XTrap-Bypass Source v2 (32/64 bit)
Code:
#include <Windows.h>
#include <process.h>
#include <TlHelp32.h>
#include <Psapi.h>
#include "mHook.h"
#pragma comment(lib,"Psapi.lib")
// Handle of this DLL. Set in DllMain on DLL_PROCESS_ATTACH and read by
// _beginhook, which hands it to FreeLibraryAndExitThread to unload the module.
HMODULE hDLL;
/* Forward declaration of the naked stub that _beginhook installs over the
 * EnumProcesses / ExitProcess exports (definition at the end of the file). */
void DefineNothing_CC();
/* Forward declaration of the naked stub installed over K32EnumProcesses. */
void K32Enum_CC();
// Function to begin the hook
// Thread body started by DllMain; the void* argument is never read.
// Sequence: poll until XTrapVa.dll is mapped in this process, overwrite the
// entry of the process-enumeration export and of ExitProcess through
// mHook::DetourCodeCave, write a fixed string to a hard-coded address, then
// unload this DLL and end the thread.
// NOTE(review): every pointer here is squeezed through a 32-bit DWORD and the
// stubs below use __asm / __declspec(naked); despite the "32/64 bit" title
// this only builds and works as a 32-bit module.
// Defender notes: the patches land in the exported prologues of
// EnumProcesses / K32EnumProcesses and ExitProcess, so comparing those
// exports against the on-disk image and watching for page-protection changes
// on kernel32 / psapi code pages detects this class of tampering.
void _beginhook(void*){
// our addresses
DWORD dwAddy;        // address of the export currently being patched
DWORD dwDLL;         // base of the module that exports it
DWORD dwXTrap;       // base of XTrapVa.dll, non-zero once it is loaded
DWORD dwXTrapDriver; // hard-coded address overwritten at the end
// Block until the anti-cheat module is present. There is no timeout, so the
// thread spins here forever (500 ms per iteration) if it never loads.
while(1){
// break
Sleep(500);
// get xtrap base
dwXTrap = (DWORD)GetModuleHandle("XTrapVa.dll");
// check if it exists
if(dwXTrap){
// leave
break;
}
}
// PSAPI_VERSION is a compile-time macro from Psapi.h, so only one branch is
// live in a given build: version 1 takes EnumProcesses from Psapi.dll, later
// versions use K32EnumProcesses exported by Kernel32.
if(PSAPI_VERSION == 1){
// get address
dwDLL = (DWORD)GetModuleHandle("Psapi.dll");
// get address
// NOTE(review): neither GetModuleHandle nor GetProcAddress is checked for
// NULL anywhere in this function before the value reaches DetourCodeCave.
dwAddy = (DWORD)GetProcAddress((HINSTANCE)dwDLL,"EnumProcesses");
// Prevent XTrap from enumerating processes.
// The third argument (19 here, 3 and 27 below) looks like a byte count:
// 3 equals the encoded size of K32Enum_CC's single instruction, and 19/27 are
// prefixes of DefineNothing_CC's 31-byte body. That suggests DetourCodeCave
// copies the stub's bytes over the target rather than redirecting to it —
// mHook.h is not on the page, confirm.
mHook::DetourCodeCave(dwAddy,(DWORD)DefineNothing_CC,19);
// get address
dwDLL = (DWORD)GetModuleHandle("Kernel32.dll");
// get address
dwAddy = (DWORD)GetProcAddress((HINSTANCE)dwDLL,"ExitProcess");
// Prevent the process from exiting when XTrap finds OllyDbg.
mHook::DetourCodeCave(dwAddy,(DWORD)DefineNothing_CC,27);
}
else
{
// little break
Sleep(500);
// set new dll
dwDLL = (DWORD)GetModuleHandle("Kernel32.dll");
// get new addy
dwAddy = (DWORD)GetProcAddress((HINSTANCE)dwDLL,"K32EnumProcesses");
// Prevent XTrap from enumerating processes (3-byte stub, see K32Enum_CC).
mHook::DetourCodeCave(dwAddy,(DWORD)K32Enum_CC,3);
// get address (same module as above; the lookup is simply repeated)
dwDLL = (DWORD)GetModuleHandle("Kernel32.dll");
// get address
dwAddy = (DWORD)GetProcAddress((HINSTANCE)dwDLL,"ExitProcess");
// Prevent the process from exiting when XTrap finds OllyDbg.
mHook::DetourCodeCave(dwAddy,(DWORD)DefineNothing_CC,27);
}
// Get driver Address
// NOTE(review): absolute address with no module-relative computation and no
// sanity check; it can only be right for one specific build and load address.
dwXTrapDriver = 0x406668A0;
// Change it: copies 6 wide characters (12 bytes, no terminator) straight to
// that address. No VirtualProtect precedes the write, so the page must
// already be writable or this faults.
wmemcpy((wchar_t*)dwXTrapDriver,L"X6va01",6);
// Exit: unload this DLL and end the thread with exit code 8.
// NOTE(review): if DetourCodeCave redirects execution into the stubs inside
// this module instead of copying their bytes, unloading here leaves the
// patched exports pointing at unmapped memory.
FreeLibraryAndExitThread(hDLL,8);
}
/* Main */
/* DLL entry point.
 * On DLL_PROCESS_ATTACH it records this module's handle in the global hDLL
 * (read later by _beginhook for FreeLibraryAndExitThread), starts _beginhook
 * on a new CRT thread, and reports success. Every other notification returns
 * FALSE; the loader is documented to use the return value only for process
 * attach. lpvReserved is never read.
 * NOTE(review): the thread is created while DllMain runs under the loader
 * lock, which is the usual caveat for work started from here. */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved){
    switch(fdwReason){
    case DLL_PROCESS_ATTACH:
        // remember our own module handle for the later unload
        hDLL = hinstDLL;
        // hand the actual work to a worker thread
        _beginthread(_beginhook, 0, 0);
        return true;
    default:
        return false;
    }
}
/* Our hooked-function */
/* Replacement body for K32EnumProcesses: returns immediately, discarding the
 * three stack arguments (ret 0Ch pops 12 bytes, the stdcall cleanup for a
 * three-DWORD-argument function). EAX is never written, so the caller sees
 * whatever the register held as the BOOL result, and lpcbNeeded is never
 * filled in. The instruction encodes to 3 bytes, the length _beginhook
 * passes to DetourCodeCave for this stub.
 * Naked function with __asm: 32-bit MSVC only. */
__declspec( naked ) void K32Enum_CC(){
__asm{
ret 0x00C
}
}
/* Our hooked-function */
/* Byte template written over the entry of EnumProcesses / ExitProcess.
 * The first three instructions are the standard hot-patchable MSVC prologue
 * (mov edi,edi / push ebp / mov ebp,esp); pop ebp undoes the frame and the
 * short jmp skips the next five nops, landing on the nop run at `orig`.
 * There is no ret and no value placed in EAX: whatever bytes follow the
 * copied region execute next.
 * Encoded size: 8 bytes of instructions + 5 nops + 18 nops = 31 bytes.
 * _beginhook passes 19 and 27 as DetourCodeCave lengths, so presumably only a
 * prefix of this template is written — mHook.h is not on the page, confirm.
 * Naked function with __asm: 32-bit MSVC only. */
__declspec( naked ) void DefineNothing_CC(){
__asm{
mov edi,edi
push ebp
mov ebp,esp
pop ebp
jmp orig
nop
nop
nop
nop
nop
orig:
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
nop
}
}
HGWC Bypass Function Source Only (64 bit)
Code:
// Redefines TRUE as FALSE (the Windows 0 macro) for everything that follows in
// this translation unit, so any `== TRUE` or `return TRUE` after this line
// silently means FALSE. Nothing below relies on TRUE, and the DllMain above
// uses lowercase true/false, so this reads like a deliberate paste-trap
// rather than part of the patch logic — confirm before building.
#define TRUE FALSE
// Holder for four memory-patch routines. Each takes an int it never reads,
// writes fixed bytes to fixed absolute addresses with memcpy, and returns 0.
// The trailing `rect` defines a global instance of this class.
// NOTE(review): the addresses below (0x0040xxxx) look like absolute addresses
// in a 32-bit image loaded at 0x00400000, despite the "(64 bit)" heading.
// NOTE(review): qualifying the declarations with `HGWC::` inside the class
// body is ill-formed ISO C++ (extra qualification); MSVC has historically
// accepted it as an extension, other compilers reject it.
class HGWC
{
public:
int HGWC::FileDetection(int);
int HGWC::KeepAlive(int);
int HGWC::Bann(int);
int HGWC::Thread(int);
}rect;
// Writes one byte, 0xEB (opcode of a short relative jmp), at absolute address
// 0x0040CAE1. LParam is unused; always returns 0.
// NOTE(review): no VirtualProtect and no module-base arithmetic — the write
// only lands where intended for the one image this was built against, and
// faults if the page is not writable.
int HGWC::FileDetection(int LParam)
{
memcpy((LPVOID)0x0040CAE1,(LPVOID)"\xEB",1);
return 0;
}
// Writes one byte, 0xEB (short relative jmp opcode), at absolute address
// 0x0040D5B7. LParam is unused; always returns 0.
// NOTE(review): same caveats as FileDetection — absolute address, no
// VirtualProtect, no check that the target is what the author expected.
int HGWC::KeepAlive(int LParam)
{
memcpy((LPVOID)0x0040D5B7,(LPVOID)"\xEB",1);
return 0;
}
// Four fixed-address writes. The first two place 0xEB (short jmp opcode); the
// last two place C2 0C 00 90 90, i.e. `ret 0Ch` followed by two nops, which
// makes whatever function starts there return at once and pop 12 bytes of
// arguments. LParam is unused; always returns 0.
// NOTE(review): the 0x00410270 write is repeated verbatim in Thread().
// NOTE(review): absolute addresses, no VirtualProtect, no verification of the
// bytes being replaced.
int HGWC::Bann(int LParam)
{
memcpy((LPVOID)0x0040F9FD,(LPVOID)"\xEB",1);
memcpy((LPVOID)0x0040FA31,(LPVOID)"\xEB",1);
memcpy((LPVOID)0x0040FB71,(LPVOID)"\xC2\x0C\x00\x90\x90",5);
memcpy((LPVOID)0x00410270,(LPVOID)"\xC2\x0C\x00\x90\x90",5);
return 0;
}
// Four fixed-address writes: 6A 7D (`push 7Dh`), EB 0A (short jmp forward
// 10 bytes), 68 FF 08 00 00 (`push 8FFh`), and C2 0C 00 90 90 (`ret 0Ch` plus
// two nops). LParam is unused; always returns 0.
// NOTE(review): the final write duplicates the one in Bann() at 0x00410270;
// calling both is harmless but redundant.
// NOTE(review): absolute addresses, no VirtualProtect, no verification of the
// bytes being replaced — a mismatched build silently corrupts unrelated code.
int HGWC::Thread(int LParam)
{
memcpy((LPVOID)0x0040D4E3,(LPVOID)"\x6A\x7D",2);
memcpy((LPVOID)0x00418F91,(LPVOID)"\xEB\x0A",2);
memcpy((LPVOID)0x00464147,(LPVOID)"\x68\xFF\x08\x00\x00",5);
memcpy((LPVOID)0x00410270,(LPVOID)"\xC2\x0C\x00\x90\x90",5);
return 0;
}
Update some of it.
You need reverse engineering basics.
I accept thanks too.
Credits: Akira