From 9eb47c282d44f0dae7bce54f52c30afd8abb3224 Mon Sep 17 00:00:00 2001
From: NtQuery
Date: Wed, 5 Mar 2014 14:28:08 +0100
Subject: [PATCH] removed ntdll madness

---
 TitanEngine/TitanEngine.Handler.cpp | 1852 ++++++++++++----------------
 TitanEngine/TitanEngine.Hider.cpp | 41 +-
 TitanEngine/TitanEngine.Injector.cpp | 34 +-
 TitanEngine/TitanEngine.vcxproj | 1 +
 TitanEngine/ntdll.h | 260 ++++
 TitanEngine/ntdll_x64.lib | Bin 0 -> 2428 bytes
 TitanEngine/ntdll_x86.lib | Bin 0 -> 2500 bytes
 TitanEngine/stdafx.h | 9 +-
 8 files changed, 1145 insertions(+), 1052 deletions(-)
 create mode 100644 TitanEngine/ntdll.h
 create mode 100644 TitanEngine/ntdll_x64.lib
 create mode 100644 TitanEngine/ntdll_x86.lib

diff --git a/TitanEngine/TitanEngine.Handler.cpp b/TitanEngine/TitanEngine.Handler.cpp
index 7a5d767..3d1a20b 100644
--- a/TitanEngine/TitanEngine.Handler.cpp
+++ b/TitanEngine/TitanEngine.Handler.cpp
@@ -6,1085 +6,945 @@ __declspec(dllexport) long TITCALL HandlerGetActiveHandleCount(DWORD ProcessId) { - int HandleCount = NULL; - LPVOID QuerySystemBuffer; - ULONG QuerySystemBufferSize = 0x2000; - ULONG RequiredSize = NULL; - ULONG TotalHandleCount = NULL; -#if !defined(_WIN64) - typedef NTSTATUS(WINAPI *fZwQuerySystemInformation)(DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize); - typedef NTSTATUS(WINAPI *fZwQueryObject)(HANDLE hObject, DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize); -#else - typedef NTSTATUS(__fastcall *fZwQuerySystemInformation)(DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize); - typedef NTSTATUS(__fastcall *fZwQueryObject)(HANDLE hObject, DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize); -#endif - LPVOID ZwQuerySystemInformation = (LPVOID)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwQuerySystemInformation"); - LPVOID ZwQueryObject = (LPVOID)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwQueryObject"); - fZwQuerySystemInformation cZwQuerySystemInformation = (fZwQuerySystemInformation)(ZwQuerySystemInformation); - fZwQueryObject cZwQueryObject = (fZwQueryObject)(ZwQueryObject); - PNTDLL_QUERY_HANDLE_INFO HandleInfo; + int HandleCount = NULL; + LPVOID QuerySystemBuffer; + ULONG QuerySystemBufferSize = 0x2000; + ULONG RequiredSize = NULL; + ULONG TotalHandleCount = NULL; - if(ZwQuerySystemInformation != NULL && ZwQueryObject != NULL) - { - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - while(cZwQuerySystemInformation(NTDLL_SystemHandleInfo, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) - { - QuerySystemBufferSize = RequiredSize; - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - } - RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); - 
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); - HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; - while(TotalHandleCount > NULL) - { - if(HandleInfo->ProcessId == ProcessId) - { - HandleCount++; - } - HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); - TotalHandleCount--; - } - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - return(HandleCount); - } - return(NULL); + PNTDLL_QUERY_HANDLE_INFO HandleInfo; + + QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); + while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) + { + QuerySystemBufferSize = RequiredSize; + VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); + QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); + } + RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); + QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); + HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; + while(TotalHandleCount > NULL) + { + if(HandleInfo->ProcessId == ProcessId) + { + HandleCount++; + } + HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); + TotalHandleCount--; + } + VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); + return(HandleCount); + + return(NULL); } __declspec(dllexport) bool TITCALL HandlerIsHandleOpen(DWORD ProcessId, HANDLE hHandle) { + bool HandleActive = false; + LPVOID QuerySystemBuffer; + ULONG QuerySystemBufferSize = 0x2000; + ULONG RequiredSize = NULL; + ULONG TotalHandleCount = NULL; + PNTDLL_QUERY_HANDLE_INFO HandleInfo; - bool HandleActive = false; - LPVOID QuerySystemBuffer; - ULONG QuerySystemBufferSize = 0x2000; - ULONG RequiredSize = NULL; - ULONG TotalHandleCount = NULL; -#if !defined(_WIN64) - typedef NTSTATUS(WINAPI *fZwQuerySystemInformation)(DWORD fInfoType, LPVOID fBuffer, ULONG 
fBufferSize, PULONG fRequiredSize); -#else - typedef NTSTATUS(__fastcall *fZwQuerySystemInformation)(DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize); -#endif - LPVOID ZwQuerySystemInformation = (LPVOID)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwQuerySystemInformation"); - fZwQuerySystemInformation cZwQuerySystemInformation = (fZwQuerySystemInformation)(ZwQuerySystemInformation); - PNTDLL_QUERY_HANDLE_INFO HandleInfo; + QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); + while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) + { + QuerySystemBufferSize = RequiredSize; + VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); + QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); + } + RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); + QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); + HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; + while(TotalHandleCount > NULL) + { + if(HandleInfo->ProcessId == ProcessId && (HANDLE)HandleInfo->hHandle == hHandle) + { + HandleActive = true; + break; + } + HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); + TotalHandleCount--; + } + VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); + if(HandleActive) + { + return true; + } - if(ZwQuerySystemInformation != NULL) - { - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - while(cZwQuerySystemInformation(NTDLL_SystemHandleInfo, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) - { - QuerySystemBufferSize = RequiredSize; - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - } - RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); - 
QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); - HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; - while(TotalHandleCount > NULL) - { - if(HandleInfo->ProcessId == ProcessId && (HANDLE)HandleInfo->hHandle == hHandle) - { - HandleActive = true; - break; - } - HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); - TotalHandleCount--; - } - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - if(HandleActive) - { - return true; - } - } - return false; + return false; } __declspec(dllexport) void* TITCALL HandlerGetHandleName(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, bool TranslateName) { - bool NameFound = false; - HANDLE myHandle = NULL; - LPVOID QuerySystemBuffer; - ULONG QuerySystemBufferSize = 0x2000; - ULONG RequiredSize = NULL; - ULONG TotalHandleCount = NULL; -#if !defined(_WIN64) - typedef NTSTATUS(WINAPI *fZwQuerySystemInformation)(DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize); - typedef NTSTATUS(WINAPI *fZwQueryObject)(HANDLE hObject, DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize); -#else - typedef NTSTATUS(__fastcall *fZwQuerySystemInformation)(DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize); - typedef NTSTATUS(__fastcall *fZwQueryObject)(HANDLE hObject, DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize); -#endif - LPVOID ZwQuerySystemInformation = (LPVOID)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwQuerySystemInformation"); - LPVOID ZwQueryObject = (LPVOID)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwQueryObject"); - fZwQuerySystemInformation cZwQuerySystemInformation = (fZwQuerySystemInformation)(ZwQuerySystemInformation); - fZwQueryObject cZwQueryObject = (fZwQueryObject)(ZwQueryObject); - PNTDLL_QUERY_HANDLE_INFO HandleInfo; - PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo; - LPVOID ObjectNameInfo = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); - 
PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo; - LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); - LPVOID tmpHandleFullName = NULL; + bool NameFound = false; + HANDLE myHandle = NULL; + LPVOID QuerySystemBuffer; + ULONG QuerySystemBufferSize = 0x2000; + ULONG RequiredSize = NULL; + ULONG TotalHandleCount = NULL; + PNTDLL_QUERY_HANDLE_INFO HandleInfo; + PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo; + LPVOID ObjectNameInfo = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); + PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo; + LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); + LPVOID tmpHandleFullName = NULL; - if(ZwQuerySystemInformation != NULL && ZwQueryObject != NULL) - { - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - while(cZwQuerySystemInformation(NTDLL_SystemHandleInfo, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) - { - QuerySystemBufferSize = RequiredSize; - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - } - RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); - QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); - HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; - while(TotalHandleCount > NULL) - { - if(HandleInfo->ProcessId == ProcessId && (HANDLE)HandleInfo->hHandle == hHandle) - { - //if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){ - if(HandleInfo->GrantedAccess != 0x0012019F) - { - if(DuplicateHandle(hProcess, hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS)) - { - RtlZeroMemory(&ObjectBasicInfo, 
sizeof PUBLIC_OBJECT_BASIC_INFORMATION); - cZwQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION, &RequiredSize); - cZwQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize); - cZwQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize); - RtlZeroMemory(HandleFullName, 0x1000); - if(pObjectNameInfo->Name.Length != NULL) - { - WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectNameInfo->Name.Buffer, -1, (LPSTR)HandleFullName, 0x1000, NULL, NULL); - NameFound = true; - if(TranslateName) - { - tmpHandleFullName = TranslateNativeName((char*)HandleFullName); - if(tmpHandleFullName != NULL) - { - VirtualFree(HandleFullName, NULL, MEM_RELEASE); - HandleFullName = tmpHandleFullName; - } - } - } - EngineCloseHandle(myHandle); - break; - } - } - } - HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); - TotalHandleCount--; - } - VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE); - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - if(!NameFound) - { - VirtualFree(HandleFullName, NULL, MEM_RELEASE); - return(NULL); - } - else - { - return(HandleFullName); - } - } - VirtualFree(HandleFullName, NULL, MEM_RELEASE); - VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE); - return(NULL); + + QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); + while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) + { + QuerySystemBufferSize = RequiredSize; + VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); + QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); + } + RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); + QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); + HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; + while(TotalHandleCount > NULL) + { + 
if(HandleInfo->ProcessId == ProcessId && (HANDLE)HandleInfo->hHandle == hHandle) + { + //if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){ + if(HandleInfo->GrantedAccess != 0x0012019F) + { + if(DuplicateHandle(hProcess, hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS)) + { + RtlZeroMemory(&ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION); + NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION, &RequiredSize); + NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize); + NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize); + RtlZeroMemory(HandleFullName, 0x1000); + if(pObjectNameInfo->Name.Length != NULL) + { + WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectNameInfo->Name.Buffer, -1, (LPSTR)HandleFullName, 0x1000, NULL, NULL); + NameFound = true; + if(TranslateName) + { + tmpHandleFullName = TranslateNativeName((char*)HandleFullName); + if(tmpHandleFullName != NULL) + { + VirtualFree(HandleFullName, NULL, MEM_RELEASE); + HandleFullName = tmpHandleFullName; + } + } + } + EngineCloseHandle(myHandle); + break; + } + } + } + HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); + TotalHandleCount--; + } + VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE); + VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); + if(!NameFound) + { + VirtualFree(HandleFullName, NULL, MEM_RELEASE); + return(NULL); + } + else + { + return(HandleFullName); + } + + VirtualFree(HandleFullName, NULL, MEM_RELEASE); + VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE); + return(NULL); } __declspec(dllexport) void* TITCALL HandlerGetHandleNameW(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, bool TranslateName) { - bool NameFound = false; - HANDLE myHandle = NULL; - 
LPVOID QuerySystemBuffer; - ULONG QuerySystemBufferSize = 0x2000; - ULONG RequiredSize = NULL; - ULONG TotalHandleCount = NULL; -#if !defined(_WIN64) - typedef NTSTATUS(WINAPI *fZwQuerySystemInformation)(DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize); - typedef NTSTATUS(WINAPI *fZwQueryObject)(HANDLE hObject, DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize); -#else - typedef NTSTATUS(__fastcall *fZwQuerySystemInformation)(DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize); - typedef NTSTATUS(__fastcall *fZwQueryObject)(HANDLE hObject, DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize); -#endif - LPVOID ZwQuerySystemInformation = (LPVOID)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwQuerySystemInformation"); - LPVOID ZwQueryObject = (LPVOID)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwQueryObject"); - fZwQuerySystemInformation cZwQuerySystemInformation = (fZwQuerySystemInformation)(ZwQuerySystemInformation); - fZwQueryObject cZwQueryObject = (fZwQueryObject)(ZwQueryObject); - PNTDLL_QUERY_HANDLE_INFO HandleInfo; - PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo; - LPVOID ObjectNameInfo = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); - PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo; - LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); - LPVOID tmpHandleFullName = NULL; + bool NameFound = false; + HANDLE myHandle = NULL; + LPVOID QuerySystemBuffer; + ULONG QuerySystemBufferSize = 0x2000; + ULONG RequiredSize = NULL; + ULONG TotalHandleCount = NULL; + PNTDLL_QUERY_HANDLE_INFO HandleInfo; + PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo; + LPVOID ObjectNameInfo = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); + PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo; + LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, 
MEM_COMMIT, PAGE_READWRITE); + LPVOID tmpHandleFullName = NULL; - if(ZwQuerySystemInformation != NULL && ZwQueryObject != NULL) - { - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - while(cZwQuerySystemInformation(NTDLL_SystemHandleInfo, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) - { - QuerySystemBufferSize = RequiredSize; - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - } - RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); - QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); - HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; - while(TotalHandleCount > NULL) - { - if(HandleInfo->ProcessId == ProcessId && (HANDLE)HandleInfo->hHandle == hHandle) - { - //if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){ - if(HandleInfo->GrantedAccess != 0x0012019F) - { - if(DuplicateHandle(hProcess, hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS)) - { - RtlZeroMemory(&ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION); - cZwQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION, &RequiredSize); - cZwQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize); - cZwQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize); - RtlZeroMemory(HandleFullName, 0x1000); - if(pObjectNameInfo->Name.Length != NULL) - { - //WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectNameInfo->Name.Buffer, -1, (LPSTR)HandleFullName, 0x1000, NULL, NULL); - NameFound = true; - lstrcpyW((wchar_t*)HandleFullName, (wchar_t*)pObjectNameInfo->Name.Buffer); - if(TranslateName) - { - tmpHandleFullName = 
TranslateNativeNameW((wchar_t*)HandleFullName); - if(tmpHandleFullName != NULL) - { - VirtualFree(HandleFullName, NULL, MEM_RELEASE); - HandleFullName = tmpHandleFullName; - } - } - } - EngineCloseHandle(myHandle); - break; - } - } - } - HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); - TotalHandleCount--; - } - VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE); - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - if(!NameFound) - { - VirtualFree(HandleFullName, NULL, MEM_RELEASE); - return(NULL); - } - else - { - return(HandleFullName); - } - } - VirtualFree(HandleFullName, NULL, MEM_RELEASE); - VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE); - return(NULL); + + QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); + while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) + { + QuerySystemBufferSize = RequiredSize; + VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); + QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); + } + RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); + QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); + HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; + while(TotalHandleCount > NULL) + { + if(HandleInfo->ProcessId == ProcessId && (HANDLE)HandleInfo->hHandle == hHandle) + { + //if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){ + if(HandleInfo->GrantedAccess != 0x0012019F) + { + if(DuplicateHandle(hProcess, hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS)) + { + RtlZeroMemory(&ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION); + NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof 
PUBLIC_OBJECT_BASIC_INFORMATION, &RequiredSize); + NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize); + NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize); + RtlZeroMemory(HandleFullName, 0x1000); + if(pObjectNameInfo->Name.Length != NULL) + { + //WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectNameInfo->Name.Buffer, -1, (LPSTR)HandleFullName, 0x1000, NULL, NULL); + NameFound = true; + lstrcpyW((wchar_t*)HandleFullName, (wchar_t*)pObjectNameInfo->Name.Buffer); + if(TranslateName) + { + tmpHandleFullName = TranslateNativeNameW((wchar_t*)HandleFullName); + if(tmpHandleFullName != NULL) + { + VirtualFree(HandleFullName, NULL, MEM_RELEASE); + HandleFullName = tmpHandleFullName; + } + } + } + EngineCloseHandle(myHandle); + break; + } + } + } + HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); + TotalHandleCount--; + } + VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE); + VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); + if(!NameFound) + { + VirtualFree(HandleFullName, NULL, MEM_RELEASE); + return(NULL); + } + else + { + return(HandleFullName); + } + + VirtualFree(HandleFullName, NULL, MEM_RELEASE); + VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE); + return(NULL); } __declspec(dllexport) long TITCALL HandlerEnumerateOpenHandles(DWORD ProcessId, LPVOID HandleBuffer, DWORD MaxHandleCount) { - HANDLE myHandle = NULL; - LPVOID QuerySystemBuffer; - ULONG RequiredSize = NULL; - ULONG TotalHandleCount = NULL; - unsigned int HandleCount = NULL; - ULONG QuerySystemBufferSize = 0x2000; -#if !defined(_WIN64) - typedef NTSTATUS(WINAPI *fZwQuerySystemInformation)(DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize); -#else - typedef NTSTATUS(__fastcall *fZwQuerySystemInformation)(DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize); -#endif - LPVOID ZwQuerySystemInformation = 
(LPVOID)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwQuerySystemInformation"); - fZwQuerySystemInformation cZwQuerySystemInformation = (fZwQuerySystemInformation)(ZwQuerySystemInformation); - PNTDLL_QUERY_HANDLE_INFO HandleInfo; + HANDLE myHandle = NULL; + LPVOID QuerySystemBuffer; + ULONG RequiredSize = NULL; + ULONG TotalHandleCount = NULL; + unsigned int HandleCount = NULL; + ULONG QuerySystemBufferSize = 0x2000; + PNTDLL_QUERY_HANDLE_INFO HandleInfo; - if(ZwQuerySystemInformation != NULL) - { - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - while(cZwQuerySystemInformation(NTDLL_SystemHandleInfo, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) - { - QuerySystemBufferSize = RequiredSize; - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - } - RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); - QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); - HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; - while(TotalHandleCount > NULL) - { - if(HandleInfo->ProcessId == ProcessId && HandleCount < MaxHandleCount) - { - myHandle = (HANDLE)HandleInfo->hHandle; - RtlMoveMemory(HandleBuffer, &myHandle, sizeof HANDLE); - HandleBuffer = (LPVOID)((ULONG_PTR)HandleBuffer + sizeof HANDLE); - HandleCount++; - } - HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); - TotalHandleCount--; - } - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - return(HandleCount); - } - return(NULL); + + QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); + while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) + { + QuerySystemBufferSize = RequiredSize; + VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); + 
QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); + } + RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); + QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); + HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; + while(TotalHandleCount > NULL) + { + if(HandleInfo->ProcessId == ProcessId && HandleCount < MaxHandleCount) + { + myHandle = (HANDLE)HandleInfo->hHandle; + RtlMoveMemory(HandleBuffer, &myHandle, sizeof HANDLE); + HandleBuffer = (LPVOID)((ULONG_PTR)HandleBuffer + sizeof HANDLE); + HandleCount++; + } + HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); + TotalHandleCount--; + } + VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); + return(HandleCount); + + return(NULL); } __declspec(dllexport) long long TITCALL HandlerGetHandleDetails(HANDLE hProcess, DWORD ProcessId, HANDLE hHandle, DWORD InformationReturn) { - HANDLE myHandle = NULL; - LPVOID QuerySystemBuffer; - ULONG QuerySystemBufferSize = 0x2000; - ULONG RequiredSize = NULL; - ULONG TotalHandleCount = NULL; -#if !defined(_WIN64) - typedef NTSTATUS(WINAPI *fZwQuerySystemInformation)(DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize); - typedef NTSTATUS(WINAPI *fZwQueryObject)(HANDLE hObject, DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize); -#else - typedef NTSTATUS(__fastcall *fZwQuerySystemInformation)(DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize); - typedef NTSTATUS(__fastcall *fZwQueryObject)(HANDLE hObject, DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize); -#endif - LPVOID ZwQuerySystemInformation = (LPVOID)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwQuerySystemInformation"); - LPVOID ZwQueryObject = (LPVOID)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwQueryObject"); - fZwQuerySystemInformation cZwQuerySystemInformation = 
(fZwQuerySystemInformation)(ZwQuerySystemInformation); - fZwQueryObject cZwQueryObject = (fZwQueryObject)(ZwQueryObject); - PNTDLL_QUERY_HANDLE_INFO HandleInfo; - PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo; - LPVOID HandleFullData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); - LPVOID HandleNameData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); - PPUBLIC_OBJECT_TYPE_INFORMATION pObjectTypeInfo = (PPUBLIC_OBJECT_TYPE_INFORMATION)HandleFullData; - bool DontFreeStringMemory = false; - ULONG_PTR ReturnData = NULL; + HANDLE myHandle = NULL; + LPVOID QuerySystemBuffer; + ULONG QuerySystemBufferSize = 0x2000; + ULONG RequiredSize = NULL; + ULONG TotalHandleCount = NULL; + PNTDLL_QUERY_HANDLE_INFO HandleInfo; + PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo; + LPVOID HandleFullData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); + LPVOID HandleNameData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); + PPUBLIC_OBJECT_TYPE_INFORMATION pObjectTypeInfo = (PPUBLIC_OBJECT_TYPE_INFORMATION)HandleFullData; + bool DontFreeStringMemory = false; + ULONG_PTR ReturnData = NULL; - if(ZwQuerySystemInformation != NULL && ZwQueryObject != NULL) - { - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - while(cZwQuerySystemInformation(NTDLL_SystemHandleInfo, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) - { - QuerySystemBufferSize = RequiredSize; - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - } - RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); - QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); - HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; - while(TotalHandleCount > NULL) - { - if(HandleInfo->ProcessId == ProcessId && (HANDLE)HandleInfo->hHandle == hHandle) - { - if(DuplicateHandle(hProcess, hHandle, GetCurrentProcess(), 
&myHandle, NULL, false, DUPLICATE_SAME_ACCESS)) - { - RtlZeroMemory(&ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION); - cZwQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION, &RequiredSize); - if(InformationReturn == UE_OPTION_HANDLER_RETURN_HANDLECOUNT) - { - ReturnData = (ULONG_PTR)ObjectBasicInfo.HandleCount; - } - else if(InformationReturn == UE_OPTION_HANDLER_RETURN_ACCESS) - { - ReturnData = (ULONG_PTR)HandleInfo->GrantedAccess; - } - else if(InformationReturn == UE_OPTION_HANDLER_RETURN_FLAGS) - { - ReturnData = (ULONG_PTR)HandleInfo->Flags; - } - else if(InformationReturn == UE_OPTION_HANDLER_RETURN_TYPENAME) - { - //if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){ - if(HandleInfo->GrantedAccess != 0x0012019F) - { - RtlZeroMemory(HandleFullData, 0x1000); - cZwQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize); - cZwQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize); - RtlZeroMemory(HandleNameData, 0x1000); - if(pObjectTypeInfo->TypeName.Length != NULL) - { - WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectTypeInfo->TypeName.Buffer, -1, (LPSTR)HandleNameData, 0x1000, NULL, NULL); - ReturnData = (ULONG_PTR)HandleNameData; - DontFreeStringMemory = true; - } - } - } - else if(InformationReturn == UE_OPTION_HANDLER_RETURN_TYPENAME_UNICODE) - { - //if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){ - if(HandleInfo->GrantedAccess != 0x0012019F) - { - RtlZeroMemory(HandleFullData, 0x1000); - cZwQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize); - cZwQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, 
&RequiredSize); - RtlZeroMemory(HandleNameData, 0x1000); - if(pObjectTypeInfo->TypeName.Length != NULL) - { - //WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectTypeInfo->TypeName.Buffer, -1, (LPSTR)HandleNameData, 0x1000, NULL, NULL); - lstrcpyW((wchar_t*)HandleNameData, (wchar_t*)pObjectTypeInfo->TypeName.Buffer); - ReturnData = (ULONG_PTR)HandleNameData; - DontFreeStringMemory = true; - } - } - } - EngineCloseHandle(myHandle); - break; - } - } - HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); - TotalHandleCount--; - } - if(!DontFreeStringMemory) - { - VirtualFree(HandleNameData, NULL, MEM_RELEASE); - } - VirtualFree(HandleFullData, NULL, MEM_RELEASE); - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - return(ReturnData); - } - if(!DontFreeStringMemory) - { - VirtualFree(HandleNameData, NULL, MEM_RELEASE); - } - VirtualFree(HandleFullData, NULL, MEM_RELEASE); - return(NULL); + + QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); + while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) + { + QuerySystemBufferSize = RequiredSize; + VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); + QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); + } + RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); + QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); + HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; + while(TotalHandleCount > NULL) + { + if(HandleInfo->ProcessId == ProcessId && (HANDLE)HandleInfo->hHandle == hHandle) + { + if(DuplicateHandle(hProcess, hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS)) + { + RtlZeroMemory(&ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION); + NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION, 
&RequiredSize);
+ if(InformationReturn == UE_OPTION_HANDLER_RETURN_HANDLECOUNT)
+ {
+ ReturnData = (ULONG_PTR)ObjectBasicInfo.HandleCount;
+ }
+ else if(InformationReturn == UE_OPTION_HANDLER_RETURN_ACCESS)
+ {
+ ReturnData = (ULONG_PTR)HandleInfo->GrantedAccess;
+ }
+ else if(InformationReturn == UE_OPTION_HANDLER_RETURN_FLAGS)
+ {
+ ReturnData = (ULONG_PTR)HandleInfo->Flags;
+ }
+ else if(InformationReturn == UE_OPTION_HANDLER_RETURN_TYPENAME)
+ {
+ //if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
+ if(HandleInfo->GrantedAccess != 0x0012019F)
+ {
+ RtlZeroMemory(HandleFullData, 0x1000);
+ NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize);
+ NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize);
+ RtlZeroMemory(HandleNameData, 0x1000);
+ if(pObjectTypeInfo->TypeName.Length != NULL)
+ {
+ WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectTypeInfo->TypeName.Buffer, -1, (LPSTR)HandleNameData, 0x1000, NULL, NULL);
+ ReturnData = (ULONG_PTR)HandleNameData;
+ DontFreeStringMemory = true;
+ }
+ }
+ }
+ else if(InformationReturn == UE_OPTION_HANDLER_RETURN_TYPENAME_UNICODE)
+ {
+ //if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
+ if(HandleInfo->GrantedAccess != 0x0012019F)
+ {
+ RtlZeroMemory(HandleFullData, 0x1000);
+ NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize);
+ NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize);
+ RtlZeroMemory(HandleNameData, 0x1000);
+ if(pObjectTypeInfo->TypeName.Length != NULL)
+ {
+ //WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectTypeInfo->TypeName.Buffer, -1, (LPSTR)HandleNameData, 0x1000, NULL, NULL);
+ 
lstrcpyW((wchar_t*)HandleNameData, (wchar_t*)pObjectTypeInfo->TypeName.Buffer);
+ ReturnData = (ULONG_PTR)HandleNameData;
+ DontFreeStringMemory = true;
+ }
+ }
+ }
+ EngineCloseHandle(myHandle);
+ break;
+ }
+ }
+ HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
+ TotalHandleCount--;
+ }
+ if(!DontFreeStringMemory)
+ {
+ VirtualFree(HandleNameData, NULL, MEM_RELEASE);
+ }
+ VirtualFree(HandleFullData, NULL, MEM_RELEASE);
+ VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
+ return(ReturnData);
+ 
+ if(!DontFreeStringMemory)
+ {
+ VirtualFree(HandleNameData, NULL, MEM_RELEASE);
+ }
+ VirtualFree(HandleFullData, NULL, MEM_RELEASE);
+ return(NULL);
 }
 __declspec(dllexport) bool TITCALL HandlerCloseRemoteHandle(HANDLE hProcess, HANDLE hHandle)
 {
- HANDLE myHandle;
+ HANDLE myHandle;
- if(hProcess != NULL)
- {
- DuplicateHandle(hProcess, hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_CLOSE_SOURCE);
- EngineCloseHandle(myHandle);
- }
- return false;
+ if(hProcess != NULL)
+ {
+ DuplicateHandle(hProcess, hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_CLOSE_SOURCE);
+ EngineCloseHandle(myHandle);
+ }
+ return false;
 }
 __declspec(dllexport) long TITCALL HandlerEnumerateLockHandles(char* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated, LPVOID HandleDataBuffer, DWORD MaxHandleCount)
 {
- wchar_t uniFileOrFolderName[MAX_PATH] = {};
+ wchar_t uniFileOrFolderName[MAX_PATH] = {};
- if(szFileOrFolderName != NULL)
- {
- MultiByteToWideChar(CP_ACP, NULL, szFileOrFolderName, lstrlenA(szFileOrFolderName)+1, uniFileOrFolderName, sizeof(uniFileOrFolderName)/(sizeof(uniFileOrFolderName[0])));
- return(HandlerEnumerateLockHandlesW(uniFileOrFolderName, NameIsFolder, NameIsTranslated, HandleDataBuffer, MaxHandleCount));
- }
- else
- {
- return(NULL);
- }
+ if(szFileOrFolderName != NULL)
+ {
+ MultiByteToWideChar(CP_ACP, NULL, szFileOrFolderName, lstrlenA(szFileOrFolderName)+1, uniFileOrFolderName, 
sizeof(uniFileOrFolderName)/(sizeof(uniFileOrFolderName[0])));
+ return(HandlerEnumerateLockHandlesW(uniFileOrFolderName, NameIsFolder, NameIsTranslated, HandleDataBuffer, MaxHandleCount));
+ }
+ else
+ {
+ return(NULL);
+ }
 }
 __declspec(dllexport) long TITCALL HandlerEnumerateLockHandlesW(wchar_t* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated, LPVOID HandleDataBuffer, DWORD MaxHandleCount)
 {
- int FoundHandles = NULL;
- HANDLE hProcess = NULL;
- HANDLE myHandle = NULL;
- HANDLE CopyHandle = NULL;
- LPVOID QuerySystemBuffer;
- ULONG QuerySystemBufferSize = 0x2000;
- ULONG RequiredSize = NULL;
- ULONG TotalHandleCount = NULL;
- DWORD LastProcessId = NULL;
-#if !defined(_WIN64)
- typedef NTSTATUS(WINAPI *fZwQuerySystemInformation)(DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize);
- typedef NTSTATUS(WINAPI *fZwQueryObject)(HANDLE hObject, DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize);
-#else
- typedef NTSTATUS(__fastcall *fZwQuerySystemInformation)(DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize);
- typedef NTSTATUS(__fastcall *fZwQueryObject)(HANDLE hObject, DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize);
-#endif
- LPVOID ZwQuerySystemInformation = (LPVOID)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwQuerySystemInformation");
- LPVOID ZwQueryObject = (LPVOID)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwQueryObject");
- fZwQuerySystemInformation cZwQuerySystemInformation = (fZwQuerySystemInformation)(ZwQuerySystemInformation);
- fZwQueryObject cZwQueryObject = (fZwQueryObject)(ZwQueryObject);
- PNTDLL_QUERY_HANDLE_INFO HandleInfo;
- PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo;
- LPVOID ObjectNameInfo = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE);
- PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo;
- LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
- 
int LenFileOrFolderName = lstrlenW(szFileOrFolderName);
- LPVOID tmpHandleFullName = NULL;
+ int FoundHandles = NULL;
+ HANDLE hProcess = NULL;
+ HANDLE myHandle = NULL;
+ HANDLE CopyHandle = NULL;
+ LPVOID QuerySystemBuffer;
+ ULONG QuerySystemBufferSize = 0x2000;
+ ULONG RequiredSize = NULL;
+ ULONG TotalHandleCount = NULL;
+ DWORD LastProcessId = NULL;
- if(ZwQuerySystemInformation != NULL && ZwQueryObject != NULL)
- {
- QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
- while(cZwQuerySystemInformation(NTDLL_SystemHandleInfo, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L)
- {
- QuerySystemBufferSize = RequiredSize;
- VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
- QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
- }
- RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
- QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
- HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
- while(TotalHandleCount > NULL)
- {
- if(LastProcessId != HandleInfo->ProcessId)
- {
- if(hProcess != NULL)
- {
- EngineCloseHandle(hProcess);
- }
- hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE, false, HandleInfo->ProcessId);
- LastProcessId = HandleInfo->ProcessId;
- }
- if(hProcess != NULL)
- {
- //if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
- if(HandleInfo->GrantedAccess != 0x0012019F)
- {
- if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
- {
- RtlZeroMemory(&ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION);
- cZwQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION, &RequiredSize);
- cZwQueryObject(myHandle, 
ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize);
- cZwQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize);
- RtlZeroMemory(HandleFullName, 0x1000);
- if(pObjectNameInfo->Name.Length != NULL)
- {
- //WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectNameInfo->Name.Buffer, -1, (LPSTR)HandleFullName, 0x1000, NULL, NULL);
- lstrcpyW((wchar_t*)HandleFullName, (wchar_t*)pObjectNameInfo->Name.Buffer);
- if(NameIsTranslated)
- {
- tmpHandleFullName = TranslateNativeNameW((wchar_t*)HandleFullName);
- if(tmpHandleFullName != NULL)
- {
- VirtualFree(HandleFullName, NULL, MEM_RELEASE);
- HandleFullName = tmpHandleFullName;
- }
- }
- if(NameIsFolder)
- {
- if(lstrlenW((LPCWSTR)HandleFullName) > LenFileOrFolderName)
- {
- RtlZeroMemory((LPVOID)((ULONG_PTR)HandleFullName + LenFileOrFolderName * 2), 2);
- }
- }
- if(lstrcmpiW((LPCWSTR)HandleFullName, szFileOrFolderName) == NULL && MaxHandleCount > NULL)
- {
- RtlMoveMemory(HandleDataBuffer, &HandleInfo->ProcessId, sizeof ULONG);
- HandleDataBuffer = (LPVOID)((ULONG_PTR)HandleDataBuffer + sizeof ULONG);
- CopyHandle = (HANDLE)HandleInfo->hHandle;
- RtlMoveMemory(HandleDataBuffer, &CopyHandle, sizeof HANDLE);
- HandleDataBuffer = (LPVOID)((ULONG_PTR)HandleDataBuffer + sizeof HANDLE);
- FoundHandles++;
- MaxHandleCount--;
- }
- }
- EngineCloseHandle(myHandle);
- }
- }
- }
- HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
- TotalHandleCount--;
- }
- VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE);
- VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
- VirtualFree(HandleFullName, NULL, MEM_RELEASE);
- return(FoundHandles);
- }
- VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE);
- VirtualFree(HandleFullName, NULL, MEM_RELEASE);
- return(NULL);
+ 
+ PNTDLL_QUERY_HANDLE_INFO HandleInfo;
+ PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo;
+ LPVOID ObjectNameInfo = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE);
+ 
PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo;
+ LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
+ int LenFileOrFolderName = lstrlenW(szFileOrFolderName);
+ LPVOID tmpHandleFullName = NULL;
+ 
+ 
+ QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
+ while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L)
+ {
+ QuerySystemBufferSize = RequiredSize;
+ VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
+ QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
+ }
+ RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
+ QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
+ HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
+ while(TotalHandleCount > NULL)
+ {
+ if(LastProcessId != HandleInfo->ProcessId)
+ {
+ if(hProcess != NULL)
+ {
+ EngineCloseHandle(hProcess);
+ }
+ hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE, false, HandleInfo->ProcessId);
+ LastProcessId = HandleInfo->ProcessId;
+ }
+ if(hProcess != NULL)
+ {
+ //if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
+ if(HandleInfo->GrantedAccess != 0x0012019F)
+ {
+ if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
+ {
+ RtlZeroMemory(&ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION);
+ NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION, &RequiredSize);
+ NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize);
+ NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize);
+ 
RtlZeroMemory(HandleFullName, 0x1000);
+ if(pObjectNameInfo->Name.Length != NULL)
+ {
+ //WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectNameInfo->Name.Buffer, -1, (LPSTR)HandleFullName, 0x1000, NULL, NULL);
+ lstrcpyW((wchar_t*)HandleFullName, (wchar_t*)pObjectNameInfo->Name.Buffer);
+ if(NameIsTranslated)
+ {
+ tmpHandleFullName = TranslateNativeNameW((wchar_t*)HandleFullName);
+ if(tmpHandleFullName != NULL)
+ {
+ VirtualFree(HandleFullName, NULL, MEM_RELEASE);
+ HandleFullName = tmpHandleFullName;
+ }
+ }
+ if(NameIsFolder)
+ {
+ if(lstrlenW((LPCWSTR)HandleFullName) > LenFileOrFolderName)
+ {
+ RtlZeroMemory((LPVOID)((ULONG_PTR)HandleFullName + LenFileOrFolderName * 2), 2);
+ }
+ }
+ if(lstrcmpiW((LPCWSTR)HandleFullName, szFileOrFolderName) == NULL && MaxHandleCount > NULL)
+ {
+ RtlMoveMemory(HandleDataBuffer, &HandleInfo->ProcessId, sizeof ULONG);
+ HandleDataBuffer = (LPVOID)((ULONG_PTR)HandleDataBuffer + sizeof ULONG);
+ CopyHandle = (HANDLE)HandleInfo->hHandle;
+ RtlMoveMemory(HandleDataBuffer, &CopyHandle, sizeof HANDLE);
+ HandleDataBuffer = (LPVOID)((ULONG_PTR)HandleDataBuffer + sizeof HANDLE);
+ FoundHandles++;
+ MaxHandleCount--;
+ }
+ }
+ EngineCloseHandle(myHandle);
+ }
+ }
+ }
+ HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
+ TotalHandleCount--;
+ }
+ VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE);
+ VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
+ VirtualFree(HandleFullName, NULL, MEM_RELEASE);
+ return(FoundHandles);
 }
 __declspec(dllexport) bool TITCALL HandlerCloseAllLockHandles(char* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated)
 {
- wchar_t uniFileOrFolderName[MAX_PATH] = {};
+ wchar_t uniFileOrFolderName[MAX_PATH] = {};
- if(szFileOrFolderName != NULL)
- {
- MultiByteToWideChar(CP_ACP, NULL, szFileOrFolderName, lstrlenA(szFileOrFolderName)+1, uniFileOrFolderName, sizeof(uniFileOrFolderName)/(sizeof(uniFileOrFolderName[0])));
- 
return(HandlerCloseAllLockHandlesW(uniFileOrFolderName, NameIsFolder, NameIsTranslated));
- }
- else
- {
- return false;
- }
+ if(szFileOrFolderName != NULL)
+ {
+ MultiByteToWideChar(CP_ACP, NULL, szFileOrFolderName, lstrlenA(szFileOrFolderName)+1, uniFileOrFolderName, sizeof(uniFileOrFolderName)/(sizeof(uniFileOrFolderName[0])));
+ return(HandlerCloseAllLockHandlesW(uniFileOrFolderName, NameIsFolder, NameIsTranslated));
+ }
+ else
+ {
+ return false;
+ }
 }
 __declspec(dllexport) bool TITCALL HandlerCloseAllLockHandlesW(wchar_t* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated)
 {
- bool AllHandled = true;
- HANDLE hProcess = NULL;
- HANDLE myHandle = NULL;
- HANDLE CopyHandle = NULL;
- LPVOID QuerySystemBuffer;
- ULONG QuerySystemBufferSize = 0x2000;
- ULONG RequiredSize = NULL;
- ULONG TotalHandleCount = NULL;
- DWORD LastProcessId = NULL;
-#if !defined(_WIN64)
- typedef NTSTATUS(WINAPI *fZwQuerySystemInformation)(DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize);
- typedef NTSTATUS(WINAPI *fZwQueryObject)(HANDLE hObject, DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize);
-#else
- typedef NTSTATUS(__fastcall *fZwQuerySystemInformation)(DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize);
- typedef NTSTATUS(__fastcall *fZwQueryObject)(HANDLE hObject, DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize);
-#endif
- LPVOID ZwQuerySystemInformation = (LPVOID)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwQuerySystemInformation");
- LPVOID ZwQueryObject = (LPVOID)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwQueryObject");
- fZwQuerySystemInformation cZwQuerySystemInformation = (fZwQuerySystemInformation)(ZwQuerySystemInformation);
- fZwQueryObject cZwQueryObject = (fZwQueryObject)(ZwQueryObject);
- PNTDLL_QUERY_HANDLE_INFO HandleInfo;
- PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo;
- LPVOID ObjectNameInfo = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); 
- PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo;
- LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
- int LenFileOrFolderName = lstrlenW(szFileOrFolderName);
- LPVOID tmpHandleFullName = NULL;
+ bool AllHandled = true;
+ HANDLE hProcess = NULL;
+ HANDLE myHandle = NULL;
+ HANDLE CopyHandle = NULL;
+ LPVOID QuerySystemBuffer;
+ ULONG QuerySystemBufferSize = 0x2000;
+ ULONG RequiredSize = NULL;
+ ULONG TotalHandleCount = NULL;
+ DWORD LastProcessId = NULL;
+ PNTDLL_QUERY_HANDLE_INFO HandleInfo;
+ PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo;
+ LPVOID ObjectNameInfo = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE);
+ PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo;
+ LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
+ int LenFileOrFolderName = lstrlenW(szFileOrFolderName);
+ LPVOID tmpHandleFullName = NULL;
+ 
+ 
+ QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
+ while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L)
+ {
+ QuerySystemBufferSize = RequiredSize;
+ VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
+ QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
+ }
+ RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
+ QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
+ HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
+ while(TotalHandleCount > NULL)
+ {
+ if(LastProcessId != HandleInfo->ProcessId)
+ {
+ if(hProcess != NULL)
+ {
+ EngineCloseHandle(hProcess);
+ }
+ hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE, false, HandleInfo->ProcessId);
+ LastProcessId = HandleInfo->ProcessId;
+ }
+ if(hProcess != NULL)
+ {
+ //if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || 
((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
+ if(HandleInfo->GrantedAccess != 0x0012019F)
+ {
+ if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
+ {
+ RtlZeroMemory(&ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION);
+ NtQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION, &RequiredSize);
+ NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize);
+ NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize);
+ RtlZeroMemory(HandleFullName, 0x1000);
+ if(pObjectNameInfo->Name.Length != NULL)
+ {
+ //WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectNameInfo->Name.Buffer, -1, (LPSTR)HandleFullName, 0x1000, NULL, NULL);
+ lstrcpyW((wchar_t*)HandleFullName, (wchar_t*)pObjectNameInfo->Name.Buffer);
+ if(NameIsTranslated)
+ {
+ tmpHandleFullName = TranslateNativeNameW((wchar_t*)HandleFullName);
+ if(tmpHandleFullName != NULL)
+ {
+ VirtualFree(HandleFullName, NULL, MEM_RELEASE);
+ HandleFullName = tmpHandleFullName;
+ }
+ }
+ if(NameIsFolder)
+ {
+ if(lstrlenW((LPCWSTR)HandleFullName) > LenFileOrFolderName)
+ {
+ RtlZeroMemory((LPVOID)((ULONG_PTR)HandleFullName + LenFileOrFolderName * 2), 2);
+ }
+ }
+ if(lstrcmpiW((LPCWSTR)HandleFullName, szFileOrFolderName) == NULL)
+ {
+ if(!HandlerCloseRemoteHandle(hProcess, (HANDLE)HandleInfo->hHandle))
+ {
+ AllHandled = false;
+ }
+ }
+ }
+ EngineCloseHandle(myHandle);
+ }
+ }
+ }
+ HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
+ TotalHandleCount--;
+ }
+ VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE);
+ VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
+ VirtualFree(HandleFullName, NULL, MEM_RELEASE);
+ if(AllHandled)
+ {
+ return true;
+ }
+ else
+ {
+ return false;
+ }
- 
if(ZwQuerySystemInformation != NULL && ZwQueryObject != NULL)
- {
- QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
- while(cZwQuerySystemInformation(NTDLL_SystemHandleInfo, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L)
- {
- QuerySystemBufferSize = RequiredSize;
- VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
- QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
- }
- RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
- QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
- HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
- while(TotalHandleCount > NULL)
- {
- if(LastProcessId != HandleInfo->ProcessId)
- {
- if(hProcess != NULL)
- {
- EngineCloseHandle(hProcess);
- }
- hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE, false, HandleInfo->ProcessId);
- LastProcessId = HandleInfo->ProcessId;
- }
- if(hProcess != NULL)
- {
- //if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
- if(HandleInfo->GrantedAccess != 0x0012019F)
- {
- if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
- {
- RtlZeroMemory(&ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION);
- cZwQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION, &RequiredSize);
- cZwQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize);
- cZwQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize);
- RtlZeroMemory(HandleFullName, 0x1000);
- if(pObjectNameInfo->Name.Length != NULL)
- {
- //WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectNameInfo->Name.Buffer, -1, (LPSTR)HandleFullName, 0x1000, NULL, NULL);
- 
lstrcpyW((wchar_t*)HandleFullName, (wchar_t*)pObjectNameInfo->Name.Buffer);
- if(NameIsTranslated)
- {
- tmpHandleFullName = TranslateNativeNameW((wchar_t*)HandleFullName);
- if(tmpHandleFullName != NULL)
- {
- VirtualFree(HandleFullName, NULL, MEM_RELEASE);
- HandleFullName = tmpHandleFullName;
- }
- }
- if(NameIsFolder)
- {
- if(lstrlenW((LPCWSTR)HandleFullName) > LenFileOrFolderName)
- {
- RtlZeroMemory((LPVOID)((ULONG_PTR)HandleFullName + LenFileOrFolderName * 2), 2);
- }
- }
- if(lstrcmpiW((LPCWSTR)HandleFullName, szFileOrFolderName) == NULL)
- {
- if(!HandlerCloseRemoteHandle(hProcess, (HANDLE)HandleInfo->hHandle))
- {
- AllHandled = false;
- }
- }
- }
- EngineCloseHandle(myHandle);
- }
- }
- }
- HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
- TotalHandleCount--;
- }
- VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE);
- VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
- VirtualFree(HandleFullName, NULL, MEM_RELEASE);
- if(AllHandled)
- {
- return true;
- }
- else
- {
- return false;
- }
- }
- VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE);
- VirtualFree(HandleFullName, NULL, MEM_RELEASE);
- return false;
 }
 __declspec(dllexport) bool TITCALL HandlerIsFileLocked(char* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated)
 {
- wchar_t uniFileOrFolderName[MAX_PATH] = {};
+ wchar_t uniFileOrFolderName[MAX_PATH] = {};
- if(szFileOrFolderName != NULL)
- {
- MultiByteToWideChar(CP_ACP, NULL, szFileOrFolderName, lstrlenA(szFileOrFolderName)+1, uniFileOrFolderName, sizeof(uniFileOrFolderName)/(sizeof(uniFileOrFolderName[0])));
- return(HandlerIsFileLockedW(uniFileOrFolderName, NameIsFolder, NameIsTranslated));
- }
- else
- {
- return false;
- }
+ if(szFileOrFolderName != NULL)
+ {
+ MultiByteToWideChar(CP_ACP, NULL, szFileOrFolderName, lstrlenA(szFileOrFolderName)+1, uniFileOrFolderName, sizeof(uniFileOrFolderName)/(sizeof(uniFileOrFolderName[0])));
+ return(HandlerIsFileLockedW(uniFileOrFolderName, 
NameIsFolder, NameIsTranslated));
+ }
+ else
+ {
+ return false;
+ }
 }
 __declspec(dllexport) bool TITCALL HandlerIsFileLockedW(wchar_t* szFileOrFolderName, bool NameIsFolder, bool NameIsTranslated)
 {
- HANDLE hProcess = NULL;
- HANDLE myHandle = NULL;
- HANDLE CopyHandle = NULL;
- LPVOID QuerySystemBuffer;
- ULONG QuerySystemBufferSize = 0x2000;
- ULONG RequiredSize = NULL;
- ULONG TotalHandleCount = NULL;
- DWORD LastProcessId = NULL;
-#if !defined(_WIN64)
- typedef NTSTATUS(WINAPI *fZwQuerySystemInformation)(DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize);
- typedef NTSTATUS(WINAPI *fZwQueryObject)(HANDLE hObject, DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize);
-#else
- typedef NTSTATUS(__fastcall *fZwQuerySystemInformation)(DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize);
- typedef NTSTATUS(__fastcall *fZwQueryObject)(HANDLE hObject, DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize);
-#endif
- LPVOID ZwQuerySystemInformation = (LPVOID)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwQuerySystemInformation");
- LPVOID ZwQueryObject = (LPVOID)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwQueryObject");
- fZwQuerySystemInformation cZwQuerySystemInformation = (fZwQuerySystemInformation)(ZwQuerySystemInformation);
- fZwQueryObject cZwQueryObject = (fZwQueryObject)(ZwQueryObject);
- PNTDLL_QUERY_HANDLE_INFO HandleInfo;
- PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo;
- LPVOID ObjectNameInfo = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE);
- PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo;
- LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
- int LenFileOrFolderName = lstrlenW(szFileOrFolderName);
- LPVOID tmpHandleFullName = NULL;
+ HANDLE hProcess = NULL;
+ HANDLE myHandle = NULL;
+ HANDLE CopyHandle = NULL;
+ LPVOID QuerySystemBuffer;
+ ULONG QuerySystemBufferSize = 0x2000; 
+ ULONG RequiredSize = NULL;
+ ULONG TotalHandleCount = NULL;
+ DWORD LastProcessId = NULL;
+ 
+ PNTDLL_QUERY_HANDLE_INFO HandleInfo;
+ PUBLIC_OBJECT_BASIC_INFORMATION ObjectBasicInfo;
+ LPVOID ObjectNameInfo = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE);
+ PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo;
+ LPVOID HandleFullName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
+ int LenFileOrFolderName = lstrlenW(szFileOrFolderName);
+ LPVOID tmpHandleFullName = NULL;
+ 
+ QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
+ while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L)
+ {
+ QuerySystemBufferSize = RequiredSize;
+ VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
+ QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
+ }
+ RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
+ QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
+ HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
+ while(TotalHandleCount > NULL)
+ {
+ if(LastProcessId != HandleInfo->ProcessId)
+ {
+ if(hProcess != NULL)
+ {
+ EngineCloseHandle(hProcess);
+ }
+ hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE, false, HandleInfo->ProcessId);
+ LastProcessId = HandleInfo->ProcessId;
+ }
+ if(hProcess != NULL)
+ {
+ //if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
+ if(HandleInfo->GrantedAccess != 0x0012019F)
+ {
+ if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
+ {
+ RtlZeroMemory(&ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION);
+ NtQueryObject(myHandle, ObjectBasicInformation, 
&ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION, &RequiredSize);
+ NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize);
+ NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize);
+ RtlZeroMemory(HandleFullName, 0x1000);
+ if(pObjectNameInfo->Name.Length != NULL)
+ {
+ //WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectNameInfo->Name.Buffer, -1, (LPSTR)HandleFullName, 0x1000, NULL, NULL);
+ lstrcpyW((wchar_t*)HandleFullName, (wchar_t*)pObjectNameInfo->Name.Buffer);
+ if(NameIsTranslated)
+ {
+ tmpHandleFullName = TranslateNativeNameW((wchar_t*)HandleFullName);
+ if(tmpHandleFullName != NULL)
+ {
+ VirtualFree(HandleFullName, NULL, MEM_RELEASE);
+ HandleFullName = tmpHandleFullName;
+ }
+ }
+ if(NameIsFolder)
+ {
+ if(lstrlenW((LPCWSTR)HandleFullName) > LenFileOrFolderName)
+ {
+ RtlZeroMemory((LPVOID)((ULONG_PTR)HandleFullName + LenFileOrFolderName * 2), 2);
+ }
+ }
+ if(lstrcmpiW((LPCWSTR)HandleFullName, szFileOrFolderName) == NULL)
+ {
+ VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE);
+ VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
+ VirtualFree(HandleFullName, NULL, MEM_RELEASE);
+ EngineCloseHandle(myHandle);
+ return true;
+ }
+ }
+ EngineCloseHandle(myHandle);
+ }
+ }
+ }
+ HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
+ TotalHandleCount--;
+ }
+ VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE);
+ VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
+ VirtualFree(HandleFullName, NULL, MEM_RELEASE);
+ return false;
- if(ZwQuerySystemInformation != NULL && ZwQueryObject != NULL)
- {
- QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
- while(cZwQuerySystemInformation(NTDLL_SystemHandleInfo, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L)
- {
- QuerySystemBufferSize = RequiredSize;
- VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
- QuerySystemBuffer = 
VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE);
- }
- RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG);
- QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4);
- HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer;
- while(TotalHandleCount > NULL)
- {
- if(LastProcessId != HandleInfo->ProcessId)
- {
- if(hProcess != NULL)
- {
- EngineCloseHandle(hProcess);
- }
- hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE, false, HandleInfo->ProcessId);
- LastProcessId = HandleInfo->ProcessId;
- }
- if(hProcess != NULL)
- {
- //if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){
- if(HandleInfo->GrantedAccess != 0x0012019F)
- {
- if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS))
- {
- RtlZeroMemory(&ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION);
- cZwQueryObject(myHandle, ObjectBasicInformation, &ObjectBasicInfo, sizeof PUBLIC_OBJECT_BASIC_INFORMATION, &RequiredSize);
- cZwQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize);
- cZwQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize);
- RtlZeroMemory(HandleFullName, 0x1000);
- if(pObjectNameInfo->Name.Length != NULL)
- {
- //WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectNameInfo->Name.Buffer, -1, (LPSTR)HandleFullName, 0x1000, NULL, NULL);
- lstrcpyW((wchar_t*)HandleFullName, (wchar_t*)pObjectNameInfo->Name.Buffer);
- if(NameIsTranslated)
- {
- tmpHandleFullName = TranslateNativeNameW((wchar_t*)HandleFullName);
- if(tmpHandleFullName != NULL)
- {
- VirtualFree(HandleFullName, NULL, MEM_RELEASE);
- HandleFullName = tmpHandleFullName;
- }
- }
- if(NameIsFolder)
- {
- if(lstrlenW((LPCWSTR)HandleFullName) > LenFileOrFolderName)
- {
- 
RtlZeroMemory((LPVOID)((ULONG_PTR)HandleFullName + LenFileOrFolderName * 2), 2);
- }
- }
- if(lstrcmpiW((LPCWSTR)HandleFullName, szFileOrFolderName) == NULL)
- {
- VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE);
- VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
- VirtualFree(HandleFullName, NULL, MEM_RELEASE);
- EngineCloseHandle(myHandle);
- return true;
- }
- }
- EngineCloseHandle(myHandle);
- }
- }
- }
- HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO);
- TotalHandleCount--;
- }
- VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE);
- VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE);
- VirtualFree(HandleFullName, NULL, MEM_RELEASE);
- return false;
- }
- VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE);
- VirtualFree(HandleFullName, NULL, MEM_RELEASE);
- return false;
 }
 // TitanEngine.Handler[Mutex].functions:
 __declspec(dllexport) long TITCALL HandlerEnumerateOpenMutexes(HANDLE hProcess, DWORD ProcessId, LPVOID HandleBuffer, DWORD MaxHandleCount)
 {
- HANDLE myHandle = NULL;
- HANDLE copyHandle = NULL;
- LPVOID QuerySystemBuffer;
- ULONG RequiredSize = NULL;
- ULONG TotalHandleCount = NULL;
- unsigned int HandleCount = NULL;
- ULONG QuerySystemBufferSize = 0x2000;
-#if !defined(_WIN64)
- typedef NTSTATUS(WINAPI *fZwQuerySystemInformation)(DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize);
- typedef NTSTATUS(WINAPI *fZwQueryObject)(HANDLE hObject, DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize);
-#else
- typedef NTSTATUS(__fastcall *fZwQuerySystemInformation)(DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize);
- typedef NTSTATUS(__fastcall *fZwQueryObject)(HANDLE hObject, DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize);
-#endif
- LPVOID ZwQuerySystemInformation = (LPVOID)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwQuerySystemInformation");
- LPVOID ZwQueryObject = 
(LPVOID)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwQueryObject"); - fZwQuerySystemInformation cZwQuerySystemInformation = (fZwQuerySystemInformation)(ZwQuerySystemInformation); - fZwQueryObject cZwQueryObject = (fZwQueryObject)(ZwQueryObject); - PNTDLL_QUERY_HANDLE_INFO HandleInfo; - LPVOID HandleFullData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); - LPVOID HandleNameData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); - PPUBLIC_OBJECT_TYPE_INFORMATION pObjectTypeInfo = (PPUBLIC_OBJECT_TYPE_INFORMATION)HandleFullData; + HANDLE myHandle = NULL; + HANDLE copyHandle = NULL; + LPVOID QuerySystemBuffer; + ULONG RequiredSize = NULL; + ULONG TotalHandleCount = NULL; + unsigned int HandleCount = NULL; + ULONG QuerySystemBufferSize = 0x2000; + + PNTDLL_QUERY_HANDLE_INFO HandleInfo; + LPVOID HandleFullData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); + LPVOID HandleNameData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); + PPUBLIC_OBJECT_TYPE_INFORMATION pObjectTypeInfo = (PPUBLIC_OBJECT_TYPE_INFORMATION)HandleFullData; + + + QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); + while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) + { + QuerySystemBufferSize = RequiredSize; + VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); + QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); + } + RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); + QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); + HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; + while(TotalHandleCount > NULL) + { + if(HandleInfo->ProcessId == ProcessId && HandleCount < MaxHandleCount) + { + //if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && 
(WORD)HandleInfo->GrantedAccess != 0x89))){ + if(HandleInfo->GrantedAccess != 0x0012019F) + { + if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS)) + { + RtlZeroMemory(HandleFullData, 0x1000); + NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize); + NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize); + RtlZeroMemory(HandleNameData, 0x1000); + if(pObjectTypeInfo->TypeName.Length != NULL) + { + WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectTypeInfo->TypeName.Buffer, -1, (LPSTR)HandleNameData, 0x1000, NULL, NULL); + if(lstrcmpiA((LPCSTR)HandleNameData, "Mutant") == NULL) + { + copyHandle = (HANDLE)HandleInfo->hHandle; + RtlMoveMemory(HandleBuffer, ©Handle, sizeof HANDLE); + HandleBuffer = (LPVOID)((ULONG_PTR)HandleBuffer + sizeof HANDLE); + HandleCount++; + } + } + EngineCloseHandle(myHandle); + } + } + } + HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); + TotalHandleCount--; + } + VirtualFree(HandleFullData, NULL, MEM_RELEASE); + VirtualFree(HandleNameData, NULL, MEM_RELEASE); + VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); + return(HandleCount); - if(ZwQuerySystemInformation != NULL && ZwQueryObject != NULL) - { - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - while(cZwQuerySystemInformation(NTDLL_SystemHandleInfo, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) - { - QuerySystemBufferSize = RequiredSize; - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - } - RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); - QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); - HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; - while(TotalHandleCount > NULL) - { - 
if(HandleInfo->ProcessId == ProcessId && HandleCount < MaxHandleCount) - { - //if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){ - if(HandleInfo->GrantedAccess != 0x0012019F) - { - if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS)) - { - RtlZeroMemory(HandleFullData, 0x1000); - cZwQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize); - cZwQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize); - RtlZeroMemory(HandleNameData, 0x1000); - if(pObjectTypeInfo->TypeName.Length != NULL) - { - WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectTypeInfo->TypeName.Buffer, -1, (LPSTR)HandleNameData, 0x1000, NULL, NULL); - if(lstrcmpiA((LPCSTR)HandleNameData, "Mutant") == NULL) - { - copyHandle = (HANDLE)HandleInfo->hHandle; - RtlMoveMemory(HandleBuffer, ©Handle, sizeof HANDLE); - HandleBuffer = (LPVOID)((ULONG_PTR)HandleBuffer + sizeof HANDLE); - HandleCount++; - } - } - EngineCloseHandle(myHandle); - } - } - } - HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); - TotalHandleCount--; - } - VirtualFree(HandleFullData, NULL, MEM_RELEASE); - VirtualFree(HandleNameData, NULL, MEM_RELEASE); - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - return(HandleCount); - } - VirtualFree(HandleFullData, NULL, MEM_RELEASE); - VirtualFree(HandleNameData, NULL, MEM_RELEASE); - return(NULL); } __declspec(dllexport) long long TITCALL HandlerGetOpenMutexHandle(HANDLE hProcess, DWORD ProcessId, char* szMutexString) { - wchar_t uniMutexString[MAX_PATH] = {}; + wchar_t uniMutexString[MAX_PATH] = {}; - if(szMutexString != NULL) - { - MultiByteToWideChar(CP_ACP, NULL, szMutexString, lstrlenA(szMutexString)+1, uniMutexString, sizeof(uniMutexString)/(sizeof(uniMutexString[0]))); - 
return((ULONG_PTR)HandlerGetOpenMutexHandleW(hProcess, ProcessId, uniMutexString)); - } - else - { - return(NULL); - } + if(szMutexString != NULL) + { + MultiByteToWideChar(CP_ACP, NULL, szMutexString, lstrlenA(szMutexString)+1, uniMutexString, sizeof(uniMutexString)/(sizeof(uniMutexString[0]))); + return((ULONG_PTR)HandlerGetOpenMutexHandleW(hProcess, ProcessId, uniMutexString)); + } + else + { + return(NULL); + } } __declspec(dllexport) long long TITCALL HandlerGetOpenMutexHandleW(HANDLE hProcess, DWORD ProcessId, wchar_t* szMutexString) { - if(!szMutexString || lstrlenW(szMutexString)>=512) - return 0; - int i; - HANDLE myHandle; - LPVOID HandleBuffer = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); - LPVOID cHandleBuffer = HandleBuffer; - int OpenHandleCount = HandlerEnumerateOpenMutexes(hProcess, ProcessId, HandleBuffer, 0x1000 / sizeof HANDLE); - wchar_t RealMutexName[512] = L"\\BaseNamedObjects\\"; - wchar_t* HandleName; + if(!szMutexString || lstrlenW(szMutexString)>=512) + return 0; + int i; + HANDLE myHandle; + LPVOID HandleBuffer = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); + LPVOID cHandleBuffer = HandleBuffer; + int OpenHandleCount = HandlerEnumerateOpenMutexes(hProcess, ProcessId, HandleBuffer, 0x1000 / sizeof HANDLE); + wchar_t RealMutexName[512] = L"\\BaseNamedObjects\\"; + wchar_t* HandleName; - if(OpenHandleCount > NULL) - { - lstrcatW(RealMutexName, szMutexString); - for(i = 0; i < OpenHandleCount; i++) - { - RtlMoveMemory(&myHandle, cHandleBuffer, sizeof HANDLE); - HandleName = (wchar_t*)HandlerGetHandleNameW(hProcess, ProcessId, myHandle, true); - if(HandleName != NULL) - { - if(lstrcmpiW(HandleName, RealMutexName) == NULL) - { - VirtualFree(HandleBuffer, NULL, MEM_RELEASE); - return((ULONG_PTR)myHandle); - } - } - cHandleBuffer = (LPVOID)((ULONG_PTR)cHandleBuffer + sizeof HANDLE); - } - } - VirtualFree(HandleBuffer, NULL, MEM_RELEASE); - return(NULL); + if(OpenHandleCount > NULL) + { + lstrcatW(RealMutexName, 
szMutexString); + for(i = 0; i < OpenHandleCount; i++) + { + RtlMoveMemory(&myHandle, cHandleBuffer, sizeof HANDLE); + HandleName = (wchar_t*)HandlerGetHandleNameW(hProcess, ProcessId, myHandle, true); + if(HandleName != NULL) + { + if(lstrcmpiW(HandleName, RealMutexName) == NULL) + { + VirtualFree(HandleBuffer, NULL, MEM_RELEASE); + return((ULONG_PTR)myHandle); + } + } + cHandleBuffer = (LPVOID)((ULONG_PTR)cHandleBuffer + sizeof HANDLE); + } + } + VirtualFree(HandleBuffer, NULL, MEM_RELEASE); + return(NULL); } __declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutex(char* szMutexString) { - wchar_t uniMutexString[MAX_PATH] = {}; + wchar_t uniMutexString[MAX_PATH] = {}; - if(szMutexString != NULL) - { - MultiByteToWideChar(CP_ACP, NULL, szMutexString, lstrlenA(szMutexString)+1, uniMutexString, sizeof(uniMutexString)/(sizeof(uniMutexString[0]))); - return(HandlerGetProcessIdWhichCreatedMutexW(uniMutexString)); - } - else - { - return(NULL); - } + if(szMutexString != NULL) + { + MultiByteToWideChar(CP_ACP, NULL, szMutexString, lstrlenA(szMutexString)+1, uniMutexString, sizeof(uniMutexString)/(sizeof(uniMutexString[0]))); + return(HandlerGetProcessIdWhichCreatedMutexW(uniMutexString)); + } + else + { + return(NULL); + } } __declspec(dllexport) long TITCALL HandlerGetProcessIdWhichCreatedMutexW(wchar_t* szMutexString) { - if(!szMutexString || lstrlenW(szMutexString)>=512) - return 0; - HANDLE hProcess = NULL; - DWORD ReturnData = NULL; - HANDLE myHandle = NULL; - LPVOID QuerySystemBuffer; - ULONG RequiredSize = NULL; - DWORD LastProcessId = NULL; - ULONG TotalHandleCount = NULL; - ULONG QuerySystemBufferSize = 0x2000; -#if !defined(_WIN64) - typedef NTSTATUS(WINAPI *fZwQuerySystemInformation)(DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize); - typedef NTSTATUS(WINAPI *fZwQueryObject)(HANDLE hObject, DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize); -#else - typedef NTSTATUS(__fastcall 
*fZwQuerySystemInformation)(DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize); - typedef NTSTATUS(__fastcall *fZwQueryObject)(HANDLE hObject, DWORD fInfoType, LPVOID fBuffer, ULONG fBufferSize, PULONG fRequiredSize); -#endif - LPVOID ZwQuerySystemInformation = (LPVOID)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwQuerySystemInformation"); - LPVOID ZwQueryObject = (LPVOID)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwQueryObject"); - fZwQuerySystemInformation cZwQuerySystemInformation = (fZwQuerySystemInformation)(ZwQuerySystemInformation); - fZwQueryObject cZwQueryObject = (fZwQueryObject)(ZwQueryObject); - PNTDLL_QUERY_HANDLE_INFO HandleInfo; - LPVOID HandleFullData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); - LPVOID HandleNameData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); - PPUBLIC_OBJECT_TYPE_INFORMATION pObjectTypeInfo = (PPUBLIC_OBJECT_TYPE_INFORMATION)HandleFullData; - LPVOID ObjectNameInfo = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); - PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo; - wchar_t RealMutexName[512] = L"\\BaseNamedObjects\\"; + if(!szMutexString || lstrlenW(szMutexString)>=512) + return 0; + HANDLE hProcess = NULL; + DWORD ReturnData = NULL; + HANDLE myHandle = NULL; + LPVOID QuerySystemBuffer; + ULONG RequiredSize = NULL; + DWORD LastProcessId = NULL; + ULONG TotalHandleCount = NULL; + ULONG QuerySystemBufferSize = 0x2000; + PNTDLL_QUERY_HANDLE_INFO HandleInfo; + LPVOID HandleFullData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); + LPVOID HandleNameData = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); + PPUBLIC_OBJECT_TYPE_INFORMATION pObjectTypeInfo = (PPUBLIC_OBJECT_TYPE_INFORMATION)HandleFullData; + LPVOID ObjectNameInfo = VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE); + PPUBLIC_OBJECT_NAME_INFORMATION pObjectNameInfo = (PPUBLIC_OBJECT_NAME_INFORMATION)ObjectNameInfo; + wchar_t 
RealMutexName[512] = L"\\BaseNamedObjects\\"; + + + lstrcatW(RealMutexName, szMutexString); + QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); + while(NtQuerySystemInformation(SystemHandleInformation, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) + { + QuerySystemBufferSize = RequiredSize; + VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); + QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); + } + RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); + QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); + HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; + while(TotalHandleCount > NULL) + { + if(LastProcessId != HandleInfo->ProcessId) + { + if(hProcess != NULL) + { + EngineCloseHandle(hProcess); + } + hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE, false, HandleInfo->ProcessId); + LastProcessId = HandleInfo->ProcessId; + } + if(hProcess != NULL) + { + //if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){ + if(HandleInfo->GrantedAccess != 0x0012019F) + { + if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS)) + { + RtlZeroMemory(HandleFullData, 0x1000); + NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize); + NtQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize); + RtlZeroMemory(HandleNameData, 0x1000); + if(pObjectTypeInfo->TypeName.Length != NULL) + { + //WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectTypeInfo->TypeName.Buffer, -1, (LPSTR)HandleNameData, 0x1000, NULL, NULL); + lstrcpyW((wchar_t*)HandleNameData, (wchar_t*)pObjectNameInfo->Name.Buffer); + if(lstrcmpiW((LPCWSTR)HandleNameData, L"Mutant") == NULL) + { 
+ NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize); + NtQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize); + RtlZeroMemory(HandleNameData, 0x1000); + if(pObjectNameInfo->Name.Length != NULL) + { + RtlZeroMemory(HandleNameData, 0x1000); + //WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectNameInfo->Name.Buffer, -1, (LPSTR)HandleNameData, 0x1000, NULL, NULL); + lstrcpyW((wchar_t*)HandleNameData, (wchar_t*)pObjectNameInfo->Name.Buffer); + if(lstrcmpiW((LPCWSTR)HandleNameData, RealMutexName) == NULL) + { + ReturnData = HandleInfo->ProcessId; + break; + } + } + } + } + EngineCloseHandle(myHandle); + } + } + } + HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); + TotalHandleCount--; + } + VirtualFree(HandleFullData, NULL, MEM_RELEASE); + VirtualFree(HandleNameData, NULL, MEM_RELEASE); + VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE); + VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); + return(ReturnData); - if(ZwQuerySystemInformation != NULL && ZwQueryObject != NULL) - { - lstrcatW(RealMutexName, szMutexString); - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - while(cZwQuerySystemInformation(NTDLL_SystemHandleInfo, QuerySystemBuffer, QuerySystemBufferSize, &RequiredSize) == (NTSTATUS)0xC0000004L) - { - QuerySystemBufferSize = RequiredSize; - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - QuerySystemBuffer = VirtualAlloc(NULL, QuerySystemBufferSize, MEM_COMMIT, PAGE_READWRITE); - } - RtlMoveMemory(&TotalHandleCount, QuerySystemBuffer, sizeof ULONG); - QuerySystemBuffer = (LPVOID)((ULONG_PTR)QuerySystemBuffer + 4); - HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)QuerySystemBuffer; - while(TotalHandleCount > NULL) - { - if(LastProcessId != HandleInfo->ProcessId) - { - if(hProcess != NULL) - { - EngineCloseHandle(hProcess); - } - hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE, false, 
HandleInfo->ProcessId); - LastProcessId = HandleInfo->ProcessId; - } - if(hProcess != NULL) - { - //if(!(HandleInfo->GrantedAccess & SYNCHRONIZE) || ((HandleInfo->GrantedAccess & SYNCHRONIZE) && ((WORD)HandleInfo->GrantedAccess != 0x19F9))){// && (WORD)HandleInfo->GrantedAccess != 0x89))){ - if(HandleInfo->GrantedAccess != 0x0012019F) - { - if(DuplicateHandle(hProcess, (HANDLE)HandleInfo->hHandle, GetCurrentProcess(), &myHandle, NULL, false, DUPLICATE_SAME_ACCESS)) - { - RtlZeroMemory(HandleFullData, 0x1000); - cZwQueryObject(myHandle, ObjectTypeInformation, HandleFullData, 8, &RequiredSize); - cZwQueryObject(myHandle, ObjectTypeInformation, HandleFullData, RequiredSize, &RequiredSize); - RtlZeroMemory(HandleNameData, 0x1000); - if(pObjectTypeInfo->TypeName.Length != NULL) - { - //WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectTypeInfo->TypeName.Buffer, -1, (LPSTR)HandleNameData, 0x1000, NULL, NULL); - lstrcpyW((wchar_t*)HandleNameData, (wchar_t*)pObjectNameInfo->Name.Buffer); - if(lstrcmpiW((LPCWSTR)HandleNameData, L"Mutant") == NULL) - { - cZwQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, 8, &RequiredSize); - cZwQueryObject(myHandle, ObjectNameInformation, ObjectNameInfo, RequiredSize, &RequiredSize); - RtlZeroMemory(HandleNameData, 0x1000); - if(pObjectNameInfo->Name.Length != NULL) - { - RtlZeroMemory(HandleNameData, 0x1000); - //WideCharToMultiByte(CP_ACP, NULL, (LPCWSTR)pObjectNameInfo->Name.Buffer, -1, (LPSTR)HandleNameData, 0x1000, NULL, NULL); - lstrcpyW((wchar_t*)HandleNameData, (wchar_t*)pObjectNameInfo->Name.Buffer); - if(lstrcmpiW((LPCWSTR)HandleNameData, RealMutexName) == NULL) - { - ReturnData = HandleInfo->ProcessId; - break; - } - } - } - } - EngineCloseHandle(myHandle); - } - } - } - HandleInfo = (PNTDLL_QUERY_HANDLE_INFO)((ULONG_PTR)HandleInfo + sizeof NTDLL_QUERY_HANDLE_INFO); - TotalHandleCount--; - } - VirtualFree(HandleFullData, NULL, MEM_RELEASE); - VirtualFree(HandleNameData, NULL, MEM_RELEASE); - 
VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE); - VirtualFree(QuerySystemBuffer, NULL, MEM_RELEASE); - return(ReturnData); - } - VirtualFree(HandleFullData, NULL, MEM_RELEASE); - VirtualFree(HandleNameData, NULL, MEM_RELEASE); - VirtualFree(ObjectNameInfo, NULL, MEM_RELEASE); - return(NULL); } diff --git a/TitanEngine/TitanEngine.Hider.cpp b/TitanEngine/TitanEngine.Hider.cpp index 8e32a6f..36a0e1c 100644 --- a/TitanEngine/TitanEngine.Hider.cpp +++ b/TitanEngine/TitanEngine.Hider.cpp 
@@ -5,33 +5,28 @@ // TitanEngine.Hider.functions: __declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess) { - typedef NTSTATUS(WINAPI *fNtQueryInformationProcess)(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength); - ULONG RequiredLen = 0; - void * PebAddress = 0; - PPROCESS_BASIC_INFORMATION myProcessBasicInformation = (PPROCESS_BASIC_INFORMATION)VirtualAlloc(NULL, sizeof(PROCESS_BASIC_INFORMATION) * 4, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE); + ULONG RequiredLen = 0; + void * PebAddress = 0; + PPROCESS_BASIC_INFORMATION myProcessBasicInformation = (PPROCESS_BASIC_INFORMATION)VirtualAlloc(NULL, sizeof(PROCESS_BASIC_INFORMATION) * 4, MEM_COMMIT|MEM_RESERVE, PAGE_READWRITE); - if(!myProcessBasicInformation) - return 0; + if(!myProcessBasicInformation) + return 0; - fNtQueryInformationProcess cNtQueryInformationProcess = (fNtQueryInformationProcess)GetProcAddress(GetModuleHandleA("ntdll.dll"),"NtQueryInformationProcess"); + if(NtQueryInformationProcess(hProcess, ProcessBasicInformation, myProcessBasicInformation, sizeof(PROCESS_BASIC_INFORMATION), &RequiredLen) == STATUS_SUCCESS) + { + PebAddress = (void*)myProcessBasicInformation->PebBaseAddress; + } + else + { + if(NtQueryInformationProcess(hProcess, ProcessBasicInformation, myProcessBasicInformation, RequiredLen, &RequiredLen) == STATUS_SUCCESS) + { + PebAddress = (void*)myProcessBasicInformation->PebBaseAddress; + } + } - if(cNtQueryInformationProcess != NULL) - { - if(cNtQueryInformationProcess(hProcess, ProcessBasicInformation, myProcessBasicInformation, sizeof(PROCESS_BASIC_INFORMATION), &RequiredLen) == STATUS_SUCCESS) - { - PebAddress = (void*)myProcessBasicInformation->PebBaseAddress; - } - else - { - if(cNtQueryInformationProcess(hProcess, ProcessBasicInformation, myProcessBasicInformation, RequiredLen, &RequiredLen) == STATUS_SUCCESS) - { - PebAddress = (void*)myProcessBasicInformation->PebBaseAddress; 
- } - } - } - VirtualFree(myProcessBasicInformation, 0, MEM_RELEASE); - return PebAddress; + VirtualFree(myProcessBasicInformation, 0, MEM_RELEASE); + return PebAddress; } __declspec(dllexport) void* TITCALL GetPEBLocation64(HANDLE hProcess) diff --git a/TitanEngine/TitanEngine.Injector.cpp b/TitanEngine/TitanEngine.Injector.cpp index 42b2310..c5400c0 100644 --- a/TitanEngine/TitanEngine.Injector.cpp +++ b/TitanEngine/TitanEngine.Injector.cpp @@ -26,13 +26,7 @@ __declspec(dllexport) bool TITCALL RemoteLoadLibraryW(HANDLE hProcess, wchar_t* LPVOID remStringData; LPVOID remCodeData; ULONG_PTR remInjectSize = (ULONG_PTR)((ULONG_PTR)&injectedRemoteFreeLibrary - (ULONG_PTR)&injectedRemoteLoadLibrary); -#if !defined(_WIN64) - typedef NTSTATUS(WINAPI *fZwSetInformationThread)(HANDLE fThreadHandle, DWORD fThreadInfoClass, LPVOID fBuffer, ULONG fBufferSize); -#else - typedef NTSTATUS(__fastcall *fZwSetInformationThread)(HANDLE fThreadHandle, DWORD fThreadInfoClass, LPVOID fBuffer, ULONG fBufferSize); -#endif - LPVOID ZwSetInformationThread = (LPVOID)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwSetInformationThread"); - fZwSetInformationThread cZwSetInformationThread = (fZwSetInformationThread)(ZwSetInformationThread); + ULONG_PTR NumberOfBytesWritten; DWORD ThreadId; HANDLE hThread; @@ -56,10 +50,9 @@ __declspec(dllexport) bool TITCALL RemoteLoadLibraryW(HANDLE hProcess, wchar_t* if(WaitForThreadExit) { hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)remCodeData, remStringData, CREATE_SUSPENDED, &ThreadId); - if(ZwSetInformationThread != NULL) - { - cZwSetInformationThread(hThread, 0x11, NULL, NULL); - } + + NtSetInformationThread(hThread, ThreadHideFromDebugger, NULL, NULL); + ResumeThread(hThread); WaitForSingleObject(hThread, INFINITE); VirtualFreeEx(hProcess, remCodeData, NULL, MEM_RELEASE); 
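Review bot: The retry in the else branch passes `RequiredLen` straight back as the buffer length without checking it against the `sizeof(PROCESS_BASIC_INFORMATION) * 4` bytes that were allocated, so if the first call ever reports a larger required size the second call writes past `myProcessBasicInformation`. Guard the retry: `if(RequiredLen <= sizeof(PROCESS_BASIC_INFORMATION) * 4 && NtQueryInformationProcess(hProcess, ProcessBasicInformation, myProcessBasicInformation, RequiredLen, &RequiredLen) == STATUS_SUCCESS)`. The same guard covers the case where the first call fails for a reason other than a length mismatch, in which case `RequiredLen` is whatever the call left in it rather than a meaningful size.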
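Review bot: `hThread` returned by `CreateRemoteThread` is used on the following three lines without a NULL check, so a failed thread creation passes an invalid handle to `NtSetInformationThread`, `ResumeThread` and `WaitForSingleObject`, and the function then falls through to its cleanup as if the injected code had run. Add an `if(hThread == NULL)` guard before the `NtSetInformationThread` call that frees `remCodeData` (and `remStringData`) and returns `false`; RemoteLoadLibraryW continues outside the hunk, so the exact cleanup sequence should follow the function's existing failure paths. The `NTSTATUS` from `NtSetInformationThread` is also discarded, so when the request fails the thread is resumed anyway and the caller has no indication that the helper thread was not hidden; at minimum capture the status and treat a negative value as failure. The same two issues apply to the identical lines added in RemoteFreeLibraryW at `@@ -153,10 +139,9 @@` and `@@ -200,10 +185,7 @@`.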
@@ -120,13 +113,6 @@ __declspec(dllexport) bool TITCALL RemoteFreeLibraryW(HANDLE hProcess, HMODULE h LPVOID remCodeData; ULONG_PTR remInjectSize1 = (ULONG_PTR)((ULONG_PTR)&injectedExitProcess - (ULONG_PTR)&injectedRemoteFreeLibrarySimple); ULONG_PTR remInjectSize2 = (ULONG_PTR)((ULONG_PTR)&injectedRemoteFreeLibrarySimple - (ULONG_PTR)&injectedRemoteFreeLibrary); -#if !defined(_WIN64) - typedef NTSTATUS(WINAPI *fZwSetInformationThread)(HANDLE fThreadHandle, DWORD fThreadInfoClass, LPVOID fBuffer, ULONG fBufferSize); -#else - typedef NTSTATUS(__fastcall *fZwSetInformationThread)(HANDLE fThreadHandle, DWORD fThreadInfoClass, LPVOID fBuffer, ULONG fBufferSize); -#endif - LPVOID ZwSetInformationThread = (LPVOID)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwSetInformationThread"); - fZwSetInformationThread cZwSetInformationThread = (fZwSetInformationThread)(ZwSetInformationThread); ULONG_PTR NumberOfBytesWritten; DWORD ThreadId; HANDLE hThread; @@ -153,10 +139,9 @@ __declspec(dllexport) bool TITCALL RemoteFreeLibraryW(HANDLE hProcess, HMODULE h if(WaitForThreadExit) { hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)remCodeData, remStringData, CREATE_SUSPENDED, &ThreadId); - if(ZwSetInformationThread != NULL) - { - cZwSetInformationThread(hThread, 0x11, NULL, NULL); - } + + NtSetInformationThread(hThread, ThreadHideFromDebugger, NULL, NULL); + ResumeThread(hThread); WaitForSingleObject(hThread, INFINITE); VirtualFreeEx(hProcess, remCodeData, NULL, MEM_RELEASE); 
@@ -200,10 +185,7 @@ __declspec(dllexport) bool TITCALL RemoteFreeLibraryW(HANDLE hProcess, HMODULE h if(WaitForThreadExit) { hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)remCodeData, remStringData, CREATE_SUSPENDED, &ThreadId); - if(ZwSetInformationThread != NULL) - { - cZwSetInformationThread(hThread, 0x11, NULL, NULL); - } + NtSetInformationThread(hThread, ThreadHideFromDebugger, NULL, NULL); ResumeThread(hThread); WaitForSingleObject(hThread, INFINITE); VirtualFreeEx(hProcess, remCodeData, NULL, MEM_RELEASE); diff --git a/TitanEngine/TitanEngine.vcxproj b/TitanEngine/TitanEngine.vcxproj index a238f5a..1ab3633 100644 --- a/TitanEngine/TitanEngine.vcxproj +++ b/TitanEngine/TitanEngine.vcxproj @@ -298,6 +298,7 @@ + diff --git a/TitanEngine/ntdll.h b/TitanEngine/ntdll.h new file mode 100644 index 0000000..49c6fc1 --- /dev/null +++ b/TitanEngine/ntdll.h 
@@ -0,0 +1,260 @@ +#pragma once + +#include + +#ifndef _WIN64 +#pragma comment(lib, "ntdll_x86.lib") +#else +#pragma comment(lib, "ntdll_x64.lib") +#endif + + + +typedef LONG NTSTATUS; + +typedef struct _UNICODE_STRING { + USHORT Length; + USHORT MaximumLength; + PWSTR Buffer; +} UNICODE_STRING, *PUNICODE_STRING; + +typedef struct _PUBLIC_OBJECT_BASIC_INFORMATION { + ULONG Attributes; + ACCESS_MASK GrantedAccess; + ULONG HandleCount; + ULONG PointerCount; + + ULONG Reserved[10]; // reserved for internal use + +} PUBLIC_OBJECT_BASIC_INFORMATION, *PPUBLIC_OBJECT_BASIC_INFORMATION; + +typedef struct __PUBLIC_OBJECT_TYPE_INFORMATION { + + UNICODE_STRING TypeName; + + ULONG Reserved [22]; // reserved for internal use + +} PUBLIC_OBJECT_TYPE_INFORMATION, *PPUBLIC_OBJECT_TYPE_INFORMATION; + +typedef struct _PROCESS_BASIC_INFORMATION { + PVOID Reserved1; + PVOID PebBaseAddress; + PVOID Reserved2[2]; + ULONG_PTR UniqueProcessId; + PVOID Reserved3; +} PROCESS_BASIC_INFORMATION; +typedef PROCESS_BASIC_INFORMATION *PPROCESS_BASIC_INFORMATION; + +typedef enum _PROCESSINFOCLASS { + ProcessBasicInformation, + ProcessQuotaLimits, + ProcessIoCounters, + ProcessVmCounters, + ProcessTimes, + ProcessBasePriority, + ProcessRaisePriority, + ProcessDebugPort, + ProcessExceptionPort, + ProcessAccessToken, + ProcessLdtInformation, + ProcessLdtSize, + ProcessDefaultHardErrorMode, + ProcessIoPortHandlers, // Note: this is kernel mode only + ProcessPooledUsageAndLimits, + ProcessWorkingSetWatch, + ProcessUserModeIOPL, + ProcessEnableAlignmentFaultFixup, + ProcessPriorityClass, + ProcessWx86Information, + ProcessHandleCount, + ProcessAffinityMask, + ProcessPriorityBoost, + ProcessDeviceMap, + ProcessSessionInformation, + ProcessForegroundInformation, + ProcessWow64Information, + ProcessImageFileName, + ProcessLUIDDeviceMapsEnabled, + ProcessBreakOnTermination, + ProcessDebugObjectHandle, + ProcessDebugFlags, + ProcessHandleTracing, + ProcessIoPriority, + ProcessExecuteFlags, + 
ProcessResourceManagement, + ProcessCookie, + ProcessImageInformation, + MaxProcessInfoClass // MaxProcessInfoClass should always be the last enum +} PROCESSINFOCLASS; + +typedef enum _SYSTEM_INFORMATION_CLASS { + SystemBasicInformation, + SystemProcessorInformation, // obsolete...delete + SystemPerformanceInformation, + SystemTimeOfDayInformation, + SystemPathInformation, + SystemProcessInformation, + SystemCallCountInformation, + SystemDeviceInformation, + SystemProcessorPerformanceInformation, + SystemFlagsInformation, + SystemCallTimeInformation, + SystemModuleInformation, + SystemLocksInformation, + SystemStackTraceInformation, + SystemPagedPoolInformation, + SystemNonPagedPoolInformation, + SystemHandleInformation, + SystemObjectInformation, + SystemPageFileInformation, + SystemVdmInstemulInformation, + SystemVdmBopInformation, + SystemFileCacheInformation, + SystemPoolTagInformation, + SystemInterruptInformation, + SystemDpcBehaviorInformation, + SystemFullMemoryInformation, + SystemLoadGdiDriverInformation, + SystemUnloadGdiDriverInformation, + SystemTimeAdjustmentInformation, + SystemSummaryMemoryInformation, + SystemMirrorMemoryInformation, + SystemPerformanceTraceInformation, + SystemObsolete0, + SystemExceptionInformation, + SystemCrashDumpStateInformation, + SystemKernelDebuggerInformation, + SystemContextSwitchInformation, + SystemRegistryQuotaInformation, + SystemExtendServiceTableInformation, + SystemPrioritySeperation, + SystemVerifierAddDriverInformation, + SystemVerifierRemoveDriverInformation, + SystemProcessorIdleInformation, + SystemLegacyDriverInformation, + SystemCurrentTimeZoneInformation, + SystemLookasideInformation, + SystemTimeSlipNotification, + SystemSessionCreate, + SystemSessionDetach, + SystemSessionInformation, + SystemRangeStartInformation, + SystemVerifierInformation, + SystemVerifierThunkExtend, + SystemSessionProcessInformation, + SystemLoadGdiDriverInSystemSpace, + SystemNumaProcessorMap, + SystemPrefetcherInformation, + 
SystemExtendedProcessInformation, + SystemRecommendedSharedDataAlignment, + SystemComPlusPackage, + SystemNumaAvailableMemory, + SystemProcessorPowerInformation, + SystemEmulationBasicInformation, + SystemEmulationProcessorInformation, + SystemExtendedHandleInformation, + SystemLostDelayedWriteInformation, + SystemBigPoolInformation, + SystemSessionPoolTagInformation, + SystemSessionMappedViewInformation, + SystemHotpatchInformation, + SystemObjectSecurityMode, + SystemWatchdogTimerHandler, + SystemWatchdogTimerInformation, + SystemLogicalProcessorInformation, + SystemWow64SharedInformation, + SystemRegisterFirmwareTableInformationHandler, + SystemFirmwareTableInformation, + SystemModuleInformationEx, + SystemVerifierTriageInformation, + SystemSuperfetchInformation, + SystemMemoryListInformation, + SystemFileCacheInformationEx, + MaxSystemInfoClass // MaxSystemInfoClass should always be the last enum +} SYSTEM_INFORMATION_CLASS; + +typedef enum _OBJECT_INFORMATION_CLASS { + ObjectBasicInformation, + ObjectNameInformation, + ObjectTypeInformation, + ObjectTypesInformation, + ObjectHandleFlagInformation, + ObjectSessionInformation, + MaxObjectInfoClass // MaxObjectInfoClass should always be the last enum +} OBJECT_INFORMATION_CLASS; + +typedef enum _THREADINFOCLASS { + ThreadBasicInformation, + ThreadTimes, + ThreadPriority, + ThreadBasePriority, + ThreadAffinityMask, + ThreadImpersonationToken, + ThreadDescriptorTableEntry, + ThreadEnableAlignmentFaultFixup, + ThreadEventPair_Reusable, + ThreadQuerySetWin32StartAddress, + ThreadZeroTlsCell, + ThreadPerformanceCount, + ThreadAmILastThread, + ThreadIdealProcessor, + ThreadPriorityBoost, + ThreadSetTlsArrayAddress, + ThreadIsIoPending, + ThreadHideFromDebugger, + ThreadBreakOnTermination, + ThreadSwitchLegacyState, + ThreadIsTerminated, + MaxThreadInfoClass +} THREADINFOCLASS; + + +#ifdef __cplusplus +extern "C" { +#endif + + NTSYSCALLAPI + NTSTATUS + NTAPI + NtQueryInformationProcess ( + __in HANDLE ProcessHandle, + 
__in PROCESSINFOCLASS ProcessInformationClass, + __out_bcount(ProcessInformationLength) PVOID ProcessInformation, + __in ULONG ProcessInformationLength, + __out_opt PULONG ReturnLength + ); + + NTSYSCALLAPI + NTSTATUS + NTAPI + NtQueryObject ( + __in HANDLE Handle, + __in OBJECT_INFORMATION_CLASS ObjectInformationClass, + __out_bcount_opt(ObjectInformationLength) PVOID ObjectInformation, + __in ULONG ObjectInformationLength, + __out_opt PULONG ReturnLength + ); + + NTSYSCALLAPI + NTSTATUS + NTAPI + NtQuerySystemInformation ( + __in SYSTEM_INFORMATION_CLASS SystemInformationClass, + __out_bcount_opt(SystemInformationLength) PVOID SystemInformation, + __in ULONG SystemInformationLength, + __out_opt PULONG ReturnLength + ); + + NTSYSCALLAPI + NTSTATUS + NTAPI + NtSetInformationThread ( + __in HANDLE ThreadHandle, + __in THREADINFOCLASS ThreadInformationClass, + __in_bcount(ThreadInformationLength) PVOID ThreadInformation, + __in ULONG ThreadInformationLength + ); + +#ifdef __cplusplus +}; +#endif diff --git a/TitanEngine/ntdll_x64.lib b/TitanEngine/ntdll_x64.lib new file mode 100644 index 0000000000000000000000000000000000000000..d4f11e8f4abee51ff19d77eb45e8a5def7175cc4 GIT binary patch literal 2428 zcmcIlL2nXK5dMGy1x-VgL=&Q+kwm>vgr#C)bgP(1N*4rrUMag3Oeqa)4?TJ7$#YNk zAO9MAwq;@g(<5$zF&8nN$*dH71zS%S!Q%~i>(a(*dAExlH z1b|EsFhal?2~L)QG*L8Srv^(1A&4-1@H_LsjOe*t z0iT8^Mq%36+Y<@7stS}s-l+oPIDmNkPCe`+tW!>Sqz!ZD@I$ITTmdg>@>wnfR}p)a z?ifw0naWC4oF?CiehUGm7b-I6!fsuN!KL?yNZPSnMe^KFJO)ZWjfh=3e5r@H9b>fo zu;qjf;)&B+Tb)+FH|XtJ$w#%v$#O~C6nYoCNh>}E69_~+i_w=*M>EF<)K;&1K<7-H ze!<1XxIGyX{Fvl*Rlq)KTT1MU4ZR2(g>7gP9Gm<|!t(q45rh8@JQXWuerWW)zJ?QZ zE;=VdvPxkLA$}Vn-|U0&@w^d24b(Np5R#J$M#xvW5S$V6A2L5rM(@!PrZ(?|V^$b- zH(6D`$iXnZ-Z7g|Re2dEu1c<|@u5PMRi#Kd+x?Ua!P)MbV>?e=6XgDydR5+e$@#_R z(lm~_U#09DF3oxkWLF%O`JCui6aoIE+vi>K>7yoc>7Ds!KY7`PFZp>ue)z?k{(?C! X7q0Al&iihw%{L literal 0 HcmV?d00001 
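Review bot: The header redefines `NTSTATUS`, `UNICODE_STRING`, `PROCESS_BASIC_INFORMATION`, `PROCESSINFOCLASS` and the `PUBLIC_OBJECT_*_INFORMATION` structs under the same names the SDK's `winternl.h` uses, so any translation unit that pulls in both gets redefinition errors; that is presumably why the include in `stdafx.h` was commented out, but nothing in this file says so. Add a header comment stating that this file replaces the SDK declarations, must not be mixed with `winternl.h`, and that the prototypes resolve through the bundled `ntdll_x86.lib`/`ntdll_x64.lib` named in the `#pragma comment(lib, ...)` lines rather than through `GetProcAddress` as before. The enumerator positions the callers depend on match the constants the commit removes (`SystemHandleInformation` is 16 and `ThreadHideFromDebugger` is 17, i.e. the old `0x10` and `0x11`), which deserves a one-line comment next to those enumerators because an entry inserted or dropped above them would silently change the information class requested. The struct tag `__PUBLIC_OBJECT_TYPE_INFORMATION` is a reserved double-underscore identifier (likely copied from the SDK); `_PUBLIC_OBJECT_TYPE_INFORMATION` would be consistent with the neighbouring tags.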
diff --git a/TitanEngine/ntdll_x86.lib b/TitanEngine/ntdll_x86.lib new file mode 100644 index 0000000000000000000000000000000000000000..a173db378d295ae1ad705f71246ff92f491634a2 GIT binary patch literal 2500 zcmcIlO-~a+7=GGXN-Kv(Nj#vYMhtj?eryXQMi;G#4a*kWa$ZZjNC~A)yBs+A2mA?g zlKTH+4ZiPoW_SCs{V+Po?99CL?mRQ^^Sm=pUQ|1^qnEMuM1M(Twv=Q# zrKD2*_M{kQvWn<^hyl0@gmfU>2Iek-$W5=#UjueMrj}}ye4@Hx6n6KDrHYY%TYgh2 z>{W^-L$BmD4ThobYufNMKH2lV*~+_peaFaeSGHm3*84NFb6z+-Y;~GdtI;~$>$GZS zx2vX;v|6LtrX|Pvh}rUa*D{-)b<|XDV1dyt;{W2ov01Z*Q9X9uDw~!Ep>otQtMxt{ zKZlvw$+_%Ah#oxzw8OyV9B@O1>v`aqsvfne!yU{aj0geQ$?{oR(9I)cH>JmoO0hP?5Y6emP+Vr|xg6(vR&b5?4WL z;~;TRi8_Z`!TmU^iC5#oe=l9!+ilc3t#0ekO01TiC$xgTW6utJ7HG^r@&X`{aW76^ zQYG~q45+nMvrYS4y7+?ITM5SgTzF$a$m6Pjz11UWu@A;5A!$+AhYWChvaW^gkNG1C zuMTX85jR25jYaps%mVchNX$9tlnO~Jn;wM(ZH0WZH^$o=t&qAs<$gR0$w(_J zY^RCm62baNaMoz%)aka6>&@zZb}Z`Uj!O5JUg~ literal 0 HcmV?d00001 diff --git a/TitanEngine/stdafx.h b/TitanEngine/stdafx.h index ec083ec..5158805 100644 --- a/TitanEngine/stdafx.h +++ b/TitanEngine/stdafx.h @@ -12,9 +12,8 @@ #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers // Windows Header Files: #include -#include - - +//#include +#include "ntdll.h" #include "aplib.h" #include "LzmaDec.h" @@ -719,10 +718,6 @@ typedef struct // UnpackEngine.Handler: -#define NTDLL_SystemHandleInfo 0x10 -#define ObjectBasicInformation 0 -#define ObjectNameInformation 1 -#define ObjectTypeInformation 2 /*typedef enum _POOL_TYPE { NonPagedPool,
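Review bot: The replaced include survives as the commented-out line `//#include …` directly above `#include "ntdll.h"`; remove it rather than commenting it out, since git keeps the history and a commented-out include invites someone to re-enable it alongside `ntdll.h`, which (if the old header was `winternl.h`) declares the same type names and would fail to compile. The include target does not survive this rendering, so I cannot confirm which SDK header it was.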