Counter-Strike 2 Anticheat
Anticheat measures found in the binaries of Counter-Strike 2. The analysis is based on the 6 June 2023 update.
What's new
6 June 2023
- new functionality added to CUserMessage_Inventory_Response to collect VMT pointers of entities from entity system
- new CUserMessageRequestDiagnostic / CUserMessage_Diagnostic_Response to detect debuggers
Detections which use protobufs
| Request proto | Response proto | What is does |
|---|---|---|
| CUserMessageRequestDllStatus | CUserMessage_DllStatus | Trusted Mode |
| CUserMessageRequestUtilAction | CUserMessage_UtilMsg_Response | Checks ConVars for unathorized modifications |
| CUserMessageRequestInventory | CUserMessage_Inventory_Response | Checks VMT pointers of global interfaces, checks if read-only sections of game DLLs were modified, checks VMT pointers of game entities |
| CUserMessageRequestDiagnostic | CUserMessage_Diagnostic_Response | Debugger detection |
CUserMessage_Inventory_Response
VMT pointer check of global interfaces
// E8 ? ? ? ? 48 8D 8C 24 ? ? ? ? E8 ? ? ? ? F6 43 20 02 (relative jump) @ client.dll
void collectInterfacesData(CUserMessage_Inventory_Response& protobuf);This function iterates over g_pInterfaceGlobals array (name from Source 1 engine) and for every interface fills InventoryDetail protobuf:
message InventoryDetail {
optional int32 index = 1; // index in the g_pInterfaceGlobals array
optional int64 primary = 2; // *g_pInterfaceGlobals[index] (address of the interface)
optional int64 offset = 3; // **g_pInterfaceGlobals[index] (address of virtual method table of the interface)
optional int64 first = 4; // address of the first function in the VMT
optional int64 base = 5;
optional string name = 6;
optional string base_name = 7;
optional int32 base_detail = 8;
optional int32 base_time = 9;
optional int32 base_hash = 10; // interface name hash
}
(fields without a comment are unused)
List of checked interfaces
VApplication001
VEngineCvar007
VStringTokenSystem001
TestScriptMgr001
VProcessUtils002
VFileSystem017
VAsyncFileSystem2_001
ResourceSystem013
ResourceManifestRegistry001
ResourceHandleUtils001
SchemaSystem_001
ResourceCompilerSystem001
VMaterialSystem2_001
PostProcessingSystem_001
InputSystemVersion001
InputStackSystemVersion001
RenderDeviceMgr001
RenderUtils_001
SoundSystem001
SoundOpSystemEdit001
SoundOpSystem001
SteamAudio001
VP4003
Localize_001
VMediaFoundation001
VAvi001
VBik001
MeshSystem001
MeshUtils001
RenderDevice003
VRenderDeviceSetupV001
RenderHardwareConfig002
SceneSystem_002
SceneUtils_001
WorldRendererMgr001
AssetSystem001
AssetSystemTest001
ParticleSystemMgr003
VScriptManager010
PropertyEditorSystem_001
MATCHFRAMEWORK_001
Source2V8System001
PanoramaUIEngine001
PanoramaUIClient001
PanoramaTextServices001
ToolFramework2_002
PhysicsBuilderMgr001
VisBuilder_001
BakedLODBuilderMgr001
HelpSystem_001
ToolSceneNodeFactory_001
EconItemToolModel_001
SchemaTestExternal_Two_001
SchemaTestExternal_One_001
AnimationSystem_001
AnimationSystemUtils_001
HammerMapLoader001
MaterialUtils_001
FontManager_001
TextLayout_001
AssetPreviewSystem_001
AssetBrowserSystem_001
AssetRenameSystem_001
VConComm001
MODEL_PROCESSING_SERVICES_INTERFACE_001
NetworkSystemVersion001
NetworkMessagesVersion001
FlattenedSerializersVersion001
SerializedEntitiesVersion001
DemoUpconverterVersion001
Source2Client002
Source2ClientUI001
Source2ClientPrediction001
Source2Server001
Source2Host001
Source2GameClients001
Source2GameEntities001
EngineServiceMgr001
HostStateMgr001
NetworkService_001
NetworkClientService_001
NetworkP2PService_001
NetworkServerService_001
ToolService_001
RenderService_001
StatsService_001
VProfService_001
InputService_001
MapListService_001
GameUIService_001
SoundService_001
BenchmarkService001
KeyValueCache001
GameResourceServiceClientV001
GameResourceServiceServerV001
Source2EngineToClient001
Source2EngineToServer001
Source2EngineToServerStringTable001
Source2EngineToClientStringTable001
VPhysics2_Interface_001
VPhysics2_Handle_Interface_001
ModelDocUtils001
AnimGraphEditorUtils001
MODEL_PROCESSING_SCRIPT_INTERFACE_001
EXPORTSYSTEM_INTERFACE_VERSION_001
NavSystem001
Integrity of read-only sections of game DLLs
This check is present in client.dll under the name "ComputeInventory2".
Game DLLs register themselves by calling Plat_RegisterModule(moduleHandle) function from tier0.dll. The list of registered modules can be retrieved by calling Plat_GetRegisteredModules().
When game server sends CUserMessageRequestInventory protobuf message to the client, the client responds with CUserMessage_Inventory_Response message containing info about registered modules.
For every registered dll:
struct DllSectionsResult {
void* baseOfDll;
IMAGE_NT_HEADERS* ntHeaders;
void* buffer; // allocated with VirtualAlloc in processDllSections()
DWORD timestamp; // from IMAGE_FILE_HEADER::TimeDateStamp
DWORD pad; // padding
CSHA1 sha1; // sizeof(CSHA1) == 192, seems not to be computed currently
CRC32 readOnlySectionsHash;
};
// E8 ? ? ? ? 8B 8C 24 ? ? ? ? 0F B6 D8 (relative jump) @ client.dll
bool processDllSections(DllSectionsResult& output, HMODULE dll);processDllSections() allocates the buffer of size IMAGE_OPTIONAL_HEADER::SizeOfImage and does the following:
- copies the headers to the buffer (
IMAGE_OPTIONAL_HEADER::SizeOfHeadersbytes at dll base) - copies every unwritable section (
(IMAGE_SECTION_HEADER::Characteristics & IMAGE_SCN_MEM_WRITE) == 0) to the buffer - iterates over base relocation table (
IMAGE_DIRECTORY_ENTRY_BASERELOC) and undoes relocations in the buffer (onlyIMAGE_REL_BASED_DIR64relocations) - zeroes import address table (
IMAGE_DIRECTORY_ENTRY_IAT) and export directory (IMAGE_DIRECTORY_ENTRY_EXPORT) in the buffer - computes CRC32 of read-only sections in the buffer
processDllSections() is called by another function:
// E8 ? ? ? ? 0F B6 C0 85 C0 74 7B (relative jump) @ client.dll
bool processDll(
HMODULE dll,
CRC32& readOnlySectionsHash,
char* pdbPath,
DWORD& sizeOfImage,
DWORD& timestamp,
void** imageBase
);processDll() does the following:
- calls processDllSections() and copies the fields of returned DllSectionsResult to the output parameters
- copies PDB path from debug directory to
pdbPathoutput buffer
Later PDB file name is extracted from path and hashed.
InventoryDetail protobuf is filled with the gathered info.
message InventoryDetail {
optional int32 index = 1; // index in the array of registered modules
optional int64 primary = 2; // image base from IMAGE_OPTIONAL_HEADER
optional int64 offset = 3; // size of image
optional int64 first = 4;
optional int64 base = 5; // dll handle
optional string name = 6;
optional string base_name = 7;
optional int32 base_detail = 8; // crc32 of read-only sections
optional int32 base_time = 9; // timestamp from IMAGE_FILE_HEADER
optional int32 base_hash = 10; // PDB filename hash
}
(fields without a comment are unused)
CUserMessage_Diagnostic_Response
At first Plat_GetDebugMonitor() from tier0.dll is called and the response is filled with data from DebugMonitor.
Then a thread of id provided through a parameter is opened (OpenThread(THREAD_ALL_ACCESS, 0, threadId)) and suspended.
Thread context is then queried and the thread is resumed.
Following values are copied from thread context into response:
- Dr0
- Dr1
- Dr2
- Dr3
- DebugControl
- Rsp
- Rip