added Importer::DeleteAPI export for deleting an API out of the parsed/read IAT, x64 still needs to be updated

2014-01-16 01:41:59 +01:00 · 2014-01-16 01:41:59 +01:00 · 095950b16d
parent d732ec290e
commit 095950b16d
8 changed files with 13 additions and 1 deletions
--- a/SDK/C/TitanEngine.h
+++ b/SDK/C/TitanEngine.h
@ -796,6 +796,7 @@ __declspec(dllexport) long TITCALL ImporterAutoFixIATEx(DWORD ProcessId, char* s
 __declspec(dllexport) long TITCALL ImporterAutoFixIATExW(DWORD ProcessId, wchar_t* szDumpedFile, wchar_t* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR ImageBase, ULONG_PTR SearchStart,  bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback);
 __declspec(dllexport) long TITCALL ImporterAutoFixIAT(DWORD ProcessId, char* szDumpedFile, ULONG_PTR SearchStart);
 __declspec(dllexport) long TITCALL ImporterAutoFixIATW(DWORD ProcessId, wchar_t* szDumpedFile, ULONG_PTR SearchStart);
+__declspec(dllexport) bool TITCALL ImporterDeleteAPI(DWORD_PTR apiAddr);
 // Global.Engine.Hook.functions:
 __declspec(dllexport) bool TITCALL HooksSafeTransitionEx(LPVOID HookAddressArray, int NumberOfHooks, bool TransitionStart);
 __declspec(dllexport) bool TITCALL HooksSafeTransition(LPVOID HookAddress, bool TransitionStart);
--- a/SDK/CPP/TitanEngine.h
+++ b/SDK/CPP/TitanEngine.h
@ -794,6 +794,7 @@ __declspec(dllimport) long TITCALL ImporterAutoFixIATEx(DWORD ProcessId, char* s
 __declspec(dllimport) long TITCALL ImporterAutoFixIATExW(DWORD ProcessId, wchar_t* szDumpedFile, char* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR ImageBase, ULONG_PTR SearchStart,  bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback);
 __declspec(dllimport) long TITCALL ImporterAutoFixIAT(DWORD ProcessId, char* szDumpedFile, ULONG_PTR SearchStart);
 __declspec(dllimport) long TITCALL ImporterAutoFixIATW(DWORD ProcessId, wchar_t* szDumpedFile, ULONG_PTR SearchStart);
+__declspec(dllimport) bool TITCALL ImporterDeleteAPI(DWORD_PTR apiAddr);
 // Global.Engine.Hook.functions:
 __declspec(dllimport) bool TITCALL HooksSafeTransitionEx(LPVOID HookAddressArray, int NumberOfHooks, bool TransitionStart);
 __declspec(dllimport) bool TITCALL HooksSafeTransition(LPVOID HookAddress, bool TransitionStart);
--- a/SDK/CPP/TitanEngine.hpp
+++ b/SDK/CPP/TitanEngine.hpp
@ -1809,6 +1809,10 @@ protected:
 	{
 		UE::ImporterEnumAddedData((void*)EnumCallBack);
 	}
+    static bool DeleteAPI(DWORD_PTR apiAddr)
+    {
+       return UE::ImporterDeleteAPI(apiAddr);
+    }
 };

 class ImporterA
@ -1937,6 +1941,7 @@ public:
 	using ImporterW::AutoSearchIAT;
 	using ImporterX::AutoSearchIATEx;
 	using ImporterX::EnumAddedData;
+    using ImporterX::DeleteAPI;
 	using ImporterA::AutoFixIATEx;
 	using ImporterW::AutoFixIATEx;
 	using ImporterA::AutoFixIAT;
--- a/TitanEngine/3rdparty-definitions.h
+++ b/TitanEngine/3rdparty-definitions.h
@ -13,6 +13,7 @@ extern "C" {
 int scylla_searchIAT(DWORD pid, DWORD_PTR &iatStart, DWORD &iatSize, DWORD_PTR searchStart, bool advancedSearch);
 int scylla_getImports(DWORD_PTR iatAddr, DWORD iatSize, DWORD pid, LPVOID invalidImportCallback = NULL);
 bool scylla_importsValid();
+bool scylla_cutImport(DWORD_PTR apiAddr);
 int scylla_fixDump(WCHAR* dumpFile, WCHAR* iatFixFile, WCHAR* sectionName = L".scy");
 int scylla_fixMappedDump(DWORD_PTR iatVA, DWORD_PTR FileMapVA, HANDLE hFileMap); 
 #ifdef __cplusplus
--- a/TitanEngine/TitanEngine.cpp
+++ b/TitanEngine/TitanEngine.cpp
@ -19595,7 +19595,6 @@ __declspec(dllexport) long TITCALL ImporterAutoFixIATExW(DWORD ProcessId, wchar_
    scylla_getImports(iatStart, iatSize, ProcessId, UnknownPointerFixCallback);

    if(!scylla_importsValid()) {
-        //TODO call UnknownPointerFixCallback for every bad import, scylla_wrapper needs to be enhanced tho
        return (0x405);
    }

@ -19628,6 +19627,10 @@ __declspec(dllexport) long TITCALL ImporterAutoFixIATW(DWORD ProcessId, wchar_t*
 {
    return(ImporterAutoFixIATExW(ProcessId, szDumpedFile, L".RL!TEv2", false, false, NULL, NULL, SearchStart, false, false, NULL));
 }
+__declspec(dllexport) bool TITCALL ImporterDeleteAPI(DWORD_PTR apiAddr)
+{
+    return scylla_cutImport(apiAddr);
+}
 // Internal.Engine.Hook.functions:
 bool ProcessHookScanAddNewHook(PHOOK_ENTRY HookDetails, void* ptrOriginalInstructions, PLIBRARY_ITEM_DATAW ModuleInformation, DWORD SizeOfImage)
 {
--- a/TitanEngine/definitions.h
+++ b/TitanEngine/definitions.h
@ -295,6 +295,7 @@ __declspec(dllexport) long TITCALL ImporterAutoFixIATEx(DWORD ProcessId, char* s
 __declspec(dllexport) long TITCALL ImporterAutoFixIATExW(DWORD ProcessId, wchar_t* szDumpedFile, wchar_t* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR ImageBase, ULONG_PTR SearchStart,  bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback);
 __declspec(dllexport) long TITCALL ImporterAutoFixIAT(DWORD ProcessId, char* szDumpedFile, ULONG_PTR SearchStart);
 __declspec(dllexport) long TITCALL ImporterAutoFixIATW(DWORD ProcessId, wchar_t* szDumpedFile, ULONG_PTR SearchStart);
+__declspec(dllexport) bool TITCALL ImporterDeleteAPI(DWORD_PTR apiAddr);
 // Global.Engine.Hook.functions:
 __declspec(dllexport) bool TITCALL HooksSafeTransitionEx(LPVOID HookAddressArray, int NumberOfHooks, bool TransitionStart);
 __declspec(dllexport) bool TITCALL HooksSafeTransition(LPVOID HookAddress, bool TransitionStart);
--- a/TitanEngine/scylla_wrapper_x86.lib
+++ b/TitanEngine/scylla_wrapper_x86.lib
--- a/TitanEngine/scylla_wrapperd_x86.lib
+++ b/TitanEngine/scylla_wrapperd_x86.lib