fixed EnumProcessModules problems, improved dumper, added new function ReadProcessMemoryEnforce

NtQuery 2014-03-09 22:03:45 +01:00
parent d29b17795c
commit 1f4b6de250
7 changed files with 120 additions and 129 deletions


@ -1316,8 +1316,8 @@ long long EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBa
unsigned int z = 0;
DWORD Dummy = NULL;
HANDLE hProcess = NULL;
ULONG_PTR EnumeratedModules[0x2000];
ULONG_PTR LoadedModules[1000][4];
ULONG_PTR EnumeratedModules[0x1000] = {0};
ULONG_PTR LoadedModules[1000][4] = {0};
char RemoteDLLName[MAX_PATH]= {0};
char FullRemoteDLLName[MAX_PATH]= {0};
char szWindowsSideBySide[MAX_PATH]= {0};
@ -1349,15 +1349,12 @@ long long EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBa
int Vista64UserForwarderFix = 0;
unsigned int Windows7KernelBase = 0xFFFFFFFF;
RtlZeroMemory(&engineFoundDLLName, sizeof(szFwdDLLName));
RtlZeroMemory(&EnumeratedModules, 0x2000 * sizeof ULONG_PTR);
RtlZeroMemory(&LoadedModules, 1000 * 4 * sizeof ULONG_PTR);
GetWindowsDirectoryA(szWindowsSideBySide, MAX_PATH);
lstrcpyA(szWindowsKernelBase, szWindowsSideBySide);
lstrcatA(szWindowsSideBySide, "\\WinSxS");
if(EnumedModulesBases != NULL)
{
RtlMoveMemory(&EnumeratedModules, (LPVOID)EnumedModulesBases, 0x1000);
RtlMoveMemory(EnumeratedModules, (LPVOID)EnumedModulesBases, 0x1000);
i--;
}
if(handleProcess == NULL)
@ -1375,7 +1372,7 @@ long long EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBa
{
hProcess = handleProcess;
}
if(EnumedModulesBases != NULL || EnumProcessModules(hProcess, (HMODULE*)EnumeratedModules, 0x2000, &Dummy))
if(EnumedModulesBases != NULL || EnumProcessModules(hProcess, (HMODULE*)EnumeratedModules, sizeof(EnumeratedModules), &Dummy))
{
i++;
z = i;
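Review bot: The copy `RtlMoveMemory(EnumeratedModules, (LPVOID)EnumedModulesBases, 0x1000);` counts bytes, while the array it fills is now declared with `0x1000` elements, so the same literal means two different things a few lines apart. The call also reads a fixed 0x1000 bytes from a caller-supplied address, and no length argument is visible in the signature fragment shown, so the contract deserves a comment such as `// caller contract: EnumedModulesBases points to at least 0x1000 readable bytes`. A named constant for the byte count would make the relationship to the array size explicit. The function body starts and ends outside these hunks, so how the list is walked afterwards cannot be checked here.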


@ -7,10 +7,10 @@
//TitanEngine.Dumper.functions:
__declspec(dllexport) bool TITCALL DumpProcess(HANDLE hProcess, LPVOID ImageBase, char* szDumpFileName, ULONG_PTR EntryPoint)
{
wchar_t uniDumpFileName[MAX_PATH] = {};
wchar_t uniDumpFileName[MAX_PATH] = {0};
if(szDumpFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, lstrlenA(szDumpFileName)+1, uniDumpFileName, sizeof(uniDumpFileName)/(sizeof(uniDumpFileName[0])));
MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, -1, uniDumpFileName, _countof(uniDumpFileName));
return DumpProcessW(hProcess, ImageBase, uniDumpFileName, EntryPoint);
}
return false;
@ -39,7 +39,6 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas
SIZE_T AlignedHeaderSize = NULL;
LPVOID ueReadBuffer = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE);
LPVOID ueCopyBuffer = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE);
DWORD Protect;
if(ReadProcessMemory(hProcess, ImageBase, ueReadBuffer, 0x1000, &ueNumberOfBytesRead))
{//ReadProcessMemory
@ -156,24 +155,18 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas
if(SizeOfImageDump >= TITANENGINE_PAGESIZE)
{
RtlZeroMemory(ueCopyBuffer, AlignedHeaderSize);
if(!ReadProcessMemory(hProcess, ReadBase, ueCopyBuffer, TITANENGINE_PAGESIZE, &ueNumberOfBytesRead))
{
VirtualProtectEx(hProcess, ReadBase, TITANENGINE_PAGESIZE, PAGE_EXECUTE_READWRITE, &Protect);
ReadProcessMemory(hProcess, ReadBase, ueCopyBuffer, TITANENGINE_PAGESIZE, &ueNumberOfBytesRead);
VirtualProtectEx(hProcess, ReadBase, TITANENGINE_PAGESIZE, Protect, &Protect);
}
ReadProcessMemoryEnforce(hProcess, ReadBase, ueCopyBuffer, TITANENGINE_PAGESIZE, &ueNumberOfBytesRead);
WriteFile(hFile, ueCopyBuffer, TITANENGINE_PAGESIZE, &uedNumberOfBytesRead, NULL);
SizeOfImageDump = SizeOfImageDump - TITANENGINE_PAGESIZE;
}
else
{
RtlZeroMemory(ueCopyBuffer, AlignedHeaderSize);
if(!ReadProcessMemory(hProcess, ReadBase, ueCopyBuffer, SizeOfImageDump, &ueNumberOfBytesRead))
{
VirtualProtectEx(hProcess, ReadBase, TITANENGINE_PAGESIZE, PAGE_EXECUTE_READWRITE, &Protect);
ReadProcessMemory(hProcess, ReadBase, ueCopyBuffer, TITANENGINE_PAGESIZE, &ueNumberOfBytesRead);
VirtualProtectEx(hProcess, ReadBase, TITANENGINE_PAGESIZE, Protect, &Protect);
}
ReadProcessMemoryEnforce(hProcess, ReadBase, ueCopyBuffer, SizeOfImageDump, &ueNumberOfBytesRead);
WriteFile(hFile, ueCopyBuffer, SizeOfImageDump, &uedNumberOfBytesRead, NULL);
SizeOfImageDump = NULL;
}
@ -245,24 +238,18 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas
if(SizeOfImageDump >= TITANENGINE_PAGESIZE)
{
RtlZeroMemory(ueCopyBuffer, AlignedHeaderSize);
if(!ReadProcessMemory(hProcess, ReadBase, ueCopyBuffer, TITANENGINE_PAGESIZE, &ueNumberOfBytesRead))
{
VirtualProtectEx(hProcess, ReadBase, TITANENGINE_PAGESIZE, PAGE_EXECUTE_READWRITE, &Protect);
ReadProcessMemory(hProcess, ReadBase, ueCopyBuffer, TITANENGINE_PAGESIZE, &ueNumberOfBytesRead);
VirtualProtectEx(hProcess, ReadBase, TITANENGINE_PAGESIZE, Protect, &Protect);
}
ReadProcessMemoryEnforce(hProcess, ReadBase, ueCopyBuffer, TITANENGINE_PAGESIZE, &ueNumberOfBytesRead);
WriteFile(hFile, ueCopyBuffer, TITANENGINE_PAGESIZE, &uedNumberOfBytesRead, NULL);
SizeOfImageDump = SizeOfImageDump - TITANENGINE_PAGESIZE;
}
else
{
RtlZeroMemory(ueCopyBuffer, AlignedHeaderSize);
if(!ReadProcessMemory(hProcess, ReadBase, ueCopyBuffer, SizeOfImageDump, &ueNumberOfBytesRead))
{
VirtualProtectEx(hProcess, ReadBase, TITANENGINE_PAGESIZE, PAGE_EXECUTE_READWRITE, &Protect);
ReadProcessMemory(hProcess, ReadBase, ueCopyBuffer, TITANENGINE_PAGESIZE, &ueNumberOfBytesRead);
VirtualProtectEx(hProcess, ReadBase, TITANENGINE_PAGESIZE, Protect, &Protect);
}
ReadProcessMemoryEnforce(hProcess, ReadBase, ueCopyBuffer, SizeOfImageDump, &ueNumberOfBytesRead);
WriteFile(hFile, ueCopyBuffer, SizeOfImageDump, &uedNumberOfBytesRead, NULL);
SizeOfImageDump = NULL;
}
@ -298,12 +285,11 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas
__declspec(dllexport) bool TITCALL DumpProcessEx(DWORD ProcessId, LPVOID ImageBase, char* szDumpFileName, ULONG_PTR EntryPoint)
{
wchar_t uniDumpFileName[MAX_PATH] = {};
wchar_t uniDumpFileName[MAX_PATH] = {0};
if(szDumpFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, lstrlenA(szDumpFileName)+1, uniDumpFileName, sizeof(uniDumpFileName)/(sizeof(uniDumpFileName[0])));
MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, -1, uniDumpFileName, _countof(uniDumpFileName));
return(DumpProcessExW(ProcessId, ImageBase, uniDumpFileName, EntryPoint));
}
else
@ -316,21 +302,14 @@ __declspec(dllexport) bool TITCALL DumpProcessExW(DWORD ProcessId, LPVOID ImageB
{
HANDLE hProcess = 0;
BOOL ReturnValue = false;
bool ReturnValue = false;
hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
if(hProcess)
{
ReturnValue = DumpProcessW(hProcess, ImageBase, szDumpFileName, EntryPoint);
EngineCloseHandle(hProcess);
if(ReturnValue)
{
return true;
}
else
{
return false;
}
return ReturnValue;
}
else
{
@ -340,12 +319,11 @@ __declspec(dllexport) bool TITCALL DumpProcessExW(DWORD ProcessId, LPVOID ImageB
__declspec(dllexport) bool TITCALL DumpMemory(HANDLE hProcess, LPVOID MemoryStart, ULONG_PTR MemorySize, char* szDumpFileName)
{
wchar_t uniDumpFileName[MAX_PATH] = {};
wchar_t uniDumpFileName[MAX_PATH] = {0};
if(szDumpFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, lstrlenA(szDumpFileName)+1, uniDumpFileName, sizeof(uniDumpFileName)/(sizeof(uniDumpFileName[0])));
MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, -1, uniDumpFileName, _countof(uniDumpFileName));
return(DumpMemoryW(hProcess, MemoryStart, MemorySize, uniDumpFileName));
}
else
@ -354,6 +332,46 @@ __declspec(dllexport) bool TITCALL DumpMemory(HANDLE hProcess, LPVOID MemoryStar
}
}
__declspec(dllexport) bool TITCALL ReadProcessMemoryEnforce(HANDLE hProcess, LPVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T * lpNumberOfBytesRead)
{
SIZE_T ueNumberOfBytesRead = 0;
SIZE_T * pNumBytes = 0;
DWORD dwProtect = 0;
bool retValue = false;
if ( (hProcess == 0) || (lpBaseAddress == 0) || (lpBuffer == 0) || (nSize == 0))
{
return false;
}
if (!lpNumberOfBytesRead)
{
pNumBytes = &ueNumberOfBytesRead;
}
else
{
pNumBytes = lpNumberOfBytesRead;
}
if(!ReadProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, pNumBytes))
{
if (VirtualProtectEx(hProcess, lpBaseAddress, nSize, PAGE_EXECUTE_READWRITE, &dwProtect))
{
if (ReadProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, pNumBytes))
{
retValue = false;
}
VirtualProtectEx(hProcess, lpBaseAddress, nSize, dwProtect, &dwProtect);
}
}
else
{
retValue = true;
}
return retValue;
}
__declspec(dllexport) bool TITCALL DumpMemoryW(HANDLE hProcess, LPVOID MemoryStart, ULONG_PTR MemorySize, wchar_t* szDumpFileName)
{
@ -363,7 +381,6 @@ __declspec(dllexport) bool TITCALL DumpMemoryW(HANDLE hProcess, LPVOID MemorySta
LPVOID ReadBase = MemoryStart;
ULONG_PTR ProcReadBase = (ULONG_PTR)ReadBase;
LPVOID ueCopyBuffer = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE);
MEMORY_BASIC_INFORMATION MemInfo;
if(EngineCreatePathForFileW(szDumpFileName))
{
@ -376,26 +393,18 @@ __declspec(dllexport) bool TITCALL DumpMemoryW(HANDLE hProcess, LPVOID MemorySta
if(MemorySize >= 0x1000)
{
RtlZeroMemory(ueCopyBuffer,0x2000);
if(!ReadProcessMemory(hProcess, ReadBase, ueCopyBuffer, 0x1000, &ueNumberOfBytesRead))
{
VirtualQueryEx(hProcess, ReadBase, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
VirtualProtectEx(hProcess, ReadBase, 0x1000, PAGE_EXECUTE_READWRITE, &MemInfo.Protect);
ReadProcessMemory(hProcess, ReadBase, ueCopyBuffer, 0x1000, &ueNumberOfBytesRead);
VirtualProtectEx(hProcess, ReadBase, 0x1000, MemInfo.Protect, &MemInfo.Protect);
}
ReadProcessMemoryEnforce(hProcess, ReadBase, ueCopyBuffer, 0x1000, &ueNumberOfBytesRead);
WriteFile(hFile,ueCopyBuffer, 0x1000, &uedNumberOfBytesRead, NULL);
MemorySize = MemorySize - 0x1000;
}
else
{
RtlZeroMemory(ueCopyBuffer,0x2000);
if(!ReadProcessMemory(hProcess, ReadBase, ueCopyBuffer, MemorySize, &ueNumberOfBytesRead))
{
VirtualQueryEx(hProcess, ReadBase, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
VirtualProtectEx(hProcess, ReadBase, 0x1000, PAGE_EXECUTE_READWRITE, &MemInfo.Protect);
ReadProcessMemory(hProcess, ReadBase, ueCopyBuffer, 0x1000, &ueNumberOfBytesRead);
VirtualProtectEx(hProcess, ReadBase, 0x1000, MemInfo.Protect, &MemInfo.Protect);
}
ReadProcessMemoryEnforce(hProcess, ReadBase, ueCopyBuffer, MemorySize, &ueNumberOfBytesRead);
WriteFile(hFile, ueCopyBuffer, (DWORD)MemorySize, &uedNumberOfBytesRead, NULL);
MemorySize = NULL;
}
@ -416,12 +425,11 @@ __declspec(dllexport) bool TITCALL DumpMemoryW(HANDLE hProcess, LPVOID MemorySta
__declspec(dllexport) bool TITCALL DumpMemoryEx(DWORD ProcessId, LPVOID MemoryStart, ULONG_PTR MemorySize, char* szDumpFileName)
{
wchar_t uniDumpFileName[MAX_PATH] = {};
wchar_t uniDumpFileName[MAX_PATH] = {0};
if(szDumpFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, lstrlenA(szDumpFileName)+1, uniDumpFileName, sizeof(uniDumpFileName)/(sizeof(uniDumpFileName[0])));
MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, -1, uniDumpFileName, _countof(uniDumpFileName));
return(DumpMemoryExW(ProcessId, MemoryStart, MemorySize, uniDumpFileName));
}
else
@ -434,17 +442,14 @@ __declspec(dllexport) bool TITCALL DumpMemoryExW(DWORD ProcessId, LPVOID MemoryS
{
HANDLE hProcess = 0;
BOOL ReturnValue = false;
bool ReturnValue = false;
hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
if(hProcess)
{
ReturnValue = DumpMemoryW(hProcess, MemoryStart, MemorySize, szDumpFileName);
EngineCloseHandle(hProcess);
if(ReturnValue)
{
return true;
}
return ReturnValue;
}
return false;
@ -452,12 +457,11 @@ __declspec(dllexport) bool TITCALL DumpMemoryExW(DWORD ProcessId, LPVOID MemoryS
__declspec(dllexport) bool TITCALL DumpRegions(HANDLE hProcess, char* szDumpFolder, bool DumpAboveImageBaseOnly)
{
wchar_t uniDumpFolder[MAX_PATH] = {};
wchar_t uniDumpFolder[MAX_PATH] = {0};
if(szDumpFolder != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szDumpFolder, lstrlenA(szDumpFolder)+1, uniDumpFolder, sizeof(uniDumpFolder)/(sizeof(uniDumpFolder[0])));
MultiByteToWideChar(CP_ACP, NULL, szDumpFolder, -1, uniDumpFolder, _countof(uniDumpFolder));
return(DumpRegionsW(hProcess, uniDumpFolder, DumpAboveImageBaseOnly));
}
else
@ -470,7 +474,7 @@ __declspec(dllexport) bool TITCALL DumpRegionsW(HANDLE hProcess, wchar_t* szDump
{
int i;
DWORD Dummy = NULL;
DWORD cbNeeded = NULL;
wchar_t szDumpName[MAX_PATH];
wchar_t szDumpFileName[MAX_PATH];
MEMORY_BASIC_INFORMATION MemInfo;
@ -480,11 +484,15 @@ __declspec(dllexport) bool TITCALL DumpRegionsW(HANDLE hProcess, wchar_t* szDump
if(hProcess != NULL)
{
EnumProcessModules(hProcess, EnumeratedModules, sizeof(EnumeratedModules), &Dummy);
if (!EnumProcessModules(hProcess, EnumeratedModules, sizeof(EnumeratedModules), &cbNeeded))
{
return false;
}
while(VirtualQueryEx(hProcess, (LPVOID)DumpAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION) != NULL)
{
AddressIsModuleBase = false;
for(i = 0; i < _countof(EnumeratedModules); i++)
for(i = 0; i < (int)(cbNeeded / sizeof(HMODULE)); i++)
{
if(EnumeratedModules[i] == (HMODULE)MemInfo.AllocationBase)
{
@ -521,12 +529,11 @@ __declspec(dllexport) bool TITCALL DumpRegionsW(HANDLE hProcess, wchar_t* szDump
__declspec(dllexport) bool TITCALL DumpRegionsEx(DWORD ProcessId, char* szDumpFolder, bool DumpAboveImageBaseOnly)
{
wchar_t uniDumpFolder[MAX_PATH] = {};
wchar_t uniDumpFolder[MAX_PATH] = {0};
if(szDumpFolder != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szDumpFolder, lstrlenA(szDumpFolder)+1, uniDumpFolder, sizeof(uniDumpFolder)/(sizeof(uniDumpFolder[0])));
MultiByteToWideChar(CP_ACP, NULL, szDumpFolder, -1, uniDumpFolder, _countof(uniDumpFolder));
return(DumpRegionsExW(ProcessId, uniDumpFolder, DumpAboveImageBaseOnly));
}
else
@ -537,19 +544,15 @@ __declspec(dllexport) bool TITCALL DumpRegionsEx(DWORD ProcessId, char* szDumpFo
__declspec(dllexport) bool TITCALL DumpRegionsExW(DWORD ProcessId, wchar_t* szDumpFolder, bool DumpAboveImageBaseOnly)
{
HANDLE hProcess = 0;
BOOL ReturnValue = false;
bool ReturnValue = false;
hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
if(hProcess)
{
ReturnValue = DumpRegionsW(hProcess, szDumpFolder, DumpAboveImageBaseOnly);
EngineCloseHandle(hProcess);
if(ReturnValue)
{
return true;
}
return ReturnValue;
}
return false;
@ -557,12 +560,11 @@ __declspec(dllexport) bool TITCALL DumpRegionsExW(DWORD ProcessId, wchar_t* szDu
__declspec(dllexport) bool TITCALL DumpModule(HANDLE hProcess, LPVOID ModuleBase, char* szDumpFileName)
{
wchar_t uniDumpFileName[MAX_PATH] = {};
wchar_t uniDumpFileName[MAX_PATH] = {0};
if(szDumpFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, lstrlenA(szDumpFileName)+1, uniDumpFileName, sizeof(uniDumpFileName)/(sizeof(uniDumpFileName[0])));
MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, -1, uniDumpFileName, _countof(uniDumpFileName));
return(DumpModuleW(hProcess, ModuleBase, uniDumpFileName));
}
else
@ -575,13 +577,13 @@ __declspec(dllexport) bool TITCALL DumpModuleW(HANDLE hProcess, LPVOID ModuleBas
{
int i;
DWORD Dummy = NULL;
DWORD cbNeeded = NULL;
MODULEINFO RemoteModuleInfo;
HMODULE EnumeratedModules[1024];
HMODULE EnumeratedModules[1024] = {0};
if(EnumProcessModules(hProcess, EnumeratedModules, sizeof(EnumeratedModules), &Dummy))
if(EnumProcessModules(hProcess, EnumeratedModules, sizeof(EnumeratedModules), &cbNeeded))
{
for(i = 0; i < _countof(EnumeratedModules); i++)
for(i = 0; i < (int)(cbNeeded / sizeof(HMODULE)); i++)
{
if(EnumeratedModules[i] == (HMODULE)ModuleBase)
{
@ -597,12 +599,11 @@ __declspec(dllexport) bool TITCALL DumpModuleW(HANDLE hProcess, LPVOID ModuleBas
__declspec(dllexport) bool TITCALL DumpModuleEx(DWORD ProcessId, LPVOID ModuleBase, char* szDumpFileName)
{
wchar_t uniDumpFileName[MAX_PATH] = {};
wchar_t uniDumpFileName[MAX_PATH] = {0};
if(szDumpFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, lstrlenA(szDumpFileName)+1, uniDumpFileName, sizeof(uniDumpFileName)/(sizeof(uniDumpFileName[0])));
MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, -1, uniDumpFileName, _countof(uniDumpFileName));
return(DumpModuleExW(ProcessId, ModuleBase, uniDumpFileName));
}
else
@ -615,17 +616,14 @@ __declspec(dllexport) bool TITCALL DumpModuleExW(DWORD ProcessId, LPVOID ModuleB
{
HANDLE hProcess = 0;
BOOL ReturnValue = false;
bool ReturnValue = false;
hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
if(hProcess) //If the function fails, the return value is NULL. To get extended error information, call GetLastError.
{
ReturnValue = DumpModuleW(hProcess, ModuleBase, szDumpFileName);
EngineCloseHandle(hProcess);
if(ReturnValue)
{
return true;
}
return ReturnValue;
}
return false;
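Review bot: In the new `ReadProcessMemoryEnforce`, the retry branch sets `retValue = false;` when the second `ReadProcessMemory` succeeds, so the function reports failure in exactly the case it was added to handle; that line should be `retValue = true;`. The dump loops in `DumpProcessW` and `DumpMemoryW` ignore the return value and call `WriteFile` regardless, which hides the mistake today but also means an unreadable page is written out as whatever `ueCopyBuffer` holds, with no signal to the caller. Separately, the fallback relies on `VirtualProtectEx`, which needs `PROCESS_VM_OPERATION` on the handle, while `DumpProcessExW`, `DumpMemoryExW`, `DumpRegionsExW` and `DumpModuleExW` open the target with only `PROCESS_VM_READ|PROCESS_QUERY_INFORMATION`, so the retry cannot take effect through those entry points. The result of the restoring `VirtualProtectEx` call is also unchecked, so a failed restore would leave the page `PAGE_EXECUTE_READWRITE` in the target.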


@ -1112,14 +1112,13 @@ __declspec(dllexport) void TITCALL HooksScanEntireProcessMemory(LPVOID CallBack)
{
unsigned int i;
DWORD ModulesLoaded;
HMODULE EnumeratedModules[1024];
DWORD cbNeeded = 0;
HMODULE EnumeratedModules[1024] = {0};
hookEntry.clear();
if(EnumProcessModules(GetCurrentProcess(), &EnumeratedModules[0], sizeof EnumeratedModules, &ModulesLoaded))
if(EnumProcessModules(GetCurrentProcess(), EnumeratedModules, sizeof(EnumeratedModules), &cbNeeded))
{
ModulesLoaded = ModulesLoaded / sizeof HANDLE;
for(i = 1; i < ModulesLoaded; i++)
for(i = 1; i < (cbNeeded / sizeof(HMODULE)); i++)
{
HooksScanModuleMemory(EnumeratedModules[i], CallBack);
}
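Review bot: The new loop bound `cbNeeded / sizeof(HMODULE)` is not limited to the size of `EnumeratedModules`. `EnumProcessModules` reports in `cbNeeded` the bytes required for the full module list, which exceeds `sizeof(EnumeratedModules)` when the process has more than 1024 modules, and the loop would then index past the end of the array. Clamp the count before iterating, e.g. `DWORD count = min(cbNeeded, (DWORD)sizeof(EnumeratedModules)) / sizeof(HMODULE);`. The same unclamped bound appears in the new loops of `DumpRegionsW`, `DumpModuleW`, `ImporterGetRemoteDLLBaseEx` and `EnumProcessesWithLibrary`.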


@ -240,25 +240,22 @@ __declspec(dllexport) long long TITCALL ImporterGetRemoteDLLBase(HANDLE hProcess
}
__declspec(dllexport) long long TITCALL ImporterGetRemoteDLLBaseEx(HANDLE hProcess, char* szModuleName)
{
DWORD cbNeeded = NULL;
HMODULE EnumeratedModules[0x1024] = {0};
char RemoteDLLName[MAX_PATH] = {0};
int i = 1;
DWORD Dummy = NULL;
ULONG_PTR EnumeratedModules[0x2000];
char RemoteDLLName[MAX_PATH];
if(EnumProcessModules(hProcess, (HMODULE*)EnumeratedModules, 0x2000, &Dummy))
if(EnumProcessModules(hProcess, EnumeratedModules, sizeof(EnumeratedModules), &cbNeeded))
{
RtlZeroMemory(&RemoteDLLName, MAX_PATH);
while(EnumeratedModules[i] != NULL)
for(int i = 0; i < (int)(cbNeeded / sizeof(HMODULE)); i++)
{
if(GetModuleBaseNameA(hProcess, (HMODULE)EnumeratedModules[i], (LPSTR)RemoteDLLName, MAX_PATH) > NULL)
RemoteDLLName[0] = 0;
if(GetModuleBaseNameA(hProcess, EnumeratedModules[i], (LPSTR)RemoteDLLName, _countof(RemoteDLLName)) > NULL)
{
if(lstrcmpiA((LPCSTR)RemoteDLLName, (LPCSTR)szModuleName))
{
return((ULONG_PTR)EnumeratedModules[i]);
}
}
i++;
}
}
return(NULL);
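Review bot: The match test `if(lstrcmpiA((LPCSTR)RemoteDLLName, (LPCSTR)szModuleName))` looks inverted: `lstrcmpiA` returns 0 when the names are equal, so the branch returns the first module whose name differs from `szModuleName`. Now that the loop starts at index 0 instead of 1, that will normally be the first enumerated entry; the condition should read `if(lstrcmpiA(RemoteDLLName, szModuleName) == 0)`. The array size `0x1024` (4132 entries) also looks like a typo for `1024` or `0x1000` and places a large buffer on the stack. In the visible lines `szModuleName` reaches the comparison without a NULL check.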


@ -73,11 +73,11 @@ __declspec(dllexport) void TITCALL EnumProcessesWithLibrary(char* szLibraryName,
int j;
typedef void(TITCALL *fEnumFunction)(DWORD ProcessId, HMODULE ModuleBaseAddress);
fEnumFunction myEnumFunction = (fEnumFunction)EnumFunction;
HMODULE EnumeratedModules[1024] = {};
DWORD bProcessId[1024] = {};
char szModuleName[1024] = {};
HMODULE EnumeratedModules[1024] = {0};
DWORD bProcessId[1024] = {0};
char szModuleName[1024] = {0};
DWORD pProcessIdCount = NULL;
DWORD pModuleCount;
DWORD cbNeeded = 0;
HANDLE hProcess;
if(EnumFunction != NULL)
@ -91,10 +91,10 @@ __declspec(dllexport) void TITCALL EnumProcessesWithLibrary(char* szLibraryName,
hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, false, bProcessId[i]);
if(hProcess != NULL)
{
RtlZeroMemory(&EnumeratedModules[0], sizeof EnumeratedModules);
if(EnumProcessModules(hProcess, (HMODULE*)EnumeratedModules, sizeof EnumeratedModules, &pModuleCount))
RtlZeroMemory(EnumeratedModules, sizeof(EnumeratedModules));
if(EnumProcessModules(hProcess, (HMODULE*)EnumeratedModules, sizeof(EnumeratedModules), &cbNeeded))
{
for(j = 0; j < (int)pModuleCount; j++)
for(j = 0; j < (int)(cbNeeded / sizeof(HMODULE)); j++)
{
if(EnumeratedModules[j] != NULL)
{


@ -543,8 +543,8 @@ __declspec(dllexport) long long TITCALL HashTracerLevel1(HANDLE hProcess, ULONG_
unsigned int j = 0;
DWORD Dummy = NULL;
MODULEINFO RemoteModuleInfo;
ULONG_PTR EnumeratedModules[0x2000];
ULONG_PTR LoadedModules[1000][4];
ULONG_PTR EnumeratedModules[0x2000] = {0};
ULONG_PTR LoadedModules[1000][4] = {0};
char RemoteDLLName[MAX_PATH];
HANDLE hLoadedModule = NULL;
HANDLE ModuleHandle = NULL;
@ -576,8 +576,7 @@ __declspec(dllexport) long long TITCALL HashTracerLevel1(HANDLE hProcess, ULONG_
return(NULL);
}
}
RtlZeroMemory(&EnumeratedModules, 0x2000 * sizeof ULONG_PTR);
RtlZeroMemory(&LoadedModules, 1000 * 4 * sizeof ULONG_PTR);
if(hProcess == NULL)
{
if(dbgProcessInformation.hProcess == NULL)
@ -589,7 +588,7 @@ __declspec(dllexport) long long TITCALL HashTracerLevel1(HANDLE hProcess, ULONG_
hProcess = dbgProcessInformation.hProcess;
}
}
if(EnumProcessModules(hProcess, (HMODULE*)EnumeratedModules, 0x2000, &Dummy))
if(EnumProcessModules(hProcess, (HMODULE*)EnumeratedModules, sizeof(EnumeratedModules), &Dummy))
{
i++;
while(FoundAPI == false && EnumeratedModules[i] != NULL)
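Review bot: The walk `while(FoundAPI == false && EnumeratedModules[i] != NULL)` still depends on a zero entry terminating the list, and the byte count returned in `Dummy` is discarded. If the enumeration fills the whole array there is no terminator and the loop runs past the end; bounding it by the returned count, clamped to the array size, removes that dependency, e.g. `i < min(Dummy, (DWORD)sizeof(EnumeratedModules)) / sizeof(ULONG_PTR)`. `EngineGlobalAPIHandler` makes the same call with `&Dummy`, although its loop lies outside the visible hunk. The loop body here continues outside this hunk.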


@ -73,6 +73,7 @@ __declspec(dllexport) long long TITCALL ConvertVAtoFileOffset(ULONG_PTR FileMapV
__declspec(dllexport) long long TITCALL ConvertVAtoFileOffsetEx(ULONG_PTR FileMapVA, DWORD FileSize, ULONG_PTR ImageBase, ULONG_PTR AddressToConvert, bool AddressIsRVA, bool ReturnType);
__declspec(dllexport) long long TITCALL ConvertFileOffsetToVA(ULONG_PTR FileMapVA, ULONG_PTR AddressToConvert, bool ReturnType);
__declspec(dllexport) long long TITCALL ConvertFileOffsetToVAEx(ULONG_PTR FileMapVA, DWORD FileSize, ULONG_PTR ImageBase, ULONG_PTR AddressToConvert, bool ReturnType);
__declspec(dllexport) bool TITCALL ReadProcessMemoryEnforce(HANDLE hProcess, LPVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T * lpNumberOfBytesRead);
// TitanEngine.Realigner.functions:
__declspec(dllexport) bool TITCALL FixHeaderCheckSum(char* szFileName);
__declspec(dllexport) bool TITCALL FixHeaderCheckSumW(wchar_t* szFileName);