mirror of https://github.com/x64dbg/TitanEngine
added Teb32 and Teb64 functions
parent
2770c22838
commit
35c3c618b1
@ -29,6 +29,49 @@ __declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess)
|
||||||
return PebAddress;
|
return PebAddress;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
__declspec(dllexport) void* TITCALL GetTEBLocation(HANDLE hThread)
|
||||||
|
{
|
||||||
|
ULONG RequiredLen = 0;
|
||||||
|
void * TebAddress = 0;
|
||||||
|
PTHREAD_BASIC_INFORMATION myThreadBasicInformation = (PTHREAD_BASIC_INFORMATION)VirtualAlloc(NULL, sizeof(THREAD_BASIC_INFORMATION) * 4, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE);
|
||||||
|
|
||||||
|
if(!myThreadBasicInformation)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
if(NtQueryInformationThread(hThread, ThreadBasicInformation, myThreadBasicInformation, sizeof(THREAD_BASIC_INFORMATION), &RequiredLen) == STATUS_SUCCESS)
|
||||||
|
{
|
||||||
|
TebAddress = (void*)myThreadBasicInformation->TebBaseAddress;
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
if(NtQueryInformationThread(hThread, ThreadBasicInformation, myThreadBasicInformation, RequiredLen, &RequiredLen) == STATUS_SUCCESS)
|
||||||
|
{
|
||||||
|
TebAddress = (void*)myThreadBasicInformation->TebBaseAddress;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
VirtualFree(myThreadBasicInformation, 0, MEM_RELEASE);
|
||||||
|
return TebAddress;
|
||||||
|
}
|
||||||
|
|
||||||
|
__declspec(dllexport) void* TITCALL GetTEBLocation64(HANDLE hThread)
|
||||||
|
{
|
||||||
|
#ifndef _WIN64
|
||||||
|
if (IsThisProcessWow64())
|
||||||
|
{
|
||||||
|
//Only WOW64 processes have 2 PEBs and 2 TEBs
|
||||||
|
DWORD teb32 = (DWORD)GetTEBLocation(hThread);
|
||||||
|
if (teb32)
|
||||||
|
{
|
||||||
|
teb32 -= 0x2000; //TEB64 before TEB32
|
||||||
|
return (void *)teb32;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif //_WIN64
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
__declspec(dllexport) void* TITCALL GetPEBLocation64(HANDLE hProcess)
|
__declspec(dllexport) void* TITCALL GetPEBLocation64(HANDLE hProcess)
|
||||||
{
|
{
|
||||||
#ifndef _WIN64
|
#ifndef _WIN64
|
||||||
|
|
|
||||||
|
|
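Review bot: The retry call in GetTEBLocation passes RequiredLen as ThreadInformationLength while the buffer allocated earlier in the hunk is only sizeof(THREAD_BASIC_INFORMATION) * 4 bytes, and the prototype added in this commit annotates that parameter as `__out_bcount(ThreadInformationLength)`, so a RequiredLen larger than the allocation would let the call write past it. For ThreadBasicInformation the required size is fixed, so the branch is presumably dead in practice, but the bound should be explicit: `if(RequiredLen <= sizeof(THREAD_BASIC_INFORMATION) * 4 && NtQueryInformationThread(hThread, ThreadBasicInformation, myThreadBasicInformation, RequiredLen, &RequiredLen) == STATUS_SUCCESS)`. A stack-local THREAD_BASIC_INFORMATION would also remove the VirtualAlloc/VirtualFree pair and the early-return path that exists only to handle its failure. In GetTEBLocation64, `teb32 -= 0x2000` encodes an undocumented WOW64 layout assumption (64-bit TEB placed 0x2000 below the 32-bit one); a comment stating that this is version-dependent and that the result should be validated by the caller would help future maintainers.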
@ -229,6 +229,8 @@ HooksScanEntireProcessMemory
|
||||||
HooksScanEntireProcessMemoryEx
|
HooksScanEntireProcessMemoryEx
|
||||||
GetPEBLocation
|
GetPEBLocation
|
||||||
GetPEBLocation64
|
GetPEBLocation64
|
||||||
|
GetTEBLocation
|
||||||
|
GetTEBLocation64
|
||||||
HideDebugger
|
HideDebugger
|
||||||
UnHideDebugger
|
UnHideDebugger
|
||||||
RelocaterInit
|
RelocaterInit
|
||||||
|
|
|
||||||
|
|
@ -90,6 +90,8 @@ __declspec(dllexport) bool TITCALL IsFileDLLW(wchar_t* szFileName, ULONG_PTR Fil
|
||||||
// TitanEngine.Hider.functions:
|
// TitanEngine.Hider.functions:
|
||||||
__declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess);
|
__declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess);
|
||||||
__declspec(dllexport) void* TITCALL GetPEBLocation64(HANDLE hProcess);
|
__declspec(dllexport) void* TITCALL GetPEBLocation64(HANDLE hProcess);
|
||||||
|
__declspec(dllexport) void* TITCALL GetTEBLocation(HANDLE hThread);
|
||||||
|
__declspec(dllexport) void* TITCALL GetTEBLocation64(HANDLE hThread);
|
||||||
__declspec(dllexport) bool TITCALL HideDebugger(HANDLE hProcess, DWORD PatchAPILevel);
|
__declspec(dllexport) bool TITCALL HideDebugger(HANDLE hProcess, DWORD PatchAPILevel);
|
||||||
__declspec(dllexport) bool TITCALL UnHideDebugger(HANDLE hProcess, DWORD PatchAPILevel);
|
__declspec(dllexport) bool TITCALL UnHideDebugger(HANDLE hProcess, DWORD PatchAPILevel);
|
||||||
// TitanEngine.Relocater.functions:
|
// TitanEngine.Relocater.functions:
|
||||||
|
|
|
||||||
|
|
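Review bot: The two new exported prototypes carry no comment describing their contract, and the matching implementation in this commit makes GetTEBLocation64 return 0 both on native 64-bit builds and for non-WOW64 32-bit processes, so callers cannot tell "no 64-bit TEB exists" from a failed query. Suggested comment above the declarations: `// GetTEBLocation: TEB of hThread via NtQueryInformationThread, 0 on failure. GetTEBLocation64: 32-bit build only; 64-bit TEB of a WOW64 thread, otherwise 0`. It is also worth noting that hThread presumably needs THREAD_QUERY_INFORMATION access for the query to succeed.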
@ -9,6 +9,12 @@
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
typedef LONG NTSTATUS;
|
typedef LONG NTSTATUS;
|
||||||
|
typedef LONG KPRIORITY;
|
||||||
|
|
||||||
|
typedef struct _CLIENT_ID {
|
||||||
|
HANDLE UniqueProcess;
|
||||||
|
HANDLE UniqueThread;
|
||||||
|
} CLIENT_ID, *PCLIENT_ID;
|
||||||
|
|
||||||
typedef struct _UNICODE_STRING
|
typedef struct _UNICODE_STRING
|
||||||
{
|
{
|
||||||
|
|
@ -47,6 +53,23 @@ typedef struct _PROCESS_BASIC_INFORMATION
|
||||||
} PROCESS_BASIC_INFORMATION;
|
} PROCESS_BASIC_INFORMATION;
|
||||||
typedef PROCESS_BASIC_INFORMATION *PPROCESS_BASIC_INFORMATION;
|
typedef PROCESS_BASIC_INFORMATION *PPROCESS_BASIC_INFORMATION;
|
||||||
|
|
||||||
|
typedef struct _THREAD_BASIC_INFORMATION {
|
||||||
|
NTSTATUS ExitStatus;
|
||||||
|
PVOID TebBaseAddress;
|
||||||
|
CLIENT_ID ClientId;
|
||||||
|
ULONG_PTR AffinityMask;
|
||||||
|
KPRIORITY Priority;
|
||||||
|
LONG BasePriority;
|
||||||
|
} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;
|
||||||
|
|
||||||
|
typedef
|
||||||
|
VOID
|
||||||
|
(*PPS_APC_ROUTINE) (
|
||||||
|
__in_opt PVOID ApcArgument1,
|
||||||
|
__in_opt PVOID ApcArgument2,
|
||||||
|
__in_opt PVOID ApcArgument3
|
||||||
|
);
|
||||||
|
|
||||||
typedef enum _PROCESSINFOCLASS
|
typedef enum _PROCESSINFOCLASS
|
||||||
{
|
{
|
||||||
ProcessBasicInformation,
|
ProcessBasicInformation,
|
||||||
|
|
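Review bot: The hand-declared THREAD_BASIC_INFORMATION is passed by size to NtQueryInformationThread in the same commit, so any drift in its layout (a wrong field type or missing padding) would silently turn into a mismatch or an undersized buffer at the call site. A compile-time check pins the expected native sizes: `C_ASSERT(sizeof(THREAD_BASIC_INFORMATION) == (sizeof(void*) == 8 ? 0x30 : 0x1C));`. The same hunk also adds PPS_APC_ROUTINE, and later hunks in this header add NtQueueApcThread, NtSuspend/ResumeThread and NtSuspend/ResumeProcess, which nothing in this commit calls; a short comment saying which consumer they are intended for would make the additions easier to review.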
@ -219,6 +242,16 @@ typedef enum _THREADINFOCLASS
|
||||||
extern "C" {
|
extern "C" {
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
NTSYSCALLAPI
|
||||||
|
NTSTATUS
|
||||||
|
NTAPI
|
||||||
|
NtSetInformationProcess (
|
||||||
|
__in HANDLE ProcessHandle,
|
||||||
|
__in PROCESSINFOCLASS ProcessInformationClass,
|
||||||
|
__in_bcount(ProcessInformationLength) PVOID ProcessInformation,
|
||||||
|
__in ULONG ProcessInformationLength
|
||||||
|
);
|
||||||
|
|
||||||
NTSYSCALLAPI
|
NTSYSCALLAPI
|
||||||
NTSTATUS
|
NTSTATUS
|
||||||
NTAPI
|
NTAPI
|
||||||
|
|
@ -241,6 +274,15 @@ NtQueryObject (
|
||||||
__out_opt PULONG ReturnLength
|
__out_opt PULONG ReturnLength
|
||||||
);
|
);
|
||||||
|
|
||||||
|
NTSYSCALLAPI
|
||||||
|
NTSTATUS
|
||||||
|
NTAPI
|
||||||
|
NtSetSystemInformation (
|
||||||
|
__in SYSTEM_INFORMATION_CLASS SystemInformationClass,
|
||||||
|
__in_bcount_opt(SystemInformationLength) PVOID SystemInformation,
|
||||||
|
__in ULONG SystemInformationLength
|
||||||
|
);
|
||||||
|
|
||||||
NTSYSCALLAPI
|
NTSYSCALLAPI
|
||||||
NTSTATUS
|
NTSTATUS
|
||||||
NTAPI
|
NTAPI
|
||||||
|
|
@ -261,6 +303,66 @@ NtSetInformationThread (
|
||||||
__in ULONG ThreadInformationLength
|
__in ULONG ThreadInformationLength
|
||||||
);
|
);
|
||||||
|
|
||||||
|
NTSYSCALLAPI
|
||||||
|
NTSTATUS
|
||||||
|
NTAPI
|
||||||
|
NtQueryInformationThread (
|
||||||
|
__in HANDLE ThreadHandle,
|
||||||
|
__in THREADINFOCLASS ThreadInformationClass,
|
||||||
|
__out_bcount(ThreadInformationLength) PVOID ThreadInformation,
|
||||||
|
__in ULONG ThreadInformationLength,
|
||||||
|
__out_opt PULONG ReturnLength
|
||||||
|
);
|
||||||
|
|
||||||
|
NTSYSCALLAPI
|
||||||
|
NTSTATUS
|
||||||
|
NTAPI
|
||||||
|
NtUnmapViewOfSection (
|
||||||
|
__in HANDLE ProcessHandle,
|
||||||
|
__in PVOID BaseAddress
|
||||||
|
);
|
||||||
|
|
||||||
|
NTSYSCALLAPI
|
||||||
|
NTSTATUS
|
||||||
|
NTAPI
|
||||||
|
NtSuspendThread (
|
||||||
|
__in HANDLE ThreadHandle,
|
||||||
|
__out_opt PULONG PreviousSuspendCount
|
||||||
|
);
|
||||||
|
|
||||||
|
NTSYSCALLAPI
|
||||||
|
NTSTATUS
|
||||||
|
NTAPI
|
||||||
|
NtResumeThread (
|
||||||
|
__in HANDLE ThreadHandle,
|
||||||
|
__out_opt PULONG PreviousSuspendCount
|
||||||
|
);
|
||||||
|
|
||||||
|
NTSYSCALLAPI
|
||||||
|
NTSTATUS
|
||||||
|
NTAPI
|
||||||
|
NtSuspendProcess (
|
||||||
|
__in HANDLE ProcessHandle
|
||||||
|
);
|
||||||
|
|
||||||
|
NTSYSCALLAPI
|
||||||
|
NTSTATUS
|
||||||
|
NTAPI
|
||||||
|
NtResumeProcess (
|
||||||
|
__in HANDLE ProcessHandle
|
||||||
|
);
|
||||||
|
|
||||||
|
NTSYSCALLAPI
|
||||||
|
NTSTATUS
|
||||||
|
NTAPI
|
||||||
|
NtQueueApcThread (
|
||||||
|
__in HANDLE ThreadHandle,
|
||||||
|
__in PPS_APC_ROUTINE ApcRoutine,
|
||||||
|
__in_opt PVOID ApcArgument1,
|
||||||
|
__in_opt PVOID ApcArgument2,
|
||||||
|
__in_opt PVOID ApcArgument3
|
||||||
|
);
|
||||||
|
|
||||||
#ifdef __cplusplus
|
#ifdef __cplusplus
|
||||||
};
|
};
|
||||||
#endif
|
#endif
|
||||||
|
|
|
||||||