From 23b12636c2b9676ed76fa2daef5b628b4bd3fe41 Mon Sep 17 00:00:00 2001
From: NtQuery
Date: Wed, 5 Mar 2014 11:15:54 +0100
Subject: [PATCH] hider bugfix
---
 TitanEngine/Global.Engine.Hider.cpp | 4 ++--
 TitanEngine/TitanEngine.Hider.cpp | 7 +++++--
 TitanEngine/stdafx.h | 6 ++++--
 3 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/TitanEngine/Global.Engine.Hider.cpp b/TitanEngine/Global.Engine.Hider.cpp
index ce9b88e..188f7e5 100644
--- a/TitanEngine/Global.Engine.Hider.cpp
+++ b/TitanEngine/Global.Engine.Hider.cpp
@@ -50,10 +50,10 @@ static void FixAntidebugApiInProcess(HANDLE hProcess, bool Hide, bool x64)
 0x33, 0xC0, //XOR EAX,EAX
 0xC3 //RETN
 };
- const BYTE patchCheckRemoteDebuggerPresent64[6] =
+ const BYTE patchCheckRemoteDebuggerPresent64[4] =
 {
 0x48, 0x31, 0xC0, //XOR RAX,RAX
- 0xC2, 0x08, 0x00 //RETN 0x8
+ 0xC3 //RETN
 };
 const BYTE patchGetTickCount64[4] =
 {
diff --git a/TitanEngine/TitanEngine.Hider.cpp b/TitanEngine/TitanEngine.Hider.cpp
index d0a4190..8e32a6f 100644
--- a/TitanEngine/TitanEngine.Hider.cpp
+++ b/TitanEngine/TitanEngine.Hider.cpp
@@ -41,8 +41,11 @@ __declspec(dllexport) void* TITCALL GetPEBLocation64(HANDLE hProcess)
 {
 //Only WOW64 processes have 2 PEBs
 DWORD peb32 = (DWORD)GetPEBLocation(hProcess);
- peb32 += 0x1000; //PEB64 after PEB32
- return (void *)peb32;
+ if (peb32)
+ {
+ peb32 += 0x1000; //PEB64 after PEB32
+ return (void *)peb32;
+ }
 }
 #endif //_WIN64
 return 0;
diff --git a/TitanEngine/stdafx.h b/TitanEngine/stdafx.h
index 3856c6d..1cad587 100644
--- a/TitanEngine/stdafx.h
+++ b/TitanEngine/stdafx.h
@@ -927,7 +927,9 @@ struct _PEB_T
 DWORD NumberOfHeaps;
 DWORD MaximumNumberOfHeaps;
 T ProcessHeaps;
- T GdiSharedHandleTable;
+
+//FULL PEB not needed
+ /* T GdiSharedHandleTable;
 T ProcessStarterHelper;
 T GdiDCAttributeList;
 T LoaderLock;
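Review bot: The 64-bit `patchCheckRemoteDebuggerPresent64` stub still returns 0 in RAX and never stores to the `pbDebuggerPresent` out-parameter, so a caller sees the documented failure return and an untouched BOOL rather than a successful call that reports FALSE. Replacing `RETN 0x8` with a plain `RETN` is right for the x64 convention, where the caller cleans up, but the stub's contract should be stated at the array, for example `//returns FALSE without writing *pbDebuggerPresent; callers that check the result see a failed call`. The array length is also a literal; declaring it as `patchCheckRemoteDebuggerPresent64[]` and using `sizeof` where the bytes are written would keep size and contents from drifting apart again, though the write site is outside this hunk. FixAntidebugApiInProcess continues beyond the hunk on both sides.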
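Review bot: The fixed `0x1000` added to the 32-bit PEB address in GetPEBLocation64 is an undocumented layout assumption, and the new `if (peb32)` guard only covers a failed GetPEBLocation lookup, not a target where that layout does not hold. Callers presumably read or write target memory at the returned address, so the dependency should be visible in a comment such as `//assumes PEB64 sits 0x1000 above PEB32 in a WOW64 target; not guaranteed across Windows builds`, and the result is worth validating before use. Nothing in the hunk shows that `hProcess` itself was checked to be a WOW64 process, but the enclosing condition starts above the hunk, so that may already be handled. Callers also need to treat the new 0 return as a failure rather than as an address.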
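Review bot: Wrapping the tail of `_PEB_T` in a `/* ... */` comment is fragile, because the comment opens in this hunk, closes in the `-958,7` hunk, and runs through lines that neither hunk shows; any `*/` inside that range would end the comment early. `#if 0` / `#endif` around the unused fields, or deleting them, is safer, for example `#if 0 //fields past ProcessHeaps are not used` before `T GdiSharedHandleTable;`. The truncation also shrinks the size of the `_PEB_T` typedefs such as `PEB32`, so any code that copies the structure by `sizeof` now transfers fewer bytes; `//FULL PEB not needed` should say whether that size change is the intended fix.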
@@ -958,7 +960,7 @@ struct _PEB_T T ProcessAssemblyStorageMap; T SystemDefaultActivationContextData; T SystemAssemblyStorageMap; - T MinimumStackCommit; + T MinimumStackCommit;*/ }; typedef _PEB_T PEB32;