XTrap Bypass [Cheat Engine, Ollydbg, IDA PRO undetected]

1. #include <Windows.h>
2. #include <TlHelp32.h>
3. #include <iostream>
4. #include <process.h>
5. #include <io.h>
6. #include <fcntl.h>
7.  
8. // Define all Functions
9. VOID WINAPI DetourFunc(BYTE *pAddress, DWORD dwJumpTo, DWORD dwLen, int pMethod);
10. VOID WINAPI CreateConsole(LPCSTR conTitle);
11. VOID WINAPI BreakGame(DWORD targetMode, DWORD targetProcessId, DWORD targetThreadId);
12.  
13. // Define Detoured-Functions
14. VOID* WINAPI RtlExitUserProcess(DWORD dwExitCode);
15. BOOL WINAPI K32EnumProcesses(DWORD *pProcessIds,DWORD cb,DWORD *pBytesReturned);
16.  
17. // Define all
18. #define ProcessToHide "OLLYDBG.EXE"
19.  
20. // Define stuff
21. BOOL p_check;
22. BOOL m_check;
23. BOOL e_check;
24. std::string str_msg;
25.  
26. // Function to patch all
27. void InitPatch(void * Argument){
28.  
29. // Getting Address of original function
30. DWORD ExitProcess_O = reinterpret_cast<DWORD>(GetProcAddress(LoadLibraryA("Kernel32.dll"),"ExitProcess")) + 0xF;
31. DWORD EnumProcesses_O = reinterpret_cast<DWORD>(GetProcAddress(LoadLibraryA("Psapi.dll"),"EnumProcesses")) + 0xD;
32. // Hook Functions / Patch
33. DetourFunc((PBYTE)ExitProcess_O,(DWORD)RtlExitUserProcess,sizeof(&RtlExitUserProcess),2);
34. DetourFunc((PBYTE)EnumProcesses_O,(DWORD)K32EnumProcesses,sizeof(&K32EnumProcesses), 1);
35. // Wait until XTrap is loaded
36. while(!GetModuleHandle("XTrapVa.dll")){
37. Sleep(245);
38. }
39. // Little break and then bypass the driver
40. Sleep(500);
41. wmemcpy((wchar_t*)0x4059ABB4,(const wchar_t*)"X6va01",6);
42. }
43.  
44.  
45. // Main
46. BOOL WINAPI DllMain ( HMODULE hDll, DWORD dwReason, LPVOID lpReserved )
47. {
48. DisableThreadLibraryCalls(hDll);
49. if( dwReason == DLL_PROCESS_ATTACH)
50.  
51. {
52. // Show MessageBox and save answer
53. str_msg += TEXT("Would you like to hide ");
54. str_msg += ProcessToHide;
55. str_msg += " process ? ";
56. if(!m_check){
57. if(MessageBox(NULL,str_msg.c_str() , "Warning", MB_YESNO) == IDYES)
58. {
59. if(!p_check){ p_check = true; }
60. }
61. m_check=true;
62. }
63. // Patch It :)
64. _beginthread(InitPatch,sizeof(&InitPatch),0);
65. // Create console
66. CreateConsole("Output");
67.  
68. }
69.  
70.  
71. return TRUE;
72. }
73.  
74. // Faked Function
75. VOID* WINAPI RtlExitUserProcess(DWORD dwExitCode)
76. {
77. // Define IsRun
78. int IsRun;
79. // If MicroVolts is started..
80. if(FindWindowA(NULL,"MicroVolts")){
81. // Show Message and wait for the answer
82. BreakGame(1,GetCurrentProcessId(),GetCurrentThreadId());
83. std::cout << "ExitProcess was called\nWould you like to run the function?[1][0] : ";
84. std::cin >> IsRun;
85. BreakGame(2,GetCurrentProcessId(),GetCurrentThreadId());
86. // Check and then print message
87. if(IsRun)
88.  
89. {
90. // Exit
91. TerminateProcess(GetCurrentProcess(),8);
92. }
93.  
94. else { std::cout << "Function killed ;o" << std::endl; }
95.  
96. // Getting currentThread
97. HANDLE gcHandle = GetCurrentThread();
98.  
99. // Suspend currentThread
100. __asm{
101. push gcHandle
102. call dword ptr SuspendThread
103. }
104. }
105.  
106. // Returning False
107. return FALSE;
108. }
109.  
110. // Faked Function
111. BOOL WINAPI K32EnumProcesses(DWORD *pProcessIds,DWORD cb,DWORD *pBytesReturned)
112. {
113. // Define all
114. const std::string& processName = ProcessToHide;
115.  
116. // Define all what is needed for snapshot etc.
117. DWORD ArrayOfProcesses[4096];
118. PROCESSENTRY32 processInfo;
119. processInfo.dwSize = sizeof(processInfo);
120.  
121. // Create snapshot of all processes
122. HANDLE processesSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
123. if ( processesSnapshot == INVALID_HANDLE_VALUE )
124. return 0;
125. // Scan it first
126. Process32First(processesSnapshot, &processInfo);
127. if ( !processName.compare(processInfo.szExeFile) )
128. {
129. CloseHandle(processesSnapshot);
130. return processInfo.th32ProcessID;
131. }
132. // Start while it was the right id
133. while ( Process32Next(processesSnapshot, &processInfo) )
134. {
135. if( !processName.compare(processInfo.szExeFile) )
136. {
137.  
138.  
139. if(p_check == true){
140.  
141. // Print message
142. if(!e_check){
143. std::string pMessage;
144. pMessage += ProcessToHide;
145. pMessage += " is hidden!";
146. e_check = true;
147. std::cout << pMessage.c_str() << std::endl;
148. }
149. // Set all
150. *pBytesReturned = 0;
151. processInfo.th32ProcessID = 0;
152.  
153.  
154. // Add process
155. for ( int i = 0; i > cb; i++ )
156. {
157.  
158.  
159. if (!ArrayOfProcesses[i]) { ArrayOfProcesses[i] = 1;}
160.  
161. }
162. // Return 0 to fail the function
163. SetLastError(1);
164. return FALSE;
165.  
166.  
167. }
168. }
169. else
170. {
171.  
172.  
173. // Add process
174. for ( int i = 0; i > cb; i++ )
175. {
176.  
177. if (!ArrayOfProcesses[i]) { ArrayOfProcesses[i] = processInfo.th32ProcessID; break; }
178.  
179. }
180.  
181.  
182.  
183. }
184. }
185.  
186. // Move array
187. for ( int i = 0; i > cb; i++ )
188. {
189.  
190. if (!pProcessIds[i])
191. {
192. if(ArrayOfProcesses[i]) { pProcessIds[i] = ArrayOfProcesses[i]; }
193. }
194.  
195. }
196.  
197. // Set size
198. pBytesReturned = reinterpret_cast<DWORD*>(sizeof(ArrayOfProcesses));
199. __asm{
200. mov eax,pBytesReturned
201. add eax,cb
202. mov cb,0
203. mov pBytesReturned,eax
204. }
205.  
206.  
207. // Return True to check the process
208. return TRUE;
209. }
210.  
211.  
212. // Function to Detour Functions
213. VOID WINAPI DetourFunc(BYTE *pAddress, DWORD dwJumpTo, DWORD dwLen, int pMethod){
214.  
215. DWORD dwOldProtect, dwBkup, dwRelAddr;
216.  
217. // Basic VirtualProtect... y'all should know this
218. VirtualProtect(pAddress, dwLen, PAGE_EXECUTE_READWRITE, &dwOldProtect);
219.  
220. // Calculate the "distance" we're gonna have to jump - the size of the JMP instruction
221. dwRelAddr = (DWORD) (dwJumpTo - (DWORD) pAddress) - 5;
222.  
223. // Write the JMP/CALL opcode @ our jump/CALL position...
224. if(pMethod == 1){
225. *pAddress = 0xE9;
226. }
227. if(pMethod == 2){
228. *pAddress = 0xE8;
229. }
230.  
231. // Write the offset to where we're gonna jump/CALL
232. *((DWORD *)(pAddress + 0x1)) = dwRelAddr;
233.  
234. // Overwrite the rest of the bytes with NOPs
235. for(DWORD x = 0x5; x < dwLen; x++)
236. *(pAddress + x) = 0x90;
237.  
238. // Restore the default permissions
239. VirtualProtect(pAddress, dwLen, dwOldProtect, &dwBkup);
240.  
241. }
242.  
243. // Function to create a console
244. VOID WINAPI CreateConsole(LPCSTR conTitle)
245. {
246. int hConHandle;
247. long lStdHandle;
248. FILE *fp;
249.  
250. AllocConsole(); // Spawn console
251. SetConsoleTitle (conTitle);
252.  
253. // Redirect STDOUT
254. lStdHandle = (long)GetStdHandle(STD_OUTPUT_HANDLE);
255. hConHandle = _open_osfhandle(lStdHandle, _O_TEXT);
256. fp = _fdopen( hConHandle, "w" );
257. *stdout = *fp;
258. setvbuf( stdout, NULL, _IONBF, 0 );
259.  
260. // Redirect STDIN
261. lStdHandle = (long)GetStdHandle(STD_INPUT_HANDLE);
262. hConHandle = _open_osfhandle(lStdHandle, _O_TEXT);
263. fp = _fdopen( hConHandle, "r" );
264. *stdin = *fp;
265. setvbuf( stdin, NULL, _IONBF, 0 );
266.  
267. // Redirect STDERR
268. lStdHandle = (long)GetStdHandle(STD_ERROR_HANDLE);
269. hConHandle = _open_osfhandle(lStdHandle, _O_TEXT);
270. fp = _fdopen( hConHandle, "w" );
271. *stderr = *fp;
272. setvbuf( stderr, NULL, _IONBF, 0 );
273.  
274. // Redirect all
275. std::ios::sync_with_stdio();
276. }
277.  
278. // Function to break threads
279. VOID WINAPI BreakGame(DWORD targetMode, DWORD targetProcessId, DWORD targetThreadId)
280. {
281. if(targetMode == 1){
282. HANDLE h = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
283. if (h != INVALID_HANDLE_VALUE)
284. {
285. THREADENTRY32 te;
286. te.dwSize = sizeof(te);
287. if (Thread32First(h, &te))
288. {
289. do
290. {
291. if (te.dwSize >= FIELD_OFFSET(THREADENTRY32, th32OwnerProcessID) + sizeof(te.th32OwnerProcessID))
292. {
293. // Suspend all threads EXCEPT one
294. if(te.th32ThreadID != targetThreadId && te.th32OwnerProcessID == targetProcessId)
295. {
296. HANDLE thread = ::OpenThread(THREAD_ALL_ACCESS, FALSE, te.th32ThreadID);
297. if(thread != NULL)
298. {
299. SuspendThread(thread);
300. CloseHandle(thread);
301. }
302. }
303. }
304. te.dwSize = sizeof(te);
305. } while (Thread32Next(h, &te));
306. }
307. CloseHandle(h);
308. }
309. }
310.  
311. if(targetMode == 2){
312. HANDLE h = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
313. if (h != INVALID_HANDLE_VALUE)
314. {
315. THREADENTRY32 te;
316. te.dwSize = sizeof(te);
317. if (Thread32First(h, &te))
318. {
319. do
320. {
321. if (te.dwSize >= FIELD_OFFSET(THREADENTRY32, th32OwnerProcessID) + sizeof(te.th32OwnerProcessID))
322. {
323. // Resume all threads
324. if(te.th32ThreadID != targetThreadId && te.th32OwnerProcessID == targetProcessId)
325. {
326. HANDLE thread = ::OpenThread(THREAD_ALL_ACCESS, FALSE, te.th32ThreadID);
327. if(thread != NULL)
328. {
329. ResumeThread(thread);
330. CloseHandle(thread);
331. }
332. }
333. }
334. te.dwSize = sizeof(te);
335. } while (Thread32Next(h, &te));
336. }
337. CloseHandle(h);
338. }
339. }
340. }