diff --git a/TitanEngine/TitanEngine.Hider.cpp b/TitanEngine/TitanEngine.Hider.cpp index ed9deb0..4714037 100644 --- a/TitanEngine/TitanEngine.Hider.cpp +++ b/TitanEngine/TitanEngine.Hider.cpp @@ -29,6 +29,49 @@ __declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess) return PebAddress; } +__declspec(dllexport) void* TITCALL GetTEBLocation(HANDLE hThread) +{ + ULONG RequiredLen = 0; + void * TebAddress = 0; + PTHREAD_BASIC_INFORMATION myThreadBasicInformation = (PTHREAD_BASIC_INFORMATION)VirtualAlloc(NULL, sizeof(THREAD_BASIC_INFORMATION) * 4, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE); + + if(!myThreadBasicInformation) + return 0; + + if(NtQueryInformationThread(hThread, ThreadBasicInformation, myThreadBasicInformation, sizeof(THREAD_BASIC_INFORMATION), &RequiredLen) == STATUS_SUCCESS) + { + TebAddress = (void*)myThreadBasicInformation->TebBaseAddress; + } + else + { + if(NtQueryInformationThread(hThread, ThreadBasicInformation, myThreadBasicInformation, RequiredLen, &RequiredLen) == STATUS_SUCCESS) + { + TebAddress = (void*)myThreadBasicInformation->TebBaseAddress; + } + } + + + VirtualFree(myThreadBasicInformation, 0, MEM_RELEASE); + return TebAddress; +} + +__declspec(dllexport) void* TITCALL GetTEBLocation64(HANDLE hThread) +{ +#ifndef _WIN64 + if (IsThisProcessWow64()) + { + //Only WOW64 processes have 2 PEBs and 2 TEBs + DWORD teb32 = (DWORD)GetTEBLocation(hThread); + if (teb32) + { + teb32 -= 0x2000; //TEB64 before TEB32 + return (void *)teb32; + } + } +#endif //_WIN64 + return 0; +} + __declspec(dllexport) void* TITCALL GetPEBLocation64(HANDLE hProcess) { #ifndef _WIN64 diff --git a/TitanEngine/TitanEngine.def b/TitanEngine/TitanEngine.def index af01955..7cd2745 100644 --- a/TitanEngine/TitanEngine.def +++ b/TitanEngine/TitanEngine.def @@ -229,6 +229,8 @@ HooksScanEntireProcessMemory HooksScanEntireProcessMemoryEx GetPEBLocation GetPEBLocation64 +GetTEBLocation +GetTEBLocation64 HideDebugger UnHideDebugger RelocaterInit 
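Review bot: In GetTEBLocation the fallback call passes the kernel-reported `RequiredLen` straight back as the buffer length without comparing it to the `sizeof(THREAD_BASIC_INFORMATION) * 4` bytes that were actually allocated, so a reported length larger than the allocation would let NtQueryInformationThread write past the buffer (VirtualAlloc's page granularity likely masks this in practice, but the code never relies on it explicitly), and a zero `RequiredLen` after a non-length failure makes the retry pointless; guard it with `if(RequiredLen != 0 && RequiredLen <= sizeof(THREAD_BASIC_INFORMATION) * 4 && NtQueryInformationThread(hThread, ThreadBasicInformation, myThreadBasicInformation, RequiredLen, &RequiredLen) == STATUS_SUCCESS)`. As far as I know ThreadBasicInformation is a fixed-size class that only succeeds with exactly `sizeof(THREAD_BASIC_INFORMATION)`, so the retry and the VirtualAlloc/VirtualFree pair could be replaced by a stack-allocated `THREAD_BASIC_INFORMATION tbi = {0};` queried with `sizeof(tbi)`, which also removes the allocation-failure path. In GetTEBLocation64 the bare `0x2000` encodes an undocumented WOW64 layout (the comment says the 64-bit TEB precedes the 32-bit one by that much); give it a name such as `WOW64_TEB32_OFFSET` and extend the comment to state that the layout is undocumented and should be re-verified on new Windows builds. Both functions return `0` for a `void*`; `NULL` would match the pointer type and the file's other pointer returns.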
diff --git a/TitanEngine/definitions.h b/TitanEngine/definitions.h index ba2bc5e..2f6408f 100644 --- a/TitanEngine/definitions.h +++ b/TitanEngine/definitions.h @@ -90,6 +90,8 @@ __declspec(dllexport) bool TITCALL IsFileDLLW(wchar_t* szFileName, ULONG_PTR Fil // TitanEngine.Hider.functions: __declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess); __declspec(dllexport) void* TITCALL GetPEBLocation64(HANDLE hProcess); +__declspec(dllexport) void* TITCALL GetTEBLocation(HANDLE hThread); +__declspec(dllexport) void* TITCALL GetTEBLocation64(HANDLE hThread); __declspec(dllexport) bool TITCALL HideDebugger(HANDLE hProcess, DWORD PatchAPILevel); __declspec(dllexport) bool TITCALL UnHideDebugger(HANDLE hProcess, DWORD PatchAPILevel); // TitanEngine.Relocater.functions: diff --git a/TitanEngine/ntdll.h b/TitanEngine/ntdll.h index e45d6eb..fde91dd 100644 --- a/TitanEngine/ntdll.h +++ b/TitanEngine/ntdll.h @@ -9,6 +9,12 @@ #endif typedef LONG NTSTATUS; +typedef LONG KPRIORITY; + +typedef struct _CLIENT_ID { + HANDLE UniqueProcess; + HANDLE UniqueThread; +} CLIENT_ID, *PCLIENT_ID; typedef struct _UNICODE_STRING { @@ -47,6 +53,23 @@ typedef struct _PROCESS_BASIC_INFORMATION } PROCESS_BASIC_INFORMATION; typedef PROCESS_BASIC_INFORMATION *PPROCESS_BASIC_INFORMATION; +typedef struct _THREAD_BASIC_INFORMATION { + NTSTATUS ExitStatus; + PVOID TebBaseAddress; + CLIENT_ID ClientId; + ULONG_PTR AffinityMask; + KPRIORITY Priority; + LONG BasePriority; +} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION; + +typedef +VOID +(*PPS_APC_ROUTINE) ( + __in_opt PVOID ApcArgument1, + __in_opt PVOID ApcArgument2, + __in_opt PVOID ApcArgument3 +); + typedef enum _PROCESSINFOCLASS { ProcessBasicInformation, 
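Review bot: The two new GetTEBLocation declarations in definitions.h carry no contract, and GetTEBLocation64's behaviour is not guessable from its name: judging by the implementation elsewhere in this commit it returns NULL on every platform except a 32-bit build inspecting a WOW64 thread. A comment on each declaration would save callers a trip to the source, e.g. `// Returns the TEB of hThread, or NULL on failure; hThread presumably needs THREAD_QUERY_INFORMATION access.` and `// 32-bit build only: returns the 64-bit TEB of a WOW64 thread, otherwise NULL.`. The existing GetPEBLocation/GetPEBLocation64 lines right above are undocumented in the same way, so the same comment style could be applied to them while the block is being touched.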
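Review bot: The `PPS_APC_ROUTINE` typedef added in the second ntdll.h hunk specifies no calling convention, so on x86 it takes the compiler default (`__cdecl` under MSVC), whereas the routine ntdll invokes for a user-mode APC is stdcall (`NTAPI`); a callback written against this typedef and passed to NtQueueApcThread would be entered with a mismatched convention in 32-bit builds, while x64 is unaffected because it has a single convention. Declare it as `typedef VOID (NTAPI *PPS_APC_ROUTINE)(__in_opt PVOID ApcArgument1, __in_opt PVOID ApcArgument2, __in_opt PVOID ApcArgument3);`, consistent with the `NTAPI` the header already places on every Nt* prototype. The NtQueueApcThread prototype in the last ntdll.h hunk on the following line takes this type, so it picks up the fix automatically.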
@@ -219,6 +242,16 @@ typedef enum _THREADINFOCLASS extern "C" { #endif +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetInformationProcess ( + __in HANDLE ProcessHandle, + __in PROCESSINFOCLASS ProcessInformationClass, + __in_bcount(ProcessInformationLength) PVOID ProcessInformation, + __in ULONG ProcessInformationLength +); + NTSYSCALLAPI NTSTATUS NTAPI @@ -241,6 +274,15 @@ NtQueryObject ( __out_opt PULONG ReturnLength ); +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSetSystemInformation ( + __in SYSTEM_INFORMATION_CLASS SystemInformationClass, + __in_bcount_opt(SystemInformationLength) PVOID SystemInformation, + __in ULONG SystemInformationLength +); + NTSYSCALLAPI NTSTATUS NTAPI @@ -261,6 +303,66 @@ NtSetInformationThread ( __in ULONG ThreadInformationLength ); +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueryInformationThread ( + __in HANDLE ThreadHandle, + __in THREADINFOCLASS ThreadInformationClass, + __out_bcount(ThreadInformationLength) PVOID ThreadInformation, + __in ULONG ThreadInformationLength, + __out_opt PULONG ReturnLength +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtUnmapViewOfSection ( + __in HANDLE ProcessHandle, + __in PVOID BaseAddress +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSuspendThread ( + __in HANDLE ThreadHandle, + __out_opt PULONG PreviousSuspendCount +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtResumeThread ( + __in HANDLE ThreadHandle, + __out_opt PULONG PreviousSuspendCount +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtSuspendProcess ( + __in HANDLE ProcessHandle +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtResumeProcess ( + __in HANDLE ProcessHandle +); + +NTSYSCALLAPI +NTSTATUS +NTAPI +NtQueueApcThread ( + __in HANDLE ThreadHandle, + __in PPS_APC_ROUTINE ApcRoutine, + __in_opt PVOID ApcArgument1, + __in_opt PVOID ApcArgument2, + __in_opt PVOID ApcArgument3 +); + #ifdef __cplusplus }; #endif diff --git a/TitanEngine/ntdll_x64.lib b/TitanEngine/ntdll_x64.lib index d4f11e8..45bce84 100644 Binary files a/TitanEngine/ntdll_x64.lib and b/TitanEngine/ntdll_x64.lib differ 
diff --git a/TitanEngine/ntdll_x86.lib b/TitanEngine/ntdll_x86.lib index a173db3..0d3e918 100644 Binary files a/TitanEngine/ntdll_x86.lib and b/TitanEngine/ntdll_x86.lib differ