Code:
#include <stdio.h>
#include <windows.h>
#include <tlhelp32.h>
#define NT_SUCCESS(x) ((x) >= 0)
#define STATUS_INFO_LENGTH_MISMATCH 0xc0000004
#define SystemHandleInformation 16
#define ObjectBasicInformation 0
#define ObjectNameInformation 1
#define ObjectTypeInformation 2
#define fcExp 0x4D9480
#define BaseAddr 0x400000
typedef enum _THREAD_INFORMATION_CLASS {
ThreadBasicInformation,
ThreadTimes,
ThreadPriority,
ThreadBasePriority,
ThreadAffinityMask,
ThreadImpersonationToken,
ThreadDescriptorTableEntry,
ThreadEnableAlignmentFaultFixup,
ThreadEventPair,
ThreadQuerySetWin32StartAddress,
ThreadZeroTlsCell,
ThreadPerformanceCount,
ThreadAmILastThread,
ThreadIdealProcessor,
ThreadPriorityBoost,
ThreadSetTlsArrayAddress,
ThreadIsIoPending,
ThreadHideFromDebugger
} THREAD_INFORMATION_CLASS, *PTHREAD_INFORMATION_CLASS;
typedef DWORD(NTAPI *_ZwSuspendProcess)(HANDLE hProcess);
typedef DWORD(NTAPI *_ZwResumeProcess)(HANDLE hProcess);
typedef DWORD(NTAPI *_ZwQueryInformationThread)(HANDLE ThreadHandle, THREAD_INFORMATION_CLASS ThreadInformationClass, PVOID ThreadInformation, ULONG ThreadInformationLength, PULONG ReturnLength);
typedef DWORD(NTAPI *_NtQuerySystemInformation)(ULONG SystemInformationClass,PVOID SystemInformation,ULONG SystemInformationLength,PULONG ReturnLength);
typedef DWORD(NTAPI *_NtDuplicateObject)(HANDLE SourceProcessHandle,HANDLE SourceHandle,HANDLE TargetProcessHandle,PHANDLE TargetHandle,ACCESS_MASK DesiredAccess,ULONG Attributes,ULONG Options);
typedef DWORD(NTAPI *_NtQueryObject)(HANDLE ObjectHandle,ULONG ObjectInformationClass,PVOID ObjectInformation,ULONG ObjectInformationLength,PULONG ReturnLength);
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
typedef struct _SYSTEM_HANDLE {
ULONG ProcessId;
BYTE ObjectTypeNumber;
BYTE Flags;
USHORT Handle;
PVOID Object;
ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE, *PSYSTEM_HANDLE;
typedef struct _SYSTEM_HANDLE_INFORMATION {
ULONG HandleCount;
SYSTEM_HANDLE Handles[1];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
typedef enum _POOL_TYPE {
NonPagedPool,
PagedPool,
NonPagedPoolMustSucceed,
DontUseThisType,
NonPagedPoolCacheAligned,
PagedPoolCacheAligned,
NonPagedPoolCacheAlignedMustS
} POOL_TYPE, *PPOOL_TYPE;
typedef struct _OBJECT_TYPE_INFORMATION {
UNICODE_STRING Name;
ULONG TotalNumberOfObjects;
ULONG TotalNumberOfHandles;
ULONG TotalPagedPoolUsage;
ULONG TotalNonPagedPoolUsage;
ULONG TotalNamePoolUsage;
ULONG TotalHandleTableUsage;
ULONG HighWaterNumberOfObjects;
ULONG HighWaterNumberOfHandles;
ULONG HighWaterPagedPoolUsage;
ULONG HighWaterNonPagedPoolUsage;
ULONG HighWaterNamePoolUsage;
ULONG HighWaterHandleTableUsage;
ULONG InvalidAttributes;
GENERIC_MAPPING GenericMapping;
ULONG ValidAccess;
BOOLEAN SecurityRequired;
BOOLEAN MaintainHandleCount;
USHORT MaintainTypeList;
POOL_TYPE PoolType;
ULONG PagedPoolUsage;
ULONG NonPagedPoolUsage;
} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;
PVOID GetLibraryProcAddress(LPSTR LibraryName, LPSTR ProcName) {
return (PVOID)GetProcAddress(GetModuleHandleA(LibraryName), ProcName);
}
DWORD GetPIDbyName(char* szProcess)
{
HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
PROCESSENTRY32 PE;
PE.dwSize = sizeof(PE) ;
Process32First(hSnap, &PE);
while (Process32Next(hSnap, &PE))
{
char Converted[100] = "\0";
wcstombs(Converted, PE.szExeFile, sizeof(Converted));
if (strcmp(Converted, szProcess) == 0)
{
return PE.th32ProcessID;
}
}
return 0;
}
int SeDebugPrivilege(void)
{
HANDLE hToken;
LUID Val;
TOKEN_PRIVILEGES tp;
OpenProcessToken(HANDLE(-1),TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken);
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &Val);
tp.PrivilegeCount = 1;
tp.Privileges[0].Luid = Val;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof (tp), NULL, NULL);
CloseHandle(hToken);
return 1;
}
DWORD GetModuleBaseAddress(DWORD PID, char* szModule)
{
MODULEENTRY32 ME;
ME.dwSize = sizeof(ME);
HANDLE hSnapy = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, PID);
Module32First(hSnapy, &ME);
while (Module32Next(hSnapy, &ME))
{
char Converted[100] = "\0";
wcstombs(Converted, ME.szModule, sizeof(Converted));
if (strcmp(Converted, szModule) == 0)
{
return (DWORD)ME.hModule;
}
}
}
DWORD GetModuleSize(DWORD PID, char* szModule)
{
MODULEENTRY32 ME;
ME.dwSize = sizeof(ME);
HANDLE hSnapy = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, PID);
Module32First(hSnapy, &ME);
while (Module32Next(hSnapy, &ME))
{
char Converted[100] = "\0";
wcstombs(Converted, ME.szModule, sizeof(Converted));
if (strcmp(Converted, szModule) == 0)
{
return ME.modBaseSize;
}
}
}
int CloseHandles(ULONG pid)
{
_NtQuerySystemInformation NtQuerySystemInformation = (_NtQuerySystemInformation)GetLibraryProcAddress("ntdll.dll", "NtQuerySystemInformation");
_NtDuplicateObject NtDuplicateObject = (_NtDuplicateObject)GetLibraryProcAddress("ntdll.dll", "NtDuplicateObject");
_NtQueryObject NtQueryObject = (_NtQueryObject)GetLibraryProcAddress("ntdll.dll", "NtQueryObject");
DWORD status;
PSYSTEM_HANDLE_INFORMATION handleInfo;
ULONG handleInfoSize = 0x10000;
HANDLE processHandle;
ULONG i;
if (!(processHandle = OpenProcess(PROCESS_DUP_HANDLE, FALSE, pid))) {
printf("Could not open PID %d! (Don't try to open a system process.)\n", pid);
return 1;
}
handleInfo = (PSYSTEM_HANDLE_INFORMATION)malloc(handleInfoSize);
while ((status = NtQuerySystemInformation(
SystemHandleInformation,
handleInfo,
handleInfoSize,
NULL
)) == STATUS_INFO_LENGTH_MISMATCH)
handleInfo = (PSYSTEM_HANDLE_INFORMATION)realloc(handleInfo, handleInfoSize *= 2);
if (!NT_SUCCESS(status)) {
printf("NtQuerySystemInformation failed!\n");
return 1;
}
for (i = 0; i < handleInfo->HandleCount; i++) {
SYSTEM_HANDLE handle = handleInfo->Handles[i];
HANDLE dupHandle = NULL;
POBJECT_TYPE_INFORMATION objectTypeInfo;
PVOID objectNameInfo;
UNICODE_STRING objectName;
ULONG returnLength;
if (handle.ProcessId != pid)
continue;
if (!NT_SUCCESS(NtDuplicateObject(
processHandle,
(void*) handle.Handle,
GetCurrentProcess(),
&dupHandle,
0,
0,
0
))) {
printf("[%#x] Error!\n", handle.Handle);
continue;
}
objectTypeInfo = (POBJECT_TYPE_INFORMATION)malloc(0x1000);
if (!NT_SUCCESS(NtQueryObject(
dupHandle,
ObjectTypeInformation,
objectTypeInfo,
0x1000,
NULL
))) {
printf("[%#x] Error!\n", handle.Handle);
CloseHandle(dupHandle);
continue;
}
if (handle.GrantedAccess == 0x0012019f) {
free(objectTypeInfo);
CloseHandle(dupHandle);
continue;
}
objectNameInfo = malloc(0x1000);
if (!NT_SUCCESS(NtQueryObject(
dupHandle,
ObjectNameInformation,
objectNameInfo,
0x1000,
&returnLength
))) {
objectNameInfo = realloc(objectNameInfo, returnLength);
if (!NT_SUCCESS(NtQueryObject(
dupHandle,
ObjectNameInformation,
objectNameInfo,
returnLength,
NULL
))) {
free(objectTypeInfo);
free(objectNameInfo);
CloseHandle(dupHandle);
continue;
}
}
objectName = *(PUNICODE_STRING)objectNameInfo;
char Converted[100] = "\0";
wcstombs(Converted, objectTypeInfo->Name.Buffer, sizeof(Converted));
if (strcmp((CHAR*)Converted, "Thread") == 0)
{
DuplicateHandle(processHandle, (void*)handle.Handle, NULL, NULL, 0, FALSE, 0x1);
}
free(objectTypeInfo);
free(objectNameInfo);
CloseHandle(dupHandle);
}
free(handleInfo);
CloseHandle(processHandle);
return 0;
}
int main(int argc, CHAR* argv[])
{
SetConsoleTitleA("XTrap Bypass Written by Vitrix Maggot");
printf("#########################################################\n");
printf("########### Programacity XTrap Bypass ################\n");
printf("################################### For Game ######\n");
printf("Written by Vitrix Maggot, Thanks Lacy ######################\n");
printf("#########################################################\n\n");
DWORD PID = GetPIDbyName("Game.exe");
if (PID == 0)
{
printf("Please open Game first and then open me. \n");
system("PAUSE");
return 0;
}
printf("\nProcess ID: 0x%X [ %d ] \n", PID, PID);
printf("Suspending process... \n");
SeDebugPrivilege();
_ZwSuspendProcess ZwSuspendProcess = (_ZwSuspendProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"), "ZwSuspendProcess");
HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);
ZwSuspendProcess(hProc);
printf("Process Suspended succefully!!\nClosing threads...\n");
_ZwQueryInformationThread ZwQueryInformationThread = (_ZwQueryInformationThread)GetProcAddress(GetModuleHandleA("ntdll.dll"), "ZwQueryInformationThread");
HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, PID);
THREADENTRY32 TE;
TE.dwSize = sizeof(TE);
Thread32First(hSnap, &TE);
DWORD BaseAddress = GetModuleBaseAddress(PID, "XTrapVa.dll");
DWORD BaseSize = GetModuleSize(PID, "XTrapVa.dll");
printf("XTrap BaseAddress: 0x%X \n", BaseAddress);
printf("XTrap Size: 0x%X [ %d ] \n", BaseSize);
while (Thread32Next(hSnap, &TE))
{
HANDLE hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, TE.th32ThreadID);
DWORD Start;
ZwQueryInformationThread(hThread, ThreadQuerySetWin32StartAddress, &Start, sizeof(Start), NULL);
if (Start >= BaseAddress && Start <= BaseAddress+BaseSize)
{
TerminateThread(hThread, 8);
}
if (Start - (BaseAddr+fcExp) == 0x6110 | Start - (BaseAddr+fcExp) == 0x2190)
{
TerminateThread(hThread, 8);
}
}
CloseHandle(hSnap);
printf("Threads closed succefully! \nClosing handles...\n");
CloseHandles(PID);
printf("Handles closed succefully! \nPlease inject s0beit.dll and NoExit.dll\n");
CloseHandle(hProc);
system("PAUSE");
_ZwResumeProcess ZwResumeProcess = (_ZwResumeProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"), "ZwResumeProcess");
hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);
ZwResumeProcess(hProc);
printf("\n\nBye bye XTrap :) \n");
system("PAUSE");
return 0;
}