Solved Bypass Loopback Removal


Maxcloud

Newbie
Dec 24, 2012
4
152
0
Hello, I'm new here and this is my first post. I was referred here by Fleep and his YouTube Channel. I am trying to learn C++
while coding a simple DLL bypass.

I have been trying to prevent my target from removing my loopback adaptor. I am only a few days into C++ and
when I try the code, it relays my custom message of "Failed Virtual Protect". I'm not really sure what I am doing wrong,
would someone mind giving me a bump in the right direction regarding this problem? I appreciate all the help I can get.

Thank you.

#include "stdafx.h"

#include <iostream>
#include <windows.h>
#include <setupapi.h>

using namespace std;

// Called from DllMain on DLL_PROCESS_ATTACH. Loads setupapi.dll into the current process
// and overwrites the first three bytes of its SetupDiGetClassDevsExA export, reporting
// each failure on the console or in a message box.
// NOTE(review): this is an in-memory patch of a system DLL export; comparing the export's
// leading bytes with the on-disk setupapi.dll image would expose the three-byte change.
void WINAPI Main()
{

// Wide-string literal: compiles only when LoadLibrary maps to LoadLibraryW (UNICODE build).
HINSTANCE asdf = LoadLibrary(L"setupapi.dll");

if (asdf == NULL) {
MessageBoxA(NULL, "There was an error injecting...", NULL, MB_OK);
} else {

// We're using this for a debugging feature.
AllocConsole();

// Full-access handle to the process this DLL is loaded in (GetCurrentProcessId).
// NOTE(review): the handle is never passed to CloseHandle in this function.
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId());

if (hProcess) {

// NOTE(review): the GetProcAddress result is used below without a NULL check.
FARPROC devA = (FARPROC) GetProcAddress(asdf, "SetupDiGetClassDevsExA"); // 0x7554125C

unsigned long oldProtect;

// sizeof(devA) is the size of the FARPROC pointer, not the length of the bytes written below.
if(!VirtualProtectEx(hProcess, devA, sizeof(devA), PAGE_EXECUTE_WRITECOPY, &oldProtect)) {
cout << "[Virtual-1]: " << GetLastError() << endl;
// NOTE(review): this early return (like the two below) skips FreeLibrary(asdf).
return;
}

// x86 encoding of `ret 0x1C`: return to the caller and release 0x1C bytes of stack arguments.
BYTE newAddy[] = {0xC2, 0x1C, 0x00}; // RETN 1C ?

// Overwrites the start of the export with the three bytes above.
if (!WriteProcessMemory(hProcess, (BYTE*)devA, &newAddy, sizeof(newAddy), NULL)) {
cout << "[Write2Memory]: " << GetLastError() << endl;
return;
}

// Sets the region to PAGE_EXECUTE instead of the value saved by the first call, and
// reuses oldProtect as the output, so the originally saved protection is overwritten.
if (!VirtualProtectEx(hProcess, devA, sizeof(devA), PAGE_EXECUTE, &oldProtect)) {
cout << "[Virtual-2]: " << GetLastError() << endl;
return;
}

MessageBoxA(NULL, "Success!", NULL, MB_OK);
Sleep(3000);

} else {
MessageBoxA(NULL, "The process could not be found.", NULL, MB_OK);
}
}
// Reached on the success path and also when LoadLibrary failed (asdf == NULL).
FreeLibrary(asdf);
}



// DLL entry point. Calls Main() when the DLL is attached to a process and does nothing
// for thread attach/detach or process detach. Always reports success to the loader.
// NOTE(review): Main() runs synchronously inside DllMain and calls LoadLibrary,
// MessageBoxA and Sleep; Microsoft's DllMain guidance advises against such calls here.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        Main();
    }

    // Every other notification is ignored.
    return TRUE;
}

December 27th
UPDATE: I have quickly updated the code and it's displaying the "Success" message now but it still seems to be deleting the loopback adaptor.
 

Fleep

Founder
Meme Tier VIP
May 20, 2012
572
11,023
6
Originally Posted by Maxcloud

Hello, I'm new here and this is my first post. I was referred here by Fleep and his YouTube Channel. I am trying to learn C++
while coding a simple DLL bypass.

I have been trying to prevent my target from removing my loopback adaptor. I am only a few days into C++ and
when I try the code, it relays my custom message of "Failed Virtual Protect". I'm not really sure what I am doing wrong,
would someone mind giving me a bump in the right direction regarding this problem? I appreciate all the help I can get.

Thank you.

#include "stdafx.h"

#include <iostream>
#include <windows.h>
#include <setupapi.h>

using namespace std;

// Called from DllMain on DLL_PROCESS_ATTACH. Loads setupapi.dll into the current process
// and overwrites the first three bytes of its SetupDiGetClassDevsExA export, reporting
// each failure on the console or in a message box.
// NOTE(review): this is an in-memory patch of a system DLL export; comparing the export's
// leading bytes with the on-disk setupapi.dll image would expose the three-byte change.
void WINAPI Main()
{

// Wide-string literal: compiles only when LoadLibrary maps to LoadLibraryW (UNICODE build).
HINSTANCE asdf = LoadLibrary(L"setupapi.dll");

if (asdf == NULL) {
MessageBoxA(NULL, "There was an error injecting...", NULL, MB_OK);
} else {

// We're using this for a debugging feature.
AllocConsole();

// Full-access handle to the process this DLL is loaded in (GetCurrentProcessId).
// NOTE(review): the handle is never passed to CloseHandle in this function.
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId());

if (hProcess) {

// NOTE(review): the GetProcAddress result is used below without a NULL check.
FARPROC devA = (FARPROC) GetProcAddress(asdf, "SetupDiGetClassDevsExA"); // 0x7554125C

unsigned long oldProtect;

// sizeof(devA) is the size of the FARPROC pointer, not the length of the bytes written below.
if(!VirtualProtectEx(hProcess, devA, sizeof(devA), PAGE_EXECUTE_WRITECOPY, &oldProtect)) {
cout << "[Virtual-1]: " << GetLastError() << endl;
// NOTE(review): this early return (like the two below) skips FreeLibrary(asdf).
return;
}

// x86 encoding of `ret 0x1C`: return to the caller and release 0x1C bytes of stack arguments.
BYTE newAddy[] = {0xC2, 0x1C, 0x00}; // RETN 1C ?

// Overwrites the start of the export with the three bytes above.
if (!WriteProcessMemory(hProcess, (BYTE*)devA, &newAddy, sizeof(newAddy), NULL)) {
cout << "[Write2Memory]: " << GetLastError() << endl;
return;
}

// Sets the region to PAGE_EXECUTE instead of the value saved by the first call, and
// reuses oldProtect as the output, so the originally saved protection is overwritten.
if (!VirtualProtectEx(hProcess, devA, sizeof(devA), PAGE_EXECUTE, &oldProtect)) {
cout << "[Virtual-2]: " << GetLastError() << endl;
return;
}

MessageBoxA(NULL, "Success!", NULL, MB_OK);
Sleep(3000);

} else {
MessageBoxA(NULL, "The process could not be found.", NULL, MB_OK);
}
}
// Reached on the success path and also when LoadLibrary failed (asdf == NULL).
FreeLibrary(asdf);
}



// DLL entry point. Calls Main() when the DLL is attached to a process and does nothing
// for thread attach/detach or process detach. Always reports success to the loader.
// NOTE(review): Main() runs synchronously inside DllMain and calls LoadLibrary,
// MessageBoxA and Sleep; Microsoft's DllMain guidance advises against such calls here.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    if (ul_reason_for_call == DLL_PROCESS_ATTACH) {
        Main();
    }

    // Every other notification is ignored.
    return TRUE;
}

December 27th
UPDATE: I have quickly updated the code and it's displaying the "Success" message now but it still seems to be deleting the loopback adaptor.
 

ndani14

Nick
Dank Tier Donator
Nobleman
Aug 27, 2012
52
708
1
Hey Maxcloud,

What do you mean by "loopback adaptor"?

I can see a few errors in the code.

I believe you need to use PAGE_EXECUTE_READWRITE, not PAGE_EXECUTE_WRITECOPY.

Your call to WriteProcessMemory isn't actually needed if you're running in the process; you can just write to the address directly. But you can still use it. You will need to fix the address you're copying from (3rd param). It should just be "newAddy" not "&newAddy". "newAddy" is a pointer to the data whereas "&newAddy" is a pointer to the pointer of the data.

You can just call memcpy like this.
memcpy(devA, newAddy, sizeof(newAddy)); // may need to cast haven't checked
// also include string.h

Another minor thing: when you revert the access rights, you should set them back to what they were rather than hard-coding PAGE_EXECUTE.
is
VirtualProtectEx(hProcess, devA, sizeof(devA), PAGE_EXECUTE, &oldProtect)
should be
VirtualProtectEx(hProcess, devA, sizeof(devA), oldProtect, &oldProtect)

Another thing to be careful of, but in this case you're ok. When you call VirtualProtectEx to change the page protection make sure you use the size of the memory you're going to change. If not you may go to write something and get an access violation because the data could be on the edge between two pages.

VirtualProtectEx(hProcess, devA, sizeof(devA), oldProtect, &oldProtect)
3rd param should be the size of the data you're going to change. In this case the size of a FARPROC is larger than what you're writing.

By the way, why are you freeing the library when you're done? It kind of makes the change useless, or is there something else going on that I don't know about?

Hope this helps with the issue =)
 

Maxcloud

Newbie
Dec 24, 2012
4
152
0
Hey Maxcloud,

What do you mean by "loopback adaptor"?

I can see a few errors in the code.

I believe you need to use PAGE_EXECUTE_READWRITE, not PAGE_EXECUTE_WRITECOPY.

Your call to WriteProcessMemory, isn't actually needed if your running in the process, just can write to the address directly. But you can still use it. You will need to fix the address you're copying from (3rd param). It should just be "newAddy" not "&newAddy". "newAddy" is a pointer to the data where as "&newAddy" is a pointer to the pointer of the data.

You can just call memcpy like this.
memcpy(devA, newAddy, sizeof(newAddy)); // may need to cast haven't checked
// also include string.h

Also another minor thing when you're trying to revert the access rights you should be setting them to what they were not hard coding the PAGE_EXECUTE
is
VirtualProtectEx(hProcess, devA, sizeof(devA), PAGE_EXECUTE, &oldProtect)
should be
VirtualProtectEx(hProcess, devA, sizeof(devA), oldProtect, &oldProtect)

Another thing to be careful of, but in this case you're ok. When you call VirtualProtectEx to change the page protection make sure you use the size of the memory you're going to change. If not you may go to write something and get an access violation because the data could be on the edge between two pages.

VirtualProtectEx(hProcess, devA, sizeof(devA), oldProtect, &oldProtect)
3rd param should be the size of the data you're going to change. In this case the size of a FARPROC is larger than what you're writing.

By the way, why are you freeing the library when you're done? It kind of makes the change useless there's something else going on I don't know about?

Hope this helps with the issue =)
I use a Microsoft Loopback Adapter to trick my target into thinking I am the gaming server and then it connects to my emulated server, but recently they have discovered people doing this and are now deleting the adapter before the game even opens.

Surprisingly enough, I understand everything you said. I really appreciate the help but unfortunately it didn't solve my problem. I've recently tried using an API monitor to see if I am in fact tackling the correct function, but since the client is packed with Themida it's difficult to work with. There was someone else that had the idea of creating a dirty patch to SetupDiRemoveDevice to trick it into giving the response that the device was deleted, but again no results.

I personally think the API is guarded by HackShield so I have decided to take a shot at detouring WS2_32 and it worked for a few versions, but now it's freezing upon connecting. I have included the code, maybe it needs to be improved?

C++:
#include "stdafx.h"
#include "Detours/detours.h"

#include <stdio.h>
#include <iostream>
#include <Windows.h>
#include <ws2tcpip.h>
 
#pragma comment(lib, "WS2_32")
#pragma comment(lib, "Detours/detours.lib") 

using namespace std;

// Function-pointer type with the (SOCKET, sockaddr_in*, int) signature that GetPeerName forwards to.
typedef int (WINAPI *LocalConnect) (SOCKET, sockaddr_in*, int);
// Assigned in DllMain from the DetourFunction return value; GetPeerName calls through it
// (presumably the trampoline to the original ws2_32 connect; depends on the Detours build).
LocalConnect local_addr;

// Replacement that DllMain installs over the "connect" export of ws2_32.dll (despite its
// name it is not a getpeername hook). Overwrites the IPv4 address in the caller's
// sockaddr_in with 127.0.0.1 and forwards the call through local_addr; the port and
// address family are left as the caller set them.
// NOTE(review): sockAddr is written without checking it for NULL, checking sin_family,
// or checking that `size` covers a sockaddr_in.
// NOTE(review): while this hook is active every connect call routed through it targets
// loopback, which is observable as loopback-only peer addresses for the process.
int WINAPI GetPeerName (SOCKET s, sockaddr_in* sockAddr, int size)
{

		// Same pointer as sockAddr; the cast does not change the type.
		sockaddr_in* service = (sockaddr_in*)sockAddr;
	
		unsigned long address = inet_addr("127.0.0.1");

		// Copies sizeof(unsigned long) bytes of the loopback address over sin_addr.
		memcpy(&service->sin_addr, &address, sizeof(unsigned long));

		return local_addr (s, sockAddr, size);
}

// DLL entry point. On process attach it opens a console and detours the "connect" export
// of ws2_32.dll to GetPeerName, storing the DetourFunction return value in local_addr.
// All other notifications are ignored. Always returns TRUE.
// NOTE(review): once the detour is installed, the in-memory connect code presumably
// differs from the ws2_32.dll image on disk (depends on how this Detours build patches).
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
					 )
{
	switch (ul_reason_for_call)
	{
	// NOTE(review): this statement precedes the first case label, so the switch never executes it.
	DisableThreadLibraryCalls(hModule);
	case DLL_PROCESS_ATTACH:
		AllocConsole();
		// NOTE(review): the GetModuleHandleA and GetProcAddress results are passed on unchecked.
		local_addr = (LocalConnect)DetourFunction((PBYTE)GetProcAddress (GetModuleHandleA("ws2_32.dll"), "connect"), (PBYTE)GetPeerName);
	// Falls through to the shared break below.
	case DLL_THREAD_ATTACH:
	case DLL_THREAD_DETACH:
	case DLL_PROCESS_DETACH:
		break;
	}
	return TRUE;
}
 