- fixed EngineSetDebugPrivilege

- added function EngineOpenProcess (with debug privilege option)
- added UE_ENGINE_SET_DEBUG_PRIVILEGE
- added debug privileges before CreateProcess and DebugActiveProcess
- remove debug privilege from the child process
- dumper/handler/importer/process now use EngineOpenProcess
This commit is contained in:
Mr. eXoDia 2014-04-16 17:14:20 +02:00
parent 1ce0b5f838
commit 98f71dbad6
19 changed files with 90 additions and 37 deletions


@ -51,6 +51,7 @@
#define UE_ENGINE_CALL_PLUGIN_CALLBACK 6 #define UE_ENGINE_CALL_PLUGIN_CALLBACK 6
#define UE_ENGINE_RESET_CUSTOM_HANDLER 7 #define UE_ENGINE_RESET_CUSTOM_HANDLER 7
#define UE_ENGINE_CALL_PLUGIN_DEBUG_CALLBACK 8 #define UE_ENGINE_CALL_PLUGIN_DEBUG_CALLBACK 8
#define UE_ENGINE_SET_DEBUG_PRIVILEGE 9
#define UE_OPTION_REMOVEALL 1 #define UE_OPTION_REMOVEALL 1
#define UE_OPTION_DISABLEALL 2 #define UE_OPTION_DISABLEALL 2


@ -51,6 +51,7 @@ const BYTE UE_ENGINE_BACKUP_FOR_CRITICAL_FUNCTIONS = 5;
const BYTE UE_ENGINE_CALL_PLUGIN_CALLBACK = 6; const BYTE UE_ENGINE_CALL_PLUGIN_CALLBACK = 6;
const BYTE UE_ENGINE_RESET_CUSTOM_HANDLER = 7; const BYTE UE_ENGINE_RESET_CUSTOM_HANDLER = 7;
const BYTE UE_ENGINE_CALL_PLUGIN_DEBUG_CALLBACK = 8; const BYTE UE_ENGINE_CALL_PLUGIN_DEBUG_CALLBACK = 8;
const BYTE UE_ENGINE_SET_DEBUG_PRIVILEGE = 9;
const BYTE UE_OPTION_REMOVEALL = 1; const BYTE UE_OPTION_REMOVEALL = 1;
const BYTE UE_OPTION_DISABLEALL = 2; const BYTE UE_OPTION_DISABLEALL = 2;


@ -70,7 +70,8 @@ enum eEngineVariable : DWORD
UE_ENGINE_BACKUP_FOR_CRITICAL_FUNCTIONS = UE::UE_ENGINE_BACKUP_FOR_CRITICAL_FUNCTIONS, UE_ENGINE_BACKUP_FOR_CRITICAL_FUNCTIONS = UE::UE_ENGINE_BACKUP_FOR_CRITICAL_FUNCTIONS,
UE_ENGINE_CALL_PLUGIN_CALLBACK = UE::UE_ENGINE_CALL_PLUGIN_CALLBACK, UE_ENGINE_CALL_PLUGIN_CALLBACK = UE::UE_ENGINE_CALL_PLUGIN_CALLBACK,
UE_ENGINE_RESET_CUSTOM_HANDLER = UE::UE_ENGINE_RESET_CUSTOM_HANDLER, UE_ENGINE_RESET_CUSTOM_HANDLER = UE::UE_ENGINE_RESET_CUSTOM_HANDLER,
UE_ENGINE_CALL_PLUGIN_DEBUG_CALLBACK = UE::UE_ENGINE_CALL_PLUGIN_DEBUG_CALLBACK UE_ENGINE_CALL_PLUGIN_DEBUG_CALLBACK = UE::UE_ENGINE_CALL_PLUGIN_DEBUG_CALLBACK,
UE_ENGINE_SET_DEBUG_PRIVILEGE = UE::UE_ENGINE_SET_DEBUG_PRIVILEGE
}; };
enum eBPRemoveOption : DWORD enum eBPRemoveOption : DWORD


@ -336,6 +336,7 @@ const
UE_ENGINE_CALL_PLUGIN_CALLBACK = 6; UE_ENGINE_CALL_PLUGIN_CALLBACK = 6;
UE_ENGINE_RESET_CUSTOM_HANDLER = 7; UE_ENGINE_RESET_CUSTOM_HANDLER = 7;
UE_ENGINE_CALL_PLUGIN_DEBUG_CALLBACK = 8; UE_ENGINE_CALL_PLUGIN_DEBUG_CALLBACK = 8;
UE_ENGINE_SET_DEBUG_PRIVILEGE = 9;
UE_OPTION_REMOVEALL = 1; UE_OPTION_REMOVEALL = 1;
UE_OPTION_DISABLEALL = 2; UE_OPTION_DISABLEALL = 2;


@ -36,6 +36,7 @@ UE_ENGINE_BACKUP_FOR_CRITICAL_FUNCTIONS = 5
UE_ENGINE_CALL_PLUGIN_CALLBACK = 6 UE_ENGINE_CALL_PLUGIN_CALLBACK = 6
UE_ENGINE_RESET_CUSTOM_HANDLER = 7 UE_ENGINE_RESET_CUSTOM_HANDLER = 7
UE_ENGINE_CALL_PLUGIN_DEBUG_CALLBACK = 8 UE_ENGINE_CALL_PLUGIN_DEBUG_CALLBACK = 8
UE_ENGINE_SET_DEBUG_PRIVILEGE = 9
UE_OPTION_REMOVEALL = 1 UE_OPTION_REMOVEALL = 1
UE_OPTION_DISABLEALL = 2 UE_OPTION_DISABLEALL = 2


@ -23,6 +23,7 @@ UE_ENGINE_BACKUP_FOR_CRITICAL_FUNCTIONS EQU 5
UE_ENGINE_CALL_PLUGIN_CALLBACK EQU 6 UE_ENGINE_CALL_PLUGIN_CALLBACK EQU 6
UE_ENGINE_RESET_CUSTOM_HANDLER EQU 7 UE_ENGINE_RESET_CUSTOM_HANDLER EQU 7
UE_ENGINE_CALL_PLUGIN_DEBUG_CALLBACK EQU 8 UE_ENGINE_CALL_PLUGIN_DEBUG_CALLBACK EQU 8
UE_ENGINE_SET_DEBUG_PRIVILEGE EQU 9
UE_OPTION_REMOVEALL EQU 1 UE_OPTION_REMOVEALL EQU 1
UE_OPTION_DISABLEALL EQU 2 UE_OPTION_DISABLEALL EQU 2
UE_OPTION_REMOVEALLDISABLED EQU 3 UE_OPTION_REMOVEALLDISABLED EQU 3


@ -27,6 +27,7 @@ UE_ENGINE_BACKUP_FOR_CRITICAL_FUNCTIONS = 5
UE_ENGINE_CALL_PLUGIN_CALLBACK = 6 UE_ENGINE_CALL_PLUGIN_CALLBACK = 6
UE_ENGINE_RESET_CUSTOM_HANDLER = 7 UE_ENGINE_RESET_CUSTOM_HANDLER = 7
UE_ENGINE_CALL_PLUGIN_DEBUG_CALLBACK = 8 UE_ENGINE_CALL_PLUGIN_DEBUG_CALLBACK = 8
UE_ENGINE_SET_DEBUG_PRIVILEGE = 9
UE_OPTION_REMOVEALL = 1 UE_OPTION_REMOVEALL = 1
UE_OPTION_DISABLEALL = 2 UE_OPTION_DISABLEALL = 2


@ -18,6 +18,7 @@ ULONG_PTR DebugReserveModuleBase = NULL;
ULONG_PTR DebugDebuggingMainModuleBase = NULL; ULONG_PTR DebugDebuggingMainModuleBase = NULL;
ULONG_PTR DebugDebuggingDLLBase = NULL; ULONG_PTR DebugDebuggingDLLBase = NULL;
bool DebugAttachedToProcess = false; bool DebugAttachedToProcess = false;
bool DebugRemoveDebugPrivilege = false;
bool DebugDebuggingDLL = false; bool DebugDebuggingDLL = false;
wchar_t* DebugDebuggingDLLFullFileName; wchar_t* DebugDebuggingDLLFullFileName;
wchar_t* DebugDebuggingDLLFileName; wchar_t* DebugDebuggingDLLFileName;


@ -15,6 +15,7 @@ extern ULONG_PTR DebugModuleEntryPoint;
extern ULONG_PTR DebugModuleImageBase; extern ULONG_PTR DebugModuleImageBase;
extern ULONG_PTR DebugAttachedProcessCallBack; extern ULONG_PTR DebugAttachedProcessCallBack;
extern bool DebugAttachedToProcess; extern bool DebugAttachedToProcess;
extern bool DebugRemoveDebugPrivilege;
extern ULONG_PTR DebugReserveModuleBase; extern ULONG_PTR DebugReserveModuleBase;
extern ULONG_PTR DebugDebuggingMainModuleBase; extern ULONG_PTR DebugDebuggingMainModuleBase;
extern ULONG_PTR DebugDebuggingDLLBase; extern ULONG_PTR DebugDebuggingDLLBase;


@ -17,6 +17,7 @@ bool engineRemoveConsoleForDebugee = false;
bool enginePassAllExceptions = true; bool enginePassAllExceptions = true;
bool engineExecutePluginCallBack = true; bool engineExecutePluginCallBack = true;
bool engineAutoHideFromDebugger = false; // hardcoded bool engineAutoHideFromDebugger = false; // hardcoded
bool engineEnableDebugPrivilege = false;
char engineFoundDLLName[512] = {0}; char engineFoundDLLName[512] = {0};
char engineFoundAPIName[512] = {0}; char engineFoundAPIName[512] = {0};
@ -2037,7 +2038,11 @@ DWORD EngineSetDebugPrivilege(HANDLE hProcess, bool bEnablePrivilege)
memset(&tokenPrivileges, 0, sizeof(TOKEN_PRIVILEGES)); memset(&tokenPrivileges, 0, sizeof(TOKEN_PRIVILEGES));
LUID luid; LUID luid;
if(!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid)) if(!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
return false; {
dwLastError = GetLastError();
CloseHandle(hToken);
return dwLastError;
}
tokenPrivileges.PrivilegeCount = 1; tokenPrivileges.PrivilegeCount = 1;
tokenPrivileges.Privileges[0].Luid = luid; tokenPrivileges.Privileges[0].Luid = luid;
if(bEnablePrivilege) if(bEnablePrivilege)
@ -2045,5 +2050,19 @@ DWORD EngineSetDebugPrivilege(HANDLE hProcess, bool bEnablePrivilege)
else else
tokenPrivileges.Privileges[0].Attributes = 0; tokenPrivileges.Privileges[0].Attributes = 0;
AdjustTokenPrivileges(hToken, FALSE, &tokenPrivileges, sizeof(TOKEN_PRIVILEGES), NULL, NULL); AdjustTokenPrivileges(hToken, FALSE, &tokenPrivileges, sizeof(TOKEN_PRIVILEGES), NULL, NULL);
return GetLastError(); dwLastError = GetLastError();
CloseHandle(hToken);
return dwLastError;
}
HANDLE EngineOpenProcess(DWORD dwDesiredAccess, bool bInheritHandle, DWORD dwProcessId)
{
if(engineEnableDebugPrivilege)
EngineSetDebugPrivilege(GetCurrentProcess(), true);
HANDLE hProcess = OpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId);
DWORD dwLastError = GetLastError();
if(engineEnableDebugPrivilege)
EngineSetDebugPrivilege(GetCurrentProcess(), false);
SetLastError(dwLastError);
return hProcess;
} }
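Review bot: EngineOpenProcess disables SeDebugPrivilege unconditionally after the OpenProcess call (the `EngineSetDebugPrivilege(GetCurrentProcess(), false)` following `DWORD dwLastError = GetLastError();`), so a host that had enabled the privilege itself before calling in, or another thread that is between its own enable and disable in InitDebugW/AttachDebugger, has it turned off underneath it — token privileges are process-wide state, not per-thread. The return value of the enable call is also dropped, so an ERROR_NOT_ALL_ASSIGNED result (the caller's token does not hold SeDebugPrivilege at all) is indistinguishable from success and the disable still runs. The cleaner contract is to have EngineSetDebugPrivilege pass a PreviousState buffer to AdjustTokenPrivileges and restore that on the way out, or at minimum skip the disable when the enable did not return ERROR_SUCCESS. The body of EngineSetDebugPrivilege starts outside this hunk, so the OpenProcessToken access requested for hToken could not be checked here.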


@ -20,6 +20,7 @@ extern bool engineRemoveConsoleForDebugee;
extern bool enginePassAllExceptions; extern bool enginePassAllExceptions;
extern bool engineExecutePluginCallBack; extern bool engineExecutePluginCallBack;
extern bool engineAutoHideFromDebugger; extern bool engineAutoHideFromDebugger;
extern bool engineEnableDebugPrivilege;
//Global.Engine.Functions //Global.Engine.Functions
void EngineInit(); void EngineInit();
@ -52,5 +53,6 @@ ULONG_PTR EngineGetProcAddress(ULONG_PTR ModuleBase, char* szAPIName);
bool EngineGetLibraryOrdinalData(ULONG_PTR ModuleBase, LPDWORD ptrOrdinalBase, LPDWORD ptrOrdinalCount); bool EngineGetLibraryOrdinalData(ULONG_PTR ModuleBase, LPDWORD ptrOrdinalBase, LPDWORD ptrOrdinalCount);
ULONG_PTR EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBases, ULONG_PTR APIAddress, const char* szAPIName, DWORD ReturnType); ULONG_PTR EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBases, ULONG_PTR APIAddress, const char* szAPIName, DWORD ReturnType);
DWORD EngineSetDebugPrivilege(HANDLE hProcess, bool bEnablePrivilege); DWORD EngineSetDebugPrivilege(HANDLE hProcess, bool bEnablePrivilege);
HANDLE EngineOpenProcess(DWORD dwDesiredAccess, bool bInheritHandle, DWORD dwProcessId);
#endif //_GLOBAL_ENGINE_H #endif //_GLOBAL_ENGINE_H
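Review bot: The new EngineOpenProcess declaration carries no comment, and its behaviour (a process-wide token change around the call) is not obvious from the OpenProcess-shaped signature. Suggested comment above the declaration: `//OpenProcess wrapper: when engineEnableDebugPrivilege is set, SeDebugPrivilege is enabled in the current process token for the duration of the call and disabled again afterwards; the OpenProcess last-error is preserved`.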


@ -26,6 +26,8 @@ __declspec(dllexport) void TITCALL DebugLoop()
bool hListThreadFirst = true; bool hListThreadFirst = true;
bool hListLibraryFirst = true; bool hListLibraryFirst = true;
bool MemoryBpxFound = false; bool MemoryBpxFound = false;
bool RemoveDebugPrivilege = DebugRemoveDebugPrivilege; //store the flag in a local variable
DebugRemoveDebugPrivilege = false; //reset this flag
PLIBRARY_ITEM_DATAW hLoadedLibData = NULL; PLIBRARY_ITEM_DATAW hLoadedLibData = NULL;
PLIBRARY_BREAK_DATA ptrLibrarianData = NULL; PLIBRARY_BREAK_DATA ptrLibrarianData = NULL;
typedef void(TITCALL *fCustomBreakPoint)(void); typedef void(TITCALL *fCustomBreakPoint)(void);
@ -87,7 +89,7 @@ __declspec(dllexport) void TITCALL DebugLoop()
{ {
case CREATE_PROCESS_DEBUG_EVENT: case CREATE_PROCESS_DEBUG_EVENT:
{ {
if(DBGFileHandle == NULL) //we didn't set the handle yet if(DBGFileHandle == NULL) //we didn't set the handle yet (initial process)
{ {
DBGEntryPoint = DBGEvent.u.CreateProcessInfo.lpStartAddress; DBGEntryPoint = DBGEvent.u.CreateProcessInfo.lpStartAddress;
DBGFileHandle = DBGEvent.u.CreateProcessInfo.hFile; DBGFileHandle = DBGEvent.u.CreateProcessInfo.hFile;
@ -137,6 +139,9 @@ __declspec(dllexport) void TITCALL DebugLoop()
NewThreadData.ThreadStartAddress = (void*)DBGEvent.u.CreateProcessInfo.lpStartAddress; NewThreadData.ThreadStartAddress = (void*)DBGEvent.u.CreateProcessInfo.lpStartAddress;
NewThreadData.ThreadLocalBase = (void*)DBGEvent.u.CreateProcessInfo.lpThreadLocalBase; NewThreadData.ThreadLocalBase = (void*)DBGEvent.u.CreateProcessInfo.lpThreadLocalBase;
hListThread.push_back(NewThreadData); hListThread.push_back(NewThreadData);
//remove debug privilege from child process
if(RemoveDebugPrivilege)
EngineSetDebugPrivilege(DBGEvent.u.CreateProcessInfo.hProcess, false);
} }
//update process list //update process list
PROCESS_ITEM_DATA NewProcessItem; PROCESS_ITEM_DATA NewProcessItem;
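Review bot: The comment `//remove debug privilege from child process` overstates what the call does: EngineSetDebugPrivilege with bEnablePrivilege false sets Attributes to 0, which only disables the privilege in the child's token, leaving it present and re-enableable by the debuggee through its own AdjustTokenPrivileges call. If the intent is genuine revocation, AdjustTokenPrivileges supports SE_PRIVILEGE_REMOVED for that; otherwise the comment should say `//disable the inherited debug privilege in the child process`. The return value of the call is also ignored, so if the CREATE_PROCESS_DEBUG_EVENT process handle does not carry the access OpenProcessToken needs (presumably it does, but worth confirming), the child silently keeps the enabled privilege. DebugLoop begins outside these hunks.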


@ -11,7 +11,6 @@ static wchar_t szBackupDebuggedFileName[512];
// TitanEngine.Debugger.functions: // TitanEngine.Debugger.functions:
__declspec(dllexport) void* TITCALL InitDebug(char* szFileName, char* szCommandLine, char* szCurrentFolder) __declspec(dllexport) void* TITCALL InitDebug(char* szFileName, char* szCommandLine, char* szCurrentFolder)
{ {
wchar_t* PtrUniFileName = NULL; wchar_t* PtrUniFileName = NULL;
wchar_t uniFileName[MAX_PATH] = {}; wchar_t uniFileName[MAX_PATH] = {};
wchar_t* PtrUniCommandLine = NULL; wchar_t* PtrUniCommandLine = NULL;
@ -55,10 +54,17 @@ __declspec(dllexport) void* TITCALL InitDebugW(wchar_t* szFileName, wchar_t* szC
DebugConsoleFlag = CREATE_NO_WINDOW; DebugConsoleFlag = CREATE_NO_WINDOW;
} }
std::vector<BreakPointDetail>().swap(BreakPointBuffer); std::vector<BreakPointDetail>().swap(BreakPointBuffer);
if(engineEnableDebugPrivilege)
{
EngineSetDebugPrivilege(GetCurrentProcess(), true);
DebugRemoveDebugPrivilege = true;
}
if(szCommandLine == NULL) if(szCommandLine == NULL)
{ {
if(CreateProcessW(szFileName, NULL, NULL, NULL, false, DEBUG_PROCESS|DEBUG_ONLY_THIS_PROCESS|DebugConsoleFlag|CREATE_NEW_CONSOLE, NULL, szCurrentFolder, &dbgStartupInfo, &dbgProcessInformation)) if(CreateProcessW(szFileName, NULL, NULL, NULL, false, DEBUG_PROCESS|DEBUG_ONLY_THIS_PROCESS|DebugConsoleFlag|CREATE_NEW_CONSOLE, NULL, szCurrentFolder, &dbgStartupInfo, &dbgProcessInformation))
{ {
if(engineEnableDebugPrivilege)
EngineSetDebugPrivilege(GetCurrentProcess(), false);
DebugAttachedToProcess = false; DebugAttachedToProcess = false;
DebugAttachedProcessCallBack = NULL; DebugAttachedProcessCallBack = NULL;
std::vector<BreakPointDetail>().swap(BreakPointBuffer); std::vector<BreakPointDetail>().swap(BreakPointBuffer);
@ -66,6 +72,11 @@ __declspec(dllexport) void* TITCALL InitDebugW(wchar_t* szFileName, wchar_t* szC
} }
else else
{ {
if(engineEnableDebugPrivilege)
{
EngineSetDebugPrivilege(GetCurrentProcess(), false);
DebugRemoveDebugPrivilege = false;
}
RtlZeroMemory(&dbgProcessInformation,sizeof PROCESS_INFORMATION); RtlZeroMemory(&dbgProcessInformation,sizeof PROCESS_INFORMATION);
return(0); return(0);
} }
@ -75,6 +86,8 @@ __declspec(dllexport) void* TITCALL InitDebugW(wchar_t* szFileName, wchar_t* szC
wsprintfW(szCreateWithCmdLine, L"\"%s\" %s", szFileName, szCommandLine); wsprintfW(szCreateWithCmdLine, L"\"%s\" %s", szFileName, szCommandLine);
if(CreateProcessW(NULL, szCreateWithCmdLine, NULL, NULL, false, DEBUG_PROCESS|DEBUG_ONLY_THIS_PROCESS|DebugConsoleFlag|CREATE_NEW_CONSOLE, NULL, szCurrentFolder, &dbgStartupInfo, &dbgProcessInformation)) if(CreateProcessW(NULL, szCreateWithCmdLine, NULL, NULL, false, DEBUG_PROCESS|DEBUG_ONLY_THIS_PROCESS|DebugConsoleFlag|CREATE_NEW_CONSOLE, NULL, szCurrentFolder, &dbgStartupInfo, &dbgProcessInformation))
{ {
if(engineEnableDebugPrivilege)
EngineSetDebugPrivilege(GetCurrentProcess(), false);
DebugAttachedToProcess = false; DebugAttachedToProcess = false;
DebugAttachedProcessCallBack = NULL; DebugAttachedProcessCallBack = NULL;
std::vector<BreakPointDetail>().swap(BreakPointBuffer); std::vector<BreakPointDetail>().swap(BreakPointBuffer);
@ -82,6 +95,11 @@ __declspec(dllexport) void* TITCALL InitDebugW(wchar_t* szFileName, wchar_t* szC
} }
else else
{ {
if(engineEnableDebugPrivilege)
{
EngineSetDebugPrivilege(GetCurrentProcess(), false);
DebugRemoveDebugPrivilege = false;
}
RtlZeroMemory(&dbgProcessInformation,sizeof PROCESS_INFORMATION); RtlZeroMemory(&dbgProcessInformation,sizeof PROCESS_INFORMATION);
return(0); return(0);
} }
@ -191,11 +209,7 @@ __declspec(dllexport) void* TITCALL InitDLLDebugW(wchar_t* szFileName, bool Rese
DebugModuleEntryPointCallBack = EntryCallBack; DebugModuleEntryPointCallBack = EntryCallBack;
return(InitDebugW(szDebuggerName, szCommandLine, szCurrentFolder)); return(InitDebugW(szDebuggerName, szCommandLine, szCurrentFolder));
} }
else return 0;
{
return(NULL);
}
return(NULL);
} }
__declspec(dllexport) bool TITCALL StopDebug() __declspec(dllexport) bool TITCALL StopDebug()
@ -207,15 +221,11 @@ __declspec(dllexport) bool TITCALL StopDebug()
Sleep(10); //allow thread switching Sleep(10); //allow thread switching
return true; return true;
} }
else return false;
{
return false;
}
} }
__declspec(dllexport) bool TITCALL AttachDebugger(DWORD ProcessId, bool KillOnExit, LPVOID DebugInfo, LPVOID CallBack) __declspec(dllexport) bool TITCALL AttachDebugger(DWORD ProcessId, bool KillOnExit, LPVOID DebugInfo, LPVOID CallBack)
{ {
typedef void(WINAPI *fDebugSetProcessKillOnExit)(bool KillExitingDebugee); typedef void(WINAPI *fDebugSetProcessKillOnExit)(bool KillExitingDebugee);
fDebugSetProcessKillOnExit myDebugSetProcessKillOnExit; fDebugSetProcessKillOnExit myDebugSetProcessKillOnExit;
LPVOID funcDebugSetProcessKillOnExit = NULL; LPVOID funcDebugSetProcessKillOnExit = NULL;
@ -223,8 +233,15 @@ __declspec(dllexport) bool TITCALL AttachDebugger(DWORD ProcessId, bool KillOnEx
if(ProcessId != NULL && dbgProcessInformation.hProcess == NULL) if(ProcessId != NULL && dbgProcessInformation.hProcess == NULL)
{ {
std::vector<BreakPointDetail>().swap(BreakPointBuffer); std::vector<BreakPointDetail>().swap(BreakPointBuffer);
if(engineEnableDebugPrivilege)
{
EngineSetDebugPrivilege(GetCurrentProcess(), true);
DebugRemoveDebugPrivilege = true;
}
if(DebugActiveProcess(ProcessId)) if(DebugActiveProcess(ProcessId))
{ {
if(engineEnableDebugPrivilege)
EngineSetDebugPrivilege(GetCurrentProcess(), false);
if(KillOnExit) if(KillOnExit)
{ {
funcDebugSetProcessKillOnExit = GetProcAddress(GetModuleHandleA("kernel32.dll"), "DebugSetProcessKillOnExit"); funcDebugSetProcessKillOnExit = GetProcAddress(GetModuleHandleA("kernel32.dll"), "DebugSetProcessKillOnExit");
@ -246,10 +263,6 @@ __declspec(dllexport) bool TITCALL AttachDebugger(DWORD ProcessId, bool KillOnEx
return true; return true;
} }
} }
else
{
return false;
}
return false; return false;
} }
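Review bot: AttachDebugger leaves SeDebugPrivilege enabled in the debugger's own token when DebugActiveProcess fails: the enable and `DebugRemoveDebugPrivilege = true` happen before the call, but the matching disable sits only inside the success branch (`if(DebugActiveProcess(ProcessId)) { if(engineEnableDebugPrivilege) EngineSetDebugPrivilege(GetCurrentProcess(), false); ...`), and the failure path now falls straight to the final `return false;`. InitDebugW handles both of its failure branches, so this looks like an oversight rather than intent; add after the DebugActiveProcess block `else if(engineEnableDebugPrivilege) { EngineSetDebugPrivilege(GetCurrentProcess(), false); DebugRemoveDebugPrivilege = false; }`. The same enable/disable/flag-reset sequence is now written out four times in InitDebugW and twice here; a small static helper pair would keep the error paths from drifting apart again.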


@ -274,7 +274,7 @@ __declspec(dllexport) bool TITCALL DumpProcessExW(DWORD ProcessId, LPVOID ImageB
HANDLE hProcess = 0; HANDLE hProcess = 0;
bool ReturnValue = false; bool ReturnValue = false;
hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId); hProcess = EngineOpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
if(hProcess) if(hProcess)
{ {
ReturnValue = DumpProcessW(hProcess, ImageBase, szDumpFileName, EntryPoint); ReturnValue = DumpProcessW(hProcess, ImageBase, szDumpFileName, EntryPoint);
@ -364,7 +364,7 @@ __declspec(dllexport) bool TITCALL DumpMemoryExW(DWORD ProcessId, LPVOID MemoryS
HANDLE hProcess = 0; HANDLE hProcess = 0;
bool ReturnValue = false; bool ReturnValue = false;
hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId); hProcess = EngineOpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
if(hProcess) if(hProcess)
{ {
ReturnValue = DumpMemoryW(hProcess, MemoryStart, MemorySize, szDumpFileName); ReturnValue = DumpMemoryW(hProcess, MemoryStart, MemorySize, szDumpFileName);
@ -466,7 +466,7 @@ __declspec(dllexport) bool TITCALL DumpRegionsExW(DWORD ProcessId, wchar_t* szDu
HANDLE hProcess = 0; HANDLE hProcess = 0;
bool ReturnValue = false; bool ReturnValue = false;
hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId); hProcess = EngineOpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
if(hProcess) if(hProcess)
{ {
ReturnValue = DumpRegionsW(hProcess, szDumpFolder, DumpAboveImageBaseOnly); ReturnValue = DumpRegionsW(hProcess, szDumpFolder, DumpAboveImageBaseOnly);
@ -537,7 +537,7 @@ __declspec(dllexport) bool TITCALL DumpModuleExW(DWORD ProcessId, LPVOID ModuleB
HANDLE hProcess = 0; HANDLE hProcess = 0;
bool ReturnValue = false; bool ReturnValue = false;
hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId); hProcess = EngineOpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
if(hProcess) //If the function fails, the return value is NULL. To get extended error information, call GetLastError. if(hProcess) //If the function fails, the return value is NULL. To get extended error information, call GetLastError.
{ {
ReturnValue = DumpModuleW(hProcess, ModuleBase, szDumpFileName); ReturnValue = DumpModuleW(hProcess, ModuleBase, szDumpFileName);


@ -38,6 +38,10 @@ __declspec(dllexport) void TITCALL SetEngineVariable(DWORD VariableId, bool Vari
{ {
engineExecutePluginCallBack = VariableSet; engineExecutePluginCallBack = VariableSet;
} }
else if(VariableId == UE_ENGINE_SET_DEBUG_PRIVILEGE)
{
engineEnableDebugPrivilege = VariableSet;
}
} }
__declspec(dllexport) bool TITCALL EngineCreateMissingDependencies(char* szFileName, char* szOutputFolder, bool LogCreatedFiles) __declspec(dllexport) bool TITCALL EngineCreateMissingDependencies(char* szFileName, char* szOutputFolder, bool LogCreatedFiles)
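Review bot: The new UE_ENGINE_SET_DEBUG_PRIVILEGE branch has no comment, and unlike the neighbouring flags it changes the host process's token state on later calls rather than just engine behaviour. Suggested comment on the branch: `//when set, EngineOpenProcess/InitDebug/AttachDebugger temporarily enable SeDebugPrivilege in the calling process token; affects the whole process, not just the calling thread`.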


@ -1,7 +1,7 @@
#include "stdafx.h" #include "stdafx.h"
#include "definitions.h" #include "definitions.h"
#include "Global.Handle.h" #include "Global.Handle.h"
#include "Global.Engine.h"
bool NtQuerySysHandleInfo(DynBuf& buf) bool NtQuerySysHandleInfo(DynBuf& buf)
{ {
@ -334,7 +334,7 @@ __declspec(dllexport) long TITCALL HandlerEnumerateLockHandlesW(wchar_t* szFileO
{ {
EngineCloseHandle(hProcess); EngineCloseHandle(hProcess);
} }
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE, false, HandleInfo->ProcessId); hProcess = EngineOpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE, false, HandleInfo->ProcessId);
LastProcessId = HandleInfo->ProcessId; LastProcessId = HandleInfo->ProcessId;
} }
if(hProcess != NULL) if(hProcess != NULL)
@ -441,7 +441,7 @@ __declspec(dllexport) bool TITCALL HandlerCloseAllLockHandlesW(wchar_t* szFileOr
{ {
EngineCloseHandle(hProcess); EngineCloseHandle(hProcess);
} }
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE, false, HandleInfo->ProcessId); hProcess = EngineOpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE, false, HandleInfo->ProcessId);
LastProcessId = HandleInfo->ProcessId; LastProcessId = HandleInfo->ProcessId;
} }
if(hProcess != NULL) if(hProcess != NULL)
@ -544,7 +544,7 @@ __declspec(dllexport) bool TITCALL HandlerIsFileLockedW(wchar_t* szFileOrFolderN
{ {
EngineCloseHandle(hProcess); EngineCloseHandle(hProcess);
} }
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE, false, HandleInfo->ProcessId); hProcess = EngineOpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE, false, HandleInfo->ProcessId);
LastProcessId = HandleInfo->ProcessId; LastProcessId = HandleInfo->ProcessId;
} }
if(hProcess != NULL) if(hProcess != NULL)
@ -749,7 +749,7 @@ __declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutexW(wchar_t
{ {
EngineCloseHandle(hProcess); EngineCloseHandle(hProcess);
} }
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE, FALSE, HandleInfo->ProcessId); hProcess = EngineOpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE, FALSE, HandleInfo->ProcessId);
LastProcessId = HandleInfo->ProcessId; LastProcessId = HandleInfo->ProcessId;
} }
if(hProcess != NULL) if(hProcess != NULL)


@ -555,7 +555,7 @@ __declspec(dllexport) void TITCALL ImporterAutoSearchIATEx(DWORD ProcessId, ULON
{ {
if(GetTempFileNameW(szTempFolder, L"DumpTemp", GetTickCount() + 102, szTempName)) if(GetTempFileNameW(szTempFolder, L"DumpTemp", GetTickCount() + 102, szTempName))
{ {
HANDLE hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId); HANDLE hProcess = EngineOpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
DumpProcessW(hProcess, (LPVOID)ImageBase, szTempName, NULL); DumpProcessW(hProcess, (LPVOID)ImageBase, szTempName, NULL);
ImporterAutoSearchIATW(ProcessId, szTempName, SearchStart, pIATStart, pIATSize); ImporterAutoSearchIATW(ProcessId, szTempName, SearchStart, pIATStart, pIATSize);
@ -609,7 +609,7 @@ __declspec(dllexport) long TITCALL ImporterAutoFixIATExW(DWORD ProcessId, wchar_
//do we need to dump first? //do we need to dump first?
if(DumpRunningProcess) if(DumpRunningProcess)
{ {
HANDLE hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId); HANDLE hProcess = EngineOpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
if(!DumpProcessW(hProcess, (LPVOID)ImageBase, szDumpedFile, EntryPointAddress)) if(!DumpProcessW(hProcess, (LPVOID)ImageBase, szDumpedFile, EntryPointAddress))
{ {


@ -36,7 +36,7 @@ __declspec(dllexport) long TITCALL GetActiveProcessIdW(wchar_t* szImageName)
{ {
if(bProcessId[i] != NULL) if(bProcessId[i] != NULL)
{ {
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, false, bProcessId[i]); hProcess = EngineOpenProcess(PROCESS_QUERY_INFORMATION, false, bProcessId[i]);
if(hProcess != NULL) if(hProcess != NULL)
{ {
if(GetProcessImageFileNameW(hProcess, szProcessPath, _countof(szProcessPath)) > NULL) if(GetProcessImageFileNameW(hProcess, szProcessPath, _countof(szProcessPath)) > NULL)
@ -96,7 +96,7 @@ __declspec(dllexport) void TITCALL EnumProcessesWithLibrary(char* szLibraryName,
{ {
if(bProcessId[i] != NULL) if(bProcessId[i] != NULL)
{ {
hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, 0, bProcessId[i]); hProcess = EngineOpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, 0, bProcessId[i]);
if(hProcess != NULL) if(hProcess != NULL)
{ {
RtlZeroMemory(EnumeratedModules, sizeof(EnumeratedModules)); RtlZeroMemory(EnumeratedModules, sizeof(EnumeratedModules));


@ -362,6 +362,7 @@ typedef struct HOOK_ENTRY
#define UE_ENGINE_CALL_PLUGIN_CALLBACK 6 #define UE_ENGINE_CALL_PLUGIN_CALLBACK 6
#define UE_ENGINE_RESET_CUSTOM_HANDLER 7 #define UE_ENGINE_RESET_CUSTOM_HANDLER 7
#define UE_ENGINE_CALL_PLUGIN_DEBUG_CALLBACK 8 #define UE_ENGINE_CALL_PLUGIN_DEBUG_CALLBACK 8
#define UE_ENGINE_SET_DEBUG_PRIVILEGE 9
#define UE_OPTION_REMOVEALL 1 #define UE_OPTION_REMOVEALL 1
#define UE_OPTION_DISABLEALL 2 #define UE_OPTION_DISABLEALL 2