x64dbg
/
TitanEngine
mirror of https://github.com/x64dbg/TitanEngine
1
0
Fork 0
Code Releases Activity

fixed EnumProcessModules problems, improved dumper, added new function ReadProcessMemoryEnforce

This commit is contained in:
NtQuery 2014-03-09 22:03:45 +01:00
parent d29b17795c
commit 1f4b6de250
7 changed files with 120 additions and 129 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
TitanEngine/Global.Engine.cpp
View File

@ -1316,8 +1316,8 @@ long long EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBa
unsigned int z = 0; unsigned int z = 0;
DWORD Dummy = NULL; DWORD Dummy = NULL;
HANDLE hProcess = NULL; HANDLE hProcess = NULL;
ULONG_PTR EnumeratedModules[0x2000]; ULONG_PTR EnumeratedModules[0x1000] = {0};
ULONG_PTR LoadedModules[1000][4]; ULONG_PTR LoadedModules[1000][4] = {0};
char RemoteDLLName[MAX_PATH]= {0}; char RemoteDLLName[MAX_PATH]= {0};
char FullRemoteDLLName[MAX_PATH]= {0}; char FullRemoteDLLName[MAX_PATH]= {0};
char szWindowsSideBySide[MAX_PATH]= {0}; char szWindowsSideBySide[MAX_PATH]= {0};
@ -1349,15 +1349,12 @@ long long EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBa
int Vista64UserForwarderFix = 0; int Vista64UserForwarderFix = 0;
unsigned int Windows7KernelBase = 0xFFFFFFFF; unsigned int Windows7KernelBase = 0xFFFFFFFF;
RtlZeroMemory(&engineFoundDLLName, sizeof(szFwdDLLName));
RtlZeroMemory(&EnumeratedModules, 0x2000 * sizeof ULONG_PTR);
RtlZeroMemory(&LoadedModules, 1000 * 4 * sizeof ULONG_PTR);
GetWindowsDirectoryA(szWindowsSideBySide, MAX_PATH); GetWindowsDirectoryA(szWindowsSideBySide, MAX_PATH);
lstrcpyA(szWindowsKernelBase, szWindowsSideBySide); lstrcpyA(szWindowsKernelBase, szWindowsSideBySide);
lstrcatA(szWindowsSideBySide, "\\WinSxS"); lstrcatA(szWindowsSideBySide, "\\WinSxS");
if(EnumedModulesBases != NULL) if(EnumedModulesBases != NULL)
{ {
RtlMoveMemory(&EnumeratedModules, (LPVOID)EnumedModulesBases, 0x1000); RtlMoveMemory(EnumeratedModules, (LPVOID)EnumedModulesBases, 0x1000);
i--; i--;
} }
if(handleProcess == NULL) if(handleProcess == NULL)
@ -1375,7 +1372,7 @@ long long EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBa
{ {
hProcess = handleProcess; hProcess = handleProcess;
} }
if(EnumedModulesBases != NULL || EnumProcessModules(hProcess, (HMODULE*)EnumeratedModules, 0x2000, &Dummy)) if(EnumedModulesBases != NULL || EnumProcessModules(hProcess, (HMODULE*)EnumeratedModules, sizeof(EnumeratedModules), &Dummy))
{ {
i++; i++;
z = i; z = i;

188
TitanEngine/TitanEngine.Dumper.cpp
View File

@ -7,10 +7,10 @@
//TitanEngine.Dumper.functions: //TitanEngine.Dumper.functions:
__declspec(dllexport) bool TITCALL DumpProcess(HANDLE hProcess, LPVOID ImageBase, char* szDumpFileName, ULONG_PTR EntryPoint) __declspec(dllexport) bool TITCALL DumpProcess(HANDLE hProcess, LPVOID ImageBase, char* szDumpFileName, ULONG_PTR EntryPoint)
{ {
wchar_t uniDumpFileName[MAX_PATH] = {}; wchar_t uniDumpFileName[MAX_PATH] = {0};
if(szDumpFileName != NULL) if(szDumpFileName != NULL)
{ {
MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, lstrlenA(szDumpFileName)+1, uniDumpFileName, sizeof(uniDumpFileName)/(sizeof(uniDumpFileName[0]))); MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, -1, uniDumpFileName, _countof(uniDumpFileName));
return DumpProcessW(hProcess, ImageBase, uniDumpFileName, EntryPoint); return DumpProcessW(hProcess, ImageBase, uniDumpFileName, EntryPoint);
} }
return false; return false;
@ -39,7 +39,6 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas
SIZE_T AlignedHeaderSize = NULL; SIZE_T AlignedHeaderSize = NULL;
LPVOID ueReadBuffer = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); LPVOID ueReadBuffer = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE);
LPVOID ueCopyBuffer = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); LPVOID ueCopyBuffer = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE);
DWORD Protect;
if(ReadProcessMemory(hProcess, ImageBase, ueReadBuffer, 0x1000, &ueNumberOfBytesRead)) if(ReadProcessMemory(hProcess, ImageBase, ueReadBuffer, 0x1000, &ueNumberOfBytesRead))
{//ReadProcessMemory {//ReadProcessMemory
@ -156,24 +155,18 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas
if(SizeOfImageDump >= TITANENGINE_PAGESIZE) if(SizeOfImageDump >= TITANENGINE_PAGESIZE)
{ {
RtlZeroMemory(ueCopyBuffer, AlignedHeaderSize); RtlZeroMemory(ueCopyBuffer, AlignedHeaderSize);
if(!ReadProcessMemory(hProcess, ReadBase, ueCopyBuffer, TITANENGINE_PAGESIZE, &ueNumberOfBytesRead))
{ ReadProcessMemoryEnforce(hProcess, ReadBase, ueCopyBuffer, TITANENGINE_PAGESIZE, &ueNumberOfBytesRead);
VirtualProtectEx(hProcess, ReadBase, TITANENGINE_PAGESIZE, PAGE_EXECUTE_READWRITE, &Protect);
ReadProcessMemory(hProcess, ReadBase, ueCopyBuffer, TITANENGINE_PAGESIZE, &ueNumberOfBytesRead);
VirtualProtectEx(hProcess, ReadBase, TITANENGINE_PAGESIZE, Protect, &Protect);
}
WriteFile(hFile, ueCopyBuffer, TITANENGINE_PAGESIZE, &uedNumberOfBytesRead, NULL); WriteFile(hFile, ueCopyBuffer, TITANENGINE_PAGESIZE, &uedNumberOfBytesRead, NULL);
SizeOfImageDump = SizeOfImageDump - TITANENGINE_PAGESIZE; SizeOfImageDump = SizeOfImageDump - TITANENGINE_PAGESIZE;
} }
else else
{ {
RtlZeroMemory(ueCopyBuffer, AlignedHeaderSize); RtlZeroMemory(ueCopyBuffer, AlignedHeaderSize);
if(!ReadProcessMemory(hProcess, ReadBase, ueCopyBuffer, SizeOfImageDump, &ueNumberOfBytesRead))
{ ReadProcessMemoryEnforce(hProcess, ReadBase, ueCopyBuffer, SizeOfImageDump, &ueNumberOfBytesRead);
VirtualProtectEx(hProcess, ReadBase, TITANENGINE_PAGESIZE, PAGE_EXECUTE_READWRITE, &Protect);
ReadProcessMemory(hProcess, ReadBase, ueCopyBuffer, TITANENGINE_PAGESIZE, &ueNumberOfBytesRead);
VirtualProtectEx(hProcess, ReadBase, TITANENGINE_PAGESIZE, Protect, &Protect);
}
WriteFile(hFile, ueCopyBuffer, SizeOfImageDump, &uedNumberOfBytesRead, NULL); WriteFile(hFile, ueCopyBuffer, SizeOfImageDump, &uedNumberOfBytesRead, NULL);
SizeOfImageDump = NULL; SizeOfImageDump = NULL;
} }
@ -245,24 +238,18 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas
if(SizeOfImageDump >= TITANENGINE_PAGESIZE) if(SizeOfImageDump >= TITANENGINE_PAGESIZE)
{ {
RtlZeroMemory(ueCopyBuffer, AlignedHeaderSize); RtlZeroMemory(ueCopyBuffer, AlignedHeaderSize);
if(!ReadProcessMemory(hProcess, ReadBase, ueCopyBuffer, TITANENGINE_PAGESIZE, &ueNumberOfBytesRead))
{ ReadProcessMemoryEnforce(hProcess, ReadBase, ueCopyBuffer, TITANENGINE_PAGESIZE, &ueNumberOfBytesRead);
VirtualProtectEx(hProcess, ReadBase, TITANENGINE_PAGESIZE, PAGE_EXECUTE_READWRITE, &Protect);
ReadProcessMemory(hProcess, ReadBase, ueCopyBuffer, TITANENGINE_PAGESIZE, &ueNumberOfBytesRead);
VirtualProtectEx(hProcess, ReadBase, TITANENGINE_PAGESIZE, Protect, &Protect);
}
WriteFile(hFile, ueCopyBuffer, TITANENGINE_PAGESIZE, &uedNumberOfBytesRead, NULL); WriteFile(hFile, ueCopyBuffer, TITANENGINE_PAGESIZE, &uedNumberOfBytesRead, NULL);
SizeOfImageDump = SizeOfImageDump - TITANENGINE_PAGESIZE; SizeOfImageDump = SizeOfImageDump - TITANENGINE_PAGESIZE;
} }
else else
{ {
RtlZeroMemory(ueCopyBuffer, AlignedHeaderSize); RtlZeroMemory(ueCopyBuffer, AlignedHeaderSize);
if(!ReadProcessMemory(hProcess, ReadBase, ueCopyBuffer, SizeOfImageDump, &ueNumberOfBytesRead))
{ ReadProcessMemoryEnforce(hProcess, ReadBase, ueCopyBuffer, SizeOfImageDump, &ueNumberOfBytesRead);
VirtualProtectEx(hProcess, ReadBase, TITANENGINE_PAGESIZE, PAGE_EXECUTE_READWRITE, &Protect);
ReadProcessMemory(hProcess, ReadBase, ueCopyBuffer, TITANENGINE_PAGESIZE, &ueNumberOfBytesRead);
VirtualProtectEx(hProcess, ReadBase, TITANENGINE_PAGESIZE, Protect, &Protect);
}
WriteFile(hFile, ueCopyBuffer, SizeOfImageDump, &uedNumberOfBytesRead, NULL); WriteFile(hFile, ueCopyBuffer, SizeOfImageDump, &uedNumberOfBytesRead, NULL);
SizeOfImageDump = NULL; SizeOfImageDump = NULL;
} }
@ -298,12 +285,11 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas
__declspec(dllexport) bool TITCALL DumpProcessEx(DWORD ProcessId, LPVOID ImageBase, char* szDumpFileName, ULONG_PTR EntryPoint) __declspec(dllexport) bool TITCALL DumpProcessEx(DWORD ProcessId, LPVOID ImageBase, char* szDumpFileName, ULONG_PTR EntryPoint)
{ {
wchar_t uniDumpFileName[MAX_PATH] = {0};
wchar_t uniDumpFileName[MAX_PATH] = {};
if(szDumpFileName != NULL) if(szDumpFileName != NULL)
{ {
MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, lstrlenA(szDumpFileName)+1, uniDumpFileName, sizeof(uniDumpFileName)/(sizeof(uniDumpFileName[0]))); MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, -1, uniDumpFileName, _countof(uniDumpFileName));
return(DumpProcessExW(ProcessId, ImageBase, uniDumpFileName, EntryPoint)); return(DumpProcessExW(ProcessId, ImageBase, uniDumpFileName, EntryPoint));
} }
else else
@ -316,21 +302,14 @@ __declspec(dllexport) bool TITCALL DumpProcessExW(DWORD ProcessId, LPVOID ImageB
{ {
HANDLE hProcess = 0; HANDLE hProcess = 0;
BOOL ReturnValue = false; bool ReturnValue = false;
hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId); hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
if(hProcess) if(hProcess)
{ {
ReturnValue = DumpProcessW(hProcess, ImageBase, szDumpFileName, EntryPoint); ReturnValue = DumpProcessW(hProcess, ImageBase, szDumpFileName, EntryPoint);
EngineCloseHandle(hProcess); EngineCloseHandle(hProcess);
if(ReturnValue) return ReturnValue;
{
return true;
}
else
{
return false;
}
} }
else else
{ {
@ -340,12 +319,11 @@ __declspec(dllexport) bool TITCALL DumpProcessExW(DWORD ProcessId, LPVOID ImageB
__declspec(dllexport) bool TITCALL DumpMemory(HANDLE hProcess, LPVOID MemoryStart, ULONG_PTR MemorySize, char* szDumpFileName) __declspec(dllexport) bool TITCALL DumpMemory(HANDLE hProcess, LPVOID MemoryStart, ULONG_PTR MemorySize, char* szDumpFileName)
{ {
wchar_t uniDumpFileName[MAX_PATH] = {0};
wchar_t uniDumpFileName[MAX_PATH] = {};
if(szDumpFileName != NULL) if(szDumpFileName != NULL)
{ {
MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, lstrlenA(szDumpFileName)+1, uniDumpFileName, sizeof(uniDumpFileName)/(sizeof(uniDumpFileName[0]))); MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, -1, uniDumpFileName, _countof(uniDumpFileName));
return(DumpMemoryW(hProcess, MemoryStart, MemorySize, uniDumpFileName)); return(DumpMemoryW(hProcess, MemoryStart, MemorySize, uniDumpFileName));
} }
else else
@ -354,6 +332,46 @@ __declspec(dllexport) bool TITCALL DumpMemory(HANDLE hProcess, LPVOID MemoryStar
} }
} }
__declspec(dllexport) bool TITCALL ReadProcessMemoryEnforce(HANDLE hProcess, LPVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T * lpNumberOfBytesRead)
{
SIZE_T ueNumberOfBytesRead = 0;
SIZE_T * pNumBytes = 0;
DWORD dwProtect = 0;
bool retValue = false;
if ( (hProcess == 0) || (lpBaseAddress == 0) || (lpBuffer == 0) || (nSize == 0))
{
return false;
}
if (!lpNumberOfBytesRead)
{
pNumBytes = &ueNumberOfBytesRead;
}
else
{
pNumBytes = lpNumberOfBytesRead;
}
if(!ReadProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, pNumBytes))
{
if (VirtualProtectEx(hProcess, lpBaseAddress, nSize, PAGE_EXECUTE_READWRITE, &dwProtect))
{
if (ReadProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, pNumBytes))
{
retValue = false;
}
VirtualProtectEx(hProcess, lpBaseAddress, nSize, dwProtect, &dwProtect);
}
}
else
{
retValue = true;
}
return retValue;
}
__declspec(dllexport) bool TITCALL DumpMemoryW(HANDLE hProcess, LPVOID MemoryStart, ULONG_PTR MemorySize, wchar_t* szDumpFileName) __declspec(dllexport) bool TITCALL DumpMemoryW(HANDLE hProcess, LPVOID MemoryStart, ULONG_PTR MemorySize, wchar_t* szDumpFileName)
{ {
@ -363,7 +381,6 @@ __declspec(dllexport) bool TITCALL DumpMemoryW(HANDLE hProcess, LPVOID MemorySta
LPVOID ReadBase = MemoryStart; LPVOID ReadBase = MemoryStart;
ULONG_PTR ProcReadBase = (ULONG_PTR)ReadBase; ULONG_PTR ProcReadBase = (ULONG_PTR)ReadBase;
LPVOID ueCopyBuffer = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); LPVOID ueCopyBuffer = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE);
MEMORY_BASIC_INFORMATION MemInfo;
if(EngineCreatePathForFileW(szDumpFileName)) if(EngineCreatePathForFileW(szDumpFileName))
{ {
@ -376,26 +393,18 @@ __declspec(dllexport) bool TITCALL DumpMemoryW(HANDLE hProcess, LPVOID MemorySta
if(MemorySize >= 0x1000) if(MemorySize >= 0x1000)
{ {
RtlZeroMemory(ueCopyBuffer,0x2000); RtlZeroMemory(ueCopyBuffer,0x2000);
if(!ReadProcessMemory(hProcess, ReadBase, ueCopyBuffer, 0x1000, &ueNumberOfBytesRead))
{ ReadProcessMemoryEnforce(hProcess, ReadBase, ueCopyBuffer, 0x1000, &ueNumberOfBytesRead);
VirtualQueryEx(hProcess, ReadBase, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
VirtualProtectEx(hProcess, ReadBase, 0x1000, PAGE_EXECUTE_READWRITE, &MemInfo.Protect);
ReadProcessMemory(hProcess, ReadBase, ueCopyBuffer, 0x1000, &ueNumberOfBytesRead);
VirtualProtectEx(hProcess, ReadBase, 0x1000, MemInfo.Protect, &MemInfo.Protect);
}
WriteFile(hFile,ueCopyBuffer, 0x1000, &uedNumberOfBytesRead, NULL); WriteFile(hFile,ueCopyBuffer, 0x1000, &uedNumberOfBytesRead, NULL);
MemorySize = MemorySize - 0x1000; MemorySize = MemorySize - 0x1000;
} }
else else
{ {
RtlZeroMemory(ueCopyBuffer,0x2000); RtlZeroMemory(ueCopyBuffer,0x2000);
if(!ReadProcessMemory(hProcess, ReadBase, ueCopyBuffer, MemorySize, &ueNumberOfBytesRead))
{ ReadProcessMemoryEnforce(hProcess, ReadBase, ueCopyBuffer, MemorySize, &ueNumberOfBytesRead);
VirtualQueryEx(hProcess, ReadBase, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
VirtualProtectEx(hProcess, ReadBase, 0x1000, PAGE_EXECUTE_READWRITE, &MemInfo.Protect);
ReadProcessMemory(hProcess, ReadBase, ueCopyBuffer, 0x1000, &ueNumberOfBytesRead);
VirtualProtectEx(hProcess, ReadBase, 0x1000, MemInfo.Protect, &MemInfo.Protect);
}
WriteFile(hFile, ueCopyBuffer, (DWORD)MemorySize, &uedNumberOfBytesRead, NULL); WriteFile(hFile, ueCopyBuffer, (DWORD)MemorySize, &uedNumberOfBytesRead, NULL);
MemorySize = NULL; MemorySize = NULL;
} }
@ -416,12 +425,11 @@ __declspec(dllexport) bool TITCALL DumpMemoryW(HANDLE hProcess, LPVOID MemorySta
__declspec(dllexport) bool TITCALL DumpMemoryEx(DWORD ProcessId, LPVOID MemoryStart, ULONG_PTR MemorySize, char* szDumpFileName) __declspec(dllexport) bool TITCALL DumpMemoryEx(DWORD ProcessId, LPVOID MemoryStart, ULONG_PTR MemorySize, char* szDumpFileName)
{ {
wchar_t uniDumpFileName[MAX_PATH] = {0};
wchar_t uniDumpFileName[MAX_PATH] = {};
if(szDumpFileName != NULL) if(szDumpFileName != NULL)
{ {
MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, lstrlenA(szDumpFileName)+1, uniDumpFileName, sizeof(uniDumpFileName)/(sizeof(uniDumpFileName[0]))); MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, -1, uniDumpFileName, _countof(uniDumpFileName));
return(DumpMemoryExW(ProcessId, MemoryStart, MemorySize, uniDumpFileName)); return(DumpMemoryExW(ProcessId, MemoryStart, MemorySize, uniDumpFileName));
} }
else else
@ -434,17 +442,14 @@ __declspec(dllexport) bool TITCALL DumpMemoryExW(DWORD ProcessId, LPVOID MemoryS
{ {
HANDLE hProcess = 0; HANDLE hProcess = 0;
BOOL ReturnValue = false; bool ReturnValue = false;
hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId); hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
if(hProcess) if(hProcess)
{ {
ReturnValue = DumpMemoryW(hProcess, MemoryStart, MemorySize, szDumpFileName); ReturnValue = DumpMemoryW(hProcess, MemoryStart, MemorySize, szDumpFileName);
EngineCloseHandle(hProcess); EngineCloseHandle(hProcess);
if(ReturnValue) return ReturnValue;
{
return true;
}
} }
return false; return false;
@ -452,12 +457,11 @@ __declspec(dllexport) bool TITCALL DumpMemoryExW(DWORD ProcessId, LPVOID MemoryS
__declspec(dllexport) bool TITCALL DumpRegions(HANDLE hProcess, char* szDumpFolder, bool DumpAboveImageBaseOnly) __declspec(dllexport) bool TITCALL DumpRegions(HANDLE hProcess, char* szDumpFolder, bool DumpAboveImageBaseOnly)
{ {
wchar_t uniDumpFolder[MAX_PATH] = {0};
wchar_t uniDumpFolder[MAX_PATH] = {};
if(szDumpFolder != NULL) if(szDumpFolder != NULL)
{ {
MultiByteToWideChar(CP_ACP, NULL, szDumpFolder, lstrlenA(szDumpFolder)+1, uniDumpFolder, sizeof(uniDumpFolder)/(sizeof(uniDumpFolder[0]))); MultiByteToWideChar(CP_ACP, NULL, szDumpFolder, -1, uniDumpFolder, _countof(uniDumpFolder));
return(DumpRegionsW(hProcess, uniDumpFolder, DumpAboveImageBaseOnly)); return(DumpRegionsW(hProcess, uniDumpFolder, DumpAboveImageBaseOnly));
} }
else else
@ -470,7 +474,7 @@ __declspec(dllexport) bool TITCALL DumpRegionsW(HANDLE hProcess, wchar_t* szDump
{ {
int i; int i;
DWORD Dummy = NULL; DWORD cbNeeded = NULL;
wchar_t szDumpName[MAX_PATH]; wchar_t szDumpName[MAX_PATH];
wchar_t szDumpFileName[MAX_PATH]; wchar_t szDumpFileName[MAX_PATH];
MEMORY_BASIC_INFORMATION MemInfo; MEMORY_BASIC_INFORMATION MemInfo;
@ -480,11 +484,15 @@ __declspec(dllexport) bool TITCALL DumpRegionsW(HANDLE hProcess, wchar_t* szDump
if(hProcess != NULL) if(hProcess != NULL)
{ {
EnumProcessModules(hProcess, EnumeratedModules, sizeof(EnumeratedModules), &Dummy); if (!EnumProcessModules(hProcess, EnumeratedModules, sizeof(EnumeratedModules), &cbNeeded))
{
return false;
}
while(VirtualQueryEx(hProcess, (LPVOID)DumpAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION) != NULL) while(VirtualQueryEx(hProcess, (LPVOID)DumpAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION) != NULL)
{ {
AddressIsModuleBase = false; AddressIsModuleBase = false;
for(i = 0; i < _countof(EnumeratedModules); i++) for(i = 0; i < (int)(cbNeeded / sizeof(HMODULE)); i++)
{ {
if(EnumeratedModules[i] == (HMODULE)MemInfo.AllocationBase) if(EnumeratedModules[i] == (HMODULE)MemInfo.AllocationBase)
{ {
@ -521,12 +529,11 @@ __declspec(dllexport) bool TITCALL DumpRegionsW(HANDLE hProcess, wchar_t* szDump
__declspec(dllexport) bool TITCALL DumpRegionsEx(DWORD ProcessId, char* szDumpFolder, bool DumpAboveImageBaseOnly) __declspec(dllexport) bool TITCALL DumpRegionsEx(DWORD ProcessId, char* szDumpFolder, bool DumpAboveImageBaseOnly)
{ {
wchar_t uniDumpFolder[MAX_PATH] = {0};
wchar_t uniDumpFolder[MAX_PATH] = {};
if(szDumpFolder != NULL) if(szDumpFolder != NULL)
{ {
MultiByteToWideChar(CP_ACP, NULL, szDumpFolder, lstrlenA(szDumpFolder)+1, uniDumpFolder, sizeof(uniDumpFolder)/(sizeof(uniDumpFolder[0]))); MultiByteToWideChar(CP_ACP, NULL, szDumpFolder, -1, uniDumpFolder, _countof(uniDumpFolder));
return(DumpRegionsExW(ProcessId, uniDumpFolder, DumpAboveImageBaseOnly)); return(DumpRegionsExW(ProcessId, uniDumpFolder, DumpAboveImageBaseOnly));
} }
else else
@ -537,19 +544,15 @@ __declspec(dllexport) bool TITCALL DumpRegionsEx(DWORD ProcessId, char* szDumpFo
__declspec(dllexport) bool TITCALL DumpRegionsExW(DWORD ProcessId, wchar_t* szDumpFolder, bool DumpAboveImageBaseOnly) __declspec(dllexport) bool TITCALL DumpRegionsExW(DWORD ProcessId, wchar_t* szDumpFolder, bool DumpAboveImageBaseOnly)
{ {
HANDLE hProcess = 0; HANDLE hProcess = 0;
BOOL ReturnValue = false; bool ReturnValue = false;
hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId); hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
if(hProcess) if(hProcess)
{ {
ReturnValue = DumpRegionsW(hProcess, szDumpFolder, DumpAboveImageBaseOnly); ReturnValue = DumpRegionsW(hProcess, szDumpFolder, DumpAboveImageBaseOnly);
EngineCloseHandle(hProcess); EngineCloseHandle(hProcess);
if(ReturnValue) return ReturnValue;
{
return true;
}
} }
return false; return false;
@ -557,12 +560,11 @@ __declspec(dllexport) bool TITCALL DumpRegionsExW(DWORD ProcessId, wchar_t* szDu
__declspec(dllexport) bool TITCALL DumpModule(HANDLE hProcess, LPVOID ModuleBase, char* szDumpFileName) __declspec(dllexport) bool TITCALL DumpModule(HANDLE hProcess, LPVOID ModuleBase, char* szDumpFileName)
{ {
wchar_t uniDumpFileName[MAX_PATH] = {0};
wchar_t uniDumpFileName[MAX_PATH] = {};
if(szDumpFileName != NULL) if(szDumpFileName != NULL)
{ {
MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, lstrlenA(szDumpFileName)+1, uniDumpFileName, sizeof(uniDumpFileName)/(sizeof(uniDumpFileName[0]))); MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, -1, uniDumpFileName, _countof(uniDumpFileName));
return(DumpModuleW(hProcess, ModuleBase, uniDumpFileName)); return(DumpModuleW(hProcess, ModuleBase, uniDumpFileName));
} }
else else
@ -575,13 +577,13 @@ __declspec(dllexport) bool TITCALL DumpModuleW(HANDLE hProcess, LPVOID ModuleBas
{ {
int i; int i;
DWORD Dummy = NULL; DWORD cbNeeded = NULL;
MODULEINFO RemoteModuleInfo; MODULEINFO RemoteModuleInfo;
HMODULE EnumeratedModules[1024]; HMODULE EnumeratedModules[1024] = {0};
if(EnumProcessModules(hProcess, EnumeratedModules, sizeof(EnumeratedModules), &Dummy)) if(EnumProcessModules(hProcess, EnumeratedModules, sizeof(EnumeratedModules), &cbNeeded))
{ {
for(i = 0; i < _countof(EnumeratedModules); i++) for(i = 0; i < (int)(cbNeeded / sizeof(HMODULE)); i++)
{ {
if(EnumeratedModules[i] == (HMODULE)ModuleBase) if(EnumeratedModules[i] == (HMODULE)ModuleBase)
{ {
@ -597,12 +599,11 @@ __declspec(dllexport) bool TITCALL DumpModuleW(HANDLE hProcess, LPVOID ModuleBas
__declspec(dllexport) bool TITCALL DumpModuleEx(DWORD ProcessId, LPVOID ModuleBase, char* szDumpFileName) __declspec(dllexport) bool TITCALL DumpModuleEx(DWORD ProcessId, LPVOID ModuleBase, char* szDumpFileName)
{ {
wchar_t uniDumpFileName[MAX_PATH] = {0};
wchar_t uniDumpFileName[MAX_PATH] = {};
if(szDumpFileName != NULL) if(szDumpFileName != NULL)
{ {
MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, lstrlenA(szDumpFileName)+1, uniDumpFileName, sizeof(uniDumpFileName)/(sizeof(uniDumpFileName[0]))); MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, -1, uniDumpFileName, _countof(uniDumpFileName));
return(DumpModuleExW(ProcessId, ModuleBase, uniDumpFileName)); return(DumpModuleExW(ProcessId, ModuleBase, uniDumpFileName));
} }
else else
@ -615,17 +616,14 @@ __declspec(dllexport) bool TITCALL DumpModuleExW(DWORD ProcessId, LPVOID ModuleB
{ {
HANDLE hProcess = 0; HANDLE hProcess = 0;
BOOL ReturnValue = false; bool ReturnValue = false;
hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId); hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
if(hProcess) //If the function fails, the return value is NULL. To get extended error information, call GetLastError. if(hProcess) //If the function fails, the return value is NULL. To get extended error information, call GetLastError.
{ {
ReturnValue = DumpModuleW(hProcess, ModuleBase, szDumpFileName); ReturnValue = DumpModuleW(hProcess, ModuleBase, szDumpFileName);
EngineCloseHandle(hProcess); EngineCloseHandle(hProcess);
if(ReturnValue) return ReturnValue;
{
return true;
}
} }
return false; return false;

9
TitanEngine/TitanEngine.Hooks.cpp
View File

@ -1112,14 +1112,13 @@ __declspec(dllexport) void TITCALL HooksScanEntireProcessMemory(LPVOID CallBack)
{ {
unsigned int i; unsigned int i;
DWORD ModulesLoaded; DWORD cbNeeded = 0;
HMODULE EnumeratedModules[1024]; HMODULE EnumeratedModules[1024] = {0};
hookEntry.clear(); hookEntry.clear();
if(EnumProcessModules(GetCurrentProcess(), &EnumeratedModules[0], sizeof EnumeratedModules, &ModulesLoaded)) if(EnumProcessModules(GetCurrentProcess(), EnumeratedModules, sizeof(EnumeratedModules), &cbNeeded))
{ {
ModulesLoaded = ModulesLoaded / sizeof HANDLE; for(i = 1; i < (cbNeeded / sizeof(HMODULE)); i++)
for(i = 1; i < ModulesLoaded; i++)
{ {
HooksScanModuleMemory(EnumeratedModules[i], CallBack); HooksScanModuleMemory(EnumeratedModules[i], CallBack);
} }

17
TitanEngine/TitanEngine.Importer.cpp
View File

@ -240,25 +240,22 @@ __declspec(dllexport) long long TITCALL ImporterGetRemoteDLLBase(HANDLE hProcess
} }
__declspec(dllexport) long long TITCALL ImporterGetRemoteDLLBaseEx(HANDLE hProcess, char* szModuleName) __declspec(dllexport) long long TITCALL ImporterGetRemoteDLLBaseEx(HANDLE hProcess, char* szModuleName)
{ {
DWORD cbNeeded = NULL;
HMODULE EnumeratedModules[0x1024] = {0};
char RemoteDLLName[MAX_PATH] = {0};
int i = 1; if(EnumProcessModules(hProcess, EnumeratedModules, sizeof(EnumeratedModules), &cbNeeded))
DWORD Dummy = NULL;
ULONG_PTR EnumeratedModules[0x2000];
char RemoteDLLName[MAX_PATH];
if(EnumProcessModules(hProcess, (HMODULE*)EnumeratedModules, 0x2000, &Dummy))
{ {
RtlZeroMemory(&RemoteDLLName, MAX_PATH); for(int i = 0; i < (int)(cbNeeded / sizeof(HMODULE)); i++)
while(EnumeratedModules[i] != NULL)
{ {
if(GetModuleBaseNameA(hProcess, (HMODULE)EnumeratedModules[i], (LPSTR)RemoteDLLName, MAX_PATH) > NULL) RemoteDLLName[0] = 0;
if(GetModuleBaseNameA(hProcess, EnumeratedModules[i], (LPSTR)RemoteDLLName, _countof(RemoteDLLName)) > NULL)
{ {
if(lstrcmpiA((LPCSTR)RemoteDLLName, (LPCSTR)szModuleName)) if(lstrcmpiA((LPCSTR)RemoteDLLName, (LPCSTR)szModuleName))
{ {
return((ULONG_PTR)EnumeratedModules[i]); return((ULONG_PTR)EnumeratedModules[i]);
} }
} }
i++;
} }
} }
return(NULL); return(NULL);

14
TitanEngine/TitanEngine.Process.cpp
View File

@ -73,11 +73,11 @@ __declspec(dllexport) void TITCALL EnumProcessesWithLibrary(char* szLibraryName,
int j; int j;
typedef void(TITCALL *fEnumFunction)(DWORD ProcessId, HMODULE ModuleBaseAddress); typedef void(TITCALL *fEnumFunction)(DWORD ProcessId, HMODULE ModuleBaseAddress);
fEnumFunction myEnumFunction = (fEnumFunction)EnumFunction; fEnumFunction myEnumFunction = (fEnumFunction)EnumFunction;
HMODULE EnumeratedModules[1024] = {}; HMODULE EnumeratedModules[1024] = {0};
DWORD bProcessId[1024] = {}; DWORD bProcessId[1024] = {0};
char szModuleName[1024] = {}; char szModuleName[1024] = {0};
DWORD pProcessIdCount = NULL; DWORD pProcessIdCount = NULL;
DWORD pModuleCount; DWORD cbNeeded = 0;
HANDLE hProcess; HANDLE hProcess;
if(EnumFunction != NULL) if(EnumFunction != NULL)
@ -91,10 +91,10 @@ __declspec(dllexport) void TITCALL EnumProcessesWithLibrary(char* szLibraryName,
hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, false, bProcessId[i]); hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, false, bProcessId[i]);
if(hProcess != NULL) if(hProcess != NULL)
{ {
RtlZeroMemory(&EnumeratedModules[0], sizeof EnumeratedModules); RtlZeroMemory(EnumeratedModules, sizeof(EnumeratedModules));
if(EnumProcessModules(hProcess, (HMODULE*)EnumeratedModules, sizeof EnumeratedModules, &pModuleCount)) if(EnumProcessModules(hProcess, (HMODULE*)EnumeratedModules, sizeof(EnumeratedModules), &cbNeeded))
{ {
for(j = 0; j < (int)pModuleCount; j++) for(j = 0; j < (int)(cbNeeded / sizeof(HMODULE)); j++)
{ {
if(EnumeratedModules[j] != NULL) if(EnumeratedModules[j] != NULL)
{ {

9
TitanEngine/TitanEngine.Tracer.cpp
View File

@ -543,8 +543,8 @@ __declspec(dllexport) long long TITCALL HashTracerLevel1(HANDLE hProcess, ULONG_
unsigned int j = 0; unsigned int j = 0;
DWORD Dummy = NULL; DWORD Dummy = NULL;
MODULEINFO RemoteModuleInfo; MODULEINFO RemoteModuleInfo;
ULONG_PTR EnumeratedModules[0x2000]; ULONG_PTR EnumeratedModules[0x2000] = {0};
ULONG_PTR LoadedModules[1000][4]; ULONG_PTR LoadedModules[1000][4] = {0};
char RemoteDLLName[MAX_PATH]; char RemoteDLLName[MAX_PATH];
HANDLE hLoadedModule = NULL; HANDLE hLoadedModule = NULL;
HANDLE ModuleHandle = NULL; HANDLE ModuleHandle = NULL;
@ -576,8 +576,7 @@ __declspec(dllexport) long long TITCALL HashTracerLevel1(HANDLE hProcess, ULONG_
return(NULL); return(NULL);
} }
} }
RtlZeroMemory(&EnumeratedModules, 0x2000 * sizeof ULONG_PTR);
RtlZeroMemory(&LoadedModules, 1000 * 4 * sizeof ULONG_PTR);
if(hProcess == NULL) if(hProcess == NULL)
{ {
if(dbgProcessInformation.hProcess == NULL) if(dbgProcessInformation.hProcess == NULL)
@ -589,7 +588,7 @@ __declspec(dllexport) long long TITCALL HashTracerLevel1(HANDLE hProcess, ULONG_
hProcess = dbgProcessInformation.hProcess; hProcess = dbgProcessInformation.hProcess;
} }
} }
if(EnumProcessModules(hProcess, (HMODULE*)EnumeratedModules, 0x2000, &Dummy)) if(EnumProcessModules(hProcess, (HMODULE*)EnumeratedModules, sizeof(EnumeratedModules), &Dummy))
{ {
i++; i++;
while(FoundAPI == false && EnumeratedModules[i] != NULL) while(FoundAPI == false && EnumeratedModules[i] != NULL)

1
TitanEngine/definitions.h
View File

@ -73,6 +73,7 @@ __declspec(dllexport) long long TITCALL ConvertVAtoFileOffset(ULONG_PTR FileMapV
__declspec(dllexport) long long TITCALL ConvertVAtoFileOffsetEx(ULONG_PTR FileMapVA, DWORD FileSize, ULONG_PTR ImageBase, ULONG_PTR AddressToConvert, bool AddressIsRVA, bool ReturnType); __declspec(dllexport) long long TITCALL ConvertVAtoFileOffsetEx(ULONG_PTR FileMapVA, DWORD FileSize, ULONG_PTR ImageBase, ULONG_PTR AddressToConvert, bool AddressIsRVA, bool ReturnType);
__declspec(dllexport) long long TITCALL ConvertFileOffsetToVA(ULONG_PTR FileMapVA, ULONG_PTR AddressToConvert, bool ReturnType); __declspec(dllexport) long long TITCALL ConvertFileOffsetToVA(ULONG_PTR FileMapVA, ULONG_PTR AddressToConvert, bool ReturnType);
__declspec(dllexport) long long TITCALL ConvertFileOffsetToVAEx(ULONG_PTR FileMapVA, DWORD FileSize, ULONG_PTR ImageBase, ULONG_PTR AddressToConvert, bool ReturnType); __declspec(dllexport) long long TITCALL ConvertFileOffsetToVAEx(ULONG_PTR FileMapVA, DWORD FileSize, ULONG_PTR ImageBase, ULONG_PTR AddressToConvert, bool ReturnType);
__declspec(dllexport) bool TITCALL ReadProcessMemoryEnforce(HANDLE hProcess, LPVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T * lpNumberOfBytesRead);
// TitanEngine.Realigner.functions: // TitanEngine.Realigner.functions:
__declspec(dllexport) bool TITCALL FixHeaderCheckSum(char* szFileName); __declspec(dllexport) bool TITCALL FixHeaderCheckSum(char* szFileName);
__declspec(dllexport) bool TITCALL FixHeaderCheckSumW(wchar_t* szFileName); __declspec(dllexport) bool TITCALL FixHeaderCheckSumW(wchar_t* szFileName);