You last visited: Today at 05:02
Advertisement
[Tutorial + Source] Bypass Most Anti-Hacks Easy
Discussion on [Tutorial + Source] Bypass Most Anti-Hacks Easy within the Flyff Hacks, Bots, Cheats, Exploits & Macros forum part of the Flyff category.
04/25/2016, 01:21
#1
elite*gold: 70
Join Date: Apr 2015
Posts: 421
Received Thanks: 1,023
[Tutorial + Source] Flyff Bypass Most Anti-Hacks Easy
Today I'm going to share a method to be able to bypass client-sided anti-cheats without editing any memory. It is basically update-friendly and will not be patched by regular server updates. It works by utilizing the fact that the server uses a method called to call code infinitely that protects their client from cheating / reverse engineering.
Having such critical code in it's own thread is easy to bypass and I'm quite surprised that none has yet figured it out. The point of this thread is not only to show people how to bypass the anti-cheats but also to make the server owners aware about it. I'm going to use a server called Flyff Thai to showcase. But this works on most servers which has client-sided protection. I know, it's sad.
Be aware that it's easier to bypass an anti-cheat with this method while not logged into the game since there's less threads running and you'll easier identify which threads are the ones protecting the client.
The server "Flyff Thai" has two types of security (most servers doesn't). One of them is a dll called "GameGuard.dll" and the other one is internal inside of the "Neuz.exe". By looking at the image below you're able to see which threads are the ones keeping the client safe. I've surrounded them with blue and green rectangles. Btw, the program used is called .
When you've found them, you can easily just stop their flow by suspending them and they'll stop doing what they're doing.
Boom, you've successfully bypassed a anti-cheat without any coding knowledge at all.
The only annoying thing right now, is that you're manually required to do it everytime.
What if we could make the computer do it for us instead?
Luckily we can! The only thing we need to do is find patterns to be able to identify the anti-cheat threads. The pattern is required to be the same everytime the client is restarted. E.g we would not be able to use the TEB address.
The first pattern we can easily detect is the start address of the gameguard threads. Example: GameGuard.dll!Vermillion_Guard+0x3b70 . We can see that the thread's associated module is GameGuard.dll, that's the first and easy part of the anti-cheat bypass.
The only thing left is the internal anti-cheat which is located inside of the "Neuz.exe". Those are the threads marked with a green rectangle in the first image above. Sadly we cannot take the approach as we did with the GameGuard threads because there's three threads with the same associated module and one is the main threads for the game, if we suspend that one. The game will be paused.
So we'll need another pattern. There are two patterns which we're able to use to identify the threads. Their "Status" is set to "DelayExecution" and their Start Address's are both the same but the main thread is not. We can use either one of these patterns. I'm using the "DelayExecution" in the code below.
Now too the fun part, the ugly code. Hopefully I've explained good enough. Btw, now that people know about this, servers might hopefully fix it. Bai!
nt_ddk.h - (Required Header) Download:
Source.cpp
Code:
#include "gWin_ProcessEnumerator.h"
int main() {
gWin::ProcessEnumerator procEnum;
for (auto &process : procEnum.getProcesses()) {
if (process.getName() == "Neuz.exe") {
for (auto &thread : process.getThreads()) {
auto modInfo = process.getAssociatedModule(&thread);
std::cout << modInfo.name << "+" << std::hex <<
thread.getStartAddress() - modInfo.base << std::endl;
if (modInfo.name.find("GameGuard") != std::string::npos)
SuspendThread(thread.getHandle().getRaw());
if (modInfo.name.find("Neuz") != std::string::npos)
if (thread.getWaitReason() == DelayExecution)
SuspendThread(thread.getHandle().getRaw());
}
}
}
return 0;
}
gWin_ProcessEnumerator.h
Code:
#pragma once
/*
NT Internals Process Enumerator
- Created by greyb1t 2016-04-22
I'd appreciate if you left this comment here when copy pasting it somewhere else.
Thank you!
*/
#include <iostream>
#include <Windows.h>
#include <vector>
#include <memory>
#include <string>
#include <TlHelp32.h>
#include "nt_ddk.h"
#define PRINT_ERRORS true
std::string getNtErrorCode(NTSTATUS ntStatus);
void PRINT_ERROR(std::string s, NTSTATUS status);
namespace gWin {
struct ModuleInfo {
DWORD base;
DWORD size;
std::string name;
};
class SafeHandle {
public:
SafeHandle() {}
// Legal Usage (constructor):
// gWin::SafeHandle handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
SafeHandle(HANDLE handle) : m_handle(handle) {}
~SafeHandle() {
CloseHandle(m_handle);
}
SafeHandle(const SafeHandle &source) {
this->operator=(source);
}
// Legal Usage (assignment operator):
// handle1 = handle2;
SafeHandle& operator= (const SafeHandle &hSource) {
// TODO: Check if DuplicateHandle is the function which is needed
m_handle = hSource.m_handle;
return *this;
}
SafeHandle& operator= (const HANDLE hSource) {
// TODO: Check if DuplicateHandle is the function which is needed
m_handle = hSource;
return *this;
}
const HANDLE getRaw() const {
return m_handle;
}
private:
HANDLE m_handle;
};
class Thread {
public:
Thread(SYSTEM_THREADS_INFORMATION *threadInfo) : m_threadInfo(threadInfo) {}
~Thread() {}
SYSTEM_THREADS_INFORMATION *getPtr() { return m_threadInfo; }
// Getters
DWORD getStartAddress() { return (DWORD)m_threadInfo->StartAddress; }
DWORD getProcessId() { return (DWORD)m_threadInfo->ClientId.UniqueProcess; }
DWORD getThreadId() { return (DWORD)m_threadInfo->ClientId.UniqueThread; }
int getPriority() { return m_threadInfo->Priority; }
ULONG getContextSwitchCount() { return m_threadInfo->ContextSwitchCount; }
int getState() { return m_threadInfo->State; }
KWAIT_REASON getWaitReason() { return m_threadInfo->WaitReason; }
gWin::SafeHandle getHandle() { return OpenThread(THREAD_ALL_ACCESS, FALSE, getThreadId()); }
private:
SYSTEM_THREADS_INFORMATION *m_threadInfo;
};
class Process {
public:
Process(SYSTEM_PROCESS_INFORMATION *spi, PVOID buf) : m_spi(spi), m_allBuffer(buf) {}
void deallocWholeBuffer() { delete[] m_allBuffer; }
SYSTEM_PROCESS_INFORMATION *getPtr() { return m_spi; }
std::vector<Thread> &getThreads() {
if (m_threads.size() <= 0)
enumThreads();
return m_threads;
}
std::vector<MODULEENTRY32> &getModules() {
if (m_modules.size() <= 0)
enumModules();
return m_modules;
}
std::string getName() {
if (m_spi->ImageName.Buffer != nullptr) {
std::wstring wProcName = m_spi->ImageName.Buffer;
return std::string(wProcName.begin(), wProcName.end());
}
else {
return "nullptr";
}
}
ModuleInfo getAssociatedModule(Thread *thread);
DWORD getId() { return (DWORD)m_spi->UniqueProcessId; }
private:
void enumModules();
void enumThreads();
DWORD getThreadStartAddress(HANDLE hThread);
private:
std::vector<Thread> m_threads;
std::vector<MODULEENTRY32> m_modules;
SYSTEM_PROCESS_INFORMATION *m_spi;
_SYSTEM_HANDLE_INFORMATION_T<PVOID> *m_shi;
PVOID m_allBuffer;
};
class ProcessEnumerator {
public:
ProcessEnumerator() { iterateProcesses(); }
~ProcessEnumerator() {
if (m_processes.size() >= 0)
m_processes[0].deallocWholeBuffer();
}
std::vector<Process> &getProcesses() {
return m_processes;
}
private:
void iterateProcesses();
private:
std::vector<Process> m_processes;
};
}
gWin_ProcessEnumerator.cpp
Code:
#include "gWin_ProcessEnumerator.h"
std::string getNtErrorCode(NTSTATUS ntStatus) {
switch (ntStatus) {
case STATUS_SUCCESS:
return "NTSuccess";
case STATUS_UNSUCCESSFUL:
return "NTUnsuccessful";
case STATUS_NOT_IMPLEMENTED:
return "Not Implemented";
case STATUS_INFO_LENGTH_MISMATCH:
return "Length Mismatch";
case STATUS_NO_MEMORY:
return "No memory";
case STATUS_ACCESS_DENIED:
return "Access Denied";
case STATUS_BUFFER_TOO_SMALL:
return "Buffer too small";
case STATUS_PROCEDURE_NOT_FOUND:
return "Proceadure not found";
case STATUS_NOT_SUPPORTED:
return "Not supported";
case STATUS_NOT_FOUND:
return "Not found";
case STATUS_PARTIAL_COPY:
return "Partial copy";
default:
return "Unkown error";
}
}
void PRINT_ERROR(std::string s, NTSTATUS status) {
#if PRINT_ERRORS
std::cerr << "GetLastError() - " << GetLastError() << " - " << "NTSTATUS - " << getNtErrorCode(status) << " - " << s << std::endl;
#endif
}
namespace gWin {
void Process::enumModules() {
gWin::SafeHandle hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPALL, (DWORD)m_spi->UniqueProcessId);
MODULEENTRY32 modEntry = { 0 };
modEntry.dwSize = sizeof(MODULEENTRY32);
m_modules.clear();
if (!Module32First(hSnapshot.getRaw(), &modEntry))
PRINT_ERROR("Unable to iterate through modules", 0);
do {
m_modules.push_back(modEntry);
} while (Module32Next(hSnapshot.getRaw(), &modEntry));
}
void Process::enumThreads() {
for (ULONG i = 0; i < m_spi->NumberOfThreads; ++i) {
m_spi->Threads[i].StartAddress = (PVOID)getThreadStartAddress(m_spi->Threads[i].ClientId.UniqueThread);
m_threads.push_back(Thread(&m_spi->Threads[i]));
}
}
DWORD Process::getThreadStartAddress(HANDLE hThread) {
HMODULE ntDll = GetModuleHandle("ntdll.dll");
if (ntDll == NULL) {
PRINT_ERROR("Unable to get module handle from ntdll.dll", 0);
return 0;
}
tNtQueryInformationThread NtQueryInformationThread =
(tNtQueryInformationThread)GetProcAddress(ntDll, ("NtQueryInformationThread"));
if (NtQueryInformationThread == NULL) {
PRINT_ERROR("NtQueryInformationThread was not found", 0);
return 0;
}
gWin::SafeHandle hNewThread = OpenThread(THREAD_QUERY_INFORMATION, FALSE, (DWORD)hThread);
DWORD threadStartAddr = 0;
NTSTATUS retval = NtQueryInformationThread(hNewThread.getRaw(), ThreadQuerySetWin32StartAddress, &threadStartAddr, sizeof(DWORD), NULL);
if (!NT_SUCCESS(retval)) {
PRINT_ERROR("Unable to get start address of thread", retval);
return 0;
}
return threadStartAddr;
}
ModuleInfo Process::getAssociatedModule(Thread *thread) {
if (m_modules.size() <= 0)
enumModules();
for (auto &module : m_modules) {
if (thread->getStartAddress() >= (DWORD)module.modBaseAddr &&
thread->getStartAddress() <= ((DWORD)module.modBaseAddr + module.modBaseSize)) {
return ModuleInfo { (DWORD)module.modBaseAddr, module.modBaseSize, module.szExePath };
}
}
return ModuleInfo { 0 };
}
void ProcessEnumerator::iterateProcesses() {
HMODULE ntDll = GetModuleHandle("ntdll.dll");
if (ntDll == NULL)
PRINT_ERROR("Unable to get module handle from ntdll.dll", 0);
tNtQuerySystemInformation NtQuerySystemInformation =
(tNtQuerySystemInformation)GetProcAddress(ntDll, ("NtQuerySystemInformation"));
if (NtQuerySystemInformation == NULL)
PRINT_ERROR("NtQuerySystemInformation was not found", 0);
void *buffer = new void *[1024 * 1024];
PSYSTEM_PROCESS_INFORMATION pSpi = (PSYSTEM_PROCESS_INFORMATION)buffer;
NTSTATUS ntStatus = NtQuerySystemInformation(SystemProcessInformation, pSpi, 1024 * 1024, NULL);
if (!NT_SUCCESS(ntStatus)) {
PRINT_ERROR("Unable to iterate through process list", ntStatus);
return;
}
m_processes.clear();
while (pSpi->NextEntryOffset) {
m_processes.push_back(Process(pSpi, buffer));
ULONG nextEntry = (ULONG)pSpi + pSpi->NextEntryOffset;
pSpi = (PSYSTEM_PROCESS_INFORMATION)(nextEntry);
}
}
}
Attached Files
Process - Thread Iteration NT Internals - VS Solution.zip
(21.2 KB, 1373 views)
04/25/2016, 02:18
#2
elite*gold: 28
Join Date: Feb 2010
Posts: 463
Received Thanks: 277
Nice work
04/25/2016, 04:29
#3
elite*gold: 0
Join Date: Apr 2016
Posts: 40
Received Thanks: 8
Nice. Glad to see a person who knows what to do and how to do it.
04/25/2016, 09:13
#4
elite*gold: 0
Join Date: Jun 2012
Posts: 68
Received Thanks: 2
^^x
04/25/2016, 19:08
#5
elite*gold: 0
Join Date: May 2014
Posts: 35
Received Thanks: 0
thanks for sharing
04/26/2016, 04:27
#6
elite*gold: 0
Join Date: Jul 2012
Posts: 259
Received Thanks: 16
nice work
04/28/2016, 14:42
#7
elite*gold: 0
Join Date: Nov 2013
Posts: 21
Received Thanks: 4
Oh My *** ! Thanks for the release!
04/29/2016, 00:25
#8
elite*gold: 0
Join Date: Oct 2007
Posts: 45
Received Thanks: 33
So with The Prozess Viewer you Look into process Neuz and suspend the gameguard threads and the other Neuz threads right?
Got a problem with compilation of the source, why do I get errors?
04/29/2016, 13:39
#9
elite*gold: 70
Join Date: Apr 2015
Posts: 421
Received Thanks: 1,023
Quote:
Originally Posted by
Amatzu
So with The Prozess Viewer you Look into process Neuz and suspend the gameguard threads and the other Neuz threads right?
Got a problem with compilation of the source, why do I get errors?
Post the error messages.
04/29/2016, 14:17
#10
elite*gold: 0
Join Date: Oct 2007
Posts: 45
Received Thanks: 33
too many to post, here a few of them:
nt_ddk.h [Error] conflicting declaration 'typedef struct _EXCEPTION_REGISTRATION EXCEPTION_REGISTRATION'
mingw64\x86_64-w64-mingw32\include\excpt.h [Error] 'PEXCEPTION_HANDLER' has a previous declaration as 'typedef int (* PEXCEPTION_HANDLER)(struct _EXCEPTION_RECORD*, void*, struct _CONTEXT*, void*)'
nt_ddk.h [Error] conflicting declaration 'typedef struct _EXCEPTION_REGISTRATION EXCEPTION_REGISTRATION'
nt_ddk.h [Error] 'PROCESSOR_NUMBER' does not name a type
nt_ddk.h [Error] typedef 'tNtCreateThreadEx' is initialized (use decltype instead)
nt_ddk.h [Error] '__out' was not declared in this scope
nt_ddk.h [Error] '__in' was not declared in this scope
gWin_ProcessEnumerator.h [Error] cast from 'PVOID {aka void*}' to 'DWORD {aka long unsigned int}' loses precision [-fpermissive]
and a few more, they repeat themselves..
Im just learning c++ right now so maybe I missed something..
tried to understand the code, could follow source but the others too complex for me to understand right now..
could you help?
04/29/2016, 15:54
#11
elite*gold: 70
Join Date: Apr 2015
Posts: 421
Received Thanks: 1,023
Quote:
Originally Posted by
Amatzu
too many to post, here a few of them:
nt_ddk.h [Error] conflicting declaration 'typedef struct _EXCEPTION_REGISTRATION EXCEPTION_REGISTRATION'
mingw64\x86_64-w64-mingw32\include\excpt.h [Error] 'PEXCEPTION_HANDLER' has a previous declaration as 'typedef int (* PEXCEPTION_HANDLER)(struct _EXCEPTION_RECORD*, void*, struct _CONTEXT*, void*)'
nt_ddk.h [Error] conflicting declaration 'typedef struct _EXCEPTION_REGISTRATION EXCEPTION_REGISTRATION'
nt_ddk.h [Error] 'PROCESSOR_NUMBER' does not name a type
nt_ddk.h [Error] typedef 'tNtCreateThreadEx' is initialized (use decltype instead)
nt_ddk.h [Error] '__out' was not declared in this scope
nt_ddk.h [Error] '__in' was not declared in this scope
gWin_ProcessEnumerator.h [Error] cast from 'PVOID {aka void*}' to 'DWORD {aka long unsigned int}' loses precision [-fpermissive]
and a few more, they repeat themselves..
Im just learning c++ right now so maybe I missed something..
tried to understand the code, could follow source but the others too complex for me to understand right now..
could you help?
Weird errors! That could be alot of things, most likely a problem you've done since you're a beginner. But maybe not. Or maybe another IDE / compiler or some other crap. Don't really know how to fix them just by seeing them errors and not looking through what you've done. But what you could do is skip the nt_ddk.h and just use the required definitions instead.
Remove the include to "nt_ddk.h" in "gWin_ProcessEnumerator.h" and check which errors appear. Then just manually take all the defintions and copy over them to the gWin_ProcessEnumerator.h.
If you're using Visual Studio, I've uploaded the solution as an attachment. Download that one if you're unable to get it to work.
Attached Files
Process - Thread Iteration - VS Solution.zip
(1.05 MB, 173 views)
04/29/2016, 19:12
#12
elite*gold: 0
Join Date: Oct 2007
Posts: 45
Received Thanks: 33
Thank you, but still doesnt work, even with your solution. Visual studio says it failed.
this whole compiler stuff sucks -.-
im using visual studio 2015 btw
also, if you use the process view program, the processes neuz.exe and gameguard disappear after a short period of time. do they hide themselves in some way? since the code doesnt work with me I tried manually but the processes disappear real quick.
04/29/2016, 19:28
#13
elite*gold: 70
Join Date: Apr 2015
Posts: 421
Received Thanks: 1,023
Quote:
Originally Posted by
Amatzu
Thank you, but still doesnt work, even with your solution. Visual studio says it failed.
this whole compiler stuff sucks -.-
im using visual studio 2015 btw
If the code below doesn't work, I don't know what will. It's probably something you're missing installed or something. Replace the code in the gWin_ProcessEnumerator.h with the one below and see if it works.
// Edit: Forgot to mention, don't forget to remove the nt_ddk.h
Which server are you trying this on?
gWin_ProcessEnumerator.h
Code:
#pragma once
/*
NT Internals Process Enumerator
- Created by greyb1t 2016-04-22
I'd appreciate if you left this comment here when copy pasting it somewhere else.
Thank you!
*/
#include <iostream>
#include <Windows.h>
#include <vector>
#include <memory>
#include <string>
#include <TlHelp32.h>
#define PRINT_ERRORS true
std::string getNtErrorCode(NTSTATUS ntStatus);
void PRINT_ERROR(std::string s, NTSTATUS status);
#ifndef NT_SUCCESS
#define NT_SUCCESS(x) ((x) >= 0)
#endif
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemBasicInformation, // q: SYSTEM_BASIC_INFORMATION
SystemProcessorInformation, // q: SYSTEM_PROCESSOR_INFORMATION
SystemPerformanceInformation, // q: SYSTEM_PERFORMANCE_INFORMATION
SystemTimeOfDayInformation, // q: SYSTEM_TIMEOFDAY_INFORMATION
SystemPathInformation, // not implemented
SystemProcessInformation, // q: SYSTEM_PROCESS_INFORMATION
SystemCallCountInformation, // q: SYSTEM_CALL_COUNT_INFORMATION
SystemDeviceInformation, // q: SYSTEM_DEVICE_INFORMATION
SystemProcessorPerformanceInformation, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION
SystemFlagsInformation, // q: SYSTEM_FLAGS_INFORMATION
SystemCallTimeInformation, // not implemented // 10
SystemModuleInformation, // q: RTL_PROCESS_MODULES
SystemLocksInformation,
SystemStackTraceInformation,
SystemPagedPoolInformation, // not implemented
SystemNonPagedPoolInformation, // not implemented
SystemHandleInformation, // q: SYSTEM_HANDLE_INFORMATION
SystemObjectInformation, // q: SYSTEM_OBJECTTYPE_INFORMATION mixed with SYSTEM_OBJECT_INFORMATION
SystemPageFileInformation, // q: SYSTEM_PAGEFILE_INFORMATION
SystemVdmInstemulInformation, // q
SystemVdmBopInformation, // not implemented // 20
SystemFileCacheInformation, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemCache)
SystemPoolTagInformation, // q: SYSTEM_POOLTAG_INFORMATION
SystemInterruptInformation, // q: SYSTEM_INTERRUPT_INFORMATION
SystemDpcBehaviorInformation, // q: SYSTEM_DPC_BEHAVIOR_INFORMATION; s: SYSTEM_DPC_BEHAVIOR_INFORMATION (requires SeLoadDriverPrivilege)
SystemFullMemoryInformation, // not implemented
SystemLoadGdiDriverInformation, // s (kernel-mode only)
SystemUnloadGdiDriverInformation, // s (kernel-mode only)
SystemTimeAdjustmentInformation, // q: SYSTEM_QUERY_TIME_ADJUST_INFORMATION; s: SYSTEM_SET_TIME_ADJUST_INFORMATION (requires SeSystemtimePrivilege)
SystemSummaryMemoryInformation, // not implemented
SystemMirrorMemoryInformation, // s (requires license value "Kernel-MemoryMirroringSupported") (requires SeShutdownPrivilege) // 30
SystemPerformanceTraceInformation, // s
SystemObsolete0, // not implemented
SystemExceptionInformation, // q: SYSTEM_EXCEPTION_INFORMATION
SystemCrashDumpStateInformation, // s (requires SeDebugPrivilege)
SystemKernelDebuggerInformation, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION
SystemContextSwitchInformation, // q: SYSTEM_CONTEXT_SWITCH_INFORMATION
SystemRegistryQuotaInformation, // q: SYSTEM_REGISTRY_QUOTA_INFORMATION; s (requires SeIncreaseQuotaPrivilege)
SystemExtendServiceTableInformation, // s (requires SeLoadDriverPrivilege) // loads win32k only
SystemPrioritySeperation, // s (requires SeTcbPrivilege)
SystemVerifierAddDriverInformation, // s (requires SeDebugPrivilege) // 40
SystemVerifierRemoveDriverInformation, // s (requires SeDebugPrivilege)
SystemProcessorIdleInformation, // q: SYSTEM_PROCESSOR_IDLE_INFORMATION
SystemLegacyDriverInformation, // q: SYSTEM_LEGACY_DRIVER_INFORMATION
SystemCurrentTimeZoneInformation, // q
SystemLookasideInformation, // q: SYSTEM_LOOKASIDE_INFORMATION
SystemTimeSlipNotification, // s (requires SeSystemtimePrivilege)
SystemSessionCreate, // not implemented
SystemSessionDetach, // not implemented
SystemSessionInformation, // not implemented
SystemRangeStartInformation, // q // 50
SystemVerifierInformation, // q: SYSTEM_VERIFIER_INFORMATION; s (requires SeDebugPrivilege)
SystemVerifierThunkExtend, // s (kernel-mode only)
SystemSessionProcessInformation, // q: SYSTEM_SESSION_PROCESS_INFORMATION
SystemLoadGdiDriverInSystemSpace, // s (kernel-mode only) (same as SystemLoadGdiDriverInformation)
SystemNumaProcessorMap, // q
SystemPrefetcherInformation, // q: PREFETCHER_INFORMATION; s: PREFETCHER_INFORMATION // PfSnQueryPrefetcherInformation
SystemExtendedProcessInformation, // q: SYSTEM_PROCESS_INFORMATION
SystemRecommendedSharedDataAlignment, // q
SystemComPlusPackage, // q; s
SystemNumaAvailableMemory, // 60
SystemProcessorPowerInformation, // q: SYSTEM_PROCESSOR_POWER_INFORMATION
SystemEmulationBasicInformation, // q
SystemEmulationProcessorInformation,
SystemExtendedHandleInformation, // q: SYSTEM_HANDLE_INFORMATION_EX
SystemLostDelayedWriteInformation, // q: ULONG
SystemBigPoolInformation, // q: SYSTEM_BIGPOOL_INFORMATION
SystemSessionPoolTagInformation, // q: SYSTEM_SESSION_POOLTAG_INFORMATION
SystemSessionMappedViewInformation, // q: SYSTEM_SESSION_MAPPED_VIEW_INFORMATION
SystemHotpatchInformation, // q; s
SystemObjectSecurityMode, // q // 70
SystemWatchdogTimerHandler, // s (kernel-mode only)
SystemWatchdogTimerInformation, // q (kernel-mode only); s (kernel-mode only)
SystemLogicalProcessorInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION
SystemWow64SharedInformationObsolete, // not implemented
SystemRegisterFirmwareTableInformationHandler, // s (kernel-mode only)
SystemFirmwareTableInformation, // not implemented
SystemModuleInformationEx, // q: RTL_PROCESS_MODULE_INFORMATION_EX
SystemVerifierTriageInformation, // not implemented
SystemSuperfetchInformation, // q: SUPERFETCH_INFORMATION; s: SUPERFETCH_INFORMATION // PfQuerySuperfetchInformation
SystemMemoryListInformation, // q: SYSTEM_MEMORY_LIST_INFORMATION; s: SYSTEM_MEMORY_LIST_COMMAND (requires SeProfileSingleProcessPrivilege) // 80
SystemFileCacheInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (same as SystemFileCacheInformation)
SystemThreadPriorityClientIdInformation, // s: SYSTEM_THREAD_CID_PRIORITY_INFORMATION (requires SeIncreaseBasePriorityPrivilege)
SystemProcessorIdleCycleTimeInformation, // q: SYSTEM_PROCESSOR_IDLE_CYCLE_TIME_INFORMATION[]
SystemVerifierCancellationInformation, // not implemented // name:wow64:whNT32QuerySystemVerifierCancellationInformation
SystemProcessorPowerInformationEx, // not implemented
SystemRefTraceInformation, // q; s // ObQueryRefTraceInformation
SystemSpecialPoolInformation, // q; s (requires SeDebugPrivilege) // MmSpecialPoolTag, then MmSpecialPoolCatchOverruns != 0
SystemProcessIdInformation, // q: SYSTEM_PROCESS_ID_INFORMATION
SystemErrorPortInformation, // s (requires SeTcbPrivilege)
SystemBootEnvironmentInformation, // q: SYSTEM_BOOT_ENVIRONMENT_INFORMATION // 90
SystemHypervisorInformation, // q; s (kernel-mode only)
SystemVerifierInformationEx, // q; s
SystemTimeZoneInformation, // s (requires SeTimeZonePrivilege)
SystemImageFileExecutionOptionsInformation, // s: SYSTEM_IMAGE_FILE_EXECUTION_OPTIONS_INFORMATION (requires SeTcbPrivilege)
SystemCoverageInformation, // q; s // name:wow64:whNT32QuerySystemCoverageInformation; ExpCovQueryInformation
SystemPrefetchPatchInformation, // not implemented
SystemVerifierFaultsInformation, // s (requires SeDebugPrivilege)
SystemSystemPartitionInformation, // q: SYSTEM_SYSTEM_PARTITION_INFORMATION
SystemSystemDiskInformation, // q: SYSTEM_SYSTEM_DISK_INFORMATION
SystemProcessorPerformanceDistribution, // q: SYSTEM_PROCESSOR_PERFORMANCE_DISTRIBUTION // 100
SystemNumaProximityNodeInformation, // q
SystemDynamicTimeZoneInformation, // q; s (requires SeTimeZonePrivilege)
SystemCodeIntegrityInformation, // q // SeCodeIntegrityQueryInformation
SystemProcessorMicrocodeUpdateInformation, // s
SystemProcessorBrandString, // q // HaliQuerySystemInformation -> HalpGetProcessorBrandString, info class 23
SystemVirtualAddressInformation, // q: SYSTEM_VA_LIST_INFORMATION[]; s: SYSTEM_VA_LIST_INFORMATION[] (requires SeIncreaseQuotaPrivilege) // MmQuerySystemVaInformation
SystemLogicalProcessorAndGroupInformation, // q: SYSTEM_LOGICAL_PROCESSOR_INFORMATION_EX // since WIN7 // KeQueryLogicalProcessorRelationship
SystemProcessorCycleTimeInformation, // q: SYSTEM_PROCESSOR_CYCLE_TIME_INFORMATION[]
SystemStoreInformation, // q; s // SmQueryStoreInformation
SystemRegistryAppendString, // s: SYSTEM_REGISTRY_APPEND_STRING_PARAMETERS // 110
SystemAitSamplingValue, // s: ULONG (requires SeProfileSingleProcessPrivilege)
SystemVhdBootInformation, // q: SYSTEM_VHD_BOOT_INFORMATION
SystemCpuQuotaInformation, // q; s // PsQueryCpuQuotaInformation
SystemNativeBasicInformation, // not implemented
SystemSpare1, // not implemented
SystemLowPriorityIoInformation, // q: SYSTEM_LOW_PRIORITY_IO_INFORMATION
SystemTpmBootEntropyInformation, // q: TPM_BOOT_ENTROPY_NT_RESULT // ExQueryTpmBootEntropyInformation
SystemVerifierCountersInformation, // q: SYSTEM_VERIFIER_COUNTERS_INFORMATION
SystemPagedPoolInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypePagedPool)
SystemSystemPtesInformationEx, // q: SYSTEM_FILECACHE_INFORMATION; s (requires SeIncreaseQuotaPrivilege) (info for WorkingSetTypeSystemPtes) // 120
SystemNodeDistanceInformation, // q
SystemAcpiAuditInformation, // q: SYSTEM_ACPI_AUDIT_INFORMATION // HaliQuerySystemInformation -> HalpAuditQueryResults, info class 26
SystemBasicPerformanceInformation, // q: SYSTEM_BASIC_PERFORMANCE_INFORMATION // name:wow64:whNtQuerySystemInformation_SystemBasicPerformanceInformation
SystemQueryPerformanceCounterInformation, // q: SYSTEM_QUERY_PERFORMANCE_COUNTER_INFORMATION // since WIN7 SP1
SystemSessionBigPoolInformation, // since WIN8
SystemBootGraphicsInformation,
SystemScrubPhysicalMemoryInformation,
SystemBadPageInformation,
SystemProcessorProfileControlArea,
SystemCombinePhysicalMemoryInformation, // 130
SystemEntropyInterruptTimingCallback,
SystemConsoleInformation,
SystemPlatformBinaryInformation,
SystemThrottleNotificationInformation,
SystemHypervisorProcessorCountInformation,
SystemDeviceDataInformation,
SystemDeviceDataEnumerationInformation,
SystemMemoryTopologyInformation,
SystemMemoryChannelInformation,
SystemBootLogoInformation, // 140
SystemProcessorPerformanceInformationEx, // q: SYSTEM_PROCESSOR_PERFORMANCE_INFORMATION_EX // since WINBLUE
SystemSpare0,
SystemSecureBootPolicyInformation,
SystemPageFileInformationEx, // q: SYSTEM_PAGEFILE_INFORMATION_EX
SystemSecureBootInformation,
SystemEntropyInterruptTimingRawInformation,
SystemPortableWorkspaceEfiLauncherInformation,
SystemFullProcessInformation, // q: SYSTEM_PROCESS_INFORMATION with SYSTEM_PROCESS_INFORMATION_EXTENSION (requires admin)
SystemKernelDebuggerInformationEx, // q: SYSTEM_KERNEL_DEBUGGER_INFORMATION_EX
SystemBootMetadataInformation, // 150
SystemSoftRebootInformation,
SystemElamCertificateInformation,
SystemOfflineDumpConfigInformation,
SystemProcessorFeaturesInformation, // q: SYSTEM_PROCESSOR_FEATURES_INFORMATION
SystemRegistryReconciliationInformation,
SystemEdidInformation,
SystemManufacturingInformation, // q: SYSTEM_MANUFACTURING_INFORMATION // since THRESHOLD
SystemEnergyEstimationConfigInformation, // q: SYSTEM_ENERGY_ESTIMATION_CONFIG_INFORMATION
SystemHypervisorDetailInformation, // q: SYSTEM_HYPERVISOR_DETAIL_INFORMATION
SystemProcessorCycleStatsInformation, // q: SYSTEM_PROCESSOR_CYCLE_STATS_INFORMATION // 160
SystemVmGenerationCountInformation,
SystemTrustedPlatformModuleInformation, // q: SYSTEM_TPM_INFORMATION
SystemKernelDebuggerFlags,
SystemCodeIntegrityPolicyInformation,
SystemIsolatedUserModeInformation,
SystemHardwareSecurityTestInterfaceResultsInformation,
SystemSingleModuleInformation, // q: SYSTEM_SINGLE_MODULE_INFORMATION
SystemAllowedCpuSetsInformation,
SystemDmaProtectionInformation, // q: SYSTEM_DMA_PROTECTION_INFORMATION
SystemInterruptCpuSetsInformation,
SystemSecureBootPolicyFullInformation,
SystemCodeIntegrityPolicyFullInformation,
SystemAffinitizedInterruptProcessorInformation,
SystemRootSiloInformation, // q: SYSTEM_ROOT_SILO_INFORMATION
SystemCpuSetInformation, // q: SYSTEM_CPU_SET_INFORMATION // since THRESHOLD2
SystemCpuSetTagInformation, // q: SYSTEM_CPU_SET_TAG_INFORMATION
SystemWin32WerStartCallout,
SystemSecureKernelProfileInformation,
MaxSystemInfoClass
} SYSTEM_INFORMATION_CLASS;
typedef enum _PROCESSINFOCLASS {
ProcessBasicInformation = 0, // 0, q: PROCESS_BASIC_INFORMATION, PROCESS_EXTENDED_BASIC_INFORMATION
ProcessQuotaLimits, // qs: QUOTA_LIMITS, QUOTA_LIMITS_EX
ProcessIoCounters, // q: IO_COUNTERS
ProcessVmCounters, // q: VM_COUNTERS, VM_COUNTERS_EX
ProcessTimes, // q: KERNEL_USER_TIMES
ProcessBasePriority, // s: KPRIORITY
ProcessRaisePriority, // s: ULONG
ProcessDebugPort, // q: HANDLE
ProcessExceptionPort, // s: HANDLE
ProcessAccessToken, // s: PROCESS_ACCESS_TOKEN
ProcessLdtInformation, // 10
ProcessLdtSize,
ProcessDefaultHardErrorMode, // qs: ULONG
ProcessIoPortHandlers, // (kernel-mode only)
ProcessPooledUsageAndLimits, // q: POOLED_USAGE_AND_LIMITS
ProcessWorkingSetWatch, // q: PROCESS_WS_WATCH_INFORMATION[]; s: void
ProcessUserModeIOPL,
ProcessEnableAlignmentFaultFixup, // s: BOOLEAN
ProcessPriorityClass, // qs: PROCESS_PRIORITY_CLASS
ProcessWx86Information,
ProcessHandleCount, // 20, q: ULONG, PROCESS_HANDLE_INFORMATION
ProcessAffinityMask, // s: KAFFINITY
ProcessPriorityBoost, // qs: ULONG
ProcessDeviceMap, // qs: PROCESS_DEVICEMAP_INFORMATION, PROCESS_DEVICEMAP_INFORMATION_EX
ProcessSessionInformation, // q: PROCESS_SESSION_INFORMATION
ProcessForegroundInformation, // s: PROCESS_FOREGROUND_BACKGROUND
ProcessWow64Information, // q: ULONG_PTR
ProcessImageFileName, // q: UNICODE_STRING
ProcessLUIDDeviceMapsEnabled, // q: ULONG
ProcessBreakOnTermination, // qs: ULONG
ProcessDebugObjectHandle, // 30, q: HANDLE
ProcessDebugFlags, // qs: ULONG
ProcessHandleTracing, // q: PROCESS_HANDLE_TRACING_QUERY; s: size 0 disables, otherwise enables
ProcessIoPriority, // qs: ULONG
ProcessExecuteFlags, // qs: ULONG
ProcessResourceManagement,
ProcessCookie, // q: ULONG
ProcessImageInformation, // q: SECTION_IMAGE_INFORMATION
ProcessCycleTime, // q: PROCESS_CYCLE_TIME_INFORMATION
ProcessPagePriority, // q: ULONG
ProcessInstrumentationCallback, // 40
ProcessThreadStackAllocation, // s: PROCESS_STACK_ALLOCATION_INFORMATION, PROCESS_STACK_ALLOCATION_INFORMATION_EX
ProcessWorkingSetWatchEx, // q: PROCESS_WS_WATCH_INFORMATION_EX[]
ProcessImageFileNameWin32, // q: UNICODE_STRING
ProcessImageFileMapping, // q: HANDLE (input)
ProcessAffinityUpdateMode, // qs: PROCESS_AFFINITY_UPDATE_MODE
ProcessMemoryAllocationMode, // qs: PROCESS_MEMORY_ALLOCATION_MODE
ProcessGroupInformation, // q: USHORT[]
ProcessTokenVirtualizationEnabled, // s: ULONG
ProcessConsoleHostProcess, // q: ULONG_PTR
ProcessWindowInformation, // 50, q: PROCESS_WINDOW_INFORMATION
ProcessHandleInformation, // q: PROCESS_HANDLE_SNAPSHOT_INFORMATION // since WIN8
ProcessMitigationPolicy, // s: PROCESS_MITIGATION_POLICY_INFORMATION
ProcessDynamicFunctionTableInformation,
ProcessHandleCheckingMode,
ProcessKeepAliveCount, // q: PROCESS_KEEPALIVE_COUNT_INFORMATION
ProcessRevokeFileHandles, // s: PROCESS_REVOKE_FILE_HANDLES_INFORMATION
MaxProcessInfoClass
} PROCESSINFOCLASS;
typedef enum _THREADINFOCLASS {
ThreadBasicInformation,
ThreadTimes,
ThreadPriority,
ThreadBasePriority,
ThreadAffinityMask,
ThreadImpersonationToken,
ThreadDescriptorTableEntry,
ThreadEnableAlignmentFaultFixup,
ThreadEventPair_Reusable,
ThreadQuerySetWin32StartAddress,
ThreadZeroTlsCell,
ThreadPerformanceCount,
ThreadAmILastThread,
ThreadIdealProcessor,
ThreadPriorityBoost,
ThreadSetTlsArrayAddress,
ThreadIsIoPending,
ThreadHideFromDebugger,
ThreadBreakOnTermination,
ThreadSwitchLegacyState,
ThreadIsTerminated,
ThreadLastSystemCall,
ThreadIoPriority,
ThreadCycleTime,
ThreadPagePriority,
ThreadActualBasePriority,
ThreadTebInformation,
ThreadCSwitchMon,
MaxThreadInfoClass
} THREADINFOCLASS;
typedef NTSTATUS(NTAPI *tRtlGetNativeSystemInformation)(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
typedef NTSTATUS(NTAPI *tNtQueryInformationProcess)(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength);
typedef NTSTATUS(NTAPI *tNtQuerySystemInformation)(ULONG SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
typedef NTSTATUS(NTAPI *tNtQueryInformationThread)(HANDLE ThreadHandle, THREADINFOCLASS ThreadInformationClass, PVOID ThreadInformation, ULONG ThreadInformationLength, PULONG ReturnLength);
#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#endif //!STATUS_SUCCESS
#ifndef STATUS_UNSUCCESSFUL
#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L)
#endif //!STATUS_UNSUCCESSFUL
#ifndef STATUS_NOT_IMPLEMENTED
#define STATUS_NOT_IMPLEMENTED ((NTSTATUS)0xC0000002L)
#endif //!STATUS_NOT_IMPLEMENTED
#ifndef STATUS_INFO_LENGTH_MISMATCH
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#endif //!STATUS_INFO_LENGTH_MISMATCH
#ifndef STATUS_NO_MEMORY
#define STATUS_NO_MEMORY ((NTSTATUS)0xC0000017L)
#endif //!STATUS_NO_MEMORY
#ifndef STATUS_ACCESS_DENIED
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
#endif //!STATUS_ACCESS_DENIED
#ifndef STATUS_BUFFER_TOO_SMALL
#define STATUS_BUFFER_TOO_SMALL ((NTSTATUS)0xC0000023L)
#endif //!STATUS_BUFFER_TOO_SMALL
#ifndef STATUS_PROCEDURE_NOT_FOUND
#define STATUS_PROCEDURE_NOT_FOUND ((NTSTATUS)0xC000007AL)
#endif //!STATUS_PROCEDURE_NOT_FOUND
#ifndef STATUS_NOT_SUPPORTED
#define STATUS_NOT_SUPPORTED ((NTSTATUS)0xC00000BBL)
#endif //!STATUS_NOT_SUPPORTED
#ifndef STATUS_NOT_FOUND
#define STATUS_NOT_FOUND ((NTSTATUS)0xC0000225L)
#endif //!STATUS_NOT_FOUND
#ifndef STATUS_PARTIAL_COPY
#define STATUS_PARTIAL_COPY ((NTSTATUS)0x8000000DL)
#endif //!STATUS_PARTIAL_COPY
template<typename T>
struct _SYSTEM_HANDLE_T {
ULONG ProcessId;
BYTE ObjectTypeNumber;
BYTE Flags;
USHORT Handle;
T Object;
ACCESS_MASK GrantedAccess;
};
template<typename T>
struct _SYSTEM_HANDLE_INFORMATION_T {
ULONG HandleCount;
_SYSTEM_HANDLE_T<T> Handles[1];
};
typedef long KPRIORITY;
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
typedef enum _KWAIT_REASON {
Executive,
FreePage,
PageIn,
PoolAllocation,
DelayExecution,
Suspended,
UserRequest,
WrExecutive,
WrFreePage,
WrPageIn,
WrPoolAllocation,
WrDelayExecution,
WrSuspended,
WrUserRequest,
WrEventPair,
WrQueue,
WrLpcReceive,
WrLpcReply,
WrVirtualMemory,
WrPageOut,
WrRendezvous,
WrKeyedEvent,
WrTerminated,
WrProcessInSwap,
WrCpuRateControl,
WrCalloutStack,
WrKernel,
WrResource,
WrPushLock,
WrMutex,
WrQuantumEnd,
WrDispatchInt,
WrPreempted,
WrYieldExecution,
WrFastMutex,
WrGuardedMutex,
WrRundown,
WrAlertByThreadId,
WrDeferredPreempt,
MaximumWaitReason
} KWAIT_REASON, *PKWAIT_REASON;
typedef struct _CLIENT_ID {
HANDLE UniqueProcess;
HANDLE UniqueThread;
} CLIENT_ID, *PCLIENT_ID;
typedef struct _SYSTEM_THREADS_INFORMATION {
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;
int Priority;
int BasePriority;
ULONG ContextSwitchCount;
int State;
KWAIT_REASON WaitReason;
} SYSTEM_THREADS_INFORMATION, *PSYSTEM_THREADS_INFORMATION;
typedef struct _SYSTEM_PROCESS_INFORMATION {
ULONG NextEntryOffset;
ULONG NumberOfThreads;
LARGE_INTEGER WorkingSetPrivateSize; // since VISTA
ULONG HardFaultCount; // since WIN7
ULONG NumberOfThreadsHighWatermark; // since WIN7
ULONGLONG CycleTime; // since WIN7
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ImageName;
KPRIORITY BasePriority;
HANDLE UniqueProcessId;
HANDLE InheritedFromUniqueProcessId;
ULONG HandleCount;
ULONG SessionId;
ULONG_PTR UniqueProcessKey; // since VISTA (requires SystemExtendedProcessInformation)
SIZE_T PeakVirtualSize;
SIZE_T VirtualSize;
ULONG PageFaultCount;
SIZE_T PeakWorkingSetSize;
SIZE_T WorkingSetSize;
SIZE_T QuotaPeakPagedPoolUsage;
SIZE_T QuotaPagedPoolUsage;
SIZE_T QuotaPeakNonPagedPoolUsage;
SIZE_T QuotaNonPagedPoolUsage;
SIZE_T PagefileUsage;
SIZE_T PeakPagefileUsage;
SIZE_T PrivatePageCount;
LARGE_INTEGER ReadOperationCount;
LARGE_INTEGER WriteOperationCount;
LARGE_INTEGER OtherOperationCount;
LARGE_INTEGER ReadTransferCount;
LARGE_INTEGER WriteTransferCount;
LARGE_INTEGER OtherTransferCount;
SYSTEM_THREADS_INFORMATION Threads[1];
// SYSTEM_EXTENDED_THREAD_INFORMATION Threads[1];
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
namespace gWin {
struct ModuleInfo {
DWORD base;
DWORD size;
std::string name;
};
class SafeHandle {
public:
SafeHandle() {}
// Legal Usage (constructor):
// gWin::SafeHandle handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
SafeHandle(HANDLE handle) : m_handle(handle) {}
~SafeHandle() {
CloseHandle(m_handle);
}
SafeHandle(const SafeHandle &source) {
this->operator=(source);
}
// Legal Usage (assignment operator):
// handle1 = handle2;
SafeHandle& operator= (const SafeHandle &hSource) {
// TODO: Check if DuplicateHandle is the function which is needed
m_handle = hSource.m_handle;
return *this;
}
SafeHandle& operator= (const HANDLE hSource) {
// TODO: Check if DuplicateHandle is the function which is needed
m_handle = hSource;
return *this;
}
const HANDLE getRaw() const {
return m_handle;
}
private:
HANDLE m_handle;
};
class Thread {
public:
Thread(SYSTEM_THREADS_INFORMATION *threadInfo) : m_threadInfo(threadInfo) {}
~Thread() {}
SYSTEM_THREADS_INFORMATION *getPtr() { return m_threadInfo; }
// Getters
DWORD getStartAddress() { return (DWORD)m_threadInfo->StartAddress; }
DWORD getProcessId() { return (DWORD)m_threadInfo->ClientId.UniqueProcess; }
DWORD getThreadId() { return (DWORD)m_threadInfo->ClientId.UniqueThread; }
int getPriority() { return m_threadInfo->Priority; }
ULONG getContextSwitchCount() { return m_threadInfo->ContextSwitchCount; }
int getState() { return m_threadInfo->State; }
KWAIT_REASON getWaitReason() { return m_threadInfo->WaitReason; }
gWin::SafeHandle getHandle() { return OpenThread(THREAD_ALL_ACCESS, FALSE, getThreadId()); }
private:
SYSTEM_THREADS_INFORMATION *m_threadInfo;
};
class Process {
public:
Process(SYSTEM_PROCESS_INFORMATION *spi, PVOID buf) : m_spi(spi), m_allBuffer(buf) {}
void deallocWholeBuffer() { delete[] m_allBuffer; }
SYSTEM_PROCESS_INFORMATION *getPtr() { return m_spi; }
std::vector<Thread> &getThreads() {
if (m_threads.size() <= 0)
enumThreads();
return m_threads;
}
std::vector<MODULEENTRY32> &getModules() {
if (m_modules.size() <= 0)
enumModules();
return m_modules;
}
std::string getName() {
if (m_spi->ImageName.Buffer != nullptr) {
std::wstring wProcName = m_spi->ImageName.Buffer;
return std::string(wProcName.begin(), wProcName.end());
}
else {
return "nullptr";
}
}
ModuleInfo getAssociatedModule(Thread *thread);
DWORD getId() { return (DWORD)m_spi->UniqueProcessId; }
private:
void enumModules();
void enumThreads();
DWORD getThreadStartAddress(HANDLE hThread);
private:
std::vector<Thread> m_threads;
std::vector<MODULEENTRY32> m_modules;
SYSTEM_PROCESS_INFORMATION *m_spi;
_SYSTEM_HANDLE_INFORMATION_T<PVOID> *m_shi;
PVOID m_allBuffer;
};
class ProcessEnumerator {
public:
ProcessEnumerator() { iterateProcesses(); }
~ProcessEnumerator() {
if (m_processes.size() >= 0)
m_processes[0].deallocWholeBuffer();
}
std::vector<Process> &getProcesses() {
return m_processes;
}
private:
void iterateProcesses();
private:
std::vector<Process> m_processes;
};
}
04/29/2016, 20:48
#14
elite*gold: 0
Join Date: Oct 2007
Posts: 45
Received Thanks: 33
trying the manual version on the official flyff. isnt it working on offi?
04/29/2016, 20:54
#15
elite*gold: 70
Join Date: Apr 2015
Posts: 421
Received Thanks: 1,023
Quote:
Originally Posted by
Amatzu
trying the manual version on the official flyff. isnt it working on offi?
I'm going to guess that it doesn't, but I don't know.
I don't play on official servers at all. It'd be quite dumb if it did work though.
Similar Threads
YT-Tutorial: Easy Bypass [Working]
08/25/2013 - Wolfteam - 20 Replies
Bypass Wolfteam
Ich zeige euch hier mal einen funktionierenden Bypass, mit verständlicher Erklärung. ;)
Habe auch extra ein Tutorial für euch zusammengestellt, dass keine weiteren Fragen mehr auftreten sollten :P
Schaut euch das Video an, und die Fragen sind wie weggeblasen ;)
[Tutorial] Anti Memory Detection Bypass Benutzung
05/25/2013 - S4 League Hacks, Bots, Cheats & Exploits - 2 Replies
Einen wunderschönen guten Abend,
ich verkünde frohe Botschaftich hab herausgefunden wie man den Bypass von iKasaii benutz mit 2 anderen Bypässen Links werde ich zu den einzelnen Bypässen posten.
Hier ist das Tutorial:Anti Memory Detection Hacking
Und hier die Links zu den Bypässen:Xtrap Bypass(Delphi/C++)
Decay' Bypass!
All times are GMT +1. The time now is 05:02 .