#Request PEP
Discussion on #Request PEP within the WarRock forum part of the Shooter category.
12/06/2012, 04:10
#1
#Request PEP
PEB - Process environment block
use - Hides process from warrock
Warrock scans for and detects attached Dynamic Link Library (DLL) files.
This is my first time hearing of PEB, and this has dramatically brain fucked me.
I know I'm not a complete newb when it comes to no-menu hacks for warrock, but I am not the greatest either.
I have researched the PEB and came across some people claiming something was hiding the PEB from warrock, but it just left me more confused.
Please show, with open source, how you would use this code to hide the DLL from warrock.
Example of code i am using:
Quote:
Code:
#include <Windows.h>
#include <stdio.h>
#define ADR_PLAYERPOINTER 0x00A48E74
#define ADR_SERVERPOINTER 0x00A48E04
#define OFS_NFD 0x00102E8
// Hack thread body. Loops forever: every 100 ms it reads the player object
// pointer from the hard-coded absolute address ADR_PLAYERPOINTER and, when
// that pointer is non-null, stores -999999 into the float at Player + OFS_NFD.
// Both constants are build-specific; nothing here validates them, so a stale
// address turns the write into a fault inside the host process.
// NOTE(review): hiding the module (this thread's topic) does not change these
// writes; whether the anti-cheat observes the writes themselves rather than
// the module is not something this code addresses (post #4 raises that).
// Declared `void` with no parameters; started on its own thread from DllMain.
void HackFunctions(){
    for(;;){
        //DWORD Server = *(DWORD*)ADR_SERVERPOINTER;
        DWORD Player = *(DWORD*)ADR_PLAYERPOINTER;
        /***************************[ No Fall Damage ]***************************/
        {
            if( Player != 0 ){ //Player is in game
                *(float*)( Player + OFS_NFD ) = -999999;
            }
        }
        /************************************************************************/
        Sleep(100);
    }
}
// DLL entry point. On DLL_PROCESS_ATTACH it starts HackFunctions on a new
// thread; every other reason does nothing. hModule and lpvReserved are unused
// and the thread handle returned by CreateThread is discarded. Always returns
// true.
// NOTE(review): CreateThread is called from inside DllMain, i.e. under the
// loader lock; HackFunctions is a plain `void()` passed through a cast to
// LPTHREAD_START_ROUTINE rather than a `DWORD WINAPI (LPVOID)` routine.
BOOL WINAPI DllMain(HINSTANCE hModule,DWORD dwReason,LPVOID lpvReserved){
    if( dwReason == DLL_PROCESS_ATTACH ){
        CreateThread(0,0,(LPTHREAD_START_ROUTINE)HackFunctions,0,0, 0);
    }
    return true;
}
Quote:
I want to thank you for your time
sooo i now have..
Quote:
Code:
#include <Windows.h>
#include <stdio.h>
#define ADR_PLAYERPOINTER 0x00A48E74
#define ADR_SERVERPOINTER 0x00A48E04
#define OFS_NFD 0x00102E8
// Walks the three PEB_LDR_DATA module lists (load order, memory order,
// initialization order) and unlinks the loader entry whose base address
// equals hModule from each list; the entry itself is left in place.
// 32-bit MSVC only: `_asm` and the PEB at fs:[30h] are x86 specifics.
// No `AntiDetection` class definition appears in this snippet, so the
// qualified name will not compile as posted.
// NOTE(review): only the user-mode loader lists are edited; the module's
// mapping is untouched and stays visible elsewhere (post #2 names the VAD
// tree), so this is not a reliable hiding technique on its own.
VOID AntiDetection::PEBUnlinkModule(HINSTANCE hModule)
{
    DWORD dwPEB_LDR_DATA = 0;
    _asm
    {
        pushad;
        pushfd;
        mov eax, fs:[30h] // PEB
        mov eax, [eax+0Ch] // PEB->ProcessModuleInfo
        mov dwPEB_LDR_DATA, eax // Save ProcessModuleInfo
    InLoadOrderModuleList:
        mov esi, [eax+0Ch] // ProcessModuleInfo->InLoadOrderModuleList[FORWARD]
        mov edx, [eax+10h] // ProcessModuleInfo->InLoadOrderModuleList[BACKWARD]
    LoopInLoadOrderModuleList:
        lodsd // Load First Module
        mov esi, eax // ESI points to Next Module
        mov ecx, [eax+18h] // LDR_MODULE->BaseAddress
        cmp ecx, hModule // Is it Our Module ?
        jne SkipA // If Not, Next Please (@f jumps to nearest Unnamed Label @@:)
        mov ebx, [eax] // [FORWARD] Module
        mov ecx, [eax+4] // [BACKWARD] Module
        mov [ecx], ebx // Previous Module's [FORWARD] Notation, Points to us, Replace it with, Module++
        mov [ebx+4], ecx // Next Modules, [BACKWARD] Notation, Points to us, Replace it with, Module--
        jmp InMemoryOrderModuleList // Hidden, so Move onto Next Set
    SkipA:
        cmp edx, esi // Reached End of Modules ?
        jne LoopInLoadOrderModuleList // If Not, Re Loop
    InMemoryOrderModuleList:
        mov eax, dwPEB_LDR_DATA // PEB->ProcessModuleInfo
        mov esi, [eax+14h] // ProcessModuleInfo->InMemoryOrderModuleList[START]
        mov edx, [eax+18h] // ProcessModuleInfo->InMemoryOrderModuleList[FINISH]
    LoopInMemoryOrderModuleList:
        lodsd // Same walk as above, but EAX is the entry's InMemoryOrderLinks
        mov esi, eax
        mov ecx, [eax+10h] // BaseAddress, reached from the InMemoryOrderLinks address
        cmp ecx, hModule
        jne SkipB
        mov ebx, [eax]
        mov ecx, [eax+4]
        mov [ecx], ebx
        mov [ebx+4], ecx
        jmp InInitializationOrderModuleList
    SkipB:
        cmp edx, esi
        jne LoopInMemoryOrderModuleList
    InInitializationOrderModuleList:
        mov eax, dwPEB_LDR_DATA // PEB->ProcessModuleInfo
        mov esi, [eax+1Ch] // ProcessModuleInfo->InInitializationOrderModuleList[START]
        mov edx, [eax+20h] // ProcessModuleInfo->InInitializationOrderModuleList[FINISH]
    LoopInInitializationOrderModuleList:
        lodsd // Same walk again, EAX is the entry's InInitializationOrderLinks
        mov esi, eax
        mov ecx, [eax+08h] // BaseAddress, reached from the InInitializationOrderLinks address
        cmp ecx, hModule
        jne SkipC
        mov ebx, [eax]
        mov ecx, [eax+4]
        mov [ecx], ebx
        mov [ebx+4], ecx
        jmp Finished
    SkipC:
        cmp edx, esi
        jne LoopInInitializationOrderModuleList
    Finished:
        popfd;
        popad;
    }
}
// Hack thread body (unchanged from the first post). Loops forever: every
// 100 ms it reads the player object pointer from the hard-coded absolute
// address ADR_PLAYERPOINTER and, when non-null, stores -999999 into the float
// at Player + OFS_NFD. Neither constant is validated beyond the null check.
// NOTE(review): PEBUnlinkModule above is never called from this file; nothing
// here changes what this loop writes, so the module being unlinked or not has
// no effect on these memory writes.
void HackFunctions(){
    for(;;){
        //DWORD Server = *(DWORD*)ADR_SERVERPOINTER;
        DWORD Player = *(DWORD*)ADR_PLAYERPOINTER;
        /***************************[ No Fall Damage ]***************************/
        {
            if( Player != 0 ){ //Player is in game
                *(float*)( Player + OFS_NFD ) = -999999;
            }
        }
        /************************************************************************/
        Sleep(100);
    }
}
// DLL entry point. On DLL_PROCESS_ATTACH it starts HackFunctions on a new
// thread and discards the thread handle; other reasons do nothing. Always
// returns true. hModule is the value PEBUnlinkModule above expects, but that
// function is not called anywhere in this listing (see the question below).
// NOTE(review): CreateThread runs inside DllMain, i.e. under the loader lock;
// HackFunctions is a plain `void()` cast to LPTHREAD_START_ROUTINE.
BOOL WINAPI DllMain(HINSTANCE hModule,DWORD dwReason,LPVOID lpvReserved){
    if( dwReason == DLL_PROCESS_ATTACH ){
        CreateThread(0,0,(LPTHREAD_START_ROUTINE)HackFunctions,0,0, 0);
    }
    return true;
}
But where do I call VOID AntiDetection::PEBUnlinkModule(HINSTANCE hModule), and with what parameters?
12/06/2012, 21:49
#2
The PEB, which is listed at __readfsdword(0x30) on 32-bit-architecture or __readfsdword(0x60) on 64-bit-architecture, contains data about the process environment - that's why it's called Process Environment Block (= PEB). It contains an instance of the PEB_LDR_DATA structure providing information about loaded modules. By modifying this information you can easily hide your module from that list so that HackShield scanning for unknown modules cannot find it on the PEB.
The information can still be found on the VAD (Virtual Address Descriptor) Tree after editing the PEB, though.
For more information, read these helpful articles:
[0] PEB: Process Environment Block - Wikipedia, the free encyclopedia[1] Understanding PEB_LDR_DATA: 
[2] VAD Tree:  [3] Example of Yazzn showing how to use this:
12/06/2012, 22:35
#3
So, why is my hack still being detected?
12/06/2012, 22:42
#4
Because you seem to be doing something HackShield detects - or you simply raise an exception or an error.
12/06/2012, 23:01
#5
It says 3rd party software found, disconnected..
So HackShield is finding it.. I also tried doing it this way
Quote:
PHP Code:
#include <windows.h> #include <vector> #include <algorithm>
#define ADR_PLAYERPOINTER 0x00A48E74 #define ADR_SERVERPOINTER 0x00A48E04 #define OFS_Z 0x10308 #define OFS_NFD 0x00102E8
// Partial, hand-declared mirrors of the loader's structures. Only the fields
// this file touches are named; everything before them is skipped with a
// _PADDING_ array. The offsets (Ldr at +0Ch, InLoadOrderModuleList at +0Ch,
// DllBase at +18h) agree with the ones hard-coded in the asm version in
// post #1, which is 32-bit code — TODO confirm these layouts before trusting
// the _WIN64 branch in UnlinkModuleFromPEB.

// Loader data: the three module-list heads, each a doubly linked LIST_ENTRY.
typedef struct _PEB_LDR_DATA {
    UINT8 _PADDING_[12];
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;

// Process environment block: only the Ldr pointer is declared.
typedef struct _PEB {
    UINT8 _PADDING_[12];
    PEB_LDR_DATA* Ldr;
} PEB, *PPEB;

// One loaded module: its three list links followed by the base address that
// UnlinkModuleFromPEB compares against the HMODULE.
typedef struct _LDR_DATA_TABLE_ENTRY {
    LIST_ENTRY InLoadOrderLinks;
    LIST_ENTRY InMemoryOrderLinks;
    LIST_ENTRY InInitializationOrderLinks;
    VOID* DllBase;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;

// Bookkeeping saved when a module is unlinked, so RelinkModuleToPEB can put
// its entry back: the handle, the three link positions and the entry itself.
typedef struct _UNLINKED_MODULE {
    HMODULE hModule;
    PLIST_ENTRY RealInLoadOrderLinks;
    PLIST_ENTRY RealInMemoryOrderLinks;
    PLIST_ENTRY RealInInitializationOrderLinks;
    PLDR_DATA_TABLE_ENTRY Entry;
} UNLINKED_MODULE;
// Detaches LIST_ENTRY x from its list by pointing its two neighbours at each
// other; x's own Flink/Blink are left as they were. Two bare statements with
// no do/while wrapper — only safe where the macro is used as a full statement.
#define UNLINK(x) \
    (x).Flink->Blink = (x).Blink; \
    (x).Blink->Flink = (x).Flink;

// Reinserts `real` between the neighbours still recorded in x (the inverse of
// UNLINK, given x was left intact). Same multi-statement caveat as UNLINK.
#define RELINK(x, real) \
    (x).Flink->Blink = (real); \
    (x).Blink->Flink = (real); \
    (real)->Blink = (x).Blink; \
    (real)->Flink = (x).Flink;

// Modules unlinked so far. Plain global with no synchronization; written from
// DllMain and read by the (commented-out) relink path on the Init thread.
std::vector<UNLINKED_MODULE> UnlinkedModules;

// find_if predicate: matches an UNLINKED_MODULE by its HMODULE.
struct FindModuleHandle {
    HMODULE m_hModule;
    FindModuleHandle(HMODULE hModule) : m_hModule(hModule) { }
    bool operator() (UNLINKED_MODULE const &Module) const {
        return (Module.hModule == m_hModule);
    }
};
// Restores a module previously detached by UnlinkModuleFromPEB: looks up the
// saved UNLINKED_MODULE for hModule, reinserts its three LIST_ENTRYs with
// RELINK and drops the bookkeeping record. Does nothing when hModule is not in
// UnlinkedModules. Referenced only from commented-out code in Init.
void RelinkModuleToPEB(HMODULE hModule)
{
    std::vector<UNLINKED_MODULE>::iterator it = std::find_if(UnlinkedModules.begin(), UnlinkedModules.end(), FindModuleHandle(hModule));
    if (it == UnlinkedModules.end()) {
        //DBGOUT(TEXT("Module Not Unlinked Yet!"));
        return;
    }
    RELINK((*it).Entry->InLoadOrderLinks, (*it).RealInLoadOrderLinks);
    RELINK((*it).Entry->InInitializationOrderLinks, (*it).RealInInitializationOrderLinks);
    RELINK((*it).Entry->InMemoryOrderLinks, (*it).RealInMemoryOrderLinks);
    UnlinkedModules.erase(it);
}
// Walks the PEB's InLoadOrderModuleList looking for the entry whose DllBase
// equals hModule; on a match it records the entry in UnlinkedModules and
// UNLINKs it from all three loader lists, then stops. Idempotent per handle
// (a second call for an already-unlinked module returns early). The walk ends
// at the list head or at a NULL link; no match means nothing is changed.
// NOTE(review): the struct mirrors above use a 12-byte pad before Ldr and
// pointer-sized fields, which matches the 32-bit asm offsets in post #1; the
// _WIN64 branch is not backed by matching 64-bit layouts — confirm before use.
// NOTE(review): this edits only the user-mode loader lists; the module's
// mapping remains in place and visible to anything that enumerates the
// address space rather than the PEB (post #2 names the VAD tree).
void UnlinkModuleFromPEB(HMODULE hModule)
{
    std::vector<UNLINKED_MODULE>::iterator it = std::find_if(UnlinkedModules.begin(), UnlinkedModules.end(), FindModuleHandle(hModule));
    if (it != UnlinkedModules.end()) {
        //DBGOUT(TEXT("Module Already Unlinked!"));
        return;
    }
#ifdef _WIN64
    PPEB pPEB = (PPEB)__readgsqword(0x60);
#else
    PPEB pPEB = (PPEB)__readfsdword(0x30);
#endif
    PLIST_ENTRY CurrentEntry = pPEB->Ldr->InLoadOrderModuleList.Flink;
    PLDR_DATA_TABLE_ENTRY Current = NULL;
    while (CurrentEntry != &pPEB->Ldr->InLoadOrderModuleList && CurrentEntry != NULL) {
        Current = CONTAINING_RECORD(CurrentEntry, LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
        if (Current->DllBase == hModule) {
            // Save enough to reverse the operation later (see RelinkModuleToPEB).
            UNLINKED_MODULE CurrentModule = {0};
            CurrentModule.hModule = hModule;
            CurrentModule.RealInLoadOrderLinks = Current->InLoadOrderLinks.Blink->Flink;
            CurrentModule.RealInInitializationOrderLinks = Current->InInitializationOrderLinks.Blink->Flink;
            CurrentModule.RealInMemoryOrderLinks = Current->InMemoryOrderLinks.Blink->Flink;
            CurrentModule.Entry = Current;
            UnlinkedModules.push_back(CurrentModule);
            UNLINK(Current->InLoadOrderLinks);
            UNLINK(Current->InInitializationOrderLinks);
            UNLINK(Current->InMemoryOrderLinks);
            break;
        }
        CurrentEntry = CurrentEntry->Flink;
    }
}
// Module handle recorded in DllMain; only consumer is the commented-out relink
// path below.
HINSTANCE g_hinstDLL = NULL;

// Hack thread. Every 200 ms reads the server and player pointers from fixed
// absolute addresses and, while Player is non-null, writes 2500 to the float
// at Player + OFS_Z whenever Ctrl is held and unconditionally writes -999999
// to the float at Player + OFS_NFD. `Server` is read but never used.
// Declared to return DWORD but never returns (infinite loop); the F5 relink /
// FreeLibraryAndExitThread exit path is commented out, so the module is never
// relinked or unloaded.
DWORD WINAPI Init(LPVOID)
{
    for(;;) {
        Sleep(200);
        DWORD Server = *(DWORD*)(ADR_SERVERPOINTER );
        DWORD Player = *(DWORD*)( ADR_PLAYERPOINTER );
        /***********[hacks]***************/
        {
            if( Player != 0 ){//in game
                /*************Super Jump************/
                {
                    if( GetAsyncKeyState( VK_CONTROL )) {
                        *(float*)( Player + OFS_Z ) = 2500;
                    }
                }
                /************No Fall Damage********/
                {
                    *(float*)( Player + OFS_NFD ) = -999999;
                }
                /**************************************/
            }
        }
        //Hacks here
        /***********Re LINK**************
        if (GetAsyncKeyState(VK_F5) & 1) {
            RelinkModuleToPEB(g_hinstDLL);
            FreeLibraryAndExitThread(g_hinstDLL, ERROR_SUCCESS);
        }
        **********************************/
    }
}
// DLL entry point. On DLL_PROCESS_ATTACH it records the module handle,
// unlinks this module from the PEB loader lists and starts Init on a new
// thread, discarding the thread handle; other reasons do nothing. Returns 1
// for every reason.
// NOTE(review): both the loader-list edit and CreateThread execute inside
// DllMain, i.e. under the loader lock.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID)
{
    if (fdwReason == DLL_PROCESS_ATTACH) {
        g_hinstDLL = hinstDLL;
        UnlinkModuleFromPEB(hinstDLL);
        CreateThread(NULL, 0, Init, NULL, 0, NULL);
    }
    return 1;
}
12/06/2012, 23:03
#6
Close all background programs
12/07/2012, 00:03
#7
Quote:
Originally Posted by rick187377
It says 3rd party software found, disconnected..
So hackshield is finding it.. i also tried doing it this way
Quote:
Originally Posted by Yazzn (:
Close all background programs
Some time ago HackShield detected Visual Studio as 3rd-party software modifying the game, because Visual Studio was open whenever HackShield detected an actual cheat module. Most people don't know this, so be careful about it.
12/07/2012, 01:07
#8
Quote:
Originally Posted by __underScore
Some time ago HackShield detected Visual Studio as 3rd-party software modifying the game, because Visual Studio was open whenever HackShield detected an actual cheat module. Most people don't know this, so be careful about it.
I closed all other programs, still being detected.