-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathVITALBypass.cs
316 lines (248 loc) · 10.9 KB
/
VITALBypass.cs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
// join for more https://discord.gg/kSSF6eM4Er
using System;
using System.Collections.Generic;
using System.Runtime.ConstrainedExecution;
using System.Runtime.InteropServices;
using System.Security;
using System.Text;
namespace VITAL9999
{
public static class VITAL9999
{
private static List<FuncDLL> _functions = new List<FuncDLL>()
{
new FuncDLL("LoadLibraryExW", "kernel32"),
new FuncDLL("VirtualAlloc", "kernel32"),
new FuncDLL("FreeLibrary", "kernel32"),
new FuncDLL("LoadLibraryExA", "kernel32"),
new FuncDLL("LoadLibraryW", "kernel32"),
new FuncDLL("LoadLibraryA", "kernel32"),
new FuncDLL("VirtualAllocEx", "kernel32"),
new FuncDLL("LdrLoadDll", "ntdll"),
new FuncDLL("NtOpenFile", "ntdll"),
new FuncDLL("VirtualProtect", "kernel32"),
new FuncDLL("CreateProcessW", "kernel32"),
new FuncDLL("CreateProcessA", "kernel32"),
new FuncDLL("VirtualProtectEx", "kernel32"),
new FuncDLL("FreeLibrary", "KernelBase"),
new FuncDLL("LoadLibraryExA", "KernelBase"),
new FuncDLL("LoadLibraryExW", "KernelBase"),
new FuncDLL("ResumeThread", "KernelBase")
};
private static byte[,] originalBytes;
private static IntPtr hGame = IntPtr.Zero;
private static UInt32 pid = UInt32.MinValue;
public static bool Run(string pathToDLL)
{
Init();
pid = GetGamePID();
if (pid == UInt32.MinValue)
{
throw new ApplicationException("The game was not found.");
}
hGame = OpenProcess(ProcessAccessFlags.All, false, (int)pid);
if (hGame == IntPtr.Zero)
{
throw new ApplicationException("Failed to open process.");
}
BypassCSGOHook();
InjectDLL(pathToDLL);
RestoreCSGOHook();
return true;
}
private static void Init()
{
originalBytes = new byte[17, 6];
hGame = IntPtr.Zero;
pid = UInt32.MinValue;
}
private static void InjectDLL(string path)
{
IntPtr handle = OpenProcess(ProcessAccessFlags.All, false, (Int32)pid);
if (handle == IntPtr.Zero)
{
throw new ApplicationException("Failed to open process.");
}
IntPtr size = (IntPtr)path.Length;
IntPtr DLLMemory = VirtualAllocEx(handle, IntPtr.Zero, size, AllocationType.Reserve | AllocationType.Commit,
MemoryProtection.ExecuteReadWrite);
if (DLLMemory == IntPtr.Zero)
{
throw new ApplicationException("Memory allocation error.");
}
byte[] bytes = Encoding.ASCII.GetBytes(path);
if (!WriteProcessMemory(handle, DLLMemory, bytes, (int)bytes.Length, out _))
{
throw new ApplicationException("Memory read error");
}
IntPtr kernel32Handle = GetModuleHandle("Kernel32.dll");
IntPtr loadLibraryAAddress = GetProcAddress(kernel32Handle, "LoadLibraryA");
if (loadLibraryAAddress == IntPtr.Zero)
{
throw new ApplicationException("Failed to load LoadLibraryA.");
}
IntPtr threadHandle = CreateRemoteThread(handle, IntPtr.Zero, 0, loadLibraryAAddress, DLLMemory, 0,
IntPtr.Zero);
if (threadHandle == IntPtr.Zero)
{
throw new ApplicationException("Failed to create thread.");
}
CloseHandle(threadHandle);
CloseHandle(handle);
}
private static UInt32 GetGamePID()
{
IntPtr hwGame = (IntPtr)FindWindow(null, "Counter-Strike: Global Offensive");
if (hwGame == IntPtr.Zero)
{
return 0;
}
UInt32 ret = UInt32.MinValue;
GetWindowThreadProcessId(hwGame, out ret);
return ret;
}
private static void BypassCSGOHook()
{
for (int i = 0; i < _functions.Count; i++)
{
if (!Unhook(_functions[i].MethodName, _functions[i].DLLName, i))
{
throw new ApplicationException($"Failed unhook {_functions[i].MethodName} in {_functions[i].DLLName}.");
}
}
}
private static void RestoreCSGOHook()
{
for (int i = 0; i < _functions.Count; i++)
{
if (!RestoreHook(_functions[i].MethodName, _functions[i].DLLName, i))
{
throw new ApplicationException($"Failed restore {_functions[i].MethodName} in {_functions[i].DLLName}.");
}
}
}
private static bool Unhook(string methodName, string dllName, Int32 index)
{
IntPtr originalMethodAddress = GetProcAddress(LoadLibrary(dllName), methodName);
if (originalMethodAddress == IntPtr.Zero)
{
throw new ApplicationException($"The {methodName} address in {dllName} is zero.");
}
byte[] originalGameBytes = new byte[6];
ReadProcessMemory(hGame, originalMethodAddress, originalGameBytes, sizeof(byte) * 6, out _);
for (int i = 0; i < originalGameBytes.Length; i++)
{
originalBytes[index, i] = originalGameBytes[i];
}
byte[] originalDLLBytes = new byte[6];
GCHandle pinnedArray = GCHandle.Alloc(originalDLLBytes, GCHandleType.Pinned);
IntPtr originalDLLBytesPointer = pinnedArray.AddrOfPinnedObject();
memcpy(originalDLLBytesPointer, originalMethodAddress, (UIntPtr)(sizeof(byte) * 6));
return WriteProcessMemory(hGame, originalMethodAddress, originalDLLBytes, sizeof(byte) * 6, out _);
}
private static bool RestoreHook(string methodName, string dllName, Int32 index)
{
IntPtr originalMethodAdress = GetProcAddress(LoadLibrary(dllName), methodName);
if (originalMethodAdress == IntPtr.Zero)
{
return false;
}
byte[] origBytes = new byte[6];
for (int i = 0; i < origBytes.Length; i++)
{
origBytes[i] = originalBytes[index, i];
}
return WriteProcessMemory(hGame, originalMethodAdress, origBytes, sizeof(byte) * 6, out _);
}
private class FuncDLL
{
public string MethodName { get; set; }
public string DLLName { get; set; }
public FuncDLL(string methodName, string dllName)
{
MethodName = methodName;
DLLName = dllName;
}
}
#region Win32 DLL Enum
private const UInt32 INFINITY = 0xFFFFFFFF;
[Flags]
public enum ProcessAccessFlags : uint
{
All = 0x001F0FFF,
Terminate = 0x00000001,
CreateThread = 0x00000002,
VirtualMemoryOperation = 0x00000008,
VirtualMemoryRead = 0x00000010,
VirtualMemoryWrite = 0x00000020,
DuplicateHandle = 0x00000040,
CreateProcess = 0x000000080,
SetQuota = 0x00000100,
SetInformation = 0x00000200,
QueryInformation = 0x00000400,
QueryLimitedInformation = 0x00001000,
Synchronize = 0x00100000
}
[Flags]
public enum AllocationType
{
Commit = 0x1000,
Reserve = 0x2000,
Decommit = 0x4000,
Release = 0x8000,
Reset = 0x80000,
Physical = 0x400000,
TopDown = 0x100000,
WriteWatch = 0x200000,
LargePages = 0x20000000
}
[Flags]
public enum MemoryProtection
{
Execute = 0x10,
ExecuteRead = 0x20,
ExecuteReadWrite = 0x40,
ExecuteWriteCopy = 0x80,
NoAccess = 0x01,
ReadOnly = 0x02,
ReadWrite = 0x04,
WriteCopy = 0x08,
GuardModifierflag = 0x100,
NoCacheModifierflag = 0x200,
WriteCombineModifierflag = 0x400
}
#endregion
#region Win32 DLL import
[DllImport("user32.dll", SetLastError = true)]
static extern IntPtr FindWindow(string lpClassName, string lpWindowName);
[DllImport("user32.dll", SetLastError = true)]
static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
[DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
internal static extern IntPtr LoadLibrary(string lpFileName);
[DllImport("kernel32", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]
static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("msvcrt.dll", EntryPoint = "memcpy", CallingConvention = CallingConvention.Cdecl, SetLastError = false)]
public static extern IntPtr memcpy(IntPtr dest, IntPtr src, UIntPtr count);
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern IntPtr VirtualAllocEx(IntPtr hProcess, IntPtr lpAddress, IntPtr dwSize, AllocationType flAllocationType, MemoryProtection flProtect);
[DllImport("kernel32.dll")]
static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("kernel32.dll", SetLastError = true, ExactSpelling = true)]
static extern bool VirtualFreeEx(IntPtr hProcess, IntPtr lpAddress,
int dwSize, AllocationType dwFreeType);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(ProcessAccessFlags processAccess, bool bInheritHandle, int processId);
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool ReadProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, [Out] byte[] lpBuffer, int dwSize, out IntPtr lpNumberOfBytesRead);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool WriteProcessMemory(IntPtr hProcess, IntPtr lpBaseAddress, byte[] lpBuffer, Int32 nSize, out IntPtr lpNumberOfBytesWritten);
[DllImport("kernel32.dll", CharSet = CharSet.Auto)]
public static extern IntPtr GetModuleHandle(string lpModuleName);
[DllImport("kernel32.dll", SetLastError = true)]
[ReliabilityContract(Consistency.WillNotCorruptState, Cer.Success)]
[SuppressUnmanagedCodeSecurity]
[return: MarshalAs(UnmanagedType.Bool)]
static extern bool CloseHandle(IntPtr hObject);
#endregion
}
}