Source Code Protect your handles!

Hexui Undetected CSGO Cheats Sinkicheat PUBG Cheat

Broihon

edgy 12 y/o
Escobar Tier VIP
Fleep Tier Donator
Dec 22, 2013
1,746
40,528
316
How long you been coding/hacking?
ur mom gay
Update: I'm retarded. You can simply use SetHandleInformation


Just some code which can be used to protect handles from being closed without your permission. Some anti cheats scan for open handles to the game process and then close that handle (eg. XIGNCODE) and I found that quite annoying so I made this simple wrapper class which lets you protect/unprotect handles with one call.

C++:
//ProtectedHandle.h
#pragma once

#ifndef PROTECTED_HANDLE_H
#define PROTECTED_HANDLE_H

#include <Windows.h>
#include "NT Func.h"

class PROTECTED_HANDLE
{
public:

    PROTECTED_HANDLE(HANDLE & hObject, bool Protect = true, ACCESS_MASK Access = 0);
    ~PROTECTED_HANDLE();

    bool SetHandle(HANDLE & hObject, bool Protect = true, ACCESS_MASK Access = 0);
    void Release();
 
    bool IsProtected();
    bool Protect();
    bool Unprotect();
    bool IsValid();

    HANDLE Get();
    HANDLE operator()();
    operator HANDLE();
 
private:
    HANDLE m_hObject;
};

#endif
C++:
//ProtectedHandle.cpp
#include "ProtectedHandle.h"

PROTECTED_HANDLE::PROTECTED_HANDLE(HANDLE & hObject, bool ProtectFromClose, ACCESS_MASK Access)
{
    SetHandle(hObject, ProtectFromClose, Access);
}

PROTECTED_HANDLE::~PROTECTED_HANDLE()
{
    Release();
}

bool PROTECTED_HANDLE::SetHandle(HANDLE & hObject, bool ProtectFromClose, ACCESS_MASK Access)
{
    if (m_hObject)
        Release();

    DWORD dwFlags = 0;
    if (!GetHandleInformation(hObject, &dwFlags))
    {
        m_hObject = nullptr;
        return false;
    }

    NTSTATUS ntRet = NT::NtDuplicateObject(GetCurrentProcess(), hObject, GetCurrentProcess(), &m_hObject, Access, 0, (Access != 0) ? 0 : DUPLICATE_SAME_ACCESS);
    if(NT_FAIL(ntRet))
        m_hObject = nullptr;
    else
    {
        if (ProtectFromClose)
            if (Protect())
            {
                CloseHandle(hObject);
                return true;
            }
        CloseHandle(m_hObject);
    }
    return false;
}

void PROTECTED_HANDLE::Release()
{
    if (m_hObject)
        if (Unprotect())
        {
            CloseHandle(m_hObject);
            m_hObject = nullptr;
        }
}

bool PROTECTED_HANDLE::IsProtected()
{
    if (!m_hObject)
        return false;

    OBJECT_HANDLE_FLAG_INFORMATION ohfi{ 0 };

    ULONG SizeOut;
    NTSTATUS ntRet = NT::NtQueryObject(m_hObject, ObjectHandleFlagInformation, &ohfi, sizeof(OBJECT_HANDLE_FLAG_INFORMATION), &SizeOut);
    if (NT_FAIL(ntRet))
        return false;

    return (ohfi.ProtectFromClose == 1);
}

bool PROTECTED_HANDLE::Protect()
{
    if (!m_hObject)
        return false;

    OBJECT_HANDLE_FLAG_INFORMATION ohfi{ 0 };
    ohfi.ProtectFromClose = 1;

    NTSTATUS ntRet = NT::NtSetInformationObject(m_hObject, ObjectHandleFlagInformation, &ohfi, sizeof(OBJECT_HANDLE_FLAG_INFORMATION));
    return (NT_SUCCESS(ntRet));
}

bool PROTECTED_HANDLE::Unprotect()
{
    if (!m_hObject)
        return false;

    OBJECT_HANDLE_FLAG_INFORMATION ohfi{ 0 };
 
    NTSTATUS ntRet = NT::NtSetInformationObject(m_hObject, ObjectHandleFlagInformation, &ohfi, sizeof(OBJECT_HANDLE_FLAG_INFORMATION));
    return (NT_SUCCESS(ntRet));
}

bool PROTECTED_HANDLE::IsValid()
{
    if (!m_hObject)
        return false;

    DWORD infoOut;
    if (!GetHandleInformation(m_hObject, &infoOut))
        return false;

    return true;
}

HANDLE PROTECTED_HANDLE::Get()
{
    return m_hObject;
}

HANDLE PROTECTED_HANDLE::operator()()
{
    return m_hObject;
}

PROTECTED_HANDLE::operator HANDLE()
{
    return m_hObject;
}

C++:
#ifndef NT_FAIL
#define NT_FAIL(status) status < 0
#endif

#ifndef NT_SUCCESS
#define NT_SUCCESS(status) status >= 0
#endif

enum _OBJECT_INFORMATION_CLASS
{
    ObjectBasicInformation,
    ObjectNameInformation,
    ObjectTypeInformation,
    ObjectTypesInformation,
    ObjectHandleFlagInformation,
    ObjectSessionInformation,
};
typedef _OBJECT_INFORMATION_CLASS OBJECT_INFORMATION_CLASS;

struct OBJECT_HANDLE_FLAG_INFORMATION
{
    BYTE Inherit;
    BYTE ProtectFromClose;
};

typedef NTSTATUS(__stdcall * f_NtDuplicateObject)(HANDLE hSourceProcess, HANDLE hSourceHandle, HANDLE hTargetProcess, HANDLE * hOut, ACCESS_MASK Access, ULONG HandleAttributes, ULONG Flags); //NT::NtDuplicateObject

typedef NTSTATUS(__stdcall * f_NtQueryObject)(HANDLE hObject, OBJECT_INFORMATION_CLASS ObjectInfoClass, void * pObjectInfo, ULONG BufferSize, ULONG * pSizeReturned); //NT::NtQueryObject

typedef NTSTATUS(__stdcall * f_NtSetInformationObject)(HANDLE hObject, OBJECT_INFORMATION_CLASS ObjectInfoClass, void * pObjectInfo, ULONG BufferSize); //NT::NtSetInformationObject

typedef NTSTATUS(__stdcall * f_NtClose)(HANDLE hObject); //NT::NtClose

There's only one constructor for that class but you can use it in different. By default you just have to pass the old handle object. The protected handle then has the same access mask as the original handle. By default the handle is protected. If you don't want any of that change the 2nd and 3rd argument of the constructor:
C++:
HANDLE hOriginalHandle = OpenProcess(PROCESS_VM_READ, FALSE, PID);
PROTECTED_HANDLE phProc(hOriginalHandle);
PROTECTED_HANDLE phProc(hOriginalHandle, false);
PROTECTED_HANDLE phProc(hOriginalHandle, true, PROCESS_ALL_ACCESS);
Due to the sick overloaded operators you don't even have to manually cast it for RPM/WPM (you can also use .Get() if you want
):
C++:
ReadProcessMemory(phProc, nullptr, nullptr, 0, nullptr);
Keep in mind that the original handle will be closed on creation of the protected handle! Also it's your job to release the instance of the protected handle class. Otherwise the deconstructor won't close the protected handle.
 
Last edited:

Broihon

edgy 12 y/o
Escobar Tier VIP
Fleep Tier Donator
Dec 22, 2013
1,746
40,528
316
And there it goes, right over my head :)
Just some undocumented magic^^ But honestly this is useful in like 1 of 1000 cases. Not many anti cheats will fall for this.
 

JMP

Newbie
Full Member
Dec 7, 2016
22
228
0
good stuff thx++
with this can i make some changes to put this on my dll and prevent xigncode do close the main.exe?
 
Last edited:

Lukor

ded
Meme Tier VIP
Fleep Tier Donator
Dec 13, 2013
493
5,753
25
No, this is used to protect handles from being closed.
 

Broihon

edgy 12 y/o
Escobar Tier VIP
Fleep Tier Donator
Dec 22, 2013
1,746
40,528
316
good stuff thx++
with this can i make some changes to put this on my dll and prevent xigncode do close the main.exe?
No, as Lukor said. You can only use it to prevent Xigncode from closing your handles (eg. hack.exe which writes to game.exe).
If you want to inject a dll just use manual mapping. Xigncode won't detect it.
 

JMP

Newbie
Full Member
Dec 7, 2016
22
228
0
No, as Lukor said. You can only use it to prevent Xigncode from closing your handles (eg. hack.exe which writes to game.exe).
If you want to inject a dll just use manual mapping. Xigncode won't detect it.
He detects this, before that it did not happen before. My method is to create a detour in some function injected with manual map and call my menu for there, this is currently being detected. My hope with this code was to avoid loading the driver and preventing it from terminating the program because of heatbeat. But I understand what this code do now, thanks for the help.
 

gyn

Newbie
Full Member
Apr 12, 2014
5
142
1
A nice to have utility in the pocket, sweet share broihon.

Been using it for anti debugging/sandbox detection with little modifications.
 

Roman_Ablo

Banned
Feb 27, 2017
355
2,402
1
i wanted to do smth similar to this so im wondering:

so
C++:
operator HANDLE()
		{
			return handle_whatever_Xd;
		}
will make it so you can do
C++:
SAFE_HANDLE old(...);
HANDLE cv = old;
right? so then what is this? v
C++:
		HANDLE operator()()
 

Broihon

edgy 12 y/o
Escobar Tier VIP
Fleep Tier Donator
Dec 22, 2013
1,746
40,528
316
i wanted to do smth similar to this so im wondering:

so
C++:
operator HANDLE()
		{
			return handle_whatever_Xd;
		}
will make it so you can do
C++:
SAFE_HANDLE old(...);
HANDLE cv = old;
right? so then what is this? v
C++:
		HANDLE operator()()
The first one is the casting operator:
(HANDLE)phProc (when passed to functions like RPM this gets executed automatically)

The second one is the calling operator:
phProc()

Both (obviously) return the same object.
 
Attention! Before you post:

Read the How to Ask Questions Guide
99% of questions are answered in the Beginner's Guide, do it before asking a question.

No Hack Requests. Post in the correct section.  Search the forum first. Read the rules.

How to make a good post:

  • Fill out the form correctly
  • Tell us the game name & coding language
  • Post everything we need to know to help you
  • Ask specific questions, be descriptive
  • Post errors, line numbers & screenshots
  • Post code snippets using code tags
  • If it's a large project, zip it up and attach it

If you do not comply, your post may be deleted.  We want to help, please make a good post and we will do our best to help you.

Community Mods