
    PEB Hiding & Polymorphic Techniques


    To make detection harder, these are a few key techniques to look into. I'm only posting the source here (I'm a bad teacher), so you should research each of these techniques further on your own.

    Credits are all around, the Poly Class is from matypatty's VIP Base. Poly.cpp & Poly.h were coded by s0beit.

    Code:
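    // Zeroes cb bytes at p: makes the containing page(s) writable, clears them,
    // then puts the previous protection back.  Returns false (and writes nothing)
    // if the pages could not be made writable.
    static bool ZeroProtectedRange(void* p, SIZE_T cb)
    {
    	DWORD oldProtect = 0;
    	if (!VirtualProtect(p, cb, PAGE_READWRITE, &oldProtect))
    		return false;

    	BYTE* dst = static_cast<BYTE*>(p);
    	for (SIZE_T i = 0; i < cb; ++i)
    		dst[i] = 0;

    	// The previous version left the page PAGE_READWRITE afterwards; restore
    	// whatever it was (lpflOldProtect must be non-NULL or the call fails).
    	DWORD ignored = 0;
    	VirtualProtect(p, cb, oldProtect, &ignored);
    	return true;
    }

    void cTools::EraseHeaders(HINSTANCE hModule)
    {
    	// Zero the in-memory IMAGE_DOS_HEADER and IMAGE_NT_HEADERS of the module
    	// loaded at hModule.  No-op for a null handle or for memory that does not
    	// (or no longer) carry valid PE signatures, so calling this twice is safe.
    	// The old code read e_lfanew without checking e_magic, so a second call
    	// would have derived pNtH from an already-zeroed DOS header.
    	//
    	// Consequences to keep in mind:
    	//  * Anything that later parses this module's headers stops working.
    	//    In this listing, cPoly::GetSectionInformation() checks e_magic and
    	//    returns {0,0} for an erased module, so DestroyAndMorphSection()
    	//    must be called BEFORE EraseHeaders().
    	//  * Only sizeof(IMAGE_DOS_HEADER) + sizeof(IMAGE_NT_HEADERS) bytes are
    	//    cleared; the section table that follows the NT headers stays intact.
    	//  * 32-bit layout assumed (IMAGE_NT_HEADERS), like the rest of this file.
    	if (!hModule) return;

    	PIMAGE_DOS_HEADER pDoH = reinterpret_cast<PIMAGE_DOS_HEADER>(hModule);
    	if (pDoH->e_magic != IMAGE_DOS_SIGNATURE) return;

    	PIMAGE_NT_HEADERS pNtH = reinterpret_cast<PIMAGE_NT_HEADERS>(
    		reinterpret_cast<BYTE*>(hModule) + pDoH->e_lfanew);
    	if (pNtH->Signature != IMAGE_NT_SIGNATURE) return;

    	// Order does not matter here: pNtH was computed above, before either
    	// header is touched.  Both ranges are restored to their old protection.
    	ZeroProtectedRange(pNtH, sizeof(IMAGE_NT_HEADERS));
    	ZeroProtectedRange(pDoH, sizeof(IMAGE_DOS_HEADER));
    }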
    
    void cTools::HideModule(HINSTANCE hModule)
    {
    	// Unlinks the loader entry whose DllBase equals hModule from the three
    	// module lists hanging off PEB->Ldr (InLoadOrder, InMemoryOrder and
    	// InInitializationOrder -- see the labels below).  Hard-coded x86 layout:
    	// fs:[30h] is the PEB, +0Ch its Ldr pointer; the +0Ch/+14h/+1Ch list
    	// heads and the +18h/+10h/+08h DllBase offsets used below assume the
    	// 32-bit PEB_LDR_DATA / LDR_DATA_TABLE_ENTRY layout.  Not valid for x64.
    	//
    	// Behaviour worth knowing before relying on it:
    	//  * Each walk starts at head.Flink but does `lodsd` BEFORE comparing, so
    	//    the FIRST entry of every list is never compared against hModule.
    	//    The walk stops once the entry just compared is head.Blink (the last
    	//    one), so a module that is not found simply leaves the list untouched.
    	//  * Unlinking is a plain Flink/Blink splice: the LDR entry itself is not
    	//    freed and its own links still point into the list.  Only these three
    	//    lists are edited -- NOTE(review): any other loader bookkeeping that
    	//    references the entry is left as-is; verify what else the target OS
    	//    version keeps.
    	//  * No loader lock is taken, so this races with any other thread that is
    	//    loading or unloading a module at the same time.
    	//  * The module's pages stay mapped; this only hides it from code that
    	//    walks these particular lists.
    	DWORD dwPEB_LDR_DATA = 0;
    	_asm
    	{
    		pushad;
    		pushfd;
    		mov eax, fs:[30h]           ; eax = PEB (x86)
    		mov eax, [eax+0Ch]          ; eax = PEB->Ldr (PEB_LDR_DATA)
    		mov dwPEB_LDR_DATA, eax     ; saved for the next two walks

    			mov esi, [eax+0Ch]      ; esi = InLoadOrderModuleList.Flink (first entry)
    		mov edx, [eax+10h]          ; edx = InLoadOrderModuleList.Blink (last entry)

    LoopInLoadOrderModuleList:
    		lodsd                       ; eax = current->Flink, i.e. the NEXT entry
    			mov esi, eax            ; esi = that entry (its links sit at offset 0)
    			mov ecx, [eax+18h]      ; ecx = entry->DllBase
    		cmp ecx, hModule
    			jne SkipA
    			mov ebx, [eax]          ; ebx = entry->Flink
    		mov ecx, [eax+4]            ; ecx = entry->Blink
    		mov [ecx], ebx              ; Blink->Flink = Flink
    			mov [ebx+4], ecx        ; Flink->Blink = Blink
    			jmp InMemoryOrderModuleList
    SkipA:
    		cmp edx, esi                ; was that the last entry?
    			jne LoopInLoadOrderModuleList

    InMemoryOrderModuleList:
    		mov eax, dwPEB_LDR_DATA
    			mov esi, [eax+14h]      ; InMemoryOrderModuleList.Flink (link field inside the entry)
    		mov edx, [eax+18h]          ; InMemoryOrderModuleList.Blink

    LoopInMemoryOrderModuleList:
    		lodsd
    			mov esi, eax
    			mov ecx, [eax+10h]      ; DllBase, measured from this list's link field
    		cmp ecx, hModule
    			jne SkipB
    			mov ebx, [eax]
    		mov ecx, [eax+4]
    		mov [ecx], ebx
    			mov [ebx+4], ecx
    			jmp InInitializationOrderModuleList
    SkipB:
    		cmp edx, esi
    			jne LoopInMemoryOrderModuleList

    InInitializationOrderModuleList:
    		mov eax, dwPEB_LDR_DATA
    			mov esi, [eax+1Ch]      ; InInitializationOrderModuleList.Flink
    		mov edx, [eax+20h]          ; InInitializationOrderModuleList.Blink

    LoopInInitializationOrderModuleList:
    		lodsd
    			mov esi, eax
    			mov ecx, [eax+08h]      ; DllBase, measured from this list's link field
    		cmp ecx, hModule
    			jne SkipC
    			mov ebx, [eax]
    		mov ecx, [eax+4]
    		mov [ecx], ebx
    			mov [ebx+4], ecx
    			jmp Finished
    SkipC:
    		cmp edx, esi
    			jne LoopInInitializationOrderModuleList

    Finished:
    		popfd;
    		popad;
    	}
    }
    Poly.h:

    Code:
    #ifndef __POLY__
    #define __POLY__
    #pragma once
    #include "Files.h"
    
    // Half-open [start, end) virtual address range of one PE section, as
    // returned by cPoly::GetSectionInformation().  Both fields are 0 when the
    // lookup failed.  Addresses travel as unsigned long, i.e. this is 32-bit
    // only, like the inline asm elsewhere in this listing.
    typedef struct
    {
    	unsigned long start;
    	unsigned long end;
    } SectionInformation_t;
    
    // Overwrites code ranges with pseudo-random bytes at run time.
    // Usage: DestroyAndMorphSection() queues one section of a module;
    // RunFrame() then rewrites every queued range (plus a sacrificial NOP stub)
    // each time it is called.  The queue is a file-scope global in Poly.cpp,
    // not a member, so all cPoly instances share it.
    class cPoly
    {
    public:
    	// Returns the [start, end) range of section pszName in hModule, or {0,0}.
    	SectionInformation_t GetSectionInformation( HMODULE hModule, const char *pszName );

    	// Queues section pszName of hModule for RunFrame(); writes nothing itself.
    	void DestroyAndMorphSection( HMODULE hModule, const char *pszName );

    	// UseThisAndThenMorphIt() exists as a free function in Poly.cpp, not as
    	// a member; it is the stub RunFrame() overwrites.
    	// void UseThisAndThenMorphIt( void );

    	// Fills [begin, end) with pseudo-random bytes (temporarily RWX).
    	void RandomizeCodeAtPlace( unsigned long begin, unsigned long end );

    	// Morphs the stub and every queued section; call repeatedly.
    	void RunFrame( void );
    };
    
    // Global instance pointer.  Poly.cpp defines it, but nothing in this listing
    // allocates or assigns it -- it must be set up elsewhere before RunFrame()
    // is called through it.
    extern cPoly* Poly;
    
    #endif
    Poly.cpp

    Code:
    #include "Poly.h"
    #include <vector>
    
    // Definition of the global declared in Poly.h.  Nothing in this listing
    // assigns it, so whoever calls Poly->RunFrame() must allocate it first
    // (a null pointer here means a crash on first use).
    cPoly* Poly;

    // Queue of section ranges to morph on every RunFrame() call.  Despite the
    // m_ prefix this is a file-scope global shared by all cPoly instances, and
    // it has external linkage even though Poly.h does not declare it --
    // NOTE(review): consider `static` or an anonymous namespace.
    std::vector< SectionInformation_t > m_vMorphTheseSections;
    
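    SectionInformation_t cPoly::GetSectionInformation( HMODULE hModule, const char *pszName )
    {
    	// Locate section pszName in the in-memory image at hModule and return its
    	// [start, end) virtual range.  On any failure (null module or name, bad or
    	// erased PE headers, unusable name, section not present) both fields are 0.
    	//
    	// The name is matched EXACTLY against the 8-byte IMAGE_SECTION_HEADER::Name
    	// field.  The previous prefix compare (memcmp over strlen(pszName)) matched
    	// ".text" against ".textbss" -- which MSVC places before .text in
    	// incremental builds -- and read past Name for any name longer than 8 bytes.
    	//
    	// This checks e_magic first, so it returns {0,0} for a module whose headers
    	// were already wiped by cTools::EraseHeaders(): register sections before
    	// erasing headers.  32-bit only, like the rest of this file (addresses are
    	// carried as unsigned long).
    	SectionInformation_t si;
    	si.start = 0;
    	si.end   = 0;

    	if( hModule == NULL || pszName == NULL )
    		return si;

    	// Bounded length: Name is not NUL-terminated when it is exactly 8 bytes,
    	// so anything longer than IMAGE_SIZEOF_SHORT_NAME can never match and
    	// must never be used as a memcmp length.
    	size_t nameLen = 0;
    	while( nameLen < IMAGE_SIZEOF_SHORT_NAME && pszName[ nameLen ] != '\0' )
    		++nameLen;
    	if( nameLen == 0 || pszName[ nameLen ] != '\0' )
    		return si;

    	BYTE *pBase = reinterpret_cast< BYTE* >( hModule );

    	const IMAGE_DOS_HEADER *pDosHeader = reinterpret_cast< const IMAGE_DOS_HEADER* >( pBase );
    	if( pDosHeader->e_magic != IMAGE_DOS_SIGNATURE )
    		return si;

    	const IMAGE_NT_HEADERS *pNTHeaders =
    		reinterpret_cast< const IMAGE_NT_HEADERS* >( pBase + pDosHeader->e_lfanew );
    	if( pNTHeaders->Signature != IMAGE_NT_SIGNATURE )
    		return si;

    	// Same arithmetic as before (skip Signature, FileHeader and the optional
    	// header), via the winnt.h macro instead of hand-rolled casts.
    	const IMAGE_SECTION_HEADER *pSectionHeader = IMAGE_FIRST_SECTION( pNTHeaders );
    	const unsigned int nSections = pNTHeaders->FileHeader.NumberOfSections;

    	for( unsigned int i = 0; i < nSections; i++ )
    	{
    		const IMAGE_SECTION_HEADER *pSection = &pSectionHeader[ i ];

    		const bool prefixMatches = memcmp( pSection->Name, pszName, nameLen ) == 0;
    		const bool fullMatch     = prefixMatches &&
    			( nameLen == IMAGE_SIZEOF_SHORT_NAME || pSection->Name[ nameLen ] == '\0' );
    		if( !fullMatch )
    			continue;

    		// Range is based on SizeOfRawData as before; guard against a wrapped
    		// range so callers never see end < start.
    		const unsigned long start = reinterpret_cast< unsigned long >( pBase + pSection->VirtualAddress );
    		const unsigned long end   = start + pSection->SizeOfRawData;
    		if( end >= start )
    		{
    			si.start = start;
    			si.end   = end;
    		}
    		break;
    	}

    	return si;
    }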
    
    void cPoly::DestroyAndMorphSection( HMODULE hModule, const char *pszName )
    {
    	// Queue section pszName of hModule for RunFrame(); nothing is written
    	// here.  A failed lookup (start == end == 0) is silently dropped.  No
    	// de-duplication: queuing the same section twice morphs it twice per frame.
    	const SectionInformation_t range = GetSectionInformation( hModule, pszName );

    	const bool found = ( range.start != 0 ) && ( range.end != 0 );
    	if( !found )
    		return;

    	m_vMorphTheseSections.push_back( range );
    }
    
    // Sacrificial stub: 33 one-byte NOPs followed by a retn.  It is never meant
    // to be CALLED -- cPoly::RunFrame() passes its address to
    // RandomizeCodeAtPlace() and overwrites the first 32 bytes every frame, so
    // after the first call the body is random garbage.
    // NOTE(review): the assumption that the NOPs start at the function's first
    // byte (so the retn is outside the 32-byte window) only holds if the
    // compiler emits no prologue here; under MSVC incremental linking the
    // function's address may also resolve to a jump thunk rather than this
    // body, in which case the thunk and its neighbours would be overwritten
    // instead -- verify in the built binary's disassembly.
    void UseThisAndThenMorphIt( void )
    {
    	_asm nop;        //0000
    	_asm nop;        //0001
    	_asm nop;        //0002
    	_asm nop;        //0003
    	_asm nop;        //0004
    	_asm nop;        //0005
    	_asm nop;        //0006
    	_asm nop;        //0007
    	_asm nop;        //0008
    	_asm nop;        //0009
    	_asm nop;        //0010
    	_asm nop;        //0011
    	_asm nop;        //0012
    	_asm nop;        //0013
    	_asm nop;        //0014
    	_asm nop;        //0015
    	_asm nop;        //0016
    	_asm nop;        //0017
    	_asm nop;        //0018
    	_asm nop;        //0019
    	_asm nop;        //0020
    	_asm nop;        //0021
    	_asm nop;        //0022
    	_asm nop;        //0023
    	_asm nop;        //0024
    	_asm nop;        //0025
    	_asm nop;        //0026
    	_asm nop;        //0027
    	_asm nop;        //0028
    	_asm nop;        //0029
    	_asm nop;        //0030
    	_asm nop;        //0031
    	_asm nop;        //0032
    	_asm retn;        //0033
    }
    
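    void cPoly::RandomizeCodeAtPlace( unsigned long begin, unsigned long end )
    {
    	// Overwrite every byte in [begin, end) with a pseudo-random value.
    	// begin/end are virtual addresses carried as unsigned long (32-bit only,
    	// like the rest of this file).  An empty or inverted range is a no-op.
    	// Not cryptographic: rand()/GetTickCount() only have to make the bytes
    	// differ from call to call.
    	//
    	// Fixes relative to the previous version:
    	//  * The restore call passed NULL as lpflOldProtect, which makes
    	//    VirtualProtect fail, so the pages stayed PAGE_EXECUTE_READWRITE for
    	//    good -- a needless RWX mapping and a detection artifact.
    	//  * The per-byte seed read ArrayOfCode[i + 1], one byte past `end` on
    	//    the final iteration.
    	//  * The first VirtualProtect result was ignored; a failure now leaves
    	//    the range untouched instead of faulting on the first store.
    	//  * rand() % 0xFF could never produce 0xFF.
    	if( end <= begin )
    		return;

    	BYTE *ArrayOfCode = reinterpret_cast< BYTE* >( begin );
    	const size_t cbRange = static_cast< size_t >( end - begin );

    	int seed = ( ( rand() % 9999 ) ^ 0xFFFFFFFF );

    	srand( GetTickCount() ^ seed );

    	// Protect exactly the target range: VirtualProtect rounds to whole pages
    	// itself, so the VirtualQuery round-trip (which also widened the change
    	// to the entire region) is unnecessary.
    	DWORD oldProtect = 0;
    	if( !VirtualProtect( ArrayOfCode, cbRange, PAGE_EXECUTE_READWRITE, &oldProtect ) )
    		return;

    	for( size_t i = 0; i < cbRange; i++ )
    	{
    		// Mix the following byte into the seed as before, but use 0 instead
    		// of reading beyond the range for the last byte.
    		const unsigned int next = ( i + 1 < cbRange ) ? ArrayOfCode[ i + 1 ] : 0u;
    		const int CurrentRandomSeed = static_cast< int >( GetTickCount() ^ ( seed * ( next & 0xFFFF ) ) );

    		srand( CurrentRandomSeed );

    		ArrayOfCode[ i ] = static_cast< BYTE >( rand() & 0xFF );
    	}

    	// Put the original page protection back on the pages we changed.
    	DWORD ignored = 0;
    	VirtualProtect( ArrayOfCode, cbRange, oldProtect, &ignored );

    	FlushInstructionCache( GetCurrentProcess(), ArrayOfCode, cbRange );
    }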
    
    void cPoly::RunFrame( void )
    {
    	// One morph pass: scramble the first 32 bytes of the sacrificial stub,
    	// then every range queued through DestroyAndMorphSection().  Entries with
    	// a zero start or end are skipped; everything else is handed to
    	// RandomizeCodeAtPlace() as-is.
    	const unsigned long stubBegin = reinterpret_cast< unsigned long >( UseThisAndThenMorphIt );
    	RandomizeCodeAtPlace( stubBegin, stubBegin + 32 );

    	std::vector< SectionInformation_t >::const_iterator it = m_vMorphTheseSections.begin();
    	for( ; it != m_vMorphTheseSections.end(); ++it )
    	{
    		const bool usable = ( it->start != 0 ) && ( it->end != 0 );
    		if( usable )
    			RandomizeCodeAtPlace( it->start, it->end );
    	}
    }
    Hope it helps, Enjoy
    Last edited by Flengo; 07-08-2012 at 10:50 AM.


    1 tip. Matypatty did not code that poly.cpp nor poly.h
    All he did was rename it.

    Credits belong to s0beit
    isnt hidemodule detected?

    Quote Originally Posted by NotRealPro View Post
    isnt hidemodule detected?
    It hasn't caused a crash for me yet, so I would say no — though not crashing is only weak evidence: a detection can be logged silently and acted on later.


    BlackCipher anti cheat detected the hidemodule.
    They removed it on NA, and next patch on EU too
    Last edited by Ch40zz-C0d3r; 07-08-2012 at 11:02 AM.

    In CABR HideModule is Detected

    I'm still using hidemodule fine.

    People need manual mapping in their lives: a manually mapped image is never registered with the loader, so there is no module entry to hide in the first place.

    Quote Originally Posted by flameswor10 View Post
    1 tip. Matypatty did not code that poly.cpp nor poly.h
    All he did was rename it.

    Credits belong to s0beit

    Second tip: s0beit didn't code that either. That code has been around for many years and has been used on many coding forums and blogs; yes, it has been modified a little, but it is still the same code that has been floating around for years.

    LOL this is detected.

    Quote Originally Posted by Nightmare View Post
    LOL this is detected.
    I was using HideModule fine, but I guess it is detected maybe


    Quote Originally Posted by comando2056 View Post


    I was using HideModule fine, but I guess it is detected maybe
    I think that in CA BR it is detected.

    Quote Originally Posted by Nightmare View Post
    I think that in CABR is detected.
    Detected in BR but not NA or EU? Weird.


    Quote Originally Posted by comando2056 View Post


    Detected in BR but not NA or EU? Weird.
    Is weird, but it is what they say.

    I know that wiping the PE header without also hiding the module used to be detected; if you wipe the header and hide the module you might be OK.
    Have not messed with BR myself though...
