2023-06-05 21:23:08 +00:00
|
|
|
#include <ntdll.h>
|
|
|
|
|
#include <pe.h>
|
2023-06-08 18:44:42 +00:00
|
|
|
#include <msg.h>
|
2023-06-05 21:23:08 +00:00
|
|
|
|
|
|
|
|
#include <ace.h>
|
|
|
|
|
|
|
|
|
|
static void _dll_notification(ULONG reason, const PLDR_DLL_NOTIFICATION_DATA data, void *context) {
|
|
|
|
|
if (reason != 1) { // 1 - attach
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
2023-08-01 22:42:04 +00:00
|
|
|
// context should be set to the target module name
|
2023-06-05 21:23:08 +00:00
|
|
|
wchar_t *targetModuleName = (wchar_t*)context;
|
|
|
|
|
|
2023-08-01 22:42:04 +00:00
|
|
|
if (wcsicmp(targetModuleName, data->Loaded.BaseDllName->Buffer) != 0) {
|
|
|
|
|
return;
|
|
|
|
|
}
|
2023-06-05 21:23:08 +00:00
|
|
|
|
2023-08-01 22:42:04 +00:00
|
|
|
// Replace entry point with a stub
|
|
|
|
|
void *entryPoint = pe_find_entry_point(data->Loaded.DllBase);
|
2023-06-05 21:23:08 +00:00
|
|
|
|
2023-08-01 22:42:04 +00:00
|
|
|
const char ENTRY_POINT_STUB[] = {
|
|
|
|
|
0xB8, 0x01, 0x00, 0x00, 0x00, // mov eax, 1
|
|
|
|
|
0xC3 // ret
|
|
|
|
|
};
|
2023-06-05 21:23:08 +00:00
|
|
|
|
2023-08-01 22:42:04 +00:00
|
|
|
DWORD oldProtect;
|
|
|
|
|
VirtualProtect(entryPoint, sizeof(ENTRY_POINT_STUB), PAGE_EXECUTE_READWRITE, &oldProtect);
|
2023-06-05 21:23:08 +00:00
|
|
|
|
2023-08-01 22:42:04 +00:00
|
|
|
memcpy(entryPoint, ENTRY_POINT_STUB, sizeof(ENTRY_POINT_STUB));
|
2023-06-05 21:23:08 +00:00
|
|
|
|
2023-08-01 22:42:04 +00:00
|
|
|
VirtualProtect(entryPoint, sizeof(ENTRY_POINT_STUB), oldProtect, &oldProtect);
|
|
|
|
|
|
2023-06-05 21:23:08 +00:00
|
|
|
}
|
|
|
|
|
|
2023-08-01 22:42:04 +00:00
|
|
|
static void _create_driver_file(const char *path) {
|
2023-06-05 21:23:08 +00:00
|
|
|
// They only report presence
|
2023-08-01 22:42:04 +00:00
|
|
|
HANDLE file = CreateFileA(path, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
|
2023-06-05 21:23:08 +00:00
|
|
|
|
2023-08-01 22:42:04 +00:00
|
|
|
if (file == INVALID_HANDLE_VALUE) {
|
|
|
|
|
msg_err_a("Could not create driver file: %s", file);
|
2023-06-05 21:23:08 +00:00
|
|
|
}
|
|
|
|
|
|
2023-08-01 22:42:04 +00:00
|
|
|
CloseHandle(file);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void ace_fake_driver_files() {
|
|
|
|
|
_create_driver_file("ACE-BASE.sys");
|
2023-06-05 21:23:08 +00:00
|
|
|
|
2023-08-01 22:42:04 +00:00
|
|
|
// Just in case
|
|
|
|
|
_create_driver_file("C:\\windows\\system32\\drivers\\ACE-BASE.sys");
|
2023-06-05 21:23:08 +00:00
|
|
|
}
|
|
|
|
|
|
2023-08-01 22:42:04 +00:00
|
|
|
HMODULE _load_module_patched(wchar_t *path) {
|
|
|
|
|
// Get filename from the path
|
|
|
|
|
wchar_t *name = wcsrchr(path, '\\');
|
|
|
|
|
name = name ? name + 1 : path;
|
2023-06-05 21:23:08 +00:00
|
|
|
|
|
|
|
|
void *cookie;
|
2023-08-01 22:42:04 +00:00
|
|
|
LdrRegisterDllNotification(0, &_dll_notification, name, &cookie);
|
2023-06-05 21:23:08 +00:00
|
|
|
|
2023-08-01 22:42:04 +00:00
|
|
|
HMODULE module = LoadLibraryW(path);
|
|
|
|
|
if (!module) {
|
|
|
|
|
msg_err_w(L"Could not load module: %ls", path);
|
2023-06-05 21:23:08 +00:00
|
|
|
}
|
|
|
|
|
|
2023-08-01 22:42:04 +00:00
|
|
|
// LoadLibraryW is synchronous; the notification function has already finished executing
|
2023-06-05 21:23:08 +00:00
|
|
|
LdrUnregisterDllNotification(cookie);
|
|
|
|
|
|
2023-08-01 22:42:04 +00:00
|
|
|
return module;
|
2023-06-05 21:23:08 +00:00
|
|
|
}
|
|
|
|
|
|
2023-08-01 22:42:04 +00:00
|
|
|
HMODULE ace_load_base_module(const char *exeName) {
|
|
|
|
|
wchar_t baseModuleName[MAX_PATH];
|
|
|
|
|
swprintf(baseModuleName, MAX_PATH, L"%sBase.dll", exeName);
|
|
|
|
|
wcslwr(baseModuleName);
|
2023-06-05 21:23:08 +00:00
|
|
|
|
2023-08-01 22:42:04 +00:00
|
|
|
return _load_module_patched(baseModuleName);
|
|
|
|
|
}
|
2023-06-05 21:23:08 +00:00
|
|
|
|
2023-08-01 22:42:04 +00:00
|
|
|
HMODULE ace_load_driver_module() {
|
|
|
|
|
return _load_module_patched(L"AntiCheatExpert\\InGame\\x64\\ACE-DRV64.dll");
|
2023-06-05 21:23:08 +00:00
|
|
|
}
|
