x64dbg
/
TitanEngine
mirror of https://github.com/x64dbg/TitanEngine
1
0
Fork 0
Code Releases Activity

updated to use scylla: 

ImporterExportIAT
- broken, scylla_wrapper needs to be updated to support export to VA

ImporterExportIATEx
ImporterExportIATExW
This commit is contained in:
cypherpunk 2014-01-12 17:05:40 +01:00
parent c74ac34963
commit 86ed5042aa
1 changed files with 6 additions and 170 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

176
TitanEngine/TitanEngine.cpp
View File

@ -18697,142 +18697,8 @@ __declspec(dllexport) void TITCALL ImporterMoveIAT()
} }
__declspec(dllexport) bool TITCALL ImporterExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA) __declspec(dllexport) bool TITCALL ImporterExportIAT(ULONG_PTR StorePlace, ULONG_PTR FileMapVA)
{ {
//TODO this needs an scylla_wrapper update for exporting to a VA
int i = 0; return false;
int j = 0;
int x = 0;
int NumberOfAPIs = NULL;
DWORD DLLNumber = NULL;
DWORD APINumber = NULL;
PIMAGE_IMPORT_DESCRIPTOR StoreIID = (PIMAGE_IMPORT_DESCRIPTOR)StorePlace;
ULONG_PTR StorePlaceVA = (ULONG_PTR)ConvertFileOffsetToVA(FileMapVA, StorePlace, true);
ULONG_PTR OriginalStorePlaceRVA = (DWORD)(StorePlaceVA - impImageBase);
ULONG_PTR StringStorePlaceFO = StorePlace + ((impDLLNumber + 2) * sizeof IMAGE_IMPORT_DESCRIPTOR);
ULONG_PTR StringStorePlaceVA = StorePlaceVA + ((impDLLNumber + 2) * sizeof IMAGE_IMPORT_DESCRIPTOR);
ULONG_PTR ThunkStorePlaceFO = NULL;
ULONG_PTR ThunkReadValue = NULL;
LPVOID ThunkReadPlace = NULL;
ULONG_PTR FirstThunk = NULL;
ULONG_PTR CurrentThunk = NULL;
PIMAGE_DOS_HEADER DOSHeader;
PIMAGE_NT_HEADERS32 PEHeader32;
PIMAGE_NT_HEADERS64 PEHeader64;
bool FileIs64 = false;
bool OrdinalImport = false;
if(ImporterGetAddedDllCount() > NULL)
{
if(impMoveIAT)
{
NumberOfAPIs = ImporterGetAddedAPICount() + ImporterGetAddedDllCount();
StorePlaceVA = StorePlaceVA + (NumberOfAPIs * sizeof ULONG_PTR);
StringStorePlaceFO = StringStorePlaceFO + (NumberOfAPIs * sizeof ULONG_PTR);
StringStorePlaceVA = StringStorePlaceVA + (NumberOfAPIs * sizeof ULONG_PTR);
OriginalStorePlaceRVA = OriginalStorePlaceRVA + (NumberOfAPIs * sizeof ULONG_PTR);
StoreIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)StorePlace + (NumberOfAPIs * sizeof ULONG_PTR));
}
__try
{
DLLNumber = impDLLNumber + 1;
while(DLLNumber > NULL)
{
RtlMoveMemory(&FirstThunk, (LPVOID)impDLLDataList[i][0], sizeof ULONG_PTR);
StoreIID->FirstThunk = (DWORD)(FirstThunk - impImageBase);
StoreIID->Name = (DWORD)(StringStorePlaceVA - impImageBase);
RtlMoveMemory((LPVOID)StringStorePlaceFO, (LPVOID)impDLLStringList[i][0], (int)(impDLLStringList[i][1] - impDLLStringList[i][0]));
StringStorePlaceFO = StringStorePlaceFO + (int)(impDLLStringList[i][1] - impDLLStringList[i][0]);
#if !defined(_WIN64)
ThunkReadPlace = (LPVOID)(impDLLDataList[i][0] + 12);
#else
ThunkReadPlace = (LPVOID)(impDLLDataList[i][0] + 20);
#endif
ThunkStorePlaceFO = (ULONG_PTR)ConvertVAtoFileOffset(FileMapVA, FirstThunk, true);
RtlMoveMemory(&APINumber, (LPVOID)(impDLLDataList[i][0] + 2 * sizeof ULONG_PTR), 4);
CurrentThunk = FirstThunk;
APINumber--;
while(APINumber > NULL)
{
OrdinalImport = false;
for(j = 0; j < 1000; j++)
{
if(impOrdinalList[j][0] == CurrentThunk)
{
OrdinalImport = true;
x = j;
j = 1000;
}
else if(impOrdinalList[j][0] == NULL)
{
j = 1000;
}
}
if(!OrdinalImport)
{
RtlMoveMemory(&ThunkReadValue, ThunkReadPlace, 4);
ThunkReadValue = ThunkReadValue + StringStorePlaceVA - impImageBase;
RtlMoveMemory((LPVOID)ThunkStorePlaceFO, &ThunkReadValue, sizeof ULONG_PTR);
ThunkReadPlace = (LPVOID)((ULONG_PTR)ThunkReadPlace + 4);
ThunkStorePlaceFO = ThunkStorePlaceFO + sizeof ULONG_PTR;
}
else
{
j = x;
ThunkReadValue = impOrdinalList[j][1];
RtlMoveMemory((LPVOID)ThunkStorePlaceFO, &ThunkReadValue, sizeof ULONG_PTR);
ThunkReadPlace = (LPVOID)((ULONG_PTR)ThunkReadPlace + 4);
ThunkStorePlaceFO = ThunkStorePlaceFO + sizeof ULONG_PTR;
}
CurrentThunk = CurrentThunk + sizeof ULONG_PTR;
APINumber--;
}
ThunkReadValue = 0;
RtlMoveMemory((LPVOID)ThunkStorePlaceFO, &ThunkReadValue, sizeof ULONG_PTR);
StorePlaceVA = StorePlaceVA + (int)(impDLLStringList[i][1] - impDLLStringList[i][0]);
StringStorePlaceVA = StringStorePlaceVA + (int)(impDLLStringList[i][1] - impDLLStringList[i][0]);
StoreIID = (PIMAGE_IMPORT_DESCRIPTOR)((ULONG_PTR)StoreIID + sizeof IMAGE_IMPORT_DESCRIPTOR);
DLLNumber--;
i++;
}
DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA;
if(EngineValidateHeader(FileMapVA, NULL, NULL, DOSHeader, true))
{
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
if(PEHeader32->OptionalHeader.Magic == 0x10B)
{
FileIs64 = false;
}
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
{
FileIs64 = true;
}
if(!FileIs64)
{
PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = (DWORD)OriginalStorePlaceRVA;
PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size = (DWORD)((impDLLNumber + 2) * sizeof IMAGE_IMPORT_DESCRIPTOR);
}
else
{
PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress = (DWORD)OriginalStorePlaceRVA;
PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].Size = (DWORD)((impDLLNumber + 2) * sizeof IMAGE_IMPORT_DESCRIPTOR);
}
}
ImporterCleanup();
return(true);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
ImporterCleanup();
return(false);
}
}
else
{
return(false);
}
} }
__declspec(dllexport) long TITCALL ImporterEstimatedSize() __declspec(dllexport) long TITCALL ImporterEstimatedSize()
{ {
@ -18879,41 +18745,11 @@ __declspec(dllexport) bool TITCALL ImporterExportIATEx(char* szExportFileName, c
} }
__declspec(dllexport) bool TITCALL ImporterExportIATExW(wchar_t* szExportFileName, char* szSectionName) __declspec(dllexport) bool TITCALL ImporterExportIATExW(wchar_t* szExportFileName, char* szSectionName)
{ {
if(scylla_fixDump(szExportFileName, L".scy") != SCY_ERROR_SUCCESS) {
HANDLE FileHandle; return false;
DWORD FileSize;
HANDLE FileMap;
ULONG_PTR FileMapVA;
DWORD NewSectionVO = NULL;
DWORD NewSectionFO = NULL;
bool ReturnValue = false;
if(ImporterGetAddedDllCount() > NULL)
{
NewSectionVO = AddNewSectionW(szExportFileName, szSectionName, ImporterEstimatedSize());
if(MapFileExW(szExportFileName, UE_ACCESS_ALL, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL))
{
NewSectionFO = (DWORD)ConvertVAtoFileOffset(FileMapVA, NewSectionVO + impImageBase, true);
ReturnValue = ImporterExportIAT(NewSectionFO, FileMapVA);
UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA);
if(ReturnValue)
{
return(true);
}
else
{
return(false);
}
}
else
{
return(false);
}
}
else
{
return(false);
} }
return true;
} }
__declspec(dllexport) long long TITCALL ImporterFindAPIWriteLocation(char* szAPIName) __declspec(dllexport) long long TITCALL ImporterFindAPIWriteLocation(char* szAPIName)
{ {