#Request PEB

12/06/2012 04:10 rick187377#1
PEB - Process Environment Block
Use - hides an injected DLL (a module) from WarRock's module scan. Note that it hides the module, not the process.
WarRock's anti-cheat scans the game process for attached dynamic-link libraries (DLLs) and reports unknown ones.
This is my first time hearing of the PEB, and it has thoroughly confused me.
I'm not a complete newbie when it comes to no-menu hacks for WarRock, but I'm not an expert either.
I have researched the PEB and came across people claiming that "hiding the PEB" keeps a DLL from being seen by WarRock, but that only confused me more.
Please show, with open-source code, how you would combine the code below with hiding the DLL from WarRock.

Example of code i am using:
Quote:
Code:
#include <Windows.h>
#include <stdio.h>

// Absolute addresses/offsets for one specific build of the target executable;
// they must be re-derived whenever that binary changes.
#define ADR_PLAYERPOINTER 0x00A48E74 // address read as Player in HackFunctions (a pointer to the player object)
#define ADR_SERVERPOINTER 0x00A48E04 // address of a server pointer; only read in a commented-out line below
#define OFS_NFD 0x00102E8 // offset from Player of the float that HackFunctions overwrites
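// Worker loop started from DllMain. Every 100 ms it reads the player-object
// pointer stored at ADR_PLAYERPOINTER and, when that pointer is non-null,
// overwrites the float at offset OFS_NFD inside the object with -999999
// ("no fall damage"). Never returns.
// Fix: the forum [COLOR] tags that had leaked into the listing are removed;
// as posted the function did not compile.
// NOTE(review): ADR_PLAYERPOINTER is dereferenced unconditionally on every
// pass. It is an absolute address for one build of the game and nothing here
// checks that it is mapped, so a different build faults on the first read.
void HackFunctions(){
    for(;;){
        // The original's commented-out read of ADR_SERVERPOINTER was unused and is dropped.
        DWORD Player = *(DWORD*)ADR_PLAYERPOINTER;

        /***************************[ No Fall Damage ]***************************/
        if( Player != 0 ){ // a null player pointer means no player object exists (not in game)
            *(float*)( Player + OFS_NFD ) = -999999;
        }
        /************************************************************************/
        Sleep(100);
    }
}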

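// DLL entry point. On process attach it starts HackFunctions on its own thread
// (DllMain runs under the loader lock and must return promptly, so the work
// cannot be done inline).
// Fix: the thread handle returned by CreateThread was never released, leaking a
// kernel handle for the life of the process; the thread is never joined, so the
// handle is closed right away. A failed CreateThread (NULL) is now reported by
// returning FALSE, which makes the loader unload the DLL instead of leaving it
// attached and idle.
BOOL WINAPI DllMain(HINSTANCE hModule,DWORD dwReason,LPVOID lpvReserved){
    if( dwReason == DLL_PROCESS_ATTACH ){
        HANDLE hThread = CreateThread(0,0,(LPTHREAD_START_ROUTINE)HackFunctions,0,0, 0);
        if( hThread == NULL ){
            return FALSE;
        }
        CloseHandle(hThread); // the thread keeps running; only our handle is released
    }
    return TRUE;
}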
Quote:
Cyno__™
I want to thank you for your time :)

sooo i now have..

Quote:
Code:
#include <Windows.h>
#include <stdio.h>

// Absolute addresses/offsets for one specific build of the target executable;
// they must be re-derived whenever that binary changes.
#define ADR_PLAYERPOINTER 0x00A48E74 // address read as Player in HackFunctions (a pointer to the player object)
#define ADR_SERVERPOINTER 0x00A48E04 // address of a server pointer; only read in a commented-out line below
#define OFS_NFD 0x00102E8 // offset from Player of the float that HackFunctions overwrites

// Unlinks the loader entry whose base address equals hModule from the three
// doubly-linked module lists hanging off PEB->Ldr (InLoadOrder, InMemoryOrder,
// InInitializationOrder). Only the neighbours' Flink/Blink pointers are
// rewritten: the entry itself, the mapped image and the kernel's own records
// are untouched, so this hides the module only from user-mode code that
// enumerates modules by walking these lists.
//
// NOTE(review): this is written as a member of a class "AntiDetection" that the
// listing never declares, so as posted it does not compile. Either declare the
// class (with this as a static member) or drop the "AntiDetection::" qualifier.
// The third listing in this thread calls its equivalent from DllMain, passing
// the DLL's own HINSTANCE; that is the parameter expected here as well.
//
// 32-bit only: fs:[30h] and every offset below are the x86 layouts of PEB,
// PEB_LDR_DATA and LDR_DATA_TABLE_ENTRY, and MSVC has no inline asm on x64.
// Nothing here takes a lock; it relies on being called while the loader lists
// are not changing (e.g. from DllMain, which runs under the loader lock).
// Each list walk starts at the entry AFTER the list's first one (see lodsd
// below), which is harmless for an injected DLL since it is never first.
// If hModule is not found in a list the walk simply ends; no error is reported.
VOID AntiDetection::PEBUnlinkModule(HINSTANCE hModule)
{
DWORD dwPEB_LDR_DATA = 0; // PEB->Ldr, saved so each list walk can restart from it
_asm
{
pushad;
pushfd;
mov eax, fs:[30h] // TEB+30h = PEB (x86)
mov eax, [eax+0Ch] // PEB->Ldr (PEB_LDR_DATA*)
mov dwPEB_LDR_DATA, eax // keep Ldr for the second and third walks

InLoadOrderModuleList:
mov esi, [eax+0Ch] // Ldr->InLoadOrderModuleList.Flink: first entry's InLoadOrderLinks
mov edx, [eax+10h] // Ldr->InLoadOrderModuleList.Blink: last entry's InLoadOrderLinks

LoopInLoadOrderModuleList:
lodsd // eax = [esi] = current entry's Flink (the NEXT entry); esi += 4
mov esi, eax // advance: esi now points at the entry we are about to test
mov ecx, [eax+18h] // LDR_DATA_TABLE_ENTRY->DllBase is 0x18 past InLoadOrderLinks
cmp ecx, hModule // is this our module?
jne SkipA // no: check whether the list is exhausted
mov ebx, [eax] // our Flink (next entry)
mov ecx, [eax+4] // our Blink (previous entry)
mov [ecx], ebx // prev->Flink = next
mov [ebx+4], ecx // next->Blink = prev (our own links are left as they were)
jmp InMemoryOrderModuleList // hidden from this list; move on to the next one
SkipA:
cmp edx, esi // was that the last entry (head's Blink)?
jne LoopInLoadOrderModuleList // no: keep walking

InMemoryOrderModuleList:
mov eax, dwPEB_LDR_DATA // PEB->Ldr again
mov esi, [eax+14h] // Ldr->InMemoryOrderModuleList.Flink
mov edx, [eax+18h] // Ldr->InMemoryOrderModuleList.Blink (last entry)

LoopInMemoryOrderModuleList:
lodsd // same walk as above, but over the InMemoryOrderLinks chain
mov esi, eax
mov ecx, [eax+10h] // DllBase is 0x10 past InMemoryOrderLinks
cmp ecx, hModule
jne SkipB
mov ebx, [eax]
mov ecx, [eax+4]
mov [ecx], ebx // prev->Flink = next
mov [ebx+4], ecx // next->Blink = prev
jmp InInitializationOrderModuleList
SkipB:
cmp edx, esi
jne LoopInMemoryOrderModuleList

InInitializationOrderModuleList:
mov eax, dwPEB_LDR_DATA // PEB->Ldr again
mov esi, [eax+1Ch] // Ldr->InInitializationOrderModuleList.Flink
mov edx, [eax+20h] // Ldr->InInitializationOrderModuleList.Blink (last entry)

LoopInInitializationOrderModuleList:
lodsd // same walk, over the InInitializationOrderLinks chain
mov esi, eax
mov ecx, [eax+08h] // DllBase is 0x08 past InInitializationOrderLinks
cmp ecx, hModule
jne SkipC
mov ebx, [eax]
mov ecx, [eax+4]
mov [ecx], ebx // prev->Flink = next
mov [ebx+4], ecx // next->Blink = prev
jmp Finished
SkipC:
cmp edx, esi
jne LoopInInitializationOrderModuleList

Finished:
popfd; // restore flags and all general registers clobbered above
popad;
}
}


// Worker loop started from DllMain. Every 100 ms it reads the player-object
// pointer stored at the fixed address ADR_PLAYERPOINTER and, when that pointer
// is non-null, overwrites the float at offset OFS_NFD inside the object with
// -999999 ("no fall damage"). Never returns.
// NOTE(review): ADR_PLAYERPOINTER is dereferenced unconditionally; it is an
// absolute address for one build of the game and nothing checks it is mapped.
void HackFunctions(){
    while (true) {
        const DWORD playerBase = *reinterpret_cast<DWORD*>(ADR_PLAYERPOINTER);

        // A null player pointer means no player object exists (not in a match).
        if (playerBase != 0) {
            float* const noFallDamage = reinterpret_cast<float*>(playerBase + OFS_NFD);
            *noFallDamage = -999999;
        }

        Sleep(100);
    }
}

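// DLL entry point. On process attach it starts HackFunctions on its own thread
// (DllMain runs under the loader lock and must return promptly, so the work
// cannot be done inline).
// Fix: the thread handle returned by CreateThread was never released, leaking a
// kernel handle for the life of the process; the thread is never joined, so the
// handle is closed right away. A failed CreateThread (NULL) is now reported by
// returning FALSE, which makes the loader unload the DLL instead of leaving it
// attached and idle.
BOOL WINAPI DllMain(HINSTANCE hModule,DWORD dwReason,LPVOID lpvReserved){
    if( dwReason == DLL_PROCESS_ATTACH ){
        HANDLE hThread = CreateThread(0,0,(LPTHREAD_START_ROUTINE)HackFunctions,0,0, 0);
        if( hThread == NULL ){
            return FALSE;
        }
        CloseHandle(hThread); // the thread keeps running; only our handle is released
    }
    return TRUE;
}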
But where do I call VOID AntiDetection::PEBUnlinkModule(HINSTANCE hModule) from, and with what parameters?
12/06/2012 21:49 Raz9r#2
The PEB, reachable through __readfsdword(0x30) on 32-bit Windows (FS:[0x30]) or __readgsqword(0x60) on 64-bit Windows (GS:[0x60]), holds data about the process environment — hence the name Process Environment Block (PEB). Its Ldr member points to a PEB_LDR_DATA structure whose three linked lists describe the loaded modules. By editing those lists you can remove your module's entry, so a HackShield scan that enumerates modules through the PEB will not find it.
Note that this only edits user-mode bookkeeping: the module stays mapped, and the kernel's VAD (Virtual Address Descriptor) tree still records the mapping, so any scan that walks process memory or asks the kernel, rather than reading the PEB lists, can still find it.

For more information, read these helpful articles:
[0] PEB: Process Environment Block - Wikipedia, the free encyclopedia
[1] Understanding PEB_LDR_DATA (link visible to registered forum users only)
[2] VAD Tree (link visible to registered forum users only)
[3] Example by Yazzn showing how to use this (link visible to registered forum users only)
12/06/2012 22:35 rick187377#3
So, why is my hack still being detected?
12/06/2012 22:42 Raz9r#4
Because you are still doing something else that HackShield detects — or your code simply raises an exception or an error.
12/06/2012 23:01 rick187377#5
It says 3rd party software found, disconnected..
So hackshield is finding it.. i also tried doing it this way

Quote:
Code (C++):
#include <windows.h>
#include <vector>
#include <algorithm>

// Absolute addresses/offsets for one specific build of the target executable;
// they must be re-derived whenever that binary changes.
#define ADR_PLAYERPOINTER 0x00A48E74 // address read as Player in Init (a pointer to the player object)
#define ADR_SERVERPOINTER 0x00A48E04 // address read as Server in Init; the value is never used
#define OFS_Z           0x10308 // offset from Player of the float written while Ctrl is held
#define OFS_NFD            0x00102E8 // offset from Player of the float written every pass

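// Partial PEB_LDR_DATA: only the three module-list heads are declared. The 12
// leading bytes (Length, Initialized, SsHandle in the public definition) are
// skipped so that InLoadOrderModuleList lands at offset 0x0C — the same
// +0Ch/+14h/+1Ch offsets the inline-asm version earlier in this thread uses.
// Fix: the closing brace of the struct was lost in the paste; restored.
// NOTE(review): these are the 32-bit offsets. On x64 SsHandle is 8 bytes and the
// list heads start at 0x10, so the _WIN64 branch in UnlinkModuleFromPEB cannot
// work with this padding — TODO confirm against the x64 headers before use.
typedef struct _PEB_LDR_DATA {
    UINT8 _PADDING_[12];
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;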

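// Partial PEB: 12 bytes are skipped so that Ldr lands at offset 0x0C, matching
// the [eax+0Ch] read in the inline-asm version earlier in this thread.
// Fix: the "*" in the Ldr member and the struct's closing brace were lost in
// the paste; restored.
// NOTE(review): 32-bit layout only. On x64 Ldr sits at offset 0x18, so the
// _WIN64 branch in UnlinkModuleFromPEB would read the wrong field through this
// struct — TODO confirm before using a 64-bit build.
typedef struct _PEB {
    UINT8 _PADDING_[12];
    PEB_LDR_DATA* Ldr;
} PEB, *PPEB;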

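// Partial LDR_DATA_TABLE_ENTRY: the three list links followed by the module
// base. With 8-byte LIST_ENTRYs (x86) DllBase is at 0x18, i.e. 0x18 past
// InLoadOrderLinks, 0x10 past InMemoryOrderLinks and 0x08 past
// InInitializationOrderLinks — the offsets the inline-asm version compares.
// Fix: the "*" in DllBase and the struct's closing brace were lost in the
// paste; restored.
typedef struct _LDR_DATA_TABLE_ENTRY {
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    VOID* DllBase; // compared against the HMODULE in UnlinkModuleFromPEB
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;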

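// Record of a module hidden by UnlinkModuleFromPEB, kept so RelinkModuleToPEB
// can put it back. Each Real* pointer holds the address of the entry's own
// link field (captured as prev->Flink before the unlink, when prev still
// pointed at us); Entry is the loader entry itself.
// Fix: the struct's closing brace was lost in the paste; restored.
typedef struct _UNLINKED_MODULE
{
    HMODULE hModule;
    PLIST_ENTRY RealInLoadOrderLinks;
    PLIST_ENTRY RealInMemoryOrderLinks;
    PLIST_ENTRY RealInInitializationOrderLinks;
    PLDR_DATA_TABLE_ENTRY Entry;
} UNLINKED_MODULE;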

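// Remove list node x from its doubly-linked list by pointing its two neighbours
// at each other. x's own Flink/Blink are deliberately left intact: RELINK later
// uses them to find the neighbours again.
// Fix: the macro's line continuations were broken in the paste; restored.
#define UNLINK(x)                   \
    (x).Flink->Blink = (x).Blink;   \
    (x).Blink->Flink = (x).Flink;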

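// Splice node `real` back in between the neighbours that x's (still intact)
// Flink/Blink point at; in this file `real` is always the address of x itself.
// NOTE(review): this trusts that both neighbours still exist and are still
// adjacent. Any module load or unload between UNLINK and RELINK can make these
// pointers stale and corrupt the loader lists.
// Fix: the macro's line continuations were broken in the paste; restored.
#define RELINK(x, real)             \
    (x).Flink->Blink = (real);      \
    (x).Blink->Flink = (real);      \
    (real)->Blink = (x).Blink;      \
    (real)->Flink = (x).Flink;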

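// Every module currently hidden by UnlinkModuleFromPEB (not synchronised;
// only ever touched from DllMain and the Init thread in this file).
// Fix: the closing ">" of the template argument was lost in the paste; restored.
std::vector<UNLINKED_MODULE> UnlinkedModules;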

// Predicate for std::find_if over UnlinkedModules: true for the record whose
// hModule equals the handle supplied at construction.
struct FindModuleHandle
{
    HMODULE m_hModule; // handle being searched for

    FindModuleHandle(HMODULE hModule) : m_hModule(hModule) {}

    bool operator() (UNLINKED_MODULE const &Module) const
    {
        return Module.hModule == m_hModule;
    }
};

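// Re-inserts a module previously hidden by UnlinkModuleFromPEB into the three
// PEB loader lists and forgets it. No-op if hModule was never unlinked.
// Fix: the "=" in the iterator initialisation was lost in the paste; restored.
// NOTE(review): RELINK splices the entry back between the neighbours its own
// Flink/Blink still point at (UNLINK never clears them). If any module was
// loaded or unloaded in between, those neighbours may be gone and the lists
// will be corrupted. Call this only right before unloading (as the commented-
// out F5 handler in Init does) and never concurrently with the loader.
void RelinkModuleToPEB(HMODULE hModule)
{
    std::vector<UNLINKED_MODULE>::iterator it = std::find_if(UnlinkedModules.begin(), UnlinkedModules.end(), FindModuleHandle(hModule));

    if (it == UnlinkedModules.end())
    {
        //DBGOUT(TEXT("Module Not Unlinked Yet!"));
        return;
    }

    RELINK((*it).Entry->InLoadOrderLinks, (*it).RealInLoadOrderLinks);
    RELINK((*it).Entry->InInitializationOrderLinks, (*it).RealInInitializationOrderLinks);
    RELINK((*it).Entry->InMemoryOrderLinks, (*it).RealInMemoryOrderLinks);

    UnlinkedModules.erase(it);
}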

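// Hides hModule from user-mode module enumeration by unlinking its
// LDR_DATA_TABLE_ENTRY from PEB->Ldr's InLoadOrder, InInitializationOrder and
// InMemoryOrder lists. The entry, the mapped image and the kernel's VAD records
// are untouched, so scans that walk memory rather than these lists still see it.
// Idempotent: a module already recorded in UnlinkedModules is left alone.
// Only InLoadOrderModuleList is walked; the other two links are taken from the
// same entry once it is found.
// Fix: the "=" signs and the commas in the CONTAINING_RECORD call were lost in
// the paste; restored.
// NOTE(review): the _WIN64 branch reads the PEB via GS:[0x60], which is right,
// but the PEB/PEB_LDR_DATA structs above carry 32-bit padding, so on x64 the
// Ldr pointer and list heads would be read from the wrong offsets.
// NOTE(review): no locking; the loader lock is held while DllMain runs, which
// is the one call site here where the lists are guaranteed not to be changing.
void UnlinkModuleFromPEB(HMODULE hModule)
{
    std::vector<UNLINKED_MODULE>::iterator it = std::find_if(UnlinkedModules.begin(), UnlinkedModules.end(), FindModuleHandle(hModule));
    if (it != UnlinkedModules.end())
    {
        //DBGOUT(TEXT("Module Already Unlinked!"));
        return;
    }

#ifdef _WIN64
    PPEB pPEB = (PPEB)__readgsqword(0x60);
#else
    PPEB pPEB = (PPEB)__readfsdword(0x30);
#endif

    PLIST_ENTRY CurrentEntry = pPEB->Ldr->InLoadOrderModuleList.Flink;
    PLDR_DATA_TABLE_ENTRY Current = NULL;

    // The list is circular: stop when we are back at the head (or hit a NULL link).
    while (CurrentEntry != &pPEB->Ldr->InLoadOrderModuleList && CurrentEntry != NULL)
    {
        Current = CONTAINING_RECORD(CurrentEntry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
        if (Current->DllBase == hModule)
        {
            UNLINKED_MODULE CurrentModule = {0};
            CurrentModule.hModule = hModule;
            // Before the unlink, prev->Flink points at this entry's own link
            // field; keep those addresses so RELINK can splice the node back in.
            CurrentModule.RealInLoadOrderLinks = Current->InLoadOrderLinks.Blink->Flink;
            CurrentModule.RealInInitializationOrderLinks = Current->InInitializationOrderLinks.Blink->Flink;
            CurrentModule.RealInMemoryOrderLinks = Current->InMemoryOrderLinks.Blink->Flink;
            CurrentModule.Entry = Current;
            UnlinkedModules.push_back(CurrentModule);

            UNLINK(Current->InLoadOrderLinks);
            UNLINK(Current->InInitializationOrderLinks);
            UNLINK(Current->InMemoryOrderLinks);

            break;
        }

        CurrentEntry = CurrentEntry->Flink;
    }
}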

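// This DLL's own module handle, recorded in DllMain so the (currently
// commented-out) F5 handler in Init can relink and unload it.
// Fix: the "=" was lost in the paste; restored.
HINSTANCE g_hinstDLL = NULL;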
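// Thread body started from DllMain. Every 200 ms it reads the player-object
// pointer from ADR_PLAYERPOINTER and, when it is non-null, writes 2500 to the
// float at OFS_Z while Ctrl is held ("super jump") and -999999 to the float at
// OFS_NFD ("no fall damage"). Never returns: the F5 relink-and-unload handler
// is commented out.
// Fix: the "0" in the Player check, the parentheses around VK_CONTROL and the
// "+" in both offset additions were lost in the paste; restored. The Server
// read was dropped because its value was never used.
// NOTE(review): ADR_PLAYERPOINTER is an absolute address for one build of the
// game and is dereferenced unconditionally; a different build faults here.
DWORD WINAPI Init(LPVOID)
{
    for(;;) {
        Sleep(200);

        DWORD Player = *(DWORD*)( ADR_PLAYERPOINTER );

        /***********[hacks]***************/
        if( Player != 0 ){ // a null pointer means no player object exists (not in game)
            /*************Super Jump************/
            if( GetAsyncKeyState( VK_CONTROL ) )
            {
                *(float*)( Player + OFS_Z ) = 2500;
            }
            /************No Fall Damage********/
            *(float*)( Player + OFS_NFD ) = -999999;
            /**************************************/
        }

        //Hacks here

        /***********Re LINK**************
        if (GetAsyncKeyState(VK_F5) & 1) {
            RelinkModuleToPEB(g_hinstDLL);
            FreeLibraryAndExitThread(g_hinstDLL, ERROR_SUCCESS);
        }
        **********************************/
    }
}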

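// DLL entry point. On process attach it records its own handle, unlinks itself
// from the PEB loader lists (while the loader lock is held, so the lists are
// stable) and starts the Init thread.
// Fix: the commas in the parameter list and in the CreateThread call, the "="
// in the handle assignment and the function's closing brace were lost in the
// paste; restored. The CreateThread handle was never closed (kernel handle
// leak) and a NULL result was ignored; now the handle is released at once and
// a failed thread start relinks the module and returns FALSE so the loader
// unloads the DLL through intact lists instead of leaving it unlinked and idle.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID)
{
    if (fdwReason == DLL_PROCESS_ATTACH) {
        g_hinstDLL = hinstDLL;
        UnlinkModuleFromPEB(hinstDLL);
        HANDLE hThread = CreateThread(NULL, 0, Init, NULL, 0, NULL);
        if (hThread == NULL) {
            // Put the entry back before the loader unloads us, or its own walk
            // of the lists would not find this module.
            RelinkModuleToPEB(hinstDLL);
            return FALSE;
        }
        CloseHandle(hThread); // the thread keeps running; only our handle is released
    }

    return TRUE;
}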

12/06/2012 23:03 +Yazzn#6
Close all background programs
12/07/2012 00:03 Raz9r#7
Quote:
Originally Posted by rick187377
It says 3rd party software found, disconnected..
So hackshield is finding it.. i also tried doing it this way
Quote:
Originally Posted by Yazzn (:
Close all background programs
Some time ago HackShield began reporting Visual Studio as "3rd party software" modifying the game: having Visual Studio open while an actual cheat module is loaded was enough to trigger the detection. Most people don't know this, so be careful about it.
12/07/2012 01:07 rick187377#8
Quote:
Originally Posted by __underScore
Some time ago HackShield began reporting Visual Studio as "3rd party software" modifying the game: having Visual Studio open while an actual cheat module is loaded was enough to trigger the detection. Most people don't know this, so be careful about it.
I closed all other programs, still being detected.