Source Bypass Xtrap (para estudos)

Vitrix Maggot · 2013-04-05, 05:46 PM

Ola pessoal, sou novo aqui no fórum meu primeiro post para vocês, sou Programador em Delphi, Assembly e C++, estou aqui pra ajudar vocês com meus conhecimentos e adquirir também conhecimentos com vocês!!!

Vamos ao que interessa!

Code:

#include <stdio.h>
#include <windows.h>
#include <tlhelp32.h>

#define NT_SUCCESS(x) ((x) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH 0xc0000004
#define SystemHandleInformation 16
#define ObjectBasicInformation 0
#define ObjectNameInformation 1
#define ObjectTypeInformation 2
#define fcExp            0x4D9480
#define BaseAddr        0x400000

typedef enum _THREAD_INFORMATION_CLASS {
    ThreadBasicInformation,
    ThreadTimes,
    ThreadPriority,
    ThreadBasePriority,
    ThreadAffinityMask,
    ThreadImpersonationToken,
    ThreadDescriptorTableEntry,
    ThreadEnableAlignmentFaultFixup,
    ThreadEventPair,
    ThreadQuerySetWin32StartAddress,
    ThreadZeroTlsCell,
    ThreadPerformanceCount,
    ThreadAmILastThread,
    ThreadIdealProcessor,
    ThreadPriorityBoost,
    ThreadSetTlsArrayAddress,
    ThreadIsIoPending,
    ThreadHideFromDebugger
} THREAD_INFORMATION_CLASS, *PTHREAD_INFORMATION_CLASS;

typedef DWORD(NTAPI *_ZwSuspendProcess)(HANDLE hProcess);
typedef DWORD(NTAPI *_ZwResumeProcess)(HANDLE hProcess);
typedef DWORD(NTAPI *_ZwQueryInformationThread)(HANDLE ThreadHandle, THREAD_INFORMATION_CLASS ThreadInformationClass, PVOID ThreadInformation, ULONG ThreadInformationLength, PULONG ReturnLength); 
typedef DWORD(NTAPI *_NtQuerySystemInformation)(ULONG SystemInformationClass,PVOID SystemInformation,ULONG SystemInformationLength,PULONG ReturnLength);
typedef DWORD(NTAPI *_NtDuplicateObject)(HANDLE SourceProcessHandle,HANDLE SourceHandle,HANDLE TargetProcessHandle,PHANDLE TargetHandle,ACCESS_MASK DesiredAccess,ULONG Attributes,ULONG Options);
typedef DWORD(NTAPI *_NtQueryObject)(HANDLE ObjectHandle,ULONG ObjectInformationClass,PVOID ObjectInformation,ULONG ObjectInformationLength,PULONG ReturnLength); 

typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
 
typedef struct _SYSTEM_HANDLE {
    ULONG ProcessId;
    BYTE ObjectTypeNumber;
    BYTE Flags;
    USHORT Handle;
    PVOID Object;
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE, *PSYSTEM_HANDLE;
 
typedef struct _SYSTEM_HANDLE_INFORMATION {
    ULONG HandleCount;
    SYSTEM_HANDLE Handles[1];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
 
typedef enum _POOL_TYPE {
    NonPagedPool,
    PagedPool,
    NonPagedPoolMustSucceed,
    DontUseThisType,
    NonPagedPoolCacheAligned,
    PagedPoolCacheAligned,
    NonPagedPoolCacheAlignedMustS
} POOL_TYPE, *PPOOL_TYPE;
 
typedef struct _OBJECT_TYPE_INFORMATION {
    UNICODE_STRING Name;
    ULONG TotalNumberOfObjects;
    ULONG TotalNumberOfHandles;
    ULONG TotalPagedPoolUsage;
    ULONG TotalNonPagedPoolUsage;
    ULONG TotalNamePoolUsage;
    ULONG TotalHandleTableUsage;
    ULONG HighWaterNumberOfObjects;
    ULONG HighWaterNumberOfHandles;
    ULONG HighWaterPagedPoolUsage;
    ULONG HighWaterNonPagedPoolUsage;
    ULONG HighWaterNamePoolUsage;
    ULONG HighWaterHandleTableUsage;
    ULONG InvalidAttributes;
    GENERIC_MAPPING GenericMapping;
    ULONG ValidAccess;
    BOOLEAN SecurityRequired;
    BOOLEAN MaintainHandleCount;
    USHORT MaintainTypeList;
    POOL_TYPE PoolType;
    ULONG PagedPoolUsage;
    ULONG NonPagedPoolUsage;
} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;

PVOID GetLibraryProcAddress(LPSTR LibraryName, LPSTR ProcName) {
    return (PVOID)GetProcAddress(GetModuleHandleA(LibraryName), ProcName);
}


DWORD GetPIDbyName(char* szProcess)
{
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    PROCESSENTRY32 PE;
    PE.dwSize = sizeof(PE) ;
    Process32First(hSnap, &PE);

    while (Process32Next(hSnap, &PE))
    {
        char Converted[100] = "\0";
        wcstombs(Converted, PE.szExeFile, sizeof(Converted));
        if (strcmp(Converted, szProcess) == 0)
        {
            return PE.th32ProcessID;
        }
    }
    return 0;
}

int SeDebugPrivilege(void)
{
    HANDLE hToken;
    LUID Val;
    TOKEN_PRIVILEGES tp;
    OpenProcessToken(HANDLE(-1),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);
    LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &Val);
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Luid = Val;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof (tp), NULL, NULL);
    CloseHandle(hToken);
    return 1;
}

DWORD GetModuleBaseAddress(DWORD PID, char* szModule)
{
    MODULEENTRY32 ME;
    ME.dwSize = sizeof(ME);
    HANDLE hSnapy = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, PID);
    Module32First(hSnapy, &ME);
    while (Module32Next(hSnapy, &ME))
    {
        char Converted[100] = "\0";
        wcstombs(Converted, ME.szModule, sizeof(Converted));
        if (strcmp(Converted, szModule) == 0)
        {
            return (DWORD)ME.hModule;
        }
    }
}

DWORD GetModuleSize(DWORD PID, char* szModule)
{
    MODULEENTRY32 ME;
    ME.dwSize = sizeof(ME);
    HANDLE hSnapy = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, PID);
    Module32First(hSnapy, &ME);
    while (Module32Next(hSnapy, &ME))
    {
        char Converted[100] = "\0";
        wcstombs(Converted, ME.szModule, sizeof(Converted));
        if (strcmp(Converted, szModule) == 0)
        {
            return ME.modBaseSize;
        }
    }
}

int CloseHandles(ULONG pid)
{
_NtQuerySystemInformation NtQuerySystemInformation = (_NtQuerySystemInformation)GetLibraryProcAddress("ntdll.dll", "NtQuerySystemInformation");
    _NtDuplicateObject NtDuplicateObject = (_NtDuplicateObject)GetLibraryProcAddress("ntdll.dll", "NtDuplicateObject");
    _NtQueryObject NtQueryObject = (_NtQueryObject)GetLibraryProcAddress("ntdll.dll", "NtQueryObject");
 
    DWORD status;
    PSYSTEM_HANDLE_INFORMATION handleInfo;
    ULONG handleInfoSize = 0x10000;
    HANDLE processHandle;
    ULONG i;
    if (!(processHandle = OpenProcess(PROCESS_DUP_HANDLE, FALSE, pid))) {
        printf("Could not open PID %d! (Don't try to open a system process.)\n", pid);
        return 1;
    }
    handleInfo = (PSYSTEM_HANDLE_INFORMATION)malloc(handleInfoSize);
    while ((status = NtQuerySystemInformation(
        SystemHandleInformation,
        handleInfo,
        handleInfoSize,
        NULL
        )) == STATUS_INFO_LENGTH_MISMATCH)
        handleInfo = (PSYSTEM_HANDLE_INFORMATION)realloc(handleInfo, handleInfoSize *= 2);
    if (!NT_SUCCESS(status)) {
        printf("NtQuerySystemInformation failed!\n");
        return 1;
    }
    for (i = 0; i < handleInfo->HandleCount; i++) {
        SYSTEM_HANDLE handle = handleInfo->Handles[i];
        HANDLE dupHandle = NULL;
        POBJECT_TYPE_INFORMATION objectTypeInfo;
        PVOID objectNameInfo;
        UNICODE_STRING objectName;
        ULONG returnLength;
        if (handle.ProcessId != pid)
            continue;
        if (!NT_SUCCESS(NtDuplicateObject(
            processHandle,
            (void*) handle.Handle,
            GetCurrentProcess(),
            &dupHandle,
            0,
            0,
            0
            ))) {
            printf("[%#x] Error!\n", handle.Handle);
            continue;
        }
 
        objectTypeInfo = (POBJECT_TYPE_INFORMATION)malloc(0x1000);
        if (!NT_SUCCESS(NtQueryObject(
            dupHandle,
            ObjectTypeInformation,
            objectTypeInfo,
            0x1000,
            NULL
            ))) {
 
            printf("[%#x] Error!\n", handle.Handle);
            CloseHandle(dupHandle);
            continue;
        }
        if (handle.GrantedAccess == 0x0012019f) {
         
 
            free(objectTypeInfo);
            CloseHandle(dupHandle);
            continue;
        }
 
        objectNameInfo = malloc(0x1000);
        if (!NT_SUCCESS(NtQueryObject(
            dupHandle,
            ObjectNameInformation,
            objectNameInfo,
            0x1000,
            &returnLength
            ))) {
            objectNameInfo = realloc(objectNameInfo, returnLength);
            if (!NT_SUCCESS(NtQueryObject(
                dupHandle,
                ObjectNameInformation,
                objectNameInfo,
                returnLength,
                NULL
                ))) {
               
                free(objectTypeInfo);
                free(objectNameInfo);
                CloseHandle(dupHandle);
                continue;
            }
        }
        objectName = *(PUNICODE_STRING)objectNameInfo;
            char Converted[100] = "\0";
            wcstombs(Converted, objectTypeInfo->Name.Buffer, sizeof(Converted));
            if (strcmp((CHAR*)Converted, "Thread") == 0)
            {
                 DuplicateHandle(processHandle, (void*)handle.Handle, NULL, NULL, 0, FALSE, 0x1);
            }
 
        free(objectTypeInfo);
        free(objectNameInfo);
        CloseHandle(dupHandle);
    }
 
    free(handleInfo);
    CloseHandle(processHandle);
    return 0;
}

int main(int argc, CHAR* argv[])
{
    SetConsoleTitleA("XTrap Bypass Written by Vitrix Maggot");
    printf("#########################################################\n");
    printf("########### Programacity XTrap Bypass ################\n");
    printf("################################### For Game ######\n");
    printf("Written by Vitrix Maggot, Thanks Lacy ######################\n");
    printf("#########################################################\n\n");
    DWORD PID = GetPIDbyName("Game.exe");
    if (PID == 0)
    {
        printf("Please open Game first and then open me. \n");
        system("PAUSE");
        return 0;
    }
    printf("\nProcess ID: 0x%X [ %d ] \n", PID, PID);
    printf("Suspending process... \n");
    SeDebugPrivilege();
    _ZwSuspendProcess ZwSuspendProcess = (_ZwSuspendProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"), "ZwSuspendProcess");
    HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);
    ZwSuspendProcess(hProc);
    printf("Process Suspended succefully!!\nClosing threads...\n");
    _ZwQueryInformationThread ZwQueryInformationThread = (_ZwQueryInformationThread)GetProcAddress(GetModuleHandleA("ntdll.dll"), "ZwQueryInformationThread");
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, PID);
    THREADENTRY32 TE;
    TE.dwSize = sizeof(TE);
    Thread32First(hSnap, &TE);
    DWORD BaseAddress = GetModuleBaseAddress(PID, "XTrapVa.dll");
    DWORD BaseSize = GetModuleSize(PID, "XTrapVa.dll");
    printf("XTrap BaseAddress: 0x%X \n", BaseAddress);
    printf("XTrap Size: 0x%X [ %d ] \n", BaseSize);
    while (Thread32Next(hSnap, &TE))
    {
        HANDLE hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, TE.th32ThreadID);
        DWORD Start;
        ZwQueryInformationThread(hThread, ThreadQuerySetWin32StartAddress, &Start, sizeof(Start), NULL);
        if (Start >= BaseAddress && Start <= BaseAddress+BaseSize)
        {
            TerminateThread(hThread, 8);
        }
        if (Start - (BaseAddr+fcExp) == 0x6110 | Start - (BaseAddr+fcExp) == 0x2190)
        {
            TerminateThread(hThread, 8);
        }
    }
    CloseHandle(hSnap);
    printf("Threads closed succefully! \nClosing handles...\n");
    CloseHandles(PID); 
    printf("Handles closed succefully! \nPlease inject s0beit.dll and NoExit.dll\n");
    CloseHandle(hProc);
    system("PAUSE");
    _ZwResumeProcess ZwResumeProcess = (_ZwResumeProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"), "ZwResumeProcess");
    hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);
    ZwResumeProcess(hProc);
    printf("\n\nBye bye XTrap :) \n");
    system("PAUSE");
    return 0;
}

Thread: Source Bypass Xtrap (para estudos)

Thread Tools

Display

Threaded View

Source Bypass Xtrap (para estudos)

The Following 5 Users Say Thank You to Vitrix Maggot For This Useful Post:

Similar Threads

[Source] Aika XTrap Eliminator Full Delphi Source with comments

Hackshield Bypass Source

[Release]Bot para Aika BR / Bot to Aika Brasil (Epic II Working) (Bypass Xtrap)

Posting Permissions