Moarr!
AntiBlackCipher
Code:
//08/10/2013
#include "stdafx.h"
#include <TlHelp32.h>
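// Returns TRUE when a process whose image name equals `name` (exact,
// case-sensitive byte comparison) appears in a Toolhelp process snapshot,
// FALSE when no entry matches, `name` is NULL, or the snapshot cannot be taken.
// Fix: the snapshot handle was never closed on any return path (kernel handle
// leak on every call); all paths now go through a single CloseHandle().
BOOL isRunning( const CHAR *name )
{
    if( name == NULL )
        return FALSE;
    HANDLE SnapShot = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
    if( SnapShot == INVALID_HANDLE_VALUE )
        return FALSE;
    BOOL found = FALSE;
    PROCESSENTRY32 procEntry;
    procEntry.dwSize = sizeof( PROCESSENTRY32 );
    if( Process32First( SnapShot, &procEntry ) )
    {
        do
        {
            // NOTE(review): the cast assumes the ANSI PROCESSENTRY32 (szExeFile is
            // CHAR[]); if the project builds with UNICODE the comparison is wrong.
            if( strcmp( ( const CHAR * )procEntry.szExeFile, name ) == 0 )
            {
                found = TRUE;
                break;
            }
        }
        while( Process32Next( SnapShot, &procEntry ) );
    }
    CloseHandle( SnapShot );
    return found;
}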
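// Returns the PID of the first snapshot entry whose image name equals `name`
// (exact, case-sensitive), or 0 when nothing matches, `name` is NULL, or the
// snapshot cannot be taken.
// Fixes: CreateToolhelp32Snapshot() failure was not checked, so
// INVALID_HANDLE_VALUE reached Process32First(); the entry returned by
// Process32First() was never compared (only Process32Next() entries were);
// and the snapshot handle leaked on the early-return path inside the loop.
// The loop shape now matches isRunning() above.
DWORD GetProcessID( CHAR *name )
{
    if( name == NULL )
        return 0;
    PROCESSENTRY32 pe = { sizeof( PROCESSENTRY32 ) };
    HANDLE hand = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
    if( hand == INVALID_HANDLE_VALUE )
        return 0;
    DWORD pid = 0;
    if( Process32First( hand, &pe ) )
    {
        do
        {
            // NOTE(review): cast assumes the ANSI PROCESSENTRY32 (no UNICODE build).
            if( strcmp( ( const CHAR * )pe.szExeFile, name ) == 0 )
            {
                pid = pe.th32ProcessID;
                break;
            }
        }
        while( Process32Next( hand, &pe ) );
    }
    CloseHandle( hand );
    return pid;
}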
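// Returns the load base of the module named `modname` inside process `proc`
// (as reported by a TH32CS_SNAPMODULE snapshot), or 0 when the module is not
// found, `modname` is NULL, or the snapshot cannot be taken.
// Fix: the snapshot handle was never closed on any return path; all paths now
// release it. The Module32First() entry and the Module32Next() entries are
// compared by one loop instead of two copies of the same test.
DWORD GetModuleAddress( DWORD proc, const CHAR *modname )
{
    if( modname == NULL )
        return 0;
    HANDLE snapshot = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, proc );
    if( snapshot == INVALID_HANDLE_VALUE )
        return 0;
    DWORD base = 0;
    MODULEENTRY32 mod;
    mod.dwSize = sizeof( MODULEENTRY32 );
    if( Module32First( snapshot, &mod ) )
    {
        do
        {
            // NOTE(review): cast assumes the ANSI MODULEENTRY32 (no UNICODE build).
            if( strcmp( ( const CHAR * )mod.szModule, modname ) == 0 )
            {
                // modBaseAddr is a pointer; the DWORD return type truncates it on a
                // 64-bit build. Kept as-is because callers expect a DWORD.
                base = ( DWORD )mod.modBaseAddr;
                break;
            }
        }
        while( Module32Next( snapshot, &mod ) );
    }
    CloseHandle( snapshot );
    return base;
}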
// File-scope state shared with WriteBlackCipherBypass() below. Static storage
// is zero-initialized anyway; the initializers just make that explicit.
// Not protected by any synchronization.
BOOL bBlackCipherProcessOpened = FALSE;   // set once OpenProcess() has been called for the target
HANDLE hCipherInstanceProcess = NULL;     // handle returned by OpenProcess(); closed before the thread exits
DWORD dwCipherPID = 0;                    // PID looked up by image name via GetProcessID()
// Thread body (it ends with ExitThread(), so it is presumably started on its
// own thread by a caller not shown here). It polls every 200 ms until a
// process named "BlackCipher.aes" exists, opens that process with memory-write
// rights, waits until "EHSvc.dll" is mapped in it, then writes a 5-byte stub to
// a fixed absolute address in the remote process and ends the thread.
//
// Defender's view: the observable sequence is Toolhelp process enumeration,
// OpenProcess() on the anti-cheat process with PROCESS_VM_OPERATION |
// PROCESS_VM_WRITE, and a cross-process WriteProcessMemory(). Handle-access
// auditing on the protected process and memory-write telemetry see each step;
// the hard-coded target address also makes the write pattern static.
void WriteBlackCipherBypass( void )
{
    // 6-byte array with 5 initializers (the sixth byte is zero). Per the
    // variable name it encodes a "mov al, 0 / ret 4" stub; only 5 bytes are
    // written below.
    BYTE MOVAL0RET[6] = { 0xB0, 0x00, 0xC2, 0x04, 0x00 };
    while( TRUE )
    {
        if( !bBlackCipherProcessOpened )
        {
            if( isRunning( "BlackCipher.aes" ) )
            {
                // Redundant re-check: the outer branch already established
                // !bBlackCipherProcessOpened.
                if( !bBlackCipherProcessOpened )
                {
                    dwCipherPID = GetProcessID( "BlackCipher.aes" );
                    // Access mask includes VM read/write/operation and thread
                    // creation; the returned handle is stored in a global.
                    hCipherInstanceProcess = OpenProcess( PROCESS_QUERY_INFORMATION | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, 0, dwCipherPID );
                    bBlackCipherProcessOpened = TRUE;
                }
            }
        }
        else
        {
            // The module base is only used as a readiness gate (non-zero means
            // the DLL is mapped); the write target below is a fixed absolute
            // address and is not derived from it.
            DWORD dwEHSvcModule = GetModuleAddress( dwCipherPID, "EHSvc.dll" );
            if( dwEHSvcModule != 0 )
            {
                // Cross-process write of the first 5 bytes of MOVAL0RET; the
                // return value is not inspected.
                WriteProcessMemory( hCipherInstanceProcess, ( LPVOID )0x004212F0, MOVAL0RET, 5, 0 );
                CloseHandle( hCipherInstanceProcess );
                // Terminates the calling thread; the function never returns
                // normally once the write has been attempted.
                ExitThread( 0 );
            }
        }
        // Poll interval between checks.
        Sleep( 200 );
    }
}
Not sure if it works — you may want to try it.