diff --git a/SDK/C/TitanEngine.h b/SDK/C/TitanEngine.h
index 64e7263..769c484 100644
--- a/SDK/C/TitanEngine.h
+++ b/SDK/C/TitanEngine.h
@@ -13,20 +13,6 @@
 
 // Global.Constant.Structure.Declaration:
 // Engine.External:
-#define UE_STRUCT_PE32STRUCT 1
-#define UE_STRUCT_PE64STRUCT 2
-#define UE_STRUCT_PESTRUCT 3
-#define UE_STRUCT_IMPORTENUMDATA 4
-#define UE_STRUCT_THREAD_ITEM_DATA 5
-#define UE_STRUCT_LIBRARY_ITEM_DATA 6
-#define UE_STRUCT_LIBRARY_ITEM_DATAW 7
-#define UE_STRUCT_PROCESS_ITEM_DATA 8
-#define UE_STRUCT_HANDLERARRAY 9
-#define UE_STRUCT_PLUGININFORMATION 10
-#define UE_STRUCT_HOOK_ENTRY 11
-#define UE_STRUCT_FILE_STATUS_INFO 12
-#define UE_STRUCT_FILE_FIX_INFO 13
-
 #define UE_ACCESS_READ 0
 #define UE_ACCESS_WRITE 1
 #define UE_ACCESS_ALL 2
@@ -335,6 +321,13 @@ typedef struct
 DWORD dwThreadId;
 void* ThreadStartAddress;
 void* ThreadLocalBase;
+ void* TebAddress;
+ ULONG WaitTime;
+ LONG Priority;
+ LONG BasePriority;
+ ULONG ContextSwitches;
+ ULONG ThreadState;
+ ULONG WaitReason;
 } THREAD_ITEM_DATA, *PTHREAD_ITEM_DATA;
 
 typedef struct
@@ -934,7 +927,6 @@ __declspec(dllexport) bool TITCALL EngineFakeMissingDependencies(HANDLE hProcess
 __declspec(dllexport) bool TITCALL EngineDeleteCreatedDependencies();
 __declspec(dllexport) bool TITCALL EngineCreateUnpackerWindow(char* WindowUnpackerTitle, char* WindowUnpackerLongTitle, char* WindowUnpackerName, char* WindowUnpackerAuthor, void* StartUnpackingCallBack);
 __declspec(dllexport) void TITCALL EngineAddUnpackerWindowLogMessage(char* szLogMessage);
-__declspec(dllexport) bool TITCALL EngineCheckStructAlignment(DWORD StructureType, ULONG_PTR StructureSize);
 // Global.Engine.Extension.Functions:
 __declspec(dllexport) bool TITCALL ExtensionManagerIsPluginLoaded(char* szPluginName);
 __declspec(dllexport) bool TITCALL ExtensionManagerIsPluginEnabled(char* szPluginName);
diff --git a/SDK/CPP/TitanEngine.h b/SDK/CPP/TitanEngine.h
index ca4834d..3e18c29 100644
--- a/SDK/CPP/TitanEngine.h
+++ b/SDK/CPP/TitanEngine.h
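Review bot: The second hunk appends seven fields to THREAD_ITEM_DATA (the same change is made in SDK/CPP/TitanEngine.h and TitanEngine/stdafx.h further down), which changes the size and layout of a struct handed to SDK plugins, while the first and third hunks delete the UE_STRUCT_* ids and EngineCheckStructAlignment, the only facility a plugin had for detecting exactly this kind of mismatch. A plugin built against the previous header now sizes THREAD_ITEM_DATA too small and reads past its copy of every entry it receives, so the header should at least carry a note above the struct, e.g. `// Layout extended (TebAddress..WaitReason appended); plugins must be rebuilt against this SDK`, and dropping EngineCheckStructAlignment from the public SDK is an API break that deserves a changelog entry (whether the DLL still exports it is not visible here). The new ThreadState and WaitReason members are plain ULONG; a comment stating that they hold KTHREAD_STATE and KWAIT_REASON values as returned by NtQuerySystemInformation would spare SDK users a guess. The typedef struct itself opens before the hunk.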
@@ -13,20 +13,6 @@
 
 // Global.Constant.Structure.Declaration:
 // Engine.External:
-const BYTE UE_STRUCT_PE32STRUCT = 1;
-const BYTE UE_STRUCT_PE64STRUCT = 2;
-const BYTE UE_STRUCT_PESTRUCT = 3;
-const BYTE UE_STRUCT_IMPORTENUMDATA = 4;
-const BYTE UE_STRUCT_THREAD_ITEM_DATA = 5;
-const BYTE UE_STRUCT_LIBRARY_ITEM_DATA = 6;
-const BYTE UE_STRUCT_LIBRARY_ITEM_DATAW = 7;
-const BYTE UE_STRUCT_PROCESS_ITEM_DATA = 8;
-const BYTE UE_STRUCT_HANDLERARRAY = 9;
-const BYTE UE_STRUCT_PLUGININFORMATION = 10;
-const BYTE UE_STRUCT_HOOK_ENTRY = 11;
-const BYTE UE_STRUCT_FILE_STATUS_INFO = 12;
-const BYTE UE_STRUCT_FILE_FIX_INFO = 13;
-
 const BYTE UE_ACCESS_READ = 0;
 const BYTE UE_ACCESS_WRITE = 1;
 const BYTE UE_ACCESS_ALL = 2;
@@ -335,6 +321,13 @@ typedef struct
 DWORD dwThreadId;
 void* ThreadStartAddress;
 void* ThreadLocalBase;
+ void* TebAddress;
+ ULONG WaitTime;
+ LONG Priority;
+ LONG BasePriority;
+ ULONG ContextSwitches;
+ ULONG ThreadState;
+ ULONG WaitReason;
 } THREAD_ITEM_DATA, *PTHREAD_ITEM_DATA;
 
 typedef struct
@@ -928,7 +921,6 @@ __declspec(dllimport) bool TITCALL EngineFakeMissingDependencies(HANDLE hProcess
 __declspec(dllimport) bool TITCALL EngineDeleteCreatedDependencies();
 __declspec(dllimport) bool TITCALL EngineCreateUnpackerWindow(char* WindowUnpackerTitle, char* WindowUnpackerLongTitle, char* WindowUnpackerName, char* WindowUnpackerAuthor, void* StartUnpackingCallBack);
 __declspec(dllimport) void TITCALL EngineAddUnpackerWindowLogMessage(char* szLogMessage);
-__declspec(dllexport) bool TITCALL EngineCheckStructAlignment(DWORD StructureType, ULONG_PTR StructureSize);
 // Global.Engine.Extension.Functions:
 __declspec(dllimport) bool TITCALL ExtensionManagerIsPluginLoaded(char* szPluginName);
 __declspec(dllimport) bool TITCALL ExtensionManagerIsPluginEnabled(char* szPluginName);
diff --git a/SDK/CPP/TitanEngine.hpp b/SDK/CPP/TitanEngine.hpp
index 48148b6..a8f8ecf 100644
--- a/SDK/CPP/TitanEngine.hpp
+++ b/SDK/CPP/TitanEngine.hpp
@@ -23,23 +23,6 @@ namespace UE
 // ----
-enum eStructType : DWORD
-{
- UE_STRUCT_PE32STRUCT = UE::UE_STRUCT_PE32STRUCT,
- UE_STRUCT_PE64STRUCT = UE::UE_STRUCT_PE64STRUCT,
- UE_STRUCT_PESTRUCT = UE::UE_STRUCT_PESTRUCT,
- UE_STRUCT_IMPORTENUMDATA = UE::UE_STRUCT_IMPORTENUMDATA,
- UE_STRUCT_THREAD_ITEM_DATA = UE::UE_STRUCT_THREAD_ITEM_DATA,
- UE_STRUCT_LIBRARY_ITEM_DATA = UE::UE_STRUCT_LIBRARY_ITEM_DATA,
- UE_STRUCT_LIBRARY_ITEM_DATAW = UE::UE_STRUCT_LIBRARY_ITEM_DATAW,
- UE_STRUCT_PROCESS_ITEM_DATA = UE::UE_STRUCT_PROCESS_ITEM_DATA,
- UE_STRUCT_HANDLERARRAY = UE::UE_STRUCT_HANDLERARRAY,
- UE_STRUCT_PLUGININFORMATION = UE::UE_STRUCT_PLUGININFORMATION,
- UE_STRUCT_HOOK_ENTRY = UE::UE_STRUCT_HOOK_ENTRY,
- UE_STRUCT_FILE_STATUS_INFO = UE::UE_STRUCT_FILE_STATUS_INFO,
- UE_STRUCT_FILE_FIX_INFO = UE::UE_STRUCT_FILE_FIX_INFO
-};
-
 enum eHideLevel : DWORD
 {
 UE_HIDE_PEBONLY = UE::UE_HIDE_PEBONLY,
@@ -726,8 +709,6 @@ public:
 using DumperX::ConvertVAtoFileOffsetEx;
 using DumperX::ConvertFileOffsetToVA;
 using DumperX::ConvertFileOffsetToVAEx;
- using DumperX::MemoryReadSafe;
- using DumperX::MemoryWriteSafe;
 };
 
 class RealignerA;
@@ -2759,10 +2740,6 @@ protected:
 {
 return UE::EngineAddUnpackerWindowLogMessage(szLogMessage);
 }
- static bool EngineCheckStructAlignment(DWORD StructureType, ULONG_PTR StructureSize)
- {
- return UE::EngineCheckStructAlignment(StructureType, StructureSize);
- }
 };
 
 class EngineA
@@ -2796,7 +2773,6 @@ public:
 using EngineX::DeleteCreatedDependencies;
 using EngineX::CreateUnpackerWindow;
 using EngineX::AddUnpackerWindowLogMessage;
- using EngineX::EngineCheckStructAlignment;
 };
 
 class ExtensionManager
diff --git a/TitanEngine/TitanEngine.Threader.cpp b/TitanEngine/TitanEngine.Threader.cpp
index e829157..ea1655f 100644
--- a/TitanEngine/TitanEngine.Threader.cpp
+++ b/TitanEngine/TitanEngine.Threader.cpp
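Review bot: The `@@ -726,8` hunk drops `using DumperX::MemoryReadSafe;` and `using DumperX::MemoryWriteSafe;` from the DumperA wrapper, which has nothing to do with the eStructType/EngineCheckStructAlignment removal the other three hunks perform and has no matching change to DumperX anywhere in this diff. If DumperX still declares those functions, any caller spelled DumperA::MemoryReadSafe stops compiling with no explanation; if they were removed elsewhere the commit message should say so, and either way the two removals belong in their own commit. The eStructType deletion and the EngineX/EngineA changes are consistent with the UE::UE_STRUCT_* constants and EngineCheckStructAlignment leaving SDK/CPP/TitanEngine.h. The DumperA, EngineX and EngineA class bodies open outside the hunks.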
@@ -10,31 +10,81 @@ __declspec(dllexport) bool TITCALL ThreaderImportRunningThreadData(DWORD Process { if(dbgProcessInformation.hProcess != NULL || ProcessId == NULL) return false; + std::vector().swap(hListThread); //clear thread list - THREADENTRY32 ThreadEntry = {}; - ThreadEntry.dwSize = sizeof THREADENTRY32; - HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, ProcessId); - if(hSnapShot != INVALID_HANDLE_VALUE) + + THREAD_ITEM_DATA NewThreadData; + ULONG retLength = 0; + ULONG bufferLength = 1; + PSYSTEM_PROCESS_INFORMATION pBuffer = (PSYSTEM_PROCESS_INFORMATION)malloc(bufferLength); + PSYSTEM_PROCESS_INFORMATION pIter; + PSYSTEM_THREAD_INFORMATION pIterThread; + + if (NtQuerySystemInformation(SystemProcessInformation, pBuffer, bufferLength, &retLength) == STATUS_INFO_LENGTH_MISMATCH) { - if(Thread32First(hSnapShot, &ThreadEntry)) + free(pBuffer); + bufferLength = retLength + sizeof(SYSTEM_PROCESS_INFORMATION); + pBuffer = (PSYSTEM_PROCESS_INFORMATION)malloc(bufferLength); + if (!pBuffer) + return false; + + if (NtQuerySystemInformation(SystemProcessInformation, pBuffer, bufferLength, &retLength) != STATUS_SUCCESS) { - do - { - if(ThreadEntry.th32OwnerProcessID == ProcessId) - { - THREAD_ITEM_DATA NewThreadData; - memset(&NewThreadData, 0, sizeof(THREAD_ITEM_DATA)); - NewThreadData.dwThreadId = ThreadEntry.th32ThreadID; - NewThreadData.hThread = OpenThread(THREAD_ALL_ACCESS, false, NewThreadData.dwThreadId); - hListThread.push_back(NewThreadData); - } - } - while(Thread32Next(hSnapShot, &ThreadEntry)); + return false; } - EngineCloseHandle(hSnapShot); - return true; } - return false; + else + { + return false; + } + + pIter = pBuffer; + + while(TRUE) + { + if (pIter->UniqueProcessId == (HANDLE)ProcessId) + { + pIterThread = &pIter->Threads[0]; + for (ULONG i = 0; i < pIter->NumberOfThreads; i++) + { + ZeroMemory(&NewThreadData, sizeof(THREAD_ITEM_DATA)); + + NewThreadData.BasePriority = pIterThread->BasePriority; + NewThreadData.ContextSwitches = 
pIterThread->ContextSwitches; + NewThreadData.Priority = pIterThread->Priority; + NewThreadData.BasePriority = pIterThread->BasePriority; + NewThreadData.ThreadStartAddress = pIterThread->StartAddress; + NewThreadData.ThreadState = pIterThread->ThreadState; + NewThreadData.WaitReason = pIterThread->WaitReason; + NewThreadData.WaitTime = pIterThread->WaitTime; + NewThreadData.dwThreadId = (DWORD)pIterThread->ClientId.UniqueThread; + + NewThreadData.hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, NewThreadData.dwThreadId); + if (NewThreadData.hThread) + { + NewThreadData.TebAddress = GetTEBLocation(NewThreadData.hThread); + } + + hListThread.push_back(NewThreadData); + + pIterThread++; + } + + break; + } + + if (pIter->NextEntryOffset == 0) + { + break; + } + else + { + pIter = (PSYSTEM_PROCESS_INFORMATION)((DWORD_PTR)pIter + (DWORD_PTR)pIter->NextEntryOffset); + } + } + + free(pBuffer); + return (hListThread.size() > 0); } __declspec(dllexport) void* TITCALL ThreaderGetThreadInfo(HANDLE hThread, DWORD ThreadId) diff --git a/TitanEngine/ntdll.h b/TitanEngine/ntdll.h index 7ce981f..717c389 100644 --- a/TitanEngine/ntdll.h +++ b/TitanEngine/ntdll.h @@ -8,6 +8,8 @@ #pragma comment(lib, "ntdll_x64.lib") #endif +#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L) + typedef LONG NTSTATUS; typedef LONG KPRIORITY; 
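Review bot: The size probe at the top of the rewritten ThreaderImportRunningThreadData leaks and is racy: the `else { return false; }` branch exits without freeing the 1-byte pBuffer, and the real NtQuerySystemInformation call is made only once even though the length SystemProcessInformation needs can grow between probe and query as threads and processes are created, so a legitimate debuggee can be reported as having no threads. Querying in a loop until the status is no longer STATUS_INFO_LENGTH_MISMATCH, with the buffer owned by a std::vector so every return path releases it, fixes both (sketch below; the process walk that follows is unchanged apart from dropping the final free). Two smaller things in the same hunk: `NewThreadData.BasePriority = pIterThread->BasePriority;` is assigned twice, and the `std::vector().swap(hListThread)` reset (the page shows no template argument, presumably `std::vector<THREAD_ITEM_DATA>` lost in rendering) discards hThread values that OpenThread returned on an earlier call without closing them, unless that happens elsewhere, which this diff does not show. The new ThreadState and WaitReason fields are ULONG copies of KTHREAD_STATE/KWAIT_REASON values; a comment at those assignments saying so would help SDK consumers interpret them.
```cpp
    if(dbgProcessInformation.hProcess != NULL || ProcessId == NULL)
        return false;
    // … unchanged: hListThread reset …

    // SystemProcessInformation's required length can change between two calls
    // (threads/processes come and go), so grow and retry instead of trusting one probe.
    std::vector<BYTE> buffer(0x10000);
    ULONG retLength = 0;
    NTSTATUS status = STATUS_INFO_LENGTH_MISMATCH;
    for (int attempt = 0; attempt < 8 && status == STATUS_INFO_LENGTH_MISMATCH; attempt++)
    {
        status = NtQuerySystemInformation(SystemProcessInformation, buffer.data(), (ULONG)buffer.size(), &retLength);
        if (status == STATUS_INFO_LENGTH_MISMATCH)
            buffer.resize((size_t)retLength + sizeof(SYSTEM_PROCESS_INFORMATION));
    }
    if (status != STATUS_SUCCESS)
        return false;   // buffer is released by its destructor on every path

    PSYSTEM_PROCESS_INFORMATION pIter = (PSYSTEM_PROCESS_INFORMATION)buffer.data();
    // … unchanged: walk of the process list and per-thread fill-in; the trailing free(pBuffer) goes away …
    return (hListThread.size() > 0);
```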
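Review bot: `#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)` is unconditional, and ntstatus.h (and, as far as I recall, winternl.h) define the same macro, so a translation unit that includes either next to ntdll.h gets a macro-redefinition warning, which becomes an error under warnings-as-errors. Wrapping it in `#ifndef STATUS_INFO_LENGTH_MISMATCH` / `#endif` avoids that; the value itself is the standard one. Placing the define ahead of `typedef LONG NTSTATUS;` works only because the cast is expanded at the use site, so a one-line comment saying so would stop the next reader from "fixing" the order.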
@@ -17,6 +19,61 @@ typedef struct _CLIENT_ID
 HANDLE UniqueThread;
 } CLIENT_ID, *PCLIENT_ID;
 
+typedef enum _KTHREAD_STATE
+{
+ Initialized,
+ Ready,
+ Running,
+ Standby,
+ Terminated,
+ Waiting,
+ Transition,
+ DeferredReady,
+ GateWait
+} KTHREAD_STATE;
+
+typedef enum _KWAIT_REASON
+{
+ Executive,
+ FreePage,
+ PageIn,
+ PoolAllocation,
+ DelayExecution,
+ Suspended,
+ UserRequest,
+ WrExecutive,
+ WrFreePage,
+ WrPageIn,
+ WrPoolAllocation,
+ WrDelayExecution,
+ WrSuspended,
+ WrUserRequest,
+ WrEventPair,
+ WrQueue,
+ WrLpcReceive,
+ WrLpcReply,
+ WrVirtualMemory,
+ WrPageOut,
+ WrRendezvous,
+ Spare2,
+ Spare3,
+ Spare4,
+ Spare5,
+ Spare6,
+ WrKernel,
+ WrResource,
+ WrPushLock,
+ WrMutex,
+ WrQuantumEnd,
+ WrDispatchInt,
+ WrPreempted,
+ WrYieldExecution,
+ WrFastMutex,
+ WrGuardedMutex,
+ WrRundown,
+ MaximumWaitReason
+} KWAIT_REASON;
+
 typedef struct _UNICODE_STRING
 {
 USHORT Length;
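Review bot: The KWAIT_REASON list stops at WrRundown/MaximumWaitReason, but current kernels report wait reasons beyond that point (WrAlertByThreadId, for example, is a later addition), so any consumer that switches on THREAD_ITEM_DATA.WaitReason must treat values at or above MaximumWaitReason as "unknown" rather than impossible; a comment on the enum such as `// Snapshot of the kernel's list; newer Windows versions append values, callers must tolerate ones not listed here` would set that expectation. Both are plain C enums in a header shared by C and C++ translation units, so identifiers like Running, Waiting, Suspended and Executive land in the global namespace and can collide with consumer code; a UE_ prefix, or enum class where only C++ includes the header, is the usual remedy. Neither enum is used as a field type in the SYSTEM_THREAD_INFORMATION added later in this diff, which keeps ThreadState and WaitReason as ULONG.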
@@ -24,6 +81,78 @@ typedef struct _UNICODE_STRING
 PWSTR Buffer;
 } UNICODE_STRING, *PUNICODE_STRING;
 
+typedef struct _SYSTEM_SESSION_PROCESS_INFORMATION
+{
+ ULONG SessionId;
+ ULONG SizeOfBuf;
+ PVOID Buffer;
+} SYSTEM_SESSION_PROCESS_INFORMATION, *PSYSTEM_SESSION_PROCESS_INFORMATION;
+
+typedef struct _SYSTEM_THREAD_INFORMATION
+{
+ LARGE_INTEGER KernelTime;
+ LARGE_INTEGER UserTime;
+ LARGE_INTEGER CreateTime;
+ ULONG WaitTime;
+ PVOID StartAddress;
+ CLIENT_ID ClientId;
+ KPRIORITY Priority;
+ LONG BasePriority;
+ ULONG ContextSwitches;
+ ULONG ThreadState;
+ ULONG WaitReason;
+} SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;
+
+typedef struct _SYSTEM_EXTENDED_THREAD_INFORMATION
+{
+ SYSTEM_THREAD_INFORMATION ThreadInfo;
+ PVOID StackBase;
+ PVOID StackLimit;
+ PVOID Win32StartAddress;
+ PVOID TebAddress; /* This is only filled in on Vista and above */
+ ULONG_PTR Reserved2;
+ ULONG_PTR Reserved3;
+ ULONG_PTR Reserved4;
+} SYSTEM_EXTENDED_THREAD_INFORMATION, *PSYSTEM_EXTENDED_THREAD_INFORMATION;
+
+typedef struct _SYSTEM_PROCESS_INFORMATION
+{
+ ULONG NextEntryOffset;
+ ULONG NumberOfThreads;
+ LARGE_INTEGER SpareLi1;
+ LARGE_INTEGER SpareLi2;
+ LARGE_INTEGER SpareLi3;
+ LARGE_INTEGER CreateTime;
+ LARGE_INTEGER UserTime;
+ LARGE_INTEGER KernelTime;
+ UNICODE_STRING ImageName;
+ KPRIORITY BasePriority;
+ HANDLE UniqueProcessId;
+ HANDLE InheritedFromUniqueProcessId;
+ ULONG HandleCount;
+ ULONG SessionId;
+ ULONG_PTR PageDirectoryBase;
+ SIZE_T PeakVirtualSize;
+ SIZE_T VirtualSize;
+ ULONG PageFaultCount;
+ SIZE_T PeakWorkingSetSize;
+ SIZE_T WorkingSetSize;
+ SIZE_T QuotaPeakPagedPoolUsage;
+ SIZE_T QuotaPagedPoolUsage;
+ SIZE_T QuotaPeakNonPagedPoolUsage;
+ SIZE_T QuotaNonPagedPoolUsage;
+ SIZE_T PagefileUsage;
+ SIZE_T PeakPagefileUsage;
+ SIZE_T PrivatePageCount;
+ LARGE_INTEGER ReadOperationCount;
+ LARGE_INTEGER WriteOperationCount;
+ LARGE_INTEGER OtherOperationCount;
+ LARGE_INTEGER ReadTransferCount;
+ LARGE_INTEGER WriteTransferCount;
+ LARGE_INTEGER OtherTransferCount;
+ SYSTEM_THREAD_INFORMATION Threads[1];
+} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
+
 typedef struct _PUBLIC_OBJECT_BASIC_INFORMATION
 {
 ULONG Attributes;
@@ -54,8 +183,7 @@ typedef struct _PROCESS_BASIC_INFORMATION
 } PROCESS_BASIC_INFORMATION;
 typedef PROCESS_BASIC_INFORMATION *PPROCESS_BASIC_INFORMATION;
 
-typedef struct _THREAD_BASIC_INFORMATION
-{
+typedef struct _THREAD_BASIC_INFORMATION {
 NTSTATUS ExitStatus;
 PVOID TebBaseAddress;
 CLIENT_ID ClientId;
@@ -365,6 +493,48 @@ NtQueueApcThread (
 __in_opt PVOID ApcArgument3
 );
 
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+RtlGetCompressionWorkSpaceSize (
+ IN USHORT CompressionFormatAndEngine,
+ OUT PULONG CompressBufferWorkSpaceSize,
+ OUT PULONG CompressFragmentWorkSpaceSize
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+RtlCompressBuffer (
+ IN USHORT CompressionFormatAndEngine,
+ IN PUCHAR UncompressedBuffer,
+ IN ULONG UncompressedBufferSize,
+ OUT PUCHAR CompressedBuffer,
+ IN ULONG CompressedBufferSize,
+ IN ULONG UncompressedChunkSize,
+ OUT PULONG FinalCompressedSize,
+ IN PVOID WorkSpace
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+RtlDecompressBuffer (
+ IN USHORT CompressionFormat,
+ OUT PUCHAR UncompressedBuffer,
+ IN ULONG UncompressedBufferSize,
+ IN PUCHAR CompressedBuffer,
+ IN ULONG CompressedBufferSize,
+ OUT PULONG FinalUncompressedSize
+);
+
+NTSYSCALLAPI
+ULONG
+NTAPI
+RtlNtStatusToDosError (
+ NTSTATUS Status
+);
+
 #ifdef __cplusplus
 };
 #endif
diff --git a/TitanEngine/stdafx.h b/TitanEngine/stdafx.h
index 32dc48d..7a578eb 100644
--- a/TitanEngine/stdafx.h
+++ b/TitanEngine/stdafx.h
@@ -258,6 +258,13 @@ typedef struct
 DWORD dwThreadId;
 void* ThreadStartAddress;
 void* ThreadLocalBase;
+ void* TebAddress;
+ ULONG WaitTime;
+ LONG Priority;
+ LONG BasePriority;
+ ULONG ContextSwitches;
+ ULONG ThreadState;
+ ULONG WaitReason;
 } THREAD_ITEM_DATA, *PTHREAD_ITEM_DATA;
 
 typedef struct
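Review bot: SYSTEM_THREAD_INFORMATION and SYSTEM_PROCESS_INFORMATION are undocumented layouts that NtQuerySystemInformation fills positionally, and TitanEngine.Threader.cpp in this diff walks them through NextEntryOffset and Threads[i], so a dropped or mistyped field would silently misattribute every value; pin the sizes the kernel expects with `C_ASSERT(sizeof(SYSTEM_THREAD_INFORMATION) == (sizeof(void*) == 8 ? 0x50 : 0x40));` (the x64/x86 sizes as I know them, to be confirmed against the build) and the equivalent for SYSTEM_PROCESS_INFORMATION. SYSTEM_EXTENDED_THREAD_INFORMATION and SYSTEM_SESSION_PROCESS_INFORMATION are declared but nothing in the diff uses them, and the Threader code obtains the TEB through OpenThread/GetTEBLocation rather than the TebAddress field here; a comment naming the information class the extended variant belongs to (SystemExtendedProcessInformation) would keep it from being mistaken for the layout SystemProcessInformation returns. The `/* only filled in on Vista and above */` remark on TebAddress is the kind of versioning note the other fields could use as well, since SpareLi1..3 have acquired meanings on later kernels.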
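Review bot: The four Rtl* prototypes in the `@@ -365,6` hunk annotate parameters with IN/OUT while the neighbouring NtQueueApcThread declaration in the same header uses SAL `__in_opt`; pick one convention for the file, since mixing them is what the next reader will trip over. None of the added declarations has a caller anywhere in this diff, so they are either dead until a follow-up lands or that follow-up is missing from the commit; if a caller of RtlDecompressBuffer is coming, its UncompressedBufferSize must be the size of the buffer the caller owns, never a length taken from inside the compressed data, and FinalUncompressedSize should be checked before the output is used. A short header comment stating which compression format (COMPRESSION_FORMAT_LZNT1 is the classic one) the engine intends to use would also document why these four, and not the rest of the Rtl compression family, are declared.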