From 1f4b6de250535ba6347202a591b964963e86ef18 Mon Sep 17 00:00:00 2001 From: NtQuery Date: Sun, 9 Mar 2014 22:03:45 +0100 Subject: [PATCH] fixed EnumProcessModules problems, improved dumper, added new function ReadProcessMemoryEnforce --- TitanEngine/Global.Engine.cpp | 11 +- TitanEngine/TitanEngine.Dumper.cpp | 188 +++++++++++++-------------- TitanEngine/TitanEngine.Hooks.cpp | 9 +- TitanEngine/TitanEngine.Importer.cpp | 17 +-- TitanEngine/TitanEngine.Process.cpp | 14 +- TitanEngine/TitanEngine.Tracer.cpp | 9 +- TitanEngine/definitions.h | 1 + 7 files changed, 120 insertions(+), 129 deletions(-) diff --git a/TitanEngine/Global.Engine.cpp b/TitanEngine/Global.Engine.cpp index 5e53b29..4ef529b 100644 --- a/TitanEngine/Global.Engine.cpp +++ b/TitanEngine/Global.Engine.cpp @@ -1316,8 +1316,8 @@ long long EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBa unsigned int z = 0; DWORD Dummy = NULL; HANDLE hProcess = NULL; - ULONG_PTR EnumeratedModules[0x2000]; - ULONG_PTR LoadedModules[1000][4]; + ULONG_PTR EnumeratedModules[0x1000] = {0}; + ULONG_PTR LoadedModules[1000][4] = {0}; char RemoteDLLName[MAX_PATH]= {0}; char FullRemoteDLLName[MAX_PATH]= {0}; char szWindowsSideBySide[MAX_PATH]= {0}; @@ -1349,15 +1349,12 @@ long long EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBa int Vista64UserForwarderFix = 0; unsigned int Windows7KernelBase = 0xFFFFFFFF; - RtlZeroMemory(&engineFoundDLLName, sizeof(szFwdDLLName)); - RtlZeroMemory(&EnumeratedModules, 0x2000 * sizeof ULONG_PTR); - RtlZeroMemory(&LoadedModules, 1000 * 4 * sizeof ULONG_PTR); GetWindowsDirectoryA(szWindowsSideBySide, MAX_PATH); lstrcpyA(szWindowsKernelBase, szWindowsSideBySide); lstrcatA(szWindowsSideBySide, "\\WinSxS"); if(EnumedModulesBases != NULL) { - RtlMoveMemory(&EnumeratedModules, (LPVOID)EnumedModulesBases, 0x1000); + RtlMoveMemory(EnumeratedModules, (LPVOID)EnumedModulesBases, 0x1000); i--; } if(handleProcess == NULL) 
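Review bot: The removed `RtlZeroMemory(&engineFoundDLLName, sizeof(szFwdDLLName));` has no replacement in this hunk, whereas the other two removed zeroing calls became the `= {0}` initializers on EnumeratedModules and LoadedModules. engineFoundDLLName is not among the locals shown here, so if it is file-scope state it now keeps whatever the previous call left in it and a lookup that finds nothing can report a stale name. If that is intended, say so with `// engineFoundDLLName is cleared by the caller`; otherwise restore the clear, sized by the object itself (`sizeof(engineFoundDLLName)`) rather than by szFwdDLLName. EngineGlobalAPIHandler begins before and continues past this hunk.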
@@ -1375,7 +1372,7 @@ long long EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBa { hProcess = handleProcess; } - if(EnumedModulesBases != NULL || EnumProcessModules(hProcess, (HMODULE*)EnumeratedModules, 0x2000, &Dummy)) + if(EnumedModulesBases != NULL || EnumProcessModules(hProcess, (HMODULE*)EnumeratedModules, sizeof(EnumeratedModules), &Dummy)) { i++; z = i; diff --git a/TitanEngine/TitanEngine.Dumper.cpp b/TitanEngine/TitanEngine.Dumper.cpp index 53d7351..13fbc3f 100644 --- a/TitanEngine/TitanEngine.Dumper.cpp +++ b/TitanEngine/TitanEngine.Dumper.cpp @@ -7,10 +7,10 @@ //TitanEngine.Dumper.functions: __declspec(dllexport) bool TITCALL DumpProcess(HANDLE hProcess, LPVOID ImageBase, char* szDumpFileName, ULONG_PTR EntryPoint) { - wchar_t uniDumpFileName[MAX_PATH] = {}; + wchar_t uniDumpFileName[MAX_PATH] = {0}; if(szDumpFileName != NULL) { - MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, lstrlenA(szDumpFileName)+1, uniDumpFileName, sizeof(uniDumpFileName)/(sizeof(uniDumpFileName[0]))); + MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, -1, uniDumpFileName, _countof(uniDumpFileName)); return DumpProcessW(hProcess, ImageBase, uniDumpFileName, EntryPoint); } return false; @@ -39,7 +39,6 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas SIZE_T AlignedHeaderSize = NULL; LPVOID ueReadBuffer = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); LPVOID ueCopyBuffer = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); - DWORD Protect; if(ReadProcessMemory(hProcess, ImageBase, ueReadBuffer, 0x1000, &ueNumberOfBytesRead)) {//ReadProcessMemory 
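Review bot: The `MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, -1, uniDumpFileName, _countof(uniDumpFileName))` call in DumpProcess still discards its return value; when szDumpFileName needs more than MAX_PATH wide characters the call returns 0, uniDumpFileName may be left partially filled without the terminator that the -1 source length would normally write, and that buffer is handed to DumpProcessW as the output path. Fail the wrapper instead: `if(MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, -1, uniDumpFileName, _countof(uniDumpFileName)) == 0) return false;`. The same unchecked conversion is repeated in DumpProcessEx, DumpMemory, DumpMemoryEx, DumpRegions, DumpRegionsEx, DumpModule and DumpModuleEx in the later hunks of this file.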
@@ -156,24 +155,18 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas if(SizeOfImageDump >= TITANENGINE_PAGESIZE) { RtlZeroMemory(ueCopyBuffer, AlignedHeaderSize); - if(!ReadProcessMemory(hProcess, ReadBase, ueCopyBuffer, TITANENGINE_PAGESIZE, &ueNumberOfBytesRead)) - { - VirtualProtectEx(hProcess, ReadBase, TITANENGINE_PAGESIZE, PAGE_EXECUTE_READWRITE, &Protect); - ReadProcessMemory(hProcess, ReadBase, ueCopyBuffer, TITANENGINE_PAGESIZE, &ueNumberOfBytesRead); - VirtualProtectEx(hProcess, ReadBase, TITANENGINE_PAGESIZE, Protect, &Protect); - } + + ReadProcessMemoryEnforce(hProcess, ReadBase, ueCopyBuffer, TITANENGINE_PAGESIZE, &ueNumberOfBytesRead); + WriteFile(hFile, ueCopyBuffer, TITANENGINE_PAGESIZE, &uedNumberOfBytesRead, NULL); SizeOfImageDump = SizeOfImageDump - TITANENGINE_PAGESIZE; } else { RtlZeroMemory(ueCopyBuffer, AlignedHeaderSize); - if(!ReadProcessMemory(hProcess, ReadBase, ueCopyBuffer, SizeOfImageDump, &ueNumberOfBytesRead)) - { - VirtualProtectEx(hProcess, ReadBase, TITANENGINE_PAGESIZE, PAGE_EXECUTE_READWRITE, &Protect); - ReadProcessMemory(hProcess, ReadBase, ueCopyBuffer, TITANENGINE_PAGESIZE, &ueNumberOfBytesRead); - VirtualProtectEx(hProcess, ReadBase, TITANENGINE_PAGESIZE, Protect, &Protect); - } + + ReadProcessMemoryEnforce(hProcess, ReadBase, ueCopyBuffer, SizeOfImageDump, &ueNumberOfBytesRead); + WriteFile(hFile, ueCopyBuffer, SizeOfImageDump, &uedNumberOfBytesRead, NULL); SizeOfImageDump = NULL; } 
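Review bot: The result of `ReadProcessMemoryEnforce(hProcess, ReadBase, ueCopyBuffer, TITANENGINE_PAGESIZE, &ueNumberOfBytesRead);` is discarded and the WriteFile that follows runs unconditionally, so a page that cannot be read even after the protection fallback is still emitted into the dump. The preceding RtlZeroMemory clears only AlignedHeaderSize bytes; if that is smaller than TITANENGINE_PAGESIZE, the rest of the written page is whatever the previous iteration left in ueCopyBuffer, which makes the dump non-deterministic for unreadable regions. Either clear the whole page before the read (`RtlZeroMemory(ueCopyBuffer, TITANENGINE_PAGESIZE);`) or test the return value and zero the buffer on failure so an unreadable page is always written as zeros. The same pattern is in the -245 hunk of this file and in both branches of DumpMemoryW at -376 (there the buffer is fully cleared, but the result is still ignored). DumpProcessW begins before and continues past this hunk.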
@@ -245,24 +238,18 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas if(SizeOfImageDump >= TITANENGINE_PAGESIZE) { RtlZeroMemory(ueCopyBuffer, AlignedHeaderSize); - if(!ReadProcessMemory(hProcess, ReadBase, ueCopyBuffer, TITANENGINE_PAGESIZE, &ueNumberOfBytesRead)) - { - VirtualProtectEx(hProcess, ReadBase, TITANENGINE_PAGESIZE, PAGE_EXECUTE_READWRITE, &Protect); - ReadProcessMemory(hProcess, ReadBase, ueCopyBuffer, TITANENGINE_PAGESIZE, &ueNumberOfBytesRead); - VirtualProtectEx(hProcess, ReadBase, TITANENGINE_PAGESIZE, Protect, &Protect); - } + + ReadProcessMemoryEnforce(hProcess, ReadBase, ueCopyBuffer, TITANENGINE_PAGESIZE, &ueNumberOfBytesRead); + WriteFile(hFile, ueCopyBuffer, TITANENGINE_PAGESIZE, &uedNumberOfBytesRead, NULL); SizeOfImageDump = SizeOfImageDump - TITANENGINE_PAGESIZE; } else { RtlZeroMemory(ueCopyBuffer, AlignedHeaderSize); - if(!ReadProcessMemory(hProcess, ReadBase, ueCopyBuffer, SizeOfImageDump, &ueNumberOfBytesRead)) - { - VirtualProtectEx(hProcess, ReadBase, TITANENGINE_PAGESIZE, PAGE_EXECUTE_READWRITE, &Protect); - ReadProcessMemory(hProcess, ReadBase, ueCopyBuffer, TITANENGINE_PAGESIZE, &ueNumberOfBytesRead); - VirtualProtectEx(hProcess, ReadBase, TITANENGINE_PAGESIZE, Protect, &Protect); - } + + ReadProcessMemoryEnforce(hProcess, ReadBase, ueCopyBuffer, SizeOfImageDump, &ueNumberOfBytesRead); + WriteFile(hFile, ueCopyBuffer, SizeOfImageDump, &uedNumberOfBytesRead, NULL); SizeOfImageDump = NULL; } 
@@ -298,12 +285,11 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas __declspec(dllexport) bool TITCALL DumpProcessEx(DWORD ProcessId, LPVOID ImageBase, char* szDumpFileName, ULONG_PTR EntryPoint) { - - wchar_t uniDumpFileName[MAX_PATH] = {}; + wchar_t uniDumpFileName[MAX_PATH] = {0}; if(szDumpFileName != NULL) { - MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, lstrlenA(szDumpFileName)+1, uniDumpFileName, sizeof(uniDumpFileName)/(sizeof(uniDumpFileName[0]))); + MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, -1, uniDumpFileName, _countof(uniDumpFileName)); return(DumpProcessExW(ProcessId, ImageBase, uniDumpFileName, EntryPoint)); } else @@ -316,21 +302,14 @@ __declspec(dllexport) bool TITCALL DumpProcessExW(DWORD ProcessId, LPVOID ImageB { HANDLE hProcess = 0; - BOOL ReturnValue = false; + bool ReturnValue = false; hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId); if(hProcess) { ReturnValue = DumpProcessW(hProcess, ImageBase, szDumpFileName, EntryPoint); EngineCloseHandle(hProcess); - if(ReturnValue) - { - return true; - } - else - { - return false; - } + return ReturnValue; } else { @@ -340,12 +319,11 @@ __declspec(dllexport) bool TITCALL DumpProcessExW(DWORD ProcessId, LPVOID ImageB __declspec(dllexport) bool TITCALL DumpMemory(HANDLE hProcess, LPVOID MemoryStart, ULONG_PTR MemorySize, char* szDumpFileName) { - - wchar_t uniDumpFileName[MAX_PATH] = {}; + wchar_t uniDumpFileName[MAX_PATH] = {0}; if(szDumpFileName != NULL) { - MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, lstrlenA(szDumpFileName)+1, uniDumpFileName, sizeof(uniDumpFileName)/(sizeof(uniDumpFileName[0]))); + MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, -1, uniDumpFileName, _countof(uniDumpFileName)); return(DumpMemoryW(hProcess, MemoryStart, MemorySize, uniDumpFileName)); } else 
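Review bot: DumpProcessExW opens the target with `PROCESS_VM_READ|PROCESS_QUERY_INFORMATION` only, but DumpProcessW now routes its reads through ReadProcessMemoryEnforce, whose fallback calls VirtualProtectEx, and that API requires PROCESS_VM_OPERATION on the handle. Through this entry point the fallback can therefore never succeed and the behaviour is that of a plain ReadProcessMemory, which is a reasonable least-privilege choice but should be stated, e.g. `// handle lacks PROCESS_VM_OPERATION: the protection fallback in ReadProcessMemoryEnforce is unavailable here`; if the fallback is wanted through the *Ex entry points, the access mask has to include that right. DumpMemoryExW, DumpRegionsExW and DumpModuleExW in the later hunks open their handles the same way.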
@@ -354,6 +332,46 @@ __declspec(dllexport) bool TITCALL DumpMemory(HANDLE hProcess, LPVOID MemoryStar } } +__declspec(dllexport) bool TITCALL ReadProcessMemoryEnforce(HANDLE hProcess, LPVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T * lpNumberOfBytesRead) +{ + SIZE_T ueNumberOfBytesRead = 0; + SIZE_T * pNumBytes = 0; + DWORD dwProtect = 0; + bool retValue = false; + + if ( (hProcess == 0) || (lpBaseAddress == 0) || (lpBuffer == 0) || (nSize == 0)) + { + return false; + } + + if (!lpNumberOfBytesRead) + { + pNumBytes = &ueNumberOfBytesRead; + } + else + { + pNumBytes = lpNumberOfBytesRead; + } + + if(!ReadProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, pNumBytes)) + { + if (VirtualProtectEx(hProcess, lpBaseAddress, nSize, PAGE_EXECUTE_READWRITE, &dwProtect)) + { + if (ReadProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, pNumBytes)) + { + retValue = false; + } + VirtualProtectEx(hProcess, lpBaseAddress, nSize, dwProtect, &dwProtect); + } + } + else + { + retValue = true; + } + + return retValue; +} + __declspec(dllexport) bool TITCALL DumpMemoryW(HANDLE hProcess, LPVOID MemoryStart, ULONG_PTR MemorySize, wchar_t* szDumpFileName) { @@ -363,7 +381,6 @@ __declspec(dllexport) bool TITCALL DumpMemoryW(HANDLE hProcess, LPVOID MemorySta LPVOID ReadBase = MemoryStart; ULONG_PTR ProcReadBase = (ULONG_PTR)ReadBase; LPVOID ueCopyBuffer = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); - MEMORY_BASIC_INFORMATION MemInfo; if(EngineCreatePathForFileW(szDumpFileName)) { 
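Review bot: In ReadProcessMemoryEnforce the retry branch sets `retValue = false;` when the second ReadProcessMemory succeeds, so every read that only works after the VirtualProtectEx fallback is reported as a failure and the function returns true only when the first attempt succeeded; the line should read `retValue = true;`. The restoring `VirtualProtectEx(hProcess, lpBaseAddress, nSize, dwProtect, &dwProtect);` is also unchecked, so a failed restore silently leaves the target range PAGE_EXECUTE_READWRITE; at minimum that deserves a comment, better a check whose failure is surfaced to the caller. Note too that dwProtect holds the previous protection of the first page of the range only, so when lpBaseAddress is not page-aligned or nSize spans pages with differing protections the restore applies the first page's value to all of them.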
@@ -376,26 +393,18 @@ __declspec(dllexport) bool TITCALL DumpMemoryW(HANDLE hProcess, LPVOID MemorySta if(MemorySize >= 0x1000) { RtlZeroMemory(ueCopyBuffer,0x2000); - if(!ReadProcessMemory(hProcess, ReadBase, ueCopyBuffer, 0x1000, &ueNumberOfBytesRead)) - { - VirtualQueryEx(hProcess, ReadBase, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); - VirtualProtectEx(hProcess, ReadBase, 0x1000, PAGE_EXECUTE_READWRITE, &MemInfo.Protect); - ReadProcessMemory(hProcess, ReadBase, ueCopyBuffer, 0x1000, &ueNumberOfBytesRead); - VirtualProtectEx(hProcess, ReadBase, 0x1000, MemInfo.Protect, &MemInfo.Protect); - } + + ReadProcessMemoryEnforce(hProcess, ReadBase, ueCopyBuffer, 0x1000, &ueNumberOfBytesRead); + WriteFile(hFile,ueCopyBuffer, 0x1000, &uedNumberOfBytesRead, NULL); MemorySize = MemorySize - 0x1000; } else { RtlZeroMemory(ueCopyBuffer,0x2000); - if(!ReadProcessMemory(hProcess, ReadBase, ueCopyBuffer, MemorySize, &ueNumberOfBytesRead)) - { - VirtualQueryEx(hProcess, ReadBase, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); - VirtualProtectEx(hProcess, ReadBase, 0x1000, PAGE_EXECUTE_READWRITE, &MemInfo.Protect); - ReadProcessMemory(hProcess, ReadBase, ueCopyBuffer, 0x1000, &ueNumberOfBytesRead); - VirtualProtectEx(hProcess, ReadBase, 0x1000, MemInfo.Protect, &MemInfo.Protect); - } + + ReadProcessMemoryEnforce(hProcess, ReadBase, ueCopyBuffer, MemorySize, &ueNumberOfBytesRead); + WriteFile(hFile, ueCopyBuffer, (DWORD)MemorySize, &uedNumberOfBytesRead, NULL); MemorySize = NULL; } 
@@ -416,12 +425,11 @@ __declspec(dllexport) bool TITCALL DumpMemoryW(HANDLE hProcess, LPVOID MemorySta __declspec(dllexport) bool TITCALL DumpMemoryEx(DWORD ProcessId, LPVOID MemoryStart, ULONG_PTR MemorySize, char* szDumpFileName) { - - wchar_t uniDumpFileName[MAX_PATH] = {}; + wchar_t uniDumpFileName[MAX_PATH] = {0}; if(szDumpFileName != NULL) { - MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, lstrlenA(szDumpFileName)+1, uniDumpFileName, sizeof(uniDumpFileName)/(sizeof(uniDumpFileName[0]))); + MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, -1, uniDumpFileName, _countof(uniDumpFileName)); return(DumpMemoryExW(ProcessId, MemoryStart, MemorySize, uniDumpFileName)); } else @@ -434,17 +442,14 @@ __declspec(dllexport) bool TITCALL DumpMemoryExW(DWORD ProcessId, LPVOID MemoryS { HANDLE hProcess = 0; - BOOL ReturnValue = false; + bool ReturnValue = false; hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId); if(hProcess) { ReturnValue = DumpMemoryW(hProcess, MemoryStart, MemorySize, szDumpFileName); EngineCloseHandle(hProcess); - if(ReturnValue) - { - return true; - } + return ReturnValue; } return false; @@ -452,12 +457,11 @@ __declspec(dllexport) bool TITCALL DumpMemoryExW(DWORD ProcessId, LPVOID MemoryS __declspec(dllexport) bool TITCALL DumpRegions(HANDLE hProcess, char* szDumpFolder, bool DumpAboveImageBaseOnly) { - - wchar_t uniDumpFolder[MAX_PATH] = {}; + wchar_t uniDumpFolder[MAX_PATH] = {0}; if(szDumpFolder != NULL) { - MultiByteToWideChar(CP_ACP, NULL, szDumpFolder, lstrlenA(szDumpFolder)+1, uniDumpFolder, sizeof(uniDumpFolder)/(sizeof(uniDumpFolder[0]))); + MultiByteToWideChar(CP_ACP, NULL, szDumpFolder, -1, uniDumpFolder, _countof(uniDumpFolder)); return(DumpRegionsW(hProcess, uniDumpFolder, DumpAboveImageBaseOnly)); } else 
@@ -470,7 +474,7 @@ __declspec(dllexport) bool TITCALL DumpRegionsW(HANDLE hProcess, wchar_t* szDump { int i; - DWORD Dummy = NULL; + DWORD cbNeeded = NULL; wchar_t szDumpName[MAX_PATH]; wchar_t szDumpFileName[MAX_PATH]; MEMORY_BASIC_INFORMATION MemInfo; @@ -480,11 +484,15 @@ __declspec(dllexport) bool TITCALL DumpRegionsW(HANDLE hProcess, wchar_t* szDump if(hProcess != NULL) { - EnumProcessModules(hProcess, EnumeratedModules, sizeof(EnumeratedModules), &Dummy); + if (!EnumProcessModules(hProcess, EnumeratedModules, sizeof(EnumeratedModules), &cbNeeded)) + { + return false; + } + while(VirtualQueryEx(hProcess, (LPVOID)DumpAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION) != NULL) { AddressIsModuleBase = false; - for(i = 0; i < _countof(EnumeratedModules); i++) + for(i = 0; i < (int)(cbNeeded / sizeof(HMODULE)); i++) { if(EnumeratedModules[i] == (HMODULE)MemInfo.AllocationBase) { @@ -521,12 +529,11 @@ __declspec(dllexport) bool TITCALL DumpRegionsW(HANDLE hProcess, wchar_t* szDump __declspec(dllexport) bool TITCALL DumpRegionsEx(DWORD ProcessId, char* szDumpFolder, bool DumpAboveImageBaseOnly) { - - wchar_t uniDumpFolder[MAX_PATH] = {}; + wchar_t uniDumpFolder[MAX_PATH] = {0}; if(szDumpFolder != NULL) { - MultiByteToWideChar(CP_ACP, NULL, szDumpFolder, lstrlenA(szDumpFolder)+1, uniDumpFolder, sizeof(uniDumpFolder)/(sizeof(uniDumpFolder[0]))); + MultiByteToWideChar(CP_ACP, NULL, szDumpFolder, -1, uniDumpFolder, _countof(uniDumpFolder)); return(DumpRegionsExW(ProcessId, uniDumpFolder, DumpAboveImageBaseOnly)); } else 
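Review bot: The new loop bound `(int)(cbNeeded / sizeof(HMODULE))` in DumpRegionsW can exceed the capacity of EnumeratedModules: EnumProcessModules reports in cbNeeded the size needed to hold all module handles, not the size it copied, and it still returns success when the array is too small, so a process with more modules than the array holds makes the loop read past its end. Clamp the count before using it: `DWORD cbUsed = cbNeeded < sizeof(EnumeratedModules) ? cbNeeded : (DWORD)sizeof(EnumeratedModules);` and iterate `for(i = 0; i < (int)(cbUsed / sizeof(HMODULE)); i++)`. The same unclamped bound is introduced in DumpModuleW at -575, in HooksScanEntireProcessMemory, in ImporterGetRemoteDLLBaseEx and in EnumProcessesWithLibrary. EnumeratedModules is declared outside this hunk.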
@@ -537,19 +544,15 @@ __declspec(dllexport) bool TITCALL DumpRegionsEx(DWORD ProcessId, char* szDumpFo __declspec(dllexport) bool TITCALL DumpRegionsExW(DWORD ProcessId, wchar_t* szDumpFolder, bool DumpAboveImageBaseOnly) { - HANDLE hProcess = 0; - BOOL ReturnValue = false; + bool ReturnValue = false; hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId); if(hProcess) { ReturnValue = DumpRegionsW(hProcess, szDumpFolder, DumpAboveImageBaseOnly); EngineCloseHandle(hProcess); - if(ReturnValue) - { - return true; - } + return ReturnValue; } return false; @@ -557,12 +560,11 @@ __declspec(dllexport) bool TITCALL DumpRegionsExW(DWORD ProcessId, wchar_t* szDu __declspec(dllexport) bool TITCALL DumpModule(HANDLE hProcess, LPVOID ModuleBase, char* szDumpFileName) { - - wchar_t uniDumpFileName[MAX_PATH] = {}; + wchar_t uniDumpFileName[MAX_PATH] = {0}; if(szDumpFileName != NULL) { - MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, lstrlenA(szDumpFileName)+1, uniDumpFileName, sizeof(uniDumpFileName)/(sizeof(uniDumpFileName[0]))); + MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, -1, uniDumpFileName, _countof(uniDumpFileName)); return(DumpModuleW(hProcess, ModuleBase, uniDumpFileName)); } else @@ -575,13 +577,13 @@ __declspec(dllexport) bool TITCALL DumpModuleW(HANDLE hProcess, LPVOID ModuleBas { int i; - DWORD Dummy = NULL; + DWORD cbNeeded = NULL; MODULEINFO RemoteModuleInfo; - HMODULE EnumeratedModules[1024]; + HMODULE EnumeratedModules[1024] = {0}; - if(EnumProcessModules(hProcess, EnumeratedModules, sizeof(EnumeratedModules), &Dummy)) + if(EnumProcessModules(hProcess, EnumeratedModules, sizeof(EnumeratedModules), &cbNeeded)) { - for(i = 0; i < _countof(EnumeratedModules); i++) + for(i = 0; i < (int)(cbNeeded / sizeof(HMODULE)); i++) { if(EnumeratedModules[i] == (HMODULE)ModuleBase) { 
@@ -597,12 +599,11 @@ __declspec(dllexport) bool TITCALL DumpModuleW(HANDLE hProcess, LPVOID ModuleBas __declspec(dllexport) bool TITCALL DumpModuleEx(DWORD ProcessId, LPVOID ModuleBase, char* szDumpFileName) { - - wchar_t uniDumpFileName[MAX_PATH] = {}; + wchar_t uniDumpFileName[MAX_PATH] = {0}; if(szDumpFileName != NULL) { - MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, lstrlenA(szDumpFileName)+1, uniDumpFileName, sizeof(uniDumpFileName)/(sizeof(uniDumpFileName[0]))); + MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, -1, uniDumpFileName, _countof(uniDumpFileName)); return(DumpModuleExW(ProcessId, ModuleBase, uniDumpFileName)); } else @@ -615,17 +616,14 @@ __declspec(dllexport) bool TITCALL DumpModuleExW(DWORD ProcessId, LPVOID ModuleB { HANDLE hProcess = 0; - BOOL ReturnValue = false; + bool ReturnValue = false; hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId); if(hProcess) //If the function fails, the return value is NULL. To get extended error information, call GetLastError. { ReturnValue = DumpModuleW(hProcess, ModuleBase, szDumpFileName); EngineCloseHandle(hProcess); - if(ReturnValue) - { - return true; - } + return ReturnValue; } return false; diff --git a/TitanEngine/TitanEngine.Hooks.cpp b/TitanEngine/TitanEngine.Hooks.cpp index e9c52ba..b5324fe 100644 --- a/TitanEngine/TitanEngine.Hooks.cpp +++ b/TitanEngine/TitanEngine.Hooks.cpp 
@@ -1112,14 +1112,13 @@ __declspec(dllexport) void TITCALL HooksScanEntireProcessMemory(LPVOID CallBack) { unsigned int i; - DWORD ModulesLoaded; - HMODULE EnumeratedModules[1024]; + DWORD cbNeeded = 0; + HMODULE EnumeratedModules[1024] = {0}; hookEntry.clear(); - if(EnumProcessModules(GetCurrentProcess(), &EnumeratedModules[0], sizeof EnumeratedModules, &ModulesLoaded)) + if(EnumProcessModules(GetCurrentProcess(), EnumeratedModules, sizeof(EnumeratedModules), &cbNeeded)) { - ModulesLoaded = ModulesLoaded / sizeof HANDLE; - for(i = 1; i < ModulesLoaded; i++) + for(i = 1; i < (cbNeeded / sizeof(HMODULE)); i++) { HooksScanModuleMemory(EnumeratedModules[i], CallBack); } diff --git a/TitanEngine/TitanEngine.Importer.cpp b/TitanEngine/TitanEngine.Importer.cpp index d1e03fe..ef53085 100644 --- a/TitanEngine/TitanEngine.Importer.cpp +++ b/TitanEngine/TitanEngine.Importer.cpp @@ -240,25 +240,22 @@ __declspec(dllexport) long long TITCALL ImporterGetRemoteDLLBase(HANDLE hProcess } __declspec(dllexport) long long TITCALL ImporterGetRemoteDLLBaseEx(HANDLE hProcess, char* szModuleName) { + DWORD cbNeeded = NULL; + HMODULE EnumeratedModules[0x1024] = {0}; + char RemoteDLLName[MAX_PATH] = {0}; - int i = 1; - DWORD Dummy = NULL; - ULONG_PTR EnumeratedModules[0x2000]; - char RemoteDLLName[MAX_PATH]; - - if(EnumProcessModules(hProcess, (HMODULE*)EnumeratedModules, 0x2000, &Dummy)) + if(EnumProcessModules(hProcess, EnumeratedModules, sizeof(EnumeratedModules), &cbNeeded)) { - RtlZeroMemory(&RemoteDLLName, MAX_PATH); - while(EnumeratedModules[i] != NULL) + for(int i = 0; i < (int)(cbNeeded / sizeof(HMODULE)); i++) { - if(GetModuleBaseNameA(hProcess, (HMODULE)EnumeratedModules[i], (LPSTR)RemoteDLLName, MAX_PATH) > NULL) + RemoteDLLName[0] = 0; + if(GetModuleBaseNameA(hProcess, EnumeratedModules[i], (LPSTR)RemoteDLLName, _countof(RemoteDLLName)) > NULL) { if(lstrcmpiA((LPCSTR)RemoteDLLName, (LPCSTR)szModuleName)) { return((ULONG_PTR)EnumeratedModules[i]); } } - i++; } } return(NULL); 
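Review bot: In ImporterGetRemoteDLLBaseEx the match test `if(lstrcmpiA((LPCSTR)RemoteDLLName, (LPCSTR)szModuleName))` is true when the names differ, because lstrcmpiA returns 0 on a match, so the rewritten loop returns the base of the first module whose name is not szModuleName; unless that inversion is intentional it should be `if(lstrcmpiA((LPCSTR)RemoteDLLName, (LPCSTR)szModuleName) == 0)`. The new declaration `HMODULE EnumeratedModules[0x1024] = {0};` mixes hex and decimal in a way that reads like a slip for 1024 (it is 4132 entries); spell the size as `1024` or give it a named constant so the intent is visible. The loop bound on cbNeeded in both this hunk and the Hooks hunk above needs the same clamp as in DumpRegionsW.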
diff --git a/TitanEngine/TitanEngine.Process.cpp b/TitanEngine/TitanEngine.Process.cpp index c6f7a51..a0f3269 100644 --- a/TitanEngine/TitanEngine.Process.cpp +++ b/TitanEngine/TitanEngine.Process.cpp @@ -73,11 +73,11 @@ __declspec(dllexport) void TITCALL EnumProcessesWithLibrary(char* szLibraryName, int j; typedef void(TITCALL *fEnumFunction)(DWORD ProcessId, HMODULE ModuleBaseAddress); fEnumFunction myEnumFunction = (fEnumFunction)EnumFunction; - HMODULE EnumeratedModules[1024] = {}; - DWORD bProcessId[1024] = {}; - char szModuleName[1024] = {}; + HMODULE EnumeratedModules[1024] = {0}; + DWORD bProcessId[1024] = {0}; + char szModuleName[1024] = {0}; DWORD pProcessIdCount = NULL; - DWORD pModuleCount; + DWORD cbNeeded = 0; HANDLE hProcess; if(EnumFunction != NULL) @@ -91,10 +91,10 @@ __declspec(dllexport) void TITCALL EnumProcessesWithLibrary(char* szLibraryName, hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, false, bProcessId[i]); if(hProcess != NULL) { - RtlZeroMemory(&EnumeratedModules[0], sizeof EnumeratedModules); - if(EnumProcessModules(hProcess, (HMODULE*)EnumeratedModules, sizeof EnumeratedModules, &pModuleCount)) + RtlZeroMemory(EnumeratedModules, sizeof(EnumeratedModules)); + if(EnumProcessModules(hProcess, (HMODULE*)EnumeratedModules, sizeof(EnumeratedModules), &cbNeeded)) { - for(j = 0; j < (int)pModuleCount; j++) + for(j = 0; j < (int)(cbNeeded / sizeof(HMODULE)); j++) { if(EnumeratedModules[j] != NULL) { diff --git a/TitanEngine/TitanEngine.Tracer.cpp b/TitanEngine/TitanEngine.Tracer.cpp index eb52102..3bf5301 100644 --- a/TitanEngine/TitanEngine.Tracer.cpp +++ b/TitanEngine/TitanEngine.Tracer.cpp 
@@ -543,8 +543,8 @@ __declspec(dllexport) long long TITCALL HashTracerLevel1(HANDLE hProcess, ULONG_ unsigned int j = 0; DWORD Dummy = NULL; MODULEINFO RemoteModuleInfo; - ULONG_PTR EnumeratedModules[0x2000]; - ULONG_PTR LoadedModules[1000][4]; + ULONG_PTR EnumeratedModules[0x2000] = {0}; + ULONG_PTR LoadedModules[1000][4] = {0}; char RemoteDLLName[MAX_PATH]; HANDLE hLoadedModule = NULL; HANDLE ModuleHandle = NULL; @@ -576,8 +576,7 @@ __declspec(dllexport) long long TITCALL HashTracerLevel1(HANDLE hProcess, ULONG_ return(NULL); } } - RtlZeroMemory(&EnumeratedModules, 0x2000 * sizeof ULONG_PTR); - RtlZeroMemory(&LoadedModules, 1000 * 4 * sizeof ULONG_PTR); + if(hProcess == NULL) { if(dbgProcessInformation.hProcess == NULL) @@ -589,7 +588,7 @@ __declspec(dllexport) long long TITCALL HashTracerLevel1(HANDLE hProcess, ULONG_ hProcess = dbgProcessInformation.hProcess; } } - if(EnumProcessModules(hProcess, (HMODULE*)EnumeratedModules, 0x2000, &Dummy)) + if(EnumProcessModules(hProcess, (HMODULE*)EnumeratedModules, sizeof(EnumeratedModules), &Dummy)) { i++; while(FoundAPI == false && EnumeratedModules[i] != NULL) diff --git a/TitanEngine/definitions.h b/TitanEngine/definitions.h index 2f6408f..2220808 100644 --- a/TitanEngine/definitions.h +++ b/TitanEngine/definitions.h 
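Review bot: In HashTracerLevel1 the loop `while(FoundAPI == false && EnumeratedModules[i] != NULL)` stops only on a NULL entry, and now that EnumProcessModules is given the full `sizeof(EnumeratedModules)` it can fill every slot, leaving no terminator and letting the walk run off the array; the count in Dummy is available but unused. Bound the loop by it, clamped to the array, e.g. `while(FoundAPI == false && i < (Dummy < sizeof(EnumeratedModules) ? Dummy : sizeof(EnumeratedModules)) / sizeof(HMODULE) && EnumeratedModules[i] != NULL)`, and rename Dummy to cbNeeded as the other files in this commit do since it is no longer a throwaway. The Global.Engine.cpp hunk at -1375 keeps the same `&Dummy` pattern; its consuming loop is outside that hunk, so it likely needs the same treatment. HashTracerLevel1 begins before and continues past these hunks.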
@@ -73,6 +73,7 @@ __declspec(dllexport) long long TITCALL ConvertVAtoFileOffset(ULONG_PTR FileMapV
 __declspec(dllexport) long long TITCALL ConvertVAtoFileOffsetEx(ULONG_PTR FileMapVA, DWORD FileSize, ULONG_PTR ImageBase, ULONG_PTR AddressToConvert, bool AddressIsRVA, bool ReturnType);
 __declspec(dllexport) long long TITCALL ConvertFileOffsetToVA(ULONG_PTR FileMapVA, ULONG_PTR AddressToConvert, bool ReturnType);
 __declspec(dllexport) long long TITCALL ConvertFileOffsetToVAEx(ULONG_PTR FileMapVA, DWORD FileSize, ULONG_PTR ImageBase, ULONG_PTR AddressToConvert, bool ReturnType);
+__declspec(dllexport) bool TITCALL ReadProcessMemoryEnforce(HANDLE hProcess, LPVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T * lpNumberOfBytesRead);
 // TitanEngine.Realigner.functions:
 __declspec(dllexport) bool TITCALL FixHeaderCheckSum(char* szFileName);
 __declspec(dllexport) bool TITCALL FixHeaderCheckSumW(wchar_t* szFileName);
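Review bot: The new export `ReadProcessMemoryEnforce` is declared without any comment, and its contract differs from ReadProcessMemory in ways a caller must know: when the plain read fails it changes the protection of the target range to PAGE_EXECUTE_READWRITE with VirtualProtectEx, retries, and restores the old protection, which requires PROCESS_VM_OPERATION on hProcess and is a side effect visible in the target process. A comment above the declaration should state that fallback and the access right it needs, that lpNumberOfBytesRead may be NULL, and that a NULL handle, address or buffer or a zero nSize returns false, so the header is self-explanatory to users of the DLL.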