diff --git a/TitanEngine/3rdparty-definitions.h b/TitanEngine/3rdparty-definitions.h
index fe9c523..2b56f4c 100644
--- a/TitanEngine/3rdparty-definitions.h
+++ b/TitanEngine/3rdparty-definitions.h
@@ -12,6 +12,8 @@ extern "C" {
 #endif /*__cplusplus*/
 int scylla_searchIAT(DWORD pid, DWORD_PTR &iatStart, DWORD &iatSize, DWORD_PTR searchStart, bool advancedSearch);
 int scylla_getImports(DWORD_PTR iatAddr, DWORD iatSize, DWORD pid, LPVOID invalidImportCallback = NULL);
+bool scylla_addModule(const WCHAR* moduleName, DWORD_PTR firstThunkRVA);
+bool scylla_addImport(const WCHAR* importName, DWORD_PTR thunkVA);
 bool scylla_importsValid();
 bool scylla_cutImport(DWORD_PTR apiAddr);
 int scylla_fixDump(WCHAR* dumpFile, WCHAR* iatFixFile, WCHAR* sectionName = L".scy");
diff --git a/TitanEngine/TitanEngine.cpp b/TitanEngine/TitanEngine.cpp
index 408aabd..af5de95 100644
--- a/TitanEngine/TitanEngine.cpp
+++ b/TitanEngine/TitanEngine.cpp
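Review bot: The two added declarations, scylla_addModule and scylla_addImport, carry no documentation of what their bool result means or what address form the second parameter expects; the names `firstThunkRVA` and `thunkVA` suggest one is image-relative and the other absolute, yet the new callers in TitanEngine.cpp forward ImporterAddNewDll's FirstThunk and ImporterAddNewAPI's ThunkValue unchanged and discard the result. A one-line comment on each declaration stating whether the second argument is an RVA or a VA, and under which conditions the call returns false, would let the TitanEngine side check the contract instead of guessing it from parameter names.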
@@ -18561,108 +18561,23 @@ __declspec(dllexport) void TITCALL ImporterInit(DWORD MemorySize, ULONG_PTR Imag
 }
 __declspec(dllexport) void TITCALL ImporterAddNewDll(char* szDLLName, ULONG_PTR FirstThunk)
 {
- //TODO scylla enable
- return;
- /*
- int CopyDummy = 1;
+ wchar_t uniDLLName[MAX_PATH] = {};
 
- impDLLNumber++;
- if(impDLLNumber>=1000)
- {
- impDLLNumber--;
- return;
- }
- impDLLDataList[impDLLNumber][0] = (ULONG_PTR)(VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE));
- impDLLDataList[impDLLNumber][1] = impDLLDataList[impDLLNumber][0];
- impDLLStringList[impDLLNumber][0] = (ULONG_PTR)(VirtualAlloc(NULL, impAllocSize, MEM_COMMIT, PAGE_READWRITE));
- impDLLStringList[impDLLNumber][1] = impDLLStringList[impDLLNumber][0];
- RtlMoveMemory((LPVOID)(impDLLDataList[impDLLNumber][1]), &FirstThunk, sizeof ULONG_PTR);
- RtlMoveMemory((LPVOID)(impDLLDataList[impDLLNumber][1] + sizeof ULONG_PTR), &FirstThunk, sizeof ULONG_PTR);
- RtlMoveMemory((LPVOID)(impDLLDataList[impDLLNumber][1] + 2 * sizeof ULONG_PTR), &CopyDummy, 4);
- #if !defined(_WIN64)
- impDLLDataList[impDLLNumber][1] = impDLLDataList[impDLLNumber][0] + 12;
- #else
- impDLLDataList[impDLLNumber][1] = impDLLDataList[impDLLNumber][0] + 20;
- #endif
- RtlMoveMemory((LPVOID)(impDLLStringList[impDLLNumber][1]), szDLLName, lstrlenA((LPCSTR)szDLLName));
- impDLLStringList[impDLLNumber][1] = impDLLStringList[impDLLNumber][1] + lstrlenA((LPCSTR)szDLLName) + 3;
- if(FirstThunk == NULL && impDeltaStart != NULL)
- {
- impDeltaCurrent = impDeltaCurrent + sizeof ULONG_PTR;
- }*/
+ MultiByteToWideChar(CP_ACP, NULL, szDLLName, lstrlenA(szDLLName)+1, uniDLLName, sizeof(uniDLLName)/(sizeof(uniDLLName[0])));
+
+ scylla_addModule(uniDLLName, FirstThunk);
 }
 __declspec(dllexport) void TITCALL ImporterAddNewAPI(char* szAPIName, ULONG_PTR ThunkValue)
 {
- //TODO scylla enable
- return;
- /*
- int i = NULL;
- int CopyDummy = NULL;
- ULONG_PTR LastThunkValue = NULL;
+ wchar_t uniAPIName[MAX_PATH] = {};
 
- RtlMoveMemory(&LastThunkValue, (LPVOID)(impDLLDataList[impDLLNumber][0] + sizeof ULONG_PTR), sizeof ULONG_PTR);
- if(ThunkValue == NULL && impDeltaCurrent != NULL)
- {
- ThunkValue = impDeltaCurrent;
- impDeltaCurrent = impDeltaCurrent + sizeof ULONG_PTR;
- }
- if(LastThunkValue != NULL && LastThunkValue != ThunkValue)
- {
- ImporterAddNewDll((char*)(LPVOID)impDLLStringList[impDLLNumber][0], ThunkValue);
- }
- else
- {
- if(LastThunkValue != NULL)
- {
- LastThunkValue = LastThunkValue + sizeof ULONG_PTR;
- }
- else
- {
- RtlMoveMemory((LPVOID)(impDLLDataList[impDLLNumber][0]), &ThunkValue, sizeof ULONG_PTR);
- LastThunkValue = ThunkValue + sizeof ULONG_PTR;
- }
- RtlMoveMemory((LPVOID)(impDLLDataList[impDLLNumber][0] + sizeof ULONG_PTR), &LastThunkValue, sizeof ULONG_PTR);
- }
- CopyDummy = (int)(impDLLStringList[impDLLNumber][1] - impDLLStringList[impDLLNumber][0]);
- RtlMoveMemory((LPVOID)(impDLLDataList[impDLLNumber][1]), &CopyDummy, 4);
- impDLLDataList[impDLLNumber][1] = impDLLDataList[impDLLNumber][1] + 4;
- if((ULONG_PTR)szAPIName > 0x10000)
- {
- RtlMoveMemory((LPVOID)(impDLLStringList[impDLLNumber][1] + 2), szAPIName, lstrlenA((LPCSTR)szAPIName));
- impDLLStringList[impDLLNumber][1] = impDLLStringList[impDLLNumber][1] + lstrlenA((LPCSTR)szAPIName) + 3;
- }
- else
- {
- for(i = 0; i < 1000; i++)
- {
- if(impOrdinalList[i][0] == NULL && impOrdinalList[i][1] == NULL)
- {
- break;
- }
- }
- if(i < 1000)
- {
- impOrdinalList[i][0] = ThunkValue;
- if(sizeof ULONG_PTR == 4)
- {
- impOrdinalList[i][1] = (ULONG_PTR)szAPIName ^ IMAGE_ORDINAL_FLAG32;
- }
- else
- {
- impOrdinalList[i][1] = (ULONG_PTR)((ULONG_PTR)szAPIName ^ IMAGE_ORDINAL_FLAG64);
- }
- }
- }
- RtlMoveMemory(&CopyDummy, (LPVOID)(impDLLDataList[impDLLNumber][0] + 2 * sizeof ULONG_PTR), 4);
- CopyDummy++;
- RtlMoveMemory((LPVOID)(impDLLDataList[impDLLNumber][0] + 2 * sizeof ULONG_PTR), &CopyDummy, 4);
- */
+ MultiByteToWideChar(CP_ACP, NULL, szAPIName, lstrlenA(szAPIName)+1, uniAPIName, sizeof(uniAPIName)/(sizeof(uniAPIName[0])));
+
+ scylla_addImport(uniAPIName, ThunkValue);
 }
 __declspec(dllexport) void TITCALL ImporterAddNewOrdinalAPI(ULONG_PTR OrdinalNumber, ULONG_PTR ThunkValue)
 {
- //TODO scylla enable
- return;
- /*
+
 if(OrdinalNumber & IMAGE_ORDINAL_FLAG)
 {
 OrdinalNumber = OrdinalNumber ^ IMAGE_ORDINAL_FLAG;
@@ -18672,7 +18587,6 @@ __declspec(dllexport) void TITCALL ImporterAddNewOrdinalAPI(ULONG_PTR OrdinalNum
 {
 ImporterAddNewAPI((char*)OrdinalNumber, ThunkValue);
 }
- */
 }
 __declspec(dllexport) long TITCALL ImporterGetAddedDllCount()
 {
@@ -19415,7 +19329,7 @@ __declspec(dllexport) void TITCALL ImporterAutoSearchIATW(DWORD ProcessId, wchar
 //we also try to automatically read imports so following call to ExportIAT has a chance
 if(iatStart != NULL && iatSize != NULL)
 {
- scylla_getImports(iatStart, iatSize, ProcessId);
+ scylla_getImports(0x5f2724, iatSize, ProcessId);
 }
 
 RtlMoveMemory(pIATStart, &iatStart, sizeof ULONG_PTR);
diff --git a/TitanEngine/scylla_wrapper_x64.lib b/TitanEngine/scylla_wrapper_x64.lib
index 94b44f2..045d734 100644
Binary files a/TitanEngine/scylla_wrapper_x64.lib and b/TitanEngine/scylla_wrapper_x64.lib differ
diff --git a/TitanEngine/scylla_wrapper_x86.lib b/TitanEngine/scylla_wrapper_x86.lib
index 15a9416..e18bfd4 100644
Binary files a/TitanEngine/scylla_wrapper_x86.lib and b/TitanEngine/scylla_wrapper_x86.lib differ
diff --git a/TitanEngine/scylla_wrapperd_x64.lib b/TitanEngine/scylla_wrapperd_x64.lib
index 3c82f21..6bec0f4 100644
Binary files a/TitanEngine/scylla_wrapperd_x64.lib and b/TitanEngine/scylla_wrapperd_x64.lib differ
diff --git a/TitanEngine/scylla_wrapperd_x86.lib b/TitanEngine/scylla_wrapperd_x86.lib
index 00ddce8..2ddb60f 100644
Binary files a/TitanEngine/scylla_wrapperd_x86.lib and b/TitanEngine/scylla_wrapperd_x86.lib differ
diff --git a/scylla_integration.txt b/scylla_integration.txt
index 0cb0e53..9f42c78 100644
--- a/scylla_integration.txt
+++ b/scylla_integration.txt
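Review bot: The new body of ImporterAddNewAPI calls `lstrlenA(szAPIName)` and MultiByteToWideChar on szAPIName unconditionally, but the removed code guarded that with `if((ULONG_PTR)szAPIName > 0x10000)` because ordinal imports arrive here as a small integer cast to char* — ImporterAddNewOrdinalAPI still does `ImporterAddNewAPI((char*)OrdinalNumber, ThunkValue)` in the following hunk, and its flag-set branch lies between the two hunks. Reading through such a pointer is invalid; on Win32 lstrlenA's exception handler typically yields 0, after which MultiByteToWideChar still reads one byte at that address, so ordinal imports now either fault or reach scylla_addImport as an empty name, and they need a dedicated path (the removed code kept them in impOrdinalList) rather than the string conversion. The same hunk ignores the return value of both MultiByteToWideChar calls and of scylla_addModule/scylla_addImport, so a name of MAX_PATH or more characters is forwarded as an empty string with no signal to the caller; guard each conversion, e.g. `if(!MultiByteToWideChar(CP_ACP, 0, szAPIName, -1, uniAPIName, sizeof(uniAPIName)/sizeof(uniAPIName[0]))) return;`, which also replaces the `NULL` passed as the DWORD dwFlags argument with the `0` that is meant.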
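Review bot: The call in ImporterAutoSearchIATW now passes the literal `0x5f2724` instead of `iatStart` to scylla_getImports, so the IAT address the search just found (and still hands back to the caller through pIATStart two lines below) is ignored and the import read is attempted at a fixed address that can only be meaningful for one particular target. This looks like a leftover from a debugging session and should be reverted to `scylla_getImports(iatStart, iatSize, ProcessId);`. ImporterAutoSearchIATW's body continues outside the hunk in both directions.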
@@ -1,4 +1,4 @@ -scylla-integration possible TODO +scylla-integration TODO obsolete functions: @@ -10,17 +10,13 @@ MoveIAT RelocateWriteLocation //only used for MoveIAT SetUnknownDelta //only used for MoveIAT GetCurrentDelta //only used for MoveIAT +GetDLLIndexEx // no benefit in my eyes. can be done by enumAddedData +GetDLLIndex defunct until scylla-enabled: -* AddNewDLL -* AddNewAPI -AddNewOrdinal -> AddNewAPI GetLastAddedDLLName -> no scylla export needed, just rewrite -* GetDLLIndexEx -* GetDLLIndex -* FindAPIWriteLocation -FindOrdinalAPIWriteLocation -> FindAPIWriteLocation +* FindAPIWriteLocation, FindOrdinalAPIWriteLocation * FindAPIByWriteLocation * FindDLLByWriteLocation * LoadImportTable