Fixed various potential exceptions (the ConvertVAtoFileOffset return value wasn't checked everywhere)

Mr. eXoDia 2014-06-01 14:34:42 +02:00
parent b89eff37c8
commit 7e1fb26ebe
7 changed files with 220 additions and 154 deletions


@ -239,27 +239,37 @@ bool EngineGetAPINameRemote(HANDLE hProcess, ULONG_PTR APIAddress, char* APIName
ExportDirectorySize=(ULONG_PTR)PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size; ExportDirectorySize=(ULONG_PTR)PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
} }
PIMAGE_EXPORT_DIRECTORY ExportDirectory=(PIMAGE_EXPORT_DIRECTORY)ConvertVAtoFileOffset(FileMapVA, ExportDirectoryVA+ImageBase, true); PIMAGE_EXPORT_DIRECTORY ExportDirectory=(PIMAGE_EXPORT_DIRECTORY)ConvertVAtoFileOffset(FileMapVA, ExportDirectoryVA+ImageBase, true);
DWORD* AddrOfFunctions=(DWORD*)ConvertVAtoFileOffset(FileMapVA, ExportDirectory->AddressOfFunctions+ImageBase, true); if(ExportDirectory)
DWORD* AddrOfNames=(DWORD*)ConvertVAtoFileOffset(FileMapVA, ExportDirectory->AddressOfNames+ImageBase, true);
SHORT* AddrOfNameOrdinals=(SHORT*)ConvertVAtoFileOffset(FileMapVA, ExportDirectory->AddressOfNameOrdinals+ImageBase, true);
unsigned int NumberOfNames=ExportDirectory->NumberOfNames;
for(unsigned int i=0; i<NumberOfNames; i++)
{ {
const char* curName=(const char*)ConvertVAtoFileOffset(FileMapVA, AddrOfNames[i]+ImageBase, true); DWORD* AddrOfFunctions=(DWORD*)ConvertVAtoFileOffset(FileMapVA, ExportDirectory->AddressOfFunctions+ImageBase, true);
unsigned int curRva=AddrOfFunctions[AddrOfNameOrdinals[i]]; DWORD* AddrOfNames=(DWORD*)ConvertVAtoFileOffset(FileMapVA, ExportDirectory->AddressOfNames+ImageBase, true);
if(curRva<ExportDirectoryVA || curRva>=ExportDirectoryVA+ExportDirectorySize) //non-forwarded exports SHORT* AddrOfNameOrdinals=(SHORT*)ConvertVAtoFileOffset(FileMapVA, ExportDirectory->AddressOfNameOrdinals+ImageBase, true);
if(AddrOfFunctions && AddrOfNames && AddrOfNameOrdinals)
{ {
if(curRva+ModuleBase==APIAddress) unsigned int NumberOfNames=ExportDirectory->NumberOfNames;
for(unsigned int i=0; i<NumberOfNames; i++)
{ {
if(APIName && APINameSize>strlen(curName)) const char* curName=(const char*)ConvertVAtoFileOffset(FileMapVA, AddrOfNames[i]+ImageBase, true);
if(!curName)
continue;
unsigned int curRva=AddrOfFunctions[AddrOfNameOrdinals[i]];
if(curRva<ExportDirectoryVA || curRva>=ExportDirectoryVA+ExportDirectorySize) //non-forwarded exports
{ {
strcpy(APIName, curName); if(curRva+ModuleBase==APIAddress)
return true; {
} if(APIName && APINameSize>strlen(curName))
if(APINameSizeNeeded) {
{ strcpy(APIName, curName);
*APINameSizeNeeded=strlen(curName); UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return true; return true;
}
if(APINameSizeNeeded)
{
*APINameSizeNeeded=strlen(curName);
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return true;
}
}
} }
} }
} }
@ -312,18 +322,27 @@ DWORD EngineGetAPIOrdinalRemote(HANDLE hProcess, ULONG_PTR APIAddress)
ExportDirectorySize=(ULONG_PTR)PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size; ExportDirectorySize=(ULONG_PTR)PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size;
} }
PIMAGE_EXPORT_DIRECTORY ExportDirectory=(PIMAGE_EXPORT_DIRECTORY)ConvertVAtoFileOffset(FileMapVA, ExportDirectoryVA+ImageBase, true); PIMAGE_EXPORT_DIRECTORY ExportDirectory=(PIMAGE_EXPORT_DIRECTORY)ConvertVAtoFileOffset(FileMapVA, ExportDirectoryVA+ImageBase, true);
DWORD* AddrOfFunctions=(DWORD*)ConvertVAtoFileOffset(FileMapVA, ExportDirectory->AddressOfFunctions+ImageBase, true); if(ExportDirectory)
unsigned int NumberOfFunctions=ExportDirectory->NumberOfFunctions;
for(unsigned int i=0,j=0; i<NumberOfFunctions; i++)
{ {
unsigned int curRva=AddrOfFunctions[i]; DWORD* AddrOfFunctions=(DWORD*)ConvertVAtoFileOffset(FileMapVA, ExportDirectory->AddressOfFunctions+ImageBase, true);
if(!curRva) if(AddrOfFunctions)
continue;
j++; //ordinal
if(curRva<ExportDirectoryVA || curRva>=ExportDirectoryVA+ExportDirectorySize) //non-forwarded exports
{ {
if(curRva+ModuleBase==APIAddress) unsigned int NumberOfFunctions=ExportDirectory->NumberOfFunctions;
return j; for(unsigned int i=0,j=0; i<NumberOfFunctions; i++)
{
unsigned int curRva=AddrOfFunctions[i];
if(!curRva)
continue;
j++; //ordinal
if(curRva<ExportDirectoryVA || curRva>=ExportDirectoryVA+ExportDirectorySize) //non-forwarded exports
{
if(curRva+ModuleBase==APIAddress)
{
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return j;
}
}
}
} }
} }
} }
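Review bot: The name-to-ordinal lookup `unsigned int curRva=AddrOfFunctions[AddrOfNameOrdinals[i]];` still indexes AddressOfFunctions with an unchecked value taken from the file, and the table is declared `SHORT* AddrOfNameOrdinals`, so any ordinal at or above 0x8000 becomes a negative index that reads before the table; the new NULL checks do not cover this. The PE ordinal table is an array of WORD, so declare it as `WORD* AddrOfNameOrdinals` and reject out-of-range entries before the read: `unsigned int ordinal=AddrOfNameOrdinals[i]; if(ordinal>=ExportDirectory->NumberOfFunctions) continue;` (EngineGetAPIOrdinalRemote already reads NumberOfFunctions at the same point). The loop also trusts NumberOfNames and each name RVA without comparing them with the mapping size, so `strlen(curName)` on a name placed at the very end of the file can still run past the mapping; that is pre-existing and, as far as the page shows, only the conversion itself sits under the SEH handler visible in ConvertVAtoFileOffset. Both functions begin above their hunks, and the remainder of EngineGetAPINameRemote is outside the first one.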


@ -119,52 +119,56 @@ __declspec(dllexport) bool TITCALL EngineCreateMissingDependenciesW(wchar_t* szF
ImportTableAddress = (ULONG_PTR)PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress; ImportTableAddress = (ULONG_PTR)PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
ImportTableAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportTableAddress + ImageBase, true); ImportTableAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportTableAddress + ImageBase, true);
ImportPointer = (PIMAGE_IMPORT_DESCRIPTOR)ImportTableAddress; ImportPointer = (PIMAGE_IMPORT_DESCRIPTOR)ImportTableAddress;
while(ImportPointer->FirstThunk != NULL) while(ImportPointer && ImportPointer->FirstThunk != NULL)
{ {
ImportDllName = (PCHAR)((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportPointer->Name + ImageBase, true)); ImportDllName = (PCHAR)((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportPointer->Name + ImageBase, true));
MultiByteToWideChar(CP_ACP, NULL, ImportDllName, lstrlenA(ImportDllName)+1, ImportDllNameW, sizeof(ImportDllNameW)/(sizeof(ImportDllNameW[0]))); if(ImportDllName)
if(!EngineIsDependencyPresentW(ImportDllNameW, szFileName, szOutputFolder))
{ {
RtlZeroMemory(&BuildExportName, sizeof(BuildExportName)); MultiByteToWideChar(CP_ACP, NULL, ImportDllName, lstrlenA(ImportDllName)+1, ImportDllNameW, sizeof(ImportDllNameW)/(sizeof(ImportDllNameW[0])));
lstrcatW(BuildExportName, szOutputFolder); if(!EngineIsDependencyPresentW(ImportDllNameW, szFileName, szOutputFolder))
if(BuildExportName[lstrlenW(BuildExportName)-1] != 0x5C)
{ {
BuildExportName[lstrlenW(BuildExportName)] = 0x5C; RtlZeroMemory(&BuildExportName, sizeof(BuildExportName));
} lstrcatW(BuildExportName, szOutputFolder);
lstrcatW(BuildExportName, ImportDllNameW); if(BuildExportName[lstrlenW(BuildExportName)-1] != 0x5C)
if(LogCreatedFiles)
{
RtlMoveMemory(engineDependencyFilesCWP, &BuildExportName, lstrlenW(BuildExportName) * 2);
engineDependencyFilesCWP = (LPVOID)((ULONG_PTR)engineDependencyFilesCWP + (lstrlenW(BuildExportName) * 2) + 2);
}
EngineExtractResource("MODULEx86", BuildExportName);
ExporterInit(20 * 1024, (ULONG_PTR)GetPE32DataW(BuildExportName, NULL, UE_IMAGEBASE), NULL, ImportDllName);
ImportThunkAddress = ImportPointer->FirstThunk;
if(ImportPointer->OriginalFirstThunk != NULL)
{
ImportThunkX86 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportPointer->OriginalFirstThunk + ImageBase, true));
}
else
{
ImportThunkX86 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportPointer->FirstThunk + ImageBase, true));
}
while(ImportThunkX86->u1.Function != NULL)
{
if(ImportThunkX86->u1.Ordinal & IMAGE_ORDINAL_FLAG32)
{ {
ExporterAddNewOrdinalExport(ImportThunkX86->u1.Ordinal ^ IMAGE_ORDINAL_FLAG32, 0x1000); BuildExportName[lstrlenW(BuildExportName)] = 0x5C;
}
lstrcatW(BuildExportName, ImportDllNameW);
if(LogCreatedFiles)
{
RtlMoveMemory(engineDependencyFilesCWP, &BuildExportName, lstrlenW(BuildExportName) * 2);
engineDependencyFilesCWP = (LPVOID)((ULONG_PTR)engineDependencyFilesCWP + (lstrlenW(BuildExportName) * 2) + 2);
}
EngineExtractResource("MODULEx86", BuildExportName);
ExporterInit(20 * 1024, (ULONG_PTR)GetPE32DataW(BuildExportName, NULL, UE_IMAGEBASE), NULL, ImportDllName);
ImportThunkAddress = ImportPointer->FirstThunk;
if(ImportPointer->OriginalFirstThunk != NULL)
{
ImportThunkX86 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportPointer->OriginalFirstThunk + ImageBase, true));
} }
else else
{ {
ImportThunkName = (ULONG_PTR)(ConvertVAtoFileOffset(FileMapVA, ImportThunkX86->u1.AddressOfData + ImageBase, true) + 2); ImportThunkX86 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportPointer->FirstThunk + ImageBase, true));
ExporterAddNewExport((PCHAR)ImportThunkName, 0x1000);
} }
ImportThunkX86 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ImportThunkX86 + 4); while(ImportThunkX86 && ImportThunkX86->u1.Function != NULL)
ImportThunkAddress = ImportThunkAddress + 4; {
if(ImportThunkX86->u1.Ordinal & IMAGE_ORDINAL_FLAG32)
{
ExporterAddNewOrdinalExport(ImportThunkX86->u1.Ordinal ^ IMAGE_ORDINAL_FLAG32, 0x1000);
}
else
{
ImportThunkName = (ULONG_PTR)(ConvertVAtoFileOffset(FileMapVA, ImportThunkX86->u1.AddressOfData + ImageBase, true) + 2);
if(ImportThunkName)
ExporterAddNewExport((PCHAR)ImportThunkName, 0x1000);
}
ImportThunkX86 = (PIMAGE_THUNK_DATA32)((ULONG_PTR)ImportThunkX86 + 4);
ImportThunkAddress = ImportThunkAddress + 4;
}
ExporterBuildExportTableExW(BuildExportName, ".export");
} }
ExporterBuildExportTableExW(BuildExportName, ".export"); ImportPointer = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportPointer + sizeof IMAGE_IMPORT_DESCRIPTOR);
} }
ImportPointer = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportPointer + sizeof IMAGE_IMPORT_DESCRIPTOR);
} }
} }
else else
@ -173,52 +177,56 @@ __declspec(dllexport) bool TITCALL EngineCreateMissingDependenciesW(wchar_t* szF
ImportTableAddress = (ULONG_PTR)PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress; ImportTableAddress = (ULONG_PTR)PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
ImportTableAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportTableAddress + ImageBase, true); ImportTableAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportTableAddress + ImageBase, true);
ImportPointer = (PIMAGE_IMPORT_DESCRIPTOR)ImportTableAddress; ImportPointer = (PIMAGE_IMPORT_DESCRIPTOR)ImportTableAddress;
while(ImportPointer->FirstThunk != NULL) while(ImportPointer && ImportPointer->FirstThunk != NULL)
{ {
ImportDllName = (PCHAR)((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportPointer->Name + ImageBase, true)); ImportDllName = (PCHAR)((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportPointer->Name + ImageBase, true));
MultiByteToWideChar(CP_ACP, NULL, ImportDllName, lstrlenA(ImportDllName)+1, ImportDllNameW, sizeof(ImportDllNameW)/(sizeof(ImportDllNameW[0]))); if(ImportDllName)
if(!EngineIsDependencyPresentW(ImportDllNameW, szFileName, szOutputFolder))
{ {
RtlZeroMemory(&BuildExportName, sizeof(BuildExportName)); MultiByteToWideChar(CP_ACP, NULL, ImportDllName, lstrlenA(ImportDllName)+1, ImportDllNameW, sizeof(ImportDllNameW)/(sizeof(ImportDllNameW[0])));
lstrcatW(BuildExportName, szOutputFolder); if(!EngineIsDependencyPresentW(ImportDllNameW, szFileName, szOutputFolder))
if(BuildExportName[lstrlenW(BuildExportName)-1] != 0x5C)
{ {
BuildExportName[lstrlenW(BuildExportName)] = 0x5C; RtlZeroMemory(&BuildExportName, sizeof(BuildExportName));
} lstrcatW(BuildExportName, szOutputFolder);
lstrcatW(BuildExportName, ImportDllNameW); if(BuildExportName[lstrlenW(BuildExportName)-1] != 0x5C)
if(LogCreatedFiles)
{
RtlMoveMemory(engineDependencyFilesCWP, &BuildExportName, lstrlenW(BuildExportName) * 2);
engineDependencyFilesCWP = (LPVOID)((ULONG_PTR)engineDependencyFilesCWP + (lstrlenW(BuildExportName) * 2) + 2);
}
EngineExtractResource("MODULEx64", BuildExportName);
ExporterInit(20 * 1024, (ULONG_PTR)GetPE32DataW(BuildExportName, NULL, UE_IMAGEBASE), NULL, ImportDllName);
ImportThunkAddress = ImportPointer->FirstThunk;
if(ImportPointer->OriginalFirstThunk != NULL)
{
ImportThunkX64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportPointer->OriginalFirstThunk + ImageBase, true));
}
else
{
ImportThunkX64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportPointer->FirstThunk + ImageBase, true));
}
while(ImportThunkX64->u1.Function != NULL)
{
if(ImportThunkX64->u1.Ordinal & IMAGE_ORDINAL_FLAG64)
{ {
ExporterAddNewOrdinalExport((DWORD)(ImportThunkX64->u1.Ordinal ^ IMAGE_ORDINAL_FLAG64), 0x1000); BuildExportName[lstrlenW(BuildExportName)] = 0x5C;
}
lstrcatW(BuildExportName, ImportDllNameW);
if(LogCreatedFiles)
{
RtlMoveMemory(engineDependencyFilesCWP, &BuildExportName, lstrlenW(BuildExportName) * 2);
engineDependencyFilesCWP = (LPVOID)((ULONG_PTR)engineDependencyFilesCWP + (lstrlenW(BuildExportName) * 2) + 2);
}
EngineExtractResource("MODULEx64", BuildExportName);
ExporterInit(20 * 1024, (ULONG_PTR)GetPE32DataW(BuildExportName, NULL, UE_IMAGEBASE), NULL, ImportDllName);
ImportThunkAddress = ImportPointer->FirstThunk;
if(ImportPointer->OriginalFirstThunk != NULL)
{
ImportThunkX64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportPointer->OriginalFirstThunk + ImageBase, true));
} }
else else
{ {
ImportThunkName = (ULONG_PTR)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(ImportThunkX64->u1.AddressOfData + ImageBase), true) + 2); ImportThunkX64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, ImportPointer->FirstThunk + ImageBase, true));
ExporterAddNewExport((PCHAR)ImportThunkName, 0x1000);
} }
ImportThunkX64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ImportThunkX64 + 8); while(ImportThunkX64 && ImportThunkX64->u1.Function != NULL)
ImportThunkAddress = ImportThunkAddress + 8; {
if(ImportThunkX64->u1.Ordinal & IMAGE_ORDINAL_FLAG64)
{
ExporterAddNewOrdinalExport((DWORD)(ImportThunkX64->u1.Ordinal ^ IMAGE_ORDINAL_FLAG64), 0x1000);
}
else
{
ImportThunkName = (ULONG_PTR)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(ImportThunkX64->u1.AddressOfData + ImageBase), true) + 2);
if(ImportThunkName)
ExporterAddNewExport((PCHAR)ImportThunkName, 0x1000);
}
ImportThunkX64 = (PIMAGE_THUNK_DATA64)((ULONG_PTR)ImportThunkX64 + 8);
ImportThunkAddress = ImportThunkAddress + 8;
}
ExporterBuildExportTableExW(BuildExportName, ".export");
} }
ExporterBuildExportTableExW(BuildExportName, ".export"); ImportPointer = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportPointer + sizeof IMAGE_IMPORT_DESCRIPTOR);
} }
ImportPointer = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)ImportPointer + sizeof IMAGE_IMPORT_DESCRIPTOR);
} }
} }
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
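Review bot: The new `if(ImportThunkName)` guard can never fire, because `ImportThunkName` is computed as `ConvertVAtoFileOffset(...) + 2`, so a failed conversion (which this commit treats as returning 0 everywhere else) yields 2 and `ExporterAddNewExport((PCHAR)2, 0x1000)` reads from an invalid address; this applies to both the x86 branch and the x64 branch. Test the raw result and add the hint offset afterwards: `ULONG_PTR NameEntry = ConvertVAtoFileOffset(FileMapVA, ImportThunkX86->u1.AddressOfData + ImageBase, true);` followed by `if(NameEntry) ExporterAddNewExport((PCHAR)(NameEntry + 2), 0x1000);`, and the same with the x64 cast. A comment such as `// skip the 2-byte Hint of IMAGE_IMPORT_BY_NAME to reach Name` would explain the constant better than the bare `+ 2`. EngineCreateMissingDependenciesW starts above the hunk and continues past the final `UnMapFileEx`.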


@ -276,7 +276,8 @@ __declspec(dllexport) bool TITCALL ExporterBuildExportTableExW(wchar_t* szExport
if(MapFileExW(szExportFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) if(MapFileExW(szExportFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{ {
NewSectionFO = (DWORD)ConvertVAtoFileOffset(FileMapVA, NewSectionVO + (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_IMAGEBASE), true); NewSectionFO = (DWORD)ConvertVAtoFileOffset(FileMapVA, NewSectionVO + (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_IMAGEBASE), true);
ReturnValue = ExporterBuildExportTable(NewSectionFO, FileMapVA); if(NewSectionFO)
ReturnValue = ExporterBuildExportTable(NewSectionFO, FileMapVA);
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
if(ReturnValue) if(ReturnValue)
{ {
@ -359,9 +360,15 @@ __declspec(dllexport) bool TITCALL ExporterLoadExportTableW(wchar_t* szFileName)
if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress != NULL) if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress != NULL)
{ {
PEExports = (PIMAGE_EXPORT_DIRECTORY)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + PEHeader32->OptionalHeader.ImageBase), true)); PEExports = (PIMAGE_EXPORT_DIRECTORY)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + PEHeader32->OptionalHeader.ImageBase), true));
ExportedFunctions = (PEXPORTED_DATA)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEExports->AddressOfFunctions + PEHeader32->OptionalHeader.ImageBase), true)); if(PEExports)
ExporterInit(50 * 1024, (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, PEExports->Base, NULL); {
ExportPresent = true; ExportedFunctions = (PEXPORTED_DATA)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEExports->AddressOfFunctions + PEHeader32->OptionalHeader.ImageBase), true));
if(ExportedFunctions)
{
ExporterInit(50 * 1024, (ULONG_PTR)PEHeader32->OptionalHeader.ImageBase, PEExports->Base, NULL);
ExportPresent = true;
}
}
} }
} }
else else
@ -369,9 +376,15 @@ __declspec(dllexport) bool TITCALL ExporterLoadExportTableW(wchar_t* szFileName)
if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress != NULL) if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress != NULL)
{ {
PEExports = (PIMAGE_EXPORT_DIRECTORY)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + PEHeader64->OptionalHeader.ImageBase), true)); PEExports = (PIMAGE_EXPORT_DIRECTORY)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + PEHeader64->OptionalHeader.ImageBase), true));
ExportedFunctions = (PEXPORTED_DATA)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEExports->AddressOfFunctions + PEHeader64->OptionalHeader.ImageBase), true)); if(PEExports)
ExporterInit(50 * 1024, (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, PEExports->Base, NULL); {
ExportPresent = true; ExportedFunctions = (PEXPORTED_DATA)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEExports->AddressOfFunctions + PEHeader64->OptionalHeader.ImageBase), true));
if(ExportedFunctions)
{
ExporterInit(50 * 1024, (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, PEExports->Base, NULL);
ExportPresent = true;
}
}
} }
} }
if(ExportPresent) if(ExportPresent)
@ -390,32 +403,36 @@ __declspec(dllexport) bool TITCALL ExporterLoadExportTableW(wchar_t* szFileName)
ExportedFunctionNames = (PEXPORTED_DATA)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEExports->AddressOfNames + PEHeader64->OptionalHeader.ImageBase), true)); ExportedFunctionNames = (PEXPORTED_DATA)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEExports->AddressOfNames + PEHeader64->OptionalHeader.ImageBase), true));
ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEExports->AddressOfNameOrdinals + PEHeader64->OptionalHeader.ImageBase), true)); ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(PEExports->AddressOfNameOrdinals + PEHeader64->OptionalHeader.ImageBase), true));
} }
for(j = 0; j <= PEExports->NumberOfNames; j++) if(ExportedFunctionNames && ExportedFunctionOrdinals)
{ {
if(ExportedFunctionOrdinals->OrdinalNumber != x) for(j = 0; j <= PEExports->NumberOfNames; j++)
{ {
ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)((ULONG_PTR)ExportedFunctionOrdinals + 2); if(ExportedFunctionOrdinals->OrdinalNumber != x)
{
ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)((ULONG_PTR)ExportedFunctionOrdinals + 2);
}
else
{
ExportPresent = true;
break;
}
} }
else if(ExportPresent)
{ {
ExportPresent = true; ExportedFunctionNames = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctionNames + j * 4);
break; if(!FileIs64)
{
ExportName = (char*)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(ExportedFunctionNames->ExportedItem + PEHeader32->OptionalHeader.ImageBase), true));
}
else
{
ExportName = (char*)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(ExportedFunctionNames->ExportedItem + PEHeader64->OptionalHeader.ImageBase), true));
}
if(ExportName)
ExporterAddNewExport(ExportName, ExportedFunctions->ExportedItem);
} }
ExportedFunctions = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctions + 4);
} }
if(ExportPresent)
{
ExportedFunctionNames = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctionNames + j * 4);
if(!FileIs64)
{
ExportName = (char*)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(ExportedFunctionNames->ExportedItem + PEHeader32->OptionalHeader.ImageBase), true));
}
else
{
ExportName = (char*)(ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)(ExportedFunctionNames->ExportedItem + PEHeader64->OptionalHeader.ImageBase), true));
}
ExporterAddNewExport(ExportName, ExportedFunctions->ExportedItem);
}
ExportedFunctions = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctions + 4);
} }
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return true; return true;
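Review bot: The lookup loop `for(j = 0; j <= PEExports->NumberOfNames; j++)` runs one iteration too many, so when the ordinal `x` is not among the named exports the last `ExportedFunctionOrdinals->OrdinalNumber` read is one WORD past the end of the ordinal table; the new `if(ExportedFunctionNames && ExportedFunctionOrdinals)` guard does not change that. Use `for(j = 0; j < PEExports->NumberOfNames; j++)`. If `ExportPresent` is not reset to false before this loop (that part is above the hunk), the `if(ExportPresent)` block would also run for a not-found ordinal with `j` past the table, and `ExportedFunctionNames + j * 4` would then read beyond AddressOfNames — worth confirming. The outer loop of ExporterLoadExportTableW begins above the hunk.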


@ -470,7 +470,7 @@ __declspec(dllexport) bool TITCALL HooksInsertNewIATRedirectionEx(ULONG_PTR File
ThunkData32 = (PIMAGE_THUNK_DATA32)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)((ULONG_PTR)ImportIID->FirstThunk + PEHeader32->OptionalHeader.ImageBase), true); ThunkData32 = (PIMAGE_THUNK_DATA32)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)((ULONG_PTR)ImportIID->FirstThunk + PEHeader32->OptionalHeader.ImageBase), true);
CurrentThunk = (ULONG_PTR)ImportIID->FirstThunk; CurrentThunk = (ULONG_PTR)ImportIID->FirstThunk;
} }
while(ThunkData32->u1.AddressOfData != NULL) while(ThunkData32 && ThunkData32->u1.AddressOfData != NULL)
{ {
if(!(ThunkData32->u1.Ordinal & IMAGE_ORDINAL_FLAG32)) if(!(ThunkData32->u1.Ordinal & IMAGE_ORDINAL_FLAG32))
{ {
@ -519,7 +519,7 @@ __declspec(dllexport) bool TITCALL HooksInsertNewIATRedirectionEx(ULONG_PTR File
ThunkData64 = (PIMAGE_THUNK_DATA64)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)((ULONG_PTR)ImportIID->FirstThunk + PEHeader64->OptionalHeader.ImageBase), true); ThunkData64 = (PIMAGE_THUNK_DATA64)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)((ULONG_PTR)ImportIID->FirstThunk + PEHeader64->OptionalHeader.ImageBase), true);
CurrentThunk = (ULONG_PTR)ImportIID->FirstThunk; CurrentThunk = (ULONG_PTR)ImportIID->FirstThunk;
} }
while(ThunkData64->u1.AddressOfData != NULL) while(ThunkData64 && ThunkData64->u1.AddressOfData != NULL)
{ {
if(!(ThunkData64->u1.Ordinal & IMAGE_ORDINAL_FLAG64)) if(!(ThunkData64->u1.Ordinal & IMAGE_ORDINAL_FLAG64))
{ {
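Review bot: Both thunk walks remain bounded only by a zero terminator (`ThunkData32->u1.AddressOfData != NULL` and its 64-bit twin), so a truncated import table whose thunk array reaches the end of the mapped file is still read past the mapping; the added NULL guard only covers the initial conversion. If the mapping size is available in HooksInsertNewIATRedirectionEx (its parameter list is cut off at `ULONG_PTR File` in the hunk header), bound the loop on it as well, for example `while(ThunkData32 && (ULONG_PTR)ThunkData32 + sizeof(IMAGE_THUNK_DATA32) <= FileMapVA + MappedSize && ThunkData32->u1.AddressOfData != NULL)`, and likewise for the 64-bit loop. The `if` branch that assigns ThunkData32 from OriginalFirstThunk is above the hunk, so whether it can also yield NULL is inferred rather than seen. The function extends beyond both hunks.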


@ -73,7 +73,6 @@ __declspec(dllexport) long TITCALL GetPE32SectionNumberFromVA(ULONG_PTR FileMapV
} }
__declspec(dllexport) ULONG_PTR TITCALL ConvertVAtoFileOffset(ULONG_PTR FileMapVA, ULONG_PTR AddressToConvert, bool ReturnType) __declspec(dllexport) ULONG_PTR TITCALL ConvertVAtoFileOffset(ULONG_PTR FileMapVA, ULONG_PTR AddressToConvert, bool ReturnType)
{ {
PIMAGE_DOS_HEADER DOSHeader; PIMAGE_DOS_HEADER DOSHeader;
PIMAGE_NT_HEADERS32 PEHeader32; PIMAGE_NT_HEADERS32 PEHeader32;
PIMAGE_NT_HEADERS64 PEHeader64; PIMAGE_NT_HEADERS64 PEHeader64;
@ -129,14 +128,14 @@ __declspec(dllexport) ULONG_PTR TITCALL ConvertVAtoFileOffset(ULONG_PTR FileMapV
{ {
if(ConvertedAddress != NULL) if(ConvertedAddress != NULL)
{ {
ConvertedAddress = ConvertedAddress + FileMapVA; ConvertedAddress += FileMapVA;
} }
else if(ConvertAddress == NULL) else if(ConvertAddress == NULL)
{ {
ConvertedAddress = FileMapVA; ConvertedAddress = FileMapVA;
} }
} }
return(ConvertedAddress); return ConvertedAddress;
} }
__except(EXCEPTION_EXECUTE_HANDLER) __except(EXCEPTION_EXECUTE_HANDLER)
{ {
@ -170,7 +169,7 @@ __declspec(dllexport) ULONG_PTR TITCALL ConvertVAtoFileOffset(ULONG_PTR FileMapV
{ {
if(ConvertedAddress != NULL) if(ConvertedAddress != NULL)
{ {
ConvertedAddress = ConvertedAddress + FileMapVA; ConvertedAddress += FileMapVA;
} }
else if(ConvertAddress == NULL) else if(ConvertAddress == NULL)
{ {
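Review bot: Every caller touched by this commit now relies on ConvertVAtoFileOffset returning 0 for an address that no section backs, but that contract is only visible from the `ConvertedAddress != NULL` / `ConvertAddress == NULL` branches in the hunk, and the `__except` path that completes it lies outside it. A header comment on the function would make this explicit, along the lines of `// Returns 0 when AddressToConvert is not backed by the mapped image or a fault occurs; callers must test the result before dereferencing.` The `else if(ConvertAddress == NULL)` special case — presumably RVA 0, i.e. the headers — deserves its own line, e.g. `// an RVA of 0 legitimately maps to offset 0, so return the map base rather than a failure`, since it is the one case where offset 0 is a success. The meaning of ReturnType cannot be seen from the hunk, so both return forms should be stated in the same comment.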


@ -211,7 +211,8 @@ __declspec(dllexport) bool TITCALL RelocaterExportRelocationExW(wchar_t* szFileN
if(MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) if(MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{ {
NewSectionFO = (DWORD)ConvertVAtoFileOffset(FileMapVA, NewSectionVO + (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_IMAGEBASE), true); NewSectionFO = (DWORD)ConvertVAtoFileOffset(FileMapVA, NewSectionVO + (ULONG_PTR)GetPE32DataFromMappedFile(FileMapVA, NULL, UE_IMAGEBASE), true);
ReturnValue = RelocaterExportRelocation(NewSectionFO, NewSectionVO, FileMapVA); if(NewSectionFO)
ReturnValue = RelocaterExportRelocation(NewSectionFO, NewSectionVO, FileMapVA);
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
if(ReturnValue) if(ReturnValue)
{ {
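Review bot: When `NewSectionFO` is 0 the call to RelocaterExportRelocation is skipped and `ReturnValue` keeps whatever it held before, so the `if(ReturnValue)` that follows depends on `ReturnValue` having been initialized above the hunk; the parallel change to TLSBuildNewTableExW in this commit writes `bool ReturnValue = false;` explicitly. If the declaration in RelocaterExportRelocationExW has no initializer, add `ReturnValue = false;` before the `if(NewSectionFO)`, or initialize it at the declaration. The same question applies to the identical pattern in ExporterBuildExportTableExW. The function continues beyond the hunk.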


@ -74,24 +74,34 @@ __declspec(dllexport) bool TITCALL TLSGrabCallBackDataW(wchar_t* szFileName, LPV
{ {
ULONG_PTR TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader32->OptionalHeader.ImageBase + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress); ULONG_PTR TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader32->OptionalHeader.ImageBase + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress);
PIMAGE_TLS_DIRECTORY32 TLSDirectoryX86 = (PIMAGE_TLS_DIRECTORY32)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true); PIMAGE_TLS_DIRECTORY32 TLSDirectoryX86 = (PIMAGE_TLS_DIRECTORY32)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true);
if(TLSDirectoryX86->AddressOfCallBacks != NULL) if(TLSDirectoryX86 && TLSDirectoryX86->AddressOfCallBacks != NULL)
{ {
ULONG_PTR TLSCompareData = 0; ULONG_PTR TLSCompareData = 0;
ULONG_PTR TLSCallBackAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryX86->AddressOfCallBacks, true); ULONG_PTR TLSCallBackAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryX86->AddressOfCallBacks, true);
while(memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof ULONG_PTR) != NULL) if(TLSCallBackAddress)
{ {
if(ArrayOfCallBacks) while(memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof ULONG_PTR) != NULL)
{ {
RtlMoveMemory(ArrayOfCallBacks, (LPVOID)TLSCallBackAddress, sizeof ULONG_PTR); if(ArrayOfCallBacks)
ArrayOfCallBacks = (LPVOID)((ULONG_PTR)ArrayOfCallBacks + sizeof ULONG_PTR); {
RtlMoveMemory(ArrayOfCallBacks, (LPVOID)TLSCallBackAddress, sizeof ULONG_PTR);
ArrayOfCallBacks = (LPVOID)((ULONG_PTR)ArrayOfCallBacks + sizeof ULONG_PTR);
}
TLSCallBackAddress = TLSCallBackAddress + sizeof ULONG_PTR;
NumberOfTLSCallBacks++;
} }
TLSCallBackAddress = TLSCallBackAddress + sizeof ULONG_PTR; if(NumberOfCallBacks)
NumberOfTLSCallBacks++; *NumberOfCallBacks = NumberOfTLSCallBacks;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return true;
}
else
{
if(NumberOfCallBacks)
*NumberOfCallBacks = 0;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
} }
if(NumberOfCallBacks)
*NumberOfCallBacks = NumberOfTLSCallBacks;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return true;
} }
else else
{ {
@ -115,24 +125,34 @@ __declspec(dllexport) bool TITCALL TLSGrabCallBackDataW(wchar_t* szFileName, LPV
{ {
ULONG_PTR TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader64->OptionalHeader.ImageBase + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress); ULONG_PTR TLSDirectoryAddress = (ULONG_PTR)((ULONG_PTR)PEHeader64->OptionalHeader.ImageBase + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_TLS].VirtualAddress);
PIMAGE_TLS_DIRECTORY64 TLSDirectoryX64 = (PIMAGE_TLS_DIRECTORY64)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true); PIMAGE_TLS_DIRECTORY64 TLSDirectoryX64 = (PIMAGE_TLS_DIRECTORY64)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryAddress, true);
if(TLSDirectoryX64->AddressOfCallBacks != NULL) if(TLSDirectoryX64 && TLSDirectoryX64->AddressOfCallBacks != NULL)
{ {
ULONG_PTR TLSCompareData = NULL; ULONG_PTR TLSCompareData = NULL;
ULONG_PTR TLSCallBackAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryX64->AddressOfCallBacks, true); ULONG_PTR TLSCallBackAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryX64->AddressOfCallBacks, true);
while(memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof ULONG_PTR) != NULL) if(TLSCallBackAddress)
{ {
if(ArrayOfCallBacks) while(memcmp((LPVOID)TLSCallBackAddress, &TLSCompareData, sizeof ULONG_PTR) != NULL)
{ {
RtlMoveMemory(ArrayOfCallBacks, (LPVOID)TLSCallBackAddress, sizeof ULONG_PTR); if(ArrayOfCallBacks)
ArrayOfCallBacks = (LPVOID)((ULONG_PTR)ArrayOfCallBacks + sizeof ULONG_PTR); {
RtlMoveMemory(ArrayOfCallBacks, (LPVOID)TLSCallBackAddress, sizeof ULONG_PTR);
ArrayOfCallBacks = (LPVOID)((ULONG_PTR)ArrayOfCallBacks + sizeof ULONG_PTR);
}
TLSCallBackAddress = TLSCallBackAddress + sizeof ULONG_PTR;
NumberOfTLSCallBacks++;
} }
TLSCallBackAddress = TLSCallBackAddress + sizeof ULONG_PTR; if(NumberOfCallBacks)
NumberOfTLSCallBacks++; *NumberOfCallBacks = NumberOfTLSCallBacks;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return true;
}
else
{
if(NumberOfCallBacks)
*NumberOfCallBacks = 0;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return false;
} }
if(NumberOfCallBacks)
*NumberOfCallBacks = NumberOfTLSCallBacks;
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
return true;
} }
else else
{ {
@ -695,7 +715,9 @@ __declspec(dllexport) bool TITCALL TLSBuildNewTableExW(wchar_t* szFileName, char
if(MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) if(MapFileExW(szFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{ {
DWORD NewSectionFO = (DWORD)ConvertVAtoFileOffset(FileMapVA, NewSectionVO + tlsImageBase, true); DWORD NewSectionFO = (DWORD)ConvertVAtoFileOffset(FileMapVA, NewSectionVO + tlsImageBase, true);
bool ReturnValue = TLSBuildNewTable(FileMapVA, NewSectionFO, NewSectionVO, ArrayOfCallBacks, NumberOfCallBacks); bool ReturnValue = false;
if(NewSectionFO)
ReturnValue = TLSBuildNewTable(FileMapVA, NewSectionFO, NewSectionVO, ArrayOfCallBacks, NumberOfCallBacks);
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
if(ReturnValue) if(ReturnValue)
{ {
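Review bot: The x86 branch walks the callback array with `sizeof ULONG_PTR` (`memcmp(..., sizeof ULONG_PTR)` and `TLSCallBackAddress + sizeof ULONG_PTR`) although it was reached through `PIMAGE_TLS_DIRECTORY32`, whose AddressOfCallBacks points at 32-bit entries; on a 64-bit build of this library that treats two entries as one, copies a merged 8-byte value into the caller's slot and only stops when two consecutive callbacks are zero, and the x64 branch has the mirror problem on a 32-bit build. If this build is meant to handle images of the other bitness (I cannot tell from the hunk), read each entry at the image's pointer width and widen it into the caller's ULONG_PTR slot; a sketch for the x86 branch follows, with `ULONGLONG` in the x64 branch (where a 32-bit host cannot hold the value without truncation, so return false or document the limit). The new else branch that zeroes `*NumberOfCallBacks` and unmaps before returning false is a good addition. TLSGrabCallBackDataW starts above the hunk.
```c
ULONG_PTR TLSCallBackAddress = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, (ULONG_PTR)TLSDirectoryX86->AddressOfCallBacks, true);
if(TLSCallBackAddress)
{
    // a 32-bit image stores 32-bit callback VAs, whatever the host pointer size
    DWORD TLSCallBack32 = *(DWORD*)TLSCallBackAddress;
    while(TLSCallBack32 != 0)
    {
        if(ArrayOfCallBacks)
        {
            *(ULONG_PTR*)ArrayOfCallBacks = (ULONG_PTR)TLSCallBack32; // widen into the caller's slot
            ArrayOfCallBacks = (LPVOID)((ULONG_PTR)ArrayOfCallBacks + sizeof ULONG_PTR);
        }
        TLSCallBackAddress += sizeof(DWORD);
        NumberOfTLSCallBacks++;
        TLSCallBack32 = *(DWORD*)TLSCallBackAddress;
    }
    /* … unchanged: NumberOfCallBacks store, UnMapFileEx, return true … */
```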