// Memcheck_Disable
//
// Names defined elsewhere in the project: CriticalSection, getSectionInfo,
// PlaceHook, Memcheck_Hook. The block uses MSVC `__asm` and casts pointers to
// DWORD, so it is 32-bit x86 MSVC-only code.
//
// What the function does, as written:
//   1. Initialises and enters a critical section (initialised on every call).
//   2. Locates ntdll.dll's .text section through getSectionInfo().
//   3. Allocates an RWX buffer, copies .text into it, and then changes the
//      protection of the live .text section itself to PAGE_EXECUTE_READWRITE.
//   4. Reinterprets the value returned by GetTickCount64() as a byte pointer,
//      runs a loop that modifies the byte at that pointer and executes an
//      inline-asm block until a byte-pattern condition holds, then copies a
//      pointer-sized chunk from that location into a second RWX allocation.
//   5. Installs a hook at a hard-coded offset from the kernel32.dll base.
//
// Defender / detection notes:
//   * PAGE_EXECUTE_READWRITE allocations and a VirtualProtect() that turns a
//     system DLL's .text RWX are high-signal events for EDR and memory
//     scanners; a loaded module whose .text protection or contents no longer
//     match the on-disk image is a classic integrity-check finding.
//   * The hook address is a fixed RVA into kernel32.dll; presumably valid for
//     a single kernel32 build only — TODO confirm.
//
// Returns TRUE after the hook has been placed, FALSE when .text cannot be
// located or the second allocation fails. On both FALSE paths the critical
// section is still held (no LeaveCriticalSection), and neither ModuleCopy nor
// FunctionCopy is read again within this function.
BOOL Memcheck_Disable()
{
    InitializeCriticalSection(&CriticalSection); // NOTE(review): re-initialised on every call
    EnterCriticalSection(&CriticalSection);

    HMODULE NtDll = GetModuleHandle("ntdll.dll");
    MODULEINFO ModuleInfo;
    GetModuleInformation(GetCurrentProcess(), NtDll, &ModuleInfo, sizeof(ModuleInfo)); // Gather Module information about ntdll.dll
    uintptr_t sectionAddress;
    uintptr_t sectionSize;

    // NOTE(review): when NtDll is null the section lookup is skipped entirely and
    // sectionAddress/sectionSize remain uninitialised for the memcpy/VirtualProtect below.
    if (NtDll && !getSectionInfo(NtDll, ".text", sectionAddress, sectionSize)) // Gather section information about .text
        // This is the case where .text couldn't be found
        // (the critical section entered above is not left on this path)
        return FALSE; // Return false because of failure, we can't continue if we don't know information about .text

    // RWX allocation the size of the whole image; only the .text bytes are copied into it.
    // NOTE(review): the result is not null-checked before the memcpy, and ModuleCopy is never read afterwards.
    PVOID ModuleCopy = VirtualAlloc(nullptr, ModuleInfo.SizeOfImage, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); //Copy the Module with our allocations and protection
    DWORD OldProtection;

    memcpy(ModuleCopy, reinterpret_cast<LPVOID>(sectionAddress), sectionSize);
    // Makes ntdll's live .text section writable and executable; OldProtection is never restored.
    VirtualProtect(reinterpret_cast<LPVOID>(sectionAddress), sectionSize, PAGE_EXECUTE_READWRITE, &OldProtection);

    // The *return value* of GetTickCount64() (a ULONGLONG tick count) is reinterpreted as a byte pointer;
    // every dereference below reads or writes whatever that value happens to address.
    unsigned char* functionMemory = reinterpret_cast<unsigned char*>(GetTickCount64());
    // addr + disp32 at offset 1 + 5: looks like a rel32 call/jmp target computation — TODO confirm intent.
    DWORD Location = reinterpret_cast<DWORD>(functionMemory) + *reinterpret_cast<DWORD*>(functionMemory + 1) + 5;
    DWORD NtDllBase = reinterpret_cast<DWORD>(NtDll);
    uintptr_t NtDllSize = ModuleInfo.SizeOfImage;
    volatile unsigned char* newFunctionMemory = functionMemory;

    if (functionMemory[0] && (Location - sectionAddress < NtDllSize)) // Make sure it's within the NtDllSize, this is what ROBLOX is looking for in terms of the memory check.
    {
        // mov eax, dword 0x0000???? <- B8 ?? ?? 00 00
        if ((functionMemory[0] != 0xB8 || functionMemory[3] != 0x00 || functionMemory[4] != 0x00 && (Location - NtDllBase) > NtDllSize))
        {
            do
            {
                /*
                Run until this hits the functions prologue.
                Will assume that all call are 0x10 (16) bytes credits go to Chirality for this.
                */
                // Adds 0x10 to the byte stored at newFunctionMemory (a write through the pointer).
                newFunctionMemory[0] += 0x10;
                // MSVC inline assembly. Nothing after this block reads eax, and the push
                // has no matching pop anywhere in the loop.
                __asm
                {
                    mov eax, newFunctionMemory;
                    ror eax, 3;
                    push ad;
                }
            } while (!newFunctionMemory[0] == 0x55 && newFunctionMemory[1] == 0x8B && newFunctionMemory[2] == 0xEC); //Copied from Brandon's Retcheck Prologue, works in this case
        }
        // sizeof(functionMemory) is the size of the pointer variable (4 bytes in a 32-bit build), not of any function.
        PVOID FunctionCopy = VirtualAlloc(nullptr, sizeof(functionMemory), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); //Copy the function with allocations and protections

        if (FunctionCopy == nullptr)
            // Returns FALSE because the function isn't copied hence failure
            // (the critical section is still held on this path)
            return FALSE;

        // Copies the new function memory to the new copied function
        // (again sizeof() of a pointer variable; FunctionCopy is not used afterwards)
        memcpy(FunctionCopy, newFunctionMemory, sizeof(newFunctionMemory));
    }

    // Hook placement at a fixed offset from the kernel32.dll base — see the trailing
    // comment for how the offset was derived. A hard-coded RVA is tied to one specific
    // kernel32 build; presumably fails or corrupts memory on any other version.
    DWORD Kernel32Module = reinterpret_cast<DWORD>(GetModuleHandle("kernel32.dll"));
    PlaceHook(Kernel32Module + 0x0A5A92A, &Memcheck_Hook); //Place our Memory Checker Hook //Address = Kernel32.dll+SetProcessDEPPolicy+0x1C
    LeaveCriticalSection(&CriticalSection);
    return TRUE; // Return TRUE because the bypass successfully worked
}