n3k4a

XTrap and HGWC Bypass! XTrap-Bypass Source v2 (32/64 bit) Co

Sep 27th, 2019
  1. XTrap and HGWC Bypass!
  2.  
  3. XTrap-Bypass(32/64 bit)
  4.  
  5.  
  6. Code:
  7. ------------
  8. #include <Windows.h>
  9. #include <process.h>
  10. #include <TlHelp32.h>
  11. #include <Psapi.h>
  12. #include "mHook.h"
  13.  
  14. #pragma comment(lib,"Psapi.lib")
  15.  
// Handle of this DLL. Set in DllMain on DLL_PROCESS_ATTACH and later passed
// to FreeLibraryAndExitThread by the hook thread so the DLL unloads itself.
HMODULE hDLL;

// Forward declarations of the two detour stubs defined at the bottom of the
// file. Both are __declspec(naked) bodies made only of inline x86 asm.
void DefineNothing_CC();
void K32Enum_CC();
  23.  
  24.  
  25.  
// Thread entry point started from DllMain through _beginthread (hence the
// single, unused void* parameter and the void return).
//
// Sequence, as written:
//   1. Poll every 500 ms until GetModuleHandle("XTrapVa.dll") is non-NULL.
//   2. Detour the process-enumeration export and ExitProcess through
//      mHook::DetourCodeCave (declared in mHook.h, which is not shown here).
//   3. Overwrite a wide string at the fixed absolute address 0x406668A0.
//   4. Unload this DLL and end the thread via FreeLibraryAndExitThread.
//
// Reviewer notes:
//   * Every address is stored in a DWORD and DetourCodeCave is given DWORDs,
//     so this is 32-bit-only code despite the "32/64 bit" title; on an x64
//     build each HMODULE/FARPROC assignment below truncates the pointer.
//   * No result of GetModuleHandle/GetProcAddress is checked for NULL before
//     it is passed on.
//   * 0x406668A0 is an absolute address with no module-relative computation
//     and no check that the page is mapped and writable; it can only be
//     meaningful for one exact build of the target, and on any other build
//     the wmemcpy is a wild write (access violation or silent corruption).
//   * The meaning of the third DetourCodeCave argument (19, 27, 3) is not
//     visible in this listing — presumably a byte count taken from the stub;
//     confirm against mHook.h.
//   * Detection view: once this has run, the in-memory entry bytes of
//     EnumProcesses / K32EnumProcesses / ExitProcess no longer match the
//     on-disk image, and the thread that did it was created from DllMain.
void _beginhook(void*){

    // All held as 32-bit DWORD — see the note above.
    DWORD dwAddy;          // resolved export address
    DWORD dwDLL;           // base of the module being looked up
    DWORD dwXTrap;         // base of XTrapVa.dll, used only as a "loaded?" flag
    DWORD dwXTrapDriver;   // hard-coded absolute address written below

    // Block until XTrapVa.dll is present in this process. There is no
    // timeout: if the module never loads, this thread sleeps/polls forever.
    while(1){
        Sleep(500);
        dwXTrap = (DWORD)GetModuleHandle("XTrapVa.dll");
        if(dwXTrap){
            break;
        }
    }

    // PSAPI_VERSION is a preprocessor constant from Psapi.h, so this branch
    // is fixed at build time (it depends on the SDK / _WIN32_WINNT in use)
    // even though it is written as a run-time `if`.
    if(PSAPI_VERSION == 1){
        // PSAPI v1: EnumProcesses is exported by Psapi.dll. Its entry is
        // redirected to DefineNothing_CC (assuming DetourCodeCave transfers
        // control to its second argument).
        dwDLL = (DWORD)GetModuleHandle("Psapi.dll");
        dwAddy = (DWORD)GetProcAddress((HINSTANCE)dwDLL,"EnumProcesses");
        mHook::DetourCodeCave(dwAddy,(DWORD)DefineNothing_CC,19);

        // ExitProcess is redirected to the same stub; the original comment
        // says this is to stop the target exiting after it finds a debugger.
        dwDLL = (DWORD)GetModuleHandle("Kernel32.dll");
        dwAddy = (DWORD)GetProcAddress((HINSTANCE)dwDLL,"ExitProcess");
        mHook::DetourCodeCave(dwAddy,(DWORD)DefineNothing_CC,27);
    }
    else
    {
        // Arbitrary extra delay; nothing is synchronised on it.
        Sleep(500);
        // PSAPI v2: the export is K32EnumProcesses in Kernel32.dll and is
        // redirected to the K32Enum_CC stub (a bare `ret 0x0C`).
        dwDLL = (DWORD)GetModuleHandle("Kernel32.dll");
        dwAddy = (DWORD)GetProcAddress((HINSTANCE)dwDLL,"K32EnumProcesses");
        mHook::DetourCodeCave(dwAddy,(DWORD)K32Enum_CC,3);

        // Same ExitProcess redirect as in the v1 branch (duplicated code).
        dwDLL = (DWORD)GetModuleHandle("Kernel32.dll");
        dwAddy = (DWORD)GetProcAddress((HINSTANCE)dwDLL,"ExitProcess");
        mHook::DetourCodeCave(dwAddy,(DWORD)DefineNothing_CC,27);

    }

    // Unconditional write of 6 wide characters ("X6va01", no terminator
    // copied) to a fixed absolute address the original comment calls the
    // "driver address". Nothing here validates that address.
    dwXTrapDriver = 0x406668A0;
    wmemcpy((wchar_t*)dwXTrapDriver,L"X6va01",6);

    // Unload this DLL and terminate the thread; 8 is an arbitrary exit code.
    FreeLibraryAndExitThread(hDLL,8);

}
  95.  
  96.  
  97.  
  98.  
// DLL entry point. On DLL_PROCESS_ATTACH it records this module's handle
// (used by FreeLibraryAndExitThread at the end of _beginhook) and starts the
// hook thread, then returns TRUE so the load succeeds.
//
// Reviewer notes:
//   * Creating a thread from inside DllMain is discouraged by the DllMain
//     documentation (loader lock); the new thread typically cannot enter its
//     start routine until this DllMain has returned.
//   * The loader only examines the return value for DLL_PROCESS_ATTACH, so
//     the `return false` at the bottom (reached for DLL_THREAD_ATTACH,
//     DLL_THREAD_DETACH and DLL_PROCESS_DETACH) is ignored — the original
//     "// fail" label is misleading.
//   * lpvReserved is unused.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved){

    if(fdwReason == DLL_PROCESS_ATTACH){

        // Remember our own module handle for the self-unload in _beginhook.
        hDLL = hinstDLL;
        // Spawn the worker thread; the returned handle is discarded.
        _beginthread(_beginhook,0,0);

        return true;
    }

    // Reached for every reason other than DLL_PROCESS_ATTACH; the loader
    // ignores the return value in those cases.
    return false;
}
  119.  
  120.  
// Stub installed over K32EnumProcesses (PSAPI v2 branch of _beginhook).
// __declspec(naked) means no prologue/epilogue is generated; the body is
// only the inline asm below. `ret 0x00C` pops 12 bytes of stdcall arguments
// — the three pointer-sized parameters of EnumProcesses on x86 — and returns
// without touching EAX, so the caller sees whatever EAX already held as the
// BOOL result and its output buffer / lpcbNeeded are never written.
// MSVC inline __asm is x86-only, which again makes this 32-bit code.
__declspec( naked ) void K32Enum_CC(){
    __asm{
        ret 0x00C
    }
}
  127.  
// Stub used for EnumProcesses (PSAPI v1) and for ExitProcess in _beginhook.
// The first three instructions reproduce the hot-patchable Win32 prologue
// (`mov edi,edi; push ebp; mov ebp,esp`); `pop ebp` then undoes the frame and
// `jmp orig` skips five NOPs to the `orig` label, which is followed by 18
// more NOPs and no `ret`. If this function were ever called directly,
// execution would run off the end of the body into whatever follows it.
//
// How many of these bytes DetourCodeCave actually copies (the 19 / 27
// counts passed from _beginhook) and whether the NOP padding is later
// overwritten is not visible in this listing — confirm against mHook.h.
__declspec( naked ) void DefineNothing_CC(){
    __asm{
        mov edi,edi
        push ebp
        mov ebp,esp
        pop ebp
        jmp orig
        nop
        nop
        nop
        nop
        nop
    orig:
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
        nop
    }
}
  162. ------------
  163. HGWC Bypass Function Source Only (64 bit)
  164.  
  165. Code:
  166. ---------
// NOTE(review): this redefines the Win32 TRUE macro to FALSE for everything
// compiled after it, so any later `TRUE` (including in headers included
// below this point) silently becomes 0, and it raises a macro-redefinition
// warning wherever windows.h is already included. No reason for it is
// visible here; treat it as a defect.
#define TRUE FALSE
// Four patch routines, each writing a few bytes at hard-coded absolute
// addresses (0x0040xxxx / 0x0046xxxx — the default 32-bit image base, which
// sits oddly with the "64 bit" heading of this snippet). `rect` is a global
// instance declared together with the class. Nothing in this listing calls
// the methods; every one of them ignores its int argument and returns 0.
//
// The in-class declarations carry the `HGWC::` qualifier ("extra
// qualification"), which is ill-formed in ISO C++ — MSVC accepts it,
// GCC and Clang reject it.
class HGWC
{
public:
    int HGWC::FileDetection(int);
    int HGWC::KeepAlive(int);
    int HGWC::Bann(int);
    int HGWC::Thread(int);
}rect;
// Writes one byte, 0xEB (a short unconditional jmp opcode), over the fixed
// address 0x0040CAE1 in the current process. There is no base-relative
// computation, no check that the address is mapped/writable, and no
// verification of the bytes already there; it is only valid for the one
// build the address was taken from. LParam is unused; always returns 0.
int HGWC::FileDetection(int LParam)
{
    memcpy((LPVOID)0x0040CAE1,(LPVOID)"\xEB",1);
    return 0;
}
// Same pattern as FileDetection: one byte 0xEB (short jmp) written over the
// fixed address 0x0040D5B7, unconditionally and unchecked. The address is
// absolute, so this matches a single target build only. LParam is unused;
// always returns 0.
int HGWC::KeepAlive(int LParam)
{
    memcpy((LPVOID)0x0040D5B7,(LPVOID)"\xEB",1);
    return 0;
}
// Four unchecked writes at fixed absolute addresses: two single bytes 0xEB
// (short jmp) at 0x0040F9FD and 0x0040FA31, and the 5-byte sequence
// C2 0C 00 90 90 (`ret 0x0C` followed by two NOPs — a stdcall return, i.e.
// 32-bit code) at 0x0040FB71 and 0x00410270. The write at 0x00410270 is
// duplicated byte-for-byte in HGWC::Thread. No validation of any kind;
// valid only for the one build these addresses came from. LParam is
// unused; always returns 0.
int HGWC::Bann(int LParam)
{
    memcpy((LPVOID)0x0040F9FD,(LPVOID)"\xEB",1);
    memcpy((LPVOID)0x0040FA31,(LPVOID)"\xEB",1);
    memcpy((LPVOID)0x0040FB71,(LPVOID)"\xC2\x0C\x00\x90\x90",5);
    memcpy((LPVOID)0x00410270,(LPVOID)"\xC2\x0C\x00\x90\x90",5);
    return 0;
}
// Four unchecked writes at fixed absolute addresses: 6A 7D (`push 0x7D`) at
// 0x0040D4E3, EB 0A (short jmp +0x0A) at 0x00418F91, 68 FF 08 00 00
// (`push 0x8FF`) at 0x00464147, and the same C2 0C 00 90 90 (`ret 0x0C` +
// two NOPs) at 0x00410270 that HGWC::Bann already writes — if both run, the
// second write is a no-op. As with the other methods there is no
// base-relative computation and no validation, so this matches a single
// target build only. LParam is unused; always returns 0.
int HGWC::Thread(int LParam)
{
    memcpy((LPVOID)0x0040D4E3,(LPVOID)"\x6A\x7D",2);
    memcpy((LPVOID)0x00418F91,(LPVOID)"\xEB\x0A",2);
    memcpy((LPVOID)0x00464147,(LPVOID)"\x68\xFF\x08\x00\x00",5);
    memcpy((LPVOID)0x00410270,(LPVOID)"\xC2\x0C\x00\x90\x90",5);
    return 0;
}
  202.  
  203. ------