- done moving stuff

mr.exodia 2014-03-03 22:53:16 +01:00
parent a781684106
commit 2b850c3032
39 changed files with 9836 additions and 9530 deletions


@ -0,0 +1,114 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Engine.GUI.h"
#include "Global.Engine.h"
#include <commdlg.h>
#include <shellapi.h>
#define TE_VER_MAJOR 2
#define TE_VER_MIDDLE 1
#define TE_VER_MINOR 0
char szWindowUnpackerName[128];
char szWindowUnpackerTitle[128];
char szWindowUnpackerLongTitle[128];
char szWindowUnpackerAuthor[128];
HWND EngineBoxHandle;
static HWND EngineWindowHandle;
// Global.TitanEngine.Engine.functions:
bool EngineGetFileDialog(char* GlobalBuffer)
{
OPENFILENAMEA sOpenFileName;
char szFilterString[] = "All Files \0*.*\0\0";
char szDialogTitle[] = "TitanEngine2 from Reversing Labs";
RtlZeroMemory(&sOpenFileName, sizeof(OPENFILENAMEA));
sOpenFileName.lStructSize = sizeof(OPENFILENAMEA);
sOpenFileName.lpstrFilter = &szFilterString[0];
sOpenFileName.lpstrFile = &GlobalBuffer[0];
sOpenFileName.nMaxFile = 1024;
sOpenFileName.Flags = OFN_FILEMUSTEXIST | OFN_PATHMUSTEXIST | OFN_LONGNAMES | OFN_EXPLORER | OFN_HIDEREADONLY;
sOpenFileName.lpstrTitle = &szDialogTitle[0];
if(!GetOpenFileNameA(&sOpenFileName))
{
RtlZeroMemory(&GlobalBuffer[0], 1024);
return(false);
}
else
{
return(true);
}
}
long EngineWndProc(HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
char szAboutTitle[] = "[ About ]";
char szAboutText[] = "%s \r\n\r\n ReversingLabs - http://www.reversinglabs.com \r\n\r\n Minimum engine version needed:\r\n- TitanEngine %i.%i.%i by RevLabs\r\n\r\nUnpacker coded by %s";
typedef void(TITCALL *fStartUnpacking)(char* szInputFile, bool RealignFile, bool CopyOverlay);
fStartUnpacking myStartUnpacking = (fStartUnpacking)EngineStartUnpackingCallBack;
char GlobalBuffer[1024] = {};
char AboutBuffer[1024] = {};
bool bRealignFile = false;
bool bCopyOverlay = false;
if(uMsg == WM_INITDIALOG)
{
SendMessageA(hwndDlg, WM_SETTEXT, NULL, (LPARAM)&szWindowUnpackerTitle);
SendMessageA(hwndDlg, WM_SETICON, NULL, (LPARAM)LoadIconA((HINSTANCE)engineHandle, MAKEINTRESOURCEA(IDI_ICON2)));
SetDlgItemTextA(hwndDlg, IDD_UNPACKERTITLE, szWindowUnpackerLongTitle);
SetDlgItemTextA(hwndDlg, IDC_FILENAME, "filename.exe");
CheckDlgButton(hwndDlg, IDC_REALING, 1);
EngineWindowHandle = hwndDlg;
}
else if(uMsg == WM_DROPFILES)
{
DragQueryFileA((HDROP)wParam, NULL, GlobalBuffer, 1024);
SetDlgItemTextA(hwndDlg, IDC_FILENAME, GlobalBuffer);
}
else if(uMsg == WM_CLOSE)
{
EndDialog(hwndDlg, NULL);
}
else if(uMsg == WM_COMMAND)
{
if(wParam == IDC_UNPACK)
{
GetDlgItemTextA(hwndDlg, IDC_FILENAME, GlobalBuffer, 1024);
if(!IsFileBeingDebugged() && EngineFileExists(GlobalBuffer))
{
EngineBoxHandle = GetDlgItem(hwndDlg, IDC_LISTBOX);
SendMessageA(EngineBoxHandle, LB_RESETCONTENT, NULL, NULL);
if(IsDlgButtonChecked(EngineWindowHandle, IDC_REALING))
{
bRealignFile = true;
}
if(IsDlgButtonChecked(EngineWindowHandle, IDC_COPYOVERLAY))
{
bCopyOverlay = true;
}
myStartUnpacking(GlobalBuffer, bRealignFile, bCopyOverlay);
}
}
else if(wParam == IDC_BROWSE)
{
if(EngineGetFileDialog(GlobalBuffer))
{
SetDlgItemTextA(hwndDlg, IDC_FILENAME, GlobalBuffer);
}
}
else if(wParam == IDC_ABOUT)
{
wsprintfA(AboutBuffer, szAboutText, szWindowUnpackerName, TE_VER_MAJOR, TE_VER_MIDDLE, TE_VER_MINOR, szWindowUnpackerAuthor);
MessageBoxA(hwndDlg, AboutBuffer, szAboutTitle, MB_ICONASTERISK);
}
else if(wParam == IDC_EXIT)
{
EndDialog(hwndDlg, NULL);
}
}
return(NULL);
}
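Review bot: EngineGetFileDialog writes up to 1024 bytes through `GlobalBuffer` (`nMaxFile = 1024`, and `RtlZeroMemory(&GlobalBuffer[0], 1024)` when the dialog is cancelled) although the signature carries no length, so a caller that passes a smaller buffer is overrun; the new header exposes the function to other translation units. Either document the contract at the declaration, e.g. `// GlobalBuffer must point to at least 1024 bytes`, or take the size as a parameter. In EngineWndProc the IDC_UNPACK branch calls `myStartUnpacking(...)` without checking that `EngineStartUnpackingCallBack` is non-NULL. The WM_DROPFILES branch never calls `DragFinish((HDROP)wParam)`, so the drop handle's memory is not released.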


@ -0,0 +1,16 @@
#ifndef _GLOBAL_ENGINE_GUI_H
#define _GLOBAL_ENGINE_GUI_H
#include "resource.h"
extern char szWindowUnpackerName[128];
extern char szWindowUnpackerTitle[128];
extern char szWindowUnpackerLongTitle[128];
extern char szWindowUnpackerAuthor[128];
extern HWND EngineBoxHandle;
bool EngineGetFileDialog(char* GlobalBuffer);
long EngineWndProc(HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lParam);
#endif //_GLOBAL_ENGINE_GUI_H
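Review bot: The include guard `_GLOBAL_ENGINE_GUI_H` starts with an underscore followed by an uppercase letter, which is an identifier reserved for the implementation; `GLOBAL_ENGINE_GUI_H` avoids that. The same applies to the guards of the other new headers in this commit (`_GLOBAL_ENGINE_HOOK_H`, `_GLOBAL_ENGINE_SIMPLIFICATION_H`, `_GLOBAL_GARBAGE_H`, `_GLOBAL_INJECTOR_H`). The header also uses `HWND`, `UINT`, `WPARAM` and `LPARAM` without including anything that declares them, so it presumably relies on every includer pulling in `stdafx.h` first; a one-line comment stating that would help.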


@ -0,0 +1,73 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Engine.Hook.h"
#include "Global.Debugger.h"
// Global.Engine.Hook.functions:
void EngineFakeLoadLibraryReturn()
{
ULONG_PTR ParameterData;
LPDEBUG_EVENT currentDBGEvent;
HANDLE currentProcess;
currentDBGEvent = (LPDEBUG_EVENT)GetDebugData();
currentProcess = dbgProcessInformation.hProcess;
if(currentProcess != NULL)
{
#if !defined(_WIN64)
ParameterData = (ULONG_PTR)GetFunctionParameter(currentProcess, UE_FUNCTION_STDCALL_RET, 1, UE_PARAMETER_DWORD);
if(ParameterData != NULL)
{
if(engineFakeDLLHandle != NULL)
{
SetContextData(UE_EAX, engineFakeDLLHandle);
}
else
{
SetContextData(UE_EAX, 0x10000000);
}
}
#else
ParameterData = (ULONG_PTR)GetFunctionParameter(currentProcess, UE_FUNCTION_FASTCALL, 1, UE_PARAMETER_QWORD);
if(ParameterData != NULL)
{
if(engineFakeDLLHandle != NULL)
{
SetContextData(UE_RAX, engineFakeDLLHandle);
}
else
{
SetContextData(UE_RAX, 0x10000000);
}
}
#endif
}
}
void EngineFakeGetProcAddressReturn()
{
ULONG_PTR ParameterData;
LPDEBUG_EVENT currentDBGEvent;
HANDLE currentProcess;
currentDBGEvent = (LPDEBUG_EVENT)GetDebugData();
currentProcess = dbgProcessInformation.hProcess;
if(currentProcess != NULL)
{
#if !defined(_WIN64)
ParameterData = (ULONG_PTR)GetFunctionParameter(currentProcess, UE_FUNCTION_STDCALL_RET, 1, UE_PARAMETER_DWORD);
if(ParameterData != NULL)
{
SetContextData(UE_EAX, (ULONG_PTR)ImporterGetRemoteAPIAddress(currentProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "ExitProcess")));
}
#else
ParameterData = (ULONG_PTR)GetFunctionParameter(currentProcess, UE_FUNCTION_FASTCALL, 1, UE_PARAMETER_QWORD);
if(ParameterData != NULL)
{
SetContextData(UE_RAX, (ULONG_PTR)ImporterGetRemoteAPIAddress(currentProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "ExitProcess")));
}
#endif
}
}
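Review bot: `currentDBGEvent` is assigned from `GetDebugData()` in both functions and never read, and the `#if !defined(_WIN64)` / `#else` bodies are copies that differ only in the calling-convention constant, the parameter size and the result register. Selecting those three values under the `#if` and keeping a single body would remove the duplication and the chance of the two halves drifting apart. The fallback value `0x10000000` in EngineFakeLoadLibraryReturn and the use of ExitProcess as the faked GetProcAddress result are undocumented; a comment such as `// no fake DLL available: return a placeholder module base` would help, though that intent is inferred from the names and should be confirmed by the author.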


@ -0,0 +1,7 @@
#ifndef _GLOBAL_ENGINE_HOOK_H
#define _GLOBAL_ENGINE_HOOK_H
void EngineFakeLoadLibraryReturn();
void EngineFakeGetProcAddressReturn();
#endif //_GLOBAL_ENGINE_HOOK_H


@ -0,0 +1,335 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Engine.Simplification.h"
#include "Global.Debugger.h"
// Global.Engine.Simplify
bool EngineUnpackerOptionLogData;
bool EngineUnpackerFileImporterInit;
bool EngineUnpackerOptionRealingFile;
bool EngineUnpackerOptionMoveOverlay;
bool EngineUnpackerOptionRelocationFix;
ULONG_PTR EngineUnpackerOptionUnpackedOEP;
wchar_t szEngineUnpackerInputFile[MAX_PATH];
wchar_t szEngineUnpackerOutputFile[MAX_PATH];
wchar_t szEngineUnpackerSnapShot1[MAX_PATH];
wchar_t szEngineUnpackerSnapShot2[MAX_PATH];
FILE_STATUS_INFO EngineUnpackerFileStatus = {};
LPPROCESS_INFORMATION pEngineUnpackerProcessHandle;
std::vector<UnpackerInformation> EngineUnpackerBreakInfo;
// Global.Engine.Simplification.functions:
void EngineSimplifyLoadLibraryCallBack()
{
ULONG_PTR iParameter1;
char szLogBufferData[MAX_PATH] = {};
char szReadStringData[MAX_PATH] = {};
ULONG_PTR CurrentBreakAddress = (ULONG_PTR)GetContextData(UE_CIP);
if(!EngineUnpackerFileImporterInit)
{
EngineUnpackerFileImporterInit = true;
/* broken since scylla integration but we dont care
if(EngineUnpackerFileStatus.FileIsDLL)
{
ImporterInit(50 * 1024, (ULONG_PTR)GetDebuggedDLLBaseAddress());
}
else
{
ImporterInit(50 * 1024, (ULONG_PTR)GetDebuggedFileBaseAddress());
}*/
}
for(int i = 0; i < (int)EngineUnpackerBreakInfo.size(); i++)
{
if(EngineUnpackerBreakInfo[i].BreakPointAddress == CurrentBreakAddress)
{
iParameter1 = (ULONG_PTR)GetContextData((DWORD)EngineUnpackerBreakInfo[i].Parameter1);
if(EngineUnpackerBreakInfo[i].SingleBreak)
{
EngineUnpackerBreakInfo.erase(EngineUnpackerBreakInfo.begin() + i);
}
if(GetRemoteString(pEngineUnpackerProcessHandle->hProcess, (void*)iParameter1, &szReadStringData[0], MAX_PATH))
{
ImporterAddNewDll(szReadStringData, (ULONG_PTR)GetContextData((DWORD)EngineUnpackerBreakInfo[i].Parameter2));
if(EngineUnpackerOptionLogData)
{
wsprintfA(szLogBufferData,"[x] LoadLibrary BPX -> %s",szReadStringData);
EngineAddUnpackerWindowLogMessage(szLogBufferData);
}
}
break;
}
}
}
void EngineSimplifyGetProcAddressCallBack()
{
ULONG_PTR iParameter1;
char szLogBufferData[MAX_PATH] = {};
char szReadStringData[MAX_PATH] = {};
ULONG_PTR CurrentBreakAddress = (ULONG_PTR)GetContextData(UE_CIP);
for(int i = 0; i < (int)EngineUnpackerBreakInfo.size(); i++)
{
if(EngineUnpackerBreakInfo[i].BreakPointAddress == CurrentBreakAddress)
{
iParameter1 = (ULONG_PTR)GetContextData((DWORD)EngineUnpackerBreakInfo[i].Parameter1);
if(EngineUnpackerBreakInfo[i].SingleBreak)
{
EngineUnpackerBreakInfo.erase(EngineUnpackerBreakInfo.begin() + i);
}
if(EngineUnpackerFileStatus.FileIsDLL)
{
if(iParameter1 > (ULONG_PTR)GetDebuggedDLLBaseAddress())
{
if(GetRemoteString(pEngineUnpackerProcessHandle->hProcess, (void*)iParameter1, &szReadStringData[0], MAX_PATH))
{
ImporterAddNewAPI(szReadStringData, (ULONG_PTR)GetContextData((DWORD)EngineUnpackerBreakInfo[i].Parameter2));
if(EngineUnpackerOptionLogData)
{
wsprintfA(szLogBufferData,"[x] GetProcAddress BPX -> %s",szReadStringData);
EngineAddUnpackerWindowLogMessage(szLogBufferData);
}
}
}
else
{
ImporterAddNewOrdinalAPI(iParameter1, (ULONG_PTR)GetContextData((DWORD)EngineUnpackerBreakInfo[i].Parameter2));
if(EngineUnpackerOptionLogData)
{
wsprintfA(szLogBufferData,"[x] GetProcAddress BPX -> %08X",iParameter1);
EngineAddUnpackerWindowLogMessage(szLogBufferData);
}
}
}
else
{
if(iParameter1 > (ULONG_PTR)GetDebuggedFileBaseAddress())
{
if(GetRemoteString(pEngineUnpackerProcessHandle->hProcess, (void*)iParameter1, &szReadStringData[0], MAX_PATH))
{
ImporterAddNewAPI(szReadStringData, (ULONG_PTR)GetContextData((DWORD)EngineUnpackerBreakInfo[i].Parameter2));
if(EngineUnpackerOptionLogData)
{
wsprintfA(szLogBufferData,"[x] GetProcAddress BPX -> %s",szReadStringData);
EngineAddUnpackerWindowLogMessage(szLogBufferData);
}
}
}
else
{
ImporterAddNewOrdinalAPI(iParameter1, (ULONG_PTR)GetContextData((DWORD)EngineUnpackerBreakInfo[i].Parameter2));
if(EngineUnpackerOptionLogData)
{
wsprintfA(szLogBufferData,"[x] GetProcAddress BPX -> %08X",iParameter1);
EngineAddUnpackerWindowLogMessage(szLogBufferData);
}
}
}
break;
}
}
}
void EngineSimplifyMakeSnapshotCallBack()
{
ULONG_PTR fdLoadedBase;
wchar_t szTempName[MAX_PATH] = {};
wchar_t szTempFolder[MAX_PATH] = {};
ULONG_PTR CurrentBreakAddress = (ULONG_PTR)GetContextData(UE_CIP);
if(EngineUnpackerFileStatus.FileIsDLL)
{
fdLoadedBase = (ULONG_PTR)GetDebuggedDLLBaseAddress();
}
else
{
fdLoadedBase = (ULONG_PTR)GetDebuggedFileBaseAddress();
}
for(int i = 0; i < (int)EngineUnpackerBreakInfo.size(); i++)
{
if(EngineUnpackerBreakInfo[i].BreakPointAddress == CurrentBreakAddress)
{
if(EngineUnpackerBreakInfo[i].SnapShotNumber == 1)
{
if(GetTempPathW(MAX_PATH, szTempFolder) < MAX_PATH)
{
if(GetTempFileNameW(szTempFolder, L"OverlayTemp", GetTickCount() + 101, szTempName))
{
lstrcpyW(szEngineUnpackerSnapShot1, szTempName);
RelocaterMakeSnapshotW(pEngineUnpackerProcessHandle->hProcess, szEngineUnpackerSnapShot1, (void*)(EngineUnpackerBreakInfo[i].Parameter1 + fdLoadedBase), EngineUnpackerBreakInfo[i].Parameter2);
}
}
}
else
{
if(GetTempPathW(MAX_PATH, szTempFolder) < MAX_PATH)
{
if(GetTempFileNameW(szTempFolder, L"OverlayTemp", GetTickCount() + 201, szTempName))
{
lstrcpyW(szEngineUnpackerSnapShot2, szTempName);
RelocaterMakeSnapshotW(pEngineUnpackerProcessHandle->hProcess, szEngineUnpackerSnapShot2, (void*)(EngineUnpackerBreakInfo[i].Parameter1 + fdLoadedBase), EngineUnpackerBreakInfo[i].Parameter2);
}
}
}
return;
}
}
}
void EngineSimplifyEntryPointCallBack()
{
int i = 0;
int j = 0;
DWORD FileSize;
HANDLE FileMap;
ULONG_PTR FileMapVA;
HANDLE FileHandle;
long mImportTableOffset;
long mRelocTableOffset;
DWORD pOverlayStart;
DWORD pOverlaySize;
ULONG_PTR fdLoadedBase;
char szLogBufferData[MAX_PATH] = {};
wchar_t szTempFolder[MAX_PATH] = {};
wchar_t szTempName[MAX_PATH] = {};
__try
{
if(EngineUnpackerOptionUnpackedOEP == NULL)
{
EngineUnpackerOptionUnpackedOEP = (ULONG_PTR)GetContextData(UE_CIP);
}
if(EngineUnpackerOptionLogData)
{
wsprintfA(szLogBufferData,"[x] Entry Point at: %08X", EngineUnpackerOptionUnpackedOEP);
EngineAddUnpackerWindowLogMessage(szLogBufferData);
}
if(EngineUnpackerFileStatus.FileIsDLL)
{
fdLoadedBase = (ULONG_PTR)GetDebuggedDLLBaseAddress();
RelocaterInit(100 * 1024, (ULONG_PTR)GetPE32DataW(szEngineUnpackerInputFile, NULL, UE_IMAGEBASE), fdLoadedBase);
for(i = 0; i < (int)EngineUnpackerBreakInfo.size(); i++)
{
if(EngineUnpackerBreakInfo[i].SnapShotNumber == 1)
{
j = i;
}
}
if(szEngineUnpackerSnapShot2[0] == 0x00)
{
if(GetTempPathW(MAX_PATH, szTempFolder) < MAX_PATH)
{
if(GetTempFileNameW(szTempFolder, L"OverlayTemp", GetTickCount() + 301, szTempName))
{
lstrcpyW(szEngineUnpackerSnapShot2, szTempName);
RelocaterMakeSnapshotW(pEngineUnpackerProcessHandle->hProcess, szEngineUnpackerSnapShot2, (void*)(EngineUnpackerBreakInfo[j].Parameter1 + fdLoadedBase), EngineUnpackerBreakInfo[j].Parameter2);
}
}
}
RelocaterCompareTwoSnapshotsW(pEngineUnpackerProcessHandle->hProcess, fdLoadedBase, (ULONG_PTR)GetPE32DataW(szEngineUnpackerInputFile, NULL, UE_SIZEOFIMAGE), szEngineUnpackerSnapShot1, szEngineUnpackerSnapShot2, EngineUnpackerBreakInfo[j].Parameter1 + fdLoadedBase);
EngineUnpackerOptionRelocationFix = true;
}
else
{
fdLoadedBase = (ULONG_PTR)GetDebuggedFileBaseAddress();
}
if(PastePEHeaderW(pEngineUnpackerProcessHandle->hProcess, (void*)fdLoadedBase, szEngineUnpackerInputFile))
{
if(EngineUnpackerOptionLogData)
{
EngineAddUnpackerWindowLogMessage("[x] Paste PE header");
}
}
DumpProcessW(pEngineUnpackerProcessHandle->hProcess, (void*)fdLoadedBase, szEngineUnpackerOutputFile, EngineUnpackerOptionUnpackedOEP);
if(EngineUnpackerOptionLogData)
{
EngineAddUnpackerWindowLogMessage("[x] Process dumped!");
}
mImportTableOffset = AddNewSectionW(szEngineUnpackerOutputFile, ".TEv2", ImporterEstimatedSize() + 200) + (DWORD)fdLoadedBase;
if(EngineUnpackerOptionRelocationFix)
{
if(EngineUnpackerFileStatus.FileIsDLL)
{
mRelocTableOffset = AddNewSectionW(szEngineUnpackerOutputFile, ".TEv2", RelocaterEstimatedSize() + 200);
}
}
if(StaticFileLoadW(szEngineUnpackerOutputFile, UE_ACCESS_ALL, false, &FileHandle, &FileSize, &FileMap, &FileMapVA))
{
if(ImporterExportIAT((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, mImportTableOffset, true), FileMapVA, FileHandle))
{
if(EngineUnpackerOptionLogData)
{
EngineAddUnpackerWindowLogMessage("[x] IAT has been fixed!");
}
}
if(EngineUnpackerOptionRelocationFix)
{
if(EngineUnpackerFileStatus.FileIsDLL)
{
RelocaterExportRelocation((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, mRelocTableOffset + fdLoadedBase, true), mRelocTableOffset, FileMapVA);
if(EngineUnpackerOptionLogData)
{
EngineAddUnpackerWindowLogMessage("[x] Exporting relocations!");
}
}
}
if(EngineUnpackerOptionRealingFile)
{
FileSize = RealignPE(FileMapVA, FileSize, 2);
if(EngineUnpackerOptionLogData)
{
EngineAddUnpackerWindowLogMessage("[x] Realigning file!");
}
}
StaticFileUnloadW(szEngineUnpackerOutputFile, false, FileHandle, FileSize, FileMap, FileMapVA);
MakeAllSectionsRWEW(szEngineUnpackerOutputFile);
if(EngineUnpackerFileStatus.FileIsDLL)
{
if(RelocaterChangeFileBaseW(szEngineUnpackerOutputFile, (ULONG_PTR)GetPE32DataW(szEngineUnpackerInputFile, NULL, UE_IMAGEBASE)))
{
if(EngineUnpackerOptionLogData)
{
EngineAddUnpackerWindowLogMessage("[x] Rebase file image!");
}
}
}
if(EngineUnpackerOptionMoveOverlay && FindOverlayW(szEngineUnpackerInputFile, &pOverlayStart, &pOverlaySize))
{
CopyOverlayW(szEngineUnpackerInputFile, szEngineUnpackerOutputFile);
if(EngineUnpackerOptionLogData)
{
EngineAddUnpackerWindowLogMessage("[x] Moving overlay to unpacked file!");
}
}
StopDebug();
if(EngineUnpackerOptionLogData)
{
EngineAddUnpackerWindowLogMessage("[Success] File has been unpacked!");
}
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
ForceClose();
//broken since scylla integration but we dont care
//ImporterCleanup();
if(FileMapVA > NULL)
{
StaticFileUnloadW(szEngineUnpackerOutputFile, false, FileHandle, FileSize, FileMap, FileMapVA);
}
DeleteFileW(szEngineUnpackerOutputFile);
if(EngineUnpackerOptionLogData)
{
EngineAddUnpackerWindowLogMessage("[Fatal Unpacking Error] Please mail file you tried to unpack to ReversingLabs Corporation!");
}
}
if(EngineUnpackerOptionLogData)
{
EngineAddUnpackerWindowLogMessage("-> Unpack ended...");
}
}
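Review bot: `szLogBufferData` is `MAX_PATH` bytes, but `wsprintfA(szLogBufferData,"[x] LoadLibrary BPX -> %s",szReadStringData)` formats a string of up to `MAX_PATH` bytes read from the debugged process, so prefix plus string can exceed the destination; wsprintfA caps its output at 1024 bytes, not at the size of the buffer it is given. The same pattern is in both `%s` log calls of EngineSimplifyGetProcAddressCallBack. Because the debuggee is the untrusted input here, size the buffer for the worst case (`char szLogBufferData[MAX_PATH + 64] = {};`) or bound the conversion with a precision. In both callbacks the `SingleBreak` branch also erases element `i` and then reads `EngineUnpackerBreakInfo[i].Parameter2`, which by then is the next element or one past the end; copying the entry first (`UnpackerInformation hit = EngineUnpackerBreakInfo[i];`) avoids that. In EngineSimplifyEntryPointCallBack, `FileMapVA` is tested in the `__except` block although it is uninitialised on any path that faults before StaticFileLoadW.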


@ -0,0 +1,25 @@
#ifndef _GLOBAL_ENGINE_SIMPLIFICATION_H
#define _GLOBAL_ENGINE_SIMPLIFICATION_H
#include <vector>
extern bool EngineUnpackerOptionLogData;
extern bool EngineUnpackerFileImporterInit;
extern bool EngineUnpackerOptionRealingFile;
extern bool EngineUnpackerOptionMoveOverlay;
extern bool EngineUnpackerOptionRelocationFix;
extern ULONG_PTR EngineUnpackerOptionUnpackedOEP;
extern wchar_t szEngineUnpackerInputFile[MAX_PATH];
extern wchar_t szEngineUnpackerOutputFile[MAX_PATH];
extern wchar_t szEngineUnpackerSnapShot1[MAX_PATH];
extern wchar_t szEngineUnpackerSnapShot2[MAX_PATH];
extern FILE_STATUS_INFO EngineUnpackerFileStatus;
extern LPPROCESS_INFORMATION pEngineUnpackerProcessHandle;
extern std::vector<UnpackerInformation> EngineUnpackerBreakInfo;
void EngineSimplifyLoadLibraryCallBack();
void EngineSimplifyGetProcAddressCallBack();
void EngineSimplifyMakeSnapshotCallBack();
void EngineSimplifyEntryPointCallBack();
#endif //_GLOBAL_ENGINE_SIMPLIFICATION_H


@ -25,10 +25,12 @@ char engineFoundAPIName[512];
char engineExtractedFileName[512];
wchar_t engineExtractedFileNameW[512];
wchar_t engineSzEngineFile[MAX_PATH];
wchar_t engineSzEngineGarbageFolder[MAX_PATH];
wchar_t engineSzEngineFolder[MAX_PATH];
HMODULE engineHandle;
LPVOID engineExitThreadOneShootCallBack = NULL;
LPVOID engineDependencyFiles;
LPVOID engineDependencyFilesCWP;
void* EngineStartUnpackingCallBack;
// Global.Engine.functions:
void EngineInit()


@ -5,6 +5,11 @@
//Global.Engine.Variables
extern HMODULE engineHandle;
extern wchar_t engineSzEngineGarbageFolder[MAX_PATH];
extern LPVOID engineExitThreadOneShootCallBack;
extern LPVOID engineDependencyFiles;
extern LPVOID engineDependencyFilesCWP;
extern void* EngineStartUnpackingCallBack;
extern bool engineAlowModuleLoading;
extern bool engineCheckForwarders;
@ -16,10 +21,6 @@ extern bool enginePassAllExceptions;
extern bool engineExecutePluginCallBack;
extern bool engineAutoHideFromDebugger;
extern wchar_t engineSzEngineGarbageFolder[MAX_PATH];
extern LPVOID engineExitThreadOneShootCallBack;
//Global.Engine.Functions
void EngineInit();
bool EngineIsThereFreeHardwareBreakSlot(LPDWORD FreeRegister);


@ -0,0 +1,155 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Garbage.h"
#include "Global.Handle.h"
#include "Global.Engine.h"
#include <stdlib.h>
#include <time.h>
wchar_t engineSzEngineGarbageFolder[MAX_PATH];
// Global.Garbage.functions:
bool CreateGarbageItem(void* outGargabeItem, int MaxGargabeStringSize)
{
bool Created = false;
wchar_t szGarbageItem[512];
wchar_t szGargabeItemBuff[128];
while(!Created)
{
RtlZeroMemory(&szGarbageItem, sizeof szGarbageItem);
RtlZeroMemory(&szGargabeItemBuff, sizeof szGargabeItemBuff);
srand((unsigned int)time(NULL));
wsprintfW(szGargabeItemBuff, L"Junk-%08x\\", (rand() % 128 + 1) * (rand() % 128 + 1) + (rand() % 1024 + 1));
lstrcpyW(szGarbageItem, engineSzEngineGarbageFolder);
lstrcatW(szGarbageItem, szGargabeItemBuff);
if(EngineCreatePathForFileW(szGarbageItem))
{
Created = true;
}
}
if(lstrlenW(szGarbageItem) * 2 >= MaxGargabeStringSize)
{
RtlMoveMemory(outGargabeItem, &szGarbageItem, MaxGargabeStringSize);
return(false);
}
else
{
RtlMoveMemory(outGargabeItem, &szGarbageItem, lstrlenW(szGarbageItem) * 2);
return(true);
}
}
bool RemoveGarbageItem(wchar_t* szGarbageItem, bool RemoveFolder)
{
wchar_t szFindSearchString[MAX_PATH];
wchar_t szFoundFile[MAX_PATH];
WIN32_FIND_DATAW FindData;
bool QueryNextFile = true;
HANDLE CurrentFile;
if(szGarbageItem != NULL)
{
lstrcpyW(szFindSearchString, szGarbageItem);
if(szFindSearchString[0] != NULL)
{
lstrcatW(szFindSearchString, L"\\*.*");
CurrentFile = FindFirstFileW(szFindSearchString, &FindData);
while(QueryNextFile == true && CurrentFile != INVALID_HANDLE_VALUE)
{
RtlZeroMemory(&szFoundFile, sizeof szFoundFile);
lstrcpyW(szFoundFile, szGarbageItem);
lstrcatW(szFoundFile, FindData.cFileName);
if(FindData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)
{
if(FindData.cFileName[0] != 0x2E)
{
lstrcatW(szFoundFile, L"\\");
RemoveGarbageItem(szFoundFile, true);
}
}
else
{
if(!DeleteFileW(szFoundFile))
{
if(HandlerCloseAllLockHandlesW(szFoundFile, false, true))
{
DeleteFileW(szFoundFile);
}
}
}
if(!FindNextFileW(CurrentFile, &FindData))
{
QueryNextFile = false;
}
}
FindClose(CurrentFile);
if(RemoveFolder)
{
if(lstrlenW(engineSzEngineGarbageFolder) < lstrlenW(szGarbageItem))
{
if(!RemoveDirectoryW(szGarbageItem))
{
if(HandlerCloseAllLockHandlesW(szGarbageItem, true, true))
{
RemoveDirectoryW(szGarbageItem);
}
}
}
}
return(true);
}
else
{
return(false);
}
}
else
{
return(false);
}
}
bool FillGarbageItem(wchar_t* szGarbageItem, wchar_t* szFileName, void* outGargabeItem, int MaxGargabeStringSize)
{
if(!szGarbageItem || !szFileName || !outGargabeItem)
return false;
wchar_t szCopyFileName[512];
wchar_t szGargabeItemBuff[128];
lstrcpyW(szCopyFileName, szGarbageItem);
if(szFileName != NULL)
{
lstrcatW(szCopyFileName, EngineExtractFileNameW(szFileName));
}
else
{
srand((unsigned int)time(NULL));
wsprintfW(szGargabeItemBuff, L"Junk-Data-%08x.bin", (rand() % 128 + 1) * (rand() % 128 + 1) + (rand() % 1024 + 1));
lstrcatW(szCopyFileName, szGargabeItemBuff);
}
if(lstrlenW(szCopyFileName) >= MaxGargabeStringSize)
{
RtlMoveMemory(outGargabeItem, &szCopyFileName, MaxGargabeStringSize);
if(szFileName != NULL)
{
CopyFileW(szFileName, szCopyFileName, false);
}
}
else
{
RtlMoveMemory(outGargabeItem, &szCopyFileName, lstrlenW(szCopyFileName) * 2);
if(szFileName != NULL)
{
CopyFileW(szFileName, szCopyFileName, false);
}
}
return(true);
}
void EmptyGarbage()
{
RemoveGarbageItem(engineSzEngineGarbageFolder, false);
}
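Review bot: RemoveGarbageItem builds paths with unbounded `lstrcpyW`/`lstrcatW` into `MAX_PATH` stack buffers: `szFindSearchString` receives `szGarbageItem` plus `\\*.*`, and `szFoundFile` receives `szGarbageItem` plus `FindData.cFileName`, which alone can be up to `MAX_PATH` characters. A deeply nested or long-named entry under the garbage folder therefore writes past the buffer; checking the combined length before concatenating, or using `StringCchCopyW`/`StringCchCatW` and skipping the entry on failure, would bound it. The recursion also descends into every directory without testing `FILE_ATTRIBUTE_REPARSE_POINT`, so a junction placed inside the folder would have its target's contents deleted. In FillGarbageItem the early `return false` on `!szFileName` makes the `Junk-Data-%08x.bin` branch unreachable. CreateGarbageItem and FillGarbageItem both copy the result with `RtlMoveMemory` without the terminating NUL, and they compare the length against `MaxGargabeStringSize` in bytes in one function and in characters in the other.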


@ -0,0 +1,12 @@
#ifndef _GLOBAL_GARBAGE_H
#define _GLOBAL_GARBAGE_H
extern wchar_t engineSzEngineGarbageFolder[MAX_PATH];
// Global.Garbage.functions:
bool CreateGarbageItem(void* outGargabeItem, int MaxGargabeStringSize);
bool RemoveGarbageItem(wchar_t* szGarbageItem, bool RemoveFolder);
bool FillGarbageItem(wchar_t* szGarbageItem, wchar_t* szFileName, void* outGargabeItem, int MaxGargabeStringSize);
void EmptyGarbage();
#endif //_GLOBAL_GARBAGE_H


@ -0,0 +1,150 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Injector.h"
HANDLE engineReservedMemoryProcess = NULL;
ULONG_PTR engineReservedMemoryLeft[UE_MAX_RESERVED_MEMORY_LEFT];
long injectedRemoteLoadLibrary(LPVOID Parameter)
{
PInjectCodeData APIData = (PInjectCodeData)Parameter;
Parameter = (LPVOID)((ULONG_PTR)Parameter + sizeof InjectCodeData);
#if !defined(_WIN64)
typedef ULONG_PTR(WINAPI *fLoadLibraryW)(LPCWSTR fLibraryName);
typedef ULONG_PTR(WINAPI *fVirtualFree)(LPVOID fMemBase, SIZE_T fMemSize, DWORD fFreeType);
#else
typedef ULONG_PTR(__fastcall *fLoadLibraryW)(LPCWSTR fLibraryName);
typedef ULONG_PTR(__fastcall *fVirtualFree)(LPVOID fMemBase, SIZE_T fMemSize, DWORD fFreeType);
#endif
fLoadLibraryW cLoadLibraryW = (fLoadLibraryW)(APIData->fLoadLibrary);
fVirtualFree cVirtualFree = (fVirtualFree)(APIData->fVirtualFree);
long retValue = NULL;
if(cLoadLibraryW((LPCWSTR)Parameter) != NULL)
{
retValue++;
}
cVirtualFree(Parameter, NULL, MEM_RELEASE);
return(retValue);
}
long injectedRemoteFreeLibrary(LPVOID Parameter)
{
PInjectCodeData APIData = (PInjectCodeData)Parameter;
#if !defined(_WIN64)
typedef ULONG_PTR(WINAPI *fFreeLibrary)(HMODULE fLibBase);
typedef ULONG_PTR(WINAPI *fVirtualFree)(LPVOID fMemBase, SIZE_T fMemSize, DWORD fFreeType);
#else
typedef ULONG_PTR(__fastcall *fFreeLibrary)(HMODULE fLibBase);
typedef ULONG_PTR(__fastcall *fVirtualFree)(LPVOID fMemBase, SIZE_T fMemSize, DWORD fFreeType);
#endif
fFreeLibrary cFreeLibrary = (fFreeLibrary)(APIData->fFreeLibrary);
fVirtualFree cVirtualFree = (fVirtualFree)(APIData->fVirtualFree);
long retValue = NULL;
if(cFreeLibrary(APIData->fFreeLibraryHandle))
{
retValue++;
}
cVirtualFree(Parameter, NULL, MEM_RELEASE);
return(retValue);
}
long injectedRemoteFreeLibrarySimple(LPVOID Parameter)
{
PInjectCodeData APIData = (PInjectCodeData)Parameter;
LPVOID orgParameter = Parameter;
Parameter = (LPVOID)((ULONG_PTR)Parameter + sizeof InjectCodeData);
#if !defined(_WIN64)
typedef ULONG_PTR(WINAPI *fFreeLibrary)(HMODULE fLibBase);
typedef HMODULE(WINAPI *fGetModuleHandleW)(LPCWSTR fLibraryName);
typedef ULONG_PTR(WINAPI *fVirtualFree)(LPVOID fMemBase, SIZE_T fMemSize, DWORD fFreeType);
#else
typedef ULONG_PTR(__fastcall *fFreeLibrary)(HMODULE fLibBase);
typedef HMODULE(__fastcall *fGetModuleHandleW)(LPCWSTR fLibraryName);
typedef ULONG_PTR(__fastcall *fVirtualFree)(LPVOID fMemBase, SIZE_T fMemSize, DWORD fFreeType);
#endif
fGetModuleHandleW cGetModuleHandleW = (fGetModuleHandleW)(APIData->fGetModuleHandle);
fFreeLibrary cFreeLibrary = (fFreeLibrary)(APIData->fFreeLibrary);
fVirtualFree cVirtualFree = (fVirtualFree)(APIData->fVirtualFree);
long retValue = NULL;
HMODULE hModule;
hModule = cGetModuleHandleW((LPCWSTR)Parameter);
if(hModule != NULL)
{
if(cFreeLibrary(hModule))
{
retValue++;
}
}
else
{
retValue++;
}
cVirtualFree(orgParameter, NULL, MEM_RELEASE);
return(retValue);
}
long injectedExitProcess(LPVOID Parameter)
{
PInjectCodeData APIData = (PInjectCodeData)Parameter;
#if !defined(_WIN64)
typedef ULONG_PTR(WINAPI *fExitProcess)(DWORD fExitCode);
#else
typedef ULONG_PTR(__fastcall *fExitProcess)(DWORD fExitCode);
#endif
fExitProcess cExitProcess = (fExitProcess)(APIData->fExitProcess);
long retValue = NULL;
cExitProcess(APIData->fExitProcessCode);
return(NULL);
}
void injectedTerminator()
{
int i;
for(i = 0; i < UE_MAX_RESERVED_MEMORY_LEFT; i++)
{
if(engineReservedMemoryLeft[i] != NULL)
{
VirtualFreeEx(engineReservedMemoryProcess, (LPVOID)engineReservedMemoryLeft[i], NULL, MEM_RELEASE);
engineReservedMemoryLeft[i] = NULL;
}
}
}
// Global.Injector.functions: {DO NOT REORDER! USE ONLY IN RELEASE MODE!}
long injectedImpRec(LPVOID Parameter)
{
HANDLE hFile;
HANDLE hFileMap;
PInjectImpRecCodeData APIData = (PInjectImpRecCodeData)Parameter;
LPVOID szFileName = (LPVOID)((ULONG_PTR)Parameter + sizeof InjectImpRecCodeData);
typedef ULONG_PTR(__cdecl *fTrace)(DWORD hFileMap, DWORD dwSizeMap, DWORD dwTimeOut, DWORD dwToTrace, DWORD dwExactCall);
typedef HANDLE(WINAPI *fCreateFileW)(LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);
typedef HANDLE(WINAPI *fCreateFileMappingA)(HANDLE hFile, LPSECURITY_ATTRIBUTES lpFileMappingAttributes, DWORD flProtect, DWORD dwMaximumSizeHigh, DWORD dwMaximumSizeLow, LPCSTR lpName);
typedef BOOL(__cdecl *fCloseHandle)(HANDLE hHandle);
fTrace cTrace = (fTrace)(APIData->fTrace);
fCreateFileW cCreateFileW = (fCreateFileW)(APIData->fCreateFileA);
fCloseHandle cCloseHandle = (fCloseHandle)(APIData->fCloseHandle);
fCreateFileMappingA cCreateFileMappingA = (fCreateFileMappingA)(APIData->fCreateFileMappingA);
hFile = cCreateFileW((LPCWSTR)szFileName, GENERIC_READ+GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if(hFile != INVALID_HANDLE_VALUE)
{
hFileMap = cCreateFileMappingA(hFile, NULL, 4, NULL, 0x100, NULL);
cTrace((DWORD)hFileMap, 0x100, -1, (DWORD)APIData->AddressToTrace, NULL);
cCloseHandle(hFile);
return(1);
}
else
{
return(0);
}
}
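Review bot: injectedRemoteLoadLibrary advances `Parameter` by `sizeof InjectCodeData` and later passes that advanced pointer to `cVirtualFree(Parameter, NULL, MEM_RELEASE)`; MEM_RELEASE needs the base address of the allocation, so, assuming the block was allocated at the original pointer, the call fails and the block is never released. injectedRemoteFreeLibrarySimple already keeps `orgParameter` for exactly this, and adding the same `LPVOID orgParameter = Parameter;` here would make the two consistent. In injectedImpRec the mapping handle `hFileMap` is neither checked nor closed, `fCloseHandle` is declared `__cdecl` while the other Win32 pointer types in the function are `WINAPI`, and `cCreateFileW` is loaded from a field named `fCreateFileA`, which deserves a comment or a rename. The `DO NOT REORDER! USE ONLY IN RELEASE MODE!` comment does not say why; one sentence giving the reason would keep the constraint from being broken later.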


@ -0,0 +1,14 @@
#ifndef _GLOBAL_INJECTOR_H
#define _GLOBAL_INJECTOR_H
extern HANDLE engineReservedMemoryProcess;
extern ULONG_PTR engineReservedMemoryLeft[UE_MAX_RESERVED_MEMORY_LEFT];
long injectedRemoteLoadLibrary(LPVOID Parameter);
long injectedRemoteFreeLibrary(LPVOID Parameter);
long injectedRemoteFreeLibrarySimple(LPVOID Parameter);
long injectedExitProcess(LPVOID Parameter);
void injectedTerminator();
long injectedImpRec(LPVOID Parameter);
#endif //_GLOBAL_INJECTOR_H


@ -0,0 +1,302 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.OEPFinder.h"
#include "Global.Engine.h"
#include "Global.Breakpoints.h"
#include "Global.Debugger.h"
#include "Global.Mapping.h"
#include "Global.Handle.h"
#include <psapi.h>
GenericOEPTracerData glbEntryTracerData = {};
// Global.FindOEP.functions:
void GenericOEPVirtualProtectHit()
{
PBreakPointDetail bpxList = (PBreakPointDetail)BreakPointBuffer;
MEMORY_BASIC_INFORMATION MemInfo;
DWORD MaximumBreakPoints = 0;
DWORD NewProtect = 0;
DWORD OldProtect = 0;
while(MaximumBreakPoints < MAXIMUM_BREAKPOINTS)
{
bpxList = (PBreakPointDetail)((ULONG_PTR)bpxList + sizeof BreakPointDetail);
if(bpxList->BreakPointType == UE_MEMORY && bpxList->BreakPointActive == UE_BPXACTIVE)
{
VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)bpxList->BreakPointAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION);
OldProtect = MemInfo.Protect;
if(!(OldProtect & PAGE_GUARD))
{
NewProtect = OldProtect ^ PAGE_GUARD;
VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)bpxList->BreakPointAddress, bpxList->BreakPointSize, NewProtect, &OldProtect);
}
}
MaximumBreakPoints++;
}
}
void GenericOEPTraceHit()
{
char* szInstructionType;
typedef void(TITCALL *fEPCallBack)();
fEPCallBack myEPCallBack = (fEPCallBack)glbEntryTracerData.EPCallBack;
LPDEBUG_EVENT myDbgEvent = (LPDEBUG_EVENT)GetDebugData();
glbEntryTracerData.MemoryAccessedFrom = (ULONG_PTR)GetContextData(UE_CIP);
glbEntryTracerData.MemoryAccessed = myDbgEvent->u.Exception.ExceptionRecord.ExceptionInformation[1];
glbEntryTracerData.AccessType = myDbgEvent->u.Exception.ExceptionRecord.ExceptionInformation[0];
szInstructionType = (char*)DisassembleEx(dbgProcessInformation.hProcess, (void*)glbEntryTracerData.MemoryAccessedFrom, true);
StepInto(&GenericOEPTraceHited);
}
void GenericOEPTraceHited()
{
int i;
void* lpHashBuffer;
bool FakeEPDetected = false;
ULONG_PTR NumberOfBytesRW;
LPDEBUG_EVENT myDbgEvent = (LPDEBUG_EVENT)GetDebugData();
typedef void(TITCALL *fEPCallBack)();
fEPCallBack myEPCallBack = (fEPCallBack)glbEntryTracerData.EPCallBack;
PMEMORY_COMPARE_HANDLER myCmpHandler;
ULONG_PTR memBpxAddress;
ULONG_PTR memBpxSize;
DWORD originalHash;
DWORD currentHash;
if(myDbgEvent->u.Exception.ExceptionRecord.ExceptionCode == STATUS_SINGLE_STEP)
{
if(glbEntryTracerData.MemoryAccessed >= glbEntryTracerData.LoadedImageBase && glbEntryTracerData.MemoryAccessed <= glbEntryTracerData.LoadedImageBase + glbEntryTracerData.SizeOfImage)
{
for(i = 0; i < glbEntryTracerData.SectionNumber; i++)
{
if(glbEntryTracerData.MemoryAccessed >= glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase && glbEntryTracerData.MemoryAccessed < glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.SectionData[i].SectionVirtualSize + glbEntryTracerData.LoadedImageBase)
{
if(glbEntryTracerData.AccessType == 1)
{
glbEntryTracerData.SectionData[i].AccessedAlready = true;
}
if(glbEntryTracerData.MemoryAccessedFrom >= glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase && glbEntryTracerData.MemoryAccessedFrom <= glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.SectionData[i].SectionVirtualSize + glbEntryTracerData.LoadedImageBase)
{
if(i != glbEntryTracerData.OriginalEntryPointNum)
{
glbEntryTracerData.SectionData[i].AccessedAlready = true;
}
lpHashBuffer = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
memBpxAddress = (glbEntryTracerData.MemoryAccessed / 0x1000) * 0x1000;
memBpxSize = glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.SectionData[i].SectionVirtualSize + glbEntryTracerData.LoadedImageBase - memBpxAddress;
if(memBpxSize > 0x1000)
{
memBpxSize = 0x1000;
}
if(ReadProcessMemory(dbgProcessInformation.hProcess, (void*)(memBpxAddress), lpHashBuffer, memBpxSize, &NumberOfBytesRW))
{
currentHash = EngineHashMemory((char*)lpHashBuffer, (DWORD)memBpxSize, NULL);
originalHash = EngineHashMemory((char*)((ULONG_PTR)glbEntryTracerData.SectionData[i].AllocatedSection + memBpxAddress - glbEntryTracerData.LoadedImageBase - glbEntryTracerData.SectionData[i].SectionVirtualOffset), (DWORD)memBpxSize, NULL);
if(ReadProcessMemory(dbgProcessInformation.hProcess, (void*)(glbEntryTracerData.CurrentIntructionPointer), lpHashBuffer, MAXIMUM_INSTRUCTION_SIZE, &NumberOfBytesRW))
{
myCmpHandler = (PMEMORY_COMPARE_HANDLER)(lpHashBuffer);
if(myCmpHandler->Array.bArrayEntry[0] == 0xC3) // RET
{
FakeEPDetected = true;
}
else if(myCmpHandler->Array.bArrayEntry[0] == 0x33 && myCmpHandler->Array.bArrayEntry[1] == 0xC0 && myCmpHandler->Array.bArrayEntry[2] == 0xC3) // XOR EAX,EAX; RET
{
FakeEPDetected = true;
}
}
VirtualFree(lpHashBuffer, NULL, MEM_RELEASE);
if(currentHash != originalHash && glbEntryTracerData.SectionData[i].AccessedAlready == true && i != glbEntryTracerData.OriginalEntryPointNum && FakeEPDetected == false)
{
__try
{
if(glbEntryTracerData.EPCallBack != NULL)
{
glbEntryTracerData.CurrentIntructionPointer = (ULONG_PTR)GetContextData(UE_CIP);
SetContextData(UE_CIP, glbEntryTracerData.MemoryAccessedFrom);
DeleteAPIBreakPoint("kernel32.dll", "VirtualProtect", UE_APIEND);
RemoveAllBreakPoints(UE_OPTION_REMOVEALL);
myEPCallBack();
SetContextData(UE_CIP, glbEntryTracerData.CurrentIntructionPointer);
}
else
{
StopDebug();
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
StopDebug();
}
}
}
}
else
{
SetMemoryBPXEx((ULONG_PTR)(glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase), glbEntryTracerData.SectionData[i].SectionVirtualSize, UE_MEMORY, false, &GenericOEPTraceHit);
}
}
else
{
SetMemoryBPXEx((ULONG_PTR)(glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase), glbEntryTracerData.SectionData[i].SectionVirtualSize, UE_MEMORY, false, &GenericOEPTraceHit);
}
}
}
}
else
{
StopDebug();
}
}
void GenericOEPLibraryDetailsHit()
{
int i;
bool memBreakPointSet = false;
char szModuleName[2 * MAX_PATH] = {};
#if !defined(_WIN64)
int inReg = UE_EAX;
#else
int inReg = UE_RAX;
#endif
if(GetModuleBaseNameA(dbgProcessInformation.hProcess, (HMODULE)GetContextData(inReg), szModuleName, sizeof szModuleName) > NULL)
{
if(lstrcmpiA(szModuleName, "kernel32.dll") != NULL)
{
if(glbEntryTracerData.FileIsDLL)
{
glbEntryTracerData.LoadedImageBase = (ULONG_PTR)GetDebuggedDLLBaseAddress();
}
else
{
glbEntryTracerData.LoadedImageBase = (ULONG_PTR)GetDebuggedFileBaseAddress();
}
for(i = 0; i < glbEntryTracerData.SectionNumber; i++)
{
if(glbEntryTracerData.SectionData[i].SectionAttributes & IMAGE_SCN_MEM_EXECUTE || glbEntryTracerData.SectionData[i].SectionAttributes & IMAGE_SCN_CNT_CODE)
{
SetMemoryBPXEx((ULONG_PTR)(glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase), glbEntryTracerData.SectionData[i].SectionVirtualSize, UE_MEMORY, false, &GenericOEPTraceHit);
memBreakPointSet = true;
}
}
if(!memBreakPointSet)
{
StopDebug();
}
else
{
DeleteAPIBreakPoint("kernel32.dll", "GetModuleHandleW", UE_APIEND);
DeleteAPIBreakPoint("kernel32.dll", "LoadLibraryExW", UE_APIEND);
}
}
}
}
void GenericOEPTraceInit()
{
int i;
void* lpHashBuffer;
ULONG_PTR NumberOfBytesRW;
typedef void(TITCALL *fInitCallBack)();
fInitCallBack myInitCallBack = (fInitCallBack)glbEntryTracerData.InitCallBack;
if(glbEntryTracerData.FileIsDLL)
{
glbEntryTracerData.LoadedImageBase = (ULONG_PTR)GetDebuggedDLLBaseAddress();
}
else
{
glbEntryTracerData.LoadedImageBase = (ULONG_PTR)GetDebuggedFileBaseAddress();
}
for(i = 0; i < glbEntryTracerData.SectionNumber; i++)
{
lpHashBuffer = VirtualAlloc(NULL, glbEntryTracerData.SectionData[i].SectionVirtualSize, MEM_COMMIT, PAGE_READWRITE);
if(lpHashBuffer != NULL)
{
if(ReadProcessMemory(dbgProcessInformation.hProcess, (void*)(glbEntryTracerData.SectionData[i].SectionVirtualOffset + glbEntryTracerData.LoadedImageBase), lpHashBuffer, glbEntryTracerData.SectionData[i].SectionVirtualSize, &NumberOfBytesRW))
{
glbEntryTracerData.SectionData[i].AllocatedSection = lpHashBuffer;
}
}
}
SetAPIBreakPoint("kernel32.dll", "VirtualProtect", UE_BREAKPOINT, UE_APIEND, &GenericOEPVirtualProtectHit);
SetAPIBreakPoint("kernel32.dll", "GetModuleHandleW", UE_BREAKPOINT, UE_APIEND, &GenericOEPLibraryDetailsHit);
SetAPIBreakPoint("kernel32.dll", "LoadLibraryExW", UE_BREAKPOINT, UE_APIEND, &GenericOEPLibraryDetailsHit);
if(glbEntryTracerData.InitCallBack != NULL)
{
__try
{
myInitCallBack();
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
StopDebug();
}
}
}
bool GenericOEPFileInitW(wchar_t* szFileName, LPVOID TraceInitCallBack, LPVOID CallBack)
{
int i;
#if defined(_WIN64)
PE64Struct PEStruct = {};
#else
PE32Struct PEStruct = {};
#endif
HANDLE FileHandle;
DWORD FileSize;
HANDLE FileMap;
ULONG_PTR FileMapVA;
if(MapFileExW(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{
if(GetPE32DataFromMappedFileEx(FileMapVA, &PEStruct))
{
RtlZeroMemory(&glbEntryTracerData, sizeof GenericOEPTracerData);
glbEntryTracerData.OriginalImageBase = PEStruct.ImageBase;
glbEntryTracerData.OriginalEntryPoint = PEStruct.OriginalEntryPoint;
glbEntryTracerData.SizeOfImage = PEStruct.NtSizeOfImage;
glbEntryTracerData.SectionNumber = PEStruct.SectionNumber;
glbEntryTracerData.FileIsDLL = IsFileDLL(NULL, FileMapVA);
glbEntryTracerData.OriginalEntryPointNum = GetPE32SectionNumberFromVA(FileMapVA, glbEntryTracerData.OriginalImageBase + glbEntryTracerData.OriginalEntryPoint);
for(i = 0; i < glbEntryTracerData.SectionNumber; i++)
{
glbEntryTracerData.SectionData[i].SectionVirtualOffset = (DWORD)GetPE32DataFromMappedFile(FileMapVA, i, UE_SECTIONVIRTUALOFFSET);
glbEntryTracerData.SectionData[i].SectionVirtualSize = (DWORD)GetPE32DataFromMappedFile(FileMapVA, i, UE_SECTIONVIRTUALSIZE);
if(glbEntryTracerData.SectionData[i].SectionVirtualSize % 0x1000 != 0)
{
glbEntryTracerData.SectionData[i].SectionVirtualSize = ((glbEntryTracerData.SectionData[i].SectionVirtualSize / 0x1000) + 1) * 0x1000;
}
else
{
glbEntryTracerData.SectionData[i].SectionVirtualSize = (glbEntryTracerData.SectionData[i].SectionVirtualSize / 0x1000) * 0x1000;
}
glbEntryTracerData.SectionData[i].SectionAttributes = (DWORD)GetPE32DataFromMappedFile(FileMapVA, i, UE_SECTIONFLAGS);
}
glbEntryTracerData.EPCallBack = CallBack;
glbEntryTracerData.InitCallBack = TraceInitCallBack;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
if(glbEntryTracerData.FileIsDLL)
{
return(false);
}
else
{
return(true);
}
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
}
}
return(false);
}
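Review bot: In GenericOEPTraceHited the scratch page from `VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE)` is never checked and is freed only inside the branch where the first `ReadProcessMemory` succeeds, so every breakpoint hit on which that read fails leaks a page in the debugger. Guard the block with `if(lpHashBuffer != NULL)` and move `VirtualFree(lpHashBuffer, NULL, MEM_RELEASE);` below the closing brace of that `if`. The same branch hashes from `SectionData[i].AllocatedSection` without a null check, although GenericOEPTraceInit stores that pointer only when its own read succeeds and otherwise drops the buffer it allocated. `SectionNumber` is copied from the file's PE header in GenericOEPFileInitW and then bounds every loop over `SectionData`; the array's declaration is not on this page, so confirm the count is clamped to its capacity before the first loop runs on an untrusted sample.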


@ -0,0 +1,13 @@
#ifndef _GLOBAL_OEPFINDER_H
#define _GLOBAL_OEPFINDER_H
extern GenericOEPTracerData glbEntryTracerData;
void GenericOEPVirtualProtectHit();
void GenericOEPTraceHit();
void GenericOEPTraceHited();
void GenericOEPLibraryDetailsHit();
void GenericOEPTraceInit();
bool GenericOEPFileInitW(wchar_t* szFileName, LPVOID TraceInitCallBack, LPVOID CallBack);
#endif //_GLOBAL_OEPFINDER_H


@ -0,0 +1,200 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Debugger.h"
#include "Global.Handle.h"
#include "Global.Threader.h"
#include "Global.Librarian.h"
__declspec(dllexport) void TITCALL ForceClose()
{
/*wchar_t szTempName[MAX_PATH];
wchar_t szTempFolder[MAX_PATH];*/
PPROCESS_ITEM_DATA hListProcessPtr = NULL;
PTHREAD_ITEM_DATA hListThreadPtr = NULL;
PLIBRARY_ITEM_DATAW hListLibraryPtr = NULL;
if(hListProcess != NULL)
{
hListProcessPtr = (PPROCESS_ITEM_DATA)hListProcess;
while(hListProcessPtr->hProcess != NULL)
{
__try
{
EngineCloseHandle(hListProcessPtr->hFile);
EngineCloseHandle(hListProcessPtr->hProcess);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
}
hListProcessPtr = (PPROCESS_ITEM_DATA)((ULONG_PTR)hListProcessPtr + sizeof PROCESS_ITEM_DATA);
}
RtlZeroMemory(hListProcess, MAX_DEBUG_DATA * sizeof PROCESS_ITEM_DATA);
}
if(hListThread != NULL)
{
hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread;
while(hListThreadPtr->hThread != NULL)
{
if(hListThreadPtr->hThread != (HANDLE)-1)
{
__try
{
if(EngineCloseHandle(hListThreadPtr->hThread))
{
hListThreadPtr->hThread = NULL;
hListThreadPtr->dwThreadId = NULL;
hListThreadPtr->ThreadLocalBase = NULL;
hListThreadPtr->ThreadStartAddress = NULL;
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
hListThreadPtr->hThread = NULL;
hListThreadPtr->dwThreadId = NULL;
hListThreadPtr->ThreadLocalBase = NULL;
hListThreadPtr->ThreadStartAddress = NULL;
}
}
hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA);
}
RtlZeroMemory(hListThread, MAX_DEBUG_DATA * sizeof THREAD_ITEM_DATA);
}
if(hListLibrary != NULL)
{
hListLibraryPtr = (PLIBRARY_ITEM_DATAW)hListLibrary;
while(hListLibraryPtr->hFile != NULL)
{
if(hListLibraryPtr->hFile != (HANDLE)-1)
{
if(hListLibraryPtr->hFileMappingView != NULL)
{
UnmapViewOfFile(hListLibraryPtr->hFileMappingView);
__try
{
EngineCloseHandle(hListLibraryPtr->hFileMapping);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
}
}
__try
{
EngineCloseHandle(hListLibraryPtr->hFile);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
}
}
hListLibraryPtr = (PLIBRARY_ITEM_DATAW)((ULONG_PTR)hListLibraryPtr + sizeof LIBRARY_ITEM_DATAW);
}
RtlZeroMemory(hListLibrary, MAX_DEBUG_DATA * sizeof LIBRARY_ITEM_DATAW);
}
if(!engineProcessIsNowDetached)
{
StopDebug();
}
RtlZeroMemory(&dbgProcessInformation, sizeof PROCESS_INFORMATION);
/*if(DebugDebuggingDLL)
{
RtlZeroMemory(&szTempName, sizeof szTempName);
RtlZeroMemory(&szTempFolder, sizeof szTempFolder);
if(GetTempPathW(MAX_PATH, szTempFolder) < MAX_PATH)
{
if(GetTempFileNameW(szTempFolder, L"DeleteTempFile", GetTickCount(), szTempName))
{
DeleteFileW(szTempName);
if(!MoveFileW(szDebuggerName, szTempName))
{
DeleteFileW(szDebuggerName);
}
else
{
DeleteFileW(szTempName);
}
}
RtlZeroMemory(&szTempName, sizeof szTempName);
if(GetTempFileNameW(szTempFolder, L"DeleteTempFile", GetTickCount() + 1, szTempName))
{
DeleteFileW(szTempName);
if(!MoveFileW(szReserveModuleName, szTempName))
{
DeleteFileW(szReserveModuleName);
}
else
{
DeleteFileW(szTempName);
}
}
}
}*/
DebugDebuggingDLL = false;
DebugExeFileEntryPointCallBack = NULL;
}
__declspec(dllexport) void TITCALL StepInto(LPVOID StepCallBack)
{
ULONG_PTR ueContext = NULL;
ueContext = (ULONG_PTR)GetContextData(UE_EFLAGS);
if(!(ueContext & 0x100))
{
ueContext = ueContext ^ 0x100;
}
SetContextData(UE_EFLAGS, ueContext);
engineStepActive = true;
engineStepCallBack = StepCallBack;
engineStepCount = NULL;
}
__declspec(dllexport) void TITCALL StepOver(LPVOID StepCallBack)
{
ULONG_PTR ueCurrentPosition = NULL;
#if !defined(_WIN64)
ueCurrentPosition = (ULONG_PTR)GetContextData(UE_EIP);
#else
ueCurrentPosition = GetContextData(UE_RIP);
#endif
unsigned char instr[16];
ReadProcessMemory(dbgProcessInformation.hProcess, (void*)ueCurrentPosition, instr, sizeof(instr), 0);
char* DisassembledString=(char*)StaticDisassembleEx(ueCurrentPosition, (LPVOID)instr);
if(strstr(DisassembledString, "CALL")||strstr(DisassembledString, "REP")||strstr(DisassembledString, "PUSHF"))
{
ueCurrentPosition+=StaticLengthDisassemble((void*)instr);
SetBPX(ueCurrentPosition, UE_BREAKPOINT_TYPE_INT3+UE_SINGLESHOOT, StepCallBack);
}
else
StepInto(StepCallBack);
}
__declspec(dllexport) void TITCALL SingleStep(DWORD StepCount, LPVOID StepCallBack)
{
ULONG_PTR ueContext = NULL;
ueContext = (ULONG_PTR)GetContextData(UE_EFLAGS);
if(!(ueContext & 0x100))
{
ueContext = ueContext ^ 0x100;
}
SetContextData(UE_EFLAGS, ueContext);
engineStepActive = true;
engineStepCount = (int)StepCount;
engineStepCallBack = StepCallBack;
engineStepCount--;
}
__declspec(dllexport) void TITCALL SetNextDbgContinueStatus(DWORD SetDbgCode)
{
if(SetDbgCode != DBG_CONTINUE)
{
DBGCode = DBG_EXCEPTION_NOT_HANDLED;
}
else
{
DBGCode = DBG_CONTINUE;
}
}
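Review bot: StepOver disassembles `instr` even when `ReadProcessMemory` fails, because the call's result is ignored and the 16-byte buffer is uninitialised, so the CALL/REP/PUSHF decision and the breakpoint address can be derived from stale stack bytes. Declare it as `unsigned char instr[16] = {0};` and fall back with `if(!ReadProcessMemory(dbgProcessInformation.hProcess, (void*)ueCurrentPosition, instr, sizeof(instr), 0)) { StepInto(StepCallBack); return; }`; the pointer returned by `StaticDisassembleEx` should also be checked before it reaches `strstr`. Separately, the three list walks in ForceClose stop only at a NULL handle, while the `RtlZeroMemory` calls show each list is treated as `MAX_DEBUG_DATA` entries, so a completely filled list would be walked past its end unless the code that fills it always leaves a zeroed last entry (not visible here); an index bound on each `while` would remove the doubt.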


@ -9,6 +9,7 @@ __declspec(dllexport) void TITCALL ClearExceptionNumber()
{
CurrentExceptionsNumber = 0;
}
__declspec(dllexport) long TITCALL CurrentExceptionNumber()
{
return(CurrentExceptionsNumber);
@ -18,18 +19,22 @@ __declspec(dllexport) void* TITCALL GetDebugData()
{
return(&DBGEvent);
}
__declspec(dllexport) void* TITCALL GetTerminationData()
{
return(&TerminateDBGEvent);
}
__declspec(dllexport) long TITCALL GetExitCode()
{
return(ProcessExitCode);
}
__declspec(dllexport) long long TITCALL GetDebuggedDLLBaseAddress()
{
return((ULONG_PTR)DebugDebuggingDLLBase);
}
__declspec(dllexport) unsigned long long TITCALL GetDebuggedFileBaseAddress()
{
return (unsigned long long)DebugDebuggingMainModuleBase;
@ -153,7 +158,26 @@ __declspec(dllexport) void* TITCALL GetProcessInformation()
{
return(&dbgProcessInformation);
}
__declspec(dllexport) void* TITCALL GetStartupInformation()
{
return(&dbgStartupInfo);
}
__declspec(dllexport) bool TITCALL IsFileBeingDebugged()
{
return(engineFileIsBeingDebugged);
}
__declspec(dllexport) void TITCALL SetErrorModel(bool DisplayErrorMessages)
{
if(DisplayErrorMessages)
{
SetErrorMode(NULL);
}
else
{
SetErrorMode(SEM_FAILCRITICALERRORS);
}
}
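Review bot: SetErrorModel replaces the whole process error mode, since `SetErrorMode` is process-wide and both branches pass a fixed value, so any flags the host application had set (for example `SEM_NOGPFAULTERRORBOX`) are dropped whenever a caller toggles this export. The function should carry a comment saying so, e.g. `// Overwrites the process-wide error mode; previously set SEM_* flags are not preserved.`, and `SetErrorMode(0)` reads better than `SetErrorMode(NULL)` for a UINT argument.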


@ -42,7 +42,6 @@ __declspec(dllexport) void TITCALL DebugLoop()
typedef void(TITCALL *fFindOEPHandler)(LPPROCESS_INFORMATION fProcessInfo, LPVOID fCallBack);
fCustomHandler myCustomHandler;
fCustomBreakPoint myCustomBreakPoint;
fFindOEPHandler myFindOEPHandler;
ULONG_PTR MemoryBpxCallBack = 0;
SIZE_T ResetBPXSize = 0;
ULONG_PTR ResetBPXAddressTo = 0;


@ -2,7 +2,9 @@
#include "definitions.h"
#include "Global.Debugger.h"
#include "Global.Engine.h"
#include "Global.Handle.h"
#include "Global.Breakpoints.h"
#include "Global.Threader.h"
static wchar_t szBackupDebuggedFileName[512];
static wchar_t szDebuggerName[512];
@ -231,4 +233,189 @@ __declspec(dllexport) bool TITCALL StopDebug()
{
return(false);
}
}
__declspec(dllexport) bool TITCALL AttachDebugger(DWORD ProcessId, bool KillOnExit, LPVOID DebugInfo, LPVOID CallBack)
{
typedef void(WINAPI *fDebugSetProcessKillOnExit)(bool KillExitingDebugee);
fDebugSetProcessKillOnExit myDebugSetProcessKillOnExit;
LPVOID funcDebugSetProcessKillOnExit = NULL;
if(ProcessId != NULL && dbgProcessInformation.hProcess == NULL)
{
RtlZeroMemory(&BreakPointBuffer, sizeof BreakPointBuffer);
if(DebugActiveProcess(ProcessId))
{
if(KillOnExit)
{
funcDebugSetProcessKillOnExit = GetProcAddress(GetModuleHandleA("kernel32.dll"), "DebugSetProcessKillOnExit");
if(funcDebugSetProcessKillOnExit != NULL)
{
myDebugSetProcessKillOnExit = (fDebugSetProcessKillOnExit)(funcDebugSetProcessKillOnExit);
myDebugSetProcessKillOnExit(KillOnExit);
}
}
BreakPointSetCount = 0;
DebugDebuggingDLL = false;
DebugAttachedToProcess = true;
DebugAttachedProcessCallBack = (ULONG_PTR)CallBack;
engineAttachedProcessDebugInfo = DebugInfo;
dbgProcessInformation.dwProcessId = ProcessId;
DebugLoop();
DebugAttachedToProcess = false;
DebugAttachedProcessCallBack = NULL;
return(true);
}
}
else
{
return(false);
}
return(false);
}
__declspec(dllexport) bool TITCALL DetachDebugger(DWORD ProcessId)
{
typedef bool(WINAPI *fDebugActiveProcessStop)(DWORD dwProcessId);
fDebugActiveProcessStop myDebugActiveProcessStop;
LPVOID funcDebugActiveProcessStop = NULL;
bool FuncReturn = false;
if(ProcessId != NULL)
{
funcDebugActiveProcessStop = GetProcAddress(GetModuleHandleA("kernel32.dll"), "DebugActiveProcessStop");
if(funcDebugActiveProcessStop != NULL)
{
myDebugActiveProcessStop = (fDebugActiveProcessStop)(funcDebugActiveProcessStop);
FuncReturn = myDebugActiveProcessStop(ProcessId);
engineProcessIsNowDetached = true;
Sleep(250);
}
DebugAttachedToProcess = false;
if(FuncReturn)
{
return(true);
}
else
{
return(false);
}
}
return(false);
}
__declspec(dllexport) bool TITCALL DetachDebuggerEx(DWORD ProcessId)
{
HANDLE hActiveThread;
CONTEXT myDBGContext;
PTHREAD_ITEM_DATA hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread;
if(hListThreadPtr != NULL)
{
ThreaderPauseProcess();
while(hListThreadPtr->hThread != NULL)
{
hActiveThread = OpenThread(THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, false, hListThreadPtr->dwThreadId);
myDBGContext.ContextFlags = CONTEXT_CONTROL;
GetThreadContext(hActiveThread, &myDBGContext);
if((myDBGContext.EFlags & 0x100))
{
myDBGContext.EFlags = myDBGContext.EFlags ^ 0x100;
}
if(!(myDBGContext.EFlags & 0x10000))
{
myDBGContext.EFlags = myDBGContext.EFlags ^ 0x10000;
}
SetThreadContext(hActiveThread, &myDBGContext);
EngineCloseHandle(hActiveThread);
hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA);
}
ContinueDebugEvent(DBGEvent.dwProcessId, DBGEvent.dwThreadId, DBG_CONTINUE);
ThreaderResumeProcess();
return(DetachDebugger(ProcessId));
}
else
{
return(false);
}
}
__declspec(dllexport) void TITCALL AutoDebugEx(char* szFileName, bool ReserveModuleBase, char* szCommandLine, char* szCurrentFolder, DWORD TimeOut, LPVOID EntryCallBack)
{
wchar_t* PtrUniFileName = NULL;
wchar_t uniFileName[MAX_PATH] = {};
wchar_t* PtrUniCommandLine = NULL;
wchar_t uniCommandLine[MAX_PATH] = {};
wchar_t* PtrUniCurrentFolder = NULL;
wchar_t uniCurrentFolder[MAX_PATH] = {};
if(szFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0])));
MultiByteToWideChar(CP_ACP, NULL, szCommandLine, lstrlenA(szCommandLine)+1, uniCommandLine, sizeof(uniCommandLine)/(sizeof(uniCommandLine[0])));
MultiByteToWideChar(CP_ACP, NULL, szCurrentFolder, lstrlenA(szCurrentFolder)+1, uniCurrentFolder, sizeof(uniCurrentFolder)/(sizeof(uniCurrentFolder[0])));
if(szFileName != NULL)
{
PtrUniFileName = &uniFileName[0];
}
if(szCommandLine != NULL)
{
PtrUniCommandLine = &uniCommandLine[0];
}
if(szCurrentFolder != NULL)
{
PtrUniCurrentFolder = &uniCurrentFolder[0];
}
return(AutoDebugExW(PtrUniFileName, ReserveModuleBase, PtrUniCommandLine, PtrUniCurrentFolder, TimeOut, EntryCallBack));
}
}
__declspec(dllexport) void TITCALL AutoDebugExW(wchar_t* szFileName, bool ReserveModuleBase, wchar_t* szCommandLine, wchar_t* szCurrentFolder, DWORD TimeOut, LPVOID EntryCallBack)
{
DebugReserveModuleBase = NULL;
DWORD ThreadId;
DWORD ExitCode = 0;
HANDLE hSecondThread;
bool FileIsDll = false;
#if !defined(_WIN64)
PE32Struct PEStructure;
#else
PE64Struct PEStructure;
#endif
if(TimeOut == NULL)
{
TimeOut = INFINITE;
}
if(szFileName != NULL)
{
RtlZeroMemory(&expertDebug, sizeof ExpertDebug);
expertDebug.ExpertModeActive = true;
expertDebug.szFileName = szFileName;
expertDebug.szCommandLine = szCommandLine;
expertDebug.szCurrentFolder = szCurrentFolder;
expertDebug.ReserveModuleBase = ReserveModuleBase;
expertDebug.EntryCallBack = EntryCallBack;
GetPE32DataExW(szFileName, (LPVOID)&PEStructure);
if(PEStructure.Characteristics & 0x2000)
{
FileIsDll = true;
}
SetDebugLoopTimeOut(TimeOut);
hSecondThread = CreateThread(NULL, NULL, (LPTHREAD_START_ROUTINE)DebugLoopInSecondThread, (LPVOID)FileIsDll, NULL, &ThreadId);
WaitForSingleObject(hSecondThread, INFINITE);
if(GetExitCodeThread(hSecondThread, &ExitCode))
{
if(ExitCode == -1)
{
ForceClose();
}
}
RtlZeroMemory(&expertDebug, sizeof ExpertDebug);
SetDebugLoopTimeOut(INFINITE);
}
}
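Review bot: DetachDebuggerEx writes `myDBGContext` back with `SetThreadContext` even when `OpenThread` or `GetThreadContext` failed, and the structure is an uninitialised local, so with `CONTEXT_CONTROL` set a failed read can push stack garbage into the thread's instruction and stack pointers just before the detach. Both results should be checked and the two flag edits written as an explicit clear and set, as in the loop body below. In AutoDebugExW, later in the same hunk, `PEStructure.Characteristics` is read after an unchecked `GetPE32DataExW` on an uninitialised structure, and the handle from `CreateThread` is neither checked before `WaitForSingleObject` nor closed afterwards.

```cpp
// … unchanged: ThreaderPauseProcess() and the while(hListThreadPtr->hThread != NULL) header …
hActiveThread = OpenThread(THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, false, hListThreadPtr->dwThreadId);
if(hActiveThread != NULL)
{
    RtlZeroMemory(&myDBGContext, sizeof myDBGContext);
    myDBGContext.ContextFlags = CONTEXT_CONTROL;
    if(GetThreadContext(hActiveThread, &myDBGContext))
    {
        myDBGContext.EFlags &= ~0x100;   // clear the trap flag
        myDBGContext.EFlags |= 0x10000;  // set the resume flag
        SetThreadContext(hActiveThread, &myDBGContext);
    }
    EngineCloseHandle(hActiveThread);
}
// … unchanged: advance hListThreadPtr, ContinueDebugEvent, ThreaderResumeProcess, DetachDebugger …
```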


@ -0,0 +1,179 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Engine.Simplification.h"
#include "Global.Garbage.h"
// TitanEngine.Engine.Simplification.functions:
__declspec(dllexport) void TITCALL EngineUnpackerInitialize(char* szFileName, char* szUnpackedFileName, bool DoLogData, bool DoRealignFile, bool DoMoveOverlay, void* EntryCallBack)
{
wchar_t uniFileName[MAX_PATH] = {};
wchar_t uniUnpackedFileName[MAX_PATH] = {};
if(szFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0])));
if(szUnpackedFileName == NULL)
{
return(EngineUnpackerInitializeW(uniFileName, NULL, DoLogData, DoRealignFile, DoMoveOverlay, EntryCallBack));
}
else
{
MultiByteToWideChar(CP_ACP, NULL, szUnpackedFileName, lstrlenA(szUnpackedFileName)+1, uniUnpackedFileName, sizeof(uniUnpackedFileName)/(sizeof(uniUnpackedFileName[0])));
EngineUnpackerInitializeW(uniFileName, uniUnpackedFileName, DoLogData, DoRealignFile, DoMoveOverlay, EntryCallBack);
}
}
}
__declspec(dllexport) void TITCALL EngineUnpackerInitializeW(wchar_t* szFileName, wchar_t* szUnpackedFileName, bool DoLogData, bool DoRealignFile, bool DoMoveOverlay, void* EntryCallBack)
{
int i,j;
wchar_t TempBackBuffer[MAX_PATH] = {};
if(szFileName != NULL)
{
RtlZeroMemory(&szEngineUnpackerSnapShot1[0], MAX_PATH * 2);
RtlZeroMemory(&szEngineUnpackerSnapShot2[0], MAX_PATH * 2);
RtlZeroMemory(&EngineUnpackerFileStatus, sizeof FILE_STATUS_INFO);
if(IsPE32FileValidExW(szFileName, UE_DEPTH_DEEP, &EngineUnpackerFileStatus))
{
if(!EngineUnpackerFileStatus.FileIsDLL)
{
pEngineUnpackerProcessHandle = (LPPROCESS_INFORMATION)InitDebugExW(szFileName, NULL, NULL, EntryCallBack);
}
else
{
pEngineUnpackerProcessHandle = (LPPROCESS_INFORMATION)InitDLLDebugW(szFileName, true, NULL, NULL, EntryCallBack);
}
if(pEngineUnpackerProcessHandle != NULL)
{
lstrcpyW(szEngineUnpackerInputFile, szFileName);
if(szUnpackedFileName != NULL)
{
lstrcpyW(szEngineUnpackerOutputFile, szUnpackedFileName);
}
else
{
lstrcpyW(TempBackBuffer, szFileName);
i = lstrlenW(TempBackBuffer);
while(TempBackBuffer[i] != 0x2E)
{
i--;
}
TempBackBuffer[i] = 0x00;
j = i + 1;
wsprintfW(szEngineUnpackerOutputFile, L"%s.unpacked.%s", &TempBackBuffer[0], &TempBackBuffer[j]);
}
EngineUnpackerOptionRealingFile = DoRealignFile;
EngineUnpackerOptionMoveOverlay = DoMoveOverlay;
EngineUnpackerOptionRelocationFix = false;
EngineUnpackerOptionLogData = DoLogData;
EngineUnpackerOptionUnpackedOEP = NULL;
EngineUnpackerFileImporterInit = false;
if(EngineUnpackerOptionLogData)
{
EngineAddUnpackerWindowLogMessage("-> Unpack started...");
}
EngineUnpackerBreakInfo.clear();
DebugLoop();
}
}
}
}
__declspec(dllexport) bool TITCALL EngineUnpackerSetBreakCondition(void* SearchStart, DWORD SearchSize, void* SearchPattern, DWORD PatternSize, DWORD PatternDelta, ULONG_PTR BreakType, bool SingleBreak, DWORD Parameter1, DWORD Parameter2)
{
ULONG_PTR fPatternLocation;
DWORD fBreakPointType = UE_BREAKPOINT;
UnpackerInformation fUnpackerInformation = {};
if((int)SearchStart == UE_UNPACKER_CONDITION_SEARCH_FROM_EP)
{
if(EngineUnpackerFileStatus.FileIsDLL)
{
SearchStart = (void*)((ULONG_PTR)GetPE32DataW(szEngineUnpackerInputFile, NULL, UE_OEP) + (ULONG_PTR)GetDebuggedDLLBaseAddress());
}
else
{
SearchStart = (void*)((ULONG_PTR)GetPE32DataW(szEngineUnpackerInputFile, NULL, UE_OEP) + (ULONG_PTR)GetDebuggedFileBaseAddress());
}
}
if(SearchSize == NULL)
{
SearchSize = 0x1000;
}
fPatternLocation = (ULONG_PTR)FindEx(pEngineUnpackerProcessHandle->hProcess, SearchStart, SearchSize, SearchPattern, PatternSize, NULL);
if(fPatternLocation != NULL)
{
if(SingleBreak)
{
fBreakPointType = UE_SINGLESHOOT;
}
fPatternLocation = fPatternLocation + (int)PatternDelta;
fUnpackerInformation.Parameter1 = Parameter1;
fUnpackerInformation.Parameter2 = Parameter2;
fUnpackerInformation.SingleBreak = SingleBreak;
fUnpackerInformation.BreakPointAddress = fPatternLocation;
if(BreakType == UE_UNPACKER_CONDITION_LOADLIBRARY)
{
if(SetBPX(fPatternLocation, UE_BREAKPOINT, &EngineSimplifyLoadLibraryCallBack))
{
EngineUnpackerBreakInfo.push_back(fUnpackerInformation);
return(true);
}
}
else if(BreakType == UE_UNPACKER_CONDITION_GETPROCADDRESS)
{
if(SetBPX(fPatternLocation, UE_BREAKPOINT, &EngineSimplifyGetProcAddressCallBack))
{
EngineUnpackerBreakInfo.push_back(fUnpackerInformation);
return(true);
}
}
else if(BreakType == UE_UNPACKER_CONDITION_ENTRYPOINTBREAK)
{
if(SetBPX(fPatternLocation, UE_BREAKPOINT, &EngineSimplifyGetProcAddressCallBack))
{
EngineUnpackerBreakInfo.push_back(fUnpackerInformation);
return(true);
}
}
else if(BreakType == UE_UNPACKER_CONDITION_RELOCSNAPSHOT1)
{
if(SetBPX(fPatternLocation, UE_BREAKPOINT, &EngineSimplifyMakeSnapshotCallBack))
{
fUnpackerInformation.SnapShotNumber = 1;
EngineUnpackerBreakInfo.push_back(fUnpackerInformation);
return(true);
}
}
else if(BreakType == UE_UNPACKER_CONDITION_RELOCSNAPSHOT2)
{
if(SetBPX(fPatternLocation, UE_BREAKPOINT, &EngineSimplifyMakeSnapshotCallBack))
{
fUnpackerInformation.SnapShotNumber = 2;
EngineUnpackerBreakInfo.push_back(fUnpackerInformation);
return(true);
}
}
else
{
if(SetBPX(fPatternLocation, fBreakPointType, (void*)BreakType))
{
EngineUnpackerBreakInfo.push_back(fUnpackerInformation);
return(true);
}
}
}
return(false);
}
__declspec(dllexport) void TITCALL EngineUnpackerSetEntryPointAddress(ULONG_PTR UnpackedEntryPointAddress)
{
EngineUnpackerOptionUnpackedOEP = UnpackedEntryPointAddress;
}
__declspec(dllexport) void TITCALL EngineUnpackerFinalizeUnpacking()
{
EngineSimplifyEntryPointCallBack();
EmptyGarbage();
}
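Review bot: In EngineUnpackerInitializeW the backward scan `while(TempBackBuffer[i] != 0x2E)` has no lower bound, so an input path with no '.' drives `i` below zero, reads in front of the stack buffer and then writes a terminator at whatever 0x2E value it happens to find there. Bound it, e.g. `while(i > 0 && TempBackBuffer[i] != 0x2E)`, and build the default output name without an extension when no dot is found. The `lstrcpyW(TempBackBuffer, szFileName)` just before it copies a caller-supplied path into a `MAX_PATH` buffer without a length check, and the copies into `szEngineUnpackerInputFile` and `szEngineUnpackerOutputFile` have the same shape (their sizes are declared elsewhere). In EngineUnpackerSetBreakCondition the `UE_UNPACKER_CONDITION_ENTRYPOINTBREAK` branch registers `EngineSimplifyGetProcAddressCallBack`, which looks like a copy of the branch above it; confirm whether `EngineSimplifyEntryPointCallBack` was intended.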


@ -0,0 +1,304 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Engine.h"
#include "Global.Mapping.h"
#include "Global.Engine.Hook.h"
#include "Global.Engine.GUI.h"
// TitanEngine.Engine.functions:
__declspec(dllexport) void TITCALL SetEngineVariable(DWORD VariableId, bool VariableSet)
{
if(VariableId == UE_ENGINE_ALOW_MODULE_LOADING)
{
engineAlowModuleLoading = VariableSet;
}
else if(VariableId == UE_ENGINE_AUTOFIX_FORWARDERS)
{
engineCheckForwarders = VariableSet;
}
else if(VariableId == UE_ENGINE_PASS_ALL_EXCEPTIONS)
{
enginePassAllExceptions = VariableSet;
}
else if(VariableId == UE_ENGINE_NO_CONSOLE_WINDOW)
{
engineRemoveConsoleForDebugee = VariableSet;
}
else if(VariableId == UE_ENGINE_BACKUP_FOR_CRITICAL_FUNCTIONS)
{
engineBackupForCriticalFunctions = VariableSet;
}
else if(VariableId == UE_ENGINE_RESET_CUSTOM_HANDLER)
{
engineResetCustomHandler = VariableSet;
}
else if(VariableId == UE_ENGINE_CALL_PLUGIN_DEBUG_CALLBACK)
{
engineExecutePluginCallBack = VariableSet;
}
}
__declspec(dllexport) bool TITCALL EngineCreateMissingDependencies(char* szFileName, char* szOutputFolder, bool LogCreatedFiles)
{
wchar_t uniFileName[MAX_PATH] = {};
wchar_t uniOutputFolder[MAX_PATH] = {};
if(szFileName != NULL && szOutputFolder != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0])));
MultiByteToWideChar(CP_ACP, NULL, szOutputFolder, lstrlenA(szOutputFolder)+1, uniOutputFolder, sizeof(uniOutputFolder)/(sizeof(uniOutputFolder[0])));
return(EngineCreateMissingDependenciesW(uniFileName, uniOutputFolder, LogCreatedFiles));
}
else
{
return(NULL);
}
}
__declspec(dllexport) bool TITCALL EngineCreateMissingDependenciesW(wchar_t* szFileName, wchar_t* szOutputFolder, bool LogCreatedFiles)
{
char* ImportDllName;
wchar_t ImportDllNameW[512];
wchar_t BuildExportName[512];
PIMAGE_THUNK_DATA32 ImportThunkX86;
PIMAGE_THUNK_DATA64 ImportThunkX64;
PIMAGE_IMPORT_DESCRIPTOR ImportPointer;
ULONG_PTR ImportTableAddress = NULL;
ULONG_PTR ImportThunkName = NULL;
DWORD ImportThunkAddress = NULL;
ULONG_PTR ImageBase = NULL;
PIMAGE_DOS_HEADER DOSHeader;
PIMAGE_NT_HEADERS32 PEHeader32;
PIMAGE_NT_HEADERS64 PEHeader64;
HANDLE FileHandle;
DWORD FileSize;
HANDLE FileMap;
ULONG_PTR FileMapVA;
BOOL FileIs64;
if(MapFileExW(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{
DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
if(DOSHeader->e_lfanew < 0x1000 - 108)
{
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
if(PEHeader32->OptionalHeader.Magic == 0x10B)
{
FileIs64 = false;
}
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
{
FileIs64 = true;
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
if(LogCreatedFiles)
{
if(engineDependencyFiles != NULL)
{
VirtualFree(engineDependencyFiles, NULL, MEM_RELEASE);
}
engineDependencyFiles = VirtualAlloc(NULL, 20 * 1024, MEM_COMMIT, PAGE_READWRITE);
engineDependencyFilesCWP = engineDependencyFiles;
}
if(!FileIs64)
{
ImageBase = (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase;
ImportTableAddress = (ULONG_PTR)PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
ImportTableAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportTableAddress + ImageBase, true);
ImportPointer = (PIMAGE_IMPORT_DESCRIPTOR)ImportTableAddress;
while(ImportPointer->FirstThunk != NULL)
{
ImportDllName = (PCHAR)((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportPointer->Name + ImageBase, true));
MultiByteToWideChar(CP_ACP, NULL, ImportDllName, lstrlenA(ImportDllName)+1, ImportDllNameW, sizeof(ImportDllNameW)/(sizeof(ImportDllNameW[0])));
if(!EngineIsDependencyPresentW(ImportDllNameW, szFileName, szOutputFolder))
{
RtlZeroMemory(&BuildExportName, 512);
lstrcatW(BuildExportName, szOutputFolder);
if(BuildExportName[lstrlenW(BuildExportName)-1] != 0x5C)
{
BuildExportName[lstrlenW(BuildExportName)] = 0x5C;
}
lstrcatW(BuildExportName, ImportDllNameW);
if(LogCreatedFiles)
{
RtlMoveMemory(engineDependencyFilesCWP, &BuildExportName, lstrlenW(BuildExportName) * 2);
engineDependencyFilesCWP = (LPVOID)((ULONG_PTR)engineDependencyFilesCWP + (lstrlenW(BuildExportName) * 2) + 2);
}
EngineExtractResource("MODULEx86", BuildExportName);
ExporterInit(20 * 1024, (ULONG_PTR)GetPE32DataW(BuildExportName, NULL, UE_IMAGEBASE), NULL, ImportDllName);
ImportThunkAddress = ImportPointer->FirstThunk;
if(ImportPointer->OriginalFirstThunk != NULL)
{
ImportThunkX86 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportPointer->OriginalFirstThunk + ImageBase, true));
}
else
{
ImportThunkX86 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportPointer->FirstThunk + ImageBase, true));
}
while(ImportThunkX86->u1.Function != NULL)
{
if(ImportThunkX86->u1.Ordinal & IMAGE_ORDINAL_FLAG32)
{
ExporterAddNewOrdinalExport(ImportThunkX86->u1.Ordinal ^ IMAGE_ORDINAL_FLAG32, 0x1000);
}
else
{
ImportThunkName = (ULONG_PTR)(ConvertVAtoFileOffset(FileMapVA, ImportThunkX86->u1.AddressOfData + ImageBase, true) + 2);
ExporterAddNewExport((PCHAR)ImportThunkName, 0x1000);
}
ImportThunkX86 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ImportThunkX86 + 4);
ImportThunkAddress = ImportThunkAddress + 4;
}
ExporterBuildExportTableExW(BuildExportName, ".export");
}
ImportPointer = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportPointer + sizeof IMAGE_IMPORT_DESCRIPTOR);
}
}
else
{
ImageBase = (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase;
ImportTableAddress = (ULONG_PTR)PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
ImportTableAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportTableAddress + ImageBase, true);
ImportPointer = (PIMAGE_IMPORT_DESCRIPTOR)ImportTableAddress;
while(ImportPointer->FirstThunk != NULL)
{
ImportDllName = (PCHAR)((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportPointer->Name + ImageBase, true));
MultiByteToWideChar(CP_ACP, NULL, ImportDllName, lstrlenA(ImportDllName)+1, ImportDllNameW, sizeof(ImportDllNameW)/(sizeof(ImportDllNameW[0])));
if(!EngineIsDependencyPresentW(ImportDllNameW, szFileName, szOutputFolder))
{
RtlZeroMemory(&BuildExportName, 512);
lstrcatW(BuildExportName, szOutputFolder);
if(BuildExportName[lstrlenW(BuildExportName)-1] != 0x5C)
{
BuildExportName[lstrlenW(BuildExportName)] = 0x5C;
}
lstrcatW(BuildExportName, ImportDllNameW);
if(LogCreatedFiles)
{
RtlMoveMemory(engineDependencyFilesCWP, &BuildExportName, lstrlenW(BuildExportName) * 2);
engineDependencyFilesCWP = (LPVOID)((ULONG_PTR)engineDependencyFilesCWP + (lstrlenW(BuildExportName) * 2) + 2);
}
EngineExtractResource("MODULEx64", BuildExportName);
ExporterInit(20 * 1024, (ULONG_PTR)GetPE32DataW(BuildExportName, NULL, UE_IMAGEBASE), NULL, ImportDllName);
ImportThunkAddress = ImportPointer->FirstThunk;
if(ImportPointer->OriginalFirstThunk != NULL)
{
ImportThunkX64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportPointer->OriginalFirstThunk + ImageBase, true));
}
else
{
ImportThunkX64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportPointer->FirstThunk + ImageBase, true));
}
while(ImportThunkX64->u1.Function != NULL)
{
if(ImportThunkX64->u1.Ordinal & IMAGE_ORDINAL_FLAG64)
{
ExporterAddNewOrdinalExport((DWORD)(ImportThunkX64->u1.Ordinal ^ IMAGE_ORDINAL_FLAG64), 0x1000);
}
else
{
ImportThunkName = (ULONG_PTR)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(ImportThunkX64->u1.AddressOfData + ImageBase), true) + 2);
ExporterAddNewExport((PCHAR)ImportThunkName, 0x1000);
}
ImportThunkX64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ImportThunkX64 + 8);
ImportThunkAddress = ImportThunkAddress + 8;
}
ExporterBuildExportTableExW(BuildExportName, ".export");
}
ImportPointer = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportPointer + sizeof IMAGE_IMPORT_DESCRIPTOR);
}
}
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(true);
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
}
return(false);
}
__declspec(dllexport) bool TITCALL EngineFakeMissingDependencies(HANDLE hProcess)
{
if(hProcess != NULL)
{
SetAPIBreakPoint("ntdll.dll", "LdrLoadDll", UE_BREAKPOINT, UE_APIEND, (LPVOID)&EngineFakeLoadLibraryReturn);
SetAPIBreakPoint("ntdll.dll", "LdrGetProcedureAddress", UE_BREAKPOINT, UE_APIEND, (LPVOID)&EngineFakeGetProcAddressReturn);
}
return(false);
}
__declspec(dllexport) bool TITCALL EngineDeleteCreatedDependencies()
{
wchar_t szTempName[MAX_PATH];
wchar_t szTempFolder[MAX_PATH];
if(engineDependencyFiles != NULL)
{
engineDependencyFilesCWP = engineDependencyFiles;
while(*((char*)engineDependencyFilesCWP) != 0)
{
RtlZeroMemory(&szTempName, sizeof szTempName);
RtlZeroMemory(&szTempFolder, sizeof szTempFolder);
if(GetTempPathW(MAX_PATH, szTempFolder) < MAX_PATH)
{
if(GetTempFileNameW(szTempFolder, L"DeleteTempGenFile", GetTickCount(), szTempName))
{
DeleteFileW(szTempName);
if(!MoveFileW((LPCWSTR)engineDependencyFilesCWP, szTempName))
{
DeleteFileW((LPCWSTR)engineDependencyFilesCWP);
}
else
{
DeleteFileW(szTempName);
}
}
}
engineDependencyFilesCWP = (LPVOID)((ULONG_PTR)engineDependencyFilesCWP + (lstrlenW((PWCHAR)engineDependencyFilesCWP) * 2) + 2);
}
VirtualFree(engineDependencyFiles, NULL, MEM_RELEASE);
engineDependencyFiles = NULL;
engineDependencyFilesCWP = NULL;
return(true);
}
return(false);
}
__declspec(dllexport) bool TITCALL EngineCreateUnpackerWindow(char* WindowUnpackerTitle, char* WindowUnpackerLongTitle, char* WindowUnpackerName, char* WindowUnpackerAuthor, void* StartUnpackingCallBack)
{
if(!WindowUnpackerTitle || !WindowUnpackerLongTitle || !WindowUnpackerName || !WindowUnpackerAuthor || !StartUnpackingCallBack)
return false;
EngineStartUnpackingCallBack = StartUnpackingCallBack;
lstrcpyA(szWindowUnpackerTitle, WindowUnpackerTitle);
lstrcpyA(szWindowUnpackerLongTitle, WindowUnpackerLongTitle);
lstrcpyA(szWindowUnpackerAuthor, WindowUnpackerAuthor);
lstrcpyA(szWindowUnpackerName, WindowUnpackerName);
if(DialogBoxParamA((HINSTANCE)engineHandle, MAKEINTRESOURCEA(IDD_MAINWINDOW), NULL, (DLGPROC)EngineWndProc, NULL) != -1)
{
return(true);
}
else
{
return(false);
}
}
__declspec(dllexport) void TITCALL EngineAddUnpackerWindowLogMessage(char* szLogMessage)
{
int cSelect;
SendMessageA(EngineBoxHandle, LB_ADDSTRING, NULL, (LPARAM)szLogMessage);
cSelect = (int)SendMessageA(EngineBoxHandle, LB_GETCOUNT, NULL, NULL);
cSelect--;
SendMessageA(EngineBoxHandle, LB_SETCURSEL, (WPARAM)cSelect, NULL);
}


@ -0,0 +1,449 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Mapping.h"
#include "Global.Engine.h"
static LPVOID expTableData = NULL;
static LPVOID expTableDataCWP = NULL;
static ULONG_PTR expImageBase = 0;
static DWORD expExportNumber = 0;
static bool expNamePresent = false;
static DWORD expExportAddress[1000];
static DWORD expSortedNamePointers[1000];
static ULONG_PTR expNamePointers[1000];
static DWORD expNameHashes[1000];
static WORD expOrdinals[1000];
static IMAGE_EXPORT_DIRECTORY expExportData;
// TitanEngine.Exporter.functions:
__declspec(dllexport) void TITCALL ExporterCleanup()
{
int i = NULL;
for(i = 0; i < 1000; i++)
{
expExportAddress[i] = 0;
expSortedNamePointers[i] = 0;
expNamePointers[i] = 0;
expNameHashes[i] = 0;
expOrdinals[i] = 0;
}
//RtlZeroMemory(&szExportFileName, 512);
RtlZeroMemory(&expExportData, sizeof IMAGE_EXPORT_DIRECTORY);
VirtualFree(expTableData, NULL, MEM_RELEASE);
expExportNumber = NULL;
expTableData = NULL;
expImageBase = NULL;
}
__declspec(dllexport) void TITCALL ExporterSetImageBase(ULONG_PTR ImageBase)
{
expImageBase = ImageBase;
}
__declspec(dllexport) void TITCALL ExporterInit(DWORD MemorySize, ULONG_PTR ImageBase, DWORD ExportOrdinalBase, char* szExportModuleName)
{
if(expTableData != NULL)
{
ExporterCleanup();
}
expExportData.Base = ExportOrdinalBase;
expTableData = VirtualAlloc(NULL, MemorySize, MEM_COMMIT, PAGE_READWRITE);
if(szExportModuleName != NULL)
{
RtlMoveMemory(expTableData, szExportModuleName, lstrlenA(szExportModuleName));
expTableDataCWP = (LPVOID)((ULONG_PTR)expTableData + lstrlenA(szExportModuleName) + 2);
expNamePresent = true;
}
else
{
expTableDataCWP = expTableData;
expNamePresent = false;
}
expImageBase = ImageBase;
}
__declspec(dllexport) bool TITCALL ExporterAddNewExport(char* szExportName, DWORD ExportRelativeAddress)
{
unsigned int i;
DWORD NameHash;
if(expTableDataCWP != NULL && szExportName != NULL)
{
NameHash = (DWORD)EngineHashString(szExportName);
for(i = 0; i < expExportNumber; i++)
{
if(expNameHashes[i] == NameHash)
{
return(true);
}
}
expExportAddress[expExportNumber] = ExportRelativeAddress;
expNamePointers[expExportNumber] = (ULONG_PTR)expTableDataCWP;
expNameHashes[expExportNumber] = (DWORD)EngineHashString(szExportName);
expOrdinals[expExportNumber] = (WORD)(expExportNumber);
RtlMoveMemory(expTableDataCWP, szExportName, lstrlenA(szExportName));
expTableDataCWP = (LPVOID)((ULONG_PTR)expTableDataCWP + lstrlenA(szExportName) + 2);
expExportNumber++;
return(true);
}
return(false);
}
__declspec(dllexport) bool TITCALL ExporterAddNewOrdinalExport(DWORD OrdinalNumber, DWORD ExportRelativeAddress)
{
unsigned int i = NULL;
char szExportFunctionName[512];
RtlZeroMemory(&szExportFunctionName, 512);
if(expTableDataCWP != NULL)
{
if(expExportNumber == NULL)
{
expExportData.Base = OrdinalNumber;
wsprintfA(szExportFunctionName, "Func%d", expExportNumber + 1);
return(ExporterAddNewExport(szExportFunctionName, ExportRelativeAddress));
}
else
{
if(OrdinalNumber == expExportData.Base + expExportNumber - 1)
{
wsprintfA(szExportFunctionName, "Func%d", expExportNumber + 1);
return(ExporterAddNewExport(szExportFunctionName, ExportRelativeAddress));
}
else if(OrdinalNumber > expExportData.Base + expExportNumber - 1)
{
for(i = expExportData.Base + expExportNumber - 1; i <= OrdinalNumber; i++)
{
RtlZeroMemory(&szExportFunctionName, 512);
wsprintfA(szExportFunctionName, "Func%d", expExportNumber + 1);
ExporterAddNewExport(szExportFunctionName, ExportRelativeAddress);
}
return(true);
}
else
{
return(true);
}
}
}
return(false);
}
__declspec(dllexport) long TITCALL ExporterGetAddedExportCount()
{
return(expExportNumber);
}
__declspec(dllexport) long TITCALL ExporterEstimatedSize()
{
DWORD EstimatedSize = NULL;
EstimatedSize = (DWORD)((ULONG_PTR)expTableDataCWP - (ULONG_PTR)expTableData);
EstimatedSize = EstimatedSize + (expExportNumber * 12) + sizeof IMAGE_EXPORT_DIRECTORY;
return(EstimatedSize);
}
__declspec(dllexport) bool TITCALL ExporterBuildExportTable(ULONG_PTR StorePlace, ULONG_PTR FileMapVA)
{
unsigned int i = NULL;
unsigned int j = NULL;
LPVOID expBuildExportDataOld;
PIMAGE_DOS_HEADER DOSHeader;
PIMAGE_NT_HEADERS32 PEHeader32;
PIMAGE_NT_HEADERS64 PEHeader64;
LPVOID expBuildExportData;
LPVOID expBuildExportDataCWP;
DWORD StorePlaceRVA = (DWORD)ConvertFileOffsetToVA(FileMapVA, StorePlace, false);
ULONG_PTR TempULONG;
DWORD TempDWORD;
BOOL FileIs64 = false;
if(expTableDataCWP != NULL)
{
expBuildExportData = VirtualAlloc(NULL, ExporterEstimatedSize(), MEM_COMMIT, PAGE_READWRITE);
expBuildExportDataCWP = (LPVOID)((ULONG_PTR)expBuildExportData + sizeof IMAGE_EXPORT_DIRECTORY);
expExportData.NumberOfNames = expExportNumber;
expExportData.NumberOfFunctions = expExportNumber;
for(i = 0; i < expExportNumber; i++)
{
for(j = 0; j < expExportNumber; j++)
{
if(lstrcmpiA((PCHAR)expNamePointers[i], (PCHAR)expNamePointers[j]) < NULL)
{
TempULONG = expNamePointers[j];
expNamePointers[j] = expNamePointers[i];
expNamePointers[i] = TempULONG;
TempDWORD = expExportAddress[j];
expExportAddress[j] = expExportAddress[i];
expExportAddress[i] = TempDWORD;
}
}
}
if(expNamePresent)
{
expExportData.Name = StorePlaceRVA + (DWORD)((ULONG_PTR)expBuildExportDataCWP - (ULONG_PTR)expBuildExportData);
RtlMoveMemory(expBuildExportDataCWP, (LPVOID)expTableData, lstrlenA((PCHAR)expTableData));
expBuildExportDataCWP = (LPVOID)((ULONG_PTR)expBuildExportDataCWP + lstrlenA((PCHAR)expTableData) + 2);
}
for(i = 0; i < expExportNumber; i++)
{
RtlMoveMemory(expBuildExportDataCWP, (LPVOID)expNamePointers[i], lstrlenA((PCHAR)expNamePointers[i]));
expBuildExportDataOld = expBuildExportDataCWP;
expBuildExportDataCWP = (LPVOID)((ULONG_PTR)expBuildExportDataCWP + lstrlenA((PCHAR)expNamePointers[i]) + 2);
expSortedNamePointers[i] = (DWORD)((ULONG_PTR)expBuildExportDataOld - (ULONG_PTR)expBuildExportData) + StorePlaceRVA;
}
expExportData.AddressOfFunctions = StorePlaceRVA + (DWORD)((ULONG_PTR)expBuildExportDataCWP - (ULONG_PTR)expBuildExportData);
RtlMoveMemory(expBuildExportDataCWP, &expExportAddress, 4 * expExportNumber);
expBuildExportDataCWP = (LPVOID)((ULONG_PTR)expBuildExportDataCWP + 4 * expExportNumber);
expExportData.AddressOfNames = StorePlaceRVA + (DWORD)((ULONG_PTR)expBuildExportDataCWP - (ULONG_PTR)expBuildExportData);
RtlMoveMemory(expBuildExportDataCWP, &expSortedNamePointers, 4 * expExportNumber);
expBuildExportDataCWP = (LPVOID)((ULONG_PTR)expBuildExportDataCWP + 4 * expExportNumber);
expExportData.AddressOfNameOrdinals = StorePlaceRVA + (DWORD)((ULONG_PTR)expBuildExportDataCWP - (ULONG_PTR)expBuildExportData);
RtlMoveMemory(expBuildExportDataCWP, &expOrdinals, 2 * expExportNumber);
expBuildExportDataCWP = (LPVOID)((ULONG_PTR)expBuildExportDataCWP + 2 * expExportNumber);
RtlMoveMemory(expBuildExportData, &expExportData, sizeof IMAGE_EXPORT_DIRECTORY);
__try
{
RtlMoveMemory((LPVOID)StorePlace, expBuildExportData, (DWORD)((ULONG_PTR)expBuildExportDataCWP - (ULONG_PTR)expBuildExportData));
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
VirtualFree(expBuildExportData, NULL, MEM_RELEASE);
ExporterCleanup();
return(false);
}
if(FileMapVA != NULL)
{
DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
if(EngineValidateHeader(FileMapVA, NULL, NULL, DOSHeader, true))
{
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
if(PEHeader32->OptionalHeader.Magic == 0x10B)
{
FileIs64 = false;
}
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
{
FileIs64 = true;
}
else
{
return false;
}
if(!FileIs64)
{
PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress = (DWORD)StorePlaceRVA;
PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size = (DWORD)((ULONG_PTR)expBuildExportDataCWP - (ULONG_PTR)expBuildExportData);
}
else
{
PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress = (DWORD)StorePlaceRVA;
PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size = (DWORD)((ULONG_PTR)expBuildExportDataCWP - (ULONG_PTR)expBuildExportData);
}
}
}
VirtualFree(expBuildExportData, NULL, MEM_RELEASE);
ExporterCleanup();
return(true);
}
return(false);
}
__declspec(dllexport) bool TITCALL ExporterBuildExportTableEx(char* szExportFileName, char* szSectionName)
{
wchar_t uniExportFileName[MAX_PATH] = {};
if(szExportFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szExportFileName, lstrlenA(szExportFileName)+1, uniExportFileName, sizeof(uniExportFileName)/(sizeof(uniExportFileName[0])));
return(ExporterBuildExportTableExW(uniExportFileName, szSectionName));
}
else
{
return(false);
}
}
__declspec(dllexport) bool TITCALL ExporterBuildExportTableExW(wchar_t* szExportFileName, char* szSectionName)
{
HANDLE FileHandle;
DWORD FileSize;
HANDLE FileMap;
ULONG_PTR FileMapVA;
DWORD NewSectionVO = NULL;
DWORD NewSectionFO = NULL;
bool ReturnValue = false;
if(ExporterGetAddedExportCount() > NULL)
{
NewSectionVO = AddNewSectionW(szExportFileName, szSectionName, ExporterEstimatedSize());
if(MapFileExW(szExportFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{
NewSectionFO = (DWORD)ConvertVAtoFileOffset(FileMapVA, NewSectionVO + (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_IMAGEBASE), true);
ReturnValue = ExporterBuildExportTable(NewSectionFO, FileMapVA);
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
if(ReturnValue)
{
return(true);
}
else
{
return(false);
}
}
else
{
return(false);
}
}
else
{
return(false);
}
}
__declspec(dllexport) bool TITCALL ExporterLoadExportTable(char* szFileName)
{
wchar_t uniFileName[MAX_PATH] = {};
if(szFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0])));
return(ExporterLoadExportTableW(uniFileName));
}
else
{
return(false);
}
}
__declspec(dllexport) bool TITCALL ExporterLoadExportTableW(wchar_t* szFileName)
{
unsigned int i = 0;
unsigned int j = 0;
unsigned int n = 0;
unsigned int x = 0;
bool ExportPresent = false;
PIMAGE_DOS_HEADER DOSHeader;
PIMAGE_NT_HEADERS32 PEHeader32;
PIMAGE_NT_HEADERS64 PEHeader64;
PIMAGE_EXPORT_DIRECTORY PEExports;
PEXPORTED_DATA ExportedFunctions;
PEXPORTED_DATA ExportedFunctionNames;
PEXPORTED_DATA_WORD ExportedFunctionOrdinals;
char* ExportName = NULL;
BOOL FileIs64;
HANDLE FileHandle;
DWORD FileSize;
HANDLE FileMap;
ULONG_PTR FileMapVA;
if(MapFileExW(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{
DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true))
{
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
if(PEHeader32->OptionalHeader.Magic == 0x10B)
{
FileIs64 = false;
}
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
{
FileIs64 = true;
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
if(!FileIs64)
{
if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress != NULL)
{
PEExports = (PIMAGE_EXPORT_DIRECTORY)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + PEHeader32->OptionalHeader.ImageBase), true));
ExportedFunctions = (PEXPORTED_DATA)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEExports->AddressOfFunctions + PEHeader32->OptionalHeader.ImageBase), true));
ExporterInit(50 * 1024, (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, PEExports->Base, NULL);
ExportPresent = true;
}
}
else
{
if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress != NULL)
{
PEExports = (PIMAGE_EXPORT_DIRECTORY)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + PEHeader64->OptionalHeader.ImageBase), true));
ExportedFunctions = (PEXPORTED_DATA)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEExports->AddressOfFunctions + PEHeader64->OptionalHeader.ImageBase), true));
ExporterInit(50 * 1024, (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, PEExports->Base, NULL);
ExportPresent = true;
}
}
if(ExportPresent)
{
for(n = 0; n <= PEExports->NumberOfNames; n++)
{
ExportPresent = false;
x = n;
if(!FileIs64)
{
ExportedFunctionNames = (PEXPORTED_DATA)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEExports->AddressOfNames + PEHeader32->OptionalHeader.ImageBase), true));
ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEExports->AddressOfNameOrdinals + PEHeader32->OptionalHeader.ImageBase), true));
}
else
{
ExportedFunctionNames = (PEXPORTED_DATA)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEExports->AddressOfNames + PEHeader64->OptionalHeader.ImageBase), true));
ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEExports->AddressOfNameOrdinals + PEHeader64->OptionalHeader.ImageBase), true));
}
for(j = 0; j <= PEExports->NumberOfNames; j++)
{
if(ExportedFunctionOrdinals->OrdinalNumber != x)
{
ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)((ULONG_PTR)ExportedFunctionOrdinals + 2);
}
else
{
ExportPresent = true;
break;
}
}
if(ExportPresent)
{
ExportedFunctionNames = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctionNames + j * 4);
if(!FileIs64)
{
ExportName = (char*)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(ExportedFunctionNames->ExportedItem + PEHeader32->OptionalHeader.ImageBase), true));
}
else
{
ExportName = (char*)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(ExportedFunctionNames->ExportedItem + PEHeader64->OptionalHeader.ImageBase), true));
}
ExporterAddNewExport(ExportName, ExportedFunctions->ExportedItem);
}
ExportedFunctions = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctions + 4);
}
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(true);
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
}
else
{
return(false);
}
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
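Review bot: ExporterAddNewExport writes slot `expExportNumber` of the 1000-entry static arrays and copies the name to `expTableDataCWP` without checking the entry count or the space left in the buffer that ExporterInit allocated. Both are driven by the file being processed: ExporterLoadExportTableW iterates up to `PEExports->NumberOfNames`, and the gap-filling loop in ExporterAddNewOrdinalExport runs up to the `OrdinalNumber` it is given, so a malformed PE can push writes past the arrays and past the table buffer. I would record `MemorySize` in ExporterInit and have ExporterAddNewExport return false once either limit is reached, as sketched below. The ordinal loop and ExporterLoadExportTableW should then stop on a false return instead of ignoring it.

```cpp
static DWORD expTableDataSize = 0; // bytes committed for expTableData

// in ExporterInit, next to the VirtualAlloc call:
expTableDataSize = (expTableData != NULL) ? MemorySize : 0;

__declspec(dllexport) bool TITCALL ExporterAddNewExport(char* szExportName, DWORD ExportRelativeAddress)
{
    // … unchanged: locals, NULL checks, duplicate-hash scan …
    SIZE_T NameLength = lstrlenA(szExportName);
    SIZE_T UsedBytes = (ULONG_PTR)expTableDataCWP - (ULONG_PTR)expTableData;
    if(expExportNumber >= sizeof(expExportAddress) / sizeof(expExportAddress[0]))
    {
        return(false); // static tables are full
    }
    if(UsedBytes > expTableDataSize || NameLength + 2 > expTableDataSize - UsedBytes)
    {
        return(false); // name would not fit in the committed buffer
    }
    // … unchanged: store address/name pointer/hash/ordinal, copy name, advance expTableDataCWP …
```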



@ -0,0 +1,746 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Mapping.h"
#include "Global.Engine.h"
#include "Global.Librarian.h"
#include "scylla_wrapper.h"
#include <psapi.h>
// TitanEngine.Importer.functions:
__declspec(dllexport) void TITCALL ImporterAddNewDll(char* szDLLName, ULONG_PTR FirstThunk)
{
wchar_t uniDLLName[MAX_PATH] = {};
MultiByteToWideChar(CP_ACP, NULL, szDLLName, lstrlenA(szDLLName)+1, uniDLLName, sizeof(uniDLLName)/(sizeof(uniDLLName[0])));
scylla_addModule(uniDLLName, FirstThunk);
}
__declspec(dllexport) void TITCALL ImporterAddNewAPI(char* szAPIName, ULONG_PTR ThunkValue)
{
wchar_t uniAPIName[MAX_PATH] = {};
MultiByteToWideChar(CP_ACP, NULL, szAPIName, lstrlenA(szAPIName)+1, uniAPIName, sizeof(uniAPIName)/(sizeof(uniAPIName[0])));
scylla_addImport(uniAPIName, ThunkValue);
}
__declspec(dllexport) void TITCALL ImporterAddNewOrdinalAPI(ULONG_PTR OrdinalNumber, ULONG_PTR ThunkValue)
{
if(OrdinalNumber & IMAGE_ORDINAL_FLAG)
{
OrdinalNumber = OrdinalNumber ^ IMAGE_ORDINAL_FLAG;
ImporterAddNewAPI((char*)OrdinalNumber, ThunkValue);
}
else
{
ImporterAddNewAPI((char*)OrdinalNumber, ThunkValue);
}
}
__declspec(dllexport) long TITCALL ImporterGetAddedDllCount()
{
return scylla_getModuleCount();
}
__declspec(dllexport) long TITCALL ImporterGetAddedAPICount()
{
return scylla_getImportCount();
}
__declspec(dllexport) bool TITCALL ImporterExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA, HANDLE hFileMap)
{
if(scylla_fixMappedDump(StorePlace, FileMapVA, hFileMap) != SCY_ERROR_SUCCESS)
{
return false;
}
return true;
}
__declspec(dllexport) long TITCALL ImporterEstimatedSize()
{
return scylla_estimatedIATSize();
}
__declspec(dllexport) bool TITCALL ImporterExportIATEx(char* szDumpFileName, char* szExportFileName, char* szSectionName)
{
wchar_t uniExportFileName[MAX_PATH] = {};
wchar_t uniDumpFileName[MAX_PATH] = {};
wchar_t uniSectionName[MAX_PATH] = {};
if(szExportFileName != NULL && szDumpFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szExportFileName, lstrlenA(szExportFileName)+1, uniExportFileName, sizeof(uniExportFileName)/(sizeof(uniExportFileName[0])));
MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, lstrlenA(szDumpFileName)+1, uniDumpFileName, sizeof(uniDumpFileName)/(sizeof(uniDumpFileName[0])));
MultiByteToWideChar(CP_ACP, NULL, szSectionName, lstrlenA(szSectionName)+1, uniSectionName, sizeof(uniSectionName)/(sizeof(uniSectionName[0])));
return(ImporterExportIATExW(uniDumpFileName, uniExportFileName, uniSectionName));
}
else
{
return(false);
}
}
__declspec(dllexport) bool TITCALL ImporterExportIATExW(wchar_t* szDumpFileName, wchar_t* szExportFileName, wchar_t* szSectionName)
{
if(scylla_fixDump(szDumpFileName, szExportFileName, szSectionName) != SCY_ERROR_SUCCESS)
{
return false;
}
return true;
}
__declspec(dllexport) long long TITCALL ImporterFindAPIWriteLocation(char* szAPIName)
{
return(scylla_findImportWriteLocation(szAPIName));
}
__declspec(dllexport) long long TITCALL ImporterFindOrdinalAPIWriteLocation(ULONG_PTR OrdinalNumber)
{
return(scylla_findOrdinalImportWriteLocation(OrdinalNumber));
}
__declspec(dllexport) long long TITCALL ImporterFindAPIByWriteLocation(ULONG_PTR APIWriteLocation)
{
return(scylla_findImportNameByWriteLocation(APIWriteLocation));
}
__declspec(dllexport) long long TITCALL ImporterFindDLLByWriteLocation(ULONG_PTR APIWriteLocation)
{
return scylla_findModuleNameByWriteLocation(APIWriteLocation);
}
__declspec(dllexport) void* TITCALL ImporterGetDLLName(ULONG_PTR APIAddress)
{
return((LPVOID)EngineGlobalAPIHandler(NULL, NULL, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_DLLNAME));
}
__declspec(dllexport) void* TITCALL ImporterGetAPIName(ULONG_PTR APIAddress)
{
return((LPVOID)EngineGlobalAPIHandler(NULL, NULL, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_APINAME));
}
__declspec(dllexport) long long TITCALL ImporterGetAPIOrdinalNumber(ULONG_PTR APIAddress)
{
return((long)EngineGlobalAPIHandler(NULL, NULL, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_API_ORDINAL_NUMBER));
}
__declspec(dllexport) void* TITCALL ImporterGetAPINameEx(ULONG_PTR APIAddress, ULONG_PTR DLLBasesList)
{
return((LPVOID)EngineGlobalAPIHandler(NULL, DLLBasesList, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_APINAME));
}
__declspec(dllexport) long long TITCALL ImporterGetRemoteAPIAddress(HANDLE hProcess, ULONG_PTR APIAddress)
{
return((ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, APIAddress, NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS));
}
__declspec(dllexport) long long TITCALL ImporterGetRemoteAPIAddressEx(char* szDLLName, char* szAPIName)
{
int i = 0;
int j = 0;
char szAnsiLibraryName[MAX_PATH];
PLIBRARY_ITEM_DATAW hListLibraryPtr = NULL;
ULONG_PTR APIFoundAddress = 0;
PIMAGE_DOS_HEADER DOSHeader;
PIMAGE_NT_HEADERS32 PEHeader32;
PIMAGE_NT_HEADERS64 PEHeader64;
PIMAGE_EXPORT_DIRECTORY PEExports;
PEXPORTED_DATA ExportedFunctions;
PEXPORTED_DATA ExportedFunctionNames;
PEXPORTED_DATA_WORD ExportedFunctionOrdinals;
bool FileIs64 = false;
hListLibraryPtr = (PLIBRARY_ITEM_DATAW)hListLibrary;
if(hListLibraryPtr != NULL)
{
while(hListLibraryPtr->hFile != NULL)
{
WideCharToMultiByte(CP_ACP, NULL, hListLibraryPtr->szLibraryName, -1, szAnsiLibraryName, sizeof szAnsiLibraryName, NULL, NULL);
if(lstrcmpiA(szAnsiLibraryName, szDLLName) == NULL)
{
__try
{
DOSHeader = (PIMAGE_DOS_HEADER)hListLibraryPtr->hFileMappingView;
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
if(PEHeader32->OptionalHeader.Magic == 0x10B)
{
FileIs64 = false;
}
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
{
FileIs64 = true;
}
else
{
return(NULL);
}
if(!FileIs64)
{
PEExports = (PIMAGE_EXPORT_DIRECTORY)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress, true, true));
ExportedFunctions = (PEXPORTED_DATA)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, PEExports->AddressOfFunctions, true, true));
ExportedFunctionNames = (PEXPORTED_DATA)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, PEExports->AddressOfNames, true, true));
ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, PEExports->AddressOfNameOrdinals, true, true));
}
else
{
PEExports = (PIMAGE_EXPORT_DIRECTORY)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress, true, true));
ExportedFunctions = (PEXPORTED_DATA)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, PEExports->AddressOfFunctions, true, true));
ExportedFunctionNames = (PEXPORTED_DATA)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, PEExports->AddressOfNames, true, true));
ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, PEExports->AddressOfNameOrdinals, true, true));
}
for(j = 0; j <= (int)PEExports->NumberOfNames; j++)
{
if(!FileIs64)
{
if(lstrcmpiA((LPCSTR)szAPIName, (LPCSTR)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, ExportedFunctionNames->ExportedItem, true, true))) == NULL)
{
ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)((ULONG_PTR)ExportedFunctionOrdinals + j * 2);
ExportedFunctions = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctions + (ExportedFunctionOrdinals->OrdinalNumber) * 4);
APIFoundAddress = ExportedFunctions->ExportedItem + (ULONG_PTR)hListLibraryPtr->BaseOfDll;
return((ULONG_PTR)APIFoundAddress);
}
}
else
{
if(lstrcmpiA((LPCSTR)szAPIName, (LPCSTR)((ULONG_PTR)ConvertVAtoFileOffsetEx((ULONG_PTR)hListLibraryPtr->hFileMappingView, GetFileSize(hListLibraryPtr->hFile, NULL), (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, ExportedFunctionNames->ExportedItem, true, true))) == NULL)
{
ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)((ULONG_PTR)ExportedFunctionOrdinals + j * 2);
ExportedFunctions = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctions + (ExportedFunctionOrdinals->OrdinalNumber) * 4);
APIFoundAddress = ExportedFunctions->ExportedItem + (ULONG_PTR)hListLibraryPtr->BaseOfDll;
return((ULONG_PTR)APIFoundAddress);
}
}
ExportedFunctionNames = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctionNames + 4);
}
return(NULL);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
return(NULL);
}
}
hListLibraryPtr = (PLIBRARY_ITEM_DATAW)((ULONG_PTR)hListLibraryPtr + sizeof LIBRARY_ITEM_DATAW);
}
}
return(NULL);
}
__declspec(dllexport) long long TITCALL ImporterGetLocalAPIAddress(HANDLE hProcess, ULONG_PTR APIAddress)
{
return((ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, APIAddress, NULL, UE_OPTION_IMPORTER_REALIGN_LOCAL_APIADDRESS));
}
__declspec(dllexport) void* TITCALL ImporterGetDLLNameFromDebugee(HANDLE hProcess, ULONG_PTR APIAddress)
{
return((LPVOID)EngineGlobalAPIHandler(hProcess, NULL, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_DLLNAME));
}
__declspec(dllexport) void* TITCALL ImporterGetAPINameFromDebugee(HANDLE hProcess, ULONG_PTR APIAddress)
{
return((LPVOID)EngineGlobalAPIHandler(hProcess, NULL, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_APINAME));
}
__declspec(dllexport) long long TITCALL ImporterGetAPIOrdinalNumberFromDebugee(HANDLE hProcess, ULONG_PTR APIAddress)
{
return((long)EngineGlobalAPIHandler(hProcess, NULL, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_API_ORDINAL_NUMBER));
}
__declspec(dllexport) long TITCALL ImporterGetDLLIndexEx(ULONG_PTR APIAddress, ULONG_PTR DLLBasesList)
{
return((DWORD)EngineGlobalAPIHandler(NULL, DLLBasesList, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_DLLINDEX));
}
__declspec(dllexport) long TITCALL ImporterGetDLLIndex(HANDLE hProcess, ULONG_PTR APIAddress, ULONG_PTR DLLBasesList)
{
return((DWORD)EngineGlobalAPIHandler(hProcess, DLLBasesList, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_DLLINDEX));
}
__declspec(dllexport) long long TITCALL ImporterGetRemoteDLLBase(HANDLE hProcess, HMODULE LocalModuleBase)
{
return((ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)LocalModuleBase, NULL, UE_OPTION_IMPORTER_RETURN_DLLBASE));
}
__declspec(dllexport) long long TITCALL ImporterGetRemoteDLLBaseEx(HANDLE hProcess, char* szModuleName)
{
int i = 1;
DWORD Dummy = NULL;
ULONG_PTR EnumeratedModules[0x2000];
char RemoteDLLName[MAX_PATH];
if(EnumProcessModules(hProcess, (HMODULE*)EnumeratedModules, 0x2000, &Dummy))
{
RtlZeroMemory(&RemoteDLLName, MAX_PATH);
while(EnumeratedModules[i] != NULL)
{
if(GetModuleBaseNameA(hProcess, (HMODULE)EnumeratedModules[i], (LPSTR)RemoteDLLName, MAX_PATH) > NULL)
{
if(lstrcmpiA((LPCSTR)RemoteDLLName, (LPCSTR)szModuleName))
{
return((ULONG_PTR)EnumeratedModules[i]);
}
}
i++;
}
}
return(NULL);
}
__declspec(dllexport) bool TITCALL ImporterIsForwardedAPI(HANDLE hProcess, ULONG_PTR APIAddress)
{
if((ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_FORWARDER_DLLINDEX) > NULL)
{
return(true);
}
else
{
return(false);
}
}
__declspec(dllexport) void* TITCALL ImporterGetForwardedAPIName(HANDLE hProcess, ULONG_PTR APIAddress)
{
return((LPVOID)EngineGlobalAPIHandler(hProcess, NULL, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_FORWARDER_APINAME));
}
__declspec(dllexport) void* TITCALL ImporterGetForwardedDLLName(HANDLE hProcess, ULONG_PTR APIAddress)
{
return((LPVOID)EngineGlobalAPIHandler(hProcess, NULL, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_FORWARDER_DLLNAME));
}
__declspec(dllexport) long TITCALL ImporterGetForwardedDLLIndex(HANDLE hProcess, ULONG_PTR APIAddress, ULONG_PTR DLLBasesList)
{
return((DWORD)EngineGlobalAPIHandler(hProcess, NULL, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_FORWARDER_DLLINDEX));
}
__declspec(dllexport) long long TITCALL ImporterGetForwardedAPIOrdinalNumber(HANDLE hProcess, ULONG_PTR APIAddress)
{
return((DWORD)EngineGlobalAPIHandler(hProcess, NULL, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_FORWARDER_API_ORDINAL_NUMBER));
}
__declspec(dllexport) long long TITCALL ImporterGetNearestAPIAddress(HANDLE hProcess, ULONG_PTR APIAddress)
{
return((ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_NEAREST_APIADDRESS));
}
__declspec(dllexport) void* TITCALL ImporterGetNearestAPIName(HANDLE hProcess, ULONG_PTR APIAddress)
{
return((LPVOID)EngineGlobalAPIHandler(hProcess, NULL, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_NEAREST_APINAME));
}
__declspec(dllexport) bool TITCALL ImporterCopyOriginalIAT(char* szOriginalFile, char* szDumpFile)
{
wchar_t uniDumpFile[MAX_PATH] = {};
wchar_t uniOriginalFile[MAX_PATH] = {};
if(szOriginalFile != NULL && szDumpFile != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szDumpFile, lstrlenA(szDumpFile)+1, uniDumpFile, sizeof(uniDumpFile)/(sizeof(uniDumpFile[0])));
MultiByteToWideChar(CP_ACP, NULL, szOriginalFile, lstrlenA(szOriginalFile)+1, uniOriginalFile, sizeof(uniOriginalFile)/(sizeof(uniOriginalFile[0])));
return(ImporterCopyOriginalIATW(uniOriginalFile, uniDumpFile));
}
else
{
return(false);
}
}
__declspec(dllexport) bool TITCALL ImporterCopyOriginalIATW(wchar_t* szOriginalFile, wchar_t* szDumpFile)
{
PIMAGE_DOS_HEADER DOSHeader;
PIMAGE_NT_HEADERS32 PEHeader32;
PIMAGE_NT_HEADERS64 PEHeader64;
BOOL FileIs64;
HANDLE FileHandle=0;
DWORD FileSize;
HANDLE FileMap=0;
ULONG_PTR FileMapVA;
HANDLE FileHandle1=0;
DWORD FileSize1;
HANDLE FileMap1=0;
ULONG_PTR FileMapVA1;
ULONG_PTR IATPointer;
ULONG_PTR IATWritePointer;
ULONG_PTR IATCopyStart;
DWORD IATSection;
DWORD IATCopySize;
DWORD IATHeaderData;
if(MapFileExW(szOriginalFile, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{
if(MapFileExW(szDumpFile, UE_ACCESS_ALL, &FileHandle1, &FileSize1, &FileMap1, &FileMapVA1, NULL))
{
DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true))
{
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
if(PEHeader32->OptionalHeader.Magic == 0x10B)
{
FileIs64 = false;
}
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
{
FileIs64 = true;
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
UnMapFileEx(FileHandle1, FileSize1, FileMap1, FileMapVA1);
return(false);
}
if(!FileIs64)
{
IATPointer = (ULONG_PTR)(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + PEHeader32->OptionalHeader.ImageBase);
}
else
{
IATPointer = (ULONG_PTR)(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + PEHeader64->OptionalHeader.ImageBase);
}
IATSection = GetPE32SectionNumberFromVA(FileMapVA, IATPointer);
IATPointer = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, IATPointer, true);
if((int)IATSection >= NULL)
{
IATWritePointer = (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA1, IATSection, UE_SECTIONRAWOFFSET) + FileMapVA1;
IATCopyStart = (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, IATSection, UE_SECTIONRAWOFFSET) + FileMapVA;
IATCopySize = (DWORD)GetPE32DataFromMappedFile(FileMapVA1, IATSection, UE_SECTIONRAWSIZE);
__try
{
RtlMoveMemory((LPVOID)IATWritePointer, (LPVOID)IATCopyStart, IATCopySize);
IATHeaderData = (DWORD)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_IMPORTTABLEADDRESS);
SetPE32DataForMappedFile(FileMapVA1, NULL, UE_IMPORTTABLEADDRESS, (ULONG_PTR)IATHeaderData);
IATHeaderData = (DWORD)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_IMPORTTABLESIZE);
SetPE32DataForMappedFile(FileMapVA1, NULL, UE_IMPORTTABLESIZE, (ULONG_PTR)IATHeaderData);
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
UnMapFileEx(FileHandle1, FileSize1, FileMap1, FileMapVA1);
return(true);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
UnMapFileEx(FileHandle1, FileSize1, FileMap1, FileMapVA1);
return(false);
}
}
}
UnMapFileEx(FileHandle1, FileSize1, FileMap1, FileMapVA1);
}
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
}
return(false);
}
__declspec(dllexport) bool TITCALL ImporterLoadImportTable(char* szFileName)
{
wchar_t uniFileName[MAX_PATH] = {};
if(szFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0])));
return(ImporterLoadImportTableW(uniFileName));
}
else
{
return(false);
}
}
__declspec(dllexport) bool TITCALL ImporterLoadImportTableW(wchar_t* szFileName)
{
//TODO scylla enable
return false;
/*
PIMAGE_DOS_HEADER DOSHeader;
PIMAGE_NT_HEADERS32 PEHeader32;
PIMAGE_NT_HEADERS64 PEHeader64;
PIMAGE_IMPORT_DESCRIPTOR ImportIID;
PIMAGE_THUNK_DATA32 ThunkData32;
PIMAGE_THUNK_DATA64 ThunkData64;
ULONG_PTR CurrentThunk;
BOOL FileIs64;
HANDLE FileHandle;
DWORD FileSize;
HANDLE FileMap;
ULONG_PTR FileMapVA;
if(MapFileExW(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{
DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true))
{
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
if(PEHeader32->OptionalHeader.Magic == 0x10B)
{
FileIs64 = false;
}
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
{
FileIs64 = true;
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
if(!FileIs64)
{
if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress != NULL)
{
ImporterInit(MAX_IMPORT_ALLOC, (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase);
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + PEHeader32->OptionalHeader.ImageBase), true);
__try
{
while(ImportIID->FirstThunk != NULL)
{
ImporterAddNewDll((char*)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)((ULONG_PTR)ImportIID->Name + PEHeader32->OptionalHeader.ImageBase), true), NULL);
if(ImportIID->OriginalFirstThunk != NULL)
{
ThunkData32 = (PIMAGE_THUNK_DATA32)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)((ULONG_PTR)ImportIID->OriginalFirstThunk + PEHeader32->OptionalHeader.ImageBase), true);
CurrentThunk = (ULONG_PTR)ImportIID->FirstThunk;
}
else
{
ThunkData32 = (PIMAGE_THUNK_DATA32)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)((ULONG_PTR)ImportIID->FirstThunk + PEHeader32->OptionalHeader.ImageBase), true);
CurrentThunk = (ULONG_PTR)ImportIID->FirstThunk;
}
while(ThunkData32->u1.AddressOfData != NULL)
{
if(ThunkData32->u1.Ordinal & IMAGE_ORDINAL_FLAG32)
{
ImporterAddNewAPI((char*)(ThunkData32->u1.Ordinal ^ IMAGE_ORDINAL_FLAG32), (ULONG_PTR)CurrentThunk + PEHeader32->OptionalHeader.ImageBase);
}
else
{
ImporterAddNewAPI((char*)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)((ULONG_PTR)ThunkData32->u1.AddressOfData + 2 + PEHeader32->OptionalHeader.ImageBase), true), (ULONG_PTR)CurrentThunk + PEHeader32->OptionalHeader.ImageBase);
}
CurrentThunk = CurrentThunk + 4;
ThunkData32 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ThunkData32 + sizeof IMAGE_THUNK_DATA32);
}
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof IMAGE_IMPORT_DESCRIPTOR);
}
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(true);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
ImporterCleanup();
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
}
}
else
{
if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress != NULL)
{
ImporterInit(MAX_IMPORT_ALLOC, (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase);
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + PEHeader64->OptionalHeader.ImageBase), true);
__try
{
while(ImportIID->FirstThunk != NULL)
{
ImporterAddNewDll((char*)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)((ULONG_PTR)ImportIID->Name + PEHeader64->OptionalHeader.ImageBase), true), NULL);
if(ImportIID->OriginalFirstThunk != NULL)
{
ThunkData64 = (PIMAGE_THUNK_DATA64)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)((ULONG_PTR)ImportIID->OriginalFirstThunk + PEHeader64->OptionalHeader.ImageBase), true);
CurrentThunk = (ULONG_PTR)ImportIID->OriginalFirstThunk;
}
else
{
ThunkData64 = (PIMAGE_THUNK_DATA64)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)((ULONG_PTR)ImportIID->FirstThunk + PEHeader64->OptionalHeader.ImageBase), true);
CurrentThunk = (ULONG_PTR)ImportIID->FirstThunk;
}
while(ThunkData64->u1.AddressOfData != NULL)
{
if(ThunkData64->u1.Ordinal & IMAGE_ORDINAL_FLAG64)
{
ImporterAddNewAPI((char*)(ThunkData64->u1.Ordinal ^ (ULONG_PTR)IMAGE_ORDINAL_FLAG64), (ULONG_PTR)CurrentThunk + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase);
}
else
{
ImporterAddNewAPI((char*)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)((ULONG_PTR)ThunkData64->u1.AddressOfData + 2 + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase), true), (ULONG_PTR)CurrentThunk + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase);
}
CurrentThunk = CurrentThunk + 8;
ThunkData64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ThunkData64 + sizeof IMAGE_THUNK_DATA64);
}
ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof IMAGE_IMPORT_DESCRIPTOR);
}
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(true);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
ImporterCleanup();
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
}
}
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
}
else
{
return(false);
}
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
*/
}
__declspec(dllexport) bool TITCALL ImporterMoveOriginalIAT(char* szOriginalFile, char* szDumpFile, char* szSectionName)
{
/*
if(ImporterLoadImportTable(szOriginalFile))
{
return(ImporterExportIATEx(szDumpFile, szSectionName));
}*/
return(false);
}
__declspec(dllexport) bool TITCALL ImporterMoveOriginalIATW(wchar_t* szOriginalFile, wchar_t* szDumpFile, char* szSectionName)
{
/*
if(ImporterLoadImportTableW(szOriginalFile))
{
return(ImporterExportIATExW(szDumpFile, szSectionName));
}*/
return(false);
}
__declspec(dllexport) void TITCALL ImporterAutoSearchIAT(DWORD ProcessId, char* szFileName, ULONG_PTR SearchStart, LPVOID pIATStart, LPVOID pIATSize)
{
wchar_t uniFileName[MAX_PATH] = {};
if(szFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0])));
return(ImporterAutoSearchIATW(ProcessId, uniFileName, SearchStart, pIATStart, pIATSize));
}
}
__declspec(dllexport) void TITCALL ImporterAutoSearchIATW(DWORD ProcessId, wchar_t* szFileName, ULONG_PTR SearchStart, LPVOID pIATStart, LPVOID pIATSize)
{
ULONG_PTR iatStart = NULL;
DWORD iatSize = NULL;
scylla_searchIAT(ProcessId, iatStart, iatSize, SearchStart, false);
//we also try to automatically read imports so following call to ExportIAT has a chance
if(iatStart != NULL && iatSize != NULL)
{
scylla_getImports(iatStart, iatSize, ProcessId);
}
RtlMoveMemory(pIATStart, &iatStart, sizeof ULONG_PTR);
RtlMoveMemory(pIATSize, &iatSize, sizeof ULONG_PTR);
return;
}
__declspec(dllexport) void TITCALL ImporterAutoSearchIATEx(DWORD ProcessId, ULONG_PTR ImageBase, ULONG_PTR SearchStart, LPVOID pIATStart, LPVOID pIATSize)
{
wchar_t szTempName[MAX_PATH];
wchar_t szTempFolder[MAX_PATH];
RtlZeroMemory(&szTempName, sizeof szTempName);
RtlZeroMemory(&szTempFolder, sizeof szTempFolder);
if(GetTempPathW(MAX_PATH, szTempFolder) < MAX_PATH)
{
if(GetTempFileNameW(szTempFolder, L"DumpTemp", GetTickCount() + 102, szTempName))
{
HANDLE hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
DumpProcessW(hProcess, (LPVOID)ImageBase, szTempName, NULL);
ImporterAutoSearchIATW(ProcessId, szTempName, SearchStart, pIATStart, pIATSize);
DeleteFileW(szTempName);
}
}
}
__declspec(dllexport) void TITCALL ImporterEnumAddedData(LPVOID EnumCallBack)
{
return scylla_enumImportTree(EnumCallBack);
}
__declspec(dllexport) long TITCALL ImporterAutoFixIATEx(DWORD ProcessId, char* szDumpedFile, char* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR ImageBase, ULONG_PTR SearchStart, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback)
{
wchar_t uniDumpedFile[MAX_PATH] = {};
wchar_t uniSectionName[MAX_PATH] = {};
if(szDumpedFile != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szDumpedFile, lstrlenA(szDumpedFile)+1, uniDumpedFile, sizeof(uniDumpedFile)/(sizeof(uniDumpedFile[0])));
MultiByteToWideChar(CP_ACP, NULL, szSectionName, lstrlenA(szSectionName)+1, uniSectionName, sizeof(uniSectionName)/(sizeof(uniSectionName[0])));
return(ImporterAutoFixIATExW(ProcessId, uniDumpedFile, uniSectionName, DumpRunningProcess, RealignFile, EntryPointAddress, ImageBase, SearchStart, TryAutoFix, FixEliminations, UnknownPointerFixCallback));
}
else
{
return(NULL); // Critical error! *just to be safe, but it should never happen!
}
}
__declspec(dllexport) long TITCALL ImporterAutoFixIATExW(DWORD ProcessId, wchar_t* szDumpedFile, wchar_t* szSectionName, bool DumpRunningProcess, bool RealignFile, ULONG_PTR EntryPointAddress, ULONG_PTR ImageBase, ULONG_PTR SearchStart, bool TryAutoFix, bool FixEliminations, LPVOID UnknownPointerFixCallback)
{
HANDLE FileHandle;
DWORD FileSize;
HANDLE FileMap;
ULONG_PTR FileMapVA;
ULONG_PTR iatStart = NULL;
DWORD iatSize = NULL;
WCHAR IatFixFileName[MAX_PATH];
WCHAR DumpFileName[MAX_PATH];
lstrcpyW(DumpFileName, szDumpedFile);
WCHAR* Extension = wcsrchr(DumpFileName, L'.');
WCHAR Bak = *Extension;
*Extension = 0;
lstrcpyW(IatFixFileName, DumpFileName);
*Extension = Bak;
lstrcatW(IatFixFileName, L"_scy");
lstrcatW(IatFixFileName, Extension);
lstrcatW(DumpFileName, Extension);
//do we need to dump first?
if(DumpRunningProcess)
{
HANDLE hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
if(!DumpProcessW(hProcess, (LPVOID)ImageBase, szDumpedFile, EntryPointAddress))
{
return(NULL); // Critical error! *just to be safe, but it should never happen!
}
}
//we need to fix iat, thats for sure
int ret = scylla_searchIAT(ProcessId, iatStart, iatSize, SearchStart, false);
if(ret != SCY_ERROR_SUCCESS)
{
if(ret == SCY_ERROR_PROCOPEN)
{
return (0x401); //error proc terminated
}
if(ret == SCY_ERROR_IATNOTFOUND || ret == SCY_ERROR_IATSEARCH)
{
return (0x405); //no API found
}
}
scylla_getImports(iatStart, iatSize, ProcessId, UnknownPointerFixCallback);
if(!scylla_importsValid())
{
return (0x405);
}
ret = scylla_fixDump(szDumpedFile, IatFixFileName, szSectionName);
if(ret == SCY_ERROR_IATWRITE)
{
return (0x407);
}
//do we need to realign ?
if(RealignFile)
{
if(MapFileExW(szDumpedFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{
FileSize = RealignPE(FileMapVA, FileSize, NULL);
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
}
else
{
return(0x406); // Success, but realign failed!
}
}
return(0x400); // Success!
}
__declspec(dllexport) long TITCALL ImporterAutoFixIAT(DWORD ProcessId, char* szDumpedFile, ULONG_PTR SearchStart)
{
return(ImporterAutoFixIATEx(ProcessId, szDumpedFile, ".RL!TEv2", false, false, NULL, NULL, SearchStart, false, false, NULL));
}
__declspec(dllexport) long TITCALL ImporterAutoFixIATW(DWORD ProcessId, wchar_t* szDumpedFile, ULONG_PTR SearchStart)
{
return(ImporterAutoFixIATExW(ProcessId, szDumpedFile, L".RL!TEv2", false, false, NULL, NULL, SearchStart, false, false, NULL));
}
__declspec(dllexport) bool TITCALL ImporterDeleteAPI(DWORD_PTR apiAddr)
{
return scylla_cutImport(apiAddr);
}


@ -0,0 +1,280 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Injector.h"
// TitanEngine.Injector.functions:
__declspec(dllexport) bool TITCALL RemoteLoadLibrary(HANDLE hProcess, char* szLibraryFile, bool WaitForThreadExit)
{
wchar_t uniLibraryFile[MAX_PATH] = {};
if(szLibraryFile != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szLibraryFile, lstrlenA(szLibraryFile)+1, uniLibraryFile, sizeof(uniLibraryFile)/(sizeof(uniLibraryFile[0])));
return(RemoteLoadLibraryW(hProcess, uniLibraryFile, WaitForThreadExit));
}
else
{
return(false);
}
}
__declspec(dllexport) bool TITCALL RemoteLoadLibraryW(HANDLE hProcess, wchar_t* szLibraryFile, bool WaitForThreadExit)
{
int i;
InjectCodeData APIData;
LPVOID remStringData;
LPVOID remCodeData;
ULONG_PTR remInjectSize = (ULONG_PTR)((ULONG_PTR)&injectedRemoteFreeLibrary - (ULONG_PTR)&injectedRemoteLoadLibrary);
#if !defined(_WIN64)
typedef NTSTATUS(WINAPI *fZwSetInformationThread)(HANDLE fThreadHandle, DWORD fThreadInfoClass, LPVOID fBuffer, ULONG fBufferSize);
#else
typedef NTSTATUS(__fastcall *fZwSetInformationThread)(HANDLE fThreadHandle, DWORD fThreadInfoClass, LPVOID fBuffer, ULONG fBufferSize);
#endif
LPVOID ZwSetInformationThread = (LPVOID)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwSetInformationThread");
fZwSetInformationThread cZwSetInformationThread = (fZwSetInformationThread)(ZwSetInformationThread);
ULONG_PTR NumberOfBytesWritten;
DWORD ThreadId;
HANDLE hThread;
DWORD ExitCode;
if(hProcess != NULL)
{
RtlZeroMemory(&APIData, sizeof InjectCodeData);
APIData.fLoadLibrary = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryW"));
APIData.fFreeLibrary = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "FreeLibrary"));
APIData.fGetModuleHandle = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetModuleHandleW"));
APIData.fGetProcAddress = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetProcAddress"));
APIData.fVirtualFree = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "VirtualFree"));
APIData.fExitProcess = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "ExitProcess"));
remCodeData = VirtualAllocEx(hProcess, NULL, remInjectSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
remStringData = VirtualAllocEx(hProcess, NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
if(WriteProcessMemory(hProcess, (LPVOID)((ULONG_PTR)remStringData + sizeof InjectCodeData), (LPCVOID)szLibraryFile, lstrlenW(szLibraryFile) * 2, &NumberOfBytesWritten))
{
WriteProcessMemory(hProcess, remStringData, &APIData, sizeof InjectCodeData, &NumberOfBytesWritten);
WriteProcessMemory(hProcess, remCodeData, (LPCVOID)&injectedRemoteLoadLibrary, remInjectSize, &NumberOfBytesWritten);
if(WaitForThreadExit)
{
hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)remCodeData, remStringData, CREATE_SUSPENDED, &ThreadId);
if(ZwSetInformationThread != NULL)
{
cZwSetInformationThread(hThread, 0x11, NULL, NULL);
}
ResumeThread(hThread);
WaitForSingleObject(hThread, INFINITE);
VirtualFreeEx(hProcess, remCodeData, NULL, MEM_RELEASE);
VirtualFreeEx(hProcess, remStringData, NULL, MEM_RELEASE);
if(GetExitCodeThread(hThread, &ExitCode))
{
if(ExitCode == NULL)
{
return(false);
}
}
}
else
{
hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)remCodeData, remStringData, NULL, &ThreadId);
for(i = 0; i < UE_MAX_RESERVED_MEMORY_LEFT; i++)
{
if(engineReservedMemoryLeft[i] == NULL)
{
break;
}
}
engineReservedMemoryLeft[i] = (ULONG_PTR)remCodeData;
engineReservedMemoryProcess = hProcess;
ThreaderSetCallBackForNextExitThreadEvent((LPVOID)&injectedTerminator);
}
return(true);
}
else
{
VirtualFreeEx(hProcess, remCodeData, NULL, MEM_RELEASE);
VirtualFreeEx(hProcess, remStringData, NULL, MEM_RELEASE);
}
}
return(false);
}
__declspec(dllexport) bool TITCALL RemoteFreeLibrary(HANDLE hProcess, HMODULE hModule, char* szLibraryFile, bool WaitForThreadExit)
{
wchar_t uniLibraryFile[MAX_PATH] = {};
if(szLibraryFile != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szLibraryFile, lstrlenA(szLibraryFile)+1, uniLibraryFile, sizeof(uniLibraryFile)/(sizeof(uniLibraryFile[0])));
return(RemoteFreeLibraryW(hProcess, hModule, uniLibraryFile, WaitForThreadExit));
}
else
{
return(false);
}
}
__declspec(dllexport) bool TITCALL RemoteFreeLibraryW(HANDLE hProcess, HMODULE hModule, wchar_t* szLibraryFile, bool WaitForThreadExit)
{
int i;
InjectCodeData APIData;
LPVOID remStringData;
LPVOID remCodeData;
ULONG_PTR remInjectSize1 = (ULONG_PTR)((ULONG_PTR)&injectedExitProcess - (ULONG_PTR)&injectedRemoteFreeLibrarySimple);
ULONG_PTR remInjectSize2 = (ULONG_PTR)((ULONG_PTR)&injectedRemoteFreeLibrarySimple - (ULONG_PTR)&injectedRemoteFreeLibrary);
#if !defined(_WIN64)
typedef NTSTATUS(WINAPI *fZwSetInformationThread)(HANDLE fThreadHandle, DWORD fThreadInfoClass, LPVOID fBuffer, ULONG fBufferSize);
#else
typedef NTSTATUS(__fastcall *fZwSetInformationThread)(HANDLE fThreadHandle, DWORD fThreadInfoClass, LPVOID fBuffer, ULONG fBufferSize);
#endif
LPVOID ZwSetInformationThread = (LPVOID)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwSetInformationThread");
fZwSetInformationThread cZwSetInformationThread = (fZwSetInformationThread)(ZwSetInformationThread);
ULONG_PTR NumberOfBytesWritten;
DWORD ThreadId;
HANDLE hThread;
DWORD ExitCode;
if(hProcess != NULL)
{
RtlZeroMemory(&APIData, sizeof InjectCodeData);
APIData.fLoadLibrary = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryW"));
APIData.fFreeLibrary = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "FreeLibrary"));
APIData.fGetModuleHandle = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetModuleHandleW"));
APIData.fGetProcAddress = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetProcAddress"));
APIData.fVirtualFree = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "VirtualFree"));
APIData.fExitProcess = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "ExitProcess"));
APIData.fFreeLibraryHandle = hModule;
remCodeData = VirtualAllocEx(hProcess, NULL, remInjectSize1, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if(hModule == NULL)
{
remStringData = VirtualAllocEx(hProcess, NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
if(WriteProcessMemory(hProcess, (LPVOID)((ULONG_PTR)remStringData + sizeof InjectCodeData), (LPCVOID)szLibraryFile, lstrlenW(szLibraryFile) * 2, &NumberOfBytesWritten))
{
WriteProcessMemory(hProcess, remStringData, &APIData, sizeof InjectCodeData, &NumberOfBytesWritten);
WriteProcessMemory(hProcess, remCodeData, (LPCVOID)&injectedRemoteFreeLibrarySimple, remInjectSize1, &NumberOfBytesWritten);
if(WaitForThreadExit)
{
hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)remCodeData, remStringData, CREATE_SUSPENDED, &ThreadId);
if(ZwSetInformationThread != NULL)
{
cZwSetInformationThread(hThread, 0x11, NULL, NULL);
}
ResumeThread(hThread);
WaitForSingleObject(hThread, INFINITE);
VirtualFreeEx(hProcess, remCodeData, NULL, MEM_RELEASE);
VirtualFreeEx(hProcess, remStringData, NULL, MEM_RELEASE);
if(GetExitCodeThread(hThread, &ExitCode))
{
if(ExitCode == NULL)
{
return(false);
}
}
}
else
{
hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)remCodeData, remStringData, NULL, &ThreadId);
for(i = 0; i < UE_MAX_RESERVED_MEMORY_LEFT; i++)
{
if(engineReservedMemoryLeft[i] == NULL)
{
break;
}
}
engineReservedMemoryLeft[i] = (ULONG_PTR)remCodeData;
engineReservedMemoryProcess = hProcess;
ThreaderSetCallBackForNextExitThreadEvent((LPVOID)&injectedTerminator);
}
return(true);
}
else
{
VirtualFreeEx(hProcess, remCodeData, NULL, MEM_RELEASE);
VirtualFreeEx(hProcess, remStringData, NULL, MEM_RELEASE);
}
}
else
{
remStringData = VirtualAllocEx(hProcess, NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
if(WriteProcessMemory(hProcess, remStringData, &APIData, sizeof InjectCodeData, &NumberOfBytesWritten))
{
WriteProcessMemory(hProcess, remCodeData, (LPCVOID)&injectedRemoteFreeLibrary, remInjectSize2, &NumberOfBytesWritten);
if(WaitForThreadExit)
{
hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)remCodeData, remStringData, CREATE_SUSPENDED, &ThreadId);
if(ZwSetInformationThread != NULL)
{
cZwSetInformationThread(hThread, 0x11, NULL, NULL);
}
ResumeThread(hThread);
WaitForSingleObject(hThread, INFINITE);
VirtualFreeEx(hProcess, remCodeData, NULL, MEM_RELEASE);
if(GetExitCodeThread(hThread, &ExitCode))
{
if(ExitCode == NULL)
{
return(false);
}
}
}
else
{
hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)remCodeData, remStringData, NULL, &ThreadId);
for(i = 0; i < UE_MAX_RESERVED_MEMORY_LEFT; i++)
{
if(engineReservedMemoryLeft[i] == NULL)
{
break;
}
}
engineReservedMemoryLeft[i] = (ULONG_PTR)remCodeData;
engineReservedMemoryProcess = hProcess;
ThreaderSetCallBackForNextExitThreadEvent((LPVOID)&injectedTerminator);
}
return(true);
}
else
{
VirtualFreeEx(hProcess, remCodeData, NULL, MEM_RELEASE);
VirtualFreeEx(hProcess, remStringData, NULL, MEM_RELEASE);
}
}
}
return(false);
}
__declspec(dllexport) bool TITCALL RemoteExitProcess(HANDLE hProcess, DWORD ExitCode)
{
InjectCodeData APIData;
LPVOID remCodeData;
LPVOID remStringData;
ULONG_PTR remInjectSize = (ULONG_PTR)((ULONG_PTR)&injectedTerminator - (ULONG_PTR)&injectedExitProcess);
ULONG_PTR NumberOfBytesWritten;
DWORD ThreadId;
HANDLE hThread;
if(hProcess != NULL)
{
RtlZeroMemory(&APIData, sizeof InjectCodeData);
APIData.fLoadLibrary = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA"));
APIData.fFreeLibrary = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "FreeLibrary"));
APIData.fGetModuleHandle = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetModuleHandleA"));
APIData.fGetProcAddress = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetProcAddress"));
APIData.fVirtualFree = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "VirtualFree"));
APIData.fExitProcess = (ULONG_PTR)ImporterGetRemoteAPIAddress(hProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "ExitProcess"));
APIData.fExitProcessCode = ExitCode;
remStringData = VirtualAllocEx(hProcess, NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
remCodeData = VirtualAllocEx(hProcess, NULL, remInjectSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if(WriteProcessMemory(hProcess, remCodeData, (LPCVOID)&injectedExitProcess, remInjectSize, &NumberOfBytesWritten))
{
WriteProcessMemory(hProcess, remStringData, &APIData, sizeof InjectCodeData, &NumberOfBytesWritten);
hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)remCodeData, remStringData, NULL, &ThreadId);
VirtualFreeEx(hProcess, remCodeData, NULL, MEM_RELEASE);
return(true);
}
else
{
VirtualFreeEx(hProcess, remCodeData, NULL, MEM_RELEASE);
VirtualFreeEx(hProcess, remStringData, NULL, MEM_RELEASE);
}
}
return(false);
}
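Review bot: In the non-waiting branches of RemoteLoadLibraryW and RemoteFreeLibraryW (both of its paths), the slot search over `engineReservedMemoryLeft` can finish with `i == UE_MAX_RESERVED_MEMORY_LEFT` when no entry is NULL, and the following `engineReservedMemoryLeft[i] = (ULONG_PTR)remCodeData;` then stores past what appears to be the end of the table (its declaration is outside this file section, so the size is inferred from the loop bound). Guard the store, for example `if(i < UE_MAX_RESERVED_MEMORY_LEFT) engineReservedMemoryLeft[i] = (ULONG_PTR)remCodeData;`, and decide explicitly what happens to the allocation when the table is full. In the same functions and in RemoteExitProcess the results of `VirtualAllocEx` and `CreateRemoteThread` are used without a NULL check, and `hThread` is never passed to `CloseHandle` anywhere in this file, so every call leaks a thread handle in the host process.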


@ -0,0 +1,216 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Librarian.h"
// TitanEngine.Librarian.functions:
__declspec(dllexport) bool TITCALL LibrarianSetBreakPoint(char* szLibraryName, DWORD bpxType, bool SingleShoot, LPVOID bpxCallBack)
{
int i = MAX_LIBRARY_BPX;
PLIBRARY_BREAK_DATA ptrLibrarianData = (PLIBRARY_BREAK_DATA)LibrarianData;
if(szLibraryName != NULL && ptrLibrarianData != NULL)
{
while(i > NULL && ptrLibrarianData->szLibraryName[0] != 0x00)
{
ptrLibrarianData = (PLIBRARY_BREAK_DATA)((ULONG_PTR)ptrLibrarianData + sizeof LIBRARY_BREAK_DATA);
i--;
}
lstrcpyA(&ptrLibrarianData->szLibraryName[0], szLibraryName);
ptrLibrarianData->bpxCallBack = bpxCallBack;
ptrLibrarianData->bpxSingleShoot = SingleShoot;
ptrLibrarianData->bpxType = bpxType;
return(true);
}
return(false);
}
__declspec(dllexport) bool TITCALL LibrarianRemoveBreakPoint(char* szLibraryName, DWORD bpxType)
{
int i = MAX_LIBRARY_BPX;
PLIBRARY_BREAK_DATA ptrLibrarianData = (PLIBRARY_BREAK_DATA)LibrarianData;
if(szLibraryName != NULL && ptrLibrarianData != NULL)
{
while(i > NULL)
{
if(ptrLibrarianData->szLibraryName[0] != 0x00)
{
if(lstrcmpiA(szLibraryName, ptrLibrarianData->szLibraryName) == NULL && (ptrLibrarianData->bpxType == bpxType || bpxType == UE_ON_LIB_ALL))
{
RtlZeroMemory(ptrLibrarianData, sizeof LIBRARY_BREAK_DATA);
}
}
ptrLibrarianData = (PLIBRARY_BREAK_DATA)((ULONG_PTR)ptrLibrarianData + sizeof LIBRARY_BREAK_DATA);
i--;
}
return(true);
}
return(false);
}
__declspec(dllexport) void* TITCALL LibrarianGetLibraryInfo(char* szLibraryName)
{
wchar_t uniLibraryName[MAX_PATH] = {};
PLIBRARY_ITEM_DATAW LibInfo;
if(szLibraryName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szLibraryName, lstrlenA(szLibraryName)+1, uniLibraryName, sizeof(uniLibraryName)/(sizeof(uniLibraryName[0])));
LibInfo = (PLIBRARY_ITEM_DATAW)LibrarianGetLibraryInfoW(uniLibraryName);
if(LibInfo != NULL)
{
RtlZeroMemory(&LibraryInfoData, sizeof LIBRARY_ITEM_DATA);
LibraryInfoData.hFile = LibInfo->hFile;
LibraryInfoData.BaseOfDll = LibInfo->BaseOfDll;
LibraryInfoData.hFileMapping = LibInfo->hFileMapping;
LibraryInfoData.hFileMappingView = LibInfo->hFileMappingView;
WideCharToMultiByte(CP_ACP, NULL, LibInfo->szLibraryName, -1, &LibraryInfoData.szLibraryName[0], sizeof LibraryInfoData.szLibraryName, NULL, NULL);
WideCharToMultiByte(CP_ACP, NULL, LibInfo->szLibraryPath, -1, &LibraryInfoData.szLibraryPath[0], sizeof LibraryInfoData.szLibraryPath, NULL, NULL);
return((void*)&LibraryInfoData);
}
else
{
return(NULL);
}
}
else
{
return(NULL);
}
}
__declspec(dllexport) void* TITCALL LibrarianGetLibraryInfoW(wchar_t* szLibraryName)
{
PLIBRARY_ITEM_DATAW hListLibraryPtr = NULL;
if(hListLibrary != NULL)
{
hListLibraryPtr = (PLIBRARY_ITEM_DATAW)hListLibrary;
while(hListLibraryPtr->hFile != NULL)
{
if(hListLibraryPtr->hFile != (HANDLE)-1)
{
if(lstrcmpiW(hListLibraryPtr->szLibraryName, szLibraryName) == NULL)
{
return((void*)hListLibraryPtr);
}
}
hListLibraryPtr = (PLIBRARY_ITEM_DATAW)((ULONG_PTR)hListLibraryPtr + sizeof LIBRARY_ITEM_DATAW);
}
}
return(NULL);
}
__declspec(dllexport) void* TITCALL LibrarianGetLibraryInfoEx(void* BaseOfDll)
{
PLIBRARY_ITEM_DATAW LibInfo;
LibInfo = (PLIBRARY_ITEM_DATAW)LibrarianGetLibraryInfoExW(BaseOfDll);
if(LibInfo != NULL)
{
RtlZeroMemory(&LibraryInfoData, sizeof LIBRARY_ITEM_DATA);
LibraryInfoData.hFile = LibInfo->hFile;
LibraryInfoData.BaseOfDll = LibInfo->BaseOfDll;
LibraryInfoData.hFileMapping = LibInfo->hFileMapping;
LibraryInfoData.hFileMappingView = LibInfo->hFileMappingView;
WideCharToMultiByte(CP_ACP, NULL, LibInfo->szLibraryName, -1, &LibraryInfoData.szLibraryName[0], sizeof LibraryInfoData.szLibraryName, NULL, NULL);
WideCharToMultiByte(CP_ACP, NULL, LibInfo->szLibraryPath, -1, &LibraryInfoData.szLibraryPath[0], sizeof LibraryInfoData.szLibraryPath, NULL, NULL);
return((void*)&LibraryInfoData);
}
else
{
return(NULL);
}
}
__declspec(dllexport) void* TITCALL LibrarianGetLibraryInfoExW(void* BaseOfDll)
{
PLIBRARY_ITEM_DATAW hListLibraryPtr = NULL;
if(hListLibrary != NULL)
{
hListLibraryPtr = (PLIBRARY_ITEM_DATAW)hListLibrary;
while(hListLibraryPtr->hFile != NULL)
{
if(hListLibraryPtr->hFile != (HANDLE)-1)
{
if(hListLibraryPtr->BaseOfDll == BaseOfDll)
{
return((void*)hListLibraryPtr);
}
}
hListLibraryPtr = (PLIBRARY_ITEM_DATAW)((ULONG_PTR)hListLibraryPtr + sizeof LIBRARY_ITEM_DATAW);
}
}
return(NULL);
}
__declspec(dllexport) void TITCALL LibrarianEnumLibraryInfo(void* EnumCallBack)
{
PLIBRARY_ITEM_DATAW hListLibraryPtr = NULL;
typedef void(TITCALL *fEnumCallBack)(LPVOID fLibraryDetail);
fEnumCallBack myEnumCallBack = (fEnumCallBack)EnumCallBack;
if(hListLibrary != NULL)
{
hListLibraryPtr = (PLIBRARY_ITEM_DATAW)hListLibrary;
while(EnumCallBack != NULL && hListLibraryPtr->hFile != NULL)
{
if(hListLibraryPtr->hFile != (HANDLE)-1)
{
__try
{
myEnumCallBack((void*)hListLibraryPtr);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
EnumCallBack = NULL;
}
}
hListLibraryPtr = (PLIBRARY_ITEM_DATAW)((ULONG_PTR)hListLibraryPtr + sizeof LIBRARY_ITEM_DATAW);
}
}
}
__declspec(dllexport) void TITCALL LibrarianEnumLibraryInfoW(void* EnumCallBack)
{
LIBRARY_ITEM_DATA myLibraryInfoData;
PLIBRARY_ITEM_DATAW hListLibraryPtr = NULL;
typedef void(TITCALL *fEnumCallBack)(LPVOID fLibraryDetail);
fEnumCallBack myEnumCallBack = (fEnumCallBack)EnumCallBack;
if(hListLibrary != NULL)
{
hListLibraryPtr = (PLIBRARY_ITEM_DATAW)hListLibrary;
while(EnumCallBack != NULL && hListLibraryPtr->hFile != NULL)
{
if(hListLibraryPtr->hFile != (HANDLE)-1)
{
__try
{
RtlZeroMemory(&myLibraryInfoData, sizeof LIBRARY_ITEM_DATA);
myLibraryInfoData.hFile = hListLibraryPtr->hFile;
myLibraryInfoData.BaseOfDll = hListLibraryPtr->BaseOfDll;
myLibraryInfoData.hFileMapping = hListLibraryPtr->hFileMapping;
myLibraryInfoData.hFileMappingView = hListLibraryPtr->hFileMappingView;
WideCharToMultiByte(CP_ACP, NULL, hListLibraryPtr->szLibraryName, -1, &myLibraryInfoData.szLibraryName[0], sizeof myLibraryInfoData.szLibraryName, NULL, NULL);
WideCharToMultiByte(CP_ACP, NULL, hListLibraryPtr->szLibraryPath, -1, &myLibraryInfoData.szLibraryPath[0], sizeof myLibraryInfoData.szLibraryPath, NULL, NULL);
myEnumCallBack((void*)&myLibraryInfoData);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
EnumCallBack = NULL;
}
}
hListLibraryPtr = (PLIBRARY_ITEM_DATAW)((ULONG_PTR)hListLibraryPtr + sizeof LIBRARY_ITEM_DATAW);
}
}
}
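Review bot: LibrarianSetBreakPoint can write past the end of the breakpoint table when every slot is already in use. The `while` loop stops with `i == 0` and `ptrLibrarianData` advanced past the last entry it checked, and the `lstrcpyA` and field writes that follow are not guarded (this assumes the table holds MAX_LIBRARY_BPX entries, which is not visible here). Adding `if(i <= 0) return(false);` directly after the loop closes that path. The copy itself is also unbounded for a caller-supplied name; `lstrcpynA(ptrLibrarianData->szLibraryName, szLibraryName, sizeof ptrLibrarianData->szLibraryName);` would cap it, provided szLibraryName is an array member of LIBRARY_BREAK_DATA.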


@ -0,0 +1,40 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.OEPFinder.h"
// TitanEngine.FindOEP.functions:
__declspec(dllexport) void TITCALL FindOEPInit()
{
RemoveAllBreakPoints(UE_OPTION_REMOVEALL);
}
__declspec(dllexport) bool TITCALL FindOEPGenerically(char* szFileName, LPVOID TraceInitCallBack, LPVOID CallBack)
{
wchar_t uniFileName[MAX_PATH] = {};
if(szFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0])));
return(FindOEPGenericallyW(uniFileName, TraceInitCallBack, CallBack));
}
else
{
return(false);
}
}
__declspec(dllexport) bool TITCALL FindOEPGenericallyW(wchar_t* szFileName, LPVOID TraceInitCallBack, LPVOID CallBack)
{
int i;
if(GenericOEPFileInitW(szFileName, TraceInitCallBack, CallBack))
{
InitDebugExW(szFileName, NULL, NULL, &GenericOEPTraceInit);
DebugLoop();
for(i = 0; i < glbEntryTracerData.SectionNumber; i++)
{
VirtualFree(glbEntryTracerData.SectionData[i].AllocatedSection, NULL, MEM_RELEASE);
}
}
return(false);
}
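Review bot: FindOEPGenericallyW returns false on every path, because the only return statement is the final `return(false);`. A caller, including the ANSI wrapper FindOEPGenerically, cannot tell a completed trace from a failed GenericOEPFileInitW. If the result is meant to be delivered only through `CallBack`, a comment above the function should say so; otherwise the success branch should end with `return(true);` after the VirtualFree loop. The return value of InitDebugExW is also ignored before `DebugLoop()` runs, so a failed process start is not reported either.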


@ -3,6 +3,7 @@
#include "Global.Engine.h"
#include "Global.Handle.h"
#include "Global.Mapping.h"
#include "Global.Garbage.h"
__declspec(dllexport) bool TITCALL ExtractSection(char* szFileName, char* szDumpFileName, DWORD SectionNumber)
{


@ -0,0 +1,125 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Handle.h"
#include "Global.Engine.h"
#include <psapi.h>
// TitanEngine.Process.functions:
__declspec(dllexport) long TITCALL GetActiveProcessId(char* szImageName)
{
wchar_t uniImageName[MAX_PATH] = {};
if(szImageName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szImageName, lstrlenA(szImageName)+1, uniImageName, sizeof(uniImageName)/(sizeof(uniImageName[0])));
return(GetActiveProcessIdW(uniImageName));
}
else
{
return(NULL);
}
}
__declspec(dllexport) long TITCALL GetActiveProcessIdW(wchar_t* szImageName)
{
int i;
wchar_t* szTranslatedProcName;
DWORD bProcessId[1024] = {};
wchar_t szProcessPath[1024] = {};
DWORD pProcessIdCount = NULL;
HANDLE hProcess;
if(EnumProcesses(bProcessId, sizeof bProcessId, &pProcessIdCount))
{
for(i = 0; i < (int)pProcessIdCount; i++)
{
if(bProcessId[i] != NULL)
{
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, false, bProcessId[i]);
if(hProcess != NULL)
{
if(GetProcessImageFileNameW(hProcess, szProcessPath, 1024) > NULL)
{
szTranslatedProcName = (wchar_t*)TranslateNativeNameW(szProcessPath);
lstrcpyW(szProcessPath, szTranslatedProcName);
VirtualFree((void*)szTranslatedProcName, NULL, MEM_RELEASE);
EngineCloseHandle(hProcess);
if(lstrcmpiW(szProcessPath, szImageName) == NULL)
{
return(bProcessId[i]);
}
else if(lstrcmpiW(EngineExtractFileNameW(szProcessPath), szImageName) == NULL)
{
return(bProcessId[i]);
}
}
else
{
EngineCloseHandle(hProcess);
}
}
}
}
}
return(NULL);
}
__declspec(dllexport) void TITCALL EnumProcessesWithLibrary(char* szLibraryName, void* EnumFunction)
{
int i;
int j;
typedef void(TITCALL *fEnumFunction)(DWORD ProcessId, HMODULE ModuleBaseAddress);
fEnumFunction myEnumFunction = (fEnumFunction)EnumFunction;
HMODULE EnumeratedModules[1024] = {};
DWORD bProcessId[1024] = {};
char szModuleName[1024] = {};
DWORD pProcessIdCount = NULL;
DWORD pModuleCount;
HANDLE hProcess;
if(EnumFunction != NULL)
{
if(EnumProcesses(bProcessId, sizeof bProcessId, &pProcessIdCount))
{
for(i = 0; i < (int)pProcessIdCount; i++)
{
if(bProcessId[i] != NULL)
{
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, false, bProcessId[i]);
if(hProcess != NULL)
{
RtlZeroMemory(&EnumeratedModules[0], sizeof EnumeratedModules);
if(EnumProcessModules(hProcess, (HMODULE*)EnumeratedModules, sizeof EnumeratedModules, &pModuleCount))
{
for(j = 0; j < (int)pModuleCount; j++)
{
if(EnumeratedModules[j] != NULL)
{
if(GetModuleBaseNameA(hProcess, EnumeratedModules[j], szModuleName, 1024) > NULL)
{
if(lstrcmpiA(szModuleName, szLibraryName) == NULL)
{
__try
{
myEnumFunction(bProcessId[i], EnumeratedModules[j]);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
EngineCloseHandle(hProcess);
return;
}
}
}
}
}
}
EngineCloseHandle(hProcess);
}
}
}
}
}
}
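Review bot: Both loops in this file use a byte count as an element count. EnumProcesses and EnumProcessModules report sizes in bytes through their last parameter, yet `i < (int)pProcessIdCount` and `j < (int)pModuleCount` index `bProcessId` and `EnumeratedModules` with those values. This reads past the 1024-entry stack arrays once the returned size exceeds 1024 bytes, and for modules the reported size can also be larger than the buffer that was passed in. This applies to GetActiveProcessIdW and EnumProcessesWithLibrary. Convert and clamp before looping: `pProcessIdCount /= sizeof(DWORD);` and `pModuleCount = min(pModuleCount, (DWORD)sizeof EnumeratedModules) / sizeof(HMODULE);`.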


@ -2,6 +2,7 @@
#include "definitions.h"
#include "Global.Engine.h"
#include "Global.Mapping.h"
#include "Global.Garbage.h"
#include <imagehlp.h>
// TitanEngine.Realigner.functions:


@ -2,6 +2,7 @@
#include "definitions.h"
#include "Global.Mapping.h"
#include "Global.Engine.h"
#include "Global.Garbage.h"
static LPVOID RelocationData = NULL;
LPVOID RelocationLastPage = NULL;

File diff suppressed because it is too large Load Diff


@ -0,0 +1,774 @@
#include "stdafx.h"
#include "definitions.h"
#include "Global.Engine.h"
#include "Global.Mapping.h"
#include "Global.Debugger.h"
#include "Global.TLS.h"
static bool engineBackupTLSx64 = false;
static IMAGE_TLS_DIRECTORY32 engineBackupTLSDataX86 = {};
static IMAGE_TLS_DIRECTORY64 engineBackupTLSDataX64 = {};
static DWORD engineBackupNumberOfCallBacks = NULL;
static LPVOID engineBackupArrayOfCallBacks = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
static DWORD engineBackupTLSAddress = NULL;
// TitanEngine.TLSFixer.functions:
__declspec(dllexport) bool TITCALL TLSBreakOnCallBack(LPVOID ArrayOfCallBacks, DWORD NumberOfCallBacks, LPVOID bpxCallBack)
{
unsigned int i;
LPVOID ReadArrayOfCallBacks = ArrayOfCallBacks;
if(NumberOfCallBacks > NULL)
{
for(i = 0; i < NumberOfCallBacks; i++)
{
RtlMoveMemory(&tlsCallBackList[i], ReadArrayOfCallBacks, sizeof ULONG_PTR);
ReadArrayOfCallBacks = (LPVOID)((ULONG_PTR)ReadArrayOfCallBacks + sizeof ULONG_PTR);
}
engineTLSBreakOnCallBackAddress = (ULONG_PTR)bpxCallBack;
engineTLSBreakOnCallBack = true;
return(true);
}
else
{
return(false);
}
}
__declspec(dllexport) bool TITCALL TLSGrabCallBackData(char* szFileName, LPVOID ArrayOfCallBacks, LPDWORD NumberOfCallBacks)
{
wchar_t uniFileName[MAX_PATH] = {};
if(szFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0])));
return(TLSGrabCallBackDataW(uniFileName, ArrayOfCallBacks, NumberOfCallBacks));
}
else
{
return(false);
}
}
__declspec(dllexport) bool TITCALL TLSGrabCallBackDataW(wchar_t* szFileName, LPVOID ArrayOfCallBacks, LPDWORD NumberOfCallBacks)
{
PIMAGE_DOS_HEADER DOSHeader;
PIMAGE_NT_HEADERS32 PEHeader32;
PIMAGE_NT_HEADERS64 PEHeader64;
HANDLE FileHandle;
DWORD FileSize;
HANDLE FileMap;
ULONG_PTR FileMapVA;
BOOL FileIs64;
PIMAGE_TLS_DIRECTORY32 TLSDirectoryX86;
PIMAGE_TLS_DIRECTORY64 TLSDirectoryX64;
ULONG_PTR TLSDirectoryAddress;
ULONG_PTR TLSCallBackAddress;
ULONG_PTR TLSCompareData = NULL;
DWORD NumberOfTLSCallBacks = NULL;
if(MapFileExW(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{
DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true))
{
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
if(PEHeader32->OptionalHeader.Magic == 0x10B)
{
FileIs64 = false;
}
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
{
FileIs64 = true;
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
if(!FileIs64)
{
if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress != NULL)
{
TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader32->OptionalHeader.ImageBase + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress);
TLSDirectoryX86 = (PIMAGE_TLS_DIRECTORY32)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true);
if(TLSDirectoryX86->AddressOfCallBacks != NULL)
{
TLSCallBackAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryX86->AddressOfCallBacks, true);
while(memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof ULONG_PTR) != NULL)
{
RtlMoveMemory(ArrayOfCallBacks, (LPVOID)TLSCallBackAddress, sizeof ULONG_PTR);
ArrayOfCallBacks = (LPVOID)((ULONG_PTR)ArrayOfCallBacks + sizeof ULONG_PTR);
TLSCallBackAddress = TLSCallBackAddress + sizeof ULONG_PTR;
NumberOfTLSCallBacks++;
}
*NumberOfCallBacks = NumberOfTLSCallBacks;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(true);
}
else
{
*NumberOfCallBacks = NULL;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
}
else
{
*NumberOfCallBacks = NULL;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
}
else
{
if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress != NULL)
{
TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader64->OptionalHeader.ImageBase + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress);
TLSDirectoryX64 = (PIMAGE_TLS_DIRECTORY64)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true);
if(TLSDirectoryX64->AddressOfCallBacks != NULL)
{
TLSCallBackAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryX64->AddressOfCallBacks, true);
while(memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof ULONG_PTR) != NULL)
{
RtlMoveMemory(ArrayOfCallBacks, (LPVOID)TLSCallBackAddress, sizeof ULONG_PTR);
ArrayOfCallBacks = (LPVOID)((ULONG_PTR)ArrayOfCallBacks + sizeof ULONG_PTR);
TLSCallBackAddress = TLSCallBackAddress + sizeof ULONG_PTR;
NumberOfTLSCallBacks++;
}
*NumberOfCallBacks = NumberOfTLSCallBacks;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(true);
}
else
{
*NumberOfCallBacks = NULL;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
}
else
{
*NumberOfCallBacks = NULL;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
}
}
else
{
*NumberOfCallBacks = NULL;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
}
return(false);
}
__declspec(dllexport) bool TITCALL TLSBreakOnCallBackEx(char* szFileName, LPVOID bpxCallBack)
{
wchar_t uniFileName[MAX_PATH] = {};
if(szFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0])));
return(TLSBreakOnCallBackExW(uniFileName, bpxCallBack));
}
else
{
return(false);
}
}
__declspec(dllexport) bool TITCALL TLSBreakOnCallBackExW(wchar_t* szFileName, LPVOID bpxCallBack)
{
ULONG_PTR TlsArrayOfCallBacks[100];
DWORD TlsNumberOfCallBacks;
RtlZeroMemory(&TlsArrayOfCallBacks, 100 * sizeof ULONG_PTR);
if(szFileName != NULL)
{
if(TLSGrabCallBackDataW(szFileName, &TlsArrayOfCallBacks, &TlsNumberOfCallBacks))
{
TLSBreakOnCallBack(&TlsArrayOfCallBacks, TlsNumberOfCallBacks, bpxCallBack);
return(true);
}
else
{
return(false);
}
}
else
{
return(false);
}
}
__declspec(dllexport) bool TITCALL TLSRemoveCallback(char* szFileName)
{
wchar_t uniFileName[MAX_PATH] = {};
if(szFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0])));
return(TLSRemoveCallbackW(uniFileName));
}
else
{
return(false);
}
}
__declspec(dllexport) bool TITCALL TLSRemoveCallbackW(wchar_t* szFileName)
{
PIMAGE_DOS_HEADER DOSHeader;
PIMAGE_NT_HEADERS32 PEHeader32;
PIMAGE_NT_HEADERS64 PEHeader64;
HANDLE FileHandle;
DWORD FileSize;
HANDLE FileMap;
ULONG_PTR FileMapVA;
BOOL FileIs64;
PIMAGE_TLS_DIRECTORY32 TLSDirectoryX86;
PIMAGE_TLS_DIRECTORY64 TLSDirectoryX64;
ULONG_PTR TLSDirectoryAddress;
if(MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{
DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true))
{
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
if(PEHeader32->OptionalHeader.Magic == 0x10B)
{
FileIs64 = false;
}
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
{
FileIs64 = true;
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
if(!FileIs64)
{
if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress != NULL)
{
__try
{
TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader32->OptionalHeader.ImageBase + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress);
TLSDirectoryX86 = (PIMAGE_TLS_DIRECTORY32)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true);
if(TLSDirectoryX86->AddressOfCallBacks != NULL)
{
TLSDirectoryX86->AddressOfCallBacks = NULL;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(true);
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
}
else
{
if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress != NULL)
{
__try
{
TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader64->OptionalHeader.ImageBase + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress);
TLSDirectoryX64 = (PIMAGE_TLS_DIRECTORY64)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true);
if(TLSDirectoryX64->AddressOfCallBacks != NULL)
{
TLSDirectoryX64->AddressOfCallBacks = NULL;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(true);
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
}
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
}
return(false);
}
__declspec(dllexport) bool TITCALL TLSRemoveTable(char* szFileName)
{
wchar_t uniFileName[MAX_PATH] = {};
if(szFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0])));
return(TLSRemoveTableW(uniFileName));
}
else
{
return(false);
}
}
__declspec(dllexport) bool TITCALL TLSRemoveTableW(wchar_t* szFileName)
{
PIMAGE_DOS_HEADER DOSHeader;
PIMAGE_NT_HEADERS32 PEHeader32;
PIMAGE_NT_HEADERS64 PEHeader64;
HANDLE FileHandle;
DWORD FileSize;
HANDLE FileMap;
ULONG_PTR FileMapVA;
BOOL FileIs64;
PIMAGE_TLS_DIRECTORY32 TLSDirectoryX86;
PIMAGE_TLS_DIRECTORY64 TLSDirectoryX64;
ULONG_PTR TLSDirectoryAddress;
if(MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{
DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true))
{
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
if(PEHeader32->OptionalHeader.Magic == 0x10B)
{
FileIs64 = false;
}
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
{
FileIs64 = true;
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
if(!FileIs64)
{
if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress != NULL)
{
__try
{
TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader32->OptionalHeader.ImageBase + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress);
TLSDirectoryX86 = (PIMAGE_TLS_DIRECTORY32)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true);
PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = NULL;
PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = NULL;
RtlZeroMemory(TLSDirectoryX86, sizeof IMAGE_TLS_DIRECTORY32);
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(true);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
}
else
{
if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress != NULL)
{
__try
{
TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader64->OptionalHeader.ImageBase + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress);
TLSDirectoryX64 = (PIMAGE_TLS_DIRECTORY64)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true);
PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = NULL;
PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = NULL;
RtlZeroMemory(TLSDirectoryX64, sizeof IMAGE_TLS_DIRECTORY64);
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(true);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
}
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
}
return(false);
}
__declspec(dllexport) bool TITCALL TLSBackupData(char* szFileName)
{
wchar_t uniFileName[MAX_PATH] = {};
if(szFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0])));
return(TLSBackupDataW(uniFileName));
}
else
{
return(false);
}
}
__declspec(dllexport) bool TITCALL TLSBackupDataW(wchar_t* szFileName)
{
PIMAGE_DOS_HEADER DOSHeader;
PIMAGE_NT_HEADERS32 PEHeader32;
PIMAGE_NT_HEADERS64 PEHeader64;
HANDLE FileHandle;
DWORD FileSize;
HANDLE FileMap;
ULONG_PTR FileMapVA;
BOOL FileIs64;
PIMAGE_TLS_DIRECTORY32 TLSDirectoryX86;
PIMAGE_TLS_DIRECTORY64 TLSDirectoryX64;
ULONG_PTR TLSDirectoryAddress;
ULONG_PTR TLSCallBackAddress;
ULONG_PTR TLSCompareData = NULL;
DWORD NumberOfTLSCallBacks = NULL;
LPVOID ArrayOfCallBacks = &engineBackupArrayOfCallBacks;
LPDWORD NumberOfCallBacks = &engineBackupNumberOfCallBacks;
engineBackupTLSAddress = NULL;
RtlZeroMemory(engineBackupArrayOfCallBacks, 0x1000);
RtlZeroMemory(&engineBackupTLSDataX86, sizeof IMAGE_TLS_DIRECTORY32);
RtlZeroMemory(&engineBackupTLSDataX64, sizeof IMAGE_TLS_DIRECTORY64);
if(MapFileExW(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{
DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true))
{
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
if(PEHeader32->OptionalHeader.Magic == 0x10B)
{
FileIs64 = false;
}
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
{
FileIs64 = true;
}
else
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
if(!FileIs64)
{
if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress != NULL)
{
__try
{
engineBackupTLSx64 = false;
engineBackupTLSAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress;
TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader32->OptionalHeader.ImageBase + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress);
TLSDirectoryX86 = (PIMAGE_TLS_DIRECTORY32)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true);
RtlMoveMemory(&engineBackupTLSDataX86, (LPVOID)TLSDirectoryX86, sizeof IMAGE_TLS_DIRECTORY32);
if(TLSDirectoryX86->AddressOfCallBacks != NULL)
{
TLSCallBackAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryX86->AddressOfCallBacks, true);
while(memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof ULONG_PTR) != NULL)
{
RtlMoveMemory(ArrayOfCallBacks, (LPVOID)TLSCallBackAddress, sizeof ULONG_PTR);
ArrayOfCallBacks = (LPVOID)((ULONG_PTR)ArrayOfCallBacks + sizeof ULONG_PTR);
TLSCallBackAddress = TLSCallBackAddress + sizeof ULONG_PTR;
NumberOfTLSCallBacks++;
}
*NumberOfCallBacks = NumberOfTLSCallBacks;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(true);
}
else
{
*NumberOfCallBacks = NULL;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
*NumberOfCallBacks = NULL;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
}
else
{
*NumberOfCallBacks = NULL;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
}
else
{
if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress != NULL)
{
__try
{
engineBackupTLSx64 = true;
engineBackupTLSAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress;
TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader64->OptionalHeader.ImageBase + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress);
TLSDirectoryX64 = (PIMAGE_TLS_DIRECTORY64)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true);
RtlMoveMemory(&engineBackupTLSDataX64, (LPVOID)TLSDirectoryX64, sizeof IMAGE_TLS_DIRECTORY64);
if(TLSDirectoryX64->AddressOfCallBacks != NULL)
{
TLSCallBackAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryX64->AddressOfCallBacks, true);
while(memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof ULONG_PTR) != NULL)
{
RtlMoveMemory(ArrayOfCallBacks, (LPVOID)TLSCallBackAddress, sizeof ULONG_PTR);
ArrayOfCallBacks = (LPVOID)((ULONG_PTR)ArrayOfCallBacks + sizeof ULONG_PTR);
TLSCallBackAddress = TLSCallBackAddress + sizeof ULONG_PTR;
NumberOfTLSCallBacks++;
}
*NumberOfCallBacks = NumberOfTLSCallBacks;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(true);
}
else
{
*NumberOfCallBacks = NULL;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
*NumberOfCallBacks = NULL;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
}
else
{
*NumberOfCallBacks = NULL;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
}
}
else
{
*NumberOfCallBacks = NULL;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return(false);
}
}
return(false);
}
__declspec(dllexport) bool TITCALL TLSRestoreData()
{
ULONG_PTR ueNumberOfBytesRead = NULL;
if(dbgProcessInformation.hProcess != NULL && engineBackupTLSAddress != NULL)
{
if(engineBackupTLSx64)
{
if(WriteProcessMemory(dbgProcessInformation.hProcess, (LPVOID)(engineBackupTLSAddress + GetDebuggedFileBaseAddress()), &engineBackupTLSDataX64, sizeof IMAGE_TLS_DIRECTORY64, &ueNumberOfBytesRead))
{
if(engineBackupTLSDataX64.AddressOfCallBacks != NULL && engineBackupNumberOfCallBacks != NULL)
{
if(WriteProcessMemory(dbgProcessInformation.hProcess, (LPVOID)(engineBackupTLSDataX64.AddressOfCallBacks + GetDebuggedFileBaseAddress()), engineBackupArrayOfCallBacks, sizeof IMAGE_TLS_DIRECTORY64, &ueNumberOfBytesRead))
{
engineBackupTLSAddress = NULL;
return(true);
}
}
else
{
engineBackupTLSAddress = NULL;
return(true);
}
}
}
else
{
if(WriteProcessMemory(dbgProcessInformation.hProcess, (LPVOID)(engineBackupTLSAddress + GetDebuggedFileBaseAddress()), &engineBackupTLSDataX86, sizeof IMAGE_TLS_DIRECTORY32, &ueNumberOfBytesRead))
{
if(engineBackupTLSDataX86.AddressOfCallBacks != NULL && engineBackupNumberOfCallBacks != NULL)
{
if(WriteProcessMemory(dbgProcessInformation.hProcess, (LPVOID)(engineBackupTLSDataX86.AddressOfCallBacks + GetDebuggedFileBaseAddress()), engineBackupArrayOfCallBacks, sizeof IMAGE_TLS_DIRECTORY32, &ueNumberOfBytesRead))
{
engineBackupTLSAddress = NULL;
return(true);
}
}
else
{
engineBackupTLSAddress = NULL;
return(true);
}
}
}
}
return(false);
}
__declspec(dllexport) bool TITCALL TLSBuildNewTable(ULONG_PTR FileMapVA, ULONG_PTR StorePlace, ULONG_PTR StorePlaceRVA, LPVOID ArrayOfCallBacks, DWORD NumberOfCallBacks)
{
BOOL FileIs64;
PIMAGE_DOS_HEADER DOSHeader;
PIMAGE_NT_HEADERS32 PEHeader32;
PIMAGE_NT_HEADERS64 PEHeader64;
PIMAGE_TLS_DIRECTORY32 TLSDirectoryX86;
PIMAGE_TLS_DIRECTORY64 TLSDirectoryX64;
ULONG_PTR TLSWriteData = StorePlaceRVA;
if(FileMapVA != NULL)
{
DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
if(EngineValidateHeader(FileMapVA, NULL, NULL, DOSHeader, true))
{
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
if(PEHeader32->OptionalHeader.Magic == 0x10B)
{
FileIs64 = false;
}
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
{
FileIs64 = true;
}
else
{
return(false);
}
if(!FileIs64)
{
__try
{
PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = (DWORD)StorePlaceRVA;
PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = sizeof IMAGE_TLS_DIRECTORY32;
TLSDirectoryX86 = (PIMAGE_TLS_DIRECTORY32)StorePlace;
TLSDirectoryX86->StartAddressOfRawData = (DWORD)TLSWriteData;
TLSDirectoryX86->EndAddressOfRawData = (DWORD)TLSWriteData + 0x10;
TLSDirectoryX86->AddressOfIndex = (DWORD)TLSWriteData + 0x14;
TLSDirectoryX86->AddressOfCallBacks = (DWORD)TLSWriteData + sizeof IMAGE_TLS_DIRECTORY32 + 8;
RtlMoveMemory((LPVOID)(StorePlace + sizeof IMAGE_TLS_DIRECTORY32 + 8), ArrayOfCallBacks, NumberOfCallBacks * 4);
return(true);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
return(false);
}
}
else
{
__try
{
PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = (DWORD)StorePlaceRVA;
PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = sizeof IMAGE_TLS_DIRECTORY64;
TLSDirectoryX64 = (PIMAGE_TLS_DIRECTORY64)StorePlace;
TLSDirectoryX64->StartAddressOfRawData = TLSWriteData;
TLSDirectoryX64->EndAddressOfRawData = TLSWriteData + 0x20;
TLSDirectoryX64->AddressOfIndex = TLSWriteData + 0x28;
TLSDirectoryX64->AddressOfCallBacks = TLSWriteData + sizeof IMAGE_TLS_DIRECTORY64 + 12;
RtlMoveMemory((LPVOID)(StorePlace + sizeof IMAGE_TLS_DIRECTORY64 + 12), ArrayOfCallBacks, NumberOfCallBacks * 8);
return(true);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
return(false);
}
}
}
else
{
return(false);
}
}
return(false);
}
__declspec(dllexport) bool TITCALL TLSBuildNewTableEx(char* szFileName, char* szSectionName, LPVOID ArrayOfCallBacks, DWORD NumberOfCallBacks)
{
wchar_t uniFileName[MAX_PATH] = {};
if(szFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0])));
return(TLSBuildNewTableExW(uniFileName, szSectionName, ArrayOfCallBacks, NumberOfCallBacks));
}
else
{
return(false);
}
}
__declspec(dllexport) bool TITCALL TLSBuildNewTableExW(wchar_t* szFileName, char* szSectionName, LPVOID ArrayOfCallBacks, DWORD NumberOfCallBacks)
{
HANDLE FileHandle;
DWORD FileSize;
HANDLE FileMap;
ULONG_PTR FileMapVA;
DWORD NewSectionVO = NULL;
DWORD NewSectionFO = NULL;
bool ReturnValue = false;
ULONG_PTR tlsImageBase;
tlsImageBase = (ULONG_PTR)GetPE32DataW(szFileName, NULL, UE_IMAGEBASE);
NewSectionVO = AddNewSectionW(szFileName, szSectionName, sizeof IMAGE_TLS_DIRECTORY64 * 2);
if(MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{
NewSectionFO = (DWORD)ConvertVAtoFileOffset(FileMapVA, NewSectionVO + tlsImageBase, true);
ReturnValue = TLSBuildNewTable(FileMapVA, NewSectionFO, NewSectionVO, ArrayOfCallBacks, NumberOfCallBacks);
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
if(ReturnValue)
{
return(true);
}
else
{
return(false);
}
}
else
{
return(false);
}
}


@ -0,0 +1,94 @@
#include "stdafx.h"
#include "definitions.h"
// TitanEngine.TranslateName.functions:
__declspec(dllexport) void* TITCALL TranslateNativeName(char* szNativeName)
{
LPVOID TranslatedName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
char szDeviceName[3] = "A:";
char szDeviceCOMName[5] = "COM0";
int CurrentDeviceLen;
while(szDeviceName[0] <= 0x5A)
{
RtlZeroMemory(TranslatedName, 0x1000);
if(QueryDosDeviceA(szDeviceName, (LPSTR)TranslatedName, 0x1000) > NULL)
{
CurrentDeviceLen = lstrlenA((LPSTR)TranslatedName);
lstrcatA((LPSTR)TranslatedName, (LPCSTR)(szNativeName + CurrentDeviceLen));
if(lstrcmpiA((LPCSTR)TranslatedName, szNativeName) == NULL)
{
RtlZeroMemory(TranslatedName, 0x1000);
lstrcatA((LPSTR)TranslatedName, szDeviceName);
lstrcatA((LPSTR)TranslatedName, (LPCSTR)(szNativeName + CurrentDeviceLen));
return(TranslatedName);
}
}
szDeviceName[0]++;
}
while(szDeviceCOMName[3] <= 0x39)
{
RtlZeroMemory(TranslatedName, 0x1000);
if(QueryDosDeviceA(szDeviceCOMName, (LPSTR)TranslatedName, 0x1000) > NULL)
{
CurrentDeviceLen = lstrlenA((LPSTR)TranslatedName);
lstrcatA((LPSTR)TranslatedName, (LPCSTR)(szNativeName + CurrentDeviceLen));
if(lstrcmpiA((LPCSTR)TranslatedName, szNativeName) == NULL)
{
RtlZeroMemory(TranslatedName, 0x1000);
lstrcatA((LPSTR)TranslatedName, szDeviceCOMName);
lstrcatA((LPSTR)TranslatedName, (LPCSTR)(szNativeName + CurrentDeviceLen));
return(TranslatedName);
}
}
szDeviceCOMName[3]++;
}
VirtualFree(TranslatedName, NULL, MEM_RELEASE);
return(NULL);
}
__declspec(dllexport) void* TITCALL TranslateNativeNameW(wchar_t* szNativeName)
{
LPVOID TranslatedName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
wchar_t szDeviceName[3] = L"A:";
wchar_t szDeviceCOMName[5] = L"COM0";
int CurrentDeviceLen;
while(szDeviceName[0] <= 0x5A)
{
RtlZeroMemory(TranslatedName, 0x1000);
if(QueryDosDeviceW(szDeviceName, (LPWSTR)TranslatedName, MAX_PATH * 2) > NULL)
{
CurrentDeviceLen = lstrlenW((LPWSTR)TranslatedName);
lstrcatW((LPWSTR)TranslatedName, (LPCWSTR)(szNativeName + CurrentDeviceLen));
if(lstrcmpiW((LPCWSTR)TranslatedName, szNativeName) == NULL)
{
RtlZeroMemory(TranslatedName, 0x1000);
lstrcatW((LPWSTR)TranslatedName, szDeviceName);
lstrcatW((LPWSTR)TranslatedName, (LPWSTR)(szNativeName + CurrentDeviceLen));
return(TranslatedName);
}
}
szDeviceName[0]++;
}
while(szDeviceCOMName[3] <= 0x39)
{
RtlZeroMemory(TranslatedName, 0x1000);
if(QueryDosDeviceW(szDeviceCOMName, (LPWSTR)TranslatedName, MAX_PATH * 2) > NULL)
{
CurrentDeviceLen = lstrlenW((LPWSTR)TranslatedName);
lstrcatW((LPWSTR)TranslatedName, (LPCWSTR)(szNativeName + CurrentDeviceLen));
if(lstrcmpiW((LPCWSTR)TranslatedName, szNativeName) == NULL)
{
RtlZeroMemory(TranslatedName, 0x1000);
lstrcatW((LPWSTR)TranslatedName, szDeviceCOMName);
lstrcatW((LPWSTR)TranslatedName, (LPWSTR)(szNativeName + CurrentDeviceLen));
return(TranslatedName);
}
}
szDeviceCOMName[3]++;
}
VirtualFree(TranslatedName, NULL, MEM_RELEASE);
return(NULL);
}
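Review bot: Both `TranslateNativeName` and `TranslateNativeNameW` append `szNativeName + CurrentDeviceLen` into the fixed 0x1000-byte `TranslatedName` buffer with `lstrcatA`/`lstrcatW` and check neither length. A native path shorter than the device target is therefore read past its end, and a long one overruns the allocation. The `VirtualAlloc` result and `szNativeName` are also used without a NULL check. The prefix comparison also accepts a partial component match (a target ending in `Volume1` against a path under `Volume10`), so the character after the prefix should be `\` or the terminator. The fence shows the guards for the ANSI drive-letter loop; the COM loop and the wide version need the same, with the wide bound counted in `wchar_t` units, and a header comment should state that the caller releases the result with `VirtualFree`.

```cpp
LPVOID TranslatedName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
if(TranslatedName == NULL || szNativeName == NULL)
{
    if(TranslatedName != NULL)
        VirtualFree(TranslatedName, NULL, MEM_RELEASE);
    return(NULL);
}
int NativeNameLen = lstrlenA(szNativeName);
// … unchanged: szDeviceName / szDeviceCOMName declarations, while(szDeviceName[0] <= 0x5A) header, RtlZeroMemory …
    if(QueryDosDeviceA(szDeviceName, (LPSTR)TranslatedName, 0x1000) > NULL)
    {
        CurrentDeviceLen = lstrlenA((LPSTR)TranslatedName);
        // Splice only when the device target can be a whole-component prefix of the
        // native name and the rebuilt string (plus the longest device name) fits the buffer.
        if(CurrentDeviceLen <= NativeNameLen
                && NativeNameLen + (int)sizeof(szDeviceCOMName) < 0x1000
                && (szNativeName[CurrentDeviceLen] == '\\' || szNativeName[CurrentDeviceLen] == '\0'))
        {
            lstrcatA((LPSTR)TranslatedName, (LPCSTR)(szNativeName + CurrentDeviceLen));
            // … unchanged: lstrcmpiA test, rebuild with szDeviceName, return(TranslatedName) …
        }
    }
// … unchanged: szDeviceName[0]++ and the rest of the function …
```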


@ -118,7 +118,7 @@
<SetChecksum>false</SetChecksum>
<TargetMachine>MachineX86</TargetMachine>
<CLRThreadAttribute>DefaultThreadingAttribute</CLRThreadAttribute>
<AdditionalOptions>/ignore:4197 %(AdditionalOptions)</AdditionalOptions>
<AdditionalOptions>/ignore:4197 /LTCG %(AdditionalOptions)</AdditionalOptions>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
@ -152,7 +152,7 @@
<SetChecksum>false</SetChecksum>
<TargetMachine>MachineX64</TargetMachine>
<CLRThreadAttribute>STAThreadingAttribute</CLRThreadAttribute>
<AdditionalOptions>/ignore:4197 %(AdditionalOptions)</AdditionalOptions>
<AdditionalOptions>/ignore:4197 /LTCG %(AdditionalOptions)</AdditionalOptions>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
@ -177,7 +177,7 @@
<GenerateDebugInformation>false</GenerateDebugInformation>
<LinkTimeCodeGeneration>
</LinkTimeCodeGeneration>
<AdditionalOptions>/ignore:4197 %(AdditionalOptions)</AdditionalOptions>
<AdditionalOptions>/ignore:4197 /LTCG %(AdditionalOptions)</AdditionalOptions>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
@ -211,7 +211,7 @@
<TargetMachine>MachineX64</TargetMachine>
<IgnoreSpecificDefaultLibraries>
</IgnoreSpecificDefaultLibraries>
<AdditionalOptions>/ignore:4197 %(AdditionalOptions)</AdditionalOptions>
<AdditionalOptions>/ignore:4197 /LTCG %(AdditionalOptions)</AdditionalOptions>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
@ -221,11 +221,17 @@
<ClCompile Include="Global.Engine.Extension.cpp" />
<ClCompile Include="Global.Engine.Hash.cpp" />
<ClCompile Include="Global.Engine.Hider.cpp" />
<ClCompile Include="Global.Engine.Hook.cpp" />
<ClCompile Include="Global.Engine.Simplification.cpp" />
<ClCompile Include="Global.Garbage.cpp" />
<ClCompile Include="Global.Handle.cpp" />
<ClCompile Include="Global.Injector.cpp" />
<ClCompile Include="Global.Librarian.cpp" />
<ClCompile Include="Global.Mapping.cpp" />
<ClCompile Include="Global.OEPFinder.cpp" />
<ClCompile Include="Global.Realigner.cpp" />
<ClCompile Include="Global.Threader.cpp" />
<ClCompile Include="Global.Engine.GUI.cpp" />
<ClCompile Include="Global.TLS.cpp" />
<ClCompile Include="stdafx.cpp">
<PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
@ -237,20 +243,35 @@
<ClCompile Include="TitanEngine.cpp" />
<ClCompile Include="LzmaDec.cpp" />
<ClCompile Include="TitanEngine.Debugger.Context.cpp" />
<ClCompile Include="TitanEngine.Debugger.Control.cpp" />
<ClCompile Include="TitanEngine.Debugger.cpp" />
<ClCompile Include="TitanEngine.Debugger.Data.cpp" />
<ClCompile Include="TitanEngine.Debugger.Helper.cpp" />
<ClCompile Include="TitanEngine.Debugger.Memory.cpp" />
<ClCompile Include="TitanEngine.Disassembler.cpp" />
<ClCompile Include="TitanEngine.Dumper.cpp" />
<ClCompile Include="TitanEngine.Engine.cpp" />
<ClCompile Include="TitanEngine.Engine.Simplification.cpp" />
<ClCompile Include="TitanEngine.Exporter.cpp" />
<ClCompile Include="TitanEngine.Handler.cpp" />
<ClCompile Include="TitanEngine.Hider.cpp" />
<ClCompile Include="TitanEngine.Hooks.cpp" />
<ClCompile Include="TitanEngine.Importer.cpp" />
<ClCompile Include="TitanEngine.Injector.cpp" />
<ClCompile Include="TitanEngine.Librarian.cpp" />
<ClCompile Include="TitanEngine.OEPFinder.cpp" />
<ClCompile Include="TitanEngine.PE.Convert.cpp" />
<ClCompile Include="TitanEngine.PE.cpp" />
<ClCompile Include="TitanEngine.PE.Fixer.cpp" />
<ClCompile Include="TitanEngine.Process.cpp" />
<ClCompile Include="TitanEngine.Realigner.cpp" />
<ClCompile Include="TitanEngine.Relocator.cpp" />
<ClCompile Include="TitanEngine.Resourcer.cpp" />
<ClCompile Include="TitanEngine.Static.cpp" />
<ClCompile Include="TitanEngine.Threader.cpp" />
<ClCompile Include="TitanEngine.TLS.cpp" />
<ClCompile Include="TitanEngine.Tracer.cpp" />
<ClCompile Include="TitanEngine.TranslateName.cpp" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="aplib.h" />
@ -261,11 +282,17 @@
<ClInclude Include="Global.Engine.Extension.h" />
<ClInclude Include="Global.Engine.h" />
<ClInclude Include="Global.Engine.Hider.h" />
<ClInclude Include="Global.Engine.Hook.h" />
<ClInclude Include="Global.Engine.Simplification.h" />
<ClInclude Include="Global.Garbage.h" />
<ClInclude Include="Global.Handle.h" />
<ClInclude Include="Global.Injector.h" />
<ClInclude Include="Global.Librarian.h" />
<ClInclude Include="Global.Mapping.h" />
<ClInclude Include="Global.OEPFinder.h" />
<ClInclude Include="Global.Realigner.h" />
<ClInclude Include="Global.Threader.h" />
<ClInclude Include="Global.Engine.GUI.h" />
<ClInclude Include="Global.TLS.h" />
<ClInclude Include="LzmaDec.h" />
<ClInclude Include="LzmaTypes.h" />
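Review bot: `/LTCG` is passed as free-form text in `<AdditionalOptions>` for all four configurations, including the two Debug ones, while the Release|Win32 block still carries an empty `<LinkTimeCodeGeneration>` element. Setting the property instead, `<LinkTimeCodeGeneration>UseLinkTimeCodeGeneration</LinkTimeCodeGeneration>` in the Release link settings only, keeps the switch visible in the project properties and leaves Debug links incremental. The page prints the old and new `<AdditionalOptions>` lines without markers, so this assumes the `/LTCG` variant is the added one.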


@ -135,6 +135,69 @@
<ClCompile Include="Global.TLS.cpp">
<Filter>Source Files\TitanEngine</Filter>
</ClCompile>
<ClCompile Include="TitanEngine.Debugger.Control.cpp">
<Filter>Source Files\TitanEngine</Filter>
</ClCompile>
<ClCompile Include="Global.OEPFinder.cpp">
<Filter>Source Files\TitanEngine</Filter>
</ClCompile>
<ClCompile Include="TitanEngine.OEPFinder.cpp">
<Filter>Source Files\TitanEngine</Filter>
</ClCompile>
<ClCompile Include="TitanEngine.Importer.cpp">
<Filter>Source Files\TitanEngine</Filter>
</ClCompile>
<ClCompile Include="TitanEngine.Hooks.cpp">
<Filter>Source Files\TitanEngine</Filter>
</ClCompile>
<ClCompile Include="TitanEngine.Tracer.cpp">
<Filter>Source Files\TitanEngine</Filter>
</ClCompile>
<ClCompile Include="TitanEngine.Exporter.cpp">
<Filter>Source Files\TitanEngine</Filter>
</ClCompile>
<ClCompile Include="TitanEngine.Librarian.cpp">
<Filter>Source Files\TitanEngine</Filter>
</ClCompile>
<ClCompile Include="TitanEngine.Process.cpp">
<Filter>Source Files\TitanEngine</Filter>
</ClCompile>
<ClCompile Include="TitanEngine.TLS.cpp">
<Filter>Source Files\TitanEngine</Filter>
</ClCompile>
<ClCompile Include="TitanEngine.TranslateName.cpp">
<Filter>Source Files\TitanEngine</Filter>
</ClCompile>
<ClCompile Include="TitanEngine.Handler.cpp">
<Filter>Source Files\TitanEngine</Filter>
</ClCompile>
<ClCompile Include="TitanEngine.Injector.cpp">
<Filter>Source Files\TitanEngine</Filter>
</ClCompile>
<ClCompile Include="Global.Injector.cpp">
<Filter>Source Files\TitanEngine</Filter>
</ClCompile>
<ClCompile Include="TitanEngine.Static.cpp">
<Filter>Source Files\TitanEngine</Filter>
</ClCompile>
<ClCompile Include="TitanEngine.Engine.cpp">
<Filter>Source Files\TitanEngine</Filter>
</ClCompile>
<ClCompile Include="Global.Engine.Hook.cpp">
<Filter>Source Files\TitanEngine</Filter>
</ClCompile>
<ClCompile Include="Global.Engine.GUI.cpp">
<Filter>Source Files\TitanEngine</Filter>
</ClCompile>
<ClCompile Include="Global.Engine.Simplification.cpp">
<Filter>Source Files\TitanEngine</Filter>
</ClCompile>
<ClCompile Include="TitanEngine.Engine.Simplification.cpp">
<Filter>Source Files\TitanEngine</Filter>
</ClCompile>
<ClCompile Include="Global.Garbage.cpp">
<Filter>Source Files\TitanEngine</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="resource.h">
@ -197,6 +260,24 @@
<ClInclude Include="Global.TLS.h">
<Filter>Header Files\TitanEngine</Filter>
</ClInclude>
<ClInclude Include="Global.OEPFinder.h">
<Filter>Header Files\TitanEngine</Filter>
</ClInclude>
<ClInclude Include="Global.Injector.h">
<Filter>Header Files\TitanEngine</Filter>
</ClInclude>
<ClInclude Include="Global.Engine.Hook.h">
<Filter>Header Files\TitanEngine</Filter>
</ClInclude>
<ClInclude Include="Global.Engine.GUI.h">
<Filter>Header Files\TitanEngine</Filter>
</ClInclude>
<ClInclude Include="Global.Engine.Simplification.h">
<Filter>Header Files\TitanEngine</Filter>
</ClInclude>
<ClInclude Include="Global.Garbage.h">
<Filter>Header Files\TitanEngine</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="TitanEngine.rc">


@ -3,16 +3,6 @@
#define TITCALL
// Global.Function.Declaration:
void BreakPointManager();
void GenericOEPTraceHited();
// Global.Garbage.functions:
bool CreateGarbageItem(void* outGargabeItem, int MaxGargabeStringSize);
bool RemoveGarbageItem(wchar_t* szGarbageItem, bool RemoveFolder);
bool FillGarbageItem(wchar_t* szGarbageItem, wchar_t* szFileName, void* outGargabeItem, int MaxGargabeStringSize);
void EmptyGarbage();
#ifdef __cplusplus
extern "C" {
#endif /*__cplusplus*/