Deixando CE indetectável!


Monga123

Coisa simples: apenas uma amostra de como tentar tornar um programa de cheat menos detectável renomeando identificadores no código-fonte. Atenção: isso só muda os nomes que aparecem no seu código VB6. Para funções declaradas com `Declare`, o nome real da exportação do Windows (OpenProcess, WriteProcessMemory, CreateRemoteThread etc.) continua obrigatoriamente presente no binário, na cláusula `Alias` — e, sem `Alias`, o VB6 procura uma exportação com o nome inventado e falha em tempo de execução. Um scanner de strings ou um hook sobre essas APIs continua enxergando a chamada exatamente igual.

 

Procure estes nomes no código e renomeie-os para qualquer outro nome (nos `Declare`, mantenha `Alias "NomeReal"` apontando para a exportação verdadeira, como já é feito com `GetModuleHandle`/`LoadLibrary` no módulo modInjection):

 

 

QUOTE

0) Pid

1) phandle

2) GetWindowThreadProcessId

3) OpenProcess

4) WriteProcessMemory

5) CloseHandle

6) ReadProcessMemory

7) LoadPrivilege

8) InjectLibrary

9) InjectIntoMe

10) hWnd

 

 

 

Exemplo de uma source modificada:

 

Mudei todos os nomes adicionando 0192 no final... Observação ao ler o código abaixo: o sufixo não foi aplicado de forma consistente (`OpenProcesso0192`, `WriteProcessMemory1092`, `GetWindowThreadProcessoID`) e essas declarações ficaram sem a cláusula `Alias`; como o VB6 usa o nome da função como nome da exportação quando não há `Alias`, cada uma delas falha na primeira chamada com o erro 453 ("Can't find DLL entry point").

 

 

QUOTE

0) Pid0192

1) phandle0192

2) GetWindowThreadProcessId0192

3) OpenProcess0192

4) WriteProcessMemory0192

5) CloseHandle0192

6) ReadProcessMemory0192

7) LoadPrivilege0192

8) InjectLibrary0192

9) InjectIntoMe0192

10) hWnd0192

 

 

 

modDebugPriveleges:

 

 

QUOTE

'Injection into a different process is a stable, but not very safe thing to be doing

'so i take no responsibility what you choose to do with this program.

 

'This was ported from a C++ application.

 

'Created by Marcin Kleczynski

'[email protected]

 

Option Explicit

 

'Privilege name passed to LookupPrivilegeValue; it is the only privilege
'GetSeDebugPrivelege asks LoadPrivilege0192 to enable.
Private Const SE_DEBUG_NAME As String = "SeDebugPrivilege"
'Token access rights requested from OpenProcessToken: the two that
'AdjustTokenPrivileges needs (adjust + query).
Private Const TOKEN_ADJUST_PRIVILEGES As Long = &H20
Private Const TOKEN_QUERY As Long = &H8
'Attributes value that marks a TOKEN_PRIVILEGES entry as "enable this privilege".
Private Const SE_PRIVILEGE_ENABLED As Long = &H2

 

'Locally unique identifier as filled in by LookupPrivilegeValue: two 32-bit halves,
'matching the 8-byte Win32 LUID.
Private Type LUID
    LowPart As Long
    HighPart As Long
End Type

 

'Win32 LUID_AND_ATTRIBUTES (a LUID plus a 32-bit attribute mask).
'Not referenced anywhere in this module: TOKEN_PRIVILEGES below inlines the same
'two fields instead of holding an array of this type.
Private Type LUID_AND_ATTRIBUTES
    pLuid As LUID
    Attributes As Long
End Type

 

'TOKEN_PRIVILEGES flattened to exactly one entry: PrivilegeCount followed by the
'LUID and its Attributes. That is byte-for-byte the Win32 layout of a one-element
'Privileges array (4 + 8 + 4 bytes), which is all LoadPrivilege0192 ever passes.
Private Type TOKEN_PRIVILEGES
    PrivilegeCount As Long
    TheLuid As LUID
    Attributes As Long
End Type

 

Private Declare Function GetCurrentProcess Lib "kernel32.dll" () As Long
Private Declare Function CloseHandle Lib "kernel32.dll" (ByVal hObject As Long) As Long
Private Declare Function GetLastError Lib "kernel32" () As Long
Private Declare Function OpenProcessToken Lib "advapi32.dll" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, ByRef TokenHandle As Long) As Long
Private Declare Function LookupPrivilegeValue Lib "advapi32.dll" Alias "LookupPrivilegeValueA" (ByVal lpSystemName As String, ByVal lpName As String, lpLuid As LUID) As Long
Private Declare Function AdjustTokenPrivileges Lib "advapi32.dll" (ByVal TokenHandle As Long, ByVal DisableAllPrivileges As Long, ByRef NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Long, ByRef PreviousState As TOKEN_PRIVILEGES, ByRef ReturnLength As Long) As Long

 

Public Sub GetSeDebugPrivelege()
    ' Convenience wrapper: asks LoadPrivilege0192 to enable SeDebugPrivilege on the
    ' current process token. The Boolean result is discarded here, so callers that
    ' need to know whether the privilege was really enabled should call
    ' LoadPrivilege0192 directly and test its return value.
    Call LoadPrivilege0192(SE_DEBUG_NAME)
End Sub

 

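Public Function LoadPrivilege0192(ByVal Privilege As String) As Boolean
    ' Enables the named privilege (e.g. SE_DEBUG_NAME) on the current process token.
    '
    ' Privilege - privilege name as understood by LookupPrivilegeValue
    '             ("SeDebugPrivilege", ...).
    ' Returns True only when every API call succeeded AND the privilege was really
    ' enabled. The original returned True unconditionally and ignored every return
    ' value; AdjustTokenPrivileges in particular returns non-zero even when the token
    ' does not hold the privilege at all and reports that case only through the
    ' last-error code ERROR_NOT_ALL_ASSIGNED (1300), so it is checked explicitly.
    ' Any failure, including a VB runtime error, yields False. The token handle
    ' opened by OpenProcessToken is always closed (the original leaked it).
    Const ERROR_NOT_ALL_ASSIGNED As Long = 1300&

    Dim hToken As Long
    Dim privLuid As LUID
    Dim tkp As TOKEN_PRIVILEGES
    Dim tkpPrevious As TOKEN_PRIVILEGES
    Dim lReturnLength As Long

    On Error GoTo ErrHandler
    LoadPrivilege0192 = False

    ' GetCurrentProcess returns a pseudo-handle that needs no CloseHandle.
    If OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY, hToken) = 0 Then
        GoTo Cleanup
    End If

    ' Empty system name = look the privilege up on the local machine.
    If LookupPrivilegeValue("", Privilege, privLuid) = 0 Then
        GoTo Cleanup
    End If

    With tkp
        .PrivilegeCount = 1
        .TheLuid = privLuid
        .Attributes = SE_PRIVILEGE_ENABLED
    End With

    If AdjustTokenPrivileges(hToken, 0&, tkp, Len(tkp), tkpPrevious, lReturnLength) = 0 Then
        GoTo Cleanup
    End If

    ' Err.LastDllError is captured by the VB runtime right after the Declare call
    ' returns; calling the GetLastError declare separately may see a value the
    ' runtime itself has overwritten in between.
    If Err.LastDllError = ERROR_NOT_ALL_ASSIGNED Then
        GoTo Cleanup
    End If

    LoadPrivilege0192 = True

Cleanup:
    If hToken <> 0 Then
        CloseHandle hToken
        hToken = 0
    End If
    Exit Function

ErrHandler:
    MsgBox "An error occurred retrieving SE_DEBUG_NAME prileges in the LoadPrivelege() function. Note: This program is running without debug priveleges, that may interfere with removing the infection.", vbCritical + vbOKOnly
    LoadPrivilege0192 = False
    ' Re-arm error handling before touching the API again so a failing CloseHandle
    ' cannot re-enter this handler (an error inside an active handler is fatal in VB6).
    On Error Resume Next
    If hToken <> 0 Then CloseHandle hToken
End Function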

 

 

 

modFiles:

 

 

QUOTE

'Injection into a different process is a stable, but not very safe thing to be doing

'so i take no responsibility what you choose to do with this program.

 

'This was ported from a C++ application.

 

'Created by Marcin Kleczynski

'[email protected]

 

Option Explicit

 

'Does the file exist, if so, report true

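Public Function FileExists(sFile$) As Boolean
    ' Returns True when sFile names an existing file (hidden, system and read-only
    ' files included).
    '
    ' sFile - path to test. Blank/whitespace-only paths return False, as before.
    '         Paths containing the Dir() wildcards * or ? also return False: Dir would
    '         otherwise report the FIRST file matching the pattern, so the original
    '         answered True for "C:\dir\*.dll" whenever any DLL existed there.
    ' Directories are not matched (vbDirectory is deliberately not requested).
    ' Dir raises a runtime error for malformed paths or unavailable drives; that is
    ' mapped to False here instead of propagating to the caller.
    Dim sPath As String

    FileExists = False
    sPath = Trim$(sFile)
    If sPath = vbNullString Then Exit Function
    If InStr(sPath, "*") > 0 Or InStr(sPath, "?") > 0 Then Exit Function

    On Error GoTo BadPath
    FileExists = (Dir(sFile, vbArchive + vbHidden + vbReadOnly + vbSystem) <> vbNullString)
    Exit Function

BadPath:
    FileExists = False
End Function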

 

'Used as a better stripper function

Public Function TrimNull$(sToTrim$)
    ' Returns sToTrim cut off at its first embedded NUL character; when there is
    ' none the string is returned unchanged. Used to tidy buffers filled by Win32
    ' calls, which are NUL-terminated rather than length-prefixed.
    Dim nulPos As Long

    nulPos = InStr(sToTrim, vbNullChar)
    If nulPos > 0 Then
        TrimNull = Left$(sToTrim, nulPos - 1)
    Else
        TrimNull = sToTrim
    End If
End Function

 

 

 

modInjection:

 

 

QUOTE

'Injection into a different process is a stable, but not very safe thing to be doing

'so i take no responsibility what you choose to do with this program.

 

'This was ported from a C++ application.

 

'Created by Marcin Kleczynski

'[email protected]

 

Option Explicit

 

'PROCESS_ALL_ACCESS as defined by pre-Vista SDKs (&H1F0FFF; later SDKs define it as
'&H1FFFFF). Full access is more than a LoadLibrary injection needs: InjectLibrary0192
'only calls VirtualAllocEx/VirtualFreeEx, WriteProcessMemory and CreateRemoteThread,
'so a narrower mask (PROCESS_CREATE_THREAD Or PROCESS_QUERY_INFORMATION Or
'PROCESS_VM_OPERATION Or PROCESS_VM_WRITE Or PROCESS_VM_READ) is the conventional
'least-privilege request -- verify against the target OS before changing it.
Private Const PROCESS_ALL_ACCESS = &H1F0FFF

'Infinite time-out for WaitForSingleObject. &HFFFFFFFF is the Long value -1, i.e. the
'DWORD 0xFFFFFFFF the API treats as "wait forever". Declared but not used:
'InjectLibrary0192 waits 2000 ms instead.
Private Const INFINITE = &HFFFFFFFF

'VirtualAllocEx / VirtualFreeEx flags for the remote buffer that holds the DLL path:
'commit the pages (MEM_COMMIT), read/write protection (PAGE_READWRITE), and release
'the whole region afterwards (MEM_RELEASE, which requires dwSize = 0).
Private Const MEM_COMMIT = &H1000
Private Const MEM_RELEASE = &H8000
Private Const PAGE_READWRITE = &H4

 

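'Returns the current process ID (InjectLibrary0192 uses it to detect self-injection).
Public Declare Function GetCurrentProcessId Lib "kernel32" () As Long

'Allocates memory inside another process. lpAddress is "As Any" and therefore ByRef:
'a caller that wants a NULL base address must pass ByVal 0&, and a caller passing an
'address value must pass it ByVal, otherwise the address OF the VB variable is sent.
Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long

'Frees memory allocated with VirtualAllocEx (same ByVal caveat for lpAddress).
Private Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long

'Opens a handle to the process.
'NOTE: a Declare without an Alias clause looks up an export named after the VB
'identifier itself. kernel32 has no export called "OpenProcesso0192", so the original
'declaration failed at its first call with run-time error 453 ("Can't find DLL entry
'point"). Renaming the VB identifier therefore does NOT remove the API name from the
'binary: the real export name has to be present in the Alias string.
Private Declare Function OpenProcesso0192 Lib "kernel32" Alias "OpenProcess" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long

'Writes bytes into another process's memory. lpBaseAddress / lpBuffer are "As Any"
'(ByRef): pass the remote address ByVal, and a String ByVal to send its ANSI copy.
'Alias added for the same reason as OpenProcesso0192 (the suffix here is "1092", not
'"0192", in the original -- the VB name is kept so existing callers still compile).
Private Declare Function WriteProcessMemory1092 Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long

'Gets the handle of a module already loaded in THIS process, such as kernel32.dll.
Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long

'Gets an exported function's address in this process.
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long

'Creates the remote thread in the target process. lpStartAddress is a ByRef Long and
'lpParameter is "As Any": both must be passed ByVal at the call site so the VALUES
'(function address, remote buffer address) reach the API, not the locals' addresses.
Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, lpThreadAttributes As Any, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long

'Waits for a thread (or other waitable handle) to signal; returns 0 (WAIT_OBJECT_0)
'when it did, &H102 (WAIT_TIMEOUT) when the time-out elapsed first.
Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long

'Closes process / thread handles. Alias added: "CloseHandle0192" is not an export.
Private Declare Function CloseHandle0192 Lib "kernel32" Alias "CloseHandle" (ByVal hObject As Long) As Long

'Loads a library into the current process (self-injection path).
Private Declare Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long

Public Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
'Alias added: user32 exports "GetWindowThreadProcessId", not "GetWindowThreadProcessoID".
Public Declare Function GetWindowThreadProcessoID Lib "user32" Alias "GetWindowThreadProcessId" (ByVal hWnd0192 As Long, lpdwProcessId As Long) As Long
'Public Declare Function OpenProcesso0192 Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
'Public Declare Function WriteProcessMemory1092 Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, ByVal lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
'Alias added. Note this variant declares lpBaseAddress/lpBuffer ByVal, unlike
'WriteProcessMemory1092 above, so callers pass the address values directly.
Public Declare Function ReadProcessMemory0192 Lib "kernel32" Alias "ReadProcessMemory" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, ByVal lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
'Public Declare Function CloseHandle0192 Lib "kernel32" (ByVal hObject As Long) As Long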

 

 

'This is the function that injects the library into the given process. If the process

'is our process, this function will call InjectIntoMe0192()

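Public Function InjectLibrary0192(lPid0192&, sLibrary$) As Long
    ' Loads the DLL at sLibrary into process lPid0192 by writing the path into the
    ' target's address space and starting a remote thread at kernel32!LoadLibraryA
    ' with that buffer as its argument.
    '
    ' lPid0192 - target process id. When it is our own pid the work is delegated to
    '            InjectIntoMe0192 (plain LoadLibrary) and its module handle is returned.
    ' sLibrary - full path of the DLL, as the TARGET process must be able to resolve it.
    ' Returns 1 on success and 0 on any failure; a MsgBox is shown for each failure,
    ' as in the original. Enable SeDebugPrivilege first when the target runs under
    ' another account.
    '
    ' Assumption: kernel32.dll is mapped at the same base address in both processes,
    ' so the LoadLibraryA address obtained here is valid in the target. That holds
    ' for processes of the same bitness within one boot session; a 32-bit VB6 exe
    ' cannot inject into a 64-bit process this way.
    '
    ' Fixes versus the original: lpAddress / lpBaseAddress / lpParameter are "As Any"
    ' (ByRef) in the Declares, so the address values must be passed ByVal -- the
    ' original handed the API the address of the local variable instead; the remote
    ' buffer is released BEFORE the process handle is closed (VirtualFreeEx needs a
    ' live hProcess); and the LoadLibraryA address is no longer passed to CloseHandle
    ' (it is a function pointer, not a handle).
    Const WAIT_OBJECT_0 As Long = 0&

    Dim hProcess As Long
    Dim hThread As Long
    Dim lRemoteBuf As Long
    Dim lSize As Long
    Dim lLoadLibraryA As Long
    Dim lWait As Long

    InjectLibrary0192 = 0

    ' If the file does not exist, just exit.
    If Not FileExists(sLibrary) Then
        MsgBox "File does not exist."
        Exit Function
    End If

    ' Our own process: a remote thread is unnecessary, LoadLibrary does the job.
    If lPid0192 = GetCurrentProcessId() Then
        InjectLibrary0192 = InjectIntoMe0192(sLibrary)
        Exit Function
    End If

    hProcess = OpenProcesso0192(PROCESS_ALL_ACCESS, 0, lPid0192)
    If hProcess = 0 Then
        MsgBox "hProcess returned NULL"
        Exit Function
    End If

    ' Size of the ANSI path plus its terminating NUL: LoadLibraryA reads an ANSI string.
    lSize = LenB(StrConv(sLibrary, vbFromUnicode)) + 1

    ' "ByVal 0&" passes a NULL base address (let the OS pick). Without ByVal the address
    ' of a temporary VB variable would be requested as the allocation base, which is
    ' meaningless inside the target process.
    lRemoteBuf = VirtualAllocEx(hProcess, ByVal 0&, lSize, MEM_COMMIT, PAGE_READWRITE)
    If lRemoteBuf = 0 Then
        MsgBox "lLinkToLibrary failed"
        GoTo Cleanup
    End If

    ' ByVal lRemoteBuf: pass the remote address value, not the address of the local.
    ' ByVal sLibrary: pass a pointer to the ANSI copy of the string.
    ' ByVal 0&: lpNumberOfBytesWritten is optional (NULL).
    If WriteProcessMemory1092(hProcess, ByVal lRemoteBuf, ByVal sLibrary, lSize, ByVal 0&) = 0 Then
        MsgBox "WriteProcessMemory failed"
        GoTo Cleanup
    End If

    ' Address of LoadLibraryA in OUR kernel32 (see the assumption above).
    lLoadLibraryA = GetProcAddress(GetModuleHandle("Kernel32"), "LoadLibraryA")
    If lLoadLibraryA = 0 Then
        MsgBox "hKernel returned NULL"
        GoTo Cleanup
    End If

    ' lpStartAddress is a ByRef Long: ByVal sends the function address itself.
    ' lpParameter is "As Any": ByVal sends the remote buffer address as the argument.
    hThread = CreateRemoteThread(hProcess, ByVal 0&, 0&, ByVal lLoadLibraryA, ByVal lRemoteBuf, 0, ByVal 0&)
    If hThread = 0 Then
        MsgBox "hThread returned NULL."
        GoTo Cleanup
    End If

    ' Wait for LoadLibraryA to finish (2000 ms as in the original; INFINITE is declared).
    ' The remote buffer is only released once the thread has signalled: freeing it
    ' while the remote LoadLibraryA may still be reading the path would be a
    ' use-after-free inside the target. On time-out the page is left allocated.
    lWait = WaitForSingleObject(hThread, 2000)
    If lWait <> WAIT_OBJECT_0 Then
        lRemoteBuf = 0
    End If

    InjectLibrary0192 = 1 'Success

Cleanup:
    ' Release the remote page BEFORE closing the process handle: VirtualFreeEx needs a
    ' valid hProcess (the original closed hProcess first on its error paths, so that
    ' free could never succeed). MEM_RELEASE requires dwSize = 0.
    If lRemoteBuf <> 0 Then VirtualFreeEx hProcess, ByVal lRemoteBuf, 0, MEM_RELEASE
    If hThread <> 0 Then CloseHandle0192 hThread
    If hProcess <> 0 Then CloseHandle0192 hProcess
    ' lLoadLibraryA is a function address, not a kernel handle: nothing to close.
End Function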

 

Private Function InjectIntoMe0192(sLibrary$) As Long
    ' Self-injection path: just LoadLibrary the DLL into this process and hand back
    ' the module handle LoadLibrary returned (0 when it failed).
    Dim hLoadedModule As Long

    hLoadedModule = LoadLibrary(sLibrary)
    InjectIntoMe0192 = hLoadedModule
End Function

 

 

Créditos: Desconhecidos
