- fixed the function EngineGetProcAddressRemote (now supports any number of modules)

- added the function EngineGetModuleBaseRemote
- added export ImporterGetDLLNameW
- fixed export ImporterGetDLLName
Mr. eXoDia 2014-03-11 14:53:11 +01:00
parent e60e886cf5
commit 5e5dac1186
7 changed files with 127 additions and 80 deletions


@ -743,6 +743,7 @@ __declspec(dllexport) long long TITCALL ImporterFindOrdinalAPIWriteLocation(ULON
__declspec(dllexport) long long TITCALL ImporterFindAPIByWriteLocation(ULONG_PTR APIWriteLocation);
__declspec(dllexport) long long TITCALL ImporterFindDLLByWriteLocation(ULONG_PTR APIWriteLocation);
__declspec(dllexport) void* TITCALL ImporterGetDLLName(ULONG_PTR APIAddress);
__declspec(dllexport) void* TITCALL ImporterGetDLLNameW(ULONG_PTR APIAddress);
__declspec(dllexport) void* TITCALL ImporterGetAPIName(ULONG_PTR APIAddress);
__declspec(dllexport) long long TITCALL ImporterGetAPIOrdinalNumber(ULONG_PTR APIAddress);
__declspec(dllexport) void* TITCALL ImporterGetAPINameEx(ULONG_PTR APIAddress, ULONG_PTR DLLBasesList);


@ -742,6 +742,7 @@ __declspec(dllimport) long long TITCALL ImporterFindOrdinalAPIWriteLocation(ULON
__declspec(dllimport) long long TITCALL ImporterFindAPIByWriteLocation(ULONG_PTR APIWriteLocation);
__declspec(dllimport) long long TITCALL ImporterFindDLLByWriteLocation(ULONG_PTR APIWriteLocation);
__declspec(dllimport) void* TITCALL ImporterGetDLLName(ULONG_PTR APIAddress);
__declspec(dllexport) void* TITCALL ImporterGetDLLNameW(ULONG_PTR APIAddress);
__declspec(dllimport) void* TITCALL ImporterGetAPIName(ULONG_PTR APIAddress);
__declspec(dllimport) long long TITCALL ImporterGetAPIOrdinalNumber(ULONG_PTR APIAddress);
__declspec(dllimport) void* TITCALL ImporterGetAPINameEx(ULONG_PTR APIAddress, ULONG_PTR DLLBasesList);
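Review bot: The new declaration `__declspec(dllexport) void* TITCALL ImporterGetDLLNameW(ULONG_PTR APIAddress);` uses dllexport in a header where every neighbouring prototype is dllimport, so a consumer including this header declares the symbol as exported from its own module instead of importing it from the engine DLL. It should read `__declspec(dllimport) void* TITCALL ImporterGetDLLNameW(ULONG_PTR APIAddress);` to match the surrounding lines.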


@ -1689,6 +1689,10 @@ protected:
{
return (const char*)UE::ImporterGetDLLName(APIAddress);
}
static const wchar_t* GetDLLNameW(ULONG_PTR APIAddress)
{
return (const wchar_t*)UE::ImporterGetDLLNameW(APIAddress);
}
static const char* GetAPIName(ULONG_PTR APIAddress)
{
return (const char*)UE::ImporterGetAPIName(APIAddress);
@ -1876,6 +1880,7 @@ public:
using ImporterX::FindAPIByWriteLocation;
using ImporterX::FindDLLByWriteLocation;
using ImporterX::GetDLLName;
using ImporterX::GetDLLNameW;
using ImporterX::GetAPIName;
using ImporterX::GetAPIOrdinalNumber;
using ImporterX::GetAPINameEx;


@ -8,53 +8,37 @@ ULONG_PTR EngineGetProcAddressRemote(HANDLE hProcess, const WCHAR * szDLLName, c
{
if(!hProcess) //no process specified
{
if(dbgProcessInformation.hProcess == 0)
{
if(!dbgProcessInformation.hProcess)
hProcess = GetCurrentProcess();
}
else
{
hProcess = dbgProcessInformation.hProcess;
}
}
DWORD cbNeeded=0;
HMODULE EnumeratedModules[1024] = {0};
WCHAR RemoteDLLPath[MAX_PATH] = {0};
HMODULE hModuleLocal = GetModuleHandleW(szDLLName);
WCHAR * dllName;
if(EnumProcessModules(hProcess, EnumeratedModules, sizeof(EnumeratedModules), &cbNeeded))
if(EnumProcessModules(hProcess, 0, 0, &cbNeeded))
{
for(int i = 0; i < (int)(cbNeeded / sizeof(HMODULE)); i++)
HMODULE* hMods=(HMODULE*)malloc(cbNeeded*sizeof(HMODULE));
if(EnumProcessModules(hProcess, hMods, cbNeeded, &cbNeeded))
{
RemoteDLLPath[0] = 0;
if(GetModuleFileNameExW(hProcess, EnumeratedModules[i], RemoteDLLPath, _countof(RemoteDLLPath)) > 0)
for(unsigned int i=0; i<cbNeeded/sizeof(HMODULE); i++)
{
dllName = wcsrchr(RemoteDLLPath, L'\\');
wchar_t szModuleName[MAX_PATH]=L"";
if(GetModuleFileNameExW(hProcess, hMods[i], szModuleName, _countof(szModuleName)))
{
wchar_t* dllName=wcsrchr(szModuleName, L'\\');
if(dllName)
{
dllName++;
if(_wcsicmp(dllName, szDLLName) == 0)
if(!_wcsicmp(dllName, szDLLName))
{
LONG_PTR funcAddress = 0;
if (hModuleLocal)
HMODULE hModule = LoadLibraryExW(szModuleName, 0, DONT_RESOLVE_DLL_REFERENCES|LOAD_LIBRARY_AS_DATAFILE);
if (hModule)
{
funcAddress = (LONG_PTR)GetProcAddress(hModuleLocal, szAPIName);
ULONG_PTR funcAddress=(ULONG_PTR)GetProcAddress(hModule, szAPIName);
if(funcAddress)
{
return (LONG_PTR)funcAddress - (LONG_PTR)hModuleLocal + (LONG_PTR)EnumeratedModules[i];
}
}
else
{
hModuleLocal = LoadLibraryExW(RemoteDLLPath, 0, DONT_RESOLVE_DLL_REFERENCES);
if (hModuleLocal)
{
funcAddress = (LONG_PTR)GetProcAddress(hModuleLocal, szAPIName);
funcAddress = (LONG_PTR)funcAddress - (LONG_PTR)hModuleLocal + (LONG_PTR)EnumeratedModules[i];
FreeLibrary(hModuleLocal);
return funcAddress;
funcAddress-=(ULONG_PTR)hModule; //rva
FreeLibrary(hModule);
return funcAddress+(ULONG_PTR)hMods[i]; //va
}
}
break;
@ -63,7 +47,8 @@ ULONG_PTR EngineGetProcAddressRemote(HANDLE hProcess, const WCHAR * szDLLName, c
}
}
}
free(hMods);
}
return 0;
}
@ -89,3 +74,36 @@ ULONG_PTR EngineGetProcAddressRemote(const char * szDLLName, const char* szAPINa
{
return EngineGetProcAddressRemote(0, szDLLName, szAPIName);
}
ULONG_PTR EngineGetModuleBaseRemote(HANDLE hProcess, ULONG_PTR APIAddress)
{
if(!hProcess) //no process specified
{
if(!dbgProcessInformation.hProcess)
hProcess = GetCurrentProcess();
else
hProcess = dbgProcessInformation.hProcess;
}
DWORD cbNeeded=0;
if(EnumProcessModules(hProcess, 0, 0, &cbNeeded))
{
HMODULE* hMods=(HMODULE*)malloc(cbNeeded*sizeof(HMODULE));
if(EnumProcessModules(hProcess, hMods, cbNeeded, &cbNeeded))
{
for(unsigned int i=0; i<cbNeeded/sizeof(HMODULE); i++)
{
MODULEINFO modinfo;
memset(&modinfo, 0, sizeof(MODULEINFO));
if(GetModuleInformation(hProcess, hMods[i], &modinfo, sizeof(MODULEINFO)))
{
ULONG_PTR start=(ULONG_PTR)hMods[i];
ULONG_PTR end=modinfo.SizeOfImage;
if(APIAddress>=start && APIAddress<end)
return start;
}
}
}
free(hMods);
}
return 0;
}
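Review bot: `ULONG_PTR end=modinfo.SizeOfImage;` in EngineGetModuleBaseRemote compares APIAddress against the image size instead of the module's end address, so `APIAddress>=start && APIAddress<end` can only hold when the module base is below its own SizeOfImage and the function will normally return 0; it should be `ULONG_PTR end=start+modinfo.SizeOfImage;`. Both this function and the rewritten loop in EngineGetProcAddressRemote return from inside the loop without calling free(hMods), so every successful lookup leaks the module array. The buffer is sized as `cbNeeded*sizeof(HMODULE)` although EnumProcessModules reports cbNeeded in bytes, the malloc result is passed on unchecked, and because the second call overwrites cbNeeded the loop bound should be clamped to the size actually allocated. The LoadLibraryExW documentation states that GetProcAddress cannot be used on a module loaded with LOAD_LIBRARY_AS_DATAFILE, so the new flag combination in EngineGetProcAddressRemote is worth verifying against the previous DONT_RESOLVE_DLL_REFERENCES-only load.
```cpp
ULONG_PTR EngineGetModuleBaseRemote(HANDLE hProcess, ULONG_PTR APIAddress)
{
    // … unchanged: hProcess fallback to the debuggee / current process …
    DWORD cbNeeded=0;
    if(EnumProcessModules(hProcess, 0, 0, &cbNeeded))
    {
        HMODULE* hMods=(HMODULE*)malloc(cbNeeded); //cbNeeded is already a byte count
        if(!hMods)
            return 0;
        DWORD cbAllocated=cbNeeded;
        if(EnumProcessModules(hProcess, hMods, cbAllocated, &cbNeeded))
        {
            //the module list may have grown between the two calls; never read past the buffer
            DWORD count=(cbNeeded<cbAllocated ? cbNeeded : cbAllocated)/sizeof(HMODULE);
            for(unsigned int i=0; i<count; i++)
            {
                // … unchanged: GetModuleInformation into modinfo …
                ULONG_PTR start=(ULONG_PTR)hMods[i];
                ULONG_PTR end=start+modinfo.SizeOfImage; //end address, not the image size
                if(APIAddress>=start && APIAddress<end)
                {
                    free(hMods); //release the list on the success path as well
                    return start;
                }
            }
        }
        free(hMods);
    }
    return 0;
}
```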


@ -6,5 +6,6 @@ ULONG_PTR EngineGetProcAddressRemote(const char * szDLLName, const char* szAPINa
ULONG_PTR EngineGetProcAddressRemote(HANDLE hProcess, const char * szDLLName, const char* szAPIName);
ULONG_PTR EngineGetProcAddressRemote(const WCHAR * szDLLName, const char* szAPIName);
ULONG_PTR EngineGetProcAddressRemote(HANDLE hProcess, const WCHAR * szDLLName, const char* szAPIName);
ULONG_PTR EngineGetModuleBaseRemote(HANDLE hProcess, ULONG_PTR APIAddress);
#endif //_GLOBAL_ENGINE_IMPORTER_H


@ -4,6 +4,7 @@
#include "Global.Engine.h"
#include "Global.Librarian.h"
#include "Global.Engine.Importer.h"
#include "Global.Debugger.h"
#include "scylla_wrapper.h"
#include <psapi.h>
@ -16,6 +17,7 @@ __declspec(dllexport) void TITCALL ImporterAddNewDll(char* szDLLName, ULONG_PTR
scylla_addModule(uniDLLName, FirstThunk);
}
__declspec(dllexport) void TITCALL ImporterAddNewAPI(char* szAPIName, ULONG_PTR ThunkValue)
{
wchar_t uniAPIName[MAX_PATH] = {};
@ -24,88 +26,106 @@ __declspec(dllexport) void TITCALL ImporterAddNewAPI(char* szAPIName, ULONG_PTR
scylla_addImport(uniAPIName, ThunkValue);
}
__declspec(dllexport) void TITCALL ImporterAddNewOrdinalAPI(ULONG_PTR OrdinalNumber, ULONG_PTR ThunkValue)
{
ImporterAddNewAPI((char*)(OrdinalNumber&~IMAGE_ORDINAL_FLAG), ThunkValue);
}
if(OrdinalNumber & IMAGE_ORDINAL_FLAG)
{
OrdinalNumber = OrdinalNumber ^ IMAGE_ORDINAL_FLAG;
ImporterAddNewAPI((char*)OrdinalNumber, ThunkValue);
}
else
{
ImporterAddNewAPI((char*)OrdinalNumber, ThunkValue);
}
}
__declspec(dllexport) long TITCALL ImporterGetAddedDllCount()
{
return scylla_getModuleCount();
}
__declspec(dllexport) long TITCALL ImporterGetAddedAPICount()
{
return scylla_getImportCount();
}
__declspec(dllexport) bool TITCALL ImporterExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA, HANDLE hFileMap)
{
if(scylla_fixMappedDump(StorePlace, FileMapVA, hFileMap) != SCY_ERROR_SUCCESS)
{
return false;
return (scylla_fixMappedDump(StorePlace, FileMapVA, hFileMap) == SCY_ERROR_SUCCESS);
}
return true;
}
__declspec(dllexport) long TITCALL ImporterEstimatedSize()
{
return scylla_estimatedIATSize();
}
__declspec(dllexport) bool TITCALL ImporterExportIATEx(char* szDumpFileName, char* szExportFileName, char* szSectionName)
{
wchar_t uniExportFileName[MAX_PATH] = {};
wchar_t uniDumpFileName[MAX_PATH] = {};
wchar_t uniSectionName[MAX_PATH] = {};
if(szExportFileName != NULL && szDumpFileName != NULL)
{
MultiByteToWideChar(CP_ACP, NULL, szExportFileName, lstrlenA(szExportFileName)+1, uniExportFileName, sizeof(uniExportFileName)/(sizeof(uniExportFileName[0])));
MultiByteToWideChar(CP_ACP, NULL, szDumpFileName, lstrlenA(szDumpFileName)+1, uniDumpFileName, sizeof(uniDumpFileName)/(sizeof(uniDumpFileName[0])));
MultiByteToWideChar(CP_ACP, NULL, szSectionName, lstrlenA(szSectionName)+1, uniSectionName, sizeof(uniSectionName)/(sizeof(uniSectionName[0])));
return(ImporterExportIATExW(uniDumpFileName, uniExportFileName, uniSectionName));
return ImporterExportIATExW(uniDumpFileName, uniExportFileName, uniSectionName);
}
else
{
return false;
}
}
__declspec(dllexport) bool TITCALL ImporterExportIATExW(wchar_t* szDumpFileName, wchar_t* szExportFileName, wchar_t* szSectionName)
{
if(scylla_fixDump(szDumpFileName, szExportFileName, szSectionName) != SCY_ERROR_SUCCESS)
{
return false;
}
return true;
__declspec(dllexport) bool TITCALL ImporterExportIATExW(wchar_t* szDumpFileName, wchar_t* szExportFileName, wchar_t* szSectionName)
{
return (scylla_fixDump(szDumpFileName, szExportFileName, szSectionName) == SCY_ERROR_SUCCESS);
}
__declspec(dllexport) long long TITCALL ImporterFindAPIWriteLocation(char* szAPIName)
{
return(scylla_findImportWriteLocation(szAPIName));
return scylla_findImportWriteLocation(szAPIName);
}
__declspec(dllexport) long long TITCALL ImporterFindOrdinalAPIWriteLocation(ULONG_PTR OrdinalNumber)
{
return(scylla_findOrdinalImportWriteLocation(OrdinalNumber));
return scylla_findOrdinalImportWriteLocation(OrdinalNumber);
}
__declspec(dllexport) long long TITCALL ImporterFindAPIByWriteLocation(ULONG_PTR APIWriteLocation)
{
return(scylla_findImportNameByWriteLocation(APIWriteLocation));
return scylla_findImportNameByWriteLocation(APIWriteLocation);
}
__declspec(dllexport) long long TITCALL ImporterFindDLLByWriteLocation(ULONG_PTR APIWriteLocation)
{
return scylla_findModuleNameByWriteLocation(APIWriteLocation);
}
__declspec(dllexport) void* TITCALL ImporterGetDLLName(ULONG_PTR APIAddress)
{
return((LPVOID)EngineGlobalAPIHandler(NULL, NULL, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_DLLNAME));
HANDLE hProcess;
if(!dbgProcessInformation.hProcess)
hProcess = GetCurrentProcess();
else
hProcess = dbgProcessInformation.hProcess;
ULONG_PTR moduleBase=EngineGetModuleBaseRemote(hProcess, APIAddress);
if(moduleBase)
{
static char szModuleName[MAX_PATH]="";
if(GetModuleFileNameExA(hProcess, (HMODULE)moduleBase, szModuleName, _countof(szModuleName)))
return szModuleName;
}
return 0;
}
__declspec(dllexport) void* TITCALL ImporterGetDLLNameW(ULONG_PTR APIAddress)
{
HANDLE hProcess;
if(!dbgProcessInformation.hProcess)
hProcess = GetCurrentProcess();
else
hProcess = dbgProcessInformation.hProcess;
ULONG_PTR moduleBase=EngineGetModuleBaseRemote(hProcess, APIAddress);
if(moduleBase)
{
static wchar_t szModuleName[MAX_PATH]=L"";
if(GetModuleFileNameExW(hProcess, (HMODULE)moduleBase, szModuleName, _countof(szModuleName)))
return szModuleName;
}
return 0;
}
__declspec(dllexport) void* TITCALL ImporterGetAPIName(ULONG_PTR APIAddress)
{
return((LPVOID)EngineGlobalAPIHandler(NULL, NULL, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_APINAME));
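Review bot: ImporterGetDLLName and ImporterGetDLLNameW hand out a pointer into a function-local static buffer (`static char szModuleName[MAX_PATH]="";`), so the string returned to one caller is overwritten by the next call and neither export is safe to call concurrently; the exported `void*` signature cannot change here, but the contract should be stated on the declaration, e.g. `// Returns a pointer to a static buffer that is overwritten by the next call; copy it before calling again.` Both functions now return whatever GetModuleFileNameExA/W produces, which is the full module path, whereas the export name suggests the bare DLL name the previous EngineGlobalAPIHandler(..., UE_OPTION_IMPORTER_RETURN_DLLNAME) path presumably returned — worth confirming against existing callers that compare the result. ImporterGetDLLNameW repeats the hProcess selection and module-base lookup of ImporterGetDLLName line for line; a static helper that resolves hProcess and the module base once, with only the final GetModuleFileNameEx call differing, would remove the duplication. The hunk ends inside ImporterGetAPIName, whose body continues outside it.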


@ -249,6 +249,7 @@ __declspec(dllexport) long long TITCALL ImporterFindOrdinalAPIWriteLocation(ULON
__declspec(dllexport) long long TITCALL ImporterFindAPIByWriteLocation(ULONG_PTR APIWriteLocation);
__declspec(dllexport) long long TITCALL ImporterFindDLLByWriteLocation(ULONG_PTR APIWriteLocation);
__declspec(dllexport) void* TITCALL ImporterGetDLLName(ULONG_PTR APIAddress);
__declspec(dllexport) void* TITCALL ImporterGetDLLNameW(ULONG_PTR APIAddress);
__declspec(dllexport) void* TITCALL ImporterGetAPIName(ULONG_PTR APIAddress);
__declspec(dllexport) long long TITCALL ImporterGetAPIOrdinalNumber(ULONG_PTR APIAddress);
__declspec(dllexport) void* TITCALL ImporterGetAPINameEx(ULONG_PTR APIAddress, ULONG_PTR DLLBasesList);