x64dbg
/
TitanEngine
mirror of https://github.com/x64dbg/TitanEngine
1
0
Fork 0
Code Releases Activity

better hidedebugger code, some fixes

This commit is contained in:
NtQuery 2014-03-04 19:09:39 +01:00
parent 8efc8a4b5b
commit 1b3aeeb8bd
2 changed files with 15 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
TitanEngine/Global.Engine.Hider.cpp
View File

@ -19,10 +19,16 @@ static bool isAtleastVista()
return isAtleastVista; return isAtleastVista;
} }
void FixAntidebugApiInProcess(HANDLE hProcess, bool Hide) void FixAntidebugApiInProcess32(HANDLE hProcess, bool Hide)
{ {
const BYTE patchCheckRemoteDebuggerPresent[5] = {0x33, 0xC0, 0xC2, 0x08, 0x00}; const BYTE patchCheckRemoteDebuggerPresent[5] = {
const BYTE patchGetTickCount[3] = {0x33, 0xC0, 0xC3}; 0x33, 0xC0, //XOR EAX,EAX
0xC2, 0x08, 0x00}; //RETN 0x8
const BYTE patchGetTickCount[3] = {
0x33, 0xC0, //XOR EAX,EAX
0xC3}; //RETN
ULONG_PTR APIPatchAddress = NULL; ULONG_PTR APIPatchAddress = NULL;
DWORD OldProtect; DWORD OldProtect;
SIZE_T ueNumberOfBytesRead = 0; SIZE_T ueNumberOfBytesRead = 0;
@ -126,7 +132,9 @@ bool ChangeHideDebuggerState(HANDLE hProcess, DWORD PatchAPILevel, bool Hide)
{ {
if(PatchAPILevel == UE_HIDE_BASIC) if(PatchAPILevel == UE_HIDE_BASIC)
{ {
FixAntidebugApiInProcess(hProcess, Hide); #ifndef _WIN64
FixAntidebugApiInProcess32(hProcess, Hide);
#endif
} }
return true; return true;

10
TitanEngine/TitanEngine.Hider.cpp
View File

@ -5,18 +5,14 @@
// TitanEngine.Hider.functions: // TitanEngine.Hider.functions:
__declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess) __declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess)
{ {
typedef NTSTATUS(WINAPI *fNtQueryInformationProcess)(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength);
ULONG RequiredLen = 0; ULONG RequiredLen = 0;
void * PebAddress = 0; void * PebAddress = 0;
PPROCESS_BASIC_INFORMATION myProcessBasicInformation = (PPROCESS_BASIC_INFORMATION)VirtualAlloc(NULL, sizeof(PROCESS_BASIC_INFORMATION) * 4, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE); PPROCESS_BASIC_INFORMATION myProcessBasicInformation = (PPROCESS_BASIC_INFORMATION)VirtualAlloc(NULL, sizeof(PROCESS_BASIC_INFORMATION) * 4, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE);
if(!myProcessBasicInformation)
if(!myProcessBasicInformation)
return 0; return 0;
#if !defined(_WIN64)
typedef NTSTATUS(WINAPI *fNtQueryInformationProcess)(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength);
#else
typedef NTSTATUS(__fastcall *fNtQueryInformationProcess)(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength);
#endif
fNtQueryInformationProcess cNtQueryInformationProcess = (fNtQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"),"NtQueryInformationProcess"); fNtQueryInformationProcess cNtQueryInformationProcess = (fNtQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"),"NtQueryInformationProcess");
if(cNtQueryInformationProcess != NULL) if(cNtQueryInformationProcess != NULL)