    Kreedhacks

    GamersClub Injected Module

    GamersClub manual-maps a module into csgo.exe. I dumped that module from memory.

    Here are some interesting string objects.

    They appear to hook LdrLoadDll. I'm not sure why they don't just use a MiniFilter, since they already have a kernel driver, but they're not very good at their job, so I'll just assume the reason is incompetence.

    Quote:
    Code:
    .rdata:100AB8A4 0000000B C LdrLoadDll
    .rdata:100AB8B0 0000000A C ntdll.dll

    You can also see that they monitor the source engine for unauthorized modifications or activities.
    
    Quote:
    .rdata:100AAA20 0000001D C A1 ? ? ? ? 50 8B 08 FF 51 0C
    .rdata:100AAA40 00000011 C shaderapidx9.dll
    .rdata:100AAA54 0000000B C VClient018
    .rdata:100AAA60 0000000B C client.dll
    .rdata:100AAA6C 00000011 C VEngineClient014
    .rdata:100AAA80 0000000B C engine.dll
    .rdata:100AAA8C 0000000E C VGUI_Panel009
    .rdata:100AAA9C 0000000A C vgui2.dll
    .rdata:100ABAB4 00000010 C CreateInterface
    .rdata:100AB920 00000011 C FrameStageNHK_%d
    .rdata:100AB934 00000010 C CreateMoveHK_%d
    .rdata:100AB944 00000014 C PaintTraverseNHK_%d

    You can see from these strings that they take screenshots of the game window using Direct3D.

    Quote:
    Code:
    .data:100B1014 0000000D C d3dx9_43.dll
    .rdata:100B05F6 0000000A C D3DXSaveSu
    .data:100B1000 00000014 C rfaceToFileInMemory

    The module also uses LibCurl. It seems to forward certain things to a web API, and the module can make connections to an FTP server and/or a mail server (I doubt the mail server connection functionality is used; I think it's just part of a library they use).

    So the injected module appears to be able to do a couple of things:
    - Take screenshots of the game surface using Direct3D SDK
    - Monitor the Source Engine for unauthorized hooks or activities
    - Hook LdrLoadDll for DLL whitelisting
    - Upload suspect binaries/memory to an FTP server/web API

    These are the main functions it appears to be capable of. It can do a few more standard anti-cheating things, but nothing interesting or otherwise worth noting.
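
Added example, not part of the original post: a small triage script over the string-table lines quoted above. It tags each entry and rejoins the split `D3DXSaveSu` / `rfaceToFileInMemory` pair. It assumes the length column counts the terminating NUL (true of every other entry quoted); `KNOWN_EXPORTS` and the function names are constructed for illustration.

```python
import re

# Constructed input: a subset of the lines quoted in the post (segment:address, hex length, type, text).
DUMP = """\
.rdata:100AB8A4 0000000B C LdrLoadDll
.rdata:100AB8B0 0000000A C ntdll.dll
.rdata:100AAA20 0000001D C A1 ? ? ? ? 50 8B 08 FF 51 0C
.rdata:100AB920 00000011 C FrameStageNHK_%d
.data:100B1014 0000000D C d3dx9_43.dll
.rdata:100B05F6 0000000A C D3DXSaveSu
.data:100B1000 00000014 C rfaceToFileInMemory
"""

LINE = re.compile(r"^\.(\w+):([0-9A-F]{8}) ([0-9A-F]{8}) C (.*)$")
SIG = re.compile(r"^(?:[0-9A-F]{2}|\?)(?: (?:[0-9A-F]{2}|\?))+$")
# Assumption: a short reference list of export names used to validate rejoined fragments.
KNOWN_EXPORTS = {"LdrLoadDll", "CreateInterface", "D3DXSaveSurfaceToFileInMemory"}

def parse(dump):
    """Return one dict per well-formed line; malformed lines are skipped."""
    rows = []
    for line in dump.splitlines():
        m = LINE.match(line.strip())
        if m:
            seg, addr, length, text = m.groups()
            rows.append({"seg": seg, "addr": int(addr, 16),
                         "len": int(length, 16), "text": text})
    return rows

def classify(row):
    """Tag a row by what kind of artifact the string is."""
    text = row["text"]
    if row["len"] != len(text) + 1:  # no room for the NUL: not a whole C string
        return "fragment"
    if SIG.match(text):              # hex bytes with '?' wildcards
        return "byte-signature"
    if text.lower().endswith(".dll"):
        return "module"
    if "%" in text:
        return "format-string"
    return "export" if text in KNOWN_EXPORTS else "other"

def rejoin(rows):
    """Pair each fragment with the row that completes it to a known export name."""
    heads = [r for r in rows if classify(r) == "fragment"]
    return [(h["addr"], t["addr"], h["text"] + t["text"])
            for h in heads for t in rows
            if h["text"] + t["text"] in KNOWN_EXPORTS]
```

The rejoined name is only reported when the concatenation matches the reference list, so unrelated fragments are not glued together by accident.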
