x64dbg
/
TitanEngine
mirror of https://github.com/x64dbg/TitanEngine
1
0
Fork 0
Code Releases Activity

better hidedebugger code, some fixes

This commit is contained in:
NtQuery 2014-03-04 19:09:39 +01:00
parent 8efc8a4b5b
commit 1b3aeeb8bd
2 changed files with 15 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
TitanEngine/Global.Engine.Hider.cpp
View File

@ -19,10 +19,16 @@ static bool isAtleastVista()
return isAtleastVista;
}
void FixAntidebugApiInProcess(HANDLE hProcess, bool Hide)
void FixAntidebugApiInProcess32(HANDLE hProcess, bool Hide)
{
const BYTE patchCheckRemoteDebuggerPresent[5] = {0x33, 0xC0, 0xC2, 0x08, 0x00};
const BYTE patchGetTickCount[3] = {0x33, 0xC0, 0xC3};
const BYTE patchCheckRemoteDebuggerPresent[5] = {
0x33, 0xC0, //XOR EAX,EAX
0xC2, 0x08, 0x00}; //RETN 0x8
const BYTE patchGetTickCount[3] = {
0x33, 0xC0, //XOR EAX,EAX
0xC3}; //RETN
ULONG_PTR APIPatchAddress = NULL;
DWORD OldProtect;
SIZE_T ueNumberOfBytesRead = 0;
@ -126,7 +132,9 @@ bool ChangeHideDebuggerState(HANDLE hProcess, DWORD PatchAPILevel, bool Hide)
{
if(PatchAPILevel == UE_HIDE_BASIC)
{
FixAntidebugApiInProcess(hProcess, Hide);
#ifndef _WIN64
FixAntidebugApiInProcess32(hProcess, Hide);
#endif
}
return true;

10
TitanEngine/TitanEngine.Hider.cpp
View File

@ -5,17 +5,13 @@
// TitanEngine.Hider.functions:
__declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess)
{
typedef NTSTATUS(WINAPI *fNtQueryInformationProcess)(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength);
ULONG RequiredLen = 0;
void * PebAddress = 0;
PPROCESS_BASIC_INFORMATION myProcessBasicInformation = (PPROCESS_BASIC_INFORMATION)VirtualAlloc(NULL, sizeof(PROCESS_BASIC_INFORMATION) * 4, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE);
if(!myProcessBasicInformation)
return 0;
#if !defined(_WIN64)
typedef NTSTATUS(WINAPI *fNtQueryInformationProcess)(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength);
#else
typedef NTSTATUS(__fastcall *fNtQueryInformationProcess)(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength);
#endif
if(!myProcessBasicInformation)
return 0;
fNtQueryInformationProcess cNtQueryInformationProcess = (fNtQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"),"NtQueryInformationProcess");