Skip to content

Commit e5e9dd7

Browse files
ELF-NigelELF-Nigel
committed
Add function region checks
1 parent f16bfae commit e5e9dd7

1 file changed

Lines changed: 26 additions & 0 deletions

File tree

auth.cpp

Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -96,6 +96,7 @@ bool core_modules_signed();
9696
bool hypervisor_present();
9797
void snapshot_prologues();
9898
bool prologues_ok();
99+
bool func_region_ok(const void* addr);
99100
std::string seed;
100101
void cleanUpSeedData(const std::string& seed);
101102
std::string signature;
@@ -2023,6 +2024,21 @@ bool prologues_ok()
20232024
std::memcmp(pro_checkinit.data(), check_ptr, pro_checkinit.size()) == 0;
20242025
}
20252026

2027+
bool func_region_ok(const void* addr)
2028+
{
2029+
MEMORY_BASIC_INFORMATION mbi{};
2030+
if (VirtualQuery(addr, &mbi, sizeof(mbi)) == 0)
2031+
return false;
2032+
if (mbi.Type != MEM_IMAGE)
2033+
return false;
2034+
const DWORD prot = mbi.Protect;
2035+
const bool exec = (prot & PAGE_EXECUTE) || (prot & PAGE_EXECUTE_READ) || (prot & PAGE_EXECUTE_READWRITE) || (prot & PAGE_EXECUTE_WRITECOPY);
2036+
const bool write = (prot & PAGE_READWRITE) || (prot & PAGE_EXECUTE_READWRITE) || (prot & PAGE_WRITECOPY) || (prot & PAGE_EXECUTE_WRITECOPY);
2037+
if (!exec || write)
2038+
return false;
2039+
return true;
2040+
}
2041+
20262042
void KeyAuth::api::setDebug(bool value) {
20272043
KeyAuth::api::debug = value;
20282044
}
@@ -2416,6 +2432,11 @@ void checkInit() {
24162432
if (!prologues_ok()) {
24172433
error(XorStr("function prologue check failed, possible inline hook detected."));
24182434
}
2435+
if (!func_region_ok(reinterpret_cast<const void*>(&KeyAuth::api::req)) ||
2436+
!func_region_ok(reinterpret_cast<const void*>(&VerifyPayload)) ||
2437+
!func_region_ok(reinterpret_cast<const void*>(&checkInit))) {
2438+
error(XorStr("function region check failed, possible hook detected."));
2439+
}
24192440
integrity_check();
24202441
}
24212442

@@ -2451,6 +2472,11 @@ void integrity_watchdog() {
24512472
if (!prologues_ok()) {
24522473
error(XorStr("function prologue check failed, possible inline hook detected."));
24532474
}
2475+
if (!func_region_ok(reinterpret_cast<const void*>(&KeyAuth::api::req)) ||
2476+
!func_region_ok(reinterpret_cast<const void*>(&VerifyPayload)) ||
2477+
!func_region_ok(reinterpret_cast<const void*>(&checkInit))) {
2478+
error(XorStr("function region check failed, possible hook detected."));
2479+
}
24542480
if (check_section_integrity(XorStr(".text").c_str(), false)) {
24552481
const int streak = integrity_fail_streak.fetch_add(1) + 1;
24562482
if (streak >= 2) {

0 commit comments

Comments
 (0)