From b23675562f16c53304a80c49a0a15350747fee6b Mon Sep 17 00:00:00 2001 From: mrexodia Date: Tue, 23 May 2017 19:41:09 +0200 Subject: [PATCH] implemented GetPEBLocation + GetTEBLocation + removed unused ImporterGetRemoteAPIAddress --- TitanEngineEmulator/Emulator.h | 50 +- TitanEngineEmulator/TitanEngineEmulator.cpp | 9 +- TitanEngineEmulator/ntdll.h | 610 ++++++++++++++++++++ TitanEngineEmulator/ntdll_x64.lib | Bin 0 -> 4366 bytes TitanEngineEmulator/ntdll_x86.lib | Bin 0 -> 4592 bytes 5 files changed, 649 insertions(+), 20 deletions(-) create mode 100644 TitanEngineEmulator/ntdll.h create mode 100644 TitanEngineEmulator/ntdll_x64.lib create mode 100644 TitanEngineEmulator/ntdll_x86.lib diff --git a/TitanEngineEmulator/Emulator.h b/TitanEngineEmulator/Emulator.h index 3547ad2..bac0f6a 100644 --- a/TitanEngineEmulator/Emulator.h +++ b/TitanEngineEmulator/Emulator.h @@ -1,5 +1,6 @@ #include #include "TitanEngine.h" +#include "ntdll.h" using namespace GleeBug; @@ -66,8 +67,7 @@ public: auto process = processFromHandle(hProcess); if (!process) return false; - //TODO process->MemWriteSafe - return process->MemWriteUnsafe(ptr(lpBaseAddress), lpBuffer, nSize, (ptr*)lpNumberOfBytesWritten); + return process->MemWriteSafe(ptr(lpBaseAddress), lpBuffer, nSize, (ptr*)lpNumberOfBytesWritten); } bool Fill(LPVOID MemoryStart, DWORD MemorySize, PBYTE FillByte) @@ -158,14 +158,44 @@ public: //Misc void* GetPEBLocation(HANDLE hProcess) { - //TODO - return nullptr; + ULONG RequiredLen = 0; + void* PebAddress = 0; + PROCESS_BASIC_INFORMATION myProcessBasicInformation[5] = { 0 }; + + if(NtQueryInformationProcess(hProcess, ProcessBasicInformation, myProcessBasicInformation, sizeof(PROCESS_BASIC_INFORMATION), &RequiredLen) == 0) + { + PebAddress = (void*)myProcessBasicInformation->PebBaseAddress; + } + else + { + if(NtQueryInformationProcess(hProcess, ProcessBasicInformation, myProcessBasicInformation, RequiredLen, &RequiredLen) == 0) + { + PebAddress = (void*)myProcessBasicInformation->PebBaseAddress; + } + } + + return PebAddress; } - void* GetTEBLocation(HANDLE hProcess) + void* GetTEBLocation(HANDLE hThread) { - //TODO - return nullptr; + ULONG RequiredLen = 0; + void* TebAddress = 0; + THREAD_BASIC_INFORMATION myThreadBasicInformation[5] = { 0 }; + + if(NtQueryInformationThread(hThread, ThreadBasicInformation, myThreadBasicInformation, sizeof(THREAD_BASIC_INFORMATION), &RequiredLen) == 0) + { + TebAddress = (void*)myThreadBasicInformation->TebBaseAddress; + } + else + { + if(NtQueryInformationThread(hThread, ThreadBasicInformation, myThreadBasicInformation, RequiredLen, &RequiredLen) == 0) + { + TebAddress = (void*)myThreadBasicInformation->TebBaseAddress; + } + } + + return TebAddress; } bool HideDebugger(HANDLE hProcess, DWORD PatchAPILevel) @@ -186,12 +216,6 @@ public: return OpenThread(dwDesiredAccess, bInheritHandle, dwThreadId); } - ULONG_PTR ImporterGetRemoteAPIAddress(HANDLE hProcess, ULONG_PTR APIAddress) - { - //TODO - return 0; - } - //Stepping void StepOver(LPVOID CallBack) { diff --git a/TitanEngineEmulator/TitanEngineEmulator.cpp b/TitanEngineEmulator/TitanEngineEmulator.cpp index abaf554..0ee8759 100644 --- a/TitanEngineEmulator/TitanEngineEmulator.cpp +++ b/TitanEngineEmulator/TitanEngineEmulator.cpp @@ -97,9 +97,9 @@ __declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess) return emu.GetPEBLocation(hProcess); } -__declspec(dllexport) void* TITCALL GetTEBLocation(HANDLE hProcess) +__declspec(dllexport) void* TITCALL GetTEBLocation(HANDLE hThread) { - return emu.GetTEBLocation(hProcess); + return emu.GetTEBLocation(hThread); } __declspec(dllexport) bool TITCALL HideDebugger(HANDLE hProcess, DWORD PatchAPILevel) @@ -117,11 +117,6 @@ __declspec(dllexport) HANDLE TITCALL TitanOpenThread(DWORD dwDesiredAccess, bool return emu.TitanOpenThread(dwDesiredAccess, bInheritHandle, dwThreadId); } -__declspec(dllexport) ULONG_PTR TITCALL ImporterGetRemoteAPIAddress(HANDLE hProcess, ULONG_PTR APIAddress) -{ - return emu.ImporterGetRemoteAPIAddress(hProcess, APIAddress); -} - //Registers __declspec(dllexport) ULONG_PTR TITCALL GetContextDataEx(HANDLE hActiveThread, DWORD IndexOfRegister) { diff --git a/TitanEngineEmulator/ntdll.h b/TitanEngineEmulator/ntdll.h new file mode 100644 index 0000000..0ac4245 --- /dev/null +++ b/TitanEngineEmulator/ntdll.h @@ -0,0 +1,610 @@ +#pragma once + +#include + +#ifndef _WIN64 +#pragma comment(lib, "ntdll_x86.lib") +#else +#pragma comment(lib, "ntdll_x64.lib") +#endif + +#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L) + +typedef LONG NTSTATUS; +typedef LONG KPRIORITY; + +typedef struct _CLIENT_ID +{ + HANDLE UniqueProcess; + HANDLE UniqueThread; +} CLIENT_ID, *PCLIENT_ID; + +typedef enum _KTHREAD_STATE +{ + Initialized, + Ready, + Running, + Standby, + Terminated, + Waiting, + Transition, + DeferredReady, + GateWait +} KTHREAD_STATE; + +typedef enum _KWAIT_REASON +{ + Executive, + FreePage, + PageIn, + PoolAllocation, + DelayExecution, + Suspended, + UserRequest, + WrExecutive, + WrFreePage, + WrPageIn, + WrPoolAllocation, + WrDelayExecution, + WrSuspended, + WrUserRequest, + WrEventPair, + WrQueue, + WrLpcReceive, + WrLpcReply, + WrVirtualMemory, + WrPageOut, + WrRendezvous, + Spare2, + Spare3, + Spare4, + Spare5, + Spare6, + WrKernel, + WrResource, + WrPushLock, + WrMutex, + WrQuantumEnd, + WrDispatchInt, + WrPreempted, + WrYieldExecution, + WrFastMutex, + WrGuardedMutex, + WrRundown, + MaximumWaitReason +} KWAIT_REASON; + +typedef struct _UNICODE_STRING +{ + USHORT Length; + USHORT MaximumLength; + PWSTR Buffer; +} UNICODE_STRING, *PUNICODE_STRING; + +typedef struct _SYSTEM_SESSION_PROCESS_INFORMATION +{ + ULONG SessionId; + ULONG SizeOfBuf; + PVOID Buffer; +} SYSTEM_SESSION_PROCESS_INFORMATION, *PSYSTEM_SESSION_PROCESS_INFORMATION; + +typedef struct _SYSTEM_THREAD_INFORMATION +{ + LARGE_INTEGER KernelTime; + LARGE_INTEGER UserTime; + LARGE_INTEGER CreateTime; + ULONG WaitTime; + PVOID StartAddress; + CLIENT_ID ClientId; + KPRIORITY Priority; + LONG BasePriority; + ULONG ContextSwitches; + ULONG ThreadState; + ULONG WaitReason; +} SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION; + +typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO +{ + USHORT UniqueProcessId; + USHORT CreatorBackTraceIndex; + UCHAR ObjectTypeIndex; + UCHAR HandleAttributes; + USHORT HandleValue; + PVOID Object; + ULONG GrantedAccess; +} SYSTEM_HANDLE_TABLE_ENTRY_INFO, *PSYSTEM_HANDLE_TABLE_ENTRY_INFO; + +typedef struct _SYSTEM_HANDLE_INFORMATION +{ + ULONG NumberOfHandles; + SYSTEM_HANDLE_TABLE_ENTRY_INFO Handles[1]; +} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; + +typedef struct _SYSTEM_EXTENDED_THREAD_INFORMATION +{ + SYSTEM_THREAD_INFORMATION ThreadInfo; + PVOID StackBase; + PVOID StackLimit; + PVOID Win32StartAddress; + PVOID TebAddress; /* This is only filled in on Vista and above */ + ULONG_PTR Reserved2; + ULONG_PTR Reserved3; + ULONG_PTR Reserved4; +} SYSTEM_EXTENDED_THREAD_INFORMATION, *PSYSTEM_EXTENDED_THREAD_INFORMATION; + +typedef struct _SYSTEM_PROCESS_INFORMATION +{ + ULONG NextEntryOffset; + ULONG NumberOfThreads; + LARGE_INTEGER SpareLi1; + LARGE_INTEGER SpareLi2; + LARGE_INTEGER SpareLi3; + LARGE_INTEGER CreateTime; + LARGE_INTEGER UserTime; + LARGE_INTEGER KernelTime; + UNICODE_STRING ImageName; + KPRIORITY BasePriority; + HANDLE UniqueProcessId; + HANDLE InheritedFromUniqueProcessId; + ULONG HandleCount; + ULONG SessionId; + ULONG_PTR PageDirectoryBase; + SIZE_T PeakVirtualSize; + SIZE_T VirtualSize; + ULONG PageFaultCount; + SIZE_T PeakWorkingSetSize; + SIZE_T WorkingSetSize; + SIZE_T QuotaPeakPagedPoolUsage; + SIZE_T QuotaPagedPoolUsage; + SIZE_T QuotaPeakNonPagedPoolUsage; + SIZE_T QuotaNonPagedPoolUsage; + SIZE_T PagefileUsage; + SIZE_T PeakPagefileUsage; + SIZE_T PrivatePageCount; + LARGE_INTEGER ReadOperationCount; + LARGE_INTEGER WriteOperationCount; + LARGE_INTEGER OtherOperationCount; + LARGE_INTEGER ReadTransferCount; + LARGE_INTEGER WriteTransferCount; + LARGE_INTEGER OtherTransferCount; + SYSTEM_THREAD_INFORMATION Threads[1]; +} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION; + + +typedef struct _OBJECT_BASIC_INFORMATION +{ + ULONG Attributes; + ACCESS_MASK GrantedAccess; + ULONG HandleCount; + ULONG PointerCount; + ULONG PagedPoolCharge; + ULONG NonPagedPoolCharge; + ULONG Reserved[ 3 ]; + ULONG NameInfoSize; + ULONG TypeInfoSize; + ULONG SecurityDescriptorSize; + LARGE_INTEGER CreationTime; +} OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION; + +typedef struct _OBJECT_NAME_INFORMATION +{ + UNICODE_STRING Name; +} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION; + +typedef struct _OBJECT_TYPE_INFORMATION +{ + UNICODE_STRING TypeName; + ULONG TotalNumberOfObjects; + ULONG TotalNumberOfHandles; + ULONG TotalPagedPoolUsage; + ULONG TotalNonPagedPoolUsage; + ULONG TotalNamePoolUsage; + ULONG TotalHandleTableUsage; + ULONG HighWaterNumberOfObjects; + ULONG HighWaterNumberOfHandles; + ULONG HighWaterPagedPoolUsage; + ULONG HighWaterNonPagedPoolUsage; + ULONG HighWaterNamePoolUsage; + ULONG HighWaterHandleTableUsage; + ULONG InvalidAttributes; + GENERIC_MAPPING GenericMapping; + ULONG ValidAccessMask; + BOOLEAN SecurityRequired; + BOOLEAN MaintainHandleCount; + ULONG PoolType; + ULONG DefaultPagedPoolCharge; + ULONG DefaultNonPagedPoolCharge; +} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION; + +typedef struct _OBJECT_TYPES_INFORMATION +{ + ULONG NumberOfTypes; + OBJECT_TYPE_INFORMATION TypeInformation[1]; +} OBJECT_TYPES_INFORMATION, *POBJECT_TYPES_INFORMATION; + +//typedef struct _PUBLIC_OBJECT_BASIC_INFORMATION +//{ +// ULONG Attributes; +// ACCESS_MASK GrantedAccess; +// ULONG HandleCount; +// ULONG PointerCount; +// +// ULONG Reserved[10]; // reserved for internal use +// +//} PUBLIC_OBJECT_BASIC_INFORMATION, *PPUBLIC_OBJECT_BASIC_INFORMATION; + +typedef struct __PUBLIC_OBJECT_TYPE_INFORMATION +{ + + UNICODE_STRING TypeName; + + ULONG Reserved [22]; // reserved for internal use + +} PUBLIC_OBJECT_TYPE_INFORMATION, *PPUBLIC_OBJECT_TYPE_INFORMATION; + +typedef struct _PROCESS_BASIC_INFORMATION +{ + PVOID Reserved1; + PVOID PebBaseAddress; + PVOID Reserved2[2]; + ULONG_PTR UniqueProcessId; + PVOID Reserved3; +} PROCESS_BASIC_INFORMATION; +typedef PROCESS_BASIC_INFORMATION* PPROCESS_BASIC_INFORMATION; + +typedef struct _THREAD_BASIC_INFORMATION +{ + NTSTATUS ExitStatus; + PVOID TebBaseAddress; + CLIENT_ID ClientId; + ULONG_PTR AffinityMask; + KPRIORITY Priority; + LONG BasePriority; +} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION; + +typedef +VOID +(*PPS_APC_ROUTINE)( + __in_opt PVOID ApcArgument1, + __in_opt PVOID ApcArgument2, + __in_opt PVOID ApcArgument3 +); + +typedef enum _PROCESSINFOCLASS +{ + ProcessBasicInformation, + ProcessQuotaLimits, + ProcessIoCounters, + ProcessVmCounters, + ProcessTimes, + ProcessBasePriority, + ProcessRaisePriority, + ProcessDebugPort, + ProcessExceptionPort, + ProcessAccessToken, + ProcessLdtInformation, + ProcessLdtSize, + ProcessDefaultHardErrorMode, + ProcessIoPortHandlers, // Note: this is kernel mode only + ProcessPooledUsageAndLimits, + ProcessWorkingSetWatch, + ProcessUserModeIOPL, + ProcessEnableAlignmentFaultFixup, + ProcessPriorityClass, + ProcessWx86Information, + ProcessHandleCount, + ProcessAffinityMask, + ProcessPriorityBoost, + ProcessDeviceMap, + ProcessSessionInformation, + ProcessForegroundInformation, + ProcessWow64Information, + ProcessImageFileName, + ProcessLUIDDeviceMapsEnabled, + ProcessBreakOnTermination, + ProcessDebugObjectHandle, + ProcessDebugFlags, + ProcessHandleTracing, + ProcessIoPriority, + ProcessExecuteFlags, + ProcessResourceManagement, + ProcessCookie, + ProcessImageInformation, + MaxProcessInfoClass // MaxProcessInfoClass should always be the last enum +} PROCESSINFOCLASS; + +typedef enum _SYSTEM_INFORMATION_CLASS +{ + SystemBasicInformation, + SystemProcessorInformation, // obsolete...delete + SystemPerformanceInformation, + SystemTimeOfDayInformation, + SystemPathInformation, + SystemProcessInformation, + SystemCallCountInformation, + SystemDeviceInformation, + SystemProcessorPerformanceInformation, + SystemFlagsInformation, + SystemCallTimeInformation, + SystemModuleInformation, + SystemLocksInformation, + SystemStackTraceInformation, + SystemPagedPoolInformation, + SystemNonPagedPoolInformation, + SystemHandleInformation, + SystemObjectInformation, + SystemPageFileInformation, + SystemVdmInstemulInformation, + SystemVdmBopInformation, + SystemFileCacheInformation, + SystemPoolTagInformation, + SystemInterruptInformation, + SystemDpcBehaviorInformation, + SystemFullMemoryInformation, + SystemLoadGdiDriverInformation, + SystemUnloadGdiDriverInformation, + SystemTimeAdjustmentInformation, + SystemSummaryMemoryInformation, + SystemMirrorMemoryInformation, + SystemPerformanceTraceInformation, + SystemObsolete0, + SystemExceptionInformation, + SystemCrashDumpStateInformation, + SystemKernelDebuggerInformation, + SystemContextSwitchInformation, + SystemRegistryQuotaInformation, + SystemExtendServiceTableInformation, + SystemPrioritySeperation, + SystemVerifierAddDriverInformation, + SystemVerifierRemoveDriverInformation, + SystemProcessorIdleInformation, + SystemLegacyDriverInformation, + SystemCurrentTimeZoneInformation, + SystemLookasideInformation, + SystemTimeSlipNotification, + SystemSessionCreate, + SystemSessionDetach, + SystemSessionInformation, + SystemRangeStartInformation, + SystemVerifierInformation, + SystemVerifierThunkExtend, + SystemSessionProcessInformation, + SystemLoadGdiDriverInSystemSpace, + SystemNumaProcessorMap, + SystemPrefetcherInformation, + SystemExtendedProcessInformation, + SystemRecommendedSharedDataAlignment, + SystemComPlusPackage, + SystemNumaAvailableMemory, + SystemProcessorPowerInformation, + SystemEmulationBasicInformation, + SystemEmulationProcessorInformation, + SystemExtendedHandleInformation, + SystemLostDelayedWriteInformation, + SystemBigPoolInformation, + SystemSessionPoolTagInformation, + SystemSessionMappedViewInformation, + SystemHotpatchInformation, + SystemObjectSecurityMode, + SystemWatchdogTimerHandler, + SystemWatchdogTimerInformation, + SystemLogicalProcessorInformation, + SystemWow64SharedInformation, + SystemRegisterFirmwareTableInformationHandler, + SystemFirmwareTableInformation, + SystemModuleInformationEx, + SystemVerifierTriageInformation, + SystemSuperfetchInformation, + SystemMemoryListInformation, + SystemFileCacheInformationEx, + MaxSystemInfoClass // MaxSystemInfoClass should always be the last enum +} SYSTEM_INFORMATION_CLASS; + +typedef enum _OBJECT_INFORMATION_CLASS +{ + ObjectBasicInformation, + ObjectNameInformation, + ObjectTypeInformation, + ObjectTypesInformation, + ObjectHandleFlagInformation, + ObjectSessionInformation, + MaxObjectInfoClass // MaxObjectInfoClass should always be the last enum +} OBJECT_INFORMATION_CLASS; + +typedef enum _THREADINFOCLASS +{ + ThreadBasicInformation, + ThreadTimes, + ThreadPriority, + ThreadBasePriority, + ThreadAffinityMask, + ThreadImpersonationToken, + ThreadDescriptorTableEntry, + ThreadEnableAlignmentFaultFixup, + ThreadEventPair_Reusable, + ThreadQuerySetWin32StartAddress, + ThreadZeroTlsCell, + ThreadPerformanceCount, + ThreadAmILastThread, + ThreadIdealProcessor, + ThreadPriorityBoost, + ThreadSetTlsArrayAddress, + ThreadIsIoPending, + ThreadHideFromDebugger, + ThreadBreakOnTermination, + ThreadSwitchLegacyState, + ThreadIsTerminated, + MaxThreadInfoClass +} THREADINFOCLASS; + + +#ifdef __cplusplus +extern "C" { +#endif + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetInformationProcess( + __in HANDLE ProcessHandle, + __in PROCESSINFOCLASS ProcessInformationClass, + __in_bcount(ProcessInformationLength) PVOID ProcessInformation, + __in ULONG ProcessInformationLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryInformationProcess( + __in HANDLE ProcessHandle, + __in PROCESSINFOCLASS ProcessInformationClass, + __out_bcount(ProcessInformationLength) PVOID ProcessInformation, + __in ULONG ProcessInformationLength, + __out_opt PULONG ReturnLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryObject( + __in HANDLE Handle, + __in OBJECT_INFORMATION_CLASS ObjectInformationClass, + __out_bcount_opt(ObjectInformationLength) PVOID ObjectInformation, + __in ULONG ObjectInformationLength, + __out_opt PULONG ReturnLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetSystemInformation( + __in SYSTEM_INFORMATION_CLASS SystemInformationClass, + __in_bcount_opt(SystemInformationLength) PVOID SystemInformation, + __in ULONG SystemInformationLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQuerySystemInformation( + __in SYSTEM_INFORMATION_CLASS SystemInformationClass, + __out_bcount_opt(SystemInformationLength) PVOID SystemInformation, + __in ULONG SystemInformationLength, + __out_opt PULONG ReturnLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetInformationThread( + __in HANDLE ThreadHandle, + __in THREADINFOCLASS ThreadInformationClass, + __in_bcount(ThreadInformationLength) PVOID ThreadInformation, + __in ULONG ThreadInformationLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryInformationThread( + __in HANDLE ThreadHandle, + __in THREADINFOCLASS ThreadInformationClass, + __out_bcount(ThreadInformationLength) PVOID ThreadInformation, + __in ULONG ThreadInformationLength, + __out_opt PULONG ReturnLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtUnmapViewOfSection( + __in HANDLE ProcessHandle, + __in PVOID BaseAddress +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSuspendThread( + __in HANDLE ThreadHandle, + __out_opt PULONG PreviousSuspendCount +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtResumeThread( + __in HANDLE ThreadHandle, + __out_opt PULONG PreviousSuspendCount +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSuspendProcess( + __in HANDLE ProcessHandle +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtResumeProcess( + __in HANDLE ProcessHandle +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueueApcThread( + __in HANDLE ThreadHandle, + __in PPS_APC_ROUTINE ApcRoutine, + __in_opt PVOID ApcArgument1, + __in_opt PVOID ApcArgument2, + __in_opt PVOID ApcArgument3 +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +RtlGetCompressionWorkSpaceSize( + IN USHORT CompressionFormatAndEngine, + OUT PULONG CompressBufferWorkSpaceSize, + OUT PULONG CompressFragmentWorkSpaceSize +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +RtlCompressBuffer( + IN USHORT CompressionFormatAndEngine, + IN PUCHAR UncompressedBuffer, + IN ULONG UncompressedBufferSize, + OUT PUCHAR CompressedBuffer, + IN ULONG CompressedBufferSize, + IN ULONG UncompressedChunkSize, + OUT PULONG FinalCompressedSize, + IN PVOID WorkSpace +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +RtlDecompressBuffer( + IN USHORT CompressionFormat, + OUT PUCHAR UncompressedBuffer, + IN ULONG UncompressedBufferSize, + IN PUCHAR CompressedBuffer, + IN ULONG CompressedBufferSize, + OUT PULONG FinalUncompressedSize +); + +NTSYSCALLAPI +ULONG +NTAPI +RtlNtStatusToDosError( + NTSTATUS Status +); + +#ifdef __cplusplus +}; +#endif diff --git a/TitanEngineEmulator/ntdll_x64.lib b/TitanEngineEmulator/ntdll_x64.lib new file mode 100644 index 0000000000000000000000000000000000000000..45bce84e5fde17a2bd1d077a3880924a8cffd037 GIT binary patch literal 4366 zcmcgv&2AGh5T5?0Nt#B$p-=$H+n1O{uY*2 zwS|RrI=$-Vr}=Ps^)~N4ivqw!fbk=M$SFW{1|VVD6l(wwP4Czg{{%pkKs}<^iA`~o z6D1FAnm$H-q$wN|B{iE85uArKwMbMdZ9Li9%oj`R4+{_S8(YQAd`T~^=WD#%S zR}8P2+?Ey}ZR?Lq>ubd|(5-@DZ8Y|pX1#3HnvE^9SuxseT&GrVm4c+Y^|WJ{2R-Hm z$=Qm9gSKVV9kZQqULi;G3dANEm{+XszPN81<*F0Qu>~&lTBgiW4Rg=i+`h;a9vcFSl~JxAhZ>sH=qcj|_!=H|-P6mvL+w8EaH zD7l!-LmgwSRZ+CiSSLGdUah3Nd6mS(IvNK!#fYE5EHe`TjTperG{C1g@^O4ZW9%QI z@-gxcrvNnUM^LtieN0RkgGq?O1SDY!rePE!Fb;7@Kn#XpxQBEE^Flpn;a{&rI?sLF zY~&Y}ilfv66l1xpe})D`H)H#uD$%3{L_m0kt~0KjbmW(CUy$4zOy+@KHhE2RtmuqC z!FK0?o2!8OJ6cR}OTANrcc!>rE@&sRvXW0J2&&yw@#m{AU-DG@)6J!=WaQ0NeKP{9 zjhVv45M~T!3VricW4H5su3(P%kT<&VHE&y$V2r%)fM@40f^&|#lE6sWf_c{Ci9sK&`)JH`u5k$h=ECAc; zzThy!Y!t4ekq%A*sgvn)h<}NG_(!V)Eb|dH!=U5u;4b&5G_=nMS=3e>5i-moYtG*+EeZ2lY>ycF% z;U>yT$|~oVg{;Ubd>7gu>3tIe-jd#cecO*;XAyotwJIYX11WlCQ)*Vr$3f{A}6FoGnectc8{LE1Lb#qr)@5(vWE zw(M^kg~_PEbY9tigB1`j7Z7WVVY%M{T`1Y>vqowGQF0!U#vMrfT9?a*_g^L;Hm)Ml z1VeH^NyHPY3n_bj+Ll@JKd~!_81X?IfQ>y6Ck5hvi^`~tsQkf_Nf$l?dPHT+iRE!* W=#yLUKe@|za&d;_^RAR25d96rEGbj~ literal 0 HcmV?d00001 diff --git a/TitanEngineEmulator/ntdll_x86.lib b/TitanEngineEmulator/ntdll_x86.lib new file mode 100644 index 0000000000000000000000000000000000000000..0d3e918ed6d1d03a26a5f381ae2a074af7f076a2 GIT binary patch literal 4592 zcmcInTW=Fb6h5|Tjg6f+X&;b6TQ{PGN+`9Bor_e_4Wv>d%qF#+z8Yh%8&~)udo9FE z_yha`1QMeEfxhz20}te#f5BTt&zYT@cV{=YnyxgSnRCv}H|ILzZ+~iy+sC)kKjvq@ z;?13Mu~;Y+%d_+XpKkAn(fu?4dH<(($$4!F_okNpNUho2zjt_0Yc%(Mso$yXA2tqZO}nvItwOVD zA62VCHauZ`kK6e5$iCa$+imPZ({}5QyFcg-$NiSu8x9V~!?rV-SjA1;tJfdlh7l6B z``gqRKQ^o{71a7D8Mb@<@x*od+AdbHq?Y3W%>o?Vz|;=Uz|A6l%^JsJr`3s2T@wgu z&Y4k)Ya)F8!Gk}Ywrd3zX>{8?8uVME-+RuZgKizA(M#60GLM;yx=kk|XV4K2Evpql zj_uZ*$+YhngaZt@GuK8t3g1{U#J-9mV#?cA(V0D_&hDtqX+D$qSc_)uPC;cYrWBkc z0bZs6PBDkAWq|bzzzt-aWC32|{29(yaeT4@@CxbOCCp14pJM+J>6rHL8KfW$NytGK zmf-?igwG)ZOK=Hd5Rc#{DC?qg!q3%g5)2$p35#*u%V#`^KjYx3nDE|$-0h8Cr{%V;mIUid9K6N$ffEwgTTpnz*gZUi%?m-M8;D zuI~pc4_inZ0G1VeU?2pQ8yZOru-e1^2+z6p;yHZ!B)~|XJ~~(>`_0JL<8ZFvaM2 z2|+273=%-fR1}5iU(*l&Xm@}uKBF!UHvXR9!z3*goijp8gW}8K1RYjPIf{?OG z|Foy)REp0T`IQ~< zPh}SO8sf(AMPhhusJl(UE}U^P;e7gDLEN~8t1e6hCP(L>V?x6+Txy%jps=uxm7>|U z-=K~cB(Cpfm&z@UR}S%|_ugc_^gkE=3z{gI1`pC(Rz4KvWv{^GXkHJ7V1194OnO+M z?;44vTsbf5mf3&bA?igFs(LFa(8Z%B0yQO34Y68M3N9Wym5};F7k8SY`d@WQNjaL+ gvQd$GX$H*@Jd0aYTvWbDT}RzA9-8s_DYb%s0Uo4TSO5S3 literal 0 HcmV?d00001