Untitled

#include <Windows.h>

typedef SC_HANDLE (WINAPI* f_OpenServiceA)(SC_HANDLE,LPCSTR,DWORD);
f_OpenServiceA pTrp_OpenServiceA;

DWORD p_XTrapVa=0;
bool b_DriverTerminated=false;
BYTE* pPattern=reinterpret_cast<BYTE*>("\x5C\x5C\x2E\x5C\x58\x36\x76\x61\x30");
char* pDriver=nullptr;

SC_HANDLE WINAPI hk_OpenServiceA(SC_HANDLE hSCManager,LPCSTR lpServiceName,DWORD dwDesiredAccess)
{
    if(pDriver==nullptr)
    {
        pDriver=reinterpret_cast<char*>(FindPattern(pPattern,"xxxxxxxxx",p_XTrapVa+0x2C0000,0x500000,4)+4);
    }
    else
    {
        if(!strcmp(lpServiceName,pDriver)){
            SC_HANDLE Ret=pTrp_OpenServiceA(hSCManager,lpServiceName,dwDesiredAccess);
            CloseServiceHandle(hSCManager);
            return Ret;
        }
    }
    return pTrp_OpenServiceA(hSCManager,lpServiceName,dwDesiredAccess);
}

void hk_EnumWindows()
{
    Sleep(-1);
}

union DWORD_Split
{
    DWORD dwDWORD;
    BYTE bByte[4];
};

DWORD __stdcall HaxThread(void* pArg)
{
    Sleep(500);
    pTrp_OpenServiceA=reinterpret_cast<f_OpenServiceA>(SetDetour(OpenServiceA,hk_OpenServiceA,5));
    while(p_XTrapVa==0)
    {
        p_XTrapVa=reinterpret_cast<DWORD>(GetModuleHandle("XTrapVa.dll"));
    }
    DWORD_Split dws_EnumWindows;
    dws_EnumWindows.dwDWORD=reinterpret_cast<DWORD>(EnumWindows);
    DWORD* p_XTrapVa_pEnumWindows=reinterpret_cast<DWORD*>(FindPattern(dws_EnumWindows.bByte,"xxxx",p_XTrapVa+0x2A0000,0x100000,4));
    *p_XTrapVa_pEnumWindows=reinterpret_cast<DWORD>(&hk_EnumWindows);

    return 0;
}

void CloakModule(HINSTANCE hMod)
{
    DWORD dwOld;
    VirtualProtect(hMod,0x1000,PAGE_WRITECOPY,&dwOld);
    memcpy(hMod,GetModuleHandle("kernel32.dll"),0x1000);
    VirtualProtect(hMod,0x1000,dwOld,&dwOld);
}

int __stdcall DllMain(HINSTANCE hDll,DWORD dwReason,void* pReserved)
{
    if(dwReason==DLL_PROCESS_ATTACH){
        CloakModule(hDll);
        AllocConsole();
        CreateThread(0,0,HaxThread,0,0,0);
    }
    return 1;
}