From 9502654a71d05aa174ad4718bf1fdf5c30bd93a6 Mon Sep 17 00:00:00 2001
From: "mr.exodia"
Date: Tue, 4 Mar 2014 23:31:16 +0100
Subject: [PATCH] - heap flags are now hidden

---
 TitanEngine/Global.Engine.Hider.cpp | 27 +++++++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

diff --git a/TitanEngine/Global.Engine.Hider.cpp b/TitanEngine/Global.Engine.Hider.cpp
index 7e7f97e..8f85f9e 100644
--- a/TitanEngine/Global.Engine.Hider.cpp
+++ b/TitanEngine/Global.Engine.Hider.cpp
@@ -19,8 +19,13 @@ static bool isAtleastVista()
 return isAtleastVista;
 }
 
-static bool isWindows64()
+static bool isWindows64() //TODO: unclear behaviour, will return true when on wow64, but should not return true, because the system structures are x32 in that case
 {
+#ifdef _WIN64
+ return true;
+#else
+ return false;
+#endif;
 SYSTEM_INFO si = {0};
 typedef void (WINAPI *tGetNativeSystemInfo)(LPSYSTEM_INFO lpSystemInfo);
 tGetNativeSystemInfo _GetNativeSystemInfo = (tGetNativeSystemInfo)GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetNativeSystemInfo");
@@ -183,6 +188,7 @@ bool FixPebInProcess(HANDLE hProcess, bool Hide)
 
 if(Hide)
 {
+ //TODO: backup GlobalFlag
 myPEB.BeingDebugged = FALSE;
 myPEB.NtGlobalFlag &= ~0x70;
 
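Review bot: Everything after the new `#ifdef _WIN64 … #endif;` block in isWindows64() is unreachable, because both preprocessor branches return, so the GetNativeSystemInfo lookup that follows is now dead code; the semicolon on `#endif;` is also an extra token that compilers warn about. The function now reports the bitness the engine was compiled for, not that of the OS or of the process behind `hProcess`, which is presumably what the heap-offset helpers want, but neither the name nor the TODO on the signature says so. I would write `#endif` without the semicolon, delete the dead body, and replace the TODO with `// true when the engine itself is built for x64; says nothing about the OS or the target process`. The end of the function lies outside the hunk.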
@@ -193,7 +199,24 @@ bool FixPebInProcess(HANDLE hProcess, bool Hide)
 
 heapFlagsAddress = (void *)((LONG_PTR)myPEB.ProcessHeap + getHeapFlagsOffset());
 heapForceFlagsAddress = (void *)((LONG_PTR)myPEB.ProcessHeap + getHeapForceFlagsOffset());
- //TODO finish Heap Flag Anti-Anti-Debug
+ //TODO: finish Heap Flag Anti-Anti-Debug
+
+ /*
+ *(ULONG*)flagPtr_ &= HEAP_GROWABLE;
+ *(ULONG*)forceFlagPtr_ = 0;
+ */
+
+ //TODO: backup heap flags
+ ULONG flagPtr_=0;
+ ReadProcessMemory(hProcess, heapFlagsAddress, &flagPtr_, sizeof(ULONG), 0);
+ ULONG forceFlagPtr_=0;
+ ReadProcessMemory(hProcess, heapForceFlagsAddress, &forceFlagPtr_, sizeof(ULONG), 0);
+
+ flagPtr_&=HEAP_GROWABLE;
+ forceFlagPtr_=0;
+
+ WriteProcessMemory(hProcess, heapFlagsAddress, &flagPtr_, sizeof(ULONG), 0);
+ WriteProcessMemory(hProcess, heapForceFlagsAddress, &forceFlagPtr_, sizeof(ULONG), 0);
 }
 else
 {
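Review bot: None of the four ReadProcessMemory/WriteProcessMemory calls added to the Hide branch of FixPebInProcess has its return value checked, so a failed read leaves `flagPtr_` at its initial 0 and the following write stores that 0 over the target's heap Flags, while a failed write goes unreported. `myPEB.ProcessHeap` is also used to form both addresses without a null check, at least within the lines shown. I would test each call and the transferred byte count before modifying the target, as sketched below; whether an early `return false` is the right reaction depends on the part of the function after this hunk, which is not visible. The commented-out `*(ULONG*)flagPtr_` block is dead, and the `*Ptr_` names hold values rather than pointers, so both are worth cleaning up in the same pass.

```cpp
// … unchanged: heapFlagsAddress / heapForceFlagsAddress computation …
ULONG heapFlags = 0;
ULONG heapForceFlags = 0; // overwritten unconditionally; read it only once the backup TODO is implemented
SIZE_T done = 0;

// Read first and stop on failure, so a zeroed local is never written back.
if(!ReadProcessMemory(hProcess, heapFlagsAddress, &heapFlags, sizeof(heapFlags), &done) || done != sizeof(heapFlags))
    return false;

heapFlags &= HEAP_GROWABLE;

if(!WriteProcessMemory(hProcess, heapFlagsAddress, &heapFlags, sizeof(heapFlags), &done) || done != sizeof(heapFlags))
    return false;
if(!WriteProcessMemory(hProcess, heapForceFlagsAddress, &heapForceFlags, sizeof(heapForceFlags), &done) || done != sizeof(heapForceFlags))
    return false;
```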