x64dbg
/
TitanEngine
mirror of https://github.com/x64dbg/TitanEngine
1
0
Fork 0
Code Releases Activity

extended thread info

This commit is contained in:
NtQuery 2014-03-16 16:47:08 +01:00
parent 4e1685b8ea
commit 17d8b6e09e
6 changed files with 263 additions and 76 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
SDK/C/TitanEngine.h
View File

@ -13,20 +13,6 @@
// Global.Constant.Structure.Declaration: // Global.Constant.Structure.Declaration:
// Engine.External: // Engine.External:
#define UE_STRUCT_PE32STRUCT 1
#define UE_STRUCT_PE64STRUCT 2
#define UE_STRUCT_PESTRUCT 3
#define UE_STRUCT_IMPORTENUMDATA 4
#define UE_STRUCT_THREAD_ITEM_DATA 5
#define UE_STRUCT_LIBRARY_ITEM_DATA 6
#define UE_STRUCT_LIBRARY_ITEM_DATAW 7
#define UE_STRUCT_PROCESS_ITEM_DATA 8
#define UE_STRUCT_HANDLERARRAY 9
#define UE_STRUCT_PLUGININFORMATION 10
#define UE_STRUCT_HOOK_ENTRY 11
#define UE_STRUCT_FILE_STATUS_INFO 12
#define UE_STRUCT_FILE_FIX_INFO 13
#define UE_ACCESS_READ 0 #define UE_ACCESS_READ 0
#define UE_ACCESS_WRITE 1 #define UE_ACCESS_WRITE 1
#define UE_ACCESS_ALL 2 #define UE_ACCESS_ALL 2
@ -335,6 +321,13 @@ typedef struct
DWORD dwThreadId; DWORD dwThreadId;
void* ThreadStartAddress; void* ThreadStartAddress;
void* ThreadLocalBase; void* ThreadLocalBase;
void* TebAddress;
ULONG WaitTime;
LONG Priority;
LONG BasePriority;
ULONG ContextSwitches;
ULONG ThreadState;
ULONG WaitReason;
} THREAD_ITEM_DATA, *PTHREAD_ITEM_DATA; } THREAD_ITEM_DATA, *PTHREAD_ITEM_DATA;
typedef struct typedef struct
@ -934,7 +927,6 @@ __declspec(dllexport) bool TITCALL EngineFakeMissingDependencies(HANDLE hProcess
__declspec(dllexport) bool TITCALL EngineDeleteCreatedDependencies(); __declspec(dllexport) bool TITCALL EngineDeleteCreatedDependencies();
__declspec(dllexport) bool TITCALL EngineCreateUnpackerWindow(char* WindowUnpackerTitle, char* WindowUnpackerLongTitle, char* WindowUnpackerName, char* WindowUnpackerAuthor, void* StartUnpackingCallBack); __declspec(dllexport) bool TITCALL EngineCreateUnpackerWindow(char* WindowUnpackerTitle, char* WindowUnpackerLongTitle, char* WindowUnpackerName, char* WindowUnpackerAuthor, void* StartUnpackingCallBack);
__declspec(dllexport) void TITCALL EngineAddUnpackerWindowLogMessage(char* szLogMessage); __declspec(dllexport) void TITCALL EngineAddUnpackerWindowLogMessage(char* szLogMessage);
__declspec(dllexport) bool TITCALL EngineCheckStructAlignment(DWORD StructureType, ULONG_PTR StructureSize);
// Global.Engine.Extension.Functions: // Global.Engine.Extension.Functions:
__declspec(dllexport) bool TITCALL ExtensionManagerIsPluginLoaded(char* szPluginName); __declspec(dllexport) bool TITCALL ExtensionManagerIsPluginLoaded(char* szPluginName);
__declspec(dllexport) bool TITCALL ExtensionManagerIsPluginEnabled(char* szPluginName); __declspec(dllexport) bool TITCALL ExtensionManagerIsPluginEnabled(char* szPluginName);

22
SDK/CPP/TitanEngine.h
View File

@ -13,20 +13,6 @@
// Global.Constant.Structure.Declaration: // Global.Constant.Structure.Declaration:
// Engine.External: // Engine.External:
const BYTE UE_STRUCT_PE32STRUCT = 1;
const BYTE UE_STRUCT_PE64STRUCT = 2;
const BYTE UE_STRUCT_PESTRUCT = 3;
const BYTE UE_STRUCT_IMPORTENUMDATA = 4;
const BYTE UE_STRUCT_THREAD_ITEM_DATA = 5;
const BYTE UE_STRUCT_LIBRARY_ITEM_DATA = 6;
const BYTE UE_STRUCT_LIBRARY_ITEM_DATAW = 7;
const BYTE UE_STRUCT_PROCESS_ITEM_DATA = 8;
const BYTE UE_STRUCT_HANDLERARRAY = 9;
const BYTE UE_STRUCT_PLUGININFORMATION = 10;
const BYTE UE_STRUCT_HOOK_ENTRY = 11;
const BYTE UE_STRUCT_FILE_STATUS_INFO = 12;
const BYTE UE_STRUCT_FILE_FIX_INFO = 13;
const BYTE UE_ACCESS_READ = 0; const BYTE UE_ACCESS_READ = 0;
const BYTE UE_ACCESS_WRITE = 1; const BYTE UE_ACCESS_WRITE = 1;
const BYTE UE_ACCESS_ALL = 2; const BYTE UE_ACCESS_ALL = 2;
@ -335,6 +321,13 @@ typedef struct
DWORD dwThreadId; DWORD dwThreadId;
void* ThreadStartAddress; void* ThreadStartAddress;
void* ThreadLocalBase; void* ThreadLocalBase;
void* TebAddress;
ULONG WaitTime;
LONG Priority;
LONG BasePriority;
ULONG ContextSwitches;
ULONG ThreadState;
ULONG WaitReason;
} THREAD_ITEM_DATA, *PTHREAD_ITEM_DATA; } THREAD_ITEM_DATA, *PTHREAD_ITEM_DATA;
typedef struct typedef struct
@ -928,7 +921,6 @@ __declspec(dllimport) bool TITCALL EngineFakeMissingDependencies(HANDLE hProcess
__declspec(dllimport) bool TITCALL EngineDeleteCreatedDependencies(); __declspec(dllimport) bool TITCALL EngineDeleteCreatedDependencies();
__declspec(dllimport) bool TITCALL EngineCreateUnpackerWindow(char* WindowUnpackerTitle, char* WindowUnpackerLongTitle, char* WindowUnpackerName, char* WindowUnpackerAuthor, void* StartUnpackingCallBack); __declspec(dllimport) bool TITCALL EngineCreateUnpackerWindow(char* WindowUnpackerTitle, char* WindowUnpackerLongTitle, char* WindowUnpackerName, char* WindowUnpackerAuthor, void* StartUnpackingCallBack);
__declspec(dllimport) void TITCALL EngineAddUnpackerWindowLogMessage(char* szLogMessage); __declspec(dllimport) void TITCALL EngineAddUnpackerWindowLogMessage(char* szLogMessage);
__declspec(dllexport) bool TITCALL EngineCheckStructAlignment(DWORD StructureType, ULONG_PTR StructureSize);
// Global.Engine.Extension.Functions: // Global.Engine.Extension.Functions:
__declspec(dllimport) bool TITCALL ExtensionManagerIsPluginLoaded(char* szPluginName); __declspec(dllimport) bool TITCALL ExtensionManagerIsPluginLoaded(char* szPluginName);
__declspec(dllimport) bool TITCALL ExtensionManagerIsPluginEnabled(char* szPluginName); __declspec(dllimport) bool TITCALL ExtensionManagerIsPluginEnabled(char* szPluginName);

24
SDK/CPP/TitanEngine.hpp
View File

@ -23,23 +23,6 @@ namespace UE
// ---- // ----
enum eStructType : DWORD
{
UE_STRUCT_PE32STRUCT = UE::UE_STRUCT_PE32STRUCT,
UE_STRUCT_PE64STRUCT = UE::UE_STRUCT_PE64STRUCT,
UE_STRUCT_PESTRUCT = UE::UE_STRUCT_PESTRUCT,
UE_STRUCT_IMPORTENUMDATA = UE::UE_STRUCT_IMPORTENUMDATA,
UE_STRUCT_THREAD_ITEM_DATA = UE::UE_STRUCT_THREAD_ITEM_DATA,
UE_STRUCT_LIBRARY_ITEM_DATA = UE::UE_STRUCT_LIBRARY_ITEM_DATA,
UE_STRUCT_LIBRARY_ITEM_DATAW = UE::UE_STRUCT_LIBRARY_ITEM_DATAW,
UE_STRUCT_PROCESS_ITEM_DATA = UE::UE_STRUCT_PROCESS_ITEM_DATA,
UE_STRUCT_HANDLERARRAY = UE::UE_STRUCT_HANDLERARRAY,
UE_STRUCT_PLUGININFORMATION = UE::UE_STRUCT_PLUGININFORMATION,
UE_STRUCT_HOOK_ENTRY = UE::UE_STRUCT_HOOK_ENTRY,
UE_STRUCT_FILE_STATUS_INFO = UE::UE_STRUCT_FILE_STATUS_INFO,
UE_STRUCT_FILE_FIX_INFO = UE::UE_STRUCT_FILE_FIX_INFO
};
enum eHideLevel : DWORD enum eHideLevel : DWORD
{ {
UE_HIDE_PEBONLY = UE::UE_HIDE_PEBONLY, UE_HIDE_PEBONLY = UE::UE_HIDE_PEBONLY,
@ -726,8 +709,6 @@ public:
using DumperX::ConvertVAtoFileOffsetEx; using DumperX::ConvertVAtoFileOffsetEx;
using DumperX::ConvertFileOffsetToVA; using DumperX::ConvertFileOffsetToVA;
using DumperX::ConvertFileOffsetToVAEx; using DumperX::ConvertFileOffsetToVAEx;
using DumperX::MemoryReadSafe;
using DumperX::MemoryWriteSafe;
}; };
class RealignerA; class RealignerA;
@ -2759,10 +2740,6 @@ protected:
{ {
return UE::EngineAddUnpackerWindowLogMessage(szLogMessage); return UE::EngineAddUnpackerWindowLogMessage(szLogMessage);
} }
static bool EngineCheckStructAlignment(DWORD StructureType, ULONG_PTR StructureSize)
{
return UE::EngineCheckStructAlignment(StructureType, StructureSize);
}
}; };
class EngineA class EngineA
@ -2796,7 +2773,6 @@ public:
using EngineX::DeleteCreatedDependencies; using EngineX::DeleteCreatedDependencies;
using EngineX::CreateUnpackerWindow; using EngineX::CreateUnpackerWindow;
using EngineX::AddUnpackerWindowLogMessage; using EngineX::AddUnpackerWindowLogMessage;
using EngineX::EngineCheckStructAlignment;
}; };
class ExtensionManager class ExtensionManager

90
TitanEngine/TitanEngine.Threader.cpp
View File

@ -10,31 +10,81 @@ __declspec(dllexport) bool TITCALL ThreaderImportRunningThreadData(DWORD Process
{ {
if(dbgProcessInformation.hProcess != NULL || ProcessId == NULL) if(dbgProcessInformation.hProcess != NULL || ProcessId == NULL)
return false; return false;
std::vector<THREAD_ITEM_DATA>().swap(hListThread); //clear thread list std::vector<THREAD_ITEM_DATA>().swap(hListThread); //clear thread list
THREADENTRY32 ThreadEntry = {};
ThreadEntry.dwSize = sizeof THREADENTRY32; THREAD_ITEM_DATA NewThreadData;
HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, ProcessId); ULONG retLength = 0;
if(hSnapShot != INVALID_HANDLE_VALUE) ULONG bufferLength = 1;
PSYSTEM_PROCESS_INFORMATION pBuffer = (PSYSTEM_PROCESS_INFORMATION)malloc(bufferLength);
PSYSTEM_PROCESS_INFORMATION pIter;
PSYSTEM_THREAD_INFORMATION pIterThread;
if (NtQuerySystemInformation(SystemProcessInformation, pBuffer, bufferLength, &retLength) == STATUS_INFO_LENGTH_MISMATCH)
{ {
if(Thread32First(hSnapShot, &ThreadEntry)) free(pBuffer);
bufferLength = retLength + sizeof(SYSTEM_PROCESS_INFORMATION);
pBuffer = (PSYSTEM_PROCESS_INFORMATION)malloc(bufferLength);
if (!pBuffer)
return false;
if (NtQuerySystemInformation(SystemProcessInformation, pBuffer, bufferLength, &retLength) != STATUS_SUCCESS)
{ {
do return false;
{
if(ThreadEntry.th32OwnerProcessID == ProcessId)
{
THREAD_ITEM_DATA NewThreadData;
memset(&NewThreadData, 0, sizeof(THREAD_ITEM_DATA));
NewThreadData.dwThreadId = ThreadEntry.th32ThreadID;
NewThreadData.hThread = OpenThread(THREAD_ALL_ACCESS, false, NewThreadData.dwThreadId);
hListThread.push_back(NewThreadData);
}
}
while(Thread32Next(hSnapShot, &ThreadEntry));
} }
EngineCloseHandle(hSnapShot);
return true;
} }
return false; else
{
return false;
}
pIter = pBuffer;
while(TRUE)
{
if (pIter->UniqueProcessId == (HANDLE)ProcessId)
{
pIterThread = &pIter->Threads[0];
for (ULONG i = 0; i < pIter->NumberOfThreads; i++)
{
ZeroMemory(&NewThreadData, sizeof(THREAD_ITEM_DATA));
NewThreadData.BasePriority = pIterThread->BasePriority;
NewThreadData.ContextSwitches = pIterThread->ContextSwitches;
NewThreadData.Priority = pIterThread->Priority;
NewThreadData.BasePriority = pIterThread->BasePriority;
NewThreadData.ThreadStartAddress = pIterThread->StartAddress;
NewThreadData.ThreadState = pIterThread->ThreadState;
NewThreadData.WaitReason = pIterThread->WaitReason;
NewThreadData.WaitTime = pIterThread->WaitTime;
NewThreadData.dwThreadId = (DWORD)pIterThread->ClientId.UniqueThread;
NewThreadData.hThread = OpenThread(THREAD_ALL_ACCESS, FALSE, NewThreadData.dwThreadId);
if (NewThreadData.hThread)
{
NewThreadData.TebAddress = GetTEBLocation(NewThreadData.hThread);
}
hListThread.push_back(NewThreadData);
pIterThread++;
}
break;
}
if (pIter->NextEntryOffset == 0)
{
break;
}
else
{
pIter = (PSYSTEM_PROCESS_INFORMATION)((DWORD_PTR)pIter + (DWORD_PTR)pIter->NextEntryOffset);
}
}
free(pBuffer);
return (hListThread.size() > 0);
} }
__declspec(dllexport) void* TITCALL ThreaderGetThreadInfo(HANDLE hThread, DWORD ThreadId) __declspec(dllexport) void* TITCALL ThreaderGetThreadInfo(HANDLE hThread, DWORD ThreadId)

174
TitanEngine/ntdll.h
View File

@ -8,6 +8,8 @@
#pragma comment(lib, "ntdll_x64.lib") #pragma comment(lib, "ntdll_x64.lib")
#endif #endif
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
typedef LONG NTSTATUS; typedef LONG NTSTATUS;
typedef LONG KPRIORITY; typedef LONG KPRIORITY;
@ -17,6 +19,61 @@ typedef struct _CLIENT_ID
HANDLE UniqueThread; HANDLE UniqueThread;
} CLIENT_ID, *PCLIENT_ID; } CLIENT_ID, *PCLIENT_ID;
typedef enum _KTHREAD_STATE
{
Initialized,
Ready,
Running,
Standby,
Terminated,
Waiting,
Transition,
DeferredReady,
GateWait
} KTHREAD_STATE;
typedef enum _KWAIT_REASON
{
Executive,
FreePage,
PageIn,
PoolAllocation,
DelayExecution,
Suspended,
UserRequest,
WrExecutive,
WrFreePage,
WrPageIn,
WrPoolAllocation,
WrDelayExecution,
WrSuspended,
WrUserRequest,
WrEventPair,
WrQueue,
WrLpcReceive,
WrLpcReply,
WrVirtualMemory,
WrPageOut,
WrRendezvous,
Spare2,
Spare3,
Spare4,
Spare5,
Spare6,
WrKernel,
WrResource,
WrPushLock,
WrMutex,
WrQuantumEnd,
WrDispatchInt,
WrPreempted,
WrYieldExecution,
WrFastMutex,
WrGuardedMutex,
WrRundown,
MaximumWaitReason
} KWAIT_REASON;
typedef struct _UNICODE_STRING typedef struct _UNICODE_STRING
{ {
USHORT Length; USHORT Length;
@ -24,6 +81,78 @@ typedef struct _UNICODE_STRING
PWSTR Buffer; PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING; } UNICODE_STRING, *PUNICODE_STRING;
typedef struct _SYSTEM_SESSION_PROCESS_INFORMATION
{
ULONG SessionId;
ULONG SizeOfBuf;
PVOID Buffer;
} SYSTEM_SESSION_PROCESS_INFORMATION, *PSYSTEM_SESSION_PROCESS_INFORMATION;
typedef struct _SYSTEM_THREAD_INFORMATION
{
LARGE_INTEGER KernelTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER CreateTime;
ULONG WaitTime;
PVOID StartAddress;
CLIENT_ID ClientId;
KPRIORITY Priority;
LONG BasePriority;
ULONG ContextSwitches;
ULONG ThreadState;
ULONG WaitReason;
} SYSTEM_THREAD_INFORMATION, *PSYSTEM_THREAD_INFORMATION;
typedef struct _SYSTEM_EXTENDED_THREAD_INFORMATION
{
SYSTEM_THREAD_INFORMATION ThreadInfo;
PVOID StackBase;
PVOID StackLimit;
PVOID Win32StartAddress;
PVOID TebAddress; /* This is only filled in on Vista and above */
ULONG_PTR Reserved2;
ULONG_PTR Reserved3;
ULONG_PTR Reserved4;
} SYSTEM_EXTENDED_THREAD_INFORMATION, *PSYSTEM_EXTENDED_THREAD_INFORMATION;
typedef struct _SYSTEM_PROCESS_INFORMATION
{
ULONG NextEntryOffset;
ULONG NumberOfThreads;
LARGE_INTEGER SpareLi1;
LARGE_INTEGER SpareLi2;
LARGE_INTEGER SpareLi3;
LARGE_INTEGER CreateTime;
LARGE_INTEGER UserTime;
LARGE_INTEGER KernelTime;
UNICODE_STRING ImageName;
KPRIORITY BasePriority;
HANDLE UniqueProcessId;
HANDLE InheritedFromUniqueProcessId;
ULONG HandleCount;
ULONG SessionId;
ULONG_PTR PageDirectoryBase;
SIZE_T PeakVirtualSize;
SIZE_T VirtualSize;
ULONG PageFaultCount;
SIZE_T PeakWorkingSetSize;
SIZE_T WorkingSetSize;
SIZE_T QuotaPeakPagedPoolUsage;
SIZE_T QuotaPagedPoolUsage;
SIZE_T QuotaPeakNonPagedPoolUsage;
SIZE_T QuotaNonPagedPoolUsage;
SIZE_T PagefileUsage;
SIZE_T PeakPagefileUsage;
SIZE_T PrivatePageCount;
LARGE_INTEGER ReadOperationCount;
LARGE_INTEGER WriteOperationCount;
LARGE_INTEGER OtherOperationCount;
LARGE_INTEGER ReadTransferCount;
LARGE_INTEGER WriteTransferCount;
LARGE_INTEGER OtherTransferCount;
SYSTEM_THREAD_INFORMATION Threads[1];
} SYSTEM_PROCESS_INFORMATION, *PSYSTEM_PROCESS_INFORMATION;
typedef struct _PUBLIC_OBJECT_BASIC_INFORMATION typedef struct _PUBLIC_OBJECT_BASIC_INFORMATION
{ {
ULONG Attributes; ULONG Attributes;
@ -54,8 +183,7 @@ typedef struct _PROCESS_BASIC_INFORMATION
} PROCESS_BASIC_INFORMATION; } PROCESS_BASIC_INFORMATION;
typedef PROCESS_BASIC_INFORMATION *PPROCESS_BASIC_INFORMATION; typedef PROCESS_BASIC_INFORMATION *PPROCESS_BASIC_INFORMATION;
typedef struct _THREAD_BASIC_INFORMATION typedef struct _THREAD_BASIC_INFORMATION {
{
NTSTATUS ExitStatus; NTSTATUS ExitStatus;
PVOID TebBaseAddress; PVOID TebBaseAddress;
CLIENT_ID ClientId; CLIENT_ID ClientId;
@ -365,6 +493,48 @@ NtQueueApcThread (
__in_opt PVOID ApcArgument3 __in_opt PVOID ApcArgument3
); );
NTSYSCALLAPI
NTSTATUS
NTAPI
RtlGetCompressionWorkSpaceSize (
IN USHORT CompressionFormatAndEngine,
OUT PULONG CompressBufferWorkSpaceSize,
OUT PULONG CompressFragmentWorkSpaceSize
);
NTSYSCALLAPI
NTSTATUS
NTAPI
RtlCompressBuffer (
IN USHORT CompressionFormatAndEngine,
IN PUCHAR UncompressedBuffer,
IN ULONG UncompressedBufferSize,
OUT PUCHAR CompressedBuffer,
IN ULONG CompressedBufferSize,
IN ULONG UncompressedChunkSize,
OUT PULONG FinalCompressedSize,
IN PVOID WorkSpace
);
NTSYSCALLAPI
NTSTATUS
NTAPI
RtlDecompressBuffer (
IN USHORT CompressionFormat,
OUT PUCHAR UncompressedBuffer,
IN ULONG UncompressedBufferSize,
IN PUCHAR CompressedBuffer,
IN ULONG CompressedBufferSize,
OUT PULONG FinalUncompressedSize
);
NTSYSCALLAPI
ULONG
NTAPI
RtlNtStatusToDosError (
NTSTATUS Status
);
#ifdef __cplusplus #ifdef __cplusplus
}; };
#endif #endif

7
TitanEngine/stdafx.h
View File

@ -258,6 +258,13 @@ typedef struct
DWORD dwThreadId; DWORD dwThreadId;
void* ThreadStartAddress; void* ThreadStartAddress;
void* ThreadLocalBase; void* ThreadLocalBase;
void* TebAddress;
ULONG WaitTime;
LONG Priority;
LONG BasePriority;
ULONG ContextSwitches;
ULONG ThreadState;
ULONG WaitReason;
} THREAD_ITEM_DATA, *PTHREAD_ITEM_DATA; } THREAD_ITEM_DATA, *PTHREAD_ITEM_DATA;
typedef struct typedef struct