- fixed a critical bug in the breakpoint filters
- support for kernel32 -> kernelbase forwarding in SetAPIBreakPoint
parent
f8b46a7a5c
commit
7d8be98087
|
|
@ -121,7 +121,7 @@ void BreakPointPostReadFilter(ULONG_PTR lpBaseAddress, unsigned char* lpBuffer,
|
|||
{
|
||||
BreakPointDetail* curBp=&BreakPointBuffer.at(i);
|
||||
//check if the breakpoint is one we should be concerned about
|
||||
if(curBp->BreakPointActive != UE_BPXINACTIVE || (curBp->BreakPointType != UE_BREAKPOINT && curBp->BreakPointType != UE_SINGLESHOOT))
|
||||
if(curBp->BreakPointActive != UE_BPXACTIVE || (curBp->BreakPointType != UE_BREAKPOINT && curBp->BreakPointType != UE_SINGLESHOOT))
|
||||
continue;
|
||||
ULONG_PTR cur_addr=curBp->BreakPointAddress;
|
||||
if(cur_addr>=start && cur_addr<end) //breakpoint is in range
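Review bot: The corrected predicate on the `continue` line is duplicated verbatim in BreakPointPreWriteFilter and BreakPointPostWriteFilter (the two following hunks), which is exactly how the inverted `UE_BPXINACTIVE` check came to be wrong in three places at once. Consider a single `static bool IsSoftwareBpCandidate(const BreakPointDetail* bp)` returning `bp->BreakPointActive == UE_BPXACTIVE && (bp->BreakPointType == UE_BREAKPOINT || bp->BreakPointType == UE_SINGLESHOOT)`, with `if(!IsSoftwareBpCandidate(curBp)) continue;` in all three loops, so the next change to the rule is made once. A short comment on the helper recording why only active software breakpoints are considered here would also help — presumably because those are the only ones whose patched bytes are present in target memory, but confirm against the filter bodies. The enclosing for loop and the filter functions begin and end outside the hunk.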
|
||||
|
|
@ -144,7 +144,7 @@ void BreakPointPreWriteFilter(ULONG_PTR lpBaseAddress, SIZE_T nSize, MutexLocker
|
|||
{
|
||||
BreakPointDetail* curBp=&BreakPointBuffer.at(i);
|
||||
//check if the breakpoint is one we should be concerned about
|
||||
if(curBp->BreakPointActive != UE_BPXINACTIVE || (curBp->BreakPointType != UE_BREAKPOINT && curBp->BreakPointType != UE_SINGLESHOOT))
|
||||
if(curBp->BreakPointActive != UE_BPXACTIVE || (curBp->BreakPointType != UE_BREAKPOINT && curBp->BreakPointType != UE_SINGLESHOOT))
|
||||
continue;
|
||||
ULONG_PTR cur_addr=curBp->BreakPointAddress;
|
||||
if(cur_addr>=start && cur_addr<end) //breakpoint is in range
|
||||
|
|
@ -166,7 +166,7 @@ void BreakPointPostWriteFilter(ULONG_PTR lpBaseAddress, SIZE_T nSize, MutexLocke
|
|||
{
|
||||
BreakPointDetail* curBp=&BreakPointBuffer.at(i);
|
||||
//check if the breakpoint is one we should be concerned about
|
||||
if(curBp->BreakPointActive != UE_BPXINACTIVE || (curBp->BreakPointType != UE_BREAKPOINT && curBp->BreakPointType != UE_SINGLESHOOT))
|
||||
if(curBp->BreakPointActive != UE_BPXACTIVE || (curBp->BreakPointType != UE_BREAKPOINT && curBp->BreakPointType != UE_SINGLESHOOT))
|
||||
continue;
|
||||
ULONG_PTR cur_addr=curBp->BreakPointAddress;
|
||||
if(cur_addr>=start && cur_addr<end) //breakpoint is in range
|
||||
|
|
|
|||
|
|
@ -312,17 +312,45 @@ __declspec(dllexport) bool TITCALL SetAPIBreakPoint(const char* szDLLName, const
|
|||
if(bpxPlace == UE_APIEND)
|
||||
{
|
||||
int i = 0;
|
||||
unsigned char ReadByte;
|
||||
int len = 0;
|
||||
unsigned char CmdBuffer[MAXIMUM_INSTRUCTION_SIZE];
|
||||
if(!_strnicmp(szDLLName, "kernel32", 8))
|
||||
{
|
||||
ULONG_PTR APIAddress_ = EngineGetProcAddressRemote("kernelbase.dll", szAPIName);
|
||||
if(APIAddress_)
|
||||
{
|
||||
bool KernelBase = true;
|
||||
do //search for forwarding indicators
|
||||
{
|
||||
i += len;
|
||||
if(!MemoryReadSafe(dbgProcessInformation.hProcess, (void*)(APIAddress+i), CmdBuffer, sizeof(CmdBuffer), 0))
|
||||
return false;
|
||||
if(CmdBuffer[0] == 0xCC || CmdBuffer[0] == 0x90) //padding
|
||||
{
|
||||
KernelBase = false; //failed to find forward indicator
|
||||
break;
|
||||
}
|
||||
len = StaticLengthDisassemble(CmdBuffer);
|
||||
}
|
||||
#ifdef _WIN64
|
||||
while(!(CmdBuffer[0] == 0x48 && CmdBuffer[1] == 0xFF && CmdBuffer[2] == 0x25));
|
||||
#else
|
||||
while(!(CmdBuffer[0] == 0xFF && CmdBuffer[1] == 0x25));
|
||||
#endif //_WIN64
|
||||
if(KernelBase)
|
||||
APIAddress = APIAddress_;
|
||||
i = 0;
|
||||
len = 0;
|
||||
}
|
||||
}
|
||||
do //search for RET
|
||||
{
|
||||
unsigned char CmdBuffer[MAXIMUM_INSTRUCTION_SIZE];
|
||||
memset(CmdBuffer, 0, sizeof(CmdBuffer));
|
||||
i += len;
|
||||
if(!MemoryReadSafe(dbgProcessInformation.hProcess, (void*)(APIAddress+i), CmdBuffer, sizeof(CmdBuffer), 0))
|
||||
return false;
|
||||
i += StaticLengthDisassemble(CmdBuffer);
|
||||
ReadByte = *CmdBuffer;
|
||||
len = StaticLengthDisassemble(CmdBuffer);
|
||||
}
|
||||
while(ReadByte != 0xC3 && ReadByte != 0xC2);
|
||||
while(CmdBuffer[0] != 0xC3 && CmdBuffer[0] != 0xC2);
|
||||
APIAddress += i;
|
||||
}
|
||||
return SetBPX(APIAddress, bpxType, bpxCallBack);
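Review bot: Neither new scan loop has an upper bound: the forward-indicator loop stops only on an indirect jmp or on 0xCC/0x90 padding, and the RET loop only on 0xC3/0xC2, so a stub that ends differently (a tail jump, a function without the expected epilogue) keeps advancing `i` across mapped code until MemoryReadSafe finally fails; and if StaticLengthDisassemble reports a zero length for undecodable bytes, `i += len` stops advancing and the loop never exits — I cannot confirm its failure value from this hunk. The same forty lines appear verbatim in DeleteAPIBreakPoint (the next hunk), so a `static` helper that resolves the `UE_APIEND` address once would keep both callers in step and give the bound a single home. The switch to kernelbase is also taken as soon as any `jmp [rip+disp32]` / `jmp [disp32]` is seen, without checking that the jump target is `APIAddress_`; either a comment stating that this heuristic is intentional or a comparison of the resolved target would make the contract explicit. In the sketch below `API_SCAN_LIMIT` is a constructed placeholder for a file-scope constant whose value the maintainers should pick. SetAPIBreakPoint begins outside the hunk.
```cpp
            bool KernelBase = true;
            do //search for forwarding indicators
            {
                i += len;
                if(i > API_SCAN_LIMIT) //bound the walk: no indicator within the stub, keep the kernel32 address
                {
                    KernelBase = false;
                    break;
                }
                if(!MemoryReadSafe(dbgProcessInformation.hProcess, (void*)(APIAddress+i), CmdBuffer, sizeof(CmdBuffer), 0))
                    return false;
                // … unchanged: 0xCC/0x90 padding check …
                len = StaticLengthDisassemble(CmdBuffer);
                if(len <= 0) //undecodable byte: stop rather than re-read the same address forever
                    return false;
            }
            // … unchanged: _WIN64 / x86 while condition, KernelBase assignment, i/len reset …
        do //search for RET
        {
            i += len;
            if(i > API_SCAN_LIMIT) //bound the walk: give up if no RET is found within the expected function size
                return false;
            if(!MemoryReadSafe(dbgProcessInformation.hProcess, (void*)(APIAddress+i), CmdBuffer, sizeof(CmdBuffer), 0))
                return false;
            len = StaticLengthDisassemble(CmdBuffer);
            if(len <= 0)
                return false;
        }
        while(CmdBuffer[0] != 0xC3 && CmdBuffer[0] != 0xC2);
```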
|
||||
|
|
@ -342,17 +370,45 @@ __declspec(dllexport) bool TITCALL DeleteAPIBreakPoint(const char* szDLLName, co
|
|||
if(bpxPlace == UE_APIEND)
|
||||
{
|
||||
int i = 0;
|
||||
unsigned char ReadByte;
|
||||
int len = 0;
|
||||
unsigned char CmdBuffer[MAXIMUM_INSTRUCTION_SIZE];
|
||||
if(!_strnicmp(szDLLName, "kernel32", 8))
|
||||
{
|
||||
ULONG_PTR APIAddress_ = EngineGetProcAddressRemote("kernelbase.dll", szAPIName);
|
||||
if(APIAddress_)
|
||||
{
|
||||
bool KernelBase = true;
|
||||
do //search for forwarding indicators
|
||||
{
|
||||
i += len;
|
||||
if(!MemoryReadSafe(dbgProcessInformation.hProcess, (void*)(APIAddress+i), CmdBuffer, sizeof(CmdBuffer), 0))
|
||||
return false;
|
||||
if(CmdBuffer[0] == 0xCC || CmdBuffer[0] == 0x90) //padding
|
||||
{
|
||||
KernelBase = false; //failed to find forward indicator
|
||||
break;
|
||||
}
|
||||
len = StaticLengthDisassemble(CmdBuffer);
|
||||
}
|
||||
#ifdef _WIN64
|
||||
while(!(CmdBuffer[0] == 0x48 && CmdBuffer[1] == 0xFF && CmdBuffer[2] == 0x25));
|
||||
#else
|
||||
while(!(CmdBuffer[0] == 0xFF && CmdBuffer[1] == 0x25));
|
||||
#endif //_WIN64
|
||||
if(KernelBase)
|
||||
APIAddress = APIAddress_;
|
||||
i = 0;
|
||||
len = 0;
|
||||
}
|
||||
}
|
||||
do //search for RET
|
||||
{
|
||||
unsigned char CmdBuffer[MAXIMUM_INSTRUCTION_SIZE];
|
||||
memset(CmdBuffer, 0, sizeof(CmdBuffer));
|
||||
i += len;
|
||||
if(!MemoryReadSafe(dbgProcessInformation.hProcess, (void*)(APIAddress+i), CmdBuffer, sizeof(CmdBuffer), 0))
|
||||
return false;
|
||||
i += StaticLengthDisassemble(CmdBuffer);
|
||||
ReadByte = *CmdBuffer;
|
||||
len = StaticLengthDisassemble(CmdBuffer);
|
||||
}
|
||||
while(ReadByte != 0xC3 && ReadByte != 0xC2);
|
||||
while(CmdBuffer[0] != 0xC3 && CmdBuffer[0] != 0xC2);
|
||||
APIAddress += i;
|
||||
}
|
||||
return DeleteBPX(APIAddress);
|
||||
|
|
|
|||