From 7d8be98087c6cb54bdcaf61ea9da10437dd17a74 Mon Sep 17 00:00:00 2001
From: "Mr. eXoDia" <mr.exodia.tpodt@gmail.com>
Date: Tue, 11 Mar 2014 00:50:09 +0100
Subject: [PATCH] - fixed a critical bug in the breakpoint filters

- support for kernel32 -> kernelbase forwarding in SetAPIBreakPoint
---
 TitanEngine/Global.Breakpoints.cpp      |  6 +-
 TitanEngine/TitanEngine.Breakpoints.cpp | 80 +++++++++++++++++++++----
 2 files changed, 71 insertions(+), 15 deletions(-)

diff --git a/TitanEngine/Global.Breakpoints.cpp b/TitanEngine/Global.Breakpoints.cpp
index 62b1093..a084a82 100644
--- a/TitanEngine/Global.Breakpoints.cpp
+++ b/TitanEngine/Global.Breakpoints.cpp
@@ -121,7 +121,7 @@ void BreakPointPostReadFilter(ULONG_PTR lpBaseAddress, unsigned char* lpBuffer,
     {
         BreakPointDetail* curBp=&BreakPointBuffer.at(i);
         //check if the breakpoint is one we should be concerned about
-        if(curBp->BreakPointActive != UE_BPXINACTIVE || (curBp->BreakPointType != UE_BREAKPOINT && curBp->BreakPointType != UE_SINGLESHOOT))
+        if(curBp->BreakPointActive != UE_BPXACTIVE || (curBp->BreakPointType != UE_BREAKPOINT && curBp->BreakPointType != UE_SINGLESHOOT))
             continue;
         ULONG_PTR cur_addr=curBp->BreakPointAddress;
         if(cur_addr>=start && cur_addr<end) //breakpoint is in range
@@ -144,7 +144,7 @@ void BreakPointPreWriteFilter(ULONG_PTR lpBaseAddress, SIZE_T nSize, MutexLocker
     {
         BreakPointDetail* curBp=&BreakPointBuffer.at(i);
         //check if the breakpoint is one we should be concerned about
-        if(curBp->BreakPointActive != UE_BPXINACTIVE || (curBp->BreakPointType != UE_BREAKPOINT && curBp->BreakPointType != UE_SINGLESHOOT))
+        if(curBp->BreakPointActive != UE_BPXACTIVE || (curBp->BreakPointType != UE_BREAKPOINT && curBp->BreakPointType != UE_SINGLESHOOT))
             continue;
         ULONG_PTR cur_addr=curBp->BreakPointAddress;
         if(cur_addr>=start && cur_addr<end) //breakpoint is in range
@@ -166,7 +166,7 @@ void BreakPointPostWriteFilter(ULONG_PTR lpBaseAddress, SIZE_T nSize, MutexLocke
     {
         BreakPointDetail* curBp=&BreakPointBuffer.at(i);
         //check if the breakpoint is one we should be concerned about
-        if(curBp->BreakPointActive != UE_BPXINACTIVE || (curBp->BreakPointType != UE_BREAKPOINT && curBp->BreakPointType != UE_SINGLESHOOT))
+        if(curBp->BreakPointActive != UE_BPXACTIVE || (curBp->BreakPointType != UE_BREAKPOINT && curBp->BreakPointType != UE_SINGLESHOOT))
             continue;
         ULONG_PTR cur_addr=curBp->BreakPointAddress;
         if(cur_addr>=start && cur_addr<end) //breakpoint is in range
diff --git a/TitanEngine/TitanEngine.Breakpoints.cpp b/TitanEngine/TitanEngine.Breakpoints.cpp
index 4c54ca0..6f9b256 100644
--- a/TitanEngine/TitanEngine.Breakpoints.cpp
+++ b/TitanEngine/TitanEngine.Breakpoints.cpp
@@ -312,17 +312,45 @@ __declspec(dllexport) bool TITCALL SetAPIBreakPoint(const char* szDLLName, const
             if(bpxPlace == UE_APIEND)
             {
                 int i = 0;
-                unsigned char ReadByte;
+                int len = 0;
+                unsigned char CmdBuffer[MAXIMUM_INSTRUCTION_SIZE];
+                if(!_strnicmp(szDLLName, "kernel32", 8))
+                {
+                    ULONG_PTR APIAddress_ = EngineGetProcAddressRemote("kernelbase.dll", szAPIName);
+                    if(APIAddress_)
+                    {
+                        bool KernelBase = true;
+                        do //search for forwarding indicators
+                        {
+                            i += len;
+                            if(!MemoryReadSafe(dbgProcessInformation.hProcess, (void*)(APIAddress+i), CmdBuffer, sizeof(CmdBuffer), 0))
+                                return false;
+                            if(CmdBuffer[0] == 0xCC || CmdBuffer[0] == 0x90) //padding
+                            {
+                                KernelBase = false; //failed to find forward indicator
+                                break;
+                            }
+                            len = StaticLengthDisassemble(CmdBuffer);
+                        }
+#ifdef _WIN64
+                        while(!(CmdBuffer[0] == 0x48 && CmdBuffer[1] == 0xFF && CmdBuffer[2] == 0x25));
+#else
+                        while(!(CmdBuffer[0] == 0xFF && CmdBuffer[1] == 0x25));
+#endif //_WIN64
+                        if(KernelBase)
+                            APIAddress = APIAddress_;
+                        i = 0;
+                        len = 0;
+                    }
+                }
                 do  //search for RET
                 {
-                    unsigned char CmdBuffer[MAXIMUM_INSTRUCTION_SIZE];
-                    memset(CmdBuffer, 0, sizeof(CmdBuffer));
+                    i += len;
                     if(!MemoryReadSafe(dbgProcessInformation.hProcess, (void*)(APIAddress+i), CmdBuffer, sizeof(CmdBuffer), 0))
                         return false;
-                    i += StaticLengthDisassemble(CmdBuffer);
-                    ReadByte = *CmdBuffer;
+                    len = StaticLengthDisassemble(CmdBuffer);
                 }
-                while(ReadByte != 0xC3 && ReadByte != 0xC2);
+                while(CmdBuffer[0] != 0xC3 && CmdBuffer[0] != 0xC2);
                 APIAddress += i;
             }
             return SetBPX(APIAddress, bpxType, bpxCallBack);
@@ -342,17 +370,45 @@ __declspec(dllexport) bool TITCALL DeleteAPIBreakPoint(const char* szDLLName, co
             if(bpxPlace == UE_APIEND)
             {
                 int i = 0;
-                unsigned char ReadByte;
+                int len = 0;
+                unsigned char CmdBuffer[MAXIMUM_INSTRUCTION_SIZE];
+                if(!_strnicmp(szDLLName, "kernel32", 8))
+                {
+                    ULONG_PTR APIAddress_ = EngineGetProcAddressRemote("kernelbase.dll", szAPIName);
+                    if(APIAddress_)
+                    {
+                        bool KernelBase = true;
+                        do //search for forwarding indicators
+                        {
+                            i += len;
+                            if(!MemoryReadSafe(dbgProcessInformation.hProcess, (void*)(APIAddress+i), CmdBuffer, sizeof(CmdBuffer), 0))
+                                return false;
+                            if(CmdBuffer[0] == 0xCC || CmdBuffer[0] == 0x90) //padding
+                            {
+                                KernelBase = false; //failed to find forward indicator
+                                break;
+                            }
+                            len = StaticLengthDisassemble(CmdBuffer);
+                        }
+#ifdef _WIN64
+                        while(!(CmdBuffer[0] == 0x48 && CmdBuffer[1] == 0xFF && CmdBuffer[2] == 0x25));
+#else
+                        while(!(CmdBuffer[0] == 0xFF && CmdBuffer[1] == 0x25));
+#endif //_WIN64
+                        if(KernelBase)
+                            APIAddress = APIAddress_;
+                        i = 0;
+                        len = 0;
+                    }
+                }
                 do  //search for RET
                 {
-                    unsigned char CmdBuffer[MAXIMUM_INSTRUCTION_SIZE];
-                    memset(CmdBuffer, 0, sizeof(CmdBuffer));
+                    i += len;
                     if(!MemoryReadSafe(dbgProcessInformation.hProcess, (void*)(APIAddress+i), CmdBuffer, sizeof(CmdBuffer), 0))
                         return false;
-                    i += StaticLengthDisassemble(CmdBuffer);
-                    ReadByte = *CmdBuffer;
+                    len = StaticLengthDisassemble(CmdBuffer);
                 }
-                while(ReadByte != 0xC3 && ReadByte != 0xC2);
+                while(CmdBuffer[0] != 0xC3 && CmdBuffer[0] != 0xC2);
                 APIAddress += i;
             }
             return DeleteBPX(APIAddress);