x64dbg
/
TitanEngine
mirror of https://github.com/x64dbg/TitanEngine
1
0
Fork 0
Code Releases Activity

fixed various dumper bugs, openprocess bugs

This commit is contained in:
NtQuery 2014-03-07 13:14:46 +01:00
parent 35c3c618b1
commit a3384e931f
3 changed files with 28 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
TitanEngine/TitanEngine.Dumper.cpp
View File

@ -80,11 +80,11 @@ __declspec(dllexport) bool TITCALL DumpProcessW(HANDLE hProcess, LPVOID ImageBas
{
PEHeader32 = (PIMAGE_NT_HEADERS32)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
PEHeader64 = (PIMAGE_NT_HEADERS64)((ULONG_PTR)DOSHeader + DOSHeader->e_lfanew);
if(PEHeader32->OptionalHeader.Magic == 0x10B)
if(PEHeader32->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC)
{
FileIs64 = false;
}
else if(PEHeader32->OptionalHeader.Magic == 0x20B)
else if(PEHeader32->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC)
{
FileIs64 = true;
}
@ -350,7 +350,7 @@ __declspec(dllexport) bool TITCALL DumpProcessExW(DWORD ProcessId, LPVOID ImageB
BOOL ReturnValue = false;
hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
if(hProcess != INVALID_HANDLE_VALUE)
if(hProcess)
{
ReturnValue = DumpProcessW(hProcess, ImageBase, szDumpFileName, EntryPoint);
EngineCloseHandle(hProcess);
@ -467,8 +467,8 @@ __declspec(dllexport) bool TITCALL DumpMemoryExW(DWORD ProcessId, LPVOID MemoryS
HANDLE hProcess = 0;
BOOL ReturnValue = false;
hProcess = OpenProcess(PROCESS_VM_READ, FALSE, ProcessId);
if(hProcess != INVALID_HANDLE_VALUE)
hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
if(hProcess)
{
ReturnValue = DumpMemoryW(hProcess, MemoryStart, MemorySize, szDumpFileName);
EngineCloseHandle(hProcess);
@ -506,18 +506,18 @@ __declspec(dllexport) bool TITCALL DumpRegionsW(HANDLE hProcess, wchar_t* szDump
wchar_t szDumpFileName[MAX_PATH];
MEMORY_BASIC_INFORMATION MemInfo;
ULONG_PTR DumpAddress = NULL;
ULONG_PTR EnumeratedModules[1024];
HMODULE EnumeratedModules[1024] = {0};
bool AddressIsModuleBase = false;
if(hProcess != NULL)
{
EnumProcessModules(hProcess, (HMODULE*)EnumeratedModules, sizeof(EnumeratedModules), &Dummy);
EnumProcessModules(hProcess, EnumeratedModules, sizeof(EnumeratedModules), &Dummy);
while(VirtualQueryEx(hProcess, (LPVOID)DumpAddress, &MemInfo, sizeof MEMORY_BASIC_INFORMATION) != NULL)
{
AddressIsModuleBase = false;
for(i = 0; i < 1024; i++)
for(i = 0; i < _countof(EnumeratedModules); i++)
{
if(EnumeratedModules[i] == (ULONG_PTR)MemInfo.AllocationBase)
if(EnumeratedModules[i] == (HMODULE)MemInfo.AllocationBase)
{
AddressIsModuleBase = true;
i = 1024;
@ -529,14 +529,14 @@ __declspec(dllexport) bool TITCALL DumpRegionsW(HANDLE hProcess, wchar_t* szDump
}
if(!(MemInfo.Protect & PAGE_NOACCESS) && AddressIsModuleBase == false)
{
if(DumpAboveImageBaseOnly == false || (DumpAboveImageBaseOnly == true && EnumeratedModules[0] < (ULONG_PTR)MemInfo.BaseAddress))
if(DumpAboveImageBaseOnly == false || (DumpAboveImageBaseOnly == true && EnumeratedModules[0] < (HMODULE)MemInfo.BaseAddress))
{
RtlZeroMemory(&szDumpName, MAX_PATH);
RtlZeroMemory(&szDumpFileName, MAX_PATH);
lstrcpyW(szDumpFileName, szDumpFolder);
if(szDumpFileName[lstrlenW(szDumpFileName)-1] != 0x5C)
if(szDumpFileName[lstrlenW(szDumpFileName)-1] != L'\\')
{
szDumpFileName[lstrlenW(szDumpFileName)] = 0x5C;
szDumpFileName[lstrlenW(szDumpFileName)] = L'\\';
}
wsprintfW(szDumpName, L"Dump-%x_%x.dmp", (ULONG_PTR)MemInfo.BaseAddress, (ULONG_PTR)MemInfo.RegionSize);
lstrcatW(szDumpFileName, szDumpName);
@ -572,8 +572,8 @@ __declspec(dllexport) bool TITCALL DumpRegionsExW(DWORD ProcessId, wchar_t* szDu
HANDLE hProcess = 0;
BOOL ReturnValue = false;
hProcess = OpenProcess(PROCESS_VM_READ, FALSE, ProcessId);
if(hProcess != INVALID_HANDLE_VALUE)
hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
if(hProcess)
{
ReturnValue = DumpRegionsW(hProcess, szDumpFolder, DumpAboveImageBaseOnly);
EngineCloseHandle(hProcess);
@ -608,16 +608,18 @@ __declspec(dllexport) bool TITCALL DumpModuleW(HANDLE hProcess, LPVOID ModuleBas
int i;
DWORD Dummy = NULL;
MODULEINFO RemoteModuleInfo;
ULONG_PTR EnumeratedModules[1024];
HMODULE EnumeratedModules[1024];
if(EnumProcessModules(hProcess, (HMODULE*)EnumeratedModules, sizeof(EnumeratedModules), &Dummy))
if(EnumProcessModules(hProcess, EnumeratedModules, sizeof(EnumeratedModules), &Dummy))
{
for(i = 0; i < 512; i++)
for(i = 0; i < _countof(EnumeratedModules); i++)
{
if(EnumeratedModules[i] == (ULONG_PTR)ModuleBase)
if(EnumeratedModules[i] == (HMODULE)ModuleBase)
{
GetModuleInformation(hProcess, (HMODULE)EnumeratedModules[i], &RemoteModuleInfo, sizeof MODULEINFO);
return(DumpMemoryW(hProcess, (LPVOID)EnumeratedModules[i], RemoteModuleInfo.SizeOfImage, szDumpFileName));
if (GetModuleInformation(hProcess, (HMODULE)EnumeratedModules[i], &RemoteModuleInfo, sizeof(MODULEINFO)))
{
return(DumpMemoryW(hProcess, (LPVOID)EnumeratedModules[i], RemoteModuleInfo.SizeOfImage, szDumpFileName));
}
}
}
}
@ -646,8 +648,8 @@ __declspec(dllexport) bool TITCALL DumpModuleExW(DWORD ProcessId, LPVOID ModuleB
HANDLE hProcess = 0;
BOOL ReturnValue = false;
hProcess = OpenProcess(PROCESS_VM_READ, FALSE, ProcessId);
if(hProcess != INVALID_HANDLE_VALUE)
hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, FALSE, ProcessId);
if(hProcess) //If the function fails, the return value is NULL. To get extended error information, call GetLastError.
{
ReturnValue = DumpModuleW(hProcess, ModuleBase, szDumpFileName);
EngineCloseHandle(hProcess);

2
TitanEngine/TitanEngine.Process.cpp
View File

@ -88,7 +88,7 @@ __declspec(dllexport) void TITCALL EnumProcessesWithLibrary(char* szLibraryName,
{
if(bProcessId[i] != NULL)
{
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, false, bProcessId[i]);
hProcess = OpenProcess(PROCESS_VM_READ|PROCESS_QUERY_INFORMATION, false, bProcessId[i]);
if(hProcess != NULL)
{
RtlZeroMemory(&EnumeratedModules[0], sizeof EnumeratedModules);

14
TitanEngine/TitanEngine.Tracer.cpp
View File

@ -1457,13 +1457,6 @@ __declspec(dllexport) long TITCALL TracerFixRedirectionViaImpRecPlugin(HANDLE hP
ULONG_PTR fImpRecTrace = NULL;
PMEMORY_CMP_HANDLER cmpModuleName;
ULONG_PTR remInjectSize = (ULONG_PTR)((ULONG_PTR)&injectedRemoteLoadLibrary - (ULONG_PTR)&injectedImpRec);
#if !defined(_WIN64)
typedef NTSTATUS(WINAPI *fZwSetInformationThread)(HANDLE fThreadHandle, DWORD fThreadInfoClass, LPVOID fBuffer, ULONG fBufferSize);
#else
typedef NTSTATUS(__fastcall *fZwSetInformationThread)(HANDLE fThreadHandle, DWORD fThreadInfoClass, LPVOID fBuffer, ULONG fBufferSize);
#endif
LPVOID ZwSetInformationThread = (LPVOID)GetProcAddress(GetModuleHandleA("ntdll.dll"),"ZwSetInformationThread");
fZwSetInformationThread cZwSetInformationThread = (fZwSetInformationThread)(ZwSetInformationThread);
LPVOID szModuleName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
LPVOID szGarbageFile = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE);
LPVOID cModuleName = szModuleName;
@ -1519,10 +1512,9 @@ __declspec(dllexport) long TITCALL TracerFixRedirectionViaImpRecPlugin(HANDLE hP
WriteProcessMemory(hProcess, remStringData, &APIData, sizeof InjectImpRecCodeData, &NumberOfBytesWritten);
WriteProcessMemory(hProcess, (LPVOID)((ULONG_PTR)remStringData + sizeof InjectImpRecCodeData), (LPCVOID)szGarbageFile, lstrlenA((LPSTR)szGarbageFile), &NumberOfBytesWritten);
hThread = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)remCodeData, remStringData, CREATE_SUSPENDED, &ThreadId);
if(ZwSetInformationThread != NULL)
{
cZwSetInformationThread(hThread, 0x11, NULL, NULL);
}
NtSetInformationThread(hThread, ThreadHideFromDebugger, NULL, NULL);
ResumeThread(hThread);
WaitForSingleObject(hThread, INFINITE);
if(GetExitCodeThread(hThread, &ExitCode))