From 381252384fbe09b846352bb97facc8e5c47a5f81 Mon Sep 17 00:00:00 2001 From: "mr.exodia" Date: Mon, 3 Mar 2014 20:20:55 +0100 Subject: [PATCH] - more separations --- TitanEngine/Global.Engine.Hash.cpp | 1 + TitanEngine/Global.Engine.Hider.cpp | 106 + TitanEngine/Global.Engine.Hider.h | 6 + TitanEngine/Global.Engine.cpp | 4 + TitanEngine/Global.Engine.h | 4 + TitanEngine/Global.Handle.cpp | 1 + TitanEngine/Global.Realigner.cpp | 23 + TitanEngine/Global.Realigner.h | 6 + TitanEngine/Global.Threader.cpp | 5 + TitanEngine/Global.Threader.h | 6 + TitanEngine/TitanEngine.Dumper.cpp | 3 +- TitanEngine/TitanEngine.Dumper.h | 6 - TitanEngine/TitanEngine.Hider.cpp | 45 + TitanEngine/TitanEngine.PE.Convert.cpp | 554 ++ TitanEngine/TitanEngine.PE.Data.cpp | 1198 +++ TitanEngine/TitanEngine.PE.Fixer.cpp | 3010 ++++++++ TitanEngine/TitanEngine.PE.Overlay.cpp | 412 ++ TitanEngine/TitanEngine.PE.Section.cpp | 1553 ++++ TitanEngine/TitanEngine.PE.cpp | 171 + TitanEngine/TitanEngine.Realigner.cpp | 474 ++ TitanEngine/TitanEngine.Relocator.cpp | 787 ++ TitanEngine/TitanEngine.Resourcer.cpp | 359 + TitanEngine/TitanEngine.Threader.cpp | 443 ++ TitanEngine/TitanEngine.cpp | 9047 +---------------------- TitanEngine/TitanEngine.vcxproj | 22 +- TitanEngine/TitanEngine.vcxproj.filters | 54 +- TitanEngine/definitions.h | 1 - 27 files changed, 9246 insertions(+), 9055 deletions(-) create mode 100644 TitanEngine/Global.Engine.Hider.cpp create mode 100644 TitanEngine/Global.Engine.Hider.h create mode 100644 TitanEngine/Global.Realigner.cpp create mode 100644 TitanEngine/Global.Realigner.h create mode 100644 TitanEngine/Global.Threader.cpp create mode 100644 TitanEngine/Global.Threader.h delete mode 100644 TitanEngine/TitanEngine.Dumper.h create mode 100644 TitanEngine/TitanEngine.Hider.cpp create mode 100644 TitanEngine/TitanEngine.PE.Convert.cpp create mode 100644 TitanEngine/TitanEngine.PE.Data.cpp create mode 100644 TitanEngine/TitanEngine.PE.Fixer.cpp create mode 100644 TitanEngine/TitanEngine.PE.Overlay.cpp create mode 100644 TitanEngine/TitanEngine.PE.Section.cpp create mode 100644 TitanEngine/TitanEngine.PE.cpp create mode 100644 TitanEngine/TitanEngine.Realigner.cpp create mode 100644 TitanEngine/TitanEngine.Relocator.cpp create mode 100644 TitanEngine/TitanEngine.Resourcer.cpp create mode 100644 TitanEngine/TitanEngine.Threader.cpp diff --git a/TitanEngine/Global.Engine.Hash.cpp b/TitanEngine/Global.Engine.Hash.cpp index 3b81d8a..97e212d 100644 --- a/TitanEngine/Global.Engine.Hash.cpp +++ b/TitanEngine/Global.Engine.Hash.cpp @@ -1,4 +1,5 @@ #include "stdafx.h" +#include "definitions.h" #include "Global.Engine.Hash.h" static unsigned long Crc32Table[256]; diff --git a/TitanEngine/Global.Engine.Hider.cpp b/TitanEngine/Global.Engine.Hider.cpp new file mode 100644 index 0000000..4546c0c --- /dev/null +++ b/TitanEngine/Global.Engine.Hider.cpp @@ -0,0 +1,106 @@ +#include "stdafx.h" +#include "definitions.h" +#include "Global.Engine.Hider.h" +#include "Global.Engine.h" + +// Global.Engine.Hider.functions: +static bool isAtleastVista() +{ + static bool isAtleastVista=false; + static bool isSet=false; + if(isSet) + return isAtleastVista; + OSVERSIONINFO versionInfo= {0}; + versionInfo.dwOSVersionInfoSize=sizeof(OSVERSIONINFO); + GetVersionEx(&versionInfo); + isAtleastVista=versionInfo.dwMajorVersion >= 6; + isSet=true; + return isAtleastVista; +} + +bool ChangeHideDebuggerState(HANDLE hProcess, DWORD PatchAPILevel, bool Hide) +{ + static ULONG OldHeapFlags=0; + static ULONG OldForceFlag=0; + ULONG_PTR AddressOfPEB = NULL; + ULONG_PTR ueNumberOfBytesRead = NULL; + BYTE patchCheckRemoteDebuggerPresent[5] = {0x33, 0xC0, 0xC2, 0x08, 0x00}; + BYTE patchGetTickCount[3] = {0x33, 0xC0, 0xC3}; + MEMORY_BASIC_INFORMATION MemInfo; + ULONG_PTR APIPatchAddress = NULL; + DWORD OldProtect; + NTPEB myPEB = {}; + + if(hProcess != NULL) + { + AddressOfPEB = (ULONG_PTR)GetPEBLocation(hProcess); + if(ReadProcessMemory(hProcess, (void*)AddressOfPEB, (void*)&myPEB, sizeof NTPEB, &ueNumberOfBytesRead)) + { + if(Hide) + { + myPEB.BeingDebugged = false; + myPEB.NtGlobalFlag = NULL; + //Fix heap flags: https://github.com/eschweiler/ProReversing + BYTE* Heap=(BYTE*)myPEB.ProcessHeap; + + if(WriteProcessMemory(hProcess, (void*)AddressOfPEB, (void*)&myPEB, sizeof NTPEB, &ueNumberOfBytesRead)) + { + if(PatchAPILevel == UE_HIDE_BASIC) + { + APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"CheckRemoteDebuggerPresent"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS); + VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); + OldProtect = MemInfo.Protect; + VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, 5, PAGE_EXECUTE_READWRITE, &OldProtect); + WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), &patchCheckRemoteDebuggerPresent, 5, &ueNumberOfBytesRead); + + APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"GetTickCount"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS); + VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); + OldProtect = MemInfo.Protect; + VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, 3, PAGE_EXECUTE_READWRITE, &OldProtect); + WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), &patchGetTickCount, 3, &ueNumberOfBytesRead); + } + return(true); + } + else + { + return(false); + } + } + else + { + myPEB.BeingDebugged = true; + if(WriteProcessMemory(hProcess, (void*)AddressOfPEB, (void*)&myPEB, sizeof NTPEB, &ueNumberOfBytesRead)) + { + if(PatchAPILevel == UE_HIDE_BASIC) + { + APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"CheckRemoteDebuggerPresent"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS); + VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); + OldProtect = MemInfo.Protect; + VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, 5, PAGE_EXECUTE_READWRITE, &OldProtect); + WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), (void*)GetProcAddress(GetModuleHandleA("kernel32.dll"),"CheckRemoteDebuggerPresent"), 5, &ueNumberOfBytesRead); + + APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"GetTickCount"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS); + VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); + OldProtect = MemInfo.Protect; + VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, 3, PAGE_EXECUTE_READWRITE, &OldProtect); + WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), (void*)GetProcAddress(GetModuleHandleA("kernel32.dll"),"GetTickCount"), 3, &ueNumberOfBytesRead); + } + return(true); + } + else + { + return(false); + } + } + } + else + { + return(false); + } + } + else + { + return(false); + } + return(false); +} \ No newline at end of file diff --git a/TitanEngine/Global.Engine.Hider.h b/TitanEngine/Global.Engine.Hider.h new file mode 100644 index 0000000..033d214 --- /dev/null +++ b/TitanEngine/Global.Engine.Hider.h @@ -0,0 +1,6 @@ +#ifndef _GLOBAL_ENGINE_HIDER_H +#define _GLOBAL_ENGINE_HIDER_H + +bool ChangeHideDebuggerState(HANDLE hProcess, DWORD PatchAPILevel, bool Hide); + +#endif //_GLOBAL_ENGINE_HIDER_H \ No newline at end of file diff --git a/TitanEngine/Global.Engine.cpp b/TitanEngine/Global.Engine.cpp index cccb421..81d4959 100644 --- a/TitanEngine/Global.Engine.cpp +++ b/TitanEngine/Global.Engine.cpp @@ -21,6 +21,10 @@ HMODULE engineHandle; bool engineCheckForwarders = true; bool engineAlowModuleLoading = false; bool engineCreatePathForFiles = true; // hardcoded +bool engineBackupForCriticalFunctions = true; +bool engineResumeProcessIfNoThreadIsActive = false; + +LPVOID engineExitThreadOneShootCallBack = NULL; // Global.Engine.functions: void EngineInit() diff --git a/TitanEngine/Global.Engine.h b/TitanEngine/Global.Engine.h index 5498790..ef3066c 100644 --- a/TitanEngine/Global.Engine.h +++ b/TitanEngine/Global.Engine.h @@ -10,9 +10,13 @@ extern HMODULE engineHandle; extern bool engineAlowModuleLoading; extern bool engineCheckForwarders; +extern bool engineBackupForCriticalFunctions; +extern bool engineResumeProcessIfNoThreadIsActive; extern wchar_t engineSzEngineGarbageFolder[MAX_PATH]; +extern LPVOID engineExitThreadOneShootCallBack; + //Global.Engine.Functions void EngineInit(); bool EngineIsThereFreeHardwareBreakSlot(LPDWORD FreeRegister); diff --git a/TitanEngine/Global.Handle.cpp b/TitanEngine/Global.Handle.cpp index baee92f..126a9da 100644 --- a/TitanEngine/Global.Handle.cpp +++ b/TitanEngine/Global.Handle.cpp @@ -1,4 +1,5 @@ #include "stdafx.h" +#include "definitions.h" #include "Global.Handle.h" // Global.Handle.functions: diff --git a/TitanEngine/Global.Realigner.cpp b/TitanEngine/Global.Realigner.cpp new file mode 100644 index 0000000..4414b63 --- /dev/null +++ b/TitanEngine/Global.Realigner.cpp @@ -0,0 +1,23 @@ +#include "stdafx.h" +#include "Global.Realigner.h" + +// Global.Realigner.functions: +void SetOverallFileStatus(PFILE_STATUS_INFO myFileInfo, BYTE FiledStatus, bool FiledCritical) +{ + + if(myFileInfo->OveralEvaluation == UE_RESULT_FILE_OK || myFileInfo->OveralEvaluation == UE_RESULT_FILE_INVALID_BUT_FIXABLE) + { + if(FiledStatus == UE_FIELD_FIXABLE_CRITICAL || FiledStatus == UE_FIELD_BROKEN_FIXABLE_FOR_STATIC_USE || FiledStatus == UE_FIELD_BROKEN_BUT_CAN_BE_EMULATED) + { + myFileInfo->OveralEvaluation = UE_RESULT_FILE_INVALID_BUT_FIXABLE; + } + else if(FiledStatus == UE_FIELD_BROKEN_NON_FIXABLE && FiledCritical == true) + { + myFileInfo->OveralEvaluation = UE_RESULT_FILE_INVALID_AND_NON_FIXABLE; + } + else if(FiledStatus == UE_FIELD_BROKEN_FIXABLE_FOR_STATIC_USE) + { + myFileInfo->OveralEvaluation = UE_RESULT_FILE_INVALID_BUT_FIXABLE; + } + } +} \ No newline at end of file diff --git a/TitanEngine/Global.Realigner.h b/TitanEngine/Global.Realigner.h new file mode 100644 index 0000000..c806523 --- /dev/null +++ b/TitanEngine/Global.Realigner.h @@ -0,0 +1,6 @@ +#ifndef _GLOBAL_REALIGNER_H +#define _GLOBAL_REALIGNER_H + +void SetOverallFileStatus(PFILE_STATUS_INFO myFileInfo, BYTE FiledStatus, bool FiledCritical); + +#endif //_GLOBAL_REALIGNER_H \ No newline at end of file diff --git a/TitanEngine/Global.Threader.cpp b/TitanEngine/Global.Threader.cpp new file mode 100644 index 0000000..86725a7 --- /dev/null +++ b/TitanEngine/Global.Threader.cpp @@ -0,0 +1,5 @@ +#include "stdafx.h" +#include "definitions.h" +#include "Global.Threader.h" + +LPVOID hListThread = 0; \ No newline at end of file diff --git a/TitanEngine/Global.Threader.h b/TitanEngine/Global.Threader.h new file mode 100644 index 0000000..b6ca0d1 --- /dev/null +++ b/TitanEngine/Global.Threader.h @@ -0,0 +1,6 @@ +#ifndef _GLOBAL_THREADER_H +#define _GLOBAL_THREADER_H + +extern LPVOID hListThread; + +#endif //_GLOBAL_THREADER_H \ No newline at end of file diff --git a/TitanEngine/TitanEngine.Dumper.cpp b/TitanEngine/TitanEngine.Dumper.cpp index b9e8410..9d96e82 100644 --- a/TitanEngine/TitanEngine.Dumper.cpp +++ b/TitanEngine/TitanEngine.Dumper.cpp @@ -1,8 +1,7 @@ #include "stdafx.h" -#include "TitanEngine.Dumper.h" +#include "definitions.h" #include "Global.Engine.h" #include "Global.Handle.h" -#include "definitions.h" #include //TitanEngine.Dumper.functions: diff --git a/TitanEngine/TitanEngine.Dumper.h b/TitanEngine/TitanEngine.Dumper.h deleted file mode 100644 index da286b1..0000000 --- a/TitanEngine/TitanEngine.Dumper.h +++ /dev/null @@ -1,6 +0,0 @@ -#ifndef _TITANENGINE_DUMPER_H -#define _TITANENGINE_DUMPER_H - - - -#endif //_TITANENGINE_DUMPER_H \ No newline at end of file diff --git a/TitanEngine/TitanEngine.Hider.cpp b/TitanEngine/TitanEngine.Hider.cpp new file mode 100644 index 0000000..3b56e1e --- /dev/null +++ b/TitanEngine/TitanEngine.Hider.cpp @@ -0,0 +1,45 @@ +#include "stdafx.h" +#include "definitions.h" +#include "Global.Engine.Hider.h" + +// TitanEngine.Hider.functions: +__declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess) +{ + ULONG RequiredLen = NULL; + PPROCESS_BASIC_INFORMATION myProcessBasicInformation = (PPROCESS_BASIC_INFORMATION)VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); + if(!myProcessBasicInformation) + return 0; +#if !defined(_WIN64) + typedef NTSTATUS(WINAPI *fZwQueryInformationProcess)(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength); +#else + typedef NTSTATUS(__fastcall *fZwQueryInformationProcess)(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength); +#endif + LPVOID ZwQueryInformationProcess = (LPVOID)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwQueryInformationProcess"); + fZwQueryInformationProcess cZwQueryInformationProcess = (fZwQueryInformationProcess)(ZwQueryInformationProcess); + + if(cZwQueryInformationProcess != NULL) + { + if(cZwQueryInformationProcess(hProcess, ProcessBasicInformation, myProcessBasicInformation, sizeof PROCESS_BASIC_INFORMATION, &RequiredLen) == STATUS_SUCCESS) + { + return (void*)myProcessBasicInformation->PebBaseAddress; + } + else + { + if(cZwQueryInformationProcess(hProcess, ProcessBasicInformation, myProcessBasicInformation, RequiredLen, &RequiredLen) == STATUS_SUCCESS) + { + return (void*)myProcessBasicInformation->PebBaseAddress; + } + } + } + return NULL; +} + +__declspec(dllexport) bool TITCALL HideDebugger(HANDLE hProcess, DWORD PatchAPILevel) +{ + return ChangeHideDebuggerState(hProcess, PatchAPILevel, true); +} + +__declspec(dllexport) bool TITCALL UnHideDebugger(HANDLE hProcess, DWORD PatchAPILevel) +{ + return ChangeHideDebuggerState(hProcess, PatchAPILevel, false); +} \ No newline at end of file diff --git a/TitanEngine/TitanEngine.PE.Convert.cpp b/TitanEngine/TitanEngine.PE.Convert.cpp new file mode 100644 index 0000000..3b7cdc4 --- /dev/null +++ b/TitanEngine/TitanEngine.PE.Convert.cpp @@ -0,0 +1,554 @@ +#include "stdafx.h" +#include "definitions.h" +#include "Global.Engine.h" + +__declspec(dllexport) long TITCALL GetPE32SectionNumberFromVA(ULONG_PTR FileMapVA, ULONG_PTR AddressToConvert) +{ + + PIMAGE_DOS_HEADER DOSHeader; + PIMAGE_NT_HEADERS32 PEHeader32; + PIMAGE_NT_HEADERS64 PEHeader64; + PIMAGE_SECTION_HEADER PESections; + ULONG_PTR FoundInSection = -1; + DWORD SectionNumber = 0; + DWORD ConvertAddress = 0; + BOOL FileIs64; + + if(FileMapVA != NULL) + { + DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; + if(EngineValidateHeader(FileMapVA, NULL, NULL, DOSHeader, true)) + { + PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + if(PEHeader32->OptionalHeader.Magic == 0x10B) + { + FileIs64 = false; + } + else if(PEHeader32->OptionalHeader.Magic == 0x20B) + { + FileIs64 = true; + } + else + { + return(-2); + } + if(!FileIs64) + { + __try + { + ConvertAddress = (DWORD)((DWORD)AddressToConvert - PEHeader32->OptionalHeader.ImageBase); + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + SectionNumber = PEHeader32->FileHeader.NumberOfSections; + while(SectionNumber > 0) + { + if(PESections->VirtualAddress <= ConvertAddress && ConvertAddress < PESections->VirtualAddress + PESections->Misc.VirtualSize) + { + FoundInSection = PEHeader32->FileHeader.NumberOfSections - SectionNumber; + } + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); + SectionNumber--; + } + return((DWORD)FoundInSection); + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + return(-2); + } + } + else + { + __try + { + ConvertAddress = (DWORD)(AddressToConvert - PEHeader64->OptionalHeader.ImageBase); + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + SectionNumber = PEHeader64->FileHeader.NumberOfSections; + while(SectionNumber > 0) + { + if(PESections->VirtualAddress <= ConvertAddress && ConvertAddress < PESections->VirtualAddress + PESections->Misc.VirtualSize) + { + FoundInSection = PEHeader64->FileHeader.NumberOfSections - SectionNumber; + } + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); + SectionNumber--; + } + return((DWORD)FoundInSection); + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + return(-2); + } + } + } + else + { + return(-2); + } + } + return(-2); +} +__declspec(dllexport) long long TITCALL ConvertVAtoFileOffset(ULONG_PTR FileMapVA, ULONG_PTR AddressToConvert, bool ReturnType) +{ + + PIMAGE_DOS_HEADER DOSHeader; + PIMAGE_NT_HEADERS32 PEHeader32; + PIMAGE_NT_HEADERS64 PEHeader64; + PIMAGE_SECTION_HEADER PESections; + DWORD SectionNumber = 0; + ULONG_PTR ConvertedAddress = 0; + ULONG_PTR ConvertAddress = 0; + BOOL FileIs64; + + if(FileMapVA != NULL) + { + DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; + if(EngineValidateHeader(FileMapVA, NULL, NULL, DOSHeader, true)) + { + PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + if(PEHeader32->OptionalHeader.Magic == 0x10B) + { + FileIs64 = false; + } + else if(PEHeader32->OptionalHeader.Magic == 0x20B) + { + FileIs64 = true; + } + else + { + return(0); + } + if(!FileIs64) + { + ConvertAddress = (DWORD)((DWORD)AddressToConvert - PEHeader32->OptionalHeader.ImageBase); + if(ConvertAddress < PEHeader32->OptionalHeader.SectionAlignment) + { + ConvertedAddress = ConvertAddress; + } + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + SectionNumber = PEHeader32->FileHeader.NumberOfSections; + __try + { + while(SectionNumber > 0) + { + if(PESections->VirtualAddress <= ConvertAddress && ConvertAddress <= PESections->VirtualAddress + PESections->Misc.VirtualSize) + { + if(ConvertAddress - PESections->VirtualAddress <= PESections->SizeOfRawData) + { + ConvertedAddress = PESections->PointerToRawData + (ConvertAddress - PESections->VirtualAddress); + } + } + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); + SectionNumber--; + } + if(ReturnType) + { + if(ConvertedAddress != NULL) + { + ConvertedAddress = ConvertedAddress + FileMapVA; + } + else if(ConvertAddress == NULL) + { + ConvertedAddress = FileMapVA; + } + } + return(ConvertedAddress); + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + return(0); + } + } + else + { + ConvertAddress = (DWORD)(AddressToConvert - PEHeader64->OptionalHeader.ImageBase); + if(ConvertAddress < PEHeader64->OptionalHeader.SectionAlignment) + { + ConvertedAddress = ConvertAddress; + } + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + SectionNumber = PEHeader64->FileHeader.NumberOfSections; + __try + { + while(SectionNumber > 0) + { + if(PESections->VirtualAddress <= ConvertAddress && ConvertAddress <= PESections->VirtualAddress + PESections->Misc.VirtualSize) + { + if(ConvertAddress - PESections->VirtualAddress <= PESections->SizeOfRawData) + { + ConvertedAddress = PESections->PointerToRawData + (ConvertAddress - PESections->VirtualAddress); + } + } + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); + SectionNumber--; + } + if(ReturnType) + { + if(ConvertedAddress != NULL) + { + ConvertedAddress = ConvertedAddress + FileMapVA; + } + else if(ConvertAddress == NULL) + { + ConvertedAddress = FileMapVA; + } + } + return(ConvertedAddress); + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + return(0); + } + } + } + else + { + return(0); + } + } + return(0); +} +__declspec(dllexport) long long TITCALL ConvertVAtoFileOffsetEx(ULONG_PTR FileMapVA, DWORD FileSize, ULONG_PTR ImageBase, ULONG_PTR AddressToConvert, bool AddressIsRVA, bool ReturnType) +{ + + PIMAGE_DOS_HEADER DOSHeader; + PIMAGE_NT_HEADERS32 PEHeader32; + PIMAGE_NT_HEADERS64 PEHeader64; + PIMAGE_SECTION_HEADER PESections; + DWORD SectionNumber = 0; + ULONG_PTR ConvertedAddress = 0; + ULONG_PTR ConvertAddress = 0; + BOOL FileIs64; + + if(FileMapVA != NULL) + { + DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; + if(EngineValidateHeader(FileMapVA, NULL, NULL, DOSHeader, true)) + { + PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + if(PEHeader32->OptionalHeader.Magic == 0x10B) + { + FileIs64 = false; + } + else if(PEHeader32->OptionalHeader.Magic == 0x20B) + { + FileIs64 = true; + } + else + { + return(0); + } + if(!FileIs64) + { + if(!AddressIsRVA) + { + if(ImageBase == NULL) + { + ConvertAddress = (DWORD)((DWORD)AddressToConvert - PEHeader32->OptionalHeader.ImageBase); + } + else + { + ConvertAddress = (DWORD)((DWORD)AddressToConvert - ImageBase); + } + } + else + { + ConvertAddress = (DWORD)AddressToConvert; + } + if(ConvertAddress < PEHeader32->OptionalHeader.SectionAlignment) + { + ConvertedAddress = ConvertAddress; + } + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + SectionNumber = PEHeader32->FileHeader.NumberOfSections; + __try + { + while(SectionNumber > 0) + { + if(PESections->VirtualAddress <= ConvertAddress && ConvertAddress <= PESections->VirtualAddress + PESections->Misc.VirtualSize) + { + if(ConvertAddress - PESections->VirtualAddress <= PESections->SizeOfRawData) + { + ConvertedAddress = PESections->PointerToRawData + (ConvertAddress - PESections->VirtualAddress); + } + } + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); + SectionNumber--; + } + if(ReturnType) + { + if(ConvertedAddress != NULL) + { + ConvertedAddress = ConvertedAddress + FileMapVA; + } + } + if(ReturnType) + { + if(ConvertedAddress >= FileMapVA && ConvertedAddress <= FileMapVA + FileSize) + { + return((ULONG_PTR)ConvertedAddress); + } + else + { + return(NULL); + } + } + else + { + if(ConvertedAddress > NULL && ConvertedAddress <= FileSize) + { + return((ULONG_PTR)ConvertedAddress); + } + else + { + return(NULL); + } + } + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + return(NULL); + } + } + else + { + if(!AddressIsRVA) + { + if(ImageBase == NULL) + { + ConvertAddress = (DWORD)(AddressToConvert - PEHeader64->OptionalHeader.ImageBase); + } + else + { + ConvertAddress = (DWORD)(AddressToConvert - ImageBase); + } + } + else + { + ConvertAddress = (DWORD)AddressToConvert; + } + if(ConvertAddress < PEHeader64->OptionalHeader.SectionAlignment) + { + ConvertedAddress = ConvertAddress; + } + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + SectionNumber = PEHeader64->FileHeader.NumberOfSections; + __try + { + while(SectionNumber > 0) + { + if(PESections->VirtualAddress <= ConvertAddress && ConvertAddress <= PESections->VirtualAddress + PESections->Misc.VirtualSize) + { + if(ConvertAddress - PESections->VirtualAddress <= PESections->SizeOfRawData) + { + ConvertedAddress = PESections->PointerToRawData + (ConvertAddress - PESections->VirtualAddress); + } + } + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); + SectionNumber--; + } + if(ReturnType) + { + if(ConvertedAddress != NULL) + { + ConvertedAddress = ConvertedAddress + FileMapVA; + } + } + if(ReturnType) + { + if(ConvertedAddress >= FileMapVA && ConvertedAddress <= FileMapVA + FileSize) + { + return((ULONG_PTR)ConvertedAddress); + } + else + { + return(NULL); + } + } + else + { + if(ConvertedAddress > NULL && ConvertedAddress <= FileSize) + { + return((ULONG_PTR)ConvertedAddress); + } + else + { + return(NULL); + } + } + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + return(NULL); + } + } + } + else + { + return(0); + } + } + return(0); +} +__declspec(dllexport) long long TITCALL ConvertFileOffsetToVA(ULONG_PTR FileMapVA, ULONG_PTR AddressToConvert, bool ReturnType) +{ + + PIMAGE_DOS_HEADER DOSHeader; + PIMAGE_NT_HEADERS32 PEHeader32; + PIMAGE_NT_HEADERS64 PEHeader64; + PIMAGE_SECTION_HEADER PESections; + DWORD SectionNumber = 0; + ULONG_PTR ConvertedAddress = 0; + ULONG_PTR ConvertAddress = 0; + BOOL FileIs64; + + if(FileMapVA != NULL) + { + DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; + if(EngineValidateHeader(FileMapVA, NULL, NULL, DOSHeader, true)) + { + PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + if(PEHeader32->OptionalHeader.Magic == 0x10B) + { + FileIs64 = false; + } + else if(PEHeader32->OptionalHeader.Magic == 0x20B) + { + FileIs64 = true; + } + else + { + return(0); + } + if(!FileIs64) + { + ConvertAddress = (DWORD)((DWORD)AddressToConvert - FileMapVA); + if(ConvertAddress < PEHeader32->OptionalHeader.FileAlignment) + { + ConvertedAddress = ConvertAddress; + } + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + SectionNumber = PEHeader32->FileHeader.NumberOfSections; + __try + { + while(SectionNumber > 0) + { + if(PESections->PointerToRawData <= ConvertAddress && ConvertAddress <= PESections->PointerToRawData + PESections->SizeOfRawData) + { + ConvertedAddress = PESections->VirtualAddress + (ConvertAddress - PESections->PointerToRawData); + } + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); + SectionNumber--; + } + if(ReturnType) + { + if(ConvertedAddress != NULL) + { + ConvertedAddress = ConvertedAddress + PEHeader32->OptionalHeader.ImageBase; + } + } + else if(ConvertAddress == NULL) + { + ConvertedAddress = PEHeader32->OptionalHeader.ImageBase; + } + return(ConvertedAddress); + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + return(0); + } + } + else + { + ConvertAddress = (DWORD)(AddressToConvert - FileMapVA); + if(ConvertAddress < PEHeader64->OptionalHeader.FileAlignment) + { + ConvertedAddress = ConvertAddress; + } + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + SectionNumber = PEHeader64->FileHeader.NumberOfSections; + __try + { + while(SectionNumber > 0) + { + if(PESections->PointerToRawData <= ConvertAddress && ConvertAddress <= PESections->PointerToRawData + PESections->SizeOfRawData) + { + ConvertedAddress = PESections->VirtualAddress + (ConvertAddress - PESections->PointerToRawData); + } + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); + SectionNumber--; + } + if(ReturnType) + { + if(ConvertedAddress != NULL) + { + ConvertedAddress = ConvertedAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase; + } + } + else if(ConvertAddress == NULL) + { + ConvertedAddress = (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase; + } + return(ConvertedAddress); + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + return(0); + } + } + } + else + { + return(0); + } + } + return(0); +} +__declspec(dllexport) long long TITCALL ConvertFileOffsetToVAEx(ULONG_PTR FileMapVA, DWORD FileSize, ULONG_PTR ImageBase, ULONG_PTR AddressToConvert, bool ReturnType) +{ + + ULONG_PTR ConvertedAddress = NULL; + DWORD cnvSectionAlignment = NULL; + ULONG_PTR cnvImageBase = NULL; + DWORD cnvSizeOfImage = NULL; + + if(FileMapVA != NULL) + { + if(ImageBase == NULL) + { + cnvImageBase = (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_IMAGEBASE); + } + else + { + cnvImageBase = ImageBase; + } + cnvSizeOfImage = (DWORD)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_SIZEOFIMAGE); + cnvSectionAlignment = (DWORD)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_SECTIONALIGNMENT); + ConvertedAddress = (ULONG_PTR)ConvertFileOffsetToVA(FileMapVA, AddressToConvert, ReturnType); + if(ReturnType) + { + if(ConvertedAddress >= cnvImageBase + cnvSectionAlignment && ConvertedAddress <= cnvImageBase + cnvSizeOfImage) + { + return((ULONG_PTR)ConvertedAddress); + } + else + { + return(NULL); + } + } + else + { + if(ConvertedAddress >= cnvSectionAlignment && ConvertedAddress <= cnvSizeOfImage) + { + return((ULONG_PTR)ConvertedAddress); + } + else + { + return(NULL); + } + } + } + return(NULL); +} \ No newline at end of file diff --git a/TitanEngine/TitanEngine.PE.Data.cpp b/TitanEngine/TitanEngine.PE.Data.cpp new file mode 100644 index 0000000..fe0ad68 --- /dev/null +++ b/TitanEngine/TitanEngine.PE.Data.cpp @@ -0,0 +1,1198 @@ +#include "stdafx.h" +#include "definitions.h" +#include "Global.Engine.h" +#include "Global.Mapping.h" + +__declspec(dllexport) long long TITCALL GetPE32DataFromMappedFile(ULONG_PTR FileMapVA, DWORD WhichSection, DWORD WhichData) +{ + + PIMAGE_DOS_HEADER DOSHeader; + PIMAGE_NT_HEADERS32 PEHeader32; + PIMAGE_NT_HEADERS64 PEHeader64; + PIMAGE_SECTION_HEADER PESections; + DWORD SectionNumber = 0; + BOOL FileIs64; + static char sectionName[9] = ""; + + if(FileMapVA != NULL) + { + DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; + if(EngineValidateHeader(FileMapVA, NULL, NULL, DOSHeader, true)) + { + PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + if(PEHeader32->OptionalHeader.Magic == 0x10B) + { + FileIs64 = false; + } + else if(PEHeader32->OptionalHeader.Magic == 0x20B) + { + FileIs64 = true; + } + else + { + return(0); + } + if(!FileIs64) + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + SectionNumber = PEHeader32->FileHeader.NumberOfSections; + if(WhichData < UE_SECTIONNAME) + { + if(WhichData == UE_PE_OFFSET) + { + return(DOSHeader->e_lfanew); + } + else if(WhichData == UE_IMAGEBASE) + { + return(PEHeader32->OptionalHeader.ImageBase); + } + else if(WhichData == UE_OEP) + { + return(PEHeader32->OptionalHeader.AddressOfEntryPoint); + } + else if(WhichData == UE_BASEOFCODE) + { + return(PEHeader32->OptionalHeader.BaseOfCode); + } + else if(WhichData == UE_BASEOFDATA) + { + return(PEHeader32->OptionalHeader.BaseOfData); + } + else if(WhichData == UE_SIZEOFIMAGE) + { + return(PEHeader32->OptionalHeader.SizeOfImage); + } + else if(WhichData == UE_SIZEOFHEADERS) + { + return(PEHeader32->OptionalHeader.SizeOfHeaders); + } + else if(WhichData == UE_SIZEOFOPTIONALHEADER) + { + return(PEHeader32->FileHeader.SizeOfOptionalHeader); + } + else if(WhichData == UE_SECTIONALIGNMENT) + { + return(PEHeader32->OptionalHeader.SectionAlignment); + } + else if(WhichData == UE_IMPORTTABLEADDRESS) + { + return(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress); + } + else if(WhichData == UE_IMPORTTABLESIZE) + { + return(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size); + } + else if(WhichData == UE_RESOURCETABLEADDRESS) + { + return(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress); + } + else if(WhichData == UE_RESOURCETABLESIZE) + { + return(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size); + } + else if(WhichData == UE_EXPORTTABLEADDRESS) + { + return(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); + } + else if(WhichData == UE_EXPORTTABLESIZE) + { + return(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size); + } + else if(WhichData == UE_TLSTABLEADDRESS) + { + return(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress); + } + else if(WhichData == UE_TLSTABLESIZE) + { + return(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size); + } + else if(WhichData == UE_RELOCATIONTABLEADDRESS) + { + return(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress); + } + else if(WhichData == UE_RELOCATIONTABLESIZE) + { + return(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size); + } + else if(WhichData == UE_TIMEDATESTAMP) + { + return(PEHeader32->FileHeader.TimeDateStamp); + } + else if(WhichData == UE_SECTIONNUMBER) + { + return(PEHeader32->FileHeader.NumberOfSections); + } + else if(WhichData == UE_CHECKSUM) + { + return(PEHeader32->OptionalHeader.CheckSum); + } + else if(WhichData == UE_SUBSYSTEM) + { + return(PEHeader32->OptionalHeader.Subsystem); + } + else if(WhichData == UE_CHARACTERISTICS) + { + return(PEHeader32->FileHeader.Characteristics); + } + else if(WhichData == UE_NUMBEROFRVAANDSIZES) + { + return(PEHeader32->OptionalHeader.NumberOfRvaAndSizes); + } + else + { + return(0); + } + } + else + { + if(SectionNumber >= WhichSection) + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + WhichSection * IMAGE_SIZEOF_SECTION_HEADER); + if(WhichData == UE_SECTIONNAME) + { + memcpy(sectionName, PESections->Name, 8); + return (long long)sectionName; + } + else if(WhichData == UE_SECTIONVIRTUALOFFSET) + { + return(PESections->VirtualAddress); + } + else if(WhichData == UE_SECTIONVIRTUALSIZE) + { + return(PESections->Misc.VirtualSize); + } + else if(WhichData == UE_SECTIONRAWOFFSET) + { + return(PESections->PointerToRawData); + } + else if(WhichData == UE_SECTIONRAWSIZE) + { + return(PESections->SizeOfRawData); + } + else if(WhichData == UE_SECTIONFLAGS) + { + return(PESections->Characteristics); + } + else + { + return(0); + } + } + } + return(0); + } + else + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + SectionNumber = PEHeader64->FileHeader.NumberOfSections; + if(WhichData < UE_SECTIONNAME) + { + if(WhichData == UE_PE_OFFSET) + { + return(DOSHeader->e_lfanew); + } + else if(WhichData == UE_IMAGEBASE) + { + return(PEHeader64->OptionalHeader.ImageBase); + } + else if(WhichData == UE_OEP) + { + return(PEHeader64->OptionalHeader.AddressOfEntryPoint); + } + else if(WhichData == UE_BASEOFCODE) + { + return(PEHeader64->OptionalHeader.BaseOfCode); + } + /* non-existent in IMAGE_OPTIONAL_HEADER64 + else if(WhichData == UE_BASEOFDATA) + { + return(PEHeader64->OptionalHeader.BaseOfData); + }*/ + else if(WhichData == UE_SIZEOFIMAGE) + { + return(PEHeader64->OptionalHeader.SizeOfImage); + } + else if(WhichData == UE_SIZEOFHEADERS) + { + return(PEHeader64->OptionalHeader.SizeOfHeaders); + } + else if(WhichData == UE_SIZEOFOPTIONALHEADER) + { + return(PEHeader64->FileHeader.SizeOfOptionalHeader); + } + else if(WhichData == UE_SECTIONALIGNMENT) + { + return(PEHeader64->OptionalHeader.SectionAlignment); + } + else if(WhichData == UE_IMPORTTABLEADDRESS) + { + return(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress); + } + else if(WhichData == UE_IMPORTTABLESIZE) + { + return(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size); + } + else if(WhichData == UE_RESOURCETABLEADDRESS) + { + return(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress); + } + else if(WhichData == UE_RESOURCETABLESIZE) + { + return(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size); + } + else if(WhichData == UE_EXPORTTABLEADDRESS) + { + return(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); + } + else if(WhichData == UE_EXPORTTABLESIZE) + { + return(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size); + } + else if(WhichData == UE_TLSTABLEADDRESS) + { + return(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress); + } + else if(WhichData == UE_TLSTABLESIZE) + { + return(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size); + } + else if(WhichData == UE_RELOCATIONTABLEADDRESS) + { + return(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress); + } + else if(WhichData == UE_RELOCATIONTABLESIZE) + { + return(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size); + } + else if(WhichData == UE_TIMEDATESTAMP) + { + return(PEHeader64->FileHeader.TimeDateStamp); + } + else if(WhichData == UE_SECTIONNUMBER) + { + return(PEHeader64->FileHeader.NumberOfSections); + } + else if(WhichData == UE_CHECKSUM) + { + return(PEHeader64->OptionalHeader.CheckSum); + } + else if(WhichData == UE_SUBSYSTEM) + { + return(PEHeader64->OptionalHeader.Subsystem); + } + else if(WhichData == UE_CHARACTERISTICS) + { + return(PEHeader64->FileHeader.Characteristics); + } + else if(WhichData == UE_NUMBEROFRVAANDSIZES) + { + return(PEHeader64->OptionalHeader.NumberOfRvaAndSizes); + } + else + { + return(0); + } + } + else + { + if(SectionNumber >= WhichSection) + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + WhichSection * IMAGE_SIZEOF_SECTION_HEADER); + if(WhichData == UE_SECTIONNAME) + { + return((ULONG_PTR)PESections->Name); + } + else if(WhichData == UE_SECTIONVIRTUALOFFSET) + { + return(PESections->VirtualAddress); + } + else if(WhichData == UE_SECTIONVIRTUALSIZE) + { + return(PESections->Misc.VirtualSize); + } + else if(WhichData == UE_SECTIONRAWOFFSET) + { + return(PESections->PointerToRawData); + } + else if(WhichData == UE_SECTIONRAWSIZE) + { + return(PESections->SizeOfRawData); + } + else if(WhichData == UE_SECTIONFLAGS) + { + return(PESections->Characteristics); + } + else + { + return(0); + } + } + } + return(0); + } + } + else + { + return(0); + } + } + return(0); +} +__declspec(dllexport) long long TITCALL GetPE32Data(char* szFileName, DWORD WhichSection, DWORD WhichData) +{ + + HANDLE FileHandle; + DWORD FileSize; + HANDLE FileMap; + ULONG_PTR FileMapVA; + long long ReturnValue = 0; + + if(MapFileEx(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) + { + ReturnValue = GetPE32DataFromMappedFile(FileMapVA, WhichSection, WhichData); + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(ReturnValue); + } + else + { + return(0); + } +} +__declspec(dllexport) long long TITCALL GetPE32DataW(wchar_t* szFileName, DWORD WhichSection, DWORD WhichData) +{ + + HANDLE FileHandle; + DWORD FileSize; + HANDLE FileMap; + ULONG_PTR FileMapVA; + long long ReturnValue = 0; + + if(MapFileExW(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) + { + ReturnValue = GetPE32DataFromMappedFile(FileMapVA, WhichSection, WhichData); + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(ReturnValue); + } + else + { + return(0); + } +} +__declspec(dllexport) bool TITCALL GetPE32DataFromMappedFileEx(ULONG_PTR FileMapVA, LPVOID DataStorage) +{ + + PIMAGE_DOS_HEADER DOSHeader; + PIMAGE_NT_HEADERS32 PEHeader32; + PIMAGE_NT_HEADERS64 PEHeader64; + BOOL FileIs64; + PPE32Struct PE32Structure = (PPE32Struct)DataStorage; + PPE64Struct PE64Structure = (PPE64Struct)DataStorage; + + if(FileMapVA != NULL) + { + DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; + if(EngineValidateHeader(FileMapVA, NULL, NULL, DOSHeader, true)) + { + PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + if(PEHeader32->OptionalHeader.Magic == 0x10B) + { + FileIs64 = false; + } + else if(PEHeader32->OptionalHeader.Magic == 0x20B) + { + FileIs64 = true; + } + else + { + return(false); + } + if(!FileIs64) + { + PE32Structure->PE32Offset = DOSHeader->e_lfanew; + PE32Structure->ImageBase = PEHeader32->OptionalHeader.ImageBase; + PE32Structure->OriginalEntryPoint = PEHeader32->OptionalHeader.AddressOfEntryPoint; + PE32Structure->BaseOfCode = PEHeader32->OptionalHeader.BaseOfCode; + PE32Structure->BaseOfData = PEHeader32->OptionalHeader.BaseOfData; + PE32Structure->NtSizeOfImage = PEHeader32->OptionalHeader.SizeOfImage; + PE32Structure->NtSizeOfHeaders = PEHeader32->OptionalHeader.SizeOfHeaders; + PE32Structure->SizeOfOptionalHeaders = PEHeader32->FileHeader.SizeOfOptionalHeader; + PE32Structure->FileAlignment = PEHeader32->OptionalHeader.FileAlignment; + PE32Structure->SectionAligment = PEHeader32->OptionalHeader.SectionAlignment; + PE32Structure->ImportTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress; + PE32Structure->ImportTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size; + PE32Structure->ResourceTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress; + PE32Structure->ResourceTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size; + PE32Structure->ExportTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; + PE32Structure->ExportTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size; + PE32Structure->TLSTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress; + PE32Structure->TLSTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size; + PE32Structure->RelocationTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress; + PE32Structure->RelocationTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; + PE32Structure->TimeDateStamp = PEHeader32->FileHeader.TimeDateStamp; + PE32Structure->SectionNumber = PEHeader32->FileHeader.NumberOfSections; + PE32Structure->CheckSum = PEHeader32->OptionalHeader.CheckSum; + PE32Structure->SubSystem = PEHeader32->OptionalHeader.Subsystem; + PE32Structure->Characteristics = PEHeader32->FileHeader.Characteristics; + PE32Structure->NumberOfRvaAndSizes = PEHeader32->OptionalHeader.NumberOfRvaAndSizes; + return(true); + } + else + { + PE64Structure->PE64Offset = DOSHeader->e_lfanew; + PE64Structure->ImageBase = PEHeader64->OptionalHeader.ImageBase; + PE64Structure->OriginalEntryPoint = PEHeader64->OptionalHeader.AddressOfEntryPoint; + PE64Structure->BaseOfCode = PEHeader32->OptionalHeader.BaseOfCode; + PE64Structure->BaseOfData = PEHeader32->OptionalHeader.BaseOfData; + PE64Structure->NtSizeOfImage = PEHeader64->OptionalHeader.SizeOfImage; + PE64Structure->NtSizeOfHeaders = PEHeader64->OptionalHeader.SizeOfHeaders; + PE64Structure->SizeOfOptionalHeaders = PEHeader64->FileHeader.SizeOfOptionalHeader; + PE64Structure->FileAlignment = PEHeader64->OptionalHeader.FileAlignment; + PE64Structure->SectionAligment = PEHeader64->OptionalHeader.SectionAlignment; + PE64Structure->ImportTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress; + PE64Structure->ImportTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size; + PE64Structure->ResourceTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress; + PE64Structure->ResourceTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size; + PE64Structure->ExportTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; + PE64Structure->ExportTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size; + PE64Structure->TLSTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress; + PE64Structure->TLSTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size; + PE64Structure->RelocationTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress; + PE64Structure->RelocationTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; + PE64Structure->TimeDateStamp = PEHeader64->FileHeader.TimeDateStamp; + PE64Structure->SectionNumber = PEHeader64->FileHeader.NumberOfSections; + PE64Structure->CheckSum = PEHeader64->OptionalHeader.CheckSum; + PE64Structure->SubSystem = PEHeader64->OptionalHeader.Subsystem; + PE64Structure->Characteristics = PEHeader64->FileHeader.Characteristics; + PE64Structure->NumberOfRvaAndSizes = PEHeader64->OptionalHeader.NumberOfRvaAndSizes; + return(true); + } + } + else + { + return(false); + } + } + return(false); +} +__declspec(dllexport) bool TITCALL GetPE32DataEx(char* szFileName, LPVOID DataStorage) +{ + + HANDLE FileHandle; + DWORD FileSize; + HANDLE FileMap; + ULONG_PTR FileMapVA; + long long ReturnValue = 0; + + if(MapFileEx(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) + { + ReturnValue = GetPE32DataFromMappedFileEx(FileMapVA, DataStorage); + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + if(ReturnValue) + { + return(true); + } + else + { + return(false); + } + } + else + { + return(false); + } +} +__declspec(dllexport) bool TITCALL GetPE32DataExW(wchar_t* szFileName, LPVOID DataStorage) +{ + + HANDLE FileHandle; + DWORD FileSize; + HANDLE FileMap; + ULONG_PTR FileMapVA; + long long ReturnValue = 0; + + if(MapFileExW(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) + { + ReturnValue = GetPE32DataFromMappedFileEx(FileMapVA, DataStorage); + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + if(ReturnValue) + { + return(true); + } + else + { + return(false); + } + } + else + { + return(false); + } +} +__declspec(dllexport) bool TITCALL SetPE32DataForMappedFile(ULONG_PTR FileMapVA, DWORD WhichSection, DWORD WhichData, ULONG_PTR NewDataValue) +{ + + PIMAGE_DOS_HEADER DOSHeader; + PIMAGE_NT_HEADERS32 PEHeader32; + PIMAGE_NT_HEADERS64 PEHeader64; + PIMAGE_SECTION_HEADER PESections; + DWORD SectionNumber = 0; + BOOL FileIs64; + + if(FileMapVA != NULL) + { + DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; + if(EngineValidateHeader(FileMapVA, NULL, NULL, DOSHeader, true)) + { + PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + if(PEHeader32->OptionalHeader.Magic == 0x10B) + { + FileIs64 = false; + } + else if(PEHeader32->OptionalHeader.Magic == 0x20B) + { + FileIs64 = true; + } + else + { + return(false); + } + if(!FileIs64) + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + SectionNumber = PEHeader32->FileHeader.NumberOfSections; + __try + { + if(WhichData < UE_SECTIONNAME) + { + if(WhichData == UE_PE_OFFSET) + { + DOSHeader->e_lfanew = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_IMAGEBASE) + { + PEHeader32->OptionalHeader.ImageBase = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_OEP) + { + PEHeader32->OptionalHeader.AddressOfEntryPoint = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_BASEOFCODE) + { + PEHeader32->OptionalHeader.BaseOfCode = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_BASEOFDATA) + { + PEHeader32->OptionalHeader.BaseOfData = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_SIZEOFIMAGE) + { + PEHeader32->OptionalHeader.SizeOfImage = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_SIZEOFHEADERS) + { + PEHeader32->OptionalHeader.SizeOfHeaders = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_SIZEOFOPTIONALHEADER) + { + PEHeader32->FileHeader.SizeOfOptionalHeader = (WORD)NewDataValue; + return(true); + } + else if(WhichData == UE_SECTIONALIGNMENT) + { + PEHeader32->OptionalHeader.SectionAlignment = (WORD)NewDataValue; + return(true); + } + else if(WhichData == UE_IMPORTTABLEADDRESS) + { + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_IMPORTTABLESIZE) + { + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_RESOURCETABLEADDRESS) + { + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_RESOURCETABLESIZE) + { + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_EXPORTTABLEADDRESS) + { + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_EXPORTTABLESIZE) + { + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_TLSTABLEADDRESS) + { + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_TLSTABLESIZE) + { + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_RELOCATIONTABLEADDRESS) + { + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_RELOCATIONTABLESIZE) + { + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_TIMEDATESTAMP) + { + PEHeader32->FileHeader.TimeDateStamp = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_SECTIONNUMBER) + { + PEHeader32->FileHeader.NumberOfSections = (WORD)NewDataValue; + return(true); + } + else if(WhichData == UE_CHECKSUM) + { + PEHeader32->OptionalHeader.CheckSum = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_SUBSYSTEM) + { + PEHeader32->OptionalHeader.Subsystem = (WORD)NewDataValue; + return(true); + } + else if(WhichData == UE_CHARACTERISTICS) + { + PEHeader32->FileHeader.Characteristics = (WORD)NewDataValue; + return(true); + } + else if(WhichData == UE_NUMBEROFRVAANDSIZES) + { + PEHeader32->OptionalHeader.NumberOfRvaAndSizes = (DWORD)NewDataValue; + return(true); + } + else + { + return(false); + } + } + else + { + if(WhichSection <= SectionNumber) + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + WhichSection * IMAGE_SIZEOF_SECTION_HEADER); + if(WhichData == UE_SECTIONNAME) + { + memcpy(PESections->Name, (void*)NewDataValue, 8); + return(true); + } + else if(WhichData == UE_SECTIONVIRTUALOFFSET) + { + PESections->VirtualAddress = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_SECTIONVIRTUALSIZE) + { + PESections->Misc.VirtualSize = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_SECTIONRAWOFFSET) + { + PESections->PointerToRawData = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_SECTIONRAWSIZE) + { + PESections->SizeOfRawData = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_SECTIONFLAGS) + { + PESections->Characteristics = (DWORD)NewDataValue; + return(true); + } + else + { + return(false); + } + } + } + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + return(false); + } + return(false); + } + else + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + SectionNumber = PEHeader64->FileHeader.NumberOfSections; + __try + { + if(WhichData < UE_SECTIONNAME) + { + if(WhichData == UE_PE_OFFSET) + { + DOSHeader->e_lfanew = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_IMAGEBASE) + { + PEHeader64->OptionalHeader.ImageBase = NewDataValue; + return(true); + } + else if(WhichData == UE_OEP) + { + PEHeader64->OptionalHeader.AddressOfEntryPoint = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_BASEOFCODE) + { + PEHeader64->OptionalHeader.BaseOfCode = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_BASEOFDATA) + { + //non-existant in IMAGE_OPTIONAL_HEADER64 + return(false); + } + else if(WhichData == UE_SIZEOFIMAGE) + { + PEHeader64->OptionalHeader.SizeOfImage = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_SIZEOFHEADERS) + { + PEHeader64->OptionalHeader.SizeOfHeaders = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_SIZEOFOPTIONALHEADER) + { + PEHeader64->FileHeader.SizeOfOptionalHeader = (WORD)NewDataValue; + return(true); + } + else if(WhichData == UE_SECTIONALIGNMENT) + { + PEHeader64->OptionalHeader.SectionAlignment = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_IMPORTTABLEADDRESS) + { + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_IMPORTTABLESIZE) + { + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_RESOURCETABLEADDRESS) + { + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_RESOURCETABLESIZE) + { + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_EXPORTTABLEADDRESS) + { + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_EXPORTTABLESIZE) + { + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_TLSTABLEADDRESS) + { + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_TLSTABLESIZE) + { + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_RELOCATIONTABLEADDRESS) + { + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_RELOCATIONTABLESIZE) + { + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_TIMEDATESTAMP) + { + PEHeader64->FileHeader.TimeDateStamp = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_SECTIONNUMBER) + { + PEHeader64->FileHeader.NumberOfSections = (WORD)NewDataValue; + return(true); + } + else if(WhichData == UE_CHECKSUM) + { + PEHeader64->OptionalHeader.CheckSum = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_SUBSYSTEM) + { + PEHeader64->OptionalHeader.Subsystem = (WORD)NewDataValue; + return(true); + } + else if(WhichData == UE_CHARACTERISTICS) + { + PEHeader64->FileHeader.Characteristics = (WORD)NewDataValue; + return(true); + } + else if(WhichData == UE_NUMBEROFRVAANDSIZES) + { + PEHeader64->OptionalHeader.NumberOfRvaAndSizes = (DWORD)NewDataValue; + return(true); + } + else + { + return(0); + } + } + else + { + if(WhichSection <= SectionNumber) + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + WhichSection * IMAGE_SIZEOF_SECTION_HEADER); + if(WhichData == UE_SECTIONNAME) + { + return(false); + } + else if(WhichData == UE_SECTIONVIRTUALOFFSET) + { + PESections->VirtualAddress = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_SECTIONVIRTUALSIZE) + { + PESections->Misc.VirtualSize = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_SECTIONRAWOFFSET) + { + PESections->PointerToRawData = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_SECTIONRAWSIZE) + { + PESections->SizeOfRawData = (DWORD)NewDataValue; + return(true); + } + else if(WhichData == UE_SECTIONFLAGS) + { + PESections->Characteristics = (DWORD)NewDataValue; + return(true); + } + else + { + return(false); + } + } + } + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + return(false); + } + return(false); + } + } + else + { + return(false); + } + } + return(false); +} +__declspec(dllexport) bool TITCALL SetPE32Data(char* szFileName, DWORD WhichSection, DWORD WhichData, ULONG_PTR NewDataValue) +{ + + HANDLE FileHandle; + DWORD FileSize; + HANDLE FileMap; + ULONG_PTR FileMapVA; + long long ReturnValue = 0; + + if(MapFileEx(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) + { + ReturnValue = SetPE32DataForMappedFile(FileMapVA, WhichSection, WhichData, NewDataValue); + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + if(ReturnValue) + { + return(true); + } + else + { + return(false); + } + } + else + { + return(false); + } +} +__declspec(dllexport) bool TITCALL SetPE32DataW(wchar_t* szFileName, DWORD WhichSection, DWORD WhichData, ULONG_PTR NewDataValue) +{ + + HANDLE FileHandle; + DWORD FileSize; + HANDLE FileMap; + ULONG_PTR FileMapVA; + long long ReturnValue = 0; + + if(MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) + { + ReturnValue = SetPE32DataForMappedFile(FileMapVA, WhichSection, WhichData, NewDataValue); + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + if(ReturnValue) + { + return(true); + } + else + { + return(false); + } + } + else + { + return(false); + } +} +__declspec(dllexport) bool TITCALL SetPE32DataForMappedFileEx(ULONG_PTR FileMapVA, LPVOID DataStorage) +{ + + PIMAGE_DOS_HEADER DOSHeader; + PIMAGE_NT_HEADERS32 PEHeader32; + PIMAGE_NT_HEADERS64 PEHeader64; + BOOL FileIs64; + PPE32Struct PE32Structure = (PPE32Struct)DataStorage; + PPE64Struct PE64Structure = (PPE64Struct)DataStorage; + + if(FileMapVA != NULL) + { + DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; + if(EngineValidateHeader(FileMapVA, NULL, NULL, DOSHeader, true)) + { + PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + if(PEHeader32->OptionalHeader.Magic == 0x10B) + { + FileIs64 = false; + } + else if(PEHeader32->OptionalHeader.Magic == 0x20B) + { + FileIs64 = true; + } + else + { + return(false); + } + if(!FileIs64) + { + __try + { + DOSHeader->e_lfanew = PE32Structure->PE32Offset; + PEHeader32->OptionalHeader.ImageBase = PE32Structure->ImageBase; + PEHeader32->OptionalHeader.AddressOfEntryPoint = PE32Structure->OriginalEntryPoint; + PEHeader32->OptionalHeader.BaseOfCode = PE32Structure->BaseOfCode; + PEHeader32->OptionalHeader.BaseOfData = PE32Structure->BaseOfData; + PEHeader32->OptionalHeader.SizeOfImage = PE32Structure->NtSizeOfImage; + PEHeader32->OptionalHeader.SizeOfHeaders = PE32Structure->NtSizeOfHeaders; + PEHeader32->FileHeader.SizeOfOptionalHeader = PE32Structure->SizeOfOptionalHeaders; + PEHeader32->OptionalHeader.FileAlignment = PE32Structure->FileAlignment; + PEHeader32->OptionalHeader.SectionAlignment = PE32Structure->SectionAligment; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = PE32Structure->ImportTableAddress; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size = PE32Structure->ImportTableSize; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress = PE32Structure->ResourceTableAddress; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size = PE32Structure->ResourceTableSize; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress = PE32Structure->ExportTableAddress; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size = PE32Structure->ExportTableSize; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = PE32Structure->TLSTableAddress; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = PE32Structure->TLSTableSize; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = PE32Structure->RelocationTableAddress; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = PE32Structure->RelocationTableSize; + PEHeader32->FileHeader.TimeDateStamp = PE32Structure->TimeDateStamp; + PEHeader32->FileHeader.NumberOfSections = PE32Structure->SectionNumber; + PEHeader32->OptionalHeader.CheckSum = PE32Structure->CheckSum; + PEHeader32->OptionalHeader.Subsystem = PE32Structure->SubSystem; + PEHeader32->FileHeader.Characteristics = PE32Structure->Characteristics; + PEHeader32->OptionalHeader.NumberOfRvaAndSizes = PE32Structure->NumberOfRvaAndSizes; + return(true); + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + return(false); + } + } + else + { + __try + { + DOSHeader->e_lfanew = PE64Structure->PE64Offset; + PEHeader64->OptionalHeader.ImageBase = PE64Structure->ImageBase; + PEHeader64->OptionalHeader.AddressOfEntryPoint = PE64Structure->OriginalEntryPoint; + PEHeader64->OptionalHeader.BaseOfCode = PE64Structure->BaseOfCode; + PEHeader64->OptionalHeader.SizeOfImage = PE64Structure->NtSizeOfImage; + PEHeader64->OptionalHeader.SizeOfHeaders = PE64Structure->NtSizeOfHeaders; + PEHeader64->FileHeader.SizeOfOptionalHeader = PE64Structure->SizeOfOptionalHeaders; + PEHeader64->OptionalHeader.FileAlignment = PE64Structure->FileAlignment; + PEHeader64->OptionalHeader.SectionAlignment = PE64Structure->SectionAligment; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = PE64Structure->ImportTableAddress; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size = PE64Structure->ImportTableSize; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress = PE64Structure->ResourceTableAddress; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size = PE64Structure->ResourceTableSize; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress = PE64Structure->ExportTableAddress; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size = PE64Structure->ExportTableSize; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = PE64Structure->TLSTableAddress; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = PE64Structure->TLSTableSize; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = PE64Structure->RelocationTableAddress; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = PE64Structure->RelocationTableSize; + PEHeader64->FileHeader.TimeDateStamp = PE64Structure->TimeDateStamp; + PEHeader64->FileHeader.NumberOfSections = PE64Structure->SectionNumber; + PEHeader64->OptionalHeader.CheckSum = PE64Structure->CheckSum; + PEHeader64->OptionalHeader.Subsystem = PE64Structure->SubSystem; + PEHeader64->FileHeader.Characteristics = PE64Structure->Characteristics; + PEHeader64->OptionalHeader.NumberOfRvaAndSizes = PE64Structure->NumberOfRvaAndSizes; + return(true); + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + return(false); + } + } + } + else + { + return(false); + } + } + return(false); +} +__declspec(dllexport) bool TITCALL SetPE32DataEx(char* szFileName, LPVOID DataStorage) +{ + + HANDLE FileHandle; + DWORD FileSize; + HANDLE FileMap; + ULONG_PTR FileMapVA; + long long ReturnValue = 0; + + if(MapFileEx(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) + { + ReturnValue = SetPE32DataForMappedFileEx(FileMapVA, DataStorage); + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + if(ReturnValue) + { + return(true); + } + else + { + return(false); + } + } + else + { + return(false); + } +} +__declspec(dllexport) bool TITCALL SetPE32DataExW(wchar_t* szFileName, LPVOID DataStorage) +{ + + HANDLE FileHandle; + DWORD FileSize; + HANDLE FileMap; + ULONG_PTR FileMapVA; + long long ReturnValue = 0; + + if(MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) + { + ReturnValue = SetPE32DataForMappedFileEx(FileMapVA, DataStorage); + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + if(ReturnValue) + { + return(true); + } + else + { + return(false); + } + } + else + { + return(false); + } +} + +__declspec(dllexport) bool TITCALL IsFileDLL(char* szFileName, ULONG_PTR FileMapVA) +{ + + if(szFileName != NULL) + { + if((DWORD)GetPE32Data(szFileName, NULL, UE_CHARACTERISTICS) & 0x2000) + { + return(true); + } + } + else if(FileMapVA != NULL) + { + if((DWORD)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_CHARACTERISTICS) & 0x2000) + { + return(true); + } + } + return(false); +} + +__declspec(dllexport) bool TITCALL IsFileDLLW(wchar_t* szFileName, ULONG_PTR FileMapVA) +{ + + if(szFileName != NULL) + { + if((DWORD)GetPE32DataW(szFileName, NULL, UE_CHARACTERISTICS) & 0x2000) + { + return(true); + } + } + else if(FileMapVA != NULL) + { + if((DWORD)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_CHARACTERISTICS) & 0x2000) + { + return(true); + } + } + return(false); +} \ No newline at end of file diff --git a/TitanEngine/TitanEngine.PE.Fixer.cpp b/TitanEngine/TitanEngine.PE.Fixer.cpp new file mode 100644 index 0000000..83d81cd --- /dev/null +++ b/TitanEngine/TitanEngine.PE.Fixer.cpp @@ -0,0 +1,3010 @@ +#include "stdafx.h" +#include "definitions.h" +#include "Global.Engine.h" +#include "Global.Mapping.h" +#include "Global.Realigner.h" + +__declspec(dllexport) bool TITCALL IsPE32FileValidEx(char* szFileName, DWORD CheckDepth, LPVOID FileStatusInfo) +{ + wchar_t uniFileName[MAX_PATH] = {}; + + if(szFileName != NULL) + { + MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); + return(IsPE32FileValidExW(uniFileName, CheckDepth, FileStatusInfo)); + } + else + { + return(false); + } +} + +__declspec(dllexport) bool TITCALL IsPE32FileValidExW(wchar_t* szFileName, DWORD CheckDepth, LPVOID FileStatusInfo) +{ + unsigned int i; + ULONG_PTR ReadData = NULL; + DWORD ReadSize = 0; + WORD ReadDataWORD = 0; + ULONG_PTR hSimulatedFileLoad; + long SectionNumber = 0; + DWORD SectionAttributes = 0; + ULONG_PTR ConvertedAddress = NULL; + DWORD CorrectedImageSize = 0; + DWORD SectionVirtualSize = 0; + DWORD SectionVirtualSizeFixed = 0; + DWORD NumberOfSections = 0; + FILE_STATUS_INFO myFileStatusInfo; + PIMAGE_DOS_HEADER DOSHeader; + PIMAGE_NT_HEADERS32 PEHeader32; + PIMAGE_NT_HEADERS64 PEHeader64; + PIMAGE_SECTION_HEADER PESections; + PIMAGE_EXPORT_DIRECTORY PEExports; + PIMAGE_TLS_DIRECTORY32 PETls32; + PIMAGE_TLS_DIRECTORY64 PETls64; + PIMAGE_IMPORT_DESCRIPTOR ImportIID; + PIMAGE_BOUND_IMPORT_DESCRIPTOR BoundIID; + PIMAGE_THUNK_DATA32 ThunkData32; + PIMAGE_THUNK_DATA64 ThunkData64; + bool hLoadedModuleSimulated = false; + HMODULE hLoadedModule; + ULONG_PTR ImportNamePtr; + ULONG_PTR CurrentThunk; + BOOL FileIsDLL = false; + BOOL FileIs64; + HANDLE FileHandle; + DWORD FileSize; + HANDLE FileMap; + ULONG_PTR FileMapVA; + WORD ResourceNamesTable[22] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 16, 17, 18, 19, 20, 21, 22, 23, 24}; + + RtlZeroMemory(&myFileStatusInfo, sizeof FILE_STATUS_INFO); + if(MapFileExW(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) + { + DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; + myFileStatusInfo.OveralEvaluation = UE_RESULT_FILE_OK; + if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true)) + { + PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + if(PEHeader32->Signature == 0x4550 && PEHeader32->OptionalHeader.Magic == 0x10B) + { + FileIs64 = false; + } + else if(PEHeader32->Signature == 0x4550 && PEHeader32->OptionalHeader.Magic == 0x20B) + { + FileIs64 = true; + myFileStatusInfo.FileIs64Bit = true; + } + else + { + myFileStatusInfo.OveralEvaluation = UE_RESULT_FILE_INVALID_FORMAT; + myFileStatusInfo.SignaturePE = UE_FIELD_BROKEN_NON_FIXABLE; + if(FileStatusInfo != NULL) + { + RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof FILE_STATUS_INFO); + } + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(false); + } + if(!FileIs64) + { + /* + x86 Surface check + */ + __try + { + if(PEHeader32->OptionalHeader.SizeOfImage % PEHeader32->OptionalHeader.SectionAlignment == NULL) + { + CorrectedImageSize = ((PEHeader32->OptionalHeader.SizeOfImage / PEHeader32->OptionalHeader.SectionAlignment)) * PEHeader32->OptionalHeader.SectionAlignment; + } + else + { + CorrectedImageSize = ((PEHeader32->OptionalHeader.SizeOfImage / PEHeader32->OptionalHeader.SectionAlignment) + 1) * PEHeader32->OptionalHeader.SectionAlignment; + } + if(PEHeader32->OptionalHeader.SectionAlignment != NULL && PEHeader32->OptionalHeader.SectionAlignment >= PEHeader32->OptionalHeader.FileAlignment) + { + myFileStatusInfo.SectionAlignment = UE_FIELD_OK; + if(PEHeader32->OptionalHeader.SizeOfImage % PEHeader32->OptionalHeader.SectionAlignment == NULL) + { + myFileStatusInfo.SizeOfImage = UE_FIELD_OK; + } + else + { + if(CorrectedImageSize < PEHeader32->OptionalHeader.AddressOfEntryPoint) + { + myFileStatusInfo.SizeOfImage = UE_FIELD_BROKEN_NON_FIXABLE; + } + else + { + myFileStatusInfo.SizeOfImage = UE_FIELD_FIXABLE_NON_CRITICAL; + } + } + } + else + { + myFileStatusInfo.SectionAlignment = UE_FIELD_FIXABLE_CRITICAL; + } + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.SectionAlignment, true); + if(PEHeader32->OptionalHeader.ImageBase % 0x1000 == NULL) + { + myFileStatusInfo.ImageBase = UE_FIELD_OK; + } + else + { + myFileStatusInfo.ImageBase = UE_FIELD_BROKEN_NON_FIXABLE; + } + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.ImageBase, true); + if(PEHeader32->OptionalHeader.FileAlignment % 2 == NULL) + { + myFileStatusInfo.FileAlignment = UE_FIELD_OK; + } + else + { + myFileStatusInfo.FileAlignment = UE_FIELD_FIXABLE_CRITICAL; + } + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.FileAlignment, false); + /* + Get the console flag + */ + if(PEHeader32->OptionalHeader.Subsystem == IMAGE_SUBSYSTEM_WINDOWS_CUI) + { + myFileStatusInfo.FileIsConsole = true; + } + /* + Export and relocation checks [for DLL and EXE] + */ + if(PEHeader32->FileHeader.Characteristics & 0x2000) + { + /* + Export table check + */ + FileIsDLL = true; + myFileStatusInfo.FileIsDLL = true; + if(PEHeader32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_EXPORT && PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress != NULL) + { + if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress > CorrectedImageSize || PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size > CorrectedImageSize) + { + myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; + } + else + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress != NULL) + { + if(EngineIsBadReadPtrEx((LPVOID)ConvertedAddress, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size)) + { + PEExports = (PIMAGE_EXPORT_DIRECTORY)ConvertedAddress; + if(PEExports->AddressOfFunctions > CorrectedImageSize || PEExports->AddressOfFunctions + 4 * PEExports->NumberOfFunctions > CorrectedImageSize) + { + myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; + } + else if(PEExports->AddressOfNameOrdinals > CorrectedImageSize || PEExports->AddressOfNameOrdinals + 4 * PEExports->NumberOfNames > CorrectedImageSize) + { + myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; + } + else if(PEExports->AddressOfNames > CorrectedImageSize || PEExports->AddressOfNames + 4 * PEExports->NumberOfNames > CorrectedImageSize) + { + myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; + } + else if(PEExports->Name > CorrectedImageSize) + { + myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; + } + else + { + if(CheckDepth == UE_DEPTH_DEEP) + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEExports->AddressOfFunctions + PEHeader32->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress != NULL) + { + for(i = 0; i < PEExports->NumberOfFunctions; i++) + { + RtlMoveMemory(&ReadData, (LPVOID)ConvertedAddress, 4); + if(ReadData > CorrectedImageSize || ReadData < PEHeader32->OptionalHeader.SectionAlignment) + { + myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; + i = PEExports->NumberOfFunctions; + } + else + { + ConvertedAddress = ConvertedAddress + 4; + } + } + } + else + { + myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; + } + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEExports->AddressOfNames + PEHeader32->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress != NULL) + { + for(i = 0; i < PEExports->NumberOfNames; i++) + { + RtlMoveMemory(&ReadData, (LPVOID)ConvertedAddress, 4); + if(ReadData > CorrectedImageSize || ReadData < PEHeader32->OptionalHeader.SectionAlignment) + { + myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; + i = PEExports->NumberOfNames; + } + else + { + ConvertedAddress = ConvertedAddress + 4; + } + } + } + else + { + myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; + } + } + } + } + else + { + myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; + } + } + else + { + myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; + } + } + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.ExportTable, true); + } + else + { + myFileStatusInfo.ExportTable = UE_FIELD_NOT_PRESET; + } + /* + Relocation table check + */ + if(PEHeader32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BASERELOC && PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != NULL) + { + if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress > CorrectedImageSize || PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size > CorrectedImageSize) + { + myFileStatusInfo.RelocationTable = UE_FIELD_BROKEN_NON_FIXABLE; + } + else + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress != NULL) + { + if(EngineIsBadReadPtrEx((LPVOID)ConvertedAddress, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size)) + { + RtlMoveMemory(&ReadData, (LPVOID)ConvertedAddress, 4); + RtlMoveMemory(&ReadSize, (LPVOID)(ConvertedAddress + 4), 4); + while(ReadData != NULL) + { + ReadSize = ReadSize - 8; + ConvertedAddress = ConvertedAddress + 8; + while(ReadSize > NULL) + { + RtlMoveMemory(&ReadDataWORD, (LPVOID)ConvertedAddress, 2); + if(ReadDataWORD > 0xCFFF) + { + myFileStatusInfo.RelocationTable = UE_FIELD_BROKEN_FIXABLE_FOR_STATIC_USE; + } + ConvertedAddress = ConvertedAddress + 2; + ReadSize = ReadSize - 2; + } + RtlMoveMemory(&ReadData, (LPVOID)ConvertedAddress, 4); + RtlMoveMemory(&ReadSize, (LPVOID)(ConvertedAddress + 4), 4); + } + } + else + { + myFileStatusInfo.RelocationTable = UE_FIELD_BROKEN_FIXABLE_FOR_STATIC_USE; + } + } + else + { + myFileStatusInfo.RelocationTable = UE_FIELD_BROKEN_FIXABLE_FOR_STATIC_USE; + } + } + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.RelocationTable, true); + } + else + { + myFileStatusInfo.RelocationTable = UE_FIELD_NOT_PRESET_WARNING; + } + } + else + { + /* + Export table check + */ + if(PEHeader32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_EXPORT && PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress != NULL) + { + if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress > CorrectedImageSize || PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size > CorrectedImageSize) + { + myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_CRITICAL; + } + else + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress != NULL) + { + if(EngineIsBadReadPtrEx((LPVOID)ConvertedAddress, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size)) + { + PEExports = (PIMAGE_EXPORT_DIRECTORY)ConvertedAddress; + if(PEExports->AddressOfFunctions > CorrectedImageSize || PEExports->AddressOfFunctions + 4 * PEExports->NumberOfFunctions > CorrectedImageSize) + { + myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_CRITICAL; + } + else if(PEExports->AddressOfNameOrdinals > CorrectedImageSize || PEExports->AddressOfNameOrdinals + 4 * PEExports->NumberOfNames > CorrectedImageSize) + { + myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_CRITICAL; + } + else if(PEExports->AddressOfNames > CorrectedImageSize || PEExports->AddressOfNames + 4 * PEExports->NumberOfNames > CorrectedImageSize) + { + myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_CRITICAL; + } + else if(PEExports->Name > CorrectedImageSize) + { + myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_CRITICAL; + } + } + else + { + myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_CRITICAL; + } + } + } + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.ExportTable, false); + } + else + { + myFileStatusInfo.ExportTable = UE_FIELD_NOT_PRESET; + } + /* + Relocation table check + */ + if(PEHeader32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BASERELOC && PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != NULL) + { + if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress > CorrectedImageSize || PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size > CorrectedImageSize) + { + myFileStatusInfo.RelocationTable = UE_FIELD_BROKEN_NON_FIXABLE; + } + else + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) + { + myFileStatusInfo.RelocationTable = UE_FIELD_FIXABLE_NON_CRITICAL; + } + } + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.RelocationTable, false); + } + else + { + myFileStatusInfo.RelocationTable = UE_FIELD_NOT_PRESET; + } + } + /* + Import table check + */ + if(PEHeader32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_IMPORT && PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress != NULL) + { + if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress > CorrectedImageSize) + { + myFileStatusInfo.ImportTable = UE_FIELD_BROKEN_NON_FIXABLE; + } + else + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) + { + myFileStatusInfo.ImportTable = UE_FIELD_BROKEN_NON_FIXABLE; + } + else + { + SectionNumber = GetPE32SectionNumberFromVA(FileMapVA, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + PEHeader32->OptionalHeader.ImageBase); + if(SectionNumber < 0x7FFFFFFF) + { + SectionAttributes = (DWORD)GetPE32DataFromMappedFile(FileMapVA, SectionNumber, UE_SECTIONFLAGS); + if(SectionAttributes & IMAGE_SCN_MEM_EXECUTE || SectionAttributes & IMAGE_SCN_CNT_CODE || SectionAttributes & IMAGE_SCN_MEM_WRITE || SectionAttributes & IMAGE_SCN_CNT_INITIALIZED_DATA) + { + myFileStatusInfo.ImportTableSection = UE_FIELD_OK; + } + else + { + myFileStatusInfo.ImportTableSection = UE_FIELD_FIXABLE_CRITICAL; + } + if(CheckDepth == UE_DEPTH_DEEP) + { + if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress != NULL) + { + ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, (ULONG_PTR)(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + PEHeader32->OptionalHeader.ImageBase), false, true); + while(myFileStatusInfo.ImportTableData == UE_FIELD_OK && ImportIID->FirstThunk != NULL) + { + hLoadedModule = NULL; + ImportNamePtr = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, (ULONG_PTR)((ULONG_PTR)ImportIID->Name + PEHeader32->OptionalHeader.ImageBase), false, true); + if(ImportNamePtr != NULL) + { + if(!EngineIsDependencyPresent((char*)ImportNamePtr, NULL, NULL)) + { + myFileStatusInfo.MissingDependencies = true; + hLoadedModuleSimulated = false; + } + else + { + hLoadedModuleSimulated = false; + hLoadedModule = GetModuleHandleA((char*)ImportNamePtr); + if(hLoadedModule == NULL) + { + hLoadedModule = (HMODULE)EngineSimulateDllLoader(GetCurrentProcess(), (char*)ImportNamePtr); + hLoadedModuleSimulated = true; + } + } + } + else + { + myFileStatusInfo.ImportTableData = UE_FIELD_BROKEN_NON_FIXABLE; + } + if(ImportIID->OriginalFirstThunk != NULL) + { + ThunkData32 = (PIMAGE_THUNK_DATA32)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, (ULONG_PTR)((ULONG_PTR)ImportIID->OriginalFirstThunk + PEHeader32->OptionalHeader.ImageBase), false, true); + CurrentThunk = (ULONG_PTR)ImportIID->OriginalFirstThunk; + } + else + { + ThunkData32 = (PIMAGE_THUNK_DATA32)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, (ULONG_PTR)((ULONG_PTR)ImportIID->FirstThunk + PEHeader32->OptionalHeader.ImageBase), false, true); + CurrentThunk = (ULONG_PTR)ImportIID->FirstThunk; + } + if(ThunkData32 != NULL) + { + while(myFileStatusInfo.ImportTableData == UE_FIELD_OK && ThunkData32->u1.AddressOfData != NULL) + { + if(ThunkData32->u1.Ordinal & IMAGE_ORDINAL_FLAG32) + { + if((int)(ThunkData32->u1.Ordinal ^ IMAGE_ORDINAL_FLAG32) >= 0x10000) + { + myFileStatusInfo.ImportTableData = UE_FIELD_BROKEN_NON_FIXABLE; + } + } + else + { + ImportNamePtr = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, (ULONG_PTR)((ULONG_PTR)ThunkData32->u1.AddressOfData + 2 + PEHeader32->OptionalHeader.ImageBase), false, true); + if(ImportNamePtr != NULL) + { + if(!EngineIsBadReadPtrEx((LPVOID)ImportNamePtr, 8)) + { + myFileStatusInfo.ImportTableData = UE_FIELD_BROKEN_NON_FIXABLE; + } + else + { + if(hLoadedModule != NULL) + { + if(EngineGetProcAddress((ULONG_PTR)hLoadedModule, (char*)ImportNamePtr) == NULL) + { + myFileStatusInfo.MissingDeclaredAPIs = true; + SetOverallFileStatus(&myFileStatusInfo, UE_FIELD_FIXABLE_CRITICAL, true); + } + } + } + } + else + { + myFileStatusInfo.ImportTableData = UE_FIELD_BROKEN_NON_FIXABLE; + } + } + CurrentThunk = CurrentThunk + 4; + ThunkData32 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ThunkData32 + sizeof IMAGE_THUNK_DATA32); + } + } + else + { + myFileStatusInfo.ImportTableData = UE_FIELD_BROKEN_NON_FIXABLE; + } + if(hLoadedModuleSimulated) + { + VirtualFree((LPVOID)hLoadedModule, NULL, MEM_RELEASE); + } + ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof IMAGE_IMPORT_DESCRIPTOR); + } + } + } + } + else + { + myFileStatusInfo.ImportTable = UE_FIELD_BROKEN_NON_FIXABLE; + } + } + } + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.ImportTable, true); + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.ImportTableData, true); + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.ImportTableSection, true); + } + else + { + myFileStatusInfo.ImportTable = UE_FIELD_NOT_PRESET; + } + /* + TLS table check + */ + if(PEHeader32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_TLS && PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress != NULL) + { + if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress > CorrectedImageSize || PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size > CorrectedImageSize) + { + myFileStatusInfo.TLSTable = UE_FIELD_FIXABLE_CRITICAL; + } + else + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) + { + myFileStatusInfo.TLSTable = UE_FIELD_FIXABLE_CRITICAL; + } + else + { + PETls32 = (PIMAGE_TLS_DIRECTORY32)ConvertedAddress; + if(PETls32->StartAddressOfRawData != NULL && (PETls32->StartAddressOfRawData < PEHeader32->OptionalHeader.ImageBase || PETls32->StartAddressOfRawData > CorrectedImageSize + PEHeader32->OptionalHeader.ImageBase)) + { + myFileStatusInfo.TLSTable = UE_FIELD_FIXABLE_CRITICAL; + } + else if(PETls32->EndAddressOfRawData != NULL && (PETls32->EndAddressOfRawData < PEHeader32->OptionalHeader.ImageBase || PETls32->EndAddressOfRawData > CorrectedImageSize + PEHeader32->OptionalHeader.ImageBase)) + { + myFileStatusInfo.TLSTable = UE_FIELD_FIXABLE_CRITICAL; + } + else if(PETls32->AddressOfIndex != NULL && (PETls32->AddressOfIndex < PEHeader32->OptionalHeader.ImageBase || PETls32->AddressOfIndex > CorrectedImageSize + PEHeader32->OptionalHeader.ImageBase)) + { + myFileStatusInfo.TLSTable = UE_FIELD_FIXABLE_CRITICAL; + } + else if(PETls32->AddressOfCallBacks != NULL && (PETls32->AddressOfCallBacks < PEHeader32->OptionalHeader.ImageBase || PETls32->AddressOfCallBacks > CorrectedImageSize + PEHeader32->OptionalHeader.ImageBase)) + { + myFileStatusInfo.TLSTable = UE_FIELD_FIXABLE_CRITICAL; + } + if(PETls32->AddressOfCallBacks != NULL && CheckDepth == UE_DEPTH_DEEP) + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PETls32->AddressOfCallBacks + PEHeader32->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress != NULL) + { + while(ReadData != NULL) + { + RtlMoveMemory(&ReadData, (LPVOID)ConvertedAddress, 4); + if(ReadData < PEHeader32->OptionalHeader.ImageBase || ReadData > CorrectedImageSize + PEHeader32->OptionalHeader.ImageBase) + { + myFileStatusInfo.TLSTable = UE_FIELD_FIXABLE_CRITICAL; + } + ConvertedAddress = ConvertedAddress + 4; + } + } + } + } + } + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.TLSTable, false); + } + else + { + myFileStatusInfo.TLSTable = UE_FIELD_NOT_PRESET; + } + /* + Load config table check + */ + if(PEHeader32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG && PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress != NULL) + { + if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress > CorrectedImageSize || PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size > CorrectedImageSize) + { + myFileStatusInfo.LoadConfigTable = UE_FIELD_FIXABLE_CRITICAL; + } + else + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) + { + myFileStatusInfo.LoadConfigTable = UE_FIELD_FIXABLE_CRITICAL; + } + } + } + else + { + myFileStatusInfo.LoadConfigTable = UE_FIELD_NOT_PRESET; + } + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.LoadConfigTable, false); + /* + Bound import table check + */ + if(PEHeader32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT && PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress != NULL) + { + if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress > CorrectedImageSize || PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size > CorrectedImageSize) + { + myFileStatusInfo.BoundImportTable = UE_FIELD_FIXABLE_CRITICAL; + } + else + { + ConvertedAddress = (ULONG_PTR)PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress + FileMapVA; + if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) + { + myFileStatusInfo.BoundImportTable = UE_FIELD_FIXABLE_CRITICAL; + } + else + { + BoundIID = (PIMAGE_BOUND_IMPORT_DESCRIPTOR)ConvertedAddress; + while(BoundIID->TimeDateStamp != NULL) + { + if(BoundIID->OffsetModuleName > PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size) + { + myFileStatusInfo.BoundImportTable = UE_FIELD_FIXABLE_CRITICAL; + } + else if(!EngineIsPointedMemoryString(ConvertedAddress + BoundIID->OffsetModuleName)) + { + myFileStatusInfo.BoundImportTable = UE_FIELD_FIXABLE_CRITICAL; + } + BoundIID = (PIMAGE_BOUND_IMPORT_DESCRIPTOR)((ULONG_PTR)BoundIID + sizeof IMAGE_BOUND_IMPORT_DESCRIPTOR); + } + } + } + } + else + { + myFileStatusInfo.BoundImportTable = UE_FIELD_NOT_PRESET; + } + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.BoundImportTable, false); + /* + IAT check + */ + if(PEHeader32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_IAT && PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress != NULL) + { + if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress > CorrectedImageSize || PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].Size > CorrectedImageSize) + { + myFileStatusInfo.IATTable = UE_FIELD_FIXABLE_NON_CRITICAL; + } + else + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) + { + myFileStatusInfo.IATTable = UE_FIELD_FIXABLE_NON_CRITICAL; + } + } + } + else + { + myFileStatusInfo.IATTable = UE_FIELD_NOT_PRESET; + } + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.IATTable, false); + /* + COM header check + */ + if(PEHeader32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR && PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress != NULL) + { + if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress > CorrectedImageSize || PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].Size > CorrectedImageSize) + { + myFileStatusInfo.COMHeaderTable = UE_FIELD_FIXABLE_NON_CRITICAL; + } + else + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) + { + myFileStatusInfo.COMHeaderTable = UE_FIELD_FIXABLE_NON_CRITICAL; + } + } + } + else + { + myFileStatusInfo.COMHeaderTable = UE_FIELD_NOT_PRESET; + } + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.COMHeaderTable, false); + /* + Resource header check + */ + if(PEHeader32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_RESOURCE && PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress != NULL) + { + if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress > CorrectedImageSize || PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size > CorrectedImageSize) + { + myFileStatusInfo.ResourceTable = UE_FIELD_FIXABLE_NON_CRITICAL; + } + else + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize || ConvertedAddress - FileMapVA + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size > FileSize) + { + myFileStatusInfo.ResourceTable = UE_FIELD_BROKEN_BUT_CAN_BE_EMULATED; + } + if(CheckDepth == UE_DEPTH_DEEP) + { + hSimulatedFileLoad = (ULONG_PTR)EngineSimulateNtLoaderW(szFileName); + if(hSimulatedFileLoad != NULL) + { + for(i = 0; i < 22; i++) + { + if(myFileStatusInfo.ResourceData == UE_FIELD_OK) + { + EnumResourceNamesA((HMODULE)hSimulatedFileLoad, MAKEINTRESOURCEA(ResourceNamesTable[i]), (ENUMRESNAMEPROCA)EngineValidateResource, (ULONG_PTR)&myFileStatusInfo.ResourceData); + } + else + { + i = 22; + } + } + VirtualFree((LPVOID)hSimulatedFileLoad, NULL, MEM_RELEASE); + } + } + } + if(myFileStatusInfo.ResourceTable == UE_FIELD_BROKEN_BUT_CAN_BE_EMULATED && myFileStatusInfo.ResourceData == UE_FIELD_OK) + { + myFileStatusInfo.ResourceTable = UE_FIELD_OK; + } + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.ResourceTable, true); + } + else + { + myFileStatusInfo.ResourceTable = UE_FIELD_NOT_PRESET; + } + /* + Section check + */ + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + NumberOfSections = PEHeader32->FileHeader.NumberOfSections; + while(NumberOfSections > NULL) + { + SectionVirtualSize = PESections->VirtualAddress + PESections->Misc.VirtualSize; + if(PESections->Misc.VirtualSize % PEHeader32->OptionalHeader.SectionAlignment == NULL) + { + SectionVirtualSizeFixed = SectionVirtualSize; + } + else + { + SectionVirtualSizeFixed = PESections->VirtualAddress + (((PESections->Misc.VirtualSize / PEHeader32->OptionalHeader.SectionAlignment) + 1) * PEHeader32->OptionalHeader.SectionAlignment); + } + if(NumberOfSections > 1) + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + sizeof IMAGE_SECTION_HEADER); + if(SectionVirtualSize > PESections->VirtualAddress || SectionVirtualSizeFixed > PESections->VirtualAddress) + { + myFileStatusInfo.SectionTable = UE_FIELD_FIXABLE_CRITICAL; + } + } + NumberOfSections--; + } + if(PESections->PointerToRawData + PESections->SizeOfRawData > FileSize && PESections->SizeOfRawData != NULL) + { + myFileStatusInfo.SectionTable = UE_FIELD_BROKEN_NON_FIXABLE; + } + SectionVirtualSizeFixed = SectionVirtualSizeFixed + 0xF000; + if(PEHeader32->OptionalHeader.SizeOfImage > SectionVirtualSizeFixed) + { + myFileStatusInfo.SizeOfImage = UE_FIELD_FIXABLE_CRITICAL; + } + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.SizeOfImage, true); + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.SectionTable, true); + /* + Entry point check + */ + SectionNumber = GetPE32SectionNumberFromVA(FileMapVA, PEHeader32->OptionalHeader.AddressOfEntryPoint + PEHeader32->OptionalHeader.ImageBase); + if(SectionNumber != -1) + { + SectionAttributes = (DWORD)GetPE32DataFromMappedFile(FileMapVA, SectionNumber, UE_SECTIONFLAGS); + if(SectionAttributes & IMAGE_SCN_MEM_EXECUTE || SectionAttributes & IMAGE_SCN_CNT_CODE) + { + myFileStatusInfo.EntryPoint = UE_FIELD_OK; + } + else + { + myFileStatusInfo.EntryPoint = UE_FIELD_BROKEN_NON_CRITICAL; + } + } + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.AddressOfEntryPoint + PEHeader32->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress == NULL) + { + myFileStatusInfo.EntryPoint = UE_FIELD_BROKEN_NON_FIXABLE; + } + else + { + ReadData = NULL; + if(memcmp(&ReadData, (LPVOID)ConvertedAddress, 4) == NULL) + { + myFileStatusInfo.EntryPoint = UE_FIELD_BROKEN_NON_FIXABLE; + } + } + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.EntryPoint, true); + /* + Return data + */ + if(FileStatusInfo != NULL) + { + RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof FILE_STATUS_INFO); + } + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + if(myFileStatusInfo.OveralEvaluation == UE_RESULT_FILE_OK) + { + return(true); + } + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + myFileStatusInfo.EvaluationTerminatedByException = true; + myFileStatusInfo.OveralEvaluation = UE_RESULT_FILE_INVALID_FORMAT; + myFileStatusInfo.SignaturePE = UE_FIELD_BROKEN_NON_FIXABLE; + if(FileStatusInfo != NULL) + { + RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof FILE_STATUS_INFO); + } + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(false); + } + } + else + { + /* + x64 Surface check + */ + __try + { + if(PEHeader64->OptionalHeader.SizeOfImage % PEHeader64->OptionalHeader.SectionAlignment == NULL) + { + CorrectedImageSize = ((PEHeader64->OptionalHeader.SizeOfImage / PEHeader64->OptionalHeader.SectionAlignment)) * PEHeader64->OptionalHeader.SectionAlignment; + } + else + { + CorrectedImageSize = ((PEHeader64->OptionalHeader.SizeOfImage / PEHeader64->OptionalHeader.SectionAlignment) + 1) * PEHeader64->OptionalHeader.SectionAlignment; + } + if(PEHeader64->OptionalHeader.SectionAlignment != NULL && PEHeader64->OptionalHeader.SectionAlignment >= PEHeader64->OptionalHeader.FileAlignment) + { + myFileStatusInfo.SectionAlignment = UE_FIELD_OK; + if(PEHeader64->OptionalHeader.SizeOfImage % PEHeader64->OptionalHeader.SectionAlignment == NULL) + { + myFileStatusInfo.SizeOfImage = UE_FIELD_OK; + } + else + { + if(CorrectedImageSize < PEHeader64->OptionalHeader.AddressOfEntryPoint) + { + myFileStatusInfo.SizeOfImage = UE_FIELD_BROKEN_NON_FIXABLE; + } + else + { + myFileStatusInfo.SizeOfImage = UE_FIELD_FIXABLE_NON_CRITICAL; + } + } + } + else + { + myFileStatusInfo.SectionAlignment = UE_FIELD_FIXABLE_CRITICAL; + } + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.SectionAlignment, true); + if((ULONG_PTR)PEHeader64->OptionalHeader.ImageBase % 0x1000 == NULL) + { + myFileStatusInfo.ImageBase = UE_FIELD_OK; + } + else + { + myFileStatusInfo.ImageBase = UE_FIELD_BROKEN_NON_FIXABLE; + } + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.ImageBase, true); + if(PEHeader64->OptionalHeader.FileAlignment % 2 == NULL) + { + myFileStatusInfo.FileAlignment = UE_FIELD_OK; + } + else + { + myFileStatusInfo.FileAlignment = UE_FIELD_FIXABLE_CRITICAL; + } + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.FileAlignment, false); + /* + Get the console flag + */ + if(PEHeader64->OptionalHeader.Subsystem == IMAGE_SUBSYSTEM_WINDOWS_CUI) + { + myFileStatusInfo.FileIsConsole = true; + } + /* + Export and relocation checks [for DLL and EXE] + */ + if(PEHeader64->FileHeader.Characteristics & 0x2000) + { + /* + Export table check + */ + FileIsDLL = true; + myFileStatusInfo.FileIsDLL = true; + if(PEHeader64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_EXPORT && PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress != NULL) + { + if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress > CorrectedImageSize || PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size > CorrectedImageSize) + { + myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; + } + else + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress != NULL) + { + if(EngineIsBadReadPtrEx((LPVOID)ConvertedAddress, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size)) + { + PEExports = (PIMAGE_EXPORT_DIRECTORY)ConvertedAddress; + if(PEExports->AddressOfFunctions > CorrectedImageSize || PEExports->AddressOfFunctions + 4 * PEExports->NumberOfFunctions > CorrectedImageSize) + { + myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; + } + else if(PEExports->AddressOfNameOrdinals > CorrectedImageSize || PEExports->AddressOfNameOrdinals + 4 * PEExports->NumberOfNames > CorrectedImageSize) + { + myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; + } + else if(PEExports->AddressOfNames > CorrectedImageSize || PEExports->AddressOfNames + 4 * PEExports->NumberOfNames > CorrectedImageSize) + { + myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; + } + else if(PEExports->Name > CorrectedImageSize) + { + myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; + } + else + { + if(CheckDepth == UE_DEPTH_DEEP) + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEExports->AddressOfFunctions + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress != NULL) + { + for(i = 0; i < PEExports->NumberOfFunctions; i++) + { + RtlMoveMemory(&ReadData, (LPVOID)ConvertedAddress, 4); + if(ReadData > CorrectedImageSize || ReadData < PEHeader64->OptionalHeader.SectionAlignment) + { + myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; + i = PEExports->NumberOfFunctions; + } + else + { + ConvertedAddress = ConvertedAddress + 4; + } + } + } + else + { + myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; + } + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEExports->AddressOfNames + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress != NULL) + { + for(i = 0; i < PEExports->NumberOfNames; i++) + { + RtlMoveMemory(&ReadData, (LPVOID)ConvertedAddress, 4); + if(ReadData > CorrectedImageSize || ReadData < PEHeader64->OptionalHeader.SectionAlignment) + { + myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; + i = PEExports->NumberOfNames; + } + else + { + ConvertedAddress = ConvertedAddress + 4; + } + } + } + else + { + myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; + } + } + } + } + else + { + myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; + } + } + else + { + myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; + } + } + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.ExportTable, true); + } + else + { + myFileStatusInfo.ExportTable = UE_FIELD_NOT_PRESET; + } + /* + Relocation table check + */ + if(PEHeader64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BASERELOC && PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != NULL) + { + if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress > CorrectedImageSize || PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size > CorrectedImageSize) + { + myFileStatusInfo.RelocationTable = UE_FIELD_BROKEN_NON_FIXABLE; + } + else + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress != NULL) + { + if(EngineIsBadReadPtrEx((LPVOID)ConvertedAddress, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size)) + { + RtlMoveMemory(&ReadData, (LPVOID)ConvertedAddress, 4); + RtlMoveMemory(&ReadSize, (LPVOID)(ConvertedAddress + 4), 4); + while(ReadData != NULL) + { + ReadSize = ReadSize - 8; + ConvertedAddress = ConvertedAddress + 8; + while(ReadSize > NULL) + { + RtlMoveMemory(&ReadDataWORD, (LPVOID)ConvertedAddress, 2); + if(ReadDataWORD > 0xCFFF) + { + myFileStatusInfo.RelocationTable = UE_FIELD_BROKEN_FIXABLE_FOR_STATIC_USE; + } + ConvertedAddress = ConvertedAddress + 2; + ReadSize = ReadSize - 2; + } + RtlMoveMemory(&ReadData, (LPVOID)ConvertedAddress, 4); + RtlMoveMemory(&ReadSize, (LPVOID)(ConvertedAddress + 4), 4); + } + } + else + { + myFileStatusInfo.RelocationTable = UE_FIELD_BROKEN_FIXABLE_FOR_STATIC_USE; + } + } + else + { + myFileStatusInfo.RelocationTable = UE_FIELD_BROKEN_FIXABLE_FOR_STATIC_USE; + } + } + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.RelocationTable, true); + } + else + { + myFileStatusInfo.RelocationTable = UE_FIELD_NOT_PRESET_WARNING; + } + } + else + { + /* + Export table check + */ + if(PEHeader64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_EXPORT && PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress != NULL) + { + if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress > CorrectedImageSize || PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size > CorrectedImageSize) + { + myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_CRITICAL; + } + else + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress != NULL) + { + if(EngineIsBadReadPtrEx((LPVOID)ConvertedAddress, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size)) + { + PEExports = (PIMAGE_EXPORT_DIRECTORY)ConvertedAddress; + if(PEExports->AddressOfFunctions > CorrectedImageSize || PEExports->AddressOfFunctions + 4 * PEExports->NumberOfFunctions > CorrectedImageSize) + { + myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_CRITICAL; + } + else if(PEExports->AddressOfNameOrdinals > CorrectedImageSize || PEExports->AddressOfNameOrdinals + 4 * PEExports->NumberOfNames > CorrectedImageSize) + { + myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_CRITICAL; + } + else if(PEExports->AddressOfNames > CorrectedImageSize || PEExports->AddressOfNames + 4 * PEExports->NumberOfNames > CorrectedImageSize) + { + myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_CRITICAL; + } + else if(PEExports->Name > CorrectedImageSize) + { + myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_CRITICAL; + } + } + else + { + myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_CRITICAL; + } + } + } + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.ExportTable, false); + } + else + { + myFileStatusInfo.ExportTable = UE_FIELD_NOT_PRESET; + } + /* + Relocation table check + */ + if(PEHeader64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BASERELOC && PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != NULL) + { + if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress > CorrectedImageSize || PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size > CorrectedImageSize) + { + myFileStatusInfo.RelocationTable = UE_FIELD_BROKEN_NON_FIXABLE; + } + else + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) + { + myFileStatusInfo.RelocationTable = UE_FIELD_FIXABLE_NON_CRITICAL; + } + } + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.RelocationTable, false); + } + else + { + myFileStatusInfo.RelocationTable = UE_FIELD_NOT_PRESET; + } + } + /* + Import table check + */ + if(PEHeader64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_IMPORT && PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress != NULL) + { + if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress > CorrectedImageSize) + { + myFileStatusInfo.ImportTable = UE_FIELD_BROKEN_NON_FIXABLE; + } + else + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) + { + myFileStatusInfo.ImportTable = UE_FIELD_BROKEN_NON_FIXABLE; + } + else + { + SectionNumber = GetPE32SectionNumberFromVA(FileMapVA, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase); + if(SectionNumber >= NULL) + { + SectionAttributes = (DWORD)GetPE32DataFromMappedFile(FileMapVA, SectionNumber, UE_SECTIONFLAGS); + if(SectionAttributes & IMAGE_SCN_MEM_EXECUTE || SectionAttributes & IMAGE_SCN_CNT_CODE || SectionAttributes & IMAGE_SCN_MEM_WRITE || SectionAttributes & IMAGE_SCN_CNT_INITIALIZED_DATA) + { + myFileStatusInfo.ImportTableSection = UE_FIELD_OK; + } + else + { + myFileStatusInfo.ImportTableSection = UE_FIELD_FIXABLE_CRITICAL; + } + if(CheckDepth == UE_DEPTH_DEEP) + { + if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress != NULL) + { + ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)(ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, (ULONG_PTR)(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase), false, true); + while(myFileStatusInfo.ImportTableData == UE_FIELD_OK && ImportIID->FirstThunk != NULL) + { + hLoadedModule = NULL; + ImportNamePtr = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)(ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, (ULONG_PTR)((ULONG_PTR)ImportIID->Name + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase), false, true); + if(ImportNamePtr != NULL) + { + if(!EngineIsDependencyPresent((char*)ImportNamePtr, NULL, NULL)) + { + myFileStatusInfo.MissingDependencies = true; + hLoadedModuleSimulated = false; + } + else + { + hLoadedModuleSimulated = false; + hLoadedModule = GetModuleHandleA((char*)ImportNamePtr); + if(hLoadedModule == NULL) + { + hLoadedModule = (HMODULE)EngineSimulateDllLoader(GetCurrentProcess(), (char*)ImportNamePtr); + hLoadedModuleSimulated = true; + } + } + } + else + { + myFileStatusInfo.ImportTableData = UE_FIELD_BROKEN_NON_FIXABLE; + } + if(ImportIID->OriginalFirstThunk != NULL) + { + ThunkData64 = (PIMAGE_THUNK_DATA64)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, (ULONG_PTR)((ULONG_PTR)ImportIID->OriginalFirstThunk + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase), false, true); + CurrentThunk = (ULONG_PTR)ImportIID->OriginalFirstThunk; + } + else + { + ThunkData32 = (PIMAGE_THUNK_DATA32)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, (ULONG_PTR)((ULONG_PTR)ImportIID->FirstThunk + PEHeader32->OptionalHeader.ImageBase), false, true); + CurrentThunk = (ULONG_PTR)ImportIID->FirstThunk; + } + if(ThunkData64 != NULL) + { + while(myFileStatusInfo.ImportTableData == UE_FIELD_OK && ThunkData64->u1.AddressOfData != NULL) + { + if(ThunkData64->u1.Ordinal & IMAGE_ORDINAL_FLAG64) + { + if((int)(ThunkData64->u1.Ordinal ^ IMAGE_ORDINAL_FLAG64) >= 0x10000) + { + myFileStatusInfo.ImportTableData = UE_FIELD_BROKEN_NON_FIXABLE; + } + } + else + { + ImportNamePtr = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)(ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, (ULONG_PTR)((ULONG_PTR)ThunkData64->u1.AddressOfData + 2 + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase), false, true); + if(ImportNamePtr != NULL) + { + if(!EngineIsBadReadPtrEx((LPVOID)ImportNamePtr, 8)) + { + myFileStatusInfo.ImportTableData = UE_FIELD_BROKEN_NON_FIXABLE; + } + else + { + if(hLoadedModule != NULL) + { + if(EngineGetProcAddress((ULONG_PTR)hLoadedModule, (char*)ImportNamePtr) == NULL) + { + myFileStatusInfo.MissingDeclaredAPIs = true; + SetOverallFileStatus(&myFileStatusInfo, UE_FIELD_FIXABLE_CRITICAL, true); + } + } + } + } + else + { + myFileStatusInfo.ImportTableData = UE_FIELD_BROKEN_NON_FIXABLE; + } + } + CurrentThunk = CurrentThunk + 8; + ThunkData64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ThunkData64 + sizeof IMAGE_THUNK_DATA64); + } + } + else + { + myFileStatusInfo.ImportTableData = UE_FIELD_BROKEN_NON_FIXABLE; + } + if(hLoadedModuleSimulated) + { + VirtualFree((LPVOID)hLoadedModule, NULL, MEM_RELEASE); + } + ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof IMAGE_IMPORT_DESCRIPTOR); + } + } + } + } + else + { + myFileStatusInfo.ImportTable = UE_FIELD_BROKEN_NON_FIXABLE; + } + } + } + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.ImportTable, true); + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.ImportTableData, true); + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.ImportTableSection, true); + } + else + { + myFileStatusInfo.ImportTable = UE_FIELD_NOT_PRESET; + } + /* + TLS table check + */ + if(PEHeader64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_TLS && PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress != NULL) + { + if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress > CorrectedImageSize || PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size > CorrectedImageSize) + { + myFileStatusInfo.TLSTable = UE_FIELD_FIXABLE_CRITICAL; + } + else + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) + { + myFileStatusInfo.TLSTable = UE_FIELD_FIXABLE_CRITICAL; + } + else + { + PETls64 = (PIMAGE_TLS_DIRECTORY64)ConvertedAddress; + if(PETls64->StartAddressOfRawData != NULL && (PETls64->StartAddressOfRawData < (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase || PETls64->StartAddressOfRawData > CorrectedImageSize + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase)) + { + myFileStatusInfo.TLSTable = UE_FIELD_FIXABLE_CRITICAL; + } + else if(PETls64->EndAddressOfRawData != NULL && (PETls64->EndAddressOfRawData < (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase || PETls64->EndAddressOfRawData > CorrectedImageSize + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase)) + { + myFileStatusInfo.TLSTable = UE_FIELD_FIXABLE_CRITICAL; + } + else if(PETls64->AddressOfIndex != NULL && (PETls64->AddressOfIndex < (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase || PETls64->AddressOfIndex > CorrectedImageSize + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase)) + { + myFileStatusInfo.TLSTable = UE_FIELD_FIXABLE_CRITICAL; + } + else if(PETls64->AddressOfCallBacks != NULL && (PETls64->AddressOfCallBacks < (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase || PETls64->AddressOfCallBacks > CorrectedImageSize + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase)) + { + myFileStatusInfo.TLSTable = UE_FIELD_FIXABLE_CRITICAL; + } + if(PETls64->AddressOfCallBacks != NULL && CheckDepth == UE_DEPTH_DEEP) + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, (ULONG_PTR)PETls64->AddressOfCallBacks + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress != NULL) + { + while(ReadData != NULL) + { + RtlMoveMemory(&ReadData, (LPVOID)ConvertedAddress, 8); + if(ReadData < (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase || ReadData > CorrectedImageSize + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase) + { + myFileStatusInfo.TLSTable = UE_FIELD_FIXABLE_CRITICAL; + } + ConvertedAddress = ConvertedAddress + 8; + } + } + } + } + } + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.TLSTable, false); + } + else + { + myFileStatusInfo.TLSTable = UE_FIELD_NOT_PRESET; + } + /* + Load config table check + */ + if(PEHeader64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG && PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress != NULL) + { + if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress > CorrectedImageSize || PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size > CorrectedImageSize) + { + myFileStatusInfo.LoadConfigTable = UE_FIELD_FIXABLE_CRITICAL; + } + else + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) + { + myFileStatusInfo.LoadConfigTable = UE_FIELD_FIXABLE_CRITICAL; + } + } + } + else + { + myFileStatusInfo.LoadConfigTable = UE_FIELD_NOT_PRESET; + } + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.LoadConfigTable, false); + /* + Bound import table check + */ + if(PEHeader64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT && PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress != NULL) + { + if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress > CorrectedImageSize || PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size > CorrectedImageSize) + { + myFileStatusInfo.BoundImportTable = UE_FIELD_FIXABLE_CRITICAL; + } + else + { + ConvertedAddress = (ULONG_PTR)PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress + FileMapVA; + if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) + { + myFileStatusInfo.BoundImportTable = UE_FIELD_FIXABLE_CRITICAL; + } + else + { + BoundIID = (PIMAGE_BOUND_IMPORT_DESCRIPTOR)ConvertedAddress; + while(BoundIID->TimeDateStamp != NULL) + { + if(BoundIID->OffsetModuleName > PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size) + { + myFileStatusInfo.BoundImportTable = UE_FIELD_FIXABLE_CRITICAL; + } + else if(!EngineIsPointedMemoryString(ConvertedAddress + BoundIID->OffsetModuleName)) + { + myFileStatusInfo.BoundImportTable = UE_FIELD_FIXABLE_CRITICAL; + } + BoundIID = (PIMAGE_BOUND_IMPORT_DESCRIPTOR)((ULONG_PTR)BoundIID + sizeof IMAGE_BOUND_IMPORT_DESCRIPTOR); + } + } + } + } + else + { + myFileStatusInfo.BoundImportTable = UE_FIELD_NOT_PRESET; + } + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.BoundImportTable, false); + /* + IAT check + */ + if(PEHeader64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_IAT && PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress != NULL) + { + if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress > CorrectedImageSize || PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].Size > CorrectedImageSize) + { + myFileStatusInfo.IATTable = UE_FIELD_FIXABLE_NON_CRITICAL; + } + else + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) + { + myFileStatusInfo.IATTable = UE_FIELD_FIXABLE_NON_CRITICAL; + } + } + } + else + { + myFileStatusInfo.IATTable = UE_FIELD_NOT_PRESET; + } + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.IATTable, false); + /* + COM header check + */ + if(PEHeader64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR && PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress != NULL) + { + if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress > CorrectedImageSize || PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].Size > CorrectedImageSize) + { + myFileStatusInfo.COMHeaderTable = UE_FIELD_FIXABLE_NON_CRITICAL; + } + else + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) + { + myFileStatusInfo.COMHeaderTable = UE_FIELD_FIXABLE_NON_CRITICAL; + } + } + } + else + { + myFileStatusInfo.COMHeaderTable = UE_FIELD_NOT_PRESET; + } + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.COMHeaderTable, false); + /* + Resource header check + */ + if(PEHeader64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_RESOURCE && PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress != NULL) + { + if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress > CorrectedImageSize || PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size > CorrectedImageSize) + { + myFileStatusInfo.ResourceTable = UE_FIELD_FIXABLE_NON_CRITICAL; + } + else + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize || ConvertedAddress - FileMapVA + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size > FileSize) + { + myFileStatusInfo.ResourceTable = UE_FIELD_BROKEN_BUT_CAN_BE_EMULATED; + } + if(CheckDepth == UE_DEPTH_DEEP) + { + hSimulatedFileLoad = (ULONG_PTR)EngineSimulateNtLoaderW(szFileName); + if(hSimulatedFileLoad != NULL) + { + for(i = 0; i < 22; i++) + { + if(myFileStatusInfo.ResourceData == UE_FIELD_OK) + { + EnumResourceNamesA((HMODULE)hSimulatedFileLoad, MAKEINTRESOURCEA(ResourceNamesTable[i]), (ENUMRESNAMEPROCA)EngineValidateResource, (ULONG_PTR)&myFileStatusInfo.ResourceData); + } + else + { + i = 22; + } + } + VirtualFree((LPVOID)hSimulatedFileLoad, NULL, MEM_RELEASE); + } + } + } + if(myFileStatusInfo.ResourceTable == UE_FIELD_BROKEN_BUT_CAN_BE_EMULATED && myFileStatusInfo.ResourceData == UE_FIELD_OK) + { + myFileStatusInfo.ResourceTable = UE_FIELD_OK; + } + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.ResourceTable, true); + } + else + { + myFileStatusInfo.ResourceTable = UE_FIELD_NOT_PRESET; + } + /* + Section check + */ + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + NumberOfSections = PEHeader64->FileHeader.NumberOfSections; + while(NumberOfSections > NULL) + { + SectionVirtualSize = PESections->VirtualAddress + PESections->Misc.VirtualSize; + if(PESections->Misc.VirtualSize % PEHeader64->OptionalHeader.SectionAlignment == NULL) + { + SectionVirtualSizeFixed = SectionVirtualSize; + } + else + { + SectionVirtualSizeFixed = PESections->VirtualAddress + (((PESections->Misc.VirtualSize / PEHeader64->OptionalHeader.SectionAlignment) + 1) * PEHeader64->OptionalHeader.SectionAlignment); + } + if(NumberOfSections > 1) + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + sizeof IMAGE_SECTION_HEADER); + if(SectionVirtualSize > PESections->VirtualAddress || SectionVirtualSizeFixed > PESections->VirtualAddress) + { + myFileStatusInfo.SectionTable = UE_FIELD_FIXABLE_CRITICAL; + } + } + NumberOfSections--; + } + if(PESections->PointerToRawData + PESections->SizeOfRawData > FileSize && PESections->SizeOfRawData != NULL) + { + myFileStatusInfo.SectionTable = UE_FIELD_BROKEN_NON_FIXABLE; + } + SectionVirtualSizeFixed = SectionVirtualSizeFixed + 0xF000; + if(PEHeader64->OptionalHeader.SizeOfImage > SectionVirtualSizeFixed) + { + myFileStatusInfo.SizeOfImage = UE_FIELD_FIXABLE_CRITICAL; + } + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.SizeOfImage, true); + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.SectionTable, true); + /* + Entry point check + */ + SectionNumber = GetPE32SectionNumberFromVA(FileMapVA, PEHeader64->OptionalHeader.AddressOfEntryPoint + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase); + if(SectionNumber != -1) + { + SectionAttributes = (DWORD)GetPE32DataFromMappedFile(FileMapVA, SectionNumber, UE_SECTIONFLAGS); + if(SectionAttributes & IMAGE_SCN_MEM_EXECUTE || SectionAttributes & IMAGE_SCN_CNT_CODE) + { + myFileStatusInfo.EntryPoint = UE_FIELD_OK; + } + else + { + myFileStatusInfo.EntryPoint = UE_FIELD_BROKEN_NON_CRITICAL; + } + } + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.AddressOfEntryPoint + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress == NULL) + { + myFileStatusInfo.EntryPoint = UE_FIELD_BROKEN_NON_FIXABLE; + } + else + { + ReadData = NULL; + if(memcmp(&ReadData, (LPVOID)ConvertedAddress, 4) == NULL) + { + myFileStatusInfo.EntryPoint = UE_FIELD_BROKEN_NON_FIXABLE; + } + } + SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.EntryPoint, true); + /* + Return data + */ + if(FileStatusInfo != NULL) + { + RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof FILE_STATUS_INFO); + } + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + if(myFileStatusInfo.OveralEvaluation == UE_RESULT_FILE_OK) + { + return(true); + } + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + myFileStatusInfo.EvaluationTerminatedByException = true; + myFileStatusInfo.OveralEvaluation = UE_RESULT_FILE_INVALID_FORMAT; + myFileStatusInfo.SignaturePE = UE_FIELD_BROKEN_NON_FIXABLE; + if(FileStatusInfo != NULL) + { + RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof FILE_STATUS_INFO); + } + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(false); + } + } + } + else + { + myFileStatusInfo.OveralEvaluation = UE_RESULT_FILE_INVALID_FORMAT; + myFileStatusInfo.SignatureMZ = UE_FIELD_BROKEN_NON_FIXABLE; + if(FileStatusInfo != NULL) + { + RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof FILE_STATUS_INFO); + } + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(false); + } + } + if(FileStatusInfo != NULL) + { + RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof FILE_STATUS_INFO); + } + return(false); +} +__declspec(dllexport) bool TITCALL FixBrokenPE32FileEx(char* szFileName, LPVOID FileStatusInfo, LPVOID FileFixInfo) +{ + + wchar_t uniFileName[MAX_PATH] = {}; + + if(szFileName != NULL) + { + MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); + return(FixBrokenPE32FileExW(uniFileName, FileStatusInfo, FileFixInfo)); + } + else + { + return(false); + } +} +__declspec(dllexport) bool TITCALL FixBrokenPE32FileExW(wchar_t* szFileName, LPVOID FileStatusInfo, LPVOID FileFixInfo) +{ + if(!FileFixInfo) + return false; + DWORD ReadData = NULL; + DWORD ReadSize = NULL; + WORD ReadDataWORD = NULL; + ULONG_PTR ReadDataQWORD = NULL; + DWORD OrdinalBase = NULL; + DWORD OrdinalCount = NULL; + long SectionNumber = NULL; + DWORD SectionAttributes = NULL; + ULONG_PTR ConvertedAddress = NULL; + DWORD CorrectedImageSize = NULL; + DWORD SectionVirtualSize = NULL; + DWORD SectionVirtualSizeFixed = NULL; + DWORD NumberOfSections = NULL; + PIMAGE_DOS_HEADER DOSHeader; + PIMAGE_NT_HEADERS32 PEHeader32; + PIMAGE_NT_HEADERS64 PEHeader64; + PIMAGE_SECTION_HEADER PESections; + PIMAGE_EXPORT_DIRECTORY PEExports; + PIMAGE_TLS_DIRECTORY32 PETls32; + PIMAGE_TLS_DIRECTORY64 PETls64; + PIMAGE_IMPORT_DESCRIPTOR ImportIID; + PIMAGE_THUNK_DATA32 ThunkData32; + PIMAGE_THUNK_DATA64 ThunkData64; + PFILE_STATUS_INFO myFileStatusInfo = (PFILE_STATUS_INFO)FileStatusInfo; + PFILE_FIX_INFO myFileFixInfo = (PFILE_FIX_INFO)FileFixInfo; //can bad point + bool hLoadedModuleSimulated = false; + HMODULE hLoadedModule; + ULONG_PTR ImportNamePtr; + ULONG_PTR CurrentThunk; + BOOL FileIs64; + HANDLE FileHandle; + DWORD FileSize; + HANDLE FileMap; + ULONG_PTR FileMapVA; + bool FileFixed = true; + bool FeatureFixed = false; + + FILE_STANDARD_INFO filestatusinfo; //for internal use + + if(myFileStatusInfo == NULL) //here check for myfilestrus..ah lol, youre right + { + myFileStatusInfo=(PFILE_STATUS_INFO)&filestatusinfo; + IsPE32FileValidExW(szFileName, UE_DEPTH_DEEP, myFileStatusInfo); + } + if(myFileFixInfo->FileFixPerformed == false && myFileStatusInfo->OveralEvaluation == UE_RESULT_FILE_INVALID_BUT_FIXABLE) + { + if(MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) + { + myFileFixInfo->OveralEvaluation = UE_RESULT_FILE_INVALID_AND_NON_FIXABLE; + DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; + if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true)) + { + PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + if(PEHeader32->Signature == 0x4550 && PEHeader32->OptionalHeader.Magic == 0x10B) + { + FileIs64 = false; + } + else if(PEHeader32->Signature == 0x4550 && PEHeader32->OptionalHeader.Magic == 0x20B) + { + FileIs64 = true; + } + else + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(false); + } + if(myFileStatusInfo->SignatureMZ != UE_FIELD_OK) + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(false); + } + else if(myFileStatusInfo->SignaturePE != UE_FIELD_OK) + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(false); + } + else if(myFileStatusInfo->SectionAlignment != UE_FIELD_OK) + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(false); + } + else if(myFileStatusInfo->FileAlignment != UE_FIELD_OK) + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(false); + } + else if(myFileStatusInfo->ImportTable != UE_FIELD_OK) + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(false); + } + else if(myFileStatusInfo->ImportTableData != UE_FIELD_OK) + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(false); + } + if(!FileIs64) + { + /* + x86 Surface check + */ + __try + { + if(PEHeader32->OptionalHeader.SizeOfImage % PEHeader32->OptionalHeader.SectionAlignment == NULL) + { + CorrectedImageSize = (PEHeader32->OptionalHeader.SizeOfImage / PEHeader32->OptionalHeader.SectionAlignment) * PEHeader32->OptionalHeader.SectionAlignment; + } + else + { + CorrectedImageSize = ((PEHeader32->OptionalHeader.SizeOfImage / PEHeader32->OptionalHeader.SectionAlignment) + 1) * PEHeader32->OptionalHeader.SectionAlignment; + } + /* + Fixing import table + */ + if(myFileStatusInfo->MissingDeclaredAPIs) + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); + SectionNumber = GetPE32SectionNumberFromVA(FileMapVA, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + PEHeader32->OptionalHeader.ImageBase); + if(SectionNumber >= NULL) + { + SectionAttributes = (DWORD)GetPE32DataFromMappedFile(FileMapVA, SectionNumber, UE_SECTIONFLAGS); + if(SectionAttributes & IMAGE_SCN_MEM_EXECUTE || SectionAttributes & IMAGE_SCN_CNT_CODE || SectionAttributes & IMAGE_SCN_MEM_WRITE || SectionAttributes & IMAGE_SCN_CNT_INITIALIZED_DATA) + { + // Should not execute! + } + else + { + if(!SetPE32DataForMappedFile(FileMapVA, SectionAttributes, UE_SECTIONFLAGS, 0xE0000020)) + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(false); + } + } + if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress != NULL) + { + ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, (ULONG_PTR)(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + PEHeader32->OptionalHeader.ImageBase), false, true); + while(ImportIID->FirstThunk != NULL) + { + hLoadedModule = NULL; + ImportNamePtr = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, (ULONG_PTR)((ULONG_PTR)ImportIID->Name + PEHeader32->OptionalHeader.ImageBase), false, true); + if(ImportNamePtr != NULL) + { + if(!EngineIsDependencyPresent((char*)ImportNamePtr, NULL, NULL)) + { + hLoadedModuleSimulated = false; + } + else + { + hLoadedModuleSimulated = false; + hLoadedModule = GetModuleHandleA((char*)ImportNamePtr); + if(hLoadedModule == NULL) + { + hLoadedModule = (HMODULE)EngineSimulateDllLoader(GetCurrentProcess(), (char*)ImportNamePtr); + hLoadedModuleSimulated = true; + } + } + } + if(ImportIID->OriginalFirstThunk != NULL) + { + ThunkData32 = (PIMAGE_THUNK_DATA32)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, (ULONG_PTR)((ULONG_PTR)ImportIID->OriginalFirstThunk + PEHeader32->OptionalHeader.ImageBase), false, true); + CurrentThunk = (ULONG_PTR)ImportIID->OriginalFirstThunk; + } + else + { + ThunkData32 = (PIMAGE_THUNK_DATA32)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, (ULONG_PTR)((ULONG_PTR)ImportIID->FirstThunk + PEHeader32->OptionalHeader.ImageBase), false, true); + CurrentThunk = (ULONG_PTR)ImportIID->FirstThunk; + } + if(ThunkData32 != NULL) + { + while(ThunkData32->u1.AddressOfData != NULL) + { + if(ThunkData32->u1.Ordinal & IMAGE_ORDINAL_FLAG32) + { + if((int)(ThunkData32->u1.Ordinal ^ IMAGE_ORDINAL_FLAG32) >= 0x10000) + { + FileFixed = false; + } + } + else + { + ImportNamePtr = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, (ULONG_PTR)((ULONG_PTR)ThunkData32->u1.AddressOfData + 2 + PEHeader32->OptionalHeader.ImageBase), false, true); + if(ImportNamePtr != NULL) + { + if(EngineIsBadReadPtrEx((LPVOID)ImportNamePtr, 8)) + { + if(hLoadedModule != NULL) + { + if(EngineGetProcAddress((ULONG_PTR)hLoadedModule, (char*)ImportNamePtr) == NULL) + { + OrdinalBase = NULL; + OrdinalCount = NULL; + if(EngineGetLibraryOrdinalData((ULONG_PTR)hLoadedModule, &OrdinalBase, &OrdinalCount)) + { + if(OrdinalBase != NULL && OrdinalCount != NULL) + { + ThunkData32->u1.Ordinal = (OrdinalBase + 1) ^ IMAGE_ORDINAL_FLAG32; + } + else + { + FileFixed = false; + } + } + } + } + } + } + } + CurrentThunk = CurrentThunk + 4; + ThunkData32 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ThunkData32 + sizeof IMAGE_THUNK_DATA32); + } + } + if(hLoadedModuleSimulated) + { + VirtualFree((LPVOID)hLoadedModule, NULL, MEM_RELEASE); + } + ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof IMAGE_IMPORT_DESCRIPTOR); + } + } + } + } + /* + Fixing Export table + */ + if(myFileStatusInfo->ExportTable == UE_FIELD_NOT_PRESET_WARNING) + { + FileFixed = false; + } + else if(myFileFixInfo->DontFixExports == false && myFileStatusInfo->ExportTable != UE_FIELD_OK && myFileStatusInfo->ExportTable != UE_FIELD_NOT_PRESET) + { + if(PEHeader32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_EXPORT && PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress != NULL) + { + if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress > CorrectedImageSize || PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size > CorrectedImageSize) + { + myFileFixInfo->StrippedExports = true; + myFileFixInfo->OriginalExportTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; + myFileFixInfo->OriginalExportTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress = NULL; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size = NULL; + } + else + { + FeatureFixed = true; + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress != NULL) + { + if(EngineIsBadReadPtrEx((LPVOID)ConvertedAddress, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size)) + { + PEExports = (PIMAGE_EXPORT_DIRECTORY)ConvertedAddress; + if(PEExports->AddressOfFunctions > CorrectedImageSize || PEExports->AddressOfFunctions + 4 * PEExports->NumberOfFunctions > CorrectedImageSize) + { + FeatureFixed = false; + } + else if(PEExports->AddressOfNameOrdinals > CorrectedImageSize || PEExports->AddressOfNameOrdinals + 4 * PEExports->NumberOfNames > CorrectedImageSize) + { + FeatureFixed = false; + } + else if(PEExports->AddressOfNames > CorrectedImageSize || PEExports->AddressOfNames + 4 * PEExports->NumberOfNames > CorrectedImageSize) + { + FeatureFixed = false; + } + else if(PEExports->Name > CorrectedImageSize) + { + FeatureFixed = false; + } + if(!FeatureFixed) + { + myFileFixInfo->StrippedExports = true; + myFileFixInfo->OriginalExportTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; + myFileFixInfo->OriginalExportTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress = NULL; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size = NULL; + } + } + else + { + myFileFixInfo->StrippedExports = true; + myFileFixInfo->OriginalExportTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; + myFileFixInfo->OriginalExportTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress = NULL; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size = NULL; + } + } + } + } + } + /* + Fixing Relocation table + */ + if(myFileStatusInfo->FileIsDLL == true && myFileStatusInfo->RelocationTable == UE_FIELD_BROKEN_NON_FIXABLE) + { + FileFixed = false; + } + else if(myFileFixInfo->DontFixRelocations == false && myFileStatusInfo->RelocationTable != UE_FIELD_OK) + { + if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress > CorrectedImageSize || PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size > CorrectedImageSize) + { + if(myFileStatusInfo->FileIsDLL) + { + FileFixed = false; + } + else + { + myFileFixInfo->StrippedRelocation = true; + myFileFixInfo->OriginalRelocationTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress; + myFileFixInfo->OriginalRelocationTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = NULL; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = NULL; + } + } + else + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress != NULL) + { + if(EngineIsBadReadPtrEx((LPVOID)ConvertedAddress, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size)) + { + RtlMoveMemory(&ReadData, (LPVOID)ConvertedAddress, 4); + RtlMoveMemory(&ReadSize, (LPVOID)(ConvertedAddress + 4), 4); + while(ReadData != NULL) + { + ReadSize = ReadSize - 8; + ConvertedAddress = ConvertedAddress + 8; + while(ReadSize > NULL) + { + RtlMoveMemory(&ReadDataWORD, (LPVOID)ConvertedAddress, 2); + if(ReadDataWORD > 0xCFFF) + { + RtlZeroMemory((LPVOID)ConvertedAddress, 2); + } + ConvertedAddress = ConvertedAddress + 2; + ReadSize = ReadSize - 2; + } + RtlMoveMemory(&ReadData, (LPVOID)ConvertedAddress, 4); + RtlMoveMemory(&ReadSize, (LPVOID)(ConvertedAddress + 4), 4); + } + } + else + { + if(myFileStatusInfo->FileIsDLL) + { + FileFixed = false; + } + else + { + myFileFixInfo->StrippedRelocation = true; + myFileFixInfo->OriginalRelocationTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress; + myFileFixInfo->OriginalRelocationTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = NULL; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = NULL; + } + } + } + else + { + if(myFileStatusInfo->FileIsDLL) + { + FileFixed = false; + } + else + { + myFileFixInfo->StrippedRelocation = true; + myFileFixInfo->OriginalRelocationTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress; + myFileFixInfo->OriginalRelocationTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = NULL; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = NULL; + } + } + } + } + else if(myFileStatusInfo->RelocationTable == UE_FIELD_OK) + { + // Filter case! + } + else + { + FileFixed = false; + } + /* + Fixing Resource table + */ + if(myFileFixInfo->DontFixResources == false && myFileStatusInfo->ResourceData != UE_FIELD_OK && myFileStatusInfo->ResourceData != UE_FIELD_NOT_PRESET) + { + myFileFixInfo->StrippedResources = true; + myFileFixInfo->OriginalResourceTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress; + myFileFixInfo->OriginalResourceTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress = NULL; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size = NULL; + } + else if(myFileFixInfo->DontFixResources == false && myFileStatusInfo->ResourceTable != UE_FIELD_OK && myFileStatusInfo->ResourceTable != UE_FIELD_NOT_PRESET) + { + if(PEHeader32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_RESOURCE && PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress != NULL) + { + if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress > CorrectedImageSize || PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size > CorrectedImageSize) + { + myFileFixInfo->StrippedResources = true; + myFileFixInfo->OriginalResourceTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress; + myFileFixInfo->OriginalResourceTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress = NULL; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size = NULL; + } + else + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize || ConvertedAddress - FileMapVA + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size > FileSize) + { + myFileFixInfo->StrippedResources = true; + myFileFixInfo->OriginalResourceTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress; + myFileFixInfo->OriginalResourceTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress = NULL; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size = NULL; + } + } + } + } + /* + Fixing TLS table + */ + if(myFileFixInfo->DontFixTLS == false && myFileStatusInfo->TLSTable != UE_FIELD_OK && myFileStatusInfo->TLSTable != UE_FIELD_NOT_PRESET) + { + if(PEHeader32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_TLS && PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress != NULL) + { + if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress > CorrectedImageSize || PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size > CorrectedImageSize) + { + myFileFixInfo->StrippedTLS = true; + myFileFixInfo->OriginalTLSTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress; + myFileFixInfo->OriginalTLSTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = NULL; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = NULL; + } + else + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) + { + myFileFixInfo->StrippedTLS = true; + myFileFixInfo->OriginalTLSTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress; + myFileFixInfo->OriginalTLSTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = NULL; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = NULL; + } + else + { + FeatureFixed = true; + PETls32 = (PIMAGE_TLS_DIRECTORY32)ConvertedAddress; + if(PETls32->StartAddressOfRawData != NULL && (PETls32->StartAddressOfRawData < PEHeader32->OptionalHeader.ImageBase || PETls32->StartAddressOfRawData > CorrectedImageSize + PEHeader32->OptionalHeader.ImageBase)) + { + FeatureFixed = false; + } + else if(PETls32->EndAddressOfRawData != NULL && (PETls32->EndAddressOfRawData < PEHeader32->OptionalHeader.ImageBase || PETls32->EndAddressOfRawData > CorrectedImageSize + PEHeader32->OptionalHeader.ImageBase)) + { + FeatureFixed = false; + } + else if(PETls32->AddressOfIndex != NULL && (PETls32->AddressOfIndex < PEHeader32->OptionalHeader.ImageBase || PETls32->AddressOfIndex > CorrectedImageSize + PEHeader32->OptionalHeader.ImageBase)) + { + FeatureFixed = false; + } + else if(PETls32->AddressOfCallBacks != NULL && (PETls32->AddressOfCallBacks < PEHeader32->OptionalHeader.ImageBase || PETls32->AddressOfCallBacks > CorrectedImageSize + PEHeader32->OptionalHeader.ImageBase)) + { + FeatureFixed = false; + } + if(!FeatureFixed) + { + myFileFixInfo->StrippedTLS = true; + myFileFixInfo->OriginalTLSTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress; + myFileFixInfo->OriginalTLSTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = NULL; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = NULL; + } + else + { + if(PETls32->AddressOfCallBacks != NULL) + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PETls32->AddressOfCallBacks + PEHeader32->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress != NULL) + { + while(ReadData != NULL) + { + RtlMoveMemory(&ReadData, (LPVOID)ConvertedAddress, 4); + if(ReadData < PEHeader32->OptionalHeader.ImageBase || ReadData > CorrectedImageSize + PEHeader32->OptionalHeader.ImageBase) + { + RtlZeroMemory((LPVOID)ConvertedAddress, 4); + } + ConvertedAddress = ConvertedAddress + 4; + } + } + } + } + } + } + } + } + /* + Fix Load config table + */ + if(myFileFixInfo->DontFixLoadConfig == false && myFileStatusInfo->LoadConfigTable != UE_FIELD_OK && myFileStatusInfo->LoadConfigTable != UE_FIELD_NOT_PRESET) + { + if(PEHeader32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG && PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress != NULL) + { + if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress > CorrectedImageSize || PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size > CorrectedImageSize) + { + myFileFixInfo->StrippedLoadConfig = true; + myFileFixInfo->OriginalLoadConfigTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress; + myFileFixInfo->OriginalLoadConfigTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress = NULL; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size = NULL; + } + else + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) + { + myFileFixInfo->StrippedLoadConfig = true; + myFileFixInfo->OriginalLoadConfigTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress; + myFileFixInfo->OriginalLoadConfigTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress = NULL; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size = NULL; + } + } + } + } + /* + Fix Bound import table + */ + if(myFileFixInfo->DontFixBoundImports == false && myFileStatusInfo->BoundImportTable != UE_FIELD_OK && myFileStatusInfo->BoundImportTable != UE_FIELD_NOT_PRESET) + { + if(PEHeader32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT && PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress != NULL) + { + if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress > CorrectedImageSize || PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size > CorrectedImageSize) + { + myFileFixInfo->StrippedBoundImports = true; + myFileFixInfo->OriginalBoundImportTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress; + myFileFixInfo->OriginalBoundImportTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress = NULL; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size = NULL; + } + else + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) + { + myFileFixInfo->StrippedBoundImports = true; + myFileFixInfo->OriginalBoundImportTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress; + myFileFixInfo->OriginalBoundImportTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress = NULL; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size = NULL; + } + } + } + } + /* + Fix IAT + */ + if(myFileFixInfo->DontFixIAT == false && myFileStatusInfo->IATTable != UE_FIELD_OK && myFileStatusInfo->IATTable != UE_FIELD_NOT_PRESET) + { + if(PEHeader32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_IAT && PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress != NULL) + { + if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress > CorrectedImageSize || PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].Size > CorrectedImageSize) + { + myFileFixInfo->StrippedIAT = true; + myFileFixInfo->OriginalImportAddressTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress; + myFileFixInfo->OriginalImportAddressTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].Size; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress = NULL; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size = NULL; + } + else + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) + { + myFileFixInfo->StrippedIAT = true; + myFileFixInfo->OriginalImportAddressTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress; + myFileFixInfo->OriginalImportAddressTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].Size; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress = NULL; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size = NULL; + } + } + } + } + /* + Fix COM header + */ + if(myFileFixInfo->DontFixCOM == false && myFileStatusInfo->COMHeaderTable != UE_FIELD_OK && myFileStatusInfo->COMHeaderTable != UE_FIELD_NOT_PRESET) + { + if(PEHeader32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR && PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress != NULL) + { + if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress > CorrectedImageSize || PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].Size > CorrectedImageSize) + { + myFileFixInfo->StrippedCOM = true; + myFileFixInfo->OriginalCOMTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress; + myFileFixInfo->OriginalCOMTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].Size; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress = NULL; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].Size = NULL; + } + else + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) + { + myFileFixInfo->StrippedCOM = true; + myFileFixInfo->OriginalCOMTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress; + myFileFixInfo->OriginalCOMTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].Size; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress = NULL; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].Size = NULL; + } + } + } + } + /* + Fix sections and SizeOfImage + */ + if(myFileStatusInfo->SectionTable != UE_FIELD_OK || myFileStatusInfo->SizeOfImage != UE_FIELD_OK) + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + NumberOfSections = PEHeader32->FileHeader.NumberOfSections; + while(NumberOfSections > NULL) + { + SectionVirtualSize = PESections->VirtualAddress + PESections->Misc.VirtualSize; + if(PESections->Misc.VirtualSize % PEHeader32->OptionalHeader.SectionAlignment == NULL) + { + SectionVirtualSizeFixed = SectionVirtualSize; + } + else + { + SectionVirtualSizeFixed = PESections->VirtualAddress + (((PESections->Misc.VirtualSize / PEHeader32->OptionalHeader.SectionAlignment) + 1) * PEHeader32->OptionalHeader.SectionAlignment); + } + if(NumberOfSections > 1) + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + sizeof IMAGE_SECTION_HEADER); + if(SectionVirtualSize > PESections->VirtualAddress || SectionVirtualSizeFixed > PESections->VirtualAddress) + { + PESections->Misc.VirtualSize = SectionVirtualSizeFixed; + } + } + NumberOfSections--; + } + if(PESections->PointerToRawData + PESections->SizeOfRawData > FileSize && PESections->SizeOfRawData != NULL) + { + PESections->SizeOfRawData = FileSize - PESections->PointerToRawData; + } + if(myFileStatusInfo->SizeOfImage != UE_FIELD_OK) + { + SectionVirtualSizeFixed = SectionVirtualSizeFixed + 0xF000; + if(PEHeader32->OptionalHeader.SizeOfImage > SectionVirtualSizeFixed) + { + PEHeader32->OptionalHeader.SizeOfImage = SectionVirtualSizeFixed - 0xF000; + } + } + } + /* + Entry point check + */ + if(myFileStatusInfo->EntryPoint != UE_FIELD_OK) + { + SectionNumber = GetPE32SectionNumberFromVA(FileMapVA, PEHeader32->OptionalHeader.AddressOfEntryPoint + (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase); + if(SectionNumber != -1) + { + SectionAttributes = (DWORD)GetPE32DataFromMappedFile(FileMapVA, SectionNumber, UE_SECTIONFLAGS); + if(SectionAttributes & IMAGE_SCN_MEM_EXECUTE || SectionAttributes & IMAGE_SCN_CNT_CODE) + { + // Should never execute + } + else + { + if(!SetPE32DataForMappedFile(FileMapVA, SectionNumber, UE_SECTIONFLAGS, 0xE0000020)) + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(false); + } + } + } + } + /* + Fix end + */ + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + if(FileFixed) + { + myFileFixInfo->OveralEvaluation = UE_RESULT_FILE_OK; + myFileFixInfo->FileFixPerformed = FileFixed; + } + return(true); + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + myFileFixInfo->FixingTerminatedByException = true; + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(false); + } + } + else + { + /* + x64 Surface check + */ + __try + { + if(PEHeader64->OptionalHeader.SizeOfImage % PEHeader64->OptionalHeader.SectionAlignment == NULL) + { + CorrectedImageSize = (PEHeader64->OptionalHeader.SizeOfImage / PEHeader64->OptionalHeader.SectionAlignment) * PEHeader64->OptionalHeader.SectionAlignment; + } + else + { + CorrectedImageSize = ((PEHeader64->OptionalHeader.SizeOfImage / PEHeader64->OptionalHeader.SectionAlignment) + 1) * PEHeader64->OptionalHeader.SectionAlignment; + } + /* + Fixing import table + */ + if(myFileStatusInfo->MissingDeclaredAPIs) + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); + SectionNumber = GetPE32SectionNumberFromVA(FileMapVA, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase); + if(SectionNumber >= NULL) + { + SectionAttributes = (DWORD)GetPE32DataFromMappedFile(FileMapVA, SectionNumber, UE_SECTIONFLAGS); + if(SectionAttributes & IMAGE_SCN_MEM_EXECUTE || SectionAttributes & IMAGE_SCN_CNT_CODE || SectionAttributes & IMAGE_SCN_MEM_WRITE || SectionAttributes & IMAGE_SCN_CNT_INITIALIZED_DATA) + { + // Should not execute! + } + else + { + if(!SetPE32DataForMappedFile(FileMapVA, SectionAttributes, UE_SECTIONFLAGS, 0xE0000020)) + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(false); + } + } + if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress != NULL) + { + ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, (ULONG_PTR)(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase), false, true); + while(ImportIID->FirstThunk != NULL) + { + hLoadedModule = NULL; + ImportNamePtr = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, (ULONG_PTR)((ULONG_PTR)ImportIID->Name + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase), false, true); + if(ImportNamePtr != NULL) + { + if(!EngineIsDependencyPresent((char*)ImportNamePtr, NULL, NULL)) + { + hLoadedModuleSimulated = false; + } + else + { + hLoadedModuleSimulated = false; + hLoadedModule = GetModuleHandleA((char*)ImportNamePtr); + if(hLoadedModule == NULL) + { + hLoadedModule = (HMODULE)EngineSimulateDllLoader(GetCurrentProcess(), (char*)ImportNamePtr); + hLoadedModuleSimulated = true; + } + } + } + if(ImportIID->OriginalFirstThunk != NULL) + { + ThunkData64 = (PIMAGE_THUNK_DATA64)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, (ULONG_PTR)((ULONG_PTR)ImportIID->OriginalFirstThunk + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase), false, true); + CurrentThunk = (ULONG_PTR)ImportIID->OriginalFirstThunk; + } + else + { + ThunkData32 = (PIMAGE_THUNK_DATA32)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, (ULONG_PTR)((ULONG_PTR)ImportIID->FirstThunk + PEHeader32->OptionalHeader.ImageBase), false, true); + CurrentThunk = (ULONG_PTR)ImportIID->FirstThunk; + } + if(ThunkData64 != NULL) + { + while(ThunkData64->u1.AddressOfData != NULL) + { + if(ThunkData64->u1.Ordinal & IMAGE_ORDINAL_FLAG64) + { + if((int)(ThunkData64->u1.Ordinal ^ IMAGE_ORDINAL_FLAG64) >= 0x10000) + { + FileFixed = false; + } + } + else + { + ImportNamePtr = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, (ULONG_PTR)((ULONG_PTR)ThunkData64->u1.AddressOfData + 2 + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase), false, true); + if(ImportNamePtr != NULL) + { + if(EngineIsBadReadPtrEx((LPVOID)ImportNamePtr, 8)) + { + if(hLoadedModule != NULL) + { + if(EngineGetProcAddress((ULONG_PTR)hLoadedModule, (char*)ImportNamePtr) == NULL) + { + OrdinalBase = NULL; + OrdinalCount = NULL; + if(EngineGetLibraryOrdinalData((ULONG_PTR)hLoadedModule, &OrdinalBase, &OrdinalCount)) + { + if(OrdinalBase != NULL && OrdinalCount != NULL) + { + ThunkData64->u1.Ordinal = (OrdinalBase + 1) ^ IMAGE_ORDINAL_FLAG64; + } + else + { + FileFixed = false; + } + } + } + } + } + } + } + CurrentThunk = CurrentThunk + 8; + ThunkData64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ThunkData64 + sizeof IMAGE_THUNK_DATA64); + } + } + if(hLoadedModuleSimulated) + { + VirtualFree((LPVOID)hLoadedModule, NULL, MEM_RELEASE); + } + ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof IMAGE_IMPORT_DESCRIPTOR); + } + } + } + } + /* + Fixing Export table + */ + if(myFileStatusInfo->ExportTable == UE_FIELD_NOT_PRESET_WARNING) + { + FileFixed = false; + } + else if(myFileFixInfo->DontFixExports == false && myFileStatusInfo->ExportTable != UE_FIELD_OK && myFileStatusInfo->ExportTable != UE_FIELD_NOT_PRESET) + { + if(PEHeader64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_EXPORT && PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress != NULL) + { + if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress > CorrectedImageSize || PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size > CorrectedImageSize) + { + myFileFixInfo->StrippedExports = true; + myFileFixInfo->OriginalExportTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; + myFileFixInfo->OriginalExportTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress = NULL; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size = NULL; + } + else + { + FeatureFixed = true; + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress != NULL) + { + if(EngineIsBadReadPtrEx((LPVOID)ConvertedAddress, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size)) + { + PEExports = (PIMAGE_EXPORT_DIRECTORY)ConvertedAddress; + if(PEExports->AddressOfFunctions > CorrectedImageSize || PEExports->AddressOfFunctions + 4 * PEExports->NumberOfFunctions > CorrectedImageSize) + { + FeatureFixed = false; + } + else if(PEExports->AddressOfNameOrdinals > CorrectedImageSize || PEExports->AddressOfNameOrdinals + 4 * PEExports->NumberOfNames > CorrectedImageSize) + { + FeatureFixed = false; + } + else if(PEExports->AddressOfNames > CorrectedImageSize || PEExports->AddressOfNames + 4 * PEExports->NumberOfNames > CorrectedImageSize) + { + FeatureFixed = false; + } + else if(PEExports->Name > CorrectedImageSize) + { + FeatureFixed = false; + } + if(!FeatureFixed) + { + myFileFixInfo->StrippedExports = true; + myFileFixInfo->OriginalExportTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; + myFileFixInfo->OriginalExportTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress = NULL; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size = NULL; + } + } + else + { + myFileFixInfo->StrippedExports = true; + myFileFixInfo->OriginalExportTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; + myFileFixInfo->OriginalExportTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress = NULL; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size = NULL; + } + } + } + } + } + /* + Fixing Relocation table + */ + if(myFileStatusInfo->FileIsDLL == true && myFileStatusInfo->RelocationTable == UE_FIELD_BROKEN_NON_FIXABLE) + { + FileFixed = false; + } + else if(myFileFixInfo->DontFixRelocations == false && myFileStatusInfo->RelocationTable != UE_FIELD_OK) + { + if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress > CorrectedImageSize || PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size > CorrectedImageSize) + { + if(myFileStatusInfo->FileIsDLL) + { + FileFixed = false; + } + else + { + myFileFixInfo->StrippedRelocation = true; + myFileFixInfo->OriginalRelocationTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress; + myFileFixInfo->OriginalRelocationTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = NULL; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = NULL; + } + } + else + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress != NULL) + { + if(EngineIsBadReadPtrEx((LPVOID)ConvertedAddress, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size)) + { + RtlMoveMemory(&ReadData, (LPVOID)ConvertedAddress, 4); + RtlMoveMemory(&ReadSize, (LPVOID)(ConvertedAddress + 4), 4); + while(ReadData != NULL) + { + ReadSize = ReadSize - 8; + ConvertedAddress = ConvertedAddress + 8; + while(ReadSize > NULL) + { + RtlMoveMemory(&ReadDataWORD, (LPVOID)ConvertedAddress, 2); + if(ReadDataWORD > 0xCFFF) + { + RtlZeroMemory((LPVOID)ConvertedAddress, 2); + } + ConvertedAddress = ConvertedAddress + 2; + ReadSize = ReadSize - 2; + } + RtlMoveMemory(&ReadData, (LPVOID)ConvertedAddress, 4); + RtlMoveMemory(&ReadSize, (LPVOID)(ConvertedAddress + 4), 4); + } + } + else + { + if(myFileStatusInfo->FileIsDLL) + { + FileFixed = false; + } + else + { + myFileFixInfo->StrippedRelocation = true; + myFileFixInfo->OriginalRelocationTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress; + myFileFixInfo->OriginalRelocationTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = NULL; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = NULL; + } + } + } + else + { + if(myFileStatusInfo->FileIsDLL) + { + FileFixed = false; + } + else + { + myFileFixInfo->StrippedRelocation = true; + myFileFixInfo->OriginalRelocationTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress; + myFileFixInfo->OriginalRelocationTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = NULL; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = NULL; + } + } + } + } + else if(myFileStatusInfo->RelocationTable == UE_FIELD_OK) + { + // Filter case! + } + else + { + FileFixed = false; + } + /* + Fixing Resource table + */ + if(myFileFixInfo->DontFixResources == false && myFileStatusInfo->ResourceData != UE_FIELD_OK && myFileStatusInfo->ResourceData != UE_FIELD_NOT_PRESET) + { + myFileFixInfo->StrippedResources = true; + myFileFixInfo->OriginalResourceTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress; + myFileFixInfo->OriginalResourceTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress = NULL; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size = NULL; + } + else if(myFileFixInfo->DontFixResources == false && myFileStatusInfo->ResourceTable != UE_FIELD_OK && myFileStatusInfo->ResourceTable != UE_FIELD_NOT_PRESET) + { + if(PEHeader64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_RESOURCE && PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress != NULL) + { + if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress > CorrectedImageSize || PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size > CorrectedImageSize) + { + myFileFixInfo->StrippedResources = true; + myFileFixInfo->OriginalResourceTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress; + myFileFixInfo->OriginalResourceTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress = NULL; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size = NULL; + } + else + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize || ConvertedAddress - FileMapVA + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size > FileSize) + { + myFileFixInfo->StrippedResources = true; + myFileFixInfo->OriginalResourceTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress; + myFileFixInfo->OriginalResourceTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress = NULL; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size = NULL; + } + } + } + } + /* + Fixing TLS table + */ + if(myFileFixInfo->DontFixTLS == false && myFileStatusInfo->TLSTable != UE_FIELD_OK && myFileStatusInfo->TLSTable != UE_FIELD_NOT_PRESET) + { + if(PEHeader64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_TLS && PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress != NULL) + { + if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress > CorrectedImageSize || PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size > CorrectedImageSize) + { + myFileFixInfo->StrippedTLS = true; + myFileFixInfo->OriginalTLSTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress; + myFileFixInfo->OriginalTLSTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = NULL; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = NULL; + } + else + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) + { + myFileFixInfo->StrippedTLS = true; + myFileFixInfo->OriginalTLSTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress; + myFileFixInfo->OriginalTLSTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = NULL; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = NULL; + } + else + { + FeatureFixed = true; + PETls64 = (PIMAGE_TLS_DIRECTORY64)ConvertedAddress; + if(PETls64->StartAddressOfRawData != NULL && (PETls64->StartAddressOfRawData < (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase || PETls64->StartAddressOfRawData > CorrectedImageSize + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase)) + { + FeatureFixed = false; + } + else if(PETls64->EndAddressOfRawData != NULL && (PETls64->EndAddressOfRawData < (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase || PETls64->EndAddressOfRawData > CorrectedImageSize + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase)) + { + FeatureFixed = false; + } + else if(PETls64->AddressOfIndex != NULL && (PETls64->AddressOfIndex < (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase || PETls64->AddressOfIndex > CorrectedImageSize + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase)) + { + FeatureFixed = false; + } + else if(PETls64->AddressOfCallBacks != NULL && (PETls64->AddressOfCallBacks < (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase || PETls64->AddressOfCallBacks > CorrectedImageSize + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase)) + { + FeatureFixed = false; + } + if(!FeatureFixed) + { + myFileFixInfo->StrippedTLS = true; + myFileFixInfo->OriginalTLSTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress; + myFileFixInfo->OriginalTLSTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = NULL; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = NULL; + } + else + { + if(PETls64->AddressOfCallBacks != NULL) + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, (ULONG_PTR)PETls64->AddressOfCallBacks + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress != NULL) + { + while(ReadData != NULL) + { + RtlMoveMemory(&ReadDataQWORD, (LPVOID)ConvertedAddress, 8); + if(ReadDataQWORD < (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase || ReadDataQWORD > CorrectedImageSize + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase) + { + RtlZeroMemory((LPVOID)ConvertedAddress, 8); + } + ConvertedAddress = ConvertedAddress + 8; + } + } + } + } + } + } + } + } + /* + Fix Load config table + */ + if(myFileFixInfo->DontFixLoadConfig == false && myFileStatusInfo->LoadConfigTable != UE_FIELD_OK && myFileStatusInfo->LoadConfigTable != UE_FIELD_NOT_PRESET) + { + if(PEHeader64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG && PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress != NULL) + { + if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress > CorrectedImageSize || PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size > CorrectedImageSize) + { + myFileFixInfo->StrippedLoadConfig = true; + myFileFixInfo->OriginalLoadConfigTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress; + myFileFixInfo->OriginalLoadConfigTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress = NULL; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size = NULL; + } + else + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) + { + myFileFixInfo->StrippedLoadConfig = true; + myFileFixInfo->OriginalLoadConfigTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress; + myFileFixInfo->OriginalLoadConfigTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress = NULL; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size = NULL; + } + } + } + } + /* + Fix Bound import table + */ + if(myFileFixInfo->DontFixBoundImports == false && myFileStatusInfo->BoundImportTable != UE_FIELD_OK && myFileStatusInfo->BoundImportTable != UE_FIELD_NOT_PRESET) + { + if(PEHeader64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT && PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress != NULL) + { + if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress > CorrectedImageSize || PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size > CorrectedImageSize) + { + myFileFixInfo->StrippedBoundImports = true; + myFileFixInfo->OriginalBoundImportTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress; + myFileFixInfo->OriginalBoundImportTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress = NULL; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size = NULL; + } + else + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) + { + myFileFixInfo->StrippedBoundImports = true; + myFileFixInfo->OriginalBoundImportTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress; + myFileFixInfo->OriginalBoundImportTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress = NULL; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size = NULL; + } + } + } + } + /* + Fix IAT + */ + if(myFileFixInfo->DontFixIAT == false && myFileStatusInfo->IATTable != UE_FIELD_OK && myFileStatusInfo->IATTable != UE_FIELD_NOT_PRESET) + { + if(PEHeader64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_IAT && PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress != NULL) + { + if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress > CorrectedImageSize || PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].Size > CorrectedImageSize) + { + myFileFixInfo->StrippedIAT = true; + myFileFixInfo->OriginalImportAddressTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress; + myFileFixInfo->OriginalImportAddressTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].Size; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress = NULL; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size = NULL; + } + else + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) + { + myFileFixInfo->StrippedIAT = true; + myFileFixInfo->OriginalImportAddressTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress; + myFileFixInfo->OriginalImportAddressTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].Size; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress = NULL; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size = NULL; + } + } + } + } + /* + Fix COM header + */ + if(myFileFixInfo->DontFixCOM == false && myFileStatusInfo->COMHeaderTable != UE_FIELD_OK && myFileStatusInfo->COMHeaderTable != UE_FIELD_NOT_PRESET) + { + if(PEHeader64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR && PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress != NULL) + { + if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress > CorrectedImageSize || PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].Size > CorrectedImageSize) + { + myFileFixInfo->StrippedCOM = true; + myFileFixInfo->OriginalCOMTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress; + myFileFixInfo->OriginalCOMTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].Size; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress = NULL; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].Size = NULL; + } + else + { + ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); + if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) + { + myFileFixInfo->StrippedCOM = true; + myFileFixInfo->OriginalCOMTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress; + myFileFixInfo->OriginalCOMTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].Size; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress = NULL; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].Size = NULL; + } + } + } + } + /* + Fix sections and SizeOfImage + */ + if(myFileStatusInfo->SectionTable != UE_FIELD_OK || myFileStatusInfo->SizeOfImage != UE_FIELD_OK) + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + NumberOfSections = PEHeader64->FileHeader.NumberOfSections; + while(NumberOfSections > NULL) + { + SectionVirtualSize = PESections->VirtualAddress + PESections->Misc.VirtualSize; + if(PESections->Misc.VirtualSize % PEHeader64->OptionalHeader.SectionAlignment == NULL) + { + SectionVirtualSizeFixed = SectionVirtualSize; + } + else + { + SectionVirtualSizeFixed = PESections->VirtualAddress + (((PESections->Misc.VirtualSize / PEHeader64->OptionalHeader.SectionAlignment) + 1) * PEHeader64->OptionalHeader.SectionAlignment); + } + if(NumberOfSections > 1) + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + sizeof IMAGE_SECTION_HEADER); + if(SectionVirtualSize > PESections->VirtualAddress || SectionVirtualSizeFixed > PESections->VirtualAddress) + { + PESections->Misc.VirtualSize = SectionVirtualSizeFixed; + } + } + NumberOfSections--; + } + if(PESections->PointerToRawData + PESections->SizeOfRawData > FileSize && PESections->SizeOfRawData != NULL) + { + PESections->SizeOfRawData = FileSize - PESections->PointerToRawData; + } + if(myFileStatusInfo->SizeOfImage != UE_FIELD_OK) + { + SectionVirtualSizeFixed = SectionVirtualSizeFixed + 0xF000; + if(PEHeader64->OptionalHeader.SizeOfImage > SectionVirtualSizeFixed) + { + PEHeader64->OptionalHeader.SizeOfImage = SectionVirtualSizeFixed - 0xF000; + } + } + } + /* + Entry point check + */ + if(myFileStatusInfo->EntryPoint != UE_FIELD_OK) + { + SectionNumber = GetPE32SectionNumberFromVA(FileMapVA, PEHeader64->OptionalHeader.AddressOfEntryPoint + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase); + if(SectionNumber != -1) + { + SectionAttributes = (DWORD)GetPE32DataFromMappedFile(FileMapVA, SectionNumber, UE_SECTIONFLAGS); + if(SectionAttributes & IMAGE_SCN_MEM_EXECUTE || SectionAttributes & IMAGE_SCN_CNT_CODE) + { + // Should never execute + } + else + { + if(!SetPE32DataForMappedFile(FileMapVA, SectionNumber, UE_SECTIONFLAGS, 0xE0000020)) + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(false); + } + } + } + } + /* + Fix end + */ + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + if(FileFixed) + { + myFileFixInfo->OveralEvaluation = UE_RESULT_FILE_OK; + myFileFixInfo->FileFixPerformed = FileFixed; + } + return(true); + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + myFileFixInfo->FixingTerminatedByException = true; + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(false); + } + } + } + else + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(false); + } + } + } + else if(myFileFixInfo->FileFixPerformed) + { + if(MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) + { + DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; + if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true)) + { + PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + if(PEHeader32->Signature == 0x4550 && PEHeader32->OptionalHeader.Magic == 0x10B) + { + FileIs64 = false; + } + else if(PEHeader32->Signature == 0x4550 && PEHeader32->OptionalHeader.Magic == 0x20B) + { + FileIs64 = true; + } + else + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(false); + } + if(!FileIs64) + { + if(myFileFixInfo->StrippedRelocation) + { + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = myFileFixInfo->OriginalRelocationTableAddress; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = myFileFixInfo->OriginalRelocationTableSize; + } + if(myFileFixInfo->StrippedExports) + { + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress = myFileFixInfo->OriginalExportTableAddress; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size = myFileFixInfo->OriginalExportTableSize; + } + if(myFileFixInfo->StrippedResources) + { + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress = myFileFixInfo->OriginalResourceTableAddress; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size = myFileFixInfo->OriginalResourceTableSize; + } + if(myFileFixInfo->StrippedTLS) + { + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = myFileFixInfo->OriginalTLSTableAddress; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = myFileFixInfo->OriginalTLSTableSize; + } + if(myFileFixInfo->StrippedLoadConfig) + { + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress = myFileFixInfo->OriginalLoadConfigTableAddress; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size = myFileFixInfo->OriginalLoadConfigTableSize; + } + if(myFileFixInfo->StrippedBoundImports) + { + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress = myFileFixInfo->OriginalBoundImportTableAddress; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size = myFileFixInfo->OriginalBoundImportTableSize; + } + if(myFileFixInfo->StrippedIAT) + { + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress = myFileFixInfo->OriginalImportAddressTableAddress; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].Size = myFileFixInfo->OriginalImportAddressTableSize; + } + if(myFileFixInfo->StrippedCOM) + { + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress = myFileFixInfo->OriginalCOMTableAddress; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].Size = myFileFixInfo->OriginalCOMTableSize; + } + } + else + { + if(myFileFixInfo->StrippedRelocation) + { + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = myFileFixInfo->OriginalRelocationTableAddress; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = myFileFixInfo->OriginalRelocationTableSize; + } + if(myFileFixInfo->StrippedExports) + { + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress = myFileFixInfo->OriginalExportTableAddress; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size = myFileFixInfo->OriginalExportTableSize; + } + if(myFileFixInfo->StrippedResources) + { + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress = myFileFixInfo->OriginalResourceTableAddress; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size = myFileFixInfo->OriginalResourceTableSize; + } + if(myFileFixInfo->StrippedTLS) + { + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = myFileFixInfo->OriginalTLSTableAddress; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = myFileFixInfo->OriginalTLSTableSize; + } + if(myFileFixInfo->StrippedLoadConfig) + { + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress = myFileFixInfo->OriginalLoadConfigTableAddress; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size = myFileFixInfo->OriginalLoadConfigTableSize; + } + if(myFileFixInfo->StrippedBoundImports) + { + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress = myFileFixInfo->OriginalBoundImportTableAddress; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size = myFileFixInfo->OriginalBoundImportTableSize; + } + if(myFileFixInfo->StrippedIAT) + { + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress = myFileFixInfo->OriginalImportAddressTableAddress; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].Size = myFileFixInfo->OriginalImportAddressTableSize; + } + if(myFileFixInfo->StrippedCOM) + { + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress = myFileFixInfo->OriginalCOMTableAddress; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].Size = myFileFixInfo->OriginalCOMTableSize; + } + } + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(true); + } + } + } + return(false); +} \ No newline at end of file diff --git a/TitanEngine/TitanEngine.PE.Overlay.cpp b/TitanEngine/TitanEngine.PE.Overlay.cpp new file mode 100644 index 0000000..a59c484 --- /dev/null +++ b/TitanEngine/TitanEngine.PE.Overlay.cpp @@ -0,0 +1,412 @@ +#include "stdafx.h" +#include "definitions.h" +#include "Global.Handle.h" +#include "Global.Mapping.h" +#include "Global.Engine.h" + +static char* szSharedOverlay = 0; +static wchar_t* szSharedOverlayW = 0; + +__declspec(dllexport) bool TITCALL FindOverlay(char* szFileName, LPDWORD OverlayStart, LPDWORD OverlaySize) +{ + + wchar_t uniFileName[MAX_PATH] = {}; + + if(szFileName != NULL) + { + MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); + return(FindOverlayW(uniFileName, OverlayStart, OverlaySize)); + } + else + { + return(false); + } +} + +__declspec(dllexport) bool TITCALL FindOverlayW(wchar_t* szFileName, LPDWORD OverlayStart, LPDWORD OverlaySize) +{ + + PIMAGE_DOS_HEADER DOSHeader; + PIMAGE_NT_HEADERS32 PEHeader32; + PIMAGE_NT_HEADERS64 PEHeader64; + PIMAGE_SECTION_HEADER PESections; + DWORD SectionNumber = 0; + DWORD SectionRawOffset = 0; + DWORD SectionRawSize = 0; + BOOL FileIs64; + HANDLE FileHandle; + DWORD FileSize; + HANDLE FileMap; + ULONG_PTR FileMapVA; + + if(MapFileExW(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) + { + DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; + if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true)) + { + PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + if(PEHeader32->OptionalHeader.Magic == 0x10B) + { + FileIs64 = false; + } + else if(PEHeader32->OptionalHeader.Magic == 0x20B) + { + FileIs64 = true; + } + else + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(false); + } + if(!FileIs64) + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + SectionNumber = PEHeader32->FileHeader.NumberOfSections; + __try + { + while(SectionNumber > 0) + { + if(PESections->PointerToRawData >= SectionRawOffset) + { + if(PESections->SizeOfRawData != NULL || (SectionRawOffset != PESections->PointerToRawData)) + { + SectionRawSize = PESections->SizeOfRawData; + } + SectionRawOffset = PESections->PointerToRawData; + } + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); + SectionNumber--; + } + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + if(SectionRawOffset + SectionRawSize < FileSize) + { + if(OverlayStart != NULL && OverlaySize != NULL) + { + *OverlayStart = (DWORD)(SectionRawOffset + SectionRawSize); + *OverlaySize = (DWORD)(FileSize - SectionRawOffset - SectionRawSize); + } + return(true); + } + else + { + return(false); + } + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(false); + } + } + else + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + SectionNumber = PEHeader64->FileHeader.NumberOfSections; + __try + { + while(SectionNumber > 0) + { + if(PESections->PointerToRawData >= SectionRawOffset) + { + if(PESections->SizeOfRawData != NULL || (SectionRawOffset != PESections->PointerToRawData)) + { + SectionRawSize = PESections->SizeOfRawData; + } + SectionRawOffset = PESections->PointerToRawData; + } + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); + SectionNumber--; + } + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + if(SectionRawOffset + SectionRawSize < FileSize) + { + if(OverlayStart != NULL && OverlaySize != NULL) + { + *OverlayStart = (DWORD)(SectionRawOffset + SectionRawSize); + *OverlaySize = (DWORD)(FileSize - SectionRawOffset - SectionRawSize); + } + return(true); + } + else + { + return(false); + } + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(false); + } + } + } + else + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(false); + } + } + return(false); +} +__declspec(dllexport) bool TITCALL ExtractOverlay(char* szFileName, char* szExtactedFileName) +{ + + wchar_t uniFileName[MAX_PATH] = {}; + wchar_t uniExtactedFileName[MAX_PATH] = {}; + + if(szFileName != NULL && szExtactedFileName != NULL) + { + MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); + MultiByteToWideChar(CP_ACP, NULL, szExtactedFileName, lstrlenA(szExtactedFileName)+1, uniExtactedFileName, sizeof(uniExtactedFileName)/(sizeof(uniExtactedFileName[0]))); + return(ExtractOverlayW(uniFileName, uniExtactedFileName)); + } + else + { + return(false); + } +} +__declspec(dllexport) bool TITCALL ExtractOverlayW(wchar_t* szFileName, wchar_t* szExtactedFileName) +{ + + HANDLE hFile = 0; + HANDLE hFileWrite = 0; + BOOL Return = false; + DWORD OverlayStart = 0; + DWORD OverlaySize = 0; + DWORD ueNumberOfBytesRead = 0; + LPVOID ueReadBuffer = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); + + Return = FindOverlayW(szFileName, &OverlayStart, &OverlaySize); + if(Return) + { + hFile = CreateFileW(szFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); + if(hFile != INVALID_HANDLE_VALUE) + { + if(EngineCreatePathForFileW(szExtactedFileName)) + { + hFileWrite = CreateFileW(szExtactedFileName, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); + if(hFileWrite != INVALID_HANDLE_VALUE) + { + SetFilePointer(hFile, OverlayStart, NULL, FILE_BEGIN); + while(OverlaySize > 0) + { + RtlZeroMemory(ueReadBuffer, 0x2000); + + if(OverlaySize > 0x1000) + { + if(ReadFile(hFile, ueReadBuffer, 0x1000, &ueNumberOfBytesRead, NULL)) + { + if(!WriteFile(hFileWrite, ueReadBuffer, 0x1000, &ueNumberOfBytesRead, NULL)) + return false; + } + else + { + return false; + } + + OverlaySize = OverlaySize - 0x1000; + } + else + { + if(ReadFile(hFile, ueReadBuffer, OverlaySize, &ueNumberOfBytesRead, NULL)) + { + if(!WriteFile(hFileWrite, ueReadBuffer, OverlaySize, &ueNumberOfBytesRead, NULL)) + return false; + } + else + { + return false; + } + + OverlaySize = 0; + } + } + VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); + EngineCloseHandle(hFile); + EngineCloseHandle(hFileWrite); + return(true); + } + else + { + VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); + EngineCloseHandle(hFile); + return(false); + } + } + } + } + VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); + return(false); +} +__declspec(dllexport) bool TITCALL AddOverlay(char* szFileName, char* szOverlayFileName) +{ + + wchar_t uniFileName[MAX_PATH] = {}; + wchar_t uniOverlayFileName[MAX_PATH] = {}; + + if(szFileName != NULL && szOverlayFileName != NULL) + { + MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); + MultiByteToWideChar(CP_ACP, NULL, szOverlayFileName, lstrlenA(szOverlayFileName)+1, uniOverlayFileName, sizeof(uniOverlayFileName)/(sizeof(uniOverlayFileName[0]))); + return(AddOverlayW(uniFileName, uniOverlayFileName)); + } + else + { + return(false); + } +} +__declspec(dllexport) bool TITCALL AddOverlayW(wchar_t* szFileName, wchar_t* szOverlayFileName) +{ + + HANDLE hFile = 0; + HANDLE hFileRead = 0; + DWORD FileSize = 0; + DWORD OverlaySize = 0; + ULONG_PTR ueNumberOfBytesRead = 0; + DWORD uedNumberOfBytesRead = 0; + LPVOID ueReadBuffer = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); + + hFile = CreateFileW(szFileName, GENERIC_READ+GENERIC_WRITE, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); + if(hFile != INVALID_HANDLE_VALUE) + { + hFileRead = CreateFileW(szOverlayFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); + if(hFileRead != INVALID_HANDLE_VALUE) + { + FileSize = GetFileSize(hFile, NULL); + OverlaySize = GetFileSize(hFileRead, NULL); + SetFilePointer(hFile, FileSize, NULL, FILE_BEGIN); + while(OverlaySize > 0) + { + RtlZeroMemory(ueReadBuffer, 0x2000); + + if(OverlaySize > 0x1000) + { + if(ReadFile(hFileRead, ueReadBuffer, 0x1000, &uedNumberOfBytesRead, NULL)) + { + if(!WriteFile(hFile, ueReadBuffer, 0x1000, &uedNumberOfBytesRead, NULL)) + return false; + } + else + { + return false; + } + + OverlaySize = OverlaySize - 0x1000; + } + else + { + if(ReadFile(hFileRead, ueReadBuffer, OverlaySize, &uedNumberOfBytesRead, NULL)) + { + if(!WriteFile(hFile, ueReadBuffer, OverlaySize, &uedNumberOfBytesRead, NULL)) + return false; + } + else + { + return false; + } + + OverlaySize = 0; + } + } + EngineCloseHandle(hFile); + EngineCloseHandle(hFileRead); + return(true); + } + else + { + EngineCloseHandle(hFile); + return(false); + } + } + return(false); +} +__declspec(dllexport) bool TITCALL CopyOverlay(char* szInFileName, char* szOutFileName) +{ + + wchar_t uniInFileName[MAX_PATH] = {}; + wchar_t uniOutFileName[MAX_PATH] = {}; + + if(szInFileName != NULL && szOutFileName != NULL) + { + MultiByteToWideChar(CP_ACP, NULL, szInFileName, lstrlenA(szInFileName)+1, uniInFileName, sizeof(uniInFileName)/(sizeof(uniInFileName[0]))); + MultiByteToWideChar(CP_ACP, NULL, szOutFileName, lstrlenA(szOutFileName)+1, uniOutFileName, sizeof(uniOutFileName)/(sizeof(uniOutFileName[0]))); + return(CopyOverlayW(uniInFileName, uniOutFileName)); + } + else + { + return(false); + } +} +__declspec(dllexport) bool TITCALL CopyOverlayW(wchar_t* szInFileName, wchar_t* szOutFileName) +{ + + wchar_t szTempName[MAX_PATH] = {}; + wchar_t szTempFolder[MAX_PATH] = {}; + + if(GetTempPathW(MAX_PATH, szTempFolder) < MAX_PATH) + { + if(GetTempFileNameW(szTempFolder, L"OverlayTemp", GetTickCount() + 101, szTempName)) + { + if(ExtractOverlayW(szInFileName, szTempName)) + { + AddOverlayW(szOutFileName, szTempName); + DeleteFileW(szTempName); + return(true); + } + } + } + return(false); +} +__declspec(dllexport) bool TITCALL RemoveOverlay(char* szFileName) +{ + + wchar_t uniFileName[MAX_PATH] = {}; + + if(szFileName != NULL) + { + MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); + return(RemoveOverlayW(uniFileName)); + } + else + { + return(false); + } +} +__declspec(dllexport) bool TITCALL RemoveOverlayW(wchar_t* szFileName) +{ + + HANDLE FileHandle; + DWORD FileSize; + HANDLE FileMap; + ULONG_PTR FileMapVA; + DWORD OverlayStart = 0; + DWORD OverlaySize = 0; + + if(FindOverlayW(szFileName, &OverlayStart, &OverlaySize)) + { + if(MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) + { + FileSize = FileSize - OverlaySize; + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(true); + } + } + return(false); +} + +__declspec(dllexport) void TITCALL SetSharedOverlay(char* szFileName) +{ + szSharedOverlay = szFileName; +} +__declspec(dllexport) void TITCALL SetSharedOverlayW(wchar_t* szFileName) +{ + szSharedOverlayW = szFileName; +} +__declspec(dllexport) char* TITCALL GetSharedOverlay() +{ + return(szSharedOverlay); +} +__declspec(dllexport) wchar_t* TITCALL GetSharedOverlayW() +{ + return(szSharedOverlayW); +} \ No newline at end of file diff --git a/TitanEngine/TitanEngine.PE.Section.cpp b/TitanEngine/TitanEngine.PE.Section.cpp new file mode 100644 index 0000000..4dd92dc --- /dev/null +++ b/TitanEngine/TitanEngine.PE.Section.cpp @@ -0,0 +1,1553 @@ +#include "stdafx.h" +#include "definitions.h" +#include "Global.Engine.h" +#include "Global.Handle.h" +#include "Global.Mapping.h" + +__declspec(dllexport) bool TITCALL ExtractSection(char* szFileName, char* szDumpFileName, DWORD SectionNumber) +{ + wchar_t uniFileName[MAX_PATH] = {}; + wchar_t uniDumpFileName[MAX_PATH] = {}; + + if(szFileName != NULL && szDumpFileName != NULL) + { + MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); + MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, lstrlenA(szDumpFileName)+1, uniDumpFileName, sizeof(uniDumpFileName)/(sizeof(uniDumpFileName[0]))); + return(ExtractSectionW(uniFileName, uniDumpFileName, SectionNumber)); + } + else + { + return(false); + } +} + +__declspec(dllexport) bool TITCALL ExtractSectionW(wchar_t* szFileName, wchar_t* szDumpFileName, DWORD SectionNumber) +{ + + PIMAGE_DOS_HEADER DOSHeader; + PIMAGE_NT_HEADERS32 PEHeader32; + PIMAGE_NT_HEADERS64 PEHeader64; + PIMAGE_SECTION_HEADER PESections; + DWORD NumberOfBytesWritten; + BOOL FileIs64; + HANDLE FileHandle; + DWORD FileSize; + HANDLE FileMap; + ULONG_PTR FileMapVA; + HANDLE hFile; + + if(MapFileExW(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) + { + DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; + if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true)) + { + PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + if(PEHeader32->OptionalHeader.Magic == 0x10B) + { + FileIs64 = false; + } + else if(PEHeader32->OptionalHeader.Magic == 0x20B) + { + FileIs64 = true; + } + else + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(false); + } + if(!FileIs64) + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + if(SectionNumber <= PEHeader32->FileHeader.NumberOfSections) + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + SectionNumber * IMAGE_SIZEOF_SECTION_HEADER); + if(EngineCreatePathForFileW(szDumpFileName)) + { + hFile = CreateFileW(szDumpFileName, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); + if(hFile != INVALID_HANDLE_VALUE) + { + __try + { + WriteFile(hFile, (LPCVOID)(FileMapVA + PESections->PointerToRawData), PESections->SizeOfRawData, &NumberOfBytesWritten, NULL); + EngineCloseHandle(hFile); + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(true); + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + EngineCloseHandle(hFile); + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + DeleteFileW(szDumpFileName); + return(false); + } + } + } + } + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(false); + } + else + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + if(SectionNumber <= PEHeader64->FileHeader.NumberOfSections) + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + SectionNumber * IMAGE_SIZEOF_SECTION_HEADER); + if(EngineCreatePathForFileW(szDumpFileName)) + { + hFile = CreateFileW(szDumpFileName, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); + if(hFile != INVALID_HANDLE_VALUE) + { + __try + { + WriteFile(hFile, (LPCVOID)(FileMapVA + PESections->PointerToRawData), PESections->SizeOfRawData, &NumberOfBytesWritten, NULL); + EngineCloseHandle(hFile); + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(true); + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + EngineCloseHandle(hFile); + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + DeleteFileW(szDumpFileName); + return(false); + } + } + } + } + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(false); + } + } + else + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(false); + } + } + return(false); +} + +__declspec(dllexport) bool TITCALL ResortFileSections(char* szFileName) +{ + + wchar_t uniFileName[MAX_PATH] = {}; + + if(szFileName != NULL) + { + MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); + return(ResortFileSectionsW(uniFileName)); + } + else + { + return(false); + } +} + +__declspec(dllexport) bool TITCALL ResortFileSectionsW(wchar_t* szFileName) +{ + + int i = 0; + int j = 0; + PIMAGE_DOS_HEADER DOSHeader; + PIMAGE_NT_HEADERS32 PEHeader32; + PIMAGE_NT_HEADERS64 PEHeader64; + PIMAGE_SECTION_HEADER PESections; + DWORD SectionNumber = 0; + BOOL FileIs64; + HANDLE FileHandle; + DWORD FileSize; + HANDLE FileMap; + ULONG_PTR FileMapVA; + wchar_t szBackupFile[MAX_PATH] = {}; + wchar_t szBackupItem[MAX_PATH] = {}; + ULONG_PTR fileSectionData[MAXIMUM_SECTION_NUMBER][3]; + ULONG_PTR fileSectionTemp; + LPVOID sortedFileName; + + if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof szBackupItem)) + { + if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof szBackupItem)) + { + RtlZeroMemory(&szBackupItem, sizeof szBackupItem); + lstrcpyW(szBackupFile, szFileName); + } + } + else + { + RtlZeroMemory(&szBackupItem, sizeof szBackupItem); + lstrcpyW(szBackupFile, szFileName); + } + if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) + { + DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; + if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true)) + { + PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + if(PEHeader32->OptionalHeader.Magic == 0x10B) + { + FileIs64 = false; + } + else if(PEHeader32->OptionalHeader.Magic == 0x20B) + { + FileIs64 = true; + } + else + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(false); + } + if(!FileIs64) + { + sortedFileName = VirtualAlloc(NULL, FileSize, MEM_COMMIT, PAGE_READWRITE); + __try + { + RtlMoveMemory(sortedFileName, (LPVOID)FileMapVA, FileSize); + SectionNumber = PEHeader32->FileHeader.NumberOfSections; + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + while(SectionNumber > 0) + { + fileSectionData[i][0] = (ULONG_PTR)(PESections->PointerToRawData); + fileSectionData[i][1] = PESections->SizeOfRawData; + fileSectionData[i][2] = PEHeader32->FileHeader.NumberOfSections - SectionNumber; + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); + SectionNumber--; + i++; + } + for(j = 0; j < PEHeader32->FileHeader.NumberOfSections; j++) + { + for(i = 0; i < PEHeader32->FileHeader.NumberOfSections; i++) + { + if(fileSectionData[i][0] > fileSectionData[j][0]) + { + fileSectionTemp = fileSectionData[j][0]; + fileSectionData[j][0] = fileSectionData[i][0]; + fileSectionData[i][0] = fileSectionTemp; + fileSectionTemp = fileSectionData[j][1]; + fileSectionData[j][1] = fileSectionData[i][1]; + fileSectionData[i][1] = fileSectionTemp; + } + } + } + for(i = 0; i < PEHeader32->FileHeader.NumberOfSections; i++) + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 - FileMapVA + (ULONG_PTR)sortedFileName + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + fileSectionData[i][2] * IMAGE_SIZEOF_SECTION_HEADER); + RtlMoveMemory((LPVOID)((ULONG_PTR)sortedFileName + fileSectionData[i][0]), (LPVOID)((ULONG_PTR)FileMapVA + PESections->PointerToRawData), fileSectionData[i][1]); + PESections->PointerToRawData = (DWORD)fileSectionData[i][0]; + PESections->SizeOfRawData = (DWORD)fileSectionData[i][1]; + } + RtlMoveMemory((LPVOID)FileMapVA, sortedFileName, FileSize); + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + VirtualFree(sortedFileName, NULL, MEM_RELEASE); + if(szBackupItem[0] != NULL) + { + if(CopyFileW(szBackupFile, szFileName, false)) + { + RemoveGarbageItem(szBackupItem, true); + return(true); + } + else + { + RemoveGarbageItem(szBackupItem, true); + return(false); + } + } + else + { + return(true); + } + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + VirtualFree(sortedFileName, NULL, MEM_RELEASE); + RemoveGarbageItem(szBackupItem, true); + return(false); + } + } + else + { + sortedFileName = VirtualAlloc(NULL, FileSize, MEM_COMMIT, PAGE_READWRITE); + __try + { + RtlMoveMemory(sortedFileName, (LPVOID)FileMapVA, FileSize); + SectionNumber = PEHeader64->FileHeader.NumberOfSections; + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + while(SectionNumber > 0) + { + fileSectionData[i][0] = (ULONG_PTR)(PESections->PointerToRawData); + fileSectionData[i][1] = PESections->SizeOfRawData; + fileSectionData[i][2] = PEHeader64->FileHeader.NumberOfSections - SectionNumber; + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); + SectionNumber--; + i++; + } + for(j = 0; j < PEHeader64->FileHeader.NumberOfSections; j++) + { + for(i = 0; i < PEHeader64->FileHeader.NumberOfSections; i++) + { + if(fileSectionData[i][0] > fileSectionData[j][0]) + { + fileSectionTemp = fileSectionData[j][0]; + fileSectionData[j][0] = fileSectionData[i][0]; + fileSectionData[i][0] = fileSectionTemp; + fileSectionTemp = fileSectionData[j][1]; + fileSectionData[j][1] = fileSectionData[i][1]; + fileSectionData[i][1] = fileSectionTemp; + } + } + } + for(i = 0; i < PEHeader64->FileHeader.NumberOfSections; i++) + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 - FileMapVA + (ULONG_PTR)sortedFileName + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + fileSectionData[i][2] * IMAGE_SIZEOF_SECTION_HEADER); + RtlMoveMemory((LPVOID)((ULONG_PTR)sortedFileName + fileSectionData[i][0]), (LPVOID)((ULONG_PTR)FileMapVA + PESections->PointerToRawData), fileSectionData[i][1]); + PESections->PointerToRawData = (DWORD)fileSectionData[i][0]; + PESections->SizeOfRawData = (DWORD)fileSectionData[i][1]; + } + RtlMoveMemory((LPVOID)FileMapVA, sortedFileName, FileSize); + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + VirtualFree(sortedFileName, NULL, MEM_RELEASE); + if(szBackupItem[0] != NULL) + { + if(CopyFileW(szBackupFile, szFileName, false)) + { + RemoveGarbageItem(szBackupItem, true); + return(true); + } + else + { + RemoveGarbageItem(szBackupItem, true); + return(false); + } + } + else + { + return(true); + } + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + VirtualFree(sortedFileName, NULL, MEM_RELEASE); + RemoveGarbageItem(szBackupItem, true); + return(false); + } + } + } + else + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(false); + } + } + RemoveGarbageItem(szBackupItem, true); + return(false); +} + +__declspec(dllexport) bool TITCALL MakeAllSectionsRWE(char* szFileName) +{ + + wchar_t uniFileName[MAX_PATH] = {}; + + if(szFileName != NULL) + { + MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); + return(MakeAllSectionsRWEW(uniFileName)); + } + else + { + return(false); + } +} + +__declspec(dllexport) bool TITCALL MakeAllSectionsRWEW(wchar_t* szFileName) +{ + + wchar_t szBackupFile[MAX_PATH] = {}; + wchar_t szBackupItem[MAX_PATH] = {}; + PIMAGE_DOS_HEADER DOSHeader; + PIMAGE_NT_HEADERS32 PEHeader32; + PIMAGE_NT_HEADERS64 PEHeader64; + PIMAGE_SECTION_HEADER PESections; + DWORD SectionNumber = 0; + BOOL FileIs64; + HANDLE FileHandle; + DWORD FileSize; + HANDLE FileMap; + ULONG_PTR FileMapVA; + + if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof szBackupItem)) + { + if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof szBackupItem)) + { + RtlZeroMemory(&szBackupItem, sizeof szBackupItem); + lstrcpyW(szBackupFile, szFileName); + } + } + else + { + RtlZeroMemory(&szBackupItem, sizeof szBackupItem); + lstrcpyW(szBackupFile, szFileName); + } + if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) + { + DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; + if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true)) + { + PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + if(PEHeader32->OptionalHeader.Magic == 0x10B) + { + FileIs64 = false; + } + else if(PEHeader32->OptionalHeader.Magic == 0x20B) + { + FileIs64 = true; + } + else + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(false); + } + if(!FileIs64) + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + SectionNumber = PEHeader32->FileHeader.NumberOfSections; + __try + { + while(SectionNumber > 0) + { + PESections->Characteristics = 0xE0000020; + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); + SectionNumber--; + } + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + if(szBackupItem[0] != NULL) + { + if(CopyFileW(szBackupFile, szFileName, false)) + { + RemoveGarbageItem(szBackupItem, true); + return(true); + } + else + { + RemoveGarbageItem(szBackupItem, true); + return(false); + } + } + else + { + return(true); + } + return(true); + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(false); + } + } + else + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + SectionNumber = PEHeader64->FileHeader.NumberOfSections; + __try + { + while(SectionNumber > 0) + { + PESections->Characteristics = 0xE0000020; + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); + SectionNumber--; + } + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + if(szBackupItem[0] != NULL) + { + if(CopyFileW(szBackupFile, szFileName, false)) + { + RemoveGarbageItem(szBackupItem, true); + return(true); + } + else + { + RemoveGarbageItem(szBackupItem, true); + return(false); + } + } + else + { + return(true); + } + return(true); + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(false); + } + } + } + else + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(false); + } + } + RemoveGarbageItem(szBackupItem, true); + return(false); +} + +__declspec(dllexport) long TITCALL AddNewSectionEx(char* szFileName, char* szSectionName, DWORD SectionSize, DWORD SectionAttributes, LPVOID SectionContent, DWORD ContentSize) +{ + + wchar_t uniFileName[MAX_PATH] = {}; + + if(szFileName != NULL) + { + MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); + return(AddNewSectionExW(uniFileName, szSectionName, SectionSize, SectionAttributes, SectionContent, ContentSize)); + } + else + { + return(NULL); + } +} + +__declspec(dllexport) long TITCALL AddNewSectionExW(wchar_t* szFileName, char* szSectionName, DWORD SectionSize, DWORD SectionAttributes, LPVOID SectionContent, DWORD ContentSize) +{ + + bool OverlayHasBeenRemoved = false; + wchar_t szBackupOverlayFile[MAX_PATH] = {}; + wchar_t szBackupFile[MAX_PATH] = {}; + wchar_t szBackupItem[MAX_PATH] = {}; + PIMAGE_DOS_HEADER DOSHeader; + PIMAGE_NT_HEADERS32 PEHeader32; + PIMAGE_NT_HEADERS64 PEHeader64; + PIMAGE_SECTION_HEADER PESections; + DWORD SectionNameLength = 0; + DWORD NewSectionVirtualOffset = 0; + DWORD FileResizeValue = 0; + DWORD LastSectionRawSize = 0; + DWORD alignedSectionSize = 0; + DWORD NtSizeOfImage = 0; + DWORD SectionNumber = 0; + DWORD SpaceLeft = 0; + LPVOID NameOffset; + BOOL FileIs64; + HANDLE FileHandle; + DWORD FileSize; + DWORD OldFileSize = 0; + HANDLE FileMap; + ULONG_PTR FileMapVA; + + if(ContentSize < SectionSize && ContentSize != 0) + { + ContentSize = SectionSize; + } + else if(ContentSize > SectionSize) + { + SectionSize = ContentSize; + } + + if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof szBackupItem)) + { + if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof szBackupItem)) + { + RtlZeroMemory(&szBackupItem, sizeof szBackupItem); + lstrcpyW(szBackupFile, szFileName); + } + if(FindOverlayW(szBackupFile, NULL, NULL)) + { + if(!FillGarbageItem(szBackupItem, NULL, &szBackupOverlayFile, sizeof szBackupItem)) + { + RtlZeroMemory(&szBackupOverlayFile, sizeof szBackupOverlayFile); + } + else + { + if(ExtractOverlayW(szBackupFile, szBackupOverlayFile) && RemoveOverlayW(szBackupFile)) + { + OverlayHasBeenRemoved = true; + } + } + } + } + else + { + RtlZeroMemory(&szBackupItem, sizeof szBackupItem); + lstrcpyW(szBackupFile, szFileName); + } + if(MapFileExW(szBackupFile, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) + { + OldFileSize = FileSize; + DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; + if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true)) + { + PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + if(PEHeader32->OptionalHeader.Magic == 0x10B) + { + FileIs64 = false; + } + else if(PEHeader32->OptionalHeader.Magic == 0x20B) + { + FileIs64 = true; + } + else + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(0); + } + if(!FileIs64) + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + SectionNumber = PEHeader32->FileHeader.NumberOfSections; + __try + { + alignedSectionSize = ((DWORD)SectionSize / PEHeader32->OptionalHeader.FileAlignment) * PEHeader32->OptionalHeader.FileAlignment; + if(alignedSectionSize < SectionSize) + { + SectionSize = alignedSectionSize + PEHeader32->OptionalHeader.FileAlignment; + } + else + { + SectionSize = alignedSectionSize; + } + SpaceLeft = PESections->PointerToRawData - (SectionNumber * IMAGE_SIZEOF_SECTION_HEADER) - DOSHeader->e_lfanew - sizeof IMAGE_NT_HEADERS32; + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + (SectionNumber - 1) * IMAGE_SIZEOF_SECTION_HEADER); + LastSectionRawSize = (PESections->SizeOfRawData / PEHeader32->OptionalHeader.FileAlignment) * PEHeader32->OptionalHeader.FileAlignment; + if(LastSectionRawSize < PESections->SizeOfRawData) + { + LastSectionRawSize = LastSectionRawSize + PEHeader32->OptionalHeader.FileAlignment; + } + LastSectionRawSize = LastSectionRawSize - PESections->SizeOfRawData; + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + FileResizeValue = LastSectionRawSize + SectionSize; + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(0); + } + } + else + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + SectionNumber = PEHeader64->FileHeader.NumberOfSections; + __try + { + alignedSectionSize = ((DWORD)SectionSize / PEHeader64->OptionalHeader.FileAlignment) * PEHeader64->OptionalHeader.FileAlignment; + if(alignedSectionSize < SectionSize) + { + SectionSize = alignedSectionSize + PEHeader64->OptionalHeader.FileAlignment; + } + else + { + SectionSize = alignedSectionSize; + } + SpaceLeft = PESections->PointerToRawData - (SectionNumber * IMAGE_SIZEOF_SECTION_HEADER) - DOSHeader->e_lfanew - sizeof IMAGE_NT_HEADERS64; + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + (SectionNumber - 1) * IMAGE_SIZEOF_SECTION_HEADER); + LastSectionRawSize = (PESections->SizeOfRawData / PEHeader64->OptionalHeader.FileAlignment) * PEHeader64->OptionalHeader.FileAlignment; + if(LastSectionRawSize < PESections->SizeOfRawData) + { + LastSectionRawSize = LastSectionRawSize + PEHeader64->OptionalHeader.FileAlignment; + } + LastSectionRawSize = LastSectionRawSize - PESections->SizeOfRawData; + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + FileResizeValue = LastSectionRawSize + SectionSize; + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(0); + } + } + } + else + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(0); + } + } + if(SpaceLeft > IMAGE_SIZEOF_SECTION_HEADER) + { + if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, FileResizeValue)) + { + DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; + if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true)) + { + PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + if(PEHeader32->OptionalHeader.Magic == 0x10B) + { + FileIs64 = false; + } + else if(PEHeader32->OptionalHeader.Magic == 0x20B) + { + FileIs64 = true; + } + else + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(0); + } + if(!FileIs64) + { + __try + { + if(SectionSize == 0) + { + SectionSize = PEHeader32->OptionalHeader.FileAlignment; + } + alignedSectionSize = ((DWORD)SectionSize / PEHeader32->OptionalHeader.SectionAlignment) * PEHeader32->OptionalHeader.SectionAlignment; + if(alignedSectionSize < SectionSize) + { + alignedSectionSize = alignedSectionSize + PEHeader32->OptionalHeader.SectionAlignment; + } + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + SectionNumber = PEHeader32->FileHeader.NumberOfSections; + PEHeader32->FileHeader.NumberOfSections = PEHeader32->FileHeader.NumberOfSections + 1; + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + (SectionNumber - 1)* IMAGE_SIZEOF_SECTION_HEADER); + NewSectionVirtualOffset = PESections->VirtualAddress + (PESections->Misc.VirtualSize / PEHeader32->OptionalHeader.SectionAlignment) * PEHeader32->OptionalHeader.SectionAlignment; + if(NewSectionVirtualOffset < PESections->VirtualAddress + PESections->Misc.VirtualSize) + { + NewSectionVirtualOffset = NewSectionVirtualOffset + PEHeader32->OptionalHeader.SectionAlignment; + } + PESections->SizeOfRawData = PESections->SizeOfRawData + LastSectionRawSize; + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); + PEHeader32->OptionalHeader.SizeOfImage = NewSectionVirtualOffset + alignedSectionSize; + NameOffset = &PESections->Name; + if(lstrlenA(szSectionName) >= 8) + { + SectionNameLength = 8; + } + else + { + SectionNameLength = lstrlenA(szSectionName); + } + RtlMoveMemory(NameOffset, szSectionName, SectionNameLength); + if(SectionAttributes == 0) + { + PESections->Characteristics = 0xE0000020; + } + else + { + PESections->Characteristics = (DWORD)(SectionAttributes); + } + PESections->Misc.VirtualSize = alignedSectionSize; + PESections->SizeOfRawData = (DWORD)(SectionSize); + PESections->VirtualAddress = NewSectionVirtualOffset; + PESections->PointerToRawData = OldFileSize + LastSectionRawSize; + if(SectionContent != NULL) + { + RtlMoveMemory((LPVOID)(FileMapVA + OldFileSize), SectionContent, ContentSize); + } + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + if(szBackupItem[0] != NULL) + { + if(CopyFileW(szBackupFile, szFileName, false)) + { + if(OverlayHasBeenRemoved && !AddOverlayW(szFileName, szBackupOverlayFile)) + { + RemoveGarbageItem(szBackupItem, true); + return(0); + } + RemoveGarbageItem(szBackupItem, true); + return(NewSectionVirtualOffset); + } + else + { + RemoveGarbageItem(szBackupItem, true); + return(0); + } + } + else + { + return(NewSectionVirtualOffset); + } + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(0); + } + } + else + { + __try + { + if(SectionSize == 0) + { + SectionSize = PEHeader64->OptionalHeader.FileAlignment; + } + alignedSectionSize = ((DWORD)SectionSize / PEHeader64->OptionalHeader.SectionAlignment) * PEHeader64->OptionalHeader.SectionAlignment; + if(alignedSectionSize < SectionSize) + { + alignedSectionSize = alignedSectionSize + PEHeader64->OptionalHeader.SectionAlignment; + } + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + SectionNumber = PEHeader64->FileHeader.NumberOfSections; + PEHeader32->FileHeader.NumberOfSections = PEHeader32->FileHeader.NumberOfSections + 1; + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + (SectionNumber - 1)* IMAGE_SIZEOF_SECTION_HEADER); + NewSectionVirtualOffset = PESections->VirtualAddress + (PESections->Misc.VirtualSize / PEHeader64->OptionalHeader.SectionAlignment) * PEHeader64->OptionalHeader.SectionAlignment; + if(NewSectionVirtualOffset < PESections->VirtualAddress + PESections->Misc.VirtualSize) + { + NewSectionVirtualOffset = NewSectionVirtualOffset + PEHeader64->OptionalHeader.SectionAlignment; + } + PESections->SizeOfRawData = PESections->SizeOfRawData + LastSectionRawSize; + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); + PEHeader64->OptionalHeader.SizeOfImage = NewSectionVirtualOffset + alignedSectionSize; + NameOffset = &PESections->Name; + if(lstrlenA(szSectionName) >= 8) + { + SectionNameLength = 8; + } + else + { + SectionNameLength = lstrlenA(szSectionName); + } + RtlMoveMemory(NameOffset, szSectionName, SectionNameLength); + if(SectionAttributes == 0) + { + PESections->Characteristics = 0xE0000020; + } + else + { + PESections->Characteristics = (DWORD)(SectionAttributes); + } + PESections->Misc.VirtualSize = alignedSectionSize; + PESections->SizeOfRawData = (DWORD)(SectionSize); + PESections->VirtualAddress = NewSectionVirtualOffset; + PESections->PointerToRawData = OldFileSize + LastSectionRawSize; + if(SectionContent != NULL) + { + RtlMoveMemory((LPVOID)(FileMapVA + OldFileSize), SectionContent, ContentSize); + } + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + if(szBackupItem[0] != NULL) + { + if(CopyFileW(szBackupFile, szFileName, false)) + { + if(OverlayHasBeenRemoved && !AddOverlayW(szFileName, szBackupOverlayFile)) + { + RemoveGarbageItem(szBackupItem, true); + return(0); + } + RemoveGarbageItem(szBackupItem, true); + return(NewSectionVirtualOffset); + } + else + { + RemoveGarbageItem(szBackupItem, true); + return(0); + } + } + else + { + return(NewSectionVirtualOffset); + } + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(0); + } + } + } + else + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(0); + } + } + } + RemoveGarbageItem(szBackupItem, true); + return(0); +} + +__declspec(dllexport) long TITCALL AddNewSection(char* szFileName, char* szSectionName, DWORD SectionSize) +{ + return(AddNewSectionEx(szFileName, szSectionName, SectionSize, NULL, NULL, NULL)); +} + +__declspec(dllexport) long TITCALL AddNewSectionW(wchar_t* szFileName, char* szSectionName, DWORD SectionSize) +{ + return(AddNewSectionExW(szFileName, szSectionName, SectionSize, NULL, NULL, NULL)); +} + +__declspec(dllexport) bool TITCALL ResizeLastSection(char* szFileName, DWORD NumberOfExpandBytes, bool AlignResizeData) +{ + + wchar_t uniFileName[MAX_PATH] = {}; + + if(szFileName != NULL) + { + MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); + return(ResizeLastSectionW(uniFileName, NumberOfExpandBytes, AlignResizeData)); + } + else + { + return(false); + } +} + +__declspec(dllexport) bool TITCALL ResizeLastSectionW(wchar_t* szFileName, DWORD NumberOfExpandBytes, bool AlignResizeData) +{ + + wchar_t szBackupFile[MAX_PATH] = {}; + wchar_t szBackupItem[MAX_PATH] = {}; + PIMAGE_DOS_HEADER DOSHeader; + PIMAGE_NT_HEADERS32 PEHeader32; + PIMAGE_NT_HEADERS64 PEHeader64; + PIMAGE_SECTION_HEADER PESections; + DWORD SectionNumber = 0; + DWORD SectionRawSize = 0; + BOOL FileIs64; + HANDLE FileHandle; + DWORD FileSize; + HANDLE FileMap; + ULONG_PTR FileMapVA; + + if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof szBackupItem)) + { + if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof szBackupItem)) + { + RtlZeroMemory(&szBackupItem, sizeof szBackupItem); + lstrcpyW(szBackupFile, szFileName); + } + } + else + { + RtlZeroMemory(&szBackupItem, sizeof szBackupItem); + lstrcpyW(szBackupFile, szFileName); + } + if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NumberOfExpandBytes)) + { + DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; + if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true)) + { + PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + if(PEHeader32->OptionalHeader.Magic == 0x10B) + { + FileIs64 = false; + } + else if(PEHeader32->OptionalHeader.Magic == 0x20B) + { + FileIs64 = true; + } + else + { + FileSize = FileSize - NumberOfExpandBytes; + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(false); + } + if(!FileIs64) + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + SectionNumber = PEHeader32->FileHeader.NumberOfSections; + SectionNumber--; + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + SectionNumber * IMAGE_SIZEOF_SECTION_HEADER); + __try + { + if(AlignResizeData) + { + SectionRawSize = PESections->SizeOfRawData; + if((PESections->SizeOfRawData + NumberOfExpandBytes) % PEHeader32->OptionalHeader.FileAlignment == NULL) + { + PESections->SizeOfRawData = (((PESections->SizeOfRawData + NumberOfExpandBytes) / PEHeader32->OptionalHeader.FileAlignment)) * PEHeader32->OptionalHeader.FileAlignment; + } + else + { + PESections->SizeOfRawData = (((PESections->SizeOfRawData + NumberOfExpandBytes) / PEHeader32->OptionalHeader.FileAlignment) + 1) * PEHeader32->OptionalHeader.FileAlignment; + } + if(SectionRawSize > 0x7FFFFFFF) + { + SectionRawSize = NULL; + } + SectionRawSize = PESections->SizeOfRawData - SectionRawSize - NumberOfExpandBytes; + PEHeader32->OptionalHeader.SizeOfImage = PEHeader32->OptionalHeader.SizeOfImage - PESections->Misc.VirtualSize; + if((PESections->Misc.VirtualSize + NumberOfExpandBytes + SectionRawSize) % PEHeader32->OptionalHeader.SectionAlignment == NULL) + { + PESections->Misc.VirtualSize = (((PESections->Misc.VirtualSize + NumberOfExpandBytes + SectionRawSize) / PEHeader32->OptionalHeader.SectionAlignment)) * PEHeader32->OptionalHeader.SectionAlignment; + } + else + { + PESections->Misc.VirtualSize = (((PESections->Misc.VirtualSize + NumberOfExpandBytes + SectionRawSize) / PEHeader32->OptionalHeader.SectionAlignment) + 1) * PEHeader32->OptionalHeader.SectionAlignment; + } + PEHeader32->OptionalHeader.SizeOfImage = PEHeader32->OptionalHeader.SizeOfImage + PESections->Misc.VirtualSize; + if(SectionRawSize > NULL) + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, SectionRawSize); + } + } + else + { + PESections->SizeOfRawData = PESections->SizeOfRawData + NumberOfExpandBytes; + } + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + if(szBackupItem[0] != NULL) + { + RemoveGarbageItem(szBackupItem, true); + if(CopyFileW(szBackupFile, szFileName, false)) + { + return(true); + } + else + { + return(false); + } + } + else + { + return(true); + } + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(false); + } + } + else + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + SectionNumber = PEHeader64->FileHeader.NumberOfSections; + SectionNumber--; + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + SectionNumber * IMAGE_SIZEOF_SECTION_HEADER); + __try + { + if(AlignResizeData) + { + SectionRawSize = PESections->SizeOfRawData; + if((PESections->SizeOfRawData + NumberOfExpandBytes) % PEHeader64->OptionalHeader.FileAlignment == NULL) + { + PESections->SizeOfRawData = (((PESections->SizeOfRawData + NumberOfExpandBytes) / PEHeader64->OptionalHeader.FileAlignment)) * PEHeader64->OptionalHeader.FileAlignment; + } + else + { + PESections->SizeOfRawData = (((PESections->SizeOfRawData + NumberOfExpandBytes) / PEHeader64->OptionalHeader.FileAlignment) + 1) * PEHeader64->OptionalHeader.FileAlignment; + } + if(SectionRawSize > 0x7FFFFFFF) + { + SectionRawSize = NULL; + } + SectionRawSize = PESections->SizeOfRawData - SectionRawSize - NumberOfExpandBytes; + PEHeader64->OptionalHeader.SizeOfImage = PEHeader64->OptionalHeader.SizeOfImage - PESections->Misc.VirtualSize; + if((PESections->Misc.VirtualSize + NumberOfExpandBytes) % PEHeader64->OptionalHeader.SectionAlignment == NULL) + { + PESections->Misc.VirtualSize = (((PESections->Misc.VirtualSize + NumberOfExpandBytes + SectionRawSize) / PEHeader32->OptionalHeader.SectionAlignment)) * PEHeader64->OptionalHeader.SectionAlignment; + } + else + { + PESections->Misc.VirtualSize = (((PESections->Misc.VirtualSize + NumberOfExpandBytes + SectionRawSize) / PEHeader32->OptionalHeader.SectionAlignment) + 1) * PEHeader64->OptionalHeader.SectionAlignment; + } + PEHeader64->OptionalHeader.SizeOfImage = PEHeader64->OptionalHeader.SizeOfImage + PESections->Misc.VirtualSize; + if(SectionRawSize > NULL) + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, SectionRawSize); + } + } + else + { + PESections->SizeOfRawData = PESections->SizeOfRawData + NumberOfExpandBytes; + } + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + if(szBackupItem[0] != NULL) + { + if(CopyFileW(szBackupFile, szFileName, false)) + { + RemoveGarbageItem(szBackupItem, true); + return(true); + } + else + { + RemoveGarbageItem(szBackupItem, true); + return(false); + } + } + else + { + return(true); + } + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(false); + } + } + } + else + { + FileSize = FileSize - NumberOfExpandBytes; + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(false); + } + } + RemoveGarbageItem(szBackupItem, true); + return(false); +} + +__declspec(dllexport) bool TITCALL DeleteLastSection(char* szFileName) +{ + + wchar_t uniFileName[MAX_PATH] = {}; + + if(szFileName != NULL) + { + MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); + return(DeleteLastSectionW(uniFileName)); + } + else + { + return(false); + } +} + +__declspec(dllexport) bool TITCALL DeleteLastSectionW(wchar_t* szFileName) +{ + + wchar_t szBackupFile[MAX_PATH] = {}; + wchar_t szBackupItem[MAX_PATH] = {}; + PIMAGE_DOS_HEADER DOSHeader; + PIMAGE_NT_HEADERS32 PEHeader32; + PIMAGE_NT_HEADERS64 PEHeader64; + PIMAGE_SECTION_HEADER PESections; + DWORD SectionNumber = 0; + BOOL FileIs64; + HANDLE FileHandle; + DWORD FileSize; + HANDLE FileMap; + ULONG_PTR FileMapVA; + + if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof szBackupItem)) + { + if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof szBackupItem)) + { + RtlZeroMemory(&szBackupItem, sizeof szBackupItem); + lstrcpyW(szBackupFile, szFileName); + } + } + else + { + RtlZeroMemory(&szBackupItem, sizeof szBackupItem); + lstrcpyW(szBackupFile, szFileName); + } + if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) + { + DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; + if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true)) + { + PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + if(PEHeader32->OptionalHeader.Magic == 0x10B) + { + FileIs64 = false; + } + else if(PEHeader32->OptionalHeader.Magic == 0x20B) + { + FileIs64 = true; + } + else + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(false); + } + if(!FileIs64) + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + SectionNumber = PEHeader32->FileHeader.NumberOfSections; + __try + { + if(SectionNumber > 1) + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + (SectionNumber - 1) * IMAGE_SIZEOF_SECTION_HEADER); + PEHeader32->OptionalHeader.SizeOfImage = PEHeader32->OptionalHeader.SizeOfImage - PESections->Misc.VirtualSize; + FileSize = PESections->PointerToRawData; + RtlZeroMemory(PESections, IMAGE_SIZEOF_SECTION_HEADER); + PEHeader32->FileHeader.NumberOfSections--; + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + if(szBackupItem[0] != NULL) + { + if(CopyFileW(szBackupFile, szFileName, false)) + { + RemoveGarbageItem(szBackupItem, true); + return(true); + } + else + { + RemoveGarbageItem(szBackupItem, true); + return(false); + } + } + else + { + return(true); + } + } + else + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(false); + } + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(false); + } + } + else + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + SectionNumber = PEHeader64->FileHeader.NumberOfSections; + __try + { + if(SectionNumber > 1) + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + (SectionNumber - 1) * IMAGE_SIZEOF_SECTION_HEADER); + PEHeader64->OptionalHeader.SizeOfImage = PEHeader64->OptionalHeader.SizeOfImage - PESections->Misc.VirtualSize; + FileSize = PESections->PointerToRawData; + RtlZeroMemory(PESections, IMAGE_SIZEOF_SECTION_HEADER); + PEHeader64->FileHeader.NumberOfSections--; + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + if(szBackupItem[0] != NULL) + { + if(CopyFileW(szBackupFile, szFileName, false)) + { + RemoveGarbageItem(szBackupItem, true); + return(true); + } + else + { + RemoveGarbageItem(szBackupItem, true); + return(false); + } + } + else + { + return(true); + } + } + else + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(false); + } + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(false); + } + } + } + else + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(false); + } + } + RemoveGarbageItem(szBackupItem, true); + return(false); +} + +__declspec(dllexport) bool TITCALL DeleteLastSectionEx(char* szFileName, DWORD NumberOfSections) +{ + + while(NumberOfSections > 0) + { + DeleteLastSection(szFileName); + NumberOfSections--; + } + return(true); +} + +__declspec(dllexport) bool TITCALL DeleteLastSectionExW(wchar_t* szFileName, DWORD NumberOfSections) +{ + + while(NumberOfSections > 0) + { + DeleteLastSectionW(szFileName); + NumberOfSections--; + } + return(true); +} + +__declspec(dllexport) bool TITCALL WipeSection(char* szFileName, int WipeSectionNumber, bool RemovePhysically) +{ + + wchar_t uniFileName[MAX_PATH] = {}; + + if(szFileName != NULL) + { + MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); + return(WipeSectionW(uniFileName, WipeSectionNumber, RemovePhysically)); + } + else + { + return(false); + } +} +__declspec(dllexport) bool TITCALL WipeSectionW(wchar_t* szFileName, int WipeSectionNumber, bool RemovePhysically) +{ + + wchar_t szBackupFile[MAX_PATH] = {}; + wchar_t szBackupItem[MAX_PATH] = {}; + PIMAGE_DOS_HEADER DOSHeader; + PIMAGE_NT_HEADERS32 PEHeader32; + PIMAGE_NT_HEADERS64 PEHeader64; + PIMAGE_SECTION_HEADER PESections; + DWORD NewVirtualSectionSize = 0; + DWORD NewSectionRawPointer = 0; + DWORD OldSectionDataRawPtr = 0; + DWORD OldSectionDataPtr = 0; + DWORD CurrentSectionPSize = 0; + DWORD WipeSectionVirSize = 0; + DWORD WipeSectionSize = 0; + DWORD SectionDataPtr = 0; + DWORD FileAlignment = 0; + int SectionNumber = 0; + BOOL FileIs64; + HANDLE FileHandle; + DWORD FileSize; + HANDLE FileMap; + ULONG_PTR FileMapVA; + + if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof szBackupItem)) + { + if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof szBackupItem)) + { + RtlZeroMemory(&szBackupItem, sizeof szBackupItem); + lstrcpyW(szBackupFile, szFileName); + } + } + else + { + RtlZeroMemory(&szBackupItem, sizeof szBackupItem); + lstrcpyW(szBackupFile, szFileName); + } + if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) + { + DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; + if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true)) + { + PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + if(PEHeader32->OptionalHeader.Magic == 0x10B) + { + FileIs64 = false; + } + else if(PEHeader32->OptionalHeader.Magic == 0x20B) + { + FileIs64 = true; + } + else + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(false); + } + if(!FileIs64) + { + if(WipeSectionNumber != -1 && WipeSectionNumber <= PEHeader32->FileHeader.NumberOfSections) + { + WipeSectionVirSize = (DWORD)GetPE32DataFromMappedFile(FileMapVA, WipeSectionNumber, UE_SECTIONVIRTUALSIZE); + WipeSectionSize = (DWORD)GetPE32DataFromMappedFile(FileMapVA, WipeSectionNumber, UE_SECTIONRAWSIZE); + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + FileAlignment = PEHeader32->OptionalHeader.FileAlignment; + __try + { + while(SectionNumber < PEHeader32->FileHeader.NumberOfSections) + { + if(SectionNumber == WipeSectionNumber - 1) + { + CurrentSectionPSize = PESections->SizeOfRawData; + if(CurrentSectionPSize % FileAlignment == NULL) + { + CurrentSectionPSize = ((CurrentSectionPSize / FileAlignment)) * FileAlignment; + } + else + { + CurrentSectionPSize = ((CurrentSectionPSize / FileAlignment) + 1) * FileAlignment; + } + PESections->SizeOfRawData = CurrentSectionPSize; + WipeSectionVirSize = WipeSectionVirSize + PESections->Misc.VirtualSize; + if(WipeSectionVirSize % PEHeader32->OptionalHeader.SectionAlignment == NULL) + { + WipeSectionVirSize = ((WipeSectionVirSize / PEHeader32->OptionalHeader.SectionAlignment)) * PEHeader32->OptionalHeader.SectionAlignment; + } + else + { + WipeSectionVirSize = ((WipeSectionVirSize / PEHeader32->OptionalHeader.SectionAlignment) + 1) * PEHeader32->OptionalHeader.SectionAlignment; + } + PESections->Misc.VirtualSize = WipeSectionVirSize; + CurrentSectionPSize = CurrentSectionPSize - PESections->SizeOfRawData; + WipeSectionSize = WipeSectionSize - CurrentSectionPSize; + } + else if(SectionNumber > WipeSectionNumber) + { + RtlMoveMemory((LPVOID)((ULONG_PTR)PESections - IMAGE_SIZEOF_SECTION_HEADER), (LPVOID)PESections, IMAGE_SIZEOF_SECTION_HEADER); + } + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); + SectionNumber++; + } + RtlZeroMemory((LPVOID)PESections, IMAGE_SIZEOF_SECTION_HEADER); + PEHeader32->FileHeader.NumberOfSections--; + if(RemovePhysically) + { + FileSize = RealignPE(FileMapVA, FileSize, NULL); + } + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + if(szBackupItem[0] != NULL) + { + if(CopyFileW(szBackupFile, szFileName, false)) + { + RemoveGarbageItem(szBackupItem, true); + return(true); + } + else + { + RemoveGarbageItem(szBackupItem, true); + return(false); + } + } + else + { + return(true); + } + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(false); + } + } + } + else + { + if(WipeSectionNumber != -1 && WipeSectionNumber <= PEHeader64->FileHeader.NumberOfSections) + { + WipeSectionVirSize = (DWORD)GetPE32DataFromMappedFile(FileMapVA, WipeSectionNumber, UE_SECTIONVIRTUALOFFSET); + WipeSectionVirSize = WipeSectionVirSize + (DWORD)GetPE32DataFromMappedFile(FileMapVA, WipeSectionNumber, UE_SECTIONVIRTUALSIZE); + if(WipeSectionVirSize % PEHeader32->OptionalHeader.SectionAlignment == NULL) + { + WipeSectionVirSize = ((WipeSectionVirSize / PEHeader32->OptionalHeader.SectionAlignment)) * PEHeader32->OptionalHeader.SectionAlignment; + } + else + { + WipeSectionVirSize = ((WipeSectionVirSize / PEHeader32->OptionalHeader.SectionAlignment) + 1) * PEHeader32->OptionalHeader.SectionAlignment; + } + WipeSectionSize = (DWORD)GetPE32DataFromMappedFile(FileMapVA, WipeSectionNumber, UE_SECTIONRAWSIZE); + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + FileAlignment = PEHeader64->OptionalHeader.FileAlignment; + __try + { + while(SectionNumber < PEHeader64->FileHeader.NumberOfSections) + { + if(SectionNumber == WipeSectionNumber - 1) + { + CurrentSectionPSize = PESections->SizeOfRawData; + if(CurrentSectionPSize % FileAlignment == NULL) + { + CurrentSectionPSize = ((CurrentSectionPSize / FileAlignment)) * FileAlignment; + } + else + { + CurrentSectionPSize = ((CurrentSectionPSize / FileAlignment) + 1) * FileAlignment; + } + PESections->SizeOfRawData = CurrentSectionPSize; + WipeSectionVirSize = WipeSectionVirSize + PESections->Misc.VirtualSize; + if(WipeSectionVirSize % PEHeader64->OptionalHeader.SectionAlignment == NULL) + { + WipeSectionVirSize = ((WipeSectionVirSize / PEHeader64->OptionalHeader.SectionAlignment)) * PEHeader64->OptionalHeader.SectionAlignment; + } + else + { + WipeSectionVirSize = ((WipeSectionVirSize / PEHeader64->OptionalHeader.SectionAlignment) + 1) * PEHeader64->OptionalHeader.SectionAlignment; + } + PESections->Misc.VirtualSize = WipeSectionVirSize; + CurrentSectionPSize = CurrentSectionPSize - PESections->SizeOfRawData; + WipeSectionSize = WipeSectionSize - CurrentSectionPSize; + } + else if(SectionNumber > WipeSectionNumber) + { + RtlMoveMemory((LPVOID)((ULONG_PTR)PESections - IMAGE_SIZEOF_SECTION_HEADER), (LPVOID)PESections, IMAGE_SIZEOF_SECTION_HEADER); + } + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); + SectionNumber++; + } + RtlZeroMemory((LPVOID)PESections, IMAGE_SIZEOF_SECTION_HEADER); + PEHeader64->FileHeader.NumberOfSections--; + if(RemovePhysically) + { + FileSize = RealignPE(FileMapVA, FileSize, NULL); + } + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + if(szBackupItem[0] != NULL) + { + if(CopyFileW(szBackupFile, szFileName, false)) + { + RemoveGarbageItem(szBackupItem, true); + return(true); + } + else + { + RemoveGarbageItem(szBackupItem, true); + return(false); + } + } + else + { + return(true); + } + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(false); + } + } + } + } + else + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(false); + } + } + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(false); +} \ No newline at end of file diff --git a/TitanEngine/TitanEngine.PE.cpp b/TitanEngine/TitanEngine.PE.cpp new file mode 100644 index 0000000..117379e --- /dev/null +++ b/TitanEngine/TitanEngine.PE.cpp @@ -0,0 +1,171 @@ +#include "stdafx.h" +#include "definitions.h" +#include "Global.Handle.h" +#include "Global.Engine.h" + +__declspec(dllexport) bool TITCALL PastePEHeader(HANDLE hProcess, LPVOID ImageBase, char* szDebuggedFileName) +{ + + wchar_t uniDebuggedFileName[MAX_PATH] = {}; + + if(szDebuggedFileName != NULL) + { + MultiByteToWideChar(CP_ACP, NULL, szDebuggedFileName, lstrlenA(szDebuggedFileName)+1, uniDebuggedFileName, sizeof(uniDebuggedFileName)/(sizeof(uniDebuggedFileName[0]))); + return(PastePEHeaderW(hProcess, ImageBase, uniDebuggedFileName)); + } + else + { + return(false); + } +} + +__declspec(dllexport) bool TITCALL PastePEHeaderW(HANDLE hProcess, LPVOID ImageBase, wchar_t* szDebuggedFileName) +{ + + PIMAGE_DOS_HEADER DOSHeader; + PIMAGE_NT_HEADERS32 PEHeader32; + IMAGE_NT_HEADERS32 RemotePEHeader32; + PIMAGE_NT_HEADERS64 PEHeader64; + IMAGE_NT_HEADERS64 RemotePEHeader64; + ULONG_PTR ueNumberOfBytesRead = 0; + DWORD uedNumberOfBytesRead = 0; + DWORD FileSize = 0; + DWORD PEHeaderSize = 0; + ULONG_PTR dwImageBase = (ULONG_PTR)ImageBase; + BOOL FileIs64 = false; + HANDLE hFile = 0; + SIZE_T CalculatedHeaderSize = NULL; + LPVOID ueReadBuffer = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); + DWORD OldProtect = PAGE_READWRITE; + + hFile = CreateFileW(szDebuggedFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); + if(hFile != INVALID_HANDLE_VALUE) + { + FileSize = GetFileSize(hFile, NULL); + if(FileSize < 0x1000) + { + if(!ReadFile(hFile, ueReadBuffer, FileSize, &uedNumberOfBytesRead, NULL)) + return false; + } + else + { + if(!ReadFile(hFile, ueReadBuffer, 0x1000, &uedNumberOfBytesRead, NULL)) + return false; + } + if(FileSize > 0x200) + { + DOSHeader = (PIMAGE_DOS_HEADER)ueReadBuffer; + if(EngineValidateHeader((ULONG_PTR)ueReadBuffer, hProcess, ImageBase, DOSHeader, false)) + { + PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + CalculatedHeaderSize = DOSHeader->e_lfanew + sizeof IMAGE_DOS_HEADER + sizeof IMAGE_NT_HEADERS64; + if(CalculatedHeaderSize > 0x1000) + { + SetFilePointer(hFile, NULL, NULL, FILE_BEGIN); + VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); + ueReadBuffer = VirtualAlloc(NULL, CalculatedHeaderSize, MEM_COMMIT, PAGE_READWRITE); + if(!ReadFile(hFile, ueReadBuffer, (DWORD)CalculatedHeaderSize, &uedNumberOfBytesRead, NULL)) + { + EngineCloseHandle(hFile); + VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); + return(false); + } + } + if(PEHeader32->OptionalHeader.Magic == 0x10B) + { + if(ReadProcessMemory(hProcess, (LPVOID)((ULONG_PTR)ImageBase + DOSHeader->e_lfanew), &RemotePEHeader32, sizeof IMAGE_NT_HEADERS32, &ueNumberOfBytesRead)) + { + PEHeaderSize = PEHeader32->FileHeader.NumberOfSections * IMAGE_SIZEOF_SECTION_HEADER + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4; + FileIs64 = false; + } + } + else if(PEHeader32->OptionalHeader.Magic == 0x20B) + { + if(ReadProcessMemory(hProcess, (LPVOID)((ULONG_PTR)ImageBase + DOSHeader->e_lfanew), &RemotePEHeader64, sizeof IMAGE_NT_HEADERS32, &ueNumberOfBytesRead)) + { + PEHeaderSize = PEHeader64->FileHeader.NumberOfSections * IMAGE_SIZEOF_SECTION_HEADER + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4; + FileIs64 = true; + } + } + else + { + EngineCloseHandle(hFile); + VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); + return(false); + } + if(!FileIs64) + { + PEHeader32->OptionalHeader.ImageBase = (DWORD)(dwImageBase); + if(VirtualProtectEx(hProcess, ImageBase, PEHeaderSize, PAGE_READWRITE, &OldProtect)) + { + if(WriteProcessMemory(hProcess, ImageBase, ueReadBuffer, PEHeaderSize, &ueNumberOfBytesRead)) + { + EngineCloseHandle(hFile); + VirtualProtectEx(hProcess, ImageBase, PEHeaderSize, OldProtect, &OldProtect); + VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); + return(true); + } + else + { + EngineCloseHandle(hFile); + VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); + return(false); + } + } + else + { + EngineCloseHandle(hFile); + VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); + return(false); + } + } + else + { + PEHeader64->OptionalHeader.ImageBase = dwImageBase; + if(VirtualProtectEx(hProcess, ImageBase, PEHeaderSize, PAGE_READWRITE, &OldProtect)) + { + if(WriteProcessMemory(hProcess, ImageBase, ueReadBuffer, PEHeaderSize, &ueNumberOfBytesRead)) + { + EngineCloseHandle(hFile); + VirtualProtectEx(hProcess, ImageBase, PEHeaderSize, OldProtect, &OldProtect); + VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); + return(true); + } + else + { + EngineCloseHandle(hFile); + VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); + return(false); + } + } + else + { + EngineCloseHandle(hFile); + VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); + return(false); + } + } + } + else + { + EngineCloseHandle(hFile); + VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); + return(false); + } + } + else + { + EngineCloseHandle(hFile); + VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); + return(false); + } + } + else + { + EngineCloseHandle(hFile); + VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); + return(false); + } + return(false); +} \ No newline at end of file diff --git a/TitanEngine/TitanEngine.Realigner.cpp b/TitanEngine/TitanEngine.Realigner.cpp new file mode 100644 index 0000000..b8af434 --- /dev/null +++ b/TitanEngine/TitanEngine.Realigner.cpp @@ -0,0 +1,474 @@ +#include "stdafx.h" +#include "definitions.h" +#include "Global.Engine.h" +#include "Global.Mapping.h" +#include + +// TitanEngine.Realigner.functions: +__declspec(dllexport) bool TITCALL FixHeaderCheckSum(char* szFileName) +{ + + DWORD HeaderSum = NULL; + DWORD CheckSum = NULL; + + if(MapFileAndCheckSumA(szFileName, &HeaderSum, &CheckSum) == NULL) + { + SetPE32Data(szFileName, NULL, UE_CHECKSUM, (ULONG_PTR)CheckSum); + return(true); + } + else + { + return(false); + } +} +__declspec(dllexport) bool TITCALL FixHeaderCheckSumW(wchar_t* szFileName) +{ + + DWORD HeaderSum = NULL; + DWORD CheckSum = NULL; + + if(MapFileAndCheckSumW(szFileName, &HeaderSum, &CheckSum) == NULL) + { + SetPE32DataW(szFileName, NULL, UE_CHECKSUM, (ULONG_PTR)CheckSum); + return(true); + } + else + { + return(false); + } +} +__declspec(dllexport) long TITCALL RealignPE(ULONG_PTR FileMapVA, DWORD FileSize, DWORD RealingMode) +{ + + PIMAGE_DOS_HEADER DOSHeader; + PIMAGE_NT_HEADERS32 PEHeader32; + PIMAGE_NT_HEADERS64 PEHeader64; + PIMAGE_SECTION_HEADER PESections; + DWORD NewVirtualSectionSize = 0; + DWORD NewSectionRawPointer = 0; + DWORD OldSectionDataRawPtr = 0; + DWORD OldSectionDataPtr = 0; + DWORD SectionDataPtr = 0; + DWORD SectionNumber = 0; + DWORD CurrentSection = 0; + DWORD FileAlignment = 0; + BOOL FileIs64; + + if(FileMapVA != NULL) + { + DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; + if(EngineValidateHeader(FileMapVA, NULL, NULL, DOSHeader, true)) + { + PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + if(PEHeader32->OptionalHeader.Magic == 0x10B) + { + FileIs64 = false; + } + else if(PEHeader32->OptionalHeader.Magic == 0x20B) + { + FileIs64 = true; + } + else + { + return(-1); + } + if(!FileIs64) + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + SectionNumber = PEHeader32->FileHeader.NumberOfSections; + FileAlignment = PEHeader32->OptionalHeader.FileAlignment; + if(FileAlignment == 0x1000) + { + FileAlignment = 0x200; + } + __try + { + PEHeader32->OptionalHeader.FileAlignment = FileAlignment; + while(SectionNumber > 0) + { + SectionDataPtr = PESections->PointerToRawData + PESections->SizeOfRawData; + if(PESections->SizeOfRawData > NULL) + { + SectionDataPtr--; + while(*(PUCHAR)(FileMapVA + SectionDataPtr) == 0x00 && SectionDataPtr > PESections->PointerToRawData) + { + SectionDataPtr--; + } + } + SectionDataPtr = SectionDataPtr - PESections->PointerToRawData; + OldSectionDataPtr = SectionDataPtr; + SectionDataPtr = (SectionDataPtr / FileAlignment) * FileAlignment; + if(SectionDataPtr < OldSectionDataPtr) + { + SectionDataPtr = SectionDataPtr + FileAlignment; + } + if(CurrentSection == NULL) + { + PEHeader32->OptionalHeader.SizeOfHeaders = PESections->PointerToRawData; + PEHeader32->OptionalHeader.SectionAlignment = PESections->VirtualAddress; + PESections->SizeOfRawData = SectionDataPtr; + } + else + { + OldSectionDataRawPtr = PESections->PointerToRawData; + PESections->SizeOfRawData = SectionDataPtr; + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections - IMAGE_SIZEOF_SECTION_HEADER); + NewSectionRawPointer = PESections->PointerToRawData + PESections->SizeOfRawData; + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); + PESections->PointerToRawData = NewSectionRawPointer; + RtlMoveMemory((LPVOID)((ULONG_PTR)FileMapVA + NewSectionRawPointer), (LPVOID)((ULONG_PTR)FileMapVA + OldSectionDataRawPtr), SectionDataPtr); + } + NewVirtualSectionSize = (PESections->Misc.VirtualSize / PEHeader32->OptionalHeader.SectionAlignment) * PEHeader32->OptionalHeader.SectionAlignment; + if(NewVirtualSectionSize < PESections->Misc.VirtualSize) + { + NewVirtualSectionSize = NewVirtualSectionSize + PEHeader32->OptionalHeader.SectionAlignment; + } + PESections->Misc.VirtualSize = NewVirtualSectionSize; + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); + CurrentSection++; + SectionNumber--; + } + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections - IMAGE_SIZEOF_SECTION_HEADER); + return(PESections->PointerToRawData + PESections->SizeOfRawData); + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + return(-1); + } + } + else + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + SectionNumber = PEHeader64->FileHeader.NumberOfSections; + FileAlignment = PEHeader64->OptionalHeader.FileAlignment; + if(FileAlignment == 0x1000) + { + FileAlignment = 0x200; + } + __try + { + PEHeader64->OptionalHeader.FileAlignment = FileAlignment; + while(SectionNumber > 0) + { + SectionDataPtr = PESections->PointerToRawData + PESections->SizeOfRawData; + if(PESections->SizeOfRawData > NULL) + { + SectionDataPtr--; + while(*(PUCHAR)(FileMapVA + SectionDataPtr) == 0x00 && SectionDataPtr > PESections->PointerToRawData) + { + SectionDataPtr--; + } + } + SectionDataPtr = SectionDataPtr - PESections->PointerToRawData; + OldSectionDataPtr = SectionDataPtr; + SectionDataPtr = (SectionDataPtr / FileAlignment) * FileAlignment; + if(SectionDataPtr < OldSectionDataPtr) + { + SectionDataPtr = SectionDataPtr + FileAlignment; + } + if(CurrentSection == NULL) + { + PEHeader64->OptionalHeader.SizeOfHeaders = PESections->PointerToRawData; + PEHeader64->OptionalHeader.SectionAlignment = PESections->VirtualAddress; + PESections->SizeOfRawData = SectionDataPtr; + } + else + { + OldSectionDataRawPtr = PESections->PointerToRawData; + PESections->SizeOfRawData = SectionDataPtr; + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections - IMAGE_SIZEOF_SECTION_HEADER); + NewSectionRawPointer = PESections->PointerToRawData + PESections->SizeOfRawData; + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); + PESections->PointerToRawData = NewSectionRawPointer; + RtlMoveMemory((LPVOID)((ULONG_PTR)FileMapVA + NewSectionRawPointer), (LPVOID)((ULONG_PTR)FileMapVA + OldSectionDataRawPtr), SectionDataPtr); + } + NewVirtualSectionSize = (PESections->Misc.VirtualSize / PEHeader64->OptionalHeader.SectionAlignment) * PEHeader64->OptionalHeader.SectionAlignment; + if(NewVirtualSectionSize < PESections->Misc.VirtualSize) + { + NewVirtualSectionSize = NewVirtualSectionSize + PEHeader64->OptionalHeader.SectionAlignment; + } + PESections->Misc.VirtualSize = NewVirtualSectionSize; + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); + CurrentSection++; + SectionNumber--; + } + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections - IMAGE_SIZEOF_SECTION_HEADER); + return(PESections->PointerToRawData + PESections->SizeOfRawData); + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + return(-1); + } + } + } + else + { + return(-1); + } + } + return(-1); +} +__declspec(dllexport) long TITCALL RealignPEEx(char* szFileName, DWORD RealingFileSize, DWORD ForcedFileAlignment) +{ + + wchar_t uniFileName[MAX_PATH] = {}; + + if(szFileName != NULL) + { + MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); + return(RealignPEExW(uniFileName, RealingFileSize, ForcedFileAlignment)); + } + else + { + return(-1); + } +} +__declspec(dllexport) long TITCALL RealignPEExW(wchar_t* szFileName, DWORD RealingFileSize, DWORD ForcedFileAlignment) +{ + + wchar_t szBackupFile[MAX_PATH] = {}; + wchar_t szBackupItem[MAX_PATH] = {}; + PIMAGE_DOS_HEADER DOSHeader; + PIMAGE_NT_HEADERS32 PEHeader32; + PIMAGE_NT_HEADERS64 PEHeader64; + PIMAGE_SECTION_HEADER PESections; + DWORD NewVirtualSectionSize = 0; + DWORD NewSectionRawPointer = 0; + DWORD OldSectionDataRawPtr = 0; + DWORD OldSectionDataPtr = 0; + DWORD SectionDataPtr = 0; + DWORD SectionNumber = 0; + DWORD CurrentSection = 0; + BOOL FileIs64; + HANDLE FileHandle; + DWORD FileSize; + HANDLE FileMap; + ULONG_PTR FileMapVA; + + if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof szBackupItem)) + { + if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof szBackupItem)) + { + RtlZeroMemory(&szBackupItem, sizeof szBackupItem); + lstrcpyW(szBackupFile, szFileName); + } + } + else + { + RtlZeroMemory(&szBackupItem, sizeof szBackupItem); + lstrcpyW(szBackupFile, szFileName); + } + if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) + { + DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; + if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true)) + { + PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + if(PEHeader32->OptionalHeader.Magic == 0x10B) + { + FileIs64 = false; + } + else if(PEHeader32->OptionalHeader.Magic == 0x20B) + { + FileIs64 = true; + } + else + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(-1); + } + if(!FileIs64) + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + SectionNumber = PEHeader32->FileHeader.NumberOfSections; + if(ForcedFileAlignment == 0x0) + { + ForcedFileAlignment = 0x200; + } + __try + { + PEHeader32->OptionalHeader.FileAlignment = ForcedFileAlignment; + while(SectionNumber > 0) + { + SectionDataPtr = PESections->PointerToRawData + PESections->SizeOfRawData; + if(PESections->SizeOfRawData > NULL) + { + SectionDataPtr--; + while(*(PUCHAR)(FileMapVA + SectionDataPtr) == 0x00 && SectionDataPtr > PESections->PointerToRawData) + { + SectionDataPtr--; + } + } + SectionDataPtr = SectionDataPtr - PESections->PointerToRawData; + OldSectionDataPtr = SectionDataPtr; + SectionDataPtr = (SectionDataPtr / ForcedFileAlignment) * ForcedFileAlignment; + if(SectionDataPtr < OldSectionDataPtr) + { + SectionDataPtr = SectionDataPtr + ForcedFileAlignment; + } + if(CurrentSection == NULL) + { + PEHeader32->OptionalHeader.SizeOfHeaders = PESections->PointerToRawData; + PEHeader32->OptionalHeader.SectionAlignment = PESections->VirtualAddress; + PESections->SizeOfRawData = SectionDataPtr; + } + else + { + OldSectionDataRawPtr = PESections->PointerToRawData; + PESections->SizeOfRawData = SectionDataPtr; + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections - IMAGE_SIZEOF_SECTION_HEADER); + NewSectionRawPointer = PESections->PointerToRawData + PESections->SizeOfRawData; + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); + PESections->PointerToRawData = NewSectionRawPointer; + RtlMoveMemory((LPVOID)((ULONG_PTR)FileMapVA + NewSectionRawPointer), (LPVOID)((ULONG_PTR)FileMapVA + OldSectionDataRawPtr), SectionDataPtr); + } + NewVirtualSectionSize = (PESections->Misc.VirtualSize / PEHeader32->OptionalHeader.SectionAlignment) * PEHeader32->OptionalHeader.SectionAlignment; + if(NewVirtualSectionSize < PESections->Misc.VirtualSize) + { + NewVirtualSectionSize = NewVirtualSectionSize + PEHeader32->OptionalHeader.SectionAlignment; + } + PESections->Misc.VirtualSize = NewVirtualSectionSize; + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); + CurrentSection++; + SectionNumber--; + } + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections - IMAGE_SIZEOF_SECTION_HEADER); + if(RealingFileSize == NULL) + { + FileSize = PESections->PointerToRawData + PESections->SizeOfRawData; + } + else + { + FileSize = RealingFileSize; + } + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + if(szBackupItem[0] != NULL) + { + if(CopyFileW(szBackupFile, szFileName, false)) + { + RemoveGarbageItem(szBackupItem, true); + return(FileSize); + } + else + { + RemoveGarbageItem(szBackupItem, true); + return(-1); + } + } + else + { + return(FileSize); + } + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(-1); + } + } + else + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + SectionNumber = PEHeader64->FileHeader.NumberOfSections; + if(ForcedFileAlignment == 0x0) + { + ForcedFileAlignment = 0x200; + } + __try + { + PEHeader64->OptionalHeader.FileAlignment = ForcedFileAlignment; + while(SectionNumber > 0) + { + SectionDataPtr = PESections->PointerToRawData + PESections->SizeOfRawData; + if(PESections->SizeOfRawData > NULL) + { + SectionDataPtr--; + while(*(PUCHAR)(FileMapVA + SectionDataPtr) == 0x00 && SectionDataPtr > PESections->PointerToRawData) + { + SectionDataPtr--; + } + } + SectionDataPtr = SectionDataPtr - PESections->PointerToRawData; + OldSectionDataPtr = SectionDataPtr; + SectionDataPtr = (SectionDataPtr / ForcedFileAlignment) * ForcedFileAlignment; + if(SectionDataPtr < OldSectionDataPtr) + { + SectionDataPtr = SectionDataPtr + ForcedFileAlignment; + } + if(CurrentSection == NULL) + { + PEHeader64->OptionalHeader.SizeOfHeaders = PESections->PointerToRawData; + PEHeader64->OptionalHeader.SectionAlignment = PESections->VirtualAddress; + PESections->SizeOfRawData = SectionDataPtr; + } + else + { + OldSectionDataRawPtr = PESections->PointerToRawData; + PESections->SizeOfRawData = SectionDataPtr; + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections - IMAGE_SIZEOF_SECTION_HEADER); + NewSectionRawPointer = PESections->PointerToRawData + PESections->SizeOfRawData; + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); + PESections->PointerToRawData = NewSectionRawPointer; + RtlMoveMemory((LPVOID)((ULONG_PTR)FileMapVA + NewSectionRawPointer), (LPVOID)((ULONG_PTR)FileMapVA + OldSectionDataRawPtr), SectionDataPtr); + } + NewVirtualSectionSize = (PESections->Misc.VirtualSize / PEHeader64->OptionalHeader.SectionAlignment) * PEHeader64->OptionalHeader.SectionAlignment; + if(NewVirtualSectionSize < PESections->Misc.VirtualSize) + { + NewVirtualSectionSize = NewVirtualSectionSize + PEHeader64->OptionalHeader.SectionAlignment; + } + PESections->Misc.VirtualSize = NewVirtualSectionSize; + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); + CurrentSection++; + SectionNumber--; + } + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections - IMAGE_SIZEOF_SECTION_HEADER); + if(RealingFileSize == NULL) + { + FileSize = PESections->PointerToRawData + PESections->SizeOfRawData; + } + else + { + FileSize = RealingFileSize; + } + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + if(szBackupItem[0] != NULL) + { + if(CopyFileW(szBackupFile, szFileName, false)) + { + RemoveGarbageItem(szBackupItem, true); + return(FileSize); + } + else + { + RemoveGarbageItem(szBackupItem, true); + return(-1); + } + } + else + { + return(FileSize); + } + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(-1); + } + } + } + else + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(-1); + } + } + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(-1); +} \ No newline at end of file diff --git a/TitanEngine/TitanEngine.Relocator.cpp b/TitanEngine/TitanEngine.Relocator.cpp new file mode 100644 index 0000000..d385207 --- /dev/null +++ b/TitanEngine/TitanEngine.Relocator.cpp @@ -0,0 +1,787 @@ +#include "stdafx.h" +#include "definitions.h" +#include "Global.Mapping.h" +#include "Global.Engine.h" + +static LPVOID RelocationData = NULL; +LPVOID RelocationLastPage = NULL; +LPVOID RelocationStartPosition = NULL; +LPVOID RelocationWritePosition = NULL; +ULONG_PTR RelocationOldImageBase; +ULONG_PTR RelocationNewImageBase; + +// TitanEngine.Relocater.functions: +__declspec(dllexport) void TITCALL RelocaterCleanup() +{ + + if(RelocationData != NULL) + { + VirtualFree(RelocationData, NULL, MEM_RELEASE); + RelocationLastPage = NULL; + RelocationStartPosition = NULL; + RelocationWritePosition = NULL; + RelocationOldImageBase = NULL; + RelocationNewImageBase = NULL; + } +} +__declspec(dllexport) void TITCALL RelocaterInit(DWORD MemorySize, ULONG_PTR OldImageBase, ULONG_PTR NewImageBase) +{ + + if(RelocationData != NULL) + { + VirtualFree(RelocationData, NULL, MEM_RELEASE); + } + RelocationData = VirtualAlloc(NULL, MemorySize, MEM_COMMIT, PAGE_READWRITE); + RelocationLastPage = NULL; + RelocationStartPosition = RelocationData; + RelocationWritePosition = (LPVOID)((ULONG_PTR)RelocationData + 8); + RelocationOldImageBase = OldImageBase; + RelocationNewImageBase = NewImageBase; +} +__declspec(dllexport) void TITCALL RelocaterAddNewRelocation(HANDLE hProcess, ULONG_PTR RelocateAddress, DWORD RelocateState) +{ + + MEMORY_BASIC_INFORMATION MemInfo; + DWORD CompareDummy = NULL; + DWORD CopyDummy = NULL; + + VirtualQueryEx(hProcess, (LPVOID)RelocateAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); + if(MemInfo.BaseAddress != RelocationLastPage || RelocationLastPage == NULL) + { + RelocationLastPage = MemInfo.BaseAddress; + if(memcmp(RelocationStartPosition, &CompareDummy, 4) == NULL) + { + CopyDummy = (DWORD)((ULONG_PTR)MemInfo.BaseAddress - (ULONG_PTR)RelocationNewImageBase); + RtlMoveMemory(RelocationStartPosition, &CopyDummy, 4); + } + else + { + CopyDummy = (DWORD)((ULONG_PTR)RelocationWritePosition - (ULONG_PTR)RelocationStartPosition); + if(CopyDummy % 4 == NULL) + { + RtlMoveMemory((LPVOID)((ULONG_PTR)RelocationStartPosition + 4), &CopyDummy, 4); + } + else + { + RelocationWritePosition = (LPVOID)((ULONG_PTR)RelocationWritePosition + 2); + CopyDummy = (DWORD)((ULONG_PTR)RelocationWritePosition - (ULONG_PTR)RelocationStartPosition); + if(CopyDummy % 4 == NULL) + { + RtlMoveMemory((LPVOID)((ULONG_PTR)RelocationStartPosition + 4), &CopyDummy, 4); + } + else + { + RelocationWritePosition = (LPVOID)((ULONG_PTR)RelocationWritePosition + 2); + CopyDummy = (DWORD)((ULONG_PTR)RelocationWritePosition - (ULONG_PTR)RelocationStartPosition); + RtlMoveMemory((LPVOID)((ULONG_PTR)RelocationStartPosition + 4), &CopyDummy, 4); + } + } + RelocationStartPosition = RelocationWritePosition; + CopyDummy = (DWORD)((ULONG_PTR)RelocationLastPage - (ULONG_PTR)RelocationNewImageBase); + RtlMoveMemory(RelocationWritePosition, &CopyDummy, 4); + RelocationWritePosition = (LPVOID)((ULONG_PTR)RelocationWritePosition + 8); + } + } +#if !defined(_WIN64) + CopyDummy = (DWORD)((RelocateAddress - (ULONG_PTR)RelocationLastPage) ^ 0x3000); +#else + CopyDummy = (DWORD)((RelocateAddress - (ULONG_PTR)RelocationLastPage) ^ 0x8000); +#endif + RtlMoveMemory(RelocationWritePosition, &CopyDummy, 2); + RelocationWritePosition = (LPVOID)((ULONG_PTR)RelocationWritePosition + 2); +} +__declspec(dllexport) long TITCALL RelocaterEstimatedSize() +{ + return((DWORD)((ULONG_PTR)RelocationWritePosition - (ULONG_PTR)RelocationData + 8)); +} +__declspec(dllexport) bool TITCALL RelocaterExportRelocation(ULONG_PTR StorePlace, DWORD StorePlaceRVA, ULONG_PTR FileMapVA) +{ + + PIMAGE_DOS_HEADER DOSHeader; + PIMAGE_NT_HEADERS32 PEHeader32; + PIMAGE_NT_HEADERS64 PEHeader64; + BOOL FileIs64 = false; + DWORD CopyDummy = NULL; + + __try + { + if((ULONG_PTR)RelocationStartPosition != -1) + { + CopyDummy = (DWORD)((ULONG_PTR)RelocationWritePosition - (ULONG_PTR)RelocationStartPosition); + if(CopyDummy % 4 == NULL) + { + RtlMoveMemory((LPVOID)((ULONG_PTR)RelocationStartPosition + 4), &CopyDummy, 4); + } + else + { + RelocationWritePosition = (LPVOID)((ULONG_PTR)RelocationWritePosition + 2); + CopyDummy = (DWORD)((ULONG_PTR)RelocationWritePosition - (ULONG_PTR)RelocationStartPosition); + if(CopyDummy % 4 == NULL) + { + RtlMoveMemory((LPVOID)((ULONG_PTR)RelocationStartPosition + 4), &CopyDummy, 4); + } + else + { + RelocationWritePosition = (LPVOID)((ULONG_PTR)RelocationWritePosition + 2); + CopyDummy = (DWORD)((ULONG_PTR)RelocationWritePosition - (ULONG_PTR)RelocationStartPosition); + RtlMoveMemory((LPVOID)((ULONG_PTR)RelocationStartPosition + 4), &CopyDummy, 4); + } + } + } + RtlMoveMemory((LPVOID)StorePlace, RelocationData, (DWORD)((ULONG_PTR)RelocationWritePosition - (ULONG_PTR)RelocationData)); + VirtualFree(RelocationData, NULL, MEM_RELEASE); + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + return(false); + } + + DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; + if(EngineValidateHeader(FileMapVA, NULL, NULL, DOSHeader, true)) + { + PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + if(PEHeader32->OptionalHeader.Magic == 0x10B) + { + FileIs64 = false; + } + else if(PEHeader32->OptionalHeader.Magic == 0x20B) + { + FileIs64 = true; + } + else + { + RelocationData = NULL; + return(false); + } + if(!FileIs64) + { + PEHeader32->OptionalHeader.ImageBase = (DWORD)RelocationNewImageBase; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = StorePlaceRVA; + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = (DWORD)((ULONG_PTR)RelocationWritePosition - (ULONG_PTR)RelocationData); + } + else + { + PEHeader64->OptionalHeader.ImageBase = (ULONG_PTR)RelocationNewImageBase; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = StorePlaceRVA; + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = (DWORD)((ULONG_PTR)RelocationWritePosition - (ULONG_PTR)RelocationData); + } + RelocationData = NULL; + return(true); + } + RelocationData = NULL; + return(false); +} +__declspec(dllexport) bool TITCALL RelocaterExportRelocationEx(char* szFileName, char* szSectionName) +{ + + wchar_t uniFileName[MAX_PATH] = {}; + + if(szFileName != NULL) + { + MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); + return(RelocaterExportRelocationExW(uniFileName, szSectionName)); + } + else + { + return(false); + } +} +__declspec(dllexport) bool TITCALL RelocaterExportRelocationExW(wchar_t* szFileName, char* szSectionName) +{ + + HANDLE FileHandle; + DWORD FileSize; + HANDLE FileMap; + ULONG_PTR FileMapVA; + DWORD NewSectionVO = NULL; + DWORD NewSectionFO = NULL; + bool ReturnValue = false; + + if(RelocaterEstimatedSize() > NULL) + { + NewSectionVO = AddNewSectionW(szFileName, szSectionName, RelocaterEstimatedSize()); + if(MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) + { + NewSectionFO = (DWORD)ConvertVAtoFileOffset(FileMapVA, NewSectionVO + (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_IMAGEBASE), true); + ReturnValue = RelocaterExportRelocation(NewSectionFO, NewSectionVO, FileMapVA); + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + if(ReturnValue) + { + return(true); + } + else + { + return(false); + } + } + else + { + return(false); + } + } + else + { + return(false); + } +} +__declspec(dllexport) bool TITCALL RelocaterGrabRelocationTable(HANDLE hProcess, ULONG_PTR MemoryStart, DWORD MemorySize) +{ + + MEMORY_BASIC_INFORMATION MemInfo; + ULONG_PTR ueNumberOfBytesRead = NULL; + DWORD OldProtect; + + if(RelocationData != NULL) + { + VirtualQueryEx(hProcess, (LPVOID)MemoryStart, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); + OldProtect = MemInfo.Protect; + VirtualProtectEx(hProcess, (LPVOID)MemoryStart, MemorySize, PAGE_EXECUTE_READWRITE, &OldProtect); + if(ReadProcessMemory(hProcess, (LPVOID)MemoryStart, RelocationData, MemorySize, &ueNumberOfBytesRead)) + { + RelocationWritePosition = (LPVOID)((ULONG_PTR)RelocationData + MemorySize); + RelocationStartPosition = (LPVOID)(-1); + return(true); + } + } + return(false); +} +__declspec(dllexport) bool TITCALL RelocaterGrabRelocationTableEx(HANDLE hProcess, ULONG_PTR MemoryStart, ULONG_PTR MemorySize, DWORD NtSizeOfImage) +{ + + MEMORY_BASIC_INFORMATION MemInfo; + LPVOID ReadMemoryStorage = NULL; + LPVOID mReadMemoryStorage = NULL; + ULONG_PTR ueNumberOfBytesRead = NULL; + DWORD CompareDummy = NULL; + DWORD RelocationBase = NULL; + DWORD RelocationSize = NULL; + DWORD OldProtect; + + if(RelocationData != NULL) + { + VirtualQueryEx(hProcess, (LPVOID)MemoryStart, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); + OldProtect = MemInfo.Protect; + VirtualQueryEx(hProcess, (LPVOID)MemInfo.BaseAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); + if(MemInfo.RegionSize < MemorySize || MemorySize == NULL) + { + MemorySize = MemInfo.RegionSize; + } + VirtualProtectEx(hProcess, (LPVOID)MemoryStart, MemorySize, PAGE_EXECUTE_READWRITE, &OldProtect); + ReadMemoryStorage = VirtualAlloc(NULL, MemorySize, MEM_COMMIT, PAGE_READWRITE); + mReadMemoryStorage = ReadMemoryStorage; + if(ReadProcessMemory(hProcess, (LPVOID)MemoryStart, ReadMemoryStorage, MemorySize, &ueNumberOfBytesRead)) + { + RtlMoveMemory(&RelocationBase, ReadMemoryStorage, 4); + RtlMoveMemory(&RelocationSize, (LPVOID)((ULONG_PTR)ReadMemoryStorage + 4), 4); + while(memcmp(ReadMemoryStorage, &CompareDummy, 4) != NULL && RelocationBase < NtSizeOfImage && RelocationSize < 0x2000) + { + ReadMemoryStorage = (LPVOID)((ULONG_PTR)ReadMemoryStorage + RelocationSize); + RtlMoveMemory(&RelocationBase, ReadMemoryStorage, 4); + RtlMoveMemory(&RelocationSize, (LPVOID)((ULONG_PTR)ReadMemoryStorage + 4), 4); + } + VirtualFree(mReadMemoryStorage, NULL, MEM_RELEASE); + return(RelocaterGrabRelocationTable(hProcess, MemoryStart, (DWORD)((ULONG_PTR)ReadMemoryStorage - (ULONG_PTR)mReadMemoryStorage))); + } + else + { + VirtualFree(ReadMemoryStorage, NULL, MEM_RELEASE); + return(false); + } + } + return(false); +} + +__declspec(dllexport) bool TITCALL RelocaterMakeSnapshot(HANDLE hProcess, char* szSaveFileName, LPVOID MemoryStart, ULONG_PTR MemorySize) +{ + return(DumpMemory(hProcess, MemoryStart, MemorySize, szSaveFileName)); +} +__declspec(dllexport) bool TITCALL RelocaterMakeSnapshotW(HANDLE hProcess, wchar_t* szSaveFileName, LPVOID MemoryStart, ULONG_PTR MemorySize) +{ + return(DumpMemoryW(hProcess, MemoryStart, MemorySize, szSaveFileName)); +} +__declspec(dllexport) bool TITCALL RelocaterCompareTwoSnapshots(HANDLE hProcess, ULONG_PTR LoadedImageBase, ULONG_PTR NtSizeOfImage, char* szDumpFile1, char* szDumpFile2, ULONG_PTR MemStart) +{ + + wchar_t uniDumpFile1[MAX_PATH] = {}; + wchar_t uniDumpFile2[MAX_PATH] = {}; + + if(szDumpFile1 != NULL && szDumpFile2 != NULL) + { + MultiByteToWideChar(CP_ACP, NULL, szDumpFile1, lstrlenA(szDumpFile1)+1, uniDumpFile1, sizeof(uniDumpFile1)/(sizeof(uniDumpFile1[0]))); + MultiByteToWideChar(CP_ACP, NULL, szDumpFile2, lstrlenA(szDumpFile2)+1, uniDumpFile2, sizeof(uniDumpFile2)/(sizeof(uniDumpFile2[0]))); + return(RelocaterCompareTwoSnapshotsW(hProcess, LoadedImageBase, NtSizeOfImage, uniDumpFile1, uniDumpFile2, MemStart)); + } + else + { + return(false); + } +} +__declspec(dllexport) bool TITCALL RelocaterCompareTwoSnapshotsW(HANDLE hProcess, ULONG_PTR LoadedImageBase, ULONG_PTR NtSizeOfImage, wchar_t* szDumpFile1, wchar_t* szDumpFile2, ULONG_PTR MemStart) +{ + + int i = NULL; + ULONG_PTR DeltaByte = NULL; + int RelativeBase = NULL; + ULONG_PTR ReadData = NULL; + HANDLE FileHandle1; + DWORD FileSize1; + HANDLE FileMap1; + ULONG_PTR FileMapVA1; + HANDLE FileHandle2; + DWORD FileSize2; + HANDLE FileMap2; + ULONG_PTR FileMapVA2; + DWORD SearchSize; + LPVOID Search1; + LPVOID Search2; + DWORD bkSearchSize; + LPVOID bkSearch1; + LPVOID bkSearch2; + + if(MapFileExW(szDumpFile1, UE_ACCESS_READ, &FileHandle1, &FileSize1, &FileMap1, &FileMapVA1, NULL)) + { + if(MapFileExW(szDumpFile2, UE_ACCESS_READ, &FileHandle2, &FileSize2, &FileMap2, &FileMapVA2, NULL)) + { + if(RelocationOldImageBase != NULL && RelocationNewImageBase != NULL && RelocationOldImageBase != RelocationNewImageBase) + { + __try + { + if(RelocationOldImageBase > RelocationNewImageBase) + { + DeltaByte = (ULONG_PTR)((ULONG_PTR)RelocationOldImageBase - (ULONG_PTR)RelocationNewImageBase); + } + else + { + DeltaByte = (ULONG_PTR)((ULONG_PTR)RelocationNewImageBase - (ULONG_PTR)RelocationOldImageBase); + } + while((BYTE)DeltaByte == NULL) + { + DeltaByte = DeltaByte / 0x10; + i++; + } + DeltaByte = i - 1; + Search1 = (LPVOID)FileMapVA1; + Search2 = (LPVOID)FileMapVA2; + NtSizeOfImage = NtSizeOfImage + LoadedImageBase; + SearchSize = FileSize2; + SearchSize--; + while((int)SearchSize > NULL) + { + if(memcmp(Search1, Search2, 1) != 0) + { + i = sizeof HANDLE; + RelativeBase = NULL; + bkSearch1 = Search1; + bkSearch2 = Search2; + bkSearchSize = SearchSize; + if(Search1 >= (void*)((ULONG_PTR)FileMapVA1 + DeltaByte)) + { + Search1 = (LPVOID)((ULONG_PTR)Search1 - DeltaByte); + Search2 = (LPVOID)((ULONG_PTR)Search2 - DeltaByte); + SearchSize = SearchSize + (DWORD)DeltaByte; + } + while(i > NULL && RelativeBase == NULL) + { + RtlMoveMemory(&ReadData, Search2, sizeof HANDLE); + if(ReadData >= LoadedImageBase && ReadData <= NtSizeOfImage) + { + RelativeBase++; + } + else + { + Search1 = (LPVOID)((ULONG_PTR)Search1 + 1); + Search2 = (LPVOID)((ULONG_PTR)Search2 + 1); + SearchSize = SearchSize - 1; + i--; + } + } + if(RelativeBase == NULL) + { + Search1 = bkSearch1; + Search2 = bkSearch2; + SearchSize = bkSearchSize; + } + else + { + RelocaterAddNewRelocation(hProcess, MemStart + ((ULONG_PTR)Search2 - (ULONG_PTR)FileMapVA2), NULL); + Search1 = (LPVOID)((ULONG_PTR)Search1 + sizeof HANDLE - 1); + Search2 = (LPVOID)((ULONG_PTR)Search2 + sizeof HANDLE - 1); + SearchSize = SearchSize - sizeof HANDLE + 1; + } + } + Search1 = (LPVOID)((ULONG_PTR)Search1 + 1); + Search2 = (LPVOID)((ULONG_PTR)Search2 + 1); + SearchSize = SearchSize - 1; + } + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + RelocaterCleanup(); + UnMapFileEx(FileHandle2, FileSize2, FileMap2, FileMapVA2); + UnMapFileEx(FileHandle1, FileSize1, FileMap1, FileMapVA1); + return(false); + } + } + UnMapFileEx(FileHandle2, FileSize2, FileMap2, FileMapVA2); + } + UnMapFileEx(FileHandle1, FileSize1, FileMap1, FileMapVA1); + return(true); + } + return(false); +} +__declspec(dllexport) bool TITCALL RelocaterChangeFileBase(char* szFileName, ULONG_PTR NewImageBase) +{ + + wchar_t uniFileName[MAX_PATH] = {}; + + if(szFileName != NULL) + { + MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); + return(RelocaterChangeFileBaseW(uniFileName, NewImageBase)); + } + else + { + return(false); + } +} +__declspec(dllexport) bool TITCALL RelocaterChangeFileBaseW(wchar_t* szFileName, ULONG_PTR NewImageBase) +{ + + DWORD RelocSize; + ULONG_PTR RelocData; + PIMAGE_DOS_HEADER DOSHeader; + PIMAGE_NT_HEADERS32 PEHeader32; + PIMAGE_NT_HEADERS64 PEHeader64; + BOOL FileIs64; + HANDLE FileHandle; + DWORD FileSize; + HANDLE FileMap; + ULONG_PTR FileMapVA; + DWORD CompareDummy = NULL; + DWORD RelocDelta = NULL; + DWORD RelocDeltaSize = NULL; + WORD RelocAddressData = NULL; + ULONG_PTR RelocWriteAddress = NULL; + ULONG_PTR RelocWriteData = NULL; + DWORD64 RelocWriteData64 = NULL; + wchar_t szBackupFile[MAX_PATH] = {}; + wchar_t szBackupItem[MAX_PATH] = {}; + + if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof szBackupItem)) + { + if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof szBackupItem)) + { + RtlZeroMemory(&szBackupItem, sizeof szBackupItem); + lstrcpyW(szBackupFile, szFileName); + } + } + else + { + RtlZeroMemory(&szBackupItem, sizeof szBackupItem); + lstrcpyW(szBackupFile, szFileName); + } + if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) + { + DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; + if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true)) + { + PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + if(PEHeader32->OptionalHeader.Magic == 0x10B) + { + FileIs64 = false; + } + else if(PEHeader32->OptionalHeader.Magic == 0x20B) + { + FileIs64 = true; + } + else + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(false); + } + if(!FileIs64) + { + if(PEHeader32->OptionalHeader.ImageBase == (DWORD)NewImageBase) + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(true); + } + RelocData = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + PEHeader32->OptionalHeader.ImageBase), true); + RelocSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; + } + else + { + if((ULONG_PTR)PEHeader64->OptionalHeader.ImageBase == NewImageBase) + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(true); + } + RelocData = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + PEHeader64->OptionalHeader.ImageBase), true); + RelocSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; + } + __try + { + while(memcmp((LPVOID)RelocData, &CompareDummy, 4)) + { + RtlMoveMemory(&RelocDelta, (LPVOID)RelocData, 4); + RtlMoveMemory(&RelocDeltaSize, (LPVOID)((ULONG_PTR)RelocData + 4), 4); + RelocDeltaSize = RelocDeltaSize - 8; + RelocData = RelocData + 8; + while(RelocDeltaSize > NULL) + { + RtlMoveMemory(&RelocAddressData, (LPVOID)RelocData, 2); + if(RelocAddressData != NULL) + { + if(RelocAddressData & 0x8000) + { + RelocAddressData = RelocAddressData ^ 0x8000; + RelocWriteAddress = (ULONG_PTR)(RelocAddressData + RelocDelta); + RelocWriteAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)((DWORD64)PEHeader64->OptionalHeader.ImageBase + RelocWriteAddress), true); + RtlMoveMemory(&RelocWriteData64, (LPVOID)RelocWriteAddress, 8); + RelocWriteData64 = RelocWriteData64 - (DWORD64)PEHeader64->OptionalHeader.ImageBase + (DWORD64)NewImageBase; + RtlMoveMemory((LPVOID)RelocWriteAddress, &RelocWriteData64, 8); + } + else if(RelocAddressData & 0x3000) + { + RelocAddressData = RelocAddressData ^ 0x3000; + RelocWriteAddress = (ULONG_PTR)(RelocAddressData + RelocDelta); + RelocWriteAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, PEHeader32->OptionalHeader.ImageBase + RelocWriteAddress, true); + RtlMoveMemory(&RelocWriteData, (LPVOID)RelocWriteAddress, 4); + RelocWriteData = RelocWriteData - PEHeader32->OptionalHeader.ImageBase + NewImageBase; + RtlMoveMemory((LPVOID)RelocWriteAddress, &RelocWriteData, 4); + } + } + RelocDeltaSize = RelocDeltaSize - 2; + RelocData = RelocData + 2; + } + } + if(!FileIs64) + { + PEHeader32->OptionalHeader.ImageBase = (DWORD)NewImageBase; + } + else + { + PEHeader64->OptionalHeader.ImageBase = (ULONG_PTR)NewImageBase; + } + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + if(szBackupItem[0] != NULL) + { + if(CopyFileW(szBackupFile, szFileName, false)) + { + RemoveGarbageItem(szBackupItem, true); + return(true); + } + else + { + RemoveGarbageItem(szBackupItem, true); + return(false); + } + } + else + { + return(true); + } + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(false); + } + } + else + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + RemoveGarbageItem(szBackupItem, true); + return(false); + } + } + RemoveGarbageItem(szBackupItem, true); + return(false); +} +__declspec(dllexport) bool TITCALL RelocaterRelocateMemoryBlock(ULONG_PTR FileMapVA, ULONG_PTR MemoryLocation, void* RelocateMemory, DWORD RelocateMemorySize, ULONG_PTR CurrentLoadedBase, ULONG_PTR RelocateBase) +{ + + BOOL FileIs64; + DWORD RelocSize; + ULONG_PTR RelocData; + PIMAGE_DOS_HEADER DOSHeader; + PIMAGE_NT_HEADERS32 PEHeader32; + PIMAGE_NT_HEADERS64 PEHeader64; + DWORD CompareDummy = NULL; + DWORD RelocDelta = NULL; + DWORD RelocDeltaSize = NULL; + WORD RelocAddressData = NULL; + ULONG_PTR RelocWriteAddress = NULL; + ULONG_PTR RelocWriteData = NULL; + DWORD64 RelocWriteData64 = NULL; + + DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; + MemoryLocation = MemoryLocation - CurrentLoadedBase; + if(EngineValidateHeader(FileMapVA, NULL, NULL, DOSHeader, true)) + { + PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + if(PEHeader32->OptionalHeader.Magic == 0x10B) + { + FileIs64 = false; + } + else if(PEHeader32->OptionalHeader.Magic == 0x20B) + { + FileIs64 = true; + } + else + { + return(false); + } + if(!FileIs64) + { + if(PEHeader32->OptionalHeader.ImageBase == (DWORD)RelocateBase) + { + return(true); + } + RelocData = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + PEHeader32->OptionalHeader.ImageBase), true); + RelocSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; + } + else + { + if((ULONG_PTR)PEHeader64->OptionalHeader.ImageBase == RelocateBase) + { + return(true); + } + RelocData = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + PEHeader64->OptionalHeader.ImageBase), true); + RelocSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; + } + __try + { + while(memcmp((LPVOID)RelocData, &CompareDummy, 4)) + { + RtlMoveMemory(&RelocDelta, (LPVOID)RelocData, 4); + RtlMoveMemory(&RelocDeltaSize, (LPVOID)((ULONG_PTR)RelocData + 4), 4); + RelocDeltaSize = RelocDeltaSize - 8; + RelocData = RelocData + 8; + while(RelocDeltaSize > NULL) + { + RtlMoveMemory(&RelocAddressData, (LPVOID)RelocData, 2); + if(RelocAddressData != NULL) + { + if(RelocAddressData & 0x8000) + { + RelocAddressData = RelocAddressData ^ 0x8000; + if(RelocAddressData >= MemoryLocation && RelocAddressData < MemoryLocation + RelocateMemorySize) + { + RelocWriteAddress = (ULONG_PTR)(RelocAddressData + RelocDelta - MemoryLocation + (ULONG_PTR)RelocateMemory); + RtlMoveMemory(&RelocWriteData64, (LPVOID)RelocWriteAddress, 8); + RelocWriteData64 = RelocWriteData64 - (DWORD64)PEHeader64->OptionalHeader.ImageBase + (DWORD64)RelocateBase; + RtlMoveMemory((LPVOID)RelocWriteAddress, &RelocWriteData64, 8); + } + } + else if(RelocAddressData & 0x3000) + { + RelocAddressData = RelocAddressData ^ 0x3000; + if(RelocAddressData >= MemoryLocation && RelocAddressData < MemoryLocation + RelocateMemorySize) + { + RelocWriteAddress = (ULONG_PTR)(RelocAddressData + RelocDelta - MemoryLocation + (ULONG_PTR)RelocateMemory); + RtlMoveMemory(&RelocWriteData, (LPVOID)RelocWriteAddress, 4); + RelocWriteData = RelocWriteData - PEHeader32->OptionalHeader.ImageBase + RelocateBase; + RtlMoveMemory((LPVOID)RelocWriteAddress, &RelocWriteData, 4); + } + } + } + RelocDeltaSize = RelocDeltaSize - 2; + RelocData = RelocData + 2; + } + } + return(true); + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + return(false); + } + } + else + { + return(false); + } + return(false); +} +__declspec(dllexport) bool TITCALL RelocaterWipeRelocationTable(char* szFileName) +{ + + wchar_t uniFileName[MAX_PATH] = {}; + + if(szFileName != NULL) + { + MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); + return(RelocaterWipeRelocationTableW(uniFileName)); + } + else + { + return(false); + } +} +__declspec(dllexport) bool TITCALL RelocaterWipeRelocationTableW(wchar_t* szFileName) +{ + + PIMAGE_DOS_HEADER DOSHeader; + PIMAGE_NT_HEADERS32 PEHeader32; + PIMAGE_NT_HEADERS64 PEHeader64; + DWORD WipeSectionNumber = NULL; + ULONG_PTR Characteristics; + BOOL FileIs64; + HANDLE FileHandle; + DWORD FileSize; + HANDLE FileMap; + ULONG_PTR FileMapVA; + + if(MapFileExW(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) + { + DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; + if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true)) + { + PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + if(PEHeader32->OptionalHeader.Magic == 0x10B) + { + FileIs64 = false; + } + else if(PEHeader32->OptionalHeader.Magic == 0x20B) + { + FileIs64 = true; + } + else + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(false); + } + if(!FileIs64) + { + if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != NULL) + { + Characteristics = (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_CHARACTERISTICS) ^ 1; + SetPE32DataForMappedFile(FileMapVA, NULL, UE_CHARACTERISTICS, Characteristics); + WipeSectionNumber = GetPE32SectionNumberFromVA(FileMapVA, (ULONG_PTR)((ULONG_PTR)PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase)); + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(WipeSectionW(szFileName, (int)WipeSectionNumber, true)); + } + } + else + { + if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != NULL) + { + Characteristics = (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_CHARACTERISTICS) ^ 1; + SetPE32DataForMappedFile(FileMapVA, NULL, UE_CHARACTERISTICS, Characteristics); + WipeSectionNumber = GetPE32SectionNumberFromVA(FileMapVA, (ULONG_PTR)((ULONG_PTR)PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase)); + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(WipeSectionW(szFileName, (int)WipeSectionNumber, true)); + } + } + } + } + return(false); +} \ No newline at end of file diff --git a/TitanEngine/TitanEngine.Resourcer.cpp b/TitanEngine/TitanEngine.Resourcer.cpp new file mode 100644 index 0000000..de5a42e --- /dev/null +++ b/TitanEngine/TitanEngine.Resourcer.cpp @@ -0,0 +1,359 @@ +#include "stdafx.h" +#include "definitions.h" +#include "Global.Mapping.h" +#include "Global.Engine.h" +#include "Global.Handle.h" + +// TitanEngine.Resourcer.functions: +__declspec(dllexport) long long TITCALL ResourcerLoadFileForResourceUse(char* szFileName) +{ + return((ULONG_PTR)EngineSimulateNtLoader(szFileName)); +} + +__declspec(dllexport) long long TITCALL ResourcerLoadFileForResourceUseW(wchar_t* szFileName) +{ + return((ULONG_PTR)EngineSimulateNtLoaderW(szFileName)); +} + +__declspec(dllexport) bool TITCALL ResourcerFreeLoadedFile(LPVOID LoadedFileBase) +{ + if(VirtualFree(LoadedFileBase, NULL, MEM_RELEASE)) + { + return(true); + } + else + { + return(false); + } +} + +__declspec(dllexport) bool TITCALL ResourcerExtractResourceFromFileEx(ULONG_PTR FileMapVA, char* szResourceType, char* szResourceName, char* szExtractedFileName) +{ + + HRSRC hResource; + HGLOBAL hResourceGlobal; + DWORD ResourceSize; + LPVOID ResourceData; + DWORD NumberOfBytesWritten; + HANDLE hFile; + + hResource = FindResourceA((HMODULE)FileMapVA, (LPCSTR)szResourceName, (LPCSTR)szResourceType); + if(hResource != NULL) + { + hResourceGlobal = LoadResource((HMODULE)FileMapVA, hResource); + if(hResourceGlobal != NULL) + { + ResourceSize = SizeofResource((HMODULE)FileMapVA, hResource); + ResourceData = LockResource(hResourceGlobal); + if(EngineCreatePathForFile(szExtractedFileName)) + { + hFile = CreateFileA(szExtractedFileName, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); + if(hFile != INVALID_HANDLE_VALUE) + { + WriteFile(hFile, ResourceData, ResourceSize, &NumberOfBytesWritten, NULL); + EngineCloseHandle(hFile); + } + else + { + return(false); + } + } + } + return(true); + } + return(false); +} + +__declspec(dllexport) bool TITCALL ResourcerExtractResourceFromFile(char* szFileName, char* szResourceType, char* szResourceName, char* szExtractedFileName) +{ + + HANDLE FileHandle; + DWORD FileSize; + HANDLE FileMap; + ULONG_PTR FileMapVA; + bool bReturn; + + if(MapFileEx(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) + { + bReturn = ResourcerExtractResourceFromFileEx(FileMapVA, szResourceType, szResourceName, szExtractedFileName); + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + if(bReturn) + { + return(true); + } + } + return(false); +} + +__declspec(dllexport) bool TITCALL ResourcerExtractResourceFromFileW(wchar_t* szFileName, char* szResourceType, char* szResourceName, char* szExtractedFileName) +{ + + HANDLE FileHandle; + DWORD FileSize; + HANDLE FileMap; + ULONG_PTR FileMapVA; + bool bReturn; + + if(MapFileExW(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) + { + bReturn = ResourcerExtractResourceFromFileEx(FileMapVA, szResourceType, szResourceName, szExtractedFileName); + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + if(bReturn) + { + return(true); + } + } + return(false); +} + +__declspec(dllexport) bool TITCALL ResourcerFindResource(char* szFileName, char* szResourceType, DWORD ResourceType, char* szResourceName, DWORD ResourceName, DWORD ResourceLanguage, PULONG_PTR pResourceData, LPDWORD pResourceSize) +{ + + wchar_t uniFileName[MAX_PATH] = {}; + wchar_t* PtrResourceType = NULL; + wchar_t uniResourceType[MAX_PATH] = {}; + wchar_t* PtrResourceName = NULL; + wchar_t uniResourceName[MAX_PATH] = {}; + + if(szFileName != NULL) + { + MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); + if(szResourceName != NULL) + { + MultiByteToWideChar(CP_ACP, NULL, szResourceName, lstrlenA(szResourceName)+1, uniResourceName, sizeof(uniResourceName)/(sizeof(uniResourceName[0]))); + } + else + { + PtrResourceType = &uniResourceType[0]; + } + if(szResourceType != NULL) + { + MultiByteToWideChar(CP_ACP, NULL, szResourceType, lstrlenA(szResourceType)+1, uniResourceType, sizeof(uniResourceType)/(sizeof(uniResourceType[0]))); + } + else + { + PtrResourceName = &uniResourceName[0]; + } + return(ResourcerFindResourceW(uniFileName, PtrResourceType, ResourceType, PtrResourceName, ResourceName, ResourceLanguage, pResourceData, pResourceSize)); + } + else + { + return(false); + } +} + +__declspec(dllexport) bool TITCALL ResourcerFindResourceW(wchar_t* szFileName, wchar_t* szResourceType, DWORD ResourceType, wchar_t* szResourceName, DWORD ResourceName, DWORD ResourceLanguage, PULONG_PTR pResourceData, LPDWORD pResourceSize) +{ + + bool ReturnValue; + ULONG_PTR FileMapVA; + HANDLE FileHandle; + HANDLE FileMap; + DWORD FileSize; + + if(MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) + { + ReturnValue = ResourcerFindResourceEx(FileMapVA, FileSize, szResourceType, ResourceType, szResourceName, ResourceName, ResourceLanguage, pResourceData, pResourceSize); + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + if(ReturnValue) + { + return(true); + } + } + else + { + return(false); + } + return(false); +} + +__declspec(dllexport) bool TITCALL ResourcerFindResourceEx(ULONG_PTR FileMapVA, DWORD FileSize, wchar_t* szResourceType, DWORD ResourceType, wchar_t* szResourceName, DWORD ResourceName, DWORD ResourceLanguage, PULONG_PTR pResourceData, LPDWORD pResourceSize) +{ + + int i,j,n; + wchar_t* uniResourceName; + wchar_t* uniResourceType; + PIMAGE_RESOURCE_DIRECTORY PEResource; + PIMAGE_RESOURCE_DIRECTORY PEResourcePtr; + PIMAGE_RESOURCE_DIRECTORY_ENTRY PEResourceDir; + PIMAGE_RESOURCE_DIRECTORY PESubResourcePtr1; + PIMAGE_RESOURCE_DIRECTORY_ENTRY PEResourceDir1; + PIMAGE_RESOURCE_DIRECTORY PESubResourcePtr2; + PIMAGE_RESOURCE_DIRECTORY_ENTRY PEResourceDir2; + PIMAGE_RESOURCE_DATA_ENTRY PEResourceItem; + + __try + { + if(FileMapVA != NULL && FileSize != NULL) + { + PEResource = (PIMAGE_RESOURCE_DIRECTORY)(ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_IMAGEBASE), (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_RESOURCETABLEADDRESS), true, true)); + if(PEResource != NULL) + { + PEResourceDir = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResource + sizeof IMAGE_RESOURCE_DIRECTORY); + i = PEResource->NumberOfIdEntries + PEResource->NumberOfNamedEntries; + PEResourcePtr = PEResource; + while(i > NULL) + { + PESubResourcePtr1 = (PIMAGE_RESOURCE_DIRECTORY)((ULONG_PTR)PEResourcePtr + (PEResourceDir->OffsetToData ^ IMAGE_RESOURCE_DATA_IS_DIRECTORY)); + PEResourceDir1 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PESubResourcePtr1 + sizeof IMAGE_RESOURCE_DIRECTORY); + j = PESubResourcePtr1->NumberOfIdEntries + PESubResourcePtr1->NumberOfNamedEntries; + uniResourceType = (wchar_t*)((ULONG_PTR)PEResourcePtr + PEResourceDir->NameOffset); + if(((bool)PEResourceDir->NameIsString == true && EngineCompareResourceString(uniResourceType, szResourceType) == true) || ((bool)PEResourceDir->NameIsString == false && PEResourceDir->Id == ResourceType)) + { + while(j > NULL) + { + PESubResourcePtr2 = (PIMAGE_RESOURCE_DIRECTORY)((ULONG_PTR)PEResourcePtr + (PEResourceDir1->OffsetToData ^ IMAGE_RESOURCE_DATA_IS_DIRECTORY)); + PEResourceDir2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PESubResourcePtr2 + sizeof IMAGE_RESOURCE_DIRECTORY); + n = PESubResourcePtr2->NumberOfIdEntries + PESubResourcePtr2->NumberOfNamedEntries; + uniResourceName = (wchar_t*)((ULONG_PTR)PEResourcePtr + PEResourceDir1->NameOffset); + if(((bool)PEResourceDir1->NameIsString == true && EngineCompareResourceString(uniResourceName, szResourceName) == true) || ((bool)PEResourceDir1->NameIsString == false && PEResourceDir1->Id == ResourceName)) + { + while(n > NULL) + { + PEResourceItem = (PIMAGE_RESOURCE_DATA_ENTRY)((ULONG_PTR)PEResourcePtr + PEResourceDir2->OffsetToData); + if(ResourceLanguage == UE_RESOURCE_LANGUAGE_ANY || ResourceLanguage == PEResourceDir2->Id) + { + *pResourceData = PEResourceItem->OffsetToData; + *pResourceSize = PEResourceItem->Size; + return(true); + } + PEResourceDir2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir2 + sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY); + n--; + } + } + else + { + PEResourceDir2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir2 + sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY * n); + } + PEResourceDir1 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir1 + sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY); + j--; + } + } + else + { + PEResourceDir1 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir1 + sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY * j); + } + PEResourceDir = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir + sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY); + i--; + } + } + } + else + { + return(false); + } + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + + } + return(false); +} + +__declspec(dllexport) void TITCALL ResourcerEnumerateResource(char* szFileName, void* CallBack) +{ + + wchar_t uniFileName[MAX_PATH] = {}; + + if(szFileName != NULL) + { + MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); + ResourcerEnumerateResourceW(uniFileName, CallBack); + } +} + +__declspec(dllexport) void TITCALL ResourcerEnumerateResourceW(wchar_t* szFileName, void* CallBack) +{ + + ULONG_PTR FileMapVA; + HANDLE FileHandle; + HANDLE FileMap; + DWORD FileSize; + + if(MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) + { + ResourcerEnumerateResourceEx(FileMapVA, FileSize, CallBack); + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + } +} + +__declspec(dllexport) void TITCALL ResourcerEnumerateResourceEx(ULONG_PTR FileMapVA, DWORD FileSize, void* CallBack) +{ + + int i,j,n; + wchar_t* uniResourceName; + wchar_t* uniResourceType; + PIMAGE_RESOURCE_DIRECTORY PEResource; + PIMAGE_RESOURCE_DIRECTORY PEResourcePtr; + PIMAGE_RESOURCE_DIRECTORY_ENTRY PEResourceDir; + PIMAGE_RESOURCE_DIRECTORY PESubResourcePtr1; + PIMAGE_RESOURCE_DIRECTORY_ENTRY PEResourceDir1; + PIMAGE_RESOURCE_DIRECTORY PESubResourcePtr2; + PIMAGE_RESOURCE_DIRECTORY_ENTRY PEResourceDir2; + PIMAGE_RESOURCE_DATA_ENTRY PEResourceItem; + typedef bool(TITCALL *fResourceEnumerator)(wchar_t* szResourceType, DWORD ResourceType, wchar_t* szResourceName, DWORD ResourceName, DWORD ResourceLanguage, DWORD ResourceData, DWORD ResourceSize); + fResourceEnumerator myResourceEnumerator = (fResourceEnumerator)CallBack; + + __try + { + if(CallBack != NULL) + { + if(FileMapVA != NULL && FileSize != NULL) + { + PEResource = (PIMAGE_RESOURCE_DIRECTORY)(ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_IMAGEBASE), (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_RESOURCETABLEADDRESS), true, true)); + if(PEResource != NULL) + { + PEResourceDir = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResource + sizeof IMAGE_RESOURCE_DIRECTORY); + i = PEResource->NumberOfIdEntries + PEResource->NumberOfNamedEntries; + PEResourcePtr = PEResource; + while(i > NULL) + { + PESubResourcePtr1 = (PIMAGE_RESOURCE_DIRECTORY)((ULONG_PTR)PEResourcePtr + (PEResourceDir->OffsetToData ^ IMAGE_RESOURCE_DATA_IS_DIRECTORY)); + PEResourceDir1 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PESubResourcePtr1 + sizeof IMAGE_RESOURCE_DIRECTORY); + j = PESubResourcePtr1->NumberOfIdEntries + PESubResourcePtr1->NumberOfNamedEntries; + while(j > NULL) + { + PESubResourcePtr2 = (PIMAGE_RESOURCE_DIRECTORY)((ULONG_PTR)PEResourcePtr + (PEResourceDir1->OffsetToData ^ IMAGE_RESOURCE_DATA_IS_DIRECTORY)); + PEResourceDir2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PESubResourcePtr2 + sizeof IMAGE_RESOURCE_DIRECTORY); + n = PESubResourcePtr2->NumberOfIdEntries + PESubResourcePtr2->NumberOfNamedEntries; + while(n > NULL) + { + PEResourceItem = (PIMAGE_RESOURCE_DATA_ENTRY)((ULONG_PTR)PEResourcePtr + PEResourceDir2->OffsetToData); + if(PEResourceDir->NameIsString) + { + uniResourceType = (wchar_t*)((ULONG_PTR)PEResourcePtr + PEResourceDir->NameOffset); + } + else + { + uniResourceType = NULL; + } + if(PEResourceDir1->NameIsString) + { + uniResourceName = (wchar_t*)((ULONG_PTR)PEResourcePtr + PEResourceDir1->NameOffset); + } + else + { + uniResourceName = NULL; + } + if(!myResourceEnumerator(uniResourceType, PEResourceDir->Id, uniResourceName, PEResourceDir1->Id, PEResourceDir2->Id, PEResourceItem->OffsetToData, PEResourceItem->Size)) + { + return; + } + PEResourceDir2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir2 + sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY); + n--; + } + PEResourceDir1 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir1 + sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY); + j--; + } + PEResourceDir = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir + sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY); + i--; + } + } + } + } + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + + } +} \ No newline at end of file diff --git a/TitanEngine/TitanEngine.Threader.cpp b/TitanEngine/TitanEngine.Threader.cpp new file mode 100644 index 0000000..24bb541 --- /dev/null +++ b/TitanEngine/TitanEngine.Threader.cpp @@ -0,0 +1,443 @@ +#include "stdafx.h" +#include "definitions.h" +#include "Global.Handle.h" +#include "Global.Engine.h" +#include "Global.Threader.h" +#include + +// TitanEngine.Threader.functions: +__declspec(dllexport) bool TITCALL ThreaderImportRunningThreadData(DWORD ProcessId) +{ + + HANDLE hSnapShot; + THREADENTRY32 ThreadEntry = {}; + PTHREAD_ITEM_DATA hListThreadPtr = NULL; + + if(dbgProcessInformation.hProcess == NULL && ProcessId != NULL) + { + if(hListThread == NULL) + { + hListThread = VirtualAlloc(NULL, MAX_DEBUG_DATA * sizeof THREAD_ITEM_DATA, MEM_COMMIT, PAGE_READWRITE); + } + else + { + RtlZeroMemory(hListThread, MAX_DEBUG_DATA * sizeof THREAD_ITEM_DATA); + } + ThreadEntry.dwSize = sizeof THREADENTRY32; + hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread; + hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, ProcessId); + if(hSnapShot != INVALID_HANDLE_VALUE) + { + if(Thread32First(hSnapShot, &ThreadEntry)) + { + do + { + if(ThreadEntry.th32OwnerProcessID == ProcessId) + { + hListThreadPtr->dwThreadId = ThreadEntry.th32ThreadID; + hListThreadPtr->hThread = OpenThread(THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION|THREAD_SUSPEND_RESUME, false, hListThreadPtr->dwThreadId); + hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA); + } + } + while(Thread32Next(hSnapShot, &ThreadEntry)); + } + EngineCloseHandle(hSnapShot); + return(true); + } + } + return(false); +} +__declspec(dllexport) void* TITCALL ThreaderGetThreadInfo(HANDLE hThread, DWORD ThreadId) +{ + + PTHREAD_ITEM_DATA hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread; + + if(hListThreadPtr != NULL) + { + if(hThread != NULL) + { + while(hListThreadPtr->hThread != NULL && hListThreadPtr->hThread != hThread) + { + hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA); + } + if(hListThreadPtr->hThread == hThread) + { + return((void*)hListThreadPtr); + } + } + else if(ThreadId != NULL) + { + while(hListThreadPtr->hThread != NULL && hListThreadPtr->dwThreadId != ThreadId) + { + hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA); + } + if(hListThreadPtr->dwThreadId == ThreadId) + { + return((void*)hListThreadPtr); + } + } + } + return(NULL); +} +__declspec(dllexport) void TITCALL ThreaderEnumThreadInfo(void* EnumCallBack) +{ + + PTHREAD_ITEM_DATA hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread; + typedef void(TITCALL *fEnumCallBack)(LPVOID fThreadDetail); + fEnumCallBack myEnumCallBack = (fEnumCallBack)EnumCallBack; + + if(hListThreadPtr != NULL) + { + while(EnumCallBack != NULL && hListThreadPtr->hThread != NULL) + { + if(hListThreadPtr->hThread != NULL) + { + __try + { + myEnumCallBack((void*)hListThreadPtr); + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + EnumCallBack = NULL; + } + } + hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA); + } + } +} +__declspec(dllexport) bool TITCALL ThreaderPauseThread(HANDLE hThread) +{ + + PTHREAD_ITEM_DATA hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread; + + if(hListThreadPtr != NULL) + { + if(hThread != NULL) + { + while(hListThreadPtr->hThread != NULL && hListThreadPtr->hThread != hThread) + { + hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA); + } + if(hListThreadPtr->hThread == hThread) + { + if(SuspendThread(hThread) != -1) + { + return(true); + } + else + { + return(false); + } + } + else + { + return(false); + } + } + } + return(false); +} +__declspec(dllexport) bool TITCALL ThreaderResumeThread(HANDLE hThread) +{ + + PTHREAD_ITEM_DATA hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread; + + if(hListThreadPtr != NULL) + { + if(hThread != NULL) + { + while(hListThreadPtr->hThread != NULL && hListThreadPtr->hThread != hThread) + { + hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA); + } + if(hListThreadPtr->hThread == hThread) + { + if(ResumeThread(hThread) != -1) + { + return(true); + } + else + { + return(false); + } + } + else + { + return(false); + } + } + } + return(false); +} +__declspec(dllexport) bool TITCALL ThreaderTerminateThread(HANDLE hThread, DWORD ThreadExitCode) +{ + + PTHREAD_ITEM_DATA hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread; + + if(hListThreadPtr != NULL) + { + if(hThread != NULL) + { + while(hListThreadPtr->hThread != NULL && hListThreadPtr->hThread != hThread) + { + hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA); + } + if(hListThreadPtr->hThread == hThread) + { + if(TerminateThread(hThread, ThreadExitCode) != NULL) + { + hListThreadPtr->hThread = (HANDLE)-1; + hListThreadPtr->dwThreadId = NULL; + hListThreadPtr->ThreadLocalBase = NULL; + hListThreadPtr->ThreadStartAddress = NULL; + return(true); + } + else + { + return(false); + } + } + else + { + return(false); + } + } + } + return(false); +} +__declspec(dllexport) bool TITCALL ThreaderPauseAllThreads(bool LeaveMainRunning) +{ + + PTHREAD_ITEM_DATA hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread; + + if(hListThreadPtr != NULL) + { + while(hListThreadPtr->hThread != NULL) + { + if(LeaveMainRunning) + { + if(hListThreadPtr->hThread != dbgProcessInformation.hThread) + { + SuspendThread((HANDLE)hListThreadPtr->hThread); + } + } + else + { + SuspendThread(hListThreadPtr->hThread); + } + hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA); + } + return(true); + } + return(false); +} +__declspec(dllexport) bool TITCALL ThreaderResumeAllThreads(bool LeaveMainPaused) +{ + + PTHREAD_ITEM_DATA hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread; + + if(hListThreadPtr != NULL) + { + while(hListThreadPtr->hThread != NULL) + { + if(LeaveMainPaused) + { + if(hListThreadPtr->hThread != dbgProcessInformation.hThread) + { + ResumeThread(hListThreadPtr->hThread); + } + } + else + { + ResumeThread(hListThreadPtr->hThread); + } + hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA); + } + return(true); + } + return(false); +} +__declspec(dllexport) bool TITCALL ThreaderPauseProcess() +{ + return(ThreaderPauseAllThreads(false)); +} +__declspec(dllexport) bool TITCALL ThreaderResumeProcess() +{ + return(ThreaderResumeAllThreads(false)); +} +__declspec(dllexport) long long TITCALL ThreaderCreateRemoteThread(ULONG_PTR ThreadStartAddress, bool AutoCloseTheHandle, LPVOID ThreadPassParameter, LPDWORD ThreadId) +{ + + HANDLE myThread; + + if(dbgProcessInformation.hProcess != NULL) + { + if(!AutoCloseTheHandle) + { + return((ULONG_PTR)CreateRemoteThread(dbgProcessInformation.hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)ThreadStartAddress, ThreadPassParameter, NULL, ThreadId)); + } + else + { + myThread = CreateRemoteThread(dbgProcessInformation.hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)ThreadStartAddress, ThreadPassParameter, NULL, ThreadId); + EngineCloseHandle(myThread); + return(NULL); + } + } + return(NULL); +} +__declspec(dllexport) bool TITCALL ThreaderInjectAndExecuteCode(LPVOID InjectCode, DWORD StartDelta, DWORD InjectSize) +{ + + LPVOID ThreadBase = 0; + ULONG_PTR ueNumberOfBytesRead = 0; + + if(dbgProcessInformation.hProcess != NULL) + { + ThreadBase = VirtualAllocEx(dbgProcessInformation.hProcess, NULL, InjectSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE); + if(WriteProcessMemory(dbgProcessInformation.hProcess, ThreadBase, InjectCode, InjectSize, &ueNumberOfBytesRead)) + { + ThreaderCreateRemoteThread((ULONG_PTR)((ULONG_PTR)InjectCode + StartDelta), true, NULL, NULL); + return(true); + } + else + { + return(false); + } + } + return(false); +} +__declspec(dllexport) long long TITCALL ThreaderCreateRemoteThreadEx(HANDLE hProcess, ULONG_PTR ThreadStartAddress, bool AutoCloseTheHandle, LPVOID ThreadPassParameter, LPDWORD ThreadId) +{ + + HANDLE myThread; + + if(hProcess != NULL) + { + if(!AutoCloseTheHandle) + { + return((ULONG_PTR)CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)ThreadStartAddress, ThreadPassParameter, NULL, ThreadId)); + } + else + { + myThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)ThreadStartAddress, ThreadPassParameter, NULL, ThreadId); + EngineCloseHandle(myThread); + return(NULL); + } + } + return(NULL); +} +__declspec(dllexport) bool TITCALL ThreaderInjectAndExecuteCodeEx(HANDLE hProcess, LPVOID InjectCode, DWORD StartDelta, DWORD InjectSize) +{ + + LPVOID ThreadBase = 0; + ULONG_PTR ueNumberOfBytesRead = 0; + + if(hProcess != NULL) + { + ThreadBase = VirtualAllocEx(hProcess, NULL, InjectSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE); + if(WriteProcessMemory(hProcess, ThreadBase, InjectCode, InjectSize, &ueNumberOfBytesRead)) + { + ThreaderCreateRemoteThread((ULONG_PTR)((ULONG_PTR)InjectCode + StartDelta), true, NULL, NULL); + return(true); + } + else + { + return(false); + } + } + return(false); +} +__declspec(dllexport) void TITCALL ThreaderSetCallBackForNextExitThreadEvent(LPVOID exitThreadCallBack) +{ + engineExitThreadOneShootCallBack = exitThreadCallBack; +} +__declspec(dllexport) bool TITCALL ThreaderIsThreadStillRunning(HANDLE hThread) +{ + + CONTEXT myDBGContext; + + RtlZeroMemory(&myDBGContext, sizeof CONTEXT); + myDBGContext.ContextFlags = CONTEXT_ALL; + if(GetThreadContext(hThread, &myDBGContext)) + { + return(true); + } + else + { + return(false); + } +} +__declspec(dllexport) bool TITCALL ThreaderIsThreadActive(HANDLE hThread) +{ + if(SuspendThread(hThread)) //if previous suspend count is above 0 (which means thread is suspended) + { + ResumeThread(hThread); //decrement suspend count + return(true); + } + return(false); +} +__declspec(dllexport) bool TITCALL ThreaderIsAnyThreadActive() +{ + + PTHREAD_ITEM_DATA hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread; + + if(hListThreadPtr != NULL) + { + while(hListThreadPtr->hThread != NULL) + { + if(hListThreadPtr->hThread != (HANDLE)-1) + { + if(ThreaderIsThreadActive(hListThreadPtr->hThread)) + { + return(true); + } + } + hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA); + } + } + return(false); +} +__declspec(dllexport) bool TITCALL ThreaderExecuteOnlyInjectedThreads() +{ + + if(ThreaderPauseProcess()) + { + engineResumeProcessIfNoThreadIsActive = true; + return(true); + } + return(false); +} +__declspec(dllexport) long long TITCALL ThreaderGetOpenHandleForThread(DWORD ThreadId) +{ + + PTHREAD_ITEM_DATA hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread; + + if(hListThread != NULL) + { + while(hListThreadPtr->hThread != NULL) + { + if(hListThreadPtr->hThread != (HANDLE)-1 && hListThreadPtr->dwThreadId == ThreadId) + { + return((ULONG_PTR)hListThreadPtr->hThread); + } + hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA); + } + } + return(NULL); +} +__declspec(dllexport) void* TITCALL ThreaderGetThreadData() +{ + return(hListThread); +} +__declspec(dllexport) bool TITCALL ThreaderIsExceptionInMainThread() +{ + + LPDEBUG_EVENT myDBGEvent; + + myDBGEvent = (LPDEBUG_EVENT)GetDebugData(); + if(myDBGEvent->dwThreadId == dbgProcessInformation.dwThreadId) + { + return(true); + } + return(false); +} \ No newline at end of file diff --git a/TitanEngine/TitanEngine.cpp b/TitanEngine/TitanEngine.cpp index 49345b4..9073c1c 100644 --- a/TitanEngine/TitanEngine.cpp +++ b/TitanEngine/TitanEngine.cpp @@ -18,8 +18,8 @@ #include #include // Global.Engine: -#include "definitions.h" #include "resource.h" +#include "definitions.h" // scylla wrapper #include "scylla_wrapper.h" @@ -29,6 +29,9 @@ #include "Global.Mapping.h" #include "Global.Engine.Extension.h" #include "Global.Engine.Hash.h" +#include "Global.Realigner.h" +#include "Global.Engine.Hider.h" +#include "Global.Threader.h" #define TE_VER_MAJOR 2 #define TE_VER_MIDDLE 1 @@ -38,8 +41,6 @@ "processorArchitecture='x86' publicKeyToken='6595b64144ccf1df' language='*'\"")*/ // Global.variables: -char* szSharedOverlay = 0; -wchar_t* szSharedOverlayW = 0; STARTUPINFOW dbgStartupInfo = {}; DWORD DBGCode = DBG_CONTINUE; @@ -57,7 +58,7 @@ CONTEXT DBGContext = {}; HANDLE DBGFileHandle; DWORD ProcessExitCode = 0; LPVOID hListProcess = 0; -LPVOID hListThread = 0; + LPVOID hListLibrary = 0; LPVOID expTableData = NULL; LPVOID expTableDataCWP = NULL; @@ -84,7 +85,6 @@ IMAGE_TLS_DIRECTORY64 engineBackupTLSDataX64 = {}; bool enginePassAllExceptions = true; bool engineRemoveConsoleForDebugee = false; -bool engineBackupForCriticalFunctions = true; bool engineResetCustomHandler = true; bool engineExecutePluginCallBack = true; @@ -98,8 +98,6 @@ bool engineAttachedToProcess = false; bool engineProcessIsNowDetached = false; ULONG_PTR engineAttachedProcessCallBack = NULL; LPVOID engineAttachedProcessDebugInfo = NULL; -LPVOID engineExitThreadOneShootCallBack = NULL; -bool engineResumeProcessIfNoThreadIsActive = false; bool engineAutoHideFromDebugger = false; long engineDefaultBreakPointType = UE_BREAKPOINT_INT3; bool engineDebuggingDLL = false; @@ -120,14 +118,6 @@ ULONG_PTR DebugModuleImageBase; LPVOID DebugModuleEntryPointCallBack; LPVOID DebugExeFileEntryPointCallBack; - -LPVOID RelocationData = NULL; -LPVOID RelocationLastPage = NULL; -LPVOID RelocationStartPosition = NULL; -LPVOID RelocationWritePosition = NULL; -ULONG_PTR RelocationOldImageBase; -ULONG_PTR RelocationNewImageBase; - wchar_t szBackupDebuggedFileName[512]; //wchar_t szReserveModuleName[512]; wchar_t szDebuggerName[512]; @@ -172,9033 +162,6 @@ std::vector hookEntry; #define UE_MODULEx86 0x2000; #define UE_MODULEx64 0x2000; -__declspec(dllexport) bool TITCALL PastePEHeader(HANDLE hProcess, LPVOID ImageBase, char* szDebuggedFileName) -{ - - wchar_t uniDebuggedFileName[MAX_PATH] = {}; - - if(szDebuggedFileName != NULL) - { - MultiByteToWideChar(CP_ACP, NULL, szDebuggedFileName, lstrlenA(szDebuggedFileName)+1, uniDebuggedFileName, sizeof(uniDebuggedFileName)/(sizeof(uniDebuggedFileName[0]))); - return(PastePEHeaderW(hProcess, ImageBase, uniDebuggedFileName)); - } - else - { - return(false); - } -} -__declspec(dllexport) bool TITCALL PastePEHeaderW(HANDLE hProcess, LPVOID ImageBase, wchar_t* szDebuggedFileName) -{ - - PIMAGE_DOS_HEADER DOSHeader; - PIMAGE_NT_HEADERS32 PEHeader32; - IMAGE_NT_HEADERS32 RemotePEHeader32; - PIMAGE_NT_HEADERS64 PEHeader64; - IMAGE_NT_HEADERS64 RemotePEHeader64; - ULONG_PTR ueNumberOfBytesRead = 0; - DWORD uedNumberOfBytesRead = 0; - DWORD FileSize = 0; - DWORD PEHeaderSize = 0; - ULONG_PTR dwImageBase = (ULONG_PTR)ImageBase; - BOOL FileIs64 = false; - HANDLE hFile = 0; - SIZE_T CalculatedHeaderSize = NULL; - LPVOID ueReadBuffer = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); - DWORD OldProtect = PAGE_READWRITE; - - hFile = CreateFileW(szDebuggedFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); - if(hFile != INVALID_HANDLE_VALUE) - { - FileSize = GetFileSize(hFile, NULL); - if(FileSize < 0x1000) - { - if(!ReadFile(hFile, ueReadBuffer, FileSize, &uedNumberOfBytesRead, NULL)) - return false; - } - else - { - if(!ReadFile(hFile, ueReadBuffer, 0x1000, &uedNumberOfBytesRead, NULL)) - return false; - } - if(FileSize > 0x200) - { - DOSHeader = (PIMAGE_DOS_HEADER)ueReadBuffer; - if(EngineValidateHeader((ULONG_PTR)ueReadBuffer, hProcess, ImageBase, DOSHeader, false)) - { - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - CalculatedHeaderSize = DOSHeader->e_lfanew + sizeof IMAGE_DOS_HEADER + sizeof IMAGE_NT_HEADERS64; - if(CalculatedHeaderSize > 0x1000) - { - SetFilePointer(hFile, NULL, NULL, FILE_BEGIN); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); - ueReadBuffer = VirtualAlloc(NULL, CalculatedHeaderSize, MEM_COMMIT, PAGE_READWRITE); - if(!ReadFile(hFile, ueReadBuffer, (DWORD)CalculatedHeaderSize, &uedNumberOfBytesRead, NULL)) - { - EngineCloseHandle(hFile); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); - return(false); - } - } - if(PEHeader32->OptionalHeader.Magic == 0x10B) - { - if(ReadProcessMemory(hProcess, (LPVOID)((ULONG_PTR)ImageBase + DOSHeader->e_lfanew), &RemotePEHeader32, sizeof IMAGE_NT_HEADERS32, &ueNumberOfBytesRead)) - { - PEHeaderSize = PEHeader32->FileHeader.NumberOfSections * IMAGE_SIZEOF_SECTION_HEADER + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4; - FileIs64 = false; - } - } - else if(PEHeader32->OptionalHeader.Magic == 0x20B) - { - if(ReadProcessMemory(hProcess, (LPVOID)((ULONG_PTR)ImageBase + DOSHeader->e_lfanew), &RemotePEHeader64, sizeof IMAGE_NT_HEADERS32, &ueNumberOfBytesRead)) - { - PEHeaderSize = PEHeader64->FileHeader.NumberOfSections * IMAGE_SIZEOF_SECTION_HEADER + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4; - FileIs64 = true; - } - } - else - { - EngineCloseHandle(hFile); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); - return(false); - } - if(!FileIs64) - { - PEHeader32->OptionalHeader.ImageBase = (DWORD)(dwImageBase); - if(VirtualProtectEx(hProcess, ImageBase, PEHeaderSize, PAGE_READWRITE, &OldProtect)) - { - if(WriteProcessMemory(hProcess, ImageBase, ueReadBuffer, PEHeaderSize, &ueNumberOfBytesRead)) - { - EngineCloseHandle(hFile); - VirtualProtectEx(hProcess, ImageBase, PEHeaderSize, OldProtect, &OldProtect); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); - return(true); - } - else - { - EngineCloseHandle(hFile); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); - return(false); - } - } - else - { - EngineCloseHandle(hFile); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); - return(false); - } - } - else - { - PEHeader64->OptionalHeader.ImageBase = dwImageBase; - if(VirtualProtectEx(hProcess, ImageBase, PEHeaderSize, PAGE_READWRITE, &OldProtect)) - { - if(WriteProcessMemory(hProcess, ImageBase, ueReadBuffer, PEHeaderSize, &ueNumberOfBytesRead)) - { - EngineCloseHandle(hFile); - VirtualProtectEx(hProcess, ImageBase, PEHeaderSize, OldProtect, &OldProtect); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); - return(true); - } - else - { - EngineCloseHandle(hFile); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); - return(false); - } - } - else - { - EngineCloseHandle(hFile); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); - return(false); - } - } - } - else - { - EngineCloseHandle(hFile); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); - return(false); - } - } - else - { - EngineCloseHandle(hFile); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); - return(false); - } - } - else - { - EngineCloseHandle(hFile); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); - return(false); - } - return(false); -} -__declspec(dllexport) bool TITCALL ExtractSection(char* szFileName, char* szDumpFileName, DWORD SectionNumber) -{ - - wchar_t uniFileName[MAX_PATH] = {}; - wchar_t uniDumpFileName[MAX_PATH] = {}; - - if(szFileName != NULL && szDumpFileName != NULL) - { - MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); - MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, lstrlenA(szDumpFileName)+1, uniDumpFileName, sizeof(uniDumpFileName)/(sizeof(uniDumpFileName[0]))); - return(ExtractSectionW(uniFileName, uniDumpFileName, SectionNumber)); - } - else - { - return(false); - } -} -__declspec(dllexport) bool TITCALL ExtractSectionW(wchar_t* szFileName, wchar_t* szDumpFileName, DWORD SectionNumber) -{ - - PIMAGE_DOS_HEADER DOSHeader; - PIMAGE_NT_HEADERS32 PEHeader32; - PIMAGE_NT_HEADERS64 PEHeader64; - PIMAGE_SECTION_HEADER PESections; - DWORD NumberOfBytesWritten; - BOOL FileIs64; - HANDLE FileHandle; - DWORD FileSize; - HANDLE FileMap; - ULONG_PTR FileMapVA; - HANDLE hFile; - - if(MapFileExW(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) - { - DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; - if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true)) - { - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - if(PEHeader32->OptionalHeader.Magic == 0x10B) - { - FileIs64 = false; - } - else if(PEHeader32->OptionalHeader.Magic == 0x20B) - { - FileIs64 = true; - } - else - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(false); - } - if(!FileIs64) - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - if(SectionNumber <= PEHeader32->FileHeader.NumberOfSections) - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + SectionNumber * IMAGE_SIZEOF_SECTION_HEADER); - if(EngineCreatePathForFileW(szDumpFileName)) - { - hFile = CreateFileW(szDumpFileName, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); - if(hFile != INVALID_HANDLE_VALUE) - { - __try - { - WriteFile(hFile, (LPCVOID)(FileMapVA + PESections->PointerToRawData), PESections->SizeOfRawData, &NumberOfBytesWritten, NULL); - EngineCloseHandle(hFile); - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(true); - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - EngineCloseHandle(hFile); - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - DeleteFileW(szDumpFileName); - return(false); - } - } - } - } - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(false); - } - else - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - if(SectionNumber <= PEHeader64->FileHeader.NumberOfSections) - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + SectionNumber * IMAGE_SIZEOF_SECTION_HEADER); - if(EngineCreatePathForFileW(szDumpFileName)) - { - hFile = CreateFileW(szDumpFileName, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); - if(hFile != INVALID_HANDLE_VALUE) - { - __try - { - WriteFile(hFile, (LPCVOID)(FileMapVA + PESections->PointerToRawData), PESections->SizeOfRawData, &NumberOfBytesWritten, NULL); - EngineCloseHandle(hFile); - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(true); - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - EngineCloseHandle(hFile); - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - DeleteFileW(szDumpFileName); - return(false); - } - } - } - } - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(false); - } - } - else - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(false); - } - } - return(false); -} -__declspec(dllexport) bool TITCALL ResortFileSections(char* szFileName) -{ - - wchar_t uniFileName[MAX_PATH] = {}; - - if(szFileName != NULL) - { - MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); - return(ResortFileSectionsW(uniFileName)); - } - else - { - return(false); - } -} -__declspec(dllexport) bool TITCALL ResortFileSectionsW(wchar_t* szFileName) -{ - - int i = 0; - int j = 0; - PIMAGE_DOS_HEADER DOSHeader; - PIMAGE_NT_HEADERS32 PEHeader32; - PIMAGE_NT_HEADERS64 PEHeader64; - PIMAGE_SECTION_HEADER PESections; - DWORD SectionNumber = 0; - BOOL FileIs64; - HANDLE FileHandle; - DWORD FileSize; - HANDLE FileMap; - ULONG_PTR FileMapVA; - wchar_t szBackupFile[MAX_PATH] = {}; - wchar_t szBackupItem[MAX_PATH] = {}; - ULONG_PTR fileSectionData[MAXIMUM_SECTION_NUMBER][3]; - ULONG_PTR fileSectionTemp; - LPVOID sortedFileName; - - if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof szBackupItem)) - { - if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof szBackupItem)) - { - RtlZeroMemory(&szBackupItem, sizeof szBackupItem); - lstrcpyW(szBackupFile, szFileName); - } - } - else - { - RtlZeroMemory(&szBackupItem, sizeof szBackupItem); - lstrcpyW(szBackupFile, szFileName); - } - if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) - { - DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; - if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true)) - { - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - if(PEHeader32->OptionalHeader.Magic == 0x10B) - { - FileIs64 = false; - } - else if(PEHeader32->OptionalHeader.Magic == 0x20B) - { - FileIs64 = true; - } - else - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(false); - } - if(!FileIs64) - { - sortedFileName = VirtualAlloc(NULL, FileSize, MEM_COMMIT, PAGE_READWRITE); - __try - { - RtlMoveMemory(sortedFileName, (LPVOID)FileMapVA, FileSize); - SectionNumber = PEHeader32->FileHeader.NumberOfSections; - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - while(SectionNumber > 0) - { - fileSectionData[i][0] = (ULONG_PTR)(PESections->PointerToRawData); - fileSectionData[i][1] = PESections->SizeOfRawData; - fileSectionData[i][2] = PEHeader32->FileHeader.NumberOfSections - SectionNumber; - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); - SectionNumber--; - i++; - } - for(j = 0; j < PEHeader32->FileHeader.NumberOfSections; j++) - { - for(i = 0; i < PEHeader32->FileHeader.NumberOfSections; i++) - { - if(fileSectionData[i][0] > fileSectionData[j][0]) - { - fileSectionTemp = fileSectionData[j][0]; - fileSectionData[j][0] = fileSectionData[i][0]; - fileSectionData[i][0] = fileSectionTemp; - fileSectionTemp = fileSectionData[j][1]; - fileSectionData[j][1] = fileSectionData[i][1]; - fileSectionData[i][1] = fileSectionTemp; - } - } - } - for(i = 0; i < PEHeader32->FileHeader.NumberOfSections; i++) - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 - FileMapVA + (ULONG_PTR)sortedFileName + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + fileSectionData[i][2] * IMAGE_SIZEOF_SECTION_HEADER); - RtlMoveMemory((LPVOID)((ULONG_PTR)sortedFileName + fileSectionData[i][0]), (LPVOID)((ULONG_PTR)FileMapVA + PESections->PointerToRawData), fileSectionData[i][1]); - PESections->PointerToRawData = (DWORD)fileSectionData[i][0]; - PESections->SizeOfRawData = (DWORD)fileSectionData[i][1]; - } - RtlMoveMemory((LPVOID)FileMapVA, sortedFileName, FileSize); - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - VirtualFree(sortedFileName, NULL, MEM_RELEASE); - if(szBackupItem[0] != NULL) - { - if(CopyFileW(szBackupFile, szFileName, false)) - { - RemoveGarbageItem(szBackupItem, true); - return(true); - } - else - { - RemoveGarbageItem(szBackupItem, true); - return(false); - } - } - else - { - return(true); - } - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - VirtualFree(sortedFileName, NULL, MEM_RELEASE); - RemoveGarbageItem(szBackupItem, true); - return(false); - } - } - else - { - sortedFileName = VirtualAlloc(NULL, FileSize, MEM_COMMIT, PAGE_READWRITE); - __try - { - RtlMoveMemory(sortedFileName, (LPVOID)FileMapVA, FileSize); - SectionNumber = PEHeader64->FileHeader.NumberOfSections; - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - while(SectionNumber > 0) - { - fileSectionData[i][0] = (ULONG_PTR)(PESections->PointerToRawData); - fileSectionData[i][1] = PESections->SizeOfRawData; - fileSectionData[i][2] = PEHeader64->FileHeader.NumberOfSections - SectionNumber; - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); - SectionNumber--; - i++; - } - for(j = 0; j < PEHeader64->FileHeader.NumberOfSections; j++) - { - for(i = 0; i < PEHeader64->FileHeader.NumberOfSections; i++) - { - if(fileSectionData[i][0] > fileSectionData[j][0]) - { - fileSectionTemp = fileSectionData[j][0]; - fileSectionData[j][0] = fileSectionData[i][0]; - fileSectionData[i][0] = fileSectionTemp; - fileSectionTemp = fileSectionData[j][1]; - fileSectionData[j][1] = fileSectionData[i][1]; - fileSectionData[i][1] = fileSectionTemp; - } - } - } - for(i = 0; i < PEHeader64->FileHeader.NumberOfSections; i++) - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 - FileMapVA + (ULONG_PTR)sortedFileName + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + fileSectionData[i][2] * IMAGE_SIZEOF_SECTION_HEADER); - RtlMoveMemory((LPVOID)((ULONG_PTR)sortedFileName + fileSectionData[i][0]), (LPVOID)((ULONG_PTR)FileMapVA + PESections->PointerToRawData), fileSectionData[i][1]); - PESections->PointerToRawData = (DWORD)fileSectionData[i][0]; - PESections->SizeOfRawData = (DWORD)fileSectionData[i][1]; - } - RtlMoveMemory((LPVOID)FileMapVA, sortedFileName, FileSize); - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - VirtualFree(sortedFileName, NULL, MEM_RELEASE); - if(szBackupItem[0] != NULL) - { - if(CopyFileW(szBackupFile, szFileName, false)) - { - RemoveGarbageItem(szBackupItem, true); - return(true); - } - else - { - RemoveGarbageItem(szBackupItem, true); - return(false); - } - } - else - { - return(true); - } - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - VirtualFree(sortedFileName, NULL, MEM_RELEASE); - RemoveGarbageItem(szBackupItem, true); - return(false); - } - } - } - else - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(false); - } - } - RemoveGarbageItem(szBackupItem, true); - return(false); -} -__declspec(dllexport) bool TITCALL FindOverlay(char* szFileName, LPDWORD OverlayStart, LPDWORD OverlaySize) -{ - - wchar_t uniFileName[MAX_PATH] = {}; - - if(szFileName != NULL) - { - MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); - return(FindOverlayW(uniFileName, OverlayStart, OverlaySize)); - } - else - { - return(false); - } -} -__declspec(dllexport) bool TITCALL FindOverlayW(wchar_t* szFileName, LPDWORD OverlayStart, LPDWORD OverlaySize) -{ - - PIMAGE_DOS_HEADER DOSHeader; - PIMAGE_NT_HEADERS32 PEHeader32; - PIMAGE_NT_HEADERS64 PEHeader64; - PIMAGE_SECTION_HEADER PESections; - DWORD SectionNumber = 0; - DWORD SectionRawOffset = 0; - DWORD SectionRawSize = 0; - BOOL FileIs64; - HANDLE FileHandle; - DWORD FileSize; - HANDLE FileMap; - ULONG_PTR FileMapVA; - - if(MapFileExW(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) - { - DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; - if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true)) - { - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - if(PEHeader32->OptionalHeader.Magic == 0x10B) - { - FileIs64 = false; - } - else if(PEHeader32->OptionalHeader.Magic == 0x20B) - { - FileIs64 = true; - } - else - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(false); - } - if(!FileIs64) - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - SectionNumber = PEHeader32->FileHeader.NumberOfSections; - __try - { - while(SectionNumber > 0) - { - if(PESections->PointerToRawData >= SectionRawOffset) - { - if(PESections->SizeOfRawData != NULL || (SectionRawOffset != PESections->PointerToRawData)) - { - SectionRawSize = PESections->SizeOfRawData; - } - SectionRawOffset = PESections->PointerToRawData; - } - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); - SectionNumber--; - } - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - if(SectionRawOffset + SectionRawSize < FileSize) - { - if(OverlayStart != NULL && OverlaySize != NULL) - { - *OverlayStart = (DWORD)(SectionRawOffset + SectionRawSize); - *OverlaySize = (DWORD)(FileSize - SectionRawOffset - SectionRawSize); - } - return(true); - } - else - { - return(false); - } - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(false); - } - } - else - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - SectionNumber = PEHeader64->FileHeader.NumberOfSections; - __try - { - while(SectionNumber > 0) - { - if(PESections->PointerToRawData >= SectionRawOffset) - { - if(PESections->SizeOfRawData != NULL || (SectionRawOffset != PESections->PointerToRawData)) - { - SectionRawSize = PESections->SizeOfRawData; - } - SectionRawOffset = PESections->PointerToRawData; - } - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); - SectionNumber--; - } - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - if(SectionRawOffset + SectionRawSize < FileSize) - { - if(OverlayStart != NULL && OverlaySize != NULL) - { - *OverlayStart = (DWORD)(SectionRawOffset + SectionRawSize); - *OverlaySize = (DWORD)(FileSize - SectionRawOffset - SectionRawSize); - } - return(true); - } - else - { - return(false); - } - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(false); - } - } - } - else - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(false); - } - } - return(false); -} -__declspec(dllexport) bool TITCALL ExtractOverlay(char* szFileName, char* szExtactedFileName) -{ - - wchar_t uniFileName[MAX_PATH] = {}; - wchar_t uniExtactedFileName[MAX_PATH] = {}; - - if(szFileName != NULL && szExtactedFileName != NULL) - { - MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); - MultiByteToWideChar(CP_ACP, NULL, szExtactedFileName, lstrlenA(szExtactedFileName)+1, uniExtactedFileName, sizeof(uniExtactedFileName)/(sizeof(uniExtactedFileName[0]))); - return(ExtractOverlayW(uniFileName, uniExtactedFileName)); - } - else - { - return(false); - } -} -__declspec(dllexport) bool TITCALL ExtractOverlayW(wchar_t* szFileName, wchar_t* szExtactedFileName) -{ - - HANDLE hFile = 0; - HANDLE hFileWrite = 0; - BOOL Return = false; - DWORD OverlayStart = 0; - DWORD OverlaySize = 0; - DWORD ueNumberOfBytesRead = 0; - LPVOID ueReadBuffer = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); - - Return = FindOverlayW(szFileName, &OverlayStart, &OverlaySize); - if(Return) - { - hFile = CreateFileW(szFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); - if(hFile != INVALID_HANDLE_VALUE) - { - if(EngineCreatePathForFileW(szExtactedFileName)) - { - hFileWrite = CreateFileW(szExtactedFileName, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); - if(hFileWrite != INVALID_HANDLE_VALUE) - { - SetFilePointer(hFile, OverlayStart, NULL, FILE_BEGIN); - while(OverlaySize > 0) - { - RtlZeroMemory(ueReadBuffer, 0x2000); - - if(OverlaySize > 0x1000) - { - if(ReadFile(hFile, ueReadBuffer, 0x1000, &ueNumberOfBytesRead, NULL)) - { - if(!WriteFile(hFileWrite, ueReadBuffer, 0x1000, &ueNumberOfBytesRead, NULL)) - return false; - } - else - { - return false; - } - - OverlaySize = OverlaySize - 0x1000; - } - else - { - if(ReadFile(hFile, ueReadBuffer, OverlaySize, &ueNumberOfBytesRead, NULL)) - { - if(!WriteFile(hFileWrite, ueReadBuffer, OverlaySize, &ueNumberOfBytesRead, NULL)) - return false; - } - else - { - return false; - } - - OverlaySize = 0; - } - } - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); - EngineCloseHandle(hFile); - EngineCloseHandle(hFileWrite); - return(true); - } - else - { - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); - EngineCloseHandle(hFile); - return(false); - } - } - } - } - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); - return(false); -} -__declspec(dllexport) bool TITCALL AddOverlay(char* szFileName, char* szOverlayFileName) -{ - - wchar_t uniFileName[MAX_PATH] = {}; - wchar_t uniOverlayFileName[MAX_PATH] = {}; - - if(szFileName != NULL && szOverlayFileName != NULL) - { - MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); - MultiByteToWideChar(CP_ACP, NULL, szOverlayFileName, lstrlenA(szOverlayFileName)+1, uniOverlayFileName, sizeof(uniOverlayFileName)/(sizeof(uniOverlayFileName[0]))); - return(AddOverlayW(uniFileName, uniOverlayFileName)); - } - else - { - return(false); - } -} -__declspec(dllexport) bool TITCALL AddOverlayW(wchar_t* szFileName, wchar_t* szOverlayFileName) -{ - - HANDLE hFile = 0; - HANDLE hFileRead = 0; - DWORD FileSize = 0; - DWORD OverlaySize = 0; - ULONG_PTR ueNumberOfBytesRead = 0; - DWORD uedNumberOfBytesRead = 0; - LPVOID ueReadBuffer = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); - - hFile = CreateFileW(szFileName, GENERIC_READ+GENERIC_WRITE, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); - if(hFile != INVALID_HANDLE_VALUE) - { - hFileRead = CreateFileW(szOverlayFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); - if(hFileRead != INVALID_HANDLE_VALUE) - { - FileSize = GetFileSize(hFile, NULL); - OverlaySize = GetFileSize(hFileRead, NULL); - SetFilePointer(hFile, FileSize, NULL, FILE_BEGIN); - while(OverlaySize > 0) - { - RtlZeroMemory(ueReadBuffer, 0x2000); - - if(OverlaySize > 0x1000) - { - if(ReadFile(hFileRead, ueReadBuffer, 0x1000, &uedNumberOfBytesRead, NULL)) - { - if(!WriteFile(hFile, ueReadBuffer, 0x1000, &uedNumberOfBytesRead, NULL)) - return false; - } - else - { - return false; - } - - OverlaySize = OverlaySize - 0x1000; - } - else - { - if(ReadFile(hFileRead, ueReadBuffer, OverlaySize, &uedNumberOfBytesRead, NULL)) - { - if(!WriteFile(hFile, ueReadBuffer, OverlaySize, &uedNumberOfBytesRead, NULL)) - return false; - } - else - { - return false; - } - - OverlaySize = 0; - } - } - EngineCloseHandle(hFile); - EngineCloseHandle(hFileRead); - return(true); - } - else - { - EngineCloseHandle(hFile); - return(false); - } - } - return(false); -} -__declspec(dllexport) bool TITCALL CopyOverlay(char* szInFileName, char* szOutFileName) -{ - - wchar_t uniInFileName[MAX_PATH] = {}; - wchar_t uniOutFileName[MAX_PATH] = {}; - - if(szInFileName != NULL && szOutFileName != NULL) - { - MultiByteToWideChar(CP_ACP, NULL, szInFileName, lstrlenA(szInFileName)+1, uniInFileName, sizeof(uniInFileName)/(sizeof(uniInFileName[0]))); - MultiByteToWideChar(CP_ACP, NULL, szOutFileName, lstrlenA(szOutFileName)+1, uniOutFileName, sizeof(uniOutFileName)/(sizeof(uniOutFileName[0]))); - return(CopyOverlayW(uniInFileName, uniOutFileName)); - } - else - { - return(false); - } -} -__declspec(dllexport) bool TITCALL CopyOverlayW(wchar_t* szInFileName, wchar_t* szOutFileName) -{ - - wchar_t szTempName[MAX_PATH] = {}; - wchar_t szTempFolder[MAX_PATH] = {}; - - if(GetTempPathW(MAX_PATH, szTempFolder) < MAX_PATH) - { - if(GetTempFileNameW(szTempFolder, L"OverlayTemp", GetTickCount() + 101, szTempName)) - { - if(ExtractOverlayW(szInFileName, szTempName)) - { - AddOverlayW(szOutFileName, szTempName); - DeleteFileW(szTempName); - return(true); - } - } - } - return(false); -} -__declspec(dllexport) bool TITCALL RemoveOverlay(char* szFileName) -{ - - wchar_t uniFileName[MAX_PATH] = {}; - - if(szFileName != NULL) - { - MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); - return(RemoveOverlayW(uniFileName)); - } - else - { - return(false); - } -} -__declspec(dllexport) bool TITCALL RemoveOverlayW(wchar_t* szFileName) -{ - - HANDLE FileHandle; - DWORD FileSize; - HANDLE FileMap; - ULONG_PTR FileMapVA; - DWORD OverlayStart = 0; - DWORD OverlaySize = 0; - - if(FindOverlayW(szFileName, &OverlayStart, &OverlaySize)) - { - if(MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) - { - FileSize = FileSize - OverlaySize; - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(true); - } - } - return(false); -} -__declspec(dllexport) bool TITCALL MakeAllSectionsRWE(char* szFileName) -{ - - wchar_t uniFileName[MAX_PATH] = {}; - - if(szFileName != NULL) - { - MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); - return(MakeAllSectionsRWEW(uniFileName)); - } - else - { - return(false); - } -} -__declspec(dllexport) bool TITCALL MakeAllSectionsRWEW(wchar_t* szFileName) -{ - - wchar_t szBackupFile[MAX_PATH] = {}; - wchar_t szBackupItem[MAX_PATH] = {}; - PIMAGE_DOS_HEADER DOSHeader; - PIMAGE_NT_HEADERS32 PEHeader32; - PIMAGE_NT_HEADERS64 PEHeader64; - PIMAGE_SECTION_HEADER PESections; - DWORD SectionNumber = 0; - BOOL FileIs64; - HANDLE FileHandle; - DWORD FileSize; - HANDLE FileMap; - ULONG_PTR FileMapVA; - - if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof szBackupItem)) - { - if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof szBackupItem)) - { - RtlZeroMemory(&szBackupItem, sizeof szBackupItem); - lstrcpyW(szBackupFile, szFileName); - } - } - else - { - RtlZeroMemory(&szBackupItem, sizeof szBackupItem); - lstrcpyW(szBackupFile, szFileName); - } - if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) - { - DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; - if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true)) - { - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - if(PEHeader32->OptionalHeader.Magic == 0x10B) - { - FileIs64 = false; - } - else if(PEHeader32->OptionalHeader.Magic == 0x20B) - { - FileIs64 = true; - } - else - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(false); - } - if(!FileIs64) - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - SectionNumber = PEHeader32->FileHeader.NumberOfSections; - __try - { - while(SectionNumber > 0) - { - PESections->Characteristics = 0xE0000020; - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); - SectionNumber--; - } - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - if(szBackupItem[0] != NULL) - { - if(CopyFileW(szBackupFile, szFileName, false)) - { - RemoveGarbageItem(szBackupItem, true); - return(true); - } - else - { - RemoveGarbageItem(szBackupItem, true); - return(false); - } - } - else - { - return(true); - } - return(true); - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(false); - } - } - else - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - SectionNumber = PEHeader64->FileHeader.NumberOfSections; - __try - { - while(SectionNumber > 0) - { - PESections->Characteristics = 0xE0000020; - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); - SectionNumber--; - } - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - if(szBackupItem[0] != NULL) - { - if(CopyFileW(szBackupFile, szFileName, false)) - { - RemoveGarbageItem(szBackupItem, true); - return(true); - } - else - { - RemoveGarbageItem(szBackupItem, true); - return(false); - } - } - else - { - return(true); - } - return(true); - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(false); - } - } - } - else - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(false); - } - } - RemoveGarbageItem(szBackupItem, true); - return(false); -} -__declspec(dllexport) long TITCALL AddNewSectionEx(char* szFileName, char* szSectionName, DWORD SectionSize, DWORD SectionAttributes, LPVOID SectionContent, DWORD ContentSize) -{ - - wchar_t uniFileName[MAX_PATH] = {}; - - if(szFileName != NULL) - { - MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); - return(AddNewSectionExW(uniFileName, szSectionName, SectionSize, SectionAttributes, SectionContent, ContentSize)); - } - else - { - return(NULL); - } -} -__declspec(dllexport) long TITCALL AddNewSectionExW(wchar_t* szFileName, char* szSectionName, DWORD SectionSize, DWORD SectionAttributes, LPVOID SectionContent, DWORD ContentSize) -{ - - bool OverlayHasBeenRemoved = false; - wchar_t szBackupOverlayFile[MAX_PATH] = {}; - wchar_t szBackupFile[MAX_PATH] = {}; - wchar_t szBackupItem[MAX_PATH] = {}; - PIMAGE_DOS_HEADER DOSHeader; - PIMAGE_NT_HEADERS32 PEHeader32; - PIMAGE_NT_HEADERS64 PEHeader64; - PIMAGE_SECTION_HEADER PESections; - DWORD SectionNameLength = 0; - DWORD NewSectionVirtualOffset = 0; - DWORD FileResizeValue = 0; - DWORD LastSectionRawSize = 0; - DWORD alignedSectionSize = 0; - DWORD NtSizeOfImage = 0; - DWORD SectionNumber = 0; - DWORD SpaceLeft = 0; - LPVOID NameOffset; - BOOL FileIs64; - HANDLE FileHandle; - DWORD FileSize; - DWORD OldFileSize = 0; - HANDLE FileMap; - ULONG_PTR FileMapVA; - - if(ContentSize < SectionSize && ContentSize != 0) - { - ContentSize = SectionSize; - } - else if(ContentSize > SectionSize) - { - SectionSize = ContentSize; - } - - if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof szBackupItem)) - { - if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof szBackupItem)) - { - RtlZeroMemory(&szBackupItem, sizeof szBackupItem); - lstrcpyW(szBackupFile, szFileName); - } - if(FindOverlayW(szBackupFile, NULL, NULL)) - { - if(!FillGarbageItem(szBackupItem, NULL, &szBackupOverlayFile, sizeof szBackupItem)) - { - RtlZeroMemory(&szBackupOverlayFile, sizeof szBackupOverlayFile); - } - else - { - if(ExtractOverlayW(szBackupFile, szBackupOverlayFile) && RemoveOverlayW(szBackupFile)) - { - OverlayHasBeenRemoved = true; - } - } - } - } - else - { - RtlZeroMemory(&szBackupItem, sizeof szBackupItem); - lstrcpyW(szBackupFile, szFileName); - } - if(MapFileExW(szBackupFile, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) - { - OldFileSize = FileSize; - DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; - if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true)) - { - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - if(PEHeader32->OptionalHeader.Magic == 0x10B) - { - FileIs64 = false; - } - else if(PEHeader32->OptionalHeader.Magic == 0x20B) - { - FileIs64 = true; - } - else - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(0); - } - if(!FileIs64) - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - SectionNumber = PEHeader32->FileHeader.NumberOfSections; - __try - { - alignedSectionSize = ((DWORD)SectionSize / PEHeader32->OptionalHeader.FileAlignment) * PEHeader32->OptionalHeader.FileAlignment; - if(alignedSectionSize < SectionSize) - { - SectionSize = alignedSectionSize + PEHeader32->OptionalHeader.FileAlignment; - } - else - { - SectionSize = alignedSectionSize; - } - SpaceLeft = PESections->PointerToRawData - (SectionNumber * IMAGE_SIZEOF_SECTION_HEADER) - DOSHeader->e_lfanew - sizeof IMAGE_NT_HEADERS32; - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + (SectionNumber - 1) * IMAGE_SIZEOF_SECTION_HEADER); - LastSectionRawSize = (PESections->SizeOfRawData / PEHeader32->OptionalHeader.FileAlignment) * PEHeader32->OptionalHeader.FileAlignment; - if(LastSectionRawSize < PESections->SizeOfRawData) - { - LastSectionRawSize = LastSectionRawSize + PEHeader32->OptionalHeader.FileAlignment; - } - LastSectionRawSize = LastSectionRawSize - PESections->SizeOfRawData; - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - FileResizeValue = LastSectionRawSize + SectionSize; - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(0); - } - } - else - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - SectionNumber = PEHeader64->FileHeader.NumberOfSections; - __try - { - alignedSectionSize = ((DWORD)SectionSize / PEHeader64->OptionalHeader.FileAlignment) * PEHeader64->OptionalHeader.FileAlignment; - if(alignedSectionSize < SectionSize) - { - SectionSize = alignedSectionSize + PEHeader64->OptionalHeader.FileAlignment; - } - else - { - SectionSize = alignedSectionSize; - } - SpaceLeft = PESections->PointerToRawData - (SectionNumber * IMAGE_SIZEOF_SECTION_HEADER) - DOSHeader->e_lfanew - sizeof IMAGE_NT_HEADERS64; - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + (SectionNumber - 1) * IMAGE_SIZEOF_SECTION_HEADER); - LastSectionRawSize = (PESections->SizeOfRawData / PEHeader64->OptionalHeader.FileAlignment) * PEHeader64->OptionalHeader.FileAlignment; - if(LastSectionRawSize < PESections->SizeOfRawData) - { - LastSectionRawSize = LastSectionRawSize + PEHeader64->OptionalHeader.FileAlignment; - } - LastSectionRawSize = LastSectionRawSize - PESections->SizeOfRawData; - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - FileResizeValue = LastSectionRawSize + SectionSize; - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(0); - } - } - } - else - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(0); - } - } - if(SpaceLeft > IMAGE_SIZEOF_SECTION_HEADER) - { - if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, FileResizeValue)) - { - DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; - if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true)) - { - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - if(PEHeader32->OptionalHeader.Magic == 0x10B) - { - FileIs64 = false; - } - else if(PEHeader32->OptionalHeader.Magic == 0x20B) - { - FileIs64 = true; - } - else - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(0); - } - if(!FileIs64) - { - __try - { - if(SectionSize == 0) - { - SectionSize = PEHeader32->OptionalHeader.FileAlignment; - } - alignedSectionSize = ((DWORD)SectionSize / PEHeader32->OptionalHeader.SectionAlignment) * PEHeader32->OptionalHeader.SectionAlignment; - if(alignedSectionSize < SectionSize) - { - alignedSectionSize = alignedSectionSize + PEHeader32->OptionalHeader.SectionAlignment; - } - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - SectionNumber = PEHeader32->FileHeader.NumberOfSections; - PEHeader32->FileHeader.NumberOfSections = PEHeader32->FileHeader.NumberOfSections + 1; - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + (SectionNumber - 1)* IMAGE_SIZEOF_SECTION_HEADER); - NewSectionVirtualOffset = PESections->VirtualAddress + (PESections->Misc.VirtualSize / PEHeader32->OptionalHeader.SectionAlignment) * PEHeader32->OptionalHeader.SectionAlignment; - if(NewSectionVirtualOffset < PESections->VirtualAddress + PESections->Misc.VirtualSize) - { - NewSectionVirtualOffset = NewSectionVirtualOffset + PEHeader32->OptionalHeader.SectionAlignment; - } - PESections->SizeOfRawData = PESections->SizeOfRawData + LastSectionRawSize; - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); - PEHeader32->OptionalHeader.SizeOfImage = NewSectionVirtualOffset + alignedSectionSize; - NameOffset = &PESections->Name; - if(lstrlenA(szSectionName) >= 8) - { - SectionNameLength = 8; - } - else - { - SectionNameLength = lstrlenA(szSectionName); - } - RtlMoveMemory(NameOffset, szSectionName, SectionNameLength); - if(SectionAttributes == 0) - { - PESections->Characteristics = 0xE0000020; - } - else - { - PESections->Characteristics = (DWORD)(SectionAttributes); - } - PESections->Misc.VirtualSize = alignedSectionSize; - PESections->SizeOfRawData = (DWORD)(SectionSize); - PESections->VirtualAddress = NewSectionVirtualOffset; - PESections->PointerToRawData = OldFileSize + LastSectionRawSize; - if(SectionContent != NULL) - { - RtlMoveMemory((LPVOID)(FileMapVA + OldFileSize), SectionContent, ContentSize); - } - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - if(szBackupItem[0] != NULL) - { - if(CopyFileW(szBackupFile, szFileName, false)) - { - if(OverlayHasBeenRemoved && !AddOverlayW(szFileName, szBackupOverlayFile)) - { - RemoveGarbageItem(szBackupItem, true); - return(0); - } - RemoveGarbageItem(szBackupItem, true); - return(NewSectionVirtualOffset); - } - else - { - RemoveGarbageItem(szBackupItem, true); - return(0); - } - } - else - { - return(NewSectionVirtualOffset); - } - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(0); - } - } - else - { - __try - { - if(SectionSize == 0) - { - SectionSize = PEHeader64->OptionalHeader.FileAlignment; - } - alignedSectionSize = ((DWORD)SectionSize / PEHeader64->OptionalHeader.SectionAlignment) * PEHeader64->OptionalHeader.SectionAlignment; - if(alignedSectionSize < SectionSize) - { - alignedSectionSize = alignedSectionSize + PEHeader64->OptionalHeader.SectionAlignment; - } - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - SectionNumber = PEHeader64->FileHeader.NumberOfSections; - PEHeader32->FileHeader.NumberOfSections = PEHeader32->FileHeader.NumberOfSections + 1; - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + (SectionNumber - 1)* IMAGE_SIZEOF_SECTION_HEADER); - NewSectionVirtualOffset = PESections->VirtualAddress + (PESections->Misc.VirtualSize / PEHeader64->OptionalHeader.SectionAlignment) * PEHeader64->OptionalHeader.SectionAlignment; - if(NewSectionVirtualOffset < PESections->VirtualAddress + PESections->Misc.VirtualSize) - { - NewSectionVirtualOffset = NewSectionVirtualOffset + PEHeader64->OptionalHeader.SectionAlignment; - } - PESections->SizeOfRawData = PESections->SizeOfRawData + LastSectionRawSize; - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); - PEHeader64->OptionalHeader.SizeOfImage = NewSectionVirtualOffset + alignedSectionSize; - NameOffset = &PESections->Name; - if(lstrlenA(szSectionName) >= 8) - { - SectionNameLength = 8; - } - else - { - SectionNameLength = lstrlenA(szSectionName); - } - RtlMoveMemory(NameOffset, szSectionName, SectionNameLength); - if(SectionAttributes == 0) - { - PESections->Characteristics = 0xE0000020; - } - else - { - PESections->Characteristics = (DWORD)(SectionAttributes); - } - PESections->Misc.VirtualSize = alignedSectionSize; - PESections->SizeOfRawData = (DWORD)(SectionSize); - PESections->VirtualAddress = NewSectionVirtualOffset; - PESections->PointerToRawData = OldFileSize + LastSectionRawSize; - if(SectionContent != NULL) - { - RtlMoveMemory((LPVOID)(FileMapVA + OldFileSize), SectionContent, ContentSize); - } - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - if(szBackupItem[0] != NULL) - { - if(CopyFileW(szBackupFile, szFileName, false)) - { - if(OverlayHasBeenRemoved && !AddOverlayW(szFileName, szBackupOverlayFile)) - { - RemoveGarbageItem(szBackupItem, true); - return(0); - } - RemoveGarbageItem(szBackupItem, true); - return(NewSectionVirtualOffset); - } - else - { - RemoveGarbageItem(szBackupItem, true); - return(0); - } - } - else - { - return(NewSectionVirtualOffset); - } - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(0); - } - } - } - else - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(0); - } - } - } - RemoveGarbageItem(szBackupItem, true); - return(0); -} -__declspec(dllexport) long TITCALL AddNewSection(char* szFileName, char* szSectionName, DWORD SectionSize) -{ - return(AddNewSectionEx(szFileName, szSectionName, SectionSize, NULL, NULL, NULL)); -} -__declspec(dllexport) long TITCALL AddNewSectionW(wchar_t* szFileName, char* szSectionName, DWORD SectionSize) -{ - return(AddNewSectionExW(szFileName, szSectionName, SectionSize, NULL, NULL, NULL)); -} -__declspec(dllexport) bool TITCALL ResizeLastSection(char* szFileName, DWORD NumberOfExpandBytes, bool AlignResizeData) -{ - - wchar_t uniFileName[MAX_PATH] = {}; - - if(szFileName != NULL) - { - MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); - return(ResizeLastSectionW(uniFileName, NumberOfExpandBytes, AlignResizeData)); - } - else - { - return(false); - } -} -__declspec(dllexport) bool TITCALL ResizeLastSectionW(wchar_t* szFileName, DWORD NumberOfExpandBytes, bool AlignResizeData) -{ - - wchar_t szBackupFile[MAX_PATH] = {}; - wchar_t szBackupItem[MAX_PATH] = {}; - PIMAGE_DOS_HEADER DOSHeader; - PIMAGE_NT_HEADERS32 PEHeader32; - PIMAGE_NT_HEADERS64 PEHeader64; - PIMAGE_SECTION_HEADER PESections; - DWORD SectionNumber = 0; - DWORD SectionRawSize = 0; - BOOL FileIs64; - HANDLE FileHandle; - DWORD FileSize; - HANDLE FileMap; - ULONG_PTR FileMapVA; - - if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof szBackupItem)) - { - if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof szBackupItem)) - { - RtlZeroMemory(&szBackupItem, sizeof szBackupItem); - lstrcpyW(szBackupFile, szFileName); - } - } - else - { - RtlZeroMemory(&szBackupItem, sizeof szBackupItem); - lstrcpyW(szBackupFile, szFileName); - } - if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NumberOfExpandBytes)) - { - DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; - if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true)) - { - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - if(PEHeader32->OptionalHeader.Magic == 0x10B) - { - FileIs64 = false; - } - else if(PEHeader32->OptionalHeader.Magic == 0x20B) - { - FileIs64 = true; - } - else - { - FileSize = FileSize - NumberOfExpandBytes; - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(false); - } - if(!FileIs64) - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - SectionNumber = PEHeader32->FileHeader.NumberOfSections; - SectionNumber--; - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + SectionNumber * IMAGE_SIZEOF_SECTION_HEADER); - __try - { - if(AlignResizeData) - { - SectionRawSize = PESections->SizeOfRawData; - if((PESections->SizeOfRawData + NumberOfExpandBytes) % PEHeader32->OptionalHeader.FileAlignment == NULL) - { - PESections->SizeOfRawData = (((PESections->SizeOfRawData + NumberOfExpandBytes) / PEHeader32->OptionalHeader.FileAlignment)) * PEHeader32->OptionalHeader.FileAlignment; - } - else - { - PESections->SizeOfRawData = (((PESections->SizeOfRawData + NumberOfExpandBytes) / PEHeader32->OptionalHeader.FileAlignment) + 1) * PEHeader32->OptionalHeader.FileAlignment; - } - if(SectionRawSize > 0x7FFFFFFF) - { - SectionRawSize = NULL; - } - SectionRawSize = PESections->SizeOfRawData - SectionRawSize - NumberOfExpandBytes; - PEHeader32->OptionalHeader.SizeOfImage = PEHeader32->OptionalHeader.SizeOfImage - PESections->Misc.VirtualSize; - if((PESections->Misc.VirtualSize + NumberOfExpandBytes + SectionRawSize) % PEHeader32->OptionalHeader.SectionAlignment == NULL) - { - PESections->Misc.VirtualSize = (((PESections->Misc.VirtualSize + NumberOfExpandBytes + SectionRawSize) / PEHeader32->OptionalHeader.SectionAlignment)) * PEHeader32->OptionalHeader.SectionAlignment; - } - else - { - PESections->Misc.VirtualSize = (((PESections->Misc.VirtualSize + NumberOfExpandBytes + SectionRawSize) / PEHeader32->OptionalHeader.SectionAlignment) + 1) * PEHeader32->OptionalHeader.SectionAlignment; - } - PEHeader32->OptionalHeader.SizeOfImage = PEHeader32->OptionalHeader.SizeOfImage + PESections->Misc.VirtualSize; - if(SectionRawSize > NULL) - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, SectionRawSize); - } - } - else - { - PESections->SizeOfRawData = PESections->SizeOfRawData + NumberOfExpandBytes; - } - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - if(szBackupItem[0] != NULL) - { - RemoveGarbageItem(szBackupItem, true); - if(CopyFileW(szBackupFile, szFileName, false)) - { - return(true); - } - else - { - return(false); - } - } - else - { - return(true); - } - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(false); - } - } - else - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - SectionNumber = PEHeader64->FileHeader.NumberOfSections; - SectionNumber--; - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + SectionNumber * IMAGE_SIZEOF_SECTION_HEADER); - __try - { - if(AlignResizeData) - { - SectionRawSize = PESections->SizeOfRawData; - if((PESections->SizeOfRawData + NumberOfExpandBytes) % PEHeader64->OptionalHeader.FileAlignment == NULL) - { - PESections->SizeOfRawData = (((PESections->SizeOfRawData + NumberOfExpandBytes) / PEHeader64->OptionalHeader.FileAlignment)) * PEHeader64->OptionalHeader.FileAlignment; - } - else - { - PESections->SizeOfRawData = (((PESections->SizeOfRawData + NumberOfExpandBytes) / PEHeader64->OptionalHeader.FileAlignment) + 1) * PEHeader64->OptionalHeader.FileAlignment; - } - if(SectionRawSize > 0x7FFFFFFF) - { - SectionRawSize = NULL; - } - SectionRawSize = PESections->SizeOfRawData - SectionRawSize - NumberOfExpandBytes; - PEHeader64->OptionalHeader.SizeOfImage = PEHeader64->OptionalHeader.SizeOfImage - PESections->Misc.VirtualSize; - if((PESections->Misc.VirtualSize + NumberOfExpandBytes) % PEHeader64->OptionalHeader.SectionAlignment == NULL) - { - PESections->Misc.VirtualSize = (((PESections->Misc.VirtualSize + NumberOfExpandBytes + SectionRawSize) / PEHeader32->OptionalHeader.SectionAlignment)) * PEHeader64->OptionalHeader.SectionAlignment; - } - else - { - PESections->Misc.VirtualSize = (((PESections->Misc.VirtualSize + NumberOfExpandBytes + SectionRawSize) / PEHeader32->OptionalHeader.SectionAlignment) + 1) * PEHeader64->OptionalHeader.SectionAlignment; - } - PEHeader64->OptionalHeader.SizeOfImage = PEHeader64->OptionalHeader.SizeOfImage + PESections->Misc.VirtualSize; - if(SectionRawSize > NULL) - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, SectionRawSize); - } - } - else - { - PESections->SizeOfRawData = PESections->SizeOfRawData + NumberOfExpandBytes; - } - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - if(szBackupItem[0] != NULL) - { - if(CopyFileW(szBackupFile, szFileName, false)) - { - RemoveGarbageItem(szBackupItem, true); - return(true); - } - else - { - RemoveGarbageItem(szBackupItem, true); - return(false); - } - } - else - { - return(true); - } - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(false); - } - } - } - else - { - FileSize = FileSize - NumberOfExpandBytes; - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(false); - } - } - RemoveGarbageItem(szBackupItem, true); - return(false); -} -__declspec(dllexport) void TITCALL SetSharedOverlay(char* szFileName) -{ - szSharedOverlay = szFileName; -} -__declspec(dllexport) void TITCALL SetSharedOverlayW(wchar_t* szFileName) -{ - szSharedOverlayW = szFileName; -} -__declspec(dllexport) char* TITCALL GetSharedOverlay() -{ - return(szSharedOverlay); -} -__declspec(dllexport) wchar_t* TITCALL GetSharedOverlayW() -{ - return(szSharedOverlayW); -} -__declspec(dllexport) bool TITCALL DeleteLastSection(char* szFileName) -{ - - wchar_t uniFileName[MAX_PATH] = {}; - - if(szFileName != NULL) - { - MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); - return(DeleteLastSectionW(uniFileName)); - } - else - { - return(false); - } -} -__declspec(dllexport) bool TITCALL DeleteLastSectionW(wchar_t* szFileName) -{ - - wchar_t szBackupFile[MAX_PATH] = {}; - wchar_t szBackupItem[MAX_PATH] = {}; - PIMAGE_DOS_HEADER DOSHeader; - PIMAGE_NT_HEADERS32 PEHeader32; - PIMAGE_NT_HEADERS64 PEHeader64; - PIMAGE_SECTION_HEADER PESections; - DWORD SectionNumber = 0; - BOOL FileIs64; - HANDLE FileHandle; - DWORD FileSize; - HANDLE FileMap; - ULONG_PTR FileMapVA; - - if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof szBackupItem)) - { - if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof szBackupItem)) - { - RtlZeroMemory(&szBackupItem, sizeof szBackupItem); - lstrcpyW(szBackupFile, szFileName); - } - } - else - { - RtlZeroMemory(&szBackupItem, sizeof szBackupItem); - lstrcpyW(szBackupFile, szFileName); - } - if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) - { - DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; - if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true)) - { - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - if(PEHeader32->OptionalHeader.Magic == 0x10B) - { - FileIs64 = false; - } - else if(PEHeader32->OptionalHeader.Magic == 0x20B) - { - FileIs64 = true; - } - else - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(false); - } - if(!FileIs64) - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - SectionNumber = PEHeader32->FileHeader.NumberOfSections; - __try - { - if(SectionNumber > 1) - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + (SectionNumber - 1) * IMAGE_SIZEOF_SECTION_HEADER); - PEHeader32->OptionalHeader.SizeOfImage = PEHeader32->OptionalHeader.SizeOfImage - PESections->Misc.VirtualSize; - FileSize = PESections->PointerToRawData; - RtlZeroMemory(PESections, IMAGE_SIZEOF_SECTION_HEADER); - PEHeader32->FileHeader.NumberOfSections--; - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - if(szBackupItem[0] != NULL) - { - if(CopyFileW(szBackupFile, szFileName, false)) - { - RemoveGarbageItem(szBackupItem, true); - return(true); - } - else - { - RemoveGarbageItem(szBackupItem, true); - return(false); - } - } - else - { - return(true); - } - } - else - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(false); - } - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(false); - } - } - else - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - SectionNumber = PEHeader64->FileHeader.NumberOfSections; - __try - { - if(SectionNumber > 1) - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + (SectionNumber - 1) * IMAGE_SIZEOF_SECTION_HEADER); - PEHeader64->OptionalHeader.SizeOfImage = PEHeader64->OptionalHeader.SizeOfImage - PESections->Misc.VirtualSize; - FileSize = PESections->PointerToRawData; - RtlZeroMemory(PESections, IMAGE_SIZEOF_SECTION_HEADER); - PEHeader64->FileHeader.NumberOfSections--; - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - if(szBackupItem[0] != NULL) - { - if(CopyFileW(szBackupFile, szFileName, false)) - { - RemoveGarbageItem(szBackupItem, true); - return(true); - } - else - { - RemoveGarbageItem(szBackupItem, true); - return(false); - } - } - else - { - return(true); - } - } - else - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(false); - } - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(false); - } - } - } - else - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(false); - } - } - RemoveGarbageItem(szBackupItem, true); - return(false); -} -__declspec(dllexport) bool TITCALL DeleteLastSectionEx(char* szFileName, DWORD NumberOfSections) -{ - - while(NumberOfSections > 0) - { - DeleteLastSection(szFileName); - NumberOfSections--; - } - return(true); -} -__declspec(dllexport) bool TITCALL DeleteLastSectionExW(wchar_t* szFileName, DWORD NumberOfSections) -{ - - while(NumberOfSections > 0) - { - DeleteLastSectionW(szFileName); - NumberOfSections--; - } - return(true); -} -__declspec(dllexport) long long TITCALL GetPE32DataFromMappedFile(ULONG_PTR FileMapVA, DWORD WhichSection, DWORD WhichData) -{ - - PIMAGE_DOS_HEADER DOSHeader; - PIMAGE_NT_HEADERS32 PEHeader32; - PIMAGE_NT_HEADERS64 PEHeader64; - PIMAGE_SECTION_HEADER PESections; - DWORD SectionNumber = 0; - BOOL FileIs64; - static char sectionName[9] = ""; - - if(FileMapVA != NULL) - { - DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; - if(EngineValidateHeader(FileMapVA, NULL, NULL, DOSHeader, true)) - { - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - if(PEHeader32->OptionalHeader.Magic == 0x10B) - { - FileIs64 = false; - } - else if(PEHeader32->OptionalHeader.Magic == 0x20B) - { - FileIs64 = true; - } - else - { - return(0); - } - if(!FileIs64) - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - SectionNumber = PEHeader32->FileHeader.NumberOfSections; - if(WhichData < UE_SECTIONNAME) - { - if(WhichData == UE_PE_OFFSET) - { - return(DOSHeader->e_lfanew); - } - else if(WhichData == UE_IMAGEBASE) - { - return(PEHeader32->OptionalHeader.ImageBase); - } - else if(WhichData == UE_OEP) - { - return(PEHeader32->OptionalHeader.AddressOfEntryPoint); - } - else if(WhichData == UE_BASEOFCODE) - { - return(PEHeader32->OptionalHeader.BaseOfCode); - } - else if(WhichData == UE_BASEOFDATA) - { - return(PEHeader32->OptionalHeader.BaseOfData); - } - else if(WhichData == UE_SIZEOFIMAGE) - { - return(PEHeader32->OptionalHeader.SizeOfImage); - } - else if(WhichData == UE_SIZEOFHEADERS) - { - return(PEHeader32->OptionalHeader.SizeOfHeaders); - } - else if(WhichData == UE_SIZEOFOPTIONALHEADER) - { - return(PEHeader32->FileHeader.SizeOfOptionalHeader); - } - else if(WhichData == UE_SECTIONALIGNMENT) - { - return(PEHeader32->OptionalHeader.SectionAlignment); - } - else if(WhichData == UE_IMPORTTABLEADDRESS) - { - return(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress); - } - else if(WhichData == UE_IMPORTTABLESIZE) - { - return(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size); - } - else if(WhichData == UE_RESOURCETABLEADDRESS) - { - return(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress); - } - else if(WhichData == UE_RESOURCETABLESIZE) - { - return(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size); - } - else if(WhichData == UE_EXPORTTABLEADDRESS) - { - return(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); - } - else if(WhichData == UE_EXPORTTABLESIZE) - { - return(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size); - } - else if(WhichData == UE_TLSTABLEADDRESS) - { - return(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress); - } - else if(WhichData == UE_TLSTABLESIZE) - { - return(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size); - } - else if(WhichData == UE_RELOCATIONTABLEADDRESS) - { - return(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress); - } - else if(WhichData == UE_RELOCATIONTABLESIZE) - { - return(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size); - } - else if(WhichData == UE_TIMEDATESTAMP) - { - return(PEHeader32->FileHeader.TimeDateStamp); - } - else if(WhichData == UE_SECTIONNUMBER) - { - return(PEHeader32->FileHeader.NumberOfSections); - } - else if(WhichData == UE_CHECKSUM) - { - return(PEHeader32->OptionalHeader.CheckSum); - } - else if(WhichData == UE_SUBSYSTEM) - { - return(PEHeader32->OptionalHeader.Subsystem); - } - else if(WhichData == UE_CHARACTERISTICS) - { - return(PEHeader32->FileHeader.Characteristics); - } - else if(WhichData == UE_NUMBEROFRVAANDSIZES) - { - return(PEHeader32->OptionalHeader.NumberOfRvaAndSizes); - } - else - { - return(0); - } - } - else - { - if(SectionNumber >= WhichSection) - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + WhichSection * IMAGE_SIZEOF_SECTION_HEADER); - if(WhichData == UE_SECTIONNAME) - { - memcpy(sectionName, PESections->Name, 8); - return (long long)sectionName; - } - else if(WhichData == UE_SECTIONVIRTUALOFFSET) - { - return(PESections->VirtualAddress); - } - else if(WhichData == UE_SECTIONVIRTUALSIZE) - { - return(PESections->Misc.VirtualSize); - } - else if(WhichData == UE_SECTIONRAWOFFSET) - { - return(PESections->PointerToRawData); - } - else if(WhichData == UE_SECTIONRAWSIZE) - { - return(PESections->SizeOfRawData); - } - else if(WhichData == UE_SECTIONFLAGS) - { - return(PESections->Characteristics); - } - else - { - return(0); - } - } - } - return(0); - } - else - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - SectionNumber = PEHeader64->FileHeader.NumberOfSections; - if(WhichData < UE_SECTIONNAME) - { - if(WhichData == UE_PE_OFFSET) - { - return(DOSHeader->e_lfanew); - } - else if(WhichData == UE_IMAGEBASE) - { - return(PEHeader64->OptionalHeader.ImageBase); - } - else if(WhichData == UE_OEP) - { - return(PEHeader64->OptionalHeader.AddressOfEntryPoint); - } - else if(WhichData == UE_BASEOFCODE) - { - return(PEHeader64->OptionalHeader.BaseOfCode); - } - /* non-existent in IMAGE_OPTIONAL_HEADER64 - else if(WhichData == UE_BASEOFDATA) - { - return(PEHeader64->OptionalHeader.BaseOfData); - }*/ - else if(WhichData == UE_SIZEOFIMAGE) - { - return(PEHeader64->OptionalHeader.SizeOfImage); - } - else if(WhichData == UE_SIZEOFHEADERS) - { - return(PEHeader64->OptionalHeader.SizeOfHeaders); - } - else if(WhichData == UE_SIZEOFOPTIONALHEADER) - { - return(PEHeader64->FileHeader.SizeOfOptionalHeader); - } - else if(WhichData == UE_SECTIONALIGNMENT) - { - return(PEHeader64->OptionalHeader.SectionAlignment); - } - else if(WhichData == UE_IMPORTTABLEADDRESS) - { - return(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress); - } - else if(WhichData == UE_IMPORTTABLESIZE) - { - return(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size); - } - else if(WhichData == UE_RESOURCETABLEADDRESS) - { - return(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress); - } - else if(WhichData == UE_RESOURCETABLESIZE) - { - return(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size); - } - else if(WhichData == UE_EXPORTTABLEADDRESS) - { - return(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); - } - else if(WhichData == UE_EXPORTTABLESIZE) - { - return(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size); - } - else if(WhichData == UE_TLSTABLEADDRESS) - { - return(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress); - } - else if(WhichData == UE_TLSTABLESIZE) - { - return(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size); - } - else if(WhichData == UE_RELOCATIONTABLEADDRESS) - { - return(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress); - } - else if(WhichData == UE_RELOCATIONTABLESIZE) - { - return(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size); - } - else if(WhichData == UE_TIMEDATESTAMP) - { - return(PEHeader64->FileHeader.TimeDateStamp); - } - else if(WhichData == UE_SECTIONNUMBER) - { - return(PEHeader64->FileHeader.NumberOfSections); - } - else if(WhichData == UE_CHECKSUM) - { - return(PEHeader64->OptionalHeader.CheckSum); - } - else if(WhichData == UE_SUBSYSTEM) - { - return(PEHeader64->OptionalHeader.Subsystem); - } - else if(WhichData == UE_CHARACTERISTICS) - { - return(PEHeader64->FileHeader.Characteristics); - } - else if(WhichData == UE_NUMBEROFRVAANDSIZES) - { - return(PEHeader64->OptionalHeader.NumberOfRvaAndSizes); - } - else - { - return(0); - } - } - else - { - if(SectionNumber >= WhichSection) - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + WhichSection * IMAGE_SIZEOF_SECTION_HEADER); - if(WhichData == UE_SECTIONNAME) - { - return((ULONG_PTR)PESections->Name); - } - else if(WhichData == UE_SECTIONVIRTUALOFFSET) - { - return(PESections->VirtualAddress); - } - else if(WhichData == UE_SECTIONVIRTUALSIZE) - { - return(PESections->Misc.VirtualSize); - } - else if(WhichData == UE_SECTIONRAWOFFSET) - { - return(PESections->PointerToRawData); - } - else if(WhichData == UE_SECTIONRAWSIZE) - { - return(PESections->SizeOfRawData); - } - else if(WhichData == UE_SECTIONFLAGS) - { - return(PESections->Characteristics); - } - else - { - return(0); - } - } - } - return(0); - } - } - else - { - return(0); - } - } - return(0); -} -__declspec(dllexport) long long TITCALL GetPE32Data(char* szFileName, DWORD WhichSection, DWORD WhichData) -{ - - HANDLE FileHandle; - DWORD FileSize; - HANDLE FileMap; - ULONG_PTR FileMapVA; - long long ReturnValue = 0; - - if(MapFileEx(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) - { - ReturnValue = GetPE32DataFromMappedFile(FileMapVA, WhichSection, WhichData); - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(ReturnValue); - } - else - { - return(0); - } -} -__declspec(dllexport) long long TITCALL GetPE32DataW(wchar_t* szFileName, DWORD WhichSection, DWORD WhichData) -{ - - HANDLE FileHandle; - DWORD FileSize; - HANDLE FileMap; - ULONG_PTR FileMapVA; - long long ReturnValue = 0; - - if(MapFileExW(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) - { - ReturnValue = GetPE32DataFromMappedFile(FileMapVA, WhichSection, WhichData); - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(ReturnValue); - } - else - { - return(0); - } -} -__declspec(dllexport) bool TITCALL GetPE32DataFromMappedFileEx(ULONG_PTR FileMapVA, LPVOID DataStorage) -{ - - PIMAGE_DOS_HEADER DOSHeader; - PIMAGE_NT_HEADERS32 PEHeader32; - PIMAGE_NT_HEADERS64 PEHeader64; - BOOL FileIs64; - PPE32Struct PE32Structure = (PPE32Struct)DataStorage; - PPE64Struct PE64Structure = (PPE64Struct)DataStorage; - - if(FileMapVA != NULL) - { - DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; - if(EngineValidateHeader(FileMapVA, NULL, NULL, DOSHeader, true)) - { - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - if(PEHeader32->OptionalHeader.Magic == 0x10B) - { - FileIs64 = false; - } - else if(PEHeader32->OptionalHeader.Magic == 0x20B) - { - FileIs64 = true; - } - else - { - return(false); - } - if(!FileIs64) - { - PE32Structure->PE32Offset = DOSHeader->e_lfanew; - PE32Structure->ImageBase = PEHeader32->OptionalHeader.ImageBase; - PE32Structure->OriginalEntryPoint = PEHeader32->OptionalHeader.AddressOfEntryPoint; - PE32Structure->BaseOfCode = PEHeader32->OptionalHeader.BaseOfCode; - PE32Structure->BaseOfData = PEHeader32->OptionalHeader.BaseOfData; - PE32Structure->NtSizeOfImage = PEHeader32->OptionalHeader.SizeOfImage; - PE32Structure->NtSizeOfHeaders = PEHeader32->OptionalHeader.SizeOfHeaders; - PE32Structure->SizeOfOptionalHeaders = PEHeader32->FileHeader.SizeOfOptionalHeader; - PE32Structure->FileAlignment = PEHeader32->OptionalHeader.FileAlignment; - PE32Structure->SectionAligment = PEHeader32->OptionalHeader.SectionAlignment; - PE32Structure->ImportTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress; - PE32Structure->ImportTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size; - PE32Structure->ResourceTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress; - PE32Structure->ResourceTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size; - PE32Structure->ExportTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; - PE32Structure->ExportTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size; - PE32Structure->TLSTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress; - PE32Structure->TLSTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size; - PE32Structure->RelocationTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress; - PE32Structure->RelocationTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; - PE32Structure->TimeDateStamp = PEHeader32->FileHeader.TimeDateStamp; - PE32Structure->SectionNumber = PEHeader32->FileHeader.NumberOfSections; - PE32Structure->CheckSum = PEHeader32->OptionalHeader.CheckSum; - PE32Structure->SubSystem = PEHeader32->OptionalHeader.Subsystem; - PE32Structure->Characteristics = PEHeader32->FileHeader.Characteristics; - PE32Structure->NumberOfRvaAndSizes = PEHeader32->OptionalHeader.NumberOfRvaAndSizes; - return(true); - } - else - { - PE64Structure->PE64Offset = DOSHeader->e_lfanew; - PE64Structure->ImageBase = PEHeader64->OptionalHeader.ImageBase; - PE64Structure->OriginalEntryPoint = PEHeader64->OptionalHeader.AddressOfEntryPoint; - PE64Structure->BaseOfCode = PEHeader32->OptionalHeader.BaseOfCode; - PE64Structure->BaseOfData = PEHeader32->OptionalHeader.BaseOfData; - PE64Structure->NtSizeOfImage = PEHeader64->OptionalHeader.SizeOfImage; - PE64Structure->NtSizeOfHeaders = PEHeader64->OptionalHeader.SizeOfHeaders; - PE64Structure->SizeOfOptionalHeaders = PEHeader64->FileHeader.SizeOfOptionalHeader; - PE64Structure->FileAlignment = PEHeader64->OptionalHeader.FileAlignment; - PE64Structure->SectionAligment = PEHeader64->OptionalHeader.SectionAlignment; - PE64Structure->ImportTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress; - PE64Structure->ImportTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size; - PE64Structure->ResourceTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress; - PE64Structure->ResourceTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size; - PE64Structure->ExportTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; - PE64Structure->ExportTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size; - PE64Structure->TLSTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress; - PE64Structure->TLSTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size; - PE64Structure->RelocationTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress; - PE64Structure->RelocationTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; - PE64Structure->TimeDateStamp = PEHeader64->FileHeader.TimeDateStamp; - PE64Structure->SectionNumber = PEHeader64->FileHeader.NumberOfSections; - PE64Structure->CheckSum = PEHeader64->OptionalHeader.CheckSum; - PE64Structure->SubSystem = PEHeader64->OptionalHeader.Subsystem; - PE64Structure->Characteristics = PEHeader64->FileHeader.Characteristics; - PE64Structure->NumberOfRvaAndSizes = PEHeader64->OptionalHeader.NumberOfRvaAndSizes; - return(true); - } - } - else - { - return(false); - } - } - return(false); -} -__declspec(dllexport) bool TITCALL GetPE32DataEx(char* szFileName, LPVOID DataStorage) -{ - - HANDLE FileHandle; - DWORD FileSize; - HANDLE FileMap; - ULONG_PTR FileMapVA; - long long ReturnValue = 0; - - if(MapFileEx(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) - { - ReturnValue = GetPE32DataFromMappedFileEx(FileMapVA, DataStorage); - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - if(ReturnValue) - { - return(true); - } - else - { - return(false); - } - } - else - { - return(false); - } -} -__declspec(dllexport) bool TITCALL GetPE32DataExW(wchar_t* szFileName, LPVOID DataStorage) -{ - - HANDLE FileHandle; - DWORD FileSize; - HANDLE FileMap; - ULONG_PTR FileMapVA; - long long ReturnValue = 0; - - if(MapFileExW(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) - { - ReturnValue = GetPE32DataFromMappedFileEx(FileMapVA, DataStorage); - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - if(ReturnValue) - { - return(true); - } - else - { - return(false); - } - } - else - { - return(false); - } -} -__declspec(dllexport) bool TITCALL SetPE32DataForMappedFile(ULONG_PTR FileMapVA, DWORD WhichSection, DWORD WhichData, ULONG_PTR NewDataValue) -{ - - PIMAGE_DOS_HEADER DOSHeader; - PIMAGE_NT_HEADERS32 PEHeader32; - PIMAGE_NT_HEADERS64 PEHeader64; - PIMAGE_SECTION_HEADER PESections; - DWORD SectionNumber = 0; - BOOL FileIs64; - - if(FileMapVA != NULL) - { - DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; - if(EngineValidateHeader(FileMapVA, NULL, NULL, DOSHeader, true)) - { - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - if(PEHeader32->OptionalHeader.Magic == 0x10B) - { - FileIs64 = false; - } - else if(PEHeader32->OptionalHeader.Magic == 0x20B) - { - FileIs64 = true; - } - else - { - return(false); - } - if(!FileIs64) - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - SectionNumber = PEHeader32->FileHeader.NumberOfSections; - __try - { - if(WhichData < UE_SECTIONNAME) - { - if(WhichData == UE_PE_OFFSET) - { - DOSHeader->e_lfanew = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_IMAGEBASE) - { - PEHeader32->OptionalHeader.ImageBase = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_OEP) - { - PEHeader32->OptionalHeader.AddressOfEntryPoint = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_BASEOFCODE) - { - PEHeader32->OptionalHeader.BaseOfCode = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_BASEOFDATA) - { - PEHeader32->OptionalHeader.BaseOfData = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_SIZEOFIMAGE) - { - PEHeader32->OptionalHeader.SizeOfImage = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_SIZEOFHEADERS) - { - PEHeader32->OptionalHeader.SizeOfHeaders = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_SIZEOFOPTIONALHEADER) - { - PEHeader32->FileHeader.SizeOfOptionalHeader = (WORD)NewDataValue; - return(true); - } - else if(WhichData == UE_SECTIONALIGNMENT) - { - PEHeader32->OptionalHeader.SectionAlignment = (WORD)NewDataValue; - return(true); - } - else if(WhichData == UE_IMPORTTABLEADDRESS) - { - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_IMPORTTABLESIZE) - { - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_RESOURCETABLEADDRESS) - { - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_RESOURCETABLESIZE) - { - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_EXPORTTABLEADDRESS) - { - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_EXPORTTABLESIZE) - { - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_TLSTABLEADDRESS) - { - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_TLSTABLESIZE) - { - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_RELOCATIONTABLEADDRESS) - { - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_RELOCATIONTABLESIZE) - { - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_TIMEDATESTAMP) - { - PEHeader32->FileHeader.TimeDateStamp = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_SECTIONNUMBER) - { - PEHeader32->FileHeader.NumberOfSections = (WORD)NewDataValue; - return(true); - } - else if(WhichData == UE_CHECKSUM) - { - PEHeader32->OptionalHeader.CheckSum = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_SUBSYSTEM) - { - PEHeader32->OptionalHeader.Subsystem = (WORD)NewDataValue; - return(true); - } - else if(WhichData == UE_CHARACTERISTICS) - { - PEHeader32->FileHeader.Characteristics = (WORD)NewDataValue; - return(true); - } - else if(WhichData == UE_NUMBEROFRVAANDSIZES) - { - PEHeader32->OptionalHeader.NumberOfRvaAndSizes = (DWORD)NewDataValue; - return(true); - } - else - { - return(false); - } - } - else - { - if(WhichSection <= SectionNumber) - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + WhichSection * IMAGE_SIZEOF_SECTION_HEADER); - if(WhichData == UE_SECTIONNAME) - { - memcpy(PESections->Name, (void*)NewDataValue, 8); - return(true); - } - else if(WhichData == UE_SECTIONVIRTUALOFFSET) - { - PESections->VirtualAddress = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_SECTIONVIRTUALSIZE) - { - PESections->Misc.VirtualSize = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_SECTIONRAWOFFSET) - { - PESections->PointerToRawData = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_SECTIONRAWSIZE) - { - PESections->SizeOfRawData = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_SECTIONFLAGS) - { - PESections->Characteristics = (DWORD)NewDataValue; - return(true); - } - else - { - return(false); - } - } - } - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - return(false); - } - return(false); - } - else - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - SectionNumber = PEHeader64->FileHeader.NumberOfSections; - __try - { - if(WhichData < UE_SECTIONNAME) - { - if(WhichData == UE_PE_OFFSET) - { - DOSHeader->e_lfanew = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_IMAGEBASE) - { - PEHeader64->OptionalHeader.ImageBase = NewDataValue; - return(true); - } - else if(WhichData == UE_OEP) - { - PEHeader64->OptionalHeader.AddressOfEntryPoint = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_BASEOFCODE) - { - PEHeader64->OptionalHeader.BaseOfCode = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_BASEOFDATA) - { - //non-existant in IMAGE_OPTIONAL_HEADER64 - return(false); - } - else if(WhichData == UE_SIZEOFIMAGE) - { - PEHeader64->OptionalHeader.SizeOfImage = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_SIZEOFHEADERS) - { - PEHeader64->OptionalHeader.SizeOfHeaders = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_SIZEOFOPTIONALHEADER) - { - PEHeader64->FileHeader.SizeOfOptionalHeader = (WORD)NewDataValue; - return(true); - } - else if(WhichData == UE_SECTIONALIGNMENT) - { - PEHeader64->OptionalHeader.SectionAlignment = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_IMPORTTABLEADDRESS) - { - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_IMPORTTABLESIZE) - { - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_RESOURCETABLEADDRESS) - { - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_RESOURCETABLESIZE) - { - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_EXPORTTABLEADDRESS) - { - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_EXPORTTABLESIZE) - { - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_TLSTABLEADDRESS) - { - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_TLSTABLESIZE) - { - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_RELOCATIONTABLEADDRESS) - { - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_RELOCATIONTABLESIZE) - { - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_TIMEDATESTAMP) - { - PEHeader64->FileHeader.TimeDateStamp = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_SECTIONNUMBER) - { - PEHeader64->FileHeader.NumberOfSections = (WORD)NewDataValue; - return(true); - } - else if(WhichData == UE_CHECKSUM) - { - PEHeader64->OptionalHeader.CheckSum = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_SUBSYSTEM) - { - PEHeader64->OptionalHeader.Subsystem = (WORD)NewDataValue; - return(true); - } - else if(WhichData == UE_CHARACTERISTICS) - { - PEHeader64->FileHeader.Characteristics = (WORD)NewDataValue; - return(true); - } - else if(WhichData == UE_NUMBEROFRVAANDSIZES) - { - PEHeader64->OptionalHeader.NumberOfRvaAndSizes = (DWORD)NewDataValue; - return(true); - } - else - { - return(0); - } - } - else - { - if(WhichSection <= SectionNumber) - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + WhichSection * IMAGE_SIZEOF_SECTION_HEADER); - if(WhichData == UE_SECTIONNAME) - { - return(false); - } - else if(WhichData == UE_SECTIONVIRTUALOFFSET) - { - PESections->VirtualAddress = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_SECTIONVIRTUALSIZE) - { - PESections->Misc.VirtualSize = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_SECTIONRAWOFFSET) - { - PESections->PointerToRawData = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_SECTIONRAWSIZE) - { - PESections->SizeOfRawData = (DWORD)NewDataValue; - return(true); - } - else if(WhichData == UE_SECTIONFLAGS) - { - PESections->Characteristics = (DWORD)NewDataValue; - return(true); - } - else - { - return(false); - } - } - } - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - return(false); - } - return(false); - } - } - else - { - return(false); - } - } - return(false); -} -__declspec(dllexport) bool TITCALL SetPE32Data(char* szFileName, DWORD WhichSection, DWORD WhichData, ULONG_PTR NewDataValue) -{ - - HANDLE FileHandle; - DWORD FileSize; - HANDLE FileMap; - ULONG_PTR FileMapVA; - long long ReturnValue = 0; - - if(MapFileEx(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) - { - ReturnValue = SetPE32DataForMappedFile(FileMapVA, WhichSection, WhichData, NewDataValue); - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - if(ReturnValue) - { - return(true); - } - else - { - return(false); - } - } - else - { - return(false); - } -} -__declspec(dllexport) bool TITCALL SetPE32DataW(wchar_t* szFileName, DWORD WhichSection, DWORD WhichData, ULONG_PTR NewDataValue) -{ - - HANDLE FileHandle; - DWORD FileSize; - HANDLE FileMap; - ULONG_PTR FileMapVA; - long long ReturnValue = 0; - - if(MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) - { - ReturnValue = SetPE32DataForMappedFile(FileMapVA, WhichSection, WhichData, NewDataValue); - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - if(ReturnValue) - { - return(true); - } - else - { - return(false); - } - } - else - { - return(false); - } -} -__declspec(dllexport) bool TITCALL SetPE32DataForMappedFileEx(ULONG_PTR FileMapVA, LPVOID DataStorage) -{ - - PIMAGE_DOS_HEADER DOSHeader; - PIMAGE_NT_HEADERS32 PEHeader32; - PIMAGE_NT_HEADERS64 PEHeader64; - BOOL FileIs64; - PPE32Struct PE32Structure = (PPE32Struct)DataStorage; - PPE64Struct PE64Structure = (PPE64Struct)DataStorage; - - if(FileMapVA != NULL) - { - DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; - if(EngineValidateHeader(FileMapVA, NULL, NULL, DOSHeader, true)) - { - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - if(PEHeader32->OptionalHeader.Magic == 0x10B) - { - FileIs64 = false; - } - else if(PEHeader32->OptionalHeader.Magic == 0x20B) - { - FileIs64 = true; - } - else - { - return(false); - } - if(!FileIs64) - { - __try - { - DOSHeader->e_lfanew = PE32Structure->PE32Offset; - PEHeader32->OptionalHeader.ImageBase = PE32Structure->ImageBase; - PEHeader32->OptionalHeader.AddressOfEntryPoint = PE32Structure->OriginalEntryPoint; - PEHeader32->OptionalHeader.BaseOfCode = PE32Structure->BaseOfCode; - PEHeader32->OptionalHeader.BaseOfData = PE32Structure->BaseOfData; - PEHeader32->OptionalHeader.SizeOfImage = PE32Structure->NtSizeOfImage; - PEHeader32->OptionalHeader.SizeOfHeaders = PE32Structure->NtSizeOfHeaders; - PEHeader32->FileHeader.SizeOfOptionalHeader = PE32Structure->SizeOfOptionalHeaders; - PEHeader32->OptionalHeader.FileAlignment = PE32Structure->FileAlignment; - PEHeader32->OptionalHeader.SectionAlignment = PE32Structure->SectionAligment; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = PE32Structure->ImportTableAddress; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size = PE32Structure->ImportTableSize; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress = PE32Structure->ResourceTableAddress; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size = PE32Structure->ResourceTableSize; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress = PE32Structure->ExportTableAddress; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size = PE32Structure->ExportTableSize; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = PE32Structure->TLSTableAddress; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = PE32Structure->TLSTableSize; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = PE32Structure->RelocationTableAddress; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = PE32Structure->RelocationTableSize; - PEHeader32->FileHeader.TimeDateStamp = PE32Structure->TimeDateStamp; - PEHeader32->FileHeader.NumberOfSections = PE32Structure->SectionNumber; - PEHeader32->OptionalHeader.CheckSum = PE32Structure->CheckSum; - PEHeader32->OptionalHeader.Subsystem = PE32Structure->SubSystem; - PEHeader32->FileHeader.Characteristics = PE32Structure->Characteristics; - PEHeader32->OptionalHeader.NumberOfRvaAndSizes = PE32Structure->NumberOfRvaAndSizes; - return(true); - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - return(false); - } - } - else - { - __try - { - DOSHeader->e_lfanew = PE64Structure->PE64Offset; - PEHeader64->OptionalHeader.ImageBase = PE64Structure->ImageBase; - PEHeader64->OptionalHeader.AddressOfEntryPoint = PE64Structure->OriginalEntryPoint; - PEHeader64->OptionalHeader.BaseOfCode = PE64Structure->BaseOfCode; - PEHeader64->OptionalHeader.SizeOfImage = PE64Structure->NtSizeOfImage; - PEHeader64->OptionalHeader.SizeOfHeaders = PE64Structure->NtSizeOfHeaders; - PEHeader64->FileHeader.SizeOfOptionalHeader = PE64Structure->SizeOfOptionalHeaders; - PEHeader64->OptionalHeader.FileAlignment = PE64Structure->FileAlignment; - PEHeader64->OptionalHeader.SectionAlignment = PE64Structure->SectionAligment; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = PE64Structure->ImportTableAddress; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size = PE64Structure->ImportTableSize; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress = PE64Structure->ResourceTableAddress; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size = PE64Structure->ResourceTableSize; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress = PE64Structure->ExportTableAddress; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size = PE64Structure->ExportTableSize; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = PE64Structure->TLSTableAddress; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = PE64Structure->TLSTableSize; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = PE64Structure->RelocationTableAddress; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = PE64Structure->RelocationTableSize; - PEHeader64->FileHeader.TimeDateStamp = PE64Structure->TimeDateStamp; - PEHeader64->FileHeader.NumberOfSections = PE64Structure->SectionNumber; - PEHeader64->OptionalHeader.CheckSum = PE64Structure->CheckSum; - PEHeader64->OptionalHeader.Subsystem = PE64Structure->SubSystem; - PEHeader64->FileHeader.Characteristics = PE64Structure->Characteristics; - PEHeader64->OptionalHeader.NumberOfRvaAndSizes = PE64Structure->NumberOfRvaAndSizes; - return(true); - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - return(false); - } - } - } - else - { - return(false); - } - } - return(false); -} -__declspec(dllexport) bool TITCALL SetPE32DataEx(char* szFileName, LPVOID DataStorage) -{ - - HANDLE FileHandle; - DWORD FileSize; - HANDLE FileMap; - ULONG_PTR FileMapVA; - long long ReturnValue = 0; - - if(MapFileEx(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) - { - ReturnValue = SetPE32DataForMappedFileEx(FileMapVA, DataStorage); - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - if(ReturnValue) - { - return(true); - } - else - { - return(false); - } - } - else - { - return(false); - } -} -__declspec(dllexport) bool TITCALL SetPE32DataExW(wchar_t* szFileName, LPVOID DataStorage) -{ - - HANDLE FileHandle; - DWORD FileSize; - HANDLE FileMap; - ULONG_PTR FileMapVA; - long long ReturnValue = 0; - - if(MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) - { - ReturnValue = SetPE32DataForMappedFileEx(FileMapVA, DataStorage); - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - if(ReturnValue) - { - return(true); - } - else - { - return(false); - } - } - else - { - return(false); - } -} - -__declspec(dllexport) long TITCALL GetPE32SectionNumberFromVA(ULONG_PTR FileMapVA, ULONG_PTR AddressToConvert) -{ - - PIMAGE_DOS_HEADER DOSHeader; - PIMAGE_NT_HEADERS32 PEHeader32; - PIMAGE_NT_HEADERS64 PEHeader64; - PIMAGE_SECTION_HEADER PESections; - ULONG_PTR FoundInSection = -1; - DWORD SectionNumber = 0; - DWORD ConvertAddress = 0; - BOOL FileIs64; - - if(FileMapVA != NULL) - { - DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; - if(EngineValidateHeader(FileMapVA, NULL, NULL, DOSHeader, true)) - { - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - if(PEHeader32->OptionalHeader.Magic == 0x10B) - { - FileIs64 = false; - } - else if(PEHeader32->OptionalHeader.Magic == 0x20B) - { - FileIs64 = true; - } - else - { - return(-2); - } - if(!FileIs64) - { - __try - { - ConvertAddress = (DWORD)((DWORD)AddressToConvert - PEHeader32->OptionalHeader.ImageBase); - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - SectionNumber = PEHeader32->FileHeader.NumberOfSections; - while(SectionNumber > 0) - { - if(PESections->VirtualAddress <= ConvertAddress && ConvertAddress < PESections->VirtualAddress + PESections->Misc.VirtualSize) - { - FoundInSection = PEHeader32->FileHeader.NumberOfSections - SectionNumber; - } - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); - SectionNumber--; - } - return((DWORD)FoundInSection); - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - return(-2); - } - } - else - { - __try - { - ConvertAddress = (DWORD)(AddressToConvert - PEHeader64->OptionalHeader.ImageBase); - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - SectionNumber = PEHeader64->FileHeader.NumberOfSections; - while(SectionNumber > 0) - { - if(PESections->VirtualAddress <= ConvertAddress && ConvertAddress < PESections->VirtualAddress + PESections->Misc.VirtualSize) - { - FoundInSection = PEHeader64->FileHeader.NumberOfSections - SectionNumber; - } - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); - SectionNumber--; - } - return((DWORD)FoundInSection); - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - return(-2); - } - } - } - else - { - return(-2); - } - } - return(-2); -} -__declspec(dllexport) long long TITCALL ConvertVAtoFileOffset(ULONG_PTR FileMapVA, ULONG_PTR AddressToConvert, bool ReturnType) -{ - - PIMAGE_DOS_HEADER DOSHeader; - PIMAGE_NT_HEADERS32 PEHeader32; - PIMAGE_NT_HEADERS64 PEHeader64; - PIMAGE_SECTION_HEADER PESections; - DWORD SectionNumber = 0; - ULONG_PTR ConvertedAddress = 0; - ULONG_PTR ConvertAddress = 0; - BOOL FileIs64; - - if(FileMapVA != NULL) - { - DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; - if(EngineValidateHeader(FileMapVA, NULL, NULL, DOSHeader, true)) - { - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - if(PEHeader32->OptionalHeader.Magic == 0x10B) - { - FileIs64 = false; - } - else if(PEHeader32->OptionalHeader.Magic == 0x20B) - { - FileIs64 = true; - } - else - { - return(0); - } - if(!FileIs64) - { - ConvertAddress = (DWORD)((DWORD)AddressToConvert - PEHeader32->OptionalHeader.ImageBase); - if(ConvertAddress < PEHeader32->OptionalHeader.SectionAlignment) - { - ConvertedAddress = ConvertAddress; - } - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - SectionNumber = PEHeader32->FileHeader.NumberOfSections; - __try - { - while(SectionNumber > 0) - { - if(PESections->VirtualAddress <= ConvertAddress && ConvertAddress <= PESections->VirtualAddress + PESections->Misc.VirtualSize) - { - if(ConvertAddress - PESections->VirtualAddress <= PESections->SizeOfRawData) - { - ConvertedAddress = PESections->PointerToRawData + (ConvertAddress - PESections->VirtualAddress); - } - } - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); - SectionNumber--; - } - if(ReturnType) - { - if(ConvertedAddress != NULL) - { - ConvertedAddress = ConvertedAddress + FileMapVA; - } - else if(ConvertAddress == NULL) - { - ConvertedAddress = FileMapVA; - } - } - return(ConvertedAddress); - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - return(0); - } - } - else - { - ConvertAddress = (DWORD)(AddressToConvert - PEHeader64->OptionalHeader.ImageBase); - if(ConvertAddress < PEHeader64->OptionalHeader.SectionAlignment) - { - ConvertedAddress = ConvertAddress; - } - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - SectionNumber = PEHeader64->FileHeader.NumberOfSections; - __try - { - while(SectionNumber > 0) - { - if(PESections->VirtualAddress <= ConvertAddress && ConvertAddress <= PESections->VirtualAddress + PESections->Misc.VirtualSize) - { - if(ConvertAddress - PESections->VirtualAddress <= PESections->SizeOfRawData) - { - ConvertedAddress = PESections->PointerToRawData + (ConvertAddress - PESections->VirtualAddress); - } - } - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); - SectionNumber--; - } - if(ReturnType) - { - if(ConvertedAddress != NULL) - { - ConvertedAddress = ConvertedAddress + FileMapVA; - } - else if(ConvertAddress == NULL) - { - ConvertedAddress = FileMapVA; - } - } - return(ConvertedAddress); - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - return(0); - } - } - } - else - { - return(0); - } - } - return(0); -} -__declspec(dllexport) long long TITCALL ConvertVAtoFileOffsetEx(ULONG_PTR FileMapVA, DWORD FileSize, ULONG_PTR ImageBase, ULONG_PTR AddressToConvert, bool AddressIsRVA, bool ReturnType) -{ - - PIMAGE_DOS_HEADER DOSHeader; - PIMAGE_NT_HEADERS32 PEHeader32; - PIMAGE_NT_HEADERS64 PEHeader64; - PIMAGE_SECTION_HEADER PESections; - DWORD SectionNumber = 0; - ULONG_PTR ConvertedAddress = 0; - ULONG_PTR ConvertAddress = 0; - BOOL FileIs64; - - if(FileMapVA != NULL) - { - DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; - if(EngineValidateHeader(FileMapVA, NULL, NULL, DOSHeader, true)) - { - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - if(PEHeader32->OptionalHeader.Magic == 0x10B) - { - FileIs64 = false; - } - else if(PEHeader32->OptionalHeader.Magic == 0x20B) - { - FileIs64 = true; - } - else - { - return(0); - } - if(!FileIs64) - { - if(!AddressIsRVA) - { - if(ImageBase == NULL) - { - ConvertAddress = (DWORD)((DWORD)AddressToConvert - PEHeader32->OptionalHeader.ImageBase); - } - else - { - ConvertAddress = (DWORD)((DWORD)AddressToConvert - ImageBase); - } - } - else - { - ConvertAddress = (DWORD)AddressToConvert; - } - if(ConvertAddress < PEHeader32->OptionalHeader.SectionAlignment) - { - ConvertedAddress = ConvertAddress; - } - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - SectionNumber = PEHeader32->FileHeader.NumberOfSections; - __try - { - while(SectionNumber > 0) - { - if(PESections->VirtualAddress <= ConvertAddress && ConvertAddress <= PESections->VirtualAddress + PESections->Misc.VirtualSize) - { - if(ConvertAddress - PESections->VirtualAddress <= PESections->SizeOfRawData) - { - ConvertedAddress = PESections->PointerToRawData + (ConvertAddress - PESections->VirtualAddress); - } - } - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); - SectionNumber--; - } - if(ReturnType) - { - if(ConvertedAddress != NULL) - { - ConvertedAddress = ConvertedAddress + FileMapVA; - } - } - if(ReturnType) - { - if(ConvertedAddress >= FileMapVA && ConvertedAddress <= FileMapVA + FileSize) - { - return((ULONG_PTR)ConvertedAddress); - } - else - { - return(NULL); - } - } - else - { - if(ConvertedAddress > NULL && ConvertedAddress <= FileSize) - { - return((ULONG_PTR)ConvertedAddress); - } - else - { - return(NULL); - } - } - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - return(NULL); - } - } - else - { - if(!AddressIsRVA) - { - if(ImageBase == NULL) - { - ConvertAddress = (DWORD)(AddressToConvert - PEHeader64->OptionalHeader.ImageBase); - } - else - { - ConvertAddress = (DWORD)(AddressToConvert - ImageBase); - } - } - else - { - ConvertAddress = (DWORD)AddressToConvert; - } - if(ConvertAddress < PEHeader64->OptionalHeader.SectionAlignment) - { - ConvertedAddress = ConvertAddress; - } - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - SectionNumber = PEHeader64->FileHeader.NumberOfSections; - __try - { - while(SectionNumber > 0) - { - if(PESections->VirtualAddress <= ConvertAddress && ConvertAddress <= PESections->VirtualAddress + PESections->Misc.VirtualSize) - { - if(ConvertAddress - PESections->VirtualAddress <= PESections->SizeOfRawData) - { - ConvertedAddress = PESections->PointerToRawData + (ConvertAddress - PESections->VirtualAddress); - } - } - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); - SectionNumber--; - } - if(ReturnType) - { - if(ConvertedAddress != NULL) - { - ConvertedAddress = ConvertedAddress + FileMapVA; - } - } - if(ReturnType) - { - if(ConvertedAddress >= FileMapVA && ConvertedAddress <= FileMapVA + FileSize) - { - return((ULONG_PTR)ConvertedAddress); - } - else - { - return(NULL); - } - } - else - { - if(ConvertedAddress > NULL && ConvertedAddress <= FileSize) - { - return((ULONG_PTR)ConvertedAddress); - } - else - { - return(NULL); - } - } - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - return(NULL); - } - } - } - else - { - return(0); - } - } - return(0); -} -__declspec(dllexport) long long TITCALL ConvertFileOffsetToVA(ULONG_PTR FileMapVA, ULONG_PTR AddressToConvert, bool ReturnType) -{ - - PIMAGE_DOS_HEADER DOSHeader; - PIMAGE_NT_HEADERS32 PEHeader32; - PIMAGE_NT_HEADERS64 PEHeader64; - PIMAGE_SECTION_HEADER PESections; - DWORD SectionNumber = 0; - ULONG_PTR ConvertedAddress = 0; - ULONG_PTR ConvertAddress = 0; - BOOL FileIs64; - - if(FileMapVA != NULL) - { - DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; - if(EngineValidateHeader(FileMapVA, NULL, NULL, DOSHeader, true)) - { - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - if(PEHeader32->OptionalHeader.Magic == 0x10B) - { - FileIs64 = false; - } - else if(PEHeader32->OptionalHeader.Magic == 0x20B) - { - FileIs64 = true; - } - else - { - return(0); - } - if(!FileIs64) - { - ConvertAddress = (DWORD)((DWORD)AddressToConvert - FileMapVA); - if(ConvertAddress < PEHeader32->OptionalHeader.FileAlignment) - { - ConvertedAddress = ConvertAddress; - } - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - SectionNumber = PEHeader32->FileHeader.NumberOfSections; - __try - { - while(SectionNumber > 0) - { - if(PESections->PointerToRawData <= ConvertAddress && ConvertAddress <= PESections->PointerToRawData + PESections->SizeOfRawData) - { - ConvertedAddress = PESections->VirtualAddress + (ConvertAddress - PESections->PointerToRawData); - } - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); - SectionNumber--; - } - if(ReturnType) - { - if(ConvertedAddress != NULL) - { - ConvertedAddress = ConvertedAddress + PEHeader32->OptionalHeader.ImageBase; - } - } - else if(ConvertAddress == NULL) - { - ConvertedAddress = PEHeader32->OptionalHeader.ImageBase; - } - return(ConvertedAddress); - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - return(0); - } - } - else - { - ConvertAddress = (DWORD)(AddressToConvert - FileMapVA); - if(ConvertAddress < PEHeader64->OptionalHeader.FileAlignment) - { - ConvertedAddress = ConvertAddress; - } - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - SectionNumber = PEHeader64->FileHeader.NumberOfSections; - __try - { - while(SectionNumber > 0) - { - if(PESections->PointerToRawData <= ConvertAddress && ConvertAddress <= PESections->PointerToRawData + PESections->SizeOfRawData) - { - ConvertedAddress = PESections->VirtualAddress + (ConvertAddress - PESections->PointerToRawData); - } - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); - SectionNumber--; - } - if(ReturnType) - { - if(ConvertedAddress != NULL) - { - ConvertedAddress = ConvertedAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase; - } - } - else if(ConvertAddress == NULL) - { - ConvertedAddress = (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase; - } - return(ConvertedAddress); - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - return(0); - } - } - } - else - { - return(0); - } - } - return(0); -} -__declspec(dllexport) long long TITCALL ConvertFileOffsetToVAEx(ULONG_PTR FileMapVA, DWORD FileSize, ULONG_PTR ImageBase, ULONG_PTR AddressToConvert, bool ReturnType) -{ - - ULONG_PTR ConvertedAddress = NULL; - DWORD cnvSectionAlignment = NULL; - ULONG_PTR cnvImageBase = NULL; - DWORD cnvSizeOfImage = NULL; - - if(FileMapVA != NULL) - { - if(ImageBase == NULL) - { - cnvImageBase = (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_IMAGEBASE); - } - else - { - cnvImageBase = ImageBase; - } - cnvSizeOfImage = (DWORD)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_SIZEOFIMAGE); - cnvSectionAlignment = (DWORD)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_SECTIONALIGNMENT); - ConvertedAddress = (ULONG_PTR)ConvertFileOffsetToVA(FileMapVA, AddressToConvert, ReturnType); - if(ReturnType) - { - if(ConvertedAddress >= cnvImageBase + cnvSectionAlignment && ConvertedAddress <= cnvImageBase + cnvSizeOfImage) - { - return((ULONG_PTR)ConvertedAddress); - } - else - { - return(NULL); - } - } - else - { - if(ConvertedAddress >= cnvSectionAlignment && ConvertedAddress <= cnvSizeOfImage) - { - return((ULONG_PTR)ConvertedAddress); - } - else - { - return(NULL); - } - } - } - return(NULL); -} -// Global.Realigner.functions: -void SetOverallFileStatus(PFILE_STATUS_INFO myFileInfo, BYTE FiledStatus, bool FiledCritical) -{ - - if(myFileInfo->OveralEvaluation == UE_RESULT_FILE_OK || myFileInfo->OveralEvaluation == UE_RESULT_FILE_INVALID_BUT_FIXABLE) - { - if(FiledStatus == UE_FIELD_FIXABLE_CRITICAL || FiledStatus == UE_FIELD_BROKEN_FIXABLE_FOR_STATIC_USE || FiledStatus == UE_FIELD_BROKEN_BUT_CAN_BE_EMULATED) - { - myFileInfo->OveralEvaluation = UE_RESULT_FILE_INVALID_BUT_FIXABLE; - } - else if(FiledStatus == UE_FIELD_BROKEN_NON_FIXABLE && FiledCritical == true) - { - myFileInfo->OveralEvaluation = UE_RESULT_FILE_INVALID_AND_NON_FIXABLE; - } - else if(FiledStatus == UE_FIELD_BROKEN_FIXABLE_FOR_STATIC_USE) - { - myFileInfo->OveralEvaluation = UE_RESULT_FILE_INVALID_BUT_FIXABLE; - } - } -} -// TitanEngine.Realigner.functions: -__declspec(dllexport) bool TITCALL FixHeaderCheckSum(char* szFileName) -{ - - DWORD HeaderSum = NULL; - DWORD CheckSum = NULL; - - if(MapFileAndCheckSumA(szFileName, &HeaderSum, &CheckSum) == NULL) - { - SetPE32Data(szFileName, NULL, UE_CHECKSUM, (ULONG_PTR)CheckSum); - return(true); - } - else - { - return(false); - } -} -__declspec(dllexport) bool TITCALL FixHeaderCheckSumW(wchar_t* szFileName) -{ - - DWORD HeaderSum = NULL; - DWORD CheckSum = NULL; - - if(MapFileAndCheckSumW(szFileName, &HeaderSum, &CheckSum) == NULL) - { - SetPE32DataW(szFileName, NULL, UE_CHECKSUM, (ULONG_PTR)CheckSum); - return(true); - } - else - { - return(false); - } -} -__declspec(dllexport) long TITCALL RealignPE(ULONG_PTR FileMapVA, DWORD FileSize, DWORD RealingMode) -{ - - PIMAGE_DOS_HEADER DOSHeader; - PIMAGE_NT_HEADERS32 PEHeader32; - PIMAGE_NT_HEADERS64 PEHeader64; - PIMAGE_SECTION_HEADER PESections; - DWORD NewVirtualSectionSize = 0; - DWORD NewSectionRawPointer = 0; - DWORD OldSectionDataRawPtr = 0; - DWORD OldSectionDataPtr = 0; - DWORD SectionDataPtr = 0; - DWORD SectionNumber = 0; - DWORD CurrentSection = 0; - DWORD FileAlignment = 0; - BOOL FileIs64; - - if(FileMapVA != NULL) - { - DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; - if(EngineValidateHeader(FileMapVA, NULL, NULL, DOSHeader, true)) - { - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - if(PEHeader32->OptionalHeader.Magic == 0x10B) - { - FileIs64 = false; - } - else if(PEHeader32->OptionalHeader.Magic == 0x20B) - { - FileIs64 = true; - } - else - { - return(-1); - } - if(!FileIs64) - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - SectionNumber = PEHeader32->FileHeader.NumberOfSections; - FileAlignment = PEHeader32->OptionalHeader.FileAlignment; - if(FileAlignment == 0x1000) - { - FileAlignment = 0x200; - } - __try - { - PEHeader32->OptionalHeader.FileAlignment = FileAlignment; - while(SectionNumber > 0) - { - SectionDataPtr = PESections->PointerToRawData + PESections->SizeOfRawData; - if(PESections->SizeOfRawData > NULL) - { - SectionDataPtr--; - while(*(PUCHAR)(FileMapVA + SectionDataPtr) == 0x00 && SectionDataPtr > PESections->PointerToRawData) - { - SectionDataPtr--; - } - } - SectionDataPtr = SectionDataPtr - PESections->PointerToRawData; - OldSectionDataPtr = SectionDataPtr; - SectionDataPtr = (SectionDataPtr / FileAlignment) * FileAlignment; - if(SectionDataPtr < OldSectionDataPtr) - { - SectionDataPtr = SectionDataPtr + FileAlignment; - } - if(CurrentSection == NULL) - { - PEHeader32->OptionalHeader.SizeOfHeaders = PESections->PointerToRawData; - PEHeader32->OptionalHeader.SectionAlignment = PESections->VirtualAddress; - PESections->SizeOfRawData = SectionDataPtr; - } - else - { - OldSectionDataRawPtr = PESections->PointerToRawData; - PESections->SizeOfRawData = SectionDataPtr; - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections - IMAGE_SIZEOF_SECTION_HEADER); - NewSectionRawPointer = PESections->PointerToRawData + PESections->SizeOfRawData; - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); - PESections->PointerToRawData = NewSectionRawPointer; - RtlMoveMemory((LPVOID)((ULONG_PTR)FileMapVA + NewSectionRawPointer), (LPVOID)((ULONG_PTR)FileMapVA + OldSectionDataRawPtr), SectionDataPtr); - } - NewVirtualSectionSize = (PESections->Misc.VirtualSize / PEHeader32->OptionalHeader.SectionAlignment) * PEHeader32->OptionalHeader.SectionAlignment; - if(NewVirtualSectionSize < PESections->Misc.VirtualSize) - { - NewVirtualSectionSize = NewVirtualSectionSize + PEHeader32->OptionalHeader.SectionAlignment; - } - PESections->Misc.VirtualSize = NewVirtualSectionSize; - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); - CurrentSection++; - SectionNumber--; - } - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections - IMAGE_SIZEOF_SECTION_HEADER); - return(PESections->PointerToRawData + PESections->SizeOfRawData); - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - return(-1); - } - } - else - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - SectionNumber = PEHeader64->FileHeader.NumberOfSections; - FileAlignment = PEHeader64->OptionalHeader.FileAlignment; - if(FileAlignment == 0x1000) - { - FileAlignment = 0x200; - } - __try - { - PEHeader64->OptionalHeader.FileAlignment = FileAlignment; - while(SectionNumber > 0) - { - SectionDataPtr = PESections->PointerToRawData + PESections->SizeOfRawData; - if(PESections->SizeOfRawData > NULL) - { - SectionDataPtr--; - while(*(PUCHAR)(FileMapVA + SectionDataPtr) == 0x00 && SectionDataPtr > PESections->PointerToRawData) - { - SectionDataPtr--; - } - } - SectionDataPtr = SectionDataPtr - PESections->PointerToRawData; - OldSectionDataPtr = SectionDataPtr; - SectionDataPtr = (SectionDataPtr / FileAlignment) * FileAlignment; - if(SectionDataPtr < OldSectionDataPtr) - { - SectionDataPtr = SectionDataPtr + FileAlignment; - } - if(CurrentSection == NULL) - { - PEHeader64->OptionalHeader.SizeOfHeaders = PESections->PointerToRawData; - PEHeader64->OptionalHeader.SectionAlignment = PESections->VirtualAddress; - PESections->SizeOfRawData = SectionDataPtr; - } - else - { - OldSectionDataRawPtr = PESections->PointerToRawData; - PESections->SizeOfRawData = SectionDataPtr; - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections - IMAGE_SIZEOF_SECTION_HEADER); - NewSectionRawPointer = PESections->PointerToRawData + PESections->SizeOfRawData; - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); - PESections->PointerToRawData = NewSectionRawPointer; - RtlMoveMemory((LPVOID)((ULONG_PTR)FileMapVA + NewSectionRawPointer), (LPVOID)((ULONG_PTR)FileMapVA + OldSectionDataRawPtr), SectionDataPtr); - } - NewVirtualSectionSize = (PESections->Misc.VirtualSize / PEHeader64->OptionalHeader.SectionAlignment) * PEHeader64->OptionalHeader.SectionAlignment; - if(NewVirtualSectionSize < PESections->Misc.VirtualSize) - { - NewVirtualSectionSize = NewVirtualSectionSize + PEHeader64->OptionalHeader.SectionAlignment; - } - PESections->Misc.VirtualSize = NewVirtualSectionSize; - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); - CurrentSection++; - SectionNumber--; - } - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections - IMAGE_SIZEOF_SECTION_HEADER); - return(PESections->PointerToRawData + PESections->SizeOfRawData); - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - return(-1); - } - } - } - else - { - return(-1); - } - } - return(-1); -} -__declspec(dllexport) long TITCALL RealignPEEx(char* szFileName, DWORD RealingFileSize, DWORD ForcedFileAlignment) -{ - - wchar_t uniFileName[MAX_PATH] = {}; - - if(szFileName != NULL) - { - MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); - return(RealignPEExW(uniFileName, RealingFileSize, ForcedFileAlignment)); - } - else - { - return(-1); - } -} -__declspec(dllexport) long TITCALL RealignPEExW(wchar_t* szFileName, DWORD RealingFileSize, DWORD ForcedFileAlignment) -{ - - wchar_t szBackupFile[MAX_PATH] = {}; - wchar_t szBackupItem[MAX_PATH] = {}; - PIMAGE_DOS_HEADER DOSHeader; - PIMAGE_NT_HEADERS32 PEHeader32; - PIMAGE_NT_HEADERS64 PEHeader64; - PIMAGE_SECTION_HEADER PESections; - DWORD NewVirtualSectionSize = 0; - DWORD NewSectionRawPointer = 0; - DWORD OldSectionDataRawPtr = 0; - DWORD OldSectionDataPtr = 0; - DWORD SectionDataPtr = 0; - DWORD SectionNumber = 0; - DWORD CurrentSection = 0; - BOOL FileIs64; - HANDLE FileHandle; - DWORD FileSize; - HANDLE FileMap; - ULONG_PTR FileMapVA; - - if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof szBackupItem)) - { - if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof szBackupItem)) - { - RtlZeroMemory(&szBackupItem, sizeof szBackupItem); - lstrcpyW(szBackupFile, szFileName); - } - } - else - { - RtlZeroMemory(&szBackupItem, sizeof szBackupItem); - lstrcpyW(szBackupFile, szFileName); - } - if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) - { - DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; - if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true)) - { - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - if(PEHeader32->OptionalHeader.Magic == 0x10B) - { - FileIs64 = false; - } - else if(PEHeader32->OptionalHeader.Magic == 0x20B) - { - FileIs64 = true; - } - else - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(-1); - } - if(!FileIs64) - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - SectionNumber = PEHeader32->FileHeader.NumberOfSections; - if(ForcedFileAlignment == 0x0) - { - ForcedFileAlignment = 0x200; - } - __try - { - PEHeader32->OptionalHeader.FileAlignment = ForcedFileAlignment; - while(SectionNumber > 0) - { - SectionDataPtr = PESections->PointerToRawData + PESections->SizeOfRawData; - if(PESections->SizeOfRawData > NULL) - { - SectionDataPtr--; - while(*(PUCHAR)(FileMapVA + SectionDataPtr) == 0x00 && SectionDataPtr > PESections->PointerToRawData) - { - SectionDataPtr--; - } - } - SectionDataPtr = SectionDataPtr - PESections->PointerToRawData; - OldSectionDataPtr = SectionDataPtr; - SectionDataPtr = (SectionDataPtr / ForcedFileAlignment) * ForcedFileAlignment; - if(SectionDataPtr < OldSectionDataPtr) - { - SectionDataPtr = SectionDataPtr + ForcedFileAlignment; - } - if(CurrentSection == NULL) - { - PEHeader32->OptionalHeader.SizeOfHeaders = PESections->PointerToRawData; - PEHeader32->OptionalHeader.SectionAlignment = PESections->VirtualAddress; - PESections->SizeOfRawData = SectionDataPtr; - } - else - { - OldSectionDataRawPtr = PESections->PointerToRawData; - PESections->SizeOfRawData = SectionDataPtr; - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections - IMAGE_SIZEOF_SECTION_HEADER); - NewSectionRawPointer = PESections->PointerToRawData + PESections->SizeOfRawData; - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); - PESections->PointerToRawData = NewSectionRawPointer; - RtlMoveMemory((LPVOID)((ULONG_PTR)FileMapVA + NewSectionRawPointer), (LPVOID)((ULONG_PTR)FileMapVA + OldSectionDataRawPtr), SectionDataPtr); - } - NewVirtualSectionSize = (PESections->Misc.VirtualSize / PEHeader32->OptionalHeader.SectionAlignment) * PEHeader32->OptionalHeader.SectionAlignment; - if(NewVirtualSectionSize < PESections->Misc.VirtualSize) - { - NewVirtualSectionSize = NewVirtualSectionSize + PEHeader32->OptionalHeader.SectionAlignment; - } - PESections->Misc.VirtualSize = NewVirtualSectionSize; - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); - CurrentSection++; - SectionNumber--; - } - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections - IMAGE_SIZEOF_SECTION_HEADER); - if(RealingFileSize == NULL) - { - FileSize = PESections->PointerToRawData + PESections->SizeOfRawData; - } - else - { - FileSize = RealingFileSize; - } - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - if(szBackupItem[0] != NULL) - { - if(CopyFileW(szBackupFile, szFileName, false)) - { - RemoveGarbageItem(szBackupItem, true); - return(FileSize); - } - else - { - RemoveGarbageItem(szBackupItem, true); - return(-1); - } - } - else - { - return(FileSize); - } - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(-1); - } - } - else - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - SectionNumber = PEHeader64->FileHeader.NumberOfSections; - if(ForcedFileAlignment == 0x0) - { - ForcedFileAlignment = 0x200; - } - __try - { - PEHeader64->OptionalHeader.FileAlignment = ForcedFileAlignment; - while(SectionNumber > 0) - { - SectionDataPtr = PESections->PointerToRawData + PESections->SizeOfRawData; - if(PESections->SizeOfRawData > NULL) - { - SectionDataPtr--; - while(*(PUCHAR)(FileMapVA + SectionDataPtr) == 0x00 && SectionDataPtr > PESections->PointerToRawData) - { - SectionDataPtr--; - } - } - SectionDataPtr = SectionDataPtr - PESections->PointerToRawData; - OldSectionDataPtr = SectionDataPtr; - SectionDataPtr = (SectionDataPtr / ForcedFileAlignment) * ForcedFileAlignment; - if(SectionDataPtr < OldSectionDataPtr) - { - SectionDataPtr = SectionDataPtr + ForcedFileAlignment; - } - if(CurrentSection == NULL) - { - PEHeader64->OptionalHeader.SizeOfHeaders = PESections->PointerToRawData; - PEHeader64->OptionalHeader.SectionAlignment = PESections->VirtualAddress; - PESections->SizeOfRawData = SectionDataPtr; - } - else - { - OldSectionDataRawPtr = PESections->PointerToRawData; - PESections->SizeOfRawData = SectionDataPtr; - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections - IMAGE_SIZEOF_SECTION_HEADER); - NewSectionRawPointer = PESections->PointerToRawData + PESections->SizeOfRawData; - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); - PESections->PointerToRawData = NewSectionRawPointer; - RtlMoveMemory((LPVOID)((ULONG_PTR)FileMapVA + NewSectionRawPointer), (LPVOID)((ULONG_PTR)FileMapVA + OldSectionDataRawPtr), SectionDataPtr); - } - NewVirtualSectionSize = (PESections->Misc.VirtualSize / PEHeader64->OptionalHeader.SectionAlignment) * PEHeader64->OptionalHeader.SectionAlignment; - if(NewVirtualSectionSize < PESections->Misc.VirtualSize) - { - NewVirtualSectionSize = NewVirtualSectionSize + PEHeader64->OptionalHeader.SectionAlignment; - } - PESections->Misc.VirtualSize = NewVirtualSectionSize; - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); - CurrentSection++; - SectionNumber--; - } - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections - IMAGE_SIZEOF_SECTION_HEADER); - if(RealingFileSize == NULL) - { - FileSize = PESections->PointerToRawData + PESections->SizeOfRawData; - } - else - { - FileSize = RealingFileSize; - } - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - if(szBackupItem[0] != NULL) - { - if(CopyFileW(szBackupFile, szFileName, false)) - { - RemoveGarbageItem(szBackupItem, true); - return(FileSize); - } - else - { - RemoveGarbageItem(szBackupItem, true); - return(-1); - } - } - else - { - return(FileSize); - } - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(-1); - } - } - } - else - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(-1); - } - } - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(-1); -} -__declspec(dllexport) bool TITCALL WipeSection(char* szFileName, int WipeSectionNumber, bool RemovePhysically) -{ - - wchar_t uniFileName[MAX_PATH] = {}; - - if(szFileName != NULL) - { - MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); - return(WipeSectionW(uniFileName, WipeSectionNumber, RemovePhysically)); - } - else - { - return(false); - } -} -__declspec(dllexport) bool TITCALL WipeSectionW(wchar_t* szFileName, int WipeSectionNumber, bool RemovePhysically) -{ - - wchar_t szBackupFile[MAX_PATH] = {}; - wchar_t szBackupItem[MAX_PATH] = {}; - PIMAGE_DOS_HEADER DOSHeader; - PIMAGE_NT_HEADERS32 PEHeader32; - PIMAGE_NT_HEADERS64 PEHeader64; - PIMAGE_SECTION_HEADER PESections; - DWORD NewVirtualSectionSize = 0; - DWORD NewSectionRawPointer = 0; - DWORD OldSectionDataRawPtr = 0; - DWORD OldSectionDataPtr = 0; - DWORD CurrentSectionPSize = 0; - DWORD WipeSectionVirSize = 0; - DWORD WipeSectionSize = 0; - DWORD SectionDataPtr = 0; - DWORD FileAlignment = 0; - int SectionNumber = 0; - BOOL FileIs64; - HANDLE FileHandle; - DWORD FileSize; - HANDLE FileMap; - ULONG_PTR FileMapVA; - - if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof szBackupItem)) - { - if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof szBackupItem)) - { - RtlZeroMemory(&szBackupItem, sizeof szBackupItem); - lstrcpyW(szBackupFile, szFileName); - } - } - else - { - RtlZeroMemory(&szBackupItem, sizeof szBackupItem); - lstrcpyW(szBackupFile, szFileName); - } - if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) - { - DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; - if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true)) - { - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - if(PEHeader32->OptionalHeader.Magic == 0x10B) - { - FileIs64 = false; - } - else if(PEHeader32->OptionalHeader.Magic == 0x20B) - { - FileIs64 = true; - } - else - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(false); - } - if(!FileIs64) - { - if(WipeSectionNumber != -1 && WipeSectionNumber <= PEHeader32->FileHeader.NumberOfSections) - { - WipeSectionVirSize = (DWORD)GetPE32DataFromMappedFile(FileMapVA, WipeSectionNumber, UE_SECTIONVIRTUALSIZE); - WipeSectionSize = (DWORD)GetPE32DataFromMappedFile(FileMapVA, WipeSectionNumber, UE_SECTIONRAWSIZE); - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - FileAlignment = PEHeader32->OptionalHeader.FileAlignment; - __try - { - while(SectionNumber < PEHeader32->FileHeader.NumberOfSections) - { - if(SectionNumber == WipeSectionNumber - 1) - { - CurrentSectionPSize = PESections->SizeOfRawData; - if(CurrentSectionPSize % FileAlignment == NULL) - { - CurrentSectionPSize = ((CurrentSectionPSize / FileAlignment)) * FileAlignment; - } - else - { - CurrentSectionPSize = ((CurrentSectionPSize / FileAlignment) + 1) * FileAlignment; - } - PESections->SizeOfRawData = CurrentSectionPSize; - WipeSectionVirSize = WipeSectionVirSize + PESections->Misc.VirtualSize; - if(WipeSectionVirSize % PEHeader32->OptionalHeader.SectionAlignment == NULL) - { - WipeSectionVirSize = ((WipeSectionVirSize / PEHeader32->OptionalHeader.SectionAlignment)) * PEHeader32->OptionalHeader.SectionAlignment; - } - else - { - WipeSectionVirSize = ((WipeSectionVirSize / PEHeader32->OptionalHeader.SectionAlignment) + 1) * PEHeader32->OptionalHeader.SectionAlignment; - } - PESections->Misc.VirtualSize = WipeSectionVirSize; - CurrentSectionPSize = CurrentSectionPSize - PESections->SizeOfRawData; - WipeSectionSize = WipeSectionSize - CurrentSectionPSize; - } - else if(SectionNumber > WipeSectionNumber) - { - RtlMoveMemory((LPVOID)((ULONG_PTR)PESections - IMAGE_SIZEOF_SECTION_HEADER), (LPVOID)PESections, IMAGE_SIZEOF_SECTION_HEADER); - } - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); - SectionNumber++; - } - RtlZeroMemory((LPVOID)PESections, IMAGE_SIZEOF_SECTION_HEADER); - PEHeader32->FileHeader.NumberOfSections--; - if(RemovePhysically) - { - FileSize = RealignPE(FileMapVA, FileSize, NULL); - } - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - if(szBackupItem[0] != NULL) - { - if(CopyFileW(szBackupFile, szFileName, false)) - { - RemoveGarbageItem(szBackupItem, true); - return(true); - } - else - { - RemoveGarbageItem(szBackupItem, true); - return(false); - } - } - else - { - return(true); - } - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(false); - } - } - } - else - { - if(WipeSectionNumber != -1 && WipeSectionNumber <= PEHeader64->FileHeader.NumberOfSections) - { - WipeSectionVirSize = (DWORD)GetPE32DataFromMappedFile(FileMapVA, WipeSectionNumber, UE_SECTIONVIRTUALOFFSET); - WipeSectionVirSize = WipeSectionVirSize + (DWORD)GetPE32DataFromMappedFile(FileMapVA, WipeSectionNumber, UE_SECTIONVIRTUALSIZE); - if(WipeSectionVirSize % PEHeader32->OptionalHeader.SectionAlignment == NULL) - { - WipeSectionVirSize = ((WipeSectionVirSize / PEHeader32->OptionalHeader.SectionAlignment)) * PEHeader32->OptionalHeader.SectionAlignment; - } - else - { - WipeSectionVirSize = ((WipeSectionVirSize / PEHeader32->OptionalHeader.SectionAlignment) + 1) * PEHeader32->OptionalHeader.SectionAlignment; - } - WipeSectionSize = (DWORD)GetPE32DataFromMappedFile(FileMapVA, WipeSectionNumber, UE_SECTIONRAWSIZE); - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - FileAlignment = PEHeader64->OptionalHeader.FileAlignment; - __try - { - while(SectionNumber < PEHeader64->FileHeader.NumberOfSections) - { - if(SectionNumber == WipeSectionNumber - 1) - { - CurrentSectionPSize = PESections->SizeOfRawData; - if(CurrentSectionPSize % FileAlignment == NULL) - { - CurrentSectionPSize = ((CurrentSectionPSize / FileAlignment)) * FileAlignment; - } - else - { - CurrentSectionPSize = ((CurrentSectionPSize / FileAlignment) + 1) * FileAlignment; - } - PESections->SizeOfRawData = CurrentSectionPSize; - WipeSectionVirSize = WipeSectionVirSize + PESections->Misc.VirtualSize; - if(WipeSectionVirSize % PEHeader64->OptionalHeader.SectionAlignment == NULL) - { - WipeSectionVirSize = ((WipeSectionVirSize / PEHeader64->OptionalHeader.SectionAlignment)) * PEHeader64->OptionalHeader.SectionAlignment; - } - else - { - WipeSectionVirSize = ((WipeSectionVirSize / PEHeader64->OptionalHeader.SectionAlignment) + 1) * PEHeader64->OptionalHeader.SectionAlignment; - } - PESections->Misc.VirtualSize = WipeSectionVirSize; - CurrentSectionPSize = CurrentSectionPSize - PESections->SizeOfRawData; - WipeSectionSize = WipeSectionSize - CurrentSectionPSize; - } - else if(SectionNumber > WipeSectionNumber) - { - RtlMoveMemory((LPVOID)((ULONG_PTR)PESections - IMAGE_SIZEOF_SECTION_HEADER), (LPVOID)PESections, IMAGE_SIZEOF_SECTION_HEADER); - } - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); - SectionNumber++; - } - RtlZeroMemory((LPVOID)PESections, IMAGE_SIZEOF_SECTION_HEADER); - PEHeader64->FileHeader.NumberOfSections--; - if(RemovePhysically) - { - FileSize = RealignPE(FileMapVA, FileSize, NULL); - } - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - if(szBackupItem[0] != NULL) - { - if(CopyFileW(szBackupFile, szFileName, false)) - { - RemoveGarbageItem(szBackupItem, true); - return(true); - } - else - { - RemoveGarbageItem(szBackupItem, true); - return(false); - } - } - else - { - return(true); - } - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(false); - } - } - } - } - else - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(false); - } - } - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(false); -} -__declspec(dllexport) bool TITCALL IsPE32FileValidEx(char* szFileName, DWORD CheckDepth, LPVOID FileStatusInfo) -{ - - wchar_t uniFileName[MAX_PATH] = {}; - - if(szFileName != NULL) - { - MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); - return(IsPE32FileValidExW(uniFileName, CheckDepth, FileStatusInfo)); - } - else - { - return(false); - } -} -__declspec(dllexport) bool TITCALL IsPE32FileValidExW(wchar_t* szFileName, DWORD CheckDepth, LPVOID FileStatusInfo) -{ - unsigned int i; - ULONG_PTR ReadData = NULL; - DWORD ReadSize = 0; - WORD ReadDataWORD = 0; - ULONG_PTR hSimulatedFileLoad; - long SectionNumber = 0; - DWORD SectionAttributes = 0; - ULONG_PTR ConvertedAddress = NULL; - DWORD CorrectedImageSize = 0; - DWORD SectionVirtualSize = 0; - DWORD SectionVirtualSizeFixed = 0; - DWORD NumberOfSections = 0; - FILE_STATUS_INFO myFileStatusInfo; - PIMAGE_DOS_HEADER DOSHeader; - PIMAGE_NT_HEADERS32 PEHeader32; - PIMAGE_NT_HEADERS64 PEHeader64; - PIMAGE_SECTION_HEADER PESections; - PIMAGE_EXPORT_DIRECTORY PEExports; - PIMAGE_TLS_DIRECTORY32 PETls32; - PIMAGE_TLS_DIRECTORY64 PETls64; - PIMAGE_IMPORT_DESCRIPTOR ImportIID; - PIMAGE_BOUND_IMPORT_DESCRIPTOR BoundIID; - PIMAGE_THUNK_DATA32 ThunkData32; - PIMAGE_THUNK_DATA64 ThunkData64; - bool hLoadedModuleSimulated = false; - HMODULE hLoadedModule; - ULONG_PTR ImportNamePtr; - ULONG_PTR CurrentThunk; - BOOL FileIsDLL = false; - BOOL FileIs64; - HANDLE FileHandle; - DWORD FileSize; - HANDLE FileMap; - ULONG_PTR FileMapVA; - WORD ResourceNamesTable[22] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 16, 17, 18, 19, 20, 21, 22, 23, 24}; - - RtlZeroMemory(&myFileStatusInfo, sizeof FILE_STATUS_INFO); - if(MapFileExW(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) - { - DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; - myFileStatusInfo.OveralEvaluation = UE_RESULT_FILE_OK; - if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true)) - { - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - if(PEHeader32->Signature == 0x4550 && PEHeader32->OptionalHeader.Magic == 0x10B) - { - FileIs64 = false; - } - else if(PEHeader32->Signature == 0x4550 && PEHeader32->OptionalHeader.Magic == 0x20B) - { - FileIs64 = true; - myFileStatusInfo.FileIs64Bit = true; - } - else - { - myFileStatusInfo.OveralEvaluation = UE_RESULT_FILE_INVALID_FORMAT; - myFileStatusInfo.SignaturePE = UE_FIELD_BROKEN_NON_FIXABLE; - if(FileStatusInfo != NULL) - { - RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof FILE_STATUS_INFO); - } - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(false); - } - if(!FileIs64) - { - /* - x86 Surface check - */ - __try - { - if(PEHeader32->OptionalHeader.SizeOfImage % PEHeader32->OptionalHeader.SectionAlignment == NULL) - { - CorrectedImageSize = ((PEHeader32->OptionalHeader.SizeOfImage / PEHeader32->OptionalHeader.SectionAlignment)) * PEHeader32->OptionalHeader.SectionAlignment; - } - else - { - CorrectedImageSize = ((PEHeader32->OptionalHeader.SizeOfImage / PEHeader32->OptionalHeader.SectionAlignment) + 1) * PEHeader32->OptionalHeader.SectionAlignment; - } - if(PEHeader32->OptionalHeader.SectionAlignment != NULL && PEHeader32->OptionalHeader.SectionAlignment >= PEHeader32->OptionalHeader.FileAlignment) - { - myFileStatusInfo.SectionAlignment = UE_FIELD_OK; - if(PEHeader32->OptionalHeader.SizeOfImage % PEHeader32->OptionalHeader.SectionAlignment == NULL) - { - myFileStatusInfo.SizeOfImage = UE_FIELD_OK; - } - else - { - if(CorrectedImageSize < PEHeader32->OptionalHeader.AddressOfEntryPoint) - { - myFileStatusInfo.SizeOfImage = UE_FIELD_BROKEN_NON_FIXABLE; - } - else - { - myFileStatusInfo.SizeOfImage = UE_FIELD_FIXABLE_NON_CRITICAL; - } - } - } - else - { - myFileStatusInfo.SectionAlignment = UE_FIELD_FIXABLE_CRITICAL; - } - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.SectionAlignment, true); - if(PEHeader32->OptionalHeader.ImageBase % 0x1000 == NULL) - { - myFileStatusInfo.ImageBase = UE_FIELD_OK; - } - else - { - myFileStatusInfo.ImageBase = UE_FIELD_BROKEN_NON_FIXABLE; - } - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.ImageBase, true); - if(PEHeader32->OptionalHeader.FileAlignment % 2 == NULL) - { - myFileStatusInfo.FileAlignment = UE_FIELD_OK; - } - else - { - myFileStatusInfo.FileAlignment = UE_FIELD_FIXABLE_CRITICAL; - } - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.FileAlignment, false); - /* - Get the console flag - */ - if(PEHeader32->OptionalHeader.Subsystem == IMAGE_SUBSYSTEM_WINDOWS_CUI) - { - myFileStatusInfo.FileIsConsole = true; - } - /* - Export and relocation checks [for DLL and EXE] - */ - if(PEHeader32->FileHeader.Characteristics & 0x2000) - { - /* - Export table check - */ - FileIsDLL = true; - myFileStatusInfo.FileIsDLL = true; - if(PEHeader32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_EXPORT && PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress != NULL) - { - if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress > CorrectedImageSize || PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size > CorrectedImageSize) - { - myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; - } - else - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress != NULL) - { - if(EngineIsBadReadPtrEx((LPVOID)ConvertedAddress, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size)) - { - PEExports = (PIMAGE_EXPORT_DIRECTORY)ConvertedAddress; - if(PEExports->AddressOfFunctions > CorrectedImageSize || PEExports->AddressOfFunctions + 4 * PEExports->NumberOfFunctions > CorrectedImageSize) - { - myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; - } - else if(PEExports->AddressOfNameOrdinals > CorrectedImageSize || PEExports->AddressOfNameOrdinals + 4 * PEExports->NumberOfNames > CorrectedImageSize) - { - myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; - } - else if(PEExports->AddressOfNames > CorrectedImageSize || PEExports->AddressOfNames + 4 * PEExports->NumberOfNames > CorrectedImageSize) - { - myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; - } - else if(PEExports->Name > CorrectedImageSize) - { - myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; - } - else - { - if(CheckDepth == UE_DEPTH_DEEP) - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEExports->AddressOfFunctions + PEHeader32->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress != NULL) - { - for(i = 0; i < PEExports->NumberOfFunctions; i++) - { - RtlMoveMemory(&ReadData, (LPVOID)ConvertedAddress, 4); - if(ReadData > CorrectedImageSize || ReadData < PEHeader32->OptionalHeader.SectionAlignment) - { - myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; - i = PEExports->NumberOfFunctions; - } - else - { - ConvertedAddress = ConvertedAddress + 4; - } - } - } - else - { - myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; - } - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEExports->AddressOfNames + PEHeader32->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress != NULL) - { - for(i = 0; i < PEExports->NumberOfNames; i++) - { - RtlMoveMemory(&ReadData, (LPVOID)ConvertedAddress, 4); - if(ReadData > CorrectedImageSize || ReadData < PEHeader32->OptionalHeader.SectionAlignment) - { - myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; - i = PEExports->NumberOfNames; - } - else - { - ConvertedAddress = ConvertedAddress + 4; - } - } - } - else - { - myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; - } - } - } - } - else - { - myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; - } - } - else - { - myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; - } - } - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.ExportTable, true); - } - else - { - myFileStatusInfo.ExportTable = UE_FIELD_NOT_PRESET; - } - /* - Relocation table check - */ - if(PEHeader32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BASERELOC && PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != NULL) - { - if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress > CorrectedImageSize || PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size > CorrectedImageSize) - { - myFileStatusInfo.RelocationTable = UE_FIELD_BROKEN_NON_FIXABLE; - } - else - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress != NULL) - { - if(EngineIsBadReadPtrEx((LPVOID)ConvertedAddress, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size)) - { - RtlMoveMemory(&ReadData, (LPVOID)ConvertedAddress, 4); - RtlMoveMemory(&ReadSize, (LPVOID)(ConvertedAddress + 4), 4); - while(ReadData != NULL) - { - ReadSize = ReadSize - 8; - ConvertedAddress = ConvertedAddress + 8; - while(ReadSize > NULL) - { - RtlMoveMemory(&ReadDataWORD, (LPVOID)ConvertedAddress, 2); - if(ReadDataWORD > 0xCFFF) - { - myFileStatusInfo.RelocationTable = UE_FIELD_BROKEN_FIXABLE_FOR_STATIC_USE; - } - ConvertedAddress = ConvertedAddress + 2; - ReadSize = ReadSize - 2; - } - RtlMoveMemory(&ReadData, (LPVOID)ConvertedAddress, 4); - RtlMoveMemory(&ReadSize, (LPVOID)(ConvertedAddress + 4), 4); - } - } - else - { - myFileStatusInfo.RelocationTable = UE_FIELD_BROKEN_FIXABLE_FOR_STATIC_USE; - } - } - else - { - myFileStatusInfo.RelocationTable = UE_FIELD_BROKEN_FIXABLE_FOR_STATIC_USE; - } - } - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.RelocationTable, true); - } - else - { - myFileStatusInfo.RelocationTable = UE_FIELD_NOT_PRESET_WARNING; - } - } - else - { - /* - Export table check - */ - if(PEHeader32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_EXPORT && PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress != NULL) - { - if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress > CorrectedImageSize || PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size > CorrectedImageSize) - { - myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_CRITICAL; - } - else - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress != NULL) - { - if(EngineIsBadReadPtrEx((LPVOID)ConvertedAddress, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size)) - { - PEExports = (PIMAGE_EXPORT_DIRECTORY)ConvertedAddress; - if(PEExports->AddressOfFunctions > CorrectedImageSize || PEExports->AddressOfFunctions + 4 * PEExports->NumberOfFunctions > CorrectedImageSize) - { - myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_CRITICAL; - } - else if(PEExports->AddressOfNameOrdinals > CorrectedImageSize || PEExports->AddressOfNameOrdinals + 4 * PEExports->NumberOfNames > CorrectedImageSize) - { - myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_CRITICAL; - } - else if(PEExports->AddressOfNames > CorrectedImageSize || PEExports->AddressOfNames + 4 * PEExports->NumberOfNames > CorrectedImageSize) - { - myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_CRITICAL; - } - else if(PEExports->Name > CorrectedImageSize) - { - myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_CRITICAL; - } - } - else - { - myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_CRITICAL; - } - } - } - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.ExportTable, false); - } - else - { - myFileStatusInfo.ExportTable = UE_FIELD_NOT_PRESET; - } - /* - Relocation table check - */ - if(PEHeader32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BASERELOC && PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != NULL) - { - if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress > CorrectedImageSize || PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size > CorrectedImageSize) - { - myFileStatusInfo.RelocationTable = UE_FIELD_BROKEN_NON_FIXABLE; - } - else - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) - { - myFileStatusInfo.RelocationTable = UE_FIELD_FIXABLE_NON_CRITICAL; - } - } - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.RelocationTable, false); - } - else - { - myFileStatusInfo.RelocationTable = UE_FIELD_NOT_PRESET; - } - } - /* - Import table check - */ - if(PEHeader32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_IMPORT && PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress != NULL) - { - if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress > CorrectedImageSize) - { - myFileStatusInfo.ImportTable = UE_FIELD_BROKEN_NON_FIXABLE; - } - else - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) - { - myFileStatusInfo.ImportTable = UE_FIELD_BROKEN_NON_FIXABLE; - } - else - { - SectionNumber = GetPE32SectionNumberFromVA(FileMapVA, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + PEHeader32->OptionalHeader.ImageBase); - if(SectionNumber < 0x7FFFFFFF) - { - SectionAttributes = (DWORD)GetPE32DataFromMappedFile(FileMapVA, SectionNumber, UE_SECTIONFLAGS); - if(SectionAttributes & IMAGE_SCN_MEM_EXECUTE || SectionAttributes & IMAGE_SCN_CNT_CODE || SectionAttributes & IMAGE_SCN_MEM_WRITE || SectionAttributes & IMAGE_SCN_CNT_INITIALIZED_DATA) - { - myFileStatusInfo.ImportTableSection = UE_FIELD_OK; - } - else - { - myFileStatusInfo.ImportTableSection = UE_FIELD_FIXABLE_CRITICAL; - } - if(CheckDepth == UE_DEPTH_DEEP) - { - if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress != NULL) - { - ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, (ULONG_PTR)(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + PEHeader32->OptionalHeader.ImageBase), false, true); - while(myFileStatusInfo.ImportTableData == UE_FIELD_OK && ImportIID->FirstThunk != NULL) - { - hLoadedModule = NULL; - ImportNamePtr = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, (ULONG_PTR)((ULONG_PTR)ImportIID->Name + PEHeader32->OptionalHeader.ImageBase), false, true); - if(ImportNamePtr != NULL) - { - if(!EngineIsDependencyPresent((char*)ImportNamePtr, NULL, NULL)) - { - myFileStatusInfo.MissingDependencies = true; - hLoadedModuleSimulated = false; - } - else - { - hLoadedModuleSimulated = false; - hLoadedModule = GetModuleHandleA((char*)ImportNamePtr); - if(hLoadedModule == NULL) - { - hLoadedModule = (HMODULE)EngineSimulateDllLoader(GetCurrentProcess(), (char*)ImportNamePtr); - hLoadedModuleSimulated = true; - } - } - } - else - { - myFileStatusInfo.ImportTableData = UE_FIELD_BROKEN_NON_FIXABLE; - } - if(ImportIID->OriginalFirstThunk != NULL) - { - ThunkData32 = (PIMAGE_THUNK_DATA32)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, (ULONG_PTR)((ULONG_PTR)ImportIID->OriginalFirstThunk + PEHeader32->OptionalHeader.ImageBase), false, true); - CurrentThunk = (ULONG_PTR)ImportIID->OriginalFirstThunk; - } - else - { - ThunkData32 = (PIMAGE_THUNK_DATA32)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, (ULONG_PTR)((ULONG_PTR)ImportIID->FirstThunk + PEHeader32->OptionalHeader.ImageBase), false, true); - CurrentThunk = (ULONG_PTR)ImportIID->FirstThunk; - } - if(ThunkData32 != NULL) - { - while(myFileStatusInfo.ImportTableData == UE_FIELD_OK && ThunkData32->u1.AddressOfData != NULL) - { - if(ThunkData32->u1.Ordinal & IMAGE_ORDINAL_FLAG32) - { - if((int)(ThunkData32->u1.Ordinal ^ IMAGE_ORDINAL_FLAG32) >= 0x10000) - { - myFileStatusInfo.ImportTableData = UE_FIELD_BROKEN_NON_FIXABLE; - } - } - else - { - ImportNamePtr = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, (ULONG_PTR)((ULONG_PTR)ThunkData32->u1.AddressOfData + 2 + PEHeader32->OptionalHeader.ImageBase), false, true); - if(ImportNamePtr != NULL) - { - if(!EngineIsBadReadPtrEx((LPVOID)ImportNamePtr, 8)) - { - myFileStatusInfo.ImportTableData = UE_FIELD_BROKEN_NON_FIXABLE; - } - else - { - if(hLoadedModule != NULL) - { - if(EngineGetProcAddress((ULONG_PTR)hLoadedModule, (char*)ImportNamePtr) == NULL) - { - myFileStatusInfo.MissingDeclaredAPIs = true; - SetOverallFileStatus(&myFileStatusInfo, UE_FIELD_FIXABLE_CRITICAL, true); - } - } - } - } - else - { - myFileStatusInfo.ImportTableData = UE_FIELD_BROKEN_NON_FIXABLE; - } - } - CurrentThunk = CurrentThunk + 4; - ThunkData32 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ThunkData32 + sizeof IMAGE_THUNK_DATA32); - } - } - else - { - myFileStatusInfo.ImportTableData = UE_FIELD_BROKEN_NON_FIXABLE; - } - if(hLoadedModuleSimulated) - { - VirtualFree((LPVOID)hLoadedModule, NULL, MEM_RELEASE); - } - ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof IMAGE_IMPORT_DESCRIPTOR); - } - } - } - } - else - { - myFileStatusInfo.ImportTable = UE_FIELD_BROKEN_NON_FIXABLE; - } - } - } - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.ImportTable, true); - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.ImportTableData, true); - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.ImportTableSection, true); - } - else - { - myFileStatusInfo.ImportTable = UE_FIELD_NOT_PRESET; - } - /* - TLS table check - */ - if(PEHeader32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_TLS && PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress != NULL) - { - if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress > CorrectedImageSize || PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size > CorrectedImageSize) - { - myFileStatusInfo.TLSTable = UE_FIELD_FIXABLE_CRITICAL; - } - else - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) - { - myFileStatusInfo.TLSTable = UE_FIELD_FIXABLE_CRITICAL; - } - else - { - PETls32 = (PIMAGE_TLS_DIRECTORY32)ConvertedAddress; - if(PETls32->StartAddressOfRawData != NULL && (PETls32->StartAddressOfRawData < PEHeader32->OptionalHeader.ImageBase || PETls32->StartAddressOfRawData > CorrectedImageSize + PEHeader32->OptionalHeader.ImageBase)) - { - myFileStatusInfo.TLSTable = UE_FIELD_FIXABLE_CRITICAL; - } - else if(PETls32->EndAddressOfRawData != NULL && (PETls32->EndAddressOfRawData < PEHeader32->OptionalHeader.ImageBase || PETls32->EndAddressOfRawData > CorrectedImageSize + PEHeader32->OptionalHeader.ImageBase)) - { - myFileStatusInfo.TLSTable = UE_FIELD_FIXABLE_CRITICAL; - } - else if(PETls32->AddressOfIndex != NULL && (PETls32->AddressOfIndex < PEHeader32->OptionalHeader.ImageBase || PETls32->AddressOfIndex > CorrectedImageSize + PEHeader32->OptionalHeader.ImageBase)) - { - myFileStatusInfo.TLSTable = UE_FIELD_FIXABLE_CRITICAL; - } - else if(PETls32->AddressOfCallBacks != NULL && (PETls32->AddressOfCallBacks < PEHeader32->OptionalHeader.ImageBase || PETls32->AddressOfCallBacks > CorrectedImageSize + PEHeader32->OptionalHeader.ImageBase)) - { - myFileStatusInfo.TLSTable = UE_FIELD_FIXABLE_CRITICAL; - } - if(PETls32->AddressOfCallBacks != NULL && CheckDepth == UE_DEPTH_DEEP) - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PETls32->AddressOfCallBacks + PEHeader32->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress != NULL) - { - while(ReadData != NULL) - { - RtlMoveMemory(&ReadData, (LPVOID)ConvertedAddress, 4); - if(ReadData < PEHeader32->OptionalHeader.ImageBase || ReadData > CorrectedImageSize + PEHeader32->OptionalHeader.ImageBase) - { - myFileStatusInfo.TLSTable = UE_FIELD_FIXABLE_CRITICAL; - } - ConvertedAddress = ConvertedAddress + 4; - } - } - } - } - } - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.TLSTable, false); - } - else - { - myFileStatusInfo.TLSTable = UE_FIELD_NOT_PRESET; - } - /* - Load config table check - */ - if(PEHeader32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG && PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress != NULL) - { - if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress > CorrectedImageSize || PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size > CorrectedImageSize) - { - myFileStatusInfo.LoadConfigTable = UE_FIELD_FIXABLE_CRITICAL; - } - else - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) - { - myFileStatusInfo.LoadConfigTable = UE_FIELD_FIXABLE_CRITICAL; - } - } - } - else - { - myFileStatusInfo.LoadConfigTable = UE_FIELD_NOT_PRESET; - } - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.LoadConfigTable, false); - /* - Bound import table check - */ - if(PEHeader32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT && PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress != NULL) - { - if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress > CorrectedImageSize || PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size > CorrectedImageSize) - { - myFileStatusInfo.BoundImportTable = UE_FIELD_FIXABLE_CRITICAL; - } - else - { - ConvertedAddress = (ULONG_PTR)PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress + FileMapVA; - if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) - { - myFileStatusInfo.BoundImportTable = UE_FIELD_FIXABLE_CRITICAL; - } - else - { - BoundIID = (PIMAGE_BOUND_IMPORT_DESCRIPTOR)ConvertedAddress; - while(BoundIID->TimeDateStamp != NULL) - { - if(BoundIID->OffsetModuleName > PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size) - { - myFileStatusInfo.BoundImportTable = UE_FIELD_FIXABLE_CRITICAL; - } - else if(!EngineIsPointedMemoryString(ConvertedAddress + BoundIID->OffsetModuleName)) - { - myFileStatusInfo.BoundImportTable = UE_FIELD_FIXABLE_CRITICAL; - } - BoundIID = (PIMAGE_BOUND_IMPORT_DESCRIPTOR)((ULONG_PTR)BoundIID + sizeof IMAGE_BOUND_IMPORT_DESCRIPTOR); - } - } - } - } - else - { - myFileStatusInfo.BoundImportTable = UE_FIELD_NOT_PRESET; - } - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.BoundImportTable, false); - /* - IAT check - */ - if(PEHeader32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_IAT && PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress != NULL) - { - if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress > CorrectedImageSize || PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].Size > CorrectedImageSize) - { - myFileStatusInfo.IATTable = UE_FIELD_FIXABLE_NON_CRITICAL; - } - else - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) - { - myFileStatusInfo.IATTable = UE_FIELD_FIXABLE_NON_CRITICAL; - } - } - } - else - { - myFileStatusInfo.IATTable = UE_FIELD_NOT_PRESET; - } - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.IATTable, false); - /* - COM header check - */ - if(PEHeader32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR && PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress != NULL) - { - if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress > CorrectedImageSize || PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].Size > CorrectedImageSize) - { - myFileStatusInfo.COMHeaderTable = UE_FIELD_FIXABLE_NON_CRITICAL; - } - else - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) - { - myFileStatusInfo.COMHeaderTable = UE_FIELD_FIXABLE_NON_CRITICAL; - } - } - } - else - { - myFileStatusInfo.COMHeaderTable = UE_FIELD_NOT_PRESET; - } - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.COMHeaderTable, false); - /* - Resource header check - */ - if(PEHeader32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_RESOURCE && PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress != NULL) - { - if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress > CorrectedImageSize || PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size > CorrectedImageSize) - { - myFileStatusInfo.ResourceTable = UE_FIELD_FIXABLE_NON_CRITICAL; - } - else - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize || ConvertedAddress - FileMapVA + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size > FileSize) - { - myFileStatusInfo.ResourceTable = UE_FIELD_BROKEN_BUT_CAN_BE_EMULATED; - } - if(CheckDepth == UE_DEPTH_DEEP) - { - hSimulatedFileLoad = (ULONG_PTR)EngineSimulateNtLoaderW(szFileName); - if(hSimulatedFileLoad != NULL) - { - for(i = 0; i < 22; i++) - { - if(myFileStatusInfo.ResourceData == UE_FIELD_OK) - { - EnumResourceNamesA((HMODULE)hSimulatedFileLoad, MAKEINTRESOURCEA(ResourceNamesTable[i]), (ENUMRESNAMEPROCA)EngineValidateResource, (ULONG_PTR)&myFileStatusInfo.ResourceData); - } - else - { - i = 22; - } - } - VirtualFree((LPVOID)hSimulatedFileLoad, NULL, MEM_RELEASE); - } - } - } - if(myFileStatusInfo.ResourceTable == UE_FIELD_BROKEN_BUT_CAN_BE_EMULATED && myFileStatusInfo.ResourceData == UE_FIELD_OK) - { - myFileStatusInfo.ResourceTable = UE_FIELD_OK; - } - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.ResourceTable, true); - } - else - { - myFileStatusInfo.ResourceTable = UE_FIELD_NOT_PRESET; - } - /* - Section check - */ - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - NumberOfSections = PEHeader32->FileHeader.NumberOfSections; - while(NumberOfSections > NULL) - { - SectionVirtualSize = PESections->VirtualAddress + PESections->Misc.VirtualSize; - if(PESections->Misc.VirtualSize % PEHeader32->OptionalHeader.SectionAlignment == NULL) - { - SectionVirtualSizeFixed = SectionVirtualSize; - } - else - { - SectionVirtualSizeFixed = PESections->VirtualAddress + (((PESections->Misc.VirtualSize / PEHeader32->OptionalHeader.SectionAlignment) + 1) * PEHeader32->OptionalHeader.SectionAlignment); - } - if(NumberOfSections > 1) - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + sizeof IMAGE_SECTION_HEADER); - if(SectionVirtualSize > PESections->VirtualAddress || SectionVirtualSizeFixed > PESections->VirtualAddress) - { - myFileStatusInfo.SectionTable = UE_FIELD_FIXABLE_CRITICAL; - } - } - NumberOfSections--; - } - if(PESections->PointerToRawData + PESections->SizeOfRawData > FileSize && PESections->SizeOfRawData != NULL) - { - myFileStatusInfo.SectionTable = UE_FIELD_BROKEN_NON_FIXABLE; - } - SectionVirtualSizeFixed = SectionVirtualSizeFixed + 0xF000; - if(PEHeader32->OptionalHeader.SizeOfImage > SectionVirtualSizeFixed) - { - myFileStatusInfo.SizeOfImage = UE_FIELD_FIXABLE_CRITICAL; - } - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.SizeOfImage, true); - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.SectionTable, true); - /* - Entry point check - */ - SectionNumber = GetPE32SectionNumberFromVA(FileMapVA, PEHeader32->OptionalHeader.AddressOfEntryPoint + PEHeader32->OptionalHeader.ImageBase); - if(SectionNumber != -1) - { - SectionAttributes = (DWORD)GetPE32DataFromMappedFile(FileMapVA, SectionNumber, UE_SECTIONFLAGS); - if(SectionAttributes & IMAGE_SCN_MEM_EXECUTE || SectionAttributes & IMAGE_SCN_CNT_CODE) - { - myFileStatusInfo.EntryPoint = UE_FIELD_OK; - } - else - { - myFileStatusInfo.EntryPoint = UE_FIELD_BROKEN_NON_CRITICAL; - } - } - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.AddressOfEntryPoint + PEHeader32->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress == NULL) - { - myFileStatusInfo.EntryPoint = UE_FIELD_BROKEN_NON_FIXABLE; - } - else - { - ReadData = NULL; - if(memcmp(&ReadData, (LPVOID)ConvertedAddress, 4) == NULL) - { - myFileStatusInfo.EntryPoint = UE_FIELD_BROKEN_NON_FIXABLE; - } - } - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.EntryPoint, true); - /* - Return data - */ - if(FileStatusInfo != NULL) - { - RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof FILE_STATUS_INFO); - } - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - if(myFileStatusInfo.OveralEvaluation == UE_RESULT_FILE_OK) - { - return(true); - } - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - myFileStatusInfo.EvaluationTerminatedByException = true; - myFileStatusInfo.OveralEvaluation = UE_RESULT_FILE_INVALID_FORMAT; - myFileStatusInfo.SignaturePE = UE_FIELD_BROKEN_NON_FIXABLE; - if(FileStatusInfo != NULL) - { - RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof FILE_STATUS_INFO); - } - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(false); - } - } - else - { - /* - x64 Surface check - */ - __try - { - if(PEHeader64->OptionalHeader.SizeOfImage % PEHeader64->OptionalHeader.SectionAlignment == NULL) - { - CorrectedImageSize = ((PEHeader64->OptionalHeader.SizeOfImage / PEHeader64->OptionalHeader.SectionAlignment)) * PEHeader64->OptionalHeader.SectionAlignment; - } - else - { - CorrectedImageSize = ((PEHeader64->OptionalHeader.SizeOfImage / PEHeader64->OptionalHeader.SectionAlignment) + 1) * PEHeader64->OptionalHeader.SectionAlignment; - } - if(PEHeader64->OptionalHeader.SectionAlignment != NULL && PEHeader64->OptionalHeader.SectionAlignment >= PEHeader64->OptionalHeader.FileAlignment) - { - myFileStatusInfo.SectionAlignment = UE_FIELD_OK; - if(PEHeader64->OptionalHeader.SizeOfImage % PEHeader64->OptionalHeader.SectionAlignment == NULL) - { - myFileStatusInfo.SizeOfImage = UE_FIELD_OK; - } - else - { - if(CorrectedImageSize < PEHeader64->OptionalHeader.AddressOfEntryPoint) - { - myFileStatusInfo.SizeOfImage = UE_FIELD_BROKEN_NON_FIXABLE; - } - else - { - myFileStatusInfo.SizeOfImage = UE_FIELD_FIXABLE_NON_CRITICAL; - } - } - } - else - { - myFileStatusInfo.SectionAlignment = UE_FIELD_FIXABLE_CRITICAL; - } - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.SectionAlignment, true); - if((ULONG_PTR)PEHeader64->OptionalHeader.ImageBase % 0x1000 == NULL) - { - myFileStatusInfo.ImageBase = UE_FIELD_OK; - } - else - { - myFileStatusInfo.ImageBase = UE_FIELD_BROKEN_NON_FIXABLE; - } - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.ImageBase, true); - if(PEHeader64->OptionalHeader.FileAlignment % 2 == NULL) - { - myFileStatusInfo.FileAlignment = UE_FIELD_OK; - } - else - { - myFileStatusInfo.FileAlignment = UE_FIELD_FIXABLE_CRITICAL; - } - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.FileAlignment, false); - /* - Get the console flag - */ - if(PEHeader64->OptionalHeader.Subsystem == IMAGE_SUBSYSTEM_WINDOWS_CUI) - { - myFileStatusInfo.FileIsConsole = true; - } - /* - Export and relocation checks [for DLL and EXE] - */ - if(PEHeader64->FileHeader.Characteristics & 0x2000) - { - /* - Export table check - */ - FileIsDLL = true; - myFileStatusInfo.FileIsDLL = true; - if(PEHeader64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_EXPORT && PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress != NULL) - { - if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress > CorrectedImageSize || PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size > CorrectedImageSize) - { - myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; - } - else - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress != NULL) - { - if(EngineIsBadReadPtrEx((LPVOID)ConvertedAddress, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size)) - { - PEExports = (PIMAGE_EXPORT_DIRECTORY)ConvertedAddress; - if(PEExports->AddressOfFunctions > CorrectedImageSize || PEExports->AddressOfFunctions + 4 * PEExports->NumberOfFunctions > CorrectedImageSize) - { - myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; - } - else if(PEExports->AddressOfNameOrdinals > CorrectedImageSize || PEExports->AddressOfNameOrdinals + 4 * PEExports->NumberOfNames > CorrectedImageSize) - { - myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; - } - else if(PEExports->AddressOfNames > CorrectedImageSize || PEExports->AddressOfNames + 4 * PEExports->NumberOfNames > CorrectedImageSize) - { - myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; - } - else if(PEExports->Name > CorrectedImageSize) - { - myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; - } - else - { - if(CheckDepth == UE_DEPTH_DEEP) - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEExports->AddressOfFunctions + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress != NULL) - { - for(i = 0; i < PEExports->NumberOfFunctions; i++) - { - RtlMoveMemory(&ReadData, (LPVOID)ConvertedAddress, 4); - if(ReadData > CorrectedImageSize || ReadData < PEHeader64->OptionalHeader.SectionAlignment) - { - myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; - i = PEExports->NumberOfFunctions; - } - else - { - ConvertedAddress = ConvertedAddress + 4; - } - } - } - else - { - myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; - } - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEExports->AddressOfNames + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress != NULL) - { - for(i = 0; i < PEExports->NumberOfNames; i++) - { - RtlMoveMemory(&ReadData, (LPVOID)ConvertedAddress, 4); - if(ReadData > CorrectedImageSize || ReadData < PEHeader64->OptionalHeader.SectionAlignment) - { - myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; - i = PEExports->NumberOfNames; - } - else - { - ConvertedAddress = ConvertedAddress + 4; - } - } - } - else - { - myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; - } - } - } - } - else - { - myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; - } - } - else - { - myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_FIXABLE; - } - } - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.ExportTable, true); - } - else - { - myFileStatusInfo.ExportTable = UE_FIELD_NOT_PRESET; - } - /* - Relocation table check - */ - if(PEHeader64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BASERELOC && PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != NULL) - { - if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress > CorrectedImageSize || PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size > CorrectedImageSize) - { - myFileStatusInfo.RelocationTable = UE_FIELD_BROKEN_NON_FIXABLE; - } - else - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress != NULL) - { - if(EngineIsBadReadPtrEx((LPVOID)ConvertedAddress, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size)) - { - RtlMoveMemory(&ReadData, (LPVOID)ConvertedAddress, 4); - RtlMoveMemory(&ReadSize, (LPVOID)(ConvertedAddress + 4), 4); - while(ReadData != NULL) - { - ReadSize = ReadSize - 8; - ConvertedAddress = ConvertedAddress + 8; - while(ReadSize > NULL) - { - RtlMoveMemory(&ReadDataWORD, (LPVOID)ConvertedAddress, 2); - if(ReadDataWORD > 0xCFFF) - { - myFileStatusInfo.RelocationTable = UE_FIELD_BROKEN_FIXABLE_FOR_STATIC_USE; - } - ConvertedAddress = ConvertedAddress + 2; - ReadSize = ReadSize - 2; - } - RtlMoveMemory(&ReadData, (LPVOID)ConvertedAddress, 4); - RtlMoveMemory(&ReadSize, (LPVOID)(ConvertedAddress + 4), 4); - } - } - else - { - myFileStatusInfo.RelocationTable = UE_FIELD_BROKEN_FIXABLE_FOR_STATIC_USE; - } - } - else - { - myFileStatusInfo.RelocationTable = UE_FIELD_BROKEN_FIXABLE_FOR_STATIC_USE; - } - } - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.RelocationTable, true); - } - else - { - myFileStatusInfo.RelocationTable = UE_FIELD_NOT_PRESET_WARNING; - } - } - else - { - /* - Export table check - */ - if(PEHeader64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_EXPORT && PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress != NULL) - { - if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress > CorrectedImageSize || PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size > CorrectedImageSize) - { - myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_CRITICAL; - } - else - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress != NULL) - { - if(EngineIsBadReadPtrEx((LPVOID)ConvertedAddress, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size)) - { - PEExports = (PIMAGE_EXPORT_DIRECTORY)ConvertedAddress; - if(PEExports->AddressOfFunctions > CorrectedImageSize || PEExports->AddressOfFunctions + 4 * PEExports->NumberOfFunctions > CorrectedImageSize) - { - myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_CRITICAL; - } - else if(PEExports->AddressOfNameOrdinals > CorrectedImageSize || PEExports->AddressOfNameOrdinals + 4 * PEExports->NumberOfNames > CorrectedImageSize) - { - myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_CRITICAL; - } - else if(PEExports->AddressOfNames > CorrectedImageSize || PEExports->AddressOfNames + 4 * PEExports->NumberOfNames > CorrectedImageSize) - { - myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_CRITICAL; - } - else if(PEExports->Name > CorrectedImageSize) - { - myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_CRITICAL; - } - } - else - { - myFileStatusInfo.ExportTable = UE_FIELD_BROKEN_NON_CRITICAL; - } - } - } - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.ExportTable, false); - } - else - { - myFileStatusInfo.ExportTable = UE_FIELD_NOT_PRESET; - } - /* - Relocation table check - */ - if(PEHeader64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BASERELOC && PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != NULL) - { - if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress > CorrectedImageSize || PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size > CorrectedImageSize) - { - myFileStatusInfo.RelocationTable = UE_FIELD_BROKEN_NON_FIXABLE; - } - else - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) - { - myFileStatusInfo.RelocationTable = UE_FIELD_FIXABLE_NON_CRITICAL; - } - } - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.RelocationTable, false); - } - else - { - myFileStatusInfo.RelocationTable = UE_FIELD_NOT_PRESET; - } - } - /* - Import table check - */ - if(PEHeader64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_IMPORT && PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress != NULL) - { - if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress > CorrectedImageSize) - { - myFileStatusInfo.ImportTable = UE_FIELD_BROKEN_NON_FIXABLE; - } - else - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) - { - myFileStatusInfo.ImportTable = UE_FIELD_BROKEN_NON_FIXABLE; - } - else - { - SectionNumber = GetPE32SectionNumberFromVA(FileMapVA, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase); - if(SectionNumber >= NULL) - { - SectionAttributes = (DWORD)GetPE32DataFromMappedFile(FileMapVA, SectionNumber, UE_SECTIONFLAGS); - if(SectionAttributes & IMAGE_SCN_MEM_EXECUTE || SectionAttributes & IMAGE_SCN_CNT_CODE || SectionAttributes & IMAGE_SCN_MEM_WRITE || SectionAttributes & IMAGE_SCN_CNT_INITIALIZED_DATA) - { - myFileStatusInfo.ImportTableSection = UE_FIELD_OK; - } - else - { - myFileStatusInfo.ImportTableSection = UE_FIELD_FIXABLE_CRITICAL; - } - if(CheckDepth == UE_DEPTH_DEEP) - { - if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress != NULL) - { - ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)(ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, (ULONG_PTR)(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase), false, true); - while(myFileStatusInfo.ImportTableData == UE_FIELD_OK && ImportIID->FirstThunk != NULL) - { - hLoadedModule = NULL; - ImportNamePtr = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)(ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, (ULONG_PTR)((ULONG_PTR)ImportIID->Name + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase), false, true); - if(ImportNamePtr != NULL) - { - if(!EngineIsDependencyPresent((char*)ImportNamePtr, NULL, NULL)) - { - myFileStatusInfo.MissingDependencies = true; - hLoadedModuleSimulated = false; - } - else - { - hLoadedModuleSimulated = false; - hLoadedModule = GetModuleHandleA((char*)ImportNamePtr); - if(hLoadedModule == NULL) - { - hLoadedModule = (HMODULE)EngineSimulateDllLoader(GetCurrentProcess(), (char*)ImportNamePtr); - hLoadedModuleSimulated = true; - } - } - } - else - { - myFileStatusInfo.ImportTableData = UE_FIELD_BROKEN_NON_FIXABLE; - } - if(ImportIID->OriginalFirstThunk != NULL) - { - ThunkData64 = (PIMAGE_THUNK_DATA64)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, (ULONG_PTR)((ULONG_PTR)ImportIID->OriginalFirstThunk + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase), false, true); - CurrentThunk = (ULONG_PTR)ImportIID->OriginalFirstThunk; - } - else - { - ThunkData32 = (PIMAGE_THUNK_DATA32)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, (ULONG_PTR)((ULONG_PTR)ImportIID->FirstThunk + PEHeader32->OptionalHeader.ImageBase), false, true); - CurrentThunk = (ULONG_PTR)ImportIID->FirstThunk; - } - if(ThunkData64 != NULL) - { - while(myFileStatusInfo.ImportTableData == UE_FIELD_OK && ThunkData64->u1.AddressOfData != NULL) - { - if(ThunkData64->u1.Ordinal & IMAGE_ORDINAL_FLAG64) - { - if((int)(ThunkData64->u1.Ordinal ^ IMAGE_ORDINAL_FLAG64) >= 0x10000) - { - myFileStatusInfo.ImportTableData = UE_FIELD_BROKEN_NON_FIXABLE; - } - } - else - { - ImportNamePtr = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)(ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, (ULONG_PTR)((ULONG_PTR)ThunkData64->u1.AddressOfData + 2 + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase), false, true); - if(ImportNamePtr != NULL) - { - if(!EngineIsBadReadPtrEx((LPVOID)ImportNamePtr, 8)) - { - myFileStatusInfo.ImportTableData = UE_FIELD_BROKEN_NON_FIXABLE; - } - else - { - if(hLoadedModule != NULL) - { - if(EngineGetProcAddress((ULONG_PTR)hLoadedModule, (char*)ImportNamePtr) == NULL) - { - myFileStatusInfo.MissingDeclaredAPIs = true; - SetOverallFileStatus(&myFileStatusInfo, UE_FIELD_FIXABLE_CRITICAL, true); - } - } - } - } - else - { - myFileStatusInfo.ImportTableData = UE_FIELD_BROKEN_NON_FIXABLE; - } - } - CurrentThunk = CurrentThunk + 8; - ThunkData64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ThunkData64 + sizeof IMAGE_THUNK_DATA64); - } - } - else - { - myFileStatusInfo.ImportTableData = UE_FIELD_BROKEN_NON_FIXABLE; - } - if(hLoadedModuleSimulated) - { - VirtualFree((LPVOID)hLoadedModule, NULL, MEM_RELEASE); - } - ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof IMAGE_IMPORT_DESCRIPTOR); - } - } - } - } - else - { - myFileStatusInfo.ImportTable = UE_FIELD_BROKEN_NON_FIXABLE; - } - } - } - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.ImportTable, true); - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.ImportTableData, true); - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.ImportTableSection, true); - } - else - { - myFileStatusInfo.ImportTable = UE_FIELD_NOT_PRESET; - } - /* - TLS table check - */ - if(PEHeader64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_TLS && PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress != NULL) - { - if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress > CorrectedImageSize || PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size > CorrectedImageSize) - { - myFileStatusInfo.TLSTable = UE_FIELD_FIXABLE_CRITICAL; - } - else - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) - { - myFileStatusInfo.TLSTable = UE_FIELD_FIXABLE_CRITICAL; - } - else - { - PETls64 = (PIMAGE_TLS_DIRECTORY64)ConvertedAddress; - if(PETls64->StartAddressOfRawData != NULL && (PETls64->StartAddressOfRawData < (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase || PETls64->StartAddressOfRawData > CorrectedImageSize + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase)) - { - myFileStatusInfo.TLSTable = UE_FIELD_FIXABLE_CRITICAL; - } - else if(PETls64->EndAddressOfRawData != NULL && (PETls64->EndAddressOfRawData < (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase || PETls64->EndAddressOfRawData > CorrectedImageSize + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase)) - { - myFileStatusInfo.TLSTable = UE_FIELD_FIXABLE_CRITICAL; - } - else if(PETls64->AddressOfIndex != NULL && (PETls64->AddressOfIndex < (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase || PETls64->AddressOfIndex > CorrectedImageSize + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase)) - { - myFileStatusInfo.TLSTable = UE_FIELD_FIXABLE_CRITICAL; - } - else if(PETls64->AddressOfCallBacks != NULL && (PETls64->AddressOfCallBacks < (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase || PETls64->AddressOfCallBacks > CorrectedImageSize + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase)) - { - myFileStatusInfo.TLSTable = UE_FIELD_FIXABLE_CRITICAL; - } - if(PETls64->AddressOfCallBacks != NULL && CheckDepth == UE_DEPTH_DEEP) - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, (ULONG_PTR)PETls64->AddressOfCallBacks + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress != NULL) - { - while(ReadData != NULL) - { - RtlMoveMemory(&ReadData, (LPVOID)ConvertedAddress, 8); - if(ReadData < (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase || ReadData > CorrectedImageSize + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase) - { - myFileStatusInfo.TLSTable = UE_FIELD_FIXABLE_CRITICAL; - } - ConvertedAddress = ConvertedAddress + 8; - } - } - } - } - } - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.TLSTable, false); - } - else - { - myFileStatusInfo.TLSTable = UE_FIELD_NOT_PRESET; - } - /* - Load config table check - */ - if(PEHeader64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG && PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress != NULL) - { - if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress > CorrectedImageSize || PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size > CorrectedImageSize) - { - myFileStatusInfo.LoadConfigTable = UE_FIELD_FIXABLE_CRITICAL; - } - else - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) - { - myFileStatusInfo.LoadConfigTable = UE_FIELD_FIXABLE_CRITICAL; - } - } - } - else - { - myFileStatusInfo.LoadConfigTable = UE_FIELD_NOT_PRESET; - } - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.LoadConfigTable, false); - /* - Bound import table check - */ - if(PEHeader64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT && PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress != NULL) - { - if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress > CorrectedImageSize || PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size > CorrectedImageSize) - { - myFileStatusInfo.BoundImportTable = UE_FIELD_FIXABLE_CRITICAL; - } - else - { - ConvertedAddress = (ULONG_PTR)PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress + FileMapVA; - if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) - { - myFileStatusInfo.BoundImportTable = UE_FIELD_FIXABLE_CRITICAL; - } - else - { - BoundIID = (PIMAGE_BOUND_IMPORT_DESCRIPTOR)ConvertedAddress; - while(BoundIID->TimeDateStamp != NULL) - { - if(BoundIID->OffsetModuleName > PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size) - { - myFileStatusInfo.BoundImportTable = UE_FIELD_FIXABLE_CRITICAL; - } - else if(!EngineIsPointedMemoryString(ConvertedAddress + BoundIID->OffsetModuleName)) - { - myFileStatusInfo.BoundImportTable = UE_FIELD_FIXABLE_CRITICAL; - } - BoundIID = (PIMAGE_BOUND_IMPORT_DESCRIPTOR)((ULONG_PTR)BoundIID + sizeof IMAGE_BOUND_IMPORT_DESCRIPTOR); - } - } - } - } - else - { - myFileStatusInfo.BoundImportTable = UE_FIELD_NOT_PRESET; - } - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.BoundImportTable, false); - /* - IAT check - */ - if(PEHeader64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_IAT && PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress != NULL) - { - if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress > CorrectedImageSize || PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].Size > CorrectedImageSize) - { - myFileStatusInfo.IATTable = UE_FIELD_FIXABLE_NON_CRITICAL; - } - else - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) - { - myFileStatusInfo.IATTable = UE_FIELD_FIXABLE_NON_CRITICAL; - } - } - } - else - { - myFileStatusInfo.IATTable = UE_FIELD_NOT_PRESET; - } - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.IATTable, false); - /* - COM header check - */ - if(PEHeader64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR && PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress != NULL) - { - if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress > CorrectedImageSize || PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].Size > CorrectedImageSize) - { - myFileStatusInfo.COMHeaderTable = UE_FIELD_FIXABLE_NON_CRITICAL; - } - else - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) - { - myFileStatusInfo.COMHeaderTable = UE_FIELD_FIXABLE_NON_CRITICAL; - } - } - } - else - { - myFileStatusInfo.COMHeaderTable = UE_FIELD_NOT_PRESET; - } - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.COMHeaderTable, false); - /* - Resource header check - */ - if(PEHeader64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_RESOURCE && PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress != NULL) - { - if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress > CorrectedImageSize || PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size > CorrectedImageSize) - { - myFileStatusInfo.ResourceTable = UE_FIELD_FIXABLE_NON_CRITICAL; - } - else - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize || ConvertedAddress - FileMapVA + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size > FileSize) - { - myFileStatusInfo.ResourceTable = UE_FIELD_BROKEN_BUT_CAN_BE_EMULATED; - } - if(CheckDepth == UE_DEPTH_DEEP) - { - hSimulatedFileLoad = (ULONG_PTR)EngineSimulateNtLoaderW(szFileName); - if(hSimulatedFileLoad != NULL) - { - for(i = 0; i < 22; i++) - { - if(myFileStatusInfo.ResourceData == UE_FIELD_OK) - { - EnumResourceNamesA((HMODULE)hSimulatedFileLoad, MAKEINTRESOURCEA(ResourceNamesTable[i]), (ENUMRESNAMEPROCA)EngineValidateResource, (ULONG_PTR)&myFileStatusInfo.ResourceData); - } - else - { - i = 22; - } - } - VirtualFree((LPVOID)hSimulatedFileLoad, NULL, MEM_RELEASE); - } - } - } - if(myFileStatusInfo.ResourceTable == UE_FIELD_BROKEN_BUT_CAN_BE_EMULATED && myFileStatusInfo.ResourceData == UE_FIELD_OK) - { - myFileStatusInfo.ResourceTable = UE_FIELD_OK; - } - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.ResourceTable, true); - } - else - { - myFileStatusInfo.ResourceTable = UE_FIELD_NOT_PRESET; - } - /* - Section check - */ - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - NumberOfSections = PEHeader64->FileHeader.NumberOfSections; - while(NumberOfSections > NULL) - { - SectionVirtualSize = PESections->VirtualAddress + PESections->Misc.VirtualSize; - if(PESections->Misc.VirtualSize % PEHeader64->OptionalHeader.SectionAlignment == NULL) - { - SectionVirtualSizeFixed = SectionVirtualSize; - } - else - { - SectionVirtualSizeFixed = PESections->VirtualAddress + (((PESections->Misc.VirtualSize / PEHeader64->OptionalHeader.SectionAlignment) + 1) * PEHeader64->OptionalHeader.SectionAlignment); - } - if(NumberOfSections > 1) - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + sizeof IMAGE_SECTION_HEADER); - if(SectionVirtualSize > PESections->VirtualAddress || SectionVirtualSizeFixed > PESections->VirtualAddress) - { - myFileStatusInfo.SectionTable = UE_FIELD_FIXABLE_CRITICAL; - } - } - NumberOfSections--; - } - if(PESections->PointerToRawData + PESections->SizeOfRawData > FileSize && PESections->SizeOfRawData != NULL) - { - myFileStatusInfo.SectionTable = UE_FIELD_BROKEN_NON_FIXABLE; - } - SectionVirtualSizeFixed = SectionVirtualSizeFixed + 0xF000; - if(PEHeader64->OptionalHeader.SizeOfImage > SectionVirtualSizeFixed) - { - myFileStatusInfo.SizeOfImage = UE_FIELD_FIXABLE_CRITICAL; - } - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.SizeOfImage, true); - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.SectionTable, true); - /* - Entry point check - */ - SectionNumber = GetPE32SectionNumberFromVA(FileMapVA, PEHeader64->OptionalHeader.AddressOfEntryPoint + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase); - if(SectionNumber != -1) - { - SectionAttributes = (DWORD)GetPE32DataFromMappedFile(FileMapVA, SectionNumber, UE_SECTIONFLAGS); - if(SectionAttributes & IMAGE_SCN_MEM_EXECUTE || SectionAttributes & IMAGE_SCN_CNT_CODE) - { - myFileStatusInfo.EntryPoint = UE_FIELD_OK; - } - else - { - myFileStatusInfo.EntryPoint = UE_FIELD_BROKEN_NON_CRITICAL; - } - } - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.AddressOfEntryPoint + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress == NULL) - { - myFileStatusInfo.EntryPoint = UE_FIELD_BROKEN_NON_FIXABLE; - } - else - { - ReadData = NULL; - if(memcmp(&ReadData, (LPVOID)ConvertedAddress, 4) == NULL) - { - myFileStatusInfo.EntryPoint = UE_FIELD_BROKEN_NON_FIXABLE; - } - } - SetOverallFileStatus(&myFileStatusInfo, myFileStatusInfo.EntryPoint, true); - /* - Return data - */ - if(FileStatusInfo != NULL) - { - RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof FILE_STATUS_INFO); - } - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - if(myFileStatusInfo.OveralEvaluation == UE_RESULT_FILE_OK) - { - return(true); - } - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - myFileStatusInfo.EvaluationTerminatedByException = true; - myFileStatusInfo.OveralEvaluation = UE_RESULT_FILE_INVALID_FORMAT; - myFileStatusInfo.SignaturePE = UE_FIELD_BROKEN_NON_FIXABLE; - if(FileStatusInfo != NULL) - { - RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof FILE_STATUS_INFO); - } - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(false); - } - } - } - else - { - myFileStatusInfo.OveralEvaluation = UE_RESULT_FILE_INVALID_FORMAT; - myFileStatusInfo.SignatureMZ = UE_FIELD_BROKEN_NON_FIXABLE; - if(FileStatusInfo != NULL) - { - RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof FILE_STATUS_INFO); - } - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(false); - } - } - if(FileStatusInfo != NULL) - { - RtlMoveMemory(FileStatusInfo, &myFileStatusInfo, sizeof FILE_STATUS_INFO); - } - return(false); -} -__declspec(dllexport) bool TITCALL FixBrokenPE32FileEx(char* szFileName, LPVOID FileStatusInfo, LPVOID FileFixInfo) -{ - - wchar_t uniFileName[MAX_PATH] = {}; - - if(szFileName != NULL) - { - MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); - return(FixBrokenPE32FileExW(uniFileName, FileStatusInfo, FileFixInfo)); - } - else - { - return(false); - } -} -__declspec(dllexport) bool TITCALL FixBrokenPE32FileExW(wchar_t* szFileName, LPVOID FileStatusInfo, LPVOID FileFixInfo) -{ - if(!FileFixInfo) - return false; - DWORD ReadData = NULL; - DWORD ReadSize = NULL; - WORD ReadDataWORD = NULL; - ULONG_PTR ReadDataQWORD = NULL; - DWORD OrdinalBase = NULL; - DWORD OrdinalCount = NULL; - long SectionNumber = NULL; - DWORD SectionAttributes = NULL; - ULONG_PTR ConvertedAddress = NULL; - DWORD CorrectedImageSize = NULL; - DWORD SectionVirtualSize = NULL; - DWORD SectionVirtualSizeFixed = NULL; - DWORD NumberOfSections = NULL; - PIMAGE_DOS_HEADER DOSHeader; - PIMAGE_NT_HEADERS32 PEHeader32; - PIMAGE_NT_HEADERS64 PEHeader64; - PIMAGE_SECTION_HEADER PESections; - PIMAGE_EXPORT_DIRECTORY PEExports; - PIMAGE_TLS_DIRECTORY32 PETls32; - PIMAGE_TLS_DIRECTORY64 PETls64; - PIMAGE_IMPORT_DESCRIPTOR ImportIID; - PIMAGE_THUNK_DATA32 ThunkData32; - PIMAGE_THUNK_DATA64 ThunkData64; - PFILE_STATUS_INFO myFileStatusInfo = (PFILE_STATUS_INFO)FileStatusInfo; - PFILE_FIX_INFO myFileFixInfo = (PFILE_FIX_INFO)FileFixInfo; //can bad point - bool hLoadedModuleSimulated = false; - HMODULE hLoadedModule; - ULONG_PTR ImportNamePtr; - ULONG_PTR CurrentThunk; - BOOL FileIs64; - HANDLE FileHandle; - DWORD FileSize; - HANDLE FileMap; - ULONG_PTR FileMapVA; - bool FileFixed = true; - bool FeatureFixed = false; - - FILE_STANDARD_INFO filestatusinfo; //for internal use - - if(myFileStatusInfo == NULL) //here check for myfilestrus..ah lol, youre right - { - myFileStatusInfo=(PFILE_STATUS_INFO)&filestatusinfo; - IsPE32FileValidExW(szFileName, UE_DEPTH_DEEP, myFileStatusInfo); - } - if(myFileFixInfo->FileFixPerformed == false && myFileStatusInfo->OveralEvaluation == UE_RESULT_FILE_INVALID_BUT_FIXABLE) - { - if(MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) - { - myFileFixInfo->OveralEvaluation = UE_RESULT_FILE_INVALID_AND_NON_FIXABLE; - DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; - if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true)) - { - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - if(PEHeader32->Signature == 0x4550 && PEHeader32->OptionalHeader.Magic == 0x10B) - { - FileIs64 = false; - } - else if(PEHeader32->Signature == 0x4550 && PEHeader32->OptionalHeader.Magic == 0x20B) - { - FileIs64 = true; - } - else - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(false); - } - if(myFileStatusInfo->SignatureMZ != UE_FIELD_OK) - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(false); - } - else if(myFileStatusInfo->SignaturePE != UE_FIELD_OK) - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(false); - } - else if(myFileStatusInfo->SectionAlignment != UE_FIELD_OK) - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(false); - } - else if(myFileStatusInfo->FileAlignment != UE_FIELD_OK) - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(false); - } - else if(myFileStatusInfo->ImportTable != UE_FIELD_OK) - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(false); - } - else if(myFileStatusInfo->ImportTableData != UE_FIELD_OK) - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(false); - } - if(!FileIs64) - { - /* - x86 Surface check - */ - __try - { - if(PEHeader32->OptionalHeader.SizeOfImage % PEHeader32->OptionalHeader.SectionAlignment == NULL) - { - CorrectedImageSize = (PEHeader32->OptionalHeader.SizeOfImage / PEHeader32->OptionalHeader.SectionAlignment) * PEHeader32->OptionalHeader.SectionAlignment; - } - else - { - CorrectedImageSize = ((PEHeader32->OptionalHeader.SizeOfImage / PEHeader32->OptionalHeader.SectionAlignment) + 1) * PEHeader32->OptionalHeader.SectionAlignment; - } - /* - Fixing import table - */ - if(myFileStatusInfo->MissingDeclaredAPIs) - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); - SectionNumber = GetPE32SectionNumberFromVA(FileMapVA, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + PEHeader32->OptionalHeader.ImageBase); - if(SectionNumber >= NULL) - { - SectionAttributes = (DWORD)GetPE32DataFromMappedFile(FileMapVA, SectionNumber, UE_SECTIONFLAGS); - if(SectionAttributes & IMAGE_SCN_MEM_EXECUTE || SectionAttributes & IMAGE_SCN_CNT_CODE || SectionAttributes & IMAGE_SCN_MEM_WRITE || SectionAttributes & IMAGE_SCN_CNT_INITIALIZED_DATA) - { - // Should not execute! - } - else - { - if(!SetPE32DataForMappedFile(FileMapVA, SectionAttributes, UE_SECTIONFLAGS, 0xE0000020)) - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(false); - } - } - if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress != NULL) - { - ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, (ULONG_PTR)(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + PEHeader32->OptionalHeader.ImageBase), false, true); - while(ImportIID->FirstThunk != NULL) - { - hLoadedModule = NULL; - ImportNamePtr = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, (ULONG_PTR)((ULONG_PTR)ImportIID->Name + PEHeader32->OptionalHeader.ImageBase), false, true); - if(ImportNamePtr != NULL) - { - if(!EngineIsDependencyPresent((char*)ImportNamePtr, NULL, NULL)) - { - hLoadedModuleSimulated = false; - } - else - { - hLoadedModuleSimulated = false; - hLoadedModule = GetModuleHandleA((char*)ImportNamePtr); - if(hLoadedModule == NULL) - { - hLoadedModule = (HMODULE)EngineSimulateDllLoader(GetCurrentProcess(), (char*)ImportNamePtr); - hLoadedModuleSimulated = true; - } - } - } - if(ImportIID->OriginalFirstThunk != NULL) - { - ThunkData32 = (PIMAGE_THUNK_DATA32)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, (ULONG_PTR)((ULONG_PTR)ImportIID->OriginalFirstThunk + PEHeader32->OptionalHeader.ImageBase), false, true); - CurrentThunk = (ULONG_PTR)ImportIID->OriginalFirstThunk; - } - else - { - ThunkData32 = (PIMAGE_THUNK_DATA32)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, (ULONG_PTR)((ULONG_PTR)ImportIID->FirstThunk + PEHeader32->OptionalHeader.ImageBase), false, true); - CurrentThunk = (ULONG_PTR)ImportIID->FirstThunk; - } - if(ThunkData32 != NULL) - { - while(ThunkData32->u1.AddressOfData != NULL) - { - if(ThunkData32->u1.Ordinal & IMAGE_ORDINAL_FLAG32) - { - if((int)(ThunkData32->u1.Ordinal ^ IMAGE_ORDINAL_FLAG32) >= 0x10000) - { - FileFixed = false; - } - } - else - { - ImportNamePtr = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, (ULONG_PTR)((ULONG_PTR)ThunkData32->u1.AddressOfData + 2 + PEHeader32->OptionalHeader.ImageBase), false, true); - if(ImportNamePtr != NULL) - { - if(EngineIsBadReadPtrEx((LPVOID)ImportNamePtr, 8)) - { - if(hLoadedModule != NULL) - { - if(EngineGetProcAddress((ULONG_PTR)hLoadedModule, (char*)ImportNamePtr) == NULL) - { - OrdinalBase = NULL; - OrdinalCount = NULL; - if(EngineGetLibraryOrdinalData((ULONG_PTR)hLoadedModule, &OrdinalBase, &OrdinalCount)) - { - if(OrdinalBase != NULL && OrdinalCount != NULL) - { - ThunkData32->u1.Ordinal = (OrdinalBase + 1) ^ IMAGE_ORDINAL_FLAG32; - } - else - { - FileFixed = false; - } - } - } - } - } - } - } - CurrentThunk = CurrentThunk + 4; - ThunkData32 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ThunkData32 + sizeof IMAGE_THUNK_DATA32); - } - } - if(hLoadedModuleSimulated) - { - VirtualFree((LPVOID)hLoadedModule, NULL, MEM_RELEASE); - } - ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof IMAGE_IMPORT_DESCRIPTOR); - } - } - } - } - /* - Fixing Export table - */ - if(myFileStatusInfo->ExportTable == UE_FIELD_NOT_PRESET_WARNING) - { - FileFixed = false; - } - else if(myFileFixInfo->DontFixExports == false && myFileStatusInfo->ExportTable != UE_FIELD_OK && myFileStatusInfo->ExportTable != UE_FIELD_NOT_PRESET) - { - if(PEHeader32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_EXPORT && PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress != NULL) - { - if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress > CorrectedImageSize || PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size > CorrectedImageSize) - { - myFileFixInfo->StrippedExports = true; - myFileFixInfo->OriginalExportTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; - myFileFixInfo->OriginalExportTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress = NULL; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size = NULL; - } - else - { - FeatureFixed = true; - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress != NULL) - { - if(EngineIsBadReadPtrEx((LPVOID)ConvertedAddress, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size)) - { - PEExports = (PIMAGE_EXPORT_DIRECTORY)ConvertedAddress; - if(PEExports->AddressOfFunctions > CorrectedImageSize || PEExports->AddressOfFunctions + 4 * PEExports->NumberOfFunctions > CorrectedImageSize) - { - FeatureFixed = false; - } - else if(PEExports->AddressOfNameOrdinals > CorrectedImageSize || PEExports->AddressOfNameOrdinals + 4 * PEExports->NumberOfNames > CorrectedImageSize) - { - FeatureFixed = false; - } - else if(PEExports->AddressOfNames > CorrectedImageSize || PEExports->AddressOfNames + 4 * PEExports->NumberOfNames > CorrectedImageSize) - { - FeatureFixed = false; - } - else if(PEExports->Name > CorrectedImageSize) - { - FeatureFixed = false; - } - if(!FeatureFixed) - { - myFileFixInfo->StrippedExports = true; - myFileFixInfo->OriginalExportTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; - myFileFixInfo->OriginalExportTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress = NULL; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size = NULL; - } - } - else - { - myFileFixInfo->StrippedExports = true; - myFileFixInfo->OriginalExportTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; - myFileFixInfo->OriginalExportTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress = NULL; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size = NULL; - } - } - } - } - } - /* - Fixing Relocation table - */ - if(myFileStatusInfo->FileIsDLL == true && myFileStatusInfo->RelocationTable == UE_FIELD_BROKEN_NON_FIXABLE) - { - FileFixed = false; - } - else if(myFileFixInfo->DontFixRelocations == false && myFileStatusInfo->RelocationTable != UE_FIELD_OK) - { - if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress > CorrectedImageSize || PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size > CorrectedImageSize) - { - if(myFileStatusInfo->FileIsDLL) - { - FileFixed = false; - } - else - { - myFileFixInfo->StrippedRelocation = true; - myFileFixInfo->OriginalRelocationTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress; - myFileFixInfo->OriginalRelocationTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = NULL; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = NULL; - } - } - else - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress != NULL) - { - if(EngineIsBadReadPtrEx((LPVOID)ConvertedAddress, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size)) - { - RtlMoveMemory(&ReadData, (LPVOID)ConvertedAddress, 4); - RtlMoveMemory(&ReadSize, (LPVOID)(ConvertedAddress + 4), 4); - while(ReadData != NULL) - { - ReadSize = ReadSize - 8; - ConvertedAddress = ConvertedAddress + 8; - while(ReadSize > NULL) - { - RtlMoveMemory(&ReadDataWORD, (LPVOID)ConvertedAddress, 2); - if(ReadDataWORD > 0xCFFF) - { - RtlZeroMemory((LPVOID)ConvertedAddress, 2); - } - ConvertedAddress = ConvertedAddress + 2; - ReadSize = ReadSize - 2; - } - RtlMoveMemory(&ReadData, (LPVOID)ConvertedAddress, 4); - RtlMoveMemory(&ReadSize, (LPVOID)(ConvertedAddress + 4), 4); - } - } - else - { - if(myFileStatusInfo->FileIsDLL) - { - FileFixed = false; - } - else - { - myFileFixInfo->StrippedRelocation = true; - myFileFixInfo->OriginalRelocationTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress; - myFileFixInfo->OriginalRelocationTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = NULL; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = NULL; - } - } - } - else - { - if(myFileStatusInfo->FileIsDLL) - { - FileFixed = false; - } - else - { - myFileFixInfo->StrippedRelocation = true; - myFileFixInfo->OriginalRelocationTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress; - myFileFixInfo->OriginalRelocationTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = NULL; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = NULL; - } - } - } - } - else if(myFileStatusInfo->RelocationTable == UE_FIELD_OK) - { - // Filter case! - } - else - { - FileFixed = false; - } - /* - Fixing Resource table - */ - if(myFileFixInfo->DontFixResources == false && myFileStatusInfo->ResourceData != UE_FIELD_OK && myFileStatusInfo->ResourceData != UE_FIELD_NOT_PRESET) - { - myFileFixInfo->StrippedResources = true; - myFileFixInfo->OriginalResourceTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress; - myFileFixInfo->OriginalResourceTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress = NULL; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size = NULL; - } - else if(myFileFixInfo->DontFixResources == false && myFileStatusInfo->ResourceTable != UE_FIELD_OK && myFileStatusInfo->ResourceTable != UE_FIELD_NOT_PRESET) - { - if(PEHeader32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_RESOURCE && PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress != NULL) - { - if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress > CorrectedImageSize || PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size > CorrectedImageSize) - { - myFileFixInfo->StrippedResources = true; - myFileFixInfo->OriginalResourceTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress; - myFileFixInfo->OriginalResourceTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress = NULL; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size = NULL; - } - else - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize || ConvertedAddress - FileMapVA + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size > FileSize) - { - myFileFixInfo->StrippedResources = true; - myFileFixInfo->OriginalResourceTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress; - myFileFixInfo->OriginalResourceTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress = NULL; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size = NULL; - } - } - } - } - /* - Fixing TLS table - */ - if(myFileFixInfo->DontFixTLS == false && myFileStatusInfo->TLSTable != UE_FIELD_OK && myFileStatusInfo->TLSTable != UE_FIELD_NOT_PRESET) - { - if(PEHeader32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_TLS && PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress != NULL) - { - if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress > CorrectedImageSize || PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size > CorrectedImageSize) - { - myFileFixInfo->StrippedTLS = true; - myFileFixInfo->OriginalTLSTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress; - myFileFixInfo->OriginalTLSTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = NULL; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = NULL; - } - else - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) - { - myFileFixInfo->StrippedTLS = true; - myFileFixInfo->OriginalTLSTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress; - myFileFixInfo->OriginalTLSTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = NULL; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = NULL; - } - else - { - FeatureFixed = true; - PETls32 = (PIMAGE_TLS_DIRECTORY32)ConvertedAddress; - if(PETls32->StartAddressOfRawData != NULL && (PETls32->StartAddressOfRawData < PEHeader32->OptionalHeader.ImageBase || PETls32->StartAddressOfRawData > CorrectedImageSize + PEHeader32->OptionalHeader.ImageBase)) - { - FeatureFixed = false; - } - else if(PETls32->EndAddressOfRawData != NULL && (PETls32->EndAddressOfRawData < PEHeader32->OptionalHeader.ImageBase || PETls32->EndAddressOfRawData > CorrectedImageSize + PEHeader32->OptionalHeader.ImageBase)) - { - FeatureFixed = false; - } - else if(PETls32->AddressOfIndex != NULL && (PETls32->AddressOfIndex < PEHeader32->OptionalHeader.ImageBase || PETls32->AddressOfIndex > CorrectedImageSize + PEHeader32->OptionalHeader.ImageBase)) - { - FeatureFixed = false; - } - else if(PETls32->AddressOfCallBacks != NULL && (PETls32->AddressOfCallBacks < PEHeader32->OptionalHeader.ImageBase || PETls32->AddressOfCallBacks > CorrectedImageSize + PEHeader32->OptionalHeader.ImageBase)) - { - FeatureFixed = false; - } - if(!FeatureFixed) - { - myFileFixInfo->StrippedTLS = true; - myFileFixInfo->OriginalTLSTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress; - myFileFixInfo->OriginalTLSTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = NULL; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = NULL; - } - else - { - if(PETls32->AddressOfCallBacks != NULL) - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PETls32->AddressOfCallBacks + PEHeader32->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress != NULL) - { - while(ReadData != NULL) - { - RtlMoveMemory(&ReadData, (LPVOID)ConvertedAddress, 4); - if(ReadData < PEHeader32->OptionalHeader.ImageBase || ReadData > CorrectedImageSize + PEHeader32->OptionalHeader.ImageBase) - { - RtlZeroMemory((LPVOID)ConvertedAddress, 4); - } - ConvertedAddress = ConvertedAddress + 4; - } - } - } - } - } - } - } - } - /* - Fix Load config table - */ - if(myFileFixInfo->DontFixLoadConfig == false && myFileStatusInfo->LoadConfigTable != UE_FIELD_OK && myFileStatusInfo->LoadConfigTable != UE_FIELD_NOT_PRESET) - { - if(PEHeader32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG && PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress != NULL) - { - if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress > CorrectedImageSize || PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size > CorrectedImageSize) - { - myFileFixInfo->StrippedLoadConfig = true; - myFileFixInfo->OriginalLoadConfigTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress; - myFileFixInfo->OriginalLoadConfigTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress = NULL; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size = NULL; - } - else - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) - { - myFileFixInfo->StrippedLoadConfig = true; - myFileFixInfo->OriginalLoadConfigTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress; - myFileFixInfo->OriginalLoadConfigTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress = NULL; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size = NULL; - } - } - } - } - /* - Fix Bound import table - */ - if(myFileFixInfo->DontFixBoundImports == false && myFileStatusInfo->BoundImportTable != UE_FIELD_OK && myFileStatusInfo->BoundImportTable != UE_FIELD_NOT_PRESET) - { - if(PEHeader32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT && PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress != NULL) - { - if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress > CorrectedImageSize || PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size > CorrectedImageSize) - { - myFileFixInfo->StrippedBoundImports = true; - myFileFixInfo->OriginalBoundImportTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress; - myFileFixInfo->OriginalBoundImportTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress = NULL; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size = NULL; - } - else - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) - { - myFileFixInfo->StrippedBoundImports = true; - myFileFixInfo->OriginalBoundImportTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress; - myFileFixInfo->OriginalBoundImportTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress = NULL; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size = NULL; - } - } - } - } - /* - Fix IAT - */ - if(myFileFixInfo->DontFixIAT == false && myFileStatusInfo->IATTable != UE_FIELD_OK && myFileStatusInfo->IATTable != UE_FIELD_NOT_PRESET) - { - if(PEHeader32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_IAT && PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress != NULL) - { - if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress > CorrectedImageSize || PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].Size > CorrectedImageSize) - { - myFileFixInfo->StrippedIAT = true; - myFileFixInfo->OriginalImportAddressTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress; - myFileFixInfo->OriginalImportAddressTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].Size; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress = NULL; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size = NULL; - } - else - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) - { - myFileFixInfo->StrippedIAT = true; - myFileFixInfo->OriginalImportAddressTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress; - myFileFixInfo->OriginalImportAddressTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].Size; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress = NULL; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size = NULL; - } - } - } - } - /* - Fix COM header - */ - if(myFileFixInfo->DontFixCOM == false && myFileStatusInfo->COMHeaderTable != UE_FIELD_OK && myFileStatusInfo->COMHeaderTable != UE_FIELD_NOT_PRESET) - { - if(PEHeader32->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR && PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress != NULL) - { - if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress > CorrectedImageSize || PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].Size > CorrectedImageSize) - { - myFileFixInfo->StrippedCOM = true; - myFileFixInfo->OriginalCOMTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress; - myFileFixInfo->OriginalCOMTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].Size; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress = NULL; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].Size = NULL; - } - else - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress + PEHeader32->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) - { - myFileFixInfo->StrippedCOM = true; - myFileFixInfo->OriginalCOMTableAddress = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress; - myFileFixInfo->OriginalCOMTableSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].Size; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress = NULL; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].Size = NULL; - } - } - } - } - /* - Fix sections and SizeOfImage - */ - if(myFileStatusInfo->SectionTable != UE_FIELD_OK || myFileStatusInfo->SizeOfImage != UE_FIELD_OK) - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - NumberOfSections = PEHeader32->FileHeader.NumberOfSections; - while(NumberOfSections > NULL) - { - SectionVirtualSize = PESections->VirtualAddress + PESections->Misc.VirtualSize; - if(PESections->Misc.VirtualSize % PEHeader32->OptionalHeader.SectionAlignment == NULL) - { - SectionVirtualSizeFixed = SectionVirtualSize; - } - else - { - SectionVirtualSizeFixed = PESections->VirtualAddress + (((PESections->Misc.VirtualSize / PEHeader32->OptionalHeader.SectionAlignment) + 1) * PEHeader32->OptionalHeader.SectionAlignment); - } - if(NumberOfSections > 1) - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + sizeof IMAGE_SECTION_HEADER); - if(SectionVirtualSize > PESections->VirtualAddress || SectionVirtualSizeFixed > PESections->VirtualAddress) - { - PESections->Misc.VirtualSize = SectionVirtualSizeFixed; - } - } - NumberOfSections--; - } - if(PESections->PointerToRawData + PESections->SizeOfRawData > FileSize && PESections->SizeOfRawData != NULL) - { - PESections->SizeOfRawData = FileSize - PESections->PointerToRawData; - } - if(myFileStatusInfo->SizeOfImage != UE_FIELD_OK) - { - SectionVirtualSizeFixed = SectionVirtualSizeFixed + 0xF000; - if(PEHeader32->OptionalHeader.SizeOfImage > SectionVirtualSizeFixed) - { - PEHeader32->OptionalHeader.SizeOfImage = SectionVirtualSizeFixed - 0xF000; - } - } - } - /* - Entry point check - */ - if(myFileStatusInfo->EntryPoint != UE_FIELD_OK) - { - SectionNumber = GetPE32SectionNumberFromVA(FileMapVA, PEHeader32->OptionalHeader.AddressOfEntryPoint + (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase); - if(SectionNumber != -1) - { - SectionAttributes = (DWORD)GetPE32DataFromMappedFile(FileMapVA, SectionNumber, UE_SECTIONFLAGS); - if(SectionAttributes & IMAGE_SCN_MEM_EXECUTE || SectionAttributes & IMAGE_SCN_CNT_CODE) - { - // Should never execute - } - else - { - if(!SetPE32DataForMappedFile(FileMapVA, SectionNumber, UE_SECTIONFLAGS, 0xE0000020)) - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(false); - } - } - } - } - /* - Fix end - */ - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - if(FileFixed) - { - myFileFixInfo->OveralEvaluation = UE_RESULT_FILE_OK; - myFileFixInfo->FileFixPerformed = FileFixed; - } - return(true); - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - myFileFixInfo->FixingTerminatedByException = true; - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(false); - } - } - else - { - /* - x64 Surface check - */ - __try - { - if(PEHeader64->OptionalHeader.SizeOfImage % PEHeader64->OptionalHeader.SectionAlignment == NULL) - { - CorrectedImageSize = (PEHeader64->OptionalHeader.SizeOfImage / PEHeader64->OptionalHeader.SectionAlignment) * PEHeader64->OptionalHeader.SectionAlignment; - } - else - { - CorrectedImageSize = ((PEHeader64->OptionalHeader.SizeOfImage / PEHeader64->OptionalHeader.SectionAlignment) + 1) * PEHeader64->OptionalHeader.SectionAlignment; - } - /* - Fixing import table - */ - if(myFileStatusInfo->MissingDeclaredAPIs) - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); - SectionNumber = GetPE32SectionNumberFromVA(FileMapVA, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase); - if(SectionNumber >= NULL) - { - SectionAttributes = (DWORD)GetPE32DataFromMappedFile(FileMapVA, SectionNumber, UE_SECTIONFLAGS); - if(SectionAttributes & IMAGE_SCN_MEM_EXECUTE || SectionAttributes & IMAGE_SCN_CNT_CODE || SectionAttributes & IMAGE_SCN_MEM_WRITE || SectionAttributes & IMAGE_SCN_CNT_INITIALIZED_DATA) - { - // Should not execute! - } - else - { - if(!SetPE32DataForMappedFile(FileMapVA, SectionAttributes, UE_SECTIONFLAGS, 0xE0000020)) - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(false); - } - } - if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress != NULL) - { - ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, (ULONG_PTR)(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase), false, true); - while(ImportIID->FirstThunk != NULL) - { - hLoadedModule = NULL; - ImportNamePtr = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, (ULONG_PTR)((ULONG_PTR)ImportIID->Name + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase), false, true); - if(ImportNamePtr != NULL) - { - if(!EngineIsDependencyPresent((char*)ImportNamePtr, NULL, NULL)) - { - hLoadedModuleSimulated = false; - } - else - { - hLoadedModuleSimulated = false; - hLoadedModule = GetModuleHandleA((char*)ImportNamePtr); - if(hLoadedModule == NULL) - { - hLoadedModule = (HMODULE)EngineSimulateDllLoader(GetCurrentProcess(), (char*)ImportNamePtr); - hLoadedModuleSimulated = true; - } - } - } - if(ImportIID->OriginalFirstThunk != NULL) - { - ThunkData64 = (PIMAGE_THUNK_DATA64)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, (ULONG_PTR)((ULONG_PTR)ImportIID->OriginalFirstThunk + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase), false, true); - CurrentThunk = (ULONG_PTR)ImportIID->OriginalFirstThunk; - } - else - { - ThunkData32 = (PIMAGE_THUNK_DATA32)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, (ULONG_PTR)((ULONG_PTR)ImportIID->FirstThunk + PEHeader32->OptionalHeader.ImageBase), false, true); - CurrentThunk = (ULONG_PTR)ImportIID->FirstThunk; - } - if(ThunkData64 != NULL) - { - while(ThunkData64->u1.AddressOfData != NULL) - { - if(ThunkData64->u1.Ordinal & IMAGE_ORDINAL_FLAG64) - { - if((int)(ThunkData64->u1.Ordinal ^ IMAGE_ORDINAL_FLAG64) >= 0x10000) - { - FileFixed = false; - } - } - else - { - ImportNamePtr = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, (ULONG_PTR)((ULONG_PTR)ThunkData64->u1.AddressOfData + 2 + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase), false, true); - if(ImportNamePtr != NULL) - { - if(EngineIsBadReadPtrEx((LPVOID)ImportNamePtr, 8)) - { - if(hLoadedModule != NULL) - { - if(EngineGetProcAddress((ULONG_PTR)hLoadedModule, (char*)ImportNamePtr) == NULL) - { - OrdinalBase = NULL; - OrdinalCount = NULL; - if(EngineGetLibraryOrdinalData((ULONG_PTR)hLoadedModule, &OrdinalBase, &OrdinalCount)) - { - if(OrdinalBase != NULL && OrdinalCount != NULL) - { - ThunkData64->u1.Ordinal = (OrdinalBase + 1) ^ IMAGE_ORDINAL_FLAG64; - } - else - { - FileFixed = false; - } - } - } - } - } - } - } - CurrentThunk = CurrentThunk + 8; - ThunkData64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ThunkData64 + sizeof IMAGE_THUNK_DATA64); - } - } - if(hLoadedModuleSimulated) - { - VirtualFree((LPVOID)hLoadedModule, NULL, MEM_RELEASE); - } - ImportIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportIID + sizeof IMAGE_IMPORT_DESCRIPTOR); - } - } - } - } - /* - Fixing Export table - */ - if(myFileStatusInfo->ExportTable == UE_FIELD_NOT_PRESET_WARNING) - { - FileFixed = false; - } - else if(myFileFixInfo->DontFixExports == false && myFileStatusInfo->ExportTable != UE_FIELD_OK && myFileStatusInfo->ExportTable != UE_FIELD_NOT_PRESET) - { - if(PEHeader64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_EXPORT && PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress != NULL) - { - if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress > CorrectedImageSize || PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size > CorrectedImageSize) - { - myFileFixInfo->StrippedExports = true; - myFileFixInfo->OriginalExportTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; - myFileFixInfo->OriginalExportTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress = NULL; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size = NULL; - } - else - { - FeatureFixed = true; - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress != NULL) - { - if(EngineIsBadReadPtrEx((LPVOID)ConvertedAddress, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size)) - { - PEExports = (PIMAGE_EXPORT_DIRECTORY)ConvertedAddress; - if(PEExports->AddressOfFunctions > CorrectedImageSize || PEExports->AddressOfFunctions + 4 * PEExports->NumberOfFunctions > CorrectedImageSize) - { - FeatureFixed = false; - } - else if(PEExports->AddressOfNameOrdinals > CorrectedImageSize || PEExports->AddressOfNameOrdinals + 4 * PEExports->NumberOfNames > CorrectedImageSize) - { - FeatureFixed = false; - } - else if(PEExports->AddressOfNames > CorrectedImageSize || PEExports->AddressOfNames + 4 * PEExports->NumberOfNames > CorrectedImageSize) - { - FeatureFixed = false; - } - else if(PEExports->Name > CorrectedImageSize) - { - FeatureFixed = false; - } - if(!FeatureFixed) - { - myFileFixInfo->StrippedExports = true; - myFileFixInfo->OriginalExportTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; - myFileFixInfo->OriginalExportTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress = NULL; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size = NULL; - } - } - else - { - myFileFixInfo->StrippedExports = true; - myFileFixInfo->OriginalExportTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; - myFileFixInfo->OriginalExportTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress = NULL; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size = NULL; - } - } - } - } - } - /* - Fixing Relocation table - */ - if(myFileStatusInfo->FileIsDLL == true && myFileStatusInfo->RelocationTable == UE_FIELD_BROKEN_NON_FIXABLE) - { - FileFixed = false; - } - else if(myFileFixInfo->DontFixRelocations == false && myFileStatusInfo->RelocationTable != UE_FIELD_OK) - { - if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress > CorrectedImageSize || PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size > CorrectedImageSize) - { - if(myFileStatusInfo->FileIsDLL) - { - FileFixed = false; - } - else - { - myFileFixInfo->StrippedRelocation = true; - myFileFixInfo->OriginalRelocationTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress; - myFileFixInfo->OriginalRelocationTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = NULL; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = NULL; - } - } - else - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress != NULL) - { - if(EngineIsBadReadPtrEx((LPVOID)ConvertedAddress, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size)) - { - RtlMoveMemory(&ReadData, (LPVOID)ConvertedAddress, 4); - RtlMoveMemory(&ReadSize, (LPVOID)(ConvertedAddress + 4), 4); - while(ReadData != NULL) - { - ReadSize = ReadSize - 8; - ConvertedAddress = ConvertedAddress + 8; - while(ReadSize > NULL) - { - RtlMoveMemory(&ReadDataWORD, (LPVOID)ConvertedAddress, 2); - if(ReadDataWORD > 0xCFFF) - { - RtlZeroMemory((LPVOID)ConvertedAddress, 2); - } - ConvertedAddress = ConvertedAddress + 2; - ReadSize = ReadSize - 2; - } - RtlMoveMemory(&ReadData, (LPVOID)ConvertedAddress, 4); - RtlMoveMemory(&ReadSize, (LPVOID)(ConvertedAddress + 4), 4); - } - } - else - { - if(myFileStatusInfo->FileIsDLL) - { - FileFixed = false; - } - else - { - myFileFixInfo->StrippedRelocation = true; - myFileFixInfo->OriginalRelocationTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress; - myFileFixInfo->OriginalRelocationTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = NULL; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = NULL; - } - } - } - else - { - if(myFileStatusInfo->FileIsDLL) - { - FileFixed = false; - } - else - { - myFileFixInfo->StrippedRelocation = true; - myFileFixInfo->OriginalRelocationTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress; - myFileFixInfo->OriginalRelocationTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = NULL; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = NULL; - } - } - } - } - else if(myFileStatusInfo->RelocationTable == UE_FIELD_OK) - { - // Filter case! - } - else - { - FileFixed = false; - } - /* - Fixing Resource table - */ - if(myFileFixInfo->DontFixResources == false && myFileStatusInfo->ResourceData != UE_FIELD_OK && myFileStatusInfo->ResourceData != UE_FIELD_NOT_PRESET) - { - myFileFixInfo->StrippedResources = true; - myFileFixInfo->OriginalResourceTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress; - myFileFixInfo->OriginalResourceTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress = NULL; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size = NULL; - } - else if(myFileFixInfo->DontFixResources == false && myFileStatusInfo->ResourceTable != UE_FIELD_OK && myFileStatusInfo->ResourceTable != UE_FIELD_NOT_PRESET) - { - if(PEHeader64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_RESOURCE && PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress != NULL) - { - if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress > CorrectedImageSize || PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size > CorrectedImageSize) - { - myFileFixInfo->StrippedResources = true; - myFileFixInfo->OriginalResourceTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress; - myFileFixInfo->OriginalResourceTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress = NULL; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size = NULL; - } - else - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize || ConvertedAddress - FileMapVA + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size > FileSize) - { - myFileFixInfo->StrippedResources = true; - myFileFixInfo->OriginalResourceTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress; - myFileFixInfo->OriginalResourceTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress = NULL; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size = NULL; - } - } - } - } - /* - Fixing TLS table - */ - if(myFileFixInfo->DontFixTLS == false && myFileStatusInfo->TLSTable != UE_FIELD_OK && myFileStatusInfo->TLSTable != UE_FIELD_NOT_PRESET) - { - if(PEHeader64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_TLS && PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress != NULL) - { - if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress > CorrectedImageSize || PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size > CorrectedImageSize) - { - myFileFixInfo->StrippedTLS = true; - myFileFixInfo->OriginalTLSTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress; - myFileFixInfo->OriginalTLSTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = NULL; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = NULL; - } - else - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) - { - myFileFixInfo->StrippedTLS = true; - myFileFixInfo->OriginalTLSTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress; - myFileFixInfo->OriginalTLSTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = NULL; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = NULL; - } - else - { - FeatureFixed = true; - PETls64 = (PIMAGE_TLS_DIRECTORY64)ConvertedAddress; - if(PETls64->StartAddressOfRawData != NULL && (PETls64->StartAddressOfRawData < (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase || PETls64->StartAddressOfRawData > CorrectedImageSize + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase)) - { - FeatureFixed = false; - } - else if(PETls64->EndAddressOfRawData != NULL && (PETls64->EndAddressOfRawData < (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase || PETls64->EndAddressOfRawData > CorrectedImageSize + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase)) - { - FeatureFixed = false; - } - else if(PETls64->AddressOfIndex != NULL && (PETls64->AddressOfIndex < (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase || PETls64->AddressOfIndex > CorrectedImageSize + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase)) - { - FeatureFixed = false; - } - else if(PETls64->AddressOfCallBacks != NULL && (PETls64->AddressOfCallBacks < (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase || PETls64->AddressOfCallBacks > CorrectedImageSize + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase)) - { - FeatureFixed = false; - } - if(!FeatureFixed) - { - myFileFixInfo->StrippedTLS = true; - myFileFixInfo->OriginalTLSTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress; - myFileFixInfo->OriginalTLSTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = NULL; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = NULL; - } - else - { - if(PETls64->AddressOfCallBacks != NULL) - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, (ULONG_PTR)PETls64->AddressOfCallBacks + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress != NULL) - { - while(ReadData != NULL) - { - RtlMoveMemory(&ReadDataQWORD, (LPVOID)ConvertedAddress, 8); - if(ReadDataQWORD < (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase || ReadDataQWORD > CorrectedImageSize + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase) - { - RtlZeroMemory((LPVOID)ConvertedAddress, 8); - } - ConvertedAddress = ConvertedAddress + 8; - } - } - } - } - } - } - } - } - /* - Fix Load config table - */ - if(myFileFixInfo->DontFixLoadConfig == false && myFileStatusInfo->LoadConfigTable != UE_FIELD_OK && myFileStatusInfo->LoadConfigTable != UE_FIELD_NOT_PRESET) - { - if(PEHeader64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG && PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress != NULL) - { - if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress > CorrectedImageSize || PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size > CorrectedImageSize) - { - myFileFixInfo->StrippedLoadConfig = true; - myFileFixInfo->OriginalLoadConfigTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress; - myFileFixInfo->OriginalLoadConfigTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress = NULL; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size = NULL; - } - else - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) - { - myFileFixInfo->StrippedLoadConfig = true; - myFileFixInfo->OriginalLoadConfigTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress; - myFileFixInfo->OriginalLoadConfigTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress = NULL; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size = NULL; - } - } - } - } - /* - Fix Bound import table - */ - if(myFileFixInfo->DontFixBoundImports == false && myFileStatusInfo->BoundImportTable != UE_FIELD_OK && myFileStatusInfo->BoundImportTable != UE_FIELD_NOT_PRESET) - { - if(PEHeader64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT && PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress != NULL) - { - if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress > CorrectedImageSize || PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size > CorrectedImageSize) - { - myFileFixInfo->StrippedBoundImports = true; - myFileFixInfo->OriginalBoundImportTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress; - myFileFixInfo->OriginalBoundImportTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress = NULL; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size = NULL; - } - else - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) - { - myFileFixInfo->StrippedBoundImports = true; - myFileFixInfo->OriginalBoundImportTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress; - myFileFixInfo->OriginalBoundImportTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress = NULL; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size = NULL; - } - } - } - } - /* - Fix IAT - */ - if(myFileFixInfo->DontFixIAT == false && myFileStatusInfo->IATTable != UE_FIELD_OK && myFileStatusInfo->IATTable != UE_FIELD_NOT_PRESET) - { - if(PEHeader64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_IAT && PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress != NULL) - { - if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress > CorrectedImageSize || PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].Size > CorrectedImageSize) - { - myFileFixInfo->StrippedIAT = true; - myFileFixInfo->OriginalImportAddressTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress; - myFileFixInfo->OriginalImportAddressTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].Size; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress = NULL; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size = NULL; - } - else - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) - { - myFileFixInfo->StrippedIAT = true; - myFileFixInfo->OriginalImportAddressTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress; - myFileFixInfo->OriginalImportAddressTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].Size; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress = NULL; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size = NULL; - } - } - } - } - /* - Fix COM header - */ - if(myFileFixInfo->DontFixCOM == false && myFileStatusInfo->COMHeaderTable != UE_FIELD_OK && myFileStatusInfo->COMHeaderTable != UE_FIELD_NOT_PRESET) - { - if(PEHeader64->OptionalHeader.NumberOfRvaAndSizes > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR && PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress != NULL) - { - if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress > CorrectedImageSize || PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].Size > CorrectedImageSize) - { - myFileFixInfo->StrippedCOM = true; - myFileFixInfo->OriginalCOMTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress; - myFileFixInfo->OriginalCOMTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].Size; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress = NULL; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].Size = NULL; - } - else - { - ConvertedAddress = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, NULL, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, false, true); - if(ConvertedAddress == NULL || ConvertedAddress - FileMapVA > FileSize) - { - myFileFixInfo->StrippedCOM = true; - myFileFixInfo->OriginalCOMTableAddress = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress; - myFileFixInfo->OriginalCOMTableSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].Size; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress = NULL; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].Size = NULL; - } - } - } - } - /* - Fix sections and SizeOfImage - */ - if(myFileStatusInfo->SectionTable != UE_FIELD_OK || myFileStatusInfo->SizeOfImage != UE_FIELD_OK) - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - NumberOfSections = PEHeader64->FileHeader.NumberOfSections; - while(NumberOfSections > NULL) - { - SectionVirtualSize = PESections->VirtualAddress + PESections->Misc.VirtualSize; - if(PESections->Misc.VirtualSize % PEHeader64->OptionalHeader.SectionAlignment == NULL) - { - SectionVirtualSizeFixed = SectionVirtualSize; - } - else - { - SectionVirtualSizeFixed = PESections->VirtualAddress + (((PESections->Misc.VirtualSize / PEHeader64->OptionalHeader.SectionAlignment) + 1) * PEHeader64->OptionalHeader.SectionAlignment); - } - if(NumberOfSections > 1) - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + sizeof IMAGE_SECTION_HEADER); - if(SectionVirtualSize > PESections->VirtualAddress || SectionVirtualSizeFixed > PESections->VirtualAddress) - { - PESections->Misc.VirtualSize = SectionVirtualSizeFixed; - } - } - NumberOfSections--; - } - if(PESections->PointerToRawData + PESections->SizeOfRawData > FileSize && PESections->SizeOfRawData != NULL) - { - PESections->SizeOfRawData = FileSize - PESections->PointerToRawData; - } - if(myFileStatusInfo->SizeOfImage != UE_FIELD_OK) - { - SectionVirtualSizeFixed = SectionVirtualSizeFixed + 0xF000; - if(PEHeader64->OptionalHeader.SizeOfImage > SectionVirtualSizeFixed) - { - PEHeader64->OptionalHeader.SizeOfImage = SectionVirtualSizeFixed - 0xF000; - } - } - } - /* - Entry point check - */ - if(myFileStatusInfo->EntryPoint != UE_FIELD_OK) - { - SectionNumber = GetPE32SectionNumberFromVA(FileMapVA, PEHeader64->OptionalHeader.AddressOfEntryPoint + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase); - if(SectionNumber != -1) - { - SectionAttributes = (DWORD)GetPE32DataFromMappedFile(FileMapVA, SectionNumber, UE_SECTIONFLAGS); - if(SectionAttributes & IMAGE_SCN_MEM_EXECUTE || SectionAttributes & IMAGE_SCN_CNT_CODE) - { - // Should never execute - } - else - { - if(!SetPE32DataForMappedFile(FileMapVA, SectionNumber, UE_SECTIONFLAGS, 0xE0000020)) - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(false); - } - } - } - } - /* - Fix end - */ - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - if(FileFixed) - { - myFileFixInfo->OveralEvaluation = UE_RESULT_FILE_OK; - myFileFixInfo->FileFixPerformed = FileFixed; - } - return(true); - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - myFileFixInfo->FixingTerminatedByException = true; - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(false); - } - } - } - else - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(false); - } - } - } - else if(myFileFixInfo->FileFixPerformed) - { - if(MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) - { - DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; - if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true)) - { - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - if(PEHeader32->Signature == 0x4550 && PEHeader32->OptionalHeader.Magic == 0x10B) - { - FileIs64 = false; - } - else if(PEHeader32->Signature == 0x4550 && PEHeader32->OptionalHeader.Magic == 0x20B) - { - FileIs64 = true; - } - else - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(false); - } - if(!FileIs64) - { - if(myFileFixInfo->StrippedRelocation) - { - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = myFileFixInfo->OriginalRelocationTableAddress; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = myFileFixInfo->OriginalRelocationTableSize; - } - if(myFileFixInfo->StrippedExports) - { - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress = myFileFixInfo->OriginalExportTableAddress; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size = myFileFixInfo->OriginalExportTableSize; - } - if(myFileFixInfo->StrippedResources) - { - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress = myFileFixInfo->OriginalResourceTableAddress; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size = myFileFixInfo->OriginalResourceTableSize; - } - if(myFileFixInfo->StrippedTLS) - { - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = myFileFixInfo->OriginalTLSTableAddress; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = myFileFixInfo->OriginalTLSTableSize; - } - if(myFileFixInfo->StrippedLoadConfig) - { - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress = myFileFixInfo->OriginalLoadConfigTableAddress; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size = myFileFixInfo->OriginalLoadConfigTableSize; - } - if(myFileFixInfo->StrippedBoundImports) - { - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress = myFileFixInfo->OriginalBoundImportTableAddress; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size = myFileFixInfo->OriginalBoundImportTableSize; - } - if(myFileFixInfo->StrippedIAT) - { - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress = myFileFixInfo->OriginalImportAddressTableAddress; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].Size = myFileFixInfo->OriginalImportAddressTableSize; - } - if(myFileFixInfo->StrippedCOM) - { - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress = myFileFixInfo->OriginalCOMTableAddress; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].Size = myFileFixInfo->OriginalCOMTableSize; - } - } - else - { - if(myFileFixInfo->StrippedRelocation) - { - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = myFileFixInfo->OriginalRelocationTableAddress; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = myFileFixInfo->OriginalRelocationTableSize; - } - if(myFileFixInfo->StrippedExports) - { - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress = myFileFixInfo->OriginalExportTableAddress; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size = myFileFixInfo->OriginalExportTableSize; - } - if(myFileFixInfo->StrippedResources) - { - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].VirtualAddress = myFileFixInfo->OriginalResourceTableAddress; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_RESOURCE].Size = myFileFixInfo->OriginalResourceTableSize; - } - if(myFileFixInfo->StrippedTLS) - { - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress = myFileFixInfo->OriginalTLSTableAddress; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].Size = myFileFixInfo->OriginalTLSTableSize; - } - if(myFileFixInfo->StrippedLoadConfig) - { - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].VirtualAddress = myFileFixInfo->OriginalLoadConfigTableAddress; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size = myFileFixInfo->OriginalLoadConfigTableSize; - } - if(myFileFixInfo->StrippedBoundImports) - { - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].VirtualAddress = myFileFixInfo->OriginalBoundImportTableAddress; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT].Size = myFileFixInfo->OriginalBoundImportTableSize; - } - if(myFileFixInfo->StrippedIAT) - { - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].VirtualAddress = myFileFixInfo->OriginalImportAddressTableAddress; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IAT].Size = myFileFixInfo->OriginalImportAddressTableSize; - } - if(myFileFixInfo->StrippedCOM) - { - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress = myFileFixInfo->OriginalCOMTableAddress; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].Size = myFileFixInfo->OriginalCOMTableSize; - } - } - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(true); - } - } - } - return(false); -} -__declspec(dllexport) bool TITCALL IsFileDLL(char* szFileName, ULONG_PTR FileMapVA) -{ - - if(szFileName != NULL) - { - if((DWORD)GetPE32Data(szFileName, NULL, UE_CHARACTERISTICS) & 0x2000) - { - return(true); - } - } - else if(FileMapVA != NULL) - { - if((DWORD)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_CHARACTERISTICS) & 0x2000) - { - return(true); - } - } - return(false); -} -__declspec(dllexport) bool TITCALL IsFileDLLW(wchar_t* szFileName, ULONG_PTR FileMapVA) -{ - - if(szFileName != NULL) - { - if((DWORD)GetPE32DataW(szFileName, NULL, UE_CHARACTERISTICS) & 0x2000) - { - return(true); - } - } - else if(FileMapVA != NULL) - { - if((DWORD)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_CHARACTERISTICS) & 0x2000) - { - return(true); - } - } - return(false); -} - -static bool isAtleastVista() -{ - static bool isAtleastVista=false; - static bool isSet=false; - if(isSet) - return isAtleastVista; - OSVERSIONINFO versionInfo= {0}; - versionInfo.dwOSVersionInfoSize=sizeof(OSVERSIONINFO); - GetVersionEx(&versionInfo); - isAtleastVista=versionInfo.dwMajorVersion >= 6; - isSet=true; - return isAtleastVista; -} - -// Global.Engine.Hider.functions: -bool ChangeHideDebuggerState(HANDLE hProcess, DWORD PatchAPILevel, bool Hide) -{ - static ULONG OldHeapFlags=0; - static ULONG OldForceFlag=0; - ULONG_PTR AddressOfPEB = NULL; - ULONG_PTR ueNumberOfBytesRead = NULL; - BYTE patchCheckRemoteDebuggerPresent[5] = {0x33, 0xC0, 0xC2, 0x08, 0x00}; - BYTE patchGetTickCount[3] = {0x33, 0xC0, 0xC3}; - MEMORY_BASIC_INFORMATION MemInfo; - ULONG_PTR APIPatchAddress = NULL; - DWORD OldProtect; - NTPEB myPEB = {}; - - if(hProcess != NULL) - { - AddressOfPEB = (ULONG_PTR)GetPEBLocation(hProcess); - if(ReadProcessMemory(hProcess, (void*)AddressOfPEB, (void*)&myPEB, sizeof NTPEB, &ueNumberOfBytesRead)) - { - if(Hide) - { - myPEB.BeingDebugged = false; - myPEB.NtGlobalFlag = NULL; - //Fix heap flags: https://github.com/eschweiler/ProReversing - BYTE* Heap=(BYTE*)myPEB.ProcessHeap; - - if(WriteProcessMemory(hProcess, (void*)AddressOfPEB, (void*)&myPEB, sizeof NTPEB, &ueNumberOfBytesRead)) - { - if(PatchAPILevel == UE_HIDE_BASIC) - { - APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"CheckRemoteDebuggerPresent"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS); - VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); - OldProtect = MemInfo.Protect; - VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, 5, PAGE_EXECUTE_READWRITE, &OldProtect); - WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), &patchCheckRemoteDebuggerPresent, 5, &ueNumberOfBytesRead); - - APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"GetTickCount"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS); - VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); - OldProtect = MemInfo.Protect; - VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, 3, PAGE_EXECUTE_READWRITE, &OldProtect); - WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), &patchGetTickCount, 3, &ueNumberOfBytesRead); - } - return(true); - } - else - { - return(false); - } - } - else - { - myPEB.BeingDebugged = true; - if(WriteProcessMemory(hProcess, (void*)AddressOfPEB, (void*)&myPEB, sizeof NTPEB, &ueNumberOfBytesRead)) - { - if(PatchAPILevel == UE_HIDE_BASIC) - { - APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"CheckRemoteDebuggerPresent"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS); - VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); - OldProtect = MemInfo.Protect; - VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, 5, PAGE_EXECUTE_READWRITE, &OldProtect); - WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), (void*)GetProcAddress(GetModuleHandleA("kernel32.dll"),"CheckRemoteDebuggerPresent"), 5, &ueNumberOfBytesRead); - - APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"GetTickCount"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS); - VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); - OldProtect = MemInfo.Protect; - VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, 3, PAGE_EXECUTE_READWRITE, &OldProtect); - WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), (void*)GetProcAddress(GetModuleHandleA("kernel32.dll"),"GetTickCount"), 3, &ueNumberOfBytesRead); - } - return(true); - } - else - { - return(false); - } - } - } - else - { - return(false); - } - } - else - { - return(false); - } - return(false); -} -// TitanEngine.Hider.functions: -__declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess) -{ - - ULONG RequiredLen = NULL; - PPROCESS_BASIC_INFORMATION myProcessBasicInformation = (PPROCESS_BASIC_INFORMATION)VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); - if(!myProcessBasicInformation) - return 0; -#if !defined(_WIN64) - typedef NTSTATUS(WINAPI *fZwQueryInformationProcess)(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength); -#else - typedef NTSTATUS(__fastcall *fZwQueryInformationProcess)(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength); -#endif - LPVOID ZwQueryInformationProcess = (LPVOID)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwQueryInformationProcess"); - fZwQueryInformationProcess cZwQueryInformationProcess = (fZwQueryInformationProcess)(ZwQueryInformationProcess); - - if(cZwQueryInformationProcess != NULL) - { - if(cZwQueryInformationProcess(hProcess, ProcessBasicInformation, myProcessBasicInformation, sizeof PROCESS_BASIC_INFORMATION, &RequiredLen) == STATUS_SUCCESS) - { - return((void*)myProcessBasicInformation->PebBaseAddress); - } - else - { - if(cZwQueryInformationProcess(hProcess, ProcessBasicInformation, myProcessBasicInformation, RequiredLen, &RequiredLen) == STATUS_SUCCESS) - { - return((void*)myProcessBasicInformation->PebBaseAddress); - } - } - } - return(NULL); -} -__declspec(dllexport) bool TITCALL HideDebugger(HANDLE hProcess, DWORD PatchAPILevel) -{ - return(ChangeHideDebuggerState(hProcess, PatchAPILevel, true)); -} -__declspec(dllexport) bool TITCALL UnHideDebugger(HANDLE hProcess, DWORD PatchAPILevel) -{ - return(ChangeHideDebuggerState(hProcess, PatchAPILevel, false)); -} -// TitanEngine.Relocater.functions: -__declspec(dllexport) void TITCALL RelocaterCleanup() -{ - - if(RelocationData != NULL) - { - VirtualFree(RelocationData, NULL, MEM_RELEASE); - RelocationLastPage = NULL; - RelocationStartPosition = NULL; - RelocationWritePosition = NULL; - RelocationOldImageBase = NULL; - RelocationNewImageBase = NULL; - } -} -__declspec(dllexport) void TITCALL RelocaterInit(DWORD MemorySize, ULONG_PTR OldImageBase, ULONG_PTR NewImageBase) -{ - - if(RelocationData != NULL) - { - VirtualFree(RelocationData, NULL, MEM_RELEASE); - } - RelocationData = VirtualAlloc(NULL, MemorySize, MEM_COMMIT, PAGE_READWRITE); - RelocationLastPage = NULL; - RelocationStartPosition = RelocationData; - RelocationWritePosition = (LPVOID)((ULONG_PTR)RelocationData + 8); - RelocationOldImageBase = OldImageBase; - RelocationNewImageBase = NewImageBase; -} -__declspec(dllexport) void TITCALL RelocaterAddNewRelocation(HANDLE hProcess, ULONG_PTR RelocateAddress, DWORD RelocateState) -{ - - MEMORY_BASIC_INFORMATION MemInfo; - DWORD CompareDummy = NULL; - DWORD CopyDummy = NULL; - - VirtualQueryEx(hProcess, (LPVOID)RelocateAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); - if(MemInfo.BaseAddress != RelocationLastPage || RelocationLastPage == NULL) - { - RelocationLastPage = MemInfo.BaseAddress; - if(memcmp(RelocationStartPosition, &CompareDummy, 4) == NULL) - { - CopyDummy = (DWORD)((ULONG_PTR)MemInfo.BaseAddress - (ULONG_PTR)RelocationNewImageBase); - RtlMoveMemory(RelocationStartPosition, &CopyDummy, 4); - } - else - { - CopyDummy = (DWORD)((ULONG_PTR)RelocationWritePosition - (ULONG_PTR)RelocationStartPosition); - if(CopyDummy % 4 == NULL) - { - RtlMoveMemory((LPVOID)((ULONG_PTR)RelocationStartPosition + 4), &CopyDummy, 4); - } - else - { - RelocationWritePosition = (LPVOID)((ULONG_PTR)RelocationWritePosition + 2); - CopyDummy = (DWORD)((ULONG_PTR)RelocationWritePosition - (ULONG_PTR)RelocationStartPosition); - if(CopyDummy % 4 == NULL) - { - RtlMoveMemory((LPVOID)((ULONG_PTR)RelocationStartPosition + 4), &CopyDummy, 4); - } - else - { - RelocationWritePosition = (LPVOID)((ULONG_PTR)RelocationWritePosition + 2); - CopyDummy = (DWORD)((ULONG_PTR)RelocationWritePosition - (ULONG_PTR)RelocationStartPosition); - RtlMoveMemory((LPVOID)((ULONG_PTR)RelocationStartPosition + 4), &CopyDummy, 4); - } - } - RelocationStartPosition = RelocationWritePosition; - CopyDummy = (DWORD)((ULONG_PTR)RelocationLastPage - (ULONG_PTR)RelocationNewImageBase); - RtlMoveMemory(RelocationWritePosition, &CopyDummy, 4); - RelocationWritePosition = (LPVOID)((ULONG_PTR)RelocationWritePosition + 8); - } - } -#if !defined(_WIN64) - CopyDummy = (DWORD)((RelocateAddress - (ULONG_PTR)RelocationLastPage) ^ 0x3000); -#else - CopyDummy = (DWORD)((RelocateAddress - (ULONG_PTR)RelocationLastPage) ^ 0x8000); -#endif - RtlMoveMemory(RelocationWritePosition, &CopyDummy, 2); - RelocationWritePosition = (LPVOID)((ULONG_PTR)RelocationWritePosition + 2); -} -__declspec(dllexport) long TITCALL RelocaterEstimatedSize() -{ - return((DWORD)((ULONG_PTR)RelocationWritePosition - (ULONG_PTR)RelocationData + 8)); -} -__declspec(dllexport) bool TITCALL RelocaterExportRelocation(ULONG_PTR StorePlace, DWORD StorePlaceRVA, ULONG_PTR FileMapVA) -{ - - PIMAGE_DOS_HEADER DOSHeader; - PIMAGE_NT_HEADERS32 PEHeader32; - PIMAGE_NT_HEADERS64 PEHeader64; - BOOL FileIs64 = false; - DWORD CopyDummy = NULL; - - __try - { - if((ULONG_PTR)RelocationStartPosition != -1) - { - CopyDummy = (DWORD)((ULONG_PTR)RelocationWritePosition - (ULONG_PTR)RelocationStartPosition); - if(CopyDummy % 4 == NULL) - { - RtlMoveMemory((LPVOID)((ULONG_PTR)RelocationStartPosition + 4), &CopyDummy, 4); - } - else - { - RelocationWritePosition = (LPVOID)((ULONG_PTR)RelocationWritePosition + 2); - CopyDummy = (DWORD)((ULONG_PTR)RelocationWritePosition - (ULONG_PTR)RelocationStartPosition); - if(CopyDummy % 4 == NULL) - { - RtlMoveMemory((LPVOID)((ULONG_PTR)RelocationStartPosition + 4), &CopyDummy, 4); - } - else - { - RelocationWritePosition = (LPVOID)((ULONG_PTR)RelocationWritePosition + 2); - CopyDummy = (DWORD)((ULONG_PTR)RelocationWritePosition - (ULONG_PTR)RelocationStartPosition); - RtlMoveMemory((LPVOID)((ULONG_PTR)RelocationStartPosition + 4), &CopyDummy, 4); - } - } - } - RtlMoveMemory((LPVOID)StorePlace, RelocationData, (DWORD)((ULONG_PTR)RelocationWritePosition - (ULONG_PTR)RelocationData)); - VirtualFree(RelocationData, NULL, MEM_RELEASE); - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - return(false); - } - - DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; - if(EngineValidateHeader(FileMapVA, NULL, NULL, DOSHeader, true)) - { - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - if(PEHeader32->OptionalHeader.Magic == 0x10B) - { - FileIs64 = false; - } - else if(PEHeader32->OptionalHeader.Magic == 0x20B) - { - FileIs64 = true; - } - else - { - RelocationData = NULL; - return(false); - } - if(!FileIs64) - { - PEHeader32->OptionalHeader.ImageBase = (DWORD)RelocationNewImageBase; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = StorePlaceRVA; - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = (DWORD)((ULONG_PTR)RelocationWritePosition - (ULONG_PTR)RelocationData); - } - else - { - PEHeader64->OptionalHeader.ImageBase = (ULONG_PTR)RelocationNewImageBase; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress = StorePlaceRVA; - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size = (DWORD)((ULONG_PTR)RelocationWritePosition - (ULONG_PTR)RelocationData); - } - RelocationData = NULL; - return(true); - } - RelocationData = NULL; - return(false); -} -__declspec(dllexport) bool TITCALL RelocaterExportRelocationEx(char* szFileName, char* szSectionName) -{ - - wchar_t uniFileName[MAX_PATH] = {}; - - if(szFileName != NULL) - { - MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); - return(RelocaterExportRelocationExW(uniFileName, szSectionName)); - } - else - { - return(false); - } -} -__declspec(dllexport) bool TITCALL RelocaterExportRelocationExW(wchar_t* szFileName, char* szSectionName) -{ - - HANDLE FileHandle; - DWORD FileSize; - HANDLE FileMap; - ULONG_PTR FileMapVA; - DWORD NewSectionVO = NULL; - DWORD NewSectionFO = NULL; - bool ReturnValue = false; - - if(RelocaterEstimatedSize() > NULL) - { - NewSectionVO = AddNewSectionW(szFileName, szSectionName, RelocaterEstimatedSize()); - if(MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) - { - NewSectionFO = (DWORD)ConvertVAtoFileOffset(FileMapVA, NewSectionVO + (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_IMAGEBASE), true); - ReturnValue = RelocaterExportRelocation(NewSectionFO, NewSectionVO, FileMapVA); - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - if(ReturnValue) - { - return(true); - } - else - { - return(false); - } - } - else - { - return(false); - } - } - else - { - return(false); - } -} -__declspec(dllexport) bool TITCALL RelocaterGrabRelocationTable(HANDLE hProcess, ULONG_PTR MemoryStart, DWORD MemorySize) -{ - - MEMORY_BASIC_INFORMATION MemInfo; - ULONG_PTR ueNumberOfBytesRead = NULL; - DWORD OldProtect; - - if(RelocationData != NULL) - { - VirtualQueryEx(hProcess, (LPVOID)MemoryStart, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); - OldProtect = MemInfo.Protect; - VirtualProtectEx(hProcess, (LPVOID)MemoryStart, MemorySize, PAGE_EXECUTE_READWRITE, &OldProtect); - if(ReadProcessMemory(hProcess, (LPVOID)MemoryStart, RelocationData, MemorySize, &ueNumberOfBytesRead)) - { - RelocationWritePosition = (LPVOID)((ULONG_PTR)RelocationData + MemorySize); - RelocationStartPosition = (LPVOID)(-1); - return(true); - } - } - return(false); -} -__declspec(dllexport) bool TITCALL RelocaterGrabRelocationTableEx(HANDLE hProcess, ULONG_PTR MemoryStart, ULONG_PTR MemorySize, DWORD NtSizeOfImage) -{ - - MEMORY_BASIC_INFORMATION MemInfo; - LPVOID ReadMemoryStorage = NULL; - LPVOID mReadMemoryStorage = NULL; - ULONG_PTR ueNumberOfBytesRead = NULL; - DWORD CompareDummy = NULL; - DWORD RelocationBase = NULL; - DWORD RelocationSize = NULL; - DWORD OldProtect; - - if(RelocationData != NULL) - { - VirtualQueryEx(hProcess, (LPVOID)MemoryStart, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); - OldProtect = MemInfo.Protect; - VirtualQueryEx(hProcess, (LPVOID)MemInfo.BaseAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); - if(MemInfo.RegionSize < MemorySize || MemorySize == NULL) - { - MemorySize = MemInfo.RegionSize; - } - VirtualProtectEx(hProcess, (LPVOID)MemoryStart, MemorySize, PAGE_EXECUTE_READWRITE, &OldProtect); - ReadMemoryStorage = VirtualAlloc(NULL, MemorySize, MEM_COMMIT, PAGE_READWRITE); - mReadMemoryStorage = ReadMemoryStorage; - if(ReadProcessMemory(hProcess, (LPVOID)MemoryStart, ReadMemoryStorage, MemorySize, &ueNumberOfBytesRead)) - { - RtlMoveMemory(&RelocationBase, ReadMemoryStorage, 4); - RtlMoveMemory(&RelocationSize, (LPVOID)((ULONG_PTR)ReadMemoryStorage + 4), 4); - while(memcmp(ReadMemoryStorage, &CompareDummy, 4) != NULL && RelocationBase < NtSizeOfImage && RelocationSize < 0x2000) - { - ReadMemoryStorage = (LPVOID)((ULONG_PTR)ReadMemoryStorage + RelocationSize); - RtlMoveMemory(&RelocationBase, ReadMemoryStorage, 4); - RtlMoveMemory(&RelocationSize, (LPVOID)((ULONG_PTR)ReadMemoryStorage + 4), 4); - } - VirtualFree(mReadMemoryStorage, NULL, MEM_RELEASE); - return(RelocaterGrabRelocationTable(hProcess, MemoryStart, (DWORD)((ULONG_PTR)ReadMemoryStorage - (ULONG_PTR)mReadMemoryStorage))); - } - else - { - VirtualFree(ReadMemoryStorage, NULL, MEM_RELEASE); - return(false); - } - } - return(false); -} - -__declspec(dllexport) bool TITCALL RelocaterMakeSnapshot(HANDLE hProcess, char* szSaveFileName, LPVOID MemoryStart, ULONG_PTR MemorySize) -{ - return(DumpMemory(hProcess, MemoryStart, MemorySize, szSaveFileName)); -} -__declspec(dllexport) bool TITCALL RelocaterMakeSnapshotW(HANDLE hProcess, wchar_t* szSaveFileName, LPVOID MemoryStart, ULONG_PTR MemorySize) -{ - return(DumpMemoryW(hProcess, MemoryStart, MemorySize, szSaveFileName)); -} -__declspec(dllexport) bool TITCALL RelocaterCompareTwoSnapshots(HANDLE hProcess, ULONG_PTR LoadedImageBase, ULONG_PTR NtSizeOfImage, char* szDumpFile1, char* szDumpFile2, ULONG_PTR MemStart) -{ - - wchar_t uniDumpFile1[MAX_PATH] = {}; - wchar_t uniDumpFile2[MAX_PATH] = {}; - - if(szDumpFile1 != NULL && szDumpFile2 != NULL) - { - MultiByteToWideChar(CP_ACP, NULL, szDumpFile1, lstrlenA(szDumpFile1)+1, uniDumpFile1, sizeof(uniDumpFile1)/(sizeof(uniDumpFile1[0]))); - MultiByteToWideChar(CP_ACP, NULL, szDumpFile2, lstrlenA(szDumpFile2)+1, uniDumpFile2, sizeof(uniDumpFile2)/(sizeof(uniDumpFile2[0]))); - return(RelocaterCompareTwoSnapshotsW(hProcess, LoadedImageBase, NtSizeOfImage, uniDumpFile1, uniDumpFile2, MemStart)); - } - else - { - return(false); - } -} -__declspec(dllexport) bool TITCALL RelocaterCompareTwoSnapshotsW(HANDLE hProcess, ULONG_PTR LoadedImageBase, ULONG_PTR NtSizeOfImage, wchar_t* szDumpFile1, wchar_t* szDumpFile2, ULONG_PTR MemStart) -{ - - int i = NULL; - ULONG_PTR DeltaByte = NULL; - int RelativeBase = NULL; - ULONG_PTR ReadData = NULL; - HANDLE FileHandle1; - DWORD FileSize1; - HANDLE FileMap1; - ULONG_PTR FileMapVA1; - HANDLE FileHandle2; - DWORD FileSize2; - HANDLE FileMap2; - ULONG_PTR FileMapVA2; - DWORD SearchSize; - LPVOID Search1; - LPVOID Search2; - DWORD bkSearchSize; - LPVOID bkSearch1; - LPVOID bkSearch2; - - if(MapFileExW(szDumpFile1, UE_ACCESS_READ, &FileHandle1, &FileSize1, &FileMap1, &FileMapVA1, NULL)) - { - if(MapFileExW(szDumpFile2, UE_ACCESS_READ, &FileHandle2, &FileSize2, &FileMap2, &FileMapVA2, NULL)) - { - if(RelocationOldImageBase != NULL && RelocationNewImageBase != NULL && RelocationOldImageBase != RelocationNewImageBase) - { - __try - { - if(RelocationOldImageBase > RelocationNewImageBase) - { - DeltaByte = (ULONG_PTR)((ULONG_PTR)RelocationOldImageBase - (ULONG_PTR)RelocationNewImageBase); - } - else - { - DeltaByte = (ULONG_PTR)((ULONG_PTR)RelocationNewImageBase - (ULONG_PTR)RelocationOldImageBase); - } - while((BYTE)DeltaByte == NULL) - { - DeltaByte = DeltaByte / 0x10; - i++; - } - DeltaByte = i - 1; - Search1 = (LPVOID)FileMapVA1; - Search2 = (LPVOID)FileMapVA2; - NtSizeOfImage = NtSizeOfImage + LoadedImageBase; - SearchSize = FileSize2; - SearchSize--; - while((int)SearchSize > NULL) - { - if(memcmp(Search1, Search2, 1) != 0) - { - i = sizeof HANDLE; - RelativeBase = NULL; - bkSearch1 = Search1; - bkSearch2 = Search2; - bkSearchSize = SearchSize; - if(Search1 >= (void*)((ULONG_PTR)FileMapVA1 + DeltaByte)) - { - Search1 = (LPVOID)((ULONG_PTR)Search1 - DeltaByte); - Search2 = (LPVOID)((ULONG_PTR)Search2 - DeltaByte); - SearchSize = SearchSize + (DWORD)DeltaByte; - } - while(i > NULL && RelativeBase == NULL) - { - RtlMoveMemory(&ReadData, Search2, sizeof HANDLE); - if(ReadData >= LoadedImageBase && ReadData <= NtSizeOfImage) - { - RelativeBase++; - } - else - { - Search1 = (LPVOID)((ULONG_PTR)Search1 + 1); - Search2 = (LPVOID)((ULONG_PTR)Search2 + 1); - SearchSize = SearchSize - 1; - i--; - } - } - if(RelativeBase == NULL) - { - Search1 = bkSearch1; - Search2 = bkSearch2; - SearchSize = bkSearchSize; - } - else - { - RelocaterAddNewRelocation(hProcess, MemStart + ((ULONG_PTR)Search2 - (ULONG_PTR)FileMapVA2), NULL); - Search1 = (LPVOID)((ULONG_PTR)Search1 + sizeof HANDLE - 1); - Search2 = (LPVOID)((ULONG_PTR)Search2 + sizeof HANDLE - 1); - SearchSize = SearchSize - sizeof HANDLE + 1; - } - } - Search1 = (LPVOID)((ULONG_PTR)Search1 + 1); - Search2 = (LPVOID)((ULONG_PTR)Search2 + 1); - SearchSize = SearchSize - 1; - } - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - RelocaterCleanup(); - UnMapFileEx(FileHandle2, FileSize2, FileMap2, FileMapVA2); - UnMapFileEx(FileHandle1, FileSize1, FileMap1, FileMapVA1); - return(false); - } - } - UnMapFileEx(FileHandle2, FileSize2, FileMap2, FileMapVA2); - } - UnMapFileEx(FileHandle1, FileSize1, FileMap1, FileMapVA1); - return(true); - } - return(false); -} -__declspec(dllexport) bool TITCALL RelocaterChangeFileBase(char* szFileName, ULONG_PTR NewImageBase) -{ - - wchar_t uniFileName[MAX_PATH] = {}; - - if(szFileName != NULL) - { - MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); - return(RelocaterChangeFileBaseW(uniFileName, NewImageBase)); - } - else - { - return(false); - } -} -__declspec(dllexport) bool TITCALL RelocaterChangeFileBaseW(wchar_t* szFileName, ULONG_PTR NewImageBase) -{ - - DWORD RelocSize; - ULONG_PTR RelocData; - PIMAGE_DOS_HEADER DOSHeader; - PIMAGE_NT_HEADERS32 PEHeader32; - PIMAGE_NT_HEADERS64 PEHeader64; - BOOL FileIs64; - HANDLE FileHandle; - DWORD FileSize; - HANDLE FileMap; - ULONG_PTR FileMapVA; - DWORD CompareDummy = NULL; - DWORD RelocDelta = NULL; - DWORD RelocDeltaSize = NULL; - WORD RelocAddressData = NULL; - ULONG_PTR RelocWriteAddress = NULL; - ULONG_PTR RelocWriteData = NULL; - DWORD64 RelocWriteData64 = NULL; - wchar_t szBackupFile[MAX_PATH] = {}; - wchar_t szBackupItem[MAX_PATH] = {}; - - if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof szBackupItem)) - { - if(!FillGarbageItem(szBackupItem, szFileName, &szBackupFile, sizeof szBackupItem)) - { - RtlZeroMemory(&szBackupItem, sizeof szBackupItem); - lstrcpyW(szBackupFile, szFileName); - } - } - else - { - RtlZeroMemory(&szBackupItem, sizeof szBackupItem); - lstrcpyW(szBackupFile, szFileName); - } - if(MapFileExW(szBackupFile, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) - { - DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; - if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true)) - { - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - if(PEHeader32->OptionalHeader.Magic == 0x10B) - { - FileIs64 = false; - } - else if(PEHeader32->OptionalHeader.Magic == 0x20B) - { - FileIs64 = true; - } - else - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(false); - } - if(!FileIs64) - { - if(PEHeader32->OptionalHeader.ImageBase == (DWORD)NewImageBase) - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(true); - } - RelocData = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + PEHeader32->OptionalHeader.ImageBase), true); - RelocSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; - } - else - { - if((ULONG_PTR)PEHeader64->OptionalHeader.ImageBase == NewImageBase) - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(true); - } - RelocData = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + PEHeader64->OptionalHeader.ImageBase), true); - RelocSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; - } - __try - { - while(memcmp((LPVOID)RelocData, &CompareDummy, 4)) - { - RtlMoveMemory(&RelocDelta, (LPVOID)RelocData, 4); - RtlMoveMemory(&RelocDeltaSize, (LPVOID)((ULONG_PTR)RelocData + 4), 4); - RelocDeltaSize = RelocDeltaSize - 8; - RelocData = RelocData + 8; - while(RelocDeltaSize > NULL) - { - RtlMoveMemory(&RelocAddressData, (LPVOID)RelocData, 2); - if(RelocAddressData != NULL) - { - if(RelocAddressData & 0x8000) - { - RelocAddressData = RelocAddressData ^ 0x8000; - RelocWriteAddress = (ULONG_PTR)(RelocAddressData + RelocDelta); - RelocWriteAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)((DWORD64)PEHeader64->OptionalHeader.ImageBase + RelocWriteAddress), true); - RtlMoveMemory(&RelocWriteData64, (LPVOID)RelocWriteAddress, 8); - RelocWriteData64 = RelocWriteData64 - (DWORD64)PEHeader64->OptionalHeader.ImageBase + (DWORD64)NewImageBase; - RtlMoveMemory((LPVOID)RelocWriteAddress, &RelocWriteData64, 8); - } - else if(RelocAddressData & 0x3000) - { - RelocAddressData = RelocAddressData ^ 0x3000; - RelocWriteAddress = (ULONG_PTR)(RelocAddressData + RelocDelta); - RelocWriteAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, PEHeader32->OptionalHeader.ImageBase + RelocWriteAddress, true); - RtlMoveMemory(&RelocWriteData, (LPVOID)RelocWriteAddress, 4); - RelocWriteData = RelocWriteData - PEHeader32->OptionalHeader.ImageBase + NewImageBase; - RtlMoveMemory((LPVOID)RelocWriteAddress, &RelocWriteData, 4); - } - } - RelocDeltaSize = RelocDeltaSize - 2; - RelocData = RelocData + 2; - } - } - if(!FileIs64) - { - PEHeader32->OptionalHeader.ImageBase = (DWORD)NewImageBase; - } - else - { - PEHeader64->OptionalHeader.ImageBase = (ULONG_PTR)NewImageBase; - } - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - if(szBackupItem[0] != NULL) - { - if(CopyFileW(szBackupFile, szFileName, false)) - { - RemoveGarbageItem(szBackupItem, true); - return(true); - } - else - { - RemoveGarbageItem(szBackupItem, true); - return(false); - } - } - else - { - return(true); - } - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(false); - } - } - else - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - RemoveGarbageItem(szBackupItem, true); - return(false); - } - } - RemoveGarbageItem(szBackupItem, true); - return(false); -} -__declspec(dllexport) bool TITCALL RelocaterRelocateMemoryBlock(ULONG_PTR FileMapVA, ULONG_PTR MemoryLocation, void* RelocateMemory, DWORD RelocateMemorySize, ULONG_PTR CurrentLoadedBase, ULONG_PTR RelocateBase) -{ - - BOOL FileIs64; - DWORD RelocSize; - ULONG_PTR RelocData; - PIMAGE_DOS_HEADER DOSHeader; - PIMAGE_NT_HEADERS32 PEHeader32; - PIMAGE_NT_HEADERS64 PEHeader64; - DWORD CompareDummy = NULL; - DWORD RelocDelta = NULL; - DWORD RelocDeltaSize = NULL; - WORD RelocAddressData = NULL; - ULONG_PTR RelocWriteAddress = NULL; - ULONG_PTR RelocWriteData = NULL; - DWORD64 RelocWriteData64 = NULL; - - DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; - MemoryLocation = MemoryLocation - CurrentLoadedBase; - if(EngineValidateHeader(FileMapVA, NULL, NULL, DOSHeader, true)) - { - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - if(PEHeader32->OptionalHeader.Magic == 0x10B) - { - FileIs64 = false; - } - else if(PEHeader32->OptionalHeader.Magic == 0x20B) - { - FileIs64 = true; - } - else - { - return(false); - } - if(!FileIs64) - { - if(PEHeader32->OptionalHeader.ImageBase == (DWORD)RelocateBase) - { - return(true); - } - RelocData = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + PEHeader32->OptionalHeader.ImageBase), true); - RelocSize = PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; - } - else - { - if((ULONG_PTR)PEHeader64->OptionalHeader.ImageBase == RelocateBase) - { - return(true); - } - RelocData = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + PEHeader64->OptionalHeader.ImageBase), true); - RelocSize = PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].Size; - } - __try - { - while(memcmp((LPVOID)RelocData, &CompareDummy, 4)) - { - RtlMoveMemory(&RelocDelta, (LPVOID)RelocData, 4); - RtlMoveMemory(&RelocDeltaSize, (LPVOID)((ULONG_PTR)RelocData + 4), 4); - RelocDeltaSize = RelocDeltaSize - 8; - RelocData = RelocData + 8; - while(RelocDeltaSize > NULL) - { - RtlMoveMemory(&RelocAddressData, (LPVOID)RelocData, 2); - if(RelocAddressData != NULL) - { - if(RelocAddressData & 0x8000) - { - RelocAddressData = RelocAddressData ^ 0x8000; - if(RelocAddressData >= MemoryLocation && RelocAddressData < MemoryLocation + RelocateMemorySize) - { - RelocWriteAddress = (ULONG_PTR)(RelocAddressData + RelocDelta - MemoryLocation + (ULONG_PTR)RelocateMemory); - RtlMoveMemory(&RelocWriteData64, (LPVOID)RelocWriteAddress, 8); - RelocWriteData64 = RelocWriteData64 - (DWORD64)PEHeader64->OptionalHeader.ImageBase + (DWORD64)RelocateBase; - RtlMoveMemory((LPVOID)RelocWriteAddress, &RelocWriteData64, 8); - } - } - else if(RelocAddressData & 0x3000) - { - RelocAddressData = RelocAddressData ^ 0x3000; - if(RelocAddressData >= MemoryLocation && RelocAddressData < MemoryLocation + RelocateMemorySize) - { - RelocWriteAddress = (ULONG_PTR)(RelocAddressData + RelocDelta - MemoryLocation + (ULONG_PTR)RelocateMemory); - RtlMoveMemory(&RelocWriteData, (LPVOID)RelocWriteAddress, 4); - RelocWriteData = RelocWriteData - PEHeader32->OptionalHeader.ImageBase + RelocateBase; - RtlMoveMemory((LPVOID)RelocWriteAddress, &RelocWriteData, 4); - } - } - } - RelocDeltaSize = RelocDeltaSize - 2; - RelocData = RelocData + 2; - } - } - return(true); - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - return(false); - } - } - else - { - return(false); - } - return(false); -} -__declspec(dllexport) bool TITCALL RelocaterWipeRelocationTable(char* szFileName) -{ - - wchar_t uniFileName[MAX_PATH] = {}; - - if(szFileName != NULL) - { - MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); - return(RelocaterWipeRelocationTableW(uniFileName)); - } - else - { - return(false); - } -} -__declspec(dllexport) bool TITCALL RelocaterWipeRelocationTableW(wchar_t* szFileName) -{ - - PIMAGE_DOS_HEADER DOSHeader; - PIMAGE_NT_HEADERS32 PEHeader32; - PIMAGE_NT_HEADERS64 PEHeader64; - DWORD WipeSectionNumber = NULL; - ULONG_PTR Characteristics; - BOOL FileIs64; - HANDLE FileHandle; - DWORD FileSize; - HANDLE FileMap; - ULONG_PTR FileMapVA; - - if(MapFileExW(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) - { - DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; - if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true)) - { - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - if(PEHeader32->OptionalHeader.Magic == 0x10B) - { - FileIs64 = false; - } - else if(PEHeader32->OptionalHeader.Magic == 0x20B) - { - FileIs64 = true; - } - else - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(false); - } - if(!FileIs64) - { - if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != NULL) - { - Characteristics = (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_CHARACTERISTICS) ^ 1; - SetPE32DataForMappedFile(FileMapVA, NULL, UE_CHARACTERISTICS, Characteristics); - WipeSectionNumber = GetPE32SectionNumberFromVA(FileMapVA, (ULONG_PTR)((ULONG_PTR)PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase)); - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(WipeSectionW(szFileName, (int)WipeSectionNumber, true)); - } - } - else - { - if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress != NULL) - { - Characteristics = (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_CHARACTERISTICS) ^ 1; - SetPE32DataForMappedFile(FileMapVA, NULL, UE_CHARACTERISTICS, Characteristics); - WipeSectionNumber = GetPE32SectionNumberFromVA(FileMapVA, (ULONG_PTR)((ULONG_PTR)PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress + (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase)); - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(WipeSectionW(szFileName, (int)WipeSectionNumber, true)); - } - } - } - } - return(false); -} -// TitanEngine.Resourcer.functions: -__declspec(dllexport) long long TITCALL ResourcerLoadFileForResourceUse(char* szFileName) -{ - return((ULONG_PTR)EngineSimulateNtLoader(szFileName)); -} -__declspec(dllexport) long long TITCALL ResourcerLoadFileForResourceUseW(wchar_t* szFileName) -{ - return((ULONG_PTR)EngineSimulateNtLoaderW(szFileName)); -} -__declspec(dllexport) bool TITCALL ResourcerFreeLoadedFile(LPVOID LoadedFileBase) -{ - if(VirtualFree(LoadedFileBase, NULL, MEM_RELEASE)) - { - return(true); - } - else - { - return(false); - } -} -__declspec(dllexport) bool TITCALL ResourcerExtractResourceFromFileEx(ULONG_PTR FileMapVA, char* szResourceType, char* szResourceName, char* szExtractedFileName) -{ - - HRSRC hResource; - HGLOBAL hResourceGlobal; - DWORD ResourceSize; - LPVOID ResourceData; - DWORD NumberOfBytesWritten; - HANDLE hFile; - - hResource = FindResourceA((HMODULE)FileMapVA, (LPCSTR)szResourceName, (LPCSTR)szResourceType); - if(hResource != NULL) - { - hResourceGlobal = LoadResource((HMODULE)FileMapVA, hResource); - if(hResourceGlobal != NULL) - { - ResourceSize = SizeofResource((HMODULE)FileMapVA, hResource); - ResourceData = LockResource(hResourceGlobal); - if(EngineCreatePathForFile(szExtractedFileName)) - { - hFile = CreateFileA(szExtractedFileName, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); - if(hFile != INVALID_HANDLE_VALUE) - { - WriteFile(hFile, ResourceData, ResourceSize, &NumberOfBytesWritten, NULL); - EngineCloseHandle(hFile); - } - else - { - return(false); - } - } - } - return(true); - } - return(false); -} -__declspec(dllexport) bool TITCALL ResourcerExtractResourceFromFile(char* szFileName, char* szResourceType, char* szResourceName, char* szExtractedFileName) -{ - - HANDLE FileHandle; - DWORD FileSize; - HANDLE FileMap; - ULONG_PTR FileMapVA; - bool bReturn; - - if(MapFileEx(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) - { - bReturn = ResourcerExtractResourceFromFileEx(FileMapVA, szResourceType, szResourceName, szExtractedFileName); - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - if(bReturn) - { - return(true); - } - } - return(false); -} -__declspec(dllexport) bool TITCALL ResourcerExtractResourceFromFileW(wchar_t* szFileName, char* szResourceType, char* szResourceName, char* szExtractedFileName) -{ - - HANDLE FileHandle; - DWORD FileSize; - HANDLE FileMap; - ULONG_PTR FileMapVA; - bool bReturn; - - if(MapFileExW(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) - { - bReturn = ResourcerExtractResourceFromFileEx(FileMapVA, szResourceType, szResourceName, szExtractedFileName); - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - if(bReturn) - { - return(true); - } - } - return(false); -} -__declspec(dllexport) bool TITCALL ResourcerFindResource(char* szFileName, char* szResourceType, DWORD ResourceType, char* szResourceName, DWORD ResourceName, DWORD ResourceLanguage, PULONG_PTR pResourceData, LPDWORD pResourceSize) -{ - - wchar_t uniFileName[MAX_PATH] = {}; - wchar_t* PtrResourceType = NULL; - wchar_t uniResourceType[MAX_PATH] = {}; - wchar_t* PtrResourceName = NULL; - wchar_t uniResourceName[MAX_PATH] = {}; - - if(szFileName != NULL) - { - MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); - if(szResourceName != NULL) - { - MultiByteToWideChar(CP_ACP, NULL, szResourceName, lstrlenA(szResourceName)+1, uniResourceName, sizeof(uniResourceName)/(sizeof(uniResourceName[0]))); - } - else - { - PtrResourceType = &uniResourceType[0]; - } - if(szResourceType != NULL) - { - MultiByteToWideChar(CP_ACP, NULL, szResourceType, lstrlenA(szResourceType)+1, uniResourceType, sizeof(uniResourceType)/(sizeof(uniResourceType[0]))); - } - else - { - PtrResourceName = &uniResourceName[0]; - } - return(ResourcerFindResourceW(uniFileName, PtrResourceType, ResourceType, PtrResourceName, ResourceName, ResourceLanguage, pResourceData, pResourceSize)); - } - else - { - return(false); - } -} -__declspec(dllexport) bool TITCALL ResourcerFindResourceW(wchar_t* szFileName, wchar_t* szResourceType, DWORD ResourceType, wchar_t* szResourceName, DWORD ResourceName, DWORD ResourceLanguage, PULONG_PTR pResourceData, LPDWORD pResourceSize) -{ - - bool ReturnValue; - ULONG_PTR FileMapVA; - HANDLE FileHandle; - HANDLE FileMap; - DWORD FileSize; - - if(MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) - { - ReturnValue = ResourcerFindResourceEx(FileMapVA, FileSize, szResourceType, ResourceType, szResourceName, ResourceName, ResourceLanguage, pResourceData, pResourceSize); - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - if(ReturnValue) - { - return(true); - } - } - else - { - return(false); - } - return(false); -} -__declspec(dllexport) bool TITCALL ResourcerFindResourceEx(ULONG_PTR FileMapVA, DWORD FileSize, wchar_t* szResourceType, DWORD ResourceType, wchar_t* szResourceName, DWORD ResourceName, DWORD ResourceLanguage, PULONG_PTR pResourceData, LPDWORD pResourceSize) -{ - - int i,j,n; - wchar_t* uniResourceName; - wchar_t* uniResourceType; - PIMAGE_RESOURCE_DIRECTORY PEResource; - PIMAGE_RESOURCE_DIRECTORY PEResourcePtr; - PIMAGE_RESOURCE_DIRECTORY_ENTRY PEResourceDir; - PIMAGE_RESOURCE_DIRECTORY PESubResourcePtr1; - PIMAGE_RESOURCE_DIRECTORY_ENTRY PEResourceDir1; - PIMAGE_RESOURCE_DIRECTORY PESubResourcePtr2; - PIMAGE_RESOURCE_DIRECTORY_ENTRY PEResourceDir2; - PIMAGE_RESOURCE_DATA_ENTRY PEResourceItem; - - __try - { - if(FileMapVA != NULL && FileSize != NULL) - { - PEResource = (PIMAGE_RESOURCE_DIRECTORY)(ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_IMAGEBASE), (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_RESOURCETABLEADDRESS), true, true)); - if(PEResource != NULL) - { - PEResourceDir = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResource + sizeof IMAGE_RESOURCE_DIRECTORY); - i = PEResource->NumberOfIdEntries + PEResource->NumberOfNamedEntries; - PEResourcePtr = PEResource; - while(i > NULL) - { - PESubResourcePtr1 = (PIMAGE_RESOURCE_DIRECTORY)((ULONG_PTR)PEResourcePtr + (PEResourceDir->OffsetToData ^ IMAGE_RESOURCE_DATA_IS_DIRECTORY)); - PEResourceDir1 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PESubResourcePtr1 + sizeof IMAGE_RESOURCE_DIRECTORY); - j = PESubResourcePtr1->NumberOfIdEntries + PESubResourcePtr1->NumberOfNamedEntries; - uniResourceType = (wchar_t*)((ULONG_PTR)PEResourcePtr + PEResourceDir->NameOffset); - if(((bool)PEResourceDir->NameIsString == true && EngineCompareResourceString(uniResourceType, szResourceType) == true) || ((bool)PEResourceDir->NameIsString == false && PEResourceDir->Id == ResourceType)) - { - while(j > NULL) - { - PESubResourcePtr2 = (PIMAGE_RESOURCE_DIRECTORY)((ULONG_PTR)PEResourcePtr + (PEResourceDir1->OffsetToData ^ IMAGE_RESOURCE_DATA_IS_DIRECTORY)); - PEResourceDir2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PESubResourcePtr2 + sizeof IMAGE_RESOURCE_DIRECTORY); - n = PESubResourcePtr2->NumberOfIdEntries + PESubResourcePtr2->NumberOfNamedEntries; - uniResourceName = (wchar_t*)((ULONG_PTR)PEResourcePtr + PEResourceDir1->NameOffset); - if(((bool)PEResourceDir1->NameIsString == true && EngineCompareResourceString(uniResourceName, szResourceName) == true) || ((bool)PEResourceDir1->NameIsString == false && PEResourceDir1->Id == ResourceName)) - { - while(n > NULL) - { - PEResourceItem = (PIMAGE_RESOURCE_DATA_ENTRY)((ULONG_PTR)PEResourcePtr + PEResourceDir2->OffsetToData); - if(ResourceLanguage == UE_RESOURCE_LANGUAGE_ANY || ResourceLanguage == PEResourceDir2->Id) - { - *pResourceData = PEResourceItem->OffsetToData; - *pResourceSize = PEResourceItem->Size; - return(true); - } - PEResourceDir2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir2 + sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY); - n--; - } - } - else - { - PEResourceDir2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir2 + sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY * n); - } - PEResourceDir1 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir1 + sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY); - j--; - } - } - else - { - PEResourceDir1 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir1 + sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY * j); - } - PEResourceDir = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir + sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY); - i--; - } - } - } - else - { - return(false); - } - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - - } - return(false); -} -__declspec(dllexport) void TITCALL ResourcerEnumerateResource(char* szFileName, void* CallBack) -{ - - wchar_t uniFileName[MAX_PATH] = {}; - - if(szFileName != NULL) - { - MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); - ResourcerEnumerateResourceW(uniFileName, CallBack); - } -} -__declspec(dllexport) void TITCALL ResourcerEnumerateResourceW(wchar_t* szFileName, void* CallBack) -{ - - ULONG_PTR FileMapVA; - HANDLE FileHandle; - HANDLE FileMap; - DWORD FileSize; - - if(MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) - { - ResourcerEnumerateResourceEx(FileMapVA, FileSize, CallBack); - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - } -} -__declspec(dllexport) void TITCALL ResourcerEnumerateResourceEx(ULONG_PTR FileMapVA, DWORD FileSize, void* CallBack) -{ - - int i,j,n; - wchar_t* uniResourceName; - wchar_t* uniResourceType; - PIMAGE_RESOURCE_DIRECTORY PEResource; - PIMAGE_RESOURCE_DIRECTORY PEResourcePtr; - PIMAGE_RESOURCE_DIRECTORY_ENTRY PEResourceDir; - PIMAGE_RESOURCE_DIRECTORY PESubResourcePtr1; - PIMAGE_RESOURCE_DIRECTORY_ENTRY PEResourceDir1; - PIMAGE_RESOURCE_DIRECTORY PESubResourcePtr2; - PIMAGE_RESOURCE_DIRECTORY_ENTRY PEResourceDir2; - PIMAGE_RESOURCE_DATA_ENTRY PEResourceItem; - typedef bool(TITCALL *fResourceEnumerator)(wchar_t* szResourceType, DWORD ResourceType, wchar_t* szResourceName, DWORD ResourceName, DWORD ResourceLanguage, DWORD ResourceData, DWORD ResourceSize); - fResourceEnumerator myResourceEnumerator = (fResourceEnumerator)CallBack; - - __try - { - if(CallBack != NULL) - { - if(FileMapVA != NULL && FileSize != NULL) - { - PEResource = (PIMAGE_RESOURCE_DIRECTORY)(ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_IMAGEBASE), (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_RESOURCETABLEADDRESS), true, true)); - if(PEResource != NULL) - { - PEResourceDir = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResource + sizeof IMAGE_RESOURCE_DIRECTORY); - i = PEResource->NumberOfIdEntries + PEResource->NumberOfNamedEntries; - PEResourcePtr = PEResource; - while(i > NULL) - { - PESubResourcePtr1 = (PIMAGE_RESOURCE_DIRECTORY)((ULONG_PTR)PEResourcePtr + (PEResourceDir->OffsetToData ^ IMAGE_RESOURCE_DATA_IS_DIRECTORY)); - PEResourceDir1 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PESubResourcePtr1 + sizeof IMAGE_RESOURCE_DIRECTORY); - j = PESubResourcePtr1->NumberOfIdEntries + PESubResourcePtr1->NumberOfNamedEntries; - while(j > NULL) - { - PESubResourcePtr2 = (PIMAGE_RESOURCE_DIRECTORY)((ULONG_PTR)PEResourcePtr + (PEResourceDir1->OffsetToData ^ IMAGE_RESOURCE_DATA_IS_DIRECTORY)); - PEResourceDir2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PESubResourcePtr2 + sizeof IMAGE_RESOURCE_DIRECTORY); - n = PESubResourcePtr2->NumberOfIdEntries + PESubResourcePtr2->NumberOfNamedEntries; - while(n > NULL) - { - PEResourceItem = (PIMAGE_RESOURCE_DATA_ENTRY)((ULONG_PTR)PEResourcePtr + PEResourceDir2->OffsetToData); - if(PEResourceDir->NameIsString) - { - uniResourceType = (wchar_t*)((ULONG_PTR)PEResourcePtr + PEResourceDir->NameOffset); - } - else - { - uniResourceType = NULL; - } - if(PEResourceDir1->NameIsString) - { - uniResourceName = (wchar_t*)((ULONG_PTR)PEResourcePtr + PEResourceDir1->NameOffset); - } - else - { - uniResourceName = NULL; - } - if(!myResourceEnumerator(uniResourceType, PEResourceDir->Id, uniResourceName, PEResourceDir1->Id, PEResourceDir2->Id, PEResourceItem->OffsetToData, PEResourceItem->Size)) - { - return; - } - PEResourceDir2 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir2 + sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY); - n--; - } - PEResourceDir1 = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir1 + sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY); - j--; - } - PEResourceDir = (PIMAGE_RESOURCE_DIRECTORY_ENTRY)((ULONG_PTR)PEResourceDir + sizeof IMAGE_RESOURCE_DIRECTORY_ENTRY); - i--; - } - } - } - } - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - - } -} -// TitanEngine.Threader.functions: -__declspec(dllexport) bool TITCALL ThreaderImportRunningThreadData(DWORD ProcessId) -{ - - HANDLE hSnapShot; - THREADENTRY32 ThreadEntry = {}; - PTHREAD_ITEM_DATA hListThreadPtr = NULL; - - if(dbgProcessInformation.hProcess == NULL && ProcessId != NULL) - { - if(hListThread == NULL) - { - hListThread = VirtualAlloc(NULL, MAX_DEBUG_DATA * sizeof THREAD_ITEM_DATA, MEM_COMMIT, PAGE_READWRITE); - } - else - { - RtlZeroMemory(hListThread, MAX_DEBUG_DATA * sizeof THREAD_ITEM_DATA); - } - ThreadEntry.dwSize = sizeof THREADENTRY32; - hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread; - hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, ProcessId); - if(hSnapShot != INVALID_HANDLE_VALUE) - { - if(Thread32First(hSnapShot, &ThreadEntry)) - { - do - { - if(ThreadEntry.th32OwnerProcessID == ProcessId) - { - hListThreadPtr->dwThreadId = ThreadEntry.th32ThreadID; - hListThreadPtr->hThread = OpenThread(THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION|THREAD_SUSPEND_RESUME, false, hListThreadPtr->dwThreadId); - hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA); - } - } - while(Thread32Next(hSnapShot, &ThreadEntry)); - } - EngineCloseHandle(hSnapShot); - return(true); - } - } - return(false); -} -__declspec(dllexport) void* TITCALL ThreaderGetThreadInfo(HANDLE hThread, DWORD ThreadId) -{ - - PTHREAD_ITEM_DATA hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread; - - if(hListThreadPtr != NULL) - { - if(hThread != NULL) - { - while(hListThreadPtr->hThread != NULL && hListThreadPtr->hThread != hThread) - { - hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA); - } - if(hListThreadPtr->hThread == hThread) - { - return((void*)hListThreadPtr); - } - } - else if(ThreadId != NULL) - { - while(hListThreadPtr->hThread != NULL && hListThreadPtr->dwThreadId != ThreadId) - { - hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA); - } - if(hListThreadPtr->dwThreadId == ThreadId) - { - return((void*)hListThreadPtr); - } - } - } - return(NULL); -} -__declspec(dllexport) void TITCALL ThreaderEnumThreadInfo(void* EnumCallBack) -{ - - PTHREAD_ITEM_DATA hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread; - typedef void(TITCALL *fEnumCallBack)(LPVOID fThreadDetail); - fEnumCallBack myEnumCallBack = (fEnumCallBack)EnumCallBack; - - if(hListThreadPtr != NULL) - { - while(EnumCallBack != NULL && hListThreadPtr->hThread != NULL) - { - if(hListThreadPtr->hThread != NULL) - { - __try - { - myEnumCallBack((void*)hListThreadPtr); - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - EnumCallBack = NULL; - } - } - hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA); - } - } -} -__declspec(dllexport) bool TITCALL ThreaderPauseThread(HANDLE hThread) -{ - - PTHREAD_ITEM_DATA hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread; - - if(hListThreadPtr != NULL) - { - if(hThread != NULL) - { - while(hListThreadPtr->hThread != NULL && hListThreadPtr->hThread != hThread) - { - hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA); - } - if(hListThreadPtr->hThread == hThread) - { - if(SuspendThread(hThread) != -1) - { - return(true); - } - else - { - return(false); - } - } - else - { - return(false); - } - } - } - return(false); -} -__declspec(dllexport) bool TITCALL ThreaderResumeThread(HANDLE hThread) -{ - - PTHREAD_ITEM_DATA hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread; - - if(hListThreadPtr != NULL) - { - if(hThread != NULL) - { - while(hListThreadPtr->hThread != NULL && hListThreadPtr->hThread != hThread) - { - hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA); - } - if(hListThreadPtr->hThread == hThread) - { - if(ResumeThread(hThread) != -1) - { - return(true); - } - else - { - return(false); - } - } - else - { - return(false); - } - } - } - return(false); -} -__declspec(dllexport) bool TITCALL ThreaderTerminateThread(HANDLE hThread, DWORD ThreadExitCode) -{ - - PTHREAD_ITEM_DATA hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread; - - if(hListThreadPtr != NULL) - { - if(hThread != NULL) - { - while(hListThreadPtr->hThread != NULL && hListThreadPtr->hThread != hThread) - { - hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA); - } - if(hListThreadPtr->hThread == hThread) - { - if(TerminateThread(hThread, ThreadExitCode) != NULL) - { - hListThreadPtr->hThread = (HANDLE)-1; - hListThreadPtr->dwThreadId = NULL; - hListThreadPtr->ThreadLocalBase = NULL; - hListThreadPtr->ThreadStartAddress = NULL; - return(true); - } - else - { - return(false); - } - } - else - { - return(false); - } - } - } - return(false); -} -__declspec(dllexport) bool TITCALL ThreaderPauseAllThreads(bool LeaveMainRunning) -{ - - PTHREAD_ITEM_DATA hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread; - - if(hListThreadPtr != NULL) - { - while(hListThreadPtr->hThread != NULL) - { - if(LeaveMainRunning) - { - if(hListThreadPtr->hThread != dbgProcessInformation.hThread) - { - SuspendThread((HANDLE)hListThreadPtr->hThread); - } - } - else - { - SuspendThread(hListThreadPtr->hThread); - } - hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA); - } - return(true); - } - return(false); -} -__declspec(dllexport) bool TITCALL ThreaderResumeAllThreads(bool LeaveMainPaused) -{ - - PTHREAD_ITEM_DATA hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread; - - if(hListThreadPtr != NULL) - { - while(hListThreadPtr->hThread != NULL) - { - if(LeaveMainPaused) - { - if(hListThreadPtr->hThread != dbgProcessInformation.hThread) - { - ResumeThread(hListThreadPtr->hThread); - } - } - else - { - ResumeThread(hListThreadPtr->hThread); - } - hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA); - } - return(true); - } - return(false); -} -__declspec(dllexport) bool TITCALL ThreaderPauseProcess() -{ - return(ThreaderPauseAllThreads(false)); -} -__declspec(dllexport) bool TITCALL ThreaderResumeProcess() -{ - return(ThreaderResumeAllThreads(false)); -} -__declspec(dllexport) long long TITCALL ThreaderCreateRemoteThread(ULONG_PTR ThreadStartAddress, bool AutoCloseTheHandle, LPVOID ThreadPassParameter, LPDWORD ThreadId) -{ - - HANDLE myThread; - - if(dbgProcessInformation.hProcess != NULL) - { - if(!AutoCloseTheHandle) - { - return((ULONG_PTR)CreateRemoteThread(dbgProcessInformation.hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)ThreadStartAddress, ThreadPassParameter, NULL, ThreadId)); - } - else - { - myThread = CreateRemoteThread(dbgProcessInformation.hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)ThreadStartAddress, ThreadPassParameter, NULL, ThreadId); - EngineCloseHandle(myThread); - return(NULL); - } - } - return(NULL); -} -__declspec(dllexport) bool TITCALL ThreaderInjectAndExecuteCode(LPVOID InjectCode, DWORD StartDelta, DWORD InjectSize) -{ - - LPVOID ThreadBase = 0; - ULONG_PTR ueNumberOfBytesRead = 0; - - if(dbgProcessInformation.hProcess != NULL) - { - ThreadBase = VirtualAllocEx(dbgProcessInformation.hProcess, NULL, InjectSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE); - if(WriteProcessMemory(dbgProcessInformation.hProcess, ThreadBase, InjectCode, InjectSize, &ueNumberOfBytesRead)) - { - ThreaderCreateRemoteThread((ULONG_PTR)((ULONG_PTR)InjectCode + StartDelta), true, NULL, NULL); - return(true); - } - else - { - return(false); - } - } - return(false); -} -__declspec(dllexport) long long TITCALL ThreaderCreateRemoteThreadEx(HANDLE hProcess, ULONG_PTR ThreadStartAddress, bool AutoCloseTheHandle, LPVOID ThreadPassParameter, LPDWORD ThreadId) -{ - - HANDLE myThread; - - if(hProcess != NULL) - { - if(!AutoCloseTheHandle) - { - return((ULONG_PTR)CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)ThreadStartAddress, ThreadPassParameter, NULL, ThreadId)); - } - else - { - myThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)ThreadStartAddress, ThreadPassParameter, NULL, ThreadId); - EngineCloseHandle(myThread); - return(NULL); - } - } - return(NULL); -} -__declspec(dllexport) bool TITCALL ThreaderInjectAndExecuteCodeEx(HANDLE hProcess, LPVOID InjectCode, DWORD StartDelta, DWORD InjectSize) -{ - - LPVOID ThreadBase = 0; - ULONG_PTR ueNumberOfBytesRead = 0; - - if(hProcess != NULL) - { - ThreadBase = VirtualAllocEx(hProcess, NULL, InjectSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE); - if(WriteProcessMemory(hProcess, ThreadBase, InjectCode, InjectSize, &ueNumberOfBytesRead)) - { - ThreaderCreateRemoteThread((ULONG_PTR)((ULONG_PTR)InjectCode + StartDelta), true, NULL, NULL); - return(true); - } - else - { - return(false); - } - } - return(false); -} -__declspec(dllexport) void TITCALL ThreaderSetCallBackForNextExitThreadEvent(LPVOID exitThreadCallBack) -{ - engineExitThreadOneShootCallBack = exitThreadCallBack; -} -__declspec(dllexport) bool TITCALL ThreaderIsThreadStillRunning(HANDLE hThread) -{ - - CONTEXT myDBGContext; - - RtlZeroMemory(&myDBGContext, sizeof CONTEXT); - myDBGContext.ContextFlags = CONTEXT_ALL; - if(GetThreadContext(hThread, &myDBGContext)) - { - return(true); - } - else - { - return(false); - } -} -__declspec(dllexport) bool TITCALL ThreaderIsThreadActive(HANDLE hThread) -{ - if(SuspendThread(hThread)) //if previous suspend count is above 0 (which means thread is suspended) - { - ResumeThread(hThread); //decrement suspend count - return(true); - } - return(false); -} -__declspec(dllexport) bool TITCALL ThreaderIsAnyThreadActive() -{ - - PTHREAD_ITEM_DATA hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread; - - if(hListThreadPtr != NULL) - { - while(hListThreadPtr->hThread != NULL) - { - if(hListThreadPtr->hThread != (HANDLE)-1) - { - if(ThreaderIsThreadActive(hListThreadPtr->hThread)) - { - return(true); - } - } - hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA); - } - } - return(false); -} -__declspec(dllexport) bool TITCALL ThreaderExecuteOnlyInjectedThreads() -{ - - if(ThreaderPauseProcess()) - { - engineResumeProcessIfNoThreadIsActive = true; - return(true); - } - return(false); -} -__declspec(dllexport) long long TITCALL ThreaderGetOpenHandleForThread(DWORD ThreadId) -{ - - PTHREAD_ITEM_DATA hListThreadPtr = (PTHREAD_ITEM_DATA)hListThread; - - if(hListThread != NULL) - { - while(hListThreadPtr->hThread != NULL) - { - if(hListThreadPtr->hThread != (HANDLE)-1 && hListThreadPtr->dwThreadId == ThreadId) - { - return((ULONG_PTR)hListThreadPtr->hThread); - } - hListThreadPtr = (PTHREAD_ITEM_DATA)((ULONG_PTR)hListThreadPtr + sizeof THREAD_ITEM_DATA); - } - } - return(NULL); -} -__declspec(dllexport) void* TITCALL ThreaderGetThreadData() -{ - return(hListThread); -} -__declspec(dllexport) bool TITCALL ThreaderIsExceptionInMainThread() -{ - - LPDEBUG_EVENT myDBGEvent; - - myDBGEvent = (LPDEBUG_EVENT)GetDebugData(); - if(myDBGEvent->dwThreadId == dbgProcessInformation.dwThreadId) - { - return(true); - } - return(false); -} // Global.Debugger.functions: long DebugLoopInSecondThread(LPVOID InputParameter) { diff --git a/TitanEngine/TitanEngine.vcxproj b/TitanEngine/TitanEngine.vcxproj index 157bbe6..3687217 100644 --- a/TitanEngine/TitanEngine.vcxproj +++ b/TitanEngine/TitanEngine.vcxproj @@ -218,8 +218,11 @@ + + + Create Create @@ -229,6 +232,14 @@ + + + + + + + + @@ -236,15 +247,17 @@ + + + - @@ -259,6 +272,13 @@ + + + Document + + + Document + diff --git a/TitanEngine/TitanEngine.vcxproj.filters b/TitanEngine/TitanEngine.vcxproj.filters index ff618b4..711849d 100644 --- a/TitanEngine/TitanEngine.vcxproj.filters +++ b/TitanEngine/TitanEngine.vcxproj.filters @@ -57,6 +57,48 @@ Source Files\TitanEngine + + Source Files\TitanEngine + + + Source Files\TitanEngine + + + Source Files\TitanEngine + + + Source Files\TitanEngine + + + Source Files\TitanEngine + + + Source Files\TitanEngine + + + Source Files\TitanEngine + + + Source Files\TitanEngine + + + Source Files\TitanEngine + + + Source Files\TitanEngine + + + Source Files\TitanEngine + + + Source Files\TitanEngine + + + Source Files\TitanEngine + + + Source Files\TitanEngine + @@ -86,9 +128,6 @@ Header Files - - Header Files\TitanEngine - Header Files\TitanEngine @@ -101,6 +140,15 @@ Header Files\TitanEngine + + Header Files\TitanEngine + + + Header Files\TitanEngine + + + Header Files\TitanEngine + diff --git a/TitanEngine/definitions.h b/TitanEngine/definitions.h index 897d9c9..9382cb0 100644 --- a/TitanEngine/definitions.h +++ b/TitanEngine/definitions.h @@ -1,7 +1,6 @@ #ifndef definitions_h__ #define definitions_h__ - #define TITCALL // Global.Function.Declaration: