // [rsp+B0h] [rbp-78h] 222 | __int64 addedBytes; // [rsp+B8h] [rbp-70h] MAPDST 223 | struct _IO_STATUS_BLOCK statusBlock; // [rsp+C0h] [rbp-68h] 224 | OBJECT_ATTRIBUTES objectAttributes; // [rsp+D0h] [rbp-58h] 225 | int objectId; // [rsp+138h] [rbp+10h] 226 | 227 | result = 0; 228 | objectId = 0x1010101; // OID_802_3_PERMANENT_ADDRESS 229 | status1 = 0; 230 | macAddress[0] = 0; 231 | *(_DWORD *)&macAddress[1] = 0; 232 | macAddress[5] = 0; 233 | macCrc32 = 0; 234 | if ( deviceName 235 | && deviceName->Buffer 236 | && deviceName->Length 237 | && deviceName->MaximumLength 238 | && outMacAddress 239 | && (_DWORD)a1 == 6 ) 240 | { 241 | if ( !KeGetCurrentIrql() && !(unsigned __int8)import_KeAreAllApcsDisabled(a1) ) 242 | { 243 | objectAttributes.Length = 48; 244 | objectAttributes.RootDirectory = 0i64; 245 | objectAttributes.Attributes = 512; 246 | objectAttributes.ObjectName = deviceName; 247 | objectAttributes.SecurityDescriptor = 0i64; 248 | objectAttributes.SecurityQualityOfService = 0i64; 249 | if ( ZwCreateFile(&fileHandle, 0x120089u, &objectAttributes, &statusBlock, 0i64, 0x80u, 7u, 1u, 0x20u, 0i64, 0) < 0 ) 250 | return status1; 251 | v8 = __readgsqword(0x188u); 252 | v10 = GetPreviousMode(v8, 0); 253 | SetPreviousMode(0, v8, 0); 254 | if ( import_NtDeviceIoControlFile ) 255 | { 256 | LODWORD(outputSize) = 6; 257 | LODWORD(inputSize) = 4; 258 | LODWORD(ioctl) = 0x170002; // IOCTL_NDIS_QUERY_GLOBAL_STATS 259 | status = import_NtDeviceIoControlFile( 260 | fileHandle, 261 | 0i64, 262 | 0i64, 263 | 0i64, 264 | &statusBlock, 265 | ioctl, 266 | &objectId, 267 | inputSize, 268 | macAddress, 269 | outputSize); 270 | } 271 | else 272 | { 273 | status = 0xC0000002; 274 | } 275 | SetPreviousMode(v10, v8, 0); 276 | if ( status >= 0 ) 277 | { 278 | v12 = (int *)qword_4A230[macAddress[0]]; 279 | v47 = '-'; 280 | v49 = '-'; 281 | v13 = *v12; 282 | v51 = '-'; 283 | v14 = (int *)qword_4A230[macAddress[1]]; 284 | v46 = v13; 285 | v53 = '-'; 286 | v15 = *v14; 287 | v55 = '-'; 288 | v16 = (int *)qword_4A230[macAddress[2]]; 289 | v48 = v15; 290 | v57 = 0; 291 | v17 = *v16; 292 | v18 = (int *)qword_4A230[macAddress[3]]; 293 | v50 = v17; 294 | v19 = *v18; 295 | v20 = (int *)qword_4A230[macAddress[4]]; 296 | v52 = v19; 297 | v21 = *v20; 298 | v22 = (int *)qword_4A230[macAddress[5]]; 299 | v54 = v21; 300 | v56 = *v22; 301 | status1 = CreateUnicodeStringFromPWSTR((__int64)outMacAddress, &v46); 302 | if ( status1 ) 303 | { 304 | addrNtDeviceIoControlFile = (char *)GetNtDeviceIoControlFileAddress(); 305 | v24 = sub_1705C(addrNtDeviceIoControlFile, 0x10i64, &addedBytes); 306 | if ( v24 && addedBytes ) 307 | { 308 | checksPassed = 0; 309 | addrNtDeviceIoControlFile = (char *)GetNtDeviceIoControlFileAddress(); 310 | if ( addrNtDeviceIoControlFile ) 311 | { 312 | if ( v24 == 0x1290373 313 | && (unsigned int)sub_1705C((char *)CallNtDeviceIoControlFilePlus10, addedBytes, &outValue) == 0x1290373 314 | && outValue == addedBytes ) 315 | { 316 | checksPassed = 1; 317 | NtDeviceIoControlFilePlus10 = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD, _QWORD))&addrNtDeviceIoControlFile[addedBytes]; 318 | } 319 | } 320 | else 321 | { 322 | checksPassed = 0; 323 | } 324 | if ( checksPassed ) 325 | { 326 | if ( v24 != 0x1290373 ) 327 | { 328 | if ( !byte_4D8AB ) 329 | { 330 | SendPacketToServer(353i64, (__int64)&v24, 4i64); 331 | byte_4D8AB = 1; 332 | } 333 | goto LABEL_37; 334 | } 335 | macCrc32 = HashCRC32((char *)macAddress, 6u, 0); 336 | LODWORD(inputSize2) = 4; 337 | status0 = CallNtDeviceIoControlFilePlus10_KernelMode( 338 | (__int64)fileHandle, 339 | 0, 340 | 0, 341 | (__int64)&statusBlock, 342 | 0x170002, 343 | (unsigned __int64)&objectId, 344 | inputSize2, 345 | (unsigned __int64)macAddress); 346 | goto LABEL_30; 347 | } 348 | } 349 | if ( !byte_4D8AA ) 350 | { 351 | SendPacketToServer(352i64, 0i64, 0i64); 352 | status0 = objectId; 353 | byte_4D8AA = 1; 354 | LABEL_30: 355 | if ( macCrc32 ) 356 | { 357 | if ( status0 >= 0 ) 358 | { 359 | if ( macCrc32 != (unsigned int)HashCRC32((char *)macAddress, 6u, 0) && !byte_4DA64 ) 360 | { 361 | v29 = (int *)qword_4A230[macAddress[0]]; 362 | v47 = 45; 363 | v30 = *v29; 364 | v49 = 45; 365 | v31 = (int *)qword_4A230[macAddress[1]]; 366 | v46 = v30; 367 | v51 = 45; 368 | v32 = *v31; 369 | v53 = 45; 370 | v33 = (int *)qword_4A230[macAddress[2]]; 371 | v48 = v32; 372 | v55 = 45; 373 | v34 = *v33; 374 | v35 = (int *)qword_4A230[macAddress[3]]; 375 | v50 = v34; 376 | v57 = 0; 377 | v36 = *v35; 378 | v37 = (int *)qword_4A230[macAddress[4]]; 379 | v52 = v36; 380 | v38 = *v37; 381 | v39 = (int *)qword_4A230[macAddress[5]]; 382 | v54 = v38; 383 | v56 = *v39; 384 | SendPacketToServer(354i64, (__int64)&v46, 64i64); 385 | byte_4DA64 = 1; 386 | } 387 | } 388 | else if ( !byte_4DA65 ) 389 | { 390 | SendPacketToServer(355i64, (__int64)&v24, 4i64); 391 | byte_4DA65 = 1; 392 | } 393 | } 394 | goto LABEL_37; 395 | } 396 | } 397 | } 398 | LABEL_37: 399 | CloseHandle((__int64)fileHandle, 0); 400 | return status1; 401 | } 402 | result = 0; 403 | } 404 | return result; 405 | } -------------------------------------------------------------------------------- /EasyAntiCheat.sys/physmem.c: -------------------------------------------------------------------------------- 1 | bool __fastcall CheckForPhysicalHandle(_DWORD *a1) 2 | { 3 | SYSTEM_HANDLE_INFORMATION *systemHandleInformation; // r12 4 | signed int v4; // er11 5 | PVOID v5; // rax 6 | unsigned __int64 index; // rbp 7 | PVOID sectionObjectType; // rcx 8 | char v8; // r13 9 | SYSTEM_HANDLE_TABLE_ENTRY_INFO *entry; // rsi 10 | char v10; // si 11 | char v11; // r13 12 | _UNICODE_STRING *v12; // rdx 13 | char v13; // al 14 | UNICODE_STRING v14; // [rsp+30h] [rbp-88h] 15 | UNICODE_STRING a1a; // [rsp+40h] [rbp-78h] 16 | char v16; // [rsp+50h] [rbp-68h] 17 | OBJECT_ATTRIBUTES ObjectAttributes; // [rsp+60h] [rbp-58h] 18 | HANDLE SectionHandle; // [rsp+C0h] [rbp+8h] 19 | 20 | if ( !a1 ) 21 | return 0; 22 | memset(a1, 0, 0x20ui64); 23 | if ( !import_ObIsKernelHandle || _InterlockedCompareExchange(&dword_4D8B0, 1, 0) ) 24 | return 0; 25 | systemHandleInformation = (SYSTEM_HANDLE_INFORMATION *)QuerySystemInformation_0( 26 | 0x10u, 27 | (unsigned __int64)qword_80000, 28 | 0x1000000u, 29 | 0i64, 30 | 1); 31 | if ( !systemHandleInformation ) 32 | goto LABEL_43; 33 | InitializeUnicodeStringWithCStr(&a1a, (_WORD *)(StringTable + 7061));// \Device\PhysicalMemory 34 | ObjectAttributes.ObjectName = &a1a; 35 | ObjectAttributes.Length = 48; 36 | ObjectAttributes.RootDirectory = 0i64; 37 | ObjectAttributes.Attributes = 576; 38 | ObjectAttributes.SecurityDescriptor = 0i64; 39 | ObjectAttributes.SecurityQualityOfService = 0i64; 40 | if ( ZwOpenSection(&SectionHandle, 1u, &ObjectAttributes) >= 0 ) 41 | { 42 | if ( import_ObReferenceObjectByHandle ) 43 | v4 = import_ObReferenceObjectByHandle(SectionHandle, 1i64, 0i64); 44 | else 45 | v4 = 0xC0000002; 46 | v5 = SectionObjectType; 47 | if ( v4 < 0 ) 48 | v5 = 0i64; 49 | SectionObjectType = v5; 50 | ZwClose(SectionHandle); 51 | } 52 | index = 0i64; 53 | if ( systemHandleInformation->Count <= 0 ) 54 | goto LABEL_39; 55 | sectionObjectType = SectionObjectType; 56 | v8 = 0; 57 | entry = systemHandleInformation->Info; 58 | while ( 1 ) 59 | { 60 | if ( entry->Object != sectionObjectType || !sectionObjectType || entry->ProcessId == 4 ) 61 | goto LABEL_20; 62 | if ( !(unsigned __int8)import_ObIsKernelHandle(entry->Handle) ) 63 | break; 64 | sectionObjectType = SectionObjectType; 65 | LABEL_20: 66 | ++index; 67 | ++entry; 68 | if ( index >= systemHandleInformation->Count ) 69 | goto LABEL_40; 70 | } 71 | if ( entry->ProcessId ) 72 | v10 = GetProcessImageFileName(&v14, entry->ProcessId, 1); 73 | else 74 | v10 = 0; 75 | if ( v10 ) 76 | v8 = sub_289F0(&v14.Length, (__int64)&v16); 77 | v11 = -v8; 78 | v12 = (_UNICODE_STRING *)((unsigned __int64)&v16 & -(signed __int64)(v11 != 0)); 79 | if ( !a1[1] ) 80 | { 81 | *(_BYTE *)a1 = 1; 82 | a1[1] = 13; 83 | if ( v12 ) 84 | { 85 | if ( *(_QWORD *)(((unsigned __int64)&v16 & -(signed __int64)(v11 != 0)) + 8) 86 | && v12->Length 87 | && *(_WORD *)(((unsigned __int64)&v16 & -(signed __int64)(v11 != 0)) + 2) 88 | && !*((_BYTE *)a1 + 8) ) 89 | { 90 | if ( a1 == (_DWORD *)-16i64 ) 91 | v13 = 0; 92 | else 93 | v13 = AllocateCopyUnicodeString((__int64)(a1 + 4), v12); 94 | *((_BYTE *)a1 + 8) = v13; 95 | } 96 | } 97 | } 98 | if ( v10 ) 99 | FreeUnicodeString(&v14); 100 | LABEL_39: 101 | sectionObjectType = SectionObjectType; 102 | LABEL_40: 103 | if ( sectionObjectType ) 104 | { 105 | ObfDereferenceObject(sectionObjectType); 106 | SectionObjectType = 0i64; 107 | } 108 | FreePool((__int64)systemHandleInformation); 109 | LABEL_43: 110 | _InterlockedExchange(&dword_4D8B0, 0); 111 | return a1[1] != 0; 112 | } -------------------------------------------------------------------------------- /EasyAntiCheat.sys/pooltags.c: -------------------------------------------------------------------------------- 1 | bool __usercall CheckForBannedPooltags@(signed int a1@) 2 | { 3 | signed int v1; // ebx 4 | SYSTEM_POOLTAG_INFORMATION *pooltagInformation; // rax 5 | ULONG v3; // edx 6 | __int64 entry; // rcx 7 | 8 | v1 = 0; 9 | pooltagInformation = (SYSTEM_POOLTAG_INFORMATION *)QuerySystemInformation_0(0x16u, 0x10000u, 0x100000u, 0i64, a1); 10 | if ( pooltagInformation ) 11 | { 12 | v3 = 0; 13 | if ( pooltagInformation->Count > 0 ) 14 | { 15 | entry = (__int64)&pooltagInformation->TagInfo[0].PagedAllocs; 16 | do 17 | { 18 | if ( v1 == 3 ) 19 | break; 20 | if ( *(_DWORD *)(entry - 4) != 'rcIC' || *(_DWORD *)entry <= *(_DWORD *)(entry + 4) ) 21 | { 22 | if ( *(_DWORD *)(entry - 4) == 'csIC' && *(_DWORD *)entry > *(_DWORD *)(entry + 4) ) 23 | v1 |= 2u; 24 | } 25 | else 26 | { 27 | v1 |= 1u; 28 | } 29 | ++v3; 30 | entry += 40i64; 31 | } 32 | while ( v3 < pooltagInformation->Count ); 33 | } 34 | FreePool((__int64)pooltagInformation); 35 | } 36 | else 37 | { 38 | v1 = 3; 39 | } 40 | return v1 == 3; 41 | } -------------------------------------------------------------------------------- /EasyAntiCheat.sys/process.c: -------------------------------------------------------------------------------- 1 | char __usercall CheckProcess@(__int64 a1@, unsigned int *buffer@, int a3@) 2 | { 3 | __int64 *v4; // rdi 4 | char result; // al 5 | char *v6; // rcx 6 | signed int v7; // eax 7 | __int64 v8; // rdx 8 | __int64 v9; // rcx 9 | __int64 v11; // rcx 10 | char *v12; // r9 11 | unsigned __int64 v13; // rdx 12 | _DWORD *v14; // rdx 13 | char v15; // [rsp+20h] [rbp-48h] 14 | char v16; // [rsp+30h] [rbp-38h] 15 | PVOID process; // [rsp+78h] [rbp+10h] MAPDST 16 | 17 | v15 = 0; 18 | v4 = 0i64; 19 | if ( !buffer ) 20 | return 0; 21 | v6 = (char *)buffer + 15; 22 | if ( v6 < (char *)buffer || (unsigned __int64)v6 >= MmUserProbeAddress ) 23 | { 24 | ExRaiseAccessViolation(v6, a1); 25 | result = 0; 26 | } 27 | else if ( *buffer && *(_QWORD *)(buffer + 1) && buffer[3] ) 28 | { 29 | if ( import_PsLookupProcessByProcessId ) 30 | v7 = import_PsLookupProcessByProcessId(*buffer, &process); 31 | else 32 | v7 = 0xC0000002; 33 | if ( v7 >= 0 ) 34 | { 35 | if ( AttachToProcess((__int64)process, (__int64)&v16) ) 36 | { 37 | LOBYTE(v9) = 1; 38 | v4 = (__int64 *)CheckCurrentProcess(v9, v8); 39 | if ( process ) 40 | DetachFromProcess((__int64)process, (__int64)&v16, (char)v4, a3); 41 | } 42 | ObfDereferenceObject(process); 43 | } 44 | if ( v4 ) 45 | { 46 | v11 = buffer[3]; 47 | v12 = *(char **)(buffer + 1); 48 | if ( buffer[3] ) 49 | { 50 | v13 = (unsigned __int64)&v12[v11 - 1]; 51 | if ( v13 < (unsigned __int64)v12 || v13 >= MmUserProbeAddress ) 52 | ExRaiseAccessViolation(v11, v13); 53 | } 54 | v14 = (_DWORD *)*v4; 55 | if ( *(_DWORD *)*v4 < (unsigned int)v11 ) 56 | LODWORD(v11) = *v14; 57 | memmove(v12, v14, (unsigned int)v11); 58 | v15 = 1; 59 | sub_20430(v4); 60 | } 61 | result = v15; 62 | } 63 | else 64 | { 65 | result = 0; 66 | } 67 | return result; 68 | } 69 | 70 | UNK_BUFFER3 *__fastcall CheckCurrentProcess(__int64 a1, __int64 a2) 71 | { 72 | char v3; // r14 MAPDST 73 | __int64 currentProcess; // rax MAPDST 74 | UNK_BUFFER3 *buffer; // rax MAPDST 75 | _IMAGE_DOS_HEADER *v8; // rax 76 | _IMAGE_DOS_HEADER *v9; // rax 77 | unsigned int processFlags; // esi 78 | _IMAGE_DOS_HEADER *baseAddress; // rbx 79 | __int64 v12; // rdx 80 | bool v13; // al 81 | __int64 v14; // rdx 82 | __int64 v15; // rcx 83 | __int64 currentProcess2; // rax MAPDST 84 | __int64 currentProcessID2; // rax 85 | bool v19; // cf 86 | int v20; // eax 87 | bool v21; // cf 88 | int v22; // eax 89 | bool v23; // cf 90 | int v24; // eax 91 | bool v25; // cf 92 | int v26; // eax 93 | bool v27; // cf 94 | int v28; // eax 95 | __int64 parentPID; // rax 96 | signed int v30; // eax 97 | PVOID v31; // rcx 98 | char v32; // al 99 | char v33; // al 100 | UNICODE_STRING *v34; // r13 101 | __int64 v35; // rdx 102 | _IMAGE_DOS_HEADER *v36; // rax 103 | unsigned __int64 v37; // rcx 104 | unsigned __int16 *v38; // rbx 105 | int v39; // eax 106 | unsigned int *v40; // rax 107 | char filename; // [rsp+50h] [rbp-38h] 108 | unsigned __int16 v43; // [rsp+58h] [rbp-30h] 109 | unsigned __int8 v44; // [rsp+5Ah] [rbp-2Eh] 110 | unsigned __int16 v45; // [rsp+5Ch] [rbp-2Ch] 111 | unsigned int v46; // [rsp+98h] [rbp+10h] 112 | PVOID parentProcess; // [rsp+A0h] [rbp+18h] 113 | __int64 currentProcessID; // [rsp+A8h] [rbp+20h] 114 | 115 | v3 = a1; 116 | v3 = 0; 117 | currentProcess = import_PsGetCurrentProcess(a1, a2); 118 | if ( import_PsGetProcessId ) 119 | currentProcessID = import_PsGetProcessId(currentProcess); 120 | else 121 | currentProcessID = 0i64; 122 | buffer = (UNK_BUFFER3 *)AllocatePool(816i64); 123 | if ( !buffer ) 124 | goto LABEL_99; 125 | memset(buffer, 0, 0x330ui64); 126 | v8 = (_IMAGE_DOS_HEADER *)GetProcessBaseAddress(currentProcess); 127 | buffer->base_address = v8; 128 | if ( !v8 ) 129 | { 130 | v9 = (_IMAGE_DOS_HEADER *)GetUsermodeModule(0i64); 131 | buffer->base_address = v9; 132 | if ( !v9 ) 133 | goto LABEL_99; 134 | } 135 | if ( IsWin32ConsoleSubsystem(currentProcess) ) 136 | { 137 | processFlags = 0x8001; 138 | } 139 | else if ( HasComDescriptor(buffer->base_address) ) 140 | { 141 | processFlags = 9; 142 | } 143 | else if ( GetUsermodeModule((UNICODE_STRING *)(StringTable + 5202)) )// msvbvm60.dll 144 | { 145 | processFlags = 17; 146 | } 147 | else 148 | { 149 | processFlags = 1; 150 | if ( GetUsermodeModule((UNICODE_STRING *)(StringTable + 4894)) )// perl512.dll 151 | processFlags = 4097; 152 | } 153 | baseAddress = buffer->base_address; 154 | v13 = IsDbgUiRemoteBreakinPatchedToCallLdrShutdownProcess() || HasBlankNamedSections((__int64)baseAddress, v12); 155 | if ( v13 ) 156 | processFlags |= 0x20u; 157 | if ( IsObufuscatedByVMP((__int64)buffer->base_address, v12) )// check for .vmp0 section 158 | processFlags |= 0x40u; 159 | currentProcess2 = import_PsGetCurrentProcess(v15, v14); 160 | if ( import_PsGetProcessId ) 161 | currentProcessID2 = import_PsGetProcessId(currentProcess2); 162 | else 163 | currentProcessID2 = 0i64; 164 | if ( !IsProtectedGameProcessMaybe(currentProcessID2) && GetProcessFileName(currentProcess2, &filename) ) 165 | { 166 | v19 = *(_QWORD *)&filename < *(_QWORD *)(StringTable + 5148);// dllhost.exe 167 | if ( *(_QWORD *)&filename != *(_QWORD *)(StringTable + 5148) 168 | || (v19 = v43 < *(_WORD *)(StringTable + 5156), v43 != *(_WORD *)(StringTable + 5156)) 169 | || (v19 = v44 < *(_BYTE *)(StringTable + 5158), v44 != *(_BYTE *)(StringTable + 5158)) ) 170 | { 171 | v20 = -v19 - (v19 - 1); 172 | } 173 | else 174 | { 175 | v20 = 0; 176 | } 177 | if ( !v20 ) 178 | goto processname_matched; 179 | v21 = *(_QWORD *)&filename < *(_QWORD *)(StringTable + 4545);// svchost.exe 180 | if ( *(_QWORD *)&filename != *(_QWORD *)(StringTable + 4545) 181 | || (v21 = v43 < *(_WORD *)(StringTable + 4553), v43 != *(_WORD *)(StringTable + 4553)) 182 | || (v21 = v44 < *(_BYTE *)(StringTable + 4555), v44 != *(_BYTE *)(StringTable + 4555)) ) 183 | { 184 | v22 = -v21 - (v21 - 1); 185 | } 186 | else 187 | { 188 | v22 = 0; 189 | } 190 | if ( !v22 ) 191 | goto processname_matched; 192 | v23 = *(_QWORD *)&filename < *(_QWORD *)(StringTable + 5160);// taskhost.exe 193 | if ( *(_QWORD *)&filename != *(_QWORD *)(StringTable + 5160) 194 | || (v23 = *(_DWORD *)&v43 < *(_DWORD *)(StringTable + 5168), *(_DWORD *)&v43 != *(_DWORD *)(StringTable + 5168)) ) 195 | { 196 | v24 = -v23 - (v23 - 1); 197 | } 198 | else 199 | { 200 | v24 = 0; 201 | } 202 | if ( !v24 ) 203 | goto processname_matched; 204 | v25 = *(_QWORD *)&filename < *(_QWORD *)(StringTable + 5173);// taskhostex.exe 205 | if ( *(_QWORD *)&filename != *(_QWORD *)(StringTable + 5173) 206 | || (v25 = *(_DWORD *)&v43 < *(_DWORD *)(StringTable + 5181), *(_DWORD *)&v43 != *(_DWORD *)(StringTable + 5181)) 207 | || (v25 = v45 < *(_WORD *)(StringTable + 5185), v45 != *(_WORD *)(StringTable + 5185)) ) 208 | { 209 | v26 = -v25 - (v25 - 1); 210 | } 211 | else 212 | { 213 | v26 = 0; 214 | } 215 | if ( !v26 216 | || ((v27 = *(_QWORD *)&filename < *(_QWORD *)(StringTable + 5188), 217 | *(_QWORD *)&filename != *(_QWORD *)(StringTable + 5188))// taskhostw.exe 218 | || (v27 = *(_DWORD *)&v43 < *(_DWORD *)(StringTable + 5196), *(_DWORD *)&v43 != *(_DWORD *)(StringTable + 5196)) 219 | || (v27 = (unsigned __int8)v45 < *(_BYTE *)(StringTable + 5200), (_BYTE)v45 != *(_BYTE *)(StringTable + 5200)) ? (v28 = -v27 - (v27 - 1)) : (v28 = 0), 220 | !v28) ) 221 | { 222 | processname_matched: // this is executed if process name equals any of listed above 223 | processFlags |= 0x2000u; 224 | if ( currentProcess2 ) 225 | { 226 | if ( import_PsGetProcessInheritedFromUniqueProcessId ) 227 | parentPID = import_PsGetProcessInheritedFromUniqueProcessId(currentProcess2); 228 | else 229 | parentPID = 0i64; 230 | } 231 | else 232 | { 233 | parentPID = 0i64; 234 | } 235 | if ( parentPID ) 236 | { 237 | v30 = import_PsLookupProcessByProcessId ? (unsigned int)import_PsLookupProcessByProcessId( 238 | parentPID, 239 | &parentProcess) : -1073741822; 240 | if ( v30 >= 0 ) 241 | { 242 | if ( MEMORY[0xFFFFF7800000026C] != 5 ) 243 | { 244 | v31 = parentProcess; 245 | if ( !parentProcess ) 246 | { 247 | LABEL_72: 248 | processFlags |= 0x4000u; 249 | LABEL_74: 250 | ObfDereferenceObject(v31); 251 | goto LABEL_76; 252 | } 253 | if ( !QueryTokenIntegrityLevel((__int64)parentProcess, (__int64)&v46) || v46 < 0x4000 ) 254 | { 255 | v31 = parentProcess; 256 | goto LABEL_72; 257 | } 258 | } 259 | v31 = parentProcess; 260 | goto LABEL_74; 261 | } 262 | } 263 | processFlags |= 0x4000u; 264 | } 265 | } 266 | LABEL_76: 267 | if ( v3 && (!currentProcess ? (v32 = 0) : (v32 = GetProcessPath(currentProcess, (__int64)&buffer->process_path)), v32) 268 | || v3 && GetMappedFilename(-1i64, (__int64)buffer->base_address, (__int64)&buffer->process_path, 0) 269 | || v3 270 | && (!currentProcessID ? (v33 = 0) : (v33 = GetProcessImageFileName(&buffer->process_path, currentProcessID, 0)), v33) 271 | || (v34 = &buffer->process_path, GetProcessPathOrCommandLine(currentProcess, 1, (__int64)&buffer->process_path)) ) 272 | { 273 | buffer->success = 1; 274 | v34 = &buffer->process_path; 275 | if ( IsFileInSystemDirectory(&buffer->process_path) ) 276 | processFlags |= 0x200u; 277 | } 278 | v36 = buffer->base_address; 279 | v37 = (unsigned __int64)&v36[63].e_lfanew + 3; 280 | if ( (_IMAGE_DOS_HEADER *)((char *)&v36[63].e_lfanew + 3) < v36 || v37 >= MmUserProbeAddress ) 281 | { 282 | ExRaiseAccessViolation(v37, v35); 283 | } 284 | else 285 | { 286 | v38 = (unsigned __int16 *)((unsigned __int64)v34 & -(signed __int64)(buffer->success != 0)); 287 | v39 = GetProcessBitness2(currentProcess); 288 | v40 = CopyProcessInformation(buffer->base_address, 0x1000ui64, 0i64, processFlags, v39, v38, currentProcessID, 0i64); 289 | *(_QWORD *)&buffer->char0 = v40; 290 | if ( v40 ) 291 | { 292 | if ( !buffer->success && GetProcessFileName(currentProcess, &filename) ) 293 | CopyString(*(_QWORD *)&buffer->char0 + 22i64, 0x100ui64, &filename); 294 | v3 = 1; 295 | } 296 | } 297 | LABEL_99: 298 | if ( !v3 && buffer ) 299 | { 300 | sub_20430((__int64 *)&buffer->char0); 301 | buffer = 0i64; 302 | } 303 | return buffer; 304 | } 305 | 306 | unsigned int *__fastcall CopyProcessInformation(_IMAGE_DOS_HEADER *baseAddress, unsigned __int64 a2, unsigned __int64 a3, unsigned int a4, int a5, unsigned __int16 *a6, __int16 a7, _QWORD *a8) 307 | { 308 | _DWORD *buffer; // rax MAPDST 309 | __int64 v14; // rdx 310 | bool v15; // al 311 | _WORD *v16; // rcx 312 | __int64 v17; // r9 313 | unsigned __int64 v18; // r8 314 | signed int v19; // eax 315 | unsigned __int16 v20; // dx 316 | signed __int64 v21; // rdx 317 | __int64 v22; // r9 318 | _QWORD *v23; // r13 319 | char *v24; // rcx 320 | int v25; // eax 321 | _IMAGE_NT_HEADERS64 *v26; // rdx 322 | _IMAGE_SECTION_HEADER *v27; // rcx 323 | USHORT v28; // r8 324 | __int64 v29; // rdi 325 | int v30; // er13 326 | unsigned int *v31; // rax 327 | unsigned int *v32; // rbx 328 | _IMAGE_NT_HEADERS64 *ntHeader; // [rsp+28h] [rbp-E0h] 329 | char *Src; // [rsp+30h] [rbp-D8h] 330 | _DWORD *v35; // [rsp+38h] [rbp-D0h] 331 | _DWORD *v36; // [rsp+40h] [rbp-C8h] 332 | int v38; // [rsp+50h] [rbp-B8h] 333 | _IMAGE_SECTION_HEADER *v39; // [rsp+58h] [rbp-B0h] 334 | char debugstring; // [rsp+60h] [rbp-A8h] 335 | 336 | buffer = (_DWORD *)AllocatePool(4676i64); 337 | if ( !buffer ) 338 | return 0i64; 339 | memset(buffer, 0, 0x244ui64); 340 | *(_QWORD *)(buffer + 1) = baseAddress; 341 | buffer[3] = a2; 342 | buffer[4] = a4; 343 | if ( a5 ) 344 | *((_BYTE *)buffer + 20) = a5; 345 | else 346 | *((_BYTE *)buffer + 20) = 64; 347 | *((_WORD *)buffer + 267) = a7; 348 | v15 = !a6 || !*((_QWORD *)a6 + 1) || !*a6 || !a6[1]; 349 | if ( !v15 ) 350 | { 351 | v16 = (_WORD *)((char *)buffer + 22); 352 | v17 = 0i64; 353 | v18 = 0i64; 354 | v19 = 0; 355 | if ( *(_BYTE *)a6 & 1 || (v20 = a6[1], v20 & 1) || *a6 > v20 || v20 > 0xFFFEu ) 356 | { 357 | v19 = 0xC000000D; 358 | } 359 | else if ( !*((_QWORD *)a6 + 1) && (*a6 || v20) ) 360 | { 361 | v19 = -1073741811; 362 | } 363 | if ( v19 >= 0 ) 364 | { 365 | v17 = *((_QWORD *)a6 + 1); 366 | v18 = (unsigned __int64)*a6 >> 1; 367 | } 368 | if ( v19 < 0 ) 369 | { 370 | *v16 = 0; 371 | } 372 | else 373 | { 374 | v21 = 256i64; 375 | v22 = v17 - (_QWORD)v16; 376 | do 377 | { 378 | if ( !v18 ) 379 | break; 380 | *v16 = *(_WORD *)((char *)v16 + v22); 381 | ++v16; 382 | --v21; 383 | --v18; 384 | } 385 | while ( v21 ); 386 | if ( !v21 ) 387 | --v16; 388 | *v16 = 0; 389 | } 390 | if ( sub_289F0(a6, (__int64)&ntHeader) ) 391 | *((_BYTE *)buffer + 21) = (unsigned __int64)(*a6 - (unsigned int)ntHeader) >> 1; 392 | } 393 | v23 = buffer + 145; 394 | v35 = buffer + 145; 395 | if ( baseAddress && a2 && (unsigned __int64)baseAddress < MmHighestUserAddress ) 396 | { 397 | v24 = (char *)baseAddress + a2 - 1; 398 | if ( v24 < (char *)baseAddress || (unsigned __int64)v24 >= MmUserProbeAddress ) 399 | { 400 | ExRaiseAccessViolation(v24, v14); 401 | } 402 | else if ( ValidatePeHeader(baseAddress, a2, 0i64, &ntHeader) && (v25 = IsPe64Or32Bit(baseAddress), (v38 = v25) != 0) ) 403 | { 404 | *((_BYTE *)buffer + 20) = v25; 405 | v26 = ntHeader; 406 | buffer[134] = ntHeader->FileHeader.TimeDateStamp; 407 | *((_WORD *)buffer + 270) = v26->FileHeader.Machine; 408 | *((_WORD *)buffer + 271) = v26->FileHeader.Characteristics; 409 | *((_WORD *)buffer + 284) = 0; 410 | if ( v25 == 64 ) 411 | buffer[136] = v26->OptionalHeader.ImageBase; 412 | else 413 | buffer[136] = HIDWORD(v26->OptionalHeader.ImageBase); 414 | buffer[137] = v26->OptionalHeader.SizeOfImage; 415 | buffer[138] = v26->OptionalHeader.BaseOfCode; 416 | buffer[139] = v26->OptionalHeader.SizeOfCode; 417 | buffer[140] = v26->OptionalHeader.AddressOfEntryPoint; 418 | buffer[141] = v26->OptionalHeader.CheckSum; 419 | v36 = buffer + 145; 420 | v27 = (_IMAGE_SECTION_HEADER *)((char *)&v26->OptionalHeader + v26->FileHeader.SizeOfOptionalHeader); 421 | v28 = 0; 422 | while ( v28 < v26->FileHeader.NumberOfSections ) 423 | { 424 | if ( (_IMAGE_SECTION_HEADER *)((char *)&v27->Characteristics + 3) < v27 425 | || (unsigned __int64)&v27->Characteristics + 3 >= MmUserProbeAddress ) 426 | { 427 | ExRaiseAccessViolation(v27, v26); 428 | break; 429 | } 430 | *v23 = *(_QWORD *)v27->Name; 431 | ++*((_WORD *)buffer + 284); 432 | ++v28; 433 | ++v27; 434 | v39 = v27; 435 | ++v23; 436 | v36 = v23; 437 | } 438 | v35 = v23; 439 | if ( CopyRawDataFromDebugDirectory(baseAddress, (__int64)&debugstring) ) 440 | { 441 | Src = &debugstring; 442 | InitAnsiString((ANSI_STRING *)&ntHeader, &debugstring); 443 | v29 = (unsigned __int16)ntHeader; 444 | memmove(v23, Src, (unsigned __int16)ntHeader); 445 | v23 = (_QWORD *)((char *)v23 + v29); 446 | v35 = v23; 447 | *((_WORD *)buffer + 287) = v29; 448 | } 449 | } 450 | else 451 | { 452 | buffer[4] |= 0x80u; 453 | } 454 | } 455 | v30 = (_DWORD)v23 - (_DWORD)buffer; 456 | *buffer = v30; 457 | v31 = (unsigned int *)AllocatePool((unsigned int)(v30 + a3)); 458 | v32 = v31; 459 | if ( v31 ) 460 | { 461 | memmove(v31, buffer, (unsigned int)*buffer); 462 | if ( a3 > 0 ) 463 | { 464 | if ( a8 ) 465 | *a8 = (char *)v32 + *v32; 466 | } 467 | } 468 | FreePool((__int64)buffer); 469 | return v32; 470 | } -------------------------------------------------------------------------------- /EasyAntiCheat.sys/servicetable.c: -------------------------------------------------------------------------------- 1 | char __usercall CheckServiceTable@(signed int a1@) 2 | { 3 | unsigned int v2; // er12 4 | unsigned __int64 lstar; // rax MAPDST 5 | unsigned __int64 lstarEnd; // rbp 6 | unsigned int serviceTableHash; // edi 7 | unsigned int systemVersion; // eax MAPDST 8 | __int64 packetType; // rcx 9 | SystemServiceDescriptorTable *ssdt; // rsi 10 | unsigned int *detectionBuffer; // rbp 11 | unsigned int *functionDetectionBuffer; // r12 12 | unsigned int index; // ebx 13 | _BYTE *functionName; // rcx 14 | char *zwSyscallFunction; // rax MAPDST 15 | __int64 syscallIndex; // rax 16 | char *syscallFunctionFromSDDT; // rcx 17 | ULONG numOfServices; // edx 18 | unsigned int v20; // [rsp+40h] [rbp+8h] 19 | 20 | systemVersion = GetSystemVersion(); 21 | v2 = systemVersion; 22 | v20 = systemVersion; 23 | lstar = __readmsr(0xC0000082); 24 | lstarEnd = (lstar & 0xFFFFFFFFFFFFF000ui64) + 0xFF1; 25 | if ( KeGetCurrentIrql() > 1u ) 26 | return 0; 27 | serviceTableHash = 0; 28 | if ( !lstar ) 29 | return 0; 30 | if ( !IsAddressWithinNtoskrnl(lstar) ) 31 | { 32 | systemVersion = GetSystemVersion(); 33 | packetType = 328i64; 34 | v20 = systemVersion; 35 | LABEL_5: 36 | SendPacketToServer(packetType, (__int64)&v20, 4i64); 37 | return 0; 38 | } 39 | if ( lstar >= lstarEnd ) 40 | { 41 | LABEL_14: 42 | ssdt = 0i64; 43 | } 44 | else 45 | { 46 | while ( 1 ) 47 | { 48 | if ( (*(_DWORD *)lstar & 0xFFFFFF) == 0x158D4C// lea r10, [rip+offset] 49 | // lea r11, [rip+offset] 50 | // test [something] 51 | && (*(_DWORD *)(lstar + 7) & 0xFFFFFF) == 0x1D8D4C 52 | && *(_BYTE *)(lstar + 14) == 0xF7u ) 53 | { 54 | ssdt = (SystemServiceDescriptorTable *)(*(unsigned int *)(lstar + 3) + lstar + 7); 55 | if ( IsAddressWithinNtoskrnl((unsigned __int64)ssdt) ) 56 | break; 57 | } 58 | if ( ++lstar >= lstarEnd ) 59 | goto LABEL_14; 60 | } 61 | } 62 | if ( !ssdt ) 63 | return 0; 64 | if ( !IsAddressWithinNtoskrnl((unsigned __int64)ssdt) ) 65 | { 66 | packetType = 327i64; 67 | goto LABEL_5; 68 | } 69 | if ( !(unsigned __int8)MmIsAddressValid(ssdt) ) 70 | return 0; 71 | detectionBuffer = (unsigned int *)AllocatePool(72i64); 72 | memset(detectionBuffer, 0, 72ui64); 73 | *detectionBuffer = v2; 74 | functionDetectionBuffer = detectionBuffer + 3; 75 | index = 0; 76 | do 77 | { 78 | if ( index ) 79 | { 80 | switch ( index ) 81 | { 82 | case 1u: 83 | functionName = (_BYTE *)(StringTable + 4658);// ZwDeviceIoControlFile 84 | break; 85 | case 2u: 86 | functionName = (_BYTE *)(StringTable + 4680);// ZwQueryInformationProcess 87 | break; 88 | case 3u: 89 | functionName = (_BYTE *)(StringTable + 4706);// ZwQuerySystemInformation 90 | break; 91 | case 4u: 92 | functionName = (_BYTE *)(StringTable + 4731);// ZwQueryVirtualMemory 93 | break; 94 | default: 95 | functionName = 0i64; 96 | break; 97 | } 98 | } 99 | else 100 | { 101 | functionName = (_BYTE *)(StringTable + 4645);// ZwCreateFile 102 | } 103 | zwSyscallFunction = (char *)GetKernelSyscallFunctionForNtdllFunction(functionName, a1); 104 | if ( zwSyscallFunction ) 105 | { 106 | functionDetectionBuffer[1] = UnkHashFunction(zwSyscallFunction, 0x40i64, 0i64); 107 | if ( GetSyscallIndexFromFunction(&v20, (unsigned __int64)zwSyscallFunction, a1) ) 108 | { 109 | syscallIndex = v20; 110 | *functionDetectionBuffer = v20; 111 | if ( (unsigned int)syscallIndex > 0xFFF || (unsigned int)syscallIndex >= ssdt->NumberOfServices ) 112 | syscallFunctionFromSDDT = 0i64; 113 | else 114 | syscallFunctionFromSDDT = (char *)ssdt->ServiceTableBase 115 | + ((unsigned __int64)*((unsigned int *)ssdt->ServiceTableBase + syscallIndex) >> 4); 116 | functionDetectionBuffer[2] = UnkHashFunction(syscallFunctionFromSDDT, 64i64, 0i64); 117 | } 118 | } 119 | ++index; 120 | functionDetectionBuffer += 3; 121 | } 122 | while ( index < 5 ); 123 | numOfServices = ssdt->NumberOfServices; 124 | if ( numOfServices <= 0xFFF ) 125 | serviceTableHash = HashCRC32((char *)ssdt->ServiceTableBase, 4 * numOfServices, 0); 126 | detectionBuffer[1] = serviceTableHash; 127 | detectionBuffer[2] = ssdt->NumberOfServices; 128 | SendPacketToServer(317i64, (__int64)detectionBuffer, 72i64); 129 | FreePool((__int64)detectionBuffer); 130 | return 1; 131 | } 132 | 133 | _WORD *__usercall GetKernelSyscallFunctionForNtdllFunction@(_BYTE *funcName@, signed int a2@) 134 | { 135 | _WORD *v3; // rbx Gets kernel ZwXXX function address which is equivallent to ntdll Nt/ZwXXX function 136 | _WORD *result; // rax 137 | unsigned int copySize; // edi 138 | char *ntdllExportRva; // rax 139 | int ntdllSyscallIndex; // er12 140 | unsigned int i; // edi 141 | char *ntdllByte; // r13 142 | int v12; // eax 143 | __int64 zwFuncIt; // rsi 144 | char foundRet; // r13 145 | int syscallIndexOffset; // er15 146 | unsigned int ntoskrnlOffset; // edi 147 | unsigned int j; // er14 148 | unsigned int instructionSize; // eax 149 | int v19; // ecx 150 | void *v20; // rcx 151 | char v21; // al 152 | _WORD *addr; // rcx 153 | _BYTE *addr0; // r8 MAPDST 154 | unsigned __int64 currentOffset; // rdx 155 | unsigned __int8 v26; // [rsp+48h] [rbp-2E0h] 156 | __int64 v27; // [rsp+50h] [rbp-2D8h] 157 | __int64 v28; // [rsp+58h] [rbp-2D0h] 158 | _WORD *sectionVa; // [rsp+60h] [rbp-2C8h] 159 | unsigned __int64 v30; // [rsp+68h] [rbp-2C0h] 160 | char *ntoskrnlBuffer0; // [rsp+70h] [rbp-2B8h] MAPDST 161 | unsigned __int8 v33; // [rsp+80h] [rbp-2A8h] 162 | __int64 v34; // [rsp+95h] [rbp-293h] 163 | __int64 v35; // [rsp+9Dh] [rbp-28Bh] 164 | char ntdllBuffer[64]; // [rsp+B0h] [rbp-278h] 165 | char ntoskrnlBuffer[120]; // [rsp+F0h] [rbp-238h] 166 | unsigned int size; // [rsp+330h] [rbp+8h] 167 | void *bufferIt; // [rsp+338h] [rbp+10h] MAPDST 168 | size_t instructionSize_; // [rsp+340h] [rbp+18h] 169 | unsigned __int64 sectionSize; // [rsp+348h] [rbp+20h] 170 | 171 | v3 = 0i64; 172 | v26 = 0; 173 | result = 0i64; 174 | v27 = 0i64; 175 | v28 = 0i64; 176 | if ( funcName && *funcName ) 177 | { 178 | copySize = 0; 179 | if ( StringTable != 0xFFFFFFFFFFFFDB93i64 180 | && ReadFileA((const char *)(StringTable + 0x246D), (__int64)&bufferIt, (__int64)&size) )// \SystemRoot\system32\ntdll.dll 181 | { 182 | ntdllExportRva = GetPeExportRva((_IMAGE_DOS_HEADER *)bufferIt, size, (unsigned __int64)funcName); 183 | if ( ntdllExportRva ) 184 | { 185 | copySize = size - (_DWORD)ntdllExportRva; 186 | if ( size - (unsigned int)ntdllExportRva > 64 ) 187 | copySize = 64; 188 | memmove(ntdllBuffer, (char *)bufferIt + (_QWORD)ntdllExportRva, copySize); 189 | } 190 | if ( bufferIt ) 191 | FreePool((__int64)bufferIt); 192 | } 193 | if ( copySize ) 194 | { 195 | if ( GetNtoskrnlSection('txet.', §ionVa, §ionSize) ) 196 | { 197 | ntdllSyscallIndex = 0; 198 | for ( i = 0; i < 0x10; i += v12 ) 199 | { 200 | ntdllByte = &ntdllBuffer[i]; 201 | v12 = GetInstructionSize(&v33, &ntdllBuffer[i], a2); 202 | if ( _bittest((const signed __int32 *)&v35 + 1, 0xCu) ) 203 | break; 204 | if ( *ntdllByte == 0xB8u ) // mov eax, ??h 205 | { 206 | ntdllSyscallIndex = *(_DWORD *)&ntdllBuffer[i + 1]; 207 | break; 208 | } 209 | if ( *ntdllByte == 0xC2u || *ntdllByte == 0xC3u ) 210 | break; 211 | } 212 | if ( ntdllSyscallIndex ) 213 | { 214 | zwFuncIt = (__int64)FindExport((DATA_HASH_BUFFER *)&unk_47588);// can be any ZwXX function 215 | if ( zwFuncIt ) 216 | { 217 | foundRet = 0; 218 | syscallIndexOffset = 0; 219 | ntoskrnlOffset = 0; 220 | for ( j = 0; j < 0x10; ++j ) 221 | { 222 | instructionSize = GetInstructionSize(&v33, (_BYTE *)zwFuncIt, j); 223 | size = instructionSize; 224 | if ( _bittest((const signed __int32 *)&v35 + 1, 0xCu) ) 225 | break; 226 | instructionSize_ = instructionSize; 227 | bufferIt = &ntoskrnlBuffer[ntoskrnlOffset]; 228 | memmove(&ntoskrnlBuffer[ntoskrnlOffset], (const void *)zwFuncIt, instructionSize); 229 | if ( *(_BYTE *)zwFuncIt == 0xB8u ) 230 | { 231 | syscallIndexOffset = ntoskrnlOffset + 1; 232 | *(_DWORD *)&ntoskrnlBuffer[ntoskrnlOffset + 1] = ntdllSyscallIndex; 233 | } 234 | else 235 | { 236 | if ( *(_BYTE *)zwFuncIt == 0xC2u || *(_BYTE *)zwFuncIt == 0xC3u ) 237 | { 238 | if ( *(_BYTE *)zwFuncIt == 0xC2u ) 239 | *(_WORD *)&ntoskrnlBuffer[ntoskrnlOffset + 1] = 0xAAAAu; 240 | ntoskrnlOffset += size; 241 | foundRet = 1; 242 | break; 243 | } 244 | v19 = HIDWORD(v35); 245 | if ( _bittest(&v19, 9u) || _bittest(&v19, 8u) ) 246 | { 247 | v26 = v33; 248 | v27 = v34; 249 | v28 = v35; 250 | v20 = bufferIt; 251 | if ( bufferIt ) 252 | { 253 | v21 = sub_17FB0((unsigned __int64)bufferIt, &v26); 254 | v20 = bufferIt; 255 | } 256 | else 257 | { 258 | v21 = 0; 259 | } 260 | if ( !v21 ) 261 | { 262 | memset(v20, 170, instructionSize_); 263 | *(_BYTE *)bufferIt = *(_BYTE *)zwFuncIt; 264 | } 265 | if ( *(_BYTE *)zwFuncIt == 0xE9u ) 266 | { 267 | ntoskrnlOffset += size; 268 | goto LABEL_46; 269 | } 270 | } 271 | } 272 | ntoskrnlOffset += size; 273 | zwFuncIt += instructionSize_; 274 | } 275 | if ( !foundRet ) 276 | goto LABEL_60; 277 | LABEL_46: 278 | if ( syscallIndexOffset && ntoskrnlOffset >= 2 && ntoskrnlOffset <= sectionSize ) 279 | { 280 | for ( addr = sectionVa; 281 | addr < (_WORD *)((char *)sectionVa + sectionSize - ntoskrnlOffset); 282 | addr = (_WORD *)((char *)addr + 1) ) 283 | { 284 | if ( *addr == *(_WORD *)ntoskrnlBuffer ) 285 | { 286 | addr0 = addr; 287 | addr0 = addr; 288 | ntoskrnlBuffer0 = ntoskrnlBuffer; 289 | ntoskrnlBuffer0 = ntoskrnlBuffer; 290 | currentOffset = 0i64; 291 | v30 = 0i64; 292 | while ( currentOffset < ntoskrnlOffset && (*addr0 == *ntoskrnlBuffer0 || *ntoskrnlBuffer0 == 0xAAu) ) 293 | { 294 | v30 = ++currentOffset; 295 | ++addr0; 296 | ++ntoskrnlBuffer0; 297 | } 298 | if ( currentOffset == ntoskrnlOffset ) 299 | { 300 | v3 = addr; 301 | break; 302 | } 303 | } 304 | } 305 | } 306 | } 307 | } 308 | LABEL_60: 309 | result = v3; 310 | } 311 | else 312 | { 313 | result = 0i64; 314 | } 315 | } 316 | else 317 | { 318 | result = 0i64; 319 | } 320 | } 321 | return result; 322 | } -------------------------------------------------------------------------------- /EasyAntiCheat.sys/suspiciousmodules.c: -------------------------------------------------------------------------------- 1 | char __fastcall CheckForSuspiciousModules(__int64 a1) 2 | { 3 | char suspiciousModulesFound; // di 4 | __int64 *processes; // rax MAPDST 5 | unsigned int processCount; // esi 6 | __int64 *pProcess; // rbp 7 | __int64 v7; // rsi 8 | 9 | suspiciousModulesFound = 0; 10 | processes = (__int64 *)AllocatePool(4096i64); 11 | if ( processes ) 12 | { 13 | processCount = Get512RunningProcessesFromThreads(processes); 14 | if ( processCount ) 15 | { 16 | ObfDereferenceObject((PVOID)*processes); 17 | if ( processCount > 1 ) 18 | { 19 | pProcess = processes + 1; 20 | v7 = processCount - 1; 21 | do 22 | { 23 | if ( !suspiciousModulesFound && !sub_1F140(a1) ) 24 | suspiciousModulesFound = IsProcessRunningSuspiciousModule(*pProcess, v7); 25 | ObfDereferenceObject((PVOID)*pProcess); 26 | ++pProcess; 27 | --v7; 28 | } 29 | while ( v7 ); 30 | } 31 | } 32 | FreePool((__int64)processes); 33 | } 34 | return suspiciousModulesFound; 35 | } 36 | 37 | char __usercall IsProcessRunningSuspiciousModule@(__int64 process@, int a2@) 38 | { 39 | char v3; // bl 40 | char v5; // [rsp+20h] [rbp-38h] 41 | 42 | v3 = 0; 43 | if ( AttachToProcess(process, (__int64)&v5) ) 44 | { 45 | if ( GetUsermodeModule((UNICODE_STRING *)(StringTable + 4830))// Dumper.dll 46 | && GetUsermodeModule((UNICODE_STRING *)(StringTable + 4852))// Glob.dll 47 | && GetUsermodeModule((UNICODE_STRING *)(StringTable + 4870))// mswsock.dll 48 | && GetUsermodeModule((UNICODE_STRING *)(StringTable + 4894))// perl512.dll 49 | || GetUsermodeModule((UNICODE_STRING *)(StringTable + 4918))// vmclientcore.dll 50 | || GetUsermodeModule((UNICODE_STRING *)(StringTable + 4952))// vmwarewui.dll 51 | || GetUsermodeModule((UNICODE_STRING *)(StringTable + 4980))// virtualbox.dll 52 | || GetUsermodeModule((UNICODE_STRING *)(StringTable + 5010))// qtcorevbox4.dll 53 | || GetUsermodeModule((UNICODE_STRING *)(StringTable + 5042))// vboxvmm.dll 54 | || GetUsermodeModule((UNICODE_STRING *)(StringTable + 5066)) )// netredirect.dll 55 | { 56 | v3 = 1; 57 | } 58 | if ( process ) 59 | DetachFromProcess(process, (__int64)&v5, process, a2); 60 | } 61 | return v3; 62 | } 63 | 64 | char CheckRunningPrograms() 65 | { 66 | char v0; // bp 67 | HANDLE *processes; // rax MAPDST 68 | unsigned int status; // er13 69 | unsigned int index; // esi 70 | HANDLE *current; // r12 71 | signed int v6; // eax 72 | char v7; // bl 73 | __int64 v8; // rbx 74 | unsigned __int64 v9; // r8 75 | SYSTEM_MODULE_INFORMATION *moduleInformation; // rax MAPDST 76 | __int64 v11; // r8 77 | ULONG v13; // esi 78 | USHORT *v14; // rdi 79 | CHAR *v15; // rdx 80 | __int64 v16; // r8 81 | __int64 v17; // r8 82 | ANSI_STRING a1; // [rsp+20h] [rbp-48h] 83 | char v20; // [rsp+30h] [rbp-38h] 84 | PVOID process; // [rsp+70h] [rbp+8h] 85 | 86 | v0 = 0; 87 | processes = (HANDLE *)AllocatePool(2048i64); 88 | if ( !processes ) 89 | goto LABEL_34; 90 | status = GetRunningProcesses(processes, 0x100u, 0i64, 0i64); 91 | if ( status > 0 ) 92 | { 93 | index = 0; 94 | current = processes; 95 | while ( 1 ) 96 | { 97 | if ( *current ) 98 | { 99 | v6 = import_PsLookupProcessByProcessId ? (unsigned int)import_PsLookupProcessByProcessId(*current, &process) : 0xC0000002; 100 | if ( v6 >= 0 ) 101 | { 102 | v7 = GetProcessFileName((__int64)process, &v20); 103 | ObfDereferenceObject(process); 104 | if ( v7 ) 105 | { 106 | v8 = StringTable; 107 | if ( strstrIgnoreCase(&v20, (_BYTE *)(StringTable + 8018), 7ui64)// dbgview 108 | || strstrIgnoreCase(&v20, (_BYTE *)(v8 + 8026), v9)// devenv 109 | || strstrIgnoreCase(&v20, (_BYTE *)(v8 + 8034), 3ui64) )// tv_ 110 | { 111 | break; 112 | } 113 | } 114 | } 115 | } 116 | ++index; 117 | ++current; 118 | if ( index >= status ) 119 | goto LABEL_16; 120 | } 121 | v0 = 1; 122 | } 123 | LABEL_16: 124 | FreePool((__int64)processes); 125 | if ( !v0 ) 126 | { 127 | LABEL_34: 128 | moduleInformation = (SYSTEM_MODULE_INFORMATION *)QuerySystemModuleInformation(0); 129 | if ( moduleInformation ) 130 | { 131 | v13 = 0; 132 | if ( moduleInformation->Count > 0 ) 133 | { 134 | v14 = &moduleInformation->Module[0].OffsetToFileName; 135 | while ( 1 ) 136 | { 137 | if ( *(_QWORD *)(v14 - 11) >= MmSystemRangeStart ) 138 | { 139 | v15 = (char *)v14 + *v14 + 2; 140 | a1.Buffer = v15; 141 | if ( v15 ) 142 | { 143 | SetAnsiStringLength(&a1, v15); 144 | } 145 | else 146 | { 147 | a1.Length = 0; 148 | a1.MaximumLength = 0; 149 | } 150 | LOBYTE(v11) = 1; 151 | if ( !(unsigned int)strstr2((__int64)&a1, (const char *)(StringTable + 8038), v11) )// Dbgv.sys 152 | break; 153 | LOBYTE(v16) = 1; 154 | if ( !(unsigned int)strstr2((__int64)&a1, (const char *)(StringTable + 8047), v16) )// PROCMON23.sys 155 | break; 156 | LOBYTE(v17) = 1; 157 | if ( !(unsigned int)strstr2((__int64)&a1, (const char *)(StringTable + 8061), v17) )// dbk64.sys 158 | break; 159 | } 160 | ++v13; 161 | v14 += 148; 162 | if ( v13 >= moduleInformation->Count ) 163 | goto LABEL_30; 164 | } 165 | v0 = 1; 166 | } 167 | LABEL_30: 168 | FreePool((__int64)moduleInformation); 169 | } 170 | } 171 | return v0; 172 | } 173 | 174 | bool __fastcall SomeModuleCheck(UNICODE_STRING *a1) 175 | { 176 | UNICODE_STRING *v1; // rbx 177 | __int64 v2; // rdi 178 | bool result; // al 179 | 180 | v1 = a1; 181 | result = 0; 182 | if ( a1 ) 183 | { 184 | if ( a1->Buffer ) 185 | { 186 | if ( a1->Length ) 187 | { 188 | if ( a1->MaximumLength ) 189 | { 190 | v2 = StringTable; 191 | if ( CompareUnicodeStringsIgnoreCase(a1, (unsigned __int16 *)(StringTable + 8467))// \System32\atmfd.dll 192 | || CompareUnicodeStringsIgnoreCase(v1, (unsigned __int16 *)(v2 + 8507))// \System32\cdd.dll 193 | || CompareUnicodeStringsIgnoreCase(v1, (unsigned __int16 *)(v2 + 8543))// \System32\rdpdd.dll 194 | || CompareUnicodeStringsIgnoreCase(v1, (unsigned __int16 *)(v2 + 8583))// \System32\vga.dll 195 | || CompareUnicodeStringsIgnoreCase(v1, (unsigned __int16 *)(v2 + 8619)) )// \System32\workerdd.dll 196 | { 197 | result = 1; 198 | } 199 | } 200 | } 201 | } 202 | } 203 | return result; 204 | } -------------------------------------------------------------------------------- /EasyAntiCheat.sys/systemthread.c: -------------------------------------------------------------------------------- 1 | __int64 ScanSystemThreads() 2 | { 3 | __int64 result; // rax 4 | __int64 currentProcessId; // r14 5 | int isSystemThread; // er11 6 | __int64 systemBigPoolInformation; // r12 7 | SYSTEM_MODULE_INFORMATION *systemModuleInformation; // r13 8 | CONTEXT *context; // rsi 9 | unsigned __int64 currentThreadId; // rbx 10 | signed int status0; // eax 11 | STACKWALK_ENTRY *entry; // rdi 12 | __int64 v10; // rcx 13 | int entryIndex; // er10 14 | __int64 v12; // r11 15 | unsigned __int64 v13; // rcx 16 | int status1; // eax 17 | __int64 threadProcessId; // rax 18 | STACKWALK_BUFFER stackwalkBuffer; // [rsp+30h] [rbp-238h] 19 | PVOID threadObject; // [rsp+270h] [rbp+8h] MAPDST 20 | __int64 win32StartAddress; // [rsp+278h] [rbp+10h] MAPDST 21 | 22 | result = import_PsGetCurrentThreadProcessId(); 23 | currentProcessId = result; 24 | if ( import_PsIsSystemThread ) 25 | { 26 | result = import_PsIsSystemThread(__readgsqword(0x188u)); 27 | isSystemThread = (unsigned __int8)result; 28 | } 29 | else 30 | { 31 | isSystemThread = 0; 32 | } 33 | if ( isSystemThread ) 34 | { 35 | result = import_PsGetCurrentProcess(); 36 | if ( result == PsInitialSystemProcess ) 37 | { 38 | systemBigPoolInformation = QuerySystemInformation(0x42i64, 0x100000i64, 0x2000000i64); 39 | result = QuerySystemModuleInformation(); 40 | systemModuleInformation = (SYSTEM_MODULE_INFORMATION *)result; 41 | if ( result ) 42 | { 43 | context = (CONTEXT *)AllocatePool(0x4D0i64); 44 | if ( context ) 45 | { 46 | currentThreadId = 4i64; 47 | do 48 | { 49 | if ( import_PsLookupThreadByThreadId ) 50 | status0 = import_PsLookupThreadByThreadId(currentThreadId, &threadObject); 51 | else 52 | status0 = 0xC0000002; 53 | if ( status0 >= 0 ) 54 | { 55 | if ( GetProcessId((__int64)threadObject) == currentProcessId 56 | && threadObject != (PVOID)__readgsqword(0x188u) 57 | && StackwalkThread((__int64)threadObject, context, &stackwalkBuffer) 58 | && stackwalkBuffer.EntryCount > 0u ) 59 | { 60 | entry = stackwalkBuffer.Entries; 61 | while ( 1 ) 62 | { 63 | if ( !GetModuleEntryForAddress(entry->RipValue, &systemModuleInformation->Count) ) 64 | { 65 | if ( !v10 ) 66 | break; 67 | if ( !v12 ) 68 | break; 69 | v13 = *(_QWORD *)(v12 + 24); 70 | if ( !v13 71 | || *(_DWORD *)(v12 + 32) <= 0u 72 | || entry->RipValue < v13 73 | || entry->RipValue >= v13 + *(unsigned int *)(v12 + 32) ) 74 | { 75 | break; 76 | } 77 | } 78 | ++entry; 79 | if ( (unsigned int)(entryIndex + 1) >= stackwalkBuffer.EntryCount ) 80 | goto LABEL_30; 81 | } 82 | status1 = QueryWin32StartAddress((__int64)threadObject, &win32StartAddress); 83 | if ( status1 < 0 ) 84 | win32StartAddress = 0i64; 85 | threadProcessId = GetProcessId((__int64)threadObject); 86 | PerformAdditionalScans( // This is virtualized. 87 | // Probably checks if address is within any big pool and sends report to server. 88 | threadProcessId, 89 | (unsigned int)currentThreadId, 90 | win32StartAddress, 91 | systemModuleInformation, 92 | systemBigPoolInformation, 93 | &stackwalkBuffer); 94 | } 95 | LABEL_30: 96 | ObfDereferenceObject(threadObject); 97 | } 98 | currentThreadId += 4i64; 99 | } 100 | while ( currentThreadId < 0x3000 ); 101 | FreePool((__int64)context); 102 | } 103 | result = FreePool((__int64)systemModuleInformation); 104 | } 105 | if ( systemBigPoolInformation ) 106 | result = FreePool(systemBigPoolInformation); 107 | } 108 | } 109 | return result; 110 | } 111 | 112 | char __fastcall StackwalkThread(__int64 threadObject, CONTEXT *context, STACKWALK_BUFFER *stackwalkBuffer) 113 | { 114 | char status; // di 115 | _QWORD *stackBuffer; // rax MAPDST 116 | size_t copiedSize; // rax 117 | DWORD64 startRip; // rdx 118 | unsigned int index; // ebp 119 | unsigned __int64 rip0; // rcx 120 | DWORD64 rsp0; // rdx 121 | __int64 functionTableEntry; // rax 122 | __int64 moduleBase; // [rsp+40h] [rbp-48h] 123 | __int64 v17; // [rsp+48h] [rbp-40h] 124 | __int64 v18; // [rsp+50h] [rbp-38h] 125 | unsigned __int64 sectionVa; // [rsp+90h] [rbp+8h] 126 | __int64 sectionSize; // [rsp+A8h] [rbp+20h] 127 | 128 | status = 0; 129 | if ( !threadObject ) 130 | return 0; 131 | if ( !stackwalkBuffer ) 132 | return 0; 133 | memset(context, 0, 0x4D0ui64); 134 | memset(stackwalkBuffer, 0, 0x208ui64); 135 | if ( !import_RtlVirtualUnwind ) 136 | { 137 | import_RtlVirtualUnwind = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _QWORD, _QWORD))FindExport((__int64)&unk_47420); 138 | if ( !import_RtlVirtualUnwind ) 139 | return 0; 140 | } 141 | if ( !import_RtlLookupFunctionEntry ) 142 | { 143 | import_RtlLookupFunctionEntry = (__int64 (__fastcall *)(_QWORD, _QWORD, _QWORD))FindExport((__int64)&unk_473F0); 144 | if ( !import_RtlLookupFunctionEntry ) 145 | return 0; 146 | } 147 | stackBuffer = (_QWORD *)AllocatePool(4096i64); 148 | if ( stackBuffer ) 149 | { 150 | copiedSize = CopyThreadKernelStack(threadObject, 4096i64, stackBuffer, 4096); 151 | if ( copiedSize ) 152 | { 153 | if ( copiedSize != 4096 && copiedSize >= 0x48 ) 154 | { 155 | if ( GetNtoskrnlSection('txet.', §ionVa, §ionSize) ) 156 | { 157 | startRip = stackBuffer[7]; 158 | if ( startRip >= sectionVa && startRip < sectionSize + sectionVa ) 159 | { 160 | status = 1; 161 | context->Rip = startRip; 162 | context->Rsp = (DWORD64)(stackBuffer + 8); 163 | index = 0; 164 | do 165 | { 166 | rip0 = context->Rip; 167 | rsp0 = context->Rsp; 168 | stackwalkBuffer->Entries[stackwalkBuffer->EntryCount].RipValue = rip0; 169 | stackwalkBuffer->Entries[stackwalkBuffer->EntryCount++].RspValue = rsp0; 170 | if ( rip0 < MmSystemRangeStart ) 171 | break; 172 | if ( rsp0 < MmSystemRangeStart ) 173 | break; 174 | functionTableEntry = import_RtlLookupFunctionEntry(rip0, &moduleBase, 0i64); 175 | if ( !functionTableEntry ) 176 | break; 177 | import_RtlVirtualUnwind(0i64, moduleBase, context->Rip, functionTableEntry, context, &v18, &v17, 0i64); 178 | if ( !context->Rip ) 179 | { 180 | stackwalkBuffer->Succeded = 1; 181 | break; 182 | } 183 | ++index; 184 | } 185 | while ( index < 0x20 ); 186 | } 187 | } 188 | } 189 | } 190 | FinalizeFreePool((__int64)stackBuffer); 191 | } 192 | return status; 193 | } 194 | 195 | size_t __usercall CopyThreadKernelStack@(__int64 threadObject@, __int64 maxSize@, void *outStackBuffer@, signed int a4@) 196 | { 197 | size_t copiedSize; // rsi 198 | __int64 threadStateOffset; // r12 MAPDST 199 | __int64 kernelStackOffset; // r14 200 | unsigned int threadStackBaseOffset; // eax 201 | unsigned __int64 threadStackBase; // rdi 202 | unsigned int threadStackLimitOffset; // eax 203 | unsigned __int64 threadStackLimit; // rbp 204 | int isSystemThread; // er11 205 | const void **pKernelStack; // r12 206 | __int64 v16; // rdx 207 | unsigned int threadLockOffset; // eax 208 | KSPIN_LOCK *threadLock; // rcx 209 | void (__fastcall *v19)(_QWORD, __int64); // rax 210 | unsigned __int8 oldIrql; // [rsp+50h] [rbp+8h] 211 | 212 | copiedSize = 0i64; 213 | threadStateOffset = (unsigned int)GetThreadStateOffset(a4); 214 | kernelStackOffset = (unsigned int)GetKernelStackOffset(); 215 | threadStackBaseOffset = GetThreadStackBaseOffset(); 216 | if ( threadObject && threadStackBaseOffset ) 217 | threadStackBase = *(_QWORD *)(threadStackBaseOffset + threadObject); 218 | else 219 | threadStackBase = 0i64; 220 | threadStackLimitOffset = GetThreadStackLimitOffset(); 221 | if ( !threadObject ) 222 | return 0i64; 223 | threadStackLimit = threadStackLimitOffset ? *(_QWORD *)(threadStackLimitOffset + threadObject) : 0i64; 224 | isSystemThread = import_PsIsSystemThread ? (unsigned __int8)import_PsIsSystemThread(threadObject) : 0; 225 | if ( !isSystemThread 226 | || !outStackBuffer 227 | || !(_DWORD)threadStateOffset 228 | || !(_DWORD)kernelStackOffset 229 | || !threadStackBase 230 | || !threadStackLimit 231 | || KeGetCurrentIrql() > 1u 232 | || threadObject == __readgsqword(0x188u) ) 233 | { 234 | return 0i64; 235 | } 236 | pKernelStack = (const void **)(threadObject + kernelStackOffset); 237 | memset(outStackBuffer, 0, 0x1000ui64); 238 | if ( LockThread(&oldIrql, threadObject, 0x1000) ) 239 | { 240 | if ( !(unsigned __int8)PsIsThreadTerminating(threadObject) 241 | && *(_BYTE *)(threadStateOffset + threadObject) == 5 242 | && (unsigned __int64)*pKernelStack > threadStackLimit 243 | && (unsigned __int64)*pKernelStack < threadStackBase 244 | && MmGetPhysicalAddress(*pKernelStack) ) 245 | { 246 | copiedSize = threadStackBase - (_QWORD)*pKernelStack; 247 | if ( copiedSize > 0x1000 ) 248 | copiedSize = 0x1000i64; 249 | memmove(outStackBuffer, *pKernelStack, copiedSize); 250 | } 251 | if ( MEMORY[0xFFFFF7800000026C] >= 6u && (MEMORY[0xFFFFF7800000026C] != 6 || MEMORY[0xFFFFF78000000270]) ) 252 | { 253 | threadLockOffset = GetThreadLockOffset(0x1000); 254 | threadLock = (KSPIN_LOCK *)((threadObject + threadLockOffset) & -(signed __int64)(threadLockOffset != 0)); 255 | if ( threadLock ) 256 | { 257 | KeReleaseSpinLockFromDpcLevel(threadLock); 258 | __writecr8(oldIrql); 259 | } 260 | } 261 | else 262 | { 263 | v19 = (void (__fastcall *)(_QWORD, __int64))qword_4DF00; 264 | if ( qword_4DF00 265 | || (v19 = (void (__fastcall *)(_QWORD, __int64))FindExport((__int64)&unk_46D00), 266 | (qword_4DF00 = (__int64)v19) != 0) ) 267 | { 268 | LOBYTE(v16) = oldIrql; 269 | v19(0i64, v16); 270 | } 271 | } 272 | } 273 | return copiedSize; 274 | } -------------------------------------------------------------------------------- /EasyAntiCheat.sys/tdl.c: -------------------------------------------------------------------------------- 1 | SYSTEM_BIGPOOL_INFORMATION *__usercall CheckForTDL@(signed int a1@) 2 | { 3 | SYSTEM_BIGPOOL_INFORMATION *bigpoolInfo; // rax MAPDST 4 | ULONG index; // esi 5 | __int64 MmGetPhysicalAddress; // rdx 6 | SYSTEM_BIGPOOL_ENTRY1 *entry; // rbx 7 | char detectedTDL; // bp 8 | __int64 physicalAddress; // rax 9 | __int64 v8; // rax MAPDST 10 | unsigned __int64 v10; // rcx 11 | ULONG_PTR size; // rbx 12 | unsigned __int64 v12; // rcx 13 | __int64 alignedSize; // rbx 14 | __int64 v14; // rax 15 | __int64 v15; // rax MAPDST 16 | 17 | bigpoolInfo = (SYSTEM_BIGPOOL_INFORMATION *)QuerySystemInformation_0(0x42u, 0x100000u, 0x2000000u, 0i64, a1); 18 | if ( bigpoolInfo ) 19 | { 20 | index = 0; 21 | if ( bigpoolInfo->Count ) 22 | { 23 | MmGetPhysicalAddress = (__int64)import_MmGetPhysicalAddress; 24 | entry = (SYSTEM_BIGPOOL_ENTRY1 *)bigpoolInfo->AllocatedInfo; 25 | while ( 1 ) 26 | { 27 | detectedTDL = 0; 28 | if ( *(_QWORD *)&entry->0 & 1 && entry->SizeInBytes >= 0x2000 )// if nonpaged 29 | { 30 | if ( entry->TagUlong == 'SldT' ) 31 | break; 32 | if ( MmGetPhysicalAddress ) 33 | { 34 | physicalAddress = ((__int64 (__fastcall *)(unsigned __int64))MmGetPhysicalAddress)((_QWORD)entry->VirtualAddress & 0xFFFFFFFFFFFFFFFEui64); 35 | MmGetPhysicalAddress = (__int64)import_MmGetPhysicalAddress; 36 | } 37 | else 38 | { 39 | physicalAddress = qword_4DBE8; 40 | } 41 | if ( physicalAddress ) 42 | { 43 | v8 = MapPhysicalMemory(physicalAddress, 4096i64); 44 | if ( v8 ) 45 | { 46 | if ( *(_QWORD *)(v8 + 0x184) == 0xB024BC8B48i64 ) 47 | { 48 | detectedTDL = 0; 49 | if ( (unsigned int)HashCRC32((char *)(v8 + 0x184), 151u, 0) == 0xC8931AEB ) 50 | detectedTDL = 1; 51 | } 52 | if ( import_MmUnmapVideoDisplay ) 53 | import_MmUnmapVideoDisplay(v8, 4096i64); 54 | } 55 | MmGetPhysicalAddress = (__int64)import_MmGetPhysicalAddress; 56 | } 57 | } 58 | else 59 | { 60 | detectedTDL = 0; 61 | } 62 | if ( detectedTDL ) 63 | break; 64 | ++index; 65 | ++entry; 66 | if ( index >= bigpoolInfo->Count ) 67 | goto LABEL_31; 68 | } 69 | v10 = (unsigned __int64)entry->VirtualAddress; 70 | size = entry->SizeInBytes; 71 | v12 = v10 & 0xFFFFFFFFFFFFFFFEui64; 72 | if ( size > (unsigned __int64)qword_80000 ) 73 | size = (ULONG_PTR)qword_80000; 74 | alignedSize = size & 0xFFFFFFFFFFFFF000ui64; 75 | if ( MmGetPhysicalAddress ) 76 | v14 = ((__int64 (__fastcall *)(unsigned __int64))MmGetPhysicalAddress)(v12); 77 | else 78 | v14 = qword_4DBE8; 79 | if ( v14 ) 80 | { 81 | v15 = MapPhysicalMemory(v14, alignedSize); 82 | if ( v15 ) 83 | { 84 | SendPacketToServer(133i64, v15, (unsigned int)alignedSize); 85 | if ( import_MmUnmapVideoDisplay ) 86 | import_MmUnmapVideoDisplay(v15, alignedSize); 87 | } 88 | } 89 | } 90 | LABEL_31: 91 | bigpoolInfo = (SYSTEM_BIGPOOL_INFORMATION *)FreePool((__int64)bigpoolInfo); 92 | } 93 | return bigpoolInfo; 94 | } -------------------------------------------------------------------------------- /EasyAntiCheat.sys/vm.asm: -------------------------------------------------------------------------------- 1 | .text:0000000000036C30 ExecVMREAD proc near ; CODE XREF: CheckVM+21↑p 2 | .text:0000000000036C30 0F 78 0A vmread qword ptr [rdx], rcx 3 | .text:0000000000036C33 0F 94 C0 setz al 4 | .text:0000000000036C36 0F 92 C1 setb cl 5 | .text:0000000000036C39 12 C1 adc al, cl 6 | .text:0000000000036C3B C3 retn 7 | .text:0000000000036C3B ExecVMREAD endp 8 | 9 | .text:000000000001FD84 CheckVM proc near ; DATA XREF: .pdata:000000000004F960↓o 10 | .text:000000000001FD84 11 | .text:000000000001FD84 var_28 = byte ptr -28h 12 | .text:000000000001FD84 var_18 = dword ptr -18h 13 | .text:000000000001FD84 var_14 = dword ptr -14h 14 | .text:000000000001FD84 var_10 = dword ptr -10h 15 | .text:000000000001FD84 16 | .text:000000000001FD84 ; FUNCTION CHUNK AT .text:000000000003724A SIZE 00000023 BYTES 17 | .text:000000000001FD84 18 | .text:000000000001FD84 ; __unwind { // __C_specific_handler 19 | .text:000000000001FD84 40 53 push rbx 20 | .text:000000000001FD86 48 83 EC 40 sub rsp, 40h 21 | .text:000000000001FD8A B3 01 mov bl, 1 22 | .text:000000000001FD8C 88 5C 24 20 mov [rsp+48h+var_28], bl 23 | .text:000000000001FD90 33 C0 xor eax, eax 24 | .text:000000000001FD92 89 44 24 30 mov [rsp+48h+var_18], eax 25 | .text:000000000001FD96 89 44 24 34 mov [rsp+48h+var_14], eax 26 | .text:000000000001FD9A 89 44 24 38 mov [rsp+48h+var_10], eax 27 | .text:000000000001FD9E 28 | .text:000000000001FD9E loc_1FD9E: ; DATA XREF: .rdata:0000000000049114↓o 29 | .text:000000000001FD9E ; __try { // __except at VMNotFound 30 | .text:000000000001FD9E 48 8D 54 24 34 lea rdx, [rsp+48h+var_14] 31 | .text:000000000001FDA3 33 C9 xor ecx, ecx 32 | .text:000000000001FDA5 E8 86 6E 01 00 call ExecVMREAD 33 | .text:000000000001FDAA 88 5C 24 20 mov [rsp+48h+var_28], bl 34 | .text:000000000001FDAE EB 16 jmp short VMFound 35 | .text:000000000001FDAE ; } // starts at 1FD9E 36 | .text:000000000001FDB0 ; --------------------------------------------------------------------------- 37 | .text:000000000001FDB0 38 | .text:000000000001FDB0 VMNotFound: ; DATA XREF: .rdata:0000000000049114↓o 39 | .text:000000000001FDB0 ; __except(loc_3724A) // owned by 1FD9E 40 | .text:000000000001FDB0 0F B6 5C 24 20 movzx ebx, [rsp+48h+var_28] 41 | .text:000000000001FDB5 33 C0 xor eax, eax 42 | .text:000000000001FDB7 81 7C 24 30 1D 00 00 C0 cmp [rsp+48h+var_18], 0C000001Dh 43 | .text:000000000001FDBF 0F 44 D8 cmovz ebx, eax 44 | .text:000000000001FDC2 88 5C 24 20 mov [rsp+48h+var_28], bl 45 | .text:000000000001FDC6 46 | .text:000000000001FDC6 VMFound: ; CODE XREF: CheckVM+2A↑j 47 | .text:000000000001FDC6 F6 DB neg bl 48 | .text:000000000001FDC8 1B C9 sbb ecx, ecx 49 | .text:000000000001FDCA 81 C1 55 01 00 00 add ecx, 155h 50 | .text:000000000001FDD0 45 33 C9 xor r9d, r9d 51 | .text:000000000001FDD3 45 8D 41 0C lea r8d, [r9+0Ch] 52 | .text:000000000001FDD7 48 8D 54 24 30 lea rdx, [rsp+48h+var_18] 53 | .text:000000000001FDDC E8 27 09 01 00 call SendPacketToServer 54 | .text:000000000001FDE1 48 83 C4 40 add rsp, 40h 55 | .text:000000000001FDE5 5B pop rbx 56 | .text:000000000001FDE6 C3 retn 57 | .text:000000000001FDE6 ; } // starts at 1FD84 58 | .text:000000000001FDE6 CheckVM endp 59 | 60 | 61 | 62 | .text:000000000001FDF0 48 89 5C 24 08 mov [rsp+arg_0], rbx 63 | .text:000000000001FDF5 57 push rdi 64 | .text:000000000001FDF6 48 83 EC 50 sub rsp, 50h 65 | .text:000000000001FDFA 83 64 24 20 00 and [rsp+58h+var_38], 0 66 | .text:000000000001FDFF 33 D2 xor edx, edx ; Val 67 | .text:000000000001FE01 48 8D 4C 24 24 lea rcx, [rsp+58h+Dst] ; Dst 68 | .text:000000000001FE06 44 8D 42 24 lea r8d, [rdx+24h] ; Size 69 | .text:000000000001FE0A E8 11 72 01 00 call memset 70 | .text:000000000001FE0F 45 0F 20 C3 mov r11, cr8 71 | .text:000000000001FE13 B8 0F 00 00 00 mov eax, 0Fh 72 | .text:000000000001FE18 44 0F 22 C0 mov cr8, rax 73 | .text:000000000001FE1C 48 8B 7C 24 38 mov rdi, [rsp+58h+var_20] 74 | .text:000000000001FE21 44 8D 48 55 lea r9d, [rax+55h] 75 | .text:000000000001FE25 4D 8B D1 mov r10, r9 76 | .text:000000000001FE28 77 | .text:000000000001FE28 loc_1FE28: ; CODE XREF: sub_1FDF0+70↓j 78 | .text:000000000001FE28 0F 31 rdtsc 79 | .text:000000000001FE2A 48 C1 E2 20 shl rdx, 20h 80 | .text:000000000001FE2E 48 0B C2 or rax, rdx 81 | .text:000000000001FE31 33 C9 xor ecx, ecx 82 | .text:000000000001FE33 4C 8B C0 mov r8, rax 83 | .text:000000000001FE36 B8 01 00 00 00 mov eax, 1 84 | .text:000000000001FE3B 0F A2 cpuid 85 | .text:000000000001FE3D 89 44 24 20 mov [rsp+58h+var_38], eax 86 | .text:000000000001FE41 89 5C 24 24 mov [rsp+58h+Dst], ebx 87 | .text:000000000001FE45 89 4C 24 28 mov [rsp+58h+var_30], ecx 88 | .text:000000000001FE49 89 54 24 2C mov [rsp+58h+var_2C], edx 89 | .text:000000000001FE4D 0F 31 rdtsc 90 | .text:000000000001FE4F 48 C1 E2 20 shl rdx, 20h 91 | .text:000000000001FE53 48 0B C2 or rax, rdx 92 | .text:000000000001FE56 49 2B C0 sub rax, r8 93 | .text:000000000001FE59 48 03 F8 add rdi, rax 94 | .text:000000000001FE5C 49 83 EA 01 sub r10, 1 95 | .text:000000000001FE60 75 C6 jnz short loc_1FE28 96 | .text:000000000001FE62 48 8B 5C 24 40 mov rbx, [rsp+58h+var_18] 97 | .text:000000000001FE67 48 89 7C 24 38 mov [rsp+58h+var_20], rdi 98 | .text:000000000001FE6C 99 | .text:000000000001FE6C loc_1FE6C: ; CODE XREF: sub_1FDF0+9B↓j 100 | .text:000000000001FE6C 0F 31 rdtsc 101 | .text:000000000001FE6E 48 C1 E2 20 shl rdx, 20h 102 | .text:000000000001FE72 48 0B C2 or rax, rdx 103 | .text:000000000001FE75 48 8B C8 mov rcx, rax 104 | .text:000000000001FE78 0F 31 rdtsc 105 | .text:000000000001FE7A 48 C1 E2 20 shl rdx, 20h 106 | .text:000000000001FE7E 48 0B C2 or rax, rdx 107 | .text:000000000001FE81 48 2B C1 sub rax, rcx 108 | .text:000000000001FE84 48 03 D8 add rbx, rax 109 | .text:000000000001FE87 49 83 E9 01 sub r9, 1 110 | .text:000000000001FE8B 75 DF jnz short loc_1FE6C 111 | .text:000000000001FE8D 48 89 5C 24 40 mov [rsp+58h+var_18], rbx 112 | .text:000000000001FE92 41 0F B6 CB movzx ecx, r11b 113 | .text:000000000001FE96 44 0F 22 C1 mov cr8, rcx 114 | .text:000000000001FE9A 48 8D 0D 4F 73 01 00 lea rcx, qword_371F0 115 | .text:000000000001FEA1 E9 B4 59 0A 00 jmp loc_C585A --------------------------------------------------------------------------------