added Teb32 and Teb64 functions

2014-03-06 20:17:14 +01:00 · 2014-03-06 20:17:14 +01:00 · 35c3c618b1
parent 2770c22838
commit 35c3c618b1
6 changed files with 149 additions and 0 deletions
--- a/TitanEngine/TitanEngine.Hider.cpp
+++ b/TitanEngine/TitanEngine.Hider.cpp
@ -29,6 +29,49 @@ __declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess)
    return PebAddress;
 }

+__declspec(dllexport) void* TITCALL GetTEBLocation(HANDLE hThread)
+{
+    ULONG RequiredLen = 0;
+    void * TebAddress = 0;
+    PTHREAD_BASIC_INFORMATION myThreadBasicInformation = (PTHREAD_BASIC_INFORMATION)VirtualAlloc(NULL, sizeof(THREAD_BASIC_INFORMATION) * 4, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE);
+
+    if(!myThreadBasicInformation)
+        return 0;
+
+    if(NtQueryInformationThread(hThread, ThreadBasicInformation, myThreadBasicInformation, sizeof(THREAD_BASIC_INFORMATION), &RequiredLen) == STATUS_SUCCESS)
+    {
+        TebAddress = (void*)myThreadBasicInformation->TebBaseAddress;
+    }
+    else
+    {
+        if(NtQueryInformationThread(hThread, ThreadBasicInformation, myThreadBasicInformation, RequiredLen, &RequiredLen) == STATUS_SUCCESS)
+        {
+            TebAddress = (void*)myThreadBasicInformation->TebBaseAddress;
+        }
+    }
+
+
+    VirtualFree(myThreadBasicInformation, 0, MEM_RELEASE);
+    return TebAddress;
+}
+
+__declspec(dllexport) void* TITCALL GetTEBLocation64(HANDLE hThread)
+{
+#ifndef _WIN64
+    if (IsThisProcessWow64())
+    {
+        //Only WOW64 processes have 2 PEBs and 2 TEBs
+        DWORD teb32 = (DWORD)GetTEBLocation(hThread);
+        if (teb32)
+        {
+            teb32 -= 0x2000; //TEB64 before TEB32
+            return (void *)teb32;
+        }
+    }
+#endif //_WIN64
+    return 0;
+}
+
 __declspec(dllexport) void* TITCALL GetPEBLocation64(HANDLE hProcess)
 {
 #ifndef _WIN64
--- a/TitanEngine/TitanEngine.def
+++ b/TitanEngine/TitanEngine.def
@ -229,6 +229,8 @@ HooksScanEntireProcessMemory
 HooksScanEntireProcessMemoryEx
 GetPEBLocation
 GetPEBLocation64
+GetTEBLocation
+GetTEBLocation64
 HideDebugger
 UnHideDebugger
 RelocaterInit
--- a/TitanEngine/definitions.h
+++ b/TitanEngine/definitions.h
@ -90,6 +90,8 @@ __declspec(dllexport) bool TITCALL IsFileDLLW(wchar_t* szFileName, ULONG_PTR Fil
 // TitanEngine.Hider.functions:
 __declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess);
 __declspec(dllexport) void* TITCALL GetPEBLocation64(HANDLE hProcess);
+__declspec(dllexport) void* TITCALL GetTEBLocation(HANDLE hThread);
+__declspec(dllexport) void* TITCALL GetTEBLocation64(HANDLE hThread);
 __declspec(dllexport) bool TITCALL HideDebugger(HANDLE hProcess, DWORD PatchAPILevel);
 __declspec(dllexport) bool TITCALL UnHideDebugger(HANDLE hProcess, DWORD PatchAPILevel);
 // TitanEngine.Relocater.functions:
--- a/TitanEngine/ntdll.h
+++ b/TitanEngine/ntdll.h
@ -9,6 +9,12 @@
 #endif

 typedef LONG NTSTATUS;
+typedef LONG KPRIORITY;
+
+typedef struct _CLIENT_ID {
+    HANDLE UniqueProcess;
+    HANDLE UniqueThread;
+} CLIENT_ID, *PCLIENT_ID;

 typedef struct _UNICODE_STRING
 {
@ -47,6 +53,23 @@ typedef struct _PROCESS_BASIC_INFORMATION
 } PROCESS_BASIC_INFORMATION;
 typedef PROCESS_BASIC_INFORMATION *PPROCESS_BASIC_INFORMATION;

+typedef struct _THREAD_BASIC_INFORMATION {
+    NTSTATUS ExitStatus;
+    PVOID TebBaseAddress;
+    CLIENT_ID ClientId;
+    ULONG_PTR AffinityMask;
+    KPRIORITY Priority;
+    LONG BasePriority;
+} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;
+
+typedef
+VOID
+(*PPS_APC_ROUTINE) (
+    __in_opt PVOID ApcArgument1,
+    __in_opt PVOID ApcArgument2,
+    __in_opt PVOID ApcArgument3
+);
+
 typedef enum _PROCESSINFOCLASS
 {
    ProcessBasicInformation,
@ -219,6 +242,16 @@ typedef enum _THREADINFOCLASS
 extern "C" {
 #endif

+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetInformationProcess (
+    __in HANDLE ProcessHandle,
+    __in PROCESSINFOCLASS ProcessInformationClass,
+    __in_bcount(ProcessInformationLength) PVOID ProcessInformation,
+    __in ULONG ProcessInformationLength
+);
+
 NTSYSCALLAPI
 NTSTATUS
 NTAPI
@ -241,6 +274,15 @@ NtQueryObject (
    __out_opt PULONG ReturnLength
 );

+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetSystemInformation (
+    __in SYSTEM_INFORMATION_CLASS SystemInformationClass,
+    __in_bcount_opt(SystemInformationLength) PVOID SystemInformation,
+    __in ULONG SystemInformationLength
+);
+
 NTSYSCALLAPI
 NTSTATUS
 NTAPI
@ -261,6 +303,66 @@ NtSetInformationThread (
    __in ULONG ThreadInformationLength
 );

+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryInformationThread (
+    __in HANDLE ThreadHandle,
+    __in THREADINFOCLASS ThreadInformationClass,
+    __out_bcount(ThreadInformationLength) PVOID ThreadInformation,
+    __in ULONG ThreadInformationLength,
+    __out_opt PULONG ReturnLength
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtUnmapViewOfSection (
+    __in HANDLE ProcessHandle,
+    __in PVOID BaseAddress
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSuspendThread (
+    __in HANDLE ThreadHandle,
+    __out_opt PULONG PreviousSuspendCount
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtResumeThread (
+    __in HANDLE ThreadHandle,
+    __out_opt PULONG PreviousSuspendCount
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSuspendProcess (
+    __in HANDLE ProcessHandle
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtResumeProcess (
+    __in HANDLE ProcessHandle
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueueApcThread (
+    __in HANDLE ThreadHandle,
+    __in PPS_APC_ROUTINE ApcRoutine,
+    __in_opt PVOID ApcArgument1,
+    __in_opt PVOID ApcArgument2,
+    __in_opt PVOID ApcArgument3
+);
+
 #ifdef __cplusplus
 };
 #endif
--- a/TitanEngine/ntdll_x64.lib
+++ b/TitanEngine/ntdll_x64.lib
--- a/TitanEngine/ntdll_x86.lib
+++ b/TitanEngine/ntdll_x86.lib