- // BeTest.cpp : Defines the entry point for the console application.
- //
- #include "stdafx.h"
- #include <Windows.h>
- #include <winternl.h>
- #include <iostream>
- #include <vector>
- #include <tlhelp32.h>
- #include <psapi.h>
- #include "FileManager.h"
- #include "sihclient.h"
// Path of the named pipe that ServiceWorkerThread creates and serves.
#define SERVICE_PIPE "\\\\.\\pipe\\BattlEye"
// Threads: per-connection handler thread handles pushed by ServiceWorkerThread;
// they are never joined or closed in the visible code. Pipes is unused here.
std::vector<HANDLE> Threads, Pipes;
// Service-control bookkeeping; neither is read or written in the visible code.
SERVICE_STATUS g_ServiceStatus = { 0 };
SERVICE_STATUS_HANDLE g_StatusHandle = NULL;
// g_ServiceStopEvent is polled by the thread loops but is never assigned a real
// event in this file, so the stop checks never observe WAIT_OBJECT_0 unless it
// is set elsewhere — TODO confirm. g_Thread holds the worker thread handle.
HANDLE g_ServiceStopEvent = INVALID_HANDLE_VALUE, g_Thread = NULL;
// Thread entry points defined further down in this file.
DWORD WINAPI ServiceWorkerThread(LPVOID lpParam);
DWORD WINAPI ServiceHandleThread(LPVOID lpParam);
DWORD WINAPI ServiceGameThread(LPVOID lpParam);
// Service name; note DoStopSvc passes the literal L"BEService" instead of this macro.
#define SERVICE_NAME L"BEService"
// SCM database and service handles opened by DoStopSvc and read by
// StopDependentServices; DoStopSvc closes them but leaves the stale values behind.
SC_HANDLE schService = 0;
SC_HANDLE schSCManager = 0;
// Stops every active service that depends on the service opened in the global
// schService (set by DoStopSvc), waiting for each one to reach SERVICE_STOPPED.
// Returns TRUE when there are no dependents or all of them stopped, FALSE on
// any SCM call failure or when the 30-second budget runs out. Reads the
// schService / schSCManager globals and does not close either of them.
// The structure (SEH __try/__finally guarding the heap buffer and the
// per-service handle) appears to mirror the Win32 "Stopping a Service" sample.
BOOL __stdcall StopDependentServices()
{
    DWORD i;
    DWORD dwBytesNeeded;
    DWORD dwCount;
    LPENUM_SERVICE_STATUS lpDependencies = NULL;
    ENUM_SERVICE_STATUS ess;
    SC_HANDLE hDepService; // unused: shadowed by the loop-local declaration below
    SERVICE_STATUS_PROCESS ssp;
    DWORD dwStartTime = GetTickCount();
    DWORD dwTimeout = 30000; // 30-second time-out, measured from function entry and shared by all dependents
    // Pass a zero-length buffer to get the required buffer size.
    if (EnumDependentServices(schService, SERVICE_ACTIVE,
        lpDependencies, 0, &dwBytesNeeded, &dwCount))
    {
        // If the Enum call succeeds, then there are no dependent
        // services, so do nothing.
        return TRUE;
    }
    else
    {
        if (GetLastError() != ERROR_MORE_DATA)
            return FALSE; // Unexpected error
        // Allocate a buffer for the dependencies.
        lpDependencies = (LPENUM_SERVICE_STATUS)HeapAlloc(
            GetProcessHeap(), HEAP_ZERO_MEMORY, dwBytesNeeded);
        if (!lpDependencies)
            return FALSE;
        __try {
            // Enumerate the dependencies.
            if (!EnumDependentServices(schService, SERVICE_ACTIVE,
                lpDependencies, dwBytesNeeded, &dwBytesNeeded,
                &dwCount))
                return FALSE;
            for (i = 0; i < dwCount; i++)
            {
                ess = *(lpDependencies + i);
                // Open the service.
                SC_HANDLE hDepService = OpenService(schSCManager,
                    ess.lpServiceName,
                    SERVICE_STOP | SERVICE_QUERY_STATUS);
                if (!hDepService)
                    return FALSE;
                __try {
                    // Send a stop code. SERVICE_STATUS_PROCESS begins with the
                    // SERVICE_STATUS fields, so passing it through this cast is valid.
                    if (!ControlService(hDepService,
                        SERVICE_CONTROL_STOP,
                        (LPSERVICE_STATUS)&ssp))
                        return FALSE;
                    // Wait for the service to stop.
                    while (ssp.dwCurrentState != SERVICE_STOPPED)
                    {
                        Sleep(ssp.dwWaitHint);
                        // dwBytesNeeded is reused as the size out-parameter here;
                        // the enumeration buffer size is no longer needed.
                        if (!QueryServiceStatusEx(
                            hDepService,
                            SC_STATUS_PROCESS_INFO,
                            (LPBYTE)&ssp,
                            sizeof(SERVICE_STATUS_PROCESS),
                            &dwBytesNeeded))
                            return FALSE;
                        if (ssp.dwCurrentState == SERVICE_STOPPED)
                            break;
                        if (GetTickCount() - dwStartTime > dwTimeout)
                            return FALSE;
                    }
                }
                __finally
                {
                    // Always release the service handle (also runs on the early returns above).
                    CloseServiceHandle(hDepService);
                }
            }
        }
        __finally
        {
            // Always free the enumeration buffer.
            HeapFree(GetProcessHeap(), 0, lpDependencies);
        }
    }
    return TRUE;
}
// Opens the SCM and the service named "BEService", stops that service's
// dependents, sends SERVICE_CONTROL_STOP and waits up to dwTimeout for it to
// report SERVICE_STOPPED. Progress and every failure are printed to stdout;
// all exits after the handles are open go through stop_cleanup, which closes
// both handles. Opening the SCM with SC_MANAGER_ALL_ACCESS requires an
// elevated caller, so this fails early (and prints) in a non-admin process.
VOID __stdcall DoStopSvc()
{
    SERVICE_STATUS_PROCESS ssp;
    DWORD dwStartTime = GetTickCount();
    DWORD dwBytesNeeded;
    DWORD dwTimeout = 30000; // 30-second time-out, shared by the pending-wait and stop-wait loops
    DWORD dwWaitTime;
    // Get a handle to the SCM database.
    schSCManager = OpenSCManager(
        NULL, // local computer
        NULL, // ServicesActive database
        SC_MANAGER_ALL_ACCESS); // full access rights
    if (NULL == schSCManager)
    {
        printf("OpenSCManager failed (%d)\n", GetLastError());
        return;
    }
    // Get a handle to the service.
    schService = OpenService(
        schSCManager, // SCM database
        L"BEService", // name of service (the SERVICE_NAME macro is not used here)
        SERVICE_STOP |
        SERVICE_QUERY_STATUS |
        SERVICE_ENUMERATE_DEPENDENTS);
    if (schService == NULL)
    {
        printf("OpenService failed (%d)\n", GetLastError());
        CloseServiceHandle(schSCManager);
        return;
    }
    // Make sure the service is not already stopped.
    if (!QueryServiceStatusEx(
        schService,
        SC_STATUS_PROCESS_INFO,
        (LPBYTE)&ssp,
        sizeof(SERVICE_STATUS_PROCESS),
        &dwBytesNeeded))
    {
        printf("QueryServiceStatusEx failed (%d)\n", GetLastError());
        goto stop_cleanup;
    }
    if (ssp.dwCurrentState == SERVICE_STOPPED)
    {
        printf("Service is already stopped.\n");
        goto stop_cleanup;
    }
    // If a stop is pending, wait for it.
    while (ssp.dwCurrentState == SERVICE_STOP_PENDING)
    {
        printf("Service stop pending...\n");
        // Do not wait longer than the wait hint. A good interval is
        // one-tenth of the wait hint but not less than 1 second
        // and not more than 10 seconds.
        dwWaitTime = ssp.dwWaitHint / 10;
        if (dwWaitTime < 1000)
            dwWaitTime = 1000;
        else if (dwWaitTime > 10000)
            dwWaitTime = 10000;
        Sleep(dwWaitTime);
        if (!QueryServiceStatusEx(
            schService,
            SC_STATUS_PROCESS_INFO,
            (LPBYTE)&ssp,
            sizeof(SERVICE_STATUS_PROCESS),
            &dwBytesNeeded))
        {
            printf("QueryServiceStatusEx failed (%d)\n", GetLastError());
            goto stop_cleanup;
        }
        if (ssp.dwCurrentState == SERVICE_STOPPED)
        {
            printf("Service stopped successfully.\n");
            goto stop_cleanup;
        }
        if (GetTickCount() - dwStartTime > dwTimeout)
        {
            printf("Service stop timed out.\n");
            goto stop_cleanup;
        }
    }
    // If the service is running, dependencies must be stopped first.
    // NOTE(review): the BOOL result is ignored, so a dependent that failed to
    // stop does not prevent the stop request below.
    StopDependentServices();
    // Send a stop code to the service. SERVICE_STATUS_PROCESS starts with the
    // SERVICE_STATUS fields, so the cast is valid.
    if (!ControlService(
        schService,
        SERVICE_CONTROL_STOP,
        (LPSERVICE_STATUS)&ssp))
    {
        printf("ControlService failed (%d)\n", GetLastError());
        goto stop_cleanup;
    }
    // Wait for the service to stop.
    while (ssp.dwCurrentState != SERVICE_STOPPED)
    {
        Sleep(ssp.dwWaitHint);
        if (!QueryServiceStatusEx(
            schService,
            SC_STATUS_PROCESS_INFO,
            (LPBYTE)&ssp,
            sizeof(SERVICE_STATUS_PROCESS),
            &dwBytesNeeded))
        {
            printf("QueryServiceStatusEx failed (%d)\n", GetLastError());
            goto stop_cleanup;
        }
        if (ssp.dwCurrentState == SERVICE_STOPPED)
            break;
        if (GetTickCount() - dwStartTime > dwTimeout)
        {
            printf("Wait timed out\n");
            goto stop_cleanup;
        }
    }
    printf("BEService stopped successfully\n");
stop_cleanup:
    // Closes the handles but leaves the global variables holding the closed values.
    CloseServiceHandle(schService);
    CloseServiceHandle(schSCManager);
}
- #include <iostream>
- #include <iomanip>
- #include <fstream>
- #include <vector>
- #include <random>
// Entry point: stops the service named BEService through the SCM, then runs
// the pipe accept loop on a separate thread and blocks on it for the life of
// the process. argc/argv are unused. NOTE(review): a NULL return from
// CreateThread is not checked before WaitForSingleObject, and g_Thread is
// never closed; no exit code is returned explicitly (main defaults to 0).
int main(int argc, CHAR* argv[])
{
    DoStopSvc();
    g_Thread = CreateThread(NULL, 0, ServiceWorkerThread, NULL, 0, NULL);
    WaitForSingleObject(g_Thread, INFINITE);
}
// Accept loop for SERVICE_PIPE: creates one pipe instance per client, polls
// (every 125 ms) until a client connects, then hands the instance to a new
// ServiceHandleThread. lpParam is unused.
// Return value: 0 on any setup failure (written as false/FALSE) and
// ERROR_SUCCESS (also 0) when the stop event is signaled, so the caller cannot
// tell success from failure by the return code.
// Security note: SetSecurityDescriptorDacl(..., 1, nullptr, 0) installs a NULL
// DACL, which grants every local account full access to the pipe — any user or
// process on the machine can connect and drive the handler. The handle is also
// marked inheritable. A world-accessible named pipe like this is worth
// auditing/alerting on from the defender's side.
DWORD WINAPI ServiceWorkerThread(LPVOID lpParam)
{
    HANDLE g_PipeHandle = 0, g_PipeThread = 0;
    SECURITY_DESCRIPTOR security_decscriptor;
    if (!(InitializeSecurityDescriptor(&security_decscriptor, SECURITY_DESCRIPTOR_REVISION) && SetSecurityDescriptorDacl(&security_decscriptor, 1, nullptr, 0)))
    {
        return false;
    };
    SECURITY_ATTRIBUTES security_attributes = { sizeof(SECURITY_ATTRIBUTES) };
    security_attributes.lpSecurityDescriptor = static_cast<void*>(&security_decscriptor);
    security_attributes.bInheritHandle = TRUE;
    // Loop condition never sees WAIT_OBJECT_0 unless g_ServiceStopEvent is
    // assigned a real event somewhere outside this file.
    while (WaitForSingleObject(g_ServiceStopEvent, 0) != WAIT_OBJECT_0)
    {
        // PIPE_ACCESS_INBOUND | PIPE_ACCESS_DUPLEX collapses to PIPE_ACCESS_DUPLEX
        // (the INBOUND bit is contained in DUPLEX). PIPE_NOWAIT makes
        // ConnectNamedPipe/ReadFile return immediately, hence the polling below.
        g_PipeHandle = CreateNamedPipeA(SERVICE_PIPE, PIPE_ACCESS_INBOUND | PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE | PIPE_READMODE_MESSAGE | PIPE_NOWAIT, PIPE_UNLIMITED_INSTANCES, 4096, 4096, 0, &security_attributes);
        if (g_PipeHandle == NULL ||
            g_PipeHandle == INVALID_HANDLE_VALUE)
        {
            printf_s("BEService : CreateNamedPipeA failed.\n");
            return false;
        }
        // ERROR_PIPE_CONNECTED means a client attached between CreateNamedPipe
        // and ConnectNamedPipe; treat it as connected.
        while (!ConnectNamedPipe(g_PipeHandle, 0) && GetLastError() != ERROR_PIPE_CONNECTED)
        {
            // NOTE(review): breaking out here still falls through to spawn a
            // handler thread for the not-yet-connected instance.
            if (WaitForSingleObject(g_ServiceStopEvent, 0) == WAIT_OBJECT_0)
                break;
            Sleep(125);
        }
        // The handler thread owns g_PipeHandle from here on and closes it.
        if (!(g_PipeThread = CreateThread(0, 0, ServiceHandleThread, g_PipeHandle, 0, 0)))
        {
            printf_s("BEService : CreateThread failed.\n");
            return FALSE;
        }
        Threads.push_back(g_PipeThread);
    }
    return ERROR_SUCCESS;
}
// Returns the process id of the first process (after the initial snapshot
// entry) whose executable name exactly equals ProcessName, or 0 if none.
// ProcessName is widened character-by-character, so only ASCII names compare
// reliably against the wide szExeFile field. The snapshot handle is not
// validated before use, matching the existing behaviour.
uintptr_t myGetProcessId(std::string ProcessName)
{
    const std::wstring wanted(ProcessName.begin(), ProcessName.end());
    PROCESSENTRY32 entry;
    entry.dwSize = sizeof(PROCESSENTRY32);
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    uintptr_t pid = 0;
    // Process32First primes the walk; only the entries returned by
    // Process32Next are compared, so the very first entry is skipped.
    if (Process32First(snapshot, &entry) == TRUE)
    {
        while (Process32Next(snapshot, &entry) == TRUE)
        {
            if (wcscmp(entry.szExeFile, wanted.c_str()) != 0)
                continue;
            pid = entry.th32ProcessID;
            break;
        }
    }
    CloseHandle(snapshot);
    return pid;
}
// Per-connection handler. lpParam is the pipe instance handle created by
// ServiceWorkerThread. Looks up the PID of the named client executable,
// starts ServiceGameThread to watch it, then polls the pipe every 125 ms:
// the first byte of each message is treated as an ID and answered with a
// fixed reply (ID 6: an 85-byte constant; ID 2: two 5-byte records, the second
// carrying the PID; ID 0: the first received byte echoed back). Loops until
// the pipe breaks or the stop event is signaled; returns 0 on setup failure,
// TRUE afterwards.
// Security notes: the receive buffer is allocated PAGE_EXECUTE_READWRITE,
// which an I/O buffer never needs (PAGE_READWRITE suffices) and which is a
// common EDR heuristic for injected code; VirtualFree with MEM_DECOMMIT and a
// non-zero size decommits the pages but never releases the reservation, so
// each connection leaks address space (MEM_RELEASE with size 0 would free it).
DWORD WINAPI ServiceHandleThread(LPVOID lpParam)
{
    // Overlay for the received message: ID byte followed by payload.
    typedef struct BATTLEYE_DATA
    {
        BYTE ID;
        BYTE Data[256];
    }BATTLEYE_DATA, *PBATTLEYE_DATA;
    CHAR Buffer[1024]; // zeroed below but otherwise unused
    LPVOID lpBuffer = 0;
    DWORD dwReaded = 0, dwWritten = 0;
    static DWORD dwGameID = 0; // unused
    PBATTLEYE_DATA BattlEyeData = 0;
    HANDLE g_PipeHandle = reinterpret_cast<HANDLE>(lpParam);
    ZeroMemory(Buffer, 1024);
    lpBuffer = VirtualAlloc(0, 0x1000, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (!lpBuffer)
    {
        printf_s("BEService : VirtualAlloc failed.\n");
        return FALSE;
    }
    // 0 when the process is not running; ServiceGameThread then exits the
    // whole process almost immediately (see its OpenProcess handling).
    DWORD pProcessId = (DWORD)myGetProcessId("FortniteClient-Win64-Shipping.exe");
    // NOTE(review): a watcher thread is started per connection, and lpBuffer
    // is leaked on this early return.
    if (!CreateThread(0, 0, ServiceGameThread, reinterpret_cast<LPVOID>(pProcessId), 0, 0))
        return 0;
    printf_s("Process check thread has been started. \n");
    while (WaitForSingleObject(g_ServiceStopEvent, 0) != WAIT_OBJECT_0)
    {
        Sleep(125);
        // Only a broken pipe ends the loop; any other ReadFile failure (on a
        // PIPE_NOWAIT instance, presumably "no data yet") just polls again —
        // confirm that is the intended behaviour.
        if (!ReadFile(g_PipeHandle, lpBuffer, 0x1000, &dwReaded, 0) &&
            GetLastError() == ERROR_BROKEN_PIPE)
            break;
        if (dwReaded)
        {
            BattlEyeData = reinterpret_cast<PBATTLEYE_DATA>(lpBuffer);
            if (BattlEyeData->ID == 6)
            {
                // Fixed 85-byte reply; the literal 85 below must stay in sync
                // with this array (sizeof(Request) would be safer).
                byte Request[]{ 0x06, 0x98, 0x27, 0x86, 0x2D, 0x1B, 0xDC, 0xCC, 0xC7, 0x41, 0xFB, 0x17, 0x87, 0x68, 0x95, 0x03, 0x4E, 0x62, 0x87, 0x6F, 0xEB, 0x00, 0x2C, 0x16, 0x3D, 0x06, 0xB3, 0x2C, 0x17, 0x2A, 0xD7, 0x26, 0xD4, 0x3E, 0xCF, 0x54, 0x7B, 0x42, 0x6E, 0x33, 0xA7, 0x5A, 0xCF, 0x50, 0xD1, 0x5A, 0xCF, 0x51, 0xE7, 0xEA, 0x17, 0x90, 0xF9, 0xB7, 0x7F, 0x7C, 0x55, 0xCB, 0xB6, 0x63, 0xC3, 0xB5, 0xEE, 0x24, 0xE8, 0x5E, 0x62, 0xB1, 0x04, 0x2D, 0x98, 0xB8, 0x41, 0x7B, 0x82, 0x58, 0x4F, 0xE4, 0xA9, 0x72, 0x50, 0x73, 0xE1, 0xF7, 0xC3 };
                if (!WriteFile(g_PipeHandle, &Request, 85, &dwWritten, 0))
                    break;
                dwReaded = 0;
            }
            if (BattlEyeData->ID == 2)
            {
                // 5-byte record: ID byte plus a 4-byte little-endian argument.
                struct BATTLE_REQUEST_2
                {
                    BYTE ID;
                    BYTE pArgument[4];
                };
                BATTLE_REQUEST_2 Request;
                Request.ID = 2;
                Request.pArgument[0] = 0xDC;
                Request.pArgument[1] = 0xCF;
                Request.pArgument[2] = 0x73;
                Request.pArgument[3] = 0x5C;
                if (!WriteFile(g_PipeHandle, &Request, 5, &dwWritten, 0))
                    break;
                Request.ID = 2;
                // Second record carries the looked-up PID in the argument field.
                *reinterpret_cast<DWORD*>(Request.pArgument) = pProcessId;
                if (!WriteFile(g_PipeHandle, &Request, 5, &dwWritten, 0))
                    break;
                dwReaded = 0;
            }
            if (BattlEyeData->ID == 0)
            {
                // Echo the first byte of the received message.
                if (!WriteFile(g_PipeHandle, lpBuffer, 1, &dwWritten, 0))
                    break;
            }
            dwReaded = 0;
        }
    }
    CloseHandle(g_PipeHandle);
    VirtualFree(lpBuffer, 0x1000, MEM_DECOMMIT);
    return TRUE;
}
// Watches the process whose id is passed in lpParam and terminates this whole
// process (exit code 1) as soon as that process ends. ExitProcess never
// returns, so the trailing return TRUE is unreachable.
// Notes: PROCESS_ALL_ACCESS is far more than a wait requires — SYNCHRONIZE is
// the least-privilege right for WaitForSingleObject and is also granted more
// readily. OpenProcess failure (NULL, e.g. when the id is 0 because the lookup
// found nothing) is not checked; WaitForSingleObject(NULL) then fails at once
// and the process exits immediately. The pointer-to-DWORD reinterpret_cast
// narrows on 64-bit builds — TODO confirm it is accepted by the compiler used.
DWORD WINAPI ServiceGameThread(LPVOID lpParam)
{
    DWORD pProcessID = reinterpret_cast<DWORD>(lpParam);
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, pProcessID);
    WaitForSingleObject(hProcess, INFINITE);
    CloseHandle(hProcess);
    ExitProcess(1);
    return TRUE;
}