diff --git a/TitanEngine/Global.Engine.Importer.cpp b/TitanEngine/Global.Engine.Importer.cpp
index f49ea1a..f68a1ca 100644
--- a/TitanEngine/Global.Engine.Importer.cpp
+++ b/TitanEngine/Global.Engine.Importer.cpp
@@ -239,27 +239,37 @@ bool EngineGetAPINameRemote(HANDLE hProcess, ULONG_PTR APIAddress, char* APIName ExportDirectorySize=(ULONG_PTR)PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size; } PIMAGE_EXPORT_DIRECTORY ExportDirectory=(PIMAGE_EXPORT_DIRECTORY)ConvertVAtoFileOffset(FileMapVA, ExportDirectoryVA+ImageBase, true); - DWORD* AddrOfFunctions=(DWORD*)ConvertVAtoFileOffset(FileMapVA, ExportDirectory->AddressOfFunctions+ImageBase, true); - DWORD* AddrOfNames=(DWORD*)ConvertVAtoFileOffset(FileMapVA, ExportDirectory->AddressOfNames+ImageBase, true); - SHORT* AddrOfNameOrdinals=(SHORT*)ConvertVAtoFileOffset(FileMapVA, ExportDirectory->AddressOfNameOrdinals+ImageBase, true); - unsigned int NumberOfNames=ExportDirectory->NumberOfNames; - for(unsigned int i=0; i=ExportDirectoryVA+ExportDirectorySize) //non-forwarded exports + DWORD* AddrOfFunctions=(DWORD*)ConvertVAtoFileOffset(FileMapVA, ExportDirectory->AddressOfFunctions+ImageBase, true); + DWORD* AddrOfNames=(DWORD*)ConvertVAtoFileOffset(FileMapVA, ExportDirectory->AddressOfNames+ImageBase, true); + SHORT* AddrOfNameOrdinals=(SHORT*)ConvertVAtoFileOffset(FileMapVA, ExportDirectory->AddressOfNameOrdinals+ImageBase, true); + if(AddrOfFunctions && AddrOfNames && AddrOfNameOrdinals) { - if(curRva+ModuleBase==APIAddress) + unsigned int NumberOfNames=ExportDirectory->NumberOfNames; + for(unsigned int i=0; istrlen(curName)) + const char* curName=(const char*)ConvertVAtoFileOffset(FileMapVA, AddrOfNames[i]+ImageBase, true); + if(!curName) + continue; + unsigned int curRva=AddrOfFunctions[AddrOfNameOrdinals[i]]; + if(curRva=ExportDirectoryVA+ExportDirectorySize) //non-forwarded exports { - strcpy(APIName, curName); - return true; - } - if(APINameSizeNeeded) - { - *APINameSizeNeeded=strlen(curName); - return true; + if(curRva+ModuleBase==APIAddress) + { + if(APIName && APINameSize>strlen(curName)) + { + strcpy(APIName, curName); + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return true; + 
} + if(APINameSizeNeeded) + { + *APINameSizeNeeded=strlen(curName); + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return true; + } + } } } } @@ -312,18 +322,27 @@ DWORD EngineGetAPIOrdinalRemote(HANDLE hProcess, ULONG_PTR APIAddress) ExportDirectorySize=(ULONG_PTR)PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size; } PIMAGE_EXPORT_DIRECTORY ExportDirectory=(PIMAGE_EXPORT_DIRECTORY)ConvertVAtoFileOffset(FileMapVA, ExportDirectoryVA+ImageBase, true); - DWORD* AddrOfFunctions=(DWORD*)ConvertVAtoFileOffset(FileMapVA, ExportDirectory->AddressOfFunctions+ImageBase, true); - unsigned int NumberOfFunctions=ExportDirectory->NumberOfFunctions; - for(unsigned int i=0,j=0; i=ExportDirectoryVA+ExportDirectorySize) //non-forwarded exports + DWORD* AddrOfFunctions=(DWORD*)ConvertVAtoFileOffset(FileMapVA, ExportDirectory->AddressOfFunctions+ImageBase, true); + if(AddrOfFunctions) { - if(curRva+ModuleBase==APIAddress) - return j; + unsigned int NumberOfFunctions=ExportDirectory->NumberOfFunctions; + for(unsigned int i=0,j=0; i=ExportDirectoryVA+ExportDirectorySize) //non-forwarded exports + { + if(curRva+ModuleBase==APIAddress) + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return j; + } + } + } } } } diff --git a/TitanEngine/TitanEngine.Engine.cpp b/TitanEngine/TitanEngine.Engine.cpp index 3c5cb14..bf407d4 100644 --- a/TitanEngine/TitanEngine.Engine.cpp +++ b/TitanEngine/TitanEngine.Engine.cpp 
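Review bot: `ExportDirectory` is dereferenced before any check: the new guard tests `AddrOfFunctions`, `AddrOfNames` and `AddrOfNameOrdinals`, but all three are computed from `ExportDirectory->...` just above it, so if `ConvertVAtoFileOffset` returns 0 for the export directory (as the added checks assume it can for the tables) the fault happens before the guard runs. Compute the three table pointers inside `if(ExportDirectory) { ... }`; the `AddrOfFunctions` line in the EngineGetAPIOrdinalRemote hunk needs the same. Separately, `AddrOfFunctions[AddrOfNameOrdinals[i]]` takes its index from the file through a `SHORT*`, so an ordinal of 0x8000 or above becomes a negative index and nothing compares it with `ExportDirectory->NumberOfFunctions`. Both function bodies start and end outside the hunks.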
@@ -119,52 +119,56 @@ __declspec(dllexport) bool TITCALL EngineCreateMissingDependenciesW(wchar_t* szF ImportTableAddress = (ULONG_PTR)PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress; ImportTableAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportTableAddress + ImageBase, true); ImportPointer = (PIMAGE_IMPORT_DESCRIPTOR)ImportTableAddress; - while(ImportPointer->FirstThunk != NULL) + while(ImportPointer && ImportPointer->FirstThunk != NULL) { ImportDllName = (PCHAR)((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportPointer->Name + ImageBase, true)); - MultiByteToWideChar(CP_ACP, NULL, ImportDllName, lstrlenA(ImportDllName)+1, ImportDllNameW, sizeof(ImportDllNameW)/(sizeof(ImportDllNameW[0]))); - if(!EngineIsDependencyPresentW(ImportDllNameW, szFileName, szOutputFolder)) + if(ImportDllName) { - RtlZeroMemory(&BuildExportName, sizeof(BuildExportName)); - lstrcatW(BuildExportName, szOutputFolder); - if(BuildExportName[lstrlenW(BuildExportName)-1] != 0x5C) + MultiByteToWideChar(CP_ACP, NULL, ImportDllName, lstrlenA(ImportDllName)+1, ImportDllNameW, sizeof(ImportDllNameW)/(sizeof(ImportDllNameW[0]))); + if(!EngineIsDependencyPresentW(ImportDllNameW, szFileName, szOutputFolder)) { - BuildExportName[lstrlenW(BuildExportName)] = 0x5C; - } - lstrcatW(BuildExportName, ImportDllNameW); - if(LogCreatedFiles) - { - RtlMoveMemory(engineDependencyFilesCWP, &BuildExportName, lstrlenW(BuildExportName) * 2); - engineDependencyFilesCWP = (LPVOID)((ULONG_PTR)engineDependencyFilesCWP + (lstrlenW(BuildExportName) * 2) + 2); - } - EngineExtractResource("MODULEx86", BuildExportName); - ExporterInit(20 * 1024, (ULONG_PTR)GetPE32DataW(BuildExportName, NULL, UE_IMAGEBASE), NULL, ImportDllName); - ImportThunkAddress = ImportPointer->FirstThunk; - if(ImportPointer->OriginalFirstThunk != NULL) - { - ImportThunkX86 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportPointer->OriginalFirstThunk + ImageBase, true)); - } - else - { 
- ImportThunkX86 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportPointer->FirstThunk + ImageBase, true)); - } - while(ImportThunkX86->u1.Function != NULL) - { - if(ImportThunkX86->u1.Ordinal & IMAGE_ORDINAL_FLAG32) + RtlZeroMemory(&BuildExportName, sizeof(BuildExportName)); + lstrcatW(BuildExportName, szOutputFolder); + if(BuildExportName[lstrlenW(BuildExportName)-1] != 0x5C) { - ExporterAddNewOrdinalExport(ImportThunkX86->u1.Ordinal ^ IMAGE_ORDINAL_FLAG32, 0x1000); + BuildExportName[lstrlenW(BuildExportName)] = 0x5C; + } + lstrcatW(BuildExportName, ImportDllNameW); + if(LogCreatedFiles) + { + RtlMoveMemory(engineDependencyFilesCWP, &BuildExportName, lstrlenW(BuildExportName) * 2); + engineDependencyFilesCWP = (LPVOID)((ULONG_PTR)engineDependencyFilesCWP + (lstrlenW(BuildExportName) * 2) + 2); + } + EngineExtractResource("MODULEx86", BuildExportName); + ExporterInit(20 * 1024, (ULONG_PTR)GetPE32DataW(BuildExportName, NULL, UE_IMAGEBASE), NULL, ImportDllName); + ImportThunkAddress = ImportPointer->FirstThunk; + if(ImportPointer->OriginalFirstThunk != NULL) + { + ImportThunkX86 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportPointer->OriginalFirstThunk + ImageBase, true)); } else { - ImportThunkName = (ULONG_PTR)(ConvertVAtoFileOffset(FileMapVA, ImportThunkX86->u1.AddressOfData + ImageBase, true) + 2); - ExporterAddNewExport((PCHAR)ImportThunkName, 0x1000); + ImportThunkX86 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportPointer->FirstThunk + ImageBase, true)); } - ImportThunkX86 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ImportThunkX86 + 4); - ImportThunkAddress = ImportThunkAddress + 4; + while(ImportThunkX86 && ImportThunkX86->u1.Function != NULL) + { + if(ImportThunkX86->u1.Ordinal & IMAGE_ORDINAL_FLAG32) + { + ExporterAddNewOrdinalExport(ImportThunkX86->u1.Ordinal ^ IMAGE_ORDINAL_FLAG32, 0x1000); + } + else + { + ImportThunkName = (ULONG_PTR)(ConvertVAtoFileOffset(FileMapVA, 
ImportThunkX86->u1.AddressOfData + ImageBase, true) + 2); + if(ImportThunkName) + ExporterAddNewExport((PCHAR)ImportThunkName, 0x1000); + } + ImportThunkX86 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ImportThunkX86 + 4); + ImportThunkAddress = ImportThunkAddress + 4; + } + ExporterBuildExportTableExW(BuildExportName, ".export"); } - ExporterBuildExportTableExW(BuildExportName, ".export"); + ImportPointer = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportPointer + sizeof IMAGE_IMPORT_DESCRIPTOR); } - ImportPointer = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportPointer + sizeof IMAGE_IMPORT_DESCRIPTOR); } } else 
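Review bot: The added `if(ImportThunkName)` in the import-by-name branch cannot catch a failed conversion, because `+ 2` is applied to the result of `ConvertVAtoFileOffset` before the test, so a returned 0 becomes 2 and is handed to `ExporterAddNewExport` as a string pointer. Test the conversion result first and skip the 2-byte hint afterwards, e.g. `ULONG_PTR ByName = ConvertVAtoFileOffset(FileMapVA, ImportThunkX86->u1.AddressOfData + ImageBase, true);` followed by `if(ByName) ExporterAddNewExport((PCHAR)(ByName + 2), 0x1000);`. The x64 hunk of this function has the same pattern with `ImportThunkX64`. The function body starts and ends outside the hunk.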
@@ -173,52 +177,56 @@ __declspec(dllexport) bool TITCALL EngineCreateMissingDependenciesW(wchar_t* szF ImportTableAddress = (ULONG_PTR)PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress; ImportTableAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportTableAddress + ImageBase, true); ImportPointer = (PIMAGE_IMPORT_DESCRIPTOR)ImportTableAddress; - while(ImportPointer->FirstThunk != NULL) + while(ImportPointer && ImportPointer->FirstThunk != NULL) { ImportDllName = (PCHAR)((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportPointer->Name + ImageBase, true)); - MultiByteToWideChar(CP_ACP, NULL, ImportDllName, lstrlenA(ImportDllName)+1, ImportDllNameW, sizeof(ImportDllNameW)/(sizeof(ImportDllNameW[0]))); - if(!EngineIsDependencyPresentW(ImportDllNameW, szFileName, szOutputFolder)) + if(ImportDllName) { - RtlZeroMemory(&BuildExportName, sizeof(BuildExportName)); - lstrcatW(BuildExportName, szOutputFolder); - if(BuildExportName[lstrlenW(BuildExportName)-1] != 0x5C) + MultiByteToWideChar(CP_ACP, NULL, ImportDllName, lstrlenA(ImportDllName)+1, ImportDllNameW, sizeof(ImportDllNameW)/(sizeof(ImportDllNameW[0]))); + if(!EngineIsDependencyPresentW(ImportDllNameW, szFileName, szOutputFolder)) { - BuildExportName[lstrlenW(BuildExportName)] = 0x5C; - } - lstrcatW(BuildExportName, ImportDllNameW); - if(LogCreatedFiles) - { - RtlMoveMemory(engineDependencyFilesCWP, &BuildExportName, lstrlenW(BuildExportName) * 2); - engineDependencyFilesCWP = (LPVOID)((ULONG_PTR)engineDependencyFilesCWP + (lstrlenW(BuildExportName) * 2) + 2); - } - EngineExtractResource("MODULEx64", BuildExportName); - ExporterInit(20 * 1024, (ULONG_PTR)GetPE32DataW(BuildExportName, NULL, UE_IMAGEBASE), NULL, ImportDllName); - ImportThunkAddress = ImportPointer->FirstThunk; - if(ImportPointer->OriginalFirstThunk != NULL) - { - ImportThunkX64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportPointer->OriginalFirstThunk + ImageBase, true)); - } - else - { 
- ImportThunkX64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportPointer->FirstThunk + ImageBase, true)); - } - while(ImportThunkX64->u1.Function != NULL) - { - if(ImportThunkX64->u1.Ordinal & IMAGE_ORDINAL_FLAG64) + RtlZeroMemory(&BuildExportName, sizeof(BuildExportName)); + lstrcatW(BuildExportName, szOutputFolder); + if(BuildExportName[lstrlenW(BuildExportName)-1] != 0x5C) { - ExporterAddNewOrdinalExport((DWORD)(ImportThunkX64->u1.Ordinal ^ IMAGE_ORDINAL_FLAG64), 0x1000); + BuildExportName[lstrlenW(BuildExportName)] = 0x5C; + } + lstrcatW(BuildExportName, ImportDllNameW); + if(LogCreatedFiles) + { + RtlMoveMemory(engineDependencyFilesCWP, &BuildExportName, lstrlenW(BuildExportName) * 2); + engineDependencyFilesCWP = (LPVOID)((ULONG_PTR)engineDependencyFilesCWP + (lstrlenW(BuildExportName) * 2) + 2); + } + EngineExtractResource("MODULEx64", BuildExportName); + ExporterInit(20 * 1024, (ULONG_PTR)GetPE32DataW(BuildExportName, NULL, UE_IMAGEBASE), NULL, ImportDllName); + ImportThunkAddress = ImportPointer->FirstThunk; + if(ImportPointer->OriginalFirstThunk != NULL) + { + ImportThunkX64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportPointer->OriginalFirstThunk + ImageBase, true)); } else { - ImportThunkName = (ULONG_PTR)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(ImportThunkX64->u1.AddressOfData + ImageBase), true) + 2); - ExporterAddNewExport((PCHAR)ImportThunkName, 0x1000); + ImportThunkX64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportPointer->FirstThunk + ImageBase, true)); } - ImportThunkX64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ImportThunkX64 + 8); - ImportThunkAddress = ImportThunkAddress + 8; + while(ImportThunkX64 && ImportThunkX64->u1.Function != NULL) + { + if(ImportThunkX64->u1.Ordinal & IMAGE_ORDINAL_FLAG64) + { + ExporterAddNewOrdinalExport((DWORD)(ImportThunkX64->u1.Ordinal ^ IMAGE_ORDINAL_FLAG64), 0x1000); + } + else + { + ImportThunkName = 
(ULONG_PTR)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(ImportThunkX64->u1.AddressOfData + ImageBase), true) + 2); + if(ImportThunkName) + ExporterAddNewExport((PCHAR)ImportThunkName, 0x1000); + } + ImportThunkX64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ImportThunkX64 + 8); + ImportThunkAddress = ImportThunkAddress + 8; + } + ExporterBuildExportTableExW(BuildExportName, ".export"); } - ExporterBuildExportTableExW(BuildExportName, ".export"); + ImportPointer = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportPointer + sizeof IMAGE_IMPORT_DESCRIPTOR); } - ImportPointer = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportPointer + sizeof IMAGE_IMPORT_DESCRIPTOR); } } UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); diff --git a/TitanEngine/TitanEngine.Exporter.cpp b/TitanEngine/TitanEngine.Exporter.cpp index 83574ef..446677a 100644 --- a/TitanEngine/TitanEngine.Exporter.cpp +++ b/TitanEngine/TitanEngine.Exporter.cpp @@ -276,7 +276,8 @@ __declspec(dllexport) bool TITCALL ExporterBuildExportTableExW(wchar_t* szExport if(MapFileExW(szExportFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) { NewSectionFO = (DWORD)ConvertVAtoFileOffset(FileMapVA, NewSectionVO + (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_IMAGEBASE), true); - ReturnValue = ExporterBuildExportTable(NewSectionFO, FileMapVA); + if(NewSectionFO) + ReturnValue = ExporterBuildExportTable(NewSectionFO, FileMapVA); UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); if(ReturnValue) { 
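Review bot: `ImportDllName` is read from the mapped file and, once it is non-null, goes unvalidated into the output path: `lstrcatW(BuildExportName, ImportDllNameW)` appends it to `szOutputFolder`, and that path is then passed to `EngineExtractResource` and `ExporterBuildExportTableExW`, which presumably create and modify the file. A name containing `\`, `/`, `:` or `..` would point outside the output folder, and neither `lstrcatW` call is bounded by the size of `BuildExportName`. Reject names with path characters and check the combined length before concatenating. The return value of `MultiByteToWideChar` is also ignored, so an over-long name may leave `ImportDllNameW` unterminated. The x86 hunk above has the same code path.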
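Review bot: `ReturnValue` is now assigned only when `NewSectionFO` is non-zero, and its declaration is outside the hunk, so unless it is initialised to `false` there, the `if(ReturnValue)` after `UnMapFileEx` tests a stale or indeterminate value when the conversion fails. Make the failure path explicit with `else ReturnValue = false;` after the guarded call, matching the `bool ReturnValue = false;` that the TLSBuildNewTableExW hunk in this commit adds. The RelocaterExportRelocationExW hunk has the same shape and needs the same treatment.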
@@ -359,9 +360,15 @@ __declspec(dllexport) bool TITCALL ExporterLoadExportTableW(wchar_t* szFileName) if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress != NULL) { PEExports = (PIMAGE_EXPORT_DIRECTORY)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + PEHeader32->OptionalHeader.ImageBase), true)); - ExportedFunctions = (PEXPORTED_DATA)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEExports->AddressOfFunctions + PEHeader32->OptionalHeader.ImageBase), true)); - ExporterInit(50 * 1024, (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, PEExports->Base, NULL); - ExportPresent = true; + if(PEExports) + { + ExportedFunctions = (PEXPORTED_DATA)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEExports->AddressOfFunctions + PEHeader32->OptionalHeader.ImageBase), true)); + if(ExportedFunctions) + { + ExporterInit(50 * 1024, (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, PEExports->Base, NULL); + ExportPresent = true; + } + } } } else 
@@ -369,9 +376,15 @@ __declspec(dllexport) bool TITCALL ExporterLoadExportTableW(wchar_t* szFileName) if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress != NULL) { PEExports = (PIMAGE_EXPORT_DIRECTORY)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + PEHeader64->OptionalHeader.ImageBase), true)); - ExportedFunctions = (PEXPORTED_DATA)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEExports->AddressOfFunctions + PEHeader64->OptionalHeader.ImageBase), true)); - ExporterInit(50 * 1024, (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, PEExports->Base, NULL); - ExportPresent = true; + if(PEExports) + { + ExportedFunctions = (PEXPORTED_DATA)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEExports->AddressOfFunctions + PEHeader64->OptionalHeader.ImageBase), true)); + if(ExportedFunctions) + { + ExporterInit(50 * 1024, (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, PEExports->Base, NULL); + ExportPresent = true; + } + } } } if(ExportPresent) 
@@ -390,32 +403,36 @@ __declspec(dllexport) bool TITCALL ExporterLoadExportTableW(wchar_t* szFileName) ExportedFunctionNames = (PEXPORTED_DATA)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEExports->AddressOfNames + PEHeader64->OptionalHeader.ImageBase), true)); ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEExports->AddressOfNameOrdinals + PEHeader64->OptionalHeader.ImageBase), true)); } - for(j = 0; j <= PEExports->NumberOfNames; j++) + if(ExportedFunctionNames && ExportedFunctionOrdinals) { - if(ExportedFunctionOrdinals->OrdinalNumber != x) + for(j = 0; j <= PEExports->NumberOfNames; j++) { - ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)((ULONG_PTR)ExportedFunctionOrdinals + 2); + if(ExportedFunctionOrdinals->OrdinalNumber != x) + { + ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)((ULONG_PTR)ExportedFunctionOrdinals + 2); + } + else + { + ExportPresent = true; + break; + } } - else + if(ExportPresent) { - ExportPresent = true; - break; + ExportedFunctionNames = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctionNames + j * 4); + if(!FileIs64) + { + ExportName = (char*)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(ExportedFunctionNames->ExportedItem + PEHeader32->OptionalHeader.ImageBase), true)); + } + else + { + ExportName = (char*)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(ExportedFunctionNames->ExportedItem + PEHeader64->OptionalHeader.ImageBase), true)); + } + if(ExportName) + ExporterAddNewExport(ExportName, ExportedFunctions->ExportedItem); } + ExportedFunctions = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctions + 4); } - if(ExportPresent) - { - ExportedFunctionNames = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctionNames + j * 4); - if(!FileIs64) - { - ExportName = (char*)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(ExportedFunctionNames->ExportedItem + PEHeader32->OptionalHeader.ImageBase), true)); - } - else - { - ExportName = (char*)(ConvertVAtoFileOffset(FileMapVA, 
(ULONG_PTR)(ExportedFunctionNames->ExportedItem + PEHeader64->OptionalHeader.ImageBase), true)); - } - ExporterAddNewExport(ExportName, ExportedFunctions->ExportedItem); - } - ExportedFunctions = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctions + 4); } UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); return true; diff --git a/TitanEngine/TitanEngine.Hooks.cpp b/TitanEngine/TitanEngine.Hooks.cpp index 69bffb3..7dd31b6 100644 --- a/TitanEngine/TitanEngine.Hooks.cpp +++ b/TitanEngine/TitanEngine.Hooks.cpp @@ -470,7 +470,7 @@ __declspec(dllexport) bool TITCALL HooksInsertNewIATRedirectionEx(ULONG_PTR File ThunkData32 = (PIMAGE_THUNK_DATA32)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)((ULONG_PTR)ImportIID->FirstThunk + PEHeader32->OptionalHeader.ImageBase), true); CurrentThunk = (ULONG_PTR)ImportIID->FirstThunk; } - while(ThunkData32->u1.AddressOfData != NULL) + while(ThunkData32 && ThunkData32->u1.AddressOfData != NULL) { if(!(ThunkData32->u1.Ordinal & IMAGE_ORDINAL_FLAG32)) { @@ -519,7 +519,7 @@ __declspec(dllexport) bool TITCALL HooksInsertNewIATRedirectionEx(ULONG_PTR File ThunkData64 = (PIMAGE_THUNK_DATA64)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)((ULONG_PTR)ImportIID->FirstThunk + PEHeader64->OptionalHeader.ImageBase), true); CurrentThunk = (ULONG_PTR)ImportIID->FirstThunk; } - while(ThunkData64->u1.AddressOfData != NULL) + while(ThunkData64 && ThunkData64->u1.AddressOfData != NULL) { if(!(ThunkData64->u1.Ordinal & IMAGE_ORDINAL_FLAG64)) { diff --git a/TitanEngine/TitanEngine.PE.Convert.cpp b/TitanEngine/TitanEngine.PE.Convert.cpp index 11550b2..cef82f6 100644 --- a/TitanEngine/TitanEngine.PE.Convert.cpp +++ b/TitanEngine/TitanEngine.PE.Convert.cpp 
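Review bot: The re-indented search loop in ExporterLoadExportTableW keeps `j <= PEExports->NumberOfNames`, which reads one `OrdinalNumber` past the end of the name-ordinal table whenever no entry matches `x`; the bound should be `j < PEExports->NumberOfNames`. `NumberOfNames` is taken from the file and is not compared with the mapped size anywhere in the hunk, so the added null checks on `ExportedFunctionNames` and `ExportedFunctionOrdinals` protect only the first element of each table. A check that the table start plus `NumberOfNames * 2` stays inside the mapping would bound the walk. The enclosing loop and the function body start outside the hunk.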
@@ -73,7 +73,6 @@ __declspec(dllexport) long TITCALL GetPE32SectionNumberFromVA(ULONG_PTR FileMapV } __declspec(dllexport) ULONG_PTR TITCALL ConvertVAtoFileOffset(ULONG_PTR FileMapVA, ULONG_PTR AddressToConvert, bool ReturnType) { - PIMAGE_DOS_HEADER DOSHeader; PIMAGE_NT_HEADERS32 PEHeader32; PIMAGE_NT_HEADERS64 PEHeader64; @@ -129,14 +128,14 @@ __declspec(dllexport) ULONG_PTR TITCALL ConvertVAtoFileOffset(ULONG_PTR FileMapV { if(ConvertedAddress != NULL) { - ConvertedAddress = ConvertedAddress + FileMapVA; + ConvertedAddress += FileMapVA; } else if(ConvertAddress == NULL) { ConvertedAddress = FileMapVA; } } - return(ConvertedAddress); + return ConvertedAddress; } __except(EXCEPTION_EXECUTE_HANDLER) { @@ -170,7 +169,7 @@ __declspec(dllexport) ULONG_PTR TITCALL ConvertVAtoFileOffset(ULONG_PTR FileMapV { if(ConvertedAddress != NULL) { - ConvertedAddress = ConvertedAddress + FileMapVA; + ConvertedAddress += FileMapVA; } else if(ConvertAddress == NULL) { diff --git a/TitanEngine/TitanEngine.Relocator.cpp b/TitanEngine/TitanEngine.Relocator.cpp index 6221ad9..452398f 100644 --- a/TitanEngine/TitanEngine.Relocator.cpp +++ b/TitanEngine/TitanEngine.Relocator.cpp @@ -211,7 +211,8 @@ __declspec(dllexport) bool TITCALL RelocaterExportRelocationExW(wchar_t* szFileN if(MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) { NewSectionFO = (DWORD)ConvertVAtoFileOffset(FileMapVA, NewSectionVO + (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_IMAGEBASE), true); - ReturnValue = RelocaterExportRelocation(NewSectionFO, NewSectionVO, FileMapVA); + if(NewSectionFO) + ReturnValue = RelocaterExportRelocation(NewSectionFO, NewSectionVO, FileMapVA); UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); if(ReturnValue) { diff --git a/TitanEngine/TitanEngine.TLS.cpp b/TitanEngine/TitanEngine.TLS.cpp index bb4bc38..677ad81 100644 --- a/TitanEngine/TitanEngine.TLS.cpp +++ b/TitanEngine/TitanEngine.TLS.cpp 
@@ -74,24 +74,34 @@ __declspec(dllexport) bool TITCALL TLSGrabCallBackDataW(wchar_t* szFileName, LPV { ULONG_PTR TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader32->OptionalHeader.ImageBase + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress); PIMAGE_TLS_DIRECTORY32 TLSDirectoryX86 = (PIMAGE_TLS_DIRECTORY32)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true); - if(TLSDirectoryX86->AddressOfCallBacks != NULL) + if(TLSDirectoryX86 && TLSDirectoryX86->AddressOfCallBacks != NULL) { ULONG_PTR TLSCompareData = 0; ULONG_PTR TLSCallBackAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryX86->AddressOfCallBacks, true); - while(memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof ULONG_PTR) != NULL) + if(TLSCallBackAddress) { - if(ArrayOfCallBacks) + while(memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof ULONG_PTR) != NULL) { - RtlMoveMemory(ArrayOfCallBacks, (LPVOID)TLSCallBackAddress, sizeof ULONG_PTR); - ArrayOfCallBacks = (LPVOID)((ULONG_PTR)ArrayOfCallBacks + sizeof ULONG_PTR); + if(ArrayOfCallBacks) + { + RtlMoveMemory(ArrayOfCallBacks, (LPVOID)TLSCallBackAddress, sizeof ULONG_PTR); + ArrayOfCallBacks = (LPVOID)((ULONG_PTR)ArrayOfCallBacks + sizeof ULONG_PTR); + } + TLSCallBackAddress = TLSCallBackAddress + sizeof ULONG_PTR; + NumberOfTLSCallBacks++; } - TLSCallBackAddress = TLSCallBackAddress + sizeof ULONG_PTR; - NumberOfTLSCallBacks++; + if(NumberOfCallBacks) + *NumberOfCallBacks = NumberOfTLSCallBacks; + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return true; + } + else + { + if(NumberOfCallBacks) + *NumberOfCallBacks = 0; + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return false; } - if(NumberOfCallBacks) - *NumberOfCallBacks = NumberOfTLSCallBacks; - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return true; } else { 
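Review bot: The callback walk still has no upper bound: the `while(memcmp(...) != NULL)` loop advances `TLSCallBackAddress` until it finds a zero entry, and the added `if(TLSCallBackAddress)` covers only the starting address. A file whose callback array has no terminator before the end of the mapping makes the loop read past it, and each entry is copied to `ArrayOfCallBacks` with no capacity visible in the hunk. Stopping once `TLSCallBackAddress + sizeof(ULONG_PTR)` would pass `FileMapVA + FileSize` bounds the read; the write side needs a size from the caller, or a count-only first call with `ArrayOfCallBacks` null. The x64 hunk repeats the same loop, and the function body starts and ends outside both hunks.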
@@ -115,24 +125,34 @@ __declspec(dllexport) bool TITCALL TLSGrabCallBackDataW(wchar_t* szFileName, LPV { ULONG_PTR TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader64->OptionalHeader.ImageBase + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress); PIMAGE_TLS_DIRECTORY64 TLSDirectoryX64 = (PIMAGE_TLS_DIRECTORY64)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true); - if(TLSDirectoryX64->AddressOfCallBacks != NULL) + if(TLSDirectoryX64 && TLSDirectoryX64->AddressOfCallBacks != NULL) { ULONG_PTR TLSCompareData = NULL; ULONG_PTR TLSCallBackAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryX64->AddressOfCallBacks, true); - while(memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof ULONG_PTR) != NULL) + if(TLSCallBackAddress) { - if(ArrayOfCallBacks) + while(memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof ULONG_PTR) != NULL) { - RtlMoveMemory(ArrayOfCallBacks, (LPVOID)TLSCallBackAddress, sizeof ULONG_PTR); - ArrayOfCallBacks = (LPVOID)((ULONG_PTR)ArrayOfCallBacks + sizeof ULONG_PTR); + if(ArrayOfCallBacks) + { + RtlMoveMemory(ArrayOfCallBacks, (LPVOID)TLSCallBackAddress, sizeof ULONG_PTR); + ArrayOfCallBacks = (LPVOID)((ULONG_PTR)ArrayOfCallBacks + sizeof ULONG_PTR); + } + TLSCallBackAddress = TLSCallBackAddress + sizeof ULONG_PTR; + NumberOfTLSCallBacks++; } - TLSCallBackAddress = TLSCallBackAddress + sizeof ULONG_PTR; - NumberOfTLSCallBacks++; + if(NumberOfCallBacks) + *NumberOfCallBacks = NumberOfTLSCallBacks; + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return true; + } + else + { + if(NumberOfCallBacks) + *NumberOfCallBacks = 0; + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return false; } - if(NumberOfCallBacks) - *NumberOfCallBacks = NumberOfTLSCallBacks; - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return true; } else { 
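Review bot: Entry width in this PE32+ branch is `sizeof ULONG_PTR`, which follows the engine build rather than the file being parsed: callback entries in a PE32+ image are 8 bytes, so a 32-bit build would step and compare in 4-byte units here, and the PE32 branch in the hunk above would use 8-byte units in a 64-bit build. If the engine is built for both widths, the terminator test and the pointer increment should use the file's width (`sizeof(ULONGLONG)` here, `sizeof(DWORD)` in the x86 branch). `(ULONG_PTR)TLSDirectoryX64->AddressOfCallBacks` likewise drops the upper half of the VA in a 32-bit build. How entries should be laid out in `ArrayOfCallBacks` is a caller contract that is not visible in the hunk.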
@@ -695,7 +715,9 @@ __declspec(dllexport) bool TITCALL TLSBuildNewTableExW(wchar_t* szFileName, char if(MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) { DWORD NewSectionFO = (DWORD)ConvertVAtoFileOffset(FileMapVA, NewSectionVO + tlsImageBase, true); - bool ReturnValue = TLSBuildNewTable(FileMapVA, NewSectionFO, NewSectionVO, ArrayOfCallBacks, NumberOfCallBacks); + bool ReturnValue = false; + if(NewSectionFO) + ReturnValue = TLSBuildNewTable(FileMapVA, NewSectionFO, NewSectionVO, ArrayOfCallBacks, NumberOfCallBacks); UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); if(ReturnValue) {
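Review bot: `NewSectionFO` is produced by casting the `ULONG_PTR` result of `ConvertVAtoFileOffset(..., true)` to `DWORD`, and every other call in this commit that passes `true` casts the result to a pointer into the mapping, so the value appears to be a mapped address rather than a file offset. On a 64-bit build the cast would then drop the upper 32 bits, leaving the new `if(NewSectionFO)` to test only the low half and `TLSBuildNewTable` to receive a truncated value. Keep the result in a `ULONG_PTR` for the null test, e.g. `ULONG_PTR NewSectionPtr = ConvertVAtoFileOffset(FileMapVA, NewSectionVO + tlsImageBase, true);`, and narrow it only if the callee takes an offset. The ExporterBuildExportTableExW and RelocaterExportRelocationExW hunks use the same `(DWORD)` cast.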