mirror of https://github.com/x64dbg/TitanEngine
- fixed a critical bug in the breakpoint filters
- support for kernel32 -> kernelbase forwarding in SetAPIBreakPoint
parent
f8b46a7a5c
commit
7d8be98087
|
|
@ -121,7 +121,7 @@ void BreakPointPostReadFilter(ULONG_PTR lpBaseAddress, unsigned char* lpBuffer,
|
||||||
{
|
{
|
||||||
BreakPointDetail* curBp=&BreakPointBuffer.at(i);
|
BreakPointDetail* curBp=&BreakPointBuffer.at(i);
|
||||||
//check if the breakpoint is one we should be concerned about
|
//check if the breakpoint is one we should be concerned about
|
||||||
if(curBp->BreakPointActive != UE_BPXINACTIVE || (curBp->BreakPointType != UE_BREAKPOINT && curBp->BreakPointType != UE_SINGLESHOOT))
|
if(curBp->BreakPointActive != UE_BPXACTIVE || (curBp->BreakPointType != UE_BREAKPOINT && curBp->BreakPointType != UE_SINGLESHOOT))
|
||||||
continue;
|
continue;
|
||||||
ULONG_PTR cur_addr=curBp->BreakPointAddress;
|
ULONG_PTR cur_addr=curBp->BreakPointAddress;
|
||||||
if(cur_addr>=start && cur_addr<end) //breakpoint is in range
|
if(cur_addr>=start && cur_addr<end) //breakpoint is in range
|
||||||
|
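Review bot: The corrected predicate on the `if(curBp->BreakPointActive != UE_BPXACTIVE || (curBp->BreakPointType != UE_BREAKPOINT && curBp->BreakPointType != UE_SINGLESHOOT))` line is repeated verbatim in this hunk and in the two hunks below for BreakPointPreWriteFilter and BreakPointPostWriteFilter, which is exactly why the inverted `UE_BPXINACTIVE` test had to be fixed in three places at once. A small `static bool IsActiveSoftwareBreakpoint(const BreakPointDetail* bp)` returning `bp->BreakPointActive == UE_BPXACTIVE && (bp->BreakPointType == UE_BREAKPOINT || bp->BreakPointType == UE_SINGLESHOOT)`, called as `if(!IsActiveSoftwareBreakpoint(curBp)) continue;` from each loop, would keep the three filters from drifting again. The comment `//check if the breakpoint is one we should be concerned about` could name the criterion instead: `//only active UE_BREAKPOINT / UE_SINGLESHOOT entries are relevant to this filter; skip everything else`. The loop and the enclosing function begin before the hunk, and the in-range handling after `//breakpoint is in range` continues past it.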
|
@ -144,7 +144,7 @@ void BreakPointPreWriteFilter(ULONG_PTR lpBaseAddress, SIZE_T nSize, MutexLocker
|
||||||
{
|
{
|
||||||
BreakPointDetail* curBp=&BreakPointBuffer.at(i);
|
BreakPointDetail* curBp=&BreakPointBuffer.at(i);
|
||||||
//check if the breakpoint is one we should be concerned about
|
//check if the breakpoint is one we should be concerned about
|
||||||
if(curBp->BreakPointActive != UE_BPXINACTIVE || (curBp->BreakPointType != UE_BREAKPOINT && curBp->BreakPointType != UE_SINGLESHOOT))
|
if(curBp->BreakPointActive != UE_BPXACTIVE || (curBp->BreakPointType != UE_BREAKPOINT && curBp->BreakPointType != UE_SINGLESHOOT))
|
||||||
continue;
|
continue;
|
||||||
ULONG_PTR cur_addr=curBp->BreakPointAddress;
|
ULONG_PTR cur_addr=curBp->BreakPointAddress;
|
||||||
if(cur_addr>=start && cur_addr<end) //breakpoint is in range
|
if(cur_addr>=start && cur_addr<end) //breakpoint is in range
|
||||||
|
|
@ -166,7 +166,7 @@ void BreakPointPostWriteFilter(ULONG_PTR lpBaseAddress, SIZE_T nSize, MutexLocke
|
||||||
{
|
{
|
||||||
BreakPointDetail* curBp=&BreakPointBuffer.at(i);
|
BreakPointDetail* curBp=&BreakPointBuffer.at(i);
|
||||||
//check if the breakpoint is one we should be concerned about
|
//check if the breakpoint is one we should be concerned about
|
||||||
if(curBp->BreakPointActive != UE_BPXINACTIVE || (curBp->BreakPointType != UE_BREAKPOINT && curBp->BreakPointType != UE_SINGLESHOOT))
|
if(curBp->BreakPointActive != UE_BPXACTIVE || (curBp->BreakPointType != UE_BREAKPOINT && curBp->BreakPointType != UE_SINGLESHOOT))
|
||||||
continue;
|
continue;
|
||||||
ULONG_PTR cur_addr=curBp->BreakPointAddress;
|
ULONG_PTR cur_addr=curBp->BreakPointAddress;
|
||||||
if(cur_addr>=start && cur_addr<end) //breakpoint is in range
|
if(cur_addr>=start && cur_addr<end) //breakpoint is in range
|
||||||
|
|
|
||||||
|
|
@ -312,17 +312,45 @@ __declspec(dllexport) bool TITCALL SetAPIBreakPoint(const char* szDLLName, const
|
||||||
if(bpxPlace == UE_APIEND)
|
if(bpxPlace == UE_APIEND)
|
||||||
{
|
{
|
||||||
int i = 0;
|
int i = 0;
|
||||||
unsigned char ReadByte;
|
int len = 0;
|
||||||
do //search for RET
|
|
||||||
{
|
|
||||||
unsigned char CmdBuffer[MAXIMUM_INSTRUCTION_SIZE];
|
unsigned char CmdBuffer[MAXIMUM_INSTRUCTION_SIZE];
|
||||||
memset(CmdBuffer, 0, sizeof(CmdBuffer));
|
if(!_strnicmp(szDLLName, "kernel32", 8))
|
||||||
|
{
|
||||||
|
ULONG_PTR APIAddress_ = EngineGetProcAddressRemote("kernelbase.dll", szAPIName);
|
||||||
|
if(APIAddress_)
|
||||||
|
{
|
||||||
|
bool KernelBase = true;
|
||||||
|
do //search for forwarding indicators
|
||||||
|
{
|
||||||
|
i += len;
|
||||||
if(!MemoryReadSafe(dbgProcessInformation.hProcess, (void*)(APIAddress+i), CmdBuffer, sizeof(CmdBuffer), 0))
|
if(!MemoryReadSafe(dbgProcessInformation.hProcess, (void*)(APIAddress+i), CmdBuffer, sizeof(CmdBuffer), 0))
|
||||||
return false;
|
return false;
|
||||||
i += StaticLengthDisassemble(CmdBuffer);
|
if(CmdBuffer[0] == 0xCC || CmdBuffer[0] == 0x90) //padding
|
||||||
ReadByte = *CmdBuffer;
|
{
|
||||||
|
KernelBase = false; //failed to find forward indicator
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
while(ReadByte != 0xC3 && ReadByte != 0xC2);
|
len = StaticLengthDisassemble(CmdBuffer);
|
||||||
|
}
|
||||||
|
#ifdef _WIN64
|
||||||
|
while(!(CmdBuffer[0] == 0x48 && CmdBuffer[1] == 0xFF && CmdBuffer[2] == 0x25));
|
||||||
|
#else
|
||||||
|
while(!(CmdBuffer[0] == 0xFF && CmdBuffer[1] == 0x25));
|
||||||
|
#endif //_WIN64
|
||||||
|
if(KernelBase)
|
||||||
|
APIAddress = APIAddress_;
|
||||||
|
i = 0;
|
||||||
|
len = 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
do //search for RET
|
||||||
|
{
|
||||||
|
i += len;
|
||||||
|
if(!MemoryReadSafe(dbgProcessInformation.hProcess, (void*)(APIAddress+i), CmdBuffer, sizeof(CmdBuffer), 0))
|
||||||
|
return false;
|
||||||
|
len = StaticLengthDisassemble(CmdBuffer);
|
||||||
|
}
|
||||||
|
while(CmdBuffer[0] != 0xC3 && CmdBuffer[0] != 0xC2);
|
||||||
APIAddress += i;
|
APIAddress += i;
|
||||||
}
|
}
|
||||||
return SetBPX(APIAddress, bpxType, bpxCallBack);
|
return SetBPX(APIAddress, bpxType, bpxCallBack);
|
||||||
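Review bot: When the forwarder scan ends on a padding byte (the `KernelBase = false; break;` path), `i` and `len` keep their advanced values, so the following `do //search for RET` loop starts with `i += len` from the padding position plus a stale `len` instead of from `APIAddress`, and the UE_APIEND breakpoint lands at the RET of whatever code follows the function rather than at its own; only the `if(KernelBase)` branch resets them. Move the reset out of that branch: `if(KernelBase) APIAddress = APIAddress_;` followed by an unconditional `i = 0; len = 0;` after the `if(APIAddress_)` block. The scan also never treats a RET (`0xC3`/`0xC2`) as evidence that the kernel32 export has a real body, so it walks past the function's own epilogue before deciding; adding those two opcodes to the `0xCC || 0x90` test would stop it at the first RET and classify the export as not forwarded. The identical block appears again in DeleteAPIBreakPoint in the hunk below and shares both issues; a single static helper that resolves the UE_APIEND address for both callers would keep them in step. SetAPIBreakPoint starts before this hunk.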
|
|
@ -342,17 +370,45 @@ __declspec(dllexport) bool TITCALL DeleteAPIBreakPoint(const char* szDLLName, co
|
||||||
if(bpxPlace == UE_APIEND)
|
if(bpxPlace == UE_APIEND)
|
||||||
{
|
{
|
||||||
int i = 0;
|
int i = 0;
|
||||||
unsigned char ReadByte;
|
int len = 0;
|
||||||
do //search for RET
|
|
||||||
{
|
|
||||||
unsigned char CmdBuffer[MAXIMUM_INSTRUCTION_SIZE];
|
unsigned char CmdBuffer[MAXIMUM_INSTRUCTION_SIZE];
|
||||||
memset(CmdBuffer, 0, sizeof(CmdBuffer));
|
if(!_strnicmp(szDLLName, "kernel32", 8))
|
||||||
|
{
|
||||||
|
ULONG_PTR APIAddress_ = EngineGetProcAddressRemote("kernelbase.dll", szAPIName);
|
||||||
|
if(APIAddress_)
|
||||||
|
{
|
||||||
|
bool KernelBase = true;
|
||||||
|
do //search for forwarding indicators
|
||||||
|
{
|
||||||
|
i += len;
|
||||||
if(!MemoryReadSafe(dbgProcessInformation.hProcess, (void*)(APIAddress+i), CmdBuffer, sizeof(CmdBuffer), 0))
|
if(!MemoryReadSafe(dbgProcessInformation.hProcess, (void*)(APIAddress+i), CmdBuffer, sizeof(CmdBuffer), 0))
|
||||||
return false;
|
return false;
|
||||||
i += StaticLengthDisassemble(CmdBuffer);
|
if(CmdBuffer[0] == 0xCC || CmdBuffer[0] == 0x90) //padding
|
||||||
ReadByte = *CmdBuffer;
|
{
|
||||||
|
KernelBase = false; //failed to find forward indicator
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
while(ReadByte != 0xC3 && ReadByte != 0xC2);
|
len = StaticLengthDisassemble(CmdBuffer);
|
||||||
|
}
|
||||||
|
#ifdef _WIN64
|
||||||
|
while(!(CmdBuffer[0] == 0x48 && CmdBuffer[1] == 0xFF && CmdBuffer[2] == 0x25));
|
||||||
|
#else
|
||||||
|
while(!(CmdBuffer[0] == 0xFF && CmdBuffer[1] == 0x25));
|
||||||
|
#endif //_WIN64
|
||||||
|
if(KernelBase)
|
||||||
|
APIAddress = APIAddress_;
|
||||||
|
i = 0;
|
||||||
|
len = 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
do //search for RET
|
||||||
|
{
|
||||||
|
i += len;
|
||||||
|
if(!MemoryReadSafe(dbgProcessInformation.hProcess, (void*)(APIAddress+i), CmdBuffer, sizeof(CmdBuffer), 0))
|
||||||
|
return false;
|
||||||
|
len = StaticLengthDisassemble(CmdBuffer);
|
||||||
|
}
|
||||||
|
while(CmdBuffer[0] != 0xC3 && CmdBuffer[0] != 0xC2);
|
||||||
APIAddress += i;
|
APIAddress += i;
|
||||||
}
|
}
|
||||||
return DeleteBPX(APIAddress);
|
return DeleteBPX(APIAddress);
|
||||||
|
|
|
||||||