  1. #include <Windows.h>
  2. #include <process.h>
  3. #include <TlHelp32.h>
  4. #include <Psapi.h>
  5. #include "mHook.h"
  6.  
  7. #pragma comment(lib,"Psapi.lib")
  8.  
// Module to exit
// Handle of this DLL, recorded in DllMain and later handed to
// FreeLibraryAndExitThread at the end of _beginhook so the module unloads itself.
HMODULE hDLL;

/* Our hooked-function */
// Naked stub passed to mHook::DetourCodeCave as the detour for
// EnumProcesses and ExitProcess (see _beginhook); defined at the bottom of the file.
void DefineNothing_CC();
/* Our hooked-function */
// Naked stub passed to mHook::DetourCodeCave as the detour for
// Kernel32!K32EnumProcesses (see _beginhook); defined at the bottom of the file.
void K32Enum_CC();
  16.  
  17.  
  18.  
// Function to begin the hook
// Thread entry point started from DllMain through _beginthread, hence the
// void(void*) signature (the argument is unused). It waits for XTrapVa.dll to
// appear in the process, patches the process-enumeration and ExitProcess
// exports through mHook::DetourCodeCave, performs one unguarded write to a
// hard-coded address, and then unloads this DLL.
// Every address is kept in a 32-bit DWORD and module handles are cast to it,
// so this only makes sense inside a 32-bit (x86) process; in a 64-bit process
// the casts would truncate pointers.
// mHook.h is not in view, so what DetourCodeCave does with its third argument
// is an assumption noted below — TODO confirm against that header.
void _beginhook(void*){

// our addresses
DWORD dwAddy;          // address of the export currently being patched
DWORD dwDLL;           // base of the module the export is resolved from
DWORD dwXTrap;         // base of XTrapVa.dll once it is mapped
DWORD dwXTrapDriver;   // fixed address written to near the end


// wait for xtrap
// Poll every 500 ms until the anti-cheat module is mapped. There is no
// timeout: if the module never loads, this thread spins forever and the
// DLL is never released.
while(1){
// break
Sleep(500);
// get xtrap base
dwXTrap = (DWORD)GetModuleHandle("XTrapVa.dll");
// check if it exists
if(dwXTrap){
// leave
break;
}

}


// PSAPI_VERSION is a macro from Psapi.h, so this condition is a compile-time
// constant: it selects whether process enumeration is reached through
// Psapi.dll!EnumProcesses (version 1) or Kernel32!K32EnumProcesses.
// In both branches the GetModuleHandle / GetProcAddress results are cast and
// passed straight to DetourCodeCave without a NULL check.
if(PSAPI_VERSION == 1){
// get address
dwDLL = (DWORD)GetModuleHandle("Psapi.dll");
// get address
dwAddy = (DWORD)GetProcAddress((HINSTANCE)dwDLL,"EnumProcesses");
// Prevent XTrap from enumerating processes.
// The third argument (19 here, 27 and 3 below) is presumably a byte count,
// i.e. how many bytes of the stub are copied over the export's entry —
// TODO confirm in mHook.h.
mHook::DetourCodeCave(dwAddy,(DWORD)DefineNothing_CC,19);

// get address
dwDLL = (DWORD)GetModuleHandle("Kernel32.dll");
// get address
dwAddy = (DWORD)GetProcAddress((HINSTANCE)dwDLL,"ExitProcess");
// Prevent the process from exiting when OllyDbg was found.
mHook::DetourCodeCave(dwAddy,(DWORD)DefineNothing_CC,27);
}
else
{
// little break
Sleep(500);
// set new dll
dwDLL = (DWORD)GetModuleHandle("Kernel32.dll");
// get new addy
dwAddy = (DWORD)GetProcAddress((HINSTANCE)dwDLL,"K32EnumProcesses");
// Prevent XTrap from enumerating processes.
// 3 matches the encoded size of the single `ret 0Ch` in K32Enum_CC, which
// supports reading the argument as a byte count.
mHook::DetourCodeCave(dwAddy,(DWORD)K32Enum_CC,3);

// get address
// Same module as the previous lookup; the handle is re-fetched anyway.
dwDLL = (DWORD)GetModuleHandle("Kernel32.dll");
// get address
dwAddy = (DWORD)GetProcAddress((HINSTANCE)dwDLL,"ExitProcess");
// Prevent the process from exiting when OllyDbg was found.
mHook::DetourCodeCave(dwAddy,(DWORD)DefineNothing_CC,27);

}

// Get driver Address
// Absolute address baked in at compile time — not derived from dwXTrap or
// from any lookup, so it is only meaningful for the exact build the author
// targeted, and nothing here validates it.
dwXTrapDriver = 0x406668A0;
// Change it
// Unguarded 6-wchar (12-byte) write to that fixed address: no VirtualProtect,
// no check that the page is mapped or writable, so on any other build this
// is an access violation that takes the host process down.
// Detection note: this blind in-process write, together with the patched
// Psapi/Kernel32 export prologues above, is exactly what code-integrity
// checks on loaded modules are meant to surface.
wmemcpy((wchar_t*)dwXTrapDriver,L"X6va01",6);

// Exit
// Unloads this DLL and ends the thread with exit code 8. If DetourCodeCave
// installed jumps into this module rather than copying the stub bytes in
// place, the patched exports would dangle after this unload — which of the
// two it does depends on mHook.h, TODO confirm.
FreeLibraryAndExitThread(hDLL,8);

}
  88.  
  89.  
  90.  
  91.  
/* Main */
// DLL entry point. On DLL_PROCESS_ATTACH it records this module's handle in
// the global hDLL and starts _beginhook on a new CRT thread; all real work is
// deferred to that thread, which does not run until DllMain has returned and
// the loader lock is released. The _beginthread return value (-1L on failure)
// is not checked. The function returns TRUE on process attach; the FALSE
// returned for every other reason code is ignored by the loader, which only
// honours the return value for DLL_PROCESS_ATTACH, so it is not a failure
// path. lpvReserved is unused.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved){


if(fdwReason == DLL_PROCESS_ATTACH){



// set our Module
hDLL = hinstDLL;
// begin
// _beginhook has the void(void*) __cdecl shape _beginthread requires.
_beginthread(_beginhook,0,0);

// success
return true;
}

// fail
// Reached for thread attach/detach and process detach; see note above.
return false;
}
  112.  
  113.  
/* Our hooked-function */
// Naked stub used as the detour for Kernel32!K32EnumProcesses. Its whole body
// is one stdcall return that pops 12 bytes — the three DWORD-sized arguments
// of EnumProcesses(DWORD*, DWORD, DWORD*). It never sets EAX and never writes
// the caller's PID buffer or lpcbNeeded, so the caller gets back whatever
// happened to be in EAX as its BOOL result and an untouched buffer.
// The 3 passed to DetourCodeCave for this stub equals the encoded length of
// `ret 0Ch`, which is why it reads as "copy these bytes over the export" —
// TODO confirm against mHook.h, which is not in view.
__declspec( naked ) void K32Enum_CC(){
__asm{
ret 0x00C
}
}
  120.  
/* Our hooked-function */
// Naked stub used as the detour for EnumProcesses and ExitProcess. The first
// four instructions reproduce the hot-patchable x86 prologue
// (mov edi,edi / push ebp / mov ebp,esp) and immediately undo it (pop ebp),
// then a short jump skips five nops and lands in a longer run of nops.
// There is no ret, so this is not meant to be called as a function: taken as
// raw bytes copied over the start of the target export (the 19 and 27 byte
// counts passed to DetourCodeCave in _beginhook), execution would fall
// through the nops into whatever follows the overwritten prologue in that
// export. This reading depends on mHook.h, which is not in view — TODO
// confirm. The author's stated intent is simply that the patched export does
// no work.
__declspec( naked ) void DefineNothing_CC(){
__asm{
mov edi,edi
push ebp
mov ebp,esp
pop ebp
jmp orig
nop
nop
nop
nop
nop
orig:
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
}
}