- #include <Windows.h>
- #include <TlHelp32.h>
- #include <iostream>
- #include <process.h>
- #include <io.h>
- #include <fcntl.h>
// Forward declarations of the helpers defined further down in this file.
//   DetourFunc    - overwrites the bytes at pAddress with a JMP (pMethod 1) or CALL (pMethod 2) to dwJumpTo.
//   CreateConsole - allocates a console and rebinds stdin/stdout/stderr to it.
//   BreakGame     - suspends (targetMode 1) or resumes (targetMode 2) every thread of targetProcessId
//                   except targetThreadId.
VOID WINAPI DetourFunc(BYTE *pAddress, DWORD dwJumpTo, DWORD dwLen, int pMethod);
VOID WINAPI CreateConsole(LPCSTR conTitle);
VOID WINAPI BreakGame(DWORD targetMode, DWORD targetProcessId, DWORD targetThreadId);
// Replacement functions that InitPatch redirects ExitProcess / EnumProcesses into.
// Despite the names these are ordinary local definitions in this file, not the Windows exports.
VOID* WINAPI RtlExitUserProcess(DWORD dwExitCode);
BOOL WINAPI K32EnumProcesses(DWORD *pProcessIds,DWORD cb,DWORD *pBytesReturned);
// Image name that the EnumProcesses replacement filters out of its results (case-sensitive compare).
#define ProcessToHide "OLLYDBG.EXE"
// Zero-initialised globals (static storage duration). No synchronisation: they are written in DllMain
// and read from the hook functions, which run on whatever thread calls the patched export.
BOOL p_check;          // user answered "yes" to the DllMain prompt; read by K32EnumProcesses
BOOL m_check;          // the DllMain prompt has already been shown
BOOL e_check;          // the "is hidden!" console message has already been printed
std::string str_msg;   // prompt text assembled in DllMain
// Thread entry started from DllMain via _beginthread. Installs the two inline hooks, then waits
// for XTrapVa.dll to appear in this process and overwrites a fixed address. `Argument` is unused.
// NOTE(review): the +0xF / +0xD offsets into ExitProcess / EnumProcesses and the literal address
// 0x4059ABB4 are tied to one specific build of those binaries. Nothing on this page checks that
// the bytes at those locations are what the author expected, and a NULL result from GetProcAddress
// is not checked either, so on any other build the writes land in unrelated code/data or fault.
void InitPatch(void * Argument){
    // Export address plus a fixed byte offset, i.e. a location inside the function body, not its entry.
    DWORD ExitProcess_O = reinterpret_cast<DWORD>(GetProcAddress(LoadLibraryA("Kernel32.dll"),"ExitProcess")) + 0xF;
    DWORD EnumProcesses_O = reinterpret_cast<DWORD>(GetProcAddress(LoadLibraryA("Psapi.dll"),"EnumProcesses")) + 0xD;
    // The length argument is sizeof(&fn) -- the size of a function pointer, not the length of the
    // instructions being replaced; see DetourFunc for how dwLen is used.
    // Method 2 = CALL into RtlExitUserProcess, method 1 = JMP into K32EnumProcesses.
    DetourFunc((PBYTE)ExitProcess_O,(DWORD)RtlExitUserProcess,sizeof(&RtlExitUserProcess),2);
    DetourFunc((PBYTE)EnumProcesses_O,(DWORD)K32EnumProcesses,sizeof(&K32EnumProcesses), 1);
    // Poll until the anti-cheat module has been loaded into this process.
    while(!GetModuleHandle("XTrapVa.dll")){
        Sleep(245);
    }
    // A narrow literal is reinterpreted as wchar_t*, so wmemcpy copies 6 wide chars = 12 bytes,
    // of which only the 7 bytes of "X6va01\0" belong to the literal; the other 5 are read past
    // its end (undefined behaviour) and written to the target as well.
    Sleep(500);
    wmemcpy((wchar_t*)0x4059ABB4,(const wchar_t*)"X6va01",6);
}
// DLL entry point. On DLL_PROCESS_ATTACH it asks once (MessageBox) whether ProcessToHide should be
// hidden and records the answer in p_check, starts InitPatch on a new thread, and opens a console.
// Every other reason just returns TRUE. `lpReserved` is unused.
// NOTE(review): MessageBox, _beginthread and AllocConsole are all invoked from inside DllMain,
// i.e. while the loader lock is held; a message box pumping messages there is a well-known
// deadlock risk.
BOOL WINAPI DllMain ( HMODULE hDll, DWORD dwReason, LPVOID lpReserved )
{
    DisableThreadLibraryCalls(hDll);
    if( dwReason == DLL_PROCESS_ATTACH)
    {
        // Builds "Would you like to hide <ProcessToHide> process ? ". The rest of the file passes
        // narrow strings to the Win32 API, so TEXT() presumably expands to a narrow literal here.
        str_msg += TEXT("Would you like to hide ");
        str_msg += ProcessToHide;
        str_msg += " process ? ";
        // m_check guards against asking more than once; p_check only ever goes from FALSE to TRUE.
        if(!m_check){
            if(MessageBox(NULL,str_msg.c_str() , "Warning", MB_YESNO) == IDYES)
            {
                if(!p_check){ p_check = true; }
            }
            m_check=true;
        }
        // The stack-size argument is sizeof(&InitPatch), i.e. a pointer size, not a real stack size;
        // presumably the CRT/OS rounds such a small value up to a usable default -- confirm.
        _beginthread(InitPatch,sizeof(&InitPatch),0);
        // Console used by the prompts in the hook functions.
        CreateConsole("Output");
    }
    return TRUE;
}
// Replacement that InitPatch installs over ExitProcess+0xF with a CALL (method 2).
// If a top-level window titled "MicroVolts" exists: freezes every other thread of the process
// (BreakGame mode 1), asks on the console whether the exit should proceed, thaws the threads
// (mode 2), then either terminates the process with exit code 8 or parks the current thread in
// SuspendThread. Otherwise returns FALSE (0). `dwExitCode` is unused; the declared return type is
// VOID* but the value returned is FALSE.
// NOTE(review): because the hook is a CALL, returning from here presumably continues in the
// original ExitProcess just after the patched bytes -- whether that is a valid instruction
// boundary depends on the exact kernel32 build and is not verified anywhere on this page.
VOID* WINAPI RtlExitUserProcess(DWORD dwExitCode)
{
    // Assigned from std::cin below; holds no defined value before that.
    int IsRun;
    if(FindWindowA(NULL,"MicroVolts")){
        BreakGame(1,GetCurrentProcessId(),GetCurrentThreadId());
        std::cout << "ExitProcess was called\nWould you like to run the function?[1][0] : ";
        // NOTE(review): the stream state is not checked, so a non-numeric answer leaves IsRun
        // unset (or 0, depending on the CRT's failed-extraction behaviour -- confirm).
        std::cin >> IsRun;
        BreakGame(2,GetCurrentProcessId(),GetCurrentThreadId());
        if(IsRun)
        {
            // Hard exit with code 8 instead of continuing the original ExitProcess path.
            TerminateProcess(GetCurrentProcess(),8);
        }
        else { std::cout << "Function killed ;o" << std::endl; }
        // Pseudo-handle for the calling thread (not a real handle, nothing to close).
        HANDLE gcHandle = GetCurrentThread();
        // SuspendThread(gcHandle) written as a stdcall call in inline asm; this thread stays
        // suspended until something else resumes it, so the code after the block is not reached.
        __asm{
            push gcHandle
            call dword ptr SuspendThread
        }
    }
    return FALSE;
}
// Replacement that InitPatch installs over EnumProcesses+0xD with a JMP (method 1). Takes its own
// Toolhelp snapshot; if ProcessToHide is found among the running images while p_check is set, the
// call fails (returns FALSE with last error 1), otherwise it returns TRUE.
// NOTE(review): the documented EnumProcesses contract -- fill pProcessIds and store the byte count
// through pBytesReturned -- is not honoured by the code below (see the notes on the three loops and
// on the final pBytesReturned assignment), so the caller's buffer is left as it was.
BOOL WINAPI K32EnumProcesses(DWORD *pProcessIds,DWORD cb,DWORD *pBytesReturned)
{
    // Binding the temporary std::string to a const reference keeps it alive for the whole function.
    const std::string& processName = ProcessToHide;
    // 16 KiB on the stack and never initialised: the `!ArrayOfProcesses[i]` tests below would read
    // indeterminate values.
    DWORD ArrayOfProcesses[4096];
    PROCESSENTRY32 processInfo;
    processInfo.dwSize = sizeof(processInfo);
    HANDLE processesSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
    if ( processesSnapshot == INVALID_HANDLE_VALUE )
        return 0;
    // Return value of Process32First is not checked before processInfo is used.
    Process32First(processesSnapshot, &processInfo);
    // compare() == 0 means equal (case-sensitive), so only the exact spelling of ProcessToHide matches.
    if ( !processName.compare(processInfo.szExeFile) )
    {
        CloseHandle(processesSnapshot);
        // The PID is returned as the BOOL result (non-zero reads as "success" to the caller).
        return processInfo.th32ProcessID;
    }
    while ( Process32Next(processesSnapshot, &processInfo) )
    {
        if( !processName.compare(processInfo.szExeFile) )
        {
            if(p_check == true){
                // Console notice, printed once per process lifetime (e_check).
                if(!e_check){
                    std::string pMessage;
                    pMessage += ProcessToHide;
                    pMessage += " is hidden!";
                    e_check = true;
                    std::cout << pMessage.c_str() << std::endl;
                }
                *pBytesReturned = 0;
                processInfo.th32ProcessID = 0;
                // Condition is `i > cb` with i starting at 0, so this loop body never executes.
                for ( int i = 0; i > cb; i++ )
                {
                    if (!ArrayOfProcesses[i]) { ArrayOfProcesses[i] = 1;}
                }
                // Report failure to the caller. The snapshot handle is not closed on this path.
                SetLastError(1);
                return FALSE;
            }
        }
        else
        {
            // Same `i > cb` condition: never executes, so no PID is ever recorded here.
            for ( int i = 0; i > cb; i++ )
            {
                if (!ArrayOfProcesses[i]) { ArrayOfProcesses[i] = processInfo.th32ProcessID; break; }
            }
        }
    }
    // Same `i > cb` condition: never executes, so nothing is written into pProcessIds.
    for ( int i = 0; i > cb; i++ )
    {
        if (!pProcessIds[i])
        {
            if(ArrayOfProcesses[i]) { pProcessIds[i] = ArrayOfProcesses[i]; }
        }
    }
    // Overwrites the local *pointer* with the integer sizeof(ArrayOfProcesses) (16384) instead of
    // storing through it; the caller's *pBytesReturned is not written on this path.
    pBytesReturned = reinterpret_cast<DWORD*>(sizeof(ArrayOfProcesses));
    // Adds cb to that pointer value and zeroes the local cb. Both are locals (by-value parameters),
    // so nothing here is visible to the caller.
    __asm{
        mov eax,pBytesReturned
        add eax,cb
        mov cb,0
        mov pBytesReturned,eax
    }
    // The snapshot handle is not closed on this path either.
    return TRUE;
}
// Writes a 5-byte relative JMP (pMethod 1, opcode E9) or CALL (pMethod 2, opcode E8) at pAddress
// targeting dwJumpTo, then pads bytes 5..dwLen-1 with NOP, temporarily making the range
// writable+executable. Any other pMethod leaves the opcode byte untouched but still writes the
// rel32 and the NOPs.
// From a defensive standpoint this is a textbook inline patch: a PAGE_EXECUTE_READWRITE transition
// on a kernel32/psapi code page followed by an E9/E8 at a non-entry offset is exactly what code
// integrity checks typically look for.
// NOTE(review): the rel32 is always written as 4 bytes at pAddress+1 (5 bytes in total) regardless
// of dwLen, while the VirtualProtect calls only cover dwLen bytes; their return values are not checked.
VOID WINAPI DetourFunc(BYTE *pAddress, DWORD dwJumpTo, DWORD dwLen, int pMethod){
    DWORD dwOldProtect, dwBkup, dwRelAddr;
    VirtualProtect(pAddress, dwLen, PAGE_EXECUTE_READWRITE, &dwOldProtect);
    // rel32 is relative to the end of the 5-byte instruction: target - (pAddress + 5).
    dwRelAddr = (DWORD) (dwJumpTo - (DWORD) pAddress) - 5;
    if(pMethod == 1){
        *pAddress = 0xE9;   // JMP rel32
    }
    if(pMethod == 2){
        *pAddress = 0xE8;   // CALL rel32
    }
    *((DWORD *)(pAddress + 0x1)) = dwRelAddr;
    // Pad the remainder of the replaced instruction(s) with NOP (0x90).
    for(DWORD x = 0x5; x < dwLen; x++)
        *(pAddress + x) = 0x90;
    // Restore the previous protection; the new old-protection value is discarded.
    VirtualProtect(pAddress, dwLen, dwOldProtect, &dwBkup);
}
// Allocates a console window titled conTitle and rebinds the CRT's stdout, stdin and stderr FILE
// objects to it (unbuffered), then synchronises the C++ iostreams with C stdio.
// Note: `*target = *stream` copies the FILE structure itself; this relies on the older CRT where
// FILE is a plain struct that may be assigned.
VOID WINAPI CreateConsole(LPCSTR conTitle)
{
    AllocConsole();
    SetConsoleTitle (conTitle);

    // Wraps one standard OS handle in a CRT stream and copies it over `target`.
    struct Rebind {
        static void attach(DWORD stdHandleId, const char *mode, FILE *target)
        {
            long osHandle = (long)GetStdHandle(stdHandleId);
            int crtFd = _open_osfhandle(osHandle, _O_TEXT);
            FILE *stream = _fdopen( crtFd, mode );
            *target = *stream;
            setvbuf( target, NULL, _IONBF, 0 );
        }
    };

    Rebind::attach(STD_OUTPUT_HANDLE, "w", stdout);  // STDOUT
    Rebind::attach(STD_INPUT_HANDLE,  "r", stdin);   // STDIN
    Rebind::attach(STD_ERROR_HANDLE,  "w", stderr);  // STDERR

    std::ios::sync_with_stdio();
}
// Walks a Toolhelp thread snapshot and suspends (targetMode == 1) or resumes (targetMode == 2)
// every thread owned by targetProcessId except targetThreadId. Any other mode is a no-op.
// Threads that cannot be opened are skipped silently.
VOID WINAPI BreakGame(DWORD targetMode, DWORD targetProcessId, DWORD targetThreadId)
{
    const bool doSuspend = (targetMode == 1);
    const bool doResume  = (targetMode == 2);
    if (!doSuspend && !doResume)
        return;

    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
    if (snapshot == INVALID_HANDLE_VALUE)
        return;

    THREADENTRY32 entry;
    entry.dwSize = sizeof(entry);
    if (Thread32First(snapshot, &entry))
    {
        do
        {
            // Only trust th32OwnerProcessID when the record returned is large enough to contain it.
            const bool hasOwner = entry.dwSize >= FIELD_OFFSET(THREADENTRY32, th32OwnerProcessID) + sizeof(entry.th32OwnerProcessID);
            const bool isTarget = hasOwner
                && entry.th32OwnerProcessID == targetProcessId
                && entry.th32ThreadID != targetThreadId;
            if (isTarget)
            {
                HANDLE thread = ::OpenThread(THREAD_ALL_ACCESS, FALSE, entry.th32ThreadID);
                if (thread != NULL)
                {
                    if (doSuspend)
                        SuspendThread(thread);
                    else
                        ResumeThread(thread);
                    CloseHandle(thread);
                }
            }
            // Reset dwSize before the next query, as Thread32Next may shrink it.
            entry.dwSize = sizeof(entry);
        } while (Thread32Next(snapshot, &entry));
    }
    CloseHandle(snapshot);
}