- added function ImporterGetDLLNameFromDebugeeW

- fixed function ImporterGetDLLNameFromDebugee
- added function EngineGetModuleBaseRemote
- added function EngineGetAPIAddressRemote
- added function EngineGetAPIAddressLocal
- fixed a potential bug in SetAPIBreakPoint & DeleteAPIBreakPoint
- fixed ImpoerterGetDLLName (this function is used on the local process)
- fixed function ImporterGetDLLNameW & ImporterGetDLLName
- moved fixed functions up

SDK/C/TitanEngine.h

@@ -751,6 +751,7 @@ __declspec(dllexport) long long TITCALL ImporterGetRemoteAPIAddress(HANDLE hProc
 __declspec(dllexport) long long TITCALL ImporterGetRemoteAPIAddressEx(char* szDLLName, char* szAPIName);
 __declspec(dllexport) long long TITCALL ImporterGetLocalAPIAddress(HANDLE hProcess, ULONG_PTR APIAddress);
 __declspec(dllexport) void* TITCALL ImporterGetDLLNameFromDebugee(HANDLE hProcess, ULONG_PTR APIAddress);
+__declspec(dllexport) void* TITCALL ImporterGetDLLNameFromDebugeeW(HANDLE hProcess, ULONG_PTR APIAddress);
 __declspec(dllexport) void* TITCALL ImporterGetAPINameFromDebugee(HANDLE hProcess, ULONG_PTR APIAddress);
 __declspec(dllexport) long long TITCALL ImporterGetAPIOrdinalNumberFromDebugee(HANDLE hProcess, ULONG_PTR APIAddress);
 __declspec(dllexport) long TITCALL ImporterGetDLLIndexEx(ULONG_PTR APIAddress, ULONG_PTR DLLBasesList);

SDK/CPP/TitanEngine.h

@@ -750,6 +750,7 @@ __declspec(dllimport) long long TITCALL ImporterGetRemoteAPIAddress(HANDLE hProc
 __declspec(dllimport) long long TITCALL ImporterGetRemoteAPIAddressEx(char* szDLLName, char* szAPIName);
 __declspec(dllimport) long long TITCALL ImporterGetLocalAPIAddress(HANDLE hProcess, ULONG_PTR APIAddress);
 __declspec(dllimport) void* TITCALL ImporterGetDLLNameFromDebugee(HANDLE hProcess, ULONG_PTR APIAddress);
+__declspec(dllexport) void* TITCALL ImporterGetDLLNameFromDebugeeW(HANDLE hProcess, ULONG_PTR APIAddress);
 __declspec(dllimport) void* TITCALL ImporterGetAPINameFromDebugee(HANDLE hProcess, ULONG_PTR APIAddress);
 __declspec(dllimport) long long TITCALL ImporterGetAPIOrdinalNumberFromDebugee(HANDLE hProcess, ULONG_PTR APIAddress);
 __declspec(dllimport) long TITCALL ImporterGetDLLIndexEx(ULONG_PTR APIAddress, ULONG_PTR DLLBasesList);

SDK/CPP/TitanEngine.hpp

@@ -1721,6 +1721,10 @@ protected:
     {
         return (const char*)UE::ImporterGetDLLNameFromDebugee(hProcess, APIAddress);
     }
+    static const wchar_t* GetDLLNameFromDebugeeW(HANDLE hProcess, ULONG_PTR APIAddress)
+    {
+        return (const wchar_t*)UE::ImporterGetDLLNameFromDebugeeW(hProcess, APIAddress);
+    }
     static const char* GetAPINameFromDebugee(HANDLE hProcess, ULONG_PTR APIAddress)
     {
         return (const char*)UE::ImporterGetAPINameFromDebugee(hProcess, APIAddress);
@@ -1888,6 +1892,7 @@ public:
     using ImporterX::GetRemoteAPIAddressEx;
     using ImporterX::GetLocalAPIAddress;
     using ImporterX::GetDLLNameFromDebugee;
+    using ImporterX::GetDLLNameFromDebugeeW;
     using ImporterX::GetAPINameFromDebugee;
     using ImporterX::GetAPIOrdinalNumberFromDebugee;
     using ImporterX::GetDLLIndexEx;

TitanEngine/Global.Engine.Importer.cpp

@@ -4,7 +4,7 @@
 #include "Global.Debugger.h"
 #include <psapi.h>
 
-ULONG_PTR EngineGetProcAddressRemote(HANDLE hProcess, const WCHAR * szDLLName, const char* szAPIName)
+ULONG_PTR EngineGetProcAddressRemote(HANDLE hProcess, const wchar_t* szDLLName, const char* szAPIName)
 {
     if(!hProcess) //no process specified
     {
@@ -52,12 +52,7 @@ ULONG_PTR EngineGetProcAddressRemote(HANDLE hProcess, const WCHAR * szDLLName, c
     return 0;
 }
 
-ULONG_PTR EngineGetProcAddressRemote(const WCHAR * szDLLName, const char* szAPIName)
+ULONG_PTR EngineGetProcAddressRemote(HANDLE hProcess, const char* szDLLName, const char* szAPIName)
-{
-    return EngineGetProcAddressRemote(0, szDLLName, szAPIName);
-}
-
-ULONG_PTR EngineGetProcAddressRemote(HANDLE hProcess, const char * szDLLName, const char* szAPIName)
 {
     WCHAR uniDLLName[MAX_PATH] = {0};
     if (MultiByteToWideChar(CP_ACP, NULL, szDLLName, -1, uniDLLName, _countof(uniDLLName)))
@@ -70,11 +65,6 @@ ULONG_PTR EngineGetProcAddressRemote(HANDLE hProcess, const char * szDLLName, co
     }
 }
 
-ULONG_PTR EngineGetProcAddressRemote(const char * szDLLName, const char* szAPIName)
-{
-    return EngineGetProcAddressRemote(0, szDLLName, szAPIName);
-}
-
 ULONG_PTR EngineGetModuleBaseRemote(HANDLE hProcess, ULONG_PTR APIAddress)
 {
     if(!hProcess) //no process specified
@@ -107,3 +97,101 @@ ULONG_PTR EngineGetModuleBaseRemote(HANDLE hProcess, ULONG_PTR APIAddress)
     }
     return 0;
 }
+
+ULONG_PTR EngineGetModuleBaseRemote(HANDLE hProcess, const wchar_t* szDLLName)
+{
+    if(!hProcess) //no process specified
+    {
+        if(!dbgProcessInformation.hProcess)
+            hProcess = GetCurrentProcess();
+        else
+            hProcess = dbgProcessInformation.hProcess;
+    }
+    DWORD cbNeeded=0;
+    if(EnumProcessModules(hProcess, 0, 0, &cbNeeded))
+    {
+        HMODULE* hMods=(HMODULE*)malloc(cbNeeded*sizeof(HMODULE));
+        if(EnumProcessModules(hProcess, hMods, cbNeeded, &cbNeeded))
+        {
+            for(unsigned int i=0; i<cbNeeded/sizeof(HMODULE); i++)
+            {
+                wchar_t szModuleName[MAX_PATH]=L"";
+                if(GetModuleFileNameExW(hProcess, hMods[i], szModuleName, _countof(szModuleName)))
+                {
+                    wchar_t* dllName=wcsrchr(szModuleName, L'\\');
+                    if(dllName)
+                    {
+                        dllName++;
+                        if(!_wcsicmp(dllName, szDLLName))
+                        {
+                            return (ULONG_PTR)hMods[i];
+                        }
+                    }
+                }
+            }
+        }
+        free(hMods);
+    }
+    return 0;
+}
+
+ULONG_PTR EngineGetModuleBaseRemote(HANDLE hProcess, const char* szDLLName)
+{
+    WCHAR uniDLLName[MAX_PATH] = {0};
+    if (MultiByteToWideChar(CP_ACP, NULL, szDLLName, -1, uniDLLName, _countof(uniDLLName)))
+    {
+        return EngineGetModuleBaseRemote(hProcess, szDLLName);
+    }
+    else
+    {
+        return 0;
+    }
+}
+
+ULONG_PTR EngineGetAPIAddressRemote(HANDLE hProcess, ULONG_PTR APIAddress)
+{
+    HMODULE localModuleBase=(HMODULE)EngineGetModuleBaseRemote(GetCurrentProcess(), APIAddress);
+    if(localModuleBase)
+    {
+        wchar_t szModuleName[MAX_PATH]=L"";
+        if(GetModuleFileNameExW(hProcess, localModuleBase, szModuleName, _countof(szModuleName)))
+        {
+            wchar_t* dllName=wcsrchr(szModuleName, L'\\');
+            if(dllName)
+            {
+                dllName++;
+                ULONG_PTR remoteModuleBase=EngineGetModuleBaseRemote(hProcess, dllName);
+                if(remoteModuleBase)
+                {
+                    APIAddress-=(ULONG_PTR)localModuleBase; //rva
+                    return APIAddress+remoteModuleBase;
+                }
+            }
+        }
+    }
+    return 0;
+}
+
+ULONG_PTR EngineGetAPIAddressLocal(HANDLE hProcess, ULONG_PTR APIAddress)
+{
+    HMODULE remoteModuleBase=(HMODULE)EngineGetModuleBaseRemote(hProcess, APIAddress);
+    if(remoteModuleBase)
+    {
+        wchar_t szModuleName[MAX_PATH]=L"";
+        if(GetModuleFileNameExW(hProcess, remoteModuleBase, szModuleName, _countof(szModuleName)))
+        {
+            wchar_t* dllName=wcsrchr(szModuleName, L'\\');
+            if(dllName)
+            {
+                dllName++;
+                ULONG_PTR localModuleBase=EngineGetModuleBaseRemote(GetCurrentProcess(), dllName);
+                if(localModuleBase)
+                {
+                    APIAddress-=(ULONG_PTR)remoteModuleBase; //rva
+                    return APIAddress+localModuleBase;
+                }
+            }
+        }
+    }
+    return 0;
+}

TitanEngine/Global.Engine.Importer.h

@@ -2,10 +2,12 @@
 #define _GLOBAL_ENGINE_IMPORTER_H
 
 //EngineGetProcAddressRemote
-ULONG_PTR EngineGetProcAddressRemote(const char * szDLLName, const char* szAPIName);
+ULONG_PTR EngineGetProcAddressRemote(HANDLE hProcess, const wchar_t* szDLLName, const char* szAPIName);
-ULONG_PTR EngineGetProcAddressRemote(HANDLE hProcess, const char * szDLLName, const char* szAPIName);
+ULONG_PTR EngineGetProcAddressRemote(HANDLE hProcess, const char* szDLLName, const char* szAPIName);
-ULONG_PTR EngineGetProcAddressRemote(const WCHAR * szDLLName, const char* szAPIName);
-ULONG_PTR EngineGetProcAddressRemote(HANDLE hProcess, const WCHAR * szDLLName, const char* szAPIName);
 ULONG_PTR EngineGetModuleBaseRemote(HANDLE hProcess, ULONG_PTR APIAddress);
+ULONG_PTR EngineGetModuleBaseRemote(HANDLE hProcess, const wchar_t* szDLLName);
+ULONG_PTR EngineGetModuleBaseRemote(HANDLE hProcess, const char* szDLLName);
+ULONG_PTR EngineGetAPIAddressRemote(HANDLE hProcess, ULONG_PTR APIAddress);
+ULONG_PTR EngineGetAPIAddressLocal(HANDLE hProcess, ULONG_PTR APIAddress);
 
 #endif //_GLOBAL_ENGINE_IMPORTER_H

TitanEngine/TitanEngine.Breakpoints.cpp

@@ -306,7 +306,7 @@ __declspec(dllexport) bool TITCALL SetAPIBreakPoint(const char* szDLLName, const
     ULONG_PTR APIAddress = NULL;
     if(szDLLName && szAPIName)
     {
-        APIAddress = EngineGetProcAddressRemote(szDLLName, szAPIName); //get remote proc address
+        APIAddress = EngineGetProcAddressRemote(0, szDLLName, szAPIName); //get remote proc address
         if(APIAddress)
         {
             if(bpxPlace == UE_APIEND)
@@ -314,9 +314,9 @@ __declspec(dllexport) bool TITCALL SetAPIBreakPoint(const char* szDLLName, const
                 int i = 0;
                 int len = 0;
                 unsigned char CmdBuffer[MAXIMUM_INSTRUCTION_SIZE];
-                if(!_strnicmp(szDLLName, "kernel32", 8))
+                if(!_stricmp(szDLLName, "kernel32.dll"))
                 {
-                    ULONG_PTR APIAddress_ = EngineGetProcAddressRemote("kernelbase.dll", szAPIName);
+                    ULONG_PTR APIAddress_ = EngineGetProcAddressRemote(0, "kernelbase.dll", szAPIName);
                     if(APIAddress_)
                     {
                         bool KernelBase = true;
@@ -364,7 +364,7 @@ __declspec(dllexport) bool TITCALL DeleteAPIBreakPoint(const char* szDLLName, co
     ULONG_PTR APIAddress = NULL;
     if(szDLLName && szAPIName)
     {
-        APIAddress = EngineGetProcAddressRemote(szDLLName, szAPIName); //get remote proc address
+        APIAddress = EngineGetProcAddressRemote(0, szDLLName, szAPIName); //get remote proc address
         if(APIAddress)
         {
             if(bpxPlace == UE_APIEND)
@@ -372,9 +372,9 @@ __declspec(dllexport) bool TITCALL DeleteAPIBreakPoint(const char* szDLLName, co
                 int i = 0;
                 int len = 0;
                 unsigned char CmdBuffer[MAXIMUM_INSTRUCTION_SIZE];
-                if(!_strnicmp(szDLLName, "kernel32", 8))
+                if(!_stricmp(szDLLName, "kernel32.dll"))
                 {
-                    ULONG_PTR APIAddress_ = EngineGetProcAddressRemote("kernelbase.dll", szAPIName);
+                    ULONG_PTR APIAddress_ = EngineGetProcAddressRemote(0, "kernelbase.dll", szAPIName);
                     if(APIAddress_)
                     {
                         bool KernelBase = true;

TitanEngine/TitanEngine.Importer.cpp

@@ -94,11 +94,31 @@ __declspec(dllexport) long long TITCALL ImporterFindDLLByWriteLocation(ULONG_PTR
 
 __declspec(dllexport) void* TITCALL ImporterGetDLLName(ULONG_PTR APIAddress)
 {
-    HANDLE hProcess;
+    return ImporterGetDLLNameFromDebugee(GetCurrentProcess(), APIAddress);
-    if(!dbgProcessInformation.hProcess)
+}
-        hProcess = GetCurrentProcess();
+
-    else
+__declspec(dllexport) void* TITCALL ImporterGetDLLNameW(ULONG_PTR APIAddress)
-        hProcess = dbgProcessInformation.hProcess;
+{
+    return ImporterGetDLLNameFromDebugeeW(GetCurrentProcess(), APIAddress);
+}
+
+__declspec(dllexport) long long TITCALL ImporterGetRemoteAPIAddress(HANDLE hProcess, ULONG_PTR APIAddress)
+{
+    return EngineGetAPIAddressRemote(hProcess, APIAddress);
+}
+
+__declspec(dllexport) long long TITCALL ImporterGetRemoteAPIAddressEx(char* szDLLName, char* szAPIName)
+{
+    return EngineGetProcAddressRemote(0, szDLLName, szAPIName);
+}
+
+__declspec(dllexport) long long TITCALL ImporterGetLocalAPIAddress(HANDLE hProcess, ULONG_PTR APIAddress)
+{
+    return EngineGetAPIAddressLocal(hProcess, APIAddress);
+}
+
+__declspec(dllexport) void* TITCALL ImporterGetDLLNameFromDebugee(HANDLE hProcess, ULONG_PTR APIAddress)
+{
     ULONG_PTR moduleBase=EngineGetModuleBaseRemote(hProcess, APIAddress);
     if(moduleBase)
     {
@@ -109,13 +129,8 @@ __declspec(dllexport) void* TITCALL ImporterGetDLLName(ULONG_PTR APIAddress)
     return 0;
 }
 
-__declspec(dllexport) void* TITCALL ImporterGetDLLNameW(ULONG_PTR APIAddress)
+__declspec(dllexport) void* TITCALL ImporterGetDLLNameFromDebugeeW(HANDLE hProcess, ULONG_PTR APIAddress)
 {
-    HANDLE hProcess;
-    if(!dbgProcessInformation.hProcess)
-        hProcess = GetCurrentProcess();
-    else
-        hProcess = dbgProcessInformation.hProcess;
     ULONG_PTR moduleBase=EngineGetModuleBaseRemote(hProcess, APIAddress);
     if(moduleBase)
     {
@@ -126,6 +141,17 @@ __declspec(dllexport) void* TITCALL ImporterGetDLLNameW(ULONG_PTR APIAddress)
     return 0;
 }
 
+__declspec(dllexport) void* TITCALL ImporterGetRemoteDLLBaseExW(HANDLE hProcess, WCHAR * szModuleName)
+{
+    return (void*)EngineGetModuleBaseRemote(hProcess, szModuleName);
+}
+
+__declspec(dllexport) long long TITCALL ImporterGetRemoteDLLBaseEx(HANDLE hProcess, char* szModuleName)
+{
+    return EngineGetModuleBaseRemote(hProcess, szModuleName);
+}
+
+
 __declspec(dllexport) void* TITCALL ImporterGetAPIName(ULONG_PTR APIAddress)
 {
     return((LPVOID)EngineGlobalAPIHandler(NULL, NULL, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_APINAME));
@@ -138,30 +164,6 @@ __declspec(dllexport) void* TITCALL ImporterGetAPINameEx(ULONG_PTR APIAddress, U
 {
     return((LPVOID)EngineGlobalAPIHandler(NULL, DLLBasesList, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_APINAME));
 }
-__declspec(dllexport) long long TITCALL ImporterGetRemoteAPIAddress(HANDLE hProcess, ULONG_PTR APIAddress)
-{
-    return((ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, APIAddress, NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS));
-}
-__declspec(dllexport) long long TITCALL ImporterGetRemoteAPIAddressEx(char* szDLLName, char* szAPIName)
-{
-    WCHAR uniDLLName[MAX_PATH] = {0};
-    if (MultiByteToWideChar(CP_ACP, NULL, szDLLName, -1, uniDLLName, _countof(uniDLLName)))
-    {
-        return EngineGetProcAddressRemote(uniDLLName, szAPIName);
-    }
-    else
-    {
-        return 0;
-    }
-}
-__declspec(dllexport) long long TITCALL ImporterGetLocalAPIAddress(HANDLE hProcess, ULONG_PTR APIAddress)
-{
-    return((ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, APIAddress, NULL, UE_OPTION_IMPORTER_REALIGN_LOCAL_APIADDRESS));
-}
-__declspec(dllexport) void* TITCALL ImporterGetDLLNameFromDebugee(HANDLE hProcess, ULONG_PTR APIAddress)
-{
-    return((LPVOID)EngineGlobalAPIHandler(hProcess, NULL, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_DLLNAME));
-}
 __declspec(dllexport) void* TITCALL ImporterGetAPINameFromDebugee(HANDLE hProcess, ULONG_PTR APIAddress)
 {
     return((LPVOID)EngineGlobalAPIHandler(hProcess, NULL, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_APINAME));
@@ -182,40 +184,6 @@ __declspec(dllexport) long long TITCALL ImporterGetRemoteDLLBase(HANDLE hProcess
 {
     return((ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)LocalModuleBase, NULL, UE_OPTION_IMPORTER_RETURN_DLLBASE));
 }
-__declspec(dllexport) void* TITCALL ImporterGetRemoteDLLBaseExW(HANDLE hProcess, WCHAR * szModuleName)
-{
-    DWORD cbNeeded = NULL;
-    HMODULE EnumeratedModules[1024] = {0};
-    WCHAR RemoteDLLName[MAX_PATH] = {0};
-
-    if(EnumProcessModules(hProcess, EnumeratedModules, sizeof(EnumeratedModules), &cbNeeded))
-    {
-        for(int i = 0; i < (int)(cbNeeded / sizeof(HMODULE)); i++)
-        {
-            RemoteDLLName[0] = 0;
-            if(GetModuleBaseNameW(hProcess, EnumeratedModules[i], RemoteDLLName, _countof(RemoteDLLName)) > NULL)
-            {
-                if(_wcsicmp(RemoteDLLName, szModuleName) == 0)
-                {
-                    return (void*)EnumeratedModules[i];
-                }
-            }
-        }
-    }
-    return 0;
-}
-__declspec(dllexport) long long TITCALL ImporterGetRemoteDLLBaseEx(HANDLE hProcess, char* szModuleName)
-{
-    WCHAR uniModuleName[MAX_PATH] = {0};
-    if (MultiByteToWideChar(CP_ACP, NULL, szModuleName, -1, uniModuleName, _countof(uniModuleName)))
-    {
-        return (long long)ImporterGetRemoteDLLBaseExW(hProcess, uniModuleName);
-    }
-    else
-    {
-        return 0;
-    }
-}
 
 __declspec(dllexport) bool TITCALL ImporterIsForwardedAPI(HANDLE hProcess, ULONG_PTR APIAddress)
 {

TitanEngine/definitions.h

@@ -257,6 +257,7 @@ __declspec(dllexport) long long TITCALL ImporterGetRemoteAPIAddress(HANDLE hProc
 __declspec(dllexport) long long TITCALL ImporterGetRemoteAPIAddressEx(char* szDLLName, char* szAPIName);
 __declspec(dllexport) long long TITCALL ImporterGetLocalAPIAddress(HANDLE hProcess, ULONG_PTR APIAddress);
 __declspec(dllexport) void* TITCALL ImporterGetDLLNameFromDebugee(HANDLE hProcess, ULONG_PTR APIAddress);
+__declspec(dllexport) void* TITCALL ImporterGetDLLNameFromDebugeeW(HANDLE hProcess, ULONG_PTR APIAddress);
 __declspec(dllexport) void* TITCALL ImporterGetAPINameFromDebugee(HANDLE hProcess, ULONG_PTR APIAddress);
 __declspec(dllexport) long long TITCALL ImporterGetAPIOrdinalNumberFromDebugee(HANDLE hProcess, ULONG_PTR APIAddress);
 __declspec(dllexport) long TITCALL ImporterGetDLLIndexEx(ULONG_PTR APIAddress, ULONG_PTR DLLBasesList);