drop VirtualProtect in favor of a DynamicBuffer

deepzero 2014-03-08 14:47:04 +01:00
parent 772c6dbeda
commit 68a5a4b7a0
10 changed files with 127 additions and 312 deletions


@ -304,6 +304,7 @@ __declspec(dllexport) bool TITCALL SetAPIBreakPoint(const char* szDLLName, const
int currentInstructionLen = NULL; int currentInstructionLen = NULL;
bool ModuleLoaded = false; bool ModuleLoaded = false;
void* CmdBuffer = NULL; void* CmdBuffer = NULL;
DynBuf CmdBuf;
bool RemovedBpx = false; bool RemovedBpx = false;
if(szDLLName != NULL && szAPIName != NULL) if(szDLLName != NULL && szAPIName != NULL)
@ -322,14 +323,13 @@ __declspec(dllexport) bool TITCALL SetAPIBreakPoint(const char* szDLLName, const
APIAddress = (ULONG_PTR)EngineGlobalAPIHandler(dbgProcessInformation.hProcess, NULL, NULL, szAPIName, UE_OPTION_IMPORTER_RETURN_APIADDRESS); APIAddress = (ULONG_PTR)EngineGlobalAPIHandler(dbgProcessInformation.hProcess, NULL, NULL, szAPIName, UE_OPTION_IMPORTER_RETURN_APIADDRESS);
if(APIAddress != NULL) if(APIAddress != NULL)
{ {
CmdBuffer = VirtualAlloc(NULL, ReadMemSize, MEM_COMMIT, PAGE_READWRITE); CmdBuffer = CmdBuf.Allocate(ReadMemSize);
while(ReadProcessMemory(dbgProcessInformation.hProcess, (void*)APIAddress, CmdBuffer, ReadMemSize, &ueNumberOfReadWrite) == false && ReadMemSize > NULL) while(ReadProcessMemory(dbgProcessInformation.hProcess, (void*)APIAddress, CmdBuffer, ReadMemSize, &ueNumberOfReadWrite) == false && ReadMemSize > NULL)
{ {
ReadMemSize = ReadMemSize - (MAXIMUM_INSTRUCTION_SIZE * 10); ReadMemSize = ReadMemSize - (MAXIMUM_INSTRUCTION_SIZE * 10);
} }
if(ReadMemSize == NULL) if(ReadMemSize == NULL)
{ {
VirtualFree(CmdBuffer, NULL, MEM_RELEASE);
APIAddress = NULL; APIAddress = NULL;
} }
else else
@ -402,10 +402,6 @@ __declspec(dllexport) bool TITCALL SetAPIBreakPoint(const char* szDLLName, const
{ {
FreeLibrary(hModule); FreeLibrary(hModule);
} }
if(CmdBuffer != NULL)
{
VirtualFree(CmdBuffer, NULL, MEM_RELEASE);
}
return false; return false;
} }
} }
@ -417,13 +413,6 @@ __declspec(dllexport) bool TITCALL SetAPIBreakPoint(const char* szDLLName, const
FreeLibrary(hModule); FreeLibrary(hModule);
} }
} }
else
{
if(CmdBuffer != NULL)
{
VirtualFree(CmdBuffer, NULL, MEM_RELEASE);
}
}
return SetBPX(APIAddress, bpxType, bpxCallBack); return SetBPX(APIAddress, bpxType, bpxCallBack);
} }
else else
@ -435,13 +424,6 @@ __declspec(dllexport) bool TITCALL SetAPIBreakPoint(const char* szDLLName, const
FreeLibrary(hModule); FreeLibrary(hModule);
} }
} }
else
{
if(CmdBuffer != NULL)
{
VirtualFree(CmdBuffer, NULL, MEM_RELEASE);
}
}
return false; return false;
} }
} }
@ -465,6 +447,7 @@ __declspec(dllexport) bool TITCALL DeleteAPIBreakPoint(const char* szDLLName, co
int currentInstructionLen = NULL; int currentInstructionLen = NULL;
bool ModuleLoaded = false; bool ModuleLoaded = false;
void* CmdBuffer = NULL; void* CmdBuffer = NULL;
DynBuf CmdBuf;
bool RemovedBpx = false; bool RemovedBpx = false;
if(szDLLName != NULL && szAPIName != NULL) if(szDLLName != NULL && szAPIName != NULL)
@ -483,14 +466,13 @@ __declspec(dllexport) bool TITCALL DeleteAPIBreakPoint(const char* szDLLName, co
APIAddress = (ULONG_PTR)EngineGlobalAPIHandler(dbgProcessInformation.hProcess, NULL, NULL, szAPIName, UE_OPTION_IMPORTER_RETURN_APIADDRESS); APIAddress = (ULONG_PTR)EngineGlobalAPIHandler(dbgProcessInformation.hProcess, NULL, NULL, szAPIName, UE_OPTION_IMPORTER_RETURN_APIADDRESS);
if(APIAddress != NULL) if(APIAddress != NULL)
{ {
CmdBuffer = VirtualAlloc(NULL, ReadMemSize, MEM_COMMIT, PAGE_READWRITE); CmdBuffer = CmdBuf.Allocate(ReadMemSize);
while(ReadProcessMemory(dbgProcessInformation.hProcess, (void*)APIAddress, CmdBuffer, ReadMemSize, &ueNumberOfReadWrite) == false && ReadMemSize > NULL) while(ReadProcessMemory(dbgProcessInformation.hProcess, (void*)APIAddress, CmdBuffer, ReadMemSize, &ueNumberOfReadWrite) == false && ReadMemSize > NULL)
{ {
ReadMemSize = ReadMemSize - (MAXIMUM_INSTRUCTION_SIZE * 10); ReadMemSize = ReadMemSize - (MAXIMUM_INSTRUCTION_SIZE * 10);
} }
if(ReadMemSize == NULL) if(ReadMemSize == NULL)
{ {
VirtualFree(CmdBuffer, NULL, MEM_RELEASE);
APIAddress = NULL; APIAddress = NULL;
} }
else else
@ -563,10 +545,6 @@ __declspec(dllexport) bool TITCALL DeleteAPIBreakPoint(const char* szDLLName, co
{ {
FreeLibrary(hModule); FreeLibrary(hModule);
} }
if(CmdBuffer != NULL)
{
VirtualFree(CmdBuffer, NULL, MEM_RELEASE);
}
return false; return false;
} }
} }
@ -578,13 +556,6 @@ __declspec(dllexport) bool TITCALL DeleteAPIBreakPoint(const char* szDLLName, co
FreeLibrary(hModule); FreeLibrary(hModule);
} }
} }
else
{
if(CmdBuffer != NULL)
{
VirtualFree(CmdBuffer, NULL, MEM_RELEASE);
}
}
return(DeleteBPX(APIAddress)); return(DeleteBPX(APIAddress));
} }
else else
@ -596,13 +567,6 @@ __declspec(dllexport) bool TITCALL DeleteAPIBreakPoint(const char* szDLLName, co
FreeLibrary(hModule); FreeLibrary(hModule);
} }
} }
else
{
if(CmdBuffer != NULL)
{
VirtualFree(CmdBuffer, NULL, MEM_RELEASE);
}
}
return false; return false;
} }
} }
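Review bot: In SetAPIBreakPoint the result of `CmdBuf.Allocate(ReadMemSize)` goes straight into ReadProcessMemory without a null check, and DeleteAPIBreakPoint repeats the pattern. DynBuf is not defined on this page, so it is an assumption that Allocate can return NULL, but the `ueReadBuffer &&` guard this commit adds in MatchPatternEx suggests it can. If so, a failed allocation is only handled if the shrink loop happens to land on exactly zero, which depends on ReadMemSize's type and starting value (neither visible here). Treat it like the existing `ReadMemSize == NULL` case, e.g. `if(CmdBuffer == NULL) { APIAddress = NULL; }` ahead of the read loop, which then has to be skipped. The same unchecked Allocate appears in ReplaceEx, DisassembleEx, LengthDisassembleEx, DumpProcessW and ExporterBuildExportTable; all of these functions extend beyond the visible hunks.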


@ -10,6 +10,7 @@ __declspec(dllexport) bool TITCALL MatchPatternEx(HANDLE hProcess, void* MemoryT
int i = 0; int i = 0;
BYTE intWildCard = 0; BYTE intWildCard = 0;
LPVOID ueReadBuffer = NULL; LPVOID ueReadBuffer = NULL;
DynBuf ueReadBuf;
ULONG_PTR ueNumberOfBytesRead = NULL; ULONG_PTR ueNumberOfBytesRead = NULL;
MEMORY_BASIC_INFORMATION memoryInformation = {}; MEMORY_BASIC_INFORMATION memoryInformation = {};
PMEMORY_COMPARE_HANDLER memCmp = (PMEMORY_COMPARE_HANDLER)MemoryToCheck; PMEMORY_COMPARE_HANDLER memCmp = (PMEMORY_COMPARE_HANDLER)MemoryToCheck;
@ -23,8 +24,8 @@ __declspec(dllexport) bool TITCALL MatchPatternEx(HANDLE hProcess, void* MemoryT
{ {
if(hProcess != GetCurrentProcess()) if(hProcess != GetCurrentProcess())
{ {
ueReadBuffer = VirtualAlloc(NULL, SizeOfMemoryToCheck, MEM_COMMIT, PAGE_READWRITE); ueReadBuffer = ueReadBuf.Allocate(SizeOfMemoryToCheck);
if(!ReadProcessMemory(hProcess, MemoryToCheck, ueReadBuffer, SizeOfMemoryToCheck, &ueNumberOfBytesRead)) if(ueReadBuffer && !ReadProcessMemory(hProcess, MemoryToCheck, ueReadBuffer, SizeOfMemoryToCheck, &ueNumberOfBytesRead))
{ {
if(ueNumberOfBytesRead == NULL) if(ueNumberOfBytesRead == NULL)
{ {
@ -33,7 +34,6 @@ __declspec(dllexport) bool TITCALL MatchPatternEx(HANDLE hProcess, void* MemoryT
SizeOfMemoryToCheck = (int)((ULONG_PTR)memoryInformation.BaseAddress + memoryInformation.RegionSize - (ULONG_PTR)MemoryToCheck); SizeOfMemoryToCheck = (int)((ULONG_PTR)memoryInformation.BaseAddress + memoryInformation.RegionSize - (ULONG_PTR)MemoryToCheck);
if(!ReadProcessMemory(hProcess, MemoryToCheck, ueReadBuffer, SizeOfMemoryToCheck, &ueNumberOfBytesRead)) if(!ReadProcessMemory(hProcess, MemoryToCheck, ueReadBuffer, SizeOfMemoryToCheck, &ueNumberOfBytesRead))
{ {
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return(NULL); return(NULL);
} }
else else
@ -43,7 +43,6 @@ __declspec(dllexport) bool TITCALL MatchPatternEx(HANDLE hProcess, void* MemoryT
} }
else else
{ {
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return(NULL); return(NULL);
} }
} }
@ -68,12 +67,10 @@ __declspec(dllexport) bool TITCALL MatchPatternEx(HANDLE hProcess, void* MemoryT
SizeOfPatternToMatch--; SizeOfPatternToMatch--;
i++; i++;
} }
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return true; return true;
} }
__except(EXCEPTION_EXECUTE_HANDLER) __except(EXCEPTION_EXECUTE_HANDLER)
{ {
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return false; return false;
} }
} }
@ -101,6 +98,7 @@ __declspec(dllexport) long long TITCALL FindEx(HANDLE hProcess, LPVOID MemorySta
int j = NULL; int j = NULL;
ULONG_PTR Return = NULL; ULONG_PTR Return = NULL;
LPVOID ueReadBuffer = NULL; LPVOID ueReadBuffer = NULL;
DynBuf ueReadBuf;
PUCHAR SearchBuffer = NULL; PUCHAR SearchBuffer = NULL;
PUCHAR CompareBuffer = NULL; PUCHAR CompareBuffer = NULL;
MEMORY_BASIC_INFORMATION memoryInformation = {}; MEMORY_BASIC_INFORMATION memoryInformation = {};
@ -117,8 +115,8 @@ __declspec(dllexport) long long TITCALL FindEx(HANDLE hProcess, LPVOID MemorySta
{ {
if(hProcess != GetCurrentProcess()) if(hProcess != GetCurrentProcess())
{ {
ueReadBuffer = VirtualAlloc(NULL, MemorySize, MEM_COMMIT, PAGE_READWRITE); ueReadBuffer = ueReadBuf.Allocate(MemorySize);
if(!ReadProcessMemory(hProcess, MemoryStart, ueReadBuffer, MemorySize, &ueNumberOfBytesRead)) if(ueReadBuffer && !ReadProcessMemory(hProcess, MemoryStart, ueReadBuffer, MemorySize, &ueNumberOfBytesRead))
{ {
if(ueNumberOfBytesRead == NULL) if(ueNumberOfBytesRead == NULL)
{ {
@ -127,7 +125,6 @@ __declspec(dllexport) long long TITCALL FindEx(HANDLE hProcess, LPVOID MemorySta
MemorySize = (DWORD)((ULONG_PTR)memoryInformation.BaseAddress + memoryInformation.RegionSize - (ULONG_PTR)MemoryStart); MemorySize = (DWORD)((ULONG_PTR)memoryInformation.BaseAddress + memoryInformation.RegionSize - (ULONG_PTR)MemoryStart);
if(!ReadProcessMemory(hProcess, MemoryStart, ueReadBuffer, MemorySize, &ueNumberOfBytesRead)) if(!ReadProcessMemory(hProcess, MemoryStart, ueReadBuffer, MemorySize, &ueNumberOfBytesRead))
{ {
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return(NULL); return(NULL);
} }
else else
@ -137,7 +134,6 @@ __declspec(dllexport) long long TITCALL FindEx(HANDLE hProcess, LPVOID MemorySta
} }
else else
{ {
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return(NULL); return(NULL);
} }
} }
@ -172,12 +168,10 @@ __declspec(dllexport) long long TITCALL FindEx(HANDLE hProcess, LPVOID MemorySta
Return = (ULONG_PTR)MemoryStart + i; Return = (ULONG_PTR)MemoryStart + i;
} }
} }
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return(Return); return(Return);
} }
__except(EXCEPTION_EXECUTE_HANDLER) __except(EXCEPTION_EXECUTE_HANDLER)
{ {
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return(NULL); return(NULL);
} }
} }
@ -313,7 +307,8 @@ __declspec(dllexport) bool TITCALL ReplaceEx(HANDLE hProcess, LPVOID MemoryStart
ULONG_PTR CurrentFoundPattern; ULONG_PTR CurrentFoundPattern;
LPVOID cMemoryStart = MemoryStart; LPVOID cMemoryStart = MemoryStart;
DWORD cMemorySize = MemorySize; DWORD cMemorySize = MemorySize;
LPVOID lpReadMemory = VirtualAlloc(NULL, PatternSize, MEM_COMMIT, PAGE_READWRITE); DynBuf lpReadMem;
LPVOID lpReadMemory = lpReadMem.Allocate(PatternSize);
CurrentFoundPattern = (ULONG_PTR)FindEx(hProcess, cMemoryStart, cMemorySize, SearchPattern, PatternSize, WildCard); CurrentFoundPattern = (ULONG_PTR)FindEx(hProcess, cMemoryStart, cMemorySize, SearchPattern, PatternSize, WildCard);
NumberOfRepetitions--; NumberOfRepetitions--;
@ -335,7 +330,6 @@ __declspec(dllexport) bool TITCALL ReplaceEx(HANDLE hProcess, LPVOID MemoryStart
CurrentFoundPattern = (ULONG_PTR)FindEx(hProcess, cMemoryStart, cMemorySize, SearchPattern, PatternSize, WildCard); CurrentFoundPattern = (ULONG_PTR)FindEx(hProcess, cMemoryStart, cMemorySize, SearchPattern, PatternSize, WildCard);
NumberOfRepetitions--; NumberOfRepetitions--;
} }
VirtualFree(lpReadMemory, NULL, MEM_RELEASE);
if(NumberOfRepetitions != NULL) if(NumberOfRepetitions != NULL)
{ {
return false; return false;
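Review bot: In MatchPatternEx the new guard `if(ueReadBuffer && !ReadProcessMemory(...))` sends an allocation failure down the no-error path: when Allocate returns NULL the condition is false, so the failure branch is skipped as if the read had succeeded. FindEx has the same guard. The code that runs next is outside the visible hunks, but it presumably compares against a buffer that was never filled, with only the `__except` handler as a backstop. Fail explicitly before the read instead, `if(!ueReadBuffer) return false;` in MatchPatternEx and `if(!ueReadBuffer) return(NULL);` in FindEx, and leave the ReadProcessMemory condition as it was.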


@ -65,7 +65,8 @@ __declspec(dllexport) void* TITCALL DisassembleEx(HANDLE hProcess, LPVOID Disass
_DecodeType DecodingType = Decode64Bits; _DecodeType DecodingType = Decode64Bits;
#endif #endif
ULONG_PTR ueNumberOfBytesRead = 0; ULONG_PTR ueNumberOfBytesRead = 0;
LPVOID ueReadBuffer = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); DynBuf ueReadBuf;
LPVOID ueReadBuffer = ueReadBuf.Allocate(0x1000);
MEMORY_BASIC_INFORMATION MemInfo; MEMORY_BASIC_INFORMATION MemInfo;
DWORD MaxDisassmSize; DWORD MaxDisassmSize;
@ -101,7 +102,6 @@ __declspec(dllexport) void* TITCALL DisassembleEx(HANDLE hProcess, LPVOID Disass
if(rpm) if(rpm)
{ {
DecodingResult = distorm_decode((ULONG_PTR)DisassmAddress, (const unsigned char*)ueReadBuffer, MaxDisassmSize, DecodingType, engineDecodedInstructions, MAX_DECODE_INSTRUCTIONS, &DecodedInstructionsCount); DecodingResult = distorm_decode((ULONG_PTR)DisassmAddress, (const unsigned char*)ueReadBuffer, MaxDisassmSize, DecodingType, engineDecodedInstructions, MAX_DECODE_INSTRUCTIONS, &DecodedInstructionsCount);
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
RtlZeroMemory(&engineDisassembledInstruction, 128); RtlZeroMemory(&engineDisassembledInstruction, 128);
lstrcpyA(engineDisassembledInstruction, (LPCSTR)engineDecodedInstructions[0].mnemonic.p); lstrcpyA(engineDisassembledInstruction, (LPCSTR)engineDecodedInstructions[0].mnemonic.p);
if(!ReturnInstructionType) if(!ReturnInstructionType)
@ -116,7 +116,6 @@ __declspec(dllexport) void* TITCALL DisassembleEx(HANDLE hProcess, LPVOID Disass
} }
else else
{ {
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return(NULL); return(NULL);
} }
} }
@ -127,7 +126,6 @@ __declspec(dllexport) void* TITCALL DisassembleEx(HANDLE hProcess, LPVOID Disass
} }
else else
{ {
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return(NULL); return(NULL);
} }
} }
@ -185,7 +183,8 @@ __declspec(dllexport) long TITCALL LengthDisassembleEx(HANDLE hProcess, LPVOID D
_DecodeType DecodingType = Decode64Bits; _DecodeType DecodingType = Decode64Bits;
#endif #endif
ULONG_PTR ueNumberOfBytesRead = 0; ULONG_PTR ueNumberOfBytesRead = 0;
LPVOID ueReadBuffer = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); DynBuf ueReadBuf;
LPVOID ueReadBuffer = ueReadBuf.Allocate(0x1000);
MEMORY_BASIC_INFORMATION MemInfo; MEMORY_BASIC_INFORMATION MemInfo;
DWORD MaxDisassmSize; DWORD MaxDisassmSize;
@ -210,12 +209,10 @@ __declspec(dllexport) long TITCALL LengthDisassembleEx(HANDLE hProcess, LPVOID D
if(ReadProcessMemory(hProcess, (LPVOID)DisassmAddress, ueReadBuffer, MaxDisassmSize, &ueNumberOfBytesRead)) if(ReadProcessMemory(hProcess, (LPVOID)DisassmAddress, ueReadBuffer, MaxDisassmSize, &ueNumberOfBytesRead))
{ {
DecodingResult = distorm_decode(NULL, (const unsigned char*)ueReadBuffer, MaxDisassmSize, DecodingType, DecodedInstructions, MAX_DECODE_INSTRUCTIONS, &DecodedInstructionsCount); DecodingResult = distorm_decode(NULL, (const unsigned char*)ueReadBuffer, MaxDisassmSize, DecodingType, DecodedInstructions, MAX_DECODE_INSTRUCTIONS, &DecodedInstructionsCount);
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return(DecodedInstructions[0].size); return(DecodedInstructions[0].size);
} }
else else
{ {
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return(-1); return(-1);
} }
} }
@ -226,7 +223,6 @@ __declspec(dllexport) long TITCALL LengthDisassembleEx(HANDLE hProcess, LPVOID D
} }
else else
{ {
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return(-1); return(-1);
} }
} }


@ -38,8 +38,9 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas
LPVOID ReadBase = ImageBase; LPVOID ReadBase = ImageBase;
SIZE_T CalculatedHeaderSize = NULL; SIZE_T CalculatedHeaderSize = NULL;
SIZE_T AlignedHeaderSize = NULL; SIZE_T AlignedHeaderSize = NULL;
LPVOID ueReadBuffer = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); DynBuf ueReadBuf, ueCopyBuf;
LPVOID ueCopyBuffer = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); LPVOID ueReadBuffer = ueReadBuf.Allocate(0x2000);
LPVOID ueCopyBuffer = ueCopyBuf.Allocate(0x2000);
MEMORY_BASIC_INFORMATION MemInfo; MEMORY_BASIC_INFORMATION MemInfo;
if(ReadProcessMemory(hProcess, ImageBase, ueReadBuffer, 0x1000, &ueNumberOfBytesRead)) if(ReadProcessMemory(hProcess, ImageBase, ueReadBuffer, 0x1000, &ueNumberOfBytesRead))
@ -56,14 +57,10 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas
{ {
AlignedHeaderSize = ((CalculatedHeaderSize / 0x1000) + 1) * 0x1000; AlignedHeaderSize = ((CalculatedHeaderSize / 0x1000) + 1) * 0x1000;
} }
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); ueReadBuffer = ueReadBuf.Allocate(AlignedHeaderSize);
VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE); ueCopyBuffer = ueCopyBuf.Allocate(AlignedHeaderSize);
ueReadBuffer = VirtualAlloc(NULL, AlignedHeaderSize, MEM_COMMIT, PAGE_READWRITE);
ueCopyBuffer = VirtualAlloc(NULL, AlignedHeaderSize, MEM_COMMIT, PAGE_READWRITE);
if(!ReadProcessMemory(hProcess, ImageBase, ueReadBuffer, AlignedHeaderSize, &ueNumberOfBytesRead)) if(!ReadProcessMemory(hProcess, ImageBase, ueReadBuffer, AlignedHeaderSize, &ueNumberOfBytesRead))
{ {
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE);
return false; return false;
} }
else else
@ -90,8 +87,6 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas
} }
else else
{ {
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE);
return false; return false;
} }
if(!FileIs64) if(!FileIs64)
@ -174,30 +169,22 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas
} }
} }
EngineCloseHandle(hFile); EngineCloseHandle(hFile);
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE);
return true; return true;
} }
__except(EXCEPTION_EXECUTE_HANDLER) __except(EXCEPTION_EXECUTE_HANDLER)
{ {
EngineCloseHandle(hFile); EngineCloseHandle(hFile);
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE);
return false; return false;
} }
} }
else else
{ {
EngineCloseHandle(hFile); EngineCloseHandle(hFile);
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE);
return false; return false;
} }
} }
else else
{ {
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE);
return false; return false;
} }
} }
@ -282,30 +269,22 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas
} }
} }
EngineCloseHandle(hFile); EngineCloseHandle(hFile);
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE);
return true; return true;
} }
__except(EXCEPTION_EXECUTE_HANDLER) __except(EXCEPTION_EXECUTE_HANDLER)
{ {
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE);
return false; return false;
} }
} }
else else
{ {
EngineCloseHandle(hFile); EngineCloseHandle(hFile);
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE);
return false; return false;
} }
} }
else else
{ {
EngineCloseHandle(hFile); EngineCloseHandle(hFile);
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE);
return false; return false;
} }
} }
@ -313,15 +292,11 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas
} }
else else
{ {
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE);
return false; return false;
} }
} }
else else
{ {
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
VirtualFree(ueCopyBuffer, NULL, MEM_RELEASE);
return false; return false;
} }
return false; return false;
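Review bot: The second `__except(EXCEPTION_EXECUTE_HANDLER)` block in DumpProcessW returns false without calling `EngineCloseHandle(hFile)`, while the first handler and the neighbouring else-branches all close the handle before returning. With the VirtualFree calls removed that handler is just `return false;`, so the file handle leaks whenever that path faults. Add `EngineCloseHandle(hFile);` before the `return false;` there, assuming hFile is open at that point as it is in the first handler; the matching `__try` is outside the visible hunks. Separately, the `AlignedHeaderSize` passed to `ueReadBuf.Allocate` and `ueCopyBuf.Allocate` appears to be derived from header data read out of the target process, so it is worth bounding and checking the returned pointers before the second ReadProcessMemory.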


@ -152,6 +152,7 @@ __declspec(dllexport) bool TITCALL ExporterBuildExportTable(ULONG_PTR StorePlace
PIMAGE_NT_HEADERS32 PEHeader32; PIMAGE_NT_HEADERS32 PEHeader32;
PIMAGE_NT_HEADERS64 PEHeader64; PIMAGE_NT_HEADERS64 PEHeader64;
LPVOID expBuildExportData; LPVOID expBuildExportData;
DynBuf expBuildExportDyn;
LPVOID expBuildExportDataCWP; LPVOID expBuildExportDataCWP;
DWORD StorePlaceRVA = (DWORD)ConvertFileOffsetToVA(FileMapVA, StorePlace, false); DWORD StorePlaceRVA = (DWORD)ConvertFileOffsetToVA(FileMapVA, StorePlace, false);
ULONG_PTR TempULONG; ULONG_PTR TempULONG;
@ -160,7 +161,7 @@ __declspec(dllexport) bool TITCALL ExporterBuildExportTable(ULONG_PTR StorePlace
if(expTableDataCWP != NULL) if(expTableDataCWP != NULL)
{ {
expBuildExportData = VirtualAlloc(NULL, ExporterEstimatedSize(), MEM_COMMIT, PAGE_READWRITE); expBuildExportData = expBuildExportDyn.Allocate(ExporterEstimatedSize());
expBuildExportDataCWP = (LPVOID)((ULONG_PTR)expBuildExportData + sizeof IMAGE_EXPORT_DIRECTORY); expBuildExportDataCWP = (LPVOID)((ULONG_PTR)expBuildExportData + sizeof IMAGE_EXPORT_DIRECTORY);
expExportData.NumberOfNames = expExportNumber; expExportData.NumberOfNames = expExportNumber;
@ -210,7 +211,6 @@ __declspec(dllexport) bool TITCALL ExporterBuildExportTable(ULONG_PTR StorePlace
} }
__except(EXCEPTION_EXECUTE_HANDLER) __except(EXCEPTION_EXECUTE_HANDLER)
{ {
VirtualFree(expBuildExportData, NULL, MEM_RELEASE);
ExporterCleanup(); ExporterCleanup();
return false; return false;
} }
@ -246,7 +246,6 @@ __declspec(dllexport) bool TITCALL ExporterBuildExportTable(ULONG_PTR StorePlace
} }
} }
} }
VirtualFree(expBuildExportData, NULL, MEM_RELEASE);
ExporterCleanup(); ExporterCleanup();
return true; return true;
} }


@ -2,25 +2,33 @@
#include "definitions.h" #include "definitions.h"
#include "Global.Handle.h" #include "Global.Handle.h"
void NtQuerySysHandleInfo(DynBuf& buf)
{
DynBuf QSB;
ULONG RequiredSize = NULL;
QSB.Allocate(0x2000);
while(NtQuerySystemInformation(SystemHandleInformation, QSB.GetPtr(), QSB.Size(), &RequiredSize) == (NTSTATUS)0xC0000004L)
{
QSB.Allocate(RequiredSize);
}
}
// TitanEngine.Handler.functions: // TitanEngine.Handler.functions:
__declspec(dllexport) long TITCALL HandlerGetActiveHandleCount(DWORD ProcessId) __declspec(dllexport) long TITCALL HandlerGetActiveHandleCount(DWORD ProcessId)
{ {
int HandleCount = NULL; int HandleCount = 0;
LPVOID QuerySystemBuffer; ULONG TotalHandleCount = 0;
ULONG QuerySystemBufferSize = 0x2000;
ULONG RequiredSize = NULL;
ULONG TotalHandleCount = NULL;
PNTDLL_QUERY_HANDLE_INFO HandleInfo; PNTDLL_QUERY_HANDLE_INFO HandleInfo;
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); DynBuf hinfo;
while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) NtQuerySysHandleInfo(hinfo);
{ LPVOID QuerySystemBuffer = hinfo.GetPtr();
QuerySystemBufferSize = RequiredSize;
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
}
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
@ -33,27 +41,19 @@ __declspec(dllexport) long TITCALL HandlerGetActiveHandleCount(DWORD ProcessId)
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
TotalHandleCount--; TotalHandleCount--;
} }
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
return(HandleCount);
return(NULL); return(HandleCount);
} }
__declspec(dllexport) bool TITCALL HandlerIsHandleOpen(DWORD ProcessId, HANDLE hHandle) __declspec(dllexport) bool TITCALL HandlerIsHandleOpen(DWORD ProcessId, HANDLE hHandle)
{ {
bool HandleActive = false; bool HandleActive = false;
LPVOID QuerySystemBuffer;
ULONG QuerySystemBufferSize = 0x2000;
ULONG RequiredSize = NULL;
ULONG TotalHandleCount = NULL; ULONG TotalHandleCount = NULL;
PNTDLL_QUERY_HANDLE_INFO HandleInfo; PNTDLL_QUERY_HANDLE_INFO HandleInfo;
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); DynBuf hinfo;
while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) NtQuerySysHandleInfo(hinfo);
{ LPVOID QuerySystemBuffer = hinfo.GetPtr();
QuerySystemBufferSize = RequiredSize;
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
}
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
@ -67,38 +67,29 @@ __declspec(dllexport) bool TITCALL HandlerIsHandleOpen(DWORD ProcessId, HANDLE h
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
TotalHandleCount--; TotalHandleCount--;
} }
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
if(HandleActive)
{
return true;
}
return false; return HandleActive;
} }
__declspec(dllexport) void* TITCALL HandlerGetHandleName(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, bool TranslateName) __declspec(dllexport) void* TITCALL HandlerGetHandleName(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, bool TranslateName)
{ {
bool NameFound = false; bool NameFound = false;
HANDLE myHandle = NULL; HANDLE myHandle = NULL;
LPVOID QuerySystemBuffer;
ULONG QuerySystemBufferSize = 0x2000;
ULONG RequiredSize = NULL; ULONG RequiredSize = NULL;
ULONG TotalHandleCount = NULL; ULONG TotalHandleCount = NULL;
PNTDLL_QUERY_HANDLE_INFO HandleInfo; PNTDLL_QUERY_HANDLE_INFO HandleInfo;
PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo; PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo;
LPVOID ObjectNameInfo = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); char ObjectNameInfo[0x2000] = {0};
PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo; PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo;
LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
LPVOID tmpHandleFullName = NULL; LPVOID tmpHandleFullName = NULL;
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); DynBuf hinfo;
while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) NtQuerySysHandleInfo(hinfo);
{ LPVOID QuerySystemBuffer = hinfo.GetPtr();
QuerySystemBufferSize = RequiredSize;
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
}
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
@ -139,9 +130,6 @@ __declspec(dllexport) void* TITCALL HandlerGetHandleName(HANDLE hProcess, DWORD
TotalHandleCount--; TotalHandleCount--;
} }
VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE);
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
if(!NameFound) if(!NameFound)
{ {
VirtualFree(HandleFullName, NULL, MEM_RELEASE); VirtualFree(HandleFullName, NULL, MEM_RELEASE);
@ -151,33 +139,26 @@ __declspec(dllexport) void* TITCALL HandlerGetHandleName(HANDLE hProcess, DWORD
{ {
return(HandleFullName); return(HandleFullName);
} }
return(NULL);
} }
__declspec(dllexport) void* TITCALL HandlerGetHandleNameW(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, bool TranslateName) __declspec(dllexport) void* TITCALL HandlerGetHandleNameW(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, bool TranslateName)
{ {
bool NameFound = false; bool NameFound = false;
HANDLE myHandle = NULL; HANDLE myHandle = NULL;
LPVOID QuerySystemBuffer;
ULONG QuerySystemBufferSize = 0x2000;
ULONG RequiredSize = NULL; ULONG RequiredSize = NULL;
ULONG TotalHandleCount = NULL; ULONG TotalHandleCount = NULL;
PNTDLL_QUERY_HANDLE_INFO HandleInfo; PNTDLL_QUERY_HANDLE_INFO HandleInfo;
PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo; PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo;
LPVOID ObjectNameInfo = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); char ObjectNameInfo[0x2000] = {0};
PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo; PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo;
LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
LPVOID tmpHandleFullName = NULL; LPVOID tmpHandleFullName = NULL;
DynBuf hinfo;
NtQuerySysHandleInfo(hinfo);
LPVOID QuerySystemBuffer = hinfo.GetPtr();
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L)
{
QuerySystemBufferSize = RequiredSize;
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
}
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
@ -219,9 +200,6 @@ __declspec(dllexport) void* TITCALL HandlerGetHandleNameW(HANDLE hProcess, DWORD
TotalHandleCount--; TotalHandleCount--;
} }
VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE);
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
if(!NameFound) if(!NameFound)
{ {
VirtualFree(HandleFullName, NULL, MEM_RELEASE); VirtualFree(HandleFullName, NULL, MEM_RELEASE);
@ -238,21 +216,15 @@ __declspec(dllexport) long TITCALL HandlerEnumerateOpenHandles(DWORD ProcessId,
{ {
HANDLE myHandle = NULL; HANDLE myHandle = NULL;
LPVOID QuerySystemBuffer;
ULONG RequiredSize = NULL; ULONG RequiredSize = NULL;
ULONG TotalHandleCount = NULL; ULONG TotalHandleCount = NULL;
unsigned int HandleCount = NULL; unsigned int HandleCount = NULL;
ULONG QuerySystemBufferSize = 0x2000;
PNTDLL_QUERY_HANDLE_INFO HandleInfo; PNTDLL_QUERY_HANDLE_INFO HandleInfo;
DynBuf hinfo;
NtQuerySysHandleInfo(hinfo);
LPVOID QuerySystemBuffer = hinfo.GetPtr();
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L)
{
QuerySystemBufferSize = RequiredSize;
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
}
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
@ -268,35 +240,27 @@ __declspec(dllexport) long TITCALL HandlerEnumerateOpenHandles(DWORD ProcessId,
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
TotalHandleCount--; TotalHandleCount--;
} }
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
return(HandleCount); return(HandleCount);
return(NULL);
} }
__declspec(dllexport) long long TITCALL HandlerGetHandleDetails(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, DWORD InformationReturn) __declspec(dllexport) long long TITCALL HandlerGetHandleDetails(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, DWORD InformationReturn)
{ {
HANDLE myHandle = NULL; HANDLE myHandle = NULL;
LPVOID QuerySystemBuffer;
ULONG QuerySystemBufferSize = 0x2000;
ULONG RequiredSize = NULL; ULONG RequiredSize = NULL;
ULONG TotalHandleCount = NULL; ULONG TotalHandleCount = NULL;
PNTDLL_QUERY_HANDLE_INFO HandleInfo; PNTDLL_QUERY_HANDLE_INFO HandleInfo;
PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo; PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo;
LPVOID HandleFullData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); char HandleFullData[0x1000] = {0};
LPVOID HandleNameData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); LPVOID HandleNameData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
PPUBLIC_OBJECT_TYPE_INFORMATION pObjectTypeInfo = (PPUBLIC_OBJECT_TYPE_INFORMATION)HandleFullData; PPUBLIC_OBJECT_TYPE_INFORMATION pObjectTypeInfo = (PPUBLIC_OBJECT_TYPE_INFORMATION)HandleFullData;
bool DontFreeStringMemory = false; bool DontFreeStringMemory = false;
ULONG_PTR ReturnData = NULL; ULONG_PTR ReturnData = NULL;
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); DynBuf hinfo;
while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) NtQuerySysHandleInfo(hinfo);
{ LPVOID QuerySystemBuffer = hinfo.GetPtr();
QuerySystemBufferSize = RequiredSize;
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
}
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
@ -325,7 +289,7 @@ __declspec(dllexport) long long TITCALL HandlerGetHandleDetails(HANDLE hProcess,
//if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){ //if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
if(HandleInfo->GrantedAccess != 0x0012019F) if(HandleInfo->GrantedAccess != 0x0012019F)
{ {
RtlZeroMemory(HandleFullData, 0x1000); RtlZeroMemory(HandleFullData, sizeof(HandleFullData));
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize); NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize);
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize); NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize);
RtlZeroMemory(HandleNameData, 0x1000); RtlZeroMemory(HandleNameData, 0x1000);
@ -342,7 +306,7 @@ __declspec(dllexport) long long TITCALL HandlerGetHandleDetails(HANDLE hProcess,
//if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){ //if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
if(HandleInfo->GrantedAccess != 0x0012019F) if(HandleInfo->GrantedAccess != 0x0012019F)
{ {
RtlZeroMemory(HandleFullData, 0x1000); RtlZeroMemory(HandleFullData, sizeof(HandleFullData));
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize); NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize);
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize); NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize);
RtlZeroMemory(HandleNameData, 0x1000); RtlZeroMemory(HandleNameData, 0x1000);
@ -366,16 +330,7 @@ __declspec(dllexport) long long TITCALL HandlerGetHandleDetails(HANDLE hProcess,
{ {
VirtualFree(HandleNameData, NULL, MEM_RELEASE); VirtualFree(HandleNameData, NULL, MEM_RELEASE);
} }
VirtualFree(HandleFullData, NULL, MEM_RELEASE);
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
return(ReturnData); return(ReturnData);
if(!DontFreeStringMemory)
{
VirtualFree(HandleNameData, NULL, MEM_RELEASE);
}
VirtualFree(HandleFullData, NULL, MEM_RELEASE);
return(NULL);
} }
__declspec(dllexport) bool TITCALL HandlerCloseRemoteHandle(HANDLE hProcess, HANDLE hHandle) __declspec(dllexport) bool TITCALL HandlerCloseRemoteHandle(HANDLE hProcess, HANDLE hHandle)
{ {
@ -411,29 +366,24 @@ __declspec(dllexport) long TITCALL HandlerEnumerateLockHandlesW(wchar_t* szFileO
HANDLE hProcess = NULL; HANDLE hProcess = NULL;
HANDLE myHandle = NULL; HANDLE myHandle = NULL;
HANDLE CopyHandle = NULL; HANDLE CopyHandle = NULL;
LPVOID QuerySystemBuffer;
ULONG QuerySystemBufferSize = 0x2000;
ULONG RequiredSize = NULL; ULONG RequiredSize = NULL;
ULONG TotalHandleCount = NULL; ULONG TotalHandleCount = NULL;
DWORD LastProcessId = NULL; DWORD LastProcessId = NULL;
PNTDLL_QUERY_HANDLE_INFO HandleInfo; PNTDLL_QUERY_HANDLE_INFO HandleInfo;
PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo; PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo;
LPVOID ObjectNameInfo = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); char ObjectNameInfo[0x2000] = {0};
PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo; PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo;
LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); char HandleFullNameB[0x1000] = {0};
LPVOID HandleFullName = HandleFullNameB;
int LenFileOrFolderName = lstrlenW(szFileOrFolderName); int LenFileOrFolderName = lstrlenW(szFileOrFolderName);
LPVOID tmpHandleFullName = NULL; LPVOID tmpHandleFullName = NULL;
DynBuf hinfo;
NtQuerySysHandleInfo(hinfo);
LPVOID QuerySystemBuffer = hinfo.GetPtr();
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L)
{
QuerySystemBufferSize = RequiredSize;
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
}
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
@ -469,7 +419,6 @@ __declspec(dllexport) long TITCALL HandlerEnumerateLockHandlesW(wchar_t* szFileO
tmpHandleFullName = TranslateNativeNameW((wchar_t*)HandleFullName); tmpHandleFullName = TranslateNativeNameW((wchar_t*)HandleFullName);
if(tmpHandleFullName != NULL) if(tmpHandleFullName != NULL)
{ {
VirtualFree(HandleFullName, NULL, MEM_RELEASE);
HandleFullName = tmpHandleFullName; HandleFullName = tmpHandleFullName;
} }
} }
@ -498,9 +447,7 @@ __declspec(dllexport) long TITCALL HandlerEnumerateLockHandlesW(wchar_t* szFileO
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
TotalHandleCount--; TotalHandleCount--;
} }
VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE);
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
VirtualFree(HandleFullName, NULL, MEM_RELEASE);
return(FoundHandles); return(FoundHandles);
} }
__declspec(dllexport) bool TITCALL HandlerCloseAllLockHandles(char* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated) __declspec(dllexport) bool TITCALL HandlerCloseAllLockHandles(char* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated)
@ -525,27 +472,24 @@ __declspec(dllexport) bool TITCALL HandlerCloseAllLockHandlesW(wchar_t* szFileOr
HANDLE hProcess = NULL; HANDLE hProcess = NULL;
HANDLE myHandle = NULL; HANDLE myHandle = NULL;
HANDLE CopyHandle = NULL; HANDLE CopyHandle = NULL;
LPVOID QuerySystemBuffer;
ULONG QuerySystemBufferSize = 0x2000;
ULONG RequiredSize = NULL; ULONG RequiredSize = NULL;
ULONG TotalHandleCount = NULL; ULONG TotalHandleCount = NULL;
DWORD LastProcessId = NULL; DWORD LastProcessId = NULL;
PNTDLL_QUERY_HANDLE_INFO HandleInfo; PNTDLL_QUERY_HANDLE_INFO HandleInfo;
PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo; PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo;
LPVOID ObjectNameInfo = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); char ObjectNameInfo[0x2000] = {0};
PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo; PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo;
LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); char HandleFullNameB[0x1000] = {0};
LPVOID HandleFullName = HandleFullNameB;
int LenFileOrFolderName = lstrlenW(szFileOrFolderName); int LenFileOrFolderName = lstrlenW(szFileOrFolderName);
LPVOID tmpHandleFullName = NULL; LPVOID tmpHandleFullName = NULL;
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); DynBuf hinfo;
while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) NtQuerySysHandleInfo(hinfo);
{ LPVOID QuerySystemBuffer = hinfo.GetPtr();
QuerySystemBufferSize = RequiredSize;
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
}
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
@ -581,7 +525,6 @@ __declspec(dllexport) bool TITCALL HandlerCloseAllLockHandlesW(wchar_t* szFileOr
tmpHandleFullName = TranslateNativeNameW((wchar_t*)HandleFullName); tmpHandleFullName = TranslateNativeNameW((wchar_t*)HandleFullName);
if(tmpHandleFullName != NULL) if(tmpHandleFullName != NULL)
{ {
VirtualFree(HandleFullName, NULL, MEM_RELEASE);
HandleFullName = tmpHandleFullName; HandleFullName = tmpHandleFullName;
} }
} }
@ -607,18 +550,8 @@ __declspec(dllexport) bool TITCALL HandlerCloseAllLockHandlesW(wchar_t* szFileOr
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
TotalHandleCount--; TotalHandleCount--;
} }
VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE);
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
VirtualFree(HandleFullName, NULL, MEM_RELEASE);
if(AllHandled)
{
return true;
}
else
{
return false;
}
return AllHandled;
} }
__declspec(dllexport) bool TITCALL HandlerIsFileLocked(char* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated) __declspec(dllexport) bool TITCALL HandlerIsFileLocked(char* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated)
{ {
@ -641,27 +574,24 @@ __declspec(dllexport) bool TITCALL HandlerIsFileLockedW(wchar_t* szFileOrFolderN
HANDLE hProcess = NULL; HANDLE hProcess = NULL;
HANDLE myHandle = NULL; HANDLE myHandle = NULL;
HANDLE CopyHandle = NULL; HANDLE CopyHandle = NULL;
LPVOID QuerySystemBuffer;
ULONG QuerySystemBufferSize = 0x2000;
ULONG RequiredSize = NULL; ULONG RequiredSize = NULL;
ULONG TotalHandleCount = NULL; ULONG TotalHandleCount = NULL;
DWORD LastProcessId = NULL; DWORD LastProcessId = NULL;
PNTDLL_QUERY_HANDLE_INFO HandleInfo; PNTDLL_QUERY_HANDLE_INFO HandleInfo;
PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo; PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo;
LPVOID ObjectNameInfo = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); char ObjectNameInfo[0x2000] = {0};
PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo; PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo;
LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); char HandleFullNameB[0x1000] = {0};
LPVOID HandleFullName = HandleFullNameB;
int LenFileOrFolderName = lstrlenW(szFileOrFolderName); int LenFileOrFolderName = lstrlenW(szFileOrFolderName);
LPVOID tmpHandleFullName = NULL; LPVOID tmpHandleFullName = NULL;
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); DynBuf hinfo;
while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) NtQuerySysHandleInfo(hinfo);
{ LPVOID QuerySystemBuffer = hinfo.GetPtr();
QuerySystemBufferSize = RequiredSize;
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
}
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
@ -697,7 +627,6 @@ __declspec(dllexport) bool TITCALL HandlerIsFileLockedW(wchar_t* szFileOrFolderN
tmpHandleFullName = TranslateNativeNameW((wchar_t*)HandleFullName); tmpHandleFullName = TranslateNativeNameW((wchar_t*)HandleFullName);
if(tmpHandleFullName != NULL) if(tmpHandleFullName != NULL)
{ {
VirtualFree(HandleFullName, NULL, MEM_RELEASE);
HandleFullName = tmpHandleFullName; HandleFullName = tmpHandleFullName;
} }
} }
@ -710,9 +639,6 @@ __declspec(dllexport) bool TITCALL HandlerIsFileLockedW(wchar_t* szFileOrFolderN
} }
if(lstrcmpiW((LPCWSTR)HandleFullName, szFileOrFolderName) == NULL) if(lstrcmpiW((LPCWSTR)HandleFullName, szFileOrFolderName) == NULL)
{ {
VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE);
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
VirtualFree(HandleFullName, NULL, MEM_RELEASE);
EngineCloseHandle(myHandle); EngineCloseHandle(myHandle);
return true; return true;
} }
@ -724,9 +650,6 @@ __declspec(dllexport) bool TITCALL HandlerIsFileLockedW(wchar_t* szFileOrFolderN
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
TotalHandleCount--; TotalHandleCount--;
} }
VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE);
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
VirtualFree(HandleFullName, NULL, MEM_RELEASE);
return false; return false;
} }
@ -736,25 +659,20 @@ __declspec(dllexport) long TITCALL HandlerEnumerateOpenMutexes(HANDLE hProcess,
HANDLE myHandle = NULL; HANDLE myHandle = NULL;
HANDLE copyHandle = NULL; HANDLE copyHandle = NULL;
LPVOID QuerySystemBuffer;
ULONG RequiredSize = NULL; ULONG RequiredSize = NULL;
ULONG TotalHandleCount = NULL; ULONG TotalHandleCount = NULL;
unsigned int HandleCount = NULL; unsigned int HandleCount = NULL;
ULONG QuerySystemBufferSize = 0x2000;
PNTDLL_QUERY_HANDLE_INFO HandleInfo; PNTDLL_QUERY_HANDLE_INFO HandleInfo;
LPVOID HandleFullData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); char HandleFullData[0x1000] = {0};
LPVOID HandleNameData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); char HandleNameDataB[0x1000] = {0};
LPVOID HandleNameData = HandleNameDataB;
PPUBLIC_OBJECT_TYPE_INFORMATION pObjectTypeInfo = (PPUBLIC_OBJECT_TYPE_INFORMATION)HandleFullData; PPUBLIC_OBJECT_TYPE_INFORMATION pObjectTypeInfo = (PPUBLIC_OBJECT_TYPE_INFORMATION)HandleFullData;
DynBuf hinfo;
NtQuerySysHandleInfo(hinfo);
LPVOID QuerySystemBuffer = hinfo.GetPtr();
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L)
{
QuerySystemBufferSize = RequiredSize;
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
}
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
@ -767,7 +685,7 @@ __declspec(dllexport) long TITCALL HandlerEnumerateOpenMutexes(HANDLE hProcess,
{ {
if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS)) if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
{ {
RtlZeroMemory(HandleFullData, 0x1000); RtlZeroMemory(HandleFullData, sizeof(HandleFullData));
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize); NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize);
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize); NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize);
RtlZeroMemory(HandleNameData, 0x1000); RtlZeroMemory(HandleNameData, 0x1000);
@ -789,9 +707,6 @@ __declspec(dllexport) long TITCALL HandlerEnumerateOpenMutexes(HANDLE hProcess,
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
TotalHandleCount--; TotalHandleCount--;
} }
VirtualFree(HandleFullData, NULL, MEM_RELEASE);
VirtualFree(HandleNameData, NULL, MEM_RELEASE);
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
return(HandleCount); return(HandleCount);
} }
@ -816,7 +731,7 @@ __declspec(dllexport) long long TITCALL HandlerGetOpenMutexHandleW(HANDLE hProce
return 0; return 0;
int i; int i;
HANDLE myHandle; HANDLE myHandle;
LPVOID HandleBuffer = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); char HandleBuffer[0x1000] = {0};
LPVOID cHandleBuffer = HandleBuffer; LPVOID cHandleBuffer = HandleBuffer;
int OpenHandleCount = HandlerEnumerateOpenMutexes(hProcess, ProcessId, HandleBuffer, 0x1000 / sizeof HANDLE); int OpenHandleCount = HandlerEnumerateOpenMutexes(hProcess, ProcessId, HandleBuffer, 0x1000 / sizeof HANDLE);
wchar_t RealMutexName[512] = L"\\BaseNamedObjects\\"; wchar_t RealMutexName[512] = L"\\BaseNamedObjects\\";
@ -833,14 +748,12 @@ __declspec(dllexport) long long TITCALL HandlerGetOpenMutexHandleW(HANDLE hProce
{ {
if(lstrcmpiW(HandleName, RealMutexName) == NULL) if(lstrcmpiW(HandleName, RealMutexName) == NULL)
{ {
VirtualFree(HandleBuffer, NULL, MEM_RELEASE);
return((ULONG_PTR)myHandle); return((ULONG_PTR)myHandle);
} }
} }
cHandleBuffer = (LPVOID)((ULONG_PTR)cHandleBuffer + sizeof HANDLE); cHandleBuffer = (LPVOID)((ULONG_PTR)cHandleBuffer + sizeof HANDLE);
} }
} }
VirtualFree(HandleBuffer, NULL, MEM_RELEASE);
return(NULL); return(NULL);
} }
__declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutex(char* szMutexString) __declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutex(char* szMutexString)
@ -865,28 +778,24 @@ __declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutexW(wchar_t
HANDLE hProcess = NULL; HANDLE hProcess = NULL;
DWORD ReturnData = NULL; DWORD ReturnData = NULL;
HANDLE myHandle = NULL; HANDLE myHandle = NULL;
LPVOID QuerySystemBuffer;
ULONG RequiredSize = NULL; ULONG RequiredSize = NULL;
DWORD LastProcessId = NULL; DWORD LastProcessId = NULL;
ULONG TotalHandleCount = NULL; ULONG TotalHandleCount = NULL;
ULONG QuerySystemBufferSize = 0x2000;
PNTDLL_QUERY_HANDLE_INFO HandleInfo; PNTDLL_QUERY_HANDLE_INFO HandleInfo;
LPVOID HandleFullData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); char HandleFullData[0x1000] = {0};
LPVOID HandleNameData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); char HandleNameData[0x1000] = {0};
PPUBLIC_OBJECT_TYPE_INFORMATION pObjectTypeInfo = (PPUBLIC_OBJECT_TYPE_INFORMATION)HandleFullData; PPUBLIC_OBJECT_TYPE_INFORMATION pObjectTypeInfo = (PPUBLIC_OBJECT_TYPE_INFORMATION)HandleFullData;
LPVOID ObjectNameInfo = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); char ObjectNameInfo[0x2000] = {0};
PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo; PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo;
wchar_t RealMutexName[512] = L"\\BaseNamedObjects\\"; wchar_t RealMutexName[512] = L"\\BaseNamedObjects\\";
lstrcatW(RealMutexName, szMutexString); lstrcatW(RealMutexName, szMutexString);
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) DynBuf hinfo;
{ NtQuerySysHandleInfo(hinfo);
QuerySystemBufferSize = RequiredSize; LPVOID QuerySystemBuffer = hinfo.GetPtr();
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
}
RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
@ -908,10 +817,10 @@ __declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutexW(wchar_t
{ {
if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS)) if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
{ {
RtlZeroMemory(HandleFullData, 0x1000); RtlZeroMemory(HandleFullData, sizeof(HandleFullData));
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize); NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize);
NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize); NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize);
RtlZeroMemory(HandleNameData, 0x1000); RtlZeroMemory(HandleNameData, sizeof(HandleNameData));
if(pObjectTypeInfo->TypeName.Length != NULL) if(pObjectTypeInfo->TypeName.Length != NULL)
{ {
//WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectTypeInfo->TypeName.Buffer, -1, (LPSTR)HandleNameData, 0x1000, NULL, NULL); //WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectTypeInfo->TypeName.Buffer, -1, (LPSTR)HandleNameData, 0x1000, NULL, NULL);
@ -920,10 +829,9 @@ __declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutexW(wchar_t
{ {
NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize); NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize);
NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize); NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize);
RtlZeroMemory(HandleNameData, 0x1000); RtlZeroMemory(HandleNameData, sizeof(HandleNameData));
if(pObjectNameInfo->Name.Length != NULL) if(pObjectNameInfo->Name.Length != NULL)
{ {
RtlZeroMemory(HandleNameData, 0x1000);
//WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectNameInfo->Name.Buffer, -1, (LPSTR)HandleNameData, 0x1000, NULL, NULL); //WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectNameInfo->Name.Buffer, -1, (LPSTR)HandleNameData, 0x1000, NULL, NULL);
lstrcpyW((wchar_t*)HandleNameData, (wchar_t*)pObjectNameInfo->Name.Buffer); lstrcpyW((wchar_t*)HandleNameData, (wchar_t*)pObjectNameInfo->Name.Buffer);
if(lstrcmpiW((LPCWSTR)HandleNameData, RealMutexName) == NULL) if(lstrcmpiW((LPCWSTR)HandleNameData, RealMutexName) == NULL)
@ -941,10 +849,6 @@ __declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutexW(wchar_t
HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
TotalHandleCount--; TotalHandleCount--;
} }
VirtualFree(HandleFullData, NULL, MEM_RELEASE);
VirtualFree(HandleNameData, NULL, MEM_RELEASE);
VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE);
VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
return(ReturnData); return(ReturnData);
} }


@ -165,6 +165,7 @@ __declspec(dllexport) bool TITCALL ResortFileSectionsW(wchar_t* szFileName)
ULONG_PTR fileSectionData[MAXIMUM_SECTION_NUMBER][3]; ULONG_PTR fileSectionData[MAXIMUM_SECTION_NUMBER][3];
ULONG_PTR fileSectionTemp; ULONG_PTR fileSectionTemp;
LPVOID sortedFileName; LPVOID sortedFileName;
DynBuf sortedFileNameBuf;
if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof szBackupItem)) if(engineBackupForCriticalFunctions && CreateGarbageItem(&szBackupItem, sizeof szBackupItem))
{ {
@ -202,7 +203,7 @@ __declspec(dllexport) bool TITCALL ResortFileSectionsW(wchar_t* szFileName)
} }
if(!FileIs64) if(!FileIs64)
{ {
sortedFileName = VirtualAlloc(NULL, FileSize, MEM_COMMIT, PAGE_READWRITE); sortedFileName = sortedFileNameBuf.Allocate(FileSize);
__try __try
{ {
RtlMoveMemory(sortedFileName, (LPVOID)FileMapVA, FileSize); RtlMoveMemory(sortedFileName, (LPVOID)FileMapVA, FileSize);
@ -242,7 +243,6 @@ __declspec(dllexport) bool TITCALL ResortFileSectionsW(wchar_t* szFileName)
} }
RtlMoveMemory((LPVOID)FileMapVA, sortedFileName, FileSize); RtlMoveMemory((LPVOID)FileMapVA, sortedFileName, FileSize);
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
VirtualFree(sortedFileName, NULL, MEM_RELEASE);
if(szBackupItem[0] != NULL) if(szBackupItem[0] != NULL)
{ {
if(CopyFileW(szBackupFile, szFileName, false)) if(CopyFileW(szBackupFile, szFileName, false))
@ -264,14 +264,13 @@ __declspec(dllexport) bool TITCALL ResortFileSectionsW(wchar_t* szFileName)
__except(EXCEPTION_EXECUTE_HANDLER) __except(EXCEPTION_EXECUTE_HANDLER)
{ {
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
VirtualFree(sortedFileName, NULL, MEM_RELEASE);
RemoveGarbageItem(szBackupItem, true); RemoveGarbageItem(szBackupItem, true);
return false; return false;
} }
} }
else else
{ {
sortedFileName = VirtualAlloc(NULL, FileSize, MEM_COMMIT, PAGE_READWRITE); sortedFileName = sortedFileNameBuf.Allocate(FileSize);
__try __try
{ {
RtlMoveMemory(sortedFileName, (LPVOID)FileMapVA, FileSize); RtlMoveMemory(sortedFileName, (LPVOID)FileMapVA, FileSize);
@ -311,7 +310,6 @@ __declspec(dllexport) bool TITCALL ResortFileSectionsW(wchar_t* szFileName)
} }
RtlMoveMemory((LPVOID)FileMapVA, sortedFileName, FileSize); RtlMoveMemory((LPVOID)FileMapVA, sortedFileName, FileSize);
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
VirtualFree(sortedFileName, NULL, MEM_RELEASE);
if(szBackupItem[0] != NULL) if(szBackupItem[0] != NULL)
{ {
if(CopyFileW(szBackupFile, szFileName, false)) if(CopyFileW(szBackupFile, szFileName, false))
@ -333,7 +331,6 @@ __declspec(dllexport) bool TITCALL ResortFileSectionsW(wchar_t* szFileName)
__except(EXCEPTION_EXECUTE_HANDLER) __except(EXCEPTION_EXECUTE_HANDLER)
{ {
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
VirtualFree(sortedFileName, NULL, MEM_RELEASE);
RemoveGarbageItem(szBackupItem, true); RemoveGarbageItem(szBackupItem, true);
return false; return false;
} }
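Review bot: The pointer returned by `sortedFileNameBuf.Allocate(FileSize)` is used unchecked in both the 32-bit and the 64-bit branch, so a failed allocation is only noticed when `RtlMoveMemory` faults inside the `__try` and the blanket `__except(EXCEPTION_EXECUTE_HANDLER)` turns it into `return false`. If `Allocate` can return NULL (DynBuf's definition is not on this page), test it before the `__try`: `if(sortedFileName == NULL) { UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); RemoveGarbageItem(szBackupItem, true); return false; }`. The two allocation lines are identical, so the call could also be hoisted above `if(!FileIs64)` and checked once. ResortFileSectionsW starts and ends outside these hunks.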


@ -35,7 +35,8 @@ __declspec(dllexport) bool TITCALL PastePEHeaderW(HANDLE hProcess, LPVOID ImageB
BOOL FileIs64 = false; BOOL FileIs64 = false;
HANDLE hFile = 0; HANDLE hFile = 0;
SIZE_T CalculatedHeaderSize = NULL; SIZE_T CalculatedHeaderSize = NULL;
LPVOID ueReadBuffer = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); DynBuf ueReadBuf;
LPVOID ueReadBuffer = ueReadBuf.Allocate(0x2000);
DWORD OldProtect = PAGE_READWRITE; DWORD OldProtect = PAGE_READWRITE;
hFile = CreateFileW(szDebuggedFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); hFile = CreateFileW(szDebuggedFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
@ -63,12 +64,10 @@ __declspec(dllexport) bool TITCALL PastePEHeaderW(HANDLE hProcess, LPVOID ImageB
if(CalculatedHeaderSize > 0x1000) if(CalculatedHeaderSize > 0x1000)
{ {
SetFilePointer(hFile, NULL, NULL, FILE_BEGIN); SetFilePointer(hFile, NULL, NULL, FILE_BEGIN);
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE); ueReadBuffer = ueReadBuf.Allocate(CalculatedHeaderSize);
ueReadBuffer = VirtualAlloc(NULL, CalculatedHeaderSize, MEM_COMMIT, PAGE_READWRITE);
if(!ReadFile(hFile, ueReadBuffer, (DWORD)CalculatedHeaderSize, &uedNumberOfBytesRead, NULL)) if(!ReadFile(hFile, ueReadBuffer, (DWORD)CalculatedHeaderSize, &uedNumberOfBytesRead, NULL))
{ {
EngineCloseHandle(hFile); EngineCloseHandle(hFile);
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return false; return false;
} }
} }
@ -91,7 +90,6 @@ __declspec(dllexport) bool TITCALL PastePEHeaderW(HANDLE hProcess, LPVOID ImageB
else else
{ {
EngineCloseHandle(hFile); EngineCloseHandle(hFile);
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return false; return false;
} }
if(!FileIs64) if(!FileIs64)
@ -103,20 +101,17 @@ __declspec(dllexport) bool TITCALL PastePEHeaderW(HANDLE hProcess, LPVOID ImageB
{ {
EngineCloseHandle(hFile); EngineCloseHandle(hFile);
VirtualProtectEx(hProcess, ImageBase, PEHeaderSize, OldProtect, &OldProtect); VirtualProtectEx(hProcess, ImageBase, PEHeaderSize, OldProtect, &OldProtect);
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return true; return true;
} }
else else
{ {
EngineCloseHandle(hFile); EngineCloseHandle(hFile);
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return false; return false;
} }
} }
else else
{ {
EngineCloseHandle(hFile); EngineCloseHandle(hFile);
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return false; return false;
} }
} }
@ -129,20 +124,17 @@ __declspec(dllexport) bool TITCALL PastePEHeaderW(HANDLE hProcess, LPVOID ImageB
{ {
EngineCloseHandle(hFile); EngineCloseHandle(hFile);
VirtualProtectEx(hProcess, ImageBase, PEHeaderSize, OldProtect, &OldProtect); VirtualProtectEx(hProcess, ImageBase, PEHeaderSize, OldProtect, &OldProtect);
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return true; return true;
} }
else else
{ {
EngineCloseHandle(hFile); EngineCloseHandle(hFile);
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return false; return false;
} }
} }
else else
{ {
EngineCloseHandle(hFile); EngineCloseHandle(hFile);
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return false; return false;
} }
} }
@ -150,21 +142,18 @@ __declspec(dllexport) bool TITCALL PastePEHeaderW(HANDLE hProcess, LPVOID ImageB
else else
{ {
EngineCloseHandle(hFile); EngineCloseHandle(hFile);
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return false; return false;
} }
} }
else else
{ {
EngineCloseHandle(hFile); EngineCloseHandle(hFile);
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return false; return false;
} }
} }
else else
{ {
EngineCloseHandle(hFile); EngineCloseHandle(hFile);
VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
return false; return false;
} }
return false; return false;
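Review bot: In the `CalculatedHeaderSize > 0x1000` branch, `ueReadBuf.Allocate(CalculatedHeaderSize)` re-allocates through the same DynBuf with a size that is neither bounded nor null-checked in the visible lines, and the value is then narrowed with `(DWORD)` for `ReadFile`. Assuming CalculatedHeaderSize is computed from the headers of the file being opened (the computation is outside the hunk), a malformed file chooses the allocation size. Reject values above a sane header limit and add `if(ueReadBuffer == NULL) { EngineCloseHandle(hFile); return false; }` after the call. Any pointer taken into the first 0x2000-byte block before this point has to be re-derived from the new `ueReadBuffer`, since the second `Allocate` presumably releases the old block. PastePEHeaderW starts and ends outside these hunks.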


@ -258,6 +258,7 @@ __declspec(dllexport) bool TITCALL RelocaterGrabRelocationTableEx(HANDLE hProces
DWORD RelocationBase = NULL; DWORD RelocationBase = NULL;
DWORD RelocationSize = NULL; DWORD RelocationSize = NULL;
DWORD OldProtect; DWORD OldProtect;
DynBuf mem;
if(RelocationData != NULL) if(RelocationData != NULL)
{ {
@ -269,7 +270,7 @@ __declspec(dllexport) bool TITCALL RelocaterGrabRelocationTableEx(HANDLE hProces
MemorySize = MemInfo.RegionSize; MemorySize = MemInfo.RegionSize;
} }
VirtualProtectEx(hProcess, (LPVOID)MemoryStart, MemorySize, PAGE_EXECUTE_READWRITE, &OldProtect); VirtualProtectEx(hProcess, (LPVOID)MemoryStart, MemorySize, PAGE_EXECUTE_READWRITE, &OldProtect);
ReadMemoryStorage = VirtualAlloc(NULL, MemorySize, MEM_COMMIT, PAGE_READWRITE); ReadMemoryStorage = mem.Allocate(MemorySize);
mReadMemoryStorage = ReadMemoryStorage; mReadMemoryStorage = ReadMemoryStorage;
if(ReadProcessMemory(hProcess, (LPVOID)MemoryStart, ReadMemoryStorage, MemorySize, &ueNumberOfBytesRead)) if(ReadProcessMemory(hProcess, (LPVOID)MemoryStart, ReadMemoryStorage, MemorySize, &ueNumberOfBytesRead))
{ {
@ -281,12 +282,10 @@ __declspec(dllexport) bool TITCALL RelocaterGrabRelocationTableEx(HANDLE hProces
RtlMoveMemory(&RelocationBase, ReadMemoryStorage, 4); RtlMoveMemory(&RelocationBase, ReadMemoryStorage, 4);
RtlMoveMemory(&RelocationSize, (LPVOID)((ULONG_PTR)ReadMemoryStorage + 4), 4); RtlMoveMemory(&RelocationSize, (LPVOID)((ULONG_PTR)ReadMemoryStorage + 4), 4);
} }
VirtualFree(mReadMemoryStorage, NULL, MEM_RELEASE);
return(RelocaterGrabRelocationTable(hProcess, MemoryStart, (DWORD)((ULONG_PTR)ReadMemoryStorage - (ULONG_PTR)mReadMemoryStorage))); return(RelocaterGrabRelocationTable(hProcess, MemoryStart, (DWORD)((ULONG_PTR)ReadMemoryStorage - (ULONG_PTR)mReadMemoryStorage)));
} }
else else
{ {
VirtualFree(ReadMemoryStorage, NULL, MEM_RELEASE);
return false; return false;
} }
} }
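Review bot: Neither return in the last hunk of RelocaterGrabRelocationTableEx restores the protection changed by `VirtualProtectEx(hProcess, (LPVOID)MemoryStart, MemorySize, PAGE_EXECUTE_READWRITE, &OldProtect)`; both `return(RelocaterGrabRelocationTable(...))` and the `return false` branch exit with `OldProtect` unused in the lines shown. The region is only read here, so the debuggee's pages are left writable and executable, which alters the state of the process under analysis. Calling `VirtualProtectEx(hProcess, (LPVOID)MemoryStart, MemorySize, OldProtect, &OldProtect);` before each return, and checking the first call's result, would avoid that. The pointer from `mem.Allocate(MemorySize)` is also used unchecked, with MemorySize taken from the target's `MemInfo.RegionSize`. Parts of the function lie outside the hunks, so a restore elsewhere cannot be ruled out.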


@ -16,6 +16,7 @@ static long long EngineGlobalTracerHandler1(HANDLE hProcess, ULONG_PTR AddressTo
int LengthOfValidInstruction = 0; int LengthOfValidInstruction = 0;
int CurrentNumberOfInstructions = 0; int CurrentNumberOfInstructions = 0;
MEMORY_BASIC_INFORMATION MemInfo; MEMORY_BASIC_INFORMATION MemInfo;
DynBuf tracmem;
LPVOID TraceMemory, cTraceMemory; LPVOID TraceMemory, cTraceMemory;
ULONG_PTR ueNumberOfBytesRead = NULL; ULONG_PTR ueNumberOfBytesRead = NULL;
DWORD LastPushValue = NULL; DWORD LastPushValue = NULL;
@ -41,7 +42,7 @@ static long long EngineGlobalTracerHandler1(HANDLE hProcess, ULONG_PTR AddressTo
{ {
memSize = 0x4000; memSize = 0x4000;
} }
TraceMemory = VirtualAlloc(NULL, memSize, MEM_COMMIT, PAGE_READWRITE); TraceMemory = tracmem.Allocate(memSize);
cTraceMemory = TraceMemory; cTraceMemory = TraceMemory;
if(ReadProcessMemory(hProcess, (LPVOID)MemInfo.BaseAddress, TraceMemory, memSize, &ueNumberOfBytesRead)) if(ReadProcessMemory(hProcess, (LPVOID)MemInfo.BaseAddress, TraceMemory, memSize, &ueNumberOfBytesRead))
{ {
@ -491,7 +492,6 @@ static long long EngineGlobalTracerHandler1(HANDLE hProcess, ULONG_PTR AddressTo
} }
TraceStartAddress = TraceStartAddress + CurrentInstructionSize; TraceStartAddress = TraceStartAddress + CurrentInstructionSize;
} }
VirtualFree(TraceMemory, NULL, MEM_RELEASE);
if(!HashInstructions) if(!HashInstructions)
{ {
if(FoundValidAPI == true) if(FoundValidAPI == true)
@ -518,7 +518,6 @@ static long long EngineGlobalTracerHandler1(HANDLE hProcess, ULONG_PTR AddressTo
} }
else else
{ {
VirtualFree(TraceMemory, NULL, MEM_RELEASE);
} }
} }
} }
@ -717,6 +716,7 @@ __declspec(dllexport) long TITCALL TracerDetectRedirection(HANDLE hProcess, ULON
DWORD MemoryHash = NULL; DWORD MemoryHash = NULL;
DWORD MaximumReadSize = 0; DWORD MaximumReadSize = 0;
DWORD TestAddressX86; DWORD TestAddressX86;
DynBuf tracemem;
LPVOID TraceMemory; LPVOID TraceMemory;
bool HashCheck = false; bool HashCheck = false;
@ -735,7 +735,7 @@ __declspec(dllexport) long TITCALL TracerDetectRedirection(HANDLE hProcess, ULON
} }
if(sizeof HANDLE == 4) if(sizeof HANDLE == 4)
{ {
TraceMemory = VirtualAlloc(NULL, MaximumReadSize, MEM_COMMIT, PAGE_READWRITE); TraceMemory = tracemem.Allocate(MaximumReadSize);
if(!TraceMemory) if(!TraceMemory)
{ {
return (NULL); return (NULL);
@ -1104,12 +1104,10 @@ __declspec(dllexport) long TITCALL TracerDetectRedirection(HANDLE hProcess, ULON
} }
} }
} }
VirtualFree(TraceMemory, NULL, MEM_RELEASE);
return(KnownRedirectionIndex); return(KnownRedirectionIndex);
} }
else else
{ {
VirtualFree(TraceMemory, NULL, MEM_RELEASE);
} }
} }
} }
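Review bot: In EngineGlobalTracerHandler1 the pointer returned by `tracmem.Allocate(memSize)` is passed straight to ReadProcessMemory, whereas TracerDetectRedirection in the same file guards its allocation with `if(!TraceMemory)`. DynBuf is not shown on this page, so how Allocate reports failure is an assumption. If it can return null, the same `if(!TraceMemory)` guard belongs after the assignment, returning whatever failure value the handler uses. The two `else { }` blocks that held only the removed VirtualFree are now empty and can be dropped. Both function bodies extend beyond the hunks shown.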