From a1134258a5cf3fde4f7d76e1628dce9be0e0248c Mon Sep 17 00:00:00 2001
From: "mr.exodia"
Date: Wed, 19 Feb 2014 17:52:38 +0100
Subject: [PATCH] - baby steps in better TitanEngine code
---
 TitanEngine/Global.Engine.cpp | 2153 +++++++++++++++++++++
 TitanEngine/Global.Engine.h | 50 +
 TitanEngine/Global.Handle.cpp | 11 +
 TitanEngine/Global.Handle.h | 6 +
 TitanEngine/Global.Mapping.cpp | 138 ++
 TitanEngine/Global.Mapping.h | 8 +
 TitanEngine/TitanEngine.Dumper.cpp | 3 +
 TitanEngine/TitanEngine.Dumper.h | 6 +
 TitanEngine/TitanEngine.cpp | 2366 +----------------------
 TitanEngine/TitanEngine.vcxproj | 8 +
 TitanEngine/TitanEngine.vcxproj.filters | 30 +
 TitanEngine/stdafx.h | 2 +-
 12 files changed, 2468 insertions(+), 2313 deletions(-)
 create mode 100644 TitanEngine/Global.Engine.cpp
 create mode 100644 TitanEngine/Global.Engine.h
 create mode 100644 TitanEngine/Global.Handle.cpp
 create mode 100644 TitanEngine/Global.Handle.h
 create mode 100644 TitanEngine/Global.Mapping.cpp
 create mode 100644 TitanEngine/Global.Mapping.h
 create mode 100644 TitanEngine/TitanEngine.Dumper.cpp
 create mode 100644 TitanEngine/TitanEngine.Dumper.h
diff --git a/TitanEngine/Global.Engine.cpp b/TitanEngine/Global.Engine.cpp
new file mode 100644
index 0000000..18221cc
--- /dev/null
+++ b/TitanEngine/Global.Engine.cpp
@@ -0,0 +1,2153 @@
+#include "stdafx.h"
+#include "definitions.h"
+#include "Global.Engine.h"
+#include "Global.Handle.h"
+#include "Global.Mapping.h"
+#include
+
+HARDWARE_DATA DebugRegister[4] = {};
+PROCESS_INFORMATION dbgProcessInformation = {};
+char engineExtractedFolderName[512];
+char engineFoundDLLName[512];
+char engineFoundAPIName[512];
+char engineExtractedFileName[512];
+wchar_t engineExtractedFileNameW[512];
+std::vector Plugin;
+HMODULE engineHandle;
+bool engineCheckForwarders = true;
+bool engineAlowModuleLoading = false;
+bool engineCreatePathForFiles = true; // hardcoded
+
+// Global.Engine.functions:
+void EngineExecutePluginReleaseCallBack()
+{
+ typedef void(TITCALL *fPluginReleaseExec)();
+ fPluginReleaseExec myPluginReleaseExec;
+
+ for(unsigned int i = 0; i < Plugin.size(); i++)
+ {
+ __try
+ {
+ if(Plugin.at(i).TitanReleasePlugin != NULL)
+ {
+ myPluginReleaseExec = (fPluginReleaseExec)Plugin[i].TitanReleasePlugin;
+ myPluginReleaseExec();
+ }
+ }
+ __except(EXCEPTION_EXECUTE_HANDLER)
+ {
+
+ }
+ }
+}
+
+void EngineExecutePluginResetCallBack()
+{
+
+ typedef void(TITCALL *fPluginResetExec)();
+ fPluginResetExec myPluginResetExec;
+
+ for(unsigned int i = 0; i < Plugin.size(); i++)
+ {
+ __try
+ {
+ if(Plugin.at(i).TitanResetPlugin != NULL)
+ {
+ myPluginResetExec = (fPluginResetExec)Plugin[i].TitanResetPlugin;
+ myPluginResetExec();
+ }
+ }
+ __except(EXCEPTION_EXECUTE_HANDLER)
+ {
+
+ }
+ }
+}
+
+void EngineExecutePluginDebugCallBack(LPDEBUG_EVENT debugEvent, int CallReason)
+{
+ typedef void(TITCALL *fPluginDebugExec)(LPDEBUG_EVENT debugEvent, int CallReason);
+ fPluginDebugExec myPluginDebugExec;
+
+ for(unsigned int i = 0; i < Plugin.size(); i++)
+ {
+ __try
+ {
+ if(!Plugin.at(i).PluginDisabled)
+ {
+ if(Plugin.at(i).TitanDebuggingCallBack != NULL)
+ {
+ myPluginDebugExec = (fPluginDebugExec)Plugin[i].TitanDebuggingCallBack;
+ myPluginDebugExec(debugEvent, CallReason);
+ }
+ }
+ }
+ __except(EXCEPTION_EXECUTE_HANDLER)
+ {
+
+ }
+ }
+}
+
+bool EngineIsThereFreeHardwareBreakSlot(LPDWORD FreeRegister)
+{
+
+ if(DebugRegister[0].DrxEnabled == false)
+ {
+ if(FreeRegister != NULL)
+ {
+ *FreeRegister = UE_DR0;
+ }
+ return(true);
+ }
+ else if(DebugRegister[1].DrxEnabled == false)
+ {
+ if(FreeRegister != NULL)
+ {
+ *FreeRegister = UE_DR1;
+ }
+ return(true);
+ }
+ else if(DebugRegister[2].DrxEnabled == false)
+ {
+ if(FreeRegister != NULL)
+ {
+ *FreeRegister = UE_DR2;
+ }
+ return(true);
+ }
+ else if(DebugRegister[3].DrxEnabled == false)
+ {
+ if(FreeRegister != NULL)
+ {
+ *FreeRegister = UE_DR3;
+ }
+ return(true);
+ }
+ return(false);
+}
+
+bool EngineFileExists(char* szFileName)
+{
+
+ HANDLE hFile = CreateFileA(szFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
+ if(hFile != INVALID_HANDLE_VALUE)
+ {
+ EngineCloseHandle(hFile);
+ return(true);
+ }
+ else
+ {
+ return(false);
+ }
+}
+
+char* EngineExtractPath(char* szFileName)
+{
+ int i;
+
+ RtlZeroMemory(&engineExtractedFolderName, sizeof(engineExtractedFolderName));
+ lstrcpyA(engineExtractedFolderName, szFileName);
+ i = lstrlenA(engineExtractedFolderName);
+ while(i > 0 && engineExtractedFolderName[i] != 0x5C)
+ {
+ engineExtractedFolderName[i] = 0x00;
+ i--;
+ }
+ return(engineExtractedFolderName);
+}
+
+char* EngineExtractFileName(char* szFileName)
+{
+
+ int i;
+ int j;
+ int x = 0;
+
+ i = lstrlenA(szFileName);
+ RtlZeroMemory(&engineExtractedFileName, sizeof(engineExtractedFileName));
+ while(i > 0 && szFileName[i] != 0x5C)
+ {
+ i--;
+ }
+ if(szFileName[i] == 0x5C)
+ {
+ for(j = i + 1; j <= lstrlenA(szFileName); j++)
+ {
+ engineExtractedFileName[x] = szFileName[j];
+ x++;
+ }
+ }
+ else
+ {
+ return(szFileName);
+ }
+ return(engineExtractedFileName);
+}
+
+bool EngineCreatePathForFile(char* szFileName)
+{
+
+ int i,j;
+ char szFolderName[2 * MAX_PATH] = {};
+ char szCreateFolder[2 * MAX_PATH] = {};
+
+ if(engineCreatePathForFiles)
+ {
+ i = lstrlenA(szFileName);
+ while(szFileName[i] != '\\' && i > NULL)
+ {
+ i--; + } + if(i != NULL) + { + RtlMoveMemory(szFolderName, szFileName, i + 1); + if(!CreateDirectoryA(szFolderName, NULL)) + { + if(GetLastError() != ERROR_ALREADY_EXISTS) + { + j = lstrlenA(szFolderName); + for(i = 4; i < j; i++) + { + if(szFileName[i] == '\\') + { + RtlZeroMemory(szCreateFolder, 2 * MAX_PATH); + RtlCopyMemory(szCreateFolder, szFileName, i + 1); + CreateDirectoryA(szCreateFolder, NULL); + } + } + } + } + } + } + return(true); +} + +bool EngineCreatePathForFileW(wchar_t* szFileName) +{ + + int i,j; + wchar_t szFolderName[MAX_PATH] = {}; + wchar_t szCreateFolder[MAX_PATH] = {}; + + if(engineCreatePathForFiles) + { + i = lstrlenW(szFileName); + while(szFileName[i] != '\\' && i > 0) + { + i--; + } + if(i != 0) + { + RtlCopyMemory(szFolderName, szFileName, (i * 2) + 2); + if(!CreateDirectoryW(szFolderName, NULL)) + { + if(GetLastError() != ERROR_ALREADY_EXISTS) + { + j = lstrlenW(szFolderName); + for(i = 4; i < j; i++) + { + if(szFileName[i] == '\\') + { + RtlZeroMemory(szCreateFolder, 2 * MAX_PATH); + RtlCopyMemory(szCreateFolder, szFileName, (i * 2) + 1); + CreateDirectoryW(szCreateFolder, NULL); + } + } + } + } + } + } + return(true); +} + +wchar_t* EngineExtractFileNameW(wchar_t* szFileName) +{ + + int i; + int j; + int x = 0; + + i = lstrlenW(szFileName); + RtlZeroMemory(&engineExtractedFileNameW, sizeof engineExtractedFileNameW); + while(i > 0 && szFileName[i] != 0x5C) + { + i--; + } + if(szFileName[i] == 0x5C) + { + int len=lstrlenW(szFileName); + for(j = i + 1; j <= len; j++) + { + engineExtractedFileNameW[x] = szFileName[j]; + x++; + } + } + else + { + return(szFileName); + } + return(engineExtractedFileNameW); +} + +bool EngineIsPointedMemoryString(ULONG_PTR PossibleStringPtr) +{ + + bool StringIsValid = true; + unsigned int i = 512; + MEMORY_BASIC_INFORMATION MemInfo = {0}; + DWORD MaxDisassmSize = 512; + BYTE TestChar; + + VirtualQueryEx(GetCurrentProcess(), (LPVOID)PossibleStringPtr, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); + 
if(MemInfo.State == MEM_COMMIT) + { + if((ULONG_PTR)MemInfo.BaseAddress + (ULONG_PTR)MemInfo.RegionSize - PossibleStringPtr <= 512) + { + MaxDisassmSize = (DWORD)((ULONG_PTR)MemInfo.BaseAddress + (ULONG_PTR)MemInfo.RegionSize - PossibleStringPtr - 1); + VirtualQueryEx(GetCurrentProcess(), (LPVOID)(PossibleStringPtr + (ULONG_PTR)MemInfo.RegionSize), &MemInfo, sizeof MEMORY_BASIC_INFORMATION); + if(MemInfo.State != MEM_COMMIT) + { + i = MaxDisassmSize; + } + else + { + MaxDisassmSize = 512; + } + } + else + { + MaxDisassmSize = 512; + } + + TestChar = *((BYTE*)PossibleStringPtr); + while(i > NULL && StringIsValid == true && TestChar != 0x00) + { + TestChar = *((BYTE*)PossibleStringPtr); + + if(TestChar < 32 || TestChar > 126) + { + if(TestChar != 0x00) + { + StringIsValid = false; + } + } + PossibleStringPtr++; + i--; + } + if(StringIsValid == true && MaxDisassmSize - i > 4) + { + return(true); + } + } + return(false); +} + +int EnginePointedMemoryStringLength(ULONG_PTR PossibleStringPtr) +{ + + bool StringIsValid = true; + unsigned int i = 512; + MEMORY_BASIC_INFORMATION MemInfo; + DWORD MaxDisassmSize = 512; + BYTE TestChar; + + VirtualQueryEx(GetCurrentProcess(), (LPVOID)PossibleStringPtr, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); + if(MemInfo.State == MEM_COMMIT) + { + if((ULONG_PTR)MemInfo.BaseAddress + (ULONG_PTR)MemInfo.RegionSize - PossibleStringPtr <= 512) + { + MaxDisassmSize = (DWORD)((ULONG_PTR)MemInfo.BaseAddress + (ULONG_PTR)MemInfo.RegionSize - PossibleStringPtr - 1); + VirtualQueryEx(GetCurrentProcess(), (LPVOID)(PossibleStringPtr + (ULONG_PTR)MemInfo.RegionSize), &MemInfo, sizeof MEMORY_BASIC_INFORMATION); + if(MemInfo.State != MEM_COMMIT) + { + i = MaxDisassmSize; + } + } + + TestChar = *((BYTE*)PossibleStringPtr); + while(i > NULL && StringIsValid == true && TestChar != 0x00) + { + TestChar = *((BYTE*)PossibleStringPtr); + + if(TestChar < 32 || TestChar > 126) + { + if(TestChar != 0x00) + { + StringIsValid = false; + } + } + PossibleStringPtr++; 
+ i--; + } + if(StringIsValid == true && 512 - i > 4) + { + i = 512 - i; + return(i); + } + } + return(NULL); +} + +bool EngineCompareResourceString(wchar_t* String1, wchar_t* String2) +{ + + PMEMORY_COMPARE_HANDLER memData = (PMEMORY_COMPARE_HANDLER)String1; + wchar_t StringCmp[MAX_PATH] = {}; + + String1 = (wchar_t*)((ULONG_PTR)String1 + 2); + RtlMoveMemory(&StringCmp[0], &String1[0], memData->Array.wArrayEntry[0] * 2); + if(lstrcmpiW(StringCmp, String2) == NULL) + { + return(true); + } + return(false); +} + +long long EngineEstimateNewSectionRVA(ULONG_PTR FileMapVA) +{ + + PIMAGE_DOS_HEADER DOSHeader; + PIMAGE_NT_HEADERS32 PEHeader32; + PIMAGE_NT_HEADERS64 PEHeader64; + PIMAGE_SECTION_HEADER PESections; + DWORD NewSectionVirtualOffset = 0; + DWORD SectionNumber = 0; + BOOL FileIs64; + + if(FileMapVA != NULL) + { + DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; + PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + if(PEHeader32->OptionalHeader.Magic == 0x10B) + { + FileIs64 = false; + } + else if(PEHeader32->OptionalHeader.Magic == 0x20B) + { + FileIs64 = true; + } + else + { + return(0); + } + + if(!FileIs64) + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + SectionNumber = PEHeader32->FileHeader.NumberOfSections; + __try + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + (SectionNumber - 1) * IMAGE_SIZEOF_SECTION_HEADER); + NewSectionVirtualOffset = PESections->VirtualAddress + (PESections->Misc.VirtualSize / PEHeader32->OptionalHeader.SectionAlignment) * PEHeader32->OptionalHeader.SectionAlignment; + if(NewSectionVirtualOffset < PESections->VirtualAddress + PESections->Misc.VirtualSize) + { + NewSectionVirtualOffset = NewSectionVirtualOffset + PEHeader32->OptionalHeader.SectionAlignment; + } + return((ULONG_PTR)(NewSectionVirtualOffset + 
PEHeader32->OptionalHeader.ImageBase)); + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + return(0); + } + } + else + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + SectionNumber = PEHeader64->FileHeader.NumberOfSections; + __try + { + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + (SectionNumber - 1) * IMAGE_SIZEOF_SECTION_HEADER); + NewSectionVirtualOffset = PESections->VirtualAddress + (PESections->Misc.VirtualSize / PEHeader64->OptionalHeader.SectionAlignment) * PEHeader64->OptionalHeader.SectionAlignment; + if(NewSectionVirtualOffset < PESections->VirtualAddress + PESections->Misc.VirtualSize) + { + NewSectionVirtualOffset = NewSectionVirtualOffset + PEHeader32->OptionalHeader.SectionAlignment; + } + return((ULONG_PTR)(NewSectionVirtualOffset + PEHeader64->OptionalHeader.ImageBase)); + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + return(0); + } + } + } + return(0); +} + +bool EngineExtractForwarderData(ULONG_PTR PossibleStringPtr, LPVOID szFwdDLLName, LPVOID szFwdAPIName) +{ + + __try + { + LPVOID lpPossibleStringPtr = (LPVOID)PossibleStringPtr; + BYTE TestChar; + + TestChar = *((BYTE*)PossibleStringPtr); + + while(TestChar != 0x2E && TestChar != 0x00) + { + TestChar = *((BYTE*)PossibleStringPtr); + PossibleStringPtr++; + } + if(TestChar == 0x00) + { + return(false); + } + PossibleStringPtr--; + RtlCopyMemory(szFwdDLLName, lpPossibleStringPtr, PossibleStringPtr - (ULONG_PTR)lpPossibleStringPtr); + lstrcatA((LPSTR)szFwdDLLName, ".dll"); + lpPossibleStringPtr = (LPVOID)(PossibleStringPtr + 1); + TestChar = *((BYTE*)PossibleStringPtr); + + if(TestChar == 0x23) + { + lpPossibleStringPtr = (LPVOID)(PossibleStringPtr + 1); + } + while(TestChar != 0x00) + { + TestChar = *((BYTE*)PossibleStringPtr); + PossibleStringPtr++; + } + RtlCopyMemory(szFwdAPIName, lpPossibleStringPtr, PossibleStringPtr - (ULONG_PTR)lpPossibleStringPtr); + return(true); + } + 
__except(EXCEPTION_EXECUTE_HANDLER) + { + return(false); + } +} + +bool EngineGrabDataFromMappedFile(HANDLE hFile, ULONG_PTR FileMapVA, ULONG_PTR FileOffset, DWORD CopySize, LPVOID CopyToMemory) +{ + DWORD rfNumberOfBytesRead = NULL; + + RtlZeroMemory(CopyToMemory, CopySize); + SetFilePointer(hFile, (DWORD)(FileOffset - FileMapVA), NULL, FILE_BEGIN); + return !!ReadFile(hFile, CopyToMemory, CopySize, &rfNumberOfBytesRead, NULL); +} + +bool EngineExtractResource(char* szResourceName, wchar_t* szExtractedFileName) +{ + + HRSRC hResource; + HGLOBAL hResourceGlobal; + DWORD ResourceSize; + LPVOID ResourceData; + DWORD NumberOfBytesWritten; + HANDLE hFile; + + hResource = FindResourceA(engineHandle, (LPCSTR)szResourceName, "BINARY"); + if(hResource != NULL) + { + hResourceGlobal = LoadResource(engineHandle, hResource); + if(hResourceGlobal != NULL) + { + ResourceSize = SizeofResource(engineHandle, hResource); + ResourceData = LockResource(hResourceGlobal); + if(EngineCreatePathForFileW(szExtractedFileName)) + { + hFile = CreateFileW(szExtractedFileName, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); + if(hFile != INVALID_HANDLE_VALUE) + { + WriteFile(hFile, ResourceData, ResourceSize, &NumberOfBytesWritten, NULL); + EngineCloseHandle(hFile); + } + else + { + return(false); + } + } + } + return(true); + } + return(false); +} + +bool EngineIsDependencyPresent(char* szFileName, char* szDependencyForFile, char* szPresentInFolder) +{ + int i,j; + HANDLE hFile; + char szTryFileName[512] = {0}; + + if(szPresentInFolder != NULL && szFileName != NULL) + { + lstrcpyA(szTryFileName, szPresentInFolder); + if(szTryFileName[lstrlenA(szTryFileName)-1] != 0x5C) + { + szTryFileName[lstrlenA(szTryFileName)] = 0x5C; + } + lstrcatA(szTryFileName, szFileName); + hFile = CreateFileA(szTryFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); + if(hFile != INVALID_HANDLE_VALUE) + { + EngineCloseHandle(hFile); + 
return(true); + } + } + + if(szFileName != NULL) + { + hFile = CreateFileA(szFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); + if(hFile != INVALID_HANDLE_VALUE) + { + EngineCloseHandle(hFile); + return(true); + } + if(GetSystemDirectoryA(szTryFileName, 512) > NULL) + { + lstrcatA(szTryFileName, "\\"); + lstrcatA(szTryFileName, szFileName); + hFile = CreateFileA(szTryFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); + if(hFile != INVALID_HANDLE_VALUE) + { + EngineCloseHandle(hFile); + return(true); + } + } + if(GetWindowsDirectoryA(szTryFileName, 512) > NULL) + { + lstrcatA(szTryFileName, "\\"); + lstrcatA(szTryFileName, szFileName); + hFile = CreateFileA(szTryFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); + if(hFile != INVALID_HANDLE_VALUE) + { + EngineCloseHandle(hFile); + return(true); + } + } + if(szDependencyForFile != NULL) + { + RtlZeroMemory(&szTryFileName, 512); + i = lstrlenA(szDependencyForFile); + while(i > 0 && szDependencyForFile[i] != 0x5C) + { + i--; + } + for(j = 0; j <= i; j++) + { + szTryFileName[j] = szDependencyForFile[j]; + } + lstrcatA(szTryFileName, szFileName); + hFile = CreateFileA(szTryFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); + if(hFile != INVALID_HANDLE_VALUE) + { + EngineCloseHandle(hFile); + return(true); + } + } + } + return(false); +} + +bool EngineIsDependencyPresentW(wchar_t* szFileName, wchar_t* szDependencyForFile, wchar_t* szPresentInFolder) +{ + + int i,j; + HANDLE hFile; + wchar_t szTryFileName[512] = {0}; + + if(szPresentInFolder != NULL) + { + lstrcpyW(szTryFileName, szPresentInFolder); + if(szTryFileName[lstrlenW(szTryFileName)-1] != 0x5C) + { + szTryFileName[lstrlenW(szTryFileName)] = 0x5C; + } + lstrcatW(szTryFileName, szFileName); + hFile = CreateFileW(szTryFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 
NULL); + if(hFile != INVALID_HANDLE_VALUE) + { + EngineCloseHandle(hFile); + return(true); + } + } + if(szFileName != NULL) + { + hFile = CreateFileW(szFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); + if(hFile != INVALID_HANDLE_VALUE) + { + EngineCloseHandle(hFile); + return(true); + } + if(GetSystemDirectoryW(szTryFileName, 512) > NULL) + { + lstrcatW(szTryFileName, L"\\"); + lstrcatW(szTryFileName, szFileName); + hFile = CreateFileW(szTryFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); + if(hFile != INVALID_HANDLE_VALUE) + { + EngineCloseHandle(hFile); + return(true); + } + } + + if(GetWindowsDirectoryW(szTryFileName, 512) > NULL) + { + lstrcatW(szTryFileName, L"\\"); + lstrcatW(szTryFileName, szFileName); + hFile = CreateFileW(szTryFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); + if(hFile != INVALID_HANDLE_VALUE) + { + EngineCloseHandle(hFile); + return(true); + } + } + + if(szDependencyForFile != NULL) + { + i = lstrlenW(szDependencyForFile); + while(i > 0 && szDependencyForFile[i] != 0x5C) + { + i--; + } + for(j = 0; j <= i; j++) + { + szTryFileName[j] = szDependencyForFile[j]; + } + lstrcatW(szTryFileName, szFileName); + hFile = CreateFileW(szTryFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); + if(hFile != INVALID_HANDLE_VALUE) + { + EngineCloseHandle(hFile); + return(true); + } + } + } + return(false); +} + +bool EngineGetDependencyLocation(char* szFileName, char* szDependencyForFile, void* szLocationOfTheFile, int MaxStringSize) +{ + + int i,j; + HANDLE hFile; + char szTryFileName[512] = {0}; + + if(szFileName != NULL) + { + hFile = CreateFileA(szFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); + if(hFile != INVALID_HANDLE_VALUE) + { + RtlZeroMemory(szLocationOfTheFile, MaxStringSize); + if(lstrlenA(szFileName) <= MaxStringSize) + { + 
RtlCopyMemory(szLocationOfTheFile, szFileName, lstrlenA(szFileName)); + } + EngineCloseHandle(hFile); + return(true); + } + if(GetSystemDirectoryA(szTryFileName, 512) > NULL) + { + lstrcatA(szTryFileName, "\\"); + lstrcatA(szTryFileName, szFileName); + hFile = CreateFileA(szTryFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); + if(hFile != INVALID_HANDLE_VALUE) + { + RtlZeroMemory(szLocationOfTheFile, MaxStringSize); + if(lstrlenA(szTryFileName) <= MaxStringSize) + { + RtlCopyMemory(szLocationOfTheFile, &szTryFileName, lstrlenA(szTryFileName)); + } + EngineCloseHandle(hFile); + return(true); + } + } + if(GetWindowsDirectoryA(szTryFileName, 512) > NULL) + { + lstrcatA(szTryFileName, "\\"); + lstrcatA(szTryFileName, szFileName); + hFile = CreateFileA(szTryFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); + if(hFile != INVALID_HANDLE_VALUE) + { + RtlZeroMemory(szLocationOfTheFile, MaxStringSize); + if(lstrlenA(szTryFileName) <= MaxStringSize) + { + RtlCopyMemory(szLocationOfTheFile, &szTryFileName, lstrlenA(szTryFileName)); + } + EngineCloseHandle(hFile); + return(true); + } + } + if(szDependencyForFile != NULL) + { + RtlZeroMemory(&szTryFileName, 512); + i = lstrlenA(szDependencyForFile); + while(i > 0 && szDependencyForFile[i] != 0x5C) + { + i--; + } + for(j = 0; j <= i; j++) + { + szTryFileName[j] = szDependencyForFile[j]; + } + lstrcatA(szTryFileName, szFileName); + hFile = CreateFileA(szTryFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); + if(hFile != INVALID_HANDLE_VALUE) + { + RtlZeroMemory(szLocationOfTheFile, MaxStringSize); + if(lstrlenA(szTryFileName) <= MaxStringSize) + { + RtlCopyMemory(szLocationOfTheFile, &szTryFileName, lstrlenA(szTryFileName)); + } + EngineCloseHandle(hFile); + return(true); + } + } + } + return(false); +} + +long EngineHashString(char* szStringToHash) +{ + + int i = NULL; + DWORD HashValue = NULL; + + 
if(szStringToHash != NULL) + { + for(i = 0; i < lstrlenA(szStringToHash); i++) + { + HashValue = (((HashValue << 7) | (HashValue >> (32 - 7))) ^ szStringToHash[i]); + } + } + return(HashValue); +} + +long EngineHashMemory(char* MemoryAddress, int MemorySize, DWORD InitialHashValue) +{ + + int i = NULL; + DWORD HashValue = InitialHashValue; + + for(i = 0; i < MemorySize; i++) + { + if(MemoryAddress[i] != NULL) + { + HashValue = (((HashValue << 7) | (HashValue >> (32 - 7))) ^ MemoryAddress[i]); + } + } + return(HashValue); +} + +bool EngineIsBadReadPtrEx(LPVOID DataPointer, DWORD DataSize) +{ + + MEMORY_BASIC_INFORMATION MemInfo = {0}; + + while(DataSize > NULL) + { + VirtualQuery(DataPointer, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); + if(MemInfo.AllocationProtect == MEM_FREE || MemInfo.AllocationProtect == MEM_PRIVATE) + { + return(false); + } + DataPointer = (LPVOID)((ULONG_PTR)DataPointer + MemInfo.RegionSize); + if(MemInfo.RegionSize > DataSize) + { + DataSize = NULL; + } + else + { + DataSize = DataSize - (DWORD)MemInfo.RegionSize; + } + } + return(true); +} + +bool EngineValidateResource(HMODULE hModule, LPCTSTR lpszType, LPTSTR lpszName, LONG_PTR lParam) +{ + + HRSRC hResource; + HGLOBAL hResourceGlobal; + DWORD ResourceSize; + LPVOID ResourceData; + BYTE ReturnData = UE_FIELD_FIXABLE_CRITICAL; + + hResource = FindResourceA(hModule, (LPCSTR)lpszName, (LPCSTR)lpszType); + if(hResource != NULL) + { + hResourceGlobal = LoadResource(hModule, hResource); + if(hResourceGlobal != NULL) + { + ResourceSize = SizeofResource(hModule, hResource); + ResourceData = LockResource(hResourceGlobal); + if(ResourceData != NULL) + { + if(!EngineIsBadReadPtrEx(ResourceData, ResourceSize)) + { + *((LONG*)lParam) = ReturnData; + return(false); + } + } + else + { + *((LONG*)lParam) = ReturnData; + return(false); + } + } + return(true); + } + + *((LONG*)lParam) = ReturnData; + return(false); +} + +bool EngineValidateHeader(ULONG_PTR FileMapVA, HANDLE hFileProc, LPVOID ImageBase, 
PIMAGE_DOS_HEADER DOSHeader, bool IsFile) +{ + + MODULEINFO ModuleInfo; + DWORD MemorySize = NULL; + PIMAGE_NT_HEADERS32 PEHeader32; + IMAGE_NT_HEADERS32 RemotePEHeader32; + MEMORY_BASIC_INFORMATION MemoryInfo= {0}; + ULONG_PTR NumberOfBytesRW = NULL; + + if(IsFile) + { + if(hFileProc == NULL) + { + VirtualQueryEx(GetCurrentProcess(), (LPVOID)FileMapVA, &MemoryInfo, sizeof MEMORY_BASIC_INFORMATION); + VirtualQueryEx(GetCurrentProcess(), MemoryInfo.AllocationBase, &MemoryInfo, sizeof MEMORY_BASIC_INFORMATION); + MemorySize = (DWORD)((ULONG_PTR)MemoryInfo.AllocationBase + (ULONG_PTR)MemoryInfo.RegionSize - (ULONG_PTR)FileMapVA); + } + else + { + MemorySize = GetFileSize(hFileProc, NULL); + } + __try + { + if(DOSHeader->e_magic == 0x5A4D) + { + if(DOSHeader->e_lfanew + sizeof IMAGE_DOS_HEADER + sizeof(IMAGE_NT_HEADERS64) < MemorySize) + { + PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + if(PEHeader32->Signature != 0x4550) + { + return(false); + } + else + { + return(true); + } + } + else + { + return(false); + } + } + else + { + return(false); + } + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + return(false); + } + } + else + { + RtlZeroMemory(&ModuleInfo, sizeof MODULEINFO); + GetModuleInformation(hFileProc, (HMODULE)ImageBase, &ModuleInfo, sizeof MODULEINFO); + __try + { + if(DOSHeader->e_magic == 0x5A4D) + { + if(DOSHeader->e_lfanew + sizeof IMAGE_DOS_HEADER + sizeof(IMAGE_NT_HEADERS64) < ModuleInfo.SizeOfImage) + { + if(ReadProcessMemory(hFileProc, (LPVOID)((ULONG_PTR)ImageBase + DOSHeader->e_lfanew), &RemotePEHeader32, sizeof IMAGE_NT_HEADERS32, &NumberOfBytesRW)) + { + PEHeader32 = (PIMAGE_NT_HEADERS32)(&RemotePEHeader32); + if(PEHeader32->Signature != 0x4550) + { + return(false); + } + else + { + return(true); + } + } + else + { + return(false); + } + } + else + { + return(false); + } + } + else + { + return(false); + } + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + return(false); + } + } +} + +long long 
EngineSimulateNtLoaderW(wchar_t* szFileName) +{ + + DWORD PeHeaderSize; + LPVOID AllocatedFile; + PIMAGE_DOS_HEADER DOSHeader; + PIMAGE_NT_HEADERS32 PEHeader32; + PIMAGE_NT_HEADERS64 PEHeader64; + PIMAGE_SECTION_HEADER PESections; + DWORD SectionNumber = 0; + DWORD SectionRawOffset = 0; + DWORD SectionRawSize = 0; + BOOL FileIs64; + HANDLE FileHandle; + DWORD FileSize; + HANDLE FileMap; + ULONG_PTR FileMapVA; + + if(MapFileExW(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) + { + DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; + if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true)) + { + PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + if(PEHeader32->OptionalHeader.Magic == 0x10B) + { + FileIs64 = false; + } + else if(PEHeader32->OptionalHeader.Magic == 0x20B) + { + FileIs64 = true; + } + else + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(NULL); + } + if(!FileIs64) + { + AllocatedFile = VirtualAlloc(NULL, PEHeader32->OptionalHeader.SizeOfImage, MEM_COMMIT, PAGE_READWRITE); + __try + { + PeHeaderSize = DOSHeader->e_lfanew + PEHeader32->FileHeader.SizeOfOptionalHeader + (sizeof(IMAGE_SECTION_HEADER) * PEHeader32->FileHeader.NumberOfSections) + sizeof(IMAGE_FILE_HEADER) + 4; + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + SectionNumber = PEHeader32->FileHeader.NumberOfSections; + RtlCopyMemory(AllocatedFile, (LPVOID)FileMapVA, PeHeaderSize); + while(SectionNumber > 0) + { + RtlCopyMemory((LPVOID)((ULONG_PTR)AllocatedFile + PESections->VirtualAddress), (LPVOID)(FileMapVA + PESections->PointerToRawData), PESections->SizeOfRawData); + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); + SectionNumber--; + } + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + 
VirtualFree(AllocatedFile, NULL, MEM_RELEASE); + AllocatedFile = NULL; + } + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return((ULONG_PTR)AllocatedFile); + } + else + { + AllocatedFile = VirtualAlloc(NULL, PEHeader64->OptionalHeader.SizeOfImage, MEM_COMMIT, PAGE_READWRITE); + __try + { + PeHeaderSize = DOSHeader->e_lfanew + PEHeader64->FileHeader.SizeOfOptionalHeader + (sizeof(IMAGE_SECTION_HEADER) * PEHeader64->FileHeader.NumberOfSections) + sizeof(IMAGE_FILE_HEADER) + 4; + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); + SectionNumber = PEHeader64->FileHeader.NumberOfSections; + RtlCopyMemory(AllocatedFile, (LPVOID)FileMapVA, PeHeaderSize); + while(SectionNumber > 0) + { + RtlCopyMemory((LPVOID)((ULONG_PTR)AllocatedFile + PESections->VirtualAddress), (LPVOID)(FileMapVA + PESections->PointerToRawData), PESections->SizeOfRawData); + PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); + SectionNumber--; + } + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + VirtualFree(AllocatedFile, NULL, MEM_RELEASE); + AllocatedFile = NULL; + } + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return((ULONG_PTR)AllocatedFile); + } + } + else + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(NULL); + } + } + return(NULL); +} + +long long EngineSimulateNtLoader(char* szFileName) +{ + + wchar_t uniFileName[MAX_PATH] = {}; + + if(szFileName != NULL) + { + MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); + return(EngineSimulateNtLoaderW(uniFileName)); + } + else + { + return(NULL); + } +} + +long long EngineSimulateDllLoader(HANDLE hProcess, char* szFileName) +{ + + int n; + BOOL FileIs64; + DWORD FileSize; + HANDLE FileMap; + ULONG_PTR FileMapVA; + HANDLE FileHandle; + LPVOID DLLMemory = NULL; + DWORD ExportDelta = NULL; + DWORD 
PEHeaderSize = NULL; + PIMAGE_DOS_HEADER DOSHeader; + PIMAGE_NT_HEADERS32 PEHeader32; + PIMAGE_NT_HEADERS64 PEHeader64; + PIMAGE_EXPORT_DIRECTORY PEExports; + PEXPORTED_DATA ExportedFunctionNames; + ULONG_PTR ConvertedExport = NULL; + char szFileRemoteProc[1024]= {0}; + char szDLLFileLocation[512]= {0}; + char* szTranslatedProcName=0; + + GetProcessImageFileNameA(hProcess, szFileRemoteProc, sizeof(szFileRemoteProc)); + szTranslatedProcName = (char*)TranslateNativeName(szFileRemoteProc); + if(EngineIsDependencyPresent(szFileName, NULL, NULL)) + { + if(EngineGetDependencyLocation(szFileName, szTranslatedProcName, &szDLLFileLocation, sizeof(szDLLFileLocation))) + { + VirtualFree((void*)szTranslatedProcName, NULL, MEM_RELEASE); + if(MapFileEx(szDLLFileLocation, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) + { + DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; + if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true)) + { + PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + if(PEHeader32->OptionalHeader.Magic == 0x10B) + { + PEHeaderSize = PEHeader32->FileHeader.NumberOfSections * IMAGE_SIZEOF_SECTION_HEADER + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4; + FileIs64 = false; + } + else if(PEHeader32->OptionalHeader.Magic == 0x20B) + { + PEHeaderSize = PEHeader64->FileHeader.NumberOfSections * IMAGE_SIZEOF_SECTION_HEADER + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4; + FileIs64 = true; + } + else + { + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return(NULL); + } + if(!FileIs64) + { + if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress != NULL) + { + DLLMemory = VirtualAlloc(NULL, DOSHeader->e_lfanew + PEHeaderSize + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size + 0x1000, MEM_COMMIT, 
PAGE_READWRITE); + if(DLLMemory != NULL) + { + __try + { + if((DOSHeader->e_lfanew + PEHeaderSize) % 0x1000 != 0) + { + ExportDelta = (((DOSHeader->e_lfanew + PEHeaderSize) / 0x1000) + 1) * 0x1000; + } + else + { + ExportDelta = ((DOSHeader->e_lfanew + PEHeaderSize) / 0x1000) * 0x1000; + } + ConvertedExport = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, PEHeader32->OptionalHeader.ImageBase, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress, true, true); + if(ConvertedExport != NULL) + { + PEExports = (PIMAGE_EXPORT_DIRECTORY)((ULONG_PTR)DLLMemory + ExportDelta); + RtlCopyMemory(DLLMemory, (LPVOID)FileMapVA, PEHeaderSize + DOSHeader->e_lfanew); + RtlCopyMemory((LPVOID)((ULONG_PTR)DLLMemory + ExportDelta), (LPVOID)ConvertedExport, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size); + PEExports->AddressOfFunctions = PEExports->AddressOfFunctions - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + ExportDelta; + PEExports->AddressOfNameOrdinals = PEExports->AddressOfNameOrdinals - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + ExportDelta; + PEExports->AddressOfNames = PEExports->AddressOfNames - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + ExportDelta; + PEExports->Name = PEExports->Name - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + ExportDelta; + ExportedFunctionNames = (PEXPORTED_DATA)(PEExports->AddressOfNames + (ULONG_PTR)DLLMemory); + for(n = 0; n < (int)PEExports->NumberOfNames; n++) + { + ExportedFunctionNames->ExportedItem = ExportedFunctionNames->ExportedItem - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + ExportDelta; + ExportedFunctionNames = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctionNames + 4); + } + DOSHeader = (PIMAGE_DOS_HEADER)DLLMemory; + PEHeader32 = 
(PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress = ExportDelta; + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return((ULONG_PTR)DLLMemory); + } + else + { + VirtualFree(DLLMemory, NULL, MEM_RELEASE); + } + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + VirtualFree(DLLMemory, NULL, MEM_RELEASE); + } + } + } + } + else + { + if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress != NULL) + { + DLLMemory = VirtualAlloc(NULL, DOSHeader->e_lfanew + PEHeaderSize + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size + 0x1000, MEM_COMMIT, PAGE_READWRITE); + if(DLLMemory != NULL) + { + __try + { + if((DOSHeader->e_lfanew + PEHeaderSize) % 0x1000 != 0) + { + ExportDelta = (((DOSHeader->e_lfanew + PEHeaderSize) % 0x1000) + 1) * 0x1000; + } + else + { + ExportDelta = ((DOSHeader->e_lfanew + PEHeaderSize) % 0x1000) * 0x1000; + } + ConvertedExport = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress, true, true); + if(ConvertedExport != NULL) + { + PEExports = (PIMAGE_EXPORT_DIRECTORY)((ULONG_PTR)DLLMemory + ExportDelta); + RtlCopyMemory(DLLMemory, (LPVOID)FileMapVA, PEHeaderSize + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size); + RtlCopyMemory((LPVOID)((ULONG_PTR)DLLMemory + ExportDelta), (LPVOID)ConvertedExport, PEHeaderSize + DOSHeader->e_lfanew); + PEExports->AddressOfFunctions = PEExports->AddressOfFunctions - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + ExportDelta; + PEExports->AddressOfNameOrdinals = PEExports->AddressOfNameOrdinals - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + ExportDelta; + PEExports->AddressOfNames = PEExports->AddressOfNames 
- PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + ExportDelta; + PEExports->Name = PEExports->Name - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + ExportDelta; + ExportedFunctionNames = (PEXPORTED_DATA)(PEExports->AddressOfNames + (ULONG_PTR)DLLMemory); + for(n = 0; n < (int)PEExports->NumberOfNames; n++) + { + ExportedFunctionNames->ExportedItem = ExportedFunctionNames->ExportedItem - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + ExportDelta; + ExportedFunctionNames = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctionNames + 4); + } + DOSHeader = (PIMAGE_DOS_HEADER)DLLMemory; + PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress = ExportDelta; + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + return((ULONG_PTR)DLLMemory); + } + else + { + VirtualFree(DLLMemory, NULL, MEM_RELEASE); + } + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + VirtualFree(DLLMemory, NULL, MEM_RELEASE); + } + } + } + } + UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); + } + } + } + } + VirtualFree((void*)szTranslatedProcName, NULL, MEM_RELEASE); + return(NULL); +} + +long long EngineGetProcAddress(ULONG_PTR ModuleBase, char* szAPIName) +{ + + int i = 0; + int j = 0; + ULONG_PTR APIFoundAddress = 0; + PIMAGE_DOS_HEADER DOSHeader; + PIMAGE_NT_HEADERS32 PEHeader32; + PIMAGE_NT_HEADERS64 PEHeader64; + PIMAGE_EXPORT_DIRECTORY PEExports; + PEXPORTED_DATA ExportedFunctions; + PEXPORTED_DATA ExportedFunctionNames; + PEXPORTED_DATA_WORD ExportedFunctionOrdinals; + char szModuleName[MAX_PATH] = {}; + bool FileIs64 = false; + + if(GetModuleFileNameA((HMODULE)ModuleBase, szModuleName, MAX_PATH) == NULL) + { + __try + { + DOSHeader = (PIMAGE_DOS_HEADER)ModuleBase; + PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PEHeader64 = 
(PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + if(PEHeader32->OptionalHeader.Magic == 0x10B) + { + FileIs64 = false; + } + else if(PEHeader32->OptionalHeader.Magic == 0x20B) + { + FileIs64 = true; + } + else + { + return(NULL); + } + if(!FileIs64) + { + PEExports = (PIMAGE_EXPORT_DIRECTORY)(ModuleBase + (ULONG_PTR)PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); + ExportedFunctions = (PEXPORTED_DATA)(ModuleBase + (ULONG_PTR)PEExports->AddressOfFunctions); + ExportedFunctionNames = (PEXPORTED_DATA)(ModuleBase + (ULONG_PTR)PEExports->AddressOfNames); + ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)(ModuleBase + (ULONG_PTR)PEExports->AddressOfNameOrdinals); + } + else + { + PEExports = (PIMAGE_EXPORT_DIRECTORY)(ModuleBase + (ULONG_PTR)PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); + ExportedFunctions = (PEXPORTED_DATA)(ModuleBase + (ULONG_PTR)PEExports->AddressOfFunctions); + ExportedFunctionNames = (PEXPORTED_DATA)(ModuleBase + (ULONG_PTR)PEExports->AddressOfNames); + ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)(ModuleBase + (ULONG_PTR)PEExports->AddressOfNameOrdinals); + } + for(j = 0; j < (int)PEExports->NumberOfNames; j++) + { + if(lstrcmpiA((LPCSTR)szAPIName, (LPCSTR)(ModuleBase + (ULONG_PTR)ExportedFunctionNames->ExportedItem)) == NULL) + { + ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)((ULONG_PTR)ExportedFunctionOrdinals + j * 2); + ExportedFunctions = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctions + (ExportedFunctionOrdinals->OrdinalNumber) * 4); + APIFoundAddress = ExportedFunctions->ExportedItem + (ULONG_PTR)ModuleBase; + return((ULONG_PTR)APIFoundAddress); + } + ExportedFunctionNames = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctionNames + 4); + } + return(NULL); + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + return(NULL); + } + } + else + { + return((ULONG_PTR)GetProcAddress((HMODULE)ModuleBase, szAPIName)); + } +} + +bool 
EngineGetLibraryOrdinalData(ULONG_PTR ModuleBase, LPDWORD ptrOrdinalBase, LPDWORD ptrOrdinalCount) +{ + + PIMAGE_DOS_HEADER DOSHeader; + PIMAGE_NT_HEADERS32 PEHeader32; + PIMAGE_NT_HEADERS64 PEHeader64; + PIMAGE_EXPORT_DIRECTORY PEExports; + bool FileIs64 = false; + + __try + { + DOSHeader = (PIMAGE_DOS_HEADER)ModuleBase; + PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + if(PEHeader32->OptionalHeader.Magic == 0x10B) + { + FileIs64 = false; + } + else if(PEHeader32->OptionalHeader.Magic == 0x20B) + { + FileIs64 = true; + } + else + { + return(false); + } + if(!FileIs64) + { + PEExports = (PIMAGE_EXPORT_DIRECTORY)(ModuleBase + (ULONG_PTR)PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); + *ptrOrdinalBase = PEExports->Base; + *ptrOrdinalCount = PEExports->NumberOfNames; + } + else + { + PEExports = (PIMAGE_EXPORT_DIRECTORY)(ModuleBase + (ULONG_PTR)PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); + *ptrOrdinalBase = PEExports->Base; + *ptrOrdinalCount = PEExports->NumberOfNames; + } + return(true); + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + return(false); + } + return(false); +} + +long long EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBases, ULONG_PTR APIAddress, char* szAPIName, DWORD ReturnType) +{ + + unsigned int i = 0; + unsigned int j = 0; + unsigned int n = 0; + unsigned int x = 0; + unsigned int y = 0; + unsigned int z = 0; + DWORD Dummy = NULL; + HANDLE hProcess = NULL; + ULONG_PTR EnumeratedModules[0x2000]; + ULONG_PTR LoadedModules[1000][4]; + char RemoteDLLName[MAX_PATH]= {0}; + char FullRemoteDLLName[MAX_PATH]= {0}; + char szWindowsSideBySide[MAX_PATH]= {0}; + char szWindowsSideBySideCmp[MAX_PATH]= {0}; + char szWindowsKernelBase[MAX_PATH]= {0}; + HANDLE hLoadedModule = NULL; + HANDLE ModuleHandle = NULL; + PIMAGE_DOS_HEADER DOSHeader; + 
PIMAGE_NT_HEADERS32 PEHeader32; + PIMAGE_NT_HEADERS64 PEHeader64; + PIMAGE_EXPORT_DIRECTORY PEExports; + PEXPORTED_DATA ExportedFunctions; + PEXPORTED_DATA ExportedFunctionNames; + PEXPORTED_DATA_WORD ExportedFunctionOrdinals; + ULONG_PTR APIFoundAddress = NULL; + MODULEINFO RemoteModuleInfo; + bool ValidateHeader = false; + bool FileIs64 = false; + bool APINameFound = false; + bool SkipModule = false; + unsigned int FoundIndex = 0; + unsigned int FoundOrdinalNumber = 0; + ULONG_PTR FileMapVA; + char szFwdDLLName[512] = {0}; + char szFwdAPIName[512] = {0}; + ULONG_PTR RealignedAPIAddress; + ULONG_PTR ForwarderData = NULL; + unsigned int ClosestAPI = 0x1000; + int Vista64UserForwarderFix = 0; + unsigned int Windows7KernelBase = 0xFFFFFFFF; + + RtlZeroMemory(&engineFoundDLLName, sizeof(szFwdDLLName)); + RtlZeroMemory(&EnumeratedModules, 0x2000 * sizeof ULONG_PTR); + RtlZeroMemory(&LoadedModules, 1000 * 4 * sizeof ULONG_PTR); + GetWindowsDirectoryA(szWindowsSideBySide, MAX_PATH); + lstrcpyA(szWindowsKernelBase, szWindowsSideBySide); + lstrcatA(szWindowsSideBySide, "\\WinSxS"); + if(EnumedModulesBases != NULL) + { + RtlMoveMemory(&EnumeratedModules, (LPVOID)EnumedModulesBases, 0x1000); + i--; + } + if(handleProcess == NULL) + { + if(dbgProcessInformation.hProcess == NULL) + { + hProcess = GetCurrentProcess(); + } + else + { + hProcess = dbgProcessInformation.hProcess; + } + } + else + { + hProcess = handleProcess; + } + if(EnumedModulesBases != NULL || EnumProcessModules(hProcess, (HMODULE*)EnumeratedModules, 0x2000, &Dummy)) + { + i++; + z = i; + y = i; + while(EnumeratedModules[y] != NULL) + { + // Vista x64 fix + if(Vista64UserForwarderFix == NULL) + { + GetModuleBaseNameA(hProcess, (HMODULE)EnumeratedModules[y], (LPSTR)RemoteDLLName, MAX_PATH); + if(!lstrcmpiA(RemoteDLLName, "user32.dll")) + Vista64UserForwarderFix = y; + //NOTE: this code is used to ignore all APIs inside kernelbase.dll + else if(!lstrcmpiA(RemoteDLLName, "kernelbase.dll")) + { + 
GetModuleFileNameExA(hProcess, (HMODULE)EnumeratedModules[y], (LPSTR)RemoteDLLName, MAX_PATH); + RemoteDLLName[lstrlenA(szWindowsKernelBase)] = 0x00; + if(lstrcmpiA(RemoteDLLName, szWindowsKernelBase) == NULL) + { + Windows7KernelBase = y; + } + } + } + y++; + } + while(APINameFound == false && EnumeratedModules[i] != NULL) + { + //NOTE: un-comment when kernelbase should be ignored + /*if(i == Windows7KernelBase) + { + i++; + if(EnumeratedModules[i] == NULL) + { + break; + } + }*/ + ValidateHeader = false; + RtlZeroMemory(&RemoteDLLName, MAX_PATH); + GetModuleFileNameExA(hProcess, (HMODULE)EnumeratedModules[i], (LPSTR)RemoteDLLName, MAX_PATH); + lstrcpyA(FullRemoteDLLName, RemoteDLLName); + RtlZeroMemory(&szWindowsSideBySideCmp, MAX_PATH); + RtlCopyMemory(&szWindowsSideBySideCmp, FullRemoteDLLName, lstrlenA(szWindowsSideBySide)); + if(GetModuleHandleA(RemoteDLLName) == NULL) + { + RtlZeroMemory(&RemoteDLLName, MAX_PATH); + GetModuleBaseNameA(hProcess, (HMODULE)EnumeratedModules[i], (LPSTR)RemoteDLLName, MAX_PATH); + if(GetModuleHandleA(RemoteDLLName) == NULL || lstrcmpiA(szWindowsSideBySideCmp, szWindowsSideBySide) == NULL) + { + if(engineAlowModuleLoading) + { + hLoadedModule = LoadLibraryA(FullRemoteDLLName); + if(hLoadedModule != NULL) + { + LoadedModules[i][0] = EnumeratedModules[i]; + LoadedModules[i][1] = (ULONG_PTR)hLoadedModule; + LoadedModules[i][2] = 1; + } + } + else + { + hLoadedModule = (HANDLE)EngineSimulateDllLoader(hProcess, FullRemoteDLLName); + if(hLoadedModule != NULL) + { + LoadedModules[i][0] = EnumeratedModules[i]; + LoadedModules[i][1] = (ULONG_PTR)hLoadedModule; + LoadedModules[i][2] = 1; + ValidateHeader = true; + } + } + } + else + { + LoadedModules[i][0] = EnumeratedModules[i]; + LoadedModules[i][1] = (ULONG_PTR)GetModuleHandleA(RemoteDLLName); + LoadedModules[i][2] = 0; + } + } + else + { + LoadedModules[i][0] = EnumeratedModules[i]; + LoadedModules[i][1] = (ULONG_PTR)GetModuleHandleA(RemoteDLLName); + LoadedModules[i][2] = 0; + } + + + 
if(ReturnType != UE_OPTION_IMPORTER_RETURN_FORWARDER_DLLNAME && ReturnType != UE_OPTION_IMPORTER_RETURN_FORWARDER_DLLINDEX && ReturnType != UE_OPTION_IMPORTER_RETURN_FORWARDER_APINAME) + { + if(szAPIName == NULL && ReturnType == UE_OPTION_IMPORTER_REALIGN_APIADDRESS) + { + RtlZeroMemory(&RemoteModuleInfo, sizeof MODULEINFO); + //GetModuleInformation(GetCurrentProcess(), (HMODULE)LoadedModules[i][1], &RemoteModuleInfo, sizeof MODULEINFO); + GetModuleInformation(hProcess, (HMODULE)LoadedModules[i][0], &RemoteModuleInfo, sizeof MODULEINFO); + if(APIAddress >= LoadedModules[i][1] && APIAddress <= LoadedModules[i][1] + RemoteModuleInfo.SizeOfImage) + { + GetModuleBaseNameA(hProcess, (HMODULE)LoadedModules[i][0], (LPSTR)engineFoundDLLName, 512); + APIFoundAddress = (ULONG_PTR)(APIAddress - LoadedModules[i][1] + LoadedModules[i][0]); + APINameFound = true; + FoundIndex = i; + break; + } + } + else if(szAPIName == NULL && ReturnType == UE_OPTION_IMPORTER_REALIGN_LOCAL_APIADDRESS) + { + RtlZeroMemory(&RemoteModuleInfo, sizeof MODULEINFO); + GetModuleInformation(hProcess, (HMODULE)LoadedModules[i][0], &RemoteModuleInfo, sizeof MODULEINFO); + if(APIAddress >= LoadedModules[i][0] && APIAddress <= LoadedModules[i][0] + RemoteModuleInfo.SizeOfImage) + { + GetModuleBaseNameA(hProcess, (HMODULE)LoadedModules[i][0], (LPSTR)engineFoundDLLName, 512); + APIFoundAddress = (ULONG_PTR)(APIAddress - LoadedModules[i][0] + LoadedModules[i][1]); + APINameFound = true; + FoundIndex = i; + break; + } + } + else if(szAPIName == NULL && ReturnType == UE_OPTION_IMPORTER_RETURN_DLLBASE) + { + if(APIAddress == LoadedModules[i][1]) + { + APIFoundAddress = LoadedModules[i][0]; + APINameFound = true; + FoundIndex = i; + break; + } + } + else if(ReturnType == UE_OPTION_IMPORTER_RETURN_NEAREST_APIADDRESS || ReturnType == UE_OPTION_IMPORTER_RETURN_NEAREST_APINAME) + { + RtlZeroMemory(&RemoteModuleInfo, sizeof MODULEINFO); + GetModuleInformation(hProcess, (HMODULE)LoadedModules[i][0], &RemoteModuleInfo, 
sizeof MODULEINFO); + if(APIAddress >= LoadedModules[i][0] && APIAddress <= LoadedModules[i][0] + RemoteModuleInfo.SizeOfImage) + { + DOSHeader = (PIMAGE_DOS_HEADER)LoadedModules[i][1]; + if(ValidateHeader || EngineValidateHeader((ULONG_PTR)LoadedModules[i][1], GetCurrentProcess(), RemoteModuleInfo.lpBaseOfDll, DOSHeader, false)) + { + __try + { + PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + if(PEHeader32->OptionalHeader.Magic == 0x10B) + { + FileIs64 = false; + } + else if(PEHeader32->OptionalHeader.Magic == 0x20B) + { + FileIs64 = true; + } + else + { + return(NULL); + } + if(!FileIs64) + { + PEExports = (PIMAGE_EXPORT_DIRECTORY)(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + LoadedModules[i][1]); + ExportedFunctions = (PEXPORTED_DATA)(PEExports->AddressOfFunctions + LoadedModules[i][1]); + } + else + { + PEExports = (PIMAGE_EXPORT_DIRECTORY)(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + LoadedModules[i][1]); + ExportedFunctions = (PEXPORTED_DATA)(PEExports->AddressOfFunctions + LoadedModules[i][1]); + } + for(n = 0; n < PEExports->NumberOfFunctions; n++) //NumberOfNames + { + if(APIAddress - (ExportedFunctions->ExportedItem + LoadedModules[i][0]) < ClosestAPI) + { + ClosestAPI = (unsigned int)(APIAddress - (ExportedFunctions->ExportedItem + LoadedModules[i][0])); + ExportedFunctionNames = (PEXPORTED_DATA)(PEExports->AddressOfNames + LoadedModules[i][1]); + ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)(PEExports->AddressOfNameOrdinals + LoadedModules[i][1]); + GetModuleBaseNameA(hProcess, (HMODULE)LoadedModules[i][0], (LPSTR)engineFoundDLLName, 512); + RtlZeroMemory(&engineFoundAPIName, sizeof(engineFoundAPIName)); + x = n; + FoundOrdinalNumber = (unsigned int)PEExports->Base; + for(j = 0; j < PEExports->NumberOfNames; j++) + { + 
if(ExportedFunctionOrdinals->OrdinalNumber != x) + { + ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)((ULONG_PTR)ExportedFunctionOrdinals + 2); + } + else + { + FoundOrdinalNumber = FoundOrdinalNumber + (unsigned int)ExportedFunctionOrdinals->OrdinalNumber; + break; + } + } + ExportedFunctionNames = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctionNames + j * 4); + if(EngineIsPointedMemoryString((ULONG_PTR)(ExportedFunctionNames->ExportedItem + LoadedModules[i][1]))) + { + lstrcpyA((LPSTR)engineFoundAPIName, (LPCSTR)(ExportedFunctionNames->ExportedItem + LoadedModules[i][1])); + } + APIFoundAddress = ExportedFunctions->ExportedItem + LoadedModules[i][0]; + APINameFound = true; + FoundIndex = i; + } + ExportedFunctions = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctions + 4); + } + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + ClosestAPI = 0x1000; + APINameFound = false; + } + } + } + } + + if((ReturnType == UE_OPTION_IMPORTER_RETURN_API_ORDINAL_NUMBER || (ReturnType > UE_OPTION_IMPORTER_REALIGN_APIADDRESS && ReturnType < UE_OPTION_IMPORTER_RETURN_FORWARDER_DLLNAME)) && ReturnType != UE_OPTION_IMPORTER_RETURN_DLLBASE && LoadedModules[i][1] != NULL) + { + RtlZeroMemory(&RemoteModuleInfo, sizeof MODULEINFO); + DOSHeader = (PIMAGE_DOS_HEADER)LoadedModules[i][1]; + //GetModuleInformation(GetCurrentProcess(), (HMODULE)LoadedModules[i][1], &RemoteModuleInfo, sizeof MODULEINFO); + GetModuleInformation(hProcess, (HMODULE)LoadedModules[i][0], &RemoteModuleInfo, sizeof MODULEINFO); + if(APIAddress >= LoadedModules[i][0] && APIAddress <= LoadedModules[i][0] + RemoteModuleInfo.SizeOfImage) + { + if(ValidateHeader || EngineValidateHeader((ULONG_PTR)LoadedModules[i][1], GetCurrentProcess(), RemoteModuleInfo.lpBaseOfDll, DOSHeader, false)) + { + __try + { + PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + if(PEHeader32->OptionalHeader.Magic == 0x10B) + { + FileIs64 = false; 
+ } + else if(PEHeader32->OptionalHeader.Magic == 0x20B) + { + FileIs64 = true; + } + else + { + return(NULL); + } + if(!FileIs64) + { + PEExports = (PIMAGE_EXPORT_DIRECTORY)(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + LoadedModules[i][1]); + ExportedFunctions = (PEXPORTED_DATA)(PEExports->AddressOfFunctions + LoadedModules[i][1]); + ExportedFunctionNames = (PEXPORTED_DATA)(PEExports->AddressOfNames + LoadedModules[i][1]); + ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)(PEExports->AddressOfNameOrdinals + LoadedModules[i][1]); + } + else + { + PEExports = (PIMAGE_EXPORT_DIRECTORY)(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + LoadedModules[i][1]); + ExportedFunctions = (PEXPORTED_DATA)(PEExports->AddressOfFunctions + LoadedModules[i][1]); + ExportedFunctionNames = (PEXPORTED_DATA)(PEExports->AddressOfNames + LoadedModules[i][1]); + ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)(PEExports->AddressOfNameOrdinals + LoadedModules[i][1]); + } + if(ReturnType == UE_OPTION_IMPORTER_RETURN_APINAME || ReturnType == UE_OPTION_IMPORTER_RETURN_DLLNAME || ReturnType == UE_OPTION_IMPORTER_RETURN_DLLINDEX || ReturnType == UE_OPTION_IMPORTER_RETURN_API_ORDINAL_NUMBER) + { + for(j = 0; j < PEExports->NumberOfFunctions; j++) //NumberOfNames + { + if(ExportedFunctions->ExportedItem + LoadedModules[i][0] == APIAddress) + { + GetModuleBaseNameA(hProcess, (HMODULE)LoadedModules[i][0], (LPSTR)engineFoundDLLName, 512); + RtlZeroMemory(&engineFoundAPIName, sizeof(engineFoundAPIName)); + x = j; + FoundOrdinalNumber = (unsigned int)PEExports->Base; + for(j = 0; j < PEExports->NumberOfNames; j++) + { + if(ExportedFunctionOrdinals->OrdinalNumber != x) + { + ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)((ULONG_PTR)ExportedFunctionOrdinals + 2); + } + else + { + FoundOrdinalNumber = FoundOrdinalNumber + (unsigned int)ExportedFunctionOrdinals->OrdinalNumber; + break; + } + } + ExportedFunctionNames = 
(PEXPORTED_DATA)((ULONG_PTR)ExportedFunctionNames + j * 4); + if(EngineIsPointedMemoryString((ULONG_PTR)(ExportedFunctionNames->ExportedItem + LoadedModules[i][1]))) + { + lstrcpyA((LPSTR)engineFoundAPIName, (LPCSTR)(ExportedFunctionNames->ExportedItem + LoadedModules[i][1])); + } + APINameFound = true; + FoundIndex = i; + break; + } + ExportedFunctions = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctions + 4); + } + } + else if(ReturnType == UE_OPTION_IMPORTER_RETURN_APIADDRESS) + { + for(j = 0; j < PEExports->NumberOfFunctions; j++) //NumberOfNames + { + if(lstrcmpiA((LPCSTR)szAPIName, (LPCSTR)(ExportedFunctionNames->ExportedItem + LoadedModules[i][1])) == NULL) + { + ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)((ULONG_PTR)ExportedFunctionOrdinals + j * 2); + ExportedFunctions = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctions + (ExportedFunctionOrdinals->OrdinalNumber) * 4); + GetModuleBaseNameA(hProcess, (HMODULE)LoadedModules[i][0], (LPSTR)engineFoundDLLName, 512); + RtlZeroMemory(&engineFoundAPIName, sizeof(engineFoundAPIName)); + ExportedFunctions = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctions + (j + PEExports->Base) * 4); + APIFoundAddress = ExportedFunctions->ExportedItem + LoadedModules[i][0]; + APINameFound = true; + FoundIndex = i; + break; + } + ExportedFunctionNames = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctionNames + 4); + } + } + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + RtlZeroMemory(&engineFoundAPIName, sizeof(engineFoundAPIName)); + APINameFound = false; + } + } + } + } + } + i++; + } + + if(ReturnType == UE_OPTION_IMPORTER_RETURN_FORWARDER_DLLNAME || ReturnType == UE_OPTION_IMPORTER_RETURN_FORWARDER_APINAME || ReturnType == UE_OPTION_IMPORTER_RETURN_FORWARDER_DLLINDEX || ReturnType == UE_OPTION_IMPORTER_RETURN_FORWARDER_API_ORDINAL_NUMBER) + { + RealignedAPIAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, APIAddress, NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS); + if(z <= 1) + { + z = 2; + } + for(i = y; i >= z; i--) + { + FileMapVA 
= LoadedModules[i][1]; + if(FileMapVA != NULL) + { + DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; + RtlZeroMemory(&RemoteModuleInfo, sizeof MODULEINFO); + //GetModuleInformation(GetCurrentProcess(), (HMODULE)LoadedModules[i][1], &RemoteModuleInfo, sizeof MODULEINFO); + GetModuleInformation(hProcess, (HMODULE)LoadedModules[i][0], &RemoteModuleInfo, sizeof MODULEINFO); + if(ValidateHeader || EngineValidateHeader((ULONG_PTR)LoadedModules[i][1], GetCurrentProcess(), RemoteModuleInfo.lpBaseOfDll, DOSHeader, false)) + { + __try + { + PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); + if(PEHeader32->OptionalHeader.Magic == 0x10B) + { + FileIs64 = false; + } + else if(PEHeader32->OptionalHeader.Magic == 0x20B) + { + FileIs64 = true; + } + else + { + SkipModule = true; + } + if(!SkipModule) + { + if(!FileIs64) + { + PEExports = (PIMAGE_EXPORT_DIRECTORY)(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + LoadedModules[i][1]); + ExportedFunctionNames = (PEXPORTED_DATA)(PEExports->AddressOfNames + LoadedModules[i][1]); + ExportedFunctions = (PEXPORTED_DATA)(PEExports->AddressOfFunctions + LoadedModules[i][1]); + ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)(PEExports->AddressOfNameOrdinals + LoadedModules[i][1]); + } + else + { + PEExports = (PIMAGE_EXPORT_DIRECTORY)(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + LoadedModules[i][1]); + ExportedFunctionNames = (PEXPORTED_DATA)(PEExports->AddressOfNames + LoadedModules[i][1]); + ExportedFunctions = (PEXPORTED_DATA)(PEExports->AddressOfFunctions + LoadedModules[i][1]); + ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)(PEExports->AddressOfNameOrdinals + LoadedModules[i][1]); + } + for(j = 0; j < PEExports->NumberOfFunctions; j++) + { + if(EngineIsPointedMemoryString((ULONG_PTR)ExportedFunctions->ExportedItem + LoadedModules[i][1])) + { + 
RtlZeroMemory(&szFwdAPIName, 512); + RtlZeroMemory(&szFwdDLLName, 512); + if(EngineExtractForwarderData((ULONG_PTR)ExportedFunctions->ExportedItem + LoadedModules[i][1], &szFwdDLLName, &szFwdAPIName)) + { + if((ULONG_PTR)GetProcAddress(GetModuleHandleA(szFwdDLLName), szFwdAPIName) == RealignedAPIAddress) + { + GetModuleBaseNameA(hProcess, (HMODULE)LoadedModules[i][0], (LPSTR)engineFoundDLLName, 512); + RtlZeroMemory(&engineFoundAPIName, 512); + x = j; + FoundOrdinalNumber = (unsigned int)PEExports->Base; + for(j = 0; j < PEExports->NumberOfNames; j++) + { + if(ExportedFunctionOrdinals->OrdinalNumber != x) + { + ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)((ULONG_PTR)ExportedFunctionOrdinals + 2); + } + else + { + FoundOrdinalNumber = FoundOrdinalNumber + (unsigned int)ExportedFunctionOrdinals->OrdinalNumber; + break; + } + } + ExportedFunctionNames = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctionNames + j * 4); + if(EngineIsPointedMemoryString((ULONG_PTR)(ExportedFunctionNames->ExportedItem + LoadedModules[i][1]))) + { + lstrcpyA((LPSTR)engineFoundAPIName, (LPCSTR)(ExportedFunctionNames->ExportedItem + LoadedModules[i][1])); + } + APINameFound = true; + FoundIndex = i; + break; + } + } + } + ExportedFunctions = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctions + 4); + } + } + } + __except(EXCEPTION_EXECUTE_HANDLER) + { + RtlZeroMemory(&szFwdAPIName, 512); + RtlZeroMemory(&szFwdDLLName, 512); + APINameFound = false; + } + } + } + if(APINameFound) + { + break; + } + } + } + i = 1; + while(EnumeratedModules[i] != NULL) + { + if(engineAlowModuleLoading) + { + if(LoadedModules[i][2] == 1) + { + FreeLibrary((HMODULE)LoadedModules[i][1]); + } + } + else + { + if(LoadedModules[i][2] == 1) + { + VirtualFree((void*)LoadedModules[i][1], NULL, MEM_RELEASE); + } + } + i++; + } + if(APINameFound) + { + // + // Vista/w7 x64 fix + // + if(lstrcmpiA(engineFoundAPIName, "NtdllDefWindowProc_A") == NULL) + { + lstrcpyA(engineFoundAPIName, "DefWindowProcA"); + 
lstrcpyA(engineFoundDLLName, "user32.dll"); + FoundIndex = Vista64UserForwarderFix; + } + else if(lstrcmpiA(engineFoundAPIName, "NtdllDefWindowProc_W") == NULL) + { + lstrcpyA(engineFoundAPIName, "DefWindowProcW"); + lstrcpyA(engineFoundDLLName, "user32.dll"); + FoundIndex = Vista64UserForwarderFix; + } + else if(lstrcmpiA(engineFoundAPIName, "NtdllDialogWndProc_A") == NULL) + { + lstrcpyA(engineFoundAPIName, "DefDlgProcA"); + lstrcpyA(engineFoundDLLName, "user32.dll"); + FoundIndex = Vista64UserForwarderFix; + } + else if(lstrcmpiA(engineFoundAPIName, "NtdllDialogWndProc_W") == NULL) + { + lstrcpyA(engineFoundAPIName, "DefDlgProcW"); + lstrcpyA(engineFoundDLLName, "user32.dll"); + FoundIndex = Vista64UserForwarderFix; + } + if(ReturnType == UE_OPTION_IMPORTER_RETURN_APINAME || ReturnType == UE_OPTION_IMPORTER_RETURN_FORWARDER_APINAME) + { + if(ReturnType == UE_OPTION_IMPORTER_RETURN_APINAME && engineCheckForwarders == true) + { + if(engineAlowModuleLoading == true || (engineAlowModuleLoading == false && LoadedModules[FoundIndex][2] != 1)) + { + if(lstrcmpiA(engineFoundDLLName, "ntdll.dll") == NULL) + { + ForwarderData = (ULONG_PTR)EngineGlobalAPIHandler(handleProcess, EnumedModulesBases, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_FORWARDER_APINAME); + } + else + { + ForwarderData = NULL; + } + if(ForwarderData != NULL) + { + return(ForwarderData); + } + else + { + if(engineFoundAPIName[0] != 0x00) + { + return((ULONG_PTR)engineFoundAPIName); + } + else + { + return(NULL); + } + } + } + else + { + if(engineFoundAPIName[0] != 0x00) + { + return((ULONG_PTR)engineFoundAPIName); + } + else + { + return(NULL); + } + } + } + else + { + if(engineFoundAPIName[0] != 0x00) + { + return((ULONG_PTR)engineFoundAPIName); + } + else + { + return(NULL); + } + } + } + else if(ReturnType == UE_OPTION_IMPORTER_RETURN_APIADDRESS) + { + return(APIFoundAddress); + } + else if(ReturnType == UE_OPTION_IMPORTER_RETURN_API_ORDINAL_NUMBER || ReturnType == 
UE_OPTION_IMPORTER_RETURN_FORWARDER_API_ORDINAL_NUMBER) + { + return((ULONG_PTR)FoundOrdinalNumber); + } + else if(ReturnType == UE_OPTION_IMPORTER_RETURN_DLLNAME || ReturnType == UE_OPTION_IMPORTER_RETURN_FORWARDER_DLLNAME) + { + if(ReturnType == UE_OPTION_IMPORTER_RETURN_DLLNAME && engineCheckForwarders == true) + { + if(engineAlowModuleLoading == true || (engineAlowModuleLoading == false && LoadedModules[FoundIndex][2] != 1)) + { + if(lstrcmpiA(engineFoundDLLName, "ntdll.dll") == NULL) + { + ForwarderData = (ULONG_PTR)EngineGlobalAPIHandler(handleProcess, EnumedModulesBases, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_FORWARDER_DLLNAME); + } + else + { + ForwarderData = NULL; + } + if(ForwarderData != NULL) + { + return(ForwarderData); + } + else + { + if(engineFoundDLLName[0] != 0x00) + { + return((ULONG_PTR)engineFoundDLLName); + } + else + { + return(NULL); + } + } + } + else + { + if(engineFoundDLLName[0] != 0x00) + { + return((ULONG_PTR)engineFoundDLLName); + } + else + { + return(NULL); + } + } + } + else + { + if(engineFoundDLLName[0] != 0x00) + { + return((ULONG_PTR)engineFoundDLLName); + } + else + { + return(NULL); + } + } + } + else if(ReturnType == UE_OPTION_IMPORTER_RETURN_DLLINDEX || ReturnType == UE_OPTION_IMPORTER_RETURN_FORWARDER_DLLINDEX) + { + if(ReturnType == UE_OPTION_IMPORTER_RETURN_DLLINDEX && engineCheckForwarders == true) + { + if(engineAlowModuleLoading == true || (engineAlowModuleLoading == false && LoadedModules[FoundIndex][2] != 1)) + { + if(lstrcmpiA(engineFoundDLLName, "ntdll.dll") == NULL) + { + ForwarderData = (ULONG_PTR)EngineGlobalAPIHandler(handleProcess, EnumedModulesBases, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_FORWARDER_DLLINDEX); + } + else + { + ForwarderData = NULL; + } + if(ForwarderData != NULL) + { + return(ForwarderData); + } + else + { + return(FoundIndex); + } + } + else + { + return(FoundIndex); + } + } + else + { + return(FoundIndex); + } + } + else if(ReturnType == UE_OPTION_IMPORTER_RETURN_DLLBASE) + { + 
return(APIFoundAddress); + } + else if(ReturnType == UE_OPTION_IMPORTER_RETURN_NEAREST_APIADDRESS) + { + return(APIFoundAddress); + } + else if(ReturnType == UE_OPTION_IMPORTER_RETURN_NEAREST_APINAME) + { + if(engineCheckForwarders) + { + if(engineAlowModuleLoading == true || (engineAlowModuleLoading == false && LoadedModules[FoundIndex][2] != 1)) + { + if(lstrcmpiA(engineFoundDLLName, "ntdll.dll") == NULL) + { + ForwarderData = (ULONG_PTR)EngineGlobalAPIHandler(handleProcess, EnumedModulesBases, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_FORWARDER_APINAME); + } + else + { + ForwarderData = NULL; + } + if(ForwarderData != NULL) + { + return(ForwarderData); + } + else + { + if(engineFoundAPIName[0] != 0x00) + { + return((ULONG_PTR)engineFoundAPIName); + } + else + { + return(NULL); + } + } + } + else + { + if(engineFoundAPIName[0] != 0x00) + { + return((ULONG_PTR)engineFoundAPIName); + } + else + { + return(NULL); + } + } + } + else + { + if(engineFoundAPIName[0] != 0x00) + { + return((ULONG_PTR)engineFoundAPIName); + } + else + { + return(NULL); + } + } + } + else + { + return(APIFoundAddress); + } + } + else + { + if(ReturnType == UE_OPTION_IMPORTER_RETURN_API_ORDINAL_NUMBER || ReturnType == UE_OPTION_IMPORTER_RETURN_FORWARDER_API_ORDINAL_NUMBER) + { + return((ULONG_PTR)-1); + } + else + { + return(NULL); + } + } + } + else + { + return(NULL); + } + return(NULL); +} \ No newline at end of file diff --git a/TitanEngine/Global.Engine.h b/TitanEngine/Global.Engine.h new file mode 100644 index 0000000..ca6d8de --- /dev/null +++ b/TitanEngine/Global.Engine.h 
@@ -0,0 +1,50 @@
+#ifndef _GLOBAL_ENGINE_H
+#define _GLOBAL_ENGINE_H
+
+#include
+
+//Global.Engine.Variables
+extern PROCESS_INFORMATION dbgProcessInformation;
+extern HARDWARE_DATA DebugRegister[4];
+extern HMODULE engineHandle;
+
+extern bool engineAlowModuleLoading;
+extern bool engineCheckForwarders;
+
+extern std::vector Plugin;
+
+
+//Global.Engine.Functions
+void EngineExecutePluginReleaseCallBack();
+void EngineExecutePluginResetCallBack();
+void EngineExecutePluginDebugCallBack(LPDEBUG_EVENT debugEvent, int CallReason);
+bool EngineIsThereFreeHardwareBreakSlot(LPDWORD FreeRegister);
+bool EngineFileExists(char* szFileName);
+char* EngineExtractPath(char* szFileName);
+char* EngineExtractFileName(char* szFileName);
+bool EngineCreatePathForFile(char* szFileName);
+bool EngineCreatePathForFileW(wchar_t* szFileName);
+wchar_t* EngineExtractFileNameW(wchar_t* szFileName);
+bool EngineIsPointedMemoryString(ULONG_PTR PossibleStringPtr);
+int EnginePointedMemoryStringLength(ULONG_PTR PossibleStringPtr);
+bool EngineCompareResourceString(wchar_t* String1, wchar_t* String2);
+long long EngineEstimateNewSectionRVA(ULONG_PTR FileMapVA);
+bool EngineExtractForwarderData(ULONG_PTR PossibleStringPtr, LPVOID szFwdDLLName, LPVOID szFwdAPIName);
+bool EngineGrabDataFromMappedFile(HANDLE hFile, ULONG_PTR FileMapVA, ULONG_PTR FileOffset, DWORD CopySize, LPVOID CopyToMemory);
+bool EngineExtractResource(char* szResourceName, wchar_t* szExtractedFileName);
+bool EngineIsDependencyPresent(char* szFileName, char* szDependencyForFile, char* szPresentInFolder);
+bool EngineIsDependencyPresentW(wchar_t* szFileName, wchar_t* szDependencyForFile, wchar_t* szPresentInFolder);
+bool EngineGetDependencyLocation(char* szFileName, char* szDependencyForFile, void* szLocationOfTheFile, int MaxStringSize);
+long EngineHashString(char* szStringToHash);
+long EngineHashMemory(char* MemoryAddress, int MemorySize, DWORD InitialHashValue);
+bool EngineIsBadReadPtrEx(LPVOID DataPointer, DWORD DataSize);
+bool EngineValidateResource(HMODULE hModule, LPCTSTR lpszType, LPTSTR lpszName, LONG_PTR lParam);
+bool EngineValidateHeader(ULONG_PTR FileMapVA, HANDLE hFileProc, LPVOID ImageBase, PIMAGE_DOS_HEADER DOSHeader, bool IsFile);
+long long EngineSimulateNtLoaderW(wchar_t* szFileName);
+long long EngineSimulateNtLoader(char* szFileName);
+long long EngineSimulateDllLoader(HANDLE hProcess, char* szFileName);
+long long EngineGetProcAddress(ULONG_PTR ModuleBase, char* szAPIName);
+bool EngineGetLibraryOrdinalData(ULONG_PTR ModuleBase, LPDWORD ptrOrdinalBase, LPDWORD ptrOrdinalCount);
+long long EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBases, ULONG_PTR APIAddress, char* szAPIName, DWORD ReturnType);
+
+#endif //_GLOBAL_ENGINE_H
\ No newline at end of file
diff --git a/TitanEngine/Global.Handle.cpp b/TitanEngine/Global.Handle.cpp
new file mode 100644
index 0000000..baee92f
--- /dev/null
+++ b/TitanEngine/Global.Handle.cpp
@@ -0,0 +1,11 @@
+#include "stdafx.h"
+#include "Global.Handle.h"
+
+// Global.Handle.functions:
+bool EngineCloseHandle(HANDLE myHandle)
+{
+ DWORD HandleFlags;
+ if(GetHandleInformation(myHandle, &HandleFlags) && HandleFlags!=HANDLE_FLAG_PROTECT_FROM_CLOSE)
+ return (CloseHandle(myHandle)==TRUE);
+ return false;
+}
\ No newline at end of file
diff --git a/TitanEngine/Global.Handle.h b/TitanEngine/Global.Handle.h
new file mode 100644
index 0000000..b5ab5ff
--- /dev/null
+++ b/TitanEngine/Global.Handle.h
@@ -0,0 +1,6 @@
+#ifndef _GLOBAL_HANDLE_H
+#define _GLOBAL_HANDLE_H
+
+bool EngineCloseHandle(HANDLE myHandle);
+
+#endif //_GLOBAL_HANDLE_H
\ No newline at end of file
diff --git a/TitanEngine/Global.Mapping.cpp b/TitanEngine/Global.Mapping.cpp
new file mode 100644
index 0000000..4b792f5
--- /dev/null
+++ b/TitanEngine/Global.Mapping.cpp
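Review bot: The new header does not say that `EngineExtractPath`, `EngineExtractFileName` and `EngineExtractFileNameW` return pointers the caller does not own; judging by the bodies being moved out of TitanEngine.cpp, they hand back an engine-global scratch buffer (`engineExtractedFolderName`, `engineExtractedFileName`, `engineExtractedFileNameW`), and `EngineExtractFileName`/`EngineExtractFileNameW` return the argument itself when it has no backslash, so the lifetime of the result differs by input. Since the header is now the public face of these helpers, a one-line comment above each of the three declarations would save the next caller a dangling pointer: `// Returns a pointer into an engine-global scratch buffer (or szFileName itself when it contains no path separator); not reentrant, copy the result before the next call.` The path and name parameters throughout the block are also declared `char*`/`wchar_t*` even though the moved implementations only read them; `const` on those would let callers pass literals and document intent, assuming the moved bodies really do not write through them.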
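Review bot: `HandleFlags!=HANDLE_FLAG_PROTECT_FROM_CLOSE` in EngineCloseHandle compares a bit mask for equality, so a handle that carries HANDLE_FLAG_INHERIT as well as HANDLE_FLAG_PROTECT_FROM_CLOSE passes the test and CloseHandle is still attempted on a protect-from-close handle, which is exactly what the new condition was meant to prevent (and, in a debugger host, is the case that raises an exception). Test the bit instead: `if(GetHandleInformation(myHandle, &HandleFlags) && !(HandleFlags & HANDLE_FLAG_PROTECT_FROM_CLOSE))`. Initialising the local, `DWORD HandleFlags = 0;`, costs nothing and keeps the comparison well-defined whatever the API does on failure.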
@@ -0,0 +1,138 @@
+#include "stdafx.h"
+#include "definitions.h"
+#include "Global.Mapping.h"
+#include "Global.Handle.h"
+
+// Global.Mapping.functions:
+bool MapFileEx(char* szFileName, DWORD ReadOrWrite, LPHANDLE FileHandle, LPDWORD FileSize, LPHANDLE FileMap, LPVOID FileMapVA, DWORD SizeModifier)
+{
+ DWORD FileAccess = 0;
+ DWORD FileMapType = 0;
+ DWORD FileMapViewType = 0;
+
+ if(ReadOrWrite == UE_ACCESS_READ)
+ {
+ FileAccess = GENERIC_READ;
+ FileMapType = PAGE_READONLY;
+ FileMapViewType = FILE_MAP_READ;
+ }
+ else if(ReadOrWrite == UE_ACCESS_WRITE)
+ {
+ FileAccess = GENERIC_WRITE;
+ FileMapType = PAGE_READWRITE;
+ FileMapViewType = FILE_MAP_WRITE;
+ }
+ else if(ReadOrWrite == UE_ACCESS_ALL)
+ {
+ FileAccess = GENERIC_READ+GENERIC_WRITE+GENERIC_EXECUTE;
+ FileMapType = PAGE_EXECUTE_READWRITE;
+ FileMapViewType = FILE_MAP_WRITE;
+ }
+ else
+ {
+ FileAccess = GENERIC_READ+GENERIC_WRITE+GENERIC_EXECUTE;
+ FileMapType = PAGE_EXECUTE_READWRITE;
+ FileMapViewType = FILE_MAP_ALL_ACCESS;
+ }
+
+ HANDLE hFile = CreateFileA(szFileName, FileAccess, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+ if(hFile != INVALID_HANDLE_VALUE)
+ {
+ *FileHandle = hFile;
+ DWORD mfFileSize = GetFileSize(hFile,NULL);
+ mfFileSize = mfFileSize + SizeModifier;
+ *FileSize = mfFileSize;
+ HANDLE mfFileMap = CreateFileMappingA(hFile, NULL, FileMapType, NULL, mfFileSize, NULL);
+ if(mfFileMap != NULL)
+ {
+ *FileMap = mfFileMap;
+ LPVOID mfFileMapVA = MapViewOfFile(mfFileMap, FileMapViewType, NULL, NULL, NULL);
+ if(mfFileMapVA != NULL)
+ {
+ RtlMoveMemory(FileMapVA, &mfFileMapVA, sizeof ULONG_PTR);
+ return true;
+ }
+ }
+ RtlZeroMemory(FileMapVA, sizeof ULONG_PTR);
+ *FileHandle = NULL;
+ *FileSize = NULL;
+ EngineCloseHandle(hFile);
+ }
+ else
+ {
+ RtlZeroMemory(FileMapVA, sizeof ULONG_PTR);
+ }
+ return false;
+}
+
+bool MapFileExW(wchar_t* szFileName, DWORD ReadOrWrite, LPHANDLE FileHandle, LPDWORD FileSize, LPHANDLE FileMap, LPVOID FileMapVA, DWORD SizeModifier)
+{
+ DWORD FileAccess = 0;
+ DWORD FileMapType = 0;
+ DWORD FileMapViewType = 0;
+
+ if(ReadOrWrite == UE_ACCESS_READ)
+ {
+ FileAccess = GENERIC_READ;
+ FileMapType = PAGE_READONLY;
+ FileMapViewType = FILE_MAP_READ;
+ }
+ else if(ReadOrWrite == UE_ACCESS_WRITE)
+ {
+ FileAccess = GENERIC_WRITE;
+ FileMapType = PAGE_READWRITE;
+ FileMapViewType = FILE_MAP_WRITE;
+ }
+ else if(ReadOrWrite == UE_ACCESS_ALL)
+ {
+ FileAccess = GENERIC_READ+GENERIC_WRITE+GENERIC_EXECUTE;
+ FileMapType = PAGE_EXECUTE_READWRITE;
+ FileMapViewType = FILE_MAP_WRITE;
+ }
+ else
+ {
+ FileAccess = GENERIC_READ+GENERIC_WRITE+GENERIC_EXECUTE;
+ FileMapType = PAGE_EXECUTE_READWRITE;
+ FileMapViewType = FILE_MAP_ALL_ACCESS;
+ }
+
+ HANDLE hFile = CreateFileW(szFileName, FileAccess, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+ if(hFile != INVALID_HANDLE_VALUE)
+ {
+ *FileHandle = hFile;
+ DWORD mfFileSize = GetFileSize(hFile,NULL);
+ mfFileSize = mfFileSize + SizeModifier;
+ *FileSize = mfFileSize;
+ HANDLE mfFileMap = CreateFileMappingA(hFile, NULL, FileMapType, NULL, mfFileSize, NULL);
+ if(mfFileMap != NULL)
+ {
+ *FileMap = mfFileMap;
+ LPVOID mfFileMapVA = MapViewOfFile(mfFileMap, FileMapViewType, NULL, NULL, NULL);
+ if(mfFileMapVA != NULL)
+ {
+ RtlMoveMemory(FileMapVA, &mfFileMapVA, sizeof ULONG_PTR);
+ return true;
+ }
+ }
+ RtlZeroMemory(FileMapVA, sizeof ULONG_PTR);
+ *FileHandle = NULL;
+ *FileSize = NULL;
+ EngineCloseHandle(hFile);
+ }
+ else
+ {
+ RtlZeroMemory(FileMapVA, sizeof ULONG_PTR);
+ }
+ return false;
+}
+
+void UnMapFileEx(HANDLE FileHandle, DWORD FileSize, HANDLE FileMap, ULONG_PTR FileMapVA)
+{
+ if(UnmapViewOfFile((void*)FileMapVA))
+ {
+ EngineCloseHandle(FileMap);
+ SetFilePointer(FileHandle,FileSize,NULL,FILE_BEGIN);
+ SetEndOfFile(FileHandle);
+ EngineCloseHandle(FileHandle);
+ }
+}
\ No newline at end of file
diff --git a/TitanEngine/Global.Mapping.h b/TitanEngine/Global.Mapping.h
new file mode 100644
index 0000000..4298cc7
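Review bot: The result of `GetFileSize(hFile,NULL)` in MapFileEx is used unchecked, so an API failure (INVALID_FILE_SIZE, and with a NULL high-order part a file too large for a DWORD cannot be represented either) becomes a mapping request of 0xFFFFFFFF plus SizeModifier, and the DWORD addition `mfFileSize = mfFileSize + SizeModifier;` itself wraps for a large modifier; for a tool that opens attacker-supplied binaries that is a size the caller cannot trust. In the same function the mapping handle is published through `*FileMap` before MapViewOfFile is called, and when the view fails the handle is neither closed nor cleared, so the object leaks and the caller is left holding a dead handle next to a `false` return. MapFileExW later in the hunk has the identical sequence, and UnMapFileEx leaks both handles whenever UnmapViewOfFile fails. A guard on the size plus a close on the view-failure path fixes the first two; the rewritten middle of MapFileEx is below and MapFileExW needs the same edit.
```cpp
 HANDLE hFile = CreateFileA(szFileName, FileAccess, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
 if(hFile != INVALID_HANDLE_VALUE)
 {
 *FileHandle = hFile;
 DWORD mfFileSize = GetFileSize(hFile,NULL);
 // INVALID_FILE_SIZE covers both an API failure and a size that does not fit the low DWORD;
 // the second test keeps the DWORD addition below from wrapping.
 if(mfFileSize != INVALID_FILE_SIZE && mfFileSize <= MAXDWORD - SizeModifier)
 {
 mfFileSize = mfFileSize + SizeModifier;
 *FileSize = mfFileSize;
 HANDLE mfFileMap = CreateFileMappingA(hFile, NULL, FileMapType, NULL, mfFileSize, NULL);
 if(mfFileMap != NULL)
 {
 LPVOID mfFileMapVA = MapViewOfFile(mfFileMap, FileMapViewType, NULL, NULL, NULL);
 if(mfFileMapVA != NULL)
 {
 *FileMap = mfFileMap; // publish the mapping handle only once the view exists
 RtlMoveMemory(FileMapVA, &mfFileMapVA, sizeof ULONG_PTR);
 return true;
 }
 EngineCloseHandle(mfFileMap); // view failed: do not leak or hand out the mapping handle
 }
 }
 RtlZeroMemory(FileMapVA, sizeof ULONG_PTR);
 *FileHandle = NULL;
 *FileSize = NULL;
 *FileMap = NULL;
 EngineCloseHandle(hFile);
 }
 // … unchanged: else branch and return false …
```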
--- /dev/null +++ b/TitanEngine/Global.Mapping.h @@ -0,0 +1,8 @@ +#ifndef _GLOBAL_MAPPING_H +#define _GLOBAL_MAPPING_H + +bool MapFileEx(char* szFileName, DWORD ReadOrWrite, LPHANDLE FileHandle, LPDWORD FileSize, LPHANDLE FileMap, LPVOID FileMapVA, DWORD SizeModifier); +bool MapFileExW(wchar_t* szFileName, DWORD ReadOrWrite, LPHANDLE FileHandle, LPDWORD FileSize, LPHANDLE FileMap, LPVOID FileMapVA, DWORD SizeModifier); +void UnMapFileEx(HANDLE FileHandle, DWORD FileSize, HANDLE FileMap, ULONG_PTR FileMapVA); + +#endif //_GLOBAL_MAPPING_H \ No newline at end of file diff --git a/TitanEngine/TitanEngine.Dumper.cpp b/TitanEngine/TitanEngine.Dumper.cpp new file mode 100644 index 0000000..0d20c20 --- /dev/null +++ b/TitanEngine/TitanEngine.Dumper.cpp @@ -0,0 +1,3 @@ +#include "stdafx.h" +#include "TitanEngine.Dumper.h" +#include "definitions.h" \ No newline at end of file diff --git a/TitanEngine/TitanEngine.Dumper.h b/TitanEngine/TitanEngine.Dumper.h new file mode 100644 index 0000000..da286b1 --- /dev/null +++ b/TitanEngine/TitanEngine.Dumper.h @@ -0,0 +1,6 @@ +#ifndef _TITANENGINE_DUMPER_H +#define _TITANENGINE_DUMPER_H + + + +#endif //_TITANENGINE_DUMPER_H \ No newline at end of file diff --git a/TitanEngine/TitanEngine.cpp b/TitanEngine/TitanEngine.cpp index b479b20..b7fbed5 100644 --- a/TitanEngine/TitanEngine.cpp +++ b/TitanEngine/TitanEngine.cpp @@ -23,6 +23,11 @@ // scylla wrapper #include "scylla_wrapper.h" +//New includes +#include "Global.Engine.h" +#include "Global.Handle.h" +#include "Global.Mapping.h" + #define TE_VER_MAJOR 2 #define TE_VER_MIDDLE 1 #define TE_VER_MINOR 0 @@ -34,7 +39,7 @@ char* szSharedOverlay = 0; wchar_t* szSharedOverlayW = 0; STARTUPINFOW dbgStartupInfo = {}; -PROCESS_INFORMATION dbgProcessInformation = {}; + DWORD DBGCode = DBG_CONTINUE; DWORD CurrentExceptionsNumber = 0; int BreakPointSetCount = 0; 
@@ -73,12 +78,12 @@ DWORD engineBackupNumberOfCallBacks = NULL; DWORD engineBackupTLSAddress = NULL; IMAGE_TLS_DIRECTORY32 engineBackupTLSDataX86 = {}; IMAGE_TLS_DIRECTORY64 engineBackupTLSDataX64 = {}; -bool engineAlowModuleLoading = false; -bool engineCheckForwarders = true; + + bool enginePassAllExceptions = true; bool engineRemoveConsoleForDebugee = false; bool engineBackupForCriticalFunctions = true; -bool engineCreatePathForFiles = true; // hardcoded + bool engineResetCustomHandler = true; bool engineExecutePluginCallBack = true; bool engineFileIsBeingDebugged = false; @@ -112,19 +117,15 @@ ULONG_PTR DebugModuleEntryPoint; ULONG_PTR DebugModuleImageBase; LPVOID DebugModuleEntryPointCallBack; LPVOID DebugExeFileEntryPointCallBack; -HMODULE engineHandle; -HARDWARE_DATA DebugRegister[4] = {}; + + LPVOID RelocationData = NULL; LPVOID RelocationLastPage = NULL; LPVOID RelocationStartPosition = NULL; LPVOID RelocationWritePosition = NULL; ULONG_PTR RelocationOldImageBase; ULONG_PTR RelocationNewImageBase; -char engineExtractedFolderName[512]; -char engineExtractedFileName[512]; -wchar_t engineExtractedFileNameW[512]; -char engineFoundAPIName[512]; -char engineFoundDLLName[512]; + wchar_t szBackupDebuggedFileName[512]; //wchar_t szReserveModuleName[512]; wchar_t szDebuggerName[512]; @@ -168,8 +169,7 @@ DWORD buffPatchedEntrySize = 0x3000; void* CwpBuffPatchedEntry; void* buffPatchedEntry; std::vector hookEntry; -// Global.Engine.Plugins: -std::vector Plugin; + // Global.Engine.Hash: unsigned long Crc32Table[256]; 
@@ -178,2274 +178,6 @@ unsigned long Crc32Table[256]; #define UE_MODULEx86 0x2000; #define UE_MODULEx64 0x2000; -// Global.Handle.functions: -bool EngineCloseHandle(HANDLE myHandle) -{ - DWORD HandleFlags; - if(GetHandleInformation(myHandle, &HandleFlags)) - { - if(CloseHandle(myHandle)) - { - return(true); - } - } - - return(false); -} -// Global.Mapping.functions: -bool MapFileEx(char* szFileName, DWORD ReadOrWrite, LPHANDLE FileHandle, LPDWORD FileSize, LPHANDLE FileMap, LPVOID FileMapVA, DWORD SizeModifier) -{ - HANDLE hFile = 0; - DWORD FileAccess = 0; - DWORD FileMapType = 0; - DWORD FileMapViewType = 0; - DWORD mfFileSize = 0; - HANDLE mfFileMap = 0; - LPVOID mfFileMapVA = 0; - - if(ReadOrWrite == UE_ACCESS_READ) - { - FileAccess = GENERIC_READ; - FileMapType = PAGE_READONLY; - FileMapViewType = FILE_MAP_READ; - } - else if(ReadOrWrite == UE_ACCESS_WRITE) - { - FileAccess = GENERIC_WRITE; - FileMapType = PAGE_READWRITE; - FileMapViewType = FILE_MAP_WRITE; - } - else if(ReadOrWrite == UE_ACCESS_ALL) - { - FileAccess = GENERIC_READ+GENERIC_WRITE+GENERIC_EXECUTE; - FileMapType = PAGE_EXECUTE_READWRITE; - FileMapViewType = FILE_MAP_WRITE; - } - else - { - FileAccess = GENERIC_READ+GENERIC_WRITE+GENERIC_EXECUTE; - FileMapType = PAGE_EXECUTE_READWRITE; - FileMapViewType = FILE_MAP_ALL_ACCESS; - } - - hFile = CreateFileA(szFileName, FileAccess, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); - if(hFile != INVALID_HANDLE_VALUE) - { - *FileHandle = hFile; - mfFileSize = GetFileSize(hFile,NULL); - mfFileSize = mfFileSize + SizeModifier; - *FileSize = mfFileSize; - mfFileMap = CreateFileMappingA(hFile, NULL, FileMapType, NULL, mfFileSize, NULL); - if(mfFileMap != NULL) - { - *FileMap = mfFileMap; - mfFileMapVA = MapViewOfFile(mfFileMap, FileMapViewType, NULL, NULL, NULL); - if(mfFileMapVA != NULL) - { - RtlMoveMemory(FileMapVA, &mfFileMapVA, sizeof ULONG_PTR); - return(true); - } - } - RtlZeroMemory(FileMapVA, sizeof ULONG_PTR); - *FileHandle = 
NULL; - *FileSize = NULL; - EngineCloseHandle(hFile); - } - else - { - RtlZeroMemory(FileMapVA, sizeof ULONG_PTR); - } - return(false); -} - -bool MapFileExW(wchar_t* szFileName, DWORD ReadOrWrite, LPHANDLE FileHandle, LPDWORD FileSize, LPHANDLE FileMap, LPVOID FileMapVA, DWORD SizeModifier) -{ - - HANDLE hFile = 0; - DWORD FileAccess = 0; - DWORD FileMapType = 0; - DWORD FileMapViewType = 0; - DWORD mfFileSize = 0; - HANDLE mfFileMap = 0; - LPVOID mfFileMapVA = 0; - - if(ReadOrWrite == UE_ACCESS_READ) - { - FileAccess = GENERIC_READ; - FileMapType = PAGE_READONLY; - FileMapViewType = FILE_MAP_READ; - } - else if(ReadOrWrite == UE_ACCESS_WRITE) - { - FileAccess = GENERIC_WRITE; - FileMapType = PAGE_READWRITE; - FileMapViewType = FILE_MAP_WRITE; - } - else if(ReadOrWrite == UE_ACCESS_ALL) - { - FileAccess = GENERIC_READ+GENERIC_WRITE+GENERIC_EXECUTE; - FileMapType = PAGE_EXECUTE_READWRITE; - FileMapViewType = FILE_MAP_WRITE; - } - else - { - FileAccess = GENERIC_READ+GENERIC_WRITE+GENERIC_EXECUTE; - FileMapType = PAGE_EXECUTE_READWRITE; - FileMapViewType = FILE_MAP_ALL_ACCESS; - } - - hFile = CreateFileW(szFileName, FileAccess, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); - if(hFile != INVALID_HANDLE_VALUE) - { - *FileHandle = hFile; - mfFileSize = GetFileSize(hFile,NULL); - mfFileSize = mfFileSize + SizeModifier; - *FileSize = mfFileSize; - mfFileMap = CreateFileMappingA(hFile, NULL, FileMapType, NULL, mfFileSize, NULL); - if(mfFileMap != NULL) - { - *FileMap = mfFileMap; - mfFileMapVA = MapViewOfFile(mfFileMap, FileMapViewType, NULL, NULL, NULL); - if(mfFileMapVA != NULL) - { - RtlMoveMemory(FileMapVA, &mfFileMapVA, sizeof ULONG_PTR); - return(true); - } - } - RtlZeroMemory(FileMapVA, sizeof ULONG_PTR); - *FileHandle = NULL; - *FileSize = NULL; - EngineCloseHandle(hFile); - } - else - { - RtlZeroMemory(FileMapVA, sizeof ULONG_PTR); - } - return(false); -} - -void UnMapFileEx(HANDLE FileHandle, DWORD FileSize, HANDLE FileMap, ULONG_PTR 
FileMapVA) -{ - - LPVOID ufFileMapVA = (void*)FileMapVA; - - if(UnmapViewOfFile(ufFileMapVA)) - { - EngineCloseHandle(FileMap); - SetFilePointer(FileHandle,FileSize,NULL,FILE_BEGIN); - SetEndOfFile(FileHandle); - EngineCloseHandle(FileHandle); - } -} -// Global.Engine.functions: -void EngineGlobalTestFunction() -{ - MessageBoxA(NULL, "TitanEngine test message!", "TitanEngine2:", 0x40); -} -void EngineExecutePluginReleaseCallBack() -{ - - typedef void(TITCALL *fPluginReleaseExec)(); - fPluginReleaseExec myPluginReleaseExec; - - for(unsigned int i = 0; i < Plugin.size(); i++) - { - __try - { - if(Plugin[i].TitanReleasePlugin != NULL) - { - myPluginReleaseExec = (fPluginReleaseExec)Plugin[i].TitanReleasePlugin; - myPluginReleaseExec(); - } - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - - } - } -} -void EngineExecutePluginResetCallBack() -{ - - typedef void(TITCALL *fPluginResetExec)(); - fPluginResetExec myPluginResetExec; - - for(unsigned int i = 0; i < Plugin.size(); i++) - { - __try - { - if(Plugin[i].TitanResetPlugin != NULL) - { - myPluginResetExec = (fPluginResetExec)Plugin[i].TitanResetPlugin; - myPluginResetExec(); - } - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - - } - } -} -void EngineExecutePluginDebugCallBack(LPDEBUG_EVENT debugEvent, int CallReason) -{ - - typedef void(TITCALL *fPluginDebugExec)(LPDEBUG_EVENT debugEvent, int CallReason); - fPluginDebugExec myPluginDebugExec; - - for(unsigned int i = 0; i < Plugin.size(); i++) - { - __try - { - if(!Plugin[i].PluginDisabled) - { - if(Plugin[i].TitanDebuggingCallBack != NULL) - { - myPluginDebugExec = (fPluginDebugExec)Plugin[i].TitanDebuggingCallBack; - myPluginDebugExec(debugEvent, CallReason); - } - } - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - - } - } -} -bool EngineIsThereFreeHardwareBreakSlot(LPDWORD FreeRegister) -{ - - if(DebugRegister[0].DrxEnabled == false) - { - if(FreeRegister != NULL) - { - *FreeRegister = UE_DR0; - } - return(true); - } - else if(DebugRegister[1].DrxEnabled == false) - { 
- if(FreeRegister != NULL) - { - *FreeRegister = UE_DR1; - } - return(true); - } - else if(DebugRegister[2].DrxEnabled == false) - { - if(FreeRegister != NULL) - { - *FreeRegister = UE_DR2; - } - return(true); - } - else if(DebugRegister[3].DrxEnabled == false) - { - if(FreeRegister != NULL) - { - *FreeRegister = UE_DR3; - } - return(true); - } - return(false); -} -bool EngineFileExists(char* szFileName) -{ - - HANDLE hFile = CreateFileA(szFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); - if(hFile != INVALID_HANDLE_VALUE) - { - EngineCloseHandle(hFile); - return(true); - } - else - { - return(false); - } -} -static char* EngineExtractPath(char* szFileName) -{ - int i; - - RtlZeroMemory(&engineExtractedFolderName, sizeof(engineExtractedFolderName)); - lstrcpyA(engineExtractedFolderName, szFileName); - i = lstrlenA(engineExtractedFolderName); - while(i > 0 && engineExtractedFolderName[i] != 0x5C) - { - engineExtractedFolderName[i] = 0x00; - i--; - } - return(engineExtractedFolderName); -} -char* EngineExtractFileName(char* szFileName) -{ - - int i; - int j; - int x = 0; - - i = lstrlenA(szFileName); - RtlZeroMemory(&engineExtractedFileName, sizeof(engineExtractedFileName)); - while(i > 0 && szFileName[i] != 0x5C) - { - i--; - } - if(szFileName[i] == 0x5C) - { - for(j = i + 1; j <= lstrlenA(szFileName); j++) - { - engineExtractedFileName[x] = szFileName[j]; - x++; - } - } - else - { - return(szFileName); - } - return(engineExtractedFileName); -} -bool EngineCreatePathForFile(char* szFileName) -{ - - int i,j; - char szFolderName[2 * MAX_PATH] = {}; - char szCreateFolder[2 * MAX_PATH] = {}; - - if(engineCreatePathForFiles) - { - i = lstrlenA(szFileName); - while(szFileName[i] != '\\' && i > NULL) - { - i--; - } - if(i != NULL) - { - RtlMoveMemory(szFolderName, szFileName, i + 1); - if(!CreateDirectoryA(szFolderName, NULL)) - { - if(GetLastError() != ERROR_ALREADY_EXISTS) - { - j = lstrlenA(szFolderName); - for(i = 4; i < j; 
i++) - { - if(szFileName[i] == '\\') - { - RtlZeroMemory(szCreateFolder, 2 * MAX_PATH); - RtlCopyMemory(szCreateFolder, szFileName, i + 1); - CreateDirectoryA(szCreateFolder, NULL); - } - } - } - } - } - } - return(true); -} -bool EngineCreatePathForFileW(wchar_t* szFileName) -{ - - int i,j; - wchar_t szFolderName[MAX_PATH] = {}; - wchar_t szCreateFolder[MAX_PATH] = {}; - - if(engineCreatePathForFiles) - { - i = lstrlenW(szFileName); - while(szFileName[i] != '\\' && i > 0) - { - i--; - } - if(i != 0) - { - RtlCopyMemory(szFolderName, szFileName, (i * 2) + 2); - if(!CreateDirectoryW(szFolderName, NULL)) - { - if(GetLastError() != ERROR_ALREADY_EXISTS) - { - j = lstrlenW(szFolderName); - for(i = 4; i < j; i++) - { - if(szFileName[i] == '\\') - { - RtlZeroMemory(szCreateFolder, 2 * MAX_PATH); - RtlCopyMemory(szCreateFolder, szFileName, (i * 2) + 1); - CreateDirectoryW(szCreateFolder, NULL); - } - } - } - } - } - } - return(true); -} -wchar_t* EngineExtractFileNameW(wchar_t* szFileName) -{ - - int i; - int j; - int x = 0; - - i = lstrlenW(szFileName); - RtlZeroMemory(&engineExtractedFileNameW, sizeof engineExtractedFileNameW); - while(i > 0 && szFileName[i] != 0x5C) - { - i--; - } - if(szFileName[i] == 0x5C) - { - int len=lstrlenW(szFileName); - for(j = i + 1; j <= len; j++) - { - engineExtractedFileNameW[x] = szFileName[j]; - x++; - } - } - else - { - return(szFileName); - } - return(engineExtractedFileNameW); -} -bool EngineIsPointedMemoryString(ULONG_PTR PossibleStringPtr) -{ - - bool StringIsValid = true; - unsigned int i = 512; - MEMORY_BASIC_INFORMATION MemInfo = {0}; - DWORD MaxDisassmSize = 512; - BYTE TestChar; - - VirtualQueryEx(GetCurrentProcess(), (LPVOID)PossibleStringPtr, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); - if(MemInfo.State == MEM_COMMIT) - { - if((ULONG_PTR)MemInfo.BaseAddress + (ULONG_PTR)MemInfo.RegionSize - PossibleStringPtr <= 512) - { - MaxDisassmSize = (DWORD)((ULONG_PTR)MemInfo.BaseAddress + (ULONG_PTR)MemInfo.RegionSize - 
PossibleStringPtr - 1); - VirtualQueryEx(GetCurrentProcess(), (LPVOID)(PossibleStringPtr + (ULONG_PTR)MemInfo.RegionSize), &MemInfo, sizeof MEMORY_BASIC_INFORMATION); - if(MemInfo.State != MEM_COMMIT) - { - i = MaxDisassmSize; - } - else - { - MaxDisassmSize = 512; - } - } - else - { - MaxDisassmSize = 512; - } - - TestChar = *((BYTE*)PossibleStringPtr); - while(i > NULL && StringIsValid == true && TestChar != 0x00) - { - TestChar = *((BYTE*)PossibleStringPtr); - - if(TestChar < 32 || TestChar > 126) - { - if(TestChar != 0x00) - { - StringIsValid = false; - } - } - PossibleStringPtr++; - i--; - } - if(StringIsValid == true && MaxDisassmSize - i > 4) - { - return(true); - } - } - return(false); -} -int EnginePointedMemoryStringLength(ULONG_PTR PossibleStringPtr) -{ - - bool StringIsValid = true; - unsigned int i = 512; - MEMORY_BASIC_INFORMATION MemInfo; - DWORD MaxDisassmSize = 512; - BYTE TestChar; - - VirtualQueryEx(GetCurrentProcess(), (LPVOID)PossibleStringPtr, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); - if(MemInfo.State == MEM_COMMIT) - { - if((ULONG_PTR)MemInfo.BaseAddress + (ULONG_PTR)MemInfo.RegionSize - PossibleStringPtr <= 512) - { - MaxDisassmSize = (DWORD)((ULONG_PTR)MemInfo.BaseAddress + (ULONG_PTR)MemInfo.RegionSize - PossibleStringPtr - 1); - VirtualQueryEx(GetCurrentProcess(), (LPVOID)(PossibleStringPtr + (ULONG_PTR)MemInfo.RegionSize), &MemInfo, sizeof MEMORY_BASIC_INFORMATION); - if(MemInfo.State != MEM_COMMIT) - { - i = MaxDisassmSize; - } - } - - TestChar = *((BYTE*)PossibleStringPtr); - while(i > NULL && StringIsValid == true && TestChar != 0x00) - { - TestChar = *((BYTE*)PossibleStringPtr); - - if(TestChar < 32 || TestChar > 126) - { - if(TestChar != 0x00) - { - StringIsValid = false; - } - } - PossibleStringPtr++; - i--; - } - if(StringIsValid == true && 512 - i > 4) - { - i = 512 - i; - return(i); - } - } - return(NULL); -} -bool EngineCompareResourceString(wchar_t* String1, wchar_t* String2) -{ - - PMEMORY_COMPARE_HANDLER memData = 
(PMEMORY_COMPARE_HANDLER)String1; - wchar_t StringCmp[MAX_PATH] = {}; - - String1 = (wchar_t*)((ULONG_PTR)String1 + 2); - RtlMoveMemory(&StringCmp[0], &String1[0], memData->Array.wArrayEntry[0] * 2); - if(lstrcmpiW(StringCmp, String2) == NULL) - { - return(true); - } - return(false); -} -long long EngineEstimateNewSectionRVA(ULONG_PTR FileMapVA) -{ - - PIMAGE_DOS_HEADER DOSHeader; - PIMAGE_NT_HEADERS32 PEHeader32; - PIMAGE_NT_HEADERS64 PEHeader64; - PIMAGE_SECTION_HEADER PESections; - DWORD NewSectionVirtualOffset = 0; - DWORD SectionNumber = 0; - BOOL FileIs64; - - if(FileMapVA != NULL) - { - DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - if(PEHeader32->OptionalHeader.Magic == 0x10B) - { - FileIs64 = false; - } - else if(PEHeader32->OptionalHeader.Magic == 0x20B) - { - FileIs64 = true; - } - else - { - return(0); - } - - if(!FileIs64) - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - SectionNumber = PEHeader32->FileHeader.NumberOfSections; - __try - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + (SectionNumber - 1) * IMAGE_SIZEOF_SECTION_HEADER); - NewSectionVirtualOffset = PESections->VirtualAddress + (PESections->Misc.VirtualSize / PEHeader32->OptionalHeader.SectionAlignment) * PEHeader32->OptionalHeader.SectionAlignment; - if(NewSectionVirtualOffset < PESections->VirtualAddress + PESections->Misc.VirtualSize) - { - NewSectionVirtualOffset = NewSectionVirtualOffset + PEHeader32->OptionalHeader.SectionAlignment; - } - return((ULONG_PTR)(NewSectionVirtualOffset + PEHeader32->OptionalHeader.ImageBase)); - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - return(0); - } - } - else - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + 
sizeof(IMAGE_FILE_HEADER) + 4); - SectionNumber = PEHeader64->FileHeader.NumberOfSections; - __try - { - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + (SectionNumber - 1) * IMAGE_SIZEOF_SECTION_HEADER); - NewSectionVirtualOffset = PESections->VirtualAddress + (PESections->Misc.VirtualSize / PEHeader64->OptionalHeader.SectionAlignment) * PEHeader64->OptionalHeader.SectionAlignment; - if(NewSectionVirtualOffset < PESections->VirtualAddress + PESections->Misc.VirtualSize) - { - NewSectionVirtualOffset = NewSectionVirtualOffset + PEHeader32->OptionalHeader.SectionAlignment; - } - return((ULONG_PTR)(NewSectionVirtualOffset + PEHeader64->OptionalHeader.ImageBase)); - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - return(0); - } - } - } - return(0); -} -bool EngineExtractForwarderData(ULONG_PTR PossibleStringPtr, LPVOID szFwdDLLName, LPVOID szFwdAPIName) -{ - - __try - { - LPVOID lpPossibleStringPtr = (LPVOID)PossibleStringPtr; - BYTE TestChar; - - TestChar = *((BYTE*)PossibleStringPtr); - - while(TestChar != 0x2E && TestChar != 0x00) - { - TestChar = *((BYTE*)PossibleStringPtr); - PossibleStringPtr++; - } - if(TestChar == 0x00) - { - return(false); - } - PossibleStringPtr--; - RtlCopyMemory(szFwdDLLName, lpPossibleStringPtr, PossibleStringPtr - (ULONG_PTR)lpPossibleStringPtr); - lstrcatA((LPSTR)szFwdDLLName, ".dll"); - lpPossibleStringPtr = (LPVOID)(PossibleStringPtr + 1); - TestChar = *((BYTE*)PossibleStringPtr); - - if(TestChar == 0x23) - { - lpPossibleStringPtr = (LPVOID)(PossibleStringPtr + 1); - } - while(TestChar != 0x00) - { - TestChar = *((BYTE*)PossibleStringPtr); - PossibleStringPtr++; - } - RtlCopyMemory(szFwdAPIName, lpPossibleStringPtr, PossibleStringPtr - (ULONG_PTR)lpPossibleStringPtr); - return(true); - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - return(false); - } -} -bool EngineGrabDataFromMappedFile(HANDLE hFile, ULONG_PTR FileMapVA, ULONG_PTR FileOffset, DWORD CopySize, LPVOID CopyToMemory) -{ - DWORD rfNumberOfBytesRead = NULL; - - 
RtlZeroMemory(CopyToMemory, CopySize); - SetFilePointer(hFile, (DWORD)(FileOffset - FileMapVA), NULL, FILE_BEGIN); - return !!ReadFile(hFile, CopyToMemory, CopySize, &rfNumberOfBytesRead, NULL); -} -bool EngineExtractResource(char* szResourceName, wchar_t* szExtractedFileName) -{ - - HRSRC hResource; - HGLOBAL hResourceGlobal; - DWORD ResourceSize; - LPVOID ResourceData; - DWORD NumberOfBytesWritten; - HANDLE hFile; - - hResource = FindResourceA(engineHandle, (LPCSTR)szResourceName, "BINARY"); - if(hResource != NULL) - { - hResourceGlobal = LoadResource(engineHandle, hResource); - if(hResourceGlobal != NULL) - { - ResourceSize = SizeofResource(engineHandle, hResource); - ResourceData = LockResource(hResourceGlobal); - if(EngineCreatePathForFileW(szExtractedFileName)) - { - hFile = CreateFileW(szExtractedFileName, GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); - if(hFile != INVALID_HANDLE_VALUE) - { - WriteFile(hFile, ResourceData, ResourceSize, &NumberOfBytesWritten, NULL); - EngineCloseHandle(hFile); - } - else - { - return(false); - } - } - } - return(true); - } - return(false); -} -bool EngineIsDependencyPresent(char* szFileName, char* szDependencyForFile, char* szPresentInFolder) -{ - int i,j; - HANDLE hFile; - char szTryFileName[512] = {0}; - - if(szPresentInFolder != NULL && szFileName != NULL) - { - lstrcpyA(szTryFileName, szPresentInFolder); - if(szTryFileName[lstrlenA(szTryFileName)-1] != 0x5C) - { - szTryFileName[lstrlenA(szTryFileName)] = 0x5C; - } - lstrcatA(szTryFileName, szFileName); - hFile = CreateFileA(szTryFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); - if(hFile != INVALID_HANDLE_VALUE) - { - EngineCloseHandle(hFile); - return(true); - } - } - - if(szFileName != NULL) - { - hFile = CreateFileA(szFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); - if(hFile != INVALID_HANDLE_VALUE) - { - EngineCloseHandle(hFile); - 
return(true); - } - if(GetSystemDirectoryA(szTryFileName, 512) > NULL) - { - lstrcatA(szTryFileName, "\\"); - lstrcatA(szTryFileName, szFileName); - hFile = CreateFileA(szTryFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); - if(hFile != INVALID_HANDLE_VALUE) - { - EngineCloseHandle(hFile); - return(true); - } - } - if(GetWindowsDirectoryA(szTryFileName, 512) > NULL) - { - lstrcatA(szTryFileName, "\\"); - lstrcatA(szTryFileName, szFileName); - hFile = CreateFileA(szTryFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); - if(hFile != INVALID_HANDLE_VALUE) - { - EngineCloseHandle(hFile); - return(true); - } - } - if(szDependencyForFile != NULL) - { - RtlZeroMemory(&szTryFileName, 512); - i = lstrlenA(szDependencyForFile); - while(i > 0 && szDependencyForFile[i] != 0x5C) - { - i--; - } - for(j = 0; j <= i; j++) - { - szTryFileName[j] = szDependencyForFile[j]; - } - lstrcatA(szTryFileName, szFileName); - hFile = CreateFileA(szTryFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); - if(hFile != INVALID_HANDLE_VALUE) - { - EngineCloseHandle(hFile); - return(true); - } - } - } - return(false); -} -bool EngineIsDependencyPresentW(wchar_t* szFileName, wchar_t* szDependencyForFile, wchar_t* szPresentInFolder) -{ - - int i,j; - HANDLE hFile; - wchar_t szTryFileName[512] = {0}; - - if(szPresentInFolder != NULL) - { - lstrcpyW(szTryFileName, szPresentInFolder); - if(szTryFileName[lstrlenW(szTryFileName)-1] != 0x5C) - { - szTryFileName[lstrlenW(szTryFileName)] = 0x5C; - } - lstrcatW(szTryFileName, szFileName); - hFile = CreateFileW(szTryFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); - if(hFile != INVALID_HANDLE_VALUE) - { - EngineCloseHandle(hFile); - return(true); - } - } - if(szFileName != NULL) - { - hFile = CreateFileW(szFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); 
- if(hFile != INVALID_HANDLE_VALUE) - { - EngineCloseHandle(hFile); - return(true); - } - if(GetSystemDirectoryW(szTryFileName, 512) > NULL) - { - lstrcatW(szTryFileName, L"\\"); - lstrcatW(szTryFileName, szFileName); - hFile = CreateFileW(szTryFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); - if(hFile != INVALID_HANDLE_VALUE) - { - EngineCloseHandle(hFile); - return(true); - } - } - - if(GetWindowsDirectoryW(szTryFileName, 512) > NULL) - { - lstrcatW(szTryFileName, L"\\"); - lstrcatW(szTryFileName, szFileName); - hFile = CreateFileW(szTryFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); - if(hFile != INVALID_HANDLE_VALUE) - { - EngineCloseHandle(hFile); - return(true); - } - } - - if(szDependencyForFile != NULL) - { - i = lstrlenW(szDependencyForFile); - while(i > 0 && szDependencyForFile[i] != 0x5C) - { - i--; - } - for(j = 0; j <= i; j++) - { - szTryFileName[j] = szDependencyForFile[j]; - } - lstrcatW(szTryFileName, szFileName); - hFile = CreateFileW(szTryFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); - if(hFile != INVALID_HANDLE_VALUE) - { - EngineCloseHandle(hFile); - return(true); - } - } - } - return(false); -} -bool EngineGetDependencyLocation(char* szFileName, char* szDependencyForFile, void* szLocationOfTheFile, int MaxStringSize) -{ - - int i,j; - HANDLE hFile; - char szTryFileName[512] = {0}; - - if(szFileName != NULL) - { - hFile = CreateFileA(szFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); - if(hFile != INVALID_HANDLE_VALUE) - { - RtlZeroMemory(szLocationOfTheFile, MaxStringSize); - if(lstrlenA(szFileName) <= MaxStringSize) - { - RtlCopyMemory(szLocationOfTheFile, szFileName, lstrlenA(szFileName)); - } - EngineCloseHandle(hFile); - return(true); - } - if(GetSystemDirectoryA(szTryFileName, 512) > NULL) - { - lstrcatA(szTryFileName, "\\"); - lstrcatA(szTryFileName, szFileName); - 
hFile = CreateFileA(szTryFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); - if(hFile != INVALID_HANDLE_VALUE) - { - RtlZeroMemory(szLocationOfTheFile, MaxStringSize); - if(lstrlenA(szTryFileName) <= MaxStringSize) - { - RtlCopyMemory(szLocationOfTheFile, &szTryFileName, lstrlenA(szTryFileName)); - } - EngineCloseHandle(hFile); - return(true); - } - } - if(GetWindowsDirectoryA(szTryFileName, 512) > NULL) - { - lstrcatA(szTryFileName, "\\"); - lstrcatA(szTryFileName, szFileName); - hFile = CreateFileA(szTryFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); - if(hFile != INVALID_HANDLE_VALUE) - { - RtlZeroMemory(szLocationOfTheFile, MaxStringSize); - if(lstrlenA(szTryFileName) <= MaxStringSize) - { - RtlCopyMemory(szLocationOfTheFile, &szTryFileName, lstrlenA(szTryFileName)); - } - EngineCloseHandle(hFile); - return(true); - } - } - if(szDependencyForFile != NULL) - { - RtlZeroMemory(&szTryFileName, 512); - i = lstrlenA(szDependencyForFile); - while(i > 0 && szDependencyForFile[i] != 0x5C) - { - i--; - } - for(j = 0; j <= i; j++) - { - szTryFileName[j] = szDependencyForFile[j]; - } - lstrcatA(szTryFileName, szFileName); - hFile = CreateFileA(szTryFileName, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); - if(hFile != INVALID_HANDLE_VALUE) - { - RtlZeroMemory(szLocationOfTheFile, MaxStringSize); - if(lstrlenA(szTryFileName) <= MaxStringSize) - { - RtlCopyMemory(szLocationOfTheFile, &szTryFileName, lstrlenA(szTryFileName)); - } - EngineCloseHandle(hFile); - return(true); - } - } - } - return(false); -} -long EngineHashString(char* szStringToHash) -{ - - int i = NULL; - DWORD HashValue = NULL; - - if(szStringToHash != NULL) - { - for(i = 0; i < lstrlenA(szStringToHash); i++) - { - HashValue = (((HashValue << 7) | (HashValue >> (32 - 7))) ^ szStringToHash[i]); - } - } - return(HashValue); -} -long EngineHashMemory(char* MemoryAddress, int MemorySize, DWORD 
InitialHashValue) -{ - - int i = NULL; - DWORD HashValue = InitialHashValue; - - for(i = 0; i < MemorySize; i++) - { - if(MemoryAddress[i] != NULL) - { - HashValue = (((HashValue << 7) | (HashValue >> (32 - 7))) ^ MemoryAddress[i]); - } - } - return(HashValue); -} -bool EngineIsBadReadPtrEx(LPVOID DataPointer, DWORD DataSize) -{ - - MEMORY_BASIC_INFORMATION MemInfo = {0}; - - while(DataSize > NULL) - { - VirtualQuery(DataPointer, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); - if(MemInfo.AllocationProtect == MEM_FREE || MemInfo.AllocationProtect == MEM_PRIVATE) - { - return(false); - } - DataPointer = (LPVOID)((ULONG_PTR)DataPointer + MemInfo.RegionSize); - if(MemInfo.RegionSize > DataSize) - { - DataSize = NULL; - } - else - { - DataSize = DataSize - (DWORD)MemInfo.RegionSize; - } - } - return(true); -} -bool EngineValidateResource(HMODULE hModule, LPCTSTR lpszType, LPTSTR lpszName, LONG_PTR lParam) -{ - - HRSRC hResource; - HGLOBAL hResourceGlobal; - DWORD ResourceSize; - LPVOID ResourceData; - BYTE ReturnData = UE_FIELD_FIXABLE_CRITICAL; - - hResource = FindResourceA(hModule, (LPCSTR)lpszName, (LPCSTR)lpszType); - if(hResource != NULL) - { - hResourceGlobal = LoadResource(hModule, hResource); - if(hResourceGlobal != NULL) - { - ResourceSize = SizeofResource(hModule, hResource); - ResourceData = LockResource(hResourceGlobal); - if(ResourceData != NULL) - { - if(!EngineIsBadReadPtrEx(ResourceData, ResourceSize)) - { - *((LONG*)lParam) = ReturnData; - return(false); - } - } - else - { - *((LONG*)lParam) = ReturnData; - return(false); - } - } - return(true); - } - - *((LONG*)lParam) = ReturnData; - return(false); -} -bool EngineValidateHeader(ULONG_PTR FileMapVA, HANDLE hFileProc, LPVOID ImageBase, PIMAGE_DOS_HEADER DOSHeader, bool IsFile) -{ - - MODULEINFO ModuleInfo; - DWORD MemorySize = NULL; - PIMAGE_NT_HEADERS32 PEHeader32; - IMAGE_NT_HEADERS32 RemotePEHeader32; - MEMORY_BASIC_INFORMATION MemoryInfo= {0}; - ULONG_PTR NumberOfBytesRW = NULL; - - if(IsFile) - { - 
if(hFileProc == NULL) - { - VirtualQueryEx(GetCurrentProcess(), (LPVOID)FileMapVA, &MemoryInfo, sizeof MEMORY_BASIC_INFORMATION); - VirtualQueryEx(GetCurrentProcess(), MemoryInfo.AllocationBase, &MemoryInfo, sizeof MEMORY_BASIC_INFORMATION); - MemorySize = (DWORD)((ULONG_PTR)MemoryInfo.AllocationBase + (ULONG_PTR)MemoryInfo.RegionSize - (ULONG_PTR)FileMapVA); - } - else - { - MemorySize = GetFileSize(hFileProc, NULL); - } - __try - { - if(DOSHeader->e_magic == 0x5A4D) - { - if(DOSHeader->e_lfanew + sizeof IMAGE_DOS_HEADER + sizeof(IMAGE_NT_HEADERS64) < MemorySize) - { - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - if(PEHeader32->Signature != 0x4550) - { - return(false); - } - else - { - return(true); - } - } - else - { - return(false); - } - } - else - { - return(false); - } - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - return(false); - } - } - else - { - RtlZeroMemory(&ModuleInfo, sizeof MODULEINFO); - GetModuleInformation(hFileProc, (HMODULE)ImageBase, &ModuleInfo, sizeof MODULEINFO); - __try - { - if(DOSHeader->e_magic == 0x5A4D) - { - if(DOSHeader->e_lfanew + sizeof IMAGE_DOS_HEADER + sizeof(IMAGE_NT_HEADERS64) < ModuleInfo.SizeOfImage) - { - if(ReadProcessMemory(hFileProc, (LPVOID)((ULONG_PTR)ImageBase + DOSHeader->e_lfanew), &RemotePEHeader32, sizeof IMAGE_NT_HEADERS32, &NumberOfBytesRW)) - { - PEHeader32 = (PIMAGE_NT_HEADERS32)(&RemotePEHeader32); - if(PEHeader32->Signature != 0x4550) - { - return(false); - } - else - { - return(true); - } - } - else - { - return(false); - } - } - else - { - return(false); - } - } - else - { - return(false); - } - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - return(false); - } - } -} -long long EngineSimulateNtLoaderW(wchar_t* szFileName) -{ - - DWORD PeHeaderSize; - LPVOID AllocatedFile; - PIMAGE_DOS_HEADER DOSHeader; - PIMAGE_NT_HEADERS32 PEHeader32; - PIMAGE_NT_HEADERS64 PEHeader64; - PIMAGE_SECTION_HEADER PESections; - DWORD SectionNumber = 0; - DWORD SectionRawOffset = 0; - DWORD 
SectionRawSize = 0; - BOOL FileIs64; - HANDLE FileHandle; - DWORD FileSize; - HANDLE FileMap; - ULONG_PTR FileMapVA; - - if(MapFileExW(szFileName, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) - { - DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; - if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true)) - { - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - if(PEHeader32->OptionalHeader.Magic == 0x10B) - { - FileIs64 = false; - } - else if(PEHeader32->OptionalHeader.Magic == 0x20B) - { - FileIs64 = true; - } - else - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(NULL); - } - if(!FileIs64) - { - AllocatedFile = VirtualAlloc(NULL, PEHeader32->OptionalHeader.SizeOfImage, MEM_COMMIT, PAGE_READWRITE); - __try - { - PeHeaderSize = DOSHeader->e_lfanew + PEHeader32->FileHeader.SizeOfOptionalHeader + (sizeof(IMAGE_SECTION_HEADER) * PEHeader32->FileHeader.NumberOfSections) + sizeof(IMAGE_FILE_HEADER) + 4; - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader32 + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - SectionNumber = PEHeader32->FileHeader.NumberOfSections; - RtlCopyMemory(AllocatedFile, (LPVOID)FileMapVA, PeHeaderSize); - while(SectionNumber > 0) - { - RtlCopyMemory((LPVOID)((ULONG_PTR)AllocatedFile + PESections->VirtualAddress), (LPVOID)(FileMapVA + PESections->PointerToRawData), PESections->SizeOfRawData); - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); - SectionNumber--; - } - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - VirtualFree(AllocatedFile, NULL, MEM_RELEASE); - AllocatedFile = NULL; - } - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return((ULONG_PTR)AllocatedFile); - } - else - { - AllocatedFile = VirtualAlloc(NULL, PEHeader64->OptionalHeader.SizeOfImage, MEM_COMMIT, PAGE_READWRITE); - __try - { 
- PeHeaderSize = DOSHeader->e_lfanew + PEHeader64->FileHeader.SizeOfOptionalHeader + (sizeof(IMAGE_SECTION_HEADER) * PEHeader64->FileHeader.NumberOfSections) + sizeof(IMAGE_FILE_HEADER) + 4; - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PEHeader64 + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); - SectionNumber = PEHeader64->FileHeader.NumberOfSections; - RtlCopyMemory(AllocatedFile, (LPVOID)FileMapVA, PeHeaderSize); - while(SectionNumber > 0) - { - RtlCopyMemory((LPVOID)((ULONG_PTR)AllocatedFile + PESections->VirtualAddress), (LPVOID)(FileMapVA + PESections->PointerToRawData), PESections->SizeOfRawData); - PESections = (PIMAGE_SECTION_HEADER)((ULONG_PTR)PESections + IMAGE_SIZEOF_SECTION_HEADER); - SectionNumber--; - } - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - VirtualFree(AllocatedFile, NULL, MEM_RELEASE); - AllocatedFile = NULL; - } - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return((ULONG_PTR)AllocatedFile); - } - } - else - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(NULL); - } - } - return(NULL); -} -long long EngineSimulateNtLoader(char* szFileName) -{ - - wchar_t uniFileName[MAX_PATH] = {}; - - if(szFileName != NULL) - { - MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName)+1, uniFileName, sizeof(uniFileName)/(sizeof(uniFileName[0]))); - return(EngineSimulateNtLoaderW(uniFileName)); - } - else - { - return(NULL); - } -} -long long EngineSimulateDllLoader(HANDLE hProcess, char* szFileName) -{ - - int n; - BOOL FileIs64; - DWORD FileSize; - HANDLE FileMap; - ULONG_PTR FileMapVA; - HANDLE FileHandle; - LPVOID DLLMemory = NULL; - DWORD ExportDelta = NULL; - DWORD PEHeaderSize = NULL; - PIMAGE_DOS_HEADER DOSHeader; - PIMAGE_NT_HEADERS32 PEHeader32; - PIMAGE_NT_HEADERS64 PEHeader64; - PIMAGE_EXPORT_DIRECTORY PEExports; - PEXPORTED_DATA ExportedFunctionNames; - ULONG_PTR ConvertedExport = NULL; - char szFileRemoteProc[1024]= {0}; - char szDLLFileLocation[512]= {0}; - char* 
szTranslatedProcName=0; - - GetProcessImageFileNameA(hProcess, szFileRemoteProc, sizeof(szFileRemoteProc)); - szTranslatedProcName = (char*)TranslateNativeName(szFileRemoteProc); - if(EngineIsDependencyPresent(szFileName, NULL, NULL)) - { - if(EngineGetDependencyLocation(szFileName, szTranslatedProcName, &szDLLFileLocation, sizeof(szDLLFileLocation))) - { - VirtualFree((void*)szTranslatedProcName, NULL, MEM_RELEASE); - if(MapFileEx(szDLLFileLocation, UE_ACCESS_READ, &FileHandle, &FileSize, &FileMap, &FileMapVA, NULL)) - { - DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; - if(EngineValidateHeader(FileMapVA, FileHandle, NULL, DOSHeader, true)) - { - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - if(PEHeader32->OptionalHeader.Magic == 0x10B) - { - PEHeaderSize = PEHeader32->FileHeader.NumberOfSections * IMAGE_SIZEOF_SECTION_HEADER + PEHeader32->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4; - FileIs64 = false; - } - else if(PEHeader32->OptionalHeader.Magic == 0x20B) - { - PEHeaderSize = PEHeader64->FileHeader.NumberOfSections * IMAGE_SIZEOF_SECTION_HEADER + PEHeader64->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4; - FileIs64 = true; - } - else - { - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return(NULL); - } - if(!FileIs64) - { - if(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress != NULL) - { - DLLMemory = VirtualAlloc(NULL, DOSHeader->e_lfanew + PEHeaderSize + PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size + 0x1000, MEM_COMMIT, PAGE_READWRITE); - if(DLLMemory != NULL) - { - __try - { - if((DOSHeader->e_lfanew + PEHeaderSize) % 0x1000 != 0) - { - ExportDelta = (((DOSHeader->e_lfanew + PEHeaderSize) / 0x1000) + 1) * 0x1000; - } - else - { - ExportDelta = ((DOSHeader->e_lfanew + PEHeaderSize) / 0x1000) * 0x1000; - } - ConvertedExport = 
(ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, PEHeader32->OptionalHeader.ImageBase, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress, true, true); - if(ConvertedExport != NULL) - { - PEExports = (PIMAGE_EXPORT_DIRECTORY)((ULONG_PTR)DLLMemory + ExportDelta); - RtlCopyMemory(DLLMemory, (LPVOID)FileMapVA, PEHeaderSize + DOSHeader->e_lfanew); - RtlCopyMemory((LPVOID)((ULONG_PTR)DLLMemory + ExportDelta), (LPVOID)ConvertedExport, PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size); - PEExports->AddressOfFunctions = PEExports->AddressOfFunctions - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + ExportDelta; - PEExports->AddressOfNameOrdinals = PEExports->AddressOfNameOrdinals - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + ExportDelta; - PEExports->AddressOfNames = PEExports->AddressOfNames - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + ExportDelta; - PEExports->Name = PEExports->Name - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + ExportDelta; - ExportedFunctionNames = (PEXPORTED_DATA)(PEExports->AddressOfNames + (ULONG_PTR)DLLMemory); - for(n = 0; n < (int)PEExports->NumberOfNames; n++) - { - ExportedFunctionNames->ExportedItem = ExportedFunctionNames->ExportedItem - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + ExportDelta; - ExportedFunctionNames = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctionNames + 4); - } - DOSHeader = (PIMAGE_DOS_HEADER)DLLMemory; - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress = ExportDelta; - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return((ULONG_PTR)DLLMemory); - } - else - { - VirtualFree(DLLMemory, NULL, MEM_RELEASE); - } - } - 
__except(EXCEPTION_EXECUTE_HANDLER) - { - VirtualFree(DLLMemory, NULL, MEM_RELEASE); - } - } - } - } - else - { - if(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress != NULL) - { - DLLMemory = VirtualAlloc(NULL, DOSHeader->e_lfanew + PEHeaderSize + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size + 0x1000, MEM_COMMIT, PAGE_READWRITE); - if(DLLMemory != NULL) - { - __try - { - if((DOSHeader->e_lfanew + PEHeaderSize) % 0x1000 != 0) - { - ExportDelta = (((DOSHeader->e_lfanew + PEHeaderSize) % 0x1000) + 1) * 0x1000; - } - else - { - ExportDelta = ((DOSHeader->e_lfanew + PEHeaderSize) % 0x1000) * 0x1000; - } - ConvertedExport = (ULONG_PTR)ConvertVAtoFileOffsetEx(FileMapVA, FileSize, (ULONG_PTR)PEHeader64->OptionalHeader.ImageBase, PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress, true, true); - if(ConvertedExport != NULL) - { - PEExports = (PIMAGE_EXPORT_DIRECTORY)((ULONG_PTR)DLLMemory + ExportDelta); - RtlCopyMemory(DLLMemory, (LPVOID)FileMapVA, PEHeaderSize + PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size); - RtlCopyMemory((LPVOID)((ULONG_PTR)DLLMemory + ExportDelta), (LPVOID)ConvertedExport, PEHeaderSize + DOSHeader->e_lfanew); - PEExports->AddressOfFunctions = PEExports->AddressOfFunctions - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + ExportDelta; - PEExports->AddressOfNameOrdinals = PEExports->AddressOfNameOrdinals - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + ExportDelta; - PEExports->AddressOfNames = PEExports->AddressOfNames - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + ExportDelta; - PEExports->Name = PEExports->Name - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + ExportDelta; - ExportedFunctionNames = (PEXPORTED_DATA)(PEExports->AddressOfNames + 
(ULONG_PTR)DLLMemory); - for(n = 0; n < (int)PEExports->NumberOfNames; n++) - { - ExportedFunctionNames->ExportedItem = ExportedFunctionNames->ExportedItem - PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + ExportDelta; - ExportedFunctionNames = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctionNames + 4); - } - DOSHeader = (PIMAGE_DOS_HEADER)DLLMemory; - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress = ExportDelta; - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - return((ULONG_PTR)DLLMemory); - } - else - { - VirtualFree(DLLMemory, NULL, MEM_RELEASE); - } - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - VirtualFree(DLLMemory, NULL, MEM_RELEASE); - } - } - } - } - UnMapFileEx(FileHandle, FileSize, FileMap, FileMapVA); - } - } - } - } - VirtualFree((void*)szTranslatedProcName, NULL, MEM_RELEASE); - return(NULL); -} -long long EngineGetProcAddress(ULONG_PTR ModuleBase, char* szAPIName) -{ - - int i = 0; - int j = 0; - ULONG_PTR APIFoundAddress = 0; - PIMAGE_DOS_HEADER DOSHeader; - PIMAGE_NT_HEADERS32 PEHeader32; - PIMAGE_NT_HEADERS64 PEHeader64; - PIMAGE_EXPORT_DIRECTORY PEExports; - PEXPORTED_DATA ExportedFunctions; - PEXPORTED_DATA ExportedFunctionNames; - PEXPORTED_DATA_WORD ExportedFunctionOrdinals; - char szModuleName[MAX_PATH] = {}; - bool FileIs64 = false; - - if(GetModuleFileNameA((HMODULE)ModuleBase, szModuleName, MAX_PATH) == NULL) - { - __try - { - DOSHeader = (PIMAGE_DOS_HEADER)ModuleBase; - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - if(PEHeader32->OptionalHeader.Magic == 0x10B) - { - FileIs64 = false; - } - else if(PEHeader32->OptionalHeader.Magic == 0x20B) - { - FileIs64 = true; - } - else - { - return(NULL); - } - if(!FileIs64) - { - PEExports = 
(PIMAGE_EXPORT_DIRECTORY)(ModuleBase + (ULONG_PTR)PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); - ExportedFunctions = (PEXPORTED_DATA)(ModuleBase + (ULONG_PTR)PEExports->AddressOfFunctions); - ExportedFunctionNames = (PEXPORTED_DATA)(ModuleBase + (ULONG_PTR)PEExports->AddressOfNames); - ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)(ModuleBase + (ULONG_PTR)PEExports->AddressOfNameOrdinals); - } - else - { - PEExports = (PIMAGE_EXPORT_DIRECTORY)(ModuleBase + (ULONG_PTR)PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); - ExportedFunctions = (PEXPORTED_DATA)(ModuleBase + (ULONG_PTR)PEExports->AddressOfFunctions); - ExportedFunctionNames = (PEXPORTED_DATA)(ModuleBase + (ULONG_PTR)PEExports->AddressOfNames); - ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)(ModuleBase + (ULONG_PTR)PEExports->AddressOfNameOrdinals); - } - for(j = 0; j < (int)PEExports->NumberOfNames; j++) - { - if(lstrcmpiA((LPCSTR)szAPIName, (LPCSTR)(ModuleBase + (ULONG_PTR)ExportedFunctionNames->ExportedItem)) == NULL) - { - ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)((ULONG_PTR)ExportedFunctionOrdinals + j * 2); - ExportedFunctions = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctions + (ExportedFunctionOrdinals->OrdinalNumber) * 4); - APIFoundAddress = ExportedFunctions->ExportedItem + (ULONG_PTR)ModuleBase; - return((ULONG_PTR)APIFoundAddress); - } - ExportedFunctionNames = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctionNames + 4); - } - return(NULL); - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - return(NULL); - } - } - else - { - return((ULONG_PTR)GetProcAddress((HMODULE)ModuleBase, szAPIName)); - } -} -bool EngineGetLibraryOrdinalData(ULONG_PTR ModuleBase, LPDWORD ptrOrdinalBase, LPDWORD ptrOrdinalCount) -{ - - PIMAGE_DOS_HEADER DOSHeader; - PIMAGE_NT_HEADERS32 PEHeader32; - PIMAGE_NT_HEADERS64 PEHeader64; - PIMAGE_EXPORT_DIRECTORY PEExports; - bool FileIs64 = false; - - __try - { - DOSHeader = 
(PIMAGE_DOS_HEADER)ModuleBase; - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - if(PEHeader32->OptionalHeader.Magic == 0x10B) - { - FileIs64 = false; - } - else if(PEHeader32->OptionalHeader.Magic == 0x20B) - { - FileIs64 = true; - } - else - { - return(false); - } - if(!FileIs64) - { - PEExports = (PIMAGE_EXPORT_DIRECTORY)(ModuleBase + (ULONG_PTR)PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); - *ptrOrdinalBase = PEExports->Base; - *ptrOrdinalCount = PEExports->NumberOfNames; - } - else - { - PEExports = (PIMAGE_EXPORT_DIRECTORY)(ModuleBase + (ULONG_PTR)PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress); - *ptrOrdinalBase = PEExports->Base; - *ptrOrdinalCount = PEExports->NumberOfNames; - } - return(true); - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - return(false); - } - return(false); -} -long long EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBases, ULONG_PTR APIAddress, char* szAPIName, DWORD ReturnType) -{ - - unsigned int i = 0; - unsigned int j = 0; - unsigned int n = 0; - unsigned int x = 0; - unsigned int y = 0; - unsigned int z = 0; - DWORD Dummy = NULL; - HANDLE hProcess = NULL; - ULONG_PTR EnumeratedModules[0x2000]; - ULONG_PTR LoadedModules[1000][4]; - char RemoteDLLName[MAX_PATH]= {0}; - char FullRemoteDLLName[MAX_PATH]= {0}; - char szWindowsSideBySide[MAX_PATH]= {0}; - char szWindowsSideBySideCmp[MAX_PATH]= {0}; - char szWindowsKernelBase[MAX_PATH]= {0}; - HANDLE hLoadedModule = NULL; - HANDLE ModuleHandle = NULL; - PIMAGE_DOS_HEADER DOSHeader; - PIMAGE_NT_HEADERS32 PEHeader32; - PIMAGE_NT_HEADERS64 PEHeader64; - PIMAGE_EXPORT_DIRECTORY PEExports; - PEXPORTED_DATA ExportedFunctions; - PEXPORTED_DATA ExportedFunctionNames; - PEXPORTED_DATA_WORD ExportedFunctionOrdinals; - ULONG_PTR APIFoundAddress = NULL; - MODULEINFO RemoteModuleInfo; - 
bool ValidateHeader = false; - bool FileIs64 = false; - bool APINameFound = false; - bool SkipModule = false; - unsigned int FoundIndex = 0; - unsigned int FoundOrdinalNumber = 0; - ULONG_PTR FileMapVA; - char szFwdDLLName[512] = {0}; - char szFwdAPIName[512] = {0}; - ULONG_PTR RealignedAPIAddress; - ULONG_PTR ForwarderData = NULL; - unsigned int ClosestAPI = 0x1000; - int Vista64UserForwarderFix = 0; - unsigned int Windows7KernelBase = 0xFFFFFFFF; - - RtlZeroMemory(&engineFoundDLLName, sizeof(szFwdDLLName)); - RtlZeroMemory(&EnumeratedModules, 0x2000 * sizeof ULONG_PTR); - RtlZeroMemory(&LoadedModules, 1000 * 4 * sizeof ULONG_PTR); - GetWindowsDirectoryA(szWindowsSideBySide, MAX_PATH); - lstrcpyA(szWindowsKernelBase, szWindowsSideBySide); - lstrcatA(szWindowsSideBySide, "\\WinSxS"); - if(EnumedModulesBases != NULL) - { - RtlMoveMemory(&EnumeratedModules, (LPVOID)EnumedModulesBases, 0x1000); - i--; - } - if(handleProcess == NULL) - { - if(dbgProcessInformation.hProcess == NULL) - { - hProcess = GetCurrentProcess(); - } - else - { - hProcess = dbgProcessInformation.hProcess; - } - } - else - { - hProcess = handleProcess; - } - if(EnumedModulesBases != NULL || EnumProcessModules(hProcess, (HMODULE*)EnumeratedModules, 0x2000, &Dummy)) - { - i++; - z = i; - y = i; - while(EnumeratedModules[y] != NULL) - { - // Vista x64 fix - if(Vista64UserForwarderFix == NULL) - { - GetModuleBaseNameA(hProcess, (HMODULE)EnumeratedModules[y], (LPSTR)RemoteDLLName, MAX_PATH); - if(!lstrcmpiA(RemoteDLLName, "user32.dll")) - Vista64UserForwarderFix = y; - //NOTE: this code is used to ignore all APIs inside kernelbase.dll - else if(!lstrcmpiA(RemoteDLLName, "kernelbase.dll")) - { - GetModuleFileNameExA(hProcess, (HMODULE)EnumeratedModules[y], (LPSTR)RemoteDLLName, MAX_PATH); - RemoteDLLName[lstrlenA(szWindowsKernelBase)] = 0x00; - if(lstrcmpiA(RemoteDLLName, szWindowsKernelBase) == NULL) - { - Windows7KernelBase = y; - } - } - } - y++; - } - while(APINameFound == false && 
EnumeratedModules[i] != NULL) - { - //NOTE: un-comment when kernelbase should be ignored - /*if(i == Windows7KernelBase) - { - i++; - if(EnumeratedModules[i] == NULL) - { - break; - } - }*/ - ValidateHeader = false; - RtlZeroMemory(&RemoteDLLName, MAX_PATH); - GetModuleFileNameExA(hProcess, (HMODULE)EnumeratedModules[i], (LPSTR)RemoteDLLName, MAX_PATH); - lstrcpyA(FullRemoteDLLName, RemoteDLLName); - RtlZeroMemory(&szWindowsSideBySideCmp, MAX_PATH); - RtlCopyMemory(&szWindowsSideBySideCmp, FullRemoteDLLName, lstrlenA(szWindowsSideBySide)); - if(GetModuleHandleA(RemoteDLLName) == NULL) - { - RtlZeroMemory(&RemoteDLLName, MAX_PATH); - GetModuleBaseNameA(hProcess, (HMODULE)EnumeratedModules[i], (LPSTR)RemoteDLLName, MAX_PATH); - if(GetModuleHandleA(RemoteDLLName) == NULL || lstrcmpiA(szWindowsSideBySideCmp, szWindowsSideBySide) == NULL) - { - if(engineAlowModuleLoading) - { - hLoadedModule = LoadLibraryA(FullRemoteDLLName); - if(hLoadedModule != NULL) - { - LoadedModules[i][0] = EnumeratedModules[i]; - LoadedModules[i][1] = (ULONG_PTR)hLoadedModule; - LoadedModules[i][2] = 1; - } - } - else - { - hLoadedModule = (HANDLE)EngineSimulateDllLoader(hProcess, FullRemoteDLLName); - if(hLoadedModule != NULL) - { - LoadedModules[i][0] = EnumeratedModules[i]; - LoadedModules[i][1] = (ULONG_PTR)hLoadedModule; - LoadedModules[i][2] = 1; - ValidateHeader = true; - } - } - } - else - { - LoadedModules[i][0] = EnumeratedModules[i]; - LoadedModules[i][1] = (ULONG_PTR)GetModuleHandleA(RemoteDLLName); - LoadedModules[i][2] = 0; - } - } - else - { - LoadedModules[i][0] = EnumeratedModules[i]; - LoadedModules[i][1] = (ULONG_PTR)GetModuleHandleA(RemoteDLLName); - LoadedModules[i][2] = 0; - } - - - if(ReturnType != UE_OPTION_IMPORTER_RETURN_FORWARDER_DLLNAME && ReturnType != UE_OPTION_IMPORTER_RETURN_FORWARDER_DLLINDEX && ReturnType != UE_OPTION_IMPORTER_RETURN_FORWARDER_APINAME) - { - if(szAPIName == NULL && ReturnType == UE_OPTION_IMPORTER_REALIGN_APIADDRESS) - { - 
RtlZeroMemory(&RemoteModuleInfo, sizeof MODULEINFO); - //GetModuleInformation(GetCurrentProcess(), (HMODULE)LoadedModules[i][1], &RemoteModuleInfo, sizeof MODULEINFO); - GetModuleInformation(hProcess, (HMODULE)LoadedModules[i][0], &RemoteModuleInfo, sizeof MODULEINFO); - if(APIAddress >= LoadedModules[i][1] && APIAddress <= LoadedModules[i][1] + RemoteModuleInfo.SizeOfImage) - { - GetModuleBaseNameA(hProcess, (HMODULE)LoadedModules[i][0], (LPSTR)engineFoundDLLName, 512); - APIFoundAddress = (ULONG_PTR)(APIAddress - LoadedModules[i][1] + LoadedModules[i][0]); - APINameFound = true; - FoundIndex = i; - break; - } - } - else if(szAPIName == NULL && ReturnType == UE_OPTION_IMPORTER_REALIGN_LOCAL_APIADDRESS) - { - RtlZeroMemory(&RemoteModuleInfo, sizeof MODULEINFO); - GetModuleInformation(hProcess, (HMODULE)LoadedModules[i][0], &RemoteModuleInfo, sizeof MODULEINFO); - if(APIAddress >= LoadedModules[i][0] && APIAddress <= LoadedModules[i][0] + RemoteModuleInfo.SizeOfImage) - { - GetModuleBaseNameA(hProcess, (HMODULE)LoadedModules[i][0], (LPSTR)engineFoundDLLName, 512); - APIFoundAddress = (ULONG_PTR)(APIAddress - LoadedModules[i][0] + LoadedModules[i][1]); - APINameFound = true; - FoundIndex = i; - break; - } - } - else if(szAPIName == NULL && ReturnType == UE_OPTION_IMPORTER_RETURN_DLLBASE) - { - if(APIAddress == LoadedModules[i][1]) - { - APIFoundAddress = LoadedModules[i][0]; - APINameFound = true; - FoundIndex = i; - break; - } - } - else if(ReturnType == UE_OPTION_IMPORTER_RETURN_NEAREST_APIADDRESS || ReturnType == UE_OPTION_IMPORTER_RETURN_NEAREST_APINAME) - { - RtlZeroMemory(&RemoteModuleInfo, sizeof MODULEINFO); - GetModuleInformation(hProcess, (HMODULE)LoadedModules[i][0], &RemoteModuleInfo, sizeof MODULEINFO); - if(APIAddress >= LoadedModules[i][0] && APIAddress <= LoadedModules[i][0] + RemoteModuleInfo.SizeOfImage) - { - DOSHeader = (PIMAGE_DOS_HEADER)LoadedModules[i][1]; - if(ValidateHeader || EngineValidateHeader((ULONG_PTR)LoadedModules[i][1], 
GetCurrentProcess(), RemoteModuleInfo.lpBaseOfDll, DOSHeader, false)) - { - __try - { - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - if(PEHeader32->OptionalHeader.Magic == 0x10B) - { - FileIs64 = false; - } - else if(PEHeader32->OptionalHeader.Magic == 0x20B) - { - FileIs64 = true; - } - else - { - return(NULL); - } - if(!FileIs64) - { - PEExports = (PIMAGE_EXPORT_DIRECTORY)(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + LoadedModules[i][1]); - ExportedFunctions = (PEXPORTED_DATA)(PEExports->AddressOfFunctions + LoadedModules[i][1]); - } - else - { - PEExports = (PIMAGE_EXPORT_DIRECTORY)(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + LoadedModules[i][1]); - ExportedFunctions = (PEXPORTED_DATA)(PEExports->AddressOfFunctions + LoadedModules[i][1]); - } - for(n = 0; n < PEExports->NumberOfFunctions; n++) //NumberOfNames - { - if(APIAddress - (ExportedFunctions->ExportedItem + LoadedModules[i][0]) < ClosestAPI) - { - ClosestAPI = (unsigned int)(APIAddress - (ExportedFunctions->ExportedItem + LoadedModules[i][0])); - ExportedFunctionNames = (PEXPORTED_DATA)(PEExports->AddressOfNames + LoadedModules[i][1]); - ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)(PEExports->AddressOfNameOrdinals + LoadedModules[i][1]); - GetModuleBaseNameA(hProcess, (HMODULE)LoadedModules[i][0], (LPSTR)engineFoundDLLName, 512); - RtlZeroMemory(&engineFoundAPIName, sizeof(engineFoundAPIName)); - x = n; - FoundOrdinalNumber = (unsigned int)PEExports->Base; - for(j = 0; j < PEExports->NumberOfNames; j++) - { - if(ExportedFunctionOrdinals->OrdinalNumber != x) - { - ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)((ULONG_PTR)ExportedFunctionOrdinals + 2); - } - else - { - FoundOrdinalNumber = FoundOrdinalNumber + (unsigned int)ExportedFunctionOrdinals->OrdinalNumber; - break; - } - } - 
ExportedFunctionNames = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctionNames + j * 4); - if(EngineIsPointedMemoryString((ULONG_PTR)(ExportedFunctionNames->ExportedItem + LoadedModules[i][1]))) - { - lstrcpyA((LPSTR)engineFoundAPIName, (LPCSTR)(ExportedFunctionNames->ExportedItem + LoadedModules[i][1])); - } - APIFoundAddress = ExportedFunctions->ExportedItem + LoadedModules[i][0]; - APINameFound = true; - FoundIndex = i; - } - ExportedFunctions = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctions + 4); - } - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - ClosestAPI = 0x1000; - APINameFound = false; - } - } - } - } - - if((ReturnType == UE_OPTION_IMPORTER_RETURN_API_ORDINAL_NUMBER || (ReturnType > UE_OPTION_IMPORTER_REALIGN_APIADDRESS && ReturnType < UE_OPTION_IMPORTER_RETURN_FORWARDER_DLLNAME)) && ReturnType != UE_OPTION_IMPORTER_RETURN_DLLBASE && LoadedModules[i][1] != NULL) - { - RtlZeroMemory(&RemoteModuleInfo, sizeof MODULEINFO); - DOSHeader = (PIMAGE_DOS_HEADER)LoadedModules[i][1]; - //GetModuleInformation(GetCurrentProcess(), (HMODULE)LoadedModules[i][1], &RemoteModuleInfo, sizeof MODULEINFO); - GetModuleInformation(hProcess, (HMODULE)LoadedModules[i][0], &RemoteModuleInfo, sizeof MODULEINFO); - if(APIAddress >= LoadedModules[i][0] && APIAddress <= LoadedModules[i][0] + RemoteModuleInfo.SizeOfImage) - { - if(ValidateHeader || EngineValidateHeader((ULONG_PTR)LoadedModules[i][1], GetCurrentProcess(), RemoteModuleInfo.lpBaseOfDll, DOSHeader, false)) - { - __try - { - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - if(PEHeader32->OptionalHeader.Magic == 0x10B) - { - FileIs64 = false; - } - else if(PEHeader32->OptionalHeader.Magic == 0x20B) - { - FileIs64 = true; - } - else - { - return(NULL); - } - if(!FileIs64) - { - PEExports = (PIMAGE_EXPORT_DIRECTORY)(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + 
LoadedModules[i][1]); - ExportedFunctions = (PEXPORTED_DATA)(PEExports->AddressOfFunctions + LoadedModules[i][1]); - ExportedFunctionNames = (PEXPORTED_DATA)(PEExports->AddressOfNames + LoadedModules[i][1]); - ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)(PEExports->AddressOfNameOrdinals + LoadedModules[i][1]); - } - else - { - PEExports = (PIMAGE_EXPORT_DIRECTORY)(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + LoadedModules[i][1]); - ExportedFunctions = (PEXPORTED_DATA)(PEExports->AddressOfFunctions + LoadedModules[i][1]); - ExportedFunctionNames = (PEXPORTED_DATA)(PEExports->AddressOfNames + LoadedModules[i][1]); - ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)(PEExports->AddressOfNameOrdinals + LoadedModules[i][1]); - } - if(ReturnType == UE_OPTION_IMPORTER_RETURN_APINAME || ReturnType == UE_OPTION_IMPORTER_RETURN_DLLNAME || ReturnType == UE_OPTION_IMPORTER_RETURN_DLLINDEX || ReturnType == UE_OPTION_IMPORTER_RETURN_API_ORDINAL_NUMBER) - { - for(j = 0; j < PEExports->NumberOfFunctions; j++) //NumberOfNames - { - if(ExportedFunctions->ExportedItem + LoadedModules[i][0] == APIAddress) - { - GetModuleBaseNameA(hProcess, (HMODULE)LoadedModules[i][0], (LPSTR)engineFoundDLLName, 512); - RtlZeroMemory(&engineFoundAPIName, sizeof(engineFoundAPIName)); - x = j; - FoundOrdinalNumber = (unsigned int)PEExports->Base; - for(j = 0; j < PEExports->NumberOfNames; j++) - { - if(ExportedFunctionOrdinals->OrdinalNumber != x) - { - ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)((ULONG_PTR)ExportedFunctionOrdinals + 2); - } - else - { - FoundOrdinalNumber = FoundOrdinalNumber + (unsigned int)ExportedFunctionOrdinals->OrdinalNumber; - break; - } - } - ExportedFunctionNames = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctionNames + j * 4); - if(EngineIsPointedMemoryString((ULONG_PTR)(ExportedFunctionNames->ExportedItem + LoadedModules[i][1]))) - { - lstrcpyA((LPSTR)engineFoundAPIName, (LPCSTR)(ExportedFunctionNames->ExportedItem + 
LoadedModules[i][1])); - } - APINameFound = true; - FoundIndex = i; - break; - } - ExportedFunctions = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctions + 4); - } - } - else if(ReturnType == UE_OPTION_IMPORTER_RETURN_APIADDRESS) - { - for(j = 0; j < PEExports->NumberOfFunctions; j++) //NumberOfNames - { - if(lstrcmpiA((LPCSTR)szAPIName, (LPCSTR)(ExportedFunctionNames->ExportedItem + LoadedModules[i][1])) == NULL) - { - ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)((ULONG_PTR)ExportedFunctionOrdinals + j * 2); - ExportedFunctions = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctions + (ExportedFunctionOrdinals->OrdinalNumber) * 4); - GetModuleBaseNameA(hProcess, (HMODULE)LoadedModules[i][0], (LPSTR)engineFoundDLLName, 512); - RtlZeroMemory(&engineFoundAPIName, sizeof(engineFoundAPIName)); - ExportedFunctions = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctions + (j + PEExports->Base) * 4); - APIFoundAddress = ExportedFunctions->ExportedItem + LoadedModules[i][0]; - APINameFound = true; - FoundIndex = i; - break; - } - ExportedFunctionNames = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctionNames + 4); - } - } - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - RtlZeroMemory(&engineFoundAPIName, sizeof(engineFoundAPIName)); - APINameFound = false; - } - } - } - } - } - i++; - } - - if(ReturnType == UE_OPTION_IMPORTER_RETURN_FORWARDER_DLLNAME || ReturnType == UE_OPTION_IMPORTER_RETURN_FORWARDER_APINAME || ReturnType == UE_OPTION_IMPORTER_RETURN_FORWARDER_DLLINDEX || ReturnType == UE_OPTION_IMPORTER_RETURN_FORWARDER_API_ORDINAL_NUMBER) - { - RealignedAPIAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, APIAddress, NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS); - if(z <= 1) - { - z = 2; - } - for(i = y; i >= z; i--) - { - FileMapVA = LoadedModules[i][1]; - if(FileMapVA != NULL) - { - DOSHeader = (PIMAGE_DOS_HEADER)FileMapVA; - RtlZeroMemory(&RemoteModuleInfo, sizeof MODULEINFO); - //GetModuleInformation(GetCurrentProcess(), (HMODULE)LoadedModules[i][1], &RemoteModuleInfo, sizeof 
MODULEINFO); - GetModuleInformation(hProcess, (HMODULE)LoadedModules[i][0], &RemoteModuleInfo, sizeof MODULEINFO); - if(ValidateHeader || EngineValidateHeader((ULONG_PTR)LoadedModules[i][1], GetCurrentProcess(), RemoteModuleInfo.lpBaseOfDll, DOSHeader, false)) - { - __try - { - PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew); - if(PEHeader32->OptionalHeader.Magic == 0x10B) - { - FileIs64 = false; - } - else if(PEHeader32->OptionalHeader.Magic == 0x20B) - { - FileIs64 = true; - } - else - { - SkipModule = true; - } - if(!SkipModule) - { - if(!FileIs64) - { - PEExports = (PIMAGE_EXPORT_DIRECTORY)(PEHeader32->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + LoadedModules[i][1]); - ExportedFunctionNames = (PEXPORTED_DATA)(PEExports->AddressOfNames + LoadedModules[i][1]); - ExportedFunctions = (PEXPORTED_DATA)(PEExports->AddressOfFunctions + LoadedModules[i][1]); - ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)(PEExports->AddressOfNameOrdinals + LoadedModules[i][1]); - } - else - { - PEExports = (PIMAGE_EXPORT_DIRECTORY)(PEHeader64->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress + LoadedModules[i][1]); - ExportedFunctionNames = (PEXPORTED_DATA)(PEExports->AddressOfNames + LoadedModules[i][1]); - ExportedFunctions = (PEXPORTED_DATA)(PEExports->AddressOfFunctions + LoadedModules[i][1]); - ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)(PEExports->AddressOfNameOrdinals + LoadedModules[i][1]); - } - for(j = 0; j < PEExports->NumberOfFunctions; j++) - { - if(EngineIsPointedMemoryString((ULONG_PTR)ExportedFunctions->ExportedItem + LoadedModules[i][1])) - { - RtlZeroMemory(&szFwdAPIName, 512); - RtlZeroMemory(&szFwdDLLName, 512); - if(EngineExtractForwarderData((ULONG_PTR)ExportedFunctions->ExportedItem + LoadedModules[i][1], &szFwdDLLName, &szFwdAPIName)) - { - 
if((ULONG_PTR)GetProcAddress(GetModuleHandleA(szFwdDLLName), szFwdAPIName) == RealignedAPIAddress) - { - GetModuleBaseNameA(hProcess, (HMODULE)LoadedModules[i][0], (LPSTR)engineFoundDLLName, 512); - RtlZeroMemory(&engineFoundAPIName, 512); - x = j; - FoundOrdinalNumber = (unsigned int)PEExports->Base; - for(j = 0; j < PEExports->NumberOfNames; j++) - { - if(ExportedFunctionOrdinals->OrdinalNumber != x) - { - ExportedFunctionOrdinals = (PEXPORTED_DATA_WORD)((ULONG_PTR)ExportedFunctionOrdinals + 2); - } - else - { - FoundOrdinalNumber = FoundOrdinalNumber + (unsigned int)ExportedFunctionOrdinals->OrdinalNumber; - break; - } - } - ExportedFunctionNames = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctionNames + j * 4); - if(EngineIsPointedMemoryString((ULONG_PTR)(ExportedFunctionNames->ExportedItem + LoadedModules[i][1]))) - { - lstrcpyA((LPSTR)engineFoundAPIName, (LPCSTR)(ExportedFunctionNames->ExportedItem + LoadedModules[i][1])); - } - APINameFound = true; - FoundIndex = i; - break; - } - } - } - ExportedFunctions = (PEXPORTED_DATA)((ULONG_PTR)ExportedFunctions + 4); - } - } - } - __except(EXCEPTION_EXECUTE_HANDLER) - { - RtlZeroMemory(&szFwdAPIName, 512); - RtlZeroMemory(&szFwdDLLName, 512); - APINameFound = false; - } - } - } - if(APINameFound) - { - break; - } - } - } - i = 1; - while(EnumeratedModules[i] != NULL) - { - if(engineAlowModuleLoading) - { - if(LoadedModules[i][2] == 1) - { - FreeLibrary((HMODULE)LoadedModules[i][1]); - } - } - else - { - if(LoadedModules[i][2] == 1) - { - VirtualFree((void*)LoadedModules[i][1], NULL, MEM_RELEASE); - } - } - i++; - } - if(APINameFound) - { - // - // Vista/w7 x64 fix - // - if(lstrcmpiA(engineFoundAPIName, "NtdllDefWindowProc_A") == NULL) - { - lstrcpyA(engineFoundAPIName, "DefWindowProcA"); - lstrcpyA(engineFoundDLLName, "user32.dll"); - FoundIndex = Vista64UserForwarderFix; - } - else if(lstrcmpiA(engineFoundAPIName, "NtdllDefWindowProc_W") == NULL) - { - lstrcpyA(engineFoundAPIName, "DefWindowProcW"); - 
lstrcpyA(engineFoundDLLName, "user32.dll"); - FoundIndex = Vista64UserForwarderFix; - } - else if(lstrcmpiA(engineFoundAPIName, "NtdllDialogWndProc_A") == NULL) - { - lstrcpyA(engineFoundAPIName, "DefDlgProcA"); - lstrcpyA(engineFoundDLLName, "user32.dll"); - FoundIndex = Vista64UserForwarderFix; - } - else if(lstrcmpiA(engineFoundAPIName, "NtdllDialogWndProc_W") == NULL) - { - lstrcpyA(engineFoundAPIName, "DefDlgProcW"); - lstrcpyA(engineFoundDLLName, "user32.dll"); - FoundIndex = Vista64UserForwarderFix; - } - if(ReturnType == UE_OPTION_IMPORTER_RETURN_APINAME || ReturnType == UE_OPTION_IMPORTER_RETURN_FORWARDER_APINAME) - { - if(ReturnType == UE_OPTION_IMPORTER_RETURN_APINAME && engineCheckForwarders == true) - { - if(engineAlowModuleLoading == true || (engineAlowModuleLoading == false && LoadedModules[FoundIndex][2] != 1)) - { - if(lstrcmpiA(engineFoundDLLName, "ntdll.dll") == NULL) - { - ForwarderData = (ULONG_PTR)EngineGlobalAPIHandler(handleProcess, EnumedModulesBases, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_FORWARDER_APINAME); - } - else - { - ForwarderData = NULL; - } - if(ForwarderData != NULL) - { - return(ForwarderData); - } - else - { - if(engineFoundAPIName[0] != 0x00) - { - return((ULONG_PTR)engineFoundAPIName); - } - else - { - return(NULL); - } - } - } - else - { - if(engineFoundAPIName[0] != 0x00) - { - return((ULONG_PTR)engineFoundAPIName); - } - else - { - return(NULL); - } - } - } - else - { - if(engineFoundAPIName[0] != 0x00) - { - return((ULONG_PTR)engineFoundAPIName); - } - else - { - return(NULL); - } - } - } - else if(ReturnType == UE_OPTION_IMPORTER_RETURN_APIADDRESS) - { - return(APIFoundAddress); - } - else if(ReturnType == UE_OPTION_IMPORTER_RETURN_API_ORDINAL_NUMBER || ReturnType == UE_OPTION_IMPORTER_RETURN_FORWARDER_API_ORDINAL_NUMBER) - { - return((ULONG_PTR)FoundOrdinalNumber); - } - else if(ReturnType == UE_OPTION_IMPORTER_RETURN_DLLNAME || ReturnType == UE_OPTION_IMPORTER_RETURN_FORWARDER_DLLNAME) - { - if(ReturnType == 
UE_OPTION_IMPORTER_RETURN_DLLNAME && engineCheckForwarders == true) - { - if(engineAlowModuleLoading == true || (engineAlowModuleLoading == false && LoadedModules[FoundIndex][2] != 1)) - { - if(lstrcmpiA(engineFoundDLLName, "ntdll.dll") == NULL) - { - ForwarderData = (ULONG_PTR)EngineGlobalAPIHandler(handleProcess, EnumedModulesBases, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_FORWARDER_DLLNAME); - } - else - { - ForwarderData = NULL; - } - if(ForwarderData != NULL) - { - return(ForwarderData); - } - else - { - if(engineFoundDLLName[0] != 0x00) - { - return((ULONG_PTR)engineFoundDLLName); - } - else - { - return(NULL); - } - } - } - else - { - if(engineFoundDLLName[0] != 0x00) - { - return((ULONG_PTR)engineFoundDLLName); - } - else - { - return(NULL); - } - } - } - else - { - if(engineFoundDLLName[0] != 0x00) - { - return((ULONG_PTR)engineFoundDLLName); - } - else - { - return(NULL); - } - } - } - else if(ReturnType == UE_OPTION_IMPORTER_RETURN_DLLINDEX || ReturnType == UE_OPTION_IMPORTER_RETURN_FORWARDER_DLLINDEX) - { - if(ReturnType == UE_OPTION_IMPORTER_RETURN_DLLINDEX && engineCheckForwarders == true) - { - if(engineAlowModuleLoading == true || (engineAlowModuleLoading == false && LoadedModules[FoundIndex][2] != 1)) - { - if(lstrcmpiA(engineFoundDLLName, "ntdll.dll") == NULL) - { - ForwarderData = (ULONG_PTR)EngineGlobalAPIHandler(handleProcess, EnumedModulesBases, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_FORWARDER_DLLINDEX); - } - else - { - ForwarderData = NULL; - } - if(ForwarderData != NULL) - { - return(ForwarderData); - } - else - { - return(FoundIndex); - } - } - else - { - return(FoundIndex); - } - } - else - { - return(FoundIndex); - } - } - else if(ReturnType == UE_OPTION_IMPORTER_RETURN_DLLBASE) - { - return(APIFoundAddress); - } - else if(ReturnType == UE_OPTION_IMPORTER_RETURN_NEAREST_APIADDRESS) - { - return(APIFoundAddress); - } - else if(ReturnType == UE_OPTION_IMPORTER_RETURN_NEAREST_APINAME) - { - if(engineCheckForwarders) - { - 
if(engineAlowModuleLoading == true || (engineAlowModuleLoading == false && LoadedModules[FoundIndex][2] != 1)) - { - if(lstrcmpiA(engineFoundDLLName, "ntdll.dll") == NULL) - { - ForwarderData = (ULONG_PTR)EngineGlobalAPIHandler(handleProcess, EnumedModulesBases, APIAddress, NULL, UE_OPTION_IMPORTER_RETURN_FORWARDER_APINAME); - } - else - { - ForwarderData = NULL; - } - if(ForwarderData != NULL) - { - return(ForwarderData); - } - else - { - if(engineFoundAPIName[0] != 0x00) - { - return((ULONG_PTR)engineFoundAPIName); - } - else - { - return(NULL); - } - } - } - else - { - if(engineFoundAPIName[0] != 0x00) - { - return((ULONG_PTR)engineFoundAPIName); - } - else - { - return(NULL); - } - } - } - else - { - if(engineFoundAPIName[0] != 0x00) - { - return((ULONG_PTR)engineFoundAPIName); - } - else - { - return(NULL); - } - } - } - else - { - return(APIFoundAddress); - } - } - else - { - if(ReturnType == UE_OPTION_IMPORTER_RETURN_API_ORDINAL_NUMBER || ReturnType == UE_OPTION_IMPORTER_RETURN_FORWARDER_API_ORDINAL_NUMBER) - { - return((ULONG_PTR)-1); - } - else - { - return(NULL); - } - } - } - else - { - return(NULL); - } - return(NULL); -} // Global.Engine.Hash.functions: unsigned long EngineCrc32Reflect(unsigned long ulReflect, const char cChar) { @@ -2473,6 +205,7 @@ void EngineCrc32PartialCRC(unsigned long *ulCRC, const unsigned char *sData, uns *(unsigned long *)ulCRC = ((*(unsigned long *)ulCRC) >> 8) ^ Crc32Table[((*(unsigned long *)ulCRC) & 0xFF) ^ *sData++]; } } + // TitanEngine.Dumper.functions: __declspec(dllexport) bool TITCALL DumpProcess(HANDLE hProcess, LPVOID ImageBase, char* szDumpFileName, ULONG_PTR EntryPoint) { 
@@ -10498,13 +8231,13 @@ bool ChangeHideDebuggerState(HANDLE hProcess, DWORD PatchAPILevel, bool Hide) { APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"CheckRemoteDebuggerPresent"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS); VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); - OldProtect = MemInfo.AllocationProtect; + OldProtect = MemInfo.Protect; VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, 5, PAGE_EXECUTE_READWRITE, &OldProtect); WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), &patchCheckRemoteDebuggerPresent, 5, &ueNumberOfBytesRead); APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"GetTickCount"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS); VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); - OldProtect = MemInfo.AllocationProtect; + OldProtect = MemInfo.Protect; VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, 3, PAGE_EXECUTE_READWRITE, &OldProtect); WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), &patchGetTickCount, 3, &ueNumberOfBytesRead); } 
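Review bot: In both ChangeHideDebuggerState hunks (this one and the one at -10524) the VirtualQueryEx and VirtualProtectEx calls go to `dbgProcessInformation.hProcess` while the WriteProcessMemory that follows targets the `hProcess` parameter, so whenever the two handles differ the protection is changed in one process and the patch is written into another; `VirtualQueryEx(hProcess, ...)` and `VirtualProtectEx(hProcess, ...)` would keep the three calls on the same process. Switching to `MemInfo.Protect` is the right field, but in this hunk the value is overwritten by VirtualProtectEx's out-parameter on success, so it only matters when that call fails — and neither the VirtualQueryEx nor the VirtualProtectEx result is checked, so a failed query leaves MemInfo unchanged and the write still proceeds. The same unchecked query/protect pattern appears in the hunks for RelocaterGrabRelocationTable, RelocaterGrabRelocationTableEx, EnableBPX, DisableBPX, SetBPX, SetBPXEx, DeleteBPX, RemoveMemoryBPX, FillEx, PatchEx and DebugLoop. The original protection is not restored within this hunk; if ChangeHideDebuggerState does not restore it outside the hunk, the patched page stays PAGE_EXECUTE_READWRITE after the write.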
@@ -10524,13 +8257,13 @@ bool ChangeHideDebuggerState(HANDLE hProcess, DWORD PatchAPILevel, bool Hide) { APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"CheckRemoteDebuggerPresent"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS); VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); - OldProtect = MemInfo.AllocationProtect; + OldProtect = MemInfo.Protect; VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, 5, PAGE_EXECUTE_READWRITE, &OldProtect); WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), (void*)GetProcAddress(GetModuleHandleA("kernel32.dll"),"CheckRemoteDebuggerPresent"), 5, &ueNumberOfBytesRead); APIPatchAddress = (ULONG_PTR)EngineGlobalAPIHandler(hProcess, NULL, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"),"GetTickCount"), NULL, UE_OPTION_IMPORTER_REALIGN_APIADDRESS); VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); - OldProtect = MemInfo.AllocationProtect; + OldProtect = MemInfo.Protect; VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)APIPatchAddress, 3, PAGE_EXECUTE_READWRITE, &OldProtect); WriteProcessMemory(hProcess, (LPVOID)(APIPatchAddress), (void*)GetProcAddress(GetModuleHandleA("kernel32.dll"),"GetTickCount"), 3, &ueNumberOfBytesRead); } @@ -10818,7 +8551,7 @@ __declspec(dllexport) bool TITCALL RelocaterGrabRelocationTable(HANDLE hProcess, if(RelocationData != NULL) { VirtualQueryEx(hProcess, (LPVOID)MemoryStart, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); - OldProtect = MemInfo.AllocationProtect; + OldProtect = MemInfo.Protect; VirtualProtectEx(hProcess, (LPVOID)MemoryStart, MemorySize, PAGE_EXECUTE_READWRITE, &OldProtect); if(ReadProcessMemory(hProcess, (LPVOID)MemoryStart, RelocationData, MemorySize, &ueNumberOfBytesRead)) { 
@@ -10844,7 +8577,7 @@ __declspec(dllexport) bool TITCALL RelocaterGrabRelocationTableEx(HANDLE hProces if(RelocationData != NULL) { VirtualQueryEx(hProcess, (LPVOID)MemoryStart, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); - OldProtect = MemInfo.AllocationProtect; + OldProtect = MemInfo.Protect; VirtualQueryEx(hProcess, (LPVOID)MemInfo.BaseAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); if(MemInfo.RegionSize < MemorySize || MemorySize == NULL) { @@ -12686,7 +10419,7 @@ __declspec(dllexport) bool TITCALL EnableBPX(ULONG_PTR bpxAddress) if(BreakPointBuffer[i].BreakPointAddress == bpxAddress) { VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); - OldProtect = MemInfo.AllocationProtect; + OldProtect = MemInfo.Protect; VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, BreakPointBuffer[i].BreakPointSize, PAGE_EXECUTE_READWRITE, &OldProtect); if(BreakPointBuffer[i].BreakPointActive == UE_BPXINACTIVE && (BreakPointBuffer[i].BreakPointType == UE_BREAKPOINT || BreakPointBuffer[i].BreakPointType == UE_SINGLESHOOT)) { @@ -12746,7 +10479,7 @@ __declspec(dllexport) bool TITCALL DisableBPX(ULONG_PTR bpxAddress) if(BreakPointBuffer[i].BreakPointAddress == bpxAddress) { VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); - OldProtect = MemInfo.AllocationProtect; + OldProtect = MemInfo.Protect; VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, BreakPointBuffer[i].BreakPointSize, PAGE_EXECUTE_READWRITE, &OldProtect); if(BreakPointBuffer[i].BreakPointActive == UE_BPXACTIVE && (BreakPointBuffer[i].BreakPointType == UE_BREAKPOINT || BreakPointBuffer[i].BreakPointType == UE_SINGLESHOOT)) { 
@@ -12860,7 +10593,7 @@ __declspec(dllexport) bool TITCALL SetBPX(ULONG_PTR bpxAddress, DWORD bpxType, L } bpxDataCmpPtr = (PMEMORY_COMPARE_HANDLER)bpxDataPrt; VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); - OldProtect = MemInfo.AllocationProtect; + OldProtect = MemInfo.Protect; VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, BreakPointBuffer[i].BreakPointSize, PAGE_EXECUTE_READWRITE, &OldProtect); if(ReadProcessMemory(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, &BreakPointBuffer[i].OriginalByte[0], BreakPointBuffer[i].BreakPointSize, &NumberOfBytesReadWritten)) { @@ -12990,7 +10723,7 @@ __declspec(dllexport) bool TITCALL SetBPXEx(ULONG_PTR bpxAddress, DWORD bpxType, } bpxDataCmpPtr = (PMEMORY_COMPARE_HANDLER)bpxDataPrt; VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); - OldProtect = MemInfo.AllocationProtect; + OldProtect = MemInfo.Protect; VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, BreakPointBuffer[i].BreakPointSize, PAGE_EXECUTE_READWRITE, &OldProtect); if(ReadProcessMemory(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, &BreakPointBuffer[i].OriginalByte[0], BreakPointBuffer[i].BreakPointSize, &NumberOfBytesReadWritten)) { @@ -13060,7 +10793,7 @@ __declspec(dllexport) bool TITCALL DeleteBPX(ULONG_PTR bpxAddress) if(BreakPointBuffer[i].BreakPointAddress == bpxAddress) { VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); - OldProtect = MemInfo.AllocationProtect; + OldProtect = MemInfo.Protect; VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)bpxAddress, BreakPointBuffer[i].BreakPointSize, PAGE_EXECUTE_READWRITE, &OldProtect); if(BreakPointBuffer[i].BreakPointType == UE_BREAKPOINT || BreakPointBuffer[i].BreakPointType == UE_SINGLESHOOT) { 
@@ -13590,7 +11323,7 @@ __declspec(dllexport) bool TITCALL RemoveMemoryBPX(ULONG_PTR MemoryStart, SIZE_T if(BreakPointBuffer[i].BreakPointAddress == MemoryStart) { VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)MemoryStart, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); - OldProtect = MemInfo.AllocationProtect; + OldProtect = MemInfo.Protect; if(OldProtect & PAGE_GUARD) { NewProtect = OldProtect ^ PAGE_GUARD; @@ -13622,7 +11355,8 @@ __declspec(dllexport) bool TITCALL GetContextFPUDataEx(HANDLE hActiveThread, voi { RtlZeroMemory(&DBGContext, sizeof CONTEXT); DBGContext.ContextFlags = CONTEXT_ALL; - GetThreadContext(hActiveThread, &DBGContext); + if(!GetThreadContext(hActiveThread, &DBGContext)) + return(false); #if !defined (_WIN64) RtlMoveMemory(FPUSaveArea, &DBGContext.FloatSave, sizeof FLOATING_SAVE_AREA); #else @@ -13637,7 +11371,6 @@ __declspec(dllexport) bool TITCALL GetContextFPUDataEx(HANDLE hActiveThread, voi } __declspec(dllexport) long long TITCALL GetContextDataEx(HANDLE hActiveThread, DWORD IndexOfRegister) { - RtlZeroMemory(&DBGContext, sizeof CONTEXT); DBGContext.ContextFlags = CONTEXT_ALL; #if defined(_WIN64) @@ -13929,7 +11662,8 @@ __declspec(dllexport) bool TITCALL SetContextFPUDataEx(HANDLE hActiveThread, voi { RtlZeroMemory(&DBGContext, sizeof CONTEXT); DBGContext.ContextFlags = CONTEXT_ALL; - GetThreadContext(hActiveThread, &DBGContext); + if(!GetThreadContext(hActiveThread, &DBGContext)) + return(false); #if !defined (_WIN64) RtlMoveMemory(&DBGContext.FloatSave, FPUSaveArea, sizeof FLOATING_SAVE_AREA); #else 
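Review bot: The GetContextDataEx hunk (-13637) drops the RtlZeroMemory of the shared DBGContext but, as far as the visible lines show, the GetThreadContext call that presumably follows (outside the hunk) keeps no failure check like the one this commit adds to GetContextFPUDataEx and SetContextFPUDataEx; if that call fails, the function would now hand back whatever the previous call left in DBGContext instead of zeros. Mirroring the new guard there, `if(!GetThreadContext(hActiveThread, &DBGContext)) return(0);` — with whatever error value callers of this long long API already expect — would make the removal safe. In the two FPU hunks the early `return(false)` is the right fix; if those functions suspend the thread before the call (not visible here), that path should also resume it, as the SetContextDataEx hunks in this commit do.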
@@ -13948,7 +11682,11 @@ __declspec(dllexport) bool TITCALL SetContextDataEx(HANDLE hActiveThread, DWORD RtlZeroMemory(&DBGContext, sizeof CONTEXT); DBGContext.ContextFlags = CONTEXT_ALL; #ifdef _WIN64 - GetThreadContext(hActiveThread, &DBGContext); + if(!GetThreadContext(hActiveThread, &DBGContext)) + { + ResumeThread(hActiveThread); + return(false); + } if(IndexOfRegister == UE_EAX) { NewRegisterValue = DBGContext.Rax - (DWORD)DBGContext.Rax + NewRegisterValue; @@ -14137,7 +11875,11 @@ __declspec(dllexport) bool TITCALL SetContextDataEx(HANDLE hActiveThread, DWORD return(true); } #else - GetThreadContext(hActiveThread, &DBGContext); + if(!GetThreadContext(hActiveThread, &DBGContext)) + { + ResumeThread(hActiveThread); + return(false); + } if(IndexOfRegister == UE_EAX) { DBGContext.Eax = NewRegisterValue; @@ -14479,7 +12221,7 @@ __declspec(dllexport) bool TITCALL FillEx(HANDLE hProcess, LPVOID MemoryStart, D FillByte = &defFillByte; } VirtualQueryEx(hProcess, MemoryStart, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); - OldProtect = MemInfo.AllocationProtect; + OldProtect = MemInfo.Protect; VirtualProtectEx(hProcess, MemoryStart, MemorySize, PAGE_EXECUTE_READWRITE, &OldProtect); for(i = 0; i < MemorySize; i++) { @@ -14516,7 +12258,7 @@ __declspec(dllexport) bool TITCALL PatchEx(HANDLE hProcess, LPVOID MemoryStart, if(hProcess != NULL) { VirtualQueryEx(hProcess, MemoryStart, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); - OldProtect = MemInfo.AllocationProtect; + OldProtect = MemInfo.Protect; VirtualProtectEx(hProcess, MemoryStart, MemorySize, PAGE_EXECUTE_READWRITE, &OldProtect); if(MemorySize - ReplaceSize != NULL) 
@@ -16809,7 +14551,7 @@ __declspec(dllexport) void TITCALL DebugLoop() if(BreakPointBuffer[MaximumBreakPoints].BreakPointActive == UE_BPXACTIVE && MaximumBreakPoints < MAXIMUM_BREAKPOINTS) { VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)BreakPointBuffer[MaximumBreakPoints].BreakPointAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); - OldProtect = MemInfo.AllocationProtect; + OldProtect = MemInfo.Protect; VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)BreakPointBuffer[MaximumBreakPoints].BreakPointAddress, BreakPointBuffer[MaximumBreakPoints].BreakPointSize, PAGE_EXECUTE_READWRITE, &OldProtect); if(BreakPointBuffer[MaximumBreakPoints].BreakPointActive == UE_BPXACTIVE && (BreakPointBuffer[MaximumBreakPoints].BreakPointType == UE_BREAKPOINT || BreakPointBuffer[MaximumBreakPoints].BreakPointType == UE_SINGLESHOOT) && (BreakPointBuffer[MaximumBreakPoints].NumberOfExecutions == -1 || BreakPointBuffer[MaximumBreakPoints].NumberOfExecutions > 0)) { @@ -16817,7 +14559,7 @@ __declspec(dllexport) void TITCALL DebugLoop() { DBGCode = DBG_CONTINUE; hActiveThread = OpenThread(THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, false, DBGEvent.dwThreadId); - myDBGContext.ContextFlags = CONTEXT_ALL; + myDBGContext.ContextFlags = CONTEXT_CONTROL; GetThreadContext(hActiveThread, &myDBGContext); if(BreakPointBuffer[MaximumBreakPoints].BreakPointType != UE_SINGLESHOOT) { @@ -17104,7 +14846,7 @@ __declspec(dllexport) void TITCALL DebugLoop() else { hActiveThread = OpenThread(THREAD_GET_CONTEXT+THREAD_SET_CONTEXT+THREAD_QUERY_INFORMATION, false, DBGEvent.dwThreadId); - myDBGContext.ContextFlags = CONTEXT_ALL; + myDBGContext.ContextFlags = CONTEXT_CONTROL; GetThreadContext(hActiveThread, &myDBGContext); if(!(myDBGContext.EFlags & 0x100)) { 
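Review bot: Narrowing ContextFlags to CONTEXT_CONTROL is sufficient for the `EFlags & 0x100` test in the -17104 hunk, but both the OpenThread and the GetThreadContext results stay unchecked, so on failure the trap-flag decision is made on a stale myDBGContext left over from the previous event; checking `if(hActiveThread != NULL && GetThreadContext(hActiveThread, &myDBGContext))` before reading EFlags would match the guards this commit adds to the GetContext*/SetContext* functions. CONTEXT_CONTROL retrieves only the control registers (Eip/Rip, EFlags, Esp/Rsp, CS/SS), so any later SetThreadContext in this function, which is outside the hunk, will write back only that subset; that is correct as long as DebugLoop modifies nothing else in myDBGContext. The same applies to the CONTEXT_CONTROL hunks at -17366 and -17596 and in DetachDebuggerEx.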
@@ -17144,8 +14886,8 @@ __declspec(dllexport) void TITCALL DebugLoop() { ResetMemBPX = false; VirtualQueryEx(dbgProcessInformation.hProcess, (LPCVOID)ResetMemBPXAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); - OldProtect = MemInfo.AllocationProtect; - NewProtect = OldProtect | PAGE_GUARD; + OldProtect = MemInfo.Protect; + NewProtect = OldProtect | PAGE_GUARD; //guard page protection VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)ResetMemBPXAddress, ResetMemBPXSize, NewProtect, &OldProtect); if(engineStepActive) { @@ -17197,7 +14939,7 @@ __declspec(dllexport) void TITCALL DebugLoop() else //handle hardware breakpoints { hActiveThread = OpenThread(THREAD_GET_CONTEXT+THREAD_SET_CONTEXT+THREAD_QUERY_INFORMATION, false, DBGEvent.dwThreadId); - myDBGContext.ContextFlags = CONTEXT_ALL; + myDBGContext.ContextFlags = CONTEXT_CONTROL; GetThreadContext(hActiveThread, &myDBGContext); if((ULONG_PTR)DBGEvent.u.Exception.ExceptionRecord.ExceptionAddress == myDBGContext.Dr0 || (myDBGContext.Dr6 & 0x1)) { @@ -17366,7 +15108,7 @@ __declspec(dllexport) void TITCALL DebugLoop() if(BreakPointBuffer[MaximumBreakPoints].BreakPointActive == UE_BPXACTIVE) //memory breakpoint is active { hActiveThread = OpenThread(THREAD_GET_CONTEXT|THREAD_SET_CONTEXT|THREAD_QUERY_INFORMATION, false, DBGEvent.dwThreadId); - myDBGContext.ContextFlags = CONTEXT_ALL; + myDBGContext.ContextFlags = CONTEXT_CONTROL; GetThreadContext(hActiveThread, &myDBGContext); DBGCode = DBG_CONTINUE; //debugger handled the exception MemoryBpxCallBack = BreakPointBuffer[MaximumBreakPoints].ExecuteCallBack; 
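Review bot: The hardware-breakpoint hunk (-17197) reads `myDBGContext.Dr0` and `myDBGContext.Dr6` immediately after a GetThreadContext requested with CONTEXT_CONTROL, but the debug registers are only filled when CONTEXT_DEBUG_REGISTERS is set, so Dr0/Dr6 now hold whatever an earlier fill left there and hardware breakpoints can be misattributed; use `myDBGContext.ContextFlags = CONTEXT_CONTROL | CONTEXT_DEBUG_REGISTERS;` in that hunk. The -17144 hunk is the one place in this commit where the AllocationProtect → Protect change is behaviorally significant, because `OldProtect | PAGE_GUARD` consumes the value before VirtualProtectEx overwrites OldProtect; the new trailing comment could say that, e.g. `//current page protection (not AllocationProtect) plus guard bit`. DebugLoop continues on both sides of these hunks.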
@@ -17485,7 +15227,7 @@ __declspec(dllexport) void TITCALL DebugLoop() { if(BreakPointBuffer[MaximumBreakPoints].MemoryBpxRestoreOnHit != 1) { - if(DBGEvent.u.Exception.ExceptionRecord.ExceptionInformation[0] == 0 && //read flag + if(DBGEvent.u.Exception.ExceptionRecord.ExceptionInformation[0] == 8 && //data execution prevention (DEP) violation (ULONG_PTR)DBGEvent.u.Exception.ExceptionRecord.ExceptionAddress == DBGEvent.u.Exception.ExceptionRecord.ExceptionInformation[1]) //exception address == read address RemoveMemoryBPX(BreakPointBuffer[MaximumBreakPoints].BreakPointAddress, BreakPointBuffer[MaximumBreakPoints].BreakPointSize); } @@ -17500,7 +15242,7 @@ __declspec(dllexport) void TITCALL DebugLoop() ResetMemBPXSize = BreakPointBuffer[MaximumBreakPoints].BreakPointSize; ResetMemBPX = true; } - if(DBGEvent.u.Exception.ExceptionRecord.ExceptionInformation[0] == 0 && //read flag + if(DBGEvent.u.Exception.ExceptionRecord.ExceptionInformation[0] == 8 && //data execution prevention (DEP) violation (ULONG_PTR)DBGEvent.u.Exception.ExceptionRecord.ExceptionAddress == DBGEvent.u.Exception.ExceptionRecord.ExceptionInformation[1]) //exception address == read address { myCustomHandler = (fCustomHandler)(MemoryBpxCallBack); 
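Review bot: Both hunks now test `ExceptionInformation[0] == 8` (DEP/execute fault), but the comment on the following line still says `//exception address == read address`, and the read case (`== 0`) is no longer handled at all; if memory breakpoints on read were meant to keep working here, the condition has changed meaning rather than been corrected, so the commit should say which is intended. Give the magic value a name so the intent is visible at the comparison, e.g. `static const ULONG_PTR ACCESS_VIOLATION_EXECUTE = 8; // ExceptionInformation[0] for a DEP/execute fault` (constructed name), and update the trailing comment to `//exception address == faulting (executed) address`. DebugLoop continues on both sides of these hunks.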
@@ -17588,7 +15330,7 @@ __declspec(dllexport) void TITCALL DebugLoop() if(BreakPointBuffer[MaximumBreakPoints].BreakPointActive == UE_BPXACTIVE && MaximumBreakPoints < MAXIMUM_BREAKPOINTS) { VirtualQueryEx(dbgProcessInformation.hProcess, (LPVOID)BreakPointBuffer[MaximumBreakPoints].BreakPointAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION); - OldProtect = MemInfo.AllocationProtect; + OldProtect = MemInfo.Protect; VirtualProtectEx(dbgProcessInformation.hProcess, (LPVOID)BreakPointBuffer[MaximumBreakPoints].BreakPointAddress, BreakPointBuffer[MaximumBreakPoints].BreakPointSize, PAGE_EXECUTE_READWRITE, &OldProtect); if(BreakPointBuffer[MaximumBreakPoints].BreakPointActive == UE_BPXACTIVE && (BreakPointBuffer[MaximumBreakPoints].BreakPointType == UE_BREAKPOINT || BreakPointBuffer[MaximumBreakPoints].BreakPointType == UE_SINGLESHOOT) && (BreakPointBuffer[MaximumBreakPoints].NumberOfExecutions == -1 || BreakPointBuffer[MaximumBreakPoints].NumberOfExecutions > 0)) { @@ -17596,7 +15338,7 @@ __declspec(dllexport) void TITCALL DebugLoop() { DBGCode = DBG_CONTINUE; hActiveThread = OpenThread(THREAD_GET_CONTEXT+THREAD_SET_CONTEXT+THREAD_QUERY_INFORMATION, false, DBGEvent.dwThreadId); - myDBGContext.ContextFlags = CONTEXT_ALL; + myDBGContext.ContextFlags = CONTEXT_CONTROL; GetThreadContext(hActiveThread, &myDBGContext); if(BreakPointBuffer[MaximumBreakPoints].BreakPointType != UE_SINGLESHOOT) { @@ -18096,7 +15838,7 @@ __declspec(dllexport) bool TITCALL DetachDebuggerEx(DWORD ProcessId) while(hListThreadPtr->hThread != NULL) { hActiveThread = OpenThread(THREAD_GET_CONTEXT+THREAD_SET_CONTEXT+THREAD_QUERY_INFORMATION, false, hListThreadPtr->dwThreadId); - myDBGContext.ContextFlags = CONTEXT_ALL; + myDBGContext.ContextFlags = CONTEXT_CONTROL; GetThreadContext(hActiveThread, &myDBGContext); if((myDBGContext.EFlags & 0x100)) { diff --git a/TitanEngine/TitanEngine.vcxproj b/TitanEngine/TitanEngine.vcxproj index 8b11d02..d44b8f1 100644 --- a/TitanEngine/TitanEngine.vcxproj 
+++ b/TitanEngine/TitanEngine.vcxproj @@ -215,6 +215,9 @@ + + + Create Create @@ -223,17 +226,22 @@ + + + + + diff --git a/TitanEngine/TitanEngine.vcxproj.filters b/TitanEngine/TitanEngine.vcxproj.filters index de8ad07..dcdfb5b 100644 --- a/TitanEngine/TitanEngine.vcxproj.filters +++ b/TitanEngine/TitanEngine.vcxproj.filters @@ -22,6 +22,12 @@ {b4e0243e-1a54-40fe-be40-e7cc7a16c3e1} + + {e6d39ee2-6c2c-444f-a68e-26a14ba4b11a} + + + {11622163-c50b-481a-9db8-1993dc220a72} + @@ -33,6 +39,18 @@ Source Files\ThirdParty + + Source Files\TitanEngine + + + Source Files\TitanEngine + + + Source Files\TitanEngine + + + Source Files\TitanEngine + @@ -62,6 +80,18 @@ Header Files + + Header Files\TitanEngine + + + Header Files\TitanEngine + + + Header Files\TitanEngine + + + Header Files\TitanEngine + diff --git a/TitanEngine/stdafx.h b/TitanEngine/stdafx.h index 20ad66e..c70da1b 100644 --- a/TitanEngine/stdafx.h +++ b/TitanEngine/stdafx.h @@ -239,7 +239,7 @@ typedef struct MEMORY_COMPARE_HANDLER } Array; } MEMORY_COMPARE_HANDLER, *PMEMORY_COMPARE_HANDLER; -#define MAX_DEBUG_DATA 512 +#define MAX_DEBUG_DATA 65536 typedef struct {
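Review bot: MAX_DEBUG_DATA grows from 512 to 65536 in stdafx.h with no comment and no rationale in the commit message; if the macro sizes stack or static buffers (its uses are outside this diff), every instance now costs 64 KiB, and any caller that still hard-codes the old 512 bound silently diverges from the new one. A one-line comment naming what the limit bounds and why this size, `#define MAX_DEBUG_DATA 65536 // <reason for the limit — TODO>`, would make the change reviewable.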