What ? xD ...
Soo, Extreme Injector v1.2 -> All PE Hiding, All Dll Scrambling, Manual Map = No Detect ?
Sure ?
Injected .DLL with Makecert -> Using these Methods -> Xtrap Error v8000 Abnormal Acess Memory, Tool Name: blank.
This method is already caught, our guys doing something wrong.
Crossfire Projects
Made 21 Feature (Memory Hack)
Respect ListPressIF I Helped
@ComboDance
@mamo007
@GaaD
@Olwayy
@Biesi
@iSmexy
@derh.acker
@Brimir
@steveroseik
@Hero
@Temperrr
@Rullez
manual map inject -> xtrap
everything is xtrap today.
Still Working For Me, NA/CF
Private Project :
Well, anyway, if I create a _beginthreadex it gets unhooked for some reason, and CreateThread is my only solution, but it gives this XTrap message, so...
Xtrap v8000 Detection No Tool Name, using PE Hiding, Scrambling and Manual Map & Makecert, injector: Extreme Injector v1.2
Code:
#include <Windows.h>

DWORD WINAPI InfinityLoop ( LPVOID )
{
    while( true ) { }
    return false;
}

DWORD WINAPI DllMain ( HMODULE hDll, DWORD dwReason, LPVOID ipvReason )
{
    switch( dwReason )
    {
    case 1:
        DisableThreadLibraryCalls( hDll );
        CreateThread( 0, 0, InfinityLoop, 0, 0, 0 );
        break;
    }
    return 1;
}
This is what I am using
Code:
BOOL WINAPI DllMain ( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved )
{
    switch(dwReason)
    {
    case DLL_PROCESS_ATTACH:
        DisableThreadLibraryCalls(hinstDLL);
        CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)Thread, hinstDLL, NULL, NULL);
        break;
    case DLL_PROCESS_DETACH:
        break;
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;
    }
    return TRUE;
}
try it
That's what happens when I tell someone how I get my hack not being detected by XTrap..
Requires MSVC10+ or a compiler with at least equivalent C++11 support. We used that when debugging our hack in the beginning of 2013. Should still work (didn't test it, though).
Code:
typedef UINT(__stdcall *threadFunc_t)(void*);

HANDLE createStealthThread(threadFunc_t pThreadFunc, void *pArgument)
{
    BYTE *pK32 = (BYTE*)GetModuleHandleA("kernel32");
    BYTE *pPopRet = nullptr;
    DWORD oldProt;
    auto rva2va = [&](DWORD dwVA) { return (void*)((uintptr_t)pK32 + dwVA); };

    // Find proper location to place our shellcode
    void *pWriteTarget = nullptr;
    auto pMz = (IMAGE_DOS_HEADER* )pK32;
    auto pNt = (IMAGE_NT_HEADERS32* )rva2va(pMz->e_lfanew);
    auto pCurSection = (IMAGE_SECTION_HEADER*)((uintptr_t)pNt + sizeof(IMAGE_NT_HEADERS32));
    for (int i = 0; i < pNt->FileHeader.NumberOfSections; ++i)
    {
        if (memcmp(".text", pCurSection->Name, 5) == 0)
        {
            pWriteTarget = (void*)((uintptr_t)rva2va(pCurSection->VirtualAddress)
                + pCurSection->Misc.VirtualSize - 6);
            break;
        }
        ++pCurSection;
    }

    if (!pWriteTarget)
        return NULL;

    // Prepare and write shellcode to K32
    uint8_t shellcode[] = "\x68\x00\x00\x00\x00\xC2";
    *(threadFunc_t*)(shellcode + 1) = pThreadFunc;
    VirtualProtect(pWriteTarget, 6, PAGE_EXECUTE_READWRITE, &oldProt);
    memcpy(pWriteTarget, shellcode, 6);
    VirtualProtect(pWriteTarget, 6, oldProt, &oldProt);

    // Create thread
    return CreateThread(nullptr, 0, (LPTHREAD_START_ROUTINE)pWriteTarget, pArgument, NULL, nullptr);
} // ==> createStealthThread
Last edited by Ende!; 12-26-2013 at 04:52 PM.
That manual map also doesn't work for me... I suggest that everybody writes his OS info here so we can see...
I am Win 7 Ultimate x64