XTrap Memory Detection

11/18/2013 15:12 Forbidi#1
Hello, so I tried many times to bypass memory detection using the fake scan page method, but I always get a crash. I added an infinite loop before returning the original page, then xcrap calls the function without any return; well, I don't get a crash, only after a few minutes. So I was asking if the method is patched or if I'm doing something wrong, and if I need to detour another func.
11/18/2013 15:28 cheyester10#2
It's a lot better to remove the XTrap driver. You can do that by preventing it from starting up (you have to make it look like XTrap is still there). You can also hook functions. There are several other methods.
11/18/2013 15:36 Forbidi#3
Quote:
Originally Posted by cheyester10
You can also hook functions. There are several other methods.
That's what I'm doing. I set a jmp to my page.
11/18/2013 15:43 cheyester10#4
Quote:
Originally Posted by Forbidi
That's what I'm doing. I set a jmp to my page.
Did you inc the original opcode?
11/18/2013 15:52 Forbidi#5
Quote:
Originally Posted by cheyester10
Did you inc the original opcode?
I think I have the right calling convention.
11/18/2013 16:00 snow#6
Make sure you don't have any multithreading-related issues; multiple threads use this function.
Also make sure your hook includes if (size <= 0).
11/18/2013 16:03 Forbidi#7
Quote:
Originally Posted by snow911
Make sure you don't have any multithreading-related issues; multiple threads use this function.
Also make sure your hook includes if (size < 0).
I'm not using multithreading, I will add the conditions and see, thx.
Edit: still getting a crash :S
11/18/2013 18:55 K1ramoX#8
Quote:
Originally Posted by cheyester10
It's a lot better to remove the XTrap driver. You can do that by preventing it from starting up (you have to make it look like XTrap is still there). You can also hook functions. There are several other methods.
XTrap driver != memory detection ;o

Quote:
Originally Posted by Forbidi
Hello, so I tried many times to bypass memory detection using the fake scan page method, but I always get a crash. I added an infinite loop before returning the original page, then xcrap calls the function without any return; well, I don't get a crash, only after a few minutes. So I was asking if the method is patched or if I'm doing something wrong, and if I need to detour another func.
That's because XTrap has a new check for this function. You can bypass it by hooking some functions before it and maybe using a vtable hook ;o

Quote:
Originally Posted by snow911
Also make sure your hook includes if (size < 0).
size can't be < 0. Just check:

Code:
if (!size)
{
	return 0;
}
11/18/2013 20:22 Omdi#9
Quote:
Originally Posted by K1ramoX
Code:
if (!size)
{
	return 0;
}
Well, comparing 'size' for being smaller than zero is actually much safer than expecting that 'size' would never be smaller than zero. Be prepared for the worst-case scenario :p
11/18/2013 21:13 Forbidi#10
Quote:
Originally Posted by K1ramoX
That's because XTrap has a new check for this function. You can bypass it by hooking some functions before it and maybe using a vtable hook ;o
What func do you mean Oo
11/18/2013 21:32 snow#11
Quote:
Originally Posted by Forbidi
What func do you mean Oo
I don't think it's a good idea to share everything we know about XTrap with the wider public; you were able to find the memory detection by yourself, so you should be able to find other functions as well.

Quote:
I'm not using multithreading, I will add the conditions and see, thx.
No, you aren't using multithreading; XTrap uses multithreading and you're hooking an XTrap function.
std::mutex might be something for you.

Oh, and you should return TRUE in your DllMain; returning FALSE will free the allocated memory, thus your hook jumps to some random / empty memory.
11/19/2013 14:40 K1ramoX#12
Quote:
Originally Posted by Omdihar
Well, comparing 'size' for being smaller than zero is actually much safer than expecting that 'size' would never be smaller than zero. Be prepared for the worst-case scenario :p
XTrap is checking if it's zero too =P

Quote:
Originally Posted by Forbidi
What func do you mean Oo
Just backtrace.

Quote:
Originally Posted by snow911
No, you aren't using multithreading; XTrap uses multithreading and you're hooking an XTrap function.
std::mutex might be something for you.
If you let XTrap scan in copied pages you don't need a mutex d:
11/19/2013 15:06 Omdi#13
Quote:
Originally Posted by K1ramoX
XTrap is checking if it's zero too =P
XTrap also gets the address of GetProcAddress by calling GetProcAddress instead of doing &GetProcAddress.

Quote:
If you let XTrap scan in copied pages you don't need a mutex d:
This is only the case if there's only one thread checking the page ;)
11/19/2013 18:02 K1ramoX#14
Quote:
Originally Posted by Omdihar
XTrap also gets the address of GetProcAddress by calling GetProcAddress instead of doing &GetProcAddress.
Advanced code obfuscation, Y U NO KNOW THAT

Quote:
Originally Posted by Omdihar
This is only the case if there's only one thread checking the page ;)
A mutex for read? There's no write or run ;o