From 1f1e3ad8f1995f4b2c4251071a08360957bd1ddc Mon Sep 17 00:00:00 2001 From: deepzero Date: Wed, 15 Jan 2014 08:48:26 +0100 Subject: [PATCH 01/17] fix msvc compiler error --- TitanEngine/TitanEngine.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/TitanEngine/TitanEngine.cpp b/TitanEngine/TitanEngine.cpp index e65637a..e505b19 100644 --- a/TitanEngine/TitanEngine.cpp +++ b/TitanEngine/TitanEngine.cpp @@ -1262,7 +1262,7 @@ bool EngineValidateHeader(ULONG_PTR FileMapVA, HANDLE hFileProc, LPVOID ImageBas { if(DOSHeader->e_magic == 0x5A4D) { - if(DOSHeader->e_lfanew + sizeof IMAGE_DOS_HEADER + sizeof IMAGE_NT_HEADERS64 < MemorySize) + if(DOSHeader->e_lfanew + sizeof IMAGE_DOS_HEADER + sizeof(IMAGE_NT_HEADERS64) < MemorySize) { PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); if(PEHeader32->Signature != 0x4550) @@ -1297,7 +1297,7 @@ bool EngineValidateHeader(ULONG_PTR FileMapVA, HANDLE hFileProc, LPVOID ImageBas { if(DOSHeader->e_magic == 0x5A4D) { - if(DOSHeader->e_lfanew + sizeof IMAGE_DOS_HEADER + sizeof IMAGE_NT_HEADERS64 < ModuleInfo.SizeOfImage) + if(DOSHeader->e_lfanew + sizeof IMAGE_DOS_HEADER + sizeof(IMAGE_NT_HEADERS64) < ModuleInfo.SizeOfImage) { if(ReadProcessMemory(hFileProc, (LPVOID)((ULONG_PTR)ImageBase + DOSHeader->e_lfanew), &RemotePEHeader32, sizeof IMAGE_NT_HEADERS32, &NumberOfBytesRW)) { From 40698229f0f0d0a9e067f7861ee4b38858562be7 Mon Sep 17 00:00:00 2001 From: deepzero Date: Wed, 15 Jan 2014 08:49:14 +0100 Subject: [PATCH 02/17] fix wchar_t array too large --- TitanEngine/TitanEngine.cpp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/TitanEngine/TitanEngine.cpp b/TitanEngine/TitanEngine.cpp index e505b19..d26a7f3 100644 --- a/TitanEngine/TitanEngine.cpp +++ b/TitanEngine/TitanEngine.cpp 
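Review bot: The bounds check re-parenthesised here still trusts `DOSHeader->e_lfanew`, a signed LONG taken straight from the file, and evaluates the sum in size_t: on a 32-bit build a negative e_lfanew (say -0x100) wraps the sum to a small value, passes `< MemorySize`, and `PEHeader32` is then formed before the start of the mapping. Reject negative offsets and widen the arithmetic before comparing, e.g. `if(DOSHeader->e_lfanew >= 0 && (ULONGLONG)DOSHeader->e_lfanew + sizeof(IMAGE_DOS_HEADER) + sizeof(IMAGE_NT_HEADERS64) < MemorySize)`; the second hunk's test against `ModuleInfo.SizeOfImage` needs the same treatment. While here, `sizeof IMAGE_DOS_HEADER` on the same line is still the unparenthesised form. EngineValidateHeader continues outside the hunk.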
@@ -566,17 +566,17 @@ bool EngineCreatePathForFileW(wchar_t* szFileName) { int i,j; - wchar_t szFolderName[2 * MAX_PATH] = {}; - wchar_t szCreateFolder[2 * MAX_PATH] = {}; + wchar_t szFolderName[MAX_PATH] = {}; + wchar_t szCreateFolder[MAX_PATH] = {}; if(engineCreatePathForFiles) { i = lstrlenW(szFileName); - while(szFileName[i] != '\\' && i > NULL) + while(szFileName[i] != '\\' && i > 0) { i--; } - if(i != NULL) + if(i != 0) { RtlMoveMemory(szFolderName, szFileName, (i * 2) + 2); if(!CreateDirectoryW(szFolderName, NULL)) From 8932b34738f4bff301c2b3f8d7f8aadfa96d7413 Mon Sep 17 00:00:00 2001 From: deepzero Date: Wed, 15 Jan 2014 08:49:53 +0100 Subject: [PATCH 03/17] fix use of potentially uninitialized handles --- TitanEngine/TitanEngine.cpp | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-) diff --git a/TitanEngine/TitanEngine.cpp b/TitanEngine/TitanEngine.cpp index d26a7f3..aa06701 100644 --- a/TitanEngine/TitanEngine.cpp +++ b/TitanEngine/TitanEngine.cpp @@ -19296,13 +19296,13 @@ __declspec(dllexport) bool TITCALL ImporterCopyOriginalIATW(wchar_t* szOriginalF PIMAGE_NT_HEADERS32 PEHeader32; PIMAGE_NT_HEADERS64 PEHeader64; BOOL FileIs64; - HANDLE FileHandle; + HANDLE FileHandle=0; DWORD FileSize; - HANDLE FileMap; + HANDLE FileMap=0; ULONG_PTR FileMapVA; - HANDLE FileHandle1; + HANDLE FileHandle1=0; DWORD FileSize1; - HANDLE FileMap1; + HANDLE FileMap1=0; ULONG_PTR FileMapVA1; ULONG_PTR IATPointer; ULONG_PTR IATWritePointer; 
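Review bot: Shrinking szFolderName and szCreateFolder to MAX_PATH elements makes the unbounded copy a few lines below more exposed: `i` is `lstrlenW(szFileName)` with no upper bound, and `RtlMoveMemory(szFolderName, szFileName, (i * 2) + 2)` writes i+1 wide characters into a 260-element stack array, so any path of 260 or more characters (`\\?\` paths can be far longer) overflows it. Add a guard before the scan, `if(lstrlenW(szFileName) >= MAX_PATH) return(false);`, or bound the copy by `sizeof(szFolderName)`. The function's later `RtlZeroMemory(szCreateFolder, 2 * MAX_PATH)` (outside this hunk) is a byte count that now equals the array only because sizeof(wchar_t) is 2; `sizeof(szCreateFolder)` keeps them in step. The function continues past the end of the hunk.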
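Review bot: Only the four HANDLEs are initialised; `FileSize`, `FileSize1`, `FileMapVA` and `FileMapVA1`, the other arguments UnMapFileEx takes, stay indeterminate, so if any cleanup call can still run on a path where its MapFileEx did not succeed (those calls are outside this hunk) the warning has been silenced rather than fixed. Initialise the whole set, `DWORD FileSize = 0; ULONG_PTR FileMapVA = 0;` and likewise for the `1` variants. Note also that 0 is not what CreateFile returns on failure (that is INVALID_HANDLE_VALUE), so a later `if(FileHandle)` guard would not on its own distinguish a failed open. The function body continues outside the hunk.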
@@ -19368,16 +19368,11 @@ __declspec(dllexport) bool TITCALL ImporterCopyOriginalIATW(wchar_t* szOriginalF } } } - else - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - UnMapFileEx(FileHandle1, FileSize1, FileMap1, FileMapVA1); - return(false); - } + UnMapFileEx(FileHandle1, FileSize1, FileMap1, FileMapVA1); } + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); } - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - UnMapFileEx(FileHandle1, FileSize1, FileMap1, FileMapVA1); + return(false); } __declspec(dllexport) bool TITCALL ImporterLoadImportTable(char* szFileName) From de4d2705abdb4f91093980b35b84ce410b0d2324 Mon Sep 17 00:00:00 2001 From: deepzero Date: Wed, 15 Jan 2014 08:50:28 +0100 Subject: [PATCH 04/17] fix return NULL instead of false --- TitanEngine/TitanEngine.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/TitanEngine/TitanEngine.cpp b/TitanEngine/TitanEngine.cpp index aa06701..ccb2759 100644 --- a/TitanEngine/TitanEngine.cpp +++ b/TitanEngine/TitanEngine.cpp @@ -12444,7 +12444,7 @@ __declspec(dllexport) void* TITCALL InitDebug(char* szFileName, char* szCommandL } else { - return(false); + return NULL; } } __declspec(dllexport) void* TITCALL InitDebugW(wchar_t* szFileName, wchar_t* szCommandLine, wchar_t* szCurrentFolder) @@ -12533,7 +12533,7 @@ __declspec(dllexport) void* TITCALL InitDLLDebug(char* szFileName, bool ReserveM } else { - return(false); + return NULL; } } __declspec(dllexport) void* TITCALL InitDLLDebugW(wchar_t* szFileName, bool ReserveModuleBase, wchar_t* szCommandLine, wchar_t* szCurrentFolder, LPVOID EntryCallBack) From 8a6f73bf402e2770c38f36d4b03f1aa23e3cfaea Mon Sep 17 00:00:00 2001 From: deepzero Date: Wed, 15 Jan 2014 08:51:10 +0100 Subject: [PATCH 05/17] fix various signedness issues --- TitanEngine/TitanEngine.cpp | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) 
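Review bot: With the `else` branch gone, the two UnMapFileEx calls and the new `return(false)` are reached only by falling through the closing braces, so any `return` inside the inner block (the success path is not visible in this hunk) leaves both file mappings open. If the body does return early on success, use a single exit — `bool ok = false;` set where the IAT copy succeeds and `return ok;` after the unmaps — so mapping lifetime no longer depends on which branch is taken. The added `return(false)` does fix the old code falling off the end of a `bool` function on the normal path. ImporterCopyOriginalIATW starts before the hunk.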
diff --git a/TitanEngine/TitanEngine.cpp b/TitanEngine/TitanEngine.cpp index ccb2759..011c1da 100644 --- a/TitanEngine/TitanEngine.cpp +++ b/TitanEngine/TitanEngine.cpp @@ -7456,16 +7456,16 @@ __declspec(dllexport) bool TITCALL IsPE32FileValidExW(wchar_t* szFileName, DWORD { unsigned int i; ULONG_PTR ReadData = NULL; - DWORD ReadSize = NULL; - WORD ReadDataWORD = NULL; + DWORD ReadSize = 0; + WORD ReadDataWORD = 0; ULONG_PTR hSimulatedFileLoad; - DWORD SectionNumber = NULL; - DWORD SectionAttributes = NULL; + long SectionNumber = 0; + DWORD SectionAttributes = 0; ULONG_PTR ConvertedAddress = NULL; - DWORD CorrectedImageSize = NULL; - DWORD SectionVirtualSize = NULL; - DWORD SectionVirtualSizeFixed = NULL; - DWORD NumberOfSections = NULL; + DWORD CorrectedImageSize = 0; + DWORD SectionVirtualSize = 0; + DWORD SectionVirtualSizeFixed = 0; + DWORD NumberOfSections = 0; FILE_STATUS_INFO myFileStatusInfo; PIMAGE_DOS_HEADER DOSHeader; PIMAGE_NT_HEADERS32 PEHeader32; @@ -9041,7 +9041,7 @@ __declspec(dllexport) bool TITCALL FixBrokenPE32FileExW(wchar_t* szFileName, LPV ULONG_PTR ReadDataQWORD = NULL; DWORD OrdinalBase = NULL; DWORD OrdinalCount = NULL; - DWORD SectionNumber = NULL; + long SectionNumber = NULL; DWORD SectionAttributes = NULL; ULONG_PTR ConvertedAddress = NULL; DWORD CorrectedImageSize = NULL; @@ -19211,7 +19211,7 @@ __declspec(dllexport) bool TITCALL ImporterRelocateWriteLocation(ULONG_PTR AddVa unsigned int i; ULONG_PTR RealignData = NULL; - if(impDLLNumber >= NULL) + if(impDLLNumber) { for(i = 0; i < impDLLNumber + 1; i++) { From 38082ded2e6835964984e8d3e0d2c30bc36f9a8b Mon Sep 17 00:00:00 2001 From: deepzero Date: Wed, 15 Jan 2014 08:51:25 +0100 Subject: [PATCH 06/17] fix potential use of uninitialized variable --- TitanEngine/TitanEngine.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/TitanEngine/TitanEngine.cpp b/TitanEngine/TitanEngine.cpp index 011c1da..8398249 100644 --- a/TitanEngine/TitanEngine.cpp 
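Review bot: Replacing the always-true `impDLLNumber >= NULL` with `if(impDLLNumber)` changes behaviour, not just signedness: the loop bound `i < impDLLNumber + 1` reads as if impDLLNumber is the zero-based index of the last DLL entry, in which case a table with exactly one DLL (impDLLNumber == 0) used to be processed once and is now skipped. If 0 really means "no DLLs" then the loop's `+ 1` is the wrong part instead; either way, state the meaning at the declaration and write the bound to match, e.g. `for(i = 0; i <= impDLLNumber; i++)` without the guard, or `i < impDLLNumber` with it. The function continues outside the hunk.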
+++ b/TitanEngine/TitanEngine.cpp @@ -22984,12 +22984,12 @@ __declspec(dllexport) long long TITCALL TracerFixKnownRedirection(HANDLE hProces int i = NULL; DWORD TestAddressX86; DWORD ReadAddressX86; - DWORD MaximumReadSize; DWORD MemoryHash = NULL; PMEMORY_CMP_HANDLER cMem; MEMORY_BASIC_INFORMATION MemInfo; ULONG_PTR ueNumberOfBytesRead = NULL; LPVOID TracerReadMemory = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); + DWORD MaximumReadSize=0x1000; if(!TracerReadMemory) return (NULL); cMem = (PMEMORY_CMP_HANDLER)TracerReadMemory; From 96d367705454a3a95cb95a0b55989fc84d2ceeea Mon Sep 17 00:00:00 2001 From: deepzero Date: Wed, 15 Jan 2014 08:52:01 +0100 Subject: [PATCH 07/17] fix invalid winapi comparison: BOOL should not be compared to TRUE --- TitanEngine/TitanEngine.cpp | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/TitanEngine/TitanEngine.cpp b/TitanEngine/TitanEngine.cpp index 8398249..a818072 100644 --- a/TitanEngine/TitanEngine.cpp +++ b/TitanEngine/TitanEngine.cpp @@ -27016,7 +27016,7 @@ __declspec(dllexport) bool TITCALL StaticRawMemoryCopyW(HANDLE hFile, ULONG_PTR } while((int)Size > NULL) { - if(ReadFile(hFile, ueCopyBuffer, SizeToRead, &rfNumberOfBytesRead, NULL) == TRUE && rfNumberOfBytesRead == SizeToRead) + if(ReadFile(hFile, ueCopyBuffer, SizeToRead, &rfNumberOfBytesRead, NULL) && rfNumberOfBytesRead == SizeToRead) { WriteFile(hWriteFile, ueCopyBuffer, SizeToRead, &rfNumberOfBytesRead, NULL); if(Size > 0x1000) @@ -27025,7 +27025,7 @@ __declspec(dllexport) bool TITCALL StaticRawMemoryCopyW(HANDLE hFile, ULONG_PTR } else if(SizeToRead != Size) { - if(ReadFile(hFile, ueCopyBuffer, Size, &rfNumberOfBytesRead, NULL) == TRUE && rfNumberOfBytesRead == SizeToRead) + if(ReadFile(hFile, ueCopyBuffer, Size, &rfNumberOfBytesRead, NULL) && rfNumberOfBytesRead == SizeToRead) { WriteFile(hWriteFile, ueCopyBuffer, Size, &rfNumberOfBytesRead, NULL); } 
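Review bot: `MaximumReadSize` is now set to the literal 0x1000 while the buffer it presumably bounds is allocated two lines up with the same literal, so the two can drift apart silently; derive both from one constant, `const SIZE_T TracerBufferSize = 0x1000;`, passed to VirtualAlloc and assigned to MaximumReadSize (the reads that use it are outside this hunk). The function allocates a page per call and only the immediate `if(!TracerReadMemory)` exit is visible; any later early return before a VirtualFree leaks it. TracerFixKnownRedirection continues past the hunk.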
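Review bot: The tail read on the changed line asks for `Size` bytes but tests `rfNumberOfBytesRead == SizeToRead`, inside an `else if(SizeToRead != Size)` branch; ReadFile never returns more than it was asked for, so when Size is the short final block the check fails and that block is never written. Dropping `== TRUE` is right, but the comparison should be `rfNumberOfBytesRead == Size`. The WriteFile calls in both branches discard their result, so a failed or short write yields a silently truncated output; check `WriteFile(...) && rfNumberOfBytesRead == SizeToRead` (resp. `== Size`) and fail the copy. The loop continues beyond the hunk.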
@@ -27111,7 +27111,7 @@ __declspec(dllexport) bool TITCALL StaticRawMemoryCopyExW(HANDLE hFile, DWORD Ra } while((int)Size > NULL) { - if(ReadFile(hFile, ueCopyBuffer, SizeToRead, &rfNumberOfBytesRead, NULL) == TRUE && rfNumberOfBytesRead == SizeToRead) + if(ReadFile(hFile, ueCopyBuffer, SizeToRead, &rfNumberOfBytesRead, NULL) && rfNumberOfBytesRead == SizeToRead) { WriteFile(hWriteFile, ueCopyBuffer, SizeToRead, &rfNumberOfBytesRead, NULL); if(Size > 0x1000) @@ -27120,7 +27120,7 @@ __declspec(dllexport) bool TITCALL StaticRawMemoryCopyExW(HANDLE hFile, DWORD Ra } else if(SizeToRead != Size) { - if(ReadFile(hFile, ueCopyBuffer, Size, &rfNumberOfBytesRead, NULL) == TRUE && rfNumberOfBytesRead == SizeToRead) + if(ReadFile(hFile, ueCopyBuffer, Size, &rfNumberOfBytesRead, NULL) && rfNumberOfBytesRead == SizeToRead) { WriteFile(hWriteFile, ueCopyBuffer, Size, &rfNumberOfBytesRead, NULL); } @@ -27209,7 +27209,7 @@ __declspec(dllexport) bool TITCALL StaticRawMemoryCopyEx64W(HANDLE hFile, DWORD6 } while(Size != NULL) { - if(ReadFile(hFile, ueCopyBuffer, SizeToRead, &rfNumberOfBytesRead, NULL) == TRUE && rfNumberOfBytesRead == SizeToRead) + if(ReadFile(hFile, ueCopyBuffer, SizeToRead, &rfNumberOfBytesRead, NULL) && rfNumberOfBytesRead == SizeToRead) { WriteFile(hWriteFile, ueCopyBuffer, SizeToRead, &rfNumberOfBytesRead, NULL); if(Size > 0x1000) @@ -27218,7 +27218,7 @@ __declspec(dllexport) bool TITCALL StaticRawMemoryCopyEx64W(HANDLE hFile, DWORD6 } else if((DWORD64)SizeToRead != Size) { - if(ReadFile(hFile, ueCopyBuffer, (DWORD)Size, &rfNumberOfBytesRead, NULL) == TRUE && rfNumberOfBytesRead == SizeToRead) + if(ReadFile(hFile, ueCopyBuffer, (DWORD)Size, &rfNumberOfBytesRead, NULL) && rfNumberOfBytesRead == SizeToRead) { WriteFile(hWriteFile, ueCopyBuffer, (DWORD)Size, &rfNumberOfBytesRead, NULL); } From b4bdd28c2430dcb3e2d5ea742d6842d88d8afb4d Mon Sep 17 00:00:00 2001 
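Review bot: The tail read in this hunk requests `(DWORD)Size` bytes but its success test compares `rfNumberOfBytesRead` with `SizeToRead`, inside `else if((DWORD64)SizeToRead != Size)`; ReadFile cannot return more than requested, so the final partial block never passes and is never written — compare with `(DWORD)Size` instead. Both WriteFile calls in the hunk ignore their return value, so a failed write is indistinguishable from success to the caller. The remainder of the loop is outside the hunk.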
From: deepzero Date: Wed, 15 Jan 2014 08:53:16 +0100 Subject: [PATCH 08/17] fix memcmp madness --- TitanEngine/TitanEngine.cpp | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/TitanEngine/TitanEngine.cpp b/TitanEngine/TitanEngine.cpp index a818072..ed77ce8 100644 --- a/TitanEngine/TitanEngine.cpp +++ b/TitanEngine/TitanEngine.cpp @@ -28472,14 +28472,13 @@ __declspec(dllexport) bool TITCALL EngineFakeMissingDependencies(HANDLE hProcess __declspec(dllexport) bool TITCALL EngineDeleteCreatedDependencies() { - DWORD DummyCmp = NULL; wchar_t szTempName[MAX_PATH]; wchar_t szTempFolder[MAX_PATH]; if(engineDependencyFiles != NULL) { engineDependencyFilesCWP = engineDependencyFiles; - while(memcmp(engineDependencyFilesCWP, &DummyCmp, 1) != NULL) + while(*((char*)engineDependencyFilesCWP) != 0) { RtlZeroMemory(&szTempName, sizeof szTempName); RtlZeroMemory(&szTempFolder, sizeof szTempFolder); From 88fcd342ce83fe2267e23b7f6c1cbf7c01f519db Mon Sep 17 00:00:00 2001 From: deepzero Date: Wed, 15 Jan 2014 08:57:53 +0100 Subject: [PATCH 09/17] update gitignore for msvc debug builds --- .gitignore | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.gitignore b/.gitignore index 3dc0860..55bf2cf 100644 --- a/.gitignore +++ b/.gitignore @@ -11,3 +11,6 @@ Release/*/* *.bmarks TitanEngine/TitanEngine.cscope_file_list *.opensdf + +/Debug +/TitanEngine/Debug \ No newline at end of file From 75ea5b7f51baf73b9b480939438b582dc0a1e58f Mon Sep 17 00:00:00 2001 From: deepzero Date: Wed, 15 Jan 2014 11:32:00 +0100 Subject: [PATCH 10/17] various improvements and bugfixes to initialization of memory - far, far, far from complete. --- TitanEngine/TitanEngine.cpp | 39 +++++++++++++++++-------------------- 1 file changed, 18 insertions(+), 21 deletions(-) diff --git a/TitanEngine/TitanEngine.cpp b/TitanEngine/TitanEngine.cpp index ed77ce8..9612fbe 100644 --- a/TitanEngine/TitanEngine.cpp +++ b/TitanEngine/TitanEngine.cpp 
@@ -484,7 +484,7 @@ static char* EngineExtractPath(char* szFileName) { int i; - RtlZeroMemory(&engineExtractedFolderName, 512); + RtlZeroMemory(&engineExtractedFolderName, sizeof(engineExtractedFolderName)); lstrcpyA(engineExtractedFolderName, szFileName); i = lstrlenA(engineExtractedFolderName); while(i > 0 && engineExtractedFolderName[i] != 0x5C) @@ -502,7 +502,7 @@ char* EngineExtractFileName(char* szFileName) int x = 0; i = lstrlenA(szFileName); - RtlZeroMemory(&engineExtractedFileName, 512); + RtlZeroMemory(&engineExtractedFileName, sizeof(engineExtractedFileName)); while(i > 0 && szFileName[i] != 0x5C) { i--; @@ -919,11 +919,10 @@ bool EngineIsDependencyPresent(char* szFileName, char* szDependencyForFile, char { int i,j; HANDLE hFile; - char szTryFileName[512]; + char szTryFileName[512] = {0}; if(szPresentInFolder != NULL && szFileName != NULL) { - RtlZeroMemory(&szTryFileName, 512); lstrcpyA(szTryFileName, szPresentInFolder); if(szTryFileName[lstrlenA(szTryFileName)-1] != 0x5C) { @@ -995,11 +994,10 @@ bool EngineIsDependencyPresentW(wchar_t* szFileName, wchar_t* szDependencyForFil int i,j; HANDLE hFile; - wchar_t szTryFileName[512]; + wchar_t szTryFileName[512] = {0}; if(szPresentInFolder != NULL) { - RtlZeroMemory(&szTryFileName, 512); lstrcpyW(szTryFileName, szPresentInFolder); if(szTryFileName[lstrlenW(szTryFileName)-1] != 0x5C) { @@ -1045,7 +1043,6 @@ bool EngineIsDependencyPresentW(wchar_t* szFileName, wchar_t* szDependencyForFil } if(szDependencyForFile != NULL) { - RtlZeroMemory(&szTryFileName, 512); i = lstrlenW(szDependencyForFile); while(i > 0 && szDependencyForFile[i] != 0x5C) { @@ -1071,7 +1068,7 @@ bool EngineGetDependencyLocation(char* szFileName, char* szDependencyForFile, vo int i,j; HANDLE hFile; - char szTryFileName[512]; + char szTryFileName[512] = {0}; if(szFileName != NULL) { 
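Review bot: The clear now covers the whole buffer, but the next line, `lstrcpyA(engineExtractedFolderName, szFileName);`, is still an unbounded copy of a caller-supplied path into a fixed global, so a path longer than the array overflows it no matter how much was zeroed. Use the bounded form, `lstrcpynA(engineExtractedFolderName, szFileName, sizeof(engineExtractedFolderName));`, which also NUL-terminates; the EngineIsDependencyPresent hunk below has the same `lstrcpyA` into a fixed 512-byte local. The rest of EngineExtractPath is outside the hunk.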
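Review bot: `szTryFileName[lstrlenA(szTryFileName)-1]` indexes at -1 when szPresentInFolder is an empty string: the copy leaves the buffer empty, lstrlenA returns 0, and the read lands one byte before the array. Check the length first, `int len = lstrlenA(szTryFileName); if(len > 0 && szTryFileName[len-1] != 0x5C)`, and since the buffer is a fixed 512 bytes prefer `lstrcpynA(szTryFileName, szPresentInFolder, sizeof(szTryFileName))` to the unbounded `lstrcpyA`. The wide-character twin in the next hunk has the same `lstrlenW(...)-1` index. The function continues past the hunk.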
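Review bot: The `RtlZeroMemory(&szTryFileName, 512)` removed here was the only reset between the szPresentInFolder branch and the szDependencyForFile branch; the new `= {0}` initialiser zeroes the array once at entry, so the second branch now starts from whatever the first one left in it. If that branch assembles its path by copying a prefix and relying on the terminator (the assembly is outside this hunk) this is a behaviour change, so keep an explicit `RtlZeroMemory(szTryFileName, sizeof(szTryFileName));` at the top of the branch. The old call also cleared only 512 of the 1024 bytes of a `wchar_t[512]`, so the sizeof form is a fix in its own right.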
@@ -1179,7 +1176,7 @@ long EngineHashMemory(char* MemoryAddress, int MemorySize, DWORD InitialHashValu bool EngineIsBadReadPtrEx(LPVOID DataPointer, DWORD DataSize) { - MEMORY_BASIC_INFORMATION MemInfo; + MEMORY_BASIC_INFORMATION MemInfo = {0}; while(DataSize > NULL) { @@ -1734,11 +1731,11 @@ long long EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBa HANDLE hProcess = NULL; ULONG_PTR EnumeratedModules[0x2000]; ULONG_PTR LoadedModules[1000][4]; - char RemoteDLLName[MAX_PATH]; - char FullRemoteDLLName[MAX_PATH]; - char szWindowsSideBySide[MAX_PATH]; - char szWindowsSideBySideCmp[MAX_PATH]; - char szWindowsKernelBase[MAX_PATH]; + char RemoteDLLName[MAX_PATH]={0}; + char FullRemoteDLLName[MAX_PATH]={0}; + char szWindowsSideBySide[MAX_PATH]={0}; + char szWindowsSideBySideCmp[MAX_PATH]={0}; + char szWindowsKernelBase[MAX_PATH]={0}; HANDLE hLoadedModule = NULL; HANDLE ModuleHandle = NULL; PIMAGE_DOS_HEADER DOSHeader; @@ -1757,15 +1754,15 @@ long long EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBa unsigned int FoundIndex = 0; unsigned int FoundOrdinalNumber = 0; ULONG_PTR FileMapVA; - char szFwdDLLName[512]; - char szFwdAPIName[512]; + char szFwdDLLName[512] = {0}; + char szFwdAPIName[512] = {0}; ULONG_PTR RealignedAPIAddress; ULONG_PTR ForwarderData = NULL; unsigned int ClosestAPI = 0x1000; int Vista64UserForwarderFix = 0; unsigned int Windows7KernelBase = 0xFFFFFFFF; - RtlZeroMemory(&engineFoundDLLName, 512); + RtlZeroMemory(&engineFoundDLLName, sizeof(szFwdDLLName)); RtlZeroMemory(&EnumeratedModules, 0x2000 * sizeof ULONG_PTR); RtlZeroMemory(&LoadedModules, 1000 * 4 * sizeof ULONG_PTR); GetWindowsDirectoryA(szWindowsSideBySide, MAX_PATH); 
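Review bot: `RtlZeroMemory(&engineFoundDLLName, sizeof(szFwdDLLName));` sizes the clear of the global engineFoundDLLName by an unrelated local; it only works because both happen to be 512 bytes, and resizing either turns it into an under-clear or an overflow. Use `sizeof(engineFoundDLLName)`, as the other hunks of this commit do for engineFoundAPIName. The `GetModuleBaseNameA(..., (LPSTR)engineFoundDLLName, 512)` calls later in this function hard-code the same 512 and should use the same expression. EngineGlobalAPIHandler extends well beyond the hunk.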
@@ -1959,7 +1956,7 @@ long long EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBa ExportedFunctionNames = (PEXPORTED_DATA)(PEExports->AddressOfNames + LoadedModules[i][1]); ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)(PEExports->AddressOfNameOrdinals + LoadedModules[i][1]); GetModuleBaseNameA(hProcess, (HMODULE)LoadedModules[i][0], (LPSTR)engineFoundDLLName, 512); - RtlZeroMemory(&engineFoundAPIName, 512); + RtlZeroMemory(&engineFoundAPIName, sizeof(engineFoundAPIName)); x = n; FoundOrdinalNumber = (unsigned int)PEExports->Base; for(j = 0; j < PEExports->NumberOfNames; j++) @@ -2042,7 +2039,7 @@ long long EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBa if(ExportedFunctions->ExportedItem + LoadedModules[i][0] == APIAddress) { GetModuleBaseNameA(hProcess, (HMODULE)LoadedModules[i][0], (LPSTR)engineFoundDLLName, 512); - RtlZeroMemory(&engineFoundAPIName, 512); + RtlZeroMemory(&engineFoundAPIName, sizeof(engineFoundAPIName)); x = j; FoundOrdinalNumber = (unsigned int)PEExports->Base; for(j = 0; j < PEExports->NumberOfNames; j++) @@ -2078,7 +2075,7 @@ long long EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBa ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)((ULONG_PTR)ExportedFunctionOrdinals + j * 2); ExportedFunctions = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctions + (ExportedFunctionOrdinals->OrdinalNumber) * 4); GetModuleBaseNameA(hProcess, (HMODULE)LoadedModules[i][0], (LPSTR)engineFoundDLLName, 512); - RtlZeroMemory(&engineFoundAPIName, 512); + RtlZeroMemory(&engineFoundAPIName, sizeof(engineFoundAPIName)); ExportedFunctions = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctions + (j + PEExports->Base) * 4); APIFoundAddress = ExportedFunctions->ExportedItem + LoadedModules[i][0]; APINameFound = true; 
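Review bot: `GetModuleBaseNameA(hProcess, (HMODULE)LoadedModules[i][0], (LPSTR)engineFoundDLLName, 512)` on the line above the change still passes a literal size for engineFoundDLLName while the changed line now uses `sizeof(engineFoundAPIName)`; the write bound and the clear bound should come from the same expression, `sizeof(engineFoundDLLName)`, so that a future resize cannot leave the API call writing past the array. The same literal appears in the two following hunks of this commit. The enclosing loop and function are outside the hunk.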
@@ -2091,7 +2088,7 @@ long long EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBa } __except(EXCEPTION_EXECUTE_HANDLER) { - RtlZeroMemory(&engineFoundAPIName, 512); + RtlZeroMemory(&engineFoundAPIName, sizeof(engineFoundAPIName)); APINameFound = false; } } From 2677e3f1cda4ae88ac12828284f04ae432448a9b Mon Sep 17 00:00:00 2001 From: deepzero Date: Wed, 15 Jan 2014 11:34:46 +0100 Subject: [PATCH 11/17] replaces some (far from all) RtlMemMove by RtlMemCopy, some more memory init. fixes --- TitanEngine/TitanEngine.cpp | 48 ++++++++++++++++++------------------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/TitanEngine/TitanEngine.cpp b/TitanEngine/TitanEngine.cpp index 9612fbe..2f6c16b 100644 --- a/TitanEngine/TitanEngine.cpp +++ b/TitanEngine/TitanEngine.cpp @@ -548,7 +548,7 @@ bool EngineCreatePathForFile(char* szFileName) if(szFileName[i] == '\\') { RtlZeroMemory(szCreateFolder, 2 * MAX_PATH); - RtlMoveMemory(szCreateFolder, szFileName, i + 1); + RtlCopyMemory(szCreateFolder, szFileName, i + 1); CreateDirectoryA(szCreateFolder, NULL); } } @@ -578,7 +578,7 @@ bool EngineCreatePathForFileW(wchar_t* szFileName) } if(i != 0) { - RtlMoveMemory(szFolderName, szFileName, (i * 2) + 2); + RtlCopyMemory(szFolderName, szFileName, (i * 2) + 2); if(!CreateDirectoryW(szFolderName, NULL)) { if(GetLastError() != ERROR_ALREADY_EXISTS) @@ -589,7 +589,7 @@ bool EngineCreatePathForFileW(wchar_t* szFileName) if(szFileName[i] == '\\') { RtlZeroMemory(szCreateFolder, 2 * MAX_PATH); - RtlMoveMemory(szCreateFolder, szFileName, (i * 2) + 1); + RtlCopyMemory(szCreateFolder, szFileName, (i * 2) + 1); CreateDirectoryW(szCreateFolder, NULL); } } 
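Review bot: The byte count on the changed line, `(i * 2) + 1`, is odd for a wchar_t copy: it transfers i characters plus only the low byte of `szFileName[i]`, and the result reads as L'\\' solely because the RtlZeroMemory above just cleared the high byte; the ANSI twin in the first hunk copies `i + 1` whole characters. Write the intent directly, `RtlCopyMemory(szCreateFolder, szFileName, (i + 1) * sizeof(wchar_t));`, and make the clear `RtlZeroMemory(szCreateFolder, sizeof(szCreateFolder));` — after patch 02 reduced the array to MAX_PATH elements the literal `2 * MAX_PATH` matches only because sizeof(wchar_t) is 2. There is still no check that `i + 1` fits in szCreateFolder; `i` comes from lstrlenW(szFileName) earlier in the function, outside this hunk.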
@@ -842,7 +842,7 @@ bool EngineExtractForwarderData(ULONG_PTR PossibleStringPtr, LPVOID szFwdDLLName return(false); } PossibleStringPtr--; - RtlMoveMemory(szFwdDLLName, lpPossibleStringPtr, PossibleStringPtr - (ULONG_PTR)lpPossibleStringPtr); + RtlCopyMemory(szFwdDLLName, lpPossibleStringPtr, PossibleStringPtr - (ULONG_PTR)lpPossibleStringPtr); lstrcatA((LPSTR)szFwdDLLName, ".dll"); lpPossibleStringPtr = (LPVOID)(PossibleStringPtr + 1); RtlMoveMemory(&TestChar, (LPVOID)PossibleStringPtr, 1); @@ -855,7 +855,7 @@ bool EngineExtractForwarderData(ULONG_PTR PossibleStringPtr, LPVOID szFwdDLLName RtlMoveMemory(&TestChar, (LPVOID)PossibleStringPtr, 1); PossibleStringPtr++; } - RtlMoveMemory(szFwdAPIName, lpPossibleStringPtr, PossibleStringPtr - (ULONG_PTR)lpPossibleStringPtr); + RtlCopyMemory(szFwdAPIName, lpPossibleStringPtr, PossibleStringPtr - (ULONG_PTR)lpPossibleStringPtr); return(true); } __except(EXCEPTION_EXECUTE_HANDLER) @@ -1078,7 +1078,7 @@ bool EngineGetDependencyLocation(char* szFileName, char* szDependencyForFile, vo RtlZeroMemory(szLocationOfTheFile, MaxStringSize); if(lstrlenA(szFileName) <= MaxStringSize) { - RtlMoveMemory(szLocationOfTheFile, szFileName, lstrlenA(szFileName)); + RtlCopyMemory(szLocationOfTheFile, szFileName, lstrlenA(szFileName)); } EngineCloseHandle(hFile); return(true); @@ -1093,7 +1093,7 @@ bool EngineGetDependencyLocation(char* szFileName, char* szDependencyForFile, vo RtlZeroMemory(szLocationOfTheFile, MaxStringSize); if(lstrlenA(szTryFileName) <= MaxStringSize) { - RtlMoveMemory(szLocationOfTheFile, &szTryFileName, lstrlenA(szTryFileName)); + RtlCopyMemory(szLocationOfTheFile, &szTryFileName, lstrlenA(szTryFileName)); } EngineCloseHandle(hFile); return(true); 
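Review bot: The copy on the changed line takes its length from wherever the scan found '.' in a forwarder string read out of the target module's export directory, and `szFwdDLLName` arrives with no size; the callers visible on this page pass 512-byte locals, so a crafted PE whose forwarder has a few hundred characters before the dot overwrites the caller's stack, and `lstrcatA(..., ".dll")` then appends past the end. Bound it before copying, e.g. `if(PossibleStringPtr - (ULONG_PTR)lpPossibleStringPtr > 512 - sizeof(".dll")) return(false);`, or better add a buffer-size parameter. The surrounding `__try/__except` only catches faults from scanning an unterminated string; a successful overwrite raises no exception. The later copy into szFwdAPIName has the same problem.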
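Review bot: The guard `if(lstrlenA(szFileName) <= MaxStringSize)` is off by one for the copy it protects: when the length equals MaxStringSize the RtlCopyMemory fills every byte of szLocationOfTheFile (just zeroed to MaxStringSize) and no terminator remains, so the caller receives an unterminated string. Use `<`, or replace the pair with `lstrcpynA((LPSTR)szLocationOfTheFile, szFileName, MaxStringSize);`, which bounds and terminates in one step. The same `<=` guard recurs in the next three hunks of this function.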
@@ -1109,7 +1109,7 @@ bool EngineGetDependencyLocation(char* szFileName, char* szDependencyForFile, vo RtlZeroMemory(szLocationOfTheFile, MaxStringSize); if(lstrlenA(szTryFileName) <= MaxStringSize) { - RtlMoveMemory(szLocationOfTheFile, &szTryFileName, lstrlenA(szTryFileName)); + RtlCopyMemory(szLocationOfTheFile, &szTryFileName, lstrlenA(szTryFileName)); } EngineCloseHandle(hFile); return(true); @@ -1134,7 +1134,7 @@ bool EngineGetDependencyLocation(char* szFileName, char* szDependencyForFile, vo RtlZeroMemory(szLocationOfTheFile, MaxStringSize); if(lstrlenA(szTryFileName) <= MaxStringSize) { - RtlMoveMemory(szLocationOfTheFile, &szTryFileName, lstrlenA(szTryFileName)); + RtlCopyMemory(szLocationOfTheFile, &szTryFileName, lstrlenA(szTryFileName)); } EngineCloseHandle(hFile); return(true); @@ -1240,7 +1240,7 @@ bool EngineValidateHeader(ULONG_PTR FileMapVA, HANDLE hFileProc, LPVOID ImageBas DWORD MemorySize = NULL; PIMAGE_NT_HEADERS32 PEHeader32; IMAGE_NT_HEADERS32 RemotePEHeader32; - MEMORY_BASIC_INFORMATION MemoryInfo; + MEMORY_BASIC_INFORMATION MemoryInfo={0}; ULONG_PTR NumberOfBytesRW = NULL; if(IsFile) 
@@ -1375,10 +1375,10 @@ long long EngineSimulateNtLoaderW(wchar_t* szFileName)
 PeHeaderSize = DOSHeader->e_lfanew + PEHeader32->FileHeader.SizeOfOptionalHeader + (sizeof(IMAGE_SECTION_HEADER) * PEHeader32->FileHeader.NumberOfSections) + sizeof(IMAGE_FILE_HEADER) + 4;
 PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4);
 SectionNumber = PEHeader32->FileHeader.NumberOfSections;
- RtlMoveMemory(AllocatedFile, (LPVOID)FileMapVA, PeHeaderSize);
+ RtlCopyMemory(AllocatedFile, (LPVOID)FileMapVA, PeHeaderSize);
 while(SectionNumber > 0)
 {
- RtlMoveMemory((LPVOID)((ULONG_PTR)AllocatedFile + PESections->VirtualAddress), (LPVOID)(FileMapVA + PESections->PointerToRawData), PESections->SizeOfRawData);
+ RtlCopyMemory((LPVOID)((ULONG_PTR)AllocatedFile + PESections->VirtualAddress), (LPVOID)(FileMapVA + PESections->PointerToRawData), PESections->SizeOfRawData);
 PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER);
 SectionNumber--;
 }
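Review bot: Each section copy in the loop uses `VirtualAddress`, `PointerToRawData` and `SizeOfRawData` exactly as the file states them, with nothing checking that the raw range lies inside the mapping or that the virtual range lies inside AllocatedFile, so a PE with an inflated SizeOfRawData or a VirtualAddress beyond SizeOfImage writes past the allocation — and the file being loaded is the untrusted input here. The header copy above it has the same exposure: `PeHeaderSize` is built from e_lfanew, SizeOfOptionalHeader and NumberOfSections and never compared with the mapping size. Validate each range in overflow-safe arithmetic before copying and abort the load on failure; the sketch below assumes the function still holds MapFileEx's `FileSize` out-value and that AllocatedFile is sized by `PEHeader32->OptionalHeader.SizeOfImage`, both outside this hunk.
```cpp
while(SectionNumber > 0)
{
    // All three values come from the file; refuse any range that leaves the mapping or the allocation.
    ULONGLONG RawEnd  = (ULONGLONG)PESections->PointerToRawData + PESections->SizeOfRawData;
    ULONGLONG VirtEnd = (ULONGLONG)PESections->VirtualAddress + PESections->SizeOfRawData;
    if(RawEnd > FileSize || VirtEnd > PEHeader32->OptionalHeader.SizeOfImage)
    {
        return(0); // release AllocatedFile and the mapping first; that cleanup lives outside the hunk
    }
    RtlCopyMemory((LPVOID)((ULONG_PTR)AllocatedFile + PESections->VirtualAddress), (LPVOID)(FileMapVA + PESections->PointerToRawData), PESections->SizeOfRawData);
    // … unchanged: advance PESections, SectionNumber-- …
}
```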
@@ -1399,10 +1399,10 @@ long long EngineSimulateNtLoaderW(wchar_t* szFileName)
 PeHeaderSize = DOSHeader->e_lfanew + PEHeader64->FileHeader.SizeOfOptionalHeader + (sizeof(IMAGE_SECTION_HEADER) * PEHeader64->FileHeader.NumberOfSections) + sizeof(IMAGE_FILE_HEADER) + 4;
 PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4);
 SectionNumber = PEHeader64->FileHeader.NumberOfSections;
- RtlMoveMemory(AllocatedFile, (LPVOID)FileMapVA, PeHeaderSize);
+ RtlCopyMemory(AllocatedFile, (LPVOID)FileMapVA, PeHeaderSize);
 while(SectionNumber > 0)
 {
- RtlMoveMemory((LPVOID)((ULONG_PTR)AllocatedFile + PESections->VirtualAddress), (LPVOID)(FileMapVA + PESections->PointerToRawData), PESections->SizeOfRawData);
+ RtlCopyMemory((LPVOID)((ULONG_PTR)AllocatedFile + PESections->VirtualAddress), (LPVOID)(FileMapVA + PESections->PointerToRawData), PESections->SizeOfRawData);
 PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER);
 SectionNumber--;
 }
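Review bot: The section loop on this 64-bit path copies `SizeOfRawData` bytes from `FileMapVA + PointerToRawData` to `AllocatedFile + VirtualAddress` with all three values taken unverified from the section table, and none is checked against the size of the mapping or of AllocatedFile, so a crafted section header writes past the allocation. Before each copy compute the raw and virtual end offsets in 64-bit arithmetic and compare them with the mapping size and `PEHeader64->OptionalHeader.SizeOfImage`, aborting the load on failure; the `PeHeaderSize` header copy above needs the same check against the mapping size. The variable holding the mapping size is not visible in this hunk.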
@@ -1457,15 +1457,15 @@ long long EngineSimulateDllLoader(HANDLE hProcess, char* szFileName) PIMAGE_EXPORT_DIRECTORY PEExports; PEXPORTED_DATA ExportedFunctionNames; ULONG_PTR ConvertedExport = NULL; - char szFileRemoteProc[1024]; - char szDLLFileLocation[512]; - char* szTranslatedProcName; + char szFileRemoteProc[1024]={0}; + char szDLLFileLocation[512]={0}; + char* szTranslatedProcName=0; - GetProcessImageFileNameA(hProcess, szFileRemoteProc, 1024); + GetProcessImageFileNameA(hProcess, szFileRemoteProc, sizeof(szFileRemoteProc)); szTranslatedProcName = (char*)TranslateNativeName(szFileRemoteProc); if(EngineIsDependencyPresent(szFileName, NULL, NULL)) { - if(EngineGetDependencyLocation(szFileName, szTranslatedProcName, &szDLLFileLocation, 512)) + if(EngineGetDependencyLocation(szFileName, szTranslatedProcName, &szDLLFileLocation, sizeof(szDLLFileLocation))) { VirtualFree((void*)szTranslatedProcName, NULL, MEM_RELEASE); if(MapFileEx(szDLLFileLocation, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) 
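Review bot: `szTranslatedProcName` is released with VirtualFree only inside the nested success branch; when EngineIsDependencyPresent or EngineGetDependencyLocation returns false the pointer goes out of scope unreleased, and a NULL from TranslateNativeName is passed straight into EngineGetDependencyLocation. Assuming TranslateNativeName allocates with VirtualAlloc (the VirtualFree here suggests so; its body is not on this page), add `if(!szTranslatedProcName) return(0);` after the call and move the release to a single exit at the end of the function. The rest of EngineSimulateDllLoader is outside the hunk.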
@@ -1511,8 +1511,8 @@ long long EngineSimulateDllLoader(HANDLE hProcess, char* szFileName)
 if(ConvertedExport != NULL)
 {
 PEExports = (PIMAGE_EXPORT_DIRECTORY)((ULONG_PTR)DLLMemory + ExportDelta);
- RtlMoveMemory(DLLMemory, (LPVOID)FileMapVA, PEHeaderSize + DOSHeader->e_lfanew);
- RtlMoveMemory((LPVOID)((ULONG_PTR)DLLMemory + ExportDelta), (LPVOID)ConvertedExport, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size);
+ RtlCopyMemory(DLLMemory, (LPVOID)FileMapVA, PEHeaderSize + DOSHeader->e_lfanew);
+ RtlCopyMemory((LPVOID)((ULONG_PTR)DLLMemory + ExportDelta), (LPVOID)ConvertedExport, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size);
 PEExports->AddressOfFunctions = PEExports->AddressOfFunctions - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + ExportDelta;
 PEExports->AddressOfNameOrdinals = PEExports->AddressOfNameOrdinals - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + ExportDelta;
 PEExports->AddressOfNames = PEExports->AddressOfNames - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + ExportDelta;
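Review bot: The second copy on the changed lines moves `DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size` bytes from `ConvertedExport` into `DLLMemory + ExportDelta`, with the size and (through the directory RVA) the source both taken from the DLL's headers and nothing in the hunk bounding them against the DLLMemory allocation or the mapping; an export directory with an inflated Size overflows DLLMemory. The first copy, `PEHeaderSize + DOSHeader->e_lfanew` bytes of headers, is exposed the same way. Check `ExportDelta + Size` against the allocation size and `ConvertedExport + Size` against the end of the mapping before copying (both sizes live outside this hunk). The fix-ups that follow subtract the export directory's VirtualAddress from AddressOfFunctions, AddressOfNames and AddressOfNameOrdinals; a linker is free to place those tables outside the directory block, in which case the subtraction wraps and the later reads leave the copied block, so those RVAs want a range check too.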
@@ -1562,8 +1562,8 @@ long long EngineSimulateDllLoader(HANDLE hProcess, char* szFileName)
 if(ConvertedExport != NULL)
 {
 PEExports = (PIMAGE_EXPORT_DIRECTORY)((ULONG_PTR)DLLMemory + ExportDelta);
- RtlMoveMemory(DLLMemory, (LPVOID)FileMapVA, PEHeaderSize + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size);
- RtlMoveMemory((LPVOID)((ULONG_PTR)DLLMemory + ExportDelta), (LPVOID)ConvertedExport, PEHeaderSize + DOSHeader->e_lfanew);
+ RtlCopyMemory(DLLMemory, (LPVOID)FileMapVA, PEHeaderSize + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size);
+ RtlCopyMemory((LPVOID)((ULONG_PTR)DLLMemory + ExportDelta), (LPVOID)ConvertedExport, PEHeaderSize + DOSHeader->e_lfanew);
 PEExports->AddressOfFunctions = PEExports->AddressOfFunctions - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + ExportDelta;
 PEExports->AddressOfNameOrdinals = PEExports->AddressOfNameOrdinals - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + ExportDelta;
 PEExports->AddressOfNames = PEExports->AddressOfNames - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + ExportDelta;
@@ -1830,7 +1830,7 @@ long long EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBa
 GetModuleFileNameExA(hProcess, (HMODULE)EnumeratedModules[i], (LPSTR)RemoteDLLName, MAX_PATH);
 lstrcpyA(FullRemoteDLLName, RemoteDLLName);
 RtlZeroMemory(&szWindowsSideBySideCmp, MAX_PATH);
- RtlMoveMemory(&szWindowsSideBySideCmp, FullRemoteDLLName, lstrlenA(szWindowsSideBySide));
+ RtlCopyMemory(&szWindowsSideBySideCmp, FullRemoteDLLName, lstrlenA(szWindowsSideBySide));
 if(GetModuleHandleA(RemoteDLLName) == NULL)
 {
 RtlZeroMemory(&RemoteDLLName, MAX_PATH);
From e22d5b11310f8e3f3ac836a73cbac0ab29cb129f Mon Sep 17 00:00:00 2001
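Review bot: The two lengths on the changed lines look swapped relative to the 32-bit path of the same function: here the header copy into DLLMemory uses `PEHeaderSize + ...EXPORT].Size` and the export-directory copy to `DLLMemory + ExportDelta` uses `PEHeaderSize + DOSHeader->e_lfanew`, whereas the 32-bit branch (the hunk at 1511 in this commit) copies `PEHeaderSize + DOSHeader->e_lfanew` bytes of headers and `...EXPORT].Size` bytes of directory. Nothing in the hunk suggests the 64-bit layout is meant to differ, so this reads as a copy-paste slip carried over by the RtlMoveMemory→RtlCopyMemory rename; the likely intent is `RtlCopyMemory(DLLMemory, (LPVOID)FileMapVA, PEHeaderSize + DOSHeader->e_lfanew);` followed by `RtlCopyMemory((LPVOID)((ULONG_PTR)DLLMemory + ExportDelta), (LPVOID)ConvertedExport, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size);`. Either way both sizes come from the DLL's headers and are not checked against the DLLMemory allocation.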
From: deepzero Date: Wed, 15 Jan 2014 11:36:22 +0100 Subject: [PATCH 12/17] replaced some RtlMemMove opartions by proper casts (far from all) --- TitanEngine/TitanEngine.cpp | 51 +++++++++++++++---------------------- 1 file changed, 21 insertions(+), 30 deletions(-) diff --git a/TitanEngine/TitanEngine.cpp b/TitanEngine/TitanEngine.cpp index 2f6c16b..538353c 100644 --- a/TitanEngine/TitanEngine.cpp +++ b/TitanEngine/TitanEngine.cpp @@ -636,8 +636,8 @@ bool EngineIsPointedMemoryString(ULONG_PTR PossibleStringPtr) bool StringIsValid = true; unsigned int i = 512; - MEMORY_BASIC_INFORMATION MemInfo; - DWORD MaxDisassmSize; + MEMORY_BASIC_INFORMATION MemInfo = {0}; + DWORD MaxDisassmSize = 512; BYTE TestChar; VirtualQueryEx(GetCurrentProcess(), (LPVOID)PossibleStringPtr, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); @@ -651,19 +651,13 @@ bool EngineIsPointedMemoryString(ULONG_PTR PossibleStringPtr) { i = MaxDisassmSize; } - else - { - MaxDisassmSize = 512; - } } - else - { - MaxDisassmSize = 512; - } - RtlMoveMemory(&TestChar, (LPVOID)PossibleStringPtr, 1); + + TestChar = *((BYTE*)PossibleStringPtr); while(i > NULL && StringIsValid == true && TestChar != 0x00) { - RtlMoveMemory(&TestChar, (LPVOID)PossibleStringPtr, 1); + TestChar = *((BYTE*)PossibleStringPtr); + if(TestChar < 32 || TestChar > 126) { if(TestChar != 0x00) @@ -691,7 +685,7 @@ int EnginePointedMemoryStringLength(ULONG_PTR PossibleStringPtr) bool StringIsValid = true; unsigned int i = 512; MEMORY_BASIC_INFORMATION MemInfo; - DWORD MaxDisassmSize; + DWORD MaxDisassmSize = 512; BYTE TestChar; VirtualQueryEx(GetCurrentProcess(), (LPVOID)PossibleStringPtr, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); 
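Review bot: `MaxDisassmSize` gets its default here, but `MEMORY_BASIC_INFORMATION MemInfo;` two lines above is left uninitialised, unlike its twin in EngineIsPointedMemoryString in the previous hunk which received `= {0}`; neither function checks the return of the `VirtualQueryEx` that fills it, so when the query fails the fields read afterwards are garbage and the 512-byte scan bound below is meaningless. Initialise it the same way, `MEMORY_BASIC_INFORMATION MemInfo = {0};`, and gate on the query, `if(VirtualQueryEx(...) == 0) return(NULL);`, which matches the NULL the function already returns for a non-string. The remainder of the function is outside the hunk.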
@@ -705,19 +699,13 @@ int EnginePointedMemoryStringLength(ULONG_PTR PossibleStringPtr) { i = MaxDisassmSize; } - else - { - MaxDisassmSize = 512; - } } - else - { - MaxDisassmSize = 512; - } - RtlMoveMemory(&TestChar, (LPVOID)PossibleStringPtr, 1); + + TestChar = *((BYTE*)PossibleStringPtr); while(i > NULL && StringIsValid == true && TestChar != 0x00) { - RtlMoveMemory(&TestChar, (LPVOID)PossibleStringPtr, 1); + TestChar = *((BYTE*)PossibleStringPtr); + if(TestChar < 32 || TestChar > 126) { if(TestChar != 0x00) @@ -831,10 +819,11 @@ bool EngineExtractForwarderData(ULONG_PTR PossibleStringPtr, LPVOID szFwdDLLName LPVOID lpPossibleStringPtr = (LPVOID)PossibleStringPtr; BYTE TestChar; - RtlMoveMemory(&TestChar, (LPVOID)PossibleStringPtr, 1); + TestChar = *((BYTE*)PossibleStringPtr); + while(TestChar != 0x2E && TestChar != 0x00) { - RtlMoveMemory(&TestChar, (LPVOID)PossibleStringPtr, 1); + TestChar = *((BYTE*)PossibleStringPtr); PossibleStringPtr++; } if(TestChar == 0x00) @@ -845,14 +834,15 @@ bool EngineExtractForwarderData(ULONG_PTR PossibleStringPtr, LPVOID szFwdDLLName RtlCopyMemory(szFwdDLLName, lpPossibleStringPtr, PossibleStringPtr - (ULONG_PTR)lpPossibleStringPtr); lstrcatA((LPSTR)szFwdDLLName, ".dll"); lpPossibleStringPtr = (LPVOID)(PossibleStringPtr + 1); - RtlMoveMemory(&TestChar, (LPVOID)PossibleStringPtr, 1); + TestChar = *((BYTE*)PossibleStringPtr); + if(TestChar == 0x23) { lpPossibleStringPtr = (LPVOID)(PossibleStringPtr + 1); } while(TestChar != 0x00) { - RtlMoveMemory(&TestChar, (LPVOID)PossibleStringPtr, 1); + TestChar = *((BYTE*)PossibleStringPtr); PossibleStringPtr++; } RtlCopyMemory(szFwdAPIName, lpPossibleStringPtr, PossibleStringPtr - (ULONG_PTR)lpPossibleStringPtr); 
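Review bot: The rewritten read `TestChar = *((BYTE*)PossibleStringPtr);` still samples the byte the previous hunk stepped back onto with `PossibleStringPtr--`, i.e. the '.' separator, so `TestChar == 0x23` cannot hold for any forwarder with a non-empty DLL name and the branch is dead; even when taken it assigns lpPossibleStringPtr the same `PossibleStringPtr + 1` as the line above. If the intent is to skip the '#' of an ordinal forwarder (`DLL.#123`), read the following byte and advance two: `if(*((BYTE*)(PossibleStringPtr + 1)) == 0x23) lpPossibleStringPtr = (LPVOID)(PossibleStringPtr + 2);`. The `while(TestChar != 0x00)` scan and the RtlCopyMemory after it remain unbounded, so the API-name copy length is whatever the export directory dictates. EngineExtractForwarderData starts before this hunk.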
@@ -1218,19 +1208,20 @@ bool EngineValidateResource(HMODULE hModule, LPCTSTR lpszType, LPTSTR lpszName, { if(!EngineIsBadReadPtrEx(ResourceData, ResourceSize)) { - RtlMoveMemory((LPVOID)lParam, &ReturnData, 1); + *((LONG*)lParam) = ReturnData; return(false); } } else { - RtlMoveMemory((LPVOID)lParam, &ReturnData, 1); + *((LONG*)lParam) = ReturnData; return(false); } } return(true); } - RtlMoveMemory((LPVOID)lParam, &ReturnData, 1); + + *((LONG*)lParam) = ReturnData; return(false); } bool EngineValidateHeader(ULONG_PTR FileMapVA, HANDLE hFileProc, LPVOID ImageBase, PIMAGE_DOS_HEADER DOSHeader, bool IsFile) From f3ba7d14a71baf813856564ffb087b4772037bec Mon Sep 17 00:00:00 2001 From: deepzero Date: Wed, 15 Jan 2014 11:36:38 +0100 Subject: [PATCH 13/17] cosmetics --- TitanEngine/TitanEngine.cpp | 77 +++++++------------------------------ 1 file changed, 14 insertions(+), 63 deletions(-) diff --git a/TitanEngine/TitanEngine.cpp b/TitanEngine/TitanEngine.cpp index 538353c..33a3d0c 100644 --- a/TitanEngine/TitanEngine.cpp +++ b/TitanEngine/TitanEngine.cpp @@ -188,29 +188,20 @@ unsigned long Crc32Table[256]; // Global.Handle.functions: bool EngineCloseHandle(HANDLE myHandle) { - DWORD HandleFlags; - if(GetHandleInformation(myHandle, &HandleFlags)) { if(CloseHandle(myHandle)) { return(true); } - else - { - return(false); - } - } - else - { - return(false); } + + return(false); } // Global.Mapping.functions: bool MapFileEx(char* szFileName, DWORD ReadOrWrite, LPHANDLE FileHandle, LPDWORD FileSize, LPHANDLE FileMap, LPVOID FileMapVA, DWORD SizeModifier) { - HANDLE hFile = 0; DWORD FileAccess = 0; DWORD FileMapType = 0; 
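Review bot: `*((LONG*)lParam) = ReturnData;` stores `sizeof(LONG)` bytes where `RtlMoveMemory((LPVOID)lParam, &ReturnData, 1)` stored one, so all three sites in this hunk change behavior rather than just the cast. Whether that is a fix (the old code silently truncated a wider `ReturnData`) or a new overrun depends on the declared type of `ReturnData` and on the size of the object the EnumResourceNames caller passes through `lParam`, neither of which is visible here; verify both and state the width on the callback, e.g. `// lParam must point to a LONG that receives ReturnData`. A single write after the if/else would also replace the three copies. EngineValidateResource starts before the hunk.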
@@ -467,9 +458,7 @@ bool EngineIsThereFreeHardwareBreakSlot(LPDWORD FreeRegister) bool EngineFileExists(char* szFileName) { - HANDLE hFile; - - hFile = CreateFileA(szFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); + HANDLE hFile = CreateFileA(szFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); if(hFile != INVALID_HANDLE_VALUE) { EngineCloseHandle(hFile); @@ -555,10 +544,6 @@ bool EngineCreatePathForFile(char* szFileName) } } } - else - { - return(true); - } } return(true); } @@ -596,10 +581,6 @@ bool EngineCreatePathForFileW(wchar_t* szFileName) } } } - else - { - return(true); - } } return(true); } @@ -672,10 +653,6 @@ bool EngineIsPointedMemoryString(ULONG_PTR PossibleStringPtr) { return(true); } - else - { - return(false); - } } return(false); } @@ -721,10 +698,6 @@ int EnginePointedMemoryStringLength(ULONG_PTR PossibleStringPtr) i = 512 - i; return(i); } - else - { - return(NULL); - } } return(NULL); } @@ -770,6 +743,7 @@ long long EngineEstimateNewSectionRVA(ULONG_PTR FileMapVA) { return(0); } + if(!FileIs64) { PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); @@ -855,19 +829,11 @@ bool EngineExtractForwarderData(ULONG_PTR PossibleStringPtr, LPVOID szFwdDLLName } bool EngineGrabDataFromMappedFile(HANDLE hFile, ULONG_PTR FileMapVA, ULONG_PTR FileOffset, DWORD CopySize, LPVOID CopyToMemory) { - DWORD rfNumberOfBytesRead = NULL; RtlZeroMemory(CopyToMemory, CopySize); SetFilePointer(hFile, (DWORD)(FileOffset - FileMapVA), NULL, FILE_BEGIN); - if(ReadFile(hFile, CopyToMemory, CopySize, &rfNumberOfBytesRead, NULL)) - { - return(true); - } - else - { - return(false); - } + return !!ReadFile(hFile, CopyToMemory, CopySize, &rfNumberOfBytesRead, NULL); } bool EngineExtractResource(char* szResourceName, wchar_t* szExtractedFileName) { 
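Review bot: `rfNumberOfBytesRead` is still passed to `ReadFile` on the new `return !!ReadFile(hFile, CopyToMemory, CopySize, &rfNumberOfBytesRead, NULL);` line, but its only declaration, `DWORD rfNumberOfBytesRead = NULL;`, is removed in the same hunk, so EngineGrabDataFromMappedFile no longer compiles unless a file-scope variable of that name exists. Keep the declaration, `DWORD rfNumberOfBytesRead = 0;`. Separately, the `SetFilePointer` result and the count actually read are never compared with `CopySize`; because the buffer is zeroed first, a short read yields a true return with trailing zeros, so `return ReadFile(hFile, CopyToMemory, CopySize, &rfNumberOfBytesRead, NULL) && rfNumberOfBytesRead == CopySize;` would be the safer contract.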
@@ -926,6 +892,7 @@ bool EngineIsDependencyPresent(char* szFileName, char* szDependencyForFile, char return(true); } } + if(szFileName != NULL) { hFile = CreateFileA(szFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); @@ -1020,6 +987,7 @@ bool EngineIsDependencyPresentW(wchar_t* szFileName, wchar_t* szDependencyForFil return(true); } } + if(GetWindowsDirectoryW(szTryFileName, 512) > NULL) { lstrcatW(szTryFileName, L"\\"); @@ -1031,6 +999,7 @@ bool EngineIsDependencyPresentW(wchar_t* szFileName, wchar_t* szDependencyForFil return(true); } } + if(szDependencyForFile != NULL) { i = lstrlenW(szDependencyForFile); @@ -2974,15 +2943,9 @@ __declspec(dllexport) bool TITCALL DumpMemoryExW(DWORD ProcessId, LPVOID MemoryS { return(true); } - else - { - return(false); - } - } - else - { - return(false); } + + return(false); } __declspec(dllexport) bool TITCALL DumpRegions(HANDLE hProcess, char* szDumpFolder, bool DumpAboveImageBaseOnly) { @@ -3081,15 +3044,9 @@ __declspec(dllexport) bool TITCALL DumpRegionsExW(DWORD ProcessId, wchar_t* szDu { return(true); } - else - { - return(false); - } - } - else - { - return(false); } + + return(false); } __declspec(dllexport) bool TITCALL DumpModule(HANDLE hProcess, LPVOID ModuleBase, char* szDumpFileName) { @@ -3157,15 +3114,9 @@ __declspec(dllexport) bool TITCALL DumpModuleExW(DWORD ProcessId, LPVOID ModuleB { return(true); } - else - { - return(false); - } - } - else - { - return(false); } + + return(false); } __declspec(dllexport) bool TITCALL PastePEHeader(HANDLE hProcess, LPVOID ImageBase, char* szDebuggedFileName) { From 89472363f0f3d06a2179098839d4dc38208ec1b8 Mon Sep 17 00:00:00 2001 From: deepzero Date: Wed, 15 Jan 2014 11:59:42 +0100 Subject: [PATCH 14/17] fix: dont write trash to file, when ReadFile() fails --- TitanEngine/TitanEngine.cpp | 60 ++++++++++++++++++++++++++++--------- 1 file changed, 46 insertions(+), 14 deletions(-) 
diff --git a/TitanEngine/TitanEngine.cpp b/TitanEngine/TitanEngine.cpp
index 33a3d0c..9f5c5bb 100644
--- a/TitanEngine/TitanEngine.cpp
+++ b/TitanEngine/TitanEngine.cpp
@@ -3807,19 +3807,35 @@ __declspec(dllexport) bool TITCALL ExtractOverlayW(wchar_t* szFileName, wchar_t*
 SetFilePointer(hFile, OverlayStart, NULL, FILE_BEGIN);
 while(OverlaySize > 0)
 {
+ RtlZeroMemory(ueReadBuffer, 0x2000);
+
 if(OverlaySize > 0x1000)
 {
- RtlZeroMemory(ueReadBuffer, 0x2000);
- if(!ReadFile(hFile, ueReadBuffer, 0x1000, &ueNumberOfBytesRead, NULL) || !WriteFile(hFileWrite, ueReadBuffer, 0x1000, &ueNumberOfBytesRead, NULL))
- return false;
- OverlaySize = OverlaySize - 0x1000;
+ if(ReadFile(hFile, ueReadBuffer, 0x1000, &ueNumberOfBytesRead, NULL))
+ {
+ if(!WriteFile(hFileWrite, ueReadBuffer, 0x1000, &ueNumberOfBytesRead, NULL))
+ return false;
+ }
+ else
+ {
+ return false;
+ }
+
+ OverlaySize = OverlaySize - 0x1000;
 }
 else
 {
- RtlZeroMemory(ueReadBuffer, 0x2000);
- if(!ReadFile(hFile, ueReadBuffer, OverlaySize, &ueNumberOfBytesRead, NULL) || !WriteFile(hFileWrite, ueReadBuffer, OverlaySize, &ueNumberOfBytesRead, NULL))
- return false;
- OverlaySize = 0;
+ if(ReadFile(hFile, ueReadBuffer, OverlaySize, &ueNumberOfBytesRead, NULL))
+ {
+ if(!WriteFile(hFileWrite, ueReadBuffer, OverlaySize, &ueNumberOfBytesRead, NULL))
+ return false;
+ }
+ else
+ {
+ return false;
+ }
+
+ OverlaySize = 0;
 }
 }
 VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
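Review bot: `ReadFile` can return TRUE with fewer than the requested bytes (end of file or a short read), and both new branches then still write the full `0x1000`/`OverlaySize` bytes, so the zeroed tail of `ueReadBuffer` still lands in the output file — the very case the commit title wants to rule out; `ueNumberOfBytesRead` is also reused as `WriteFile`'s written-count, so the read count is overwritten before it could be checked. The same shape is repeated in AddOverlayW's hunk on the next line, and this note applies there too. Every `return false` inside the loop (four per function) also skips the `VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);` that follows it, and presumably the handle closes, which are outside the hunk; the old code had the same leak, the rewrite doubles the exits. One chunk size per iteration collapses the two branches and lets both counts be checked, as below, with `ueNumberOfBytesWritten` a second DWORD declared next to `ueNumberOfBytesRead`. The enclosing function starts before and ends after the hunk.
```cpp
while(OverlaySize > 0)
{
    DWORD ChunkSize = (OverlaySize > 0x1000) ? 0x1000 : (DWORD)OverlaySize;
    RtlZeroMemory(ueReadBuffer, 0x2000);
    if(!ReadFile(hFile, ueReadBuffer, ChunkSize, &ueNumberOfBytesRead, NULL) || ueNumberOfBytesRead != ChunkSize)
    {
        VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
        return false;
    }
    if(!WriteFile(hFileWrite, ueReadBuffer, ueNumberOfBytesRead, &ueNumberOfBytesWritten, NULL) || ueNumberOfBytesWritten != ueNumberOfBytesRead)
    {
        VirtualFree(ueReadBuffer, NULL, MEM_RELEASE);
        return false;
    }
    OverlaySize = OverlaySize - ChunkSize;
}
// … unchanged: VirtualFree on the success path …
```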
@@ -3878,18 +3894,34 @@ __declspec(dllexport) bool TITCALL AddOverlayW(wchar_t* szFileName, wchar_t* szO
 SetFilePointer(hFile, FileSize, NULL, FILE_BEGIN);
 while(OverlaySize > 0)
 {
+ RtlZeroMemory(ueReadBuffer, 0x2000);
+
 if(OverlaySize > 0x1000)
 {
- RtlZeroMemory(ueReadBuffer, 0x2000);
- if(!ReadFile(hFileRead, ueReadBuffer, 0x1000, &uedNumberOfBytesRead, NULL) || !WriteFile(hFile, ueReadBuffer, 0x1000, &uedNumberOfBytesRead, NULL))
- return false;
+ if(ReadFile(hFileRead, ueReadBuffer, 0x1000, &uedNumberOfBytesRead, NULL))
+ {
+ if(!WriteFile(hFile, ueReadBuffer, 0x1000, &uedNumberOfBytesRead, NULL))
+ return false;
+ }
+ else
+ {
+ return false;
+ }
+
 OverlaySize = OverlaySize - 0x1000;
 }
 else
 {
- RtlZeroMemory(ueReadBuffer, 0x2000);
- if(!ReadFile(hFileRead, ueReadBuffer, OverlaySize, &uedNumberOfBytesRead, NULL) || !WriteFile(hFile, ueReadBuffer, OverlaySize, &uedNumberOfBytesRead, NULL))
- return false;
+ if(ReadFile(hFileRead, ueReadBuffer, OverlaySize, &uedNumberOfBytesRead, NULL))
+ {
+ if(!WriteFile(hFile, ueReadBuffer, OverlaySize, &uedNumberOfBytesRead, NULL))
+ return false;
+ }
+ else
+ {
+ return false;
+ }
+
 OverlaySize = 0;
 }
 }
From e80e2db7df192392ebbd8e80e2b609eea4df61c0 Mon Sep 17 00:00:00 2001
From: deepzero
Date: Wed, 15 Jan 2014 22:32:16 +0100
Subject: [PATCH 15/17] fix brackets with #defines
---
 TitanEngine/stdafx.h | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/TitanEngine/stdafx.h b/TitanEngine/stdafx.h
index f50c889..c97c25a 100644
--- a/TitanEngine/stdafx.h
+++ b/TitanEngine/stdafx.h
@@ -26,16 +26,16 @@
 #define STATUS_SUCCESS ((NTSTATUS)0x00000000L) // ntsubauth
 // Engine.Internal:
-#define TITANENGINE_PAGESIZE 0x1000
-#define MAX_IMPORT_ALLOC 256 * 256
-#define MAX_RELOC_ALLOC 1024 * 1024
-#define UE_MAX_RESERVED_MEMORY_LEFT 32
-#define MAXIMUM_SECTION_NUMBER 32
-#define MAX_DECODE_INSTRUCTIONS 32
+#define TITANENGINE_PAGESIZE (0x1000)
+#define MAX_IMPORT_ALLOC (256 * 256)
+#define MAX_RELOC_ALLOC (1024 * 1024)
+#define UE_MAX_RESERVED_MEMORY_LEFT (32)
+#define MAXIMUM_SECTION_NUMBER (32)
+#define MAX_DECODE_INSTRUCTIONS (32)
 #define MAX_INSTRUCTIONS (1000)
-#define MAXIMUM_BREAKPOINTS 1000
-#define MAXIMUM_INSTRUCTION_SIZE 40
-#define MAX_RET_SEARCH_INSTRUCTIONS 100
+#define MAXIMUM_BREAKPOINTS (1000)
+#define MAXIMUM_INSTRUCTION_SIZE (40)
+#define MAX_RET_SEARCH_INSTRUCTIONS (100)
 #define UE_OPTION_IMPORTER_REALIGN_LOCAL_APIADDRESS 0
 #define UE_OPTION_IMPORTER_REALIGN_APIADDRESS 1
From 19859f87a4303b15bb5922b916e9979bc340cd6e Mon Sep 17 00:00:00 2001
From: deepzero
Date: Wed, 15 Jan 2014 22:32:33 +0100
Subject: [PATCH 16/17] added inclusion guard for definitions.h
---
 TitanEngine/definitions.h | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/TitanEngine/definitions.h b/TitanEngine/definitions.h
index 1ce4c5b..ca95e2f 100644
--- a/TitanEngine/definitions.h
+++ b/TitanEngine/definitions.h
@@ -1,3 +1,7 @@
+#ifndef definitions_h__
+#define definitions_h__
+
+
 #define TITCALL
 // Global.Function.Declaration:
@@ -446,3 +450,7 @@ __declspec(dllexport) void* TITCALL ExtensionManagerGetPluginInfo(char* szPlugin
 #ifdef __cplusplus
 }
 #endif /*__cplusplus*/
+
+
+#endif // definitions_h__
+
From 23b1e56949418801595534775a0baecf1796ec15 Mon Sep 17 00:00:00 2001
From: deepzero
Date: Wed, 15 Jan 2014 22:33:15 +0100
Subject: [PATCH 17/17] fix compiling of resources without MFC headers
---
 TitanEngine/TitanEngine.rc | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
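Review bot: Wrapping single literals such as `(32)` and `(1000)` changes nothing and adds noise; only `MAX_IMPORT_ALLOC` and `MAX_RELOC_ALLOC` had expansions (`256 * 256`, `1024 * 1024`) that could mis-bind inside a larger expression, and `MAX_INSTRUCTIONS` was already parenthesized. The two `UE_OPTION_IMPORTER_REALIGN_*` values at the bottom of the hunk stay bare, so the block is now inconsistent either way. Since the consumer is C++ (the `__cplusplus` block in definitions.h), typed constants such as `static const unsigned MAX_IMPORT_ALLOC = 256 * 256;`, or one `enum` for the counts, would give type checking and debugger visibility without any precedence concern.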
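Review bot: `definitions_h__` contains a double underscore, and identifiers containing `__` anywhere are reserved for the implementation in C++ (this header is consumed from C++, per its `__cplusplus` block), so the guard could in principle collide with a compiler or library macro; a conventional name such as `TITANENGINE_DEFINITIONS_H` avoids that. The two blank lines added between `#define definitions_h__` and `#define TITCALL` are unnecessary, and `#pragma once` is an accepted MSVC addition alongside the guard. The second hunk closes the guard correctly.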
diff --git a/TitanEngine/TitanEngine.rc b/TitanEngine/TitanEngine.rc
index efd9eed..142a54d 100644
--- a/TitanEngine/TitanEngine.rc
+++ b/TitanEngine/TitanEngine.rc
@@ -2,12 +2,15 @@
 //
 #include "resource.h"
+#include "WinResrc.h"
+#define IDC_STATIC (-1)
+
 #define APSTUDIO_READONLY_SYMBOLS
 /////////////////////////////////////////////////////////////////////////////
 //
 // Generated from the TEXTINCLUDE 2 resource.
 //
-#include "afxres.h"
+//#include "afxres.h" //MFC
 /////////////////////////////////////////////////////////////////////////////
 #undef APSTUDIO_READONLY_SYMBOLS