From 68a5a4b7a0a9970e2e9ac20f49df40d739ba4a79 Mon Sep 17 00:00:00 2001 From: deepzero Date: Sat, 8 Mar 2014 14:47:04 +0100 Subject: [PATCH] drop VirtualProtect in favor of a DynamicBuffer --- TitanEngine/TitanEngine.Breakpoints.cpp | 44 +-- TitanEngine/TitanEngine.Debugger.Memory.cpp | 22 +- TitanEngine/TitanEngine.Disassembler.cpp | 12 +- TitanEngine/TitanEngine.Dumper.cpp | 35 +-- TitanEngine/TitanEngine.Exporter.cpp | 5 +- TitanEngine/TitanEngine.Handler.cpp | 280 +++++++------------- TitanEngine/TitanEngine.PE.Section.cpp | 9 +- TitanEngine/TitanEngine.PE.cpp | 17 +- TitanEngine/TitanEngine.Relocator.cpp | 5 +- TitanEngine/TitanEngine.Tracer.cpp | 10 +- 10 files changed, 127 insertions(+), 312 deletions(-) diff --git a/TitanEngine/TitanEngine.Breakpoints.cpp b/TitanEngine/TitanEngine.Breakpoints.cpp index 04645db..127bb19 100644 --- a/TitanEngine/TitanEngine.Breakpoints.cpp +++ b/TitanEngine/TitanEngine.Breakpoints.cpp @@ -304,6 +304,7 @@ __declspec(dllexport) bool TITCALL SetAPIBreakPoint(const char* szDLLName, const int currentInstructionLen = NULL; bool ModuleLoaded = false; void* CmdBuffer = NULL; + DynBuf CmdBuf; bool RemovedBpx = false; if(szDLLName != NULL && szAPIName != NULL) @@ -322,14 +323,13 @@ __declspec(dllexport) bool TITCALL SetAPIBreakPoint(const char* szDLLName, const APIAddress = (ULONG_PTR)EngineGlobalAPIHandler(dbgProcessInformation.hProcess, NULL, NULL, szAPIName, UE_OPTION_IMPORTER_RETURN_APIADDRESS); if(APIAddress != NULL) { - CmdBuffer = VirtualAlloc(NULL, ReadMemSize, MEM_COMMIT, PAGE_READWRITE); + CmdBuffer = CmdBuf.Allocate(ReadMemSize); while(ReadProcessMemory(dbgProcessInformation.hProcess, (void*)APIAddress, CmdBuffer, ReadMemSize, &ueNumberOfReadWrite) == false && ReadMemSize > NULL) { ReadMemSize = ReadMemSize - (MAXIMUM_INSTRUCTION_SIZE * 10); } if(ReadMemSize == NULL) { - VirtualFree(CmdBuffer, NULL, MEM_RELEASE); APIAddress = NULL; } else 
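Review bot: The pointer returned by `CmdBuffer = CmdBuf.Allocate(ReadMemSize);` in the `@@ -322` hunk is passed straight to ReadProcessMemory without a NULL check, whereas the same commit adds a `ueReadBuffer &&` guard for the equivalent line in TitanEngine.Debugger.Memory.cpp. With a NULL buffer every ReadProcessMemory call fails and the loop only exits once `ReadMemSize` has been decremented to exactly 0 in steps of `MAXIMUM_INSTRUCTION_SIZE * 10`; whether that ever happens depends on ReadMemSize's type and initial value, which are declared above the hunk. A one-line guard before the loop, `if(CmdBuffer == NULL) ReadMemSize = 0;`, routes the failure through the existing `if(ReadMemSize == NULL)` branch that already clears APIAddress. SetAPIBreakPoint's body continues outside the hunk.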
@@ -402,10 +402,6 @@ __declspec(dllexport) bool TITCALL SetAPIBreakPoint(const char* szDLLName, const { FreeLibrary(hModule); } - if(CmdBuffer != NULL) - { - VirtualFree(CmdBuffer, NULL, MEM_RELEASE); - } return false; } } @@ -417,13 +413,6 @@ __declspec(dllexport) bool TITCALL SetAPIBreakPoint(const char* szDLLName, const FreeLibrary(hModule); } } - else - { - if(CmdBuffer != NULL) - { - VirtualFree(CmdBuffer, NULL, MEM_RELEASE); - } - } return SetBPX(APIAddress, bpxType, bpxCallBack); } else @@ -435,13 +424,6 @@ __declspec(dllexport) bool TITCALL SetAPIBreakPoint(const char* szDLLName, const FreeLibrary(hModule); } } - else - { - if(CmdBuffer != NULL) - { - VirtualFree(CmdBuffer, NULL, MEM_RELEASE); - } - } return false; } } @@ -465,6 +447,7 @@ __declspec(dllexport) bool TITCALL DeleteAPIBreakPoint(const char* szDLLName, co int currentInstructionLen = NULL; bool ModuleLoaded = false; void* CmdBuffer = NULL; + DynBuf CmdBuf; bool RemovedBpx = false; if(szDLLName != NULL && szAPIName != NULL) @@ -483,14 +466,13 @@ __declspec(dllexport) bool TITCALL DeleteAPIBreakPoint(const char* szDLLName, co APIAddress = (ULONG_PTR)EngineGlobalAPIHandler(dbgProcessInformation.hProcess, NULL, NULL, szAPIName, UE_OPTION_IMPORTER_RETURN_APIADDRESS); if(APIAddress != NULL) { - CmdBuffer = VirtualAlloc(NULL, ReadMemSize, MEM_COMMIT, PAGE_READWRITE); + CmdBuffer = CmdBuf.Allocate(ReadMemSize); while(ReadProcessMemory(dbgProcessInformation.hProcess, (void*)APIAddress, CmdBuffer, ReadMemSize, &ueNumberOfReadWrite) == false && ReadMemSize > NULL) { ReadMemSize = ReadMemSize - (MAXIMUM_INSTRUCTION_SIZE * 10); } if(ReadMemSize == NULL) { - VirtualFree(CmdBuffer, NULL, MEM_RELEASE); APIAddress = NULL; } else @@ -563,10 +545,6 @@ __declspec(dllexport) bool TITCALL DeleteAPIBreakPoint(const char* szDLLName, co { FreeLibrary(hModule); } - if(CmdBuffer != NULL) - { - VirtualFree(CmdBuffer, NULL, MEM_RELEASE); - } return false; } } 
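Review bot: In the `@@ -483` hunk of DeleteAPIBreakPoint, `CmdBuffer = CmdBuf.Allocate(ReadMemSize);` is likewise unchecked before the ReadProcessMemory retry loop, so an allocation failure is only detected indirectly, if at all, through the loop running ReadMemSize down to 0. The guard this commit introduces elsewhere (`ueReadBuffer && ...`) should be mirrored here, e.g. `if(CmdBuffer == NULL) ReadMemSize = 0;` ahead of the `while`, so the existing `ReadMemSize == NULL` branch handles it. The rest of DeleteAPIBreakPoint lies outside this hunk.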
@@ -578,13 +556,6 @@ __declspec(dllexport) bool TITCALL DeleteAPIBreakPoint(const char* szDLLName, co FreeLibrary(hModule); } } - else - { - if(CmdBuffer != NULL) - { - VirtualFree(CmdBuffer, NULL, MEM_RELEASE); - } - } return(DeleteBPX(APIAddress)); } else @@ -596,13 +567,6 @@ __declspec(dllexport) bool TITCALL DeleteAPIBreakPoint(const char* szDLLName, co FreeLibrary(hModule); } } - else - { - if(CmdBuffer != NULL) - { - VirtualFree(CmdBuffer, NULL, MEM_RELEASE); - } - } return false; } } diff --git a/TitanEngine/TitanEngine.Debugger.Memory.cpp b/TitanEngine/TitanEngine.Debugger.Memory.cpp index 10ebfda..b608fa0 100644 --- a/TitanEngine/TitanEngine.Debugger.Memory.cpp +++ b/TitanEngine/TitanEngine.Debugger.Memory.cpp @@ -10,6 +10,7 @@ __declspec(dllexport) bool TITCALL MatchPatternEx(HANDLE hProcess, void* MemoryT int i = 0; BYTE intWildCard = 0; LPVOID ueReadBuffer = NULL; + DynBuf ueReadBuf; ULONG_PTR ueNumberOfBytesRead = NULL; MEMORY_BASIC_INFORMATION memoryInformation = {}; PMEMORY_COMPARE_HANDLER memCmp = (PMEMORY_COMPARE_HANDLER)MemoryToCheck; @@ -23,8 +24,8 @@ __declspec(dllexport) bool TITCALL MatchPatternEx(HANDLE hProcess, void* MemoryT { if(hProcess != GetCurrentProcess()) { - ueReadBuffer = VirtualAlloc(NULL, SizeOfMemoryToCheck, MEM_COMMIT, PAGE_READWRITE); - if(!ReadProcessMemory(hProcess, MemoryToCheck, ueReadBuffer, SizeOfMemoryToCheck, &ueNumberOfBytesRead)) + ueReadBuffer = ueReadBuf.Allocate(SizeOfMemoryToCheck); + if(ueReadBuffer && !ReadProcessMemory(hProcess, MemoryToCheck, ueReadBuffer, SizeOfMemoryToCheck, &ueNumberOfBytesRead)) { if(ueNumberOfBytesRead == NULL) { 
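Review bot: The new guard `if(ueReadBuffer && !ReadProcessMemory(...))` in MatchPatternEx (the `@@ -23` hunk) has the wrong polarity: when `ueReadBuf.Allocate(SizeOfMemoryToCheck)` returns NULL the failure branch is skipped and execution falls through to the comparison loop with a NULL read buffer instead of returning. Presumably the access violation that follows is caught by the `__except(EXCEPTION_EXECUTE_HANDLER)` visible later in the function, which masks the real cause. Replace it with an explicit `if(ueReadBuffer == NULL) return false;` directly after the Allocate and leave the ReadProcessMemory test as it was. The remainder of MatchPatternEx, including where ueReadBuffer is consumed, is outside the hunk.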
@@ -33,7 +34,6 @@ __declspec(dllexport) bool TITCALL MatchPatternEx(HANDLE hProcess, void* MemoryT SizeOfMemoryToCheck = (int)((ULONG_PTR)memoryInformation.BaseAddress + memoryInformation.RegionSize - (ULONG_PTR)MemoryToCheck); if(!ReadProcessMemory(hProcess, MemoryToCheck, ueReadBuffer, SizeOfMemoryToCheck, &ueNumberOfBytesRead)) { - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return(NULL); } else @@ -43,7 +43,6 @@ __declspec(dllexport) bool TITCALL MatchPatternEx(HANDLE hProcess, void* MemoryT } else { - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return(NULL); } } @@ -68,12 +67,10 @@ __declspec(dllexport) bool TITCALL MatchPatternEx(HANDLE hProcess, void* MemoryT SizeOfPatternToMatch--; i++; } - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return true; } __except(EXCEPTION_EXECUTE_HANDLER) { - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return false; } } @@ -101,6 +98,7 @@ __declspec(dllexport) long long TITCALL FindEx(HANDLE hProcess, LPVOID MemorySta int j = NULL; ULONG_PTR Return = NULL; LPVOID ueReadBuffer = NULL; + DynBuf ueReadBuf; PUCHAR SearchBuffer = NULL; PUCHAR CompareBuffer = NULL; MEMORY_BASIC_INFORMATION memoryInformation = {}; @@ -117,8 +115,8 @@ __declspec(dllexport) long long TITCALL FindEx(HANDLE hProcess, LPVOID MemorySta { if(hProcess != GetCurrentProcess()) { - ueReadBuffer = VirtualAlloc(NULL, MemorySize, MEM_COMMIT, PAGE_READWRITE); - if(!ReadProcessMemory(hProcess, MemoryStart, ueReadBuffer, MemorySize, &ueNumberOfBytesRead)) + ueReadBuffer = ueReadBuf.Allocate(MemorySize); + if(ueReadBuffer && !ReadProcessMemory(hProcess, MemoryStart, ueReadBuffer, MemorySize, &ueNumberOfBytesRead)) { if(ueNumberOfBytesRead == NULL) { 
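Review bot: FindEx's `@@ -117` hunk repeats the inverted guard: `if(ueReadBuffer && !ReadProcessMemory(...))` makes an allocation failure skip the error path and continue into the search with `ueReadBuffer == NULL`, relying on the SEH handler at the end of the function to turn the resulting fault into `return(NULL)`. An explicit `if(ueReadBuffer == NULL) return(NULL);` after `ueReadBuf.Allocate(MemorySize)` keeps the failure visible and avoids faulting inside the debugger. FindEx continues beyond the hunk.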
@@ -127,7 +125,6 @@ __declspec(dllexport) long long TITCALL FindEx(HANDLE hProcess, LPVOID MemorySta MemorySize = (DWORD)((ULONG_PTR)memoryInformation.BaseAddress + memoryInformation.RegionSize - (ULONG_PTR)MemoryStart); if(!ReadProcessMemory(hProcess, MemoryStart, ueReadBuffer, MemorySize, &ueNumberOfBytesRead)) { - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return(NULL); } else @@ -137,7 +134,6 @@ __declspec(dllexport) long long TITCALL FindEx(HANDLE hProcess, LPVOID MemorySta } else { - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return(NULL); } } @@ -172,12 +168,10 @@ __declspec(dllexport) long long TITCALL FindEx(HANDLE hProcess, LPVOID MemorySta Return = (ULONG_PTR)MemoryStart + i; } } - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return(Return); } __except(EXCEPTION_EXECUTE_HANDLER) { - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return(NULL); } } @@ -313,7 +307,8 @@ __declspec(dllexport) bool TITCALL ReplaceEx(HANDLE hProcess, LPVOID MemoryStart ULONG_PTR CurrentFoundPattern; LPVOID cMemoryStart = MemoryStart; DWORD cMemorySize = MemorySize; - LPVOID lpReadMemory = VirtualAlloc(NULL, PatternSize, MEM_COMMIT, PAGE_READWRITE); + DynBuf lpReadMem; + LPVOID lpReadMemory = lpReadMem.Allocate(PatternSize); CurrentFoundPattern = (ULONG_PTR)FindEx(hProcess, cMemoryStart, cMemorySize, SearchPattern, PatternSize, WildCard); NumberOfRepetitions--; @@ -335,7 +330,6 @@ __declspec(dllexport) bool TITCALL ReplaceEx(HANDLE hProcess, LPVOID MemoryStart CurrentFoundPattern = (ULONG_PTR)FindEx(hProcess, cMemoryStart, cMemorySize, SearchPattern, PatternSize, WildCard); NumberOfRepetitions--; } - VirtualFree(lpReadMemory, NULL, MEM_RELEASE); if(NumberOfRepetitions != NULL) { return false; diff --git a/TitanEngine/TitanEngine.Disassembler.cpp b/TitanEngine/TitanEngine.Disassembler.cpp index 391a7ad..a98f954 100644 --- a/TitanEngine/TitanEngine.Disassembler.cpp +++ b/TitanEngine/TitanEngine.Disassembler.cpp 
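Review bot: In ReplaceEx (`@@ -313` hunk) `LPVOID lpReadMemory = lpReadMem.Allocate(PatternSize);` is never checked, and PatternSize is a caller-supplied size, so a zero or failed allocation reaches whatever the replacement loop does with lpReadMemory (the loop body is outside the hunk). Adding `if(lpReadMemory == NULL) return false;` before the first FindEx call closes that gap without changing the function's contract.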
@@ -65,7 +65,8 @@ __declspec(dllexport) void* TITCALL DisassembleEx(HANDLE hProcess, LPVOID Disass _DecodeType DecodingType = Decode64Bits; #endif ULONG_PTR ueNumberOfBytesRead = 0; - LPVOID ueReadBuffer = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); + DynBuf ueReadBuf; + LPVOID ueReadBuffer = ueReadBuf.Allocate(0x1000); MEMORY_BASIC_INFORMATION MemInfo; DWORD MaxDisassmSize; @@ -101,7 +102,6 @@ __declspec(dllexport) void* TITCALL DisassembleEx(HANDLE hProcess, LPVOID Disass if(rpm) { DecodingResult = distorm_decode((ULONG_PTR)DisassmAddress, (const unsigned char*)ueReadBuffer, MaxDisassmSize, DecodingType, engineDecodedInstructions, MAX_DECODE_INSTRUCTIONS, &DecodedInstructionsCount); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); RtlZeroMemory(&engineDisassembledInstruction, 128); lstrcpyA(engineDisassembledInstruction, (LPCSTR)engineDecodedInstructions[0].mnemonic.p); if(!ReturnInstructionType) @@ -116,7 +116,6 @@ __declspec(dllexport) void* TITCALL DisassembleEx(HANDLE hProcess, LPVOID Disass } else { - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return(NULL); } } @@ -127,7 +126,6 @@ __declspec(dllexport) void* TITCALL DisassembleEx(HANDLE hProcess, LPVOID Disass } else { - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return(NULL); } } @@ -185,7 +183,8 @@ __declspec(dllexport) long TITCALL LengthDisassembleEx(HANDLE hProcess, LPVOID D _DecodeType DecodingType = Decode64Bits; #endif ULONG_PTR ueNumberOfBytesRead = 0; - LPVOID ueReadBuffer = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); + DynBuf ueReadBuf; + LPVOID ueReadBuffer = ueReadBuf.Allocate(0x1000); MEMORY_BASIC_INFORMATION MemInfo; DWORD MaxDisassmSize; 
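Review bot: `LPVOID ueReadBuffer = ueReadBuf.Allocate(0x1000);` in DisassembleEx (and the identical line in LengthDisassembleEx further down) is not checked before the later `ReadProcessMemory(hProcess, DisassmAddress, ueReadBuffer, MaxDisassmSize, ...)`, and that read is only safe if MaxDisassmSize is clamped to 0x1000 somewhere above it — the clamp, if present, is outside the hunk. I would add `if(ueReadBuffer == NULL) return(NULL);` after the Allocate in DisassembleEx (`return(-1)` in LengthDisassembleEx) and assert `MaxDisassmSize <= 0x1000` at the read site so the buffer size and the read size cannot drift apart. Both functions' bodies extend outside the hunk.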
@@ -210,12 +209,10 @@ __declspec(dllexport) long TITCALL LengthDisassembleEx(HANDLE hProcess, LPVOID D if(ReadProcessMemory(hProcess, (LPVOID)DisassmAddress, ueReadBuffer, MaxDisassmSize, &ueNumberOfBytesRead)) { DecodingResult = distorm_decode(NULL, (const unsigned char*)ueReadBuffer, MaxDisassmSize, DecodingType, DecodedInstructions, MAX_DECODE_INSTRUCTIONS, &DecodedInstructionsCount); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return(DecodedInstructions[0].size); } else { - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return(-1); } } @@ -226,7 +223,6 @@ __declspec(dllexport) long TITCALL LengthDisassembleEx(HANDLE hProcess, LPVOID D } else { - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return(-1); } } diff --git a/TitanEngine/TitanEngine.Dumper.cpp b/TitanEngine/TitanEngine.Dumper.cpp index 2665134..820b042 100644 --- a/TitanEngine/TitanEngine.Dumper.cpp +++ b/TitanEngine/TitanEngine.Dumper.cpp @@ -38,8 +38,9 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas LPVOID ReadBase = ImageBase; SIZE_T CalculatedHeaderSize = NULL; SIZE_T AlignedHeaderSize = NULL; - LPVOID ueReadBuffer = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); - LPVOID ueCopyBuffer = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); + DynBuf ueReadBuf, ueCopyBuf; + LPVOID ueReadBuffer = ueReadBuf.Allocate(0x2000); + LPVOID ueCopyBuffer = ueCopyBuf.Allocate(0x2000); MEMORY_BASIC_INFORMATION MemInfo; if(ReadProcessMemory(hProcess, ImageBase, ueReadBuffer, 0x1000, &ueNumberOfBytesRead)) 
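Review bot: The two Allocate calls in DumpProcessW's `@@ -38` hunk feed straight into `ReadProcessMemory(hProcess, ImageBase, ueReadBuffer, 0x1000, &ueNumberOfBytesRead)` with no NULL check on either buffer. A short `if(ueReadBuffer == NULL || ueCopyBuffer == NULL) return false;` after `ueCopyBuf.Allocate(0x2000)` is enough; DumpProcessW's body runs well past the hunk.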
@@ -56,14 +57,10 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas { AlignedHeaderSize = ((CalculatedHeaderSize / 0x1000) + 1) * 0x1000; } - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); - VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE); - ueReadBuffer = VirtualAlloc(NULL, AlignedHeaderSize, MEM_COMMIT, PAGE_READWRITE); - ueCopyBuffer = VirtualAlloc(NULL, AlignedHeaderSize, MEM_COMMIT, PAGE_READWRITE); + ueReadBuffer = ueReadBuf.Allocate(AlignedHeaderSize); + ueCopyBuffer = ueCopyBuf.Allocate(AlignedHeaderSize); if(!ReadProcessMemory(hProcess, ImageBase, ueReadBuffer, AlignedHeaderSize, &ueNumberOfBytesRead)) { - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); - VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE); return false; } else @@ -90,8 +87,6 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas } else { - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); - VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE); return false; } if(!FileIs64) @@ -174,30 +169,22 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas } } EngineCloseHandle(hFile); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); - VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE); return true; } __except(EXCEPTION_EXECUTE_HANDLER) { EngineCloseHandle(hFile); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); - VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE); return false; } } else { EngineCloseHandle(hFile); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); - VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE); return false; } } else { - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); - VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE); return false; } } 
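Review bot: In the `@@ -56` hunk AlignedHeaderSize is derived from CalculatedHeaderSize, which comes from the dumped process's own PE header (computed above the hunk), so a hostile target can make `ueReadBuf.Allocate(AlignedHeaderSize)` and `ueCopyBuf.Allocate(AlignedHeaderSize)` arbitrarily large, and neither result is checked before `ReadProcessMemory(..., ueReadBuffer, AlignedHeaderSize, ...)`. Whether the second Allocate on the same DynBuf releases the earlier 0x2000 block is a property of DynBuf::Allocate, which is not in this diff; if it does not, the initial buffers leak on every dump. I would add `if(ueReadBuffer == NULL || ueCopyBuffer == NULL) return false;` after the re-allocation and cap AlignedHeaderSize at a sane upper bound before allocating.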
@@ -282,30 +269,22 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas } } EngineCloseHandle(hFile); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); - VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE); return true; } __except(EXCEPTION_EXECUTE_HANDLER) { - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); - VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE); return false; } } else { EngineCloseHandle(hFile); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); - VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE); return false; } } else { EngineCloseHandle(hFile); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); - VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE); return false; } } @@ -313,15 +292,11 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas } else { - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); - VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE); return false; } } else { - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); - VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE); return false; } return false; diff --git a/TitanEngine/TitanEngine.Exporter.cpp b/TitanEngine/TitanEngine.Exporter.cpp index 4454a51..2720c29 100644 --- a/TitanEngine/TitanEngine.Exporter.cpp +++ b/TitanEngine/TitanEngine.Exporter.cpp @@ -152,6 +152,7 @@ __declspec(dllexport) bool TITCALL ExporterBuildExportTable(ULONG_PTR StorePlace PIMAGE_NT_HEADERS32 PEHeader32; PIMAGE_NT_HEADERS64 PEHeader64; LPVOID expBuildExportData; + DynBuf expBuildExportDyn; LPVOID expBuildExportDataCWP; DWORD StorePlaceRVA = (DWORD)ConvertFileOffsetToVA(FileMapVA, StorePlace, false); ULONG_PTR TempULONG; 
@@ -160,7 +161,7 @@ __declspec(dllexport) bool TITCALL ExporterBuildExportTable(ULONG_PTR StorePlace if(expTableDataCWP != NULL) { - expBuildExportData = VirtualAlloc(NULL, ExporterEstimatedSize(), MEM_COMMIT, PAGE_READWRITE); + expBuildExportData = expBuildExportDyn.Allocate(ExporterEstimatedSize()); expBuildExportDataCWP = (LPVOID)((ULONG_PTR)expBuildExportData + sizeof IMAGE_EXPORT_DIRECTORY); expExportData.NumberOfNames = expExportNumber; @@ -210,7 +211,6 @@ __declspec(dllexport) bool TITCALL ExporterBuildExportTable(ULONG_PTR StorePlace } __except(EXCEPTION_EXECUTE_HANDLER) { - VirtualFree(expBuildExportData, NULL, MEM_RELEASE); ExporterCleanup(); return false; } @@ -246,7 +246,6 @@ __declspec(dllexport) bool TITCALL ExporterBuildExportTable(ULONG_PTR StorePlace } } } - VirtualFree(expBuildExportData, NULL, MEM_RELEASE); ExporterCleanup(); return true; } diff --git a/TitanEngine/TitanEngine.Handler.cpp b/TitanEngine/TitanEngine.Handler.cpp index 96db42e..b6ee0fc 100644 --- a/TitanEngine/TitanEngine.Handler.cpp +++ b/TitanEngine/TitanEngine.Handler.cpp 
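Review bot: `expBuildExportData = expBuildExportDyn.Allocate(ExporterEstimatedSize());` is used for pointer arithmetic on the very next line with no NULL check, so an allocation failure becomes a write through a small offset from NULL that the `__except` later in ExporterBuildExportTable converts into `false`. An explicit `if(expBuildExportData == NULL) { ExporterCleanup(); return false; }` matches what the exception path already does and avoids the fault. The function continues outside the hunk.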
@@ -2,25 +2,33 @@ #include "definitions.h" #include "Global.Handle.h" + +void NtQuerySysHandleInfo(DynBuf& buf) +{ + DynBuf QSB; + ULONG RequiredSize = NULL; + + QSB.Allocate(0x2000); + while(NtQuerySystemInformation(SystemHandleInformation, QSB.GetPtr(), QSB.Size(), &RequiredSize) == (NTSTATUS)0xC0000004L) + { + QSB.Allocate(RequiredSize); + } +} + + // TitanEngine.Handler.functions: __declspec(dllexport) long TITCALL HandlerGetActiveHandleCount(DWORD ProcessId) { - int HandleCount = NULL; - LPVOID QuerySystemBuffer; - ULONG QuerySystemBufferSize = 0x2000; - ULONG RequiredSize = NULL; - ULONG TotalHandleCount = NULL; - + int HandleCount = 0; + ULONG TotalHandleCount = 0; PNTDLL_QUERY_HANDLE_INFO HandleInfo; - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) - { - QuerySystemBufferSize = RequiredSize; - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - } + DynBuf hinfo; + NtQuerySysHandleInfo(hinfo); + LPVOID QuerySystemBuffer = hinfo.GetPtr(); + + RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; 
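Review bot: `NtQuerySysHandleInfo` never writes to its `buf` parameter — it allocates and queries into the local `QSB`, which is destroyed on return — so every caller's `hinfo.GetPtr()` refers to an unallocated DynBuf and `RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG)` reads through it. The helper also reports nothing back: a failure status other than STATUS_INFO_LENGTH_MISMATCH (0xC0000004) leaves the buffer contents undefined, and a `RequiredSize` of 0 would loop forever on a zero-length allocation. I would query into `buf` itself, stop on a zero or failed allocation, and return success so callers can bail with `if(!NtQuerySysHandleInfo(hinfo)) return 0;` before touching the buffer.
```cpp
// Fills buf with a SystemHandleInformation snapshot; false on failure.
bool NtQuerySysHandleInfo(DynBuf& buf)
{
    ULONG RequiredSize = 0;
    NTSTATUS status;

    if(!buf.Allocate(0x2000))
        return false;
    while((status = NtQuerySystemInformation(SystemHandleInformation, buf.GetPtr(), buf.Size(), &RequiredSize)) == (NTSTATUS)0xC0000004L)
    {
        // the table can grow between calls, so retry with the reported size;
        // a zero size would otherwise spin forever
        if(RequiredSize == 0 || !buf.Allocate(RequiredSize))
            return false;
    }
    return status >= 0; // NT_SUCCESS
}
```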
@@ -33,27 +41,19 @@ __declspec(dllexport) long TITCALL HandlerGetActiveHandleCount(DWORD ProcessId) HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); TotalHandleCount--; } - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - return(HandleCount); - return(NULL); + return(HandleCount); } __declspec(dllexport) bool TITCALL HandlerIsHandleOpen(DWORD ProcessId, HANDLE hHandle) { bool HandleActive = false; - LPVOID QuerySystemBuffer; - ULONG QuerySystemBufferSize = 0x2000; - ULONG RequiredSize = NULL; ULONG TotalHandleCount = NULL; PNTDLL_QUERY_HANDLE_INFO HandleInfo; - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) - { - QuerySystemBufferSize = RequiredSize; - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - } + DynBuf hinfo; + NtQuerySysHandleInfo(hinfo); + LPVOID QuerySystemBuffer = hinfo.GetPtr(); + RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; 
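Review bot: `QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);` in HandlerIsHandleOpen assumes the entry array starts immediately after the ULONG handle count. In the native SYSTEM_HANDLE_INFORMATION layout each entry carries a pointer-sized `Object` field, so on 64-bit builds the array is 8-byte aligned and begins at offset 8, not 4; if NTDLL_QUERY_HANDLE_INFO mirrors that layout (its definition is not in the diff), every entry is read 4 bytes off on x64. Replacing the literal with an offset derived from the actual header structure, e.g. `offsetof(NTDLL_QUERY_HANDLE_INFO_HEADER, Handles)` or equivalent, would remove the guess. The same `+ 4` appears in every Handler function touched by this commit.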
@@ -67,38 +67,29 @@ __declspec(dllexport) bool TITCALL HandlerIsHandleOpen(DWORD ProcessId, HANDLE h HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); TotalHandleCount--; } - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - if(HandleActive) - { - return true; - } - return false; + return HandleActive; } __declspec(dllexport) void* TITCALL HandlerGetHandleName(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, bool TranslateName) { bool NameFound = false; HANDLE myHandle = NULL; - LPVOID QuerySystemBuffer; - ULONG QuerySystemBufferSize = 0x2000; ULONG RequiredSize = NULL; ULONG TotalHandleCount = NULL; PNTDLL_QUERY_HANDLE_INFO HandleInfo; PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo; - LPVOID ObjectNameInfo = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); + char ObjectNameInfo[0x2000] = {0}; PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo; LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); LPVOID tmpHandleFullName = NULL; - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) - { - QuerySystemBufferSize = RequiredSize; - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - } + DynBuf hinfo; + NtQuerySysHandleInfo(hinfo); + LPVOID QuerySystemBuffer = hinfo.GetPtr(); + + RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; 
@@ -139,9 +130,6 @@ __declspec(dllexport) void* TITCALL HandlerGetHandleName(HANDLE hProcess, DWORD TotalHandleCount--; } - VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE); - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - if(!NameFound) { VirtualFree(HandleFullName, NULL, MEM_RELEASE); @@ -151,33 +139,26 @@ __declspec(dllexport) void* TITCALL HandlerGetHandleName(HANDLE hProcess, DWORD { return(HandleFullName); } - - return(NULL); } __declspec(dllexport) void* TITCALL HandlerGetHandleNameW(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, bool TranslateName) { bool NameFound = false; HANDLE myHandle = NULL; - LPVOID QuerySystemBuffer; - ULONG QuerySystemBufferSize = 0x2000; ULONG RequiredSize = NULL; ULONG TotalHandleCount = NULL; PNTDLL_QUERY_HANDLE_INFO HandleInfo; PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo; - LPVOID ObjectNameInfo = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); + char ObjectNameInfo[0x2000] = {0}; PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo; LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); LPVOID tmpHandleFullName = NULL; + DynBuf hinfo; + NtQuerySysHandleInfo(hinfo); + LPVOID QuerySystemBuffer = hinfo.GetPtr(); + - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) - { - QuerySystemBufferSize = RequiredSize; - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - } RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; 
@@ -219,9 +200,6 @@ __declspec(dllexport) void* TITCALL HandlerGetHandleNameW(HANDLE hProcess, DWORD TotalHandleCount--; } - VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE); - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - if(!NameFound) { VirtualFree(HandleFullName, NULL, MEM_RELEASE); @@ -238,21 +216,15 @@ __declspec(dllexport) long TITCALL HandlerEnumerateOpenHandles(DWORD ProcessId, { HANDLE myHandle = NULL; - LPVOID QuerySystemBuffer; ULONG RequiredSize = NULL; ULONG TotalHandleCount = NULL; unsigned int HandleCount = NULL; - ULONG QuerySystemBufferSize = 0x2000; PNTDLL_QUERY_HANDLE_INFO HandleInfo; + DynBuf hinfo; + NtQuerySysHandleInfo(hinfo); + LPVOID QuerySystemBuffer = hinfo.GetPtr(); - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) - { - QuerySystemBufferSize = RequiredSize; - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - } RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; 
@@ -268,35 +240,27 @@ __declspec(dllexport) long TITCALL HandlerEnumerateOpenHandles(DWORD ProcessId, HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); TotalHandleCount--; } - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); return(HandleCount); - - return(NULL); } __declspec(dllexport) long long TITCALL HandlerGetHandleDetails(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, DWORD InformationReturn) { HANDLE myHandle = NULL; - LPVOID QuerySystemBuffer; - ULONG QuerySystemBufferSize = 0x2000; ULONG RequiredSize = NULL; ULONG TotalHandleCount = NULL; PNTDLL_QUERY_HANDLE_INFO HandleInfo; PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo; - LPVOID HandleFullData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); + char HandleFullData[0x1000] = {0}; LPVOID HandleNameData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); PPUBLIC_OBJECT_TYPE_INFORMATION pObjectTypeInfo = (PPUBLIC_OBJECT_TYPE_INFORMATION)HandleFullData; bool DontFreeStringMemory = false; ULONG_PTR ReturnData = NULL; - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) - { - QuerySystemBufferSize = RequiredSize; - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - } + DynBuf hinfo; + NtQuerySysHandleInfo(hinfo); + LPVOID QuerySystemBuffer = hinfo.GetPtr(); + RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; 
@@ -325,7 +289,7 @@ __declspec(dllexport) long long TITCALL HandlerGetHandleDetails(HANDLE hProcess, //if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){ if(HandleInfo->GrantedAccess != 0x0012019F) { - RtlZeroMemory(HandleFullData, 0x1000); + RtlZeroMemory(HandleFullData, sizeof(HandleFullData)); NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize); NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize); RtlZeroMemory(HandleNameData, 0x1000); @@ -342,7 +306,7 @@ __declspec(dllexport) long long TITCALL HandlerGetHandleDetails(HANDLE hProcess, //if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){ if(HandleInfo->GrantedAccess != 0x0012019F) { - RtlZeroMemory(HandleFullData, 0x1000); + RtlZeroMemory(HandleFullData, sizeof(HandleFullData)); NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize); NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize); RtlZeroMemory(HandleNameData, 0x1000); @@ -366,16 +330,7 @@ __declspec(dllexport) long long TITCALL HandlerGetHandleDetails(HANDLE hProcess, { VirtualFree(HandleNameData, NULL, MEM_RELEASE); } - VirtualFree(HandleFullData, NULL, MEM_RELEASE); - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); return(ReturnData); - - if(!DontFreeStringMemory) - { - VirtualFree(HandleNameData, NULL, MEM_RELEASE); - } - VirtualFree(HandleFullData, NULL, MEM_RELEASE); - return(NULL); } __declspec(dllexport) bool TITCALL HandlerCloseRemoteHandle(HANDLE hProcess, HANDLE hHandle) { 
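Review bot: `NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize);` passes the length reported by the 8-byte probe call, not the capacity of `HandleFullData`, which this commit turns from a 0x1000 heap block into a 0x1000 stack array. A type-information record larger than 4 KiB therefore now overruns the stack frame of HandlerGetHandleDetails instead of a heap block. Guard the second call with `if(RequiredSize <= sizeof(HandleFullData))` in both places this hunk touches, and treat the oversize case as "no type info". HandlerGetHandleDetails extends outside the hunk.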
@@ -411,29 +366,24 @@ __declspec(dllexport) long TITCALL HandlerEnumerateLockHandlesW(wchar_t* szFileO HANDLE hProcess = NULL; HANDLE myHandle = NULL; HANDLE CopyHandle = NULL; - LPVOID QuerySystemBuffer; - ULONG QuerySystemBufferSize = 0x2000; ULONG RequiredSize = NULL; ULONG TotalHandleCount = NULL; DWORD LastProcessId = NULL; - PNTDLL_QUERY_HANDLE_INFO HandleInfo; PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo; - LPVOID ObjectNameInfo = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); + char ObjectNameInfo[0x2000] = {0}; PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo; - LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); + char HandleFullNameB[0x1000] = {0}; + LPVOID HandleFullName = HandleFullNameB; int LenFileOrFolderName = lstrlenW(szFileOrFolderName); LPVOID tmpHandleFullName = NULL; + DynBuf hinfo; + NtQuerySysHandleInfo(hinfo); + LPVOID QuerySystemBuffer = hinfo.GetPtr(); + - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) - { - QuerySystemBufferSize = RequiredSize; - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - } RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; @@ -469,7 +419,6 @@ __declspec(dllexport) long TITCALL HandlerEnumerateLockHandlesW(wchar_t* szFileO tmpHandleFullName = TranslateNativeNameW((wchar_t*)HandleFullName); if(tmpHandleFullName != NULL) { - VirtualFree(HandleFullName, NULL, MEM_RELEASE); HandleFullName = tmpHandleFullName; } } 
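Review bot: After `HandleFullName = tmpHandleFullName;` in the `@@ -469` hunk the string returned by TranslateNativeNameW is never released: the old code freed it through the function-end `VirtualFree(HandleFullName, ...)`, which this commit also removes because HandleFullName now starts life as the stack array `HandleFullNameB`. The reassignment also means that from that point `HandleFullName` is the heap string rather than the 0x1000 stack buffer, so any later iteration that fills HandleFullName (the loop body is outside the hunk) writes into memory whose size is not known here. Keep `HandleFullName` pointing at the stack array, use `tmpHandleFullName` for whatever follows the translation, and `VirtualFree(tmpHandleFullName, NULL, MEM_RELEASE);` once it has been consumed — VirtualFree is what the previous code used to release it.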
@@ -498,9 +447,7 @@ __declspec(dllexport) long TITCALL HandlerEnumerateLockHandlesW(wchar_t* szFileO HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); TotalHandleCount--; } - VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE); - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - VirtualFree(HandleFullName, NULL, MEM_RELEASE); + return(FoundHandles); } __declspec(dllexport) bool TITCALL HandlerCloseAllLockHandles(char* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated) 
@@ -525,27 +472,24 @@ __declspec(dllexport) bool TITCALL HandlerCloseAllLockHandlesW(wchar_t* szFileOr HANDLE hProcess = NULL; HANDLE myHandle = NULL; HANDLE CopyHandle = NULL; - LPVOID QuerySystemBuffer; - ULONG QuerySystemBufferSize = 0x2000; ULONG RequiredSize = NULL; ULONG TotalHandleCount = NULL; DWORD LastProcessId = NULL; PNTDLL_QUERY_HANDLE_INFO HandleInfo; PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo; - LPVOID ObjectNameInfo = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); + char ObjectNameInfo[0x2000] = {0}; PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo; - LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); + char HandleFullNameB[0x1000] = {0}; + LPVOID HandleFullName = HandleFullNameB; int LenFileOrFolderName = lstrlenW(szFileOrFolderName); LPVOID tmpHandleFullName = NULL; - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) - { - QuerySystemBufferSize = RequiredSize; - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - } + DynBuf hinfo; + NtQuerySysHandleInfo(hinfo); + LPVOID QuerySystemBuffer = hinfo.GetPtr(); + + RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; @@ -581,7 +525,6 @@ __declspec(dllexport) bool TITCALL HandlerCloseAllLockHandlesW(wchar_t* szFileOr tmpHandleFullName = TranslateNativeNameW((wchar_t*)HandleFullName); if(tmpHandleFullName != NULL) { - VirtualFree(HandleFullName, NULL, MEM_RELEASE); HandleFullName = tmpHandleFullName; } } 
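Review bot: HandlerCloseAllLockHandlesW has the same leak as HandlerEnumerateLockHandlesW: the `@@ -581` hunk drops the `VirtualFree` that preceded `HandleFullName = tmpHandleFullName;` (correct, since the buffer is now the stack array `HandleFullNameB`), but the following hunk also drops the function-end free, so each successful TranslateNativeNameW result is abandoned. Once HandleFullName has been swapped to the translated string, subsequent iterations no longer use the 0x1000 stack buffer at all; what they write into instead depends on code outside the hunk. Use a separate pointer for the translated name and release it per iteration with `VirtualFree(tmpHandleFullName, NULL, MEM_RELEASE);` after it is used, leaving `HandleFullName` on the stack array.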
@@ -607,18 +550,8 @@ __declspec(dllexport) bool TITCALL HandlerCloseAllLockHandlesW(wchar_t* szFileOr HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); TotalHandleCount--; } - VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE); - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - VirtualFree(HandleFullName, NULL, MEM_RELEASE); - if(AllHandled) - { - return true; - } - else - { - return false; - } + return AllHandled; } __declspec(dllexport) bool TITCALL HandlerIsFileLocked(char* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated) { 
@@ -641,27 +574,24 @@ __declspec(dllexport) bool TITCALL HandlerIsFileLockedW(wchar_t* szFileOrFolderN HANDLE hProcess = NULL; HANDLE myHandle = NULL; HANDLE CopyHandle = NULL; - LPVOID QuerySystemBuffer; - ULONG QuerySystemBufferSize = 0x2000; ULONG RequiredSize = NULL; ULONG TotalHandleCount = NULL; DWORD LastProcessId = NULL; PNTDLL_QUERY_HANDLE_INFO HandleInfo; PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo; - LPVOID ObjectNameInfo = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); + char ObjectNameInfo[0x2000] = {0}; PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo; - LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); + char HandleFullNameB[0x1000] = {0}; + LPVOID HandleFullName = HandleFullNameB; int LenFileOrFolderName = lstrlenW(szFileOrFolderName); LPVOID tmpHandleFullName = NULL; - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) - { - QuerySystemBufferSize = RequiredSize; - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - } + DynBuf hinfo; + NtQuerySysHandleInfo(hinfo); + LPVOID QuerySystemBuffer = hinfo.GetPtr(); + + RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; @@ -697,7 +627,6 @@ __declspec(dllexport) bool TITCALL HandlerIsFileLockedW(wchar_t* szFileOrFolderN tmpHandleFullName = TranslateNativeNameW((wchar_t*)HandleFullName); if(tmpHandleFullName != NULL) { - VirtualFree(HandleFullName, NULL, MEM_RELEASE); HandleFullName = tmpHandleFullName; } } 
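Review bot: `NtQuerySysHandleInfo(hinfo)` is called without checking its outcome, and `RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG)` then dereferences `hinfo.GetPtr()` unconditionally, so a failed handle enumeration crashes HandlerIsFileLockedW rather than returning false. Add `if(!NtQuerySysHandleInfo(hinfo) || hinfo.GetPtr() == NULL) return false;` after the call, matched to how the helper signals failure (not visible in this diff). In the second hunk, dropping `VirtualFree(HandleFullName, ...)` before `HandleFullName = tmpHandleFullName;` also means the TranslateNativeNameW result is no longer freed on any path once the end-of-function frees go away, if it is still heap-allocated. The function runs past the end of these hunks.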
@@ -710,9 +639,6 @@ __declspec(dllexport) bool TITCALL HandlerIsFileLockedW(wchar_t* szFileOrFolderN } if(lstrcmpiW((LPCWSTR)HandleFullName, szFileOrFolderName) == NULL) { - VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE); - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - VirtualFree(HandleFullName, NULL, MEM_RELEASE); EngineCloseHandle(myHandle); return true; } @@ -724,9 +650,6 @@ __declspec(dllexport) bool TITCALL HandlerIsFileLockedW(wchar_t* szFileOrFolderN HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); TotalHandleCount--; } - VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE); - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - VirtualFree(HandleFullName, NULL, MEM_RELEASE); return false; } 
@@ -736,25 +659,20 @@ __declspec(dllexport) long TITCALL HandlerEnumerateOpenMutexes(HANDLE hProcess, HANDLE myHandle = NULL; HANDLE copyHandle = NULL; - LPVOID QuerySystemBuffer; ULONG RequiredSize = NULL; ULONG TotalHandleCount = NULL; unsigned int HandleCount = NULL; - ULONG QuerySystemBufferSize = 0x2000; PNTDLL_QUERY_HANDLE_INFO HandleInfo; - LPVOID HandleFullData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); - LPVOID HandleNameData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); + char HandleFullData[0x1000] = {0}; + char HandleNameDataB[0x1000] = {0}; + LPVOID HandleNameData = HandleNameDataB; PPUBLIC_OBJECT_TYPE_INFORMATION pObjectTypeInfo = (PPUBLIC_OBJECT_TYPE_INFORMATION)HandleFullData; + DynBuf hinfo; + NtQuerySysHandleInfo(hinfo); + LPVOID QuerySystemBuffer = hinfo.GetPtr(); - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) - { - QuerySystemBufferSize = RequiredSize; - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - } RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; @@ -767,7 +685,7 @@ __declspec(dllexport) long TITCALL HandlerEnumerateOpenMutexes(HANDLE hProcess, { if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS)) { - RtlZeroMemory(HandleFullData, 0x1000); + RtlZeroMemory(HandleFullData, sizeof(HandleFullData)); NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize); NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize); RtlZeroMemory(HandleNameData, 0x1000); 
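Review bot: `NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize)` passes whatever length the 8-byte probe reported, but `HandleFullData` is now a fixed `char[0x1000]` on the stack, so a type record larger than 0x1000 bytes would be written past the end of the frame; with the old heap block this was a heap overrun, and the commit moves the target without bounding it. Guard the second call on the array: `if(RequiredSize <= sizeof(HandleFullData)) NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize);` and, because the buffer was zeroed just above, `TypeName.Length` stays 0 and the handle is simply skipped when the record does not fit. The adjacent `RtlZeroMemory(HandleNameData, 0x1000);` could use `sizeof(HandleNameDataB)` now that the array exists, as was done for HandleFullData. The enclosing loop and function continue outside this hunk.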
@@ -789,9 +707,6 @@ __declspec(dllexport) long TITCALL HandlerEnumerateOpenMutexes(HANDLE hProcess, HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); TotalHandleCount--; } - VirtualFree(HandleFullData, NULL, MEM_RELEASE); - VirtualFree(HandleNameData, NULL, MEM_RELEASE); - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); return(HandleCount); } @@ -816,7 +731,7 @@ __declspec(dllexport) long long TITCALL HandlerGetOpenMutexHandleW(HANDLE hProce return 0; int i; HANDLE myHandle; - LPVOID HandleBuffer = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); + char HandleBuffer[0x1000] = {0}; LPVOID cHandleBuffer = HandleBuffer; int OpenHandleCount = HandlerEnumerateOpenMutexes(hProcess, ProcessId, HandleBuffer, 0x1000 / sizeof HANDLE); wchar_t RealMutexName[512] = L"\\BaseNamedObjects\\"; @@ -833,14 +748,12 @@ __declspec(dllexport) long long TITCALL HandlerGetOpenMutexHandleW(HANDLE hProce { if(lstrcmpiW(HandleName, RealMutexName) == NULL) { - VirtualFree(HandleBuffer, NULL, MEM_RELEASE); return((ULONG_PTR)myHandle); } } cHandleBuffer = (LPVOID)((ULONG_PTR)cHandleBuffer + sizeof HANDLE); } } - VirtualFree(HandleBuffer, NULL, MEM_RELEASE); return(NULL); } __declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutex(char* szMutexString) 
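Review bot: `HandlerEnumerateOpenMutexes(hProcess, ProcessId, HandleBuffer, 0x1000 / sizeof HANDLE)` still derives the capacity from the literal even though `HandleBuffer` is now a `char[0x1000]` declared two lines above; `sizeof(HandleBuffer) / sizeof(HANDLE)` keeps the capacity tied to the array so a later resize cannot silently overrun it. Minor, but the rest of the commit already switched the Handler functions' zeroing calls to `sizeof(...)` for the same reason. HandlerGetOpenMutexHandleW continues past this hunk.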
@@ -865,28 +778,24 @@ __declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutexW(wchar_t HANDLE hProcess = NULL; DWORD ReturnData = NULL; HANDLE myHandle = NULL; - LPVOID QuerySystemBuffer; ULONG RequiredSize = NULL; DWORD LastProcessId = NULL; ULONG TotalHandleCount = NULL; - ULONG QuerySystemBufferSize = 0x2000; PNTDLL_QUERY_HANDLE_INFO HandleInfo; - LPVOID HandleFullData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); - LPVOID HandleNameData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); + char HandleFullData[0x1000] = {0}; + char HandleNameData[0x1000] = {0}; PPUBLIC_OBJECT_TYPE_INFORMATION pObjectTypeInfo = (PPUBLIC_OBJECT_TYPE_INFORMATION)HandleFullData; - LPVOID ObjectNameInfo = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); + char ObjectNameInfo[0x2000] = {0}; PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo; wchar_t RealMutexName[512] = L"\\BaseNamedObjects\\"; lstrcatW(RealMutexName, szMutexString); - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) - { - QuerySystemBufferSize = RequiredSize; - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - } + + DynBuf hinfo; + NtQuerySysHandleInfo(hinfo); + LPVOID QuerySystemBuffer = hinfo.GetPtr(); + RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; 
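Review bot: `NtQuerySysHandleInfo(hinfo)` is not checked before `RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG)` reads from `hinfo.GetPtr()`, so a failed or denied SystemHandleInformation query turns into a NULL dereference in HandlerGetProcessIdWhichCreatedMutexW; add `if(!NtQuerySysHandleInfo(hinfo) || hinfo.GetPtr() == NULL) return ReturnData;` right after the call, shaped to however the helper reports failure (its body is outside this hunk). While here, the context line `lstrcatW(RealMutexName, szMutexString);` appends a caller-supplied string into the 512-wchar `RealMutexName` with no length check; `lstrcpynW` into the remaining space (or rejecting names longer than the array) would close that. The function continues past the end of this hunk.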
@@ -908,10 +817,10 @@ __declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutexW(wchar_t { if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS)) { - RtlZeroMemory(HandleFullData, 0x1000); + RtlZeroMemory(HandleFullData, sizeof(HandleFullData)); NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize); NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize); - RtlZeroMemory(HandleNameData, 0x1000); + RtlZeroMemory(HandleNameData, sizeof(HandleNameData)); if(pObjectTypeInfo->TypeName.Length != NULL) { //WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectTypeInfo->TypeName.Buffer, -1, (LPSTR)HandleNameData, 0x1000, NULL, NULL); @@ -920,10 +829,9 @@ __declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutexW(wchar_t { NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize); NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize); - RtlZeroMemory(HandleNameData, 0x1000); + RtlZeroMemory(HandleNameData, sizeof(HandleNameData)); if(pObjectNameInfo->Name.Length != NULL) { - RtlZeroMemory(HandleNameData, 0x1000); //WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectNameInfo->Name.Buffer, -1, (LPSTR)HandleNameData, 0x1000, NULL, NULL); lstrcpyW((wchar_t*)HandleNameData, (wchar_t*)pObjectNameInfo->Name.Buffer); if(lstrcmpiW((LPCWSTR)HandleNameData, RealMutexName) == NULL) @@ -941,10 +849,6 @@ __declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutexW(wchar_t HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); TotalHandleCount--; } - VirtualFree(HandleFullData, NULL, MEM_RELEASE); - VirtualFree(HandleNameData, NULL, MEM_RELEASE); - VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE); - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); return(ReturnData); } 
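Review bot: In the second hunk, `NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize)` writes up to the probed length into `ObjectNameInfo`, which this commit turns into a fixed `char[0x2000]` on the stack; NT object names can be much longer than that, so an oversized name is now a stack-buffer overflow where it used to be a heap overrun. Guard the second call on the array size, `if(RequiredSize <= sizeof(ObjectNameInfo)) NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize); else pObjectNameInfo->Name.Length = 0;` — the explicit reset matters because ObjectNameInfo is not re-zeroed per handle and would otherwise carry the previous iteration's name. The following `lstrcpyW((wchar_t*)HandleNameData, (wchar_t*)pObjectNameInfo->Name.Buffer)` has the same shape: `Name` is a UNICODE_STRING whose buffer is not guaranteed NUL-terminated and `HandleNameData` is 0x1000 bytes, so copy at most `Name.Length / sizeof(wchar_t)` characters capped at `sizeof(HandleNameData) / sizeof(wchar_t) - 1` and terminate explicitly. The ObjectTypeInformation query into `HandleFullData` in the first hunk needs the same bound against `sizeof(HandleFullData)`.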
diff --git a/TitanEngine/TitanEngine.PE.Section.cpp b/TitanEngine/TitanEngine.PE.Section.cpp index 50678a9..00040e8 100644 --- a/TitanEngine/TitanEngine.PE.Section.cpp +++ b/TitanEngine/TitanEngine.PE.Section.cpp @@ -165,6 +165,7 @@ __declspec(dllexport) bool TITCALL ResortFileSectionsW(wchar_t* szFileName) ULONG_PTR fileSectionData[MAXIMUM_SECTION_NUMBER][3]; ULONG_PTR fileSectionTemp; LPVOID sortedFileName; + DynBuf sortedFileNameBuf; if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof szBackupItem)) { @@ -202,7 +203,7 @@ __declspec(dllexport) bool TITCALL ResortFileSectionsW(wchar_t* szFileName) } if(!FileIs64) { - sortedFileName = VirtualAlloc(NULL, FileSize, MEM_COMMIT, PAGE_READWRITE); + sortedFileName = sortedFileNameBuf.Allocate(FileSize); __try { RtlMoveMemory(sortedFileName, (LPVOID)FileMapVA, FileSize); @@ -242,7 +243,6 @@ __declspec(dllexport) bool TITCALL ResortFileSectionsW(wchar_t* szFileName) } RtlMoveMemory((LPVOID)FileMapVA, sortedFileName, FileSize); UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - VirtualFree(sortedFileName, NULL, MEM_RELEASE); if(szBackupItem[0] != NULL) { if(CopyFileW(szBackupFile, szFileName, false)) @@ -264,14 +264,13 @@ __declspec(dllexport) bool TITCALL ResortFileSectionsW(wchar_t* szFileName) __except(EXCEPTION_EXECUTE_HANDLER) { UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - VirtualFree(sortedFileName, NULL, MEM_RELEASE); RemoveGarbageItem(szBackupItem, true); return false; } } else { - sortedFileName = VirtualAlloc(NULL, FileSize, MEM_COMMIT, PAGE_READWRITE); + sortedFileName = sortedFileNameBuf.Allocate(FileSize); __try { RtlMoveMemory(sortedFileName, (LPVOID)FileMapVA, FileSize); 
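Review bot: `sortedFileName = sortedFileNameBuf.Allocate(FileSize);` is never checked; if Allocate returns NULL on failure (DynBuf is not defined in this diff) the `RtlMoveMemory(sortedFileName, (LPVOID)FileMapVA, FileSize)` inside the __try faults and only reaches cleanup via the `__except` handler, which works but disguises an ordinary allocation failure as an access violation. Prefer an explicit `if(sortedFileName == NULL) { UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); RemoveGarbageItem(szBackupItem, true); return false; }` ahead of the __try, mirroring what the __except path already does; the 64-bit branch in the last hunk of this file needs the same check. ResortFileSectionsW starts before and ends after these hunks.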
@@ -311,7 +310,6 @@ __declspec(dllexport) bool TITCALL ResortFileSectionsW(wchar_t* szFileName) } RtlMoveMemory((LPVOID)FileMapVA, sortedFileName, FileSize); UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - VirtualFree(sortedFileName, NULL, MEM_RELEASE); if(szBackupItem[0] != NULL) { if(CopyFileW(szBackupFile, szFileName, false)) @@ -333,7 +331,6 @@ __declspec(dllexport) bool TITCALL ResortFileSectionsW(wchar_t* szFileName) __except(EXCEPTION_EXECUTE_HANDLER) { UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - VirtualFree(sortedFileName, NULL, MEM_RELEASE); RemoveGarbageItem(szBackupItem, true); return false; } diff --git a/TitanEngine/TitanEngine.PE.cpp b/TitanEngine/TitanEngine.PE.cpp index bc4d1ee..ab88f74 100644 --- a/TitanEngine/TitanEngine.PE.cpp +++ b/TitanEngine/TitanEngine.PE.cpp @@ -35,7 +35,8 @@ __declspec(dllexport) bool TITCALL PastePEHeaderW(HANDLE hProcess, LPVOID ImageB BOOL FileIs64 = false; HANDLE hFile = 0; SIZE_T CalculatedHeaderSize = NULL; - LPVOID ueReadBuffer = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); + DynBuf ueReadBuf; + LPVOID ueReadBuffer = ueReadBuf.Allocate(0x2000); DWORD OldProtect = PAGE_READWRITE; hFile = CreateFileW(szDebuggedFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); @@ -63,12 +64,10 @@ __declspec(dllexport) bool TITCALL PastePEHeaderW(HANDLE hProcess, LPVOID ImageB if(CalculatedHeaderSize > 0x1000) { SetFilePointer(hFile, NULL, NULL, FILE_BEGIN); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); - ueReadBuffer = VirtualAlloc(NULL, CalculatedHeaderSize, MEM_COMMIT, PAGE_READWRITE); + ueReadBuffer = ueReadBuf.Allocate(CalculatedHeaderSize); if(!ReadFile(hFile, ueReadBuffer, (DWORD)CalculatedHeaderSize, &uedNumberOfBytesRead, NULL)) { EngineCloseHandle(hFile); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return false; } } 
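Review bot: `ueReadBuffer = ueReadBuf.Allocate(CalculatedHeaderSize);` calls Allocate a second time on the DynBuf that already holds the 0x2000-byte block from the top of PastePEHeaderW; whether the second call releases the first block or simply drops it depends on DynBuf, whose definition is not in this diff, so please confirm Allocate is safe to call twice on one object (the old code freed explicitly in between). The result also goes straight into ReadFile without a NULL check, unlike the `if(!TraceMemory)` guard after the same call in TracerDetectRedirection later in this diff; add `if(ueReadBuffer == NULL) { EngineCloseHandle(hFile); return false; }` before the read. The function continues below this hunk.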
@@ -91,7 +90,6 @@ __declspec(dllexport) bool TITCALL PastePEHeaderW(HANDLE hProcess, LPVOID ImageB else { EngineCloseHandle(hFile); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return false; } if(!FileIs64) @@ -103,20 +101,17 @@ __declspec(dllexport) bool TITCALL PastePEHeaderW(HANDLE hProcess, LPVOID ImageB { EngineCloseHandle(hFile); VirtualProtectEx(hProcess, ImageBase, PEHeaderSize, OldProtect, &OldProtect); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return true; } else { EngineCloseHandle(hFile); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return false; } } else { EngineCloseHandle(hFile); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return false; } } @@ -129,20 +124,17 @@ __declspec(dllexport) bool TITCALL PastePEHeaderW(HANDLE hProcess, LPVOID ImageB { EngineCloseHandle(hFile); VirtualProtectEx(hProcess, ImageBase, PEHeaderSize, OldProtect, &OldProtect); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return true; } else { EngineCloseHandle(hFile); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return false; } } else { EngineCloseHandle(hFile); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return false; } } @@ -150,21 +142,18 @@ __declspec(dllexport) bool TITCALL PastePEHeaderW(HANDLE hProcess, LPVOID ImageB else { EngineCloseHandle(hFile); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return false; } } else { EngineCloseHandle(hFile); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return false; } } else { EngineCloseHandle(hFile); - VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); return false; } return false; diff --git a/TitanEngine/TitanEngine.Relocator.cpp b/TitanEngine/TitanEngine.Relocator.cpp index 058c5c7..cd9fa24 100644 --- a/TitanEngine/TitanEngine.Relocator.cpp +++ b/TitanEngine/TitanEngine.Relocator.cpp @@ -258,6 +258,7 @@ __declspec(dllexport) bool TITCALL RelocaterGrabRelocationTableEx(HANDLE hProces DWORD RelocationBase = NULL; DWORD RelocationSize = NULL; DWORD OldProtect; + DynBuf mem; if(RelocationData != NULL) { 
@@ -269,7 +270,7 @@ __declspec(dllexport) bool TITCALL RelocaterGrabRelocationTableEx(HANDLE hProces MemorySize = MemInfo.RegionSize; } VirtualProtectEx(hProcess, (LPVOID)MemoryStart, MemorySize, PAGE_EXECUTE_READWRITE, &OldProtect); - ReadMemoryStorage = VirtualAlloc(NULL, MemorySize, MEM_COMMIT, PAGE_READWRITE); + ReadMemoryStorage = mem.Allocate(MemorySize); mReadMemoryStorage = ReadMemoryStorage; if(ReadProcessMemory(hProcess, (LPVOID)MemoryStart, ReadMemoryStorage, MemorySize, &ueNumberOfBytesRead)) { @@ -281,12 +282,10 @@ __declspec(dllexport) bool TITCALL RelocaterGrabRelocationTableEx(HANDLE hProces RtlMoveMemory(&RelocationBase, ReadMemoryStorage, 4); RtlMoveMemory(&RelocationSize, (LPVOID)((ULONG_PTR)ReadMemoryStorage + 4), 4); } - VirtualFree(mReadMemoryStorage, NULL, MEM_RELEASE); return(RelocaterGrabRelocationTable(hProcess, MemoryStart, (DWORD)((ULONG_PTR)ReadMemoryStorage - (ULONG_PTR)mReadMemoryStorage))); } else { - VirtualFree(ReadMemoryStorage, NULL, MEM_RELEASE); return false; } } diff --git a/TitanEngine/TitanEngine.Tracer.cpp b/TitanEngine/TitanEngine.Tracer.cpp index e8ddb9f..4743eae 100644 --- a/TitanEngine/TitanEngine.Tracer.cpp +++ b/TitanEngine/TitanEngine.Tracer.cpp @@ -16,6 +16,7 @@ static long long EngineGlobalTracerHandler1(HANDLE hProcess, ULONG_PTR AddressTo int LengthOfValidInstruction = 0; int CurrentNumberOfInstructions = 0; MEMORY_BASIC_INFORMATION MemInfo; + DynBuf tracmem; LPVOID TraceMemory, cTraceMemory; ULONG_PTR ueNumberOfBytesRead = NULL; DWORD LastPushValue = NULL; @@ -41,7 +42,7 @@ static long long EngineGlobalTracerHandler1(HANDLE hProcess, ULONG_PTR AddressTo { memSize = 0x4000; } - TraceMemory = VirtualAlloc(NULL, memSize, MEM_COMMIT, PAGE_READWRITE); + TraceMemory = tracmem.Allocate(memSize); cTraceMemory = TraceMemory; if(ReadProcessMemory(hProcess, (LPVOID)MemInfo.BaseAddress, TraceMemory, memSize, &ueNumberOfBytesRead)) { 
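Review bot: Neither return path in the `@@ -281` hunk restores the page protection that `VirtualProtectEx(hProcess, (LPVOID)MemoryStart, MemorySize, PAGE_EXECUTE_READWRITE, &OldProtect)` in the hunk above changed, so the debuggee's relocation region is left RWX after the table has been read, unless RelocaterGrabRelocationTable restores it, which is not visible here. Since `OldProtect` is already captured, `VirtualProtectEx(hProcess, (LPVOID)MemoryStart, MemorySize, OldProtect, &OldProtect);` before the `return(RelocaterGrabRelocationTable(...))` and before the `return false;` would close that; ReadProcessMemory only needs the pages readable, so the RWX upgrade itself looks larger than necessary. Separately, `mem.Allocate(MemorySize)` is unchecked and a NULL buffer only reaches `return false` because ReadProcessMemory rejects it, which is worth making explicit. RelocaterGrabRelocationTableEx starts before these hunks.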
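Review bot: `TraceMemory = tracmem.Allocate(memSize);` in EngineGlobalTracerHandler1 is used without a NULL check, whereas the same allocation in TracerDetectRedirection later in this diff is followed by `if(!TraceMemory) { return (NULL); }`; here a failed allocation only fails soft because `ReadProcessMemory` rejects a NULL destination and control drops into the else branch. Make the two sites consistent and the failure explicit with `if(TraceMemory == NULL) return NULL;` immediately after the Allocate, using whatever this handler's "no result" value is (its return statements are outside the hunk). The function starts and ends outside this hunk.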
@@ -491,7 +492,6 @@ static long long EngineGlobalTracerHandler1(HANDLE hProcess, ULONG_PTR AddressTo } TraceStartAddress = TraceStartAddress + CurrentInstructionSize; } - VirtualFree(TraceMemory, NULL, MEM_RELEASE); if(!HashInstructions) { if(FoundValidAPI == true) @@ -518,7 +518,6 @@ static long long EngineGlobalTracerHandler1(HANDLE hProcess, ULONG_PTR AddressTo } else { - VirtualFree(TraceMemory, NULL, MEM_RELEASE); } } } @@ -717,6 +716,7 @@ __declspec(dllexport) long TITCALL TracerDetectRedirection(HANDLE hProcess, ULON DWORD MemoryHash = NULL; DWORD MaximumReadSize = 0; DWORD TestAddressX86; + DynBuf tracemem; LPVOID TraceMemory; bool HashCheck = false; @@ -735,7 +735,7 @@ __declspec(dllexport) long TITCALL TracerDetectRedirection(HANDLE hProcess, ULON } if(sizeof HANDLE == 4) { - TraceMemory = VirtualAlloc(NULL, MaximumReadSize, MEM_COMMIT, PAGE_READWRITE); + TraceMemory = tracemem.Allocate(MaximumReadSize); if(!TraceMemory) { return (NULL); @@ -1104,12 +1104,10 @@ __declspec(dllexport) long TITCALL TracerDetectRedirection(HANDLE hProcess, ULON } } } - VirtualFree(TraceMemory, NULL, MEM_RELEASE); return(KnownRedirectionIndex); } else { - VirtualFree(TraceMemory, NULL, MEM_RELEASE); } } }
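Review bot: Removing `VirtualFree(TraceMemory, NULL, MEM_RELEASE);` from the else branch in the `@@ -518` hunk leaves an empty `else { }` behind, and the `@@ -1104` hunk at the end of TracerDetectRedirection does the same; an empty else reads as a forgotten cleanup to the next maintainer. Drop the `else` and its braces in both places, or if the branch is meant to mark the failed ReadProcessMemory case, leave a one-line comment there such as `// read failed: nothing to free, the DynBuf is released on scope exit`. The DynBuf change itself is sound here: the buffer now outlives the read and is released on every return path.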