vrailn/vape-v4-detector

Vape V4 finder

Detects Vape V4 injected into a Minecraft instance.

How It Works

Vape injects its cheat DLL into Minecraft by writing the entire PE flat into a single allocation and marking it PAGE_EXECUTE_READWRITE. The injected PE is protected with Themida/WinLicense, which adds a section called .vlizer.

The detector:

  1. Finds javaw.exe or java.exe
  2. Walks the process memory with VirtualQueryEx looking for private, committed, RWX regions
  3. Checks if the region starts with an MZ header and has a valid PE signature
  4. Parses the PE section table looking for a section named .vlizer
  5. If found, prints the base address of the injected module
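
Steps 3 and 4 as portable C, an added example and not this repository's code. It runs on a buffer already read out of a candidate region; `pe_has_section` and `build_sample` are names made up here, and the sample image is constructed.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Returns 1 if buf is a PE image with a section called `name` (max 8 chars), else 0.
 * Every offset is bounds-checked: the bytes come from another process. */
int pe_has_section(const uint8_t *buf, size_t len, const char *name)
{
    uint8_t want[8] = {0};
    size_t n = strlen(name);
    if (n > 8 || len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return 0;
    memcpy(want, name, n);                       /* names are NUL-padded to 8 bytes */
    size_t pe = rd32(buf + 0x3C);                /* e_lfanew */
    if (pe > len || len - pe < 24) return 0;     /* signature + COFF header must fit */
    if (memcmp(buf + pe, "PE\0\0", 4) != 0) return 0;
    size_t nsec = rd16(buf + pe + 6);            /* NumberOfSections */
    size_t tbl  = pe + 24 + rd16(buf + pe + 20); /* skip SizeOfOptionalHeader bytes */
    for (size_t i = 0; i < nsec; i++) {
        size_t off = tbl + i * 40;               /* IMAGE_SECTION_HEADER is 40 bytes */
        if (off > len || len - off < 40) return 0;
        if (memcmp(buf + off, want, 8) == 0) return 1;
    }
    return 0;
}

/* Constructed sample: minimal headers with one section, not a real module. */
size_t build_sample(uint8_t *buf, size_t cap, const char *secname)
{
    const size_t pe = 0x80, opt = 0xF0, total = pe + 24 + opt + 40;
    if (cap < total || strlen(secname) > 8) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z'; buf[0x3C] = (uint8_t)pe;
    memcpy(buf + pe, "PE\0\0", 4);
    buf[pe + 6] = 1;                             /* NumberOfSections = 1 */
    buf[pe + 20] = (uint8_t)opt;                 /* SizeOfOptionalHeader (PE32+ size) */
    memcpy(buf + pe + 24 + opt, secname, strlen(secname));
    return total;
}

int main(void)
{
    uint8_t img[512];
    size_t n = build_sample(img, sizeof img, ".vlizer");
    printf("full: %d, truncated: %d\n", pe_has_section(img, n, ".vlizer"), pe_has_section(img, n - 1, ".vlizer"));
    return 0;
}
```
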

After scanning, you can dump Vape's module (its DLL) to a file named vape-V4-{n}.bin.

Building

MSVC:

Open the .sln and build with VS 22 - 26.

Usage

After injecting vape-v4, just run the exe produced by the build.

Output:

looking for vape v4
vape v4 found @ 0x000002F9BCC40000
dump? (y/n): n

How Vape Injects

  1. Enables SeDebugPrivilege on its process token
  2. Allocates memory in Minecraft with VirtualAllocEx (MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE)
  3. Writes the entire PE with WriteProcessMemory
  4. Flips the region to PAGE_EXECUTE_READWRITE with VirtualProtectEx
  5. Starts a remote thread with CreateRemoteThread at an export named "tim" in the injected PE

Also, for some reason Vape maps the same DLL twice -_- so the detector will always show 2 instances.

Apparently they map the module, then the module maps the same module again and messes with the first DLL's pages. It's fucked, but this does work 100% of the time as of right now.

[Images: ptview output]