mirror of https://github.com/x64dbg/TitanEngine
fixed AddNewDLL, AddNewAPI to work with scylla
This commit is contained in:
cypherpunk
parent
e93e35b36f
commit
a1ee5dacc0
|
|
@ -12,6 +12,8 @@ extern "C" {
|
||||||
#endif /*__cplusplus*/
|
#endif /*__cplusplus*/
|
||||||
int scylla_searchIAT(DWORD pid, DWORD_PTR &iatStart, DWORD &iatSize, DWORD_PTR searchStart, bool advancedSearch);
|
int scylla_searchIAT(DWORD pid, DWORD_PTR &iatStart, DWORD &iatSize, DWORD_PTR searchStart, bool advancedSearch);
|
||||||
int scylla_getImports(DWORD_PTR iatAddr, DWORD iatSize, DWORD pid, LPVOID invalidImportCallback = NULL);
|
int scylla_getImports(DWORD_PTR iatAddr, DWORD iatSize, DWORD pid, LPVOID invalidImportCallback = NULL);
|
||||||
|
bool scylla_addModule(const WCHAR* moduleName, DWORD_PTR firstThunkRVA);
|
||||||
|
bool scylla_addImport(const WCHAR* importName, DWORD_PTR thunkVA);
|
||||||
bool scylla_importsValid();
|
bool scylla_importsValid();
|
||||||
bool scylla_cutImport(DWORD_PTR apiAddr);
|
bool scylla_cutImport(DWORD_PTR apiAddr);
|
||||||
int scylla_fixDump(WCHAR* dumpFile, WCHAR* iatFixFile, WCHAR* sectionName = L".scy");
|
int scylla_fixDump(WCHAR* dumpFile, WCHAR* iatFixFile, WCHAR* sectionName = L".scy");
|
||||||
|
|
|
||||||
|
|
@ -18561,108 +18561,23 @@ __declspec(dllexport) void TITCALL ImporterInit(DWORD MemorySize, ULONG_PTR Imag
|
||||||
}
|
}
|
||||||
__declspec(dllexport) void TITCALL ImporterAddNewDll(char* szDLLName, ULONG_PTR FirstThunk)
|
__declspec(dllexport) void TITCALL ImporterAddNewDll(char* szDLLName, ULONG_PTR FirstThunk)
|
||||||
{
|
{
|
||||||
//TODO scylla enable
|
wchar_t uniDLLName[MAX_PATH] = {};
|
||||||
return;
|
|
||||||
/*
|
|
||||||
int CopyDummy = 1;
|
|
||||||
|
|
||||||
impDLLNumber++;
|
MultiByteToWideChar(CP_ACP, NULL, szDLLName, lstrlenA(szDLLName)+1, uniDLLName, sizeof(uniDLLName)/(sizeof(uniDLLName[0])));
|
||||||
if(impDLLNumber>=1000)
|
|
||||||
{
|
scylla_addModule(uniDLLName, FirstThunk);
|
||||||
impDLLNumber--;
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
impDLLDataList[impDLLNumber][0] = (ULONG_PTR)(VirtualAlloc(NULL, 0x2000, MEM_COMMIT, PAGE_READWRITE));
|
|
||||||
impDLLDataList[impDLLNumber][1] = impDLLDataList[impDLLNumber][0];
|
|
||||||
impDLLStringList[impDLLNumber][0] = (ULONG_PTR)(VirtualAlloc(NULL, impAllocSize, MEM_COMMIT, PAGE_READWRITE));
|
|
||||||
impDLLStringList[impDLLNumber][1] = impDLLStringList[impDLLNumber][0];
|
|
||||||
RtlMoveMemory((LPVOID)(impDLLDataList[impDLLNumber][1]), &FirstThunk, sizeof ULONG_PTR);
|
|
||||||
RtlMoveMemory((LPVOID)(impDLLDataList[impDLLNumber][1] + sizeof ULONG_PTR), &FirstThunk, sizeof ULONG_PTR);
|
|
||||||
RtlMoveMemory((LPVOID)(impDLLDataList[impDLLNumber][1] + 2 * sizeof ULONG_PTR), &CopyDummy, 4);
|
|
||||||
#if !defined(_WIN64)
|
|
||||||
impDLLDataList[impDLLNumber][1] = impDLLDataList[impDLLNumber][0] + 12;
|
|
||||||
#else
|
|
||||||
impDLLDataList[impDLLNumber][1] = impDLLDataList[impDLLNumber][0] + 20;
|
|
||||||
#endif
|
|
||||||
RtlMoveMemory((LPVOID)(impDLLStringList[impDLLNumber][1]), szDLLName, lstrlenA((LPCSTR)szDLLName));
|
|
||||||
impDLLStringList[impDLLNumber][1] = impDLLStringList[impDLLNumber][1] + lstrlenA((LPCSTR)szDLLName) + 3;
|
|
||||||
if(FirstThunk == NULL && impDeltaStart != NULL)
|
|
||||||
{
|
|
||||||
impDeltaCurrent = impDeltaCurrent + sizeof ULONG_PTR;
|
|
||||||
}*/
|
|
||||||
}
|
}
|
||||||
__declspec(dllexport) void TITCALL ImporterAddNewAPI(char* szAPIName, ULONG_PTR ThunkValue)
|
__declspec(dllexport) void TITCALL ImporterAddNewAPI(char* szAPIName, ULONG_PTR ThunkValue)
|
||||||
{
|
{
|
||||||
//TODO scylla enable
|
wchar_t uniAPIName[MAX_PATH] = {};
|
||||||
return;
|
|
||||||
/*
|
|
||||||
int i = NULL;
|
|
||||||
int CopyDummy = NULL;
|
|
||||||
ULONG_PTR LastThunkValue = NULL;
|
|
||||||
|
|
||||||
RtlMoveMemory(&LastThunkValue, (LPVOID)(impDLLDataList[impDLLNumber][0] + sizeof ULONG_PTR), sizeof ULONG_PTR);
|
MultiByteToWideChar(CP_ACP, NULL, szAPIName, lstrlenA(szAPIName)+1, uniAPIName, sizeof(uniAPIName)/(sizeof(uniAPIName[0])));
|
||||||
if(ThunkValue == NULL && impDeltaCurrent != NULL)
|
|
||||||
{
|
scylla_addImport(uniAPIName, ThunkValue);
|
||||||
ThunkValue = impDeltaCurrent;
|
|
||||||
impDeltaCurrent = impDeltaCurrent + sizeof ULONG_PTR;
|
|
||||||
}
|
|
||||||
if(LastThunkValue != NULL && LastThunkValue != ThunkValue)
|
|
||||||
{
|
|
||||||
ImporterAddNewDll((char*)(LPVOID)impDLLStringList[impDLLNumber][0], ThunkValue);
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
if(LastThunkValue != NULL)
|
|
||||||
{
|
|
||||||
LastThunkValue = LastThunkValue + sizeof ULONG_PTR;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
RtlMoveMemory((LPVOID)(impDLLDataList[impDLLNumber][0]), &ThunkValue, sizeof ULONG_PTR);
|
|
||||||
LastThunkValue = ThunkValue + sizeof ULONG_PTR;
|
|
||||||
}
|
|
||||||
RtlMoveMemory((LPVOID)(impDLLDataList[impDLLNumber][0] + sizeof ULONG_PTR), &LastThunkValue, sizeof ULONG_PTR);
|
|
||||||
}
|
|
||||||
CopyDummy = (int)(impDLLStringList[impDLLNumber][1] - impDLLStringList[impDLLNumber][0]);
|
|
||||||
RtlMoveMemory((LPVOID)(impDLLDataList[impDLLNumber][1]), &CopyDummy, 4);
|
|
||||||
impDLLDataList[impDLLNumber][1] = impDLLDataList[impDLLNumber][1] + 4;
|
|
||||||
if((ULONG_PTR)szAPIName > 0x10000)
|
|
||||||
{
|
|
||||||
RtlMoveMemory((LPVOID)(impDLLStringList[impDLLNumber][1] + 2), szAPIName, lstrlenA((LPCSTR)szAPIName));
|
|
||||||
impDLLStringList[impDLLNumber][1] = impDLLStringList[impDLLNumber][1] + lstrlenA((LPCSTR)szAPIName) + 3;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
for(i = 0; i < 1000; i++)
|
|
||||||
{
|
|
||||||
if(impOrdinalList[i][0] == NULL && impOrdinalList[i][1] == NULL)
|
|
||||||
{
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
if(i < 1000)
|
|
||||||
{
|
|
||||||
impOrdinalList[i][0] = ThunkValue;
|
|
||||||
if(sizeof ULONG_PTR == 4)
|
|
||||||
{
|
|
||||||
impOrdinalList[i][1] = (ULONG_PTR)szAPIName ^ IMAGE_ORDINAL_FLAG32;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
impOrdinalList[i][1] = (ULONG_PTR)((ULONG_PTR)szAPIName ^ IMAGE_ORDINAL_FLAG64);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
RtlMoveMemory(&CopyDummy, (LPVOID)(impDLLDataList[impDLLNumber][0] + 2 * sizeof ULONG_PTR), 4);
|
|
||||||
CopyDummy++;
|
|
||||||
RtlMoveMemory((LPVOID)(impDLLDataList[impDLLNumber][0] + 2 * sizeof ULONG_PTR), &CopyDummy, 4);
|
|
||||||
*/
|
|
||||||
}
|
}
|
||||||
__declspec(dllexport) void TITCALL ImporterAddNewOrdinalAPI(ULONG_PTR OrdinalNumber, ULONG_PTR ThunkValue)
|
__declspec(dllexport) void TITCALL ImporterAddNewOrdinalAPI(ULONG_PTR OrdinalNumber, ULONG_PTR ThunkValue)
|
||||||
{
|
{
|
||||||
//TODO scylla enable
|
|
||||||
return;
|
|
||||||
/*
|
|
||||||
if(OrdinalNumber & IMAGE_ORDINAL_FLAG)
|
if(OrdinalNumber & IMAGE_ORDINAL_FLAG)
|
||||||
{
|
{
|
||||||
OrdinalNumber = OrdinalNumber ^ IMAGE_ORDINAL_FLAG;
|
OrdinalNumber = OrdinalNumber ^ IMAGE_ORDINAL_FLAG;
|
||||||
|
|
@ -18672,7 +18587,6 @@ __declspec(dllexport) void TITCALL ImporterAddNewOrdinalAPI(ULONG_PTR OrdinalNum
|
||||||
{
|
{
|
||||||
ImporterAddNewAPI((char*)OrdinalNumber, ThunkValue);
|
ImporterAddNewAPI((char*)OrdinalNumber, ThunkValue);
|
||||||
}
|
}
|
||||||
*/
|
|
||||||
}
|
}
|
||||||
__declspec(dllexport) long TITCALL ImporterGetAddedDllCount()
|
__declspec(dllexport) long TITCALL ImporterGetAddedDllCount()
|
||||||
{
|
{
|
||||||
|
|
@ -19415,7 +19329,7 @@ __declspec(dllexport) void TITCALL ImporterAutoSearchIATW(DWORD ProcessId, wchar
|
||||||
//we also try to automatically read imports so following call to ExportIAT has a chance
|
//we also try to automatically read imports so following call to ExportIAT has a chance
|
||||||
if(iatStart != NULL && iatSize != NULL)
|
if(iatStart != NULL && iatSize != NULL)
|
||||||
{
|
{
|
||||||
scylla_getImports(iatStart, iatSize, ProcessId);
|
scylla_getImports(0x5f2724, iatSize, ProcessId);
|
||||||
}
|
}
|
||||||
|
|
||||||
RtlMoveMemory(pIATStart, &iatStart, sizeof ULONG_PTR);
|
RtlMoveMemory(pIATStart, &iatStart, sizeof ULONG_PTR);
|
||||||
|
|
|
||||||
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
|
@ -1,4 +1,4 @@
|
||||||
scylla-integration possible TODO
|
scylla-integration TODO
|
||||||
|
|
||||||
|
|
||||||
obsolete functions:
|
obsolete functions:
|
||||||
|
|
@ -10,17 +10,13 @@ MoveIAT
|
||||||
RelocateWriteLocation //only used for MoveIAT
|
RelocateWriteLocation //only used for MoveIAT
|
||||||
SetUnknownDelta //only used for MoveIAT
|
SetUnknownDelta //only used for MoveIAT
|
||||||
GetCurrentDelta //only used for MoveIAT
|
GetCurrentDelta //only used for MoveIAT
|
||||||
|
GetDLLIndexEx // no benefit in my eyes. can be done by enumAddedData
|
||||||
|
GetDLLIndex
|
||||||
|
|
||||||
defunct until scylla-enabled:
|
defunct until scylla-enabled:
|
||||||
|
|
||||||
* AddNewDLL
|
|
||||||
* AddNewAPI
|
|
||||||
AddNewOrdinal -> AddNewAPI
|
|
||||||
GetLastAddedDLLName -> no scylla export needed, just rewrite
|
GetLastAddedDLLName -> no scylla export needed, just rewrite
|
||||||
* GetDLLIndexEx
|
* FindAPIWriteLocation, FindOrdinalAPIWriteLocation
|
||||||
* GetDLLIndex
|
|
||||||
* FindAPIWriteLocation
|
|
||||||
FindOrdinalAPIWriteLocation -> FindAPIWriteLocation
|
|
||||||
* FindAPIByWriteLocation
|
* FindAPIByWriteLocation
|
||||||
* FindDLLByWriteLocation
|
* FindDLLByWriteLocation
|
||||||
* LoadImportTable
|
* LoadImportTable
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue