- Joined
- Aug 14, 2009
- Messages
- 2,304
- Reaction score
- 1,189
Super basic implementation to go through the DNS cache and look for gamehacking sites via a blacklist.
Additionally it includes detecting gamehacking sites in window titles just for the lolz.
You must be registered to see links
Code:
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <iostream>
#include <string>
#include <vector>
#include <locale>
using namespace std;
void toUpper(basic_string<char>& s) {
for (basic_string<char>::iterator p = s.begin();
p != s.end(); ++p) {
*p = toupper(*p); // toupper is for char
}
}
void toUpper(basic_string<wchar_t>& s) {
for (basic_string<wchar_t>::iterator p = s.begin();
p != s.end(); ++p) {
*p = towupper(*p); // towupper is for wchar_t
}
}
void toLower(basic_string<char>& s) {
for (basic_string<char>::iterator p = s.begin();
p != s.end(); ++p) {
*p = tolower(*p);
}
}
void toLower(basic_string<wchar_t>& s) {
for (basic_string<wchar_t>::iterator p = s.begin();
p != s.end(); ++p) {
*p = towlower(*p);
}
}
void toLower(char* s){
/*for (char *iter = s; *iter != '\0'; ++iter)
{
*iter = tolower(*iter);
++iter;
}*/
char c;
int i = 0;
while (s[i])
{
c=s[i];
s[i] = (tolower(c));
i++;
}
}
#pragma comment(lib, "User32.lib")
typedef struct _DNS_CACHE_ENTRY {
struct _DNS_CACHE_ENTRY* pNext; // Pointer to next entry
PWSTR pszName; // DNS Record Name
unsigned short wType; // DNS Record Type
unsigned short wDataLength; // Not referenced
unsigned long dwFlags; // DNS Record Flags
} DNSCACHEENTRY, *PDNSCACHEENTRY;
typedef int(WINAPI *DNS_GET_CACHE_DATA_TABLE)(PDNSCACHEENTRY*);
typedef void (WINAPI *P_DnsApiFree)(PVOID pData);
/*std::vector<std::string> names = std::vector<std::string>({
"hack"
});*/
static const std::string titleBlacklist[] = {
std::string("hack"),
std::string("cheat"),
std::string("****.net")
};
BOOL FindInBlack(char* window){
toLower(window);
for(std::size_t i = 0; i != (sizeof titleBlacklist / sizeof *titleBlacklist); i++) {
if(strstr(window, titleBlacklist[i].c_str()) != nullptr){
return TRUE;
}
}
return FALSE;
}
int cheatHeaderFound = 0;
BOOL CALLBACK enumWindowsProc(
__in HWND hWnd,
__in LPARAM lParam
) {
/*if( !::IsIconic( hWnd ) ) {
return TRUE;
}*/
int length = ::GetWindowTextLength( hWnd );
if( 0 == length ) return TRUE;
TCHAR* buffer;
buffer = new TCHAR[ length + 1 ];
memset( buffer, 0, ( length + 1 ) * sizeof( TCHAR ) );
TCHAR* buffer2;
buffer2 = new TCHAR[ 128 + 1 ];
memset( buffer2, 0, ( 128 + 1 ) * sizeof( TCHAR ) );
GetWindowText( hWnd, buffer, length + 1 );
GetClassName( hWnd, buffer2, 128 + 1);
/*if((strcmp(buffer2, "Chrome_WidgetWin_1") == 0 ||
strcmp(buffer2, "IEFrame") == 0 ||
strcmp(buffer2, "MozillaWindowClass") == 0) &&
strstr(buffer, "hack") != nullptr)
printf("%p: %s\n", hWnd, buffer);*/
if(FindInBlack(buffer)){
printf("%p: %s\t:\tCHEAT IN TITLE DETECTED!\n", hWnd, buffer);
cheatHeaderFound++;
}
//std::wcout << hWnd << TEXT( ": " ) << buffer << std::endl;
//std::wcout.clear();
delete[] buffer;
return TRUE;
}
int main(int argc, char **argv) {
BOOL enumeratingWindowsSucceeded = ::EnumWindows( enumWindowsProc, NULL );
PDNSCACHEENTRY pEntry = NULL;
HINSTANCE hLib = LoadLibrary(TEXT("DNSAPI.dll"));
DNS_GET_CACHE_DATA_TABLE DnsGetCacheDataTable = (DNS_GET_CACHE_DATA_TABLE)GetProcAddress(hLib, "DnsGetCacheDataTable");
P_DnsApiFree pDnsApiFree = (P_DnsApiFree)GetProcAddress(hLib, "DnsApiFree");
int stat = DnsGetCacheDataTable(&pEntry);
PVOID pFirstEntry = pEntry;
printf("stat = %d\n", stat);
pEntry = pEntry->pNext;
int i = 0;
while (pEntry) {
char buffer[128];
wcstombs ( buffer, pEntry->pszName, sizeof(buffer) );
/*if(strstr(buffer, "cheat") != nullptr ||
strstr(buffer, "hack") != nullptr ||
strstr(buffer, "****.net") != nullptr ||
strstr(buffer, "***************") != nullptr)*/
if(FindInBlack(buffer))
{
wprintf(L"%s\t:\tCHEAT SITE DETECTED!\n", (pEntry->pszName));
i++;
}else
wprintf(L"%s\n", pEntry->pszName);
pDnsApiFree(pEntry->pszName);
PVOID p = pEntry;
pEntry = pEntry->pNext;
pDnsApiFree(p);
}
wprintf(L"CHEAT SITES IN DNSCACHE FOUND: %d\n", i);
wprintf(L"CHEAT SITES IN WINDOW TITLES FOUND: %d!\n", cheatHeaderFound);
FreeLibrary(hLib);
std::cin.get();
return 0;
}
Also some code from M$ which I saved to verify if a PE File / Module is signed or not.
Code:
//-------------------------------------------------------------------
// Copyright (C) Microsoft. All rights reserved.
// Example of verifying the embedded signature of a PE file by using
// the WinVerifyTrust function.
#define _UNICODE 1
#define UNICODE 1
#include <tchar.h>
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <Softpub.h>
#include <wincrypt.h>
#include <wintrust.h>
#include <tlhelp32.h>
// Link with the Wintrust.lib file.
#pragma comment (lib, "wintrust")
BOOL VerifyEmbeddedSignature(LPCWSTR pwszSourceFile)
{
LONG lStatus;
DWORD dwLastError;
// Initialize the WINTRUST_FILE_INFO structure.
WINTRUST_FILE_INFO FileData;
memset(&FileData, 0, sizeof(FileData));
FileData.cbStruct = sizeof(WINTRUST_FILE_INFO);
FileData.pcwszFilePath = pwszSourceFile;
FileData.hFile = NULL;
FileData.pgKnownSubject = NULL;
/*
WVTPolicyGUID specifies the policy to apply on the file
WINTRUST_ACTION_GENERIC_VERIFY_V2 policy checks:
1) The certificate used to sign the file chains up to a root
certificate located in the trusted root certificate store. This
implies that the identity of the publisher has been verified by
a certification authority.
2) In cases where user interface is displayed (which this example
does not do), WinVerifyTrust will check for whether the
end entity certificate is stored in the trusted publisher store,
implying that the user trusts content from this publisher.
3) The end entity certificate has sufficient permission to sign
code, as indicated by the presence of a code signing EKU or no
EKU.
*/
GUID WVTPolicyGUID = WINTRUST_ACTION_GENERIC_VERIFY_V2;
WINTRUST_DATA WinTrustData;
// Initialize the WinVerifyTrust input data structure.
// Default all fields to 0.
memset(&WinTrustData, 0, sizeof(WinTrustData));
WinTrustData.cbStruct = sizeof(WinTrustData);
// Use default code signing EKU.
WinTrustData.pPolicyCallbackData = NULL;
// No data to pass to SIP.
WinTrustData.pSIPClientData = NULL;
// Disable WVT UI.
WinTrustData.dwUIChoice = WTD_UI_NONE;
// No revocation checking.
WinTrustData.fdwRevocationChecks = WTD_REVOKE_WHOLECHAIN; //WTD_REVOKE_NONE;
// Verify an embedded signature on a file.
WinTrustData.dwUnionChoice = WTD_CHOICE_FILE;
// Verify action.
WinTrustData.dwStateAction = WTD_STATEACTION_VERIFY;
// Verification sets this value.
WinTrustData.hWVTStateData = NULL;
// Not used.
WinTrustData.pwszURLReference = NULL;
// This is not applicable if there is no UI because it changes
// the UI to accommodate running applications instead of
// installing applications.
WinTrustData.dwUIContext = 0;
// Set pFile.
WinTrustData.pFile = &FileData;
// WinVerifyTrust verifies signatures as specified by the GUID
// and Wintrust_Data.
lStatus = WinVerifyTrust(
NULL,
&WVTPolicyGUID,
&WinTrustData);
switch (lStatus)
{
case ERROR_SUCCESS:
/*
Signed file:
- Hash that represents the subject is trusted.
- Trusted publisher without any verification errors.
- UI was disabled in dwUIChoice. No publisher or
time stamp chain errors.
- UI was enabled in dwUIChoice and the user clicked
"Yes" when asked to install and run the signed
subject.
*/
return TRUE;
case TRUST_E_NOSIGNATURE:
// The file was not signed or had a signature
// that was not valid.
/*
// Get the reason for no signature.
dwLastError = GetLastError();
if (TRUST_E_NOSIGNATURE == dwLastError ||
TRUST_E_SUBJECT_FORM_UNKNOWN == dwLastError ||
TRUST_E_PROVIDER_UNKNOWN == dwLastError)
{
// The file was not signed.
wprintf_s(L"The file \"%s\" is not signed.\n",
pwszSourceFile);
}
else
{
// The signature was not valid or there was an error
// opening the file.
wprintf_s(L"An unknown error occurred trying to "
L"verify the signature of the \"%s\" file.\n",
pwszSourceFile);
}*/
return FALSE;
case TRUST_E_EXPLICIT_DISTRUST:
// The hash that represents the subject or the publisher
// is not allowed by the admin or user.
return FALSE;
case TRUST_E_SUBJECT_NOT_TRUSTED:
// The user clicked "No" when asked to install and run.
return FALSE;
case CRYPT_E_SECURITY_SETTINGS:
/*
The hash that represents the subject or the publisher
was not explicitly trusted by the admin and the
admin policy has disabled user trust. No signature,
publisher or time stamp errors.
*/
return FALSE;
default:
// The UI was disabled in dwUIChoice or the admin policy
// has disabled user trust. lStatus contains the
// publisher or time stamp chain error.
return FALSE;
}
// Any hWVTStateData must be released by a call with close.
WinTrustData.dwStateAction = WTD_STATEACTION_CLOSE;
lStatus = WinVerifyTrust(
NULL,
&WVTPolicyGUID,
&WinTrustData);
return TRUE;
}
void ListModules()
{
HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
MODULEENTRY32 me32;
hModuleSnap = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, 0);
/*if( hModuleSnap == INVALID_HANDLE_VALUE )
r3dError("CreateToolhelp32Snapshot (of modules)");*/
me32.dwSize = sizeof( MODULEENTRY32 );
if( !Module32First( hModuleSnap, &me32 ) )
{
CloseHandle( hModuleSnap );
return;
/*r3dError("Module32First");*/
}
do
{
//r3dOutToDebugLog("MODULE NAME: %s | Executable = %s | Base address = 0x%08X\n", me32.szModule, me32.szExePath, (DWORD)me32.modBaseAddr);
if(VerifyEmbeddedSignature(me32.szExePath))
wprintf_s(L"File \"%s\" is signed!\n", me32.szModule);
else
wprintf_s(L"File \"%s\" is not signed!\n", me32.szModule);
} while( Module32Next( hModuleSnap, &me32 ) );
CloseHandle(hModuleSnap);
}
int _tmain(int argc, _TCHAR* argv[])
{
if(argc > 1)
{
VerifyEmbeddedSignature(argv[1]);
}else{
ListModules();
}
return 0;
}
Attachments
You must be registered for see attachments list