From 35c3c618b1b1b481bf19c191aa83801c596ccf82 Mon Sep 17 00:00:00 2001
From: NtQuery
Date: Thu, 6 Mar 2014 20:17:14 +0100
Subject: [PATCH] added Teb32 and Teb64 functions

---
 TitanEngine/TitanEngine.Hider.cpp | 43 +++++++++++++
 TitanEngine/TitanEngine.def | 2 +
 TitanEngine/definitions.h | 2 +
 TitanEngine/ntdll.h | 102 ++++++++++++++++++++++++++++++
 TitanEngine/ntdll_x64.lib | Bin 2428 -> 4366 bytes
 TitanEngine/ntdll_x86.lib | Bin 2500 -> 4592 bytes
 6 files changed, 149 insertions(+)

diff --git a/TitanEngine/TitanEngine.Hider.cpp b/TitanEngine/TitanEngine.Hider.cpp
index ed9deb0..4714037 100644
--- a/TitanEngine/TitanEngine.Hider.cpp
+++ b/TitanEngine/TitanEngine.Hider.cpp
@@ -29,6 +29,49 @@ __declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess)
     return PebAddress;
 }
 
+__declspec(dllexport) void* TITCALL GetTEBLocation(HANDLE hThread)
+{
+    ULONG RequiredLen = 0;
+    void * TebAddress = 0;
+    PTHREAD_BASIC_INFORMATION myThreadBasicInformation = (PTHREAD_BASIC_INFORMATION)VirtualAlloc(NULL, sizeof(THREAD_BASIC_INFORMATION) * 4, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE);
+
+    if(!myThreadBasicInformation)
+        return 0;
+
+    if(NtQueryInformationThread(hThread, ThreadBasicInformation, myThreadBasicInformation, sizeof(THREAD_BASIC_INFORMATION), &RequiredLen) == STATUS_SUCCESS)
+    {
+        TebAddress = (void*)myThreadBasicInformation->TebBaseAddress;
+    }
+    else
+    {
+        if(NtQueryInformationThread(hThread, ThreadBasicInformation, myThreadBasicInformation, RequiredLen, &RequiredLen) == STATUS_SUCCESS)
+        {
+            TebAddress = (void*)myThreadBasicInformation->TebBaseAddress;
+        }
+    }
+
+
+    VirtualFree(myThreadBasicInformation, 0, MEM_RELEASE);
+    return TebAddress;
+}
+
+__declspec(dllexport) void* TITCALL GetTEBLocation64(HANDLE hThread)
+{
+#ifndef _WIN64
+    if (IsThisProcessWow64())
+    {
+        //Only WOW64 processes have 2 PEBs and 2 TEBs
+        DWORD teb32 = (DWORD)GetTEBLocation(hThread);
+        if (teb32)
+        {
+            teb32 -= 0x2000; //TEB64 before TEB32
+            return (void *)teb32;
+        }
+    }
+#endif //_WIN64
+    return 0;
+}
+
 __declspec(dllexport) void* TITCALL GetPEBLocation64(HANDLE hProcess)
 {
 #ifndef _WIN64
diff --git a/TitanEngine/TitanEngine.def b/TitanEngine/TitanEngine.def
index af01955..7cd2745 100644
--- a/TitanEngine/TitanEngine.def
+++ b/TitanEngine/TitanEngine.def
@@ -229,6 +229,8 @@ HooksScanEntireProcessMemory
 HooksScanEntireProcessMemoryEx
 GetPEBLocation
 GetPEBLocation64
+GetTEBLocation
+GetTEBLocation64
 HideDebugger
 UnHideDebugger
 RelocaterInit
diff --git a/TitanEngine/definitions.h b/TitanEngine/definitions.h
index ba2bc5e..2f6408f 100644
--- a/TitanEngine/definitions.h
+++ b/TitanEngine/definitions.h
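Review bot: The retry branch of GetTEBLocation passes RequiredLen as the buffer length to NtQueryInformationThread without checking that it fits the sizeof(THREAD_BASIC_INFORMATION) * 4 allocation, so a larger reported length would let the call write past the buffer; guard it with `if(RequiredLen <= sizeof(THREAD_BASIC_INFORMATION) * 4 && NtQueryInformationThread(hThread, ThreadBasicInformation, myThreadBasicInformation, RequiredLen, &RequiredLen) == STATUS_SUCCESS)`, or drop the retry entirely since ThreadBasicInformation is a fixed-size class and the first call already sizes it correctly. A stack-allocated THREAD_BASIC_INFORMATION would also remove the VirtualAlloc/VirtualFree pair and the allocation-failure return. In GetTEBLocation64 the `teb32 -= 0x2000` step encodes an undocumented WOW64 layout assumption; the comment should say so, e.g. `//undocumented WOW64 layout: the 64-bit TEB lies 0x2000 bytes before the 32-bit one; revalidate on new Windows releases`.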
@@ -90,6 +90,8 @@ __declspec(dllexport) bool TITCALL IsFileDLLW(wchar_t* szFileName, ULONG_PTR Fil
 // TitanEngine.Hider.functions:
 __declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess);
 __declspec(dllexport) void* TITCALL GetPEBLocation64(HANDLE hProcess);
+__declspec(dllexport) void* TITCALL GetTEBLocation(HANDLE hThread);
+__declspec(dllexport) void* TITCALL GetTEBLocation64(HANDLE hThread);
 __declspec(dllexport) bool TITCALL HideDebugger(HANDLE hProcess, DWORD PatchAPILevel);
 __declspec(dllexport) bool TITCALL UnHideDebugger(HANDLE hProcess, DWORD PatchAPILevel);
 // TitanEngine.Relocater.functions:
diff --git a/TitanEngine/ntdll.h b/TitanEngine/ntdll.h
index e45d6eb..fde91dd 100644
--- a/TitanEngine/ntdll.h
+++ b/TitanEngine/ntdll.h
@@ -9,6 +9,12 @@
 #endif
 
 typedef LONG NTSTATUS;
+typedef LONG KPRIORITY;
+
+typedef struct _CLIENT_ID {
+    HANDLE UniqueProcess;
+    HANDLE UniqueThread;
+} CLIENT_ID, *PCLIENT_ID;
 
 typedef struct _UNICODE_STRING
 {
@@ -47,6 +53,23 @@ typedef struct _PROCESS_BASIC_INFORMATION
 } PROCESS_BASIC_INFORMATION;
 typedef PROCESS_BASIC_INFORMATION *PPROCESS_BASIC_INFORMATION;
 
+typedef struct _THREAD_BASIC_INFORMATION {
+    NTSTATUS ExitStatus;
+    PVOID TebBaseAddress;
+    CLIENT_ID ClientId;
+    ULONG_PTR AffinityMask;
+    KPRIORITY Priority;
+    LONG BasePriority;
+} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;
+
+typedef
+VOID
+(*PPS_APC_ROUTINE) (
+    __in_opt PVOID ApcArgument1,
+    __in_opt PVOID ApcArgument2,
+    __in_opt PVOID ApcArgument3
+);
+
 typedef enum _PROCESSINFOCLASS
 {
     ProcessBasicInformation,
@@ -219,6 +242,16 @@ typedef enum _THREADINFOCLASS
 extern "C" {
 #endif
 
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetInformationProcess (
+    __in HANDLE ProcessHandle,
+    __in PROCESSINFOCLASS ProcessInformationClass,
+    __in_bcount(ProcessInformationLength) PVOID ProcessInformation,
+    __in ULONG ProcessInformationLength
+);
+
 NTSYSCALLAPI
 NTSTATUS
 NTAPI
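Review bot: THREAD_BASIC_INFORMATION in the ntdll.h hunk at -47,6 is added without a comment tying it to the information class it describes, although GetTEBLocation in this commit depends on TebBaseAddress sitting at the right offset in exactly this layout; a one-line comment such as `// Layout returned by NtQueryInformationThread(ThreadBasicInformation); GetTEBLocation reads TebBaseAddress` would make that dependency visible. The field order here (ExitStatus, TebBaseAddress, ClientId, AffinityMask, Priority, BasePriority) matches the widely published layout, so the struct itself needs no change. PPS_APC_ROUTINE in the same hunk and NtSetInformationProcess in the -219,6 hunk are declared but have no caller anywhere in this commit; a short note on why they are being introduced now would help a reader of the diff.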
@@ -241,6 +274,15 @@ NtQueryObject (
     __out_opt PULONG ReturnLength
 );
 
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSetSystemInformation (
+    __in SYSTEM_INFORMATION_CLASS SystemInformationClass,
+    __in_bcount_opt(SystemInformationLength) PVOID SystemInformation,
+    __in ULONG SystemInformationLength
+);
+
 NTSYSCALLAPI
 NTSTATUS
 NTAPI
@@ -261,6 +303,66 @@ NtSetInformationThread (
     __in ULONG ThreadInformationLength
 );
 
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueryInformationThread (
+    __in HANDLE ThreadHandle,
+    __in THREADINFOCLASS ThreadInformationClass,
+    __out_bcount(ThreadInformationLength) PVOID ThreadInformation,
+    __in ULONG ThreadInformationLength,
+    __out_opt PULONG ReturnLength
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtUnmapViewOfSection (
+    __in HANDLE ProcessHandle,
+    __in PVOID BaseAddress
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSuspendThread (
+    __in HANDLE ThreadHandle,
+    __out_opt PULONG PreviousSuspendCount
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtResumeThread (
+    __in HANDLE ThreadHandle,
+    __out_opt PULONG PreviousSuspendCount
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtSuspendProcess (
+    __in HANDLE ProcessHandle
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtResumeProcess (
+    __in HANDLE ProcessHandle
+);
+
+NTSYSCALLAPI
+NTSTATUS
+NTAPI
+NtQueueApcThread (
+    __in HANDLE ThreadHandle,
+    __in PPS_APC_ROUTINE ApcRoutine,
+    __in_opt PVOID ApcArgument1,
+    __in_opt PVOID ApcArgument2,
+    __in_opt PVOID ApcArgument3
+);
+
 #ifdef __cplusplus
 };
 #endif
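Review bot: Of the seven prototypes added in the -261,6 hunk only NtQueryInformationThread has a caller in this commit; NtUnmapViewOfSection, NtSuspendThread, NtResumeThread, NtSuspendProcess, NtResumeProcess and NtQueueApcThread, and NtSetSystemInformation in the -241,6 hunk above, are declared and linked through the regenerated import libraries without any use. If they are groundwork for later changes, a comment at the head of that group saying so, e.g. `// Declared ahead of use; no caller in the engine yet`, would stop a later reader from hunting for callers, and otherwise trimming them keeps the declared ntdll surface to what the engine actually needs. The declarations themselves follow the SAL annotation style already used in this file.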
diff --git a/TitanEngine/ntdll_x64.lib b/TitanEngine/ntdll_x64.lib index d4f11e8f4abee51ff19d77eb45e8a5def7175cc4..45bce84e5fde17a2bd1d077a3880924a8cffd037 100644 GIT binary patch literal 4366 zcmcgv&2AGh5T5?0Nt#B$p-=$H+n1O{uY*2 zwS|RrI=$-Vr}=Ps^)~N4ivqw!fbk=M$SFW{1|VVD6l(wwP4Czg{{%pkKs}<^iA`~o z6D1FAnm$H-q$wN|B{iE85uArKwMbMdZ9Li9%oj`R4+{_S8(YQAd`T~^=WD#%S zR}8P2+?Ey}ZR?Lq>ubd|(5-@DZ8Y|pX1#3HnvE^9SuxseT&GrVm4c+Y^|WJ{2R-Hm z$=Qm9gSKVV9kZQqULi;G3dANEm{+XszPN81<*F0Qu>~&lTBgiW4Rg=i+`h;a9vcFSl~JxAhZ>sH=qcj|_!=H|-P6mvL+w8EaH zD7l!-LmgwSRZ+CiSSLGdUah3Nd6mS(IvNK!#fYE5EHe`TjTperG{C1g@^O4ZW9%QI z@-gxcrvNnUM^LtieN0RkgGq?O1SDY!rePE!Fb;7@Kn#XpxQBEE^Flpn;a{&rI?sLF zY~&Y}ilfv66l1xpe})D`H)H#uD$%3{L_m0kt~0KjbmW(CUy$4zOy+@KHhE2RtmuqC z!FK0?o2!8OJ6cR}OTANrcc!>rE@&sRvXW0J2&&yw@#m{AU-DG@)6J!=WaQ0NeKP{9 zjhVv45M~T!3VricW4H5su3(P%kT<&VHE&y$V2r%)fM@40f^&|#lE6sWf_c{Ci9sK&`)JH`u5k$h=ECAc; zzThy!Y!t4ekq%A*sgvn)h<}NG_(!V)Eb|dH!=U5u;4b&5G_=nMS=3e>5i-moYtG*+EeZ2lY>ycF% z;U>yT$|~oVg{;Ubd>7gu>3tIe-jd#cecO*;XAyotwJIYX11WlCQ)*Vr$3f{A}6FoGnectc8{LE1Lb#qr)@5(vWE zw(M^kg~_PEbY9tigB1`j7Z7WVVY%M{T`1Y>vqowGQF0!U#vMrfT9?a*_g^L;Hm)Ml z1VeH^NyHPY3n_bj+Ll@JKd~!_81X?IfQ>y6Ck5hvi^`~tsQkf_Nf$l?dPHT+iRE!* W=#yLUKe@|za&d;_^RAR25d96rEGbj~ delta 465 zcmYjN%}T>S7@Tdg`KJjcHdWMW)e3@bnrKn*;z8)agCL?HLWSP-4ZL|2%Ll!B@CAe( z3PpVc=|lA17x3Vh6q+s!`>`{_e6z3BzooY|EsC4TNsFGG(rFUMo3qog0N8+11Y`tg zT|ghrVDy0ub-o!UYfY>7bwP)YN0DmKhA`+^rn5^!xlX^LM3;psO+-u`C0K|&Pm(-R z=ggu4L=xy~z=$9E22f{MX0{JhXpqn$P?*mOH61?-yH(SWu=mrX8+kz2g@E%{sV0gv zR`uSrOpmso$A{(Pqj}-(i-I5suXMq+=)r0Y&h(+k#U%<%Po|0?-CGrEo0CPdZFvfl zgF9<4H@P9b+rF8acDNj<;VjeGuI0x4j4U%J=)-Bu33g5$-$|X@Or~Y&Q?AgrTgf#u L^A_{`1@7)YO2=6# 
diff --git a/TitanEngine/ntdll_x86.lib b/TitanEngine/ntdll_x86.lib index a173db378d295ae1ad705f71246ff92f491634a2..0d3e918ed6d1d03a26a5f381ae2a074af7f076a2 100644 GIT binary patch literal 4592 zcmcInTW=Fb6h5|Tjg6f+X&;b6TQ{PGN+`9Bor_e_4Wv>d%qF#+z8Yh%8&~)udo9FE z_yha`1QMeEfxhz20}te#f5BTt&zYT@cV{=YnyxgSnRCv}H|ILzZ+~iy+sC)kKjvq@ z;?13Mu~;Y+%d_+XpKkAn(fu?4dH<(($$4!F_okNpNUho2zjt_0Yc%(Mso$yXA2tqZO}nvItwOVD zA62VCHauZ`kK6e5$iCa$+imPZ({}5QyFcg-$NiSu8x9V~!?rV-SjA1;tJfdlh7l6B z``gqRKQ^o{71a7D8Mb@<@x*od+AdbHq?Y3W%>o?Vz|;=Uz|A6l%^JsJr`3s2T@wgu z&Y4k)Ya)F8!Gk}Ywrd3zX>{8?8uVME-+RuZgKizA(M#60GLM;yx=kk|XV4K2Evpql zj_uZ*$+YhngaZt@GuK8t3g1{U#J-9mV#?cA(V0D_&hDtqX+D$qSc_)uPC;cYrWBkc z0bZs6PBDkAWq|bzzzt-aWC32|{29(yaeT4@@CxbOCCp14pJM+J>6rHL8KfW$NytGK zmf-?igwG)ZOK=Hd5Rc#{DC?qg!q3%g5)2$p35#*u%V#`^KjYx3nDE|$-0h8Cr{%V;mIUid9K6N$ffEwgTTpnz*gZUi%?m-M8;D zuI~pc4_inZ0G1VeU?2pQ8yZOru-e1^2+z6p;yHZ!B)~|XJ~~(>`_0JL<8ZFvaM2 z2|+273=%-fR1}5iU(*l&Xm@}uKBF!UHvXR9!z3*goijp8gW}8K1RYjPIf{?OG z|Foy)REp0T`IQ~< zPh}SO8sf(AMPhhusJl(UE}U^P;e7gDLEN~8t1e6hCP(L>V?x6+Txy%jps=uxm7>|U z-=K~cB(Cpfm&z@UR}S%|_ugc_^gkE=3z{gI1`pC(Rz4KvWv{^GXkHJ7V1194OnO+M z?;44vTsbf5mf3&bA?igFs(LFa(8Z%B0yQO34Y68M3N9Wym5};F7k8SY`d@WQNjaL+ gvQd$GX$H*@Jd0aYTvWbDT}RzA9-8s_DYb%s0Uo4TSO5S3 delta 456 zcmY*VJxjw-6g~NPNz)`vFu~XlOreONpvF|8=-6&0gSsnz43-Xca25Z7Eq8b7F4Dod z;G$EfZf7Kw?q!sgHPGz4L- zI=63xyK{S$`$rPcVL)F2rkogOfEGujCA&d}0tOWV#NS+^E5oN#bAevuGB+*IfSu93 zs8d~8r#EG(H}U93b>4OVJh130;Z$K;wl$K7&H`?>BIEXl99ER$SYiy SxGabzJvyp4n;YltHnQLIXj+2+