From 3bf9f6e335b7f9861528808e2ff68c515b8eef22 Mon Sep 17 00:00:00 2001 From: weak1337 <57501119+weak1337@users.noreply.github.com> Date: Fri, 1 Apr 2022 20:21:55 +0200 Subject: [PATCH] Update main.cpp --- BattleyePresentCheck/main.cpp | 54 +++++++++++++++++++++++++++++++---- 1 file changed, 49 insertions(+), 5 deletions(-) diff --git a/BattleyePresentCheck/main.cpp b/BattleyePresentCheck/main.cpp index 8075c46..e4c9f21 100644 --- a/BattleyePresentCheck/main.cpp +++ b/BattleyePresentCheck/main.cpp @@ -87,6 +87,52 @@ bool find_memory_anomaly(uintptr_t present) { int main() { bool reported = false; + + //General report + { + + uintptr_t base = (uintptr_t)GetModuleHandleA("dxgi.dll"); + if (base) { + PIMAGE_DOS_HEADER dos = (PIMAGE_DOS_HEADER)base; + PIMAGE_NT_HEADERS nt = (PIMAGE_NT_HEADERS)(base + dos->e_lfanew); + DWORD code_base = nt->OptionalHeader.BaseOfCode; + DWORD code_size = nt->OptionalHeader.SizeOfCode; + uintptr_t code_start = code_base + base; + uintptr_t sig_base = utils::scanpattern(code_start, code_size, "48 C7 40 B8 FE FF FF FF 48 89 58 18"); + if (sig_base) { + uintptr_t swap_chain = sig_base + *(signed int*)(sig_base + 0x25) + 0x29; + uintptr_t present = *(uintptr_t*)(swap_chain + 0x40); + MEMORY_BASIC_INFORMATION mbi_globalchain = { 0 }; + NTSTATUS globalchainstatus = NtQueryVirtualMemory((HANDLE)-1, (PVOID)swap_chain, MemoryBasicInformation, (PVOID)&mbi_globalchain, sizeof(mbi_globalchain), 0); + if (globalchainstatus || func_anomaly(present)) { + reported = true; + printf("[!!!] Anomaly at: %p\n", present); + } + + else + { + printf("[>] No anomalys found jump chain ends at %p\n", present); + printf("[>] Verifying memory!\n"); + if (find_memory_anomaly(present)) { + printf("[!!!] Memory anomaly at destination!\n"); + reported = true; + } + + } + printf("==GENERAL REPORT==\n"); + printf("Report: %x %x\n", 0x47, 0x1); + printf("Present: %p\n", present); + printf("First 32 bytes...\n"); + printf("Allocation base: %p\n", mbi_globalchain.AllocationBase); + printf("Base address: %p\n", mbi_globalchain.BaseAddress); + } + + + } + + } + + //Module specific detections int idx = 0; for (auto pair : modules) { if (uintptr_t base = (uintptr_t)GetModuleHandleA(pair.first.c_str())) { @@ -109,8 +155,6 @@ int main() { } } - - else if (idx == 1) { //DiscordHook64.dll uintptr_t jmp_dst = sig_base - 0x13; if (*(BYTE*)jmp_dst == 0xE8 && @@ -137,7 +181,7 @@ int main() { } if (present_pointer && *present_pointer) { - static MEMORY_BASIC_INFORMATION mbi = { 0 }; + MEMORY_BASIC_INFORMATION mbi = { 0 }; NTSTATUS status = NtQueryVirtualMemory((HANDLE) - 1, *present_pointer, MemoryBasicInformation, (PVOID) & mbi, sizeof(mbi), 0); if (status || mbi.State != MEM_COMMIT || mbi.Type != MEM_PRIVATE || mbi.Protect != PAGE_EXECUTE_READWRITE || *(DWORD*)(*present_pointer) == 0x50C03148) { //xor rax, rax push rax printf("[!!!] Present is invalid memory! %p %p\n", status, &mbi); @@ -152,7 +196,7 @@ int main() { Sleep(1000); //Sleep and hope that present got called once printf("[>] Found SwapChain at %p\n", globalchain); - static MEMORY_BASIC_INFORMATION mbi_globalchain = { 0 }; + MEMORY_BASIC_INFORMATION mbi_globalchain = { 0 }; NTSTATUS globalchainstatus = NtQueryVirtualMemory((HANDLE)-1, globalchain, MemoryBasicInformation, (PVOID)&mbi_globalchain, sizeof(mbi_globalchain), 0); uintptr_t present_from_vtable = *(uintptr_t*)(*(uintptr_t*)(globalchain)+0x40); if (globalchainstatus || func_anomaly(present_from_vtable)) { @@ -197,4 +241,4 @@ BOOL WINAPI DllMain(HINSTANCE hinstDLL, // handle to DLL module } return TRUE; -} \ No newline at end of file +}