Plugin Dump

DC4 | Сергей

I found out that some programs can dump the server plug-ins that are loaded on the client. How can I fix this? I can post examples - they just need adapting

C#:
/// <summary>
/// Overwrites parts of this module's own in-memory PE image (import names, section names,
/// the CLR header directory and the metadata stream names) so that tools which rebuild a
/// file from the loaded image find damaged headers.
/// </summary>
/// <remarks>
/// NOTE(review): this is obfuscation, not access control. The code only edits bytes inside
/// its own image; nothing here encrypts memory or stops another process from reading it,
/// and the file on disk is not touched. Anything shipped to a client should be treated as
/// readable by that client, so secrets (credentials, keys) do not belong in it.
/// NOTE(review): every VirtualProtect call requests 0x40 (PAGE_EXECUTE_READWRITE) and the
/// previous protection returned in <c>old</c> is never restored, so the touched pages stay
/// writable and executable. Return values are not checked; a failed call is followed by a
/// write to a possibly read-only page.
/// NOTE(review): no offset read from the image is bounds-checked; the routine trusts the
/// layout of the module it runs in.
/// </remarks>
internal class AntiDump
    {
        // NOTE(review): dwSize is declared as int here; the Win32 parameter is SIZE_T.
        // The sizes passed below are all small constants, so this is presumably harmless
        // in practice - confirm before reusing the declaration elsewhere.
        [DllImport("kernel32.dll")]
        static extern unsafe bool VirtualProtect(byte* lpAddress, int dwSize, uint flNewProtect, out uint lpflOldProtect);
        /// <summary>
        /// Patches the image of the module that contains this type. Takes no arguments and
        /// returns nothing; its only effect is the in-place memory writes described below.
        /// </summary>
        public static unsafe void Initialize()
        {
            uint old;
            Module module = typeof(AntiDump).Module;
            // Base address of the loaded module; all offsets below are relative to it.
            var bas = (byte*)Marshal.GetHINSTANCE(module);
            // Offset 0x3c of the DOS header holds the offset of the NT headers.
            byte* ptr = bas + 0x3c;
            // ptr2 is assigned here and again below but never read afterwards.
            byte* ptr2;
            ptr = ptr2 = bas + *(uint*)ptr;
            // +6 from the PE signature: 16-bit section count in the file header.
            ptr += 0x6;
            ushort sectNum = *(ushort*)ptr;
            // +14 more (signature + 20): 16-bit size of the optional header.
            ptr += 14;
            ushort optSize = *(ushort*)ptr;
            // Skip the rest of the file header and the whole optional header:
            // ptr now points at the first section-table entry.
            ptr = ptr2 = ptr + 0x4 + optSize;
            // 11-byte scratch buffer used to assemble the replacement strings.
            byte* @new = stackalloc byte[11];
            // Mapped layout: the image is laid out by RVA, so bas + RVA is a valid address.
            // NOTE(review): the '<' test presumably detects modules without a file path
            // (names such as "<Unknown>" for in-memory loads) - confirm.
            if (module.FullyQualifiedName[0] != '<') //Mapped
            {
                //VirtualProtect(ptr - 16, 8, 0x40, out old);
                //*(uint*)(ptr - 12) = 0;
                // The data-directory array ends right before the section table; the entry
                // 16 bytes back is the CLR (COM descriptor) directory.
                byte* mdDir = bas + *(uint*)(ptr - 16);
                //*(uint*)(ptr - 16) = 0;
                // The entry 0x78 bytes back is the import directory; skip if absent.
                if (*(uint*)(ptr - 0x78) != 0)
                {
                    byte* importDir = bas + *(uint*)(ptr - 0x78);
                    // First field of the first import descriptor: RVA of its lookup table.
                    byte* oftMod = bas + *(uint*)importDir;
                    // Field at +12 of the descriptor: RVA of the imported module's name.
                    byte* modName = bas + *(uint*)(importDir + 12);
                    // First lookup entry points at a hint/name record; +2 skips the hint.
                    byte* funcName = bas + *(uint*)oftMod + 2;
                    VirtualProtect(modName, 11, 0x40, out old);
                    // Little-endian bytes spell "ntdll.dll" followed by two NULs (11 bytes).
                    *(uint*)@new = 0x6c64746e;
                    *((uint*)@new + 1) = 0x6c642e6c;
                    *((ushort*)@new + 4) = 0x006c;
                    *(@new + 10) = 0;
                    // Overwrite the first 11 bytes of the imported module name.
                    for (int i = 0; i < 11; i++)
                        *(modName + i) = *(@new + i);
                    VirtualProtect(funcName, 11, 0x40, out old);
                    // Little-endian bytes spell "NtContinue" followed by one NUL (11 bytes).
                    *(uint*)@new = 0x6f43744e;
                    *((uint*)@new + 1) = 0x6e69746e;
                    *((ushort*)@new + 4) = 0x6575;
                    *(@new + 10) = 0;
                    // Overwrite the first 11 bytes of the imported function name.
                    for (int i = 0; i < 11; i++)
                        *(funcName + i) = *(@new + i);
                }
                // Zero the first 8 bytes (the name field) of every 0x28-byte section entry.
                for (int i = 0; i < sectNum; i++)
                {
                    VirtualProtect(ptr, 8, 0x40, out old);
                    Marshal.Copy(new byte[8], 0, (IntPtr)ptr, 8);
                    ptr += 0x28;
                }
                VirtualProtect(mdDir, 0x48, 0x40, out old);
                // Read the metadata RVA (offset 8 of the CLR header) before it is wiped.
                byte* mdHdr = bas + *(uint*)(mdDir + 8);
                // Zero the first 16 bytes of the CLR header, including that RVA.
                *(uint*)mdDir = 0;
                *((uint*)mdDir + 1) = 0;
                *((uint*)mdDir + 2) = 0;
                *((uint*)mdDir + 3) = 0;
                VirtualProtect(mdHdr, 4, 0x40, out old);
                // Zero the 4-byte signature at the start of the metadata root.
                *(uint*)mdHdr = 0;
                // Offset 12 holds the length of the version string; step over it.
                mdHdr += 12;
                mdHdr += *(uint*)mdHdr;
                // Add 7 and clear the low two bits: steps over the 4-byte length field
                // itself and rounds up to a 4-byte boundary.
                mdHdr = (byte*)(((ulong)mdHdr + 7) & ~3UL);
                // Skip 2 bytes, then read the stream count. mdHdr is a byte*, so only the
                // low byte of the 16-bit count is read.
                mdHdr += 2;
                ushort numOfStream = *mdHdr;
                mdHdr += 2;
                for (int i = 0; i < numOfStream; i++)
                {
                    VirtualProtect(mdHdr, 8, 0x40, out old);
                    // The two 4-byte fields of the stream header (offset, size) are
                    // skipped, not cleared - the clearing lines are commented out.
                    //*(uint*)mdHdr = 0;
                    mdHdr += 4;
                    //*(uint*)mdHdr = 0;
                    mdHdr += 4;
                    // Wipe the stream name in 4-byte groups, at most 8 groups. When the
                    // next byte is already NUL the pointer is moved to the end of the
                    // current group and the loop stops.
                    for (int ii = 0; ii < 8; ii++)
                    {
                        VirtualProtect(mdHdr, 4, 0x40, out old);
                        *mdHdr = 0;
                        mdHdr++;
                        if (*mdHdr == 0)
                        {
                            mdHdr += 3;
                            break;
                        }
                        *mdHdr = 0;
                        mdHdr++;
                        if (*mdHdr == 0)
                        {
                            mdHdr += 2;
                            break;
                        }
                        *mdHdr = 0;
                        mdHdr++;
                        if (*mdHdr == 0)
                        {
                            mdHdr += 1;
                            break;
                        }
                        *mdHdr = 0;
                        mdHdr++;
                    }
                }
            }
            // Flat layout: the image bytes are in file order, so every RVA has to be
            // translated to a raw offset through the section table before use.
            else //Flat
            {
                //VirtualProtect(ptr - 16, 8, 0x40, out old);
                //*(uint*)(ptr - 12) = 0;
                // RVAs of the CLR directory and the import directory (see mapped branch).
                uint mdDir = *(uint*)(ptr - 16);
                //*(uint*)(ptr - 16) = 0;
                uint importDir = *(uint*)(ptr - 0x78);
                // Per-section virtual address, virtual size and raw file offset.
                var vAdrs = new uint[sectNum];
                var vSizes = new uint[sectNum];
                var rAdrs = new uint[sectNum];
                for (int i = 0; i < sectNum; i++)
                {
                    VirtualProtect(ptr, 8, 0x40, out old);
                    // Zero the 8-byte name field, then record the fields at +12, +8, +20.
                    Marshal.Copy(new byte[8], 0, (IntPtr)ptr, 8);
                    vAdrs[i] = *(uint*)(ptr + 12);
                    vSizes[i] = *(uint*)(ptr + 8);
                    rAdrs[i] = *(uint*)(ptr + 20);
                    ptr += 0x28;
                }
                if (importDir != 0)
                {
                    // Each loop below maps one RVA to a raw offset using the first section
                    // that contains it. If no section matches, the value is left as it was
                    // and is still used as an offset.
                    for (int i = 0; i < sectNum; i++)
                        if (vAdrs[i] <= importDir && importDir < vAdrs[i] + vSizes[i])
                        {
                            importDir = importDir - vAdrs[i] + rAdrs[i];
                            break;
                        }
                    byte* importDirPtr = bas + importDir;
                    // First field of the first import descriptor: RVA of its lookup table.
                    uint oftMod = *(uint*)importDirPtr;
                    for (int i = 0; i < sectNum; i++)
                        if (vAdrs[i] <= oftMod && oftMod < vAdrs[i] + vSizes[i])
                        {
                            oftMod = oftMod - vAdrs[i] + rAdrs[i];
                            break;
                        }
                    byte* oftModPtr = bas + oftMod;
                    // Field at +12 of the descriptor: RVA of the imported module's name.
                    uint modName = *(uint*)(importDirPtr + 12);
                    for (int i = 0; i < sectNum; i++)
                        if (vAdrs[i] <= modName && modName < vAdrs[i] + vSizes[i])
                        {
                            modName = modName - vAdrs[i] + rAdrs[i];
                            break;
                        }
                    // First lookup entry plus 2: RVA of the function name past its hint.
                    uint funcName = *(uint*)oftModPtr + 2;
                    for (int i = 0; i < sectNum; i++)
                        if (vAdrs[i] <= funcName && funcName < vAdrs[i] + vSizes[i])
                        {
                            funcName = funcName - vAdrs[i] + rAdrs[i];
                            break;
                        }
                    VirtualProtect(bas + modName, 11, 0x40, out old);
                    // Little-endian bytes spell "ntdll.dll" followed by two NULs (11 bytes).
                    *(uint*)@new = 0x6c64746e;
                    *((uint*)@new + 1) = 0x6c642e6c;
                    *((ushort*)@new + 4) = 0x006c;
                    *(@new + 10) = 0;
                    for (int i = 0; i < 11; i++)
                        *(bas + modName + i) = *(@new + i);
                    VirtualProtect(bas + funcName, 11, 0x40, out old);
                    // Little-endian bytes spell "NtContinue" followed by one NUL (11 bytes).
                    *(uint*)@new = 0x6f43744e;
                    *((uint*)@new + 1) = 0x6e69746e;
                    *((ushort*)@new + 4) = 0x6575;
                    *(@new + 10) = 0;
                    for (int i = 0; i < 11; i++)
                        *(bas + funcName + i) = *(@new + i);
                }
                // Translate the CLR directory RVA to a raw offset.
                for (int i = 0; i < sectNum; i++)
                    if (vAdrs[i] <= mdDir && mdDir < vAdrs[i] + vSizes[i])
                    {
                        mdDir = mdDir - vAdrs[i] + rAdrs[i];
                        break;
                    }
                byte* mdDirPtr = bas + mdDir;
                VirtualProtect(mdDirPtr, 0x48, 0x40, out old);
                // Read and translate the metadata RVA (offset 8) before the header is wiped.
                uint mdHdr = *(uint*)(mdDirPtr + 8);
                for (int i = 0; i < sectNum; i++)
                    if (vAdrs[i] <= mdHdr && mdHdr < vAdrs[i] + vSizes[i])
                    {
                        mdHdr = mdHdr - vAdrs[i] + rAdrs[i];
                        break;
                    }
                // Zero the first 16 bytes of the CLR header.
                *(uint*)mdDirPtr = 0;
                *((uint*)mdDirPtr + 1) = 0;
                *((uint*)mdDirPtr + 2) = 0;
                *((uint*)mdDirPtr + 3) = 0;
                byte* mdHdrPtr = bas + mdHdr;
                VirtualProtect(mdHdrPtr, 4, 0x40, out old);
                // Zero the 4-byte signature at the start of the metadata root.
                *(uint*)mdHdrPtr = 0;
                // Step over the version string: length at offset 12, then the string,
                // then the length field itself plus padding to a 4-byte boundary.
                mdHdrPtr += 12;
                mdHdrPtr += *(uint*)mdHdrPtr;
                mdHdrPtr = (byte*)(((ulong)mdHdrPtr + 7) & ~3UL);
                // Skip 2 bytes, then read the stream count (low byte only: byte* deref).
                mdHdrPtr += 2;
                ushort numOfStream = *mdHdrPtr;
                mdHdrPtr += 2;
                for (int i = 0; i < numOfStream; i++)
                {
                    VirtualProtect(mdHdrPtr, 8, 0x40, out old);
                    // Offset and size fields are skipped, not cleared.
                    //*(uint*)mdHdrPtr = 0;
                    mdHdrPtr += 4;
                    //*(uint*)mdHdrPtr = 0;
                    mdHdrPtr += 4;
                    // Wipe the stream name in 4-byte groups, same scheme as the mapped branch.
                    for (int ii = 0; ii < 8; ii++)
                    {
                        VirtualProtect(mdHdrPtr, 4, 0x40, out old);
                        *mdHdrPtr = 0;
                        mdHdrPtr++;
                        if (*mdHdrPtr == 0)
                        {
                            mdHdrPtr += 3;
                            break;
                        }
                        *mdHdrPtr = 0;
                        mdHdrPtr++;
                        if (*mdHdrPtr == 0)
                        {
                            mdHdrPtr += 2;
                            break;
                        }
                        *mdHdrPtr = 0;
                        mdHdrPtr++;
                        if (*mdHdrPtr == 0)
                        {
                            mdHdrPtr += 1;
                            break;
                        }
                        *mdHdrPtr = 0;
                        mdHdrPtr++;
                    }
                }
            }
        }
    }
 

DC4 | Сергей

C#:
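/// <summary>
/// Zeroes selected fields of the PE headers and section table of the current process's
/// main module, in memory only.
/// </summary>
/// <remarks>
/// NOTE(review): this hinders tools that rebuild a file from the loaded image; it does not
/// stop another process from reading this process's memory and it does not change the file
/// on disk. Data that must stay private should not be shipped to the client at all.
/// NOTE(review): Process.MainModule is the process executable. When this code runs inside
/// a plugin DLL it edits the host's headers, not the plugin's own image.
/// NOTE(review): 0xFA and the offset tables below are hard-coded for one header layout and
/// are not derived from the image's optional-header size - verify them against the target
/// before relying on them.
/// </remarks>
public class Gigajew {

        // PAGE_EXECUTE_READWRITE, the protection value the original code requested.
        private const uint PageExecuteReadWrite = 0x40;

        // Declared with the Win32 parameter types (BOOL return, SIZE_T size, DWORD flags)
        // instead of IntPtr everywhere, so the call is correct on 32- and 64-bit processes.
        [DllImport("kernel32.dll", SetLastError = true)]
        private static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);

        /// <summary>
        /// Overwrites <paramref name="size"/> bytes at <paramref name="address"/> with zeros
        /// and then restores the page protection that was in place before.
        /// </summary>
        /// <param name="address">Start of the range inside the current process.</param>
        /// <param name="size">Number of bytes to clear; values below 1 are ignored.</param>
        private static void EraseSection(IntPtr address, int size) {
            if (address == IntPtr.Zero || size <= 0) {
                return;
            }
            uint previous;
            // If the page cannot be made writable, writing to it would fault; skip it.
            if (!VirtualProtect(address, (UIntPtr)(uint)size, PageExecuteReadWrite, out previous)) {
                return;
            }
            // The original imported "ZeroMemory" from kernel32.dll, which is not an exported
            // function name; copying a zero-filled managed array needs no extra import.
            Marshal.Copy(new byte[size], 0, address, size);
            uint ignored;
            VirtualProtect(address, (UIntPtr)(uint)size, previous, out ignored);
        }

        /// <summary>
        /// Clears the DOS header start, the listed NT-header fields and the listed fields of
        /// each section-table entry of the main module.
        /// </summary>
        public static void AntiDump() {
            var process = System.Diagnostics.Process.GetCurrentProcess();
            // ToInt64 instead of ToInt32: ToInt32 throws OverflowException for a 64-bit
            // base address that does not fit in 32 bits.
            long baseAddress = process.MainModule.BaseAddress.ToInt64();
            // Both values are read before anything is erased.
            int peOffset = Marshal.ReadInt32((IntPtr)(baseAddress + 0x3C));
            int sectionCount = (ushort)Marshal.ReadInt16((IntPtr)(baseAddress + peOffset + 0x6));
            long ntHeaders = baseAddress + peOffset;

            EraseSection((IntPtr)baseAddress, 30);
            foreach (int offset in peheaderdwords) {
                EraseSection((IntPtr)(ntHeaders + offset), 4);
            }
            foreach (int offset in peheaderwords) {
                EraseSection((IntPtr)(ntHeaders + offset), 2);
            }
            foreach (int offset in peheaderbytes) {
                EraseSection((IntPtr)(ntHeaders + offset), 1);
            }

            // The original loop ran while x <= count, i.e. one entry past the section
            // table; the bound is now exclusive.
            for (int section = 0; section < sectionCount; section++) {
                long entry = ntHeaders + 0xFA + (0x28 * section);
                EraseSection((IntPtr)(entry + 0x20), 2);
                foreach (int offset in sectiontabledwords) {
                    EraseSection((IntPtr)(entry + offset), 4);
                }
            }
        }

        // Offsets of the 4-byte fields cleared in each section-table entry.
        private static int[] sectiontabledwords = new int[] {0x8, 0xC, 0x10, 0x14, 0x18, 0x1C, 0x24};
        // Offsets, relative to the NT headers, of the 1-, 2- and 4-byte fields cleared.
        private static int[] peheaderbytes = new int[] {0x1A, 0x1B};
        private static int[] peheaderwords = new int[] {0x4, 0x16, 0x18, 0x40, 0x42, 0x44, 0x46, 0x48, 0x4A, 0x4C, 0x5C, 0x5E};
        private static int[] peheaderdwords = new int[] {0x0, 0x8, 0xC, 0x10, 0x16, 0x1C, 0x20, 0x28, 0x2C, 0x34, 0x3C, 0x4C, 0x50, 0x54, 0x58, 0x60, 0x64, 0x68, 0x6C,
            0x70, 0x74, 0x104, 0x108, 0x10C, 0x110, 0x114, 0x11C};
    }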
 

DC4 | Сергей

You want to stop this from happening yourself or are you asking us to fix this?
I am showing you that the client plugins in the Save \ RustBuster2016Server \ ClientPlugins path can be dumped, so they are no longer private - I want to find a way to protect the process memory from being read from outside
 

Jakkee

I show you that the client plugins on the Save \ RustBuster2016Server \ ClientPlugins path can be dumped and they are no longer private - I want to find a way to protect the process memory when it is read from outside
I think we have a way of encrypting the memory stopping it from being read
 

salva

I don't really know what to say. Thanks for the information and for your contribution about the dump; it's something to watch, especially if someone has put sensitive information in their server's rbplugins (ftp, personal information and that kind of shit). Obviously that is not my case xD, but for the moment there is not much in the rb plugins, just a map, a point of view, some images and little else, so simply obfuscating the dll would be enough. But thanks for the contribution
 

DC4 | Сергей

I do not know what to really say, thanks for the information and the contribution you made about the dump, it's something to watch especially if someone added sensitive information to their server's rbplugins (ftp, personal information and those shit) obviously is not My case xD, but for the moment everything in the rb plugins is not much, just a map, a point of view, some images and little else, simply obfuctuando the dll would be enough, but thanks for the contribution
Not at all :) - I kind of found a way - but I need to get an entry point for ZeroMemory
 

DreTaX

I guess so, but I never meant to bypass this that much.
Obfuscation would help you a bunch of times, however I will take a look at it.