Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- XTrap Bypass.exe: [C++]
- //=======================================================================================================
- //=======================================================================================================
- //=======================================================================================================
- //=======================================================================================================
- //=======================================================================================================
- //=======================================================================================================
- //=======================================================================================================
- //=======================================================================================================
- //=======================================================================================================
- //=======================================================================================================
- #include <stdio.h>
- #include <windows.h>
- #include <tlhelp32.h>
- #define NT_SUCCESS(x) ((x) >= 0)
- #define STATUS_INFO_LENGTH_MISMATCH 0xc0000004
- #define SystemHandleInformation 16
- #define ObjectBasicInformation 0
- #define ObjectNameInformation 1
- #define ObjectTypeInformation 2
- #define fcExp 0x4D9480
- #define BaseAddr 0x400000
- typedef enum _THREAD_INFORMATION_CLASS {
- ThreadBasicInformation,
- ThreadTimes,
- ThreadPriority,
- ThreadBasePriority,
- ThreadAffinityMask,
- ThreadImpersonationToken,
- ThreadDescriptorTableEntry,
- ThreadEnableAlignmentFaultFixup,
- ThreadEventPair,
- ThreadQuerySetWin32StartAddress,
- ThreadZeroTlsCell,
- ThreadPerformanceCount,
- ThreadAmILastThread,
- ThreadIdealProcessor,
- ThreadPriorityBoost,
- ThreadSetTlsArrayAddress,
- ThreadIsIoPending,
- ThreadHideFromDebugger
- } THREAD_INFORMATION_CLASS, *PTHREAD_INFORMATION_CLASS;
- typedef DWORD(NTAPI *_ZwSuspendProcess)(HANDLE hProcess);
- typedef DWORD(NTAPI *_ZwResumeProcess)(HANDLE hProcess);
- typedef DWORD(NTAPI *_ZwQueryInformationThread)(HANDLE ThreadHandle, THREAD_INFORMATION_CLASS ThreadInformationClass, PVOID ThreadInformation, ULONG ThreadInformationLength, PULONG ReturnLength);
- typedef DWORD(NTAPI *_NtQuerySystemInformation)(ULONG SystemInformationClass,PVOID SystemInformation,ULONG SystemInformationLength,PULONG ReturnLength);
- typedef DWORD(NTAPI *_NtDuplicateObject)(HANDLE SourceProcessHandle,HANDLE SourceHandle,HANDLE TargetProcessHandle,PHANDLE TargetHandle,ACCESS_MASK DesiredAccess,ULONG Attributes,ULONG Options);
- typedef DWORD(NTAPI *_NtQueryObject)(HANDLE ObjectHandle,ULONG ObjectInformationClass,PVOID ObjectInformation,ULONG ObjectInformationLength,PULONG ReturnLength);
- typedef struct _UNICODE_STRING {
- USHORT Length;
- USHORT MaximumLength;
- PWSTR Buffer;
- } UNICODE_STRING, *PUNICODE_STRING;
- typedef struct _SYSTEM_HANDLE {
- ULONG ProcessId;
- BYTE ObjectTypeNumber;
- BYTE Flags;
- USHORT Handle;
- PVOID Object;
- ACCESS_MASK GrantedAccess;
- } SYSTEM_HANDLE, *PSYSTEM_HANDLE;
- typedef struct _SYSTEM_HANDLE_INFORMATION {
- ULONG HandleCount;
- SYSTEM_HANDLE Handles[1];
- } SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
- typedef enum _POOL_TYPE {
- NonPagedPool,
- PagedPool,
- NonPagedPoolMustSucceed,
- DontUseThisType,
- NonPagedPoolCacheAligned,
- PagedPoolCacheAligned,
- NonPagedPoolCacheAlignedMustS
- } POOL_TYPE, *PPOOL_TYPE;
- typedef struct _OBJECT_TYPE_INFORMATION {
- UNICODE_STRING Name;
- ULONG TotalNumberOfObjects;
- ULONG TotalNumberOfHandles;
- ULONG TotalPagedPoolUsage;
- ULONG TotalNonPagedPoolUsage;
- ULONG TotalNamePoolUsage;
- ULONG TotalHandleTableUsage;
- ULONG HighWaterNumberOfObjects;
- ULONG HighWaterNumberOfHandles;
- ULONG HighWaterPagedPoolUsage;
- ULONG HighWaterNonPagedPoolUsage;
- ULONG HighWaterNamePoolUsage;
- ULONG HighWaterHandleTableUsage;
- ULONG InvalidAttributes;
- GENERIC_MAPPING GenericMapping;
- ULONG ValidAccess;
- BOOLEAN SecurityRequired;
- BOOLEAN MaintainHandleCount;
- USHORT MaintainTypeList;
- POOL_TYPE PoolType;
- ULONG PagedPoolUsage;
- ULONG NonPagedPoolUsage;
- } OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;
- PVOID GetLibraryProcAddress(LPSTR LibraryName, LPSTR ProcName) {
- return (PVOID)GetProcAddress(GetModuleHandleA(LibraryName), ProcName);
- }
- DWORD GetPIDbyName(char* szProcess)
- {
- HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
- PROCESSENTRY32 PE;
- PE.dwSize = sizeof(PE) ;
- Process32First(hSnap, &PE);
- while (Process32Next(hSnap, &PE))
- {
- char Converted[100] = "\0";
- wcstombs(Converted, PE.szExeFile, sizeof(Converted));
- if (strcmp(Converted, szProcess) == 0)
- {
- return PE.th32ProcessID;
- }
- }
- return 0;
- }
- int SeDebugPrivilege(void)
- {
- HANDLE hToken;
- LUID Val;
- TOKEN_PRIVILEGES tp;
- OpenProcessToken(HANDLE(-1),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);
- LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &Val);
- tp.PrivilegeCount = 1;
- tp.Privileges[0].Luid = Val;
- tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
- AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof (tp), NULL, NULL);
- CloseHandle(hToken);
- return 1;
- }
- DWORD GetModuleBaseAddress(DWORD PID, char* szModule)
- {
- MODULEENTRY32 ME;
- ME.dwSize = sizeof(ME);
- HANDLE hSnapy = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, PID);
- Module32First(hSnapy, &ME);
- while (Module32Next(hSnapy, &ME))
- {
- char Converted[100] = "\0";
- wcstombs(Converted, ME.szModule, sizeof(Converted));
- if (strcmp(Converted, szModule) == 0)
- {
- return (DWORD)ME.hModule;
- }
- }
- }
- DWORD GetModuleSize(DWORD PID, char* szModule)
- {
- MODULEENTRY32 ME;
- ME.dwSize = sizeof(ME);
- HANDLE hSnapy = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, PID);
- Module32First(hSnapy, &ME);
- while (Module32Next(hSnapy, &ME))
- {
- char Converted[100] = "\0";
- wcstombs(Converted, ME.szModule, sizeof(Converted));
- if (strcmp(Converted, szModule) == 0)
- {
- return ME.modBaseSize;
- }
- }
- }
- int CloseHandles(ULONG pid)
- {
- _NtQuerySystemInformation NtQuerySystemInformation = (_NtQuerySystemInformation)GetLibraryProcAddress("ntdll.dll", "NtQuerySystemInformation");
- _NtDuplicateObject NtDuplicateObject = (_NtDuplicateObject)GetLibraryProcAddress("ntdll.dll", "NtDuplicateObject");
- _NtQueryObject NtQueryObject = (_NtQueryObject)GetLibraryProcAddress("ntdll.dll", "NtQueryObject");
- DWORD status;
- PSYSTEM_HANDLE_INFORMATION handleInfo;
- ULONG handleInfoSize = 0x10000;
- HANDLE processHandle;
- ULONG i;
- if (!(processHandle = OpenProcess(PROCESS_DUP_HANDLE, FALSE, pid))) {
- printf("Could not open PID %d! (Don't try to open a system process.)\n", pid);
- return 1;
- }
- handleInfo = (PSYSTEM_HANDLE_INFORMATION)malloc(handleInfoSize);
- while ((status = NtQuerySystemInformation(
- SystemHandleInformation,
- handleInfo,
- handleInfoSize,
- NULL
- )) == STATUS_INFO_LENGTH_MISMATCH)
- handleInfo = (PSYSTEM_HANDLE_INFORMATION)realloc(handleInfo, handleInfoSize *= 2);
- if (!NT_SUCCESS(status)) {
- printf("NtQuerySystemInformation failed!\n");
- return 1;
- }
- for (i = 0; i < handleInfo->HandleCount; i++) {
- SYSTEM_HANDLE handle = handleInfo->Handles[i];
- HANDLE dupHandle = NULL;
- POBJECT_TYPE_INFORMATION objectTypeInfo;
- PVOID objectNameInfo;
- UNICODE_STRING objectName;
- ULONG returnLength;
- if (handle.ProcessId != pid)
- continue;
- if (!NT_SUCCESS(NtDuplicateObject(
- processHandle,
- (void*) handle.Handle,
- GetCurrentProcess(),
- &dupHandle,
- 0,
- 0,
- 0
- ))) {
- printf("[%#x] Error!\n", handle.Handle);
- continue;
- }
- objectTypeInfo = (POBJECT_TYPE_INFORMATION)malloc(0x1000);
- if (!NT_SUCCESS(NtQueryObject(
- dupHandle,
- ObjectTypeInformation,
- objectTypeInfo,
- 0x1000,
- NULL
- ))) {
- printf("[%#x] Error!\n", handle.Handle);
- CloseHandle(dupHandle);
- continue;
- }
- if (handle.GrantedAccess == 0x0012019f) {
- free(objectTypeInfo);
- CloseHandle(dupHandle);
- continue;
- }
- objectNameInfo = malloc(0x1000);
- if (!NT_SUCCESS(NtQueryObject(
- dupHandle,
- ObjectNameInformation,
- objectNameInfo,
- 0x1000,
- &returnLength
- ))) {
- objectNameInfo = realloc(objectNameInfo, returnLength);
- if (!NT_SUCCESS(NtQueryObject(
- dupHandle,
- ObjectNameInformation,
- objectNameInfo,
- returnLength,
- NULL
- ))) {
- free(objectTypeInfo);
- free(objectNameInfo);
- CloseHandle(dupHandle);
- continue;
- }
- }
- objectName = *(PUNICODE_STRING)objectNameInfo;
- char Converted[100] = "\0";
- wcstombs(Converted, objectTypeInfo->Name.Buffer, sizeof(Converted));
- if (strcmp((CHAR*)Converted, "Thread") == 0)
- {
- DuplicateHandle(processHandle, (void*)handle.Handle, NULL, NULL, 0, FALSE, 0x1);
- }
- free(objectTypeInfo);
- free(objectNameInfo);
- CloseHandle(dupHandle);
- }
- free(handleInfo);
- CloseHandle(processHandle);
- return 0;
- }
- int main(int argc, CHAR* argv[])
- {
- SetConsoleTitleA("XTrap Bypass Written by AceStryker");
- printf("#########################################################\n");
- printf("########### DarkProgramming XTrap Bypass ################\n");
- printf("################################### For PointBlank ######\n");
- printf("Written by AceStryker, Thanks Lacy ######################\n");
- printf("noexit.dll - Written by AceStryker ######################\n");
- printf("s0beit.dll - Written by Mr_S0beit ######################\n");
- printf("#########################################################\n\n");
- DWORD PID = GetPIDbyName("PointBlank.exe");
- if (PID == 0)
- {
- printf("Please open PointBlank first and then open me. \n");
- system("PAUSE");
- return 0;
- }
- printf("\nProcess ID: 0x%X [ %d ] \n", PID, PID);
- printf("Suspending process... \n");
- SeDebugPrivilege();
- _ZwSuspendProcess ZwSuspendProcess = (_ZwSuspendProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"), "ZwSuspendProcess");
- HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);
- ZwSuspendProcess(hProc);
- printf("Process Suspended succefully!!\nClosing threads...\n");
- _ZwQueryInformationThread ZwQueryInformationThread = (_ZwQueryInformationThread)GetProcAddress(GetModuleHandleA("ntdll.dll"), "ZwQueryInformationThread");
- HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, PID);
- THREADENTRY32 TE;
- TE.dwSize = sizeof(TE);
- Thread32First(hSnap, &TE);
- DWORD BaseAddress = GetModuleBaseAddress(PID, "XTrapVa.dll");
- DWORD BaseSize = GetModuleSize(PID, "XTrapVa.dll");
- printf("XTrap BaseAddress: 0x%X \n", BaseAddress);
- printf("XTrap Size: 0x%X [ %d ] \n", BaseSize);
- while (Thread32Next(hSnap, &TE))
- {
- HANDLE hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, TE.th32ThreadID);
- DWORD Start;
- ZwQueryInformationThread(hThread, ThreadQuerySetWin32StartAddress, &Start, sizeof(Start), NULL);
- if (Start >= BaseAddress && Start <= BaseAddress+BaseSize)
- {
- TerminateThread(hThread, 8);
- }
- if (Start - (BaseAddr+fcExp) == 0x6110 | Start - (BaseAddr+fcExp) == 0x2190)
- {
- TerminateThread(hThread, 8);
- }
- }
- CloseHandle(hSnap);
- printf("Threads closed succefully! \nClosing handles...\n");
- CloseHandles(PID);
- printf("Handles closed succefully! \nPlease inject s0beit.dll and NoExit.dll\n");
- CloseHandle(hProc);
- system("PAUSE");
- _ZwResumeProcess ZwResumeProcess = (_ZwResumeProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"), "ZwResumeProcess");
- hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);
- ZwResumeProcess(hProc);
- printf("\n\nBye bye XTrap :) \n");
- system("PAUSE");
- return 0;
- }
- //=======================================================================================================
- //=======================================================================================================
- //=======================================================================================================
- //=======================================================================================================
- //=======================================================================================================
- //=======================================================================================================
- //=======================================================================================================
- //=======================================================================================================
- //=======================================================================================================
- //=======================================================================================================
- NoExit.dll: [Delphi]
- //=======================================================================================================
- //=======================================================================================================
- //=======================================================================================================
- //=======================================================================================================
- //=======================================================================================================
- //=======================================================================================================
- //=======================================================================================================
- //=======================================================================================================
- //=======================================================================================================
- //=======================================================================================================
- library NoExit;
- uses
- Windows;
- var
- Place : Pointer;
- ProtecaoAntiga : DWORD;
- Written : cardinal;
- procedure ExitProc(uExitCode : DWORD);stdcall;
- begin
- end;
- function TerminateProc(Proc : THandle;uExitCode : DWORD) : DWORD;stdcall;
- begin
- result := 8;
- end;
- procedure HookThis(Lib, Func : String;CallBack : Pointer);
- begin
- Place := GetProcAddress(LoadLibrary(PChar(Lib)), PChar(Func));
- VirtualProtect(Place, 6, PAGE_READWRITE, ProtecaoAntiga);
- PBYTE(DWORD(Place))^ := $E9;
- PDWORD(DWORD(Place) + 1)^ := (DWORD(CallBack) - (DWORD(Place)) -5);
- VirtualProtect(Place, 6, ProtecaoAntiga, ProtecaoAntiga);
- end;
- begin
- HookThis('ntdll.dll', 'RtlExitUserProcess', @ExitProc);
- HookThis('ntdll.dll', 'ZwTerminateProcess', @TerminateProc);
- end.
- //=======================================================================================================
- //=======================================================================================================
- //=======================================================================================================
- //=======================================================================================================
- //=======================================================================================================
- //=======================================================================================================
- //=======================================================================================================
- //=======================================================================================================
- //=======================================================================================================
- //=======================================================================================================
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement